diff --git a/CREDITS b/CREDITS index e29f0b853c..f1aea93d6b 100644 --- a/CREDITS +++ b/CREDITS @@ -1,6 +1,6 @@ -See the Git history of the project (git://source.ffmpeg.org/ffmpeg) to +See the Git history of the project (https://git.ffmpeg.org/ffmpeg) to get the names of people who have contributed to FFmpeg. To check the log, you can type the command "git log" in the FFmpeg source directory, or browse the online repository at -http://source.ffmpeg.org. +https://git.ffmpeg.org/ffmpeg diff --git a/Changelog b/Changelog index beb2d2615d..22eb66c981 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,1487 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.2.11: + avcodec/takdec: Check remaining space for first predictors + avcodec/sonic: Check num_taps + avformat/mov: reject negative ELST durations + avcodec/h264_mb: Fix tmp_cr for arm + avcodec/vorbisdec: Dont treat overread as error + libpostproc: check minimum size + avformat/hls: add fmp4 to allowed_extensions + avformat/hls: Add ec3 to allowed_extensions + avformat/hls: Add cmfv and cmfa to allowed_extensions + configure: Clearer documentation for "disable-safe-bitstream-reader" + swscale/output: Fix integer overflow in yuv2gbrp_full_X_c() + avcodec/libtheora: fix setting keyframe_mask + avfilter/buffersrc: check for valid sample rate + doc: replace http/git by https urls + configure: update copyright year + avfilter/bwdif: account for chroma sub-sampling in min size calculation + avformat/iff: Check that we have a stream in read_dst_frame() + avformat/mlvdec: fix size checks + avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit() + avcodec/h263dec: Check against previous dimensions instead of coded + avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet() + avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream() + avformat/ipmovie: Check signature_buffer read + avformat/wtvdec: Initialize buf + avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex + avformat/vqf: Check avio_read() in add_metadata() + avformat/dashdec: Check whitelist + avutil/avstring: dont mess with NULL pointers in av_match_list() + avcodec/mpegvideo_enc: Check FLV1 resolution limits + avcodec/ffv1enc: Fix handling of 32bit unsigned symbols + avcodec/vc1dec: Clear block_index in vc1_decode_reset() + avcodec/aacsbr_template: Clear n_q on error + swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template() + avfilter/af_pan: Fix sscanf() use + avformat/rmdec: check that buf if completely filled + avcodec/hapdec: Clear tex buffer + avformat/mxfdec: Check that key was read sucessfull + avformat/rpl: Fix check for negative values + avformat/mlvdec: Check avio_read() + avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV + avformat/matroskadec: Check pre_ns for overflow + avcodec/webp: Check ref_x/y + avcodec/ilbcdec: Initialize tempbuff2 + avformat/dxa: check bpc + swscale/slice: clear allocated memory in alloc_lines() + avformat/icodec: fix integer overflow with nb_pal + doc/developer: Document relationship between git accounts and MAINTAINERS + avformat/vividas: Check avio_read() for failure + avformat/ilbc: Check avio_read() for failure + avformat/nistspheredec: Clear buffer + INSTALL: explain the circular dependency issue and solution + avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen + avformat/mxfdec: Fix overflow in midpoint computation + avcodec/rangecoder: only perform renorm check/loop for callers that need it + avcodec/ffv1dec: Fix end computation with ec=2 + avcodec/ffv1enc: Prevent generation of files with broken slices + avformat/matroskadec: Check desc_bytes so bits fit in 64bit + avcodec/ffv1enc: Correct error message about unsupported version + avcodec/ffv1enc: Slice combination is unsupported + avcodec/ffv1enc: 2Pass mode is not possible with golomb coding + avcodec/ffv1enc: Fix >8bit context size + avcodec/xan: Add basic input size check + avcodec/svq3: Check for minimum size input + avcodec/eacmv: Check input size for intra frames + avcodec/jfdctint_template: use unsigned z* in row_fdct() + avformat/mxfdec: More offset_temp checks + swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template() + swscale/swscale: Use unsigned operation to avoid undefined behavior + avcodec/vc2enc: basic sanity check on slice_max_bytes + avformat/mvdec: Check if name was fully read + avcodec/wmavoice: Do not use uninitialized pitch[0] + avformat/apetag: Check APETAGEX + avcodec/avcodec: Warn about data returned from get_buffer*() + avcodec/aic: Clear slice_data + avcodec/vc1dec: Clear mb_type_base and ttblk_base + avcodec/shorten: clear padding + avformat/mpeg: Check an avio_read() for failure + avformat/segafilm: Set keyframe + avcodec/dxva2: initialize hr in ff_dxva2_common_end_frame() + avcodec/dxva2: initialize validate + avcodec/dxva2: Initialize ConfigBitstreamRaw + avcodec/dxva2: Initialize dxva_size and check it + avfilter/vf_tonemap_opencl: Dereference after NULL check + avformat/lmlm4: Eliminate some AVERROR(EIO) + avformat/wtvdec: Check length of read mpeg2_descriptor + avformat/wtvdec: clear sectors + avcodec/parser: ensure input padding is zeroed + avformat/img2dec: Clear padding data after EOF + avformat/wavdec: Check if there are 16 bytes before testing them + vp9: recon: Use emulated edge to prevent buffer overflows + arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter + aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter + configure: improve check for POSIX ioctl + configure: restore autodetection of v4l2 and fbdev + configure: fix --disable-v4l2-m2m can't work + configure: use just the pkg-config for sndio + configure: enable ffnvcodec, nvenc, nvdec for FreeBSD + avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD + avutil/ppc/cpu: Use proper header for OpenBSD PPC CPU detection + lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's + configure: use pkg-config for sndio + libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43 + + +version 4.2.10: + avcodec/snow: Fix off by 1 error in run_buffer + avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow + avcodec/vaapi_encode: Check hwctx + avcodec/proresdec: Consider negative bits left + avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices + avcodec/diracdsp: Remove unused variable + avformat/hcom: Tell the compiler about set but not read variables + lavf/chromaprint: Silence compilation warnings + avutil/slicethread: Check pthread_*_init() for failure + avutil/frame: Check log2_crop_align + avutil/buffer: Check ff_mutex_init() for failure + avformat/xmv: Check this_packet_size + avformat/ty: rec_size seems to only need 32bit + avformat/tty: Check avio_size() + avformat/siff: Basic pkt_size check + avformat/sauce: Check avio_size() for failure + avformat/sapdec: Check ffurl_get_file_handle() for error + avformat/nsvdec: Check asize for PCM + avformat/mp3dec: Check header_filesize + avformat/mp3dec; Check for avio_size() failure + avformat/mov: Use 64bit for str_size + avformat/mm: Check length + avformat/hnm: Check *chunk_size + avformat/asfdec_o: Check size of index object + avfilter/vf_lut3d: Check av_scanf() + swscale/output: Fix integer overflows in yuv2rgba64_X_c_template + avformat/mxfdec: Reorder elements of expression in bisect loop + avcodec/utvideoenc: Use unsigned shift to build flags + avcodec/vc2enc: Fix overflows with storing large values + avcodec/mpegvideo_enc: Do not duplicate pictures on shifting + avfilter/vf_bm3d: Dont round MSE2SSE to an integer + avdevice/dshow: Check device_filter_unique_name before use + avdevice/dshow_filter: Use wcscpy_s() + avcodec/flac_parser: Assert that we do not overrun the link_penalty array + avcodec/pixlet: Simplify pfx computation + avcodec/motion_est: Fix score squaring overflow + avcodec/loco: Check loco_get_rice() for failure + avcodec/loco: check get_ur_golomb_jpegls() for failure + avcodec/imm4: check cbphi for error + avcodec/iff: Use signed count + avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() + avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() + avcodec/dxv: Fix type in get_opcodes() + avcodec/xsubdec: Check parse_timecode() + avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit + avcodec/proresenc_kostya: use unsigned alpha for rotation + avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly + avformat/rmdec: use 64bit for audio_framesize checks + avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 + avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor + avformat/tls_schannel: Initialize ret + avformat/subfile: Assert that whence is a known case + avformat/subfile: Merge if into switch() + avformat/rtsp: Check that lower transport is handled in one of the if() + avformat/rtsp: initialize reply1 + avformat/rtsp: use < 0 for error check + avformat/rtpenc_vc2hq: Check sizes + avfilter/af_aderivative: Free out on error + avfilter/af_pan: check nb_output_channels before use + cbs_av1: Reject thirty-two zero bits in uvlc code + tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() + avfilter/vf_avgblur: Check plane instead of AVFrame + avformat/rdt: Check pkt_len + avformat/mpeg: Check len in mpegps_probe() + avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure + avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() + avformat/img2dec: assert no pipe on ts_from_file + avcodec/cbs_jpeg: Try to move the read entity to one side in a test + avformat/mov: Check edit list for overflow + fftools/ffmpeg: Check read() for failure + swscale/output: Avoid undefined overflow in yuv2rgb_write_full() + swscale/output: alpha can become negative after scaling, use multiply + avcodec/targaenc: Allocate space for the palette + avcodec/r210enc: Use av_rescale for bitrate + avcodec/jfdctint_template: Fewer integer anomalies + avcodec/snowenc: MV limits due to mv_penalty table size + avformat/mxfdec: Check container_ul->desc before use + MAINTAINERS: Update the entries for the release maintainer for FFmpeg + configure: update copyright year + avfilter/vf_rotate: Check ff_draw_init2() return value + avformat/matroskadec: Assert that num_levels is non negative + avformat/img2dec: Move DQT after unrelated if() + avdevice/xcbgrab: Check sscanf() return + fftools/cmdutils: Add protective () to FLAGS + avformat/sdp: Check before appending "," + avcodec/ilbcdec: Remove dead code + avcodec/vp8: Check cond init + avcodec/vp8: Check mutex init + avcodec/tests/dct: Use 64bit in intermediate for error computation + avcodec/scpr3: Check add_dec() for failure + avcodec/wavpackenc: Use unsigned for potential 31bit shift + avcodec/tests/jpeg2000dwt: Use 64bit in comparission + avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation + avformat/ape: Use 64bit for final frame size + avcodec/tiff: Assert init_get_bits8() success in unpack_gray() + swscale/yuv2rgb: Use 64bit for brightness computation + avutil/tests/opt: Check av_set_options_string() for failure + avutil/tests/dict: Check av_dict_set() before get for failure + avdevice/dshow: fix badly indented line + avcodec/mscc & mwsc: Check loop counts before use + avcodec/mpegvideo_enc: Fix potential overflow in RD + avcodec/mpeg4videodec: assert impossible wrap points + avcodec/vble: Check av_image_get_buffer_size() for failure + avcodec/vp3: Replace check by assert + avcodec/jpeg2000dec: remove ST=3 case + avcodec/fmvc: remove dead assignment + avcodec/h264_slice: Remove dead sps check + avcodec/lpc: copy levenson coeffs only when they have been computed + avutil/tests/base64: Check with too short output array + libavutil/base64: Try not to write over the array end + avcodec/cbs_av1: Avoid shift overflow + avcodec/mpegvideo_enc: Fix 1 line and one column images + swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() + swscale/output: Fix integer overflow in yuv2rgba64_1_c_template + avformat/mxfdec: Check body_offset + avcodec/ac3_parser: Check init_get_bits8() for failure + avcodec/hevcdec: Check ref frame + doc/examples/vaapi_transcode: Simplify loop + avfilter/vf_thumbnail_cuda: Set ret before checking it + avfilter/signature_lookup: Dont copy uninitialized stuff around + avfilter/signature_lookup: Fix 2 differences to the refernce SW + fate/subtitles: Ignore line endings for sub-scc test + avformat/mxfdec: Check index_edit_rate + swscale/utils: Fix xInc overflow + avformat/mxfdec: Make edit_unit_byte_count unsigned + avformat/movenc: Check that cts fits in 32bit + avformat/mxfdec: Check first case of offset_temp computation for overflow + avfilter/vf_signature: Dont crash on no frames + avformat/westwood_vqa: Fix 2g packets + avformat/matroskadec: Check timescale + avformat/sbgdec: Check for negative duration + avformat/rpl: Use 64bit for total_audio_size and check it + avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() + avformat/concatdec: Check user_duration sum + avcodec/truemotion1: Height not being a multiple of 4 is unsupported + avformat/cafdec: Check that data chunk end fits within 64bit + avformat/dxa: Adjust order of operations around block align + avformat/cafdec: dont seek beyond 64bit + avformat/id3v2: read_uslt() check for the amount read + avcodec/proresenc_kostya: Remove bug similarity text + avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() + avcodec/pngdec: Do not pass AVFrame into global header decode + libswscale/utils: Fix bayer to yuvj + swscale/swscale: Check srcSliceH for bayer + swscale/utils: Allocate more dithererror + avcodec/indeo3: Round dimensions up in allocate_frame_buffers() + avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers + avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure + avfilter/signature_lookup: dont leave uncleared pointers in sll_free() + avcodec/mpegvideo_enc: Use ptrdiff_t for stride + libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr. + avcodec/mpegvideo_enc: Dont copy beyond the image + avfilter/vf_minterpolate: Check pts before division + avformat/flacdec: Avoid double AVERRORS + avfilter/vf_vidstabdetect: Avoid double AVERRORS + avfilter/vf_swaprect: round coordinates down + avfilter/vf_swaprect: Use height for vertical variables + avfilter/vf_swaprect: assert that rectangles are within memory + avfilter/af_alimiter: Check nextpos before use + avfilter/af_stereowiden: Check length + avfilter/vf_weave: Fix odd height handling + avfilter/vf_gradfun: Do not overread last line + avformat/mov: do not set sign bit for chunk_offsets + avcodec/jpeglsdec: Check Jpeg-LS LSE + configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm + avformat/mov: Ignore duplicate ftyp + seek: Fix crashes in ff_seek_frame_binary if built with latest Clang 14 + avcodec/4xm: Check for cfrm exhaustion + avformat/mov: Disallow FTYP after streams + doc/html: fix styling issue with Texinfo 7.0 + doc/html: support texinfo 7.0 + doc/t2h.pm: fix missing TOC with texinfo 6.8 and above + doc/t2h.pm: fix missing CSS with texinfo 6.8 and above + avformat/matroskadec: Fix declaration-after-statement warnings + avformat/rtsp: Use rtsp_st->stream_index + avcodec/jpeg2000dec: Check image offset + libavutil/ppc/cpu.c: check that AT_HWCAP2 is defined + avcodec/h2645_parse: Avoid EAGAIN + avcodec/xvididct: Make c* unsigned to avoid undefined overflows + avformat/tmv: Check video chunk size + avformat/xwma: sanity check bits_per_coded_sample + avformat/matroskadec: Check prebuffered_ns for overflow + avformat/wavdec: Check left avio_tell for overflow + avformat/tta: Better totalframes check + avformat/rpl: Check for number_of_chunks overflow + avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample() + avformat/jacosubdec: Check timeres + avcodec/escape124: Do not return random numbers + avformat/avs: Check if return code is representable + avcodec/lcldec: Make PNG filter addressing match the code afterwards + avformat/westwood_vqa: Check chunk size + avformat/sbgdec: Check for period overflow + avcodec/xvididct: Fix integer overflow in idct_row() + avcodec/celp_math: avoid overflow in shift + avformat/format: Stop reading data at EOF during probing + avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure + avcodec/cscd: Fix "CamStudio Lossless Codec 1.0" gzip files + avcodec/cscd: Check for CamStudio Lossless Codec 1.0 behavior in end check of LZO files + avcodec/hevcdec: Fix undefined memcpy() + avcodec/mpeg4videodec: more unsigned in amv computation + avcodec/tta: fix signed overflow in decorrelate + avcodec/xvididct: Fix integer overflow in idct_row() + avformat/avr: Check sample rate + avcodec/jpeg2000dec: Check for reduction factor and image offset + avutil/softfloat: Basic documentation for av_sincos_sf() + avutil/softfloat: fix av_sincos_sf() + avcodec/utils: fix 2 integer overflows in get_audio_frame_duration() + avcodec/hevcdec: Avoid null pointer dereferences in MC + avcodec/takdsp: Fix integer overflows + avcodec: Ignoring errors is only possible before the input end + avcodec/noise_bsf: Check for wrapped frames + avformat/wavdec: Check that smv block fits in available space + avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() + avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated + avcodec/vorbisdec: Check codebook float values to be finite + avcodec/g2meet: Replace fake allocation avoidance for framebuf + avcodec/lcldec: More space for rgb24 + avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width + libavcodec/lcldec: width and height should not be unsigned + avcodec/x86/mathops: clip constants used with shift instructions within inline assembly + avformat/mov: Check if a key is longer than the atom containing it + avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer + avformat/mov: don't abort on duplicate Mastering Display Metadata boxes + avcodec/vdpau_mpeg4: fix order of quant matrix coefficients + avcodec/vdpau_mpeg12: fix order of quant matrix coefficients + avcodec/nvdec_mpeg4: fix order of quant matrix coefficients + avcodec/nvdec_mpeg2: fix order of quant matrix coefficients + +version 4.2.9 + avcodec/escape124: Check that blocks are allocated before use + avcodec/huffyuvdec: Fix undefined behavior with shift + avcodec/j2kenc: Replace RGB24 special case by generic test + avcodec/j2kenc: remove misleading pred value + avcodec/j2kenc: fix 5/3 DWT identifer + avcodec/vp3: Check width to avoid assertion failure + avcodec/g729postfilter: Limit shift in long term filter + configure: update copyright year + avcodec/tests/snowenc: Fix 2nd test + avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches + avcodec/snowenc: Fix visual weight calculation + avcodec/tests/snowenc: unbreak DWT tests + avcodec/vp3: Add missing check for av_malloc + avcodec/escape124: Fix some return codes + avcodec/escape124: fix signdness of end of input check + Use https for repository links + avcodec/motionpixels: Mask pixels to valid values + avcodec/xpmdec: Check size before allocation to avoid truncation + avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() + avcodec/bink: Fix off by 1 error in ref end + avcodec/utils: Ensure linesize for SVQ3 + avcodec/utils: allocate a line more for VC1 and WMV3 + avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things + avcodec/pngdec: Check deloco index more exactly + avcodec/ffv1dec: Check that num h/v slices is supported + avformat/mov: Check samplesize and offset to avoid integer overflow + avcodec/pictordec: Remove mid exit branch + avcodec/eac3dec: avoid float noise in fixed mode addition to overflow + avcodec/utils: use 32pixel alignment for bink + avcodec/scpr3: Check bx + avcodec/012v: Order operations for odd size handling + avcodec/eatgq: : Check index increments in tgq_decode_block() + avcodec/scpr: Test bx before use + avcodec/sunrast: Fix maplength check + avcodec/wavpack: Avoid undefined shift in get_tail() + avformat/id3v2: Check taglen in read_uslt() + avcodec/ffv1dec: restructure slice coordinate reading a bit + avcodec/mlpdec: Check max matrix instead of max channel in noise check + swscale/input: Use more unsigned intermediates + avcodec/alsdec: The minimal block is at least 7 bits + avformat/replaygain: avoid undefined / negative abs + swscale/output: Bias 16bps output calculations to improve non overflowing range + avcodec/speedhq: Check buf_size to be big enough for DC + avcodec/ffv1dec: Fail earlier if prior context is corrupted + avcodec/nvenc: fix vbv buffer size in cq mode + avcodec/mjpegenc: take into account component count when writing the SOF header size + checkasm: float_dsp: Scale FLT/DBL_EPSILON sufficiently when comparing + swscale: aarch64: Fix yuv2rgb with negative strides + +version 4.2.8 + avformat/vividas: Check packet size + avcodec/dstdec: Check for overflow in build_filter() + avformat/spdifdec: Use 64bit to compute bit rate + avformat/rpl: Use 64bit for duration computation + avformat/xwma: Use av_rescale() for duration computation + avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation + avformat/rmdec: check tag_size + avformat/nutdec: Check fields + avformat/flvdec: Use 64bit for sum_flv_tag_size + avformat/dxa: avoid bpc overflows + avformat/cafdec: Check that nb_frasmes fits within 64bit + avformat/asfdec_o: Limit packet offset + avformat/ape: Check frames size + avformat/icodec: Check nb_pal + avformat/aiffdec: Use 64bit for block_duration use + avformat/aiffdec: Check block_duration + avformat/mxfdec: only probe max run in + avformat/mxfdec: Check run_in is within 65536 + avcodec/apedec: Fix integer overflow in filter_3800() + avcodec/tta: Check 24bit scaling for overflow + avcodec/tiff: Fix loop detection + libavformat/hls: Free keys + avcodec/fmvc: Move frame allocation to a later stage + avfilter/vf_showinfo: remove backspaces + avcodec/speedhq: Check width + avcodec/bink: disallow odd positioned scaled blocks + avformat/asfdec_o: limit recursion depth in asf_read_unknown() + doc/git-howto.texi: Document commit signing + libavcodec/8bps: Check that line lengths fit within the buffer + libavformat/iff: Check for overflow in body_end calculation + avformat/avidec: Prevent entity expansion attacks + avcodec/h263dec: Sanity check against minimal I/P frame size + avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel + MAINTAINERS: Add ED25519 key for signing my commits in the future + avcodec/hevc_filter: copy_CTB() only within width&height + avformat/flvdec: Check for EOF in index reading + avformat/nutdec: Check get_packetheader() in mainheader + avformat/asfdec_f: Use 64bit for packet start time + avcodec/lagarith: Check dst/src in zero run code + avcodec/h264dec: Skip late SEI + avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() + avfilter/vf_signature: Fix integer overflow in filter_frame() + avformat/rtsp: break on unknown protocols + avcodec/hevcdsp_template: stay within tables in sao_band_filter() + avcodec/qpeldsp: copy less for the mc0x cases + avcodec/ffv1dec: Limit golomb rice coded slices to width 8M + avformat/iff: simplify duration calculation + avcodec/wnv1: Check for width =1 + avcodec/ffv1dec_template: fix indention + avformat/sctp: close socket on errors + avcodec/aasc: Fix indention + avcodec/qdrw: adjust max colors to array size + avcodec/alacdsp: Make intermediates unsigned + avformat/aiffdec: cleanup size handling for extreem cases + avcodec/jpeglsdec: fix end check for xfrm + avcodec/cdgraphics: limit scrolling to the line + avformat/aiffdec: avoid integer overflow in get_meta() + avformat/ape: more bits in size for less overflows + avformat/bfi: Check offsets better + avformat/asfdec_f: Check packet_frag_timestamp + avcodec/texturedspenc: Fix indexing in color distribution determination + avformat/act: Check ff_get_wav_header() for failure + avfilter/vsrc_mandelbrot: Check for malloc failure + avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements + avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment + avformat/genh: Check sample rate + configure: extend SDL check to accept all 2.x versions + +version 4.2.7 + avfilter/vf_colorspace: fix memmory leaks + avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written + avfilter/vf_random: fix memory leaks + avfilter/vf_bwdif: fix heap-buffer overflow + fftools/ffmpeg_opt: Fix leak of options when parsing options fails + avfilter/vf_edgedetect: fix heap-buffer overflow + avfilter/vf_w3fdif: deny processing small videos + avfilter/vf_avgblur: fix heap-buffer overflow + avfilter/af_tremolo: fix heap-buffer overflow + avfilter/vf_edgedetect: check if height is big enough + avfilter/vf_bitplanenoise: fix overreads + avfilter/vf_fieldorder: fix heap-buffer overflow + avfilter/vf_fieldmatch: fix heap-buffer overflow + avcodec/pngenc: remove monowhite from apng formats + lavf/tls_mbedtls: add support for mbedtls version 3 + +version 4.2.6 + configure: bump year + avfilter/vf_lenscorrection: make width/height int + avcodec/diracdec: avoid signed integer overflow in global mv + avcodec/takdsp: Fix integer overflow in decorrelate_sf() + avcodec/apedec: fix a integer overflow in long_filter_high_3800() + avfilter/vf_subtitles: pass storage size to libass + avformat/aqtitledec: Skip unrepresentable durations + avformat/cafdec: Do not store empty keys in read_info_chunk() + avformat/hls: Check target_duration + avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() + avformat/matroskadec: Check pre_ns + avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior + avformat/matroskadec: Use rounded down duration in get_cue_desc() check + avformat/avidec: Check height + avformat/rmdec: Better duplicate tags check + avformat/mov: Disallow empty sidx + avformat/matroskadec: Check duration + avformat/mov: Corner case encryption error cleanup in mov_read_senc() + avcodec/jpeglsdec: Fix if( code style + avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error + avcodec/motion_est: fix indention of ff_get_best_fcode() + avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() + avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned + avformat/matroskadec: Check desc_bytes + avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() + avformat/matroskadec: Fix infinite loop with bz decompression + avformat/mov: Check size before subtraction + avcodec/apedec: Fix integer overflows in predictor_update_3930() + avcodec/apedec: fix integer overflow in 8bit samples + avformat/flvdec: timestamps cannot use the full int64 range + avcodec/vqavideo: reset accounting on error + avcodec/alacdsp: fix integer overflow in decorrelate_stereo() + avformat/4xm: Check for duplicate track ids + avformat/4xm: Consider max_streams on reallocating tracks array + avformat/mov: Check next offset in mov_read_dref() + avformat/vivo: Favor setting fps from explicit fractions + avformat/vivo: Do not use the general expression evaluator for parsing a floating point value + avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() + avcodec/apedec: Change avg to uint32_t + avformat/mov: Disallow duplicate smdm + avformat/mov: Check for EOF in mov_read_glbl() + avcodec/vp3: Check version in all cases when VP4 code is not built + avformat/mov: Check channels for mov_parse_stsd_audio() + avformat/avidec: Check read_odml_index() for failure + avformat/aiffdec: Use av_rescale() for bitrate + avformat/aiffdec: sanity check block_align + avformat/aiffdec: Check sample_rate + avfilter/vf_gblur: fix heap-buffer overflow + avfilter/vf_lenscorrection: fix division by zero + avformat/latmenc: abort if no extradata is available + avformat/movenc: Fix segfault when remuxing rtp hint stream + avformat/tty: add probe function + avfilter/vf_neighbor: check if width is 1 + avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE + avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() + avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results + configure: Add missing libshine->mpegaudioheader dependency + +version 4.2.5 + configure: update copyright year + avformat/matroskadec: Reset state also on failure in matroska_reset_status() + avformat/wavdec: Check smv_block_size + avformat/rmdec: Check for multiple audio_stream_info + avcodec/apedec: Use 64bit to avoid overflow + avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() + oavformat/avidec: Check offset in odml + avformat/mpegts: use actually read packet size in mpegts_resync special case + avfilter/scale_npp: fix non-aligned output frame dimensions + Update for 4.2.5 + swscale/alphablend: Fix slice handling + avcodec/mxpegdec: Check for AVDISCARD_ALL + avcodec/flicvideo: Check remaining bytes in FLI*COPY + avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127 + avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return + avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable + avcodec/apedec: Fix integer overflow in intermediate + avformat/mvdec: Do not set invalid sample rate + avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 + avformat/mov: Check for duplicate clli + avformat/jacosubdec: Check for min in t overflow in get_shift() + avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() + avcodec/utils: don't return negative values in av_get_audio_frame_duration() + avcodec/jpeg2000dec: Check that atom header is within bytsetream + avcodec/apedec: Fix 2 integer overflows in filter_3800() + avcodec/xpmdec: Move allocations down after more error checks + network: Define ENOTCONN as WSAENOTCONN if not defined + avformat/avidec: Use 64bit for frame number in odml index parsing + avcodec/mjpegbdec: Skip SOS on AVDISCARD_ALL as does mjpeg + avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() + avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata + avcodec/webp: Check available space in loop in decode_entropy_coded_image() + avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode + avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init + avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() + avcodec/vc1dec: Disable error concealment for *IMAGE + avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() + avformat/wtvdec: Check for EOF before seeking back in parse_media_type() + avformat/wavdec: Use 64bit in new_pos computation + avformat/sbgdec: Check for overflow in timestamp preparation + avformat/dsicin: Check packet size for overflow + avformat/bfi: check nframes + avformat/avidec: fix position overflow in avi_load_index() + avformat/asfdec_f: Check sizeX against padding + avformat/aiffdec: Check for size overflow in header parsing + avcodec/aaccoder: Add minimal bias in search_for_ms() + avfilter/af_drmeter: Check that there is data + avfilter/vf_mestimate: Check b_count + avformat/mov: do not ignore errors in mov_metadata_hmmt() + avformat/mxfdec: Check size for shrinking + avcodec/dnxhddec: check and propagate function return value + swscale/slice: Fix wrong return on error + swscale/slice: Check slice for allocation failure + avformat/matroskadec: Fix handling of huge default durations + avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() + avformat/ftp: Check for av_strtok() failure + tools/cws2fws: Check read() for failure + avcodec/cpia: Fix missing src_size update + avcodec/clearvideo: Check tile_size to be not too large + avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation + avformat/rmdec: Check old_format len for overflow + avformat/realtextdec: Check the pts difference before using it for the duration computation + avformat/qcp: Avoid negative nb_rates + avformat/nutdec: Check tmp_size + avformat/msf: Check that channels doesnt overflow during extradata construction + avformat/mpc8: Check for position overflow in mpc8_handle_chunk() + avformat/iff: Use 64bit in duration computation + avformat/dxa: Check fps to be within the supported range more precissely + avcodec/iff: Only write palette to plane 1 if its PAL8 + avformat/tta: Check for EOF in index reading loop + Update missed irc links + avformat/rpl: The associative law doesnt hold for signed integers in C + avcodec/faxcompr: Check available bits in decode_uncompressed() + avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10 + avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit + avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 + avformat/mov: Check for duplicate mdcv + avfilter/vf_dctdnoiz: Check threads + avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black + avformat/rpl: Check for EOF and zero framesize + avcodec/vc2enc: Check for non negative slice bounds + avformat/rpl: Use 64bit in bitrate computation and check it + avcodec/svq1enc: Do not print debug RD value before it has been computed + avcodec/aacpsy: Check bandwidth + avcodec/aacenc: Do not divide by lambda_count if it is 0 + avcodec/aacenc: Use FLT_EPSILON for lambda minimum + avformat/cinedec: Fix index_entries size check + avfilter/vf_yadif: Fix handing of tiny images + avfilter/vf_vmafmotion: Check dimensions + avformat/movenc: Check pal_size before use + avcodec/lpc: Avoid floating point division by 0 + avcodec/aacpsy: Avoid floating point division by 0 of norm_fac + avcodec/aacenc: Avoid 0 lambda + avcodec/exr: x/ymax cannot be INT_MAX + avformat/avio: Check av_opt_copy() for failure + avcodec/clearvideo: Check for 0 tile_shift + avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header() + avformat/mov: Ignore duplicate CoLL + avformat/mov: Limit nb_chapter_tracks to input size + avformat/utils: Use 64bit earlier in r_frame_rate check + avformat/mvdec: Check sample rate in parse_audio_var() + avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() + avcodec/utils: treat PAL8 for jpegs similar to other colorspaces + avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent + avformat/asfdec_o: Use ff_get_extradata() + avformat/id3v2: Check end for overflow in id3v2_parse() + avformat/wtvdec: Improve size overflow checks in parse_chunks() + avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() + avcodec/utils: Check ima wav duration for overflow + avformat/cafdec: Check channels + avcodec/dpx: Check bits_per_color earlier + avcodec/pnm_parser: Check image size addition for overflow + avcodec/h265_metadata_bsf: Check nb_units before accessing the first in h265_metadata_update_fragment() + avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check + avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context() + avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change() + avformat/mov: Ignore multiple STSC / STCO + avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() + avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice() + avutil/common: Add FF_PTR_ADD() + avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid + avformat/cafdec: Do not build an index if all packets are the same + avformat/vividas: Use equals check with n in read_sb_block() + avcodec/sonic: Use unsigned temporary in predictor_calc_error() + avformat/jacosubdec: Use 64bit intermediate for start/end timestamp shift + avformat/flvdec: Check array entry number + avcodec/h264_slice: Check sps in h264_slice_header_init() + avformat/movenc: Avoid loosing cluster array on failure + avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb + avformat/mov: Check sample size for overflow in mov_parse_stsd_audio() + avcodec/ffwavesynth: Avoid signed integer overflow in phi_at() + avcodec/mpeg4videoenc: Check extradata malloc() + avcodec/speedhq: Width < 8 is not supported + avformat/matroskadec: Check for EOF in resync loop + avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS + avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() + avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet() + avutil/timecode: Avoid fps overflow + avformat/mvi: Check audio size for more overflows + avcodec/flacdec: Avoid undefined shift in error case + avcodec/ffv1dec: Check if trailer is available + avcodec/4xm: Check pre_gb in decode_i_block() + avcodec/dcadsp: Fix integer overflow in dmix_add_c() + avformat/flvdec: Check double before cast in parse_keyframes_index() + avformat/paf: Check for EOF before allocation in read_header() + avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld() + avformat/lxfdec: Fix multiple integer overflows related to track_size + avcodec/exr: skip bottom clearing loop when its outside the image + avutil/parseutils: Check sign in av_parse_time() + avformat/aiffdec: Check that SSND is at least 8 bytes + avformat/dcstr: Check sample rate + avcodec/alsdec: Check bitstream input in read_block() + avformat/mov: Extend data_size check in mov_read_udta_string() + avformat/aadec: Check for EOF while reading chapters + avformat/voc_packet: Add a basic check on max_size + avformat/microdvddec: use 64bit for durations + avcodec/hapdec: Change compressed_offset to unsigned 32bit + avformat/rmdec: Check codec_length without overflow + avformat/mov: Check element count in mov_metadata_hmmt() + avcodec/vp8: Move end check into MB loop in vp78_decode_mv_mb_modes() + avcodec/fits: Check gcount and pcount being non negative + avformat/nutdec: Check timebase count against main header length + avformat/electronicarts: Clear partial_packet on error + avformat/r3d: Check samples before computing duration + avcodec/pnm_parser: Check av_image_get_buffer_size() for failure + avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif() + avformat/rmdec: Check remaining space in debug av_log() loop + avformat/flvdec: Treat high ts byte as unsigned + avformat/samidec: Sanity check pts + avcodec/jpeg2000dec: Check atom_size in jp2_find_codestream() + avformat/avidec: Use 64bit in get_duration() + avformat/mov: Check for duplicate st3d + avformat/mvdec: Check for EOF in read_index() + avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular() + avformat/id3v2: Check the return from avio_get_str() + avcodec/hevc_sei: Check payload size in decode_nal_sei_message() + libavutil/eval: Remove CONFIG_TRAPV special handling + avformat/wtvdec: Check len in parse_chunks() to avoid overflow + avformat/asfdec_f: Add an additional check for the extradata size + avformat/3dostr: Check sample_rate + avformat/4xm: Make audio_frame_count 64bit + avformat/mov: Use av_mul_q() to avoid integer overflows + avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper + avformat/rmdec: Reorder operations to avoid overflow + avcodec/mxpegdec: fix SOF counting + avcodec/rscc: Check inflated_buf size whan it is used + avformat/mvdec: Sanity check SAMPLE_WIDTH + avformat/rmdec: Fix codecdata_length overflow check + avcodec/simple_idct: Fix undefined integer overflow in idct4row() + avformat/tta: Use 64bit intermediate for index + avformat/soxdec: Check channels to be positive + avcodec/cscd: Check output len in zlib as in lzo + avcodec/vp3: Check input amount in theora_decode_header() + avformat/wavdec: Check avio_get_str16le() for failure + avformat/flvdec: Check for EOF in amf_skip_tag() + avformat/aiffdec: Check size before subtraction in get_aiff_header() + avformat/electronicarts: More chunk_size checks + avcodec/cfhd: check peak.offset + avformat/tedcaptionsdec: Check for overflow in parse_int() + avformat/nuv: Check channels + avformat/mpc8: Check size before implicitly converting to int + avformat/nutdec: Fix integer overflow in count computation + avformat/mvi: Use 64bit for testing dimensions + avformat/utils: Check dts in update_initial_timestamps() more + avformat/flvdec: Check for avio_read() failure in amf_get_string() + avformat/flvdec: Check for nesting depth in amf_skip_tag() + avformat/flvdec: Check for nesting depth in amf_parse_object() + avformat/asfdec_o: Check for EOF in asf_read_marker() + avformat/utils: Check dts - (1<= INT_MAX + avformat/mov: Fix memleak + avformat/mov: fix memleaks + libavformat/mov: Fix memleaks when demuxing DV audio + avformat/mov: Fix reel_name size check + avformat/mov: Fix memleak upon encountering repeating tags + avformat/matroskaenc: Don't use NULL for %s format string + avformat/webvttdec: Fix memleak upon read header failure + avformat/vplayerdec: Fix memleak upon read header failure + avformat/tedcaptionsdec: Fix memleak upon read header failure + avformat/subviewerdec: Fix memleak upon read header failure + avformat/subviewer1dec: Fix memleak upon read header failure + avformat/stldec: Fix memleak upon read header failure + avformat/srtdec: Fix memleak upon read header failure + avformat/sccdec: Fix memleak upon read header failure + avformat/samidec: Fix memleak upon read header failure + avformat/pjsdec: Fix memleak upon read header failure + avformat/mpsubdec: Fix memleak upon read header failure + avformat/mpl2dec: Fix memleak upon read header failure + avformat/microdvddec: Fix memleak upon read header failure + avformat/lrcdec: Fix memleak upon read header failure + avformat/jacosubdec: Fix memleak upon read header failure + avformat/assdec: Fix memleak upon read header failure + avformat/aqtitledec: Fix memleak upon read header failure + avformat/mov: Fix memleaks upon read_header failure + avformat/omadec: Fix memleaks upon read_header failure + avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer + avformat/matroskadec: Use right number of tracks + avformat/matroskadec: Fix handling gigantic durations + avformat/aviobuf: Don't check for overflow after it happened + avformat/apngenc: Add deinit function + avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input + avcodec/nvenc: honor max bitrate in CQ mode + avcodec/nvenc: zero avg and max bitrate in CQ mode + libavcodec/libvpxenc: Don't free user-provided AVPacket + libavcodec/libmp3lame: Don't free user-provided AVPacket + avcodec/libopusenc: Don't free user-provided AVPacket + +version 4.2.3 +- avcodec/pnmdec: Use unsigned for maxval rescaling +- avcodec/ivi: Clear got_p_frame before decoding a new frame using it +- avcodec/dsddec: Check channels +- avcodec/xvididct: Fix integer overflow in idct_row() +- avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr() +- avcodec/cbs_jpeg: Fix infinite loop in cbs_jpeg_split_fragment() +- avformat/mpegenc: Fix integer overflow with AV_NOPTS_VALUE +- avformat/swfenc: Fix integer overflow in frame rate handling +- avformat/aadec: Check toc_size to contain the minimum to demuxer uses +- avcodec/cbs_h265_syntax_template: Limit num_long_term_pics more strictly +- ffplay: set stream_index to -1 earlier to prevent segfault +- avformat/mov: Free temp buffer upon negative sample_size error. +- avformat/matroskadec: Improve forward compability +- avformat/matroskadec: Don't discard valid packets +- avformat/matroskaenc: Don't segfault when seekability changes +- avformat/utils: Fix memleaks +- avformat/utils: Fix memleaks in avformat_open_input() +- avfilter/vf_dedot: Fix leak of AVFrame if making it writable fails +- avfilter/vf_paletteuse: Fix potential double-free of AVFrame +- avformat/mov: Don't leak MOVFragmentStreamInfo on error +- avformat/mov: Free encryption data on error +- fftools/ffmpeg: Free swresample dictionary during cleanup +- avcodec/mediacodec_wrapper: fix {input,output}_buffers global reference leak +- avformat/webm_chunk: Close IO if writing header fails +- avcodec/cavsdsp: Fix undefined left shifts of negative numbers +- avcodec/ra144enc: Fix invalid left shift of negative number +- avcodec/adxenc: Avoid undefined left shift of negative numbers +- avcodec/adpcm: Fix undefined left shifts of negative numbers +- avcodec/proresenc_anatoliy: Fix invalid left shift of negative number +- avformat/aviobuf: Honor avio_open[2] documentation +- avcodec/cinepakenc: Fix invalid shifts +- avfilter/vf_xbr: Fix left shift of negative number +- avfilter/vf_hqx: Fix undefined left shifts of negative numbers +- avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers +- avcodec/ituh263dec: Fix undefined left shift of negative number +- avcodec/dnxhdenc: Fix undefined left shifts of negative numbers +- swscale/utils: Fix invalid left shifts of negative numbers +- swscale/x86/swscale: Fix undefined left shifts of negative numbers +- fftools/ffmpeg_opt: Fix signed integer overflow +- avcodec/exr: Fix undefined left shifts of negative numbers +- avformat/movenc: Fix undefined shift +- avcodec/pcm: Fix undefined shifts +- avcodec/wavpackenc: Fix undefined shifts +- avutil/encryption_info: Don't pass NULL to memcpy +- avcodec/ac3enc: Fix memleak +- avcodec/ac3enc: Fix invalid shift +- avcodec/g723_1dec: Fix invalid shift +- avcodec/tdsc: Fix undefined shifts +- avcodec/ttaenc: Fix undefined shift +- avformat/avidec: Fix memleak with embedded GAB2 subtitles +- avformat/matroskadec: Don't discard the upper 32bits of TrackNumber +- dump_extradata: Insert extradata even for small packets +- avformat/segafilmenc: Fix undefined left shift of 1 by 31 places +- avformat/wtvdec: Fix memleak when reading header fails +- avformat/dashenc: Fix leak of AVFormatContext on error +- avformat/fitsdec: Fix potential leak of string in AVBPrint +- avformat/matroskadec: Sanitize SeekHead entries +- avformat/matroskaenc: Fix memleak upon encountering bogus chapter +- avformat/matroskaenc: Make ebml_num_size() more robust +- avformat/oggenc: Don't free AVStream's priv_data, fix memleak +- avformat/utils: Fix memleak when decoding subtitle in find_stream_info +- fftools/ffmpeg_opt: Check attachment filesize +- avformat/mpeg: Don't use unintialized value +- avformat/webmdashenc: Check codec types +- avformat/webmdashenc: Fix memleak upon realloc failure +- avformat/subtitles: Don't increment packet counter prematurely +- avformat/bethsoftvid: Fix potential memleak upon reallocation failure +- avformat/smoothstreaming: Fix memleaks on errors +- avformat/matroskaenc: Check BlockAdditional size before use +- avformat/matroskaenc: Check functions that can fail +- avformat/matroskaenc: Check for reformatting errors +- avformat/matroskadec: Check before allocations +- avfilter/vf_unsharp: Don't dereference NULL +- avcodec/zmbvenc: Correct offset in buffer +- avcodec/cbs_h2645: Fix potential out-of-bounds array access +- avformat/mov: Don't allow negative sample sizes. +- mpeg4videoenc: Don't crash with -fsanitize=bounds +- avformat/mpegts: Shuffle avio_seek +- avcodec/binkaudio: Fix 2Ghz sample_rate +- avcodec/adpcm: Fix integer overflow in ADPCM THP +- avcodec/ralf: Check num_blocks before use +- avcodec/iff: Test video_size being non zero +- avcodec/utvideodec: Fix integer overflow in decode_plane() +- avcodec/ttadsp: Fix several integer overflows in tta_filter_process_c() +- avcodec/ralf: Fix integer overflow in decode_block() +- avcodec/nuv: widen buf_size type +- avcodec/iff: Fix several integer overflows +- avcodec/g729postfilter: Clip gain before scaling with AGC_FAC1 +- avcodec/alac: Fix integer overflow with 24/20bps samples +- avcodec/dstdec: Check sample rate +- avformat/thp: Require a video stream +- avformat/mpeg: Decrease score by 1 for files with very little valid data +- avcodec/pngdec: Check length in fdAT +- avcodec/g2meet: Check tile_width in epic_jb_decode_tile() +- avcodec/hapdec: Check tex_size more strictly and before using it +- avcodec/vp9dsp_template: Fix integer overflows in idct32_1d() +- avcodec/alacdsp: Fix invalid shift in append_extra_bits() +- libavcodec/wmalosslessdec: prevent sum of positive numbers from becoming negative +- avcodec/dstdec: Fix integer overflow in read_table() +- avcodec/txd: Check for input size against the header size. +- avcodec/svq1dec: Check that there is data left after the header +- avcodec/cbs_h265_syntax_template: Check num_negative/positive_pics when inter_ref_pic_set_prediction_flag is set +- avcodec/intrax8: Check for end of bitstream in ff_intrax8_decode_picture() +- avcodec/hevc_mp4toannexb_bsf: Check nalu_size +- avcodec/iff: Check length before memcpy() in decode_deep_rle32() +- avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32() +- avcodec/pngdec: Pass ret from decode_iccp_chunk() +- avcodec/rv40dsp: Fix integer overflows in rv40_weight_func_*() +- avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs() +- avcodec/flac_parser: Do not lose header count in find_headers_search() +- avcodec/audiodsp: Fix integer overflow in scalarproduct_int16_c() +- avcodec/cbs_jpeg_syntax_template: Check array index in huffman_table() +- avcodec/cbs_jpeg_syntax_template: Check table index before use in dht() +- avformat/oggdec: Check for EOF after page header +- swscale/yuv2rgb: Fix vertical dither offset with slices +- avcodec/dpcm: clip exponent into supported range in XAN DPCM +- avcodec/flacdsp_template: Fix invalid shifts in decorrelate +- avcodec/xvididct: Fix integer overflow in MULT() +- avcodec/ffwavesynth: Correct undefined overflow of PINK_UNIT +- avcodec/cbs_h264_syntax_template: fix off by 1 error with slice_group_change_cycle +- swscale/output: Fix integer overflow in yuv2rgb_write_full() with out of range input +- swscale/output: Fix integer overflow in alpha computation in yuv2gbrp16_full_X_c() +- libavformat/amr.c: Check return value from avio_read() +- libavformat/mov.c: Free aes_decrypt to avoid leaking memory +- libavformat/oggdec.c: Check return value from avio_read() +- avformat/asfdec_f: Fix overflow check in get_tag() +- avformat/nsvdec: Fix memleaks on errors while reading the header +- avcodec/ffwavesynth: Fix integer overflow in computation of ddphi +- avcodec/cbs_jpeg: Check length for SOS +- avcodec/adpcm: Fix invalid shift in AV_CODEC_ID_ADPCM_PSX +- avcodec/mpeg12dec: Fix invalid shift in mpeg2_fast_decode_block_intra() +- avcodec/cbs_h2645: Treat slices without data as invalid +- avcodec/cbs_h2645: Remove dead code to delete trailing zeroes +- avcodec/cbs_av1_syntax_template: Set seen_frame_header only after successfull uncompressed_header() +- avcodec/mpegaudioenc_template: fix invalid shift of sample +- avcodec/motion_est_template: Fix invalid shifts in no_sub_motion_search() +- libavformat/avienc: Check bits per sample for PAL8 +- avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet() +- avcodec/magicyuv: Check that there are enough lines for interlacing to be possible +- avformat/mvdec: Check stream numbers +- avcodec/pcm: Fix invalid shift in AV_CODEC_ID_PCM_LXF +- avcodec/qdm2: Check fft_coefs_index +- avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info() +- avformat/avidec: Avoid integer overflow in NI switch check +- fftools/ffmpeg: Fix integer overflow in duration computation in seek_to_start() +- avfilter/vf_aspect: Fix integer overflow in compute_dar() +- avcodec/apedec: Fix invalid shift with 24 bps +- avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index() +- avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM +- avcodec/wmalosslessdec: Fix integer overflow with sliding in padding bits +- avcodec/wmalosslessdec: Fix loop in revert_acfilter() +- avcodec/agm: YUV420 without DCT needs even dimensions +- avcodec/agm: Test remaining data in decode_raw_intra_rgb() +- avcodec/lagarith: Sanity check scale +- avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950() +- avcodec/ralf: Fix integer overflow in apply_lpc() +- avcodec/dca_lbr: Fix some error codes and error passing +- avcodec/wmavoice: Fix rounding and integer anomalies in calc_input_response() +- avcodec/wmavoice: sanity check block_align +- avcodec/pcm: Fix invalid shift in pcm_decode_frame for LXF +- avcodec/snappy: Sanity check bytestream2_get_levarint() +- avcodec/mlpdsp: Fix a invalid shift in ff_mlp_rematrix_channel() +- avcodec/avdct: Clear IDCTDSPContext context +- avcodec/x86/diracdsp: Fix high bits on Windows x86_64 +- tests/fate/lavf-video.mak: fix fate-lavf-gif dependencies +- avformat/mov: Check STCO location +- avcodec/wmalosslessdec: Fix multiple integer overflows +- avcodec/apedec: Fix undefined integer overflow in decode_array_0000() +- avcodec/smacker: Check space before decoding type +- avcodec/rawdec: Use linesize in b64a +- avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM +- avcodec/x86/diracdsp: Fix incorrect src addressing in dequant_subband_32() +- avfilter/vf_find_rect: Remove assert +- avfilter/vf_find_rect: Increase worst case score +- swscale/input: Fix several invalid shifts related to rgb2yuv constants +- swscale/output: Fix several invalid shifts in yuv2rgb_full_1_c_template() +- swscale/swscale: Fix several invalid shifts related to vChrDrop +- avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow +- avcodec/hevc_mp4toannexb_bsf: Avoid NULL memcpy() +- avcodec/cbs_av1: Check leb128 values read +- avcodec/wmalosslessdec: move channel check up +- avcodec/cbs_h2645: Skip all 0 NAL units +- avcodec/adpcm: Fix overflow in FFABS() IMA_EA_EACS +- avcodec/alac: Fix integer overflow in LPC coefficient adaption +- avcodec/g729postfilter: Optimize out overflowing multiplication from apply_tilt_comp() +- avcodec/vc1dec: Check field_mode for sprites +- avcodec/vc1dec: Limit bits by the actual bitstream size +- avcodec/vmdaudio: Check block_align more +- configure: bump year +- avcodec/pgssubdec: Free subtitle on error +- avcodec/nvenc: use framerate if available +- avcodec/cbs_h265: fix writing extension_data bits +- avcodec/nvenc: offset dts to account for b-frame reordering +- Revert "avformat/rtp: Pass sources and block filter addresses via sdp file for rtp" +- avformat/matroskadec: Fix default value of BlockAddID +- avformat/dashdec: Don't allocate and leak strings that are never used +- avformat/matroskaenc: Write level 1 elements in one go +- avformat/rtp: Pass sources and block filter addresses via sdp file for rtp +- avformat/bintext: avoid division by zero + + +version 4.2.2 +- cbs_mpeg2: Fix parsing the last unit +- cbs_mpeg2: Rearrange start code search +- cbs_mpeg2: Decompose Sequence End +- cbs_mpeg2: Fix parsing of picture and slice headers +- cbs: Remove useless initializations +- mpeg2_metadata, cbs_mpeg2: Fix handling of colour_description +- lavc/cbs_h2645_syntax_template: Fix memleak +- avcodec/cbs: Fix potential overflow +- avcodec/cbs: Factor out common code for writing units +- avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample() +- avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample() +- avcodec/cook: Use 3 stage VLC decoding for channel_coupling +- avcodec/wmalosslessdec: Fixes undefined overflow in dequantization in decode_subframe() +- avcodec/sonic: Check e in get_symbol() +- avcodec/twinvqdec: Correct overflow in block align check +- avcodec/vc1dec: Fix "return -1" cases +- avcodec/vc1dec: Free sprite_output_frame on error +- avcodec/atrac9dec: Clamp band_ext_data to max that can be read if skipped. +- avcodec/agm: Include block size in the MV check for flags == 3 +- avcodec/wmadec: Keep track of exponent initialization per channel +- avcodec/iff: Check that video_size is large enough for the read parameters +- avcodec/cbs_vp9: Check data_size +- avcodec/cbs_vp9: Check index_size +- avcodec/adpcm: Clip predictor for APC +- avcodec/targa: Check colors vs. available space +- avcodec/dstdec: Use get_ur_golomb_jpegls() +- avcodec/wmavoice: Check remaining input in parse_packet_header() +- avcodec/wmalosslessdec: Fix 2 overflows in mclms +- avcodec/wmaprodec: Fixes integer overflow with 32bit samples +- avcodec/adpcm: Fix invalid shift in xa_decode() +- avcodec/wmalosslessdec: Fix several integer issues +- avcodec/wmalosslessdec: Check that padding bits is not more than sample bits +- avcodec/iff: Skip overflowing runs in decode_delta_d() +- avcodec/pnm: Check that the header is not truncated +- avcodec/mp3_header_decompress_bsf: Check sample_rate_index +- avcodec/cbs_av1_syntax_template: Check num_y_points +- avformat/rmdec: Initialize and sanity check offset in ivr_read_header() +- avcodec/agm: Do not allow MVs out of the picture area as no edge is allocated +- avcodec/apedec: Fix 2 integer overflows +- avformat/id3v2: Fix double-free on error +- avcodec/wmaprodec: Set packet_loss when we error out on a sanity check +- avcodec/wmaprodec: Check offset +- avcodec/truemotion2: Fix 2 integer overflows in tm2_low_res_block() +- avcodec/wmaprodec: Check if the channel sum of all internal contexts match the external +- avcodec/atrac9dec: Check q_unit_cnt more completely before using it to access at9_tab_band_ext_group +- avcodec/fitsdec: Use lrint() +- avcodec/g729dec: Avoid using buf_size +- avcodec/g729dec: Factor block_size out +- avcodec/g729dec: require buf_size to be non 0 +- avcodec/alac: Fix integer overflow in lpc_prediction() with sign +- avcodec/wmaprodec: Fix buflen computation in save_bits() +- avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv() +- avcodec/vmdaudio: Check chunk counts to avoid integer overflow +- avformat/mxfdec: Clear metadata_sets_count in mxf_read_close() +- avcodec/nuv: Use ff_set_dimensions() +- avformat/vividas: Error out on audio packets in the absence of audio streams +- avformat/vividas: Check and require 1 video stream +- avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next +- avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel() +- avcodec/g729dec: Use 64bit and clip in scalar product +- avcodec/mxpegdec: Check for multiple SOF +- avcodec/nuv: Move comptype check up +- avcodec/wmavoice: Fix integer overflow in synth_frame() +- avcodec/rawdec: Check bits_per_coded_sample more pedantically for 16bit cases +- avutil/lfg: Correct index increment type to avoid undefined behavior +- avcodec/cngdec: Remove AV_CODEC_CAP_DELAY +- avcodec/iff: Move index use after check in decodeplane8() +- avcodec/atrac3: Check for huge block aligns +- avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block() +- avcodec/wmadec: Require previous exponents for reuse +- avcodec/vc1_block: Fix undefined behavior in ac prediction rescaling +- avcodec/qdm2: The smallest header seems to have 2 bytes so treat 1 as invalid +- avcodec/apedec: Fixes integer overflow of res+*data in do_apply_filter() +- avcodec/sonic: Fix integer overflow in predictor_calc_error() +- avformat/vividas: Add EOF check in val_1 loop in track_header() +- avcodec/atrac9dec: Check precision_fine/coarse +- avformat/mp3dec: Check that the frame fits within the probe buffer +- vcodec/agm: Alloc based on coded dimensions +- avcodec/wmaprodec: get frame during frame decode +- avcodec/interplayacm: Fix overflow of last unused value +- avcodec/adpcm: Fix undefined behavior with negative predictions in IMA OKI +- avcodec/cook: Move up and extend block_align check +- avcodec/sbcdec: Fix integer overflows in sbc_synthesize_four() +- avcodec/twinvq: Check block_align +- avcodec/cook: Enlarge gain table +- avcodec/cook: Check samples_per_channel earlier +- avcodec/atrac3plus: Check split point in fill mode 3 +- avcodec/wmavoice: Check sample_rate +- avcodec/xsubdec: fix overflow in alpha handling +- avcodec/iff: Check available space before entering loop in decode_long_vertical_delta2() / decode_long_vertical_delta() +- avcodec/apedec: Fix integer overflow in filter_3800() +- avutil/lfg: Document the AVLFG struct +- avcodec/ffv1dec: Use a different error message for the slice level CRC +- avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() +- avcodec/dstdec: Check that AC probabilities are within range +- avcodec/dstdec: Check read_table() for failure +- avformat/vividas: Fix n_sb_blocks Check +- avcodec/snowenc: Set mb_num to avoid ratecontrol floating point divisions by 0.0 +- avcodec/snowenc: Fix 2 undefined shifts +- avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags() +- avcodec/aptx: Check the number of channels +- avcodec/aacdec_template: Check samplerate +- avcodec/truemotion2: Fix several integer overflows in tm2_low_res_block() +- avcodec/utils: Check block_align +- avcodec/wmalosslessdec: Fix some integer anomalies +- avcodec/adpcm: Fix invalid shifts in ADPCM DTK +- avcodec/apedec: Only clear the needed buffer space, instead of all +- avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads +- avcodec/g723_1dec: fix invalid shift with negative sid_gain +- avcodec/vp5: Check render_x/y +- avcodec/hcom: Check the root entry and the right entries +- avcodec/qdrw: Check input for header/skiped space before get_buffer() +- avcodec/ralf: Skip initializing unused filter variables +- avcodec/takdec: Fix overflow with large sample rates +- avcodec/atrac9dec: Set channels +- avcodec/alsdec: Check that input space for header exists in read_diff_float_data() +- avformat/pjsdec: Check duration for overflow +- avcodec/agm: Check for reference frame earlier +- avcodec/ptx: Check that the input contains at least one line +- avcodec/alac: Fix integer overflow in LPC +- avcodec/smacker: Fix integer overflows in pred[] in smka_decode_frame() +- avcodec/aliaspixdec: Check input size against minimal picture size +- avcodec/ffwavesynth: Fix integer overflows in pink noise addition +- avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv() +- avcodec/wmalosslessdec: Check block_align +- avcodec/g729dec: Avoid computing invalid temporary pointers for ff_acelp_weighted_vector_sum() +- avcodec/g729postfilter: Fix left shift of negative value +- avcodec/binkaudio: Check sample rate +- avcodec/sbcdec: Fix integer overflows in sbc_synthesize_eight() +- avcodec/adpcm: Check initial predictor for ADPCM_IMA_EA_EACS +- avcodec/g723_1dec: Fix overflow in shift +- avcodec/apedec: Fix integer overflow in predictor_update_3930() +- avcodec/g729postfilter: Fix undefined intermediate pointers +- avcodec/g729postfilter: Fix undefined shifts +- avcodec/lsp: Fix undefined shifts in lsp2poly() +- avcodec/adpcm: Fix left shifts in AV_CODEC_ID_ADPCM_EA +- avformat/shortendec: Check k in probe +- avfilter/vf_geq: Use av_clipd() instead of av_clipf() +- avcodec/wmaprodec: Check that the streams channels do not exceed the overall channels +- avcodec/qdmc: Check input space in qdmc_get_vlc() +- avcodec/wmaprodec: Fix cleanup on error +- avcodec/pcm: Check bits_per_coded_sample +- avcodec/exr: Allow duplicate use of channel indexes +- avcodec/fitsdec: Fail on 0 naxisn +- avcodec/dxv: Subtract 12 earlier in dxv_decompress_cocg() +- libavcodec/dxv: Remove redundant seek +- avcodec/ituh263dec: Check input for minimal frame size +- avcodec/truemotion1: Check that the input has enough space for a minimal index_stream +- avformat/mpsubdec: Clear queue on error +- avcodec/sunrast: Check that the input is large enough for the maximally compressed image +- avcodec/sunrast: Check for availability of maplength before allocating image +- avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize() +- avcodec/vc1_block: Fix invalid left shift in vc1_decode_p_mb() +- avcodec/wmaprodec: Check if there is a stream +- avcodec/g2meet: Check for end of input in jpg_decode_block() +- avcodec/g2meet: Check if adjusted pixel was on the stack +- avformat/electronicarts: If no packet has been read at the end do not treat it as if theres a packet +- avcodec/dxv: Check op_offset in dxv_decompress_yo() +- avcodec/utils: Check sample_rate before opening the decoder +- avcodec/aptx: Fix multiple shift anomalies +- avcodec/fitsdec: fix use of uninitialised values +- avcodec/motionpixels: Mark 2 functions as always_inline +- avcodec/ituh263dec: Make the condition for the studio slice start code match between ff_h263_resync() and ff_mpeg4_decode_studio_slice_header() +- avcodec/ralf: Fix integer overflow in decode_channel() +- vcodec/vc1: compute rangex/y only for P/B frames +- avcodec/vc1_pred: Fix invalid shifts in scaleforopp() +- avcodec/vc1_block: Fix invalid shift with rangeredfrm +- avcodec/vc1: Check for excessive resolution +- avcodec/vc1: check REFDIST +- avcodec/apedec: Fix several integer overflows in predictor_update_filter() and do_apply_filter() +- avcodec/hevc_cabac: Tighten the limit on k in ff_hevc_cu_qp_delta_abs() +- avcodec/4xm: Check index in decode_i_block() also in the path where its not used. +- avcodec/loco: Check for end of input in the first line +- avcodec/atrac3: Check block_align +- avcodec/alsdec: Avoid dereferencing context pointer in inner interleave loop +- avcodec/hcom: Check that there are dictionary entries +- avcodec/fitsdec: Prevent division by 0 with huge data_max +- avcodec/dstdec: Fix integer overflow in samples_per_frame computation +- avcodec/g729_parser: Check block_size +- avcodec/sbcdec: Initialize number of channels +- avcodec/utils: Optimize ff_color_frame() using memcpy() +- avcodec/aacdec: Check if we run out of input in read_stream_mux_config() +- avcodec/utils: Use av_memcpy_backptr() in ff_color_frame() +- avcodec/smacker: Fix integer overflow in signed int multiply in SMK_BLK_FILL +- avcodec/alac: Fix invalid shifts in 20/24 bps +- avcodec/alac: fix undefined behavior with INT_MIN in lpc_prediction() +- avcodec/ffwavesynth: Fix integer overflow in timestamps +- avformat/vividas: Test size and packet numbers a bit more +- avformat/vividas: Check n_sb_blocks against input space +- avcodec/dxv: Check op_offset in both directions +- avcodec/adpcm: Check number of channels for MTAF +- avcodec/sunrast: Fix indention +- avcodec/sunrast: Fix return type for "unsupported (compression) type" +- avcodec/utils: Check channels fully earlier +- avformat/mov: Check for EOF in mov_read_meta() +- avcodec/hevcdec: Fix memleak of a53_caption +- avformat/vividas: Remove align offset which is always masked off +- avformat/vividas: remove dead assignment +- avformat/cdxl: Fix integer overflow in intermediate +- avcodec/hevcdec: repeat character in skiped +- repeat an even number of characters in occured +- avcodec/gdv: Replace assert() checking bitstream by if() +- libavcodec/utils: Free threads on init failure +- avcodec/htmlsubtitles: Avoid locale dependant isdigit() +- avcodec/alsdec: Check k from being outside what our implementation can handle +- avcodec/takdec: Fix integer overflow in decorrelate() +- avcodec/aacps: Fix integer overflows in hybrid_synthesis() +- avcodec/mpeg4videodec: Fix integer overflow in mpeg4_decode_studio_block() +- avcodec/vp56rac: delay signaling an error on truncated input +- avcodec/pnm_parser: Use memchr() in pnm_parse() +- tests: Fix bash errors in lavf_container tests. +- avformat/matroskadec: Fix use-after-free when demuxing ProRes +- avformat/matroskadec: Fix demuxing ProRes +- avcodec/cbs_av1: fix array size for ar_coeffs_cb_plus_128 and ar_coeffs_cr_plus_128 +- avcodec/cbs_av1: avoid reading trailing bits when obu type is OBU_TILE_LIST +- lavc/cbs_h2645: Fix incorrect max size of nalu unit +- avcodec/extract_extradata_bsf: Don't unref uninitialized buffers +- avformat/av1: Fix leak of dynamic buffer in case of parsing failure +- libavformat/rtsp: return error if rtsp_hd_out is null instead of crash +- cbs_h264: Fix missing inferred colour description fields +- avcodec/cbs_av1: keep separate reference frame state for reading and writing +- avcodec/cbs_av1: fix reading reference order hint in skip_mode_params() +- avcodec/amfnec: allocate packets using av_new_packet() +- avcodec/nvenc: make sure newly allocated packets are refcounted +- lavc/mpeg4audio: add chan_config check to avoid indeterminate channels +- aformat/movenc: add missing padding to output track extradata +- avcodec/nvenc: add driver version info for SDK 9.1 +- avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it + +version 4.2.1: +- avformat/vividas: check for tiny blocks using alignment +- avcodec/vc1_pred: Fix refdist in scaleforopp() +- avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2 +- avcodec/iff: Check for overlap in cmap_read_palette() +- avcodec/apedec: Fix 32bit int overflow in do_apply_filter() +- lavf/rawenc: Only accept the appropriate stream type for raw muxers. +- avformat/matroskadec: use av_fast_realloc to reallocate ebml list arrays +- avformat/matroskadec: use proper types for some EbmlSyntax fields +- avcodec/ralf: fix undefined shift in extend_code() +- avcodec/ralf: fix undefined shift +- avcodec/bgmc: Check input space in ff_bgmc_decode_init() +- avcodec/vp3: Check for end of input in 2 places of vp4_unpack_macroblocks() +- avcodec/truemotion2: Fix multiple integer overflows in tm2_null_res_block() +- avcodec/vc1_block: Check the return code from vc1_decode_p_block() +- avcodec/vc1dec: Require res_sprite for wmv3images +- avcodec/vc1_block: Check for double escapes +- avcodec/vorbisdec: Check get_vlc2() failure +- avcodec/tta: Fix integer overflow in prediction +- avcodec/vb: Check input packet size to be large enough to contain flags +- avcodec/cavsdec: Limit the number of access units per packet to 2 +- avcodec/atrac9dec: Check block_align +- avcodec/alac: Check for bps of 0 +- avcodec/alac: Fix multiple integer overflows in lpc_prediction() +- avcodec/rl2: set dimensions +- avcodec/aacdec: Add FF_CODEC_CAP_INIT_CLEANUP +- avcodec/idcinvideo: Add 320x240 default maximum resolution +- avformat/realtextdec: free queue on error +- avcodec/vp5/6/8: use vpX_rac_is_end() +- avformat/vividas: Check av_xiphlacing() return value before use +- avcodec/alsdec: Fix integer overflow in decode_var_block_data() +- avcodec/alsdec: Limit maximum channels to 512 +- avcodec/anm: Check input size for a frame with just a stop code +- avcodec/flicvideo: Optimize and Simplify FLI_COPY in flic_decode_frame_24BPP() by using bytestream2_get_buffer() +- avcodec/loco: Check left column value +- avcodec/ffwavesynth: Fixes invalid shift with pink noise seeking +- avcodec/ffwavesynth: Fix integer overflow for some corner case values +- avcodec/indeo2: Check remaining input more often +- avcodec/diracdec: Check that slices are fewer than pixels +- avcodec/vp56: Consider the alpha start as end of the prior header +- avcodec/4xm: Check for end of input in decode_p_block() +- avcodec/hevcdec: Check delta_luma_weight_l0/1 +- avcodec/hnm4video: Optimize postprocess_current_frame() +- avcodec/hevc_refs: Optimize 16bit generate_missing_ref() +- avcodec/scpr: Use av_memcpy_backptr() in type 17 and 33 +- avcodec/tiff: Enforce increasing offsets +- avcodec/dds: Use ff_set_dimensions() +- avformat/vividas: Fix another infinite loop +- avformat/vividas: Fix infinite loop in header parser +- avcodec/mpc8: Fix 32bit mask/enum +- avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data() +- avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks() +- avcodec/alsdec: fix mantisse shift +- avcodec/pngdec: consider chunk size in minimal size check +- avcodec/vc1_block: Fix invalid shifts in vc1_decode_i_blocks() +- avcodec/vc1_block: fix invalid shift in vc1_decode_p_mb() +- avcodec/aacdec_template: fix integer overflow in imdct_and_windowing() +- avformat/mpegts: Check if ready on SCTE reception +- avcodec/omx: fix xFramerate calculation +- avformat/avidec: add support for recognizing HEVC fourcc when demuxing +- avformat/mpegts: fix teletext PTS when selecting teletext streams only +- avcodec/h2645_parse: zero initialize the rbsp buffer +- avcodec/omx: Fix handling of fragmented buffers +- avcodec/omx: ensure zerocopy mode can be disabled on rpi builds +- avformat/mxfdec: do not ignore bad size errors +- avformat/matroskadec: Fix seeking +- ffplay: properly detect all window size changes + version 4.2: - tpad filter - AV1 decoding support through libdav1d @@ -36,6 +1517,7 @@ version 4.2: - derain filter - deesser filter - mov muxer writes tracks with unspecified language instead of English by default +- add support for using clang to compile CUDA kernels version 4.1: diff --git a/INSTALL.md b/INSTALL.md index 3b220bc6ff..bdf5814014 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -15,3 +15,11 @@ NOTICE ------ - Non system dependencies (e.g. libx264, libvpx) are disabled by default. + +NOTICE for Package Maintainers +------------------------------ + + - It is recommended to build FFmpeg twice, first with minimal external dependencies so + that 3rd party packages, which depend on FFmpegs libavutil/libavfilter/libavcodec/libavformat + can then be built. And last build FFmpeg with full dependancies (which may in turn depend on + some of these 3rd party packages). This avoids circular dependencies during build. diff --git a/MAINTAINERS b/MAINTAINERS index 88b0109f22..f63be9667b 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -569,10 +569,12 @@ wm4 Releases ======== +7.0 Michael Niedermayer +6.1 Michael Niedermayer +5.1 Michael Niedermayer +4.4 Michael Niedermayer +3.4 Michael Niedermayer 2.8 Michael Niedermayer -2.7 Michael Niedermayer -2.6 Michael Niedermayer -2.5 Michael Niedermayer If you want to maintain an older release, please contact us @@ -601,6 +603,7 @@ Jean Delvare 7CA6 9F44 60F1 BDC4 1FD2 C858 A552 6B9B B3CD 4E6A Loren Merritt ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE Lou Logan (llogan) 7D68 DC73 CBEF EABB 671A B6CF 621C 2E28 82F8 DC3A Michael Niedermayer 9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB + DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64 Nicolas George 24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93 Nikolay Aleksandrov 8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1 Panagiotis Issaris 6571 13A3 33D9 3726 F728 AA98 F643 B12E ECF3 E029 diff --git a/RELEASE b/RELEASE index e3dcbea35c..7cac850784 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.git +4.2.11 diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..2c7fdb2c26 --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 4.2 "Ada" │ + └────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 4.2 "Ada", about 8 + months after the release of FFmpeg 4.1. + + A complete Changelog is available at the root of the project, and the + complete Git history on https://git.ffmpeg.org/gitweb/ffmpeg.git + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask + on the mailing-lists. diff --git a/compat/cuda/cuda_runtime.h b/compat/cuda/cuda_runtime.h new file mode 100644 index 0000000000..92c55ad859 --- /dev/null +++ b/compat/cuda/cuda_runtime.h @@ -0,0 +1,131 @@ +/* + * Minimum CUDA compatibility definitions header + * + * Copyright (c) 2019 Rodger Combs + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef COMPAT_CUDA_CUDA_RUNTIME_H +#define COMPAT_CUDA_CUDA_RUNTIME_H + +// Common macros +#define __global__ __attribute__((global)) +#define __device__ __attribute__((device)) +#define __device_builtin__ __attribute__((device_builtin)) +#define __align__(N) __attribute__((aligned(N))) +#define __inline__ __inline__ __attribute__((always_inline)) + +#define max(a, b) ((a) > (b) ? (a) : (b)) +#define min(a, b) ((a) < (b) ? (a) : (b)) +#define abs(x) ((x) < 0 ? -(x) : (x)) + +#define atomicAdd(a, b) (__atomic_fetch_add(a, b, __ATOMIC_SEQ_CST)) + +// Basic typedefs +typedef __device_builtin__ unsigned long long cudaTextureObject_t; + +typedef struct __device_builtin__ __align__(2) uchar2 +{ + unsigned char x, y; +} uchar2; + +typedef struct __device_builtin__ __align__(4) ushort2 +{ + unsigned short x, y; +} ushort2; + +typedef struct __device_builtin__ uint3 +{ + unsigned int x, y, z; +} uint3; + +typedef struct uint3 dim3; + +typedef struct __device_builtin__ __align__(8) int2 +{ + int x, y; +} int2; + +typedef struct __device_builtin__ __align__(4) uchar4 +{ + unsigned char x, y, z, w; +} uchar4; + +typedef struct __device_builtin__ __align__(8) ushort4 +{ + unsigned char x, y, z, w; +} ushort4; + +typedef struct __device_builtin__ __align__(16) int4 +{ + int x, y, z, w; +} int4; + +// Accessors for special registers +#define GETCOMP(reg, comp) \ + asm("mov.u32 %0, %%" #reg "." #comp ";" : "=r"(tmp)); \ + ret.comp = tmp; + +#define GET(name, reg) static inline __device__ uint3 name() {\ + uint3 ret; \ + unsigned tmp; \ + GETCOMP(reg, x) \ + GETCOMP(reg, y) \ + GETCOMP(reg, z) \ + return ret; \ +} + +GET(getBlockIdx, ctaid) +GET(getBlockDim, ntid) +GET(getThreadIdx, tid) + +// Instead of externs for these registers, we turn access to them into calls into trivial ASM +#define blockIdx (getBlockIdx()) +#define blockDim (getBlockDim()) +#define threadIdx (getThreadIdx()) + +// Basic initializers (simple macros rather than inline functions) +#define make_uchar2(a, b) ((uchar2){.x = a, .y = b}) +#define make_ushort2(a, b) ((ushort2){.x = a, .y = b}) +#define make_uchar4(a, b, c, d) ((uchar4){.x = a, .y = b, .z = c, .w = d}) +#define make_ushort4(a, b, c, d) ((ushort4){.x = a, .y = b, .z = c, .w = d}) + +// Conversions from the tex instruction's 4-register output to various types +#define TEX2D(type, ret) static inline __device__ void conv(type* out, unsigned a, unsigned b, unsigned c, unsigned d) {*out = (ret);} + +TEX2D(unsigned char, a & 0xFF) +TEX2D(unsigned short, a & 0xFFFF) +TEX2D(uchar2, make_uchar2(a & 0xFF, b & 0xFF)) +TEX2D(ushort2, make_ushort2(a & 0xFFFF, b & 0xFFFF)) +TEX2D(uchar4, make_uchar4(a & 0xFF, b & 0xFF, c & 0xFF, d & 0xFF)) +TEX2D(ushort4, make_ushort4(a & 0xFFFF, b & 0xFFFF, c & 0xFFFF, d & 0xFFFF)) + +// Template calling tex instruction and converting the output to the selected type +template +static inline __device__ T tex2D(cudaTextureObject_t texObject, float x, float y) +{ + T ret; + unsigned ret1, ret2, ret3, ret4; + asm("tex.2d.v4.u32.f32 {%0, %1, %2, %3}, [%4, {%5, %6}];" : + "=r"(ret1), "=r"(ret2), "=r"(ret3), "=r"(ret4) : + "l"(texObject), "f"(x), "f"(y)); + conv(&ret, ret1, ret2, ret3, ret4); + return ret; +} + +#endif /* COMPAT_CUDA_CUDA_RUNTIME_H */ diff --git a/compat/cuda/dynlink_loader.h b/compat/cuda/dynlink_loader.h index 9f93465088..ca79e604c7 100644 --- a/compat/cuda/dynlink_loader.h +++ b/compat/cuda/dynlink_loader.h @@ -16,8 +16,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#ifndef AV_COMPAT_CUDA_DYNLINK_LOADER_H -#define AV_COMPAT_CUDA_DYNLINK_LOADER_H +#ifndef COMPAT_CUDA_DYNLINK_LOADER_H +#define COMPAT_CUDA_DYNLINK_LOADER_H #include "libavutil/log.h" #include "compat/w32dlfcn.h" @@ -30,4 +30,4 @@ #include -#endif +#endif /* COMPAT_CUDA_DYNLINK_LOADER_H */ diff --git a/configure b/configure index 5a4f507246..28f3a59b41 100755 --- a/configure +++ b/configure @@ -322,6 +322,7 @@ External library support: --disable-amf disable AMF video encoding code [autodetect] --disable-audiotoolbox disable Apple AudioToolbox code [autodetect] --enable-cuda-nvcc enable Nvidia CUDA compiler [no] + --disable-cuda-llvm disable CUDA compilation using clang [autodetect] --disable-cuvid disable Nvidia CUVID support [autodetect] --disable-d3d11va disable Microsoft Direct3D 11 video acceleration code [autodetect] --disable-dxva2 disable Microsoft DirectX 9 video acceleration code [autodetect] @@ -370,7 +371,7 @@ Toolchain options: --cxx=CXX use C compiler CXX [$cxx_default] --objcc=OCC use ObjC compiler OCC [$cc_default] --dep-cc=DEPCC use dependency generator DEPCC [$cc_default] - --nvcc=NVCC use Nvidia CUDA compiler NVCC [$nvcc_default] + --nvcc=NVCC use Nvidia CUDA compiler NVCC or clang [$nvcc_default] --ld=LD use linker LD [$ld_default] --pkg-config=PKGCONFIG use pkg-config tool PKGCONFIG [$pkg_config_default] --pkg-config-flags=FLAGS pass additional flags to pkgconf [] @@ -406,7 +407,9 @@ Advanced options (experts only): --enable-hardcoded-tables use hardcoded tables instead of runtime generation --disable-safe-bitstream-reader disable buffer boundary checking in bitreaders - (faster, but may crash) + (This disables some security checks and can cause undefined behavior, + crashes and arbitrary code execution, it may be faster, but + should only be used with trusted input) --sws-max-filter-size=N the max filter size swscale uses [$sws_max_filter_size_default] Optimization options (experts only): @@ -525,7 +528,7 @@ die(){ If you think configure made a mistake, make sure you are using the latest version from Git. If the latest version fails, report the problem to the -ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net. +ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat. EOF if disabled logging; then cat <= 0x0a090500" || die "ERROR: Decklink API version must be >= 10.9.5."; } } @@ -6350,7 +6388,7 @@ fi if enabled sdl2; then SDL2_CONFIG="${cross_prefix}sdl2-config" - test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 2.1.0" SDL_events.h SDL_PollEvent + test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 3.0.0" SDL_events.h SDL_PollEvent if disabled sdl2 && "${SDL2_CONFIG}" --version > /dev/null 2>&1; then sdl2_cflags=$("${SDL2_CONFIG}" --cflags) sdl2_extralibs=$("${SDL2_CONFIG}" --libs) @@ -6396,20 +6434,24 @@ perl -v > /dev/null 2>&1 && enable perl || disable perl pod2man --help > /dev/null 2>&1 && enable pod2man || disable pod2man rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || disable rsync_contimeout -# check V4L2 codecs available in the API check_headers linux/fb.h check_headers linux/videodev2.h test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete -check_cc v4l2_m2m linux/videodev2.h "int i = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_VIDEO_M2M | V4L2_BUF_FLAG_LAST;" -check_cc vc1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VC1_ANNEX_G;" -check_cc mpeg1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG1;" -check_cc mpeg2_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG2;" -check_cc mpeg4_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG4;" -check_cc hevc_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_HEVC;" -check_cc h263_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_H263;" -check_cc h264_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_H264;" -check_cc vp8_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VP8;" -check_cc vp9_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VP9;" +test_code cc sys/ioctl.h "int ioctl(int, int, ...)" && enable posix_ioctl + +# check V4L2 codecs available in the API +if enabled v4l2_m2m; then + check_cc v4l2_m2m linux/videodev2.h "int i = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_VIDEO_M2M | V4L2_BUF_FLAG_LAST;" + check_cc vc1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VC1_ANNEX_G;" + check_cc mpeg1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG1;" + check_cc mpeg2_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG2;" + check_cc mpeg4_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG4;" + check_cc hevc_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_HEVC;" + check_cc h263_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_H263;" + check_cc h264_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_H264;" + check_cc vp8_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VP8;" + check_cc vp9_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VP9;" +fi check_headers sys/videoio.h test_code cc sys/videoio.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete @@ -6443,7 +6485,7 @@ enabled alsa && check_pkg_config alsa alsa "alsa/asoundlib.h" snd_pcm_htimestamp enabled libjack && require_pkg_config libjack jack jack/jack.h jack_port_get_latency_range -enabled sndio && check_lib sndio sndio.h sio_open -lsndio +enabled sndio && check_pkg_config sndio sndio sndio.h sio_open if enabled libcdio; then check_pkg_config libcdio libcdio_paranoia "cdio/cdda.h cdio/paranoia.h" cdio_cddap_open || @@ -6536,7 +6578,7 @@ enabled crystalhd && check_lib crystalhd "stdint.h libcrystalhd/libcrystalhd_if. if enabled x86; then case $target_os in - mingw32*|mingw64*|win32|win64|linux|cygwin*) + freebsd|mingw32*|mingw64*|win32|win64|linux|cygwin*) ;; *) disable ffnvcodec cuvid nvdec nvenc @@ -6701,16 +6743,6 @@ if [ -z "$optflags" ]; then fi fi -if [ -z "$nvccflags" ]; then - nvccflags=$nvccflags_default -fi - -if enabled x86_64 || enabled ppc64 || enabled aarch64; then - nvccflags="$nvccflags -m64" -else - nvccflags="$nvccflags -m32" -fi - check_optflags(){ check_cflags "$@" enabled lto && check_ldflags "$@" @@ -7374,7 +7406,7 @@ cat > $TMPH <.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-volume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{content:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% \9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media (min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padding:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid #ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px \9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success .form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] .btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info .badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid #ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager .disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and (min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover .list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger .list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" ";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media (max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} + *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-volume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{content:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% \9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media (min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padding:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid #ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px \9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success .form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] .btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info .badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid #ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager .disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and (min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover .list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger .list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" ";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media (max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} diff --git a/doc/developer.texi b/doc/developer.texi index 5c342c9106..2f5fd085ff 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -759,6 +759,25 @@ In case you need finer control over how valgrind is invoked, use the @code{--target-exec='valgrind } option in your configure line instead. +@anchor{Maintenance} +@chapter Maintenance process + +@anchor{MAINTAINERS} +@section MAINTAINERS + +The developers maintaining each part of the codebase are listed in @file{MAINTAINERS}. +Being listed in @file{MAINTAINERS}, gives one the right to have git write access to +the specific repository. + +@anchor{Becoming a maintainer} +@section Becoming a maintainer + +People add themselves to @file{MAINTAINERS} by sending a patch like any other code +change. These get reviewed by the community like any other patch. It is expected +that, if someone has an objection to a new maintainer, she is willing to object +in public with her full name and is willing to take over maintainership for the area. + + @anchor{Release process} @chapter Release process diff --git a/doc/examples/vaapi_transcode.c b/doc/examples/vaapi_transcode.c index 279d20f636..812c96f5b7 100644 --- a/doc/examples/vaapi_transcode.c +++ b/doc/examples/vaapi_transcode.c @@ -221,10 +221,8 @@ static int dec_enc(AVPacket *pkt, AVCodec *enc_codec) fail: av_frame_free(&frame); - if (ret < 0) - return ret; } - return 0; + return ret; } int main(int argc, char **argv) diff --git a/doc/fate_config.sh.template b/doc/fate_config.sh.template index ab1bda45e4..ab990c3a58 100644 --- a/doc/fate_config.sh.template +++ b/doc/fate_config.sh.template @@ -1,5 +1,5 @@ slot= # some unique identifier -repo=git://source.ffmpeg.org/ffmpeg.git # the source repository +repo=https://git.ffmpeg.org/ffmpeg.git # the source repository #branch=release/2.6 # the branch to test samples= # path to samples directory workdir= # directory in which to do all the work diff --git a/doc/git-howto.texi b/doc/git-howto.texi index 2b4fb80233..8aa9b7cffa 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -53,7 +53,7 @@ Most distribution and operating system provide a package for it. @section Cloning the source tree @example -git clone git://source.ffmpeg.org/ffmpeg +git clone https://git.ffmpeg.org/ffmpeg.git @end example This will put the FFmpeg sources into the directory @var{}. @@ -143,7 +143,7 @@ git log @end example You may also use the graphical tools like @command{gitview} or @command{gitk} -or the web interface available at @url{http://source.ffmpeg.org/}. +or the web interface available at @url{https://git.ffmpeg.org/ffmpeg.git}. @section Checking source tree status @@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions. git add [-i|-p|-A] @end example -Make sure you have told Git your name and email address +Make sure you have told Git your name, email address and GPG key @example git config --global user.name "My Name" git config --global user.email my@@email.invalid +git config --global user.signingkey ABCDEF0123245 +@end example + +Enable signing all commits or use -S + +@example +git config --global commit.gpgsign true @end example Use @option{--global} to set the global configuration for all your Git checkouts. @@ -393,6 +400,19 @@ git checkout -b svn_23456 $SHA1 where @var{$SHA1} is the commit hash from the @command{git log} output. +@chapter gpg key generation + +If you have no gpg key yet, we recommend that you create a ed25519 based key as it +is small, fast and secure. Especially it results in small signatures in git. + +@example +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com" +@end example + +When generating a key, make sure the email specified matches the email used in git as some sites like +github consider mismatches a reason to declare such commits unverified. After generating a key you +can add it to the MAINTAINER file and upload it to a keyserver. + @chapter Pre-push checklist Once you have a set of commits that you feel are ready for pushing, diff --git a/doc/t2h.pm b/doc/t2h.pm index e83d564a65..b7485e1f1e 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm @@ -20,8 +20,45 @@ # License along with FFmpeg; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Texinfo 7.0 changed the syntax of various functions. +# Provide a shim for older versions. +sub ff_set_from_init_file($$) { + my $key = shift; + my $value = shift; + if (exists &{'texinfo_set_from_init_file'}) { + texinfo_set_from_init_file($key, $value); + } else { + set_from_init_file($key, $value); + } +} + +sub ff_get_conf($) { + my $key = shift; + if (exists &{'texinfo_get_conf'}) { + texinfo_get_conf($key); + } else { + get_conf($key); + } +} + +sub get_formatting_function($$) { + my $obj = shift; + my $func = shift; + + my $sub = $obj->can('formatting_function'); + if ($sub) { + return $obj->formatting_function($func); + } else { + return $obj->{$func}; + } +} + +# determine texinfo version +my $program_version_num = version->declare(ff_get_conf('PACKAGE_VERSION'))->numify; +my $program_version_6_8 = $program_version_num >= 6.008000; + # no navigation elements -set_from_init_file('HEADERS', 0); +ff_set_from_init_file('HEADERS', 0); sub ffmpeg_heading_command($$$$$) { @@ -55,7 +92,7 @@ sub ffmpeg_heading_command($$$$$) $element = $command->{'parent'}; } if ($element) { - $result .= &{$self->{'format_element_header'}}($self, $cmdname, + $result .= &{get_formatting_function($self, 'format_element_header')}($self, $cmdname, $command, $element); } @@ -112,7 +149,11 @@ sub ffmpeg_heading_command($$$$$) $cmdname = $Texinfo::Common::level_to_structuring_command{$cmdname}->[$heading_level]; } - $result .= &{$self->{'format_heading_text'}}( + # format_heading_text expects an array of headings for texinfo >= 7.0 + if ($program_version_num >= 7.000000) { + $heading = [$heading]; + } + $result .= &{get_formatting_function($self,'format_heading_text')}( $self, $cmdname, $heading, $heading_level + $self->get_conf('CHAPTER_HEADER_LEVEL') - 1, $command); @@ -127,14 +168,18 @@ foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') { } # print the TOC where @contents is used -set_from_init_file('INLINE_CONTENTS', 1); +if ($program_version_6_8) { + ff_set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); +} else { + ff_set_from_init_file('INLINE_CONTENTS', 1); +} # make chapters

-set_from_init_file('CHAPTER_HEADER_LEVEL', 2); +ff_set_from_init_file('CHAPTER_HEADER_LEVEL', 2); # Do not add
-set_from_init_file('DEFAULT_RULE', ''); -set_from_init_file('BIG_RULE', ''); +ff_set_from_init_file('DEFAULT_RULE', ''); +ff_set_from_init_file('BIG_RULE', ''); # Customized file beginning sub ffmpeg_begin_file($$$) @@ -151,7 +196,18 @@ sub ffmpeg_begin_file($$$) my ($title, $description, $encoding, $date, $css_lines, $doctype, $bodytext, $copying_comment, $after_body_open, $extra_head, $program_and_version, $program_homepage, - $program, $generator) = $self->_file_header_informations($command); + $program, $generator); + if ($program_version_num >= 7.000000) { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_information($command); + } else { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_informations($command); + } my $links = $self->_get_links ($filename, $element); @@ -184,7 +240,11 @@ EOT return $head1 . $head_title . $head2 . $head_title . $head3; } -texinfo_register_formatting_function('begin_file', \&ffmpeg_begin_file); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_begin_file', \&ffmpeg_begin_file); +} else { + texinfo_register_formatting_function('begin_file', \&ffmpeg_begin_file); +} sub ffmpeg_program_string($) { @@ -201,13 +261,17 @@ sub ffmpeg_program_string($) $self->gdt('This document was generated automatically.')); } } -texinfo_register_formatting_function('program_string', \&ffmpeg_program_string); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_program_string', \&ffmpeg_program_string); +} else { + texinfo_register_formatting_function('program_string', \&ffmpeg_program_string); +} # Customized file ending sub ffmpeg_end_file($) { my $self = shift; - my $program_string = &{$self->{'format_program_string'}}($self); + my $program_string = &{get_formatting_function($self,'format_program_string')}($self); my $program_text = < $program_string @@ -220,11 +284,15 @@ EOT EOT return $program_text . $footer; } -texinfo_register_formatting_function('end_file', \&ffmpeg_end_file); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_end_file', \&ffmpeg_end_file); +} else { + texinfo_register_formatting_function('end_file', \&ffmpeg_end_file); +} # Dummy title command # Ignore title. Title is handled through ffmpeg_begin_file(). -set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); +ff_set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); sub ffmpeg_title($$$$) { return ''; @@ -242,8 +310,14 @@ sub ffmpeg_float($$$$$) my $args = shift; my $content = shift; - my ($caption, $prepended) = Texinfo::Common::float_name_caption($self, - $command); + my ($caption, $prepended); + if ($program_version_num >= 7.000000) { + ($caption, $prepended) = Texinfo::Convert::Converter::float_name_caption($self, + $command); + } else { + ($caption, $prepended) = Texinfo::Common::float_name_caption($self, + $command); + } my $caption_text = ''; my $prepended_text; my $prepended_save = ''; @@ -315,8 +389,13 @@ sub ffmpeg_float($$$$$) $caption->{'args'}->[0], 'float caption'); } if ($prepended_text.$caption_text ne '') { - $prepended_text = $self->_attribute_class('div','float-caption'). '>' - . $prepended_text; + if ($program_version_num >= 7.000000) { + $prepended_text = $self->html_attribute_class('div',['float-caption']). '>' + . $prepended_text; + } else { + $prepended_text = $self->_attribute_class('div','float-caption'). '>' + . $prepended_text; + } $caption_text .= ''; } my $html_class = ''; @@ -329,8 +408,13 @@ sub ffmpeg_float($$$$$) $prepended_text = ''; $caption_text = ''; } - return $self->_attribute_class('div', $html_class). '>' . "\n" . - $prepended_text . $caption_text . $content . ''; + if ($program_version_num >= 7.000000) { + return $self->html_attribute_class('div', [$html_class]). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } else { + return $self->_attribute_class('div', $html_class). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } } texinfo_register_command_formatting('float', diff --git a/doc/writing_filters.txt b/doc/writing_filters.txt index 2e25cbed71..e89d7d1e05 100644 --- a/doc/writing_filters.txt +++ b/doc/writing_filters.txt @@ -418,4 +418,4 @@ done: When all of this is done, you can submit your patch to the ffmpeg-devel mailing-list for review. If you need any help, feel free to come on our IRC -channel, #ffmpeg-devel on irc.freenode.net. +channel, #ffmpeg-devel on irc.libera.chat. diff --git a/ffbuild/common.mak b/ffbuild/common.mak index d2b33320c0..7355508ea0 100644 --- a/ffbuild/common.mak +++ b/ffbuild/common.mak @@ -38,7 +38,6 @@ OBJCCFLAGS = $(CPPFLAGS) $(CFLAGS) $(OBJCFLAGS) ASFLAGS := $(CPPFLAGS) $(ASFLAGS) CXXFLAGS := $(CPPFLAGS) $(CFLAGS) $(CXXFLAGS) X86ASMFLAGS += $(IFLAGS:%=%/) -I$($@ -%.ptx: %.cu +%.ptx: %.cu $(SRC_PATH)/compat/cuda/cuda_runtime.h $(COMPILE_NVCC) %.ptx.c: %.ptx diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index 9cfbc45c2b..e1bca0b189 100644 --- a/fftools/cmdutils.c +++ b/fftools/cmdutils.c @@ -541,7 +541,7 @@ static const AVOption *opt_find(void *obj, const char *name, const char *unit, return o; } -#define FLAGS (o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0 +#define FLAGS ((o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0) int opt_default(void *optctx, const char *opt, const char *arg) { const AVOption *o; diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index 01f04103cf..57e9a0e3b2 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -460,8 +460,9 @@ static int read_key(void) } //Read it if(nchars != 0) { - read(0, &ch, 1); - return ch; + if (read(0, &ch, 1) == 1) + return ch; + return 0; }else{ return -1; } @@ -567,6 +568,7 @@ static void ffmpeg_cleanup(int ret) ost->audio_channels_mapped = 0; av_dict_free(&ost->sws_dict); + av_dict_free(&ost->swr_opts); avcodec_free_context(&ost->enc_ctx); avcodec_parameters_free(&ost->ref_par); @@ -4235,7 +4237,8 @@ static int seek_to_start(InputFile *ifile, AVFormatContext *is) ifile->time_base = ist->st->time_base; /* the total duration of the stream, max_pts - min_pts is * the duration of the stream without the last frame */ - duration += ist->max_pts - ist->min_pts; + if (ist->max_pts > ist->min_pts && ist->max_pts - (uint64_t)ist->min_pts < INT64_MAX - duration) + duration += ist->max_pts - ist->min_pts; ifile->time_base = duration_max(duration, &ifile->duration, ist->st->time_base, ifile->time_base); } diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index f5ca18aa64..4efdec702a 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -1,3 +1,4 @@ + /* * ffmpeg option parsing * @@ -2372,12 +2373,14 @@ loop_end: o->attachments[i]); exit_program(1); } - if (!(attachment = av_malloc(len))) { - av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n", + if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE || + !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) { + av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n", o->attachments[i]); exit_program(1); } avio_read(pb, attachment, len); + memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); ost = new_attachment_stream(o, oc, -1); ost->stream_copy = 0; @@ -2769,13 +2772,14 @@ static int opt_target(void *optctx, const char *opt, const char *arg) } else { /* Try to determine PAL/NTSC by peeking in the input files */ if (nb_input_files) { - int i, j, fr; + int i, j; for (j = 0; j < nb_input_files; j++) { for (i = 0; i < input_files[j]->nb_streams; i++) { AVStream *st = input_files[j]->ctx->streams[i]; + int64_t fr; if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) continue; - fr = st->time_base.den * 1000 / st->time_base.num; + fr = st->time_base.den * 1000LL / st->time_base.num; if (fr == 25000) { norm = PAL; break; @@ -3268,6 +3272,7 @@ static int open_files(OptionGroupList *l, const char *inout, if (ret < 0) { av_log(NULL, AV_LOG_ERROR, "Error parsing options for %s file " "%s.\n", inout, g->arg); + uninit_options(&o); return ret; } diff --git a/fftools/ffplay.c b/fftools/ffplay.c index 8fb8faeb06..a5d6852c18 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -2760,9 +2760,6 @@ static int read_thread(void *arg) } memset(st_index, -1, sizeof(st_index)); - is->last_video_stream = is->video_stream = -1; - is->last_audio_stream = is->audio_stream = -1; - is->last_subtitle_stream = is->subtitle_stream = -1; is->eof = 0; ic = avformat_alloc_context(); @@ -3068,6 +3065,9 @@ static VideoState *stream_open(const char *filename, AVInputFormat *iformat) is = av_mallocz(sizeof(VideoState)); if (!is) return NULL; + is->last_video_stream = is->video_stream = -1; + is->last_audio_stream = is->audio_stream = -1; + is->last_subtitle_stream = is->subtitle_stream = -1; is->filename = av_strdup(filename); if (!is->filename) goto fail; @@ -3436,7 +3436,7 @@ static void event_loop(VideoState *cur_stream) break; case SDL_WINDOWEVENT: switch (event.window.event) { - case SDL_WINDOWEVENT_RESIZED: + case SDL_WINDOWEVENT_SIZE_CHANGED: screen_width = cur_stream->width = event.window.data1; screen_height = cur_stream->height = event.window.data2; if (cur_stream->vis_texture) { diff --git a/libavcodec/012v.c b/libavcodec/012v.c index b5a4066656..41d9e2708e 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -131,8 +131,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); memcpy(y, y_temp, sizeof(*y) * (width - x)); - memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); - memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2)); + memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2)); } line_end += stride; diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 8382159bde..5dd3a347c9 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -351,6 +351,8 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, const uint16_t *src, index = size2index[log2h][log2w]; av_assert0(index >= 0); + if (get_bits_left(&f->gb) < 1) + return AVERROR_INVALIDDATA; h = 1 << log2h; code = get_vlc2(&f->gb, block_type_vlc[1 - (f->version > 1)][index].table, BLOCK_TYPE_VLC_BITS, 1); @@ -496,8 +498,8 @@ static int decode_i_block(FourXContext *f, int16_t *block) { int code, i, j, level, val; - if (get_bits_left(&f->gb) < 2){ - av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb)); + if (get_bits_left(&f->pre_gb) < 2) { + av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->pre_gb)); return AVERROR_INVALIDDATA; } @@ -523,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t *block) break; if (code == 0xf0) { i += 16; + if (i >= 64) { + av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i); + return 0; + } } else { if (code & 0xf) { level = get_xbits(&f->gb, code & 0xf); @@ -879,6 +885,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, } if (i >= CFRAME_BUFFER_COUNT) { + if (free_index < 0) + return AVERROR_INVALIDDATA; i = free_index; f->cfrm[i].id = id; } diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index aa2318fa2d..655c62725b 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -70,6 +70,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, unsigned char *planemap = c->planemap; int ret; + if (buf_size < planes * height *2) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index baa82489b1..11b0559e1c 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -843,25 +843,25 @@ static void search_for_ms(AACEncContext *s, ChannelElement *cpe) sce0->ics.swb_sizes[g], sce0->sf_idx[w*16+g], sce0->band_type[w*16+g], - lambda / band0->threshold, INFINITY, &b1, NULL, 0); + lambda / (band0->threshold + FLT_MIN), INFINITY, &b1, NULL, 0); dist1 += quantize_band_cost(s, &sce1->coeffs[start + (w+w2)*128], R34, sce1->ics.swb_sizes[g], sce1->sf_idx[w*16+g], sce1->band_type[w*16+g], - lambda / band1->threshold, INFINITY, &b2, NULL, 0); + lambda / (band1->threshold + FLT_MIN), INFINITY, &b2, NULL, 0); dist2 += quantize_band_cost(s, M, M34, sce0->ics.swb_sizes[g], mididx, midcb, - lambda / minthr, INFINITY, &b3, NULL, 0); + lambda / (minthr + FLT_MIN), INFINITY, &b3, NULL, 0); dist2 += quantize_band_cost(s, S, S34, sce1->ics.swb_sizes[g], sididx, sidcb, - mslambda / (minthr * bmax), INFINITY, &b4, NULL, 0); + mslambda / (minthr * bmax + FLT_MIN), INFINITY, &b4, NULL, 0); B0 += b1+b2; B1 += b3+b4; dist1 -= b1+b2; diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index c606ad40a9..d17852d8ba 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -409,6 +409,8 @@ static int read_stream_mux_config(struct LATMContext *latmctx, } else { int esc; do { + if (get_bits_left(gb) < 9) + return AVERROR_INVALIDDATA; esc = get_bits(gb, 1); skip_bits(gb, 8); } while (esc); @@ -559,7 +561,7 @@ AVCodec ff_aac_decoder = { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, .capabilities = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, .channel_layouts = aac_channel_layout, .flush = flush, .priv_class = &aac_decoder_class, @@ -584,7 +586,7 @@ AVCodec ff_aac_latm_decoder = { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, .capabilities = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, .channel_layouts = aac_channel_layout, .flush = flush, .profiles = NULL_IF_CONFIG_SMALL(ff_aac_profiles), diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 1d0142fdb0..5d11f4bec4 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -155,9 +155,9 @@ static void vector_pow43(int *coefs, int len) for (i=0; ipriv_data; int ret; + if (avctx->sample_rate > 96000) + return AVERROR_INVALIDDATA; + ret = ff_thread_once(&aac_table_init, &aac_static_table_init); if (ret != 0) return AVERROR_UNKNOWN; @@ -2659,7 +2662,7 @@ static void imdct_and_windowing(AACContext *ac, SingleChannelElement *sce) ac->mdct.imdct_half(&ac->mdct, buf, in); #if USE_FIXED for (i=0; i<1024; i++) - buf[i] = (buf[i] + 4) >> 3; + buf[i] = (buf[i] + 4LL) >> 3; #endif /* USE_FIXED */ } @@ -2804,7 +2807,7 @@ static void imdct_and_windowing_ld(AACContext *ac, SingleChannelElement *sce) static void imdct_and_windowing_eld(AACContext *ac, SingleChannelElement *sce) { - INTFLOAT *in = sce->coeffs; + UINTFLOAT *in = sce->coeffs; INTFLOAT *out = sce->ret; INTFLOAT *saved = sce->saved; INTFLOAT *buf = ac->buf_mdct; diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 4d0abb107f..8da26d795c 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -28,6 +28,7 @@ * TODOs: * add sane pulse detection ***********************************/ +#include #include "libavutil/libm.h" #include "libavutil/thread.h" @@ -855,7 +856,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* Not so fast though */ ratio = sqrtf(ratio); } - s->lambda = FFMIN(s->lambda * ratio, 65536.f); + s->lambda = av_clipf(s->lambda * ratio, FLT_EPSILON, 65536.f); /* Keep iterating if we must reduce and lambda is in the sky */ if (ratio > 0.9f && ratio < 1.1f) { @@ -900,7 +901,7 @@ static av_cold int aac_encode_end(AVCodecContext *avctx) { AACEncContext *s = avctx->priv_data; - av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / s->lambda_count); + av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_count ? s->lambda_sum / s->lambda_count : NAN); ff_mdct_end(&s->mdct1024); ff_mdct_end(&s->mdct128); diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index d5dca64b0f..22df160fe7 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -414,33 +414,33 @@ static void hybrid_synthesis(PSDSPContext *dsp, INTFLOAT out[2][38][64], memset(out[0][n], 0, 5*sizeof(out[0][n][0])); memset(out[1][n], 0, 5*sizeof(out[1][n][0])); for (i = 0; i < 12; i++) { - out[0][n][0] += in[ i][n][0]; - out[1][n][0] += in[ i][n][1]; + out[0][n][0] += (UINTFLOAT)in[ i][n][0]; + out[1][n][0] += (UINTFLOAT)in[ i][n][1]; } for (i = 0; i < 8; i++) { - out[0][n][1] += in[12+i][n][0]; - out[1][n][1] += in[12+i][n][1]; + out[0][n][1] += (UINTFLOAT)in[12+i][n][0]; + out[1][n][1] += (UINTFLOAT)in[12+i][n][1]; } for (i = 0; i < 4; i++) { - out[0][n][2] += in[20+i][n][0]; - out[1][n][2] += in[20+i][n][1]; - out[0][n][3] += in[24+i][n][0]; - out[1][n][3] += in[24+i][n][1]; - out[0][n][4] += in[28+i][n][0]; - out[1][n][4] += in[28+i][n][1]; + out[0][n][2] += (UINTFLOAT)in[20+i][n][0]; + out[1][n][2] += (UINTFLOAT)in[20+i][n][1]; + out[0][n][3] += (UINTFLOAT)in[24+i][n][0]; + out[1][n][3] += (UINTFLOAT)in[24+i][n][1]; + out[0][n][4] += (UINTFLOAT)in[28+i][n][0]; + out[1][n][4] += (UINTFLOAT)in[28+i][n][1]; } } dsp->hybrid_synthesis_deint(out, in + 27, 5, len); } else { for (n = 0; n < len; n++) { - out[0][n][0] = in[0][n][0] + in[1][n][0] + in[2][n][0] + - in[3][n][0] + in[4][n][0] + in[5][n][0]; - out[1][n][0] = in[0][n][1] + in[1][n][1] + in[2][n][1] + - in[3][n][1] + in[4][n][1] + in[5][n][1]; - out[0][n][1] = in[6][n][0] + in[7][n][0]; - out[1][n][1] = in[6][n][1] + in[7][n][1]; - out[0][n][2] = in[8][n][0] + in[9][n][0]; - out[1][n][2] = in[8][n][1] + in[9][n][1]; + out[0][n][0] = (UINTFLOAT)in[0][n][0] + in[1][n][0] + in[2][n][0] + + (UINTFLOAT)in[3][n][0] + in[4][n][0] + in[5][n][0]; + out[1][n][0] = (UINTFLOAT)in[0][n][1] + in[1][n][1] + in[2][n][1] + + (UINTFLOAT)in[3][n][1] + in[4][n][1] + in[5][n][1]; + out[0][n][1] = (UINTFLOAT)in[6][n][0] + in[7][n][0]; + out[1][n][1] = (UINTFLOAT)in[6][n][1] + in[7][n][1]; + out[0][n][2] = (UINTFLOAT)in[8][n][0] + in[9][n][0]; + out[1][n][2] = (UINTFLOAT)in[8][n][1] + in[9][n][1]; } dsp->hybrid_synthesis_deint(out, in + 7, 3, len); } diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index fca692cb15..76458783ce 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -308,6 +308,9 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) { const int bandwidth = ctx->cutoff ? ctx->cutoff : AAC_CUTOFF(ctx->avctx); const float num_bark = calc_bark((float)bandwidth); + if (bandwidth <= 0) + return AVERROR(EINVAL); + ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext)); if (!ctx->model_priv_data) return AVERROR(ENOMEM); @@ -794,7 +797,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, if (pe < 1.15f * desired_pe) { /* 6.6.1.3.6 "Final threshold modification by linearization" */ - norm_fac = 1.0f / norm_fac; + norm_fac = norm_fac ? 