From 90932a9e3cc2c26cf6d3edf406929dbd9a1ce2b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2015 23:19:54 +0200 Subject: [PATCH 001/380] add RELEASE_NOTES, based on previous --- RELEASE_NOTES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 RELEASE_NOTES diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..1451d33f91 --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌─────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 2.7 "Nash" │ + └─────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 2.7 "Nash", about 3 + months after the release of FFmpeg 2.6. + + A complete Changelog is available at the root of the project, and the + complete Git history on http://source.ffmpeg.org. + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + on the mailing-lists. From 0e9209183a272fa4063fa59e686149a1daa59a6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2015 23:21:20 +0200 Subject: [PATCH 002/380] Update for 2.7 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 3359b98d07..1effb00340 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.6.git +2.7 diff --git a/doc/Doxyfile b/doc/Doxyfile index 8697e6c551..0244e2b98b 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 2.7 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From f5bb7b99927d3b19a329b4f3a8990ae6f58693d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2015 23:54:46 +0200 Subject: [PATCH 003/380] MAINTAINERS: add 2.7 Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 598c0b30a6..795e90470b 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -545,6 +545,7 @@ x86 Michael Niedermayer Releases ======== +2.7 Michael Niedermayer 2.6 Michael Niedermayer 2.5 Michael Niedermayer 2.4 Michael Niedermayer From 6e94e77632df457da03b5c27fff8a1b976f6994d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jun 2015 00:47:43 +0200 Subject: [PATCH 004/380] avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet() Signed-off-by: Michael Niedermayer (cherry picked from commit 913685f55208efd78bfc34d82b261bd449e69774) Signed-off-by: Michael Niedermayer --- libavdevice/lavfi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/lavfi.c b/libavdevice/lavfi.c index 64db376899..126e5f62ce 100644 --- a/libavdevice/lavfi.c +++ b/libavdevice/lavfi.c @@ -411,7 +411,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt) continue; } else if (ret < 0) return ret; - d = av_rescale_q(frame->pts, tb, AV_TIME_BASE_Q); + d = av_rescale_q_rnd(frame->pts, tb, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX); av_dlog(avctx, "sink_idx:%d time:%f\n", i, d); av_frame_unref(frame); From 5a0862af55298259c4528645695c8348c830be38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jun 2015 11:37:48 +0200 Subject: [PATCH 005/380] avcodec/h264_slice: Use AVFrame diemensions for grayscale handling The AVFrame values are closer to the AVFrame bitmap changed instead of the AVCodecContext values, so this should be more robust Signed-off-by: Michael Niedermayer (cherry picked from commit aef0e0f009802f1a5e21eb6465498632071e4475) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index f12e4b75e8..9c4d613195 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -251,11 +251,11 @@ static int alloc_picture(H264Context *h, H264Picture *pic) av_pix_fmt_get_chroma_sub_sample(pic->f->format, &h_chroma_shift, &v_chroma_shift); - for(i=0; iavctx->height, v_chroma_shift); i++) { + for(i=0; if->height, v_chroma_shift); i++) { memset(pic->f->data[1] + pic->f->linesize[1]*i, - 0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift)); + 0x80, FF_CEIL_RSHIFT(pic->f->width, h_chroma_shift)); memset(pic->f->data[2] + pic->f->linesize[2]*i, - 0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift)); + 0x80, FF_CEIL_RSHIFT(pic->f->width, h_chroma_shift)); } } From 1051c152f97c0e22436fee3657dc7c31a229aba4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 10 Jun 2015 00:12:38 +0200 Subject: [PATCH 006/380] takdec: ensure chan2 is a valid channel index If chan2 is not smaller than the number of channels, it can cause segmentation faults due to dereferencing a NULL pointer. Signed-off-by: Andreas Cadhalpun Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 05c57ba2f42324da2fdc93d83d65bb68dd637613) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index a453da81ec..4225030376 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -801,6 +801,12 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->mcdparams[i].present) { s->mcdparams[i].index = get_bits(gb, 2); s->mcdparams[i].chan2 = get_bits(gb, 4); + if (s->mcdparams[i].chan2 >= avctx->channels) { + av_log(avctx, AV_LOG_ERROR, + "invalid channel 2 (%d) for %d channel(s)\n", + s->mcdparams[i].chan2, avctx->channels); + return AVERROR_INVALIDDATA; + } if (s->mcdparams[i].index == 1) { if ((nbit == s->mcdparams[i].chan2) || (ch_mask & 1 << s->mcdparams[i].chan2)) From 665b67014f871f97a0bc6d57a6233b46b0af6dac Mon Sep 17 00:00:00 2001 From: Deliang Fu Date: Wed, 10 Jun 2015 12:30:46 +0800 Subject: [PATCH 007/380] avformat: Fix bug in parse_rps for HEVC. Make the logic in libavformat/hevc.c parse_rps align with libavcodec/hevc_ps.c ff_hevc_decode_short_term_rps Signed-off-by: Michael Niedermayer (cherry picked from commit 6e1f8780c833ef55815111d4771b95ff78567cdb) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 16b06b4bf4..643b71596a 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -449,7 +449,7 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx, * * NumDeltaPocs[RefRpsIdx]: num_delta_pocs[rps_idx - 1] */ - for (i = 0; i < num_delta_pocs[rps_idx - 1]; i++) { + for (i = 0; i <= num_delta_pocs[rps_idx - 1]; i++) { uint8_t use_delta_flag = 0; uint8_t used_by_curr_pic_flag = get_bits1(gb); if (!used_by_curr_pic_flag) From 259bb2555b7030d1b099c563c18df8d3849b421d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Jun 2015 13:20:25 +0200 Subject: [PATCH 008/380] configure: Disable VSX on unspecified / generic CPUs Fixes fate tests on PPC64be Signed-off-by: Michael Niedermayer (cherry picked from commit 04f00022910c8b468fcf72c1f12ac410d3588802) Signed-off-by: Michael Niedermayer --- configure | 3 +++ 1 file changed, 3 insertions(+) diff --git a/configure b/configure index 58338082e3..0c907ff805 100755 --- a/configure +++ b/configure @@ -4033,6 +4033,9 @@ elif enabled ppc; then disable altivec disable dcbzl ;; + *) + disable vsx + ;; esac elif enabled sparc; then From 3b6aeb148b1da3b21a5a569f2697c7e49901d031 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 13 Jun 2015 17:47:13 -0300 Subject: [PATCH 009/380] avformat/singlejpeg: fix standalone compilation (cherry picked from commit 4aebaed0e17b396bd9d18acb8e58a4700c7559df) --- libavformat/rawenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rawenc.c b/libavformat/rawenc.c index e95cb6151d..e59f1ae95e 100644 --- a/libavformat/rawenc.c +++ b/libavformat/rawenc.c @@ -250,7 +250,9 @@ AVOutputFormat ff_mjpeg_muxer = { .write_packet = ff_raw_write_packet, .flags = AVFMT_NOTIMESTAMPS, }; +#endif +#if CONFIG_SINGLEJPEG_MUXER AVOutputFormat ff_singlejpeg_muxer = { .name = "singlejpeg", .long_name = NULL_IF_CONFIG_SMALL("JPEG single image"), From 965f96c5ed445c639377c977934ee3aecf505ca8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Jun 2015 15:36:20 +0200 Subject: [PATCH 010/380] ffmpeg_opt: Check for localtime() failure Found-by: Daemon404 Signed-off-by: Michael Niedermayer (cherry picked from commit 8e91d9652ea5048d9014e7636e12c6ed4732d7b7) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 1c5794ce09..79cb5caa34 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2438,6 +2438,9 @@ static int opt_vstats(void *optctx, const char *opt, const char *arg) time_t today2 = time(NULL); struct tm *today = localtime(&today2); + if (!today) + return AVERROR(errno); + snprintf(filename, sizeof(filename), "vstats_%02d%02d%02d.log", today->tm_hour, today->tm_min, today->tm_sec); return opt_vstats_file(NULL, opt, filename); From ed5041143edb9742860250de9bddc384dbd827cf Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 13 Jun 2015 13:09:21 +0200 Subject: [PATCH 011/380] configure: only disable VSX for !ppc64el This reverts commit 04f0002, which made it impossible to enable VSX with a generic cpu. This changes the behavior back to what it was before commit b0af404. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 45babb01217f4cf776c50f1bec8ced0065277c89) Signed-off-by: Michael Niedermayer --- configure | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configure b/configure index 0c907ff805..06a9941695 100755 --- a/configure +++ b/configure @@ -4033,9 +4033,6 @@ elif enabled ppc; then disable altivec disable dcbzl ;; - *) - disable vsx - ;; esac elif enabled sparc; then @@ -4610,6 +4607,9 @@ unsigned int endian = 'B' << 24 | 'I' << 16 | 'G' << 8 | 'E'; EOF od -t x1 $TMPO | grep -q '42 *49 *47 *45' && enable bigendian +if ! enabled ppc64 || enabled bigendian; then + disable vsx +fi check_gas() { log "check_gas using '$as' as AS" From 265db4154097a754107dcc7dcd8e13a8bd755db1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 13 Jun 2015 21:34:40 +0200 Subject: [PATCH 012/380] doc: fix spelling errors Neccessary -> Necessary formated -> formatted thee -> the eventhough -> even though seperately -> separately Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ed0b1db640110cccdbf0db1d882fb952cf3a130d) Signed-off-by: Michael Niedermayer --- doc/examples/transcoding.c | 2 +- libavcodec/ass_split.h | 2 +- libavcodec/bitstream.c | 2 +- libavformat/avio.h | 2 +- libavformat/flvenc.c | 2 +- libavutil/log.h | 2 +- libavutil/pixfmt.h | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/examples/transcoding.c b/doc/examples/transcoding.c index 2a8220eefa..980e1f101b 100644 --- a/doc/examples/transcoding.c +++ b/doc/examples/transcoding.c @@ -117,7 +117,7 @@ static int open_output_file(const char *filename) /* in this example, we choose transcoding to same codec */ encoder = avcodec_find_encoder(dec_ctx->codec_id); if (!encoder) { - av_log(NULL, AV_LOG_FATAL, "Neccessary encoder not found\n"); + av_log(NULL, AV_LOG_FATAL, "Necessary encoder not found\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/ass_split.h b/libavcodec/ass_split.h index c9122526c0..defb5ccd74 100644 --- a/libavcodec/ass_split.h +++ b/libavcodec/ass_split.h @@ -103,7 +103,7 @@ typedef struct ASSSplitContext ASSSplitContext; * Split a full ASS file or a ASS header from a string buffer and store * the split structure in a newly allocated context. * - * @param buf String containing the ASS formated data. + * @param buf String containing the ASS formatted data. * @return Newly allocated struct containing split data. */ ASSSplitContext *ff_ass_split(const char *buf); diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index 20eae6b1bf..00742349f2 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -247,7 +247,7 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, /* Build VLC decoding tables suitable for use with get_vlc(). - 'nb_bits' set thee decoding table size (2^nb_bits) entries. The + 'nb_bits' set the decoding table size (2^nb_bits) entries. The bigger it is, the faster is the decoding. But it should not be too big to save memory and L1 cache. '9' is a good compromise. diff --git a/libavformat/avio.h b/libavformat/avio.h index 5c5aa6d0f0..073059347b 100644 --- a/libavformat/avio.h +++ b/libavformat/avio.h @@ -79,7 +79,7 @@ typedef struct AVIODirEntry { char *name; /**< Filename */ int type; /**< Type of the entry */ int utf8; /**< Set to 1 when name is encoded with UTF-8, 0 otherwise. - Name can be encoded with UTF-8 eventhough 0 is set. */ + Name can be encoded with UTF-8 even though 0 is set. */ int64_t size; /**< File size in bytes, -1 if unknown. */ int64_t modification_timestamp; /**< Time of last modification in microseconds since unix epoch, -1 if unknown. */ diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index e4717ca5d2..e217ba8a82 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -562,7 +562,7 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) } if (enc->codec_id == AV_CODEC_ID_H264 || enc->codec_id == AV_CODEC_ID_MPEG4) { - /* check if extradata looks like mp4 formated */ + /* check if extradata looks like mp4 formatted */ if (enc->extradata_size > 0 && *(uint8_t*)enc->extradata != 1) if ((ret = ff_avc_parse_nal_units_buf(pkt->data, &data, &size)) < 0) return ret; diff --git a/libavutil/log.h b/libavutil/log.h index 57769b803c..db7eb3f719 100644 --- a/libavutil/log.h +++ b/libavutil/log.h @@ -309,7 +309,7 @@ AVClassCategory av_default_get_category(void *ptr); /** * Format a line of log the same way as the default callback. - * @param line buffer to receive the formated line + * @param line buffer to receive the formatted line * @param line_size size of the buffer * @param print_prefix used to store whether the prefix must be printed; * must point to a persistent integer initially set to 1 diff --git a/libavutil/pixfmt.h b/libavutil/pixfmt.h index 58e354476d..eef64449b2 100644 --- a/libavutil/pixfmt.h +++ b/libavutil/pixfmt.h @@ -530,7 +530,7 @@ enum AVColorRange { * Illustration showing the location of the first (top left) chroma sample of the * image, the left shows only luma, the right * shows the location of the chroma sample, the 2 could be imagined to overlay - * each other but are drawn seperately due to limitations of ASCII + * each other but are drawn separately due to limitations of ASCII * * 1st 2nd 1st 2nd horizontal luma sample positions * v v v v From 3ba55ea4aec2ce6c179017e12a933e20a20a14d1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 14 Jun 2015 12:40:18 +0200 Subject: [PATCH 013/380] h264: er: Copy from the previous reference only if compatible Also use the frame pixel format instead of the one from the codec context, which is more robust. Signed-off-by: Luca Barbato Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit fdc64a104410f5fcc7f35b62287b0ae502b7061a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 9c4d613195..0712f2d73a 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1549,12 +1549,15 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) * vectors. Given we are concealing a lost frame, this probably * is not noticeable by comparison, but it should be fixed. */ if (h->short_ref_count) { - if (prev) { + if (prev && + h->short_ref[0]->f->width == prev->f->width && + h->short_ref[0]->f->height == prev->f->height && + h->short_ref[0]->f->format == prev->f->format) { av_image_copy(h->short_ref[0]->f->data, h->short_ref[0]->f->linesize, (const uint8_t **)prev->f->data, prev->f->linesize, - h->avctx->pix_fmt, + prev->f->format, h->mb_width * 16, h->mb_height * 16); h->short_ref[0]->poc = prev->poc + 2; From 8a24ccfee3841d5b2069371b78921e7e6c8289dc Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 14 Jun 2015 20:34:16 +0200 Subject: [PATCH 014/380] examples/demuxing_decoding: use properties from frame instead of video_dec_ctx This is more robust. And only check if there is actually a frame returned. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit dd6c8575dbc8d3ff5dc2ffacb5028c253066ff78) Signed-off-by: Michael Niedermayer --- doc/examples/demuxing_decoding.c | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/doc/examples/demuxing_decoding.c b/doc/examples/demuxing_decoding.c index feeeb967f8..98b3a83097 100644 --- a/doc/examples/demuxing_decoding.c +++ b/doc/examples/demuxing_decoding.c @@ -81,22 +81,24 @@ static int decode_packet(int *got_frame, int cached) fprintf(stderr, "Error decoding video frame (%s)\n", av_err2str(ret)); return ret; } - if (video_dec_ctx->width != width || video_dec_ctx->height != height || - video_dec_ctx->pix_fmt != pix_fmt) { - /* To handle this change, one could call av_image_alloc again and - * decode the following frames into another rawvideo file. */ - fprintf(stderr, "Error: Width, height and pixel format have to be " - "constant in a rawvideo file, but the width, height or " - "pixel format of the input video changed:\n" - "old: width = %d, height = %d, format = %s\n" - "new: width = %d, height = %d, format = %s\n", - width, height, av_get_pix_fmt_name(pix_fmt), - video_dec_ctx->width, video_dec_ctx->height, - av_get_pix_fmt_name(video_dec_ctx->pix_fmt)); - return -1; - } if (*got_frame) { + + if (frame->width != width || frame->height != height || + frame->format != pix_fmt) { + /* To handle this change, one could call av_image_alloc again and + * decode the following frames into another rawvideo file. */ + fprintf(stderr, "Error: Width, height and pixel format have to be " + "constant in a rawvideo file, but the width, height or " + "pixel format of the input video changed:\n" + "old: width = %d, height = %d, format = %s\n" + "new: width = %d, height = %d, format = %s\n", + width, height, av_get_pix_fmt_name(pix_fmt), + frame->width, frame->height, + av_get_pix_fmt_name(frame->format)); + return -1; + } + printf("video_frame%s n:%d coded_n:%d pts:%s\n", cached ? "(cached)" : "", video_frame_count++, frame->coded_picture_number, From 9473e5a05d2cbdd56a7e3923868451a07a0edfe0 Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 17 Jun 2015 00:21:02 +0200 Subject: [PATCH 015/380] avio: fix potential crashes when combining ffio_ensure_seekback + crc Calling ffio_ensure_seekback() if ffio_init_checksum() has been called on the same context can lead to out of bounds memory accesses and crashes. The reason is that ffio_ensure_seekback() does not update checksum_ptr after reallocating the buffer, resulting in a dangling pointer. This effectively fixes potential crashes when opening mp3 files. Signed-off-by: Michael Niedermayer (cherry picked from commit dc87758775e2ce8be84e4fe598e12416e83d2845) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 45400cd01d..392b369a78 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -812,6 +812,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE; int filled = s->buf_end - s->buffer; + ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1; buf_size += s->buf_ptr - s->buffer + max_buffer_size; @@ -829,6 +830,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) s->buf_end = buffer + (s->buf_end - s->buffer); s->buffer = buffer; s->buffer_size = buf_size; + if (checksum_ptr_offset >= 0) + s->checksum_ptr = s->buffer + checksum_ptr_offset; return 0; } From 08fadda68aebdc0b28c6e2816b77875ee50d6faf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jun 2015 00:34:59 +0200 Subject: [PATCH 016/380] avcodec/ffv1enc: fix bps for >8bit yuv when not explicitly set Fixes Ticket4636 Signed-off-by: Michael Niedermayer (cherry picked from commit 3a6a8f6ee1cb619913b87b6c78e0436303e2a35f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index af727a5cd5..45ab3a39a3 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -753,7 +753,7 @@ static av_cold int encode_init(AVCodecContext *avctx) s->chroma_planes = desc->nb_components < 3 ? 0 : 1; s->colorspace = 0; s->transparency = desc->nb_components == 4; - if (!avctx->bits_per_raw_sample) + if (!avctx->bits_per_raw_sample && !s->bits_per_raw_sample) s->bits_per_raw_sample = 8; break; case AV_PIX_FMT_RGB32: From e04ae11fa06a6b156f077b91f4d7de9014c82006 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jun 2015 05:27:08 +0200 Subject: [PATCH 017/380] ffmpeg: Free last_frame instead of just unref Fixes Ticket4611 Signed-off-by: Michael Niedermayer (cherry picked from commit d1050d9950610aa2b27878b67bb2b902dd717e7c) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg.c b/ffmpeg.c index 40d929dac2..f5029987ad 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1178,6 +1178,8 @@ static void do_video_out(AVFormatContext *s, av_frame_unref(ost->last_frame); if (next_picture) av_frame_ref(ost->last_frame, next_picture); + else + av_frame_free(&ost->last_frame); } static double psnr(double d) From 6432f8826dd15ec9ce966249f4dc6933f94cf04f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jun 2015 18:03:21 +0200 Subject: [PATCH 018/380] avcodec/hevc_ps: Only discard overread VPS if a previous is available Fixes Ticket4621 Signed-off-by: Michael Niedermayer (cherry picked from commit 57078e4d255a06246fef27846073f5ffb312b5dc) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index ced0600e32..757f66625c 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -499,7 +499,8 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) if (get_bits_left(gb) < 0) { av_log(s->avctx, AV_LOG_ERROR, "Overread VPS by %d bits\n", -get_bits_left(gb)); - goto err; + if (s->vps_list[vps_id]) + goto err; } if (s->vps_list[vps_id] && From c3c8365dbd3b677207998e5120f7b78850e3532c Mon Sep 17 00:00:00 2001 From: wm4 Date: Sat, 13 Jun 2015 23:55:21 +0200 Subject: [PATCH 019/380] tls_gnutls: fix hang on disconnection GNUTLS_SHUT_RDWR means GnuTLS will keep waiting for the server's termination reply. But since we don't shutdown the TCP connection at this point yet, GnuTLS will just keep skipping actual data from the server, which basically is perceived as hang. Use GNUTLS_SHUT_WR instead, which doesn't have this problem. Signed-off-by: Michael Niedermayer (cherry picked from commit 2222f419da99ef85d49ab04e7e15b76612f4d054) Signed-off-by: Michael Niedermayer --- libavformat/tls_gnutls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c index 942ece97ed..6388f37a8e 100644 --- a/libavformat/tls_gnutls.c +++ b/libavformat/tls_gnutls.c @@ -87,7 +87,7 @@ static int tls_close(URLContext *h) { TLSContext *c = h->priv_data; if (c->need_shutdown) - gnutls_bye(c->session, GNUTLS_SHUT_RDWR); + gnutls_bye(c->session, GNUTLS_SHUT_WR); if (c->session) gnutls_deinit(c->session); if (c->cred) From a9b600cf3995bc075090f4f1dbfbf772e21a4d5b Mon Sep 17 00:00:00 2001 From: George Boyle Date: Tue, 16 Jun 2015 08:25:01 +0100 Subject: [PATCH 020/380] avcodec/flacenc: Fix Invalid Rice order Fixes ticket #4628. The problem arose, in the sample file at least, in the last block where the minimum and maximum Rice partition orders were both 0. In that case, and any other where pmax == pmin, the original UINT32_MAX placeholder value for bits[opt_porder] was getting overwritten before the comparison to check if the current partition order is a new optimal, so the correct partition order and RiceContext params were not being set. Signed-off-by: Michael Niedermayer (cherry picked from commit 2469ed32c81ebf2347e6883091c566724b286167) --- libavcodec/flacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c index cdfeaf87cd..29bd9999b5 100644 --- a/libavcodec/flacenc.c +++ b/libavcodec/flacenc.c @@ -705,7 +705,7 @@ static uint64_t calc_rice_params(RiceContext *rc, bits[pmin] = UINT32_MAX; for (i = pmax; ; ) { bits[i] = calc_optimal_rice_params(&tmp_rc, i, sums, n, pred_order, kmax, exact); - if (bits[i] < bits[opt_porder]) { + if (bits[i] < bits[opt_porder] || pmax == pmin) { opt_porder = i; *rc = tmp_rc; } From 8749b83e0be1b290ae2605f11684d096cc85098f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jun 2015 14:40:11 +0200 Subject: [PATCH 021/380] avcodec/libx264: Avoid reconfig on equivalent aspect ratios Workaround for ticket #4287. Signed-off-by: Michael Niedermayer (cherry picked from commit 7b1c03aa744f1f82fe30ea2cd2aeef2ea01d5ce9) Conflicts: libavcodec/libx264.c --- libavcodec/libx264.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index 9020a40495..d25f69afbb 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -191,8 +191,7 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame, x4->params.b_tff = frame->top_field_first; x264_encoder_reconfig(x4->enc, &x4->params); } - if (x4->params.vui.i_sar_height != ctx->sample_aspect_ratio.den || - x4->params.vui.i_sar_width != ctx->sample_aspect_ratio.num) { + if (x4->params.vui.i_sar_height*ctx->sample_aspect_ratio.num != ctx->sample_aspect_ratio.den * x4->params.vui.i_sar_width) { x4->params.vui.i_sar_height = ctx->sample_aspect_ratio.den; x4->params.vui.i_sar_width = ctx->sample_aspect_ratio.num; x264_encoder_reconfig(x4->enc, &x4->params); From 93d076b4fde12f11c67dcea86a27cc9770450fd4 Mon Sep 17 00:00:00 2001 From: wm4 Date: Thu, 18 Jun 2015 20:36:19 +0200 Subject: [PATCH 022/380] avformat: clarify what package needs to be compiled with SSL support Try to reduce user confusion. Signed-off-by: Michael Niedermayer (cherry picked from commit f6c3f1ed6048ebc55f652ed59f7af9acebbf57e5) Signed-off-by: Michael Niedermayer --- libavformat/avio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index deeb87f9ec..261ff2af98 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -263,7 +263,7 @@ int ffurl_alloc(URLContext **puc, const char *filename, int flags, *puc = NULL; if (av_strstart(filename, "https:", NULL)) - av_log(NULL, AV_LOG_WARNING, "https protocol not found, recompile with " + av_log(NULL, AV_LOG_WARNING, "https protocol not found, recompile FFmpeg with " "openssl, gnutls,\n" "or securetransport enabled.