From 9711b527394c99e5bd4c5174a1a30a2238bbb859 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2013 16:39:10 +0200 Subject: [PATCH 001/492] avfilter/af_earwax: Fix out of array accesses on odd packets Found-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0a3a0edd52b98aec27d1b8c63c85cb52ff46d40e) Signed-off-by: Michael Niedermayer --- libavfilter/af_earwax.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/libavfilter/af_earwax.c b/libavfilter/af_earwax.c index 189243a672..3db4659c35 100644 --- a/libavfilter/af_earwax.c +++ b/libavfilter/af_earwax.c @@ -114,6 +114,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *insamples) AVFilterLink *outlink = inlink->dst->outputs[0]; int16_t *taps, *endin, *in, *out; AVFrame *outsamples = ff_get_audio_buffer(inlink, insamples->nb_samples); + int len; if (!outsamples) { av_frame_free(&insamples); @@ -125,16 +126,20 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *insamples) out = (int16_t *)outsamples->data[0]; in = (int16_t *)insamples ->data[0]; + len = FFMIN(NUMTAPS, 2*insamples->nb_samples); // copy part of new input and process with saved input - memcpy(taps+NUMTAPS, in, NUMTAPS * sizeof(*taps)); - out = scalarproduct(taps, taps + NUMTAPS, out); + memcpy(taps+NUMTAPS, in, len * sizeof(*taps)); + out = scalarproduct(taps, taps + len, out); // process current input - endin = in + insamples->nb_samples * 2 - NUMTAPS; - scalarproduct(in, endin, out); + if (2*insamples->nb_samples >= NUMTAPS ){ + endin = in + insamples->nb_samples * 2 - NUMTAPS; + scalarproduct(in, endin, out); - // save part of input for next round - memcpy(taps, endin, NUMTAPS * sizeof(*taps)); + // save part of input for next round + memcpy(taps, endin, NUMTAPS * sizeof(*taps)); + } else + memmove(taps, taps + 2*insamples->nb_samples, NUMTAPS * sizeof(*taps)); av_frame_free(&insamples); return ff_filter_frame(outlink, outsamples); From 1cda4aa1e0e1fadb3b3d984e9710b21496ba917a Mon Sep 17 00:00:00 2001 From: Piotr Bandurski Date: Wed, 10 Jul 2013 02:51:41 +0200 Subject: [PATCH 002/492] avformat/utils: avformat_find_stream_info fix a crash in case of oom fixes ticket #2767 Signed-off-by: Michael Niedermayer (cherry picked from commit ccf9211e29bdfad02faf93575bf39a8f89c30647) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 17dcb259d0..f607be789d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2783,6 +2783,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) } else { pkt = add_to_pktbuf(&ic->packet_buffer, &pkt1, &ic->packet_buffer_end); + if (!pkt) + goto find_stream_info_err; if ((ret = av_dup_packet(pkt)) < 0) goto find_stream_info_err; } From 56bf38859b93dea7ac2fbacb3ba2425d77917dc9 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 10 Jul 2013 13:10:07 +0000 Subject: [PATCH 003/492] lavfi/aconvert: unbreak Even if its deprecated, it should still work correctly. Signed-off-by: Paul B Mahol (cherry picked from commit bc95b9428950cd672162bcb2bb98fbecad52a5b3) Signed-off-by: Michael Niedermayer --- libavfilter/af_aconvert.c | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/libavfilter/af_aconvert.c b/libavfilter/af_aconvert.c index 8a9dc6f6aa..970e801152 100644 --- a/libavfilter/af_aconvert.c +++ b/libavfilter/af_aconvert.c @@ -25,42 +25,48 @@ * sample format and channel layout conversion audio filter */ -#include "libavutil/avstring.h" #include "libavutil/channel_layout.h" +#include "libavutil/opt.h" #include "libswresample/swresample.h" #include "avfilter.h" #include "audio.h" #include "internal.h" typedef struct { + const AVClass *class; enum AVSampleFormat out_sample_fmt; int64_t out_chlayout; struct SwrContext *swr; + char *format_str; + char *channel_layout_str; } AConvertContext; +#define OFFSET(x) offsetof(AConvertContext, x) +#define A AV_OPT_FLAG_AUDIO_PARAM +#define F AV_OPT_FLAG_FILTERING_PARAM +static const AVOption aconvert_options[] = { + { "sample_fmt", "", OFFSET(format_str), AV_OPT_TYPE_STRING, .flags = A|F }, + { "channel_layout", "", OFFSET(channel_layout_str), AV_OPT_TYPE_STRING, .flags = A|F }, + { NULL }, +}; + +AVFILTER_DEFINE_CLASS(aconvert); + static av_cold int init(AVFilterContext *ctx) { AConvertContext *aconvert = ctx->priv; - char *arg, *ptr = NULL; int ret = 0; - char *args = av_strdup(NULL); av_log(ctx, AV_LOG_WARNING, "This filter is deprecated, use aformat instead\n"); aconvert->out_sample_fmt = AV_SAMPLE_FMT_NONE; aconvert->out_chlayout = 0; - if ((arg = av_strtok(args, ":", &ptr)) && strcmp(arg, "auto")) { - if ((ret = ff_parse_sample_format(&aconvert->out_sample_fmt, arg, ctx)) < 0) - goto end; - } - if ((arg = av_strtok(NULL, ":", &ptr)) && strcmp(arg, "auto")) { - if ((ret = ff_parse_channel_layout(&aconvert->out_chlayout, arg, ctx)) < 0) - goto end; - } - -end: - av_freep(&args); + if (aconvert->format_str && strcmp(aconvert->format_str, "auto") && + (ret = ff_parse_sample_format(&aconvert->out_sample_fmt, aconvert->format_str, ctx)) < 0) + return ret; + if (aconvert->channel_layout_str && strcmp(aconvert->channel_layout_str, "auto")) + return ff_parse_channel_layout(&aconvert->out_chlayout, aconvert->channel_layout_str, ctx); return ret; } @@ -181,6 +187,7 @@ AVFilter avfilter_af_aconvert = { .name = "aconvert", .description = NULL_IF_CONFIG_SMALL("Convert the input audio to sample_fmt:channel_layout."), .priv_size = sizeof(AConvertContext), + .priv_class = &aconvert_class, .init = init, .uninit = uninit, .query_formats = query_formats, From c1c84f0a55f88ed25caa1e690aeeb5cf61204d3e Mon Sep 17 00:00:00 2001 From: Piotr Bandurski Date: Wed, 10 Jul 2013 14:57:15 +0200 Subject: [PATCH 004/492] avformat/utils: avformat_find_stream_info set value for ret in case of oom without it FFmpeg didn't display any error message when oom event occured Signed-off-by: Michael Niedermayer (cherry picked from commit b0509563347b81d7b0a2474e56abbc9c99043688) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index f607be789d..bdee64484b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2783,8 +2783,10 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) } else { pkt = add_to_pktbuf(&ic->packet_buffer, &pkt1, &ic->packet_buffer_end); - if (!pkt) + if (!pkt) { + ret = AVERROR(ENOMEM); goto find_stream_info_err; + } if ((ret = av_dup_packet(pkt)) < 0) goto find_stream_info_err; } From ea28e742051759520fe716f22e42127c04982ea0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2013 16:18:52 +0200 Subject: [PATCH 005/492] avcodec/qdm2: store bits in an integer instead of float variable Signed-off-by: Michael Niedermayer (cherry picked from commit fbe159e85079f1f94a7201dc210b155dba7ff4a6) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 76845909f6..43b617712a 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -819,7 +819,8 @@ static int synthfilt_build_sb_samples(QDM2Context *q, GetBitContext *gb, int type34_first; float type34_div = 0; float type34_predictor; - float samples[10], sign_bits[16]; + float samples[10]; + int sign_bits[16]; if (length == 0) { // If no data use noise From 37268dcc863eb297e5fdf815beeb397e220781a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2013 16:21:33 +0200 Subject: [PATCH 006/492] avcodec/qdm2: initialize sign_bits Fixes non deterministic output Signed-off-by: Michael Niedermayer (cherry picked from commit 8f09957194b8d7a3ea909647e22eaf1389b6f5c4) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 43b617712a..c56e79b03e 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -820,7 +820,7 @@ static int synthfilt_build_sb_samples(QDM2Context *q, GetBitContext *gb, float type34_div = 0; float type34_predictor; float samples[10]; - int sign_bits[16]; + int sign_bits[16] = {0}; if (length == 0) { // If no data use noise From a7315116dd4a5c48ccb368491f7968071d49a427 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 29 Jun 2013 05:29:54 +0200 Subject: [PATCH 007/492] wmavoice: conceal clearly corrupted blocks Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit d14a26edb7c4487df581f11e5c6911dc0e623d08) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 1bf2497667..f31951ab7a 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1045,9 +1045,10 @@ static void aw_parse_coords(WMAVoiceContext *s, GetBitContext *gb, * @param gb bit I/O context * @param block_idx block index in frame [0, 1] * @param fcb structure containing fixed codebook vector info + * @return -1 on error, 0 otherwise */ -static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, - int block_idx, AMRFixed *fcb) +static int aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, + int block_idx, AMRFixed *fcb) { uint16_t use_mask_mem[9]; // only 5 are used, rest is padding uint16_t *use_mask = use_mask_mem + 2; @@ -1109,7 +1110,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, else if (use_mask[2]) idx = 0x2F; else if (use_mask[3]) idx = 0x3F; else if (use_mask[4]) idx = 0x4F; - else return; + else return -1; idx -= av_log2_16bit(use_mask[idx >> 4]); } if (use_mask[idx >> 4] & (0x8000 >> (idx & 15))) { @@ -1126,6 +1127,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, /* set offset for next block, relative to start of that block */ n = (MAX_FRAMESIZE / 2 - start_off) % fcb->pitch_lag; s->aw_next_pulse_off_cache = n ? fcb->pitch_lag - n : 0; + return 0; } /** @@ -1288,7 +1290,18 @@ static void synth_block_fcb_acb(WMAVoiceContext *s, GetBitContext *gb, * (fixed) codebook pulses of the speech signal. */ if (frame_desc->fcb_type == FCB_TYPE_AW_PULSES) { aw_pulse_set1(s, gb, block_idx, &fcb); - aw_pulse_set2(s, gb, block_idx, &fcb); + if (aw_pulse_set2(s, gb, block_idx, &fcb)) { + /* Conceal the block with silence and return. + * Skip the correct amount of bits to read the next + * block from the correct offset. */ + int r_idx = pRNG(s->frame_cntr, block_idx, size); + + for (n = 0; n < size; n++) + excitation[n] = + wmavoice_std_codebook[r_idx + n] * s->silence_gain; + skip_bits(gb, 7 + 1); + return; + } } else /* FCB_TYPE_EXC_PULSES */ { int offset_nbits = 5 - frame_desc->log_n_blocks; From fc3dec8b626f8c00fb89d1e66fdfbe9a021ca604 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 10 Jul 2013 13:15:57 +0200 Subject: [PATCH 008/492] lavf/utils.c: Avoid a null pointer dereference on oom after duration_error allocation. (cherry picked from commit c9eb5c9751c88caaed62af5ffe908fe545022e7e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index bdee64484b..070c224ecd 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2859,6 +2859,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) if (!st->info->duration_error) st->info->duration_error = av_mallocz(sizeof(st->info->duration_error[0])*2); + if (!st->info->duration_error) + return AVERROR(ENOMEM); // if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO) // av_log(NULL, AV_LOG_ERROR, "%f\n", dts); From fd2cf9c45d3b380cf3dfbdb5dac2fc14caa54de5 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 10 Jul 2013 13:16:28 +0200 Subject: [PATCH 009/492] Suggest recompilation with openssl or gnutls if the https protocol is not found. Fixes ticket #2765. (cherry picked from commit 1db88c33f2c0225aae160cc412b62dfaa3a34cbc) Signed-off-by: Michael Niedermayer --- libavformat/avio.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avio.c b/libavformat/avio.c index 73b2a29801..5916e46a2e 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -241,6 +241,8 @@ int ffurl_alloc(URLContext **puc, const char *filename, int flags, return url_alloc_for_protocol (puc, up, filename, flags, int_cb); } *puc = NULL; + if (!strcmp("https", proto_str)) + av_log(NULL, AV_LOG_WARNING, "https protocol not found, recompile with openssl or gnutls enabled.\n"); return AVERROR_PROTOCOL_NOT_FOUND; } From 6127f792f900ce8f9f02c44ed6de0d989bf750dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2013 02:29:46 +0200 Subject: [PATCH 010/492] mjpegdec: initialize source variables before gbr remap Signed-off-by: Michael Niedermayer (cherry picked from commit 94e86ae15a4328b22f6f103b9fd9b6a9ee0c676c) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index dac8386037..72f482f9db 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1231,6 +1231,10 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, && nb_components == 3 && s->nb_components == 3 && i) index = 3 - i; + s->nb_blocks[i] = s->h_count[index] * s->v_count[index]; + s->h_scount[i] = s->h_count[index]; + s->v_scount[i] = s->v_count[index]; + if(nb_components == 3 && s->nb_components == 3 && s->avctx->pix_fmt == AV_PIX_FMT_GBR24P) index = (i+2)%3; if(nb_components == 1 && s->nb_components == 3 && s->avctx->pix_fmt == AV_PIX_FMT_GBR24P) @@ -1238,10 +1242,6 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, s->comp_index[i] = index; - s->nb_blocks[i] = s->h_count[index] * s->v_count[index]; - s->h_scount[i] = s->h_count[index]; - s->v_scount[i] = s->v_count[index]; - s->dc_index[i] = get_bits(&s->gb, 4); s->ac_index[i] = get_bits(&s->gb, 4); From 7740e36a89cdc27ef09ec3a8c0151e96017c24e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2013 02:30:56 +0200 Subject: [PATCH 011/492] mjpegdec: Fix used quant index for gbr Fixes Ticket1651 Signed-off-by: Michael Niedermayer (cherry picked from commit 15cee5e5628a80a51d1bb298c8b838ddefd75a88) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 9 +++++---- libavcodec/mjpegdec.h | 1 + 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 72f482f9db..6a362aff0d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1088,7 +1088,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, s->dsp.clear_block(s->block); if (decode_block(s, s->block, i, s->dc_index[i], s->ac_index[i], - s->quant_matrixes[s->quant_index[c]]) < 0) { + s->quant_matrixes[s->quant_sindex[i]]) < 0) { av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); return AVERROR_INVALIDDATA; @@ -1101,9 +1101,9 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, int16_t *block = s->blocks[c][block_idx]; if (Ah) block[0] += get_bits1(&s->gb) * - s->quant_matrixes[s->quant_index[c]][0] << Al; + s->quant_matrixes[s->quant_sindex[i]][0] << Al; else if (decode_dc_progressive(s, block, i, s->dc_index[i], - s->quant_matrixes[s->quant_index[c]], + s->quant_matrixes[s->quant_sindex[i]], Al) < 0) { av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); @@ -1136,7 +1136,7 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, uint8_t *data = s->picture.data[c]; int linesize = s->linesize[c]; int last_scan = 0; - int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]]; + int16_t *quant_matrix = s->quant_matrixes[s->quant_sindex[0]]; av_assert0(ss>=0 && Ah>=0 && Al>=0); if (se < ss || se > 63) { @@ -1231,6 +1231,7 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, && nb_components == 3 && s->nb_components == 3 && i) index = 3 - i; + s->quant_sindex[i] = s->quant_index[index]; s->nb_blocks[i] = s->h_count[index] * s->v_count[index]; s->h_scount[i] = s->h_count[index]; s->v_scount[i] = s->v_count[index]; diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h index 17665e466c..31b1fc1e48 100644 --- a/libavcodec/mjpegdec.h +++ b/libavcodec/mjpegdec.h @@ -84,6 +84,7 @@ typedef struct MJpegDecodeContext { int nb_blocks[MAX_COMPONENTS]; int h_scount[MAX_COMPONENTS]; int v_scount[MAX_COMPONENTS]; + int quant_sindex[MAX_COMPONENTS]; int h_max, v_max; /* maximum h and v counts */ int quant_index[4]; /* quant table index for each component */ int last_dc[MAX_COMPONENTS]; /* last DEQUANTIZED dc (XXX: am I right to do that ?) */ From bc44d06c3de8b15e76a2eb6587eeec9682e48dfa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2013 17:13:45 +0200 Subject: [PATCH 012/492] avformat/matroskadec: Detect conflicting sample rate/default_duration Fixes Ticket2508 Thanks-to: Moritz Bunkus Signed-off-by: Michael Niedermayer (cherry picked from commit 6158a3bcdf52fafc1d9ae9eb358a56c614b23aa3) --- libavformat/matroskadec.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index a1aa0ebd10..9a15a2b8e5 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2364,6 +2364,7 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, uint32_t *lace_size = NULL; int n, flags, laces = 0; uint64_t num; + int trust_default_duration = 1; if ((n = matroska_ebmlnum_uint(matroska, data, size, &num)) < 0) { av_log(matroska->ctx, AV_LOG_ERROR, "EBML block data error\n"); @@ -2418,7 +2419,15 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, if (res) goto end; - if (!block_duration) + if (track->audio.samplerate == 8000) { + // If this is needed for more codecs, then add them here + if (st->codec->codec_id == AV_CODEC_ID_AC3) { + if(track->audio.samplerate != st->codec->sample_rate || !st->codec->frame_size) + trust_default_duration = 0; + } + } + + if (!block_duration && trust_default_duration) block_duration = track->default_duration * laces / matroska->time_scale; if (cluster_time != (uint64_t)-1 && (block_time >= 0 || cluster_time >= -block_time)) From fcab45f39bda46a5f216aa8da5fd24386d307c7a Mon Sep 17 00:00:00 2001 From: Lukasz Marek Date: Tue, 16 Jul 2013 23:48:16 +0200 Subject: [PATCH 013/492] ftp: fix interrupt callback misuse FTP protocol used interrupt callback to simulate nonblock operation which is a misuse of this callback. This commit make FTP protocol fully blocking and removes invalid usage of interrutp callback Also adds support for multiline responses delimited with dashes (cherry picked from commit 247e658784ead984f96021acb9c95052ba599f26) Signed-off-by: Michael Niedermayer --- libavformat/ftp.c | 107 ++++++++++++++-------------------------------- 1 file changed, 31 insertions(+), 76 deletions(-) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index a256a25335..6358726034 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -27,6 +27,7 @@ #include "os_support.h" #include "url.h" #include "libavutil/opt.h" +#include "libavutil/bprint.h" #define CONTROL_BUFFER_SIZE 1024 #define CREDENTIALS_BUFFER_SIZE 128 @@ -42,8 +43,6 @@ typedef enum { typedef struct { const AVClass *class; URLContext *conn_control; /**< Control connection */ - int conn_control_block_flag; /**< Controls block/unblock mode of data connection */ - AVIOInterruptCB conn_control_interrupt_cb; /**< Controls block/unblock mode of data connection */ URLContext *conn_data; /**< Data connection, NULL when not connected */ uint8_t control_buffer[CONTROL_BUFFER_SIZE]; /**< Control connection buffer */ uint8_t *control_buf_ptr, *control_buf_end; @@ -77,18 +76,10 @@ static const AVClass ftp_context_class = { .version = LIBAVUTIL_VERSION_INT, }; -static int ftp_conn_control_block_control(void *data) -{ - FTPContext *s = data; - return s->conn_control_block_flag; -} - static int ftp_getc(FTPContext *s) { int len; if (s->control_buf_ptr >= s->control_buf_end) { - if (s->conn_control_block_flag) - return AVERROR_EXIT; len = ffurl_read(s->conn_control, s->control_buffer, CONTROL_BUFFER_SIZE); if (len < 0) { return len; @@ -106,12 +97,10 @@ static int ftp_get_line(FTPContext *s, char *line, int line_size) { int ch; char *q = line; - int ori_block_flag = s->conn_control_block_flag; for (;;) { ch = ftp_getc(s); if (ch < 0) { - s->conn_control_block_flag = ori_block_flag; return ch; } if (ch == '\n') { @@ -119,35 +108,14 @@ static int ftp_get_line(FTPContext *s, char *line, int line_size) if (q > line && q[-1] == '\r') q--; *q = '\0'; - - s->conn_control_block_flag = ori_block_flag; return 0; } else { - s->conn_control_block_flag = 0; /* line need to be finished */ if ((q - line) < line_size - 1) *q++ = ch; } } } -static int ftp_flush_control_input(FTPContext *s) -{ - char buf[CONTROL_BUFFER_SIZE]; - int err, ori_block_flag = s->conn_control_block_flag; - - s->conn_control_block_flag = 1; - do { - err = ftp_get_line(s, buf, sizeof(buf)); - } while (!err); - - s->conn_control_block_flag = ori_block_flag; - - if (err < 0 && err != AVERROR_EXIT) - return err; - - return 0; -} - /* * This routine returns ftp server response code. * Server may send more than one response for a certain command, following priorities are used: @@ -156,49 +124,46 @@ static int ftp_flush_control_input(FTPContext *s) */ static int ftp_status(FTPContext *s, char **line, const int response_codes[]) { - int err, i, result = 0, pref_code_found = 0, wait_count = 100; + int err, i, dash = 0, result = 0, code_found = 0; char buf[CONTROL_BUFFER_SIZE]; + AVBPrint line_buffer; - /* Set blocking mode */ - s->conn_control_block_flag = 0; - for (;;) { + if (line) + av_bprint_init(&line_buffer, 0, AV_BPRINT_SIZE_AUTOMATIC); + + while (!code_found || dash) { if ((err = ftp_get_line(s, buf, sizeof(buf))) < 0) { - if (err == AVERROR_EXIT) { - if (!pref_code_found && wait_count--) { - av_usleep(10000); - continue; - } - } - return result; + av_bprint_finalize(&line_buffer, NULL); + return err; } av_log(s, AV_LOG_DEBUG, "%s\n", buf); - if (!pref_code_found) { - if (strlen(buf) < 3) + if (strlen(buf) < 4) + continue; + + err = 0; + for (i = 0; i < 3; ++i) { + if (buf[i] < '0' || buf[i] > '9') continue; + err *= 10; + err += buf[i] - '0'; + } + dash = !!(buf[3] == '-'); - err = 0; - for (i = 0; i < 3; ++i) { - if (buf[i] < '0' || buf[i] > '9') - continue; - err *= 10; - err += buf[i] - '0'; - } - - for (i = 0; response_codes[i]; ++i) { - if (err == response_codes[i]) { - /* first code received. Now get all lines in non blocking mode */ - s->conn_control_block_flag = 1; - pref_code_found = 1; - result = err; - if (line) - *line = av_strdup(buf); - break; - } + for (i = 0; response_codes[i]; ++i) { + if (err == response_codes[i]) { + if (line) + av_bprintf(&line_buffer, "%s", buf); + code_found = 1; + result = err; + break; } } } + + if (line) + av_bprint_finalize(&line_buffer, line); return result; } @@ -207,12 +172,6 @@ static int ftp_send_command(FTPContext *s, const char *command, { int err; - /* Flush control connection input to get rid of non relevant responses if any */ - if ((err = ftp_flush_control_input(s)) < 0) - return err; - - /* send command in blocking mode */ - s->conn_control_block_flag = 0; if ((err = ffurl_write(s->conn_control, command, strlen(command))) < 0) return err; if (!err) @@ -434,8 +393,6 @@ static int ftp_connect_control_connection(URLContext *h) FTPContext *s = h->priv_data; const int connect_codes[] = {220, 0}; - s->conn_control_block_flag = 0; - if (!s->conn_control) { ff_url_join(buf, sizeof(buf), "tcp", NULL, s->hostname, s->server_control_port, NULL); @@ -444,7 +401,7 @@ static int ftp_connect_control_connection(URLContext *h) av_dict_set(&opts, "timeout", opts_format, 0); } /* if option is not given, don't pass it and let tcp use its own default */ err = ffurl_open(&s->conn_control, buf, AVIO_FLAG_READ_WRITE, - &s->conn_control_interrupt_cb, &opts); + &h->interrupt_callback, &opts); av_dict_free(&opts); if (err < 0) { av_log(h, AV_LOG_ERROR, "Cannot open control connection\n"); @@ -489,7 +446,7 @@ static int ftp_connect_data_connection(URLContext *h) snprintf(opts_format, sizeof(opts_format), "%d", s->rw_timeout); av_dict_set(&opts, "timeout", opts_format, 0); } /* if option is not given, don't pass it and let tcp use its own default */ - err = ffurl_open(&s->conn_data, buf, AVIO_FLAG_READ_WRITE, + err = ffurl_open(&s->conn_data, buf, h->flags, &h->interrupt_callback, &opts); av_dict_free(&opts); if (err < 0) @@ -553,8 +510,6 @@ static int ftp_open(URLContext *h, const char *url, int flags) s->state = DISCONNECTED; s->filesize = -1; s->position = 0; - s->conn_control_interrupt_cb.opaque = s; - s->conn_control_interrupt_cb.callback = ftp_conn_control_block_control; av_url_split(proto, sizeof(proto), s->credencials, sizeof(s->credencials), From 8f9bc6f2ce49c83a3905f09f0253df8c41bcca70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2013 04:19:23 +0200 Subject: [PATCH 014/492] swscale/input: fix 16bit gbrp input Fixes Ticket2793 Signed-off-by: Michael Niedermayer (cherry picked from commit a4b55bbb6f8ba055bba1493f6872792503e47563) --- libswscale/input.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index 35caa322ee..8016c307c6 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -754,12 +754,13 @@ static av_always_inline void planar_rgb16_to_y(uint8_t *_dst, const uint8_t *_sr const uint16_t **src = (const uint16_t **)_src; uint16_t *dst = (uint16_t *)_dst; int32_t ry = rgb2yuv[RY_IDX], gy = rgb2yuv[GY_IDX], by = rgb2yuv[BY_IDX]; + int shift = bpc < 16 ? bpc : 14; for (i = 0; i < width; i++) { int g = rdpx(src[0] + i); int b = rdpx(src[1] + i); int r = rdpx(src[2] + i); - dst[i] = ((ry*r + gy*g + by*b + (33 << (RGB2YUV_SHIFT + bpc - 9))) >> (RGB2YUV_SHIFT + bpc - 14)); + dst[i] = ((ry*r + gy*g + by*b + (33 << (RGB2YUV_SHIFT + bpc - 9))) >> (RGB2YUV_SHIFT + shift - 14)); } } @@ -773,13 +774,14 @@ static av_always_inline void planar_rgb16_to_uv(uint8_t *_dstU, uint8_t *_dstV, uint16_t *dstV = (uint16_t *)_dstV; int32_t ru = rgb2yuv[RU_IDX], gu = rgb2yuv[GU_IDX], bu = rgb2yuv[BU_IDX]; int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; + int shift = bpc < 16 ? bpc : 14; for (i = 0; i < width; i++) { int g = rdpx(src[0] + i); int b = rdpx(src[1] + i); int r = rdpx(src[2] + i); - dstU[i] = (ru*r + gu*g + bu*b + (257 << (RGB2YUV_SHIFT + bpc - 9))) >> (RGB2YUV_SHIFT + bpc - 14); - dstV[i] = (rv*r + gv*g + bv*b + (257 << (RGB2YUV_SHIFT + bpc - 9))) >> (RGB2YUV_SHIFT + bpc - 14); + dstU[i] = (ru*r + gu*g + bu*b + (257 << (RGB2YUV_SHIFT + bpc - 9))) >> (RGB2YUV_SHIFT + shift - 14); + dstV[i] = (rv*r + gv*g + bv*b + (257 << (RGB2YUV_SHIFT + bpc - 9))) >> (RGB2YUV_SHIFT + shift - 14); } } #undef rdpx From ccf470fdb6e3608fbef431e48af7e22266298471 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Wed, 24 Jul 2013 19:50:43 +0300 Subject: [PATCH 015/492] mpeg12: Ignore slice threading if hwaccel is active Slice threading does not work with hardware acceleration, as decoding is per-picture. This fixes Bugzilla #542. Signed-off-by: Diego Biurrun (cherry picked from commit 93a51984a27f3ba84d4e6f13d0c704ee9891603e) Conflicts: libavcodec/mpeg12dec.c --- libavcodec/mpeg12dec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 447057af18..7510da454a 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2130,7 +2130,8 @@ static int decode_chunks(AVCodecContext *avctx, buf_ptr = avpriv_find_start_code(buf_ptr, buf_end, &start_code); if (start_code > 0x1ff) { if (!skip_frame) { - if (HAVE_THREADS && (avctx->active_thread_type & FF_THREAD_SLICE)) { + if (HAVE_THREADS && (avctx->active_thread_type & FF_THREAD_SLICE) && + !avctx->hwaccel) { int i; av_assert0(avctx->thread_count > 1); @@ -2194,7 +2195,8 @@ static int decode_chunks(AVCodecContext *avctx, s2->intra_dc_precision= 3; s2->intra_matrix[0]= 1; } - if (HAVE_THREADS && (avctx->active_thread_type & FF_THREAD_SLICE) && s->slice_count) { + if (HAVE_THREADS && (avctx->active_thread_type & FF_THREAD_SLICE) && + !avctx->hwaccel && s->slice_count) { int i; avctx->execute(avctx, slice_decode_thread, @@ -2369,7 +2371,8 @@ static int decode_chunks(AVCodecContext *avctx, break; } - if (HAVE_THREADS && (avctx->active_thread_type & FF_THREAD_SLICE)) { + if (HAVE_THREADS && (avctx->active_thread_type & FF_THREAD_SLICE) && + !avctx->hwaccel) { int threshold = (s2->mb_height * s->slice_count + s2->slice_context_count / 2) / s2->slice_context_count; From 18043e3d2282ec19ff541335b2bb9f2c75a3e270 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2013 04:09:30 +0200 Subject: [PATCH 016/492] avformat/dtsdec: Improve probe, reject things looking like analoge signals Fixes Ticket2810 Signed-off-by: Michael Niedermayer (cherry picked from commit 6663205338f57eedb2392263dde48e2717c6e980) --- libavformat/dtsdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/dtsdec.c b/libavformat/dtsdec.c index cdbfc0cd08..23cbe93516 100644 --- a/libavformat/dtsdec.c +++ b/libavformat/dtsdec.c @@ -34,6 +34,7 @@ static int dts_probe(AVProbeData *p) uint32_t state = -1; int markers[3] = {0}; int sum, max; + int64_t diff = 0; buf = p->buf; @@ -54,12 +55,16 @@ static int dts_probe(AVProbeData *p) if (state == DCA_MARKER_14B_LE) if ((bytestream_get_be16(&bufp) & 0xF0FF) == 0xF007) markers[2]++; + + if (buf - p->buf >= 4) + diff += FFABS(AV_RL16(buf) - AV_RL16(buf-4)); } sum = markers[0] + markers[1] + markers[2]; max = markers[1] > markers[0]; max = markers[2] > markers[max] ? 2 : max; if (markers[max] > 3 && p->buf_size / markers[max] < 32*1024 && - markers[max] * 4 > sum * 3) + markers[max] * 4 > sum * 3 && + diff / p->buf_size > 200) return AVPROBE_SCORE_EXTENSION + 1; return 0; From e0d88cfd18184bc3b5b68b1f59661fb5ef79f7a5 Mon Sep 17 00:00:00 2001 From: Nicolas Bertrand Date: Fri, 12 Jul 2013 23:01:43 +0200 Subject: [PATCH 017/492] jpeg2000: Initialize only once mqc arrays Increases encoding and decoding speed Signed-off-by: Michael Niedermayer (cherry picked from commit dd1382ac9534bd9b5ec7833eed9ab6f383e68a50) --- libavcodec/j2kenc.c | 2 +- libavcodec/jpeg2000dec.c | 1 + libavcodec/mqc.c | 15 +++++++++------ libavcodec/mqc.h | 5 +++++ 4 files changed, 16 insertions(+), 7 deletions(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index e4c84efd1a..48c1db8071 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1016,7 +1016,7 @@ static av_cold int j2kenc_init(AVCodecContext *avctx) } ff_jpeg2000_init_tier1_luts(); - + ff_mqc_init_context_tables(); init_luts(); init_quantization(s); diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 4018dc904d..e2a9a95f3e 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1466,6 +1466,7 @@ end: static void jpeg2000_init_static_data(AVCodec *codec) { ff_jpeg2000_init_tier1_luts(); + ff_mqc_init_context_tables(); } #define OFFSET(x) offsetof(Jpeg2000DecoderContext, x) diff --git a/libavcodec/mqc.c b/libavcodec/mqc.c index 288570d309..f8294cd54c 100644 --- a/libavcodec/mqc.c +++ b/libavcodec/mqc.c @@ -92,14 +92,9 @@ uint16_t ff_mqc_qe [2 * 47]; uint8_t ff_mqc_nlps[2 * 47]; uint8_t ff_mqc_nmps[2 * 47]; -void ff_mqc_init_contexts(MqcState *mqc) +void ff_mqc_init_context_tables(void) { int i; - memset(mqc->cx_states, 0, sizeof(mqc->cx_states)); - mqc->cx_states[MQC_CX_UNI] = 2 * 46; - mqc->cx_states[MQC_CX_RL] = 2 * 3; - mqc->cx_states[0] = 2 * 4; - for (i = 0; i < 47; i++) { ff_mqc_qe[2 * i] = ff_mqc_qe[2 * i + 1] = cx_states[i].qe; @@ -110,3 +105,11 @@ void ff_mqc_init_contexts(MqcState *mqc) ff_mqc_nmps[2 * i + 1] = 2 * cx_states[i].nmps + 1; } } + +void ff_mqc_init_contexts(MqcState *mqc) +{ + memset(mqc->cx_states, 0, sizeof(mqc->cx_states)); + mqc->cx_states[MQC_CX_UNI] = 2 * 46; + mqc->cx_states[MQC_CX_RL] = 2 * 3; + mqc->cx_states[0] = 2 * 4; +} diff --git a/libavcodec/mqc.h b/libavcodec/mqc.h index a0112d1159..c0827bd526 100644 --- a/libavcodec/mqc.h +++ b/libavcodec/mqc.h @@ -78,6 +78,11 @@ int ff_mqc_decode(MqcState *mqc, uint8_t *cxstate); /* common */ +/** + * MQ-coder Initialize context tables (QE, NLPS, NMPS) + */ +void ff_mqc_init_context_tables(void); + /** * MQ-coder context initialisations. * @param mqc MQ-coder context From fa6b6dad3d78425f10c04faa330cef41f01e51b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2013 02:24:56 +0200 Subject: [PATCH 018/492] jpeg2000: fix overflow in dequantization Fixes decoding of file generated with: ffmpeg -f lavfi -i smptehdbars=hd720 -pix_fmt rgb48 /tmp/o.jp2 Reviewed-by: Nicolas BERTRAND Signed-off-by: Michael Niedermayer (cherry picked from commit f57119b8e58cb5437c3ab40d797293ecb9b4a894) --- libavcodec/j2kenc.c | 4 ++-- libavcodec/jpeg2000.c | 2 +- libavcodec/jpeg2000dec.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 48c1db8071..fa15aad120 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -802,7 +802,7 @@ static void truncpasses(Jpeg2000EncoderContext *s, Jpeg2000Tile *tile) Jpeg2000Cblk *cblk = prec->cblk + cblkno; cblk->ninclpasses = getcut(cblk, s->lambda, - (int64_t)dwt_norms[codsty->transform == FF_DWT53][bandpos][lev] * (int64_t)band->i_stepsize >> 16); + (int64_t)dwt_norms[codsty->transform == FF_DWT53][bandpos][lev] * (int64_t)band->i_stepsize >> 15); } } } @@ -863,7 +863,7 @@ static int encode_tile(Jpeg2000EncoderContext *s, Jpeg2000Tile *tile, int tileno int *ptr = t1.data[y-yy0]; for (x = xx0; x < xx1; x++){ *ptr = (comp->i_data[(comp->coord[0][1] - comp->coord[0][0]) * y + x]); - *ptr = (int64_t)*ptr * (int64_t)(16384 * 65536 / band->i_stepsize) >> 14 - NMSEDEC_FRACBITS; + *ptr = (int64_t)*ptr * (int64_t)(16384 * 65536 / band->i_stepsize) >> 15 - NMSEDEC_FRACBITS; ptr++; } } diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index f044164ed6..cb1a64d143 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -320,7 +320,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, if (!av_codec_is_encoder(avctx->codec)) band->f_stepsize *= 0.5; - band->i_stepsize = band->f_stepsize * (1 << 16); + band->i_stepsize = band->f_stepsize * (1 << 15); /* computation of tbx_0, tbx_1, tby_0, tby_1 * see ISO/IEC 15444-1:2002 B.5 eq. B-15 and tbl B.1 diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index e2a9a95f3e..d9b9888382 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1024,7 +1024,7 @@ static void dequantization_int(int x, int y, Jpeg2000Cblk *cblk, int32_t *datap = &comp->i_data[(comp->coord[0][1] - comp->coord[0][0]) * (y + j) + x]; int *src = t1->data[j]; for (i = 0; i < w; ++i) - datap[i] = (src[i] * band->i_stepsize + (1 << 15)) >> 16; + datap[i] = (src[i] * band->i_stepsize + (1 << 14)) >> 15; } } From 09b33f9a82510b26439b2d86a6f90bdec2d68797 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 18 Jul 2013 10:56:15 +0200 Subject: [PATCH 019/492] Fix pix_fmt detection in the native jpeg2000 decoder. Based on b7a928b by Michael Bradshaw. Fixes ticket #2683. Reviewed-by: Nicolas Bertrand (cherry picked from commit b39a6bbe7f43710d8e7163757c5aeef596878712) --- libavcodec/jpeg2000dec.c | 222 +++++++++++++++++++++++++++++++++------ 1 file changed, 190 insertions(+), 32 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index d9b9888382..7f94cad4a9 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -28,6 +28,7 @@ #include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/opt.h" +#include "libavutil/pixdesc.h" #include "avcodec.h" #include "bytestream.h" #include "internal.h" @@ -37,6 +38,7 @@ #define JP2_SIG_TYPE 0x6A502020 #define JP2_SIG_VALUE 0x0D0A870A #define JP2_CODESTREAM 0x6A703263 +#define JP2_HEADER 0x6A703268 #define HAD_COC 0x01 #define HAD_QCC 0x02 @@ -72,6 +74,9 @@ typedef struct Jpeg2000DecoderContext { int cdx[4], cdy[4]; int precision; int ncomponents; + int colour_space; + uint32_t palette[256]; + int8_t pal8; int tile_width, tile_height; unsigned numXtiles, numYtiles; int maxtilelen; @@ -154,12 +159,74 @@ static int tag_tree_decode(Jpeg2000DecoderContext *s, Jpeg2000TgtNode *node, return curval; } +static int pix_fmt_match(enum AVPixelFormat pix_fmt, int components, + int bpc, uint32_t log2_chroma_wh, int pal8) +{ + int match = 1; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(pix_fmt); + + if (desc->nb_components != components) { + return 0; + } + + switch (components) { + case 4: + match = match && desc->comp[3].depth_minus1 + 1 >= bpc && + (log2_chroma_wh >> 14 & 3) == 0 && + (log2_chroma_wh >> 12 & 3) == 0; + case 3: + match = match && desc->comp[2].depth_minus1 + 1 >= bpc && + (log2_chroma_wh >> 10 & 3) == desc->log2_chroma_w && + (log2_chroma_wh >> 8 & 3) == desc->log2_chroma_h; + case 2: + match = match && desc->comp[1].depth_minus1 + 1 >= bpc && + (log2_chroma_wh >> 6 & 3) == desc->log2_chroma_w && + (log2_chroma_wh >> 4 & 3) == desc->log2_chroma_h; + + case 1: + match = match && desc->comp[0].depth_minus1 + 1 >= bpc && + (log2_chroma_wh >> 2 & 3) == 0 && + (log2_chroma_wh & 3) == 0 && + (desc->flags & AV_PIX_FMT_FLAG_PAL) == pal8 * AV_PIX_FMT_FLAG_PAL; + } + return match; +} + +// pix_fmts with lower bpp have to be listed before +// similar pix_fmts with higher bpp. +#define RGB_PIXEL_FORMATS AV_PIX_FMT_PAL8,AV_PIX_FMT_RGB24,AV_PIX_FMT_RGBA,AV_PIX_FMT_RGB48,AV_PIX_FMT_RGBA64 +#define GRAY_PIXEL_FORMATS AV_PIX_FMT_GRAY8,AV_PIX_FMT_GRAY8A,AV_PIX_FMT_GRAY16 +#define YUV_PIXEL_FORMATS AV_PIX_FMT_YUV410P,AV_PIX_FMT_YUV411P,AV_PIX_FMT_YUVA420P, \ + AV_PIX_FMT_YUV420P,AV_PIX_FMT_YUV422P,AV_PIX_FMT_YUVA422P, \ + AV_PIX_FMT_YUV440P,AV_PIX_FMT_YUV444P,AV_PIX_FMT_YUVA444P, \ + AV_PIX_FMT_YUV420P9,AV_PIX_FMT_YUV422P9,AV_PIX_FMT_YUV444P9, \ + AV_PIX_FMT_YUVA420P9,AV_PIX_FMT_YUVA422P9,AV_PIX_FMT_YUVA444P9, \ + AV_PIX_FMT_YUV420P10,AV_PIX_FMT_YUV422P10,AV_PIX_FMT_YUV444P10, \ + AV_PIX_FMT_YUVA420P10,AV_PIX_FMT_YUVA422P10,AV_PIX_FMT_YUVA444P10, \ + AV_PIX_FMT_YUV420P12,AV_PIX_FMT_YUV422P12,AV_PIX_FMT_YUV444P12, \ + AV_PIX_FMT_YUV420P14,AV_PIX_FMT_YUV422P14,AV_PIX_FMT_YUV444P14, \ + AV_PIX_FMT_YUV420P16,AV_PIX_FMT_YUV422P16,AV_PIX_FMT_YUV444P16, \ + AV_PIX_FMT_YUVA420P16,AV_PIX_FMT_YUVA422P16,AV_PIX_FMT_YUVA444P16 +#define XYZ_PIXEL_FORMATS AV_PIX_FMT_XYZ12 + +static const enum AVPixelFormat rgb_pix_fmts[] = {RGB_PIXEL_FORMATS}; +static const enum AVPixelFormat gray_pix_fmts[] = {GRAY_PIXEL_FORMATS}; +static const enum AVPixelFormat yuv_pix_fmts[] = {YUV_PIXEL_FORMATS}; +static const enum AVPixelFormat xyz_pix_fmts[] = {XYZ_PIXEL_FORMATS}; +static const enum AVPixelFormat all_pix_fmts[] = {RGB_PIXEL_FORMATS, + GRAY_PIXEL_FORMATS, + YUV_PIXEL_FORMATS, + XYZ_PIXEL_FORMATS}; + /* marker segments */ /* get sizes and offsets of image, tiles; number of components */ static int get_siz(Jpeg2000DecoderContext *s) { int i; int ncomponents; + uint32_t log2_chroma_wh = 0; + const enum AVPixelFormat *possible_fmts = NULL; + int possible_fmts_nb = 0; if (bytestream2_get_bytes_left(&s->g) < 36) return AVERROR_INVALIDDATA; @@ -205,13 +272,7 @@ static int get_siz(Jpeg2000DecoderContext *s) s->sgnd[i] = !!(x & 0x80); s->cdx[i] = bytestream2_get_byteu(&s->g); s->cdy[i] = bytestream2_get_byteu(&s->g); - if (s->cdx[i] != 1 || s->cdy[i] != 1) { - avpriv_request_sample(s->avctx, - "CDxy values %d %d for component %d", - s->cdx[i], s->cdy[i], i); - if (!s->cdx[i] || !s->cdy[i]) - return AVERROR_INVALIDDATA; - } + log2_chroma_wh |= s->cdy[i] >> 1 << i * 4 | s->cdx[i] >> 1 << i * 4 + 2; } s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width); @@ -242,35 +303,46 @@ static int get_siz(Jpeg2000DecoderContext *s) s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, s->reduction_factor); - switch (s->ncomponents) { - case 1: - if (s->precision > 8) - s->avctx->pix_fmt = AV_PIX_FMT_GRAY16; - else - s->avctx->pix_fmt = AV_PIX_FMT_GRAY8; - break; - case 3: - switch (s->avctx->profile) { - case FF_PROFILE_JPEG2000_DCINEMA_2K: - case FF_PROFILE_JPEG2000_DCINEMA_4K: - /* XYZ color-space for digital cinema profiles */ - s->avctx->pix_fmt = AV_PIX_FMT_XYZ12; + if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K || + s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) { + possible_fmts = xyz_pix_fmts; + possible_fmts_nb = FF_ARRAY_ELEMS(xyz_pix_fmts); + } else { + switch (s->colour_space) { + case 16: + possible_fmts = rgb_pix_fmts; + possible_fmts_nb = FF_ARRAY_ELEMS(rgb_pix_fmts); + break; + case 17: + possible_fmts = gray_pix_fmts; + possible_fmts_nb = FF_ARRAY_ELEMS(gray_pix_fmts); + break; + case 18: + possible_fmts = yuv_pix_fmts; + possible_fmts_nb = FF_ARRAY_ELEMS(yuv_pix_fmts); break; default: - if (s->precision > 8) - s->avctx->pix_fmt = AV_PIX_FMT_RGB48; - else - s->avctx->pix_fmt = AV_PIX_FMT_RGB24; + possible_fmts = all_pix_fmts; + possible_fmts_nb = FF_ARRAY_ELEMS(all_pix_fmts); break; } - break; - case 4: - s->avctx->pix_fmt = AV_PIX_FMT_RGBA; - break; - default: - /* pixel format can not be identified */ - s->avctx->pix_fmt = AV_PIX_FMT_NONE; - break; + } + for (i = 0; i < possible_fmts_nb; ++i) { + if (pix_fmt_match(possible_fmts[i], ncomponents, s->precision, log2_chroma_wh, s->pal8)) { + s->avctx->pix_fmt = possible_fmts[i]; + break; + } + } + if (s->avctx->pix_fmt == AV_PIX_FMT_NONE) { + av_log(s->avctx, AV_LOG_ERROR, + "Unknown pix_fmt, profile: %d, colour_space: %d, " + "components: %d, precision: %d, " + "cdx[1]: %d, cdy[1]: %d, cdx[2]: %d, cdy[2]: %d\n", + s->avctx->profile, s->colour_space, ncomponents, s->precision, + ncomponents > 2 ? s->cdx[1] : 0, + ncomponents > 2 ? s->cdy[1] : 0, + ncomponents > 2 ? s->cdx[2] : 0, + ncomponents > 2 ? s->cdy[2] : 0); } return 0; } @@ -1386,6 +1458,89 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom = bytestream2_get_be32u(&s->g); if (atom == JP2_CODESTREAM) { found_codestream = 1; + } else if (atom == JP2_HEADER && + bytestream2_get_bytes_left(&s->g) >= atom_size && + atom_size >= 16) { + uint32_t atom2_size, atom2; + atom_size -= 8; + do { + atom2_size = bytestream2_get_be32u(&s->g); + atom2 = bytestream2_get_be32u(&s->g); + atom_size -= 8; + if (atom2_size < 8 || atom2_size - 8 > atom_size) + break; + atom2_size -= 8; + if (atom2 == JP2_CODESTREAM) { + return 1; + } else if (atom2 == MKBETAG('c','o','l','r') && atom2_size >= 7) { + int method = bytestream2_get_byteu(&s->g); + bytestream2_skipu(&s->g, 2); + atom_size -= 3; + atom2_size -= 3; + if (method == 1) { + s->colour_space = bytestream2_get_be32u(&s->g); + atom_size -= 4; + atom2_size -= 4; + } + bytestream2_skipu(&s->g, atom2_size); + atom_size -= atom2_size; + } else if (atom2 == MKBETAG('p','c','l','r') && atom2_size >= 6) { + int i, size, colour_count, colour_channels, colour_depth[3]; + uint32_t r, g, b; + colour_count = bytestream2_get_be16u(&s->g); + colour_channels = bytestream2_get_byteu(&s->g); + // FIXME: Do not ignore channel_sign + colour_depth[0] = (bytestream2_get_byteu(&s->g) & 0x7f) + 1; + colour_depth[1] = (bytestream2_get_byteu(&s->g) & 0x7f) + 1; + colour_depth[2] = (bytestream2_get_byteu(&s->g) & 0x7f) + 1; + atom_size -= 6; + atom2_size -= 6; + size = (colour_depth[0] + 7 >> 3) * colour_count + + (colour_depth[1] + 7 >> 3) * colour_count + + (colour_depth[2] + 7 >> 3) * colour_count; + if (colour_count > 256 || + colour_channels != 3 || + colour_depth[0] > 16 || + colour_depth[1] > 16 || + colour_depth[2] > 16 || + atom2_size < size) { + avpriv_request_sample(s->avctx, "Unknown palette"); + bytestream2_skipu(&s->g, atom2_size); + atom_size -= atom2_size; + continue; + } + s->pal8 = 1; + for (i = 0; i < colour_count; i++) { + if (colour_depth[0] <= 8) { + r = bytestream2_get_byteu(&s->g) << 8 - colour_depth[0]; + r |= r >> colour_depth[0]; + } else { + r = bytestream2_get_be16u(&s->g) >> colour_depth[0] - 8; + } + if (colour_depth[1] <= 8) { + g = bytestream2_get_byteu(&s->g) << 8 - colour_depth[1]; + r |= r >> colour_depth[1]; + } else { + g = bytestream2_get_be16u(&s->g) >> colour_depth[1] - 8; + } + if (colour_depth[2] <= 8) { + b = bytestream2_get_byteu(&s->g) << 8 - colour_depth[2]; + r |= r >> colour_depth[2]; + } else { + b = bytestream2_get_be16u(&s->g) >> colour_depth[2] - 8; + } + s->palette[i] = 0xffu << 24 | r << 16 | g << 8 | b; + } + atom_size -= size; + atom2_size -= size; + bytestream2_skipu(&s->g, atom2_size); + atom_size -= atom2_size; + } else { + bytestream2_skipu(&s->g, atom2_size); + atom_size -= atom2_size; + } + } while (atom_size >= 8); + bytestream2_skipu(&s->g, atom_size); } else { if (bytestream2_get_bytes_left(&s->g) < atom_size - 8) return 0; @@ -1456,6 +1611,9 @@ static int jpeg2000_decode_frame(AVCodecContext *avctx, void *data, *got_frame = 1; + if (s->avctx->pix_fmt == AV_PIX_FMT_PAL8) + memcpy(picture->data[1], s->palette, 256 * sizeof(uint32_t)); + return bytestream2_tell(&s->g); end: From 9da9b36435c944aeb02a20c091d1a5e4ec6b39dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2013 00:57:32 +0200 Subject: [PATCH 020/492] jpeg2000dec: parse CDEF Signed-off-by: Michael Niedermayer Conflicts: libavcodec/jpeg2000dec.c Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 99de97cabf35c035b628943b865ab991583a6ea5) --- libavcodec/jpeg2000dec.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 7f94cad4a9..5118e7b4f1 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -77,6 +77,7 @@ typedef struct Jpeg2000DecoderContext { int colour_space; uint32_t palette[256]; int8_t pal8; + int cdef[4]; int tile_width, tile_height; unsigned numXtiles, numYtiles; int maxtilelen; @@ -1229,6 +1230,13 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, if (tile->codsty[0].mct) mct_decode(s, tile); + if (s->cdef[0] < 0) { + for (x = 0; x < s->ncomponents; x++) + s->cdef[x] = x + 1; + if ((s->ncomponents & 1) == 0) + s->cdef[s->ncomponents-1] = 0; + } + if (s->precision <= 8) { for (compno = 0; compno < s->ncomponents; compno++) { Jpeg2000Component *comp = tile->comp + compno; @@ -1535,6 +1543,21 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom2_size -= size; bytestream2_skipu(&s->g, atom2_size); atom_size -= atom2_size; + } else if (atom2 == MKBETAG('c','d','e','f') && atom2_size >= 2 && + bytestream2_get_bytes_left(&s->g) >= atom2_size) { + int n = bytestream2_get_be16u(&s->g); + atom_size -= 2; + atom2_size -= 2; + for (; n>0; n--) { + int cn = bytestream2_get_be16(&s->g); + int typ = bytestream2_get_be16(&s->g); + int asoc = bytestream2_get_be16(&s->g); + if (cn < 4 || asoc < 4) + s->cdef[cn] = asoc; + atom_size -= 6; + atom2_size -= 6; + } + bytestream2_skipu(&s->g, atom2_size); } else { bytestream2_skipu(&s->g, atom2_size); atom_size -= atom2_size; @@ -1565,6 +1588,7 @@ static int jpeg2000_decode_frame(AVCodecContext *avctx, void *data, s->avctx = avctx; bytestream2_init(&s->g, avpkt->data, avpkt->size); s->curtileno = -1; + memset(s->cdef, -1, sizeof(s->cdef)); if (bytestream2_get_bytes_left(&s->g) < 2) { ret = AVERROR_INVALIDDATA; From 8b221d60fa5e7b7eff35e344d06a6bd5363eae24 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2013 00:58:40 +0200 Subject: [PATCH 021/492] jpeg2000dec: Support non subsampled 8bit planar pixel formats Fixes file2.jp2 Signed-off-by: Michael Niedermayer (cherry picked from commit fc6de70c44be05eb0368ab519bfb790431d8dee5) --- libavcodec/jpeg2000dec.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 5118e7b4f1..6959a3611f 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1245,14 +1245,21 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, int32_t *i_datap = comp->i_data; int cbps = s->cbps[compno]; int w = tile->comp[compno].coord[0][1] - s->image_offset_x; + int planar = !!picture->data[2]; + int pixelsize = planar ? 1 : s->ncomponents; + int plane = 0; + + if (planar) + plane = s->cdef[compno] ? s->cdef[compno]-1 : (s->ncomponents-1); + y = tile->comp[compno].coord[1][0] - s->image_offset_y; - line = picture->data[0] + y * picture->linesize[0]; + line = picture->data[plane] + y * picture->linesize[plane]; for (; y < tile->comp[compno].coord[1][1] - s->image_offset_y; y += s->cdy[compno]) { uint8_t *dst; x = tile->comp[compno].coord[0][0] - s->image_offset_x; - dst = line + x * s->ncomponents + compno; + dst = line + x * pixelsize + compno*!planar; if (codsty->transform == FF_DWT97) { for (; x < w; x += s->cdx[compno]) { @@ -1261,7 +1268,7 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, val = av_clip(val, 0, (1 << cbps) - 1); *dst = val << (8 - cbps); datap++; - dst += s->ncomponents; + dst += pixelsize; } } else { for (; x < w; x += s->cdx[compno]) { @@ -1270,10 +1277,10 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, val = av_clip(val, 0, (1 << cbps) - 1); *dst = val << (8 - cbps); i_datap++; - dst += s->ncomponents; + dst += pixelsize; } } - line += picture->linesize[0]; + line += picture->linesize[plane]; } } } else { From 9a6d3eee599508ba70d711df6927daa9b8c3cc5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2013 17:54:57 +0200 Subject: [PATCH 022/492] jpeg2000dec: silence unused variable warning Signed-off-by: Michael Niedermayer (cherry picked from commit db33010483a024f1343bfb516415fe9ef77e82d9) --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 6959a3611f..f94d9a32df 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1557,7 +1557,7 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom2_size -= 2; for (; n>0; n--) { int cn = bytestream2_get_be16(&s->g); - int typ = bytestream2_get_be16(&s->g); + int av_unused typ = bytestream2_get_be16(&s->g); int asoc = bytestream2_get_be16(&s->g); if (cn < 4 || asoc < 4) s->cdef[cn] = asoc; From d73ce6cb5609512a595577578e0804f3587f64f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2013 00:58:40 +0200 Subject: [PATCH 023/492] jpeg2000dec: Support non subsampled 9-16bit planar pixel formats This applies changes similar to fc6de70c44be05eb0368ab519bfb790431d8dee5 to the >8bit codepath Signed-off-by: Michael Niedermayer (cherry picked from commit 1434df3b93fde086be729d174ffbbee1e25792b3) --- libavcodec/jpeg2000dec.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index f94d9a32df..c6f6f6c9cb 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1292,14 +1292,20 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, uint16_t *linel; int cbps = s->cbps[compno]; int w = tile->comp[compno].coord[0][1] - s->image_offset_x; + int planar = !!picture->data[2]; + int pixelsize = planar ? 1 : s->ncomponents; + int plane = 0; + + if (planar) + plane = s->cdef[compno] ? s->cdef[compno]-1 : (s->ncomponents-1); y = tile->comp[compno].coord[1][0] - s->image_offset_y; - linel = (uint16_t *)picture->data[0] + y * (picture->linesize[0] >> 1); + linel = (uint16_t *)picture->data[plane] + y * (picture->linesize[plane] >> 1); for (; y < tile->comp[compno].coord[1][1] - s->image_offset_y; y += s->cdy[compno]) { uint16_t *dst; x = tile->comp[compno].coord[0][0] - s->image_offset_x; - dst = linel + (x * s->ncomponents + compno); + dst = linel + (x * pixelsize + compno*!planar); if (codsty->transform == FF_DWT97) { for (; x < w; x += s-> cdx[compno]) { int val = lrintf(*datap) + (1 << (cbps - 1)); @@ -1308,7 +1314,7 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, /* align 12 bit values in little-endian mode */ *dst = val << (16 - cbps); datap++; - dst += s->ncomponents; + dst += pixelsize; } } else { for (; x < w; x += s-> cdx[compno]) { @@ -1318,10 +1324,10 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, /* align 12 bit values in little-endian mode */ *dst = val << (16 - cbps); i_datap++; - dst += s->ncomponents; + dst += pixelsize; } } - linel += picture->linesize[0] >> 1; + linel += picture->linesize[plane] >> 1; } } } From 0047a310905cb6816d75059f507f5ae083c8750f Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 29 Jul 2013 00:00:42 +0200 Subject: [PATCH 024/492] Revert "pnm: remove nonsense code" Breaks decoding pgms with 255 < maxval < 65535. Found-by: Carl Eugen Hoyos . This reverts commit a0348d0966a81a66f3a1bf061576b24d5296b933. (cherry picked from commit 768e40b451a459fefaceed6b1b3d6e70c93596ac) --- libavcodec/pnm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index 308457bbe9..578bb8913f 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -163,6 +163,8 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if (s->maxval >= 256) { if (avctx->pix_fmt == AV_PIX_FMT_GRAY8) { avctx->pix_fmt = AV_PIX_FMT_GRAY16BE; + if (s->maxval != 65535) + avctx->pix_fmt = AV_PIX_FMT_GRAY16; } else if (avctx->pix_fmt == AV_PIX_FMT_RGB24) { avctx->pix_fmt = AV_PIX_FMT_RGB48BE; } else if (avctx->pix_fmt == AV_PIX_FMT_YUV420P && s->maxval < 65536) { From 64444cd5784b2584b1c768154c55491389ebb3ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jul 2013 20:43:45 +0200 Subject: [PATCH 025/492] avcodec/kmvc: fix MV checks Fixes Ticket2813 Fixes regression since 70b5583 Signed-off-by: Michael Niedermayer (cherry picked from commit 3cd8aaa2b2e78faf039691e1c31ff4f8d94e3bc6) --- libavcodec/kmvc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index f5adfd60d2..0560c6e114 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -107,7 +107,7 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = val & 0xF; my = val >> 4; - if ((l0x-mx) + 320*(l0y-my) < 0 || (l0x-mx) + 320*(l0y-my) > 316*196) { + if ((l0x-mx) + 320*(l0y-my) < 0 || (l0x-mx) + 320*(l0y-my) > 320*197 - 4) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); return AVERROR_INVALIDDATA; } @@ -132,7 +132,7 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = val & 0xF; my = val >> 4; - if ((l1x-mx) + 320*(l1y-my) < 0 || (l1x-mx) + 320*(l1y-my) > 318*198) { + if ((l1x-mx) + 320*(l1y-my) < 0 || (l1x-mx) + 320*(l1y-my) > 320*199 - 2) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); return AVERROR_INVALIDDATA; } @@ -207,7 +207,7 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = (val & 0xF) - 8; my = (val >> 4) - 8; - if ((l0x+mx) + 320*(l0y+my) < 0 || (l0x+mx) + 320*(l0y+my) > 318*198) { + if ((l0x+mx) + 320*(l0y+my) < 0 || (l0x+mx) + 320*(l0y+my) > 320*197 - 4) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); return AVERROR_INVALIDDATA; } @@ -232,7 +232,7 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = (val & 0xF) - 8; my = (val >> 4) - 8; - if ((l1x+mx) + 320*(l1y+my) < 0 || (l1x+mx) + 320*(l1y+my) > 318*198) { + if ((l1x+mx) + 320*(l1y+my) < 0 || (l1x+mx) + 320*(l1y+my) > 320*199 - 2) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); return AVERROR_INVALIDDATA; } From 1bf2461765c58aad5829ea45a2885d11f50b73f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2013 18:54:43 +0200 Subject: [PATCH 026/492] avfilter: fix plane validity checks Fixes out of array accesses (cherry picked from commit e43a0a232dbf6d3c161823c2e07c52e76227a1bc) Signed-off-by: Michael Niedermayer --- libavfilter/vf_boxblur.c | 4 ++-- libavfilter/vf_delogo.c | 2 +- libavfilter/vf_fieldmatch.c | 2 +- libavfilter/vf_fieldorder.c | 2 +- libavfilter/vf_gradfun.c | 2 +- libavfilter/vf_hflip.c | 2 +- libavfilter/vf_kerndeint.c | 2 +- libavfilter/vf_lut.c | 2 +- libavfilter/vf_pad.c | 4 ++-- libavfilter/vf_showinfo.c | 4 ++-- libavfilter/vf_vignette.c | 2 +- 11 files changed, 14 insertions(+), 14 deletions(-) diff --git a/libavfilter/vf_boxblur.c b/libavfilter/vf_boxblur.c index 8a59890452..bf4c42e674 100644 --- a/libavfilter/vf_boxblur.c +++ b/libavfilter/vf_boxblur.c @@ -313,13 +313,13 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } av_frame_copy_props(out, in); - for (plane = 0; in->data[plane] && plane < 4; plane++) + for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) hblur(out->data[plane], out->linesize[plane], in ->data[plane], in ->linesize[plane], w[plane], h[plane], s->radius[plane], s->power[plane], s->temp); - for (plane = 0; in->data[plane] && plane < 4; plane++) + for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) vblur(out->data[plane], out->linesize[plane], out->data[plane], out->linesize[plane], w[plane], h[plane], s->radius[plane], s->power[plane], diff --git a/libavfilter/vf_delogo.c b/libavfilter/vf_delogo.c index 8356c615dc..6999aabbb7 100644 --- a/libavfilter/vf_delogo.c +++ b/libavfilter/vf_delogo.c @@ -236,7 +236,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) if (!sar.num) sar.num = sar.den = 1; - for (plane = 0; plane < 4 && in->data[plane]; plane++) { + for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) { int hsub = plane == 1 || plane == 2 ? hsub0 : 0; int vsub = plane == 1 || plane == 2 ? vsub0 : 0; diff --git a/libavfilter/vf_fieldmatch.c b/libavfilter/vf_fieldmatch.c index 3a6f806a8b..89c4909a3d 100644 --- a/libavfilter/vf_fieldmatch.c +++ b/libavfilter/vf_fieldmatch.c @@ -608,7 +608,7 @@ static void copy_fields(const FieldMatchContext *fm, AVFrame *dst, const AVFrame *src, int field) { int plane; - for (plane = 0; plane < 4 && src->data[plane]; plane++) + for (plane = 0; plane < 4 && src->data[plane] && src->linesize[plane]; plane++) av_image_copy_plane(dst->data[plane] + field*dst->linesize[plane], dst->linesize[plane] << 1, src->data[plane] + field*src->linesize[plane], src->linesize[plane] << 1, get_width(fm, src, plane), get_height(fm, src, plane) / 2); diff --git a/libavfilter/vf_fieldorder.c b/libavfilter/vf_fieldorder.c index 3a19500c13..7ff88418b4 100644 --- a/libavfilter/vf_fieldorder.c +++ b/libavfilter/vf_fieldorder.c @@ -106,7 +106,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) "picture will move %s one line\n", s->dst_tff ? "up" : "down"); h = frame->height; - for (plane = 0; plane < 4 && frame->data[plane]; plane++) { + for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) { line_step = frame->linesize[plane]; line_size = s->line_size[plane]; data = frame->data[plane]; diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c index 3abbd79e4f..276f1eb8c8 100644 --- a/libavfilter/vf_gradfun.c +++ b/libavfilter/vf_gradfun.c @@ -200,7 +200,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) av_frame_copy_props(out, in); } - for (p = 0; p < 4 && in->data[p]; p++) { + for (p = 0; p < 4 && in->data[p] && in->linesize[p]; p++) { int w = inlink->w; int h = inlink->h; int r = s->radius; diff --git a/libavfilter/vf_hflip.c b/libavfilter/vf_hflip.c index 7fc135fdfc..0a9bc2cc66 100644 --- a/libavfilter/vf_hflip.c +++ b/libavfilter/vf_hflip.c @@ -90,7 +90,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) if (av_pix_fmt_desc_get(inlink->format)->flags & AV_PIX_FMT_FLAG_PAL) memcpy(out->data[1], in->data[1], AVPALETTE_SIZE); - for (plane = 0; plane < 4 && in->data[plane]; plane++) { + for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) { const int width = (plane == 1 || plane == 2) ? FF_CEIL_RSHIFT(inlink->w, s->hsub) : inlink->w; const int height = (plane == 1 || plane == 2) ? FF_CEIL_RSHIFT(inlink->h, s->vsub) : inlink->h; step = s->max_step[plane]; diff --git a/libavfilter/vf_kerndeint.c b/libavfilter/vf_kerndeint.c index 5f99d88c2b..5f81525527 100644 --- a/libavfilter/vf_kerndeint.c +++ b/libavfilter/vf_kerndeint.c @@ -150,7 +150,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *inpic) av_frame_copy_props(outpic, inpic); outpic->interlaced_frame = 0; - for (plane = 0; inpic->data[plane] && plane < 4; plane++) { + for (plane = 0; plane < 4 && inpic->data[plane] && inpic->linesize[plane]; plane++) { h = plane == 0 ? inlink->h : FF_CEIL_RSHIFT(inlink->h, kerndeint->vsub); bwidth = kerndeint->tmp_bwidth[plane]; diff --git a/libavfilter/vf_lut.c b/libavfilter/vf_lut.c index 68320d0b41..d2fd4a14bf 100644 --- a/libavfilter/vf_lut.c +++ b/libavfilter/vf_lut.c @@ -304,7 +304,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } } else { /* planar */ - for (plane = 0; plane < 4 && in->data[plane]; plane++) { + for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) { int vsub = plane == 1 || plane == 2 ? s->vsub : 0; int hsub = plane == 1 || plane == 2 ? s->hsub : 0; int h = FF_CEIL_RSHIFT(inlink->h, vsub); diff --git a/libavfilter/vf_pad.c b/libavfilter/vf_pad.c index 2e9aa56968..023ef7f863 100644 --- a/libavfilter/vf_pad.c +++ b/libavfilter/vf_pad.c @@ -214,7 +214,7 @@ static AVFrame *get_video_buffer(AVFilterLink *inlink, int w, int h) frame->width = w; frame->height = h; - for (plane = 0; plane < 4 && frame->data[plane]; plane++) { + for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) { int hsub = s->draw.hsub[plane]; int vsub = s->draw.vsub[plane]; frame->data[plane] += (s->x >> hsub) * s->draw.pixelstep[plane] + @@ -311,7 +311,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) int i; out = in; - for (i = 0; i < 4 && out->data[i]; i++) { + for (i = 0; i < 4 && out->data[i] && out->linesize[i]; i++) { int hsub = s->draw.hsub[i]; int vsub = s->draw.vsub[i]; out->data[i] -= (s->x >> hsub) * s->draw.pixelstep[i] + diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c index 336a870b17..82becc40f4 100644 --- a/libavfilter/vf_showinfo.c +++ b/libavfilter/vf_showinfo.c @@ -38,7 +38,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) uint32_t plane_checksum[4] = {0}, checksum = 0; int i, plane, vsub = desc->log2_chroma_h; - for (plane = 0; plane < 4 && frame->data[plane]; plane++) { + for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) { int64_t linesize = av_image_get_linesize(frame->format, frame->width, plane); uint8_t *data = frame->data[plane]; int h = plane == 1 || plane == 2 ? FF_CEIL_RSHIFT(inlink->h, vsub) : inlink->h; @@ -68,7 +68,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) av_get_picture_type_char(frame->pict_type), checksum, plane_checksum[0]); - for (plane = 1; plane < 4 && frame->data[plane]; plane++) + for (plane = 1; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) av_log(ctx, AV_LOG_INFO, " %08X", plane_checksum[plane]); av_log(ctx, AV_LOG_INFO, "]\n"); diff --git a/libavfilter/vf_vignette.c b/libavfilter/vf_vignette.c index 181999327a..b5fed65511 100644 --- a/libavfilter/vf_vignette.c +++ b/libavfilter/vf_vignette.c @@ -239,7 +239,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } else { int plane; - for (plane = 0; plane < 4 && in->data[plane]; plane++) { + for (plane = 0; plane < 4 && in->data[plane] && in->linesize[plane]; plane++) { uint8_t *dst = out->data[plane]; const uint8_t *src = in ->data[plane]; const float *fmap = s->fmap; From 211374e52a933a2b3f21a4d6e66e9f1b0623e44e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Aug 2013 13:37:18 +0200 Subject: [PATCH 027/492] avutil/mem: Fix flipped condition Fixes return code and later null pointer dereference Found-by: Laurent Butti Signed-off-by: Michael Niedermayer (cherry picked from commit c94f9e854228e0ea00e1de8769d8d3f7cab84a55) Signed-off-by: Michael Niedermayer --- libavutil/mem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mem.c b/libavutil/mem.c index 76f6b65d1a..20dfd629a8 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -191,7 +191,7 @@ int av_reallocp_array(void *ptr, size_t nmemb, size_t size) { void **ptrptr = ptr; *ptrptr = av_realloc_f(*ptrptr, nmemb, size); - if (!*ptrptr && !(nmemb && size)) + if (!*ptrptr && nmemb && size) return AVERROR(ENOMEM); return 0; } From 50f9c4acc3ea82a159713151e39f0f70c79aaf71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Aug 2013 13:23:10 +0200 Subject: [PATCH 028/492] avformat/paf: Fix integer overflow and out of array read Found-by: Laurent Butti Signed-off-by: Michael Niedermayer (cherry picked from commit f58cd2867a8af2eed13acdd21d067b48249b14a1) Signed-off-by: Michael Niedermayer --- libavformat/paf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/paf.c b/libavformat/paf.c index 09786eb34f..09aefe6770 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -233,10 +233,11 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) p->current_frame_block++; } - size = p->video_size - p->frames_offset_table[p->current_frame]; - if (size < 1) + if (p->frames_offset_table[p->current_frame] >= p->video_size) return AVERROR_INVALIDDATA; + size = p->video_size - p->frames_offset_table[p->current_frame]; + if (av_new_packet(pkt, size) < 0) return AVERROR(ENOMEM); From d6d168e87b6322b30d0d2297da8b99b10e1a46e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Jul 2013 00:44:09 +0200 Subject: [PATCH 029/492] avfilter/vf_separatefields: fix ;; Found-by: llogan Signed-off-by: Michael Niedermayer (cherry picked from commit 74561680cd01f36a2b225efb529bcd5729b65d32) Signed-off-by: Michael Niedermayer --- libavfilter/vf_separatefields.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_separatefields.c b/libavfilter/vf_separatefields.c index c91c0c10e6..d9c4839630 100644 --- a/libavfilter/vf_separatefields.c +++ b/libavfilter/vf_separatefields.c @@ -33,7 +33,7 @@ static int config_props_output(AVFilterLink *outlink) SeparateFieldsContext *sf = ctx->priv; AVFilterLink *inlink = ctx->inputs[0]; - sf->nb_planes = av_pix_fmt_count_planes(inlink->format);; + sf->nb_planes = av_pix_fmt_count_planes(inlink->format); if (inlink->h & 1) { av_log(ctx, AV_LOG_ERROR, "height must be even\n"); From baf92305a6f5ce088728d41e7ac4ed7aa141c78f Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 17 Jul 2013 03:10:16 -0300 Subject: [PATCH 030/492] lavf/matroskaenc: Check for valid metadata before creating tags Tags must have at least one SimpleTag element to be spec conformant. Updated lavf-mkv and seek-lavf-mkv FATE references as the tests were affected by this. Fixes ticket #2785 Signed-off-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 088ed5314694031e07e02e9d364c9d486a60e704) --- libavformat/matroskaenc.c | 18 +++++++++++++--- tests/ref/lavf/mkv | 8 +++---- tests/ref/seek/lavf-mkv | 44 +++++++++++++++++++-------------------- 3 files changed, 41 insertions(+), 29 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 7efda5ab6b..af50630fcc 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -872,6 +872,18 @@ static int mkv_write_tag(AVFormatContext *s, AVDictionary *m, unsigned int eleme return 0; } +static int mkv_check_tag(AVDictionary *m) +{ + AVDictionaryEntry *t = NULL; + int ret = 0; + + while ((t = av_dict_get(m, "", t, AV_DICT_IGNORE_SUFFIX))) + if (av_strcasecmp(t->key, "title") && av_strcasecmp(t->key, "stereo_mode")) + ret++; + + return ret; +} + static int mkv_write_tags(AVFormatContext *s) { ebml_master tags = {0}; @@ -879,7 +891,7 @@ static int mkv_write_tags(AVFormatContext *s) ff_metadata_conv_ctx(s, ff_mkv_metadata_conv, NULL); - if (av_dict_get(s->metadata, "", NULL, AV_DICT_IGNORE_SUFFIX)) { + if (mkv_check_tag(s->metadata)) { ret = mkv_write_tag(s, s->metadata, 0, 0, &tags); if (ret < 0) return ret; } @@ -887,7 +899,7 @@ static int mkv_write_tags(AVFormatContext *s) for (i = 0; i < s->nb_streams; i++) { AVStream *st = s->streams[i]; - if (!av_dict_get(st->metadata, "", 0, AV_DICT_IGNORE_SUFFIX)) + if (!mkv_check_tag(st->metadata)) continue; ret = mkv_write_tag(s, st->metadata, MATROSKA_ID_TAGTARGETS_TRACKUID, i + 1, &tags); @@ -897,7 +909,7 @@ static int mkv_write_tags(AVFormatContext *s) for (i = 0; i < s->nb_chapters; i++) { AVChapter *ch = s->chapters[i]; - if (!av_dict_get(ch->metadata, "", NULL, AV_DICT_IGNORE_SUFFIX)) + if (!mkv_check_tag(ch->metadata)) continue; ret = mkv_write_tag(s, ch->metadata, MATROSKA_ID_TAGTARGETS_CHAPTERUID, ch->id, &tags); diff --git a/tests/ref/lavf/mkv b/tests/ref/lavf/mkv index 64979b225f..be474a4c2e 100644 --- a/tests/ref/lavf/mkv +++ b/tests/ref/lavf/mkv @@ -1,6 +1,6 @@ -b53f31e572394f225aff0bc82b5d1cc9 *./tests/data/lavf/lavf.mkv -472553 ./tests/data/lavf/lavf.mkv +1748c0b3221977509c62a158236d2492 *./tests/data/lavf/lavf.mkv +472533 ./tests/data/lavf/lavf.mkv ./tests/data/lavf/lavf.mkv CRC=0x4780846b -84dcb326fe85aeeb5768beb44372f248 *./tests/data/lavf/lavf.mkv -320297 ./tests/data/lavf/lavf.mkv +0f78dd9299210a51b18faafc971e71f2 *./tests/data/lavf/lavf.mkv +320265 ./tests/data/lavf/lavf.mkv ./tests/data/lavf/lavf.mkv CRC=0x4780846b diff --git a/tests/ref/seek/lavf-mkv b/tests/ref/seek/lavf-mkv index 681462cccc..f03bcf83d6 100644 --- a/tests/ref/seek/lavf-mkv +++ b/tests/ref/seek/lavf-mkv @@ -1,48 +1,48 @@ -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 555 size: 208 +ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 523 size: 208 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret: 0 st: 0 flags:0 ts: 0.788000 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret: 0 st: 0 flags:1 ts:-0.317000 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret:-1 st: 1 flags:0 ts: 2.577000 ret: 0 st: 1 flags:1 ts: 1.471000 -ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 320026 size: 209 +ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 319994 size: 209 ret: 0 st:-1 flags:0 ts: 0.365002 -ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146738 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146706 size: 27925 ret: 0 st:-1 flags:1 ts:-0.740831 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret:-1 st: 0 flags:0 ts: 2.153000 ret: 0 st: 0 flags:1 ts: 1.048000 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret: 0 st: 1 flags:0 ts:-0.058000 -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 555 size: 208 +ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 523 size: 208 ret: 0 st: 1 flags:1 ts: 2.836000 -ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 320026 size: 209 +ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 319994 size: 209 ret:-1 st:-1 flags:0 ts: 1.730004 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146738 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146706 size: 27925 ret: 0 st: 0 flags:0 ts:-0.482000 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret: 0 st: 0 flags:1 ts: 2.413000 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret:-1 st: 1 flags:0 ts: 1.307000 ret: 0 st: 1 flags:1 ts: 0.201000 -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 555 size: 208 +ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 523 size: 208 ret: 0 st:-1 flags:0 ts:-0.904994 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret: 0 st:-1 flags:1 ts: 1.989173 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret: 0 st: 0 flags:0 ts: 0.883000 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret: 0 st: 0 flags:1 ts:-0.222000 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret:-1 st: 1 flags:0 ts: 2.672000 ret: 0 st: 1 flags:1 ts: 1.566000 -ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 320026 size: 209 +ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 319994 size: 209 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146738 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146706 size: 27925 ret: 0 st:-1 flags:1 ts:-0.645825 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 From f593ac1c2183a29599fdc942027bc80ffaa9ab46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Jul 2013 13:30:36 +0200 Subject: [PATCH 031/492] matroskaenc: simplify mkv_check_tag() Signed-off-by: Michael Niedermayer (cherry picked from commit 066111bf19518a9f4d836991b34dbfc5ab72a41a) --- libavformat/matroskaenc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index af50630fcc..8a0e846b09 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -875,13 +875,12 @@ static int mkv_write_tag(AVFormatContext *s, AVDictionary *m, unsigned int eleme static int mkv_check_tag(AVDictionary *m) { AVDictionaryEntry *t = NULL; - int ret = 0; while ((t = av_dict_get(m, "", t, AV_DICT_IGNORE_SUFFIX))) if (av_strcasecmp(t->key, "title") && av_strcasecmp(t->key, "stereo_mode")) - ret++; + return 1; - return ret; + return 0; } static int mkv_write_tags(AVFormatContext *s) From b79f337f8a683887f8bb436812c8bee3fd67f95e Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 2 Aug 2013 16:45:58 +0000 Subject: [PATCH 032/492] ttaenc: fix packet size Signed-off-by: Paul B Mahol (cherry picked from commit bc2187cfdb5eeb82e3caf42a81a00d1ee4c16d8e) Signed-off-by: Michael Niedermayer --- libavcodec/ttaenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c index c77e0c29b0..55599cc525 100644 --- a/libavcodec/ttaenc.c +++ b/libavcodec/ttaenc.c @@ -116,7 +116,7 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, PutBitContext pb; int ret, i, out_bytes, cur_chan = 0, res = 0, samples = 0; - if ((ret = ff_alloc_packet2(avctx, avpkt, frame->nb_samples * 2 * s->bps)) < 0) + if ((ret = ff_alloc_packet2(avctx, avpkt, frame->nb_samples * 2 * avctx->channels * s->bps)) < 0) return ret; init_put_bits(&pb, avpkt->data, avpkt->size); From 80fb38153e7d8c526ee2dce09c0d685bf5220ef1 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 26 Jul 2013 21:53:54 +0000 Subject: [PATCH 033/492] sgidec: safer check for buffer overflow Signed-off-by: Paul B Mahol (cherry picked from commit 86e722ab97d7f5f0552c8a0958f7910dfcf3c5b7) Conflicts: libavcodec/sgidec.c Signed-off-by: Michael Niedermayer --- libavcodec/sgidec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index e7f453bc17..84e39ef1f4 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -58,7 +58,8 @@ static int expand_rle_row(SgiState *s, uint8_t *out_buf, } /* Check for buffer overflow. */ - if(out_buf + pixelstride * (count-1) >= out_end) return -1; + if (out_end - out_buf <= pixelstride * (count - 1)) + return -1; if (pixel & 0x80) { while (count--) { From 2881bfbfd6c3ecf36bf603b163b75f30f2119dfc Mon Sep 17 00:00:00 2001 From: Stephen Hutchinson Date: Tue, 6 Aug 2013 20:57:16 -0400 Subject: [PATCH 034/492] avisynth: Cosmetics Signed-off-by: Michael Niedermayer (cherry picked from commit f277d6bf42329d481f58b6147f6dc4130f198ba5) Signed-off-by: Michael Niedermayer --- libavformat/avisynth.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavformat/avisynth.c b/libavformat/avisynth.c index ef54b9b750..03f1688cbe 100644 --- a/libavformat/avisynth.c +++ b/libavformat/avisynth.c @@ -62,19 +62,19 @@ typedef struct { void *library; #define AVSC_DECLARE_FUNC(name) name##_func name + AVSC_DECLARE_FUNC(avs_bit_blt); + AVSC_DECLARE_FUNC(avs_clip_get_error); AVSC_DECLARE_FUNC(avs_create_script_environment); AVSC_DECLARE_FUNC(avs_delete_script_environment); - AVSC_DECLARE_FUNC(avs_get_error); - AVSC_DECLARE_FUNC(avs_clip_get_error); - AVSC_DECLARE_FUNC(avs_invoke); - AVSC_DECLARE_FUNC(avs_release_value); - AVSC_DECLARE_FUNC(avs_get_video_info); - AVSC_DECLARE_FUNC(avs_take_clip); - AVSC_DECLARE_FUNC(avs_release_clip); - AVSC_DECLARE_FUNC(avs_bit_blt); AVSC_DECLARE_FUNC(avs_get_audio); + AVSC_DECLARE_FUNC(avs_get_error); AVSC_DECLARE_FUNC(avs_get_frame); + AVSC_DECLARE_FUNC(avs_get_video_info); + AVSC_DECLARE_FUNC(avs_invoke); + AVSC_DECLARE_FUNC(avs_release_clip); + AVSC_DECLARE_FUNC(avs_release_value); AVSC_DECLARE_FUNC(avs_release_video_frame); + AVSC_DECLARE_FUNC(avs_take_clip); #undef AVSC_DECLARE_FUNC } AviSynthLibrary; @@ -127,19 +127,19 @@ static av_cold int avisynth_load_library(void) { if(!continue_on_fail && !avs_library->name) \ goto fail; \ } + LOAD_AVS_FUNC(avs_bit_blt, 0); + LOAD_AVS_FUNC(avs_clip_get_error, 0); LOAD_AVS_FUNC(avs_create_script_environment, 0); LOAD_AVS_FUNC(avs_delete_script_environment, 0); - LOAD_AVS_FUNC(avs_get_error, 1); // New to AviSynth 2.6 - LOAD_AVS_FUNC(avs_clip_get_error, 0); - LOAD_AVS_FUNC(avs_invoke, 0); - LOAD_AVS_FUNC(avs_release_value, 0); - LOAD_AVS_FUNC(avs_get_video_info, 0); - LOAD_AVS_FUNC(avs_take_clip, 0); - LOAD_AVS_FUNC(avs_release_clip, 0); - LOAD_AVS_FUNC(avs_bit_blt, 0); LOAD_AVS_FUNC(avs_get_audio, 0); + LOAD_AVS_FUNC(avs_get_error, 1); // New to AviSynth 2.6 LOAD_AVS_FUNC(avs_get_frame, 0); + LOAD_AVS_FUNC(avs_get_video_info, 0); + LOAD_AVS_FUNC(avs_invoke, 0); + LOAD_AVS_FUNC(avs_release_clip, 0); + LOAD_AVS_FUNC(avs_release_value, 0); LOAD_AVS_FUNC(avs_release_video_frame, 0); + LOAD_AVS_FUNC(avs_take_clip, 0); #undef LOAD_AVS_FUNC atexit(avisynth_atexit_handler); From e7a4c34e7c70a292aa281576815caecba3a096ed Mon Sep 17 00:00:00 2001 From: Stephen Hutchinson Date: Tue, 6 Aug 2013 20:57:17 -0400 Subject: [PATCH 035/492] avisynth: Exit gracefully when trying to serve video from v2.5.8. 'Fixes' ticket #2526 insofar as it stops 2.5.8 from crashing and tells the user to upgrade to 2.6 if they want to make video input work. A real solution to #2526 would be to get video input from 2.5.8 to work right. Signed-off-by: Michael Niedermayer (cherry picked from commit 9db353bc4727d2a184778c110cf4ea0b9d1616cb) Signed-off-by: Michael Niedermayer --- libavformat/avisynth.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/libavformat/avisynth.c b/libavformat/avisynth.c index 03f1688cbe..8a480ede21 100644 --- a/libavformat/avisynth.c +++ b/libavformat/avisynth.c @@ -69,6 +69,7 @@ typedef struct { AVSC_DECLARE_FUNC(avs_get_audio); AVSC_DECLARE_FUNC(avs_get_error); AVSC_DECLARE_FUNC(avs_get_frame); + AVSC_DECLARE_FUNC(avs_get_version); AVSC_DECLARE_FUNC(avs_get_video_info); AVSC_DECLARE_FUNC(avs_invoke); AVSC_DECLARE_FUNC(avs_release_clip); @@ -134,6 +135,7 @@ static av_cold int avisynth_load_library(void) { LOAD_AVS_FUNC(avs_get_audio, 0); LOAD_AVS_FUNC(avs_get_error, 1); // New to AviSynth 2.6 LOAD_AVS_FUNC(avs_get_frame, 0); + LOAD_AVS_FUNC(avs_get_version, 0); LOAD_AVS_FUNC(avs_get_video_info, 0); LOAD_AVS_FUNC(avs_invoke, 0); LOAD_AVS_FUNC(avs_release_clip, 0); @@ -479,7 +481,26 @@ static int avisynth_read_packet_video(AVFormatContext *s, AVPacket *pkt, int dis pitch = -pitch; } + // An issue with avs_bit_blt on 2.5.8 prevents video from working correctly. + // This problem doesn't exist for 2.6 and AvxSynth, so enable the workaround + // for 2.5.8 only. This only displays the warning and exits if the script has + // video. 2.5.8's internal interface version is 3, so avs_get_version allows + // it to work only in the circumstance that the interface is 5 or higher (4 is + // unused). There's a strong chance that AvxSynth, having been based on 2.5.8, + // would also be identified as interface version 3, but since AvxSynth doesn't + // suffer from this problem, special-case it. +#ifdef _WIN32 + if (avs_library->avs_get_version(avs->clip) > 3) { avs_library->avs_bit_blt(avs->env, dst_p, rowsize, src_p, pitch, rowsize, planeheight); + } else { + av_log(s, AV_LOG_ERROR, "Video input from AviSynth 2.5.8 is not supported. Please upgrade to 2.6.\n"); + avs->error = 1; + av_freep(&pkt->data); + return AVERROR_UNKNOWN; + } +#else + avs_library->avs_bit_blt(avs->env, dst_p, rowsize, src_p, pitch, rowsize, planeheight); +#endif dst_p += rowsize * planeheight; } From d5dd54df69ec01a5381259fe1ce56ef4d48cfec5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2013 12:36:56 +0200 Subject: [PATCH 036/492] MAINTAINERS: add myself as maintainer for the interface code to swresample & swscale in libavfilter Signed-off-by: Michael Niedermayer (cherry picked from commit 5ad4e29337483bbd3337bc47db4ad181d7e2da00) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 9ed8902559..cf20edf473 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -292,11 +292,13 @@ Generic parts: Filters: af_amerge.c Nicolas George + af_aresample.c Michael Niedermayer af_astreamsync.c Nicolas George af_atempo.c Pavel Koshevoy af_pan.c Nicolas George vf_delogo.c Jean Delvare (CC ) vf_drawbox.c/drawgrid Andrey Utkin + vf_scale.c Michael Niedermayer vf_yadif.c Michael Niedermayer Sources: From ec334232731addb52dbfcced093f82f29f873302 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2013 12:35:39 +0200 Subject: [PATCH 037/492] MAINTAINERS: drop 1.1 from the releases that i maintain There seems to be no need to continue maintaining it, people can easily upgrade to 1.2 Signed-off-by: Michael Niedermayer (cherry picked from commit 5fe5f020b6cfb0b7137d12aab10db936cc08836f) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 - 1 file changed, 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index cf20edf473..a96b7373dc 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -460,7 +460,6 @@ Releases 2.0 Michael Niedermayer 1.2 Michael Niedermayer -1.1 Michael Niedermayer If you want to maintain an older release, please contact us From 15ea618ef62922ca24b3fe227b161aeaab9bc6c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2013 11:24:57 +0200 Subject: [PATCH 038/492] MAINTAINERS: order libavutil entries alphabetically Signed-off-by: Michael Niedermayer (cherry picked from commit 48188a512068e77fbf94ec1a250870260a1ff1ae) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index a96b7373dc..6f40fea50f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -62,12 +62,12 @@ Internal Interfaces: libavutil/common.h Michael Niedermayer Other: - intfloat* Michael Niedermayer - rational.c, rational.h Michael Niedermayer - mathematics.c, mathematics.h Michael Niedermayer - integer.c, integer.h Michael Niedermayer bswap.h + intfloat* Michael Niedermayer + integer.c, integer.h Michael Niedermayer + mathematics.c, mathematics.h Michael Niedermayer opencl.c, opencl.h Wei Gao + rational.c, rational.h Michael Niedermayer ripemd.c, ripemd.h James Almer From b2a9f64e1b12a414629ec175bb7066d3e669abd5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2013 11:43:22 +0200 Subject: [PATCH 039/492] MAINTAINERS: Add some maintainers for parts of libavutil Developers added are active and in the copyright of the specified files, If anyone wants to maintain anything else, send a patch that adds you to MAINTAINERS. Signed-off-by: Michael Niedermayer (cherry picked from commit b45b1d7af93bd5b8b3824edeae3d1d54644a5361) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 6f40fea50f..23d64a6734 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -62,13 +62,20 @@ Internal Interfaces: libavutil/common.h Michael Niedermayer Other: + bprint Nicolas George bswap.h + des Reimar Doeffinger + float_dsp Loren Merritt + hash Reimar Doeffinger intfloat* Michael Niedermayer integer.c, integer.h Michael Niedermayer + lzo Reimar Doeffinger mathematics.c, mathematics.h Michael Niedermayer opencl.c, opencl.h Wei Gao rational.c, rational.h Michael Niedermayer + rc4 Reimar Doeffinger ripemd.c, ripemd.h James Almer + timecode Clément Bœsch libavcodec From f09f33031b9d54f5d942ad180807d154f7cf0910 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2013 02:58:16 +0200 Subject: [PATCH 040/492] MAINTAINERS: alphabetical sort Signed-off-by: Michael Niedermayer (cherry picked from commit 81f4d55c3669733318b2f0e61d10d9efe9b00074) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 23d64a6734..5ee601004c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -138,8 +138,8 @@ Codecs: binkaudio.c Peter Ross bmp.c Mans Rullgard, Kostya Shishkov cavs* Stefan Gehrer - celp_filters.