1.0f / norm_fac : 0; for (w = 0; w < wi->num_windows*16; w += 16) { for (g = 0; g < num_bands; g++) { AacPsyBand *band = &pch->band[w+g]; diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 821615f2ab..d9ee4efe6e 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -592,6 +592,7 @@ static int sbr_make_f_derived(AACContext *ac, SpectralBandReplication *sbr) if (sbr->n_q > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Too many noise floor scale factors: %d\n", sbr->n_q); + sbr->n_q = 1; return -1; } diff --git a/libavcodec/aarch64/vp9mc_neon.S b/libavcodec/aarch64/vp9mc_neon.S index f67624ca04..7cdcd675ed 100644 --- a/libavcodec/aarch64/vp9mc_neon.S +++ b/libavcodec/aarch64/vp9mc_neon.S @@ -260,6 +260,9 @@ function \type\()_8tap_\size\()h_\idx1\idx2 // reduced dst stride .if \size >= 16 sub x1, x1, x5 +.elseif \size == 4 + add x12, x2, #8 + add x13, x7, #8 .endif // size >= 16 loads two qwords and increments x2, // for size 4/8 it's enough with one qword and no @@ -278,9 +281,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 ld1 {v4.8b, v5.8b, v6.8b}, [x2], #24 ld1 {v16.8b, v17.8b, v18.8b}, [x7], #24 -.else +.elseif \size == 8 ld1 {v4.8b, v5.8b}, [x2] ld1 {v16.8b, v17.8b}, [x7] +.else // \size == 4 + ld1 {v4.8b}, [x2] + ld1 {v16.8b}, [x7] + ld1 {v5.s}[0], [x12], x3 + ld1 {v17.s}[0], [x13], x3 .endif uxtl v4.8h, v4.8b uxtl v5.8h, v5.8b diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 58cc3c85ba..bf1555e72c 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -104,26 +104,26 @@ static int aasc_decode_frame(AVCodecContext *avctx, ff_msrle_decode(avctx, s->frame, 8, &s->gb); break; case MKTAG('A', 'A', 'S', 'C'): - switch (compr) { - case 0: - stride = (avctx->width * psize + psize) & ~psize; - if (buf_size < stride * avctx->height) + switch (compr) { + case 0: + stride = (avctx->width * psize + psize) & ~psize; + if (buf_size < stride * avctx->height) + return AVERROR_INVALIDDATA; + for (i = avctx->height - 1; i >= 0; i--) { + memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); + buf += stride; + buf_size -= stride; + } + break; + case 1: + bytestream2_init(&s->gb, buf, buf_size); + ff_msrle_decode(avctx, s->frame, 8, &s->gb); + break; + default: + av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); return AVERROR_INVALIDDATA; - for (i = avctx->height - 1; i >= 0; i--) { - memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); - buf += stride; - buf_size -= stride; } break; - case 1: - bytestream2_init(&s->gb, buf, buf_size); - ff_msrle_decode(avctx, s->frame, 8, &s->gb); - break; - default: - av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); - return AVERROR_INVALIDDATA; - } - break; default: av_log(avctx, AV_LOG_ERROR, "Unknown FourCC: %X\n", avctx->codec_tag); return -1; diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h index f8f6a81f45..9737337806 100644 --- a/libavcodec/ac3.h +++ b/libavcodec/ac3.h @@ -75,6 +75,7 @@ #define AC3_DYNAMIC_RANGE1 0 typedef int INTFLOAT; +typedef unsigned int UINTFLOAT; typedef int16_t SHORTFLOAT; #else /* USE_FIXED */ @@ -94,6 +95,7 @@ typedef int16_t SHORTFLOAT; #define AC3_DYNAMIC_RANGE1 1.0f typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float SHORTFLOAT; #endif /* USE_FIXED */ diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index 1e203ae6ac..d14161ec75 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -179,7 +179,9 @@ int av_ac3_parse_header(const uint8_t *buf, size_t size, AC3HeaderInfo hdr; int err; - init_get_bits8(&gb, buf, size); + err = init_get_bits8(&gb, buf, size); + if (err < 0) + return AVERROR_INVALIDDATA; err = ff_ac3_parse_header(&gb, &hdr); if (err < 0) return AVERROR_INVALIDDATA; diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index bd66175d50..1e1edc8964 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -107,29 +107,30 @@ static void scale_coefs ( } } else { shift = -shift; + mul <<= shift; for (i=0; inum_blocks; blk++) { @@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx) av_freep(&block->cpl_coord_mant); } - s->mdct_end(s); + if (s->mdct_end) + s->mdct_end(s); return 0; } @@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx) ret = validate_options(s); if (ret) - return ret; + goto init_fail; avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks; avctx->initial_padding = AC3_BLOCK_SIZE; diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index e194764374..651164301c 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -110,6 +110,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) case AV_CODEC_ID_ADPCM_MTAF: min_channels = 2; max_channels = 8; + if (avctx->channels & 1) { + avpriv_request_sample(avctx, "channel count %d\n", avctx->channels); + return AVERROR_PATCHWELCOME; + } break; case AV_CODEC_ID_ADPCM_PSX: max_channels = 8; @@ -135,8 +139,8 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) break; case AV_CODEC_ID_ADPCM_IMA_APC: if (avctx->extradata && avctx->extradata_size >= 8) { - c->status[0].predictor = AV_RL32(avctx->extradata); - c->status[1].predictor = AV_RL32(avctx->extradata + 4); + c->status[0].predictor = av_clip_intp2(AV_RL32(avctx->extradata ), 18); + c->status[1].predictor = av_clip_intp2(AV_RL32(avctx->extradata + 4), 18); } break; case AV_CODEC_ID_ADPCM_IMA_WS: @@ -333,7 +337,7 @@ static inline int16_t adpcm_ima_oki_expand_nibble(ADPCMChannelStatus *c, int nib c->predictor = av_clip_intp2(predictor, 11); c->step_index = step_index; - return c->predictor << 4; + return c->predictor * 16; } static inline int16_t adpcm_ct_expand_nibble(ADPCMChannelStatus *c, int8_t nibble) @@ -422,6 +426,10 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); filter=0; } + if (shift < 0) { + avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift); + shift = 0; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; @@ -432,7 +440,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, d = in[16+i+j*4]; t = sign_extend(d, 4); - s = ( t<>6); + s = t*(1<>6); s_2 = s_1; s_1 = av_clip_int16(s); out0[j] = s_1; @@ -447,10 +455,14 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, shift = 12 - (in[5+i*2] & 15); filter = in[5+i*2] >> 4; - if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table)) { + if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table) || shift < 0) { avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); filter=0; } + if (shift < 0) { + avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift); + shift = 0; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; @@ -459,7 +471,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, d = in[16+i+j*4]; t = sign_extend(d >> 4, 4); - s = ( t<>6); + s = t*(1<>6); s_2 = s_1; s_1 = av_clip_int16(s); out1[j] = s_1; @@ -1198,8 +1210,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } } - for (i=0; i<=st; i++) + for (i=0; i<=st; i++) { c->status[i].predictor = bytestream2_get_le32u(&gb); + if (FFABS((int64_t)c->status[i].predictor) > (1<<16)) + return AVERROR_INVALIDDATA; + } for (n = nb_samples >> (1 - st); n > 0; n--) { int byte = bytestream2_get_byteu(&gb); @@ -1246,8 +1261,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (count2 = 0; count2 < 28; count2++) { byte = bytestream2_get_byteu(&gb); - next_left_sample = sign_extend(byte >> 4, 4) << shift_left; - next_right_sample = sign_extend(byte, 4) << shift_right; + next_left_sample = sign_extend(byte >> 4, 4) * (1 << shift_left); + next_right_sample = sign_extend(byte, 4) * (1 << shift_right); next_left_sample = (next_left_sample + (current_left_sample * coeff1l) + @@ -1286,7 +1301,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, if (st) byte[1] = bytestream2_get_byteu(&gb); for(i = 4; i >= 0; i-=4) { /* Pairwise samples LL RR (st) or LL LL (mono) */ for(channel = 0; channel < avctx->channels; channel++) { - int sample = sign_extend(byte[channel] >> i, 4) << shift[channel]; + int sample = sign_extend(byte[channel] >> i, 4) * (1 << shift[channel]); sample = (sample + c->status[channel].sample1 * coeff[channel][0] + c->status[channel].sample2 * coeff[channel][1] + 0x80) >> 8; @@ -1347,10 +1362,10 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (count2=0; count2<28; count2++) { if (count2 & 1) - next_sample = sign_extend(byte, 4) << shift; + next_sample = (unsigned)sign_extend(byte, 4) << shift; else { byte = bytestream2_get_byte(&gb); - next_sample = sign_extend(byte >> 4, 4) << shift; + next_sample = (unsigned)sign_extend(byte >> 4, 4) << shift; } next_sample += (current_sample * coeff1) + @@ -1401,11 +1416,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, int level, pred; int byte = bytestream2_get_byteu(&gb); - level = sign_extend(byte >> 4, 4) << shift[n]; + level = sign_extend(byte >> 4, 4) * (1 << shift[n]); pred = s[-1] * coeff[0][n] + s[-2] * coeff[1][n]; s[0] = av_clip_int16((level + pred + 0x80) >> 8); - level = sign_extend(byte, 4) << shift[n]; + level = sign_extend(byte, 4) * (1 << shift[n]); pred = s[0] * coeff[0][n] + s[-1] * coeff[1][n]; s[1] = av_clip_int16((level + pred + 0x80) >> 8); } @@ -1562,8 +1577,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, sampledat = sign_extend(byte >> 4, 4); } - sampledat = ((prev1 * factor1 + prev2 * factor2) + - ((sampledat * scale) << 11)) >> 11; + sampledat = ((prev1 * factor1 + prev2 * factor2) >> 11) + + sampledat * scale; *samples = av_clip_int16(sampledat); prev2 = prev1; prev1 = *samples++; @@ -1625,8 +1640,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, int byte = bytestream2_get_byteu(&gb); int index = (byte >> 4) & 7; unsigned int exp = byte & 0x0F; - int factor1 = table[ch][index * 2]; - int factor2 = table[ch][index * 2 + 1]; + int64_t factor1 = table[ch][index * 2]; + int64_t factor2 = table[ch][index * 2 + 1]; /* Decode 14 samples. */ for (n = 0; n < 14 && (i * 14 + n < nb_samples); n++) { @@ -1640,7 +1655,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, } sampledat = ((c->status[ch].sample1 * factor1 - + c->status[ch].sample2 * factor2) >> 11) + (sampledat << exp); + + c->status[ch].sample2 * factor2) >> 11) + sampledat * (1 << exp); *samples = av_clip_int16(sampledat); c->status[ch].sample2 = c->status[ch].sample1; c->status[ch].sample1 = *samples++; @@ -1687,7 +1702,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, else sampledat = sign_extend(byte >> 4, 4); - sampledat = (((sampledat << 12) >> (header & 0xf)) << 6) + prev; + sampledat = ((sampledat * (1 << 12)) >> (header & 0xf)) * (1 << 6) + prev; *samples++ = av_clip_int16(sampledat >> 6); c->status[channel].sample2 = c->status[channel].sample1; c->status[channel].sample1 = sampledat; @@ -1724,7 +1739,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, scale = sign_extend(byte, 4); } - scale = scale << 12; + scale = scale * (1 << 12); sample = (int)((scale >> shift) + (c->status[channel].sample1 * xa_adpcm_table[filter][0] + c->status[channel].sample2 * xa_adpcm_table[filter][1]) / 64); } *samples++ = av_clip_int16(sample); diff --git a/libavcodec/adxenc.c b/libavcodec/adxenc.c index f1ba5911b3..77f6bf0487 100644 --- a/libavcodec/adxenc.c +++ b/libavcodec/adxenc.c @@ -48,7 +48,7 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav, s2 = prev->s2; for (i = 0, j = 0; j < 32; i += channels, j++) { s0 = wav[i]; - d = ((s0 << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS; + d = s0 + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS); if (max < d) max = d; if (min > d) @@ -79,13 +79,13 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav, s1 = prev->s1; s2 = prev->s2; for (i = 0, j = 0; j < 32; i += channels, j++) { - d = ((wav[i] << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS; + d = wav[i] + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS); d = av_clip_intp2(ROUNDED_DIV(d, scale), 3); put_sbits(&pb, 4, d); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = d * scale + ((c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS); s2 = s1; s1 = s0; } diff --git a/libavcodec/agm.c b/libavcodec/agm.c index 2c4c9805e9..5b7282b81f 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c @@ -423,8 +423,8 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size, int map = s->map[x]; if (orig_mv_x >= -32) { - if (y * 8 + mv_y < 0 || y * 8 + mv_y >= h || - x * 8 + mv_x < 0 || x * 8 + mv_x >= w) + if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h || + x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w) return AVERROR_INVALIDDATA; copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8, @@ -460,8 +460,8 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size, return ret; if (orig_mv_x >= -32) { - if (y * 8 + mv_y < 0 || y * 8 + mv_y >= h || - x * 8 + mv_x < 0 || x * 8 + mv_x >= w) + if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h || + x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w) return AVERROR_INVALIDDATA; copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8, @@ -573,13 +573,16 @@ static int decode_raw_intra_rgb(AVCodecContext *avctx, GetByteContext *gbyte, AV uint8_t *dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; uint8_t r = 0, g = 0, b = 0; + if (bytestream2_get_bytes_left(gbyte) < 3 * avctx->width * avctx->height) + return AVERROR_INVALIDDATA; + for (int y = 0; y < avctx->height; y++) { for (int x = 0; x < avctx->width; x++) { - dst[x*3+0] = bytestream2_get_byte(gbyte) + r; + dst[x*3+0] = bytestream2_get_byteu(gbyte) + r; r = dst[x*3+0]; - dst[x*3+1] = bytestream2_get_byte(gbyte) + g; + dst[x*3+1] = bytestream2_get_byteu(gbyte) + g; g = dst[x*3+1]; - dst[x*3+2] = bytestream2_get_byte(gbyte) + b; + dst[x*3+2] = bytestream2_get_byteu(gbyte) + b; b = dst[x*3+2]; } dst -= frame->linesize[0]; @@ -827,7 +830,7 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame static int decode_motion_vectors(AVCodecContext *avctx, GetBitContext *gb) { AGMContext *s = avctx->priv_data; - int nb_mvs = ((avctx->height + 15) >> 4) * ((avctx->width + 15) >> 4); + int nb_mvs = ((avctx->coded_height + 15) >> 4) * ((avctx->coded_width + 15) >> 4); int ret, skip = 0, value, map; av_fast_padded_malloc(&s->mvectors, &s->mvectors_size, @@ -1117,6 +1120,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, frame->key_frame = s->key_frame; frame->pict_type = s->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; + if (!s->key_frame) { + if (!s->prev_frame->data[0]) { + av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n"); + return AVERROR_INVALIDDATA; + } + } + if (header) { if (avctx->codec_tag == MKTAG('A', 'G', 'M', '0') || avctx->codec_tag == MKTAG('A', 'G', 'M', '1')) @@ -1186,10 +1196,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, else ret = decode_intra(avctx, gb, frame); } else { - if (!s->prev_frame->data[0]) { - av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n"); - return AVERROR_INVALIDDATA; - } if (s->prev_frame-> width != frame->width || s->prev_frame->height != frame->height) return AVERROR_INVALIDDATA; @@ -1236,6 +1242,11 @@ static av_cold int decode_init(AVCodecContext *avctx) s->dct = avctx->codec_tag != MKTAG('A', 'G', 'M', '4') && avctx->codec_tag != MKTAG('A', 'G', 'M', '5'); + if (!s->rgb && !s->dct) { + if ((avctx->width & 1) || (avctx->height & 1)) + return AVERROR_INVALIDDATA; + } + avctx->idct_algo = FF_IDCT_SIMPLE; ff_idctdsp_init(&s->idsp, avctx); ff_init_scantable(s->idsp.idct_permutation, &s->scantable, ff_zigzag_direct); diff --git a/libavcodec/aic.c b/libavcodec/aic.c index 956d71fcff..f2c8638989 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -470,8 +470,7 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) } } - ctx->slice_data = av_malloc_array(ctx->slice_width, AIC_BAND_COEFFS - * sizeof(*ctx->slice_data)); + ctx->slice_data = av_calloc(ctx->slice_width, AIC_BAND_COEFFS * sizeof(*ctx->slice_data)); if (!ctx->slice_data) { av_log(avctx, AV_LOG_ERROR, "Error allocating slice buffer\n"); diff --git a/libavcodec/alac.c b/libavcodec/alac.c index c234d7153b..75972f4ddc 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -171,12 +171,12 @@ static inline int sign_only(int v) return v ? FFSIGN(v) : 0; } -static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, +static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, int nb_samples, int bps, int16_t *lpc_coefs, int lpc_order, int lpc_quant) { int i; - int32_t *pred = buffer_out; + uint32_t *pred = buffer_out; /* first sample always copies */ *buffer_out = *error_buffer; @@ -208,27 +208,27 @@ static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, for (; i < nb_samples; i++) { int j; int val = 0; - int error_val = error_buffer[i]; + unsigned error_val = error_buffer[i]; int error_sign; int d = *pred++; /* LPC prediction */ for (j = 0; j < lpc_order; j++) val += (pred[j] - d) * lpc_coefs[j]; - val = (val + (1 << (lpc_quant - 1))) >> lpc_quant; + val = (val + (1LL << (lpc_quant - 1))) >> lpc_quant; val += d + error_val; buffer_out[i] = sign_extend(val, bps); /* adapt LPC coefficients */ error_sign = sign_only(error_val); if (error_sign) { - for (j = 0; j < lpc_order && error_val * error_sign > 0; j++) { + for (j = 0; j < lpc_order && (int)(error_val * error_sign) > 0; j++) { int sign; val = d - pred[j]; sign = sign_only(val) * error_sign; lpc_coefs[j] -= sign; - val *= sign; - error_val -= (val >> lpc_quant) * (j + 1); + val *= (unsigned)sign; + error_val -= (val >> lpc_quant) * (j + 1U); } } } @@ -250,10 +250,12 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, alac->extra_bits = get_bits(&alac->gb, 2) << 3; bps = alac->sample_size - alac->extra_bits + channels - 1; - if (bps > 32U) { + if (bps > 32) { avpriv_report_missing_feature(avctx, "bps %d", bps); return AVERROR_PATCHWELCOME; } + if (bps < 1) + return AVERROR_INVALIDDATA; /* whether the frame is compressed */ is_compressed = !get_bits1(&alac->gb); @@ -300,6 +302,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); + if (channels == 2 && decorr_left_weight && decorr_shift > 31) + return AVERROR_INVALIDDATA; + for (ch = 0; ch < channels; ch++) { prediction_type[ch] = get_bits(&alac->gb, 4); lpc_quant[ch] = get_bits(&alac->gb, 4); @@ -395,13 +400,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, case 20: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] <<= 12; + alac->output_samples_buffer[ch][i] *= 1U << 12; }} break; case 24: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] <<= 8; + alac->output_samples_buffer[ch][i] *= 1U << 8; }} break; } diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index ecbaedb067..b3c1c424f3 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -29,12 +29,12 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, int i; for (i = 0; i < nb_samples; i++) { - int32_t a, b; + uint32_t a, b; a = buffer[0][i]; b = buffer[1][i]; - a -= (b * decorr_left_weight) >> decorr_shift; + a -= (int)(b * decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; @@ -49,7 +49,7 @@ static void append_extra_bits(int32_t *buffer[2], int32_t *extra_bits_buffer[2], for (ch = 0; ch < channels; ch++) for (i = 0; i < nb_samples; i++) - buffer[ch][i] = (buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i]; + buffer[ch][i] = ((unsigned)buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i]; } av_cold void ff_alacdsp_init(ALACDSPContext *c) diff --git a/libavcodec/aliaspixdec.c b/libavcodec/aliaspixdec.c index 087b18fb91..def7e17c0f 100644 --- a/libavcodec/aliaspixdec.c +++ b/libavcodec/aliaspixdec.c @@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; + if (bytestream2_get_bytes_left(&gb) < width*height / 255) + return AVERROR_INVALIDDATA; + ret = ff_get_buffer(avctx, f, 0); if (ret < 0) return ret; diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 6b5774175b..e37d4c33bc 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -348,6 +348,11 @@ static av_cold int read_specific_config(ALSDecContext *ctx) if (als_id != MKBETAG('A','L','S','\0')) return AVERROR_INVALIDDATA; + if (avctx->channels > FF_SANE_NB_CHANNELS) { + avpriv_request_sample(avctx, "Huge number of channels\n"); + return AVERROR_PATCHWELCOME; + } + ctx->cur_frame_length = sconf->frame_length; // read channel config @@ -657,7 +662,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // do not continue in case of a damaged stream since // block_length must be evenly divisible by sub_blocks - if (bd->block_length & (sub_blocks - 1)) { + if (bd->block_length & (sub_blocks - 1) || bd->block_length <= 0) { av_log(avctx, AV_LOG_WARNING, "Block length is not evenly divisible by the number of subblocks.\n"); return AVERROR_INVALIDDATA; @@ -756,7 +761,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) } for (k = 2; k < opt_order; k++) - quant_cof[k] = (quant_cof[k] * (1 << 14)) + (add_base << 13); + quant_cof[k] = (quant_cof[k] * (1U << 14)) + (add_base << 13); } } @@ -816,7 +821,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) unsigned int low; unsigned int value; - ff_bgmc_decode_init(gb, &high, &low, &value); + int ret = ff_bgmc_decode_init(gb, &high, &low, &value); + if (ret < 0) + return ret; current_res = bd->raw_samples + start; @@ -826,6 +833,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; + if (k[sb] >= 32) + return AVERROR_INVALIDDATA; + ff_bgmc_decode(gb, sb_len, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); @@ -918,7 +928,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 6; for (base = begin; base < end; base++, tab++) - y += MUL64(bd->ltp_gain[tab], raw_samples[base]); + y += (uint64_t)MUL64(bd->ltp_gain[tab], raw_samples[base]); raw_samples[ltp_smp] += y >> 7; } @@ -930,7 +940,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 19; for (sb = 0; sb < smp; sb++) - y += MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]); + y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]); *raw_samples++ -= y >> 20; parcor_to_lpc(smp, quant_cof, lpc_cof); @@ -946,7 +956,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // reconstruct difference signal for prediction (joint-stereo) if (bd->js_blocks && bd->raw_other) { - int32_t *left, *right; + uint32_t *left, *right; if (bd->raw_other > raw_samples) { // D = R - L left = raw_samples; @@ -1005,6 +1015,10 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) ALSSpecificConfig *sconf = &ctx->sconf; *bd->shift_lsbs = 0; + + if (get_bits_left(gb) < 7) + return AVERROR_INVALIDDATA; + // read block type flag and read the samples accordingly if (get_bits1(gb)) { ret = read_var_block_data(ctx, bd); @@ -1175,10 +1189,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel pair.\n"); for (s = 0; s < div_blocks[b]; s++) - bd[0].raw_samples[s] = bd[1].raw_samples[s] - bd[0].raw_samples[s]; + bd[0].raw_samples[s] = bd[1].raw_samples[s] - (unsigned)bd[0].raw_samples[s]; } else if (bd[1].js_blocks) { for (s = 0; s < div_blocks[b]; s++) - bd[1].raw_samples[s] = bd[1].raw_samples[s] + bd[0].raw_samples[s]; + bd[1].raw_samples[s] = bd[1].raw_samples[s] + (unsigned)bd[0].raw_samples[s]; } offset += div_blocks[b]; @@ -1404,7 +1418,11 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) { } } - mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count); + if (cutoff_bit_count >= 0) { + mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count); + } else { + mantissa = (unsigned int)(mantissa_temp <<-cutoff_bit_count); + } // Need one more shift? if (mantissa & 0x01000000ul) { @@ -1461,6 +1479,9 @@ static int read_diff_float_data(ALSDecContext *ctx, unsigned int ra_frame) { ff_mlz_flush_dict(ctx->mlz); } + if (avctx->channels * 8 > get_bits_left(gb)) + return AVERROR_INVALIDDATA; + for (c = 0; c < avctx->channels; ++c) { if (use_acf) { //acf_flag @@ -1801,15 +1822,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, #define INTERLEAVE_OUTPUT(bps) \ { \ int##bps##_t *dest = (int##bps##_t*)frame->data[0]; \ + int channels = avctx->channels; \ + int32_t **raw_samples = ctx->raw_samples; \ shift = bps - ctx->avctx->bits_per_raw_sample; \ if (!ctx->cs_switch) { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ - for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[c][sample] * (1U << shift); \ + for (c = 0; c < channels; c++) \ + *dest++ = raw_samples[c][sample] * (1U << shift); \ } else { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ - for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] * (1U << shift); \ + for (c = 0; c < channels; c++) \ + *dest++ = raw_samples[sconf->chan_pos[c]][sample] * (1U << shift);\ } \ } diff --git a/libavcodec/amfenc.c b/libavcodec/amfenc.c index 384d8efc92..5af1cd002f 100644 --- a/libavcodec/amfenc.c +++ b/libavcodec/amfenc.c @@ -438,7 +438,7 @@ static int amf_copy_buffer(AVCodecContext *avctx, AVPacket *pkt, AMFBuffer *buff int64_t timestamp = AV_NOPTS_VALUE; int64_t size = buffer->pVtbl->GetSize(buffer); - if ((ret = ff_alloc_packet2(avctx, pkt, size, 0)) < 0) { + if ((ret = av_new_packet(pkt, size)) < 0) { return ret; } memcpy(pkt->data, buffer->pVtbl->GetNative(buffer), size); diff --git a/libavcodec/anm.c b/libavcodec/anm.c index ab6a3994e9..778f38413e 100644 --- a/libavcodec/anm.c +++ b/libavcodec/anm.c @@ -119,6 +119,9 @@ static int decode_frame(AVCodecContext *avctx, uint8_t *dst, *dst_end; int count, ret; + if (buf_size < 7) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; dst = s->frame->data[0]; diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index f1fafab771..e4106dcf72 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -430,7 +430,8 @@ static int decode_frame(AVCodecContext *avctx, s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0'; break; case ';': - s->nb_args++; + if (s->nb_args < MAX_NB_ARGS) + s->nb_args++; if (s->nb_args < MAX_NB_ARGS) s->args[s->nb_args] = 0; break; @@ -473,6 +474,11 @@ static av_cold int decode_close(AVCodecContext *avctx) return 0; } +static const AVCodecDefault ansi_defaults[] = { + { "max_pixels", "640*480" }, + { NULL }, +}; + AVCodec ff_ansi_decoder = { .name = "ansi", .long_name = NULL_IF_CONFIG_SMALL("ASCII/ANSI art"), @@ -484,4 +490,5 @@ AVCodec ff_ansi_decoder = { .decode = decode_frame, .capabilities = AV_CODEC_CAP_DR1, .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .defaults = ansi_defaults, }; diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7cf99a00b1..5a769a3ea9 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -101,7 +101,7 @@ typedef struct APEFilter { int16_t *historybuffer; ///< filter memory int16_t *delay; ///< filtered values - int avg; + uint32_t avg; } APEFilter; typedef struct APERice { @@ -589,7 +589,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, int32_t *out, APERice *rice, int blockstodecode) { int i; - int ksummax, ksummin; + unsigned ksummax, ksummin; rice->ksum = 0; for (i = 0; i < FFMIN(blockstodecode, 5); i++) { @@ -610,7 +610,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, ksummin = rice->k ? (1 << rice->k + 6) : 0; for (; i < blockstodecode; i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); - rice->ksum += out[i] - out[i - 64]; + rice->ksum += out[i] - (unsigned)out[i - 64]; while (rice->ksum < ksummin) { rice->k--; ksummin = rice->k ? ksummin >> 1 : 0; @@ -836,7 +836,7 @@ static av_always_inline int filter_fast_3320(APEPredictor *p, else p->coeffsA[filter][0]--; - p->filterA[filter] += p->lastA[filter]; + p->filterA[filter] += (unsigned)p->lastA[filter]; return p->filterA[filter]; } @@ -859,9 +859,9 @@ static av_always_inline int filter_3800(APEPredictor *p, return predictionA; } d2 = p->buf[delayA]; - d1 = (p->buf[delayA] - p->buf[delayA - 1]) << 1; - d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) << 3); - d3 = p->buf[delayB] * 2 - p->buf[delayB - 1]; + d1 = (p->buf[delayA] - (unsigned)p->buf[delayA - 1]) * 2; + d0 = p->buf[delayA] + ((p->buf[delayA - 2] - (unsigned)p->buf[delayA - 1]) * 8); + d3 = p->buf[delayB] * 2U - p->buf[delayB - 1]; d4 = p->buf[delayB]; predictionA = d0 * p->coeffsA[filter][0] + @@ -880,8 +880,8 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign; p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; - p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); - p->filterA[filter] = p->filterB[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift); + p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; } @@ -902,10 +902,10 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod = 0; sign = APESIGN(buffer[i]); for (j = 0; j < order; j++) { - dotprod += delay[j] * coeffs[j]; + dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } - buffer[i] -= dotprod >> shift; + buffer[i] -= (unsigned)(dotprod >> shift); for (j = 0; j < order - 1; j++) delay[j] = delay[j + 1]; delay[order - 1] = buffer[i]; @@ -916,7 +916,8 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length) { int i, j; int32_t dotprod, sign; - int32_t coeffs[8] = { 0 }, delay[8] = { 0 }; + int32_t delay[8] = { 0 }; + uint32_t coeffs[8] = { 0 }; for (i = 0; i < length; i++) { dotprod = 0; @@ -928,7 +929,7 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length) for (j = 7; j > 0; j--) delay[j] = delay[j - 1]; delay[0] = buffer[i]; - buffer[i] -= dotprod >> 9; + buffer[i] -= (unsigned)(dotprod >> 9); } } @@ -1037,13 +1038,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, const int delayA) { int32_t predictionA, sign; - int32_t d0, d1, d2, d3; + uint32_t d0, d1, d2, d3; p->buf[delayA] = p->lastA[filter]; d0 = p->buf[delayA ]; - d1 = p->buf[delayA ] - p->buf[delayA - 1]; - d2 = p->buf[delayA - 1] - p->buf[delayA - 2]; - d3 = p->buf[delayA - 2] - p->buf[delayA - 3]; + d1 = p->buf[delayA ] - (unsigned)p->buf[delayA - 1]; + d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2]; + d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3]; predictionA = d0 * p->coeffsA[filter][0] + d1 * p->coeffsA[filter][1] + @@ -1051,13 +1052,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, d3 * p->coeffsA[filter][3]; p->lastA[filter] = decoded + (predictionA >> 9); - p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); - p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; - p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign; - p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign; - p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign; + p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign; + p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign; + p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign; + p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign; return p->filterA[filter]; } @@ -1121,7 +1122,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayA] = p->lastA[filter]; p->buf[adaptA] = APESIGN(p->buf[delayA]); - p->buf[delayA - 1] = p->buf[delayA] - p->buf[delayA - 1]; + p->buf[delayA - 1] = p->buf[delayA] - (unsigned)p->buf[delayA - 1]; p->buf[adaptA - 1] = APESIGN(p->buf[delayA - 1]); predictionA = p->buf[delayA ] * p->coeffsA[filter][0] + @@ -1132,7 +1133,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, /* Apply a scaled first-order filter compression */ p->buf[delayB] = p->filterA[filter ^ 1] - ((int)(p->filterB[filter] * 31U) >> 5); p->buf[adaptB] = APESIGN(p->buf[delayB]); - p->buf[delayB - 1] = p->buf[delayB] - p->buf[delayB - 1]; + p->buf[delayB - 1] = p->buf[delayB] - (unsigned)p->buf[delayB - 1]; p->buf[adaptB - 1] = APESIGN(p->buf[delayB - 1]); p->filterB[filter] = p->filterA[filter ^ 1]; @@ -1202,14 +1203,14 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) A = *decoded0; p->buf[YDELAYA] = currentA; - p->buf[YDELAYA - 1] = p->buf[YDELAYA] - p->buf[YDELAYA - 1]; + p->buf[YDELAYA - 1] = p->buf[YDELAYA] - (unsigned)p->buf[YDELAYA - 1]; predictionA = p->buf[YDELAYA ] * p->coeffsA[0][0] + p->buf[YDELAYA - 1] * p->coeffsA[0][1] + p->buf[YDELAYA - 2] * p->coeffsA[0][2] + p->buf[YDELAYA - 3] * p->coeffsA[0][3]; - currentA = A + (predictionA >> 10); + currentA = A + (unsigned)(predictionA >> 10); p->buf[YADAPTCOEFFSA] = APESIGN(p->buf[YDELAYA ]); p->buf[YADAPTCOEFFSA - 1] = APESIGN(p->buf[YDELAYA - 1]); @@ -1229,7 +1230,7 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) p->buf = p->historybuffer; } - p->filterA[0] = currentA + ((int)(p->filterA[0] * 31U) >> 5); + p->filterA[0] = currentA + (unsigned)((int)(p->filterA[0] * 31U) >> 5); *(decoded0++) = p->filterA[0]; } @@ -1266,8 +1267,8 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, f->delay - order, f->adaptcoeffs - order, order, APESIGN(*data)); - res = (res + (1 << (fracbits - 1))) >> fracbits; - res += *data; + res = (int)(res + (1U << (fracbits - 1))) >> fracbits; + res += (unsigned)*data; *data++ = res; /* Update the output history */ @@ -1282,10 +1283,10 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, /* Version 3.98 and later files */ /* Update the adaption coefficients */ - absres = FFABS(res); + absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = APESIGN(res) * - (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3))); + (8 << ((absres > f->avg * 3LL) + (absres > (f->avg + f->avg / 3)))); /* equivalent to the following code if (absres <= f->avg * 4 / 3) *f->adaptcoeffs = APESIGN(res) * 8; @@ -1297,7 +1298,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, else *f->adaptcoeffs = 0; - f->avg += (absres - f->avg) / 16; + f->avg += (int)(absres - (unsigned)f->avg) / 16; f->adaptcoeffs[-1] >>= 1; f->adaptcoeffs[-2] >>= 1; @@ -1376,7 +1377,7 @@ static void ape_unpack_mono(APEContext *ctx, int count) static void ape_unpack_stereo(APEContext *ctx, int count) { - int32_t left, right; + unsigned left, right; int32_t *decoded0 = ctx->decoded[0]; int32_t *decoded1 = ctx->decoded[1]; @@ -1393,7 +1394,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count) /* Decorrelate and scale to output depth */ while (count--) { - left = *decoded1 - (*decoded0 / 2); + left = *decoded1 - (unsigned)(*decoded0 / 2); right = left + *decoded0; *(decoded0++) = left; @@ -1451,7 +1452,8 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, if (s->fileversion >= 3900) { if (offset > 3) { av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n"); - s->data = NULL; + av_freep(&s->data); + s->data_size = 0; return AVERROR_INVALIDDATA; } if (s->data_end - s->ptr < offset) { @@ -1499,7 +1501,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); - memset(s->decoded_buffer, 0, s->decoded_size); + memset(s->decoded_buffer, 0, decoded_buffer_size); s->decoded[0] = s->decoded_buffer; s->decoded[1] = s->decoded_buffer + FFALIGN(blockstodecode, 8); @@ -1527,7 +1529,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample8 = (uint8_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff; + *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff; } break; case 16: @@ -1541,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample24 = (int32_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample24++ = s->decoded[ch][i] << 8; + *sample24++ = s->decoded[ch][i] * 256U; } break; } diff --git a/libavcodec/aptx.c b/libavcodec/aptx.c index 8750d8421f..a2620a9212 100644 --- a/libavcodec/aptx.c +++ b/libavcodec/aptx.c @@ -480,7 +480,7 @@ static void aptx_update_codeword_history(Channel *channel) int32_t cw = ((channel->quantize[0].quantized_sample & 3) << 0) + ((channel->quantize[1].quantized_sample & 2) << 1) + ((channel->quantize[2].quantized_sample & 1) << 3); - channel->codeword_history = (cw << 8) + (channel->codeword_history << 4); + channel->codeword_history = (cw << 8) + ((unsigned)channel->codeword_history << 4); } static void aptx_generate_dither(Channel *channel) @@ -492,9 +492,9 @@ static void aptx_generate_dither(Channel *channel) aptx_update_codeword_history(channel); m = (int64_t)5184443 * (channel->codeword_history >> 7); - d = (m << 2) + (m >> 22); + d = (m * 4) + (m >> 22); for (subband = 0; subband < NB_SUBBANDS; subband++) - channel->dither[subband] = d << (23 - 5*subband); + channel->dither[subband] = (unsigned)d << (23 - 5*subband); channel->dither_parity = (d >> 25) & 1; } @@ -759,12 +759,12 @@ static void aptx_invert_quantization(InvertQuantize *invert_quantize, if (quantized_sample < 0) qr = -qr; - qr = rshift64_clip24(((int64_t)qr<<32) + MUL64(dither, tables->invert_quantize_dither_factors[idx]), 32); + qr = rshift64_clip24((qr * (1LL<<32)) + MUL64(dither, tables->invert_quantize_dither_factors[idx]), 32); invert_quantize->reconstructed_difference = MUL64(invert_quantize->quantization_factor, qr) >> 19; /* update factor_select */ factor_select = 32620 * invert_quantize->factor_select; - factor_select = rshift32(factor_select + (tables->quantize_factor_select_offset[idx] << 15), 15); + factor_select = rshift32(factor_select + (tables->quantize_factor_select_offset[idx] * (1 << 15)), 15); invert_quantize->factor_select = av_clip(factor_select, 0, tables->factor_max); /* update quantization factor */ @@ -801,7 +801,7 @@ static void aptx_prediction_filtering(Prediction *prediction, prediction->previous_reconstructed_sample = reconstructed_sample; reconstructed_differences = aptx_reconstructed_differences_update(prediction, reconstructed_difference, order); - srd0 = FFDIFFSIGN(reconstructed_difference, 0) << 23; + srd0 = FFDIFFSIGN(reconstructed_difference, 0) * (1 << 23); for (i = 0; i < order; i++) { int32_t srd = FF_SIGNBIT(reconstructed_differences[-i-1]) | 1; prediction->d_weight[i] -= rshift32(prediction->d_weight[i] - srd*srd0, 8); @@ -830,7 +830,7 @@ static void aptx_process_subband(InvertQuantize *invert_quantize, range = 0x100000; sw1 = rshift32(-same_sign[1] * prediction->s_weight[1], 1); - sw1 = (av_clip(sw1, -range, range) & ~0xF) << 4; + sw1 = (av_clip(sw1, -range, range) & ~0xF) * 16; range = 0x300000; weight[0] = 254 * prediction->s_weight[0] + 0x800000*same_sign[0] + sw1; @@ -989,6 +989,9 @@ static av_cold int aptx_init(AVCodecContext *avctx) AptXContext *s = avctx->priv_data; int chan, subband; + if (avctx->channels != 2) + return AVERROR_INVALIDDATA; + s->hd = avctx->codec->id == AV_CODEC_ID_APTX_HD; s->block_size = s->hd ? 6 : 4; @@ -1044,7 +1047,7 @@ static int aptx_decode_frame(AVCodecContext *avctx, void *data, for (channel = 0; channel < NB_CHANNELS; channel++) for (sample = 0; sample < 4; sample++) AV_WN32A(&frame->data[channel][4*(opos+sample)], - samples[channel][sample] << 8); + samples[channel][sample] * 256); } *got_frame_ptr = 1; diff --git a/libavcodec/arm/mlpdsp_armv5te.S b/libavcodec/arm/mlpdsp_armv5te.S index 4f9aa485fd..d31568611c 100644 --- a/libavcodec/arm/mlpdsp_armv5te.S +++ b/libavcodec/arm/mlpdsp_armv5te.S @@ -229,7 +229,7 @@ A .endif .endif // Begin loop -01: +1: .if TOTAL_TAPS == 0 // Things simplify a lot in this case // In fact this could be pipelined further if it's worth it... @@ -241,7 +241,7 @@ A .endif str ST0, [PST, #-4]! str ST0, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST0, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .else .if \fir_taps & 1 .set LOAD_REG, 1 @@ -333,7 +333,7 @@ T orr AC0, AC0, AC1 str ST3, [PST, #-4]! str ST2, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST3, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .endif b 99f diff --git a/libavcodec/arm/vp9mc_neon.S b/libavcodec/arm/vp9mc_neon.S index bd8cda7c30..2ec729bb31 100644 --- a/libavcodec/arm/vp9mc_neon.S +++ b/libavcodec/arm/vp9mc_neon.S @@ -279,11 +279,13 @@ function \type\()_8tap_\size\()h_\idx1\idx2 sub r1, r1, r5 .endif @ size >= 16 loads two qwords and increments r2, - @ for size 4/8 it's enough with one qword and no - @ postincrement + @ size 4 loads 1 d word, increments r2 and loads 1 32-bit lane + @ for size 8 it's enough with one qword and no postincrement .if \size >= 16 sub r3, r3, r5 sub r3, r3, #8 +.elseif \size == 4 + sub r3, r3, #8 .endif @ Load the filter vector vld1.16 {q0}, [r12,:128] @@ -295,9 +297,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 vld1.8 {d18, d19, d20}, [r2]! vld1.8 {d24, d25, d26}, [r7]! -.else +.elseif \size == 8 vld1.8 {q9}, [r2] vld1.8 {q12}, [r7] +.else @ size == 4 + vld1.8 {d18}, [r2]! + vld1.8 {d24}, [r7]! + vld1.32 {d19[0]}, [r2] + vld1.32 {d25[0]}, [r7] .endif vmovl.u8 q8, d18 vmovl.u8 q9, d19 diff --git a/libavcodec/assdec.c b/libavcodec/assdec.c index 3178f2953c..f0b1069cd2 100644 --- a/libavcodec/assdec.c +++ b/libavcodec/assdec.c @@ -31,7 +31,8 @@ static av_cold int ass_decode_init(AVCodecContext *avctx) avctx->subtitle_header = av_malloc(avctx->extradata_size + 1); if (!avctx->subtitle_header) return AVERROR(ENOMEM); - memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size); + if (avctx->extradata_size) + memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size); avctx->subtitle_header[avctx->extradata_size] = 0; avctx->subtitle_header_size = avctx->extradata_size; return 0; diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 6cdcdf1964..067aa23f1f 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -964,7 +964,7 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - if (avctx->block_align >= UINT_MAX / 2) + if (avctx->block_align > 1024 || avctx->block_align <= 0) return AVERROR(EINVAL); q->decoded_bytes_buffer = av_mallocz(FFALIGN(avctx->block_align, 4) + diff --git a/libavcodec/atrac3plus.c b/libavcodec/atrac3plus.c index 9f964efb4d..8d17889582 100644 --- a/libavcodec/atrac3plus.c +++ b/libavcodec/atrac3plus.c @@ -456,6 +456,10 @@ static int decode_channel_wordlen(GetBitContext *gb, Atrac3pChanUnitCtx *ctx, } else if (chan->fill_mode == 3) { pos = ch_num ? chan->num_coded_vals + chan->split_point : ctx->num_quant_units - chan->split_point; + if (pos > FF_ARRAY_ELEMS(chan->qu_wordlen)) { + av_log(avctx, AV_LOG_ERROR, "Split point beyond array\n"); + pos = FF_ARRAY_ELEMS(chan->qu_wordlen); + } for (i = chan->num_coded_vals; i < pos; i++) chan->qu_wordlen[i] = 1; } diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 2e23ea44e8..b53e2717fb 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -121,7 +121,7 @@ static inline int parse_gradient(ATRAC9Context *s, ATRAC9BlockData *b, } b->grad_boundary = get_bits(gb, 4); - if (grad_range[0] >= grad_range[1] || grad_range[1] > 47) + if (grad_range[0] >= grad_range[1] || grad_range[1] > 31) return AVERROR_INVALIDDATA; if (grad_value[0] > 31 || grad_value[1] > 31) @@ -190,7 +190,7 @@ static inline void calc_precision(ATRAC9Context *s, ATRAC9BlockData *b, for (int i = 0; i < b->q_unit_cnt; i++) { c->precision_fine[i] = 0; if (c->precision_coarse[i] > 15) { - c->precision_fine[i] = c->precision_coarse[i] - 15; + c->precision_fine[i] = FFMIN(c->precision_coarse[i], 30) - 15; c->precision_coarse[i] = 15; } } @@ -202,7 +202,7 @@ static inline int parse_band_ext(ATRAC9Context *s, ATRAC9BlockData *b, int ext_band = 0; if (b->has_band_ext) { - if (b->q_unit_cnt < 13) + if (b->q_unit_cnt < 13 || b->q_unit_cnt > 20) return AVERROR_INVALIDDATA; ext_band = at9_tab_band_ext_group[b->q_unit_cnt - 13][2]; if (stereo) { @@ -226,8 +226,18 @@ static inline int parse_band_ext(ATRAC9Context *s, ATRAC9BlockData *b, b->channel[0].band_ext = get_bits(gb, 2); b->channel[0].band_ext = ext_band > 2 ? b->channel[0].band_ext : 4; - if (!get_bits(gb, 5)) + if (!get_bits(gb, 5)) { + for (int i = 0; i <= stereo; i++) { + ATRAC9ChannelData *c = &b->channel[i]; + const int count = at9_tab_band_ext_cnt[c->band_ext][ext_band]; + for (int j = 0; j < count; j++) { + int len = at9_tab_band_ext_lengths[c->band_ext][ext_band][j]; + c->band_ext_data[j] = av_clip_uintp2_c(c->band_ext_data[j], len); + } + } + return 0; + } for (int i = 0; i <= stereo; i++) { ATRAC9ChannelData *c = &b->channel[i]; @@ -842,6 +852,11 @@ static av_cold int atrac9_decode_init(AVCodecContext *avctx) av_lfg_init(&s->lfg, 0xFBADF00D); + if (avctx->block_align <= 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid block align\n"); + return AVERROR_INVALIDDATA; + } + if (avctx->extradata_size != 12) { av_log(avctx, AV_LOG_ERROR, "Invalid extradata length!\n"); return AVERROR_INVALIDDATA; @@ -871,6 +886,7 @@ static av_cold int atrac9_decode_init(AVCodecContext *avctx) s->block_config = &at9_block_layout[block_config_idx]; avctx->channel_layout = s->block_config->channel_layout; + avctx->channels = av_get_channel_layout_nb_channels(avctx->channel_layout); avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (get_bits1(&gb)) { diff --git a/libavcodec/audiodsp.c b/libavcodec/audiodsp.c index 3c7a3a7583..efcb0a8e8a 100644 --- a/libavcodec/audiodsp.c +++ b/libavcodec/audiodsp.c @@ -79,7 +79,7 @@ static void vector_clipf_c(float *dst, const float *src, int len, static int32_t scalarproduct_int16_c(const int16_t *v1, const int16_t *v2, int order) { - int res = 0; + unsigned res = 0; while (order--) res += *v1++ **v2++; diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index d234271c5b..64e0c96833 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -2333,6 +2333,10 @@ typedef struct AVCodecContext { * this callback and filled with the extra buffers if there are more * buffers than buf[] can hold. extended_buf will be freed in * av_frame_unref(). + * Decoders will generally initialize the whole buffer before it is output + * but it can in rare error conditions happen that uninitialized data is passed + * through. \important The buffers returned by get_buffer* should thus not contain sensitive + * data. * * If AV_CODEC_CAP_DR1 is not set then get_buffer2() must call * avcodec_default_get_buffer2() instead of providing buffers allocated by diff --git a/libavcodec/avdct.c b/libavcodec/avdct.c index 47e5f7134e..7c761cf39a 100644 --- a/libavcodec/avdct.c +++ b/libavcodec/avdct.c @@ -100,7 +100,7 @@ int avcodec_dct_init(AVDCT *dsp) #if CONFIG_IDCTDSP { - IDCTDSPContext idsp; + IDCTDSPContext idsp = {0}; ff_idctdsp_init(&idsp, avctx); COPY(idsp, idct); COPY(idsp, idct_permutation); diff --git a/libavcodec/bgmc.c b/libavcodec/bgmc.c index 1a6817b73f..2d59aa37ad 100644 --- a/libavcodec/bgmc.c +++ b/libavcodec/bgmc.c @@ -485,12 +485,17 @@ av_cold void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status) /** Initialize decoding and reads the first value */ -void ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, +int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, unsigned int *l, unsigned int *v) { + if (get_bits_left(gb) < VALUE_BITS) + return AVERROR_INVALIDDATA; + *h = TOP_VALUE; *l = 0; *v = get_bits_long(gb, VALUE_BITS); + + return 0; } diff --git a/libavcodec/bgmc.h b/libavcodec/bgmc.h index 4893736af5..466df31a2e 100644 --- a/libavcodec/bgmc.h +++ b/libavcodec/bgmc.h @@ -40,7 +40,7 @@ int ff_bgmc_init(AVCodecContext *avctx, uint8_t **cf_lut, int **cf_lut_status); void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status); -void ff_bgmc_decode_init(GetBitContext *gb, +int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, unsigned int *l, unsigned int *v); diff --git a/libavcodec/bink.c b/libavcodec/bink.c index d18c0ceae4..87586e1225 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -838,7 +838,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw) * 8; + ref_end = frame->data[plane_idx] + ((bh - 1) * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; @@ -894,7 +894,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8*stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); @@ -910,7 +910,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); @@ -942,7 +942,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); @@ -1052,7 +1052,7 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it - if ((by & 1) && blk == SCALED_BLOCK) { + if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) { bx++; dst += 8; prev += 8; diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index 96cf968c66..fbaf925037 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) { // audio is already interleaved for the RDFT format variant avctx->sample_fmt = AV_SAMPLE_FMT_FLT; + if (sample_rate > INT_MAX / avctx->channels) + return AVERROR_INVALIDDATA; sample_rate *= avctx->channels; s->channels = 1; if (!s->version_b) @@ -107,7 +109,7 @@ static av_cold int decode_init(AVCodecContext *avctx) s->frame_len = 1 << frame_len_bits; s->overlap_len = s->frame_len / 16; s->block_size = (s->frame_len - s->overlap_len) * s->channels; - sample_rate_half = (sample_rate + 1) / 2; + sample_rate_half = (sample_rate + 1LL) / 2; if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) s->root = 2.0 / (sqrt(s->frame_len) * 32768.0); else diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index be8a0f634d..53a2db7451 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -162,9 +162,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, uint32_t code; volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2 - table_size = 1 << table_nb_bits; if (table_nb_bits > 30) return AVERROR(EINVAL); + table_size = 1 << table_nb_bits; table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC); ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size); if (table_index < 0) diff --git a/libavcodec/brenderpix.c b/libavcodec/brenderpix.c index 0556858de1..46b7a59aa4 100644 --- a/libavcodec/brenderpix.c +++ b/libavcodec/brenderpix.c @@ -204,6 +204,10 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, avpriv_request_sample(avctx, "Format %d", hdr.format); return AVERROR_PATCHWELCOME; } + bytes_per_scanline = bytes_pp * hdr.width; + + if (bytestream2_get_bytes_left(&gb) < hdr.height * bytes_per_scanline) + return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, hdr.width, hdr.height)) < 0) return ret; @@ -261,7 +265,6 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(&gb, 8); // read the image data to the buffer - bytes_per_scanline = bytes_pp * hdr.width; bytes_left = bytestream2_get_bytes_left(&gb); if (chunk_type != IMAGE_DATA_CHUNK || data_len != bytes_left || diff --git a/libavcodec/bsf.c b/libavcodec/bsf.c index 5081307603..e17dc854f5 100644 --- a/libavcodec/bsf.c +++ b/libavcodec/bsf.c @@ -47,7 +47,8 @@ void av_bsf_free(AVBSFContext **pctx) av_opt_free(ctx); - av_packet_free(&ctx->internal->buffer_pkt); + if (ctx->internal) + av_packet_free(&ctx->internal->buffer_pkt); av_freep(&ctx->internal); av_freep(&ctx->priv_data); diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 5f3b354518..1c4f71824a 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1215,6 +1215,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int input_size, ret; const uint8_t *buf_end; const uint8_t *buf_ptr; + int frame_start = 0; if (buf_size == 0) { if (!h->low_delay && h->DPB[0].f->data[0]) { @@ -1248,6 +1249,9 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h->got_keyframe = 1; } case PIC_PB_START_CODE: + if (frame_start > 1) + return AVERROR_INVALIDDATA; + frame_start ++; if (*got_frame) av_frame_unref(data); *got_frame = 0; diff --git a/libavcodec/cavsdsp.c b/libavcodec/cavsdsp.c index 90a67e910c..ba92121cc9 100644 --- a/libavcodec/cavsdsp.c +++ b/libavcodec/cavsdsp.c @@ -201,20 +201,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride) src[0][0] += 8; for( i = 0; i < 8; i++ ) { - const int a0 = 3*src[i][1] - (src[i][7]<<1); - const int a1 = 3*src[i][3] + (src[i][5]<<1); - const int a2 = (src[i][3]<<1) - 3*src[i][5]; - const int a3 = (src[i][1]<<1) + 3*src[i][7]; + const int a0 = 3 * src[i][1] - 2 * src[i][7]; + const int a1 = 3 * src[i][3] + 2 * src[i][5]; + const int a2 = 2 * src[i][3] - 3 * src[i][5]; + const int a3 = 2 * src[i][1] + 3 * src[i][7]; - const int b4 = ((a0 + a1 + a3)<<1) + a1; - const int b5 = ((a0 - a1 + a2)<<1) + a0; - const int b6 = ((a3 - a2 - a1)<<1) + a3; - const int b7 = ((a0 - a2 - a3)<<1) - a2; + const int b4 = 2 * (a0 + a1 + a3) + a1; + const int b5 = 2 * (a0 - a1 + a2) + a0; + const int b6 = 2 * (a3 - a2 - a1) + a3; + const int b7 = 2 * (a0 - a2 - a3) - a2; - const int a7 = (src[i][2]<<2) - 10*src[i][6]; - const int a6 = (src[i][6]<<2) + 10*src[i][2]; - const int a5 = ((src[i][0] - src[i][4]) << 3) + 4; - const int a4 = ((src[i][0] + src[i][4]) << 3) + 4; + const int a7 = 4 * src[i][2] - 10 * src[i][6]; + const int a6 = 4 * src[i][6] + 10 * src[i][2]; + const int a5 = 8 * (src[i][0] - src[i][4]) + 4; + const int a4 = 8 * (src[i][0] + src[i][4]) + 4; const int b0 = a4 + a6; const int b1 = a5 + a7; @@ -231,20 +231,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride) src[i][7] = (b0 - b4) >> 3; } for( i = 0; i < 8; i++ ) { - const int a0 = 3*src[1][i] - (src[7][i]<<1); - const int a1 = 3*src[3][i] + (src[5][i]<<1); - const int a2 = (src[3][i]<<1) - 3*src[5][i]; - const int a3 = (src[1][i]<<1) + 3*src[7][i]; + const int a0 = 3 * src[1][i] - 2 * src[7][i]; + const int a1 = 3 * src[3][i] + 2 * src[5][i]; + const int a2 = 2 * src[3][i] - 3 * src[5][i]; + const int a3 = 2 * src[1][i] + 3 * src[7][i]; - const int b4 = ((a0 + a1 + a3)<<1) + a1; - const int b5 = ((a0 - a1 + a2)<<1) + a0; - const int b6 = ((a3 - a2 - a1)<<1) + a3; - const int b7 = ((a0 - a2 - a3)<<1) - a2; + const int b4 = 2 * (a0 + a1 + a3) + a1; + const int b5 = 2 * (a0 - a1 + a2) + a0; + const int b6 = 2 * (a3 - a2 - a1) + a3; + const int b7 = 2 * (a0 - a2 - a3) - a2; - const int a7 = (src[2][i]<<2) - 10*src[6][i]; - const int a6 = (src[6][i]<<2) + 10*src[2][i]; - const int a5 = (src[0][i] - src[4][i]) << 3; - const int a4 = (src[0][i] + src[4][i]) << 3; + const int a7 = 4 * src[2][i] - 10 * src[6][i]; + const int a6 = 4 * src[6][i] + 10 * src[2][i]; + const int a5 = 8 * (src[0][i] - src[4][i]); + const int a4 = 8 * (src[0][i] + src[4][i]); const int b0 = a4 + a6; const int b1 = a5 + a7; diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c index 2350416501..0a71385fa2 100644 --- a/libavcodec/cbs.c +++ b/libavcodec/cbs.c @@ -95,10 +95,12 @@ int ff_cbs_init(CodedBitstreamContext **ctx_ptr, ctx->log_ctx = log_ctx; ctx->codec = type; - ctx->priv_data = av_mallocz(ctx->codec->priv_data_size); - if (!ctx->priv_data) { - av_freep(&ctx); - return AVERROR(ENOMEM); + if (type->priv_data_size) { + ctx->priv_data = av_mallocz(ctx->codec->priv_data_size); + if (!ctx->priv_data) { + av_freep(&ctx); + return AVERROR(ENOMEM); + } } ctx->decompose_unit_types = NULL; @@ -120,6 +122,7 @@ void ff_cbs_close(CodedBitstreamContext **ctx_ptr) if (ctx->codec && ctx->codec->close) ctx->codec->close(ctx); + av_freep(&ctx->write_buffer); av_freep(&ctx->priv_data); av_freep(ctx_ptr); } @@ -280,6 +283,59 @@ int ff_cbs_read(CodedBitstreamContext *ctx, return cbs_read_fragment_content(ctx, frag); } +static int cbs_write_unit_data(CodedBitstreamContext *ctx, + CodedBitstreamUnit *unit) +{ + PutBitContext pbc; + int ret; + + if (!ctx->write_buffer) { + // Initial write buffer size is 1MB. + ctx->write_buffer_size = 1024 * 1024; + + reallocate_and_try_again: + ret = av_reallocp(&ctx->write_buffer, ctx->write_buffer_size); + if (ret < 0) { + av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " + "sufficiently large write buffer (last attempt " + "%"SIZE_SPECIFIER" bytes).\n", ctx->write_buffer_size); + return ret; + } + } + + init_put_bits(&pbc, ctx->write_buffer, ctx->write_buffer_size); + + ret = ctx->codec->write_unit(ctx, unit, &pbc); + if (ret < 0) { + if (ret == AVERROR(ENOSPC)) { + // Overflow. + if (ctx->write_buffer_size == INT_MAX / 8) + return AVERROR(ENOMEM); + ctx->write_buffer_size = FFMIN(2 * ctx->write_buffer_size, INT_MAX / 8); + goto reallocate_and_try_again; + } + // Write failed for some other reason. + return ret; + } + + // Overflow but we didn't notice. + av_assert0(put_bits_count(&pbc) <= 8 * ctx->write_buffer_size); + + if (put_bits_count(&pbc) % 8) + unit->data_bit_padding = 8 - put_bits_count(&pbc) % 8; + else + unit->data_bit_padding = 0; + + flush_put_bits(&pbc); + + ret = ff_cbs_alloc_unit_data(ctx, unit, put_bits_count(&pbc) / 8); + if (ret < 0) + return ret; + + memcpy(unit->data, ctx->write_buffer, unit->data_size); + + return 0; +} int ff_cbs_write_fragment_data(CodedBitstreamContext *ctx, CodedBitstreamFragment *frag) @@ -295,7 +351,7 @@ int ff_cbs_write_fragment_data(CodedBitstreamContext *ctx, av_buffer_unref(&unit->data_ref); unit->data = NULL; - err = ctx->codec->write_unit(ctx, unit); + err = cbs_write_unit_data(ctx, unit); if (err < 0) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Failed to write unit %d " "(type %"PRIu32").\n", i, unit->type); @@ -637,11 +693,11 @@ static int cbs_insert_unit(CodedBitstreamContext *ctx, memmove(units + position + 1, units + position, (frag->nb_units - position) * sizeof(*units)); } else { - units = av_malloc_array(frag->nb_units + 1, sizeof(*units)); + units = av_malloc_array(frag->nb_units*2 + 1, sizeof(*units)); if (!units) return AVERROR(ENOMEM); - ++frag->nb_units_allocated; + frag->nb_units_allocated = 2*frag->nb_units_allocated + 1; if (position > 0) memcpy(units, frag->units, position * sizeof(*units)); diff --git a/libavcodec/cbs.h b/libavcodec/cbs.h index fe57e7b2a5..1974cf3e66 100644 --- a/libavcodec/cbs.h +++ b/libavcodec/cbs.h @@ -210,6 +210,13 @@ typedef struct CodedBitstreamContext { * From AV_LOG_*; defaults to AV_LOG_TRACE. */ int trace_level; + + /** + * Write buffer. Used as intermediate buffer when writing units. + * For internal use of cbs only. + */ + uint8_t *write_buffer; + size_t write_buffer_size; } CodedBitstreamContext; diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index eb6b801790..e68028fdc8 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -36,7 +36,7 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, position = get_bits_count(gbc); zeroes = 0; - while (1) { + while (zeroes < 32) { if (get_bits_left(gbc) < 1) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " "%s: bitstream ended.\n", name); @@ -49,7 +49,18 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, } if (zeroes >= 32) { - value = MAX_UINT_BITS(32); + // The spec allows at least thirty-two zero bits followed by a + // one to mean 2^32-1, with no constraint on the number of + // zeroes. The libaom reference decoder does not match this, + // instead reading thirty-two zeroes but not the following one + // to mean 2^32-1. These two interpretations are incompatible + // and other implementations may follow one or the other. + // Therefore we reject thirty-two zeroes because the intended + // behaviour is not clear. + av_log(ctx->log_ctx, AV_LOG_ERROR, "Thirty-two zero bits in " + "%s uvlc code: considered invalid due to conflicting " + "standard and reference decoder behaviour.\n", name); + return AVERROR_INVALIDDATA; } else { if (get_bits_left(gbc) < zeroes) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " @@ -125,8 +136,9 @@ static int cbs_av1_write_uvlc(CodedBitstreamContext *ctx, PutBitContext *pbc, put_bits(pbc, 1, 1); } else { zeroes = av_log2(value + 1); - v = value - (1 << zeroes) + 1; - put_bits(pbc, zeroes + 1, 1); + v = value - (1U << zeroes) + 1; + put_bits(pbc, zeroes, 0); + put_bits(pbc, 1, 1); put_bits(pbc, zeroes, v); } @@ -170,6 +182,9 @@ static int cbs_av1_read_leb128(CodedBitstreamContext *ctx, GetBitContext *gbc, break; } + if (value > UINT32_MAX) + return AVERROR_INVALIDDATA; + if (ctx->trace_enable) ff_cbs_trace_syntax_element(ctx, position, name, NULL, "", value); @@ -379,7 +394,7 @@ static int cbs_av1_write_increment(CodedBitstreamContext *ctx, PutBitContext *pb } if (len > 0) - put_bits(pbc, len, (1 << len) - 1 - (value != range_max)); + put_bits(pbc, len, (1U << len) - 1 - (value != range_max)); return 0; } @@ -574,7 +589,7 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc) #define RWContext GetBitContext #define xf(width, name, var, range_min, range_max, subs, ...) do { \ - uint32_t value = range_min; \ + uint32_t value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ @@ -582,7 +597,7 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc) } while (0) #define xsu(width, name, var, subs, ...) do { \ - int32_t value = 0; \ + int32_t value; \ CHECK(ff_cbs_read_signed(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), &value, \ MIN_INT_BITS(width), \ @@ -591,27 +606,27 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc) } while (0) #define uvlc(name, range_min, range_max) do { \ - uint32_t value = range_min; \ + uint32_t value; \ CHECK(cbs_av1_read_uvlc(ctx, rw, #name, \ &value, range_min, range_max)); \ current->name = value; \ } while (0) #define ns(max_value, name, subs, ...) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(cbs_av1_read_ns(ctx, rw, max_value, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), &value)); \ current->name = value; \ } while (0) #define increment(name, min, max) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(cbs_av1_read_increment(ctx, rw, min, max, #name, &value)); \ current->name = value; \ } while (0) #define subexp(name, max, subs, ...) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(cbs_av1_read_subexp(ctx, rw, max, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), &value)); \ current->name = value; \ @@ -629,7 +644,7 @@ static size_t cbs_av1_get_payload_bytes_left(GetBitContext *gbc) } while (0) #define leb128(name) do { \ - uint64_t value = 0; \ + uint64_t value; \ CHECK(cbs_av1_read_leb128(ctx, rw, #name, &value)); \ current->name = value; \ } while (0) @@ -940,6 +955,8 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx, priv->spatial_id = 0; } + priv->ref = (AV1ReferenceFrameState *)&priv->read_ref; + switch (obu->header.obu_type) { case AV1_OBU_SEQUENCE_HEADER: { @@ -1038,6 +1055,7 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx, if (obu->obu_size > 0 && obu->header.obu_type != AV1_OBU_TILE_GROUP && + obu->header.obu_type != AV1_OBU_TILE_LIST && obu->header.obu_type != AV1_OBU_FRAME) { int nb_bits = obu->obu_size * 8 + start_pos - end_pos; @@ -1082,6 +1100,8 @@ static int cbs_av1_write_obu(CodedBitstreamContext *ctx, td = NULL; start_pos = put_bits_count(pbc); + priv->ref = (AV1ReferenceFrameState *)&priv->write_ref; + switch (obu->header.obu_type) { case AV1_OBU_SEQUENCE_HEADER: { @@ -1200,66 +1220,19 @@ static int cbs_av1_write_obu(CodedBitstreamContext *ctx, return AVERROR(ENOSPC); if (obu->obu_size > 0) { - memmove(priv->write_buffer + data_pos, - priv->write_buffer + start_pos, header_size); + memmove(pbc->buf + data_pos, + pbc->buf + start_pos, header_size); skip_put_bytes(pbc, header_size); if (td) { - memcpy(priv->write_buffer + data_pos + header_size, + memcpy(pbc->buf + data_pos + header_size, td->data, td->data_size); skip_put_bytes(pbc, td->data_size); } } - return 0; -} - -static int cbs_av1_write_unit(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit) -{ - CodedBitstreamAV1Context *priv = ctx->priv_data; - PutBitContext pbc; - int err; - - if (!priv->write_buffer) { - // Initial write buffer size is 1MB. - priv->write_buffer_size = 1024 * 1024; - - reallocate_and_try_again: - err = av_reallocp(&priv->write_buffer, priv->write_buffer_size); - if (err < 0) { - av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " - "sufficiently large write buffer (last attempt " - "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); - return err; - } - } - - init_put_bits(&pbc, priv->write_buffer, priv->write_buffer_size); - - err = cbs_av1_write_obu(ctx, unit, &pbc); - if (err == AVERROR(ENOSPC)) { - // Overflow. - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } - if (err < 0) - return err; - - // Overflow but we didn't notice. - av_assert0(put_bits_count(&pbc) <= 8 * priv->write_buffer_size); - // OBU data must be byte-aligned. - av_assert0(put_bits_count(&pbc) % 8 == 0); - - unit->data_size = put_bits_count(&pbc) / 8; - flush_put_bits(&pbc); - - err = ff_cbs_alloc_unit_data(ctx, unit, unit->data_size); - if (err < 0) - return err; - - memcpy(unit->data, priv->write_buffer, unit->data_size); + av_assert0(put_bits_count(pbc) % 8 == 0); return 0; } @@ -1298,8 +1271,6 @@ static void cbs_av1_close(CodedBitstreamContext *ctx) av_buffer_unref(&priv->sequence_header_ref); av_buffer_unref(&priv->frame_header_ref); - - av_freep(&priv->write_buffer); } const CodedBitstreamType ff_cbs_type_av1 = { @@ -1309,7 +1280,7 @@ const CodedBitstreamType ff_cbs_type_av1 = { .split_fragment = &cbs_av1_split_fragment, .read_unit = &cbs_av1_read_unit, - .write_unit = &cbs_av1_write_unit, + .write_unit = &cbs_av1_write_obu, .assemble_fragment = &cbs_av1_assemble_fragment, .close = &cbs_av1_close, diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index 1fb668ada4..d142882074 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -256,8 +256,8 @@ typedef struct AV1RawFrameHeader { uint8_t update_grain; uint8_t film_grain_params_ref_idx; uint8_t num_y_points; - uint8_t point_y_value[16]; - uint8_t point_y_scaling[16]; + uint8_t point_y_value[14]; + uint8_t point_y_scaling[14]; uint8_t chroma_scaling_from_luma; uint8_t num_cb_points; uint8_t point_cb_value[16]; @@ -268,8 +268,8 @@ typedef struct AV1RawFrameHeader { uint8_t grain_scaling_minus_8; uint8_t ar_coeff_lag; uint8_t ar_coeffs_y_plus_128[24]; - uint8_t ar_coeffs_cb_plus_128[24]; - uint8_t ar_coeffs_cr_plus_128[24]; + uint8_t ar_coeffs_cb_plus_128[25]; + uint8_t ar_coeffs_cr_plus_128[25]; uint8_t ar_coeff_shift_minus_6; uint8_t grain_scale_shift; uint8_t cb_mult; @@ -441,11 +441,9 @@ typedef struct CodedBitstreamAV1Context { int tile_cols; int tile_rows; - AV1ReferenceFrameState ref[AV1_NUM_REF_FRAMES]; - - // Write buffer. - uint8_t *write_buffer; - size_t write_buffer_size; + AV1ReferenceFrameState *ref; + AV1ReferenceFrameState read_ref[AV1_NUM_REF_FRAMES]; + AV1ReferenceFrameState write_ref[AV1_NUM_REF_FRAMES]; } CodedBitstreamAV1Context; diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index b04cd51d55..d084a76151 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -419,16 +419,17 @@ static int FUNC(frame_size_with_refs)(CodedBitstreamContext *ctx, RWContext *rw, for (i = 0; i < AV1_REFS_PER_FRAME; i++) { flags(found_ref[i], 1, i); if (current->found_ref[i]) { - AV1ReferenceFrameState *ref = - &priv->ref[current->ref_frame_idx[i]]; + AV1ReferenceFrameState *ref; - if (!ref->valid) { + if (current->ref_frame_idx[i] < 0 || + !priv->ref[current->ref_frame_idx[i]].valid) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Missing reference frame needed for frame size " "(ref = %d, ref_frame_idx = %d).\n", i, current->ref_frame_idx[i]); return AVERROR_INVALIDDATA; } + ref = &priv->ref[current->ref_frame_idx[i]]; priv->upscaled_width = ref->upscaled_width; priv->frame_width = ref->frame_width; @@ -881,7 +882,7 @@ static int FUNC(skip_mode_params)(CodedBitstreamContext *ctx, RWContext *rw, forward_idx = -1; backward_idx = -1; for (i = 0; i < AV1_REFS_PER_FRAME; i++) { - ref_hint = priv->ref[i].order_hint; + ref_hint = priv->ref[current->ref_frame_idx[i]].order_hint; dist = cbs_av1_get_relative_dist(seq, ref_hint, current->order_hint); if (dist < 0) { @@ -912,7 +913,7 @@ static int FUNC(skip_mode_params)(CodedBitstreamContext *ctx, RWContext *rw, second_forward_idx = -1; for (i = 0; i < AV1_REFS_PER_FRAME; i++) { - ref_hint = priv->ref[i].order_hint; + ref_hint = priv->ref[current->ref_frame_idx[i]].order_hint; if (cbs_av1_get_relative_dist(seq, ref_hint, forward_hint) < 0) { if (second_forward_idx < 0 || @@ -1044,7 +1045,7 @@ static int FUNC(film_grain_params)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } - fb(4, num_y_points); + fc(4, num_y_points, 0, 14); for (i = 0; i < current->num_y_points; i++) { fbs(8, point_y_value[i], 1, i); fbs(8, point_y_scaling[i], 1, i); @@ -1499,8 +1500,6 @@ static int FUNC(frame_header_obu)(CodedBitstreamContext *ctx, RWContext *rw, else HEADER("Frame Header"); - priv->seen_frame_header = 1; - #ifdef READ start_pos = get_bits_count(rw); #else diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index c95f1308e9..f0a9448941 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -289,28 +289,28 @@ static int cbs_write_se_golomb(CodedBitstreamContext *ctx, PutBitContext *pbc, #define RWContext GetBitContext #define xu(width, name, var, range_min, range_max, subs, ...) do { \ - uint32_t value = range_min; \ + uint32_t value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ var = value; \ } while (0) #define xue(name, var, range_min, range_max, subs, ...) do { \ - uint32_t value = range_min; \ + uint32_t value; \ CHECK(cbs_read_ue_golomb(ctx, rw, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ var = value; \ } while (0) #define xi(width, name, var, range_min, range_max, subs, ...) do { \ - int32_t value = range_min; \ + int32_t value; \ CHECK(ff_cbs_read_signed(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ var = value; \ } while (0) #define xse(name, var, range_min, range_max, subs, ...) do { \ - int32_t value = range_min; \ + int32_t value; \ CHECK(cbs_read_se_golomb(ctx, rw, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ @@ -568,7 +568,10 @@ static int cbs_h2645_fragment_add_nals(CodedBitstreamContext *ctx, // Remove trailing zeroes. while (size > 0 && nal->data[size - 1] == 0) --size; - av_assert0(size > 0); + if (size == 0) { + av_log(ctx->log_ctx, AV_LOG_VERBOSE, "Discarding empty 0 NAL unit\n"); + continue; + } ref = (nal->data == nal->raw_data) ? frag->data_ref : packet->rbsp.rbsp_buffer_ref; @@ -748,7 +751,7 @@ static int cbs_h26 ## h26n ## _replace_ ## ps_var(CodedBitstreamContext *ctx, \ CodedBitstreamH26 ## h26n ## Context *priv = ctx->priv_data; \ H26 ## h26n ## Raw ## ps_name *ps_var = unit->content; \ unsigned int id = ps_var->id_element; \ - if (id > FF_ARRAY_ELEMS(priv->ps_var)) { \ + if (id >= FF_ARRAY_ELEMS(priv->ps_var)) { \ av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid " #ps_name \ " id : %d.\n", id); \ return AVERROR_INVALIDDATA; \ @@ -855,15 +858,11 @@ static int cbs_h264_read_nal_unit(CodedBitstreamContext *ctx, if (err < 0) return err; + if (!cbs_h2645_read_more_rbsp_data(&gbc)) + return AVERROR_INVALIDDATA; + pos = get_bits_count(&gbc); len = unit->data_size; - if (!unit->data[len - 1]) { - int z; - for (z = 0; z < len && !unit->data[len - z - 1]; z++); - av_log(ctx->log_ctx, AV_LOG_DEBUG, "Deleted %d trailing zeroes " - "from slice data.\n", z); - len -= z; - } slice->data_size = len - pos / 8; slice->data_ref = av_buffer_ref(unit->data_ref); @@ -1037,15 +1036,11 @@ static int cbs_h265_read_nal_unit(CodedBitstreamContext *ctx, if (err < 0) return err; + if (!cbs_h2645_read_more_rbsp_data(&gbc)) + return AVERROR_INVALIDDATA; + pos = get_bits_count(&gbc); len = unit->data_size; - if (!unit->data[len - 1]) { - int z; - for (z = 0; z < len && !unit->data[len - z - 1]; z++); - av_log(ctx->log_ctx, AV_LOG_DEBUG, "Deleted %d trailing zeroes " - "from slice data.\n", z); - len -= z; - } slice->data_size = len - pos / 8; slice->data_ref = av_buffer_ref(unit->data_ref); @@ -1101,7 +1096,7 @@ static int cbs_h2645_write_slice_data(CodedBitstreamContext *ctx, const uint8_t *pos = data + data_bit_start / 8; av_assert0(data_bit_start >= 0 && - 8 * data_size > data_bit_start); + data_size > data_bit_start / 8); if (data_size * 8 + 8 > put_bits_left(pbc)) return AVERROR(ENOSPC); @@ -1380,65 +1375,6 @@ static int cbs_h265_write_nal_unit(CodedBitstreamContext *ctx, return 0; } -static int cbs_h2645_write_nal_unit(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit) -{ - CodedBitstreamH2645Context *priv = ctx->priv_data; - enum AVCodecID codec_id = ctx->codec->codec_id; - PutBitContext pbc; - int err; - - if (!priv->write_buffer) { - // Initial write buffer size is 1MB. - priv->write_buffer_size = 1024 * 1024; - - reallocate_and_try_again: - err = av_reallocp(&priv->write_buffer, priv->write_buffer_size); - if (err < 0) { - av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " - "sufficiently large write buffer (last attempt " - "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); - return err; - } - } - - init_put_bits(&pbc, priv->write_buffer, priv->write_buffer_size); - - if (codec_id == AV_CODEC_ID_H264) - err = cbs_h264_write_nal_unit(ctx, unit, &pbc); - else - err = cbs_h265_write_nal_unit(ctx, unit, &pbc); - - if (err == AVERROR(ENOSPC)) { - // Overflow. - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } - // Overflow but we didn't notice. - av_assert0(put_bits_count(&pbc) <= 8 * priv->write_buffer_size); - - if (err < 0) { - // Write failed for some other reason. - return err; - } - - if (put_bits_count(&pbc) % 8) - unit->data_bit_padding = 8 - put_bits_count(&pbc) % 8; - else - unit->data_bit_padding = 0; - - unit->data_size = (put_bits_count(&pbc) + 7) / 8; - flush_put_bits(&pbc); - - err = ff_cbs_alloc_unit_data(ctx, unit, unit->data_size); - if (err < 0) - return err; - - memcpy(unit->data, priv->write_buffer, unit->data_size); - - return 0; -} - static int cbs_h2645_assemble_fragment(CodedBitstreamContext *ctx, CodedBitstreamFragment *frag) { @@ -1454,7 +1390,7 @@ static int cbs_h2645_assemble_fragment(CodedBitstreamContext *ctx, max_size = 0; for (i = 0; i < frag->nb_units; i++) { // Start code + content with worst-case emulation prevention. - max_size += 3 + frag->units[i].data_size * 3 / 2; + max_size += 4 + frag->units[i].data_size * 3 / 2; } data = av_malloc(max_size + AV_INPUT_BUFFER_PADDING_SIZE); @@ -1533,8 +1469,6 @@ static void cbs_h264_close(CodedBitstreamContext *ctx) ff_h2645_packet_uninit(&h264->common.read_packet); - av_freep(&h264->common.write_buffer); - for (i = 0; i < FF_ARRAY_ELEMS(h264->sps); i++) av_buffer_unref(&h264->sps_ref[i]); for (i = 0; i < FF_ARRAY_ELEMS(h264->pps); i++) @@ -1548,8 +1482,6 @@ static void cbs_h265_close(CodedBitstreamContext *ctx) ff_h2645_packet_uninit(&h265->common.read_packet); - av_freep(&h265->common.write_buffer); - for (i = 0; i < FF_ARRAY_ELEMS(h265->vps); i++) av_buffer_unref(&h265->vps_ref[i]); for (i = 0; i < FF_ARRAY_ELEMS(h265->sps); i++) @@ -1565,7 +1497,7 @@ const CodedBitstreamType ff_cbs_type_h264 = { .split_fragment = &cbs_h2645_split_fragment, .read_unit = &cbs_h264_read_nal_unit, - .write_unit = &cbs_h2645_write_nal_unit, + .write_unit = &cbs_h264_write_nal_unit, .assemble_fragment = &cbs_h2645_assemble_fragment, .close = &cbs_h264_close, @@ -1578,7 +1510,7 @@ const CodedBitstreamType ff_cbs_type_h265 = { .split_fragment = &cbs_h2645_split_fragment, .read_unit = &cbs_h265_read_nal_unit, - .write_unit = &cbs_h2645_write_nal_unit, + .write_unit = &cbs_h265_write_nal_unit, .assemble_fragment = &cbs_h2645_assemble_fragment, .close = &cbs_h265_close, diff --git a/libavcodec/cbs_h2645.h b/libavcodec/cbs_h2645.h index f4cf65bdde..f4c987a511 100644 --- a/libavcodec/cbs_h2645.h +++ b/libavcodec/cbs_h2645.h @@ -19,9 +19,6 @@ #ifndef AVCODEC_CBS_H2645_H #define AVCODEC_CBS_H2645_H -#include -#include - #include "h2645_parse.h" @@ -33,10 +30,6 @@ typedef struct CodedBitstreamH2645Context { int nal_length_size; // Packet reader. H2645Packet read_packet; - - // Write buffer - uint8_t *write_buffer; - size_t write_buffer_size; } CodedBitstreamH2645Context; diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c index 26be6e590f..b65460996b 100644 --- a/libavcodec/cbs_h264_syntax_template.c +++ b/libavcodec/cbs_h264_syntax_template.c @@ -137,6 +137,10 @@ static int FUNC(vui_parameters)(CodedBitstreamContext *ctx, RWContext *rw, ub(8, colour_primaries); ub(8, transfer_characteristics); ub(8, matrix_coefficients); + } else { + infer(colour_primaries, 2); + infer(transfer_characteristics, 2); + infer(matrix_coefficients, 2); } } else { infer(video_format, 5); @@ -950,6 +954,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, current->payload[k].payload_type = payload_type; current->payload[k].payload_size = payload_size; + current->payload_count++; CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k])); if (!cbs_h2645_read_more_rbsp_data(rw)) @@ -960,7 +965,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, "SEI message: found %d.\n", k); return AVERROR_INVALIDDATA; } - current->payload_count = k + 1; #else for (k = 0; k < current->payload_count; k++) { PutBitContext start_state; @@ -1362,7 +1366,7 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, (sps->pic_height_in_map_units_minus1 + 1); max = (pic_size + pps->slice_group_change_rate_minus1) / (pps->slice_group_change_rate_minus1 + 1); - bits = av_log2(2 * max - 1); + bits = av_ceil_log2(max + 1); u(bits, slice_group_change_cycle, 0, max); } diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 54570929ec..5d6795c7aa 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -80,7 +80,7 @@ static int FUNC(extension_data)(CodedBitstreamContext *ctx, RWContext *rw, } #else for (k = 0; k < current->bit_length; k++) - xu(1, extension_data, current->data[k / 8] >> (7 - k % 8), 0, 1, 0); + xu(1, extension_data, current->data[k / 8] >> (7 - k % 8) & 1, 0, 1, 0); #endif return 0; } @@ -601,6 +601,8 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw, } } + if (i > 15) + return AVERROR_INVALIDDATA; infer(num_negative_pics, i); for (i = 0; i < current->num_negative_pics; i++) { infer(delta_poc_s0_minus1[i], @@ -630,6 +632,8 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw, } } + if (i + current->num_negative_pics > 15) + return AVERROR_INVALIDDATA; infer(num_positive_pics, i); for (i = 0; i < current->num_positive_pics; i++) { infer(delta_poc_s1_minus1[i], @@ -718,7 +722,7 @@ static int FUNC(sps_scc_extension)(CodedBitstreamContext *ctx, RWContext *rw, flag(sps_palette_predictor_initializer_present_flag); if (current->sps_palette_predictor_initializer_present_flag) { - ue(sps_num_palette_predictor_initializer_minus1, 0, 128); + ue(sps_num_palette_predictor_initializer_minus1, 0, 127); for (comp = 0; comp < (current->chroma_format_idc ? 3 : 1); comp++) { int bit_depth = comp == 0 ? current->bit_depth_luma_minus8 + 8 : current->bit_depth_chroma_minus8 + 8; @@ -1367,7 +1371,7 @@ static int FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw, infer(num_long_term_sps, 0); idx_size = 0; } - ue(num_long_term_pics, 0, HEVC_MAX_LONG_TERM_REF_PICS); + ue(num_long_term_pics, 0, HEVC_MAX_REFS - current->num_long_term_sps); for (i = 0; i < current->num_long_term_sps + current->num_long_term_pics; i++) { @@ -2184,6 +2188,7 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, current->payload[k].payload_type = payload_type; current->payload[k].payload_size = payload_size; + current->payload_count++; CHECK(FUNC(sei_payload)(ctx, rw, ¤t->payload[k], prefix)); if (!cbs_h2645_read_more_rbsp_data(rw)) @@ -2194,7 +2199,6 @@ static int FUNC(sei)(CodedBitstreamContext *ctx, RWContext *rw, "SEI message: found %d.\n", k); return AVERROR_INVALIDDATA; } - current->payload_count = k + 1; #else for (k = 0; k < current->payload_count; k++) { PutBitContext start_state; diff --git a/libavcodec/cbs_internal.h b/libavcodec/cbs_internal.h index dd4babf092..4c5a535ca6 100644 --- a/libavcodec/cbs_internal.h +++ b/libavcodec/cbs_internal.h @@ -44,9 +44,11 @@ typedef struct CodedBitstreamType { int (*read_unit)(CodedBitstreamContext *ctx, CodedBitstreamUnit *unit); - // Write the unit->data bitstream from unit->content. + // Write the data bitstream from unit->content into pbc. + // Return value AVERROR(ENOSPC) indicates that pbc was too small. int (*write_unit)(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit); + CodedBitstreamUnit *unit, + PutBitContext *pbc); // Read the data from all of frag->units and assemble it into // a bitstream for the whole fragment. diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index 83857bbba2..13eb6df3ca 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -45,7 +45,7 @@ #define FUNC(name) cbs_jpeg_read_ ## name #define xu(width, name, range_min, range_max, subs, ...) do { \ - uint32_t value = range_min; \ + uint32_t value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ @@ -148,15 +148,15 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, if (marker == JPEG_MARKER_EOI) { break; } else if (marker == JPEG_MARKER_SOS) { + next_marker = -1; + end = start; for (i = start; i + 1 < frag->data_size; i++) { if (frag->data[i] != 0xff) continue; end = i; for (++i; i + 1 < frag->data_size && frag->data[i] == 0xff; i++); - if (i + 1 >= frag->data_size) { - next_marker = -1; - } else { + if (i + 1 < frag->data_size) { if (frag->data[i] == 0x00) continue; next_marker = frag->data[i]; @@ -166,13 +166,13 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, } } else { i = start; - if (i + 2 > frag->data_size) { + if (i > frag->data_size - 2) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker.\n", marker); return AVERROR_INVALIDDATA; } length = AV_RB16(frag->data + i); - if (i + length > frag->data_size) { + if (length > frag->data_size - i) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker segment.\n", marker); return AVERROR_INVALIDDATA; @@ -197,6 +197,9 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, if (marker == JPEG_MARKER_SOS) { length = AV_RB16(frag->data + start); + if (length > end - start) + return AVERROR_INVALIDDATA; + data_ref = NULL; data = av_malloc(end - start + AV_INPUT_BUFFER_PADDING_SIZE); @@ -377,58 +380,13 @@ static int cbs_jpeg_write_segment(CodedBitstreamContext *ctx, } static int cbs_jpeg_write_unit(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit) + CodedBitstreamUnit *unit, + PutBitContext *pbc) { - CodedBitstreamJPEGContext *priv = ctx->priv_data; - PutBitContext pbc; - int err; - - if (!priv->write_buffer) { - // Initial write buffer size is 1MB. - priv->write_buffer_size = 1024 * 1024; - - reallocate_and_try_again: - err = av_reallocp(&priv->write_buffer, priv->write_buffer_size); - if (err < 0) { - av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " - "sufficiently large write buffer (last attempt " - "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); - return err; - } - } - - init_put_bits(&pbc, priv->write_buffer, priv->write_buffer_size); - if (unit->type == JPEG_MARKER_SOS) - err = cbs_jpeg_write_scan(ctx, unit, &pbc); + return cbs_jpeg_write_scan (ctx, unit, pbc); else - err = cbs_jpeg_write_segment(ctx, unit, &pbc); - - if (err == AVERROR(ENOSPC)) { - // Overflow. - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } - if (err < 0) { - // Write failed for some other reason. - return err; - } - - if (put_bits_count(&pbc) % 8) - unit->data_bit_padding = 8 - put_bits_count(&pbc) % 8; - else - unit->data_bit_padding = 0; - - unit->data_size = (put_bits_count(&pbc) + 7) / 8; - flush_put_bits(&pbc); - - err = ff_cbs_alloc_unit_data(ctx, unit, unit->data_size); - if (err < 0) - return err; - - memcpy(unit->data, priv->write_buffer, unit->data_size); - - return 0; + return cbs_jpeg_write_segment(ctx, unit, pbc); } static int cbs_jpeg_assemble_fragment(CodedBitstreamContext *ctx, @@ -499,22 +457,11 @@ static int cbs_jpeg_assemble_fragment(CodedBitstreamContext *ctx, return 0; } -static void cbs_jpeg_close(CodedBitstreamContext *ctx) -{ - CodedBitstreamJPEGContext *priv = ctx->priv_data; - - av_freep(&priv->write_buffer); -} - const CodedBitstreamType ff_cbs_type_jpeg = { .codec_id = AV_CODEC_ID_MJPEG, - .priv_data_size = sizeof(CodedBitstreamJPEGContext), - .split_fragment = &cbs_jpeg_split_fragment, .read_unit = &cbs_jpeg_read_unit, .write_unit = &cbs_jpeg_write_unit, .assemble_fragment = &cbs_jpeg_assemble_fragment, - - .close = &cbs_jpeg_close, }; diff --git a/libavcodec/cbs_jpeg.h b/libavcodec/cbs_jpeg.h index 913d3f90f6..ff1961106f 100644 --- a/libavcodec/cbs_jpeg.h +++ b/libavcodec/cbs_jpeg.h @@ -120,11 +120,4 @@ typedef struct JPEGRawComment { } JPEGRawComment; -typedef struct CodedBitstreamJPEGContext { - // Write buffer. - uint8_t *write_buffer; - size_t write_buffer_size; -} CodedBitstreamJPEGContext; - - #endif /* AVCODEC_CBS_JPEG_H */ diff --git a/libavcodec/cbs_jpeg_syntax_template.c b/libavcodec/cbs_jpeg_syntax_template.c index d3cd9ff62e..6eda56d623 100644 --- a/libavcodec/cbs_jpeg_syntax_template.c +++ b/libavcodec/cbs_jpeg_syntax_template.c @@ -89,6 +89,8 @@ static int FUNC(huffman_table)(CodedBitstreamContext *ctx, RWContext *rw, ij = 0; for (i = 0; i < 16; i++) { for (j = 0; j < current->L[i]; j++) { + if (ij >= 224) + return AVERROR_INVALIDDATA; us(8, V[ij], ij, 0, 255); ++ij; } @@ -108,6 +110,9 @@ static int FUNC(dht)(CodedBitstreamContext *ctx, RWContext *rw, n = 2; for (i = 0; n < current->Lh; i++) { + if (i >= 8) + return AVERROR_INVALIDDATA; + CHECK(FUNC(huffman_table)(ctx, rw, ¤t->table[i])); ++n; diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c index cb202f835b..c6d0db819e 100644 --- a/libavcodec/cbs_mpeg2.c +++ b/libavcodec/cbs_mpeg2.c @@ -48,17 +48,26 @@ xui(width, name, current->name, 0, MAX_UINT_BITS(width), subs, __VA_ARGS__) #define uirs(width, name, subs, ...) \ xui(width, name, current->name, 1, MAX_UINT_BITS(width), subs, __VA_ARGS__) +#define xui(width, name, var, range_min, range_max, subs, ...) \ + xuia(width, #name, var, range_min, range_max, subs, __VA_ARGS__) #define sis(width, name, subs, ...) \ xsi(width, name, current->name, subs, __VA_ARGS__) +#define marker_bit() \ + bit("marker_bit", 1) +#define bit(string, value) do { \ + av_unused uint32_t bit = value; \ + xuia(1, string, bit, value, value, 0); \ + } while (0) + #define READ #define READWRITE read #define RWContext GetBitContext -#define xui(width, name, var, range_min, range_max, subs, ...) do { \ - uint32_t value = 0; \ - CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ +#define xuia(width, string, var, range_min, range_max, subs, ...) do { \ + uint32_t value; \ + CHECK(ff_cbs_read_unsigned(ctx, rw, width, string, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, range_min, range_max)); \ var = value; \ @@ -73,32 +82,31 @@ var = value; \ } while (0) -#define marker_bit() do { \ - av_unused uint32_t one; \ - CHECK(ff_cbs_read_unsigned(ctx, rw, 1, "marker_bit", NULL, &one, 1, 1)); \ - } while (0) - #define nextbits(width, compare, var) \ (get_bits_left(rw) >= width && \ (var = show_bits(rw, width)) == (compare)) +#define infer(name, value) do { \ + current->name = value; \ + } while (0) + #include "cbs_mpeg2_syntax_template.c" #undef READ #undef READWRITE #undef RWContext -#undef xui +#undef xuia #undef xsi -#undef marker_bit #undef nextbits +#undef infer #define WRITE #define READWRITE write #define RWContext PutBitContext -#define xui(width, name, var, range_min, range_max, subs, ...) do { \ - CHECK(ff_cbs_write_unsigned(ctx, rw, width, #name, \ +#define xuia(width, string, var, range_min, range_max, subs, ...) do { \ + CHECK(ff_cbs_write_unsigned(ctx, rw, width, string, \ SUBSCRIPTS(subs, __VA_ARGS__), \ var, range_min, range_max)); \ } while (0) @@ -110,23 +118,35 @@ MAX_INT_BITS(width))); \ } while (0) -#define marker_bit() do { \ - CHECK(ff_cbs_write_unsigned(ctx, rw, 1, "marker_bit", NULL, 1, 1, 1)); \ - } while (0) - #define nextbits(width, compare, var) (var) +#define infer(name, value) do { \ + if (current->name != (value)) { \ + av_log(ctx->log_ctx, AV_LOG_WARNING, "Warning: " \ + "%s does not match inferred value: " \ + "%"PRId64", but should be %"PRId64".\n", \ + #name, (int64_t)current->name, (int64_t)(value)); \ + } \ + } while (0) + #include "cbs_mpeg2_syntax_template.c" #undef WRITE #undef READWRITE #undef RWContext -#undef xui +#undef xuia #undef xsi -#undef marker_bit #undef nextbits +#undef infer +static void cbs_mpeg2_free_picture_header(void *unit, uint8_t *content) +{ + MPEG2RawPictureHeader *picture = (MPEG2RawPictureHeader*)content; + av_buffer_unref(&picture->extra_information_picture.extra_information_ref); + av_freep(&content); +} + static void cbs_mpeg2_free_user_data(void *unit, uint8_t *content) { MPEG2RawUserData *user = (MPEG2RawUserData*)content; @@ -137,7 +157,7 @@ static void cbs_mpeg2_free_user_data(void *unit, uint8_t *content) static void cbs_mpeg2_free_slice(void *unit, uint8_t *content) { MPEG2RawSlice *slice = (MPEG2RawSlice*)content; - av_buffer_unref(&slice->header.extra_information_ref); + av_buffer_unref(&slice->header.extra_information_slice.extra_information_ref); av_buffer_unref(&slice->data_ref); av_freep(&content); } @@ -147,41 +167,54 @@ static int cbs_mpeg2_split_fragment(CodedBitstreamContext *ctx, int header) { const uint8_t *start, *end; - uint8_t *unit_data; - uint32_t start_code = -1, next_start_code = -1; + CodedBitstreamUnitType unit_type; + uint32_t start_code = -1; size_t unit_size; - int err, i, unit_type; + int err, i, final = 0; start = avpriv_find_start_code(frag->data, frag->data + frag->data_size, &start_code); - for (i = 0;; i++) { - end = avpriv_find_start_code(start, frag->data + frag->data_size, - &next_start_code); + if (start_code >> 8 != 0x000001) { + // No start code found. + return AVERROR_INVALIDDATA; + } + for (i = 0;; i++) { unit_type = start_code & 0xff; - // The start and end pointers point at to the byte following the - // start_code_identifier in the start code that they found. - if (end == frag->data + frag->data_size) { - // We didn't find a start code, so this is the final unit. - unit_size = end - (start - 1); - } else { - // Unit runs from start to the beginning of the start code - // pointed to by end (including any padding zeroes). - unit_size = (end - 4) - (start - 1); + if (start == frag->data + frag->data_size) { + // The last four bytes form a start code which constitutes + // a unit of its own. In this situation avpriv_find_start_code + // won't modify start_code at all so modify start_code so that + // the next unit will be treated as the last unit. + start_code = 0; } - unit_data = (uint8_t *)start - 1; + end = avpriv_find_start_code(start--, frag->data + frag->data_size, + &start_code); - err = ff_cbs_insert_unit_data(ctx, frag, i, unit_type, - unit_data, unit_size, frag->data_ref); + // start points to the byte containing the start_code_identifier + // (may be the last byte of fragment->data); end points to the byte + // following the byte containing the start code identifier (or to + // the end of fragment->data). + if (start_code >> 8 == 0x000001) { + // Unit runs from start to the beginning of the start code + // pointed to by end (including any padding zeroes). + unit_size = (end - 4) - start; + } else { + // We didn't find a start code, so this is the final unit. + unit_size = end - start; + final = 1; + } + + err = ff_cbs_insert_unit_data(ctx, frag, i, unit_type, (uint8_t*)start, + unit_size, frag->data_ref); if (err < 0) return err; - if (end == frag->data + frag->data_size) + if (final) break; - start_code = next_start_code; start = end; } @@ -240,7 +273,7 @@ static int cbs_mpeg2_read_unit(CodedBitstreamContext *ctx, } \ break; START(MPEG2_START_PICTURE, MPEG2RawPictureHeader, - picture_header, NULL); + picture_header, &cbs_mpeg2_free_picture_header); START(MPEG2_START_USER_DATA, MPEG2RawUserData, user_data, &cbs_mpeg2_free_user_data); START(MPEG2_START_SEQUENCE_HEADER, MPEG2RawSequenceHeader, @@ -249,6 +282,8 @@ static int cbs_mpeg2_read_unit(CodedBitstreamContext *ctx, extension_data, NULL); START(MPEG2_START_GROUP, MPEG2RawGroupOfPicturesHeader, group_of_pictures_header, NULL); + START(MPEG2_START_SEQUENCE_END, MPEG2RawSequenceEnd, + sequence_end, NULL); #undef START default: return AVERROR(ENOSYS); @@ -275,6 +310,7 @@ static int cbs_mpeg2_write_header(CodedBitstreamContext *ctx, START(MPEG2_START_EXTENSION, MPEG2RawExtensionData, extension_data); START(MPEG2_START_GROUP, MPEG2RawGroupOfPicturesHeader, group_of_pictures_header); + START(MPEG2_START_SEQUENCE_END, MPEG2RawSequenceEnd, sequence_end); #undef START default: av_log(ctx->log_ctx, AV_LOG_ERROR, "Write unimplemented for start " @@ -301,7 +337,7 @@ static int cbs_mpeg2_write_slice(CodedBitstreamContext *ctx, uint8_t *pos = slice->data + slice->data_bit_start / 8; av_assert0(slice->data_bit_start >= 0 && - 8 * slice->data_size > slice->data_bit_start); + slice->data_size > slice->data_bit_start / 8); if (slice->data_size * 8 + 8 > put_bits_left(pbc)) return AVERROR(ENOSPC); @@ -335,58 +371,13 @@ static int cbs_mpeg2_write_slice(CodedBitstreamContext *ctx, } static int cbs_mpeg2_write_unit(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit) + CodedBitstreamUnit *unit, + PutBitContext *pbc) { - CodedBitstreamMPEG2Context *priv = ctx->priv_data; - PutBitContext pbc; - int err; - - if (!priv->write_buffer) { - // Initial write buffer size is 1MB. - priv->write_buffer_size = 1024 * 1024; - - reallocate_and_try_again: - err = av_reallocp(&priv->write_buffer, priv->write_buffer_size); - if (err < 0) { - av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " - "sufficiently large write buffer (last attempt " - "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); - return err; - } - } - - init_put_bits(&pbc, priv->write_buffer, priv->write_buffer_size); - if (MPEG2_START_IS_SLICE(unit->type)) - err = cbs_mpeg2_write_slice(ctx, unit, &pbc); + return cbs_mpeg2_write_slice (ctx, unit, pbc); else - err = cbs_mpeg2_write_header(ctx, unit, &pbc); - - if (err == AVERROR(ENOSPC)) { - // Overflow. - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } - if (err < 0) { - // Write failed for some other reason. - return err; - } - - if (put_bits_count(&pbc) % 8) - unit->data_bit_padding = 8 - put_bits_count(&pbc) % 8; - else - unit->data_bit_padding = 0; - - unit->data_size = (put_bits_count(&pbc) + 7) / 8; - flush_put_bits(&pbc); - - err = ff_cbs_alloc_unit_data(ctx, unit, unit->data_size); - if (err < 0) - return err; - - memcpy(unit->data, priv->write_buffer, unit->data_size); - - return 0; + return cbs_mpeg2_write_header(ctx, unit, pbc); } static int cbs_mpeg2_assemble_fragment(CodedBitstreamContext *ctx, @@ -426,13 +417,6 @@ static int cbs_mpeg2_assemble_fragment(CodedBitstreamContext *ctx, return 0; } -static void cbs_mpeg2_close(CodedBitstreamContext *ctx) -{ - CodedBitstreamMPEG2Context *priv = ctx->priv_data; - - av_freep(&priv->write_buffer); -} - const CodedBitstreamType ff_cbs_type_mpeg2 = { .codec_id = AV_CODEC_ID_MPEG2VIDEO, @@ -442,6 +426,4 @@ const CodedBitstreamType ff_cbs_type_mpeg2 = { .read_unit = &cbs_mpeg2_read_unit, .write_unit = &cbs_mpeg2_write_unit, .assemble_fragment = &cbs_mpeg2_assemble_fragment, - - .close = &cbs_mpeg2_close, }; diff --git a/libavcodec/cbs_mpeg2.h b/libavcodec/cbs_mpeg2.h index 11f93b9df8..5bcafd09f0 100644 --- a/libavcodec/cbs_mpeg2.h +++ b/libavcodec/cbs_mpeg2.h @@ -114,6 +114,12 @@ typedef struct MPEG2RawGroupOfPicturesHeader { uint8_t broken_link; } MPEG2RawGroupOfPicturesHeader; +typedef struct MPEG2RawExtraInformation { + uint8_t *extra_information; + AVBufferRef *extra_information_ref; + size_t extra_information_length; +} MPEG2RawExtraInformation; + typedef struct MPEG2RawPictureHeader { uint8_t picture_start_code; @@ -126,7 +132,7 @@ typedef struct MPEG2RawPictureHeader { uint8_t full_pel_backward_vector; uint8_t backward_f_code; - uint8_t extra_bit_picture; + MPEG2RawExtraInformation extra_information_picture; } MPEG2RawPictureHeader; typedef struct MPEG2RawPictureCodingExtension { @@ -194,11 +200,7 @@ typedef struct MPEG2RawSliceHeader { uint8_t slice_picture_id_enable; uint8_t slice_picture_id; - uint8_t extra_bit_slice; - - size_t extra_information_length; - uint8_t *extra_information; - AVBufferRef *extra_information_ref; + MPEG2RawExtraInformation extra_information_slice; } MPEG2RawSliceHeader; typedef struct MPEG2RawSlice { @@ -210,6 +212,10 @@ typedef struct MPEG2RawSlice { AVBufferRef *data_ref; } MPEG2RawSlice; +typedef struct MPEG2RawSequenceEnd { + uint8_t sequence_end_code; +} MPEG2RawSequenceEnd; + typedef struct CodedBitstreamMPEG2Context { // Elements stored in headers which are required for other decoding. @@ -219,10 +225,6 @@ typedef struct CodedBitstreamMPEG2Context { uint8_t scalable_mode; uint8_t progressive_sequence; uint8_t number_of_frame_centre_offsets; - - // Write buffer. - uint8_t *write_buffer; - size_t write_buffer_size; } CodedBitstreamMPEG2Context; diff --git a/libavcodec/cbs_mpeg2_syntax_template.c b/libavcodec/cbs_mpeg2_syntax_template.c index e0cf716874..5165a14cd5 100644 --- a/libavcodec/cbs_mpeg2_syntax_template.c +++ b/libavcodec/cbs_mpeg2_syntax_template.c @@ -144,6 +144,10 @@ static int FUNC(sequence_display_extension)(CodedBitstreamContext *ctx, RWContex uir(8, transfer_characteristics); uir(8, matrix_coefficients); #endif + } else { + infer(colour_primaries, 2); + infer(transfer_characteristics, 2); + infer(matrix_coefficients, 2); } ui(14, display_horizontal_size); @@ -169,6 +173,40 @@ static int FUNC(group_of_pictures_header)(CodedBitstreamContext *ctx, RWContext return 0; } +static int FUNC(extra_information)(CodedBitstreamContext *ctx, RWContext *rw, + MPEG2RawExtraInformation *current, + const char *element_name, const char *marker_name) +{ + int err; + size_t k; +#ifdef READ + GetBitContext start = *rw; + uint8_t bit; + + for (k = 0; nextbits(1, 1, bit); k++) + skip_bits(rw, 1 + 8); + current->extra_information_length = k; + if (k > 0) { + *rw = start; + current->extra_information_ref = + av_buffer_allocz(k + AV_INPUT_BUFFER_PADDING_SIZE); + if (!current->extra_information_ref) + return AVERROR(ENOMEM); + current->extra_information = current->extra_information_ref->data; + } +#endif + + for (k = 0; k < current->extra_information_length; k++) { + bit(marker_name, 1); + xuia(8, element_name, + current->extra_information[k], 0, 255, 1, k); + } + + bit(marker_name, 0); + + return 0; +} + static int FUNC(picture_header)(CodedBitstreamContext *ctx, RWContext *rw, MPEG2RawPictureHeader *current) { @@ -193,7 +231,8 @@ static int FUNC(picture_header)(CodedBitstreamContext *ctx, RWContext *rw, ui(3, backward_f_code); } - ui(1, extra_bit_picture); + CHECK(FUNC(extra_information)(ctx, rw, ¤t->extra_information_picture, + "extra_information_picture[k]", "extra_bit_picture")); return 0; } @@ -365,39 +404,22 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, ui(1, intra_slice); ui(1, slice_picture_id_enable); ui(6, slice_picture_id); - - { - size_t k; -#ifdef READ - GetBitContext start; - uint8_t bit; - start = *rw; - for (k = 0; nextbits(1, 1, bit); k++) - skip_bits(rw, 8); - current->extra_information_length = k; - if (k > 0) { - *rw = start; - current->extra_information_ref = - av_buffer_alloc(current->extra_information_length); - if (!current->extra_information_ref) - return AVERROR(ENOMEM); - current->extra_information = current->extra_information_ref->data; - for (k = 0; k < current->extra_information_length; k++) { - xui(1, extra_bit_slice, bit, 1, 1, 0); - xui(8, extra_information_slice[k], - current->extra_information[k], 0, 255, 1, k); - } - } -#else - for (k = 0; k < current->extra_information_length; k++) { - xui(1, extra_bit_slice, 1, 1, 1, 0); - xui(8, extra_information_slice[k], - current->extra_information[k], 0, 255, 1, k); - } -#endif - } } - ui(1, extra_bit_slice); + + CHECK(FUNC(extra_information)(ctx, rw, ¤t->extra_information_slice, + "extra_information_slice[k]", "extra_bit_slice")); + + return 0; +} + +static int FUNC(sequence_end)(CodedBitstreamContext *ctx, RWContext *rw, + MPEG2RawSequenceEnd *current) +{ + int err; + + HEADER("Sequence End"); + + ui(8, sequence_end_code); return 0; } diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index 5579d9b0af..1bb5898d15 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c @@ -267,14 +267,14 @@ static int cbs_vp9_write_le(CodedBitstreamContext *ctx, PutBitContext *pbc, #define RWContext GetBitContext #define xf(width, name, var, subs, ...) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ &value, 0, (1 << width) - 1)); \ var = value; \ } while (0) #define xs(width, name, var, subs, ...) do { \ - int32_t value = 0; \ + int32_t value; \ CHECK(cbs_vp9_read_s(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), &value)); \ var = value; \ @@ -282,7 +282,7 @@ static int cbs_vp9_write_le(CodedBitstreamContext *ctx, PutBitContext *pbc, #define increment(name, min, max) do { \ - uint32_t value = 0; \ + uint32_t value; \ CHECK(cbs_vp9_read_increment(ctx, rw, min, max, #name, &value)); \ current->name = value; \ } while (0) @@ -315,7 +315,7 @@ static int cbs_vp9_write_le(CodedBitstreamContext *ctx, PutBitContext *pbc, } while (0) #define fixed(width, name, value) do { \ - av_unused uint32_t fixed_value = value; \ + av_unused uint32_t fixed_value; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ 0, &fixed_value, value, value)); \ } while (0) @@ -416,11 +416,14 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, uint8_t superframe_header; int err; + if (frag->data_size == 0) + return AVERROR_INVALIDDATA; + // Last byte in the packet. superframe_header = frag->data[frag->data_size - 1]; if ((superframe_header & 0xe0) == 0xc0) { - VP9RawSuperframeIndex sfi; + VP9RawSuperframeIndex sfi = {0}; GetBitContext gbc; size_t index_size, pos; int i; @@ -428,6 +431,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, index_size = 2 + (((superframe_header & 0x18) >> 3) + 1) * ((superframe_header & 0x07) + 1); + if (index_size > frag->data_size) + return AVERROR_INVALIDDATA; + err = init_get_bits(&gbc, frag->data + frag->data_size - index_size, 8 * index_size); if (err < 0) @@ -522,62 +528,28 @@ static int cbs_vp9_read_unit(CodedBitstreamContext *ctx, } static int cbs_vp9_write_unit(CodedBitstreamContext *ctx, - CodedBitstreamUnit *unit) + CodedBitstreamUnit *unit, + PutBitContext *pbc) { - CodedBitstreamVP9Context *priv = ctx->priv_data; VP9RawFrame *frame = unit->content; - PutBitContext pbc; int err; - if (!priv->write_buffer) { - // Initial write buffer size is 1MB. - priv->write_buffer_size = 1024 * 1024; - - reallocate_and_try_again: - err = av_reallocp(&priv->write_buffer, priv->write_buffer_size); - if (err < 0) { - av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " - "sufficiently large write buffer (last attempt " - "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); - return err; - } - } - - init_put_bits(&pbc, priv->write_buffer, priv->write_buffer_size); - - err = cbs_vp9_write_frame(ctx, &pbc, frame); - if (err == AVERROR(ENOSPC)) { - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } + err = cbs_vp9_write_frame(ctx, pbc, frame); if (err < 0) return err; // Frame must be byte-aligned. - av_assert0(put_bits_count(&pbc) % 8 == 0); - - unit->data_size = put_bits_count(&pbc) / 8; - unit->data_bit_padding = 0; - flush_put_bits(&pbc); + av_assert0(put_bits_count(pbc) % 8 == 0); if (frame->data) { - if (unit->data_size + frame->data_size > - priv->write_buffer_size) { - priv->write_buffer_size *= 2; - goto reallocate_and_try_again; - } + if (frame->data_size > put_bits_left(pbc) / 8) + return AVERROR(ENOSPC); - memcpy(priv->write_buffer + unit->data_size, - frame->data, frame->data_size); - unit->data_size += frame->data_size; + flush_put_bits(pbc); + memcpy(put_bits_ptr(pbc), frame->data, frame->data_size); + skip_put_bytes(pbc, frame->data_size); } - err = ff_cbs_alloc_unit_data(ctx, unit, unit->data_size); - if (err < 0) - return err; - - memcpy(unit->data, priv->write_buffer, unit->data_size); - return 0; } @@ -671,13 +643,6 @@ static int cbs_vp9_assemble_fragment(CodedBitstreamContext *ctx, return 0; } -static void cbs_vp9_close(CodedBitstreamContext *ctx) -{ - CodedBitstreamVP9Context *priv = ctx->priv_data; - - av_freep(&priv->write_buffer); -} - const CodedBitstreamType ff_cbs_type_vp9 = { .codec_id = AV_CODEC_ID_VP9, @@ -687,6 +652,4 @@ const CodedBitstreamType ff_cbs_type_vp9 = { .read_unit = &cbs_vp9_read_unit, .write_unit = &cbs_vp9_write_unit, .assemble_fragment = &cbs_vp9_assemble_fragment, - - .close = &cbs_vp9_close, }; diff --git a/libavcodec/cbs_vp9.h b/libavcodec/cbs_vp9.h index 4c9b2f880d..40e62476ed 100644 --- a/libavcodec/cbs_vp9.h +++ b/libavcodec/cbs_vp9.h @@ -207,10 +207,6 @@ typedef struct CodedBitstreamVP9Context { int bit_depth; VP9ReferenceFrameState ref[VP9_NUM_REF_FRAMES]; - - // Write buffer. - uint8_t *write_buffer; - size_t write_buffer_size; } CodedBitstreamVP9Context; diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index cf3f01a417..1341669a34 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -239,7 +239,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data, for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++) memcpy(out + FFMAX(0, hinc) + stride * y, in + FFMAX(0, hinc) - hinc + (y - vinc) * stride, - FFMIN(stride + hinc, stride)); + FFABS(stride) - FFABS(hinc)); if (vinc > 0) cdg_fill_wrapper(0, 0, out, diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c index fafedd99a3..40ff7427df 100644 --- a/libavcodec/celp_filters.c +++ b/libavcodec/celp_filters.c @@ -65,11 +65,11 @@ int ff_celp_lp_synthesis_filter(int16_t *out, const int16_t *filter_coeffs, int i,n; for (n = 0; n < buffer_length; n++) { - int sum = -rounder, sum1; + int sum = rounder, sum1; for (i = 1; i <= filter_length; i++) - sum += (unsigned)(filter_coeffs[i-1] * out[n-i]); + sum -= (unsigned)(filter_coeffs[i-1] * out[n-i]); - sum1 = ((-sum >> 12) + in[n]) >> shift; + sum1 = ((sum >> 12) + in[n]) >> shift; sum = av_clip_int16(sum1); if (stop_on_overflow && sum != sum1) diff --git a/libavcodec/celp_math.h b/libavcodec/celp_math.h index 18888a425d..99a0470719 100644 --- a/libavcodec/celp_math.h +++ b/libavcodec/celp_math.h @@ -78,7 +78,7 @@ int64_t ff_dot_product(const int16_t *a, const int16_t *b, int length); * * @return value << offset, if offset>=0; value >> -offset - otherwise */ -static inline int bidir_sal(int value, int offset) +static inline unsigned bidir_sal(unsigned value, int offset) { if(offset < 0) return value >> -offset; else return value << offset; diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 49a5a2c30a..7595c10887 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -444,6 +444,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, avpriv_report_missing_feature(avctx, "Transform type of %"PRIu16, data); ret = AVERROR_PATCHWELCOME; break; + } else if (data == 1) { + av_log(avctx, AV_LOG_ERROR, "unsupported transform type\n"); + ret = AVERROR_PATCHWELCOME; + break; } av_log(avctx, AV_LOG_DEBUG, "Transform-type? %"PRIu16"\n", data); } else if (abstag >= 0x4000 && abstag <= 0x40ff) { @@ -546,6 +550,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->peak.level = 0; } else if (tag == -74 && s->peak.offset) { s->peak.level = data; + if (s->peak.offset < 4 - bytestream2_tell(&s->peak.base) || + s->peak.offset > 4 + bytestream2_get_bytes_left(&s->peak.base) + ) { + ret = AVERROR_INVALIDDATA; + goto end; + } bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR); } else av_log(avctx, AV_LOG_DEBUG, "Unknown tag %i data %x\n", tag, data); diff --git a/libavcodec/cinepakenc.c b/libavcodec/cinepakenc.c index 93917fafe8..6024df0fba 100644 --- a/libavcodec/cinepakenc.c +++ b/libavcodec/cinepakenc.c @@ -544,8 +544,9 @@ static int encode_mode(CinepakEncContext *s, int h, uint8_t *last_data[4], int last_linesize[4], strip_info *info, unsigned char *buf) { - int x, y, z, flags, bits, temp_size, header_ofs, ret = 0, mb_count = s->w * h / MB_AREA; + int x, y, z, bits, temp_size, header_ofs, ret = 0, mb_count = s->w * h / MB_AREA; int needs_extra_bit, should_write_temp; + uint32_t flags; unsigned char temp[64]; // 32/2 = 16 V4 blocks at 4 B each -> 64 B mb_info *mb; uint8_t *sub_scratch_data[4] = { 0 }, *sub_last_data[4] = { 0 }; @@ -599,7 +600,7 @@ static int encode_mode(CinepakEncContext *s, int h, flags = 0; for (y = x; y < FFMIN(x + 32, mb_count); y++) if (s->mb[y].best_encoding == ENC_V4) - flags |= 1 << (31 - y + x); + flags |= 1U << (31 - y + x); AV_WB32(&buf[ret], flags); ret += 4; @@ -626,13 +627,13 @@ static int encode_mode(CinepakEncContext *s, int h, for (x = 0; x < mb_count; x++) { mb = &s->mb[x]; - flags |= (mb->best_encoding != ENC_SKIP) << (31 - bits++); + flags |= (uint32_t)(mb->best_encoding != ENC_SKIP) << (31 - bits++); needs_extra_bit = 0; should_write_temp = 0; if (mb->best_encoding != ENC_SKIP) { if (bits < 32) - flags |= (mb->best_encoding == ENC_V4) << (31 - bits++); + flags |= (uint32_t)(mb->best_encoding == ENC_V4) << (31 - bits++); else needs_extra_bit = 1; } @@ -651,7 +652,7 @@ static int encode_mode(CinepakEncContext *s, int h, } if (needs_extra_bit) { - flags = (mb->best_encoding == ENC_V4) << 31; + flags = (uint32_t)(mb->best_encoding == ENC_V4) << 31; bits = 1; } diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 82df8f3752..6f6af2edc6 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -665,8 +665,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx) } c->tile_shift = av_log2(c->tile_size); - if (1 << c->tile_shift != c->tile_size) { - av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size); + if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1 || c->tile_shift > 30) { + av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1 and < 2^31\n", c->tile_size); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index 43b96fea1b..747ab49cd0 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -173,7 +173,7 @@ AVCodec ff_comfortnoise_decoder = { .close = cng_decode_close, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, - .capabilities = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_DR1, + .capabilities = AV_CODEC_CAP_DR1, .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, }; diff --git a/libavcodec/cook.c b/libavcodec/cook.c index c5f68c98ba..451eef9609 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -143,7 +143,7 @@ typedef struct cook { /* generate tables and related variables */ int gain_size_factor; - float gain_table[23]; + float gain_table[31]; /* data buffers */ @@ -185,8 +185,8 @@ static av_cold void init_gain_table(COOKContext *q) { int i; q->gain_size_factor = q->samples_per_channel / 8; - for (i = 0; i < 23; i++) - q->gain_table[i] = pow(pow2tab[i + 52], + for (i = 0; i < 31; i++) + q->gain_table[i] = pow(pow2tab[i + 48], (1.0 / (double) q->gain_size_factor)); } @@ -670,7 +670,7 @@ static void interpolate_float(COOKContext *q, float *buffer, for (i = 0; i < q->gain_size_factor; i++) buffer[i] *= fc1; } else { // smooth gain - fc2 = q->gain_table[11 + (gain_index_next - gain_index)]; + fc2 = q->gain_table[15 + (gain_index_next - gain_index)]; for (i = 0; i < q->gain_size_factor; i++) { buffer[i] *= fc1; fc1 *= fc2; @@ -759,7 +759,7 @@ static int decouple_info(COOKContext *q, COOKSubpacket *p, int *decouple_tab) for (i = 0; i < length; i++) decouple_tab[start + i] = get_vlc2(&q->gb, p->channel_coupling.table, - p->channel_coupling.bits, 2); + p->channel_coupling.bits, 3); else for (i = 0; i < length; i++) { int v = get_bits(&q->gb, p->js_vlc_bits); @@ -1075,12 +1075,19 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + if (avctx->block_align >= INT_MAX / 8) + return AVERROR(EINVAL); + /* Initialize RNG. */ av_lfg_init(&q->random_state, 0); ff_audiodsp_init(&q->adsp); while (bytestream2_get_bytes_left(&gb)) { + if (s >= FFMIN(MAX_SUBPACKETS, avctx->block_align)) { + avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); + return AVERROR_PATCHWELCOME; + } /* 8 for mono, 16 for stereo, ? for multichannel Swap to right endianness so we don't need to care later on. */ q->subpacket[s].cookversion = bytestream2_get_be32(&gb); @@ -1212,11 +1219,16 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->num_subpackets++; s++; - if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) { - avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); - return AVERROR_PATCHWELCOME; - } } + + /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ + if (q->samples_per_channel != 256 && q->samples_per_channel != 512 && + q->samples_per_channel != 1024) { + avpriv_request_sample(avctx, "samples_per_channel = %d", + q->samples_per_channel); + return AVERROR_PATCHWELCOME; + } + /* Generate tables */ init_pow2table(); init_gain_table(q); @@ -1225,10 +1237,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) if ((ret = init_cook_vlc_tables(q))) return ret; - - if (avctx->block_align >= UINT_MAX / 2) - return AVERROR(EINVAL); - /* Pad the databuffer with: DECODE_BYTES_PAD1 or DECODE_BYTES_PAD2 for decode_bytes(), AV_INPUT_BUFFER_PADDING_SIZE, for the bitstreamreader. */ @@ -1252,14 +1260,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->saturate_output = saturate_output_float; } - /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ - if (q->samples_per_channel != 256 && q->samples_per_channel != 512 && - q->samples_per_channel != 1024) { - avpriv_request_sample(avctx, "samples_per_channel = %d", - q->samples_per_channel); - return AVERROR_PATCHWELCOME; - } - avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (channel_mask) avctx->channel_layout = channel_mask; diff --git a/libavcodec/cpia.c b/libavcodec/cpia.c index f6d7332606..1be47cf5d2 100644 --- a/libavcodec/cpia.c +++ b/libavcodec/cpia.c @@ -111,6 +111,7 @@ static int cpia_decode_frame(AVCodecContext *avctx, // Read line length, two byte little endian linelength = AV_RL16(src); src += 2; + src_size -= 2; if (src_size < linelength) { frame->decode_error_flags = FF_DECODE_ERROR_INVALID_BITSTREAM; diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 8781df110c..af7284ccfb 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -71,6 +71,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int buf_size = avpkt->size; CamStudioContext *c = avctx->priv_data; int ret; + int bpp = avctx->bits_per_coded_sample / 8; + int bugdelta = FFALIGN(avctx->width * bpp, 4) * avctx->height + - (avctx->width & ~3) * bpp * avctx->height; if (buf_size < 2) { av_log(avctx, AV_LOG_ERROR, "coded frame too small\n"); @@ -84,7 +87,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) { + if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || (outlen && outlen != bugdelta)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; } @@ -93,7 +96,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; - if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) { + if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || (dlen != c->decomp_size && dlen != c->decomp_size - bugdelta)) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/cuviddec.c b/libavcodec/cuviddec.c index acee78cf2c..9e524822c3 100644 --- a/libavcodec/cuviddec.c +++ b/libavcodec/cuviddec.c @@ -90,7 +90,7 @@ typedef struct CuvidContext CUVIDDECODECAPS caps8, caps10, caps12; CUVIDPARSERPARAMS cuparseinfo; - CUVIDEOFORMATEX cuparse_ext; + CUVIDEOFORMATEX *cuparse_ext; CudaFunctions *cudl; CuvidFunctions *cvdl; @@ -714,6 +714,7 @@ static av_cold int cuvid_decode_end(AVCodecContext *avctx) av_buffer_unref(&ctx->hwdevice); av_freep(&ctx->key_frame); + av_freep(&ctx->cuparse_ext); cuvid_free_functions(&ctx->cvdl); @@ -824,6 +825,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) CUcontext cuda_ctx = NULL; CUcontext dummy; const AVBitStreamFilter *bsf; + uint8_t *extradata; + int extradata_size; int ret = 0; enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA, @@ -920,11 +923,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) ctx->cudl = device_hwctx->internal->cuda_dl; memset(&ctx->cuparseinfo, 0, sizeof(ctx->cuparseinfo)); - memset(&ctx->cuparse_ext, 0, sizeof(ctx->cuparse_ext)); memset(&seq_pkt, 0, sizeof(seq_pkt)); - ctx->cuparseinfo.pExtVideoInfo = &ctx->cuparse_ext; - switch (avctx->codec->id) { #if CONFIG_H264_CUVID_DECODER case AV_CODEC_ID_H264: @@ -994,17 +994,26 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) goto error; } - ctx->cuparse_ext.format.seqhdr_data_length = ctx->bsf->par_out->extradata_size; - memcpy(ctx->cuparse_ext.raw_seqhdr_data, - ctx->bsf->par_out->extradata, - FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), ctx->bsf->par_out->extradata_size)); - } else if (avctx->extradata_size > 0) { - ctx->cuparse_ext.format.seqhdr_data_length = avctx->extradata_size; - memcpy(ctx->cuparse_ext.raw_seqhdr_data, - avctx->extradata, - FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), avctx->extradata_size)); + extradata = ctx->bsf->par_out->extradata; + extradata_size = ctx->bsf->par_out->extradata_size; + } else { + extradata = avctx->extradata; + extradata_size = avctx->extradata_size; } + ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext) + + FFMAX(extradata_size - (int)sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); + if (!ctx->cuparse_ext) { + ret = AVERROR(ENOMEM); + goto error; + } + + if (extradata_size > 0) + memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + ctx->cuparse_ext->format.seqhdr_data_length = extradata_size; + + ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext; + ctx->key_frame = av_mallocz(ctx->nb_surfaces * sizeof(int)); if (!ctx->key_frame) { ret = AVERROR(ENOMEM); @@ -1033,8 +1042,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) if (ret < 0) goto error; - seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data; - seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length; + seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data; + seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length; if (seq_pkt.payload && seq_pkt.payload_size) { ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt)); @@ -1093,8 +1102,8 @@ static void cuvid_flush(AVCodecContext *avctx) if (ret < 0) goto error; - seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data; - seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length; + seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data; + seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length; if (seq_pkt.payload && seq_pkt.payload_size) { ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt)); diff --git a/libavcodec/dca_lbr.c b/libavcodec/dca_lbr.c index 3b50a99cf6..747fdafd3e 100644 --- a/libavcodec/dca_lbr.c +++ b/libavcodec/dca_lbr.c @@ -154,7 +154,7 @@ static int parse_lfe_24(DCALbrDecoder *s) step_i = get_bits(&s->gb, 8); if (step_i > step_max) { av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n"); - return -1; + return AVERROR_INVALIDDATA; } step = ff_dca_lfe_step_size_24[step_i]; @@ -208,7 +208,7 @@ static int parse_lfe_16(DCALbrDecoder *s) step_i = get_bits(&s->gb, 8); if (step_i > step_max) { av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n"); - return -1; + return AVERROR_INVALIDDATA; } step = ff_dca_lfe_step_size_16[step_i]; @@ -246,14 +246,17 @@ static int parse_lfe_16(DCALbrDecoder *s) static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk) { + int ret; + if (!