\n"); return AVERROR_PROTOCOL_NOT_FOUND; From 250cf2d4dae0baf14ecdd6744c9555d24a6668ff Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 17 Jun 2015 19:02:15 +0200 Subject: [PATCH 023/380] vp9: don't retain NULL as segmentation_map This fixes segmentation faults, which were introduced in commit 4ba8f327. Reviewed-by: Ronald S. Bultje Signed-off-by: Andreas Cadhalpun (cherry picked from commit d216b9debd9843d31732ebb7344a85b3cd96b7cc) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index d5147e5b04..b9d207a79c 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -3988,7 +3988,8 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, int size = pkt->size; VP9Context *s = ctx->priv_data; int res, tile_row, tile_col, i, ref, row, col; - int retain_segmap_ref = s->segmentation.enabled && !s->segmentation.update_map; + int retain_segmap_ref = s->segmentation.enabled && !s->segmentation.update_map + && s->frames[REF_FRAME_SEGMAP].segmentation_map; ptrdiff_t yoff, uvoff, ls_y, ls_uv; AVFrame *f; int bytesperpixel; From bea4894d0c429fee33ac5c9f8a0874404638d816 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 18 Jun 2015 20:15:12 +0200 Subject: [PATCH 024/380] postproc: fix unaligned access QP_store is only 8-bit-aligned, so accessing it as uint32_t causes SIGBUS crashes on sparc. The AV_RN32/AV_WN32 macros only do unaligned access in the HAVE_FAST_UNALIGNED case. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 590743101dc934043f34013f1c9bb9fb261355b0) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 92cc4367d0..3b86f93980 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -76,6 +76,7 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks #include "config.h" #include "libavutil/avutil.h" #include "libavutil/avassert.h" +#include "libavutil/intreadwrite.h" #include #include #include @@ -997,7 +998,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], int i; const int count= FFMAX(mbHeight * QPStride, mbWidth); for(i=0; i<(count>>2); i++){ - ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; + AV_WN32(c->nonBQPTable + (i<<2), AV_RN32(QP_store + (i<<2)) & 0x3F3F3F3F); } for(i<<=2; inonBQPTable[i] = QP_store[i] & 0x3F; From 23614d09d51178a0be368d5fdf39a6f014f46988 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jun 2015 15:57:32 +0200 Subject: [PATCH 025/380] avutil/avstring: Do not print NULL Fixes segfault Fixes Ticket4452 Signed-off-by: Michael Niedermayer (cherry picked from commit 52e02a9e59f83ede84363d0f035389e44357d4a5) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/avstring.c b/libavutil/avstring.c index f785816063..5fa295d5e1 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -502,7 +502,7 @@ int main(void) printf("Testing av_append_path_component()\n"); #define TEST_APPEND_PATH_COMPONENT(path, component, expected) \ fullpath = av_append_path_component((path), (component)); \ - printf("%s = %s\n", fullpath, expected); \ + printf("%s = %s\n", fullpath ? fullpath : "(null)", expected); \ av_free(fullpath); TEST_APPEND_PATH_COMPONENT(NULL, NULL, "(null)") TEST_APPEND_PATH_COMPONENT("path", NULL, "path"); From 157dd527008cf3569853dd75dc808021a6a1f62e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jun 2015 16:46:06 +0200 Subject: [PATCH 026/380] avcodec/dpxenc: implement write16/32 as functions Fixes undefined behavior and segfault Signed-off-by: Michael Niedermayer (cherry picked from commit 8edc17b639c4ac47913c467107ffb43c67c64890) Signed-off-by: Michael Niedermayer --- libavcodec/dpxenc.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/libavcodec/dpxenc.c b/libavcodec/dpxenc.c index aca745bb58..76aa0cc473 100644 --- a/libavcodec/dpxenc.c +++ b/libavcodec/dpxenc.c @@ -75,17 +75,20 @@ static av_cold int encode_init(AVCodecContext *avctx) return 0; } -#define write16(p, value) \ -do { \ - if (s->big_endian) AV_WB16(p, value); \ - else AV_WL16(p, value); \ -} while(0) +static av_always_inline void write16_internal(int big_endian, void *p, int value) +{ + if (big_endian) AV_WB16(p, value); + else AV_WL16(p, value); +} -#define write32(p, value) \ -do { \ - if (s->big_endian) AV_WB32(p, value); \ - else AV_WL32(p, value); \ -} while(0) +static av_always_inline void write32_internal(int big_endian, void *p, int value) +{ + if (big_endian) AV_WB32(p, value); + else AV_WL32(p, value); +} + +#define write16(p, value) write16_internal(s->big_endian, p, value) +#define write32(p, value) write32_internal(s->big_endian, p, value) static void encode_rgb48_10bit(AVCodecContext *avctx, const AVPicture *pic, uint8_t *dst) { From 7cbceb16ade6937d0f8b5e7d92e8acfc1a00f088 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jun 2015 19:03:00 +0200 Subject: [PATCH 027/380] Update for 2.7.1 Signed-off-by: Michael Niedermayer --- Changelog | 21 +++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index aa5753eadf..8c2c45826b 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,27 @@ releases are sorted from youngest to oldest. version : +version 2.7.1: +- postproc: fix unaligned access +- avformat: clarify what package needs to be compiled with SSL support +- avcodec/libx264: Avoid reconfig on equivalent aspect ratios +- avcodec/flacenc: Fix Invalid Rice order +- tls_gnutls: fix hang on disconnection +- avcodec/hevc_ps: Only discard overread VPS if a previous is available +- ffmpeg: Free last_frame instead of just unref +- avcodec/ffv1enc: fix bps for >8bit yuv when not explicitly set +- avio: fix potential crashes when combining ffio_ensure_seekback + crc +- examples/demuxing_decoding: use properties from frame instead of video_dec_ctx +- h264: er: Copy from the previous reference only if compatible +- doc: fix spelling errors +- configure: only disable VSX for !ppc64el +- ffmpeg_opt: Check for localtime() failure +- avformat/singlejpeg: fix standalone compilation +- configure: Disable VSX on unspecified / generic CPUs +- avformat: Fix bug in parse_rps for HEVC. +- takdec: ensure chan2 is a valid channel index +- avcodec/h264_slice: Use AVFrame dimensions for grayscale handling + version 2.7: - FFT video filter diff --git a/RELEASE b/RELEASE index 1effb00340..860487ca19 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.7 +2.7.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0244e2b98b..0f847afa0c 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.7 +PROJECT_NUMBER = 2.7.1 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From d89cd16afa97771f2950b2ee783e9b4ad6e75b57 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 15 Jun 2015 20:59:22 +0200 Subject: [PATCH 028/380] matroskadec: check audio sample rate And default to 8000 if it is invalid. An invalid sample rate can trigger av_assert2 in av_rescale_rnd. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5b76c82fd7a5f4f36bb901b8c43d7f7319599599) Signed-off-by: Andreas Cadhalpun --- libavformat/matroskadec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 16063412de..9cb52f95ee 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1668,6 +1668,14 @@ static int matroska_parse_tracks(AVFormatContext *s) if (!track->codec_id) continue; + if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX || + isnan(track->audio.samplerate)) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Invalid sample rate %f, defaulting to 8000 instead.\n", + track->audio.samplerate); + track->audio.samplerate = 8000; + } + if (track->type == MATROSKA_TRACK_TYPE_VIDEO) { if (!track->default_duration && track->video.frame_rate > 0) track->default_duration = 1000000000 / track->video.frame_rate; From 973e67e5d2d491c9687d4e3cb6d9c0e1563fc6ce Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 15 Jun 2015 21:06:51 +0200 Subject: [PATCH 029/380] matroskadec: validate audio channels and bitdepth In the TTA extradata re-construction the values are written with avio_wl16 and if they don't fit into uint16_t, this triggers an av_assert2 in avio_w8. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 92e79a2f7bf2f8bb0cb2d1a3e4d76737557071c4) Signed-off-by: Andreas Cadhalpun --- libavformat/matroskadec.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 9cb52f95ee..ca43c28c6b 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1877,6 +1877,18 @@ static int matroska_parse_tracks(AVFormatContext *s) NULL, NULL, NULL, NULL); avio_write(&b, "TTA1", 4); avio_wl16(&b, 1); + if (track->audio.channels > UINT16_MAX || + track->audio.bitdepth > UINT16_MAX) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Too large audio channel number %"PRIu64 + " or bitdepth %"PRIu64". Skipping track.\n", + track->audio.channels, track->audio.bitdepth); + av_freep(&extradata); + if (matroska->ctx->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + continue; + } avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) From 73e7fe8e648a9d666338691fd30c6c080ee808b1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 13 Jun 2015 20:24:27 +0200 Subject: [PATCH 030/380] configure: make makeinfo_html check more robust The current check is too strict for newer makeinfo versions. Existing version strings are: makeinfo (GNU texinfo) 4.13 makeinfo (GNU texinfo) 5.2 texi2any (GNU texinfo) 5.9.93 Probably version 6 will come in the not too far future. Reviewed-by: Timothy Gu Signed-off-by: Andreas Cadhalpun (cherry picked from commit 72654526e4489c0aac05d25cfeca5bbba26026b3) Signed-off-by: Andreas Cadhalpun --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 06a9941695..3960b735c1 100755 --- a/configure +++ b/configure @@ -5239,8 +5239,8 @@ disabled securetransport || { check_func SecIdentityCreate "-Wl,-framework,CoreF enable securetransport; } makeinfo --version > /dev/null 2>&1 && enable makeinfo || disable makeinfo -enabled makeinfo && (makeinfo --version | \ - grep -q 'makeinfo (GNU texinfo) 5' > /dev/null 2>&1) \ +enabled makeinfo \ + && [ 0$(makeinfo --version | grep "texinfo" | sed 's/.*texinfo[^0-9]*\([0-9]*\)\..*/\1/') -ge 5 ] \ && enable makeinfo_html || disable makeinfo_html disabled makeinfo_html && texi2html --help 2> /dev/null | grep -q 'init-file' && enable texi2html || disable texi2html perl -v > /dev/null 2>&1 && enable perl || disable perl From 620197d1ffea20e9168372c354438f1c1e926ecd Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 14 Jun 2015 20:28:28 +0200 Subject: [PATCH 031/380] doc: avoid incorrect phrase 'allows to' Also fix typo found by Lou Logan: Sacrifying -> Sacrificing Reviewed-by: Lou Logan Signed-off-by: Andreas Cadhalpun (cherry picked from commit 28efeb6502df37c99ccf18575d2552381d83a877) Signed-off-by: Andreas Cadhalpun --- Changelog | 2 +- doc/decoders.texi | 2 +- libavcodec/bitstream.c | 2 +- libavcodec/libspeexenc.c | 2 +- libavcodec/ppc/me_cmp.c | 2 +- libavcodec/vp9.c | 2 +- libavcodec/x86/vc1dsp_mmx.c | 2 +- libavdevice/alsa_dec.c | 2 +- libavdevice/alsa_enc.c | 2 +- libavdevice/avdevice.h | 2 +- libavformat/avformat.h | 6 +++--- libavutil/opt.h | 2 +- 12 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Changelog b/Changelog index 8c2c45826b..b484505321 100644 --- a/Changelog +++ b/Changelog @@ -594,7 +594,7 @@ easier to use. The changes are: all the stream in the first input file, except for the second audio stream'. * There is a new option -c (or -codec) for choosing the decoder/encoder to - use, which allows to precisely specify target stream(s) consistently with + use, which makes it possible to precisely specify target stream(s) consistently with other options. E.g. -c:v lib264 sets the codec for all video streams, -c:a:0 libvorbis sets the codec for the first audio stream and -c copy copies all the streams without reencoding. Old -vcodec/-acodec/-scodec options are now diff --git a/doc/decoders.texi b/doc/decoders.texi index 68196cf111..2fb533ae2d 100644 --- a/doc/decoders.texi +++ b/doc/decoders.texi @@ -95,7 +95,7 @@ This decoder aims to implement the complete FLAC specification from Xiph. @item -use_buggy_lpc The lavc FLAC encoder used to produce buggy streams with high lpc values -(like the default value). This option allows to decode such streams +(like the default value). This option makes it possible to decode such streams correctly by using lavc's old buggy lpc logic for decoding. @end table diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index 00742349f2..924cc519a2 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -265,7 +265,7 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, 'xxx_size' : gives the number of bytes of each entry of the 'bits' or 'codes' tables. - 'wrap' and 'size' allows to use any memory configuration and types + 'wrap' and 'size' make it possible to use any memory configuration and types (byte/word/long) to store the 'bits', 'codes', and 'symbols' tables. 'use_static' should be set to 1 for tables, which should be freed diff --git a/libavcodec/libspeexenc.c b/libavcodec/libspeexenc.c index 22d0d6ef3d..fac8e725ac 100644 --- a/libavcodec/libspeexenc.c +++ b/libavcodec/libspeexenc.c @@ -76,7 +76,7 @@ * encodes them with just enough bits to reproduce the background noise. * * Discontinuous Transmission (DTX) - * DTX is an addition to VAD/VBR operation, that allows to stop transmitting + * DTX is an addition to VAD/VBR operation, that makes it possible to stop transmitting * completely when the background noise is stationary. * In file-based operation only 5 bits are used for such frames. */ diff --git a/libavcodec/ppc/me_cmp.c b/libavcodec/ppc/me_cmp.c index 38a7ba1476..9f75ed256a 100644 --- a/libavcodec/ppc/me_cmp.c +++ b/libavcodec/ppc/me_cmp.c @@ -504,7 +504,7 @@ static int hadamard8_diff8x8_altivec(MpegEncContext *s, uint8_t *dst, } /* - * 16x8 works with 16 elements; it allows to avoid replicating loads, and + * 16x8 works with 16 elements; it can avoid replicating loads, and * gives the compiler more room for scheduling. It's only used from * inside hadamard8_diff16_altivec. * diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index b9d207a79c..9d9326c247 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -3286,7 +3286,7 @@ static void decode_b(AVCodecContext *ctx, int row, int col, } // emulated overhangs if the stride of the target buffer can't hold. This - // allows to support emu-edge and so on even if we have large block + // makes it possible to support emu-edge and so on even if we have large block // overhangs emu[0] = (col + w4) * 8 > f->linesize[0] || (row + h4) > s->rows; diff --git a/libavcodec/x86/vc1dsp_mmx.c b/libavcodec/x86/vc1dsp_mmx.c index f11170c075..a7eb59df47 100644 --- a/libavcodec/x86/vc1dsp_mmx.c +++ b/libavcodec/x86/vc1dsp_mmx.c @@ -80,7 +80,7 @@ "movq %%mm"#R1", "#OFF"(%1) \n\t" \ "add %2, %0 \n\t" -/** Sacrifying mm6 allows to pipeline loads from src */ +/** Sacrificing mm6 makes it possible to pipeline loads from src */ static void vc1_put_ver_16b_shift2_mmx(int16_t *dst, const uint8_t *src, x86_reg stride, int rnd, int64_t shift) diff --git a/libavdevice/alsa_dec.c b/libavdevice/alsa_dec.c index 286af650c7..b8e957a5e2 100644 --- a/libavdevice/alsa_dec.c +++ b/libavdevice/alsa_dec.c @@ -27,7 +27,7 @@ * @author Benoit Fouet ( benoit fouet free fr ) * @author Nicolas George ( nicolas george normalesup org ) * - * This avdevice decoder allows to capture audio from an ALSA (Advanced + * This avdevice decoder can capture audio from an ALSA (Advanced * Linux Sound Architecture) device. * * The filename parameter is the name of an ALSA PCM device capable of diff --git a/libavdevice/alsa_enc.c b/libavdevice/alsa_enc.c index fb428f0623..10289a91a3 100644 --- a/libavdevice/alsa_enc.c +++ b/libavdevice/alsa_enc.c @@ -26,7 +26,7 @@ * @author Luca Abeni ( lucabe72 email it ) * @author Benoit Fouet ( benoit fouet free fr ) * - * This avdevice encoder allows to play audio to an ALSA (Advanced Linux + * This avdevice encoder can play audio to an ALSA (Advanced Linux * Sound Architecture) device. * * The filename parameter is the name of an ALSA PCM device capable of diff --git a/libavdevice/avdevice.h b/libavdevice/avdevice.h index 2d675b012d..6b0446cde7 100644 --- a/libavdevice/avdevice.h +++ b/libavdevice/avdevice.h @@ -324,7 +324,7 @@ int avdevice_dev_to_app_control_message(struct AVFormatContext *s, * Following API allows user to probe device capabilities (supported codecs, * pixel formats, sample formats, resolutions, channel counts, etc). * It is build on top op AVOption API. - * Queried capabilities allows to set up converters of video or audio + * Queried capabilities make it possible to set up converters of video or audio * parameters that fit to the device. * * List of capabilities that can be queried: diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 719c23b33c..fb69852f45 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -67,7 +67,7 @@ * with an AVFMT_NOFILE format). * * @section lavf_options Passing options to (de)muxers - * Lavf allows to configure muxers and demuxers using the @ref avoptions + * It is possible to configure lavf muxers and demuxers using the @ref avoptions * mechanism. Generic (format-independent) libavformat options are provided by * AVFormatContext, they can be examined from a user program by calling * av_opt_next() / av_opt_find() on an allocated AVFormatContext (or its AVClass @@ -234,7 +234,7 @@ * @defgroup lavf_io I/O Read/Write * @{ * @section lavf_io_dirlist Directory listing - * The directory listing API allows to list files on remote servers. + * The directory listing API makes it possible to list files on remote servers. * * Some of possible use cases: * - an "open file" dialog to choose files from a remote location, @@ -2361,7 +2361,7 @@ int av_write_uncoded_frame(AVFormatContext *s, int stream_index, /** * Write a uncoded frame to an output media file. * - * If the muxer supports it, this function allows to write an AVFrame + * If the muxer supports it, this function makes it possible to write an AVFrame * structure directly, without encoding it into a packet. * It is mostly useful for devices and similar special muxers that use raw * video or PCM data and will not serialize it into a byte stream. diff --git a/libavutil/opt.h b/libavutil/opt.h index 5fc8a9b58a..0bc0d30972 100644 --- a/libavutil/opt.h +++ b/libavutil/opt.h @@ -213,7 +213,7 @@ * In some cases it may be more convenient to put all options into an * AVDictionary and call av_opt_set_dict() on it. A specific case of this * are the format/codec open functions in lavf/lavc which take a dictionary - * filled with option as a parameter. This allows to set some options + * filled with option as a parameter. This makes it possible to set some options * that cannot be set otherwise, since e.g. the input file format is not known * before the file is actually opened. */ From 071d7f4e179a18a403063c57f92664e8079def09 Mon Sep 17 00:00:00 2001 From: Gwenole Beauchesne Date: Tue, 23 Jun 2015 11:35:45 +0200 Subject: [PATCH 032/380] vaapi_h264: fix RefPicList[] field flags. Use new H264Ref.reference field to track field picture flags. The H264Picture.reference flag in DPB is now irrelevant here. This is a regression from git commit d8151a7, and that affected multiple interlaced video streams. Signed-off-by: Gwenole Beauchesne (cherry picked from commit 88325c2e0b63abf4c3482cecd43870015123764a) --- libavcodec/vaapi_h264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vaapi_h264.c b/libavcodec/vaapi_h264.c index eef3c29ab5..151aca9e18 100644 --- a/libavcodec/vaapi_h264.c +++ b/libavcodec/vaapi_h264.c @@ -162,7 +162,8 @@ static void fill_vaapi_RefPicList(VAPictureH264 RefPicList[32], unsigned int i, n = 0; for (i = 0; i < ref_count; i++) if (ref_list[i].reference) - fill_vaapi_pic(&RefPicList[n++], ref_list[i].parent, 0); + fill_vaapi_pic(&RefPicList[n++], ref_list[i].parent, + ref_list[i].reference); for (; n < 32; n++) init_vaapi_pic(&RefPicList[n]); From 459090181fe53cea5cf43982b363d8a98fc60a50 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 19 Jun 2015 12:11:16 +0200 Subject: [PATCH 033/380] library.mak: Workaround SDL redefining main and breaking fate tests on mingw Fixes Ticket3368 Commit message by commiter Signed-off-by: Michael Niedermayer (cherry picked from commit a9af9da6311b4ba50abe55d14d42a4d4818e83d8) --- library.mak | 1 + 1 file changed, 1 insertion(+) diff --git a/library.mak b/library.mak index 7c260245a4..29460b8e75 100644 --- a/library.mak +++ b/library.mak @@ -34,6 +34,7 @@ $(SUBDIR)x86/%.o: $(SUBDIR)x86/%$(YASMD).asm LIBOBJS := $(OBJS) $(SUBDIR)%.h.o $(TESTOBJS) $(LIBOBJS) $(LIBOBJS:.o=.s) $(LIBOBJS:.o=.i): CPPFLAGS += -DHAVE_AV_CONFIG_H $(TESTOBJS) $(TESTOBJS:.o=.i): CPPFLAGS += -DTEST +$(TESTOBJS) $(TESTOBJS:.o=.i): CFLAGS += -Umain $(SUBDIR)$(LIBNAME): $(OBJS) $(RM) $@ From aebb9410c5465058319ced6678da8d15ee99a75b Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 23 Jun 2015 01:14:16 -0300 Subject: [PATCH 034/380] swscale/x86/rgb2rgb_template: add missing xmm clobbers Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 910eeab48026060b5f7780b2560445c069eb4d6b) --- libswscale/x86/rgb2rgb_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index e71c7ebfe3..fd04923dae 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1905,7 +1905,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui "cmp %3, %%"REG_a" \n\t" " jb 1b \n\t" ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) - : "memory", "%"REG_a"" + : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); #else __asm__( From 7f2ab5e50ff725e8d297b22c78b7fb4bcfc09652 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 23 Jun 2015 01:14:42 -0300 Subject: [PATCH 035/380] swscale/x86/rgb2rgb_template: don't call emms on sse2/avx functions Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 0c15f2f158e11950c2a5c831787ea377b7671bf4) --- libswscale/x86/rgb2rgb_template.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index fd04923dae..a1f7434e35 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1943,7 +1943,9 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui src2 += src2Stride; } __asm__( +#if !COMPILE_TEMPLATE_SSE2 EMMS" \n\t" +#endif SFENCE" \n\t" ::: "memory" ); @@ -1971,7 +1973,9 @@ static void RENAME(deinterleaveBytes)(const uint8_t *src, uint8_t *dst1, uint8_t dst2 += dst2Stride; } __asm__( +#if !COMPILE_TEMPLATE_SSE2 EMMS" \n\t" +#endif SFENCE" \n\t" ::: "memory" ); From 6ff54eb87bd011a97e3b153feba7699455a3365a Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Fri, 26 Jun 2015 14:05:00 +0100 Subject: [PATCH 036/380] configure: Check for x265_api_get Any other x265 symbol may not exported, e.g. if the build is a multilib (10-bit and 8-bit in one) build. This is the only symbol we directly call, and is available in the build number we check for. Fixes the configure check on multilib x265 builds. Signed-off-by: Derek Buitenhuis (cherry picked from commit f4be604f1c4d5cb6480c81c671d646cc16b02017) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 3960b735c1..806e2e9296 100755 --- a/configure +++ b/configure @@ -5157,7 +5157,7 @@ enabled libx264 && { use_pkg_config x264 "stdint.h x264.h" x264_encode warn "using libx264 without pkg-config"; } } && { check_cpp_condition x264.h "X264_BUILD >= 118" || die "ERROR: libx264 must be installed and version must be >= 0.118."; } -enabled libx265 && require_pkg_config x265 x265.h x265_encoder_encode && +enabled libx265 && require_pkg_config x265 x265.h x265_api_get && { check_cpp_condition x265.h "X265_BUILD >= 57" || die "ERROR: libx265 version must be >= 57."; } enabled libxavs && require libxavs xavs.h xavs_encoder_encode -lxavs From a7fa1c9b2b182c6ced9a218fa77196e5e62d378f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2015 05:10:51 +0200 Subject: [PATCH 037/380] ffmpeg_opt: Fix forcing fourccs Fixes Ticket4682 Signed-off-by: Michael Niedermayer (cherry picked from commit 8750aef3d65c0d52946a9b52eba5f5203280b548) --- ffmpeg_opt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 79cb5caa34..3cdabb4905 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -1203,6 +1203,7 @@ static OutputStream *new_output_stream(OptionsContext *o, AVFormatContext *oc, e uint32_t tag = strtol(codec_tag, &next, 0); if (*next) tag = AV_RL32(codec_tag); + ost->st->codec->codec_tag = ost->enc_ctx->codec_tag = tag; } From f921a47fae3e0625372de246cda3bc801b5ce5fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jul 2015 02:43:02 +0200 Subject: [PATCH 038/380] avformat/swfdec: Do not error out on pixel format changes Instead print an error and continue Fixes Ticket4702 Signed-off-by: Michael Niedermayer (cherry picked from commit 6a1204a1a46674084b1e6b92562f81aaab7aac69) --- libavformat/swfdec.