* Vitor Sessak cdxl.c Paul B Mahol + celp_filters.* Vitor Sessak cinepak.c Roberto Togni cljr Alex Beregszaszi cllc.c Derek Buitenhuis @@ -150,8 +150,8 @@ Codecs: dca.c Kostya Shishkov, Benjamin Larsson dnxhd* Baptiste Coudurier dpcm.c Mike Melanson - dxa.c Kostya Shishkov dv.c Roman Shaposhnik + dxa.c Kostya Shishkov eacmv*, eaidct*, eat* Peter Ross ffv1.c Michael Niedermayer ffwavesynth.c Nicolas George @@ -161,9 +161,9 @@ Codecs: g722.c Martin Storsjo g726.c Roman Shaposhnik gifdec.c Baptiste Coudurier - h264* Loren Merritt, Michael Niedermayer h261* Michael Niedermayer h263* Michael Niedermayer + h264* Loren Merritt, Michael Niedermayer huffyuv.c Michael Niedermayer idcinvideo.c Mike Melanson imc* Benjamin Larsson @@ -178,8 +178,8 @@ Codecs: kmvc.c Kostya Shishkov lcl*.c Roberto Togni, Reimar Doeffinger libcelt_dec.c Nicolas George - libgsm.c Michel Bardiaux libdirac* David Conrad + libgsm.c Michel Bardiaux libopenjpeg.c Jaikrishnan Menon libopenjpegenc.c Michael Bradshaw libschroedinger* David Conrad @@ -187,8 +187,8 @@ Codecs: libtheoraenc.c David Conrad libutvideo* Derek Buitenhuis libvorbis.c David Conrad - libxavs.c Stefan Gehrer libx264.c Mans Rullgard, Jason Garrett-Glaser + libxavs.c Stefan Gehrer loco.c Kostya Shishkov lzo.h, lzo.c Reimar Doeffinger mdec.c Michael Niedermayer @@ -250,8 +250,8 @@ Codecs: vda_h264_dec.c Xidorn Quan vima.c Paul B Mahol vmnc.c Kostya Shishkov - vorbis_enc.c Oded Shimon vorbis_dec.c Denes Balatoni, David Conrad + vorbis_enc.c Oded Shimon vp3* Mike Melanson vp5 Aurelien Jacobs vp6 Aurelien Jacobs @@ -285,11 +285,11 @@ libavdevice libavdevice/avdevice.h + dshow.c Roger Pack iec61883.c Georg Lippitsch libdc1394.c Roman Shaposhnik v4l2.c Luca Abeni vfwcap.c Ramiro Polla - dshow.c Roger Pack libavfilter =========== @@ -353,8 +353,8 @@ Muxers/Demuxers: idcin.c Mike Melanson idroqdec.c Mike Melanson iff.c Jaikrishnan Menon - ipmovie.c Mike Melanson img2*.c Michael Niedermayer + ipmovie.c Mike Melanson ircam* Paul B Mahol iss.c Stefan Gehrer jacosub* Clément Bœsch @@ -368,8 +368,8 @@ Muxers/Demuxers: matroskadec.c Aurelien Jacobs matroskaenc.c David Conrad metadata* Aurelien Jacobs - microdvd* Aurelien Jacobs mgsts.c Paul B Mahol + microdvd* Aurelien Jacobs mm.c Peter Ross mov.c Michael Niedermayer, Baptiste Coudurier movenc.c Michael Niedermayer, Baptiste Coudurier From 01838c5732e7c452e88cb1954e1078967d64e9e1 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Tue, 6 Aug 2013 22:08:05 +0100 Subject: [PATCH 041/492] MAINTAINERS: add myself as maintainer for lavf/aiff* and lavf/movenc.c Signed-off-by: Michael Niedermayer (cherry picked from commit 88a1ff22336ebfd62b0d1d920e0e7d49f7bd1ece) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 5ee601004c..333bb6cf12 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -325,7 +325,8 @@ Muxers/Demuxers: 4xm.c Mike Melanson adtsenc.c Robert Swain afc.c Paul B Mahol - aiff.c Baptiste Coudurier + aiffdec.c Baptiste Coudurier, Matthieu Bouron + aiffenc.c Baptiste Coudurier, Matthieu Bouron ape.c Kostya Shishkov ass* Aurelien Jacobs astdec.c Paul B Mahol @@ -372,7 +373,7 @@ Muxers/Demuxers: microdvd* Aurelien Jacobs mm.c Peter Ross mov.c Michael Niedermayer, Baptiste Coudurier - movenc.c Michael Niedermayer, Baptiste Coudurier + movenc.c Michael Niedermayer, Baptiste Coudurier, Matthieu Bouron mpc.c Kostya Shishkov mpeg.c Michael Niedermayer mpegenc.c Michael Niedermayer From 1155bdb754b0f3e98e400862af6fb6f0859bc7ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Aug 2013 16:40:19 +0200 Subject: [PATCH 042/492] MAINTAINERS: remove myself from movenc, 2 maintainers should be enough Signed-off-by: Michael Niedermayer (cherry picked from commit 55a88daf6ff1e09994bff39fac313a38a35b0055) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 333bb6cf12..1727e5cae0 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -373,7 +373,7 @@ Muxers/Demuxers: microdvd* Aurelien Jacobs mm.c Peter Ross mov.c Michael Niedermayer, Baptiste Coudurier - movenc.c Michael Niedermayer, Baptiste Coudurier, Matthieu Bouron + movenc.c Baptiste Coudurier, Matthieu Bouron mpc.c Kostya Shishkov mpeg.c Michael Niedermayer mpegenc.c Michael Niedermayer From fa004f4854db7e1dd98a4f5aace0df83716d5768 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Aug 2013 22:55:19 +0200 Subject: [PATCH 043/492] MAINTAINERS: add Alexander Strasser for the server Signed-off-by: Michael Niedermayer (cherry picked from commit c11c180132b3e0038143dc9ba4dfd7287d1509c7) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 1727e5cae0..0f93e5b432 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -46,7 +46,7 @@ Miscellaneous Areas documentation Mike Melanson website Robert Swain, Lou Logan build system (configure,Makefiles) Diego Biurrun, Mans Rullgard -project server Árpád Gereöffy, Michael Niedermayer, Reimar Döffinger +project server Árpád Gereöffy, Michael Niedermayer, Reimar Döffinger, Alexander Strasser mailinglists Michael Niedermayer, Baptiste Coudurier, Lou Logan presets Robert Swain metadata subsystem Aurelien Jacobs From fd2951bb53b3096a90307945fa074da9f9980d55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2013 23:53:37 +0200 Subject: [PATCH 044/492] update for 2.0.1 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index cd5ac039d6..38f77a65b3 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.0 +2.0.1 diff --git a/VERSION b/VERSION index cd5ac039d6..38f77a65b3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.0 +2.0.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index bbfbc30c51..634e818540 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.0 +PROJECT_NUMBER = 2.0.1 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From acf511de34e0b79fff0183e06ed37f1aa8dc3d94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2013 15:50:26 +0200 Subject: [PATCH 045/492] avcodec/g2meet: fix src pointer checks in kempf_decode_tile() Fixes Ticket2842 Signed-off-by: Michael Niedermayer (cherry picked from commit 2960576378d17d71cc8dccc926352ce568b5eec1) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index bc01dfafc8..d31fc54ca8 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -389,7 +389,7 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, int tile_y, return 0; zsize = (src[0] << 8) | src[1]; src += 2; - if (src_end - src < zsize) + if (src_end - src < zsize + (sub_type != 2)) return AVERROR_INVALIDDATA; ret = uncompress(c->kempf_buf, &dlen, src, zsize); @@ -411,6 +411,8 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, int tile_y, for (i = 0; i < (FFALIGN(height, 16) >> 4); i++) { for (j = 0; j < (FFALIGN(width, 16) >> 4); j++) { if (!bits) { + if (src >= src_end) + return AVERROR_INVALIDDATA; bitbuf = *src++; bits = 8; } From 8d9568b4a1a28ce024bfc92434049a21c182fad3 Mon Sep 17 00:00:00 2001 From: Stephen Hutchinson Date: Fri, 16 Aug 2013 17:29:55 -0400 Subject: [PATCH 046/492] avisynth: Support video input from AviSynth 2.5 properly. Uses the 2.5 compatibility header included with the variant of FFMS2 that uses AviSynth's C-interface. A copy of this header is now provided in compat/avisynth. avs_get_row_size_p and avs_get_height_p changed between versions 2.5 and 2.6. Since the avisynth_c.h header that avformat uses assumes AviSynth 2.6, it would cause 2.5 to crash if given any kind of real video (the Version() function was known to work, though). AvxSynth was unaffected by this issue because, despite being based on AviSynth 2.5.8 and using 2.5.8's interface version number of 3, it actually uses 2.6's versions of these functions. Signed-off-by: Michael Niedermayer --- compat/avisynth/avisynth_c_25.h | 68 +++++++++++++++++++++++++++++++++ libavformat/avisynth.c | 33 +++++++--------- 2 files changed, 81 insertions(+), 20 deletions(-) create mode 100644 compat/avisynth/avisynth_c_25.h diff --git a/compat/avisynth/avisynth_c_25.h b/compat/avisynth/avisynth_c_25.h new file mode 100644 index 0000000000..9288761331 --- /dev/null +++ b/compat/avisynth/avisynth_c_25.h @@ -0,0 +1,68 @@ +// Copyright (c) 2011 FFmpegSource Project +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + +/* these are defines/functions that are used and were changed in the switch to 2.6 + * and are needed to maintain full compatility with 2.5 */ + +enum { + AVS_CS_YV12_25 = 1<<3 | AVS_CS_YUV | AVS_CS_PLANAR, // y-v-u, planar + AVS_CS_I420_25 = 1<<4 | AVS_CS_YUV | AVS_CS_PLANAR, // y-u-v, planar +}; + +AVSC_INLINE int avs_get_height_p_25(const AVS_VideoFrame * p, int plane) { + switch (plane) + { + case AVS_PLANAR_U: case AVS_PLANAR_V: + if (p->pitchUV) + return p->height>>1; + return 0; + } + return p->height;} + +AVSC_INLINE int avs_get_row_size_p_25(const AVS_VideoFrame * p, int plane) { + int r; + switch (plane) + { + case AVS_PLANAR_U: case AVS_PLANAR_V: + if (p->pitchUV) + return p->row_size>>1; + else + return 0; + case AVS_PLANAR_U_ALIGNED: case AVS_PLANAR_V_ALIGNED: + if (p->pitchUV) + { + r = ((p->row_size+AVS_FRAME_ALIGN-1)&(~(AVS_FRAME_ALIGN-1)) )>>1; // Aligned rowsize + if (r < p->pitchUV) + return r; + return p->row_size>>1; + } + else + return 0; + case AVS_PLANAR_Y_ALIGNED: + r = (p->row_size+AVS_FRAME_ALIGN-1)&(~(AVS_FRAME_ALIGN-1)); // Aligned rowsize + if (r <= p->pitch) + return r; + return p->row_size; + } + return p->row_size; +} + +AVSC_INLINE int avs_is_yv12_25(const AVS_VideoInfo * p) + { return ((p->pixel_type & AVS_CS_YV12_25) == AVS_CS_YV12_25)||((p->pixel_type & AVS_CS_I420_25) == AVS_CS_I420_25); } diff --git a/libavformat/avisynth.c b/libavformat/avisynth.c index 8a480ede21..afacf04dd1 100644 --- a/libavformat/avisynth.c +++ b/libavformat/avisynth.c @@ -36,6 +36,7 @@ #include #undef EXTERN_C #include "compat/avisynth/avisynth_c.h" + #include "compat/avisynth/avisynth_c_25.h" #define AVISYNTH_LIB "avisynth" #else #include @@ -471,9 +472,20 @@ static int avisynth_read_packet_video(AVFormatContext *s, AVPacket *pkt, int dis for (i = 0; i < avs->n_planes; i++) { plane = avs->planes[i]; src_p = avs_get_read_ptr_p(frame, plane); + pitch = avs_get_pitch_p(frame, plane); + +#ifdef _WIN32 + if (avs_library->avs_get_version(avs->clip) == 3) { + rowsize = avs_get_row_size_p_25(frame, plane); + planeheight = avs_get_height_p_25(frame, plane); + } else { + rowsize = avs_get_row_size_p(frame, plane); + planeheight = avs_get_height_p(frame, plane); + } +#else rowsize = avs_get_row_size_p(frame, plane); planeheight = avs_get_height_p(frame, plane); - pitch = avs_get_pitch_p(frame, plane); +#endif // Flip RGB video. if (avs_is_rgb24(avs->vi) || avs_is_rgb(avs->vi)) { @@ -481,26 +493,7 @@ static int avisynth_read_packet_video(AVFormatContext *s, AVPacket *pkt, int dis pitch = -pitch; } - // An issue with avs_bit_blt on 2.5.8 prevents video from working correctly. - // This problem doesn't exist for 2.6 and AvxSynth, so enable the workaround - // for 2.5.8 only. This only displays the warning and exits if the script has - // video. 2.5.8's internal interface version is 3, so avs_get_version allows - // it to work only in the circumstance that the interface is 5 or higher (4 is - // unused). There's a strong chance that AvxSynth, having been based on 2.5.8, - // would also be identified as interface version 3, but since AvxSynth doesn't - // suffer from this problem, special-case it. -#ifdef _WIN32 - if (avs_library->avs_get_version(avs->clip) > 3) { avs_library->avs_bit_blt(avs->env, dst_p, rowsize, src_p, pitch, rowsize, planeheight); - } else { - av_log(s, AV_LOG_ERROR, "Video input from AviSynth 2.5.8 is not supported. Please upgrade to 2.6.\n"); - avs->error = 1; - av_freep(&pkt->data); - return AVERROR_UNKNOWN; - } -#else - avs_library->avs_bit_blt(avs->env, dst_p, rowsize, src_p, pitch, rowsize, planeheight); -#endif dst_p += rowsize * planeheight; } From 423b87d621764b2122459a4c964a14b66dde502f Mon Sep 17 00:00:00 2001 From: Stephen Hutchinson Date: Sun, 18 Aug 2013 23:14:04 -0400 Subject: [PATCH 047/492] Revert "doc/RELEASE_NOTES: add a note about AVISynth" This reverts commit 3aa2257d240a5a0eb94014b9113dd91730786886. --- doc/RELEASE_NOTES | 4 ---- 1 file changed, 4 deletions(-) diff --git a/doc/RELEASE_NOTES b/doc/RELEASE_NOTES index bb6349ef51..28a1c05dad 100644 --- a/doc/RELEASE_NOTES +++ b/doc/RELEASE_NOTES @@ -14,7 +14,3 @@ accepted. If you are experiencing issues with any formally released version of FFmpeg, please try git master to check if the issue still exists. If it does, make your report against the development code following the usual bug reporting guidelines. - -AVI/AVXSynth --------- -If you want to use FFmpeg with AVISynth, you need AVISynth 2.6.0 at minimum. From 61dc8494d70fb4c6977a013cda68c9993fa8cc4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2013 13:45:20 +0200 Subject: [PATCH 048/492] movenc: ilbc needs audio_vbr set. Without this the block_align or bitrate value is not available to the decoder Fixes Ticket2858 Signed-off-by: Michael Niedermayer (cherry picked from commit 3d64845600c6486a2706b118a81805f3bf4d3db5) --- libavformat/movenc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 42e7c4876e..a9ba6caf4e 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -3672,6 +3672,9 @@ static int mov_write_header(AVFormatContext *s) }else{ track->sample_size = (av_get_bits_per_sample(st->codec->codec_id) >> 3) * st->codec->channels; } + if (st->codec->codec_id == AV_CODEC_ID_ILBC) { + track->audio_vbr = 1; + } if (track->mode != MODE_MOV && track->enc->codec_id == AV_CODEC_ID_MP3 && track->timescale < 16000) { av_log(s, AV_LOG_ERROR, "track %d: muxing mp3 at %dhz is not supported\n", From f0f55e6726184fb526f3e5dc26408b7f383d261d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2013 16:49:31 +0200 Subject: [PATCH 049/492] swr: clean layouts before checking sanity Signed-off-by: Michael Niedermayer (cherry picked from commit 6dfffe92004dfd8c79d18791f28a2b1c7e387845) --- libswresample/rematrix.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 48aff3be7f..af6986af55 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -122,13 +122,14 @@ av_cold static int auto_matrix(SwrContext *s) const int matrix_encoding = s->matrix_encoding; in_ch_layout = clean_layout(s, s->in_ch_layout); + out_ch_layout = clean_layout(s, s->out_ch_layout); + if(!sane_layout(in_ch_layout)){ av_get_channel_layout_string(buf, sizeof(buf), -1, s->in_ch_layout); av_log(s, AV_LOG_ERROR, "Input channel layout '%s' is not supported\n", buf); return AVERROR(EINVAL); } - out_ch_layout = clean_layout(s, s->out_ch_layout); if(!sane_layout(out_ch_layout)){ av_get_channel_layout_string(buf, sizeof(buf), -1, s->out_ch_layout); av_log(s, AV_LOG_ERROR, "Output channel layout '%s' is not supported\n", buf); From e231f0fade119396e722439a0f88f47e02cecabd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2013 16:56:51 +0200 Subject: [PATCH 050/492] swr/rematrix: Fix handling of AV_CH_LAYOUT_STEREO_DOWNMIX output Fixes Ticket2859 Note, testcases related to the downmix channels are welcome. (id like to make sure this is working correctly now, as obviously it didnt work before ...) Signed-off-by: Michael Niedermayer (cherry picked from commit c56d4dab039b352961cca298d753b04e2f2fd990) --- libswresample/rematrix.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index af6986af55..2ebe39772e 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -82,9 +82,6 @@ static int even(int64_t layout){ } static int clean_layout(SwrContext *s, int64_t layout){ - if((layout & AV_CH_LAYOUT_STEREO_DOWNMIX) == AV_CH_LAYOUT_STEREO_DOWNMIX) - return AV_CH_LAYOUT_STEREO; - if(layout && layout != AV_CH_FRONT_CENTER && !(layout&(layout-1))) { char buf[128]; av_get_channel_layout_string(buf, sizeof(buf), -1, layout); @@ -124,6 +121,11 @@ av_cold static int auto_matrix(SwrContext *s) in_ch_layout = clean_layout(s, s->in_ch_layout); out_ch_layout = clean_layout(s, s->out_ch_layout); + if( out_ch_layout == AV_CH_LAYOUT_STEREO_DOWNMIX + && (in_ch_layout & AV_CH_LAYOUT_STEREO_DOWNMIX) == 0 + ) + out_ch_layout = AV_CH_LAYOUT_STEREO; + if(!sane_layout(in_ch_layout)){ av_get_channel_layout_string(buf, sizeof(buf), -1, s->in_ch_layout); av_log(s, AV_LOG_ERROR, "Input channel layout '%s' is not supported\n", buf); From 3e817d91ef6b8b1681b4d4e5e4bdbd54a720e3de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Aug 2013 03:19:40 +0200 Subject: [PATCH 051/492] jpeg2000: check log2_cblk dimensions Fixes out of array access Fixes Ticket2895 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 9a271a9368eaabf99e6c2046103acb33957e63b7) --- libavcodec/jpeg2000dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index c6f6f6c9cb..294245dfad 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -379,6 +379,11 @@ static int get_cox(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *c) return AVERROR_INVALIDDATA; } + if (c->log2_cblk_width > 6 || c->log2_cblk_height > 6) { + avpriv_request_sample(s->avctx, "cblk size > 64"); + return AVERROR_PATCHWELCOME; + } + c->cblk_style = bytestream2_get_byteu(&s->g); if (c->cblk_style != 0) { // cblk style av_log(s->avctx, AV_LOG_WARNING, "extra cblk styles %X\n", c->cblk_style); @@ -1020,6 +1025,9 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty, int bpass_csty_symbol = codsty->cblk_style & JPEG2000_CBLK_BYPASS; int vert_causal_ctx_csty_symbol = codsty->cblk_style & JPEG2000_CBLK_VSC; + av_assert0(width <= JPEG2000_MAX_CBLKW); + av_assert0(height <= JPEG2000_MAX_CBLKH); + for (y = 0; y < height; y++) memset(t1->data[y], 0, width * sizeof(**t1->data)); From deb8d0d6a121a155b5e396ea5b8da5567ac263f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2013 23:18:48 +0200 Subject: [PATCH 052/492] avcodec/flashsv: check diff_start/height Fixes out of array accesses Fixes Ticket2844 Found-by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 880c73cd76109697447fbfbaa8e5ee5683309446) Signed-off-by: Michael Niedermayer --- libavcodec/flashsv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index 9982b5e966..f00bf21d47 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -387,6 +387,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } s->diff_start = get_bits(&gb, 8); s->diff_height = get_bits(&gb, 8); + if (s->diff_start + s->diff_height > cur_blk_height) { + av_log(avctx, AV_LOG_ERROR, "Block parameters invalid\n"); + return AVERROR_INVALIDDATA; + } av_log(avctx, AV_LOG_DEBUG, "%dx%d diff start %d height %d\n", i, j, s->diff_start, s->diff_height); From acac6b0d6951f86d5db8aaeaeb970743d1907852 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Aug 2013 01:07:32 +0200 Subject: [PATCH 053/492] avcodec/rpza: Perform pointer advance and checks before using the pointers Fixes out of array accesses Fixes Ticket2850 Signed-off-by: Michael Niedermayer (cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34) Signed-off-by: Michael Niedermayer --- libavcodec/rpza.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 2aa0091d32..416f8b6722 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -85,7 +85,7 @@ static void rpza_decode_stream(RpzaContext *s) unsigned short *pixels = (unsigned short *)s->frame.data[0]; int row_ptr = 0; - int pixel_ptr = 0; + int pixel_ptr = -4; int block_ptr; int pixel_x, pixel_y; int total_blocks; @@ -141,6 +141,7 @@ static void rpza_decode_stream(RpzaContext *s) colorA = AV_RB16 (&s->buf[stream_ptr]); stream_ptr += 2; while (n_blocks--) { + ADVANCE_BLOCK() block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ @@ -149,7 +150,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); } break; @@ -188,6 +188,7 @@ static void rpza_decode_stream(RpzaContext *s) if (s->size - stream_ptr < n_blocks * 4) return; while (n_blocks--) { + ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { index = s->buf[stream_ptr++]; @@ -198,7 +199,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); } break; @@ -206,6 +206,7 @@ static void rpza_decode_stream(RpzaContext *s) case 0x00: if (s->size - stream_ptr < 16) return; + ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ @@ -219,7 +220,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); break; /* Unknown opcode */ From e2eb0d23269043357cdab90a9fca4fca2895d2ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Aug 2013 04:40:50 +0200 Subject: [PATCH 054/492] avcodec/jpeg2000dec: Check cdx/y values more carefully Some invalid values where not handled correctly in the later pixel format matching code. Fixes out of array accesses Fixes Ticket2848 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 8bb11c3ca77b52e05a9ed1496a65f8a76e6e2d8f) Conflicts: libavcodec/jpeg2000dec.c --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 294245dfad..2c00a694a4 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -273,6 +273,11 @@ static int get_siz(Jpeg2000DecoderContext *s) s->sgnd[i] = !!(x & 0x80); s->cdx[i] = bytestream2_get_byteu(&s->g); s->cdy[i] = bytestream2_get_byteu(&s->g); + if ( !s->cdx[i] || s->cdx[i] == 3 || s->cdx[i] > 4 + || !s->cdy[i] || s->cdy[i] == 3 || s->cdy[i] > 4) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid sample seperation\n"); + return AVERROR_INVALIDDATA; + } log2_chroma_wh |= s->cdy[i] >> 1 << i * 4 | s->cdx[i] >> 1 << i * 4 + 2; } From a1b32533aa7f31224f8f0be05d2cf020159e2e90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Aug 2013 17:18:21 +0200 Subject: [PATCH 055/492] jpeg2000: fix dereferencing invalid pointers Found-by: Laurent Butti Signed-off-by: Michael Niedermayer (cherry picked from commit 912ce9dd2080c5837285a471d750fa311e09b555) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index cb1a64d143..dc3311052e 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -272,7 +272,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, reslevel->log2_prec_height) - (reslevel->coord[1][0] >> reslevel->log2_prec_height); - reslevel->band = av_malloc_array(reslevel->nbands, sizeof(*reslevel->band)); + reslevel->band = av_calloc(reslevel->nbands, sizeof(*reslevel->band)); if (!reslevel->band) return AVERROR(ENOMEM); @@ -368,7 +368,7 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, for (j = 0; j < 2; j++) band->coord[1][j] = ff_jpeg2000_ceildiv(band->coord[1][j], dy); - band->prec = av_malloc_array(reslevel->num_precincts_x * + band->prec = av_calloc(reslevel->num_precincts_x * (uint64_t)reslevel->num_precincts_y, sizeof(*band->prec)); if (!band->prec) @@ -509,10 +509,12 @@ void ff_jpeg2000_cleanup(Jpeg2000Component *comp, Jpeg2000CodingStyle *codsty) for (bandno = 0; bandno < reslevel->nbands; bandno++) { Jpeg2000Band *band = reslevel->band + bandno; for (precno = 0; precno < reslevel->num_precincts_x * reslevel->num_precincts_y; precno++) { - Jpeg2000Prec *prec = band->prec + precno; - av_freep(&prec->zerobits); - av_freep(&prec->cblkincl); - av_freep(&prec->cblk); + if (band->prec) { + Jpeg2000Prec *prec = band->prec + precno; + av_freep(&prec->zerobits); + av_freep(&prec->cblkincl); + av_freep(&prec->cblk); + } } av_freep(&band->prec); From 0cabb95811f9618f0f02fe20cd9d4b99a42e244b Mon Sep 17 00:00:00 2001 From: Lukasz Marek Date: Thu, 29 Aug 2013 01:54:04 +0200 Subject: [PATCH 056/492] lavf/ftp: fix possible crash (cherry picked from commit f3ace37a3b8c93218630a37b7df4dc195f1215a9) Signed-off-by: Michael Niedermayer --- libavformat/ftp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index 6358726034..572d4b4357 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -133,7 +133,8 @@ static int ftp_status(FTPContext *s, char **line, const int response_codes[]) while (!code_found || dash) { if ((err = ftp_get_line(s, buf, sizeof(buf))) < 0) { - av_bprint_finalize(&line_buffer, NULL); + if (line) + av_bprint_finalize(&line_buffer, NULL); return err; } From c7ee4bc016e56abb69fa728e124294e786fb7c01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 04:51:09 +0200 Subject: [PATCH 057/492] ffv1dec: check that global parameters dont change in version 0/1 Such changes are not allowed nor supported Fixes Ticket2906 Found-by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 547d690d676064069d44703a1917e0dab7e33445) --- libavcodec/ffv1dec.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 17b894645f..588b5e1c18 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -562,6 +562,7 @@ static int read_header(FFV1Context *f) memset(state, 128, sizeof(state)); if (f->version < 2) { + int chroma_planes, chroma_h_shift, chroma_v_shift, transparency; unsigned v= get_symbol(c, state, 0); if (v >= 2) { av_log(f->avctx, AV_LOG_ERROR, "invalid version %d in ver01 header\n", v); @@ -579,10 +580,26 @@ static int read_header(FFV1Context *f) if (f->version > 0) f->avctx->bits_per_raw_sample = get_symbol(c, state, 0); - f->chroma_planes = get_rac(c, state); - f->chroma_h_shift = get_symbol(c, state, 0); - f->chroma_v_shift = get_symbol(c, state, 0); - f->transparency = get_rac(c, state); + chroma_planes = get_rac(c, state); + chroma_h_shift = get_symbol(c, state, 0); + chroma_v_shift = get_symbol(c, state, 0); + transparency = get_rac(c, state); + + if (f->plane_count) { + if ( chroma_planes != f->chroma_planes + || chroma_h_shift!= f->chroma_h_shift + || chroma_v_shift!= f->chroma_v_shift + || transparency != f->transparency) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid change of global parameters\n"); + return AVERROR_INVALIDDATA; + } + } + + f->chroma_planes = chroma_planes; + f->chroma_h_shift = chroma_h_shift; + f->chroma_v_shift = chroma_v_shift; + f->transparency = transparency; + f->plane_count = 2 + f->transparency; } From a4522ae516b58175c447b65cb44536db08f82552 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 23:14:32 +0200 Subject: [PATCH 058/492] avcodec/pngdsp: fix (un)signed type in end comparission Fixes out of array accesses Fixes Ticket2919 Found_by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 86736f59d6a527d8bc807d09b93f971c0fe0bb07) --- libavcodec/pngdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdsp.c b/libavcodec/pngdsp.c index 0d247759cc..5ab1c351b2 100644 --- a/libavcodec/pngdsp.c +++ b/libavcodec/pngdsp.c @@ -31,7 +31,7 @@ static void add_bytes_l2_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w) { long i; - for (i = 0; i <= w - sizeof(long); i += sizeof(long)) { + for (i = 0; i <= w - (int)sizeof(long); i += sizeof(long)) { long a = *(long *)(src1 + i); long b = *(long *)(src2 + i); *(long *)(dst + i) = ((a & pb_7f) + (b & pb_7f)) ^ ((a ^ b) & pb_80); From 1821c849da5be820c207eba11470d059473ea6df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2013 03:08:25 +0200 Subject: [PATCH 059/492] avformat/avidec: match first index and first packet size=0 handling Fixes Ticket2861 Signed-off-by: Michael Niedermayer (cherry picked from commit 227a0eb5a92409572f2cecde6137529b83e7d495) Conflicts: libavformat/avidec.c --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index a09bebd57c..87a5e7cf00 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1328,7 +1328,7 @@ static int avi_read_idx1(AVFormatContext *s, int size) st = s->streams[index]; ast = st->priv_data; - if(first_packet && first_packet_pos && len) { + if (first_packet && first_packet_pos) { data_offset = first_packet_pos - pos; first_packet = 0; } From be47e931343edc840ac4356391d1269d3eeb0e8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Sep 2013 03:40:20 +0200 Subject: [PATCH 060/492] avcodec/h264: set er.ref_count earlier Fixes Ticket2910 Signed-off-by: Michael Niedermayer (cherry picked from commit 93cf7b01950b9d8e1646227752b522d0275d32df) --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 6a6a68c050..82c243cb0a 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3876,6 +3876,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) if (h->ref_count[0]) h->er.last_pic = &h->ref_list[0][0]; if (h->ref_count[1]) h->er.next_pic = &h->ref_list[1][0]; + h->er.ref_count = h->ref_count[0]; if (h->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(h->avctx, AV_LOG_DEBUG, @@ -4267,7 +4268,6 @@ static void er_add_slice(H264Context *h, int startx, int starty, if (CONFIG_ERROR_RESILIENCE) { ERContext *er = &h->er; - er->ref_count = h->ref_count[0]; ff_er_add_slice(er, startx, starty, endx, endy, status); } } From 237ef710a17792b0ae404dbe610f0e6fbf0fe24d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Sep 2013 00:21:37 +0200 Subject: [PATCH 061/492] avformat/lxfdec: use a parser to parse video frame headers lxf needs a parser (or would need to set a few fields explicitly). Fixes Ticket2917 Signed-off-by: Michael Niedermayer (cherry picked from commit 8349be852be7f68fe0590584fd46c4d5f1c16b3d) --- libavformat/lxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lxfdec.c b/libavformat/lxfdec.c index 5c61d4fcb0..c854216215 100644 --- a/libavformat/lxfdec.c +++ b/libavformat/lxfdec.c @@ -257,6 +257,7 @@ static int lxf_read_header(AVFormatContext *s) st->codec->bit_rate = 1000000 * ((video_params >> 14) & 0xFF); st->codec->codec_tag = video_params & 0xF; st->codec->codec_id = ff_codec_get_id(lxf_tags, st->codec->codec_tag); + st->need_parsing = AVSTREAM_PARSE_HEADERS; av_log(s, AV_LOG_DEBUG, "record: %x = %i-%02i-%02i\n", record_date, 1900 + (record_date & 0x7F), (record_date >> 7) & 0xF, From 1da5ab751f999a181b42fe73b3ebcaa264ae4929 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Sep 2013 19:29:38 +0200 Subject: [PATCH 062/492] avcodec/ffv1dec: move initial_states init to init_thread_copy() Signed-off-by: Michael Niedermayer (cherry picked from commit c72cca5a44d8a83e097a97a13990d421ba7a4c5d) --- libavcodec/ffv1dec.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 588b5e1c18..9f612625b8 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -916,13 +916,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac static int init_thread_copy(AVCodecContext *avctx) { FFV1Context *f = avctx->priv_data; + int i; f->picture.f = NULL; f->last_picture.f = NULL; f->sample_buffer = NULL; - f->quant_table_count = 0; f->slice_count = 0; + for (i = 0; i < f->quant_table_count; i++) { + av_assert0(f->version > 1); + f->initial_states[i] = av_memdup(f->initial_states[i], + f->context_count[i] * sizeof(*f->initial_states[i])); + } + return 0; } @@ -936,12 +942,9 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) return 0; if (!fdst->picture.f) { + FFV1Context bak = *fdst; memcpy(fdst, fsrc, sizeof(*fdst)); - - for (i = 0; i < fdst->quant_table_count; i++) { - fdst->initial_states[i] = av_malloc(fdst->context_count[i] * sizeof(*fdst->initial_states[i])); - memcpy(fdst->initial_states[i], fsrc->initial_states[i], fdst->context_count[i] * sizeof(*fdst->initial_states[i])); - } + memcpy(fdst->initial_states, bak.initial_states, sizeof(fdst->initial_states)); fdst->picture.f = av_frame_alloc(); fdst->last_picture.f = av_frame_alloc(); From 8e1760f37f7a0b5354173cf2c28f4d7f04ca1cdf Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 2 Sep 2013 08:49:59 +0200 Subject: [PATCH 063/492] avcodec/ffv1dec: reorganize thread init/update This moves some allocations to init, reducing possible failure modes in update. Always copies from the previous context instead of just during init Fixes Ticket2923 Signed-off-by: Michael Niedermayer (cherry picked from commit 21dc3a3cc23c624630a4379f08a6efe0230de37a) --- libavcodec/ffv1dec.c | 61 +++++++++++++++++++++++++++++++++----------- 1 file changed, 46 insertions(+), 15 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 9f612625b8..8d6d842561 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -916,7 +916,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac static int init_thread_copy(AVCodecContext *avctx) { FFV1Context *f = avctx->priv_data; - int i; + int i, ret; f->picture.f = NULL; f->last_picture.f = NULL; @@ -929,9 +929,43 @@ static int init_thread_copy(AVCodecContext *avctx) f->context_count[i] * sizeof(*f->initial_states[i])); } + f->picture.f = av_frame_alloc(); + f->last_picture.f = av_frame_alloc(); + + if ((ret = ffv1_init_slice_contexts(f)) < 0) + return ret; + return 0; } +static void copy_fields(FFV1Context *fsdst, FFV1Context *fssrc, FFV1Context *fsrc) +{ + fsdst->version = fsrc->version; + fsdst->minor_version = fsrc->minor_version; + fsdst->chroma_planes = fsrc->chroma_planes; + fsdst->chroma_h_shift = fsrc->chroma_h_shift; + fsdst->chroma_v_shift = fsrc->chroma_v_shift; + fsdst->transparency = fsrc->transparency; + fsdst->plane_count = fsrc->plane_count; + fsdst->ac = fsrc->ac; + fsdst->colorspace = fsrc->colorspace; + + fsdst->ec = fsrc->ec; + fsdst->intra = fsrc->intra; + fsdst->slice_damaged = fssrc->slice_damaged; + fsdst->key_frame_ok = fsrc->key_frame_ok; + + fsdst->bits_per_raw_sample = fsrc->bits_per_raw_sample; + fsdst->packed_at_lsb = fsrc->packed_at_lsb; + fsdst->slice_count = fsrc->slice_count; + if (fsrc->version<3){ + fsdst->slice_x = fssrc->slice_x; + fsdst->slice_y = fssrc->slice_y; + fsdst->slice_width = fssrc->slice_width; + fsdst->slice_height = fssrc->slice_height; + } +} + static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) { FFV1Context *fsrc = src->priv_data; @@ -941,33 +975,30 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) if (dst == src) return 0; - if (!fdst->picture.f) { + { FFV1Context bak = *fdst; memcpy(fdst, fsrc, sizeof(*fdst)); memcpy(fdst->initial_states, bak.initial_states, sizeof(fdst->initial_states)); - - fdst->picture.f = av_frame_alloc(); - fdst->last_picture.f = av_frame_alloc(); - - if ((ret = ffv1_init_slice_contexts(fdst)) < 0) - return ret; + memcpy(fdst->slice_context, bak.slice_context , sizeof(fdst->slice_context)); + fdst->picture = bak.picture; + fdst->last_picture = bak.last_picture; + for (i = 0; inum_h_slices * fdst->num_v_slices; i++) { + FFV1Context *fssrc = fsrc->slice_context[i]; + FFV1Context *fsdst = fdst->slice_context[i]; + copy_fields(fsdst, fssrc, fsrc); + } + av_assert0(!fdst->plane[0].state); + av_assert0(!fdst->sample_buffer); } av_assert1(fdst->slice_count == fsrc->slice_count); - fdst->key_frame_ok = fsrc->key_frame_ok; ff_thread_release_buffer(dst, &fdst->picture); if (fsrc->picture.f->data[0]) { if ((ret = ff_thread_ref_frame(&fdst->picture, &fsrc->picture)) < 0) return ret; } - for (i = 0; i < fdst->slice_count; i++) { - FFV1Context *fsdst = fdst->slice_context[i]; - FFV1Context *fssrc = fsrc->slice_context[i]; - - fsdst->slice_damaged = fssrc->slice_damaged; - } fdst->fsrc = fsrc; From f5a4bd23e9aedaf2691f74751e26f2f36e4ea4ab Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 2 Sep 2013 08:32:24 +0200 Subject: [PATCH 064/492] Avoid a deadlock when decoding wma. Fixes ticket #2925. (cherry picked from commit ec8a4841f7e81040f9a2757f23e70dff5e6b33a4) --- libavcodec/wmadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index d46eb33c41..8fc0cca807 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -512,6 +512,10 @@ static int wma_decode_block(WMACodecContext *s) coef escape coding */ total_gain = 1; for(;;) { + if (get_bits_left(&s->gb) < 7) { + av_log(s->avctx, AV_LOG_ERROR, "total_gain overread\n"); + return AVERROR_INVALIDDATA; + } a = get_bits(&s->gb, 7); total_gain += a; if (a != 127) From 6c0fef57628229413ea5d808c0833747737fe898 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 2 Sep 2013 22:50:00 +0000 Subject: [PATCH 065/492] w64dec: fix skipping of unknown guids Regression since 14d50c1. Fixes #2932. Signed-off-by: Paul B Mahol (cherry picked from commit 79b70e47a463057a3a48353ee1dd58671c11f86c) --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index adf41ecd89..d25ec5b333 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -697,7 +697,7 @@ static int w64_read_header(AVFormatContext *s) avio_skip(pb, end - avio_tell(pb)); } else { av_log(s, AV_LOG_DEBUG, "unknown guid: "FF_PRI_GUID"\n", FF_ARG_GUID(guid)); - avio_skip(pb, size - 24); + avio_skip(pb, FFALIGN(size, INT64_C(8)) - 24); } } From 6158eec53f98c04e4194ff5a46566259ed9e66f4 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 3 Sep 2013 01:03:10 +0000 Subject: [PATCH 066/492] w64dec: fix end position of summarylist guid Noticed-by: James Almer Signed-off-by: Paul B Mahol (cherry picked from commit 3e36dc8626f4721ea749286dae40169ee5cb7d04) --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index d25ec5b333..23c3b9e555 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -671,7 +671,7 @@ static int w64_read_header(AVFormatContext *s) uint32_t count, chunk_size, i; start = avio_tell(pb); - end = start + size; + end = start + FFALIGN(size, INT64_C(8)) - 24; count = avio_rl32(pb); for (i = 0; i < count; i++) { From fc4c29bc6efddc93a1a86c84ebdd49373478a139 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 1 Sep 2013 20:20:47 +0200 Subject: [PATCH 067/492] Read h264 headers from v4l2 to allow stream-copying. Fixes ticket #2882. Analyzed and tested by William C Bonner. (cherry picked from commit e337c9d56408dc00a15887309488a1ff5cb06ba3) --- libavdevice/v4l2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 1f43f0727f..b1dc7d10a0 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -929,6 +929,9 @@ static int v4l2_read_header(AVFormatContext *s1) if (codec_id == AV_CODEC_ID_RAWVIDEO) st->codec->codec_tag = avcodec_pix_fmt_to_codec_tag(st->codec->pix_fmt); + else if (codec_id == AV_CODEC_ID_H264) { + st->need_parsing = AVSTREAM_PARSE_HEADERS; + } if (desired_format == V4L2_PIX_FMT_YVU420) st->codec->codec_tag = MKTAG('Y', 'V', '1', '2'); else if (desired_format == V4L2_PIX_FMT_YVU410) From f5ae34250a22430dec99666f3f63b9ff5996ef09 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 8 Sep 2013 12:35:31 +0000 Subject: [PATCH 068/492] avformat/matroskaenc: remove bogus prores tag Fixes: ffmpeg -i input -c:v prores output.mkv Signed-off-by: Paul B Mahol (cherry picked from commit 14851ca5f5a3af140085e82589e28e06c7cdefdc) Conflicts: libavformat/matroskaenc.c --- libavformat/matroskaenc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 8a0e846b09..fbb18a6323 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1617,7 +1617,6 @@ const AVCodecTag additional_audio_tags[] = { }; const AVCodecTag additional_video_tags[] = { - { AV_CODEC_ID_PRORES, 0xFFFFFFFF }, { AV_CODEC_ID_RV10, 0xFFFFFFFF }, { AV_CODEC_ID_RV20, 0xFFFFFFFF }, { AV_CODEC_ID_RV30, 0xFFFFFFFF }, From 4e0c29451b6f909e87bb4f79072c6a71593ed7ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 8 Sep 2013 09:43:53 +0200 Subject: [PATCH 069/492] avformat/vobsub: fix seeking. (cherry picked from commit f8678dcef3c5b0ea82e898e1f419863409fa135f) --- libavformat/mpeg.c | 16 ++++++++++++++++ libavformat/subtitles.c | 16 ++++++++++++++-- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 5d5b09fc07..ca54f7111e 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -725,6 +725,7 @@ static int vobsub_read_header(AVFormatContext *s) st->id = stream_id; st->codec->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codec->codec_id = AV_CODEC_ID_DVD_SUBTITLE; + avpriv_set_pts_info(st, 64, 1, 1000); av_dict_set(&st->metadata, "language", id, 0); av_log(s, AV_LOG_DEBUG, "IDX stream[%d] id=%s\n", stream_id, id); header_parsed = 1; @@ -889,6 +890,21 @@ static int vobsub_read_seek(AVFormatContext *s, int stream_index, int64_t min_ts, int64_t ts, int64_t max_ts, int flags) { MpegDemuxContext *vobsub = s->priv_data; + + /* Rescale requested timestamps based on the first stream (timebase is the + * same for all subtitles stream within a .idx/.sub). Rescaling is done just + * like in avformat_seek_file(). */ + if (stream_index == -1 && s->nb_streams != 1) { + AVRational time_base = s->streams[0]->time_base; + ts = av_rescale_q(ts, AV_TIME_BASE_Q, time_base); + min_ts = av_rescale_rnd(min_ts, time_base.den, + time_base.num * (int64_t)AV_TIME_BASE, + AV_ROUND_UP | AV_ROUND_PASS_MINMAX); + max_ts = av_rescale_rnd(max_ts, time_base.den, + time_base.num * (int64_t)AV_TIME_BASE, + AV_ROUND_DOWN | AV_ROUND_PASS_MINMAX); + } + return ff_subtitles_queue_seek(&vobsub->q, s, stream_index, min_ts, ts, max_ts, flags); } diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 2af0450e86..11cf1a1c28 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -109,7 +109,8 @@ int ff_subtitles_queue_seek(FFDemuxSubtitlesQueue *q, AVFormatContext *s, int st for (i = 0; i < q->nb_subs; i++) { int64_t pts = q->subs[i].pts; uint64_t ts_diff = FFABS(pts - ts); - if (pts >= min_ts && pts <= max_ts && ts_diff < min_ts_diff) { + if ((stream_index == -1 || q->subs[i].stream_index == stream_index) && + pts >= min_ts && pts <= max_ts && ts_diff < min_ts_diff) { min_ts_diff = ts_diff; idx = i; } @@ -119,13 +120,24 @@ int ff_subtitles_queue_seek(FFDemuxSubtitlesQueue *q, AVFormatContext *s, int st /* look back in the latest subtitles for overlapping subtitles */ ts_selected = q->subs[idx].pts; for (i = idx - 1; i >= 0; i--) { - if (q->subs[i].duration <= 0) + if (q->subs[i].duration <= 0 || + (stream_index != -1 && q->subs[i].stream_index != stream_index)) continue; if (q->subs[i].pts > ts_selected - q->subs[i].duration) idx = i; else break; } + + /* If the queue is used to store multiple subtitles streams (like with + * VobSub) and the stream index is not specified, we need to make sure + * to focus on the smallest file position offset for a same timestamp; + * queue is ordered by pts and then filepos, so we can take the first + * entry for a given timestamp. */ + if (stream_index == -1) + while (idx > 0 && q->subs[idx - 1].pts == q->subs[idx].pts) + idx--; + q->current_sub_idx = idx; } return 0; From 283e0708777286c5b61d55bc5928a2f6053a7dcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 8 Sep 2013 09:55:02 +0200 Subject: [PATCH 070/492] avformat/subtitles: check lower bound for duration overlap seeking. (cherry picked from commit 1ca4bf930bab681a79fb591330043675c7cfd798) --- libavformat/subtitles.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 11cf1a1c28..d2eb53cab5 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -120,10 +120,11 @@ int ff_subtitles_queue_seek(FFDemuxSubtitlesQueue *q, AVFormatContext *s, int st /* look back in the latest subtitles for overlapping subtitles */ ts_selected = q->subs[idx].pts; for (i = idx - 1; i >= 0; i--) { + int64_t pts = q->subs[i].pts; if (q->subs[i].duration <= 0 || (stream_index != -1 && q->subs[i].stream_index != stream_index)) continue; - if (q->subs[i].pts > ts_selected - q->subs[i].duration) + if (pts >= min_ts && pts > ts_selected - q->subs[i].duration) idx = i; else break; From aaef59d53538e32b3ca53babfbdf34716249ed8c Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 9 Sep 2013 10:02:12 +0200 Subject: [PATCH 071/492] Store the video bit_rate in the context when muxing mxf. This will allow using rc_max_rate if no bit_rate is specified (on remuxing). Reviewed-by: Matthieu Bouron (cherry picked from commit 52cf08b4c8859f7cac010a7a59f7aa369384ad85) --- libavformat/mxfenc.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 367b6e46be..b82460d2f5 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -75,6 +75,7 @@ typedef struct { int temporal_reordering; AVRational aspect_ratio; ///< display aspect ratio int closed_gop; ///< gop is closed, used in mpeg-2 frame parsing + int video_bit_rate; } MXFStreamContext; typedef struct { @@ -975,13 +976,14 @@ static void mxf_write_cdci_desc(AVFormatContext *s, AVStream *st) static void mxf_write_mpegvideo_desc(AVFormatContext *s, AVStream *st) { AVIOContext *pb = s->pb; + MXFStreamContext *sc = st->priv_data; int profile_and_level = (st->codec->profile<<4) | st->codec->level; mxf_write_cdci_common(s, st, mxf_mpegvideo_descriptor_key, 8+5); // bit rate mxf_write_local_tag(pb, 4, 0x8000); - avio_wb32(pb, st->codec->bit_rate); + avio_wb32(pb, sc->video_bit_rate); // profile and level mxf_write_local_tag(pb, 1, 0x8007); @@ -1704,14 +1706,15 @@ static int mxf_write_header(AVFormatContext *s) ret = av_timecode_init(&mxf->tc, rate, 0, 0, s); if (ret < 0) return ret; + sc->video_bit_rate = st->codec->bit_rate; if (s->oformat == &ff_mxf_d10_muxer) { - if (st->codec->bit_rate == 50000000) { + if (sc->video_bit_rate == 50000000) { if (mxf->time_base.den == 25) sc->index = 3; else sc->index = 5; - } else if (st->codec->bit_rate == 40000000) { + } else if (sc->video_bit_rate == 40000000) { if (mxf->time_base.den == 25) sc->index = 7; else sc->index = 9; - } else if (st->codec->bit_rate == 30000000) { + } else if (sc->video_bit_rate == 30000000) { if (mxf->time_base.den == 25) sc->index = 11; else sc->index = 13; } else { @@ -1720,7 +1723,7 @@ static int mxf_write_header(AVFormatContext *s) } mxf->edit_unit_byte_count = KAG_SIZE; // system element - mxf->edit_unit_byte_count += 16 + 4 + (uint64_t)st->codec->bit_rate * + mxf->edit_unit_byte_count += 16 + 4 + (uint64_t)sc->video_bit_rate * mxf->time_base.num / (8*mxf->time_base.den); mxf->edit_unit_byte_count += klv_fill_size(mxf->edit_unit_byte_count); mxf->edit_unit_byte_count += 16 + 4 + 4 + spf->samples_per_frame[0]*8*4; @@ -1854,7 +1857,8 @@ static void mxf_write_d10_video_packet(AVFormatContext *s, AVStream *st, AVPacke { MXFContext *mxf = s->priv_data; AVIOContext *pb = s->pb; - int packet_size = (uint64_t)st->codec->bit_rate*mxf->time_base.num / + MXFStreamContext *sc = st->priv_data; + int packet_size = (uint64_t)sc->video_bit_rate*mxf->time_base.num / (8*mxf->time_base.den); // frame size int pad; From 09bc4be3dbb3c35e8ef784f40bac0fc13a3a1205 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 9 Sep 2013 10:03:14 +0200 Subject: [PATCH 072/492] Use rc_max_rate if no video bit_rate was specified when muxing mxf_d10. Fixes ticket #2945. Reviewed-by: Matthieu Bouron (cherry picked from commit d73565d5ddf41d4b7805327cdb271c59d8c3fc59) --- libavformat/mxfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index b82460d2f5..c145bca2e1 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1706,7 +1706,7 @@ static int mxf_write_header(AVFormatContext *s) ret = av_timecode_init(&mxf->tc, rate, 0, 0, s); if (ret < 0) return ret; - sc->video_bit_rate = st->codec->bit_rate; + sc->video_bit_rate = st->codec->bit_rate ? st->codec->bit_rate : st->codec->rc_max_rate; if (s->oformat == &ff_mxf_d10_muxer) { if (sc->video_bit_rate == 50000000) { if (mxf->time_base.den == 25) sc->index = 3; From 59147be24f4bdf16fd8b96217af49e55a1810725 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 8 Sep 2013 16:17:46 +0200 Subject: [PATCH 073/492] avformat/srtdec: skip initial random line breaks. I found a bunch of (recent) SRT files in the wild with 3 to 10 line breaks at the beginning. (cherry picked from commit cfcd55db164e0acc0c30b2cf084e6eebe9741d34) Signed-off-by: Alexander Strasser --- libavformat/srtdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index dbf1866202..ac783d9e3b 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -37,6 +37,8 @@ static int srt_probe(AVProbeData *p) if (AV_RB24(ptr) == 0xEFBBBF) ptr += 3; /* skip UTF-8 BOM */ + while (*ptr == '\r' || *ptr == '\n') + ptr++; for (i=0; i<2; i++) { if ((num == i || num + 1 == i) && sscanf(ptr, "%*d:%*2d:%*2d%*1[,.]%*3d --> %*d:%*2d:%*2d%*1[,.]%3d", &v) == 1) From dc0403530e3e9d21c069f9761a2ca0b399a7297b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 8 Sep 2013 18:02:45 +0200 Subject: [PATCH 074/492] avformat/subtitles: add a next line jumper and use it. This fixes a bunch of possible overread in avformat with the idiom p += strcspn(p, "\n") + 1 (strcspn() can focus on the trailing '\0' if no '\n' is found, so the +1 leads to an overread). Note on lavf/matroskaenc: no extra subtitles.o Makefile dependency is added because only the header is required for ff_subtitles_next_line(). Note on lavf/mpsubdec: code gets slightly complex to avoid an infinite loop in the probing since there is no more forced increment. NOTE: Code of function ff_subtitles_next_line fixed by Alexander Strasser. The original code from master did test the wrong character, but was corrected by a subsequent commit. That commit however is not backported, so it had to be fixed in this commit for the backport. Conflicts: libavformat/mpl2dec.c (cherry picked from commit 90fc00a623de44e137fe1601b91356e8cd8bdd54) Signed-off-by: Alexander Strasser --- libavformat/jacosubdec.c | 2 +- libavformat/matroskaenc.c | 3 ++- libavformat/microdvddec.c | 2 +- libavformat/mpl2dec.c | 2 +- libavformat/mpsubdec.c | 7 ++++++- libavformat/srtdec.c | 8 +++----- libavformat/subtitles.h | 13 +++++++++++++ 7 files changed, 27 insertions(+), 10 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index da1afadf1b..e2cbaad83e 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -63,7 +63,7 @@ static int jacosub_probe(AVProbeData *p) return AVPROBE_SCORE_EXTENSION + 1; return 0; } - ptr += strcspn(ptr, "\n") + 1; + ptr += ff_subtitles_next_line(ptr); } return 0; } diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index fbb18a6323..8954486b58 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -27,6 +27,7 @@ #include "isom.h" #include "matroska.h" #include "riff.h" +#include "subtitles.h" #include "wv.h" #include "libavutil/avstring.h" @@ -1328,7 +1329,7 @@ static int srt_get_duration(uint8_t **buf) s_hsec += 1000*s_sec; e_hsec += 1000*e_sec; duration = e_hsec - s_hsec; } - *buf += strcspn(*buf, "\n") + 1; + *buf += ff_subtitles_next_line(*buf); } return duration; } diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index 4b428461cb..5d9b13ee68 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -47,7 +47,7 @@ static int microdvd_probe(AVProbeData *p) sscanf(ptr, "{%*d}{%*d}%c", &c) != 1 && sscanf(ptr, "{DEFAULT}{}%c", &c) != 1) return 0; - ptr += strcspn(ptr, "\n") + 1; + ptr += ff_subtitles_next_line(ptr); } return AVPROBE_SCORE_MAX; } diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index b152cc8ddd..17b302ddfa 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -43,7 +43,7 @@ static int mpl2_probe(AVProbeData *p) if (sscanf(ptr, "[%"SCNd64"][%"SCNd64"]%c", &start, &end, &c) != 3 && sscanf(ptr, "[%"SCNd64"][]%c", &start, &c) != 2) return 0; - ptr += strcspn(ptr, "\r\n") + 1; + ptr += ff_subtitles_next_line(ptr); if (ptr >= ptr_end) return 0; } diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index 6a0cefbeb6..c5bdcdb626 100644 --- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -37,11 +37,16 @@ static int mpsub_probe(AVProbeData *p) const char *ptr_end = p->buf + p->buf_size; while (ptr < ptr_end) { + int inc; + if (!memcmp(ptr, "FORMAT=TIME", 11)) return AVPROBE_SCORE_EXTENSION; if (!memcmp(ptr, "FORMAT=", 7)) return AVPROBE_SCORE_EXTENSION / 3; - ptr += strcspn(ptr, "\n") + 1; + inc = ff_subtitles_next_line(ptr); + if (!inc) + break; + ptr += inc; } return 0; } diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index ac783d9e3b..7f911bd05b 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -44,7 +44,7 @@ static int srt_probe(AVProbeData *p) && sscanf(ptr, "%*d:%*2d:%*2d%*1[,.]%*3d --> %*d:%*2d:%*2d%*1[,.]%3d", &v) == 1) return AVPROBE_SCORE_MAX; num = atoi(ptr); - ptr += strcspn(ptr, "\n") + 1; + ptr += ff_subtitles_next_line(ptr); } return 0; } @@ -65,12 +65,10 @@ static int64_t get_pts(const char **buf, int *duration, int64_t start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1; int64_t end = (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2; *duration = end - start; - *buf += strcspn(*buf, "\n"); - *buf += !!**buf; + *buf += ff_subtitles_next_line(*buf); return start; } - *buf += strcspn(*buf, "\n"); - *buf += !!**buf; + *buf += ff_subtitles_next_line(*buf); } return AV_NOPTS_VALUE; } diff --git a/libavformat/subtitles.h b/libavformat/subtitles.h index 455b374f25..8f68e7bda1 100644 --- a/libavformat/subtitles.h +++ b/libavformat/subtitles.h @@ -96,4 +96,17 @@ const char *ff_smil_get_attr_ptr(const char *s, const char *attr); */ void ff_subtitles_read_chunk(AVIOContext *pb, AVBPrint *buf); +/** + * Get the number of characters to increment to jump to the next line, or to + * the end of the string. + */ +static av_always_inline int ff_subtitles_next_line(const char *ptr) +{ + int n = strcspn(ptr, "\n"); + ptr += n; + if (*ptr == '\n') + n++; + return n; +} + #endif /* AVFORMAT_SUBTITLES_H */ From 2dc6c5d46221dc04e545b7829c32efc093d76bdf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 8 Sep 2013 18:28:11 +0200 Subject: [PATCH 075/492] avcodec/srtdec: fix potential overread. (cherry picked from commit 3a54c221d574ec944db1eddf9df895808f32bf9e) Signed-off-by: Alexander Strasser --- libavcodec/srtdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/srtdec.c b/libavcodec/srtdec.c index 267561c866..b16645a01e 100644 --- a/libavcodec/srtdec.c +++ b/libavcodec/srtdec.c @@ -204,7 +204,8 @@ static const char *read_ts(const char *buf, int *ts_start, int *ts_end, "%*[ ]X1:%u X2:%u Y1:%u Y2:%u", &hs, &ms, &ss, ts_start, &he, &me, &se, ts_end, x1, x2, y1, y2); - buf += strcspn(buf, "\n") + 1; + buf += strcspn(buf, "\n"); + buf += !!*buf; if (c >= 8) { *ts_start = 100*(ss + 60*(ms + 60*hs)) + *ts_start/10; *ts_end = 100*(se + 60*(me + 60*he)) + *ts_end /10; From 0f429392cf412dc89909b216cfbf7f7e9fe72717 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 8 Sep 2013 18:23:44 +0200 Subject: [PATCH 076/492] avcodec/assenc: fix potential overread. (cherry picked from commit 860a0810583f54ccbde912aebda8711f18eab8eb) Signed-off-by: Alexander Strasser --- libavcodec/assenc.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/assenc.c b/libavcodec/assenc.c index 7b8a540cdd..5dc3b09d65 100644 --- a/libavcodec/assenc.c +++ b/libavcodec/assenc.c @@ -80,9 +80,16 @@ static int ass_encode_frame(AVCodecContext *avctx, * will be "Marked=N" instead of the layer num, so we will * have layer=0, which is fine. */ layer = strtol(ass, &p, 10); - if (*p) p += strcspn(p, ",") + 1; // skip layer or marked - if (*p) p += strcspn(p, ",") + 1; // skip start timestamp - if (*p) p += strcspn(p, ",") + 1; // skip end timestamp + +#define SKIP_ENTRY(ptr) do { \ + char *sep = strchr(ptr, ','); \ + if (sep) \ + ptr = sep + 1; \ +} while (0) + + SKIP_ENTRY(p); // skip layer or marked + SKIP_ENTRY(p); // skip start timestamp + SKIP_ENTRY(p); // skip end timestamp snprintf(ass_line, sizeof(ass_line), "%d,%ld,%s", ++s->id, layer, p); ass_line[strcspn(ass_line, "\r\n")] = 0; ass = ass_line; From c7966bf7956497661ca98ffd5ed4fbc6321deb63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2013 17:18:19 +0200 Subject: [PATCH 077/492] avformat/oggparsevorbis: fix leak of ct Fixes CID1061058 Fixes fate Signed-off-by: Michael Niedermayer (cherry picked from commit d0a882ab1d2a4197da1edd77450af30e2da3460e) --- libavformat/oggparsevorbis.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index a21b3a92cc..3938f07f46 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -136,11 +136,13 @@ ff_vorbis_comment(AVFormatContext * as, AVDictionary **m, const uint8_t *buf, in if (!pict) { av_log(as, AV_LOG_WARNING, "out-of-memory error. Skipping cover art block.\n"); + av_freep(&ct); continue; } if ((ret = av_base64_decode(pict, ct, vl)) > 0) ret = ff_flac_parse_picture(as, pict, ret); av_freep(&pict); + av_freep(&ct); if (ret < 0) { av_log(as, AV_LOG_WARNING, "Failed to parse cover art block.\n"); continue; From c52a25e03bb4fb445b474878d91a49dce92e3ae5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2013 17:20:39 +0200 Subject: [PATCH 078/492] avformat/oggparsevorbis: fix leak of tt Fixes CID1061059 Fixes fate Signed-off-by: Michael Niedermayer (cherry picked from commit f3b7f470701224086d06012f1d9a31864abe9300) --- libavformat/oggparsevorbis.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 3938f07f46..ce475a4701 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -136,12 +136,14 @@ ff_vorbis_comment(AVFormatContext * as, AVDictionary **m, const uint8_t *buf, in if (!pict) { av_log(as, AV_LOG_WARNING, "out-of-memory error. Skipping cover art block.\n"); + av_freep(&tt); av_freep(&ct); continue; } if ((ret = av_base64_decode(pict, ct, vl)) > 0) ret = ff_flac_parse_picture(as, pict, ret); av_freep(&pict); + av_freep(&tt); av_freep(&ct); if (ret < 0) { av_log(as, AV_LOG_WARNING, "Failed to parse cover art block.\n"); From 414d75b8bc06ac97cc78de318689b9a1c2074399 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 17 Aug 2013 14:48:33 -0300 Subject: [PATCH 079/492] matroskadec: Improve TTA duration calculation Calculate the duration as accurately as possible to improve decoding of samples where the last frame is smaller than the rest. Signed-off-by: James Almer Approved-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit af248fa1174200acb537a6ab1198bb2fed38e884) --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 9a15a2b8e5..d72c4ef7f8 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1738,7 +1738,7 @@ static int matroska_read_header(AVFormatContext *s) avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); avio_wl32(&b, track->audio.out_samplerate); - avio_wl32(&b, matroska->ctx->duration * track->audio.out_samplerate); + avio_wl32(&b, av_rescale((matroska->duration * matroska->time_scale), track->audio.out_samplerate, AV_TIME_BASE * 1000)); } else if (codec_id == AV_CODEC_ID_RV10 || codec_id == AV_CODEC_ID_RV20 || codec_id == AV_CODEC_ID_RV30 || codec_id == AV_CODEC_ID_RV40) { extradata_offset = 26; From dbb534cea6b2b135485fd04cea022d08a350ac37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Aug 2013 02:20:54 +0200 Subject: [PATCH 080/492] avformat/matroskadec: check out_samplerate before using it in av_rescale() Prevent assertion failure with damaged input Signed-off-by: Michael Niedermayer (cherry picked from commit 338f8b2eaf36f078eb5cc26ac10e651dc4c48243) --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index d72c4ef7f8..b686eeba75 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1737,6 +1737,8 @@ static int matroska_read_header(AVFormatContext *s) avio_wl16(&b, 1); avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); + if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) + return AVERROR_INVALIDDATA; avio_wl32(&b, track->audio.out_samplerate); avio_wl32(&b, av_rescale((matroska->duration * matroska->time_scale), track->audio.out_samplerate, AV_TIME_BASE * 1000)); } else if (codec_id == AV_CODEC_ID_RV10 || codec_id == AV_CODEC_ID_RV20 || From 5753d780b47c8522992cc9a2c70a46d55ad55479 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Mon, 22 Jul 2013 16:44:11 -0700 Subject: [PATCH 081/492] doc/encoders: partially rewrite and reformat libx264 docs Format is based on the thread: "[PATCH] doc/encoders: Add libopus encoder doc" (06-28-2013) http://thread.gmane.org/gmane.comp.video.ffmpeg.devel/165368/ Also merge the two option sections (Mapping and Private options). Patch partially edited by Stefano Sabatini. Signed-off-by: Stefano Sabatini (cherry picked from commit 11cb697501edf6447a718d6194f0e63ec2310d39) Signed-off-by: Timothy Gu --- doc/encoders.texi | 449 ++++++++++++++++++++++++++++++---------------- 1 file changed, 297 insertions(+), 152 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index fb475865f7..577376508b 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -873,178 +873,318 @@ For more information about libvpx see: x264 H.264/MPEG-4 AVC encoder wrapper. -Requires the presence of the libx264 headers and library during -configuration. You need to explicitly configure the build with +This encoder requires the presence of the libx264 headers and library +during configuration. You need to explicitly configure the build with @code{--enable-libx264}. -x264 supports an impressive number of features, including 8x8 and 4x4 adaptive -spatial transform, adaptive B-frame placement, CAVLC/CABAC entropy coding, -interlacing (MBAFF), lossless mode, psy optimizations for detail retention -(adaptive quantization, psy-RD, psy-trellis). +libx264 supports an impressive number of features, including 8x8 and +4x4 adaptive spatial transform, adaptive B-frame placement, CAVLC/CABAC +entropy coding, interlacing (MBAFF), lossless mode, psy optimizations +for detail retention (adaptive quantization, psy-RD, psy-trellis). -The FFmpeg wrapper provides a mapping for most of them using global options -that match those of the encoders and provides private options for the unique -encoder options. Additionally an expert override is provided to directly pass -a list of key=value tuples as accepted by x264_param_parse. +Many libx264 encoder options are mapped to FFmpeg global codec +options, while unique encoder options are provided through private +options. Additionally the @option{x264opts} and @option{x264-params} +private options allows to pass a list of key=value tuples as accepted +by the libx264 @code{x264_param_parse} function. -@subsection Option Mapping +The x264 project website is at +@url{http://www.videolan.org/developers/x264.html}. -The following options are supported by the x264 wrapper, the x264-equivalent -options follow the FFmpeg ones. +@subsection Options -@multitable @columnfractions .2 .2 -@item b @tab bitrate -FFmpeg @code{b} option is expressed in bits/s, x264 @code{bitrate} in kilobits/s. -@item bf @tab bframes -Maximum number of B-frames. -@item g @tab keyint -Maximum GOP size. -@item qmin @tab qpmin -@item qmax @tab qpmax -@item qdiff @tab qpstep -@item qblur @tab qblur -@item qcomp @tab qcomp -@item refs @tab ref -@item sc_threshold @tab scenecut -@item trellis @tab trellis -@item nr @tab nr -Noise reduction. -@item me_range @tab merange -@item me_method @tab me -@item subq @tab subme -@item b_strategy @tab b-adapt -@item keyint_min @tab keyint-min -@item coder @tab cabac -Set coder to @code{ac} to use CABAC. -@item cmp @tab chroma-me -Set to @code{chroma} to use chroma motion estimation. -@item threads @tab threads -@item thread_type @tab sliced_threads -Set to @code{slice} to use sliced threading instead of frame threading. -@item flags -cgop @tab open-gop -Set @code{-cgop} to use recovery points to close GOPs. -@item rc_init_occupancy @tab vbv-init -Initial buffer occupancy. -@end multitable +The following options are supported by the libx264 wrapper. The +@command{x264}-equivalent options or values are listed in parentheses +for easy migration. + +To reduce the duplication of documentation, only the private options +and some others requiring special attention are documented here. For +the documentation of the undocumented generic options, see +@ref{codec-options}. + +To get a more accurate and extensive documentation of the libx264 +options, invoke the command @command{x264 --full-help} or consult +the libx264 documentation. -@subsection Private Options @table @option -@item -preset @var{string} -Set the encoding preset (cf. x264 --fullhelp). -@item -tune @var{string} -Tune the encoding params (cf. x264 --fullhelp). -@item -profile @var{string} -Set profile restrictions (cf. x264 --fullhelp). -@item -fastfirstpass @var{integer} -Use fast settings when encoding first pass. -@item -crf @var{float} -Select the quality for constant quality mode. -@item -crf_max @var{float} -In CRF mode, prevents VBV from lowering quality beyond this point. -@item -qp @var{integer} -Constant quantization parameter rate control method. -@item -aq-mode @var{integer} -AQ method +@item b (@emph{bitrate}) +Set bitrate in bits/s. Note that FFmpeg's @option{b} option is +expressed in bits/s, while @command{x264}'s @option{bitrate} is in +kilobits/s. + +@item bf (@emph{bframes}) + +@item g (@emph{keyint}) + +@item qmax (@emph{qpmax}) + +@item qmin (@emph{qpmin}) + +@item qdiff (@emph{qpstep}) + +@item qblur (@emph{qblur}) + +@item qcomp (@emph{qcomp}) + +@item refs (@emph{ref}) + +@item sc_threshold (@emph{scenecut}) + +@item trellis (@emph{trellis}) + +@item nr (@emph{nr}) + +@item me_range (@emph{merange}) + +@item me_method (@emph{me}) +Set motion estimation method. Possible values in the decreasing order +of speed: -Possible values: @table @samp -@item none +@item dia (@emph{dia}) +@item epzs (@emph{dia}) +Diamond search with radius 1 (fastest). @samp{epzs} is an alias for +@samp{dia}. +@item hex (@emph{hex}) +Hexagonal search with radius 2. +@item umh (@emph{umh}) +Uneven multi-hexagon search. +@item esa (@emph{esa}) +Exhaustive search. +@item tesa (@emph{tesa}) +Hadamard exhaustive search (slowest). +@end table -@item variance +@item subq (@emph{subme}) + +@item b_strategy (@emph{b-adapt}) + +@item keyint_min (@emph{min-keyint}) + +@item coder +Set entropy encoder. Possible values: + +@table @samp +@item ac +Enable CABAC. + +@item vlc +Enable CAVLC and disable CABAC. It generates the same effect as +@command{x264}'s @option{--no-cabac} option. +@end table + +@item cmp +Set full pixel motion estimation comparation algorithm. Possible values: + +@table @samp +@item chroma +Enable chroma in motion estimation. + +@item sad +Ignore chroma in motion estimation. It generates the same effect as +@command{x264}'s @option{--no-chroma-me} option. +@end table + +@item threads (@emph{threads}) + +@item thread_type +Set multithreading technique. Possible values: + +@table @samp +@item slice +Slice-based multithreading. It generates the same effect as +@command{x264}'s @option{--sliced-threads} option. +@item frame +Frame-based multithreading. +@end table + +@item flags +Set encoding flags. It can be used to disable closed GOP and enable +open GOP by setting it to @code{-cgop}. The result is similar to +the behavior of @command{x264}'s @option{--open-gop} option. + +@item rc_init_occupancy (@emph{vbv-init}) + +@item preset (@emph{preset}) +Set the encoding preset. + +@item tune (@emph{tune}) +Set tuning of the encoding params. + +@item profile (@emph{profile}) +Set profile restrictions. + +@item fastfirstpass +Enable fast settings when encoding first pass, when set to 1. When set +to 0, it has the same effect of @command{x264}'s +@option{--slow-firstpass} option. + +@item crf (@emph{crf}) +Set the quality for constant quality mode. + +@item crf_max (@emph{crf-max}) +In CRF mode, prevents VBV from lowering quality beyond this point. + +@item qp (@emph{qp}) +Set constant quantization rate control method parameter. + +@item aq-mode (@emph{aq-mode}) +Set AQ method. Possible values: + +@table @samp +@item none (@emph{0}) +Disabled. + +@item variance (@emph{1}) Variance AQ (complexity mask). -@item autovariance + +@item autovariance (@emph{2}) Auto-variance AQ (experimental). @end table -@item -aq-strength @var{float} -AQ strength, reduces blocking and blurring in flat and textured areas. -@item -psy @var{integer} -Use psychovisual optimizations. -@item -psy-rd @var{string} -Strength of psychovisual optimization, in : format. -@item -rc-lookahead @var{integer} -Number of frames to look ahead for frametype and ratecontrol. -@item -weightb @var{integer} -Weighted prediction for B-frames. -@item -weightp @var{integer} -Weighted prediction analysis method. -Possible values: +@item aq-strength (@emph{aq-strength}) +Set AQ strength, reduce blocking and blurring in flat and textured areas. + +@item psy +Use psychovisual optimizations when set to 1. When set to 0, it has the +same effect as @command{x264}'s @option{--no-psy} option. + +@item psy-rd (@emph{psy-rd}) +Set strength of psychovisual optimization, in +@var{psy-rd}:@var{psy-trellis} format. + +@item rc-lookahead (@emph{rc-lookahead}) +Set number of frames to look ahead for frametype and ratecontrol. + +@item weightb +Enable weighted prediction for B-frames when set to 1. When set to 0, +it has the same effect as @command{x264}'s @option{--no-weightb} option. + +@item weightp (@emph{weightp}) +Set weighted prediction method for P-frames. Possible values: + @table @samp -@item none - -@item simple - -@item smart - +@item none (@emph{0}) +Disabled +@item simple (@emph{1}) +Enable only weighted refs +@item smart (@emph{2}) +Enable both weighted refs and duplicates @end table -@item -ssim @var{integer} -Calculate and print SSIM stats. -@item -intra-refresh @var{integer} -Use Periodic Intra Refresh instead of IDR frames. -@item -b-bias @var{integer} -Influences how often B-frames are used. -@item -b-pyramid @var{integer} -Keep some B-frames as references. -Possible values: +@item ssim (@emph{ssim}) +Enable calculation and printing SSIM stats after the encoding. + +@item intra-refresh (@emph{intra-refresh}) +Enable the use of Periodic Intra Refresh instead of IDR frames when set +to 1. + +@item b-bias (@emph{b-bias}) +Set the influence on how often B-frames are used. + +@item b-pyramid (@emph{b-pyramid}) +Set method for keeping of some B-frames as references. Possible values: + @table @samp -@item none - -@item strict +@item none (@emph{none}) +Disabled. +@item strict (@emph{strict}) Strictly hierarchical pyramid. -@item normal +@item normal (@emph{normal}) Non-strict (not Blu-ray compatible). @end table -@item -mixed-refs @var{integer} -One reference per partition, as opposed to one reference per macroblock. -@item -8x8dct @var{integer} -High profile 8x8 transform. -@item -fast-pskip @var{integer} -@item -aud @var{integer} -Use access unit delimiters. -@item -mbtree @var{integer} -Use macroblock tree ratecontrol. -@item -deblock @var{string} -Loop filter parameters, in form. -@item -cplxblur @var{float} -Reduce fluctuations in QP (before curve compression). -@item -partitions @var{string} -A comma-separated list of partitions to consider, possible values: p8x8, p4x4, b8x8, i8x8, i4x4, none, all. -@item -direct-pred @var{integer} -Direct MV prediction mode -Possible values: +@item mixed-refs +Enable the use of one reference per partition, as opposed to one +reference per macroblock when set to 1. When set to 0, it has the +same effect as @command{x264}'s @option{--no-mixed-refs} option. + +@item 8x8dct +Enable adaptive spatial transform (high profile 8x8 transform) +when set to 1. When set to 0, it has the same effect as +@command{x264}'s @option{--no-8x8dct} option. + +@item fast-pskip +Enable early SKIP detection on P-frames when set to 1. When set +to 0, it has the same effect as @command{x264}'s +@option{--no-fast-pskip} option. + +@item aud (@emph{aud}) +Enable use of access unit delimiters when set to 1. + +@item mbtree +Enable use macroblock tree ratecontrol when set to 1. When set +to 0, it has the same effect as @command{x264}'s +@option{--no-mbtree} option. + +@item deblock (@emph{deblock}) +Set loop filter parameters, in @var{alpha}:@var{beta} form. + +@item cplxblur (@emph{cplxblur}) +Set fluctuations reduction in QP (before curve compression). + +@item partitions (@emph{partitions}) +Set partitions to consider as a comma-separated list of. Possible +values in the list: + @table @samp -@item none - -@item spatial - -@item temporal - -@item auto - -@end table -@item -slice-max-size @var{integer} -Limit the size of each slice in bytes. -@item -stats @var{string} -Filename for 2 pass stats. -@item -nal-hrd @var{integer} -Signal HRD information (requires vbv-bufsize; cbr not allowed in .mp4). - -Possible values: -@table @samp -@item none - -@item vbr - -@item cbr - +@item p8x8 +8x8 P-frame partition. +@item p4x4 +4x4 P-frame partition. +@item b8x8 +4x4 B-frame partition. +@item i8x8 +8x8 I-frame partition. +@item i4x4 +4x4 I-frame partition. +(Enabling @samp{p4x4} requires @samp{p8x8} to be enabled. Enabling +@samp{i8x8} requires adaptive spatial transform (@option{8x8dct} +option) to be enabled.) +@item none (@emph{none}) +Do not consider any partitions. +@item all (@emph{all}) +Consider every partition. @end table -@item x264opts @var{options} -Allow to set any x264 option, see @code{x264 --fullhelp} for a list. +@item direct-pred (@emph{direct}) +Set direct MV prediction mode. Possible values: -@var{options} is a list of @var{key}=@var{value} couples separated by +@table @samp +@item none (@emph{none}) +Disable MV prediction. +@item spatial (@emph{spatial}) +Enable spatial predicting. +@item temporal (@emph{temporal}) +Enable temporal predicting. +@item auto (@emph{auto}) +Automatically decided. +@end table + +@item slice-max-size (@emph{slice-max-size}) +Set the limit of the size of each slice in bytes. If not specified +but RTP payload size (@option{ps}) is specified, that is used. + +@item stats (@emph{stats}) +Set the file name for multi-pass stats. + +@item nal-hrd (@emph{nal-hrd}) +Set signal HRD information (requires @option{vbv-bufsize} to be set). +Possible values: + +@table @samp +@item none (@emph{none}) +Disable HRD information signaling. +@item vbr (@emph{vbr}) +Variable bit rate. +@item cbr (@emph{cbr}) +Constant bit rate (not allowed in MP4 container). +@end table + +@item x264opts (N.A.) +Set any x264 option, see @command{x264 --fullhelp} for a list. + +Argument is a list of @var{key}=@var{value} couples separated by ":". In @var{filter} and @var{psy-rd} options that use ":" as a separator themselves, use "," instead. They accept it as well since long ago but this is kept undocumented for some reason. @@ -1054,18 +1194,23 @@ For example to specify libx264 encoding options with @command{ffmpeg}: ffmpeg -i foo.mpg -vcodec libx264 -x264opts keyint=123:min-keyint=20 -an out.mkv @end example -For more information about libx264 and the supported options see: -@url{http://www.videolan.org/developers/x264.html} +@item x264-params (N.A.) +Override the x264 configuration using a :-separated list of key=value +parameters. -@item -x264-params @var{string} -Override the x264 configuration using a :-separated list of key=value parameters. +This option is functionally the same as the @option{x264opts}, but is +duplicated for compability with the Libav fork. + +For example to specify libx264 encoding options with @command{ffmpeg}: @example --x264-params level=30:bframes=0:weightp=0:cabac=0:ref=1:vbv-maxrate=768:vbv-bufsize=2000:analyse=all:me=umh:no-fast-pskip=1:subq=6:8x8dct=0:trellis=0 +ffmpeg -i INPUT -c:v libx264 -x264-params level=30:bframes=0:weightp=0:\ +cabac=0:ref=1:vbv-maxrate=768:vbv-bufsize=2000:analyse=all:me=umh:\ +no-fast-pskip=1:subq=6:8x8dct=0:trellis=0 OUTPUT @end example @end table -Encoding avpresets for common usages are provided so they can be used with the -general presets system (e.g. passing the @code{-pre} option). +Encoding ffpresets for common usages are provided so they can be used with the +general presets system (e.g. passing the @option{pre} option). @section png From 68ae344b5e11fb83055a8826441fada0a946e8ac Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Mon, 29 Jul 2013 19:12:10 -0700 Subject: [PATCH 082/492] doc/encoders: add libxvid doc Signed-off-by: Stefano Sabatini (cherry picked from commit 6b255e5e70c72aa59ff7aed74b4ee976223eb140) Signed-off-by: Timothy Gu --- doc/encoders.texi | 113 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) diff --git a/doc/encoders.texi b/doc/encoders.texi index 577376508b..8c3f660035 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -1212,6 +1212,119 @@ no-fast-pskip=1:subq=6:8x8dct=0:trellis=0 OUTPUT Encoding ffpresets for common usages are provided so they can be used with the general presets system (e.g. passing the @option{pre} option). +@section libxvid + +Xvid MPEG-4 Part 2 encoder wrapper. + +This encoder requires the presence of the libxvidcore headers and library +during configuration. You need to explicitly configure the build with +@code{--enable-libxvid --enable-gpl}. + +The native @code{mpeg4} encoder supports the MPEG-4 Part 2 format, so +users can encode to this format without this library. + +@subsection Options + +The following options are supported by the libxvid wrapper. Some of +the following options are listed but are not documented, and +correspond to shared codec options. See @ref{codec-options,,the Codec +Options chapter} for their documentation. The other shared options +which are not listed have no effect for the libxvid encoder. + +@table @option +@item b + +@item g + +@item qmin + +@item qmax + +@item mpeg_quant + +@item threads + +@item bf + +@item b_qfactor + +@item b_qoffset + +@item flags +Set specific encoding flags. Possible values: + +@table @samp + +@item mv4 +Use four motion vector by macroblock. + +@item aic +Enable high quality AC prediction. + +@item gray +Only encode grayscale. + +@item gmc +Enable the use of global motion compensation (GMC). + +@item qpel +Enable quarter-pixel motion compensation. + +@item cgop +Enable closed GOP. + +@item global_header +Place global headers in extradata instead of every keyframe. + +@end table + +@item trellis + +@item me_method +Set motion estimation method. Possible values in decreasing order of +speed and increasing order of quality: + +@table @samp +@item zero +Use no motion estimation (default). + +@item phods +@item x1 +@item log +Enable advanced diamond zonal search for 16x16 blocks and half-pixel +refinement for 16x16 blocks. @samp{x1} and @samp{log} are aliases for +@samp{phods}. + +@item epzs +Enable all of the things described above, plus advanced diamond zonal +search for 8x8 blocks, half-pixel refinement for 8x8 blocks, and motion +estimation on chroma planes. + +@item full +Enable all of the things described above, plus extended 16x16 and 8x8 +blocks search. +@end table + +@item mbd +Set macroblock decision algorithm. Possible values in the increasing +order of quality: + +@table @samp +@item simple +Use macroblock comparing function algorithm (default). + +@item bits +Enable rate distortion-based half pixel and quarter pixel refinement for +16x16 blocks. + +@item rd +Enable all of the things described above, plus rate distortion-based +half pixel and quarter pixel refinement for 8x8 blocks, and rate +distortion-based search using square pattern. +@end table + +@end table + @section png PNG image encoder. From c08e8ab715bb306eaf94586d5af92ab36ee6cc2b Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sat, 3 Aug 2013 16:51:26 -0700 Subject: [PATCH 083/492] doc/encoders: reformat libmp3lame doc Signed-off-by: Timothy Gu Signed-off-by: Stefano Sabatini (cherry picked from commit 40b8350b57adaa9aaf6731bac5130d4fec1639c3) Signed-off-by: Timothy Gu --- doc/encoders.texi | 44 +++++++++++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index 8c3f660035..44b0dfc780 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -420,26 +420,36 @@ Requires the presence of the libmp3lame headers and library during configuration. You need to explicitly configure the build with @code{--enable-libmp3lame}. -@subsection Option Mapping +@subsection Options -The following options are supported by the libmp3lame wrapper, -the LAME-equivalent options follow the FFmpeg ones. +The following options are supported by the libmp3lame wrapper. The +@command{lame}-equivalent of the options are listed in parentheses. -@multitable @columnfractions .2 .2 -@item FFmpeg @tab LAME -@item b @tab b -Set bitrate expressed in bits/s, LAME @code{bitrate} is expressed in -kilobits/s. -@item q @tab V -Set quality setting for VBR. -@item compression_level @tab q -Set algorithm quality. Valid arguments are integers in the 0-9 range. -@item reservoir @tab N.A. -Enable use of bit reservoir. LAME has this enabled by default. -@item joint_stereo @tab -m j +@table @option +@item b (@emph{-b}) +Set bitrate expressed in bits/s for CBR. LAME @code{bitrate} is +expressed in kilobits/s. + +@item q (@emph{-V}) +Set constant quality setting for VBR. This option is valid only +using the @command{ffmpeg} command-line tool. For library interface +users, use @option{global_quality}. + +@item compression_level (@emph{-q}) +Set algorithm quality. Valid arguments are integers in the 0-9 range, +with 0 meaning highest quality but slowest, and 9 meaning fastest +while producing the worst quality. + +@item reservoir +Enable use of bit reservoir when set to 1. Default value is 1. LAME +has this enabled by default, but can be overriden by use +@option{--nores} option. + +@item joint_stereo (@emph{-m j}) Enable the encoder to use (on a frame by frame basis) either L/R -stereo or mid/side stereo. -@end multitable +stereo or mid/side stereo. Default