(s->flags & LBR_FLAG_LFE_PRESENT)) return 0; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Determine bit depth from chunk size if (chunk->len >= 52) @@ -262,7 +265,7 @@ static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk) return parse_lfe_16(s); av_log(s->avctx, AV_LOG_ERROR, "LFE chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } static inline int parse_vlc(GetBitContext *s, VLC *vlc, int max_depth) @@ -291,13 +294,13 @@ static int parse_tonal(DCALbrDecoder *s, int group) for (freq = 1;; freq++) { if (get_bits_left(&s->gb) < 1) { av_log(s->avctx, AV_LOG_ERROR, "Tonal group chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } diff = parse_vlc(&s->gb, &ff_dca_vlc_tnl_grp[group], 2); if (diff >= FF_ARRAY_ELEMS(ff_dca_fst_amp)) { av_log(s->avctx, AV_LOG_ERROR, "Invalid tonal frequency diff\n"); - return -1; + return AVERROR_INVALIDDATA; } diff = get_bitsz(&s->gb, diff >> 2) + ff_dca_fst_amp[diff]; @@ -307,7 +310,7 @@ static int parse_tonal(DCALbrDecoder *s, int group) freq += diff - 2; if (freq >> (5 - group) > s->nsubbands * 4 - 6) { av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n"); - return -1; + return AVERROR_INVALIDDATA; } // Main channel @@ -358,19 +361,21 @@ static int parse_tonal(DCALbrDecoder *s, int group) static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk) { - int sb, group; + int sb, group, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + + if (ret < 0) + return ret; // Scale factors if (chunk->id == LBR_CHUNK_SCF || chunk->id == LBR_CHUNK_TONAL_SCF) { if (get_bits_left(&s->gb) < 36) { av_log(s->avctx, AV_LOG_ERROR, "Tonal scale factor chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } for (sb = 0; sb < 6; sb++) s->tonal_scf[sb] = get_bits(&s->gb, 6); @@ -378,20 +383,25 @@ static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk) // Tonal groups if (chunk->id == LBR_CHUNK_TONAL || chunk->id == LBR_CHUNK_TONAL_SCF) - for (group = 0; group < 5; group++) - if (parse_tonal(s, group) < 0) - return -1; + for (group = 0; group < 5; group++) { + ret = parse_tonal(s, group); + if (ret < 0) + return ret; + } return 0; } static int parse_tonal_group(DCALbrDecoder *s, LBRChunk *chunk) { + int ret; + if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; return parse_tonal(s, chunk->id); } @@ -404,7 +414,7 @@ static int ensure_bits(GetBitContext *s, int n) { int left = get_bits_left(s); if (left < 0) - return -1; + return AVERROR_INVALIDDATA; if (left < n) { skip_bits_long(s, left); return 1; @@ -433,7 +443,7 @@ static int parse_scale_factors(DCALbrDecoder *s, uint8_t *scf) dist = parse_vlc(&s->gb, &ff_dca_vlc_rsd_apprx, 1) + 1; if (dist > 7 - sf) { av_log(s->avctx, AV_LOG_ERROR, "Invalid scale factor distance\n"); - return -1; + return AVERROR_INVALIDDATA; } if (ensure_bits(&s->gb, 20)) @@ -498,22 +508,26 @@ static int parse_st_code(GetBitContext *s, int min_v) static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { - int ch, sb, sf, nsubbands; + int ch, sb, sf, nsubbands, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Scale factors nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1; for (sb = 2; sb < nsubbands; sb++) { - if (parse_scale_factors(s, s->grid_1_scf[ch1][sb]) < 0) - return -1; - if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband - && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0) - return -1; + ret = parse_scale_factors(s, s->grid_1_scf[ch1][sb]); + if (ret < 0) + return ret; + if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband) { + ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]); + if (ret < 0) + return ret; + } } if (get_bits_left(&s->gb) < 1) @@ -532,7 +546,7 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch if (get_bits_left(&s->gb) < 0) { av_log(s->avctx, AV_LOG_ERROR, "First grid chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } // Stereo image for partial mono mode @@ -562,14 +576,16 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch static int parse_grid_1_sec_ch(DCALbrDecoder *s, int ch2) { - int sb, nsubbands; + int sb, nsubbands, ret; // Scale factors nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1; for (sb = 2; sb < nsubbands; sb++) { - if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband - && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0) - return -1; + if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband) { + ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]); + if (ret < 0) + return ret; + } } // Average values for third grid @@ -709,7 +725,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2, s->sb_indices[sb] = sb_reorder; } if (sb_reorder >= s->nsubbands) - return -1; + return AVERROR_INVALIDDATA; // Third grid scale factors if (sb == 12) { @@ -731,7 +747,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2, quant_level = s->quant_levels[ch1 / 2][sb]; if (!quant_level) - return -1; + return AVERROR_INVALIDDATA; // Time samples for one or both channels if (sb < s->max_mono_subband && sb_reorder >= s->min_mono_subband) { @@ -792,13 +808,14 @@ static int parse_lpc(DCALbrDecoder *s, int ch1, int ch2, int start_sb, int end_s static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { int quant_levels[DCA_LBR_SUBBANDS]; - int sb, ch, ol, st, max_sb, profile; + int sb, ch, ol, st, max_sb, profile, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Quantizer profile profile = get_bits(&s->gb, 8); @@ -832,18 +849,20 @@ static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int c s->quant_levels[ch1 / 2][sb] = quant_levels[sb]; // LPC for the first two subbands - if (parse_lpc(s, ch1, ch2, 0, 2) < 0) - return -1; + ret = parse_lpc(s, ch1, ch2, 0, 2); + if (ret < 0) + return ret; // Time-samples for the first two subbands of main channel - if (parse_ts(s, ch1, ch2, 0, 2, 0) < 0) - return -1; + ret = parse_ts(s, ch1, ch2, 0, 2, 0); + if (ret < 0) + return ret; // First two bands of the first grid for (sb = 0; sb < 2; sb++) for (ch = ch1; ch <= ch2; ch++) - if (parse_scale_factors(s, s->grid_1_scf[ch][sb]) < 0) - return -1; + if ((ret = parse_scale_factors(s, s->grid_1_scf[ch][sb])) < 0) + return ret; return 0; } @@ -892,39 +911,42 @@ static int parse_grid_2(DCALbrDecoder *s, int ch1, int ch2, static int parse_ts1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { + int ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; - if (parse_lpc(s, ch1, ch2, 2, 3) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 2, 4, 0) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 0, 1, 0) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 4, 6, 0) < 0) - return -1; + if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0) + return ret; + if ((ret = parse_lpc(s, ch1, ch2, 2, 3)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 2, 4, 0)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 0, 1, 0)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 4, 6, 0)) < 0) + return ret; return 0; } static int parse_ts2_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { + int ret; + if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 1, 3, 0) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0) < 0) - return -1; + if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 1, 3, 0)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0)) < 0) + return ret; if (ch1 != ch2) { - if (parse_grid_1_sec_ch(s, ch2) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 0, 3, 1) < 0) - return -1; + if ((ret = parse_grid_1_sec_ch(s, ch2)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 0, 3, 1)) < 0) + return ret; } - if (parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1) < 0) - return -1; + if ((ret = parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1)) < 0) + return ret; return 0; } @@ -932,11 +954,13 @@ static int init_sample_rate(DCALbrDecoder *s) { double scale = (-1.0 / (1 << 17)) * sqrt(1 << (2 - s->limited_range)); int i, br_per_ch = s->bit_rate_scaled / s->nchannels_total; + int ret; ff_mdct_end(&s->imdct); - if (ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale) < 0) - return -1; + ret = ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale); + if (ret < 0) + return ret; for (i = 0; i < 32 << s->freq_range; i++) s->window[i] = ff_dca_long_window[i << (2 - s->freq_range)]; @@ -975,7 +999,7 @@ static int alloc_sample_buffer(DCALbrDecoder *s) // Reallocate time sample buffer av_fast_mallocz(&s->ts_buffer, &s->ts_size, nsamples * sizeof(float)); if (!s->ts_buffer) - return -1; + return AVERROR(ENOMEM); ptr = s->ts_buffer + DCA_LBR_TIME_HISTORY; for (ch = 0; ch < s->nchannels; ch++) { @@ -1796,7 +1820,7 @@ av_cold int ff_dca_lbr_init(DCALbrDecoder *s) init_tables(); if (!(s->fdsp = avpriv_float_dsp_alloc(0))) - return -1; + return AVERROR(ENOMEM); s->lbr_rand = 1; return 0; diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c index fade1a6c02..f97874fbe6 100644 --- a/libavcodec/dcadsp.c +++ b/libavcodec/dcadsp.c @@ -328,7 +328,7 @@ static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le int i; for (i = 0; i < len; i++) - dst[i] += mul15(src[i], coeff); + dst[i] += (unsigned)mul15(src[i], coeff); } static void dmix_scale_c(int32_t *dst, int scale, ptrdiff_t len) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index f026f9cd5a..9154f692fa 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -613,6 +613,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, AVFrame *frame = data; int mipmap; int ret; + int width, height; ff_texturedsp_init(&ctx->texdsp); bytestream2_init(gbc, avpkt->data, avpkt->size); @@ -631,9 +632,9 @@ static int dds_decode(AVCodecContext *avctx, void *data, bytestream2_skip(gbc, 4); // flags - avctx->height = bytestream2_get_le32(gbc); - avctx->width = bytestream2_get_le32(gbc); - ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + height = bytestream2_get_le32(gbc); + width = bytestream2_get_le32(gbc); + ret = ff_set_dimensions(avctx, width, height); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", avctx->width, avctx->height); diff --git a/libavcodec/decode.c b/libavcodec/decode.c index 6c31166ec2..9a6c57b7b8 100644 --- a/libavcodec/decode.c +++ b/libavcodec/decode.c @@ -1910,7 +1910,8 @@ static int get_buffer_internal(AVCodecContext *avctx, AVFrame *frame, int flags) int ret; if (avctx->codec_type == AVMEDIA_TYPE_VIDEO) { - if ((ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) { + if ((unsigned)avctx->width > INT_MAX - STRIDE_ALIGN || + (ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) { av_log(avctx, AV_LOG_ERROR, "video_get_buffer: image parameters invalid\n"); return AVERROR(EINVAL); } diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 1ade44a438..8e68b4a9da 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -212,10 +212,10 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, if (parse_timing_info && pu1.prev_pu_offset >= 13) { uint8_t *cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset; - int pts = AV_RB32(cur_pu + 13); + int64_t pts = AV_RB32(cur_pu + 13); if (s->last_pts == 0 && s->last_dts == 0) s->dts = pts - 1; - else + else if (s->last_dts != AV_NOPTS_VALUE) s->dts = s->last_dts + 1; s->pts = pts; if (!avctx->has_b_frames && (cur_pu[4] & 0x03)) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 7b9e0099df..15831459a3 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1276,7 +1276,9 @@ static int dirac_unpack_idwt_params(DiracContext *s) s->num_y = get_interleaved_ue_golomb(gb); if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX || s->num_x * (uint64_t)s->avctx->width > INT_MAX || - s->num_y * (uint64_t)s->avctx->height > INT_MAX + s->num_y * (uint64_t)s->avctx->height > INT_MAX || + s->num_x > s->avctx->width || + s->num_y > s->avctx->height ) { av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); s->num_x = s->num_y = 0; @@ -1433,8 +1435,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int64_t m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index 2dd56f83f3..80dfafd78b 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -195,12 +195,12 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s { \ int i, y; \ for (y = 0; y < tot_v; y++) { \ - PX c, sign, *src_r = (PX *)src, *dst_r = (PX *)dst; \ + PX c, *src_r = (PX *)src, *dst_r = (PX *)dst; \ for (i = 0; i < tot_h; i++) { \ c = *src_r++; \ - sign = FFSIGN(c)*(!!c); \ - c = (FFABS(c)*(unsigned)qf + qs) >> 2; \ - *dst_r++ = c*sign; \ + if (c < 0) c = -((-(unsigned)c*qf + qs) >> 2); \ + else if(c > 0) c = (( (unsigned)c*qf + qs) >> 2); \ + *dst_r++ = c; \ } \ src += tot_h << (sizeof(PX) >> 1); \ dst += stride; \ diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 1e95086696..253f8d5c2f 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -111,6 +111,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx) static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) { + int ret; if (cid != ctx->cid) { int index; @@ -130,19 +131,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) ff_free_vlc(&ctx->dc_vlc); ff_free_vlc(&ctx->run_vlc); - init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, + if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ctx->cid_table->ac_bits, 1, 1, - ctx->cid_table->ac_codes, 2, 2, 0); - init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, + ctx->cid_table->ac_codes, 2, 2, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, ctx->cid_table->dc_bits, 1, 1, - ctx->cid_table->dc_codes, 1, 1, 0); - init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, + ctx->cid_table->dc_codes, 1, 1, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, ctx->cid_table->run_bits, 1, 1, - ctx->cid_table->run_codes, 2, 2, 0); + ctx->cid_table->run_codes, 2, 2, 0)) < 0) + goto out; ctx->cid = cid; } - return 0; + ret = 0; +out: + if (ret < 0) + av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n"); + return ret; } static av_cold int dnxhd_decode_init_thread_copy(AVCodecContext *avctx) diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index 41b8079a09..59bda860de 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -220,7 +220,7 @@ static av_cold int dnxhd_init_vlc(DNXHDEncContext *ctx) ctx->vlc_bits = ctx->orig_vlc_bits + max_level * 2; for (level = -max_level; level < max_level; level++) { for (run = 0; run < 2; run++) { - int index = (level << 1) | run; + int index = level * (1 << 1) | run; int sign, offset = 0, alevel = level; MASK_ABS(sign, alevel); @@ -616,7 +616,7 @@ void dnxhd_encode_block(DNXHDEncContext *ctx, int16_t *block, slevel = block[j]; if (slevel) { int run_level = i - last_non_zero - 1; - int rlevel = (slevel << 1) | !!run_level; + int rlevel = slevel * (1 << 1) | !!run_level; put_bits(&ctx->m.pb, ctx->vlc_bits[rlevel], ctx->vlc_codes[rlevel]); if (run_level) put_bits(&ctx->m.pb, ctx->run_bits[run_level], @@ -696,7 +696,7 @@ int dnxhd_calc_ac_bits(DNXHDEncContext *ctx, int16_t *block, int last_index) level = block[j]; if (level) { int run_level = i - last_non_zero - 1; - bits += ctx->vlc_bits[(level << 1) | + bits += ctx->vlc_bits[level * (1 << 1) | !!run_level] + ctx->run_bits[run_level]; last_non_zero = i; } diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 7d3934ee35..c7712ad412 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -305,9 +305,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data, shift[ch] -= (2 * n); diff = sign_extend((diff &~ 3) << 8, 16); - /* saturate the shifter to a lower limit of 0 */ - if (shift[ch] < 0) - shift[ch] = 0; + /* saturate the shifter to 0..31 */ + shift[ch] = av_clip_uintp2(shift[ch], 5); diff >>= shift[ch]; predictor[ch] += diff; @@ -367,7 +366,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data, while (output_samples < samples_end) { uint8_t n = bytestream2_get_byteu(&gb); - *output_samples++ = s->sample[idx] += s->array[n]; + *output_samples++ = s->sample[idx] += (unsigned)s->array[n]; idx ^= 1; } } diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index b1833ed9ef..03cbd3c78f 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c @@ -206,6 +206,9 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } + if (bits_per_color > 32) + return AVERROR_INVALIDDATA; + buf += 820; avctx->sample_aspect_ratio.num = read32(&buf, endian); avctx->sample_aspect_ratio.den = read32(&buf, endian); diff --git a/libavcodec/dsddec.c b/libavcodec/dsddec.c index 2c5c357acc..a2e038419f 100644 --- a/libavcodec/dsddec.c +++ b/libavcodec/dsddec.c @@ -44,6 +44,9 @@ static av_cold int decode_init(AVCodecContext *avctx) int i; uint8_t silence; + if (!avctx->channels) + return AVERROR_INVALIDDATA; + ff_init_dsd_data(); s = av_malloc_array(sizeof(DSDContext), avctx->channels); diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 0614c99c4b..a94133e410 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -37,7 +37,7 @@ #define DST_MAX_CHANNELS 6 #define DST_MAX_ELEMENTS (2 * DST_MAX_CHANNELS) -#define DSD_FS44(sample_rate) (sample_rate * 8 / 44100) +#define DSD_FS44(sample_rate) (sample_rate * 8LL / 44100) #define DST_SAMPLES_PER_FRAME(sample_rate) (588 * DSD_FS44(sample_rate)) @@ -85,6 +85,16 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } + // the sample rate is only allowed to be 64,128,256 * 44100 by ISO/IEC 14496-3:2005(E) + // We are a bit more tolerant here, but this check is needed to bound the size and duration + if (avctx->sample_rate > 512 * 44100) + return AVERROR_INVALIDDATA; + + + if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) { + return AVERROR_PATCHWELCOME; + } + avctx->sample_fmt = AV_SAMPLE_FMT_FLT; for (i = 0; i < avctx->channels; i++) @@ -120,7 +130,7 @@ static int read_map(GetBitContext *gb, Table *t, unsigned int map[DST_MAX_CHANNE static av_always_inline int get_sr_golomb_dst(GetBitContext *gb, unsigned int k) { - int v = get_ur_golomb(gb, k, get_bits_left(gb), 0); + int v = get_ur_golomb_jpegls(gb, k, get_bits_left(gb), 0); if (v && get_bits1(gb)) v = -v; return v; @@ -155,12 +165,16 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[ for (j = method + 1; j < t->length[i]; j++) { int c, x = 0; for (k = 0; k < method + 1; k++) - x += code_pred_coeff[method][k] * t->coeff[i][j - k - 1]; + x += code_pred_coeff[method][k] * (unsigned)t->coeff[i][j - k - 1]; c = get_sr_golomb_dst(gb, lsb_size); if (x >= 0) c -= (x + 4) / 8; else c += (-x + 3) / 8; + if (!is_signed) { + if (c < offset || c >= offset + (1<coeff[i][j] = c; } } @@ -200,7 +214,7 @@ static uint8_t prob_dst_x_bit(int c) return (ff_reverse[c & 127] >> 1) + 1; } -static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) +static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) { int i, j, k, l; @@ -211,14 +225,17 @@ static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table * int total = av_clip(length - j * 8, 0, 8); for (k = 0; k < 256; k++) { - int v = 0; + int64_t v = 0; for (l = 0; l < total; l++) v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l]; + if ((int16_t)v != v) + return AVERROR_INVALIDDATA; table[i][j][k] = v; } } } + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, @@ -298,11 +315,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, /* Filter Coef Sets (10.12) */ - read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0); + ret = read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0); + if (ret < 0) + return ret; /* Probability Tables (10.13) */ - read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1); + ret = read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1); + if (ret < 0) + return ret; /* Arithmetic Coded Data (10.11) */ @@ -310,7 +331,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; ac_init(ac, gb); - build_filter(s->filter, &s->fsets); + ret = build_filter(s->filter, &s->fsets); + if (ret < 0) + return ret; memset(s->status, 0xAA, sizeof(s->status)); memset(dsd, 0, frame->nb_samples * 4 * avctx->channels); diff --git a/libavcodec/dump_extradata_bsf.c b/libavcodec/dump_extradata_bsf.c index b641508234..0b6d404792 100644 --- a/libavcodec/dump_extradata_bsf.c +++ b/libavcodec/dump_extradata_bsf.c @@ -51,8 +51,8 @@ static int dump_extradata(AVBSFContext *ctx, AVPacket *out) if (ctx->par_in->extradata && (s->freq == DUMP_FREQ_ALL || (s->freq == DUMP_FREQ_KEYFRAME && in->flags & AV_PKT_FLAG_KEY)) && - in->size >= ctx->par_in->extradata_size && - memcmp(in->data, ctx->par_in->extradata, ctx->par_in->extradata_size)) { + (in->size < ctx->par_in->extradata_size || + memcmp(in->data, ctx->par_in->extradata, ctx->par_in->extradata_size))) { if (in->size >= INT_MAX - ctx->par_in->extradata_size) { ret = AVERROR(ERANGE); goto fail; diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 4dd675316b..e5d710069d 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -456,7 +456,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, V[x >> 2] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 2; + Y += ystride * 4; U += ustride; V += vstride; } @@ -501,7 +501,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, V[x >> 1] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 1; + Y += ystride * 2; U += ustride; V += vstride; } diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index ae79de981f..a2e748b32e 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -440,7 +440,7 @@ static int get_opcodes(GetByteContext *gb, uint32_t *table, uint8_t *dst, int op size_in_bits = bytestream2_get_le32(gb); endoffset = ((size_in_bits + 7) >> 3) - 4; - if (endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) + if ((int)endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) return AVERROR_INVALIDDATA; offset = endoffset; @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, int skip0, skip1, oi0 = 0, oi1 = 0; int ret, state0 = 0, state1 = 0; - if (op_offset < 12) + if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb)) return AVERROR_INVALIDDATA; dst = tex_data; @@ -755,7 +755,6 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, skip0 = dxv_decompress_opcodes(gb, op_data0, op_size0); if (skip0 < 0) return skip0; - bytestream2_seek(gb, data_start + op_offset + skip0 - 12, SEEK_SET); if (op_size1 > max_op_size1) return AVERROR_INVALIDDATA; skip1 = dxv_decompress_opcodes(gb, op_data1, op_size1); @@ -784,7 +783,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, return ret; } - bytestream2_seek(gb, data_start + op_offset + skip0 + skip1 - 12, SEEK_SET); + bytestream2_seek(gb, data_start - 12 + op_offset + skip0 + skip1, SEEK_SET); return 0; } @@ -799,6 +798,9 @@ static int dxv_decompress_yo(DXVContext *ctx, GetByteContext *gb, uint8_t *dst, *table0[256] = { 0 }, *table1[256] = { 0 }; int ret, state = 0, skip, oi = 0, v, vv; + if (op_offset < 8 || op_offset - 8 > bytestream2_get_bytes_left(gb)) + return AVERROR_INVALIDDATA; + dst = tex_data; bytestream2_skip(gb, op_offset - 8); if (op_size > max_op_size) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 32416112bf..282d32dbbe 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -111,7 +111,7 @@ static int dxva_get_decoder_configuration(AVCodecContext *avctx, for (i = 0; i < cfg_count; i++) { unsigned score; - UINT ConfigBitstreamRaw; + UINT ConfigBitstreamRaw = 0; GUID guidConfigBitstreamEncryption; #if CONFIG_D3D11VA @@ -262,7 +262,7 @@ static int dxva_get_decoder_guid(AVCodecContext *avctx, void *service, void *sur *decoder_guid = ff_GUID_NULL; for (i = 0; dxva_modes[i].guid; i++) { const dxva_mode *mode = &dxva_modes[i]; - int validate; + int validate = 0; if (!dxva_check_codec_compatibility(avctx, mode)) continue; @@ -794,7 +794,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx, unsigned type, const void *data, unsigned size, unsigned mb_count) { - void *dxva_data; + void *dxva_data = NULL; unsigned dxva_size; int result; HRESULT hr = 0; @@ -816,7 +816,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx, type, (unsigned)hr); return -1; } - if (size <= dxva_size) { + if (dxva_data && size <= dxva_size) { memcpy(dxva_data, data, size); #if CONFIG_D3D11VA @@ -894,7 +894,7 @@ int ff_dxva2_common_end_frame(AVCodecContext *avctx, AVFrame *frame, #endif DECODER_BUFFER_DESC *buffer = NULL, *buffer_slice = NULL; int result, runs = 0; - HRESULT hr; + HRESULT hr = -1; unsigned type; FFDXVASharedContext *sctx = DXVA_SHARED_CONTEXT(avctx); diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 3a5c7989b9..33b9c88bb2 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -139,9 +139,11 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) // spx_noise_blend and spx_signal_blend are both FP.23 nscale *= 1.0 / (1<<23); sscale *= 1.0 / (1<<23); + if (nscale < -1.0) + nscale = -1.0; #endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { - float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); + UINTFLOAT noise = (INTFLOAT)(nscale * (int32_t)av_lfg_get(&s->dith_state)); s->transform_coeffs[ch][bin] *= sscale; s->transform_coeffs[ch][bin++] += noise; } diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 6f39d72b88..08e9ae0192 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -198,12 +198,15 @@ static int cmv_decode_frame(AVCodecContext *avctx, if ((ret = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) return ret; + buf += EA_PREAMBLE_SIZE; + if (!(buf[0]&1) && buf_end - buf < s->width * s->height * (int64_t)(100 - s->avctx->discard_damaged_percentage) / 100) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; memcpy(frame->data[1], s->palette, AVPALETTE_SIZE); - buf += EA_PREAMBLE_SIZE; if ((buf[0]&1)) { // subtype cmv_decode_inter(s, frame, buf+2, buf_end); frame->key_frame = 0; diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index 1308c07cff..46bf226f6a 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -58,7 +58,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx) return 0; } -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) { uint8_t *perm = s->scantable.permutated; int i, j, value; @@ -66,6 +66,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb for (i = 1; i < 64;) { switch (show_bits(gb, 3)) { case 4: + if (i >= 63) + return AVERROR_INVALIDDATA; block[perm[i++]] = 0; case 0: block[perm[i++]] = 0; @@ -75,6 +77,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb case 1: skip_bits(gb, 2); value = get_bits(gb, 6); + if (value > 64 - i) + return AVERROR_INVALIDDATA; for (j = 0; j < value; j++) block[perm[i++]] = 0; break; @@ -102,6 +106,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb } } block[0] += 128 << 4; + return 0; } static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame, @@ -161,8 +166,11 @@ static int tgq_decode_mb(TgqContext *s, AVFrame *frame, int mb_y, int mb_x) if (ret < 0) return ret; - for (i = 0; i < 6; i++) - tgq_decode_block(s, s->block[i], &gb); + for (i = 0; i < 6; i++) { + int ret = tgq_decode_block(s, s->block[i], &gb); + if (ret < 0) + return ret; + } tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y); bytestream2_skip(&s->gb, mode); } else { diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index 93e291f053..f82f7b9cca 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -300,6 +300,9 @@ static int tgv_decode_frame(AVCodecContext *avctx, s->palette[i] = 0xFFU << 24 | AV_RB24(buf); buf += 3; } + if (buf_end - buf < 5) { + return AVERROR_INVALIDDATA; + } } if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 0002d45457..96536b1a08 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -131,6 +131,9 @@ static int tqi_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret, w, h; + if (buf_size < 12) + return AVERROR_INVALIDDATA; + t->avctx = avctx; w = AV_RL16(&buf[0]); diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index cffd3e12b1..6bcad51edc 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -88,11 +88,6 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < size * 34) - return cb; - - if (size >= INT_MAX / sizeof(MacroBlock)) - return cb; cb.blocks = av_malloc(size ? size * sizeof(MacroBlock) : 1); if (!cb.blocks) return cb; @@ -162,7 +157,7 @@ static MacroBlock decode_macroblock(Escape124Context* s, GetBitContext* gb, // This condition can occur with invalid bitstreams and // *codebook_index == 2 - if (block_index >= s->codebooks[*codebook_index].size) + if (block_index >= s->codebooks[*codebook_index].size || !s->codebooks[*codebook_index].blocks) return (MacroBlock) { { 0 } }; return s->codebooks[*codebook_index].blocks[block_index]; @@ -226,7 +221,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, // represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) - return -1; + return AVERROR_INVALIDDATA; frame_flags = get_bits_long(&gb, 32); frame_size = get_bits_long(&gb, 32); @@ -243,7 +238,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, if ((ret = av_frame_ref(frame, s->frame)) < 0) return ret; - return frame_size; + return 0; } for (i = 0; i < 3; i++) { @@ -277,9 +272,14 @@ static int escape124_decode_frame(AVCodecContext *avctx, } av_freep(&s->codebooks[i].blocks); + if (cb_size >= INT_MAX / 34 || get_bits_left(&gb) < (int)cb_size * 34) + return AVERROR_INVALIDDATA; + + if (cb_size >= INT_MAX / sizeof(MacroBlock)) + return AVERROR_INVALIDDATA; s->codebooks[i] = unpack_codebook(&gb, cb_depth, cb_size); if (!s->codebooks[i].blocks) - return -1; + return AVERROR(ENOMEM); } } @@ -372,7 +372,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, *got_frame = 1; - return frame_size; + return 0; } diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 0f8b0fda9f..0489e302d4 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -881,7 +881,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src, in = ptr[3] + s->xdelta; for (j = 0; j < s->xdelta; ++j) { - uint32_t diff = (*(ptr[0]++) << 24) | + uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) | (*(ptr[1]++) << 16) | (*(ptr[2]++) << 8 ) | (*(ptr[3]++)); @@ -1092,6 +1092,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, if ((col + td->xsize) != s->xdelta)/* not the last tile of the line */ axmax = 0; /* doesn't add pixel at the right of the datawindow */ + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + return AVERROR_INVALIDDATA; + td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ } else { @@ -1111,6 +1114,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ td->xsize = s->xdelta; + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + return AVERROR_INVALIDDATA; + td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ @@ -1307,6 +1313,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) int magic_number, version, i, flags, sar = 0; int layer_match = 0; int ret; + int dup_channels = 0; s->current_channel_offset = 0; s->xmin = ~0; @@ -1465,10 +1472,12 @@ static int decode_header(EXRContext *s, AVFrame *frame) s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; } else if (channel_index >= 0) { - av_log(s->avctx, AV_LOG_ERROR, + av_log(s->avctx, AV_LOG_WARNING, "Multiple channels with index %d.\n", channel_index); - ret = AVERROR_INVALIDDATA; - goto fail; + if (++dup_channels > 10) { + ret = AVERROR_INVALIDDATA; + goto fail; + } } s->channels = av_realloc(s->channels, @@ -1511,15 +1520,28 @@ static int decode_header(EXRContext *s, AVFrame *frame) continue; } else if ((var_size = check_header_variable(s, "dataWindow", "box2i", 31)) >= 0) { + int xmin, ymin, xmax, ymax; if (!var_size) { ret = AVERROR_INVALIDDATA; goto fail; } - s->xmin = bytestream2_get_le32(&s->gb); - s->ymin = bytestream2_get_le32(&s->gb); - s->xmax = bytestream2_get_le32(&s->gb); - s->ymax = bytestream2_get_le32(&s->gb); + xmin = bytestream2_get_le32(&s->gb); + ymin = bytestream2_get_le32(&s->gb); + xmax = bytestream2_get_le32(&s->gb); + ymax = bytestream2_get_le32(&s->gb); + + if (xmin > xmax || ymin > ymax || + ymax == INT_MAX || xmax == INT_MAX || + (unsigned)xmax - xmin >= INT_MAX || + (unsigned)ymax - ymin >= INT_MAX) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + s->xmin = xmin; + s->xmax = xmax; + s->ymin = ymin; + s->ymax = ymax; s->xdelta = (s->xmax - s->xmin) + 1; s->ydelta = (s->ymax - s->ymin) + 1; @@ -1736,7 +1758,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, s->ymin > s->ymax || s->xdelta != s->xmax - s->xmin + 1 || s->xmax >= s->w || - s->ymax >= s->h) { + s->ymax >= s->h || + s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF + ) { av_log(avctx, AV_LOG_ERROR, "Wrong or missing size information.\n"); return AVERROR_INVALIDDATA; } @@ -1760,7 +1784,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) return ret; - if (bytestream2_get_bytes_left(&s->gb) < nb_blocks * 8) + if (bytestream2_get_bytes_left(&s->gb)/8 < nb_blocks) return AVERROR_INVALIDDATA; // check offset table and recreate it if need @@ -1788,7 +1812,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, ptr = picture->data[0]; // Zero out the start if ymin is not 0 - for (y = 0; y < s->ymin; y++) { + for (y = 0; y < FFMIN(s->ymin, s->h); y++) { memset(ptr, 0, out_line_size); ptr += picture->linesize[0]; } @@ -1798,10 +1822,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks); // Zero out the end if ymax+1 is not h - ptr = picture->data[0] + ((s->ymax+1) * picture->linesize[0]); - for (y = s->ymax + 1; y < avctx->height; y++) { - memset(ptr, 0, out_line_size); - ptr += picture->linesize[0]; + if ((s->ymax+1) < avctx->height) { + ptr = picture->data[0] + ((s->ymax+1) * picture->linesize[0]); + for (y = s->ymax + 1; y < avctx->height; y++) { + memset(ptr, 0, out_line_size); + ptr += picture->linesize[0]; + } } picture->pict_type = AV_PICTURE_TYPE_I; diff --git a/libavcodec/extract_extradata_bsf.c b/libavcodec/extract_extradata_bsf.c index 17e5deb96b..85cf615ffa 100644 --- a/libavcodec/extract_extradata_bsf.c +++ b/libavcodec/extract_extradata_bsf.c @@ -85,7 +85,7 @@ static int extract_extradata_av1(AVBSFContext *ctx, AVPacket *pkt, } if (extradata_size && has_seq) { - AVBufferRef *filtered_buf; + AVBufferRef *filtered_buf = NULL; uint8_t *extradata, *filtered_data; if (s->remove) { @@ -179,7 +179,7 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt, if (extradata_size && ((ctx->par_in->codec_id == AV_CODEC_ID_HEVC && has_sps && has_vps) || (ctx->par_in->codec_id == AV_CODEC_ID_H264 && has_sps))) { - AVBufferRef *filtered_buf; + AVBufferRef *filtered_buf = NULL; uint8_t *extradata, *filtered_data; if (s->remove) { diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 2a1d2bc3f6..5393fcf82b 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -141,6 +141,8 @@ static int decode_uncompressed(AVCodecContext *avctx, GetBitContext *gb, return AVERROR_INVALIDDATA; } cwi = 10 - av_log2(cwi); + if (get_bits_left(gb) < cwi + 1) + return AVERROR_INVALIDDATA; skip_bits(gb, cwi + 1); if (cwi > 5) { newmode = get_bits1(gb); @@ -206,6 +208,8 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int run = 0; unsigned int t; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); run += t; if (t < 64) { @@ -224,7 +228,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, run = 0; mode = !mode; } else if ((int)t == -1) { - if (show_bits(gb, 12) == 15) { + if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) { int ret; skip_bits(gb, 12); ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode); @@ -251,7 +255,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int offs = 0, run = 0; while (offs < width) { - int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); + int cmode; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); if (cmode == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n"); return AVERROR_INVALIDDATA; @@ -273,6 +280,8 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, for (k = 0; k < 2; k++) { run = 0; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); if (t == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect code\n"); @@ -296,7 +305,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, mode = !mode; } } else if (cmode == 9 || cmode == 10) { - int xxx = get_bits(gb, 3); + int xxx; + if (get_bits_left(gb) < 3) + return AVERROR_INVALIDDATA; + xxx = get_bits(gb, 3); if (cmode == 9 && xxx == 7) { int ret; int pix_left = width - offs; diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index a14dd2aab2..50093100bb 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -114,6 +114,13 @@ av_cold int ff_ffv1_init_slices_state(FFV1Context *f) return 0; } +int ff_need_new_slices(int width, int num_h_slices, int chroma_shift) { + int mpw = 1<c; uint8_t state[CONTEXT_SIZE]; unsigned ps, i, context_count; + int sx, sy, sw, sh; + memset(state, 128, sizeof(state)); + sx = get_symbol(c, state, 0); + sy = get_symbol(c, state, 0); + sw = get_symbol(c, state, 0) + 1U; + sh = get_symbol(c, state, 0) + 1U; av_assert0(f->version > 2); - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width /f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height/f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height) - return -1; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) - return -1; + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) + return AVERROR_INVALIDDATA; + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) + return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); + + if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) + return AVERROR_INVALIDDATA; for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; @@ -301,8 +311,11 @@ static int decode_slice(AVCodecContext *c, void *arg) } if ((ret = ff_ffv1_init_slice_state(f, fs)) < 0) return ret; - if (f->cur->key_frame || fs->slice_reset_contexts) + if (f->cur->key_frame || fs->slice_reset_contexts) { ff_ffv1_clear_slice_state(f, fs); + } else if (fs->slice_damaged) { + return AVERROR_INVALIDDATA; + } width = fs->slice_width; height = fs->slice_height; @@ -351,7 +364,7 @@ static int decode_slice(AVCodecContext *c, void *arg) if (fs->ac != AC_GOLOMB_RICE && f->version > 2) { int v; get_rac(&fs->c, (uint8_t[]) { 129 }); - v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*f->ec; + v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*!!f->ec; if (v) { av_log(f->avctx, AV_LOG_ERROR, "bytestream end mismatching by %d\n", v); fs->slice_damaged = 1; @@ -465,6 +478,11 @@ static int read_extra_header(FFV1Context *f) return AVERROR_INVALIDDATA; } + if (f->num_h_slices > MAX_SLICES / f->num_v_slices) { + av_log(f->avctx, AV_LOG_ERROR, "slice count unsupported\n"); + return AVERROR_PATCHWELCOME; + } + f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); @@ -767,21 +785,25 @@ static int read_header(FFV1Context *f) fs->slice_damaged = 0; if (f->version == 2) { - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; + int sx = get_symbol(c, state, 0); + int sy = get_symbol(c, state, 0); + int sw = get_symbol(c, state, 0) + 1U; + int sh = get_symbol(c, state, 0) + 1U; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width / f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || - (unsigned)fs->slice_height > f->height) + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) return AVERROR_INVALIDDATA; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); } for (i = 0; i < f->plane_count; i++) { @@ -789,7 +811,7 @@ static int read_header(FFV1Context *f) if (f->version == 2) { int idx = get_symbol(c, state, 0); - if (idx > (unsigned)f->quant_table_count) { + if (idx >= (unsigned)f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n"); return AVERROR_INVALIDDATA; @@ -893,8 +915,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int trailer = 3 + 5*!!f->ec; int v; - if (i || f->version > 2) v = AV_RB24(buf_p-trailer) + trailer; - else v = buf_p - c->bytestream_start; + if (i || f->version > 2) { + if (trailer > buf_p - buf) v = INT_MAX; + else v = AV_RB24(buf_p-trailer) + trailer; + } else v = buf_p - c->bytestream_start; if (buf_p - c->bytestream_start < v) { av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n"); ff_thread_report_progress(&f->picture, INT_MAX, 0); @@ -906,7 +930,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac unsigned crc = av_crc(av_crc_get_table(AV_CRC_32_IEEE), 0, buf_p, v); if (crc) { int64_t ts = avpkt->pts != AV_NOPTS_VALUE ? avpkt->pts : avpkt->dts; - av_log(f->avctx, AV_LOG_ERROR, "CRC mismatch %X!", crc); + av_log(f->avctx, AV_LOG_ERROR, "slice CRC mismatch %X!", crc); if (ts != AV_NOPTS_VALUE && avctx->pkt_timebase.num) { av_log(f->avctx, AV_LOG_ERROR, "at %f seconds\n", ts*av_q2d(avctx->pkt_timebase)); } else if (ts != AV_NOPTS_VALUE) { diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c index 0b1d176ba1..9b1d65e825 100644 --- a/libavcodec/ffv1dec_template.c +++ b/libavcodec/ffv1dec_template.c @@ -93,11 +93,11 @@ static av_always_inline int RENAME(decode_line)(FFV1Context *s, int w, run_count--; } } else { - while (run_count > 1 && w-x > 1) { - sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x); - x++; - run_count--; - } + while (run_count > 1 && w-x > 1) { + sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x); + x++; + run_count--; + } } run_count--; if (run_count < 0) { diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 796d81f7c6..32cb2042dd 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -200,7 +200,7 @@ static av_always_inline av_flatten void put_symbol_inline(RangeCoder *c, } while (0) if (v) { - const int a = FFABS(v); + const unsigned a = is_signed ? FFABS(v) : v; const int e = av_log2(a); put_rac(c, state + 0, 0); if (e <= 9) { @@ -520,6 +520,11 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->slices > 1) s->version = FFMAX(s->version, 2); + if ((avctx->flags & (AV_CODEC_FLAG_PASS1 | AV_CODEC_FLAG_PASS2)) && s->ac == AC_GOLOMB_RICE) { + av_log(avctx, AV_LOG_ERROR, "2 Pass mode is not possible with golomb coding\n"); + return AVERROR(EINVAL); + } + // Unspecified level & slices, we choose version 1.2+ to ensure multithreaded decodability if (avctx->slices == 0 && avctx->level < 0 && avctx->width * avctx->height > 720*576) s->version = FFMAX(s->version, 2); @@ -544,7 +549,7 @@ static av_cold int encode_init(AVCodecContext *avctx) s->version = FFMAX(s->version, 3); if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { - av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); + av_log(avctx, AV_LOG_ERROR, "Version 2 or 4 needed for requested features but version 2 or 4 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; } @@ -729,19 +734,21 @@ FF_ENABLE_DEPRECATION_WARNINGS s->quant_tables[1][2][i]= 11*11*quant5 [i]; s->quant_tables[1][3][i]= 5*11*11*quant5 [i]; s->quant_tables[1][4][i]= 5*5*11*11*quant5 [i]; + s->context_count[0] = (11 * 11 * 11 + 1) / 2; + s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; } else { s->quant_tables[0][0][i]= quant9_10bit[i]; - s->quant_tables[0][1][i]= 11*quant9_10bit[i]; - s->quant_tables[0][2][i]= 11*11*quant9_10bit[i]; + s->quant_tables[0][1][i]= 9*quant9_10bit[i]; + s->quant_tables[0][2][i]= 9*9*quant9_10bit[i]; s->quant_tables[1][0][i]= quant9_10bit[i]; - s->quant_tables[1][1][i]= 11*quant9_10bit[i]; - s->quant_tables[1][2][i]= 11*11*quant5_10bit[i]; - s->quant_tables[1][3][i]= 5*11*11*quant5_10bit[i]; - s->quant_tables[1][4][i]= 5*5*11*11*quant5_10bit[i]; + s->quant_tables[1][1][i]= 9*quant9_10bit[i]; + s->quant_tables[1][2][i]= 9*9*quant5_10bit[i]; + s->quant_tables[1][3][i]= 5*9*9*quant5_10bit[i]; + s->quant_tables[1][4][i]= 5*5*9*9*quant5_10bit[i]; + s->context_count[0] = (9 * 9 * 9 + 1) / 2; + s->context_count[1] = (9 * 9 * 5 * 5 * 5 + 1) / 2; } } - s->context_count[0] = (11 * 11 * 11 + 1) / 2; - s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; memcpy(s->quant_table, s->quant_tables[s->context_model], sizeof(s->quant_table)); @@ -879,6 +886,10 @@ FF_ENABLE_DEPRECATION_WARNINGS continue; if (maxw * maxh * (int64_t)(s->bits_per_raw_sample+1) * plane_count > 8<<24) continue; + if (s->version < 4) + if ( ff_need_new_slices(avctx->width , s->num_h_slices, s->chroma_h_shift) + ||ff_need_new_slices(avctx->height, s->num_v_slices, s->chroma_v_shift)) + continue; if (avctx->slices == s->num_h_slices * s->num_v_slices && avctx->slices <= MAX_SLICES || !avctx->slices) goto slices_ok; } @@ -927,8 +938,8 @@ static void encode_slice_header(FFV1Context *f, FFV1Context *fs) put_symbol(c, state, (fs->slice_x +1)*f->num_h_slices / f->width , 0); put_symbol(c, state, (fs->slice_y +1)*f->num_v_slices / f->height , 0); - put_symbol(c, state, (fs->slice_width +1)*f->num_h_slices / f->width -1, 0); - put_symbol(c, state, (fs->slice_height+1)*f->num_v_slices / f->height-1, 0); + put_symbol(c, state, 0, 0); + put_symbol(c, state, 0, 0); for (j=0; jplane_count; j++) { put_symbol(c, state, f->plane[j].quant_table_index, 0); av_assert0(f->plane[j].quant_table_index == f->context_model); diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index b319b3341a..a7bb351ee5 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -188,7 +188,7 @@ static uint64_t frac64(uint64_t a, uint64_t b) static uint64_t phi_at(struct ws_interval *in, int64_t ts) { - uint64_t dt = ts - in->ts_start; + uint64_t dt = ts - (uint64_t)in->ts_start; uint64_t dt2 = dt & 1 ? /* dt * (dt - 1) / 2 without overflow */ dt * ((dt - 1) >> 1) : (dt >> 1) * (dt - 1); return in->phi0 + dt * in->dphi0 + dt2 * in->ddphi; @@ -217,10 +217,10 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) *last = -1; lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); if (ws->pink_need) { - int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); - int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); + uint64_t pink_ts_cur = (ws->cur_ts + (uint64_t)PINK_UNIT - 1) & ~(PINK_UNIT - 1); + uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) << 1); + lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); if (pos) { pink_fill(ws); ws->pink_pos = pos; @@ -281,7 +281,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) dphi1 = frac64(f1, (int64_t)avc->sample_rate << 16); dphi2 = frac64(f2, (int64_t)avc->sample_rate << 16); in->dphi0 = dphi1; - in->ddphi = (dphi2 - dphi1) / dt; + in->ddphi = (int64_t)(dphi2 - (uint64_t)dphi1) / dt; if (phi & 0x80000000) { phi &= ~0x80000000; if (phi >= i) @@ -301,8 +301,8 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) default: return AVERROR(EINVAL); } - in->amp0 = (int64_t)a1 << 32; - in->damp = (((int64_t)a2 << 32) - ((int64_t)a1 << 32)) / dt; + in->amp0 = (uint64_t)a1 << 32; + in->damp = (int64_t)(((uint64_t)a2 << 32) - ((uint64_t)a1 << 32)) / dt; } if (edata != edata_end) return AVERROR(EINVAL); @@ -350,7 +350,8 @@ fail: static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, int32_t *channels) { - int32_t amp, val, *cv; + int32_t amp, *cv; + unsigned val; struct ws_interval *in; int i, *last, pink; uint32_t c, all_ch = 0; @@ -372,12 +373,12 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, in->amp += in->damp; switch (in->type) { case WS_SINE: - val = amp * ws->sin[in->phi >> (64 - SIN_BITS)]; + val = amp * (unsigned)ws->sin[in->phi >> (64 - SIN_BITS)]; in->phi += in->dphi; in->dphi += in->ddphi; break; case WS_NOISE: - val = amp * pink; + val = amp * (unsigned)pink; break; default: val = 0; @@ -385,7 +386,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, all_ch |= in->channels; for (c = in->channels, cv = channels; c; c >>= 1, cv++) if (c & 1) - *cv += val; + *cv += (unsigned)val; } val = (int32_t)lcg_next(&ws->dither_state) >> 16; for (c = all_ch, cv = channels; c; c >>= 1, cv++) @@ -443,7 +444,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, if (r < 0) return r; pcm = (int16_t *)frame->data[0]; - for (s = 0; s < duration; s++, ts++) { + for (s = 0; s < duration; s++, ts+=(uint64_t)1) { memset(channels, 0, avc->channels * sizeof(*channels)); if (ts >= ws->next_ts) wavesynth_enter_intervals(ws, ts); @@ -451,7 +452,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, for (c = 0; c < avc->channels; c++) *(pcm++) = channels[c] >> 16; } - ws->cur_ts += duration; + ws->cur_ts += (uint64_t)duration; *rgot_frame = 1; return packet->size; } diff --git a/libavcodec/fits.c b/libavcodec/fits.c index ad73ab70de..97fa7abe80 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c @@ -187,6 +187,8 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t header->blank = t; header->blank_found = 1; } else if (!strcmp(keyword, "BSCALE") && sscanf(value, "%lf", &d) == 1) { + if (d <= 0) + return AVERROR_INVALIDDATA; header->bscale = d; } else if (!strcmp(keyword, "BZERO") && sscanf(value, "%lf", &d) == 1) { header->bzero = d; @@ -203,8 +205,12 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t } else if (!strcmp(keyword, "GROUPS") && sscanf(value, "%c", &c) == 1) { header->groups = (c == 'T'); } else if (!strcmp(keyword, "GCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->gcount = t; } else if (!strcmp(keyword, "PCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->pcount = t; } dict_set_if_not_null(metadata, keyword, value); diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 4f452422ef..32a79cdd0d 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -143,7 +143,7 @@ static int fits_read_header(AVCodecContext *avctx, const uint8_t **ptr, FITSHead size = abs(header->bitpix) >> 3; for (i = 0; i < header->naxis; i++) { - if (size && header->naxisn[i] > SIZE_MAX / size) { + if (size == 0 || header->naxisn[i] > SIZE_MAX / size) { av_log(avctx, AV_LOG_ERROR, "unsupported size of FITS image"); return AVERROR_INVALIDDATA; } @@ -264,6 +264,13 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, CASE_RGB(16, dst16, uint16_t, AV_RB16); } } else { + double scale = header.data_max - header.data_min; + + if (scale <= 0 || !isfinite(scale)) { + scale = 1; + } + scale = 1/scale; + switch (header.bitpix) { #define CASE_GRAY(cas, dst, type, t, rd) \ case cas: \ @@ -272,7 +279,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (j = 0; j < avctx->width; j++) { \ t = rd; \ if (!header.blank_found || t != header.blank) { \ - *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) / (header.data_max - header.data_min); \ + *dst++ = lrint(((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) * scale); \ } else { \ *dst++ = fitsctx->blank_val; \ } \ diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 2721286464..07b140cd90 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -55,6 +55,7 @@ /** largest possible size of flac header */ #define MAX_FRAME_HEADER_SIZE 16 +#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE) typedef struct FLACHeaderMarker { int offset; /**< byte offset from start of FLACParseContext->buffer */ @@ -169,7 +170,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset) uint8_t *header_buf; int size = 0; header_buf = flac_fifo_read_wrap(fpc, offset, - MAX_FRAME_HEADER_SIZE, + MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE, &fpc->wrap_buf, &fpc->wrap_buf_allocated_size); if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) { @@ -216,16 +217,20 @@ static int find_headers_search(FLACParseContext *fpc, uint8_t *buf, int buf_size uint32_t x; for (i = 0; i < mod_offset; i++) { - if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) - size = find_headers_search_validate(fpc, search_start + i); + if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) { + int ret = find_headers_search_validate(fpc, search_start + i); + size = FFMAX(size, ret); + } } for (; i < buf_size - 1; i += 4) { x = AV_RB32(buf + i); if (((x & ~(x + 0x01010101)) & 0x80808080)) { for (j = 0; j < 4; j++) { - if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) - size = find_headers_search_validate(fpc, search_start + i + j); + if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) { + int ret = find_headers_search_validate(fpc, search_start + i + j); + size = FFMAX(size, ret); + } } } } @@ -362,6 +367,8 @@ static int check_header_mismatch(FLACParseContext *fpc, for (i = 0; i < FLAC_MAX_SEQUENTIAL_HEADERS && curr != child; i++) curr = curr->next; + av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS); + if (header->link_penalty[i] < FLAC_HEADER_CRC_FAIL_PENALTY || header->link_penalty[i] == FLAC_HEADER_NOT_PENALIZED_YET) { FLACHeaderMarker *start, *end; diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index c8eb456049..8de8ebd80e 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -262,7 +262,7 @@ static int decode_residuals(FLACContext *s, int32_t *decoded, int pred_order) } else { int real_limit = tmp ? (INT_MAX >> tmp) + 2 : INT_MAX; for (; i < samples; i++) { - int v = get_sr_golomb_flac(&gb, tmp, real_limit, 0); + int v = get_sr_golomb_flac(&gb, tmp, real_limit, 1); if (v == 0x80000000){ av_log(s->avctx, AV_LOG_ERROR, "invalid residual\n"); return AVERROR_INVALIDDATA; diff --git a/libavcodec/flacdsp_template.c b/libavcodec/flacdsp_template.c index 776c78da71..892418cddc 100644 --- a/libavcodec/flacdsp_template.c +++ b/libavcodec/flacdsp_template.c @@ -66,8 +66,8 @@ static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; - int b = in[1][i]; + unsigned a = in[0][i]; + unsigned b = in[1][i]; S(samples, 0, i) = a << shift; S(samples, 1, i) = (a - b) << shift; } @@ -80,8 +80,8 @@ static void FUNC(flac_decorrelate_rs_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; - int b = in[1][i]; + unsigned a = in[0][i]; + unsigned b = in[1][i]; S(samples, 0, i) = (a + b) << shift; S(samples, 1, i) = b << shift; } @@ -94,7 +94,7 @@ static void FUNC(flac_decorrelate_ms_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; + unsigned a = in[0][i]; int b = in[1][i]; a -= b >> 1; S(samples, 0, i) = (a + b) << shift; diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 99868f3ba3..bf095f7461 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -735,6 +735,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, bytestream2_skip(&g2, chunk_size - 6); } else { + if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height ) + return AVERROR_INVALIDDATA; for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) { @@ -1024,14 +1026,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) { - pixel_countdown = s->avctx->width; - pixel_ptr = 0; - while (pixel_countdown > 0) { - pixel = bytestream2_get_le24(&g2); - AV_WL24(&pixels[y_ptr + pixel_ptr], pixel); - pixel_ptr += 3; - pixel_countdown--; - } + bytestream2_get_buffer(&g2, pixels + y_ptr, 3*s->avctx->width); if (s->avctx->width & 1) bytestream2_skip(&g2, 3); } diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 5bee96a18d..417830834f 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -100,7 +100,6 @@ static int decode_type2(GetByteContext *gb, PutByteContext *pb) continue; } } - repeat = 0; } repeat = 1; } @@ -401,20 +400,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, PutByteContext *pb = &s->pb; AVFrame *frame = data; int ret, y, x; + int key_frame; if (avpkt->size < 8) return AVERROR_INVALIDDATA; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - bytestream2_init(gb, avpkt->data, avpkt->size); bytestream2_skip(gb, 2); - frame->key_frame = !!bytestream2_get_le16(gb); - frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; + key_frame = !!bytestream2_get_le16(gb); - if (frame->key_frame) { + if (key_frame) { const uint8_t *src; unsigned type, size; uint8_t *dst; @@ -434,6 +430,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, return AVERROR_PATCHWELCOME; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 1; + frame->pict_type = AV_PICTURE_TYPE_I; + src = s->buffer; dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { @@ -512,6 +514,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, dst = &rect[block_h * s->stride]; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 0; + frame->pict_type = AV_PICTURE_TYPE_P; + ssrc = s->buffer; ddst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { diff --git a/libavcodec/frame_thread_encoder.c b/libavcodec/frame_thread_encoder.c index 55756c4c54..d85b14e946 100644 --- a/libavcodec/frame_thread_encoder.c +++ b/libavcodec/frame_thread_encoder.c @@ -117,7 +117,7 @@ end: int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ int i=0; ThreadContext *c; - + AVCodecContext *thread_avctx = NULL; if( !(avctx->thread_type & FF_THREAD_FRAME) || !(avctx->codec->capabilities & AV_CODEC_CAP_INTRA_ONLY)) @@ -195,16 +195,17 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ AVDictionary *tmp = NULL; int ret; void *tmpv; - AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec); + thread_avctx = avcodec_alloc_context3(avctx->codec); if(!thread_avctx) goto fail; tmpv = thread_avctx->priv_data; *thread_avctx = *avctx; + thread_avctx->priv_data = tmpv; + thread_avctx->internal = NULL; + thread_avctx->hw_frames_ctx = NULL; ret = av_opt_copy(thread_avctx, avctx); if (ret < 0) goto fail; - thread_avctx->priv_data = tmpv; - thread_avctx->internal = NULL; if (avctx->codec->priv_class) { int ret = av_opt_copy(thread_avctx->priv_data, avctx->priv_data); if (ret < 0) @@ -232,6 +233,8 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ return 0; fail: + avcodec_close(thread_avctx); + av_freep(&thread_avctx); avctx->thread_count = i; av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n"); ff_frame_thread_encoder_free(avctx); diff --git a/libavcodec/frame_thread_encoder.h b/libavcodec/frame_thread_encoder.h index 1f79553f20..fc85ba48b8 100644 --- a/libavcodec/frame_thread_encoder.h +++ b/libavcodec/frame_thread_encoder.h @@ -23,6 +23,10 @@ #include "avcodec.h" +/** + * Initialize frame thread encoder. + * @note hardware encoders are not supported + */ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options); void ff_frame_thread_encoder_free(AVCodecContext *avctx); int ff_thread_video_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet_ptr); diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index a1dec8d823..5856d51783 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -143,7 +143,8 @@ typedef struct G2MContext { int got_header; uint8_t *framebuf; - int framebuf_stride, old_width, old_height; + int framebuf_stride; + unsigned int framebuf_allocated; uint8_t *synth_tile, *jpeg_tile, *epic_buf, *epic_buf_base; int tile_stride, epic_buf_stride, old_tile_w, old_tile_h; @@ -244,6 +245,9 @@ static int jpg_decode_block(JPGContext *c, GetBitContext *gb, const int is_chroma = !!plane; const uint8_t *qmat = is_chroma ? chroma_quant : luma_quant; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + c->bdsp.clear_block(block); dc = get_vlc2(gb, c->dc_vlc[is_chroma].table, 9, 3); if (dc < 0) @@ -854,6 +858,9 @@ static int epic_decode_tile(ePICContext *dc, uint8_t *out, int tile_height, uint32_t ref_pix = curr_row[x - 1]; if (!x || !epic_decode_from_cache(dc, ref_pix, &pix)) { pix = epic_decode_pixel_pred(dc, x, y, curr_row, above_row); + if (is_pixel_on_stack(dc, pix)) + return AVERROR_INVALIDDATA; + if (x) { int ret = epic_add_pixel_to_cache(&dc->hash, ref_pix, @@ -911,6 +918,11 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, awidth = FFALIGN(tile_width, 16); aheight = FFALIGN(tile_height, 16); + if (tile_width > (1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung))) { + avpriv_request_sample(avctx, "large tile width"); + return AVERROR_INVALIDDATA; + } + if (els_dsize) { int ret, i, j, k; uint8_t tr_r, tr_g, tr_b, *buf; @@ -1168,14 +1180,13 @@ static int g2m_init_buffers(G2MContext *c) { int aligned_height; - if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) { - c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; - aligned_height = c->height + 15; - av_free(c->framebuf); - c->framebuf = av_mallocz_array(c->framebuf_stride, aligned_height); - if (!c->framebuf) - return AVERROR(ENOMEM); - } + c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; + aligned_height = c->height + 15; + + av_fast_mallocz(&c->framebuf, &c->framebuf_allocated, c->framebuf_stride * aligned_height); + if (!c->framebuf) + return AVERROR(ENOMEM); + if (!c->synth_tile || !c->jpeg_tile || (c->compression == 2 && !c->epic_buf_base) || c->old_tile_w < c->tile_width || @@ -1627,6 +1638,7 @@ static av_cold int g2m_decode_end(AVCodecContext *avctx) av_freep(&c->jpeg_tile); av_freep(&c->cursor); av_freep(&c->framebuf); + c->framebuf_allocated = 0; return 0; } diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index d8bc3f97ac..f601d31d00 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -677,7 +677,9 @@ static int estimate_sid_gain(G723_1_ChannelContext *p) if (p->sid_gain < 0) t = INT32_MIN; else t = INT32_MAX; } else - t = p->sid_gain << shift; + t = p->sid_gain * (1 << shift); + } else if(shift < -31) { + t = (p->sid_gain < 0) ? -1 : 0; }else t = p->sid_gain >> -shift; x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16); @@ -1010,7 +1012,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data, formant_postfilter(p, lpc, p->audio, out); } else { // if output is not postfiltered it should be scaled by 2 for (i = 0; i < FRAME_LEN; i++) - out[i] = av_clip_int16(p->audio[LPC_ORDER + i] << 1); + out[i] = av_clip_int16(2 * p->audio[LPC_ORDER + i]); } } diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c index 9982dbfffc..fc00235d7f 100644 --- a/libavcodec/g729_parser.c +++ b/libavcodec/g729_parser.c @@ -52,6 +52,12 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx, s->duration = avctx->frame_size; } + if (!s->block_size) { + *poutbuf = buf; + *poutbuf_size = buf_size; + return buf_size; + } + if (!s->remaining) s->remaining = s->block_size; if (s->remaining <= buf_size) { diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index 2e4756b805..222d6014b6 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -97,6 +97,7 @@ typedef struct { uint8_t gc_2nd_index_bits; ///< gain codebook (second stage) index (size in bits) uint8_t fc_signs_bits; ///< number of pulses in fixed-codebook vector uint8_t fc_indexes_bits; ///< size (in bits) of fixed-codebook index entry + uint8_t block_size; } G729FormatDescription; typedef struct { @@ -165,6 +166,7 @@ static const G729FormatDescription format_g729_8k = { .gc_2nd_index_bits = GC_2ND_IDX_BITS_8K, .fc_signs_bits = 4, .fc_indexes_bits = 13, + .block_size = G729_8K_BLOCK_SIZE, }; static const G729FormatDescription format_g729d_6k4 = { @@ -174,6 +176,7 @@ static const G729FormatDescription format_g729d_6k4 = { .gc_2nd_index_bits = GC_2ND_IDX_BITS_6K4, .fc_signs_bits = 2, .fc_indexes_bits = 9, + .block_size = G729D_6K4_BLOCK_SIZE, }; /** @@ -332,11 +335,14 @@ static int16_t g729d_voice_decision(int onset, int prev_voice_decision, const in static int32_t scalarproduct_int16_c(const int16_t * v1, const int16_t * v2, int order) { - int res = 0; + int64_t res = 0; while (order--) res += *v1++ * *v2++; + if (res > INT32_MAX) return INT32_MAX; + else if (res < INT32_MIN) return INT32_MIN; + return res; } @@ -424,7 +430,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; - if (buf_size % (G729_8K_BLOCK_SIZE * avctx->channels) == 0) { + if (buf_size && buf_size % (G729_8K_BLOCK_SIZE * avctx->channels) == 0) { packet_type = FORMAT_G729_8K; format = &format_g729_8k; //Reset voice decision @@ -446,11 +452,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, int is_periodic = 0; ///< whether one of the subframes is declared as periodic or not out_frame = (int16_t*)frame->data[c]; - for (i = 0; i < buf_size; i++) + for (i = 0; i < format->block_size; i++) frame_erasure |= buf[i]; frame_erasure = !frame_erasure; - init_get_bits(&gb, buf, 8*buf_size); + init_get_bits(&gb, buf, 8*format->block_size); ma_predictor = get_bits(&gb, 1); quantizer_1st = get_bits(&gb, VQ_1ST_BITS); @@ -552,12 +558,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, fc_v[i] = < \ fc_v[i] + gain_pitch * fc_v[i-pitch_delay], i >= pitch_delay */ - ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i], - fc + pitch_delay_int[i], - fc, 1 << 14, - av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX), - 0, 14, - SUBFRAME_SIZE - pitch_delay_int[i]); + if (SUBFRAME_SIZE > pitch_delay_int[i]) + ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i], + fc + pitch_delay_int[i], + fc, 1 << 14, + av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX), + 0, 14, + SUBFRAME_SIZE - pitch_delay_int[i]); memmove(ctx->past_gain_pitch+1, ctx->past_gain_pitch, 5 * sizeof(int16_t)); ctx->past_gain_code[1] = ctx->past_gain_code[0]; @@ -722,12 +729,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, /* Save signal for use in next frame. */ memmove(ctx->exc_base, ctx->exc_base + 2 * SUBFRAME_SIZE, (PITCH_DELAY_MAX+INTERPOL_LEN)*sizeof(int16_t)); - buf += packet_type == FORMAT_G729_8K ? G729_8K_BLOCK_SIZE : G729D_6K4_BLOCK_SIZE; + buf += format->block_size; ctx++; } *got_frame_ptr = 1; - return packet_type == FORMAT_G729_8K ? G729_8K_BLOCK_SIZE * avctx->channels : G729D_6K4_BLOCK_SIZE * avctx->channels; + return format->block_size * avctx->channels; } static av_cold int decode_close(AVCodecContext *avctx) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index d9076ec735..7ca569530a 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -156,7 +156,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, sig_scaled[i] = residual[i] >> shift; else for (i = 0; i < subframe_size + RES_PREV_DATA_SIZE; i++) - sig_scaled[i] = residual[i] << -shift; + sig_scaled[i] = (unsigned)residual[i] << -shift; /* Start of best delay searching code */ gain_num = 0; @@ -201,8 +201,8 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, } if (corr_int_num) { /* Compute denominator of pseudo-normalized correlation R'(0). */ - corr_int_den = adsp->scalarproduct_int16(sig_scaled - best_delay_int + RES_PREV_DATA_SIZE, - sig_scaled - best_delay_int + RES_PREV_DATA_SIZE, + corr_int_den = adsp->scalarproduct_int16(sig_scaled + RES_PREV_DATA_SIZE - best_delay_int, + sig_scaled + RES_PREV_DATA_SIZE - best_delay_int, subframe_size); /* Compute signals with non-integer delay k (with 1/8 precision), @@ -346,11 +346,11 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, L_temp1 = gain_long_num * gain_long_num; L_temp1 = MULL(L_temp1, gain_den, FRAC_BITS); - tmp = ((sh_gain_long_num - sh_gain_num) << 1) - (sh_gain_long_den - sh_gain_den); + tmp = ((sh_gain_long_num - sh_gain_num) * 2) - (sh_gain_long_den - sh_gain_den); if (tmp > 0) L_temp0 >>= tmp; else - L_temp1 >>= -tmp; + L_temp1 >>= FFMIN(-tmp, 31); /* Check if longer filter increases the values of R'(k). */ if (L_temp1 > L_temp0) { @@ -367,7 +367,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, /* Rescale selected signal to original value. */ if (shift > 0) for (i = 0; i < subframe_size; i++) - selected_signal[i] <<= shift; + selected_signal[i] *= 1 << shift; else for (i = 0; i < subframe_size; i++) selected_signal[i] >>= -shift; @@ -464,7 +464,7 @@ static int16_t get_tilt_comp(AudioDSPContext *adsp, int16_t *lp_gn, speech[i] = (speech[i] * temp + 0x4000) >> 15; } - return -(rh1 << 15) / rh0; + return -(rh1 * (1 << 15)) / rh0; } /** @@ -486,29 +486,29 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, if (refl_coeff > 0) { gt = (refl_coeff * G729_TILT_FACTOR_PLUS + 0x4000) >> 15; - fact = 0x4000; // 0.5 in (0.15) - sh_fact = 15; + fact = 0x2000; // 0.5 in (0.15) + sh_fact = 14; } else { gt = (refl_coeff * G729_TILT_FACTOR_MINUS + 0x4000) >> 15; - fact = 0x800; // 0.5 in (3.12) - sh_fact = 12; + fact = 0x400; // 0.5 in (3.12) + sh_fact = 11; } - ga = (fact << 15) / av_clip_int16(32768 - FFABS(gt)); + ga = (fact << 16) / av_clip_int16(32768 - FFABS(gt)); gt >>= 1; /* Apply tilt compensation filter to signal. */ tmp = res_pst[subframe_size - 1]; for (i = subframe_size - 1; i >= 1; i--) { - tmp2 = (res_pst[i] << 15) + ((gt * res_pst[i-1]) << 1); - tmp2 = (tmp2 + 0x4000) >> 15; + tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000; + tmp2 = res_pst[i] + (tmp2 >> 15); - tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; + tmp2 = (tmp2 * ga + fact) >> sh_fact; out[i] = tmp2; } - tmp2 = (res_pst[0] << 15) + ((gt * ht_prev_data) << 1); - tmp2 = (tmp2 + 0x4000) >> 15; - tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; + tmp2 = (gt * ht_prev_data) * 2 + 0x4000; + tmp2 = res_pst[0] + (tmp2 >> 15); + tmp2 = (tmp2 * ga + fact) >> sh_fact; out[0] = tmp2; return tmp; @@ -578,7 +578,7 @@ void ff_g729_postfilter(AudioDSPContext *adsp, int16_t* ht_prev_data, int* voici int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *speech, int subframe_size, int16_t gain_prev) { - int gain; // (3.12) + unsigned gain; // (3.12) int n; int exp_before, exp_after; @@ -600,6 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t * gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000; gain = bidir_sal(gain, exp_after - exp_before); } + gain = FFMIN(gain, 32767); gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875) } else gain = 0; diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c index a5ce6b799e..f00f3ac145 100644 --- a/libavcodec/gdv.c +++ b/libavcodec/gdv.c @@ -358,7 +358,8 @@ static int decompress_68(AVCodecContext *avctx, unsigned skip, unsigned use8) if (val != ((1 << lbits) - 1)) { break; } - assert(lbits < 16); + if (lbits >= 16) + return AVERROR_INVALIDDATA; } for (i = 0; i < len; i++) { bytestream2_put_byte(pb, bytestream2_get_byte(gb)); diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 5cdfa0945d..4612d57e7c 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -402,6 +402,7 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, log = av_log2(buf); if (log > 31 - limit) { + av_assert2(log >= k); buf >>= log - k; buf += (30U - log) << k; LAST_SKIP_BITS(re, gb, 32 + k - log); @@ -424,6 +425,8 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, /** * read unsigned golomb rice code (jpegls). + * + * @returns -1 on error */ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int esc_len) @@ -535,6 +538,8 @@ static inline int get_sr_golomb(GetBitContext *gb, int k, int limit, /** * read signed golomb rice code (flac). + * + * @returns INT_MIN on error */ static inline int get_sr_golomb_flac(GetBitContext *gb, int k, int limit, int esc_len) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 6f001f6d47..0123647475 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -300,7 +300,7 @@ static int decode_slice(MpegEncContext *s) ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR & part_mask); - if (s->avctx->err_recognition & AV_EF_IGNORE_ERR) + if ((s->avctx->err_recognition & AV_EF_IGNORE_ERR) && get_bits_left(&s->gb) > 0) continue; return AVERROR_INVALIDDATA; } @@ -426,7 +426,9 @@ int ff_h263_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, MpegEncContext *s = avctx->priv_data; int ret; int slice_ret = 0; + AVFrame *pict = data; + int bak_width, bak_height; /* no supplementary picture */ if (buf_size == 0) { @@ -490,6 +492,9 @@ retry: // we need the idct permutation for reading a custom matrix ff_mpv_idct_init(s); + bak_width = s->width; + bak_height = s->height; + /* let's go :-) */ if (CONFIG_WMV2_DECODER && s->msmpeg4_version == 5) { ret = ff_wmv2_decode_picture_header(s); @@ -512,11 +517,12 @@ retry: } if (ret < 0 || ret == FRAME_SKIPPED) { - if ( s->width != avctx->coded_width - || s->height != avctx->coded_height) { + if ( s->width != bak_width + || s->height != bak_height) { av_log(s->avctx, AV_LOG_WARNING, "Reverting picture dimensions change due to header decoding failure\n"); - s->width = avctx->coded_width; - s->height= avctx->coded_height; + s->width = bak_width; + s->height= bak_height; + } } if (ret == FRAME_SKIPPED) @@ -544,6 +550,8 @@ retry: avctx->has_b_frames = !s->low_delay; if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) { + if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; if (ff_mpeg4_workaround_bugs(avctx) == 1) goto retry; if (s->studio_profile != (s->idsp.idct == NULL)) @@ -614,7 +622,7 @@ retry: if ((ret = ff_mpv_frame_start(s, avctx)) < 0) return ret; - if (!s->divx_packed) + if (!s->divx_packed && !avctx->hwaccel) ff_thread_finish_setup(avctx); if (avctx->hwaccel) { @@ -747,6 +755,9 @@ const AVCodecHWConfigInternal *ff_h263_hw_config_list[] = { #if CONFIG_H263_VAAPI_HWACCEL HWACCEL_VAAPI(h263), #endif +#if CONFIG_MPEG4_NVDEC_HWACCEL + HWACCEL_NVDEC(mpeg4), +#endif #if CONFIG_MPEG4_VDPAU_HWACCEL HWACCEL_VDPAU(mpeg4), #endif diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c index 24658b3dfa..307e8643e6 100644 --- a/libavcodec/h2645_parse.c +++ b/libavcodec/h2645_parse.c @@ -345,13 +345,18 @@ static int find_next_start_code(const uint8_t *buf, const uint8_t *next_avc) static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref) { + int min_size = size; + if (size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) goto fail; size += AV_INPUT_BUFFER_PADDING_SIZE; if (rbsp->rbsp_buffer_alloc_size >= size && - (!rbsp->rbsp_buffer_ref || av_buffer_is_writable(rbsp->rbsp_buffer_ref))) + (!rbsp->rbsp_buffer_ref || av_buffer_is_writable(rbsp->rbsp_buffer_ref))) { + av_assert0(rbsp->rbsp_buffer); + memset(rbsp->rbsp_buffer + min_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); return; + } size = FFMIN(size + size / 16 + 32, INT_MAX); @@ -360,7 +365,7 @@ static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref) else av_free(rbsp->rbsp_buffer); - rbsp->rbsp_buffer = av_malloc(size); + rbsp->rbsp_buffer = av_mallocz(size); if (!rbsp->rbsp_buffer) goto fail; rbsp->rbsp_buffer_alloc_size = size; diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h index 2c29ca517c..38e4d5d089 100644 --- a/libavcodec/h2645_parse.h +++ b/libavcodec/h2645_parse.h @@ -116,7 +116,7 @@ static inline int get_nalsize(int nal_length_size, const uint8_t *buf, if (*buf_index >= buf_size - nal_length_size) { // the end of the buffer is reached, refill it - return AVERROR(EAGAIN); + return AVERROR_INVALIDDATA; } for (i = 0; i < nal_length_size; i++) diff --git a/libavcodec/h264_mb.c b/libavcodec/h264_mb.c index 3cd17b7e4b..226c0ff09a 100644 --- a/libavcodec/h264_mb.c +++ b/libavcodec/h264_mb.c @@ -406,7 +406,7 @@ static av_always_inline void mc_part_weighted(const H264Context *h, H264SliceCon /* don't optimize for luma-only case, since B-frames usually * use implicit weights => chroma too. */ uint8_t *tmp_cb = sl->bipred_scratchpad; - uint8_t *tmp_cr = sl->bipred_scratchpad + (16 << pixel_shift); + uint8_t *tmp_cr = sl->bipred_scratchpad + (8 << pixel_shift + (chroma_idc == 3)); uint8_t *tmp_y = sl->bipred_scratchpad + 16 * sl->mb_uvlinesize; int refn0 = sl->ref_cache[0][scan8[n]]; int refn1 = sl->ref_cache[1][scan8[n]]; diff --git a/libavcodec/h264_metadata_bsf.c b/libavcodec/h264_metadata_bsf.c index 1c1c340d8f..2a66137212 100644 --- a/libavcodec/h264_metadata_bsf.c +++ b/libavcodec/h264_metadata_bsf.c @@ -488,7 +488,7 @@ static int h264_metadata_filter(AVBSFContext *bsf, AVPacket *pkt) if (err < 0) { av_log(bsf, AV_LOG_ERROR, "Failed to attach extracted " "displaymatrix side data to packet.\n"); - av_freep(matrix); + av_free(matrix); goto fail; } } diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 5ceee107a0..2480b5d199 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -296,9 +296,8 @@ int ff_h264_update_thread_context(AVCodecContext *dst, if (dst == src) return 0; - // We can't fail if SPS isn't set at it breaks current skip_frame code - //if (!h1->ps.sps) - // return AVERROR_INVALIDDATA; + if (inited && !h1->ps.sps) + return AVERROR_INVALIDDATA; if (inited && (h->width != h1->width || @@ -920,6 +919,11 @@ static int h264_slice_header_init(H264Context *h) const SPS *sps = h->ps.sps; int i, ret; + if (!sps) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + ff_set_sar(h->avctx, sps->sar); av_pix_fmt_get_chroma_sub_sample(h->avctx->pix_fmt, &h->chroma_x_shift, &h->chroma_y_shift); @@ -1458,7 +1462,7 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, sps = h->ps.sps; - if (sps && sps->bitstream_restriction_flag && + if (sps->bitstream_restriction_flag && h->avctx->has_b_frames < sps->num_reorder_frames) { h->avctx->has_b_frames = sps->num_reorder_frames; } diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index 8d1bd16a8e..062e3adfc1 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c @@ -623,7 +623,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) } ret = ff_h2645_packet_split(&h->pkt, buf, buf_size, avctx, h->is_avc, h->nal_length_size, - avctx->codec_id, avctx->flags2 & AV_CODEC_FLAG2_FAST, 0); + avctx->codec_id, 0, 0); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Error splitting the input into NAL units.\n"); @@ -699,6 +699,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) avpriv_request_sample(avctx, "data partitioning"); break; case H264_NAL_SEI: + if (h->setup_finished) { + avpriv_request_sample(avctx, "Late SEI"); + break; + } ret = ff_h264_sei_decode(&h->sei, &nal->gb, &h->ps, avctx); h->has_recovery_point = h->has_recovery_point || h->sei.recovery_point.recovery_frame_cnt != -1; if (avctx->debug & FF_DEBUG_GREEN_MD) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index 5993ae2e6e..ce66ed3ab8 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -278,13 +278,13 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){ const int stride= 16*2; const int xStride= 16; int i; - int temp[8]; + unsigned temp[8]; static const uint8_t x_offset[2]={0, 16}; dctcoef *block = (dctcoef*)_block; for(i=0; i<4; i++){ - temp[2*i+0] = block[stride*i + xStride*0] + block[stride*i + xStride*1]; - temp[2*i+1] = block[stride*i + xStride*0] - block[stride*i + xStride*1]; + temp[2*i+0] = block[stride*i + xStride*0] + (unsigned)block[stride*i + xStride*1]; + temp[2*i+1] = block[stride*i + xStride*0] - (unsigned)block[stride*i + xStride*1]; } for(i=0; i<2; i++){ diff --git a/libavcodec/h265_metadata_bsf.c b/libavcodec/h265_metadata_bsf.c index b3a1fda144..35490fc5df 100644 --- a/libavcodec/h265_metadata_bsf.c +++ b/libavcodec/h265_metadata_bsf.c @@ -359,7 +359,7 @@ static int h265_metadata_filter(AVBSFContext *bsf, AVPacket *pkt) } // If an AUD is present, it must be the first NAL unit. - if (au->units[0].type == HEVC_NAL_AUD) { + if (au->nb_units && au->units[0].type == HEVC_NAL_AUD) { if (ctx->aud == REMOVE) ff_cbs_delete_unit(ctx->cbc, au, 0); } else { diff --git a/libavcodec/hap.h b/libavcodec/hap.h index bbeed11e32..00c3dbb32d 100644 --- a/libavcodec/hap.h +++ b/libavcodec/hap.h @@ -52,7 +52,7 @@ enum HapSectionType { typedef struct HapChunk { enum HapCompressor compressor; - int compressed_offset; + uint32_t compressed_offset; size_t compressed_size; int uncompressed_offset; size_t uncompressed_size; diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index 8c845770cf..2f1a60285e 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c @@ -105,6 +105,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, int size) size_t running_size = 0; for (i = 0; i < ctx->chunk_count; i++) { ctx->chunks[i].compressed_offset = running_size; + if (ctx->chunks[i].compressed_size > UINT32_MAX - running_size) + return AVERROR_INVALIDDATA; running_size += ctx->chunks[i].compressed_size; } } @@ -186,7 +188,7 @@ static int hap_parse_frame_header(AVCodecContext *avctx) HapChunk *chunk = &ctx->chunks[i]; /* Check the compressed buffer is valid */ - if (chunk->compressed_offset + chunk->compressed_size > bytestream2_get_bytes_left(gbc)) + if (chunk->compressed_offset + (uint64_t)chunk->compressed_size > bytestream2_get_bytes_left(gbc)) return AVERROR_INVALIDDATA; /* Chunks are unpacked sequentially, ctx->tex_size is the uncompressed @@ -305,7 +307,6 @@ static int hap_decode(AVCodecContext *avctx, void *data, HapContext *ctx = avctx->priv_data; ThreadFrame tframe; int ret, i, t; - int tex_size; int section_size; enum HapSectionType section_type; int start_texture_section = 0; @@ -342,6 +343,13 @@ static int hap_decode(AVCodecContext *avctx, void *data, if (ret < 0) return ret; + if (ctx->tex_size != (avctx->coded_width / TEXTURE_BLOCK_W) + *(avctx->coded_height / TEXTURE_BLOCK_H) + *tex_rat[t]) { + av_log(avctx, AV_LOG_ERROR, "uncompressed size mismatches\n"); + return AVERROR_INVALIDDATA; + } + start_texture_section += ctx->texture_section_size + 4; if (avctx->codec->update_thread_context) @@ -349,14 +357,22 @@ static int hap_decode(AVCodecContext *avctx, void *data, /* Unpack the DXT texture */ if (hap_can_use_tex_in_place(ctx)) { + int tex_size; /* Only DXTC texture compression in a contiguous block */ ctx->tex_data = ctx->gbc.buffer; tex_size = FFMIN(ctx->texture_section_size, bytestream2_get_bytes_left(&ctx->gbc)); + if (tex_size < (avctx->coded_width / TEXTURE_BLOCK_W) + *(avctx->coded_height / TEXTURE_BLOCK_H) + *tex_rat[t]) { + av_log(avctx, AV_LOG_ERROR, "Insufficient data\n"); + return AVERROR_INVALIDDATA; + } } else { /* Perform the second-stage decompression */ ret = av_reallocp(&ctx->tex_buf, ctx->tex_size); if (ret < 0) return ret; + memset(ctx->tex_buf, 0, ctx->tex_size); avctx->execute2(avctx, decompress_chunks_thread, NULL, ctx->chunk_results, ctx->chunk_count); @@ -367,14 +383,6 @@ static int hap_decode(AVCodecContext *avctx, void *data, } ctx->tex_data = ctx->tex_buf; - tex_size = ctx->tex_size; - } - - if (tex_size < (avctx->coded_width / TEXTURE_BLOCK_W) - *(avctx->coded_height / TEXTURE_BLOCK_H) - *tex_rat[t]) { - av_log(avctx, AV_LOG_ERROR, "Insufficient data\n"); - return AVERROR_INVALIDDATA; } /* Use the decompress function on the texture, one block per thread */ diff --git a/libavcodec/hcom.c b/libavcodec/hcom.c index bce9e80aa5..8300676f98 100644 --- a/libavcodec/hcom.c +++ b/libavcodec/hcom.c @@ -52,7 +52,8 @@ static av_cold int hcom_init(AVCodecContext *avctx) if (avctx->extradata_size <= 7) return AVERROR_INVALIDDATA; s->dict_entries = AV_RB16(avctx->extradata); - if (avctx->extradata_size < s->dict_entries * 4 + 7) + if (avctx->extradata_size < s->dict_entries * 4 + 7 || + s->dict_entries == 0) return AVERROR_INVALIDDATA; s->delta_compression = AV_RB32(avctx->extradata + 2); s->sample = s->first_sample = avctx->extradata[avctx->extradata_size - 1]; @@ -65,8 +66,15 @@ static av_cold int hcom_init(AVCodecContext *avctx) s->dict[i].r = AV_RB16(avctx->extradata + 6 + 4 * i + 2); if (s->dict[i].l >= 0 && (s->dict[i].l >= s->dict_entries || - s->dict[i].r >= s->dict_entries)) + s->dict[i].r >= s->dict_entries || + s->dict[i].r < 0 )) { + av_freep(&s->dict); return AVERROR_INVALIDDATA; + } + } + if (s->dict[0].l < 0) { + av_freep(&s->dict); + return AVERROR_INVALIDDATA; } avctx->sample_fmt = AV_SAMPLE_FMT_U8; diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index faa36d5459..12fc9f9fdc 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -642,11 +642,11 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) } if (prefix_val >= 5) { int k = 0; - while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { + while (k < 7 && get_cabac_bypass(&s->HEVClc->cc)) { suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) { + if (k == 7) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); return AVERROR_INVALIDDATA; } @@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; - if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { + if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 6b9824088c..a45cb6f0fb 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -145,11 +145,22 @@ int i, j; if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) { for (i = 0; i < height; i++) { - for (j = 0; j < width; j+=8) + for (j = 0; j < width - 7; j+=8) AV_COPY64U(dst+j, src+j); dst += stride_dst; src += stride_src; } + if (width&7) { + dst += ((width>>3)<<3) - stride_dst * height; + src += ((width>>3)<<3) - stride_src * height; + width &= 7; + for (i = 0; i < height; i++) { + for (j = 0; j < width; j++) + dst[j] = src[j]; + dst += stride_dst; + src += stride_src; + } + } } else { for (i = 0; i < height; i++) { for (j = 0; j < width; j+=16) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index 09bce5b34c..477d86d9fd 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -141,9 +141,18 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) int nalu_type; int is_irap, add_extradata, extra_size, prev_size; + if (bytestream2_get_bytes_left(&gb) < s->length_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } for (i = 0; i < s->length_size; i++) nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb); + if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + nalu_type = (bytestream2_peek_byte(&gb) >> 1) & 0x3f; /* prepend extradata to IRAP frames */ @@ -152,8 +161,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) extra_size = add_extradata * ctx->par_out->extradata_size; got_irap |= is_irap; - if (SIZE_MAX - nalu_size < 4 || - SIZE_MAX - 4 - nalu_size < extra_size) { + if (FFMIN(INT_MAX, SIZE_MAX) < 4ULL + nalu_size + extra_size) { ret = AVERROR_INVALIDDATA; goto fail; } @@ -164,7 +172,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) if (ret < 0) goto fail; - if (add_extradata) + if (extra_size) memcpy(out->data + prev_size, ctx->par_out->extradata, extra_size); AV_WB32(out->data + prev_size + extra_size, 1); bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, nalu_size); diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index abf08b919b..a902e5073e 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -786,7 +786,11 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi next_coef = 8; coef_num = FFMIN(64, 1 << (4 + (size_id << 1))); if (size_id > 1) { - scaling_list_dc_coef[size_id - 2][matrix_id] = get_se_golomb(gb) + 8; + int scaling_list_coeff_minus8 = get_se_golomb(gb); + if (scaling_list_coeff_minus8 < -7 || + scaling_list_coeff_minus8 > 247) + return AVERROR_INVALIDDATA; + scaling_list_dc_coef[size_id - 2][matrix_id] = scaling_list_coeff_minus8 + 8; next_coef = scaling_list_dc_coef[size_id - 2][matrix_id]; sl->sl_dc[size_id - 2][matrix_id] = next_coef; } diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index 7cf3a55725..7870a72fd6 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -394,7 +394,7 @@ static void mark_ref(HEVCFrame *frame, int flag) static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) { HEVCFrame *frame; - int i, x, y; + int i, y; frame = alloc_frame(s); if (!frame) @@ -407,11 +407,11 @@ static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) frame->frame->buf[i]->size); } else { for (i = 0; frame->frame->data[i]; i++) - for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) - for (x = 0; x < (s->ps.sps->width >> s->ps.sps->hshift[i]); x++) { - AV_WN16(frame->frame->data[i] + y * frame->frame->linesize[i] + 2 * x, - 1 << (s->ps.sps->bit_depth - 1)); - } + for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) { + uint8_t *dst = frame->frame->data[i] + y * frame->frame->linesize[i]; + AV_WN16(dst, 1 << (s->ps.sps->bit_depth - 1)); + av_memcpy_backptr(dst + 2, 2, 2*(s->ps.sps->width >> s->ps.sps->hshift[i]) - 2); + } } } diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index c59bd4321e..752ad59ddc 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -336,6 +336,8 @@ static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s, byte = get_bits(gb, 8); payload_size += byte; } + if (get_bits_left(gb) < 8LL*payload_size) + return AVERROR_INVALIDDATA; if (nal_unit_type == HEVC_NAL_SEI_PREFIX) { return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size); } else { /* nal_unit_type == NAL_SEI_SUFFIX */ diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index f1934975d5..cbfd68a501 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -182,6 +182,8 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) for (i = 0; i < s->sh.nb_refs[L0]; i++) { if (luma_weight_l0_flag[i]) { int delta_luma_weight_l0 = get_se_golomb(gb); + if ((int8_t)delta_luma_weight_l0 != delta_luma_weight_l0) + return AVERROR_INVALIDDATA; s->sh.luma_weight_l0[i] = (1 << s->sh.luma_log2_weight_denom) + delta_luma_weight_l0; s->sh.luma_offset_l0[i] = get_se_golomb(gb); } @@ -224,6 +226,8 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) for (i = 0; i < s->sh.nb_refs[L1]; i++) { if (luma_weight_l1_flag[i]) { int delta_luma_weight_l1 = get_se_golomb(gb); + if ((int8_t)delta_luma_weight_l1 != delta_luma_weight_l1) + return AVERROR_INVALIDDATA; s->sh.luma_weight_l1[i] = (1 << s->sh.luma_log2_weight_denom) + delta_luma_weight_l1; s->sh.luma_offset_l1[i] = get_se_golomb(gb); } @@ -504,7 +508,7 @@ static int hls_slice_header(HEVCContext *s) sh->first_slice_in_pic_flag = get_bits1(gb); if (s->ref && sh->first_slice_in_pic_flag) { av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); - return 1; // This slice will be skiped later, do not corrupt state + return 1; // This slice will be skipped later, do not corrupt state } if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { @@ -563,6 +567,10 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->dependent_slice_segments_enabled_flag) sh->dependent_slice_segment_flag = get_bits1(gb); + if (sh->dependent_slice_segment_flag && !s->slice_initialized) { + av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); + return AVERROR_INVALIDDATA; + } slice_address_length = av_ceil_log2(s->ps.sps->ctb_width * s->ps.sps->ctb_height); @@ -776,6 +784,11 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) { sh->slice_cb_qp_offset = get_se_golomb(gb); sh->slice_cr_qp_offset = get_se_golomb(gb); + if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 || + sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n"); + return AVERROR_INVALIDDATA; + } } else { sh->slice_cb_qp_offset = 0; sh->slice_cr_qp_offset = 0; @@ -826,9 +839,6 @@ static int hls_slice_header(HEVCContext *s) } else { sh->slice_loop_filter_across_slices_enabled_flag = s->ps.pps->seq_loop_filter_across_slices_enabled_flag; } - } else if (!s->slice_initialized) { - av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); - return AVERROR_INVALIDDATA; } sh->num_entry_point_offsets = 0; @@ -1447,7 +1457,8 @@ static void luma_mc_uni(HEVCContext *s, uint8_t *dst, ptrdiff_t dststride, if (x_off < QPEL_EXTRA_BEFORE || y_off < QPEL_EXTRA_AFTER || x_off >= pic_width - block_w - QPEL_EXTRA_AFTER || - y_off >= pic_height - block_h - QPEL_EXTRA_AFTER) { + y_off >= pic_height - block_h - QPEL_EXTRA_AFTER || + ref == s->frame) { const ptrdiff_t edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift; int offset = QPEL_EXTRA_BEFORE * srcstride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift); int buf_offset = QPEL_EXTRA_BEFORE * edge_emu_stride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift); @@ -1595,6 +1606,7 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0, intptr_t my = av_mod_uintp2(mv->y, 2 + vshift); intptr_t _mx = mx << (1 - hshift); intptr_t _my = my << (1 - vshift); + int emu = src0 == s->frame->data[1] || src0 == s->frame->data[2]; x_off += mv->x >> (2 + hshift); y_off += mv->y >> (2 + vshift); @@ -1602,7 +1614,8 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0, if (x_off < EPEL_EXTRA_BEFORE || y_off < EPEL_EXTRA_AFTER || x_off >= pic_width - block_w - EPEL_EXTRA_AFTER || - y_off >= pic_height - block_h - EPEL_EXTRA_AFTER) { + y_off >= pic_height - block_h - EPEL_EXTRA_AFTER || + emu) { const int edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift; int offset0 = EPEL_EXTRA_BEFORE * (srcstride + (1 << s->ps.sps->pixel_shift)); int buf_offset0 = EPEL_EXTRA_BEFORE * @@ -1841,13 +1854,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0, if (current_mv.pred_flag & PF_L0) { ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; - if (!ref0) + if (!ref0 || !ref0->frame) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; - if (!ref1) + if (!ref1 || !ref1->frame) return; hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH); } @@ -2929,8 +2942,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) case HEVC_NAL_RASL_N: case HEVC_NAL_RASL_R: ret = hls_slice_header(s); - if (ret < 0) + if (ret < 0) { + // hls_slice_header() does not cleanup on failure thus the state now is inconsistant so we cannot use it on depandant slices + s->slice_initialized = 0; return ret; + } if (ret == 1) { ret = AVERROR_INVALIDDATA; goto fail; @@ -3227,7 +3243,7 @@ static int hevc_decode_frame(AVCodecContext *avctx, void *data, int *got_output, } } else { /* verify the SEI checksum */ - if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded && + if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded && s->sei.picture_hash.is_md5) { ret = verify_md5(s, s->ref->frame); if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) { @@ -3332,6 +3348,8 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx) ff_h2645_packet_uninit(&s->pkt); + ff_hevc_reset_sei(&s->sei); + return 0; } @@ -3525,6 +3543,7 @@ static void hevc_decode_flush(AVCodecContext *avctx) { HEVCContext *s = avctx->priv_data; ff_hevc_flush_dpb(s); + ff_hevc_reset_sei(&s->sei); s->max_ra = INT_MAX; s->eos = 1; } diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 56cd9e605d..61425975cd 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -313,7 +313,7 @@ static void FUNC(sao_band_filter)(uint8_t *_dst, uint8_t *_src, offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1]; for (y = 0; y < height; y++) { for (x = 0; x < width; x++) - dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]); + dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]); dst += stride_dst; src += stride_src; } diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 6fe33546b1..f1a1f4c1f0 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -83,6 +83,7 @@ do { \ int y = y0 >> vshift; int x_tb = (x0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; int y_tb = (y0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; + int spin = c_idx && !size_in_tbs_v && ((2 * y0) & (1 << s->ps.sps->log2_min_tb_size)); int cur_tb_addr = MIN_TB_ADDR_ZS(x_tb, y_tb); @@ -103,11 +104,11 @@ do { \ pixel *top = top_array + 1; pixel *filtered_left = filtered_left_array + 1; pixel *filtered_top = filtered_top_array + 1; - int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v) & s->ps.sps->tb_mask); + int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v + spin) & s->ps.sps->tb_mask); int cand_left = lc->na.cand_left; int cand_up_left = lc->na.cand_up_left; int cand_up = lc->na.cand_up; - int cand_up_right = lc->na.cand_up_right && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); + int cand_up_right = lc->na.cand_up_right && !spin && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); int bottom_left_size = (FFMIN(y0 + 2 * size_in_luma_v, s->ps.sps->height) - (y0 + size_in_luma_v)) >> vshift; diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c index 9e1ac49ddc..177ce1d47a 100644 --- a/libavcodec/hnm4video.c +++ b/libavcodec/hnm4video.c @@ -117,14 +117,17 @@ static void unpack_intraframe(AVCodecContext *avctx, uint8_t *src, static void postprocess_current_frame(AVCodecContext *avctx) { Hnm4VideoContext *hnm = avctx->priv_data; - uint32_t x, y, src_x, src_y; + uint32_t x, y, src_y; + int width = hnm->width; for (y = 0; y < hnm->height; y++) { + uint8_t *dst = hnm->processed + y * width; + const uint8_t *src = hnm->current; src_y = y - (y % 2); - src_x = src_y * hnm->width + (y % 2); - for (x = 0; x < hnm->width; x++) { - hnm->processed[(y * hnm->width) + x] = hnm->current[src_x]; - src_x += 2; + src += src_y * width + (y % 2); + for (x = 0; x < width; x++) { + dst[x] = *src; + src += 2; } } } @@ -143,7 +146,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame) } } -static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) +static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) { Hnm4VideoContext *hnm = avctx->priv_data; GetByteContext gb; @@ -162,7 +165,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s if (tag == 0) { if (writeoffset + 2 > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } hnm->current[writeoffset++] = bytestream2_get_byte(&gb); hnm->current[writeoffset++] = bytestream2_get_byte(&gb); @@ -176,7 +179,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s count = bytestream2_get_byte(&gb) * 2; if (writeoffset + count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } while (count > 0) { hnm->current[writeoffset++] = bytestream2_peek_byte(&gb); @@ -188,7 +191,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s } if (writeoffset > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } else { previous = bytestream2_peek_byte(&gb) & 0x20; @@ -204,24 +207,25 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s if (!backward && offset + 2*count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } else if (backward && offset + 1 >= hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } else if (writeoffset + 2*count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to write out of bounds\n"); - break; + return AVERROR_INVALIDDATA; + } if(backward) { if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } else { if (offset < (!!backline)*(2 * hnm->width - 1)) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } @@ -268,6 +272,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s } } } + return 0; } static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src, @@ -435,7 +440,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data, decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8); memcpy(hnm->processed, hnm->current, hnm->width * hnm->height); } else { - decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); + int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); + if (ret < 0) + return ret; postprocess_current_frame(avctx); } copy_processed_frame(avctx, frame); diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index eec2e980b3..8404e80ec8 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data, int info_size; bytestream2_skip(&ctx->gbc, 4); info_size = bytestream2_get_le32(&ctx->gbc); - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) { + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) { av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index d9221ba16b..8ce66e0b27 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -55,7 +55,7 @@ static int scanbraces(const char* in) { if (strncmp(in, "{\\an", 4) != 0) { return 0; } - if (!isdigit(in[4])) { + if (!av_isdigit(in[4])) { return 0; } if (in[5] != '}') { diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 46dcfa8235..19dcb9cfbd 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -691,9 +691,9 @@ static void decode_422_bitstream(HYuvContext *s, int count) /* TODO instead of restarting the read when the code isn't in the first level * of the joint table, jump into the 2nd level of the individual table. */ #define READ_2PIX_PLANE16(dst0, dst1, plane){\ - dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst0 += get_bits(&s->gb, 2);\ - dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst1 += get_bits(&s->gb, 2);\ } static void decode_plane_bitstream(HYuvContext *s, int width, int plane) @@ -751,7 +751,7 @@ static void decode_plane_bitstream(HYuvContext *s, int width, int plane) } } if( width&1 && get_bits_left(&s->gb)>0 ) { - int dst = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2; + int dst = (unsigned)get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2; s->temp16[0][width-1] = dst + get_bits(&s->gb, 2); } } @@ -767,6 +767,8 @@ static void decode_gray_bitstream(HYuvContext *s, int count) for (i = 0; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); } + for (; i < count; i++) + s->temp[0][2 * i] = s->temp[0][2 * i + 1] = 0; } else { for (i = 0; i < count; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); @@ -957,12 +959,16 @@ static int decode_slice(AVCodecContext *avctx, AVFrame *p, int height, left= left_prediction(s, p->data[plane], s->temp[0], w, 0); y = 1; + if (y >= h) + break; /* second line is left predicted for interlaced case */ if (s->interlaced) { decode_plane_bitstream(s, w, plane); left = left_prediction(s, p->data[plane] + p->linesize[plane], s->temp[0], w, left); y++; + if (y >= h) + break; } lefttop = p->data[plane][0]; @@ -1074,6 +1080,8 @@ static int decode_slice(AVCodecContext *avctx, AVFrame *p, int height, } cy = y = 1; + if (y >= height) + break; /* second line is left predicted for interlaced case */ if (s->interlaced) { @@ -1086,6 +1094,8 @@ static int decode_slice(AVCodecContext *avctx, AVFrame *p, int height, } y++; cy++; + if (y >= height) + break; } /* next 4 pixels are left predicted too */ diff --git a/libavcodec/idcinvideo.c b/libavcodec/idcinvideo.c index cff9ad31ac..6b2d8087ae 100644 --- a/libavcodec/idcinvideo.c +++ b/libavcodec/idcinvideo.c @@ -243,6 +243,11 @@ static int idcin_decode_frame(AVCodecContext *avctx, return buf_size; } +static const AVCodecDefault idcin_defaults[] = { + { "max_pixels", "320*240" }, + { NULL }, +}; + AVCodec ff_idcin_decoder = { .name = "idcinvideo", .long_name = NULL_IF_CONFIG_SMALL("id Quake II CIN video"), @@ -252,4 +257,5 @@ AVCodec ff_idcin_decoder = { .init = idcin_decode_init, .decode = idcin_decode_frame, .capabilities = AV_CODEC_CAP_DR1, + .defaults = idcin_defaults, }; diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 7f1c589d7c..2cd1a06de5 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -111,23 +111,23 @@ static const uint64_t plane8_lut[8][256] = { LUT8(4), LUT8(5), LUT8(6), LUT8(7), }; -#define LUT32(plane) { \ - 0, 0, 0, 0, \ - 0, 0, 0, 1 << plane, \ - 0, 0, 1 << plane, 0, \ - 0, 0, 1 << plane, 1 << plane, \ - 0, 1 << plane, 0, 0, \ - 0, 1 << plane, 0, 1 << plane, \ - 0, 1 << plane, 1 << plane, 0, \ - 0, 1 << plane, 1 << plane, 1 << plane, \ - 1 << plane, 0, 0, 0, \ - 1 << plane, 0, 0, 1 << plane, \ - 1 << plane, 0, 1 << plane, 0, \ - 1 << plane, 0, 1 << plane, 1 << plane, \ - 1 << plane, 1 << plane, 0, 0, \ - 1 << plane, 1 << plane, 0, 1 << plane, \ - 1 << plane, 1 << plane, 1 << plane, 0, \ - 1 << plane, 1 << plane, 1 << plane, 1 << plane, \ +#define LUT32(plane) { \ + 0, 0, 0, 0, \ + 0, 0, 0, 1U << plane, \ + 0, 0, 1U << plane, 0, \ + 0, 0, 1U << plane, 1U << plane, \ + 0, 1U << plane, 0, 0, \ + 0, 1U << plane, 0, 1U << plane, \ + 0, 1U << plane, 1U << plane, 0, \ + 0, 1U << plane, 1U << plane, 1U << plane, \ + 1U << plane, 0, 0, 0, \ + 1U << plane, 0, 0, 1U << plane, \ + 1U << plane, 0, 1U << plane, 0, \ + 1U << plane, 0, 1U << plane, 1U << plane, \ + 1U << plane, 1U << plane, 0, 0, \ + 1U << plane, 1U << plane, 0, 1U << plane, \ + 1U << plane, 1U << plane, 1U << plane, 0, \ + 1U << plane, 1U << plane, 1U << plane, 1U << plane, \ } // 32 planes * 4-bit mask * 4 lookup tables each @@ -180,6 +180,10 @@ static int cmap_read_palette(AVCodecContext *avctx, uint32_t *pal) pal[i] = 0xFF000000 | gray2rgb((i * 255) >> avctx->bits_per_coded_sample); } if (s->masking == MASK_HAS_MASK) { + if ((1 << avctx->bits_per_coded_sample) < count) { + avpriv_request_sample(avctx, "overlapping mask"); + return AVERROR_PATCHWELCOME; + } memcpy(pal + (1 << avctx->bits_per_coded_sample), pal, count * 4); for (i = 0; i < count; i++) pal[i] &= 0xFFFFFF; @@ -318,6 +322,8 @@ static int extract_header(AVCodecContext *const avctx, av_log(avctx, AV_LOG_ERROR, "Invalid number of bitplanes: %u\n", s->bpp); return AVERROR_INVALIDDATA; } + if (s->video_size && s->planesize * s->bpp * avctx->height > s->video_size) + return AVERROR_INVALIDDATA; av_freep(&s->ham_buf); av_freep(&s->ham_palbuf); @@ -326,13 +332,17 @@ static int extract_header(AVCodecContext *const avctx, int i, count = FFMIN(palette_size / 3, 1 << s->ham); int ham_count; const uint8_t *const palette = avctx->extradata + AV_RB16(avctx->extradata); + int extra_space = 1; + + if (avctx->codec_tag == MKTAG('P', 'B', 'M', ' ') && s->ham == 4) + extra_space = 4; s->ham_buf = av_malloc((s->planesize * 8) + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->ham_buf) return AVERROR(ENOMEM); ham_count = 8 * (1 << s->ham); - s->ham_palbuf = av_malloc((ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE); + s->ham_palbuf = av_malloc(extra_space * (ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->ham_palbuf) { av_freep(&s->ham_buf); return AVERROR(ENOMEM); @@ -430,6 +440,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->codec_tag == MKTAG('A', 'N', 'I', 'M')) { s->video_size = FFALIGN(avctx->width, 2) * avctx->height * s->bpp; + if (!s->video_size) + return AVERROR_INVALIDDATA; s->video[0] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp); s->video[1] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp); s->pal = av_calloc(256, sizeof(*s->pal)); @@ -452,11 +464,12 @@ static av_cold int decode_init(AVCodecContext *avctx) */ static void decodeplane8(uint8_t *dst, const uint8_t *buf, int buf_size, int plane) { - const uint64_t *lut = plane8_lut[plane]; + const uint64_t *lut; if (plane >= 8) { av_log(NULL, AV_LOG_WARNING, "Ignoring extra planes beyond 8\n"); return; } + lut = plane8_lut[plane]; do { uint64_t v = AV_RN64A(dst) | lut[*buf++]; AV_WN64A(dst, v); @@ -570,7 +583,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, GetByteContext *gb) { GetByteContext cmds; - unsigned count; + int count; int i, y_pos = 0, x_pos = 0; if (bytestream2_get_be32(gb) != MKBETAG('V', 'D', 'A', 'T')) @@ -578,7 +591,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, bytestream2_skip(gb, 4); count = bytestream2_get_be16(gb) - 2; - if (bytestream2_get_bytes_left(gb) < count) + if (count < 0 || bytestream2_get_bytes_left(gb) < count) return 0; bytestream2_init(&cmds, gb->buffer, count); @@ -704,13 +717,15 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in { const uint8_t *src_end = src + src_size; int x = 0, y = 0, i; - while (src + 5 <= src_end) { + while (src_end - src >= 5) { int opcode; opcode = *(int8_t *)src++; if (opcode >= 0) { int size = opcode + 1; for (i = 0; i < size; i++) { - int length = FFMIN(size - i, width); + int length = FFMIN(size - i, width - x); + if (src_end - src < length * 4) + return; memcpy(dst + y*linesize + x * 4, src, length * 4); src += length * 4; x += length; @@ -1139,6 +1154,9 @@ static void decode_long_vertical_delta(uint8_t *dst, x = bytestream2_get_be32(&dgb); } + if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb)) + return; + while (opcode) { bytestream2_seek_p(&pb, ofsdst, SEEK_SET); if (h && (j == (ncolumns - 1))) { @@ -1279,6 +1297,9 @@ static void decode_long_vertical_delta2(uint8_t *dst, x = bytestream2_get_be32(&gb); } + if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb)) + return; + while (opcode && bytestream2_get_bytes_left_p(&pb) > 1) { bytestream2_seek_p(&pb, ofsdst, SEEK_SET); if (h && (j == ncolumns - 1)) @@ -1348,17 +1369,18 @@ static void decode_delta_d(uint8_t *dst, bytestream2_seek_p(&pb, (offset / planepitch_byte) * pitch + (offset % planepitch_byte) + k * planepitch, SEEK_SET); if (opcode >= 0) { uint32_t x = bytestream2_get_be32(&gb); + if (opcode && 4 + (opcode - 1LL) * pitch > bytestream2_get_bytes_left_p(&pb)) + continue; while (opcode && bytestream2_get_bytes_left_p(&pb) > 0) { bytestream2_put_be32(&pb, x); bytestream2_skip_p(&pb, pitch - 4); opcode--; } } else { - opcode = -opcode; while (opcode && bytestream2_get_bytes_left(&gb) > 0) { bytestream2_put_be32(&pb, bytestream2_get_be32(&gb)); bytestream2_skip_p(&pb, pitch - 4); - opcode--; + opcode++; } } entries--; @@ -1823,7 +1845,8 @@ static int decode_frame(AVCodecContext *avctx, buf += s->planesize; } } - memcpy(frame->data[1], s->pal, 256 * 4); + if (avctx->pix_fmt == AV_PIX_FMT_PAL8) + memcpy(frame->data[1], s->pal, 256 * 4); } else if (s->ham) { int i, count = 1 << s->ham; diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index a82a27525c..81e51d105d 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -653,7 +653,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector * int16_t k, base_size; int16_t lag; /* Stack based */ - int16_t tempbuff2[SUBL + 5]; + int16_t tempbuff2[SUBL + 5] = {0}; /* Determine size of codebook sections */ base_size = lMem - cbveclen + 1; @@ -1092,12 +1092,6 @@ static void do_plc(int16_t *plc_residual, /* (o) concealed residual */ if (s->consPLICount * s->block_samples > 320) { use_gain = 29491; /* 0.9 in Q15 */ - } else if (s->consPLICount * s->block_samples > 640) { - use_gain = 22938; /* 0.7 in Q15 */ - } else if (s->consPLICount * s->block_samples > 960) { - use_gain = 16384; /* 0.5 in Q15 */ - } else if (s->consPLICount * s->block_samples > 1280) { - use_gain = 0; /* 0.0 in Q15 */ } /* Compute mixing factor of picth repeatition and noise: diff --git a/libavcodec/imm4.c b/libavcodec/imm4.c index d92bc30ddc..4b04f1342e 100644 --- a/libavcodec/imm4.c +++ b/libavcodec/imm4.c @@ -232,12 +232,15 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { - unsigned flag, cbphi, cbplo; + unsigned flag, cbplo; + int cbphi; cbplo = get_vlc2(gb, cbplo_tab.table, cbplo_tab.bits, 1) >> 4; flag = get_bits1(gb); cbphi = get_cbphi(gb, 1); + if (cbphi < 0) + return cbphi; ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag); if (ret < 0) @@ -285,7 +288,8 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { int reverse, intra_block, value; - unsigned cbphi, cbplo, flag2 = 0; + unsigned cbplo, flag2 = 0; + int cbphi; if (get_bits1(gb)) { copy_block16(frame->data[0] + y * frame->linesize[0] + x, @@ -311,6 +315,9 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, cbplo = value >> 4; cbphi = get_cbphi(gb, reverse); + if (cbphi < 0) + return cbphi; + if (intra_block) { ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag2); if (ret < 0) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 09cb560d8e..f367682e61 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -79,10 +79,11 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; - if (get_bits_left(&ctx->gb) <= 0) - return AVERROR_INVALIDDATA; while (out < width) { - int c = ir2_get_code(&ctx->gb); + int c; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; + c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; if (out + c*2 > width) @@ -123,9 +124,9 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; - if (get_bits_left(&ctx->gb) <= 0) - return AVERROR_INVALIDDATA; while (out < width) { + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 71d478c9fc..41d5132509 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -169,6 +169,9 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx, int luma_size, chroma_size; ptrdiff_t luma_pitch, chroma_pitch; + luma_width = FFALIGN(luma_width , 2); + luma_height = FFALIGN(luma_height, 2); + if (luma_width < 16 || luma_width > 640 || luma_height < 16 || luma_height > 480 || luma_width & 3 || luma_height & 3) { diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index 5639d8de82..8692a75b5e 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -528,7 +528,7 @@ static int decode_block(InterplayACMContext *s) for (i = 1, x = -val; i <= count; i++) { s->midbuf[-i] = x; - x -= val; + x -= (unsigned)val; } ret = fill_block(s); diff --git a/libavcodec/intrax8.c b/libavcodec/intrax8.c index d46f97c7a4..f385423dc1 100644 --- a/libavcodec/intrax8.c +++ b/libavcodec/intrax8.c @@ -801,6 +801,8 @@ int ff_intrax8_decode_picture(IntraX8Context *w, Picture *pict, for (w->mb_y = 0; w->mb_y < w->mb_height * 2; w->mb_y++) { x8_init_block_index(w, w->frame); mb_xy = (w->mb_y >> 1) * (w->mb_width + 1); + if (get_bits_left(gb) < 1) + goto error; for (w->mb_x = 0; w->mb_x < w->mb_width * 2; w->mb_x++) { x8_get_prediction(w); if (x8_setup_spatial_predictor(w, 0)) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 1b57e53cad..c1005b0994 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -222,7 +222,7 @@ int ff_h263_resync(MpegEncContext *s){ get_bits(&s->gb, 8); } - if (show_bits_long(&s->gb, 32) == SLICE_START_CODE) + if (get_bits_left(&s->gb) >= 32 && show_bits_long(&s->gb, 32) == SLICE_START_CODE) return get_bits_count(&s->gb); else return -1; @@ -1218,6 +1218,11 @@ int ff_h263_decode_picture_header(MpegEncContext *s) if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0) return ret; + if (!(s->avctx->flags2 & AV_CODEC_FLAG2_CHUNKS)) { + if ((s->width * s->height / 256 / 8) > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; + } + s->mb_width = (s->width + 15) / 16; s->mb_height = (s->height + 15) / 16; s->mb_num = s->mb_width * s->mb_height; @@ -1281,7 +1286,7 @@ int ff_h263_decode_picture_header(MpegEncContext *s) for(i=0; i<13; i++){ for(j=0; j<3; j++){ int v= get_bits(&s->gb, 8); - v |= get_sbits(&s->gb, 8)<<8; + v |= get_sbits(&s->gb, 8) * (1 << 8); av_log(s->avctx, AV_LOG_DEBUG, " %5d", v); } av_log(s->avctx, AV_LOG_DEBUG, "\n"); diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c index 73fcf51b7b..48af4270cb 100644 --- a/libavcodec/ivi.c +++ b/libavcodec/ivi.c @@ -1196,6 +1196,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket pkt; pkt.data = avpkt->data + (get_bits_count(&ctx->gb) >> 3); pkt.size = get_bits_left(&ctx->gb) >> 3; + ctx->got_p_frame = 0; + av_frame_unref(ctx->p_frame); ff_ivi_decode_frame(avctx, ctx->p_frame, &ctx->got_p_frame, &pkt); } } diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index e91d932bb7..df55c9c62e 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1003,6 +1003,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, int tileno, ret; Jpeg2000EncoderContext *s = avctx->priv_data; uint8_t *chunkstart, *jp2cstart, *jp2hstart; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); if ((ret = ff_alloc_packet2(avctx, pkt, avctx->width*avctx->height*9 + AV_INPUT_BUFFER_MIN_SIZE, 0)) < 0) return ret; @@ -1055,7 +1056,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, bytestream_put_byte(&s->buf, 1); bytestream_put_byte(&s->buf, 0); bytestream_put_byte(&s->buf, 0); - if (avctx->pix_fmt == AV_PIX_FMT_RGB24 || avctx->pix_fmt == AV_PIX_FMT_PAL8) { + if ((desc->flags & AV_PIX_FMT_FLAG_RGB) || avctx->pix_fmt == AV_PIX_FMT_PAL8) { bytestream_put_be32(&s->buf, 16); } else if (s->ncomponents == 1) { bytestream_put_be32(&s->buf, 17); @@ -1151,7 +1152,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && (s->pred != FF_DWT97_INT || s->format != CODEC_JP2)) { av_log(s->avctx, AV_LOG_WARNING, "Forcing lossless jp2 for pal8\n"); - s->pred = FF_DWT97_INT; + s->pred = 1; s->format = CODEC_JP2; } @@ -1229,7 +1230,7 @@ static const AVOption options[] = { { "tile_height", "Tile Height", OFFSET(tile_height), AV_OPT_TYPE_INT, { .i64 = 256 }, 1, 1<<30, VE, }, { "pred", "DWT Type", OFFSET(pred), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE, "pred" }, { "dwt97int", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, - { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, + { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 1 }, INT_MIN, INT_MAX, VE, "pred" }, { NULL } }; diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index 67fb77b5e1..126c3d913c 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c @@ -69,7 +69,7 @@ #define GLOBAL(x) x #define RIGHT_SHIFT(x, n) ((x) >> (n)) #define MULTIPLY16C16(var,const) ((var)*(const)) -#define DESCALE(x,n) RIGHT_SHIFT((x) + (1 << ((n) - 1)), n) +#define DESCALE(x,n) RIGHT_SHIFT((int)(x) + (1 << ((n) - 1)), n) /* @@ -175,7 +175,7 @@ #if BITS_IN_JSAMPLE == 8 && CONST_BITS<=13 && PASS1_BITS<=2 #define MULTIPLY(var,const) MULTIPLY16C16(var,const) #else -#define MULTIPLY(var,const) ((var) * (const)) +#define MULTIPLY(var,const) (int)((var) * (unsigned)(const)) #endif @@ -183,7 +183,7 @@ static av_always_inline void FUNC(row_fdct)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; @@ -261,7 +261,7 @@ FUNC(ff_jpeg_fdct_islow)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 019dc81f56..aad6ec77c0 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -312,6 +312,16 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_INVALIDDATA; } + if (s->image_offset_x >= s->width || s->image_offset_y >= s->height) { + av_log(s->avctx, AV_LOG_ERROR, "image offsets outside image"); + return AVERROR_INVALIDDATA; + } + + if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){ + av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented"); + return AVERROR_PATCHWELCOME; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { @@ -816,9 +826,6 @@ static uint8_t get_tlm(Jpeg2000DecoderContext *s, int n) case 2: bytestream2_get_be16(&s->g); break; - case 3: - bytestream2_get_be32(&s->g); - break; } if (SP == 0) { bytestream2_get_be16(&s->g); @@ -2040,8 +2047,12 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) return 0; } atom_size = bytestream2_get_be32u(&s->g); + if (atom_size < 16 || (int64_t)bytestream2_tell(&s->g) + atom_size - 16 > INT_MAX) + return AVERROR_INVALIDDATA; atom_end = bytestream2_tell(&s->g) + atom_size - 16; } else { + if (atom_size < 8 || (int64_t)bytestream2_tell(&s->g) + atom_size - 8 > INT_MAX) + return AVERROR_INVALIDDATA; atom_end = bytestream2_tell(&s->g) + atom_size - 8; } @@ -2055,6 +2066,8 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom_size >= 16) { uint32_t atom2_size, atom2, atom2_end; do { + if (bytestream2_get_bytes_left(&s->g) < 8) + break; atom2_size = bytestream2_get_be32u(&s->g); atom2 = bytestream2_get_be32u(&s->g); atom2_end = bytestream2_tell(&s->g) + atom2_size - 8; diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index badf0f8cd0..f418454ee9 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -255,7 +255,7 @@ static void dwt_encode97_int(DWTContext *s, int *t) line += 5; for (i = 0; i < w * h; i++) - t[i] <<= I_PRESHIFT; + t[i] *= 1 << I_PRESHIFT; for (lev = s->ndeclevels-1; lev >= 0; lev--){ int lh = s->linelen[lev][0], diff --git a/libavcodec/jpegls.h b/libavcodec/jpegls.h index 6b89b2afa3..a317871225 100644 --- a/libavcodec/jpegls.h +++ b/libavcodec/jpegls.h @@ -99,7 +99,7 @@ static inline void ff_jpegls_downscale_state(JLSState *state, int Q) static inline int ff_jpegls_update_state_regular(JLSState *state, int Q, int err) { - if(FFABS(err) > 0xFFFF) + if(FFABS(err) > 0xFFFF || FFABS(err) > INT_MAX - state->A[Q]) return -0x10000; state->A[Q] += FFABS(err); err *= state->twonear; diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 5308b744df..0200c51453 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->t3 = get_bits(&s->gb, 16); s->reset = get_bits(&s->gb, 16); - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n", s->maxval, s->t1, s->t2, s->t3, s->reset); } @@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) else maxtab = 65530/wt - 1; - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab); } if (maxtab >= 256) { @@ -122,7 +122,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->avctx->pix_fmt = AV_PIX_FMT_PAL8; for (i=s->palette_index; i<=maxtab; i++) { uint8_t k = i << shift; - pal[k] = 0; + pal[k] = wt < 4 ? 