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index d34d3d90df..570a4f5439 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -407,10 +407,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) } if (st->codec->pix_fmt != AV_PIX_FMT_NONE && st->codec->pix_fmt != pix_fmt) { av_log(s, AV_LOG_ERROR, "pixel format change unsupported\n"); - res = AVERROR_PATCHWELCOME; - goto bitmap_end; - } - st->codec->pix_fmt = pix_fmt; + }else + st->codec->pix_fmt = pix_fmt; if (linesize * height > pkt->size) { res = AVERROR_INVALIDDATA; From d403242a289aee3a346d536864485230052b7c57 Mon Sep 17 00:00:00 2001 From: Rob Sykes Date: Sun, 21 Jun 2015 19:45:50 +0000 Subject: [PATCH 039/380] swresample: soxr implementation for swr_get_out_samples() Signed-off-by: Michael Niedermayer (cherry picked from commit c70c6be2259759b75c1b1dc7d68a0cf172f2cab8) Signed-off-by: Michael Niedermayer --- libswresample/soxr_resample.c | 34 +++++++++++++++++++++++++---- libswresample/swresample_internal.h | 1 + 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/libswresample/soxr_resample.c b/libswresample/soxr_resample.c index 0f75bc554c..535e9cee07 100644 --- a/libswresample/soxr_resample.c +++ b/libswresample/soxr_resample.c @@ -67,7 +67,17 @@ static void destroy(struct ResampleContext * *c){ } static int flush(struct SwrContext *s){ + s->delayed_samples_fixup = soxr_delay((soxr_t)s->resample); + soxr_process((soxr_t)s->resample, NULL, 0, NULL, NULL, 0, NULL); + + { + float f; + size_t idone, odone; + soxr_process((soxr_t)s->resample, &f, 0, &idone, &f, 0, &odone); + s->delayed_samples_fixup -= soxr_delay((soxr_t)s->resample); + } + return 0; } @@ -87,18 +97,34 @@ static int process( } static int64_t get_delay(struct SwrContext *s, int64_t base){ - double delay_s = soxr_delay((soxr_t)s->resample) / s->out_sample_rate; + double delayed_samples = soxr_delay((soxr_t)s->resample); + double delay_s; + + if (s->flushed) + delayed_samples += s->delayed_samples_fixup; + + delay_s = delayed_samples / s->out_sample_rate; + return (int64_t)(delay_s * base + .5); } static int invert_initial_buffer(struct ResampleContext *c, AudioData *dst, const AudioData *src, - int in_count, int *out_idx, int *out_sz) -{ + int in_count, int *out_idx, int *out_sz){ return 0; } +static int64_t get_out_samples(struct SwrContext *s, int in_samples){ + double out_samples = (double)s->out_sample_rate / s->in_sample_rate * in_samples; + double delayed_samples = soxr_delay((soxr_t)s->resample); + + if (s->flushed) + delayed_samples += s->delayed_samples_fixup; + + return (int64_t)(out_samples + delayed_samples + 1 + .5); +} + struct Resampler const swri_soxr_resampler={ create, destroy, process, flush, NULL /* set_compensation */, get_delay, - invert_initial_buffer, + invert_initial_buffer, get_out_samples }; diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index 7595588f41..6669cbfd70 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -157,6 +157,7 @@ struct SwrContext { int64_t outpts; ///< output PTS int64_t firstpts; ///< first PTS int drop_output; ///< number of output samples to drop + double delayed_samples_fixup; ///< soxr 0.1.1: needed to fixup delayed_samples after flush has been called. struct AudioConvert *in_convert; ///< input conversion context struct AudioConvert *out_convert; ///< output conversion context From e40688ed807f2a5d4346f95c014921815a8be750 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2015 18:27:27 +0200 Subject: [PATCH 040/380] swr: Remember previously set int_sample_format from user Signed-off-by: Michael Niedermayer (cherry picked from commit d4325b2fea9e2f4f4a17d0b929f12425e9c39964) Signed-off-by: Michael Niedermayer --- libswresample/options.c | 4 ++-- libswresample/swresample.c | 2 ++ libswresample/swresample_internal.h | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libswresample/options.c b/libswresample/options.c index de84672834..1bc1a70510 100644 --- a/libswresample/options.c +++ b/libswresample/options.c @@ -49,8 +49,8 @@ static const AVOption options[]={ {"in_sample_fmt" , "set input sample format" , OFFSET( in_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"osf" , "set output sample format" , OFFSET(out_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"out_sample_fmt" , "set output sample format" , OFFSET(out_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"tsf" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"internal_sample_fmt" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, +{"tsf" , "set internal sample format" , OFFSET(user_int_sample_fmt), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, +{"internal_sample_fmt" , "set internal sample format" , OFFSET(user_int_sample_fmt), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"icl" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, {"in_channel_layout" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, {"ocl" , "set output channel layout" , OFFSET(user_out_ch_layout), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, diff --git a/libswresample/swresample.c b/libswresample/swresample.c index ab02bac89a..693a403f90 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -173,6 +173,8 @@ av_cold int swr_init(struct SwrContext *s){ s-> in_ch_layout = s-> user_in_ch_layout; s->out_ch_layout = s->user_out_ch_layout; + s->int_sample_fmt= s->user_int_sample_fmt; + if(av_get_channel_layout_nb_channels(s-> in_ch_layout) > SWR_CH_MAX) { av_log(s, AV_LOG_WARNING, "Input channel layout 0x%"PRIx64" is invalid or unsupported.\n", s-> in_ch_layout); s->in_ch_layout = 0; diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index 6669cbfd70..e36faf117d 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -119,6 +119,7 @@ struct SwrContext { int user_used_ch_count; ///< User set used channel count int64_t user_in_ch_layout; ///< User set input channel layout int64_t user_out_ch_layout; ///< User set output channel layout + enum AVSampleFormat user_int_sample_fmt; ///< User set internal sample format struct DitherContext dither; From 12aa4220dd1fa75590a64520b82f2db2ea080c3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2015 22:23:22 +0200 Subject: [PATCH 041/380] swscale/rgb2rgb_template: Disable shuffle_bytes_2103_c on big endian The function is specific to little endian Signed-off-by: Michael Niedermayer (cherry picked from commit 4df3cf90bf7a54793e90304bd1b6c7599673f36a) Signed-off-by: Michael Niedermayer --- libswscale/rgb2rgb_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index f9a98a8701..70294aec97 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -929,7 +929,9 @@ static av_cold void rgb2rgb_init_c(void) rgb24to15 = rgb24to15_c; rgb24to16 = rgb24to16_c; rgb24tobgr24 = rgb24tobgr24_c; +#if !HAVE_BIGENDIAN shuffle_bytes_2103 = shuffle_bytes_2103_c; +#endif rgb32tobgr16 = rgb32tobgr16_c; rgb32tobgr15 = rgb32tobgr15_c; yv12toyuy2 = yv12toyuy2_c; From 2af2c7ecff2c5c5f2bc696149f9584c814d23f73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2015 04:36:02 +0200 Subject: [PATCH 042/380] swscale/rgb2rgb_template: Implement shuffle_bytes_0321_c and fix shuffle_bytes_2103_c on BE Signed-off-by: Michael Niedermayer (cherry picked from commit abb833c5681b84d7025c083e2191140eaa30dca7) Signed-off-by: Michael Niedermayer --- libswscale/rgb2rgb.c | 2 +- libswscale/rgb2rgb.h | 2 +- libswscale/rgb2rgb_template.c | 20 +++++++++++++++++++- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/libswscale/rgb2rgb.c b/libswscale/rgb2rgb.c index 5b1fcf73ca..340174fd65 100644 --- a/libswscale/rgb2rgb.c +++ b/libswscale/rgb2rgb.c @@ -51,6 +51,7 @@ void (*rgb16to15)(const uint8_t *src, uint8_t *dst, int src_size); void (*rgb15to16)(const uint8_t *src, uint8_t *dst, int src_size); void (*rgb15to32)(const uint8_t *src, uint8_t *dst, int src_size); +void (*shuffle_bytes_0321)(const uint8_t *src, uint8_t *dst, int src_size); void (*shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, int src_size); void (*yv12toyuy2)(const uint8_t *ysrc, const uint8_t *usrc, @@ -333,7 +334,6 @@ void shuffle_bytes_ ## a ## b ## c ## d(const uint8_t *src, \ } \ } -DEFINE_SHUFFLE_BYTES(0, 3, 2, 1) DEFINE_SHUFFLE_BYTES(1, 2, 3, 0) DEFINE_SHUFFLE_BYTES(3, 0, 1, 2) DEFINE_SHUFFLE_BYTES(3, 2, 1, 0) diff --git a/libswscale/rgb2rgb.h b/libswscale/rgb2rgb.h index 5df5dea420..8faebe6a43 100644 --- a/libswscale/rgb2rgb.h +++ b/libswscale/rgb2rgb.h @@ -50,6 +50,7 @@ extern void (*rgb24to15)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*rgb32tobgr16)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*rgb32tobgr15)(const uint8_t *src, uint8_t *dst, int src_size); +extern void (*shuffle_bytes_0321)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, int src_size); void rgb64tobgr48_nobswap(const uint8_t *src, uint8_t *dst, int src_size); @@ -71,7 +72,6 @@ void rgb15tobgr15(const uint8_t *src, uint8_t *dst, int src_size); void rgb12tobgr12(const uint8_t *src, uint8_t *dst, int src_size); void rgb12to15(const uint8_t *src, uint8_t *dst, int src_size); -void shuffle_bytes_0321(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_1230(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_3012(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_3210(const uint8_t *src, uint8_t *dst, int src_size); diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index 70294aec97..5b446debfa 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -328,6 +328,20 @@ static inline void shuffle_bytes_2103_c(const uint8_t *src, uint8_t *dst, } } +static inline void shuffle_bytes_0321_c(const uint8_t *src, uint8_t *dst, + int src_size) +{ + int idx = 15 - src_size; + const uint8_t *s = src - idx; + uint8_t *d = dst - idx; + + for (; idx < 15; idx += 4) { + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0x00ff00ff; + v &= 0xff00ff00; + *(uint32_t *)&d[idx] = (v >> 16) + g + (v << 16); + } +} + static inline void rgb24tobgr24_c(const uint8_t *src, uint8_t *dst, int src_size) { unsigned i; @@ -929,7 +943,11 @@ static av_cold void rgb2rgb_init_c(void) rgb24to15 = rgb24to15_c; rgb24to16 = rgb24to16_c; rgb24tobgr24 = rgb24tobgr24_c; -#if !HAVE_BIGENDIAN +#if HAVE_BIGENDIAN + shuffle_bytes_0321 = shuffle_bytes_2103_c; + shuffle_bytes_2103 = shuffle_bytes_0321_c; +#else + shuffle_bytes_0321 = shuffle_bytes_0321_c; shuffle_bytes_2103 = shuffle_bytes_2103_c; #endif rgb32tobgr16 = rgb32tobgr16_c; From f5c880cecb191026aada81feab5afe2332ec1725 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2015 05:09:11 +0200 Subject: [PATCH 043/380] swscale/rgb2rgb_template: Fix signedness of v in shuffle_bytes_2103_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 7604358018229f345dfdf88b16c8930a67984435) Signed-off-by: Michael Niedermayer --- libswscale/rgb2rgb_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index 5b446debfa..1cc28cdd13 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -322,7 +322,7 @@ static inline void shuffle_bytes_2103_c(const uint8_t *src, uint8_t *dst, uint8_t *d = dst - idx; for (; idx < 15; idx += 4) { - register int v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; v &= 0xff00ff; *(uint32_t *)&d[idx] = (v >> 16) + g + (v << 16); } From ce3a8c983f6e31ab685db1ab245d8a00a0d63b68 Mon Sep 17 00:00:00 2001 From: Sebastien Zwickert Date: Sat, 20 Jun 2015 13:19:29 +0200 Subject: [PATCH 044/380] vda: unlock the pixel buffer base address. The pixel buffer base address is never unlocked this causes a bug with some pixel format types that are produced natively by the hardware decoder: the first buffer was always used. Unlock the pixel buffer base address fixes the issue. (cherry picked from commit c06fdacc3dc706e70d953917fea845532d3703ca) Signed-off-by: Michael Niedermayer --- ffmpeg_vda.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg_vda.c b/ffmpeg_vda.c index d15648dd8e..6fe4ed45ea 100644 --- a/ffmpeg_vda.c +++ b/ffmpeg_vda.c @@ -77,6 +77,8 @@ static int vda_retrieve_data(AVCodecContext *s, AVFrame *frame) frame->width, frame->height); ret = av_frame_copy_props(vda->tmp_frame, frame); + CVPixelBufferUnlockBaseAddress(pixbuf, kCVPixelBufferLock_ReadOnly); + if (ret < 0) return ret; From 3f06023bd248248f59914ee4af429d438a39a035 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 23 Jun 2015 01:15:07 -0300 Subject: [PATCH 045/380] swscale/x86/rgb2rgb_template: fix signedness of v in shuffle_bytes_2103_{mmx,mmxext} Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit e22edbfd413242dda720dc5191fc00a51c24d74c) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index a1f7434e35..e97ba4fe82 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1090,7 +1090,7 @@ static inline void RENAME(shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, : "r" (s), "r" (d), "m" (mask32b), "m" (mask32r), "m" (mmx_one) : "memory"); for (; idx<15; idx+=4) { - register int v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; v &= 0xff00ff; *(uint32_t *)&d[idx] = (v>>16) + g + (v<<16); } From 483a02e25f7babffb1658f6e13f1553d5f8d5370 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jun 2015 13:27:39 +0200 Subject: [PATCH 046/380] ffmpeg: Do not use the data/size of a bitstream filter after failure Found-by: Rodger Combs Signed-off-by: Michael Niedermayer (cherry picked from commit 8f0f678f090d9939b0014ba85641e2cb83d39cb8) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ffmpeg.c b/ffmpeg.c index f5029987ad..1cf4487592 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -650,6 +650,7 @@ static void write_frame(AVFormatContext *s, AVPacket *pkt, OutputStream *ost) if (!new_pkt.buf) exit_program(1); } else if (a < 0) { + new_pkt = *pkt; av_log(NULL, AV_LOG_ERROR, "Failed to open bitstream filter %s for stream %d with codec %s", bsfc->filter->name, pkt->stream_index, avctx->codec ? avctx->codec->name : "copy"); From d1f8eaf3d2b0b845b7b50e3a82267e2acd7ada02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2015 13:51:43 +0200 Subject: [PATCH 047/380] swscale/swscale_unscaled: Fix rounding difference with RGBA output between little and big endian Fixes fate/dds-rgb16 on big endian Signed-off-by: Michael Niedermayer (cherry picked from commit f6ab967eae497733f6adc12b30075980fd6eea98) Conflicts: tests/ref/fate/dds-rgb16 --- libswscale/swscale_unscaled.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index b426fa188b..1dc42c81e1 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -1243,6 +1243,11 @@ static rgbConvFn findRgbConvFn(SwsContext *c) if ((dstFormat == AV_PIX_FMT_RGB32_1 || dstFormat == AV_PIX_FMT_BGR32_1) && !isRGBA32(srcFormat) && ALT32_CORR<0) return NULL; + // Maintain symmetry between endianness + if (c->flags & SWS_BITEXACT) + if ((dstFormat == AV_PIX_FMT_RGB32 || dstFormat == AV_PIX_FMT_BGR32 ) && !isRGBA32(srcFormat) && ALT32_CORR>0) + return NULL; + return conv; } From 254fabe758a476587cefe96c49dbd8c8c3d575ac Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 28 Jun 2015 12:40:12 +0200 Subject: [PATCH 048/380] wmavoice: limit wmavoice_decode_packet return value to packet size Claiming to have decoded more bytes than the packet size is wrong. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index ae88d4ec80..fff1aa87ae 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1982,7 +1982,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, *got_frame_ptr) { cnt += s->spillover_nbits; s->skip_bits_next = cnt & 7; - return cnt >> 3; + res = cnt >> 3; + if (res > avpkt->size) { + av_log(ctx, AV_LOG_ERROR, + "Trying to skip %d bytes in packet of size %d\n", + res, avpkt->size); + return AVERROR_INVALIDDATA; + } + return res; } else skip_bits_long (gb, s->spillover_nbits - cnt + get_bits_count(gb)); // resync @@ -2001,7 +2008,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, } else if (*got_frame_ptr) { int cnt = get_bits_count(gb); s->skip_bits_next = cnt & 7; - return cnt >> 3; + res = cnt >> 3; + if (res > avpkt->size) { + av_log(ctx, AV_LOG_ERROR, + "Trying to skip %d bytes in packet of size %d\n", + res, avpkt->size); + return AVERROR_INVALIDDATA; + } + return res; } else if ((s->sframe_cache_size = pos) > 0) { /* rewind bit reader to start of last (incomplete) superframe... */ init_get_bits(gb, avpkt->data, size << 3); From e84d17c7c991f380622f6d2f25994dc6955d853c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2015 21:08:05 +0200 Subject: [PATCH 049/380] avcodec/pngdec: Only allow one IHDR chunk Multiple IHDR chunks are forbidden in PNG Fixes inconsistency and out of array accesses Fixes: asan_heap-oob_4d5c5a_1738_cov_2638287726_c-m2-8f2b481b7fd9bd745e620b7c01a18df2.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 47f4e2d8960ca756ca153ab8e3e93d80449b8c91) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index ceda383209..f8b398ffde 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -542,6 +542,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } + if (s->state & PNG_IHDR) { + av_log(avctx, AV_LOG_ERROR, "Multiple IHDR\n"); + return AVERROR_INVALIDDATA; + } + s->width = bytestream2_get_be32(&s->gb); s->height = bytestream2_get_be32(&s->gb); if (av_image_check_size(s->width, s->height, 0, avctx)) { From be54d1f1043e9e4fc58bb7889c9cf85b52de5396 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2015 21:57:12 +0200 Subject: [PATCH 050/380] avcodec/pngdec: Require a IHDR chunk before fctl This is required by the APNG spec Signed-off-by: Michael Niedermayer (cherry picked from commit a1736926e9ae51706b537776722e816a4d1f6b36) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index f8b398ffde..85bc447a81 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -824,6 +824,11 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, if (length != 26) return AVERROR_INVALIDDATA; + if (!(s->state & PNG_IHDR)) { + av_log(avctx, AV_LOG_ERROR, "fctl before IHDR\n"); + return AVERROR_INVALIDDATA; + } + s->last_w = s->cur_w; s->last_h = s->cur_h; s->last_x_offset = s->x_offset; From cccb06b09573a708a9ce03471db07af8dd47e712 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2015 21:59:41 +0200 Subject: [PATCH 051/380] avcodec/pngdec: Copy IHDR & plte state from last thread Previously these chunks where parsed again for each frame with threads but not without leading to a different path and the potential for inconsistencies This also removes a related special case from decode_ihdr_chunk() Signed-off-by: Michael Niedermayer (cherry picked from commit f1ffa01dd3dad983481bf05ec47246e7ec0c8932) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 85bc447a81..615aad394e 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -547,18 +547,13 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } - s->width = bytestream2_get_be32(&s->gb); - s->height = bytestream2_get_be32(&s->gb); + s->width = s->cur_w = bytestream2_get_be32(&s->gb); + s->height = s->cur_h = bytestream2_get_be32(&s->gb); if (av_image_check_size(s->width, s->height, 0, avctx)) { - s->width = s->height = 0; + s->cur_w = s->cur_h = s->width = s->height = 0; av_log(avctx, AV_LOG_ERROR, "Invalid image size\n"); return AVERROR_INVALIDDATA; } - if (s->cur_w == 0 && s->cur_h == 0) { - // Only set cur_w/h if update_thread_context() has not set it - s->cur_w = s->width; - s->cur_h = s->height; - } s->bit_depth = bytestream2_get_byte(&s->gb); s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); @@ -1269,12 +1264,24 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) (ret = ff_thread_ref_frame(&pdst->picture, &psrc->picture)) < 0) return ret; if (CONFIG_APNG_DECODER && dst->codec_id == AV_CODEC_ID_APNG) { + pdst->width = psrc->width; + pdst->height = psrc->height; + pdst->bit_depth = psrc->bit_depth; + pdst->color_type = psrc->color_type; + pdst->compression_type = psrc->compression_type; + pdst->interlace_type = psrc->interlace_type; + pdst->filter_type = psrc->filter_type; pdst->cur_w = psrc->cur_w; pdst->cur_h = psrc->cur_h; pdst->x_offset = psrc->x_offset; pdst->y_offset = psrc->y_offset; + pdst->dispose_op = psrc->dispose_op; + memcpy(pdst->palette, psrc->palette, sizeof(pdst->palette)); + + pdst->state |= psrc->state & (PNG_IHDR | PNG_PLTE); + ff_thread_release_buffer(dst, &pdst->last_picture); if (psrc->last_picture.f->data[0]) return ff_thread_ref_frame(&pdst->last_picture, &psrc->last_picture); From f775a92054a4aebbc4acc33795cb9203805e816a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2015 22:32:02 +0200 Subject: [PATCH 052/380] avcodec/pngdec: Check values before updating context in decode_fctl_chunk() Signed-off-by: Michael Niedermayer (cherry picked from commit b54ac8403bfea4e7fab0799ccfe728ba76959a38) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 615aad394e..60c49758f1 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -815,6 +815,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, uint32_t length) { uint32_t sequence_number; + int cur_w, cur_h, x_offset, y_offset, dispose_op, blend_op; if (length != 26) return AVERROR_INVALIDDATA; @@ -831,23 +832,23 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, s->last_dispose_op = s->dispose_op; sequence_number = bytestream2_get_be32(&s->gb); - s->cur_w = bytestream2_get_be32(&s->gb); - s->cur_h = bytestream2_get_be32(&s->gb); - s->x_offset = bytestream2_get_be32(&s->gb); - s->y_offset = bytestream2_get_be32(&s->gb); + cur_w = bytestream2_get_be32(&s->gb); + cur_h = bytestream2_get_be32(&s->gb); + x_offset = bytestream2_get_be32(&s->gb); + y_offset = bytestream2_get_be32(&s->gb); bytestream2_skip(&s->gb, 4); /* delay_num (2), delay_den (2) */ - s->dispose_op = bytestream2_get_byte(&s->gb); - s->blend_op = bytestream2_get_byte(&s->gb); + dispose_op = bytestream2_get_byte(&s->gb); + blend_op = bytestream2_get_byte(&s->gb); bytestream2_skip(&s->gb, 4); /* crc */ if (sequence_number == 0 && - (s->cur_w != s->width || - s->cur_h != s->height || - s->x_offset != 0 || - s->y_offset != 0) || - s->cur_w <= 0 || s->cur_h <= 0 || - s->x_offset < 0 || s->y_offset < 0 || - s->cur_w > s->width - s->x_offset|| s->cur_h > s->height - s->y_offset) + (cur_w != s->width || + cur_h != s->height || + x_offset != 0 || + y_offset != 0) || + cur_w <= 0 || cur_h <= 0 || + x_offset < 0 || y_offset < 0 || + cur_w > s->width - x_offset|| cur_h > s->height - y_offset) return AVERROR_INVALIDDATA; if (sequence_number == 0 && s->dispose_op == APNG_DISPOSE_OP_PREVIOUS) { @@ -868,6 +869,13 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, s->dispose_op = APNG_BLEND_OP_SOURCE; } + s->cur_w = cur_w; + s->cur_h = cur_h; + s->x_offset = x_offset; + s->y_offset = y_offset; + s->dispose_op = dispose_op; + s->blend_op = blend_op; + return 0; } From a9c3b588af747521a88c57f528df9c740e4b1c6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2015 01:19:30 +0200 Subject: [PATCH 053/380] avcodec/mjpegdec: Fix small picture upscale Fixes out of array access Fixes: asan_heap-oob_1dd60fd_267_cov_2954683513_5baad44ca4702949724234e35c5bb341.