value is 1. + +@end table @section libopencore-amrnb From 01b39884c7f04d0b8e836608eb623788540c9444 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sat, 3 Aug 2013 16:55:40 -0700 Subject: [PATCH 084/492] doc/encoders: reformat and add some clarification in libtwolame doc Signed-off-by: Timothy Gu Signed-off-by: Stefano Sabatini (cherry picked from commit e45e72f5f89ef5a5791562cfcb935028b46ecd0a) Signed-off-by: Timothy Gu --- doc/encoders.texi | 56 ++++++++++++++++++++++++----------------------- 1 file changed, 29 insertions(+), 27 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index 44b0dfc780..5b1a35f5c0 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -496,24 +496,26 @@ Requires the presence of the libtwolame headers and library during configuration. You need to explicitly configure the build with @code{--enable-libtwolame}. -@subsection Options Mapping +@subsection Options The following options are supported by the libtwolame wrapper. The -TwoLAME-equivalent options follow the FFmpeg ones and are in +@command{twolame}-equivalent options follow the FFmpeg ones and are in parentheses. @table @option -@item b -(b) Set bitrate in bits/s. Note that FFmpeg @code{b} option is -expressed in bits/s, twolame @code{b} in kilobits/s. The default -value is 128k. +@item b (@emph{-b}) +Set bitrate expressed in bits/s for CBR. @command{twolame} @option{b} +option is expressed in kilobits/s. Default value is 128k. -@item q -(V) Set quality for experimental VBR support. Maximum value range is -from -50 to 50, useful range is from -10 to 10. +@item q (@emph{-V}) +Set quality for experimental VBR support. Maximum value range is +from -50 to 50, useful range is from -10 to 10. The higher the +value, the better the quality. This option is valid only using the +@command{ffmpeg} command-line tool. For library interface users, +use @option{global_quality}. -@item mode -(mode) Set MPEG mode. Possible values: +@item mode (@emph{--mode}) +Set the mode of the resulting audio. Possible values: @table @samp @item auto @@ -528,26 +530,26 @@ Dual channel Mono @end table -@item psymodel -(psyc-mode) Set psychoacoustic model to use in encoding. The argument -must be an integer between -1 and 4, inclusive. The higher the value, -the better the quality. The default value is 3. +@item psymodel (@emph{--psyc-mode}) +Set psychoacoustic model to use in encoding. The argument must be +an integer between -1 and 4, inclusive. The higher the value, the +better the quality. The default value is 3. -@item energy_levels -(energy) Enable energy levels extensions when set to 1. The default -value is 0 (disabled). +@item energy_levels (@emph{--energy}) +Enable energy levels extensions when set to 1. The default value is +0 (disabled). -@item error_protection -(protect) Enable CRC error protection when set to 1. The default value -is 0 (disabled). +@item error_protection (@emph{--protect}) +Enable CRC error protection when set to 1. The default value is 0 +(disabled). -@item copyright -(copyright) Set MPEG audio copyright flag when set to 1. The default -value is 0 (disabled). +@item copyright (@emph{--copyright}) +Set MPEG audio copyright flag when set to 1. The default value is 0 +(disabled). -@item original -(original) Set MPEG audio original flag when set to 1. The default -value is 0 (disabled). +@item original (@emph{--original}) +Set MPEG audio original flag when set to 1. The default value is 0 +(disabled). @end table From 9ebfee7ac0f5ec104c5b0e169465c51b551a53cf Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sat, 7 Sep 2013 20:13:11 -0700 Subject: [PATCH 085/492] doc/encoders: improve libvo-aacenc doc Signed-off-by: Timothy Gu Signed-off-by: Stefano Sabatini (cherry picked from commit 81bbe49a0e588aa899f37a567808ba8926d798d6) Signed-off-by: Timothy Gu --- doc/encoders.texi | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index 5b1a35f5c0..cf9c38245d 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -561,16 +561,19 @@ Requires the presence of the libvo-aacenc headers and library during configuration. You need to explicitly configure the build with @code{--enable-libvo-aacenc --enable-version3}. +This encoder is considered to be worse than the +@ref{aacenc,,native experimental FFmpeg AAC encoder}, according to +multiple sources. + @subsection Options The VisualOn AAC encoder only support encoding AAC-LC and up to 2 -channels. It is also CBR-only. It is considered to be worse than the -native experimental FFmpeg AAC encoder. +channels. It is also CBR-only. @table @option @item b -Bitrate. +Set bit rate in bits/s. @end table From cecb2b39cef1c8f22845cce454e8198e10399a43 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 15 Sep 2013 19:08:58 -0700 Subject: [PATCH 086/492] doc/formats: Add documentation for 3 parameters that have been missing Signed-off-by: Timothy Gu Signed-off-by: Michael Niedermayer (cherry picked from commit b7dd4598630fb1f890ae060f21a9ec92a103f22d) Signed-off-by: Timothy Gu --- doc/formats.texi | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/formats.texi b/doc/formats.texi index 6e69bfa582..d99dca818f 100644 --- a/doc/formats.texi +++ b/doc/formats.texi @@ -57,6 +57,9 @@ Enable RTP MP4A-LATM payload. Reduce the latency introduced by optional buffering @end table +@item seek2any @var{integer} (@emph{input}) +Forces seeking to enable seek to any mode if set to 1. Default is 0. + @item analyzeduration @var{integer} (@emph{input}) Specify how many microseconds are analyzed to probe the input. A higher value will allow to detect more accurate information, but will @@ -133,6 +136,12 @@ been without shifting. Also note that this affects only leading negative timestamps, and not non-monotonic negative timestamps. +@item skip_initial_bytes @var{integer} (@emph{input}) +Set number initial bytes to skip. Default is 0. + +@item correct_ts_overflow @var{integer} (@emph{input}) +Correct single timestamp overflows if set to 1. Default is 1. + @item flush_packets @var{integer} (@emph{output}) Flush the underlying I/O stream after each packet. Default 1 enables it, and has the effect of reducing the latency; 0 disables it and may slightly From 6911d9e1b0cffee4cdf5f12be2030b7edbc65a32 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 8 Sep 2013 16:32:22 -0700 Subject: [PATCH 087/492] doc/encoders: add doc for AAC encoder Thanks-to: Kostya Shishkov Signed-off-by: Timothy Gu Signed-off-by: Stefano Sabatini (cherry picked from commit 0e11790cf7eef3b0f38a64486da1e3fb8c7f14b8) Signed-off-by: Timothy Gu --- doc/encoders.texi | 90 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/doc/encoders.texi b/doc/encoders.texi index cf9c38245d..3b35c954e0 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -25,6 +25,95 @@ enabled encoders. A description of some of the currently available audio encoders follows. +@anchor{aacenc} +@section aac + +Advanced Audio Coding (AAC) encoder. + +This encoder is an experimental FFmpeg-native AAC encoder. Currently only the +low complexity (AAC-LC) profile is supported. To use this encoder, you must set +@option{strict} option to @samp{experimental} or lower. + +As this encoder is experimental, unexpected behavior may exist from time to +time. For a more stable AAC encoder, see @ref{libvo-aacenc}. However, be warned +that it has a worse quality reported by some users. + +@c Comment this out until somebody writes the respective documentation. +@c See also @ref{libfaac}, @ref{libaacplus}, and @ref{libfdk-aac-enc}. + +@subsection Options + +@table @option +@item b +Set bit rate in bits/s. Setting this automatically activates constant bit rate +(CBR) mode. + +@item q +Set quality for variable bit rate (VBR) mode. This option is valid only using +the @command{ffmpeg} command-line tool. For library interface users, use +@option{global_quality}. + +@item stereo_mode +Set stereo encoding mode. Possible values: + +@table @samp +@item auto +Automatically selected by the encoder. + +@item ms_off +Disable middle/side encoding. This is the default. + +@item ms_force +Force middle/side encoding. +@end table + +@item aac_coder +Set AAC encoder coding method. Possible values: + +@table @samp +@item 0 +FAAC-inspired method. + +This method is a simplified reimplementation of the method used in FAAC, which +sets thresholds proportional to the band energies, and then decreases all the +thresholds with quantizer steps to find the appropriate quantization with +distortion below threshold band by band. + +The quality of this method is comparable to the two loop searching method +descibed below, but somewhat a little better and slower. + +@item 1 +Average noise to mask ratio (ANMR) trellis-based solution. + +This has a theoretic best quality out of all the coding methods, but at the +cost of the slowest speed. + +@item 2 +Two loop searching (TLS) method. + +This method first sets quantizers depending on band thresholds and then tries +to find an optimal combination by adding or subtracting a specific value from +all quantizers and adjusting some individual quantizer a little. + +This method produces similar quality with the FAAC method and is the default. + +@item 3 +Constant quantizer method. + +This method sets a constant quantizer for all bands. This is the fastest of all +the methods, yet produces the worst quality. + +@end table + +@end table + +@subsection Tips and Tricks + +According to some reports +(e.g. @url{http://d.hatena.ne.jp/kamedo2/20120729/1343545890}), setting the +@option{cutoff} option to 15000 Hz greatly improves the quality of the output +quality. As a result, we encourage you to do the same. + @section ac3 and ac3_fixed AC-3 audio encoders. @@ -553,6 +642,7 @@ Set MPEG audio original flag when set to 1. The default value is 0 @end table +@anchor{libvo-aacenc} @section libvo-aacenc VisualOn AAC encoder. From 005b38f8f141c0ababe95db2282d8cfe3948cce3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 03:43:49 +0200 Subject: [PATCH 088/492] avcodec/ffv1dec: check global header version Signed-off-by: Michael Niedermayer (cherry picked from commit 20b965a1a43ae88b7ae95635d5a3570e7dc2bbd4) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 8d6d842561..7efd9e67b2 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -483,6 +483,10 @@ static int read_extra_header(FFV1Context *f) ff_build_rac_states(c, 0.05 * (1LL << 32), 256 - 8); f->version = get_symbol(c, state, 0); + if (f->version < 2) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid version in global header\n"); + return AVERROR_INVALIDDATA; + } if (f->version > 2) { c->bytestream_end -= 4; f->minor_version = get_symbol(c, state, 0); From 2fd824b4662a73d3023824034ab7f5692bcc3af2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 06:08:32 +0200 Subject: [PATCH 089/492] ffv1dec: Check bits_per_raw_sample and colorspace for equality in ver 0/1 headers Signed-off-by: Michael Niedermayer (cherry picked from commit b05cd1ea7e45a836f7f6071a716c38bb30326e0f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 7efd9e67b2..e77cae1960 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -566,7 +566,7 @@ static int read_header(FFV1Context *f) memset(state, 128, sizeof(state)); if (f->version < 2) { - int chroma_planes, chroma_h_shift, chroma_v_shift, transparency; + int chroma_planes, chroma_h_shift, chroma_v_shift, transparency, colorspace, bits_per_raw_sample; unsigned v= get_symbol(c, state, 0); if (v >= 2) { av_log(f->avctx, AV_LOG_ERROR, "invalid version %d in ver01 header\n", v); @@ -579,18 +579,17 @@ static int read_header(FFV1Context *f) f->state_transition[i] = get_symbol(c, state, 1) + c->one_state[i]; } - f->colorspace = get_symbol(c, state, 0); //YUV cs type - - if (f->version > 0) - f->avctx->bits_per_raw_sample = get_symbol(c, state, 0); - + colorspace = get_symbol(c, state, 0); //YUV cs type + bits_per_raw_sample = f->version > 0 ? get_symbol(c, state, 0) : f->avctx->bits_per_raw_sample; chroma_planes = get_rac(c, state); chroma_h_shift = get_symbol(c, state, 0); chroma_v_shift = get_symbol(c, state, 0); transparency = get_rac(c, state); if (f->plane_count) { - if ( chroma_planes != f->chroma_planes + if ( colorspace != f->colorspace + || bits_per_raw_sample != f->avctx->bits_per_raw_sample + || chroma_planes != f->chroma_planes || chroma_h_shift!= f->chroma_h_shift || chroma_v_shift!= f->chroma_v_shift || transparency != f->transparency) { @@ -599,6 +598,8 @@ static int read_header(FFV1Context *f) } } + f->colorspace = colorspace; + f->avctx->bits_per_raw_sample = bits_per_raw_sample; f->chroma_planes = chroma_planes; f->chroma_h_shift = chroma_h_shift; f->chroma_v_shift = chroma_v_shift; From 54bdb5fc8642b8384a181a10eace584cfee5494e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 23:40:47 +0200 Subject: [PATCH 090/492] avcodec/dsputil: fix signedness in sizeof() comparissions Signed-off-by: Michael Niedermayer (cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760) Signed-off-by: Michael Niedermayer --- libavcodec/dsputil.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c index b434589fe0..43238a943d 100644 --- a/libavcodec/dsputil.c +++ b/libavcodec/dsputil.c @@ -1931,7 +1931,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){ static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){ long i; - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ long a = *(long*)(src+i); long b = *(long*)(dst+i); *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80); @@ -1956,7 +1956,7 @@ static void diff_bytes_c(uint8_t *dst, const uint8_t *src1, const uint8_t *src2, } }else #endif - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ long a = *(long*)(src1+i); long b = *(long*)(src2+i); *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80); From db99c4156711488a3df04e105b977e6f65d4279a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Sep 2013 04:32:23 +0200 Subject: [PATCH 091/492] avfilter/vf_fps: make sure the fifo is not empty before using it Fixes Ticket2905 Signed-off-by: Michael Niedermayer (cherry picked from commit cdd5df8189ff1537f7abe8defe971f80602cc2d2) Signed-off-by: Michael Niedermayer --- libavfilter/vf_fps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_fps.c b/libavfilter/vf_fps.c index 006c24577f..32e71a9d4d 100644 --- a/libavfilter/vf_fps.c +++ b/libavfilter/vf_fps.c @@ -189,7 +189,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *buf) } /* now wait for the next timestamp */ - if (buf->pts == AV_NOPTS_VALUE) { + if (buf->pts == AV_NOPTS_VALUE || av_fifo_size(s->fifo) <= 0) { return write_to_fifo(s->fifo, buf); } From ef121a88d571fc0fc340998e6bb62a92308a2e85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Sep 2013 00:36:44 +0200 Subject: [PATCH 092/492] avcodec/mjpegdec: Add some sanity checks to ljpeg_decode_rgb_scan() These prevent the rgb ljpeg code from being run on parameters that it doesnt support. No testcase available but it seems possible to trigger these. Signed-off-by: Michael Niedermayer (cherry picked from commit 61c68000eda643dfce96dc46b488d39fd5c4e309) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 6a362aff0d..03cd065810 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -780,6 +780,12 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p int resync_mb_y = 0; int resync_mb_x = 0; + if (s->nb_components != 3 && s->nb_components != 4) + return AVERROR_INVALIDDATA; + if (s->v_max != 1 || s->h_max != 1 || !s->lossless) + return AVERROR_INVALIDDATA; + + s->restart_count = s->restart_interval; av_fast_malloc(&s->ljpeg_buffer, &s->ljpeg_buffer_size, From aeec1a6430b424f1446f4441f302320befe768df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Sep 2013 20:27:54 +0200 Subject: [PATCH 093/492] avcodec/truemotion2: Fix av_freep arguments Fixes null pointer dereference Fixes Ticket2944 Signed-off-by: Michael Niedermayer (cherry picked from commit c54aa2fb0f869ec025933944cbd1634fffe95d09) Conflicts: libavcodec/truemotion2.c --- libavcodec/truemotion2.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 7783386d25..fd782a1285 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -945,14 +945,14 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!l->Y1_base || !l->Y2_base || !l->U1_base || !l->V1_base || !l->U2_base || !l->V2_base || !l->last || !l->clast) { - av_freep(l->Y1_base); - av_freep(l->Y2_base); - av_freep(l->U1_base); - av_freep(l->U2_base); - av_freep(l->V1_base); - av_freep(l->V2_base); - av_freep(l->last); - av_freep(l->clast); + av_freep(&l->Y1_base); + av_freep(&l->Y2_base); + av_freep(&l->U1_base); + av_freep(&l->U2_base); + av_freep(&l->V1_base); + av_freep(&l->V2_base); + av_freep(&l->last); + av_freep(&l->clast); return AVERROR(ENOMEM); } l->Y1 = l->Y1_base + l->y_stride * 4 + 4; From 40e52bbb63cfa7a143ba9c335a09701fe9235200 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2013 17:58:18 +0200 Subject: [PATCH 094/492] avcodec/ffv1enc: update buffer check for 16bps Signed-off-by: Michael Niedermayer (cherry picked from commit 3728603f1854b5c79d1a64dd3b41b80640ef1e7f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 128eeb269d..78143a0604 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -275,7 +275,7 @@ static av_always_inline int encode_line(FFV1Context *s, int w, int run_mode = 0; if (s->ac) { - if (c->bytestream_end - c->bytestream < w * 20) { + if (c->bytestream_end - c->bytestream < w * 35) { av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n"); return AVERROR_INVALIDDATA; } From 0a64b25c77320577a54203b2c7e5f3da4ae36e40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Sep 2013 16:33:27 +0200 Subject: [PATCH 095/492] avcodec/g2meet: Fix order of align and pixel size multiplication. Fixes out of array accesses Fixes Ticket2922 Found-by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 821a5938d100458f4d09d634041b05c860554ce0) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index d31fc54ca8..1822c5e274 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -453,7 +453,7 @@ static int g2m_init_buffers(G2MContext *c) if (!c->synth_tile || !c->jpeg_tile || c->old_tile_w < c->tile_width || c->old_tile_h < c->tile_height) { - c->tile_stride = FFALIGN(c->tile_width * 3, 16); + c->tile_stride = FFALIGN(c->tile_width, 16) * 3; aligned_height = FFALIGN(c->tile_height, 16); av_free(c->synth_tile); av_free(c->jpeg_tile); From 2b06f5f8f15a4464c74405cd7da57da2d6be5d36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2013 23:34:11 +0200 Subject: [PATCH 096/492] avcodec/g2meet: Fix framebuf size Currently the code can in some cases draw tiles that hang outside the allocated buffer. This patch increases the buffer size to avoid out of array accesses. An alternative would be to fail if such tiles are encountered. I do not know if any valid files use such hanging tiles. Fixes Ticket2971 Found-by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit e07ac727c1cc9eed39e7f9117c97006f719864bd) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 1822c5e274..1634059f16 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -443,8 +443,8 @@ static int g2m_init_buffers(G2MContext *c) int aligned_height; if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) { - c->framebuf_stride = FFALIGN(c->width * 3, 16); - aligned_height = FFALIGN(c->height, 16); + c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; + aligned_height = c->height + 15; av_free(c->framebuf); c->framebuf = av_mallocz(c->framebuf_stride * aligned_height); if (!c->framebuf) From 842d7c9b3af0ea6327bbc8b4554f5fa35f3b73ac Mon Sep 17 00:00:00 2001 From: Thilo Borgmann Date: Tue, 1 Oct 2013 16:49:39 +0200 Subject: [PATCH 097/492] configure: fix logic for threads in case of OpenCL is enabled. Fixes ticket 3004. Signed-off-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit d3a03d90a3d57cdc6f915a05f5f28ee4bb470d00) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 54e46c8a7b..03954a4118 100755 --- a/configure +++ b/configure @@ -4201,7 +4201,7 @@ enabled openal && { { for al_libs in "${OPENAL_LIBS}" "-lopenal" "-lO enabled opencl && { check_lib2 OpenCL/cl.h clEnqueueNDRangeKernel -Wl,-framework,OpenCL || check_lib2 CL/cl.h clEnqueueNDRangeKernel -lOpenCL || die "ERROR: opencl not found"; } && - { enabled_any w32threads os2threads && + { ! enabled_any w32threads os2threads || die "opencl currently needs --enable-pthreads or --disable-w32threads"; } && { check_cpp_condition "OpenCL/cl.h" "defined(CL_VERSION_1_2)" || check_cpp_condition "CL/cl.h" "defined(CL_VERSION_1_2)" || From f089e67d515b726ac14103025edc04f6df346a3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Oct 2013 18:11:28 +0200 Subject: [PATCH 098/492] avcodec/imgconvert/get_color_type: fix type for PAL8 Fixes Ticket3008 Fate changes as PAL8 gets used instead of BGR8 Signed-off-by: Michael Niedermayer (cherry picked from commit 95666b22989b9b9f91a27da01b2bdbf4ee8022d3) --- libavcodec/imgconvert.c | 3 +++ tests/ref/lavf/gif | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 1835e00fbe..3abd6e6828 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -71,6 +71,9 @@ void avcodec_get_chroma_sub_sample(enum AVPixelFormat pix_fmt, int *h_shift, int } static int get_color_type(const AVPixFmtDescriptor *desc) { + if (desc->flags & AV_PIX_FMT_FLAG_PAL) + return FF_COLOR_RGB; + if(desc->nb_components == 1 || desc->nb_components == 2) return FF_COLOR_GRAY; diff --git a/tests/ref/lavf/gif b/tests/ref/lavf/gif index 531cd1eda7..4d90abe38f 100644 --- a/tests/ref/lavf/gif +++ b/tests/ref/lavf/gif @@ -1,3 +1,3 @@ -e35f5ea283bbcb249818e0078ec72664 *./tests/data/lavf/lavf.gif -2011766 ./tests/data/lavf/lavf.gif +8aef8081e8afa445f63f320f4a1c5edb *./tests/data/lavf/lavf.gif +2030198 ./tests/data/lavf/lavf.gif ./tests/data/lavf/lavf.gif CRC=0x0dc5477c From 9b02aa25937ff0990b7d8558f04293384d682eb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Sep 2013 21:03:48 +0200 Subject: [PATCH 099/492] avcodec/parser: reset indexes on realloc failure Fixes Ticket2982 Signed-off-by: Michael Niedermayer (cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a) Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 500bbb8f54..8a825938a6 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -237,8 +237,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s if(next == END_NOT_FOUND){ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE); - if(!new_buffer) + if(!new_buffer) { + pc->index = 0; return AVERROR(ENOMEM); + } pc->buffer = new_buffer; memcpy(&pc->buffer[pc->index], *buf, *buf_size); pc->index += *buf_size; @@ -251,9 +253,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s /* append to buffer */ if(pc->index){ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE); - - if(!new_buffer) + if(!new_buffer) { + pc->overread_index = + pc->index = 0; return AVERROR(ENOMEM); + } pc->buffer = new_buffer; if (next > -FF_INPUT_BUFFER_PADDING_SIZE) memcpy(&pc->buffer[pc->index], *buf, From b4ccdf5e68c0edc7667b33a61ed15d537579ccc3 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 9 Sep 2013 10:44:27 +0000 Subject: [PATCH 100/492] avcodec/ffv1dec: fix format detection Fixes crash with carefuly designed files. Signed-off-by: Paul B Mahol (cherry picked from commit a27227d401adf12534dc7a26d72e43e2f35f8944) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 25 +++++++------------------ 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index e77cae1960..d1e6e4e864 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -622,47 +622,32 @@ static int read_header(FFV1Context *f) case 0x11: f->avctx->pix_fmt = AV_PIX_FMT_YUV420P; break; case 0x20: f->avctx->pix_fmt = AV_PIX_FMT_YUV411P; break; case 0x22: f->avctx->pix_fmt = AV_PIX_FMT_YUV410P; break; - default: - av_log(f->avctx, AV_LOG_ERROR, "format not supported\n"); - return AVERROR(ENOSYS); } } else if (f->avctx->bits_per_raw_sample <= 8 && f->transparency) { switch(16*f->chroma_h_shift + f->chroma_v_shift) { case 0x00: f->avctx->pix_fmt = AV_PIX_FMT_YUVA444P; break; case 0x10: f->avctx->pix_fmt = AV_PIX_FMT_YUVA422P; break; case 0x11: f->avctx->pix_fmt = AV_PIX_FMT_YUVA420P; break; - default: - av_log(f->avctx, AV_LOG_ERROR, "format not supported\n"); - return AVERROR(ENOSYS); } - } else if (f->avctx->bits_per_raw_sample == 9) { + } else if (f->avctx->bits_per_raw_sample == 9 && !f->transparency) { f->packed_at_lsb = 1; switch(16 * f->chroma_h_shift + f->chroma_v_shift) { case 0x00: f->avctx->pix_fmt = AV_PIX_FMT_YUV444P9; break; case 0x10: f->avctx->pix_fmt = AV_PIX_FMT_YUV422P9; break; case 0x11: f->avctx->pix_fmt = AV_PIX_FMT_YUV420P9; break; - default: - av_log(f->avctx, AV_LOG_ERROR, "format not supported\n"); - return AVERROR(ENOSYS); } - } else if (f->avctx->bits_per_raw_sample == 10) { + } else if (f->avctx->bits_per_raw_sample == 10 && !f->transparency) { f->packed_at_lsb = 1; switch(16 * f->chroma_h_shift + f->chroma_v_shift) { case 0x00: f->avctx->pix_fmt = AV_PIX_FMT_YUV444P10; break; case 0x10: f->avctx->pix_fmt = AV_PIX_FMT_YUV422P10; break; case 0x11: f->avctx->pix_fmt = AV_PIX_FMT_YUV420P10; break; - default: - av_log(f->avctx, AV_LOG_ERROR, "format not supported\n"); - return AVERROR(ENOSYS); } - } else { + } else if (f->avctx->bits_per_raw_sample == 16 && !f->transparency){ switch(16 * f->chroma_h_shift + f->chroma_v_shift) { case 0x00: f->avctx->pix_fmt = AV_PIX_FMT_YUV444P16; break; case 0x10: f->avctx->pix_fmt = AV_PIX_FMT_YUV422P16; break; case 0x11: f->avctx->pix_fmt = AV_PIX_FMT_YUV420P16; break; - default: - av_log(f->avctx, AV_LOG_ERROR, "format not supported\n"); - return AVERROR(ENOSYS); } } } else if (f->colorspace == 1) { @@ -686,6 +671,10 @@ static int read_header(FFV1Context *f) av_log(f->avctx, AV_LOG_ERROR, "colorspace not supported\n"); return AVERROR(ENOSYS); } + if (f->avctx->pix_fmt == AV_PIX_FMT_NONE) { + av_log(f->avctx, AV_LOG_ERROR, "format not supported\n"); + return AVERROR(ENOSYS); + } av_dlog(f->avctx, "%d %d %d\n", f->chroma_h_shift, f->chroma_v_shift, f->avctx->pix_fmt); From a53fd4b7584a0cbf5dd51cf8182f2ac7e4588a05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Oct 2013 19:39:58 +0200 Subject: [PATCH 101/492] update for 2.0.2 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 38f77a65b3..e9307ca575 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.0.1 +2.0.2 diff --git a/VERSION b/VERSION index 38f77a65b3..e9307ca575 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.0.1 +2.0.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 634e818540..391133198f 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.0.1 +PROJECT_NUMBER = 2.0.2 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 9d0bb7fc3991b030603acfe899e6f001e530c89a Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sat, 27 Jul 2013 16:50:19 +0200 Subject: [PATCH 102/492] doc/codecs: fix dangling reference to codec-options chapter (cherry picked from commit b4bd21b7fe2ad8be59b16538448586814e5db65b) Signed-off-by: Michael Niedermayer --- doc/codecs.texi | 1 + doc/encoders.texi | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/codecs.texi b/doc/codecs.texi index 4af8dcd058..6ff2a650b2 100644 --- a/doc/codecs.texi +++ b/doc/codecs.texi @@ -1,3 +1,4 @@ +@anchor{codec-options} @chapter Codec Options @c man begin CODEC OPTIONS diff --git a/doc/encoders.texi b/doc/encoders.texi index 3b35c954e0..b3e574a3e0 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -1005,7 +1005,7 @@ for easy migration. To reduce the duplication of documentation, only the private options and some others requiring special attention are documented here. For the documentation of the undocumented generic options, see -@ref{codec-options}. +@ref{codec-options,,the Codec Options chapter}. To get a more accurate and extensive documentation of the libx264 options, invoke the command @command{x264 --full-help} or consult From f581e25a69052481eb04fe45604036f685f133ae Mon Sep 17 00:00:00 2001 From: mrlika Date: Mon, 2 Sep 2013 15:10:22 +0300 Subject: [PATCH 103/492] lavd/v4l2: do not fail when VIDIOC_ENUMSTD returns EINVAL without a valid match With some (buggy) drivers, the VIDIOC_G_STD ioctl returns a std_id that cannot be matched with any of the enumerated v4l2_standard structures (for example std_id = 0 or std_id = 0xffffff). Do not fail when we reach the end of the enumeration without a valid match. Fixes ticket #2370 Note: This commit message has been modified by Giorgio Vazzana, the original commit message was: "Fixed regression for mandatory VIDIOC_ENUMSTD support by v4l2" Signed-off-by: Michael Niedermayer (cherry picked from commit ed72542539fb61dc3a6d6280d8a6a956ac04a071) --- libavdevice/v4l2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index b1dc7d10a0..3e911701fb 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -685,6 +685,10 @@ static int v4l2_set_parameters(AVFormatContext *s1) standard.index = i; if (v4l2_ioctl(s->fd, VIDIOC_ENUMSTD, &standard) < 0) { ret = AVERROR(errno); + if (ret == AVERROR(EINVAL)) { + tpf = &streamparm.parm.capture.timeperframe; + break; + } av_log(s1, AV_LOG_ERROR, "ioctl(VIDIOC_ENUMSTD): %s\n", av_err2str(ret)); return ret; } From 59431fc84187a5e726a1c67cf39a6b46d7ef36a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2013 23:52:54 +0200 Subject: [PATCH 104/492] avcodec/h264_refs: modify key frame detection heuristic to detect more cases Fixes Ticket2968 Signed-off-by: Michael Niedermayer (cherry picked from commit 5ac6b6028f17b64723884c9fa72cfcbd369a1ba2) --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 8f6262a37b..1b61010549 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -733,7 +733,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count) print_short_term(h); print_long_term(h); - if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=1 + (h->picture_structure != PICT_FRAME) && h->cur_pic_ptr->f.pict_type == AV_PICTURE_TYPE_I){ + if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=2 + (h->picture_structure != PICT_FRAME) && h->cur_pic_ptr->f.pict_type == AV_PICTURE_TYPE_I){ h->cur_pic_ptr->sync |= 1; if(!h->avctx->has_b_frames) h->sync = 2; From 736851264b7998c0e390f208a2438a1493bdf994 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2013 21:43:06 +0200 Subject: [PATCH 105/492] avformat/wavdec: Dont trust the fact chunk for PCM Fixes Ticket3033 Signed-off-by: Michael Niedermayer (cherry picked from commit 83fc6c822b06688e572333299927d93eb3c6c426) --- libavformat/wavdec.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 23c3b9e555..64dd8678b1 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -396,11 +396,15 @@ break_loop: avio_seek(pb, data_ofs, SEEK_SET); - if (!sample_count && st->codec->channels && - av_get_bits_per_sample(st->codec->codec_id) && wav->data_end <= avio_size(pb)) - sample_count = (data_size << 3) / - (st->codec->channels * - (uint64_t)av_get_bits_per_sample(st->codec->codec_id)); + if (!sample_count || av_get_exact_bits_per_sample(st->codec->codec_id) > 0) + if ( st->codec->channels + && data_size + && av_get_bits_per_sample(st->codec->codec_id) + && wav->data_end <= avio_size(pb)) + sample_count = (data_size << 3) + / + (st->codec->channels * (uint64_t)av_get_bits_per_sample(st->codec->codec_id)); + if (sample_count) st->duration = sample_count; From 6de6d9e2d3eda809cf9b48b94795ae5e012d81de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Oct 2013 00:07:28 +0200 Subject: [PATCH 106/492] avformat/matroskadec: only set r_frame_rate if the value is within reasonable limits Fixes Ticket2451 Signed-off-by: Michael Niedermayer (cherry picked from commit 6853e40106cac769f0641183ea0bdd530ae9a0a1) --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index b686eeba75..17726404a0 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1829,7 +1829,8 @@ static int matroska_read_header(AVFormatContext *s) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, 1000000000, track->default_duration, 30000); #if FF_API_R_FRAME_RATE - st->r_frame_rate = st->avg_frame_rate; + if (st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L) + st->r_frame_rate = st->avg_frame_rate; #endif } From 7da810e68b76f7324f3f921999375fb876455f7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2013 22:56:02 +0200 Subject: [PATCH 107/492] avformat/gifdec: make GIF_APP_EXT_LABEL parsing more robust Fixes Ticket3021 Signed-off-by: Michael Niedermayer (cherry picked from commit e1f8184a1a973fd7de1bf53578d09661ec7bad75) --- libavformat/gifdec.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/libavformat/gifdec.c b/libavformat/gifdec.c index e05dc419c7..2981bcabbe 100644 --- a/libavformat/gifdec.c +++ b/libavformat/gifdec.c @@ -164,16 +164,26 @@ static int gif_read_ext(AVFormatContext *s) if ((ret = avio_skip(pb, sb_size - 3)) < 0 ) return ret; } else if (ext_label == GIF_APP_EXT_LABEL) { - uint8_t netscape_ext[sizeof(NETSCAPE_EXT_STR)-1 + 2]; + uint8_t data[256]; - if ((sb_size = avio_r8(pb)) != strlen(NETSCAPE_EXT_STR)) - return 0; - ret = avio_read(pb, netscape_ext, sizeof(netscape_ext)); - if (ret < sizeof(netscape_ext)) + sb_size = avio_r8(pb); + ret = avio_read(pb, data, sb_size); + if (ret < 0 || !sb_size) return ret; - gdc->total_iter = avio_rl16(pb); - if (gdc->total_iter == 0) - gdc->total_iter = -1; + + if (sb_size == strlen(NETSCAPE_EXT_STR)) { + sb_size = avio_r8(pb); + ret = avio_read(pb, data, sb_size); + if (ret < 0 || !sb_size) + return ret; + + if (sb_size == 3 && data[0] == 1) { + gdc->total_iter = AV_RL16(data+1); + + if (gdc->total_iter == 0) + gdc->total_iter = -1; + } + } } if ((ret = gif_skip_subblocks(pb)) < 0) From fb1fb462e598d572371a9b53cfbeeca97809bc67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2013 17:39:19 +0200 Subject: [PATCH 108/492] avformat/mov: force parsing of headers if stts is absent Fixes Ticket2991 Signed-off-by: Michael Niedermayer (cherry picked from commit e41ea866fc26f38d770bbc1ad67703e7f4400ae1) --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9c6ad99d90..54b57b0958 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1697,6 +1697,8 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) { sc->keyframe_absent = 1; + if (!st->need_parsing) + st->need_parsing = AVSTREAM_PARSE_HEADERS; return 0; } if (entries >= UINT_MAX / sizeof(int)) From 17d169ce0f0786fffa9e6d685f070bb331717950 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Thu, 24 Oct 2013 21:14:55 +0200 Subject: [PATCH 109/492] doc/Makefile: fix man pages uninstall path Fix trac ticket #3054. (cherry picked from commit af1c5388501e80e6d92704bb70610998226e5e51) --- doc/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/Makefile b/doc/Makefile index cd24b8c597..985999032e 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -103,8 +103,8 @@ endif uninstall: uninstall-man uninstall-man: - $(RM) $(addprefix "$(MANDIR)/man1/",$(MANPAGES1)) - $(RM) $(addprefix "$(MANDIR)/man3/",$(MANPAGES3)) + $(RM) $(addprefix "$(MANDIR)/man1/",$(PROGS-yes:%=%.1) $(PROGS-yes:%=%-all.1) $(COMPONENTS-yes:%=%.1)) + $(RM) $(addprefix "$(MANDIR)/man3/",$(LIBRARIES-yes:%=%.3)) clean:: docclean From cd7d575e90ceada5a9914d029124388d4993cc9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Oct 2013 23:11:41 +0200 Subject: [PATCH 110/492] avcodec/h264: do not trust last_pic_droppable when marking pictures as done This simplifies the code and fixes a deadlock Fixes Ticket2927 Signed-off-by: Michael Niedermayer (cherry picked from commit 29ffeef5e73b8f41ff3a3f2242d356759c66f91f) --- libavcodec/h264.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 82c243cb0a..8c64d260d5 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3461,7 +3461,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) assert(h0->cur_pic_ptr->reference != DELAYED_PIC_REF); /* Mark old field/frame as completed */ - if (!last_pic_droppable && h0->cur_pic_ptr->tf.owner == h0->avctx) { + if (h0->cur_pic_ptr->tf.owner == h0->avctx) { ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX, last_pic_structure == PICT_BOTTOM_FIELD); } @@ -3470,7 +3470,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) if (!FIELD_PICTURE(h) || h->picture_structure == last_pic_structure) { /* Previous field is unmatched. Don't display it, but let it * remain for reference if marked as such. */ - if (!last_pic_droppable && last_pic_structure != PICT_FRAME) { + if (last_pic_structure != PICT_FRAME) { ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX, last_pic_structure == PICT_TOP_FIELD); } @@ -3480,7 +3480,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) * different frame_nums. Consider this field first in * pair. Throw away previous field except for reference * purposes. */ - if (!last_pic_droppable && last_pic_structure != PICT_FRAME) { + if (last_pic_structure != PICT_FRAME) { ff_thread_report_progress(&h0->cur_pic_ptr->tf, INT_MAX, last_pic_structure == PICT_TOP_FIELD); } From b7154758de3f2ec46da1096a8a95645d3d315c39 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2013 12:50:26 +0200 Subject: [PATCH 111/492] avformat/wavdec: Fix smv packet interleaving This strips the relative timestamp "flag" off. Fixes Ticket2849 Signed-off-by: Michael Niedermayer (cherry picked from commit 6abb9eb525239f954ec12e52fc209e6dfce2a6d4) --- libavformat/wavdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 64dd8678b1..7f3eaf0748 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -462,8 +462,8 @@ static int wav_read_packet(AVFormatContext *s, AVPacket *pkt) if (wav->smv_data_ofs > 0) { int64_t audio_dts, video_dts; smv_retry: - audio_dts = s->streams[0]->cur_dts; - video_dts = s->streams[1]->cur_dts; + audio_dts = (int32_t)s->streams[0]->cur_dts; + video_dts = (int32_t)s->streams[1]->cur_dts; if (audio_dts != AV_NOPTS_VALUE && video_dts != AV_NOPTS_VALUE) { /*We always return a video frame first to get the pixel format first*/ From 94c7ee4d9e03445c9109bea328a4e01b0bd56ad6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2013 19:35:55 +0200 Subject: [PATCH 112/492] avformat/mp3dec: perform seek resync in the correct direction Fixes seeking to the last frame in CBR files Fixes Ticket2773 Signed-off-by: Michael Niedermayer (cherry picked from commit ba8716df7fb541fb690d1a898cda0e12f9011faf) --- libavformat/mp3dec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index c9973c5142..f9815cce81 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -288,6 +288,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, AVStream *st = s->streams[0]; int64_t ret = av_index_search_timestamp(st, timestamp, flags); int i, j; + int dir = (flags&AVSEEK_FLAG_BACKWARD) ? -1 : 1; if (mp3->is_cbr && st->duration > 0 && mp3->header_filesize > s->data_offset) { int64_t filesize = avio_size(s->pb); @@ -317,7 +318,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, #define MIN_VALID 3 for(i=0; i<4096; i++) { - int64_t pos = ie->pos + i; + int64_t pos = ie->pos + i*dir; for(j=0; jpb, ie->pos + i, SEEK_SET); + ret = avio_seek(s->pb, ie->pos + i*dir, SEEK_SET); if (ret < 0) return ret; ff_update_cur_dts(s, st, ie->timestamp); From 782331be1eb23717a2c7633f8e364f0e833275e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2013 20:03:29 +0200 Subject: [PATCH 113/492] avcodec/h264: reduce noisiness of "mmco: unref short failure" Do not consider it an error if we have no frames and should discard one. This condition can easily happen when decoding is started from an I frame Fixes Ticket2811 Signed-off-by: Michael Niedermayer (cherry picked from commit 08a89761964bdd0a023eff6d37a1131fb7e1d7a0) --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 1b61010549..954af21a63 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -583,7 +583,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count) if (mmco[i].opcode != MMCO_SHORT2LONG || !h->long_ref[mmco[i].long_arg] || h->long_ref[mmco[i].long_arg]->frame_num != frame_num) { - av_log(h->avctx, AV_LOG_ERROR, "mmco: unref short failure\n"); + av_log(h->avctx, h->short_ref_count ? AV_LOG_ERROR : AV_LOG_DEBUG, "mmco: unref short failure\n"); err = AVERROR_INVALIDDATA; } continue; From 1d0e58372885aa29a3c0f856bec522bd41b0307e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2013 01:22:38 +0200 Subject: [PATCH 114/492] h264: make flush_change() set mmco_reset This ensures that frames do not get mixed on context reinits Fixes Ticket2836 Signed-off-by: Michael Niedermayer (cherry picked from commit 3c9dd93faa9f3c250428dd0548c075583aa07cc3) --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 8c64d260d5..21c827a406 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2660,6 +2660,7 @@ static void flush_change(H264Context *h) h->sync= 0; h->list_count = 0; h->current_slice = 0; + h->mmco_reset = 1; } /* forget old pics after a seek */ From f51483491749895c6d097cd02475ee2162502051 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Oct 2013 01:03:19 +0200 Subject: [PATCH 115/492] avformat/utils: do not override pts in h264 when they are provided from the demuxer Fixes Ticket2143 Signed-off-by: Michael Niedermayer (cherry picked from commit 1e5271a9fd6ddcceb083f2185a4bbd8d44c9a813) --- libavformat/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 070c224ecd..ea07d9bff8 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1061,12 +1061,14 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, if (pkt->dts != AV_NOPTS_VALUE) { // got DTS from the stream, update reference timestamp st->reference_dts = pkt->dts - pc->dts_ref_dts_delta * num / den; - pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; } else if (st->reference_dts != AV_NOPTS_VALUE) { // compute DTS based on reference timestamp pkt->dts = st->reference_dts + pc->dts_ref_dts_delta * num / den; - pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; } + + if (st->reference_dts != AV_NOPTS_VALUE && pkt->pts == AV_NOPTS_VALUE) + pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; + if (pc->dts_sync_point > 0) st->reference_dts = pkt->dts; // new reference } From 1fa7ad2e20dbaf4dffcc9441cb9558a3bf7ceea4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Oct 2013 14:16:12 +0200 Subject: [PATCH 116/492] ffmpeg_filter: Fix non jpeg yuv in jpeg support This is a regression, did not bisect so dont know what caused it but likely some changes to the command line handling code. Signed-off-by: Michael Niedermayer (cherry picked from commit d9bc251d3978cf0b9722991f7c23edebca7abb18) --- ffmpeg_filter.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ffmpeg_filter.c b/ffmpeg_filter.c index 1fe2106a7c..7d264c0e92 100644 --- a/ffmpeg_filter.c +++ b/ffmpeg_filter.c @@ -92,6 +92,11 @@ void choose_sample_fmt(AVStream *st, AVCodec *codec) static char *choose_pix_fmts(OutputStream *ost) { + AVDictionaryEntry *strict_dict = av_dict_get(ost->opts, "strict", NULL, 0); + if (strict_dict) + // used by choose_pixel_fmt() and below + av_opt_set(ost->st->codec, "strict", strict_dict->value, 0); + if (ost->keep_pix_fmt) { if (ost->filter) avfilter_graph_set_auto_convert(ost->filter->graph->graph, From beb28bc55dc73ae18e6a51e6f8f06ea0399da3e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Oct 2013 23:56:52 +0100 Subject: [PATCH 117/492] avcodec/bink: fix seeking to frame 0 Fixes Ticket3088 Signed-off-by: Michael Niedermayer (cherry picked from commit cb52d6da0a9c88c584a38a9a7a94825565854b7e) Conflicts: libavcodec/bink.c --- libavcodec/bink.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index ce8dcb04c3..dd53a1d76b 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -120,6 +120,7 @@ typedef struct BinkContext { int version; ///< internal Bink file version int has_alpha; int swap_planes; + unsigned frame_num; Bundle bundle[BINKB_NB_SRC]; ///< bundles for decoding all data types Tree col_high[16]; ///< trees for decoding high nibble in "colours" data type @@ -1206,6 +1207,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac if (c->version >= 'i') skip_bits_long(&gb, 32); + c->frame_num++; + for (plane = 0; plane < 3; plane++) { plane_idx = (!plane || !c->swap_planes) ? plane : (plane ^ 3); @@ -1214,7 +1217,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac return ret; } else { if ((ret = binkb_decode_plane(c, frame, &gb, plane_idx, - !avctx->frame_number, !!plane)) < 0) + c->frame_num == 1, !!plane)) < 0) return ret; } if (get_bits_count(&gb) >= bits_count) @@ -1332,6 +1335,13 @@ static av_cold int decode_end(AVCodecContext *avctx) return 0; } +static void flush(AVCodecContext *avctx) +{ + BinkContext * const c = avctx->priv_data; + + c->frame_num = 0; +} + AVCodec ff_bink_decoder = { .name = "binkvideo", .type = AVMEDIA_TYPE_VIDEO, @@ -1341,5 +1351,6 @@ AVCodec ff_bink_decoder = { .close = decode_end, .decode = decode_frame, .long_name = NULL_IF_CONFIG_SMALL("Bink video"), + .flush = flush, .capabilities = CODEC_CAP_DR1, }; From 9a22d6dd6326f80dd8af93c964a57428ef08deeb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2013 03:02:36 +0100 Subject: [PATCH 118/492] avformat/utils: dont count attached pics toward the probesize Such pics behave more like headers which we also dont count. Fixes Ticket3146 Signed-off-by: Michael Niedermayer (cherry picked from commit a8dec360c5db15e8da4b44ff3c0f02a6c57e8ac0) --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index ea07d9bff8..a010f29cb9 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2793,9 +2793,10 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) goto find_stream_info_err; } - read_size += pkt->size; - st = ic->streams[pkt->stream_index]; + if (!(st->disposition & AV_DISPOSITION_ATTACHED_PIC)) + read_size += pkt->size; + if (pkt->dts != AV_NOPTS_VALUE && st->codec_info_nb_frames > 1) { /* check for non-increasing dts */ if (st->info->fps_last_dts != AV_NOPTS_VALUE && From ff4c53e8b306c5d61b3c5368cbb9daeffa5b4728 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Fri, 8 Nov 2013 23:55:06 +0100 Subject: [PATCH 119/492] build: avoid stdin stall with GNU AS probing. a758c5e added probing for various tools, such as AS. Unfortunately, GNU AS is reading stdin with -v, and thus configure is stalled with configure arguments such as --as=as. Fixes Ticket #1898. (cherry picked from commit dbb41f93c16cbc65a899a75723c95da51c851cd5) --- configure | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 03954a4118..47865b62ad 100755 --- a/configure +++ b/configure @@ -2801,7 +2801,9 @@ probe_cc(){ unset _depflags _DEPCMD _DEPFLAGS _flags_filter=echo - if $_cc -v 2>&1 | grep -q '^gcc.*LLVM'; then + if $_cc --version 2>&1 | grep -q '^GNU assembler'; then + true # no-op to avoid reading stdin in following checks + elif $_cc -v 2>&1 | grep -q '^gcc.*LLVM'; then _type=llvm_gcc gcc_extra_ver=$(expr "$($_cc --version | head -n1)" : '.*\((.*)\)') _ident="llvm-gcc $($_cc -dumpversion) $gcc_extra_ver" From 93716f7bea11918b54b38d64f1de15aa38eea45e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sat, 19 Oct 2013 19:39:28 +0200 Subject: [PATCH 120/492] avformat/image2: allow muxing gif files. Fixes Ticket #2936. (cherry picked from commit f70db22999d713da3306bf29ec763d670b9bf1ea) Conflicts: libavformat/img2enc.c --- libavformat/img2enc.c | 42 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 39 insertions(+), 3 deletions(-) diff --git a/libavformat/img2enc.c b/libavformat/img2enc.c index 11e5801253..e995af4a32 100644 --- a/libavformat/img2enc.c +++ b/libavformat/img2enc.c @@ -21,6 +21,7 @@ */ #include "libavutil/intreadwrite.h" +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/log.h" #include "libavutil/opt.h" @@ -37,6 +38,7 @@ typedef struct { int split_planes; /**< use independent file for each Y, U, V plane */ char path[1024]; int update; + const char *muxer; } VideoMuxData; static int write_header(AVFormatContext *s) @@ -44,7 +46,6 @@ static int write_header(AVFormatContext *s) VideoMuxData *img = s->priv_data; AVStream *st = s->streams[0]; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(st->codec->pix_fmt); - const char *str; av_strlcpy(img->path, s->filename, sizeof(img->path)); @@ -54,14 +55,18 @@ static int write_header(AVFormatContext *s) else img->is_pipe = 1; - str = strrchr(img->path, '.'); + if (st->codec->codec_id == AV_CODEC_ID_GIF) { + img->muxer = "gif"; + } else if (st->codec->codec_id == AV_CODEC_ID_RAWVIDEO) { + const char *str = strrchr(img->path, '.'); + /* TODO: reindent */ img->split_planes = str && !av_strcasecmp(str + 1, "y") && s->nb_streams == 1 - && st->codec->codec_id == AV_CODEC_ID_RAWVIDEO && desc &&(desc->flags & AV_PIX_FMT_FLAG_PLANAR) && desc->nb_components >= 3; + } return 0; } @@ -115,6 +120,37 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) avio_write(pb[3], pkt->data + ysize + 2*usize, ysize); avio_close(pb[3]); } + } else if (img->muxer) { + int ret; + AVStream *st; + AVPacket pkt2 = {0}; + AVFormatContext *fmt = NULL; + + av_assert0(!img->split_planes); + + ret = avformat_alloc_output_context2(&fmt, NULL, img->muxer, s->filename); + if (ret < 0) + return ret; + st = avformat_new_stream(fmt, NULL); + if (!st) { + avformat_free_context(fmt); + return AVERROR(ENOMEM); + } + st->id = pkt->stream_index; + + fmt->pb = pb[0]; + if ((ret = av_copy_packet(&pkt2, pkt)) < 0 || + (ret = av_dup_packet(&pkt2)) < 0 || + (ret = avcodec_copy_context(st->codec, s->streams[0]->codec)) < 0 || + (ret = avformat_write_header(fmt, NULL)) < 0 || + (ret = av_interleaved_write_frame(fmt, &pkt2)) < 0 || + (ret = av_write_trailer(fmt)) < 0) { + av_free_packet(&pkt2); + avformat_free_context(fmt); + return ret; + } + av_free_packet(&pkt2); + avformat_free_context(fmt); } else { avio_write(pb[0], pkt->data, pkt->size); } From 8f7d839e15c98ada33b60d4e51ffa200473e7905 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Mon, 28 Oct 2013 11:50:09 +0100 Subject: [PATCH 121/492] lavd/lavfi: support unknown channel layouts. (cherry picked from commit 863fb11f63f7f60feec390f3c54dd13606e07d05) --- libavdevice/lavfi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavdevice/lavfi.c b/libavdevice/lavfi.c index 9322ce5961..dcb94adbe0 100644 --- a/libavdevice/lavfi.c +++ b/libavdevice/lavfi.c @@ -248,6 +248,10 @@ av_cold static int lavfi_read_header(AVFormatContext *avctx) ret = av_opt_set_int_list(sink, "sample_fmts", sample_fmts, AV_SAMPLE_FMT_NONE, AV_OPT_SEARCH_CHILDREN); if (ret < 0) goto end; + ret = av_opt_set_int(sink, "all_channel_counts", 1, + AV_OPT_SEARCH_CHILDREN); + if (ret < 0) + goto end; } lavfi->sinks[i] = sink; From 62baf22ec085a52a4ccb09cbd20a8d15c8496bdd Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Tue, 3 Sep 2013 22:12:54 +0200 Subject: [PATCH 122/492] lavfi/avfiltergraph: suggest a solution when format selection fails. Format selection can fail if unknown channel layouts are used with filters that do not support it. (cherry picked from commit f775eb3fb4c7b716107355e428e40cb63f71ee7a) --- libavfilter/avfiltergraph.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 8c400028d8..444a1a130a 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -575,6 +575,10 @@ static int pick_format(AVFilterLink *link, AVFilterLink *ref) av_log(link->src, AV_LOG_ERROR, "Cannot select channel layout for" " the link between filters %s and %s.\n", link->src->name, link->dst->name); + if (!link->in_channel_layouts->all_counts) + av_log(link->src, AV_LOG_ERROR, "Unknown channel layouts not " + "supported, try specifying a channel layout using " + "'aformat=channel_layouts=something'.\n"); return AVERROR(EINVAL); } link->in_channel_layouts->nb_channel_layouts = 1; From c2d37e736428d3daf9d0d0795af2815fd11dc432 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Tue, 3 Sep 2013 22:13:49 +0200 Subject: [PATCH 123/492] lavfi/avfiltergraph: do not reduce incompatible lists. A list of "all channel layouts" but not "all channel counts" can not be reduced to a single unknown channel count. (cherry picked from commit d300f5f6f570659e4b58567b35c9e8600c9f2956) --- libavfilter/avfiltergraph.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 444a1a130a..4ae108f810 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -661,7 +661,8 @@ static int reduce_formats_on_filter(AVFilterContext *filter) if (inlink->type != outlink->type || fmts->nb_channel_layouts == 1) continue; - if (fmts->all_layouts) { + if (fmts->all_layouts && + (!FF_LAYOUT2COUNT(fmt) || fmts->all_counts)) { /* Turn the infinite list into a singleton */ fmts->all_layouts = fmts->all_counts = 0; ff_add_channel_layout(&outlink->in_channel_layouts, fmt); From 9a4acedf3177d2fa6c521d60022d4dcc2110411a Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Fri, 25 Oct 2013 15:07:40 +0200 Subject: [PATCH 124/492] lavfi: parsing helper for unknown channel layouts. Make ff_parse_channel_layout() accept unknown layouts too. (cherry picked from commit 6e2473edfda26a556c615ebc04d8aeba800bef7e) --- libavfilter/af_aconvert.c | 2 +- libavfilter/af_pan.c | 2 +- libavfilter/asrc_aevalsrc.c | 2 +- libavfilter/asrc_anullsrc.c | 2 +- libavfilter/formats.c | 17 +++++++++++++++-- libavfilter/internal.h | 5 ++++- 6 files changed, 23 insertions(+), 7 deletions(-) diff --git a/libavfilter/af_aconvert.c b/libavfilter/af_aconvert.c index 970e801152..30737ece50 100644 --- a/libavfilter/af_aconvert.c +++ b/libavfilter/af_aconvert.c @@ -66,7 +66,7 @@ static av_cold int init(AVFilterContext *ctx) (ret = ff_parse_sample_format(&aconvert->out_sample_fmt, aconvert->format_str, ctx)) < 0) return ret; if (aconvert->channel_layout_str && strcmp(aconvert->channel_layout_str, "auto")) - return ff_parse_channel_layout(&aconvert->out_chlayout, aconvert->channel_layout_str, ctx); + return ff_parse_channel_layout(&aconvert->out_chlayout, NULL, aconvert->channel_layout_str, ctx); return ret; } diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 800c40a851..2475c91ee5 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -116,7 +116,7 @@ static av_cold int init(AVFilterContext *ctx) if (!args) return AVERROR(ENOMEM); arg = av_strtok(args, "|", &tokenizer); - ret = ff_parse_channel_layout(&pan->out_channel_layout, arg, ctx); + ret = ff_parse_channel_layout(&pan->out_channel_layout, NULL, arg, ctx); if (ret < 0) goto fail; pan->nb_output_channels = av_get_channel_layout_nb_channels(pan->out_channel_layout); diff --git a/libavfilter/asrc_aevalsrc.c b/libavfilter/asrc_aevalsrc.c index 9d2ac9c70e..652f759665 100644 --- a/libavfilter/asrc_aevalsrc.c +++ b/libavfilter/asrc_aevalsrc.c @@ -109,7 +109,7 @@ static int init(AVFilterContext *ctx) if (eval->chlayout_str) { int n; - ret = ff_parse_channel_layout(&eval->chlayout, eval->chlayout_str, ctx); + ret = ff_parse_channel_layout(&eval->chlayout, NULL, eval->chlayout_str, ctx); if (ret < 0) goto end; diff --git a/libavfilter/asrc_anullsrc.c b/libavfilter/asrc_anullsrc.c index 5a009c38b0..38ddeb1e70 100644 --- a/libavfilter/asrc_anullsrc.c +++ b/libavfilter/asrc_anullsrc.c @@ -68,7 +68,7 @@ static int init(AVFilterContext *ctx) null->sample_rate_str, ctx)) < 0) return ret; - if ((ret = ff_parse_channel_layout(&null->channel_layout, + if ((ret = ff_parse_channel_layout(&null->channel_layout, NULL, null->channel_layout_str, ctx)) < 0) return ret; diff --git a/libavfilter/formats.c b/libavfilter/formats.c index ae8a45694a..5843e34a2d 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -629,10 +629,21 @@ int ff_parse_sample_rate(int *ret, const char *arg, void *log_ctx) return 0; } -int ff_parse_channel_layout(int64_t *ret, const char *arg, void *log_ctx) +int ff_parse_channel_layout(int64_t *ret, int *nret, const char *arg, + void *log_ctx) { char *tail; - int64_t chlayout = av_get_channel_layout(arg); + int64_t chlayout, count; + + if (nret) { + count = strtol(arg, &tail, 10); + if (*tail == 'c' && !tail[1] && count > 0 && count < 63) { + *nret = count; + *ret = 0; + return 0; + } + } + chlayout = av_get_channel_layout(arg); if (chlayout == 0) { chlayout = strtol(arg, &tail, 10); if (*tail || chlayout == 0) { @@ -641,6 +652,8 @@ int ff_parse_channel_layout(int64_t *ret, const char *arg, void *log_ctx) } } *ret = chlayout; + if (nret) + *nret = av_get_channel_layout_nb_channels(chlayout); return 0; } diff --git a/libavfilter/internal.h b/libavfilter/internal.h index f7df6d3b41..000890f1ce 100644 --- a/libavfilter/internal.h +++ b/libavfilter/internal.h @@ -217,11 +217,14 @@ int ff_parse_sample_format(int *ret, const char *arg, void *log_ctx); * Parse a channel layout or a corresponding integer representation. * * @param ret 64bit integer pointer to where the value should be written. + * @param nret integer pointer to the number of channels; + * if not NULL, then unknown channel layouts are accepted * @param arg string to parse * @param log_ctx log context * @return 0 in case of success, a negative AVERROR code on error */ -int ff_parse_channel_layout(int64_t *ret, const char *arg, void *log_ctx); +int ff_parse_channel_layout(int64_t *ret, int *nret, const char *arg, + void *log_ctx); void ff_update_link_current_pts(AVFilterLink *link, int64_t pts); From 02c8c064ea285c39dede64ad5cbad0dc5ad66c6d Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Fri, 25 Oct 2013 16:11:30 +0200 Subject: [PATCH 125/492] lswr: fix assert failure on unknown layouts. (cherry picked from commit 4a640a6ac89099bfb02d6d3d3ada04e321a37476) --- libswresample/rematrix.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 2ebe39772e..44ad792787 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -424,8 +424,8 @@ int swri_rematrix(SwrContext *s, AudioData *out, AudioData *in, int len, int mus off = len1 * out->bps; } - av_assert0(out->ch_count == av_get_channel_layout_nb_channels(s->out_ch_layout)); - av_assert0(in ->ch_count == av_get_channel_layout_nb_channels(s-> in_ch_layout)); + av_assert0(!s->out_ch_layout || out->ch_count == av_get_channel_layout_nb_channels(s->out_ch_layout)); + av_assert0(!s-> in_ch_layout || in ->ch_count == av_get_channel_layout_nb_channels(s-> in_ch_layout)); for(out_i=0; out_ich_count; out_i++){ switch(s->matrix_ch[out_i][0]){ From cf8462ce00a7f8fbb2df5443de0b3df0dd38d647 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Fri, 25 Oct 2013 16:02:04 +0200 Subject: [PATCH 126/492] lavfi/af_pan: support unknown layouts on output. (cherry picked from commit 4e9adc9b7363cc336e3d47c98455e1508902fd29) --- libavfilter/af_pan.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 2475c91ee5..c3bfeca490 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -116,10 +116,10 @@ static av_cold int init(AVFilterContext *ctx) if (!args) return AVERROR(ENOMEM); arg = av_strtok(args, "|", &tokenizer); - ret = ff_parse_channel_layout(&pan->out_channel_layout, NULL, arg, ctx); + ret = ff_parse_channel_layout(&pan->out_channel_layout, + &pan->nb_output_channels, arg, ctx); if (ret < 0) goto fail; - pan->nb_output_channels = av_get_channel_layout_nb_channels(pan->out_channel_layout); /* parse channel specifications */ while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) { @@ -244,7 +244,9 @@ static int query_formats(AVFilterContext *ctx) // outlink supports only requested output channel layout layouts = NULL; - ff_add_channel_layout(&layouts, pan->out_channel_layout); + ff_add_channel_layout(&layouts, + pan->out_channel_layout ? pan->out_channel_layout : + FF_COUNT2LAYOUT(pan->nb_output_channels)); ff_channel_layouts_ref(layouts, &outlink->in_channel_layouts); return 0; } @@ -286,6 +288,8 @@ static int config_props(AVFilterLink *link) 0, ctx); if (!pan->swr) return AVERROR(ENOMEM); + if (!pan->out_channel_layout) + av_opt_set_int(pan->swr, "och", pan->nb_output_channels, 0); // gains are pure, init the channel mapping if (pan->pure_gains) { From 2005887707fe6ecb5fb35aa7f1ec6e7680982425 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Fri, 25 Oct 2013 16:12:06 +0200 Subject: [PATCH 127/492] lavfi/af_pan: support unknown layouts on input. Fix trac ticket #2899. (cherry picked from commit 7b0a587393e03dab552d66450d43ab82bda0a5a1) --- libavfilter/af_pan.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index c3bfeca490..c5a58e0713 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -46,7 +46,6 @@ typedef struct PanContext { double gain[MAX_CHANNELS][MAX_CHANNELS]; int64_t need_renorm; int need_renumber; - int nb_input_channels; int nb_output_channels; int pure_gains; @@ -239,7 +238,7 @@ static int query_formats(AVFilterContext *ctx) ff_set_common_samplerates(ctx, formats); // inlink supports any channel layout - layouts = ff_all_channel_layouts(); + layouts = ff_all_channel_counts(); ff_channel_layouts_ref(layouts, &inlink->out_channel_layouts); // outlink supports only requested output channel layout @@ -259,7 +258,6 @@ static int config_props(AVFilterLink *link) int i, j, k, r; double t; - pan->nb_input_channels = av_get_channel_layout_nb_channels(link->channel_layout); if (pan->need_renumber) { // input channels were given by their name: renumber them for (i = j = 0; i < MAX_CHANNELS; i++) { @@ -273,7 +271,7 @@ static int config_props(AVFilterLink *link) // sanity check; can't be done in query_formats since the inlink // channel layout is unknown at that time - if (pan->nb_input_channels > SWR_CH_MAX || + if (link->channels > SWR_CH_MAX || pan->nb_output_channels > SWR_CH_MAX) { av_log(ctx, AV_LOG_ERROR, "libswresample support a maximum of %d channels. " @@ -288,6 +286,8 @@ static int config_props(AVFilterLink *link) 0, ctx); if (!pan->swr) return AVERROR(ENOMEM); + if (!link->channel_layout) + av_opt_set_int(pan->swr, "ich", link->channels, 0); if (!pan->out_channel_layout) av_opt_set_int(pan->swr, "och", pan->nb_output_channels, 0); @@ -297,7 +297,7 @@ static int config_props(AVFilterLink *link) // get channel map from the pure gains for (i = 0; i < pan->nb_output_channels; i++) { int ch_id = -1; - for (j = 0; j < pan->nb_input_channels; j++) { + for (j = 0; j < link->channels; j++) { if (pan->gain[i][j]) { ch_id = j; break; @@ -315,7 +315,7 @@ static int config_props(AVFilterLink *link) if (!((pan->need_renorm >> i) & 1)) continue; t = 0; - for (j = 0; j < pan->nb_input_channels; j++) + for (j = 0; j < link->channels; j++) t += pan->gain[i][j]; if (t > -1E-5 && t < 1E-5) { // t is almost 0 but not exactly, this is probably a mistake @@ -324,7 +324,7 @@ static int config_props(AVFilterLink *link) "Degenerate coefficients while renormalizing\n"); continue; } - for (j = 0; j < pan->nb_input_channels; j++) + for (j = 0; j < link->channels; j++) pan->gain[i][j] /= t; } av_opt_set_int(pan->swr, "icl", link->channel_layout, 0); @@ -339,7 +339,7 @@ static int config_props(AVFilterLink *link) // summary for (i = 0; i < pan->nb_output_channels; i++) { cur = buf; - for (j = 0; j < pan->nb_input_channels; j++) { + for (j = 0; j < link->channels; j++) { r = snprintf(cur, buf + sizeof(buf) - cur, "%s%.3g i%d", j ? " + " : "", pan->gain[i][j], j); cur += FFMIN(buf + sizeof(buf) - cur, r); From 5c7d6be5f9abcee0179796691b01859cbe7a4d31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Dec 2013 16:49:00 +0100 Subject: [PATCH 128/492] avcodec/error_resilience: factor er_supported() check out Signed-off-by: Michael Niedermayer (cherry picked from commit afb18c55783362546b5e512ce01b7fe7bf5744d9) --- libavcodec/error_resilience.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index c9f5e1f6b5..77a9d26ce7 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -762,6 +762,17 @@ void ff_er_frame_start(ERContext *s) s->error_occurred = 0; } +static int er_supported(ERContext *s) +{ + if(s->avctx->hwaccel || + s->avctx->codec->capabilities&CODEC_CAP_HWACCEL_VDPAU || + !s->cur_pic || + s->cur_pic->field_picture + ) + return 0; + return 1; +} + /** * Add a slice. * @param endx x component of the last macroblock, can be -1 @@ -853,9 +864,7 @@ void ff_er_frame_end(ERContext *s) * though it should not crash if enabled. */ if (!s->avctx->err_recognition || s->error_count == 0 || s->avctx->lowres || - s->avctx->hwaccel || - s->avctx->codec->capabilities&CODEC_CAP_HWACCEL_VDPAU || - !s->cur_pic || s->cur_pic->field_picture || + !er_supported(s) || s->error_count == 3 * s->mb_width * (s->avctx->skip_top + s->avctx->skip_bottom)) { return; From 0639e403bed5aa5ae74d7de08934cfb8432d21fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Dec 2013 16:49:35 +0100 Subject: [PATCH 129/492] avcodec/error_resilience: check that er is supported before attempting to read the status of the previous slice Fixes incorrectly set error_occured and improves speed Signed-off-by: Michael Niedermayer (cherry picked from commit 90539cea336fd513c47295a03c164cb4a851166f) --- libavcodec/error_resilience.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 77a9d26ce7..73f7f3b76f 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -839,7 +839,7 @@ void ff_er_add_slice(ERContext *s, int startx, int starty, s->error_status_table[start_xy] |= VP_START; if (start_xy > 0 && !(s->avctx->active_thread_type & FF_THREAD_SLICE) && - s->avctx->skip_top * s->mb_width < start_i) { + er_supported(s) && s->avctx->skip_top * s->mb_width < start_i) { int prev_status = s->error_status_table[s->mb_index2xy[start_i - 1]]; prev_status &= ~ VP_START; From 7e737609504091afae983412c004fbbae131d40c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Dec 2013 01:41:10 +0100 Subject: [PATCH 130/492] avcodec/cabac: force get_cabac to be not inlined works around bug in gccs inline asm register assignment Fixes Ticket3177 gcc from 4.4 to 4.6 is affected at least, no non affected gccs known clang seems not affected Signed-off-by: Michael Niedermayer (cherry picked from commit 0538b29ae8002c44f27bae8a1a6fc6e646998be5) --- libavcodec/cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index 187b7dc445..370cbf2a94 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c @@ -306,7 +306,7 @@ STOP_TIMER("get_cabac_bypass") for(i=0; i Date: Sun, 15 Dec 2013 14:10:02 +0100 Subject: [PATCH 131/492] swscale/utils: remove useless () Signed-off-by: Michael Niedermayer (cherry picked from commit 554e913fd7acc9da02ddac2c5ce9487f7f633c92) --- libswscale/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 5170321176..c87cbf5848 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1268,8 +1268,8 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, dst_stride <<= 1; if (INLINE_MMXEXT(cpu_flags) && c->srcBpc == 8 && c->dstBpc <= 14) { - c->canMMXEXTBeUsed = (dstW >= srcW && (dstW & 31) == 0 && - (srcW & 15) == 0) ? 1 : 0; + c->canMMXEXTBeUsed = dstW >= srcW && (dstW & 31) == 0 && + (srcW & 15) == 0; if (!c->canMMXEXTBeUsed && dstW >= srcW && (srcW & 15) == 0 && (flags & SWS_FAST_BILINEAR)) { From bd339d4882851ca0d8ffdcb7f12785e89bf6092e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Dec 2013 14:13:55 +0100 Subject: [PATCH 132/492] swscale/utils: check chroma width for fast bilinear scaler Fixes artifacts where fast bilinear was used for downscaling chroma Signed-off-by: Michael Niedermayer (cherry picked from commit 037fc3b054b10aee0f11fdbe835e5dffa8e95b37) --- libswscale/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index c87cbf5848..ee136ac830 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1269,8 +1269,9 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, if (INLINE_MMXEXT(cpu_flags) && c->srcBpc == 8 && c->dstBpc <= 14) { c->canMMXEXTBeUsed = dstW >= srcW && (dstW & 31) == 0 && + c->chrDstW >= c->chrSrcW && (srcW & 15) == 0; - if (!c->canMMXEXTBeUsed && dstW >= srcW && (srcW & 15) == 0 + if (!c->canMMXEXTBeUsed && dstW >= srcW && c->chrDstW >= c->chrSrcW && (srcW & 15) == 0 && (flags & SWS_FAST_BILINEAR)) { if (flags & SWS_PRINT_INFO) From 62f05d6309b8b7116403ccf92b5386f48805448d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Dec 2013 15:02:35 +0200 Subject: [PATCH 133/492] arm: Don't clobber callee saved registers in scalarproduct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit q4-q7/d8-d15 are supposed to not be clobbered by the callee. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d307e408d4a9ada22df443cc38be77cc5e492694) --- libavcodec/arm/int_neon.S | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/arm/int_neon.S b/libavcodec/arm/int_neon.S index dea1ad51eb..b3f5a69ea4 100644 --- a/libavcodec/arm/int_neon.S +++ b/libavcodec/arm/int_neon.S @@ -41,10 +41,10 @@ function ff_scalarproduct_int16_neon, export=1 vpadd.s32 d16, d0, d1 vpadd.s32 d17, d2, d3 - vpadd.s32 d10, d4, d5 - vpadd.s32 d11, d6, d7 + vpadd.s32 d18, d4, d5 + vpadd.s32 d19, d6, d7 vpadd.s32 d0, d16, d17 - vpadd.s32 d1, d10, d11 + vpadd.s32 d1, d18, d19 vpadd.s32 d2, d0, d1 vpaddl.s32 d3, d2 vmov.32 r0, d3[0] @@ -81,10 +81,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1 vpadd.s32 d16, d0, d1 vpadd.s32 d17, d2, d3 - vpadd.s32 d10, d4, d5 - vpadd.s32 d11, d6, d7 + vpadd.s32 d18, d4, d5 + vpadd.s32 d19, d6, d7 vpadd.s32 d0, d16, d17 - vpadd.s32 d1, d10, d11 + vpadd.s32 d1, d18, d19 vpadd.s32 d2, d0, d1 vpaddl.s32 d3, d2 vmov.32 r0, d3[0] From aeac212fda1bad4e0deb54cd261d6a037503eb82 Mon Sep 17 00:00:00 2001 From: Mason Carter Date: Sat, 21 Dec 2013 17:27:18 -0800 Subject: [PATCH 134/492] VC1: Fix intensity compensation performance regression Fix https://trac.ffmpeg.org/ticket/3204 The problem was that intensity compensation was always used once it was encountered. This is because v->next_use_ic was never set back to zero. To fix this, when resetting v->next_luty/uv, also reset v->next_use_ic. This improved (restored) performance by 85% when decoding http://bit.ly/bbbwmv Signed-off-by: Michael Niedermayer (cherry picked from commit ed5bed4152203aed8cce01a679bed67bbda8903f) --- libavcodec/vc1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index f7558116d1..2b872476df 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -621,6 +621,10 @@ static void rotate_luts(VC1Context *v) INIT_LUT(32, 0, v->curr_luty[0], v->curr_lutuv[0], 0); INIT_LUT(32, 0, v->curr_luty[1], v->curr_lutuv[1], 0); v->curr_use_ic = 0; + if (v->curr_luty == v->next_luty) { + // If we just initialized next_lut, clear next_use_ic to match. + v->next_use_ic = 0; + } } int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) From edca16f1af634837dd4425302a47b10a5f1c93f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2013 00:30:46 +0200 Subject: [PATCH 135/492] ffserver: strip odd chars from html error messages before sending them back Fixes Ticket3034 Signed-off-by: Michael Niedermayer (cherry picked from commit 885739f3b4ca3fb60abf417120845e3fcfb99b53) Signed-off-by: Michael Niedermayer --- ffserver.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ffserver.c b/ffserver.c index 45ec386a21..b9eb8c6bde 100644 --- a/ffserver.c +++ b/ffserver.c @@ -328,6 +328,14 @@ static AVLFG random_state; static FILE *logfile = NULL; +static void htmlstrip(char *s) { + while (s && *s) { + s += strspn(s, "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,. "); + if (*s) + *s++ = '?'; + } +} + static int64_t ffm_read_write_index(int fd) { uint8_t buf[8]; @@ -1887,6 +1895,7 @@ static int http_parse_request(HTTPContext *c) send_error: c->http_error = 404; q = c->buffer; + htmlstrip(msg); snprintf(q, c->buffer_size, "HTTP/1.0 404 Not Found\r\n" "Content-type: text/html\r\n" From f684bbf224dfccac3a5d4fab0ae51ffddd142b73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2013 03:33:40 +0200 Subject: [PATCH 136/492] avcodec/jpeg2000dec: check transform equality in MCT Fixes null pointer dereference Fixes Ticket2843 Signed-off-by: Michael Niedermayer (cherry picked from commit ac3b01a9c0607961f4540fe62040833870f5deb1) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 2c00a694a4..4fe9136909 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1135,6 +1135,12 @@ static void mct_decode(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) int32_t *src[3], i0, i1, i2; float *srcf[3], i0f, i1f, i2f; + for (i = 1; i < 3; i++) + if (tile->codsty[0].transform != tile->codsty[i].transform) { + av_log(s->avctx, AV_LOG_ERROR, "Transforms mismatch, MCT not supported\n"); + return; + } + for (i = 0; i < 3; i++) if (tile->codsty[0].transform == FF_DWT97) srcf[i] = tile->comp[i].f_data; From 93f26b79926cf311784ce939ba570cf282e15b5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Oct 2013 21:18:23 +0200 Subject: [PATCH 137/492] avcodec/jpeg2000dec: prevent out of array accesses in pixel addressing Fixes Ticket2921 Signed-off-by: Michael Niedermayer (cherry picked from commit fe448cd28d674c3eff3072552eae366d0b659ce9) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 4fe9136909..3856d7b74b 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1273,12 +1273,12 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, y = tile->comp[compno].coord[1][0] - s->image_offset_y; - line = picture->data[plane] + y * picture->linesize[plane]; + line = picture->data[plane] + y / s->cdy[compno] * picture->linesize[plane]; for (; y < tile->comp[compno].coord[1][1] - s->image_offset_y; y += s->cdy[compno]) { uint8_t *dst; x = tile->comp[compno].coord[0][0] - s->image_offset_x; - dst = line + x * pixelsize + compno*!planar; + dst = line + x / s->cdx[compno] * pixelsize + compno*!planar; if (codsty->transform == FF_DWT97) { for (; x < w; x += s->cdx[compno]) { @@ -1319,12 +1319,12 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, plane = s->cdef[compno] ? s->cdef[compno]-1 : (s->ncomponents-1); y = tile->comp[compno].coord[1][0] - s->image_offset_y; - linel = (uint16_t *)picture->data[plane] + y * (picture->linesize[plane] >> 1); + linel = (uint16_t *)picture->data[plane] + y / s->cdy[compno] * (picture->linesize[plane] >> 1); for (; y < tile->comp[compno].coord[1][1] - s->image_offset_y; y += s->cdy[compno]) { uint16_t *dst; x = tile->comp[compno].coord[0][0] - s->image_offset_x; - dst = linel + (x * pixelsize + compno*!planar); + dst = linel + (x / s->cdx[compno] * pixelsize + compno*!planar); if (codsty->transform == FF_DWT97) { for (; x < w; x += s-> cdx[compno]) { int val = lrintf(*datap) + (1 << (cbps - 1)); From 47f8497837ebbb6877ab9d199f66f655017b769c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Oct 2013 13:15:47 +0200 Subject: [PATCH 138/492] avcodec/jpeg2000dec: fix context consistency with too large lowres Fixes out of array accesses Fixes Ticket2898 Signed-off-by: Michael Niedermayer (cherry picked from commit a1b9004b768bef606ee98d417bceb9392ceb788d) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 3856d7b74b..5730b3cc33 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -369,11 +369,18 @@ static int get_cox(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *c) return AVERROR_INVALIDDATA; } + if (c->nreslevels <= s->reduction_factor) { + /* we are forced to update reduction_factor as its requested value is + not compatible with this bitstream, and as we might have used it + already in setup earlier we have to fail this frame until + reinitialization is implemented */ + av_log(s->avctx, AV_LOG_ERROR, "reduction_factor too large for this bitstream, max is %d\n", c->nreslevels - 1); + s->reduction_factor = c->nreslevels - 1; + return AVERROR(EINVAL); + } + /* compute number of resolution levels to decode */ - if (c->nreslevels < s->reduction_factor) - c->nreslevels2decode = 1; - else - c->nreslevels2decode = c->nreslevels - s->reduction_factor; + c->nreslevels2decode = c->nreslevels - s->reduction_factor; c->log2_cblk_width = (bytestream2_get_byteu(&s->g) & 15) + 2; // cblk width c->log2_cblk_height = (bytestream2_get_byteu(&s->g) & 15) + 2; // cblk height From 074ebfacf40f187069e90e1618a95926757ed7c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2013 16:21:14 +0200 Subject: [PATCH 139/492] avfilter/ff_insert_pad: fix order of operations Fixes out of bounds access Fixes CID732170 Fixes CID732169 No filter is known to use this function in a way so the issue can be reproduced. Signed-off-by: Michael Niedermayer (cherry picked from commit ab2bfb85d49b2f8aa505816f93e75fd18ad0a361) Conflicts: libavfilter/avfilter.c --- libavfilter/avfilter.