0xFF000000 : 0; for (j=0; jgb, 8) << (8*(wt-j-1)); } @@ -149,7 +149,7 @@ static inline int ls_get_code_regular(GetBitContext *gb, JLSState *state, int Q) { int k, ret; - for (k = 0; (state->N[Q] << k) < state->A[Q]; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < state->A[Q]; k++) ; #ifdef JLS_BROKEN @@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, if (RItype) temp += state->N[Q] >> 1; - for (k = 0; (state->N[Q] << k) < temp; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++) ; #ifdef JLS_BROKEN @@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, #endif ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1, state->qbpp); + if (ret < 0) + return -0x10000; /* decode mapped error */ map = 0; @@ -209,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, ret = ret >> 1; } - if(FFABS(ret) > 0xFFFF) + if (FFABS(ret) > 0xFFFF) return -0x10000; /* update state */ state->A[Q] += FFABS(ret) - RItype; @@ -371,6 +373,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, state->T3 = s->t3; state->reset = s->reset; ff_jpegls_reset_coding_parameters(state, 0); + + /* Testing parameters here, we cannot test in LSE or SOF because + * these interdepend and are allowed in either order + */ + if (state->maxval >= (1<bpp) || + state->T1 > state->T2 || + state->T2 > state->T3 || + state->T3 > state->maxval || + state->reset > FFMAX(255, state->maxval)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + ff_jpegls_init_state(state); if (s->bits <= 8) @@ -463,19 +478,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, for (i = 0; i < s->height; i++) { switch(s->xfrm) { case 1: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += src[x+1] + 128; } break; case 2: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += ((src[x ] + src[x+1])>>1) + 128; } break; case 3: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64; src[x+0] = src[x+2] + g + 128; src[x+2] = src[x+1] + g + 128; @@ -483,7 +498,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, } break; case 4: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int r = src[x+0] - (( 359 * (src[x+2]-128) + 490) >> 8); int g = src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) + 30) >> 8); int b = src[x+0] + ((454 * (src[x+1]-128) + 574) >> 8); diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 59169be5de..bbd90526b9 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -226,6 +226,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } } + if (scale_factor > 23) + return AVERROR_INVALIDDATA; + rac->scale = scale_factor; /* Fill probability array with cumulative probability for each symbol. */ @@ -405,6 +408,9 @@ output_zeros: if (zero_run) { zero_run = 0; i += esc_count; + if (i > end - dst || + i >= src_end - src) + return AVERROR_INVALIDDATA; memcpy(dst, src, i); dst += i; l->zeros_rem = lag_calc_zero_run(src[i]); diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 104defa5f5..38a4993143 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -148,6 +148,8 @@ static int zlib_decomp(AVCodecContext *avctx, const uint8_t *src, int src_len, i if (expected != (unsigned int)c->zstream.total_out) { av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n", expected, c->zstream.total_out); + if (expected > (unsigned int)c->zstream.total_out) + return (unsigned int)c->zstream.total_out; return AVERROR_UNKNOWN; } return c->zstream.total_out; @@ -166,8 +168,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int row, col; unsigned char *encoded = avpkt->data, *outptr; uint8_t *y_out, *u_out, *v_out; - unsigned int width = avctx->width; // Real image width - unsigned int height = avctx->height; // Real image height + int width = avctx->width; // Real image width + int height = avctx->height; // Real image height unsigned int mszh_dlen; unsigned char yq, y1q, uq, vq; int uqvq, ret; @@ -225,16 +227,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac break; case COMP_MSZH_NOCOMP: { int bppx2; + int aligned_width = width; switch (c->imgtype) { case IMGTYPE_YUV111: case IMGTYPE_RGB24: bppx2 = 6; break; case IMGTYPE_YUV422: + aligned_width &= ~3; case IMGTYPE_YUV211: bppx2 = 4; break; case IMGTYPE_YUV411: + aligned_width &= ~3; case IMGTYPE_YUV420: bppx2 = 3; break; @@ -242,7 +247,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac bppx2 = 0; // will error out below break; } - if (len < ((width * height * bppx2) >> 1)) + if (len < ((aligned_width * height * bppx2) >> 1)) return AVERROR_INVALIDDATA; break; } @@ -274,12 +279,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac ret = zlib_decomp(avctx, buf + 8 + mthread_inlen, len - 8 - mthread_inlen, mthread_outlen, mthread_outlen); if (ret < 0) return ret; + len = c->decomp_size; } else { int ret = zlib_decomp(avctx, buf, len, 0, c->decomp_size); if (ret < 0) return ret; + len = ret; } encoded = c->decomp_buf; - len = c->decomp_size; break; #endif default: @@ -307,8 +313,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } break; case IMGTYPE_YUV422: + pixel_ptr = 0; for (row = 0; row < height; row++) { - pixel_ptr = row * width * 2; yq = uq = vq =0; for (col = 0; col < width/4; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; @@ -324,8 +330,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } break; case IMGTYPE_YUV411: + pixel_ptr = 0; for (row = 0; row < height; row++) { - pixel_ptr = row * width / 2 * 3; yq = uq = vq =0; for (col = 0; col < width/4; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; @@ -399,6 +405,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac v_out[ col >> 1 ] = *encoded++ + 128; v_out[(col >> 1) + 1] = *encoded++ + 128; } + if (col && col < width) { + u_out[ col >> 1 ] = u_out[(col>>1) - 1]; + v_out[ col >> 1 ] = v_out[(col>>1) - 1]; + } + y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -420,6 +431,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac u_out[col >> 2] = *encoded++ + 128; v_out[col >> 2] = *encoded++ + 128; } + if (col && col < width) { + u_out[col >> 2] = u_out[(col>>2) - 1]; + v_out[col >> 2] = v_out[(col>>2) - 1]; + } y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -477,6 +492,7 @@ static av_cold int decode_init(AVCodecContext *avctx) FFALIGN(avctx->height, 4); unsigned int max_decomp_size; int subsample_h, subsample_v; + int partial_h_supported = 0; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n"); @@ -498,26 +514,24 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 1:1:1.\n"); break; case IMGTYPE_YUV422: - c->decomp_size = basesize * 2; + c->decomp_size = (avctx->width & ~3) * avctx->height * 2; max_decomp_size = max_basesize * 2; avctx->pix_fmt = AV_PIX_FMT_YUV422P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n"); - if (avctx->width % 4) { - avpriv_request_sample(avctx, "Unsupported dimensions"); - return AVERROR_INVALIDDATA; - } + partial_h_supported = 1; break; case IMGTYPE_RGB24: - c->decomp_size = basesize * 3; + c->decomp_size = FFALIGN(avctx->width*3, 4) * avctx->height; max_decomp_size = max_basesize * 3; avctx->pix_fmt = AV_PIX_FMT_BGR24; av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); break; case IMGTYPE_YUV411: - c->decomp_size = basesize / 2 * 3; + c->decomp_size = (avctx->width & ~3) * avctx->height / 2 * 3; max_decomp_size = max_basesize / 2 * 3; avctx->pix_fmt = AV_PIX_FMT_YUV411P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:1:1.\n"); + partial_h_supported = 1; break; case IMGTYPE_YUV211: c->decomp_size = basesize * 2; @@ -537,7 +551,7 @@ static av_cold int decode_init(AVCodecContext *avctx) } av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v); - if (avctx->width % (1<height % (1<width % (1<height % (1<frame_size) != (avpkt->duration > 0)) { av_log(avctx, AV_LOG_ERROR, "discard padding overflow\n"); av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if ((!s->delay_sent && avctx->initial_padding > 0) || discard_padding > 0) { @@ -288,7 +287,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } if (!s->delay_sent) { diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 7c025a66d7..13017ac323 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -503,7 +503,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, // Check if subtraction resulted in an overflow if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if (discard_padding > 0) { @@ -512,7 +511,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } AV_WL32(side_data + 4, discard_padding); diff --git a/libavcodec/libtheoraenc.c b/libavcodec/libtheoraenc.c index 16966ed433..a16211c403 100644 --- a/libavcodec/libtheoraenc.c +++ b/libavcodec/libtheoraenc.c @@ -232,7 +232,7 @@ static av_cold int encode_init(AVCodecContext* avc_context) return AVERROR_EXTERNAL; } - h->keyframe_mask = (1 << t_info.keyframe_granule_shift) - 1; + h->keyframe_mask = (1 << av_ceil_log2(avc_context->gop_size)) - 1; /* Clear up theora_info struct */ th_info_clear(&t_info); diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c index 89cbbb41b6..3c53b8fdaf 100644 --- a/libavcodec/libvorbisdec.c +++ b/libavcodec/libvorbisdec.c @@ -64,22 +64,25 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) { } } else if(*p == 2) { unsigned int offset = 1; + unsigned int sizesum = 1; p++; for(i=0; i<2; i++) { hsizes[i] = 0; - while((*p == 0xFF) && (offset < avccontext->extradata_size)) { + while((*p == 0xFF) && (sizesum < avccontext->extradata_size)) { hsizes[i] += 0xFF; offset++; + sizesum += 1 + 0xFF; p++; } - if(offset >= avccontext->extradata_size - 1) { + hsizes[i] += *p; + offset++; + sizesum += 1 + *p; + if(sizesum > avccontext->extradata_size) { av_log(avccontext, AV_LOG_ERROR, "vorbis header sizes damaged\n"); ret = AVERROR_INVALIDDATA; goto error; } - hsizes[i] += *p; - offset++; p++; } hsizes[2] = avccontext->extradata_size - hsizes[0]-hsizes[1]-offset; diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index feb52ea0dd..af8d11f87c 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -935,7 +935,6 @@ FF_ENABLE_DEPRECATION_WARNINGS cx_frame->sz_alpha + 8); if(!side_data) { av_packet_unref(pkt); - av_free(pkt); return AVERROR(ENOMEM); } AV_WB64(side_data, 1); diff --git a/libavcodec/loco.c b/libavcodec/loco.c index e8c62b8178..a2960430e4 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -82,17 +82,24 @@ static inline void loco_update_rice_param(RICEContext *r, int val) static inline int loco_get_rice(RICEContext *r) { - int v; + unsigned v; if (r->run > 0) { /* we have zero run */ r->run--; loco_update_rice_param(r, 0); return 0; } + if (get_bits_left(&r->gb) < 1) + return INT_MIN; v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0); + if (v == -1) + return INT_MIN; loco_update_rice_param(r, (v + 1) >> 1); if (!v) { if (r->save >= 0) { - r->run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + int run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + if (run == -1) + return INT_MIN; + r->run = run; if (r->run > 1) r->save += r->run + 1; else @@ -129,7 +136,7 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh int stride, const uint8_t *buf, int buf_size) { RICEContext rc; - int val; + unsigned val; int ret; int i, j; @@ -149,20 +156,28 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore top left pixel */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = 128 + val; /* restore top line */ for (i = 1; i < width; i++) { val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[i] = data[i - 1] + val; } data += stride; for (j = 1; j < height; j++) { /* restore left column */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = data[-stride] + val; /* restore all other pixels */ for (i = 1; i < width; i++) { val = loco_get_rice(&rc); + if (val == INT_MIN) + return -1; data[i] = loco_predict(&data[i], stride) + val; } data += stride; diff --git a/libavcodec/lossless_audiodsp.c b/libavcodec/lossless_audiodsp.c index 3a9f9b20bb..378165924d 100644 --- a/libavcodec/lossless_audiodsp.c +++ b/libavcodec/lossless_audiodsp.c @@ -27,7 +27,7 @@ static int32_t scalarproduct_and_madd_int16_c(int16_t *v1, const int16_t *v2, const int16_t *v3, int order, int mul) { - int res = 0; + unsigned res = 0; do { res += *v1 * *v2++; diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index f8da1e1266..fc97ce3ae0 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -188,7 +188,7 @@ double ff_lpc_calc_ref_coefs_f(LPCContext *s, const float *samples, int len, compute_ref_coefs(autoc, order, ref, error); for (i = 0; i < order; i++) avg_err = (avg_err + error[i])/2.0f; - return signal/avg_err; + return avg_err ? signal/avg_err : NAN; } /** @@ -243,8 +243,10 @@ int ff_lpc_calc_coefs(LPCContext *s, double av_uninit(weight); memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var)); - for(j=0; j 1) + for(j=0; j (3.22) + f[1] = -lsp[0] * 256; // *2 and (0.15) -> (3.22) for(i=2; i<=lp_half_order; i++) { @@ -116,7 +116,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order) for(j=i; j>1; j--) f[j] -= MULL(f[j-1], lsp[2*i-2], FRAC_BITS) - f[j-2]; - f[1] -= lsp[2*i-2] << 8; + f[1] -= lsp[2*i-2] * 256; } } diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 5b7526ef18..1e3c86c88c 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c @@ -49,7 +49,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) if (s < LZF_LITERAL_MAX) { s++; if (s > *size - len) { - *size += *size /2; + *size += s + *size /2; ret = av_reallocp(buf, *size); if (ret < 0) return ret; @@ -72,7 +72,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) return AVERROR_INVALIDDATA; if (l > *size - len) { - *size += *size / 2; + *size += l + *size / 2; ret = av_reallocp(buf, *size); if (ret < 0) return ret; diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index f4fb2a7809..5415e63207 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -677,6 +677,17 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + if (s->interlaced) { + if ((s->slice_height >> s->vshift[1]) < 2) { + av_log(avctx, AV_LOG_ERROR, "impossible slice height\n"); + return AVERROR_INVALIDDATA; + } + if ((avctx->coded_height % s->slice_height) && ((avctx->coded_height % s->slice_height) >> s->vshift[1]) < 2) { + av_log(avctx, AV_LOG_ERROR, "impossible height\n"); + return AVERROR_INVALIDDATA; + } + } + for (i = 0; i < s->planes; i++) { av_fast_malloc(&s->slices[i], &s->slices_size[i], s->nb_slices * sizeof(Slice)); if (!s->slices[i]) @@ -702,6 +713,9 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data, s->slices[i][j].start = offset + header_size; s->slices[i][j].size = avpkt->size - s->slices[i][j].start; + + if (s->slices[i][j].size < 2) + return AVERROR_INVALIDDATA; } if (bytestream2_get_byte(&gbyte) != s->planes) diff --git a/libavcodec/mediacodec_wrapper.c b/libavcodec/mediacodec_wrapper.c index a024e3bdb1..79abc8b6aa 100644 --- a/libavcodec/mediacodec_wrapper.c +++ b/libavcodec/mediacodec_wrapper.c @@ -392,8 +392,6 @@ char *ff_AMediaCodecList_getCodecNameByType(const char *mime, int profile, int e struct JNIAMediaCodecListFields jfields = { 0 }; struct JNIAMediaFormatFields mediaformat_jfields = { 0 }; - jobject format = NULL; - jobject codec = NULL; jobject codec_name = NULL; jobject info = NULL; @@ -469,6 +467,11 @@ char *ff_AMediaCodecList_getCodecNameByType(const char *mime, int profile, int e goto done; } + if (codec_name) { + (*env)->DeleteLocalRef(env, codec_name); + codec_name = NULL; + } + /* Skip software decoders */ if ( strstr(name, "OMX.google") || @@ -566,14 +569,6 @@ done_with_info: } done: - if (format) { - (*env)->DeleteLocalRef(env, format); - } - - if (codec) { - (*env)->DeleteLocalRef(env, codec); - } - if (codec_name) { (*env)->DeleteLocalRef(env, codec_name); } @@ -1308,6 +1303,12 @@ int ff_AMediaCodec_delete(FFAMediaCodec* codec) ret = AVERROR_EXTERNAL; } + (*env)->DeleteGlobalRef(env, codec->input_buffers); + codec->input_buffers = NULL; + + (*env)->DeleteGlobalRef(env, codec->output_buffers); + codec->output_buffers = NULL; + (*env)->DeleteGlobalRef(env, codec->object); codec->object = NULL; @@ -1337,6 +1338,10 @@ char *ff_AMediaCodec_getName(FFAMediaCodec *codec) ret = ff_jni_jstring_to_utf_chars(env, name, codec); fail: + if (name) { + (*env)->DeleteLocalRef(env, name); + } + return ret; } diff --git a/libavcodec/mediacodec_wrapper.h b/libavcodec/mediacodec_wrapper.h index f0de16d669..b106ff315a 100644 --- a/libavcodec/mediacodec_wrapper.h +++ b/libavcodec/mediacodec_wrapper.h @@ -26,6 +26,8 @@ #include #include +#include "avcodec.h" + /** * The following API around MediaCodec and MediaFormat is based on the * NDK one provided by Google since Android 5.0. diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 37d7bb8228..e09d1ea851 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -118,9 +118,13 @@ read_header: 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; - ret = ff_mjpeg_decode_sos(s, NULL, 0, NULL); - if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return ret; + if (avctx->skip_frame == AVDISCARD_ALL) { + skip_bits(&s->gb, get_bits_left(&s->gb)); + } else { + ret = ff_mjpeg_decode_sos(s, NULL, 0, NULL); + if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) + return ret; + } } if (s->interlaced) { diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a65bc8df15..da33bf7ced 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1516,6 +1516,9 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, else ret = decode_block_progressive(s, *block, last_nnz, s->ac_index[0], quant_matrix, ss, se, Al, &EOBRUN); + + if (ret >= 0 && get_bits_left(&s->gb) < 0) + ret = AVERROR_INVALIDDATA; if (ret < 0) { av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 31868c9bed..37c15367a4 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c @@ -275,7 +275,7 @@ void ff_mjpeg_encode_picture_header(AVCodecContext *avctx, PutBitContext *pb, default: av_assert0(0); } - put_bits(pb, 16, 17); + put_bits(pb, 16, 8 + 3 * components); if (lossless && ( avctx->pix_fmt == AV_PIX_FMT_BGR0 || avctx->pix_fmt == AV_PIX_FMT_BGRA || avctx->pix_fmt == AV_PIX_FMT_BGR24)) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 39c40914cd..7cdd7ad42b 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -520,7 +520,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ - if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { + if (max_matrix_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 32a4503b64..12bef3a721 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -79,7 +79,7 @@ void ff_mlp_rematrix_channel(int32_t *samples, if (matrix_noise_shift) { index &= access_unit_size_pow2 - 1; - accum += noise_buffer[index] << (matrix_noise_shift + 7); + accum += noise_buffer[index] * (1 << (matrix_noise_shift + 7)); index += index2; } diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 759eea479d..9aa44e7b65 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1442,7 +1442,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y) s->b_direct_mv_table[mot_xy][0]= 0; s->b_direct_mv_table[mot_xy][1]= 0; - return 256*256*256*64; + return 256*256*256*64-1; } c->xmin= xmin; @@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) for(y=0; ymb_height; y++){ int x; int xy= y*s->mb_stride; - for(x=0; xmb_width; x++){ + for(x=0; xmb_width; x++, xy++){ if(s->mb_type[xy] & type){ int mx= mv_table[xy][0]; int my= mv_table[xy][1]; @@ -1622,16 +1622,15 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) fcode_tab[my + MAX_MV]); int j; - if(mx >= range || mx < -range || - my >= range || my < -range) - continue; + if (mx >= range || mx < -range || + my >= range || my < -range) + continue; for(j=0; jpict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy]) score[j]-= 170; } } - xy++; } } diff --git a/libavcodec/motion_est_template.c b/libavcodec/motion_est_template.c index 014038e54f..13e73f2653 100644 --- a/libavcodec/motion_est_template.c +++ b/libavcodec/motion_est_template.c @@ -157,8 +157,8 @@ static int no_sub_motion_search(MpegEncContext * s, int src_index, int ref_index, int size, int h) { - (*mx_ptr)<<=1; - (*my_ptr)<<=1; + (*mx_ptr) *= 2; + (*my_ptr) *= 2; return dmin; } diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 73977664a5..85b0056e48 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -171,7 +171,7 @@ static int mp_read_codes_table(MotionPixelsContext *mp, GetBitContext *gb) return 0; } -static int mp_gradient(MotionPixelsContext *mp, int component, int v) +static av_always_inline int mp_gradient(MotionPixelsContext *mp, int component, int v) { int delta; @@ -185,7 +185,7 @@ static YuvPixel mp_get_yuv_from_rgb(MotionPixelsContext *mp, int x, int y) int color; color = *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2]; - return mp_rgb_yuv_table[color]; + return mp_rgb_yuv_table[color & 0x7FFF]; } static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const YuvPixel *p) @@ -196,7 +196,7 @@ static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const Yuv *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2] = color; } -static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) +static av_always_inline int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) { int i; diff --git a/libavcodec/mp3_header_decompress_bsf.c b/libavcodec/mp3_header_decompress_bsf.c index 294858953c..ab3d420300 100644 --- a/libavcodec/mp3_header_decompress_bsf.c +++ b/libavcodec/mp3_header_decompress_bsf.c @@ -62,6 +62,11 @@ static int mp3_header_decompress(AVBSFContext *ctx, AVPacket *out) lsf = sample_rate < (24000+32000)/2; mpeg25 = sample_rate < (12000+16000)/2; sample_rate_index= (header>>10)&3; + if (sample_rate_index == 3) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + sample_rate= avpriv_mpa_freq_tab[sample_rate_index] >> (lsf + mpeg25); //in case sample rate is a little off for(bitrate_index=2; bitrate_index<30; bitrate_index++){ diff --git a/libavcodec/mpc.c b/libavcodec/mpc.c index 6cf9b9d520..e56b608d8c 100644 --- a/libavcodec/mpc.c +++ b/libavcodec/mpc.c @@ -75,17 +75,17 @@ void ff_mpc_dequantize_and_synth(MPCContext * c, int maxband, int16_t **out, j = 0; mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][0] & 0xFF]; for(; j < 12; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][1] & 0xFF]; for(; j < 24; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][2] & 0xFF]; for(; j < 36; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); } } if(bands[i].msf){ - int t1, t2; + unsigned t1, t2; for(j = 0; j < SAMPLES_PER_BAND; j++){ t1 = c->sb_samples[0][j][i]; t2 = c->sb_samples[1][j][i]; diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index d7baac2f04..03838a9351 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -62,7 +62,7 @@ static inline int mpc8_dec_enum(GetBitContext *gb, int k, int n) do { n--; if (code >= C[n]) { - bits |= 1 << n; + bits |= 1U << n; code -= C[n]; C -= 32; k--; diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 83e537884b..8d9c62a2fa 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -220,7 +220,6 @@ end: } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -396,7 +395,6 @@ end: } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -558,7 +556,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -586,7 +583,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, dc = s->last_dc[component]; dc += diff; s->last_dc[component] = dc; - block[0] = dc << (3 - s->intra_dc_precision); + block[0] = dc * (1 << (3 - s->intra_dc_precision)); i = 0; if (s->intra_vlc_format) rl = &ff_rl_mpeg2; @@ -1540,6 +1537,10 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) s->mpeg_f_code[0][1] = get_bits(&s->gb, 4); s->mpeg_f_code[1][0] = get_bits(&s->gb, 4); s->mpeg_f_code[1][1] = get_bits(&s->gb, 4); + s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; + s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; + s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; + s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; if (!s->pict_type && s1->mpeg_enc_ctx_allocated) { av_log(s->avctx, AV_LOG_ERROR, "Missing picture start code, guessing missing values\n"); @@ -1553,10 +1554,6 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) s->current_picture.f->pict_type = s->pict_type; s->current_picture.f->key_frame = s->pict_type == AV_PICTURE_TYPE_I; } - s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; - s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; - s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; - s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; s->intra_dc_precision = get_bits(&s->gb, 2); s->picture_structure = get_bits(&s->gb, 2); @@ -2483,7 +2480,7 @@ static int decode_chunks(AVCodecContext *avctx, AVFrame *picture, return ret; else if (ret) { // FIXME: merge with the stuff in mpeg_decode_slice - if (s2->last_picture_ptr || s2->low_delay) + if (s2->last_picture_ptr || s2->low_delay || s2->pict_type == AV_PICTURE_TYPE_B) *got_output = 1; } } diff --git a/libavcodec/mpeg2_metadata_bsf.c b/libavcodec/mpeg2_metadata_bsf.c index 6779ffd4c4..3f371a028d 100644 --- a/libavcodec/mpeg2_metadata_bsf.c +++ b/libavcodec/mpeg2_metadata_bsf.c @@ -213,6 +213,18 @@ static int mpeg2_metadata_init(AVBSFContext *bsf) CodedBitstreamFragment *frag = &ctx->fragment; int err; +#define VALIDITY_CHECK(name) do { \ + if (!ctx->name) { \ + av_log(bsf, AV_LOG_ERROR, "The value 0 for %s is " \ + "forbidden.\n", #name); \ + return AVERROR(EINVAL); \ + } \ + } while (0) + VALIDITY_CHECK(colour_primaries); + VALIDITY_CHECK(transfer_characteristics); + VALIDITY_CHECK(matrix_coefficients); +#undef VALIDITY_CHECK + err = ff_cbs_init(&ctx->cbc, AV_CODEC_ID_MPEG2VIDEO, bsf); if (err < 0) return err; diff --git a/libavcodec/mpeg4audio.c b/libavcodec/mpeg4audio.c index 219714752f..2dbd972eaf 100644 --- a/libavcodec/mpeg4audio.c +++ b/libavcodec/mpeg4audio.c @@ -93,6 +93,10 @@ int ff_mpeg4audio_get_config_gb(MPEG4AudioConfig *c, GetBitContext *gb, c->chan_config = get_bits(gb, 4); if (c->chan_config < FF_ARRAY_ELEMS(ff_mpeg4audio_channels)) c->channels = ff_mpeg4audio_channels[c->chan_config]; + else { + av_log(NULL, AV_LOG_ERROR, "Invalid chan_config %d\n", c->chan_config); + return AVERROR_INVALIDDATA; + } c->sbr = -1; c->ps = -1; if (c->object_type == AOT_SBR || (c->object_type == AOT_PS && diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index b6f2ae7b7b..464def6d71 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -351,6 +351,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; + default: + av_assert0(0); } /* try to simplify the situation */ if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && @@ -610,13 +612,13 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) dy -= 1 << (shift + a + 1); else dx -= 1 << (shift + a + 1); - mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16 + dy * s->mb_y * 16; + mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16U + dy * s->mb_y * 16U; sum = 0; for (y = 0; y < 16; y++) { int v; - v = mb_v + dy * y; + v = mb_v + (unsigned)dy * y; // FIXME optimize for (x = 0; x < 16; x++) { sum += v >> shift; @@ -1189,7 +1191,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block, if (SHOW_UBITS(re, &s->gb, 1) == 0) { av_log(s->avctx, AV_LOG_ERROR, "1. marker bit missing in 3. esc\n"); - if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR)) + if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0) return AVERROR_INVALIDDATA; } SKIP_CACHE(re, &s->gb, 1); @@ -1200,7 +1202,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block, if (SHOW_UBITS(re, &s->gb, 1) == 0) { av_log(s->avctx, AV_LOG_ERROR, "2. marker bit missing in 3. esc\n"); - if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR)) + if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0) return AVERROR_INVALIDDATA; } @@ -1826,6 +1828,7 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n uint32_t flc; const int min = -1 * (1 << (s->avctx->bits_per_raw_sample + 6)); const int max = ((1 << (s->avctx->bits_per_raw_sample + 6)) - 1); + int shift = 3 - s->dct_precision; mismatch = 1; @@ -1921,7 +1924,7 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n else block[j] = flc; } - block[j] = ((8 * 2 * block[j] * quant_matrix[j] * s->qscale) >> s->dct_precision) / 32; + block[j] = ((block[j] * quant_matrix[j] * s->qscale) * (1 << shift)) / 16; block[j] = av_clip(block[j], min, max); mismatch ^= block[j]; } @@ -3133,6 +3136,7 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) MpegEncContext *s = &ctx->m; int width, height; int bits_per_raw_sample; + int rgb, chroma_format; // random_accessible_vol and video_object_type_indication have already // been read by the caller decode_vol_header() @@ -3140,28 +3144,36 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) ctx->shape = get_bits(gb, 2); /* video_object_layer_shape */ skip_bits(gb, 4); /* video_object_layer_shape_extension */ skip_bits1(gb); /* progressive_sequence */ + if (ctx->shape != RECT_SHAPE) { + avpriv_request_sample(s->avctx, "MPEG-4 Studio profile non rectangular shape"); + return AVERROR_PATCHWELCOME; + } if (ctx->shape != BIN_ONLY_SHAPE) { - ctx->rgb = get_bits1(gb); /* rgb_components */ - s->chroma_format = get_bits(gb, 2); /* chroma_format */ - if (!s->chroma_format) { + rgb = get_bits1(gb); /* rgb_components */ + chroma_format = get_bits(gb, 2); /* chroma_format */ + if (!chroma_format || chroma_format == CHROMA_420 || (rgb && chroma_format == CHROMA_422)) { av_log(s->avctx, AV_LOG_ERROR, "illegal chroma format\n"); return AVERROR_INVALIDDATA; } bits_per_raw_sample = get_bits(gb, 4); /* bit_depth */ if (bits_per_raw_sample == 10) { - if (ctx->rgb) { + if (rgb) { s->avctx->pix_fmt = AV_PIX_FMT_GBRP10; } else { - s->avctx->pix_fmt = s->chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10; + s->avctx->pix_fmt = chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10; } } else { avpriv_request_sample(s->avctx, "MPEG-4 Studio profile bit-depth %u", bits_per_raw_sample); return AVERROR_PATCHWELCOME; } + if (rgb != ctx->rgb || s->chroma_format != chroma_format) + s->context_reinit = 1; s->avctx->bits_per_raw_sample = bits_per_raw_sample; + ctx->rgb = rgb; + s->chroma_format = chroma_format; } if (ctx->shape == RECT_SHAPE) { check_marker(s->avctx, gb, "before video_object_layer_width"); @@ -3211,7 +3223,7 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) * Decode MPEG-4 headers. * * @param header If set the absence of a VOP is not treated as error; otherwise, it is treated as such. - * @return <0 if an error occured + * @return <0 if an error occurred * FRAME_SKIPPED if a not coded VOP is found * 0 else */ diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index f6a5992df7..2d9d6cd654 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -104,7 +104,7 @@ static inline void restore_ac_coeffs(MpegEncContext *s, int16_t block[6][64], memcpy(s->block_last_index, zigzag_last_index, sizeof(int) * 6); for (n = 0; n < 6; n++) { - int16_t *ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + int16_t *ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16; st[n] = s->intra_scantable.permutated; if (dir[n]) { @@ -143,7 +143,7 @@ static inline int decide_ac_pred(MpegEncContext *s, int16_t block[6][64], score -= get_block_rate(s, block[n], s->block_last_index[n], s->intra_scantable.permutated); - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16; ac_val1 = ac_val; if (dir[n]) { const int xy = s->mb_x + s->mb_y * s->mb_stride - s->mb_stride; @@ -1306,6 +1306,8 @@ static av_cold int encode_init(AVCodecContext *avctx) if (s->avctx->flags & AV_CODEC_FLAG_GLOBAL_HEADER) { s->avctx->extradata = av_malloc(1024); + if (!s->avctx->extradata) + return AVERROR(ENOMEM); init_put_bits(&s->pb, s->avctx->extradata, 1024); if (!(s->workaround_bugs & FF_BUG_MS)) diff --git a/libavcodec/mpegaudioenc_template.c b/libavcodec/mpegaudioenc_template.c index 93363fe1d2..12f7a098e6 100644 --- a/libavcodec/mpegaudioenc_template.c +++ b/libavcodec/mpegaudioenc_template.c @@ -701,7 +701,7 @@ static void encode_frame(MpegAudioContext *s, /* normalize to P bits */ if (shift < 0) - q1 = sample << (-shift); + q1 = sample * (1 << -shift); else q1 = sample >> shift; q1 = (q1 * mult) >> P; diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index dbb6ab9b39..454f200d6f 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1089,6 +1089,13 @@ int ff_mpv_common_frame_size_change(MpegEncContext *s) (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) goto fail; + /* set chroma shifts */ + err = av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, + &s->chroma_x_shift, + &s->chroma_y_shift); + if (err < 0) + return err; + if ((err = init_context_frame(s))) goto fail; diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index ae3b131229..f8569596ee 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -492,9 +492,13 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!s->fixed_qscale && avctx->bit_rate * av_q2d(avctx->time_base) > avctx->bit_rate_tolerance) { + double nbt = avctx->bit_rate * av_q2d(avctx->time_base) * 5; av_log(avctx, AV_LOG_WARNING, "bitrate tolerance %d too small for bitrate %"PRId64", overriding\n", avctx->bit_rate_tolerance, avctx->bit_rate); - avctx->bit_rate_tolerance = 5 * avctx->bit_rate * av_q2d(avctx->time_base); + if (nbt <= INT_MAX) { + avctx->bit_rate_tolerance = nbt; + } else + avctx->bit_rate_tolerance = INT_MAX; } if (s->avctx->rc_max_rate && @@ -558,6 +562,12 @@ FF_ENABLE_DEPRECATION_WARNINGS av_log(avctx, AV_LOG_ERROR, "H.263 does not support resolutions above 2048x1152\n"); return -1; } + if (s->codec_id == AV_CODEC_ID_FLV1 && + (avctx->width > 65535 || + avctx->height > 65535 )) { + av_log(avctx, AV_LOG_ERROR, "FLV does not support resolutions above 16bit\n"); + return AVERROR(EINVAL); + } if ((s->codec_id == AV_CODEC_ID_H263 || s->codec_id == AV_CODEC_ID_H263P) && ((avctx->width &3) || @@ -1230,12 +1240,12 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) &v_chroma_shift); for (i = 0; i < 3; i++) { - int src_stride = pic_arg->linesize[i]; - int dst_stride = i ? s->uvlinesize : s->linesize; + ptrdiff_t src_stride = pic_arg->linesize[i]; + ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? h_chroma_shift : 0; int v_shift = i ? v_chroma_shift : 0; - int w = s->width >> h_shift; - int h = s->height >> v_shift; + int w = AV_CEIL_RSHIFT(s->width , h_shift); + int h = AV_CEIL_RSHIFT(s->height, v_shift); uint8_t *src = pic_arg->data[i]; uint8_t *dst = pic->f->data[i]; int vpad = 16; @@ -1249,7 +1259,7 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) dst += INPLACE_OFFSET; if (src_stride == dst_stride) - memcpy(dst, src, src_stride * h); + memcpy(dst, src, src_stride * h - src_stride + w); else { int h2 = h; uint8_t *dst2 = dst; @@ -1292,6 +1302,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) /* shift buffer entries */ for (i = flush_offset; i < MAX_PICTURE_COUNT /*s->encoding_delay + 1*/; i++) s->input_picture[i - flush_offset] = s->input_picture[i]; + for (int i = MAX_B_FRAMES + 1 - flush_offset; i <= MAX_B_FRAMES; i++) + s->input_picture[i] = NULL; s->input_picture[encoding_delay] = (Picture*) pic; @@ -1470,7 +1482,7 @@ static int estimate_best_b_count(MpegEncContext *s) goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); } /* get the delayed frames */ @@ -1479,7 +1491,7 @@ static int estimate_best_b_count(MpegEncContext *s) ret = out_size; goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); rd += c->error[0] + c->error[1] + c->error[2]; diff --git a/libavcodec/mscc.c b/libavcodec/mscc.c index 86e4e88ed3..c7eec1d9c8 100644 --- a/libavcodec/mscc.c +++ b/libavcodec/mscc.c @@ -52,6 +52,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont unsigned run = bytestream2_get_byte(gb); if (run) { + if (bytestream2_get_bytes_left_p(pb) < run * s->bpp) + return AVERROR_INVALIDDATA; + switch (avctx->bits_per_coded_sample) { case 8: fill = bytestream2_get_byte(gb); @@ -100,6 +103,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont bytestream2_seek_p(pb, y * avctx->width * s->bpp + x * s->bpp, SEEK_SET); } else { + if (bytestream2_get_bytes_left_p(pb) < copy * s->bpp) + return AVERROR_INVALIDDATA; + for (j = 0; j < copy; j++) { switch (avctx->bits_per_coded_sample) { case 8: diff --git a/libavcodec/mss1.c b/libavcodec/mss1.c index a579d9d9a4..84b7a37007 100644 --- a/libavcodec/mss1.c +++ b/libavcodec/mss1.c @@ -56,6 +56,8 @@ static void arith_normalise(ArithCoder *c) c->low <<= 1; c->high <<= 1; c->high |= 1; + if (get_bits_left(c->gbc.gb) < 1) + c->overread++; c->value |= get_bits1(c->gbc.gb); } } @@ -112,6 +114,7 @@ static void arith_init(ArithCoder *c, GetBitContext *gb) c->low = 0; c->high = 0xFFFF; c->value = get_bits(gb, 16); + c->overread = 0; c->gbc.gb = gb; c->get_model_sym = arith_get_model_sym; c->get_number = arith_get_number; diff --git a/libavcodec/mss12.c b/libavcodec/mss12.c index 3b1a3029e0..5a5bd9a91b 100644 --- a/libavcodec/mss12.c +++ b/libavcodec/mss12.c @@ -161,6 +161,8 @@ static av_always_inline int decode_pixel(ArithCoder *acoder, PixContext *pctx, { int i, val, pix; + if (acoder->overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; val = acoder->get_model_sym(acoder, &pctx->cache_model); if (val < pctx->num_syms) { if (any_ngb) { @@ -306,6 +308,8 @@ static int decode_region(ArithCoder *acoder, uint8_t *dst, uint8_t *rgb_pic, else p = decode_pixel_in_context(acoder, pctx, dst + i, stride, i, j, width - i - 1); + if (p < 0) + return p; dst[i] = p; if (rgb_pic) @@ -398,6 +402,8 @@ static int decode_region_masked(MSS12Context const *c, ArithCoder *acoder, else p = decode_pixel_in_context(acoder, pctx, dst + i, stride, i, j, width - i - 1); + if (p < 0) + return p; dst[i] = p; if (c->rgb_pic) AV_WB24(rgb_dst + i * 3, c->pal[p]); @@ -473,6 +479,8 @@ static int decode_region_intra(SliceContext *sc, ArithCoder *acoder, uint8_t *rgb_dst = c->rgb_pic + x * 3 + y * rgb_stride; pix = decode_pixel(acoder, &sc->intra_pix_ctx, NULL, 0, 0); + if (pix < 0) + return pix; rgb_pix = c->pal[pix]; for (i = 0; i < height; i++, dst += stride, rgb_dst += rgb_stride) { memset(dst, pix, width); @@ -499,6 +507,8 @@ static int decode_region_inter(SliceContext *sc, ArithCoder *acoder, if (!mode) { mode = decode_pixel(acoder, &sc->inter_pix_ctx, NULL, 0, 0); + if (mode < 0) + return mode; if (c->avctx->err_recognition & AV_EF_EXPLODE && ( c->rgb_pic && mode != 0x01 && mode != 0x02 && mode != 0x04 || @@ -530,6 +540,8 @@ int ff_mss12_decode_rect(SliceContext *sc, ArithCoder *acoder, int x, int y, int width, int height) { int mode, pivot; + if (acoder->overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; mode = acoder->get_model_sym(acoder, &sc->split_mode); diff --git a/libavcodec/mss12.h b/libavcodec/mss12.h index 45c4074652..6f68fc3db6 100644 --- a/libavcodec/mss12.h +++ b/libavcodec/mss12.h @@ -47,6 +47,8 @@ typedef struct Model { typedef struct ArithCoder { int low, high, value; + int overread; +#define MAX_OVERREAD 16 union { GetBitContext *gb; GetByteContext *gB; diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index 2eb366ee78..29897cea2e 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -152,6 +152,7 @@ static void arith2_init(ArithCoder *c, GetByteContext *gB) c->low = 0; c->high = 0xFFFFFF; c->value = bytestream2_get_be24(gB); + c->overread = 0; c->gbc.gB = gB; c->get_model_sym = arith2_get_model_sym; c->get_number = arith2_get_number; diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 21226f9085..02bd360996 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -298,6 +298,10 @@ static void rac_normalise(RangeCoder *c) c->got_error = 1; c->low = 1; } + if (c->low > c->range) { + c->got_error = 1; + c->low = 1; + } if (c->range >= RAC_BOTTOM) return; } diff --git a/libavcodec/mwsc.c b/libavcodec/mwsc.c index 4db7642e85..94554ebd4a 100644 --- a/libavcodec/mwsc.c +++ b/libavcodec/mwsc.c @@ -50,6 +50,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext if (run == 0) { run = bytestream2_get_le32(gb); + + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; @@ -61,6 +65,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext int pos = bytestream2_tell_p(pb); bytestream2_seek(gbp, pos, SEEK_SET); + + if (pos + width - w < fill) + return AVERROR_INVALIDDATA; + for (int j = 0; j < fill; j++, w++) { if (w == width) { w = 0; @@ -72,6 +80,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext intra = 0; } else { + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index 2e3ebe6e70..ea73bd4a10 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -195,10 +195,14 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, int start_code; int ret; + if (avctx->skip_frame == AVDISCARD_ALL) + return AVERROR_PATCHWELCOME; + buf_ptr = buf; buf_end = buf + buf_size; jpg->got_picture = 0; s->got_mxm_bitmask = 0; + s->got_sof_data = !!s->got_sof_data; while (buf_ptr < buf_end) { start_code = ff_mjpeg_find_marker(jpg, &buf_ptr, buf_end, &unescaped_buf_ptr, &unescaped_buf_size); @@ -241,19 +245,25 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, return ret; break; case SOF0: - s->got_sof_data = 0; + if (s->got_sof_data > 1) { + av_log(avctx, AV_LOG_ERROR, + "Multiple SOF in a frame\n"); + return AVERROR_INVALIDDATA; + } ret = ff_mjpeg_decode_sof(jpg); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "SOF data decode error\n"); + s->got_sof_data = 0; return ret; } if (jpg->interlaced) { av_log(avctx, AV_LOG_ERROR, "Interlaced mode not supported in MxPEG\n"); + s->got_sof_data = 0; return AVERROR(EINVAL); } - s->got_sof_data = 1; + s->got_sof_data ++; break; case SOS: if (!s->got_sof_data) { diff --git a/libavcodec/noise_bsf.c b/libavcodec/noise_bsf.c index d79f63b777..42533c6df9 100644 --- a/libavcodec/noise_bsf.c +++ b/libavcodec/noise_bsf.c @@ -44,6 +44,11 @@ static int noise(AVBSFContext *ctx, AVPacket *pkt) if (amount <= 0) return AVERROR(EINVAL); + if (ctx->par_in->codec_id == AV_CODEC_ID_WRAPPED_AVFRAME) { + av_log(ctx, AV_LOG_ERROR, "Wrapped AVFrame noising is unsupported\n"); + return AVERROR_PATCHWELCOME; + } + ret = ff_bsf_get_packet_ref(ctx, pkt); if (ret < 0) return ret; diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 75b14bce5b..21e12c6f1e 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -126,15 +126,15 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, get_quant_quality(c, quality); if (width != c->width || height != c->height) { // also reserve space for a possible additional header - int buf_size = height * width * 3 / 2 + int64_t buf_size = height * (int64_t)width * 3 / 2 + FFMAX(AV_LZO_OUTPUT_PADDING, AV_INPUT_BUFFER_PADDING_SIZE) + RTJPEG_HEADER_SIZE; if (buf_size > INT_MAX/8) return -1; - if ((ret = av_image_check_size(height, width, 0, avctx)) < 0) + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - avctx->width = c->width = width; - avctx->height = c->height = height; + c->width = width; + c->height = height; av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size); if (!c->decomp_buf) { @@ -217,6 +217,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case NUV_RTJPEG: minsize = c->width/16 * (c->height/16) * 6; break; + case NUV_BLACK: + case NUV_COPY_LAST: + case NUV_LZO: + case NUV_RTJPEG_IN_LZO: + break; + default: + av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); + return AVERROR_INVALIDDATA; } if (buf_size < minsize / 4) return AVERROR_INVALIDDATA; @@ -305,9 +313,6 @@ retry: case NUV_COPY_LAST: /* nothing more to do here */ break; - default: - av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); - return AVERROR_INVALIDDATA; } if ((result = av_frame_ref(picture, c->pic)) < 0) diff --git a/libavcodec/nvdec.c b/libavcodec/nvdec.c index b60da24301..88061d353c 100644 --- a/libavcodec/nvdec.c +++ b/libavcodec/nvdec.c @@ -550,6 +550,8 @@ int ff_nvdec_simple_end_frame(AVCodecContext *avctx) NVDECContext *ctx = avctx->internal->hwaccel_priv_data; int ret = ff_nvdec_end_frame(avctx); ctx->bitstream = NULL; + ctx->bitstream_len = 0; + ctx->nb_slices = 0; return ret; } diff --git a/libavcodec/nvdec_mpeg12.c b/libavcodec/nvdec_mpeg12.c index 300e1d3d88..5408ca4c76 100644 --- a/libavcodec/nvdec_mpeg12.c +++ b/libavcodec/nvdec_mpeg12.c @@ -76,8 +76,9 @@ static int nvdec_mpeg12_start_frame(AVCodecContext *avctx, const uint8_t *buffer }; for (i = 0; i < 64; ++i) { - ppc->QuantMatrixIntra[i] = s->intra_matrix[i]; - ppc->QuantMatrixInter[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + ppc->QuantMatrixIntra[i] = s->intra_matrix[n]; + ppc->QuantMatrixInter[i] = s->inter_matrix[n]; } return 0; diff --git a/libavcodec/nvdec_mpeg4.c b/libavcodec/nvdec_mpeg4.c index 739b049933..5404e4e330 100644 --- a/libavcodec/nvdec_mpeg4.c +++ b/libavcodec/nvdec_mpeg4.c @@ -86,8 +86,9 @@ static int nvdec_mpeg4_start_frame(AVCodecContext *avctx, const uint8_t *buffer, }; for (i = 0; i < 64; ++i) { - ppc->QuantMatrixIntra[i] = s->intra_matrix[i]; - ppc->QuantMatrixInter[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + ppc->QuantMatrixIntra[i] = s->intra_matrix[n]; + ppc->QuantMatrixInter[i] = s->inter_matrix[n]; } // We need to pass the full frame buffer and not just the slice diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 3fe64bba8b..ff018fef5f 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -122,7 +122,15 @@ static int nvenc_print_error(void *log_ctx, NVENCSTATUS err, static void nvenc_print_driver_requirement(AVCodecContext *avctx, int level) { -#if NVENCAPI_CHECK_VERSION(9, 0) +#if NVENCAPI_CHECK_VERSION(9, 2) + const char *minver = "(unknown)"; +#elif NVENCAPI_CHECK_VERSION(9, 1) +# if defined(_WIN32) || defined(__CYGWIN__) + const char *minver = "436.15"; +# else + const char *minver = "435.21"; +# endif +#elif NVENCAPI_CHECK_VERSION(9, 0) # if defined(_WIN32) || defined(__CYGWIN__) const char *minver = "418.81"; # else @@ -904,12 +912,18 @@ static av_cold void nvenc_setup_rate_control(AVCodecContext *avctx) if (ctx->zerolatency) ctx->encode_config.rcParams.zeroReorderDelay = 1; - if (ctx->quality) - { + if (ctx->quality) { //convert from float to fixed point 8.8 int tmp_quality = (int)(ctx->quality * 256.0f); ctx->encode_config.rcParams.targetQuality = (uint8_t)(tmp_quality >> 8); ctx->encode_config.rcParams.targetQualityLSB = (uint8_t)(tmp_quality & 0xff); + + av_log(avctx, AV_LOG_VERBOSE, "CQ(%d) mode enabled.\n", tmp_quality); + + // CQ mode shall discard avg bitrate/vbv buffer size and honor only max bitrate + ctx->encode_config.rcParams.averageBitRate = avctx->bit_rate = 0; + ctx->encode_config.rcParams.vbvBufferSize = avctx->rc_buffer_size = 0; + ctx->encode_config.rcParams.maxBitRate = avctx->rc_max_rate; } } @@ -1156,8 +1170,13 @@ static av_cold int nvenc_setup_encoder(AVCodecContext *avctx) ctx->init_encode_params.darHeight = dh; ctx->init_encode_params.darWidth = dw; - ctx->init_encode_params.frameRateNum = avctx->time_base.den; - ctx->init_encode_params.frameRateDen = avctx->time_base.num * avctx->ticks_per_frame; + if (avctx->framerate.num > 0 && avctx->framerate.den > 0) { + ctx->init_encode_params.frameRateNum = avctx->framerate.num; + ctx->init_encode_params.frameRateDen = avctx->framerate.den; + } else { + ctx->init_encode_params.frameRateNum = avctx->time_base.den; + ctx->init_encode_params.frameRateDen = avctx->time_base.num * avctx->ticks_per_frame; + } ctx->init_encode_params.enableEncodeAsync = 0; ctx->init_encode_params.enablePTD = 1; @@ -1775,10 +1794,11 @@ static int nvenc_set_timestamp(AVCodecContext *avctx, pkt->dts = ts0 - delta; ctx->first_packet_output = 1; - return 0; + } else { + pkt->dts = timestamp_queue_dequeue(ctx->timestamp_list); } - pkt->dts = timestamp_queue_dequeue(ctx->timestamp_list); + pkt->dts -= avctx->max_b_frames; return 0; } @@ -1828,7 +1848,11 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur goto error; } - if (res = ff_alloc_packet2(avctx, pkt, lock_params.bitstreamSizeInBytes,0)) { + res = pkt->data ? + ff_alloc_packet2(avctx, pkt, lock_params.bitstreamSizeInBytes, lock_params.bitstreamSizeInBytes) : + av_new_packet(pkt, lock_params.bitstreamSizeInBytes); + + if (res < 0) { p_nvenc->nvEncUnlockBitstream(ctx->nvencoder, tmpoutsurf->output_surface); goto error; } diff --git a/libavcodec/omx.c b/libavcodec/omx.c index a1e5a46a54..a555c3c07d 100644 --- a/libavcodec/omx.c +++ b/libavcodec/omx.c @@ -473,9 +473,9 @@ static av_cold int omx_component_init(AVCodecContext *avctx, const char *role) in_port_params.format.video.nFrameWidth = avctx->width; in_port_params.format.video.nFrameHeight = avctx->height; if (avctx->framerate.den > 0 && avctx->framerate.num > 0) - in_port_params.format.video.xFramerate = (1 << 16) * avctx->framerate.num / avctx->framerate.den; + in_port_params.format.video.xFramerate = (1LL << 16) * avctx->framerate.num / avctx->framerate.den; else - in_port_params.format.video.xFramerate = (1 << 16) * avctx->time_base.den / avctx->time_base.num; + in_port_params.format.video.xFramerate = (1LL << 16) * avctx->time_base.den / avctx->time_base.num; err = OMX_SetParameter(s->handle, OMX_IndexParamPortDefinition, &in_port_params); CHECK(err); @@ -644,10 +644,6 @@ static av_cold int omx_encode_init(AVCodecContext *avctx) OMX_BUFFERHEADERTYPE *buffer; OMX_ERRORTYPE err; -#if CONFIG_OMX_RPI - s->input_zerocopy = 1; -#endif - s->omx_context = omx_init(avctx, s->libname, s->libprefix); if (!s->omx_context) return AVERROR_ENCODER_NOT_FOUND; @@ -739,6 +735,7 @@ static int omx_encode_frame(AVCodecContext *avctx, AVPacket *pkt, int ret = 0; OMX_BUFFERHEADERTYPE* buffer; OMX_ERRORTYPE err; + int had_partial = 0; if (frame) { uint8_t *dst[4]; @@ -830,7 +827,7 @@ static int omx_encode_frame(AVCodecContext *avctx, AVPacket *pkt, // packet, or get EOS. buffer = get_buffer(&s->output_mutex, &s->output_cond, &s->num_done_out_buffers, s->done_out_buffers, - !frame); + !frame || had_partial); if (!buffer) break; @@ -865,6 +862,9 @@ static int omx_encode_frame(AVCodecContext *avctx, AVPacket *pkt, s->output_buf = NULL; s->output_buf_size = 0; } +#if CONFIG_OMX_RPI + had_partial = 1; +#endif } else { // End of frame, and the caller provided a preallocated frame if ((ret = ff_alloc_packet2(avctx, pkt, s->output_buf_size + buffer->nFilledLen, 0)) < 0) { @@ -913,7 +913,7 @@ static av_cold int omx_encode_end(AVCodecContext *avctx) static const AVOption options[] = { { "omx_libname", "OpenMAX library name", OFFSET(libname), AV_OPT_TYPE_STRING, { 0 }, 0, 0, VDE }, { "omx_libprefix", "OpenMAX library prefix", OFFSET(libprefix), AV_OPT_TYPE_STRING, { 0 }, 0, 0, VDE }, - { "zerocopy", "Try to avoid copying input frames if possible", OFFSET(input_zerocopy), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE }, + { "zerocopy", "Try to avoid copying input frames if possible", OFFSET(input_zerocopy), AV_OPT_TYPE_INT, { .i64 = CONFIG_OMX_RPI }, 0, 1, VE }, { "profile", "Set the encoding profile", OFFSET(profile), AV_OPT_TYPE_INT, { .i64 = FF_PROFILE_UNKNOWN }, FF_PROFILE_UNKNOWN, FF_PROFILE_H264_HIGH, VE, "profile" }, { "baseline", "", 0, AV_OPT_TYPE_CONST, { .i64 = FF_PROFILE_H264_BASELINE }, 0, 0, VE, "profile" }, { "main", "", 0, AV_OPT_TYPE_CONST, { .i64 = FF_PROFILE_H264_MAIN }, 0, 0, VE, "profile" }, diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 3e19810a94..9fe3789692 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -267,6 +267,7 @@ int ff_combine_frame(ParseContext *pc, int next, } pc->buffer = new_buffer; memcpy(&pc->buffer[pc->index], *buf, *buf_size); + memset(&pc->buffer[pc->index + *buf_size], 0, AV_INPUT_BUFFER_PADDING_SIZE); pc->index += *buf_size; return -1; } diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index ffcbccc77d..7178c988bd 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -264,6 +264,9 @@ static av_cold int pcm_decode_init(AVCodecContext *avctx) break; case AV_CODEC_ID_PCM_F16LE: case AV_CODEC_ID_PCM_F24LE: + if (avctx->bits_per_coded_sample < 1 || avctx->bits_per_coded_sample > 24) + return AVERROR_INVALIDDATA; + s->scale = 1. / (1 << (avctx->bits_per_coded_sample - 1)); s->fdsp = avpriv_float_dsp_alloc(0); if (!s->fdsp) @@ -303,7 +306,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx) #define DECODE(size, endian, src, dst, n, shift, offset) \ for (; n > 0; n--) { \ uint ## size ## _t v = bytestream_get_ ## endian(&src); \ - AV_WN ## size ## A(dst, (v - offset) << shift); \ + AV_WN ## size ## A(dst, (uint ## size ## _t)(v - offset) << shift); \ dst += size / 8; \ } @@ -314,7 +317,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx) dst = frame->extended_data[c]; \ for (i = n; i > 0; i--) { \ uint ## size ## _t v = bytestream_get_ ## endian(&src); \ - AV_WN ## size ## A(dst, (v - offset) << shift); \ + AV_WN ## size ## A(dst, (uint ## size ##_t)(v - offset) << shift); \ dst += size / 8; \ } \ } @@ -512,13 +515,13 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, dst_int32_t = (int32_t *)frame->extended_data[c]; for (i = 0; i < n; i++) { // extract low 20 bits and expand to 32 bits - *dst_int32_t++ = (src[2] << 28) | + *dst_int32_t++ = ((uint32_t)src[2]<<28) | (src[1] << 20) | (src[0] << 12) | ((src[2] & 0x0F) << 8) | src[1]; // extract high 20 bits and expand to 32 bits - *dst_int32_t++ = (src[4] << 24) | + *dst_int32_t++ = ((uint32_t)src[4]<<24) | (src[3] << 16) | ((src[2] & 0xF0) << 8) | (src[4] << 4) | diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 8c10f6d573..7fadcb8b4b 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -691,8 +691,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size, ret = AVERROR_INVALIDDATA; break; } - if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) + if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) { + avsubtitle_free(data); + *data_size = 0; return ret; + } buf += segment_length; } diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 2e6fcdca52..31b25bbff5 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -231,8 +231,6 @@ static int decode_frame(AVCodecContext *avctx, run = bytestream2_get_le16(&s->g); val = bytestream2_get_byte(&s->g); } - if (!bytestream2_get_bytes_left(&s->g)) - break; if (bits_per_plane == 8) { picmemset_8bpp(s, frame, val, run, &x, &y); diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 03a2cdacc8..b17288e391 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -221,7 +221,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, length = 25 - nbits; while (i < size) { - if (state >> 8 != -3) + if (((state >> 8) + 3) & 0xFFFFFFF) value = ff_clz((state >> 8) + 3) ^ 0x1F; else value = -1; @@ -230,8 +230,8 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, if (cnt1 >= length) { cnt1 = get_bits(bc, nbits); } else { - pfx = 14 + ((((uint64_t)(value - 14)) >> 32) & (value - 14)); - if (pfx < 1 || pfx > 25) + pfx = FFMIN(value, 14); + if (pfx < 1) return AVERROR_INVALIDDATA; cnt1 *= (1 << pfx) - 1; shbits = show_bits(bc, pfx); @@ -404,7 +404,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) low [i - 1] * -INT64_C(325392907) + (int64_t) high[i + 0] * INT64_C(1518500249) + (int64_t) high[i - 1] * INT64_C(1518500249); - dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } for (i = 0; i < hsize; i++) { @@ -415,7 +415,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) high[i + 1] * INT64_C(303700064) + (int64_t) high[i + 0] * -INT64_C(3644400640) + (int64_t) high[i - 1] * INT64_C(303700064); - dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } } diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index bf5a5191cc..16056a7f89 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -309,7 +309,7 @@ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type, static void deloco_ ## NAME(TYPE *dst, int size, int alpha) \ { \ int i; \ - for (i = 0; i < size; i += 3 + alpha) { \ + for (i = 0; i < size - 2; i += 3 + alpha) { \ int g = dst [i + 1]; \ dst[i + 0] += g; \ dst[i + 2] += g; \ @@ -621,6 +621,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, int ret; size_t byte_depth = s->bit_depth > 8 ? 2 : 1; + if (!p) + return AVERROR_INVALIDDATA; if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n"); return AVERROR_INVALIDDATA; @@ -973,6 +975,11 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } + if (s->pic_state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "fctl after IDAT\n"); + return AVERROR_INVALIDDATA; + } + s->last_w = s->cur_w; s->last_h = s->cur_h; s->last_x_offset = s->x_offset; @@ -1242,7 +1249,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, case MKTAG('f', 'd', 'A', 'T'): if (!CONFIG_APNG_DECODER || avctx->codec_id != AV_CODEC_ID_APNG) goto skip_tag; - if (!decode_next_dat) { + if (!decode_next_dat || length < 4) { ret = AVERROR_INVALIDDATA; goto fail; } @@ -1290,7 +1297,9 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, break; } case MKTAG('i', 'C', 'C', 'P'): { - if (decode_iccp_chunk(s, length, p) < 0) + if (!p) + return AVERROR_INVALIDDATA; + if ((ret = decode_iccp_chunk(s, length, p)) < 0) goto fail; break; } @@ -1348,6 +1357,9 @@ skip_tag: } exit_loop: + if (!p) + return AVERROR_INVALIDDATA; + if (avctx->codec_id == AV_CODEC_ID_PNG && avctx->skip_frame == AVDISCARD_ALL) { return 0; @@ -1494,7 +1506,7 @@ static int decode_frame_apng(AVCodecContext *avctx, s->zstream.zfree = ff_png_zfree; bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size); - if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0) + if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0) goto end; } @@ -1547,7 +1559,7 @@ static int decode_frame_lscr(AVCodecContext *avctx, return ret; nb_blocks = bytestream2_get_le16(gb); - if (bytestream2_get_bytes_left(gb) < 2 + nb_blocks * 12) + if (bytestream2_get_bytes_left(gb) < 2 + nb_blocks * (12 + 8)) return AVERROR_INVALIDDATA; if (s->last_picture.f->data[0]) { diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c index d4d8dc8b5e..0ca779a707 100644 --- a/libavcodec/pngenc.c +++ b/libavcodec/pngenc.c @@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = { AV_PIX_FMT_PAL8, AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A, AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE, - AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE + AV_PIX_FMT_NONE }, .priv_class = &apngenc_class, }; diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index a9771710c2..9c9ae0dd7e 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -112,6 +112,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) return AVERROR_INVALIDDATA; } } + if (!pnm_space(s->bytestream[-1])) + return AVERROR_INVALIDDATA; + /* check that all tags are present */ if (w <= 0 || h <= 0 || maxval <= 0 || maxval > UINT16_MAX || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) @@ -192,6 +195,10 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) } }else s->maxval=1; + + if (!pnm_space(s->bytestream[-1])) + return AVERROR_INVALIDDATA; + /* more check if YUV420 */ if (av_pix_fmt_desc_get(avctx->pix_fmt)->flags & AV_PIX_FMT_FLAG_PLANAR) { if ((avctx->width & 1) != 0) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index 5339bebde9..10a215f3c6 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -92,8 +92,11 @@ retry: sync = bs; c = *bs++; if (c == '#') { - while (c != '\n' && bs < end) - c = *bs++; + uint8_t *match = memchr(bs, '\n', end-bs); + if (match) + bs = match + 1; + else + break; } else if (c == 'P') { next = bs - pnmctx.bytestream_start + skip - 1; pnmpc->ascii_scan = 0; @@ -103,8 +106,10 @@ retry: if (next == END_NOT_FOUND) pnmpc->ascii_scan = sync - pnmctx.bytestream + skip; } else { - next = pnmctx.bytestream - pnmctx.bytestream_start + skip - + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + next = pnmctx.bytestream - pnmctx.bytestream_start + skip; + if (ret >= 0 && next + (uint64_t)ret <= INT_MAX) + next += ret; } if (next != END_NOT_FOUND && pnmctx.bytestream_start != buf + skip) next -= pc->index; diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index 958c5e43b0..b625d8d3c4 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -132,7 +132,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, init_put_bits(&pb, ptr, linesize); for(j=0; jwidth * components; j++){ unsigned int c=0; - int v=0; + unsigned v=0; if(s->type < 4) while(s->bytestream < s->bytestream_end && (*s->bytestream < '0' || *s->bytestream > '9' )) s->bytestream++; @@ -172,7 +172,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, } else if (upgrade == 2) { unsigned int j, v, f = (65535 * 32768 + s->maxval / 2) / s->maxval; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } } @@ -226,7 +226,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; for (i = 0; i < avctx->height; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } s->bytestream += n; @@ -238,13 +238,13 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, h = avctx->height >> 1; for (i = 0; i < h; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr1[j] = (v * f + 16384) >> 15; } s->bytestream += n; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr2[j] = (v * f + 16384) >> 15; } s->bytestream += n; diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 2652a31c81..8365f0d3dc 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -488,7 +488,7 @@ static av_always_inline int decode_ac_coeffs(AVCodecContext *avctx, GetBitContex for (pos = block_mask;;) { bits_left = gb->size_in_bits - re_index; - if (!bits_left || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) + if (bits_left <= 0 || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) break; DECODE_CODEWORD(run, run_to_cb[FFMIN(run, 15)], LAST_SKIP_BITS); diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index 0fc79fc1de..1fcb0ae913 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -224,7 +224,7 @@ static void encode_codeword(PutBitContext *pb, int val, int codebook) } #define QSCALE(qmat,ind,val) ((val) / ((qmat)[ind])) -#define TO_GOLOMB(val) (((val) << 1) ^ ((val) >> 31)) +#define TO_GOLOMB(val) (((val) * 2) ^ ((val) >> 31)) #define DIFF_SIGN(val, sign) (((val) >> 31) ^ (sign)) #define IS_NEGATIVE(val) ((((val) >> 31) ^ -1) + 1) #define TO_GOLOMB2(val,sign) ((val)==0 ? 0 : ((val) << 1) + (sign)) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index e045a972f1..98331be0a9 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -3,9 +3,6 @@ * * Copyright (c) 2012 Konstantin Shishkov * - * This encoder appears to be based on Anatoliy Wassermans considering - * similarities in the bugs. - * * This file is part of FFmpeg. * * FFmpeg is free software; you can redistribute it and/or @@ -342,7 +339,7 @@ static void get_slice_data(ProresContext *ctx, const uint16_t *src, static void get_alpha_data(ProresContext *ctx, const uint16_t *src, ptrdiff_t linesize, int x, int y, int w, int h, - int16_t *blocks, int mbs_per_slice, int abits) + uint16_t *blocks, int mbs_per_slice, int abits) { const int slice_width = 16 * mbs_per_slice; int i, j, copy_w, copy_h; diff --git a/libavcodec/ptx.c b/libavcodec/ptx.c index 42147f4afc..19f9305cda 100644 --- a/libavcodec/ptx.c +++ b/libavcodec/ptx.c @@ -55,6 +55,9 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, buf += offset; + if (buf_end - buf < w * bytes_per_pixel) + return AVERROR_INVALIDDATA; + if ((ret = ff_set_dimensions(avctx, w, h)) < 0) return ret; diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index eaffb36dcc..657b2da64d 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1334,6 +1334,9 @@ static void qdm2_fft_decode_tones(QDM2Context *q, int duration, if (q->frequency_range > (local_int_14 + 1)) { int sub_packet = (local_int_20 + local_int_28); + if (q->fft_coefs_index + stereo >= FF_ARRAY_ELEMS(q->fft_coefs)) + return; + qdm2_fft_init_coefficient(q, sub_packet, offset, duration, channel, exp, phase); if (stereo) @@ -1704,7 +1707,7 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->group_size = bytestream2_get_be32(&gb); s->fft_size = bytestream2_get_be32(&gb); s->checksum_size = bytestream2_get_be32(&gb); - if (s->checksum_size >= 1U << 28 || !s->checksum_size) { + if (s->checksum_size >= 1U << 28 || s->checksum_size <= 1) { av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size); return AVERROR_INVALIDDATA; } @@ -1727,6 +1730,11 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->sub_sampling = s->fft_order - 7; s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); + if (s->frame_size * 4 >> s->sub_sampling > MPA_FRAME_SIZE) { + avpriv_request_sample(avctx, "large frames"); + return AVERROR_PATCHWELCOME; + } + switch ((s->sub_sampling * 2 + s->channels - 1)) { case 0: tmp = 40; break; case 1: tmp = 48; break; diff --git a/libavcodec/qdmc.c b/libavcodec/qdmc.c index 8bea1552e1..10ceb7aa55 100644 --- a/libavcodec/qdmc.c +++ b/libavcodec/qdmc.c @@ -367,6 +367,8 @@ static int qdmc_get_vlc(GetBitContext *gb, VLC *table, int flag) { int v; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; v = get_vlc2(gb, table->table, table->bits, 1); if (v < 0) return AVERROR_INVALIDDATA; diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 32ba410968..c04c756d71 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -369,7 +369,7 @@ static int decode_frame(AVCodecContext *avctx, bytestream2_skip(&gbc, 18); colors = bytestream2_get_be16(&gbc); - if (colors < 0 || colors > 256) { + if (colors < 0 || colors > 255) { av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return AVERROR_INVALIDDATA; @@ -455,6 +455,8 @@ static int decode_frame(AVCodecContext *avctx, avpriv_request_sample(avctx, "Pack type %d", pack_type); return AVERROR_PATCHWELCOME; } + if (bytestream2_get_bytes_left(&gbc) < 30) + return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; diff --git a/libavcodec/qpeldsp.c b/libavcodec/qpeldsp.c index 6e52b33657..d99b8fd0ba 100644 --- a/libavcodec/qpeldsp.c +++ b/libavcodec/qpeldsp.c @@ -198,7 +198,7 @@ static void OPNAME ## qpel8_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full, half, stride, 16, 8, 8); \ } \ @@ -208,7 +208,7 @@ static void OPNAME ## qpel8_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[16 * 9]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ OPNAME ## mpeg4_qpel8_v_lowpass(dst, full, stride, 16); \ } \ \ @@ -218,7 +218,7 @@ static void OPNAME ## qpel8_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full + 16, half, stride, 16, 8, 8); \ } \ @@ -458,7 +458,7 @@ static void OPNAME ## qpel16_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full, half, stride, 24, 16, 16); \ } \ @@ -468,7 +468,7 @@ static void OPNAME ## qpel16_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[24 * 17]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ OPNAME ## mpeg4_qpel16_v_lowpass(dst, full, stride, 24); \ } \ \ @@ -478,7 +478,7 @@ static void OPNAME ## qpel16_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full + 24, half, stride, 24, 16, 16); \ } \ diff --git a/libavcodec/r210enc.c b/libavcodec/r210enc.c index 02412f3684..31903f34a5 100644 --- a/libavcodec/r210enc.c +++ b/libavcodec/r210enc.c @@ -31,7 +31,7 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->bits_per_coded_sample = 32; if (avctx->width > 0) - avctx->bit_rate = ff_guess_coded_bitrate(avctx) * aligned_width / avctx->width; + avctx->bit_rate = av_rescale(ff_guess_coded_bitrate(avctx), aligned_width, avctx->width); return 0; } diff --git a/libavcodec/ra144enc.c b/libavcodec/ra144enc.c index cc4f381606..059f582334 100644 --- a/libavcodec/ra144enc.c +++ b/libavcodec/ra144enc.c @@ -477,8 +477,8 @@ static int ra144_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, LPC_ORDER, 16, lpc_coefs, shift, FF_LPC_TYPE_LEVINSON, 0, ORDER_METHOD_EST, 0, 12, 0); for (i = 0; i < LPC_ORDER; i++) - block_coefs[NBLOCKS - 1][i] = -(lpc_coefs[LPC_ORDER - 1][i] << - (12 - shift[LPC_ORDER - 1])); + block_coefs[NBLOCKS - 1][i] = -lpc_coefs[LPC_ORDER - 1][i] + * (1 << (12 - shift[LPC_ORDER - 1])); /** * TODO: apply perceptual weighting of the input speech through bandwidth diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 3f7953c6db..406326779a 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -220,7 +220,7 @@ static inline int extend_code(GetBitContext *gb, int val, int range, int bits) val -= range; } if (bits) - val = (val << bits) | get_bits(gb, bits); + val = ((unsigned)val << bits) | get_bits(gb, bits); return val; } @@ -234,8 +234,10 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, int *dst = ctx->channel_data[ch]; ctx->filter_params = get_vlc2(gb, set->filter_params.table, 9, 2); - ctx->filter_bits = (ctx->filter_params - 2) >> 6; - ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1; + if (ctx->filter_params > 1) { + ctx->filter_bits = (ctx->filter_params - 2) >> 6; + ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1; + } if (ctx->filter_params == FILTER_RAW) { for (i = 0; i < length; i++) @@ -262,8 +264,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, vlc[cmode].table, vlc[cmode].bits, 2); t = extend_code(gb, t, 21, add_bits); if (!cmode) - coeff -= 12 << add_bits; - coeff = t - coeff; + coeff -= 12U << add_bits; + coeff = (unsigned)t - coeff; ctx->filter[i] = coeff; cmode = coeff >> add_bits; @@ -286,7 +288,7 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, add_bits--; range = 10; range2 = 21; - code_vlc = set->long_codes + code_params - 15; + code_vlc = set->long_codes + (code_params - 15); } else { add_bits = 0; range = 6; @@ -300,8 +302,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, code_vlc->table, code_vlc->bits, 2); code1 = t / range2; code2 = t % range2; - dst[i] = extend_code(gb, code1, range, 0) << add_bits; - dst[i + 1] = extend_code(gb, code2, range, 0) << add_bits; + dst[i] = extend_code(gb, code1, range, 0) * (1U << add_bits); + dst[i + 1] = extend_code(gb, code2, range, 0) * (1U << add_bits); if (add_bits) { dst[i] |= get_bits(gb, add_bits); dst[i + 1] |= get_bits(gb, add_bits); @@ -323,12 +325,12 @@ static void apply_lpc(RALFContext *ctx, int ch, int length, int bits) acc = 0; for (j = 0; j < flen; j++) - acc += ctx->filter[j] * audio[i - j - 1]; + acc += (unsigned)ctx->filter[j] * audio[i - j - 1]; if (acc < 0) { acc = (acc + bias - 1) >> ctx->filter_bits; acc = FFMAX(acc, min_clip); } else { - acc = (acc + bias) >> ctx->filter_bits; + acc = ((unsigned)acc + bias) >> ctx->filter_bits; acc = FFMIN(acc, max_clip); } audio[i] += acc; @@ -342,7 +344,8 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, int len, ch, ret; int dmode, mode[2], bits[2]; int *ch0, *ch1; - int i, t, t2; + int i; + unsigned int t, t2; len = 12 - get_unary(gb, 0, 6); @@ -406,9 +409,9 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, case 4: for (i = 0; i < len; i++) { t = ch1[i] + ctx->bias[1]; - t2 = ((ch0[i] + ctx->bias[0]) << 1) | (t & 1); - dst0[i] = (t2 + t) / 2; - dst1[i] = (t2 - t) / 2; + t2 = ((ch0[i] + ctx->bias[0]) * 2) | (t & 1); + dst0[i] = (int)(t2 + t) / 2; + dst1[i] = (int)(t2 - t) / 2; } break; } @@ -479,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, init_get_bits(&gb, src + 2, table_size); ctx->num_blocks = 0; while (get_bits_left(&gb) > 0) { + if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size)) + return AVERROR_INVALIDDATA; ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels); if (get_bits1(&gb)) { ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9); diff --git a/libavcodec/rangecoder.h b/libavcodec/rangecoder.h index 4d4ca4d526..b6f56b5737 100644 --- a/libavcodec/rangecoder.h +++ b/libavcodec/rangecoder.h @@ -71,7 +71,6 @@ void ff_build_rac_states(RangeCoder *c, int factor, int max_p); static inline void renorm_encoder(RangeCoder *c) { // FIXME: optimize - while (c->range < 0x100) { if (c->outstanding_byte < 0) { c->outstanding_byte = c->low >> 8; } else if (c->low <= 0xFF00) { @@ -90,7 +89,6 @@ static inline void renorm_encoder(RangeCoder *c) c->low = (c->low & 0xFF) << 8; c->range <<= 8; - } } static inline int get_rac_count(RangeCoder *c) @@ -117,7 +115,8 @@ static inline void put_rac(RangeCoder *c, uint8_t *const state, int bit) *state = c->one_state[*state]; } - renorm_encoder(c); + while (c->range < 0x100) + renorm_encoder(c); } static inline void refill(RangeCoder *c) diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index 21fc43f325..598bb395b4 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -70,6 +70,9 @@ static void clear_plane(AVCodecContext *avctx, AVFrame *frame) RASCContext *s = avctx->priv_data; uint8_t *dst = frame->data[0]; + if (!dst) + return; + for (int y = 0; y < avctx->height; y++) { memset(dst, 0, avctx->width * s->bpp); dst += frame->linesize[0]; diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 53f5b76e93..a110a690f5 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -223,7 +223,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, FFALIGN(avctx->width, 16), avctx->height, 1); } else { - context->is_lt_16bpp = av_get_bits_per_pixel(desc) == 16 && avctx->bits_per_coded_sample && avctx->bits_per_coded_sample < 16; + context->is_lt_16bpp = av_get_bits_per_pixel(desc) == 16 && avctx->bits_per_coded_sample > 8 && avctx->bits_per_coded_sample < 16; context->frame_size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); } @@ -467,10 +467,13 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, avctx->pix_fmt == AV_PIX_FMT_RGBA64BE) { uint8_t *dst = frame->data[0]; uint64_t v; - int x; - for (x = 0; x >> 3 < avctx->width * avctx->height; x += 8) { - v = AV_RB64(&dst[x]); - AV_WB64(&dst[x], v << 16 | v >> 48); + int x, y; + for (y = 0; y < avctx->height; y++) { + for (x = 0; x >> 3 < avctx->width; x += 8) { + v = AV_RB64(&dst[x]); + AV_WB64(&dst[x], v << 16 | v >> 48); + } + dst += frame->linesize[0]; } } diff --git a/libavcodec/rl2.c b/libavcodec/rl2.c index 6662979c52..2d336a61e5 100644 --- a/libavcodec/rl2.c +++ b/libavcodec/rl2.c @@ -134,10 +134,15 @@ static av_cold int rl2_decode_init(AVCodecContext *avctx) Rl2Context *s = avctx->priv_data; int back_size; int i; + int ret; s->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 320, 200); + if (ret < 0) + return ret; + /** parse extra data */ if (!avctx->extradata || avctx->extradata_size < EXTRADATA1_SIZE) { av_log(avctx, AV_LOG_ERROR, "invalid extradata size\n"); diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index f494c30ed8..e306b4a204 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -300,6 +300,10 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto end; } + if (ctx->inflated_size < pixel_size) { + ret = AVERROR_INVALIDDATA; + goto end; + } ret = uncompress(ctx->inflated_buf, &len, gbc->buffer, packed_size); if (ret) { av_log(avctx, AV_LOG_ERROR, "Pixel deflate error %d.\n", ret); diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c index 5579bd9bed..2ac791d674 100644 --- a/libavcodec/rv40dsp.c +++ b/libavcodec/rv40dsp.c @@ -385,7 +385,7 @@ static void rv40_weight_func_rnd_ ## size (uint8_t *dst, uint8_t *src1, uint8_t \ for (j = 0; j < size; j++) {\ for (i = 0; i < size; i++)\ - dst[i] = (((w2 * src1[i]) >> 9) + ((w1 * src2[i]) >> 9) + 0x10) >> 5;\ + dst[i] = ((((unsigned)w2 * src1[i]) >> 9) + (((unsigned)w1 * src2[i]) >> 9) + 0x10) >> 5;\ src1 += stride;\ src2 += stride;\ dst += stride;\ @@ -397,7 +397,7 @@ static void rv40_weight_func_nornd_ ## size (uint8_t *dst, uint8_t *src1, uint8_ \ for (j = 0; j < size; j++) {\ for (i = 0; i < size; i++)\ - dst[i] = (w2 * src1[i] + w1 * src2[i] + 0x10) >> 5;\ + dst[i] = ((unsigned)w2 * src1[i] + (unsigned)w1 * src2[i] + 0x10) >> 5;\ src1 += stride;\ src2 += stride;\ dst += stride;\ diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 25aee7220f..d0000ebd0c 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -491,6 +491,11 @@ static av_cold int decode_init(AVCodecContext *avctx) ctx->avctx = avctx; ctx->version = !avctx->extradata_size; + // early sanity check before allocations to avoid need for deallocation code. + if (!ctx->version && avctx->extradata_size < 1026) { + av_log(avctx, AV_LOG_ERROR, "Not enough extradata.\n"); + return AVERROR_INVALIDDATA; + } avctx->pix_fmt = ctx->version ? AV_PIX_FMT_RGB565 : AV_PIX_FMT_PAL8; @@ -506,11 +511,6 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!ctx->version) { int i; - if (avctx->extradata_size < 1026) { - av_log(avctx, AV_LOG_ERROR, "Not enough extradata.\n"); - return AVERROR_INVALIDDATA; - } - ctx->subversion = AV_RL16(avctx->extradata); for (i = 0; i < PALETTE_SIZE; i++) ctx->pal[i] = 0xFFU << 24 | AV_RL32(avctx->extradata + 2 + i * 4); diff --git a/libavcodec/sbcdec.c b/libavcodec/sbcdec.c index 546b38c106..d8ea6855fe 100644 --- a/libavcodec/sbcdec.c +++ b/libavcodec/sbcdec.c @@ -227,10 +227,10 @@ static inline void sbc_synthesize_four(struct sbc_decoder_state *state, /* Distribute the new matrix value to the shifted position */ v[offset[i]] = - ( ff_synmatrix4[i][0] * frame->sb_sample[blk][ch][0] + - ff_synmatrix4[i][1] * frame->sb_sample[blk][ch][1] + - ff_synmatrix4[i][2] * frame->sb_sample[blk][ch][2] + - ff_synmatrix4[i][3] * frame->sb_sample[blk][ch][3] ) >> 15; + (int)( (unsigned)ff_synmatrix4[i][0] * frame->sb_sample[blk][ch][0] + + (unsigned)ff_synmatrix4[i][1] * frame->sb_sample[blk][ch][1] + + (unsigned)ff_synmatrix4[i][2] * frame->sb_sample[blk][ch][2] + + (unsigned)ff_synmatrix4[i][3] * frame->sb_sample[blk][ch][3] ) >> 15; } /* Compute the samples */ @@ -239,16 +239,16 @@ static inline void sbc_synthesize_four(struct sbc_decoder_state *state, /* Store in output, Q0 */ AV_WN16A(&output_frame->data[ch][blk * 8 + i * 2], av_clip_int16( - ( v[offset[i] + 0] * ff_sbc_proto_4_40m0[idx + 0] + - v[offset[k] + 1] * ff_sbc_proto_4_40m1[idx + 0] + - v[offset[i] + 2] * ff_sbc_proto_4_40m0[idx + 1] + - v[offset[k] + 3] * ff_sbc_proto_4_40m1[idx + 1] + - v[offset[i] + 4] * ff_sbc_proto_4_40m0[idx + 2] + - v[offset[k] + 5] * ff_sbc_proto_4_40m1[idx + 2] + - v[offset[i] + 6] * ff_sbc_proto_4_40m0[idx + 3] + - v[offset[k] + 7] * ff_sbc_proto_4_40m1[idx + 3] + - v[offset[i] + 8] * ff_sbc_proto_4_40m0[idx + 4] + - v[offset[k] + 9] * ff_sbc_proto_4_40m1[idx + 4] ) >> 15)); + (int)( (unsigned)v[offset[i] + 0] * ff_sbc_proto_4_40m0[idx + 0] + + (unsigned)v[offset[k] + 1] * ff_sbc_proto_4_40m1[idx + 0] + + (unsigned)v[offset[i] + 2] * ff_sbc_proto_4_40m0[idx + 1] + + (unsigned)v[offset[k] + 3] * ff_sbc_proto_4_40m1[idx + 1] + + (unsigned)v[offset[i] + 4] * ff_sbc_proto_4_40m0[idx + 2] + + (unsigned)v[offset[k] + 5] * ff_sbc_proto_4_40m1[idx + 2] + + (unsigned)v[offset[i] + 6] * ff_sbc_proto_4_40m0[idx + 3] + + (unsigned)v[offset[k] + 7] * ff_sbc_proto_4_40m1[idx + 3] + + (unsigned)v[offset[i] + 8] * ff_sbc_proto_4_40m0[idx + 4] + + (unsigned)v[offset[k] + 9] * ff_sbc_proto_4_40m1[idx + 4] ) >> 15)); } } @@ -270,14 +270,14 @@ static inline void sbc_synthesize_eight(struct sbc_decoder_state *state, /* Distribute the new matrix value to the shifted position */ v[offset[i]] = - ( ff_synmatrix8[i][0] * frame->sb_sample[blk][ch][0] + - ff_synmatrix8[i][1] * frame->sb_sample[blk][ch][1] + - ff_synmatrix8[i][2] * frame->sb_sample[blk][ch][2] + - ff_synmatrix8[i][3] * frame->sb_sample[blk][ch][3] + - ff_synmatrix8[i][4] * frame->sb_sample[blk][ch][4] + - ff_synmatrix8[i][5] * frame->sb_sample[blk][ch][5] + - ff_synmatrix8[i][6] * frame->sb_sample[blk][ch][6] + - ff_synmatrix8[i][7] * frame->sb_sample[blk][ch][7] ) >> 15; + (int)( (unsigned)ff_synmatrix8[i][0] * frame->sb_sample[blk][ch][0] + + (unsigned)ff_synmatrix8[i][1] * frame->sb_sample[blk][ch][1] + + (unsigned)ff_synmatrix8[i][2] * frame->sb_sample[blk][ch][2] + + (unsigned)ff_synmatrix8[i][3] * frame->sb_sample[blk][ch][3] + + (unsigned)ff_synmatrix8[i][4] * frame->sb_sample[blk][ch][4] + + (unsigned)ff_synmatrix8[i][5] * frame->sb_sample[blk][ch][5] + + (unsigned)ff_synmatrix8[i][6] * frame->sb_sample[blk][ch][6] + + (unsigned)ff_synmatrix8[i][7] * frame->sb_sample[blk][ch][7] ) >> 15; } /* Compute the samples */ @@ -286,16 +286,16 @@ static inline void sbc_synthesize_eight(struct sbc_decoder_state *state, /* Store in output, Q0 */ AV_WN16A(&output_frame->data[ch][blk * 16 + i * 2], av_clip_int16( - ( v[offset[i] + 0] * ff_sbc_proto_8_80m0[idx + 0] + - v[offset[k] + 1] * ff_sbc_proto_8_80m1[idx + 0] + - v[offset[i] + 2] * ff_sbc_proto_8_80m0[idx + 1] + - v[offset[k] + 3] * ff_sbc_proto_8_80m1[idx + 1] + - v[offset[i] + 4] * ff_sbc_proto_8_80m0[idx + 2] + - v[offset[k] + 5] * ff_sbc_proto_8_80m1[idx + 2] + - v[offset[i] + 6] * ff_sbc_proto_8_80m0[idx + 3] + - v[offset[k] + 7] * ff_sbc_proto_8_80m1[idx + 3] + - v[offset[i] + 8] * ff_sbc_proto_8_80m0[idx + 4] + - v[offset[k] + 9] * ff_sbc_proto_8_80m1[idx + 4] ) >> 15)); + (int)( (unsigned)v[offset[i] + 0] * ff_sbc_proto_8_80m0[idx + 0] + + (unsigned)v[offset[k] + 1] * ff_sbc_proto_8_80m1[idx + 0] + + (unsigned)v[offset[i] + 2] * ff_sbc_proto_8_80m0[idx + 1] + + (unsigned)v[offset[k] + 3] * ff_sbc_proto_8_80m1[idx + 1] + + (unsigned)v[offset[i] + 4] * ff_sbc_proto_8_80m0[idx + 2] + + (unsigned)v[offset[k] + 5] * ff_sbc_proto_8_80m1[idx + 2] + + (unsigned)v[offset[i] + 6] * ff_sbc_proto_8_80m0[idx + 3] + + (unsigned)v[offset[k] + 7] * ff_sbc_proto_8_80m1[idx + 3] + + (unsigned)v[offset[i] + 8] * ff_sbc_proto_8_80m0[idx + 4] + + (unsigned)v[offset[k] + 9] * ff_sbc_proto_8_80m1[idx + 4] ) >> 15)); } } @@ -348,6 +348,7 @@ static int sbc_decode_frame(AVCodecContext *avctx, if (frame_length <= 0) return frame_length; + avctx->channels = frame->channels = sbc->frame.channels; frame->format = AV_SAMPLE_FMT_S16P; frame->nb_samples = sbc->frame.blocks * sbc->frame.subbands; diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 91fa664c08..0d34a2a710 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -87,7 +87,7 @@ static void sbr_neg_odd_64_c(int *x) { int i; for (i = 1; i < 64; i += 2) - x[i] = -x[i]; + x[i] = -(unsigned)x[i]; } static void sbr_qmf_pre_shuffle_c(int *z) @@ -114,8 +114,8 @@ static void sbr_qmf_deint_neg_c(int *v, const int *src) { int i; for (i = 0; i < 32; i++) { - v[ i] = ( src[63 - 2*i ] + 0x10) >> 5; - v[63 - i] = (-src[63 - 2*i - 1] + 0x10) >> 5; + v[ i] = (int)(0x10U + src[63 - 2*i ]) >> 5; + v[63 - i] = (int)(0x10U - src[63 - 2*i - 1]) >> 5; } } diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 317950dafb..9d04494b36 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -459,6 +459,9 @@ static int decompress_p(AVCodecContext *avctx, int run, bx = x * 16 + sx1, by = y * 16 + sy1; uint32_t r, g, b, clr, ptype = 0; + if (bx >= avctx->width) + return AVERROR_INVALIDDATA; + for (; by < y * 16 + sy2 && by < avctx->height;) { ret = decode_value(s, s->op_model[ptype], 6, 1000, &ptype); if (ret < 0) @@ -532,7 +535,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->current_frame->linesize[0] / 4); } else if (type == 17 || type == 33) { uint32_t clr, *dst = (uint32_t *)s->current_frame->data[0]; - int x, y; + int y; frame->key_frame = 1; bytestream2_skip(gb, 1); @@ -548,9 +551,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, clr = bytestream2_get_le24(gb); } for (y = 0; y < avctx->height; y++) { - for (x = 0; x < avctx->width; x++) { - dst[x] = clr; - } + dst[0] = clr; + av_memcpy_backptr((uint8_t*)(dst+1), 4, 4*avctx->width - 4); dst += s->current_frame->linesize[0] / 4; } } else if (type == 0 || type == 1) { diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index b4d2e21a17..e45f56ebcc 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c @@ -234,6 +234,8 @@ static int update_model6_to_7(PixelModel3 *m) } p = (e + 127) >> 7; k = ((f + e - 1) >> 7) + 1; + if (k > FF_ARRAY_ELEMS(n.dectab)) + return AVERROR_INVALIDDATA; for (i = 0; i < k - p; i++) n.dectab[p + i] = j; e += f; @@ -464,6 +466,8 @@ static int decode_adaptive6(PixelModel3 *m, uint32_t code, uint32_t *value, return 0; grow_dec(m); c = add_dec(m, q, g, f); + if (c < 0) + return AVERROR_INVALIDDATA; } incr_cntdec(m, c); @@ -702,7 +706,11 @@ static int update_model3_to_7(PixelModel3 *m, uint8_t value) e = d; n.cntsum += n.cnts[e]; n.freqs1[e] = c; - for (g = n.freqs[e], q = c + 128 - 1 >> 7, f = (c + g - 1 >> 7) + 1; q < f; q++) { + g = n.freqs[e]; + f = (c + g - 1 >> 7) + 1; + if (f > FF_ARRAY_ELEMS(n.dectab)) + return AVERROR_INVALIDDATA; + for (q = c + 128 - 1 >> 7; q < f; q++) { n.dectab[q] = e; } c += g; @@ -837,6 +845,7 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t uint16_t a = 0, b = 0; uint32_t param; int type; + int ret; type = m->type; switch (type) { @@ -859,7 +868,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t break; case 3: *value = bytestream2_get_byte(&s->gb); - decode_static3(m, *value); + ret = decode_static3(m, *value); + if (ret < 0) + return AVERROR_INVALIDDATA; sync_code3(gb, rc); break; case 4: @@ -876,9 +887,11 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t sync_code3(gb, rc); break; case 6: - if (!decode_adaptive6(m, code, value, &a, &b)) { - update_model6_to_7(m); - } + ret = decode_adaptive6(m, code, value, &a, &b); + if (!ret) + ret = update_model6_to_7(m); + if (ret < 0) + return ret; decode3(gb, rc, a, b); sync_code3(gb, rc); break; @@ -1173,6 +1186,9 @@ static int decompress_p3(AVCodecContext *avctx, int run, bx = x * 16 + sx1, by = y * 16 + sy1; uint32_t clr, ptype = 0, r, g, b; + if (bx >= avctx->width) + return AVERROR_INVALIDDATA; + for (; by < y * 16 + sy2 && by < avctx->height;) { ret = decode_value3(s, 5, &s->op_model3[ptype].cntsum, s->op_model3[ptype].freqs[0], diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4134af74cf..762bca0df3 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -558,6 +558,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, buf = &s->bitstream[s->bitstream_index]; buf_size += s->bitstream_size; s->bitstream_size = buf_size; + memset(buf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); /* do not decode until buffer has at least max_framesize bytes or * the end of the file has been reached */ diff --git a/libavcodec/simple_idct.c b/libavcodec/simple_idct.c index 3b2e736538..0ef167491a 100644 --- a/libavcodec/simple_idct.c +++ b/libavcodec/simple_idct.c @@ -175,7 +175,8 @@ static inline void idct4col_add(uint8_t *dest, ptrdiff_t line_size, const int16_ #define R_SHIFT 11 static inline void idct4row(int16_t *row) { - int c0, c1, c2, c3, a0, a1, a2, a3; + unsigned c0, c1, c2, c3; + int a0, a1, a2, a3; a0 = row[0]; a1 = row[1]; diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 61e316916b..b42d71b1c0 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -391,6 +391,8 @@ static av_always_inline int smk_get_code(GetBitContext *gb, int *recode, int *la int v; while(*table & SMK_NODE) { + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(gb)) table += (*table) & (~SMK_NODE); table++; @@ -455,6 +457,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint16_t pix; type = smk_get_code(&gb, smk->type_tbl, smk->type_last); + if (type < 0) + return type; run = block_runs[(type >> 2) & 0x3F]; switch(type & 3){ case SMK_BLK_MONO: @@ -480,6 +484,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case SMK_BLK_FULL: mode = 0; if(avctx->codec_tag == MKTAG('S', 'M', 'K', '4')) { // In case of Smacker v4 we have three modes + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(&gb)) mode = 1; else if(get_bits1(&gb)) mode = 2; } @@ -536,7 +542,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, while(run-- && blk < blocks){ uint32_t col; out = smk->pic->data[0] + (blk / bw) * (stride * 4) + (blk % bw) * 4; - col = mode * 0x01010101; + col = mode * 0x01010101U; for(i = 0; i < 4; i++) { *((uint32_t*)out) = col; out += stride; @@ -735,7 +741,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } val |= h[3].values[res] << 8; - pred[1] += sign_extend(val, 16); + pred[1] += (unsigned)sign_extend(val, 16); *samples++ = pred[1]; } else { if(vlc[0].table) @@ -756,7 +762,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } val |= h[1].values[res] << 8; - pred[0] += sign_extend(val, 16); + pred[0] += (unsigned)sign_extend(val, 16); *samples++ = pred[0]; } } diff --git a/libavcodec/snappy.c b/libavcodec/snappy.c index 7900b0f978..f5c4c6578b 100644 --- a/libavcodec/snappy.c +++ b/libavcodec/snappy.c @@ -39,6 +39,8 @@ static int64_t bytestream2_get_levarint(GetByteContext *gb) do { tmp = bytestream2_get_byte(gb); + if (shift > 31 || ((tmp & 127LL) << shift) > INT_MAX) + return AVERROR_INVALIDDATA; val |= (tmp & 127) << shift; shift += 7; } while (tmp & 128); diff --git a/libavcodec/snow.c b/libavcodec/snow.c index a3e6afc86a..584be1578c 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -491,7 +491,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){ FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->spatial_dwt_buffer, width, height * sizeof(DWTELEM), fail); //FIXME this does not belong here FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_dwt_buffer, width, sizeof(DWTELEM), fail); FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_idwt_buffer, width, sizeof(IDWTELEM), fail); - FF_ALLOC_ARRAY_OR_GOTO(avctx, s->run_buffer, ((width + 1) >> 1), ((height + 1) >> 1) * sizeof(*s->run_buffer), fail); + FF_ALLOC_ARRAY_OR_GOTO(avctx, s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1) + 1, sizeof(*s->run_buffer), fail); for(i=0; iwidth; int y; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int new_index = 0; @@ -224,7 +224,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ static void dequantize_slice_buffered(SnowContext *s, slice_buffer * sb, SubBand *b, IDWTELEM *src, int stride, int start_y, int end_y){ const int w= b->width; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); const int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); const int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int x,y; @@ -369,7 +369,10 @@ static int decode_header(SnowContext *s){ htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ - p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); + unsigned hcoeff = get_symbol(&s->c, s->header_state, 0); + if (hcoeff > 127) + return AVERROR_INVALIDDATA; + p->hcoeff[i]= hcoeff * (1-2*(i&1)); sum += p->hcoeff[i]; } p->hcoeff[0]= 32-sum; diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index df1729a083..427bd50499 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -81,6 +81,7 @@ FF_ENABLE_DEPRECATION_WARNINGS s->m.bit_rate= avctx->bit_rate; s->m.lmin = avctx->mb_lmin; s->m.lmax = avctx->mb_lmax; + s->m.mb_num = (avctx->width * avctx->height + 255) / 256; // For ratecontrol s->m.me.temp = s->m.me.scratchpad= av_mallocz_array((avctx->width+64), 2*16*2*sizeof(uint8_t)); @@ -267,6 +268,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ int my_context= av_log2(2*FFABS(left->my - top->my)); int s_context= 2*left->level + 2*top->level + tl->level + tr->level; int ref, best_ref, ref_score, ref_mx, ref_my; + int range = MAX_MV >> (1 + qpel); av_assert0(sizeof(s->block_state) >= 256); if(s->keyframe){ @@ -308,11 +310,16 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ c->xmax = - (x+1)*block_w + (w<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; c->ymax = - (y+1)*block_w + (h<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; + c->xmin = FFMAX(c->xmin,-range); + c->xmax = FFMIN(c->xmax, range); + c->ymin = FFMAX(c->ymin,-range); + c->ymax = FFMIN(c->ymax, range); + if(P_LEFT[0] > (c->xmax<xmax< (c->ymax<ymax< (c->xmax<xmax< (c->ymax<ymax<xmin<xmin<xmin * (1<xmin * (1< (c->xmax<xmax< (c->ymax<ymax<spatial_decomposition_count; level++){ + int64_t error=0; for(orientation=level ? 1 : 0; orientation<4; orientation++){ SubBand *b= &p->band[level][orientation]; IDWTELEM *ibuf= b->ibuf; - int64_t error=0; memset(s->spatial_idwt_buffer, 0, sizeof(*s->spatial_idwt_buffer)*width*height); ibuf[b->width/2 + b->height/2*b->stride]= 256*16; @@ -1556,9 +1563,13 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ error += d*d; } } - + if (orientation == 2) + error /= 2; b->qlog= (int)(QROOT * log2(352256.0/sqrt(error)) + 0.5); + if (orientation != 1) + error = 0; } + p->band[level][1].qlog = p->band[level][2].qlog; } } @@ -1774,7 +1785,7 @@ FF_ENABLE_DEPRECATION_WARNINGS }else{ for(y=0; yspatial_dwt_buffer[y*w + x]=s->spatial_idwt_buffer[y*w + x]<spatial_dwt_buffer[y*w + x]= s->spatial_idwt_buffer[y*w + x] * (1 << ENCODER_EXTRA_BITS); } } } diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 34d2952e69..b0746002d4 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -140,10 +140,13 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; } a= 1; @@ -472,13 +475,13 @@ static int predictor_calc_error(int *k, int *state, int order, int error) for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { int k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * state_value, LATTICE_SHIFT); - state_ptr[1] = state_value + shift_down(k_value * x, LATTICE_SHIFT); + x -= (unsigned)shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); + state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else for (i = order-2; i >= 0; i--) { - x -= shift_down(k[i] * state[i], LATTICE_SHIFT); + x -= (unsigned)shift_down(k[i] * state[i], LATTICE_SHIFT); state[i+1] = state[i] + shift_down(k[i] * x, LATTICE_SHIFT); } #endif @@ -924,6 +927,9 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) if (get_bits1(&gb)) // XXX FIXME av_log(avctx, AV_LOG_INFO, "Custom quant table\n"); + if (s->num_taps > 128) + return AVERROR_INVALIDDATA; + s->block_align = 2048LL*s->samplerate/(44100*s->downsampling); s->frame_size = s->channels*s->block_align*s->downsampling; // avctx->frame_size = s->block_align; @@ -977,9 +983,7 @@ static av_cold int sonic_decode_close(AVCodecContext *avctx) av_freep(&s->int_samples); av_freep(&s->tap_quant); av_freep(&s->predictor_k); - - for (i = 0; i < s->channels; i++) - { + for (i = 0; i < MAX_CHANNELS; i++) { av_freep(&s->predictor_state[i]); av_freep(&s->coded_samples[i]); } @@ -1017,7 +1021,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, // dequantize for (i = 0; i < s->num_taps; i++) - s->predictor_k[i] *= s->tap_quant[i]; + s->predictor_k[i] *= (unsigned) s->tap_quant[i]; if (s->lossless) quant = 1; @@ -1030,6 +1034,9 @@ static int sonic_decode_frame(AVCodecContext *avctx, { int x = ch; + if (c.overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; + predictor_init_state(s->predictor_k, s->predictor_state[ch], s->num_taps); intlist_read(&c, state, s->coded_samples[ch], s->block_align, 1); @@ -1042,7 +1049,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, x += s->channels; } - s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * quant); + s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * (unsigned)quant); x += s->channels; } diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 890b8253cd..27aab11903 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -424,7 +424,9 @@ static int speedhq_decode_frame(AVCodecContext *avctx, uint32_t second_field_offset; int ret; - if (buf_size < 4) + if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) + return AVERROR_INVALIDDATA; + if (buf_size < avctx->width*avctx->height / 64 / 4) return AVERROR_INVALIDDATA; quality = buf[0]; diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 0af5626e35..991915fa62 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" @@ -72,9 +73,15 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); - return -1; + return AVERROR_PATCHWELCOME; } + if (maplength > 768) { + av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); + return AVERROR_INVALIDDATA; + } + + // This also checks depth to be valid switch (depth) { case 1: avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_MONOWHITE; @@ -96,25 +103,37 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + // This checks w and h to be valid in the sense that bytes of a padded bitmap are addressable with 32bit int ret = ff_set_dimensions(avctx, w, h); if (ret < 0) return ret; + // ensured by ff_set_dimensions() + av_assert0(w <= (INT32_MAX - 7) / depth); + + /* scanlines are aligned on 16 bit boundaries */ + len = (depth * w + 7) >> 3; + alen = len + (len & 1); + + // ensured by ff_set_dimensions() + av_assert0(h <= INT32_MAX / (3 * len)); + + // maplength is limited to 768 and the right term is limited to INT32_MAX / 256 so the add needs no check + if (buf_end - buf < (uint64_t)maplength + (len * h) * 3 / 256) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; p->pict_type = AV_PICTURE_TYPE_I; - if (buf_end - buf < maplength) - return AVERROR_INVALIDDATA; - if (depth > 8 && maplength) { av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n"); } else if (maplength) { unsigned int len = maplength / 3; - if (maplength % 3 || maplength > 768) { + if (maplength % 3) { av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); return AVERROR_INVALIDDATA; } @@ -132,14 +151,10 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR(ENOMEM); stride = (w + 15 >> 3) * depth; } else { - ptr = p->data[0]; - stride = p->linesize[0]; + ptr = p->data[0]; + stride = p->linesize[0]; } - /* scanlines are aligned on 16 bit boundaries */ - len = (depth * w + 7) >> 3; - alen = len + (len & 1); - if (type == RT_BYTE_ENCODED) { int value, run; uint8_t *end = ptr + h * stride; diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index d3e60c3a4a..b61ae348d2 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -602,6 +602,8 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) if (skip_1stop_8data_bits(bitbuf) < 0) return AVERROR_INVALIDDATA; } + if (get_bits_left(bitbuf) <= 0) + return AVERROR_INVALIDDATA; s->width = width; s->height = height; diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 80a8af1ef7..398625ff97 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -486,9 +486,10 @@ static av_cold int svq1_encode_end(AVCodecContext *avctx) SVQ1EncContext *const s = avctx->priv_data; int i; - av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", - s->rd_total / (double)(avctx->width * avctx->height * - avctx->frame_number)); + if (avctx->frame_number) + av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", + s->rd_total / (double)(avctx->width * avctx->height * + avctx->frame_number)); s->m.mb_type = NULL; ff_mpv_common_end(&s->m); diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 9cea9ac840..7db4c9ed1e 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1439,6 +1439,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, if (svq3_decode_slice_header(avctx)) return -1; + if (avpkt->size < s->mb_width * s->mb_height / 8) + return AVERROR_INVALIDDATA; + s->pict_type = s->slice_type; if (s->pict_type != AV_PICTURE_TYPE_B) diff --git a/libavcodec/tak.c b/libavcodec/tak.c index 8aa956b661..7989afbd97 100644 --- a/libavcodec/tak.c +++ b/libavcodec/tak.c @@ -167,6 +167,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb, if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA) return AVERROR_INVALIDDATA; + if (get_bits_left(gb) < 24) + return AVERROR_INVALIDDATA; + skip_bits(gb, 24); return 0; diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 0439a3ac9b..934e38e7ac 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -176,8 +176,8 @@ static void set_sample_rate_params(AVCodecContext *avctx) } else { shift = 0; } - s->uval = FFALIGN(avctx->sample_rate + 511 >> 9, 4) << shift; - s->subframe_scale = FFALIGN(avctx->sample_rate + 511 >> 9, 4) << 1; + s->uval = FFALIGN(avctx->sample_rate + 511LL >> 9, 4) << shift; + s->subframe_scale = FFALIGN(avctx->sample_rate + 511LL >> 9, 4) << 1; } static av_cold int tak_decode_init(AVCodecContext *avctx) @@ -431,6 +431,9 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, return AVERROR_INVALIDDATA; } + if (get_bits_left(gb) < 2*10 + 2*size) + return AVERROR_INVALIDDATA; + s->predictors[0] = get_sbits(gb, 10); s->predictors[1] = get_sbits(gb, 10); s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size)); @@ -653,7 +656,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) s->residues[i ] * s->filter[0]; } - v = av_clip_intp2(v >> 10, 13) * (1 << dshift) - *p1; + v = av_clip_intp2(v >> 10, 13) * (1U << dshift) - *p1; *p1++ = v; } diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 2441c2baa6..f5dc47988f 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -28,8 +28,8 @@ static void decorrelate_ls(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; - int32_t b = p2[i]; + uint32_t a = p1[i]; + uint32_t b = p2[i]; p2[i] = a + b; } } @@ -39,8 +39,8 @@ static void decorrelate_sr(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; - int32_t b = p2[i]; + uint32_t a = p1[i]; + uint32_t b = p2[i]; p1[i] = b - a; } } @@ -50,7 +50,7 @@ static void decorrelate_sm(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; + uint32_t a = p1[i]; int32_t b = p2[i]; a -= b >> 1; p1[i] = a; @@ -63,9 +63,9 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; + uint32_t a = p1[i]; int32_t b = p2[i]; - b = dfactor * (b >> dshift) + 128 >> 8 << dshift; + b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; } } diff --git a/libavcodec/targa.c b/libavcodec/targa.c index 93e0ef7905..a61fef1d7b 100644 --- a/libavcodec/targa.c +++ b/libavcodec/targa.c @@ -132,12 +132,6 @@ static int decode_frame(AVCodecContext *avctx, h = bytestream2_get_le16(&s->gb); bpp = bytestream2_get_byte(&s->gb); - if (bytestream2_get_bytes_left(&s->gb) <= idlen) { - av_log(avctx, AV_LOG_ERROR, - "Not enough data to read header\n"); - return AVERROR_INVALIDDATA; - } - flags = bytestream2_get_byte(&s->gb); if (!pal && (first_clr || colors || csize)) { @@ -146,6 +140,12 @@ static int decode_frame(AVCodecContext *avctx, first_clr = colors = csize = 0; } + if (bytestream2_get_bytes_left(&s->gb) < idlen + 2*colors) { + av_log(avctx, AV_LOG_ERROR, + "Not enough data to read header\n"); + return AVERROR_INVALIDDATA; + } + // skip identifier if any bytestream2_skip(&s->gb, idlen); diff --git a/libavcodec/targaenc.c b/libavcodec/targaenc.c index 79030a012b..e939b90414 100644 --- a/libavcodec/targaenc.c +++ b/libavcodec/targaenc.c @@ -21,6 +21,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -88,10 +89,11 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, TargaContext *s = avctx->priv_data; int bpp, picsize, datasize = -1, ret, i; uint8_t *out; + int maxpal = 32*32; picsize = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); - if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45, 0)) < 0) + if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45 + maxpal, 0)) < 0) return ret; /* zero out the header and only set applicable fields */ @@ -124,6 +126,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4)); } out += 32 * pal_bpp; /* skip past the palette we just output */ + av_assert0(32 * pal_bpp <= maxpal); break; } case AV_PIX_FMT_GRAY8: diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index 4182404cf0..854e7e0510 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -187,7 +187,7 @@ static void tdsc_paint_cursor(AVCodecContext *avctx, uint8_t *dst, int stride) static int tdsc_load_cursor(AVCodecContext *avctx) { TDSCContext *ctx = avctx->priv_data; - int i, j, k, ret, bits, cursor_fmt; + int i, j, k, ret, cursor_fmt; uint8_t *dst; ctx->cursor_hot_x = bytestream2_get_le16(&ctx->gbc); @@ -231,7 +231,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx) case CUR_FMT_MONO: for (j = 0; j < ctx->cursor_h; j++) { for (i = 0; i < ctx->cursor_w; i += 32) { - bits = bytestream2_get_be32(&ctx->gbc); + uint32_t bits = bytestream2_get_be32(&ctx->gbc); for (k = 0; k < 32; k++) { dst[0] = !!(bits & 0x80000000); dst += 4; @@ -244,7 +244,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx) dst = ctx->cursor; for (j = 0; j < ctx->cursor_h; j++) { for (i = 0; i < ctx->cursor_w; i += 32) { - bits = bytestream2_get_be32(&ctx->gbc); + uint32_t bits = bytestream2_get_be32(&ctx->gbc); for (k = 0; k < 32; k++) { int mask_bit = !!(bits & 0x80000000); switch (dst[0] * 2 + mask_bit) { @@ -390,7 +390,7 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) for (i = 0; i < number_tiles; i++) { int tile_size; int tile_mode; - int x, y, w, h; + int x, y, x2, y2, w, h; int ret; if (bytestream2_get_bytes_left(&ctx->gbc) < 4 || @@ -408,20 +408,19 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) bytestream2_skip(&ctx->gbc, 4); // unknown x = bytestream2_get_le32(&ctx->gbc); y = bytestream2_get_le32(&ctx->gbc); - w = bytestream2_get_le32(&ctx->gbc) - x; - h = bytestream2_get_le32(&ctx->gbc) - y; + x2 = bytestream2_get_le32(&ctx->gbc); + y2 = bytestream2_get_le32(&ctx->gbc); - if (x >= ctx->width || y >= ctx->height) { + if (x < 0 || y < 0 || x2 <= x || y2 <= y || + x2 > ctx->width || y2 > ctx->height + ) { av_log(avctx, AV_LOG_ERROR, - "Invalid tile position (%d.%d outside %dx%d).\n", - x, y, ctx->width, ctx->height); - return AVERROR_INVALIDDATA; - } - if (x + w > ctx->width || y + h > ctx->height) { - av_log(avctx, AV_LOG_ERROR, - "Invalid tile size %dx%d\n", w, h); + "Invalid tile position (%d.%d %d.%d outside %dx%d).