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 84afc6b70d24fc0bf686e43138c96cf60a9445fe) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 1ce332833d..2c18a4964a 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2192,11 +2192,13 @@ the_end: } } else if (s->upscale_h[p] == 2) { if (is16bit) { - ((uint16_t*)line)[w - 1] = - ((uint16_t*)line)[w - 2] = ((uint16_t*)line)[(w - 1) / 3]; + ((uint16_t*)line)[w - 1] = ((uint16_t*)line)[(w - 1) / 3]; + if (w > 1) + ((uint16_t*)line)[w - 2] = ((uint16_t*)line)[w - 1]; } else { - line[w - 1] = - line[w - 2] = line[(w - 1) / 3]; + line[w - 1] = line[(w - 1) / 3]; + if (w > 1) + line[w - 2] = line[w - 1]; } for (index = w - 3; index > 0; index--) { line[index] = (line[index / 3] + line[(index + 1) / 3] + line[(index + 2) / 3] + 1) / 3; From 0afb004d3cc42fa520735436a375fdf8c7af66cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2015 03:23:30 +0200 Subject: [PATCH 054/380] avcodec/h264_refs: discard mismatching references Fixes inconsistency and out of array access Fixes: asan_heap-oob_17301a3_2100_cov_3226131691_ff_add_pixels_clamped_mmx.m2ts Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4aa0de644a2de62f0bc3013a4533ab9283aa0a65) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 379fb26a1a..548a3ba8df 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -125,6 +125,7 @@ static int add_sorted(H264Picture **sorted, H264Picture **src, int len, int limi int ff_h264_fill_default_ref_list(H264Context *h, H264SliceContext *sl) { int i, len; + int j; if (sl->slice_type_nos == AV_PICTURE_TYPE_B) { H264Picture *sorted[32]; @@ -188,6 +189,21 @@ int ff_h264_fill_default_ref_list(H264Context *h, H264SliceContext *sl) } } #endif + + for (j = 0; j<1+(sl->slice_type_nos == AV_PICTURE_TYPE_B); j++) { + for (i = 0; i < sl->ref_count[j]; i++) { + if (h->default_ref_list[j][i].parent) { + AVFrame *f = h->default_ref_list[j][i].parent->f; + if (h->cur_pic_ptr->f->width != f->width || + h->cur_pic_ptr->f->height != f->height || + h->cur_pic_ptr->f->format != f->format) { + av_log(h->avctx, AV_LOG_ERROR, "Discarding mismatching reference\n"); + memset(&h->default_ref_list[j][i], 0, sizeof(h->default_ref_list[j][i])); + } + } + } + } + return 0; } From 51782e86903c49a172c8b5c7e494b72e6c8a8aa4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2015 16:01:15 +0200 Subject: [PATCH 055/380] avfilter/vf_transpose: Fix rounding error Fixes out of array access Fixes: asan_heap-oob_7f875d_3482_cov_1818465256_ssudec.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0083c16605aa5997534e87e68f97ef85a8c3b7b8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_transpose.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index 911329caac..e4de31b042 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -151,7 +151,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int hsub = plane == 1 || plane == 2 ? trans->hsub : 0; int vsub = plane == 1 || plane == 2 ? trans->vsub : 0; int pixstep = trans->pixsteps[plane]; - int inh = in->height >> vsub; + int inh = FF_CEIL_RSHIFT(in->height, vsub); int outw = FF_CEIL_RSHIFT(out->width, hsub); int outh = FF_CEIL_RSHIFT(out->height, vsub); int start = (outh * jobnr ) / nb_jobs; From 662714abbe40249b09c9ef28c6111e8ceb00de58 Mon Sep 17 00:00:00 2001 From: James Zern Date: Mon, 29 Jun 2015 23:03:14 -0700 Subject: [PATCH 056/380] vp9/update_prob: prevent out of bounds table read the max value of the lookup in expanded form is: (((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254 add one entry of padding to inv_map_table[] to prevent out of bounds access with non-conforming / fuzzed bitstreams Signed-off-by: James Zern Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit e91f860ea74e11e9178500fe8794c47f57dbf48c) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 9d9326c247..a7954c3fb4 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -425,7 +425,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m) // differential forward probability updates static int update_prob(VP56RangeCoder *c, int p) { - static const int inv_map_table[254] = { + static const int inv_map_table[255] = { 7, 20, 33, 46, 59, 72, 85, 98, 111, 124, 137, 150, 163, 176, 189, 202, 215, 228, 241, 254, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 22, 23, 24, @@ -444,7 +444,7 @@ static int update_prob(VP56RangeCoder *c, int p) 207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, - 252, 253, + 252, 253, 253, }; int d; @@ -474,6 +474,7 @@ static int update_prob(VP56RangeCoder *c, int p) if (d >= 65) d = (d << 1) - 65 + vp8_rac_get(c); d += 64; + av_assert2(d < FF_ARRAY_ELEMS(inv_map_table)); } return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) : From 65aac419e53a7f6ed6df1e6bebfc31c6aff3321a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2015 19:37:12 +0200 Subject: [PATCH 057/380] avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h Fixes out of array access Fixes: asan_heap-oob_4d5bb0_682_cov_3124593265_Fraunhofer__a_driving_force_in_innovation__small.mp4 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 330863c9f19a23c500ba7901a23f1cc377b353bb) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 0712f2d73a..968e3ecb83 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1558,8 +1558,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) (const uint8_t **)prev->f->data, prev->f->linesize, prev->f->format, - h->mb_width * 16, - h->mb_height * 16); + prev->f->width, + prev->f->height); h->short_ref[0]->poc = prev->poc + 2; } h->short_ref[0]->frame_num = h->prev_frame_num; From e740506d31e793801c520e4a6283438d88279e75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2015 02:05:43 +0200 Subject: [PATCH 058/380] avcodec/aacsbr: check that the element type matches before applying SBR Fixes out of array access Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79a98294da6cd85f8c86b34764c5e0c43b09eea3) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 8 ++++++++ libavcodec/sbr.h | 1 + 2 files changed, 9 insertions(+) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 7e98834c49..ca6dad7c00 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1019,6 +1019,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr, { unsigned int cnt = get_bits_count(gb); + sbr->id_aac = id_aac; + if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) { if (read_sbr_single_channel_element(ac, sbr, gb)) { sbr_turnoff(sbr); @@ -1695,6 +1697,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac, int nch = (id_aac == TYPE_CPE) ? 2 : 1; int err; + if (id_aac != sbr->id_aac) { + av_log(ac->avctx, AV_LOG_ERROR, + "element type mismatch %d != %d\n", id_aac, sbr->id_aac); + sbr_turnoff(sbr); + } + if (!sbr->kx_and_m_pushed) { sbr->kx[0] = sbr->kx[1]; sbr->m[0] = sbr->m[1]; diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h index e28fccda09..ff00acba0d 100644 --- a/libavcodec/sbr.h +++ b/libavcodec/sbr.h @@ -137,6 +137,7 @@ typedef struct AACSBRContext { struct SpectralBandReplication { int sample_rate; int start; + int id_aac; int reset; SpectrumParameters spectrum_params; int bs_amp_res_header; From bbcf6f5c6200c3458dc344c4ba4abac316c322b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2015 02:08:25 +0200 Subject: [PATCH 059/380] avcodec/aacsbr: Assert that bs_num_env is positive Signed-off-by: Michael Niedermayer (cherry picked from commit 2e13a45b1a9a69456631e582bbb06954d169eb55) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index ca6dad7c00..a39b78de18 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1726,6 +1726,7 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac, sbr->c.sbr_hf_inverse_filter(&sbr->dsp, sbr->alpha0, sbr->alpha1, (const float (*)[40][2]) sbr->X_low, sbr->k[0]); sbr_chirp(sbr, &sbr->data[ch]); + av_assert0(sbr->data[ch].bs_num_env > 0); sbr_hf_gen(ac, sbr, sbr->X_high, (const float (*)[40][2]) sbr->X_low, (const float (*)[2]) sbr->alpha0, From ac91bfe086535cfdba443abf3c9cfedf4fd8cb36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Jul 2015 20:00:15 +0200 Subject: [PATCH 060/380] avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2() the later is not optimal when the buffer size is well known at allocation time This avoids a memcpy() Overall 2.5% speedup with a random 1920x1080 video Signed-off-by: Michael Niedermayer (cherry picked from commit 47496eb97cff8130991313d1b7292613620d8592) Signed-off-by: Michael Niedermayer --- libavcodec/rawenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawenc.c b/libavcodec/rawenc.c index d7923931bb..71c1de5b0e 100644 --- a/libavcodec/rawenc.c +++ b/libavcodec/rawenc.c @@ -54,7 +54,7 @@ static int raw_encode(AVCodecContext *avctx, AVPacket *pkt, if (ret < 0) return ret; - if ((ret = ff_alloc_packet2(avctx, pkt, ret)) < 0) + if ((ret = ff_alloc_packet(pkt, ret)) < 0) return ret; if ((ret = avpicture_layout((const AVPicture *)frame, avctx->pix_fmt, avctx->width, avctx->height, pkt->data, pkt->size)) < 0) From 151554e1eb86404fd973dbcf888c50d2d5a51ff5 Mon Sep 17 00:00:00 2001 From: Chris Watkins Date: Tue, 7 Jul 2015 10:40:27 -0700 Subject: [PATCH 061/380] Put a space between string literals and macros. When compiling libavutil/internal.h as C++11, clang warns that a space is required between a string literal and an identifier. Put spaces in concatenations of string literals and EXTERN_PREFIX. Signed-off-by: Chris Watkins Signed-off-by: Michael Niedermayer (cherry picked from commit 55e29ceec84aa498122576c1ae8a0fa1fab0b41e) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/internal.h b/libavutil/internal.h index 8817ec3b0e..859b91971e 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -238,8 +238,8 @@ void avpriv_request_sample(void *avc, #if HAVE_LIBC_MSVCRT #include #if defined(_VC_CRT_MAJOR_VERSION) && _VC_CRT_MAJOR_VERSION < 14 -#pragma comment(linker, "/include:"EXTERN_PREFIX"avpriv_strtod") -#pragma comment(linker, "/include:"EXTERN_PREFIX"avpriv_snprintf") +#pragma comment(linker, "/include:" EXTERN_PREFIX "avpriv_strtod") +#pragma comment(linker, "/include:" EXTERN_PREFIX "avpriv_snprintf") #endif #define avpriv_open ff_open From 1ec0541ae05b40f7dfdba76fd3fce4c84d3eac31 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 3 Jul 2015 00:01:56 +0200 Subject: [PATCH 062/380] wmalosslessdec: avoid reading 0 bits with get_bits Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f9020d514e9ed5043496a710b36daba1ab182e97) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 843ce90b3a..8094db3b2a 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -488,7 +488,7 @@ static int decode_cdlms(WmallDecodeCtx *s) if ((1 << cbits) < s->cdlms[c][i].scaling + 1) cbits++; - s->cdlms[c][i].bitsend = get_bits(&s->gb, cbits) + 2; + s->cdlms[c][i].bitsend = (cbits ? get_bits(&s->gb, cbits) : 0) + 2; shift_l = 32 - s->cdlms[c][i].bitsend; shift_r = 32 - s->cdlms[c][i].scaling - 2; for (j = 0; j < s->cdlms[c][i].coefsend; j++) From c001472226c723615fac45cc3228874d9b9679fb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 3 Jul 2015 00:02:44 +0200 Subject: [PATCH 063/380] wmalosslessdec: reset frame->nb_samples on packet loss Otherwise a frame with non-zero nb_samples but without any data can be returned. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 42e7a5b3c704985c2c18970cc94a837b413df9d9) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 8094db3b2a..0c85c83996 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1005,6 +1005,7 @@ static int decode_frame(WmallDecodeCtx *s) if ((ret = ff_get_buffer(s->avctx, s->frame, 0)) < 0) { /* return an error if no frame could be decoded at all */ s->packet_loss = 1; + s->frame->nb_samples = 0; return ret; } for (i = 0; i < s->num_channels; i++) { From 2a6f2cd8486fb5fbe4f1d2fa97c272bd4a7b34fb Mon Sep 17 00:00:00 2001 From: Chris Watkins Date: Tue, 7 Jul 2015 10:23:44 -0700 Subject: [PATCH 064/380] oggparsedirac: check return value of init_get_bits If init_get_bits fails the GetBitContext is invalid and must not be used. Check the return value in dirac_header and propogate the error. Signed-off-by: Michael Niedermayer (cherry picked from commit 4f5c2e651a95b950f6a3fb36f2342cbc32515f17) Signed-off-by: Michael Niedermayer --- libavformat/oggparsedirac.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavformat/oggparsedirac.c b/libavformat/oggparsedirac.c index 10fb07e92d..ab40f96c63 100644 --- a/libavformat/oggparsedirac.c +++ b/libavformat/oggparsedirac.c @@ -31,14 +31,19 @@ static int dirac_header(AVFormatContext *s, int idx) AVStream *st = s->streams[idx]; dirac_source_params source; GetBitContext gb; + int ret; // already parsed the header if (st->codec->codec_id == AV_CODEC_ID_DIRAC) return 0; - init_get_bits(&gb, os->buf + os->pstart + 13, (os->psize - 13) * 8); - if (avpriv_dirac_parse_sequence_header(st->codec, &gb, &source) < 0) - return -1; + ret = init_get_bits8(&gb, os->buf + os->pstart + 13, (os->psize - 13)); + if (ret < 0) + return ret; + + ret = avpriv_dirac_parse_sequence_header(st->codec, &gb, &source); + if (ret < 0) + return ret; st->codec->codec_type = AVMEDIA_TYPE_VIDEO; st->codec->codec_id = AV_CODEC_ID_DIRAC; From 88fa3243ddf320ce1d6691c6098e87263bd6d0ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jul 2015 22:16:15 +0200 Subject: [PATCH 065/380] avcodec/mpegvideo: Clear pointers in ff_mpv_common_init() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This ensures that no stale pointers leak through on any path Fixes: signal_sigsegv_c3097a_991_xtrem_e2_m64q15_a32sxx.3gp Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b160fc290cf49b516c5b6ee0730fd9da7fc623b1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 82 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 78 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 03d6815d5b..06188a03c0 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1227,6 +1227,82 @@ fail: return AVERROR(ENOMEM); } +static void clear_context(MpegEncContext *s) +{ + int i, j, k; + + memset(&s->next_picture, 0, sizeof(s->next_picture)); + memset(&s->last_picture, 0, sizeof(s->last_picture)); + memset(&s->current_picture, 0, sizeof(s->current_picture)); + memset(&s->new_picture, 0, sizeof(s->new_picture)); + + memset(s->thread_context, 0, sizeof(s->thread_context)); + + s->me.map = NULL; + s->me.score_map = NULL; + s->dct_error_sum = NULL; + s->block = NULL; + s->blocks = NULL; + memset(s->pblocks, 0, sizeof(s->pblocks)); + s->ac_val_base = NULL; + s->ac_val[0] = + s->ac_val[1] = + s->ac_val[2] =NULL; + s->sc.edge_emu_buffer = NULL; + s->me.scratchpad = NULL; + s->me.temp = + s->sc.rd_scratchpad = + s->sc.b_scratchpad = + s->sc.obmc_scratchpad = NULL; + + s->parse_context.buffer = NULL; + s->parse_context.buffer_size = 0; + s->bitstream_buffer = NULL; + s->allocated_bitstream_buffer_size = 0; + s->picture = NULL; + s->mb_type = NULL; + s->p_mv_table_base = NULL; + s->b_forw_mv_table_base = NULL; + s->b_back_mv_table_base = NULL; + s->b_bidir_forw_mv_table_base = NULL; + s->b_bidir_back_mv_table_base = NULL; + s->b_direct_mv_table_base = NULL; + s->p_mv_table = NULL; + s->b_forw_mv_table = NULL; + s->b_back_mv_table = NULL; + s->b_bidir_forw_mv_table = NULL; + s->b_bidir_back_mv_table = NULL; + s->b_direct_mv_table = NULL; + for (i = 0; i < 2; i++) { + for (j = 0; j < 2; j++) { + for (k = 0; k < 2; k++) { + s->b_field_mv_table_base[i][j][k] = NULL; + s->b_field_mv_table[i][j][k] = NULL; + } + s->b_field_select_table[i][j] = NULL; + s->p_field_mv_table_base[i][j] = NULL; + s->p_field_mv_table[i][j] = NULL; + } + s->p_field_select_table[i] = NULL; + } + + s->dc_val_base = NULL; + s->coded_block_base = NULL; + s->mbintra_table = NULL; + s->cbp_table = NULL; + s->pred_dir_table = NULL; + + s->mbskip_table = NULL; + + s->er.error_status_table = NULL; + s->er.er_temp_buffer = NULL; + s->mb_index2xy = NULL; + s->lambda_table = NULL; + + s->cplx_tab = NULL; + s->bits_tab = NULL; +} + /** * init common structure for both encoder and decoder. * this assumes that some variables like width/height are already set @@ -1238,6 +1314,8 @@ av_cold int ff_mpv_common_init(MpegEncContext *s) s->avctx->active_thread_type & FF_THREAD_SLICE) ? s->avctx->thread_count : 1; + clear_context(s); + if (s->encoding && s->avctx->slices) nb_slices = s->avctx->slices; @@ -1282,10 +1360,6 @@ av_cold int ff_mpv_common_init(MpegEncContext *s) if (!s->picture[i].f) goto fail; } - memset(&s->next_picture, 0, sizeof(s->next_picture)); - memset(&s->last_picture, 0, sizeof(s->last_picture)); - memset(&s->current_picture, 0, sizeof(s->current_picture)); - memset(&s->new_picture, 0, sizeof(s->new_picture)); s->next_picture.f = av_frame_alloc(); if (!s->next_picture.f) goto fail; From 0df814cf97310903eecd6b44c0f828c7da52905a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jul 2015 02:01:17 +0200 Subject: [PATCH 066/380] avcodec/utils: use a minimum 32pixel width in avcodec_align_dimensions2() for H.264 Fixes Assertion failure Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 7ef6656b1e5bfbc7499013d3b38b093b6b2f31ec) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 558afebc2f..6596aeae2b 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -428,10 +428,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); - if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) + if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) { // some of the optimized chroma MC reads one line too much // which is also done in mpeg decoders with lowres > 0 *height += 2; + *width = FFMAX(*width, 32); + } for (i = 0; i < 4; i++) linesize_align[i] = STRIDE_ALIGN; From 7db809a373f0fb066eea20883d1ba3b35fcbfe70 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 10 Jul 2015 09:31:24 +0200 Subject: [PATCH 067/380] bytestream2: set the reader to the end when reading more than available This prevents possible infinite loops with the calling code along the lines of while (bytestream2_get_bytes_left()) { ... }, where the reader does not advance. CC: libav-stable@libav.org (cherry picked from commit 86eee85daddb682fa072c2e2657c90a514b855e3) Signed-off-by: Michael Niedermayer --- libavcodec/bytestream.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index c2cb601806..7c05ea6cf5 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -71,8 +71,10 @@ static av_always_inline type bytestream2_get_ ## name ## u(GetByteContext *g) \ } \ static av_always_inline type bytestream2_get_ ## name(GetByteContext *g) \ { \ - if (g->buffer_end - g->buffer < bytes) \ + if (g->buffer_end - g->buffer < bytes) { \ + g->buffer = g->buffer_end; \ return 0; \ + } \ return bytestream2_get_ ## name ## u(g); \ } \ static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g) \ From 264eb0074f3b0591c9430b20927d6547c8757c48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jul 2015 15:46:10 +0200 Subject: [PATCH 068/380] avcodec/alac: Clear pointers in allocate_buffers() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 06a4edb39ad8a9883175f9bd428334a2_signal_sigsegv_7ffff713351a_706_mov__alac__ALAC_6ch.mov Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f7068bf277a37479aecde2832208d820682b35e6) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index b0527f1439..a5948bba7e 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -534,6 +534,12 @@ static int allocate_buffers(ALACContext *alac) int ch; int buf_size = alac->max_samples_per_frame * sizeof(int32_t); + for (ch = 0; ch < 2; ch++) { + alac->predict_error_buffer[ch] = NULL; + alac->output_samples_buffer[ch] = NULL; + alac->extra_bits_buffer[ch] = NULL; + } + for (ch = 0; ch < FFMIN(alac->channels, 2); ch++) { FF_ALLOC_OR_GOTO(alac->avctx, alac->predict_error_buffer[ch], buf_size, buf_alloc_fail); From 237751eb257fd528a91f35f0a835c2273957ee62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jul 2015 16:05:21 +0200 Subject: [PATCH 069/380] avcodec/sanm: Reset sizes in destroy_buffers() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes crash in 1288a2fe8e9ae6b00ca40e089d08ca65_signal_sigsegv_7ffff71426a7_354_accident.san with allocation limit 65536 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 9e5ec5400e..2547abb840 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -457,6 +457,7 @@ static void destroy_buffers(SANMVideoContext *ctx) ctx->frm0_size = ctx->frm1_size = ctx->frm2_size = 0; + init_sizes(ctx, 0, 0); } static av_cold int init_buffers(SANMVideoContext *ctx) From 6e53134f98928d4de91341540cfbb64eb328c5f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jul 2015 21:19:04 +0200 Subject: [PATCH 070/380] avcodec/pthread_frame: check avctx on deallocation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereferences Fixes: af1a5a33e67e479f439239097bd0d4fd_signal_sigsegv_7ffff713351a_152_Dolby_Rain_Logo.pmp with memlimit of 8388608 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5d346feafa817c4fbc30f7ed0b93b2dad6cef15b) Signed-off-by: Michael Niedermayer --- libavcodec/pthread_frame.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index a3fd1fff75..c8f35a72dd 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -572,7 +572,7 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) pthread_join(p->thread, NULL); p->thread_init=0; - if (codec->close) + if (codec->close && p->avctx) codec->close(p->avctx); release_delayed_buffers(p); @@ -590,12 +590,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) av_packet_unref(&p->avpkt); av_freep(&p->released_buffers); - if (i) { + if (i && p->avctx) { av_freep(&p->avctx->priv_data); av_freep(&p->avctx->slice_offset); } - av_freep(&p->avctx->internal); + if (p->avctx) + av_freep(&p->avctx->internal); av_freep(&p->avctx); } From 441ef87ea8e0422fa5eee39702cabae141ebda89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jul 2015 23:33:18 +0200 Subject: [PATCH 071/380] ffmpeg: Fix cleanup with ost = NULL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 09e670595acbdafb226974b08dab66e3_signal_sigabrt_7ffff70eccc9_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 1048576 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 503ec7139f887bf8ed8d57da07ce93c4e88447a6) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 1cf4487592..d23e713d5a 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -466,7 +466,12 @@ static void ffmpeg_cleanup(int ret) } for (i = 0; i < nb_output_streams; i++) { OutputStream *ost = output_streams[i]; - AVBitStreamFilterContext *bsfc = ost->bitstream_filters; + AVBitStreamFilterContext *bsfc; + + if (!ost) + continue; + + bsfc = ost->bitstream_filters; while (bsfc) { AVBitStreamFilterContext *next = bsfc->next; av_bitstream_filter_close(bsfc); From a18e8d82de87f6cd88a68ede8f5526a102d47869 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Jul 2015 13:02:19 +0200 Subject: [PATCH 072/380] ffmpeg: Fix crash with ost->last_frame allocation failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 1013dbde2c360d939cc2dfc33e4f275c_signal_sigsegv_a0500f_45_320vp3.nsv with memlimit of 536870912 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fd4c87fa3becaf8a6c480db915daf51e297b76c5) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index d23e713d5a..52aa967d9a 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1182,7 +1182,7 @@ static void do_video_out(AVFormatContext *s, if (!ost->last_frame) ost->last_frame = av_frame_alloc(); av_frame_unref(ost->last_frame); - if (next_picture) + if (next_picture && ost->last_frame) av_frame_ref(ost->last_frame, next_picture); else av_frame_free(&ost->last_frame); From a066b2ceddc64f8d3e8cb8eb8ee129714df302bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Jul 2015 14:14:16 +0200 Subject: [PATCH 073/380] avformat/mov: Fix deallocation when MOVStreamContext failed to allocate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 260813283176b57b3c9974fe284eebc3_signal_sigsegv_7ffff713351a_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 262144 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 15629129dde771446a005282ee33c4ea1199e696) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5ea6932801..b42537f562 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3964,6 +3964,9 @@ static int mov_read_close(AVFormatContext *s) AVStream *st = s->streams[i]; MOVStreamContext *sc = st->priv_data; + if (!sc) + continue; + av_freep(&sc->ctts_data); for (j = 0; j < sc->drefs_count; j++) { av_freep(&sc->drefs[j].path); From 2e7bd0f725c8124a3c040fce60e952d802925cdf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Jul 2015 15:49:41 +0200 Subject: [PATCH 074/380] ffmpeg: Fix cleanup after failed allocation of output_files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 39a25908b84604acdaa490138282d091_signal_sigsegv_7ffff713351a_331_WAWV.avi with memlimit of 262144 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 6e80fe1ecd984a59bb6c73cbb436cc06536b7728) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 52aa967d9a..ec67af35a1 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -456,7 +456,10 @@ static void ffmpeg_cleanup(int ret) /* close files */ for (i = 0; i < nb_output_files; i++) { OutputFile *of = output_files[i]; - AVFormatContext *s = of->ctx; + AVFormatContext *s; + if (!of) + continue; + s = of->ctx; if (s && s->oformat && !