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index c3228cd855..251f6ae38d 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -110,8 +110,8 @@ void ff_insert_pad(unsigned idx, unsigned *count, size_t padidx_off, (*count)++; for (i = idx + 1; i < *count; i++) - if (*links[i]) - (*(unsigned *)((uint8_t *) *links[i] + padidx_off))++; + if ((*links)[i]) + (*(unsigned *)((uint8_t *) (*links)[i] + padidx_off))++; } int avfilter_link(AVFilterContext *src, unsigned srcpad, From 72f1907c96b5cf88cfe18cf57a40a8b229ea96c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2013 17:45:54 +0200 Subject: [PATCH 140/492] avcodec/avpacket/av_packet_split_side_data: ensure that side data padding is initialized Signed-off-by: Michael Niedermayer (cherry picked from commit 240fd8c96f59ebe9dcfc4152a1086cd3f63400c0) Signed-off-by: Michael Niedermayer --- libavcodec/avpacket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index e276c60c2d..136e4b5669 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -377,7 +377,7 @@ int av_packet_split_side_data(AVPacket *pkt){ for (i=0; ; i++){ size= AV_RB32(p); av_assert0(size<=INT_MAX && p - pkt->data >= size); - pkt->side_data[i].data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE); + pkt->side_data[i].data = av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE); pkt->side_data[i].size = size; pkt->side_data[i].type = p[4]&127; if (!pkt->side_data[i].data) From fce2cfbdcfbdcf40907f5965f08eb3231385f65b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2013 17:52:47 +0200 Subject: [PATCH 141/492] avcodec/utils: add some saftey checks to add_metadata_from_side_data() This fixes potential overreads with crafted files. Found-by: wm4 Signed-off-by: Michael Niedermayer (cherry picked from commit 838f461b0716393a1b5c70efd03de1e8bc197380) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index d77b5ec661..5b1b96d9b8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1899,10 +1899,17 @@ static int add_metadata_from_side_data(AVCodecContext *avctx, AVFrame *frame) if (!side_metadata) goto end; end = side_metadata + size; + if (size && end[-1]) + return AVERROR_INVALIDDATA; while (side_metadata < end) { const uint8_t *key = side_metadata; const uint8_t *val = side_metadata + strlen(key) + 1; - int ret = av_dict_set(avpriv_frame_get_metadatap(frame), key, val, 0); + int ret; + + if (val >= end) + return AVERROR_INVALIDDATA; + + ret = av_dict_set(avpriv_frame_get_metadatap(frame), key, val, 0); if (ret < 0) break; side_metadata = val + strlen(val) + 1; From 83e4aa3e7c57eea9b532471458a5d04fd4f853f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Oct 2013 18:38:48 +0200 Subject: [PATCH 142/492] avutil/opt: initialize ret Fixes CID1108610 Fixes use of uninitialized variable Signed-off-by: Michael Niedermayer (cherry picked from commit 2d8ccf0adcae09cb9e14b01cfe20e4d77c3bbf5d) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 191ac2dcae..24511defa2 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -251,7 +251,7 @@ int av_set_string3(void *obj, const char *name, const char *val, int alloc, cons int av_opt_set(void *obj, const char *name, const char *val, int search_flags) { - int ret; + int ret = 0; void *dst, *target_obj; const AVOption *o = av_opt_find2(obj, name, NULL, 0, search_flags, &target_obj); if (!o || !target_obj) From bdf6e6fff41ba90528aa6452ea0621dfaa4d78a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Oct 2013 23:27:28 +0100 Subject: [PATCH 143/492] avcodec/jpeglsdec: check err value for ls_get_code_runterm() Fixes infinite loop Fixes Ticket3086 Signed-off-by: Michael Niedermayer (cherry picked from commit cc0e47b55096361723b364afa43b79a3f5619cdc) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 3af230d1db..894dd428d7 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -148,6 +148,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, ret = ret >> 1; } + if(FFABS(ret) > 0xFFFF) + return -0x10000; /* update state */ state->A[Q] += FFABS(ret) - RItype; ret *= state->twonear; From c88bdac4605cf0a8a6fe85159658379be165f732 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2013 02:19:40 +0100 Subject: [PATCH 144/492] avformat/thp: fix variable types to avoid overflows Signed-off-by: Michael Niedermayer (cherry picked from commit 2b1056e4e27b046af3777e8bd65a5145abff878f) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/thp.c b/libavformat/thp.c index 3717b8f12c..09979aca99 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -26,15 +26,15 @@ typedef struct ThpDemuxContext { int version; - int first_frame; - int first_framesz; - int last_frame; + unsigned first_frame; + unsigned first_framesz; + unsigned last_frame; int compoff; - int framecnt; + unsigned framecnt; AVRational fps; - int frame; - int next_frame; - int next_framesz; + unsigned frame; + int64_t next_frame; + unsigned next_framesz; int video_stream_index; int audio_stream_index; int compcount; From 4324d7badeb6ccbd6bd3bd65967b7e56c8915b30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2013 02:26:07 +0100 Subject: [PATCH 145/492] avformat/thp: force moving forward Fixes infinite loop Fixes Ticket3098 Signed-off-by: Michael Niedermayer (cherry picked from commit 6c4b87d3d6ae08a6da16b4616626b4d2a726afbf) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/thp.c b/libavformat/thp.c index 09979aca99..568807d6f7 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -158,7 +158,7 @@ static int thp_read_packet(AVFormatContext *s, avio_seek(pb, thp->next_frame, SEEK_SET); /* Locate the next frame and read out its size. */ - thp->next_frame += thp->next_framesz; + thp->next_frame += FFMAX(thp->next_framesz, 1); thp->next_framesz = avio_rb32(pb); avio_rb32(pb); /* Previous total size. */ From b545d11d498c5a79d5cb2b8d7a9339467648e10d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2013 02:19:13 +0200 Subject: [PATCH 146/492] avcodec/jpeg2000dec: non zero image offsets are not supported Fixes out of array accesses Fixes Ticket3080 Found-by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 780669ef7c23c00836a24921fcc6b03be2b8ca4a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 5730b3cc33..66abd59948 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -243,6 +243,11 @@ static int get_siz(Jpeg2000DecoderContext *s) s->tile_offset_y = bytestream2_get_be32u(&s->g); // YT0Siz ncomponents = bytestream2_get_be16u(&s->g); // CSiz + if (s->image_offset_x || s->image_offset_y) { + avpriv_request_sample(s->avctx, "Support for image offsets"); + return AVERROR_PATCHWELCOME; + } + if (ncomponents <= 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of components: %d\n", s->ncomponents); From 70fcea3b77617373c1a3317218cee9d5c8da2410 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Nov 2013 11:27:45 +0100 Subject: [PATCH 147/492] h264: Do not treat the initial frame special in handling of frame gaps The not handling of frame gaps has lead to the lack of a dummy reference frame, which has lead to the failure of decode_slice_header() which has lead to one SEI recovery message being skiped which had introduced a slightly suboptimal recovery point for at least 1 h264 file compared to JM. Found-by: Carl & BugMaster Signed-off-by: Michael Niedermayer (cherry picked from commit 9e5ef1c5c37208326c59d642e2dc7afd3f10b09b) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 21c827a406..a5c2147fc2 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3435,7 +3435,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) } else { /* Shorten frame num gaps so we don't have to allocate reference * frames just to throw them away */ - if (h->frame_num != h->prev_frame_num && h->prev_frame_num >= 0) { + if (h->frame_num != h->prev_frame_num) { int unwrap_prev_frame_num = h->prev_frame_num; int max_frame_num = 1 << h->sps.log2_max_frame_num; @@ -3508,7 +3508,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) } } - while (h->frame_num != h->prev_frame_num && h->prev_frame_num >= 0 && !h0->first_field && + while (h->frame_num != h->prev_frame_num && !h0->first_field && h->frame_num != (h->prev_frame_num + 1) % (1 << h->sps.log2_max_frame_num)) { Picture *prev = h->short_ref_count ? h->short_ref[0] : NULL; av_log(h->avctx, AV_LOG_DEBUG, "Frame num gap %d %d\n", From 3a3b5ae4c05388340965554369a854bc7971afab Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 13 Nov 2013 18:44:26 +0100 Subject: [PATCH 148/492] mpegvideo: Fix swapping of UV planes for VCR2 Signed-off-by: Michael Niedermayer (cherry picked from commit bae14f38d992f326c94d93f01197ccd84ea62053) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 4fef2f7338..d497864b62 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -537,6 +537,15 @@ fail: return ret; } +static void exchange_uv(MpegEncContext *s) +{ + int16_t (*tmp)[64]; + + tmp = s->pblocks[4]; + s->pblocks[4] = s->pblocks[5]; + s->pblocks[5] = tmp; +} + static int init_duplicate_context(MpegEncContext *s) { int y_size = s->b8_stride * (2 * s->mb_height + 1); @@ -567,6 +576,8 @@ static int init_duplicate_context(MpegEncContext *s) for (i = 0; i < 12; i++) { s->pblocks[i] = &s->block[i]; } + if (s->avctx->codec_tag == AV_RL32("VCR2")) + exchange_uv(s); if (s->out_format == FMT_H263) { /* ac values */ @@ -641,6 +652,8 @@ int ff_update_duplicate_context(MpegEncContext *dst, MpegEncContext *src) for (i = 0; i < 12; i++) { dst->pblocks[i] = &dst->block[i]; } + if (dst->avctx->codec_tag == AV_RL32("VCR2")) + exchange_uv(dst); if (!dst->edge_emu_buffer && (ret = ff_mpv_frame_size_alloc(dst, dst->linesize)) < 0) { av_log(dst->avctx, AV_LOG_ERROR, "failed to allocate context " From 6b683be641b6ed8fa1acc4c482fc1e09840c5117 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 13 Nov 2013 18:44:25 +0100 Subject: [PATCH 149/492] mpeg12dec: Remove incomplete and wrong UV swapping code for VCR2 Signed-off-by: Michael Niedermayer (cherry picked from commit 321514042534a2501a9f6223b88f0d2b8060f858) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 7510da454a..ccf9847973 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2038,7 +2038,6 @@ static int vcr2_init_sequence(AVCodecContext *avctx) if (s->codec_tag == AV_RL32("BW10")) { s->codec_id = s->avctx->codec_id = AV_CODEC_ID_MPEG1VIDEO; } else { - exchange_uv(s); // common init reset pblocks, so we swap them here s->swap_uv = 1; // in case of xvmc we need to swap uv for each MB s->codec_id = s->avctx->codec_id = AV_CODEC_ID_MPEG2VIDEO; } From 28ac4e91dcfadf1c8723489cbb7d07b72d60b755 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Nov 2013 22:35:46 +0100 Subject: [PATCH 150/492] avutil: rename lls to lls2 Signed-off-by: Michael Niedermayer (cherry picked from commit bbe66ef912470007f7cc424badde2ccec500b36b) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 2 +- libavutil/Makefile | 4 ++-- libavutil/{lls.c => lls2.c} | 2 +- libavutil/{lls.h => lls2.h} | 0 libavutil/x86/lls_init.c | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) rename libavutil/{lls.c => lls2.c} (99%) rename libavutil/{lls.h => lls2.h} (100%) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index 1d52edf744..198903028b 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -20,7 +20,7 @@ */ #include "libavutil/common.h" -#include "libavutil/lls.h" +#include "libavutil/lls2.h" #define LPC_USE_DOUBLE #include "lpc.h" diff --git a/libavutil/Makefile b/libavutil/Makefile index 21746f0713..ba759f07c0 100644 --- a/libavutil/Makefile +++ b/libavutil/Makefile @@ -89,7 +89,7 @@ OBJS = adler32.o \ intfloat_readwrite.o \ intmath.o \ lfg.o \ - lls.o \ + lls2.o \ log.o \ log2_tab.o \ mathematics.o \ @@ -142,7 +142,7 @@ TESTPROGS = adler32 \ fifo \ hmac \ lfg \ - lls \ + lls2 \ md5 \ murmur3 \ opt \ diff --git a/libavutil/lls.c b/libavutil/lls2.c similarity index 99% rename from libavutil/lls.c rename to libavutil/lls2.c index abed8efaff..f381ebc3ff 100644 --- a/libavutil/lls.c +++ b/libavutil/lls2.c @@ -30,7 +30,7 @@ #include "attributes.h" #include "version.h" -#include "lls.h" +#include "lls2.h" static void update_lls(LLSModel *m, double *var) { diff --git a/libavutil/lls.h b/libavutil/lls2.h similarity index 100% rename from libavutil/lls.h rename to libavutil/lls2.h diff --git a/libavutil/x86/lls_init.c b/libavutil/x86/lls_init.c index 181ca38dae..b2424b3645 100644 --- a/libavutil/x86/lls_init.c +++ b/libavutil/x86/lls_init.c @@ -20,7 +20,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#include "libavutil/lls.h" +#include "libavutil/lls2.h" #include "libavutil/x86/cpu.h" void ff_update_lls_sse2(LLSModel *m, double *var); From 0cd61c7f7d105ec6b1652be2a1fce029fade16db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Nov 2013 16:42:57 +0100 Subject: [PATCH 151/492] rename new lls code to lls2 to avoid conflict with the old which has a different ABI also remove failed attempt at a compatibility layer, the code simply cannot work Signed-off-by: Michael Niedermayer (cherry picked from commit c3814ab654a993723b0e5f14cc252d68f233ad79) Conflicts: libavcodec/version.h --- libavcodec/lpc.c | 6 +++--- libavutil/lls2.c | 35 ++++++++--------------------------- libavutil/lls2.h | 23 ++++++++--------------- libavutil/x86/lls.asm | 8 ++++---- libavutil/x86/lls_init.c | 8 ++++---- 5 files changed, 27 insertions(+), 53 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index 198903028b..a6f23775a5 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -208,7 +208,7 @@ int ff_lpc_calc_coefs(LPCContext *s, } if (lpc_type == FF_LPC_TYPE_CHOLESKY) { - LLSModel m[2]; + LLSModel2 m[2]; LOCAL_ALIGNED(32, double, var, [FFALIGN(MAX_LPC_ORDER+1,4)]); double av_uninit(weight); memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var)); @@ -217,7 +217,7 @@ int ff_lpc_calc_coefs(LPCContext *s, m[0].coeff[max_order-1][j] = -lpc[max_order-1][j]; for(; passcovariance[1][0]; @@ -100,7 +100,7 @@ void avpriv_solve_lls(LLSModel *m, double threshold, unsigned short min_order) } } -static double evaluate_lls(LLSModel *m, double *param, int order) +static double evaluate_lls(LLSModel2 *m, double *param, int order) { int i; double out = 0; @@ -111,9 +111,9 @@ static double evaluate_lls(LLSModel *m, double *param, int order) return out; } -av_cold void avpriv_init_lls(LLSModel *m, int indep_count) +av_cold void avpriv_init_lls2(LLSModel2 *m, int indep_count) { - memset(m, 0, sizeof(LLSModel)); + memset(m, 0, sizeof(LLSModel2)); m->indep_count = indep_count; m->update_lls = update_lls; m->evaluate_lls = evaluate_lls; @@ -121,25 +121,6 @@ av_cold void avpriv_init_lls(LLSModel *m, int indep_count) ff_init_lls_x86(m); } -#if FF_API_LLS_PRIVATE -av_cold void av_init_lls(LLSModel *m, int indep_count) -{ - avpriv_init_lls(m, indep_count); -} -void av_update_lls(LLSModel *m, double *param, double decay) -{ - m->update_lls(m, param); -} -void av_solve_lls(LLSModel *m, double threshold, int min_order) -{ - avpriv_solve_lls(m, threshold, min_order); -} -double av_evaluate_lls(LLSModel *m, double *param, int order) -{ - return m->evaluate_lls(m, param, order); -} -#endif /* FF_API_LLS_PRIVATE */ - #ifdef TEST #include @@ -148,12 +129,12 @@ double av_evaluate_lls(LLSModel *m, double *param, int order) int main(void) { - LLSModel m; + LLSModel2 m; int i, order; AVLFG lfg; av_lfg_init(&lfg, 1); - avpriv_init_lls(&m, 3); + avpriv_init_lls2(&m, 3); for (i = 0; i < 100; i++) { LOCAL_ALIGNED(32, double, var, [4]); @@ -164,7 +145,7 @@ int main(void) var[2] = var[1] + av_lfg_get(&lfg) / (double) UINT_MAX - 0.5; var[3] = var[2] + av_lfg_get(&lfg) / (double) UINT_MAX - 0.5; m.update_lls(&m, var); - avpriv_solve_lls(&m, 0.001, 0); + avpriv_solve_lls2(&m, 0.001, 0); for (order = 0; order < 3; order++) { eval = m.evaluate_lls(&m, var + 1, order); printf("real:%9f order:%d pred:%9f var:%f coeffs:%f %9f %9f\n", diff --git a/libavutil/lls2.h b/libavutil/lls2.h index c62d78a230..35815d2704 100644 --- a/libavutil/lls2.h +++ b/libavutil/lls2.h @@ -30,12 +30,12 @@ #define MAX_VARS 32 #define MAX_VARS_ALIGN FFALIGN(MAX_VARS+1,4) -//FIXME avoid direct access to LLSModel from outside +//FIXME avoid direct access to LLSModel2 from outside /** * Linear least squares model. */ -typedef struct LLSModel { +typedef struct LLSModel2 { DECLARE_ALIGNED(32, double, covariance[MAX_VARS_ALIGN][MAX_VARS_ALIGN]); DECLARE_ALIGNED(32, double, coeff[MAX_VARS][MAX_VARS]); double variance[MAX_VARS]; @@ -47,25 +47,18 @@ typedef struct LLSModel { * 32-byte aligned, and any padding elements must be initialized * (i.e not denormal/nan). */ - void (*update_lls)(struct LLSModel *m, double *var); + void (*update_lls)(struct LLSModel2 *m, double *var); /** * Inner product of var[] and the LPC coefs. * @param m this context * @param var training samples, excluding the value to be predicted. unaligned. * @param order lpc order */ - double (*evaluate_lls)(struct LLSModel *m, double *var, int order); -} LLSModel; + double (*evaluate_lls)(struct LLSModel2 *m, double *var, int order); +} LLSModel2; -void avpriv_init_lls(LLSModel *m, int indep_count); -void ff_init_lls_x86(LLSModel *m); -void avpriv_solve_lls(LLSModel *m, double threshold, unsigned short min_order); - -#if FF_API_LLS_PRIVATE -void av_init_lls(LLSModel *m, int indep_count); -void av_update_lls(LLSModel *m, double *param, double decay); -void av_solve_lls(LLSModel *m, double threshold, int min_order); -double av_evaluate_lls(LLSModel *m, double *param, int order); -#endif /* FF_API_LLS_PRIVATE */ +void avpriv_init_lls2(LLSModel2 *m, int indep_count); +void ff_init_lls_x86(LLSModel2 *m); +void avpriv_solve_lls2(LLSModel2 *m, double threshold, unsigned short min_order); #endif /* AVUTIL_LLS_H */ diff --git a/libavutil/x86/lls.asm b/libavutil/x86/lls.asm index 769befb769..c2aead38ef 100644 --- a/libavutil/x86/lls.asm +++ b/libavutil/x86/lls.asm @@ -29,7 +29,7 @@ SECTION .text %define COVAR_STRIDE MAX_VARS_ALIGN*8 %define COVAR(x,y) [covarq + (x)*8 + (y)*COVAR_STRIDE] -struc LLSModel +struc LLSModel2 .covariance: resq MAX_VARS_ALIGN*MAX_VARS_ALIGN .coeff: resq MAX_VARS*MAX_VARS .variance: resq MAX_VARS @@ -49,7 +49,7 @@ INIT_XMM sse2 %define movdqa movaps cglobal update_lls, 2,5,8, ctx, var, i, j, covar2 %define covarq ctxq - mov id, [ctxq + LLSModel.indep_count] + mov id, [ctxq + LLSModel2.indep_count] lea varq, [varq + iq*8] neg iq mov covar2q, covarq @@ -129,7 +129,7 @@ cglobal update_lls, 2,5,8, ctx, var, i, j, covar2 INIT_YMM avx cglobal update_lls, 3,6,8, ctx, var, count, i, j, count2 %define covarq ctxq - mov countd, [ctxq + LLSModel.indep_count] + mov countd, [ctxq + LLSModel2.indep_count] lea count2d, [countq-2] xor id, id .loopi: @@ -206,7 +206,7 @@ cglobal evaluate_lls, 3,4,2, ctx, var, order, i %define coefsq ctxq mov id, orderd imul orderd, MAX_VARS - lea coefsq, [ctxq + LLSModel.coeff + orderq*8] + lea coefsq, [ctxq + LLSModel2.coeff + orderq*8] movsd m0, [varq] movhpd m0, [varq + 8] mulpd m0, [coefsq] diff --git a/libavutil/x86/lls_init.c b/libavutil/x86/lls_init.c index b2424b3645..bf999d5fc3 100644 --- a/libavutil/x86/lls_init.c +++ b/libavutil/x86/lls_init.c @@ -23,11 +23,11 @@ #include "libavutil/lls2.h" #include "libavutil/x86/cpu.h" -void ff_update_lls_sse2(LLSModel *m, double *var); -void ff_update_lls_avx(LLSModel *m, double *var); -double ff_evaluate_lls_sse2(LLSModel *m, double *var, int order); +void ff_update_lls_sse2(LLSModel2 *m, double *var); +void ff_update_lls_avx(LLSModel2 *m, double *var); +double ff_evaluate_lls_sse2(LLSModel2 *m, double *var, int order); -av_cold void ff_init_lls_x86(LLSModel *m) +av_cold void ff_init_lls_x86(LLSModel2 *m) { int cpu_flags = av_get_cpu_flags(); if (EXTERNAL_SSE2(cpu_flags)) { From 4f93400db1f21f65a94777f0b13b0f1b336e41fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Nov 2013 23:32:51 +0100 Subject: [PATCH 152/492] avutil: reintroduce lls1 as the 52 ABI needs it lls1 taken from ff130d7 This is incompatible with libavcodec version 55.18.100 to 55.43.100 except 55.39.101 This incompatibility is caused by these libavcodec versions depending on a libavutil 52 which is ABI incompatible with the previous ABI 52 you can avoid this incompatibility by upgrading your libavcodec so it does no longer depend on the invalid ABI See: 502ab21af0ca68f76d6112722c46d2f35c004053 See: cc6714bb16b1f0716ba43701d47273dbe9657b8b See: 41578f70cf8aec8e7565fba1ca7e07f3dc46c3d2 See: Ticket3136 Tested-by: marillat Signed-off-by: Michael Niedermayer (cherry picked from commit b382d09d29be90e0947295a70cdcbaa60b9030b8) Signed-off-by: Michael Niedermayer --- libavutil/Makefile | 2 + libavutil/lls1.c | 180 ++++++++++++++++++++++++++++++++++++++++++++ libavutil/lls1.h | 54 +++++++++++++ libavutil/version.h | 3 + 4 files changed, 239 insertions(+) create mode 100644 libavutil/lls1.c create mode 100644 libavutil/lls1.h diff --git a/libavutil/Makefile b/libavutil/Makefile index ba759f07c0..26e8d37e1c 100644 --- a/libavutil/Makefile +++ b/libavutil/Makefile @@ -89,6 +89,7 @@ OBJS = adler32.o \ intfloat_readwrite.o \ intmath.o \ lfg.o \ + lls1.o \ lls2.o \ log.o \ log2_tab.o \ @@ -142,6 +143,7 @@ TESTPROGS = adler32 \ fifo \ hmac \ lfg \ + lls1 \ lls2 \ md5 \ murmur3 \ diff --git a/libavutil/lls1.c b/libavutil/lls1.c new file mode 100644 index 0000000000..c452d82334 --- /dev/null +++ b/libavutil/lls1.c @@ -0,0 +1,180 @@ +/* + * linear least squares model + * + * Copyright (c) 2006 Michael Niedermayer + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/** + * @file + * linear least squares model + */ + +#include +#include + +#include "attributes.h" +#include "version.h" +#include "lls1.h" + +#if FF_API_LLS1 + +av_cold void avpriv_init_lls(LLSModel *m, int indep_count) +{ + memset(m, 0, sizeof(LLSModel)); + m->indep_count = indep_count; +} + +void avpriv_update_lls(LLSModel *m, double *var, double decay) +{ + int i, j; + + for (i = 0; i <= m->indep_count; i++) { + for (j = i; j <= m->indep_count; j++) { + m->covariance[i][j] *= decay; + m->covariance[i][j] += var[i] * var[j]; + } + } +} + +void avpriv_solve_lls(LLSModel *m, double threshold, unsigned short min_order) +{ + int i, j, k; + double (*factor)[MAX_VARS + 1] = (void *) &m->covariance[1][0]; + double (*covar) [MAX_VARS + 1] = (void *) &m->covariance[1][1]; + double *covar_y = m->covariance[0]; + int count = m->indep_count; + + for (i = 0; i < count; i++) { + for (j = i; j < count; j++) { + double sum = covar[i][j]; + + for (k = i - 1; k >= 0; k--) + sum -= factor[i][k] * factor[j][k]; + + if (i == j) { + if (sum < threshold) + sum = 1.0; + factor[i][i] = sqrt(sum); + } else { + factor[j][i] = sum / factor[i][i]; + } + } + } + + for (i = 0; i < count; i++) { + double sum = covar_y[i + 1]; + + for (k = i - 1; k >= 0; k--) + sum -= factor[i][k] * m->coeff[0][k]; + + m->coeff[0][i] = sum / factor[i][i]; + } + + for (j = count - 1; j >= min_order; j--) { + for (i = j; i >= 0; i--) { + double sum = m->coeff[0][i]; + + for (k = i + 1; k <= j; k++) + sum -= factor[k][i] * m->coeff[j][k]; + + m->coeff[j][i] = sum / factor[i][i]; + } + + m->variance[j] = covar_y[0]; + + for (i = 0; i <= j; i++) { + double sum = m->coeff[j][i] * covar[i][i] - 2 * covar_y[i + 1]; + + for (k = 0; k < i; k++) + sum += 2 * m->coeff[j][k] * covar[k][i]; + + m->variance[j] += m->coeff[j][i] * sum; + } + } +} + +double avpriv_evaluate_lls(LLSModel *m, double *param, int order) +{ + int i; + double out = 0; + + for (i = 0; i <= order; i++) + out += param[i] * m->coeff[order][i]; + + return out; +} + +#if FF_API_LLS_PRIVATE +av_cold void av_init_lls(LLSModel *m, int indep_count) +{ + avpriv_init_lls(m, indep_count); +} +void av_update_lls(LLSModel *m, double *param, double decay) +{ + avpriv_update_lls(m, param, decay); +} +void av_solve_lls(LLSModel *m, double threshold, int min_order) +{ + avpriv_solve_lls(m, threshold, min_order); +} +double av_evaluate_lls(LLSModel *m, double *param, int order) +{ + return avpriv_evaluate_lls(m, param, order); +} +#endif /* FF_API_LLS_PRIVATE */ + +#endif /* FF_API_LLS1 */ + +#ifdef TEST + +#include +#include +#include "lfg.h" + +int main(void) +{ + LLSModel m; + int i, order; + AVLFG lfg; + + av_lfg_init(&lfg, 1); + avpriv_init_lls(&m, 3); + + for (i = 0; i < 100; i++) { + double var[4]; + double eval; + + var[0] = (av_lfg_get(&lfg) / (double) UINT_MAX - 0.5) * 2; + var[1] = var[0] + av_lfg_get(&lfg) / (double) UINT_MAX - 0.5; + var[2] = var[1] + av_lfg_get(&lfg) / (double) UINT_MAX - 0.5; + var[3] = var[2] + av_lfg_get(&lfg) / (double) UINT_MAX - 0.5; + avpriv_update_lls(&m, var, 0.99); + avpriv_solve_lls(&m, 0.001, 0); + for (order = 0; order < 3; order++) { + eval = avpriv_evaluate_lls(&m, var + 1, order); + printf("real:%9f order:%d pred:%9f var:%f coeffs:%f %9f %9f\n", + var[0], order, eval, sqrt(m.variance[order] / (i + 1)), + m.coeff[order][0], m.coeff[order][1], + m.coeff[order][2]); + } + } + return 0; +} + +#endif diff --git a/libavutil/lls1.h b/libavutil/lls1.h new file mode 100644 index 0000000000..c785d44421 --- /dev/null +++ b/libavutil/lls1.h @@ -0,0 +1,54 @@ +/* + * linear least squares model + * + * Copyright (c) 2006 Michael Niedermayer + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifndef AVUTIL_LLS_H +#define AVUTIL_LLS_H + +#include "version.h" + +#define MAX_VARS 32 + +//FIXME avoid direct access to LLSModel from outside + +/** + * Linear least squares model. + */ +typedef struct LLSModel { + double covariance[MAX_VARS + 1][MAX_VARS + 1]; + double coeff[MAX_VARS][MAX_VARS]; + double variance[MAX_VARS]; + int indep_count; +} LLSModel; + +void avpriv_init_lls(LLSModel *m, int indep_count); +void avpriv_update_lls(LLSModel *m, double *param, double decay); +void avpriv_solve_lls(LLSModel *m, double threshold, unsigned short min_order); +double avpriv_evaluate_lls(LLSModel *m, double *param, int order); + +#if FF_API_LLS_PRIVATE +void av_init_lls(LLSModel *m, int indep_count); +void av_update_lls(LLSModel *m, double *param, double decay); +void av_solve_lls(LLSModel *m, double threshold, int min_order); +double av_evaluate_lls(LLSModel *m, double *param, int order); +#endif /* FF_API_LLS_PRIVATE */ + +#endif /* AVUTIL_LLS_H */ diff --git a/libavutil/version.h b/libavutil/version.h index b03aa4a871..369d8cc93a 100644 --- a/libavutil/version.h +++ b/libavutil/version.h @@ -132,6 +132,9 @@ #ifndef FF_API_LLS_PRIVATE #define FF_API_LLS_PRIVATE (LIBAVUTIL_VERSION_MAJOR < 53) #endif +#ifndef FF_API_LLS1 +#define FF_API_LLS1 (LIBAVUTIL_VERSION_MAJOR < 53) +#endif #ifndef FF_API_AVFRAME_LAVC #define FF_API_AVFRAME_LAVC (LIBAVUTIL_VERSION_MAJOR < 53) #endif From ae81a0e32de6fa53a2670fe0dbb5d2a252030281 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Nov 2013 02:32:37 +0100 Subject: [PATCH 153/492] avcodec: move end zeroing code from av_packet_split_side_data() to avcodec_decode_subtitle2() This code changes the input packet, which is read only and can in rare circumstances lead to decoder errors. (i run into one of these in the audio decoder, which corrupted the packet during av_find_stream_info() so that actual decoding that single packet failed later) Until a better fix is implemented, this commit limits the problem. A better fix might be to make the subtitle decoders not depend on data[size] = 0 or to copy their input when this is not the case. (cherry picked from commit 01923bab98506b1e98b4cbf08419364ce6ffea6d) Signed-off-by: Michael Niedermayer --- libavcodec/avpacket.c | 9 +-------- libavcodec/utils.c | 10 ++++++++++ 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 136e4b5669..d5d3e2a40f 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -356,7 +356,7 @@ int av_packet_merge_side_data(AVPacket *pkt){ int av_packet_split_side_data(AVPacket *pkt){ if (!pkt->side_data_elems && pkt->size >12 && AV_RB64(pkt->data + pkt->size - 8) == FF_MERGE_MARKER){ int i; - unsigned int size, orig_pktsize = pkt->size; + unsigned int size; uint8_t *p; p = pkt->data + pkt->size - 8 - 5; @@ -389,13 +389,6 @@ int av_packet_split_side_data(AVPacket *pkt){ p-= size+5; } pkt->size -= 8; - /* FFMIN() prevents overflow in case the packet wasn't allocated with - * proper padding. - * If the side data is smaller than the buffer padding size, the - * remaining bytes should have already been filled with zeros by the - * original packet allocation anyway. */ - memset(pkt->data + pkt->size, 0, - FFMIN(orig_pktsize - pkt->size, FF_INPUT_BUFFER_PADDING_SIZE)); pkt->side_data_elems = i+1; return 1; } diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 5b1b96d9b8..6609f20ef7 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -2278,6 +2278,16 @@ int avcodec_decode_subtitle2(AVCodecContext *avctx, AVSubtitle *sub, int did_split = av_packet_split_side_data(&tmp); //apply_param_change(avctx, &tmp); + if (did_split) { + /* FFMIN() prevents overflow in case the packet wasn't allocated with + * proper padding. + * If the side data is smaller than the buffer padding size, the + * remaining bytes should have already been filled with zeros by the + * original packet allocation anyway. */ + memset(tmp.data + tmp.size, 0, + FFMIN(avpkt->size - tmp.size, FF_INPUT_BUFFER_PADDING_SIZE)); + } + pkt_recoded = tmp; ret = recode_subtitle(avctx, &pkt_recoded, &tmp); if (ret < 0) { From bd9dcb411d2e036193ddc6a829842ae9e9a05a4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Nov 2013 03:50:20 +0100 Subject: [PATCH 154/492] avcodec/jpeg2000dec: Check precno before using it in JPEG2000_PGOD_CPRL Fixes out of array reads Fixes: asan_heap-oob_f0de57_6823_mjp2.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5a5e86be2a65e33c34ab3ad7923f54e8e49c1d) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 66abd59948..d70413a0da 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -884,6 +884,10 @@ static int jpeg2000_decode_packets(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile prcx = ff_jpeg2000_ceildivpow2(x, reducedresno) >> rlevel->log2_prec_width; prcy = ff_jpeg2000_ceildivpow2(y, reducedresno) >> rlevel->log2_prec_height; precno = prcx + rlevel->num_precincts_x * prcy; + + if (prcx >= rlevel->num_precincts_x || prcy >= rlevel->num_precincts_y) + return AVERROR_PATCHWELCOME; + for (layno = 0; layno < tile->codsty[0].nlayers; layno++) { if ((ret = jpeg2000_decode_packet(s, codsty, rlevel, precno, layno, From a9382fc15c15c0517e41db8a294afc4c7696ba19 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 15 Nov 2013 01:09:06 +0000 Subject: [PATCH 155/492] avcodec/libopusenc: change default frame duration to 20 ms 20 ms is used by libopus encoder. Signed-off-by: Paul B Mahol (cherry picked from commit 74906d3727ec3bd9b7b28dfa7a98ff6e8cf8b6d7) Signed-off-by: Michael Niedermayer --- doc/encoders.texi | 2 +- libavcodec/libopusenc.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index b3e574a3e0..18b122c21e 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -753,7 +753,7 @@ Set maximum frame size, or duration of a frame in milliseconds. The argument must be exactly the following: 2.5, 5, 10, 20, 40, 60. Smaller frame sizes achieve lower latency but less quality at a given bitrate. Sizes greater than 20ms are only interesting at fairly low bitrates. -The default of FFmpeg is 10ms, but is 20ms in @command{opusenc}. +The default is 20ms. @item packet_loss (@emph{expect-loss}) Set expected packet loss percentage. The default is 0. diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 59caac76c7..faa0806289 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -380,7 +380,7 @@ static const AVOption libopus_options[] = { { "voip", "Favor improved speech intelligibility", 0, AV_OPT_TYPE_CONST, { .i64 = OPUS_APPLICATION_VOIP }, 0, 0, FLAGS, "application" }, { "audio", "Favor faithfulness to the input", 0, AV_OPT_TYPE_CONST, { .i64 = OPUS_APPLICATION_AUDIO }, 0, 0, FLAGS, "application" }, { "lowdelay", "Restrict to only the lowest delay modes", 0, AV_OPT_TYPE_CONST, { .i64 = OPUS_APPLICATION_RESTRICTED_LOWDELAY }, 0, 0, FLAGS, "application" }, - { "frame_duration", "Duration of a frame in milliseconds", OFFSET(frame_duration), AV_OPT_TYPE_FLOAT, { .dbl = 10.0 }, 2.5, 60.0, FLAGS }, + { "frame_duration", "Duration of a frame in milliseconds", OFFSET(frame_duration), AV_OPT_TYPE_FLOAT, { .dbl = 20.0 }, 2.5, 60.0, FLAGS }, { "packet_loss", "Expected packet loss percentage", OFFSET(packet_loss), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 100, FLAGS }, { "vbr", "Variable bit rate mode", OFFSET(vbr), AV_OPT_TYPE_INT, { .i64 = 1 }, 0, 2, FLAGS, "vbr" }, { "off", "Use constant bit rate", 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, 0, 0, FLAGS, "vbr" }, From 66a9edfcf677f2673b5163f8008bdc7d0454074c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Dec 2013 15:24:10 +0100 Subject: [PATCH 156/492] do O(1) instead of O(n) atomic operations in register functions about 1ms faster startup time Signed-off-by: Michael Niedermayer (cherry picked from commit 133fbfc7811ffae7b97dd129fcd0b5e646742362) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++-- libavfilter/avfilter.c | 2 +- libavformat/format.c | 4 ++-- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 6609f20ef7..9acf7bd770 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -163,7 +163,8 @@ av_cold void avcodec_register(AVCodec *codec) avcodec_init(); p = &first_avcodec; codec->next = NULL; - while(avpriv_atomic_ptr_cas((void * volatile *)p, NULL, codec)) + + while(*p || avpriv_atomic_ptr_cas((void * volatile *)p, NULL, codec)) p = &(*p)->next; if (codec->init_static_data) @@ -3013,7 +3014,7 @@ void av_register_hwaccel(AVHWAccel *hwaccel) { AVHWAccel **p = &first_hwaccel; hwaccel->next = NULL; - while(avpriv_atomic_ptr_cas((void * volatile *)p, NULL, hwaccel)) + while(*p || avpriv_atomic_ptr_cas((void * volatile *)p, NULL, hwaccel)) p = &(*p)->next; } diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index 251f6ae38d..e92f3e543b 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -468,7 +468,7 @@ int avfilter_register(AVFilter *filter) filter->next = NULL; - while(avpriv_atomic_ptr_cas((void * volatile *)f, NULL, filter)) + while(*f || avpriv_atomic_ptr_cas((void * volatile *)f, NULL, filter)) f = &(*f)->next; return 0; diff --git a/libavformat/format.c b/libavformat/format.c index ac9100b604..36c0131c12 100644 --- a/libavformat/format.c +++ b/libavformat/format.c @@ -54,7 +54,7 @@ void av_register_input_format(AVInputFormat *format) AVInputFormat **p = &first_iformat; format->next = NULL; - while(avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) + while(*p || avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) p = &(*p)->next; } @@ -63,7 +63,7 @@ void av_register_output_format(AVOutputFormat *format) AVOutputFormat **p = &first_oformat; format->next = NULL; - while(avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) + while(*p || avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) p = &(*p)->next; } From 172f92976752618a7d1b6636bf2d04cbdbd65790 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Dec 2013 23:30:34 +0100 Subject: [PATCH 157/492] avutil/log: skip IO calls on empty strings These occur when no context is set for example, thus they are common Signed-off-by: Michael Niedermayer (cherry picked from commit a044a183a3fb90b20a8deaa3ea1158510bcdd420) Signed-off-by: Michael Niedermayer --- libavutil/log.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavutil/log.c b/libavutil/log.c index a4111f6274..7cd7ce7691 100644 --- a/libavutil/log.c +++ b/libavutil/log.c @@ -103,6 +103,9 @@ static int use_color = -1; static void colored_fputs(int level, const char *str) { + if (!*str) + return; + if (use_color < 0) { #if HAVE_SETCONSOLETEXTATTRIBUTE CONSOLE_SCREEN_BUFFER_INFO con_info; From b4552cc9b8c37410f754af5d34d24e7b8a9b4b0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Dec 2013 03:22:00 +0100 Subject: [PATCH 158/492] update for FFmpeg 2.0.3 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index e9307ca575..50ffc5aa7f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.0.2 +2.0.3 diff --git a/VERSION b/VERSION index e9307ca575..50ffc5aa7f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.0.2 +2.0.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 391133198f..6ff927c619 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.0.2 +PROJECT_NUMBER = 2.0.3 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 33aa2c5d6b22df74ec508c24bbb9cb1b4feec787 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 2 Jan 2014 14:29:38 -0800 Subject: [PATCH 159/492] h264: Clear ERContext.cur_pic when unref'ing current picture. Signed-off-by: Dale Curtis (cherry picked from commit 4feca2214a0b69dcbe4d1c7cd145c3881459e867) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index a5c2147fc2..9111d923d2 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1847,6 +1847,10 @@ static int h264_frame_start(H264Context *h) h->cur_pic_ptr = pic; unref_picture(h, &h->cur_pic); + if (CONFIG_ERROR_RESILIENCE) { + h->er.cur_pic = NULL; + } + if ((ret = ref_picture(h, &h->cur_pic, h->cur_pic_ptr)) < 0) return ret; From dfdeabadcaf1a17e96c99375fc7893eb5cc04346 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jan 2014 02:53:32 +0100 Subject: [PATCH 160/492] cmdutils: update year Signed-off-by: Michael Niedermayer --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 6eb093df18..40acadca71 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -67,7 +67,7 @@ struct SwsContext *sws_opts; AVDictionary *swr_opts; AVDictionary *format_opts, *codec_opts, *resample_opts; -const int this_year = 2013; +const int this_year = 2014; static FILE *report_file; From 9847f02fafac16c1c3b72bad2f9bb5ccdd4d3678 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Jan 2014 20:09:48 +0100 Subject: [PATCH 161/492] dnxhdenc: fix mb_rc size Fixes out of array access with RC_VARIANCE set to 0 Signed-off-by: Michael Niedermayer (cherry picked from commit f1caaa1c61310beba705957e6366f0392a0b005b) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhdenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index 0af948e78b..ac19ea68b3 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -236,7 +236,7 @@ static av_cold int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias) static av_cold int dnxhd_init_rc(DNXHDEncContext *ctx) { - FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail); + FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail); if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD) FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail); From 7c17207ab9acfaa934e8feb8fba90765c9d0b989 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Jan 2014 18:08:18 +0100 Subject: [PATCH 162/492] avcodec/vmnc: Check that rectangles are within the picture Prevents out of array accesses with CODEC_FLAG_EMU_EDGE Signed-off-by: Michael Niedermayer (cherry picked from commit 6ba02602aa7fc7d38db582e75b8b093fb3c1608d) Conflicts: libavcodec/vmnc.c Signed-off-by: Michael Niedermayer --- libavcodec/vmnc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 99571a1b76..2cb48e619f 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -277,6 +277,11 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, const uint8_t* src, int } xy = *src++; wh = *src++; + if ( (xy >> 4) + (wh >> 4) + 1 > w - i + || (xy & 0xF) + (wh & 0xF)+1 > h - j) { + av_log(c->avctx, AV_LOG_ERROR, "Rectangle outside picture\n"); + return AVERROR_INVALIDDATA; + } paint_rect(dst2, xy >> 4, xy & 0xF, (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride); } } From ca5d6c615e505bc84fe698650b4ddbd80229eb59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Jan 2014 18:40:37 +0100 Subject: [PATCH 163/492] avcodec/jpeg2000dec: fix error detection in pix_fmt_match() Fixes out of array accesses with CODEC_FLAG_EMU_EDGE Signed-off-by: Michael Niedermayer (cherry picked from commit 8001e9f7d17e90b4b0898ba64e3b8bbd716c513c) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index d70413a0da..5231040494 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -344,7 +344,7 @@ static int get_siz(Jpeg2000DecoderContext *s) break; } } - if (s->avctx->pix_fmt == AV_PIX_FMT_NONE) { + if (i == possible_fmts_nb) { av_log(s->avctx, AV_LOG_ERROR, "Unknown pix_fmt, profile: %d, colour_space: %d, " "components: %d, precision: %d, " @@ -354,6 +354,7 @@ static int get_siz(Jpeg2000DecoderContext *s) ncomponents > 2 ? s->cdy[1] : 0, ncomponents > 2 ? s->cdx[2] : 0, ncomponents > 2 ? s->cdy[2] : 0); + return AVERROR_PATCHWELCOME; } return 0; } From d0d0924947a40df52b06cafd86fc293949edbfc2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jan 2014 19:16:02 +0100 Subject: [PATCH 164/492] avcodec/takdec: always check bits_per_raw_sample Fixes out of array access Fixes: asan_heap-oob_19c7a94_6470_cov_1453611734_luckynight-partial.tak Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f58eab151214d2d35ff0973f2b3e51c5eb372da4) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 9e01ee02d7..45366c443d 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -721,11 +721,9 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - if (s->ti.bps != avctx->bits_per_raw_sample) { - avctx->bits_per_raw_sample = s->ti.bps; - if ((ret = set_bps_params(avctx)) < 0) - return ret; - } + avctx->bits_per_raw_sample = s->ti.bps; + if ((ret = set_bps_params(avctx)) < 0) + return ret; if (s->ti.sample_rate != avctx->sample_rate) { avctx->sample_rate = s->ti.sample_rate; set_sample_rate_params(avctx); From 33c47d3976f77ba924d0a98151635d2c7306b278 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Feb 2014 19:04:37 +0100 Subject: [PATCH 165/492] avcodec/vc1: reset fcm/field_mode in non advanced header parsing Fixes NULL pointer dereference Fixes: signal_sigsegv_1ab8bf4_2847_cov_4254117347_SA10091.vc1 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b51e9354772de446e8196dabf9aad1567b22f74d) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 2b872476df..e4e25a8d53 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -631,6 +631,8 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) { int pqindex, lowquant, status; + v->field_mode = 0; + v->fcm = 0; if (v->finterpflag) v->interpfrm = get_bits1(gb); if (!v->s.avctx->codec) From 0962c26b6ba8f84609b510d5c9834a87ae94576f Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Thu, 30 Jan 2014 14:08:38 -0500 Subject: [PATCH 166/492] samplefmt: avoid integer overflow in av_samples_get_buffer_size() CC:libav-stable@libav.org (cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6) Signed-off-by: Michael Niedermayer --- libavutil/samplefmt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavutil/samplefmt.c b/libavutil/samplefmt.c index 08ecc83467..a1986980f0 100644 --- a/libavutil/samplefmt.c +++ b/libavutil/samplefmt.c @@ -135,6 +135,8 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples, /* auto-select alignment if not specified */ if (!align) { + if (nb_samples > INT_MAX - 31) + return AVERROR(EINVAL); align = 1; nb_samples = FFALIGN(nb_samples, 32); } From 13ce3673684e0fe69964f71660747e674c1f524c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Feb 2014 15:07:23 +0100 Subject: [PATCH 167/492] avcodec/wmalosslessdec: fix mclms_coeffs* array size Fixes corruption of context Fixes: 8835659dde6a4f7dcdf341de6a45c6c8-signal_sigsegv_1dce67b_4564_cov_2504444599_classical_22_16_1_14000_v3c_0_extend_0_29.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ec9578d54d09b64bf112c2bf7a34b1ef3b93dbd3) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 90a01098fb..5e6effb336 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -127,8 +127,8 @@ typedef struct WmallDecodeCtx { int8_t mclms_order; int8_t mclms_scaling; - int16_t mclms_coeffs[128]; - int16_t mclms_coeffs_cur[4]; + int16_t mclms_coeffs[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS * 32]; + int16_t mclms_coeffs_cur[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS]; int16_t mclms_prevvalues[WMALL_MAX_CHANNELS * 2 * 32]; int16_t mclms_updates[WMALL_MAX_CHANNELS * 2 * 32]; int mclms_recent; From 5e7e43c33ea45550137f5dd2b9f81deef2acbfcd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Feb 2014 13:59:51 +0100 Subject: [PATCH 168/492] avformat/mpegtsenc: Check data array size in mpegts_write_pmt() Prevents out of array writes Signed-off-by: Michael Niedermayer (cherry picked from commit 842b6c14bcfc1c5da1a2d288fd65386eb8c158ad) Conflicts: libavformat/mpegtsenc.c (cherry picked from commit e87de3f50b765134588d0b048c32ed4b8acc16fb) Signed-off-by: Michael Niedermayer --- libavformat/mpegtsenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index e7c522c8b9..0274605c7a 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -256,7 +256,7 @@ static void mpegts_write_pat(AVFormatContext *s) data, q - data); } -static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) +static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) { MpegTSWrite *ts = s->priv_data; uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr; @@ -312,6 +312,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) stream_type = STREAM_TYPE_PRIVATE_DATA; break; } + + if (q - data > sizeof(data) - 32) + return AVERROR(EINVAL); + *q++ = stream_type; put16(&q, 0xe000 | ts_st->pid); desc_length_ptr = q; @@ -343,7 +347,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) len_ptr = q++; *len_ptr = 0; - for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) { + for (p = lang->value; next && *len_ptr < 255 / 4 * 4 && q - data < sizeof(data) - 4; p = next + 1) { next = strchr(p, ','); if (strlen(p) != 3 && (!next || next != p + 3)) continue; /* not a 3-letter code */ @@ -415,6 +419,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) } mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0, data, q - data); + return 0; } /* NOTE: str == NULL is accepted for an empty string */ From 67b943ad661eb0f620448b1c8bc0d8089822ee5b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2014 01:28:26 +0100 Subject: [PATCH 169/492] avcodec/utils: set AVFrame format unconditional Fixes inconsistency and out of array accesses Fixes: 10cdd7e63e7f66e3e66273939e0863dd-asan_heap-oob_1a4ff32_7078_cov_4056274555_mov_h264_aac__mp4box_frag.mp4 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e5c7229999182ad1cef13b9eca050dba7a5a08da) Conflicts: libavcodec/utils.c (cherry picked from commit 4f94e1901a1ff0073c64122c577b6efd3dee22d4) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 9acf7bd770..5f58fb0ad2 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -640,8 +640,7 @@ int ff_init_buffer_info(AVCodecContext *avctx, AVFrame *frame) case AVMEDIA_TYPE_VIDEO: frame->width = FFMAX(avctx->width, FF_CEIL_RSHIFT(avctx->coded_width, avctx->lowres)); frame->height = FFMAX(avctx->height, FF_CEIL_RSHIFT(avctx->coded_height, avctx->lowres)); - if (frame->format < 0) - frame->format = avctx->pix_fmt; + frame->format = avctx->pix_fmt; if (!frame->sample_aspect_ratio.num) frame->sample_aspect_ratio = avctx->sample_aspect_ratio; break; From bc1c8ec5e65098fd2ccd8456f667151dfc9cda42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2014 23:08:52 +0100 Subject: [PATCH 170/492] avcodec/msrle: use av_image_get_linesize() to calculate the linesize Fixes out of array access Fixes: 14a74a0a2dc67ede543f0e35d834fbbe-asan_heap-oob_49572c_556_cov_215466444_44_001_engine_room.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c919e1ca2ecfc47d796382973ba0e48b8f6f92a2) Conflicts: libavcodec/msrle.c --- libavcodec/msrle.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index 674e586ac2..9d9200d125 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -35,6 +35,7 @@ #include "avcodec.h" #include "internal.h" #include "msrledec.h" +#include "libavutil/imgutils.h" typedef struct MsrleContext { AVCodecContext *avctx; @@ -108,7 +109,7 @@ static int msrle_decode_frame(AVCodecContext *avctx, /* FIXME how to correctly detect RLE ??? */ if (avctx->height * istride == avpkt->size) { /* assume uncompressed */ - int linesize = (avctx->width * avctx->bits_per_coded_sample + 7) / 8; + int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0); uint8_t *ptr = s->frame.data[0]; uint8_t *buf = avpkt->data + (avctx->height-1)*istride; int i, j; From d41f4e8dc82bc734cd1beba5d5ef4a7b2038d15f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Feb 2014 20:49:42 +0100 Subject: [PATCH 171/492] avcodec/ansi: fix integer overflow Fixes out of array read Fixes: 5f9698e86d92f19bb08d54ff0d57027f-signal_sigsegv_b30756_3795_cov_2693691257_ansi256.ans Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d42ec8433c687fcbccefa51a7716d81920218e4f) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 68132dfb1c..71c2ed3ed5 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -417,7 +417,7 @@ static int decode_frame(AVCodecContext *avctx, switch(buf[0]) { case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': - if (s->nb_args < MAX_NB_ARGS) + if (s->nb_args < MAX_NB_ARGS && s->args[s->nb_args] < 6553) s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0'; break; case ';': From f0ee0fcbfcb5b42f57cd6b629c0cbba1a9160ee6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Feb 2014 02:53:14 +0100 Subject: [PATCH 172/492] avcodec/snow: split block clipping checks Fixes out of array read Fixes: d4476f68ca1c1c57afbc45806f581963-asan_heap-oob_2266b27_8607_cov_4044577381_snow_chroma_bug.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 61d59703c91869f4e5cdacd8d6be52f8b89d4ba4) Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 922a48e54d..6335c5d8ae 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -317,7 +317,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer if(!sliced && !offset_dst) dst -= src_x; src_x=0; - }else if(src_x + b_w > w){ + } + if(src_x + b_w > w){ b_w = w - src_x; } if(src_y<0){ @@ -326,7 +327,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer if(!sliced && !offset_dst) dst -= src_y*dst_stride; src_y=0; - }else if(src_y + b_h> h){ + } + if(src_y + b_h> h){ b_h = h - src_y; } From 612ef09a1819da800865372df25378efffcf9acf Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 23 Feb 2014 16:39:18 -0800 Subject: [PATCH 173/492] configure: use pkg-config to detect libbluray The current configure fails when static libbluray is compiled with libxml2 support. Signed-off-by: Timothy Gu Signed-off-by: Michael Niedermayer (cherry picked from commit baa650cc7946a9eb1cf5a083f61a581a97122f03) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 47865b62ad..43b4937775 100755 --- a/configure +++ b/configure @@ -4136,7 +4136,7 @@ enabled gnutls && require_pkg_config gnutls gnutls/gnutls.h gnutls_gl enabled libiec61883 && require libiec61883 libiec61883/iec61883.h iec61883_cmp_connect -lraw1394 -lavc1394 -lrom1394 -liec61883 enabled libaacplus && require "libaacplus >= 2.0.0" aacplus.h aacplusEncOpen -laacplus enabled libass && require_pkg_config libass ass/ass.h ass_library_init -enabled libbluray && require libbluray libbluray/bluray.h bd_open -lbluray +enabled libbluray && require_pkg_config libbluray libbluray/bluray.h bd_open enabled libcelt && require libcelt celt/celt.h celt_decode -lcelt0 && { check_lib celt/celt.h celt_decoder_create_custom -lcelt0 || die "ERROR: libcelt must be installed and version must be >= 0.11.0."; } From e939c7b7f533af3af8db2c2791ad403f650e8548 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Mar 2014 02:40:19 +0100 Subject: [PATCH 174/492] avcodec/utvideoenc: fix slice_bits size Fixes assertion failure Signed-off-by: Michael Niedermayer (cherry picked from commit 0a8c90202bb906747168a698b6837496f82c717c) Conflicts: libavcodec/utvideoenc.c (cherry picked from commit 57522ca79cc38c279123596d3288ddbf56fa8903) Signed-off-by: Michael Niedermayer --- libavcodec/utvideoenc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index acb25c3899..ce9f249431 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c @@ -468,7 +468,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, * get the offset in bits and convert to bytes. */ offset += write_huff_codes(dst + sstart * width, c->slice_bits, - width * (send - sstart), width, + width * height + 4, width, send - sstart, he) >> 3; slice_len = offset - slice_len; @@ -525,8 +525,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, bytestream2_init_writer(&pb, dst, pkt->size); - av_fast_malloc(&c->slice_bits, &c->slice_bits_size, - width * height + FF_INPUT_BUFFER_PADDING_SIZE); + av_fast_padded_malloc(&c->slice_bits, &c->slice_bits_size, width * height + 4); if (!c->slice_bits) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer 2.\n"); From 7de7bd4f563a1431bdac59dae5d8e930e71405e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Mar 2014 01:20:37 +0100 Subject: [PATCH 175/492] update for 2.0.4 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 50ffc5aa7f..2165f8f9b6 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.0.3 +2.0.4 diff --git a/VERSION b/VERSION index 50ffc5aa7f..2165f8f9b6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.0.3 +2.0.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 6ff927c619..3aa4e80671 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.0.3 +PROJECT_NUMBER = 2.0.4 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 9ecd0f34adcc042bb4a009e9e806f35bf75f5e9c Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 4 Nov 2013 16:22:27 +0100 Subject: [PATCH 176/492] avformat/mov: only force parsing for video tracks if stss is empty Fixes playback of some AAC streams, which are otherwise mangled by the parser, and stss is typically only valid for video anyway. Fixes a regression since e41ea866. Signed-off-by: Michael Niedermayer (cherry picked from commit 019247bdc326a90bf20d3ce5d2413cc642e8bb08) --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 54b57b0958..790c855ecc 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1697,7 +1697,7 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) { sc->keyframe_absent = 1; - if (!st->need_parsing) + if (!st->need_parsing && st->codec->codec_type == AVMEDIA_TYPE_VIDEO) st->need_parsing = AVSTREAM_PARSE_HEADERS; return 0; } From 5ee384c4eb6b4f6cc724bc2e72a31a3bc9839247 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Feb 2014 06:32:51 +0100 Subject: [PATCH 177/492] avformat/mov: fix keyframe flags for sample from chromium Issue 340865 Fixes ticket #3362. Signed-off-by: Michael Niedermayer (cherry picked from commit a0911b059763b8f13c70adcbbe71e10382855104) --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 790c855ecc..b668c8276a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2054,6 +2054,11 @@ static void mov_build_index(MOVContext *mov, AVStream *st) rap_group_index++; } } + if (sc->keyframe_absent + && !sc->stps_count + && !rap_group_present + && st->codec->codec_type == AVMEDIA_TYPE_AUDIO) + keyframe = 1; if (keyframe) distance = 0; sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; From 91d024d75dce74f2e149be9092debfe6a9cec2b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Mar 2014 17:32:15 +0100 Subject: [PATCH 178/492] avutil/timestamp: Warn about missing __STDC_FORMAT_MACROS for C++ use Signed-off-by: Michael Niedermayer (cherry picked from commit 8b02dfd37cb3bc9521fc6e1f5b5f13c80d144cd2) Signed-off-by: Michael Niedermayer --- libavutil/timestamp.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/timestamp.h b/libavutil/timestamp.h index f63a08c579..f010a7ee38 100644 --- a/libavutil/timestamp.h +++ b/libavutil/timestamp.h @@ -26,6 +26,10 @@ #include "common.h" +#if defined(__cplusplus) && !defined(__STDC_FORMAT_MACROS) && !defined(PRId64) +#error missing -D__STDC_FORMAT_MACROS / #define __STDC_FORMAT_MACROS +#endif + #define AV_TS_MAX_STRING_SIZE 32 /** From 9933e06595c0073785474e17be88d8fe442617ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Mar 2014 22:52:22 +0100 Subject: [PATCH 179/492] swscale/x86/swscale: fix missing xmm clobbers in yuv2yuvX_sse3() Signed-off-by: Michael Niedermayer (cherry picked from commit 6c47a4e972485e5f0c812159373f703c6f1d089f) Signed-off-by: Michael Niedermayer --- libswscale/x86/swscale.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index 961b6220d3..4333ceb467 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c @@ -266,7 +266,8 @@ static void yuv2yuvX_sse3(const int16_t *filter, int filterSize, "jb 1b \n\t"\ :: "g" (filter), "r" (dest-offset), "g" ((x86_reg)(dstW+offset)), "m" (offset) - : "%"REG_d, "%"REG_S, "%"REG_c + : XMM_CLOBBERS("%xmm0" , "%xmm1" , "%xmm2" , "%xmm3" , "%xmm4" , "%xmm5" , "%xmm7" ,) + "%"REG_d, "%"REG_S, "%"REG_c ); } #endif From d581567e0948e709c5ab995a1eaa91587797a12f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Mar 2014 00:07:53 +0100 Subject: [PATCH 180/492] avcodec/utils: fix sizeof(AVFrame) dependence in avcodec_encode_audio2() This is a bit tricky, we allocate a correctly sized AVFrame but then only copy the compile time AVFrame size, this is to ensure that user applications which do not use the correct av frame API dont end with out of array reads. Note, applications using the correct API have set extended_data and the changed code will never be executed for them. Signed-off-by: Michael Niedermayer (cherry picked from commit 8ab80707841a73ca7708e1e1aa97f3513fff3d35) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 5f58fb0ad2..7a45653430 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1491,7 +1491,7 @@ int attribute_align_arg avcodec_encode_audio2(AVCodecContext *avctx, const AVFrame *frame, int *got_packet_ptr) { - AVFrame tmp; + AVFrame *extended_frame = NULL; AVFrame *padded_frame = NULL; int ret; AVPacket user_pkt = *avpkt; @@ -1516,9 +1516,13 @@ int attribute_align_arg avcodec_encode_audio2(AVCodecContext *avctx, } av_log(avctx, AV_LOG_WARNING, "extended_data is not set.\n"); - tmp = *frame; - tmp.extended_data = tmp.data; - frame = &tmp; + extended_frame = av_frame_alloc(); + if (!extended_frame) + return AVERROR(ENOMEM); + + memcpy(extended_frame, frame, sizeof(AVFrame)); + extended_frame->extended_data = extended_frame->data; + frame = extended_frame; } /* check for valid frame size */ @@ -1526,14 +1530,15 @@ int attribute_align_arg avcodec_encode_audio2(AVCodecContext *avctx, if (avctx->codec->capabilities & CODEC_CAP_SMALL_LAST_FRAME) { if (frame->nb_samples > avctx->frame_size) { av_log(avctx, AV_LOG_ERROR, "more samples than frame size (avcodec_encode_audio2)\n"); - return AVERROR(EINVAL); + ret = AVERROR(EINVAL); + goto end; } } else if (!(avctx->codec->capabilities & CODEC_CAP_VARIABLE_FRAME_SIZE)) { if (frame->nb_samples < avctx->frame_size && !avctx->internal->last_audio_frame) { ret = pad_last_frame(avctx, &padded_frame, frame); if (ret < 0) - return ret; + goto end; frame = padded_frame; avctx->internal->last_audio_frame = 1; @@ -1605,6 +1610,7 @@ int attribute_align_arg avcodec_encode_audio2(AVCodecContext *avctx, end: av_frame_free(&padded_frame); + av_free(extended_frame); return ret; } From 6387aa94d664ba2203834a04320c671be3f31eb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Mar 2014 18:06:17 +0100 Subject: [PATCH 181/492] avcodec/h263dec: Fix use of uninitialized memory from the bitstream buffer Signed-off-by: Michael Niedermayer (cherry picked from commit f07cebcd910c97ff6012085c21493231752990e9) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index bf9e072546..fde8d484b0 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -718,10 +718,10 @@ frame_end: } if(startcode_found){ - av_fast_malloc( + av_fast_padded_mallocz( &s->bitstream_buffer, &s->allocated_bitstream_buffer_size, - buf_size - current_pos + FF_INPUT_BUFFER_PADDING_SIZE); + buf_size - current_pos); if (!s->bitstream_buffer) return AVERROR(ENOMEM); memcpy(s->bitstream_buffer, buf + current_pos, buf_size - current_pos); From f65501f80cbc2f251b6a50b881652acb64540fe0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Mar 2014 15:45:03 +0100 Subject: [PATCH 182/492] ffmpeg: dont call exit_program() from a signal hander This is unsafe and can deadlock amongth other things Signed-off-by: Michael Niedermayer (cherry picked from commit 9dca02ee541120de2a96c387faed9a4e033a60fd) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 01cfaea850..2a9bafda79 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -319,7 +319,7 @@ sigterm_handler(int sig) received_nb_signals++; term_exit(); if(received_nb_signals > 3) - exit_program(123); + exit(123); } void term_init(void) From 673f679c8ae219b6857600f6e3a2d399f6742d80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Mar 2014 01:26:48 +0100 Subject: [PATCH 183/492] avformat/mp3enc: use av_copy_packet() Fixes double free Fixes Ticket3476 Signed-off-by: Michael Niedermayer (cherry picked from commit d003a0cd2e587a47627fd328f9fc5a484adc29f2) Signed-off-by: Michael Niedermayer --- libavformat/mp3enc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c index ee0956e8b9..c94aa590ec 100644 --- a/libavformat/mp3enc.c +++ b/libavformat/mp3enc.c @@ -418,14 +418,14 @@ static int mp3_write_packet(AVFormatContext *s, AVPacket *pkt) if (mp3->pics_to_write) { /* buffer audio packets until we get all the pictures */ AVPacketList *pktl = av_mallocz(sizeof(*pktl)); + int ret; if (!pktl) return AVERROR(ENOMEM); - pktl->pkt = *pkt; - pktl->pkt.buf = av_buffer_ref(pkt->buf); - if (!pktl->pkt.buf) { + ret = av_copy_packet(&pktl->pkt, pkt); + if (ret < 0) { av_freep(&pktl); - return AVERROR(ENOMEM); + return ret; } if (mp3->queue_end) From 3ae71dd33ed3a4fb36994622bf4ed0418027150e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Mar 2014 00:08:54 +0100 Subject: [PATCH 184/492] avcodec: Add padding after the remaining AVFrames This limits ABI issues in case libavcodec is linked to a libavutil with larger AVFrame Which can happen if they are shiped in seperate binary packages and libavutil is upgraded A cleaner alternative would be to replace them by pointers but this would likely cause a small speedloss Signed-off-by: Michael Niedermayer (cherry picked from commit fc567ac49e17151f00f31b59030cd10f952612ef) Conflicts: libavcodec/h264.h --- libavcodec/mpegvideo.h | 1 + libavcodec/utils.c | 1 + 2 files changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index cbd01c4474..f72e89e25e 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -96,6 +96,7 @@ struct MpegEncContext; */ typedef struct Picture{ struct AVFrame f; + uint8_t avframe_padding[1024]; // hack to allow linking to a avutil with larger AVFrame ThreadFrame tf; AVBufferRef *qscale_table_buf; diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 7a45653430..f3dc8537f9 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -682,6 +682,7 @@ int avcodec_default_get_buffer(AVCodecContext *avctx, AVFrame *frame) typedef struct CompatReleaseBufPriv { AVCodecContext avctx; AVFrame frame; + uint8_t avframe_padding[1024]; // hack to allow linking to a avutil with larger AVFrame } CompatReleaseBufPriv; static void compat_free_buffer(void *opaque, uint8_t *data) From 36fc9bff08f989d28c19fd6624f5239098407120 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Mar 2014 05:01:32 +0100 Subject: [PATCH 185/492] swscale/swscale: fix integer overflow Should fix fate failure with clang ftrapv Signed-off-by: Michael Niedermayer (cherry picked from commit c9c0451224fd7bc38b4e135e99f114f80c1ae67f) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index c5bba82e88..c336548bac 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -208,8 +208,9 @@ static void lumRangeToJpeg16_c(int16_t *_dst, int width) { int i; int32_t *dst = (int32_t *) _dst; - for (i = 0; i < width; i++) - dst[i] = (FFMIN(dst[i], 30189 << 4) * 4769 - (39057361 << 2)) >> 12; + for (i = 0; i < width; i++) { + dst[i] = ((int)(FFMIN(dst[i], 30189 << 4) * 4769U - (39057361 << 2))) >> 12; + } } static void lumRangeFromJpeg16_c(int16_t *_dst, int width) From 102df43f49cb6dc94ed70ec29fbfe5e27f9209f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Mar 2014 22:04:52 +0100 Subject: [PATCH 186/492] dox/scaler:fix bicubiclin typo See Ticket3486 Signed-off-by: Michael Niedermayer (cherry picked from commit 575b957758670d6094e9095acfcc24e4e32fc4a7) Signed-off-by: Michael Niedermayer --- doc/scaler.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/scaler.texi b/doc/scaler.texi index c33b6d93ad..16b56a92d1 100644 --- a/doc/scaler.texi +++ b/doc/scaler.texi @@ -33,7 +33,7 @@ Select nearest neighbor rescaling algorithm. @item area Select averaging area rescaling algorithm. -@item bicubiclin +@item bicublin Select bicubic scaling algorithm for the luma component, bilinear for chroma components. From b556432f5a7566b00525d215e55327fd1b3872b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Mar 2014 00:15:52 +0100 Subject: [PATCH 187/492] avcodec/x86/mpegvideoenc_template: fix integer overflow Signed-off-by: Michael Niedermayer --- libavcodec/x86/mpegvideoenc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/mpegvideoenc_template.c b/libavcodec/x86/mpegvideoenc_template.c index 1e0505ea3c..b0ba234d4b 100644 --- a/libavcodec/x86/mpegvideoenc_template.c +++ b/libavcodec/x86/mpegvideoenc_template.c @@ -216,7 +216,7 @@ static int RENAME(dct_quantize)(MpegEncContext *s, "psubusw "MM"1, "MM"4 \n\t" "packuswb "MM"4, "MM"4 \n\t" #if COMPILE_TEMPLATE_SSE2 - "packuswb "MM"4, "MM"4 \n\t" + "packsswb "MM"4, "MM"4 \n\t" #endif "movd "MM"4, %0 \n\t" // *overflow : "=g" (*overflow) From c7f419efd1df6469e3a704a5d121443b7d443a45 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Mar 2014 18:09:23 +0100 Subject: [PATCH 188/492] avcodec/h264_mp4toannexb_bsf: prepend global headers before any in stream parameter sets Fixes h264_mp4toannexb_bsf_failure.mkv Signed-off-by: Michael Niedermayer (cherry picked from commit 289b149cecb381522cc9ccdf382825330169c655) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index eeb67e46d7..975e6e5557 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -172,7 +172,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, goto fail; /* prepend only to the first type 5 NAL unit of an IDR picture */ - if (ctx->first_idr && unit_type == 5) { + if (ctx->first_idr && (unit_type == 5 || unit_type == 7 || unit_type == 8)) { if ((ret=alloc_and_copy(poutbuf, poutbuf_size, avctx->extradata, avctx->extradata_size, buf, nal_size)) < 0) From 02055da69ace89c7c8a6058969ecf34bb4c16332 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Mar 2014 00:03:38 +0100 Subject: [PATCH 189/492] avcodec/libx264: move where x264opts is applied down so it isnt overridden by avctx & defaults fixes x264opts opengop=1 Signed-off-by: Michael Niedermayer (cherry picked from commit 64b79141bdfdffaa9fda69eecce140473d0a9a18) Signed-off-by: Michael Niedermayer --- libavcodec/libx264.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index 0a1341263c..fb5268a9f5 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -343,19 +343,6 @@ static av_cold int X264_init(AVCodecContext *avctx) OPT_STR("level", x4->level); - if(x4->x264opts){ - const char *p= x4->x264opts; - while(p){ - char param[256]={0}, val[256]={0}; - if(sscanf(p, "%255[^:=]=%255[^:]", param, val) == 1){ - OPT_STR(param, "1"); - }else - OPT_STR(param, val); - p= strchr(p, ':'); - p+=!!p; - } - } - if (avctx->i_quant_factor > 0) x4->params.rc.f_ip_factor = 1 / fabs(avctx->i_quant_factor); @@ -525,6 +512,19 @@ static av_cold int X264_init(AVCodecContext *avctx) if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) x4->params.b_repeat_headers = 0; + if(x4->x264opts){ + const char *p= x4->x264opts; + while(p){ + char param[256]={0}, val[256]={0}; + if(sscanf(p, "%255[^:=]=%255[^:]", param, val) == 1){ + OPT_STR(param, "1"); + }else + OPT_STR(param, val); + p= strchr(p, ':'); + p+=!!p; + } + } + if (x4->x264_params) { AVDictionary *dict = NULL; AVDictionaryEntry *en = NULL; From 5ac53d07a276ae019d9975ab57fc033ca565b142 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Apr 2014 23:46:25 +0200 Subject: [PATCH 190/492] avcodec/h264: clear cur_pic structure instead of duplicating it in ff_h264_update_thread_context() Fixes crash Found-by: iive Signed-off-by: Michael Niedermayer (cherry picked from commit 8710ee11d75eebc17e7d63bc6ffb91766933bd68) Conflicts: libavcodec/h264_slice.c (cherry picked from commit cb44d69665596d2f19e032fc852162b0a6de0562) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 9111d923d2..7227e1ee27 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1682,6 +1682,7 @@ static int decode_update_thread_context(AVCodecContext *dst, memset(&h->mb, 0, sizeof(h->mb)); memset(&h->mb_luma_dc, 0, sizeof(h->mb_luma_dc)); memset(&h->mb_padding, 0, sizeof(h->mb_padding)); + memset(&h->cur_pic, 0, sizeof(h->cur_pic)); h->avctx = dst; h->DPB = NULL; From c61c66cfb17e3552689020f0ef228b149ab42627 Mon Sep 17 00:00:00 2001 From: Lukasz Marek Date: Fri, 4 Apr 2014 19:28:45 +0200 Subject: [PATCH 191/492] lavu/opt: validate range before dereference This change make error handling simplier. av_opt_freep_ranges may be called when some ranges are NULL, for example after memory allocation fail. Signed-off-by: Lukasz Marek Signed-off-by: Michael Niedermayer (cherry picked from commit 3aac5fcfa9d3748659d78ab2a66d0ccce22cfd4f) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 24511defa2..15b681cc3f 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -1430,8 +1430,10 @@ void av_opt_freep_ranges(AVOptionRanges **rangesp) for (i = 0; i < ranges->nb_ranges; i++) { AVOptionRange *range = ranges->range[i]; - av_freep(&range->str); - av_freep(&ranges->range[i]); + if (range) { + av_freep(&range->str); + av_freep(&ranges->range[i]); + } } av_freep(&ranges->range); av_freep(rangesp); From 5805c0c2b6cf4d8c621acb76fd16b611e6599bd3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Apr 2014 21:34:03 +0200 Subject: [PATCH 192/492] avcodec/wma: use av_freep(), do not leave stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit d167faafe9dfa0b82bebb267c3c4e5fa5286bd67) Signed-off-by: Michael Niedermayer --- libavcodec/wma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wma.c b/libavcodec/wma.c index b6dab4b65d..696157d750 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -386,9 +386,9 @@ int ff_wma_end(AVCodecContext *avctx) } for (i = 0; i < 2; i++) { ff_free_vlc(&s->coef_vlc[i]); - av_free(s->run_table[i]); - av_free(s->level_table[i]); - av_free(s->int_table[i]); + av_freep(&s->run_table[i]); + av_freep(&s->level_table[i]); + av_freep(&s->int_table[i]); } return 0; From 491e1ec95db40130b29ba5749d6f6312c9c2f8fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Apr 2014 04:01:24 +0200 Subject: [PATCH 193/492] avcodec/msrle: check return code for success before use The check is possibly redundant, but better to check for errors that dont occur than to skip the check and crash Fixes CID1197060 Signed-off-by: Michael Niedermayer (cherry picked from commit 754f84663e8b3a88fa2e953b195d59230393fb8d) Signed-off-by: Michael Niedermayer --- libavcodec/msrle.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index 9d9200d125..113dd548d3 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -114,6 +114,9 @@ static int msrle_decode_frame(AVCodecContext *avctx, uint8_t *buf = avpkt->data + (avctx->height-1)*istride; int i, j; + if (linesize < 0) + return linesize; + for (i = 0; i < avctx->height; i++) { if (avctx->bits_per_coded_sample == 4) { for (j = 0; j < avctx->width - 1; j += 2) { From 1c321b7c31aa6e2cd763176961f818ff91e48168 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Apr 2014 00:19:07 +0200 Subject: [PATCH 194/492] swresample/resample: Limit filter length Related to CID1197063 The limit choosen is arbitrary and much larger than what makes sense. It avoids the need for checking arithmetic operations with the length for overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f9158b01d0f3effb58e87fb07db0382bc1e47de5) Signed-off-by: Michael Niedermayer --- libswresample/resample.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswresample/resample.c b/libswresample/resample.c index fb9da7c354..1288d9fe1f 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -229,6 +229,11 @@ static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_r av_assert0(0); } + if (filter_size/factor > INT32_MAX/256) { + av_log(NULL, AV_LOG_ERROR, "Filter length too large\n"); + goto error; + } + c->phase_shift = phase_shift; c->phase_mask = phase_count - 1; c->linear = linear; From c9ed7a4fc13ce8ae94575fca45d0547d27d8da33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Apr 2014 00:29:06 +0200 Subject: [PATCH 195/492] swresample/dither: use av_malloc_array() Signed-off-by: Michael Niedermayer (cherry picked from commit a5290cb1ac047851563da7aca06569e3ada55f79) Signed-off-by: Michael Niedermayer --- libswresample/dither.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/dither.c b/libswresample/dither.c index 7cbe410557..b8b592a7ce 100644 --- a/libswresample/dither.c +++ b/libswresample/dither.c @@ -26,7 +26,7 @@ void swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt) { double scale = s->dither.noise_scale; #define TMP_EXTRA 2 - double *tmp = av_malloc((len + TMP_EXTRA) * sizeof(double)); + double *tmp = av_malloc_array(len + TMP_EXTRA, sizeof(double)); int i; for(i=0; i Date: Tue, 8 Apr 2014 00:29:26 +0200 Subject: [PATCH 196/492] swresample/resample: use av_malloc_array() where appropriate Signed-off-by: Michael Niedermayer (cherry picked from commit 5027f39712fdce25b9008e72d52e5abfeefd5fe6) Signed-off-by: Michael Niedermayer --- libswresample/resample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/resample.c b/libswresample/resample.c index 1288d9fe1f..93c86aa6bd 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -95,7 +95,7 @@ static int build_filter(ResampleContext *c, void *filter, double factor, int tap int filter_type, int kaiser_beta){ int ph, i; double x, y, w; - double *tab = av_malloc(tap_count * sizeof(*tab)); + double *tab = av_malloc_array(tap_count, sizeof(*tab)); const int center= (tap_count-1)/2; if (!tab) From 218c853774a9d8e3752c7e66c8c2408b3c44f498 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Apr 2014 18:12:12 +0200 Subject: [PATCH 197/492] swscale/x86/swscale_template: loose hardcoded dstw_offset Signed-off-by: Michael Niedermayer (cherry picked from commit f6759d9ad4a8b71e6f212ca4f1e7da9fa56d3298) Signed-off-by: Michael Niedermayer --- libswscale/x86/swscale_template.c | 78 +++++++++++++++---------------- 1 file changed, 37 insertions(+), 41 deletions(-) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index f2567c1d8b..98a3dc880a 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c @@ -332,7 +332,7 @@ static void RENAME(yuv2yuvX)(const int16_t *filter, int filterSize, MOVNTQ( q3, 24(dst, index, 4))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITEBGR32(dst, dstw, index, b, g, r, a, q0, q2, q3, t) REAL_WRITEBGR32(dst, dstw, index, b, g, r, a, q0, q2, q3, t) @@ -358,13 +358,13 @@ static void RENAME(yuv2rgb32_X_ar)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" "packuswb %%mm7, %%mm1 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm3, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm2, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm3, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm2, %%mm6) YSCALEYUV2PACKEDX_END } else { YSCALEYUV2PACKEDX_ACCURATE YSCALEYUV2RGBX "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) YSCALEYUV2PACKEDX_END } } @@ -387,13 +387,13 @@ static void RENAME(yuv2rgb32_X)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" "packuswb %%mm7, %%mm1 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) YSCALEYUV2PACKEDX_END } else { YSCALEYUV2PACKEDX YSCALEYUV2RGBX "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) YSCALEYUV2PACKEDX_END } } @@ -422,7 +422,7 @@ static void RENAME(yuv2rgb32_X)(SwsContext *c, const int16_t *lumFilter, MOVNTQ(%%mm1, 8(dst, index, 2))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITERGB16(dst, dstw, index) REAL_WRITERGB16(dst, dstw, index) @@ -446,7 +446,7 @@ static void RENAME(yuv2rgb565_X_ar)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4\n\t" "paddusb "RED_DITHER"(%0), %%mm5\n\t" #endif - WRITERGB16(%4, %5, %%REGa) + WRITERGB16(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -470,7 +470,7 @@ static void RENAME(yuv2rgb565_X)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4 \n\t" "paddusb "RED_DITHER"(%0), %%mm5 \n\t" #endif - WRITERGB16(%4, %5, %%REGa) + WRITERGB16(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -499,7 +499,7 @@ static void RENAME(yuv2rgb565_X)(SwsContext *c, const int16_t *lumFilter, MOVNTQ(%%mm1, 8(dst, index, 2))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITERGB15(dst, dstw, index) REAL_WRITERGB15(dst, dstw, index) @@ -523,7 +523,7 @@ static void RENAME(yuv2rgb555_X_ar)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4\n\t" "paddusb "RED_DITHER"(%0), %%mm5\n\t" #endif - WRITERGB15(%4, %5, %%REGa) + WRITERGB15(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -547,7 +547,7 @@ static void RENAME(yuv2rgb555_X)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4 \n\t" "paddusb "RED_DITHER"(%0), %%mm5 \n\t" #endif - WRITERGB15(%4, %5, %%REGa) + WRITERGB15(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -601,7 +601,7 @@ static void RENAME(yuv2rgb555_X)(SwsContext *c, const int16_t *lumFilter, "add $24, "#dst" \n\t"\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITEBGR24MMXEXT(dst, dstw, index) \ @@ -649,7 +649,7 @@ static void RENAME(yuv2rgb555_X)(SwsContext *c, const int16_t *lumFilter, "add $24, "#dst" \n\t"\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #if COMPILE_TEMPLATE_MMXEXT @@ -676,7 +676,7 @@ static void RENAME(yuv2bgr24_X_ar)(SwsContext *c, const int16_t *lumFilter, "pxor %%mm7, %%mm7 \n\t" "lea (%%"REG_a", %%"REG_a", 2), %%"REG_c"\n\t" //FIXME optimize "add %4, %%"REG_c" \n\t" - WRITEBGR24(%%REGc, %5, %%REGa) + WRITEBGR24(%%REGc, "%5", %%REGa) :: "r" (&c->redDither), "m" (dummy), "m" (dummy), "m" (dummy), "r" (dest), "m" (dstW_reg), "m"(uv_off) @@ -700,7 +700,7 @@ static void RENAME(yuv2bgr24_X)(SwsContext *c, const int16_t *lumFilter, "pxor %%mm7, %%mm7 \n\t" "lea (%%"REG_a", %%"REG_a", 2), %%"REG_c" \n\t" //FIXME optimize "add %4, %%"REG_c" \n\t" - WRITEBGR24(%%REGc, %5, %%REGa) + WRITEBGR24(%%REGc, "%5", %%REGa) :: "r" (&c->redDither), "m" (dummy), "m" (dummy), "m" (dummy), "r" (dest), "m" (dstW_reg), "m"(uv_off) @@ -721,7 +721,7 @@ static void RENAME(yuv2bgr24_X)(SwsContext *c, const int16_t *lumFilter, MOVNTQ(%%mm7, 8(dst, index, 2))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITEYUY2(dst, dstw, index) REAL_WRITEYUY2(dst, dstw, index) @@ -742,7 +742,7 @@ static void RENAME(yuv2yuyv422_X_ar)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm4 \n\t" "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" - WRITEYUY2(%4, %5, %%REGa) + WRITEYUY2(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -763,7 +763,7 @@ static void RENAME(yuv2yuyv422_X)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm4 \n\t" "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" - WRITEYUY2(%4, %5, %%REGa) + WRITEYUY2(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -864,7 +864,7 @@ static void RENAME(yuv2rgb32_2)(SwsContext *c, const int16_t *buf[2], "psraw $3, %%mm1 \n\t" /* abuf0[eax] - abuf1[eax] >>7*/ "psraw $3, %%mm7 \n\t" /* abuf0[eax] - abuf1[eax] >>7*/ "packuswb %%mm7, %%mm1 \n\t" - WRITEBGR32(%4, 8280(%5), %%r8, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) + WRITEBGR32(%4, DSTW_OFFSET"(%5)", %%r8, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "r" (dest), "a" (&c->redDither), "r" (abuf0), "r" (abuf1) @@ -888,7 +888,7 @@ static void RENAME(yuv2rgb32_2)(SwsContext *c, const int16_t *buf[2], "packuswb %%mm7, %%mm1 \n\t" "pop %1 \n\t" "pop %0 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -902,7 +902,7 @@ static void RENAME(yuv2rgb32_2)(SwsContext *c, const int16_t *buf[2], "push %%"REG_BP" \n\t" YSCALEYUV2RGB(%%REGBP, %5) "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -919,14 +919,13 @@ static void RENAME(yuv2bgr24_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2RGB(%%REGBP, %5) "pxor %%mm7, %%mm7 \n\t" - WRITEBGR24(%%REGb, 8280(%5), %%REGBP) + WRITEBGR24(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -942,7 +941,6 @@ static void RENAME(yuv2rgb555_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" @@ -955,7 +953,7 @@ static void RENAME(yuv2rgb555_2)(SwsContext *c, const int16_t *buf[2], "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB15(%%REGb, 8280(%5), %%REGBP) + WRITERGB15(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -971,7 +969,6 @@ static void RENAME(yuv2rgb565_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" @@ -984,7 +981,7 @@ static void RENAME(yuv2rgb565_2)(SwsContext *c, const int16_t *buf[2], "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB16(%%REGb, 8280(%5), %%REGBP) + WRITERGB16(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1040,13 +1037,12 @@ static void RENAME(yuv2yuyv422_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2PACKED(%%REGBP, %5) - WRITEYUY2(%%REGb, 8280(%5), %%REGBP) + WRITEYUY2(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1189,7 +1185,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1(%%REGBP, %5) YSCALEYUV2RGB1_ALPHA(%%REGBP) - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (abuf0), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1202,7 +1198,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1(%%REGBP, %5) "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1218,7 +1214,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1b(%%REGBP, %5) YSCALEYUV2RGB1_ALPHA(%%REGBP) - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (abuf0), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1231,7 +1227,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1b(%%REGBP, %5) "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1257,7 +1253,7 @@ static void RENAME(yuv2bgr24_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1(%%REGBP, %5) "pxor %%mm7, %%mm7 \n\t" - WRITEBGR24(%%REGb, 8280(%5), %%REGBP) + WRITEBGR24(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1271,7 +1267,7 @@ static void RENAME(yuv2bgr24_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1b(%%REGBP, %5) "pxor %%mm7, %%mm7 \n\t" - WRITEBGR24(%%REGb, 8280(%5), %%REGBP) + WRITEBGR24(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1302,7 +1298,7 @@ static void RENAME(yuv2rgb555_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB15(%%REGb, 8280(%5), %%REGBP) + WRITERGB15(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1322,7 +1318,7 @@ static void RENAME(yuv2rgb555_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB15(%%REGb, 8280(%5), %%REGBP) + WRITERGB15(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1353,7 +1349,7 @@ static void RENAME(yuv2rgb565_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB16(%%REGb, 8280(%5), %%REGBP) + WRITERGB16(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1373,7 +1369,7 @@ static void RENAME(yuv2rgb565_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB16(%%REGb, 8280(%5), %%REGBP) + WRITERGB16(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1434,7 +1430,7 @@ static void RENAME(yuv2yuyv422_1)(SwsContext *c, const int16_t *buf0, "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2PACKED1(%%REGBP, %5) - WRITEYUY2(%%REGb, 8280(%5), %%REGBP) + WRITEYUY2(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1447,7 +1443,7 @@ static void RENAME(yuv2yuyv422_1)(SwsContext *c, const int16_t *buf0, "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2PACKED1b(%%REGBP, %5) - WRITEYUY2(%%REGb, 8280(%5), %%REGBP) + WRITEYUY2(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), From 853bbe1aed3b09d7aa5aabecd420076c66da04f4 Mon Sep 17 00:00:00 2001 From: Anthoine Bourgeois Date: Wed, 9 Apr 2014 12:18:32 +0200 Subject: [PATCH 198/492] avcodec/dirac_arith: Fix build with PIC and stack-check options Fixes Ticket3540 The function dirac_get_arith_bit in libavcodec/dirac_arith.h can't be built with PIC and check-stack because the asm code needs 6 registers and PIC and check-stack options take 1 each and x86 is quite limited in this area. Signed-off-by: Michael Niedermayer (cherry picked from commit d8ab7f31dd819f7b3e0d460a2fa4261aaae87b98) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_arith.