\n", + x, y, x2, y2, ctx->width, ctx->height); return AVERROR_INVALIDDATA; } + w = x2 - x; + h = y2 - y; ret = av_reallocp(&ctx->tilebuffer, tile_size); if (!ctx->tilebuffer) diff --git a/libavcodec/tests/dct.c b/libavcodec/tests/dct.c index 2ca8039c01..36a4c38a55 100644 --- a/libavcodec/tests/dct.c +++ b/libavcodec/tests/dct.c @@ -222,8 +222,8 @@ static int dct_error(const struct algo *dct, int test, int is_idct, int speed, c v = abs(err); if (v > err_inf) err_inf = v; - err2_matrix[i] += v * v; - err2 += v * v; + err2_matrix[i] += v * (int64_t)v; + err2 += v * (int64_t)v; sysErr[i] += block[i] - block1[i]; blockSumErr += v; if (abs(block[i]) > maxout) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 80b33bee79..a6cf9f6824 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -47,12 +47,12 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i return 1; } for (j = 0; j max_diff) { + if (FFABS(array[j] - (int64_t)ref[j]) > max_diff) { fprintf(stderr, "missmatch at %d (%d != %d) decomp:%d border %d %d %d %d\n", j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; } - err2 += (array[j] - ref[j]) * (array[j] - ref[j]); + err2 += (array[j] - ref[j]) * (int64_t)(array[j] - ref[j]); array[j] = ref[j]; } ff_dwt_destroy(s); diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index d5f94e8a61..65699158ca 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -31,11 +31,13 @@ int main(void){ #define width 256 #define height 256 int buffer[2][width*height]; + short obuffer[width*height]; SnowContext s; int i; AVLFG prng; s.spatial_decomposition_count=6; s.spatial_decomposition_type=1; + int ret = 0; s.temp_dwt_buffer = av_mallocz_array(width, sizeof(DWTELEM)); s.temp_idwt_buffer = av_mallocz_array(width, sizeof(IDWTELEM)); @@ -49,24 +51,34 @@ int main(void){ printf("testing 5/3 DWT\n"); for(i=0; i20) printf("fsck: %6d %12d %7d\n",i, buffer[0][i], buffer[1][i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) { + printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + ret = 1; + } { int level, orientation, x, y; @@ -81,18 +93,18 @@ int main(void){ int w= width >> (s.spatial_decomposition_count-level); int h= height >> (s.spatial_decomposition_count-level); int stride= width << (s.spatial_decomposition_count-level); - DWTELEM *buf= buffer[0]; + IDWTELEM *buf= obuffer; int64_t error=0; if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; - memset(buffer[0], 0, sizeof(int)*width*height); - buf[w/2 + h/2*stride]= 256*256; - ff_spatial_idwt((IDWTELEM*)buffer[0], s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); + memset(obuffer, 0, sizeof(short)*width*height); + buf[w/2 + h/2*stride]= 8*256; + ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y maxv) + else if (bp[x * 4 + y * stride] > maxv) maxv = bp[x * 4 + y * stride]; } } diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index c520d7df83..b22baccad5 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -73,6 +73,7 @@ typedef struct TiffContext { int fill_order; uint32_t res[4]; int is_thumbnail; + unsigned last_tag; int is_bayer; uint8_t pattern[4]; @@ -326,7 +327,8 @@ static void unpack_gray(TiffContext *s, AVFrame *p, GetBitContext gb; uint16_t *dst = (uint16_t *)(p->data[0] + lnum * p->linesize[0]); - init_get_bits8(&gb, src, width); + int ret = init_get_bits8(&gb, src, width); + av_assert1(ret >= 0); for (int i = 0; i < s->width; i++) { dst[i] = get_bits(&gb, bpp); @@ -933,6 +935,12 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (ret < 0) { goto end; } + if (tag <= s->last_tag) + return AVERROR_INVALIDDATA; + + // We ignore TIFF_STRIP_SIZE as it is sometimes in the logic but wrong order around TIFF_STRIP_OFFS + if (tag != TIFF_STRIP_SIZE) + s->last_tag = tag; off = bytestream2_tell(&s->gb); if (count == 1) { @@ -965,7 +973,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->height = value; break; case TIFF_BPP: - if (count > 5U) { + if (count > 5 || count <= 0) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", value, count); @@ -996,9 +1004,9 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) "Samples per pixel requires a single value, many provided\n"); return AVERROR_INVALIDDATA; } - if (value > 5U) { + if (value > 5 || value <= 0) { av_log(s->avctx, AV_LOG_ERROR, - "Samples per pixel %d is too large\n", value); + "Invalid samples per pixel %d\n", value); return AVERROR_INVALIDDATA; } if (s->bppcount == 1) @@ -1399,7 +1407,7 @@ static int decode_frame(AVCodecContext *avctx, TiffContext *const s = avctx->priv_data; AVFrame *const p = data; ThreadFrame frame = { .f = data }; - unsigned off; + unsigned off, last_off = 0; int le, ret, plane, planes; int i, j, entries, stride; unsigned soff, ssize; @@ -1430,6 +1438,7 @@ again: s->is_bayer = 0; s->cur_page = 0; s->tiff_type = TIFF_TYPE_TIFF; + s->last_tag = 0; free_geotags(s); // Reset these offsets so we can tell if they were set this frame @@ -1463,6 +1472,15 @@ again: } if (retry_for_subifd || retry_for_page) { + if (!off) { + av_log(avctx, AV_LOG_ERROR, "Requested entry not found\n"); + return AVERROR_INVALIDDATA; + } + if (off <= last_off) { + avpriv_request_sample(s->avctx, "non increasing IFD offset\n"); + return AVERROR_INVALIDDATA; + } + last_off = off; if (off >= UINT_MAX - 14 || avpkt->size < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); return AVERROR_INVALIDDATA; diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index e1824384c5..60c5a812d1 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -407,6 +407,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return AVERROR_PATCHWELCOME; } + if (s->h & 3) { + avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4"); + return AVERROR_PATCHWELCOME; + } + if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { av_frame_unref(s->frame); @@ -444,6 +449,8 @@ static int truemotion1_decode_header(TrueMotion1Context *s) if (s->flags & FLAG_KEYFRAME) { /* no change bits specified for a keyframe; only index bytes */ s->index_stream = s->mb_change_bits; + if (s->avctx->width * s->avctx->height / 2048 + header.header_size > s->size) + return AVERROR_INVALIDDATA; } else { /* one change bit per 4x4 block */ s->index_stream = s->mb_change_bits + diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index a86dd16e0f..2d1fd0e41b 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -581,15 +581,15 @@ static inline void tm2_low_res_block(TM2Context *ctx, AVFrame *pic, int bx, int deltas[10] = GET_TOK(ctx, TM2_L_LO); if (bx > 0) - last[0] = (last[-1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3] + last[1]) >> 1; + last[0] = (int)((unsigned)last[-1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3] + last[1]) >> 1; else - last[0] = (last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; - last[2] = (last[1] + last[3]) >> 1; + last[0] = (int)((unsigned)last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; + last[2] = (int)((unsigned)last[1] + last[3]) >> 1; - t1 = ctx->D[0] + ctx->D[1]; + t1 = ctx->D[0] + (unsigned)ctx->D[1]; ctx->D[0] = t1 >> 1; ctx->D[1] = t1 - (t1 >> 1); - t2 = ctx->D[2] + ctx->D[3]; + t2 = ctx->D[2] + (unsigned)ctx->D[3]; ctx->D[2] = t2 >> 1; ctx->D[3] = t2 - (t2 >> 1); @@ -619,7 +619,7 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int ct = ctx->D[0] + ctx->D[1] + ctx->D[2] + ctx->D[3]; if (bx > 0) - left = last[-1] - ct; + left = last[-1] - (unsigned)ct; else left = 0; @@ -630,7 +630,7 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int last[2] = right - (diff >> 2); last[3] = right; { - int tp = left; + unsigned tp = left; ctx->D[0] = (tp + (ct >> 2)) - left; left += ctx->D[0]; @@ -764,10 +764,10 @@ static inline void tm2_motion_block(TM2Context *ctx, AVFrame *pic, int bx, int b } /* calculate deltas */ Y -= Ystride * 4; - ctx->D[0] = Y[3] - last[3]; - ctx->D[1] = Y[3 + Ystride] - Y[3]; - ctx->D[2] = Y[3 + Ystride * 2] - Y[3 + Ystride]; - ctx->D[3] = Y[3 + Ystride * 3] - Y[3 + Ystride * 2]; + ctx->D[0] = (unsigned)Y[3] - last[3]; + ctx->D[1] = (unsigned)Y[3 + Ystride] - Y[3]; + ctx->D[2] = (unsigned)Y[3 + Ystride * 2] - Y[3 + Ystride]; + ctx->D[3] = (unsigned)Y[3 + Ystride * 3] - Y[3 + Ystride * 2]; for (i = 0; i < 4; i++) last[i] = Y[i + Ystride * 3]; } diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 4d27fcd555..a93f8b2d19 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -227,7 +227,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, GetBitContext gb; int i, ret; int cur_chan = 0, framelen = s->frame_length; - int32_t *p; + uint32_t *p; if (avctx->err_recognition & AV_EF_CRCCHECK) { if (buf_size < 4 || @@ -261,7 +261,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, } i = 0; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) { + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) { int32_t *predictor = &s->ch_ctx[cur_chan].predictor; TTAFilter *filter = &s->ch_ctx[cur_chan].filter; TTARice *rice = &s->ch_ctx[cur_chan].rice; @@ -334,8 +334,8 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, // decorrelate in case of multiple channels if (s->channels > 1) { int32_t *r = p - 1; - for (*p += *r / 2; r > p - s->channels; r--) - *r = *(r + 1) - *r; + for (*p += *r / 2; r > (int32_t*)p - s->channels; r--) + *r = *(r + 1) - (unsigned)*r; } cur_chan = 0; i++; @@ -358,21 +358,28 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, switch (s->bps) { case 1: { uint8_t *samples = (uint8_t *)frame->data[0]; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) *samples++ = *p + 0x80; break; } case 2: { int16_t *samples = (int16_t *)frame->data[0]; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) *samples++ = *p; break; } case 3: { // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; - for (i = 0; i < framelen * s->channels; i++) - *samples++ *= 256; + int overflow = 0; + + for (i = 0; i < framelen * s->channels; i++) { + int scaled = *samples * 256U; + overflow += (scaled >> 8 != *samples); + *samples++ = scaled; + } + if (overflow) + av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow); // reset decode buffer s->decode_buffer = NULL; break; diff --git a/libavcodec/ttadata.c b/libavcodec/ttadata.c index bf793a4cc8..aa9f418a7d 100644 --- a/libavcodec/ttadata.c +++ b/libavcodec/ttadata.c @@ -30,7 +30,8 @@ const uint32_t ff_tta_shift_1[] = { 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, 0x20000000, 0x40000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, - 0x80000000, 0x80000000, 0x80000000, 0x80000000 + 0x80000000, 0x80000000, 0x80000000, 0x80000000, + 0xFFFFFFFF }; const uint32_t * const ff_tta_shift_16 = ff_tta_shift_1 + 4; diff --git a/libavcodec/ttadsp.c b/libavcodec/ttadsp.c index 056a2c7ef1..99dd66a0c2 100644 --- a/libavcodec/ttadsp.c +++ b/libavcodec/ttadsp.c @@ -20,9 +20,11 @@ #include "ttadsp.h" #include "config.h" -static void tta_filter_process_c(int32_t *qm, int32_t *dx, int32_t *dl, +static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl, int32_t *error, int32_t *in, int32_t shift, int32_t round) { + uint32_t *qm = qmi; + if (*error < 0) { qm[0] -= dx[0]; qm[1] -= dx[1]; qm[2] -= dx[2]; qm[3] -= dx[3]; qm[4] -= dx[4]; qm[5] -= dx[5]; qm[6] -= dx[6]; qm[7] -= dx[7]; @@ -45,9 +47,9 @@ static void tta_filter_process_c(int32_t *qm, int32_t *dx, int32_t *dl, *error = *in; *in += (round >> shift); - dl[4] = -dl[5]; dl[5] = -dl[6]; - dl[6] = *in - dl[7]; dl[7] = *in; - dl[5] += dl[6]; dl[4] += dl[5]; + dl[4] = -(unsigned)dl[5]; dl[5] = -(unsigned)dl[6]; + dl[6] = *in -(unsigned)dl[7]; dl[7] = *in; + dl[5] += (unsigned)dl[6]; dl[4] += (unsigned)dl[5]; } av_cold void ff_ttadsp_init(TTADSPContext *c) diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c index 3cc54d78c5..08a0d0483a 100644 --- a/libavcodec/ttaenc.c +++ b/libavcodec/ttaenc.c @@ -164,7 +164,7 @@ pkt_alloc: put_bits(&pb, 31, 0x7FFFFFFF); unary -= 31; } else { - put_bits(&pb, unary, (1 << unary) - 1); + put_bits(&pb, unary, (1U << unary) - 1); unary = 0; } } while (unary); diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 7b2e19e536..34ca1846b9 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -771,23 +771,26 @@ av_cold int ff_twinvq_decode_init(AVCodecContext *avctx) { int ret; TwinVQContext *tctx = avctx->priv_data; + int64_t frames_per_packet; tctx->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (!avctx->block_align) { avctx->block_align = tctx->frame_size + 7 >> 3; - } else if (avctx->block_align * 8 < tctx->frame_size) { - av_log(avctx, AV_LOG_ERROR, "Block align is %d bits, expected %d\n", - avctx->block_align * 8, tctx->frame_size); + } + frames_per_packet = avctx->block_align * 8LL / tctx->frame_size; + if (frames_per_packet <= 0) { + av_log(avctx, AV_LOG_ERROR, "Block align is %"PRId64" bits, expected %d\n", + avctx->block_align * (int64_t)8, tctx->frame_size); return AVERROR_INVALIDDATA; } - tctx->frames_per_packet = avctx->block_align * 8 / tctx->frame_size; - if (tctx->frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) { - av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%d)\n", - tctx->frames_per_packet); + if (frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) { + av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%"PRId64")\n", + frames_per_packet); return AVERROR_INVALIDDATA; } + tctx->frames_per_packet = frames_per_packet; tctx->fdsp = avpriv_float_dsp_alloc(avctx->flags & AV_CODEC_FLAG_BITEXACT); if (!tctx->fdsp) { diff --git a/libavcodec/twinvqdec.c b/libavcodec/twinvqdec.c index c2353f51b5..c00ebb2ad5 100644 --- a/libavcodec/twinvqdec.c +++ b/libavcodec/twinvqdec.c @@ -404,7 +404,7 @@ static av_cold int twinvq_decode_init(AVCodecContext *avctx) tctx->frame_size = avctx->bit_rate * tctx->mtab->size / avctx->sample_rate + 8; tctx->is_6kbps = 0; - if (avctx->block_align && avctx->block_align * 8 / tctx->frame_size > 1) { + if (avctx->block_align && avctx->block_align * 8LL / tctx->frame_size > 1) { av_log(avctx, AV_LOG_ERROR, "VQF TwinVQ should have only one frame per packet\n"); return AVERROR_INVALIDDATA; diff --git a/libavcodec/txd.c b/libavcodec/txd.c index 8b20475d39..f00ba89e82 100644 --- a/libavcodec/txd.c +++ b/libavcodec/txd.c @@ -43,6 +43,9 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int i, j; int ret; + if (avpkt->size < 88) + return AVERROR_INVALIDDATA; + ff_texturedsp_init(&dxtc); bytestream2_init(&gb, avpkt->data, avpkt->size); diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 66c68d1cf5..5fbfa78e77 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -256,6 +256,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_GBRAP16BE: w_align = 16; //FIXME assume 16 pixel per macroblock h_align = 16 * 2; // interlaced needs 2 macroblocks height + if (s->codec_id == AV_CODEC_ID_BINKVIDEO) + w_align = 16*2; break; case AV_PIX_FMT_YUV411P: case AV_PIX_FMT_YUVJ411P: @@ -267,6 +269,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, if (s->codec_id == AV_CODEC_ID_SVQ1) { w_align = 64; h_align = 64; + } else if (s->codec_id == AV_CODEC_ID_SNOW) { + w_align = 16; + h_align = 16; } break; case AV_PIX_FMT_RGB555: @@ -292,6 +297,16 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 8; h_align = 8; } + if (s->codec_id == AV_CODEC_ID_MJPEG || + s->codec_id == AV_CODEC_ID_MJPEGB || + s->codec_id == AV_CODEC_ID_LJPEG || + s->codec_id == AV_CODEC_ID_SMVJPEG || + s->codec_id == AV_CODEC_ID_AMV || + s->codec_id == AV_CODEC_ID_SP5X || + s->codec_id == AV_CODEC_ID_JPEGLS) { + w_align = 8; + h_align = 2*8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || @@ -311,12 +326,13 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } if (s->codec_id == AV_CODEC_ID_IFF_ILBM) { - w_align = FFMAX(w_align, 8); + w_align = FFMAX(w_align, 16); } *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || + s->codec_id == AV_CODEC_ID_VC1 || s->codec_id == AV_CODEC_ID_WMV3 || s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A ) { @@ -330,6 +346,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, // the next rounded up width is 32 *width = FFMAX(*width, 32); } + if (s->codec_id == AV_CODEC_ID_SVQ3) { + *width = FFMAX(*width, 32); + } for (i = 0; i < 4; i++) linesize_align[i] = STRIDE_ALIGN; @@ -412,7 +431,7 @@ int avcodec_fill_audio_frame(AVFrame *frame, int nb_channels, void ff_color_frame(AVFrame *frame, const int c[4]) { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(frame->format); - int p, y, x; + int p, y; av_assert0(desc->flags & AV_PIX_FMT_FLAG_PLANAR); @@ -421,13 +440,19 @@ void ff_color_frame(AVFrame *frame, const int c[4]) int is_chroma = p == 1 || p == 2; int bytes = is_chroma ? AV_CEIL_RSHIFT(frame->width, desc->log2_chroma_w) : frame->width; int height = is_chroma ? AV_CEIL_RSHIFT(frame->height, desc->log2_chroma_h) : frame->height; - for (y = 0; y < height; y++) { - if (desc->comp[0].depth >= 9) { - for (x = 0; xcomp[0].depth >= 9) { + ((uint16_t*)dst)[0] = c[p]; + av_memcpy_backptr(dst + 2, 2, bytes - 2); dst += frame->linesize[p]; + for (y = 1; y < height; y++) { + memcpy(dst, frame->data[p], 2*bytes); + dst += frame->linesize[p]; + } + } else { + for (y = 0; y < height; y++) { + memset(dst, c[p], bytes); + dst += frame->linesize[p]; + } } } } @@ -505,7 +530,14 @@ static int64_t get_bit_rate(AVCodecContext *ctx) break; case AVMEDIA_TYPE_AUDIO: bits_per_sample = av_get_bits_per_sample(ctx->codec_id); - bit_rate = bits_per_sample ? ctx->sample_rate * (int64_t)ctx->channels * bits_per_sample : ctx->bit_rate; + if (bits_per_sample) { + bit_rate = ctx->sample_rate * (int64_t)ctx->channels; + if (bit_rate > INT64_MAX / bits_per_sample) { + bit_rate = 0; + } else + bit_rate *= bits_per_sample; + } else + bit_rate = ctx->bit_rate; break; default: bit_rate = 0; @@ -678,8 +710,18 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code if (av_codec_is_decoder(codec)) av_freep(&avctx->subtitle_header); - if (avctx->channels > FF_SANE_NB_CHANNELS) { - av_log(avctx, AV_LOG_ERROR, "Too many channels: %d\n", avctx->channels); + if (avctx->channels > FF_SANE_NB_CHANNELS || avctx->channels < 0) { + av_log(avctx, AV_LOG_ERROR, "Too many or invalid channels: %d\n", avctx->channels); + ret = AVERROR(EINVAL); + goto free_and_end; + } + if (avctx->sample_rate < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample rate: %d\n", avctx->sample_rate); + ret = AVERROR(EINVAL); + goto free_and_end; + } + if (avctx->block_align < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid block align: %d\n", avctx->block_align); ret = AVERROR(EINVAL); goto free_and_end; } @@ -1029,6 +1071,9 @@ free_and_end: (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP))) avctx->codec->close(avctx); + if (HAVE_THREADS && avctx->internal->thread_ctx) + ff_thread_free(avctx); + if (codec->priv_class && codec->priv_data_size) av_opt_free(avctx->priv_data); av_opt_free(avctx); @@ -1041,6 +1086,7 @@ FF_ENABLE_DEPRECATION_WARNINGS av_dict_free(&tmp); av_freep(&avctx->priv_data); + av_freep(&avctx->subtitle_header); if (avctx->internal) { av_frame_free(&avctx->internal->to_free); av_frame_free(&avctx->internal->compat_decode_frame); @@ -1555,7 +1601,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_MP1: return 384; case AV_CODEC_ID_ATRAC1: return 512; case AV_CODEC_ID_ATRAC9: - case AV_CODEC_ID_ATRAC3: return 1024 * framecount; + case AV_CODEC_ID_ATRAC3: + if (framecount > INT_MAX/1024) + return 0; + return 1024 * framecount; case AV_CODEC_ID_ATRAC3P: return 2048; case AV_CODEC_ID_MP2: case AV_CODEC_ID_MUSEPACK7: return 1152; @@ -1565,14 +1614,17 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (sr > 0) { /* calc from sample rate */ if (id == AV_CODEC_ID_TTA) - return 256 * sr / 245; + return 256ll * sr / 245; else if (id == AV_CODEC_ID_DST) - return 588 * sr / 44100; + return 588ll * sr / 44100; if (ch > 0) { /* calc from sample rate and channels */ - if (id == AV_CODEC_ID_BINKAUDIO_DCT) + if (id == AV_CODEC_ID_BINKAUDIO_DCT) { + if (sr / 22050 > 22) + return 0; return (480 << (sr / 22050)) / ch; + } } if (id == AV_CODEC_ID_MP3) @@ -1618,7 +1670,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, return frame_bytes / (9 * ch) * 16; case AV_CODEC_ID_ADPCM_PSX: case AV_CODEC_ID_ADPCM_DTK: - return frame_bytes / (16 * ch) * 28; + frame_bytes /= 16 * ch; + if (frame_bytes > INT_MAX / 28) + return 0; + return frame_bytes * 28; case AV_CODEC_ID_ADPCM_4XM: case AV_CODEC_ID_ADPCM_IMA_DAT4: case AV_CODEC_ID_ADPCM_IMA_ISS: @@ -1630,7 +1685,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_THP: case AV_CODEC_ID_ADPCM_THP_LE: if (extradata) - return frame_bytes * 14 / (8 * ch); + return frame_bytes * 14LL / (8 * ch); break; case AV_CODEC_ID_ADPCM_XA: return (frame_bytes / 128) * 224 / ch; @@ -1664,21 +1719,33 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ba > 0) { /* calc from frame_bytes, channels, and block_align */ int blocks = frame_bytes / ba; + int64_t tmp = 0; switch (id) { case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - return blocks * (1 + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8LL); + break; case AV_CODEC_ID_ADPCM_IMA_DK3: - return blocks * (((ba - 16) * 2 / 3 * 4) / ch); + tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); + break; case AV_CODEC_ID_ADPCM_IMA_DK4: - return blocks * (1 + (ba - 4 * ch) * 2 / ch); + tmp = blocks * (1 + (ba - 4LL * ch) * 2 / ch); + break; case AV_CODEC_ID_ADPCM_IMA_RAD: - return blocks * ((ba - 4 * ch) * 2 / ch); + tmp = blocks * ((ba - 4LL * ch) * 2 / ch); + break; case AV_CODEC_ID_ADPCM_MS: - return blocks * (2 + (ba - 7 * ch) * 2 / ch); + tmp = blocks * (2 + (ba - 7LL * ch) * 2LL / ch); + break; case AV_CODEC_ID_ADPCM_MTAF: - return blocks * (ba - 16) * 2 / ch; + tmp = blocks * (ba - 16LL) * 2 / ch; + break; + } + if (tmp) { + if (tmp != (int)tmp) + return 0; + return tmp; } } @@ -1716,20 +1783,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) { - return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, + int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, avctx->channels, avctx->block_align, avctx->codec_tag, avctx->bits_per_coded_sample, avctx->bit_rate, avctx->extradata, avctx->frame_size, frame_bytes); + return FFMAX(0, duration); } int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes) { - return get_audio_frame_duration(par->codec_id, par->sample_rate, + int duration = get_audio_frame_duration(par->codec_id, par->sample_rate, par->channels, par->block_align, par->codec_tag, par->bits_per_coded_sample, par->bit_rate, par->extradata, par->frame_size, frame_bytes); + return FFMAX(0, duration); } #if !HAVE_THREADS diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index d5af9d53a8..3da3f7e58a 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -317,7 +317,7 @@ static int decode_plane(UtvideoContext *c, int plane_no, for (i = 0; i < width; i++) { pix = fsym; if (use_pred) { - prev += pix; + prev += (unsigned)pix; pix = prev; } dest[i] = pix; diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index db00e1eff5..476cf3819b 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c @@ -233,7 +233,7 @@ FF_ENABLE_DEPRECATION_WARNINGS * - Compression mode (none/huff) * And write the flags. */ - c->flags = (c->slices - 1) << 24; + c->flags = (c->slices - 1U) << 24; c->flags |= 0 << 11; // bit field to signal interlaced encoding mode c->flags |= c->compression; diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c index dd2a24de04..707cb63f7e 100644 --- a/libavcodec/vaapi_encode.c +++ b/libavcodec/vaapi_encode.c @@ -2253,12 +2253,14 @@ av_cold int ff_vaapi_encode_close(AVCodecContext *avctx) av_buffer_pool_uninit(&ctx->output_buffer_pool); if (ctx->va_context != VA_INVALID_ID) { - vaDestroyContext(ctx->hwctx->display, ctx->va_context); + if (ctx->hwctx) + vaDestroyContext(ctx->hwctx->display, ctx->va_context); ctx->va_context = VA_INVALID_ID; } if (ctx->va_config != VA_INVALID_ID) { - vaDestroyConfig(ctx->hwctx->display, ctx->va_config); + if (ctx->hwctx) + vaDestroyConfig(ctx->hwctx->display, ctx->va_config); ctx->va_config = VA_INVALID_ID; } diff --git a/libavcodec/vb.c b/libavcodec/vb.c index c6dd6fb456..d9c6b93a73 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -199,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint32_t size; int offset = 0; + if (avpkt->size < 2) + return AVERROR_INVALIDDATA; + bytestream2_init(&c->stream, avpkt->data, avpkt->size); if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) diff --git a/libavcodec/vble.c b/libavcodec/vble.c index c25ee98697..d2945fcae6 100644 --- a/libavcodec/vble.c +++ b/libavcodec/vble.c @@ -193,6 +193,9 @@ static av_cold int vble_decode_init(AVCodecContext *avctx) ctx->size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + if (ctx->size < 0) + return ctx->size; + ctx->val = av_malloc_array(ctx->size, sizeof(*ctx->val)); if (!ctx->val) { diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index e102b931d8..4297834522 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -451,7 +451,11 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb) h = get_bits(gb, 8) + 1; v->s.avctx->sample_aspect_ratio = (AVRational){w, h}; } else { - av_reduce(&v->s.avctx->sample_aspect_ratio.num, + if (v->s.avctx->width > v->max_coded_width || + v->s.avctx->height > v->max_coded_height) { + avpriv_request_sample(v->s.avctx, "Huge resolution"); + } else + av_reduce(&v->s.avctx->sample_aspect_ratio.num, &v->s.avctx->sample_aspect_ratio.den, v->s.avctx->height * w, v->s.avctx->width * h, @@ -667,6 +671,8 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) if (v->s.pict_type == AV_PICTURE_TYPE_P) v->rnd ^= 1; + if (get_bits_left(gb) < 5) + return AVERROR_INVALIDDATA; /* Quantizer stuff */ pqindex = get_bits(gb, 5); if (!pqindex) @@ -759,6 +765,9 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) av_log(v->s.avctx, AV_LOG_DEBUG, "MB Skip plane encoding: " "Imode: %i, Invert: %i\n", status>>1, status&1); + if (get_bits_left(gb) < 4) + return AVERROR_INVALIDDATA; + /* Hopefully this is correct for P-frames */ v->s.mv_table_index = get_bits(gb, 2); //but using ff_vc1_ tables v->cbptab = get_bits(gb, 2); @@ -933,7 +942,9 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) else if ((v->s.pict_type != AV_PICTURE_TYPE_B) && (v->s.pict_type != AV_PICTURE_TYPE_BI)) { v->refdist = get_bits(gb, 2); if (v->refdist == 3) - v->refdist += get_unary(gb, 0, 16); + v->refdist += get_unary(gb, 0, 14); + if (v->refdist > 16) + return AVERROR_INVALIDDATA; } if ((v->s.pict_type == AV_PICTURE_TYPE_B) || (v->s.pict_type == AV_PICTURE_TYPE_BI)) { if (read_bfraction(v, gb) < 0) @@ -1313,16 +1324,17 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) break; } - if (v->fcm != PROGRESSIVE && !v->s.quarter_sample) { - v->range_x <<= 1; - v->range_y <<= 1; - } /* AC Syntax */ v->c_ac_table_index = decode012(gb); if (v->s.pict_type == AV_PICTURE_TYPE_I || v->s.pict_type == AV_PICTURE_TYPE_BI) { v->y_ac_table_index = decode012(gb); } + else if (v->fcm != PROGRESSIVE && !v->s.quarter_sample) { + v->range_x <<= 1; + v->range_y <<= 1; + } + /* DC Syntax */ v->s.dc_table_index = get_bits1(gb); if ((v->s.pict_type == AV_PICTURE_TYPE_I || v->s.pict_type == AV_PICTURE_TYPE_BI) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index ec5339d2f0..f128f696d5 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -430,12 +430,12 @@ static inline int ff_vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, if (c_avail && (n != 1 && n != 3)) { q2 = FFABS(s->current_picture.qscale_table[mb_pos - 1]); if (q2 && q2 != q1) - c = (c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + c = (int)((unsigned)c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && (n != 2 && n != 3)) { q2 = FFABS(s->current_picture.qscale_table[mb_pos - s->mb_stride]); if (q2 && q2 != q1) - a = (a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + a = (int)((unsigned)a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && c_avail && (n != 3)) { int off = mb_pos; @@ -445,7 +445,7 @@ static inline int ff_vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, off -= s->mb_stride; q2 = FFABS(s->current_picture.qscale_table[off]); if (q2 && q2 != q1) - b = (b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + b = (int)((unsigned)b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (c_avail && (!a_avail || abs(a - b) <= abs(b - c))) { @@ -526,6 +526,8 @@ static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int escape = decode210(gb); if (escape != 2) { index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); + if (index >= ff_vc1_ac_sizes[codingset] - 1U) + return AVERROR_INVALIDDATA; run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; lst = index >= vc1_last_decode_table[codingset]; @@ -844,7 +846,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - block[k << sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << sh] += (int)(ac_val[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } else { for (k = 1; k < 8; k++) block[k << sh] += ac_val[k]; @@ -887,7 +889,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } for (k = 1; k < 8; k++) { block[k << sh] = ac_val2[k] * scale; @@ -1034,10 +1036,10 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (q2 && q1 != q2) { if (dc_pred_dir) { // left for (k = 1; k < 8; k++) - block[k << v->left_blk_sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << v->left_blk_sh] += (int)(ac_val[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } else { //top for (k = 1; k < 8; k++) - block[k << v->top_blk_sh] += (ac_val[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << v->top_blk_sh] += (int)(ac_val[k + 8] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } else { if (dc_pred_dir) { // left @@ -1078,7 +1080,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } else { // top @@ -1091,7 +1093,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k + 8] = (ac_val2[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k + 8] = (int)(ac_val2[k + 8] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } @@ -1376,13 +1378,15 @@ static int vc1_decode_p_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[i]][j] <<= 1; + v->block[v->cur_blk_idx][block_map[i]][j] *= 2; block_cbp |= 0xF << (i << 2); block_intra |= 1 << i; } else if (val) { pat = vc1_decode_p_block(v, v->block[v->cur_blk_idx][block_map[i]], i, mquant, ttmb, first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1477,7 +1481,7 @@ static int vc1_decode_p_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[i]][j] <<= 1; + v->block[v->cur_blk_idx][block_map[i]][j] *= 2; block_cbp |= 0xF << (i << 2); block_intra |= 1 << i; } else if (is_coded[i]) { @@ -1486,6 +1490,8 @@ static int vc1_decode_p_mb(VC1Context *v) (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1696,6 +1702,8 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : (s->linesize << fieldtx), CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1832,6 +1840,8 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1851,7 +1861,7 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) /** Decode one B-frame MB (in Main profile) */ -static void vc1_decode_b_mb(VC1Context *v) +static int vc1_decode_b_mb(VC1Context *v) { MpegEncContext *s = &v->s; GetBitContext *gb = &s->gb; @@ -1917,7 +1927,7 @@ static void vc1_decode_b_mb(VC1Context *v) bmvtype = BMV_TYPE_INTERPOLATED; ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); vc1_b_mc(v, dmv_x, dmv_y, direct, bmvtype); - return; + return 0; } if (direct) { cbp = get_vlc2(&v->s.gb, v->cbpcy_vlc->table, VC1_CBPCY_P_VLC_BITS, 2); @@ -1934,7 +1944,7 @@ static void vc1_decode_b_mb(VC1Context *v) /* no coded blocks - effectively skipped */ ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); vc1_b_mc(v, dmv_x, dmv_y, direct, bmvtype); - return; + return 0; } if (s->mb_intra && !mb_has_coeffs) { GET_MQUANT(); @@ -1949,7 +1959,7 @@ static void vc1_decode_b_mb(VC1Context *v) /* interpolated skipped block */ ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); vc1_b_mc(v, dmv_x, dmv_y, direct, bmvtype); - return; + return 0; } } ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); @@ -1987,26 +1997,29 @@ static void vc1_decode_b_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - s->block[i][j] <<= 1; + s->block[i][j] *= 2; s->idsp.put_signed_pixels_clamped(s->block[i], s->dest[dst_idx] + off, i & 4 ? s->uvlinesize : s->linesize); } else if (val) { - vc1_decode_p_block(v, s->block[i], i, mquant, ttmb, - first_block, s->dest[dst_idx] + off, - (i & 4) ? s->uvlinesize : s->linesize, - CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), NULL); + int pat = vc1_decode_p_block(v, s->block[i], i, mquant, ttmb, + first_block, s->dest[dst_idx] + off, + (i & 4) ? s->uvlinesize : s->linesize, + CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), NULL); + if (pat < 0) + return pat; if (!v->ttmbf && ttmb < 8) ttmb = -1; first_block = 0; } } + return 0; } /** Decode one B-frame MB (in interlaced field B picture) */ -static void vc1_decode_b_mb_intfi(VC1Context *v) +static int vc1_decode_b_mb_intfi(VC1Context *v) { MpegEncContext *s = &v->s; GetBitContext *gb = &s->gb; @@ -2111,7 +2124,7 @@ static void vc1_decode_b_mb_intfi(VC1Context *v) dmv_x[1] = dmv_y[1] = pred_flag[0] = 0; if (!s->next_picture_ptr->field_picture) { av_log(s->avctx, AV_LOG_ERROR, "Mixed field/frame direct mode not supported\n"); - return; + return AVERROR_INVALIDDATA; } } ff_vc1_pred_b_mv_intfi(v, 0, dmv_x, dmv_y, 1, pred_flag); @@ -2156,6 +2169,8 @@ static void vc1_decode_b_mb_intfi(VC1Context *v) first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -2165,6 +2180,8 @@ static void vc1_decode_b_mb_intfi(VC1Context *v) } v->cbp[s->mb_x] = block_cbp; v->ttblk[s->mb_x] = block_tt; + + return 0; } /** Decode one B-frame MB (in interlaced frame B picture) @@ -2451,6 +2468,8 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : (s->linesize << fieldtx), CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -2600,13 +2619,13 @@ static void vc1_decode_i_blocks(VC1Context *v) if (v->rangeredfrm) for (k = 0; k < 6; k++) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[k]][j] <<= 1; + v->block[v->cur_blk_idx][block_map[k]][j] *= 2; vc1_put_blocks_clamped(v, 1); } else { if (v->rangeredfrm) for (k = 0; k < 6; k++) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[k]][j] = (v->block[v->cur_blk_idx][block_map[k]][j] - 64) << 1; + v->block[v->cur_blk_idx][block_map[k]][j] = (v->block[v->cur_blk_idx][block_map[k]][j] - 64) * 2; vc1_put_blocks_clamped(v, 0); } diff --git a/libavcodec/vc1_loopfilter.c b/libavcodec/vc1_loopfilter.c index 0f990cccef..ee694ede28 100644 --- a/libavcodec/vc1_loopfilter.c +++ b/libavcodec/vc1_loopfilter.c @@ -1125,10 +1125,7 @@ static av_always_inline void vc1_b_h_intfi_loop_filter(VC1Context *v, uint8_t *d dst = dest + (block_num & 2) * 4 * s->linesize + (block_num & 1) * 8; if (!(flags & RIGHT_EDGE) || !(block_num & 5)) { - if (block_num > 3) - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); - else - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); + v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); } tt = ttblk[0] >> (block_num * 4) & 0xf; diff --git a/libavcodec/vc1_pred.c b/libavcodec/vc1_pred.c index 9e29b44a1f..f70956e739 100644 --- a/libavcodec/vc1_pred.c +++ b/libavcodec/vc1_pred.c @@ -178,7 +178,7 @@ static av_always_inline int scaleforsame(VC1Context *v, int i, int n /* MV */, brfd = FFMIN(v->brfd, 3); scalesame = ff_vc1_b_field_mvpred_scales[0][brfd]; - n = (n * scalesame >> 8) << hpel; + n = (n * scalesame >> 8) * (1 << hpel); return n; } @@ -191,15 +191,16 @@ static av_always_inline int scaleforopp(VC1Context *v, int n /* MV */, n >>= hpel; if (v->s.pict_type == AV_PICTURE_TYPE_B && !v->second_field && dir == 1) { if (dim) - n = scaleforopp_y(v, n, dir) << hpel; + n = scaleforopp_y(v, n, dir) * (1 << hpel); else - n = scaleforopp_x(v, n) << hpel; + n = scaleforopp_x(v, n) * (1 << hpel); return n; } if (v->s.pict_type != AV_PICTURE_TYPE_B) - refdist = FFMIN(v->refdist, 3); + refdist = v->refdist; else refdist = dir ? v->brfd : v->frfd; + refdist = FFMIN(refdist, 3); scaleopp = ff_vc1_field_mvpred_scales[dir ^ v->second_field][0][refdist]; n = (n * scaleopp >> 8) * (1 << hpel); diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 9519864c55..2debd741a6 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -344,7 +344,7 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v) if (!v->block || !v->cbp_base) goto error; v->cbp = v->cbp_base + 2 * s->mb_stride; - v->ttblk_base = av_malloc(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride); + v->ttblk_base = av_mallocz(sizeof(v->ttblk_base[0]) * 3 * s->mb_stride); if (!v->ttblk_base) goto error; v->ttblk = v->ttblk_base + 2 * s->mb_stride; @@ -358,7 +358,7 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v) v->luma_mv = v->luma_mv_base + 2 * s->mb_stride; /* allocate block type info in that way so it could be used with s->block_index[] */ - v->mb_type_base = av_malloc(s->b8_stride * (mb_height * 2 + 1) + s->mb_stride * (mb_height + 1) * 2); + v->mb_type_base = av_mallocz(s->b8_stride * (mb_height * 2 + 1) + s->mb_stride * (mb_height + 1) * 2); if (!v->mb_type_base) goto error; v->mb_type[0] = v->mb_type_base + s->b8_stride + 1; @@ -431,7 +431,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) v->output_height = avctx->height; if (!avctx->extradata_size || !avctx->extradata) - return -1; + return AVERROR_INVALIDDATA; v->s.avctx = avctx; if ((ret = ff_vc1_init_common(v)) < 0) @@ -450,6 +450,11 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if ((ret = ff_vc1_decode_sequence_header(avctx, v, &gb)) < 0) return ret; + if (avctx->codec_id == AV_CODEC_ID_WMV3IMAGE && !v->res_sprite) { + avpriv_request_sample(avctx, "Non sprite WMV3IMAGE"); + return AVERROR_PATCHWELCOME; + } + count = avctx->extradata_size*8 - get_bits_count(&gb); if (count > 0) { av_log(avctx, AV_LOG_INFO, "Extra data: %i bits left, value: %X\n", @@ -467,7 +472,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (avctx->extradata_size < 16) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small: %i\n", avctx->extradata_size); - return -1; + return AVERROR_INVALIDDATA; } buf2 = av_mallocz(avctx->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); @@ -503,7 +508,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) av_free(buf2); if (!seq_initialized || !ep_initialized) { av_log(avctx, AV_LOG_ERROR, "Incomplete extradata\n"); - return -1; + return AVERROR_INVALIDDATA; } v->res_sprite = (avctx->codec_id == AV_CODEC_ID_VC1IMAGE); } @@ -571,14 +576,21 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (v->sprite_width > 1 << 14 || v->sprite_height > 1 << 14 || v->output_width > 1 << 14 || - v->output_height > 1 << 14) return -1; + v->output_height > 1 << 14) { + ret = AVERROR_INVALIDDATA; + goto error; + } if ((v->sprite_width&1) || (v->sprite_height&1)) { avpriv_request_sample(avctx, "odd sprites support"); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto error; } } return 0; +error: + av_frame_free(&v->sprite_output_frame); + return ret; } /** Close a VC1/WMV3 decoder @@ -596,6 +608,7 @@ av_cold int ff_vc1_decode_end(AVCodecContext *avctx) av_freep(&v->hrd_rate); av_freep(&v->hrd_buffer); ff_mpv_common_end(&v->s); + memset(v->s.block_index, 0, sizeof(v->s.block_index)); av_freep(&v->mv_type_mb_plane); av_freep(&v->direct_mb_plane); av_freep(&v->forward_mb_plane); @@ -842,7 +855,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - + if ((avctx->codec_id == AV_CODEC_ID_WMV3IMAGE || avctx->codec_id == AV_CODEC_ID_VC1IMAGE) + && v->field_mode) { + av_log(v->s.avctx, AV_LOG_ERROR, "Sprite decoder: expected Frames not Fields\n"); + ret = AVERROR_INVALIDDATA; + goto err; + } if ((s->mb_height >> v->field_mode) == 0) { av_log(v->s.avctx, AV_LOG_ERROR, "image too short\n"); ret = AVERROR_INVALIDDATA; @@ -1021,7 +1039,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ff_mpeg_er_frame_start(s); - v->bits = buf_size * 8; + v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits); v->end_mb_x = s->mb_width; if (v->field_mode) { s->current_picture.f->linesize[0] <<= 1; @@ -1095,8 +1113,10 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, continue; } ff_vc1_decode_blocks(v); - if (i != n_slices) + if (i != n_slices) { s->gb = slices[i].gb; + v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits); + } } if (v->field_mode) { v->second_field = 0; @@ -1118,7 +1138,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - if (!v->field_mode) + if ( !v->field_mode + && avctx->codec_id != AV_CODEC_ID_WMV3IMAGE + && avctx->codec_id != AV_CODEC_ID_VC1IMAGE) ff_er_frame_end(&s->er); } @@ -1141,12 +1163,14 @@ image: if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { if ((ret = av_frame_ref(pict, s->current_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->current_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->current_picture_ptr, pict); *got_frame = 1; } else if (s->last_picture_ptr) { if ((ret = av_frame_ref(pict, s->last_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->last_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->last_picture_ptr, pict); *got_frame = 1; } } diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index d0101e01e4..a3057f91fb 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -183,7 +183,9 @@ typedef struct VC2EncContext { static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) { int i; - int pbits = 0, bits = 0, topbit = 1, maxval = 1; + int bits = 0; + unsigned topbit = 1, maxval = 1; + uint64_t pbits = 0; if (!val++) { put_bits(pb, 1, 1); @@ -200,12 +202,13 @@ static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) for (i = 0; i < bits; i++) { topbit >>= 1; + av_assert2(pbits <= UINT64_MAX>>3); pbits <<= 2; if (val & topbit) pbits |= 0x1; } - put_bits(pb, bits*2 + 1, (pbits << 1) | 1); + put_bits64(pb, bits*2 + 1, (pbits << 1) | 1); } static av_always_inline int count_vc2_ue_uint(uint32_t val) @@ -981,6 +984,8 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); + if (s->slice_min_bytes < 0 || s->slice_max_bytes > INT_MAX >> 3) + return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); if (ret) diff --git a/libavcodec/vdpau_mpeg12.c b/libavcodec/vdpau_mpeg12.c index d286e7e57d..41b3fd8641 100644 --- a/libavcodec/vdpau_mpeg12.c +++ b/libavcodec/vdpau_mpeg12.c @@ -73,8 +73,9 @@ static int vdpau_mpeg_start_frame(AVCodecContext *avctx, info->f_code[1][0] = s->mpeg_f_code[1][0]; info->f_code[1][1] = s->mpeg_f_code[1][1]; for (i = 0; i < 64; ++i) { - info->intra_quantizer_matrix[i] = s->intra_matrix[i]; - info->non_intra_quantizer_matrix[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + info->intra_quantizer_matrix[i] = s->intra_matrix[n]; + info->non_intra_quantizer_matrix[i] = s->inter_matrix[n]; } return ff_vdpau_common_start_frame(pic_ctx, buffer, size); diff --git a/libavcodec/vdpau_mpeg4.c b/libavcodec/vdpau_mpeg4.c index 96f83026a8..5bf82dc9fa 100644 --- a/libavcodec/vdpau_mpeg4.c +++ b/libavcodec/vdpau_mpeg4.c @@ -74,8 +74,9 @@ static int vdpau_mpeg4_start_frame(AVCodecContext *avctx, info->alternate_vertical_scan_flag = s->alternate_scan; info->top_field_first = s->top_field_first; for (i = 0; i < 64; ++i) { - info->intra_quantizer_matrix[i] = s->intra_matrix[i]; - info->non_intra_quantizer_matrix[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + info->intra_quantizer_matrix[i] = s->intra_matrix[n]; + info->non_intra_quantizer_matrix[i] = s->inter_matrix[n]; } ff_vdpau_common_start_frame(pic_ctx, buffer, size); diff --git a/libavcodec/videodsp_template.c b/libavcodec/videodsp_template.c index 55123a5844..8743d725c6 100644 --- a/libavcodec/videodsp_template.c +++ b/libavcodec/videodsp_template.c @@ -60,7 +60,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, av_assert2(start_x < end_x && block_w); w = end_x - start_x; - src += start_y * src_linesize + start_x * sizeof(pixel); + src += start_y * src_linesize + start_x * (ptrdiff_t)sizeof(pixel); buf += start_x * sizeof(pixel); // top @@ -83,7 +83,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, buf += buf_linesize; } - buf -= block_h * buf_linesize + start_x * sizeof(pixel); + buf -= block_h * buf_linesize + start_x * (ptrdiff_t)sizeof(pixel); while (block_h--) { pixel *bufp = (pixel *) buf; diff --git a/libavcodec/vmdaudio.c b/libavcodec/vmdaudio.c index e8c8a064c7..dfbd49fd84 100644 --- a/libavcodec/vmdaudio.c +++ b/libavcodec/vmdaudio.c @@ -76,7 +76,9 @@ static av_cold int vmdaudio_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n"); return AVERROR(EINVAL); } - if (avctx->block_align < 1 || avctx->block_align % avctx->channels) { + if (avctx->block_align < 1 || avctx->block_align % avctx->channels || + avctx->block_align > INT_MAX - avctx->channels + ) { av_log(avctx, AV_LOG_ERROR, "invalid block align\n"); return AVERROR(EINVAL); } @@ -179,6 +181,9 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* drop incomplete chunks */ buf_size = audio_chunks * s->chunk_size; + if (silent_chunks + audio_chunks >= INT_MAX / avctx->block_align) + return AVERROR_INVALIDDATA; + /* get output buffer */ frame->nb_samples = ((silent_chunks + audio_chunks) * avctx->block_align) / avctx->channels; diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index a86d4c4c36..006b9e332b 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -363,6 +363,10 @@ static int vorbis_parse_setup_hdr_codebooks(vorbis_context *vc) unsigned codebook_value_bits = get_bits(gb, 4) + 1; unsigned codebook_sequence_p = get_bits1(gb); + if (!isfinite(codebook_minimum_value) || !isfinite(codebook_delta_value)) { + ret = AVERROR_INVALIDDATA; + goto error; + } ff_dlog(NULL, " We expect %d numbers for building the codevectors. \n", codebook_lookup_values); ff_dlog(NULL, " delta %f minmum %f \n", @@ -1182,6 +1186,9 @@ static int vorbis_floor0_decode(vorbis_context *vc, q *= q; } + if (p + q == 0.0) + return AVERROR_INVALIDDATA; + /* calculate linear floor value */ q = exp((((amplitude*vf->amplitude_offset) / (((1ULL << vf->amplitude_bits) - 1) * sqrt(p + q))) @@ -1358,8 +1365,12 @@ static av_always_inline int setup_classifs(vorbis_context *vc, return AVERROR_INVALIDDATA; } - av_assert0(vr->classifications > 1); //needed for inverse[] - + if (vr->classifications == 1) { + for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { + if (i < ptns_to_read) + vr->classifs[p + i] = 0; + } + } else { for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { temp2 = (((uint64_t)temp) * inverse_class) >> 32; @@ -1367,6 +1378,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc, vr->classifs[p + i] = temp - temp2 * vr->classifications; temp = temp2; } + } } p += ptns_to_read; } @@ -1434,23 +1446,34 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, int vqbook = vr->books[vqclass][pass]; if (vqbook >= 0 && vc->codebooks[vqbook].codevectors) { - unsigned coffs; + int coffs; unsigned dim = vc->codebooks[vqbook].dimensions; unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; + if (get_bits_left(gb) < 0) { + av_log(vc->avctx, AV_LOG_ERROR, "Overread %d bits\n", -get_bits_left(gb)); + return 0; + } + if (vr_type == 0) { voffs = voffset+j*vlen; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l) vec[voffs + k + l * step] += codebook.codevectors[coffs + l]; } } else if (vr_type == 1) { voffs = voffset + j * vlen; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l, ++voffs) { vec[voffs]+=codebook.codevectors[coffs+l]; @@ -1463,13 +1486,19 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, if (dim == 2) { for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 2; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= 2; vec[voffs + k ] += codebook.codevectors[coffs ]; vec[voffs + k + vlen] += codebook.codevectors[coffs + 1]; } } else if (dim == 4) { for (k = 0; k < step; ++k, voffs += 2) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 4; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= 4; vec[voffs ] += codebook.codevectors[coffs ]; vec[voffs + 1 ] += codebook.codevectors[coffs + 2]; vec[voffs + vlen ] += codebook.codevectors[coffs + 1]; @@ -1477,7 +1506,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, } } else for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; l += 2, voffs++) { vec[voffs ] += codebook.codevectors[coffs + l ]; vec[voffs + vlen] += codebook.codevectors[coffs + l + 1]; @@ -1490,11 +1522,14 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, } } else if (vr_type == 2) { - unsigned voffs_div = FASTDIV(voffset << 1, ch <<1); + unsigned voffs_div = ch == 1 ? voffset : FASTDIV(voffset, ch); unsigned voffs_mod = voffset - voffs_div * ch; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l) { vec[voffs_div + voffs_mod * vlen] += codebook.codevectors[coffs + l]; diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index a6f759ebf5..a9b7fabd18 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -710,6 +710,8 @@ static int vp4_unpack_macroblocks(Vp3DecodeContext *s, GetBitContext *gb) has_partial = 0; bit = get_bits1(gb); for (i = 0; i < s->yuv_macroblock_count; i += current_run) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; current_run = vp4_get_mb_count(s, gb); if (current_run > s->yuv_macroblock_count - i) return -1; @@ -719,6 +721,8 @@ static int vp4_unpack_macroblocks(Vp3DecodeContext *s, GetBitContext *gb) } if (has_partial) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; bit = get_bits1(gb); current_run = vp4_get_mb_count(s, gb); for (i = 0; i < s->yuv_macroblock_count; i++) { @@ -1403,6 +1407,8 @@ static int vp4_unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, int eob_run; while (!eob_tracker[coeff_i]) { + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; token = get_vlc2(gb, vlc_tables[coeff_i]->table, 11, 3); @@ -1996,8 +2002,7 @@ static int vp4_mc_loop_filter(Vp3DecodeContext *s, int plane, int motion_x, int x_offset = (-(x + 2) & 7) + 2; y_offset = (-(y + 2) & 7) + 2; - if (x_offset > 8 + x_subpel && y_offset > 8 + y_subpel) - return 0; + av_assert1(!(x_offset > 8 + x_subpel && y_offset > 8 + y_subpel)); s->vdsp.emulated_edge_mc(loop, motion_source - stride - 1, loop_stride, stride, @@ -2330,6 +2335,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) s->avctx = avctx; s->width = FFALIGN(avctx->coded_width, 16); s->height = FFALIGN(avctx->coded_height, 16); + if (s->width < 18) + return AVERROR_PATCHWELCOME; if (avctx->codec_id != AV_CODEC_ID_THEORA) avctx->pix_fmt = AV_PIX_FMT_YUV420P; avctx->chroma_sample_location = AVCHROMA_LOC_CENTER; @@ -2734,15 +2741,27 @@ static int vp3_decode_frame(AVCodecContext *avctx, if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0) goto error; - if (!s->edge_emu_buffer) + if (!s->edge_emu_buffer) { s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0])); + if (!s->edge_emu_buffer) { + ret = AVERROR(ENOMEM); + goto error; + } + } if (s->keyframe) { if (!s->theora) { skip_bits(&gb, 4); /* width code */ skip_bits(&gb, 4); /* height code */ if (s->version) { - s->version = get_bits(&gb, 5); + int version = get_bits(&gb, 5); +#if !CONFIG_VP4_DECODER + if (version >= 2) { + av_log(avctx, AV_LOG_ERROR, "This build does not support decoding VP4.\n"); + return AVERROR_DECODER_NOT_FOUND; + } +#endif + s->version = version; if (avctx->frame_number == 0) av_log(s->avctx, AV_LOG_DEBUG, "VP version: %d\n", s->version); @@ -2954,9 +2973,16 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + if (get_bits_left(gb) < 206) + return AVERROR_INVALIDDATA; + s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); + if (!s->theora) { + s->theora = 1; + avpriv_request_sample(s->avctx, "theora 0"); + } /* 3.2.0 aka alpha3 has the same frame orientation as original vp3 * but previous versions have the image flipped relative to vp3 */ @@ -2982,7 +3008,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) /* sanity check */ if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 || visible_width + offset_x > s->width || - visible_height + offset_y > s->height) { + visible_height + offset_y > s->height || + visible_width < 18 + ) { av_log(avctx, AV_LOG_ERROR, "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n", visible_width, visible_height, offset_x, offset_y, @@ -3028,6 +3056,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) } else avctx->pix_fmt = AV_PIX_FMT_YUV420P; + if (s->width < 18) + return AVERROR_PATCHWELCOME; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c index ac4c57441c..151545bd01 100644 --- a/libavcodec/vp3dsp.c +++ b/libavcodec/vp3dsp.c @@ -490,5 +490,5 @@ void ff_vp3dsp_set_bounding_values(int * bounding_values_array, int filter_limit } if (value) bounding_values[128] = value; - bounding_values[129] = bounding_values[130] = filter_limit * 0x02020202; + bounding_values[129] = bounding_values[130] = filter_limit * 0x02020202U; } diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 49988b8b76..f3946f508c 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -48,6 +48,8 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); if (s->frames[VP56_FRAME_CURRENT]->key_frame) { + int render_x, render_y; + vp56_rac_gets(c, 8); if(vp56_rac_gets(c, 5) > 5) return AVERROR_INVALIDDATA; @@ -63,8 +65,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) cols << 4, rows << 4); return AVERROR_INVALIDDATA; } - vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ - vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ + render_y = vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ + render_x = vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ + if (render_x == 0 || render_x > cols || + render_y == 0 || render_y > rows) + return AVERROR_INVALIDDATA; vp56_rac_gets(c, 2); if (!s->macroblocks || /* first frame */ 16*cols != s->avctx->coded_width || @@ -183,7 +188,7 @@ static int vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end <= c->buffer && c->bits >= 0) { + if (vpX_rac_is_end(c)) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 72fea3780e..695f37e972 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -572,7 +572,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, VP56Context *s = avctx->priv_data; AVFrame *const p = s->frames[VP56_FRAME_CURRENT]; int remaining_buf_size = avpkt->size; - int av_uninit(alpha_offset); + int alpha_offset = remaining_buf_size; int i, res; int ret; @@ -585,7 +585,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return AVERROR_INVALIDDATA; } - res = s->parse_header(s, buf, remaining_buf_size); + res = s->parse_header(s, buf, alpha_offset); if (res < 0) return res; diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 84b2f6c94b..65cf46870a 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -89,6 +89,7 @@ typedef struct VP56RangeCoder { const uint8_t *buffer; const uint8_t *end; unsigned int code_word; + int end_reached; } VP56RangeCoder; typedef struct VP56RefDc { @@ -235,7 +236,9 @@ int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_si */ static av_always_inline int vpX_rac_is_end(VP56RangeCoder *c) { - return c->end <= c->buffer && c->bits >= 0; + if (c->end <= c->buffer && c->bits >= 0) + c->end_reached ++; + return c->end_reached > 10; } static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c index e70302bf85..64fb6a99b4 100644 --- a/libavcodec/vp56rac.c +++ b/libavcodec/vp56rac.c @@ -43,6 +43,7 @@ int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_si c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + c->end_reached = 0; if (buf_size < 1) return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 977fcb7076..e5dec19f50 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -473,7 +473,7 @@ static int vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end <= c->buffer && c->bits >= 0) { + if (vpX_rac_is_end(c)) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index ba79e5fdab..7f90a4dae5 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -235,8 +235,16 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) return AVERROR(ENOMEM); } #if HAVE_THREADS - pthread_mutex_init(&s->thread_data[i].lock, NULL); - pthread_cond_init(&s->thread_data[i].cond, NULL); + ret = pthread_mutex_init(&s->thread_data[i].lock, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } + ret = pthread_cond_init(&s->thread_data[i].cond, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } #endif } @@ -661,7 +669,7 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->fade_present = vp8_rac_get(c); } - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; /* E. Fading information for previous frame */ if (s->fade_present && vp8_rac_get(c)) { @@ -2286,10 +2294,10 @@ int vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe, s->mv_bounds.mv_min.x = -MARGIN; s->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; - if (vpX_rac_is_end(&s->c)) { - return AVERROR_INVALIDDATA; - } for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { + if (vpX_rac_is_end(&s->c)) { + return AVERROR_INVALIDDATA; + } if (mb_y == 0) AV_WN32A((mb - s->mb_width - 1)->intra4x4_pred_mode_top, DC_PRED * 0x01010101); @@ -2372,7 +2380,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; if (mb_y == 0) @@ -2403,7 +2411,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void td->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index bb54561a60..9b11661704 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1138,7 +1138,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \ for (j = 0; j < sz; j++) \ dst[j * stride] = av_clip_pixel(dst[j * stride] + \ (bits ? \ - (t + (1 << (bits - 1))) >> bits : \ + (int)(t + (1U << (bits - 1))) >> bits : \ t)); \ dst++; \ } \ @@ -1153,7 +1153,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \ for (j = 0; j < sz; j++) \ dst[j * stride] = av_clip_pixel(dst[j * stride] + \ (bits ? \ - (out[j] + (1 << (bits - 1))) >> bits : \ + (int)(out[j] + (1U << (bits - 1))) >> bits : \ out[j])); \ dst++; \ } \ @@ -1260,25 +1260,25 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (t2a - t6a + (1 << 13)) >> 14; t7 = (t3a - t7a + (1 << 13)) >> 14; - t4a = 15137 * t4 + 6270 * t5; - t5a = 6270 * t4 - 15137 * t5; - t6a = 15137 * t7 - 6270 * t6; - t7a = 6270 * t7 + 15137 * t6; + t4a = 15137U * t4 + 6270U * t5; + t5a = 6270U * t4 - 15137U * t5; + t6a = 15137U * t7 - 6270U * t6; + t7a = 6270U * t7 + 15137U * t6; out[0] = t0 + t2; out[7] = -(t1 + t3); t2 = t0 - t2; t3 = t1 - t3; - out[1] = -((t4a + t6a + (1 << 13)) >> 14); - out[6] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[1] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[6] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; - out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); - out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; - out[2] = ((t6 + t7) * 11585 + (1 << 13)) >> 14; - out[5] = -(((t6 - t7) * 11585 + (1 << 13)) >> 14); + out[3] = -((dctint)((t2 + t3) * 11585U + (1 << 13)) >> 14); + out[4] = (dctint)((t2 - t3) * 11585U + (1 << 13)) >> 14; + out[2] = (dctint)((t6 + t7) * 11585U + (1 << 13)) >> 14; + out[5] = -((dctint)((t6 - t7) * 11585U + (1 << 13)) >> 14); } itxfm_wrap(8, 5) @@ -1290,22 +1290,22 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a; dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a; - t0a = ((IN(0) + IN(8)) * 11585 + (1 << 13)) >> 14; - t1a = ((IN(0) - IN(8)) * 11585 + (1 << 13)) >> 14; - t2a = (IN(4) * 6270 - IN(12) * 15137 + (1 << 13)) >> 14; - t3a = (IN(4) * 15137 + IN(12) * 6270 + (1 << 13)) >> 14; - t4a = (IN(2) * 3196 - IN(14) * 16069 + (1 << 13)) >> 14; - t7a = (IN(2) * 16069 + IN(14) * 3196 + (1 << 13)) >> 14; - t5a = (IN(10) * 13623 - IN(6) * 9102 + (1 << 13)) >> 14; - t6a = (IN(10) * 9102 + IN(6) * 13623 + (1 << 13)) >> 14; - t8a = (IN(1) * 1606 - IN(15) * 16305 + (1 << 13)) >> 14; - t15a = (IN(1) * 16305 + IN(15) * 1606 + (1 << 13)) >> 14; - t9a = (IN(9) * 12665 - IN(7) * 10394 + (1 << 13)) >> 14; - t14a = (IN(9) * 10394 + IN(7) * 12665 + (1 << 13)) >> 14; - t10a = (IN(5) * 7723 - IN(11) * 14449 + (1 << 13)) >> 14; - t13a = (IN(5) * 14449 + IN(11) * 7723 + (1 << 13)) >> 14; - t11a = (IN(13) * 15679 - IN(3) * 4756 + (1 << 13)) >> 14; - t12a = (IN(13) * 4756 + IN(3) * 15679 + (1 << 13)) >> 14; + t0a = (dctint)((IN(0) + IN(8)) * 11585U + (1 << 13)) >> 14; + t1a = (dctint)((IN(0) - IN(8)) * 11585U + (1 << 13)) >> 14; + t2a = (dctint)(IN(4) * 6270U - IN(12) * 15137U + (1 << 13)) >> 14; + t3a = (dctint)(IN(4) * 15137U + IN(12) * 6270U + (1 << 13)) >> 14; + t4a = (dctint)(IN(2) * 3196U - IN(14) * 16069U + (1 << 13)) >> 14; + t7a = (dctint)(IN(2) * 16069U + IN(14) * 3196U + (1 << 13)) >> 14; + t5a = (dctint)(IN(10) * 13623U - IN(6) * 9102U + (1 << 13)) >> 14; + t6a = (dctint)(IN(10) * 9102U + IN(6) * 13623U + (1 << 13)) >> 14; + t8a = (dctint)(IN(1) * 1606U - IN(15) * 16305U + (1 << 13)) >> 14; + t15a = (dctint)(IN(1) * 16305U + IN(15) * 1606U + (1 << 13)) >> 14; + t9a = (dctint)(IN(9) * 12665U - IN(7) * 10394U + (1 << 13)) >> 14; + t14a = (dctint)(IN(9) * 10394U + IN(7) * 12665U + (1 << 13)) >> 14; + t10a = (dctint)(IN(5) * 7723U - IN(11) * 14449U + (1 << 13)) >> 14; + t13a = (dctint)(IN(5) * 14449U + IN(11) * 7723U + (1 << 13)) >> 14; + t11a = (dctint)(IN(13) * 15679U - IN(3) * 4756U + (1 << 13)) >> 14; + t12a = (dctint)(IN(13) * 4756U + IN(3) * 15679U + (1 << 13)) >> 14; t0 = t0a + t3a; t1 = t1a + t2a; @@ -1324,12 +1324,12 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, t14 = t15a - t14a; t15 = t15a + t14a; - t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14; - t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14; - t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14; - t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14; - t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14; - t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14; + t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14; + t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14; + t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14; + t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14; + t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14; + t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14; t0a = t0 + t7; t1a = t1 + t6a; @@ -1348,10 +1348,10 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, t14 = t14a + t13a; t15a = t15 + t12; - t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14; - t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14; - t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14; - t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14; + t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14; + t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14; + t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14; + t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14; out[ 0] = t0a + t15a; out[ 1] = t1a + t14; @@ -1378,48 +1378,48 @@ static av_always_inline void iadst16_1d(const dctcoef *in, ptrdiff_t stride, dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a; dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a; - t0 = IN(15) * 16364 + IN(0) * 804; - t1 = IN(15) * 804 - IN(0) * 16364; - t2 = IN(13) * 15893 + IN(2) * 3981; - t3 = IN(13) * 3981 - IN(2) * 15893; - t4 = IN(11) * 14811 + IN(4) * 7005; - t5 = IN(11) * 7005 - IN(4) * 14811; - t6 = IN(9) * 13160 + IN(6) * 9760; - t7 = IN(9) * 9760 - IN(6) * 13160; - t8 = IN(7) * 11003 + IN(8) * 12140; - t9 = IN(7) * 12140 - IN(8) * 11003; - t10 = IN(5) * 8423 + IN(10) * 14053; - t11 = IN(5) * 14053 - IN(10) * 8423; - t12 = IN(3) * 5520 + IN(12) * 15426; - t13 = IN(3) * 15426 - IN(12) * 5520; - t14 = IN(1) * 2404 + IN(14) * 16207; - t15 = IN(1) * 16207 - IN(14) * 2404; + t0 = IN(15) * 16364U + IN(0) * 804U; + t1 = IN(15) * 804U - IN(0) * 16364U; + t2 = IN(13) * 15893U + IN(2) * 3981U; + t3 = IN(13) * 3981U - IN(2) * 15893U; + t4 = IN(11) * 14811U + IN(4) * 7005U; + t5 = IN(11) * 7005U - IN(4) * 14811U; + t6 = IN(9) * 13160U + IN(6) * 9760U; + t7 = IN(9) * 9760U - IN(6) * 13160U; + t8 = IN(7) * 11003U + IN(8) * 12140U; + t9 = IN(7) * 12140U - IN(8) * 11003U; + t10 = IN(5) * 8423U + IN(10) * 14053U; + t11 = IN(5) * 14053U - IN(10) * 8423U; + t12 = IN(3) * 5520U + IN(12) * 15426U; + t13 = IN(3) * 15426U - IN(12) * 5520U; + t14 = IN(1) * 2404U + IN(14) * 16207U; + t15 = IN(1) * 16207U - IN(14) * 2404U; - t0a = (t0 + t8 + (1 << 13)) >> 14; - t1a = (t1 + t9 + (1 << 13)) >> 14; - t2a = (t2 + t10 + (1 << 13)) >> 14; - t3a = (t3 + t11 + (1 << 13)) >> 14; - t4a = (t4 + t12 + (1 << 13)) >> 14; - t5a = (t5 + t13 + (1 << 13)) >> 14; - t6a = (t6 + t14 + (1 << 13)) >> 14; - t7a = (t7 + t15 + (1 << 13)) >> 14; - t8a = (t0 - t8 + (1 << 13)) >> 14; - t9a = (t1 - t9 + (1 << 13)) >> 14; - t10a = (t2 - t10 + (1 << 13)) >> 14; - t11a = (t3 - t11 + (1 << 13)) >> 14; - t12a = (t4 - t12 + (1 << 13)) >> 14; - t13a = (t5 - t13 + (1 << 13)) >> 14; - t14a = (t6 - t14 + (1 << 13)) >> 14; - t15a = (t7 - t15 + (1 << 13)) >> 14; + t0a = (dctint)((1U << 13) + t0 + t8 ) >> 14; + t1a = (dctint)((1U << 13) + t1 + t9 ) >> 14; + t2a = (dctint)((1U << 13) + t2 + t10) >> 14; + t3a = (dctint)((1U << 13) + t3 + t11) >> 14; + t4a = (dctint)((1U << 13) + t4 + t12) >> 14; + t5a = (dctint)((1U << 13) + t5 + t13) >> 14; + t6a = (dctint)((1U << 13) + t6 + t14) >> 14; + t7a = (dctint)((1U << 13) + t7 + t15) >> 14; + t8a = (dctint)((1U << 13) + t0 - t8 ) >> 14; + t9a = (dctint)((1U << 13) + t1 - t9 ) >> 14; + t10a = (dctint)((1U << 13) + t2 - t10) >> 14; + t11a = (dctint)((1U << 13) + t3 - t11) >> 14; + t12a = (dctint)((1U << 13) + t4 - t12) >> 14; + t13a = (dctint)((1U << 13) + t5 - t13) >> 14; + t14a = (dctint)((1U << 13) + t6 - t14) >> 14; + t15a = (dctint)((1U << 13) + t7 - t15) >> 14; - t8 = t8a * 16069 + t9a * 3196; - t9 = t8a * 3196 - t9a * 16069; - t10 = t10a * 9102 + t11a * 13623; - t11 = t10a * 13623 - t11a * 9102; - t12 = t13a * 16069 - t12a * 3196; - t13 = t13a * 3196 + t12a * 16069; - t14 = t15a * 9102 - t14a * 13623; - t15 = t15a * 13623 + t14a * 9102; + t8 = t8a * 16069U + t9a * 3196U; + t9 = t8a * 3196U - t9a * 16069U; + t10 = t10a * 9102U + t11a * 13623U; + t11 = t10a * 13623U - t11a * 9102U; + t12 = t13a * 16069U - t12a * 3196U; + t13 = t13a * 3196U + t12a * 16069U; + t14 = t15a * 9102U - t14a * 13623U; + t15 = t15a * 13623U + t14a * 9102U; t0 = t0a + t4a; t1 = t1a + t5a; @@ -1429,49 +1429,49 @@ static av_always_inline void iadst16_1d(const dctcoef *in, ptrdiff_t stride, t5 = t1a - t5a; t6 = t2a - t6a; t7 = t3a - t7a; - t8a = (t8 + t12 + (1 << 13)) >> 14; - t9a = (t9 + t13 + (1 << 13)) >> 14; - t10a = (t10 + t14 + (1 << 13)) >> 14; - t11a = (t11 + t15 + (1 << 13)) >> 14; - t12a = (t8 - t12 + (1 << 13)) >> 14; - t13a = (t9 - t13 + (1 << 13)) >> 14; - t14a = (t10 - t14 + (1 << 13)) >> 14; - t15a = (t11 - t15 + (1 << 13)) >> 14; + t8a = (dctint)((1U << 13) + t8 + t12) >> 14; + t9a = (dctint)((1U << 13) + t9 + t13) >> 14; + t10a = (dctint)((1U << 13) + t10 + t14) >> 14; + t11a = (dctint)((1U << 13) + t11 + t15) >> 14; + t12a = (dctint)((1U << 13) + t8 - t12) >> 14; + t13a = (dctint)((1U << 13) + t9 - t13) >> 14; + t14a = (dctint)((1U << 13) + t10 - t14) >> 14; + t15a = (dctint)((1U << 13) + t11 - t15) >> 14; - t4a = t4 * 15137 + t5 * 6270; - t5a = t4 * 6270 - t5 * 15137; - t6a = t7 * 15137 - t6 * 6270; - t7a = t7 * 6270 + t6 * 15137; - t12 = t12a * 15137 + t13a * 6270; - t13 = t12a * 6270 - t13a * 15137; - t14 = t15a * 15137 - t14a * 6270; - t15 = t15a * 6270 + t14a * 15137; + t4a = t4 * 15137U + t5 * 6270U; + t5a = t4 * 6270U - t5 * 15137U; + t6a = t7 * 15137U - t6 * 6270U; + t7a = t7 * 6270U + t6 * 15137U; + t12 = t12a * 15137U + t13a * 6270U; + t13 = t12a * 6270U - t13a * 15137U; + t14 = t15a * 15137U - t14a * 6270U; + t15 = t15a * 6270U + t14a * 15137U; out[ 0] = t0 + t2; out[15] = -(t1 + t3); t2a = t0 - t2; t3a = t1 - t3; - out[ 3] = -((t4a + t6a + (1 << 13)) >> 14); - out[12] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[ 3] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[12] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; out[ 1] = -(t8a + t10a); out[14] = t9a + t11a; t10 = t8a - t10a; t11 = t9a - t11a; - out[ 2] = (t12 + t14 + (1 << 13)) >> 14; - out[13] = -((t13 + t15 + (1 << 13)) >> 14); - t14a = (t12 - t14 + (1 << 13)) >> 14; - t15a = (t13 - t15 + (1 << 13)) >> 14; + out[ 2] = (dctint)((1U << 13) + t12 + t14) >> 14; + out[13] = -((dctint)((1U << 13) + t13 + t15) >> 14); + t14a = (dctint)((1U << 13) + t12 - t14) >> 14; + t15a = (dctint)((1U << 13) + t13 - t15) >> 14; - out[ 7] = ((t2a + t3a) * -11585 + (1 << 13)) >> 14; - out[ 8] = ((t2a - t3a) * 11585 + (1 << 13)) >> 14; - out[ 4] = ((t7 + t6) * 11585 + (1 << 13)) >> 14; - out[11] = ((t7 - t6) * 11585 + (1 << 13)) >> 14; - out[ 6] = ((t11 + t10) * 11585 + (1 << 13)) >> 14; - out[ 9] = ((t11 - t10) * 11585 + (1 << 13)) >> 14; - out[ 5] = ((t14a + t15a) * -11585 + (1 << 13)) >> 14; - out[10] = ((t14a - t15a) * 11585 + (1 << 13)) >> 14; + out[ 7] = (dctint)(-(t2a + t3a) * 11585U + (1 << 13)) >> 14; + out[ 8] = (dctint)( (t2a - t3a) * 11585U + (1 << 13)) >> 14; + out[ 4] = (dctint)( (t7 + t6) * 11585U + (1 << 13)) >> 14; + out[11] = (dctint)( (t7 - t6) * 11585U + (1 << 13)) >> 14; + out[ 6] = (dctint)( (t11 + t10) * 11585U + (1 << 13)) >> 14; + out[ 9] = (dctint)( (t11 - t10) * 11585U + (1 << 13)) >> 14; + out[ 5] = (dctint)(-(t14a + t15a) * 11585U + (1 << 13)) >> 14; + out[10] = (dctint)( (t14a - t15a) * 11585U + (1 << 13)) >> 14; } itxfm_wrap(16, 6) @@ -1479,38 +1479,38 @@ itxfm_wrap(16, 6) static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, dctcoef *out, int pass) { - dctint t0a = ((IN(0) + IN(16)) * 11585 + (1 << 13)) >> 14; - dctint t1a = ((IN(0) - IN(16)) * 11585 + (1 << 13)) >> 14; - dctint t2a = (IN( 8) * 6270 - IN(24) * 15137 + (1 << 13)) >> 14; - dctint t3a = (IN( 8) * 15137 + IN(24) * 6270 + (1 << 13)) >> 14; - dctint t4a = (IN( 4) * 3196 - IN(28) * 16069 + (1 << 13)) >> 14; - dctint t7a = (IN( 4) * 16069 + IN(28) * 3196 + (1 << 13)) >> 14; - dctint t5a = (IN(20) * 13623 - IN(12) * 9102 + (1 << 13)) >> 14; - dctint t6a = (IN(20) * 9102 + IN(12) * 13623 + (1 << 13)) >> 14; - dctint t8a = (IN( 2) * 1606 - IN(30) * 16305 + (1 << 13)) >> 14; - dctint t15a = (IN( 2) * 16305 + IN(30) * 1606 + (1 << 13)) >> 14; - dctint t9a = (IN(18) * 12665 - IN(14) * 10394 + (1 << 13)) >> 14; - dctint t14a = (IN(18) * 10394 + IN(14) * 12665 + (1 << 13)) >> 14; - dctint t10a = (IN(10) * 7723 - IN(22) * 14449 + (1 << 13)) >> 14; - dctint t13a = (IN(10) * 14449 + IN(22) * 7723 + (1 << 13)) >> 14; - dctint t11a = (IN(26) * 15679 - IN( 6) * 4756 + (1 << 13)) >> 14; - dctint t12a = (IN(26) * 4756 + IN( 6) * 15679 + (1 << 13)) >> 14; - dctint t16a = (IN( 1) * 804 - IN(31) * 16364 + (1 << 13)) >> 14; - dctint t31a = (IN( 1) * 16364 + IN(31) * 804 + (1 << 13)) >> 14; - dctint t17a = (IN(17) * 12140 - IN(15) * 11003 + (1 << 13)) >> 14; - dctint t30a = (IN(17) * 11003 + IN(15) * 12140 + (1 << 13)) >> 14; - dctint t18a = (IN( 9) * 7005 - IN(23) * 14811 + (1 << 13)) >> 14; - dctint t29a = (IN( 9) * 14811 + IN(23) * 7005 + (1 << 13)) >> 14; - dctint t19a = (IN(25) * 15426 - IN( 7) * 5520 + (1 << 13)) >> 14; - dctint t28a = (IN(25) * 5520 + IN( 7) * 15426 + (1 << 13)) >> 14; - dctint t20a = (IN( 5) * 3981 - IN(27) * 15893 + (1 << 13)) >> 14; - dctint t27a = (IN( 5) * 15893 + IN(27) * 3981 + (1 << 13)) >> 14; - dctint t21a = (IN(21) * 14053 - IN(11) * 8423 + (1 << 13)) >> 14; - dctint t26a = (IN(21) * 8423 + IN(11) * 14053 + (1 << 13)) >> 14; - dctint t22a = (IN(13) * 9760 - IN(19) * 13160 + (1 << 13)) >> 14; - dctint t25a = (IN(13) * 13160 + IN(19) * 9760 + (1 << 13)) >> 14; - dctint t23a = (IN(29) * 16207 - IN( 3) * 2404 + (1 << 13)) >> 14; - dctint t24a = (IN(29) * 2404 + IN( 3) * 16207 + (1 << 13)) >> 14; + dctint t0a = (dctint)((IN(0) + IN(16)) * 11585U + (1 << 13)) >> 14; + dctint t1a = (dctint)((IN(0) - IN(16)) * 11585U + (1 << 13)) >> 14; + dctint t2a = (dctint)(IN( 8) * 6270U - IN(24) * 15137U + (1 << 13)) >> 14; + dctint t3a = (dctint)(IN( 8) * 15137U + IN(24) * 6270U + (1 << 13)) >> 14; + dctint t4a = (dctint)(IN( 4) * 3196U - IN(28) * 16069U + (1 << 13)) >> 14; + dctint t7a = (dctint)(IN( 4) * 16069U + IN(28) * 3196U + (1 << 13)) >> 14; + dctint t5a = (dctint)(IN(20) * 13623U - IN(12) * 9102U + (1 << 13)) >> 14; + dctint t6a = (dctint)(IN(20) * 9102U + IN(12) * 13623U + (1 << 13)) >> 14; + dctint t8a = (dctint)(IN( 2) * 1606U - IN(30) * 16305U + (1 << 13)) >> 14; + dctint t15a = (dctint)(IN( 2) * 16305U + IN(30) * 1606U + (1 << 13)) >> 14; + dctint t9a = (dctint)(IN(18) * 12665U - IN(14) * 10394U + (1 << 13)) >> 14; + dctint t14a = (dctint)(IN(18) * 10394U + IN(14) * 12665U + (1 << 13)) >> 14; + dctint t10a = (dctint)(IN(10) * 7723U - IN(22) * 14449U + (1 << 13)) >> 14; + dctint t13a = (dctint)(IN(10) * 14449U + IN(22) * 7723U + (1 << 13)) >> 14; + dctint t11a = (dctint)(IN(26) * 15679U - IN( 6) * 4756U + (1 << 13)) >> 14; + dctint t12a = (dctint)(IN(26) * 4756U + IN( 6) * 15679U + (1 << 13)) >> 14; + dctint t16a = (dctint)(IN( 1) * 804U - IN(31) * 16364U + (1 << 13)) >> 14; + dctint t31a = (dctint)(IN( 1) * 16364U + IN(31) * 804U + (1 << 13)) >> 14; + dctint t17a = (dctint)(IN(17) * 12140U - IN(15) * 11003U + (1 << 13)) >> 14; + dctint t30a = (dctint)(IN(17) * 11003U + IN(15) * 12140U + (1 << 13)) >> 14; + dctint t18a = (dctint)(IN( 9) * 7005U - IN(23) * 14811U + (1 << 13)) >> 14; + dctint t29a = (dctint)(IN( 9) * 14811U + IN(23) * 7005U + (1 << 13)) >> 14; + dctint t19a = (dctint)(IN(25) * 15426U - IN( 7) * 5520U + (1 << 13)) >> 14; + dctint t28a = (dctint)(IN(25) * 5520U + IN( 7) * 15426U + (1 << 13)) >> 14; + dctint t20a = (dctint)(IN( 5) * 3981U - IN(27) * 15893U + (1 << 13)) >> 14; + dctint t27a = (dctint)(IN( 5) * 15893U + IN(27) * 3981U + (1 << 13)) >> 14; + dctint t21a = (dctint)(IN(21) * 14053U - IN(11) * 8423U + (1 << 13)) >> 14; + dctint t26a = (dctint)(IN(21) * 8423U + IN(11) * 14053U + (1 << 13)) >> 14; + dctint t22a = (dctint)(IN(13) * 9760U - IN(19) * 13160U + (1 << 13)) >> 14; + dctint t25a = (dctint)(IN(13) * 13160U + IN(19) * 9760U + (1 << 13)) >> 14; + dctint t23a = (dctint)(IN(29) * 16207U - IN( 3) * 2404U + (1 << 13)) >> 14; + dctint t24a = (dctint)(IN(29) * 2404U + IN( 3) * 16207U + (1 << 13)) >> 14; dctint t0 = t0a + t3a; dctint t1 = t1a + t2a; @@ -1545,20 +1545,20 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, dctint t30 = t31a - t30a; dctint t31 = t31a + t30a; - t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14; - t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14; - t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14; - t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14; - t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14; - t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14; - t17a = ( t30 * 3196 - t17 * 16069 + (1 << 13)) >> 14; - t30a = ( t30 * 16069 + t17 * 3196 + (1 << 13)) >> 14; - t18a = (-(t29 * 16069 + t18 * 3196) + (1 << 13)) >> 14; - t29a = ( t29 * 3196 - t18 * 16069 + (1 << 13)) >> 14; - t21a = ( t26 * 13623 - t21 * 9102 + (1 << 13)) >> 14; - t26a = ( t26 * 9102 + t21 * 13623 + (1 << 13)) >> 14; - t22a = (-(t25 * 9102 + t22 * 13623) + (1 << 13)) >> 14; - t25a = ( t25 * 13623 - t22 * 9102 + (1 << 13)) >> 14; + t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14; + t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14; + t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14; + t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14; + t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14; + t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14; + t17a = (dctint)( t30 * 3196U - t17 * 16069U + (1 << 13)) >> 14; + t30a = (dctint)( t30 * 16069U + t17 * 3196U + (1 << 13)) >> 14; + t18a = (dctint)(-(t29 * 16069U + t18 * 3196U) + (1 << 13)) >> 14; + t29a = (dctint)( t29 * 3196U - t18 * 16069U + (1 << 13)) >> 14; + t21a = (dctint)( t26 * 13623U - t21 * 9102U + (1 << 13)) >> 14; + t26a = (dctint)( t26 * 9102U + t21 * 13623U + (1 << 13)) >> 14; + t22a = (dctint)(-(t25 * 9102U + t22 * 13623U) + (1 << 13)) >> 14; + t25a = (dctint)( t25 * 13623U - t22 * 9102U + (1 << 13)) >> 14; t0a = t0 + t7; t1a = t1 + t6a; @@ -1593,18 +1593,18 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, t30 = t30a + t29a; t31a = t31 + t28; - t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14; - t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14; - t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14; - t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14; - t18a = ( t29 * 6270 - t18 * 15137 + (1 << 13)) >> 14; - t29a = ( t29 * 15137 + t18 * 6270 + (1 << 13)) >> 14; - t19 = ( t28a * 6270 - t19a * 15137 + (1 << 13)) >> 14; - t28 = ( t28a * 15137 + t19a * 6270 + (1 << 13)) >> 14; - t20 = (-(t27a * 15137 + t20a * 6270) + (1 << 13)) >> 14; - t27 = ( t27a * 6270 - t20a * 15137 + (1 << 13)) >> 14; - t21a = (-(t26 * 15137 + t21 * 6270) + (1 << 13)) >> 14; - t26a = ( t26 * 6270 - t21 * 15137 + (1 << 13)) >> 14; + t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14; + t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14; + t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14; + t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14; + t18a = (dctint)( t29 * 6270U - t18 * 15137U + (1 << 13)) >> 14; + t29a = (dctint)( t29 * 15137U + t18 * 6270U + (1 << 13)) >> 14; + t19 = (dctint)( t28a * 6270U - t19a * 15137U + (1 << 13)) >> 14; + t28 = (dctint)( t28a * 15137U + t19a * 6270U + (1 << 13)) >> 14; + t20 = (dctint)(-(t27a * 15137U + t20a * 6270U) + (1 << 13)) >> 14; + t27 = (dctint)( t27a * 6270U - t20a * 15137U + (1 << 13)) >> 14; + t21a = (dctint)(-(t26 * 15137U + t21 * 6270U) + (1 << 13)) >> 14; + t26a = (dctint)( t26 * 6270U - t21 * 15137U + (1 << 13)) >> 14; t0 = t0a + t15a; t1 = t1a + t14; @@ -1639,14 +1639,14 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, t30a = t30 + t25; t31 = t31a + t24a; - t20 = ((t27a - t20a) * 11585 + (1 << 13)) >> 14; - t27 = ((t27a + t20a) * 11585 + (1 << 13)) >> 14; - t21a = ((t26 - t21 ) * 11585 + (1 << 13)) >> 14; - t26a = ((t26 + t21 ) * 11585 + (1 << 13)) >> 14; - t22 = ((t25a - t22a) * 11585 + (1 << 13)) >> 14; - t25 = ((t25a + t22a) * 11585 + (1 << 13)) >> 14; - t23a = ((t24 - t23 ) * 11585 + (1 << 13)) >> 14; - t24a = ((t24 + t23 ) * 11585 + (1 << 13)) >> 14; + t20 = (dctint)((t27a - t20a) * 11585U + (1 << 13)) >> 14; + t27 = (dctint)((t27a + t20a) * 11585U + (1 << 13)) >> 14; + t21a = (dctint)((t26 - t21 ) * 11585U + (1 << 13)) >> 14; + t26a = (dctint)((t26 + t21 ) * 11585U + (1 << 13)) >> 14; + t22 = (dctint)((t25a - t22a) * 11585U + (1 << 13)) >> 14; + t25 = (dctint)((t25a + t22a) * 11585U + (1 << 13)) >> 14; + t23a = (dctint)((t24 - t23 ) * 11585U + (1 << 13)) >> 14; + t24a = (dctint)((t24 + t23 ) * 11585U + (1 << 13)) >> 14; out[ 0] = t0 + t31; out[ 1] = t1 + t30a; diff --git a/libavcodec/vp9recon.c b/libavcodec/vp9recon.c index 49bb04e1f4..363fc3cf26 100644 --- a/libavcodec/vp9recon.c +++ b/libavcodec/vp9recon.c @@ -318,7 +318,11 @@ static av_always_inline void mc_luma_unscaled(VP9TileData *td, vp9_mc_func (*mc) // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref - !!my * 3 * ref_stride - !!mx * 3 * bytesperpixel, @@ -357,7 +361,11 @@ static av_always_inline void mc_chroma_unscaled(VP9TileData *td, vp9_mc_func (*m // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref_u - !!my * 3 * src_stride_u - !!mx * 3 * bytesperpixel, diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 0e70be1000..8df3ab3c2b 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -147,7 +147,7 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) } s->width = AV_RL16(&s->avctx->extradata[6]); s->height = AV_RL16(&s->avctx->extradata[8]); - if ((ret = av_image_check_size(s->width, s->height, 0, avctx)) < 0) { + if ((ret = ff_set_dimensions(avctx, s->width, s->height)) < 0) { s->width= s->height= 0; return ret; } @@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame) if (s->partial_countdown <= 0) { bytestream2_init(&s->gb, s->next_codebook_buffer, s->next_codebook_buffer_index); /* decompress codebook */ - if ((res = decode_format80(s, s->next_codebook_buffer_index, - s->codebook, s->codebook_size, 0)) < 0) - return res; + res = decode_format80(s, s->next_codebook_buffer_index, + s->codebook, s->codebook_size, 0); /* reset accounting */ s->next_codebook_buffer_index = 0; s->partial_countdown = s->partial_count; + if (res < 0) + return res; } } diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index d0242809fe..132ed668b9 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -95,7 +95,7 @@ static av_always_inline unsigned get_tail(GetBitContext *gb, int k) e = (1 << (p + 1)) - k - 1; res = get_bitsz(gb, p); if (res >= e) - res = (res << 1) - e + get_bits1(gb); + res = res * 2U - e + get_bits1(gb); return res; } diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 95f4b6530c..2bc5890087 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -529,9 +529,9 @@ static int8_t store_weight(int weight) static int restore_weight(int8_t weight) { - int result; + int result = 8 * weight; - if ((result = (int) weight << 3) > 0) + if (result > 0) result += (result + 64) >> 7; return result; @@ -1976,7 +1976,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); @@ -2005,7 +2005,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); @@ -2557,7 +2557,7 @@ static int wavpack_encode_block(WavPackEncodeContext *s, ret = wv_mono(s, samples_l, !s->num_terms, 1); } else { for (i = 0; i < nb_samples; i++) - crc += (crc << 3) + (samples_l[i] << 1) + samples_l[i] + samples_r[i]; + crc += (crc << 3) + ((uint32_t)samples_l[i] << 1) + samples_l[i] + samples_r[i]; if (s->num_passes) ret = wv_stereo(s, samples_l, samples_r, !s->num_terms, 1); diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 077bb06f85..f5e257c548 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -665,6 +665,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, while (y < img->frame->height) { int v; + if (get_bits_left(&s->gb) < 0) + return AVERROR_INVALIDDATA; + hg = get_huffman_group(s, img, x, y); v = huff_reader_get_symbol(&hg[HUFF_IDX_GREEN], &s->gb); if (v < NUM_LITERAL_CODES) { @@ -736,6 +739,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, ref_x = FFMAX(0, ref_x); ref_y = FFMAX(0, ref_y); + if (ref_y == y && ref_x >= x) + return AVERROR_INVALIDDATA; + /* copy pixels * source and dest regions can overlap and wrap lines, so just * copy per-pixel */ diff --git a/libavcodec/wma.h b/libavcodec/wma.h index 325f03c44b..c7fcf5047c 100644 --- a/libavcodec/wma.h +++ b/libavcodec/wma.h @@ -123,6 +123,7 @@ typedef struct WMACodecContext { uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; /* padding added */ int last_bitoffset; int last_superframe_len; + int exponents_initialized[MAX_CHANNELS]; float noise_table[NOISE_TAB_SIZE]; int noise_index; float noise_mult; /* XXX: suppress that and integrate it in the noise array */ diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 78b51e5871..6365fe7f47 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -585,10 +585,16 @@ static int wma_decode_block(WMACodecContext *s) decode_exp_lsp(s, ch); } s->exponents_bsize[ch] = bsize; + s->exponents_initialized[ch] = 1; } } } + for (ch = 0; ch < s->avctx->channels; ch++) { + if (s->channel_coded[ch] && !s->exponents_initialized[ch]) + return AVERROR_INVALIDDATA; + } + /* parse spectral coefficients : just RLE encoding */ for (ch = 0; ch < s->avctx->channels; ch++) { if (s->channel_coded[ch]) { diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index eb1db615ae..5afc0544d5 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -164,7 +164,7 @@ typedef struct WmallDecodeCtx { int transient_pos[WMALL_MAX_CHANNELS]; int seekable_tile; - int ave_sum[WMALL_MAX_CHANNELS]; + unsigned ave_sum[WMALL_MAX_CHANNELS]; int channel_residues[WMALL_MAX_CHANNELS][WMALL_BLOCK_MAX_SIZE]; @@ -184,11 +184,21 @@ static av_cold int decode_init(AVCodecContext *avctx) unsigned int channel_mask; int i, log2_max_num_subframes; - if (!avctx->block_align) { - av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + if (avctx->block_align <= 0 || avctx->block_align > (1<<21)) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n"); return AVERROR(EINVAL); } + if (avctx->channels < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", + avctx->channels); + return AVERROR_INVALIDDATA; + } else if (avctx->channels > WMALL_MAX_CHANNELS) { + avpriv_request_sample(avctx, + "More than %d channels", WMALL_MAX_CHANNELS); + return AVERROR_PATCHWELCOME; + } + s->max_frame_size = MAX_FRAMESIZE * avctx->channels; s->frame_data = av_mallocz(s->max_frame_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->frame_data) @@ -267,16 +277,6 @@ static av_cold int decode_init(AVCodecContext *avctx) ++s->lfe_channel; } - if (s->num_channels < 0) { - av_log(avctx, AV_LOG_ERROR, "invalid number of channels %"PRId8"\n", - s->num_channels); - return AVERROR_INVALIDDATA; - } else if (s->num_channels > WMALL_MAX_CHANNELS) { - avpriv_request_sample(avctx, - "More than %d channels", WMALL_MAX_CHANNELS); - return AVERROR_PATCHWELCOME; - } - s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); @@ -535,7 +535,8 @@ static int decode_channel_residues(WmallDecodeCtx *s, int ch, int tile_size) i++; } for (; i < tile_size; i++) { - int quo = 0, rem, rem_bits, residue; + int rem, rem_bits; + unsigned quo = 0, residue; while(get_bits1(&s->gb)) { quo++; if (get_bits_left(&s->gb) <= 0) @@ -628,7 +629,7 @@ static void mclms_update(WmallDecodeCtx *s, int icoef, int *pred) int range = 1 << (s->bits_per_sample - 1); for (ich = 0; ich < num_channels; ich++) { - pred_error = s->channel_residues[ich][icoef] - pred[ich]; + pred_error = s->channel_residues[ich][icoef] - (unsigned)pred[ich]; if (pred_error > 0) { for (i = 0; i < order * num_channels; i++) s->mclms_coeffs[i + ich * order * num_channels] += @@ -678,9 +679,9 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred) for (i = 0; i < ich; i++) pred[ich] += (uint32_t)s->channel_residues[i][icoef] * s->mclms_coeffs_cur[i + num_channels * ich]; - pred[ich] += 1 << s->mclms_scaling - 1; + pred[ich] += (1U << s->mclms_scaling) >> 1; pred[ich] >>= s->mclms_scaling; - s->channel_residues[ich][icoef] += pred[ich]; + s->channel_residues[ich][icoef] += (unsigned)pred[ich]; } } @@ -760,13 +761,14 @@ static void lms_update ## bits (WmallDecodeCtx *s, int ich, int ilms, int input) static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ int coef_begin, int coef_end) \ { \ - int icoef, pred, ilms, num_lms, residue, input; \ + int icoef, ilms, num_lms, residue, input; \ + unsigned pred;\ \ num_lms = s->cdlms_ttl[ch]; \ for (ilms = num_lms - 1; ilms >= 0; ilms--) { \ for (icoef = coef_begin; icoef < coef_end; icoef++) { \ int##bits##_t *prevvalues = (int##bits##_t *)s->cdlms[ch][ilms].lms_prevvalues; \ - pred = 1 << (s->cdlms[ch][ilms].scaling - 1); \ + pred = (1 << s->cdlms[ch][ilms].scaling) >> 1; \ residue = s->channel_residues[ch][icoef]; \ pred += s->dsp.scalarproduct_and_madd_int## bits (s->cdlms[ch][ilms].coefs, \ prevvalues + s->cdlms[ch][ilms].recent, \ @@ -774,7 +776,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ s->cdlms[ch][ilms].recent, \ FFALIGN(s->cdlms[ch][ilms].order, ROUND), \ WMASIGN(residue)); \ - input = residue + (pred >> s->cdlms[ch][ilms].scaling); \ + input = residue + (unsigned)((int)pred >> s->cdlms[ch][ilms].scaling); \ lms_update ## bits(s, ch, ilms, input); \ s->channel_residues[ch][icoef] = input; \ } \ @@ -792,8 +794,8 @@ static void revert_inter_ch_decorr(WmallDecodeCtx *s, int tile_size) else if (s->is_channel_coded[0] || s->is_channel_coded[1]) { int icoef; for (icoef = 0; icoef < tile_size; icoef++) { - s->channel_residues[0][icoef] -= s->channel_residues[1][icoef] >> 1; - s->channel_residues[1][icoef] += s->channel_residues[0][icoef]; + s->channel_residues[0][icoef] -= (unsigned)(s->channel_residues[1][icoef] >> 1); + s->channel_residues[1][icoef] += (unsigned) s->channel_residues[0][icoef]; } } } @@ -811,22 +813,25 @@ static void revert_acfilter(WmallDecodeCtx *s, int tile_size) pred = 0; for (j = 0; j < order; j++) { if (i <= j) - pred += filter_coeffs[j] * prevvalues[j - i]; + pred += (uint32_t)filter_coeffs[j] * prevvalues[j - i]; else - pred += s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; + pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; } pred >>= scaling; - s->channel_residues[ich][i] += pred; + s->channel_residues[ich][i] += (unsigned)pred; } for (i = order; i < tile_size; i++) { pred = 0; for (j = 0; j < order; j++) pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; pred >>= scaling; - s->channel_residues[ich][i] += pred; + s->channel_residues[ich][i] += (unsigned)pred; } - for (j = 0; j < order; j++) - prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; + for (j = order - 1; j >= 0; j--) + if (tile_size <= j) { + prevvalues[j] = prevvalues[j - tile_size]; + }else + prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; } } @@ -930,6 +935,8 @@ static int decode_subframe(WmallDecodeCtx *s) s->do_lpc = 0; } + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) padding_zeroes = get_bits(&s->gb, 5); @@ -950,6 +957,8 @@ static int decode_subframe(WmallDecodeCtx *s) for (j = 0; j < subframe_len; j++) s->channel_residues[i][j] = get_sbits_long(&s->gb, bits); } else { + if (s->bits_per_sample < padding_zeroes) + return AVERROR_INVALIDDATA; for (i = 0; i < s->num_channels; i++) { if (s->is_channel_coded[i]) { decode_channel_residues(s, i, subframe_len); @@ -977,7 +986,7 @@ static int decode_subframe(WmallDecodeCtx *s) if (s->quant_stepsize != 1) for (i = 0; i < s->num_channels; i++) for (j = 0; j < subframe_len; j++) - s->channel_residues[i][j] *= s->quant_stepsize; + s->channel_residues[i][j] *= (unsigned)s->quant_stepsize; } /* Write to proper output buffer depending on bit-depth */ @@ -987,9 +996,9 @@ static int decode_subframe(WmallDecodeCtx *s) for (j = 0; j < subframe_len; j++) { if (s->bits_per_sample == 16) { - *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] << padding_zeroes; + *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] * (1 << padding_zeroes); } else { - *s->samples_32[c]++ = s->channel_residues[c][j] << (padding_zeroes + 8); + *s->samples_32[c]++ = s->channel_residues[c][j] * (256U << padding_zeroes); } } } diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index d0fa974c80..5d76050e3a 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -437,7 +437,7 @@ static av_cold int decode_init(WMAProDecodeCtx *s, AVCodecContext *avctx, int nu av_log(avctx, AV_LOG_ERROR, "invalid number of channels per XMA stream %d\n", s->nb_channels); return AVERROR_INVALIDDATA; - } else if (s->nb_channels > WMAPRO_MAX_CHANNELS) { + } else if (s->nb_channels > WMAPRO_MAX_CHANNELS || s->nb_channels > avctx->channels) { avpriv_request_sample(avctx, "More than %d channels", WMAPRO_MAX_CHANNELS); return AVERROR_PATCHWELCOME; @@ -544,7 +544,7 @@ static av_cold int decode_init(WMAProDecodeCtx *s, AVCodecContext *avctx, int nu for (i = 0; i < WMAPRO_BLOCK_SIZES; i++) ff_mdct_init(&s->mdct_ctx[i], WMAPRO_BLOCK_MIN_BITS+1+i, 1, 1.0 / (1 << (WMAPRO_BLOCK_MIN_BITS + i - 1)) - / (1 << (s->bits_per_sample - 1))); + / (1ll << (s->bits_per_sample - 1))); /** init MDCT windows: simple sine window */ for (i = 0; i < WMAPRO_BLOCK_SIZES; i++) { @@ -1565,9 +1565,9 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, s->frame_offset = get_bits_count(gb) & 7; s->num_saved_bits = s->frame_offset; init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); - } - - buflen = (put_bits_count(&s->pb) + len + 8) >> 3; + buflen = (s->num_saved_bits + len + 7) >> 3; + } else + buflen = (put_bits_count(&s->pb) + len + 7) >> 3; if (len <= 0 || buflen > MAX_FRAMESIZE) { avpriv_request_sample(s->avctx, "Too small input buffer"); @@ -1644,6 +1644,7 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s, if (avctx->codec_id == AV_CODEC_ID_WMAPRO && buf_size < avctx->block_align) { av_log(avctx, AV_LOG_ERROR, "Input packet too small (%d < %d)\n", buf_size, avctx->block_align); + s->packet_loss = 1; return AVERROR_INVALIDDATA; } @@ -1718,6 +1719,12 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s, } } else { int frame_size; + + if (avpkt->size < s->next_packet_start) { + s->packet_loss = 1; + return AVERROR_INVALIDDATA; + } + s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; init_get_bits(gb, avpkt->data, s->buf_bit_size); skip_bits(gb, s->packet_offset); @@ -1793,10 +1800,21 @@ static int xma_decode_packet(AVCodecContext *avctx, void *data, AVFrame *frame = data; int i, ret, offset = INT_MAX; + if (!s->frames[s->current_stream]->data[0]) { + s->frames[s->current_stream]->nb_samples = 512; + if ((ret = ff_get_buffer(avctx, s->frames[s->current_stream], 0)) < 0) { + return ret; + } + } /* decode current stream packet */ ret = decode_packet(avctx, &s->xma[s->current_stream], s->frames[s->current_stream], &got_stream_frame_ptr, avpkt); + if (got_stream_frame_ptr && s->offset[s->current_stream] >= 64) { + got_stream_frame_ptr = 0; + ret = AVERROR_INVALIDDATA; + } + /* copy stream samples (1/2ch) to sample buffer (Nch) */ if (got_stream_frame_ptr) { int start_ch = s->start_channel[s->current_stream]; @@ -1888,12 +1906,14 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) s->num_streams = avctx->extradata[1]; if (avctx->extradata_size != (32 + ((avctx->extradata[0]==3)?0:8) + 4*s->num_streams)) { av_log(avctx, AV_LOG_ERROR, "Incorrect XMA2 extradata size\n"); + s->num_streams = 0; return AVERROR(EINVAL); } } else if (avctx->codec_id == AV_CODEC_ID_XMA1 && avctx->extradata_size >= 4) { /* XMAWAVEFORMAT */ s->num_streams = avctx->extradata[4]; if (avctx->extradata_size != (8 + 20*s->num_streams)) { av_log(avctx, AV_LOG_ERROR, "Incorrect XMA1 extradata size\n"); + s->num_streams = 0; return AVERROR(EINVAL); } } else { @@ -1902,8 +1922,11 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) } /* encoder supports up to 64 streams / 64*2 channels (would have to alloc arrays) */ - if (avctx->channels > XMA_MAX_CHANNELS || s->num_streams > XMA_MAX_STREAMS) { + if (avctx->channels > XMA_MAX_CHANNELS || s->num_streams > XMA_MAX_STREAMS || + s->num_streams <= 0 + ) { avpriv_request_sample(avctx, "More than %d channels in %d streams", XMA_MAX_CHANNELS, s->num_streams); + s->num_streams = 0; return AVERROR_PATCHWELCOME; } @@ -1915,14 +1938,12 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) s->frames[i] = av_frame_alloc(); if (!s->frames[i]) return AVERROR(ENOMEM); - s->frames[i]->nb_samples = 512; - if ((ret = ff_get_buffer(avctx, s->frames[i], 0)) < 0) { - return AVERROR(ENOMEM); - } s->start_channel[i] = start_channels; start_channels += s->xma[i].nb_channels; } + if (start_channels != avctx->channels) + return AVERROR_INVALIDDATA; return ret; } @@ -1936,6 +1957,7 @@ static av_cold int xma_decode_end(AVCodecContext *avctx) decode_end(&s->xma[i]); av_frame_free(&s->frames[i]); } + s->num_streams = 0; return 0; } @@ -1991,6 +2013,7 @@ AVCodec ff_wmapro_decoder = { .close = wmapro_decode_end, .decode = wmapro_decode_packet, .capabilities = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .flush = wmapro_flush, .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, @@ -2006,6 +2029,7 @@ AVCodec ff_xma1_decoder = { .close = xma_decode_end, .decode = xma_decode_packet, .capabilities = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1 | AV_CODEC_CAP_DELAY, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, }; @@ -2021,6 +2045,7 @@ AVCodec ff_xma2_decoder = { .decode = xma_decode_packet, .flush = xma_flush, .capabilities = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1 | AV_CODEC_CAP_DELAY, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, }; diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 68bb65986e..9ef6e95d21 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -386,7 +386,7 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) ctx->extradata_size); return AVERROR_INVALIDDATA; } - if (ctx->block_align <= 0) { + if (ctx->block_align <= 0 || ctx->block_align > (1<<22)) { av_log(ctx, AV_LOG_ERROR, "Invalid block alignment %d.\n", ctx->block_align); return AVERROR_INVALIDDATA; } @@ -433,6 +433,9 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) return AVERROR_INVALIDDATA; } + if (ctx->sample_rate >= INT_MAX / (256 * 37)) + return AVERROR_INVALIDDATA; + s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8; s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8; pitch_range = s->max_pitch_val - s->min_pitch_val; @@ -633,12 +636,14 @@ static void calc_input_response(WMAVoiceContext *s, float *lpcs, for (n = 0; n <= 64; n++) { float pwr; - idx = FFMAX(0, lrint((max - lpcs[n]) * irange) - 1); + idx = lrint((max - lpcs[n]) * irange - 1); + idx = FFMAX(0, idx); pwr = wmavoice_denoise_power_table[s->denoise_strength][idx]; lpcs[n] = angle_mul * pwr; /* 70.57 =~ 1/log10(1.0331663) */ - idx = (pwr * gain_mul - 0.0295) * 70.570526123; + idx = av_clipf((pwr * gain_mul - 0.0295) * 70.570526123, 0, INT_MAX / 2); + if (idx > 127) { // fall back if index falls outside table range coeffs[n] = wmavoice_energy_table[127] * powf(1.0331663, idx - 127); @@ -1486,6 +1491,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, /* Parse frame type ("frame header"), see frame_descs */ int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], block_nsamples; + pitch[0] = INT_MAX; + if (bd_idx < 0) { av_log(ctx, AV_LOG_ERROR, "Invalid frame type VLC code, skipping\n"); @@ -1520,7 +1527,7 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, /* "pitch-diff-per-sample" for calculation of pitch per sample */ s->pitch_diff_sh16 = - ((cur_pitch_val - s->last_pitch_val) << 16) / MAX_FRAMESIZE; + (cur_pitch_val - s->last_pitch_val) * (1 << 16) / MAX_FRAMESIZE; } /* Global gain (if silence) and pitch-adaptive window coordinates */ @@ -1603,6 +1610,9 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, double i_lsps[MAX_LSPS]; float lpcs[MAX_LSPS]; + if(frame_descs[bd_idx].fcb_type >= FCB_TYPE_AW_PULSES && pitch[0] == INT_MAX) + return AVERROR_INVALIDDATA; + for (n = 0; n < s->lsps; n++) // LSF -> LSP i_lsps[n] = cos(0.5 * (prev_lsps[n] + lsps[n])); ff_acelp_lspd2lpc(i_lsps, lpcs, s->lsps >> 1); @@ -1840,6 +1850,9 @@ static int parse_packet_header(WMAVoiceContext *s) skip_bits(gb, 4); // packet sequence number s->has_residual_lsps = get_bits1(gb); do { + if (get_bits_left(gb) < 6 + s->spillover_bitsize) + return AVERROR_INVALIDDATA; + res = get_bits(gb, 6); // number of superframes per packet // (minus first one if there is spillover) n_superframes += res; diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 915e9c7dc9..291be78cc8 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -136,6 +136,9 @@ static av_cold int decode_init(AVCodecContext *avctx) { static VLC_TYPE code_table[1 << CODE_VLC_BITS][2]; + if (avctx->width <= 1) + return AVERROR_INVALIDDATA; + avctx->pix_fmt = AV_PIX_FMT_YUV422P; code_vlc.table = code_table; diff --git a/libavcodec/x86/diracdsp.asm b/libavcodec/x86/diracdsp.asm index cc8a26fca5..17145baf87 100644 --- a/libavcodec/x86/diracdsp.asm +++ b/libavcodec/x86/diracdsp.asm @@ -274,7 +274,7 @@ cglobal dequant_subband_32, 7, 7, 4, src, dst, stride, qf, qs, tot_v, tot_h movd m3, qsd SPLATD m2 SPLATD m3 - mov r4, tot_hq + mov r4d, tot_hd mov r3, dstq .loop_v: @@ -294,8 +294,9 @@ cglobal dequant_subband_32, 7, 7, 4, src, dst, stride, qf, qs, tot_v, tot_h add srcq, mmsize add dstq, mmsize - sub tot_hd, 4 + sub tot_hq, 4 jg .loop_h + lea srcq, [srcq + 4*tot_hq] add r3, strideq dec tot_vd diff --git a/libavcodec/x86/mathops.h b/libavcodec/x86/mathops.h index 6298f5ed19..ca7e2dffc1 100644 --- a/libavcodec/x86/mathops.h +++ b/libavcodec/x86/mathops.h @@ -35,12 +35,20 @@ static av_always_inline av_const int MULL(int a, int b, unsigned shift) { int rt, dummy; + if (__builtin_constant_p(shift)) __asm__ ( "imull %3 \n\t" "shrdl %4, %%edx, %%eax \n\t" :"=a"(rt), "=d"(dummy) - :"a"(a), "rm"(b), "ci"((uint8_t)shift) + :"a"(a), "rm"(b), "i"(shift & 0x1F) ); + else + __asm__ ( + "imull %3 \n\t" + "shrdl %4, %%edx, %%eax \n\t" + :"=a"(rt), "=d"(dummy) + :"a"(a), "rm"(b), "c"((uint8_t)shift) + ); return rt; } @@ -113,19 +121,31 @@ __asm__ volatile(\ // avoid +32 for shift optimization (gcc should do that ...) #define NEG_SSR32 NEG_SSR32 static inline int32_t NEG_SSR32( int32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("sarl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("sarl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; } #define NEG_USR32 NEG_USR32 static inline uint32_t NEG_USR32(uint32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("shrl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("shrl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; } diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 1ccf164847..c8f098d17c 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -614,6 +614,9 @@ static int xan_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } + if (buf_size < 9) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 922dfc0f67..6db95285ce 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -341,9 +341,6 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - if ((ret = ff_get_buffer(avctx, p, 0)) < 0) - return ret; - if (cpp <= 0 || cpp >= 5) { av_log(avctx, AV_LOG_ERROR, "unsupported/invalid number of chars per pixel: %d\n", cpp); return AVERROR_INVALIDDATA; @@ -358,16 +355,22 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - size *= 4; - - av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); - if (!x->pixels) + if (size > SIZE_MAX / 4) return AVERROR(ENOMEM); + size *= 4; + ptr += mod_strcspn(ptr, ",") + 1; if (end - ptr < 1) return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) + return ret; + + av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); + if (!x->pixels) + return AVERROR(ENOMEM); + for (i = 0; i < ncolors; i++) { const uint8_t *index; int len; diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index 93fd0f4d50..569eb4e0ce 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c @@ -57,6 +57,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, int64_t packet_time = 0; GetBitContext gb; int has_alpha = avctx->codec_tag == MKTAG('D','X','S','A'); + int64_t start_display_time, end_display_time; // check that at least header fits if (buf_size < 27 + 7 * 2 + 4 * (3 + has_alpha)) { @@ -71,8 +72,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (avpkt->pts != AV_NOPTS_VALUE) packet_time = av_rescale_q(avpkt->pts, AV_TIME_BASE_Q, (AVRational){1, 1000}); - sub->start_display_time = parse_timecode(buf + 1, packet_time); - sub->end_display_time = parse_timecode(buf + 14, packet_time); + + sub->start_display_time = start_display_time = parse_timecode(buf + 1, packet_time); + sub->end_display_time = end_display_time = parse_timecode(buf + 14, packet_time); + if (sub->start_display_time != start_display_time || + sub-> end_display_time != end_display_time) { + av_log(avctx, AV_LOG_ERROR, "time code not representable in 32bit\n"); + return -1; + } buf += 27; // read header @@ -130,7 +137,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, ((uint32_t *)sub->rects[0]->data[1])[i] |= 0xff000000; } else { for (i = 0; i < sub->rects[0]->nb_colors; i++) - ((uint32_t *)sub->rects[0]->data[1])[i] |= *buf++ << 24; + ((uint32_t *)sub->rects[0]->data[1])[i] |= (unsigned)*buf++ << 24; } #if FF_API_AVPICTURE diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index d8f3dd7072..ced8c7235a 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -56,37 +56,37 @@ static const int TAB35[] = { 26722, 25172, 22654, 19266, 15137, 10426, 5315 }; static int idct_row(short *in, const int *const tab, int rnd) { - const int c1 = tab[0]; - const int c2 = tab[1]; - const int c3 = tab[2]; - const int c4 = tab[3]; - const int c5 = tab[4]; - const int c6 = tab[5]; - const int c7 = tab[6]; + const unsigned c1 = tab[0]; + const unsigned c2 = tab[1]; + const unsigned c3 = tab[2]; + const unsigned c4 = tab[3]; + const unsigned c5 = tab[4]; + const unsigned c6 = tab[5]; + const unsigned c7 = tab[6]; const int right = in[5] | in[6] | in[7]; const int left = in[1] | in[2] | in[3]; if (!(right | in[4])) { const int k = c4 * in[0] + rnd; if (left) { - const int a0 = k + c2 * in[2]; - const int a1 = k + c6 * in[2]; - const int a2 = k - c6 * in[2]; - const int a3 = k - c2 * in[2]; + const unsigned a0 = k + c2 * in[2]; + const unsigned a1 = k + c6 * in[2]; + const unsigned a2 = k - c6 * in[2]; + const unsigned a3 = k - c2 * in[2]; const int b0 = c1 * in[1] + c3 * in[3]; const int b1 = c3 * in[1] - c7 * in[3]; const int b2 = c5 * in[1] - c1 * in[3]; const int b3 = c7 * in[1] - c5 * in[3]; - in[0] = (a0 + b0) >> ROW_SHIFT; - in[1] = (a1 + b1) >> ROW_SHIFT; - in[2] = (a2 + b2) >> ROW_SHIFT; - in[3] = (a3 + b3) >> ROW_SHIFT; - in[4] = (a3 - b3) >> ROW_SHIFT; - in[5] = (a2 - b2) >> ROW_SHIFT; - in[6] = (a1 - b1) >> ROW_SHIFT; - in[7] = (a0 - b0) >> ROW_SHIFT; + in[0] = (int)(a0 + b0) >> ROW_SHIFT; + in[1] = (int)(a1 + b1) >> ROW_SHIFT; + in[2] = (int)(a2 + b2) >> ROW_SHIFT; + in[3] = (int)(a3 + b3) >> ROW_SHIFT; + in[4] = (int)(a3 - b3) >> ROW_SHIFT; + in[5] = (int)(a2 - b2) >> ROW_SHIFT; + in[6] = (int)(a1 - b1) >> ROW_SHIFT; + in[7] = (int)(a0 - b0) >> ROW_SHIFT; } else { const int a0 = k >> ROW_SHIFT; if (a0) { @@ -102,8 +102,8 @@ static int idct_row(short *in, const int *const tab, int rnd) return 0; } } else if (!(left | right)) { - const int a0 = (rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT; - const int a1 = (rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT; + const int a0 = (int)(rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT; + const int a1 = (int)(rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT; in[0] = a0; in[3] = a0; @@ -114,25 +114,25 @@ static int idct_row(short *in, const int *const tab, int rnd) in[5] = a1; in[6] = a1; } else { - const int k = c4 * in[0] + rnd; - const int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; - const int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; - const int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; - const int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6]; + const unsigned int k = c4 * in[0] + rnd; + const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; + const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; + const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; + const unsigned int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6]; - const int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7]; - const int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7]; - const int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7]; - const int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7]; + const unsigned int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7]; + const unsigned int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7]; + const unsigned int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7]; + const unsigned int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7]; - in[0] = (a0 + b0) >> ROW_SHIFT; - in[1] = (a1 + b1) >> ROW_SHIFT; - in[2] = (a2 + b2) >> ROW_SHIFT; - in[3] = (a3 + b3) >> ROW_SHIFT; - in[4] = (a3 - b3) >> ROW_SHIFT; - in[5] = (a2 - b2) >> ROW_SHIFT; - in[6] = (a1 - b1) >> ROW_SHIFT; - in[7] = (a0 - b0) >> ROW_SHIFT; + in[0] = (int)(a0 + b0) >> ROW_SHIFT; + in[1] = (int)(a1 + b1) >> ROW_SHIFT; + in[2] = (int)(a2 + b2) >> ROW_SHIFT; + in[3] = (int)(a3 + b3) >> ROW_SHIFT; + in[4] = (int)(a3 - b3) >> ROW_SHIFT; + in[5] = (int)(a2 - b2) >> ROW_SHIFT; + in[6] = (int)(a1 - b1) >> ROW_SHIFT; + in[7] = (int)(a0 - b0) >> ROW_SHIFT; } return 1; } @@ -142,7 +142,7 @@ static int idct_row(short *in, const int *const tab, int rnd) #define TAN3 0xAB0E #define SQRT2 0x5A82 -#define MULT(c, x, n) (((c) * (x)) >> (n)) +#define MULT(c, x, n) ((unsigned)((int)((c) * (unsigned)(x)) >> (n))) // 12b version => #define MULT(c,x, n) ((((c) >> 3) * (x)) >> ((n) - 3)) // 12b zero-testing version: diff --git a/libavcodec/zmbvenc.c b/libavcodec/zmbvenc.c index 48871758e0..4d3429393e 100644 --- a/libavcodec/zmbvenc.c +++ b/libavcodec/zmbvenc.c @@ -409,7 +409,7 @@ static av_cold int encode_init(AVCodecContext *avctx) */ c->pstride = FFALIGN((avctx->width + c->lrange) * c->bypp, 16); prev_size = FFALIGN(c->lrange * c->bypp, 16) + c->pstride * (c->lrange + avctx->height + c->urange); - prev_offset = FFALIGN(c->lrange, 16) + c->pstride * c->lrange; + prev_offset = FFALIGN(c->lrange * c->bypp, 16) + c->pstride * c->lrange; if (!(c->prev_buf = av_mallocz(prev_size))) { av_log(avctx, AV_LOG_ERROR, "Can't allocate picture.\n"); return AVERROR(ENOMEM); diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index d7f5bd7069..1c1adee1ff 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -778,10 +778,10 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, goto error; } } - if (ctx->device_filter[otherDevType]) { + if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) - if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { + if (!device_filter_unique_name || strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { av_log(avctx, AV_LOG_DEBUG, "reusing previous graph capture filter... %s\n", device_filter_unique_name); IBaseFilter_Release(device_filter); device_filter = ctx->device_filter[otherDevType]; @@ -873,7 +873,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, av_log(avctx, AV_LOG_ERROR, "Could not create CaptureGraphBuilder2\n"); goto error; } - ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); + r = ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); if (r != S_OK) { av_log(avctx, AV_LOG_ERROR, "Could not set graph for CaptureGraphBuilder2\n"); goto error; diff --git a/libavdevice/dshow_filter.c b/libavdevice/dshow_filter.c index db4bff60f8..7be560ca61 100644 --- a/libavdevice/dshow_filter.c +++ b/libavdevice/dshow_filter.c @@ -146,7 +146,7 @@ libAVFilter_JoinFilterGraph(libAVFilter *this, IFilterGraph *graph, this->info.pGraph = graph; if (name) - wcscpy(this->info.achName, name); + wcscpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name); return S_OK; } diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index a9a0ed324d..7a7ba58435 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -95,10 +95,10 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#ifdef __GLIBC__ - int (*ioctl_f)(int fd, unsigned long int request, ...); -#else +#if HAVE_POSIX_IOCTL int (*ioctl_f)(int fd, int request, ...); +#else + int (*ioctl_f)(int fd, unsigned long int request, ...); #endif ssize_t (*read_f)(int fd, void *buffer, size_t n); void *(*mmap_f)(void *start, size_t length, int prot, int flags, int fd, int64_t offset); diff --git a/libavdevice/xcbgrab.c b/libavdevice/xcbgrab.c index b7e689343e..9fb9262156 100644 --- a/libavdevice/xcbgrab.c +++ b/libavdevice/xcbgrab.c @@ -636,7 +636,10 @@ static av_cold int xcbgrab_read_header(AVFormatContext *s) if (!sscanf(s->url, "%[^+]+%d,%d", display_name, &c->x, &c->y)) { *display_name = 0; - sscanf(s->url, "+%d,%d", &c->x, &c->y); + if(sscanf(s->url, "+%d,%d", &c->x, &c->y) != 2) { + if (*s->url) + av_log(s, AV_LOG_WARNING, "Ambigous URL: %s\n", s->url); + } } c->conn = xcb_connect(display_name[0] ? display_name : NULL, &screen_num); diff --git a/libavfilter/af_aderivative.c b/libavfilter/af_aderivative.c index a591515cbf..56a59d517e 100644 --- a/libavfilter/af_aderivative.c +++ b/libavfilter/af_aderivative.c @@ -150,6 +150,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) s->prev = ff_get_audio_buffer(inlink, 1); if (!s->prev) { av_frame_free(&in); + av_frame_free(&out); return AVERROR(ENOMEM); } } diff --git a/libavfilter/af_alimiter.c b/libavfilter/af_alimiter.c index c41e95576f..f941768848 100644 --- a/libavfilter/af_alimiter.c +++ b/libavfilter/af_alimiter.c @@ -176,10 +176,11 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } else { for (i = s->nextiter; i < s->nextiter + s->nextlen; i++) { int j = i % buffer_size; - double ppeak, pdelta; + double ppeak = 0, pdelta; - ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ? - fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]); + if (nextpos[j] >= 0) + ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ? + fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]); pdelta = (limit / peak - limit / ppeak) / (((buffer_size - nextpos[j] + s->pos) % buffer_size) / channels); if (pdelta < nextdelta[j]) { nextdelta[j] = pdelta; diff --git a/libavfilter/af_drmeter.c b/libavfilter/af_drmeter.c index ecccb65186..425c25ae87 100644 --- a/libavfilter/af_drmeter.c +++ b/libavfilter/af_drmeter.c @@ -167,6 +167,11 @@ static void print_stats(AVFilterContext *ctx) float chdr, secondpeak, rmssum = 0; int i, j, first = 0; + if (!p->nb_samples) { + av_log(ctx, AV_LOG_INFO, "No data, dynamic range not meassurable\n"); + return; + } + finish_block(p); for (i = 0; i <= 10000; i++) { diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 34e522c9d4..c601d5b53a 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -126,6 +126,14 @@ static av_cold int init(AVFilterContext *ctx) if (ret < 0) goto fail; + if (pan->nb_output_channels > MAX_CHANNELS) { + av_log(ctx, AV_LOG_ERROR, + "af_pan supports a maximum of %d channels. " + "Feel free to ask for a higher limit.\n", MAX_CHANNELS); + ret = AVERROR_PATCHWELCOME; + goto fail; + } + /* parse channel specifications */ while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) { int used_in_ch[MAX_CHANNELS] = {0}; @@ -178,7 +186,7 @@ static av_cold int init(AVFilterContext *ctx) sign = 1; while (1) { gain = 1; - if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) + if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1) arg += len; if (parse_channel_name(&arg, &in_ch_id, &named)){ av_log(ctx, AV_LOG_ERROR, diff --git a/libavfilter/af_stereowiden.c b/libavfilter/af_stereowiden.c index d23c8dba75..e8bb043cd5 100644 --- a/libavfilter/af_stereowiden.c +++ b/libavfilter/af_stereowiden.c @@ -74,6 +74,8 @@ static int config_input(AVFilterLink *inlink) s->length = s->delay * inlink->sample_rate / 1000; s->length *= 2; + if (s->length == 0) + return AVERROR(EINVAL); s->buffer = av_calloc(s->length, sizeof(*s->buffer)); if (!s->buffer) return AVERROR(ENOMEM); diff --git a/libavfilter/af_tremolo.c b/libavfilter/af_tremolo.c index 8cbc79892d..f55e8e2b09 100644 --- a/libavfilter/af_tremolo.c +++ b/libavfilter/af_tremolo.c @@ -28,6 +28,7 @@ typedef struct TremoloContext { double freq; double depth; double *table; + int table_size; int index; } TremoloContext; @@ -72,7 +73,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) dst += channels; src += channels; s->index++; - if (s->index >= inlink->sample_rate / s->freq) + if (s->index >= s->table_size) s->index = 0; } @@ -125,11 +126,12 @@ static int config_input(AVFilterLink *inlink) const double offset = 1. - s->depth / 2.; int i; - s->table = av_malloc_array(inlink->sample_rate / s->freq, sizeof(*s->table)); + s->table_size = inlink->sample_rate / s->freq; + s->table = av_malloc_array(s->table_size, sizeof(*s->table)); if (!s->table) return AVERROR(ENOMEM); - for (i = 0; i < inlink->sample_rate / s->freq; i++) { + for (i = 0; i < s->table_size; i++) { double env = s->freq * i / inlink->sample_rate; env = sin(2 * M_PI * fmod(env + 0.25, 1.0)); s->table[i] = env * (1 - fabs(offset)) + offset; diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c index e0ff7e4dd8..35da02990c 100644 --- a/libavfilter/buffersrc.c +++ b/libavfilter/buffersrc.c @@ -372,6 +372,11 @@ static av_cold int init_audio(AVFilterContext *ctx) if (!(s->fifo = av_fifo_alloc(sizeof(AVFrame*)))) return AVERROR(ENOMEM); + if (s->sample_rate <= 0) { + av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n"); + return AVERROR(EINVAL); + } + if (!s->time_base.num) s->time_base = (AVRational){1, s->sample_rate}; diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 272c717c77..ba0dcfbf34 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -37,6 +37,16 @@ #define STATUS_END_REACHED 1 #define STATUS_BEGIN_REACHED 2 +static void sll_free(MatchingInfo **sll) +{ + while (*sll) { + MatchingInfo *tmp = *sll; + *sll = tmp->next; + tmp->next = NULL; + av_free(tmp); + } +} + static void fill_l1distlut(uint8_t lut[]) { int i, j, tmp_i, tmp_j,count; @@ -289,6 +299,11 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont if (!c->next) av_log(ctx, AV_LOG_FATAL, "Could not allocate memory"); c = c->next; + + } + if (!c) { + sll_free(&cands); + goto error; } c->framerateratio = (i+1.0) / 30; c->score = hspace[i][j].score; @@ -305,6 +320,7 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont } } } + error: for (i = 0; i < MAX_FRAMERATE; i++) { av_freep(&hspace[i]); } @@ -437,14 +453,14 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * } if (tolerancecount > 2) { - a = aprev; - b = bprev; if (dir == DIR_NEXT) { /* turn around */ a = infos->first; b = infos->second; dir = DIR_PREV; } else { + a = aprev; + b = bprev; break; } } @@ -485,10 +501,10 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * continue; /* matching sequence is too short */ if ((double) goodfcount / (double) fcount < sc->thit) continue; - if ((double) goodfcount*0.5 < FFMAX(gooda, goodb)) + if ((double) goodfcount*0.5 <= FFMAX(gooda, goodb)) continue; - meandist = (double) goodfcount / (double) distsum; + meandist = (double) distsum / (double) goodfcount; if (meandist < minmeandist || status == STATUS_END_REACHED | STATUS_BEGIN_REACHED || @@ -520,16 +536,6 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * return bestmatch; } -static void sll_free(MatchingInfo *sll) -{ - void *tmp; - while (sll) { - tmp = sll; - sll = sll->next; - av_freep(&tmp); - } -} - static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc, StreamContext *first, StreamContext *second, int mode) { CoarseSignature *cs, *cs2; @@ -572,7 +578,7 @@ static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc "ratio %f, offset %d, score %d, %d frames matching\n", bestmatch.first->index, bestmatch.second->index, bestmatch.framerateratio, bestmatch.offset, bestmatch.score, bestmatch.matchframes); - sll_free(infos); + sll_free(&infos); } } while (find_next_coarsecandidate(sc, second->coarsesiglist, &cs, &cs2, 0) && !bestmatch.whole); return bestmatch; diff --git a/libavfilter/vf_aspect.c b/libavfilter/vf_aspect.c index c042698ef7..70e7fedc97 100644 --- a/libavfilter/vf_aspect.c +++ b/libavfilter/vf_aspect.c @@ -78,7 +78,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *frame) static inline void compute_dar(AVRational *dar, AVRational sar, int w, int h) { if (sar.num && sar.den) { - av_reduce(&dar->num, &dar->den, sar.num * w, sar.den * h, INT_MAX); + av_reduce(&dar->num, &dar->den, sar.num * (int64_t)w, sar.den * (int64_t)h, INT_MAX); } else { av_reduce(&dar->num, &dar->den, w, h, INT_MAX); } diff --git a/libavfilter/vf_avgblur.c b/libavfilter/vf_avgblur.c index c7b88427fd..8110b42aee 100644 --- a/libavfilter/vf_avgblur.c +++ b/libavfilter/vf_avgblur.c @@ -149,7 +149,7 @@ static int filter_vertically_##name(AVFilterContext *ctx, void *arg, int jobnr, \ src = s->buffer + x; \ ptr = buffer + x; \ - for (i = 0; i <= radius; i++) { \ + for (i = 0; i + radius < height && i <= radius; i++) { \ acc += src[(i + radius) * width]; \ count++; \ ptr[i * linesize] = acc / count; \ @@ -273,7 +273,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) const int width = s->planewidth[plane]; if (!