(s->oformat->flags & AVFMT_NOFILE)) avio_closep(&s->pb); avformat_free_context(s); From a330aca126eb67d7374f821cbf4765eb6640d00c Mon Sep 17 00:00:00 2001 From: Zhang Rui Date: Tue, 14 Jul 2015 14:47:26 +0800 Subject: [PATCH 075/380] avutil/fifo: Fix the case where func() returns less bytes than requested in av_fifo_generic_write() Signed-off-by: Michael Niedermayer (cherry picked from commit fcbea93cf8777bbef2a393d26942b5d3c70a448d) Signed-off-by: Michael Niedermayer --- libavutil/fifo.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/fifo.c b/libavutil/fifo.c index 4ff3194c5f..f2fe93de75 100644 --- a/libavutil/fifo.c +++ b/libavutil/fifo.c @@ -129,7 +129,8 @@ int av_fifo_generic_write(AVFifoBuffer *f, void *src, int size, do { int len = FFMIN(f->end - wptr, size); if (func) { - if (func(src, wptr, len) <= 0) + len = func(src, wptr, len); + if (len <= 0) break; } else { memcpy(wptr, src, len); From 1cbd7b08f661163ea0f41f03752e420a47904c11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jul 2015 19:20:19 +0200 Subject: [PATCH 076/380] swscale/utils: Clear pix buffers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes use of uninitialized memory Fixes: a96874b9466b6edc660a519c7ad47977_signal_sigsegv_7ffff713351a_744_nc_sample.avi with memlimit 2147483648 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a5d44d5c220e12ca0cb7a4eceb0f74759cb13111) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index f9f4ec6cb7..63fb05ccfd 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1487,9 +1487,9 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, /* Allocate pixbufs (we use dynamic allocation because otherwise we would * need to allocate several megabytes to handle all possible cases) */ - FF_ALLOC_OR_GOTO(c, c->lumPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); - FF_ALLOC_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); - FF_ALLOC_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->lumPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) FF_ALLOCZ_OR_GOTO(c, c->alpPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); /* Note we need at least one pixel more at the end because of the MMX code From 73ebc4046e774d93630b6de45bb8fbdb860187bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jul 2015 11:52:33 +0200 Subject: [PATCH 077/380] avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: b4b47bc2b3fb7ca710bfffe5aa969e37_signal_sigabrt_7ffff70eccc9_744_nc_sample2.avi with memlimit of 4194304 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f1a38264f20382731cf2cc75fdd98f4c9a84a626) Signed-off-by: Michael Niedermayer --- libavcodec/pthread_frame.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index c8f35a72dd..fbef57c35e 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -679,6 +679,7 @@ int ff_frame_thread_init(AVCodecContext *avctx) copy->internal = av_malloc(sizeof(AVCodecInternal)); if (!copy->internal) { + copy->priv_data = NULL; err = AVERROR(ENOMEM); goto error; } From e693af81b7f497817399722a21d95cc3afc3d62b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Jul 2015 20:27:25 +0200 Subject: [PATCH 078/380] avfilter/af_aresample: Check ff_all_* for allocation failures MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signal_sigabrt_7ffff70eccc9_498_divx502.avi with memlimit 1572864 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 2ea8a480832acad3095783bcb11d5f290bec56cf) Signed-off-by: Michael Niedermayer --- libavfilter/af_aresample.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/libavfilter/af_aresample.c b/libavfilter/af_aresample.c index 57ac3978be..6cb765df1b 100644 --- a/libavfilter/af_aresample.c +++ b/libavfilter/af_aresample.c @@ -87,15 +87,24 @@ static int query_formats(AVFilterContext *ctx) AVFilterLink *inlink = ctx->inputs[0]; AVFilterLink *outlink = ctx->outputs[0]; - AVFilterFormats *in_formats = ff_all_formats(AVMEDIA_TYPE_AUDIO); - AVFilterFormats *out_formats; - AVFilterFormats *in_samplerates = ff_all_samplerates(); - AVFilterFormats *out_samplerates; - AVFilterChannelLayouts *in_layouts = ff_all_channel_counts(); - AVFilterChannelLayouts *out_layouts; + AVFilterFormats *in_formats, *out_formats; + AVFilterFormats *in_samplerates, *out_samplerates; + AVFilterChannelLayouts *in_layouts, *out_layouts; + + in_formats = ff_all_formats(AVMEDIA_TYPE_AUDIO); + if (!in_formats) + return AVERROR(ENOMEM); ff_formats_ref (in_formats, &inlink->out_formats); + + in_samplerates = ff_all_samplerates(); + if (!in_samplerates) + return AVERROR(ENOMEM); ff_formats_ref (in_samplerates, &inlink->out_samplerates); + + in_layouts = ff_all_channel_counts(); + if (!in_layouts) + return AVERROR(ENOMEM); ff_channel_layouts_ref(in_layouts, &inlink->out_channel_layouts); if(out_rate > 0) { From 05684cee424a6e440c6757d224a748a2ffe87dde Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 11:24:45 +0200 Subject: [PATCH 079/380] avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoids leaving stale pointers Fixes: signal_sigabrt_7ffff70eccc9_819_sabtriple.rm with memlimit 536870912 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index c109a9e003..51e0f4014f 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1534,7 +1534,14 @@ int ff_rv34_decode_init_thread_copy(AVCodecContext *avctx) if (avctx->internal->is_copy) { r->tmp_b_block_base = NULL; + r->cbp_chroma = NULL; + r->cbp_luma = NULL; + r->deblock_coefs = NULL; + r->intra_types_hist = NULL; + r->mb_type = NULL; + ff_mpv_idct_init(&r->s); + if ((err = ff_mpv_common_init(&r->s)) < 0) return err; if ((err = rv34_decoder_alloc(r)) < 0) { From f00f799833afb856ce78b9251e73e72a4a31fd70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 17:55:19 +0200 Subject: [PATCH 080/380] avcodec/diracdec: Check for hpel_base allocation failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereference Fixes: signal_sigsegv_b02a96_280_RL_420p_ffdirac.drc with memlimit of 67108864 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1c5b712c0a643a039d6f34269b4102de313a050a) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 0213048d3b..49a495255c 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1563,7 +1563,7 @@ static void select_dsp_funcs(DiracContext *s, int width, int height, int xblen, } } -static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, int width, int height) +static int interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, int width, int height) { /* chroma allocates an edge of 8 when subsampled which for 4:2:2 means an h edge of 16 and v edge of 8 @@ -1575,11 +1575,14 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in /* no need for hpel if we only have fpel vectors */ if (!s->mv_precision) - return; + return 0; for (i = 1; i < 4; i++) { if (!ref->hpel_base[plane][i]) ref->hpel_base[plane][i] = av_malloc((height+2*edge) * ref->avframe->linesize[plane] + 32); + if (!ref->hpel_base[plane][i]) { + return AVERROR(ENOMEM); + } /* we need to be 16-byte aligned even for chroma */ ref->hpel[plane][i] = ref->hpel_base[plane][i] + edge*ref->avframe->linesize[plane] + 16; } @@ -1593,6 +1596,8 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in s->mpvencdsp.draw_edges(ref->hpel[plane][3], ref->avframe->linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM); } ref->interpolated[plane] = 1; + + return 0; } /** @@ -1646,8 +1651,11 @@ static int dirac_decode_frame_internal(DiracContext *s) select_dsp_funcs(s, p->width, p->height, p->xblen, p->yblen); - for (i = 0; i < s->num_refs; i++) - interpolate_refplane(s, s->ref_pics[i], comp, p->width, p->height); + for (i = 0; i < s->num_refs; i++) { + int ret = interpolate_refplane(s, s->ref_pics[i], comp, p->width, p->height); + if (ret < 0) + return ret; + } memset(s->mctmp, 0, 4*p->yoffset*p->stride); From 9c655d2a57d48707317af149154b9a38893d8a15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 19:02:26 +0200 Subject: [PATCH 081/380] avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signal_sigsegv_d5de23_967_vp80_00_comprehensive_010.ivf with memlimit 524288 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a84f0e8d8f293df3c535f9b893730a835bed6520) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index becbb2c437..494400f41e 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2689,6 +2689,9 @@ av_cold int ff_vp8_decode_free(AVCodecContext *avctx) VP8Context *s = avctx->priv_data; int i; + if (!s) + return 0; + vp8_decode_flush_impl(avctx, 1); for (i = 0; i < FF_ARRAY_ELEMS(s->frames); i++) av_frame_free(&s->frames[i].tf.f); From 08337cca05e6fca34a9efcb9f3ac0219291c3e56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 19:18:24 +0200 Subject: [PATCH 082/380] avcodec/vp8: Check buffer size in vp8_decode_frame_header() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit avoids null pointer dereference Fixes: signal_sigsegv_d5de40_964_vp80-00-comprehensive-010.ivf with memlimit of 1048576 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 599d746e07319dc792ed2e511b666fe482f1ff88) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 494400f41e..25fe70ae31 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -639,6 +639,11 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si int width = s->avctx->width; int height = s->avctx->height; + if (buf_size < 3) { + av_log(s->avctx, AV_LOG_ERROR, "Insufficent data (%d) for header\n", buf_size); + return AVERROR_INVALIDDATA; + } + s->keyframe = !(buf[0] & 1); s->profile = (buf[0]>>1) & 7; s->invisible = !(buf[0] & 0x10); From 4a6ac71742e09f425bccb623ab3e0d5455853090 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 20:53:40 +0200 Subject: [PATCH 083/380] Update for FFmpeg 2.7.2 Signed-off-by: Michael Niedermayer --- Changelog | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 54 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index b484505321..674a9d9f8e 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,58 @@ releases are sorted from youngest to oldest. version : +version 2.7.2: +- avcodec/vp8: Check buffer size in vp8_decode_frame_header() +- avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free() +- avcodec/diracdec: Check for hpel_base allocation failure +- avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy() +- avfilter/af_aresample: Check ff_all_* for allocation failures +- avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case +- swscale/utils: Clear pix buffers +- avutil/fifo: Fix the case where func() returns less bytes than requested in av_fifo_generic_write() +- ffmpeg: Fix cleanup after failed allocation of output_files +- avformat/mov: Fix deallocation when MOVStreamContext failed to allocate +- ffmpeg: Fix crash with ost->last_frame allocation failure +- ffmpeg: Fix cleanup with ost = NULL +- avcodec/pthread_frame: check avctx on deallocation +- avcodec/sanm: Reset sizes in destroy_buffers() +- avcodec/alac: Clear pointers in allocate_buffers() +- bytestream2: set the reader to the end when reading more than available +- avcodec/utils: use a minimum 32pixel width in avcodec_align_dimensions2() for H.264 +- avcodec/mpegvideo: Clear pointers in ff_mpv_common_init() +- oggparsedirac: check return value of init_get_bits +- wmalosslessdec: reset frame->nb_samples on packet loss +- wmalosslessdec: avoid reading 0 bits with get_bits +- Put a space between string literals and macros. +- avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2() +- avcodec/aacsbr: check that the element type matches before applying SBR +- avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h +- vp9/update_prob: prevent out of bounds table read +- avfilter/vf_transpose: Fix rounding error +- avcodec/h264_refs: discard mismatching references +- avcodec/mjpegdec: Fix small picture upscale +- avcodec/pngdec: Check values before updating context in decode_fctl_chunk() +- avcodec/pngdec: Copy IHDR & plte state from last thread +- avcodec/pngdec: Require a IHDR chunk before fctl +- avcodec/pngdec: Only allow one IHDR chunk +- wmavoice: limit wmavoice_decode_packet return value to packet size +- swscale/swscale_unscaled: Fix rounding difference with RGBA output between little and big endian +- ffmpeg: Do not use the data/size of a bitstream filter after failure +- swscale/x86/rgb2rgb_template: fix signedness of v in shuffle_bytes_2103_{mmx,mmxext} +- vda: unlock the pixel buffer base address. +- swscale/rgb2rgb_template: Fix signedness of v in shuffle_bytes_2103_c() +- swscale/rgb2rgb_template: Implement shuffle_bytes_0321_c and fix shuffle_bytes_2103_c on BE +- swscale/rgb2rgb_template: Disable shuffle_bytes_2103_c on big endian +- swr: Remember previously set int_sample_format from user +- swresample: soxr implementation for swr_get_out_samples() +- avformat/swfdec: Do not error out on pixel format changes +- ffmpeg_opt: Fix forcing fourccs +- configure: Check for x265_api_get +- swscale/x86/rgb2rgb_template: don't call emms on sse2/avx functions +- swscale/x86/rgb2rgb_template: add missing xmm clobbers +- library.mak: Workaround SDL redefining main and breaking fate tests on mingw +- vaapi_h264: fix RefPicList[] field flags. + version 2.7.1: - postproc: fix unaligned access - avformat: clarify what package needs to be compiled with SSL support diff --git a/RELEASE b/RELEASE index 860487ca19..37c2961c24 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.7.1 +2.7.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0f847afa0c..1b116d4d4a 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.7.1 +PROJECT_NUMBER = 2.7.2 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From f66d2bf94909904109f6b0609516c10f9f3f3db4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 26 Jun 2015 00:27:54 +0200 Subject: [PATCH 084/380] mpegaudiodec: copy AVFloatDSPContext from first context to all contexts This fixes a segfault when decoding multi-channel MP3onMP4 files. This is similar to commit cb72230d for MPADSPContext. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 151dbe4579601a81662b4b366d0e10df3c00027a) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpegaudiodec_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 1cc5ac47f4..8c43f41e20 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -1893,6 +1893,7 @@ static av_cold int decode_init_mp3on4(AVCodecContext * avctx) s->mp3decctx[i]->adu_mode = 1; s->mp3decctx[i]->avctx = avctx; s->mp3decctx[i]->mpadsp = s->mp3decctx[0]->mpadsp; + s->mp3decctx[i]->fdsp = s->mp3decctx[0]->fdsp; } return 0; From 2e1226a695dd2faada939e0bdc3ee166b05c3579 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 25 Jun 2015 22:47:38 +0200 Subject: [PATCH 085/380] vc1dec: use get_bits_long and limit the read bits to 32 get_bits should not be used with more than 25 bits. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1f1e0a2971b2a01f275bb5088c2e36166514be64) Signed-off-by: Andreas Cadhalpun --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 3fa39a579e..d7a0cefa4d 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -469,7 +469,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) count = avctx->extradata_size*8 - get_bits_count(&gb); if (count > 0) { av_log(avctx, AV_LOG_INFO, "Extra data: %i bits left, value: %X\n", - count, get_bits(&gb, count)); + count, get_bits_long(&gb, FFMIN(count, 32))); } else if (count < 0) { av_log(avctx, AV_LOG_INFO, "Read %i bits in overflow\n", -count); } From 72933729598240a05411d177a3f405b7694537de Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 26 Jun 2015 19:31:03 +0200 Subject: [PATCH 086/380] s302m: fix arithmetic exception If nb_samples is zero, the bit_rate calculation results in a division by zero. Since ff_get_buffer fails if frame->nb_samples is zero, this can be fixed by moving the bit_rate calculation after that function call. That also makes it possible to reuse the already calculated frame->nb_samples value. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 04dfbc9441beed93984568c1547f1ed588122627) Signed-off-by: Andreas Cadhalpun --- libavcodec/s302m.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index 5cf9eb5b1d..24130d8786 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -85,10 +85,6 @@ static int s302m_parse_frame_header(AVCodecContext *avctx, const uint8_t *buf, case 8: avctx->channel_layout = AV_CH_LAYOUT_5POINT1_BACK | AV_CH_LAYOUT_STEREO_DOWNMIX; } - avctx->bit_rate = 48000 * avctx->channels * (avctx->bits_per_raw_sample + 4) + - 32 * (48000 / (buf_size * 8 / - (avctx->channels * - (avctx->bits_per_raw_sample + 4)))); return frame_size; } @@ -117,6 +113,8 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; + avctx->bit_rate = 48000 * avctx->channels * (avctx->bits_per_raw_sample + 4) + + 32 * 48000 / frame->nb_samples; buf_size = (frame->nb_samples * avctx->channels / 2) * block_size; if (avctx->bits_per_raw_sample == 24) { From eddf146ada12b394a7796af12bff2121505dc4a1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 27 Jun 2015 17:50:56 +0200 Subject: [PATCH 087/380] nutdec: check maxpos in read_sm_data before returning success Otherwise sm_size can be larger than size, which results in a negative packet size. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 6b9fdf7f4f07926557048070cc2af3cfd0e3fe50) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 13fb39924d..606deaa838 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1005,6 +1005,9 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int AV_WL32(dst+4, skip_end); } + if (avio_tell(bc) >= maxpos) + return AVERROR_INVALIDDATA; + return 0; } From 95bd0f3a4b65e1641079f8bbdf391d0a2bfcd27a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 27 Jun 2015 20:16:12 +0200 Subject: [PATCH 088/380] wavpack: use get_bits_long to read up to 32 bits get_bits should not be used for more than 25 bits. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f9883a669c3df05a5c453428e080298c6511a17e) Signed-off-by: Andreas Cadhalpun --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index b51a21cc9d..d91b66cf2a 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -155,7 +155,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (t >= 2) { if (get_bits_left(gb) < t - 1) goto error; - t = get_bits(gb, t - 1) | (1 << (t - 1)); + t = get_bits_long(gb, t - 1) | (1 << (t - 1)); } else { if (get_bits_left(gb) < 0) goto error; @@ -186,7 +186,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, } else { if (get_bits_left(gb) < t2 - 1) goto error; - t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } } From 43f8a422b34302d94ba76eb9a5be75ffffbc9881 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 28 Jun 2015 11:21:54 +0200 Subject: [PATCH 089/380] huffyuvdec: validate image size Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9a345802edf7f430b3335f486aecdd8552f8367b) Signed-off-by: Andreas Cadhalpun --- libavcodec/huffyuvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 98c6128470..a99ac71a89 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -37,6 +37,7 @@ #include "huffyuv.h" #include "huffyuvdsp.h" #include "thread.h" +#include "libavutil/imgutils.h" #include "libavutil/pixdesc.h" #define classic_shift_luma_table_size 42 @@ -291,6 +292,10 @@ static av_cold int decode_init(AVCodecContext *avctx) HYuvContext *s = avctx->priv_data; int ret; + ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + if (ret < 0) + return ret; + ff_huffyuvdsp_init(&s->hdsp); memset(s->vlc, 0, 4 * sizeof(VLC)); From acfad331adde5b4ae247bf5748211e8fdb6b4ef5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 30 Jun 2015 21:01:29 +0200 Subject: [PATCH 090/380] pthread_frame: forward error codes when flushing This is the first part of the fix for ticket #4370. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 32a5b631267e1f8bf279e407039b9a99d012d033) Signed-off-by: Andreas Cadhalpun --- libavcodec/pthread_frame.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index fbef57c35e..77bb6fdb4d 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -454,6 +454,9 @@ int ff_thread_decode_frame(AVCodecContext *avctx, *got_picture_ptr = p->got_frame; picture->pkt_dts = p->avpkt.dts; + if (p->result < 0) + err = p->result; + /* * A later call with avkpt->size == 0 may loop over all threads, * including this one, searching for a frame to return before being @@ -471,6 +474,14 @@ int ff_thread_decode_frame(AVCodecContext *avctx, fctx->next_finished = finished; + /* + * When no frame was found while flushing, but an error occured in + * any thread, return it instead of 0. + * Otherwise the error can get lost. + */ + if (!avpkt->size && !*got_picture_ptr) + return err; + /* return the size of the consumed packet if no error occurred */ return (p->result >= 0) ? avpkt->size : p->result; } From 1d1adf5ff42041810d4069ce03303706fbf13d8a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 30 Jun 2015 21:06:40 +0200 Subject: [PATCH 091/380] ffmpeg: exit_on_error if decoding a packet failed This is the second part of the fix for ticket #4370. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit cd64ead8d96b2d2c300e0ac620fb82b17d6051bf) Signed-off-by: Andreas Cadhalpun Conflicts: ffmpeg.c --- ffmpeg.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ffmpeg.c b/ffmpeg.c index ec67af35a1..1524ac24b6 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1877,6 +1877,9 @@ static int decode_audio(InputStream *ist, AVPacket *pkt, int *got_output) if (*got_output || ret<0 || pkt->size) decode_error_stat[ret<0] ++; + if (ret < 0 && exit_on_error) + exit_program(1); + if (!*got_output || ret < 0) { if (!pkt->size) { for (i = 0; i < ist->nb_filters; i++) @@ -2022,6 +2025,9 @@ static int decode_video(InputStream *ist, AVPacket *pkt, int *got_output) if (*got_output || ret<0 || pkt->size) decode_error_stat[ret<0] ++; + if (ret < 0 && exit_on_error) + exit_program(1); + if (*got_output && ret >= 0) { if (ist->dec_ctx->width != decoded_frame->width || ist->dec_ctx->height != decoded_frame->height || @@ -2140,6 +2146,9 @@ static int transcode_subtitles(InputStream *ist, AVPacket *pkt, int *got_output) if (*got_output || ret<0 || pkt->size) decode_error_stat[ret<0] ++; + if (ret < 0 && exit_on_error) + exit_program(1); + if (ret < 0 || !*got_output) { if (!pkt->size) sub2video_flush(ist); From 70b97a89d2d7ba837c830b1da5924314d68fc3e7 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 30 Jun 2015 21:09:50 +0200 Subject: [PATCH 092/380] ffmpeg: only count got_output/errors in decode_error_stat If threading is used, the first (thread_count - 1) packets are read before any frame/error is returned. Counting this as successful decoding is wrong, because it also happens when no single frame could be decoded. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit bd0f14123fd8c7ff1c27b726d143f84c67f3a522) Signed-off-by: Andreas Cadhalpun --- ffmpeg.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 1524ac24b6..384b92ca16 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1874,7 +1874,7 @@ static int decode_audio(InputStream *ist, AVPacket *pkt, int *got_output) ret = AVERROR_INVALIDDATA; } - if (*got_output || ret<0 || pkt->size) + if (*got_output || ret<0) decode_error_stat[ret<0] ++; if (ret < 0 && exit_on_error) @@ -2022,7 +2022,7 @@ static int decode_video(InputStream *ist, AVPacket *pkt, int *got_output) ); } - if (*got_output || ret<0 || pkt->size) + if (*got_output || ret<0) decode_error_stat[ret<0] ++; if (ret < 0 && exit_on_error) @@ -2143,7 +2143,7 @@ static int transcode_subtitles(InputStream *ist, AVPacket *pkt, int *got_output) int i, ret = avcodec_decode_subtitle2(ist->dec_ctx, &subtitle, got_output, pkt); - if (*got_output || ret<0 || pkt->size) + if (*got_output || ret<0) decode_error_stat[ret<0] ++; if (ret < 0 && exit_on_error) From f0af6e705f3b30f7f5afa3c24db27433af6b1bfc Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 2 Jul 2015 23:05:05 +0200 Subject: [PATCH 093/380] wavpack: limit extra_bits to 32 and use get_bits_long More than 32 bits can't be stored in an integer and get_bits should not be used with more than 25 bits. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit d0eff8857ceff2601f85037c930cbe61a88b611e) Signed-off-by: Andreas Cadhalpun --- libavcodec/wavpack.