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dirac_arith.h b/libavcodec/dirac_arith.h index f9a8bba5fd..089c71a698 100644 --- a/libavcodec/dirac_arith.h +++ b/libavcodec/dirac_arith.h @@ -28,6 +28,7 @@ #ifndef AVCODEC_DIRAC_ARITH_H #define AVCODEC_DIRAC_ARITH_H +#include "libavutil/x86/asm.h" #include "bytestream.h" #include "get_bits.h" @@ -134,7 +135,7 @@ static inline int dirac_get_arith_bit(DiracArith *c, int ctx) range_times_prob = (c->range * prob_zero) >> 16; -#if HAVE_FAST_CMOV && HAVE_INLINE_ASM +#if HAVE_FAST_CMOV && HAVE_INLINE_ASM && HAVE_6REGS low -= range_times_prob << 16; range -= range_times_prob; bit = 0; From 2ca68b98ba496c41a269b566174310ed7bc65cd6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Apr 2014 17:29:27 +0200 Subject: [PATCH 199/492] avcodec/x86/idct_sse2_xvid: fix non C99 inline function Found-by: Matt Oliver Signed-off-by: Michael Niedermayer (cherry picked from commit 46d5625f44185271862337d61cd246fd569c42a4) Signed-off-by: Michael Niedermayer --- libavcodec/x86/idct_sse2_xvid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/idct_sse2_xvid.c b/libavcodec/x86/idct_sse2_xvid.c index ee2a08d73a..2e6de832e2 100644 --- a/libavcodec/x86/idct_sse2_xvid.c +++ b/libavcodec/x86/idct_sse2_xvid.c @@ -343,7 +343,7 @@ DECLARE_ASM_CONST(16, int32_t, walkenIdctRounders)[] = { "movdqa %%xmm6, 4*16("dct") \n\t" \ "movdqa "SREG2", 7*16("dct") \n\t" -inline void ff_idct_xvid_sse2(short *block) +av_extern_inline void ff_idct_xvid_sse2(short *block) { __asm__ volatile( "movq "MANGLE(m127)", %%mm0 \n\t" From 690a3c4fb7c90cd1919ae9bb08c26758d674a513 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 01:55:08 +0200 Subject: [PATCH 200/492] swscale/swscale: fix srcStride/srcSlice typo Fixes part of Ticket3466 Found by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit 14fa7fc6a81d5e59e05243cdc92108eab1b138ac) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index c336548bac..db82802455 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -866,7 +866,7 @@ int attribute_align_arg sws_scale(struct SwsContext *c, uint8_t *dst2[4]; uint8_t *rgb0_tmp = NULL; - if (!srcSlice || !dstStride || !dst || !srcSlice) { + if (!srcStride || !dstStride || !dst || !srcSlice) { av_log(c, AV_LOG_ERROR, "One of the input parameters to sws_scale() is NULL, please check the calling code\n"); return 0; } From 6f6f5f9c8b3d1682d8c00dbe649ccf2e4de59132 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 201/492] avcodec/mjpegen: Fix declared argument size Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit 256f530603ef3838a712a4fcd737b46b7bce455e) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegenc.c | 2 +- libavcodec/mjpegenc.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegenc.c b/libavcodec/mjpegenc.c index 80a4022c7e..9460d7bd74 100644 --- a/libavcodec/mjpegenc.c +++ b/libavcodec/mjpegenc.c @@ -454,7 +454,7 @@ static void encode_block(MpegEncContext *s, int16_t *block, int n) put_bits(&s->pb, huff_size_ac[0], huff_code_ac[0]); } -void ff_mjpeg_encode_mb(MpegEncContext *s, int16_t block[6][64]) +void ff_mjpeg_encode_mb(MpegEncContext *s, int16_t block[12][64]) { int i; if (s->chroma_format == CHROMA_444) { diff --git a/libavcodec/mjpegenc.h b/libavcodec/mjpegenc.h index ce0c1cce15..041f026bba 100644 --- a/libavcodec/mjpegenc.h +++ b/libavcodec/mjpegenc.h @@ -56,6 +56,6 @@ void ff_mjpeg_encode_picture_trailer(MpegEncContext *s); void ff_mjpeg_encode_stuffing(MpegEncContext *s); void ff_mjpeg_encode_dc(MpegEncContext *s, int val, uint8_t *huff_size, uint16_t *huff_code); -void ff_mjpeg_encode_mb(MpegEncContext *s, int16_t block[6][64]); +void ff_mjpeg_encode_mb(MpegEncContext *s, int16_t block[12][64]); #endif /* AVCODEC_MJPEGENC_H */ From ed38ed3b629f4996370a0722e11f8972e719a59d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 202/492] avformat/mpegts: Remove redundant check Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit ff6fa0b4b980fc5b9f7653d7b159ae02c3d95210) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 0fc16d1c2d..f49c2c4049 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1268,7 +1268,7 @@ static void m4sl_cb(MpegTSFilter *filter, const uint8_t *section, int section_le AVStream *st; if (ts->pids[pid]->es_id != mp4_descr[i].es_id) continue; - if (!(ts->pids[pid] && ts->pids[pid]->type == MPEGTS_PES)) { + if (ts->pids[pid]->type != MPEGTS_PES) { av_log(s, AV_LOG_ERROR, "pid %x is not PES\n", pid); continue; } From 8162b69091b62bb11a9db194b804ff7fe5fc2bad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 203/492] avcodec/diracdec: fix undefined behavior with shifts Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit b8598f6ce61ccda3f2ff0c730b009fb650e42986) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 81d2b6509e..58266e8b65 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1343,8 +1343,8 @@ static int mc_subpel(DiracContext *s, DiracBlock *block, const uint8_t *src[5], motion_y >>= s->chroma_y_shift; } - mx = motion_x & ~(-1 << s->mv_precision); - my = motion_y & ~(-1 << s->mv_precision); + mx = motion_x & ~(-1U << s->mv_precision); + my = motion_y & ~(-1U << s->mv_precision); motion_x >>= s->mv_precision; motion_y >>= s->mv_precision; /* normalize subpel coordinates to epel */ From 66ca450fcb073207391ce3ce79a9bbf74067f398 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:55:13 +0200 Subject: [PATCH 204/492] avcodec/g723_1: add assert to help static code analyzers Signed-off-by: Michael Niedermayer (cherry picked from commit 1457f3fd90e17745791354fbb87899fc4803085a) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/g723_1.c b/libavcodec/g723_1.c index 6254c9a5b2..af65f7ce5a 100644 --- a/libavcodec/g723_1.c +++ b/libavcodec/g723_1.c @@ -2286,7 +2286,8 @@ static int pack_bitstream(G723_1_Context *p, unsigned char *frame, int size) if (p->cur_rate == RATE_6300) { info_bits = 0; put_bits(&pb, 2, info_bits); - } + }else + av_assert0(0); put_bits(&pb, 8, p->lsp_index[2]); put_bits(&pb, 8, p->lsp_index[1]); From 98805cbac5a45538b5b3fe2473bfe74f22f2d08c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 205/492] avfilter/f_select: fix loss of precission in SAD calculation Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit 5a8ef3c66b762f265b05aa096105555f1d26879c) Signed-off-by: Michael Niedermayer --- libavfilter/f_select.c | 2 +- tests/ref/fate/filter-metadata-scenedetect | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavfilter/f_select.c b/libavfilter/f_select.c index 07a64f3139..4d32622754 100644 --- a/libavfilter/f_select.c +++ b/libavfilter/f_select.c @@ -279,7 +279,7 @@ static double get_scene_score(AVFilterContext *ctx, AVFrame *frame) p2 += 8 * linesize; } emms_c(); - mafd = nb_sad ? sad / nb_sad : 0; + mafd = nb_sad ? (double)sad / nb_sad : 0; diff = fabs(mafd - select->prev_mafd); ret = av_clipf(FFMIN(mafd, diff) / 100., 0, 1); select->prev_mafd = mafd; diff --git a/tests/ref/fate/filter-metadata-scenedetect b/tests/ref/fate/filter-metadata-scenedetect index 67251dfe60..495101352f 100644 --- a/tests/ref/fate/filter-metadata-scenedetect +++ b/tests/ref/fate/filter-metadata-scenedetect @@ -1,10 +1,10 @@ pkt_pts=1620|tag:lavfi.scene_score=1.000000 -pkt_pts=4140|tag:lavfi.scene_score=0.880000 +pkt_pts=4140|tag:lavfi.scene_score=0.876620 pkt_pts=5800|tag:lavfi.scene_score=1.000000 -pkt_pts=6720|tag:lavfi.scene_score=0.460000 +pkt_pts=6720|tag:lavfi.scene_score=0.463258 pkt_pts=8160|tag:lavfi.scene_score=1.000000 pkt_pts=9760|tag:lavfi.scene_score=1.000000 -pkt_pts=14080|tag:lavfi.scene_score=0.840000 +pkt_pts=14080|tag:lavfi.scene_score=0.842022 pkt_pts=15700|tag:lavfi.scene_score=1.000000 -pkt_pts=18500|tag:lavfi.scene_score=0.470000 +pkt_pts=18500|tag:lavfi.scene_score=0.471341 pkt_pts=21760|tag:lavfi.scene_score=1.000000 From 6882a04706b95b8e8ce0128fd7fac710ab50734f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 206/492] avfilter/vf_deshake: fix loss of precission with odd resolutions Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit 73734282e0e4df92269984ee1671424e39249481) Signed-off-by: Michael Niedermayer --- libavfilter/vf_deshake.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_deshake.c b/libavfilter/vf_deshake.c index 4729c7e30a..b816c2c3bd 100644 --- a/libavfilter/vf_deshake.c +++ b/libavfilter/vf_deshake.c @@ -306,8 +306,8 @@ static void find_motion(DeshakeContext *deshake, uint8_t *src1, uint8_t *src2, //av_log(NULL, AV_LOG_ERROR, "\n"); } - p_x = (center_x - width / 2); - p_y = (center_y - height / 2); + p_x = (center_x - width / 2.0); + p_y = (center_y - height / 2.0); t->vector.x += (cos(t->angle)-1)*p_x - sin(t->angle)*p_y; t->vector.y += sin(t->angle)*p_x + (cos(t->angle)-1)*p_y; From 4d9aad95b517057c0c341fd705f7b571def0fa4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 207/492] iavcodec/vc1dec: Fix missing {} Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit cb53beb81a5b9192c79de401f1e1e13fadddc429) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 3 ++- tests/ref/fate/vc1_sa10143 | 28 ++++++++++++++-------------- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 88f3ca25da..941a5a66f3 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1909,9 +1909,10 @@ static void vc1_interp_mc(VC1Context *v) uvmx = (mx + ((mx & 3) == 3)) >> 1; uvmy = (my + ((my & 3) == 3)) >> 1; if (v->field_mode) { - if (v->cur_field_type != v->ref_field_type[1]) + if (v->cur_field_type != v->ref_field_type[1]) { my = my - 2 + 4 * v->cur_field_type; uvmy = uvmy - 2 + 4 * v->cur_field_type; + } } if (v->fastuvmc) { uvmx = uvmx + ((uvmx < 0) ? -(uvmx & 1) : (uvmx & 1)); diff --git a/tests/ref/fate/vc1_sa10143 b/tests/ref/fate/vc1_sa10143 index 6a5137f712..c0ecc3bb9d 100644 --- a/tests/ref/fate/vc1_sa10143 +++ b/tests/ref/fate/vc1_sa10143 @@ -1,31 +1,31 @@ #tb 0: 1/25 0, 0, 0, 1, 518400, 0x89407f55 -0, 2, 2, 1, 518400, 0x8611849c +0, 2, 2, 1, 518400, 0xaa896afd 0, 3, 3, 1, 518400, 0x0e69ff59 -0, 4, 4, 1, 518400, 0xf31adb03 +0, 4, 4, 1, 518400, 0x0c30bfa0 0, 5, 5, 1, 518400, 0x1a5b6a69 -0, 6, 6, 1, 518400, 0x6ae6232e +0, 6, 6, 1, 518400, 0x23470858 0, 7, 7, 1, 518400, 0x9a4e3c54 -0, 8, 8, 1, 518400, 0xe5852b45 +0, 8, 8, 1, 518400, 0xad63160b 0, 9, 9, 1, 518400, 0x0fcfeebc -0, 10, 10, 1, 518400, 0x06e22dc3 +0, 10, 10, 1, 518400, 0x20b31777 0, 11, 11, 1, 518400, 0x9d79df09 -0, 12, 12, 1, 518400, 0xcb2c716f +0, 12, 12, 1, 518400, 0x3e86766f 0, 13, 13, 1, 518400, 0x638a8746 -0, 14, 14, 1, 518400, 0xf7032efd +0, 14, 14, 1, 518400, 0x7a6c1a0e 0, 15, 15, 1, 518400, 0x306f6cef -0, 16, 16, 1, 518400, 0xe83d2518 +0, 16, 16, 1, 518400, 0x81f81281 0, 17, 17, 1, 518400, 0x49ab5bf5 -0, 18, 18, 1, 518400, 0x6b336b6f +0, 18, 18, 1, 518400, 0x8f316e44 0, 19, 19, 1, 518400, 0x95ae00c9 -0, 20, 20, 1, 518400, 0x68ddb64f +0, 20, 20, 1, 518400, 0xf71bb7f5 0, 21, 21, 1, 518400, 0x5205ea68 -0, 22, 22, 1, 518400, 0xb088e617 +0, 22, 22, 1, 518400, 0x74a1d8b9 0, 23, 23, 1, 518400, 0xa3217616 -0, 24, 24, 1, 518400, 0x1723bc53 +0, 24, 24, 1, 518400, 0x2b28bbf8 0, 25, 25, 1, 518400, 0xf024872a -0, 26, 26, 1, 518400, 0x2e81a8bb +0, 26, 26, 1, 518400, 0x2fdbaaf3 0, 27, 27, 1, 518400, 0xa3a2418e -0, 28, 28, 1, 518400, 0xb7beffed +0, 28, 28, 1, 518400, 0x55bfe435 0, 29, 29, 1, 518400, 0x50fb6c94 0, 30, 30, 1, 518400, 0x5584bb40 From eaa6d791054581ba15fff316ab52703f23b36817 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Apr 2014 11:33:17 +0200 Subject: [PATCH 208/492] avfilter/filtfmts: Support dynamically allocated in/outputs Fixes crash Fixes Ticket3468 Signed-off-by: Michael Niedermayer (cherry picked from commit 59c7615d58b5b7ea9caff2c8c774677973eb4f1c) Signed-off-by: Michael Niedermayer --- libavfilter/filtfmts.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavfilter/filtfmts.c b/libavfilter/filtfmts.c index 93150d3c9d..5413e74891 100644 --- a/libavfilter/filtfmts.c +++ b/libavfilter/filtfmts.c @@ -38,7 +38,7 @@ static void print_formats(AVFilterContext *filter_ctx) for (j = 0; j < fmts->nb_formats; j++) \ if(av_get_pix_fmt_name(fmts->formats[j])) \ printf(#INOUT "PUT[%d] %s: fmt:%s\n", \ - i, filter_ctx->filter->inout##puts[i].name, \ + i, filter_ctx->inout##put_pads[i].name, \ av_get_pix_fmt_name(fmts->formats[j])); \ } else if (filter_ctx->inout##puts[i]->type == AVMEDIA_TYPE_AUDIO) { \ AVFilterFormats *fmts; \ @@ -47,7 +47,7 @@ static void print_formats(AVFilterContext *filter_ctx) fmts = filter_ctx->inout##puts[i]->outin##_formats; \ for (j = 0; j < fmts->nb_formats; j++) \ printf(#INOUT "PUT[%d] %s: fmt:%s\n", \ - i, filter_ctx->filter->inout##puts[i].name, \ + i, filter_ctx->inout##put_pads[i].name, \ av_get_sample_fmt_name(fmts->formats[j])); \ \ layouts = filter_ctx->inout##puts[i]->outin##_channel_layouts; \ @@ -56,7 +56,7 @@ static void print_formats(AVFilterContext *filter_ctx) av_get_channel_layout_string(buf, sizeof(buf), -1, \ layouts->channel_layouts[j]); \ printf(#INOUT "PUT[%d] %s: chlayout:%s\n", \ - i, filter_ctx->filter->inout##puts[i].name, buf); \ + i, filter_ctx->inout##put_pads[i].name, buf); \ } \ } \ } \ @@ -106,12 +106,12 @@ int main(int argc, char **argv) /* create a link for each of the input pads */ for (i = 0; i < filter_ctx->input_count; i++) { AVFilterLink *link = av_mallocz(sizeof(AVFilterLink)); - link->type = filter_ctx->filter->inputs[i].type; + link->type = filter_ctx->input_pads[i].type; filter_ctx->inputs[i] = link; } for (i = 0; i < filter_ctx->output_count; i++) { AVFilterLink *link = av_mallocz(sizeof(AVFilterLink)); - link->type = filter_ctx->filter->outputs[i].type; + link->type = filter_ctx->output_pads[i].type; filter_ctx->outputs[i] = link; } From d3bcc9cfa9fc439adef6c5edb9b78e50a246486a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Apr 2014 06:04:50 +0200 Subject: [PATCH 209/492] avformat/mux: Check for and remove invalid packet durations Fixes assertion failure Fixes Ticket3575 Signed-off-by: Michael Niedermayer (cherry picked from commit dc6a17cf74a90e41d70ea1753cdb70c0a5b2ced8) Signed-off-by: Michael Niedermayer --- libavformat/mux.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mux.c b/libavformat/mux.c index 82b5a8e2a4..806e2bf57a 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -420,6 +420,12 @@ static int compute_pkt_fields2(AVFormatContext *s, AVStream *st, AVPacket *pkt) av_dlog(s, "compute_pkt_fields2: pts:%s dts:%s cur_dts:%s b:%d size:%d st:%d\n", av_ts2str(pkt->pts), av_ts2str(pkt->dts), av_ts2str(st->cur_dts), delay, pkt->size, pkt->stream_index); + if (pkt->duration < 0 && st->codec->codec_type != AVMEDIA_TYPE_SUBTITLE) { + av_log(s, AV_LOG_WARNING, "Packet with invalid duration %d in stream %d\n", + pkt->duration, pkt->stream_index); + pkt->duration = 0; + } + /* duration field */ if (pkt->duration == 0) { ff_compute_frame_duration(&num, &den, st, NULL, pkt); From ee282be99b9db9a8ed9f4f718cbe5595048036b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Apr 2014 21:47:48 +0200 Subject: [PATCH 210/492] avformat/h263dec: Fix h263 probe The code was missing 1 bit in the src format Signed-off-by: Michael Niedermayer (cherry picked from commit fc145e576a443bfc89efdf35b91fd3c9ca0d8388) Signed-off-by: Michael Niedermayer --- libavformat/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/h263dec.c b/libavformat/h263dec.c index e6e0345b69..19ed6a94ca 100644 --- a/libavformat/h263dec.c +++ b/libavformat/h263dec.c @@ -35,7 +35,7 @@ static int h263_probe(AVProbeData *p) for(i=0; ibuf_size; i++){ code = (code<<8) + p->buf[i]; if ((code & 0xfffffc0000) == 0x800000) { - src_fmt= (code>>2)&3; + src_fmt= (code>>2)&7; if( src_fmt != last_src_fmt && last_src_fmt>0 && last_src_fmt<6 && src_fmt<6) From 0be9a2e9d9bb21c867cc0beb4dbd17a4853d8dfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Apr 2014 01:25:46 +0200 Subject: [PATCH 211/492] swresample: fix AV_CH_LAYOUT_STEREO_DOWNMIX input Fixes Ticket 3542 Signed-off-by: Michael Niedermayer (cherry picked from commit 291d464161a5bf3b566bc147f83e4242b0c18d74) Signed-off-by: Michael Niedermayer --- libswresample/rematrix.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 44ad792787..13b794f845 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -126,6 +126,11 @@ av_cold static int auto_matrix(SwrContext *s) ) out_ch_layout = AV_CH_LAYOUT_STEREO; + if( in_ch_layout == AV_CH_LAYOUT_STEREO_DOWNMIX + && (out_ch_layout & AV_CH_LAYOUT_STEREO_DOWNMIX) == 0 + ) + in_ch_layout = AV_CH_LAYOUT_STEREO; + if(!sane_layout(in_ch_layout)){ av_get_channel_layout_string(buf, sizeof(buf), -1, s->in_ch_layout); av_log(s, AV_LOG_ERROR, "Input channel layout '%s' is not supported\n", buf); From db33fb1c4866459fd3b48c844ea691b5118d63af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Apr 2014 03:45:12 +0200 Subject: [PATCH 212/492] ffmpeg_filter: fix pointer to local outside scope Fixes CID1206652 Signed-off-by: Michael Niedermayer (cherry picked from commit 09b16619d33ddf93005060d0782f28a1c1cbb7f6) Signed-off-by: Michael Niedermayer --- ffmpeg_filter.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/ffmpeg_filter.c b/ffmpeg_filter.c index 7d264c0e92..263d5d38ec 100644 --- a/ffmpeg_filter.c +++ b/ffmpeg_filter.c @@ -42,12 +42,15 @@ enum AVPixelFormat choose_pixel_fmt(AVStream *st, AVCodec *codec, enum AVPixelFo const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(target); int has_alpha = desc ? desc->nb_components % 2 == 0 : 0; enum AVPixelFormat best= AV_PIX_FMT_NONE; + const enum AVPixelFormat mjpeg_formats[] = { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE }; + const enum AVPixelFormat ljpeg_formats[] = { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P, + AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE }; + if (st->codec->strict_std_compliance <= FF_COMPLIANCE_UNOFFICIAL) { if (st->codec->codec_id == AV_CODEC_ID_MJPEG) { - p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE }; + p = mjpeg_formats; } else if (st->codec->codec_id == AV_CODEC_ID_LJPEG) { - p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P, - AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE }; + p =ljpeg_formats; } } for (; *p != AV_PIX_FMT_NONE; p++) { From d9d66d2d16fab53457fc374280ca00f24345c34d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Apr 2014 05:32:56 +0200 Subject: [PATCH 213/492] avcodec/mjpegdec: Fix undefined shift Fixes CID1194388 Signed-off-by: Michael Niedermayer (cherry picked from commit b4329605289e25bb071ec1c1182bf25fc83b09aa) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 03cd065810..6a61315efc 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1151,7 +1151,7 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, } if (!Al) { - s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss); + s->coefs_finished[c] |= (2LL << se) - (1LL << ss); last_scan = !~s->coefs_finished[c]; } From 99d4d3532fac0c3b6289ea207bdb3238b70540a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Apr 2014 04:01:50 +0200 Subject: [PATCH 214/492] avfilter/graphdump: Fix pointer to local outside scope Fixes CID1194435 Signed-off-by: Michael Niedermayer (cherry picked from commit 18af0ce62da322176f7bd283b85314d2f41bee2c) Signed-off-by: Michael Niedermayer --- libavfilter/graphdump.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/graphdump.c b/libavfilter/graphdump.c index 756f63dc49..ba74cccdc5 100644 --- a/libavfilter/graphdump.c +++ b/libavfilter/graphdump.c @@ -31,9 +31,10 @@ static int print_link_prop(AVBPrint *buf, AVFilterLink *link) { char *format; char layout[64]; + AVBPrint dummy_buffer = { 0 }; if (!buf) - buf = &(AVBPrint){ 0 }; /* dummy buffer */ + buf = &dummy_buffer; switch (link->type) { case AVMEDIA_TYPE_VIDEO: format = av_x_if_null(av_get_pix_fmt_name(link->format), "?"); From 0e18480fc3b3e27a1bed8535479f7550db2dbd5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Apr 2014 06:21:58 +0200 Subject: [PATCH 215/492] sws: dont use the optimized 410->420 unscaled conversion when height%4 Fixes Ticket3594 Signed-off-by: Michael Niedermayer (cherry picked from commit 421b21ca8a02a346ba03cea3bb2ecc33f791fc30) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 3b07800d02..b3c84c6451 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -1184,7 +1184,7 @@ void ff_get_unscaled_swscale(SwsContext *c) c->swScale = ff_yuv2rgb_get_func_ptr(c); } - if (srcFormat == AV_PIX_FMT_YUV410P && + if (srcFormat == AV_PIX_FMT_YUV410P && !(dstH & 3) && (dstFormat == AV_PIX_FMT_YUV420P || dstFormat == AV_PIX_FMT_YUVA420P) && !(flags & SWS_BITEXACT)) { c->swScale = yvu9ToYv12Wrapper; From 62b9c99aec0f641e289e347d917b7b474d21fa5b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 May 2014 06:19:23 +0200 Subject: [PATCH 216/492] avcodec/diracdec: move mc buffer allocation to per frame Fixes out of array accesses for non default buffers with large strides Signed-off-by: Michael Niedermayer (cherry picked from commit 4a30f08505a4e85718896ff233c97be41a9754ca) (cherry picked from commit 9c9fc79d9237d28e33161cb2e75082d8ad232b2e) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 47 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 58266e8b65..5653c86937 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -201,6 +201,7 @@ typedef struct DiracContext { uint16_t *mctmp; /* buffer holding the MC data multipled by OBMC weights */ uint8_t *mcscratch; + int buffer_stride; DECLARE_ALIGNED(16, uint8_t, obmc_weight)[3][MAX_BLOCKSIZE*MAX_BLOCKSIZE]; @@ -343,22 +344,44 @@ static int alloc_sequence_buffers(DiracContext *s) return AVERROR(ENOMEM); } - w = s->source.width; - h = s->source.height; - /* fixme: allocate using real stride here */ - s->sbsplit = av_malloc(sbwidth * sbheight); - s->blmotion = av_malloc(sbwidth * sbheight * 16 * sizeof(*s->blmotion)); - s->edge_emu_buffer_base = av_malloc((w+64)*MAX_BLOCKSIZE); + s->sbsplit = av_malloc_array(sbwidth, sbheight); + s->blmotion = av_malloc_array(sbwidth, sbheight * 16 * sizeof(*s->blmotion)); - s->mctmp = av_malloc((w+64+MAX_BLOCKSIZE) * (h+MAX_BLOCKSIZE) * sizeof(*s->mctmp)); - s->mcscratch = av_malloc((w+64)*MAX_BLOCKSIZE); - - if (!s->sbsplit || !s->blmotion || !s->mctmp || !s->mcscratch) + if (!s->sbsplit || !s->blmotion) return AVERROR(ENOMEM); return 0; } +static int alloc_buffers(DiracContext *s, int stride) +{ + int w = s->source.width; + int h = s->source.height; + + av_assert0(stride >= w); + stride += 64; + + if (s->buffer_stride >= stride) + return 0; + s->buffer_stride = 0; + + av_freep(&s->edge_emu_buffer_base); + memset(s->edge_emu_buffer, 0, sizeof(s->edge_emu_buffer)); + av_freep(&s->mctmp); + av_freep(&s->mcscratch); + + s->edge_emu_buffer_base = av_malloc_array(stride, MAX_BLOCKSIZE); + + s->mctmp = av_malloc_array((stride+MAX_BLOCKSIZE), (h+MAX_BLOCKSIZE) * sizeof(*s->mctmp)); + s->mcscratch = av_malloc_array(stride, MAX_BLOCKSIZE); + + if (!s->edge_emu_buffer_base || !s->mctmp || !s->mcscratch) + return AVERROR(ENOMEM); + + s->buffer_stride = stride; + return 0; +} + static void free_sequence_buffers(DiracContext *s) { int i, j, k; @@ -382,6 +405,7 @@ static void free_sequence_buffers(DiracContext *s) av_freep(&s->plane[i].idwt_tmp); } + s->buffer_stride = 0; av_freep(&s->sbsplit); av_freep(&s->blmotion); av_freep(&s->edge_emu_buffer_base); @@ -1818,6 +1842,9 @@ static int dirac_decode_data_unit(AVCodecContext *avctx, const uint8_t *buf, int s->plane[1].stride = pic->avframe.linesize[1]; s->plane[2].stride = pic->avframe.linesize[2]; + if (alloc_buffers(s, FFMAX3(FFABS(s->plane[0].stride), FFABS(s->plane[1].stride), FFABS(s->plane[2].stride))) < 0) + return AVERROR(ENOMEM); + /* [DIRAC_STD] 11.1 Picture parse. picture_parse() */ if (dirac_decode_picture_header(s)) return -1; From 332777970c8b430cd29cb945855c4cc3f20946ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 May 2014 05:23:52 +0200 Subject: [PATCH 217/492] avutil/cpu: force mmx on selection of higher x86 SIMD features Fixes various runtime failures with manually set flags that represent no existing CPU Fixes Ticket3653 Signed-off-by: Michael Niedermayer (cherry picked from commit 6310eb8010b7a3b3016e297132380cbd4e3d2d10) Signed-off-by: Michael Niedermayer --- libavutil/cpu.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/libavutil/cpu.c b/libavutil/cpu.c index cdea209d8d..55e8b4e900 100644 --- a/libavutil/cpu.c +++ b/libavutil/cpu.c @@ -45,6 +45,24 @@ static int flags, checked; void av_force_cpu_flags(int arg){ + if ( (arg & ( AV_CPU_FLAG_3DNOW | + AV_CPU_FLAG_3DNOWEXT | + AV_CPU_FLAG_SSE | + AV_CPU_FLAG_SSE2 | + AV_CPU_FLAG_SSE2SLOW | + AV_CPU_FLAG_SSE3 | + AV_CPU_FLAG_SSE3SLOW | + AV_CPU_FLAG_SSSE3 | + AV_CPU_FLAG_SSE4 | + AV_CPU_FLAG_SSE42 | + AV_CPU_FLAG_AVX | + AV_CPU_FLAG_XOP | + AV_CPU_FLAG_FMA4 )) + && !(arg & AV_CPU_FLAG_MMX)) { + av_log(NULL, AV_LOG_WARNING, "MMX implied by specified flags\n"); + arg |= AV_CPU_FLAG_MMX; + } + flags = arg; checked = arg != -1; } From bdd2f7c7a7610e09c203b9eefcf1b06b7fc1633f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 May 2014 03:02:06 +0200 Subject: [PATCH 218/492] avcodec/libvorbisenc: dont add the duration to AV_NOPTS_VALUE Signed-off-by: Michael Niedermayer (cherry picked from commit 19e66c7232d96e4ae8f05b52da2b84dfaa4e4da3) Signed-off-by: Michael Niedermayer --- libavcodec/libvorbisenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/libvorbisenc.c b/libavcodec/libvorbisenc.c index d7fded813f..d37a254f1e 100644 --- a/libavcodec/libvorbisenc.c +++ b/libavcodec/libvorbisenc.c @@ -351,7 +351,8 @@ static int oggvorbis_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, avctx->delay = duration; av_assert0(!s->afq.remaining_delay); s->afq.frames->duration += duration; - s->afq.frames->pts -= duration; + if (s->afq.frames->pts != AV_NOPTS_VALUE) + s->afq.frames->pts -= duration; s->afq.remaining_samples += duration; } ff_af_queue_remove(&s->afq, duration, &avpkt->pts, &avpkt->duration); From 2f1f4070446e5407f562b2a3b8b675efae37e944 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 May 2014 03:19:47 +0200 Subject: [PATCH 219/492] avcodec/aac: fix () in IS_CODEBOOK_UNSIGNED macro Signed-off-by: Michael Niedermayer (cherry picked from commit fa915d4193e13187773c500b80c7df6baeb22c3b) Signed-off-by: Michael Niedermayer --- libavcodec/aac.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aac.h b/libavcodec/aac.h index d586e271da..e24351eee0 100644 --- a/libavcodec/aac.h +++ b/libavcodec/aac.h @@ -81,7 +81,7 @@ enum BandType { INTENSITY_BT = 15, ///< Scalefactor data are intensity stereo positions. }; -#define IS_CODEBOOK_UNSIGNED(x) ((x - 1) & 10) +#define IS_CODEBOOK_UNSIGNED(x) (((x) - 1) & 10) enum ChannelPosition { AAC_CHANNEL_OFF = 0, From db6f3be9418c0a4efaf4262b931e92cda41d37ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 May 2014 03:27:56 +0200 Subject: [PATCH 220/492] avcodec/golomb-test: fix () in EXTEND() macro Signed-off-by: Michael Niedermayer (cherry picked from commit 97e6b5ee3a16fee7d130f19f4dcee030f14d91cf) Signed-off-by: Michael Niedermayer --- libavcodec/golomb-test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/golomb-test.c b/libavcodec/golomb-test.c index 8adcdf63d8..2dfe917144 100644 --- a/libavcodec/golomb-test.c +++ b/libavcodec/golomb-test.c @@ -58,7 +58,7 @@ int main(void) } } -#define EXTEND(i) (i << 3 | i & 7) +#define EXTEND(i) ((i) << 3 | (i) & 7) init_put_bits(&pb, temp, SIZE); for (i = 0; i < COUNT; i++) set_ue_golomb(&pb, EXTEND(i)); From a83304814c28dd66f662fcaaad75050facd96a93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 May 2014 03:30:13 +0200 Subject: [PATCH 221/492] avcodec/h264: fix () in macros Signed-off-by: Michael Niedermayer (cherry picked from commit af62b42736c00332d39965168b5cc966a06f07d6) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index ed07ad6778..5ea00bef9d 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -61,10 +61,10 @@ #define MAX_SLICES 16 #ifdef ALLOW_INTERLACE -#define MB_MBAFF(h) h->mb_mbaff -#define MB_FIELD(h) h->mb_field_decoding_flag -#define FRAME_MBAFF(h) h->mb_aff_frame -#define FIELD_PICTURE(h) (h->picture_structure != PICT_FRAME) +#define MB_MBAFF(h) (h)->mb_mbaff +#define MB_FIELD(h) (h)->mb_field_decoding_flag +#define FRAME_MBAFF(h) (h)->mb_aff_frame +#define FIELD_PICTURE(h) ((h)->picture_structure != PICT_FRAME) #define LEFT_MBS 2 #define LTOP 0 #define LBOT 1 @@ -84,12 +84,12 @@ #define FIELD_OR_MBAFF_PICTURE(h) (FRAME_MBAFF(h) || FIELD_PICTURE(h)) #ifndef CABAC -#define CABAC(h) h->pps.cabac +#define CABAC(h) (h)->pps.cabac #endif -#define CHROMA(h) (h->sps.chroma_format_idc) -#define CHROMA422(h) (h->sps.chroma_format_idc == 2) -#define CHROMA444(h) (h->sps.chroma_format_idc == 3) +#define CHROMA(h) ((h)->sps.chroma_format_idc) +#define CHROMA422(h) ((h)->sps.chroma_format_idc == 2) +#define CHROMA444(h) ((h)->sps.chroma_format_idc == 3) #define EXTENDED_SAR 255 From 4965da92eff9539df1393920fc6728dd4aa37b78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 May 2014 03:39:08 +0200 Subject: [PATCH 222/492] avcodec/ivi_dsp: add some missing () to macros Signed-off-by: Michael Niedermayer (cherry picked from commit f276bf303cbb7a8fed3c388135007bc29f45f8d5) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index f5e5e6b52e..9537cb0376 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -235,15 +235,15 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst, /** butterfly operation for the inverse Haar transform */ #define IVI_HAAR_BFLY(s1, s2, o1, o2, t) \ - t = (s1 - s2) >> 1;\ - o1 = (s1 + s2) >> 1;\ - o2 = t;\ + t = ((s1) - (s2)) >> 1;\ + o1 = ((s1) + (s2)) >> 1;\ + o2 = (t);\ /** inverse 8-point Haar transform */ #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\ d1, d2, d3, d4, d5, d6, d7, d8,\ t0, t1, t2, t3, t4, t5, t6, t7, t8) {\ - t1 = s1 << 1; t5 = s5 << 1;\ + t1 = (s1) << 1; t5 = (s5) << 1;\ IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\ IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\ IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\ @@ -485,21 +485,21 @@ void ff_ivi_dc_haar_2d(const int32_t *in, int16_t *out, uint32_t pitch, /** butterfly operation for the inverse slant transform */ #define IVI_SLANT_BFLY(s1, s2, o1, o2, t) \ - t = s1 - s2;\ - o1 = s1 + s2;\ - o2 = t;\ + t = (s1) - (s2);\ + o1 = (s1) + (s2);\ + o2 = (t);\ /** This is a reflection a,b = 1/2, 5/4 for the inverse slant transform */ #define IVI_IREFLECT(s1, s2, o1, o2, t) \ - t = ((s1 + s2*2 + 2) >> 2) + s1;\ - o2 = ((s1*2 - s2 + 2) >> 2) - s2;\ - o1 = t;\ + t = (((s1) + (s2)*2 + 2) >> 2) + (s1);\ + o2 = (((s1)*2 - (s2) + 2) >> 2) - (s2);\ + o1 = (t);\ /** This is a reflection a,b = 1/2, 7/8 for the inverse slant transform */ #define IVI_SLANT_PART4(s1, s2, o1, o2, t) \ - t = s2 + ((s1*4 - s2 + 4) >> 3);\ - o2 = s1 + ((-s1 - s2*4 + 4) >> 3);\ - o1 = t;\ + t = (s2) + (((s1)*4 - (s2) + 4) >> 3);\ + o2 = (s1) + ((-(s1) - (s2)*4 + 4) >> 3);\ + o1 = (t);\ /** inverse slant8 transform */ #define IVI_INV_SLANT8(s1, s4, s8, s5, s2, s6, s3, s7,\ @@ -557,7 +557,7 @@ void ff_ivi_inverse_slant_8x8(const int32_t *in, int16_t *out, uint32_t pitch, c } #undef COMPENSATE -#define COMPENSATE(x) ((x + 1)>>1) +#define COMPENSATE(x) (((x) + 1)>>1) src = tmp; for (i = 0; i < 8; i++) { if (!src[0] && !src[1] && !src[2] && !src[3] && !src[4] && !src[5] && !src[6] && !src[7]) { @@ -597,7 +597,7 @@ void ff_ivi_inverse_slant_4x4(const int32_t *in, int16_t *out, uint32_t pitch, c } #undef COMPENSATE -#define COMPENSATE(x) ((x + 1)>>1) +#define COMPENSATE(x) (((x) + 1)>>1) src = tmp; for (i = 0; i < 4; i++) { if (!src[0] && !src[1] && !src[2] && !src[3]) { @@ -631,7 +631,7 @@ void ff_ivi_row_slant8(const int32_t *in, int16_t *out, uint32_t pitch, const ui int i; int t0, t1, t2, t3, t4, t5, t6, t7, t8; -#define COMPENSATE(x) ((x + 1)>>1) +#define COMPENSATE(x) (((x) + 1)>>1) for (i = 0; i < 8; i++) { if (!in[0] && !in[1] && !in[2] && !in[3] && !in[4] && !in[5] && !in[6] && !in[7]) { memset(out, 0, 8*sizeof(out[0])); @@ -673,7 +673,7 @@ void ff_ivi_col_slant8(const int32_t *in, int16_t *out, uint32_t pitch, const ui row4 = pitch << 2; row8 = pitch << 3; -#define COMPENSATE(x) ((x + 1)>>1) +#define COMPENSATE(x) (((x) + 1)>>1) for (i = 0; i < 8; i++) { if (flags[i]) { IVI_INV_SLANT8(in[0], in[8], in[16], in[24], in[32], in[40], in[48], in[56], @@ -710,7 +710,7 @@ void ff_ivi_row_slant4(const int32_t *in, int16_t *out, uint32_t pitch, const ui int i; int t0, t1, t2, t3, t4; -#define COMPENSATE(x) ((x + 1)>>1) +#define COMPENSATE(x) (((x) + 1)>>1) for (i = 0; i < 4; i++) { if (!in[0] && !in[1] && !in[2] && !in[3]) { memset(out, 0, 4*sizeof(out[0])); @@ -732,7 +732,7 @@ void ff_ivi_col_slant4(const int32_t *in, int16_t *out, uint32_t pitch, const ui row2 = pitch << 1; -#define COMPENSATE(x) ((x + 1)>>1) +#define COMPENSATE(x) (((x) + 1)>>1) for (i = 0; i < 4; i++) { if (flags[i]) { IVI_INV_SLANT4(in[0], in[4], in[8], in[12], From a144d305dd6541f0c88381fece769651785c1c68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 May 2014 05:17:51 +0200 Subject: [PATCH 223/492] avcodec/mlpdec: fix () in MSB_MASK() macro Signed-off-by: Michael Niedermayer (cherry picked from commit fa160af08b6f42f17e93124aef86e3f6eec70d51) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index a4d53780f1..caf5f60338 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -815,7 +815,7 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp, return 0; } -#define MSB_MASK(bits) (-1u << bits) +#define MSB_MASK(bits) (-1u << (bits)) /** Generate PCM samples using the prediction filters and residual values * read from the data stream, and update the filter state. */ From 81a2740919aed28372ccecfad937c5dfb4b13b53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 May 2014 05:18:47 +0200 Subject: [PATCH 224/492] avcodec/mss34dsp: fix () in SOP* macros Signed-off-by: Michael Niedermayer (cherry picked from commit 6e720c5c815e510188a0bda654662383f2c48050) Signed-off-by: Michael Niedermayer --- libavcodec/mss34dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mss34dsp.c b/libavcodec/mss34dsp.c index e4d4299805..0397add17d 100644 --- a/libavcodec/mss34dsp.c +++ b/libavcodec/mss34dsp.c @@ -84,8 +84,8 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma) blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift; \ blk[7 * step] = (-(t1 + t6) + t9 + tB) >> shift; \ -#define SOP_ROW(a) ((a) << 16) + 0x2000 -#define SOP_COL(a) ((a + 32) << 16) +#define SOP_ROW(a) (((a) << 16) + 0x2000) +#define SOP_COL(a) (((a) + 32) << 16) void ff_mss34_dct_put(uint8_t *dst, int stride, int *block) { From 3c169251eec2f4786f54187867eb45277a9eeca4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 May 2014 05:19:09 +0200 Subject: [PATCH 225/492] avcodec/mss4: Fix () in MKVAL() macro Signed-off-by: Michael Niedermayer (cherry picked from commit cf7ff0146c76b93c32edf5230a28b9590acf5105) Signed-off-by: Michael Niedermayer --- libavcodec/mss4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mss4.c b/libavcodec/mss4.c index c518fda3ae..583dfabfd8 100644 --- a/libavcodec/mss4.c +++ b/libavcodec/mss4.c @@ -364,7 +364,7 @@ static int get_value_cached(GetBitContext *gb, int vec_pos, uint8_t *vec, return prev[component]; } -#define MKVAL(vals) (vals[0] | (vals[1] << 3) | (vals[2] << 6)) +#define MKVAL(vals) ((vals)[0] | ((vals)[1] << 3) | ((vals)[2] << 6)) /* Image mode - the hardest to comprehend MSS4 coding mode. * From 9fe7e450305ccd60b463f06b0ab5a90e63e4d55c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Jun 2014 23:21:15 +0200 Subject: [PATCH 226/492] avcodec/aic: fix quantization table permutation Fixes Ticket3700 Signed-off-by: Michael Niedermayer (cherry picked from commit 0a2004b6d11ff962361420c3150fe760cf1f7115) Signed-off-by: Michael Niedermayer --- libavcodec/aic.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index 70e9f3f103..de992003e3 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -150,6 +150,7 @@ typedef struct AICContext { int16_t *data_ptr[NUM_BANDS]; DECLARE_ALIGNED(16, int16_t, block)[64]; + DECLARE_ALIGNED(16, uint8_t, quant_matrix)[64]; } AICContext; static int aic_decode_header(AICContext *ctx, const uint8_t *src, int size) @@ -285,7 +286,7 @@ static void recombine_block_il(int16_t *dst, const uint8_t *scan, } } -static void unquant_block(int16_t *block, int q) +static void unquant_block(int16_t *block, int q, uint8_t *quant_matrix) { int i; @@ -293,7 +294,7 @@ static void unquant_block(int16_t *block, int q) int val = (uint16_t)block[i]; int sign = val & 1; - block[i] = (((val >> 1) ^ -sign) * q * aic_quant_matrix[i] >> 4) + block[i] = (((val >> 1) ^ -sign) * q * quant_matrix[i] >> 4) + sign; } } @@ -334,7 +335,7 @@ static int aic_decode_slice(AICContext *ctx, int mb_x, int mb_y, else recombine_block_il(ctx->block, ctx->scantable.permutated, &base_y, &ext_y, blk); - unquant_block(ctx->block, ctx->quant); + unquant_block(ctx->block, ctx->quant, ctx->quant_matrix); ctx->dsp.idct(ctx->block); if (!ctx->interlaced) { @@ -352,7 +353,7 @@ static int aic_decode_slice(AICContext *ctx, int mb_x, int mb_y, for (blk = 0; blk < 2; blk++) { recombine_block(ctx->block, ctx->scantable.permutated, &base_c, &ext_c); - unquant_block(ctx->block, ctx->quant); + unquant_block(ctx->block, ctx->quant, ctx->quant_matrix); ctx->dsp.idct(ctx->block); ctx->dsp.put_signed_pixels_clamped(ctx->block, C[blk], ctx->frame->linesize[blk + 1]); @@ -430,6 +431,8 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) for (i = 0; i < 64; i++) scan[i] = i; ff_init_scantable(ctx->dsp.idct_permutation, &ctx->scantable, scan); + for (i = 0; i < 64; i++) + ctx->quant_matrix[ctx->dsp.idct_permutation[i]] = aic_quant_matrix[i]; ctx->mb_width = FFALIGN(avctx->width, 16) >> 4; ctx->mb_height = FFALIGN(avctx->height, 16) >> 4; From a2b4e38729cacd9c4dce72609b9c93bf438f7d2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Jun 2014 12:03:31 +0200 Subject: [PATCH 227/492] avformat/flvenc: Do not allow creating h263/mpeg4 in flv without unofficial format extensions being enabled. Found-by: Jean-Baptiste Kempf Signed-off-by: Michael Niedermayer (cherry picked from commit 74760883fcb4443d105814ed246b3cf51d7e9dca) Signed-off-by: Michael Niedermayer --- libavformat/flvenc.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index b0f8a413a6..9d5522e9bc 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -223,6 +223,18 @@ static int flv_write_header(AVFormatContext *s) avcodec_get_name(enc->codec_id), i); return AVERROR(EINVAL); } + if (enc->codec_id == AV_CODEC_ID_MPEG4 || + enc->codec_id == AV_CODEC_ID_H263) { + int error = enc->strict_std_compliance > FF_COMPLIANCE_UNOFFICIAL; + av_log(s, error ? AV_LOG_ERROR : AV_LOG_WARNING, + "Codec %s is not supported in the official FLV specification,\n", avcodec_get_name(enc->codec_id)); + + if (error) { + av_log(s, AV_LOG_ERROR, + "use vstrict=-1 / -strict -1 to use it anyway.\n"); + return AVERROR(EINVAL); + } + } break; case AVMEDIA_TYPE_AUDIO: if (audio_enc) { From b94621ac6ba6ab12476c81218c88f43bd2f1d27b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jun 2014 14:30:30 +0200 Subject: [PATCH 228/492] avcodec/alsdec: Clear MPEG4AudioConfig so that no use of uninitialized memory is possible Signed-off-by: Michael Niedermayer (cherry picked from commit 6e6bd5481cf42a9765c492c77754d4633092cece) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e7aeb0c7f0..5e08295f2a 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -280,7 +280,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) GetBitContext gb; uint64_t ht_size; int i, config_offset; - MPEG4AudioConfig m4ac; + MPEG4AudioConfig m4ac = {0}; ALSSpecificConfig *sconf = &ctx->sconf; AVCodecContext *avctx = ctx->avctx; uint32_t als_id, header_size, trailer_size; From b93659db5bbe326cda0630883724117a23944f68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Jun 2014 05:17:34 +0200 Subject: [PATCH 229/492] avformat/cavsvideodec: Fix probing when the file extension is avs Signed-off-by: Michael Niedermayer (cherry picked from commit 52e563bb2f7897d615391520c3c4acba1ee7dcb4) Signed-off-by: Michael Niedermayer --- libavformat/cavsvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cavsvideodec.c b/libavformat/cavsvideodec.c index 5ca3c80b32..880f4ab534 100644 --- a/libavformat/cavsvideodec.c +++ b/libavformat/cavsvideodec.c @@ -61,7 +61,7 @@ static int cavsvideo_probe(AVProbeData *p) } } if(seq && seq*9<=pic*10) - return AVPROBE_SCORE_EXTENSION; + return AVPROBE_SCORE_EXTENSION+1; return 0; } From 01e2dd53a0672e21d715f664b1a8d2eeee2a4e5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Jun 2014 05:47:49 +0200 Subject: [PATCH 230/492] cavsdec: fix qp fixed slice handling Fixes Ticket3400 Signed-off-by: Michael Niedermayer (cherry picked from commit 0accf24b15ac5a01a67768f41c896ef4e4b8b4a2) Signed-off-by: Michael Niedermayer --- libavcodec/cavs.h | 1 + libavcodec/cavsdec.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/cavs.h b/libavcodec/cavs.h index b0cdb8f200..acb32fa422 100644 --- a/libavcodec/cavs.h +++ b/libavcodec/cavs.h @@ -214,6 +214,7 @@ typedef struct AVSContext { int luma_scan[4]; int qp; int qp_fixed; + int pic_qp_fixed; int cbp; ScanTable scantable; diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index ec4a819eab..0212a21655 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -900,7 +900,7 @@ static inline int decode_slice_header(AVSContext *h, GetBitContext *gb) /* mark top macroblocks as unavailable */ h->flags &= ~(B_AVAIL | C_AVAIL); - if ((h->mby == 0) && (!h->qp_fixed)) { + if (!h->pic_qp_fixed) { h->qp_fixed = get_bits1(gb); h->qp = get_bits(gb, 6); } @@ -1018,6 +1018,7 @@ static int decode_pic(AVSContext *h) skip_bits1(&h->gb); //advanced_pred_mode_disable skip_bits1(&h->gb); //top_field_first skip_bits1(&h->gb); //repeat_first_field + h->pic_qp_fixed = h->qp_fixed = get_bits1(&h->gb); h->qp = get_bits(&h->gb, 6); if (h->cur.f->pict_type == AV_PICTURE_TYPE_I) { From 1e9ae5dbbd676b53906d3340b5acaf0e77cb6d00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Jun 2014 00:49:02 +0200 Subject: [PATCH 231/492] avformat/mpc: attempt to allocate a packet that is not smaller than the data inside it Signed-off-by: Michael Niedermayer (cherry picked from commit 86a9370e2b91d67375e66a06d6eb573b5a017775) Signed-off-by: Michael Niedermayer --- libavformat/mpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc.c b/libavformat/mpc.c index b0f6f533e1..a46919ba36 100644 --- a/libavformat/mpc.c +++ b/libavformat/mpc.c @@ -153,7 +153,7 @@ static int mpc_read_packet(AVFormatContext *s, AVPacket *pkt) } c->curbits = (curbits + size2) & 0x1F; - if ((ret = av_new_packet(pkt, size)) < 0) + if ((ret = av_new_packet(pkt, size + 4)) < 0) return ret; pkt->data[0] = curbits; From 083d0b7b2d928185d7cadff7b4f558c8d8557939 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Jun 2014 03:15:28 +0200 Subject: [PATCH 232/492] avutil/lzo: Fix integer overflow Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list) Fixes: LMS-2014-06-16-4 Found-by: "Don A. Bailey" See: ccda51b14c0fcae2fad73a24872dce75a7964996 Signed-off-by: Michael Niedermayer (cherry picked from commit d6af26c55c1ea30f85a7d9edbc373f53be1743ee) Signed-off-by: Michael Niedermayer --- libavutil/lzo.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index 221a66b9ab..82dba94771 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -65,8 +65,13 @@ static inline int get_len(LZOContext *c, int x, int mask) { int cnt = x & mask; if (!cnt) { - while (!(x = get_byte(c))) + while (!(x = get_byte(c))) { + if (cnt >= INT_MAX - 1000) { + c->error |= AV_LZO_ERROR; + break; + } cnt += 255; + } cnt += mask + x; } return cnt; From 4a237657047b8c2404858417e79a5548fac7cbe8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Jun 2014 14:45:47 +0200 Subject: [PATCH 233/492] avutil/lzo: add asserts to be double sure against overflows These asserts cannot fail since d6af26c55c1ea30f85a7d9edbc373f53be1743ee Based-on: ccda51b14c0fcae2fad73a24872dce75a7964996 Signed-off-by: Michael Niedermayer (cherry picked from commit cf2b7c01f81c1fb3283a1390c0ca9a2f81f4f4a8) Signed-off-by: Michael Niedermayer --- libavutil/lzo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index 82dba94771..6104fc3085 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -22,6 +22,7 @@ #include #include "avutil.h" +#include "avassert.h" #include "common.h" #include "intreadwrite.h" #include "lzo.h" @@ -85,6 +86,7 @@ static inline void copy(LZOContext *c, int cnt) { register const uint8_t *src = c->in; register uint8_t *dst = c->out; + av_assert0(cnt >= 0); if (cnt > c->in_end - src) { cnt = FFMAX(c->in_end - src, 0); c->error |= AV_LZO_INPUT_DEPLETED; @@ -116,6 +118,7 @@ static inline void copy(LZOContext *c, int cnt) static inline void copy_backptr(LZOContext *c, int back, int cnt) { register uint8_t *dst = c->out; + av_assert0(cnt > 0); if (dst - c->out_start < back) { c->error |= AV_LZO_INVALID_BACKPTR; return; From 205e2264c3d5b1a16a4493b9281b9167d09c3505 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Jun 2014 17:08:42 +0200 Subject: [PATCH 234/492] update for FFmpeg 2.0.5 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 2165f8f9b6..e01025862f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.0.4 +2.0.5 diff --git a/VERSION b/VERSION index 2165f8f9b6..e01025862f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.0.4 +2.0.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 3aa4e80671..0fcf7b0195 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.0.4 +PROJECT_NUMBER = 2.0.5 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From dd72df9845d0687d03be6a5b830c8ed84edaa907 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Jul 2014 01:07:59 +0200 Subject: [PATCH 235/492] avformat/utils: do not wait for packets from discarded streams for genpts Fixes long loop Fixes Ticket3208 Signed-off-by: Michael Niedermayer (cherry picked from commit 8202c49b43621c04e26d4a3aa83a10e1e5cc1836) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a010f29cb9..3280a0d214 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1440,7 +1440,8 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) } /* read packet from packet buffer, if there is data */ - if (!(next_pkt->pts == AV_NOPTS_VALUE && + st = s->streams[next_pkt->stream_index]; + if (!(next_pkt->pts == AV_NOPTS_VALUE && st->discard < AVDISCARD_ALL && next_pkt->dts != AV_NOPTS_VALUE && !eof)) { ret = read_from_packet_buffer(&s->packet_buffer, &s->packet_buffer_end, pkt); From c2af6b500bcf5bf59380c404b77edeb0c6eb46a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jul 2014 21:03:43 +0200 Subject: [PATCH 236/492] avformat: add av_stream_get_parser() to access avformat AVParser The AVStream.parser field is considered private and its location cannot be preserved while preserving also ABI compatibility to libav, as libav added fields before it. Some tools like ffmpeg.c access this field though Signed-off-by: Michael Niedermayer (cherry picked from commit 62227a70f0a4c07d7ead5775d8bad64797f8ef80) Conflicts: RELEASE_NOTES doc/APIchanges libavformat/utils.c libavformat/version.h (cherry picked from commit a78e6363e9a7ef90bd1ff4aeceee8e5501cbc6d4) Conflicts: libavformat/utils.c --- libavformat/avformat.h | 1 + libavformat/utils.c | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 04fad94219..2adcae27d7 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -892,6 +892,7 @@ typedef struct AVStream { AVRational av_stream_get_r_frame_rate(const AVStream *s); void av_stream_set_r_frame_rate(AVStream *s, AVRational r); +struct AVCodecParserContext *av_stream_get_parser(const AVStream *s); #define AV_PROGRAM_RUNNING 1 diff --git a/libavformat/utils.c b/libavformat/utils.c index 3280a0d214..4cb0adfdfe 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -103,6 +103,11 @@ static int64_t wrap_timestamp(AVStream *st, int64_t timestamp) MAKE_ACCESSORS(AVStream, stream, AVRational, r_frame_rate) +struct AVCodecParserContext *av_stream_get_parser(const AVStream *st) +{ + return st->parser; +} + /* an arbitrarily chosen "sane" max packet size -- 50M */ #define SANE_CHUNK_SIZE (50000000) From 2428b02bb4beeb16873a85f492bb83969de30976 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jul 2014 21:06:58 +0200 Subject: [PATCH 237/492] ffmpeg: Use av_stream_get_parser() to avoid ABI issues Signed-off-by: Michael Niedermayer (cherry picked from commit 8bbadc9b6ec71abbd9dab854c47027b949997af0) Conflicts: ffmpeg.c (cherry picked from commit 8fae6207e30059611cdc788ad440b6831637f86f) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 2a9bafda79..2f18bc1b9b 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1452,7 +1452,7 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p && ost->st->codec->codec_id != AV_CODEC_ID_MPEG2VIDEO && ost->st->codec->codec_id != AV_CODEC_ID_VC1 ) { - if (av_parser_change(ist->st->parser, ost->st->codec, &opkt.data, &opkt.size, pkt->data, pkt->size, pkt->flags & AV_PKT_FLAG_KEY)) { + if (av_parser_change(av_stream_get_parser(ist->st), ost->st->codec, &opkt.data, &opkt.size, pkt->data, pkt->size, pkt->flags & AV_PKT_FLAG_KEY)) { opkt.buf = av_buffer_create(opkt.data, opkt.size, av_buffer_default_free, NULL, 0); if (!opkt.buf) exit_program(1); @@ -1852,7 +1852,7 @@ static int output_packet(InputStream *ist, const AVPacket *pkt) if (avpkt.duration) { duration = av_rescale_q(avpkt.duration, ist->st->time_base, AV_TIME_BASE_Q); } else if(ist->st->codec->time_base.num != 0 && ist->st->codec->time_base.den != 0) { - int ticks= ist->st->parser ? ist->st->parser->repeat_pict+1 : ist->st->codec->ticks_per_frame; + int ticks= av_stream_get_parser(ist->st) ? av_stream_get_parser(ist->st)->repeat_pict+1 : ist->st->codec->ticks_per_frame; duration = ((int64_t)AV_TIME_BASE * ist->st->codec->time_base.num * ticks) / ist->st->codec->time_base.den; @@ -1909,7 +1909,7 @@ static int output_packet(InputStream *ist, const AVPacket *pkt) } else if (pkt->duration) { ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q); } else if(ist->st->codec->time_base.num != 0) { - int ticks= ist->st->parser ? ist->st->parser->repeat_pict + 1 : ist->st->codec->ticks_per_frame; + int ticks= av_stream_get_parser(ist->st) ? av_stream_get_parser(ist->st)->repeat_pict + 1 : ist->st->codec->ticks_per_frame; ist->next_dts += ((int64_t)AV_TIME_BASE * ist->st->codec->time_base.num * ticks) / ist->st->codec->time_base.den; From 3d10235b83520532a586cf5e3066368b347268f5 Mon Sep 17 00:00:00 2001 From: Anshul Maheswhwari Date: Thu, 31 Jul 2014 20:59:59 +0530 Subject: [PATCH 238/492] v4l2enc: adding AVClass Signed-off-by: Michael Niedermayer (cherry picked from commit fcb11ec291e9b3e3f352fa4d3e9026c0f7f64aa8) Signed-off-by: Michael Niedermayer --- libavdevice/v4l2enc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavdevice/v4l2enc.c b/libavdevice/v4l2enc.c index 21f0ef6983..db4946581e 100644 --- a/libavdevice/v4l2enc.c +++ b/libavdevice/v4l2enc.c @@ -22,6 +22,7 @@ #include "avdevice.h" typedef struct { + AVClass *class; int fd; } V4L2Context; From 8d48223a329a511a4d845df967e98e26c9a5bf53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 00:27:23 +0200 Subject: [PATCH 239/492] avcodec/dvdsub_parser: never return 0 when the input isnt 0 Fixes a infinite loop Fixes Ticket3804 Signed-off-by: Michael Niedermayer (cherry picked from commit cfdb30d2f1241de9354a8efdbf8252d0f1a6f933) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index e50c3396e4..9a6457e8b4 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -46,7 +46,7 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_index == 0) { if (buf_size < 2) - return 0; + return buf_size; pc->packet_len = AV_RB16(buf); if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); From c7fac44ef83eedb3de0abad516c0c73de03092e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 01:15:37 +0200 Subject: [PATCH 240/492] avcodec/dvdsub_parser: Check buf_size before reading 32bit packet size Signed-off-by: Michael Niedermayer (cherry picked from commit 81c1657a593b1c0f8e46fca00ead1d30ee1cd418) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 9a6457e8b4..07ed4f72fc 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -45,8 +45,9 @@ static int dvdsub_parse(AVCodecParserContext *s, DVDSubParseContext *pc = s->priv_data; if (pc->packet_index == 0) { - if (buf_size < 2) + if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) { return buf_size; + } pc->packet_len = AV_RB16(buf); if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); From 65f581472c48bd9093c1df7f045db72df7006c3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 01:16:14 +0200 Subject: [PATCH 241/492] avcodec/dvdsub_parser: print message if packet is smaller than the packet size field Signed-off-by: Michael Niedermayer (cherry picked from commit bcc898dd2643c883522ffa565be4b226ce798c78) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 07ed4f72fc..32a945ed65 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -46,6 +46,8 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_index == 0) { if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) { + if (buf_size) + av_log(avctx, AV_LOG_DEBUG, "Parser input %d too small\n", buf_size); return buf_size; } pc->packet_len = AV_RB16(buf); From bcb10b99f4e86692b02e3ce38a89e21874b77dc9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 03:29:42 +0200 Subject: [PATCH 242/492] ffmpeg_opt: Use av_guess_codec() instead of AVOutputFormat->*codec Fixes part of ticket2236 Signed-off-by: Michael Niedermayer (cherry picked from commit 956f4087c6eb717e31f3b92fe03fd56a3747eccf) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 286f9736c5..8b2b83e5f3 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -1681,7 +1681,7 @@ static int open_output_file(OptionsContext *o, const char *filename) /* pick the "best" stream of each type */ /* video: highest resolution */ - if (!o->video_disable && oc->oformat->video_codec != AV_CODEC_ID_NONE) { + if (!o->video_disable && av_guess_codec(oc->oformat, NULL, filename, NULL, AVMEDIA_TYPE_VIDEO) != AV_CODEC_ID_NONE) { int area = 0, idx = -1; int qcr = avformat_query_codec(oc->oformat, oc->oformat->video_codec, 0); for (i = 0; i < nb_input_streams; i++) { @@ -1703,7 +1703,7 @@ static int open_output_file(OptionsContext *o, const char *filename) } /* audio: most channels */ - if (!o->audio_disable && oc->oformat->audio_codec != AV_CODEC_ID_NONE) { + if (!o->audio_disable && av_guess_codec(oc->oformat, NULL, filename, NULL, AVMEDIA_TYPE_AUDIO) != AV_CODEC_ID_NONE) { int channels = 0, idx = -1; for (i = 0; i < nb_input_streams; i++) { ist = input_streams[i]; From 04973b02c3aa6a0c3a2f013b6266ff68623fc425 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 22:30:03 +0200 Subject: [PATCH 243/492] avformat/tee: flip assigment direction Found-by: CSA Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 2e6fdcb7f3c86491408a3699f0aa9dc52b7c5686) Signed-off-by: Michael Niedermayer --- libavformat/tee.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tee.c b/libavformat/tee.c index 7b8b37176e..d1dab90bde 100644 --- a/libavformat/tee.c +++ b/libavformat/tee.c @@ -251,7 +251,7 @@ static int tee_write_packet(AVFormatContext *avf, AVPacket *pkt) if ((ret = av_copy_packet(&pkt2, pkt)) < 0 || (ret = av_dup_packet(&pkt2))< 0) if (!ret_all) { - ret = ret_all; + ret_all = ret; continue; } tb = avf ->streams[s]->time_base; From c56d6f3552a0cfeef54c8fd6108d92373f3aaa41 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Aug 2014 10:56:34 +0000 Subject: [PATCH 244/492] cdgraphics: do not return 0 from the decode function 0 means no data consumed, so it can trigger an infinite loop in the caller. CC:libav-stable@libav.org (cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index d29231758a..8fa505bdae 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -353,10 +353,9 @@ static int cdg_decode_frame(AVCodecContext *avctx, *got_frame = 1; } else { *got_frame = 0; - buf_size = 0; } - return buf_size; + return avpkt->size; } static av_cold int cdg_decode_end(AVCodecContext *avctx) From 656f930160db48e0b7b25069c62abc340e7f0628 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Aug 2014 21:59:33 +0200 Subject: [PATCH 245/492] avcodec/iff: check pixfmt for rgb8 / rgbn Fixes out of array access Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 3539d6c63a16e1b2874bb037a86f317449c58770) Conflicts: libavcodec/iff.c --- libavcodec/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 716a7314e2..b41ee6501d 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -829,9 +829,9 @@ static int decode_frame(AVCodecContext *avctx, break; case 4: bytestream2_init(&gb, buf, buf_size); - if (avctx->codec_tag == MKTAG('R','G','B','8')) + if (avctx->codec_tag == MKTAG('R','G','B','8') && avctx->pix_fmt == AV_PIX_FMT_RGB32) decode_rgb8(&gb, s->frame->data[0], avctx->width, avctx->height, s->frame->linesize[0]); - else if (avctx->codec_tag == MKTAG('R','G','B','N')) + else if (avctx->codec_tag == MKTAG('R','G','B','N') && avctx->pix_fmt == AV_PIX_FMT_RGB444) decode_rgbn(&gb, s->frame->data[0], avctx->width, avctx->height, s->frame->linesize[0]); else return unsupported(avctx); From b469fce85d8a0278ea489e6d333ae6b0513c9861 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Mon, 11 Aug 2014 22:06:07 +0000 Subject: [PATCH 246/492] proresenc_kostya: remove unneeded parameters Signed-off-by: Michael Niedermayer (cherry picked from commit bf10f09bccdcfdb41b9f5bbae01d55961bfd0693) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 92a5f3bd5f..d80280be1d 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -470,7 +470,6 @@ static void put_alpha_run(PutBitContext *pb, int run) // todo alpha quantisation for high quants static int encode_alpha_plane(ProresContext *ctx, PutBitContext *pb, - const uint16_t *src, int linesize, int mbs_per_slice, uint16_t *blocks, int quant) { @@ -565,7 +564,7 @@ static int encode_slice(AVCodecContext *avctx, const AVFrame *pic, get_alpha_data(ctx, src, linesize, xp, yp, pwidth, avctx->height / ctx->pictures_per_frame, ctx->blocks[0], mbs_per_slice, ctx->alpha_bits); - sizes[i] = encode_alpha_plane(ctx, pb, src, linesize, + sizes[i] = encode_alpha_plane(ctx, pb, mbs_per_slice, ctx->blocks[0], quant); } From 57a6cd8ab1c221cad1c2c49ff02216d752684651 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Mon, 11 Aug 2014 22:06:08 +0000 Subject: [PATCH 247/492] proresenc_kostya: report buffer overflow If the allocated size, despite best efforts, is too small, exit with the appropriate error. Signed-off-by: Michael Niedermayer (cherry picked from commit 52b81ff4635c077b2bc8b8d3637d933b6629d803) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index d80280be1d..a22efa40c5 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -569,6 +569,11 @@ static int encode_slice(AVCodecContext *avctx, const AVFrame *pic, quant); } total_size += sizes[i]; + if (put_bits_left(pb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Serious underevaluation of" + "required buffer size"); + return AVERROR_BUFFER_TOO_SMALL; + } } return total_size; } @@ -939,9 +944,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I; avctx->coded_frame->key_frame = 1; - pkt_size = ctx->frame_size_upper_bound + FF_MIN_BUFFER_SIZE; + pkt_size = ctx->frame_size_upper_bound; - if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size)) < 0) + if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size + FF_MIN_BUFFER_SIZE)) < 0) return ret; orig_buf = pkt->data; @@ -1018,7 +1023,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, slice_hdr = buf; buf += slice_hdr_size - 1; init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8); - encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); + ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); + if (ret < 0) + return ret; bytestream_put_byte(&slice_hdr, q); slice_size = slice_hdr_size + sizes[ctx->num_planes - 1]; From caf08defa69f13aef60bdbcee5b4cf4092d0aaa4 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Mon, 11 Aug 2014 19:43:27 +0200 Subject: [PATCH 248/492] proresenc_kostya: properly account for alpha The packet buffer allocation considered as dct-coded, while it is actually run-coded and thus requires a larger buffer. Signed-off-by: Michael Niedermayer (cherry picked from commit 117bc8e6ffc744fedcf77edf2fdb33c964b83370) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index a22efa40c5..ab434301b4 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -1193,8 +1193,6 @@ static av_cold int encode_init(AVCodecContext *avctx) ctx->bits_per_mb = ls * 8; if (ctx->chroma_factor == CFACTOR_Y444) ctx->bits_per_mb += ls * 4; - if (ctx->num_planes == 4) - ctx->bits_per_mb += ls * 4; } ctx->frame_size_upper_bound = ctx->pictures_per_frame * @@ -1203,6 +1201,14 @@ static av_cold int encode_init(AVCodecContext *avctx) (mps * ctx->bits_per_mb) / 8) + 200; + if (ctx->alpha_bits) { + // alpha plane is run-coded and might run over bit budget + ctx->frame_size_upper_bound += ctx->pictures_per_frame * + ctx->slices_per_picture * + /* num pixels per slice */ (ctx->mbs_per_slice * 256 * + /* bits per pixel */ (1 + ctx->alpha_bits + 1) + 7 >> 3); + } + avctx->codec_tag = ctx->profile_info->tag; av_log(avctx, AV_LOG_DEBUG, From 2958b8b86e3674b2be87abba92135b9a928e06f1 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Tue, 19 Aug 2014 12:26:47 +0000 Subject: [PATCH 249/492] wavpack: report if there is no bits left Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 11a39bdf534a4ead634b4a593c66ebf756910b9b) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 47f598a6fe..82c9b37312 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -411,6 +411,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, return sign ? ~ret : ret; error: + ret = get_bits_left(gb); + if (ret <= 0) { + av_log(ctx->avctx, AV_LOG_ERROR, "Too few bits (%d) left\n", ret); + } *last = 1; return 0; } From 9fc7de8d8030156cedeea0d894019fe6e3f20425 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Aug 2014 01:15:57 +0200 Subject: [PATCH 250/492] avcodec: fix aac/ac3 parser bitstream buffer size Buffers containing copies of the AAC and AC3 header bits were not padded before parsing, violating init_get_bits() buffer padding requirement, leading to potential buffer read overflows. This change adds FF_INPUT_BUFFER_PADDING_SIZE bytes to the bit buffer for parsing the header in each of aac_parser.c and ac3_parser.c. Based on patch by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit fccd85b9f30525f88692f53134eba41f1f2d90db) Signed-off-by: Michael Niedermayer --- libavcodec/aac_parser.c | 2 +- libavcodec/ac3_parser.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aac_parser.c b/libavcodec/aac_parser.c index ab6ca4e268..cb93ba9482 100644 --- a/libavcodec/aac_parser.c +++ b/libavcodec/aac_parser.c @@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info, int size; union { uint64_t u64; - uint8_t u8[8]; + uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE]; } tmp; tmp.u64 = av_be2ne64(state); diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index 8dc4c0d480..acfbc2ea66 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -147,7 +147,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info, int err; union { uint64_t u64; - uint8_t u8[8]; + uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE]; } tmp = { av_be2ne64(state) }; AC3HeaderInfo hdr; GetBitContext gbc; From d4253b3a5b7431053810844323a5cb4ea0293810 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Aug 2014 23:33:40 +0200 Subject: [PATCH 251/492] avcodec/utils: add GBRP16 to avcodec_align_dimensions2() Fixes Ticket3869 Signed-off-by: Michael Niedermayer (cherry picked from commit 3fe9e7be4c70c8fccdcd56fd19276e668cfb7de8) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index f3dc8537f9..7f6792d8ac 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -260,6 +260,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_GBRP12BE: case AV_PIX_FMT_GBRP14LE: case AV_PIX_FMT_GBRP14BE: + case AV_PIX_FMT_GBRP16LE: + case AV_PIX_FMT_GBRP16BE: w_align = 16; //FIXME assume 16 pixel per macroblock h_align = 16 * 2; // interlaced needs 2 macroblocks height break; From d76c9b5665a87be003adf9c88cbc902099c90fc4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Aug 2014 02:12:10 +0200 Subject: [PATCH 252/492] avcodec/snow: check coeffs for validity Fixes deadlock Fixes integer overflow Fixes Ticket 3892 Signed-off-by: Michael Niedermayer (cherry picked from commit 596636a474ab201badaae269f3a2cef4824b8c1f) Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 6335c5d8ae..dace5e39cf 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -654,7 +654,10 @@ static inline void unpack_coeffs(SnowContext *s, SubBand *b, SubBand * parent, i if(v){ v= 2*(get_symbol2(&s->c, b->state[context + 2], context-4) + 1); v+=get_rac(&s->c, &b->state[0][16 + 1 + 3 + ff_quant3bA[l&0xFF] + 3*ff_quant3bA[t&0xFF]]); - + if ((uint16_t)v != v) { + av_log(s->avctx, AV_LOG_ERROR, "Coefficient damaged\n"); + v = 1; + } xc->x=x; (xc++)->coeff= v; } @@ -664,6 +667,10 @@ static inline void unpack_coeffs(SnowContext *s, SubBand *b, SubBand * parent, i else run= INT_MAX; v= 2*(get_symbol2(&s->c, b->state[0 + 2], 0-4) + 1); v+=get_rac(&s->c, &b->state[0][16 + 1 + 3]); + if ((uint16_t)v != v) { + av_log(s->avctx, AV_LOG_ERROR, "Coefficient damaged\n"); + v = 1; + } xc->x=x; (xc++)->coeff= v; From d7d29f0d433ad6c12c7cecd2a537aaef53d51808 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Sep 2014 05:22:26 +0200 Subject: [PATCH 253/492] avformat/swfdec: Use side data to communicate w/h changes to the decoder Fixes reading from freed data Fixes part of Ticket3539 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1c55d0ff3202a04ebc67a72d72391104e9bdb633) Signed-off-by: Michael Niedermayer (cherry picked from commit a9734e7d3017ffc9539eaac2a8acce3ad427f746) Signed-off-by: Michael Niedermayer --- libavformat/swfdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 54e0f6dc0e..00926c8274 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -347,11 +347,15 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) avpriv_set_pts_info(vst, 64, 256, swf->frame_rate); st = vst; } - st->codec->width = width; - st->codec->height = height; if ((res = av_new_packet(pkt, out_len - colormapsize * colormapbpp)) < 0) goto bitmap_end; + if (!st->codec->width && !st->codec->height) { + st->codec->width = width; + st->codec->height = height; + } else { + ff_add_param_change(pkt, 0, 0, 0, width, height); + } pkt->pos = pos; pkt->stream_index = st->index; From 2fdb02693bbd6d534d91af9aa5d004cf5f056801 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Sep 2014 16:42:33 +0200 Subject: [PATCH 254/492] avformat/swfdec: Do not change the pixel format This is currently not supported Fixes part of Ticket 3539 Signed-off-by: Michael Niedermayer (cherry picked from commit c2430304dfb3cc0e3a59ce6d1b59ebdcc934a0c2) Signed-off-by: Michael Niedermayer --- libavformat/swfdec.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 00926c8274..bf5b581d5d 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -283,6 +283,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) const int bmp_fmt = avio_r8(pb); const int width = avio_rl16(pb); const int height = avio_rl16(pb); + int pix_fmt; len -= 2+1+2+2; @@ -361,7 +362,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) switch (bmp_fmt) { case 3: - st->codec->pix_fmt = AV_PIX_FMT_PAL8; + pix_fmt = AV_PIX_FMT_PAL8; for (i = 0; i < colormapsize; i++) if (alpha_bmp) colormap[i] = buf[3]<<24 | AV_RB24(buf + 4*i); else colormap[i] = 0xffU <<24 | AV_RB24(buf + 3*i); @@ -373,14 +374,20 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) memcpy(pal, colormap, AVPALETTE_SIZE); break; case 4: - st->codec->pix_fmt = AV_PIX_FMT_RGB555; + pix_fmt = AV_PIX_FMT_RGB555; break; case 5: - st->codec->pix_fmt = alpha_bmp ? AV_PIX_FMT_ARGB : AV_PIX_FMT_0RGB; + pix_fmt = alpha_bmp ? AV_PIX_FMT_ARGB : AV_PIX_FMT_0RGB; break; default: av_assert0(0); } + if (st->codec->pix_fmt != AV_PIX_FMT_NONE && st->codec->pix_fmt != pix_fmt) { + av_log(s, AV_LOG_ERROR, "pixel format change unsupported\n"); + res = AVERROR_PATCHWELCOME; + goto bitmap_end; + } + st->codec->pix_fmt = pix_fmt; if (linesize * height > pkt->size) { res = AVERROR_INVALIDDATA; From 6e70816f719125a630fcb8ce7e67c0c7136e7655 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 12:52:24 +0200 Subject: [PATCH 255/492] avcodec/mpegvideo: Use "goto fail" for all error paths in ff_mpv_common_frame_size_change() Signed-off-by: Michael Niedermayer (cherry picked from commit 2762323c37511fbbc98b164c07620b9ebc59ec68) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index d497864b62..666fccac91 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1212,7 +1212,7 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) if ((s->width || s->height) && av_image_check_size(s->width, s->height, 0, s->avctx)) - return AVERROR_INVALIDDATA; + goto fail; if ((err = init_context_frame(s))) goto fail; From 2b415192fd9a60642f87afc602c424df36f8c82c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 13:00:47 +0200 Subject: [PATCH 256/492] avcodec/mpegvideo: check that the context is initialized in ff_mpv_common_frame_size_change() The function otherwise would initialize the context without setting context_initialized alternatively we could set context_initialized Fixes valgrind anomalies related to ticket 3928 Signed-off-by: Michael Niedermayer (cherry picked from commit 0d0f7f0ba43f64312ae4a05d97afecf1b7b1330c) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 666fccac91..809138241a 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1182,6 +1182,9 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) { int i, err = 0; + if (!s->context_initialized) + return AVERROR(EINVAL); + if (s->slice_context_count > 1) { for (i = 0; i < s->slice_context_count; i++) { free_duplicate_context(s->thread_context[i]); From beb83f0a40708c95a6420ca15fcf4f1dd0a2c1be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 14:14:52 +0200 Subject: [PATCH 257/492] avcodec/mpegvideo: Set err on failure in ff_mpv_common_frame_size_change() Found-by: ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit cfce6f7efd28130bf0dd409b2367ca0f8c9b2417) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 809138241a..1a115d3254 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1214,7 +1214,7 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) s->mb_height = (s->height + 15) / 16; if ((s->width || s->height) && - av_image_check_size(s->width, s->height, 0, s->avctx)) + (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) goto fail; if ((err = init_context_frame(s))) @@ -1231,7 +1231,7 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) } for (i = 0; i < nb_slices; i++) { - if (init_duplicate_context(s->thread_context[i]) < 0) + if ((err = init_duplicate_context(s->thread_context[i])) < 0) goto fail; s->thread_context[i]->start_mb_y = (s->mb_height * (i) + nb_slices / 2) / nb_slices; From 47fe68eec82106606e4b9fec20245fde33204315 Mon Sep 17 00:00:00 2001 From: Katerina Barone-Adesi Date: Tue, 16 Sep 2014 01:40:24 +0200 Subject: [PATCH 258/492] apetag: Fix APE tag size check The size variable is (correctly) unsigned, but is passed to several functions which take signed parameters, such as avio_read, sometimes after having numbers added to it. So ensure that size remains within the bounds that these functions can handle. CC: libav-stable@libav.org Signed-off-by: Diego Biurrun (cherry picked from commit c5560e72d0bb69f8a1ac9536570398f84388f396) Signed-off-by: Michael Niedermayer --- libavformat/apetag.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index ab93736718..6b7c01ee42 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -53,8 +53,10 @@ static int ape_tag_read_field(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key); return -1; } - if (size >= UINT_MAX) - return -1; + if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + av_log(s, AV_LOG_ERROR, "APE tag size too large.\n"); + return AVERROR_INVALIDDATA; + } if (flags & APE_TAG_FLAG_IS_BINARY) { uint8_t filename[1024]; enum AVCodecID id; From 992ce9777c7e3f4268f66db9b7c5b1375e65d484 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 5 Mar 2014 19:44:36 -0300 Subject: [PATCH 259/492] x86/dsputil: add emms to ff_scalarproduct_int16_mmxext() Also undo the changes to ra144enc.c from previous commits. Should fix ticket #3429 Signed-off-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 9e0e1f9067430de1655a7b28536b5afed48bded5) Conflicts: libavcodec/ra144enc.c Signed-off-by: Michael Niedermayer --- libavcodec/ra144enc.c | 1 - libavcodec/x86/dsputil.asm | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ra144enc.c b/libavcodec/ra144enc.c index da55b73560..61cd95f050 100644 --- a/libavcodec/ra144enc.c +++ b/libavcodec/ra144enc.c @@ -34,7 +34,6 @@ #include "celp_filters.h" #include "ra144.h" - static av_cold int ra144_encode_close(AVCodecContext *avctx) { RA144Context *ractx = avctx->priv_data; diff --git a/libavcodec/x86/dsputil.asm b/libavcodec/x86/dsputil.asm index 77069e20f8..d7825ee387 100644 --- a/libavcodec/x86/dsputil.asm +++ b/libavcodec/x86/dsputil.asm @@ -61,6 +61,9 @@ cglobal scalarproduct_int16, 3,3,3, v1, v2, order %endif paddd m2, m0 movd eax, m2 +%if mmsize == 8 + emms +%endif RET ; int scalarproduct_and_madd_int16(int16_t *v1, int16_t *v2, int16_t *v3, int order, int mul) From f238de19905364993921fa83daf35e5e59d50d56 Mon Sep 17 00:00:00 2001 From: Gianluigi Tiesi Date: Fri, 19 Sep 2014 04:49:36 +0200 Subject: [PATCH 260/492] avcodec/libilbc: support for latest git of libilbc in the latest git commits of libilbc developers removed WebRtc_xxx typedefs This commit uses int types instead, it's safe to apply also for previous versions since WebRtc_Word16 was always a typedef of int16_t and WebRtc_UWord16 a typedef of uint16_t Reviewed-by: Timothy Gu Signed-off-by: Michael Niedermayer (cherry picked from commit 59af5383c18c8cf3fe2a4b5cc1ebf2f3300bdfe5) Signed-off-by: Michael Niedermayer --- libavcodec/libilbc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/libilbc.c b/libavcodec/libilbc.c index b4163c67eb..d0d92e374b 100644 --- a/libavcodec/libilbc.c +++ b/libavcodec/libilbc.c @@ -96,8 +96,7 @@ static int ilbc_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; - WebRtcIlbcfix_DecodeImpl((WebRtc_Word16*) frame->data[0], - (const WebRtc_UWord16*) buf, &s->decoder, 1); + WebRtcIlbcfix_DecodeImpl((int16_t *) frame->data[0], (const uint16_t *) buf, &s->decoder, 1); *got_frame_ptr = 1; @@ -170,7 +169,7 @@ static int ilbc_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if ((ret = ff_alloc_packet2(avctx, avpkt, 50)) < 0) return ret; - WebRtcIlbcfix_EncodeImpl((WebRtc_UWord16*) avpkt->data, (const WebRtc_Word16*) frame->data[0], &s->encoder); + WebRtcIlbcfix_EncodeImpl((uint16_t *) avpkt->data, (const int16_t *) frame->data[0], &s->encoder); avpkt->size = s->encoder.no_of_bytes; *got_packet_ptr = 1; From 2eda0e705a286107b9861c51cccd724665a176eb Mon Sep 17 00:00:00 2001 From: lvqcl Date: Sat, 27 Sep 2014 13:21:31 +0200 Subject: [PATCH 261/492] avutil/x86/cpu: fix cpuid sub-leaf selection Signed-off-by: Michael Niedermayer (cherry picked from commit e58fc44649d07d523fcd17aa10d9eb0d3a5ef3f4) Signed-off-by: Michael Niedermayer --- libavutil/x86/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c index a3a5239159..9f8d7491e8 100644 --- a/libavutil/x86/cpu.c +++ b/libavutil/x86/cpu.c @@ -44,7 +44,7 @@ "cpuid \n\t" \ "xchg %%"REG_b", %%"REG_S \ : "=a" (eax), "=S" (ebx), "=c" (ecx), "=d" (edx) \ - : "0" (index)) + : "0" (index), "2"(0)) #define xgetbv(index, eax, edx) \ __asm__ (".byte 0x0f, 0x01, 0xd0" : "=a"(eax), "=d"(edx) : "c" (index)) From 52fd0cda2cdd20d89d3a59401379b7befa998688 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Sep 2014 20:34:44 +0200 Subject: [PATCH 262/492] avcodec/ac3enc_template: fix out of array read Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d85ebea3f3b68ebccfe308fa839fc30fa634e4de) Signed-off-by: Michael Niedermayer --- libavcodec/ac3enc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3enc_template.c b/libavcodec/ac3enc_template.c index 0389c2ef4a..76d42a2bdc 100644 --- a/libavcodec/ac3enc_template.c +++ b/libavcodec/ac3enc_template.c @@ -260,7 +260,7 @@ static void apply_channel_coupling(AC3EncodeContext *s) energy_cpl = energy[blk][CPL_CH][bnd]; energy_ch = energy[blk][ch][bnd]; blk1 = blk+1; - while (!s->blocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) { + while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) { if (s->blocks[blk1].cpl_in_use) { energy_cpl += energy[blk1][CPL_CH][bnd]; energy_ch += energy[blk1][ch][bnd]; From 8622618839c6fc9a3e2f8fcd3889bfce79fbb762 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 21 Sep 2014 09:58:10 +0100 Subject: [PATCH 263/492] configure: add noexecstack to linker options if supported. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Reimar Döffinger (cherry picked from commit b7082d953fda93f7841ffffe7d15a6c3cd15bdee) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 43b4937775..5ed0ddcf44 100755 --- a/configure +++ b/configure @@ -3957,6 +3957,7 @@ EOF fi check_ldflags -Wl,--as-needed +check_ldflags -Wl,-z,noexecstack if check_func dlopen; then ldl= From 3f9a148022ef0473e96d75add7f04a3e020ebbaa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Oct 2014 23:17:21 +0200 Subject: [PATCH 264/492] avcodec/jpeglsdec: Check run value more completely in ls_decode_line() previously it could have been by 1 too large Fixes out of array access Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 06e7d58410a17dc72c30ee7f3145fcacc425f4f2) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 894dd428d7..c2179e520b 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -217,6 +217,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, x += stride; } + if (x >= w) { + av_log(NULL, AV_LOG_ERROR, "run overflow\n"); + return; + } + /* decode run termination value */ Rb = R(last, x); RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0; From 49d69844f500e20708a86ae840e809538ba6c6ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 01:50:27 +0200 Subject: [PATCH 265/492] avcodec/mjpegdec: check bits per pixel for changes similar to dimensions Fixes out of array accesses Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5c378d6a6df8243f06c87962b873bd563e58cd39) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit 94371a404c663c3dae3d542fa43951567ab67f82) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 6a61315efc..895577421e 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -212,7 +212,7 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, pix_fmt_id; + int len, nb_components, i, width, height, bits, pix_fmt_id; int h_count[MAX_COMPONENTS]; int v_count[MAX_COMPONENTS]; @@ -221,14 +221,14 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->bits = get_bits(&s->gb, 8); + bits = get_bits(&s->gb, 8); if (s->pegasus_rct) - s->bits = 9; - if (s->bits == 9 && !s->pegasus_rct) + bits = 9; + if (bits == 9 && !s->pegasus_rct) s->rct = 1; // FIXME ugly - if (s->bits != 8 && !s->lossless) { + if (bits != 8 && !s->lossless) { av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n"); return -1; } @@ -259,7 +259,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) return AVERROR_INVALIDDATA; } } - if (s->ls && !(s->bits <= 8 || nb_components == 1)) { + if (s->ls && !(bits <= 8 || nb_components == 1)) { avpriv_report_missing_feature(s->avctx, "JPEG-LS that is not <= 8 " "bits/component or 16-bit gray"); @@ -305,11 +305,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* if different size, realloc/alloc picture */ if ( width != s->width || height != s->height + || bits != s->bits || memcmp(s->h_count, h_count, sizeof(h_count)) || memcmp(s->v_count, v_count, sizeof(v_count))) { s->width = width; s->height = height; + s->bits = bits; memcpy(s->h_count, h_count, sizeof(h_count)); memcpy(s->v_count, v_count, sizeof(v_count)); s->interlaced = 0; From ac82e318bb81933a427efa1038a24483c00c77a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 04:30:58 +0200 Subject: [PATCH 266/492] avcodec/utils: Add case for jv to avcodec_align_dimensions2() Fixes out of array accesses Fixes: asan_heap-oob_12304aa_8_asan_heap-oob_4da4f3_300_intro.jv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 105654e376a736d243aef4a1d121abebce912e6b) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 7f6792d8ac..a6de45cdc7 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -291,6 +291,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_JV) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || From 16775c7aaa0798c396036e55336fc5c087cc202e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 14:45:04 +0200 Subject: [PATCH 267/492] avcodec/mmvideo: Bounds check 2nd line of HHV Intra blocks Fixes out of array access Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e) Conflicts: libavcodec/mmvideo.c --- libavcodec/mmvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 292ebe68b9..f028e5765d 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -109,7 +109,7 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) if (color) { memset(s->frame.data[0] + y*s->frame.linesize[0] + x, color, run_length); - if (half_vert) + if (half_vert && y + half_vert < s->avctx->height) memset(s->frame.data[0] + (y+1)*s->frame.linesize[0] + x, color, run_length); } x+= run_length; From abbfc4d87ec4a420b06425baf89ae961e1a41e74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 16:08:32 +0200 Subject: [PATCH 268/492] avcodec/tiff: more completely check bpp/bppcount Fixes pixel format selection Fixes out of array accesses Fixes: asan_heap-oob_1766029_6_asan_heap-oob_20aa045_332_cov_1823216757_m2-d1d366d7965db766c19a66c7a2ccbb6b.tif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index fdfa8f2b9e..b258aa4283 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -748,13 +748,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->height = value; break; case TIFF_BPP: - s->bppcount = count; - if (count > 4) { + if (count > 4U) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", - s->bpp, count); + value, count); return AVERROR_INVALIDDATA; } + s->bppcount = count; if (count == 1) s->bpp = value; else { @@ -775,6 +775,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->bpp = -1; } } + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } break; case TIFF_SAMPLES_PER_PIXEL: if (count != 1) { From ae81d9a7da10ee51e229b7e28da4a862888fbdde Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:35:58 +0200 Subject: [PATCH 269/492] avcodec/pngdec: Check bits per pixel before setting monoblack pixel format Fixes out of array accesses Fixes: asan_heap-oob_14dbfcf_4_asan_heap-oob_1ce5767_179_add_method_small.