(s->planes & (1 << plane))) { - if (out != in) + if (out->data[plane] != in->data[plane]) av_image_copy_plane(out->data[plane], out->linesize[plane], in->data[plane], in->linesize[plane], width * ((s->depth + 7) / 8), height); diff --git a/libavfilter/vf_bitplanenoise.c b/libavfilter/vf_bitplanenoise.c index 4ec3a22572..94aa24abec 100644 --- a/libavfilter/vf_bitplanenoise.c +++ b/libavfilter/vf_bitplanenoise.c @@ -122,7 +122,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) if (s->depth <= 8) { for (plane = 0; plane < s->nb_planes; plane++) { - const int linesize = in->linesize[plane]; + const int linesize = s->planeheight[plane] > 1 ? in->linesize[plane] : 0; const int dlinesize = out->linesize[plane]; uint8_t *val = in->data[plane]; uint8_t *dst = s->filter ? out->data[plane]: NULL; @@ -151,7 +151,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } } else { for (plane = 0; plane < s->nb_planes; plane++) { - const int linesize = in->linesize[plane] / 2; + const int linesize = s->planeheight[plane] > 1 ? in->linesize[plane] / 2 : 0; const int dlinesize = out->linesize[plane] / 2; uint16_t *val = (uint16_t *)in->data[plane]; uint16_t *dst = s->filter ? (uint16_t *)out->data[plane] : NULL; diff --git a/libavfilter/vf_bm3d.c b/libavfilter/vf_bm3d.c index 75c356728e..ef034843b3 100644 --- a/libavfilter/vf_bm3d.c +++ b/libavfilter/vf_bm3d.c @@ -275,7 +275,7 @@ static void do_block_matching_multi(BM3DContext *s, const uint8_t *src, int src_ int r_y, int r_x, int plane, int jobnr) { SliceContext *sc = &s->slices[jobnr]; - double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (s->max * s->max); + double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (double)(s->max * s->max); double distMul = 1. / MSE2SSE; double th_sse = th_mse * MSE2SSE; int i, index = sc->nb_match_blocks; diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index 37165584cf..e4b4ec79b0 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c @@ -343,13 +343,14 @@ static int config_props(AVFilterLink *link) if(yadif->mode&1) link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); - if (link->w < 3 || link->h < 3) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or lines is not supported\n"); + yadif->csp = av_pix_fmt_desc_get(link->format); + yadif->filter = filter; + + if (AV_CEIL_RSHIFT(link->w, yadif->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, yadif->csp->log2_chroma_h) < 4) { + av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or 4 lines is not supported\n"); return AVERROR(EINVAL); } - yadif->csp = av_pix_fmt_desc_get(link->format); - yadif->filter = filter; if (yadif->csp->comp[0].depth > 8) { s->filter_intra = filter_intra_16bit; s->filter_line = filter_line_c_16bit; diff --git a/libavfilter/vf_ciescope.c b/libavfilter/vf_ciescope.c index 7c0cfed061..311696817d 100644 --- a/libavfilter/vf_ciescope.c +++ b/libavfilter/vf_ciescope.c @@ -842,7 +842,8 @@ rgb_to_xy(double rc, *z = m[2][0] * rc + m[2][1] * gc + m[2][2] * bc; sum = *x + *y + *z; - + if (sum == 0) + sum = 1; *x = *x / sum; *y = *y / sum; } diff --git a/libavfilter/vf_colorspace.c b/libavfilter/vf_colorspace.c index df6efffb3d..f651070adb 100644 --- a/libavfilter/vf_colorspace.c +++ b/libavfilter/vf_colorspace.c @@ -780,6 +780,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) res = av_frame_copy_props(out, in); if (res < 0) { av_frame_free(&in); + av_frame_free(&out); return res; } @@ -839,13 +840,18 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) !s->dither_scratch_base[1][0] || !s->dither_scratch_base[1][1] || !s->dither_scratch_base[2][0] || !s->dither_scratch_base[2][1]) { uninit(ctx); + av_frame_free(&in); + av_frame_free(&out); return AVERROR(ENOMEM); } s->rgb_sz = rgb_sz; } res = create_filtergraph(ctx, in, out); - if (res < 0) + if (res < 0) { + av_frame_free(&in); + av_frame_free(&out); return res; + } s->rgb_stride = rgb_stride / sizeof(int16_t); td.in = in; td.out = out; @@ -859,8 +865,11 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) td.out_ss_h = av_pix_fmt_desc_get(out->format)->log2_chroma_h; if (s->yuv2yuv_passthrough) { res = av_frame_copy(out, in); - if (res < 0) + if (res < 0) { + av_frame_free(&in); + av_frame_free(&out); return res; + } } else { ctx->internal->execute(ctx, convert, &td, NULL, FFMIN((in->height + 1) >> 1, ff_filter_get_nb_threads(ctx))); diff --git a/libavfilter/vf_dctdnoiz.c b/libavfilter/vf_dctdnoiz.c index cdbe5f853f..3fbea473ed 100644 --- a/libavfilter/vf_dctdnoiz.c +++ b/libavfilter/vf_dctdnoiz.c @@ -563,6 +563,9 @@ static int config_input(AVFilterLink *inlink) inlink->h - s->pr_height); max_slice_h = s->pr_height / ((s->bsize - 1) * 2); + if (max_slice_h == 0) + return AVERROR(EINVAL); + s->nb_threads = FFMIN3(MAX_THREADS, ff_filter_get_nb_threads(ctx), max_slice_h); av_log(ctx, AV_LOG_DEBUG, "threads: [max=%d hmax=%d user=%d] => %d\n", MAX_THREADS, max_slice_h, ff_filter_get_nb_threads(ctx), s->nb_threads); diff --git a/libavfilter/vf_dedot.c b/libavfilter/vf_dedot.c index bb0f9e5ac8..ff2e0e3a79 100644 --- a/libavfilter/vf_dedot.c +++ b/libavfilter/vf_dedot.c @@ -312,7 +312,8 @@ static int activate(AVFilterContext *ctx) FFMIN(s->planeheight[2], ff_filter_get_nb_threads(ctx))); } - } + } else + av_frame_free(&out); } else if (!out) { ret = AVERROR(ENOMEM); } diff --git a/libavfilter/vf_edgedetect.c b/libavfilter/vf_edgedetect.c index a0ddcbbf5c..25ae6dfacc 100644 --- a/libavfilter/vf_edgedetect.c +++ b/libavfilter/vf_edgedetect.c @@ -150,10 +150,12 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, int i, j; memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; + if (h > 1) + memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; for (j = 2; j < h - 2; j++) { dst[0] = src[0]; - dst[1] = src[1]; + if (w > 1) + dst[1] = src[1]; for (i = 2; i < w - 2; i++) { /* Gaussian mask of size 5x5 with sigma = 1.4 */ dst[i] = ((src[-2*src_linesize + i-2] + src[2*src_linesize + i-2]) * 2 @@ -174,14 +176,18 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, + src[i+1] * 12 + src[i+2] * 5) / 159; } - dst[i ] = src[i ]; - dst[i + 1] = src[i + 1]; + if (w > 2) + dst[i ] = src[i ]; + if (w > 3) + dst[i + 1] = src[i + 1]; dst += dst_linesize; src += src_linesize; } - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - memcpy(dst, src, w); + if (h > 2) + memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; + if (h > 3) + memcpy(dst, src, w); } enum { diff --git a/libavfilter/vf_fieldmatch.c b/libavfilter/vf_fieldmatch.c index 5a73eb43b8..8d1e68b85f 100644 --- a/libavfilter/vf_fieldmatch.c +++ b/libavfilter/vf_fieldmatch.c @@ -938,7 +938,7 @@ static int config_input(AVFilterLink *inlink) fm->tpitchy = FFALIGN(w, 16); fm->tpitchuv = FFALIGN(w >> 1, 16); - fm->tbuffer = av_malloc(h/2 * fm->tpitchy); + fm->tbuffer = av_calloc((h/2 + 4) * fm->tpitchy, sizeof(*fm->tbuffer)); fm->c_array = av_malloc((((w + fm->blockx/2)/fm->blockx)+1) * (((h + fm->blocky/2)/fm->blocky)+1) * 4 * sizeof(*fm->c_array)); diff --git a/libavfilter/vf_fieldorder.c b/libavfilter/vf_fieldorder.c index ca55ff1f66..5707151f1b 100644 --- a/libavfilter/vf_fieldorder.c +++ b/libavfilter/vf_fieldorder.c @@ -108,8 +108,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) s->dst_tff ? "up" : "down"); h = frame->height; for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) { - dst_line_step = out->linesize[plane]; - src_line_step = frame->linesize[plane]; + dst_line_step = out->linesize[plane] * (h > 2); + src_line_step = frame->linesize[plane] * (h > 2); line_size = s->line_size[plane]; dst = out->data[plane]; src = frame->data[plane]; diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c index d7e6579af7..706e59cefe 100644 --- a/libavfilter/vf_find_rect.c +++ b/libavfilter/vf_find_rect.c @@ -22,7 +22,6 @@ * @todo switch to dualinput */ -#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/opt.h" #include "internal.h" @@ -159,7 +158,7 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax, if (pass + 1 <= maxpass) { int sub_x, sub_y; - search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 1.0); + search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 2.0); xmin = FFMAX(xmin, 2*sub_x - 4); xmax = FFMIN(xmax, 2*sub_x + 4); ymin = FFMAX(ymin, 2*sub_y - 4); @@ -169,7 +168,6 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax, for (y = ymin; y <= ymax; y++) { for (x = xmin; x <= xmax; x++) { float score = compare(foc->haystack_frame[pass], foc->needle_frame[pass], x, y); - av_assert0(score != 0); if (score < best_score) { best_score = score; *best_x = x; @@ -198,7 +196,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) FFMIN(foc->xmax, foc->last_x + 8), FFMAX(foc->ymin, foc->last_y - 8), FFMIN(foc->ymax, foc->last_y + 8), - &best_x, &best_y, 1.0); + &best_x, &best_y, 2.0); best_score = search(foc, 0, foc->mipmaps - 1, foc->xmin, foc->xmax, foc->ymin, foc->ymax, &best_x, &best_y, best_score); diff --git a/libavfilter/vf_frei0r.c b/libavfilter/vf_frei0r.c index 5d38405999..8595324ec5 100644 --- a/libavfilter/vf_frei0r.c +++ b/libavfilter/vf_frei0r.c @@ -353,15 +353,21 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) { Frei0rContext *s = inlink->dst->priv; AVFilterLink *outlink = inlink->dst->outputs[0]; - AVFrame *out; + AVFrame *out = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!out) + goto fail; - out = ff_get_video_buffer(outlink, outlink->w, outlink->h); - if (!out) { - av_frame_free(&in); - return AVERROR(ENOMEM); - } av_frame_copy_props(out, in); + if (in->linesize[0] != out->linesize[0]) { + AVFrame *in2 = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!in2) + goto fail; + av_frame_copy(in2, in); + av_frame_free(&in); + in = in2; + } + s->update(s->instance, in->pts * av_q2d(inlink->time_base) * 1000, (const uint32_t *)in->data[0], (uint32_t *)out->data[0]); @@ -369,6 +375,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) av_frame_free(&in); return ff_filter_frame(outlink, out); +fail: + av_frame_free(&in); + av_frame_free(&out); + return AVERROR(ENOMEM); } #define OFFSET(x) offsetof(Frei0rContext, x) @@ -451,7 +461,7 @@ static int source_config_props(AVFilterLink *outlink) static int source_request_frame(AVFilterLink *outlink) { Frei0rContext *s = outlink->src->priv; - AVFrame *frame = ff_get_video_buffer(outlink, outlink->w, outlink->h); + AVFrame *frame = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); if (!frame) return AVERROR(ENOMEM); diff --git a/libavfilter/vf_gblur.c b/libavfilter/vf_gblur.c index e71b33da80..f0d861852f 100644 --- a/libavfilter/vf_gblur.c +++ b/libavfilter/vf_gblur.c @@ -236,7 +236,7 @@ static int config_input(AVFilterLink *inlink) s->nb_planes = av_pix_fmt_count_planes(inlink->format); - s->buffer = av_malloc_array(inlink->w, inlink->h * sizeof(*s->buffer)); + s->buffer = av_malloc_array(FFALIGN(inlink->w, 16), FFALIGN(inlink->h, 16) * sizeof(*s->buffer)); if (!s->buffer) return AVERROR(ENOMEM); diff --git a/libavfilter/vf_geq.c b/libavfilter/vf_geq.c index 91eb9685f9..8b1c7726dc 100644 --- a/libavfilter/vf_geq.c +++ b/libavfilter/vf_geq.c @@ -88,8 +88,8 @@ static inline double getpix(void *priv, double x, double y, int plane) if (!src) return 0; - xi = x = av_clipf(x, 0, w - 2); - yi = y = av_clipf(y, 0, h - 2); + xi = x = av_clipd(x, 0, w - 2); + yi = y = av_clipd(y, 0, h - 2); x -= xi; y -= yi; diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c index f63128d72e..da4c01a546 100644 --- a/libavfilter/vf_gradfun.c +++ b/libavfilter/vf_gradfun.c @@ -92,7 +92,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, const uint8_t *src, int wi for (y = 0; y < r; y++) ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2); for (;;) { - if (y < height - r) { + if (y + 1 < height - r) { int mod = ((y + r) / 2) % r; uint16_t *buf0 = buf + mod * bstride; uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride; diff --git a/libavfilter/vf_hqx.c b/libavfilter/vf_hqx.c index 16a1be7bd4..4f768c7a13 100644 --- a/libavfilter/vf_hqx.c +++ b/libavfilter/vf_hqx.c @@ -523,7 +523,7 @@ static av_cold int init(AVFilterContext *ctx) int startg = FFMAX3(-bg, -rg, 0); int endg = FFMIN3(255-bg, 255-rg, 255); uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000); - c = bg + (rg<<16) + 0x010101 * startg; + c = bg + rg * (1 << 16) + 0x010101 * startg; for (g = startg; g <= endg; g++) { hqx->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v; c+= 0x010101; diff --git a/libavfilter/vf_lenscorrection.c b/libavfilter/vf_lenscorrection.c index 239fe195bd..754b8f5ada 100644 --- a/libavfilter/vf_lenscorrection.c +++ b/libavfilter/vf_lenscorrection.c @@ -36,8 +36,8 @@ typedef struct LenscorrectionCtx { const AVClass *av_class; - unsigned int width; - unsigned int height; + int width; + int height; int hsub, vsub; int nb_planes; double cx, cy, k1, k2; @@ -155,10 +155,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) for (plane = 0; plane < rect->nb_planes; ++plane) { int hsub = plane == 1 || plane == 2 ? rect->hsub : 0; int vsub = plane == 1 || plane == 2 ? rect->vsub : 0; - int hdiv = 1 << hsub; - int vdiv = 1 << vsub; - int w = rect->width / hdiv; - int h = rect->height / vdiv; + int w = AV_CEIL_RSHIFT(rect->width, hsub); + int h = AV_CEIL_RSHIFT(rect->height, vsub); int xcenter = rect->cx * w; int ycenter = rect->cy * h; int k1 = rect->k1 * (1<<24); diff --git a/libavfilter/vf_lut3d.c b/libavfilter/vf_lut3d.c index a525039baa..2462a3eed0 100644 --- a/libavfilter/vf_lut3d.c +++ b/libavfilter/vf_lut3d.c @@ -412,7 +412,8 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; @@ -1233,12 +1234,14 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; } else if (!strncmp(line, "LUT_1D_INPUT_RANGE ", 19)) { - av_sscanf(line + 19, "%f %f", min, max); + if (av_sscanf(line + 19, "%f %f", min, max) != 2) + return AVERROR_INVALIDDATA; min[1] = min[2] = min[0]; max[1] = max[2] = max[0]; goto try_again; diff --git a/libavfilter/vf_mestimate.c b/libavfilter/vf_mestimate.c index 7ecfe7da60..9a2865a0cb 100644 --- a/libavfilter/vf_mestimate.c +++ b/libavfilter/vf_mestimate.c @@ -100,6 +100,9 @@ static int config_input(AVFilterLink *inlink) s->b_height = inlink->h >> s->log2_mb_size; s->b_count = s->b_width * s->b_height; + if (s->b_count == 0) + return AVERROR(EINVAL); + for (i = 0; i < 3; i++) { s->mv_table[i] = av_mallocz_array(s->b_count, sizeof(*s->mv_table[0])); if (!s->mv_table[i]) diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index b0bb238ade..26f912bc46 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c @@ -1086,8 +1086,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out) pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den, (int64_t) outlink->time_base.den * inlink->time_base.num); - alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); - alpha = av_clip(alpha, 0, ALPHA_MAX); + if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) { + alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); + alpha = av_clip(alpha, 0, ALPHA_MAX); + } else { + av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n"); + alpha = 0; + } if (alpha == 0 || alpha == ALPHA_MAX) { av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf); diff --git a/libavfilter/vf_neighbor.c b/libavfilter/vf_neighbor.c index e50d4b4ed0..47c6175a12 100644 --- a/libavfilter/vf_neighbor.c +++ b/libavfilter/vf_neighbor.c @@ -296,9 +296,11 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) src + (width - 2) * bpc, src + (width - 2) * bpc, src + (width - 2) * bpc + ph * stride, src + (width - 1) * bpc + ph * stride, src + (width - 2) * bpc + ph * stride}; - s->filter(dst, src, 1, threshold, coordinateslb, s->coordinates, s->max); - s->filter(dst + 1 * bpc, src + 1 * bpc, width - 2, threshold, coordinates, s->coordinates, s->max); - s->filter(dst + (width - 1) * bpc, src + (width - 1) * bpc, 1, threshold, coordinatesrb, s->coordinates, s->max); + s->filter(dst, src, 1, threshold, coordinateslb, s->coordinates, s->max); + if (width > 1) { + s->filter(dst + 1 * bpc, src + 1 * bpc, width - 2, threshold, coordinates, s->coordinates, s->max); + s->filter(dst + (width - 1) * bpc, src + (width - 1) * bpc, 1, threshold, coordinatesrb, s->coordinates, s->max); + } src += stride; dst += dstride; diff --git a/libavfilter/vf_paletteuse.c b/libavfilter/vf_paletteuse.c index ed128813d6..255c9d79e3 100644 --- a/libavfilter/vf_paletteuse.c +++ b/libavfilter/vf_paletteuse.c @@ -903,7 +903,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) AVFrame *out = ff_get_video_buffer(outlink, outlink->w, outlink->h); if (!out) { - av_frame_free(&in); *outf = NULL; return AVERROR(ENOMEM); } @@ -916,7 +915,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) if (av_frame_ref(s->last_in, in) < 0 || av_frame_ref(s->last_out, out) < 0 || av_frame_make_writable(s->last_in) < 0) { - av_frame_free(&in); av_frame_free(&out); *outf = NULL; return AVERROR(ENOMEM); @@ -934,7 +932,6 @@ static int apply_palette(AVFilterLink *inlink, AVFrame *in, AVFrame **outf) memcpy(out->data[1], s->palette, AVPALETTE_SIZE); if (s->calc_mean_err) debug_mean_error(s, in, out, inlink->frame_count_out); - av_frame_free(&in); *outf = out; return 0; } @@ -1023,20 +1020,17 @@ static int load_apply_palette(FFFrameSync *fs) if (ret < 0) return ret; if (!master || !second) { - ret = AVERROR_BUG; - goto error; + av_frame_free(&master); + return AVERROR_BUG; } if (!s->palette_loaded) { load_palette(s, second); } ret = apply_palette(inlink, master, &out); - if (ret < 0) - goto error; - return ff_filter_frame(ctx->outputs[0], out); - -error: av_frame_free(&master); - return ret; + if (ret < 0) + return ret; + return ff_filter_frame(ctx->outputs[0], out); } #define DEFINE_SET_FRAME(color_search, name, value) \ diff --git a/libavfilter/vf_random.c b/libavfilter/vf_random.c index 373a7db053..c7c9ff09c0 100644 --- a/libavfilter/vf_random.c +++ b/libavfilter/vf_random.c @@ -108,6 +108,14 @@ static int request_frame(AVFilterLink *outlink) return ret; } +static av_cold void uninit(AVFilterContext *ctx) +{ + RandomContext *s = ctx->priv; + + for (int i = 0; i < s->nb_frames; i++) + av_frame_free(&s->frames[i]); +} + static const AVFilterPad random_inputs[] = { { .name = "default", @@ -132,6 +140,7 @@ AVFilter ff_vf_random = { .priv_size = sizeof(RandomContext), .priv_class = &random_class, .init = init, + .uninit = uninit, .inputs = random_inputs, .outputs = random_outputs, }; diff --git a/libavfilter/vf_rotate.c b/libavfilter/vf_rotate.c index 371ff7f722..61a331f53a 100644 --- a/libavfilter/vf_rotate.c +++ b/libavfilter/vf_rotate.c @@ -295,7 +295,9 @@ static int config_props(AVFilterLink *outlink) double res; char *expr; - ff_draw_init(&rot->draw, inlink->format, 0); + ret = ff_draw_init(&rot->draw, inlink->format, 0); + if (ret < 0) + return ret; ff_draw_color(&rot->draw, &rot->color, rot->fillcolor); rot->hsub = pixdesc->log2_chroma_w; diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 7aebf56ad8..42485b281a 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -388,8 +388,8 @@ static int scale_slice(AVFilterLink *link, AVFrame *out_buf, AVFrame *cur_pic, s int vsub= ((i+1)&2) ? scale->vsub : 0; in_stride[i] = cur_pic->linesize[i] * mul; out_stride[i] = out_buf->linesize[i] * mul; - in[i] = cur_pic->data[i] + ((y>>vsub)+field) * cur_pic->linesize[i]; - out[i] = out_buf->data[i] + field * out_buf->linesize[i]; + in[i] = FF_PTR_ADD(cur_pic->data[i], ((y>>vsub)+field) * cur_pic->linesize[i]); + out[i] = FF_PTR_ADD(out_buf->data[i], field * out_buf->linesize[i]); } if(scale->input_is_pal) in[1] = cur_pic->data[1]; diff --git a/libavfilter/vf_scale_npp.c b/libavfilter/vf_scale_npp.c index a3e085764a..f363853432 100644 --- a/libavfilter/vf_scale_npp.c +++ b/libavfilter/vf_scale_npp.c @@ -475,13 +475,16 @@ static int nppscale_scale(AVFilterContext *ctx, AVFrame *out, AVFrame *in) src = s->stages[i].frame; last_stage = i; } - if (last_stage < 0) return AVERROR_BUG; + ret = av_hwframe_get_buffer(src->hw_frames_ctx, s->tmp_frame, 0); if (ret < 0) return ret; + s->tmp_frame->width = src->width; + s->tmp_frame->height = src->height; + av_frame_move_ref(out, src); av_frame_move_ref(src, s->tmp_frame); diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c index f6f8f49778..37a2de3ad7 100644 --- a/libavfilter/vf_showinfo.c +++ b/libavfilter/vf_showinfo.c @@ -226,12 +226,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) av_log(ctx, AV_LOG_INFO, " %08"PRIX32, plane_checksum[plane]); av_log(ctx, AV_LOG_INFO, "] mean:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%"PRId64" ", (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); - av_log(ctx, AV_LOG_INFO, "\b] stdev:["); + av_log(ctx, AV_LOG_INFO, "%s%"PRId64, + plane ? " ":"", + (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); + av_log(ctx, AV_LOG_INFO, "] stdev:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%3.1f ", + av_log(ctx, AV_LOG_INFO, "%s%3.1f", + plane ? " ":"", sqrt((sum2[plane] - sum[plane]*(double)sum[plane]/pixelcount[plane])/pixelcount[plane])); - av_log(ctx, AV_LOG_INFO, "\b]"); + av_log(ctx, AV_LOG_INFO, "]"); } av_log(ctx, AV_LOG_INFO, "\n"); diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index d07b213f31..81b0f6c3a7 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -223,7 +223,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) dw1 = inlink->w / 32; if (inlink->w % 32) dw2 = dw1 + 1; - denom = (sc->divide) ? dh1 * dh2 * dw1 * dw2 : 1; + denom = (sc->divide) ? dh1 * (int64_t)dh2 * dw1 * dw2 : 1; for (i = 0; i < 32; i++) { rowcount = 0; @@ -249,7 +249,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) } } - denom = (sc->divide) ? 1 : dh1 * dh2 * dw1 * dw2; + denom = (sc->divide) ? 1 : dh1 * (int64_t)dh2 * dw1 * dw2; for (i = 0; i < ELEMENT_COUNT; i++) { const ElemCat* elemcat = elements[i]; @@ -390,6 +390,9 @@ static int xml_export(AVFilterContext *ctx, StreamContext *sc, const char* filen FILE* f; unsigned int pot3[5] = { 3*3*3*3, 3*3*3, 3*3, 3, 1 }; + if (!sc->coarseend->last) + return AVERROR(EINVAL); // No frames ? + f = fopen(filename, "w"); if (!f) { int err = AVERROR(EINVAL); diff --git a/libavfilter/vf_subtitles.c b/libavfilter/vf_subtitles.c index a7b02461f2..2f0608ad90 100644 --- a/libavfilter/vf_subtitles.c +++ b/libavfilter/vf_subtitles.c @@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink) ff_draw_init(&ass->draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0); ass_set_frame_size (ass->renderer, inlink->w, inlink->h); - if (ass->original_w && ass->original_h) + if (ass->original_w && ass->original_h) { ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h, (double)ass->original_w / ass->original_h); +#if LIBASS_VERSION > 0x01010000 + ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h); + } else { + ass_set_storage_size(ass->renderer, inlink->w, inlink->h); +#endif + } + if (ass->shaping != -1) ass_set_shaper(ass->renderer, ass->shaping); diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index f1fab1e36d..9a691a7bec 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/eval.h" #include "libavutil/imgutils.h" @@ -146,10 +147,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) w = dw; h = dh; x1[0] = dx1; y1[0] = dy1; x2[0] = dx2; y2[0] = dy2; x1[0] = av_clip(x1[0], 0, inlink->w - 1); - y1[0] = av_clip(y1[0], 0, inlink->w - 1); + y1[0] = av_clip(y1[0], 0, inlink->h - 1); x2[0] = av_clip(x2[0], 0, inlink->w - 1); - y2[0] = av_clip(y2[0], 0, inlink->w - 1); + y2[0] = av_clip(y2[0], 0, inlink->h - 1); ah[1] = ah[2] = AV_CEIL_RSHIFT(h, s->desc->log2_chroma_h); ah[0] = ah[3] = h; @@ -169,16 +170,20 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) lw[1] = lw[2] = AV_CEIL_RSHIFT(inlink->w, s->desc->log2_chroma_w); lw[0] = lw[3] = inlink->w; - x1[1] = x1[2] = AV_CEIL_RSHIFT(x1[0], s->desc->log2_chroma_w); + x1[1] = x1[2] = (x1[0] >> s->desc->log2_chroma_w); x1[0] = x1[3] = x1[0]; - y1[1] = y1[2] = AV_CEIL_RSHIFT(y1[0], s->desc->log2_chroma_h); + y1[1] = y1[2] = (y1[0] >> s->desc->log2_chroma_h); y1[0] = y1[3] = y1[0]; - x2[1] = x2[2] = AV_CEIL_RSHIFT(x2[0], s->desc->log2_chroma_w); + x2[1] = x2[2] = (x2[0] >> s->desc->log2_chroma_w); x2[0] = x2[3] = x2[0]; - y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); + y2[1] = y2[2] = (y2[0] >> s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; + + av_assert0(FFMAX(x1[1], x2[1]) + pw[1] <= lw[1]); + av_assert0(FFMAX(y1[1], y2[1]) + ph[1] <= lh[1]); + for (p = 0; p < s->nb_planes; p++) { if (ph[p] == ah[p] && pw[p] == aw[p]) { uint8_t *src = in->data[p] + y1[p] * in->linesize[p] + x1[p] * s->pixsteps[p]; diff --git a/libavfilter/vf_thumbnail_cuda.c b/libavfilter/vf_thumbnail_cuda.c index 0c06815643..de61afd1f5 100644 --- a/libavfilter/vf_thumbnail_cuda.c +++ b/libavfilter/vf_thumbnail_cuda.c @@ -288,7 +288,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) hist[i] = 4 * hist[i]; } - CHECK_CU(cu->cuCtxPopCurrent(&dummy)); + ret = CHECK_CU(cu->cuCtxPopCurrent(&dummy)); if (ret < 0) return ret; diff --git a/libavfilter/vf_thumbnail_cuda.cu b/libavfilter/vf_thumbnail_cuda.cu index c73e49fbc6..d4d4d791f6 100644 --- a/libavfilter/vf_thumbnail_cuda.cu +++ b/libavfilter/vf_thumbnail_cuda.cu @@ -71,7 +71,7 @@ __global__ void Thumbnail_ushort2(cudaTextureObject_t ushort2_tex, { ushort2 pixel = tex2D(ushort2_tex, x, y); atomicAdd(&histogram[(pixel.x + 128) >> 8], 1); - atomicAdd(&histogram[256 + (pixel.y + 128) >> 8], 1); + atomicAdd(&histogram[256 + ((pixel.y + 128) >> 8)], 1); } } diff --git a/libavfilter/vf_tonemap_opencl.c b/libavfilter/vf_tonemap_opencl.c index 315ead49d4..5225e181d3 100644 --- a/libavfilter/vf_tonemap_opencl.c +++ b/libavfilter/vf_tonemap_opencl.c @@ -345,8 +345,7 @@ static int tonemap_opencl_filter_frame(AVFilterLink *inlink, AVFrame *input) int err; double peak = ctx->peak; - AVHWFramesContext *input_frames_ctx = - (AVHWFramesContext*)input->hw_frames_ctx->data; + AVHWFramesContext *input_frames_ctx; av_log(ctx, AV_LOG_DEBUG, "Filter input: %s, %ux%u (%"PRId64").\n", av_get_pix_fmt_name(input->format), @@ -354,6 +353,7 @@ static int tonemap_opencl_filter_frame(AVFilterLink *inlink, AVFrame *input) if (!input->hw_frames_ctx) return AVERROR(EINVAL); + input_frames_ctx = (AVHWFramesContext*)input->hw_frames_ctx->data; output = ff_get_video_buffer(outlink, outlink->w, outlink->h); if (!output) { diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c index af05833a5d..7481ac05e8 100644 --- a/libavfilter/vf_unsharp.c +++ b/libavfilter/vf_unsharp.c @@ -218,7 +218,7 @@ static int init_filter_param(AVFilterContext *ctx, UnsharpFilterParam *fp, const effect, effect_type, fp->msize_x, fp->msize_y, fp->amount / 65535.0); fp->sr = av_malloc_array((MAX_MATRIX_SIZE - 1) * s->nb_threads, sizeof(uint32_t)); - fp->sc = av_malloc_array(2 * fp->steps_y * s->nb_threads, sizeof(uint32_t **)); + fp->sc = av_mallocz_array(2 * fp->steps_y * s->nb_threads, sizeof(uint32_t *)); if (!fp->sr || !fp->sc) return AVERROR(ENOMEM); @@ -258,9 +258,11 @@ static void free_filter_param(UnsharpFilterParam *fp, int nb_threads) { int z; - for (z = 0; z < 2 * fp->steps_y * nb_threads; z++) - av_freep(&fp->sc[z]); - av_freep(&fp->sc); + if (fp->sc) { + for (z = 0; z < 2 * fp->steps_y * nb_threads; z++) + av_freep(&fp->sc[z]); + av_freep(&fp->sc); + } av_freep(&fp->sr); } diff --git a/libavfilter/vf_vidstabdetect.c b/libavfilter/vf_vidstabdetect.c index fd7ff3be24..7b4ba3df17 100644 --- a/libavfilter/vf_vidstabdetect.c +++ b/libavfilter/vf_vidstabdetect.c @@ -176,7 +176,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } if (vsMotionDetection(md, &localmotions, &frame) != VS_OK) { av_log(ctx, AV_LOG_ERROR, "motion detection failed"); - return AVERROR(AVERROR_EXTERNAL); + return AVERROR_EXTERNAL; } else { if (vsWriteToFile(md, s->f, &localmotions) != VS_OK) { int ret = AVERROR(errno); diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c index 5c2a974538..909d234b34 100644 --- a/libavfilter/vf_vmafmotion.c +++ b/libavfilter/vf_vmafmotion.c @@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, int i; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + if (w < 3 || h < 3) + return AVERROR(EINVAL); + s->width = w; s->height = h; s->stride = FFALIGN(w * sizeof(uint16_t), 32); diff --git a/libavfilter/vf_w3fdif.c b/libavfilter/vf_w3fdif.c index c6a6550778..b84052e8c7 100644 --- a/libavfilter/vf_w3fdif.c +++ b/libavfilter/vf_w3fdif.c @@ -274,6 +274,11 @@ static int config_input(AVFilterLink *inlink) s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); s->planeheight[0] = s->planeheight[3] = inlink->h; + if (inlink->h < 3) { + av_log(ctx, AV_LOG_ERROR, "Video of less than 3 lines is not supported\n"); + return AVERROR(EINVAL); + } + s->nb_planes = av_pix_fmt_count_planes(inlink->format); s->nb_threads = ff_filter_get_nb_threads(ctx); s->work_line = av_calloc(s->nb_threads, sizeof(*s->work_line)); diff --git a/libavfilter/vf_weave.c b/libavfilter/vf_weave.c index 663d79f511..11f5c6e2d5 100644 --- a/libavfilter/vf_weave.c +++ b/libavfilter/vf_weave.c @@ -30,6 +30,7 @@ typedef struct WeaveContext { int double_weave; int nb_planes; int planeheight[4]; + int outheight[4]; int linesize[4]; AVFrame *prev; @@ -72,6 +73,9 @@ static int config_props_output(AVFilterLink *outlink) s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); s->planeheight[0] = s->planeheight[3] = inlink->h; + s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h); + s->outheight[0] = s->outheight[3] = 2*inlink->h; + s->nb_planes = av_pix_fmt_count_planes(inlink->format); return 0; @@ -104,14 +108,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) field1 = weave ? s->first_field : (!s->first_field); field2 = weave ? (!s->first_field) : s->first_field; for (i = 0; i < s->nb_planes; i++) { + const int compensation = 2*s->planeheight[i] > s->outheight[i]; av_image_copy_plane(out->data[i] + out->linesize[i] * field1, out->linesize[i] * 2, in->data[i], in->linesize[i], - s->linesize[i], s->planeheight[i]); + s->linesize[i], s->planeheight[i] - compensation * field1); av_image_copy_plane(out->data[i] + out->linesize[i] * field2, out->linesize[i] * 2, s->prev->data[i], s->prev->linesize[i], - s->linesize[i], s->planeheight[i]); + s->linesize[i], s->planeheight[i] - compensation * field2); } out->pts = s->double_weave ? s->prev->pts : in->pts / 2; diff --git a/libavfilter/vf_xbr.c b/libavfilter/vf_xbr.c index 2c71871d22..87810c88f1 100644 --- a/libavfilter/vf_xbr.c +++ b/libavfilter/vf_xbr.c @@ -395,7 +395,7 @@ static int init(AVFilterContext *ctx) int startg = FFMAX3(-bg, -rg, 0); int endg = FFMIN3(255-bg, 255-rg, 255); uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000); - c = bg + (rg<<16) + 0x010101 * startg; + c = bg + rg * (1 << 16) + 0x010101 * startg; for (g = startg; g <= endg; g++) { s->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v; c+= 0x010101; diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c index 3107924932..a3f0c1a97f 100644 --- a/libavfilter/vf_yadif.c +++ b/libavfilter/vf_yadif.c @@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, uint8_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN - 1; + int offset = FFMAX(w - edge, 3); /* Only edge pixels need to be processed here. A constant value of false * for is_not_edge should let the compiler ignore the whole branch. */ - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint8_t*)dst1 + w - edge; - prev = (uint8_t*)prev1 + w - edge; - cur = (uint8_t*)cur1 + w - edge; - next = (uint8_t*)next1 + w - edge; + dst = (uint8_t*)dst1 + offset; + prev = (uint8_t*)prev1 + offset; + cur = (uint8_t*)cur1 + offset; + next = (uint8_t*)next1 + offset; prev2 = (uint8_t*)(parity ? prev : cur); next2 = (uint8_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } @@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, uint16_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN / 2 - 1; + int offset = FFMAX(w - edge, 3); mrefs /= 2; prefs /= 2; - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint16_t*)dst1 + w - edge; - prev = (uint16_t*)prev1 + w - edge; - cur = (uint16_t*)cur1 + w - edge; - next = (uint16_t*)next1 + w - edge; + dst = (uint16_t*)dst1 + offset; + prev = (uint16_t*)prev1 + offset; + cur = (uint16_t*)cur1 + offset; + next = (uint16_t*)next1 + offset; prev2 = (uint16_t*)(parity ? prev : cur); next2 = (uint16_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) diff --git a/libavfilter/video.c b/libavfilter/video.c index 7a8e587798..b049804419 100644 --- a/libavfilter/video.c +++ b/libavfilter/video.c @@ -41,7 +41,7 @@ AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h) return ff_get_video_buffer(link->dst->outputs[0], w, h); } -AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align) { AVFrame *frame = NULL; int pool_width = 0; @@ -96,6 +96,11 @@ AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) return frame; } +AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +{ + return ff_default_get_video_buffer2(link, w, h, av_cpu_max_align()); +} + AVFrame *ff_get_video_buffer(AVFilterLink *link, int w, int h) { AVFrame *ret = NULL; diff --git a/libavfilter/video.h b/libavfilter/video.h index 56c58d6766..f9174a4a0b 100644 --- a/libavfilter/video.h +++ b/libavfilter/video.h @@ -24,6 +24,7 @@ #include "avfilter.h" AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h); +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align); AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h); /** diff --git a/libavfilter/vsrc_mandelbrot.c b/libavfilter/vsrc_mandelbrot.c index 6ad108151f..11650e36f7 100644 --- a/libavfilter/vsrc_mandelbrot.c +++ b/libavfilter/vsrc_mandelbrot.c @@ -134,6 +134,9 @@ static av_cold int init(AVFilterContext *ctx) s-> next_cache= av_malloc_array(s->cache_allocated, sizeof(*s-> next_cache)); s-> zyklus = av_malloc_array(s->maxiter + 16, sizeof(*s->zyklus)); + if (!s->point_cache || !s->next_cache || !s->zyklus) + return AVERROR(ENOMEM); + return 0; } diff --git a/libavfilter/x86/vf_gblur.asm b/libavfilter/x86/vf_gblur.asm index 762c953c85..a25b1659f5 100644 --- a/libavfilter/x86/vf_gblur.asm +++ b/libavfilter/x86/vf_gblur.asm @@ -100,7 +100,7 @@ cglobal horiz_slice, 4, 9, 9, ptr, width, height, steps, nu, bscale, x, y, step, add widthq, remainq cmp xq, widthq - je .end_scalar + jge .end_scalar .loop_scalar: ; ptr[x] += nu * ptr[x-1] @@ -148,7 +148,7 @@ cglobal horiz_slice, 4, 9, 9, ptr, width, height, steps, nu, bscale, x, y, step, jg .loop_x_back cmp xq, 0 - je .end_scalar_back + jle .end_scalar_back .loop_scalar_back: ; ptr[x-1] += nu * ptr[x] diff --git a/libavformat/3dostr.c b/libavformat/3dostr.c index 6c49f7589c..e77df9e5c9 100644 --- a/libavformat/3dostr.c +++ b/libavformat/3dostr.c @@ -64,7 +64,7 @@ static int threedostr_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->sample_rate = avio_rb32(s->pb); st->codecpar->channels = avio_rb32(s->pb); - if (st->codecpar->channels <= 0) + if (st->codecpar->channels <= 0 || st->codecpar->sample_rate <= 0) return AVERROR_INVALIDDATA; codec = avio_rl32(s->pb); avio_skip(s->pb, 4); diff --git a/libavformat/4xm.c b/libavformat/4xm.c index a984fc9fdf..e3a3432428 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -59,8 +59,10 @@ #define GET_LIST_HEADER() \ fourcc_tag = avio_rl32(pb); \ size = avio_rl32(pb); \ - if (fourcc_tag != LIST_TAG) \ - return AVERROR_INVALIDDATA; \ + if (fourcc_tag != LIST_TAG) { \ + ret = AVERROR_INVALIDDATA; \ + goto fail; \ + } \ fourcc_tag = avio_rl32(pb); typedef struct AudioTrack { @@ -135,7 +137,8 @@ static int parse_strk(AVFormatContext *s, return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); - if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { + if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 || + track >= s->max_streams) { av_log(s, AV_LOG_ERROR, "current_track too large\n"); return AVERROR_INVALIDDATA; } @@ -146,6 +149,9 @@ static int parse_strk(AVFormatContext *s, memset(&fourxm->tracks[fourxm->track_count], 0, sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); fourxm->track_count = track + 1; + } else { + if (fourxm->tracks[track].bits) + return AVERROR_INVALIDDATA; } fourxm->tracks[track].adpcm = AV_RL32(buf + 12); fourxm->tracks[track].channels = AV_RL32(buf + 36); @@ -210,12 +216,13 @@ static int fourxm_read_header(AVFormatContext *s) unsigned int size; int header_size; FourxmDemuxContext *fourxm = s->priv_data; - unsigned char *header; + unsigned char *header = NULL; int i, ret; fourxm->track_count = 0; fourxm->tracks = NULL; fourxm->fps = (AVRational){1,1}; + fourxm->video_stream_index = -1; /* skip the first 3 32-bit numbers */ avio_skip(pb, 12); @@ -295,7 +302,7 @@ static int fourxm_read_packet(AVFormatContext *s, unsigned int track_number; int packet_read = 0; unsigned char header[8]; - int audio_frame_count; + int64_t audio_frame_count; while (!packet_read) { if ((ret = avio_read(s->pb, header, 8)) < 0) @@ -321,6 +328,8 @@ static int fourxm_read_packet(AVFormatContext *s, case cfr2_TAG: /* allocate 8 more bytes than 'size' to account for fourcc * and size */ + if (fourxm->video_stream_index < 0) + return AVERROR_INVALIDDATA; if (size + 8 < size || av_new_packet(pkt, size + 8)) return AVERROR(EIO); pkt->stream_index = fourxm->video_stream_index; diff --git a/libavformat/aadec.c b/libavformat/aadec.c index b9dd51ebfc..612e66906d 100644 --- a/libavformat/aadec.c +++ b/libavformat/aadec.c @@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s) avio_skip(pb, 4); // magic string toc_size = avio_rb32(pb); // TOC size avio_skip(pb, 4); // unidentified integer - if (toc_size > MAX_TOC_ENTRIES) + if (toc_size > MAX_TOC_ENTRIES || toc_size < 2) return AVERROR_INVALIDDATA; for (i = 0; i < toc_size; i++) { // read TOC avio_skip(pb, 4); // TOC entry index @@ -223,7 +223,8 @@ static int aa_read_header(AVFormatContext *s) while ((chapter_pos = avio_tell(pb)) >= 0 && chapter_pos < c->content_end) { int chapter_idx = s->nb_chapters; uint32_t chapter_size = avio_rb32(pb); - if (chapter_size == 0) break; + if (chapter_size == 0 || avio_feof(pb)) + break; chapter_pos -= start + CHAPTER_HEADER_SIZE * chapter_idx; avio_skip(pb, 4 + chapter_size); if (!avpriv_new_chapter(s, chapter_idx, st->time_base, diff --git a/libavformat/act.c b/libavformat/act.c index 26425ca1bb..f6edfb44ab 100644 --- a/libavformat/act.c +++ b/libavformat/act.c @@ -66,6 +66,7 @@ static int read_header(AVFormatContext *s) AVIOContext *pb = s->pb; int size; AVStream* st; + int ret; int min,sec,msec; @@ -75,7 +76,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 16); size=avio_rl32(pb); - ff_get_wav_header(s, pb, st->codecpar, size, 0); + ret = ff_get_wav_header(s, pb, st->codecpar, size, 0); + if (ret < 0) + return ret; /* 8000Hz (Fine-rec) file format has 10 bytes long diff --git a/libavformat/ads.c b/libavformat/ads.c index f25141b3c6..544d652829 100644 --- a/libavformat/ads.c +++ b/libavformat/ads.c @@ -34,8 +34,9 @@ static int ads_probe(const AVProbeData *p) static int ads_read_header(AVFormatContext *s) { - int align, codec, size; + int align, codec; AVStream *st; + int64_t size; st = avformat_new_stream(s, NULL); if (!st) @@ -62,7 +63,7 @@ static int ads_read_header(AVFormatContext *s) st->codecpar->block_align = st->codecpar->channels * align; avio_skip(s->pb, 12); size = avio_rl32(s->pb); - if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_PSX) + if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_PSX && size >= 0x40) st->duration = (size - 0x40) / 16 / st->codecpar->channels * 28; avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c index 3c2840c6ab..3807d67517 100644 --- a/libavformat/adtsenc.c +++ b/libavformat/adtsenc.c @@ -50,9 +50,11 @@ static int adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, const ui GetBitContext gb; PutBitContext pb; MPEG4AudioConfig m4ac; - int off; + int off, ret; - init_get_bits(&gb, buf, size * 8); + ret = init_get_bits8(&gb, buf, size); + if (ret < 0) + return ret; off = avpriv_mpeg4audio_get_config(&m4ac, buf, size * 8, 1); if (off < 0) return off; diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index fcedb0a804..4de612ffc5 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -54,9 +54,9 @@ static enum AVCodecID aiff_codec_get_id(int bps) } /* returns the size of the found tag */ -static int get_tag(AVIOContext *pb, uint32_t * tag) +static int64_t get_tag(AVIOContext *pb, uint32_t * tag) { - int size; + int64_t size; if (avio_feof(pb)) return AVERROR(EIO); @@ -64,16 +64,16 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) *tag = avio_rl32(pb); size = avio_rb32(pb); - if (size < 0) - size = 0x7fffffff; - return size; } /* Metadata string read */ -static void get_meta(AVFormatContext *s, const char *key, int size) +static void get_meta(AVFormatContext *s, const char *key, int64_t size) { - uint8_t *str = av_malloc(size+1); + uint8_t *str = NULL; + + if (size < SIZE_MAX) + str = av_malloc(size+1); if (str) { int res = avio_read(s->pb, str, size); @@ -90,7 +90,7 @@ static void get_meta(AVFormatContext *s, const char *key, int size) } /* Returns the number of sound data frames or negative on error */ -static int get_aiff_header(AVFormatContext *s, int size, +static int get_aiff_header(AVFormatContext *s, int64_t size, unsigned version) { AVIOContext *pb = s->pb; @@ -118,7 +118,12 @@ static int get_aiff_header(AVFormatContext *s, int size, sample_rate = val << exp; else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; + if (sample_rate <= 0) + return AVERROR_INVALIDDATA; + par->sample_rate = sample_rate; + if (size < 18) + return AVERROR_INVALIDDATA; size -= 18; /* get codec id for AIFF-C */ @@ -178,8 +183,10 @@ static int get_aiff_header(AVFormatContext *s, int size, par->block_align = (av_get_bits_per_sample(par->codec_id) * par->channels) >> 3; if (aiff->block_duration) { - par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) / - aiff->block_duration; + par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL, + aiff->block_duration); + if (par->bit_rate < 0) + par->bit_rate = 0; } /* Chunk is over */ @@ -204,7 +211,8 @@ static int aiff_probe(const AVProbeData *p) /* aiff input */ static int aiff_read_header(AVFormatContext *s) { - int ret, size, filesize; + int ret; + int64_t filesize, size; int64_t offset = 0, position; uint32_t tag; unsigned version = AIFF_C_VERSION1; @@ -215,7 +223,7 @@ static int aiff_read_header(AVFormatContext *s) /* check FORM header */ filesize = get_tag(pb, &tag); - if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M')) + if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M')) return AVERROR_INVALIDDATA; /* AIFF data type */ @@ -282,6 +290,8 @@ static int aiff_read_header(AVFormatContext *s) get_meta(s, "comment" , size); break; case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */ + if (size < 8) + return AVERROR_INVALIDDATA; aiff->data_end = avio_tell(pb) + size; offset = avio_rb32(pb); /* Offset of sound data */ avio_rb32(pb); /* BlockSize... don't care */ @@ -352,10 +362,12 @@ got_sound: if (!st->codecpar->block_align && st->codecpar->codec_id == AV_CODEC_ID_QCELP) { av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full rate\n"); st->codecpar->block_align = 35; - } else if (!st->codecpar->block_align) { + } else if (st->codecpar->block_align <= 0) { av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } + if (aiff->block_duration < 0) + return AVERROR_INVALIDDATA; /* Now positioned, get the sound data start and end */ avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); @@ -398,6 +410,8 @@ static int aiff_read_packet(AVFormatContext *s, break; default: size = st->codecpar->block_align ? (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align : MAX_SIZE; + if (!size) + return AVERROR_INVALIDDATA; } size = FFMIN(max_size, size); res = av_get_packet(s->pb, pkt, size); @@ -408,7 +422,7 @@ static int aiff_read_packet(AVFormatContext *s, pkt->flags &= ~AV_PKT_FLAG_CORRUPT; /* Only one stream in an AIFF file */ pkt->stream_index = 0; - pkt->duration = (res / st->codecpar->block_align) * aiff->block_duration; + pkt->duration = (res / st->codecpar->block_align) * (int64_t) aiff->block_duration; return 0; } diff --git a/libavformat/amr.c b/libavformat/amr.c index 42840a50a3..a963eb3ded 100644 --- a/libavformat/amr.c +++ b/libavformat/amr.c @@ -90,13 +90,15 @@ static int amr_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 6); + if (avio_read(pb, header, 6) != 6) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); if (memcmp(header, AMR_header, 6)) { - avio_read(pb, header + 6, 3); + if (avio_read(pb, header + 6, 3) != 3) + return AVERROR_INVALIDDATA; if (memcmp(header, AMRWB_header, 9)) { return -1; } diff --git a/libavformat/ape.c b/libavformat/ape.c index 977e6f3d18..c4c93f9359 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -42,8 +42,8 @@ typedef struct APEFrame { int64_t pos; + int64_t size; int nblocks; - int size; int skip; int64_t pts; } APEFrame; @@ -146,7 +146,7 @@ static void ape_dumpinfo(AVFormatContext * s, APEContext * ape_ctx) av_log(s, AV_LOG_DEBUG, "\nFrames\n\n"); for (i = 0; i < ape_ctx->totalframes; i++) - av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8d (%d samples)\n", i, + av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8"PRId64" (%d samples)\n", i, ape_ctx->frames[i].pos, ape_ctx->frames[i].size, ape_ctx->frames[i].nblocks); @@ -164,7 +164,8 @@ static int ape_read_header(AVFormatContext * s) AVStream *st; uint32_t tag; int i; - int total_blocks, final_size = 0; + int total_blocks; + int64_t final_size = 0; int64_t pts, file_size; /* Skip any leading junk such as id3v2 tags */ @@ -314,7 +315,7 @@ static int ape_read_header(AVFormatContext * s) final_size -= final_size & 3; } if (file_size <= 0 || final_size <= 0) - final_size = ape->finalframeblocks * 8; + final_size = ape->finalframeblocks * 8LL; ape->frames[ape->totalframes - 1].size = final_size; for (i = 0; i < ape->totalframes; i++) { @@ -322,6 +323,8 @@ static int ape_read_header(AVFormatContext * s) ape->frames[i].pos -= ape->frames[i].skip; ape->frames[i].size += ape->frames[i].skip; } + if (ape->frames[i].size > INT_MAX - 3) + return AVERROR_INVALIDDATA; ape->frames[i].size = (ape->frames[i].size + 3) & ~3; } if (ape->fileversion < 3810) { @@ -403,7 +406,7 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt) if (ape->frames[ape->currentframe].size <= 0 || ape->frames[ape->currentframe].size > INT_MAX - extra_size) { - av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n", + av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n", ape->frames[ape->currentframe].size); ape->currentframe++; return AVERROR(EIO); diff --git a/libavformat/apetag.c b/libavformat/apetag.c index 8cb3f4a23a..3164ada6eb 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -129,7 +129,8 @@ int64_t ff_ape_parse_tag(AVFormatContext *s) avio_seek(pb, file_size - APE_TAG_FOOTER_BYTES, SEEK_SET); - avio_read(pb, buf, 8); /* APETAGEX */ + if(avio_read(pb, buf, 8) != 8) /* APETAGEX */ + return 0; if (strncmp(buf, APE_TAG_PREAMBLE, 8)) { return 0; } diff --git a/libavformat/apngenc.c b/libavformat/apngenc.c index 77c1c916c2..88cd8054d6 100644 --- a/libavformat/apngenc.c +++ b/libavformat/apngenc.c @@ -251,7 +251,6 @@ static int apng_write_trailer(AVFormatContext *format_context) if (apng->prev_packet) { ret = flush_packet(format_context, NULL); - av_freep(&apng->prev_packet); if (ret < 0) return ret; } @@ -266,12 +265,18 @@ static int apng_write_trailer(AVFormatContext *format_context) apng_write_chunk(io_context, MKBETAG('a', 'c', 'T', 'L'), buf, 8); } - av_freep(&apng->extra_data); - apng->extra_data = 0; - return 0; } +static void apng_deinit(AVFormatContext *s) +{ + APNGMuxContext *apng = s->priv_data; + + av_packet_free(&apng->prev_packet); + av_freep(&apng->extra_data); + apng->extra_data_size = 0; +} + #define OFFSET(x) offsetof(APNGMuxContext, x) #define ENC AV_OPT_FLAG_ENCODING_PARAM static const AVOption options[] = { @@ -300,6 +305,7 @@ AVOutputFormat ff_apng_muxer = { .write_header = apng_write_header, .write_packet = apng_write_packet, .write_trailer = apng_write_trailer, + .deinit = apng_deinit, .priv_class = &apng_muxer_class, .flags = AVFMT_VARIABLE_FPS, }; diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index 8cc82a8f39..960a5d8ef5 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c @@ -74,18 +74,19 @@ static int aqt_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); if (sub) { - sub->duration = frame - sub->pts; + if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX) + sub->duration = frame - sub->pts; sub = NULL; } } else if (*line) { if (!new_event) { sub = ff_subtitles_queue_insert(&aqt->q, "\n", 1, 1); if (!sub) - return AVERROR(ENOMEM); + goto fail; } sub = ff_subtitles_queue_insert(&aqt->q, line, strlen(line), !new_event); if (!sub) - return AVERROR(ENOMEM); + goto fail; if (new_event) { sub->pts = frame; sub->duration = -1; @@ -97,6 +98,9 @@ static int aqt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &aqt->q); return 0; +fail: + ff_subtitles_queue_clean(&aqt->q); + return AVERROR(ENOMEM); } static int aqt_read_packet(AVFormatContext *s, AVPacket *pkt) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 57dc3b09b9..7418410d43 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -104,7 +104,7 @@ typedef struct ASFContext { int ts_is_pts; int packet_multi_size; int packet_time_delta; - int packet_time_start; + int64_t packet_time_start; int64_t packet_pos; int stream_index; @@ -321,8 +321,7 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int int64_t off = avio_tell(s->pb); #define LEN 22 - if ((unsigned)len >= (UINT_MAX - LEN) / 2) - return; + av_assert0((unsigned)len < (INT_MAX - LEN) / 2); if (!asf->export_xmp && !strncmp(key, "xmp", 3)) goto finish; @@ -425,7 +424,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) if (!(asf->hdr.flags & 0x01)) { // if we aren't streaming... int64_t fsize = avio_size(pb); if (fsize <= 0 || (int64_t)asf->hdr.file_size <= 0 || - 20*FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)) + FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)/20) st->duration = asf->hdr.play_time / (10000000 / 1000) - start_time; } @@ -517,6 +516,8 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { + if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) + return AVERROR_INVALIDDATA; st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); @@ -608,6 +609,8 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) ff_get_guid(pb, &g); size = avio_rl16(pb); ext_len = avio_rl32(pb); + if (ext_len < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, ext_len); if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) { ASFPayload *p = &asf->streams[stream_num].payload[i]; @@ -712,6 +715,9 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) value_type = avio_rl16(pb); /* value_type */ value_len = avio_rl32(pb); + if (value_len < 0 || value_len > UINT16_MAX) + return AVERROR_INVALIDDATA; + name_len_utf8 = 2*name_len_utf16 + 1; name = av_malloc(name_len_utf8); if (!name) @@ -767,6 +773,8 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) avio_rl32(pb); // send time avio_rl32(pb); // flags name_len = avio_rl32(pb); // name length + if ((unsigned)name_len > INT_MAX / 2) + return AVERROR_INVALIDDATA; if ((ret = avio_get_str16le(pb, name_len * 2, name, sizeof(name))) < name_len) avio_skip(pb, name_len - ret); @@ -857,11 +865,20 @@ static int asf_read_header(AVFormatContext *s) return ret; av_hex_dump_log(s, AV_LOG_DEBUG, pkt.data, pkt.size); av_packet_unref(&pkt); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_Protection_Type", -1, len, 32); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_Key_ID", -1, len, 32); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_License_URL", -1, len, 32); } else if (!ff_guidcmp(&g, &ff_asf_ext_content_encryption)) { av_log(s, AV_LOG_WARNING, @@ -1298,10 +1315,12 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) if ((ret = av_new_packet(&asf_st->pkt, asf_st->packet_obj_size)) < 0) return ret; asf_st->seq = asf->packet_seq; - if (asf->ts_is_pts) { - asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; - } else - asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + if (asf->packet_frag_timestamp != AV_NOPTS_VALUE) { + if (asf->ts_is_pts) { + asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; + } else + asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + } asf_st->pkt.stream_index = asf->stream_index; asf_st->pkt.pos = asf_st->packet_pos = asf->packet_pos; asf_st->pkt_clean = 0; diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 8e7f044ce9..3bc53670e3 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -113,6 +113,7 @@ typedef struct ASFContext { int64_t data_offset; int64_t first_packet_offset; // packet offset int64_t unknown_offset; // for top level header objects or subobjects without specified behavior + int in_asf_read_unknown; // ASF file must not contain more than 128 streams according to the specification ASFStream *asf_st[ASF_MAX_STREAMS]; @@ -177,7 +178,7 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) uint64_t size = avio_rl64(pb); int ret; - if (size > INT64_MAX) + if (size > INT64_MAX || asf->in_asf_read_unknown > 5) return AVERROR_INVALIDDATA; if (asf->is_header) @@ -186,8 +187,11 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) if (!g->is_subobject) { if (!(ret = strcmp(g->name, "Header Extension"))) avio_skip(pb, 22); // skip reserved fields and Data Size - if ((ret = detect_unknown_subobject(s, asf->unknown_offset, - asf->unknown_size)) < 0) + asf->in_asf_read_unknown ++; + ret = detect_unknown_subobject(s, asf->unknown_offset, + asf->unknown_size); + asf->in_asf_read_unknown --; + if (ret < 0) return ret; } else { if (size < 24) { @@ -245,6 +249,9 @@ static int asf_read_marker(AVFormatContext *s, const GUIDParseTable *g) avio_skip(pb, 4); // flags len = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if ((ret = avio_get_str16le(pb, len, name, sizeof(name))) < len) avio_skip(pb, len - ret); @@ -691,7 +698,7 @@ static int asf_read_properties(AVFormatContext *s, const GUIDParseTable *g) return 0; } -static int parse_video_info(AVIOContext *pb, AVStream *st) +static int parse_video_info(AVFormatContext *avfmt, AVIOContext *pb, AVStream *st) { uint16_t size_asf; // ASF-specific Format Data size uint32_t size_bmp; // BMP_HEADER-specific Format Data size @@ -706,19 +713,10 @@ static int parse_video_info(AVIOContext *pb, AVStream *st) st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); size_bmp = FFMAX(size_asf, size_bmp); - if (size_bmp > BMP_HEADER_SIZE && - size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { - int ret; - st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE; - if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size + - AV_INPUT_BUFFER_PADDING_SIZE))) { - st->codecpar->extradata_size = 0; - return AVERROR(ENOMEM); - } - memset(st->codecpar->extradata + st->codecpar->extradata_size , 0, - AV_INPUT_BUFFER_PADDING_SIZE); - if ((ret = avio_read(pb, st->codecpar->extradata, - st->codecpar->extradata_size)) < 0) + if (size_bmp > BMP_HEADER_SIZE) { + int ret = ff_get_extradata(avfmt, st->codecpar, pb, size_bmp - BMP_HEADER_SIZE); + + if (ret < 0) return ret; } return 0; @@ -799,7 +797,7 @@ static int asf_read_stream_properties(AVFormatContext *s, const GUIDParseTable * break; case AVMEDIA_TYPE_VIDEO: asf_st->type = AVMEDIA_TYPE_VIDEO; - if ((ret = parse_video_info(pb, st)) < 0) + if ((ret = parse_video_info(s, pb, st)) < 0) return ret; break; default: @@ -983,6 +981,9 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g) int64_t offset; uint64_t size = avio_rl64(pb); + if (size < 24) + return AVERROR_INVALIDDATA; + // simple index objects should be ordered by stream number, this loop tries to find // the first not indexed video stream for (i = 0; i < asf->nb_streams; i++) { @@ -1363,6 +1364,8 @@ static int asf_read_packet_header(AVFormatContext *s) unsigned char error_flags, len_flags, pay_flags; asf->packet_offset = avio_tell(pb); + if (asf->packet_offset > INT64_MAX/2) + asf->packet_offset = 0; error_flags = avio_r8(pb); // read Error Correction Flags if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) { if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) { @@ -1679,6 +1682,9 @@ static int detect_unknown_subobject(AVFormatContext *s, int64_t offset, int64_t ff_asf_guid guid; int ret; + if (offset > INT64_MAX - size) + return AVERROR_INVALIDDATA; + while (avio_tell(pb) <= offset + size) { if (avio_tell(pb) == asf->offset) break; diff --git a/libavformat/assdec.c b/libavformat/assdec.c index f66b296673..8fb9e8e501 100644 --- a/libavformat/assdec.c +++ b/libavformat/assdec.c @@ -160,6 +160,8 @@ static int ass_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &ass->q); end: + if (res < 0) + ass_read_close(s); av_bprint_finalize(&header, NULL); av_bprint_finalize(&line, NULL); av_bprint_finalize(&rline, NULL); diff --git a/libavformat/au.c b/libavformat/au.c index cb48e67feb..31a5ef6db6 100644 --- a/libavformat/au.c +++ b/libavformat/au.c @@ -86,6 +86,11 @@ static int au_read_annotation(AVFormatContext *s, int size) av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED); while (size-- > 0) { + if (avio_feof(pb)) { + av_bprint_finalize(&bprint, NULL); + av_freep(&key); + return AVERROR_EOF; + } c = avio_r8(pb); switch(state) { case PARSE_KEY: diff --git a/libavformat/av1.c b/libavformat/av1.c index 5fde8df97e..03669dfd2a 100644 --- a/libavformat/av1.c +++ b/libavformat/av1.c @@ -26,6 +26,7 @@ #include "libavcodec/put_bits.h" #include "av1.h" #include "avio.h" +#include "avio_internal.h" int ff_av1_filter_obus(AVIOContext *pb, const uint8_t *buf, int size) { @@ -67,8 +68,10 @@ int ff_av1_filter_obus_buf(const uint8_t *buf, uint8_t **out, int *size) return ret; ret = ff_av1_filter_obus(pb, buf, *size); - if (ret < 0) + if (ret < 0) { + ffio_free_dyn_buf(&pb); return ret; + } av_freep(out); *size = avio_close_dyn_buf(pb, out); @@ -76,18 +79,6 @@ int ff_av1_filter_obus_buf(const uint8_t *buf, uint8_t **out, int *size) return ret; } -typedef struct AV1SequenceParameters { - uint8_t seq_profile; - uint8_t seq_level_idx_0; - uint8_t seq_tier_0; - uint8_t high_bitdepth; - uint8_t twelve_bit; - uint8_t monochrome; - uint8_t chroma_subsampling_x; - uint8_t chroma_subsampling_y; - uint8_t chroma_sample_position; -} AV1SequenceParameters; - static inline void uvlc(GetBitContext *gb) { int leading_zeros = 0; @@ -106,49 +97,51 @@ static inline void uvlc(GetBitContext *gb) static int parse_color_config(AV1SequenceParameters *seq_params, GetBitContext *gb) { - int color_primaries, transfer_characteristics, matrix_coefficients; + int twelve_bit = 0; + int high_bitdepth = get_bits1(gb); + if (seq_params->profile == FF_PROFILE_AV1_PROFESSIONAL && high_bitdepth) + twelve_bit = get_bits1(gb); - seq_params->high_bitdepth = get_bits1(gb); - if (seq_params->seq_profile == FF_PROFILE_AV1_PROFESSIONAL && seq_params->high_bitdepth) - seq_params->twelve_bit = get_bits1(gb); + seq_params->bitdepth = 8 + (high_bitdepth * 2) + (twelve_bit * 2); - if (seq_params->seq_profile == FF_PROFILE_AV1_HIGH) + if (seq_params->profile == FF_PROFILE_AV1_HIGH) seq_params->monochrome = 0; else seq_params->monochrome = get_bits1(gb); - if (get_bits1(gb)) { // color_description_present_flag - color_primaries = get_bits(gb, 8); - transfer_characteristics = get_bits(gb, 8); - matrix_coefficients = get_bits(gb, 8); + seq_params->color_description_present_flag = get_bits1(gb); + if (seq_params->color_description_present_flag) { + seq_params->color_primaries = get_bits(gb, 8); + seq_params->transfer_characteristics = get_bits(gb, 8); + seq_params->matrix_coefficients = get_bits(gb, 8); } else { - color_primaries = AVCOL_PRI_UNSPECIFIED; - transfer_characteristics = AVCOL_TRC_UNSPECIFIED; - matrix_coefficients = AVCOL_SPC_UNSPECIFIED; + seq_params->color_primaries = AVCOL_PRI_UNSPECIFIED; + seq_params->transfer_characteristics = AVCOL_TRC_UNSPECIFIED; + seq_params->matrix_coefficients = AVCOL_SPC_UNSPECIFIED; } if (seq_params->monochrome) { - skip_bits1(gb); // color_range + seq_params->color_range = get_bits1(gb); seq_params->chroma_subsampling_x = 1; seq_params->chroma_subsampling_y = 1; seq_params->chroma_sample_position = 0; return 0; - } else if (color_primaries == AVCOL_PRI_BT709 && - transfer_characteristics == AVCOL_TRC_IEC61966_2_1 && - matrix_coefficients == AVCOL_SPC_RGB) { + } else if (seq_params->color_primaries == AVCOL_PRI_BT709 && + seq_params->transfer_characteristics == AVCOL_TRC_IEC61966_2_1 && + seq_params->matrix_coefficients == AVCOL_SPC_RGB) { seq_params->chroma_subsampling_x = 0; seq_params->chroma_subsampling_y = 0; } else { - skip_bits1(gb); // color_range + seq_params->color_range = get_bits1(gb); - if (seq_params->seq_profile == FF_PROFILE_AV1_MAIN) { + if (seq_params->profile == FF_PROFILE_AV1_MAIN) { seq_params->chroma_subsampling_x = 1; seq_params->chroma_subsampling_y = 1; - } else if (seq_params->seq_profile == FF_PROFILE_AV1_HIGH) { + } else if (seq_params->profile == FF_PROFILE_AV1_HIGH) { seq_params->chroma_subsampling_x = 0; seq_params->chroma_subsampling_y = 0; } else { - if (seq_params->twelve_bit) { + if (twelve_bit) { seq_params->chroma_subsampling_x = get_bits1(gb); if (seq_params->chroma_subsampling_x) seq_params->chroma_subsampling_y = get_bits1(gb); @@ -185,14 +178,14 @@ static int parse_sequence_header(AV1SequenceParameters *seq_params, const uint8_ memset(seq_params, 0, sizeof(*seq_params)); - seq_params->seq_profile = get_bits(&gb, 3); + seq_params->profile = get_bits(&gb, 3); skip_bits1(&gb); // still_picture reduced_still_picture_header = get_bits1(&gb); if (reduced_still_picture_header) { - seq_params->seq_level_idx_0 = get_bits(&gb, 5); - seq_params->seq_tier_0 = 0; + seq_params->level = get_bits(&gb, 5); + seq_params->tier = 0; } else { int initial_display_delay_present_flag, operating_points_cnt_minus_1; int decoder_model_info_present_flag, buffer_delay_length_minus_1; @@ -242,8 +235,8 @@ static int parse_sequence_header(AV1SequenceParameters *seq_params, const uint8_ } if (i == 0) { - seq_params->seq_level_idx_0 = seq_level_idx; - seq_params->seq_tier_0 = seq_tier; + seq_params->level = seq_level_idx; + seq_params->tier = seq_tier; } } } @@ -297,6 +290,36 @@ static int parse_sequence_header(AV1SequenceParameters *seq_params, const uint8_ return 0; } +int ff_av1_parse_seq_header(AV1SequenceParameters *seq, const uint8_t *buf, int size) +{ + int64_t obu_size; + int start_pos, type, temporal_id, spatial_id; + + if (size <= 0) + return AVERROR_INVALIDDATA; + + while (size > 0) { + int len = parse_obu_header(buf, size, &obu_size, &start_pos, + &type, &temporal_id, &spatial_id); + if (len < 0) + return len; + + switch (type) { + case AV1_OBU_SEQUENCE_HEADER: + if (!obu_size) + return AVERROR_INVALIDDATA; + + return parse_sequence_header(seq, buf + start_pos, obu_size); + default: + break; + } + size -= len; + buf += len; + } + + return AVERROR_INVALIDDATA; +} + int ff_isom_write_av1c(AVIOContext *pb, const uint8_t *buf, int size) { AVIOContext *seq_pb = NULL, *meta_pb = NULL; @@ -363,11 +386,11 @@ int ff_isom_write_av1c(AVIOContext *pb, const uint8_t *buf, int size) put_bits(&pbc, 1, 1); // marker put_bits(&pbc, 7, 1); // version - put_bits(&pbc, 3, seq_params.seq_profile); - put_bits(&pbc, 5, seq_params.seq_level_idx_0); - put_bits(&pbc, 1, seq_params.seq_tier_0); - put_bits(&pbc, 1, seq_params.high_bitdepth); - put_bits(&pbc, 1, seq_params.twelve_bit); + put_bits(&pbc, 3, seq_params.profile); + put_bits(&pbc, 5, seq_params.level); + put_bits(&pbc, 1, seq_params.tier); + put_bits(&pbc, 1, seq_params.bitdepth > 8); + put_bits(&pbc, 1, seq_params.bitdepth == 12); put_bits(&pbc, 1, seq_params.monochrome); put_bits(&pbc, 1, seq_params.chroma_subsampling_x); put_bits(&pbc, 1, seq_params.chroma_subsampling_y); diff --git a/libavformat/av1.h b/libavformat/av1.h index 9f2a71f353..441b6c9898 100644 --- a/libavformat/av1.h +++ b/libavformat/av1.h @@ -25,6 +25,22 @@ #include "avio.h" +typedef struct AV1SequenceParameters { + uint8_t profile; + uint8_t level; + uint8_t tier; + uint8_t bitdepth; + uint8_t monochrome; + uint8_t chroma_subsampling_x; + uint8_t chroma_subsampling_y; + uint8_t chroma_sample_position; + uint8_t color_description_present_flag; + uint8_t color_primaries; + uint8_t transfer_characteristics; + uint8_t matrix_coefficients; + uint8_t color_range; +} AV1SequenceParameters; + /** * Filter out AV1 OBUs not meant to be present in ISOBMFF sample data and write * the resulting bitstream to the provided AVIOContext. @@ -55,6 +71,18 @@ int ff_av1_filter_obus(AVIOContext *pb, const uint8_t *buf, int size); */ int ff_av1_filter_obus_buf(const uint8_t *buf, uint8_t **out, int *size); +/** + * Parses a Sequence Header from the the provided buffer. + * + * @param seq pointer to the AV1SequenceParameters where the parsed values will + * be written + * @param buf input data buffer + * @param size size in bytes of the input data buffer + * + * @return >= 0 in case of success, a negative AVERROR code in case of failure + */ +int ff_av1_parse_seq_header(AV1SequenceParameters *seq, const uint8_t *buf, int size); + /** * Writes AV1 extradata (Sequence Header and Metadata OBUs) to the provided * AVIOContext. diff --git a/libavformat/avc.c b/libavformat/avc.c index a041e84357..34edec04f0 100644 --- a/libavformat/avc.c +++ b/libavformat/avc.c @@ -308,27 +308,24 @@ static inline int get_se_golomb(GetBitContext *gb) { return ((v >> 1) ^ sign) - sign; } -H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *buf, int buf_size) +int ff_avc_decode_sps(H264SPS *sps, const uint8_t *buf, int buf_size) { int i, j, ret, rbsp_size, aspect_ratio_idc, pic_order_cnt_type; int num_ref_frames_in_pic_order_cnt_cycle; int delta_scale, lastScale = 8, nextScale = 8; int sizeOfScalingList; - H264SequenceParameterSet *sps = NULL; GetBitContext gb; uint8_t *rbsp_buf; rbsp_buf = ff_nal_unit_extract_rbsp(buf, buf_size, &rbsp_size, 0); if (!rbsp_buf) - return NULL; + return AVERROR(ENOMEM); ret = init_get_bits8(&gb, rbsp_buf, rbsp_size); if (ret < 0) goto end; - sps = av_mallocz(sizeof(*sps)); - if (!sps) - goto end; + memset(sps, 0, sizeof(*sps)); sps->profile_idc = get_bits(&gb, 8); sps->constraint_set_flags |= get_bits1(&gb) << 0; // constraint_set0_flag @@ -423,7 +420,8 @@ H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *buf, int buf_size) sps->sar.den = 1; } + ret = 0; end: av_free(rbsp_buf); - return sps; + return ret; } diff --git a/libavformat/avc.h b/libavformat/avc.h index a79bf9b2db..f75d7a9c72 100644 --- a/libavformat/avc.h +++ b/libavformat/avc.h @@ -45,8 +45,8 @@ typedef struct { uint8_t bit_depth_luma; uint8_t frame_mbs_only_flag; AVRational sar; -} H264SequenceParameterSet; +} H264SPS; -H264SequenceParameterSet *ff_avc_decode_sps(const uint8_t *src, int src_len); +int ff_avc_decode_sps(H264SPS *sps, const uint8_t *buf, int buf_size); #endif /* AVFORMAT_AVC_H */ diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 1d887b1cc9..430b4c8aa7 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -61,7 +61,7 @@ typedef struct AVIStream { AVFormatContext *sub_ctx; AVPacket sub_pkt; - uint8_t *sub_buffer; + AVBufferRef *sub_buffer; int64_t seek_pos; } AVIStream; @@ -80,6 +80,8 @@ typedef struct AVIContext { int stream_index; DVDemuxContext *dv_demux; int odml_depth; + int64_t odml_read; + int64_t odml_max_pos; int use_odml; #define MAX_ODML_DEPTH 1000 int64_t dts_max; @@ -126,7 +128,7 @@ static inline int get_duration(AVIStream *ast, int len) if (ast->sample_size) return len; else if (ast->dshow_block_align) - return (len + ast->dshow_block_align - 1) / ast->dshow_block_align; + return (len + (int64_t)ast->dshow_block_align - 1) / ast->dshow_block_align; else return 1; } @@ -156,7 +158,7 @@ static int get_riff(AVFormatContext *s, AVIOContext *pb) return 0; } -static int read_odml_index(AVFormatContext *s, int frame_num) +static int read_odml_index(AVFormatContext *s, int64_t frame_num) { AVIContext *avi = s->priv_data; AVIOContext *pb = s->pb; @@ -176,7 +178,7 @@ static int read_odml_index(AVFormatContext *s, int frame_num) av_log(s, AV_LOG_TRACE, "longs_per_entry:%d index_type:%d entries_in_use:%d " - "chunk_id:%X base:%16"PRIX64" frame_num:%d\n", + "chunk_id:%X base:%16"PRIX64" frame_num:%"PRId64"\n", longs_per_entry, index_type, entries_in_use, @@ -189,7 +191,7 @@ static int read_odml_index(AVFormatContext *s, int frame_num) st = s->streams[stream_id]; ast = st->priv_data; - if (index_sub_type) + if (index_sub_type || entries_in_use < 0) return AVERROR_INVALIDDATA; avio_rl32(pb); @@ -210,11 +212,18 @@ static int read_odml_index(AVFormatContext *s, int frame_num) } for (i = 0; i < entries_in_use; i++) { + avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb)); + + // If we read more than there are bytes then we must have been reading something twice + if (avi->odml_read > avi->odml_max_pos) + return AVERROR_INVALIDDATA; + if (index_type) { int64_t pos = avio_rl32(pb) + base - 8; int len = avio_rl32(pb); int key = len >= 0; len &= 0x7FFFFFFF; + avi->odml_read += 8; av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len); @@ -232,11 +241,14 @@ static int read_odml_index(AVFormatContext *s, int frame_num) } else { int64_t offset, pos; int duration; + int ret; + avi->odml_read += 16; + offset = avio_rl64(pb); avio_rl32(pb); /* size */ duration = avio_rl32(pb); - if (avio_feof(pb)) + if (avio_feof(pb) || offset > INT64_MAX - 8) return AVERROR_INVALIDDATA; pos = avio_tell(pb); @@ -249,7 +261,7 @@ static int read_odml_index(AVFormatContext *s, int frame_num) if (avio_seek(pb, offset + 8, SEEK_SET) < 0) return -1; avi->odml_depth++; - read_odml_index(s, frame_num); + ret = read_odml_index(s, frame_num); avi->odml_depth--; frame_num += duration; @@ -257,7 +269,8 @@ static int read_odml_index(AVFormatContext *s, int frame_num) av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index\n"); return -1; } - + if (ret < 0) + return ret; } } avi->index_loaded = 2; @@ -438,7 +451,7 @@ static int calculate_bitrate(AVFormatContext *s) maxpos = FFMAX(maxpos, st->index_entries[j-1].pos); lensum += len; } - if (maxpos < avi->io_fsize*9/10) // index does not cover the whole file + if (maxpos < av_rescale(avi->io_fsize, 9, 10)) // index does not cover the whole file return 0; if (lensum*9/10 > maxpos || lensum < maxpos*9/10) // frame sum and filesize mismatch return 0; @@ -815,6 +828,9 @@ FF_ENABLE_DEPRECATION_WARNINGS "mov tag found in avi (fourcc %s)\n", av_fourcc2str(tag1)); } + if (!st->codecpar->codec_id) + st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags_unofficial, tag1); + /* This is needed to get the pict type which is necessary * for generating correct pts. */ st->need_parsing = AVSTREAM_PARSE_HEADERS; @@ -840,6 +856,8 @@ FF_ENABLE_DEPRECATION_WARNINGS memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9, "BottomUp", 9); } + if (st->codecpar->height == INT_MIN) + return AVERROR_INVALIDDATA; st->codecpar->height = FFABS(st->codecpar->height); // avio_skip(pb, size - 5 * 4); @@ -1118,8 +1136,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) time_base = ast->sub_ctx->streams[0]->time_base; avpriv_set_pts_info(st, 64, time_base.num, time_base.den); } - ast->sub_buffer = pkt->data; - memset(pkt, 0, sizeof(*pkt)); + ast->sub_buffer = pkt->buf; + pkt->buf = NULL; + av_packet_unref(pkt); return 1; error: @@ -1255,7 +1274,7 @@ start_sync: AVStream *st1 = s->streams[1]; AVIStream *ast1 = st1->priv_data; // workaround for broken small-file-bug402.avi - if ( d[2] == 'w' && d[3] == 'b' + if (ast1 && d[2] == 'w' && d[3] == 'b' && n == 0 && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO @@ -1423,6 +1442,7 @@ resync: if (avi->stream_index >= 0) { AVStream *st = s->streams[avi->stream_index]; AVIStream *ast = st->priv_data; + int dv_demux = CONFIG_DV_DEMUXER && avi->dv_demux; int size, err; if (get_subtitle_pkt(s, st, pkt)) @@ -1445,7 +1465,7 @@ resync: return err; size = err; - if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2) { + if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2 && !dv_demux) { uint8_t *pal; pal = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, @@ -1459,7 +1479,7 @@ resync: } } - if (CONFIG_DV_DEMUXER && avi->dv_demux) { + if (dv_demux) { AVBufferRef *avbuf = pkt->buf; size = avpriv_dv_produce_packet(avi->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); @@ -1528,11 +1548,12 @@ resync: if (!avi->non_interleaved && st->nb_index_entries>1 && avi->index_loaded>1) { int64_t dts= av_rescale_q(pkt->dts, st->time_base, AV_TIME_BASE_Q); - if (avi->dts_max - dts > 2*AV_TIME_BASE) { + if (avi->dts_max < dts) { + avi->dts_max = dts; + } else if (avi->dts_max - (uint64_t)dts > 2*AV_TIME_BASE) { avi->non_interleaved= 1; av_log(s, AV_LOG_INFO, "Switching to NI mode, due to poor interleaving\n"); - }else if (avi->dts_max < dts) - avi->dts_max = dts; + } } return 0; @@ -1747,7 +1768,10 @@ static int avi_load_index(AVFormatContext *s) size = avio_rl32(pb); if (avio_feof(pb)) break; - next = avio_tell(pb) + size + (size & 1); + next = avio_tell(pb); + if (next < 0 || next > INT64_MAX - size - (size & 1)) + break; + next += size + (size & 1LL); if (tag == MKTAG('i', 'd', 'x', '1') && avi_read_idx1(s, size) >= 0) { @@ -1910,7 +1934,7 @@ static int avi_read_close(AVFormatContext *s) av_freep(&ast->sub_ctx->pb); avformat_close_input(&ast->sub_ctx); } - av_freep(&ast->sub_buffer); + av_buffer_unref(&ast->sub_buffer); av_packet_unref(&ast->sub_pkt); } } diff --git a/libavformat/avienc.c b/libavformat/avienc.c index ac0f04c354..1b8904fa40 100644 --- a/libavformat/avienc.c +++ b/libavformat/avienc.c @@ -459,6 +459,14 @@ static int avi_write_header(AVFormatContext *s) && par->format != AV_PIX_FMT_NONE) av_log(s, AV_LOG_ERROR, "%s rawvideo cannot be written to avi, output file will be unreadable\n", av_get_pix_fmt_name(par->format)); + + if (par->format == AV_PIX_FMT_PAL8) { + if (par->bits_per_coded_sample < 0 || par->bits_per_coded_sample > 8) { + av_log(s, AV_LOG_ERROR, "PAL8 with %d bps is not allowed\n", par->bits_per_coded_sample); + return AVERROR(EINVAL); + } + } + break; case AVMEDIA_TYPE_AUDIO: flags = (avi->write_channel_mask == 0) ? FF_PUT_WAV_HEADER_SKIP_CHANNELMASK : 0; diff --git a/libavformat/avio.c b/libavformat/avio.c index 663789ec02..810268641b 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -314,8 +314,11 @@ int ffurl_open_whitelist(URLContext **puc, const char *filename, int flags, int ret = ffurl_alloc(puc, filename, flags, int_cb); if (ret < 0) return ret; - if (parent) - av_opt_copy(*puc, parent); + if (parent) { + ret = av_opt_copy(*puc, parent); + if (ret < 0) + goto fail; + } if (options && (ret = av_opt_set_dict(*puc, options)) < 0) goto fail; diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 2d011027c9..6836e0c79e 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -1163,6 +1163,8 @@ int ffio_open_whitelist(AVIOContext **s, const char *filename, int flags, URLContext *h; int err; + *s = NULL; + err = ffurl_open_whitelist(&h, filename, flags, int_cb, options, whitelist, blacklist, NULL); if (err < 0) return err; @@ -1303,7 +1305,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size) unsigned new_size, new_allocated_size; /* reallocate buffer if needed */ - new_size = d->pos + buf_size; + new_size = (unsigned)d->pos + buf_size; new_allocated_size = d->allocated_size; if (new_size < d->pos || new_size > INT_MAX/2) return -1; diff --git a/libavformat/avr.c b/libavformat/avr.c index c4ce70142a..a79898f146 100644 --- a/libavformat/avr.c +++ b/libavformat/avr.c @@ -70,6 +70,9 @@ static int avr_read_header(AVFormatContext *s) avio_skip(s->pb, 1); // replay speed st->codecpar->sample_rate = avio_rb24(s->pb); + if (st->codecpar->sample_rate == 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4 * 3); avio_skip(s->pb, 2 * 3); avio_skip(s->pb, 20); diff --git a/libavformat/avs.c b/libavformat/avs.c index 47fa41017d..c846265c50 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -129,7 +129,8 @@ avs_read_video_packet(AVFormatContext * s, AVPacket * pkt, static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt) { AvsFormat *avs = s->priv_data; - int ret, size; + int ret; + int64_t size; size = avio_tell(s->pb); ret = ff_voc_get_packet(s, pkt, avs->st_audio, avs->remaining_audio_size); @@ -140,6 +141,10 @@ static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt) return 0; /* this indicate EOS */ if (ret < 0) return ret; + if (size != (int)size) { + av_packet_unref(pkt); + return AVERROR(EDOM); + } pkt->stream_index = avs->st_audio->index; pkt->flags |= AV_PKT_FLAG_KEY; diff --git a/libavformat/bethsoftvid.c b/libavformat/bethsoftvid.c index 4aefb04f14..2a8e7239a7 100644 --- a/libavformat/bethsoftvid.c +++ b/libavformat/bethsoftvid.c @@ -28,6 +28,7 @@ */ #include "libavutil/channel_layout.h" +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "avformat.h" #include "internal.h" @@ -71,6 +72,7 @@ static int vid_read_header(AVFormatContext *s) { BVID_DemuxContext *vid = s->priv_data; AVIOContext *pb = s->pb; + int ret; /* load main header. Contents: * bytes: 'V' 'I' 'D' @@ -83,6 +85,10 @@ static int vid_read_header(AVFormatContext *s) vid->bethsoft_global_delay = avio_rl16(pb); avio_rl16(pb); + ret = av_image_check_size(vid->width, vid->height, 0, s); + if (ret < 0) + return ret; + // wait until the first packet to create each stream vid->video_index = -1; vid->audio_index = -1; @@ -146,9 +152,13 @@ static int read_frame(BVID_DemuxContext *vid, AVIOContext *pb, AVPacket *pkt, } do{ - vidbuf_start = av_fast_realloc(vidbuf_start, &vidbuf_capacity, vidbuf_nbytes + BUFFER_PADDING_SIZE); - if(!vidbuf_start) - return AVERROR(ENOMEM); + uint8_t *tmp = av_fast_realloc(vidbuf_start, &vidbuf_capacity, + vidbuf_nbytes + BUFFER_PADDING_SIZE); + if (!tmp) { + ret = AVERROR(ENOMEM); + goto fail; + } + vidbuf_start = tmp; code = avio_r8(pb); vidbuf_start[vidbuf_nbytes++] = code; diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 29e2cf8cf4..35b6816aad 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -69,7 +69,12 @@ static int bfi_read_header(AVFormatContext * s) /* Set the total number of frames. */ avio_skip(pb, 8); chunk_header = avio_rl32(pb); + if (chunk_header < 3) + return AVERROR_INVALIDDATA; + bfi->nframes = avio_rl32(pb); + if (bfi->nframes < 0) + return AVERROR_INVALIDDATA; avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); @@ -135,12 +140,12 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) audio_offset = avio_rl32(pb); avio_rl32(pb); video_offset = avio_rl32(pb); - audio_size = video_offset - audio_offset; - bfi->video_size = chunk_size - video_offset; - if (audio_size < 0 || bfi->video_size < 0) { + if (audio_offset < 0 || video_offset < audio_offset || chunk_size < video_offset) { av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); return AVERROR_INVALIDDATA; } + audio_size = video_offset - audio_offset; + bfi->video_size = chunk_size - video_offset; //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); diff --git a/libavformat/bintext.c b/libavformat/bintext.c index d4921749a0..9acfcf6574 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -149,7 +149,7 @@ static int bin_probe(const AVProbeData *p) return AVPROBE_SCORE_EXTENSION + 1; predict_width(&par, p->buf_size, got_width); - if (par.width <= 0) + if (par.width < 8) return 0; calculate_height(&par, p->buf_size); if (par.height <= 0) @@ -195,6 +195,8 @@ static int bintext_read_header(AVFormatContext *s) next_tag_read(s, &bin->fsize); if (!bin->width) { predict_width(st->codecpar, bin->fsize, got_width); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; calculate_height(st->codecpar, bin->fsize); } avio_seek(pb, 0, SEEK_SET); @@ -289,6 +291,8 @@ static int adf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 1 - 192 - 4096; st->codecpar->width = 80<<3; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codecpar, bin->fsize); avio_seek(pb, 1 + 192 + 4096, SEEK_SET); @@ -340,6 +344,8 @@ static int idf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 12 - 4096 - 48; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codecpar, bin->fsize); avio_seek(pb, 12, SEEK_SET); diff --git a/libavformat/boadec.c b/libavformat/boadec.c index 495090c485..74a6ceecb1 100644 --- a/libavformat/boadec.c +++ b/libavformat/boadec.c @@ -54,12 +54,12 @@ static int read_header(AVFormatContext *s) avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); st->codecpar->channels = avio_rl32(s->pb); - if (st->codecpar->channels > FF_SANE_NB_CHANNELS) + if (st->codecpar->channels > FF_SANE_NB_CHANNELS || st->codecpar->channels <= 0) return AVERROR(ENOSYS); s->internal->data_offset = avio_rl32(s->pb); avio_r8(s->pb); st->codecpar->block_align = avio_rl32(s->pb); - if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS) + if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS || st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; st->codecpar->block_align *= st->codecpar->channels; diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 86228595c9..ab32756923 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -70,7 +70,7 @@ static int read_desc_chunk(AVFormatContext *s) /* parse format description */ st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; - st->codecpar->sample_rate = av_int2double(avio_rb64(pb)); + st->codecpar->sample_rate = av_clipd(av_int2double(avio_rb64(pb)), 0, INT_MAX); st->codecpar->codec_tag = avio_rl32(pb); flags = avio_rb32(pb); caf->bytes_per_packet = avio_rb32(pb); @@ -79,6 +79,9 @@ static int read_desc_chunk(AVFormatContext *s) st->codecpar->channels = avio_rb32(pb); st->codecpar->bits_per_coded_sample = avio_rb32(pb); + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0 || st->codecpar->channels < 0) + return AVERROR_INVALIDDATA; + /* calculate bit rate for constant size packets */ if (caf->frames_per_packet > 0 && caf->bytes_per_packet > 0) { st->codecpar->bit_rate = (uint64_t)st->codecpar->sample_rate * (uint64_t)caf->bytes_per_packet * 8 @@ -191,6 +194,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) CafContext *caf = s->priv_data; int64_t pos = 0, ccount, num_packets; int i; + int ret; ccount = avio_tell(pb); @@ -202,14 +206,23 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) st->nb_frames += avio_rb32(pb); /* priming frames */ st->nb_frames += avio_rb32(pb); /* remainder frames */ - st->duration = 0; - for (i = 0; i < num_packets; i++) { - av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); - pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); - st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { + st->duration = caf->frames_per_packet * num_packets; + pos = caf-> bytes_per_packet * num_packets; + } else { + st->duration = 0; + for (i = 0; i < num_packets; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + if (ret < 0) + return ret; + pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); + st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + } } - if (avio_tell(pb) - ccount > size) { + if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { av_log(s, AV_LOG_ERROR, "error reading packet table\n"); return AVERROR_INVALIDDATA; } @@ -230,6 +243,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t size) char value[1024]; avio_get_str(pb, INT_MAX, key, sizeof(key)); avio_get_str(pb, INT_MAX, value, sizeof(value)); + if (!*key) + continue; av_dict_set(&s->metadata, key, value, 0); } } @@ -279,6 +294,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); /* edit count */ caf->data_start = avio_tell(pb); caf->data_size = size < 0 ? -1 : size - 4; + if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start) + return AVERROR_INVALIDDATA; + if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL)) avio_skip(pb, caf->data_size); found_data = 1; @@ -329,7 +347,7 @@ static int read_header(AVFormatContext *s) found_data: if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { - if (caf->data_size > 0) + if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet) st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet; } else if (st->nb_index_entries && st->duration > 0) { if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) { diff --git a/libavformat/cdg.c b/libavformat/cdg.c index 05cac6e528..f933819d57 100644 --- a/libavformat/cdg.c +++ b/libavformat/cdg.c @@ -49,7 +49,7 @@ static int read_header(AVFormatContext *s) if (ret < 0) { av_log(s, AV_LOG_WARNING, "Cannot calculate duration as file size cannot be determined\n"); } else - vst->duration = (ret * vst->time_base.den) / (CDG_PACKET_SIZE * 300); + vst->duration = (ret * (int64_t)vst->time_base.den) / (CDG_PACKET_SIZE * 300); return 0; } diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index 9aacaddb40..e675b2c8f1 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c @@ -131,7 +131,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); - if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + if (cdxl->header[19] == 0 || + FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) return AVERROR_INVALIDDATA; if (format == 0x20) image_size = width * height * cdxl->header[19] / 8; diff --git a/libavformat/chromaprint.c b/libavformat/chromaprint.c index f39c09ddb9..32ac27796c 100644 --- a/libavformat/chromaprint.c +++ b/libavformat/chromaprint.c @@ -114,14 +114,15 @@ fail: static int write_packet(AVFormatContext *s, AVPacket *pkt) { ChromaprintMuxContext *cpr = s->priv_data; - return chromaprint_feed(cpr->ctx, pkt->data, pkt->size / 2) ? 0 : AVERROR(EINVAL); + return chromaprint_feed(cpr->ctx, (const int16_t *)pkt->data, pkt->size / 2) ? 0 : AVERROR(EINVAL); } static int write_trailer(AVFormatContext *s) { ChromaprintMuxContext *cpr = s->priv_data; AVIOContext *pb = s->pb; - void *fp = NULL, *enc_fp = NULL; + void *fp = NULL; + char *enc_fp = NULL; int size, enc_size, ret = AVERROR(EINVAL); if (!chromaprint_finish(cpr->ctx)) { @@ -129,7 +130,7 @@ static int write_trailer(AVFormatContext *s) goto fail; } - if (!chromaprint_get_raw_fingerprint(cpr->ctx, &fp, &size)) { + if (!chromaprint_get_raw_fingerprint(cpr->ctx, (uint32_t **)&fp, &size)) { av_log(s, AV_LOG_ERROR, "Failed to retrieve fingerprint\n"); goto fail; } diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index d27ebbba7b..b496af6d8f 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -284,7 +284,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVIOContext *pb = avctx->pb; int n, size, ret; - if (cine->pts >= st->duration) + if (cine->pts >= st->nb_index_entries) return AVERROR_EOF; avio_seek(pb, st->index_entries[cine->pts].pos, SEEK_SET); diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index b80294efbf..41e66570fc 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -113,7 +113,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, ConcatFile *file; char *url = NULL; const char *proto; - size_t url_len, proto_len; + const char *ptr; + size_t url_len; int ret; if (cat->safe > 0 && !safe_filename(filename)) { @@ -122,9 +123,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, } proto = avio_find_protocol_name(filename); - proto_len = proto ? strlen(proto) : 0; - if (proto && !memcmp(filename, proto, proto_len) && - (filename[proto_len] == ':' || filename[proto_len] == ',')) { + if (proto && av_strstart(filename, proto, &ptr) && + (*ptr == ':' || *ptr == ',')) { url = filename; filename = NULL; } else { @@ -503,6 +503,8 @@ static int concat_read_header(AVFormatContext *avf) cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint; } cat->files[i].duration = cat->files[i].user_duration; + if (time + (uint64_t)cat->files[i].user_duration > INT64_MAX) + return AVERROR_INVALIDDATA; time += cat->files[i].user_duration; } if (i == cat->nb_files) { diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index f82a750d6f..923b0225af 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -122,19 +122,6 @@ struct representation { typedef struct DASHContext { const AVClass *class; char *base_url; - char *adaptionset_contenttype_val; - char *adaptionset_par_val; - char *adaptionset_lang_val; - char *adaptionset_minbw_val; - char *adaptionset_maxbw_val; - char *adaptionset_minwidth_val; - char *adaptionset_maxwidth_val; - char *adaptionset_minheight_val; - char *adaptionset_maxheight_val; - char *adaptionset_minframerate_val; - char *adaptionset_maxframerate_val; - char *adaptionset_segmentalignment_val; - char *adaptionset_bitstreamswitching_val; int n_videos; struct representation **videos; @@ -451,7 +438,7 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, return AVERROR_INVALIDDATA; av_freep(pb); - ret = avio_open2(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp); + ret = ffio_open_whitelist(pb, url, AVIO_FLAG_READ, c->interrupt_callback, &tmp, s->protocol_whitelist, s->protocol_blacklist); if (ret >= 0) { // update cookies on http response with setcookies. char *new_cookies = NULL; @@ -1107,26 +1094,12 @@ static int parse_manifest_adaptationset(AVFormatContext *s, const char *url, xmlNodePtr period_segmentlist_node) { int ret = 0; - DASHContext *c = s->priv_data; xmlNodePtr fragment_template_node = NULL; xmlNodePtr content_component_node = NULL; xmlNodePtr adaptionset_baseurl_node = NULL; xmlNodePtr adaptionset_segmentlist_node = NULL; xmlNodePtr adaptionset_supplementalproperty_node = NULL; xmlNodePtr node = NULL; - c->adaptionset_contenttype_val = xmlGetProp(adaptionset_node, "contentType"); - c->adaptionset_par_val = xmlGetProp(adaptionset_node, "par"); - c->adaptionset_lang_val = xmlGetProp(adaptionset_node, "lang"); - c->adaptionset_minbw_val = xmlGetProp(adaptionset_node, "minBandwidth"); - c->adaptionset_maxbw_val = xmlGetProp(adaptionset_node, "maxBandwidth"); - c->adaptionset_minwidth_val = xmlGetProp(adaptionset_node, "minWidth"); - c->adaptionset_maxwidth_val = xmlGetProp(adaptionset_node, "maxWidth"); - c->adaptionset_minheight_val = xmlGetProp(adaptionset_node, "minHeight"); - c->adaptionset_maxheight_val = xmlGetProp(adaptionset_node, "maxHeight"); - c->adaptionset_minframerate_val = xmlGetProp(adaptionset_node, "minFrameRate"); - c->adaptionset_maxframerate_val = xmlGetProp(adaptionset_node, "maxFrameRate"); - c->adaptionset_segmentalignment_val = xmlGetProp(adaptionset_node, "segmentAlignment"); - c->adaptionset_bitstreamswitching_val = xmlGetProp(adaptionset_node, "bitstreamSwitching"); node = xmlFirstElementChild(adaptionset_node); while (node) { @@ -1217,7 +1190,7 @@ static int parse_manifest(AVFormatContext *s, const char *url, AVIOContext *in) close_in = 1; av_dict_copy(&opts, c->avio_opts, 0); - ret = avio_open2(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts); + ret = ffio_open_whitelist(&in, url, AVIO_FLAG_READ, c->interrupt_callback, &opts, s->protocol_whitelist, s->protocol_blacklist); av_dict_free(&opts); if (ret < 0) return ret; diff --git a/libavformat/dashenc.c b/libavformat/dashenc.c index b25afb40aa..f0e45da89a 100644 --- a/libavformat/dashenc.c +++ b/libavformat/dashenc.c @@ -35,6 +35,7 @@ #include "libavutil/time.h" #include "libavutil/time_internal.h" +#include "av1.h" #include "avc.h" #include "avformat.h" #include "avio_internal.h" @@ -385,6 +386,21 @@ static void set_codec_str(AVFormatContext *s, AVCodecParameters *par, av_strlcatf(str, size, ".%02x%02x%02x", extradata[1], extradata[2], extradata[3]); av_free(tmpbuf); + } else if (!strcmp(str, "av01")) { + AV1SequenceParameters seq; + if (!par->extradata_size) + return; + if (ff_av1_parse_seq_header(&seq, par->extradata, par->extradata_size) < 0) + return; + + av_strlcatf(str, size, ".%01u.%02u%s.%02u", + seq.profile, seq.level, seq.tier ? "H" : "M", seq.bitdepth); + if (seq.color_description_present_flag) + av_strlcatf(str, size, ".%01u.%01u%01u%01u.%02u.%02u.%02u.%01u", + seq.monochrome, + seq.chroma_subsampling_x, seq.chroma_subsampling_y, seq.chroma_sample_position, + seq.color_primaries, seq.transfer_characteristics, seq.matrix_coefficients, + seq.color_range); } } @@ -1191,10 +1207,6 @@ static int dash_init(AVFormatContext *s) dict_copy_entry(&as->metadata, s->streams[i]->metadata, "language"); dict_copy_entry(&as->metadata, s->streams[i]->metadata, "role"); - ctx = avformat_alloc_context(); - if (!ctx) - return AVERROR(ENOMEM); - if (c->init_seg_name) { os->init_seg_name = av_strireplace(c->init_seg_name, "$ext$", os->extension_name); if (!os->init_seg_name) @@ -1227,10 +1239,13 @@ static int dash_init(AVFormatContext *s) } } + os->ctx = ctx = avformat_alloc_context(); + if (!ctx) + return AVERROR(ENOMEM); + ctx->oformat = av_guess_format(os->format_name, NULL, NULL); if (!ctx->oformat) return AVERROR_MUXER_NOT_FOUND; - os->ctx = ctx; ctx->interrupt_callback = s->interrupt_callback; ctx->opaque = s->opaque; ctx->io_close = s->io_close; @@ -1435,23 +1450,24 @@ static void find_index_range(AVFormatContext *s, const char *full_path, } static int update_stream_extradata(AVFormatContext *s, OutputStream *os, - AVCodecParameters *par, - AVRational *frame_rate) + AVPacket *pkt, AVRational *frame_rate) { + AVCodecParameters *par = os->ctx->streams[0]->codecpar; uint8_t *extradata; + int ret, extradata_size; - if (os->ctx->streams[0]->codecpar->extradata_size || !par->extradata_size) + if (par->extradata_size) return 0; - extradata = av_malloc(par->extradata_size); + extradata = av_packet_get_side_data(pkt, AV_PKT_DATA_NEW_EXTRADATA, &extradata_size); + if (!extradata_size) + return 0; - if (!extradata) - return AVERROR(ENOMEM); + ret = ff_alloc_extradata(par, extradata_size); + if (ret < 0) + return ret; - memcpy(extradata, par->extradata, par->extradata_size); - - os->ctx->streams[0]->codecpar->extradata = extradata; - os->ctx->streams[0]->codecpar->extradata_size = par->extradata_size; + memcpy(par->extradata, extradata, extradata_size); set_codec_str(s, par, frame_rate, os->codec_str, sizeof(os->codec_str)); @@ -1668,7 +1684,7 @@ static int dash_write_packet(AVFormatContext *s, AVPacket *pkt) int64_t seg_end_duration, elapsed_duration; int ret; - ret = update_stream_extradata(s, os, st->codecpar, &st->avg_frame_rate); + ret = update_stream_extradata(s, os, pkt, &st->avg_frame_rate); if (ret < 0) return ret; diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c index 9041a86539..9ddccc7f2d 100644 --- a/libavformat/dcstr.c +++ b/libavformat/dcstr.c @@ -43,6 +43,8 @@ static int dcstr_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->channels = avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; codec = avio_rl32(s->pb); align = avio_rl32(s->pb); avio_skip(s->pb, 4); diff --git a/libavformat/dsfdec.c b/libavformat/dsfdec.c index afb24634b2..46cc1f74f0 100644 --- a/libavformat/dsfdec.c +++ b/libavformat/dsfdec.c @@ -124,8 +124,8 @@ static int dsf_read_header(AVFormatContext *s) dsf->audio_size = avio_rl64(pb) / 8 * st->codecpar->channels; st->codecpar->block_align = avio_rl32(pb); - if (st->codecpar->block_align > INT_MAX / st->codecpar->channels) { - avpriv_request_sample(s, "block_align overflow"); + if (st->codecpar->block_align > INT_MAX / st->codecpar->channels || st->codecpar->block_align <= 0) { + avpriv_request_sample(s, "block_align invalid"); return AVERROR_INVALIDDATA; } st->codecpar->block_align *= st->codecpar->channels; diff --git a/libavformat/dsicin.c b/libavformat/dsicin.c index 244622ee39..4c56492f59 100644 --- a/libavformat/dsicin.c +++ b/libavformat/dsicin.c @@ -166,7 +166,8 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) CinDemuxContext *cin = s->priv_data; AVIOContext *pb = s->pb; CinFrameHeader *hdr = &cin->frame_header; - int rc, palette_type, pkt_size; + int rc, palette_type; + int64_t pkt_size; int ret; if (cin->audio_buffer_size == 0) { @@ -182,7 +183,9 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) } /* palette and video packet */ - pkt_size = (palette_type + 3) * hdr->pal_colors_count + hdr->video_frame_size; + pkt_size = (palette_type + 3LL) * hdr->pal_colors_count + hdr->video_frame_size; + if (pkt_size + 4 > INT_MAX) + return AVERROR_INVALIDDATA; pkt_size = ffio_limit(pb, pkt_size); diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 298cda05d7..353bac4d1d 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -79,7 +79,7 @@ static int dxa_read_header(AVFormatContext *s) if(fps > 0){ den = 1000; num = fps; - }else if (fps < 0){ + }else if (fps < 0 && fps > INT_MIN){ den = 100000; num = -fps; }else{ @@ -118,9 +118,14 @@ static int dxa_read_header(AVFormatContext *s) if(tag == MKTAG('d', 'a', 't', 'a')) break; avio_skip(pb, fsize); } - c->bpc = (fsize + c->frames - 1) / c->frames; - if(ast->codecpar->block_align) - c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if (c->bpc < 0) + return AVERROR_INVALIDDATA; + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; + c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; + } c->bytes_left = fsize; c->wavpos = avio_tell(pb); avio_seek(pb, c->vidpos, SEEK_SET); @@ -143,7 +148,7 @@ static int dxa_read_header(AVFormatContext *s) c->readvid = !c->has_sound; c->vidpos = avio_tell(pb); s->start_time = 0; - s->duration = (int64_t)c->frames * AV_TIME_BASE * num / den; + s->duration = av_rescale(c->frames, AV_TIME_BASE * (int64_t)num, den); av_log(s, AV_LOG_DEBUG, "%d frame(s)\n",c->frames); return 0; diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 6dbc3e350a..8e5e7f9581 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -530,20 +530,17 @@ static int ea_read_header(AVFormatContext *s) if (ea->num_channels <= 0 || ea->num_channels > 2) { av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->sample_rate <= 0) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate: %d\n", ea->sample_rate); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->bytes <= 0 || ea->bytes > 2) { av_log(s, AV_LOG_ERROR, "Invalid number of bytes per sample: %d\n", ea->bytes); - ea->audio_codec = AV_CODEC_ID_NONE; - return 1; + goto no_audio; } /* initialize the audio decoder stream */ @@ -564,8 +561,13 @@ static int ea_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample; ea->audio_stream_index = st->index; st->start_time = 0; + return 1; } +no_audio: + ea->audio_codec = AV_CODEC_ID_NONE; + if (!ea->video.codec) + return AVERROR_INVALIDDATA; return 1; } @@ -574,11 +576,14 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) EaDemuxContext *ea = s->priv_data; AVIOContext *pb = s->pb; int partial_packet = 0; + int hit_end = 0; unsigned int chunk_type, chunk_size; int ret = 0, packet_read = 0, key = 0; int av_uninit(num_samples); - while (!packet_read || partial_packet) { + while ((!packet_read && !hit_end) || partial_packet) { + if (avio_feof(pb)) + return AVERROR_EOF; chunk_type = avio_rl32(pb); chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); if (chunk_size < 8) @@ -602,10 +607,14 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) break; } else if (ea->audio_codec == AV_CODEC_ID_PCM_S16LE_PLANAR || ea->audio_codec == AV_CODEC_ID_MP3) { + if (chunk_size < 12) + return AVERROR_INVALIDDATA; num_samples = avio_rl32(pb); avio_skip(pb, 8); chunk_size -= 12; } else if (ea->audio_codec == AV_CODEC_ID_ADPCM_PSX) { + if (chunk_size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); chunk_size -= 8; } @@ -676,7 +685,7 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) } if (avio_feof(pb)) ret = AVERROR_EOF; - packet_read = 1; + hit_end = 1; break; case MVIh_TAG: @@ -689,6 +698,8 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) case fVGT_TAG: case MADm_TAG: case MADe_TAG: + if (chunk_size > INT_MAX - 8) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); // include chunk preamble chunk_size += 8; goto get_video_packet; @@ -718,6 +729,7 @@ get_video_packet: ret = av_get_packet(pb, pkt, chunk_size); if (ret < 0) { packet_read = 1; + partial_packet = 0; break; } partial_packet = chunk_type == MVIh_TAG; @@ -737,6 +749,9 @@ get_video_packet: if (ret < 0 && partial_packet) av_packet_unref(pkt); + if (ret >= 0 && hit_end && !packet_read) + return AVERROR(EAGAIN); + return ret; } diff --git a/libavformat/ffmetadec.c b/libavformat/ffmetadec.c index 45c92f1ff6..6a30b58c41 100644 --- a/libavformat/ffmetadec.c +++ b/libavformat/ffmetadec.c @@ -182,7 +182,7 @@ static int read_header(AVFormatContext *s) AVStream *st = avformat_new_stream(s, NULL); if (!st) - return AVERROR(ENOMEM); + goto nomem; st->codecpar->codec_type = AVMEDIA_TYPE_DATA; st->codecpar->codec_id = AV_CODEC_ID_FFMETADATA; @@ -192,7 +192,7 @@ static int read_header(AVFormatContext *s) AVChapter *ch = read_chapter(s); if (!ch) - return AVERROR(ENOMEM); + goto nomem; m = &ch->metadata; } else @@ -208,6 +208,10 @@ static int read_header(AVFormatContext *s) AV_TIME_BASE_Q); return 0; +nomem: + av_bprint_finalize(&bp, NULL); + + return AVERROR(ENOMEM); } static int read_packet(AVFormatContext *s, AVPacket *pkt) diff --git a/libavformat/fitsdec.c b/libavformat/fitsdec.c index c7d1edec60..bea762b71c 100644 --- a/libavformat/fitsdec.c +++ b/libavformat/fitsdec.c @@ -24,6 +24,7 @@ * FITS demuxer. */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "internal.h" #include "libavutil/opt.h" @@ -125,14 +126,14 @@ static int64_t is_image(AVFormatContext *s, FITSContext *fits, FITSHeader *heade size += header->pcount; t = (abs(header->bitpix) >> 3) * ((int64_t) header->gcount); - if(size && t > UINT64_MAX / size) + if(size && t > INT64_MAX / size) return AVERROR_INVALIDDATA; size *= t; if (!size) { image = 0; } else { - if(FITS_BLOCK_SIZE - 1 > UINT64_MAX - size) + if(FITS_BLOCK_SIZE - 1 > INT64_MAX - size) return AVERROR_INVALIDDATA; size = ((size + FITS_BLOCK_SIZE - 1) / FITS_BLOCK_SIZE) * FITS_BLOCK_SIZE; } @@ -157,11 +158,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt) av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED); while ((ret = is_image(s, fits, &header, &avbuf, &size)) == 0) { + av_bprint_finalize(&avbuf, NULL); pos = avio_skip(s->pb, size); if (pos < 0) return pos; - av_bprint_finalize(&avbuf, NULL); av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED); avpriv_fits_header_init(&header, STATE_XTENSION); } @@ -173,6 +174,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt) goto fail; } + av_assert0(avbuf.len <= INT64_MAX && size <= INT64_MAX); + if (avbuf.len + size > INT_MAX - 80) { + ret = AVERROR_INVALIDDATA; + goto fail; + } // Header is sent with the first line removed... ret = av_new_packet(pkt, avbuf.len - 80 + size); if (ret < 0) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 8394e47483..376cf90ece 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -68,7 +68,7 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { if (avio_read(s->pb, header, 4) != 4) - return AVERROR(AVERROR_INVALIDDATA); + return AVERROR_INVALIDDATA; flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index b531a39adc..37f565b1ae 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -42,6 +42,8 @@ #define RESYNC_BUFFER_SIZE (1<<20) +#define MAX_DEPTH 16 ///< arbitrary limit to prevent unbounded recursion + typedef struct FLVContext { const AVClass *class; ///< Class for private options. int trust_metadata; ///< configure streams according onMetaData @@ -63,7 +65,7 @@ typedef struct FLVContext { uint8_t resync_buffer[2*RESYNC_BUFFER_SIZE]; int broken_sizes; - int sum_flv_tag_size; + int64_t sum_flv_tag_size; int last_keyframe_stream_index; int keyframe_count; @@ -383,13 +385,18 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize) { + int ret; int length = avio_rb16(ioc); if (length >= buffsize) { avio_skip(ioc, length); return -1; } - avio_read(ioc, buffer, length); + ret = avio_read(ioc, buffer, length); + if (ret < 0) + return ret; + if (ret < length) + return AVERROR_INVALIDDATA; buffer[length] = '\0'; @@ -447,9 +454,17 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m } for (i = 0; i < arraylen && avio_tell(ioc) < max_pos - 1; i++) { + double d; if (avio_r8(ioc) != AMF_DATA_TYPE_NUMBER) goto invalid; - current_array[0][i] = av_int2double(avio_rb64(ioc)); + d = av_int2double(avio_rb64(ioc)); + if (isnan(d) || d < INT64_MIN || d > INT64_MAX) + goto invalid; + if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) + goto invalid; + if (avio_feof(ioc)) + goto invalid; + current_array[0][i] = d; } if (times && filepositions) { // All done, exiting at a position allowing amf_parse_object @@ -494,8 +509,13 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, double num_val; amf_date date; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + num_val = 0; ioc = s->pb; + if (avio_feof(ioc)) + return AVERROR_EOF; amf_type = avio_r8(ioc); switch (amf_type) { @@ -838,10 +858,16 @@ static void clear_index_entries(AVFormatContext *s, int64_t pos) } } -static int amf_skip_tag(AVIOContext *pb, AMFDataType type) +static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) { int nb = -1, ret, parse_name = 1; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + + if (avio_feof(pb)) + return AVERROR_EOF; + switch (type) { case AMF_DATA_TYPE_NUMBER: avio_skip(pb, 8); @@ -856,6 +882,8 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type) parse_name = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = avio_rb32(pb); + if (nb < 0) + return AVERROR_INVALIDDATA; case AMF_DATA_TYPE_OBJECT: while(!pb->eof_reached && (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY)) { if (parse_name) { @@ -866,7 +894,7 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type) } avio_skip(pb, size); } - if ((ret = amf_skip_tag(pb, avio_r8(pb))) < 0) + if ((ret = amf_skip_tag(pb, avio_r8(pb), depth + 1)) < 0) return ret; } break; @@ -910,7 +938,7 @@ static int flv_data_packet(AVFormatContext *s, AVPacket *pkt, else break; } else { - if ((ret = amf_skip_tag(pb, type)) < 0) + if ((ret = amf_skip_tag(pb, type, 0)) < 0) goto skip; } } @@ -1008,7 +1036,7 @@ retry: type = (avio_r8(s->pb) & 0x1F); orig_size = size = avio_rb24(s->pb); - flv->sum_flv_tag_size += size + 11; + flv->sum_flv_tag_size += size + 11LL; dts = avio_rb24(s->pb); dts |= (unsigned)avio_r8(s->pb) << 24; av_log(s, AV_LOG_TRACE, "type:%d, size:%d, last:%d, dts:%"PRId64" pos:%"PRId64"\n", type, size, last, dts, avio_tell(s->pb)); @@ -1162,7 +1190,7 @@ retry_duration: avio_seek(s->pb, fsize - 3 - size, SEEK_SET); if (size == avio_rb24(s->pb) + 11) { uint32_t ts = avio_rb24(s->pb); - ts |= avio_r8(s->pb) << 24; + ts |= (unsigned)avio_r8(s->pb) << 24; if (ts) s->duration = ts * (int64_t)AV_TIME_BASE / 1000; else if (fsize >= 8 && fsize - 8 >= size) { @@ -1330,7 +1358,7 @@ leave: !avio_feof(s->pb) && (last != orig_size || !last) && last != flv->sum_flv_tag_size && !flv->broken_sizes) { - av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %d\n", last, orig_size + 11, flv->sum_flv_tag_size); + av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %"PRId64"\n", last, orig_size + 11, flv->sum_flv_tag_size); avio_seek(s->pb, pos + 1, SEEK_SET); ret = resync(s); av_packet_unref(pkt); diff --git a/libavformat/format.c b/libavformat/format.c index c47490c8eb..109aa4c92e 100644 --- a/libavformat/format.c +++ b/libavformat/format.c @@ -228,6 +228,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt, int ret = 0, probe_size, buf_offset = 0; int score = 0; int ret2; + int eof = 0; if (!max_probe_size) max_probe_size = PROBE_BUF_MAX; @@ -251,7 +252,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt, } } - for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt; + for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt && !eof; probe_size = FFMIN(probe_size << 1, FFMAX(max_probe_size, probe_size + 1))) { score = probe_size < max_probe_size ? AVPROBE_SCORE_RETRY : 0; @@ -267,6 +268,7 @@ int av_probe_input_buffer2(AVIOContext *pb, ff_const59 AVInputFormat **fmt, score = 0; ret = 0; /* error was end of file, nothing read */ + eof = 1; } buf_offset += ret; if (buf_offset < offset) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index 3adc04ee1f..a98b0acbcb 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -949,6 +949,8 @@ static int ftp_parse_entry_mlsd(char *mlsd, AVIODirEntry *next) continue; } fact = av_strtok(fact, "=", &value); + if (!fact) + continue; if (!av_strcasecmp(fact, "type")) { if (!av_strcasecmp(value, "cdir") || !av_strcasecmp(value, "pdir")) return 1; diff --git a/libavformat/genh.c b/libavformat/genh.c index 61adf49964..0b55a8884a 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -67,6 +67,9 @@ static int genh_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; st->codecpar->block_align = align * st->codecpar->channels; st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate < 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); @@ -87,7 +90,9 @@ static int genh_read_header(AVFormatContext *s) case 5: st->codecpar->codec_id = st->codecpar->block_align > 0 ? AV_CODEC_ID_PCM_S8_PLANAR : AV_CODEC_ID_PCM_S8; break; - case 6: st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM; break; + case 6: if (st->codecpar->block_align > INT_MAX/1024) + return AVERROR_INVALIDDATA; + st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM; break; case 7: ret = ff_alloc_extradata(st->codecpar, 2); if (ret < 0) return ret; @@ -144,6 +149,9 @@ static int genh_read_header(AVFormatContext *s) } } + if (st->codecpar->block_align <= 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, start_offset - avio_tell(s->pb)); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 49364b7205..bbad47c240 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -285,9 +285,12 @@ static void gxf_track_tags(AVIOContext *pb, int *len, struct gxf_stream_info *si static void gxf_read_index(AVFormatContext *s, int pkt_len) { AVIOContext *pb = s->pb; AVStream *st; - uint32_t fields_per_map = avio_rl32(pb); - uint32_t map_cnt = avio_rl32(pb); + uint32_t fields_per_map, map_cnt; int i; + if (pkt_len < 8) + return; + fields_per_map = avio_rl32(pb); + map_cnt = avio_rl32(pb); pkt_len -= 8; if ((s->flags & AVFMT_FLAG_IGNIDX) || !s->streams) { avio_skip(pb, pkt_len); diff --git a/libavformat/hcom.c b/libavformat/hcom.c index 0d1736b620..3e1e8da236 100644 --- a/libavformat/hcom.c +++ b/libavformat/hcom.c @@ -38,7 +38,7 @@ static int hcom_probe(const AVProbeData *p) static int hcom_read_header(AVFormatContext *s) { AVStream *st; - unsigned data_size, rsrc_size, huffcount; + av_unused unsigned data_size, rsrc_size, huffcount; unsigned compresstype, divisor; unsigned dict_entries; int ret; diff --git a/libavformat/hls.c b/libavformat/hls.c index 8c12fcef77..6dcd77921e 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -231,6 +231,7 @@ static void free_init_section_list(struct playlist *pls) { int i; for (i = 0; i < pls->n_init_sections; i++) { + av_freep(&pls->init_sections[i]->key); av_freep(&pls->init_sections[i]->url); av_freep(&pls->init_sections[i]); } @@ -791,10 +792,16 @@ static int parse_playlist(HLSContext *c, const char *url, &info); new_rendition(c, &info, url); } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", &ptr)) { + int64_t t; ret = ensure_playlist(c, &pls, url); if (ret < 0) goto fail; - pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; + t = strtoll(ptr, NULL, 10); + if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + pls->target_duration = t * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) { ret = ensure_playlist(c, &pls, url); if (ret < 0) @@ -873,8 +880,6 @@ static int parse_playlist(HLSContext *c, const char *url, ret = AVERROR(ENOMEM); goto fail; } - seg->duration = duration; - seg->key_type = key_type; if (has_iv) { memcpy(seg->iv, iv, sizeof(iv)); } else { @@ -904,6 +909,13 @@ static int parse_playlist(HLSContext *c, const char *url, goto fail; } + if (duration < 0.001 * AV_TIME_BASE) { + av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s," + " set to default value to 1ms.\n", seg->url); + duration = 0.001 * AV_TIME_BASE; + } + seg->duration = duration; + seg->key_type = key_type; dynarray_add(&pls->segments, &pls->n_segments, seg); is_segment = 0; @@ -1873,6 +1885,7 @@ static int hls_read_header(AVFormatContext *s) /* Open the demuxer for each playlist */ for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; + char *url; ff_const59 AVInputFormat *in_fmt = NULL; if (!(pls->ctx = avformat_alloc_context())) { @@ -1909,8 +1922,9 @@ static int hls_read_header(AVFormatContext *s) ffio_init_context(&pls->pb, pls->read_buffer, INITIAL_BUFFER_SIZE, 0, pls, read_data, NULL, NULL); pls->pb.seekable = 0; - ret = av_probe_input_buffer(&pls->pb, &in_fmt, pls->segments[0]->url, - NULL, 0, 0); + url = av_strdup(pls->segments[0]->url); + ret = av_probe_input_buffer(&pls->pb, &in_fmt, url, NULL, 0, 0); + av_free(url); if (ret < 0) { /* Free the ctx - it isn't initialized properly at this point, * so avformat_close_input shouldn't be called. If @@ -2311,7 +2325,11 @@ static const AVOption hls_options[] = { OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS}, {"allowed_extensions", "List of file extensions that hls is allowed to access", OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, - {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,vtt,wav,webvtt" + ",cmfv,cmfa" // Ticket11526 www.nicovideo.jp + ",ec3" // part of Ticket11435 (Elisa Viihde (Finnish online recording service)) + ",fmp4" // https://github.com/yt-dlp/yt-dlp/issues/12700 + }, INT_MIN, INT_MAX, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 2ade6723f9..98e9c23142 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -321,8 +321,11 @@ static void write_codec_attr(AVStream *st, VariantStream *vs) { } else if (st->codecpar->codec_id == AV_CODEC_ID_MP3) { snprintf(attr, sizeof(attr), "mp4a.40.34"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AAC) { - /* TODO : For HE-AAC, HE-AACv2, the last digit needs to be set to 5 and 29 respectively */ - snprintf(attr, sizeof(attr), "mp4a.40.2"); + if (st->codecpar->profile != FF_PROFILE_UNKNOWN) + snprintf(attr, sizeof(attr), "mp4a.40.%d", st->codecpar->profile+1); + else + // This is for backward compatibility with the previous implementation. + snprintf(attr, sizeof(attr), "mp4a.40.2"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AC3) { snprintf(attr, sizeof(attr), "ac-3"); } else if (st->codecpar->codec_id == AV_CODEC_ID_EAC3) { diff --git a/libavformat/hnm.c b/libavformat/hnm.c index 40ef5c06ee..463b039694 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c @@ -70,6 +70,7 @@ static int hnm_read_header(AVFormatContext *s) Hnm4DemuxContext *hnm = s->priv_data; AVIOContext *pb = s->pb; AVStream *vst; + int ret; /* default context members */ hnm->pts = 0; @@ -113,10 +114,10 @@ static int hnm_read_header(AVFormatContext *s) vst->codecpar->codec_tag = 0; vst->codecpar->width = hnm->width; vst->codecpar->height = hnm->height; - vst->codecpar->extradata = av_mallocz(1); + if ((ret = ff_alloc_extradata(vst->codecpar, 1)) < 0) + return ret; - vst->codecpar->extradata_size = 1; - memcpy(vst->codecpar->extradata, &hnm->version, 1); + vst->codecpar->extradata[0] = hnm->version; vst->start_time = 0; @@ -140,6 +141,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) if (hnm->superchunk_remaining == 0) { /* parse next superchunk */ superchunk_size = avio_rl24(pb); + if (superchunk_size < 4) + return AVERROR_INVALIDDATA; avio_skip(pb, 1); hnm->superchunk_remaining = superchunk_size - 4; @@ -150,7 +153,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) chunk_id = avio_rl16(pb); avio_skip(pb, 2); - if (chunk_size > hnm->superchunk_remaining || !chunk_size) { + if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) { av_log(s, AV_LOG_ERROR, "invalid chunk size: %"PRIu32", offset: %"PRId64"\n", chunk_size, avio_tell(pb)); diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 98684e5e74..89bd14ebcf 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -84,6 +84,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); ico->nb_images = avio_rl16(pb); + if (!ico->nb_images) + return AVERROR_INVALIDDATA; + ico->images = av_malloc_array(ico->nb_images, sizeof(IcoImage)); if (!ico->images) return AVERROR(ENOMEM); @@ -93,7 +96,7 @@ static int read_header(AVFormatContext *s) int tmp; if (avio_seek(pb, 6 + i * 16, SEEK_SET) < 0) - break; + goto fail; st = avformat_new_stream(s, NULL); if (!st) { @@ -113,13 +116,12 @@ static int read_header(AVFormatContext *s) ico->images[i].size = avio_rl32(pb); if (ico->images[i].size <= 0) { av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } ico->images[i].offset = avio_rl32(pb); if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) - break; + goto fail; codec = avio_rl32(pb); switch (codec) { @@ -130,8 +132,7 @@ static int read_header(AVFormatContext *s) break; case 40: if (ico->images[i].size < 40) { - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } st->codecpar->codec_id = AV_CODEC_ID_BMP; tmp = avio_rl32(pb); @@ -143,12 +144,14 @@ static int read_header(AVFormatContext *s) break; default: avpriv_request_sample(s, "codec %d", codec); - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } } return 0; +fail: + av_freep(&ico->images); + return AVERROR_INVALIDDATA; } static int read_packet(AVFormatContext *s, AVPacket *pkt) @@ -156,12 +159,14 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) IcoDemuxContext *ico = s->priv_data; IcoImage *image; AVIOContext *pb = s->pb; - AVStream *st = s->streams[0]; + AVStream *st; int ret; if (ico->current_image >= ico->nb_images) return AVERROR_EOF; + st = s->streams[0]; + image = &ico->images[ico->current_image]; if ((ret = avio_seek(pb, image->offset, SEEK_SET)) < 0) @@ -199,6 +204,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } + if (image->nb_pal > INT_MAX / 4 - 14 - 40U) + return AVERROR_INVALIDDATA; + AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); AV_WL32(buf + 8, AV_RL32(buf + 8) / 2); } diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index b43ab1745f..465c909ae9 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -366,7 +366,7 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, int encoding; int ok = 0; - if (taglen < 1) + if (taglen < 4) goto error; encoding = avio_r8(pb); @@ -377,10 +377,10 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, lang[3] = '\0'; taglen -= 3; - if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0) + if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0 || taglen < 0) goto error; - if (decode_str(s, pb, encoding, &text, &taglen) < 0) + if (decode_str(s, pb, encoding, &text, &taglen) < 0 || taglen < 0) goto error; // FFmpeg does not support hierarchical metadata, so concatenate the keys. @@ -611,7 +611,10 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, /* mimetype */ if (isv34) { - taglen -= avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + int ret = avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + if (ret < 0 || ret >= taglen) + goto fail; + taglen -= ret; } else { if (avio_read(pb, mimetype, 3) < 0) goto fail; @@ -826,7 +829,7 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, int isv34, unsync; unsigned tlen; char tag[5]; - int64_t next, end = avio_tell(pb) + len; + int64_t next, end = avio_tell(pb); int taghdrlen; const char *reason = NULL; AVIOContext pb_local; @@ -838,6 +841,10 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_unused int uncompressed_buffer_size = 0; const char *comm_frame; + if (end > INT64_MAX - len - 10) + return; + end += len; + av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len); switch (version) { @@ -1006,6 +1013,9 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_log(s, AV_LOG_DEBUG, "Compresssed frame %s tlen=%d dlen=%ld\n", tag, tlen, dlen); + if (tlen <= 0) + goto seek; + av_fast_malloc(&uncompressed_buffer, &uncompressed_buffer_size, dlen); if (!uncompressed_buffer) { av_log(s, AV_LOG_ERROR, "Failed to alloc %ld bytes\n", dlen); @@ -1263,8 +1273,6 @@ int ff_id3v2_parse_priv_dict(AVDictionary **metadata, ID3v2ExtraMeta **extra_met } if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) { - av_free(key); - av_free(escaped); return ret; } } diff --git a/libavformat/iff.c b/libavformat/iff.c index f4d806b7b8..12c2998ab4 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -223,6 +223,9 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t orig_pos = avio_tell(pb); const char * metadata_tag = NULL; + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('D','I','A','R'): metadata_tag = "artist"; break; case MKTAG('D','I','T','I'): metadata_tag = "title"; break; @@ -256,6 +259,9 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('A','B','S','S'): if (size < 8) @@ -353,6 +359,9 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) uint64_t chunk_pos, data_pos, data_size; int ret = AVERROR_EOF; + if (s->nb_streams < 1) + return AVERROR_INVALIDDATA; + while (!avio_feof(pb)) { chunk_pos = avio_tell(pb); if (chunk_pos >= iff->body_end) @@ -362,7 +371,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); data_pos = avio_tell(pb); - if (data_size < 1) + if (data_size < 1 || data_size >= INT64_MAX) return AVERROR_INVALIDDATA; switch (chunk_id) { @@ -379,7 +388,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588 * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = s->streams[0]->codecpar->sample_rate / 75; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); @@ -392,7 +401,8 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) case ID_FRTE: if (data_size < 4) return AVERROR_INVALIDDATA; - s->streams[0]->duration = avio_rb32(pb) * 588LL * s->streams[0]->codecpar->sample_rate / 44100; + s->streams[0]->duration = avio_rb32(pb) * (uint64_t)s->streams[0]->codecpar->sample_rate / 75; + break; } @@ -449,6 +459,9 @@ static int iff_read_header(AVFormatContext *s) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); orig_pos = avio_tell(pb); + if (data_size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(chunk_id) { case ID_VHDR: st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; @@ -492,6 +505,9 @@ static int iff_read_header(AVFormatContext *s) case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); + if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) + return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) { @@ -751,7 +767,7 @@ static int iff_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample = av_get_bits_per_sample(st->codecpar->codec_id); st->codecpar->bit_rate = (int64_t)st->codecpar->channels * st->codecpar->sample_rate * st->codecpar->bits_per_coded_sample; st->codecpar->block_align = st->codecpar->channels * st->codecpar->bits_per_coded_sample; - if (st->codecpar->codec_tag == ID_DSD && st->codecpar->block_align <= 0) + if ((st->codecpar->codec_tag == ID_DSD || st->codecpar->codec_tag == ID_MAUD) && st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; break; @@ -834,7 +850,7 @@ static int iff_read_packet(AVFormatContext *s, } else if (st->codecpar->codec_tag == ID_DST) { return read_dst_frame(s, pkt); } else { - if (iff->body_size > INT_MAX) + if (iff->body_size > INT_MAX || !iff->body_size) return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, iff->body_size); } @@ -870,6 +886,8 @@ static int iff_read_packet(AVFormatContext *s, pkt->flags |= AV_PKT_FLAG_KEY; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st->codecpar->codec_tag != ID_ANIM) { + if (iff->body_size > INT_MAX || !iff->body_size) + return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, iff->body_size); pkt->pos = pos; if (pos == iff->body_pos) diff --git a/libavformat/ifv.c b/libavformat/ifv.c index f95e9b0e52..4e904fa828 100644 --- a/libavformat/ifv.c +++ b/libavformat/ifv.c @@ -210,6 +210,7 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) } if (!ev) { + uint64_t vframes, aframes; if (ifv->is_audio_present && !ea) { /*read new video and audio indexes*/ @@ -217,8 +218,12 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) ifv->next_audio_index = ifv->total_aframes; avio_skip(s->pb, 0x1c); - ifv->total_vframes += avio_rl32(s->pb); - ifv->total_aframes += avio_rl32(s->pb); + vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb); + aframes = ifv->total_aframes + (uint64_t)avio_rl32(s->pb); + if (vframes > INT_MAX || aframes > INT_MAX) + return AVERROR_INVALIDDATA; + ifv->total_vframes = vframes; + ifv->total_aframes = aframes; avio_skip(s->pb, 0xc); if (avio_feof(s->pb)) @@ -240,7 +245,10 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) ifv->next_video_index = ifv->total_vframes; avio_skip(s->pb, 0x1c); - ifv->total_vframes += avio_rl32(s->pb); + vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb); + if (vframes > INT_MAX) + return AVERROR_INVALIDDATA; + ifv->total_vframes = vframes; avio_skip(s->pb, 0x10); if (avio_feof(s->pb)) diff --git a/libavformat/ilbc.c b/libavformat/ilbc.c index ba11953b59..b5d3e00060 100644 --- a/libavformat/ilbc.c +++ b/libavformat/ilbc.c @@ -74,7 +74,8 @@ static int ilbc_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 9); + if (avio_read(pb, header, 9) != 9) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index f8b4a655a5..7d60d332b3 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -23,6 +23,7 @@ #define _DEFAULT_SOURCE #define _BSD_SOURCE #include +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/log.h" #include "libavutil/opt.h" @@ -469,6 +470,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; + av_assert0(!s->is_pipe); // The ts_from_file option is not supported by piped input demuxers if (stat(filename, &img_stat)) { res = AVERROR(EIO); goto fail; @@ -516,6 +518,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } goto fail; } else { + memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE); s->img_count++; s->img_number++; s->pts++; @@ -737,7 +740,6 @@ static int jpeg_probe(const AVProbeData *p) return 0; state = EOI; break; - case DQT: case APP0: case APP1: case APP2: @@ -754,6 +756,7 @@ static int jpeg_probe(const AVProbeData *p) case APP13: case APP14: case APP15: + case DQT: /* fallthrough */ case COM: i += AV_RB16(&b[i + 2]) + 1; break; diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index 137c857700..76cfef7c7b 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -639,7 +639,8 @@ static int ipmovie_read_header(AVFormatContext *s) ipmovie->avf = s; - avio_read(pb, signature_buffer, sizeof(signature_buffer)); + if (avio_read(pb, signature_buffer, sizeof(signature_buffer)) != sizeof(signature_buffer)) + return AVERROR_INVALIDDATA; while (memcmp(signature_buffer, signature, sizeof(signature))) { memmove(signature_buffer, signature_buffer + 1, sizeof(signature_buffer) - 1); signature_buffer[sizeof(signature_buffer) - 1] = avio_r8(pb); diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 121c86d659..549ba95a7a 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -125,8 +125,8 @@ static const char *read_ts(JACOsubContext *jacosub, const char *buf, return NULL; shift_and_ret: - ts_start64 = (ts_start + jacosub->shift) * 100LL / jacosub->timeres; - ts_end64 = (ts_end + jacosub->shift) * 100LL / jacosub->timeres; + ts_start64 = (ts_start + (int64_t)jacosub->shift) * 100LL / jacosub->timeres; + ts_end64 = (ts_end + (int64_t)jacosub->shift) * 100LL / jacosub->timeres; *start = ts_start64; *duration = ts_end64 - ts_start64; return buf + len; @@ -136,22 +136,29 @@ static int get_shift(int timeres, const char *buf) { int sign = 1; int a = 0, b = 0, c = 0, d = 0; + int64_t ret; #define SSEP "%*1[.:]" int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP + if (a == INT_MIN) + return 0; + if (*buf == '-' || a < 0) { sign = -1; a = FFABS(a); } + ret = 0; switch (n) { - case 4: return sign * ((a*3600 + b*60 + c) * timeres + d); - case 3: return sign * (( a*60 + b) * timeres + c); - case 2: return sign * (( a) * timeres + b); + case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); + case 2: ret = sign * (( (int64_t)a) * timeres + b); } + if ((int)ret != ret) + ret = 0; - return 0; + return ret; } static int jacosub_read_header(AVFormatContext *s) @@ -188,8 +195,10 @@ static int jacosub_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&jacosub->q, line, len, merge_line); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; merge_line = len > 1 && !strcmp(&line[len - 2], "\\\n"); continue; @@ -220,14 +229,17 @@ static int jacosub_read_header(AVFormatContext *s) } av_bprintf(&header, "#S %s", p); break; - case 'T': // ...but must be placed after TIMERES - jacosub->timeres = strtol(p, NULL, 10); - if (!jacosub->timeres) + case 'T': { // ...but must be placed after TIMERES + int64_t timeres = strtol(p, NULL, 10); + if (timeres <= 0 || timeres > UINT32_MAX) { jacosub->timeres = 30; - else + } else { + jacosub->timeres = timeres; av_bprintf(&header, "#T %s", p); + } break; } + } } /* general/essential directives in the extradata */ diff --git a/libavformat/latmenc.c b/libavformat/latmenc.c index 8eb219f8ae..0ccf401b35 100644 --- a/libavformat/latmenc.c +++ b/libavformat/latmenc.c @@ -176,7 +176,8 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; memcpy(par->extradata, side_data, side_data_size); - } + } else + return AVERROR_INVALIDDATA; } } diff --git a/libavformat/lmlm4.c b/libavformat/lmlm4.c index 79d703a8fc..186bffba3a 100644 --- a/libavformat/lmlm4.c +++ b/libavformat/lmlm4.c @@ -94,15 +94,15 @@ static int lmlm4_read_packet(AVFormatContext *s, AVPacket *pkt) if (frame_type > LMLM4_MPEG1L2 || frame_type == LMLM4_INVALID) { av_log(s, AV_LOG_ERROR, "invalid or unsupported frame_type\n"); - return AVERROR(EIO); + return AVERROR_INVALIDDATA; } if (packet_size > LMLM4_MAX_PACKET_SIZE || packet_size<=8) { av_log(s, AV_LOG_ERROR, "packet size %d is invalid\n", packet_size); - return AVERROR(EIO); + return AVERROR_INVALIDDATA; } if ((ret = av_get_packet(pb, pkt, frame_size)) <= 0) - return AVERROR(EIO); + return ret < 0 ? ret : AVERROR(EIO); avio_skip(pb, padding); diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index a9a117691a..ca23a60f84 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -185,6 +185,8 @@ static int lrc_read_header(AVFormatContext *s) sscanf(comma_offset + 1, "%"SCNd64, &lrc->ts_offset) != 1) { av_dict_set(&s->metadata, line.str + 1, comma_offset + 1, 0); } + lrc->ts_offset = av_clip64(lrc->ts_offset, INT64_MIN/4, INT64_MAX/4); + *comma_offset = ':'; *right_bracket_offset = ']'; } @@ -198,10 +200,12 @@ static int lrc_read_header(AVFormatContext *s) while((ts_stroffset_incr = read_ts(line.str + ts_stroffset, &ts_start)) != 0) { + ts_start = av_clip64(ts_start, INT64_MIN/4, INT64_MAX/4); ts_stroffset += ts_stroffset_incr; sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); if(!sub) { + ff_subtitles_queue_clean(&lrc->q); return AVERROR(ENOMEM); } sub->pos = pos; diff --git a/libavformat/lvfdec.c b/libavformat/lvfdec.c index 8b8d6f01b9..4c87728def 100644 --- a/libavformat/lvfdec.c +++ b/libavformat/lvfdec.c @@ -106,6 +106,7 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) unsigned size, flags, timestamp, id; int64_t pos; int ret, is_video = 0; + int stream_index; pos = avio_tell(s->pb); while (!avio_feof(s->pb)) { @@ -121,12 +122,15 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) case MKTAG('0', '1', 'w', 'b'): if (size < 8) return AVERROR_INVALIDDATA; + stream_index = is_video ? 