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index d91b66cf2a..554367b32f 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -271,7 +271,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, if (s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits) { - S |= get_bits(&s->gb_extra_bits, s->extra_bits); + S |= get_bits_long(&s->gb_extra_bits, s->extra_bits); *crc = *crc * 9 + (S & 0xffff) * 3 + ((unsigned)S >> 16); } } @@ -835,7 +835,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0]) { + if (val[0] > 32) { + av_log(avctx, AV_LOG_ERROR, + "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); + continue; + } else if (val[0]) { s->extra_bits = val[0]; } else if (val[1]) { s->shift = val[1]; From 762a5878a6b0bef923ef97c15fdb8274a0351278 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 2 Jul 2015 23:45:46 +0200 Subject: [PATCH 094/380] webp: fix infinite loop in webp_decode_frame The loop always needs at least 8 bytes for chunk_type and chunk_size. If fewer are left, bytestream2_get_le32 just returns 0 without reading any bytes, leading to an infinite loop. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 0762152f7af6cd93bc8f504d5503723500c3f369) Signed-off-by: Andreas Cadhalpun --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 47e9e9e662..723a84769b 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1387,7 +1387,7 @@ static int webp_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } av_dict_free(&s->exif_metadata); - while (bytestream2_get_bytes_left(&gb) > 0) { + while (bytestream2_get_bytes_left(&gb) > 8) { char chunk_str[5] = { 0 }; chunk_type = bytestream2_get_le32(&gb); From 26cb351452e76dc4a61028f277cf11b8d7abd74b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 9 Jul 2015 19:50:34 +0200 Subject: [PATCH 095/380] snow: remove an obsolete av_assert2 It asserts that the frame linesize is larger than 37, but it can be smaller and decoding such frames works. Before commit cc884a35 src_stride > 7*MB_SIZE was necessary, because the blocks were interleaved in the tmp buffer and the last block was added with an offset of 6*MB_SIZE. It was changed for src_stride <= 7*MB_SIZE to write the blocks sequentially, hence the larger tmp_step. After that the assert was only necessary to make sure that the buffer remained large enough. Since commit bd2b6b33 s->scratchbuf is used as tmp buffer. As part of commit 86e107a7 the minimal scratchbuf size was increased to 256*7*MB_SIZE, which is enough for any src_stride <= 7*MB_SIZE. Also add a comment explaining the tmp_step calculation. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 3526a120f92929cb0a4009e403ee2f141030c487) Signed-off-by: Andreas Cadhalpun --- libavcodec/snow.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 95e07cd0ae..447859f488 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -304,6 +304,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer BlockNode *lb= lt+b_stride; BlockNode *rb= lb+1; uint8_t *block[4]; + // When src_stride is large enough, it is possible to interleave the blocks. + // Otherwise the blocks are written sequentially in the tmp buffer. int tmp_step= src_stride >= 7*MB_SIZE ? MB_SIZE : MB_SIZE*src_stride; uint8_t *tmp = s->scratchbuf; uint8_t *ptmp; @@ -347,8 +349,6 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer if(b_w<=0 || b_h<=0) return; - av_assert2(src_stride > 2*MB_SIZE + 5); - if(!sliced && offset_dst) dst += src_x + src_y*dst_stride; dst8+= src_x + src_y*src_stride; From f06d9dced4c7267008beae45f28ce4e1848ef403 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 10 Jul 2015 19:41:43 +0200 Subject: [PATCH 096/380] hevc: check slice address length It is used as get_bits argument and reading 0 bits isn't supported. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 05cc8c8e4b7008ff3be8ec477c901b2ceca4b16b) Signed-off-by: Andreas Cadhalpun --- libavcodec/hevc.c | 2 +- libavcodec/hevc_parser.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 1d2fa9c81d..a56063f8fd 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -456,7 +456,7 @@ static int hls_slice_header(HEVCContext *s) slice_address_length = av_ceil_log2(s->sps->ctb_width * s->sps->ctb_height); - sh->slice_segment_addr = get_bits(gb, slice_address_length); + sh->slice_segment_addr = slice_address_length ? get_bits(gb, slice_address_length) : 0; if (sh->slice_segment_addr >= s->sps->ctb_width * s->sps->ctb_height) { av_log(s->avctx, AV_LOG_ERROR, "Invalid slice segment address: %u.\n", diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c index 3c7c3c377d..31452f2055 100644 --- a/libavcodec/hevc_parser.c +++ b/libavcodec/hevc_parser.c @@ -200,7 +200,7 @@ static inline int parse_nal_units(AVCodecParserContext *s, AVCodecContext *avctx slice_address_length = av_ceil_log2_c(h->sps->ctb_width * h->sps->ctb_height); - sh->slice_segment_addr = get_bits(gb, slice_address_length); + sh->slice_segment_addr = slice_address_length ? get_bits(gb, slice_address_length) : 0; if (sh->slice_segment_addr >= h->sps->ctb_width * h->sps->ctb_height) { av_log(h->avctx, AV_LOG_ERROR, "Invalid slice segment address: %u.\n", sh->slice_segment_addr); From 27816fb9ef26af1fa820c434079491f155e67471 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 10 Jul 2015 21:50:50 +0200 Subject: [PATCH 097/380] imc: use correct position for flcoeffs2 calculation flcoeffs2[pos] should be the log2 of flcoeffs1[pos]. flcoeffs1[0] can be 0 here, thus flcoeffs2[pos] gets set to -inf, causing problems further down. This seems to have been copied from imc_decode_level_coefficients in commit 4eb4bb3 without updating the position. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 75fd5ce4c1c0b2d96d71c74b650cefaaef519d27) Signed-off-by: Andreas Cadhalpun --- libavcodec/imc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index b062b216e8..e15ac9cfde 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -426,7 +426,7 @@ static void imc_decode_level_coefficients_raw(IMCContext *q, int *levlCoeffBuf, pos = q->coef0_pos; flcoeffs1[pos] = 20000.0 / pow (2, levlCoeffBuf[0] * 0.18945); // 0.18945 = log2(10) * 0.05703125 - flcoeffs2[pos] = log2f(flcoeffs1[0]); + flcoeffs2[pos] = log2f(flcoeffs1[pos]); tmp = flcoeffs1[pos]; tmp2 = flcoeffs2[pos]; From 15466db69e60f486c44e4c3e680d27c951f125d7 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 10 Jul 2015 19:41:43 +0200 Subject: [PATCH 098/380] Changelog update Signed-off-by: Andreas Cadhalpun --- Changelog | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Changelog b/Changelog index 674a9d9f8e..68ce3f7a5a 100644 --- a/Changelog +++ b/Changelog @@ -4,6 +4,20 @@ releases are sorted from youngest to oldest. version : version 2.7.2: +- imc: use correct position for flcoeffs2 calculation +- hevc: check slice address length +- snow: remove an obsolete av_assert2 +- webp: fix infinite loop in webp_decode_frame +- wavpack: limit extra_bits to 32 and use get_bits_long +- ffmpeg: only count got_output/errors in decode_error_stat +- ffmpeg: exit_on_error if decoding a packet failed +- pthread_frame: forward error codes when flushing +- huffyuvdec: validate image size +- wavpack: use get_bits_long to read up to 32 bits +- nutdec: check maxpos in read_sm_data before returning success +- s302m: fix arithmetic exception +- vc1dec: use get_bits_long and limit the read bits to 32 +- mpegaudiodec: copy AVFloatDSPContext from first context to all contexts - avcodec/vp8: Check buffer size in vp8_decode_frame_header() - avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free() - avcodec/diracdec: Check for hpel_base allocation failure From a3d45dbcc144a221bfa799e07e675cf18151975f Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 30 Jul 2015 19:28:02 -0300 Subject: [PATCH 099/380] mips/hevcdsp: fix string concatenation on macros Needed for old compilers like GCC 4.2 Tested by trac user brad. Fixes ticket #4745 Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit a0092cea462ff4f203aaff09c42c6731c6516b44) --- libavcodec/mips/hevc_mc_bi_msa.c | 4 ++-- libavcodec/mips/hevc_mc_biw_msa.c | 4 ++-- libavcodec/mips/hevc_mc_uni_msa.c | 4 ++-- libavcodec/mips/hevc_mc_uniw_msa.c | 4 ++-- libavcodec/mips/hevcdsp_mips.h | 10 +++++----- libavcodec/mips/hevcdsp_msa.c | 4 ++-- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/mips/hevc_mc_bi_msa.c b/libavcodec/mips/hevc_mc_bi_msa.c index 0709b40ccf..8208be327d 100644 --- a/libavcodec/mips/hevc_mc_bi_msa.c +++ b/libavcodec/mips/hevc_mc_bi_msa.c @@ -4369,7 +4369,7 @@ BI_MC_COPY(64); #undef BI_MC_COPY #define BI_MC(PEL, DIR, WIDTH, TAP, DIR1, FILT_DIR) \ -void ff_hevc_put_hevc_bi_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_bi_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t dst_stride, \ uint8_t *src, \ ptrdiff_t src_stride, \ @@ -4423,7 +4423,7 @@ BI_MC(epel, v, 32, 4, vt, my); #undef BI_MC #define BI_MC_HV(PEL, DIR, WIDTH, TAP, DIR1) \ -void ff_hevc_put_hevc_bi_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_bi_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t dst_stride, \ uint8_t *src, \ ptrdiff_t src_stride, \ diff --git a/libavcodec/mips/hevc_mc_biw_msa.c b/libavcodec/mips/hevc_mc_biw_msa.c index a1deb0ec4e..05a28ece44 100644 --- a/libavcodec/mips/hevc_mc_biw_msa.c +++ b/libavcodec/mips/hevc_mc_biw_msa.c @@ -5454,7 +5454,7 @@ BI_W_MC_COPY(64); #undef BI_W_MC_COPY #define BI_W_MC(PEL, DIR, WIDTH, TAP, DIR1, FILT_DIR) \ -void ff_hevc_put_hevc_bi_w_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_bi_w_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t \ dst_stride, \ uint8_t *src, \ @@ -5521,7 +5521,7 @@ BI_W_MC(epel, v, 32, 4, vt, my); #undef BI_W_MC #define BI_W_MC_HV(PEL, DIR, WIDTH, TAP, DIR1) \ -void ff_hevc_put_hevc_bi_w_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_bi_w_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t \ dst_stride, \ uint8_t *src, \ diff --git a/libavcodec/mips/hevc_mc_uni_msa.c b/libavcodec/mips/hevc_mc_uni_msa.c index 7d02ce82fa..545e8ae76a 100644 --- a/libavcodec/mips/hevc_mc_uni_msa.c +++ b/libavcodec/mips/hevc_mc_uni_msa.c @@ -3871,7 +3871,7 @@ UNI_MC_COPY(64); #undef UNI_MC_COPY #define UNI_MC(PEL, DIR, WIDTH, TAP, DIR1, FILT_DIR) \ -void ff_hevc_put_hevc_uni_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_uni_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t \ dst_stride, \ uint8_t *src, \ @@ -3925,7 +3925,7 @@ UNI_MC(epel, v, 32, 4, vt, my); #undef UNI_MC #define UNI_MC_HV(PEL, DIR, WIDTH, TAP, DIR1) \ -void ff_hevc_put_hevc_uni_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_uni_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t \ dst_stride, \ uint8_t *src, \ diff --git a/libavcodec/mips/hevc_mc_uniw_msa.c b/libavcodec/mips/hevc_mc_uniw_msa.c index 90796300d4..ce10f413ed 100644 --- a/libavcodec/mips/hevc_mc_uniw_msa.c +++ b/libavcodec/mips/hevc_mc_uniw_msa.c @@ -4687,7 +4687,7 @@ UNIWGT_MC_COPY(64); #undef UNIWGT_MC_COPY #define UNI_W_MC(PEL, DIR, WIDTH, TAP, DIR1, FILT_DIR) \ -void ff_hevc_put_hevc_uni_w_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_uni_w_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t \ dst_stride, \ uint8_t *src, \ @@ -4746,7 +4746,7 @@ UNI_W_MC(epel, v, 32, 4, vt, my); #undef UNI_W_MC #define UNI_W_MC_HV(PEL, DIR, WIDTH, TAP, DIR1) \ -void ff_hevc_put_hevc_uni_w_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_uni_w_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t \ dst_stride, \ uint8_t *src, \ diff --git a/libavcodec/mips/hevcdsp_mips.h b/libavcodec/mips/hevcdsp_mips.h index b7c903e80e..2eb25af73e 100644 --- a/libavcodec/mips/hevcdsp_mips.h +++ b/libavcodec/mips/hevcdsp_mips.h @@ -24,7 +24,7 @@ #include "libavcodec/hevcdsp.h" #define MC(PEL, DIR, WIDTH) \ -void ff_hevc_put_hevc_##PEL##_##DIR####WIDTH##_8_msa(int16_t *dst, \ +void ff_hevc_put_hevc_##PEL##_##DIR##WIDTH##_8_msa(int16_t *dst, \ uint8_t *src, \ ptrdiff_t src_stride, \ int height, \ @@ -102,7 +102,7 @@ MC(epel, hv, 64); #undef MC #define UNI_MC(PEL, DIR, WIDTH) \ -void ff_hevc_put_hevc_uni_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_uni_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t dst_stride, \ uint8_t *src, \ ptrdiff_t src_stride, \ @@ -181,7 +181,7 @@ UNI_MC(epel, hv, 64); #undef UNI_MC #define UNI_W_MC(PEL, DIR, WIDTH) \ -void ff_hevc_put_hevc_uni_w_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_uni_w_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t \ dst_stride, \ uint8_t *src, \ @@ -265,7 +265,7 @@ UNI_W_MC(epel, hv, 64); #undef UNI_W_MC #define BI_MC(PEL, DIR, WIDTH) \ -void ff_hevc_put_hevc_bi_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_bi_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t dst_stride, \ uint8_t *src, \ ptrdiff_t src_stride, \ @@ -345,7 +345,7 @@ BI_MC(epel, hv, 64); #undef BI_MC #define BI_W_MC(PEL, DIR, WIDTH) \ -void ff_hevc_put_hevc_bi_w_##PEL##_##DIR####WIDTH##_8_msa(uint8_t *dst, \ +void ff_hevc_put_hevc_bi_w_##PEL##_##DIR##WIDTH##_8_msa(uint8_t *dst, \ ptrdiff_t \ dst_stride, \ uint8_t *src, \ diff --git a/libavcodec/mips/hevcdsp_msa.c b/libavcodec/mips/hevcdsp_msa.c index ed3acbb8f1..f2bc748e37 100644 --- a/libavcodec/mips/hevcdsp_msa.c +++ b/libavcodec/mips/hevcdsp_msa.c @@ -3792,7 +3792,7 @@ MC_COPY(64); #undef MC_COPY #define MC(PEL, DIR, WIDTH, TAP, DIR1, FILT_DIR) \ -void ff_hevc_put_hevc_##PEL##_##DIR####WIDTH##_8_msa(int16_t *dst, \ +void ff_hevc_put_hevc_##PEL##_##DIR##WIDTH##_8_msa(int16_t *dst, \ uint8_t *src, \ ptrdiff_t src_stride, \ int height, \ @@ -3843,7 +3843,7 @@ MC(epel, v, 32, 4, vt, my); #undef MC #define MC_HV(PEL, DIR, WIDTH, TAP, DIR1) \ -void ff_hevc_put_hevc_##PEL##_##DIR####WIDTH##_8_msa(int16_t *dst, \ +void ff_hevc_put_hevc_##PEL##_##DIR##WIDTH##_8_msa(int16_t *dst, \ uint8_t *src, \ ptrdiff_t src_stride, \ int height, \ From 4afccfdc04f979985b1826846944f77c18d08a8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jul 2015 15:54:38 +0200 Subject: [PATCH 100/380] MAINTAINERS: Remove myself as leader Signed-off-by: Michael Niedermayer (cherry picked from commit f2c58931e629343f7d68258cc2b2d62c5f501ba5) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 - 1 file changed, 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 795e90470b..b70f24fca2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -14,7 +14,6 @@ patches and related discussions. Project Leader ============== -Michael Niedermayer final design decisions From b1863e3d948474cfca995c34209912f3c8a3a753 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Jul 2015 02:10:04 +0200 Subject: [PATCH 101/380] avcodec/ffv1enc: fix assertion failure with unset bits per raw sample Signed-off-by: Michael Niedermayer (cherry picked from commit 749f85496ccff345ec811976ce45ec9e1900e9a8) Fixes ticket #4751. --- libavcodec/ffv1enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 45ab3a39a3..a47a64d391 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -755,6 +755,8 @@ static av_cold int encode_init(AVCodecContext *avctx) s->transparency = desc->nb_components == 4; if (!avctx->bits_per_raw_sample && !s->bits_per_raw_sample) s->bits_per_raw_sample = 8; + else if (!s->bits_per_raw_sample) + s->bits_per_raw_sample = 8; break; case AV_PIX_FMT_RGB32: s->colorspace = 1; From 763c0d25b1f498b35518442d866fd90984b33050 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 20 Sep 2015 23:20:43 -0300 Subject: [PATCH 102/380] doc: mention libavcodec can decode Opus natively Signed-off-by: James Almer (cherry picked from commit fd9ac48dc8aebcbd601af34336234d5102b36e21) --- doc/general.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/general.texi b/doc/general.texi index ba79503d3f..88a8847f1b 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -954,8 +954,8 @@ following image formats are supported: @item Musepack SV8 @tab @tab X @item Nellymoser Asao @tab X @tab X @item On2 AVC (Audio for Video Codec) @tab @tab X -@item Opus @tab E @tab E - @tab supported through external library libopus +@item Opus @tab E @tab X + @tab encoding supported through external library libopus @item PCM A-law @tab X @tab X @item PCM mu-law @tab X @tab X @item PCM signed 8-bit planar @tab X @tab X From 5ac6daf995687a60e0ce5ba393da51065e982714 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Thu, 1 Oct 2015 11:48:45 +0200 Subject: [PATCH 103/380] avformat/srtdec: more lenient first line probing Fixes Ticket #4898 (cherry picked from commit 7218352e0228028dfa009a3799ec93fd041065f1) --- libavformat/srtdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index b35e50fc36..7fee0fc2d1 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -41,9 +41,11 @@ static int srt_probe(AVProbeData *p) ff_text_r8(&tr); /* Check if the first non-empty line is a number. We do not check what the - * number is because in practice it can be anything. */ + * number is because in practice it can be anything. + * Also, that number can be followed by random garbage, so we can not + * unfortunately check that we only have a number. */ if (ff_subtitles_read_line(&tr, buf, sizeof(buf)) < 0 || - strtol(buf, &pbuf, 10) < 0 || *pbuf) + strtol(buf, &pbuf, 10) < 0) return 0; /* Check if the next line matches a SRT timestamp */ From 6b6932471ece1fd951b3ebcb5ac116dad94ef153 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Fri, 9 Oct 2015 10:52:58 +0200 Subject: [PATCH 104/380] avformat/srtdec: make sure we probe a number Fixes regression since 7218352e0228028dfa009a3799ec93fd041065f1: WebVTT files were matching the SRT probing. (cherry picked from commit 40d9d6de90c3652f4c468ab14976c7faf5e40c07) --- libavformat/srtdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index 7fee0fc2d1..3b1373f559 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -45,7 +45,7 @@ static int srt_probe(AVProbeData *p) * Also, that number can be followed by random garbage, so we can not * unfortunately check that we only have a number. */ if (ff_subtitles_read_line(&tr, buf, sizeof(buf)) < 0 || - strtol(buf, &pbuf, 10) < 0) + strtol(buf, &pbuf, 10) < 0 || pbuf == buf) return 0; /* Check if the next line matches a SRT timestamp */ From 114c0f002aa9c8fc501d168ca7b7935a07b7a238 Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 30 Sep 2015 14:53:35 +0200 Subject: [PATCH 105/380] avcodec/mp3: fix skipping zeros Commits 43bc5cf9 and c5371f77 add code for skipping initial zeros in mp3 packets. This code forgot to report to the user that data was skipped at all. Since audio codecs allow partial packet decoding, the user application has to rely on the return value. It will remove the data reported as consumed by the decoder, and feed it to the decoder again. This resulted in the mp3 frame after the zero region to be decoded over and over again, until the zero region was finally skipped by the application. Fix this by including the amount of skipped bytes to the number of consumed bytes returned by the decode call. Fixes trac ticket #4890. (cherry picked from commit cb1da9fb8d71bb611a7b0028914c97afc3f5711d) --- libavcodec/mpegaudiodec_template.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 8c43f41e20..2249292c5c 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -1657,9 +1657,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, uint32_t header; int ret; + int skipped = 0; while(buf_size && !*buf){ buf++; buf_size--; + skipped++; } if (buf_size < HEADER_SIZE) @@ -1714,7 +1716,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, return ret; } s->frame_size = 0; - return buf_size; + return buf_size + skipped; } static void mp_flush(MPADecodeContext *ctx) From 2ef386d0a607b9b728603849597522ddf7455a88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Przemys=C5=82aw=20Sobala?= Date: Tue, 29 Sep 2015 15:25:07 +0200 Subject: [PATCH 106/380] lavf/img2dec: Fix memory leak Fixes #4886 Signed-off-by: Michael Niedermayer (cherry picked from commit 01dd7e025c246d9001f1a30f4a5d8fa2936d1a5e) --- libavformat/img2dec.c | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 0830f0073c..f9ecf6f042 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -444,14 +444,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } res = av_new_packet(pkt, size[0] + size[1] + size[2]); - if (res < 0) - return res; + if (res < 0) { + goto fail; + } pkt->stream_index = 0; pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; - if (stat(filename, &img_stat)) - return AVERROR(EIO); + if (stat(filename, &img_stat)) { + res = AVERROR(EIO); + goto fail; + } pkt->pts = (int64_t)img_stat.st_mtime; #if HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC if (s->ts_from_file == 2) @@ -485,18 +488,29 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) { av_free_packet(pkt); if (ret[0] < 0) { - return ret[0]; + res = ret[0]; } else if (ret[1] < 0) { - return ret[1]; - } else if (ret[2] < 0) - return ret[2]; - return AVERROR_EOF; + res = ret[1]; + } else if (ret[2] < 0) { + res = ret[2]; + } else { + res = AVERROR_EOF; + } + goto fail; } else { s->img_count++; s->img_number++; s->pts++; return 0; } + +fail: + if (!s->is_pipe) { + for (i = 0; i < 3; i++) { + avio_closep(&f[i]); + } + } + return res; } static int img_read_close(struct AVFormatContext* s1) From 0fb4a85603b10776107e411b0bc2d9c8898424c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2015 23:49:30 +0200 Subject: [PATCH 107/380] avcodec/ffv1: seperate slice_count from max_slice_count Fix segfault with too large slice_count Fixes Ticket4879 Signed-off-by: Michael Niedermayer (cherry picked from commit aa6c43f3fdec8a7518534b9dab20c9eb4be11568) Conflicts: libavcodec/ffv1enc.c --- libavcodec/ffv1.c | 14 +++++++------- libavcodec/ffv1.h | 1 + libavcodec/ffv1dec.c | 8 +++++--- libavcodec/ffv1enc.c | 4 +++- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 7a38bf9212..5fd605e436 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -101,7 +101,7 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) av_cold int ffv1_init_slices_state(FFV1Context *f) { int i, ret; - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = f->slice_context[i]; if ((ret = ffv1_init_slice_state(f, fs)) < 0) return AVERROR(ENOMEM); @@ -113,10 +113,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f) { int i; - f->slice_count = f->num_h_slices * f->num_v_slices; - av_assert0(f->slice_count > 0); + f->max_slice_count = f->num_h_slices * f->num_v_slices; + av_assert0(f->max_slice_count > 0); - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { int sx = i % f->num_h_slices; int sy = i / f->num_h_slices; int sxs = f->avctx->width * sx / f->num_h_slices; @@ -210,7 +210,7 @@ av_cold int ffv1_close(AVCodecContext *avctx) ff_thread_release_buffer(avctx, &s->last_picture); av_frame_free(&s->last_picture.f); - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *fs = s->slice_context[j]; for (i = 0; i < s->plane_count; i++) { PlaneContext *p = &fs->plane[i]; @@ -224,14 +224,14 @@ av_cold int ffv1_close(AVCodecContext *avctx) av_freep(&avctx->stats_out); for (j = 0; j < s->quant_table_count; j++) { av_freep(&s->initial_states[j]); - for (i = 0; i < s->slice_count; i++) { + for (i = 0; i < s->max_slice_count; i++) { FFV1Context *sf = s->slice_context[i]; av_freep(&sf->rc_stat2[j]); } av_freep(&s->rc_stat2[j]); } - for (i = 0; i < s->slice_count; i++) + for (i = 0; i < s->max_slice_count; i++) av_freep(&s->slice_context[i]); return 0; diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h index bfc4d71e65..c554fb8b72 100644 --- a/libavcodec/ffv1.h +++ b/libavcodec/ffv1.h @@ -117,6 +117,7 @@ typedef struct FFV1Context { struct FFV1Context *slice_context[MAX_SLICES]; int slice_count; + int max_slice_count; int num_v_slices; int num_h_slices; int slice_width; diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index cc7c605c6b..0302997fa1 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -772,6 +772,7 @@ static int read_header(FFV1Context *f) av_log(f->avctx, AV_LOG_ERROR, "read_quant_table error\n"); return AVERROR_INVALIDDATA; } + f->slice_count = f->max_slice_count; } else if (f->version < 3) { f->slice_count = get_symbol(c, state, 0); } else { @@ -786,8 +787,8 @@ static int read_header(FFV1Context *f) p -= size + trailer; } } - if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0) { - av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid\n", f->slice_count); + if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0 || f->slice_count > f->max_slice_count) { + av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid (max=%d)\n", f->slice_count, f->max_slice_count); return AVERROR_INVALIDDATA; } @@ -1010,6 +1011,7 @@ static int init_thread_copy(AVCodecContext *avctx) f->picture.f = NULL; f->last_picture.f = NULL; f->sample_buffer = NULL; + f->max_slice_count = 0; f->slice_count = 0; for (i = 0; i < f->quant_table_count; i++) { @@ -1085,7 +1087,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) av_assert0(!fdst->sample_buffer); } - av_assert1(fdst->slice_count == fsrc->slice_count); + av_assert1(fdst->max_slice_count == fsrc->max_slice_count); ff_thread_release_buffer(dst, &fdst->picture); diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index a47a64d391..393551c93c 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -976,6 +976,7 @@ slices_ok: if ((ret = ffv1_init_slice_contexts(s)) < 0) return ret; + s->slice_count = s->max_slice_count; if ((ret = ffv1_init_slices_state(s)) < 0) return ret; @@ -985,7 +986,7 @@ slices_ok: if (!avctx->stats_out) return AVERROR(ENOMEM); for (i = 0; i < s->quant_table_count; i++) - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *sf = s->slice_context[j]; av_assert0(!sf->rc_stat2[i]); sf->rc_stat2[i] = av_mallocz(s->context_count[i] * @@ -1209,6 +1210,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, for (i = 0; i < f->quant_table_count; i++) memset(f->rc_stat2[i], 0, f->context_count[i] * sizeof(*f->rc_stat2[i])); + av_assert0(f->slice_count == f->max_slice_count); for (j = 0; j < f->slice_count; j++) { FFV1Context *fs = f->slice_context[j]; for (i = 0; i < 256; i++) { From f7cb979766e8edfa7b16a08dc9855d6a46b16353 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 20 Sep 2015 12:39:14 +0200 Subject: [PATCH 108/380] hevc: fix wpp threading deadlock. Fixes ticket 4258. (cherry picked from commit 74e4948235bc8f8946eeca20525258bbf383f75d) --- libavcodec/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index a56063f8fd..cbcb87dbe5 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2385,6 +2385,8 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int if (more_data < 0) { s->tab_slice_address[ctb_addr_rs] = -1; + avpriv_atomic_int_set(&s1->wpp_err, 1); + ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP); return more_data; } From 98fdd0baf39c81da37e042758104fb9a09d4bd5b Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Sat, 12 Sep 2015 21:50:24 +0200 Subject: [PATCH 109/380] hevc: properly handle no_rasl_output_flag when removing pictures from the DPB Fixes ticket #4185. Reviewed-By: Mickael Raulet Signed-off-by: Hendrik Leppkes (cherry picked from commit 0118158efa8e45761f9f65a3bb74f33907bd2aec) --- libavcodec/hevc.c | 5 +++++ libavcodec/hevc.h | 1 + libavcodec/hevc_refs.c | 2 +- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index cbcb87dbe5..05e7f12da3 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -795,6 +795,8 @@ static int hls_slice_header(HEVCContext *s) s->HEVClc->tu.cu_qp_offset_cb = 0; s->HEVClc->tu.cu_qp_offset_cr = 0; + s->no_rasl_output_flag = IS_IDR(s) || IS_BLA(s) || (s->nal_unit_type == NAL_CRA_NUT && s->last_eos); + return 0; } @@ -3355,6 +3357,7 @@ static int hevc_update_thread_context(AVCodecContext *dst, s->pocTid0 = s0->pocTid0; s->max_ra = s0->max_ra; s->eos = s0->eos; + s->no_rasl_output_flag = s0->no_rasl_output_flag; s->is_nalff = s0->is_nalff; s->nal_length_size = s0->nal_length_size; @@ -3459,6 +3462,7 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx) s->enable_parallel_tiles = 0; s->picture_struct = 0; + s->eos = 1; if(avctx->active_thread_type & FF_THREAD_SLICE) s->threads_number = avctx->thread_count; @@ -3500,6 +3504,7 @@ static void hevc_decode_flush(AVCodecContext *avctx) HEVCContext *s = avctx->priv_data; ff_hevc_flush_dpb(s); s->max_ra = INT_MAX; + s->eos = 1; } #define OFFSET(x) offsetof(HEVCContext, x) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index eecccb7f16..2b47de24f8 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -842,6 +842,7 @@ typedef struct HEVCContext { int bs_height; int is_decoded; + int no_rasl_output_flag; HEVCPredContext hpc; HEVCDSPContext hevcdsp; diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index fea3d125ba..3b55ec7851 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -174,7 +174,7 @@ int ff_hevc_output_frame(HEVCContext *s, AVFrame *out, int flush) int min_poc = INT_MAX; int i, min_idx, ret; - if (s->sh.no_output_of_prior_pics_flag == 1) { + if (s->sh.no_output_of_prior_pics_flag == 1 && s->no_rasl_output_flag == 1) { for (i = 0; i < FF_ARRAY_ELEMS(s->DPB); i++) { HEVCFrame *frame = &s->DPB[i]; if (!(frame->flags & HEVC_FRAME_FLAG_BUMPING) && frame->poc != s->poc && From 6752f8ef04010bb9c14c69ca64a79be5fff6d719 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Sep 2015 04:01:27 +0200 Subject: [PATCH 110/380] avformat/avidec: Workaround broken initial frame Fixes Ticket4851 Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2ef00394b8079e93835d47c993868229f07502) --- libavformat/avidec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 5348b44b74..cb52e4556d 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1577,7 +1577,8 @@ static int avi_read_idx1(AVFormatContext *s, int size) ast = st->priv_data; if (first_packet && first_packet_pos) { - data_offset = first_packet_pos - pos; + if (avi->movi_list + 4 != pos || pos + 500 > first_packet_pos) + data_offset = first_packet_pos - pos; first_packet = 0; } pos += data_offset; From 1ef419447edc95c57bab62e0c5d66e35aadb7c12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Aug 2015 23:40:25 +0200 Subject: [PATCH 111/380] avformat/segment: atomically update list if possible Fixes Ticket4802 Signed-off-by: Michael Niedermayer (cherry picked from commit e2b19a533dbb4cb0fba85261ea835316381bc907) --- libavformat/segment.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index 4418d0f338..7831d8b73b 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -113,6 +113,9 @@ typedef struct SegmentContext { int reference_stream_index; int break_non_keyframes; + int use_rename; + char temp_list_filename[1024]; + SegmentListEntry cur_entry; SegmentListEntry *segment_list_entries; SegmentListEntry *segment_list_entries_end; @@ -258,7 +261,8 @@ static int segment_list_open(AVFormatContext *s) SegmentContext *seg = s->priv_data; int ret; - ret = avio_open2(&seg->list_pb, seg->list, AVIO_FLAG_WRITE, + snprintf(seg->temp_list_filename, sizeof(seg->temp_list_filename), seg->use_rename ? "%s.tmp" : "%s", seg->list); + ret = avio_open2(&seg->list_pb, seg->temp_list_filename, AVIO_FLAG_WRITE, &s->interrupt_callback, NULL); if (ret < 0) { av_log(s, AV_LOG_ERROR, "Failed to open segment list '%s'\n", seg->list); @@ -368,6 +372,8 @@ static int segment_end(AVFormatContext *s, int write_trailer, int is_last) if (seg->list_type == LIST_TYPE_M3U8 && is_last) avio_printf(seg->list_pb, "#EXT-X-ENDLIST\n"); avio_closep(&seg->list_pb); + if (seg->use_rename) + ff_rename(seg->temp_list_filename, seg->list, s); } else { segment_list_print_entry(seg->list_pb, seg->list_type, &seg->cur_entry, s); avio_flush(seg->list_pb); @@ -644,9 +650,13 @@ static int seg_write_header(AVFormatContext *s) else if (av_match_ext(seg->list, "ffcat,ffconcat")) seg->list_type = LIST_TYPE_FFCONCAT; else seg->list_type = LIST_TYPE_FLAT; } - if (!seg->list_size && seg->list_type != LIST_TYPE_M3U8) + if (!seg->list_size && seg->list_type != LIST_TYPE_M3U8) { if ((ret = segment_list_open(s)) < 0) goto fail; + } else { + const char *proto = avio_find_protocol_name(s->filename); + seg->use_rename = proto && !strcmp(proto, "file"); + } } if (seg->list_type == LIST_TYPE_EXT) av_log(s, AV_LOG_WARNING, "'ext' list type option is deprecated in favor of 'csv'\n"); From eee1faef752cac07954d8c94b0607117a15c967f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Aug 2015 04:08:42 +0200 Subject: [PATCH 112/380] avformat/oggenc: Check segments_count for headers too Fixes infinite loop and segfault in ogg_buffer_data() Fixes Ticket4806 Signed-off-by: Michael Niedermayer (cherry picked from commit 81a8701eb52d2b6469ae16ef442ce425388141b7) --- libavformat/oggenc.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/oggenc.c b/libavformat/oggenc.c index 2c0a44e455..4907512989 100644 --- a/libavformat/oggenc.c +++ b/libavformat/oggenc.c @@ -260,7 +260,7 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, if (i == total_segments) page->granule = granule; - if (!header) { + { AVStream *st = s->streams[page->stream_index]; int64_t start = av_rescale_q(page->start_granule, st->time_base, @@ -268,10 +268,13 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, int64_t next = av_rescale_q(page->granule, st->time_base, AV_TIME_BASE_Q); - if (page->segments_count == 255 || - (ogg->pref_size > 0 && page->size >= ogg->pref_size) || - (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + if (page->segments_count == 255) { ogg_buffer_page(s, oggstream); + } else if (!header) { + if ((ogg->pref_size > 0 && page->size >= ogg->pref_size) || + (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + ogg_buffer_page(s, oggstream); + } } } } From 8f00ff5ae03d22d8a73f357a3f1c08f403a40ba2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:49:21 +0200 Subject: [PATCH 113/380] avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check Fixes Ticket4778 Signed-off-by: Michael Niedermayer (cherry picked from commit 2bb54b82b5094fd906aa28c0443be08c95662a31) --- libavcodec/h264_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index ae96ee953d..2187264c2f 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -182,7 +182,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, buf += ctx->length_size; unit_type = *buf & 0x1f; - if (buf + nal_size > buf_end || nal_size < 0) + if (nal_size > buf_end - buf || nal_size < 0) goto fail; if (unit_type == 7) From 6197d35a93bf959527d52efe28f9dd692b0a035f Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Sun, 16 Aug 2015 03:06:04 -0500 Subject: [PATCH 114/380] lavf/matroskadec: Fully parse and repack MP3 packets Fixes https://trac.ffmpeg.org/ticket/4776 Signed-off-by: Michael Niedermayer (cherry picked from commit b4b2717ffe89940999eeca7317190f729b27f472) --- libavformat/matroskadec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index ca43c28c6b..206d798db6 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2053,7 +2053,9 @@ static int matroska_parse_tracks(AVFormatContext *s) st->codec->channels = track->audio.channels; if (!st->codec->bits_per_coded_sample) st->codec->bits_per_coded_sample = track->audio.bitdepth; - if (st->codec->codec_id != AV_CODEC_ID_AAC) + if (st->codec->codec_id == AV_CODEC_ID_MP3) + st->need_parsing = AVSTREAM_PARSE_FULL; + else if (st->codec->codec_id != AV_CODEC_ID_AAC) st->need_parsing = AVSTREAM_PARSE_HEADERS; if (track->codec_delay > 0) { st->codec->delay = av_rescale_q(track->codec_delay, From e69d8fc619d2e640e207c2b412cfc0b6cc6d5230 Mon Sep 17 00:00:00 2001 From: Anssi Hannula Date: Thu, 15 Oct 2015 13:42:38 +0300 Subject: [PATCH 115/380] avformat/hls: fix segment selection regression on track changes of live streams Commit ad701326b43078b90 ("avformat/hls: open playlists immediately when AVDISCARD_ALL is dropped") inadvertently caused first_packet to never be cleared, causing select_cur_seq_no() to not use the specific code for live streams. In practice this means that when the user selects a different audio track during live stream (i.e. non-VOD) playback, there may be some additional delay as the code might select an incorrect segment at first, and we have to wait for video to catch audio (if too late segment was selected) or to download more following audio segments (if too early segment was selected). Fix that by restoring the zeroing of first_packet. (cherry picked from commit fd74d45d5158812675105a3b4aeb29c67b82f7e8) --- libavformat/hls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 3f1d97eb6f..59117f9072 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1535,6 +1535,7 @@ static int hls_read_packet(AVFormatContext *s, AVPacket *pkt) int ret, i, minplaylist = -1; recheck_discard_flags(s, c->first_packet); + c->first_packet = 0; for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; From 1f25a3ddb83d17b579396f37add381fc792fa2ba Mon Sep 17 00:00:00 2001 From: Anssi Hannula Date: Thu, 15 Oct 2015 14:23:00 +0300 Subject: [PATCH 116/380] avformat/hls: add support for EXT-X-MAP Without EXT-X-MAP support we miss the first bytes of some streams. These streams worked by luck before byte-ranged segment support was added in da7759b3579de3e98deb1ac58e642b861280ba54 Fixes ticket #4797. (cherry picked from commit 909907948846dedf57a730a4d115d04d1117f9e5) Conflicts: libavformat/hls.c --- libavformat/hls.c | 192 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 182 insertions(+), 10 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 59117f9072..bd34329cb6 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -73,6 +73,8 @@ struct segment { char *key; enum KeyType key_type; uint8_t iv[16]; + /* associated Media Initialization Section, treated as a segment */ + struct segment *init_section; }; struct rendition; @@ -110,6 +112,13 @@ struct playlist { int64_t cur_seg_offset; int64_t last_load_time; + /* Currently active Media Initialization Section */ + struct segment *cur_init_section; + uint8_t *init_sec_buf; + unsigned int init_sec_buf_size; + unsigned int init_sec_data_len; + unsigned int init_sec_buf_read_offset; + char key_url[MAX_URL_SIZE]; uint8_t key[16]; @@ -135,6 +144,11 @@ struct playlist { * multiple (playlist-less) renditions associated with them. */ int n_renditions; struct rendition **renditions; + + /* Media Initialization Sections (EXT-X-MAP) associated with this + * playlist, if any. */ + int n_init_sections; + struct segment **init_sections; }; /* @@ -204,16 +218,29 @@ static void free_segment_list(struct playlist *pls) pls->n_segments = 0; } +static void free_init_section_list(struct playlist *pls) +{ + int i; + for (i = 0; i < pls->n_init_sections; i++) { + av_freep(&pls->init_sections[i]->url); + av_freep(&pls->init_sections[i]); + } + av_freep(&pls->init_sections); + pls->n_init_sections = 0; +} + static void free_playlist_list(HLSContext *c) { int i; for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; free_segment_list(pls); + free_init_section_list(pls); av_freep(&pls->renditions); av_freep(&pls->id3_buf); av_dict_free(&pls->id3_initial); ff_id3v2_free_extra_meta(&pls->id3_deferred_extra); + av_freep(&pls->init_sec_buf); av_free_packet(&pls->pkt); av_freep(&pls->pb.buffer); if (pls->input) @@ -351,6 +378,60 @@ static void handle_key_args(struct key_info *info, const char *key, } } +struct init_section_info { + char uri[MAX_URL_SIZE]; + char byterange[32]; +}; + +static struct segment *new_init_section(struct playlist *pls, + struct init_section_info *info, + const char *url_base) +{ + struct segment *sec; + char *ptr; + char tmp_str[MAX_URL_SIZE]; + + if (!info->uri[0]) + return NULL; + + sec = av_mallocz(sizeof(*sec)); + if (!sec) + return NULL; + + ff_make_absolute_url(tmp_str, sizeof(tmp_str), url_base, info->uri); + sec->url = av_strdup(tmp_str); + if (!sec->url) { + av_free(sec); + return NULL; + } + + if (info->byterange[0]) { + sec->size = atoi(info->byterange); + ptr = strchr(info->byterange, '@'); + if (ptr) + sec->url_offset = atoi(ptr+1); + } else { + /* the entire file is the init section */ + sec->size = -1; + } + + dynarray_add(&pls->init_sections, &pls->n_init_sections, sec); + + return sec; +} + +static void handle_init_section_args(struct init_section_info *info, const char *key, + int key_len, char **dest, int *dest_len) +{ + if (!strncmp(key, "URI=", key_len)) { + *dest = info->uri; + *dest_len = sizeof(info->uri); + } else if (!strncmp(key, "BYTERANGE=", key_len)) { + *dest = info->byterange; + *dest_len = sizeof(info->byterange); + } +} + struct rendition_info { char type[16]; char uri[MAX_URL_SIZE]; @@ -511,6 +592,7 @@ static int parse_playlist(HLSContext *c, const char *url, uint8_t *new_url = NULL; struct variant_info variant_info; char tmp_str[MAX_URL_SIZE]; + struct segment *cur_init_section = NULL; if (!in) { AVDictionary *opts = NULL; @@ -589,6 +671,14 @@ static int parse_playlist(HLSContext *c, const char *url, pls->type = PLS_TYPE_EVENT; else if (!strcmp(ptr, "VOD")) pls->type = PLS_TYPE_VOD; + } else if (av_strstart(line, "#EXT-X-MAP:", &ptr)) { + struct init_section_info info = {{0}}; + ret = ensure_playlist(c, &pls, url); + if (ret < 0) + goto fail; + ff_parse_key_value(ptr, (ff_parse_key_val_cb) handle_init_section_args, + &info); + cur_init_section = new_init_section(pls, &info, url); } else if (av_strstart(line, "#EXT-X-ENDLIST", &ptr)) { if (pls) pls->finished = 1; @@ -667,6 +757,8 @@ static int parse_playlist(HLSContext *c, const char *url, seg->url_offset = 0; seg_offset = 0; } + + seg->init_section = cur_init_section; } } } @@ -680,17 +772,22 @@ fail: return ret; } +static struct segment *current_segment(struct playlist *pls) +{ + return pls->segments[pls->cur_seq_no - pls->start_seq_no]; +} + enum ReadFromURLMode { READ_NORMAL, READ_COMPLETE, }; /* read from URLContext, limiting read to current segment */ -static int read_from_url(struct playlist *pls, uint8_t *buf, int buf_size, +static int read_from_url(struct playlist *pls, struct segment *seg, + uint8_t *buf, int buf_size, enum ReadFromURLMode mode) { int ret; - struct segment *seg = pls->segments[pls->cur_seq_no - pls->start_seq_no]; /* limit read if the segment was only a part of a file */ if (seg->size >= 0) @@ -813,12 +910,13 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, int bytes; int id3_buf_pos = 0; int fill_buf = 0; + struct segment *seg = current_segment(pls); /* gather all the id3 tags */ while (1) { /* see if we can retrieve enough data for ID3 header */ if (*len < ID3v2_HEADER_SIZE && buf_size >= ID3v2_HEADER_SIZE) { - bytes = read_from_url(pls, buf + *len, ID3v2_HEADER_SIZE - *len, READ_COMPLETE); + bytes = read_from_url(pls, seg, buf + *len, ID3v2_HEADER_SIZE - *len, READ_COMPLETE); if (bytes > 0) { if (bytes == ID3v2_HEADER_SIZE - *len) @@ -839,7 +937,6 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, break; if (ff_id3v2_match(buf, ID3v2_DEFAULT_MAGIC)) { - struct segment *seg = pls->segments[pls->cur_seq_no - pls->start_seq_no]; int64_t maxsize = seg->size >= 0 ? seg->size : 1024*1024; int taglen = ff_id3v2_tag_len(buf); int tag_got_bytes = FFMIN(taglen, *len); @@ -871,7 +968,7 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, if (remaining > 0) { /* read the rest of the tag in */ - if (read_from_url(pls, pls->id3_buf + id3_buf_pos, remaining, READ_COMPLETE) != remaining) + if (read_from_url(pls, seg, pls->id3_buf + id3_buf_pos, remaining, READ_COMPLETE) != remaining) break; id3_buf_pos += remaining; av_log(pls->ctx, AV_LOG_DEBUG, "Stripped additional %d HLS ID3 bytes\n", remaining); @@ -885,7 +982,7 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, /* re-fill buffer for the caller unless EOF */ if (*len >= 0 && (fill_buf || *len == 0)) { - bytes = read_from_url(pls, buf + *len, buf_size - *len, READ_NORMAL); + bytes = read_from_url(pls, seg, buf + *len, buf_size - *len, READ_NORMAL); /* ignore error if we already had some data */ if (bytes >= 0) @@ -913,12 +1010,11 @@ static void update_options(char **dest, const char *name, void *src) av_freep(dest); } -static int open_input(HLSContext *c, struct playlist *pls) +static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) { AVDictionary *opts = NULL; AVDictionary *opts2 = NULL; int ret; - struct segment *seg = pls->segments[pls->cur_seq_no - pls->start_seq_no]; // broker prior HTTP options that should be consistent across requests av_dict_set(&opts, "user-agent", c->user_agent, 0); @@ -1010,6 +1106,66 @@ cleanup: return ret; } +static int update_init_section(struct playlist *pls, struct segment *seg) +{ + static const int max_init_section_size = 1024*1024; + HLSContext *c = pls->parent->priv_data; + int64_t sec_size; + int64_t urlsize; + int ret; + + if (seg->init_section == pls->cur_init_section) + return 0; + + pls->cur_init_section = NULL; + + if (!seg->init_section) + return 0; + + /* this will clobber playlist URLContext stuff, so this should be + * called between segments only */ + ret = open_input(c, pls, seg->init_section); + if (ret < 0) { + av_log(pls->parent, AV_LOG_WARNING, + "Failed to open an initialization section in playlist %d\n", + pls->index); + return ret; + } + + if (seg->init_section->size >= 0) + sec_size = seg->init_section->size; + else if ((urlsize = ffurl_size(pls->input)) >= 0) + sec_size = urlsize; + else + sec_size = max_init_section_size; + + av_log(pls->parent, AV_LOG_DEBUG, + "Downloading an initialization section of size %"PRId64"\n", + sec_size); + + sec_size = FFMIN(sec_size, max_init_section_size); + + av_fast_malloc(&pls->init_sec_buf, &pls->init_sec_buf_size, sec_size); + + ret = read_from_url(pls, seg->init_section, pls->init_sec_buf, + pls->init_sec_buf_size, READ_COMPLETE); + ffurl_close(pls->input); + pls->input = NULL; + + if (ret < 0) + return ret; + + pls->cur_init_section = seg->init_section; + pls->init_sec_data_len = ret; + pls->init_sec_buf_read_offset = 0; + + /* spec says audio elementary streams do not have media initialization + * sections, so there should be no ID3 timestamps */ + pls->is_id3_timestamped = 0; + + return 0; +} + static int64_t default_reload_interval(struct playlist *pls) { return pls->n_segments > 0 ? @@ -1030,6 +1186,7 @@ restart: if (!v->input) { int64_t reload_interval; + struct segment *seg; /* Check that the playlist is still needed before opening a new * segment. */ @@ -1083,7 +1240,14 @@ reload: goto reload; } - ret = open_input(c, v); + seg = current_segment(v); + + /* load/update Media Initialization Section, if any */ + ret = update_init_section(v, seg); + if (ret) + return ret; + + ret = open_input(c, v, seg); if (ret < 0) { av_log(v->parent, AV_LOG_WARNING, "Failed to open segment of playlist %d\n", v->index); @@ -1093,7 +1257,15 @@ reload: just_opened = 1; } - ret = read_from_url(v, buf, buf_size, READ_NORMAL); + if (v->init_sec_buf_read_offset < v->init_sec_data_len) { + /* Push init section out first before first actual segment */ + int copy_size = FFMIN(v->init_sec_data_len - v->init_sec_buf_read_offset, buf_size); + memcpy(buf, v->init_sec_buf, copy_size); + v->init_sec_buf_read_offset += copy_size; + return copy_size; + } + + ret = read_from_url(v, current_segment(v), buf, buf_size, READ_NORMAL); if (ret > 0) { if (just_opened && v->is_id3_timestamped != 0) { /* Intercept ID3 tags here, elementary audio streams are required From 9362282fd17f026331026ef244c98338fd631558 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 20 Oct 2015 12:17:21 +0200 Subject: [PATCH 117/380] avformat/mp3dec: improve junk skipping heuristic Commit 2b3e9bbfb529e6bde238aeb511b55ebe461664c8 caused problems for a certain API user: https://code.google.com/p/chromium/issues/detail?id=537725 https://code.google.com/p/chromium/issues/detail?id=542032 The problem seems rather arbitrary, because if there's junk, anything can happen. In this case, the imperfect junk skipping just caused it to read different junk, from what I can see. We can improve the accuracy of junk detection by a lot by checking if 2 consecutive frames use the same configuration. While in theory it might be completely fine for the 1st frame to have a different format than the 2nd frame, it's exceedingly unlikely, and I can't think of a legitimate use-case. This is approximately the same mpg123 does for junk skipping. The set of compared header bits is the same as the libavcodec mp3 parser uses for similar purposes. (cherry picked from commit de1b1a7da9e6ddf42447271e519099a88b389e4a) Conflicts: libavformat/mp3dec.c --- libavformat/mp3dec.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 07d7f54345..2d803e7b00 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -42,6 +42,9 @@ #define XING_TOC_COUNT 100 +#define SAME_HEADER_MASK \ + (0xffe00000 | (3 << 17) | (3 << 10) | (3 << 19)) + typedef struct { AVClass *class; int64_t filesize; @@ -54,7 +57,7 @@ typedef struct { int is_cbr; } MP3DecContext; -static int check(AVFormatContext *s, int64_t pos); +static int check(AVFormatContext *s, int64_t pos, uint32_t *header); /* mp3 read */ @@ -374,12 +377,21 @@ static int mp3_read_header(AVFormatContext *s) off = avio_tell(s->pb); for (i = 0; i < 64 * 1024; i++) { + uint32_t header, header2; + int frame_size; if (!(i&1023)) ffio_ensure_seekback(s->pb, i + 1024 + 4); - if (check(s, off + i) >= 0) { - av_log(s, AV_LOG_INFO, "Skipping %d bytes of junk at %lld.