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 1358ac5c5c..016dff9d4a 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -623,7 +623,7 @@ static int decode_frame(AVCodecContext *avctx, } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) && s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (s->bit_depth == 1) { + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOBLACK; } else if (s->bit_depth == 8 && s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { From db48767d7c16f3b9661235a0ed95a2347b0f4226 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:54:21 +0200 Subject: [PATCH 270/492] avcodec/pngdec: Calculate MPNG bytewidth more defensively Signed-off-by: Michael Niedermayer (cherry picked from commit e830902934a29df05c7af65aef2a480b15f572c4) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 016dff9d4a..c4fc422ccf 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -829,9 +829,10 @@ static int decode_frame(AVCodecContext *avctx, int i, j; uint8_t *pd = p->data[0]; uint8_t *pd_last = s->prev->data[0]; + int ls = FFMIN(av_image_get_linesize(p->format, s->width, 0), s->width * s->bpp); for (j = 0; j < s->height; j++) { - for (i = 0; i < s->width * s->bpp; i++) { + for (i = 0; i < ls; i++) { pd[i] += pd_last[i]; } pd += s->image_linesize; From 97fdbd12f9093366a9a7f870b3ba17771f1e3419 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 19:33:01 +0200 Subject: [PATCH 271/492] avcodec/cinepak: fix integer underflow Fixes out of array access Fixes: asan_heap-oob_4da0ba_6_asan_heap-oob_4da0ba_241_cvid_crash.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e7e5114c506957f40aafd794e06de1a7e341e9d5) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index f5bc113232..4a6e143bde 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -135,7 +135,7 @@ static int cinepak_decode_vectors (CinepakContext *s, cvid_strip *strip, const uint8_t *eod = (data + size); uint32_t flag, mask; uint8_t *cb0, *cb1, *cb2, *cb3; - unsigned int x, y; + int x, y; char *ip0, *ip1, *ip2, *ip3; flag = 0; From be7105dff61e3356459546ea952c0ea795674106 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 20:15:52 +0200 Subject: [PATCH 272/492] avcodec/gifdec: factorize interleave end handling out also change it to a loop Fixes out of array access Fixes: asan_heap-oob_ca5410_8_asan_heap-oob_ca5410_97_ID_LSD_Size_Less_Then_Data_Inter_3.gif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f1457864be8fb9653643519dea1c6492f1dde57) Signed-off-by: Michael Niedermayer --- libavcodec/gifdec.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 4c1cb83aa5..a7a56965d0 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -251,26 +251,21 @@ static int gif_read_image(GifState *s, AVFrame *frame) case 1: y1 += 8; ptr += linesize * 8; - if (y1 >= height) { - y1 = pass ? 2 : 4; - ptr = ptr1 + linesize * y1; - pass++; - } break; case 2: y1 += 4; ptr += linesize * 4; - if (y1 >= height) { - y1 = 1; - ptr = ptr1 + linesize; - pass++; - } break; case 3: y1 += 2; ptr += linesize * 2; break; } + while (y1 >= height) { + y1 = 4 >> pass; + ptr = ptr1 + linesize * y1; + pass++; + } } else { ptr += linesize; } From d36bb362a673b6e4aeab8200a66798a3fccecb6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 21:08:52 +0200 Subject: [PATCH 273/492] avcodec/qpeg: fix off by 1 error in MV bounds check Fixes out of array access Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dd3bfe3cc1ca26d0fff3a3baf61a40207032143f) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 6015b7f4b0..d7356baed2 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -163,7 +163,7 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, /* check motion vector */ if ((me_x + filled < 0) || (me_x + me_w + filled > width) || - (height - me_y - me_h < 0) || (height - me_y > orig_height) || + (height - me_y - me_h < 0) || (height - me_y >= orig_height) || (filled + me_w > width) || (height - me_h < 0)) av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", me_x, me_y, me_w, me_h, filled, height); From b4e0acfa043cbb7991335e1383ba7456dc07d169 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 22:50:45 +0200 Subject: [PATCH 274/492] avcodec/smc: fix off by 1 error Fixes out of array access Fixes: asan_heap-oob_1685bf0_5_asan_heap-oob_1f35116_430_smc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c727401aa9d62335e89d118a5b4e202edf39d905) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 2c7ab9ab69..51465ce610 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -70,7 +70,7 @@ typedef struct SmcContext { row_ptr += stride * 4; \ } \ total_blocks--; \ - if (total_blocks < 0) \ + if (total_blocks < 0 + !!n_blocks) \ { \ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ return; \ From ff59edb6dcd7e695b28335c5f718fb7342823714 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 00:13:26 +0200 Subject: [PATCH 275/492] avcodec/svq3: Dont memcpy AVFrame This avoids out of array accesses Fixes: asan_heap-uaf_21f42e4_9_asan_heap-uaf_21f42e4_278_gl2.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 075a165d2715837d125a9cc714fb430ccf6c9d6b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 3da341e667..5e8e1077d6 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1147,7 +1147,7 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, h->cur_pic_ptr = s->cur_pic; av_frame_unref(&h->cur_pic.f); - h->cur_pic = *s->cur_pic; + memcpy(&h->cur_pic.tf, &s->cur_pic->tf, sizeof(h->cur_pic) - offsetof(Picture, tf)); ret = av_frame_ref(&h->cur_pic.f, &s->cur_pic->f); if (ret < 0) return ret; From 128b0510e1596058fd65c23c274c9cf1b88956fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 04:29:40 +0200 Subject: [PATCH 276/492] avformat/mpegts: Check desc_len / get8() return code Fixes out of array read Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index f49c2c4049..2bb3fdca87 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1698,7 +1698,7 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len break; desc_len = get8(&p, desc_list_end); desc_end = p + desc_len; - if (desc_end > desc_list_end) + if (desc_len < 0 || desc_end > desc_list_end) break; av_dlog(ts->stream, "tag: 0x%02x len=%d\n", From 0e7173826216384b56192be3ccdbccb488d7c977 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 14:51:46 +0200 Subject: [PATCH 277/492] avcodec/h264: Check mode before considering mixed mode intra prediction Fixes out of array read Fixes: asan_heap-oob_e476fc_2_asan_heap-oob_1333ec6_61_CAMACI3_Sony_C.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9734a7a1de3043f012ad0f1ef11027d9488067e6) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 7227e1ee27..5e92b30a4c 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -500,18 +500,18 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma) if ((h->left_samples_available & 0x8080) != 0x8080) { mode = left[mode]; - if (is_chroma && (h->left_samples_available & 0x8080)) { - // mad cow disease mode, aka MBAFF + constrained_intra_pred - mode = ALZHEIMER_DC_L0T_PRED8x8 + - (!(h->left_samples_available & 0x8000)) + - 2 * (mode == DC_128_PRED8x8); - } if (mode < 0) { av_log(h->avctx, AV_LOG_ERROR, "left block unavailable for requested intra mode at %d %d\n", h->mb_x, h->mb_y); return -1; } + if (is_chroma && (h->left_samples_available & 0x8080)) { + // mad cow disease mode, aka MBAFF + constrained_intra_pred + mode = ALZHEIMER_DC_L0T_PRED8x8 + + (!(h->left_samples_available & 0x8000)) + + 2 * (mode == DC_128_PRED8x8); + } } return mode; From 322470e606334bdbda7993a44acc1955fb00fdec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Oct 2014 01:08:20 +0200 Subject: [PATCH 278/492] swresample/swresample: fix sample drop loop end condition Fixes Ticket3985 Signed-off-by: Michael Niedermayer (cherry picked from commit f9fefa499f0af48f47ea73c8ce0b25df0976c315) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index ba2afdb1d0..c534ccf0dc 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -752,6 +752,8 @@ int swr_convert(struct SwrContext *s, uint8_t *out_arg[SWR_CH_MAX], int out_coun in_count = 0; if(ret>0) { s->drop_output -= ret; + if (!s->drop_output && !out_arg) + return 0; continue; } From d7906baa85978c052475d8ea2f8391c031649400 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Oct 2014 20:26:27 +0200 Subject: [PATCH 279/492] postproc/postprocess: fix quant store for fq mode Signed-off-by: Michael Niedermayer (cherry picked from commit 941aaa39e8cd78ba4d16dfcec767290aec9a0136) Conflicts: tests/ref/fate/filter-pp3 (cherry picked from commit 705748caf3f6a4a3e74ad3d2fc547a5a0213a521) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 2 +- tests/ref/fate/filter-pp3 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index b34943f983..fb18776f94 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -1000,7 +1000,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if((pict_type&7)!=3){ if (QPStride >= 0){ int i; - const int count= mbHeight * QPStride; + const int count= mbHeight * FFMAX(QPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; } diff --git a/tests/ref/fate/filter-pp3 b/tests/ref/fate/filter-pp3 index ccf2eebc62..1af87610c8 100644 --- a/tests/ref/fate/filter-pp3 +++ b/tests/ref/fate/filter-pp3 @@ -1 +1 @@ -pp3 39af1a30d0ea0e906df264773adfcaa6 +pp3 c8277ef31ab01bad51356841c9634522 From 9b1673531cf92447ab1e03ad62c7ae4487c5ee0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Oct 2014 16:02:42 +0200 Subject: [PATCH 280/492] postproc: fix qp count Found-by: ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit 0b7e5d0d75e7d8762dd04d35f8c0821736164372) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index fb18776f94..8e5b043060 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -975,7 +975,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if(pict_type & PP_PICT_TYPE_QP2){ int i; - const int count= mbHeight * absQPStride; + const int count= FFMAX(mbHeight * absQPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->stdQPTable)[i] = (((const uint32_t*)QP_store)[i]>>1) & 0x7F7F7F7F; } @@ -1000,7 +1000,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if((pict_type&7)!=3){ if (QPStride >= 0){ int i; - const int count= mbHeight * FFMAX(QPStride, mbWidth); + const int count= FFMAX(mbHeight * QPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; } From 70402f6ee78606b55558fc864ad3d10a44d0a60c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 01:23:40 +0100 Subject: [PATCH 281/492] avcodec/diracdec: Use 64bit in calculation of codeblock coordinates Fixes integer overflow Fixes out of array read Fixes: asan_heap-oob_107866c_42_041.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 526886e6069636a918c8c04db17e864e3d8151c1) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 5653c86937..9c6fbc765b 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -598,10 +598,10 @@ static av_always_inline void decode_subband_internal(DiracContext *s, SubBand *b top = 0; for (cb_y = 0; cb_y < cb_height; cb_y++) { - bottom = (b->height * (cb_y+1)) / cb_height; + bottom = (b->height * (cb_y+1LL)) / cb_height; left = 0; for (cb_x = 0; cb_x < cb_width; cb_x++) { - right = (b->width * (cb_x+1)) / cb_width; + right = (b->width * (cb_x+1LL)) / cb_width; codeblock(s, b, &gb, &c, left, right, top, bottom, blockcnt_one, is_arith); left = right; } From c0be9d7264400f8eb8648fd0b0ad00819e376163 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 01:23:40 +0100 Subject: [PATCH 282/492] avcodec/diracdec: Tighter checks on CODEBLOCKS_X/Y Fixes very long but finite loop Fixes: asan_heap-oob_107866c_42_041.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5145d22b88b9835db81c4d286b931a78e08ab76a) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 9c6fbc765b..02ec30b285 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -990,8 +990,8 @@ static int dirac_unpack_idwt_params(DiracContext *s) /* Codeblock parameters (core syntax only) */ if (get_bits1(gb)) { for (i = 0; i <= s->wavelet_depth; i++) { - CHECKEDREAD(s->codeblock[i].width , tmp < 1, "codeblock width invalid\n") - CHECKEDREAD(s->codeblock[i].height, tmp < 1, "codeblock height invalid\n") + CHECKEDREAD(s->codeblock[i].width , tmp < 1 || tmp > (s->avctx->width >>s->wavelet_depth-i), "codeblock width invalid\n") + CHECKEDREAD(s->codeblock[i].height, tmp < 1 || tmp > (s->avctx->height>>s->wavelet_depth-i), "codeblock height invalid\n") } CHECKEDREAD(s->codeblock_mode, tmp > 1, "unknown codeblock mode\n") From 2cf83677b31453868b090e898bb66809b8d18b63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 02:14:41 +0100 Subject: [PATCH 283/492] avcodec/dirac_arith: fix integer overflow Fixes: asan_heap-oob_1078676_9_008.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 39680caceebfc6abf09b17032048752c014e57a8) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_arith.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dirac_arith.h b/libavcodec/dirac_arith.h index 089c71a698..a1fa96b5bc 100644 --- a/libavcodec/dirac_arith.h +++ b/libavcodec/dirac_arith.h @@ -171,6 +171,10 @@ static inline int dirac_get_arith_uint(DiracArith *c, int follow_ctx, int data_c { int ret = 1; while (!dirac_get_arith_bit(c, follow_ctx)) { + if (ret >= 0x40000000) { + av_log(NULL, AV_LOG_ERROR, "dirac_get_arith_uint overflow\n"); + return -1; + } ret <<= 1; ret += dirac_get_arith_bit(c, data_ctx); follow_ctx = ff_dirac_next_ctx[follow_ctx]; From 808b0ccc03dcdac68eb8b693b5c9a59aa1d62b6d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 15:26:42 +0100 Subject: [PATCH 284/492] avcodec/dxa: check dimensions Fixes out of array access Fixes: asan_heap-oob_11222fb_21_020.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e70312dfc22c4e54d5716f28f28db8f99c74cc90) Conflicts: libavcodec/dxa.c --- libavcodec/dxa.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c index 985b9dab3f..c56c0af210 100644 --- a/libavcodec/dxa.c +++ b/libavcodec/dxa.c @@ -306,6 +306,11 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (avctx->width%4 || avctx->height%4) { + avpriv_request_sample(avctx, "dimensions are not a multiple of 4"); + return AVERROR_INVALIDDATA; + } + c->prev = av_frame_alloc(); if (!c->prev) return AVERROR(ENOMEM); From 85cac770bdb0ed871ce5715452f416d16d36d7e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Oct 2014 00:57:07 +0100 Subject: [PATCH 285/492] avcodec/dnxhddec: treat pix_fmt like width/height Fixes out of array accesses Fixes: asan_heap-oob_22c9a39_16_015.mxf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f3c0e0bf6f53df0977f3878d4f5cec99dff8de9e) Conflicts: libavcodec/dnxhddec.c Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index e96369be9a..61d769570e 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -35,6 +35,7 @@ typedef struct DNXHDContext { GetBitContext gb; int64_t cid; ///< compression id unsigned int width, height; + enum AVPixelFormat pix_fmt; unsigned int mb_width, mb_height; uint32_t mb_scan_index[68]; /* max for 1080p */ int cur_field; ///< current interlaced field @@ -128,7 +129,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, av_dlog(ctx->avctx, "width %d, height %d\n", ctx->width, ctx->height); if (buf[0x21] & 0x40) { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P10; + ctx->pix_fmt = AV_PIX_FMT_YUV422P10; ctx->avctx->bits_per_raw_sample = 10; if (ctx->bit_depth != 10) { ff_dsputil_init(&ctx->dsp, ctx->avctx); @@ -136,7 +137,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, ctx->decode_dct_block = dnxhd_decode_dct_block_10; } } else { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P; + ctx->pix_fmt = AV_PIX_FMT_YUV422P; ctx->avctx->bits_per_raw_sample = 8; if (ctx->bit_depth != 8) { ff_dsputil_init(&ctx->dsp, ctx->avctx); @@ -376,9 +377,15 @@ static int dnxhd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, avctx->width, avctx->height, ctx->width, ctx->height); first_field = 1; } + if (avctx->pix_fmt != AV_PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) { + av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n", + av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt)); + first_field = 1; + } if (av_image_check_size(ctx->width, ctx->height, 0, avctx)) return -1; + avctx->pix_fmt = ctx->pix_fmt; avcodec_set_dimensions(avctx, ctx->width, ctx->height); if (first_field) { From bde9e859b3c7ebb0f76437dd6457a41ac8904740 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Oct 2014 14:15:29 +0100 Subject: [PATCH 286/492] avcodec/utils: Align dimensions by at least their chroma sub-sampling factors. Fixes: out of array accesses Fixes: asan_heap-oob_112c6b3_13_012.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit df74811cd53e45fcbbd3b77a1c42416816687c5c) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index a6de45cdc7..8e421e7073 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -196,6 +196,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int i; int w_align = 1; int h_align = 1; + AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(s->pix_fmt); + + if (desc) { + w_align = 1 << desc->log2_chroma_w; + h_align = 1 << desc->log2_chroma_h; + } switch (s->pix_fmt) { case AV_PIX_FMT_YUV420P: @@ -310,8 +316,6 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } break; default: - w_align = 1; - h_align = 1; break; } From e2865d931618deb65659343f185a0f77cf000296 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2014 01:19:17 +0100 Subject: [PATCH 287/492] avcodec/g2meet: check tile dimensions to avoid integer overflow Fixes out of array access Fixes: asan_heap-oob_12a55d3_30_029.wmv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 32e666c354e4a3160d8cf1d303cb51990b095c87) Conflicts: libavcodec/g2meet.c Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 1634059f16..bcf6cb05d3 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -716,7 +716,10 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, } c->tile_width = bytestream2_get_be32(&bc); c->tile_height = bytestream2_get_be32(&bc); - if (!c->tile_width || !c->tile_height) { + if (c->tile_width <= 0 || c->tile_height <= 0 || + ((c->tile_width | c->tile_height) & 0xF) || + c->tile_width * 4LL * c->tile_height >= INT_MAX + ) { av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions %dx%d\n", c->tile_width, c->tile_height); From 8efb06c8735f1ceb47e10a2162209c66fe648b3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2014 16:53:09 +0100 Subject: [PATCH 288/492] avcodec/cook: check that the subpacket sizes fit in block_align Fixes out of array read Fixes: asan_heap-oob_fb5c50_19_018.rmvb Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 10e32618acce9c3fc64c061eb7907e8a8d2749ae) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 08cd4017fc..3344b703d9 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1217,8 +1217,8 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->num_subpackets++; s++; - if (s > MAX_SUBPACKETS) { - avpriv_request_sample(avctx, "subpackets > %d", MAX_SUBPACKETS); + if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) { + avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); return AVERROR_PATCHWELCOME; } } From 694c3dab363fd13a0312cfb635dd7499656a0d27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2014 18:16:25 +0100 Subject: [PATCH 289/492] avcodec/svq1dec: zero terminate embedded message before printing Fixes out of array access Fixes: asan_stack-oob_49b1e5_10_009.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e91ba2efa949470e9157b652535d207a101f91e0) Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 86fe6f8813..464b8c2dac 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -496,7 +496,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, HpelDSPContext *hdsp, return result; } -static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) +static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257]) { uint8_t seed; int i; @@ -508,6 +508,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) out[i] = get_bits(bitbuf, 8) ^ seed; seed = string_table[out[i] ^ seed]; } + out[i] = 0; } static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) @@ -550,12 +551,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) } if ((s->frame_code ^ 0x10) >= 0x50) { - uint8_t msg[256]; + uint8_t msg[257]; svq1_parse_string(bitbuf, msg); av_log(avctx, AV_LOG_INFO, - "embedded message:\n%s\n", (char *)msg); + "embedded message:\n%s\n", ((char *)msg) + 1); } skip_bits(bitbuf, 2); From 0140f11c3bad6f9532e8f0f3c858d08a948bb6b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Nov 2014 01:55:40 +0100 Subject: [PATCH 290/492] avcodec/h264_slice: Clear table pointers to avoid stale pointers Might fix Ticket3889 Signed-off-by: Michael Niedermayer (cherry picked from commit 547fce95858ef83f8c25ae347e3ae3b8ba437fd9) Conflicts: libavcodec/h264_slice.c Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 5e92b30a4c..5be363a5e1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1690,6 +1690,17 @@ static int decode_update_thread_context(AVCodecContext *dst, h->mb_type_pool = NULL; h->ref_index_pool = NULL; h->motion_val_pool = NULL; + h->intra4x4_pred_mode= NULL; + h->non_zero_count = NULL; + h->slice_table_base = NULL; + h->slice_table = NULL; + h->cbp_table = NULL; + h->chroma_pred_mode_table = NULL; + memset(h->mvd_table, 0, sizeof(h->mvd_table)); + h->direct_table = NULL; + h->list_counts = NULL; + h->mb2b_xy = NULL; + h->mb2br_xy = NULL; if (h1->context_initialized) { h->context_initialized = 0; From 2389309d4836b7f0ba7f2e50fda1943bfa945e53 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 30 Oct 2014 00:27:04 +0100 Subject: [PATCH 291/492] lavc/utils: Make pix_fmt desc pointer const. Fixes an "initialization discards qualifiers from pointer target type" warning. (cherry picked from commit f05855414ed4cce97c06ba2a31f4987af47e6d4e) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 8e421e7073..5326f19f04 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -196,7 +196,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int i; int w_align = 1; int h_align = 1; - AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(s->pix_fmt); + AVPixFmtDescriptor const *desc = av_pix_fmt_desc_get(s->pix_fmt); if (desc) { w_align = 1 << desc->log2_chroma_w; From 05e5d785fa6ac1d8a706d04bd7352f87d496c971 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Nov 2014 13:20:24 +0100 Subject: [PATCH 292/492] avcodec/options_table fix min of audio channels and sample rate Found-by: Lukasz Marek Signed-off-by: Michael Niedermayer (cherry picked from commit 206c98f303e833c9e94427c9e3f9867f85265f78) Signed-off-by: Michael Niedermayer --- libavcodec/options_table.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/options_table.h b/libavcodec/options_table.h index 3461a6f4f5..84463a0ca9 100644 --- a/libavcodec/options_table.h +++ b/libavcodec/options_table.h @@ -92,8 +92,8 @@ static const AVOption options[]={ {"extradata_size", NULL, OFFSET(extradata_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, {"time_base", NULL, OFFSET(time_base), AV_OPT_TYPE_RATIONAL, {.dbl = 0}, INT_MIN, INT_MAX}, {"g", "set the group of picture (GOP) size", OFFSET(gop_size), AV_OPT_TYPE_INT, {.i64 = 12 }, INT_MIN, INT_MAX, V|E}, -{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E}, -{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E}, +{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, +{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, {"cutoff", "set cutoff bandwidth", OFFSET(cutoff), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E}, {"frame_size", NULL, OFFSET(frame_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E}, {"frame_number", NULL, OFFSET(frame_number), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, From f8675743c40a468359207903c7b2ec6bc2b4fcbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Nov 2014 19:44:20 +0100 Subject: [PATCH 293/492] avcodec/utvideodec: fix assumtation that slice_height >= 1 Fixes out of array read Fixes: asan_heap-oob_2573085_3783_utvideo_rgba_median.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7656c4c6e66f8a787d384f027ad824cc1677fda1) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 241431cc31..acc20bf541 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -222,7 +222,7 @@ static void restore_median(uint8_t *src, int step, int stride, A = bsrc[i]; } bsrc += stride; - if (slice_height == 1) + if (slice_height <= 1) continue; // second line - first element has top prediction, the rest uses median C = bsrc[-stride]; @@ -282,7 +282,7 @@ static void restore_median_il(uint8_t *src, int step, int stride, A = bsrc[stride + i]; } bsrc += stride2; - if (slice_height == 1) + if (slice_height <= 1) continue; // second line - first element has top prediction, the rest uses median C = bsrc[-stride2]; From 0baeb59307e68db8c1cfc672093802b46c6ee84f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Nov 2014 23:07:50 +0100 Subject: [PATCH 294/492] avcodec/wmaprodec: Fix integer overflow in sfb_offsets initialization Fixes out of array read Fixes: asan_heap-oob_2aec5b0_1828_classical_22_16_2_16000_v3c_0_exclusive_0_29.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5dcb99033df16eccc4dbbc4a099ad64457f9f090) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index ca57f64cda..000659dc7a 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -420,6 +420,9 @@ static av_cold int decode_init(AVCodecContext *avctx) offset &= ~3; if (offset > s->sfb_offsets[i][band - 1]) s->sfb_offsets[i][band++] = offset; + + if (offset >= subframe_len) + break; } s->sfb_offsets[i][band - 1] = subframe_len; s->num_sfb[i] = band - 1; From 3d91569c5e39f4062393fdb40b038e31df38473a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 14 Nov 2014 19:35:38 +0100 Subject: [PATCH 295/492] update for 2.0.6 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index e01025862f..157e54f3e4 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.0.5 +2.0.6 diff --git a/VERSION b/VERSION index e01025862f..157e54f3e4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.0.5 +2.0.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0fcf7b0195..04340e3491 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.0.5 +PROJECT_NUMBER = 2.0.6 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 8a35f24ca94375a4855deefee9ea8c3b7a5908dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sat, 20 Dec 2014 00:17:43 +0100 Subject: [PATCH 296/492] avformat/rsd: make tag_buf string larger av_get_codec_tag_string() uses more that 1 char for unprintable characters. (cherry picked from commit edbbb11488e1fce9b9703535936d2e1731e2e318) --- libavformat/rsd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index 5b53cef9c0..ef7c0cb63c 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -67,7 +67,7 @@ static int rsd_read_header(AVFormatContext *s) codec->codec_tag = avio_rl32(pb); codec->codec_id = ff_codec_get_id(rsd_tags, codec->codec_tag); if (!codec->codec_id) { - char tag_buf[5]; + char tag_buf[32]; av_get_codec_tag_string(tag_buf, sizeof(tag_buf), codec->codec_tag); for (i=0; i < FF_ARRAY_ELEMS(rsd_unsupported_tags); i++) { From ac81fbba74155a595281d7401e79b95ed1d767aa Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 25 Feb 2015 15:07:18 +0100 Subject: [PATCH 297/492] lavfi/fade: Do not overread input buffer. (cherry picked from commit ab3ff19f08b7a83e320c39ab066f289c242b8030) --- libavfilter/vf_fade.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_fade.c b/libavfilter/vf_fade.c index 6c9b2252a0..54b2d89c4d 100644 --- a/libavfilter/vf_fade.c +++ b/libavfilter/vf_fade.c @@ -126,7 +126,9 @@ static int config_props(AVFilterLink *inlink) s->hsub = pixdesc->log2_chroma_w; s->vsub = pixdesc->log2_chroma_h; - s->bpp = av_get_bits_per_pixel(pixdesc) >> 3; + s->bpp = pixdesc->flags & AV_PIX_FMT_FLAG_PLANAR ? + 1 : + av_get_bits_per_pixel(pixdesc) >> 3; s->alpha &= !!(pixdesc->flags & AV_PIX_FMT_FLAG_ALPHA); s->is_packed_rgb = ff_fill_rgba_map(s->rgba_map, inlink->format) >= 0; From 3190acae6fd2c2dbf7c703b607cefe17286d013c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Nov 2014 04:02:56 +0100 Subject: [PATCH 298/492] avformat/hlsenc: Free context after hls_append_segment Fixes reading uninitialized memory Signed-off-by: Michael Niedermayer (cherry picked from commit 530eb6acf8ee867bf00728bf7efaf505da107e17) Conflicts: libavformat/hlsenc.c (cherry picked from commit 0ac22f043bee2f1c4daf5e1044b014326325d929) Conflicts: libavformat/hlsenc.c (cherry picked from commit 134d3e1c0331462ea94c78a5e13a63b20d283653) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index af04d09d2f..e080051270 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -306,9 +306,10 @@ static int hls_write_trailer(struct AVFormatContext *s) av_write_trailer(oc); avio_closep(&oc->pb); - avformat_free_context(oc); av_free(hls->basename); append_entry(hls, hls->duration); + avformat_free_context(oc); + hls->avf = NULL; hls_window(s, 1); free_entries(hls); From ff6ee4571ceb16e728b4facbc49509840f49b74b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Nov 2014 00:43:45 +0100 Subject: [PATCH 299/492] swscale/x86/rgb2rgb_template: handle the first 2 lines with C in rgb24toyv12_*() This avoids out of array accesses Should fix Ticket3451 Signed-off-by: Michael Niedermayer (cherry picked from commit 4388e78a0f022c8572996f9ab568a39b5f716f9d) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index d684b70d4c..004621a824 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1623,6 +1623,16 @@ static inline void RENAME(rgb24toyv12)(const uint8_t *src, uint8_t *ydst, uint8_ #define BGR2V_IDX "16*4+16*34" int y; const x86_reg chromWidth= width>>1; + + if (height > 2) { + ff_rgb24toyv12_c(src, ydst, udst, vdst, width, 2, lumStride, chromStride, srcStride, rgb2yuv); + src += 2*srcStride; + ydst += 2*lumStride; + udst += chromStride; + vdst += chromStride; + height -= 2; + } + for (y=0; y Date: Tue, 25 Nov 2014 13:53:06 +0100 Subject: [PATCH 300/492] avcodec/mjpegdec: Fix context fields becoming inconsistent Fixes out of array access Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 895577421e..44894b8d45 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1448,6 +1448,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } if (id == AV_RB32("LJIF")) { + int rgb = s->rgb; + int pegasus_rct = s->pegasus_rct; if (s->avctx->debug & FF_DEBUG_PICT_INFO) av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n"); @@ -1457,17 +1459,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) skip_bits(&s->gb, 16); /* unknown always 0? */ switch (get_bits(&s->gb, 8)) { case 1: - s->rgb = 1; - s->pegasus_rct = 0; + rgb = 1; + pegasus_rct = 0; break; case 2: - s->rgb = 1; - s->pegasus_rct = 1; + rgb = 1; + pegasus_rct = 1; break; default: av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace\n"); } + len -= 9; + if (s->got_picture) + if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { + av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); + goto out; + } + + s->rgb = rgb; + s->pegasus_rct = pegasus_rct; + goto out; } From 42b0ef9056e7b47b5931e6f3f7313a830c160086 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Nov 2014 14:45:30 +0100 Subject: [PATCH 301/492] avcodec/utils: Check that the data is complete in avpriv_bprint_to_extradata() Fixes out of array read Fixes: asan_heap-oob_4d2250_814_cov_2745172097_JACOsub_capability_tester.jss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5d95db3f5d8e2093e9e19d0c46e86f54ed2a5d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 5326f19f04..56258ebd22 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3215,6 +3215,11 @@ int avpriv_bprint_to_extradata(AVCodecContext *avctx, struct AVBPrint *buf) ret = av_bprint_finalize(buf, &str); if (ret < 0) return ret; + if (!av_bprint_is_complete(buf)) { + av_free(str); + return AVERROR(ENOMEM); + } + avctx->extradata = str; /* Note: the string is NUL terminated (so extradata can be read as a * string), but the ending character is not accounted in the size (in From 71ad971244a75ff6ea633003b8482f816ca1d160 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 03:29:03 +0100 Subject: [PATCH 302/492] avcodec/flacdec: Call ff_flacdsp_init() unconditionally Fixes out of array access Fixes: signal_sigsegv_324b135_3398_cov_246853371_short.flac Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e5c01ccdf5a9a330d4c51a9b9ea721fd8f1fb70b) Conflicts: libavcodec/flacdec.c --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index c5847e3cfc..e62590af48 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -465,10 +465,10 @@ static int decode_frame(FLACContext *s) ret = allocate_buffers(s); if (ret < 0) return ret; - ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps); s->got_streaminfo = 1; dump_headers(s->avctx, (FLACStreaminfo *)s); } + ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps); // dump_headers(s->avctx, (FLACStreaminfo *)s); From a0f1da9baab02f7452248d3e5bb9f7924523d8c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 15:45:47 +0100 Subject: [PATCH 303/492] avcodec/pngdec: Check IHDR/IDAT order Fixes out of array access Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79ceaf827be0b070675d4cd0a55c3386542defd8) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index c4fc422ccf..fd2328c331 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -555,6 +555,12 @@ static int decode_frame(AVCodecContext *avctx, case MKTAG('I', 'H', 'D', 'R'): if (length != 13) goto fail; + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "IHDR after IDAT\n"); + goto fail; + } + s->width = bytestream2_get_be32(&s->gb); s->height = bytestream2_get_be32(&s->gb); if (av_image_check_size(s->width, s->height, 0, avctx)) { From eeff4bdbb86800f791d2033fdc4cb1eb0478dd44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 18:56:39 +0100 Subject: [PATCH 304/492] avcodec/rawdec: Check the return code of avpicture_get_size() Fixes out of array access Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1d3a3b9f8907625b361420d48fe05716859620ff) Conflicts: libavcodec/rawdec.c --- libavcodec/rawdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 54ed52df0f..54d52e0a89 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -144,6 +144,9 @@ static av_cold int raw_init_decoder(AVCodecContext *avctx) context->frame_size = avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height); } + if (context->frame_size < 0) + return context->frame_size; + if ((avctx->extradata_size >= 9 && !memcmp(avctx->extradata + avctx->extradata_size - 9, "BottomUp", 9)) || From 0c50e41d63f0e3a5580a6ded4cb7ff8d28538dc5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Dec 2014 13:23:24 +0100 Subject: [PATCH 305/492] avcodec/motion_est: use 2x8x8 for interlaced qpel Fixes out of array read Fixes Ticket4121 Signed-off-by: Michael Niedermayer (cherry picked from commit b50e003e1cb6a215df44ffa3354603bf600b4aa3) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index f4d217bf30..02aeb2ef90 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -189,7 +189,13 @@ static av_always_inline int cmp_inline(MpegEncContext *s, const int x, const int int uvdxy; /* no, it might not be used uninitialized */ if(dxy){ if(qpel){ - c->qpel_put[size][dxy](c->temp, ref[0] + x + y*stride, stride); //FIXME prototype (add h) + if (h << size == 16) { + c->qpel_put[size][dxy](c->temp, ref[0] + x + y*stride, stride); //FIXME prototype (add h) + } else if (size == 0 && h == 8) { + c->qpel_put[1][dxy](c->temp , ref[0] + x + y*stride , stride); + c->qpel_put[1][dxy](c->temp + 8, ref[0] + x + y*stride + 8, stride); + } else + av_assert2(0); if(chroma){ int cx= hx/2; int cy= hy/2; From f43127a51602aec8fdcd7fe4b56f5aab77a9e1df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:01:18 +0100 Subject: [PATCH 306/492] avformat/rmdec: Check codec_data_size Fixes infinite loop Fixes Ticket4154 Signed-off-by: Michael Niedermayer (cherry picked from commit a6f730730b82645a9d31aad0968487cb77d6946c) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 2c4ed49c12..5a8c6dc160 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -309,6 +309,9 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, int64_t codec_pos; int ret; + if (codec_data_size < 0) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); From a0976c15e69459438fa8796df435b8cda8bacb59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:21:56 +0100 Subject: [PATCH 307/492] swscale/x86/rgb2rgb_template: fix crash with tiny size and nv12 output Fixes Ticket4151 Signed-off-by: Michael Niedermayer (cherry picked from commit 8524558858b7e14bc50afa10233e0194f591ab9d) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 004621a824..80e5670465 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1874,6 +1874,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; + if (width >= 16) #if COMPILE_TEMPLATE_SSE2 __asm__( "xor %%"REG_a", %%"REG_a" \n\t" From b9ab59a82907eb557a2323b968708b57539861d5 Mon Sep 17 00:00:00 2001 From: wm4 Date: Sat, 6 Dec 2014 16:53:30 +0100 Subject: [PATCH 308/492] avformat/matroskadec: fix handling of recursive SeekHead elements When matroska_execute_seekhead() is called, it goes through the list of seekhead entries and attempts to read elements not read yet. When doing this, the parser can find further SeekHead elements, and will extend the matroska->seekhead list. This can lead to a (practically) infinite loop with certain broken files. (Maybe it can happen even with valid files. The demuxer doesn't seem to check correctly whether an element has already been read.) Fix this by ignoring elements that were added to the seekhead field during executing seekhead entries. This does not fix the possible situation when multiple SeekHead elements after the file header (i.e. occur after the "before_pos" file position) point to the same elements. These elements will probably be parsed multiple times, likely leading to bugs. Fixes ticket #4162. Signed-off-by: Michael Niedermayer (cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 17726404a0..7368a9b030 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1384,13 +1384,17 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) EbmlList *seekhead_list = &matroska->seekhead; int64_t before_pos = avio_tell(matroska->ctx->pb); int i; + int nb_elem; // we should not do any seeking in the streaming case if (!matroska->ctx->pb->seekable || (matroska->ctx->flags & AVFMT_FLAG_IGNIDX)) return; - for (i = 0; i < seekhead_list->nb_elem; i++) { + // do not read entries that are added while parsing seekhead entries + nb_elem = seekhead_list->nb_elem; + + for (i = 0; i < nb_elem; i++) { MatroskaSeekhead *seekhead = seekhead_list->elem; if (seekhead[i].pos <= before_pos) continue; From 32d24c8c05a9e12bc71412831b2a430b7e3f66e2 Mon Sep 17 00:00:00 2001 From: Rob Sykes Date: Sat, 13 Dec 2014 21:12:56 +0100 Subject: [PATCH 309/492] swresample/soxr_resample: fix error handling Fixes CID1257659 Signed-off-by: Michael Niedermayer (cherry picked from commit 4b6f2253741f3023928e61ae5105ccd4b1c515fb) Signed-off-by: Michael Niedermayer --- libswresample/soxr_resample.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libswresample/soxr_resample.c b/libswresample/soxr_resample.c index 4c000db0ca..7467f8d5cc 100644 --- a/libswresample/soxr_resample.c +++ b/libswresample/soxr_resample.c @@ -76,8 +76,12 @@ static int process( AudioData *src, int src_size, int *consumed){ size_t idone, odone; soxr_error_t error = soxr_set_error((soxr_t)c, soxr_set_num_channels((soxr_t)c, src->ch_count)); - error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, - &idone, dst->ch, (size_t)dst_size, &odone); + if (!error) + error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, + &idone, dst->ch, (size_t)dst_size, &odone); + else + idone = 0; + *consumed = (int)idone; return error? -1 : odone; } From 4e6706f851d388163a7cfe53529810ec8888d95d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Dec 2014 17:26:11 +0100 Subject: [PATCH 310/492] avformat/aviobuf: Check that avio_seek() target is non negative Fixes out of array access Suggested-by: Andrew Scherkus Signed-off-by: Michael Niedermayer (cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 93a187b4aa..4c29baf5a7 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -217,6 +217,9 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) return offset1; offset += offset1; } + if (offset < 0) + return AVERROR(EINVAL); + offset1 = offset - pos; if (!s->must_flush && (!s->direct || !s->seek) && offset1 >= 0 && offset1 <= (s->buf_end - s->buffer)) { From a54aaa822ae7aefd3efb983c186a55c304222a18 Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 15 Dec 2014 04:32:58 +0100 Subject: [PATCH 311/492] lavu/frame: fix malloc error path in av_frame_copy_props() The error path frees all side data, but forgets to reset the side data count. This can blow up later in av_frame_unref() and free_side_data(). Signed-off-by: Michael Niedermayer (cherry picked from commit a400edbb6d00c0211de38e4f1b4f593681db91d8) Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/frame.c b/libavutil/frame.c index 7584ae3587..f16b72f07e 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -472,6 +472,7 @@ int av_frame_copy_props(AVFrame *dst, const AVFrame *src) av_dict_free(&dst->side_data[i]->metadata); } av_freep(&dst->side_data); + dst->nb_side_data = 0; return AVERROR(ENOMEM); } memcpy(sd_dst->data, sd_src->data, sd_src->size); From 47b82e51be67497502df6c42a3a7651aea5703b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Dec 2014 04:32:23 +0100 Subject: [PATCH 312/492] configure: create the tests directory like the doc directory This fixes an issue where the tests directory is not created for out of tree builds before its needed Tested-by: Dave Yeo Signed-off-by: Michael Niedermayer (cherry picked from commit e631872f13b6be0583603d45a11e53319754bc8d) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 5ed0ddcf44..310da55da4 100755 --- a/configure +++ b/configure @@ -4780,6 +4780,7 @@ enabled getenv || echo "#define getenv(x) NULL" >> $TMPH mkdir -p doc +mkdir -p tests echo "@c auto-generated by configure" > doc/config.texi print_config ARCH_ "$config_files" $ARCH_LIST From 87af5b3877a398885389c5aa0345978ce8e6c72e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 16:24:55 +0100 Subject: [PATCH 313/492] avcodec/vmdvideo: Check len before using it in method 3 Fixes out of array access Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd) Signed-off-by: Michael Niedermayer --- libavcodec/vmdav.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index fcb8a9b026..1b506e14a7 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -348,6 +348,9 @@ static int vmd_decode(VmdVideoContext *s, AVFrame *frame) ofs += slen; bytestream2_skip(&gb, len); } else { + if (ofs + len > frame_width || + bytestream2_get_bytes_left(&gb) < len) + return AVERROR_INVALIDDATA; bytestream2_get_buffer(&gb, &dp[ofs], len); ofs += len; } From 9a15f326828c7fba847be401248a087ccb6ad0c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 20:45:31 +0100 Subject: [PATCH 314/492] avcodec/utvideodec: Fix handling of slice_height=0 Fixes out of array accesses Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3881606240953b9275a247a1c98a567f3c44890f) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index acc20bf541..2a88ad19c2 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -212,6 +212,8 @@ static void restore_median(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride; // first line - left neighbour prediction @@ -267,6 +269,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride; From 22f8dfafa86b48153492daa0259cec5441f1e5ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 21:14:40 +0100 Subject: [PATCH 315/492] avformat/mov: check atom nesting depth Fixes call stack overflow Fixes: case1_call_stack_overflow.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit caa7a3914f499f74b3ee346f26d598ebdc0ec210) Conflicts: libavformat/isom.h Conflicts: libavformat/isom.h --- libavformat/isom.h | 1 + libavformat/mov.c | 13 ++++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index b0fa453de6..7d4a25c85c 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -164,6 +164,7 @@ typedef struct MOVContext { int64_t next_root_atom; ///< offset of the next root atom int *bitrates; ///< bitrates read before streams creation int bitrates_count; + int atom_depth; } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); diff --git a/libavformat/mov.c b/libavformat/mov.c index b668c8276a..3a8282cc56 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2893,6 +2893,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVAtom a; int i; + if (c->atom_depth > 10) { + av_log(c->fc, AV_LOG_ERROR, "Atoms too deeply nested\n"); + return AVERROR_INVALIDDATA; + } + c->atom_depth ++; + if (atom.size < 0) atom.size = INT64_MAX; while (total_size + 8 <= atom.size && !url_feof(pb)) { @@ -2909,6 +2915,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) { av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n"); avio_skip(pb, -8); + c->atom_depth --; return 0; } } @@ -2945,13 +2952,16 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) int64_t start_pos = avio_tell(pb); int64_t left; int err = parse(c, pb, a); - if (err < 0) + if (err < 0) { + c->atom_depth --; return err; + } if (c->found_moov && c->found_mdat && ((!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) || start_pos + a.size == avio_size(pb))) { if (!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) c->next_root_atom = start_pos + a.size; + c->atom_depth --; return 0; } left = a.size - avio_tell(pb) + start_pos; @@ -2969,6 +2979,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (total_size < atom.size && atom.size < 0x7ffff) avio_skip(pb, atom.size - total_size); + c->atom_depth --; return 0; } From 8b130c4aab8590a5ee08e72db46a63312832cc99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 22:21:21 +0100 Subject: [PATCH 316/492] swscale: increase yuv2rgb table headroom Fixes out of array access Fixes: case2_bad_read_yuv2rgbx32.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 2241ba5235..f4aea9d9bc 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -37,7 +37,7 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long -#define YUVRGB_TABLE_HEADROOM 128 +#define YUVRGB_TABLE_HEADROOM 256 #define MAX_FILTER_SIZE 256 From 587cd92bd729902fc6f0753a0e4c88fe385101ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 01:31:48 +0100 Subject: [PATCH 317/492] avcodec/h264: make the first field of H264Context an AVClass Fixes use of freed memory Fixes: asan_heap-uaf_3660f67_757_cov_1257014655_Hi422FR1_SONY_A.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f3b5b139ad853b6f69c6a0b036815a60e7b3f261) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 5ea00bef9d..a137f99225 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -258,6 +258,7 @@ typedef struct MMCO { * H264Context */ typedef struct H264Context { + AVClass *av_class; AVCodecContext *avctx; VideoDSPContext vdsp; H264DSPContext h264dsp; From 53dc6f66430e516f5a2bdeee034d1cdb6ca7e316 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 03:14:21 +0100 Subject: [PATCH 318/492] avcodec/indeo3: use signed variables to avoid underflow Fixes out of array read Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 7959f91b4f..700607aff2 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -94,7 +94,7 @@ typedef struct Indeo3DecodeContext { int16_t width, height; uint32_t frame_num; ///< current frame number (zero-based) - uint32_t data_size; ///< size of the frame data in bytes + int data_size; ///< size of the frame data in bytes uint16_t frame_flags; ///< frame properties uint8_t cb_offset; ///< needed for selecting VQ tables uint8_t buf_sel; ///< active frame buffer: 0 - primary, 1 -secondary @@ -899,7 +899,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, GetByteContext gb; const uint8_t *bs_hdr; uint32_t frame_num, word2, check_sum, data_size; - uint32_t y_offset, u_offset, v_offset, starts[3], ends[3]; + int y_offset, u_offset, v_offset; + uint32_t starts[3], ends[3]; uint16_t height, width; int i, j; From ae19e19678a15df311f4c1fd8d2054134e6a6ef3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 21:27:37 +0100 Subject: [PATCH 319/492] avcodec/h264: Clear delayed_pic on deallocation Fixes use of freed memory Fixes: case5_av_frame_copy_props.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit e8714f6f93d1a32f4e4655209960afcf4c185214) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 5be363a5e1..5f488b7745 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1131,6 +1131,7 @@ static void free_tables(H264Context *h, int free_rbsp) av_buffer_pool_uninit(&h->ref_index_pool); if (free_rbsp && h->DPB) { + memset(h->delayed_pic, 0, sizeof(h->delayed_pic)); for (i = 0; i < MAX_PICTURE_COUNT; i++) unref_picture(h, &h->DPB[i]); av_freep(&h->DPB); From 1fa9b7feb66d952355ad4a27374c5a5b6532918b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 03:16:39 +0100 Subject: [PATCH 320/492] avcodec/h264: Check *log2_weight_denom Fixes undefined behavior Fixes: signal_sigsegv_14768d2_2248_cov_3629497219_h264_h264___pi_20070614T182942.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 61296d41e2de3b41304339e4631dd44c2e15f805) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 5f488b7745..fa47542683 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2517,6 +2517,16 @@ static int pred_weight_table(H264Context *h) h->luma_log2_weight_denom = get_ue_golomb(&h->gb); if (h->sps.chroma_format_idc) h->chroma_log2_weight_denom = get_ue_golomb(&h->gb); + + if (h->luma_log2_weight_denom > 7U) { + av_log(h->avctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", h->luma_log2_weight_denom); + h->luma_log2_weight_denom = 0; + } + if (h->chroma_log2_weight_denom > 7U) { + av_log(h->avctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", h->chroma_log2_weight_denom); + h->chroma_log2_weight_denom = 0; + } + luma_def = 1 << h->luma_log2_weight_denom; chroma_def = 1 << h->chroma_log2_weight_denom; From 932e5c374a252fa73270ec66925c1ff8f640a43c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 18:57:27 +0100 Subject: [PATCH 321/492] avcodec/indeo3: ensure offsets are non negative Signed-off-by: Michael Niedermayer (cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 700607aff2..f159d312c6 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -981,7 +981,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->y_data_size = ends[0] - starts[0]; ctx->v_data_size = ends[1] - starts[1]; ctx->u_data_size = ends[2] - starts[2]; - if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || + if (FFMIN3(y_offset, v_offset, u_offset) < 0 || + FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 || FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) { av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n"); From ca39fbe14da397bb3ce065c37c238eb9e9978e94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 18:16:15 +0100 Subject: [PATCH 322/492] avformat/mov: Fix memleaks for duplicate STCO/CO64/STSC atoms Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations which contains more fixes but is unfinished Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1b5d11240692025f036e945bc37968735679320a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3a8282cc56..fd9f556fb1 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1177,6 +1177,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (entries >= UINT_MAX/sizeof(int64_t)) return AVERROR_INVALIDDATA; + if (sc->chunk_offsets) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STCO atom\n"); + av_free(sc->chunk_offsets); + sc->chunk_count = 0; sc->chunk_offsets = av_malloc(entries * sizeof(int64_t)); if (!sc->chunk_offsets) return AVERROR(ENOMEM); @@ -1625,6 +1629,10 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; if (entries >= UINT_MAX / sizeof(*sc->stsc_data)) return AVERROR_INVALIDDATA; + if (sc->stsc_data) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STSC atom\n"); + av_free(sc->stsc_data); + sc->stsc_count = 0; sc->stsc_data = av_malloc(entries * sizeof(*sc->stsc_data)); if (!sc->stsc_data) return AVERROR(ENOMEM); From 43b601d36ffcdc944d9b5f16ca340f03667c9f14 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Tue, 21 Jan 2014 19:58:41 +0100 Subject: [PATCH 323/492] lavf/segment: remove duplicated and inconsistent cleanup code in seg_write_packet() In particular, avoid to leave around the seg->avf pointer to freed structure, and fix crash with: ffmpeg -f lavfi -i testsrc -c:v h264 -map 0 -f segment foo-%d.ts (cherry picked from commit 169065fbfb3da1ab776379c333aebc54bb1f1bc4) Found-by: Qinghao Tang Signed-off-by: Michael Niedermayer --- libavformat/segment.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index dbcfe898cf..29dd935fbc 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -718,12 +718,6 @@ fail: if (pkt->stream_index == seg->reference_stream_index) seg->frame_count++; - if (ret < 0) { - if (seg->list) - avio_close(seg->list_pb); - avformat_free_context(oc); - } - return ret; } From 5ba020d6481008a2a42401fb753cd9bd1482cca0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Dec 2014 21:41:46 +0100 Subject: [PATCH 324/492] avformat/cdxl: Fix integer overflow of image_size Signed-off-by: Michael Niedermayer (cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128) Signed-off-by: Michael Niedermayer --- libavformat/cdxl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index ab8a846cc5..51b9567d20 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c @@ -127,6 +127,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); + if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + return AVERROR_INVALIDDATA; image_size = FFALIGN(width, 16) * height * cdxl->header[19] / 8; video_size = palette_size + image_size; From 5426a36300f3c31e0e06db01e1c87abe26a4d320 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jan 2015 18:07:24 +0100 Subject: [PATCH 325/492] avformat/flvdec: do not inject dts=0 metadata packets which failed to be parsed into a new data stream Such data streams (which then contain no other packets except the faulty one) confuse some user applications, like VLC Works around vlcticket 12389 Signed-off-by: Michael Niedermayer (cherry picked from commit 322f0f5960a743cac47252d90a0f1ea7a025feff) Conflicts: libavformat/flvdec.c --- libavformat/flvdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 69e2bee331..d4d08aee90 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -483,13 +483,13 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) { type = avio_r8(ioc); if (type != AMF_DATA_TYPE_STRING || amf_get_string(ioc, buffer, sizeof(buffer)) < 0) - return -1; + return 2; if (!strcmp(buffer, "onTextData")) return 1; if (strcmp(buffer, "onMetaData")) - return -1; + return 2; //find the streams now so that amf_parse_object doesn't need to do the lookup every time it is called. for(i = 0; i < s->nb_streams; i++) { @@ -706,7 +706,7 @@ static int flv_read_packet(AVFormatContext *s, AVPacket *pkt) stream_type=FLV_STREAM_TYPE_DATA; if (size > 13+1+4 && dts == 0) { // Header-type metadata stuff meta_pos = avio_tell(s->pb); - if (flv_read_metabody(s, next) == 0){ + if (flv_read_metabody(s, next) <= 0){ goto skip; } avio_seek(s->pb, meta_pos, SEEK_SET); From b0369f33693dc166dd60f0003ac44280d444bcb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jan 2015 18:15:16 +0100 Subject: [PATCH 326/492] avformat/flvdec: Increase string array size Fixes parsing httphostheader of Scarlatti\,\ Pieter-Jan\ Belder\ -\ Sonata\ K113\ in\ A\ major\ -\ Alle.flv Signed-off-by: Michael Niedermayer (cherry picked from commit eb767a276bfdb9a0493bdb0b38203638230b7ccb) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index d4d08aee90..8fa7a04cfd 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -333,7 +333,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst FLVContext *flv = s->priv_data; AVIOContext *ioc; AMFDataType amf_type; - char str_val[256]; + char str_val[1024]; double num_val; num_val = 0; From 9ac17454a92b1be3362c9a5e7868fddc7a77b062 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jan 2015 01:03:26 +0100 Subject: [PATCH 327/492] avfilter/vf_sab: fix filtering tiny images Fixes out of array reads Signed-off-by: Michael Niedermayer (cherry picked from commit 9bff052b51f27f6cce04e8d7d8b405c710d7ad67) Signed-off-by: Michael Niedermayer --- libavfilter/vf_sab.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/libavfilter/vf_sab.c b/libavfilter/vf_sab.c index 1d970fa95f..67c24a9bce 100644 --- a/libavfilter/vf_sab.c +++ b/libavfilter/vf_sab.c @@ -220,6 +220,19 @@ static int config_props(AVFilterLink *inlink) #define NB_PLANES 4 +static inline int mirror(int x, int w) +{ + if (!w) + return 0; + + while ((unsigned)x > (unsigned)w) { + x = -x; + if (x < 0) + x += 2 * w; + } + return x; +} + static void blur(uint8_t *dst, const int dst_linesize, const uint8_t *src, const int src_linesize, const int w, const int h, FilterParam *fp) @@ -253,8 +266,7 @@ static void blur(uint8_t *dst, const int dst_linesize, for (dy = 0; dy < radius*2 + 1; dy++) { int dx; int iy = y+dy - radius; - if (iy < 0) iy = -iy; - else if (iy >= h) iy = h+h-iy-1; + iy = mirror(iy, h-1); for (dx = 0; dx < radius*2 + 1; dx++) { const int ix = x+dx - radius; @@ -265,13 +277,11 @@ static void blur(uint8_t *dst, const int dst_linesize, for (dy = 0; dy < radius*2+1; dy++) { int dx; int iy = y+dy - radius; - if (iy < 0) iy = -iy; - else if (iy >= h) iy = h+h-iy-1; + iy = mirror(iy, h-1); for (dx = 0; dx < radius*2 + 1; dx++) { int ix = x+dx - radius; - if (ix < 0) ix = -ix; - else if (ix >= w) ix = w+w-ix-1; + ix = mirror(ix, w-1); UPDATE_FACTOR; } } From 776c481eb902afa6f8fbb32582154b3f19feefb3 Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 5 Jan 2015 04:45:26 +0100 Subject: [PATCH 328/492] avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 19c31dc3c7..5f64eb10f0 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -98,6 +98,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; + if (start >= buf_size) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -339,10 +342,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; - decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); - decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); + if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) + goto fail; + if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) + goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (yuv_palette == 0) From da29aadeb7f2ecb5fd84be2631386a4e3838a9de Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 5 Jan 2015 16:19:09 -0800 Subject: [PATCH 329/492] mov: Avoid overflow with mov_metadata_raw() The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index fd9f556fb1..b78fa74bb4 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -278,6 +278,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); From 227a26cd404c8f9e782d43b0becb33ad980051f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 04:29:10 +0100 Subject: [PATCH 330/492] avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index b78fa74bb4..cad17fea0e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -385,7 +385,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; - if (atom.size < 0) + if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); From 3e11a186facfd4f17ce23f462734658d88899b55 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 5 Jan 2015 16:34:17 -0800 Subject: [PATCH 331/492] mov: Fix negative size calculation in mov_read_default(). The previous code assumed if an atom was marked with a 64-bit size extension, it actually had that data available. The new code verfies there's enough data in the atom for this to be done. Failure to verify causes total_size > atom.size which will result in negative size calculations later on. Found-by: Paul Mehta Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index cad17fea0e..eba27b3108 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2931,7 +2931,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) } } total_size += 8; - if (a.size == 1) { /* 64 bit extended size */ + if (a.size == 1 && total_size + 8 <= atom.size) { /* 64 bit extended size */ a.size = avio_rb64(pb) - 8; total_size += 8; } From e148369df93d48878e01f0ccc291a3304434b754 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 6 Jan 2015 09:42:59 +0000 Subject: [PATCH 332/492] lavfi: check av_strdup() return value Signed-off-by: Paul B Mahol (cherry picked from commit 145a84717b62e086cdb5f26649ad9f1b51ef38d0) Signed-off-by: Michael Niedermayer --- libavfilter/af_amix.c | 2 ++ libavfilter/af_join.c | 2 ++ libavfilter/split.c | 2 ++ libavfilter/src_movie.c | 2 ++ 4 files changed, 8 insertions(+) diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c index 8cecdafd7e..b03596163a 100644 --- a/libavfilter/af_amix.c +++ b/libavfilter/af_amix.c @@ -496,6 +496,8 @@ static av_cold int init(AVFilterContext *ctx) snprintf(name, sizeof(name), "input%d", i); pad.type = AVMEDIA_TYPE_AUDIO; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.filter_frame = filter_frame; ff_insert_inpad(ctx, i, &pad); diff --git a/libavfilter/af_join.c b/libavfilter/af_join.c index 11978bd97e..168e4e9e4a 100644 --- a/libavfilter/af_join.c +++ b/libavfilter/af_join.c @@ -218,6 +218,8 @@ static av_cold int join_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "input%d", i); pad.type = AVMEDIA_TYPE_AUDIO; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.filter_frame = filter_frame; pad.needs_fifo = 1; diff --git a/libavfilter/split.c b/libavfilter/split.c index f3fe2336af..1a6fe8a9ac 100644 --- a/libavfilter/split.c +++ b/libavfilter/split.c @@ -52,6 +52,8 @@ static av_cold int split_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "output%d", i); pad.type = ctx->filter->inputs[0].type; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); ff_insert_outpad(ctx, i, &pad); } diff --git a/libavfilter/src_movie.c b/libavfilter/src_movie.c index dfb4289f3c..ecb8ea4821 100644 --- a/libavfilter/src_movie.c +++ b/libavfilter/src_movie.c @@ -291,6 +291,8 @@ static av_cold int movie_common_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "out%d", i); pad.type = movie->st[i].st->codec->codec_type; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.config_props = movie_config_output_props; pad.request_frame = movie_request_frame; ff_insert_outpad(ctx, i, &pad); From 81a766e57a34b6a5525c731024ce304b1bf4af21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 12:48:38 +0100 Subject: [PATCH 333/492] avformat/matroskadec: Use av_freep() to avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 6e70e4aca50696040cc9256ec96e5c31d9641432) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 7368a9b030..9aa2cffdbf 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1009,7 +1009,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data) char *ptr = list->elem; for (j=0; jnb_elem; j++, ptr+=syntax[i].list_elem_size) ebml_free(syntax[i].def.n, ptr); - av_free(list->elem); + av_freep(&list->elem); } else ebml_free(syntax[i].def.n, data_off); default: break; @@ -1938,7 +1938,7 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, { if (matroska->num_packets > 0) { memcpy(pkt, matroska->packets[0], sizeof(AVPacket)); - av_free(matroska->packets[0]); + av_freep(&matroska->packets[0]); if (matroska->num_packets > 1) { void *newpackets; memmove(&matroska->packets[0], &matroska->packets[1], @@ -1968,7 +1968,7 @@ static void matroska_clear_queue(MatroskaDemuxContext *matroska) int n; for (n = 0; n < matroska->num_packets; n++) { av_free_packet(matroska->packets[n]); - av_free(matroska->packets[n]); + av_freep(&matroska->packets[n]); } av_freep(&matroska->packets); matroska->num_packets = 0; @@ -2668,7 +2668,7 @@ static int matroska_read_close(AVFormatContext *s) for (n=0; n < matroska->tracks.nb_elem; n++) if (tracks[n].type == MATROSKA_TRACK_TYPE_AUDIO) - av_free(tracks[n].audio.buf); + av_freep(&tracks[n].audio.buf); ebml_free(matroska_cluster, &matroska->current_cluster); ebml_free(matroska_segment, matroska); From 04e28b3b257f02370aeb1e4c7b0836d7ea9f21f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 19:51:38 +0100 Subject: [PATCH 334/492] avformat/mov: Fix mixed declaration and statement warning Signed-off-by: Michael Niedermayer (cherry picked from commit db27f50e0658e91758e8a17fdcf390e6bc93c1d2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index eba27b3108..681260a8b7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -278,10 +278,11 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + char *value; // Check for overflow. if (len >= INT_MAX) return AVERROR(EINVAL); - char *value = av_malloc(len + 1); + value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); avio_read(pb, value, len); From bda7aa7cb39a8098e14fda9400fd42f059b70f4d Mon Sep 17 00:00:00 2001 From: Johan Andersson Date: Sat, 3 Jan 2015 17:31:36 +0100 Subject: [PATCH 335/492] cmdutils: update copyright year to 2015. (cherry picked from commit 3e160652219ff4da433f5672ae1e5f4956abb815) Conflicts: cmdutils.c --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 40acadca71..d5fb4eb1af 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -67,7 +67,7 @@ struct SwsContext *sws_opts; AVDictionary *swr_opts; AVDictionary *format_opts, *codec_opts, *resample_opts; -const int this_year = 2014; +const int this_year = 2015; static FILE *report_file; From 59fc55b29738a6436489d1b9de112e35ad12a23d Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 7 Jan 2015 23:57:50 +0100 Subject: [PATCH 336/492] avcodec/dvdsubdec: error on bitmaps with size 0 Attemtping to decode them could lead to invalid writes with some fuzzed samples. Signed-off-by: Michael Niedermayer (cherry picked from commit bcaa9099b3648b47060e1724a97dc98b63c83702) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 5f64eb10f0..b3b1cba5bb 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -101,6 +101,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, if (start >= buf_size) return -1; + if (w <= 0 || h <= 0) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); From c2439cad51015dc34c9b2c56e779ec46acde9ae9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jan 2015 23:02:30 +0100 Subject: [PATCH 337/492] ffmpeg: Clear error message array at init. This avoids printing uninitialized bytes if no error message is set Signed-off-by: Michael Niedermayer (cherry picked from commit 6d1a2efb8ac399a003ea7d3b6f8c641d192567ee) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 2f18bc1b9b..e8d281589c 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2086,7 +2086,7 @@ static int transcode_init(void) AVCodecContext *codec; OutputStream *ost; InputStream *ist; - char error[1024]; + char error[1024] = {0}; int want_sdp = 1; /* init framerate emulation */ From 61b31c69391874d4f8dc4a82f2b9bd0fe5f2e7bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jan 2015 01:56:03 +0100 Subject: [PATCH 338/492] avcodec/flac_parser: fix handling EOF if no headers are found Fixes assertion failure Fixes Ticket4269 Signed-off-by: Michael Niedermayer (cherry picked from commit c4d85fc23c100f7a27d9bad710eb153214868e27) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 69c2965f65..925d64258c 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -682,7 +682,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, handle_error: *poutbuf = NULL; *poutbuf_size = 0; - return read_end - buf; + return buf_size ? read_end - buf : 0; } static av_cold int flac_parse_init(AVCodecParserContext *c) From 3d5c48937bebaafdd2ff855393632351321f0276 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 17 Dec 2014 16:02:07 +0100 Subject: [PATCH 339/492] swscale: check memory allocations Bug-Id: CID 1257779 (cherry picked from commit 1dd797e3c9f179f957316a0becbec048b42df8aa) Signed-off-by: Michael Niedermayer --- libswscale/yuv2rgb.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 6d542937bc..36a127baf5 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -782,9 +782,13 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], av_free(c->yuvTable); +#define ALLOC_YUV_TABLE(x) \ + c->yuvTable = av_malloc(x); \ + if (!c->yuvTable) \ + return AVERROR(ENOMEM); switch (bpp) { case 1: - c->yuvTable = av_malloc(1024); + ALLOC_YUV_TABLE(1024); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 110; i++) { @@ -799,7 +803,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 3 : 0; gbase = 1; bbase = isRgb ? 0 : 3; - c->yuvTable = av_malloc(1024 * 3); + ALLOC_YUV_TABLE(1024 * 3); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 110; i++) { @@ -818,7 +822,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 5 : 0; gbase = isRgb ? 2 : 3; bbase = isRgb ? 0 : 6; - c->yuvTable = av_malloc(1024 * 3); + ALLOC_YUV_TABLE(1024 * 3); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 38; i++) { @@ -837,7 +841,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 8 : 0; gbase = 4; bbase = isRgb ? 0 : 8; - c->yuvTable = av_malloc(1024 * 3 * 2); + ALLOC_YUV_TABLE(1024 * 3 * 2); y_table16 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -860,7 +864,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? bpp - 5 : 0; gbase = 5; bbase = isRgb ? 0 : (bpp - 5); - c->yuvTable = av_malloc(1024 * 3 * 2); + ALLOC_YUV_TABLE(1024 * 3 * 2); y_table16 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -880,7 +884,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], break; case 24: case 48: - c->yuvTable = av_malloc(1024); + ALLOC_YUV_TABLE(1024); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -902,7 +906,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], needAlpha = CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat); if (!needAlpha) abase = (base + 24) & 31; - c->yuvTable = av_malloc(1024 * 3 * 4); + ALLOC_YUV_TABLE(1024 * 3 * 4); y_table32 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { From 2324c670763ce3b78c87ee3e74a52fd681388885 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Dec 2014 00:18:29 +0100 Subject: [PATCH 340/492] avformat/rmdec: Check for overflow in ff_rm_read_mdpr_codecdata() Signed-off-by: Michael Niedermayer (cherry picked from commit 03abf55f252945c70f4a79eaf4d609cee4d98710) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 5a8c6dc160..d178909fcb 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -389,7 +389,11 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, skip: /* skip codec info */ size = avio_tell(pb) - codec_pos; - avio_skip(pb, codec_data_size - size); + if (codec_data_size >= size) { + avio_skip(pb, codec_data_size - size); + } else { + av_log(s, AV_LOG_WARNING, "codec_data_size %u < size %d\n", codec_data_size, size); + } return 0; } From 1a8f5c9e2dbd276d9106a8116e08df40b9e1a538 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:19:25 +0100 Subject: [PATCH 341/492] avformat/utils: Fix number suffixes in tb_unreliable() Signed-off-by: Michael Niedermayer (cherry picked from commit 4b15bba2aec93776bfdc69a1bca42a4795a7d191) Conflicts: libavformat/utils.c (cherry picked from commit e651a2f88c219e74c9851563e74100f7652a6005) --- libavformat/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 4cb0adfdfe..9309b91cee 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2623,8 +2623,8 @@ static int get_std_framerate(int i){ * And there are "variable" fps files this needs to detect as well. */ static int tb_unreliable(AVCodecContext *c){ - if( c->time_base.den >= 101L*c->time_base.num - || c->time_base.den < 5L*c->time_base.num + if( c->time_base.den >= 101LL*c->time_base.num + || c->time_base.den < 5LL*c->time_base.num /* || c->codec_tag == AV_RL32("DIVX") || c->codec_tag == AV_RL32("XVID")*/ || c->codec_tag == AV_RL32("mp4v") From c21604b5e72d8481d24853332bc5b04b904c474d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:27:00 +0100 Subject: [PATCH 342/492] swresample/dither: Cleanup number suffixes The <<31 case needs LL Signed-off-by: Michael Niedermayer (cherry picked from commit c77cc2c1766666cdb5f14daee0f75e397bf7a194) Signed-off-by: Michael Niedermayer --- libswresample/dither.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswresample/dither.c b/libswresample/dither.c index b8b592a7ce..8121f11c2f 100644 --- a/libswresample/dither.c +++ b/libswresample/dither.c @@ -84,14 +84,14 @@ int swri_dither_init(SwrContext *s, enum AVSampleFormat out_fmt, enum AVSampleFo in_fmt = av_get_packed_sample_fmt( in_fmt); if(in_fmt == AV_SAMPLE_FMT_FLT || in_fmt == AV_SAMPLE_FMT_DBL){ - if(out_fmt == AV_SAMPLE_FMT_S32) scale = 1.0/(1L<<31); - if(out_fmt == AV_SAMPLE_FMT_S16) scale = 1.0/(1L<<15); - if(out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1.0/(1L<< 7); + if(out_fmt == AV_SAMPLE_FMT_S32) scale = 1.0/(1LL<<31); + if(out_fmt == AV_SAMPLE_FMT_S16) scale = 1.0/(1LL<<15); + if(out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1.0/(1LL<< 7); } if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S32 && (s->dither.output_sample_bits&31)) scale = 1; - if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S16) scale = 1L<<16; - if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1L<<24; - if(in_fmt == AV_SAMPLE_FMT_S16 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1L<<8; + if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S16) scale = 1<<16; + if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1<<24; + if(in_fmt == AV_SAMPLE_FMT_S16 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1<<8; scale *= s->dither.scale; From 5c36d0e1cdb861df3958b05133d917e3b81a9d6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:34:52 +0100 Subject: [PATCH 343/492] avformat/matroskadec: Fix number suffixes Signed-off-by: Michael Niedermayer (cherry picked from commit fc3cdb00d084222a107e61e7168903bf3d3d0b47) Conflicts: libavformat/matroskadec.c (cherry picked from commit 201d626bb90ea3ca22f0168b8e2085bbd16ac984) --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 9aa2cffdbf..6e765d9d1a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1833,7 +1833,7 @@ static int matroska_read_header(AVFormatContext *s) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, 1000000000, track->default_duration, 30000); #if FF_API_R_FRAME_RATE - if (st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L) + if (st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL) st->r_frame_rate = st->avg_frame_rate; #endif } From 6e4e32e7590c0b4fabd4248a54c30a9898ed530a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:36:13 +0100 Subject: [PATCH 344/492] avformat/smacker: Fix number suffix Signed-off-by: Michael Niedermayer (cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index b4c1bf4335..73b49edd21 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -310,7 +310,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) uint8_t *tmpbuf; size = avio_rl32(s->pb) - 4; - if (!size || size + 4L > frame_size) { + if (!size || size + 4LL > frame_size) { av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); return AVERROR_INVALIDDATA; } From 89e08520fc611b55f3ab6f513c29fa06103dffff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:39:22 +0100 Subject: [PATCH 345/492] avcodec/h264_cabac: use int instead of long for mbb_xy The mb address fits in int Signed-off-by: Michael Niedermayer (cherry picked from commit 592ba6ec106206f97133c9345313010c76361e12) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 60048e0112..a35dca94dd 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1278,7 +1278,7 @@ void ff_h264_init_cabac_states(H264Context *h) { } static int decode_cabac_field_decoding_flag(H264Context *h) { - const long mbb_xy = h->mb_xy - 2L*h->mb_stride; + const int mbb_xy = h->mb_xy - 2*h->mb_stride; unsigned long ctx = 0; From 904f75d3c46ba4359aecdf77a206a194882b9810 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:40:13 +0100 Subject: [PATCH 346/492] avcodec/mpegvideo_enc: Fix number suffixes in rc_buffer_size calculation Signed-off-by: Michael Niedermayer (cherry picked from commit 4531e2c489d279bfc90d54ca26ed898c5b265a7f) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index cce5991fe4..85830d9f3a 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -364,18 +364,18 @@ av_cold int ff_MPV_encode_init(AVCodecContext *avctx) switch(avctx->codec_id) { case AV_CODEC_ID_MPEG1VIDEO: case AV_CODEC_ID_MPEG2VIDEO: - avctx->rc_buffer_size = FFMAX(avctx->rc_max_rate, 15000000) * 112L / 15000000 * 16384; + avctx->rc_buffer_size = FFMAX(avctx->rc_max_rate, 15000000) * 112LL / 15000000 * 16384; break; case AV_CODEC_ID_MPEG4: case AV_CODEC_ID_MSMPEG4V1: case AV_CODEC_ID_MSMPEG4V2: case AV_CODEC_ID_MSMPEG4V3: if (avctx->rc_max_rate >= 15000000) { - avctx->rc_buffer_size = 320 + (avctx->rc_max_rate - 15000000L) * (760-320) / (38400000 - 15000000); + avctx->rc_buffer_size = 320 + (avctx->rc_max_rate - 15000000LL) * (760-320) / (38400000 - 15000000); } else if(avctx->rc_max_rate >= 2000000) { - avctx->rc_buffer_size = 80 + (avctx->rc_max_rate - 2000000L) * (320- 80) / (15000000 - 2000000); + avctx->rc_buffer_size = 80 + (avctx->rc_max_rate - 2000000LL) * (320- 80) / (15000000 - 2000000); } else if(avctx->rc_max_rate >= 384000) { - avctx->rc_buffer_size = 40 + (avctx->rc_max_rate - 384000L) * ( 80- 40) / ( 2000000 - 384000); + avctx->rc_buffer_size = 40 + (avctx->rc_max_rate - 384000LL) * ( 80- 40) / ( 2000000 - 384000); } else avctx->rc_buffer_size = 40; avctx->rc_buffer_size *= 16384; From 64857ecd68b7aad7dc6cf4e9a26d46250315ebb0 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 14:41:10 +0100 Subject: [PATCH 347/492] avformat/tta: fix crash with corrupted files av_add_index_entry() can fail, for example because the parameters are invalid, or because memory allocation fails. Check this; it can actually happen with corrupted files. The second hunk is just for robustness. Just in case functions like ff_reduce_index() remove entries. (Not sure if this can actually happen.) Fixes ticket #4294. Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6a0cd529a35190d9374b0b26504e71857cd67b83) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index bbb6a2292c..9cfadb9356 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -122,8 +122,10 @@ static int tta_read_header(AVFormatContext *s) ffio_init_checksum(s->pb, tta_check_crc, UINT32_MAX); for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); - av_add_index_entry(st, framepos, i * c->frame_size, size, 0, - AVINDEX_KEYFRAME); + int r; + if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + AVINDEX_KEYFRAME)) < 0) + return r; framepos += size; } crc = ffio_get_checksum(s->pb) ^ UINT32_MAX; @@ -157,6 +159,11 @@ static int tta_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->currentframe >= c->totalframes) return AVERROR_EOF; + if (st->nb_index_entries < c->totalframes) { + av_log(s, AV_LOG_ERROR, "Index entry disappeared\n"); + return AVERROR_INVALIDDATA; + } + size = st->index_entries[c->currentframe].size; ret = av_get_packet(s->pb, pkt, size); From 2e6b1915cb32af835129f78856cb7e7b382338db Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:12 +0100 Subject: [PATCH 348/492] avformat/mpc8: fix hang with fuzzed file This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 73b7eb739c..c7881384d2 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -216,6 +216,10 @@ static int mpc8_read_header(AVFormatContext *s) while(!url_feof(pb)){ pos = avio_tell(pb); mpc8_get_chunk_header(pb, &tag, &size); + if (size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid chunk length\n"); + return AVERROR_INVALIDDATA; + } if(tag == TAG_STREAMHDR) break; mpc8_handle_chunk(s, tag, pos, size); From 76d18b6e095bac40b72bf79e880058efcb2aa0e4 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:11 +0100 Subject: [PATCH 349/492] avformat/mpc8: fix broken pointer math MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This could overflow and crash at least on 32 bit systems. Reviewed-by: Reimar Döffinger Signed-off-by: Michael Niedermayer (cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index c7881384d2..6aa68fcaa9 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p) size = bs_get_v(&bs); if (size < 2) return 0; - if (bs + size - 2 >= bs_end) + if (size >= bs_end - bs + 2) return AVPROBE_SCORE_EXTENSION - 1; // seems to be valid MPC but no header yet if (header_found) { if (size < 11 || size > 28) From 2acdf29838323afe93636bbb73ce01b2b9669f60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 14:47:41 +0100 Subject: [PATCH 350/492] avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior Signed-off-by: Michael Niedermayer (cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 6aa68fcaa9..1b803391fa 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -57,7 +57,7 @@ typedef struct { static inline int64_t bs_get_v(const uint8_t **bs) { - int64_t v = 0; + uint64_t v = 0; int br = 0; int c; @@ -108,7 +108,7 @@ static int mpc8_probe(AVProbeData *p) static inline int64_t gb_get_v(GetBitContext *gb) { - int64_t v = 0; + uint64_t v = 0; int bits = 0; while(get_bits1(gb) && bits < 64-7){ v <<= 7; From c6ef9ca9710a96bf42697bd446d3eb0a10da7184 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:13:18 +0100 Subject: [PATCH 351/492] avcodec/mjpegdec: Check escape sequence validity Fixes assertion failure Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 44894b8d45..e5be9b66ea 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1646,6 +1646,10 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s, put_bits(&pb, 8, x); if (x == 0xFF) { x = src[b++]; + if (x & 0x80) { + av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n"); + x &= 0x7f; + } put_bits(&pb, 7, x); bit_count--; } From fe618beccf10566e834d6a81e6e432263331553b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:48:30 +0100 Subject: [PATCH 352/492] avcodec/mjpegdec: Check number of components for JPEG-LS Fixes out of array accesses Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fabbfaa095660982cc0bc63242c459561fa37037) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e5be9b66ea..e5823d8f9f 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -443,9 +443,12 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) } if (s->ls) { s->upscale_h = s->upscale_v = 0; - if (s->nb_components > 1) + if (s->nb_components == 3) { s->avctx->pix_fmt = AV_PIX_FMT_RGB24; - else if (s->bits <= 8) + } else if (s->nb_components != 1) { + av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components); + return AVERROR_PATCHWELCOME; + } else if (s->bits <= 8) s->avctx->pix_fmt = AV_PIX_FMT_GRAY8; else s->avctx->pix_fmt = AV_PIX_FMT_GRAY16; From 0d728ed7926e9bb5e3f3c10f3689652b88814f8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Feb 2015 00:12:08 +0100 Subject: [PATCH 353/492] swscale/utils: Limit filter shifting so as not to read from prior the array Fixes out of array read Fixes: asan_heap-oob_1fb2f9b_3780_cov_3984375136_usf.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 692b22626ec9a9585f667c124a186b1a9796e432) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index ee136ac830..f2d0e632d4 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -586,14 +586,15 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, } if ((*filterPos)[i] + filterSize > srcW) { - int shift = (*filterPos)[i] + filterSize - srcW; + int shift = (*filterPos)[i] + FFMIN(filterSize - srcW, 0); + // move filter coefficients right to compensate for filterPos for (j = filterSize - 2; j >= 0; j--) { int right = FFMIN(j + shift, filterSize - 1); filter[i * filterSize + right] += filter[i * filterSize + j]; filter[i * filterSize + j] = 0; } - (*filterPos)[i]= srcW - filterSize; + (*filterPos)[i]-= shift; } } From 11afd2e2dd15a6c4639c7dbcc90835460bf6cfa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Feb 2015 03:45:21 +0100 Subject: [PATCH 354/492] avformat/thp: Check av_get_packet() for failure not only for partial output Fixes null pointer dereference Fixes: signal_sigsegv_db2c1f_3108_cov_163322880_pikmin2_opening1_partial.thp Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f2579dbb4b31e6ae731e7f5555680528ef3020ab) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 568807d6f7..3ef9497b42 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -180,6 +180,8 @@ static int thp_read_packet(AVFormatContext *s, pkt->stream_index = thp->video_stream_index; } else { ret = av_get_packet(pb, pkt, thp->audiosize); + if (ret < 0) + return ret; if (ret != thp->audiosize) { av_free_packet(pkt); return AVERROR(EIO); From a22da15b0cace003b445b8c232338f70eb90451a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 04:11:56 +0100 Subject: [PATCH 355/492] avcodec/h264_ps: More completely check the bit depths Fixes out of array read Fixes: asan_static-oob_30328b6_719_cov_3325483287_H264_artifacts_motion.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 69aa79365c1e8e1cb597d33e77bf1062c2ef47d4) Conflicts: libavcodec/h264_ps.c Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index a4555455ac..5ba7941dc6 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -384,7 +384,9 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ } sps->bit_depth_luma = get_ue_golomb(&h->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&h->gb) + 8; - if (sps->bit_depth_luma > 14U || sps->bit_depth_chroma > 14U || sps->bit_depth_luma != sps->bit_depth_chroma) { + if (sps->bit_depth_luma < 8 || sps->bit_depth_luma > 14 || + sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 14 || + sps->bit_depth_luma != sps->bit_depth_chroma) { av_log(h->avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", sps->bit_depth_luma, sps->bit_depth_chroma); goto fail; From 1081c9decc63931e30438c8f2490837c7eb7e26a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Feb 2015 03:34:48 +0100 Subject: [PATCH 356/492] avcodec/h264_slice: ignore SAR changes in slices after the first Fixes race condition and null pointer dereference Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 38d5241b7f36c1571a88517a0650caade16dd5f4) Signed-off-by: Michael Niedermayer Conflicts: libavcodec/h264_slice.c --- libavcodec/h264.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index fa47542683..5bf5039332 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3242,6 +3242,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) int last_pic_structure, last_pic_droppable; int must_reinit; int needs_reinit = 0; + int first_slice = h == h0 && !h0->current_slice; h->me.qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; h->me.qpel_avg = h->h264qpel.avg_h264_qpel_pixels_tab; @@ -3336,13 +3337,15 @@ static int decode_slice_header(H264Context *h, H264Context *h0) || 16*h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) != h->avctx->coded_height || h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc - || av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio) || h->mb_width != h->sps.mb_width || h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) )); if (h0->avctx->pix_fmt != get_pixel_format(h0, 0)) must_reinit = 1; + if (first_slice && av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio)) + must_reinit = 1; + h->mb_width = h->sps.mb_width; h->mb_height = h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag); h->mb_num = h->mb_width * h->mb_height; From b4e4a5cbaa57dc857f1dabdc44ad4dedeeed1b3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Feb 2015 03:33:53 +0100 Subject: [PATCH 357/492] avcodec/mjpegdec: Skip blocks which are outside the visible area Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash.avi Found-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e5823d8f9f..91b4d79492 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1089,13 +1089,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - ptr = data[c] + block_offset; + if ( 8*(h * mb_x + x) < s->width + && 8*(v * mb_y + y) < s->height) { + ptr = data[c] + block_offset; + } else + ptr = NULL; if (!s->progressive) { - if (copy_mb) - mjpeg_copy_block(s, ptr, reference_data[c] + block_offset, - linesize[c], s->avctx->lowres); + if (copy_mb) { + if (ptr) + mjpeg_copy_block(s, ptr, reference_data[c] + block_offset, + linesize[c], s->avctx->lowres); - else { + } else { s->dsp.clear_block(s->block); if (decode_block(s, s->block, i, s->dc_index[i], s->ac_index[i], @@ -1104,7 +1109,9 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, "error y=%d x=%d\n", mb_y, mb_x); return AVERROR_INVALIDDATA; } - s->dsp.idct_put(ptr, linesize[c], s->block); + if (ptr) { + s->dsp.idct_put(ptr, linesize[c], s->block); + } } } else { int block_idx = s->block_stride[c] * (v * mb_y + y) + From d20c761782c6e9db49fbeef2321803638af9ca50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:13:06 +0100 Subject: [PATCH 358/492] avformat/idcin: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit d1923d15a3544cbb94563a59e7169291db76b312) Signed-off-by: Michael Niedermayer --- libavformat/idcin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/idcin.c b/libavformat/idcin.c index 85d538c4f3..cbf2896c7e 100644 --- a/libavformat/idcin.c +++ b/libavformat/idcin.c @@ -359,7 +359,7 @@ static int idcin_read_seek(AVFormatContext *s, int stream_index, IdcinDemuxContext *idcin = s->priv_data; if (idcin->first_pkt_pos > 0) { - int ret = avio_seek(s->pb, idcin->first_pkt_pos, SEEK_SET); + int64_t ret = avio_seek(s->pb, idcin->first_pkt_pos, SEEK_SET); if (ret < 0) return ret; ff_update_cur_dts(s, s->streams[idcin->video_stream_index], 0); From 052cd9e5523008506bdc37cfe3ea2c85b5135793 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:14:56 +0100 Subject: [PATCH 359/492] avformat/gxf: Use 64bit for res to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 12987f89007ee82b9d3a6090085dfaef8461ab8b) Signed-off-by: Michael Niedermayer --- libavformat/gxf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index e15d06aaf9..c0a38171fc 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -556,7 +556,7 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { } static int gxf_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { - int res = 0; + int64_t res = 0; uint64_t pos; uint64_t maxlen = 100 * 1024 * 1024; AVStream *st = s->streams[0]; From fc0d183729c2fbaed88e4b62155646400978052d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:41:35 +0100 Subject: [PATCH 360/492] avformat/mvdec: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 26c0cc154e06cb0064b3a3da49447ac44d82444f) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 5525233db5..8d6a26cd6c 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -371,7 +371,7 @@ static int mv_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVStream *st = avctx->streams[mv->stream_index]; const AVIndexEntry *index; int frame = mv->frame[mv->stream_index]; - int ret; + int64_t ret; uint64_t pos; if (frame < st->nb_index_entries) { From 79460c552f8d93dc8fb71f5fb3b4131b437aad70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 21:00:57 +0100 Subject: [PATCH 361/492] avformat/vqf: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit cb08687180683a755d0fe9d425280d0e4d1e6db2) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 1ce53595d6..3479657b3a 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -256,7 +256,7 @@ static int vqf_read_seek(AVFormatContext *s, { VqfContext *c = s->priv_data; AVStream *st; - int ret; + int64_t ret; int64_t pos; st = s->streams[stream_index]; From e201e753688cad5bf6d7e6189ce2aba2b1e4951a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 12 Feb 2015 13:06:49 +0100 Subject: [PATCH 362/492] h264: initialize H264Context.avctx in init_thread_copy This prevents using a wrong (first thread's) AVCodecContext if decoding a frame in the first pass over all threads fails. (cherry picked from commit a06b0b1295c51d100101e0ca0434e199ad6de6b5) Conflicts: libavcodec/h264.c Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 5bf5039332..4d1269a5dd 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1588,6 +1588,7 @@ static int decode_init_thread_copy(AVCodecContext *avctx) memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); + h->avctx = avctx; h->context_initialized = 0; return 0; From 24bb746194153181a3ff67afd6075fb25b380887 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Feb 2015 16:25:29 +0100 Subject: [PATCH 363/492] avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on patch by Francisco Blas Izquierdo Riera Commit message partly taken from carl fixes a compilation error in mlpdsp_init.c with -fstack-check and some gcc compilers (I reproduced the issue with gcc 4.7.3) by simplifying the code. See also https://bugs.gentoo.org/show_bug.cgi?id=471756 $ make libavcodec/x86/mlpdsp_init.o libavcodec/x86/mlpdsp_init.c: In function ‘mlp_filter_channel_x86’: libavcodec/x86/mlpdsp_init.c:142:5: error: can’t find a register in class ‘GENERAL_REGS’ while reloading ‘asm’ libavcodec/x86/mlpdsp_init.c:142:5: error: ‘asm’ operand has impossible constraints 4551 -> 4509 dezicycles Reviewed-by: Ramiro Polla Signed-off-by: Michael Niedermayer (cherry picked from commit 03f39fbb2a558153a3c464edec1378d637a755fe) Signed-off-by: Michael Niedermayer --- libavcodec/x86/mlpdsp.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/mlpdsp.c b/libavcodec/x86/mlpdsp.c index 81cab5a5e9..ef73433058 100644 --- a/libavcodec/x86/mlpdsp.c +++ b/libavcodec/x86/mlpdsp.c @@ -130,8 +130,8 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, FIRMUL (ff_mlp_firorder_6, 0x14 ) FIRMUL (ff_mlp_firorder_5, 0x10 ) FIRMUL (ff_mlp_firorder_4, 0x0c ) - FIRMULREG(ff_mlp_firorder_3, 0x08,10) - FIRMULREG(ff_mlp_firorder_2, 0x04, 9) + FIRMUL (ff_mlp_firorder_3, 0x08 ) + FIRMUL (ff_mlp_firorder_2, 0x04 ) FIRMULREG(ff_mlp_firorder_1, 0x00, 8) LABEL_MANGLE(ff_mlp_firorder_0)":\n\t" "jmp *%6 \n\t" @@ -160,8 +160,6 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, : /* 4*/"r"((x86_reg)mask), /* 5*/"r"(firjump), /* 6*/"r"(iirjump) , /* 7*/"c"(filter_shift) , /* 8*/"r"((int64_t)coeff[0]) - , /* 9*/"r"((int64_t)coeff[1]) - , /*10*/"r"((int64_t)coeff[2]) : "rax", "rdx", "rsi" #else /* ARCH_X86_32 */ /* 3*/"+m"(blocksize) From c4353d7ee2039296b2a9ecb2907db7805c6ab1d3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:43:30 +0100 Subject: [PATCH 364/492] avcodec/a64multienc: use av_frame_ref instead of copying the frame This fixes freeing the frame buffer twice on cleanup leading to a crash. Signed-off-by: Michael Niedermayer (cherry picked from commit 39e4ed7c1d8d840be47f6d604704d47a59a9ae5d) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index eaf7b46b55..a97c641c63 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -315,7 +315,9 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } else { /* fill up mc_meta_charset with data until lifetime exceeds */ if (c->mc_frame_counter < c->mc_lifetime) { - *p = *pict; + ret = av_frame_ref(p, pict); + if (ret < 0) + return ret; p->pict_type = AV_PICTURE_TYPE_I; p->key_frame = 1; to_meta_with_crop(avctx, p, meta + 32000 * c->mc_frame_counter); From ffdfa80147f3f534185e2b9dd9327b9bd48417ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Feb 2015 01:21:30 +0100 Subject: [PATCH 365/492] avcodec/a64multienc: don't set incorrect packet size This fixes invalid reads of the packet buffer in av_dup_packet Based on patch by Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d96142e9af92ded84f2580620c571ab96c4bb657) Conflicts: libavcodec/a64multienc.c --- libavcodec/a64multienc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index a97c641c63..a2b4837990 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -334,8 +334,8 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, req_size = 0; /* any frames to encode? */ if (c->mc_lifetime) { - req_size = charset_size + c->mc_lifetime*(screen_size + colram_size); - if ((ret = ff_alloc_packet2(avctx, pkt, req_size)) < 0) + int alloc_size = charset_size + c->mc_lifetime*(screen_size + colram_size); + if ((ret = ff_alloc_packet2(avctx, pkt, alloc_size)) < 0) return ret; buf = pkt->data; @@ -352,6 +352,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, /* advance pointers */ buf += charset_size; charset += charset_size; + req_size += charset_size; } /* write x frames to buf */ From 1cba89a135ba28bb80c2b7ea451331512827ac10 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:48:38 +0100 Subject: [PATCH 366/492] avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop Averaging over 2 pixels doesn't work correctly for the last pixel, because the rest of the buffer is not initialized. Signed-off-by: Michael Niedermayer (cherry picked from commit 87513d654546a99f8ddb045ca4fa5d33778a617e) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index a2b4837990..ca9a6c14c1 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -81,9 +81,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest) for (y = blocky; y < blocky + 8 && y < C64YRES; y++) { for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) { if(x < width && y < height) { - /* build average over 2 pixels */ - luma = (src[(x + 0 + y * p->linesize[0])] + - src[(x + 1 + y * p->linesize[0])]) / 2; + if (x + 1 < width) { + /* build average over 2 pixels */ + luma = (src[(x + 0 + y * p->linesize[0])] + + src[(x + 1 + y * p->linesize[0])]) / 2; + } else { + luma = src[(x + y * p->linesize[0])]; + } /* write blocks as linear data now so they are suitable for elbg */ dest[0] = luma; } From 3cca4c770ea6c9b946067df7b0f46716fc864414 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Feb 2015 00:32:39 +0100 Subject: [PATCH 367/492] swscale/utils: More carefully merge and clear coefficients outside the input Fixes out of array read Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1895d414aaacece3b57d7bf19502305e9a064fae) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index f2d0e632d4..05ec6ca7a8 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -587,14 +587,24 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, if ((*filterPos)[i] + filterSize > srcW) { int shift = (*filterPos)[i] + FFMIN(filterSize - srcW, 0); + int64_t acc = 0; - // move filter coefficients right to compensate for filterPos - for (j = filterSize - 2; j >= 0; j--) { - int right = FFMIN(j + shift, filterSize - 1); - filter[i * filterSize + right] += filter[i * filterSize + j]; - filter[i * filterSize + j] = 0; + for (j = filterSize - 1; j >= 0; j--) { + if ((*filterPos)[i] + j >= srcW) { + acc += filter[i * filterSize + j]; + filter[i * filterSize + j] = 0; + } } + for (j = filterSize - 1; j >= 0; j--) { + if (j < shift) { + filter[i * filterSize + j] = 0; + } else { + filter[i * filterSize + j] = filter[i * filterSize + j - shift]; + } + } + (*filterPos)[i]-= shift; + filter[i * filterSize + srcW - 1 - (*filterPos)[i]] += acc; } } From bc0bf39e4ccfb0a85ddb2b072d42bad2a8e8b1be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Feb 2015 03:12:22 +0100 Subject: [PATCH 368/492] avcodec/snowdec: Fix ref value check Fixes integer overflow and out of array read. Fixes: signal_sigsegv_24169e6_3445_cov_3778346427_snow_chroma_bug.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f4cbf940212079a34753c7f4d6c6b5a43586d30) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index c8a03277e6..f2ea8de491 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -156,7 +156,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int l = left->color[0]; int cb= left->color[1]; int cr= left->color[2]; - int ref = 0; + unsigned ref = 0; int ref_context= av_log2(2*left->ref) + av_log2(2*top->ref); int mx_context= av_log2(2*FFABS(left->mx - top->mx)) + 0*av_log2(2*FFABS(tr->mx - top->mx)); int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); From 22dc1fd166eb403d6e1d1b6b8c602922f37520a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Feb 2015 12:29:10 +0100 Subject: [PATCH 369/492] avcodec/zmbv: Check len before reading in decode_frame() Fixes out of array read Fixes: asan_heap-oob_4d4eb0_3994_cov_3169972261_zmbv_15bit.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1f5c7781e63d6519192ada59c1e36bcecc92791d) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 7f3b326dd1..fde8539a58 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -409,11 +409,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int hi_ver, lo_ver, ret; /* parse header */ + if (len < 1) + return AVERROR_INVALIDDATA; c->flags = buf[0]; buf++; len--; if (c->flags & ZMBV_KEYFRAME) { void *decode_intra = NULL; c->decode_intra= NULL; + + if (len < 6) + return AVERROR_INVALIDDATA; hi_ver = buf[0]; lo_ver = buf[1]; c->comp = buf[2]; From 1697813db84aa16fcf5c56af674aa5b6c77e7b3a Mon Sep 17 00:00:00 2001 From: James Cowgill Date: Thu, 26 Feb 2015 13:42:52 +0000 Subject: [PATCH 370/492] mips/acelp_filters: fix incorrect register constraint Change register constraint on the v variable from = to +. This was causing GCC to think that the v variable was never read and therefore not initialize it. This fixes about 20 fate failures on mips64el. Signed-off-by: James Cowgill Signed-off-by: Michael Niedermayer (cherry picked from commit b9de1303a6414174ab2f3bccefa801bfabcf0f88) Signed-off-by: Michael Niedermayer --- libavcodec/mips/acelp_filters_mips.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mips/acelp_filters_mips.c b/libavcodec/mips/acelp_filters_mips.c index c8d980aa00..ffc0fe6250 100644 --- a/libavcodec/mips/acelp_filters_mips.c +++ b/libavcodec/mips/acelp_filters_mips.c @@ -89,7 +89,7 @@ static void ff_acelp_interpolatef_mips(float *out, const float *in, "addu %[p_filter_coeffs_m], %[p_filter_coeffs_m], %[prec] \n\t" "madd.s %[v],%[v],%[in_val_m], %[fc_val_m] \n\t" - : [v] "=&f" (v),[p_in_p] "+r" (p_in_p), [p_in_m] "+r" (p_in_m), + : [v] "+&f" (v),[p_in_p] "+r" (p_in_p), [p_in_m] "+r" (p_in_m), [p_filter_coeffs_p] "+r" (p_filter_coeffs_p), [in_val_p] "=&f" (in_val_p), [in_val_m] "=&f" (in_val_m), [fc_val_p] "=&f" (fc_val_p), [fc_val_m] "=&f" (fc_val_m), From 5ae61395afe63f4f5e24f6f1e7bc6f38f0e49c24 Mon Sep 17 00:00:00 2001 From: Dyami Caliri Date: Thu, 26 Feb 2015 10:17:01 -0800 Subject: [PATCH 371/492] Fix buffer_size argument to init_put_bits() in multiple encoders. Several encoders were multiplying the buffer size by 8, in order to get a bit size. However, the buffer_size argument is for the byte size of the buffer. We had experienced crashes encoding prores (Anatoliy) at size 4096x4096. (cherry picked from commit 50833c9f7b4e1922197a8955669f8ab3589c8cef) Conflicts: libavcodec/proresenc_kostya.c --- libavcodec/aacenc.c | 2 +- libavcodec/adpcmenc.c | 4 ++-- libavcodec/faxcompr.c | 2 +- libavcodec/flashsv2enc.c | 2 +- libavcodec/flashsvenc.c | 2 +- libavcodec/nellymoserenc.c | 2 +- libavcodec/proresenc_anatoliy.c | 2 +- libavcodec/proresenc_kostya.c | 2 +- libavcodec/s302menc.c | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 362f02b115..409e16bc1d 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -165,7 +165,7 @@ static void put_audio_specific_config(AVCodecContext *avctx) PutBitContext pb; AACEncContext *s = avctx->priv_data; - init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8); + init_put_bits(&pb, avctx->extradata, avctx->extradata_size); put_bits(&pb, 5, 2); //object type - AAC-LC put_bits(&pb, 4, s->samplerate_index); //sample rate index put_bits(&pb, 4, s->channels); diff --git a/libavcodec/adpcmenc.c b/libavcodec/adpcmenc.c index cef8b6f916..8531f3f015 100644 --- a/libavcodec/adpcmenc.c +++ b/libavcodec/adpcmenc.c @@ -541,7 +541,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, case AV_CODEC_ID_ADPCM_IMA_QT: { PutBitContext pb; - init_put_bits(&pb, dst, pkt_size * 8); + init_put_bits(&pb, dst, pkt_size); for (ch = 0; ch < avctx->channels; ch++) { ADPCMChannelStatus *status = &c->status[ch]; @@ -570,7 +570,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, case AV_CODEC_ID_ADPCM_SWF: { PutBitContext pb; - init_put_bits(&pb, dst, pkt_size * 8); + init_put_bits(&pb, dst, pkt_size); n = frame->nb_samples - 1; diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 900851b3f1..d2ba7068ca 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -251,7 +251,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs) PutBitContext pb; int run, mode = ~0, pix_left = width, run_idx = 0; - init_put_bits(&pb, dst, size * 8); + init_put_bits(&pb, dst, size); while (pix_left > 0) { run = runs[run_idx++]; mode = ~mode; diff --git a/libavcodec/flashsv2enc.c b/libavcodec/flashsv2enc.c index 1d0d1963f6..3e2961771a 100644 --- a/libavcodec/flashsv2enc.c +++ b/libavcodec/flashsv2enc.c @@ -288,7 +288,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size) if (buf_size < 5) return -1; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, (s->block_width >> 4) - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c index e6b181f2ae..34384b3956 100644 --- a/libavcodec/flashsvenc.c +++ b/libavcodec/flashsvenc.c @@ -131,7 +131,7 @@ static int encode_bitstream(FlashSVContext *s, AVFrame *p, uint8_t *buf, int buf_pos, res; int pred_blocks = 0; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, block_width / 16 - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/nellymoserenc.c b/libavcodec/nellymoserenc.c index b35820a3f8..bf762c6b81 100644 --- a/libavcodec/nellymoserenc.c +++ b/libavcodec/nellymoserenc.c @@ -301,7 +301,7 @@ static void encode_block(NellyMoserEncodeContext *s, unsigned char *output, int apply_mdct(s); - init_put_bits(&pb, output, output_size * 8); + init_put_bits(&pb, output, output_size); i = 0; for (band = 0; band < NELLY_BANDS; band++) { diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index ccd0392ca6..dd927d41e1 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -304,7 +304,7 @@ static int encode_slice_plane(AVCodecContext *avctx, int mb_count, } blocks_per_slice = mb_count << (2 - chroma); - init_put_bits(&pb, buf, buf_size << 3); + init_put_bits(&pb, buf, buf_size); encode_dc_coeffs(&pb, blocks, blocks_per_slice, qmat); encode_ac_coeffs(avctx, &pb, blocks, blocks_per_slice, qmat); diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index ab434301b4..c009ed671e 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -1022,7 +1022,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, bytestream_put_byte(&buf, slice_hdr_size << 3); slice_hdr = buf; buf += slice_hdr_size - 1; - init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8); + init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf))); ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); if (ret < 0) return ret; diff --git a/libavcodec/s302menc.c b/libavcodec/s302menc.c index 6af5dfee40..ec0c574a5a 100644 --- a/libavcodec/s302menc.c +++ b/libavcodec/s302menc.c @@ -81,7 +81,7 @@ static int s302m_encode2_frame(AVCodecContext *avctx, AVPacket *avpkt, return ret; o = avpkt->data; - init_put_bits(&pb, o, buf_size * 8); + init_put_bits(&pb, o, buf_size); put_bits(&pb, 16, buf_size - AES3_HEADER_LEN); put_bits(&pb, 2, (avctx->channels - 2) >> 1); // number of channels put_bits(&pb, 8, 0); // channel ID From 15fc5263f9d474cc1107d77246106824df3ddfcc Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 25 Feb 2015 22:55:44 +0100 Subject: [PATCH 372/492] avformat/adxdec: check avctx->channels for invalid values This avoids a null pointer dereference of pkt->data. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 7faa40af982960608b117e20fec999b48011e5e0) Signed-off-by: Michael Niedermayer --- libavformat/adxdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c index 49e19307d5..2cde39da7b 100644 --- a/libavformat/adxdec.c +++ b/libavformat/adxdec.c @@ -41,6 +41,11 @@ static int adx_read_packet(AVFormatContext *s, AVPacket *pkt) AVCodecContext *avctx = s->streams[0]->codec; int ret, size; + if (avctx->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + size = BLOCK_SIZE * avctx->channels; pkt->pos = avio_tell(s->pb); From 77955dcabfce95b32f696d521f260d53b1ac3709 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 21:38:50 +0100 Subject: [PATCH 373/492] avformat/bit: check that pkt->size is 10 in write_packet Ohter packet sizes are not supported by this muxer. This avoids a null pointer dereference of pkt->data. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit eeda2c3de8a8484d9e7d1e47ac836bec850b31fc) Signed-off-by: Michael Niedermayer --- libavformat/bit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/bit.c b/libavformat/bit.c index 0be471ac4f..42df0c2fae 100644 --- a/libavformat/bit.c +++ b/libavformat/bit.c @@ -133,6 +133,9 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) GetBitContext gb; int i; + if (pkt->size != 10) + return AVERROR(EINVAL); + avio_wl16(pb, SYNC_WORD); avio_wl16(pb, 8 * 10); From 45432879ff415ec3e91d66ef5a19219ba7563ab9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 21:42:02 +0100 Subject: [PATCH 374/492] avformat/bit: only accept the g729 codec and 1 channel Other codecs/channel numbers are not supported by this muxer. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d0b8640f75ff7569c98d6fdb03d83451104e088c) Signed-off-by: Michael Niedermayer --- libavformat/bit.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/bit.c b/libavformat/bit.c index 42df0c2fae..f5112c2fea 100644 --- a/libavformat/bit.c +++ b/libavformat/bit.c @@ -119,8 +119,12 @@ static int write_header(AVFormatContext *s) { AVCodecContext *enc = s->streams[0]->codec; - enc->codec_id = AV_CODEC_ID_G729; - enc->channels = 1; + if ((enc->codec_id != AV_CODEC_ID_G729) || enc->channels != 1) { + av_log(s, AV_LOG_ERROR, + "only codec g729 with 1 channel is supported by this format\n"); + return AVERROR(EINVAL); + } + enc->bits_per_coded_sample = 16; enc->block_align = (enc->bits_per_coded_sample * enc->channels) >> 3; From 852ef62b85c04eb37dbe337ff0d8a59d459a7d29 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Feb 2015 03:12:23 +0100 Subject: [PATCH 375/492] swscale/utils: clear formatConvBuffer on allocation Fixes use of uninitialized memory Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 007498fc1a639ecee2cda1892cbcff66c7c8c951) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 05ec6ca7a8..aa3d10ab46 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1251,7 +1251,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, c->chrDstW = FF_CEIL_RSHIFT(dstW, c->chrDstHSubSample); c->chrDstH = FF_CEIL_RSHIFT(dstH, c->chrDstVSubSample); - FF_ALLOC_OR_GOTO(c, c->formatConvBuffer, FFALIGN(srcW*2+78, 16) * 2, fail); + FF_ALLOCZ_OR_GOTO(c, c->formatConvBuffer, FFALIGN(srcW*2+78, 16) * 2, fail); /* unscaled special cases */ if (unscaled && !usesHFilter && !usesVFilter && From 3bfaadfadaba9a1035f87d276d3a0ab64d571cb5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 28 Feb 2015 20:58:31 +0100 Subject: [PATCH 376/492] avformat/flvenc: check that the codec_tag fits in the available bits flags is later written with avio_w8 and if it doesn't fit in one byte it triggers an av_assert2. Signed-off-by: Michael Niedermayer (cherry picked from commit e8565d21c276ab9ac5ce785549420321fbd0b093) Signed-off-by: Michael Niedermayer --- libavformat/flvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index 9d5522e9bc..8ff964c31b 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -485,7 +485,7 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) avio_w8(pb, FLV_TAG_TYPE_VIDEO); flags = enc->codec_tag; - if (flags == 0) { + if (flags <= 0 || flags > 15) { av_log(s, AV_LOG_ERROR, "Video codec '%s' is not compatible with FLV\n", avcodec_get_name(enc->codec_id)); From 5f92a0d1e94c7cde4a6dec7bb11abf200a59f3ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Mar 2015 14:30:34 +0100 Subject: [PATCH 377/492] avcodec/utils: Align YUV411 by as much as the other YUV variants Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash2.avi Found-by: Thomas Lindroth Tested-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit e3201c38d53d2b8b24d0bc95d726b2cb1752dc12) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 56258ebd22..f6d4477769 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -275,7 +275,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_YUVJ411P: case AV_PIX_FMT_UYYVYY411: w_align = 32; - h_align = 8; + h_align = 16 * 2; break; case AV_PIX_FMT_YUV410P: if (s->codec_id == AV_CODEC_ID_SVQ1) { From ff0985347c2c127870d693bffc063102934dedca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Mar 2015 23:27:43 +0100 Subject: [PATCH 378/492] avcodec/tiff: move bpp check to after "end:" This ensures that all current and future code-pathes get bpp checked Signed-off-by: Michael Niedermayer (cherry picked from commit d5e9fc782150d4596c72440a0aa02b7f4f1254b1) Conflicts: libavcodec/tiff.c --- libavcodec/tiff.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index b258aa4283..126e59c991 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -775,13 +775,6 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->bpp = -1; } } - if (s->bpp > 64U) { - av_log(s->avctx, AV_LOG_ERROR, - "This format is not supported (bpp=%d, %d components)\n", - s->bpp, count); - s->bpp = 0; - return AVERROR_INVALIDDATA; - } break; case TIFF_SAMPLES_PER_PIXEL: if (count != 1) { @@ -1072,6 +1065,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) return AVERROR_INVALIDDATA; } } + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } bytestream2_seek(&s->gb, start, SEEK_SET); return 0; } From e69c43035363bd3b7420b5718e7951049fc771a0 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 27 Feb 2015 19:00:25 +0000 Subject: [PATCH 379/492] aic: Fix decoding files with odd dimensions Normally the aic decoder finds the proper slice combination (multiple of some number less than 32) but in case of odd width, it resorts to the default values, which were actually swapped. The number of slices is modified to account for such odd width cases. CC: libav-stable@libav.org (cherry picked from commit e878ec0d47cd6228c367b2f3128b76d7523f7255) Signed-off-by: Michael Niedermayer --- libavcodec/aic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index de992003e3..e06b20de11 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -437,8 +437,8 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) ctx->mb_width = FFALIGN(avctx->width, 16) >> 4; ctx->mb_height = FFALIGN(avctx->height, 16) >> 4; - ctx->num_x_slices = 16; - ctx->slice_width = ctx->mb_width / 16; + ctx->num_x_slices = (ctx->mb_width + 15) >> 4; + ctx->slice_width = 16; for (i = 1; i < 32; i++) { if (!(ctx->mb_width % i) && (ctx->mb_width / i < 32)) { ctx->slice_width = ctx->mb_width / i; From 27432f259d50e9ade1c962a9a797d6a339b389bf Mon Sep 17 00:00:00 2001 From: Federico Tomassetti Date: Wed, 18 Feb 2015 12:11:43 +0000 Subject: [PATCH 380/492] mdec: check for out of bounds read Bug-Id: CID 1257501 CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 2c63081b48d98f3a0d0bed7b0ec3c0347b99144c) Signed-off-by: Michael Niedermayer --- libavcodec/mdec.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 8fb29ce1eb..a861a95df3 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -83,7 +83,12 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) if (level == 127) { break; } else if (level != 0) { - i += run; + i += run; + if (i > 63) { + av_log(a->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); + return AVERROR_INVALIDDATA; + } j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 3; level = (level ^ SHOW_SBITS(re, &a->gb, 1)) - SHOW_SBITS(re, &a->gb, 1); @@ -93,8 +98,13 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) run = SHOW_UBITS(re, &a->gb, 6)+1; LAST_SKIP_BITS(re, &a->gb, 6); UPDATE_CACHE(re, &a->gb); level = SHOW_SBITS(re, &a->gb, 10); SKIP_BITS(re, &a->gb, 10); - i += run; - j = scantable[i]; + i += run; + if (i > 63) { + av_log(a->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); + return AVERROR_INVALIDDATA; + } + j = scantable[i]; if (level < 0) { level = -level; level = (level * qscale * quant_matrix[j]) >> 3; @@ -105,10 +115,6 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) level = (level - 1) | 1; } } - if (i > 63) { - av_log(a->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); - return AVERROR_INVALIDDATA; - } block[j] = level; } From 63efad67ee56565c6376e8233a83d8b1837fef3a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 20:27:26 +0100 Subject: [PATCH 381/492] avcodec/rv10: check size of s->mb_width * s->mb_height If it doesn't fit into 12 bits it triggers an assertion. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 2578a546183da09d49d5bba8ab5e982dece1dede) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.h | 2 +- libavcodec/mpegvideo_enc.c | 7 +++++-- libavcodec/rv10enc.c | 7 ++++++- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index f72e89e25e..106916dd57 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -927,7 +927,7 @@ extern const uint8_t ff_h263_chroma_qscale_table[32]; extern const uint8_t ff_h263_loop_filter_strength[32]; /* rv10.c */ -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); int ff_rv_decode_dc(MpegEncContext *s, int n); void ff_rv20_encode_picture_header(MpegEncContext *s, int picture_number); diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 85830d9f3a..e8333f8600 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -3389,8 +3389,11 @@ static int encode_picture(MpegEncContext *s, int picture_number) ff_msmpeg4_encode_picture_header(s, picture_number); else if (CONFIG_MPEG4_ENCODER && s->h263_pred) ff_mpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) - ff_rv10_encode_picture_header(s, picture_number); + else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { + ret = ff_rv10_encode_picture_header(s, picture_number); + if (ret < 0) + return ret; + } else if (CONFIG_RV20_ENCODER && s->codec_id == AV_CODEC_ID_RV20) ff_rv20_encode_picture_header(s, picture_number); else if (CONFIG_FLV_ENCODER && s->codec_id == AV_CODEC_ID_FLV1) diff --git a/libavcodec/rv10enc.c b/libavcodec/rv10enc.c index c4c5c53850..941bbbd768 100644 --- a/libavcodec/rv10enc.c +++ b/libavcodec/rv10enc.c @@ -28,7 +28,7 @@ #include "mpegvideo.h" #include "put_bits.h" -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) { int full_frame= 0; @@ -48,12 +48,17 @@ void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) /* if multiple packets per frame are sent, the position at which to display the macroblocks is coded here */ if(!full_frame){ + if (s->mb_width * s->mb_height >= (1U << 12)) { + avpriv_report_missing_feature(s, "Encoding frames with 4096 or more macroblocks"); + return AVERROR(ENOSYS); + } put_bits(&s->pb, 6, 0); /* mb_x */ put_bits(&s->pb, 6, 0); /* mb_y */ put_bits(&s->pb, 12, s->mb_width * s->mb_height); } put_bits(&s->pb, 3, 0); /* ignored */ + return 0; } FF_MPV_GENERIC_CLASS(rv10) From 3d11279745a64e7eb65f63b76dbc9d561651fcfc Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 15:46:44 +0100 Subject: [PATCH 382/492] avformat/rm: limit packet size The chunk size is limited to 0xFFFF (written by avio_wb16), so make sure that the packet size is not too large. Such large frames need to be split into slices smaller than 64 kB, but that is currently supported neither by the rv10/rv20 encoders nor the rm muxer. Signed-off-by: Andreas Cadhalpun See Ticket244 Signed-off-by: Michael Niedermayer (cherry picked from commit 08728f400b8367dc8c983036cb2eff3a2891322b) Signed-off-by: Michael Niedermayer --- libavformat/rmenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c index 17192ff275..a4e97a02e9 100644 --- a/libavformat/rmenc.c +++ b/libavformat/rmenc.c @@ -391,6 +391,11 @@ static int rm_write_video(AVFormatContext *s, const uint8_t *buf, int size, int /* Well, I spent some time finding the meaning of these bits. I am not sure I understood everything, but it works !! */ #if 1 + /* 0xFFFF is the maximal chunk size; header needs at most 7 + 4 + 12 B */ + if (size > 0xFFFF - 7 - 4 - 12) { + av_log(s, AV_LOG_ERROR, "large packet size %d not supported\n", size); + return AVERROR_PATCHWELCOME; + } write_packet_header(s, stream, size + 7 + (size >= 0x4000)*4, key_frame); /* bit 7: '1' if final packet of a frame converted in several packets */ avio_w8(pb, 0x81); From 9be586e166472eca4ce2770f00a6c72d33c26f33 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 8 Mar 2015 23:31:48 +0100 Subject: [PATCH 383/492] ffmdec: fix infinite loop at EOF If EOF is reached, while skipping bytes, avio_tell(pb) won't change anymore, resulting in an infinite loop. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6fa98822eba501a4898fdec5b75acd3026201005) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 02cf790f87..601ddaaf8e 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -347,7 +347,7 @@ static int ffm2_read_header(AVFormatContext *s) } /* get until end of block reached */ - while ((avio_tell(pb) % ffm->packet_size) != 0) + while ((avio_tell(pb) % ffm->packet_size) != 0 && !pb->eof_reached) avio_r8(pb); /* init packet demux */ @@ -477,7 +477,7 @@ static int ffm_read_header(AVFormatContext *s) } /* get until end of block reached */ - while ((avio_tell(pb) % ffm->packet_size) != 0) + while ((avio_tell(pb) % ffm->packet_size) != 0 && !pb->eof_reached) avio_r8(pb); /* init packet demux */ From 0f2401e3cb440af4e278315b0df535de3c702ccb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 14:59:44 +0100 Subject: [PATCH 384/492] ffmdec: limit the backward seek to the last resync position If resyncing leads to the same position as previously, it will again lead to a resync attempt, resulting in an infinite loop. Thus don't seek back beyond the last syncpoint. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6b8263b03ab3d16d70525ae1893cb106be7852f1) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 601ddaaf8e..e927b21607 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -77,6 +77,7 @@ static int ffm_read_data(AVFormatContext *s, FFMContext *ffm = s->priv_data; AVIOContext *pb = s->pb; int len, fill_size, size1, frame_offset, id; + int64_t last_pos = -1; size1 = size; while (size > 0) { @@ -96,9 +97,11 @@ static int ffm_read_data(AVFormatContext *s, avio_seek(pb, tell, SEEK_SET); } id = avio_rb16(pb); /* PACKET_ID */ - if (id != PACKET_ID) + if (id != PACKET_ID) { if (ffm_resync(s, id) < 0) return -1; + last_pos = avio_tell(pb); + } fill_size = avio_rb16(pb); ffm->dts = avio_rb64(pb); frame_offset = avio_rb16(pb); @@ -112,7 +115,9 @@ static int ffm_read_data(AVFormatContext *s, if (!frame_offset) { /* This packet has no frame headers in it */ if (avio_tell(pb) >= ffm->packet_size * 3LL) { - avio_seek(pb, -ffm->packet_size * 2LL, SEEK_CUR); + int64_t seekback = FFMIN(ffm->packet_size * 2LL, avio_tell(pb) - last_pos); + seekback = FFMAX(seekback, 0); + avio_seek(pb, -seekback, SEEK_CUR); goto retry_read; } /* This is bad, we cannot find a valid frame header */ From 1c1574e3777aea8bf9255122c63c423f34ef6d15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Mar 2015 03:42:00 +0100 Subject: [PATCH 385/492] avcodec/options_table: remove extradata_size from the AVOptions table allowing access to the size but not the extradata itself is not useful and could lead to potential problems if writing happens through this field Reviewed-by: Andreas Cadhalpun Reviewed-by: Lukasz Marek Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 1f4088b28540080ce1d42345c5614be3e1a6a197) Signed-off-by: Michael Niedermayer --- libavcodec/options_table.h | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/options_table.h b/libavcodec/options_table.h index 84463a0ca9..63c5196297 100644 --- a/libavcodec/options_table.h +++ b/libavcodec/options_table.h @@ -89,7 +89,6 @@ static const AVOption options[]={ {"hex", "hex motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_HEX }, INT_MIN, INT_MAX, V|E, "me_method" }, {"umh", "umh motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_UMH }, INT_MIN, INT_MAX, V|E, "me_method" }, {"iter", "iter motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_ITER }, INT_MIN, INT_MAX, V|E, "me_method" }, -{"extradata_size", NULL, OFFSET(extradata_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, {"time_base", NULL, OFFSET(time_base), AV_OPT_TYPE_RATIONAL, {.dbl = 0}, INT_MIN, INT_MAX}, {"g", "set the group of picture (GOP) size", OFFSET(gop_size), AV_OPT_TYPE_INT, {.i64 = 12 }, INT_MIN, INT_MAX, V|E}, {"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, From c9edf502cd8bf2cff80a26fd368bdbc59c94c5b9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 19:24:09 +0100 Subject: [PATCH 386/492] roqvideoenc: set enc->avctx in roq_encode_init So far it is only set in roq_encode_frame, but it is used in roq_encode_end to free the coded_frame. This currently segfaults if roq_encode_frame is not called between roq_encode_init and roq_encode_end. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit cf82c426fadf90105e1fb9d5ecd267cc3aa2b288) Signed-off-by: Michael Niedermayer --- libavcodec/roqvideoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/roqvideoenc.c b/libavcodec/roqvideoenc.c index 666c49df13..cd60f8a9fc 100644 --- a/libavcodec/roqvideoenc.c +++ b/libavcodec/roqvideoenc.c @@ -959,6 +959,8 @@ static av_cold int roq_encode_init(AVCodecContext *avctx) av_lfg_init(&enc->randctx, 1); + enc->avctx = avctx; + enc->framesSinceKeyframe = 0; if ((avctx->width & 0xf) || (avctx->height & 0xf)) { av_log(avctx, AV_LOG_ERROR, "Dimensions must be divisible by 16\n"); From 46ee330d3a1e84034aadbaede606c1722210a8ff Mon Sep 17 00:00:00 2001 From: Xiaohan Wang Date: Thu, 6 Nov 2014 12:59:54 -0800 Subject: [PATCH 387/492] Fix read-after-free in matroska_read_seek(). In matroska_read_seek(), |tracks| is assigned at the begining of the function. However, functions like matroska_parse_cues() could reallocate the tracks so that |tracks| can get invalidated. This CL assigns |tracks| only before we use it so that it won't be invalidated. BUG=427266 TEST=Test case in associated bug passes now. Change-Id: I9c7065fe8f4311ca846076281df2282d190ed344 Signed-off-by: Michael Niedermayer (cherry picked from commit 33301f001747d7a542073c634cc81da5eff051cf) Conflicts: libavformat/matroskadec.c --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 6e765d9d1a..361d9de820 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2587,7 +2587,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { MatroskaDemuxContext *matroska = s->priv_data; - MatroskaTrack *tracks = matroska->tracks.elem; + MatroskaTrack *tracks = NULL; AVStream *st = s->streams[stream_index]; int i, index, index_sub, index_min; @@ -2616,6 +2616,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, goto err; index_min = index; + tracks = matroska->tracks.elem; for (i=0; i < matroska->tracks.nb_elem; i++) { tracks[i].audio.pkt_cnt = 0; tracks[i].audio.sub_packet_cnt = 0; From b13cba308253cb76c500c0425f7569f4a43131b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 5 Mar 2015 23:38:00 +0200 Subject: [PATCH 388/492] arm: Suppress tags about used cpu arch and extensions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When all the codepaths using manually set .arch/.fpu code is behind runtime detection, the elf attributes should be suppressed. This allows tools to know that the final built binary doesn't strictly require these extensions. Signed-off-by: Martin Storsjö (cherry picked from commit dcae2e32f7d8a1ca5fb8c1e4aa81313be854dd73 and b77e335e441040a40fc6156b8e4a134745d10233) Signed-off-by: Martin Storsjö (cherry picked from commit 9841654c158c80e9d525ba03754135d3f34e306e) Signed-off-by: Michael Niedermayer --- configure | 6 ++++++ libavutil/arm/asm.S | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/configure b/configure index 310da55da4..8f46a5a61d 100755 --- a/configure +++ b/configure @@ -1415,6 +1415,7 @@ HAVE_LIST=" alsa_asoundlib_h altivec_h arpa_inet_h + as_object_arch asm_mod_q asm_mod_y asm_types_h @@ -3831,6 +3832,11 @@ EOF [ $target_os != win32 ] && enabled_all armv6t2 shared !pic && enable_weak_pic + # llvm's integrated assembler supports .object_arch from llvm 3.5 + [ "$objformat" = elf ] && check_as < Date: Tue, 10 Mar 2015 20:21:14 +0100 Subject: [PATCH 389/492] avcodec/012v: Check dimensions more completely Fixes division by 0 Found-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit d3b25383daffac154846daeb4e4fb46569e728db) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index 58e3cd6fbd..38b1bb5f62 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -45,8 +45,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, const uint8_t *line_end, *src = avpkt->data; int stride = avctx->width * 8 / 3; - if (width == 1) { - av_log(avctx, AV_LOG_ERROR, "Width 1 not supported.\n"); + if (width <= 1 || avctx->height <= 0) { + av_log(avctx, AV_LOG_ERROR, "Dimensions %dx%d not supported.\n", width, avctx->height); return AVERROR_INVALIDDATA; } if (avpkt->size < avctx->height * stride) { From e5f7aeb46f55fc3134a55e435a1bee8f5ac8b974 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Mar 2015 19:18:34 +0100 Subject: [PATCH 390/492] avcodec/012v: redesign main loop Fixes out of array accesses Fixes: ffmpeg_012v_crash.ts Found-by: Thomas Lindroth Reviewed-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 48df30d36c3ca360c407d84f96749888d1fbe853) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 82 ++++++++++++++++++++++------------------------- 1 file changed, 39 insertions(+), 43 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index 38b1bb5f62..873e86bfed 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -38,7 +38,7 @@ static av_cold int zero12v_decode_init(AVCodecContext *avctx) static int zero12v_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - int line = 0, ret; + int line, ret; const int width = avctx->width; AVFrame *pic = data; uint16_t *y, *u, *v; @@ -61,45 +61,45 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, pic->pict_type = AV_PICTURE_TYPE_I; pic->key_frame = 1; - y = (uint16_t *)pic->data[0]; - u = (uint16_t *)pic->data[1]; - v = (uint16_t *)pic->data[2]; line_end = avpkt->data + stride; + for (line = 0; line < avctx->height; line++) { + uint16_t y_temp[6] = {0x8000, 0x8000, 0x8000, 0x8000, 0x8000, 0x8000}; + uint16_t u_temp[3] = {0x8000, 0x8000, 0x8000}; + uint16_t v_temp[3] = {0x8000, 0x8000, 0x8000}; + int x; + y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); + u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); + v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); - while (line++ < avctx->height) { - while (1) { - uint32_t t = AV_RL32(src); + for (x = 0; x < width; x += 6) { + uint32_t t; + + if (width - x < 6 || line_end - src < 16) { + y = y_temp; + u = u_temp; + v = v_temp; + } + + if (line_end - src < 4) + break; + + t = AV_RL32(src); src += 4; *u++ = t << 6 & 0xFFC0; *y++ = t >> 4 & 0xFFC0; *v++ = t >> 14 & 0xFFC0; - if (src >= line_end - 1) { - *y = 0x80; - src++; - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; *y++ = t << 6 & 0xFFC0; *u++ = t >> 4 & 0xFFC0; *y++ = t >> 14 & 0xFFC0; - if (src >= line_end - 2) { - if (!(width & 1)) { - *y = 0x80; - src += 2; - } - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; @@ -107,15 +107,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, *y++ = t >> 4 & 0xFFC0; *u++ = t >> 14 & 0xFFC0; - if (src >= line_end - 1) { - *y = 0x80; - src++; - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; @@ -123,18 +116,21 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, *v++ = t >> 4 & 0xFFC0; *y++ = t >> 14 & 0xFFC0; - if (src >= line_end - 2) { - if (width & 1) { - *y = 0x80; - src += 2; - } - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (width - x < 6) break; - } } + + if (x < width) { + y = x + (uint16_t *)(pic->data[0] + line * pic->linesize[0]); + u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); + v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + memcpy(y, y_temp, sizeof(*y) * (width - x)); + memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); + memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + } + + line_end += stride; + src = line_end - stride; } *got_frame = 1; From 572cfee405d93b2a6e195fcc0d91790331381841 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 8 Mar 2015 23:12:59 +0100 Subject: [PATCH 391/492] ffmdec: make sure the time base is valid A negative time base can trigger assertions. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 4c91d81be23ffacfa3897b2bcfa77445bb0c2f89) Conflicts: libavformat/ffmdec.c (cherry picked from commit 9678ceb6976ca8194848b24535785a298521211f) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index e927b21607..2b1891fa23 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -297,6 +297,11 @@ static int ffm2_read_header(AVFormatContext *s) case MKBETAG('S', 'T', 'V', 'I'): codec->time_base.num = avio_rb32(pb); codec->time_base.den = avio_rb32(pb); + if (codec->time_base.num <= 0 || codec->time_base.den <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n", + codec->time_base.num, codec->time_base.den); + goto fail; + } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); @@ -421,6 +426,11 @@ static int ffm_read_header(AVFormatContext *s) case AVMEDIA_TYPE_VIDEO: codec->time_base.num = avio_rb32(pb); codec->time_base.den = avio_rb32(pb); + if (codec->time_base.num <= 0 || codec->time_base.den <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n", + codec->time_base.num, codec->time_base.den); + goto fail; + } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); From a26a200b3f134882f08ee6982cbfc8a2f6867871 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Mar 2015 21:23:32 +0100 Subject: [PATCH 392/492] avformat/mov: Use sizeof(filename) instead of a literal number Signed-off-by: Michael Niedermayer (cherry picked from commit 21a53dd08dce7cc5b3fdf9c4826b4b74d8300ea0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 681260a8b7..516c44ed81 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2220,9 +2220,9 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, filename[src_path - src] = 0; for (i = 1; i < ref->nlvl_from; i++) - av_strlcat(filename, "../", 1024); + av_strlcat(filename, "../", sizeof(filename)); - av_strlcat(filename, ref->path + l + 1, 1024); + av_strlcat(filename, ref->path + l + 1, sizeof(filename)); if (!avio_open2(pb, filename, AVIO_FLAG_READ, int_cb, NULL)) return 0; From dece653d0de93ab4b362e6e888a98045e929f7fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Mar 2015 21:24:54 +0100 Subject: [PATCH 393/492] avformat/mov: Check for string truncation in mov_open_dref() Signed-off-by: Michael Niedermayer (cherry picked from commit 8003816e1619e77d8de051883264aa090e0d78cc) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 516c44ed81..512e8bbd41 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2194,7 +2194,7 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, /* try relative path, we do not try the absolute because it can leak information about our system to an attacker */ if (ref->nlvl_to > 0 && ref->nlvl_from > 0) { - char filename[1024]; + char filename[1025]; const char *src_path; int i, l; @@ -2224,6 +2224,8 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, av_strlcat(filename, ref->path + l + 1, sizeof(filename)); + if (strlen(filename) + 1 == sizeof(filename)) + return AVERROR(ENOENT); if (!avio_open2(pb, filename, AVIO_FLAG_READ, int_cb, NULL)) return 0; } From 9c10ef55b0aa97894b841076c3b893f42235b89a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Mar 2015 21:32:35 +0100 Subject: [PATCH 394/492] avformat/mov: Disallow ".." in dref unless use_absolute_path is set as this kind of allows to circumvent it to some extend. We also could add a separate parameter or value to choose this Found-by: ramiro Signed-off-by: Michael Niedermayer (cherry picked from commit 1e4d0498df6621143da1a550006ddc3526ad51cb) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 512e8bbd41..52d93ee559 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2223,6 +2223,9 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, av_strlcat(filename, "../", sizeof(filename)); av_strlcat(filename, ref->path + l + 1, sizeof(filename)); + if (!use_absolute_path) + if(strstr(ref->path + l + 1, "..") || ref->nlvl_from > 1) + return AVERROR(ENOENT); if (strlen(filename) + 1 == sizeof(filename)) return AVERROR(ENOENT); From 81ba3b1b916692e24d00aed6b673f43ebe13d639 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Mar 2015 23:28:39 +0100 Subject: [PATCH 395/492] avcodec/dnxhddec: Check that the frame is interlaced before using cur_field Fixes Ticket4227 Signed-off-by: Michael Niedermayer (cherry picked from commit 2c660e34cf3c2b77cd2bef6f292920334dfd9192) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 61d769570e..720f1b11cf 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -312,7 +312,7 @@ static int dnxhd_decode_macroblock(DNXHDContext *ctx, AVFrame *frame, int x, int dest_u = frame->data[1] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1)); dest_v = frame->data[2] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1)); - if (ctx->cur_field) { + if (frame->interlaced_frame && ctx->cur_field) { dest_y += frame->linesize[0]; dest_u += frame->linesize[1]; dest_v += frame->linesize[2]; From 936554f1d7388cd9e46add774345b138e55acf47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Mar 2015 15:50:12 +0100 Subject: [PATCH 396/492] avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer Fixes out of array access Fixes: da14e86d8462be6493eab16bc2d40f88/asan_heap-oob_204cfd2_528_cov_340150052_COMPRESS.BMP Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f7e1367f58263593e6cee3c282f7277d7ee9d553) Signed-off-by: Michael Niedermayer --- libavcodec/msrledec.c | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index 83d7d134b1..d6553a83f7 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -37,16 +37,14 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, unsigned char extra_byte, odd_pixel; unsigned char stream_byte; unsigned int pixel_ptr = 0; - int row_dec = pic->linesize[0]; - int row_ptr = (avctx->height - 1) * row_dec; - int frame_size = row_dec * avctx->height; + int line = avctx->height - 1; int i; - while (row_ptr >= 0) { + while (line >= 0 && pixel_ptr <= avctx->width) { if (bytestream2_get_bytes_left(gb) <= 0) { av_log(avctx, AV_LOG_ERROR, - "MS RLE: bytestream overrun, %d rows left\n", - row_ptr); + "MS RLE: bytestream overrun, %dx%d left\n", + avctx->width - pixel_ptr, line); return AVERROR_INVALIDDATA; } rle_code = stream_byte = bytestream2_get_byteu(gb); @@ -55,7 +53,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, stream_byte = bytestream2_get_byte(gb); if (stream_byte == 0) { /* line is done, goto the next one */ - row_ptr -= row_dec; + line--; pixel_ptr = 0; } else if (stream_byte == 1) { /* decode is done */ @@ -65,13 +63,12 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, stream_byte = bytestream2_get_byte(gb); pixel_ptr += stream_byte; stream_byte = bytestream2_get_byte(gb); - row_ptr -= stream_byte * row_dec; } else { // copy pixels from encoded stream odd_pixel = stream_byte & 1; rle_code = (stream_byte + 1) / 2; extra_byte = rle_code & 0x01; - if (row_ptr + pixel_ptr + stream_byte > frame_size || + if (pixel_ptr + 2*rle_code - odd_pixel > avctx->width || bytestream2_get_bytes_left(gb) < rle_code) { av_log(avctx, AV_LOG_ERROR, "MS RLE: frame/stream ptr just went out of bounds (copy)\n"); @@ -82,13 +79,13 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, if (pixel_ptr >= avctx->width) break; stream_byte = bytestream2_get_byteu(gb); - pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4; pixel_ptr++; if (i + 1 == rle_code && odd_pixel) break; if (pixel_ptr >= avctx->width) break; - pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F; pixel_ptr++; } @@ -98,7 +95,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, } } else { // decode a run of data - if (row_ptr + pixel_ptr + stream_byte > frame_size) { + if (pixel_ptr + rle_code > avctx->width + 1) { av_log(avctx, AV_LOG_ERROR, "MS RLE: frame ptr just went out of bounds (run)\n"); return AVERROR_INVALIDDATA; @@ -108,9 +105,9 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, if (pixel_ptr >= avctx->width) break; if ((i & 1) == 0) - pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4; else - pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F; pixel_ptr++; } } From 50e17cdc984ec9ec30a59da355c061bb013cd710 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Mar 2015 04:37:42 +0200 Subject: [PATCH 397/492] avutil/pca: Check for av_malloc* failures Signed-off-by: Michael Niedermayer (cherry picked from commit dadc43eee4d9036aa532665a04720238cc15e922) Signed-off-by: Michael Niedermayer --- libavutil/pca.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavutil/pca.c b/libavutil/pca.c index 311b6bc9cb..a745136e1d 100644 --- a/libavutil/pca.c +++ b/libavutil/pca.c @@ -41,12 +41,20 @@ PCA *ff_pca_init(int n){ return NULL; pca= av_mallocz(sizeof(*pca)); + if (!pca) + return NULL; + pca->n= n; pca->z = av_malloc(sizeof(*pca->z) * n); pca->count=0; pca->covariance= av_calloc(n*n, sizeof(double)); pca->mean= av_calloc(n, sizeof(double)); + if (!pca->z || !pca->covariance || !pca->mean) { + ff_pca_free(pca); + return NULL; + } + return pca; } From 2f51865751778ffccb08ddee2afb71b09ead74ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Apr 2015 18:08:23 +0200 Subject: [PATCH 398/492] avcodec/h264_refs: Do not set reference to things which dont exist Fixes deadlock Fixes Ticket4428 Fixes Ticket4429 Signed-off-by: Michael Niedermayer (cherry picked from commit 429de043202286a2b5bcc082cc02de860b734db2) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 954af21a63..1816fa7328 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -681,7 +681,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count) */ if (h->short_ref_count && h->short_ref[0] == h->cur_pic_ptr) { /* Just mark the second field valid */ - h->cur_pic_ptr->reference = PICT_FRAME; + h->cur_pic_ptr->reference |= h->picture_structure; } else if (h->cur_pic_ptr->long_ref) { av_log(h->avctx, AV_LOG_ERROR, "illegal short term reference " "assignment for second field " From b73e47a413ae7ed7bdfd1a5ae388f919e7dece30 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Mon, 9 Jun 2014 21:46:37 -0700 Subject: [PATCH 399/492] tests/fate.sh: report different status for different errors The order of error codes will be useful in my future fateserver patches. Signed-off-by: Timothy Gu Signed-off-by: Michael Niedermayer (cherry picked from commit cc0057a31c7097839f9c4e4da61e2933b5b0e055) Signed-off-by: Timothy Gu --- tests/fate.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/fate.sh b/tests/fate.sh index a401f9d72b..f7eb068e30 100755 --- a/tests/fate.sh +++ b/tests/fate.sh @@ -110,8 +110,8 @@ echo ${version} >version-$slot rm -rf "${build}" *.log mkdir -p ${build} -configure >configure.log 2>&1 || fail $? "error configuring" -compile >compile.log 2>&1 || fail $? "error compiling" -fate >test.log 2>&1 || fail $? "error testing" +configure >configure.log 2>&1 || fail 3 "error configuring" +compile >compile.log 2>&1 || fail 2 "error compiling" +fate >test.log 2>&1 || fail 1 "error testing" report 0 success clean From feb869b6829ca608f2f0c879728618f11271d695 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 9 Nov 2014 21:37:18 -0800 Subject: [PATCH 400/492] tests: Fix test name for pixfmts tests(cherry picked from commit e1ee0521a698809ed216e9e5c11bd2bbb466ed04) Signed-off-by: Michael Niedermayer --- tests/fate-run.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/fate-run.sh b/tests/fate-run.sh index 9f5690d7be..768c1e1ace 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh @@ -196,12 +196,14 @@ pixfmts(){ $showfiltfmts $filter | awk -F '[ \r]' '/^INPUT/{ fmt=substr($3, 5); print fmt }' | sort >$in_fmts pix_fmts=$(comm -12 $scale_exclude_fmts $in_fmts) + outertest=$test for pix_fmt in $pix_fmts; do test=$pix_fmt video_filter "${prefilter_chain}format=$pix_fmt,$filter=$filter_args" -pix_fmt $pix_fmt done rm $in_fmts $scale_in_fmts $scale_out_fmts $scale_exclude_fmts + test=$outertest } mkdir -p "$outdir" From a5e2f793170bc9daaf270a3ad1914cc05af45b7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Apr 2015 00:04:44 +0200 Subject: [PATCH 401/492] avcodec/aacdec: Fix storing state before PCE decode Fixes Ticket4460 Signed-off-by: Michael Niedermayer (cherry picked from commit e88b3852aefaa39b2170ef185ad03dda18732821) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index a17fb2caf8..b08cf9e7d4 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -419,7 +419,7 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) * Save current output configuration if and only if it has been locked. */ static void push_output_configuration(AACContext *ac) { - if (ac->oc[1].status == OC_LOCKED) { + if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) { ac->oc[0] = ac->oc[1]; } ac->oc[1].status = OC_NONE; From 97b137a64071354f527926ac7d131ebf130fc987 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 14:49:08 +0200 Subject: [PATCH 402/492] msrledec: use signed pixel_ptr in msrle_decode_pal4 This fixes segmentation faults, when pic->linesize[0] is negative. In that case 'line * pic->linesize[0] + pixel_ptr' is treated as unsigned and wraps around. This reverts commit 7d78a964. The problem was introduced in commit f7e1367f, which should obsolete that commit. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ae6fd7300b4e9f81d3b5ba201096ffe7cccf26fb) Signed-off-by: Michael Niedermayer --- libavcodec/msrledec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index d6553a83f7..bc3eb406bc 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -36,7 +36,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, unsigned char rle_code; unsigned char extra_byte, odd_pixel; unsigned char stream_byte; - unsigned int pixel_ptr = 0; + int pixel_ptr = 0; int line = avctx->height - 1; int i; From 743973f56f94e12c9153c06b17fb59cac7ccda39 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 19:12:02 +0200 Subject: [PATCH 403/492] aasc: return correct buffer size from aasc_decode_frame Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 0be54ad280cf114c02306b7063147e8379f8ed1e) Signed-off-by: Michael Niedermayer --- libavcodec/aasc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 26ba30dd14..17e639b05b 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -139,7 +139,7 @@ static int aasc_decode_frame(AVCodecContext *avctx, return ret; /* report that the buffer was completely consumed */ - return buf_size; + return avpkt->size; } static av_cold int aasc_decode_end(AVCodecContext *avctx) From c962405c1968c0bfb3271f225df3ccabcb683c0e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 20:04:54 +0200 Subject: [PATCH 404/492] aacpsy: avoid psy_band->threshold becoming NaN If band->thr is 0.0f, the division is undefined, making norm_fac not a number or infinity, which causes psy_band->threshold to become NaN. This is passed on to other variables until it finally reaches sce->sf_idx and is converted to an integer (-2147483648). This causes a segmentation fault when it is used as array index. Signed-off-by: Andreas Cadhalpun Reviewed-by: Claudio Freire Signed-off-by: Michael Niedermayer (cherry picked from commit e224aa41917454e7b5c23d9f2541425743ce595a) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index d2a782e8dd..a1183bea3f 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -727,7 +727,10 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, if (active_lines > 0.0f) band->thr = calc_reduced_thr_3gpp(band, coeffs[g].min_snr, reduction); pe += calc_pe_3gpp(band); - band->norm_fac = band->active_lines / band->thr; + if (band->thr > 0.0f) + band->norm_fac = band->active_lines / band->thr; + else + band->norm_fac = 0.0f; norm_fac += band->norm_fac; } } From 997a997465b5848bfa8437345fef67c81ccfd387 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 21:25:26 +0200 Subject: [PATCH 405/492] ac3: validate end in ff_ac3_bit_alloc_calc_mask This fixes an invalid read if end is 0: band_end = ff_ac3_bin_to_band_tab[end-1] + 1; Depending on what is before the array, this can cause stack smashing, when band_end becomes too large. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit bc4fee7f2a51635fa3c0f61d1e5164da1efeded3) Signed-off-by: Michael Niedermayer --- libavcodec/ac3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ac3.c b/libavcodec/ac3.c index 29e132f5d1..8d39bbe83b 100644 --- a/libavcodec/ac3.c +++ b/libavcodec/ac3.c @@ -131,6 +131,9 @@ int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, int band_start, band_end, begin, end1; int lowcomp, fastleak, slowleak; + if (end <= 0) + return AVERROR_INVALIDDATA; + /* excitation function */ band_start = ff_ac3_bin_to_band_tab[start]; band_end = ff_ac3_bin_to_band_tab[end-1] + 1; From 82e24ec792fcaa2bb4c5ca61121cb35024c3bfaa Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 18 Apr 2015 18:31:36 +0200 Subject: [PATCH 406/492] alsdec: ensure channel reordering is reversible If the same idx is used for more than one i, at least one entry in sconf->chan_pos remains uninitialized. This can cause segmentation faults. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ef16501aebed43e34a3721336e8bee732eca2877) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 5e08295f2a..bf2c997562 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -355,11 +355,15 @@ static av_cold int read_specific_config(ALSDecContext *ctx) ctx->cs_switch = 1; + for (i = 0; i < avctx->channels; i++) { + sconf->chan_pos[i] = -1; + } + for (i = 0; i < avctx->channels; i++) { int idx; idx = get_bits(&gb, chan_pos_bits); - if (idx >= avctx->channels) { + if (idx >= avctx->channels || sconf->chan_pos[idx] != -1) { av_log(avctx, AV_LOG_WARNING, "Invalid channel reordering.\n"); ctx->cs_switch = 0; break; From baa58c19c48fa34a3782cd93264b7b0b1c7091e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Apr 2015 20:50:23 +0200 Subject: [PATCH 407/492] avcodec/alsdec: Use av_mallocz_array() for chan_data to ensure the arrays never contain random data Signed-off-by: Michael Niedermayer (cherry picked from commit 7e104647a3556fc61a139483cee1cb7dfa2dc5bd) Conflicts: libavcodec/alsdec.c --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index bf2c997562..636ec34986 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1703,9 +1703,9 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate and assign channel data buffer for mcc mode if (sconf->mc_coding) { - ctx->chan_data_buffer = av_malloc(sizeof(*ctx->chan_data_buffer) * + ctx->chan_data_buffer = av_mallocz(sizeof(*ctx->chan_data_buffer) * num_buffers * num_buffers); - ctx->chan_data = av_malloc(sizeof(*ctx->chan_data) * + ctx->chan_data = av_mallocz(sizeof(*ctx->chan_data) * num_buffers); ctx->reverted_channels = av_malloc(sizeof(*ctx->reverted_channels) * num_buffers); From a1f0c1b6fe10c7341679678c959a2784a8e885d0 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 18 Apr 2015 20:09:28 +0200 Subject: [PATCH 408/492] alsdec: validate time diff index If begin is smaller than t, the subtraction 'begin -= t' wraps around, because begin is unsigned. The same applies for end < t. This causes segmentation faults. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit faf9fe2c224ea81a98afd53e2f0be0a2e13aeca9) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 636ec34986..03bb2da6f8 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1272,8 +1272,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (ch[dep].time_diff_sign) { t = -t; + if (t > 0 && begin < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t); + return AVERROR_INVALIDDATA; + } begin -= t; } else { + if (t > 0 && end < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t); + return AVERROR_INVALIDDATA; + } end -= t; } From 1a87782c2e55753a3b34dc8f1064dc267401cae8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Apr 2015 22:22:31 +0200 Subject: [PATCH 409/492] avformat/utils: Ensure that AVFMT_FLAG_CUSTOM_IO is set before use Signed-off-by: Michael Niedermayer (cherry picked from commit ba631b791435c395361e2026fc7419b341e57813) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 9309b91cee..76142a7692 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -483,6 +483,9 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputForma if (options) av_dict_copy(&tmp, *options, 0); + if (s->pb) // must be before any goto fail + s->flags |= AVFMT_FLAG_CUSTOM_IO; + if ((ret = av_opt_set_dict(s, &tmp)) < 0) goto fail; From 1303d8a204d181e5a2db595a74a2fce1d08f22ac Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 21 Apr 2015 19:25:50 +0200 Subject: [PATCH 410/492] alsdec: check sample pointer range in revert_channel_correlation Also change the type of begin, end and smp to ptrdiff_t to make the comparison well-defined. Signed-off-by: Andreas Cadhalpun Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit afc7748d1f6abc4b3b1cc957b0fa6941837db3d0) Conflicts: libavcodec/alsdec.c (cherry picked from commit 0b5405c443ec8adc3c114e508b71ce2012c83f0d) --- libavcodec/alsdec.c | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 03bb2da6f8..e21809a072 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1230,6 +1230,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, ALSChannelData *ch = cd[c]; unsigned int dep = 0; unsigned int channels = ctx->avctx->channels; + unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order; if (reverted[c]) return 0; @@ -1261,9 +1262,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, dep = 0; while (!ch[dep].stop_flag) { - unsigned int smp; - unsigned int begin = 1; - unsigned int end = bd->block_length - 1; + ptrdiff_t smp; + ptrdiff_t begin = 1; + ptrdiff_t end = bd->block_length - 1; int64_t y; int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset; @@ -1272,19 +1273,28 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (ch[dep].time_diff_sign) { t = -t; - if (t > 0 && begin < t) { - av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t); + if (begin < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "begin %td smaller than time diff index %d.\n", begin, t); return AVERROR_INVALIDDATA; } begin -= t; } else { - if (t > 0 && end < t) { - av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t); + if (end < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "end %td smaller than time diff index %d.\n", end, t); return AVERROR_INVALIDDATA; } end -= t; } + if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master || + FFMAX(end + 1, end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1, end + 1 + t), + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1 ]) + @@ -1297,6 +1307,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, bd->raw_samples[smp] += y >> 7; } } else { + + if (begin - 1 < ctx->raw_buffer - master || + end + 1 > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + begin - 1, master + end + 1, + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1]) + From cee951b596f1b844cfdbc9289febae689bc944ff Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 16:32:42 +0200 Subject: [PATCH 411/492] mpeg4videodec: only allow a positive length Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit b3408ae4c64cb674b1d5f0f30171759113ce722a) Conflicts: libavcodec/mpeg4videodec.c (cherry picked from commit 3339bae2197a2a02b090e74a8720282b5b87598e) --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index be4aa37589..57b62423d8 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -186,13 +186,13 @@ static int mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb) int x=0, y=0; length= get_vlc2(gb, sprite_trajectory.table, SPRITE_TRAJ_VLC_BITS, 3); - if(length){ + if(length > 0){ x= get_xbits(gb, length); } if(!(s->divx_version==500 && s->divx_build==413)) skip_bits1(gb); /* marker bit */ length= get_vlc2(gb, sprite_trajectory.table, SPRITE_TRAJ_VLC_BITS, 3); - if(length){ + if(length > 0){ y=get_xbits(gb, length); } skip_bits1(gb); /* marker bit */ From cf13885622c33302d1d7fcfda0d47cf32256732e Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 22 Apr 2015 14:59:56 +0100 Subject: [PATCH 412/492] lavf: Reset global flag on deinit Signed-off-by: Michael Niedermayer (cherry picked from commit 32da94fa7f73ac749e0a1e2f20499fad2f6f57fe) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 76142a7692..73ae7c2ae5 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3992,6 +3992,7 @@ int avformat_network_deinit(void) #if CONFIG_NETWORK ff_network_close(); ff_tls_deinit(); + ff_network_inited_globally = 0; #endif return 0; } From c7e56b8b9cc21fac33177f7a790f8dbaede69db9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 16:03:41 +0200 Subject: [PATCH 413/492] alsdec: only adapt order for positive max_order For max_order = 0 the clipping range is invalid. (amin = 2, amax = 1) Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 58d605ee9b3277289278dc40e022311f8e083833) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e21809a072..bfadf70e0d 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -680,7 +680,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (!sconf->rlslms) { - if (sconf->adapt_order) { + if (sconf->adapt_order && sconf->max_order) { int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); From 2d204f313bd00e7d4ab29239833aeb0a5ab39c29 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 24 Apr 2015 00:01:43 +0200 Subject: [PATCH 414/492] alac: reject rice_limit 0 if compression is used If rice_limit is 0, k can be 0 in decode_scalar, which calls show_bits(gb, k). Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 4b657a1b1eedcf38bcf36e89a2f4be6f76b5ce09) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 6ffc00634f..9ead233985 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -311,6 +311,11 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, int lpc_quant[2]; int rice_history_mult[2]; + if (!alac->rice_limit) { + avpriv_request_sample(alac->avctx, "Compression with rice limit 0"); + return AVERROR(ENOSYS); + } + decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); From 9f665b0d6a12b4b351f93dd4ae33448223b3afb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Apr 2015 04:27:56 +0200 Subject: [PATCH 415/492] tests/fate-run: do not attempt to parse tiny_psnrs output if it failed This avoids confusing syntax errors with awk later Likely fixes awk errors at: http://buildd.debian-ports.org/status/fetch.php?pkg=ffmpeg&arch=sparc64&ver=7%3A2.6.2-1&stamp=1428928967 Reviewed-by: Timothy Gu Thanks-to: Andreas Cadhalpun for the link Signed-off-by: Michael Niedermayer (cherry picked from commit c0d847e457c1ef72843a63853f1135d52b74131e) Signed-off-by: Michael Niedermayer --- tests/fate-run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate-run.sh b/tests/fate-run.sh index 768c1e1ace..0dbc9bee51 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh @@ -42,7 +42,7 @@ compare(){ } do_tiny_psnr(){ - psnr=$(tests/tiny_psnr "$1" "$2" $cmp_unit $cmp_shift 0) + psnr=$(tests/tiny_psnr "$1" "$2" $cmp_unit $cmp_shift 0) || return 1 val=$(expr "$psnr" : ".*$3: *\([0-9.]*\)") size1=$(expr "$psnr" : '.