0 : 1; + if (stream_index >= s->nb_streams) + return AVERROR_INVALIDDATA; timestamp = avio_rl32(s->pb); flags = avio_rl32(s->pb); ret = av_get_packet(s->pb, pkt, size - 8); if (flags & (1 << 12)) pkt->flags |= AV_PKT_FLAG_KEY; - pkt->stream_index = is_video ? 0 : 1; + pkt->stream_index = stream_index; pkt->pts = timestamp; pkt->pos = pos; return ret; diff --git a/libavformat/lxfdec.c b/libavformat/lxfdec.c index 434518fc59..c3bd5107da 100644 --- a/libavformat/lxfdec.c +++ b/libavformat/lxfdec.c @@ -195,7 +195,7 @@ static int get_packet_header(AVFormatContext *s) return AVERROR_PATCHWELCOME; } - samples = track_size * 8 / st->codecpar->bits_per_coded_sample; + samples = track_size * 8LL / st->codecpar->bits_per_coded_sample; //use audio packet size to determine video standard //for NTSC we have one 8008-sample audio frame per five video frames @@ -210,6 +210,8 @@ static int get_packet_header(AVFormatContext *s) avpriv_set_pts_info(s->streams[0], 64, 1, 25); } + if (av_popcount(channels) * (uint64_t)track_size > INT_MAX) + return AVERROR_INVALIDDATA; //TODO: warning if track mask != (1 << channels) - 1? ret = av_popcount(channels) * track_size; diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 4e20f15792..eb672995ce 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -97,8 +97,8 @@ typedef enum { typedef const struct EbmlSyntax { uint32_t id; EbmlType type; - int list_elem_size; - int data_offset; + size_t list_elem_size; + size_t data_offset; union { int64_t i; uint64_t u; @@ -110,6 +110,7 @@ typedef const struct EbmlSyntax { typedef struct EbmlList { int nb_elem; + unsigned int alloc_elem_size; void *elem; } EbmlList; @@ -706,7 +707,7 @@ static EbmlSyntax matroska_segments[] = { }; static EbmlSyntax matroska_blockmore[] = { - { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id) }, + { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id), { .u = 1 } }, { MATROSKA_ID_BLOCKADDITIONAL, EBML_BIN, 0, offsetof(MatroskaBlock,additional) }, CHILD_OF(matroska_blockadditions) }; @@ -756,20 +757,22 @@ static int matroska_read_close(AVFormatContext *s); static int matroska_reset_status(MatroskaDemuxContext *matroska, uint32_t id, int64_t position) { + int64_t err = 0; if (position >= 0) { - int err = avio_seek(matroska->ctx->pb, position, SEEK_SET); - if (err < 0) - return err; - } + err = avio_seek(matroska->ctx->pb, position, SEEK_SET); + if (err > 0) + err = 0; + } else + position = avio_tell(matroska->ctx->pb); matroska->current_id = id; matroska->num_levels = 1; matroska->unknown_count = 0; - matroska->resync_pos = avio_tell(matroska->ctx->pb); + matroska->resync_pos = position; if (id) matroska->resync_pos -= (av_log2(id) + 7) / 8; - return 0; + return err; } static int matroska_resync(MatroskaDemuxContext *matroska, int64_t last_pos) @@ -797,7 +800,7 @@ static int matroska_resync(MatroskaDemuxContext *matroska, int64_t last_pos) id == MATROSKA_ID_CLUSTER || id == MATROSKA_ID_CHAPTERS) { /* Prepare the context for parsing of a level 1 element. */ matroska_reset_status(matroska, id, -1); - /* Given that we are here means that an error has occured, + /* Given that we are here means that an error has occurred, * so treat the segment as unknown length in order not to * discard valid data that happens to be beyond the designated * end of the segment. */ @@ -1236,8 +1239,13 @@ static int ebml_parse(MatroskaDemuxContext *matroska, data = (char *) data + syntax->data_offset; if (syntax->list_elem_size) { EbmlList *list = data; - void *newelem = av_realloc_array(list->elem, list->nb_elem + 1, - syntax->list_elem_size); + void *newelem; + + if ((unsigned)list->nb_elem + 1 >= UINT_MAX / syntax->list_elem_size) + return AVERROR(ENOMEM); + newelem = av_fast_realloc(list->elem, + &list->alloc_elem_size, + (list->nb_elem + 1) * syntax->list_elem_size); if (!newelem) return AVERROR(ENOMEM); list->elem = newelem; @@ -1325,7 +1333,7 @@ static int ebml_parse(MatroskaDemuxContext *matroska, // current element (i.e. how much would be skipped); if there were // more than a few skipped elements in a row and skipping the current // element would lead us more than SKIP_THRESHOLD away from the last - // known good position, then it is inferred that an error occured. + // known good position, then it is inferred that an error occurred. // The dependency on the number of unknown elements in a row exists // because the distance to the last known good position is // automatically big if the last parsed element was big. @@ -1490,6 +1498,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data) ebml_free(syntax[i].def.n, ptr); av_freep(&list->elem); list->nb_elem = 0; + list->alloc_elem_size = 0; } else ebml_free(syntax[i].def.n, data_off); default: @@ -1549,7 +1558,7 @@ static int matroska_probe(const AVProbeData *p) } static MatroskaTrack *matroska_find_track_by_num(MatroskaDemuxContext *matroska, - int num) + uint64_t num) { MatroskaTrack *tracks = matroska->tracks.elem; int i; @@ -1558,7 +1567,7 @@ static MatroskaTrack *matroska_find_track_by_num(MatroskaDemuxContext *matroska, if (tracks[i].num == num) return &tracks[i]; - av_log(matroska->ctx, AV_LOG_ERROR, "Invalid track number %d\n", num); + av_log(matroska->ctx, AV_LOG_ERROR, "Invalid track number %"PRIu64"\n", num); return NULL; } @@ -1624,7 +1633,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_ZLIB: { z_stream zstream = { 0 }; - if (inflateInit(&zstream) != Z_OK) + if (!pkt_size || inflateInit(&zstream) != Z_OK) return -1; zstream.next_in = data; zstream.avail_in = isize; @@ -1657,7 +1666,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_BZLIB: { bz_stream bzstream = { 0 }; - if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) + if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) return -1; bzstream.next_in = data; bzstream.avail_in = isize; @@ -1807,6 +1816,7 @@ static int matroska_parse_seekhead_entry(MatroskaDemuxContext *matroska, uint32_t saved_id = matroska->current_id; int64_t before_pos = avio_tell(matroska->ctx->pb); int ret = 0; + int ret2; /* seek */ if (avio_seek(matroska->ctx->pb, pos, SEEK_SET) == pos) { @@ -1831,7 +1841,9 @@ static int matroska_parse_seekhead_entry(MatroskaDemuxContext *matroska, } /* Seek back - notice that in all instances where this is used * it is safe to set the level to 1. */ - matroska_reset_status(matroska, saved_id, before_pos); + ret2 = matroska_reset_status(matroska, saved_id, before_pos); + if (ret >= 0) + ret = ret2; return ret; } @@ -1849,8 +1861,12 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) MatroskaSeekhead *seekheads = seekhead_list->elem; uint32_t id = seekheads[i].id; int64_t pos = seekheads[i].pos + matroska->segment_start; + MatroskaLevel1Element *elem; - MatroskaLevel1Element *elem = matroska_find_level1_elem(matroska, id); + if (id != seekheads[i].id || pos < matroska->segment_start) + continue; + + elem = matroska_find_level1_elem(matroska, id); if (!elem || elem->parsed) continue; @@ -2311,6 +2327,15 @@ static int matroska_parse_tracks(AVFormatContext *s) if (!track->codec_id) continue; + if ( track->type == MATROSKA_TRACK_TYPE_AUDIO && track->codec_id[0] != 'A' + || track->type == MATROSKA_TRACK_TYPE_VIDEO && track->codec_id[0] != 'V' + || track->type == MATROSKA_TRACK_TYPE_SUBTITLE && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + || track->type == MATROSKA_TRACK_TYPE_METADATA && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + ) { + av_log(matroska->ctx, AV_LOG_INFO, "Inconsistent track type\n"); + continue; + } + if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX || isnan(track->audio.samplerate)) { av_log(matroska->ctx, AV_LOG_WARNING, @@ -2551,6 +2576,19 @@ static int matroska_parse_tracks(AVFormatContext *s) memcpy(&extradata[12], track->codec_priv.data, track->codec_priv.size); } else if (codec_id == AV_CODEC_ID_TTA) { + if (track->audio.channels > UINT16_MAX || + track->audio.bitdepth > UINT16_MAX) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Too large audio channel number %"PRIu64 + " or bitdepth %"PRIu64". Skipping track.\n", + track->audio.channels, track->audio.bitdepth); + if (matroska->ctx->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + continue; + } + if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) + return AVERROR_INVALIDDATA; extradata_size = 30; extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!extradata) @@ -2559,22 +2597,8 @@ static int matroska_parse_tracks(AVFormatContext *s) NULL, NULL, NULL, NULL); avio_write(&b, "TTA1", 4); avio_wl16(&b, 1); - if (track->audio.channels > UINT16_MAX || - track->audio.bitdepth > UINT16_MAX) { - av_log(matroska->ctx, AV_LOG_WARNING, - "Too large audio channel number %"PRIu64 - " or bitdepth %"PRIu64". Skipping track.\n", - track->audio.channels, track->audio.bitdepth); - av_freep(&extradata); - if (matroska->ctx->error_recognition & AV_EF_EXPLODE) - return AVERROR_INVALIDDATA; - else - continue; - } avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); - if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) - return AVERROR_INVALIDDATA; avio_wl32(&b, track->audio.out_samplerate); avio_wl32(&b, av_rescale((matroska->duration * matroska->time_scale), track->audio.out_samplerate, @@ -2649,6 +2673,10 @@ static int matroska_parse_tracks(AVFormatContext *s) if (track->time_scale < 0.01) track->time_scale = 1.0; + + if (matroska->time_scale * track->time_scale > UINT_MAX) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale, 1000 * 1000 * 1000); /* 64 bit pts in ns */ @@ -2712,8 +2740,9 @@ static int matroska_parse_tracks(AVFormatContext *s) st->need_parsing = AVSTREAM_PARSE_HEADERS; if (track->default_duration) { + int div = track->default_duration <= INT64_MAX ? 1 : 2; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, - 1000000000, track->default_duration, 30000); + 1000000000 / div, track->default_duration / div, 30000); #if FF_API_R_FRAME_RATE if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL && st->avg_frame_rate.num > st->avg_frame_rate.den * 5LL) @@ -2857,6 +2886,8 @@ static int matroska_read_header(AVFormatContext *s) goto fail; pos = avio_tell(matroska->ctx->pb); res = ebml_parse(matroska, matroska_segment, matroska); + if (res == AVERROR(EIO)) // EOF is translated to EIO, this exists the loop on EOF + goto fail; } /* Set data_offset as it might be needed later by seek_frame_generic. */ if (matroska->current_id == MATROSKA_ID_CLUSTER) @@ -2865,6 +2896,8 @@ static int matroska_read_header(AVFormatContext *s) if (!matroska->time_scale) matroska->time_scale = 1000000; + if (isnan(matroska->duration)) + matroska->duration = 0; if (matroska->duration) matroska->ctx->duration = matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE; @@ -3013,7 +3046,9 @@ static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf, return 0; } - av_assert0(size > 0); + if (size <= 0) + return AVERROR_INVALIDDATA; + *laces = *data + 1; data += 1; size -= 1; @@ -3043,7 +3078,7 @@ static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf, break; } } - if (size <= total) { + if (size < total) { res = AVERROR_INVALIDDATA; break; } @@ -3090,7 +3125,7 @@ static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf, lace_size[n] = lace_size[n - 1] + snum; total += lace_size[n]; } - if (size <= total) { + if (size < total) { res = AVERROR_INVALIDDATA; break; } @@ -3269,20 +3304,17 @@ fail: static int matroska_parse_prores(MatroskaTrack *track, uint8_t *src, uint8_t **pdst, int *size) { - uint8_t *dst = src; - int dstlen = *size; + uint8_t *dst; + int dstlen = *size + 8; - if (AV_RB32(&src[4]) != MKBETAG('i', 'c', 'p', 'f')) { - dst = av_malloc(dstlen + 8 + AV_INPUT_BUFFER_PADDING_SIZE); + dst = av_malloc(dstlen + AV_INPUT_BUFFER_PADDING_SIZE); if (!dst) return AVERROR(ENOMEM); AV_WB32(dst, dstlen); AV_WB32(dst + 4, MKBETAG('i', 'c', 'p', 'f')); - memcpy(dst + 8, src, dstlen); - memset(dst + 8 + dstlen, 0, AV_INPUT_BUFFER_PADDING_SIZE); - dstlen += 8; - } + memcpy(dst + 8, src, dstlen - 8); + memset(dst + dstlen, 0, AV_INPUT_BUFFER_PADDING_SIZE); *pdst = dst; *size = dstlen; @@ -3415,7 +3447,7 @@ static int matroska_parse_frame(MatroskaDemuxContext *matroska, { MatroskaTrackEncoding *encodings = track->encodings.elem; uint8_t *pkt_data = data; - int res; + int res = 0; AVPacket pktl, *pkt = &pktl; if (encodings && !encodings->type && encodings->scope & 1) { @@ -3437,7 +3469,8 @@ static int matroska_parse_frame(MatroskaDemuxContext *matroska, pkt_data = wv_data; } - if (st->codecpar->codec_id == AV_CODEC_ID_PRORES) { + if (st->codecpar->codec_id == AV_CODEC_ID_PRORES && + AV_RB32(pkt_data + 4) != MKBETAG('i', 'c', 'p', 'f')) { uint8_t *pr_data; res = matroska_parse_prores(track, pkt_data, &pr_data, &pkt_size); if (res < 0) { @@ -3450,6 +3483,9 @@ static int matroska_parse_frame(MatroskaDemuxContext *matroska, pkt_data = pr_data; } + if (!pkt_size && !additional_size) + goto no_output; + av_init_packet(pkt); if (pkt_data != data) pkt->buf = av_buffer_create(pkt_data, pkt_size + AV_INPUT_BUFFER_PADDING_SIZE, @@ -3520,6 +3556,7 @@ FF_ENABLE_DEPRECATION_WARNINGS return 0; +no_output: fail: if (pkt_data != data) av_freep(&pkt_data); @@ -3549,16 +3586,20 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, AVBufferRef *buf size -= n; track = matroska_find_track_by_num(matroska, num); - if (!track || !track->stream) { - av_log(matroska->ctx, AV_LOG_INFO, - "Invalid stream %"PRIu64"\n", num); + if (!track || size < 3) return AVERROR_INVALIDDATA; - } else if (size <= 3) + + if (!(st = track->stream)) { + av_log(matroska->ctx, AV_LOG_VERBOSE, + "No stream associated to TrackNumber %"PRIu64". " + "Ignoring Block with this TrackNumber.\n", num); return 0; - st = track->stream; + } + if (st->discard >= AVDISCARD_ALL) return res; - av_assert1(block_duration != AV_NOPTS_VALUE); + if (block_duration > INT64_MAX) + block_duration = INT64_MAX; block_time = sign_extend(AV_RB16(data), 16); data += 2; @@ -3669,7 +3710,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) MatroskaBlock *block = &cluster->block; int res; - av_assert0(matroska->num_levels <= 2); + av_assert0(matroska->num_levels <= 2U); if (matroska->num_levels == 1) { res = ebml_parse(matroska, matroska_segment, NULL); @@ -3836,7 +3877,9 @@ static CueDesc get_cue_desc(AVFormatContext *s, int64_t ts, int64_t cues_start) int i; int nb_index_entries = s->streams[0]->nb_index_entries; AVIndexEntry *index_entries = s->streams[0]->index_entries; - if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, -1, -1, -1}; + + if (ts >= (int64_t)(matroska->duration * matroska->time_scale)) + return (CueDesc) {-1, -1, -1, -1}; for (i = 1; i < nb_index_entries; i++) { if (index_entries[i - 1].timestamp * matroska->time_scale <= ts && index_entries[i].timestamp * matroska->time_scale > ts) { @@ -3997,16 +4040,19 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t prebuffer_ns = 1000000000; int64_t time_ns = st->index_entries[i].timestamp * matroska->time_scale; double nano_seconds_per_second = 1000000000.0; - int64_t prebuffered_ns = time_ns + prebuffer_ns; + int64_t prebuffered_ns; double prebuffer_bytes = 0.0; int64_t temp_prebuffer_ns = prebuffer_ns; int64_t pre_bytes, pre_ns; double pre_sec, prebuffer, bits_per_second; CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start); - // Start with the first Cue. CueDesc desc_end = desc_beg; + if (time_ns > INT64_MAX - prebuffer_ns) + return -1; + prebuffered_ns = time_ns + prebuffer_ns; + // Figure out how much data we have downloaded for the prebuffer. This will // be used later to adjust the bits per sample to try. while (desc_end.start_time_ns != -1 && desc_end.end_time_ns < prebuffered_ns) { @@ -4024,6 +4070,9 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // The prebuffer ends in the last Cue. Estimate how much data was // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; + if (desc_end.end_time_ns <= desc_end.start_time_ns || + desc_end.end_time_ns - (uint64_t)desc_end.start_time_ns > INT64_MAX) + return -1; pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += @@ -4036,12 +4085,16 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t do { int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; - double desc_sec = desc_ns / nano_seconds_per_second; - double calc_bits_per_second = (desc_bytes * 8) / desc_sec; + double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; + if (desc_bytes <= 0 || desc_bytes > INT64_MAX/8) + return -1; + + desc_sec = desc_ns / nano_seconds_per_second; + calc_bits_per_second = (desc_bytes * 8) / desc_sec; // Drop the bps by the percentage of bytes buffered. - double percent = (desc_bytes - prebuffer_bytes) / desc_bytes; - double mod_bits_per_second = calc_bits_per_second * percent; + percent = (desc_bytes - prebuffer_bytes) / desc_bytes; + mod_bits_per_second = calc_bits_per_second * percent; if (prebuffer < desc_sec) { double search_sec = @@ -4164,15 +4217,18 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Failed to read file headers\n"); return -1; } - if (!s->nb_streams) { - matroska_read_close(s); - av_log(s, AV_LOG_ERROR, "No streams found\n"); - return AVERROR_INVALIDDATA; + if (!matroska->tracks.nb_elem || !s->nb_streams) { + av_log(s, AV_LOG_ERROR, "No track found\n"); + ret = AVERROR_INVALIDDATA; + goto fail; } if (!matroska->is_live) { buf = av_asprintf("%g", matroska->duration); - if (!buf) return AVERROR(ENOMEM); + if (!buf) { + ret = AVERROR(ENOMEM); + goto fail; + } av_dict_set(&s->streams[0]->metadata, DURATION, buf, 0); av_free(buf); @@ -4195,7 +4251,7 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) ret = webm_dash_manifest_cues(s, init_range); if (ret < 0) { av_log(s, AV_LOG_ERROR, "Error parsing Cues\n"); - return ret; + goto fail; } } @@ -4205,6 +4261,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) matroska->bandwidth, 0); } return 0; +fail: + matroska_read_close(s); + return ret; } static int webm_dash_manifest_read_packet(AVFormatContext *s, AVPacket *pkt) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index cef504fa05..ad7b0bf2c6 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -210,9 +210,11 @@ static void put_ebml_size_unknown(AVIOContext *pb, int bytes) */ static int ebml_num_size(uint64_t num) { - int bytes = 1; - while ((num + 1) >> bytes * 7) + int bytes = 0; + num++; + do { bytes++; + } while (num >>= 7); return bytes; } @@ -331,26 +333,26 @@ static void end_ebml_master(AVIOContext *pb, ebml_master master) avio_seek(pb, pos, SEEK_SET); } -static int start_ebml_master_crc32(AVIOContext *pb, AVIOContext **dyn_cp, MatroskaMuxContext *mkv, - uint32_t elementid) +static int start_ebml_master_crc32(AVIOContext **dyn_cp, MatroskaMuxContext *mkv) { int ret; if ((ret = avio_open_dyn_buf(dyn_cp)) < 0) return ret; - put_ebml_id(pb, elementid); if (mkv->write_crc) put_ebml_void(*dyn_cp, 6); /* Reserve space for CRC32 so position/size calculations using avio_tell() take it into account */ return 0; } -static void end_ebml_master_crc32(AVIOContext *pb, AVIOContext **dyn_cp, MatroskaMuxContext *mkv) +static void end_ebml_master_crc32(AVIOContext *pb, AVIOContext **dyn_cp, + MatroskaMuxContext *mkv, uint32_t id) { uint8_t *buf, crc[4]; int size, skip = 0; + put_ebml_id(pb, id); size = avio_close_dyn_buf(*dyn_cp, &buf); put_ebml_num(pb, size, 0); if (mkv->write_crc) { @@ -368,13 +370,14 @@ static void end_ebml_master_crc32(AVIOContext *pb, AVIOContext **dyn_cp, Matrosk * Complete ebml master without destroying the buffer, allowing for later updates */ static void end_ebml_master_crc32_preliminary(AVIOContext *pb, AVIOContext **dyn_cp, MatroskaMuxContext *mkv, - int64_t *pos) + uint32_t id, int64_t *pos) { uint8_t *buf; int size = avio_get_dyn_buf(*dyn_cp, &buf); *pos = avio_tell(pb); + put_ebml_id(pb, id); put_ebml_num(pb, size, 0); avio_write(pb, buf, size); } @@ -500,7 +503,7 @@ static int64_t mkv_write_seekhead(AVIOContext *pb, MatroskaMuxContext *mkv) } } - if (start_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_SEEKHEAD) < 0) { + if (start_ebml_master_crc32(&dyn_cp, mkv) < 0) { currentpos = -1; goto fail; } @@ -517,7 +520,7 @@ static int64_t mkv_write_seekhead(AVIOContext *pb, MatroskaMuxContext *mkv) put_ebml_uint(dyn_cp, MATROSKA_ID_SEEKPOSITION, entry->segmentpos); end_ebml_master(dyn_cp, seekentry); } - end_ebml_master_crc32(pb, &dyn_cp, mkv); + end_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_SEEKHEAD); if (seekhead->reserved_size > 0) { uint64_t remaining = seekhead->filepos + seekhead->reserved_size - avio_tell(pb); @@ -574,7 +577,7 @@ static int64_t mkv_write_cues(AVFormatContext *s, mkv_cues *cues, mkv_track *tra int i, j, ret; currentpos = avio_tell(pb); - ret = start_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_CUES); + ret = start_ebml_master_crc32(&dyn_cp, mkv); if (ret < 0) return ret; @@ -620,7 +623,7 @@ static int64_t mkv_write_cues(AVFormatContext *s, mkv_cues *cues, mkv_track *tra i += j - 1; end_ebml_master(dyn_cp, cuepoint); } - end_ebml_master_crc32(pb, &dyn_cp, mkv); + end_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_CUES); return currentpos; } @@ -1450,7 +1453,7 @@ static int mkv_write_tracks(AVFormatContext *s) if (ret < 0) return ret; - ret = start_ebml_master_crc32(pb, &mkv->tracks_bc, mkv, MATROSKA_ID_TRACKS); + ret = start_ebml_master_crc32(&mkv->tracks_bc, mkv); if (ret < 0) return ret; @@ -1465,9 +1468,10 @@ static int mkv_write_tracks(AVFormatContext *s) } if ((pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) - end_ebml_master_crc32_preliminary(pb, &mkv->tracks_bc, mkv, &mkv->tracks_pos); + end_ebml_master_crc32_preliminary(pb, &mkv->tracks_bc, mkv, + MATROSKA_ID_TRACKS, &mkv->tracks_pos); else - end_ebml_master_crc32(pb, &mkv->tracks_bc, mkv); + end_ebml_master_crc32(pb, &mkv->tracks_bc, mkv, MATROSKA_ID_TRACKS); return 0; } @@ -1486,7 +1490,7 @@ static int mkv_write_chapters(AVFormatContext *s) ret = mkv_add_seekhead_entry(mkv->seekhead, MATROSKA_ID_CHAPTERS, avio_tell(pb)); if (ret < 0) return ret; - ret = start_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_CHAPTERS); + ret = start_ebml_master_crc32(&dyn_cp, mkv); if (ret < 0) return ret; editionentry = start_ebml_master(dyn_cp, MATROSKA_ID_EDITIONENTRY, 0); @@ -1504,6 +1508,7 @@ static int mkv_write_chapters(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid chapter start (%"PRId64") or end (%"PRId64").\n", chapterstart, chapterend); + ffio_free_dyn_buf(&dyn_cp); return AVERROR_INVALIDDATA; } @@ -1524,7 +1529,7 @@ static int mkv_write_chapters(AVFormatContext *s) end_ebml_master(dyn_cp, chapteratom); } end_ebml_master(dyn_cp, editionentry); - end_ebml_master_crc32(pb, &dyn_cp, mkv); + end_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_CHAPTERS); mkv->wrote_chapters = 1; return 0; @@ -1576,7 +1581,9 @@ static int mkv_write_tag_targets(AVFormatContext *s, uint32_t elementid, ret = mkv_add_seekhead_entry(mkv->seekhead, MATROSKA_ID_TAGS, avio_tell(s->pb)); if (ret < 0) return ret; - start_ebml_master_crc32(s->pb, &mkv->tags_bc, mkv, MATROSKA_ID_TAGS); + ret = start_ebml_master_crc32(&mkv->tags_bc, mkv); + if (ret < 0) + return ret; } pb = mkv->tags_bc; @@ -1672,7 +1679,10 @@ static int mkv_write_tags(AVFormatContext *s) if (st->codecpar->codec_type == AVMEDIA_TYPE_ATTACHMENT) continue; - mkv_write_tag_targets(s, MATROSKA_ID_TAGTARGETS_TRACKUID, i + 1, &tag_target); + ret = mkv_write_tag_targets(s, MATROSKA_ID_TAGTARGETS_TRACKUID, + i + 1, &tag_target); + if (ret < 0) + return ret; pb = mkv->tags_bc; tag = start_ebml_master(pb, MATROSKA_ID_SIMPLETAG, 0); @@ -1716,9 +1726,10 @@ static int mkv_write_tags(AVFormatContext *s) if (mkv->tags_bc) { if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) - end_ebml_master_crc32_preliminary(s->pb, &mkv->tags_bc, mkv, &mkv->tags_pos); + end_ebml_master_crc32_preliminary(s->pb, &mkv->tags_bc, mkv, + MATROSKA_ID_TAGS, &mkv->tags_pos); else - end_ebml_master_crc32(s->pb, &mkv->tags_bc, mkv); + end_ebml_master_crc32(s->pb, &mkv->tags_bc, mkv, MATROSKA_ID_TAGS); } return 0; } @@ -1742,7 +1753,7 @@ static int mkv_write_attachments(AVFormatContext *s) ret = mkv_add_seekhead_entry(mkv->seekhead, MATROSKA_ID_ATTACHMENTS, avio_tell(pb)); if (ret < 0) return ret; - ret = start_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_ATTACHMENTS); + ret = start_ebml_master_crc32(&dyn_cp, mkv); if (ret < 0) return ret; for (i = 0; i < s->nb_streams; i++) { @@ -1815,7 +1826,7 @@ static int mkv_write_attachments(AVFormatContext *s) mkv->attachments->entries[mkv->attachments->num_entries].stream_idx = i; mkv->attachments->entries[mkv->attachments->num_entries++].fileuid = fileuid; } - end_ebml_master_crc32(pb, &dyn_cp, mkv); + end_ebml_master_crc32(pb, &dyn_cp, mkv, MATROSKA_ID_ATTACHMENTS); return 0; } @@ -1901,7 +1912,7 @@ static int mkv_write_header(AVFormatContext *s) ret = mkv_add_seekhead_entry(mkv->seekhead, MATROSKA_ID_INFO, avio_tell(pb)); if (ret < 0) goto fail; - ret = start_ebml_master_crc32(pb, &mkv->info_bc, mkv, MATROSKA_ID_INFO); + ret = start_ebml_master_crc32(&mkv->info_bc, mkv); if (ret < 0) return ret; pb = mkv->info_bc; @@ -1960,9 +1971,10 @@ static int mkv_write_header(AVFormatContext *s) } } if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) - end_ebml_master_crc32_preliminary(s->pb, &mkv->info_bc, mkv, &mkv->info_pos); + end_ebml_master_crc32_preliminary(s->pb, &mkv->info_bc, mkv, + MATROSKA_ID_INFO, &mkv->info_pos); else - end_ebml_master_crc32(s->pb, &mkv->info_bc, mkv); + end_ebml_master_crc32(s->pb, &mkv->info_bc, mkv, MATROSKA_ID_INFO); pb = s->pb; // initialize stream_duration fields @@ -2104,13 +2116,13 @@ fail: return ret; } -static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, - uint32_t blockid, AVPacket *pkt, int keyframe) +static int mkv_write_block(AVFormatContext *s, AVIOContext *pb, + uint32_t blockid, AVPacket *pkt, int keyframe) { MatroskaMuxContext *mkv = s->priv_data; AVCodecParameters *par = s->streams[pkt->stream_index]->codecpar; uint8_t *data = NULL, *side_data = NULL; - int offset = 0, size = pkt->size, side_data_size = 0; + int err = 0, offset = 0, size = pkt->size, side_data_size = 0; int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; uint64_t additional_id = 0; int64_t discard_padding = 0; @@ -2129,22 +2141,24 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, mkv->cluster_pos, track_number, keyframe != 0); if (par->codec_id == AV_CODEC_ID_H264 && par->extradata_size > 0 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) - ff_avc_parse_nal_units_buf(pkt->data, &data, &size); + err = ff_avc_parse_nal_units_buf(pkt->data, &data, &size); else if (par->codec_id == AV_CODEC_ID_HEVC && par->extradata_size > 6 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) /* extradata is Annex B, assume the bitstream is too and convert it */ - ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); + err = ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); else if (par->codec_id == AV_CODEC_ID_AV1) - ff_av1_filter_obus_buf(pkt->data, &data, &size); + err = ff_av1_filter_obus_buf(pkt->data, &data, &size); else if (par->codec_id == AV_CODEC_ID_WAVPACK) { - int ret = mkv_strip_wavpack(pkt->data, &data, &size); - if (ret < 0) { - av_log(s, AV_LOG_ERROR, "Error stripping a WavPack packet.\n"); - return; - } + err = mkv_strip_wavpack(pkt->data, &data, &size); } else data = pkt->data; + if (err < 0) { + av_log(s, AV_LOG_ERROR, "Error when reformatting data of " + "a packet from stream %d.\n", pkt->stream_index); + return err; + } + if (par->codec_id == AV_CODEC_ID_PRORES && size >= 8) { /* Matroska specification requires to remove the first QuickTime atom */ @@ -2166,9 +2180,13 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, AV_PKT_DATA_MATROSKA_BLOCKADDITIONAL, &side_data_size); if (side_data) { - additional_id = AV_RB64(side_data); - side_data += 8; - side_data_size -= 8; + if (side_data_size < 8) { + side_data_size = 0; + } else { + additional_id = AV_RB64(side_data); + side_data += 8; + side_data_size -= 8; + } } if ((side_data_size && additional_id == 1) || discard_padding) { @@ -2209,6 +2227,8 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, if ((side_data_size && additional_id == 1) || discard_padding) { end_ebml_master(pb, block_group); } + + return 0; } static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) @@ -2216,17 +2236,19 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *p MatroskaMuxContext *mkv = s->priv_data; ebml_master blockgroup; int id_size, settings_size, size; - uint8_t *id, *settings; + const char *id, *settings; int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; const int flags = 0; id_size = 0; id = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_IDENTIFIER, &id_size); + id = id ? id : ""; settings_size = 0; settings = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_SETTINGS, &settings_size); + settings = settings ? settings : ""; size = id_size + 1 + settings_size + 1 + pkt->size; @@ -2258,7 +2280,7 @@ static void mkv_start_new_cluster(AVFormatContext *s, AVPacket *pkt) { MatroskaMuxContext *mkv = s->priv_data; - end_ebml_master_crc32(s->pb, &mkv->cluster_bc, mkv); + end_ebml_master_crc32(s->pb, &mkv->cluster_bc, mkv, MATROSKA_ID_CLUSTER); mkv->cluster_pos = -1; av_log(s, AV_LOG_DEBUG, "Starting new cluster at offset %" PRIu64 " bytes, " @@ -2280,7 +2302,7 @@ static int mkv_check_new_extra_data(AVFormatContext *s, AVPacket *pkt) switch (par->codec_id) { case AV_CODEC_ID_AAC: - if (side_data_size && (s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) { + if (side_data_size && mkv->tracks_bc) { int filler, output_sample_rate = 0; int64_t curpos; ret = get_aac_sample_rates(s, side_data, side_data_size, &track->sample_rate, @@ -2311,7 +2333,7 @@ static int mkv_check_new_extra_data(AVFormatContext *s, AVPacket *pkt) } break; case AV_CODEC_ID_FLAC: - if (side_data_size && (s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live) { + if (side_data_size && mkv->tracks_bc) { AVCodecParameters *codecpriv_par; int64_t curpos; if (side_data_size != par->extradata_size) { @@ -2338,8 +2360,7 @@ static int mkv_check_new_extra_data(AVFormatContext *s, AVPacket *pkt) // FIXME: Remove the following once libaom starts propagating extradata during init() // See https://bugs.chromium.org/p/aomedia/issues/detail?id=2012 case AV_CODEC_ID_AV1: - if (side_data_size && (s->pb->seekable & AVIO_SEEKABLE_NORMAL) && !mkv->is_live && - !par->extradata_size) { + if (side_data_size && mkv->tracks_bc && !par->extradata_size) { AVIOContext *dyn_cp; uint8_t *codecpriv; int codecpriv_size; @@ -2403,7 +2424,7 @@ static int mkv_write_packet_internal(AVFormatContext *s, AVPacket *pkt, int add_ if (mkv->cluster_pos == -1) { mkv->cluster_pos = avio_tell(s->pb); - ret = start_ebml_master_crc32(s->pb, &mkv->cluster_bc, mkv, MATROSKA_ID_CLUSTER); + ret = start_ebml_master_crc32(&mkv->cluster_bc, mkv); if (ret < 0) return ret; put_ebml_uint(mkv->cluster_bc, MATROSKA_ID_CLUSTERTIMECODE, FFMAX(0, ts)); @@ -2414,7 +2435,9 @@ static int mkv_write_packet_internal(AVFormatContext *s, AVPacket *pkt, int add_ relative_packet_pos = avio_tell(pb); if (par->codec_type != AVMEDIA_TYPE_SUBTITLE) { - mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + ret = mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + if (ret < 0) + return ret; if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && (par->codec_type == AVMEDIA_TYPE_VIDEO && keyframe || add_cue)) { ret = mkv_add_cuepoint(mkv->cues, pkt->stream_index, dash_tracknum, ts, mkv->cluster_pos, relative_packet_pos, -1); if (ret < 0) return ret; @@ -2539,7 +2562,8 @@ static int mkv_write_flush_packet(AVFormatContext *s, AVPacket *pkt) if (!pkt) { if (mkv->cluster_pos != -1) { - end_ebml_master_crc32(s->pb, &mkv->cluster_bc, mkv); + end_ebml_master_crc32(s->pb, &mkv->cluster_bc, + mkv, MATROSKA_ID_CLUSTER); mkv->cluster_pos = -1; av_log(s, AV_LOG_DEBUG, "Flushing cluster at offset %" PRIu64 " bytes\n", @@ -2570,7 +2594,7 @@ static int mkv_write_trailer(AVFormatContext *s) } if (mkv->cluster_bc) { - end_ebml_master_crc32(pb, &mkv->cluster_bc, mkv); + end_ebml_master_crc32(pb, &mkv->cluster_bc, mkv, MATROSKA_ID_CLUSTER); } ret = mkv_write_chapters(s); @@ -2616,14 +2640,18 @@ static int mkv_write_trailer(AVFormatContext *s) // update the duration av_log(s, AV_LOG_DEBUG, "end duration = %" PRIu64 "\n", mkv->duration); currentpos = avio_tell(pb); + if (mkv->info_bc) { avio_seek(mkv->info_bc, mkv->duration_offset, SEEK_SET); put_ebml_float(mkv->info_bc, MATROSKA_ID_DURATION, mkv->duration); avio_seek(pb, mkv->info_pos, SEEK_SET); - end_ebml_master_crc32(pb, &mkv->info_bc, mkv); + end_ebml_master_crc32(pb, &mkv->info_bc, mkv, MATROSKA_ID_INFO); + } + if (mkv->tracks_bc) { // write tracks master avio_seek(pb, mkv->tracks_pos, SEEK_SET); - end_ebml_master_crc32(pb, &mkv->tracks_bc, mkv); + end_ebml_master_crc32(pb, &mkv->tracks_bc, mkv, MATROSKA_ID_TRACKS); + } // update stream durations if (!mkv->is_live && mkv->stream_durations) { @@ -2652,7 +2680,7 @@ static int mkv_write_trailer(AVFormatContext *s) } if (mkv->tags_bc && !mkv->is_live) { avio_seek(pb, mkv->tags_pos, SEEK_SET); - end_ebml_master_crc32(pb, &mkv->tags_bc, mkv); + end_ebml_master_crc32(pb, &mkv->tags_bc, mkv, MATROSKA_ID_TAGS); } avio_seek(pb, currentpos, SEEK_SET); diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index ca9086afe9..d062b95de9 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -65,12 +65,12 @@ static int64_t get_pts(const char *buf) return AV_NOPTS_VALUE; } -static int get_duration(const char *buf) +static int64_t get_duration(const char *buf) { int frame_start, frame_end; if (sscanf(buf, "{%d}{%d}", &frame_start, &frame_end) == 2) - return frame_end - frame_start; + return frame_end - (int64_t)frame_start; return -1; } @@ -81,7 +81,7 @@ static int microdvd_read_header(AVFormatContext *s) AVRational pts_info = (AVRational){ 2997, 125 }; /* default: 23.976 fps */ MicroDVDContext *microdvd = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); - int i = 0; + int i = 0, ret; char line_buf[MAX_LINESIZE]; int has_real_fps = 0; @@ -94,6 +94,7 @@ static int microdvd_read_header(AVFormatContext *s) int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line_buf, sizeof(line_buf)); char *line = line_buf; + int64_t pts; if (!strncmp(line, bom, 3)) line += 3; @@ -118,8 +119,10 @@ static int microdvd_read_header(AVFormatContext *s) } if (!st->codecpar->extradata && sscanf(line, "{DEFAULT}{}%c", &c) == 1) { st->codecpar->extradata = av_strdup(line + 11); - if (!st->codecpar->extradata) - return AVERROR(ENOMEM); + if (!st->codecpar->extradata) { + ret = AVERROR(ENOMEM); + goto fail; + } st->codecpar->extradata_size = strlen(st->codecpar->extradata) + 1; continue; } @@ -136,11 +139,16 @@ static int microdvd_read_header(AVFormatContext *s) SKIP_FRAME_ID; if (!*p) continue; + pts = get_pts(line); + if (pts == AV_NOPTS_VALUE) + continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; - sub->pts = get_pts(line); + sub->pts = pts; sub->duration = get_duration(line); } ff_subtitles_queue_finalize(s, µdvd->q); @@ -155,6 +163,9 @@ static int microdvd_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_MICRODVD; return 0; +fail: + ff_subtitles_queue_clean(µdvd->q); + return ret; } static int microdvd_read_packet(AVFormatContext *s, AVPacket *pkt) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 68ca2c5e1c..fa8d91fa7b 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -80,13 +80,15 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); + int ret; + if (!value) { avio_skip(pb, size); return; } - avio_read(pb, value, size); - if (!value[0]) { + ret = avio_read(pb, value, size); + if (ret != size || !value[0]) { av_free(value); return; } @@ -393,10 +395,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) { MlvContext *mlv = avctx->priv_data; AVIOContext *pb; - AVStream *st = avctx->streams[mlv->stream_index]; + AVStream *st; int index, ret; unsigned int size, space; + if (!avctx->nb_streams) + return AVERROR_EOF; + + st = avctx->streams[mlv->stream_index]; if (mlv->pts >= st->duration) return AVERROR_EOF; @@ -414,19 +420,25 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) if (size < 16) return AVERROR_INVALIDDATA; avio_skip(pb, 12); //timestamp, frameNumber - if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) + size -= 12; + if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { + if (size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); // cropPosX, cropPosY, panPosX, panPosY + size -= 8; + } space = avio_rl32(pb); + if (size < space + 4LL) + return AVERROR_INVALIDDATA; avio_skip(pb, space); + size -= space; if ((mlv->class[st->id] & (MLV_CLASS_FLAG_DELTA|MLV_CLASS_FLAG_LZMA))) { ret = AVERROR_PATCHWELCOME; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { ret = av_get_packet(pb, pkt, (st->codecpar->width * st->codecpar->height * st->codecpar->bits_per_coded_sample + 7) >> 3); } else { // AVMEDIA_TYPE_AUDIO - if (space > UINT_MAX - 24 || size < (24 + space)) - return AVERROR_INVALIDDATA; - ret = av_get_packet(pb, pkt, size - (24 + space)); + ret = av_get_packet(pb, pkt, size - 4); } if (ret < 0) diff --git a/libavformat/mm.c b/libavformat/mm.c index 83b3c200c6..e57153f7ee 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -94,7 +94,7 @@ static int read_header(AVFormatContext *s) type = avio_rl16(pb); length = avio_rl32(pb); - if (type != MM_TYPE_HEADER) + if (type != MM_TYPE_HEADER || length < 10) return AVERROR_INVALIDDATA; /* read header */ @@ -174,6 +174,8 @@ static int read_packet(AVFormatContext *s, return 0; case MM_TYPE_AUDIO : + if (s->nb_streams < 2) + return AVERROR_INVALIDDATA; if (av_get_packet(s->pb, pkt, length)<0) return AVERROR(ENOMEM); pkt->stream_index = 1; diff --git a/libavformat/mov.c b/libavformat/mov.c index 327a25bbdf..d2bb003c54 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -288,10 +288,14 @@ static int mov_metadata_hmmt(MOVContext *c, AVIOContext *pb, unsigned len) return 0; n_hmmt = avio_rb32(pb); + if (n_hmmt > len / 4) + return AVERROR_INVALIDDATA; for (i = 0; i < n_hmmt && !pb->eof_reached; i++) { int moment_time = avio_rb32(pb); avpriv_new_chapter(c->fc, i, av_make_q(1, 1000), moment_time, AV_NOPTS_VALUE, NULL); } + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; return 0; } @@ -302,7 +306,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) char *str = NULL; const char *key = NULL; uint16_t langcode = 0; - uint32_t data_type = 0, str_size, str_size_alloc; + uint32_t data_type = 0, str_size_alloc; + uint64_t str_size; int (*parse)(MOVContext*, AVIOContext*, unsigned, const char*) = NULL; int raw = 0; int num = 0; @@ -402,7 +407,7 @@ retry: if (c->itunes_metadata && atom.size > 8) { int data_size = avio_rb32(pb); int tag = avio_rl32(pb); - if (tag == MKTAG('d','a','t','a') && data_size <= atom.size) { + if (tag == MKTAG('d','a','t','a') && data_size <= atom.size && data_size >= 16) { data_type = avio_rb32(pb); // type avio_rb32(pb); // unknown str_size = data_size - 16; @@ -599,11 +604,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries; i++) { MOVDref *dref = &sc->drefs[i]; uint32_t size = avio_rb32(pb); - int64_t next = avio_tell(pb) + size - 4; + int64_t next = avio_tell(pb); - if (size < 12) + if (size < 12 || next < 0 || next > INT64_MAX - size) return AVERROR_INVALIDDATA; + next += size - 4; + dref->type = avio_rl32(pb); avio_rb32(pb); // version + flags @@ -1004,6 +1011,7 @@ static int mov_read_adrm(MOVContext *c, AVIOContext *pb, MOVAtom atom) sha = av_sha_alloc(); if (!sha) return AVERROR(ENOMEM); + av_free(c->aes_decrypt); c->aes_decrypt = av_aes_alloc(); if (!c->aes_decrypt) { ret = AVERROR(ENOMEM); @@ -1107,6 +1115,12 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; + if (c->fc->nb_streams) { + if (c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT) + return AVERROR_INVALIDDATA; + av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate FTYP\n"); + return 0; + } if (strcmp(type, "qt ")) c->isom = 1; @@ -1116,7 +1130,7 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dict_set_int(&c->fc->metadata, "minor_version", minor_ver, 0); comp_brand_size = atom.size - 8; - if (comp_brand_size < 0) + if (comp_brand_size < 0 || comp_brand_size == INT_MAX) return AVERROR_INVALIDDATA; comp_brands_str = av_malloc(comp_brand_size + 1); /* Add null terminator */ if (!comp_brands_str) @@ -1326,8 +1340,10 @@ static int update_frag_index(MOVContext *c, int64_t offset) for (i = 0; i < c->fc->nb_streams; i++) { // Avoid building frag index if streams lack track id. - if (c->fc->streams[i]->id < 0) + if (c->fc->streams[i]->id < 0) { + av_free(frag_stream_info); return AVERROR_INVALIDDATA; + } frag_stream_info[i].id = c->fc->streams[i]->id; frag_stream_info[i].sidx_pts = AV_NOPTS_VALUE; @@ -1896,6 +1912,8 @@ static int mov_read_glbl(MOVContext *c, AVIOContext *pb, MOVAtom atom) // wrap a whole fiel atom inside of a glbl atom. unsigned size = avio_rb32(pb); unsigned type = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('f','i','e','l') && size == atom.size) return mov_read_default(c, pb, atom); @@ -1979,6 +1997,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; unsigned int i, entries; + if (c->trak_index < 0) { + av_log(c->fc, AV_LOG_WARNING, "STCO outside TRAK\n"); + return 0; + } if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; @@ -1992,8 +2014,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->chunk_offsets) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STCO atom\n"); + if (sc->chunk_offsets) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STCO atom\n"); + return 0; + } av_free(sc->chunk_offsets); sc->chunk_count = 0; sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); @@ -2005,8 +2029,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) sc->chunk_offsets[i] = avio_rb32(pb); else if (atom.type == MKTAG('c','o','6','4')) - for (i = 0; i < entries && !pb->eof_reached; i++) + for (i = 0; i < entries && !pb->eof_reached; i++) { sc->chunk_offsets[i] = avio_rb64(pb); + if (sc->chunk_offsets[i] < 0) { + av_log(c->fc, AV_LOG_WARNING, "Impossible chunk_offset\n"); + sc->chunk_offsets[i] = 0; + } + } else return AVERROR_INVALIDDATA; @@ -2214,7 +2243,7 @@ static void mov_parse_stsd_audio(MOVContext *c, AVIOContext *pb, } bits_per_sample = av_get_bits_per_sample(st->codecpar->codec_id); - if (bits_per_sample) { + if (bits_per_sample && (bits_per_sample >> 3) * (uint64_t)st->codecpar->channels <= INT_MAX) { st->codecpar->bits_per_coded_sample = bits_per_sample; sc->sample_size = (bits_per_sample >> 3) * st->codecpar->channels; } @@ -2314,12 +2343,10 @@ FF_ENABLE_DEPRECATION_WARNINGS if (tmcd_ctx->tmcd_flags & 0x0008) { int timescale = AV_RB32(st->codecpar->extradata + 8); int framedur = AV_RB32(st->codecpar->extradata + 12); - st->avg_frame_rate.num *= timescale; - st->avg_frame_rate.den *= framedur; + st->avg_frame_rate = av_mul_q(st->avg_frame_rate, (AVRational){timescale, framedur}); #if FF_API_LAVF_AVCTX FF_DISABLE_DEPRECATION_WARNINGS - st->codec->time_base.den *= timescale; - st->codec->time_base.num *= framedur; + st->codec->time_base = av_mul_q(st->codec->time_base , (AVRational){framedur, timescale}); FF_ENABLE_DEPRECATION_WARNINGS #endif } @@ -2328,7 +2355,7 @@ FF_ENABLE_DEPRECATION_WARNINGS uint32_t format = AV_RB32(st->codecpar->extradata + 22); if (format == AV_RB32("name") && (int64_t)size >= (int64_t)len + 18) { uint16_t str_size = AV_RB16(st->codecpar->extradata + 26); /* string length */ - if (str_size > 0 && size >= (int)str_size + 26) { + if (str_size > 0 && size >= (int)str_size + 30) { char *reel_name = av_malloc(str_size + 1); if (!reel_name) return AVERROR(ENOMEM); @@ -2514,6 +2541,10 @@ int ff_mov_read_stsd_entries(MOVContext *c, AVIOContext *pb, int entries) av_log(c->fc, AV_LOG_ERROR, "Invalid sample rate %d\n", st->codecpar->sample_rate); return AVERROR_INVALIDDATA; } + if (st->codecpar->channels < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid channels %d\n", st->codecpar->channels); + return AVERROR_INVALIDDATA; + } } else if (st->codecpar->codec_type==AVMEDIA_TYPE_SUBTITLE){ mov_parse_stsd_subtitle(c, pb, st, sc, size - (avio_tell(pb) - start_pos)); @@ -2641,8 +2672,10 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->stsc_data) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STSC atom\n"); + if (sc->stsc_data) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STSC atom\n"); + return 0; + } av_free(sc->stsc_data); sc->stsc_count = 0; sc->stsc_data = av_malloc_array(entries, sizeof(*sc->stsc_data)); @@ -2867,6 +2900,11 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) { sc->sample_sizes[i] = get_bits_long(&gb, field_size); + if (sc->sample_sizes[i] < 0) { + av_free(buf); + av_log(c->fc, AV_LOG_ERROR, "Invalid sample size %d\n", sc->sample_sizes[i]); + return AVERROR_INVALIDDATA; + } sc->data_size += sc->sample_sizes[i]; } @@ -3105,6 +3143,10 @@ static int get_edit_list_entry(MOVContext *mov, } *edit_list_duration = av_rescale(*edit_list_duration, msc->time_scale, global_timescale); + + if (*edit_list_duration + (uint64_t)*edit_list_media_time > INT64_MAX) + *edit_list_duration = 0; + return 1; } @@ -3873,6 +3915,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if (keyframe) distance = 0; sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; + if (current_offset > INT64_MAX - sample_size) { + av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n", + current_offset, + sample_size); + return; + } + if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { AVIndexEntry *e; @@ -4318,12 +4367,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 1; i <= count; ++i) { uint32_t key_size = avio_rb32(pb); uint32_t type = avio_rl32(pb); - if (key_size < 8) { + if (key_size < 8 || key_size > atom.size) { av_log(c->fc, AV_LOG_ERROR, "The key# %"PRIu32" in meta has invalid size:" "%"PRIu32"\n", i, key_size); return AVERROR_INVALIDDATA; } + atom.size -= key_size; key_size -= 8; if (type != MKTAG('m','d','t','a')) { avio_skip(pb, key_size); @@ -4377,6 +4427,9 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) } else break; + if (*p) + break; + *p = av_malloc(len + 1); if (!*p) { ret = AVERROR(ENOMEM); @@ -4418,7 +4471,10 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) static int mov_read_meta(MOVContext *c, AVIOContext *pb, MOVAtom atom) { while (atom.size > 8) { - uint32_t tag = avio_rl32(pb); + uint32_t tag; + if (avio_feof(pb)) + return AVERROR_EOF; + tag = avio_rl32(pb); atom.size -= 4; if (tag == MKTAG('h','d','l','r')) { avio_seek(pb, -8, SEEK_CUR); @@ -4613,6 +4669,8 @@ static int mov_read_chap(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < num && !pb->eof_reached; i++) c->chapter_tracks[i] = avio_rb32(pb); + c->nb_chapter_tracks = i; + return 0; } @@ -5005,6 +5063,8 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb16(pb); // reserved item_count = avio_rb16(pb); + if (item_count == 0) + return AVERROR_INVALIDDATA; for (i = 0; i < item_count; i++) { int index; @@ -5200,6 +5260,11 @@ static int mov_read_elst(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->fc->nb_streams-1, i, e->time); return AVERROR_INVALIDDATA; } + if (e->duration < 0) { + av_log(c->fc, AV_LOG_ERROR, "Track %d, edit %d: Invalid edit list duration=%"PRId64"\n", + c->fc->nb_streams-1, i, e->duration); + return AVERROR_INVALIDDATA; + } } sc->elst_count = i; @@ -5309,6 +5374,11 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Metadata\n"); + return 0; + } + avio_skip(pb, 3); /* flags */ sc->mastering = av_mastering_display_metadata_alloc(); @@ -5349,6 +5419,11 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR_INVALIDDATA; } + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Color Volume\n"); + return 0; + } + sc->mastering = av_mastering_display_metadata_alloc(); if (!sc->mastering) return AVERROR(ENOMEM); @@ -5392,6 +5467,11 @@ static int mov_read_coll(MOVContext *c, AVIOContext *pb, MOVAtom atom) } avio_skip(pb, 3); /* flags */ + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); @@ -5416,6 +5496,11 @@ static int mov_read_clli(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR_INVALIDDATA; } + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate CLLI/COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); @@ -5443,6 +5528,10 @@ static int mov_read_st3d(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_ERROR, "Empty stereoscopic video box\n"); return AVERROR_INVALIDDATA; } + + if (sc->stereo3d) + return AVERROR_INVALIDDATA; + avio_skip(pb, 4); /* version + flags */ mode = avio_r8(pb); @@ -5992,6 +6081,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } if (pb->eof_reached) { av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n"); + if (ret >= 0) + av_encryption_info_free(encryption_index->encrypted_samples[i]); ret = AVERROR_INVALIDDATA; } @@ -6298,8 +6389,10 @@ static int mov_read_pssh(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (version > 0) { kid_count = avio_rb32(pb); - if (kid_count >= INT_MAX / sizeof(*key_ids)) - return AVERROR(ENOMEM); + if (kid_count >= INT_MAX / sizeof(*key_ids)) { + ret = AVERROR(ENOMEM); + goto finish; + } for (unsigned int i = 0; i < kid_count && !pb->eof_reached; i++) { unsigned int min_kid_count = FFMIN(FFMAX(i + 1, 1024), kid_count); @@ -6804,13 +6897,14 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) a.size >= 8 && c->fc->strict_std_compliance < FF_COMPLIANCE_STRICT && c->moov_retry) { - uint8_t buf[8]; - uint32_t *type = (uint32_t *)buf + 1; - if (avio_read(pb, buf, 8) != 8) - return AVERROR_INVALIDDATA; + uint32_t type; + avio_skip(pb, 4); + type = avio_rl32(pb); + if (avio_feof(pb)) + break; avio_seek(pb, -8, SEEK_CUR); - if (*type == MKTAG('m','v','h','d') || - *type == MKTAG('c','m','o','v')) { + if (type == MKTAG('m','v','h','d') || + type == MKTAG('c','m','o','v')) { av_log(c->fc, AV_LOG_ERROR, "Detected moov in a free atom.\n"); a.type = MKTAG('m','o','o','v'); } @@ -6837,6 +6931,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (a.size == 0) { a.size = atom.size - total_size + 8; } + if (a.size < 0) + break; a.size -= 8; if (a.size < 0) break; @@ -6871,7 +6967,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->atom_depth --; return err; } - if (c->found_moov && c->found_mdat && + if (c->found_moov && c->found_mdat && a.size <= INT64_MAX - start_pos && ((!(pb->seekable & AVIO_SEEKABLE_NORMAL) || c->fc->flags & AVFMT_FLAG_IGNIDX || c->frag_index.complete) || start_pos + a.size == avio_size(pb))) { if (!(pb->seekable & AVIO_SEEKABLE_NORMAL) || c->fc->flags & AVFMT_FLAG_IGNIDX || c->frag_index.complete) @@ -7216,10 +7312,9 @@ static int mov_read_close(AVFormatContext *s) av_freep(&sc->coll); } - if (mov->dv_demux) { - avformat_free_context(mov->dv_fctx); - mov->dv_fctx = NULL; - } + av_freep(&mov->dv_demux); + avformat_free_context(mov->dv_fctx); + mov->dv_fctx = NULL; if (mov->meta_keys) { for (i = 1; i < mov->meta_keys_count; i++) { @@ -7408,14 +7503,13 @@ static int mov_read_header(AVFormatContext *s) avio_seek(pb, 0, SEEK_SET); if ((err = mov_read_default(mov, pb, atom)) < 0) { av_log(s, AV_LOG_ERROR, "error reading header\n"); - mov_read_close(s); - return err; + goto fail; } } while ((pb->seekable & AVIO_SEEKABLE_NORMAL) && !mov->found_moov && !mov->moov_retry++); if (!mov->found_moov) { av_log(s, AV_LOG_ERROR, "moov atom not found\n"); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } av_log(mov->fc, AV_LOG_TRACE, "on_parse_exit_offset=%"PRId64"\n", avio_tell(pb)); @@ -7468,7 +7562,7 @@ static int mov_read_header(AVFormatContext *s) } if (st->codecpar->codec_id == AV_CODEC_ID_DVD_SUBTITLE) { if ((err = mov_rewrite_dvd_sub_extradata(st)) < 0) - return err; + goto fail; } } if (mov->handbrake_version && @@ -7488,8 +7582,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration; } @@ -7504,8 +7598,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / sc->duration_for_fps; @@ -7529,8 +7623,7 @@ static int mov_read_header(AVFormatContext *s) case AVMEDIA_TYPE_AUDIO: err = ff_replaygain_export(st, s->metadata); if (err < 0) { - mov_read_close(s); - return err; + goto fail; } break; case AVMEDIA_TYPE_VIDEO: @@ -7538,7 +7631,7 @@ static int mov_read_header(AVFormatContext *s) err = av_stream_add_side_data(st, AV_PKT_DATA_DISPLAYMATRIX, (uint8_t*)sc->display_matrix, sizeof(int32_t) * 9); if (err < 0) - return err; + goto fail; sc->display_matrix = NULL; } @@ -7547,7 +7640,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->stereo3d, sizeof(*sc->stereo3d)); if (err < 0) - return err; + goto fail; sc->stereo3d = NULL; } @@ -7556,7 +7649,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->spherical, sc->spherical_size); if (err < 0) - return err; + goto fail; sc->spherical = NULL; } @@ -7565,7 +7658,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->mastering, sizeof(*sc->mastering)); if (err < 0) - return err; + goto fail; sc->mastering = NULL; } @@ -7574,7 +7667,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->coll, sc->coll_size); if (err < 0) - return err; + goto fail; sc->coll = NULL; } @@ -7588,6 +7681,9 @@ static int mov_read_header(AVFormatContext *s) mov->frag_index.item[i].headers_read = 1; return 0; +fail: + mov_read_close(s); + return err; } static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) @@ -7601,12 +7697,13 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) if (msc->pb && msc->current_sample < avst->nb_index_entries) { AVIndexEntry *current_sample = &avst->index_entries[msc->current_sample]; int64_t dts = av_rescale(current_sample->timestamp, AV_TIME_BASE, msc->time_scale); + uint64_t dtsdiff = best_dts > dts ? best_dts - (uint64_t)dts : ((uint64_t)dts - best_dts); av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts); if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) || ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && - ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && - ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || - (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { + ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE && + ((dtsdiff <= AV_TIME_BASE && current_sample->pos < sample->pos) || + (dtsdiff > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; best_dts = dts; *st = avst; @@ -7732,6 +7829,19 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } return ret; } +#if CONFIG_DV_DEMUXER + if (mov->dv_demux && sc->dv_audio_container) { + AVBufferRef *buf = pkt->buf; + ret = avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); + pkt->buf = buf; + av_packet_unref(pkt); + if (ret < 0) + return ret; + ret = avpriv_dv_get_packet(mov->dv_demux, pkt); + if (ret < 0) + return ret; + } +#endif if (sc->has_palette) { uint8_t *pal; @@ -7743,16 +7853,6 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) sc->has_palette = 0; } } -#if CONFIG_DV_DEMUXER - if (mov->dv_demux && sc->dv_audio_container) { - avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); - av_freep(&pkt->data); - pkt->size = 0; - ret = avpriv_dv_get_packet(mov->dv_demux, pkt); - if (ret < 0) - return ret; - } -#endif if (st->codecpar->codec_id == AV_CODEC_ID_MP3 && !st->need_parsing && pkt->size > 4) { if (ff_mpa_check_header(AV_RB32(pkt->data)) < 0) st->need_parsing = AVSTREAM_PARSE_FULL; @@ -7809,8 +7909,10 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) aax_filter(pkt->data, pkt->size, mov); ret = cenc_filter(mov, st, sc, pkt, current_index); - if (ret < 0) + if (ret < 0) { + av_packet_unref(pkt); return ret; + } return 0; } diff --git a/libavformat/movenc.c b/libavformat/movenc.c index a96139077b..bdde003375 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1552,6 +1552,10 @@ static unsigned int mov_get_codec_tag(AVFormatContext *s, MOVTrack *track) { unsigned int tag = track->par->codec_tag; + // "rtp " is used to distinguish internally created RTP-hint tracks + // (with rtp_ctx) from other tracks. + if (tag == MKTAG('r','t','p',' ')) + tag = 0; if (!tag || (s->strict_std_compliance >= FF_COMPLIANCE_NORMAL && (track->par->codec_id == AV_CODEC_ID_DVVIDEO || track->par->codec_id == AV_CODEC_ID_RAWVIDEO || @@ -2004,11 +2008,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex avio_wb16(pb, 0x18); /* Reserved */ if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { - int pal_size = 1 << track->par->bits_per_coded_sample; - int i; + int pal_size, i; avio_wb16(pb, 0); /* Color table ID */ avio_wb32(pb, 0); /* Color table seed */ avio_wb16(pb, 0x8000); /* Color table flags */ + if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) + return AVERROR(EINVAL); + pal_size = 1 << track->par->bits_per_coded_sample; avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ for (i = 0; i < pal_size; i++) { uint32_t rgb = track->palette[i]; @@ -4475,7 +4481,8 @@ static int mov_write_sidx_tag(AVIOContext *pb, { int64_t pos = avio_tell(pb), offset_pos, end_pos; int64_t presentation_time, duration, offset; - int starts_with_SAP, i, entries; + unsigned starts_with_SAP; + int i, entries; if (track->entry) { entries = 1; @@ -5265,6 +5272,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; + if (pkt->pts != AV_NOPTS_VALUE && + (uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) { + av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n"); + return AVERROR_PATCHWELCOME; + } + if (mov->flags & FF_MOV_FLAG_FRAGMENT) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { @@ -5321,12 +5334,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) !TAG_IS_AVCI(trk->tag) && (par->codec_id != AV_CODEC_ID_DNXHD)) { trk->vos_len = par->extradata_size; - trk->vos_data = av_malloc(trk->vos_len); + trk->vos_data = av_malloc(trk->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!trk->vos_data) { ret = AVERROR(ENOMEM); goto err; } memcpy(trk->vos_data, par->extradata, trk->vos_len); + memset(trk->vos_data + trk->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } if (par->codec_id == AV_CODEC_ID_AAC && pkt->size > 2 && @@ -5403,21 +5417,23 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) par->codec_id == AV_CODEC_ID_AC3) && !trk->vos_len) { /* copy frame to create needed atoms */ trk->vos_len = size; - trk->vos_data = av_malloc(size); + trk->vos_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE); if (!trk->vos_data) { ret = AVERROR(ENOMEM); goto err; } memcpy(trk->vos_data, pkt->data, size); + memset(trk->vos_data + size, 0, AV_INPUT_BUFFER_PADDING_SIZE); } if (trk->entry >= trk->cluster_capacity) { unsigned new_capacity = 2 * (trk->entry + MOV_INDEX_CLUSTER_SIZE); - if (av_reallocp_array(&trk->cluster, new_capacity, - sizeof(*trk->cluster))) { + void *cluster = av_realloc_array(trk->cluster, new_capacity, sizeof(*trk->cluster)); + if (!cluster) { ret = AVERROR(ENOMEM); goto err; } + trk->cluster = cluster; trk->cluster_capacity = new_capacity; } @@ -6031,12 +6047,13 @@ static int mov_create_dvd_sub_decoder_specific_info(MOVTrack *track, cur += strspn(cur, "\n\r"); } if (have_palette) { - track->vos_data = av_malloc(16*4); + track->vos_data = av_malloc(16*4 + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) return AVERROR(ENOMEM); for (i = 0; i < 16; i++) { AV_WB32(track->vos_data + i * 4, palette[i]); } + memset(track->vos_data + 16*4, 0, AV_INPUT_BUFFER_PADDING_SIZE); track->vos_len = 16 * 4; } st->codecpar->width = width; @@ -6393,11 +6410,12 @@ static int mov_write_header(AVFormatContext *s) mov_create_dvd_sub_decoder_specific_info(track, st); else if (!TAG_IS_AVCI(track->tag) && st->codecpar->codec_id != AV_CODEC_ID_DNXHD) { track->vos_len = st->codecpar->extradata_size; - track->vos_data = av_malloc(track->vos_len); + track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) { return AVERROR(ENOMEM); } memcpy(track->vos_data, st->codecpar->extradata, track->vos_len); + memset(track->vos_data + track->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } } @@ -6653,10 +6671,11 @@ static int mov_write_trailer(AVFormatContext *s) AVCodecParameters *par = track->par; track->vos_len = par->extradata_size; - track->vos_data = av_malloc(track->vos_len); + track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) return AVERROR(ENOMEM); memcpy(track->vos_data, par->extradata, track->vos_len); + memset(track->vos_data + track->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } mov->need_rewrite_extradata = 0; } diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 258f19174b..096dd0e23f 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -91,7 +91,7 @@ static int mp3_read_probe(const AVProbeData *p) header = AV_RB32(buf2); ret = avpriv_mpegaudio_decode_header(&h, header); - if (ret != 0) + if (ret != 0 || end - buf2 < h.frame_size) break; buf2 += h.frame_size; framesizes += h.frame_size; @@ -125,9 +125,10 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration int fill_index = (mp3->usetoc || fast_seek) && duration > 0; if (!filesize && - !(filesize = avio_size(s->pb))) { + (filesize = avio_size(s->pb)) <= 0) { av_log(s, AV_LOG_WARNING, "Cannot determine file size, skipping TOC table.\n"); fill_index = 0; + filesize = 0; } for (i = 0; i < XING_TOC_COUNT; i++) { @@ -572,7 +573,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, if (best_pos < 0) return best_pos; - if (mp3->is_cbr && ie == &ie1 && mp3->frames) { + if (mp3->is_cbr && ie == &ie1 && mp3->frames && mp3->header_filesize > 0) { int frame_duration = av_rescale(st->duration, 1, mp3->frames); ie1.timestamp = frame_duration * av_rescale(best_pos - s->internal->data_offset, mp3->frames, mp3->header_filesize); } diff --git a/libavformat/mpc.c b/libavformat/mpc.c index 487ff90c7d..a7b2e116ed 100644 --- a/libavformat/mpc.c +++ b/libavformat/mpc.c @@ -88,7 +88,7 @@ static int mpc_read_header(AVFormatContext *s) st = avformat_new_stream(s, NULL); if (!st) - return AVERROR(ENOMEM); + goto mem_error; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->codec_id = AV_CODEC_ID_MUSEPACK7; st->codecpar->channels = 2; @@ -96,7 +96,7 @@ static int mpc_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample = 16; if (ff_get_extradata(s, st->codecpar, s->pb, 16) < 0) - return AVERROR(ENOMEM); + goto mem_error; st->codecpar->sample_rate = mpc_rate[st->codecpar->extradata[2] & 3]; avpriv_set_pts_info(st, 32, MPC_FRAMESIZE, st->codecpar->sample_rate); /* scan for seekpoints */ @@ -113,6 +113,9 @@ static int mpc_read_header(AVFormatContext *s) } return 0; +mem_error: + av_freep(&c->frames); + return AVERROR(ENOMEM); } static int mpc_read_packet(AVFormatContext *s, AVPacket *pkt) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 0eb879ffc0..db5f7f210d 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -177,12 +177,16 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) av_add_index_entry(s->streams[0], pos, i, 0, 0, AVINDEX_KEYFRAME); } for(; i < size; i++){ + if (get_bits_left(&gb) < 13) { + av_free(buf); + return; + } t = get_unary(&gb, 1, 33) << 12; t += get_bits(&gb, 12); if(t & 1) t = -(t & ~1); - pos = (t >> 1) + ppos[0]*2 - ppos[1]; - av_add_index_entry(s->streams[0], pos, i << seekd, 0, 0, AVINDEX_KEYFRAME); + pos = (t >> 1) + (uint64_t)ppos[0]*2 - ppos[1]; + av_add_index_entry(s->streams[0], pos, (int64_t)i << seekd, 0, 0, AVINDEX_KEYFRAME); ppos[1] = ppos[0]; ppos[0] = pos; } @@ -196,8 +200,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, in switch(tag){ case TAG_SEEKTBLOFF: - pos = avio_tell(pb) + size; + pos = avio_tell(pb); off = ffio_read_varlen(pb); + if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos) + return; + pos += size; mpc8_parse_seektable(s, chunk_pos + off); avio_seek(pb, pos, SEEK_SET); break; @@ -257,7 +264,7 @@ static int mpc8_read_header(AVFormatContext *s) st->codecpar->channels = (st->codecpar->extradata[1] >> 4) + 1; st->codecpar->sample_rate = mpc8_rate[st->codecpar->extradata[0] >> 5]; - avpriv_set_pts_info(st, 32, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); + avpriv_set_pts_info(st, 64, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); st->start_time = 0; st->duration = c->samples / (1152 << (st->codecpar->extradata[1]&3)*2); size -= avio_tell(pb) - pos; @@ -287,7 +294,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR_EOF; mpc8_get_chunk_header(s->pb, &tag, &size); - if (size < 0) + if (size < 0 || size > INT_MAX) return -1; if(tag == TAG_AUDIOPACKET){ if(av_get_packet(s->pb, pkt, size) < 0) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 3205f209e6..b4488a3480 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -79,6 +79,9 @@ static int mpegps_probe(const AVProbeData *p) int pes = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size); int pack = check_pack_header(p->buf + i); + if (len > INT_MAX - i) + break; + if (code == SYSTEM_HEADER_START_CODE) sys++; else if (code == PACK_START_CODE && pack) @@ -107,7 +110,7 @@ static int mpegps_probe(const AVProbeData *p) if (sys > invalid && sys * 9 <= pspack * 10) return (audio > 12 || vid > 3 || pspack > 2) ? AVPROBE_SCORE_EXTENSION + 2 - : AVPROBE_SCORE_EXTENSION / 2 + 1; // 1 more than mp3 + : AVPROBE_SCORE_EXTENSION / 2 + (audio + vid + pspack > 1); // 1 more than mp3 if (pspack > invalid && (priv1 + vid + audio) * 10 >= pspack * 9) return pspack > 2 ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg @@ -161,9 +164,12 @@ static int mpegps_read_header(AVFormatContext *s) static int64_t get_pts(AVIOContext *pb, int c) { uint8_t buf[5]; + int ret; buf[0] = c < 0 ? avio_r8(pb) : c; - avio_read(pb, buf + 1, 4); + ret = avio_read(pb, buf + 1, 4); + if (ret < 4) + return AV_NOPTS_VALUE; return ff_parse_pes_pts(buf); } @@ -557,7 +563,9 @@ redo: static const unsigned char avs_seqh[4] = { 0, 0, 1, 0xb0 }; unsigned char buf[8]; - avio_read(s->pb, buf, 8); + ret = avio_read(s->pb, buf, 8); + if (ret != 8) + return AVERROR_INVALIDDATA; avio_seek(s->pb, -8, SEEK_CUR); if (!memcmp(buf, avs_seqh, 4) && (buf[6] != 0 || buf[7] != 1)) codec_id = AV_CODEC_ID_CAVS; @@ -915,6 +923,10 @@ static int vobsub_read_packet(AVFormatContext *s, AVPacket *pkt) FFDemuxSubtitlesQueue *tmpq = &vobsub->q[i]; int64_t ts; av_assert0(tmpq->nb_subs); + + if (tmpq->current_sub_idx >= tmpq->nb_subs) + continue; + ts = tmpq->subs[tmpq->current_sub_idx].pts; if (ts < min_ts) { min_ts = ts; diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index 43ebc46e0e..1b0b532790 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -1215,7 +1215,7 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) if (s->is_dvd) { // min VOBU length 0.4 seconds (mpucoder) if (is_iframe && - (s->packet_number == 0 || + (s->packet_number == 0 || pts != AV_NOPTS_VALUE && (pts - stream->vobu_start_pts >= 36000))) { stream->bytes_to_iframe = av_fifo_size(stream->fifo); stream->align_iframe = 1; diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 47d8d5f877..edd193996e 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -138,7 +138,7 @@ struct MpegTSContext { int fix_teletext_pts; int64_t cur_pcr; /**< used to estimate the exact PCR */ - int pcr_incr; /**< used to estimate the exact PCR */ + int64_t pcr_incr; /**< used to estimate the exact PCR */ /* data needed to handle file based ts */ /** stop parsing loop */ @@ -1303,15 +1303,17 @@ skip: st = pst; } } - if (f->last_pcr != -1 && st && st->discard != AVDISCARD_ALL) { + if (f->last_pcr != -1 && !f->discard) { // teletext packets do not always have correct timestamps, // the standard says they should be handled after 40.6 ms at most, // and the pcr error to this packet should be no more than 100 ms. // TODO: we should interpolate the PCR, not just use the last one int64_t pcr = f->last_pcr / 300; pcr_found = 1; - pes->st->pts_wrap_reference = st->pts_wrap_reference; - pes->st->pts_wrap_behavior = st->pts_wrap_behavior; + if (st) { + pes->st->pts_wrap_reference = st->pts_wrap_reference; + pes->st->pts_wrap_behavior = st->pts_wrap_behavior; + } if (pes->dts == AV_NOPTS_VALUE || pes->dts < pcr) { pes->pts = pes->dts = pcr; } else if (pes->st->codecpar->codec_id == AV_CODEC_ID_DVB_TELETEXT && @@ -1624,6 +1626,8 @@ static int mp4_read_iods(AVFormatContext *s, const uint8_t *buf, unsigned size, MP4DescrParseContext d; int ret; + d.predefined_SLConfigDescriptor_seen = 0; + ret = init_MP4DescrParseContext(&d, s, buf, size, descr, max_descr_count); if (ret < 0) return ret; @@ -1723,6 +1727,13 @@ static void scte_data_cb(MpegTSFilter *filter, const uint8_t *section, if (idx < 0) return; + /** + * In case we receive an SCTE-35 packet before mpegts context is fully + * initialized. + */ + if (!ts->pkt) + return; + new_data_packet(section, section_len, ts->pkt); ts->pkt->stream_index = idx; prg = av_find_program_from_stream(ts->stream, NULL, idx); @@ -2577,13 +2588,12 @@ static int parse_pcr(int64_t *ppcr_high, int *ppcr_low, const uint8_t *packet); /* handle one TS packet */ -static int handle_packet(MpegTSContext *ts, const uint8_t *packet) +static int handle_packet(MpegTSContext *ts, const uint8_t *packet, int64_t pos) { MpegTSFilter *tss; int len, pid, cc, expected_cc, cc_ok, afc, is_start, is_discontinuity, has_adaptation, has_payload; const uint8_t *p, *p_end; - int64_t pos; pid = AV_RB16(packet + 1) & 0x1fff; is_start = packet[1] & 0x40; @@ -2650,7 +2660,6 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) if (p >= p_end || !has_payload) return 0; - pos = avio_tell(ts->stream->pb); if (pos >= 0) { av_assert0(pos >= TS_PACKET_SIZE); ts->pos47_full = pos - TS_PACKET_SIZE; @@ -2758,15 +2767,16 @@ static int mpegts_resync(AVFormatContext *s, int seekback, const uint8_t *curren AVIOContext *pb = s->pb; int c, i; uint64_t pos = avio_tell(pb); - - avio_seek(pb, -FFMIN(seekback, pos), SEEK_CUR); + int64_t back = FFMIN(seekback, pos); //Special case for files like 01c56b0dc1.ts - if (current_packet[0] == 0x80 && current_packet[12] == 0x47) { - avio_seek(pb, 12, SEEK_CUR); + if (current_packet[0] == 0x80 && current_packet[12] == 0x47 && pos >= TS_PACKET_SIZE) { + avio_seek(pb, 12 - TS_PACKET_SIZE, SEEK_CUR); return 0; } + avio_seek(pb, -back, SEEK_CUR); + for (i = 0; i < ts->resync_size; i++) { c = avio_r8(pb); if (avio_feof(pb)) @@ -2861,7 +2871,7 @@ static int handle_packets(MpegTSContext *ts, int64_t nb_packets) ret = read_packet(s, packet, ts->raw_packet_size, &data); if (ret != 0) break; - ret = handle_packet(ts, data); + ret = handle_packet(ts, data, avio_tell(s->pb)); finished_reading_packet(s, ts->raw_packet_size); if (ret != 0) break; @@ -3043,7 +3053,7 @@ static int mpegts_read_header(AVFormatContext *s) s->bit_rate = TS_PACKET_SIZE * 8 * 27000000LL / ts->pcr_incr; st->codecpar->bit_rate = s->bit_rate; st->start_time = ts->cur_pcr; - av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%d\n", + av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%"PRId64"\n", st->start_time / 1000000.0, pcrs[0] / 27e6, ts->pcr_incr); } @@ -3071,7 +3081,7 @@ static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; } if (data != pkt->data) - memcpy(pkt->data, data, ts->raw_packet_size); + memcpy(pkt->data, data, TS_PACKET_SIZE); finished_reading_packet(s, ts->raw_packet_size); if (ts->mpeg2ts_compute_pcr) { /* compute exact PCR for each packet */ @@ -3254,7 +3264,7 @@ int avpriv_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt, buf++; len--; } else { - handle_packet(ts, buf); + handle_packet(ts, buf, len1 - len + TS_PACKET_SIZE); buf += TS_PACKET_SIZE; len -= TS_PACKET_SIZE; if (ts->stop_parse == 1) diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index 4ae18390f0..bea258d9e9 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -55,7 +55,7 @@ static int mpl2_probe(const AVProbeData *p) return AVPROBE_SCORE_MAX; } -static int read_ts(char **line, int64_t *pts_start, int *duration) +static int read_ts(char **line, int64_t *pts_start, int64_t *duration) { char c; int len; @@ -69,7 +69,10 @@ static int read_ts(char **line, int64_t *pts_start, int *duration) } if (sscanf(*line, "[%"SCNd64"][%"SCNd64"]%c%n", pts_start, &end, &c, &len) >= 3) { - *duration = end - *pts_start; + if (end < *pts_start || end - (uint64_t)*pts_start > INT64_MAX) { + *duration = -1; + } else + *duration = end - *pts_start; *line += len - 1; return 0; } @@ -97,7 +100,7 @@ static int mpl2_read_header(AVFormatContext *s) const int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line, sizeof(line)); int64_t pts_start; - int duration; + int64_t duration; if (!len) break; @@ -108,8 +111,10 @@ static int mpl2_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&mpl2->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&mpl2->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index 4ff49ba3cf..4297fc4b05 100644 --- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -97,8 +97,10 @@ static int mpsub_read_header(AVFormatContext *s) } st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + res = AVERROR(ENOMEM); + goto end; + } avpriv_set_pts_info(st, 64, pts_info.den, pts_info.num); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; @@ -106,6 +108,9 @@ static int mpsub_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &mpsub->q); end: + if (res < 0) + ff_subtitles_queue_clean(&mpsub->q); + av_bprint_finalize(&buf, NULL); return res; } diff --git a/libavformat/msf.c b/libavformat/msf.c index 155f488e44..1eaed54357 100644 --- a/libavformat/msf.c +++ b/libavformat/msf.c @@ -70,6 +70,8 @@ static int msf_read_header(AVFormatContext *s) case 4: case 5: case 6: st->codecpar->block_align = (codec == 4 ? 96 : codec == 5 ? 152 : 192) * st->codecpar->channels; + if (st->codecpar->channels > UINT16_MAX / 2048) + return AVERROR_INVALIDDATA; ret = ff_alloc_extradata(st->codecpar, 14); if (ret < 0) return ret; diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 4f75dcacdb..586d4520d7 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -156,10 +156,16 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, } else if (!strcmp(name, "NUM_CHANNELS")) { return set_channels(avctx, st, var_read_int(pb, size)); } else if (!strcmp(name, "SAMPLE_RATE")) { - st->codecpar->sample_rate = var_read_int(pb, size); + int sample_rate = var_read_int(pb, size); + if (sample_rate <= 0) + return AVERROR_INVALIDDATA; + st->codecpar->sample_rate = sample_rate; avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { - st->codecpar->bits_per_coded_sample = var_read_int(pb, size) * 8; + uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; + if (bpc > 16) + return AVERROR_INVALIDDATA; + st->codecpar->bits_per_coded_sample = bpc; } else return AVERROR_INVALIDDATA; @@ -241,7 +247,8 @@ static int read_table(AVFormatContext *avctx, AVStream *st, if (avio_feof(pb)) return AVERROR_EOF; - avio_read(pb, name, 16); + if (avio_read(pb, name, 16) != 16) + return AVERROR_INVALIDDATA; name[sizeof(name) - 1] = 0; size = avio_rb32(pb); if (size < 0) { @@ -264,9 +271,11 @@ static void read_index(AVIOContext *pb, AVStream *st) uint32_t pos = avio_rb32(pb); uint32_t size = avio_rb32(pb); avio_skip(pb, 8); + if (avio_feof(pb)) + return ; av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME); if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { - timestamp += size / (st->codecpar->channels * 2); + timestamp += size / (st->codecpar->channels * 2LL); } else { timestamp++; } @@ -353,7 +362,7 @@ static int mv_read_header(AVFormatContext *avctx) avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); - timestamp += asize / (ast->codecpar->channels * 2); + timestamp += asize / (ast->codecpar->channels * 2LL); } } else if (!version && avio_rb16(pb) == 3) { avio_skip(pb, 4); @@ -361,6 +370,12 @@ static int mv_read_header(AVFormatContext *avctx) if ((ret = read_table(avctx, NULL, parse_global_var)) < 0) return ret; + if (mv->nb_audio_tracks < 0 || mv->nb_video_tracks < 0 || + (mv->nb_audio_tracks == 0 && mv->nb_video_tracks == 0)) { + av_log(avctx, AV_LOG_ERROR, "Stream count is invalid.\n"); + return AVERROR_INVALIDDATA; + } + if (mv->nb_audio_tracks > 1) { avpriv_request_sample(avctx, "Multiple audio streams support"); return AVERROR_PATCHWELCOME; diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 9f90faf56b..6aad6cb86a 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -93,7 +93,7 @@ static int read_header(AVFormatContext *s) vst->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; vst->codecpar->codec_id = AV_CODEC_ID_MOTIONPIXELS; - mvi->get_int = (vst->codecpar->width * vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; + mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { @@ -119,9 +119,15 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) mvi->video_frame_size = (mvi->get_int)(pb); if (mvi->audio_size_left == 0) return AVERROR(EIO); + if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size || + mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS) + return AVERROR_INVALIDDATA; + count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; + if ((int64_t)count << MVI_FRAC_BITS > INT_MAX) + return AVERROR_INVALIDDATA; if ((ret = av_get_packet(pb, pkt, count)) < 0) return ret; pkt->stream_index = MVI_AUDIO_STREAM_INDEX; diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index bb72fb9841..533bd13a22 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -58,6 +58,7 @@ #include "mxf.h" #define MXF_MAX_CHUNK_SIZE (32 << 20) +#define RUN_IN_MAX (65535+1) // S377m-2004 section 5.5 and S377-1-2009 section 6.5, the +1 is to be slightly more tolerant typedef enum { Header, @@ -212,7 +213,7 @@ typedef struct MXFDescriptor { typedef struct MXFIndexTableSegment { UID uid; enum MXFMetadataSetType type; - int edit_unit_byte_count; + unsigned edit_unit_byte_count; int index_sid; int body_sid; AVRational index_edit_rate; @@ -330,9 +331,8 @@ static void mxf_free_metadataset(MXFMetadataSet **ctx, int freectx) MXFIndexTableSegment *seg; switch ((*ctx)->type) { case Descriptor: - av_freep(&((MXFDescriptor *)*ctx)->extradata); - break; case MultipleDescriptor: + av_freep(&((MXFDescriptor *)*ctx)->extradata); av_freep(&((MXFDescriptor *)*ctx)->sub_descriptors_refs); break; case Sequence: @@ -542,6 +542,10 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ + + if (st->codecpar->channels > 8) + return AVERROR_INVALIDDATA; + for (; end_ptr - buf_ptr >= st->codecpar->channels * 4; ) { for (i = 0; i < st->codecpar->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); @@ -601,10 +605,11 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv return AVERROR_INVALIDDATA; // enc. code size = klv_decode_ber_length(pb); - if (size < 32 || size - 32 < orig_size) + if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); - avio_read(pb, tmpbuf, 16); + if (avio_read(pb, tmpbuf, 16) != 16) + return AVERROR_INVALIDDATA; if (mxf->aesc) av_aes_crypt(mxf->aesc, tmpbuf, tmpbuf, 1, ivec, 1); if (memcmp(tmpbuf, checkv, 16)) @@ -713,6 +718,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size partition->index_sid = avio_rb32(pb); partition->body_offset = avio_rb64(pb); partition->body_sid = avio_rb32(pb); + if (partition->body_offset < 0) + return AVERROR_INVALIDDATA; + if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) { av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n"); return AVERROR_INVALIDDATA; @@ -866,6 +874,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i return AVERROR(EINVAL); buf_size = size + size / 2 + 1; + av_free(*str); *str = av_malloc(buf_size); if (!*str) return AVERROR(ENOMEM); @@ -1063,6 +1072,9 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg { int i, length; + if (segment->temporal_offset_entries) + return AVERROR_INVALIDDATA; + segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); @@ -1111,6 +1123,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int case 0x3F0B: segment->index_edit_rate.num = avio_rb32(pb); segment->index_edit_rate.den = avio_rb32(pb); + if (segment->index_edit_rate.num <= 0 || + segment->index_edit_rate.den <= 0) + return AVERROR_INVALIDDATA; av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num, segment->index_edit_rate.den); break; @@ -1258,7 +1273,8 @@ static int mxf_read_indirect_value(void *arg, AVIOContext *pb, int size) if (size <= 17) return 0; - avio_read(pb, key, 17); + if (avio_read(pb, key, 17) != 17) + return AVERROR_INVALIDDATA; /* TODO: handle other types of of indirect values */ if (memcmp(key, mxf_indirect_value_utf16le, 17) == 0) { return mxf_read_utf16le_string(pb, size - 17, &tagged_value->value); @@ -1576,9 +1592,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t if (edit_unit < s->index_start_position + s->index_duration) { int64_t index = edit_unit - s->index_start_position; - if (s->edit_unit_byte_count) + if (s->edit_unit_byte_count) { + if (index > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * index > INT64_MAX - offset_temp) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * index; - else { + } else { if (s->nb_index_entries == 2 * s->index_duration + 1) index *= 2; /* Avid index */ @@ -1597,6 +1617,11 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t return mxf_absolute_bodysid_offset(mxf, index_table->body_sid, offset_temp, offset_out, partition_out); } else { /* EditUnitByteCount == 0 for VBR indexes, which is fine since they use explicit StreamOffsets */ + if (s->edit_unit_byte_count && (s->index_duration > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * s->index_duration > INT64_MAX - offset_temp) + ) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * s->index_duration; } } @@ -2529,6 +2554,7 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) if (container_ul->desc) av_dict_set(&st->metadata, "data_type", container_ul->desc, 0); if (mxf->eia608_extract && + container_ul->desc && !strcmp(container_ul->desc, "vbi_vanc_smpte_436M")) { st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_EIA_608; @@ -2737,8 +2763,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF int ret; int tag = avio_rb16(pb); int size = avio_rb16(pb); /* KLV specified by 0x53 */ - uint64_t next = avio_tell(pb) + size; + int64_t next = avio_tell(pb); UID uid = {0}; + if (next < 0 || next > INT64_MAX - size) + return next < 0 ? next : AVERROR_INVALIDDATA; + next += size; av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size); if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */ @@ -3164,6 +3193,7 @@ static int mxf_read_header(AVFormatContext *s) KLVPacket klv; int64_t essence_offset = 0; int ret; + int64_t run_in; mxf->last_forward_tell = INT64_MAX; @@ -3173,7 +3203,10 @@ static int mxf_read_header(AVFormatContext *s) } avio_seek(s->pb, -14, SEEK_CUR); mxf->fc = s; - mxf->run_in = avio_tell(s->pb); + run_in = avio_tell(s->pb); + if (run_in < 0 || run_in > RUN_IN_MAX) + return AVERROR_INVALIDDATA; + mxf->run_in = run_in; mxf_read_random_index_pack(s); @@ -3286,9 +3319,8 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; - - while (b - a > 1) { - m = (a + b) >> 1; + while (b - 1 > a) { + m = (a + (uint64_t)b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; if (offset < current_offset) @@ -3358,7 +3390,7 @@ static int64_t mxf_set_current_edit_unit(MXFContext *mxf, AVStream *st, int64_t int64_t new_edit_unit; MXFIndexTable *t = mxf_find_index_table(mxf, track->index_sid); - if (!t || track->wrapping == UnknownWrapped) + if (!t || track->wrapping == UnknownWrapped || edit_unit > INT64_MAX - track->edit_units_per_packet) return -1; if (mxf_edit_unit_absolute_offset(mxf, t, edit_unit + track->edit_units_per_packet, track->edit_rate, NULL, &next_ofs, NULL, 0) < 0 && @@ -3508,8 +3540,8 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt) } else { if ((size = next_ofs - pos) <= 0) { av_log(s, AV_LOG_ERROR, "bad size: %"PRId64"\n", size); - ret = AVERROR_INVALIDDATA; - goto skip; + mxf->current_klv_data = (KLVPacket){{0}}; + return AVERROR_INVALIDDATA; } // We must not overread, because the next edit unit might be in another KLV if (size > max_data_size) @@ -3581,6 +3613,7 @@ static int mxf_read_close(AVFormatContext *s) for (i = 0; i < mxf->metadata_sets_count; i++) { mxf_free_metadataset(mxf->metadata_sets + i, 1); } + mxf->metadata_sets_count = 0; av_freep(&mxf->partitions); av_freep(&mxf->metadata_sets); av_freep(&mxf->aesc); @@ -3601,7 +3634,7 @@ static int mxf_read_close(AVFormatContext *s) static int mxf_probe(const AVProbeData *p) { const uint8_t *bufp = p->buf; - const uint8_t *end = p->buf + p->buf_size; + const uint8_t *end = p->buf + FFMIN(p->buf_size, RUN_IN_MAX + 1 + sizeof(mxf_header_partition_pack_key)); if (p->buf_size < sizeof(mxf_header_partition_pack_key)) return 0; diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index b677f6af8e..9a75899906 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1944,8 +1944,7 @@ static int mxf_write_partition(AVFormatContext *s, int bodysid, index_byte_count = 80; if (index_byte_count) { - // add encoded ber length - index_byte_count += 16 + klv_ber_length(index_byte_count); + index_byte_count += 16 + 4; // add encoded ber4 length index_byte_count += klv_fill_size(index_byte_count); } @@ -2248,14 +2247,14 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, { MXFContext *mxf = s->priv_data; MXFStreamContext *sc = st->priv_data; - H264SequenceParameterSet *sps = NULL; + H264SPS seq, *const sps = &seq; GetBitContext gb; const uint8_t *buf = pkt->data; const uint8_t *buf_end = pkt->data + pkt->size; const uint8_t *nal_end; uint32_t state = -1; int extra_size = 512; // support AVC Intra files without SPS/PPS header - int i, frame_size, slice_type, intra_only = 0; + int i, frame_size, slice_type, has_sps = 0, intra_only = 0, ret; for (;;) { buf = avpriv_find_start_code(buf, buf_end, &state); @@ -2270,11 +2269,12 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, break; nal_end = ff_avc_find_startcode(buf, buf_end); - sps = ff_avc_decode_sps(buf, nal_end - buf); - if (!sps) { + ret = ff_avc_decode_sps(sps, buf, nal_end - buf); + if (ret < 0) { av_log(s, AV_LOG_ERROR, "error parsing sps\n"); return 0; } + has_sps = 1; sc->aspect_ratio.num = st->codecpar->width * sps->sar.num; sc->aspect_ratio.den = st->codecpar->height * sps->sar.den; @@ -2320,7 +2320,7 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, if (mxf->header_written) return 1; - if (!sps) + if (!has_sps) sc->interlaced = st->codecpar->field_order != AV_FIELD_PROGRESSIVE ? 1 : 0; sc->codec_ul = NULL; frame_size = pkt->size + extra_size; @@ -2337,7 +2337,7 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, if (sc->interlaced) sc->field_dominance = 1; // top field first is mandatory for AVC Intra break; - } else if (sps && mxf_h264_codec_uls[i].frame_size == 0 && + } else if (has_sps && mxf_h264_codec_uls[i].frame_size == 0 && mxf_h264_codec_uls[i].profile == sps->profile_idc && (mxf_h264_codec_uls[i].intra_only < 0 || mxf_h264_codec_uls[i].intra_only == intra_only)) { @@ -2348,8 +2348,6 @@ static int mxf_parse_h264_frame(AVFormatContext *s, AVStream *st, } } - av_free(sps); - if (!sc->codec_ul) { av_log(s, AV_LOG_ERROR, "h264 profile not supported\n"); return 0; diff --git a/libavformat/network.h b/libavformat/network.h index 7f467304a8..71347e815b 100644 --- a/libavformat/network.h +++ b/libavformat/network.h @@ -50,6 +50,9 @@ #ifndef EINPROGRESS #define EINPROGRESS WSAEINPROGRESS #endif +#ifndef ENOTCONN +#define ENOTCONN WSAENOTCONN +#endif #define getsockopt(a, b, c, d, e) getsockopt(a, b, c, (char*) d, e) #define setsockopt(a, b, c, d, e) setsockopt(a, b, c, (const char*) d, e) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 3ef3843d5e..b2cbbfefaa 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -34,7 +34,7 @@ static int nist_probe(const AVProbeData *p) static int nist_read_header(AVFormatContext *s) { - char buffer[256], coding[32] = "pcm", format[32] = "01"; + char buffer[256]= {0}, coding[32] = "pcm", format[32] = "01"; int bps = 0, be = 0; int32_t header_size = -1; AVStream *st; @@ -90,6 +90,8 @@ static int nist_read_header(AVFormatContext *s) return 0; } else if (!memcmp(buffer, "channel_count", 13)) { sscanf(buffer, "%*s %*s %u", &st->codecpar->channels); + if (st->codecpar->channels <= 0 || st->codecpar->channels > INT16_MAX) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_byte_format", 18)) { sscanf(buffer, "%*s %*s %31s", format); @@ -109,10 +111,14 @@ static int nist_read_header(AVFormatContext *s) sscanf(buffer, "%*s %*s %"SCNd64, &st->duration); } else if (!memcmp(buffer, "sample_n_bytes", 14)) { sscanf(buffer, "%*s %*s %d", &bps); + if (bps > INT16_MAX/8U) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_rate", 11)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate); } else if (!memcmp(buffer, "sample_sig_bits", 15)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->bits_per_coded_sample); + if (st->codecpar->bits_per_coded_sample <= 0 || st->codecpar->bits_per_coded_sample > INT16_MAX) + return AVERROR_INVALIDDATA; } else { char key[32], value[32]; if (sscanf(buffer, "%31s %*s %31s", key, value) == 2) { diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 7aa1b605b0..0420fbabbe 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -211,6 +211,7 @@ static const AVCodecTag nsv_codec_audio_tags[] = { //static int nsv_load_index(AVFormatContext *s); static int nsv_read_chunk(AVFormatContext *s, int fill_header); +static int nsv_read_close(AVFormatContext *s); /* try to find something we recognize, and set the state accordingly */ static int nsv_resync(AVFormatContext *s) @@ -492,25 +493,32 @@ static int nsv_read_header(AVFormatContext *s) nsv->ahead[0].data = nsv->ahead[1].data = NULL; for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) { - if (nsv_resync(s) < 0) - return -1; + err = nsv_resync(s); + if (err < 0) + goto fail; if (nsv->state == NSV_FOUND_NSVF) { err = nsv_parse_NSVf_header(s); if (err < 0) - return err; + goto fail; } /* we need the first NSVs also... */ if (nsv->state == NSV_FOUND_NSVS) { err = nsv_parse_NSVs_header(s); if (err < 0) - return err; + goto fail; break; /* we just want the first one */ } } - if (s->nb_streams < 1) /* no luck so far */ - return -1; + if (s->nb_streams < 1) { /* no luck so far */ + err = AVERROR_INVALIDDATA; + goto fail; + } + /* now read the first chunk, so we can attempt to decode more info */ err = nsv_read_chunk(s, 1); +fail: + if (err < 0) + nsv_read_close(s); av_log(s, AV_LOG_TRACE, "parsed header\n"); return err; @@ -595,7 +603,7 @@ null_chunk_retry: pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ /* on ALL audio chunks ?? seems so! */ - if (asize && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { + if (asize >= 4 && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { uint8_t bps; uint8_t channels; uint16_t samplerate; diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 979cb9a031..3ac9cb6b53 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -193,13 +193,15 @@ static int decode_main_header(NUTContext *nut) { AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; - uint64_t tmp, end; + uint64_t tmp, end, length; unsigned int stream_count; int i, j, count, ret; int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; - end = get_packetheader(nut, bc, 1, MAIN_STARTCODE); - end += avio_tell(bc); + length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + if (length == (uint64_t)-1) + return AVERROR_INVALIDDATA; + end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); if (nut->version < NUT_MIN_VERSION || @@ -219,7 +221,7 @@ static int decode_main_header(NUTContext *nut) nut->max_distance = 65536; } - GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational)); + GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational) && tmp < length/2); nut->time_base = av_malloc_array(nut->time_base_count, sizeof(AVRational)); if (!nut->time_base) return AVERROR(ENOMEM); @@ -242,6 +244,11 @@ static int decode_main_header(NUTContext *nut) for (i = 0; i < 256;) { int tmp_flags = ffio_read_varlen(bc); int tmp_fields = ffio_read_varlen(bc); + if (tmp_fields < 0) { + av_log(s, AV_LOG_ERROR, "fields %d is invalid\n", tmp_fields); + ret = AVERROR_INVALIDDATA; + goto fail; + } if (tmp_fields > 0) tmp_pts = get_s(bc); @@ -260,7 +267,7 @@ static int decode_main_header(NUTContext *nut) if (tmp_fields > 5) count = ffio_read_varlen(bc); else - count = tmp_mul - tmp_size; + count = tmp_mul - (unsigned)tmp_size; if (tmp_fields > 6) get_s(bc); if (tmp_fields > 7) @@ -286,6 +293,11 @@ static int decode_main_header(NUTContext *nut) ret = AVERROR_INVALIDDATA; goto fail; } + if (tmp_size < 0 || tmp_size > INT_MAX - count) { + av_log(s, AV_LOG_ERROR, "illegal size\n"); + ret = AVERROR_INVALIDDATA; + goto fail; + } for (j = 0; j < count; j++, i++) { if (i == 'N') { diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index e9a3bb49db..7405dc28cc 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -789,11 +789,12 @@ static int get_needed_flags(NUTContext *nut, StreamContext *nus, FrameCode *fc, flags |= FLAG_CHECKSUM; if (FFABS(pkt->pts - nus->last_pts) > nus->max_pts_distance) flags |= FLAG_CHECKSUM; - if (pkt->size < nut->header_len[fc->header_idx] || - (pkt->size > 4096 && fc->header_idx) || - memcmp(pkt->data, nut->header[fc->header_idx], - nut->header_len[fc->header_idx])) - flags |= FLAG_HEADER_IDX; + if (fc->header_idx) + if (pkt->size < nut->header_len[fc->header_idx] || + pkt->size > 4096 || + memcmp(pkt->data, nut->header [fc->header_idx], + nut->header_len[fc->header_idx])) + flags |= FLAG_HEADER_IDX; return flags | (fc->flags & FLAG_CODED); } @@ -1170,8 +1171,11 @@ static int nut_write_trailer(AVFormatContext *s) while (nut->header_count < 3) write_headers(s, bc); + if (!nut->sp_count) + return 0; + ret = avio_open_dyn_buf(&dyn_bc); - if (ret >= 0 && nut->sp_count) { + if (ret >= 0) { av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written write_index(nut, dyn_bc); put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE); diff --git a/libavformat/nuv.c b/libavformat/nuv.c index a1edbf88df..32438e89dd 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -121,6 +121,10 @@ static int get_codec_data(AVFormatContext *s, AVIOContext *pb, AVStream *vst, ast->codecpar->bits_per_coded_sample = avio_rl32(pb); ast->codecpar->channels = avio_rl32(pb); ast->codecpar->channel_layout = 0; + if (ast->codecpar->channels <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid channels %d\n", ast->codecpar->channels); + return AVERROR_INVALIDDATA; + } id = ff_wav_codec_get_id(ast->codecpar->codec_tag, ast->codecpar->bits_per_coded_sample); diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index e815f42134..4f62da3b9d 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -216,7 +216,8 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, int nsegs) uint8_t magic[8]; int64_t pos = avio_tell(s->pb); avio_skip(s->pb, nsegs); - avio_read(s->pb, magic, sizeof(magic)); + if (avio_read(s->pb, magic, sizeof(magic)) != sizeof(magic)) + return AVERROR_INVALIDDATA; avio_seek(s->pb, pos, SEEK_SET); codec = ogg_find_codec(magic, sizeof(magic)); if (!codec) { @@ -388,6 +389,9 @@ static int ogg_read_page(AVFormatContext *s, int *sid) avio_skip(bc, 8); /* seq, crc */ nsegs = avio_r8(bc); + if (avio_feof(bc)) + return AVERROR_EOF; + idx = ogg_find_stream(ogg, serial); if (idx < 0) { if (data_packets_seen(ogg)) diff --git a/libavformat/oggenc.c b/libavformat/oggenc.c index 06021c4f4b..dea390b015 100644 --- a/libavformat/oggenc.c +++ b/libavformat/oggenc.c @@ -547,7 +547,6 @@ static int ogg_init(AVFormatContext *s) &st->metadata); if (err) { av_log(s, AV_LOG_ERROR, "Error writing FLAC headers\n"); - av_freep(&st->priv_data); return err; } } else if (st->codecpar->codec_id == AV_CODEC_ID_SPEEX) { @@ -556,7 +555,6 @@ static int ogg_init(AVFormatContext *s) &st->metadata); if (err) { av_log(s, AV_LOG_ERROR, "Error writing Speex headers\n"); - av_freep(&st->priv_data); return err; } } else if (st->codecpar->codec_id == AV_CODEC_ID_OPUS) { @@ -565,7 +563,6 @@ static int ogg_init(AVFormatContext *s) &st->metadata, s->chapters, s->nb_chapters); if (err) { av_log(s, AV_LOG_ERROR, "Error writing Opus headers\n"); - av_freep(&st->priv_data); return err; } } else if (st->codecpar->codec_id == AV_CODEC_ID_VP8) { @@ -573,7 +570,6 @@ static int ogg_init(AVFormatContext *s) s->flags & AVFMT_FLAG_BITEXACT); if (err) { av_log(s, AV_LOG_ERROR, "Error writing VP8 headers\n"); - av_freep(&st->priv_data); return err; } } else { @@ -586,7 +582,7 @@ static int ogg_init(AVFormatContext *s) st->codecpar->codec_id == AV_CODEC_ID_VORBIS ? 30 : 42, (const uint8_t**)oggstream->header, oggstream->header_len) < 0) { av_log(s, AV_LOG_ERROR, "Extradata corrupted\n"); - av_freep(&st->priv_data); + oggstream->header[1] = NULL; return AVERROR_INVALIDDATA; } @@ -754,7 +750,6 @@ static void ogg_free(AVFormatContext *s) av_freep(&oggstream->header[0]); } av_freep(&oggstream->header[1]); - av_freep(&st->priv_data); } } diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 43f05f928a..f64a35489b 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -386,7 +386,12 @@ static int vorbis_header(AVFormatContext *s, int idx) } } } else { - int ret = fixup_vorbis_headers(s, priv, &st->codecpar->extradata); + int ret; + + if (priv->vp) + return AVERROR_INVALIDDATA; + + ret = fixup_vorbis_headers(s, priv, &st->codecpar->extradata); if (ret < 0) { st->codecpar->extradata_size = 0; return ret; diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 60cbf3a87f..fdfc0270b7 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -79,6 +79,13 @@ typedef struct OMAContext { int (*read_packet)(AVFormatContext *s, AVPacket *pkt); } OMAContext; +static int oma_read_close(AVFormatContext *s) +{ + OMAContext *oc = s->priv_data; + av_freep(&oc->av_des); + return 0; +} + static void hex_log(AVFormatContext *s, int level, const char *name, const uint8_t *value, int len) { @@ -403,11 +410,14 @@ static int oma_read_header(AVFormatContext *s) } ret = avio_read(s->pb, buf, EA3_HEADER_SIZE); - if (ret < EA3_HEADER_SIZE) + if (ret < EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); return -1; + } if (memcmp(buf, ((const uint8_t[]){'E', 'A', '3'}), 3) || buf[4] != 0 || buf[5] != EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); av_log(s, AV_LOG_ERROR, "Couldn't find the EA3 header !\n"); return AVERROR_INVALIDDATA; } @@ -426,8 +436,10 @@ static int oma_read_header(AVFormatContext *s) codec_params = AV_RB24(&buf[33]); st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } st->start_time = 0; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; @@ -442,7 +454,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (samplerate != 44100) avpriv_request_sample(s, "Sample rate %d", samplerate); @@ -459,8 +472,8 @@ static int oma_read_header(AVFormatContext *s) /* fake the ATRAC3 extradata * (wav format, makes stream copy to wav work) */ - if (ff_alloc_extradata(st->codecpar, 14)) - return AVERROR(ENOMEM); + if ((ret = ff_alloc_extradata(st->codecpar, 14)) < 0) + goto fail; edata = st->codecpar->extradata; AV_WL16(&edata[0], 1); // always 1 @@ -477,7 +490,8 @@ static int oma_read_header(AVFormatContext *s) if (!channel_id) { av_log(s, AV_LOG_ERROR, "Invalid ATRAC-X channel id: %"PRIu32"\n", channel_id); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->channel_layout = ff_oma_chid_to_native_layout[channel_id - 1]; st->codecpar->channels = ff_oma_chid_to_num_channels[channel_id - 1]; @@ -485,7 +499,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->sample_rate = samplerate; st->codecpar->bit_rate = samplerate * framesize / (2048 / 8); @@ -525,12 +540,16 @@ static int oma_read_header(AVFormatContext *s) break; default: av_log(s, AV_LOG_ERROR, "Unsupported codec %d!\n", buf[32]); - return AVERROR(ENOSYS); + ret = AVERROR(ENOSYS); + goto fail; } st->codecpar->block_align = framesize; return 0; +fail: + oma_read_close(s); + return ret; } static int oma_read_packet(AVFormatContext *s, AVPacket *pkt) @@ -592,13 +611,6 @@ wipe: return err; } -static int oma_read_close(AVFormatContext *s) -{ - OMAContext *oc = s->priv_data; - av_free(oc->av_des); - return 0; -} - AVInputFormat ff_oma_demuxer = { .name = "oma", .long_name = NULL_IF_CONFIG_SMALL("Sony OpenMG audio"), diff --git a/libavformat/paf.c b/libavformat/paf.c index b3c8e786bc..116c4e332f 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -75,14 +75,18 @@ static int read_close(AVFormatContext *s) return 0; } -static void read_table(AVFormatContext *s, uint32_t *table, uint32_t count) +static int read_table(AVFormatContext *s, uint32_t *table, uint32_t count) { int i; - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; table[i] = avio_rl32(s->pb); + } avio_skip(s->pb, 4 * (FFALIGN(count, 512) - count)); + return 0; } static int read_header(AVFormatContext *s) @@ -132,6 +136,10 @@ static int read_header(AVFormatContext *s) p->start_offset = avio_rl32(pb); p->max_video_blks = avio_rl32(pb); p->max_audio_blks = avio_rl32(pb); + + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if (p->buffer_size < 175 || p->max_audio_blks < 2 || p->max_video_blks < 1 || @@ -171,9 +179,15 @@ static int read_header(AVFormatContext *s) avio_seek(pb, p->buffer_size, SEEK_SET); - read_table(s, p->blocks_count_table, p->nb_frames); - read_table(s, p->frames_offset_table, p->nb_frames); - read_table(s, p->blocks_offset_table, p->frame_blks); + ret = read_table(s, p->blocks_count_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->frames_offset_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->blocks_offset_table, p->frame_blks); + if (ret < 0) + goto fail; p->got_audio = 0; p->current_frame = 0; diff --git a/libavformat/pcm.c b/libavformat/pcm.c index 767bbd045a..1effc0b6f8 100644 --- a/libavformat/pcm.c +++ b/libavformat/pcm.c @@ -39,7 +39,11 @@ int ff_pcm_read_packet(AVFormatContext *s, AVPacket *pkt) * Clamp to RAW_SAMPLES if larger. */ size = FFMAX(par->sample_rate/25, 1); - size = FFMIN(size, RAW_SAMPLES) * par->block_align; + if (par->block_align <= INT_MAX / RAW_SAMPLES) { + size = FFMIN(size, RAW_SAMPLES) * par->block_align; + } else { + size = par->block_align; + } ret = av_get_packet(s->pb, pkt, size); diff --git a/libavformat/pjsdec.c b/libavformat/pjsdec.c index 50b1a48e4e..e30c23d830 100644 --- a/libavformat/pjsdec.c +++ b/libavformat/pjsdec.c @@ -55,6 +55,8 @@ static int64_t read_ts(char **line, int *duration) if (sscanf(*line, "%"SCNd64",%"SCNd64, &start, &end) == 2) { *line += strcspn(*line, "\""); *line += !!**line; + if (end < start || end - (uint64_t)start > INT_MAX) + return AV_NOPTS_VALUE; *duration = end - start; return start; } @@ -92,8 +94,10 @@ static int pjs_read_header(AVFormatContext *s) p[strcspn(p, "\"")] = 0; sub = ff_subtitles_queue_insert(&pjs->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&pjs->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; diff --git a/libavformat/qcp.c b/libavformat/qcp.c index 168030dc16..4478875f2d 100644 --- a/libavformat/qcp.c +++ b/libavformat/qcp.c @@ -93,7 +93,8 @@ static int qcp_read_header(AVFormatContext *s) QCPContext *c = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); uint8_t buf[16]; - int i, nb_rates; + int i; + unsigned nb_rates; if (!st) return AVERROR(ENOMEM); diff --git a/libavformat/r3d.c b/libavformat/r3d.c index 224bcf780d..de11c85077 100644 --- a/libavformat/r3d.c +++ b/libavformat/r3d.c @@ -326,7 +326,8 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom) pkt->stream_index = 1; pkt->dts = dts; - if (st->codecpar->sample_rate) + + if (st->codecpar->sample_rate && samples > 0) pkt->duration = av_rescale(samples, st->time_base.den, st->codecpar->sample_rate); av_log(s, AV_LOG_TRACE, "pkt dts %"PRId64" duration %"PRId64" samples %d sample rate %d\n", pkt->dts, pkt->duration, samples, st->codecpar->sample_rate); diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index 59b49e3f77..526cce8c13 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -123,6 +123,8 @@ const AVOption ff_rawvideo_options[] = { { "raw_packet_size", "", OFFSET(raw_packet_size), AV_OPT_TYPE_INT, {.i64 = RAW_PACKET_SIZE }, 1, INT_MAX, DEC}, { NULL }, }; +#undef OFFSET +#define OFFSET(x) offsetof(FFRawDemuxerContext, x) const AVOption ff_raw_options[] = { { "raw_packet_size", "", OFFSET(raw_packet_size), AV_OPT_TYPE_INT, {.i64 = RAW_PACKET_SIZE }, 1, INT_MAX, DEC}, { NULL }, diff --git a/libavformat/rawdec.h b/libavformat/rawdec.h index 85e0790c86..34c8adcb19 100644 --- a/libavformat/rawdec.h +++ b/libavformat/rawdec.h @@ -95,7 +95,7 @@ static const AVClass name ## _demuxer_class = {\ }; #define FF_DEF_RAWSUB_DEMUXER(shortname, longname, probe, ext, id, flag)\ -FF_RAWVIDEO_DEMUXER_CLASS(shortname)\ +FF_RAWSUB_DEMUXER_CLASS(shortname)\ AVInputFormat ff_ ## shortname ## _demuxer = {\ .name = #shortname,\ .long_name = NULL_IF_CONFIG_SMALL(longname),\ diff --git a/libavformat/rawenc.c b/libavformat/rawenc.c index 993d232b70..32704f9bfd 100644 --- a/libavformat/rawenc.c +++ b/libavformat/rawenc.c @@ -39,6 +39,18 @@ static int force_one_stream(AVFormatContext *s) s->oformat->name); return AVERROR(EINVAL); } + if ( s->oformat->audio_codec != AV_CODEC_ID_NONE + && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_AUDIO) { + av_log(s, AV_LOG_ERROR, "%s files have exactly one audio stream\n", + s->oformat->name); + return AVERROR(EINVAL); + } + if ( s->oformat->video_codec != AV_CODEC_ID_NONE + && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) { + av_log(s, AV_LOG_ERROR, "%s files have exactly one video stream\n", + s->oformat->name); + return AVERROR(EINVAL); + } return 0; } diff --git a/libavformat/rdt.c b/libavformat/rdt.c index 60c36f09e6..1250c9d70a 100644 --- a/libavformat/rdt.c +++ b/libavformat/rdt.c @@ -204,6 +204,8 @@ ff_rdt_parse_header(const uint8_t *buf, int len, return -1; /* not followed by a data packet */ pkt_len = AV_RB16(buf+3); + if (pkt_len > len) + return AVERROR_INVALIDDATA; buf += pkt_len; len -= pkt_len; consumed += pkt_len; diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index e12871e6ad..77f5f5f537 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -87,6 +87,10 @@ static int realtext_read_header(AVFormatContext *s) /* save header to extradata */ const char *p = ff_smil_get_attr_ptr(buf.str, "duration"); + if (st->codecpar->extradata) { + res = AVERROR_INVALIDDATA; + goto end; + } if (p) duration = read_ts(p); st->codecpar->extradata = av_strdup(buf.str); @@ -107,10 +111,11 @@ static int realtext_read_header(AVFormatContext *s) if (!merge) { const char *begin = ff_smil_get_attr_ptr(buf.str, "begin"); const char *end = ff_smil_get_attr_ptr(buf.str, "end"); + int64_t endi = end ? read_ts(end) : 0; sub->pos = pos; sub->pts = begin ? read_ts(begin) : 0; - sub->duration = end ? (read_ts(end) - sub->pts) : duration; + sub->duration = (end && endi > sub->pts && endi - (uint64_t)sub->pts <= INT64_MAX) ? endi - sub->pts : duration; } } av_bprint_clear(&buf); @@ -119,6 +124,8 @@ static int realtext_read_header(AVFormatContext *s) end: av_bprint_finalize(&buf, NULL); + if (res < 0) + ff_subtitles_queue_clean(&rt->q); return res; } diff --git a/libavformat/replaygain.c b/libavformat/replaygain.c index 707d3cd4f1..01db483257 100644 --- a/libavformat/replaygain.c +++ b/libavformat/replaygain.c @@ -61,7 +61,7 @@ static int32_t parse_value(const char *value, int32_t min) } } - if (abs(db) > (INT32_MAX - mb) / 100000) + if (llabs(db) > (INT32_MAX - mb) / 100000) return min; return db * 100000 + sign * mb; diff --git a/libavformat/riff.c b/libavformat/riff.c index e755ad8d5f..52b0bf8f03 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -491,6 +491,11 @@ const AVCodecTag ff_codec_bmp_tags[] = { { AV_CODEC_ID_NONE, 0 } }; +const AVCodecTag ff_codec_bmp_tags_unofficial[] = { + { AV_CODEC_ID_HEVC, MKTAG('H', 'E', 'V', 'C') }, + { AV_CODEC_ID_NONE, 0 } +}; + const AVCodecTag ff_codec_wav_tags[] = { { AV_CODEC_ID_PCM_S16LE, 0x0001 }, /* must come after s16le in this list */ diff --git a/libavformat/riff.h b/libavformat/riff.h index 323aa38b4d..21078b77c8 100644 --- a/libavformat/riff.h +++ b/libavformat/riff.h @@ -73,6 +73,8 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, AVCodecParameters *pa extern const AVCodecTag ff_codec_bmp_tags[]; // exposed through avformat_get_riff_video_tags() extern const AVCodecTag ff_codec_wav_tags[]; +extern const AVCodecTag ff_codec_bmp_tags_unofficial[]; + void ff_parse_specific_params(AVStream *st, int *au_rate, int *au_ssize, int *au_scale); int ff_read_riff_info(AVFormatContext *s, int64_t size); diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index c9abd38d33..a2ff061c9b 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -164,7 +164,11 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_rb16(pb); /* version2 */ avio_rb32(pb); /* header size */ flavor= avio_rb16(pb); /* add codec info / flavor */ - ast->coded_framesize = coded_framesize = avio_rb32(pb); /* coded frame size */ + coded_framesize = avio_rb32(pb); /* coded frame size */ + if (coded_framesize < 0) + return AVERROR_INVALIDDATA; + ast->coded_framesize = coded_framesize; + avio_rb32(pb); /* ??? */ bytes_per_minute = avio_rb32(pb); if (version == 4) { @@ -184,7 +188,8 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codecpar->channels = avio_rb16(pb); if (version == 5) { ast->deint_id = avio_rl32(pb); - avio_read(pb, buf, 4); + if (avio_read(pb, buf, 4) != 4) + return AVERROR_INVALIDDATA; buf[4] = 0; } else { AV_WL32(buf, 0); @@ -218,7 +223,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } @@ -249,7 +254,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } @@ -264,9 +269,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2LL + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2LL*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } @@ -291,7 +296,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, ast->deint_id == DEINT_ID_GENR || ast->deint_id == DEINT_ID_SIPR) { if (st->codecpar->block_align <= 0 || - ast->audio_framesize * sub_packet_h > (unsigned)INT_MAX || + ast->audio_framesize * (uint64_t)sub_packet_h > (unsigned)INT_MAX || ast->audio_framesize * sub_packet_h < st->codecpar->block_align) return AVERROR_INVALIDDATA; if (av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h) < 0) @@ -322,6 +327,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, if (codec_data_size == 0) return 0; + // Duplicate tags + if ( st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN + && st->codecpar->codec_type != AVMEDIA_TYPE_DATA) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); @@ -453,6 +463,8 @@ static int rm_read_index(AVFormatContext *s) } for (n = 0; n < n_pkts; n++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 2); pts = avio_rb32(pb); pos = avio_rb32(pb); @@ -553,6 +565,8 @@ static int rm_read_header(AVFormatContext *s) } tag_size = avio_rb32(pb); + if (tag_size < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, tag_size - 8); for(;;) { @@ -696,21 +710,23 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre state= (state<<8) + avio_r8(pb); if(state == MKBETAG('I', 'N', 'D', 'X')){ - int n_pkts, expected_len; + int n_pkts; + int64_t expected_len; len = avio_rb32(pb); avio_skip(pb, 2); n_pkts = avio_rb32(pb); - expected_len = 20 + n_pkts * 14; - if (len == 20) + expected_len = 20 + n_pkts * 14LL; + + if (len == 20 && expected_len <= INT_MAX) /* some files don't add index entries to chunk size... */ len = expected_len; else if (len != expected_len) av_log(s, AV_LOG_WARNING, - "Index size %d (%d pkts) is wrong, should be %d.\n", + "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); - len -= 14; // we already read part of the index header - if(len<0) + if(len < 14) continue; + len -= 14; // we already read part of the index header goto skip; } else if (state == MKBETAG('D','A','T','A')) { av_log(s, AV_LOG_WARNING, @@ -1003,8 +1019,8 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) { RMDemuxContext *rm = s->priv_data; AVStream *st = NULL; // init to silence compiler warning - int i, len, res, seq = 1; - int64_t timestamp, pos; + int i, res, seq = 1; + int64_t timestamp, pos, len; int flags; for (;;) { @@ -1023,7 +1039,9 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) ast = st->priv_data; timestamp = AV_NOPTS_VALUE; len = !ast->audio_framesize ? RAW_PACKET_SIZE : - ast->coded_framesize * ast->sub_packet_h / 2; + ast->coded_framesize * (int64_t)ast->sub_packet_h / 2; + if (len > INT_MAX) + return AVERROR_INVALIDDATA; flags = (seq++ == 1) ? 2 : 0; pos = avio_tell(s->pb); } else { @@ -1174,7 +1192,7 @@ static int ivr_read_header(AVFormatContext *s) uint8_t key[256], val[256]; AVIOContext *pb = s->pb; AVStream *st; - int64_t pos, offset, temp; + int64_t pos, offset=0, temp; pos = avio_tell(pb); tag = avio_rl32(pb); @@ -1191,6 +1209,8 @@ static int ivr_read_header(AVFormatContext *s) offset = temp; temp = avio_rb64(pb); } + if (offset <= 0) + return AVERROR_INVALIDDATA; avio_skip(pb, offset - avio_tell(pb)); if (avio_r8(pb) != 1) return AVERROR_INVALIDDATA; @@ -1281,8 +1301,11 @@ static int ivr_read_header(AVFormatContext *s) int j; av_log(s, AV_LOG_DEBUG, "%s = '0x", key); - for (j = 0; j < len; j++) + for (j = 0; j < len; j++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); + } av_log(s, AV_LOG_DEBUG, "'\n"); } else if (len == 4 && type == 3 && !strncmp(key, "Duration", tlen)) { st->duration = avio_rb32(pb); diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 6afd373810..59ad639cb0 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -101,9 +101,9 @@ static AVRational read_fps(const char* line, int* error) line++; for (; *line>='0' && *line<='9'; line++) { // Truncate any numerator too large to fit into an int64_t - if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) + if (num > (INT64_MAX - 9) / 10ULL || den > INT64_MAX / 10ULL) break; - num = 10 * num + *line - '0'; + num = 10 * num + (*line - '0'); den *= 10; } if (!num) @@ -117,7 +117,7 @@ static int rpl_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; RPLContext *rpl = s->priv_data; AVStream *vst = NULL, *ast = NULL; - int total_audio_size; + int64_t total_audio_size; int error = 0; const char *endptr; char audio_type[RPL_LINE_LENGTH]; @@ -207,8 +207,10 @@ static int rpl_read_header(AVFormatContext *s) ast->codecpar->bits_per_coded_sample = 4; ast->codecpar->bit_rate = ast->codecpar->sample_rate * - ast->codecpar->bits_per_coded_sample * - ast->codecpar->channels; + (int64_t)ast->codecpar->channels; + if (ast->codecpar->bit_rate > INT64_MAX / ast->codecpar->bits_per_coded_sample) + return AVERROR_INVALIDDATA; + ast->codecpar->bit_rate *= ast->codecpar->bits_per_coded_sample; ast->codecpar->codec_id = AV_CODEC_ID_NONE; switch (audio_format) { @@ -253,6 +255,9 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); } + if (s->nb_streams == 0) + return AVERROR_INVALIDDATA; + rpl->frames_per_chunk = read_line_and_int(pb, &error); // video frames per chunk if (vst && rpl->frames_per_chunk > 1 && vst->codecpar->codec_tag != 124) av_log(s, AV_LOG_WARNING, @@ -260,6 +265,9 @@ static int rpl_read_header(AVFormatContext *s) "Video stream will be broken!\n", av_fourcc2str(vst->codecpar->codec_tag)); number_of_chunks = read_line_and_int(pb, &error); // number of chunks in the file + if (number_of_chunks == INT_MAX) + return AVERROR_INVALIDDATA; + // The number in the header is actually the index of the last chunk. number_of_chunks++; @@ -271,7 +279,7 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); // size of "helpful" sprite if (vst) { error |= read_line(pb, line, sizeof(line)); // offset to key frame list - vst->duration = number_of_chunks * rpl->frames_per_chunk; + vst->duration = number_of_chunks * (int64_t)rpl->frames_per_chunk; } // Read the index @@ -291,6 +299,8 @@ static int rpl_read_header(AVFormatContext *s) if (ast) av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0); + if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8) + return AVERROR_INVALIDDATA; total_audio_size += audio_size * 8; } @@ -331,7 +341,7 @@ static int rpl_read_packet(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 4); /* flags */ frame_size = avio_rl32(pb); - if (avio_seek(pb, -8, SEEK_CUR) < 0) + if (avio_feof(pb) || avio_seek(pb, -8, SEEK_CUR) < 0 || !frame_size) return AVERROR(EIO); ret = av_get_packet(pb, pkt, frame_size); diff --git a/libavformat/rsd.c b/libavformat/rsd.c index 396a431f34..0e2578e0e4 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -104,13 +104,9 @@ static int rsd_read_header(AVFormatContext *s) break; case AV_CODEC_ID_ADPCM_PSX: par->block_align = 16 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_IMA_RAD: par->block_align = 20 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_IMA_WAV: if (version == 2) @@ -118,8 +114,6 @@ static int rsd_read_header(AVFormatContext *s) par->bits_per_coded_sample = 4; par->block_align = 36 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_THP_LE: /* RSD3GADP is mono, so only alloc enough memory @@ -129,8 +123,6 @@ static int rsd_read_header(AVFormatContext *s) if ((ret = ff_get_extradata(s, par, s->pb, 32)) < 0) return ret; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_THP: par->block_align = 8 * par->channels; @@ -140,21 +132,41 @@ static int rsd_read_header(AVFormatContext *s) return ret; for (i = 0; i < par->channels; i++) { + if (avio_feof(pb)) + return AVERROR_EOF; avio_read(s->pb, st->codecpar->extradata + 32 * i, 32); avio_skip(s->pb, 8); } - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = (avio_size(pb) - start) / (8 * par->channels) * 14; break; case AV_CODEC_ID_PCM_S16LE: case AV_CODEC_ID_PCM_S16BE: if (version != 4) start = avio_rl32(pb); - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = (avio_size(pb) - start) / 2 / par->channels; break; } + if (start < 0) + return AVERROR_INVALIDDATA; + + if (pb->seekable & AVIO_SEEKABLE_NORMAL) { + int64_t remaining = avio_size(pb); + + if (remaining >= start && remaining - start <= INT_MAX) + switch (par->codec_id) { + case AV_CODEC_ID_ADPCM_PSX: + case AV_CODEC_ID_ADPCM_IMA_RAD: + case AV_CODEC_ID_ADPCM_IMA_WAV: + case AV_CODEC_ID_ADPCM_THP_LE: + st->duration = av_get_audio_frame_duration2(par, remaining - start); + break; + case AV_CODEC_ID_ADPCM_THP: + st->duration = (remaining - start) / (8 * par->channels) * 14; + break; + case AV_CODEC_ID_PCM_S16LE: + case AV_CODEC_ID_PCM_S16BE: + st->duration = (remaining - start) / 2 / par->channels; + } + } avio_skip(pb, start - avio_tell(pb)); if (par->codec_id == AV_CODEC_ID_XMA2) { diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 1eeae17337..64e014aa19 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -437,7 +437,6 @@ static int amf_tag_skip(GetByteContext *gb) { AMFDataType type; unsigned nb = -1; - int parse_key = 1; if (bytestream2_get_bytes_left(gb) < 1) return -1; @@ -462,13 +461,12 @@ static int amf_tag_skip(GetByteContext *gb) bytestream2_skip(gb, 10); return 0; case AMF_DATA_TYPE_ARRAY: - parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: - while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { + while (type != AMF_DATA_TYPE_ARRAY || nb-- > 0) { int t; - if (parse_key) { + if (type != AMF_DATA_TYPE_ARRAY) { int size = bytestream2_get_be16(gb); if (!size) { bytestream2_get_byte(gb); diff --git a/libavformat/rtpenc_vc2hq.c b/libavformat/rtpenc_vc2hq.c index 085204fa64..cf548191d2 100644 --- a/libavformat/rtpenc_vc2hq.c +++ b/libavformat/rtpenc_vc2hq.c @@ -45,7 +45,7 @@ static void send_packet(AVFormatContext *ctx, uint8_t parse_code, int info_hdr_s ff_rtp_send_data(ctx, rtp_ctx->buf, RTP_VC2HQ_PL_HEADER_SIZE + info_hdr_size + size, rtp_m); } -static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) +static int send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) { RTPMuxContext *rtp_ctx = ctx->priv_data; GetBitContext gc; @@ -54,6 +54,9 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int uint16_t frag_len; char *info_hdr = &rtp_ctx->buf[4]; + if (size < DIRAC_PIC_NR_SIZE) + return AVERROR(EINVAL); + pic_nr = AV_RB32(&buf[0]); buf += DIRAC_PIC_NR_SIZE; size -= DIRAC_PIC_NR_SIZE; @@ -97,6 +100,7 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int send_packet(ctx, DIRAC_RTP_PCODE_HQ_PIC_FRAGMENT, 16, buf, frag_len, interlaced, second_field, size > 0 ? 0 : 1); buf += frag_len; } + return 0; } void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame_size, int interlaced) @@ -110,16 +114,21 @@ void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame parse_code = unit[4]; unit_size = AV_RB32(&unit[5]); + if (unit_size > end - unit) + break; + switch (parse_code) { /* sequence header */ /* end of sequence */ case DIRAC_PCODE_SEQ_HEADER: case DIRAC_PCODE_END_SEQ: - send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); break; /* HQ picture */ case DIRAC_PCODE_PICTURE_HQ: - send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); break; /* parse codes without specification */ case DIRAC_PCODE_AUX: diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index c153cac88b..35e0a3de0e 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -382,7 +382,7 @@ static void parse_fmtp(AVFormatContext *s, RTSPState *rt, if (rtsp_st->sdp_payload_type == payload_type && rtsp_st->dynamic_handler && rtsp_st->dynamic_handler->parse_sdp_a_line) { - rtsp_st->dynamic_handler->parse_sdp_a_line(s, i, + rtsp_st->dynamic_handler->parse_sdp_a_line(s, rtsp_st->stream_index, rtsp_st->dynamic_protocol_context, line); } } @@ -932,6 +932,8 @@ static void rtsp_parse_transport(AVFormatContext *s, ";,", &p); } th->transport = RTSP_TRANSPORT_RAW; + } else { + break; } if (!av_strcasecmp(lower_transport, "TCP")) th->lower_transport = RTSP_LOWER_TRANSPORT_TCP; @@ -1318,6 +1320,9 @@ static int rtsp_send_cmd_with_content_async(AVFormatContext *s, char buf[4096], *out_buf; char base64buf[AV_BASE64_SIZE(sizeof(buf))]; + if (!rt->rtsp_hd_out) + return ENOTCONN; + /* Add in RTSP headers */ out_buf = buf; rt->seq++; @@ -1392,7 +1397,7 @@ retry: cur_auth_type = rt->auth_state.auth_type; if ((ret = rtsp_send_cmd_with_content_async(s, method, url, header, send_content, - send_content_length))) + send_content_length)) < 0) return ret; if ((ret = ff_rtsp_read_reply(s, reply, content_ptr, 0, method) ) < 0) @@ -1425,6 +1430,8 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, char cmd[2048]; const char *trans_pref; + memset(&reply1, 0, sizeof(reply1)); + if (rt->transport == RTSP_TRANSPORT_RDT) trans_pref = "x-pn-tng"; else if (rt->transport == RTSP_TRANSPORT_RAW) @@ -1535,7 +1542,11 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, else if (lower_transport == RTSP_LOWER_TRANSPORT_UDP_MULTICAST) { snprintf(transport, sizeof(transport) - 1, "%s/UDP;multicast", trans_pref); + } else { + err = AVERROR(EINVAL); + goto fail; // transport would be uninitialized } + if (s->oformat) { av_strlcat(transport, ";mode=record", sizeof(transport)); } else if (rt->server_type == RTSP_SERVER_REAL || diff --git a/libavformat/samidec.c b/libavformat/samidec.c index fd98393086..cf5076c7b8 100644 --- a/libavformat/samidec.c +++ b/libavformat/samidec.c @@ -95,6 +95,11 @@ static int sami_read_header(AVFormatContext *s) const char *p = ff_smil_get_attr_ptr(buf.str, "Start"); sub->pos = pos; sub->pts = p ? strtol(p, NULL, 10) : 0; + if (sub->pts <= INT64_MIN/2 || sub->pts >= INT64_MAX/2) { + res = AVERROR_PATCHWELCOME; + goto end; + } + sub->duration = -1; } } @@ -108,6 +113,8 @@ static int sami_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &sami->q); end: + if (res < 0) + ff_subtitles_queue_clean(&sami->q); av_bprint_finalize(&buf, NULL); return res; } diff --git a/libavformat/sapdec.c b/libavformat/sapdec.c index eddeddeaea..b7bcbcc6a8 100644 --- a/libavformat/sapdec.c +++ b/libavformat/sapdec.c @@ -195,6 +195,9 @@ static int sap_fetch_packet(AVFormatContext *s, AVPacket *pkt) struct pollfd p = {fd, POLLIN, 0}; uint8_t recvbuf[RTP_MAX_PACKET_LENGTH]; + if (fd < 0) + return fd; + if (sap->eof) return AVERROR_EOF; diff --git a/libavformat/sauce.c b/libavformat/sauce.c index 5ac9ca9d14..a9ee9697a3 100644 --- a/libavformat/sauce.c +++ b/libavformat/sauce.c @@ -34,7 +34,12 @@ int ff_sauce_read(AVFormatContext *avctx, uint64_t *fsize, int *got_width, int g AVIOContext *pb = avctx->pb; char buf[36]; int datatype, filetype, t1, t2, nb_comments; - uint64_t start_pos = avio_size(pb) - 128; + int64_t start_pos = avio_size(pb); + + if (start_pos < 128) + return AVERROR_INVALIDDATA; + + start_pos -= 128; avio_seek(pb, start_pos, SEEK_SET); if (avio_read(pb, buf, 7) != 7) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 4155395da0..bb5c60b13a 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -181,6 +181,7 @@ static int str_to_time(const char *str, int64_t *rtime) char *end; int hours, minutes; double seconds = 0; + int64_t ts = 0; if (*cur < '0' || *cur > '9') return 0; @@ -196,8 +197,9 @@ static int str_to_time(const char *str, int64_t *rtime) seconds = strtod(cur + 1, &end); if (end > cur + 1) cur = end; + ts = av_clipd(seconds * AV_TIME_BASE, INT64_MIN/2, INT64_MAX/2); } - *rtime = (hours * 3600LL + minutes * 60LL + seconds) * AV_TIME_BASE; + *rtime = (hours * 3600LL + minutes * 60LL) * AV_TIME_BASE + ts; return cur - str; } @@ -382,7 +384,7 @@ static int parse_options(struct sbg_parser *p) case 'L': FORWARD_ERROR(parse_optarg(p, opt, &oarg)); r = str_to_time(oarg.s, &p->scs.opt_duration); - if (oarg.e != oarg.s + r) { + if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { snprintf(p->err_msg, sizeof(p->err_msg), "syntax error for option -L"); return AVERROR_INVALIDDATA; @@ -1270,7 +1272,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, /* SBaGen handles the time before and after the extremal events, and the corresponding transitions, as if the sequence were cyclic with a 24-hours period. */ - period = s->events[s->nb_events - 1].ts - s->events[0].ts; + period = s->events[s->nb_events - 1].ts - (uint64_t)s->events[0].ts; + if (period < 0) + return AVERROR_INVALIDDATA; + period = (period + (DAY_TS - 1)) / DAY_TS * DAY_TS; period = FFMAX(period, DAY_TS); @@ -1279,6 +1284,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, ev1 = &s->events[i]; ev2 = &s->events[(i + 1) % s->nb_events]; ev1->ts_int = ev1->ts; + + if (!ev1->fade.slide && ev1 >= ev2 && ev2->ts > INT64_MAX - period) + return AVERROR_INVALIDDATA; + ev1->ts_trans = ev1->fade.slide ? ev1->ts : ev2->ts + (ev1 < ev2 ? 0 : period); } @@ -1411,6 +1420,11 @@ static av_cold int sbg_read_header(AVFormatContext *avf) if (r < 0) goto fail; + if (script.end_ts != AV_NOPTS_VALUE && script.end_ts < script.start_ts) { + r = AVERROR_INVALIDDATA; + goto fail; + } + st = avformat_new_stream(avf, NULL); if (!st) return AVERROR(ENOMEM); diff --git a/libavformat/sccdec.c b/libavformat/sccdec.c index 412d8aaf49..b0b3ac1005 100644 --- a/libavformat/sccdec.c +++ b/libavformat/sccdec.c @@ -133,7 +133,7 @@ try_again: sub = ff_subtitles_queue_insert(&scc->q, out, i, 0); if (!sub) - return AVERROR(ENOMEM); + goto fail; sub->pos = pos; sub->pts = ts_start; @@ -149,6 +149,9 @@ try_again: ff_subtitles_queue_finalize(s, &scc->q); return ret; +fail: + ff_subtitles_queue_clean(&scc->q); + return AVERROR(ENOMEM); } static int scc_read_packet(AVFormatContext *s, AVPacket *pkt) diff --git a/libavformat/sctp.c b/libavformat/sctp.c index 9a80e9b015..be0cb47865 100644 --- a/libavformat/sctp.c +++ b/libavformat/sctp.c @@ -282,6 +282,8 @@ fail: goto restart; } fail1: + if (fd >= 0) + closesocket(fd); ret = AVERROR(EIO); freeaddrinfo(ai); return ret; diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 34e9839b67..5343e8d1d3 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -195,6 +195,8 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) continue; } if (p != (psets + strlen(pset_string))) { + if (p - psets >= MAX_PSET_SIZE) + goto fail_in_loop; *p = ','; p++; } @@ -204,6 +206,7 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) } if (!av_base64_encode(p, MAX_PSET_SIZE - (p - psets), r, r1 - r)) { av_log(s, AV_LOG_ERROR, "Cannot Base64-encode %"PTRDIFF_SPECIFIER" %"PTRDIFF_SPECIFIER"!\n", MAX_PSET_SIZE - (p - psets), r1 - r); +fail_in_loop: av_free(psets); av_free(tmpbuf); @@ -212,7 +215,7 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) p += strlen(p); r = r1; } - if (sps && sps_end - sps >= 4) { + if (sps && sps_end - sps >= 4 && p - psets <= MAX_PSET_SIZE - strlen(profile_string) - 7) { memcpy(p, profile_string, strlen(profile_string)); p += strlen(p); ff_data_to_hex(p, sps + 1, 3, 0); diff --git a/libavformat/sdsdec.c b/libavformat/sdsdec.c index 9c361cdff2..2f4056c8b3 100644 --- a/libavformat/sdsdec.c +++ b/libavformat/sdsdec.c @@ -112,7 +112,7 @@ static int sds_read_header(AVFormatContext *ctx) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->channels = 1; st->codecpar->sample_rate = sample_period ? 1000000000 / sample_period : 16000; - st->duration = (avio_size(pb) - 21) / (127) * s->size / 4; + st->duration = av_rescale((avio_size(pb) - 21) / 127, s->size, 4); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 777606bcb6..b4f9af68da 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -144,8 +144,11 @@ static int film_read_header(AVFormatContext *s) film->video_type = AV_CODEC_ID_NONE; } + if (film->video_type == AV_CODEC_ID_NONE && film->audio_type == AV_CODEC_ID_NONE) + return AVERROR_INVALIDDATA; + /* initialize the decoder streams */ - if (film->video_type) { + if (film->video_type != AV_CODEC_ID_NONE) { st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); @@ -166,7 +169,7 @@ static int film_read_header(AVFormatContext *s) } } - if (film->audio_type) { + if (film->audio_type != AV_CODEC_ID_NONE) { st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); @@ -236,12 +239,13 @@ static int film_read_header(AVFormatContext *s) else if (film->audio_type != AV_CODEC_ID_NONE) audio_frame_counter += (film->sample_table[i].sample_size / (film->audio_channels * film->audio_bits / 8)); + film->sample_table[i].keyframe = 1; } else { film->sample_table[i].stream = film->video_stream_index; film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF; film->sample_table[i].keyframe = (scratch[8] & 0x80) ? 0 : AVINDEX_KEYFRAME; video_frame_counter++; - if (film->video_type) + if (film->video_type != AV_CODEC_ID_NONE) av_add_index_entry(s->streams[film->video_stream_index], film->sample_table[i].sample_offset, film->sample_table[i].pts, @@ -250,10 +254,10 @@ static int film_read_header(AVFormatContext *s) } } - if (film->audio_type) + if (film->audio_type != AV_CODEC_ID_NONE) s->streams[film->audio_stream_index]->duration = audio_frame_counter; - if (film->video_type) + if (film->video_type != AV_CODEC_ID_NONE) s->streams[film->video_stream_index]->duration = video_frame_counter; film->current_sample = 0; diff --git a/libavformat/segafilmenc.c b/libavformat/segafilmenc.c index 524230e461..7aad8084a5 100644 --- a/libavformat/segafilmenc.c +++ b/libavformat/segafilmenc.c @@ -70,7 +70,7 @@ static int film_write_packet_to_header(AVFormatContext *format_context, FILMPack info2 = pkt->duration; /* The top bit being set indicates a key frame */ if (!pkt->keyframe) - info1 |= (1 << 31); + info1 |= 1U << 31; } /* Write the 16-byte sample info packet to the STAB chunk in the header */ diff --git a/libavformat/shortendec.c b/libavformat/shortendec.c index a2879dc5a3..f7390b2e62 100644 --- a/libavformat/shortendec.c +++ b/libavformat/shortendec.c @@ -40,12 +40,18 @@ static int shn_probe(const AVProbeData *p) channels = get_ur_golomb_shorten(&gb, 0); blocksize = 256; } else { - int k; + unsigned k; k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; internal_ftype = get_ur_golomb_shorten(&gb, k); k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; channels = get_ur_golomb_shorten(&gb, k); k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; blocksize = get_ur_golomb_shorten(&gb, k); } diff --git a/libavformat/siff.c b/libavformat/siff.c index 24d5ebb42d..9882b7046d 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c @@ -198,8 +198,13 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->cur_frame >= c->frames) return AVERROR_EOF; if (c->curstrm == -1) { - c->pktsize = avio_rl32(s->pb) - 4; + unsigned pktsize = avio_rl32(s->pb); + if (pktsize < 4) + return AVERROR_INVALIDDATA; + c->pktsize = pktsize - 4; c->flags = avio_rl16(s->pb); + if (c->flags & VB_HAS_AUDIO && !c->has_audio) + return AVERROR_INVALIDDATA; c->gmcsize = (c->flags & VB_HAS_GMC) ? 4 : 0; if (c->gmcsize) avio_read(s->pb, c->gmc, c->gmcsize); diff --git a/libavformat/smjpegdec.c b/libavformat/smjpegdec.c index 5bc04921fe..a4e1f957ed 100644 --- a/libavformat/smjpegdec.c +++ b/libavformat/smjpegdec.c @@ -51,6 +51,9 @@ static int smjpeg_read_header(AVFormatContext *s) uint32_t version, htype, hlength, duration; char *comment; + sc->audio_stream_index = + sc->video_stream_index = -1; + avio_skip(pb, 8); // magic version = avio_rb32(pb); if (version) @@ -147,6 +150,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) dtype = avio_rl32(s->pb); switch (dtype) { case SMJPEG_SNDD: + if (sc->audio_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); @@ -155,6 +160,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->pos = pos; break; case SMJPEG_VIDD: + if (sc->video_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); diff --git a/libavformat/smoothstreamingenc.c b/libavformat/smoothstreamingenc.c index 1ed19ebb2f..78c3000040 100644 --- a/libavformat/smoothstreamingenc.c +++ b/libavformat/smoothstreamingenc.c @@ -333,12 +333,11 @@ static int ism_write_header(AVFormatContext *s) goto fail; } - ctx = avformat_alloc_context(); + os->ctx = ctx = avformat_alloc_context(); if (!ctx || ff_copy_whiteblacklists(ctx, s) < 0) { ret = AVERROR(ENOMEM); goto fail; } - os->ctx = ctx; ctx->oformat = oformat; ctx->interrupt_callback = s->interrupt_callback; @@ -358,12 +357,13 @@ static int ism_write_header(AVFormatContext *s) av_dict_set_int(&opts, "ism_lookahead", c->lookahead_count, 0); av_dict_set(&opts, "movflags", "frag_custom", 0); - if ((ret = avformat_write_header(ctx, &opts)) < 0) { + ret = avformat_write_header(ctx, &opts); + av_dict_free(&opts); + if (ret < 0) { goto fail; } os->ctx_inited = 1; avio_flush(ctx->pb); - av_dict_free(&opts); s->streams[i]->time_base = st->time_base; if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { c->has_video = 1; diff --git a/libavformat/soxdec.c b/libavformat/soxdec.c index d3f709f9a6..35e11feec6 100644 --- a/libavformat/soxdec.c +++ b/libavformat/soxdec.c @@ -90,7 +90,7 @@ static int sox_read_header(AVFormatContext *s) sample_rate_frac); if ((header_size + 4) & 7 || header_size < SOX_FIXED_HDR + comment_size - || st->codecpar->channels > 65535) /* Reserve top 16 bits */ { + || st->codecpar->channels > 65535 || st->codecpar->channels <= 0) /* Reserve top 16 bits */ { av_log(s, AV_LOG_ERROR, "invalid header\n"); return AVERROR_INVALIDDATA; } diff --git a/libavformat/spdifdec.c b/libavformat/spdifdec.c index d74f58d82b..8c1a7c87e6 100644 --- a/libavformat/spdifdec.c +++ b/libavformat/spdifdec.c @@ -229,7 +229,7 @@ int ff_spdif_read_packet(AVFormatContext *s, AVPacket *pkt) if (!s->bit_rate && s->streams[0]->codecpar->sample_rate) /* stream bitrate matches 16-bit stereo PCM bitrate for currently supported codecs */ - s->bit_rate = 2 * 16 * s->streams[0]->codecpar->sample_rate; + s->bit_rate = 2 * 16LL * s->streams[0]->codecpar->sample_rate; return 0; } diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index 40d324b44d..d6ff00ba6d 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -207,6 +207,8 @@ static int srt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &srt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&srt->q); av_bprint_finalize(&buf, NULL); return res; } diff --git a/libavformat/stldec.c b/libavformat/stldec.c index d6e0713f8c..fb67407ac5 100644 --- a/libavformat/stldec.c +++ b/libavformat/stldec.c @@ -97,8 +97,10 @@ static int stl_read_header(AVFormatContext *s) if (pts_start != AV_NOPTS_VALUE) { AVPacket *sub; sub = ff_subtitles_queue_insert(&stl->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&stl->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; diff --git a/libavformat/subfile.c b/libavformat/subfile.c index 2f162e0a34..cf1db1970e 100644 --- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -125,9 +125,9 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) return end; } - if (whence == AVSEEK_SIZE) - return end - c->start; switch (whence) { + case AVSEEK_SIZE: + return end - c->start; case SEEK_SET: new_pos = c->start + pos; break; @@ -137,6 +137,8 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) case SEEK_END: new_pos = end + c->pos; break; + default: + av_assert0(0); } if (new_pos < c->start) return AVERROR(EINVAL); diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 659c99d1cf..849ccccbcb 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -132,9 +132,10 @@ AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, if (!subs) return NULL; q->subs = subs; - sub = &subs[q->nb_subs++]; + sub = &subs[q->nb_subs]; if (av_new_packet(sub, len) < 0) return NULL; + q->nb_subs++; sub->flags |= AV_PKT_FLAG_KEY; sub->pts = sub->dts = 0; memcpy(sub->data, event, len); @@ -194,6 +195,9 @@ void ff_subtitles_queue_finalize(void *log_ctx, FFDemuxSubtitlesQueue *q) { int i; + if (!q->nb_subs) + return; + qsort(q->subs, q->nb_subs, sizeof(*q->subs), q->sort == SUB_SORT_TS_POS ? cmp_pkt_sub_ts_pos : cmp_pkt_sub_pos_ts); diff --git a/libavformat/subviewer1dec.c b/libavformat/subviewer1dec.c index 1360d9b7d9..f2eee294a1 100644 --- a/libavformat/subviewer1dec.c +++ b/libavformat/subviewer1dec.c @@ -77,8 +77,10 @@ static int subviewer1_read_header(AVFormatContext *s) sub->duration = pts_start - sub->pts; } else { sub = ff_subtitles_queue_insert(&subviewer1->q, line, len, 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&subviewer1->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index 06b827b70f..94817c04e9 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -138,6 +138,10 @@ static int subviewer_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); } else if (*line) { + if (pts_start == AV_NOPTS_VALUE) { + res = AVERROR_INVALIDDATA; + goto end; + } if (!new_event) { sub = ff_subtitles_queue_insert(&subviewer->q, "\n", 1, 1); if (!sub) { @@ -162,6 +166,8 @@ static int subviewer_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &subviewer->q); end: + if (res < 0) + ff_subtitles_queue_clean(&subviewer->q); av_bprint_finalize(&header, NULL); return res; } diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c index f53db0fb2b..877dcfa9cb 100644 --- a/libavformat/swfenc.c +++ b/libavformat/swfenc.c @@ -256,7 +256,7 @@ static int swf_write_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid (too large) frame rate %d/%d\n", rate, rate_base); return AVERROR(EINVAL); } - avio_wl16(pb, (rate * 256) / rate_base); /* frame rate */ + avio_wl16(pb, (rate * 256LL) / rate_base); /* frame rate */ swf->duration_pos = avio_tell(pb); avio_wl16(pb, (uint16_t)(DUMMY_DURATION * (int64_t)rate / rate_base)); /* frame count */ diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 5572bfd931..8b44528982 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c @@ -181,6 +181,8 @@ static int parse_int(AVIOContext *pb, int *cur_byte, int64_t *result) if ((unsigned)*cur_byte - '0' > 9) return AVERROR_INVALIDDATA; while (BETWEEN(*cur_byte, '0', '9')) { + if (val > INT_MAX/10 - (*cur_byte - '0')) + return AVERROR_INVALIDDATA; val = val * 10 + (*cur_byte - '0'); next_byte(pb, cur_byte); } @@ -275,10 +277,13 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs) static av_cold int tedcaptions_read_header(AVFormatContext *avf) { TEDCaptionsDemuxer *tc = avf->priv_data; - AVStream *st; + AVStream *st = avformat_new_stream(avf, NULL); int ret, i; AVPacket *last; + if (!st) + return AVERROR(ENOMEM); + ret = parse_file(avf->pb, &tc->subs); if (ret < 0) { if (ret == AVERROR_INVALIDDATA) @@ -292,9 +297,6 @@ static av_cold int tedcaptions_read_header(AVFormatContext *avf) tc->subs.subs[i].pts += tc->start_time; last = &tc->subs.subs[tc->subs.nb_subs - 1]; - st = avformat_new_stream(avf, NULL); - if (!st) - return AVERROR(ENOMEM); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; avpriv_set_pts_info(st, 64, 1, 1000); diff --git a/libavformat/thp.c b/libavformat/thp.c index ee5c78b6d3..fd5a60e30f 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -75,6 +75,8 @@ static int thp_read_header(AVFormatContext *s) avio_rb32(pb); /* Max samples. */ thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX); + if (thp->fps.den <= 0 || thp->fps.num < 0) + return AVERROR_INVALIDDATA; thp->framecnt = avio_rb32(pb); thp->first_framesz = avio_rb32(pb); pb->maxsize = avio_rb32(pb); @@ -93,6 +95,9 @@ static int thp_read_header(AVFormatContext *s) avio_seek (pb, thp->compoff, SEEK_SET); thp->compcount = avio_rb32(pb); + if (thp->compcount > FF_ARRAY_ELEMS(thp->components)) + return AVERROR_INVALIDDATA; + /* Read the list of component types. */ avio_read(pb, thp->components, 16); @@ -145,6 +150,9 @@ static int thp_read_header(AVFormatContext *s) } } + if (!thp->vst) + return AVERROR_INVALIDDATA; + return 0; } diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c index f32bc2821b..e41156cc30 100644 --- a/libavformat/tls_gnutls.c +++ b/libavformat/tls_gnutls.c @@ -183,6 +183,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op gnutls_transport_set_ptr(p->session, c->tcp); gnutls_priority_set_direct(p->session, "NORMAL", NULL); do { + if (ff_check_interrupt(&h->interrupt_callback)) { + ret = AVERROR_EXIT; + goto fail; + } + ret = gnutls_handshake(p->session); if (gnutls_error_is_fatal(ret)) { ret = print_tls_error(h, ret); diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 9b80a1e3c7..9f1679b15b 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -19,8 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#include -#include +#include #include #include #include @@ -129,9 +128,15 @@ static void handle_pk_parse_error(URLContext *h, int ret) static void handle_handshake_error(URLContext *h, int ret) { switch (ret) { +#if MBEDTLS_VERSION_MAJOR < 3 case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n"); break; +#else + case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE: + av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n"); + break; +#endif case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); break; @@ -194,16 +199,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op } } - // load key file - if (shr->key_file) { - if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, - shr->key_file, - tls_ctx->priv_key_pw)) != 0) { - handle_pk_parse_error(h, ret); - goto fail; - } - } - // seed the random number generator if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context, mbedtls_entropy_func, @@ -213,6 +208,21 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } + // load key file + if (shr->key_file) { + if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, + shr->key_file, + tls_ctx->priv_key_pw +#if MBEDTLS_VERSION_MAJOR >= 3 + , mbedtls_ctr_drbg_random, + &tls_ctx->ctr_drbg_context +#endif + )) != 0) { + handle_pk_parse_error(h, ret); + goto fail; + } + } + if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config, shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index 4f0badcb8d..03f644dcde 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -389,10 +389,15 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) SECURITY_STATUS sspi_ret = SEC_E_OK; SecBuffer inbuf[4]; SecBufferDesc inbuf_desc; - int size, ret; + int size, ret = 0; int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE; - if (len <= c->dec_buf_offset) + /* If we have some left-over data from previous network activity, + * return it first in case it is enough. It may contain + * data that is required to know whether this connection + * is still required or not, esp. in case of HTTP keep-alive + * connections. */ + if (c->dec_buf_offset > 0) goto cleanup; if (c->sspi_close_notify) @@ -424,7 +429,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) c->enc_buf_offset += ret; } - while (c->enc_buf_offset > 0 && sspi_ret == SEC_E_OK && c->dec_buf_offset < len) { + while (c->enc_buf_offset > 0 && sspi_ret == SEC_E_OK) { /* input buffer */ init_sec_buffer(&inbuf[0], SECBUFFER_DATA, c->enc_buf, c->enc_buf_offset); diff --git a/libavformat/tmv.c b/libavformat/tmv.c index b74af547c5..57f2e09df6 100644 --- a/libavformat/tmv.c +++ b/libavformat/tmv.c @@ -103,6 +103,10 @@ static int tmv_read_header(AVFormatContext *s) char_cols = avio_r8(pb); char_rows = avio_r8(pb); tmv->video_chunk_size = char_cols * char_rows * 2; + if (!tmv->video_chunk_size) { + av_log(s, AV_LOG_ERROR, "invalid video chunk size\n"); + return AVERROR_INVALIDDATA; + } features = avio_r8(pb); if (features & ~(TMV_PADDING | TMV_STEREO)) { diff --git a/libavformat/tta.c b/libavformat/tta.c index 467c24455c..b34630d1d7 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -91,7 +91,7 @@ static int tta_read_header(AVFormatContext *s) c->totalframes = nb_samples / c->frame_size + (c->last_frame_size < c->frame_size); c->currentframe = 0; - if(c->totalframes >= UINT_MAX/sizeof(uint32_t) || c->totalframes <= 0){ + if(c->totalframes >= (INT_MAX - 4)/sizeof(uint32_t) || c->totalframes <= 0){ av_log(s, AV_LOG_ERROR, "totalframes %d invalid\n", c->totalframes); return AVERROR_INVALIDDATA; } @@ -119,7 +119,9 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; - if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; + if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; framepos += size; diff --git a/libavformat/tty.c b/libavformat/tty.c index 8d48f2c45c..954aafe33b 100644 --- a/libavformat/tty.c +++ b/libavformat/tty.c @@ -34,6 +34,13 @@ #include "internal.h" #include "sauce.h" +static int isansicode(int x) +{ + return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f); +} + +static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt"; + typedef struct TtyDemuxContext { AVClass *class; int chars_per_frame; @@ -42,6 +49,17 @@ typedef struct TtyDemuxContext { AVRational framerate; /**< Set by a private option. */ } TtyDemuxContext; +static int read_probe(const AVProbeData *p) +{ + int cnt = 0; + + for (int i = 0; i < p->buf_size; i++) + cnt += !!isansicode(p->buf[i]); + + return (cnt * 100LL / p->buf_size) * (cnt > 400) * + !!av_match_ext(p->filename, tty_extensions); +} + /** * Parse EFI header */ @@ -95,13 +113,16 @@ static int read_header(AVFormatContext *avctx) s->chars_per_frame = FFMAX(av_q2d(st->time_base)*s->chars_per_frame, 1); if (avctx->pb->seekable & AVIO_SEEKABLE_NORMAL) { - s->fsize = avio_size(avctx->pb); - st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; + int64_t fsize = avio_size(avctx->pb); + if (fsize > 0) { + s->fsize = fsize; + st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; - if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) - efi_read(avctx, s->fsize - 51); + if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) + efi_read(avctx, s->fsize - 51); - avio_seek(avctx->pb, 0, SEEK_SET); + avio_seek(avctx->pb, 0, SEEK_SET); + } } fail: @@ -153,8 +174,9 @@ AVInputFormat ff_tty_demuxer = { .name = "tty", .long_name = NULL_IF_CONFIG_SMALL("Tele-typewriter"), .priv_data_size = sizeof(TtyDemuxContext), + .read_probe = read_probe, .read_header = read_header, .read_packet = read_packet, - .extensions = "ans,art,asc,diz,ice,nfo,txt,vt", + .extensions = tty_extensions, .priv_class = &tty_demuxer_class, }; diff --git a/libavformat/ty.c b/libavformat/ty.c index bbb2e28a93..b9f4d0d814 100644 --- a/libavformat/ty.c +++ b/libavformat/ty.c @@ -47,7 +47,7 @@ static const uint8_t ty_AC3AudioPacket[] = { 0x00, 0x00, 0x01, 0xbd }; #define CHUNK_PEEK_COUNT 3 /* number of chunks to probe */ typedef struct TyRecHdr { - int64_t rec_size; + int32_t rec_size; uint8_t ex[2]; uint8_t rec_type; uint8_t subrec_type; diff --git a/libavformat/utils.c b/libavformat/utils.c index 6c6f4e1bd1..2143d9fb59 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -247,13 +247,16 @@ int av_format_get_probe_score(const AVFormatContext *s) int ffio_limit(AVIOContext *s, int size) { if (s->maxsize>= 0) { - int64_t remaining= s->maxsize - avio_tell(s); + int64_t pos = avio_tell(s); + int64_t remaining= s->maxsize - pos; if (remaining < size) { int64_t newsize = avio_size(s); if (!s->maxsize || s->maxsizemaxsize = newsize - !newsize; - remaining= s->maxsize - avio_tell(s); - remaining= FFMAX(remaining, 0); + if (pos > s->maxsize && s->maxsize >= 0) + s->maxsize = AVERROR(EIO); + if (s->maxsize >= 0) + remaining = s->maxsize - pos; } if (s->maxsize>= 0 && remaining+1 < size) { @@ -640,26 +643,28 @@ FF_ENABLE_DEPRECATION_WARNINGS level = AV_LOG_ERROR; av_log(s, level, "Discarding ID3 tags because more suitable tags were found.\n"); av_dict_free(&s->internal->id3v2_meta); - if (s->error_recognition & AV_EF_EXPLODE) - return AVERROR_INVALIDDATA; + if (s->error_recognition & AV_EF_EXPLODE) { + ret = AVERROR_INVALIDDATA; + goto close; + } } if (id3v2_extra_meta) { if (!strcmp(s->iformat->name, "mp3") || !strcmp(s->iformat->name, "aac") || !strcmp(s->iformat->name, "tta") || !strcmp(s->iformat->name, "wav")) { if ((ret = ff_id3v2_parse_apic(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; if ((ret = ff_id3v2_parse_chapters(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; if ((ret = ff_id3v2_parse_priv(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; } else av_log(s, AV_LOG_DEBUG, "demuxer does not support additional id3 data, skipping\n"); } ff_id3v2_free_extra_meta(&id3v2_extra_meta); if ((ret = avformat_queue_attached_pictures(s)) < 0) - goto fail; + goto close; if (!(s->flags&AVFMT_FLAG_PRIV_OPT) && s->pb && !s->internal->data_offset) s->internal->data_offset = avio_tell(s->pb); @@ -678,6 +683,9 @@ FF_ENABLE_DEPRECATION_WARNINGS *ps = s; return 0; +close: + if (s->iformat->read_close) + s->iformat->read_close(s); fail: ff_id3v2_free_extra_meta(&id3v2_extra_meta); av_dict_free(&tmp); @@ -873,8 +881,10 @@ int ff_read_packet(AVFormatContext *s, AVPacket *pkt) } err = av_packet_make_refcounted(pkt); - if (err < 0) + if (err < 0) { + av_packet_unref(pkt); return err; + } if ((s->flags & AVFMT_FLAG_DISCARD_CORRUPT) && (pkt->flags & AV_PKT_FLAG_CORRUPT)) { @@ -917,8 +927,10 @@ int ff_read_packet(AVFormatContext *s, AVPacket *pkt) err = ff_packet_list_put(&s->internal->raw_packet_buffer, &s->internal->raw_packet_buffer_end, pkt, 0); - if (err) + if (err < 0) { + av_packet_unref(pkt); return err; + } s->internal->raw_packet_buffer_remaining_size -= pkt->size; if ((err = probe_codec(s, st, pkt)) < 0) @@ -1130,6 +1142,7 @@ static void update_initial_timestamps(AVFormatContext *s, int stream_index, dts == AV_NOPTS_VALUE || st->cur_dts == AV_NOPTS_VALUE || st->cur_dts < INT_MIN + RELATIVE_TS_BASE || + dts < INT_MIN + (st->cur_dts - RELATIVE_TS_BASE) || is_relative(dts)) return; @@ -1279,7 +1292,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; @@ -1611,15 +1624,19 @@ static int read_frame_internal(AVFormatContext *s, AVPacket *pkt) } ret = avcodec_parameters_to_context(st->internal->avctx, st->codecpar); - if (ret < 0) + if (ret < 0) { + av_packet_unref(&cur_pkt); return ret; + } #if FF_API_LAVF_AVCTX FF_DISABLE_DEPRECATION_WARNINGS /* update deprecated public codec context */ ret = avcodec_parameters_to_context(st->codec, st->codecpar); - if (ret < 0) + if (ret < 0) { + av_packet_unref(&cur_pkt); return ret; + } FF_ENABLE_DEPRECATION_WARNINGS #endif @@ -2096,6 +2113,8 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) //We could use URLProtocol flags here but as many user applications do not use URLProtocols this would be unreliable const char *proto = avio_find_protocol_name(s->url); + av_assert0(time_tolerance >= 0); + if (!proto) { av_log(s, AV_LOG_INFO, "Protocol name not provided, cannot determine if input is local or " @@ -2123,7 +2142,7 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) for (; i2 < st2->nb_index_entries; i2++) { AVIndexEntry *e2 = &st2->index_entries[i2]; int64_t e2_pts = av_rescale_q(e2->timestamp, st2->time_base, AV_TIME_BASE_Q); - if (e2_pts - e1_pts < time_tolerance) + if (e2_pts < e1_pts || e2_pts - (uint64_t)e1_pts < time_tolerance) continue; pos_delta = FFMAX(pos_delta, e1->pos - e2->pos); break; @@ -2164,7 +2183,7 @@ int ff_seek_frame_binary(AVFormatContext *s, int stream_index, int64_t target_ts, int flags) { const AVInputFormat *avif = s->iformat; - int64_t av_uninit(pos_min), av_uninit(pos_max), pos, pos_limit; + int64_t pos_min = 0, pos_max = 0, pos, pos_limit; int64_t ts_min, ts_max, ts; int index; int64_t ret; @@ -2768,7 +2787,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) st = ic->streams[i]; if ( st->time_base.num <= INT64_MAX / ic->bit_rate && st->duration == AV_NOPTS_VALUE) { - duration = av_rescale(8 * filesize, st->time_base.den, + duration = av_rescale(filesize, 8LL * st->time_base.den, ic->bit_rate * (int64_t) st->time_base.num); st->duration = duration; @@ -3090,6 +3109,8 @@ static int try_decode_frame(AVFormatContext *s, AVStream *st, AVPacket *avpkt, } else if (avctx->codec_type == AVMEDIA_TYPE_SUBTITLE) { ret = avcodec_decode_subtitle2(avctx, &subtitle, &got_picture, &pkt); + if (got_picture) + avsubtitle_free(&subtitle); if (ret >= 0) pkt.size = 0; } @@ -4017,7 +4038,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!st->r_frame_rate.num) { if ( avctx->time_base.den * (int64_t) st->time_base.num - <= avctx->time_base.num * avctx->ticks_per_frame * (int64_t) st->time_base.den) { + <= avctx->time_base.num * (uint64_t)avctx->ticks_per_frame * st->time_base.den) { av_reduce(&st->r_frame_rate.num, &st->r_frame_rate.den, avctx->time_base.den, (int64_t)avctx->time_base.num * avctx->ticks_per_frame, INT_MAX); } else { @@ -4685,8 +4706,11 @@ int av_get_frame_filename2(char *buf, int buf_size, const char *path, int number if (c == '%') { do { nd = 0; - while (av_isdigit(*p)) + while (av_isdigit(*p)) { + if (nd >= INT_MAX / 10 - 255) + goto fail; nd = nd * 10 + *p++ - '0'; + } c = *p++; } while (av_isdigit(c)); @@ -4938,7 +4962,7 @@ void ff_parse_key_value(const char *str, ff_parse_key_val_cb callback_get_buf, key_len = ptr - key; callback_get_buf(context, key, key_len, &dest, &dest_len); - dest_end = dest + dest_len - 1; + dest_end = dest ? dest + dest_len - 1 : NULL; if (*ptr == '\"') { ptr++; diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 830e318645..42aae86fa2 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -28,6 +28,7 @@ * @sa http://wiki.multimedia.cx/index.php?title=Vividas_VIV */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "avio_internal.h" #include "avformat.h" @@ -52,6 +53,7 @@ typedef struct VIV_AudioSubpacket { typedef struct VividasDemuxContext { int n_sb_blocks; VIV_SB_block *sb_blocks; + int num_audio; uint32_t sb_key; int64_t sb_offset; @@ -153,6 +155,10 @@ static void decode_block(uint8_t *src, uint8_t *dest, unsigned size, if (align) { uint32_t tmpkey = *key_ptr - key; + if (a2 > s) { + a2 = s; + avpriv_request_sample(NULL, "tiny aligned block\n"); + } memcpy(tmp + align, src, a2); xor_block(tmp, tmp, 4, key, &tmpkey); memcpy(dest, tmp + align, a2); @@ -160,8 +166,6 @@ static void decode_block(uint8_t *src, uint8_t *dest, unsigned size, } if (s >= 4) { - if (!align) - align = 4; xor_block(src + a2, dest + a2, s & ~3, key, key_ptr); s &= 3; @@ -216,7 +220,7 @@ static uint8_t *read_vblock(AVIOContext *src, uint32_t *size, memcpy(buf, tmp, 4); if (avio_read(src, buf + 4, n) == n) { - decode_block(buf + 4, buf + 4, n, key, k2, align + 4); + decode_block(buf + 4, buf + 4, n, key, k2, align); } else { av_free(buf); buf = NULL; @@ -251,6 +255,9 @@ static uint8_t *read_sb_block(AVIOContext *src, unsigned *size, *key = tmpkey; } + if (n < 8) + return NULL; + buf = av_malloc(n); if (!buf) return NULL; @@ -260,7 +267,7 @@ static uint8_t *read_sb_block(AVIOContext *src, unsigned *size, *size = n; n -= 8; - if (avio_read(src, buf+8, n) < n) { + if (avio_read(src, buf+8, n) != n) { av_free(buf); return NULL; } @@ -270,17 +277,17 @@ static uint8_t *read_sb_block(AVIOContext *src, unsigned *size, return buf; } -static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *buf, int size) +static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *buf, int size) { int i,j; int64_t off; int val_1; - int num_video, num_audio; + int num_video; AVIOContext *pb; pb = avio_alloc_context(buf, size, 0, NULL, NULL, NULL, NULL); if (!pb) - return; + return AVERROR(ENOMEM); ffio_read_varlen(pb); // track_header_len avio_r8(pb); // '1' @@ -289,7 +296,11 @@ static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t for (i=0;inum_audio = avio_r8(pb); avio_seek(pb, off, SEEK_SET); - if (num_audio != 1) - av_log(s, AV_LOG_WARNING, "number of audio tracks %d is not 1\n", num_audio); + if (viv->num_audio != 1) + av_log(s, AV_LOG_WARNING, "number of audio tracks %d is not 1\n", viv->num_audio); - for(i=0;inum_audio;i++) { int q; AVStream *st = avformat_new_stream(s, NULL); @@ -355,6 +368,8 @@ static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t avio_rl16(pb); //codec_subid st->codecpar->channels = avio_rl16(pb); // channels st->codecpar->sample_rate = avio_rl32(pb); // sample_rate + if (st->codecpar->sample_rate <= 0 || st->codecpar->channels <= 0) + return AVERROR_INVALIDDATA; avio_seek(pb, 10, SEEK_CUR); // data_1 q = avio_r8(pb); avio_seek(pb, q, SEEK_CUR); // data_2 @@ -362,7 +377,7 @@ static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t if (avio_tell(pb) < off) { int num_data; - int xd_size = 0; + int xd_size = 1; int data_len[256]; int offset = 1; uint8_t *p; @@ -371,22 +386,37 @@ static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t ffio_read_varlen(pb); // len_3 num_data = avio_r8(pb); for (j = 0; j < num_data; j++) { - data_len[j] = ffio_read_varlen(pb); - xd_size += data_len[j]; + int64_t len = ffio_read_varlen(pb); + if (len < 0 || len > INT_MAX/2 - xd_size) { + av_free(pb); + return AVERROR_INVALIDDATA; + } + data_len[j] = len; + xd_size += len + 1 + len/255; } - st->codecpar->extradata_size = 64 + xd_size + xd_size / 255; - if (ff_alloc_extradata(st->codecpar, st->codecpar->extradata_size)) - return; + if (ff_alloc_extradata(st->codecpar, xd_size)) { + av_free(pb); + return AVERROR(ENOMEM); + } p = st->codecpar->extradata; p[0] = 2; - for (j = 0; j < num_data - 1; j++) - offset += av_xiphlacing(&p[offset], data_len[j]); + for (j = 0; j < num_data - 1; j++) { + unsigned delta = av_xiphlacing(&p[offset], data_len[j]); + av_assert0(delta <= xd_size - offset); + offset += delta; + } for (j = 0; j < num_data; j++) { - avio_read(pb, &p[offset], data_len[j]); + int ret = avio_read(pb, &p[offset], data_len[j]); + if (ret < data_len[j]) { + st->codecpar->extradata_size = 0; + av_freep(&st->codecpar->extradata); + break; + } + av_assert0(data_len[j] <= xd_size - offset); offset += data_len[j]; } @@ -396,50 +426,69 @@ static void track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t } av_free(pb); + return 0; } -static void track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *buf, unsigned size) +static int track_index(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *buf, unsigned size) { int64_t off; int64_t poff; int maxnp=0; AVIOContext *pb; int i; + int64_t filesize = avio_size(s->pb); pb = avio_alloc_context(buf, size, 0, NULL, NULL, NULL, NULL); if (!pb) - return; + return AVERROR(ENOMEM); ffio_read_varlen(pb); // track_index_len avio_r8(pb); // 'c' viv->n_sb_blocks = ffio_read_varlen(pb); + if (viv->n_sb_blocks < 0 || viv->n_sb_blocks > size / 2) + goto error; viv->sb_blocks = av_calloc(viv->n_sb_blocks, sizeof(VIV_SB_block)); if (!viv->sb_blocks) { viv->n_sb_blocks = 0; av_free(pb); - return; + return AVERROR(ENOMEM); } off = 0; poff = 0; for (i = 0; i < viv->n_sb_blocks; i++) { + uint64_t size_tmp = ffio_read_varlen(pb); + uint64_t n_packets_tmp = ffio_read_varlen(pb); + + if (size_tmp > INT_MAX || n_packets_tmp > INT_MAX) + goto error; + viv->sb_blocks[i].byte_offset = off; viv->sb_blocks[i].packet_offset = poff; - viv->sb_blocks[i].size = ffio_read_varlen(pb); - viv->sb_blocks[i].n_packets = ffio_read_varlen(pb); + viv->sb_blocks[i].size = size_tmp; + viv->sb_blocks[i].n_packets = n_packets_tmp; off += viv->sb_blocks[i].size; poff += viv->sb_blocks[i].n_packets; - if (maxnp < viv->sb_blocks[i].n_packets) maxnp = viv->sb_blocks[i].n_packets; } + if (filesize > 0 && poff > filesize) + goto error; + viv->sb_entries = av_calloc(maxnp, sizeof(VIV_SB_entry)); av_free(pb); + + return 0; +error: + av_free(pb); + viv->n_sb_blocks = 0; + av_freep(&viv->sb_blocks); + return AVERROR_INVALIDDATA; } static void load_sb_block(AVFormatContext *s, VividasDemuxContext *viv, unsigned expected_size) @@ -498,6 +547,7 @@ static int viv_read_header(AVFormatContext *s) uint32_t b22_size = 0; uint32_t b22_key = 0; uint8_t *buf = 0; + int ret; avio_skip(pb, 9); @@ -515,7 +565,8 @@ static int viv_read_header(AVFormatContext *s) v = avio_r8(pb); avio_seek(pb, v, SEEK_CUR); - avio_read(pb, keybuffer, 187); + if (avio_read(pb, keybuffer, 187) != 187) + return AVERROR_INVALIDDATA; key = decode_key(keybuffer); viv->sb_key = key; @@ -529,6 +580,9 @@ static int viv_read_header(AVFormatContext *s) break; block_len = ffio_read_varlen(pb); + if (avio_feof(pb) || block_len <= 0) + return AVERROR_INVALIDDATA; + block_type = avio_r8(pb); if (block_type == 22) { @@ -553,14 +607,18 @@ static int viv_read_header(AVFormatContext *s) buf = read_vblock(pb, &v, key, &k2, 0); if (!buf) return AVERROR(EIO); - track_header(viv, s, buf, v); + ret = track_header(viv, s, buf, v); av_free(buf); + if (ret < 0) + return ret; buf = read_vblock(pb, &v, key, &k2, v); if (!buf) return AVERROR(EIO); - track_index(viv, s, buf, v); + ret = track_index(viv, s, buf, v); av_free(buf); + if (ret < 0) + return ret; viv->sb_offset = avio_tell(pb); if (viv->n_sb_blocks > 0) { @@ -619,13 +677,21 @@ static int viv_read_packet(AVFormatContext *s, if (!pb) return AVERROR(EIO); off = avio_tell(pb); + + if (viv->current_sb_entry >= viv->n_sb_entries) + return AVERROR_INVALIDDATA; + off += viv->sb_entries[viv->current_sb_entry].size; if (viv->sb_entries[viv->current_sb_entry].flag == 0) { uint64_t v_size = ffio_read_varlen(pb); + int last = 0, last_start; + + if (!viv->num_audio) + return AVERROR_INVALIDDATA; ffio_read_varlen(pb); - if (v_size > INT_MAX) + if (v_size > INT_MAX || !v_size) return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, v_size); if (ret < 0) @@ -643,18 +709,24 @@ static int viv_read_packet(AVFormatContext *s, if (i > 0 && start == 0) break; + if (start < last) + return AVERROR_INVALIDDATA; viv->n_audio_subpackets = i + 1; + last = viv->audio_subpackets[i].start = start; viv->audio_subpackets[i].pcm_bytes = pcm_bytes; } + last_start = viv->audio_subpackets[viv->n_audio_subpackets].start = (int)(off - avio_tell(pb)); + if (last_start < last) + return AVERROR_INVALIDDATA; viv->current_audio_subpacket = 0; } else { uint64_t v_size = ffio_read_varlen(pb); - if (v_size > INT_MAX) + if (v_size > INT_MAX || !v_size) return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, v_size); if (ret < 0) diff --git a/libavformat/vivo.c b/libavformat/vivo.c index 9a07c43849..6119e52de8 100644 --- a/libavformat/vivo.c +++ b/libavformat/vivo.c @@ -26,6 +26,7 @@ * @sa http://wiki.multimedia.cx/index.php?title=Vivo */ +#include "libavutil/avstring.h" #include "libavutil/parseutils.h" #include "avformat.h" #include "internal.h" @@ -118,7 +119,7 @@ static int vivo_get_packet_header(AVFormatContext *s) static int vivo_read_header(AVFormatContext *s) { VivoContext *vivo = s->priv_data; - AVRational fps = { 1, 25}; + AVRational fps = { 0 }; AVStream *ast, *vst; unsigned char *line, *line_end, *key, *value; long value_int; @@ -204,17 +205,21 @@ static int vivo_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; value_used = 1; } else if (!strcmp(key, "FPS")) { - AVRational tmp; + double d; + if (av_sscanf(value, "%f", &d) != 1) + return AVERROR_INVALIDDATA; value_used = 1; - if (!av_parse_ratio(&tmp, value, 10000, AV_LOG_WARNING, s)) - fps = av_inv_q(tmp); + if (!fps.num && !fps.den) + fps = av_inv_q(av_d2q(d, 10000)); } if (!value_used) av_dict_set(&s->metadata, key, value, 0); } } + if (!fps.num || !fps.den) + fps = (AVRational){ 1, 25 }; avpriv_set_pts_info(ast, 64, 1, ast->codecpar->sample_rate); avpriv_set_pts_info(vst, 64, fps.num, fps.den); diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c index 1e2e19e1c3..e5ae0be1de 100644 --- a/libavformat/voc_packet.c +++ b/libavformat/voc_packet.c @@ -44,19 +44,29 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) AVINDEX_KEYFRAME); while (!voc->remaining_size) { + if (max_size < 4) + max_size = 0; type = avio_r8(pb); if (type == VOC_TYPE_EOF) return AVERROR_EOF; voc->remaining_size = avio_rl24(pb); if (!voc->remaining_size) { + int64_t filesize; if (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL)) return AVERROR(EIO); - voc->remaining_size = avio_size(pb) - avio_tell(pb); + filesize = avio_size(pb); + if (filesize - avio_tell(pb) > INT_MAX) + return AVERROR_INVALIDDATA; + voc->remaining_size = filesize - avio_tell(pb); } max_size -= 4; switch (type) { case VOC_TYPE_VOICE_DATA: + if (voc->remaining_size < 2) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = 1000000 / (256 - avio_r8(pb)); if (sample_rate) @@ -85,6 +95,10 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) break; case VOC_TYPE_NEW_VOICE_DATA: + if (voc->remaining_size < 12) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = avio_rl32(pb); avpriv_set_pts_info(st, 64, 1, par->sample_rate); diff --git a/libavformat/vplayerdec.c b/libavformat/vplayerdec.c index e3e7b4efb8..ca23ec76ac 100644 --- a/libavformat/vplayerdec.c +++ b/libavformat/vplayerdec.c @@ -83,8 +83,10 @@ static int vplayer_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&vplayer->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&vplayer->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 755849bac7..ba52409cc0 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -61,7 +61,8 @@ static void add_metadata(AVFormatContext *s, uint32_t tag, buf = av_malloc(len+1); if (!buf) return; - avio_read(s->pb, buf, len); + if (len != avio_read(s->pb, buf, len)) + return; buf[len] = 0; AV_WL32(key, tag); av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); @@ -132,6 +133,9 @@ static int vqf_read_header(AVFormatContext *s) switch(chunk_tag){ case MKTAG('C','O','M','M'): + if (len < 12) + return AVERROR_INVALIDDATA; + avio_read(s->pb, comm_chunk, 12); st->codecpar->channels = AV_RB32(comm_chunk ) + 1; read_bitrate = AV_RB32(comm_chunk + 4); diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 1b131ee2c1..5916187b57 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -69,7 +69,7 @@ static void set_spdif(AVFormatContext *s, WAVDemuxContext *wav) int ret = ffio_ensure_seekback(s->pb, len); if (ret >= 0) { - uint8_t *buf = av_malloc(len); + uint8_t *buf = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE); if (!buf) { ret = AVERROR(ENOMEM); } else { @@ -233,9 +233,9 @@ static inline int wav_parse_bext_string(AVFormatContext *s, const char *key, char temp[257]; int ret; - av_assert0(length <= sizeof(temp)); - if ((ret = avio_read(s->pb, temp, length)) < 0) - return ret; + av_assert0(length < sizeof(temp)); + if ((ret = avio_read(s->pb, temp, length)) != length) + return ret < 0 ? ret : AVERROR_INVALIDDATA; temp[length] = 0; @@ -304,8 +304,10 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size) if (!(coding_history = av_malloc(size + 1))) return AVERROR(ENOMEM); - if ((ret = avio_read(s->pb, coding_history, size)) < 0) - return ret; + if ((ret = avio_read(s->pb, coding_history, size)) != size) { + av_free(coding_history); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } coding_history[size] = 0; if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history, @@ -479,6 +481,8 @@ static int wav_read_header(AVFormatContext *s) wav->smv_data_ofs = avio_tell(pb) + (size - 5) * 3; avio_rl24(pb); wav->smv_block_size = avio_rl24(pb); + if (!wav->smv_block_size) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(vst, 32, 1, avio_rl24(pb)); vst->duration = avio_rl24(pb); avio_rl24(pb); @@ -610,7 +614,7 @@ static int64_t find_guid(AVIOContext *pb, const uint8_t guid1[16]) while (!avio_feof(pb)) { avio_read(pb, guid, 16); size = avio_rl64(pb); - if (size <= 24) + if (size <= 24 || size > INT64_MAX - 8) return AVERROR_INVALIDDATA; if (!memcmp(guid, guid1, 16)) return size; @@ -650,12 +654,16 @@ smv_retry: if (wav->smv_last_stream) { uint64_t old_pos = avio_tell(s->pb); uint64_t new_pos = wav->smv_data_ofs + - wav->smv_block * wav->smv_block_size; + wav->smv_block * (int64_t)wav->smv_block_size; if (avio_seek(s->pb, new_pos, SEEK_SET) < 0) { ret = AVERROR_EOF; goto smv_out; } size = avio_rl24(s->pb); + if (size > wav->smv_block_size) { + ret = AVERROR_EOF; + goto smv_out; + } ret = av_get_packet(s->pb, pkt, size); if (ret < 0) goto smv_out; @@ -694,6 +702,8 @@ smv_out: goto smv_retry; return AVERROR_EOF; } + if (INT64_MAX - left < avio_tell(s->pb)) + return AVERROR_INVALIDDATA; wav->data_end = avio_tell(s->pb) + left; } @@ -794,8 +804,7 @@ static int w64_read_header(AVFormatContext *s) uint8_t guid[16]; int ret; - avio_read(pb, guid, 16); - if (memcmp(guid, ff_w64_guid_riff, 16)) + if (avio_read(pb, guid, 16) != 16 || memcmp(guid, ff_w64_guid_riff, 16)) return AVERROR_INVALIDDATA; /* riff + wave + fmt + sizes */ @@ -847,6 +856,7 @@ static int w64_read_header(AVFormatContext *s) } else if (!memcmp(guid, ff_w64_guid_summarylist, 16)) { int64_t start, end, cur; uint32_t count, chunk_size, i; + int64_t filesize = avio_size(s->pb); start = avio_tell(pb); end = start + FFALIGN(size, INT64_C(8)) - 24; @@ -861,7 +871,7 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); - if (chunk_size == UINT32_MAX) + if (chunk_size == UINT32_MAX || (filesize >= 0 && chunk_size > filesize)) return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); @@ -869,6 +879,10 @@ static int w64_read_header(AVFormatContext *s) return AVERROR(ENOMEM); ret = avio_get_str16le(pb, chunk_size, value, chunk_size); + if (ret < 0) { + av_free(value); + return ret; + } avio_skip(pb, chunk_size - ret); av_dict_set(&s->metadata, chunk_key, value, AV_DICT_DONT_STRDUP_VAL); diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c index 27f5eb1962..9dcc54e934 100644 --- a/libavformat/wc3movie.c +++ b/libavformat/wc3movie.c @@ -73,6 +73,16 @@ typedef struct Wc3DemuxContext { } Wc3DemuxContext; +static int wc3_read_close(AVFormatContext *s) +{ + Wc3DemuxContext *wc3 = s->priv_data; + + if (wc3->vpkt.size > 0) + av_packet_unref(&wc3->vpkt); + + return 0; +} + static int wc3_probe(const AVProbeData *p) { if (p->buf_size < 12) @@ -128,10 +138,14 @@ static int wc3_read_header(AVFormatContext *s) case BNAM_TAG: /* load up the name */ buffer = av_malloc(size+1); - if (!buffer) - return AVERROR(ENOMEM); - if ((ret = avio_read(pb, buffer, size)) != size) - return AVERROR(EIO); + if (!buffer) { + ret = AVERROR(ENOMEM); + goto fail; + } + if ((ret = avio_read(pb, buffer, size)) != size) { + ret = AVERROR(EIO); + goto fail; + } buffer[size] = 0; av_dict_set(&s->metadata, "title", buffer, AV_DICT_DONT_STRDUP_VAL); @@ -152,21 +166,26 @@ static int wc3_read_header(AVFormatContext *s) default: av_log(s, AV_LOG_ERROR, "unrecognized WC3 chunk: %s\n", av_fourcc2str(fourcc_tag)); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } fourcc_tag = avio_rl32(pb); /* chunk sizes are 16-bit aligned */ size = (avio_rb32(pb) + 1) & (~1); - if (avio_feof(pb)) - return AVERROR(EIO); + if (avio_feof(pb)) { + ret = AVERROR(EIO); + goto fail; + } } while (fourcc_tag != BRCH_TAG); /* initialize the decoder streams */ st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } avpriv_set_pts_info(st, 33, 1, WC3_FRAME_FPS); wc3->video_stream_index = st->index; st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; @@ -176,8 +195,10 @@ static int wc3_read_header(AVFormatContext *s) st->codecpar->height = wc3->height; st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } avpriv_set_pts_info(st, 33, 1, WC3_FRAME_FPS); wc3->audio_stream_index = st->index; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; @@ -192,6 +213,9 @@ static int wc3_read_header(AVFormatContext *s) st->codecpar->block_align = WC3_AUDIO_BITS * WC3_AUDIO_CHANNELS; return 0; +fail: + wc3_read_close(s); + return ret; } static int wc3_read_packet(AVFormatContext *s, @@ -284,16 +308,6 @@ static int wc3_read_packet(AVFormatContext *s, return ret; } -static int wc3_read_close(AVFormatContext *s) -{ - Wc3DemuxContext *wc3 = s->priv_data; - - if (wc3->vpkt.size > 0) - av_packet_unref(&wc3->vpkt); - - return 0; -} - AVInputFormat ff_wc3_demuxer = { .name = "wc3movie", .long_name = NULL_IF_CONFIG_SMALL("Wing Commander III movie"), diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c index 4e2ce21a79..d00ffd284b 100644 --- a/libavformat/webm_chunk.c +++ b/libavformat/webm_chunk.c @@ -151,9 +151,9 @@ static int webm_chunk_write_header(AVFormatContext *s) oc->pb->seekable = 0; ret = oc->oformat->write_header(oc); + ff_format_io_close(s, &oc->pb); if (ret < 0) return ret; - ff_format_io_close(s, &oc->pb); for (i = 0; i < s->nb_streams; i++) { // ms precision is the de-facto standard timescale for mkv files. avpriv_set_pts_info(s->streams[i], 64, 1, 1000); diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 26b8727304..3a2504795e 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -104,7 +104,7 @@ static int write_header(AVFormatContext *s) } avio_printf(s->pb, " minBufferTime=\"PT%gS\"\n", min_buffer_time); avio_printf(s->pb, " profiles=\"%s\"%s", - w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:webm:dash:profile:webm-on-demand:2012", + w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:mpeg:dash:profile:webm-on-demand:2012", w->is_live ? "\n" : ">\n"); if (w->is_live) { time_t local_time = time(NULL); @@ -489,11 +489,12 @@ static int parse_adaptation_sets(AVFormatContext *s) state = parsing_streams; } else if (state == parsing_streams) { struct AdaptationSet *as = &w->as[w->nb_as - 1]; + int ret = av_reallocp_array(&as->streams, ++as->nb_streams, + sizeof(*as->streams)); + if (ret < 0) + return ret; q = p; while (*q != '\0' && *q != ',' && *q != ' ') q++; - as->streams = av_realloc(as->streams, sizeof(*as->streams) * ++as->nb_streams); - if (as->streams == NULL) - return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); if (as->streams[as->nb_streams - 1] < 0 || as->streams[as->nb_streams - 1] >= s->nb_streams) { @@ -516,6 +517,14 @@ static int webm_dash_manifest_write_header(AVFormatContext *s) double start = 0.0; int ret; WebMDashMuxContext *w = s->priv_data; + + for (unsigned i = 0; i < s->nb_streams; i++) { + enum AVCodecID codec_id = s->streams[i]->codecpar->codec_id; + if (codec_id != AV_CODEC_ID_VP8 && codec_id != AV_CODEC_ID_VP9 && + codec_id != AV_CODEC_ID_VORBIS && codec_id != AV_CODEC_ID_OPUS) + return AVERROR(EINVAL); + } + ret = parse_adaptation_sets(s); if (ret < 0) { goto fail; diff --git a/libavformat/webvttdec.c b/libavformat/webvttdec.c index 52579c5ed2..6f22a1edf6 100644 --- a/libavformat/webvttdec.c +++ b/libavformat/webvttdec.c @@ -165,6 +165,8 @@ static int webvtt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &webvtt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&webvtt->q); av_bprint_finalize(&cue, NULL); av_bprint_finalize(&header, NULL); return res; diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index c21a3e31f6..541cfae561 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c @@ -163,13 +163,15 @@ static int wsvqa_read_packet(AVFormatContext *s, int ret = -1; uint8_t preamble[VQA_PREAMBLE_SIZE]; uint32_t chunk_type; - uint32_t chunk_size; - int skip_byte; + int chunk_size; + unsigned skip_byte; while (avio_read(pb, preamble, VQA_PREAMBLE_SIZE) == VQA_PREAMBLE_SIZE) { chunk_type = AV_RB32(&preamble[0]); chunk_size = AV_RB32(&preamble[4]); + if (chunk_size < 0) + return AVERROR_INVALIDDATA; skip_byte = chunk_size & 0x01; if ((chunk_type == SND0_TAG) || (chunk_type == SND1_TAG) || @@ -230,7 +232,7 @@ static int wsvqa_read_packet(AVFormatContext *s, break; case SND2_TAG: /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ - pkt->duration = (chunk_size * 2) / wsvqa->channels; + pkt->duration = (chunk_size * 2LL) / wsvqa->channels; break; } break; diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 706e8ca38d..a0e3e93701 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -183,7 +183,7 @@ static AVIOContext * wtvfile_open_sector(unsigned first_sector, uint64_t length, int nb_sectors1 = read_ints(s->pb, sectors1, WTV_SECTOR_SIZE / 4); int i; - wf->sectors = av_malloc_array(nb_sectors1, 1 << WTV_SECTOR_BITS); + wf->sectors = av_calloc(nb_sectors1, 1 << WTV_SECTOR_BITS); if (!wf->sectors) { av_free(wf); return NULL; @@ -274,6 +274,11 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b "bad filename length, remaining directory entries ignored\n"); break; } + if (dir_length == 0) { + av_log(s, AV_LOG_ERROR, + "bad dir length, remaining directory entries ignored\n"); + break; + } if (48 + (int64_t)name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; @@ -656,6 +661,8 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid, avio_skip(pb, size - 32); ff_get_guid(pb, &actual_subtype); ff_get_guid(pb, &actual_formattype); + if (avio_feof(pb)) + return NULL; avio_seek(pb, -size, SEEK_CUR); st = parse_media_type(s, st, sid, mediatype, actual_subtype, actual_formattype, size - 32); @@ -790,7 +797,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p ff_get_guid(pb, &g); len = avio_rl32(pb); - if (len < 32) { + if (len < 32 || len > INT_MAX - 7) { int ret; if (avio_feof(pb)) return AVERROR_EOF; @@ -813,6 +820,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 92 - consumed) + return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; } @@ -827,6 +836,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 76 - consumed) + return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; } @@ -839,7 +850,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p int stream_index = ff_find_stream_index(s, sid); if (stream_index >= 0) { AVStream *st = s->streams[stream_index]; - uint8_t buf[258]; + uint8_t buf[258] = {0}; const uint8_t *pbuf = buf; int buf_size; @@ -852,7 +863,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p } buf_size = FFMIN(len - consumed, sizeof(buf)); - avio_read(pb, buf, buf_size); + if (avio_read(pb, buf, buf_size) != buf_size) + return AVERROR_INVALIDDATA; consumed += buf_size; ff_parse_mpeg2_descriptor(s, st, 0, &pbuf, buf + buf_size, NULL, 0, 0, NULL); } @@ -993,8 +1005,10 @@ static int read_header(AVFormatContext *s) } ret = parse_chunks(s, SEEK_TO_DATA, 0, 0); - if (ret < 0) + if (ret < 0) { + wtvfile_close(wtv->pb); return ret; + } avio_seek(wtv->pb, -32, SEEK_CUR); timeline_pos = avio_tell(s->pb); // save before opening another file diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 7f12956458..3ad3e03284 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -223,6 +223,8 @@ static int xmv_read_header(AVFormatContext *s) /* Initialize the packet context */ xmv->next_packet_offset = avio_tell(pb); + if (this_packet_size < xmv->next_packet_offset) + return AVERROR_INVALIDDATA; xmv->next_packet_size = this_packet_size - xmv->next_packet_offset; xmv->stream_count = xmv->audio_track_count + 1; diff --git a/libavformat/xwma.c b/libavformat/xwma.c index b084449296..2a5f38dfcd 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -151,7 +151,7 @@ static int xwma_read_header(AVFormatContext *s) st->codecpar->channels); return AVERROR_INVALIDDATA; } - if (!st->codecpar->bits_per_coded_sample) { + if (!st->codecpar->bits_per_coded_sample || st->codecpar->bits_per_coded_sample > 64) { av_log(s, AV_LOG_WARNING, "Invalid bits_per_coded_sample: %d\n", st->codecpar->bits_per_coded_sample); return AVERROR_INVALIDDATA; @@ -211,6 +211,10 @@ static int xwma_read_header(AVFormatContext *s) } for (i = 0; i < dpds_table_size; ++i) { + if (avio_feof(pb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } dpds_table[i] = avio_rl32(pb); size -= 4; } @@ -274,7 +278,7 @@ static int xwma_read_header(AVFormatContext *s) * the total duration using the average bits per sample and the * total data length. */ - st->duration = (size<<3) * st->codecpar->sample_rate / st->codecpar->bit_rate; + st->duration = av_rescale((size<<3), st->codecpar->sample_rate, st->codecpar->bit_rate); } fail: diff --git a/libavutil/avsscanf.c b/libavutil/avsscanf.c index 1c85412fd4..850c117940 100644 --- a/libavutil/avsscanf.c +++ b/libavutil/avsscanf.c @@ -229,9 +229,9 @@ static long long scanexp(FFFILE *f, int pok) return LLONG_MIN; } for (x=0; c-'0'<10U && x> 10; + if (end - dst) + *dst++ = v >> 10; v <<= 2; out2: - *dst++ = v >> 4; + if (end - dst) + *dst++ = v >> 4; out1: out0: return bits & 1 ? AVERROR_INVALIDDATA : dst - out; diff --git a/libavutil/buffer.c b/libavutil/buffer.c index 8d1aa5fa84..7884dbf053 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -223,7 +223,10 @@ AVBufferPool *av_buffer_pool_init2(int size, void *opaque, if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->opaque = opaque; @@ -241,7 +244,10 @@ AVBufferPool *av_buffer_pool_init(int size, AVBufferRef* (*alloc)(int size)) if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->alloc = alloc ? alloc : av_buffer_alloc; diff --git a/libavutil/common.h b/libavutil/common.h index 8db0291170..bad43e426e 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -331,7 +331,7 @@ static av_always_inline av_const double av_clipd_c(double a, double amin, double */ static av_always_inline av_const int av_ceil_log2_c(int x) { - return av_log2((x - 1) << 1); + return av_log2((x - 1U) << 1); } /** diff --git a/libavutil/encryption_info.c b/libavutil/encryption_info.c index 812c704776..dd3fa71a44 100644 --- a/libavutil/encryption_info.c +++ b/libavutil/encryption_info.c @@ -331,8 +331,10 @@ uint8_t *av_encryption_init_info_add_side_data(const AVEncryptionInitInfo *info, memcpy(cur_buffer, cur_info->key_ids[i], cur_info->key_id_size); cur_buffer += cur_info->key_id_size; } - memcpy(cur_buffer, cur_info->data, cur_info->data_size); - cur_buffer += cur_info->data_size; + if (cur_info->data_size > 0) { + memcpy(cur_buffer, cur_info->data, cur_info->data_size); + cur_buffer += cur_info->data_size; + } } return buffer; diff --git a/libavutil/eval.c b/libavutil/eval.c index 5da9a6d83b..7a3f4f9aa9 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -304,7 +304,7 @@ static double eval_expr(Parser *p, AVExpr *e) double d = eval_expr(p, e->param[0]); double d2 = eval_expr(p, e->param[1]); switch (e->type) { - case e_mod: return e->value * (d - floor((!CONFIG_FTRAPV || d2) ? d / d2 : d * INFINITY) * d2); + case e_mod: return e->value * (d - floor(d2 ? d / d2 : d * INFINITY) * d2); case e_gcd: return e->value * av_gcd(d,d2); case e_max: return e->value * (d > d2 ? d : d2); case e_min: return e->value * (d < d2 ? d : d2); diff --git a/libavutil/fixed_dsp.c b/libavutil/fixed_dsp.c index 8c018581df..f1b195f184 100644 --- a/libavutil/fixed_dsp.c +++ b/libavutil/fixed_dsp.c @@ -134,9 +134,10 @@ static int scalarproduct_fixed_c(const int *v1, const int *v2, int len) return (int)(p >> 31); } -static void butterflies_fixed_c(int *v1, int *v2, int len) +static void butterflies_fixed_c(int *v1s, int *v2, int len) { int i; + unsigned int *v1 = v1s; for (i = 0; i < len; i++){ int t = v1[i] - v2[i]; diff --git a/libavutil/frame.c b/libavutil/frame.c index dcf1fc3d17..f186564a6b 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -927,7 +927,7 @@ int av_frame_apply_cropping(AVFrame *frame, int flags) if (log2_crop_align < min_log2_align) return AVERROR_BUG; - if (min_log2_align < 5) { + if (min_log2_align < 5 && log2_crop_align != INT_MAX) { frame->crop_left &= ~((1 << (5 + log2_crop_align - min_log2_align)) - 1); calc_cropping_offsets(offsets, frame, desc); } diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index 6670c47579..209c8dd352 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c @@ -163,7 +163,7 @@ static AVBufferRef *wrap_texture_buf(ID3D11Texture2D *tex, int index) desc->texture = tex; desc->index = index; - buf = av_buffer_create((uint8_t *)desc, sizeof(desc), free_texture, tex, 0); + buf = av_buffer_create((uint8_t *)desc, sizeof(*desc), free_texture, tex, 0); if (!buf) { ID3D11Texture2D_Release(tex); av_free(desc); diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index 64366cea89..df4ec37ae7 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -133,7 +133,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, int size) if (s->nb_surfaces_used < hwctx->nb_surfaces) { s->nb_surfaces_used++; return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1], - sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); + sizeof(**hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); } return NULL; diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index c733cb5cf5..7f16efeb6c 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -262,7 +262,7 @@ int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enu stride = 8LL*w; stride += 128*8; - if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + if (w==0 || h==0 || w > INT32_MAX || h > INT32_MAX || stride >= INT_MAX || stride*(h + 128ULL) >= INT_MAX) { av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); return AVERROR(EINVAL); } diff --git a/libavutil/internal.h b/libavutil/internal.h index 4acbcf56cb..3a5d1c7bc6 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -173,6 +173,8 @@ }\ } +#define FF_PTR_ADD(ptr, off) ((off) ? (ptr) + (off) : (ptr)) + #include "libm.h" /** diff --git a/libavutil/lfg.h b/libavutil/lfg.h index 03f779ad8a..2b669205d1 100644 --- a/libavutil/lfg.h +++ b/libavutil/lfg.h @@ -24,6 +24,12 @@ #include +/** + * Context structure for the Lagged Fibonacci PRNG. + * The exact layout, types and content of this struct may change and should + * not be accessed directly. Only its sizeof() is guranteed to stay the same + * to allow easy instanciation. + */ typedef struct AVLFG { unsigned int state[64]; int index; @@ -45,8 +51,9 @@ int av_lfg_init_from_data(AVLFG *c, const uint8_t *data, unsigned int length); * it may be good enough and faster for your specific use case. */ static inline unsigned int av_lfg_get(AVLFG *c){ - c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; - return c->state[c->index++ & 63]; + unsigned a = c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; + c->index += 1U; + return a; } /** @@ -57,7 +64,9 @@ static inline unsigned int av_lfg_get(AVLFG *c){ static inline unsigned int av_mlfg_get(AVLFG *c){ unsigned int a= c->state[(c->index-55) & 63]; unsigned int b= c->state[(c->index-24) & 63]; - return c->state[c->index++ & 63] = 2*a*b+a+b; + a = c->state[c->index & 63] = 2*a*b+a+b; + c->index += 1U; + return a; } /** diff --git a/libavutil/mathematics.h b/libavutil/mathematics.h index 54901800ba..64d4137a60 100644 --- a/libavutil/mathematics.h +++ b/libavutil/mathematics.h @@ -134,6 +134,7 @@ int64_t av_rescale(int64_t a, int64_t b, int64_t c) av_const; * * The operation is mathematically equivalent to `a * b / c`, but writing that * directly can overflow, and does not support different rounding methods. + * If the result is not representable then INT64_MIN is returned. * * @see av_rescale(), av_rescale_q(), av_rescale_q_rnd() */ diff --git a/libavutil/parseutils.c b/libavutil/parseutils.c index 167e822648..7f678cd85a 100644 --- a/libavutil/parseutils.c +++ b/libavutil/parseutils.c @@ -736,12 +736,14 @@ int av_parse_time(int64_t *timeval, const char *timestr, int duration) if (*q) return AVERROR(EINVAL); - if (INT64_MAX / suffix < t) + if (INT64_MAX / suffix < t || t < INT64_MIN / suffix) return AVERROR(ERANGE); t *= suffix; if (INT64_MAX - microseconds < t) return AVERROR(ERANGE); t += microseconds; + if (t == INT64_MIN && negative) + return AVERROR(ERANGE); *timeval = negative ? -t : t; return 0; } diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c index b022149fa0..2b13cda662 100644 --- a/libavutil/ppc/cpu.c +++ b/libavutil/ppc/cpu.c @@ -27,8 +27,8 @@ #if HAVE_UNISTD_H #include #endif -#elif defined(__OpenBSD__) -#include +#elif defined(__NetBSD__) || defined(__OpenBSD__) +#include #include #include #elif defined(__AMIGAOS4__) @@ -56,8 +56,8 @@ int ff_get_cpu_flags_ppc(void) if (result == VECTORTYPE_ALTIVEC) return AV_CPU_FLAG_ALTIVEC; return 0; -#elif defined(__APPLE__) || defined(__OpenBSD__) -#ifdef __OpenBSD__ +#elif defined(__APPLE__) || defined(__NetBSD__) || defined(__OpenBSD__) +#if defined(__NetBSD__) || defined(__OpenBSD__) int sels[2] = {CTL_MACHDEP, CPU_ALTIVEC}; #else int sels[2] = {CTL_HW, HW_VECTORUNIT}; @@ -95,12 +95,15 @@ int ff_get_cpu_flags_ppc(void) #endif if (ret & AV_CPU_FLAG_VSX) av_assert0(ret & AV_CPU_FLAG_ALTIVEC); - } else if (buf[i] == AT_HWCAP2) { + } +#ifdef AT_HWCAP2 /* not introduced until glibc 2.18 */ + else if (buf[i] == AT_HWCAP2) { #ifdef PPC_FEATURE2_ARCH_2_07 if (buf[i + 1] & PPC_FEATURE2_ARCH_2_07) ret |= AV_CPU_FLAG_POWER8; #endif } +#endif /* AT_HWCAP2 */ } } diff --git a/libavutil/rational.h b/libavutil/rational.h index 5c6b67b4e9..3ab7f59bd7 100644 --- a/libavutil/rational.h +++ b/libavutil/rational.h @@ -168,6 +168,10 @@ static av_always_inline AVRational av_inv_q(AVRational q) * In case of infinity, the returned value is expressed as `{1, 0}` or * `{-1, 0}` depending on the sign. * + * In general rational numbers with |num| <= 1<<26 && |den| <= 1<<26 + * can be recovered exactly from their double representation. + * (no exceptions were found within 1B random ones) + * * @param d `double` to convert * @param max Maximum allowed numerator and denominator * @return `d` in AVRational form diff --git a/libavutil/slicethread.c b/libavutil/slicethread.c index dfbe551ef2..45d085001c 100644 --- a/libavutil/slicethread.c +++ b/libavutil/slicethread.c @@ -98,6 +98,7 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, { AVSliceThread *ctx; int nb_workers, i; + int ret; av_assert0(nb_threads >= 0); if (!nb_threads) { @@ -131,16 +132,37 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, atomic_init(&ctx->first_job, 0); atomic_init(&ctx->current_job, 0); - pthread_mutex_init(&ctx->done_mutex, NULL); - pthread_cond_init(&ctx->done_cond, NULL); + ret = pthread_mutex_init(&ctx->done_mutex, NULL); + if (ret) { + av_freep(&ctx->workers); + av_freep(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&ctx->done_cond, NULL); + if (ret) { + ctx->nb_threads = main_func ? 0 : 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } ctx->done = 0; for (i = 0; i < nb_workers; i++) { WorkerContext *w = &ctx->workers[i]; int ret; w->ctx = ctx; - pthread_mutex_init(&w->mutex, NULL); - pthread_cond_init(&w->cond, NULL); + ret = pthread_mutex_init(&w->mutex, NULL); + if (ret) { + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&w->cond, NULL); + if (ret) { + pthread_mutex_destroy(&w->mutex); + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } pthread_mutex_lock(&w->mutex); w->done = 0; diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index a651406f74..399ca6d682 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -236,6 +236,10 @@ static av_always_inline SoftFloat av_sqrt_sf(SoftFloat val) /** * Rounding-to-nearest used. + * + * @param a angle in units of (1ULL<<30)/M_PI radians + * @param s pointer to where sine in units of (1<<30) is returned + * @param c pointer to where cosine in units of (1<<30) is returned */ static av_unused void av_sincos_sf(int a, int *s, int *c) { @@ -281,7 +285,7 @@ static av_unused void av_sincos_sf(int a, int *s, int *c) (int64_t)av_sintbl_4_sf[(idx & 0x1f) + 1] * (a & 0x7ff) + 0x400) >> 11); - *c = (int)(((int64_t)cv * ct + (int64_t)sv * st + 0x20000000) >> 30); + *c = (int)(((int64_t)cv * ct - (int64_t)sv * st + 0x20000000) >> 30); *s = (int)(((int64_t)cv * st + (int64_t)sv * ct + 0x20000000) >> 30); } diff --git a/libavutil/tests/base64.c b/libavutil/tests/base64.c index 400e01cefe..66d0fdc1fc 100644 --- a/libavutil/tests/base64.c +++ b/libavutil/tests/base64.c @@ -64,6 +64,16 @@ static int test_encode_decode(const uint8_t *data, unsigned int data_size, printf("Failed: decode to NULL buffer\n"); return 1; } + if (data_size > 0 && (data2_size = av_base64_decode(data2, encoded, data_size - 1)) != data_size - 1) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } + if (data_size > 1 && (data2_size = av_base64_decode(data2, encoded, data_size - 2)) != data_size - 2) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } if (strlen(encoded)) { char *end = strchr(encoded, '='); if (!end) diff --git a/libavutil/tests/dict.c b/libavutil/tests/dict.c index 56e98557a7..4c526f72f4 100644 --- a/libavutil/tests/dict.c +++ b/libavutil/tests/dict.c @@ -122,12 +122,15 @@ int main(void) //valgrind sensible test printf("\nTesting av_dict_set() with existing AVDictionaryEntry.key as key\n"); - av_dict_set(&dict, "key", "old", 0); + if (av_dict_set(&dict, "key", "old", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); - av_dict_set(&dict, e->key, "new val OK", 0); + if (av_dict_set(&dict, e->key, "new val OK", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); - av_dict_set(&dict, e->key, e->value, 0); + if (av_dict_set(&dict, e->key, e->value, 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); av_dict_free(&dict); diff --git a/libavutil/tests/opt.c b/libavutil/tests/opt.c index f4cfa590aa..08ba6f4d0f 100644 --- a/libavutil/tests/opt.c +++ b/libavutil/tests/opt.c @@ -171,6 +171,7 @@ int main(void) { TestContext test_ctx = { 0 }; char *buf; + int ret; test_ctx.class = &test_class; av_log_set_level(AV_LOG_QUIET); @@ -181,8 +182,10 @@ int main(void) av_opt_free(&test_ctx); memset(&test_ctx, 0, sizeof(test_ctx)); test_ctx.class = &test_class; - av_set_options_string(&test_ctx, buf, "=", ","); + ret = av_set_options_string(&test_ctx, buf, "=", ","); av_free(buf); + if (ret < 0) + printf("Error ret '%d'\n", ret); if (av_opt_serialize(&test_ctx, 0, 0, &buf, '=', ',') >= 0) { printf("%s\n", buf); av_free(buf); diff --git a/libavutil/tests/softfloat.c b/libavutil/tests/softfloat.c index c06de44933..a2e628fe81 100644 --- a/libavutil/tests/softfloat.c +++ b/libavutil/tests/softfloat.c @@ -148,7 +148,7 @@ int main(void){ av_sincos_sf(i*(1ULL<<32)/36/4, &s, &c); errs = (double)s/ (1<<30) - sin(i*M_PI/36); errc = (double)c/ (1<<30) - cos(i*M_PI/36); - if (fabs(errs) > 0.00000002 || fabs(errc) >0.001) { + if (fabs(errs) > 0.000000004 || fabs(errc) >0.000000004) { printf("sincos FAIL %d %f %f %f %f\n", i, (float)s/ (1<<30), (float)c/ (1<<30), sin(i*M_PI/36), cos(i*M_PI/36)); } diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 60077ba0c0..54b0d65a38 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -49,7 +49,7 @@ int av_timecode_adjust_ntsc_framenum2(int framenum, int fps) d = framenum / frames_per_10mins; m = framenum % frames_per_10mins; - return framenum + 9 * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); + return framenum + 9U * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); } uint32_t av_timecode_get_smpte_from_framenum(const AVTimecode *tc, int framenum) @@ -96,8 +96,8 @@ char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum) } ff = framenum % fps; ss = framenum / fps % 60; - mm = framenum / (fps*60) % 60; - hh = framenum / (fps*3600); + mm = framenum / (fps*60LL) % 60; + hh = framenum / (fps*3600LL); if (tc->flags & AV_TIMECODE_FLAG_24HOURSMAX) hh = hh % 24; snprintf(buf, AV_TIMECODE_STR_SIZE, "%s%02d:%02d:%02d%c%02d", @@ -173,7 +173,7 @@ static int fps_from_frame_rate(AVRational rate) { if (!rate.den || !rate.num) return -1; - return (rate.num + rate.den/2) / rate.den; + return (rate.num + rate.den/2LL) / rate.den; } int av_timecode_check_frame_rate(AVRational rate) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 1fef8747c0..4f5901217c 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -950,6 +950,11 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], int minStride= FFMAX(FFABS(srcStride[0]), FFABS(dstStride[0])); int absQPStride = FFABS(QPStride); + if (width < 16 || height < 16) { + av_log(c, AV_LOG_ERROR, "Postproc is designed to filter 16x16 macroblock based formats, the minimum size is 1 macroblock\n"); + return; + } + // c->stride and c->QPStride are always positive if(c->stride < minStride || c->qpStride < absQPStride) reallocBuffers(c, width, height, diff --git a/libswscale/aarch64/yuv2rgb_neon.S b/libswscale/aarch64/yuv2rgb_neon.S index b7446aa105..10bd1f7480 100644 --- a/libswscale/aarch64/yuv2rgb_neon.S +++ b/libswscale/aarch64/yuv2rgb_neon.S @@ -118,8 +118,8 @@ .endm .macro increment_yuv422p - add x6, x6, w7, UXTW // srcU += incU - add x13, x13, w14, UXTW // srcV += incV + add x6, x6, w7, SXTW // srcU += incU + add x13, x13, w14, SXTW // srcV += incV .endm .macro compute_rgba r1 g1 b1 a1 r2 g2 b2 a2 @@ -188,8 +188,8 @@ function ff_\ifmt\()_to_\ofmt\()_neon, export=1 st4 {v16.8B,v17.8B,v18.8B,v19.8B}, [x2], #32 subs w8, w8, #16 // width -= 16 b.gt 2b - add x2, x2, w3, UXTW // dst += padding - add x4, x4, w5, UXTW // srcY += paddingY + add x2, x2, w3, SXTW // dst += padding + add x4, x4, w5, SXTW // srcY += paddingY increment_\ifmt subs w1, w1, #1 // height -= 1 b.gt 1b diff --git a/libswscale/alphablend.c b/libswscale/alphablend.c index b5686599c0..b5967c889b 100644 --- a/libswscale/alphablend.c +++ b/libswscale/alphablend.c @@ -26,7 +26,7 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(c->srcFormat); int nb_components = desc->nb_components; - int plane, x, y; + int plane, x, ysrc; int plane_count = isGray(c->srcFormat) ? 1 : 3; int sixteen_bits = desc->comp[0].depth >= 9; unsigned off = 1<<(desc->comp[0].depth - 1); @@ -50,14 +50,15 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], int w = plane ? c->chrSrcW : c->srcW; int x_subsample = plane ? desc->log2_chroma_w: 0; int y_subsample = plane ? desc->log2_chroma_h: 0; - for (y = srcSliceY >> y_subsample; y < AV_CEIL_RSHIFT(srcSliceH, y_subsample); y++) { + for (ysrc = 0; ysrc < AV_CEIL_RSHIFT(srcSliceH, y_subsample); ysrc++) { + int y = ysrc + (srcSliceY >> y_subsample); if (x_subsample || y_subsample) { int alpha; unsigned u; if (sixteen_bits) { ptrdiff_t alpha_step = srcStride[plane_count] >> 1; - const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y); - const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * y << y_subsample)); + const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc); + const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample)); uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -82,8 +83,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } else { ptrdiff_t alpha_step = srcStride[plane_count]; - const uint8_t *s = src[plane ] + srcStride[plane] * y; - const uint8_t *a = src[plane_count] + (srcStride[plane_count] * y << y_subsample); + const uint8_t *s = src[plane ] + srcStride[plane] * ysrc; + const uint8_t *a = src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample); uint8_t *d = dst[plane ] + dstStride[plane] * y; for (x = 0; x < w; x++) { if (y_subsample) { @@ -97,8 +98,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } else { if (sixteen_bits) { - const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y); - const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * y); + const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc); + const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * ysrc); uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -113,8 +114,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } } else { - const uint8_t *s = src[plane ] + srcStride[plane] * y; - const uint8_t *a = src[plane_count] + srcStride[plane_count] * y; + const uint8_t *s = src[plane ] + srcStride[plane] * ysrc; + const uint8_t *a = src[plane_count] + srcStride[plane_count] * ysrc; uint8_t *d = dst[plane ] + dstStride[plane] * y; for (x = 0; x < w; x++) { unsigned u = s[x]*a[x] + target_table[((x^y)>>5)&1][plane]*(255-a[x]) + 128; @@ -127,10 +128,11 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } else { int alpha_pos = desc->comp[plane_count].offset; int w = c->srcW; - for (y = srcSliceY; y < srcSliceH; y++) { + for (ysrc = 0; ysrc < srcSliceH; ysrc++) { + int y = ysrc + srcSliceY; if (sixteen_bits) { - const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * y + 2*!alpha_pos); - const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * y + alpha_pos); + const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * ysrc + 2*!alpha_pos); + const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * ysrc + alpha_pos); uint16_t *d = ( uint16_t *)(dst[0] + dstStride[0] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -151,8 +153,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } } else { - const uint8_t *s = src[0] + srcStride[0] * y + !alpha_pos; - const uint8_t *a = src[0] + srcStride[0] * y + alpha_pos; + const uint8_t *s = src[0] + srcStride[0] * ysrc + !alpha_pos; + const uint8_t *a = src[0] + srcStride[0] * ysrc + alpha_pos; uint8_t *d = dst[0] + dstStride[0] * y; for (x = 0; x < w; x++) { for (plane = 0; plane < plane_count; plane++) { diff --git a/libswscale/input.c b/libswscale/input.c index 064f8da314..bc0eec65b8 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -84,9 +84,9 @@ rgb64ToUV_half_c_template(uint16_t *dstU, uint16_t *dstV, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1==src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; - int g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; - int b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; + unsigned g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; dstU[i]= (ru*r + gu*g + bu*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; dstV[i]= (rv*r + gv*g + bv*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; @@ -156,9 +156,9 @@ static av_always_inline void rgb48ToUV_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = input_pixel(&src1[i * 3 + 0]); - int g = input_pixel(&src1[i * 3 + 1]); - int b_r = input_pixel(&src1[i * 3 + 2]); + unsigned r_b = input_pixel(&src1[i * 3 + 0]); + unsigned g = input_pixel(&src1[i * 3 + 1]); + unsigned b_r = input_pixel(&src1[i * 3 + 2]); dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; @@ -178,12 +178,12 @@ static av_always_inline void rgb48ToUV_half_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[6 * i + 0]) + - input_pixel(&src1[6 * i + 3]) + 1) >> 1; - int g = (input_pixel(&src1[6 * i + 1]) + - input_pixel(&src1[6 * i + 4]) + 1) >> 1; - int b_r = (input_pixel(&src1[6 * i + 2]) + - input_pixel(&src1[6 * i + 5]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[6 * i + 0]) + + input_pixel(&src1[6 * i + 3]) + 1) >> 1; + unsigned g = (input_pixel(&src1[6 * i + 1]) + + input_pixel(&src1[6 * i + 4]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[6 * i + 2]) + + input_pixel(&src1[6 * i + 5]) + 1) >> 1; dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; @@ -286,8 +286,8 @@ static av_always_inline void rgb16_32ToUV_c_template(int16_t *dstU, int gsh, int bsh, int S, int32_t *rgb2yuv) { - const int ru = rgb2yuv[RU_IDX] << rsh, gu = rgb2yuv[GU_IDX] << gsh, bu = rgb2yuv[BU_IDX] << bsh, - rv = rgb2yuv[RV_IDX] << rsh, gv = rgb2yuv[GV_IDX] << gsh, bv = rgb2yuv[BV_IDX] << bsh; + const int ru = rgb2yuv[RU_IDX] * (1 << rsh), gu = rgb2yuv[GU_IDX] * (1 << gsh), bu = rgb2yuv[BU_IDX] * (1 << bsh), + rv = rgb2yuv[RV_IDX] * (1 << rsh), gv = rgb2yuv[GV_IDX] * (1 << gsh), bv = rgb2yuv[BV_IDX] * (1 << bsh); const unsigned rnd = (256u<<((S)-1)) + (1<<(S-7)); int i; @@ -314,8 +314,8 @@ static av_always_inline void rgb16_32ToUV_half_c_template(int16_t *dstU, int gsh, int bsh, int S, int32_t *rgb2yuv) { - const int ru = rgb2yuv[RU_IDX] << rsh, gu = rgb2yuv[GU_IDX] << gsh, bu = rgb2yuv[BU_IDX] << bsh, - rv = rgb2yuv[RV_IDX] << rsh, gv = rgb2yuv[GV_IDX] << gsh, bv = rgb2yuv[BV_IDX] << bsh, + const int ru = rgb2yuv[RU_IDX] * (1 << rsh), gu = rgb2yuv[GU_IDX] * (1 << gsh), bu = rgb2yuv[BU_IDX] * (1 << bsh), + rv = rgb2yuv[RV_IDX] * (1 << rsh), gv = rgb2yuv[GV_IDX] * (1 << gsh), bv = rgb2yuv[BV_IDX] * (1 << bsh), maskgx = ~(maskr | maskb); const unsigned rnd = (256U<<(S)) + (1<<(S-6)); int i; diff --git a/libswscale/output.c b/libswscale/output.c index 26b0ff3d48..c9a6c445dd 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -997,8 +997,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, for (i = 0; i < ((dstW + 1) >> 1); i++) { int j; - int Y1 = -0x40000000; - int Y2 = -0x40000000; + unsigned Y1 = -0x40000000; + unsigned Y2 = -0x40000000; int U = -(128 << 23); // 19 int V = -(128 << 23); int R, G, B; @@ -1026,9 +1026,9 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, } // 8 bits: 12+15=27; 16 bits: 12+19=31 - Y1 >>= 14; // 10 + Y1 = (int)Y1 >> 14; // 10 Y1 += 0x10000; - Y2 >>= 14; + Y2 = (int)Y2 >> 14; Y2 += 0x10000; U >>= 14; V >>= 14; @@ -1038,8 +1038,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; // 21 - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); // 21 + Y2 += (1 << 13) - (1 << 29); // 8 bits: 17 + 13 bits = 30 bits, 16 bits: 17 + 13 bits = 30 bits R = V * c->yuv2rgb_v2r_coeff; @@ -1047,20 +1047,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1087,8 +1087,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], av_assert2(uvalpha <= 4096U); for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; - int Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; + unsigned Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; + unsigned Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; int U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14; int V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14; int R, G, B; @@ -1097,8 +1097,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; @@ -1112,20 +1112,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1143,8 +1143,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; @@ -1153,12 +1153,12 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1168,20 +1168,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1189,8 +1189,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A1 = 0xffff<<14, A2 = 0xffff<<14; for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; @@ -1199,12 +1199,12 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1214,20 +1214,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1278,7 +1278,7 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, // 8bit: 27 -> 17bit, 16bit: 31 - 14 = 17bit Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; // 21 + Y += (1 << 13) - (1<<29); // 21 // 8bit: 17 + 13bit = 30bit, 16bit: 17 + 13bit = 30bit R = V * c->yuv2rgb_v2r_coeff; @@ -1286,9 +1286,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + (unsigned)Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1326,7 +1326,7 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; @@ -1338,9 +1338,9 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], A += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1362,17 +1362,17 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < dstW; i++) { - int Y = (buf0[i]) >> 2; + SUINT Y = (buf0[i]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } @@ -1381,9 +1381,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1395,17 +1395,17 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0xffff<<14; for (i = 0; i < dstW; i++) { - int Y = (buf0[i] ) >> 2; + SUINT Y = (buf0[i] ) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } @@ -1414,9 +1414,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1847,9 +1847,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = Y + V*c->yuv2rgb_v2r_coeff; - G = Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2g_coeff + U*(unsigned)c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*(unsigned)c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); @@ -2090,7 +2090,7 @@ yuv2rgb_full_1_c_template(SwsContext *c, const int16_t *buf0, if (uvalpha < 2048) { int A = 0; //init to silence warning for (i = 0; i < dstW; i++) { - int Y = buf0[i] << 2; + int Y = buf0[i] * 4; int U = (ubuf0[i] - (128<<7)) * 4; int V = (vbuf0[i] - (128<<7)) * 4; @@ -2107,9 +2107,9 @@ yuv2rgb_full_1_c_template(SwsContext *c, const int16_t *buf0, const int16_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0; //init to silence warning for (i = 0; i < dstW; i++) { - int Y = buf0[i] << 2; - int U = (ubuf0[i] + ubuf1[i] - (128<<8)) << 1; - int V = (vbuf0[i] + vbuf1[i] - (128<<8)) << 1; + int Y = buf0[i] * 4; + int U = (ubuf0[i] + ubuf1[i] - (128<<8)) * 2; + int V = (vbuf0[i] + vbuf1[i] - (128<<8)) * 2; if (hasAlpha) { A = (abuf0[i] + 64) >> 7; @@ -2199,9 +2199,9 @@ yuv2gbrp_full_X_c(SwsContext *c, const int16_t *lumFilter, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << (SH-1); - R = Y + V * c->yuv2rgb_v2r_coeff; - G = Y + V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; - B = Y + U * c->yuv2rgb_u2b_coeff; + R = Y + V * (unsigned)c->yuv2rgb_v2r_coeff; + G = Y + V * (unsigned)c->yuv2rgb_v2g_coeff + U * (unsigned)c->yuv2rgb_u2g_coeff; + B = Y + U * (unsigned)c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); @@ -2275,7 +2275,7 @@ yuv2gbrp16_full_X_c(SwsContext *c, const int16_t *lumFilter, A = -0x40000000; for (j = 0; j < lumFilterSize; j++) - A += alpSrc[j][i] * lumFilter[j]; + A += alpSrc[j][i] * (unsigned)lumFilter[j]; A >>= 1; A += 0x20002000; diff --git a/libswscale/slice.c b/libswscale/slice.c index db4fa874ff..1af2b1f5a5 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -59,7 +59,7 @@ static int alloc_lines(SwsSlice *s, int size, int width) for (j = 0; j < n; ++j) { // chroma plane line U and V are expected to be contiguous in memory // by mmx vertical scaler code - s->plane[i].line[j] = av_malloc(size * 2 + 32); + s->plane[i].line[j] = av_mallocz(size * 2 + 32); if (!s->plane[i].line[j]) { free_lines(s); return AVERROR(ENOMEM); @@ -286,7 +286,10 @@ int ff_init_filters(SwsContext * c) if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - + if (!c->slice) { + res = AVERROR(ENOMEM); + goto cleanup; + } res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 40695503ad..f4e10d7a17 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -225,7 +225,7 @@ static void lumRangeFromJpeg16_c(int16_t *_dst, int width) int i; int32_t *dst = (int32_t *) _dst; for (i = 0; i < width; i++) - dst[i] = (dst[i]*(14071/4) + (33561947<<4)/4)>>12; + dst[i] = ((int)(dst[i]*(14071U/4) + (33561947<<4)/4)) >> 12; } @@ -300,8 +300,8 @@ static int swscale(SwsContext *c, const uint8_t *src[], srcStride[2] = srcStride[3] = srcStride[0]; } - srcStride[1] <<= c->vChrDrop; - srcStride[2] <<= c->vChrDrop; + srcStride[1] *= 1 << c->vChrDrop; + srcStride[2] *= 1 << c->vChrDrop; DEBUG_BUFFERS("swscale() %p[%d] %p[%d] %p[%d] %p[%d] -> %p[%d] %p[%d] %p[%d] %p[%d]\n", src[0], srcStride[0], src[1], srcStride[1], @@ -784,7 +784,8 @@ int attribute_align_arg sws_scale(struct SwsContext *c, if ((srcSliceY & (macro_height-1)) || ((srcSliceH& (macro_height-1)) && srcSliceY + srcSliceH != c->srcH) || - srcSliceY + srcSliceH > c->srcH) { + srcSliceY + srcSliceH > c->srcH || + (isBayer(c->srcFormat) && srcSliceH <= 1)) { av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); return AVERROR(EINVAL); } diff --git a/libswscale/utils.c b/libswscale/utils.c index 1b1f779532..e0e36b6f03 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -390,7 +390,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, (*filterPos)[i] = xx; // bilinear upscale / linear interpolate / area averaging for (j = 0; j < filterSize; j++) { - int64_t coeff= fone - FFABS(((int64_t)xx<<16) - xDstInSrc)*(fone>>16); + int64_t coeff = fone - FFABS((int64_t)xx * (1 << 16) - xDstInSrc) * (fone >> 16); if (coeff < 0) coeff = 0; filter[i * filterSize + j] = coeff; @@ -506,7 +506,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, filter[i * filterSize + j] = coeff; xx++; } - xDstInSrc += 2 * xInc; + xDstInSrc += 2LL * xInc; } } @@ -1740,7 +1740,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, } for (i = 0; i < 4; i++) - FF_ALLOCZ_OR_GOTO(c, c->dither_error[i], (c->dstW+2) * sizeof(int), fail); + FF_ALLOCZ_OR_GOTO(c, c->dither_error[i], (c->dstW+3) * sizeof(int), fail); c->needAlpha = (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) ? 1 : 0; @@ -1816,7 +1816,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, /* unscaled special cases */ if (unscaled && !usesHFilter && !usesVFilter && (c->srcRange == c->dstRange || isAnyRGB(dstFormat) || - isFloat(srcFormat) || isFloat(dstFormat))){ + isFloat(srcFormat) || isFloat(dstFormat) || isBayer(srcFormat))){ ff_get_unscaled_swscale(c); if (c->swscale) { diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index 7dc2d70574..0eed4f18d5 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c @@ -160,7 +160,7 @@ void ff_updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrB *(const void**)&lumMmxFilter[s*i+APCK_PTR2/4 ]= lumSrcPtr[i+(vLumFilterSize>1)]; lumMmxFilter[s*i+APCK_COEF/4 ]= lumMmxFilter[s*i+APCK_COEF/4+1]= vLumFilter[dstY*vLumFilterSize + i ] - + (vLumFilterSize>1 ? vLumFilter[dstY*vLumFilterSize + i + 1]<<16 : 0); + + (vLumFilterSize>1 ? vLumFilter[dstY*vLumFilterSize + i + 1] * (1 << 16) : 0); if (CONFIG_SWSCALE_ALPHA && hasAlpha) { *(const void**)&alpMmxFilter[s*i ]= alpSrcPtr[i ]; *(const void**)&alpMmxFilter[s*i+APCK_PTR2/4 ]= alpSrcPtr[i+(vLumFilterSize>1)]; @@ -173,7 +173,7 @@ void ff_updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrB *(const void**)&chrMmxFilter[s*i+APCK_PTR2/4 ]= chrUSrcPtr[i+(vChrFilterSize>1)]; chrMmxFilter[s*i+APCK_COEF/4 ]= chrMmxFilter[s*i+APCK_COEF/4+1]= vChrFilter[chrDstY*vChrFilterSize + i ] - + (vChrFilterSize>1 ? vChrFilter[chrDstY*vChrFilterSize + i + 1]<<16 : 0); + + (vChrFilterSize>1 ? vChrFilter[chrDstY*vChrFilterSize + i + 1] * (1 << 16) : 0); } } else { for (i=0; itable_gU[128 + YUVRGB_TABLE_HEADROOM] + c->table_gV[128 + YUVRGB_TABLE_HEADROOM]; @@ -824,7 +825,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], cbu = (cbu * contrast * saturation) >> 32; cgu = (cgu * contrast * saturation) >> 32; cgv = (cgv * contrast * saturation) >> 32; - oy -= 256 * brightness; + oy -= 256LL * brightness; c->uOffset = 0x0400040004000400LL; c->vOffset = 0x0400040004000400LL; diff --git a/tests/checkasm/float_dsp.c b/tests/checkasm/float_dsp.c index 2abe4eccbd..a1616a61a8 100644 --- a/tests/checkasm/float_dsp.c +++ b/tests/checkasm/float_dsp.c @@ -51,7 +51,8 @@ static void test_vector_fmul(const float *src0, const float *src1) call_ref(cdst, src0, src1, LEN); call_new(odst, src0, src1, LEN); for (i = 0; i < LEN; i++) { - if (!float_near_abs_eps(cdst[i], odst[i], FLT_EPSILON)) { + double t = fabs(src0[i]) + fabs(src1[i]) + fabs(src0[i] * src1[i]) + 1.0; + if (!float_near_abs_eps(cdst[i], odst[i], t * 2 * FLT_EPSILON)) { fprintf(stderr, "%d: %- .12f - %- .12f = % .12g\n", i, cdst[i], odst[i], cdst[i] - odst[i]); fail(); @@ -73,7 +74,8 @@ static void test_vector_dmul(const double *src0, const double *src1) call_ref(cdst, src0, src1, LEN); call_new(odst, src0, src1, LEN); for (i = 0; i < LEN; i++) { - if (!double_near_abs_eps(cdst[i], odst[i], DBL_EPSILON)) { + double t = fabs(src0[i]) + fabs(src1[i]) + fabs(src0[i] * src1[i]) + 1.0; + if (!double_near_abs_eps(cdst[i], odst[i], t * 2 * DBL_EPSILON)) { fprintf(stderr, "%d: %- .12f - %- .12f = % .12g\n", i, cdst[i], odst[i], cdst[i] - odst[i]); fail(); @@ -117,7 +119,8 @@ static void test_vector_fmul_scalar(const float *src0, const float *src1) call_ref(cdst, src0, src1[0], LEN); call_new(odst, src0, src1[0], LEN); for (i = 0; i < LEN; i++) { - if (!float_near_abs_eps(cdst[i], odst[i], FLT_EPSILON)) { + double t = fabs(src0[i]) + fabs(src1[0]) + fabs(src0[i] * src1[0]) + 1.0; + if (!float_near_abs_eps(cdst[i], odst[i], t * 2 * FLT_EPSILON)) { fprintf(stderr, "%d: %- .12f - %- .12f = % .12g\n", i, cdst[i], odst[i], cdst[i] - odst[i]); fail(); diff --git a/tests/fate-run.sh b/tests/fate-run.sh index 2f1991da52..aec12c16a3 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh @@ -296,7 +296,7 @@ lavf_container(){ outdir="tests/data/lavf" file=${outdir}/lavf.$t do_avconv $file $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src $DEC_OPTS -ar 44100 -f s16le $1 -i $pcm_src "$ENC_OPTS -metadata title=lavftest" -b:a 64k -t 1 -qscale:v 10 $2 - test $3 = "disable_crc" || + test "$3" = "disable_crc" || do_avconv_crc $file $DEC_OPTS -i $target_path/$file $3 } diff --git a/tests/fate/lavf-video.mak b/tests/fate/lavf-video.mak index 7a70ac90ce..f6e98246c4 100644 --- a/tests/fate/lavf-video.mak +++ b/tests/fate/lavf-video.mak @@ -6,7 +6,7 @@ FATE_LAVF_VIDEO-$(call ENCDEC, FITS, FITS) += gbrp.fits FATE_LAVF_VIDEO-$(call ENCDEC, FITS, FITS) += gbrap.fits FATE_LAVF_VIDEO-$(call ENCDEC, FITS, FITS) += gbrp16be.fits FATE_LAVF_VIDEO-$(call ENCDEC, FITS, FITS) += gbrap16be.fits -FATE_LAVF_VIDEO-$(call ENCDEC, GIF, FITS) += gif +FATE_LAVF_VIDEO-$(call ENCDEC, GIF, GIF) += gif FATE_LAVF_VIDEO-$(CONFIG_YUV4MPEGPIPE_MUXER) += y4m FATE_LAVF_VIDEO = $(FATE_LAVF_VIDEO-yes:%=fate-lavf-%) diff --git a/tests/fate/subtitles.mak b/tests/fate/subtitles.mak index 0042902161..2877224668 100644 --- a/tests/fate/subtitles.mak +++ b/tests/fate/subtitles.mak @@ -102,6 +102,7 @@ fate-sub-charenc: CMD = fmtstdout ass -sub_charenc cp1251 -i $(TARGET_SAMPLES)/s FATE_SUBTITLES-$(call DEMDEC, SCC, CCAPTION) += fate-sub-scc fate-sub-scc: CMD = fmtstdout ass -ss 57 -i $(TARGET_SAMPLES)/sub/witch.scc +fate-sub-scc: CMP = diff FATE_SUBTITLES-$(call ENCMUX, ASS, ASS) += $(FATE_SUBTITLES_ASS-yes) FATE_SUBTITLES += $(FATE_SUBTITLES-yes) diff --git a/tests/ref/fate/fitsdec-bitpix-32 b/tests/ref/fate/fitsdec-bitpix-32 index 9bce361555..b3a51401d4 100644 --- a/tests/ref/fate/fitsdec-bitpix-32 +++ b/tests/ref/fate/fitsdec-bitpix-32 @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 102x109 #sar 0: 0/1 -0, 0, 0, 1, 22236, 0x34490902 +0, 0, 0, 1, 22236, 0x24634517 diff --git a/tests/ref/fate/fitsdec-bitpix-64 b/tests/ref/fate/fitsdec-bitpix-64 index 9febdd68f4..e50d5e029c 100644 --- a/tests/ref/fate/fitsdec-bitpix-64 +++ b/tests/ref/fate/fitsdec-bitpix-64 @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 77x173 #sar 0: 0/1 -0, 0, 0, 1, 26642, 0x0ad2a46a +0, 0, 0, 1, 26642, 0xa9eec634 diff --git a/tests/ref/fate/fitsdec-blank_bitpix32 b/tests/ref/fate/fitsdec-blank_bitpix32 index 184fd41c59..330d6710ca 100644 --- a/tests/ref/fate/fitsdec-blank_bitpix32 +++ b/tests/ref/fate/fitsdec-blank_bitpix32 @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 256x256 #sar 0: 0/1 -0, 0, 0, 1, 131072, 0x7fb22427 +0, 0, 0, 1, 131072, 0x3ecd0739 diff --git a/tests/ref/fate/fitsdec-ext_data_min_max b/tests/ref/fate/fitsdec-ext_data_min_max index 9009a4efb3..006d8d6250 100644 --- a/tests/ref/fate/fitsdec-ext_data_min_max +++ b/tests/ref/fate/fitsdec-ext_data_min_max @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 512x512 #sar 0: 0/1 -0, 0, 0, 1, 524288, 0xc327ed23 +0, 0, 0, 1, 524288, 0x6567ecb3 diff --git a/tests/ref/fate/fitsdec-gray b/tests/ref/fate/fitsdec-gray index 425b31fc0f..d080732452 100644 --- a/tests/ref/fate/fitsdec-gray +++ b/tests/ref/fate/fitsdec-gray @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 128x128 #sar 0: 0/1 -0, 0, 0, 1, 16384, 0xd788a2d2 +0, 0, 0, 1, 16384, 0x353dbacd diff --git a/tests/ref/fate/source b/tests/ref/fate/source index 8e12582ce8..ad1e5b95d6 100644 --- a/tests/ref/fate/source +++ b/tests/ref/fate/source @@ -25,7 +25,6 @@ compat/avisynth/avs/types.h compat/avisynth/avxsynth_c.h compat/avisynth/windowsPorts/basicDataTypeConversions.h compat/avisynth/windowsPorts/windows2linux.h -compat/cuda/dynlink_loader.h compat/djgpp/math.h compat/float/float.h compat/float/limits.h diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 2469a3ec21..09ebe62b25 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -249,4 +249,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xbf73f1b7 +0, 246, 246, 1, 233472, 0x4f3ef38c diff --git a/tests/ref/fate/webm-dash-manifest b/tests/ref/fate/webm-dash-manifest index f5fc9121da..3a557fc39f 100644 --- a/tests/ref/fate/webm-dash-manifest +++ b/tests/ref/fate/webm-dash-manifest @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-representations b/tests/ref/fate/webm-dash-manifest-representations index 8556ecebee..41713bb367 100644 --- a/tests/ref/fate/webm-dash-manifest-representations +++ b/tests/ref/fate/webm-dash-manifest-representations @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams b/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams index 6e9de211fb..b1bc7ecea1 100644 --- a/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams +++ b/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-unaligned-video-streams b/tests/ref/fate/webm-dash-manifest-unaligned-video-streams index ce205638b6..690c2aabe3 100644 --- a/tests/ref/fate/webm-dash-manifest-unaligned-video-streams +++ b/tests/ref/fate/webm-dash-manifest-unaligned-video-streams @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/lavf/gray16be.fits b/tests/ref/lavf/gray16be.fits index 078d6c8678..058fa4ad19 100644 --- a/tests/ref/lavf/gray16be.fits +++ b/tests/ref/lavf/gray16be.fits @@ -1,3 +1,3 @@ 15e85a553bbd07783f92377ed369308b *tests/data/lavf/lavf.gray16be.fits 5184000 tests/data/lavf/lavf.gray16be.fits -tests/data/lavf/lavf.gray16be.fits CRC=0x8b840cff +tests/data/lavf/lavf.gray16be.fits CRC=0x8cdcbeb2 diff --git a/tests/ref/seek/vsynth_lena-snow b/tests/ref/seek/vsynth_lena-snow index 33d6c27463..b2d2d22cda 100644 --- a/tests/ref/seek/vsynth_lena-snow +++ b/tests/ref/seek/vsynth_lena-snow @@ -2,45 +2,45 @@ ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:0 ts:-1.000000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret: 0 st: 0 flags:0 ts:-0.040000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:1 ts: 0.200839 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:0 ts:-0.920000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/vsynth/vsynth1-snow b/tests/ref/vsynth/vsynth1-snow index f20abd2ee4..b0e3a0bfd7 100644 --- a/tests/ref/vsynth/vsynth1-snow +++ b/tests/ref/vsynth/vsynth1-snow @@ -1,4 +1,4 @@ -67c10f8d52fcd1103caa675a1408bf6e *tests/data/fate/vsynth1-snow.avi -136088 tests/data/fate/vsynth1-snow.avi -bfc0bcc4bc7b956933aa58acc587018d *tests/data/fate/vsynth1-snow.out.rawvideo -stddev: 22.77 PSNR: 20.98 MAXDIFF: 175 bytes: 7603200/ 7603200 +c4c77a6fb926b89fe6591c398f5cd4db *tests/data/fate/vsynth1-snow.avi +136160 tests/data/fate/vsynth1-snow.avi +dcf8b3f62d9c3ae2b2d0fbbacbf83e4e *tests/data/fate/vsynth1-snow.out.rawvideo +stddev: 22.74 PSNR: 20.99 MAXDIFF: 173 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth1-snow-hpel b/tests/ref/vsynth/vsynth1-snow-hpel index 39780ad8a2..72b082b2ce 100644 --- a/tests/ref/vsynth/vsynth1-snow-hpel +++ b/tests/ref/vsynth/vsynth1-snow-hpel @@ -1,4 +1,4 @@ -e62ae25d5040d04622a965bcb27fdb1e *tests/data/fate/vsynth1-snow-hpel.avi -138446 tests/data/fate/vsynth1-snow-hpel.avi -57c914cd150f8fc260b5989ce3e5884c *tests/data/fate/vsynth1-snow-hpel.out.rawvideo -stddev: 22.74 PSNR: 20.99 MAXDIFF: 172 bytes: 7603200/ 7603200 +5c9eb93646eb0e5570d37e9adc9625e4 *tests/data/fate/vsynth1-snow-hpel.avi +138580 tests/data/fate/vsynth1-snow-hpel.avi +3382bdde624d8bb4af206a5ac6614605 *tests/data/fate/vsynth1-snow-hpel.out.rawvideo +stddev: 22.71 PSNR: 21.00 MAXDIFF: 171 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-snow b/tests/ref/vsynth/vsynth2-snow index e9607bb7d0..355f89d5f4 100644 --- a/tests/ref/vsynth/vsynth2-snow +++ b/tests/ref/vsynth/vsynth2-snow @@ -1,4 +1,4 @@ -0a41e73ddd2f54936490655b46dad4a3 *tests/data/fate/vsynth2-snow.avi -72868 tests/data/fate/vsynth2-snow.avi -34a75f5cf8a71159f1a572d9cedcfef9 *tests/data/fate/vsynth2-snow.out.rawvideo -stddev: 13.73 PSNR: 25.37 MAXDIFF: 162 bytes: 7603200/ 7603200 +5e130d6a48b69348eee7f7c76c5869a3 *tests/data/fate/vsynth2-snow.avi +72942 tests/data/fate/vsynth2-snow.avi +9b6cee60e3ec0d1f312a8a25a7878fcc *tests/data/fate/vsynth2-snow.out.rawvideo +stddev: 13.39 PSNR: 25.59 MAXDIFF: 154 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-snow-hpel b/tests/ref/vsynth/vsynth2-snow-hpel index 66839fd6f6..ec3b5dfad2 100644 --- a/tests/ref/vsynth/vsynth2-snow-hpel +++ b/tests/ref/vsynth/vsynth2-snow-hpel @@ -1,4 +1,4 @@ -9bc409e4794ee50691a26c9c836d31a7 *tests/data/fate/vsynth2-snow-hpel.avi -79728 tests/data/fate/vsynth2-snow-hpel.avi -2cc64d8171175a1532fd7d3ed3011fbf *tests/data/fate/vsynth2-snow-hpel.out.rawvideo -stddev: 13.70 PSNR: 25.39 MAXDIFF: 162 bytes: 7603200/ 7603200 +8edcf0fd7f066972ff77d5b891ed6dde *tests/data/fate/vsynth2-snow-hpel.avi +79798 tests/data/fate/vsynth2-snow-hpel.avi +7e0f2a24feda6fb3e54b85511a28c45f *tests/data/fate/vsynth2-snow-hpel.out.rawvideo +stddev: 13.35 PSNR: 25.62 MAXDIFF: 157 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow b/tests/ref/vsynth/vsynth_lena-snow index ec29a78483..582c294531 100644 --- a/tests/ref/vsynth/vsynth_lena-snow +++ b/tests/ref/vsynth/vsynth_lena-snow @@ -1,4 +1,4 @@ -8e96f337e8f4ccac7d72ef517e1d2208 *tests/data/fate/vsynth_lena-snow.avi -57680 tests/data/fate/vsynth_lena-snow.avi -90963cfd2359d460001c94d94256dc2b *tests/data/fate/vsynth_lena-snow.out.rawvideo -stddev: 10.48 PSNR: 27.72 MAXDIFF: 119 bytes: 7603200/ 7603200 +bf2cf9cacc1d98388798be98872049ee *tests/data/fate/vsynth_lena-snow.avi +57604 tests/data/fate/vsynth_lena-snow.avi +707a42eb20195913be55ba8dfadf72fb *tests/data/fate/vsynth_lena-snow.out.rawvideo +stddev: 10.37 PSNR: 27.81 MAXDIFF: 120 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow-hpel b/tests/ref/vsynth/vsynth_lena-snow-hpel index 2d6edd8a79..67effebc8a 100644 --- a/tests/ref/vsynth/vsynth_lena-snow-hpel +++ b/tests/ref/vsynth/vsynth_lena-snow-hpel @@ -1,4 +1,4 @@ -56b14cb1cbb637536233982e87f7ac3e *tests/data/fate/vsynth_lena-snow-hpel.avi -61764 tests/data/fate/vsynth_lena-snow-hpel.avi -244b0266127fa354d8485234b2c388e4 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo -stddev: 10.45 PSNR: 27.74 MAXDIFF: 119 bytes: 7603200/ 7603200 +c6ec87a11415a99b1a781f9f5bacb722 *tests/data/fate/vsynth_lena-snow-hpel.avi +61814 tests/data/fate/vsynth_lena-snow-hpel.avi +40f330397b7acf6bdbb3ec6d908be451 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo +stddev: 10.34 PSNR: 27.83 MAXDIFF: 118 bytes: 7603200/ 7603200 diff --git a/tools/coverity.c b/tools/coverity.c index 19a132a976..541e108238 100644 --- a/tools/coverity.c +++ b/tools/coverity.c @@ -31,6 +31,17 @@ #define NULL (void *)0 +typedef long long int64_t; + +enum AVRounding { + AV_ROUND_ZERO = 0, + AV_ROUND_INF = 1, + AV_ROUND_DOWN = 2, + AV_ROUND_UP = 3, + AV_ROUND_NEAR_INF = 5, + AV_ROUND_PASS_MINMAX = 8192, +}; + // Based on https://scan.coverity.com/models void *av_malloc(size_t size) { int has_memory; @@ -77,3 +88,10 @@ void *av_free(void *ptr) { __coverity_mark_as_afm_freed__(ptr, "av_free"); } + +int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) { + __coverity_negative_sink__(b); + __coverity_negative_sink__(c); + + return (double)a * (double)b / (double)c; +} diff --git a/tools/cws2fws.c b/tools/cws2fws.c index 7046b69957..9ce321fe20 100644 --- a/tools/cws2fws.c +++ b/tools/cws2fws.c @@ -89,6 +89,12 @@ int main(int argc, char *argv[]) for (i = 0; i < comp_len - 8;) { int ret, len = read(fd_in, &buf_in, 1024); + if (len == -1) { + printf("read failure\n"); + inflateEnd(&zstream); + goto out; + } + dbgprintf("read %d bytes\n", len); last_out = zstream.total_out;