*bytes: *\([0-9]*\)') size2=$(expr "$psnr" : '.*bytes:[ 0-9]*/ *\([0-9]*\)') From 57208a0999a0cc7377187bd7f6e23904133b5d59 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 00:30:51 +0200 Subject: [PATCH 416/492] apedec: set s->samples only when init_frame_decoder succeeded Otherwise range_start_decoding is not necessarily run and thus ctx->rc.range still 0 in range_dec_normalize leading to an infinite loop. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 464c49155ce7ffc88ed39eb2511e7a75565c24be) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 1f55dab851..ae3ae64e00 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1467,13 +1467,13 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %u.\n", nblocks); return AVERROR_INVALIDDATA; } - s->samples = nblocks; /* Initialize the frame decoder */ if (init_frame_decoder(s) < 0) { av_log(avctx, AV_LOG_ERROR, "Error reading frame header\n"); return AVERROR_INVALIDDATA; } + s->samples = nblocks; } if (!s->data) { From e6cc6a08d9938c9c8dd2efa682112d7ca91a5512 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 11:13:43 +0200 Subject: [PATCH 417/492] apedec: prevent out of array writes in decode_array_0000 s->decoded_buffer is allocated with a min_size of: 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer) Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8) to s->decoded[1]) and passed as out buffer to decode_array_0000. In this function 64 elements of the out buffer are written unconditionally and outside the array if blockstodecode is too small. This causes memory corruption, leading to segmentation faults or other crashes. Thus change decode_array_0000 to write at most blockstodecode elements of the out buffer. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 699341d647f7af785fb8ceed67604467b0b9ab12) Conflicts: libavcodec/apedec.c Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index ae3ae64e00..dab5c34979 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -598,12 +598,12 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, int ksummax, ksummin; rice->ksum = 0; - for (i = 0; i < 5; i++) { + for (i = 0; i < FFMIN(blockstodecode, 5); i++) { out[i] = get_rice_ook(&ctx->gb, 10); rice->ksum += out[i]; } rice->k = av_log2(rice->ksum / 10) + 1; - for (; i < 64; i++) { + for (; i < FFMIN(blockstodecode, 64); i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); rice->ksum += out[i]; rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1; From 35ca5eb11f19faf86dbd0c604594091d5ff182ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Apr 2015 14:29:47 +0200 Subject: [PATCH 418/492] ffmpeg: remove incorrect network deinit Signed-off-by: Michael Niedermayer (cherry picked from commit e2877bdf3862325c2982c3237d9bf28f1bbf793f) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 1 - 1 file changed, 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index e8d281589c..d78f2ca92a 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -349,7 +349,6 @@ void term_init(void) signal(SIGQUIT, sigterm_handler); /* Quit (POSIX). */ } #endif - avformat_network_deinit(); signal(SIGINT , sigterm_handler); /* Interrupt (ANSI). */ signal(SIGTERM, sigterm_handler); /* Termination (ANSI). */ From 7f2b3c3bee6f6ca57d7074cf272685c2c0e3f03c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 20:31:56 +0200 Subject: [PATCH 419/492] nutdec: check for negative frame rate in decode_info_header A negative frame rate triggers an av_assert2 in av_rescale_rnd. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6621105877ce0d65724a8ab60b3a50160adbe65d) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 13048fba97..3eb6d4b703 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -530,7 +530,8 @@ static int decode_info_header(NUTContext *nut) if (stream_id_plus1 && !strcmp(name, "r_frame_rate")) { sscanf(str_value, "%d/%d", &st->r_frame_rate.num, &st->r_frame_rate.den); - if (st->r_frame_rate.num >= 1000LL*st->r_frame_rate.den) + if (st->r_frame_rate.num >= 1000LL*st->r_frame_rate.den || + st->r_frame_rate.num < 0 || st->r_frame_rate.num < 0) st->r_frame_rate.num = st->r_frame_rate.den = 0; continue; } From 0691554e68e36833586f5d5a9ada0f7cdbf88fb2 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 20:57:59 +0200 Subject: [PATCH 420/492] nutdec: check chapter creation in decode_info_header This fixes a segmentation fault when accessing the metadata. Signed-off-by: Michael Niedermayer (cherry picked from commit 3ff1af2b0db7132d5717be6395227a94c8abab07) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 3eb6d4b703..202d84c250 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -487,6 +487,10 @@ static int decode_info_header(NUTContext *nut) nut->time_base[chapter_start % nut->time_base_count], start, start + chapter_len, NULL); + if (!chapter) { + av_log(s, AV_LOG_ERROR, "could not create chapter\n"); + return AVERROR(ENOMEM); + } metadata = &chapter->metadata; } else if (stream_id_plus1) { st = s->streams[stream_id_plus1 - 1]; From 9d5362a45cbd8777751e8a98e7cb8c26f180868c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 22:37:19 +0200 Subject: [PATCH 421/492] nutdec: fix illegal count check in decode_main_header The existing check has two problems: 1) i + count can overflow, so that the check '< 256' returns true. 2) In the (i == 'N') case occurs a j-- so that the loop runs once more. This can trigger the assertion 'nut->header_len[0] == 0' or cause segmentation faults or infinite hangs. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 7c24ca1bda2d4df1dc9b2b982941be532d60da21) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 202d84c250..961f76ccd3 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -286,7 +286,7 @@ static int decode_main_header(NUTContext *nut) while (tmp_fields-- > 8) ffio_read_varlen(bc); - if (count == 0 || i + count > 256) { + if (count <= 0 || count > 256 - (i <= 'N') - i) { av_log(s, AV_LOG_ERROR, "illegal count %d at %d\n", count, i); return AVERROR_INVALIDDATA; } From 9ac72b1dde34bd17ac6b8bdf57c82a4f609a917b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 May 2015 15:54:21 +0200 Subject: [PATCH 422/492] avcodec/wavpack: Check L/R values before use to avoid harmless integer overflow and undefined behavior in fate Signed-off-by: Michael Niedermayer (cherry picked from commit 042260cde4ecf716438c5fc92d15ad5f037ee2e1) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 82c9b37312..80930f5fa3 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -630,6 +630,14 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, s->decorr[i].samplesB[0] = L; } } + + if (type == AV_SAMPLE_FMT_S16P) { + if (FFABS(L) + FFABS(R) > (1<<19)) { + av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); + return AVERROR_INVALIDDATA; + } + } + pos = (pos + 1) & 7; if (s->joint) L += (R -= (L >> 1)); From ac7a211b3be16946acc1832d54b5e3a39dde80ce Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 May 2015 23:07:20 +0200 Subject: [PATCH 423/492] matroskadec: use uint64_t instead of int for index_scale index_scale is set to matroska->time_scale of type uint64_t. When index_scale is int, the assignment can overflow and e.g. result in index_scale = 0. This causes a floating point exception due to the division by index_scale. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit eb9fb508b0e09d85d234fe694333b2005e1d7a7e) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 361d9de820..0d759fef91 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1416,7 +1416,7 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) static void matroska_add_index_entries(MatroskaDemuxContext *matroska) { EbmlList *index_list; MatroskaIndex *index; - int index_scale = 1; + uint64_t index_scale = 1; int i, j; index_list = &matroska->index; From d2142c3b3a98ecf5abf80afac0abf2798d4806ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 May 2015 13:37:26 +0200 Subject: [PATCH 424/492] avcodec/ffv1dec: Check chroma shift parameters Signed-off-by: Michael Niedermayer (cherry picked from commit d43cd6b08ed555c303478e3133717fbb2236be6e) Conflicts: libavcodec/ffv1dec.c --- libavcodec/ffv1dec.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index d1e6e4e864..eb8606a44a 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -507,6 +507,12 @@ static int read_extra_header(FFV1Context *f) f->num_h_slices = 1 + get_symbol(c, state, 0); f->num_v_slices = 1 + get_symbol(c, state, 0); + if (f->chroma_h_shift > 4U || f->chroma_v_shift > 4U) { + av_log(f->avctx, AV_LOG_ERROR, "chroma shift parameters %d %d are invalid\n", + f->chroma_h_shift, f->chroma_v_shift); + return AVERROR_INVALIDDATA; + } + if (f->num_h_slices > (unsigned)f->width || !f->num_h_slices || f->num_v_slices > (unsigned)f->height || !f->num_v_slices ) { @@ -598,6 +604,12 @@ static int read_header(FFV1Context *f) } } + if (chroma_h_shift > 4U || chroma_v_shift > 4U) { + av_log(f->avctx, AV_LOG_ERROR, "chroma shift parameters %d %d are invalid\n", + chroma_h_shift, chroma_v_shift); + return AVERROR_INVALIDDATA; + } + f->colorspace = colorspace; f->avctx->bits_per_raw_sample = bits_per_raw_sample; f->chroma_planes = chroma_planes; From 68e1c80c67daeb29bd7e8d8d104faf9439b70b74 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 May 2015 23:55:20 +0200 Subject: [PATCH 425/492] matroskadec: check s->streams[k] before using it This fixes a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit e54540655f229d06667dc7fa7005f2a20e101e80) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 0d759fef91..49c1200367 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1854,7 +1854,7 @@ static int matroska_read_header(AVFormatContext *s) snprintf(buf, sizeof(buf), "%s_%d", ff_matroska_video_stereo_plane[planes[j].type], i); for (k=0; k < matroska->tracks.nb_elem; k++) - if (planes[j].uid == tracks[k].uid) { + if (planes[j].uid == tracks[k].uid && s->streams[k]) { av_dict_set(&s->streams[k]->metadata, "stereo_mode", buf, 0); break; From 35eabb85b2a68ea5620c5cbd21fb478291bc7b51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 May 2015 15:47:54 +0200 Subject: [PATCH 426/492] avformat/matroskadec: Use tracks[k]->stream instead of s->streams[k] The later is not correct Signed-off-by: Michael Niedermayer (cherry picked from commit 5d309d309108684f742bbf5fc2393f1c519cda72) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 49c1200367..0b87573f5a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1854,8 +1854,8 @@ static int matroska_read_header(AVFormatContext *s) snprintf(buf, sizeof(buf), "%s_%d", ff_matroska_video_stereo_plane[planes[j].type], i); for (k=0; k < matroska->tracks.nb_elem; k++) - if (planes[j].uid == tracks[k].uid && s->streams[k]) { - av_dict_set(&s->streams[k]->metadata, + if (planes[j].uid == tracks[k].uid && tracks[k].stream) { + av_dict_set(&tracks[k].stream->metadata, "stereo_mode", buf, 0); break; } From 4d27d864a653c47b76da2ad994799e994720dbf6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 May 2015 23:01:45 +0200 Subject: [PATCH 427/492] avidec: avoid infinite loop due to negative ast->sample_size If max in clean_index is set to a negative ast->sample_size, the following loop never ends: while (max < 1024) max += max; Thus set ast->sample_size to 0 if it would otherwise be negative. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ca234639ac49a0dc073ac1f10977979acdb94f97) Conflicts: libavformat/avidec.c --- libavformat/avidec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 87a5e7cf00..1d5e3bafb3 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -571,6 +571,7 @@ static int avi_read_header(AVFormatContext *s) default: av_log(s, AV_LOG_INFO, "unknown stream type %X\n", tag1); } + ast->sample_size = FFMAX(ast->sample_size, 0); if(ast->sample_size == 0) { st->duration = st->nb_frames; if (st->duration > 0 && avi->io_fsize > 0 && avi->riff_end > avi->io_fsize) { From 869613728cea6c26aa1428f099abbb6f100046db Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 5 May 2015 21:33:08 +0200 Subject: [PATCH 428/492] diracdec: prevent overflow in data_unit_size check buf_idx + data_unit_size can overflow, causing the '> buf_size' check to wrongly fail. This causes a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 984f50deb2d48f6844d65e10991b996a6d29e87c) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 02ec30b285..234cf7eed3 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1893,8 +1893,8 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, break; data_unit_size = AV_RB32(buf+buf_idx+5); - if (buf_idx + data_unit_size > buf_size || !data_unit_size) { - if(buf_idx + data_unit_size > buf_size) + if (data_unit_size > buf_size - buf_idx || !data_unit_size) { + if(data_unit_size > buf_size - buf_idx) av_log(s->avctx, AV_LOG_ERROR, "Data unit with size %d is larger than input buffer, discarding\n", data_unit_size); From ebc768cfa1c928ca38580e17bbf8f1b164731eb6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 5 May 2015 22:10:44 +0200 Subject: [PATCH 429/492] diracdec: avoid overflow of bytes*8 in decode_lowdelay If bytes is large enough, bytes*8 can overflow and become negative. In that case 'bufsize -= bytes*8' causes bufsize to increase instead of decrease. This leads to a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 9e66b39aa87eb653a6e5d15f70b792ccbf719de7) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 234cf7eed3..f74a903b3c 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -785,7 +785,10 @@ static void decode_lowdelay(DiracContext *s) slice_num++; buf += bytes; - bufsize -= bytes*8; + if (bufsize/8 >= bytes) + bufsize -= bytes*8; + else + bufsize = 0; } avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num, From 994538281645e1f12a0e238b5b7225566e51a98c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 5 May 2015 23:51:48 +0200 Subject: [PATCH 430/492] diracdec: check if reference could not be allocated s->ref_pics[i] is later used as ref argument of interpolate_refplane, where it is dereferenced. If it is NULL, it causes a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d93181ef3eacdb862d93448f31c97765a523d1db) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index f74a903b3c..cf1a5c7d9d 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1701,6 +1701,12 @@ static int dirac_decode_picture_header(DiracContext *s) ff_get_buffer(s->avctx, &s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF); break; } + + if (!s->ref_pics[i]) { + av_log(s->avctx, AV_LOG_ERROR, "Reference could not be allocated\n"); + return -1; + } + } /* retire the reference frames that are not used anymore */ From bf665557691571632ff22f5457e79d44a3045dfe Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 6 May 2015 15:34:53 +0200 Subject: [PATCH 431/492] diracdec: check that block length is valid In init_planes p->xblen and p->yblen are set to: p->xblen = s->plane[0].xblen >> s->chroma_x_shift; p->yblen = s->plane[0].yblen >> s->chroma_y_shift; These are later used as block_w and block_h arguments of s->vdsp.emulated_edge_mc. If one of them is 0 it triggers an av_assert2 in emulated_edge_mc: av_assert2(start_x < end_x && block_w > 0); av_assert2(start_y < end_y && block_h > 0); Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 75fc81c8318505aa7946e05a9bee08d47241fc66) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index cf1a5c7d9d..8bd9a3eef1 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -885,6 +885,14 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) /*[DIRAC_STD] 11.2.4 motion_data_dimensions() Calculated in function dirac_unpack_block_motion_data */ + if (s->plane[0].xblen % (1 << s->chroma_x_shift) != 0 || + s->plane[0].yblen % (1 << s->chroma_y_shift) != 0 || + !s->plane[0].xblen || !s->plane[0].yblen) { + av_log(s->avctx, AV_LOG_ERROR, + "invalid x/y block length (%d/%d) for x/y chroma shift (%d/%d)\n", + s->plane[0].xblen, s->plane[0].yblen, s->chroma_x_shift, s->chroma_y_shift); + return AVERROR_INVALIDDATA; + } if (!s->plane[0].xbsep || !s->plane[0].ybsep || s->plane[0].xbsep < s->plane[0].xblen/2 || s->plane[0].ybsep < s->plane[0].yblen/2) { av_log(s->avctx, AV_LOG_ERROR, "Block separation too small\n"); return -1; From 998d943cce73ac186cc002786f79db6fd46e4b75 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 15:23:24 +0200 Subject: [PATCH 432/492] aacsbr: break infinite loop in sbr_hf_calc_npatches Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 584cc1ade10a3297ef9c107ef3a2081c04024156) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 0b6779c293..4cbd74d061 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -520,7 +520,7 @@ static int sbr_make_f_master(AACContext *ac, SpectralBandReplication *sbr, /// High Frequency Generation - Patch Construction (14496-3 sp04 p216 fig. 4.46) static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) { - int i, k, sb = 0; + int i, k, last_k = -1, last_msb = -1, sb = 0; int msb = sbr->k[0]; int usb = sbr->kx[1]; int goal_sb = ((1000 << 11) + (sbr->sample_rate >> 1)) / sbr->sample_rate; @@ -534,6 +534,12 @@ static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) do { int odd = 0; + if (k == last_k && msb == last_msb) { + av_log(ac->avctx, AV_LOG_ERROR, "patch construction failed\n"); + return AVERROR_INVALIDDATA; + } + last_k = k; + last_msb = msb; for (i = k; i == k || sb > (sbr->k[0] - 1 + msb - odd); i--) { sb = sbr->f_master[i]; odd = (sb + sbr->k[0]) & 1; From fdc62caf3075d02c0a65368cd43c98dde04e4185 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2015 16:09:07 +0200 Subject: [PATCH 433/492] avutil/dict: Use size_t for appending strings the string length is not constrained to INT_MAX Signed-off-by: Michael Niedermayer (cherry picked from commit 4c128ea1629116fc4936edc5f96bbd18f3ef1647) Conflicts: libavutil/dict.c --- libavutil/dict.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/dict.c b/libavutil/dict.c index 3a0e84cd40..73dbfd55a0 100644 --- a/libavutil/dict.c +++ b/libavutil/dict.c @@ -92,7 +92,7 @@ int av_dict_set(AVDictionary **pm, const char *key, const char *value, int flags if (flags & AV_DICT_DONT_STRDUP_VAL) { m->elems[m->count].value = (char*)(intptr_t)value; } else if (oldval && flags & AV_DICT_APPEND) { - int len = strlen(oldval) + strlen(value) + 1; + size_t len = strlen(oldval) + strlen(value) + 1; char *newval = av_mallocz(len); if (!newval) return AVERROR(ENOMEM); From db0c4d2e3c7079c2d854e258b494b39a55b84a90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 15:23:51 +0200 Subject: [PATCH 434/492] avformat/vorbiscomment: Check entry length in ff_vorbiscomment_write() Signed-off-by: Michael Niedermayer (cherry picked from commit eca38864a6ce5053e463b8d3fc22b22bc9a49578) Signed-off-by: Michael Niedermayer --- libavformat/vorbiscomment.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/vorbiscomment.c b/libavformat/vorbiscomment.c index 9b38e6a791..df5171dad9 100644 --- a/libavformat/vorbiscomment.c +++ b/libavformat/vorbiscomment.c @@ -62,8 +62,10 @@ int ff_vorbiscomment_write(uint8_t **p, AVDictionary **m, AVDictionaryEntry *tag = NULL; bytestream_put_le32(p, count); while ((tag = av_dict_get(*m, "", tag, AV_DICT_IGNORE_SUFFIX))) { - unsigned int len1 = strlen(tag->key); - unsigned int len2 = strlen(tag->value); + int64_t len1 = strlen(tag->key); + int64_t len2 = strlen(tag->value); + if (len1+1+len2 > UINT32_MAX) + return AVERROR(EINVAL); bytestream_put_le32(p, len1+1+len2); bytestream_put_buffer(p, tag->key, len1); bytestream_put_byte(p, '='); From 93a04473fc09b6283f3d8322f862ce882a47e0d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 20:01:15 +0200 Subject: [PATCH 435/492] avutil/avstring: Use size_t in av_strlcatf() Signed-off-by: Michael Niedermayer (cherry picked from commit ae4eea8be45a0b212fd57ceaac1f11089ab81d98) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/avstring.c b/libavutil/avstring.c index cf9be2a0d5..6127a985e0 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -99,7 +99,7 @@ size_t av_strlcat(char *dst, const char *src, size_t size) size_t av_strlcatf(char *dst, size_t size, const char *fmt, ...) { - int len = strlen(dst); + size_t len = strlen(dst); va_list vl; va_start(vl, fmt); From c7b089b1ac804b4a29124404add1b5cfbccbdb4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 03:50:01 +0200 Subject: [PATCH 436/492] avformat/url: Use size_t for len from strlen() Signed-off-by: Michael Niedermayer (cherry picked from commit 95efc651294b3cf3e5ec4b3ed36e79d7261545ff) Signed-off-by: Michael Niedermayer --- libavformat/url.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/url.c b/libavformat/url.c index 47e15843cf..9b94163637 100644 --- a/libavformat/url.c +++ b/libavformat/url.c @@ -68,7 +68,7 @@ int ff_url_join(char *str, int size, const char *proto, av_strlcatf(str, size, ":%d", port); if (fmt) { va_list vl; - int len = strlen(str); + size_t len = strlen(str); va_start(vl, fmt); vsnprintf(str + len, size > len ? size - len : 0, fmt, vl); From 5399107682ae7cab7c38ef18ff636dca9e3ff1e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2015 15:38:40 +0200 Subject: [PATCH 437/492] avformat/subtitles: Use size_t for len MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit string length could theoretically be larger than int Reviewed-by: Clément Bœsch Signed-off-by: Michael Niedermayer (cherry picked from commit a633928d47057426a9c328da594407d1c7da8a5c) Signed-off-by: Michael Niedermayer --- libavformat/subtitles.c | 4 ++-- libavformat/subtitles.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index d2eb53cab5..f173af4cfc 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -24,7 +24,7 @@ #include "libavutil/avstring.h" AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, - const uint8_t *event, int len, int merge) + const uint8_t *event, size_t len, int merge) { AVPacket *subs, *sub; @@ -180,7 +180,7 @@ int ff_smil_extract_next_chunk(AVIOContext *pb, AVBPrint *buf, char *c) const char *ff_smil_get_attr_ptr(const char *s, const char *attr) { int in_quotes = 0; - const int len = strlen(attr); + const size_t len = strlen(attr); while (*s) { while (*s) { diff --git a/libavformat/subtitles.h b/libavformat/subtitles.h index 8f68e7bda1..2cfadeaac0 100644 --- a/libavformat/subtitles.h +++ b/libavformat/subtitles.h @@ -41,7 +41,7 @@ typedef struct { * previous one instead of adding a new entry, 0 otherwise */ AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, - const uint8_t *event, int len, int merge); + const uint8_t *event, size_t len, int merge); /** * Set missing durations and sort subtitles by PTS, and then byte position. From 1dad249ae66ce0cc77f610dbed11d21676f09b07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 03:59:30 +0200 Subject: [PATCH 438/492] tools/graph2dot: use larger data types than int for array/string sizes Signed-off-by: Michael Niedermayer (cherry picked from commit acf4925f444636a828534ab47d0f86c21a7a9b4e) Signed-off-by: Michael Niedermayer --- tools/graph2dot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/graph2dot.c b/tools/graph2dot.c index 2daceb6152..e2c9d0a0f9 100644 --- a/tools/graph2dot.c +++ b/tools/graph2dot.c @@ -153,7 +153,7 @@ int main(int argc, char **argv) /* read from infile and put it in a buffer */ { - unsigned int count = 0; + int64_t count = 0; struct line *line, *last_line, *first_line; char *p; last_line = first_line = av_malloc(sizeof(struct line)); @@ -169,7 +169,7 @@ int main(int argc, char **argv) graph_string = av_malloc(count + 1); p = graph_string; for (line = first_line; line->next; line = line->next) { - unsigned int l = strlen(line->data); + size_t l = strlen(line->data); memcpy(p, line->data, l); p += l; } From 4a9ce87ef334e4ae2f21bfa9dc392e7203d2316a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 18:03:55 +0200 Subject: [PATCH 439/492] avformat/rtpdec_xiph: Check upper bound on len in xiph_handle_packet() Larger packets are not supported and would cause problems later Signed-off-by: Michael Niedermayer (cherry picked from commit aa5169935e160551fb1c290d1397da2f04325817) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_xiph.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_xiph.c b/libavformat/rtpdec_xiph.c index 52a94b3159..7d3d61ed8d 100644 --- a/libavformat/rtpdec_xiph.c +++ b/libavformat/rtpdec_xiph.c @@ -111,7 +111,7 @@ static int xiph_handle_packet(AVFormatContext *ctx, PayloadContext *data, return data->split_pkts > 0; } - if (len < 6) { + if (len < 6 || len > INT_MAX/2) { av_log(ctx, AV_LOG_ERROR, "Invalid %d byte packet\n", len); return AVERROR_INVALIDDATA; } From b470e21d61558be80c40dd47bfae85e7fe4a99e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 17:55:40 +0200 Subject: [PATCH 440/492] avformat/rtpenc_jpeg: Check remaining buffer size for SOS Fixes CID1238818 Signed-off-by: Michael Niedermayer (cherry picked from commit 81198a68370e88f7d02f16de58db36713c2a50b6) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_jpeg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/rtpenc_jpeg.c b/libavformat/rtpenc_jpeg.c index 7eb0e23c6f..47898a30ad 100644 --- a/libavformat/rtpenc_jpeg.c +++ b/libavformat/rtpenc_jpeg.c @@ -80,6 +80,11 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) } else if (buf[i + 1] == SOS) { /* SOS is last marker in the header */ i += AV_RB16(&buf[i + 2]) + 2; + if (i > size) { + av_log(s1, AV_LOG_ERROR, + "Insufficient data. Aborted!\n"); + return; + } break; } } From 8ad873ed4e99380958e6a60016554876d96716a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 18:20:23 +0200 Subject: [PATCH 441/492] avformat/nutdec: Fix use of uinitialized value Fixes CID1041175 Signed-off-by: Michael Niedermayer (cherry picked from commit 56abf35151c635caa3eb04bbb90454bae5463a09) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 961f76ccd3..b1bbcb9ee5 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -501,6 +501,8 @@ static int decode_info_header(NUTContext *nut) for (i = 0; i < count; i++) { get_str(bc, name, sizeof(name)); value = get_s(bc); + str_value[0] = 0; + if (value == -1) { type = "UTF-8"; get_str(bc, str_value, sizeof(str_value)); From e553282860c805679349af521af96e1e7886e713 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 18:32:12 +0200 Subject: [PATCH 442/492] avformat/matroskadec: Cleanup error handling for bz2 & zlib Fixes CID703652 Signed-off-by: Michael Niedermayer (cherry picked from commit 171af59d58fc67d82dce8ff7ed11fa671108baa5) Conflicts: libavformat/matroskadec.c --- libavformat/matroskadec.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 0b87573f5a..7ba6e75977 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1145,15 +1145,13 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, newpktdata = av_realloc(pkt_data, pkt_size); if (!newpktdata) { inflateEnd(&zstream); + result = AVERROR(ENOMEM); goto failed; } pkt_data = newpktdata; zstream.avail_out = pkt_size - zstream.total_out; zstream.next_out = pkt_data + zstream.total_out; - if (pkt_data) { - result = inflate(&zstream, Z_NO_FLUSH); - } else - result = Z_MEM_ERROR; + result = inflate(&zstream, Z_NO_FLUSH); } while (result==Z_OK && pkt_size<10000000); pkt_size = zstream.total_out; inflateEnd(&zstream); @@ -1179,15 +1177,13 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size, newpktdata = av_realloc(pkt_data, pkt_size); if (!newpktdata) { BZ2_bzDecompressEnd(&bzstream); + result = AVERROR(ENOMEM); goto failed; } pkt_data = newpktdata; bzstream.avail_out = pkt_size - bzstream.total_out_lo32; bzstream.next_out = pkt_data + bzstream.total_out_lo32; - if (pkt_data) { - result = BZ2_bzDecompress(&bzstream); - } else - result = BZ_MEM_ERROR; + result = BZ2_bzDecompress(&bzstream); } while (result==BZ_OK && pkt_size<10000000); pkt_size = bzstream.total_out_lo32; BZ2_bzDecompressEnd(&bzstream); From 0bf455c0543dca474088e3ef004904a747555bec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 00:41:38 +0200 Subject: [PATCH 443/492] avcodec/vqavideo: Check chunk size Fixes CID1239154 Signed-off-by: Michael Niedermayer (cherry picked from commit 8a62b80ce6c8e87e7937f9a5d68f83882c1c8da2) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 0a2b668d29..7282cf9ddb 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -231,6 +231,12 @@ static int decode_format80(VqaContext *s, int src_size, unsigned char color; int i; + if (src_size < 0 || src_size > bytestream2_get_bytes_left(&s->gb)) { + av_log(s->avctx, AV_LOG_ERROR, "Chunk size %d is out of range\n", + src_size); + return AVERROR_INVALIDDATA; + } + start = bytestream2_tell(&s->gb); while (bytestream2_tell(&s->gb) - start < src_size) { opcode = bytestream2_get_byte(&s->gb); From 32f568f82c46cd8cf897b118b146c15271c0081f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 15:15:55 +0200 Subject: [PATCH 444/492] avcodec/jpeg2000dec: fix boolean operator Fixes CID1271791 #7-6 Signed-off-by: Michael Niedermayer (cherry picked from commit f8f155a18ac454e7ff3312e0e0c3a70eb4359143) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 5231040494..a88bfeaebe 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1601,7 +1601,7 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) int cn = bytestream2_get_be16(&s->g); int av_unused typ = bytestream2_get_be16(&s->g); int asoc = bytestream2_get_be16(&s->g); - if (cn < 4 || asoc < 4) + if (cn < 4 && asoc < 4) s->cdef[cn] = asoc; atom_size -= 6; atom2_size -= 6; From c0726da9339f9dffdb4eee59fbc551292adf893f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 18:36:19 +0200 Subject: [PATCH 445/492] avcodec/mjpegdec: fix len computation in ff_mjpeg_decode_dqt() Signed-off-by: Michael Niedermayer (cherry picked from commit 81cf9108563510dee24f73b2c5d94a7bd07ff747) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 91b4d79492..946d7be01a 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -150,7 +150,7 @@ int ff_mjpeg_decode_dqt(MJpegDecodeContext *s) s->quant_matrixes[index][s->scantable.permutated[8]]) >> 1; av_log(s->avctx, AV_LOG_DEBUG, "qscale[%d]: %d\n", index, s->qscale[index]); - len -= 65; + len -= 1 + 64 * (1+pr); } return 0; } From 136bd71f690fa78954475904e54e702925cca866 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 May 2015 00:09:56 +0200 Subject: [PATCH 446/492] avcodec/mpeg4audio: add some padding/alignment to MAX_PCE_SIZE This avoids potential accesses over the end Signed-off-by: Michael Niedermayer (cherry picked from commit 93cfa7d1692c25cff045f99ba1af2c9e5772c45e) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4audio.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4audio.h b/libavcodec/mpeg4audio.h index 0f410455f5..a1f3ffc59b 100644 --- a/libavcodec/mpeg4audio.h +++ b/libavcodec/mpeg4audio.h @@ -101,7 +101,7 @@ enum AudioObjectType { AOT_USAC, ///< N Unified Speech and Audio Coding }; -#define MAX_PCE_SIZE 304 /// Date: Thu, 14 May 2015 17:54:40 +0200 Subject: [PATCH 447/492] avcodec/cavsdec: Check esc_code Signed-off-by: Michael Niedermayer (cherry picked from commit 139e1c8009df7729a53eaaae7036ca01071aced5) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 0212a21655..2264cb46a4 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -568,6 +568,11 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, if(run > 64) return -1; esc_code = get_ue_code(gb, esc_golomb_order); + if (esc_code < 0 || esc_code > 32767) { + av_log(h->avctx, AV_LOG_ERROR, "esc_code invalid\n"); + return AVERROR_INVALIDDATA; + } + level = esc_code + (run > r->max_run ? 1 : r->level_add[run]); while (level > r->inc_limit) r++; From c532c56e7b77ee30b86d218d6407d17575fc66a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 May 2015 20:49:25 +0200 Subject: [PATCH 448/492] avcodec/dcadec: Check nchans Fixes CID1239110 Signed-off-by: Michael Niedermayer (cherry picked from commit a6a45774d045007f8262cd7c614804390e53122e) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index aa583742f5..d4c8676686 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -571,6 +571,14 @@ static int dca_parse_audio_coding_header(DCAContext *s, int base_channel, } nchans = get_bits(&s->gb, 3) + 1; + if (xxch && nchans >= 3) { + av_log(s->avctx, AV_LOG_ERROR, "nchans %d is too large\n", nchans); + return AVERROR_INVALIDDATA; + } else if (nchans + base_channel > DCA_PRIM_CHANNELS_MAX) { + av_log(s->avctx, AV_LOG_ERROR, "channel sum %d + %d is too large\n", nchans, base_channel); + return AVERROR_INVALIDDATA; + } + s->total_channels = nchans + base_channel; s->prim_channels = s->total_channels; From 3fedff39852553692b5cb6222ff5d9f492f3d559 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 May 2015 21:29:19 +0200 Subject: [PATCH 449/492] avcodec/dcadec: Check subsubframes Fixes: CID1239152 Signed-off-by: Michael Niedermayer (cherry picked from commit a9bf628bfdad142763880a3d1ccb6058040dda57) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index d4c8676686..801a380df2 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -838,6 +838,10 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index) if (!base_channel) { s->subsubframes[s->current_subframe] = get_bits(&s->gb, 2) + 1; + if (block_index + s->subsubframes[s->current_subframe] > s->sample_blocks/8) { + s->subsubframes[s->current_subframe] = 1; + return AVERROR_INVALIDDATA; + } s->partial_samples[s->current_subframe] = get_bits(&s->gb, 3); } From ffd894917fd5aaab9bb462ddc85ddb71b02b7346 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 May 2015 13:07:00 +0200 Subject: [PATCH 450/492] ffmpeg_opt: Fix -timestamp parsing Signed-off-by: Michael Niedermayer (cherry picked from commit 107e4da47644fe615ea821d6a19682d73789aca7) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 8b2b83e5f3..cd437527a3 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2617,7 +2617,7 @@ const OptionDef options[] = { { "itsscale", HAS_ARG | OPT_DOUBLE | OPT_SPEC | OPT_EXPERT | OPT_INPUT, { .off = OFFSET(ts_scale) }, "set the input ts scale", "scale" }, - { "timestamp", HAS_ARG | OPT_PERFILE, { .func_arg = opt_recording_timestamp }, + { "timestamp", HAS_ARG | OPT_PERFILE | OPT_OUTPUT, { .func_arg = opt_recording_timestamp }, "set the recording timestamp ('now' to set the current time)", "time" }, { "metadata", HAS_ARG | OPT_STRING | OPT_SPEC | OPT_OUTPUT, { .off = OFFSET(metadata) }, "add metadata", "string=string" }, From 990c2ee3bd950f3b7d447cd71fa5efc979d1c98a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 15:23:32 +0200 Subject: [PATCH 451/492] avcodec/proresdec2: Reset slice_count on deallocation Signed-off-by: Michael Niedermayer (cherry picked from commit c4c6aea397f62421bf8ef0449b2b465a53e4ab4d) Conflicts: libavcodec/proresdec2.c --- libavcodec/proresdec2.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 5037bb8e02..a9f6e20f3a 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -202,6 +202,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons if (ctx->slice_count != slice_count || !ctx->slices) { av_freep(&ctx->slices); + ctx->slice_count = 0; ctx->slices = av_mallocz(slice_count * sizeof(*ctx->slices)); if (!ctx->slices) return AVERROR(ENOMEM); From 0888e7110e7ac23cb884d5dcdebe9090f02548ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 16:58:51 +0200 Subject: [PATCH 452/492] avcodec/shorten: Fix code depending on signed overflow behavior Signed-off-by: Michael Niedermayer (cherry picked from commit 2d15588124ab1d4c0612cab66f02a716f1509211) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 3bba10c398..08ea2178a4 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -131,8 +131,7 @@ static int allocate_buffers(ShortenContext *s) av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); return AVERROR_INVALIDDATA; } - if (s->blocksize + s->nwrap >= UINT_MAX / sizeof(int32_t) || - s->blocksize + s->nwrap <= (unsigned)s->nwrap) { + if (s->blocksize + (uint64_t)s->nwrap >= UINT_MAX / sizeof(int32_t)) { av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n"); return AVERROR_INVALIDDATA; From a7c8dc67e773d8591cd29cbfb8b4ab586c3ba160 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 16:48:31 +0200 Subject: [PATCH 453/492] avcodec/shorten: Check skip_bytes() Fixes CID1210526 Signed-off-by: Michael Niedermayer (cherry picked from commit d201becfc0d89c6a5dfe44e96f1044fbc2aadb70) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 08ea2178a4..a512759fd4 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -366,6 +366,11 @@ static int read_header(ShortenContext *s) s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); + if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { + av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < skip_bytes; i++) skip_bits(&s->gb, 8); } From f58c9746c3972873e80b385846a451c479d69d6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 17:02:28 +0200 Subject: [PATCH 454/492] avcodec/shorten: More complete pred_order check Fixes CID1239055 Signed-off-by: Michael Niedermayer (cherry picked from commit 294469416d8193a28710d802bb0c46e5fa09fad7) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index a512759fd4..70b032aafc 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -279,7 +279,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, if (command == FN_QLPC) { /* read/validate prediction order */ pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE); - if (pred_order > s->nwrap) { + if ((unsigned)pred_order > s->nwrap) { av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", pred_order); return AVERROR(EINVAL); From 41c81556a70cd32fc153a614a2088a926b779b39 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 17:21:10 +0200 Subject: [PATCH 455/492] avcodec/smvjpegdec: check avcodec_decode_video2() return code Fixes CID1271810 Signed-off-by: Michael Niedermayer (cherry picked from commit cdd25f9a3df3905543a5546cf6076d2eaf895736) Signed-off-by: Michael Niedermayer --- libavcodec/smvjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c index 7d848394fb..9d9ad63fb2 100644 --- a/libavcodec/smvjpegdec.c +++ b/libavcodec/smvjpegdec.c @@ -137,6 +137,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz if (!cur_frame) { av_frame_unref(mjpeg_data); ret = avcodec_decode_video2(s->avctx, mjpeg_data, &s->mjpeg_data_size, avpkt); + if (ret < 0) { + s->mjpeg_data_size = 0; + return ret; + } } else if (!s->mjpeg_data_size) return AVERROR(EINVAL); From 025b38f3a6147aff2f143a930a50b377ad4a60f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 17:31:58 +0200 Subject: [PATCH 456/492] avcodec/sonic: More completely check sample_rate_index and channels Fixes CID1271783 Signed-off-by: Michael Niedermayer (cherry picked from commit ade8a46154cb45c88b1cb5c616eaa6320c941187) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 7a9db36311..2621be41cf 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -769,13 +769,19 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) if (version == 1) { + int sample_rate_index; s->channels = get_bits(&gb, 2); - s->samplerate = samplerate_table[get_bits(&gb, 4)]; + sample_rate_index = get_bits(&gb, 4); + if (sample_rate_index >= FF_ARRAY_ELEMS(samplerate_table)) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample_rate_index %d\n", sample_rate_index); + return AVERROR_INVALIDDATA; + } + s->samplerate = samplerate_table[sample_rate_index]; av_log(avctx, AV_LOG_INFO, "Sonicv2 chans: %d samprate: %d\n", s->channels, s->samplerate); } - if (s->channels > MAX_CHANNELS) + if (s->channels > MAX_CHANNELS || s->channels < 1) { av_log(avctx, AV_LOG_ERROR, "Only mono and stereo streams are supported by now\n"); return AVERROR_INVALIDDATA; From a3d05bf6be2e97092ce2ded0a849d9150aac82f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 18:04:12 +0200 Subject: [PATCH 457/492] avcodec/dcadec: Check scale table index Fixes CID1297594 part 1 Signed-off-by: Michael Niedermayer (cherry picked from commit 0f3e6959bfa67d12cd5a173b86eb15abd7d9e4d5) Conflicts: libavcodec/dcadec.c --- libavcodec/dcadec.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index 801a380df2..f68a6f2982 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -1810,23 +1810,34 @@ static int dca_xbr_parse_frame(DCAContext *s) for(i = 0; i < n_xbr_ch[chset]; i++) { const uint32_t *scale_table; int nbits; + int scale_table_size; if (s->scalefactor_huffman[chan_base+i] == 6) { scale_table = scale_factor_quant7; + scale_table_size = FF_ARRAY_ELEMS(scale_factor_quant7); } else { scale_table = scale_factor_quant6; + scale_table_size = FF_ARRAY_ELEMS(scale_factor_quant6); } nbits = anctemp[i]; for(j = 0; j < active_bands[chset][i]; j++) { if(abits_high[i][j] > 0) { - scale_table_high[i][j][0] = - scale_table[get_bits(&s->gb, nbits)]; + int index = get_bits(&s->gb, nbits); + if (index >= scale_table_size) { + av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index); + return AVERROR_INVALIDDATA; + } + scale_table_high[i][j][0] = scale_table[index]; if(xbr_tmode && s->transition_mode[i][j]) { - scale_table_high[i][j][1] = - scale_table[get_bits(&s->gb, nbits)]; + int index = get_bits(&s->gb, nbits); + if (index >= scale_table_size) { + av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index); + return AVERROR_INVALIDDATA; + } + scale_table_high[i][j][1] = scale_table[index]; } } } From c01f5517280c389cd823e9e1b5d1cf979040bd61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 18:29:40 +0200 Subject: [PATCH 458/492] avcodec/dcadec: Check active_bands Fixes CID1297594 part2 Signed-off-by: Michael Niedermayer (cherry picked from commit fc624ec9ba7e5c4e8d905ac10f605a43d123f95a) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index f68a6f2982..bb5a6d113b 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -1767,8 +1767,13 @@ static int dca_xbr_parse_frame(DCAContext *s) for(i = 0; i < num_chsets; i++) { n_xbr_ch[i] = get_bits(&s->gb, 3) + 1; k = get_bits(&s->gb, 2) + 5; - for(j = 0; j < n_xbr_ch[i]; j++) + for(j = 0; j < n_xbr_ch[i]; j++) { active_bands[i][j] = get_bits(&s->gb, k) + 1; + if (active_bands[i][j] > DCA_SUBBANDS) { + av_log(s->avctx, AV_LOG_ERROR, "too many active subbands (%d)\n", active_bands[i][j]); + return AVERROR_INVALIDDATA; + } + } } /* skip to the end of the header */ From 13b22617c185e69f3d1ada5544f1512acb0777bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 22:02:12 +0200 Subject: [PATCH 459/492] avcodec/libtheoraenc: Check for av_malloc failure Fixes CID1257799 Signed-off-by: Michael Niedermayer (cherry picked from commit c64b2d480b4a35d4face9928b4265a0fda3f3dd9) Signed-off-by: Michael Niedermayer --- libavcodec/libtheoraenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/libtheoraenc.c b/libavcodec/libtheoraenc.c index a2e5b74cb6..3a0a736b59 100644 --- a/libavcodec/libtheoraenc.c +++ b/libavcodec/libtheoraenc.c @@ -113,6 +113,8 @@ static int get_stats(AVCodecContext *avctx, int eos) // libtheora generates a summary header at the end memcpy(h->stats, buf, bytes); avctx->stats_out = av_malloc(b64_size); + if (!avctx->stats_out) + return AVERROR(ENOMEM); av_base64_encode(avctx->stats_out, b64_size, h->stats, h->stats_offset); } return 0; From ced57c6ef3e5510e7d07525d1b04f0b011834fdf Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Sat, 11 Apr 2015 00:54:10 +0300 Subject: [PATCH 460/492] rtpenc_jpeg: handle case of picture dimensions not dividing by 8 This fixes the calculation of the number of needed blocks to make sure that ALL pixels are represented by the result. Reviewed-by: Thomas Volkert Signed-off-by: Michael Niedermayer (cherry picked from commit 7f64a7503b19b39f1251e4380987034c569bebf5) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_jpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpenc_jpeg.c b/libavformat/rtpenc_jpeg.c index 47898a30ad..5288283043 100644 --- a/libavformat/rtpenc_jpeg.c +++ b/libavformat/rtpenc_jpeg.c @@ -40,8 +40,8 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) s->timestamp = s->cur_timestamp; /* convert video pixel dimensions from pixels to blocks */ - w = s1->streams[0]->codec->width >> 3; - h = s1->streams[0]->codec->height >> 3; + w = FF_CEIL_RSHIFT(s1->streams[0]->codec->width, 3); + h = FF_CEIL_RSHIFT(s1->streams[0]->codec->height, 3); /* check if pixel format is not the normal 420 case */ if (s1->streams[0]->codec->pix_fmt == AV_PIX_FMT_YUVJ422P) { From fd1be2bd874c1979d45f471165b1b76af2cde45f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 24 Apr 2015 12:38:09 +0300 Subject: [PATCH 461/492] rtsp: Make sure we don't write too many transport entries into a fixed-size array (cherry picked from commit b90adb0aba073f9c1b4abca852119947393ced4c) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 6310d79c28..1abb4715ab 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -821,6 +821,8 @@ static void rtsp_parse_transport(RTSPMessageHeader *reply, const char *p) p++; reply->nb_transports++; + if (reply->nb_transports >= RTSP_MAX_TRANSPORTS) + break; } } From 9dd9090b89d57451740fe8d2d49082b1152d2928 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 May 2015 17:13:15 +0200 Subject: [PATCH 462/492] avformat/nutdec: Return error on EOF from get_str() Signed-off-by: Michael Niedermayer (cherry picked from commit 6bbb2f8f4da67af374d62403742482cc5962aa21) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index b1bbcb9ee5..52dbc99410 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -49,6 +49,8 @@ static int get_str(AVIOContext *bc, char *string, unsigned int maxlen) if (maxlen) string[FFMIN(len, maxlen - 1)] = 0; + if (bc->eof_reached) + return AVERROR_EOF; if (maxlen == len) return -1; else From 00b8a9dd8d996f8a033aea2598ccc0e44b239b7b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 May 2015 17:32:48 +0200 Subject: [PATCH 463/492] avformat/nutdec: Fix recovery when immedeately after seeking a failure happens Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit b3496b4a33e806b7afdcbbf6f468b0332b676d7c) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 52dbc99410..d3b7ea4d4c 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1027,6 +1027,7 @@ static int read_seek(AVFormatContext *s, int stream_index, av_log(NULL, AV_LOG_DEBUG, "SEEKTO: %"PRId64"\n", pos2); pos = find_startcode(s->pb, SYNCPOINT_STARTCODE, pos2); avio_seek(s->pb, pos, SEEK_SET); + nut->last_syncpoint_pos = pos; av_log(NULL, AV_LOG_DEBUG, "SP: %"PRId64"\n", pos); if (pos2 > pos || pos2 + 15 < pos) av_log(NULL, AV_LOG_ERROR, "no syncpoint at backptr pos\n"); From 6cb8599bab1b16331a4fd0423782de67718aa78a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 May 2015 00:23:05 +0200 Subject: [PATCH 464/492] avformat/nutdec: Check X in 2nd branch of index reading Prevents read of uninitialized variable Based on patch by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ebb0ca3d70465ab6d369a66b2ef43bb059705db8) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index d3b7ea4d4c..438f898160 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -665,6 +665,10 @@ static int find_and_decode_index(NUTContext *nut) has_keyframe[n++] = flag; has_keyframe[n++] = !flag; } else { + if (x <= 1) { + av_log(s, AV_LOG_ERROR, "index: x %"PRIu64" is invalid\n", x); + goto fail; + } while (x != 1) { if (n >= syncpoint_count + 1) { av_log(s, AV_LOG_ERROR, "index overflow B\n"); From 5123c8aa0bf35c0340f0562986440b654ed7bb8c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 20 May 2015 00:06:05 +0200 Subject: [PATCH 465/492] nutdec: fix infinite resync loops nut->last_syncpoint_pos doesn't necessarily change between resync attempts, so find_any_startcode can return the same startcode again. Thus remember where the last resync happened and don't try to resync before that. This can't be done locally in nut_read_packet, because this wouldn't prevent infinite resync loops, where after the resync a packet is returned and while reading a following packet the resync happens again. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 37e679881d364b6da817d829d35869d657218ab3) Signed-off-by: Michael Niedermayer --- libavformat/nut.h | 1 + libavformat/nutdec.c | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/nut.h b/libavformat/nut.h index dc5af15a57..6f8547e2c4 100644 --- a/libavformat/nut.h +++ b/libavformat/nut.h @@ -98,6 +98,7 @@ typedef struct NUTContext { unsigned int max_distance; unsigned int time_base_count; int64_t last_syncpoint_pos; + int64_t last_resync_pos; int header_count; AVRational *time_base; struct AVTreeNode *syncpoints; diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 438f898160..6b93bec7d5 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -941,7 +941,8 @@ static int nut_read_packet(AVFormatContext *s, AVPacket *pkt) default: resync: av_log(s, AV_LOG_DEBUG, "syncing from %"PRId64"\n", pos); - tmp = find_any_startcode(bc, nut->last_syncpoint_pos + 1); + tmp = find_any_startcode(bc, FFMAX(nut->last_syncpoint_pos, nut->last_resync_pos) + 1); + nut->last_resync_pos = avio_tell(bc); if (tmp == 0) return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "sync\n"); @@ -1038,6 +1039,8 @@ static int read_seek(AVFormatContext *s, int stream_index, for (i = 0; i < s->nb_streams; i++) nut->stream[i].skip_until_key_frame = 1; + nut->last_resync_pos = 0; + return 0; } From b6ae28c2e9cb1b667a4fd51feb9ad63987c0c9c2 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 20 May 2015 00:31:24 +0200 Subject: [PATCH 466/492] nutdec: stop skipping bytes at EOF This can unnecessarily waste a lot of time. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit fa7dec8cb00d2d0dd96ff9863ccda38428610a21) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 6b93bec7d5..08f070a652 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -44,6 +44,8 @@ static int get_str(AVIOContext *bc, char *string, unsigned int maxlen) while (len > maxlen) { avio_r8(bc); len--; + if (bc->eof_reached) + len = maxlen; } if (maxlen) @@ -210,8 +212,11 @@ static int skip_reserved(AVIOContext *bc, int64_t pos) avio_seek(bc, pos, SEEK_CUR); return AVERROR_INVALIDDATA; } else { - while (pos--) + while (pos--) { + if (bc->eof_reached) + return AVERROR_INVALIDDATA; avio_r8(bc); + } return 0; } } @@ -285,8 +290,13 @@ static int decode_main_header(NUTContext *nut) if (tmp_fields > 7) tmp_head_idx = ffio_read_varlen(bc); - while (tmp_fields-- > 8) + while (tmp_fields-- > 8) { + if (bc->eof_reached) { + av_log(s, AV_LOG_ERROR, "reached EOF while decoding main header\n"); + return AVERROR_INVALIDDATA; + } ffio_read_varlen(bc); + } if (count <= 0 || count > 256 - (i <= 'N') - i) { av_log(s, AV_LOG_ERROR, "illegal count %d at %d\n", count, i); @@ -825,8 +835,13 @@ static int decode_frame_header(NUTContext *nut, int64_t *pts, int *stream_id, *header_idx = ffio_read_varlen(bc); if (flags & FLAG_RESERVED) reserved_count = ffio_read_varlen(bc); - for (i = 0; i < reserved_count; i++) + for (i = 0; i < reserved_count; i++) { + if (bc->eof_reached) { + av_log(s, AV_LOG_ERROR, "reached EOF while decoding frame header\n"); + return AVERROR_INVALIDDATA; + } ffio_read_varlen(bc); + } if (*header_idx >= (unsigned)nut->header_count) { av_log(s, AV_LOG_ERROR, "header_idx invalid\n"); From 03c80a740043bd8cf35dc18db84ed1ffd4c08ddc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Aug 2014 16:33:03 +0200 Subject: [PATCH 467/492] avcodec/h264_slice: More complete cleanup in h264_slice_header_init() Fixes null pointer dereference Fixes Ticket3873 Signed-off-by: Michael Niedermayer (cherry picked from commit 1fa35e4352cc39894987e14de464e3d72b55739f) Conflicts: libavcodec/h264_slice.c --- libavcodec/h264.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 4d1269a5dd..c41cc36c34 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3128,6 +3128,7 @@ static int h264_slice_header_init(H264Context *h, int reinit) h->avctx->active_thread_type & FF_THREAD_SLICE) ? h->avctx->thread_count : 1; int i; + int ret = AVERROR_INVALIDDATA; h->avctx->sample_aspect_ratio = h->sps.sar; av_assert0(h->avctx->sample_aspect_ratio.den); @@ -3153,7 +3154,7 @@ static int h264_slice_header_init(H264Context *h, int reinit) if (ff_h264_alloc_tables(h) < 0) { av_log(h->avctx, AV_LOG_ERROR, "Could not allocate memory for h264\n"); - return AVERROR(ENOMEM); + goto fail; } if (nb_slices > MAX_THREADS || (nb_slices > h->mb_height && h->mb_height)) { @@ -3171,12 +3172,16 @@ static int h264_slice_header_init(H264Context *h, int reinit) if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) { if (context_init(h) < 0) { av_log(h->avctx, AV_LOG_ERROR, "context_init() failed.\n"); - return -1; + goto fail; } } else { for (i = 1; i < h->slice_context_count; i++) { H264Context *c; c = h->thread_context[i] = av_mallocz(sizeof(H264Context)); + if (!c) { + ret = AVERROR(ENOMEM); + goto fail; + } c->avctx = h->avctx; if (CONFIG_ERROR_RESILIENCE) { c->dsp = h->dsp; @@ -3215,13 +3220,17 @@ static int h264_slice_header_init(H264Context *h, int reinit) for (i = 0; i < h->slice_context_count; i++) if (context_init(h->thread_context[i]) < 0) { av_log(h->avctx, AV_LOG_ERROR, "context_init() failed.\n"); - return -1; + goto fail; } } h->context_initialized = 1; return 0; +fail: + free_tables(h, 0); + h->context_initialized = 0; + return ret; } /** From 04bb8cc842125381a966e064fcee3e7fe8ee6386 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 25 May 2015 22:30:10 +0200 Subject: [PATCH 468/492] h264: Make sure reinit failures mark the context as not initialized (cherry picked from commit 3b69f245dbe6e2016659a45c4bfe284f6c5ac57e) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/h264_slice.c (cherry picked from commit 964fef3f3ced60e67831549df223bc177e1537c9) Signed-off-by: Michael Niedermayer Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index c41cc36c34..dac1ca513f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3389,7 +3389,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) h->height != h->avctx->coded_height || must_reinit || needs_reinit)) { - + h->context_initialized = 0; if (h != h0) { av_log(h->avctx, AV_LOG_ERROR, "changing width/height on " "slice %d\n", h0->current_slice + 1); From 9db97584ca5b1664f44f43f18546f78afd4db686 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jun 2015 00:48:29 +0200 Subject: [PATCH 469/492] swresample: Check the return value of resampler->init() Signed-off-by: Michael Niedermayer (cherry picked from commit 02915602d9313aa4b108342a3081244b9d2422bf) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index c534ccf0dc..e866dc24e9 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -352,6 +352,10 @@ av_cold int swr_init(struct SwrContext *s){ if (s->out_sample_rate!=s->in_sample_rate || (s->flags & SWR_FLAG_RESAMPLE)){ s->resample = s->resampler->init(s->resample, s->out_sample_rate, s->in_sample_rate, s->filter_size, s->phase_shift, s->linear_interp, s->cutoff, s->int_sample_fmt, s->filter_type, s->kaiser_beta, s->precision, s->cheby); + if (!s->resample) { + av_log(s, AV_LOG_ERROR, "Failed to initilaize resampler\n"); + return AVERROR(ENOMEM); + } }else s->resampler->free(&s->resample); if( s->int_sample_fmt != AV_SAMPLE_FMT_S16P From 6d7384bd735b9e75f15af4639a102bdc9bdc2891 Mon Sep 17 00:00:00 2001 From: Ganesh Ajjanagadde Date: Tue, 2 Jun 2015 23:17:48 -0400 Subject: [PATCH 470/492] swresample/dither: check memory allocation check memory allocation in swri_get_dither() Signed-off-by: Michael Niedermayer (cherry picked from commit 196b885a5f0aa3ca022c1fa99509f47341239784) Signed-off-by: Michael Niedermayer --- libswresample/dither.c | 6 +++++- libswresample/swresample.c | 3 ++- libswresample/swresample_internal.h | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/libswresample/dither.c b/libswresample/dither.c index 8121f11c2f..23e7e12ede 100644 --- a/libswresample/dither.c +++ b/libswresample/dither.c @@ -23,12 +23,15 @@ #include "noise_shaping_data.c" -void swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt) { +int swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt) { double scale = s->dither.noise_scale; #define TMP_EXTRA 2 double *tmp = av_malloc_array(len + TMP_EXTRA, sizeof(double)); int i; + if (!tmp) + return AVERROR(ENOMEM); + for(i=0; idither.noise.ch_count; ch++) - swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, 12345678913579<dither.noise.fmt); + if((ret=swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, 12345678913579<dither.noise.fmt))<0) + return ret; av_assert0(s->dither.noise.ch_count == preout->ch_count); if(s->dither.noise_pos + out_count > s->dither.noise.count) diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index 108f837f23..96e1beac62 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -184,7 +184,7 @@ void swri_rematrix_free(SwrContext *s); int swri_rematrix(SwrContext *s, AudioData *out, AudioData *in, int len, int mustcopy); void swri_rematrix_init_x86(struct SwrContext *s); -void swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt); +int swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt); int swri_dither_init(SwrContext *s, enum AVSampleFormat out_fmt, enum AVSampleFormat in_fmt); void swri_audio_convert_init_arm(struct AudioConvert *ac, From ff0e9060a53fc3c8fdcb40c4314e61b381a1b269 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jun 2015 21:35:02 +0200 Subject: [PATCH 471/492] avformat/mxfenc: Accept MXF D-10 with 49.999840 Mbit/sec This is the maximum rate possible based on the frame size limit of MXF D-10 Previous version reviewed by tim nicholson Signed-off-by: Michael Niedermayer (cherry picked from commit d7a762553c6f6c422adb6632354bcc4ff577b701) Signed-off-by: Michael Niedermayer --- libavformat/mxfenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index c145bca2e1..ddc403b673 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1708,9 +1708,10 @@ static int mxf_write_header(AVFormatContext *s) return ret; sc->video_bit_rate = st->codec->bit_rate ? st->codec->bit_rate : st->codec->rc_max_rate; if (s->oformat == &ff_mxf_d10_muxer) { - if (sc->video_bit_rate == 50000000) { - if (mxf->time_base.den == 25) sc->index = 3; - else sc->index = 5; + if ((sc->video_bit_rate == 50000000) && (mxf->time_base.den == 25)) { + sc->index = 3; + } else if ((sc->video_bit_rate == 49999840 || sc->video_bit_rate == 50000000) && (mxf->time_base.den != 25)) { + sc->index = 5; } else if (sc->video_bit_rate == 40000000) { if (mxf->time_base.den == 25) sc->index = 7; else sc->index = 9; From a3740b6a8644198d9c61f9080f4fa407d37531b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jun 2015 22:59:34 +0200 Subject: [PATCH 472/492] avcodec/alsdec: Check for overread Signed-off-by: Michael Niedermayer (cherry picked from commit c2657633187e325a439e3297fd9ccd0522ab2e39) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index bfadf70e0d..b1f6b3a435 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1468,6 +1468,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) // TODO: read_diff_float_data + if (get_bits_left(gb) < 0) { + av_log(ctx->avctx, AV_LOG_ERROR, "Overread %d\n", -get_bits_left(gb)); + return AVERROR_INVALIDDATA; + } + return 0; } From 6fd4b2b84f603a0b5721ec1bc965abadb89095e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jun 2015 22:34:12 +0200 Subject: [PATCH 473/492] avcodec/adpcm: Check for overreads See: vlc ticket 14649 Reported-by: carl Signed-off-by: Michael Niedermayer (cherry picked from commit 3c803ed9cb23e5a8d76b6c31d8a8c71cac27e769) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index dbbb358b44..b16abc9119 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -570,6 +570,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, case AV_CODEC_ID_ADPCM_IMA_DK4: if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); + if (buf_size < 4 * ch) + return AVERROR_INVALIDDATA; nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch; break; case AV_CODEC_ID_ADPCM_IMA_RAD: @@ -583,13 +585,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2]; if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); + if (buf_size < 4 * ch) + return AVERROR_INVALIDDATA; nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples; break; } case AV_CODEC_ID_ADPCM_MS: if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); - nb_samples = 2 + (buf_size - 7 * ch) * 2 / ch; + nb_samples = (buf_size - 6 * ch) * 2 / ch; break; case AV_CODEC_ID_ADPCM_SBPRO_2: case AV_CODEC_ID_ADPCM_SBPRO_3: @@ -602,6 +606,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break; } if (!s->status[0].step_index) { + if (buf_size < ch) + return AVERROR_INVALIDDATA; nb_samples++; buf_size -= ch; } @@ -1517,6 +1523,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; + if (avpkt->size < bytestream2_tell(&gb)) { + av_log(avctx, AV_LOG_ERROR, "Overread of %d < %d\n", avpkt->size, bytestream2_tell(&gb)); + return avpkt->size; + } + return bytestream2_tell(&gb); } From 1fe67c9472adba37b0ac7c9b30cd9b8fa5c3ef3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jun 2015 14:55:10 +0200 Subject: [PATCH 474/492] avformat/ffmdec: Check ffio_set_buf_size() return value Signed-off-by: Michael Niedermayer (cherry picked from commit dc55477a64cefebf8dcc611f026be71382814ae2) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 2b1891fa23..d170bcb544 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -93,7 +93,9 @@ static int ffm_read_data(AVFormatContext *s, retry_read: if (pb->buffer_size != ffm->packet_size) { int64_t tell = avio_tell(pb); - ffio_set_buf_size(pb, ffm->packet_size); + int ret = ffio_set_buf_size(pb, ffm->packet_size); + if (ret < 0) + return ret; avio_seek(pb, tell, SEEK_SET); } id = avio_rb16(pb); /* PACKET_ID */ From 7a9f4f2816be98fee348dec2a63177b431366e9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2015 00:37:26 +0200 Subject: [PATCH 475/492] avcodec/jpeg2000dec: Check that coords match before applying ICT This avoid potential out of array accesses Signed-off-by: Michael Niedermayer (cherry picked from commit 12ba1b2b4d5592c0e27b0fcc83db929e8d6a8eee) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index a88bfeaebe..e12ed95217 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1152,11 +1152,16 @@ static void mct_decode(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) int32_t *src[3], i0, i1, i2; float *srcf[3], i0f, i1f, i2f; - for (i = 1; i < 3; i++) + for (i = 1; i < 3; i++) { if (tile->codsty[0].transform != tile->codsty[i].transform) { av_log(s->avctx, AV_LOG_ERROR, "Transforms mismatch, MCT not supported\n"); return; } + if (memcmp(tile->comp[0].coord, tile->comp[i].coord, sizeof(tile->comp[0].coord))) { + av_log(s->avctx, AV_LOG_ERROR, "Coords mismatch, MCT not supported\n"); + return; + } + } for (i = 0; i < 3; i++) if (tile->codsty[0].transform == FF_DWT97) From 8320aa7dc74309df8eba2e39e50844ab59a47ed4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2015 05:11:09 +0200 Subject: [PATCH 476/492] avcodec/x86/h264_weight: handle weight1=128 Fix ticket4596 Signed-off-by: Michael Niedermayer (cherry picked from commit e1009665759d4a3938dd2dd07b7e84d8bc9c5290) Signed-off-by: Michael Niedermayer --- libavcodec/x86/h264_weight.asm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/x86/h264_weight.asm b/libavcodec/x86/h264_weight.asm index 4759a063a6..f6b9d5f6ad 100644 --- a/libavcodec/x86/h264_weight.asm +++ b/libavcodec/x86/h264_weight.asm @@ -135,8 +135,11 @@ WEIGHT_FUNC_HALF_MM 8, 8 add off_regd, 1 or off_regd, 1 add r4, 1 + cmp r6d, 128 + je .nonnormal cmp r5, 128 jne .normal +.nonnormal sar r5, 1 sar r6, 1 sar off_regd, 1 From af79d964a73ffb941570768d352cfe8a4e56a763 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jun 2015 00:47:43 +0200 Subject: [PATCH 477/492] avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet() Signed-off-by: Michael Niedermayer (cherry picked from commit 913685f55208efd78bfc34d82b261bd449e69774) Signed-off-by: Michael Niedermayer --- libavdevice/lavfi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/lavfi.c b/libavdevice/lavfi.c index dcb94adbe0..dc0dc51cfc 100644 --- a/libavdevice/lavfi.c +++ b/libavdevice/lavfi.c @@ -343,7 +343,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt) continue; } else if (ret < 0) return ret; - d = av_rescale_q(frame->pts, tb, AV_TIME_BASE_Q); + d = av_rescale_q_rnd(frame->pts, tb, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX); av_dlog(avctx, "sink_idx:%d time:%f\n", i, d); av_frame_unref(frame); From 0caff57c42cac0f80152187473b1ee753aca8257 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jun 2015 03:26:56 +0200 Subject: [PATCH 478/492] Update for 2.0.7 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 157e54f3e4..f1547e6d13 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.0.6 +2.0.7 diff --git a/VERSION b/VERSION index 157e54f3e4..f1547e6d13 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.0.6 +2.0.7 diff --git a/doc/Doxyfile b/doc/Doxyfile index 04340e3491..eecff178d7 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.0.6 +PROJECT_NUMBER = 2.0.7 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 4a2be7027f7ea995bbda848133a9978a389e2537 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 May 2015 04:31:30 +0200 Subject: [PATCH 479/492] avfilter/x86/vf_hqdn3d: Fix register types Fixes Ticket4301 Signed-off-by: Michael Niedermayer (cherry picked from commit 52fc3e372f8ed4de5735abed1f7f7569fe37b023) --- libavfilter/x86/vf_hqdn3d.asm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/x86/vf_hqdn3d.asm b/libavfilter/x86/vf_hqdn3d.asm index 961127e670..e3b1bdca53 100644 --- a/libavfilter/x86/vf_hqdn3d.asm +++ b/libavfilter/x86/vf_hqdn3d.asm @@ -27,8 +27,8 @@ SECTION .text %if lut_bits != 8 sar %1q, 8-lut_bits %endif - movsx %1d, word [%3q+%1q*2] - add %1d, %2d + movsx %1q, word [%3q+%1q*2] + add %1q, %2q %endmacro %macro LOAD 3 ; dstreg, x, bitdepth From 804b90a5f578db8e2e363806c1d725cc74db4352 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jul 2015 02:43:02 +0200 Subject: [PATCH 480/492] avformat/swfdec: Do not error out on pixel format changes Instead print an error and continue Fixes Ticket4702 Signed-off-by: Michael Niedermayer (cherry picked from commit 6a1204a1a46674084b1e6b92562f81aaab7aac69) --- libavformat/swfdec.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index bf5b581d5d..43a82b8b0e 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -384,10 +384,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) } if (st->codec->pix_fmt != AV_PIX_FMT_NONE && st->codec->pix_fmt != pix_fmt) { av_log(s, AV_LOG_ERROR, "pixel format change unsupported\n"); - res = AVERROR_PATCHWELCOME; - goto bitmap_end; - } - st->codec->pix_fmt = pix_fmt; + }else + st->codec->pix_fmt = pix_fmt; if (linesize * height > pkt->size) { res = AVERROR_INVALIDDATA; From 9b493887d502090255af443b3224b6d7bf63ca6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jul 2015 15:54:38 +0200 Subject: [PATCH 481/492] MAINTAINERS: Remove myself as leader Signed-off-by: Michael Niedermayer (cherry picked from commit f2c58931e629343f7d68258cc2b2d62c5f501ba5) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 - 1 file changed, 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 0f93e5b432..87ded1dc66 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -14,7 +14,6 @@ patches and related discussions. Project Leader ============== -Michael Niedermayer final design decisions From 7fc8458bebc65544dccc181a20af28cfe285fcd0 Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 30 Sep 2015 14:53:35 +0200 Subject: [PATCH 482/492] avcodec/mp3: fix skipping zeros Commits 43bc5cf9 and c5371f77 add code for skipping initial zeros in mp3 packets. This code forgot to report to the user that data was skipped at all. Since audio codecs allow partial packet decoding, the user application has to rely on the return value. It will remove the data reported as consumed by the decoder, and feed it to the decoder again. This resulted in the mp3 frame after the zero region to be decoded over and over again, until the zero region was finally skipped by the application. Fix this by including the amount of skipped bytes to the number of consumed bytes returned by the decode call. Fixes trac ticket #4890. (cherry picked from commit cb1da9fb8d71bb611a7b0028914c97afc3f5711d) --- libavcodec/mpegaudiodec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index 2834ba54c9..2ada242743 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1667,9 +1667,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, uint32_t header; int ret; + int skipped = 0; while(buf_size && !*buf){ buf++; buf_size--; + skipped++; } if (buf_size < HEADER_SIZE) @@ -1724,7 +1726,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, return ret; } s->frame_size = 0; - return buf_size; + return buf_size + skipped; } static void mp_flush(MPADecodeContext *ctx) From b44025a1d031fc000dcd984364775fd8014717ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2015 23:49:30 +0200 Subject: [PATCH 483/492] avcodec/ffv1: seperate slice_count from max_slice_count Fix segfault with too large slice_count Fixes Ticket4879 Signed-off-by: Michael Niedermayer (cherry picked from commit aa6c43f3fdec8a7518534b9dab20c9eb4be11568) Conflicts: libavcodec/ffv1enc.c libavcodec/ffv1.c --- libavcodec/ffv1.c | 14 +++++++------- libavcodec/ffv1.h | 1 + libavcodec/ffv1dec.c | 8 +++++--- libavcodec/ffv1enc.c | 3 ++- 4 files changed, 15 insertions(+), 11 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 3299cc6140..222f91b631 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -102,7 +102,7 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) av_cold int ffv1_init_slices_state(FFV1Context *f) { int i, ret; - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = f->slice_context[i]; if ((ret = ffv1_init_slice_state(f, fs)) < 0) return AVERROR(ENOMEM); @@ -114,10 +114,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f) { int i; - f->slice_count = f->num_h_slices * f->num_v_slices; - av_assert0(f->slice_count > 0); + f->max_slice_count = f->num_h_slices * f->num_v_slices; + av_assert0(f->max_slice_count > 0); - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = av_mallocz(sizeof(*fs)); int sx = i % f->num_h_slices; int sy = i / f->num_h_slices; @@ -202,7 +202,7 @@ av_cold int ffv1_close(AVCodecContext *avctx) ff_thread_release_buffer(avctx, &s->last_picture); av_frame_free(&s->last_picture.f); - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *fs = s->slice_context[j]; for (i = 0; i < s->plane_count; i++) { PlaneContext *p = &fs->plane[i]; @@ -216,14 +216,14 @@ av_cold int ffv1_close(AVCodecContext *avctx) av_freep(&avctx->stats_out); for (j = 0; j < s->quant_table_count; j++) { av_freep(&s->initial_states[j]); - for (i = 0; i < s->slice_count; i++) { + for (i = 0; i < s->max_slice_count; i++) { FFV1Context *sf = s->slice_context[i]; av_freep(&sf->rc_stat2[j]); } av_freep(&s->rc_stat2[j]); } - for (i = 0; i < s->slice_count; i++) + for (i = 0; i < s->max_slice_count; i++) av_freep(&s->slice_context[i]); return 0; diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h index 914eb103d7..4b6342989c 100644 --- a/libavcodec/ffv1.h +++ b/libavcodec/ffv1.h @@ -122,6 +122,7 @@ typedef struct FFV1Context { struct FFV1Context *slice_context[MAX_SLICES]; int slice_count; + int max_slice_count; int num_v_slices; int num_h_slices; int slice_width; diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index eb8606a44a..45fb7036cb 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -696,6 +696,7 @@ static int read_header(FFV1Context *f) av_log(f->avctx, AV_LOG_ERROR, "read_quant_table error\n"); return AVERROR_INVALIDDATA; } + f->slice_count = f->max_slice_count; } else if (f->version < 3) { f->slice_count = get_symbol(c, state, 0); } else { @@ -710,8 +711,8 @@ static int read_header(FFV1Context *f) p -= size + trailer; } } - if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0) { - av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid\n", f->slice_count); + if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0 || f->slice_count > f->max_slice_count) { + av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid (max=%d)\n", f->slice_count, f->max_slice_count); return AVERROR_INVALIDDATA; } @@ -927,6 +928,7 @@ static int init_thread_copy(AVCodecContext *avctx) f->picture.f = NULL; f->last_picture.f = NULL; f->sample_buffer = NULL; + f->max_slice_count = 0; f->slice_count = 0; for (i = 0; i < f->quant_table_count; i++) { @@ -997,7 +999,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) av_assert0(!fdst->sample_buffer); } - av_assert1(fdst->slice_count == fsrc->slice_count); + av_assert1(fdst->max_slice_count == fsrc->max_slice_count); ff_thread_release_buffer(dst, &fdst->picture); diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 78143a0604..f34e3b89ef 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -902,6 +902,7 @@ slices_ok: if ((ret = ffv1_init_slice_contexts(s)) < 0) return ret; + s->slice_count = s->max_slice_count; if ((ret = ffv1_init_slices_state(s)) < 0) return ret; @@ -911,7 +912,7 @@ slices_ok: if (!avctx->stats_out) return AVERROR(ENOMEM); for (i = 0; i < s->quant_table_count; i++) - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *sf = s->slice_context[j]; av_assert0(!sf->rc_stat2[i]); sf->rc_stat2[i] = av_mallocz(s->context_count[i] * From 055c302a11cdf78d2e31ddfc7ef3be6f46eaa6a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Sep 2015 04:01:27 +0200 Subject: [PATCH 484/492] avformat/avidec: Workaround broken initial frame Fixes Ticket4851 Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2ef00394b8079e93835d47c993868229f07502) Conflicts: libavformat/avidec.c --- libavformat/avidec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 1d5e3bafb3..9a4f881df7 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1330,7 +1330,8 @@ static int avi_read_idx1(AVFormatContext *s, int size) ast = st->priv_data; if (first_packet && first_packet_pos) { - data_offset = first_packet_pos - pos; + if (avi->movi_list + 4 != pos || pos + 500 > first_packet_pos) + data_offset = first_packet_pos - pos; first_packet = 0; } pos += data_offset; From 0b0183c5b741afea80fefef662d61e32e21a09c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Aug 2015 04:08:42 +0200 Subject: [PATCH 485/492] avformat/oggenc: Check segments_count for headers too Fixes infinite loop and segfault in ogg_buffer_data() Fixes Ticket4806 Signed-off-by: Michael Niedermayer (cherry picked from commit 81a8701eb52d2b6469ae16ef442ce425388141b7) --- libavformat/oggenc.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/oggenc.c b/libavformat/oggenc.c index 1255364259..a92fc6c22e 100644 --- a/libavformat/oggenc.c +++ b/libavformat/oggenc.c @@ -256,7 +256,7 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, if (i == total_segments) page->granule = granule; - if (!header) { + { AVStream *st = s->streams[page->stream_index]; int64_t start = av_rescale_q(page->start_granule, st->time_base, @@ -264,10 +264,13 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, int64_t next = av_rescale_q(page->granule, st->time_base, AV_TIME_BASE_Q); - if (page->segments_count == 255 || - (ogg->pref_size > 0 && page->size >= ogg->pref_size) || - (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + if (page->segments_count == 255) { ogg_buffer_page(s, oggstream); + } else if (!header) { + if ((ogg->pref_size > 0 && page->size >= ogg->pref_size) || + (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + ogg_buffer_page(s, oggstream); + } } } } From 087561a7dcaa1db0d9f87385e1e317e833971c26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:49:21 +0200 Subject: [PATCH 486/492] avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check Fixes Ticket4778 Signed-off-by: Michael Niedermayer (cherry picked from commit 2bb54b82b5094fd906aa28c0443be08c95662a31) --- libavcodec/h264_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index 975e6e5557..2f005f213d 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -168,7 +168,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, buf += ctx->length_size; unit_type = *buf & 0x1f; - if (buf + nal_size > buf_end || nal_size < 0) + if (nal_size > buf_end - buf || nal_size < 0) goto fail; /* prepend only to the first type 5 NAL unit of an IDR picture */ From c513e721f3fb469cb8ac0888d489a0c657628d01 Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Tue, 1 Dec 2015 21:15:53 +0200 Subject: [PATCH 487/492] doc/filters/drawtext: fix centering example Signed-off-by: Andrey Utkin Signed-off-by: Lou Logan (cherry picked from commit 648b26acc5e25ab40c43fddc54b50e9f0b13ebd8) Signed-off-by: Timothy Gu --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 33436ad267..d10e42ab67 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -3370,7 +3370,7 @@ within the parameter list. @item Show the text at the center of the video frame: @example -drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h-line_h)/2" +drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h)/2" @end example @item From 58986f0fa15185e48561dc0da5b278d40a697a51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 00:36:59 +0100 Subject: [PATCH 488/492] avcodec/ffv1dec: Check for 0 quant tables Fixes assertion failure Fixes: 07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc) --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 45fb7036cb..6b785a2855 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -521,7 +521,7 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) return AVERROR_INVALIDDATA; for (i = 0; i < f->quant_table_count; i++) { From 5628d6202217b651c6977944a956b094c3174bea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 01:25:50 +0100 Subject: [PATCH 489/492] avcodec/ffv1dec: Print an error if the quant table count is invalid Signed-off-by: Michael Niedermayer (cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b) --- libavcodec/ffv1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 6b785a2855..c64a43e77b 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -521,8 +521,10 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { + av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); return AVERROR_INVALIDDATA; + } for (i = 0; i < f->quant_table_count; i++) { f->context_count[i] = read_quant_tables(c, f->quant_tables[i]); From 2789b48b4ef5b6548eaffeb9b532b2d8f4729db5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 13:21:58 +0100 Subject: [PATCH 490/492] avcodec/ffv1dec: Clear quant_table_count if its invalid Fixes deallocation of corrupted pointer Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi No releases affected Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb) Fixes ticket #5052. --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index c64a43e77b..3ed96501f1 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -523,6 +523,7 @@ static int read_extra_header(FFV1Context *f) f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); + f->quant_table_count = 0; return AVERROR_INVALIDDATA; } From f23efdd2401d452dcfcc004086283ebdc36cf7c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:06:04 +0100 Subject: [PATCH 491/492] swscale/x86/rgb2rgb_template: Do not crash on misaligend stride Fixes Ticket5013 Signed-off-by: Michael Niedermayer (cherry picked from commit 80bfce35ccd11458e97f68f417fc094c5347070c) --- libswscale/x86/rgb2rgb_template.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 80e5670465..bfcaead9d0 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1874,8 +1874,10 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16) + if (width >= 16 #if COMPILE_TEMPLATE_SSE2 + && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1895,6 +1897,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui : "memory", "%"REG_a"" ); #else + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" From 72006016ae70ab21dfc39d5e90d55f94182cbb1c Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 2 Mar 2016 11:20:07 +0100 Subject: [PATCH 492/492] doc/utils: fix typo for min() description Signed-off-by: Paul B Mahol (cherry picked from commit bdf474bcff29f5b40fe14f6fa1dbe10e69c73ab7) Signed-off-by: Timothy Gu --- doc/utils.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/utils.texi b/doc/utils.texi index 75f7fdcc99..eabf09bbf8 100644 --- a/doc/utils.texi +++ b/doc/utils.texi @@ -386,7 +386,7 @@ Return 1 if @var{x} is lesser than or equal to @var{y}, 0 otherwise. Return the maximum between @var{x} and @var{y}. @item min(x, y) -Return the maximum between @var{x} and @var{y}. +Return the minimum between @var{x} and @var{y}. @item mod(x, y) Compute the remainder of division of @var{x} by @var{y}.