\n", i, (long long)off); - avio_seek(s->pb, off + i, SEEK_SET); - break; + frame_size = check(s, off + i, &header); + if (frame_size > 0) { + avio_seek(s->pb, off, SEEK_SET); + ffio_ensure_seekback(s->pb, i + 1024 + frame_size + 4); + if (check(s, off + i + frame_size, &header2) >= 0 && + (header & SAME_HEADER_MASK) == (header2 & SAME_HEADER_MASK)) + { + av_log(s, AV_LOG_INFO, "Skipping %d bytes of junk at %"PRId64".\n", i, off); + avio_seek(s->pb, off + i, SEEK_SET); + break; + } } avio_seek(s->pb, off, SEEK_SET); } @@ -425,7 +437,7 @@ static int mp3_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; } -static int check(AVFormatContext *s, int64_t pos) +static int check(AVFormatContext *s, int64_t pos, uint32_t *ret_header) { int64_t ret = avio_seek(s->pb, pos, SEEK_SET); unsigned header; @@ -437,6 +449,9 @@ static int check(AVFormatContext *s, int64_t pos) return -1; if (avpriv_mpegaudio_decode_header(&sd, header) == 1) return -1; + + if (ret_header) + *ret_header = header; return sd.frame_size; } @@ -490,7 +505,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, continue; for(j=0; jpos - pos)*dir <= 0 && abs(MIN_VALID/2-j) < score) { From 131f2c366e4084531f21f5f49c511dce59c2f445 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 23 Oct 2015 11:11:53 -0400 Subject: [PATCH 118/380] videodsp: don't overread edges in vfix3 emu_edge. Fixes trac ticket 3226. Also see Andreas' analysis in https://bugs.debian.org/801745, which was very helpful. (cherry picked from commit 52f84d82bdf1851ecfcc412c1719e5f6f3396209) --- libavcodec/x86/videodsp.asm | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/videodsp.asm b/libavcodec/x86/videodsp.asm index 25d43640ab..48f5ac0ce6 100644 --- a/libavcodec/x86/videodsp.asm +++ b/libavcodec/x86/videodsp.asm @@ -194,8 +194,12 @@ hvar_fn %elif (%2-%%off) == 2 mov valw, [srcq+%2-2] %elifidn %1, body - mov vald, [srcq+%2-3] -%else + mov valb, [srcq+%2-1] + sal vald, 16 + mov valw, [srcq+%2-3] +%elifidn %1, bottom + movd mm %+ %%mmx_idx, [srcq+%2-4] +%else ; top movd mm %+ %%mmx_idx, [srcq+%2-3] %endif %endif ; (%2-%%off) >= 1 @@ -251,12 +255,15 @@ hvar_fn mov [dstq+%2-2], valw %elifidn %1, body mov [dstq+%2-3], valw - shr vald, 16 + sar vald, 16 mov [dstq+%2-1], valb %else movd vald, mm %+ %%mmx_idx +%ifidn %1, bottom + sar vald, 8 +%endif mov [dstq+%2-3], valw - shr vald, 16 + sar vald, 16 mov [dstq+%2-1], valb %endif %endif ; (%2-%%off) >= 1 From 99ab664ff84c07dd014fe4f04b3698e80eae3041 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=91=A8=E6=99=93=E5=8B=87?= Date: Wed, 15 Jul 2015 17:28:31 +0800 Subject: [PATCH 119/380] configure: loongson disable expensive optimizations in gcc O3 optimization With gcc-4.9.2 loongson faild in test fate-dca, this is caused by option -fexpensive-optimizations in -O3 optimization. We disable it temporarily before the bug been fixed up. Signed-off-by: ZhouXiaoyong Signed-off-by: Michael Niedermayer (cherry picked from commit 2c34389551b6ba3d90f8783806c337e387e603cd) Conflicts: configure --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 806e2e9296..cf124b7e92 100755 --- a/configure +++ b/configure @@ -3965,7 +3965,7 @@ elif enabled mips; then enable fast_cmov enable fast_unaligned disable aligned_stack - cpuflags="-march=loongson3a -mhard-float" + cpuflags="-march=loongson3a -mhard-float -fno-expensive-optimizations" ;; generic) disable mips32r5 From 2c8a8a114c57cf800ce62668c4475f8144c5cb6f Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 29 Jul 2015 22:11:18 +0200 Subject: [PATCH 120/380] rawdec: fix mjpeg probing There can be other headers than "Content-Type:" (in this case, a "Content-Length:" header was following), so checking for a trailing newline is wrong. Signed-off-by: Michael Niedermayer (cherry picked from commit bf51fcd304d5594a4d8eed2bedf0ef0f68fa65f8) Signed-off-by: Michael Niedermayer --- libavformat/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index b903e63fb4..caa209faf5 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -188,7 +188,7 @@ static int mjpeg_probe(AVProbeData *p) } if (nb_invalid*4 + 1 < nb_frames) { - static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n\r\n"; + static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n"; int i; for (i=0; ibuf_size - sizeof(ct_jpeg), 100); i++) From 1900d023ae7b40c0a9b0cc65f0b0fc2814857258 Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 29 Jul 2015 22:33:44 +0200 Subject: [PATCH 121/380] rawdec: fix mjpeg probing buffer size check Signed-off-by: Michael Niedermayer (cherry picked from commit 4c6beaed9210f01290e5a5a4e377f93f145172cc) Signed-off-by: Michael Niedermayer --- libavformat/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index caa209faf5..7684e1dd9a 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -191,7 +191,7 @@ static int mjpeg_probe(AVProbeData *p) static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n"; int i; - for (i=0; ibuf_size - sizeof(ct_jpeg), 100); i++) + for (i=0; ibuf_size - (int)sizeof(ct_jpeg), 100); i++) if (!memcmp(p->buf + i, ct_jpeg, sizeof(ct_jpeg) - 1)) return AVPROBE_SCORE_EXTENSION; From 5e71f4aa6ad89dab73fd7cc30395c99ad2f11696 Mon Sep 17 00:00:00 2001 From: Emanuel Czirai Date: Mon, 3 Aug 2015 00:58:46 +0200 Subject: [PATCH 122/380] libavcodec/aacdec_template: Use init_get_bits8() in aac_decode_frame() related to ticket4749 Signed-off-by: Michael Niedermayer (cherry picked from commit 7ab1c57a64b629455805d7fa74a8a20c689fc1f6) Conflicts: libavcodec/aacdec_template.c --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 622cc5c087..b8779c01a6 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -3178,7 +3178,7 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data, if (INT_MAX / 8 <= buf_size) return AVERROR_INVALIDDATA; - if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0) + if ((err = init_get_bits8(&gb, buf, buf_size)) < 0) return err; switch (ac->oc[1].m4ac.object_type) { From 94541f5f76240dad953decc0b3dcdc782052c35b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Aug 2015 03:11:15 +0200 Subject: [PATCH 123/380] avcodec/dcaenc: clear bitstream end This avoids leaving uninitialized bits in the output Signed-off-by: Michael Niedermayer (cherry picked from commit e322b7061f873e8fd33b9e518caa19b87616a528) Signed-off-by: Michael Niedermayer --- libavcodec/dcaenc.c | 4 ++++ tests/fate/acodec.mak | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dcaenc.c b/libavcodec/dcaenc.c index c8a215c200..1ea1481f33 100644 --- a/libavcodec/dcaenc.c +++ b/libavcodec/dcaenc.c @@ -938,6 +938,10 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *avpkt, for (i = 0; i < SUBFRAMES; i++) put_subframe(c, i); + + for (i = put_bits_count(&c->pb); i < 8*c->frame_size; i++) + put_bits(&c->pb, 1, 0); + flush_put_bits(&c->pb); avpkt->pts = frame->pts; diff --git a/tests/fate/acodec.mak b/tests/fate/acodec.mak index d693e9e65d..c1e4c4ea98 100644 --- a/tests/fate/acodec.mak +++ b/tests/fate/acodec.mak @@ -103,7 +103,7 @@ fate-acodec-dca: tests/data/asynth-44100-2.wav fate-acodec-dca: SRC = tests/data/asynth-44100-2.wav fate-acodec-dca: CMD = md5 -i $(TARGET_PATH)/$(SRC) -c:a dca -strict -2 -f dts -flags +bitexact fate-acodec-dca: CMP = oneline -fate-acodec-dca: REF = fe28cef432ed88de4ee01b87537fd2bd +fate-acodec-dca: REF = c54ca9a13711755ef90fa143a9b38386 FATE_ACODEC-$(call ENCDEC, DCA, WAV) += fate-acodec-dca2 fate-acodec-dca2: CMD = enc_dec_pcm dts wav s16le $(SRC) -c:a dca -strict -2 -flags +bitexact From d165ec179e466bb165df7630e7a4b962d76aaa9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2015 14:54:36 +0200 Subject: [PATCH 124/380] avcodec/svq1enc: Check dimensions Fixes assertion failure Signed-off-by: Michael Niedermayer (cherry picked from commit 88fe45e0fe379d7ea86c8ac1e1e8cf2c3f62389f) Signed-off-by: Michael Niedermayer --- libavcodec/svq1enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 56031451de..31e317ae45 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -515,6 +515,11 @@ static av_cold int svq1_encode_init(AVCodecContext *avctx) SVQ1EncContext *const s = avctx->priv_data; int ret; + if (avctx->width >= 4096 || avctx->height >= 4096) { + av_log(avctx, AV_LOG_ERROR, "Dimensions too large, maximum is 4095x4095\n"); + return AVERROR(EINVAL); + } + ff_hpeldsp_init(&s->hdsp, avctx->flags); ff_me_cmp_init(&s->mecc, avctx); ff_mpegvideoencdsp_init(&s->m.mpvencdsp, avctx); From b87fc3526f27ad912a5ab22212febd68afe98e66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2015 15:21:04 +0200 Subject: [PATCH 125/380] avcodec/flashsvenc: Correct max dimension in error message Signed-off-by: Michael Niedermayer (cherry picked from commit b1f59bb6606721ef5eeade4ada541630d51510fe) Signed-off-by: Michael Niedermayer --- libavcodec/flashsvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c index acbc13482a..ce89f6d210 100644 --- a/libavcodec/flashsvenc.c +++ b/libavcodec/flashsvenc.c @@ -111,7 +111,7 @@ static av_cold int flashsv_encode_init(AVCodecContext *avctx) if (avctx->width > 4095 || avctx->height > 4095) { av_log(avctx, AV_LOG_ERROR, - "Input dimensions too large, input must be max 4096x4096 !\n"); + "Input dimensions too large, input must be max 4095x4095 !\n"); return AVERROR_INVALIDDATA; } From 485372e91cc23978cf193cb141169ceb139b22fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Aug 2015 03:35:10 +0200 Subject: [PATCH 126/380] avformat/mux: Update sidedata in ff_write_chained() Fixes Ticket4777 Signed-off-by: Michael Niedermayer (cherry picked from commit db91e0edb63afc682ae709f73e3732a4c832944d) Signed-off-by: Michael Niedermayer --- libavformat/mux.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mux.c b/libavformat/mux.c index f99dbd9c07..11b3d5094d 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -1043,6 +1043,8 @@ int ff_write_chained(AVFormatContext *dst, int dst_stream, AVPacket *pkt, if (interleave) ret = av_interleaved_write_frame(dst, &local_pkt); else ret = av_write_frame(dst, &local_pkt); pkt->buf = local_pkt.buf; + pkt->side_data = local_pkt.side_data; + pkt->side_data_elems = local_pkt.side_data_elems; pkt->destruct = local_pkt.destruct; return ret; } From a8c8a2f3f4aa6489c117f00bc2d15f09db935809 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:02:05 +0200 Subject: [PATCH 127/380] ffmpeg: check avpicture_fill() return value Signed-off-by: Michael Niedermayer (cherry picked from commit 15ff3f3fdfc788c0e4e584badd7ec300abfbd716) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 384b92ca16..81751cdaf7 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1823,7 +1823,11 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { /* store AVPicture in AVPacket, as expected by the output format */ - avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); + int ret = avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, "avpicture_fill failed\n"); + exit_program(1); + } opkt.data = (uint8_t *)&pict; opkt.size = sizeof(AVPicture); opkt.flags |= AV_PKT_FLAG_KEY; From ce17111ed18dda4193114137c104450e266545e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:16:31 +0200 Subject: [PATCH 128/380] ffmpeg: Check for RAWVIDEO and do not relay only on AVFMT_RAWPICTURE The null muxer has AVFMT_RAWPICTURE set but can be fed with non-raw material related to Ticket4778 Signed-off-by: Michael Niedermayer (cherry picked from commit c8890941d63df786bb7a8cab92677416499bb7c3) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 81751cdaf7..c99a014f6e 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1821,7 +1821,9 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p } av_copy_packet_side_data(&opkt, pkt); - if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { + if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && + ost->st->codec->codec_id == AV_CODEC_ID_RAWVIDEO && + (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { /* store AVPicture in AVPacket, as expected by the output format */ int ret = avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); if (ret < 0) { From 483f5bccc129eaec0f9be8af9e85a895be402bc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 03:02:55 +0200 Subject: [PATCH 129/380] ffmpeg: Check av_parser_change() for failure No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit ac0ba6f233698f02ebb75b03242e94333dbe13d4) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index c99a014f6e..ce095ed881 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1807,10 +1807,15 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG2VIDEO && ost->enc_ctx->codec_id != AV_CODEC_ID_VC1 ) { - if (av_parser_change(ost->parser, ost->st->codec, + int ret = av_parser_change(ost->parser, ost->st->codec, &opkt.data, &opkt.size, pkt->data, pkt->size, - pkt->flags & AV_PKT_FLAG_KEY)) { + pkt->flags & AV_PKT_FLAG_KEY); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, "av_parser_change failed\n"); + exit_program(1); + } + if (ret) { opkt.buf = av_buffer_create(opkt.data, opkt.size, av_buffer_default_free, NULL, 0); if (!opkt.buf) exit_program(1); From 43b094fa03f68e6c21cbae081cc7e11d7d4bf88f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 03:04:41 +0200 Subject: [PATCH 130/380] ffmpeg: Use correct codec_id for av_parser_change() check No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit 45f3d4e63e7807ff3d281f269625ed83f11e4cdc) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index ce095ed881..8bf0aa87c0 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1800,12 +1800,11 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p opkt.duration = av_rescale_q(pkt->duration, ist->st->time_base, ost->st->time_base); opkt.flags = pkt->flags; - // FIXME remove the following 2 lines they shall be replaced by the bitstream filters - if ( ost->enc_ctx->codec_id != AV_CODEC_ID_H264 - && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG1VIDEO - && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG2VIDEO - && ost->enc_ctx->codec_id != AV_CODEC_ID_VC1 + if ( ost->st->codec->codec_id != AV_CODEC_ID_H264 + && ost->st->codec->codec_id != AV_CODEC_ID_MPEG1VIDEO + && ost->st->codec->codec_id != AV_CODEC_ID_MPEG2VIDEO + && ost->st->codec->codec_id != AV_CODEC_ID_VC1 ) { int ret = av_parser_change(ost->parser, ost->st->codec, &opkt.data, &opkt.size, From 717c3ebfa46fac9d51dec9e079fdbc9e4652a9ac Mon Sep 17 00:00:00 2001 From: Arthur Grant Date: Mon, 24 Aug 2015 12:19:03 +0200 Subject: [PATCH 131/380] avformat/hevc: Fix parsing errors Signed-off-by: Michael Niedermayer (cherry picked from commit 781efd07415cdf6f676cca5b22147e5d6be0a4c4) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 643b71596a..c3257fffd1 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -565,7 +565,8 @@ static int hvcc_parse_sps(GetBitContext *gb, } if (get_bits1(gb)) { // long_term_ref_pics_present_flag - for (i = 0; i < get_ue_golomb_long(gb); i++) { // num_long_term_ref_pics_sps + unsigned num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + for (i = 0; i < num_long_term_ref_pics_sps; i++) { // num_long_term_ref_pics_sps int len = FFMIN(log2_max_pic_order_cnt_lsb_minus4 + 4, 16); skip_bits (gb, len); // lt_ref_pic_poc_lsb_sps[i] skip_bits1(gb); // used_by_curr_pic_lt_sps_flag[i] @@ -616,11 +617,12 @@ static int hvcc_parse_pps(GetBitContext *gb, get_se_golomb_long(gb); // pps_cr_qp_offset /* + * pps_slice_chroma_qp_offsets_present_flag u(1) * weighted_pred_flag u(1) * weighted_bipred_flag u(1) * transquant_bypass_enabled_flag u(1) */ - skip_bits(gb, 3); + skip_bits(gb, 4); tiles_enabled_flag = get_bits1(gb); entropy_coding_sync_enabled_flag = get_bits1(gb); From 679df05683e6a36e3af4d98a65248debc472ed7d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Aug 2015 13:04:38 +0200 Subject: [PATCH 132/380] avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops Signed-off-by: Michael Niedermayer (cherry picked from commit ee155c18a2c50b339ba5f6f223fbb6dc343fd471) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index c3257fffd1..f0cbab8e67 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -566,6 +566,8 @@ static int hvcc_parse_sps(GetBitContext *gb, if (get_bits1(gb)) { // long_term_ref_pics_present_flag unsigned num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + if (num_long_term_ref_pics_sps > 31U) + return AVERROR_INVALIDDATA; for (i = 0; i < num_long_term_ref_pics_sps; i++) { // num_long_term_ref_pics_sps int len = FFMIN(log2_max_pic_order_cnt_lsb_minus4 + 4, 16); skip_bits (gb, len); // lt_ref_pic_poc_lsb_sps[i] From 42fd94b5144ce2fba483b618aa557c8f6b78beed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Aug 2015 12:44:31 +0200 Subject: [PATCH 133/380] avcodec/libopusenc: Fix infinite loop on flushing after 0 input Signed-off-by: Michael Niedermayer (cherry picked from commit 6701c92fa4269872856c70c3170a9b3291b46247) Signed-off-by: Michael Niedermayer --- libavcodec/libopusenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 785460972d..edb0b38bc4 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -326,7 +326,7 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, } else audio = frame->data[0]; } else { - if (!opus->afq.remaining_samples) + if (!opus->afq.remaining_samples || (!opus->afq.frame_alloc && !opus->afq.frame_count)) return 0; audio = opus->samples; memset(audio, 0, opus->opts.packet_size * sample_size); From ffcd26d25bfdb64097decae60889152012e6a84f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Sep 2015 02:45:10 +0200 Subject: [PATCH 134/380] avcodec/mpeg12dec: Set dimensions in mpeg1_decode_sequence() only in absence of errors Fixes assertion failure Fixes: 56dcafde14a8397161bb61a16c511179/signal_sigabrt_7ffff6ac8cc9_686_cov_1897408623_microsoft_new_way_to_shove_mpeg2_in_asf.dvr_ms Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b54e03c9dc2a05324c08b503bfe7535c49c0f281) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index b0e5ae9adc..00ce2a4496 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2152,8 +2152,6 @@ static int mpeg1_decode_sequence(AVCodecContext *avctx, if (check_marker(&s->gb, "in sequence header") == 0) { return AVERROR_INVALIDDATA; } - s->width = width; - s->height = height; s->avctx->rc_buffer_size = get_bits(&s->gb, 10) * 1024 * 16; skip_bits(&s->gb, 1); @@ -2185,6 +2183,9 @@ static int mpeg1_decode_sequence(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } + s->width = width; + s->height = height; + /* We set MPEG-2 parameters so that it emulates MPEG-1. */ s->progressive_sequence = 1; s->progressive_frame = 1; From 19a29c92db92702bc87b7d06289008fad4fa3100 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Sep 2015 04:57:22 +0200 Subject: [PATCH 135/380] avcodec/truemotion1: Check for even width Fixes out of array access Fixes: 87196d8bbc633629fc9dd851fce73e70/asan_heap-oob_26f6853_862_cov_585961513_sonic3dblast_intro-partial.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 63fb5a6aefb4223334001fd2c0d82a5e22e3b528) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 660ecf5413..b2de889c46 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -402,6 +402,10 @@ static int truemotion1_decode_header(TrueMotion1Context *s) new_pix_fmt = AV_PIX_FMT_RGB555; // RGB565 is supported as well s->w >>= width_shift; + if (s->w & 1) { + avpriv_request_sample(s->avctx, "Frame with odd width"); + return AVERROR_PATCHWELCOME; + } if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { From 13aaefb70e7891d2c7be5371f6e69f479bd21813 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Sep 2015 22:45:07 +0200 Subject: [PATCH 136/380] avformat/mxg: Use memmove() Fixes undefined behavior Fixes: 1700002963a49da13542e0726b7bb758/unknown_unknown_292_658_cov_2141972066_m1.mxg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c7c207aecde0773afc974ce4b7e25dca659bc5b5) Signed-off-by: Michael Niedermayer --- libavformat/mxg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxg.c b/libavformat/mxg.c index 34977b8197..4de0ef92b9 100644 --- a/libavformat/mxg.c +++ b/libavformat/mxg.c @@ -182,7 +182,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (mxg->soi_ptr - mxg->buffer > mxg->cache_size) { if (mxg->cache_size > 0) { - memcpy(mxg->buffer, mxg->buffer_ptr, mxg->cache_size); + memmove(mxg->buffer, mxg->buffer_ptr, mxg->cache_size); } mxg->buffer_ptr = mxg->buffer; From ab91919e57d28eabdb7fadbe5938ee0d33d744e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 02:49:44 +0200 Subject: [PATCH 137/380] avformat/dump: Fix integer overflow in aspect ratio calculation Fixes: unknown_unknown_19e_414_cov_764838672_bellhamlam.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d1bdaf3fb2c45020f72a378bb64eab1bf136581c) Signed-off-by: Michael Niedermayer --- libavformat/dump.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dump.c b/libavformat/dump.c index 6355b99f41..7bb593c013 100644 --- a/libavformat/dump.c +++ b/libavformat/dump.c @@ -420,8 +420,8 @@ static void dump_stream_format(AVFormatContext *ic, int i, av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)) { AVRational display_aspect_ratio; av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den, - st->codec->width * st->sample_aspect_ratio.num, - st->codec->height * st->sample_aspect_ratio.den, + st->codec->width * (int64_t)st->sample_aspect_ratio.num, + st->codec->height * (int64_t)st->sample_aspect_ratio.den, 1024 * 1024); av_log(NULL, AV_LOG_INFO, ", SAR %d:%d DAR %d:%d", st->sample_aspect_ratio.num, st->sample_aspect_ratio.den, From ab3f129011710d308846d072365c4678a84d76bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 02:00:05 +0200 Subject: [PATCH 138/380] avutil/common: Document FFABS() corner case Signed-off-by: Michael Niedermayer (cherry picked from commit 733511fb53fedd3adaaeabc5db9d0b29e71ea1d3) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavutil/common.h b/libavutil/common.h index 3e62b6d5b7..14343d977b 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -58,6 +58,12 @@ : ((a) + (1<<(b)) - 1) >> (b)) #define FFUDIV(a,b) (((a)>0 ?(a):(a)-(b)+1) / (b)) #define FFUMOD(a,b) ((a)-(b)*FFUDIV(a,b)) + +/** + * Absolute value, Note, INT_MIN / INT64_MIN result in undefined behavior as they + * are not representable as absolute values of their type. This is the same + * as with *abs() + */ #define FFABS(a) ((a) >= 0 ? (a) : (-(a))) #define FFSIGN(a) ((a) > 0 ? 1 : -1) From 03ef13889c1965c5b5f5d383815438389695a2a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 02:17:24 +0200 Subject: [PATCH 139/380] avutil/common: Add FFNABS() This macro avoids the undefined corner case with the *_MIN values Previous version Reviewed-by: Ganesh Ajjanagadde Signed-off-by: Michael Niedermayer (cherry picked from commit d6cd614dac579850076ae312c29c4188f8659e46) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavutil/common.h b/libavutil/common.h index 14343d977b..38eae28d2a 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -63,10 +63,19 @@ * Absolute value, Note, INT_MIN / INT64_MIN result in undefined behavior as they * are not representable as absolute values of their type. This is the same * as with *abs() + * @see FFNABS() */ #define FFABS(a) ((a) >= 0 ? (a) : (-(a))) #define FFSIGN(a) ((a) > 0 ? 1 : -1) +/** + * Negative Absolute value. + * this works for all integers of all types. + * As with many macros, this evaluates its argument twice, it thus must not have + * a sideeffect, that is FFNABS(x++) has undefined behavior. + */ +#define FFNABS(a) ((a) <= 0 ? (a) : (-(a))) + #define FFMAX(a,b) ((a) > (b) ? (a) : (b)) #define FFMAX3(a,b,c) FFMAX(FFMAX(a,b),c) #define FFMIN(a,b) ((a) > (b) ? (b) : (a)) From 1e6f641052aad75cbf4b7c2d7207625359a16292 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 09:20:23 +0200 Subject: [PATCH 140/380] avformat/mov: Fix integer overflow in FFABS Fixes: unknown_unknown_19e_414_cov_764838672_bellhamlam.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index b42537f562..20a574912d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2354,7 +2354,7 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_TRACE, "count=%d, duration=%d\n", count, duration); - if (FFABS(duration) > (1<<28) && i+2fc, AV_LOG_WARNING, "CTTS invalid\n"); av_freep(&sc->ctts_data); sc->ctts_count = 0; From 95db0aa276feca1e818c59f9905927a5932e881c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 09:22:31 +0200 Subject: [PATCH 141/380] swresample/swresample: Fix integer overflow in seed calculation Fixes CID1322333 Signed-off-by: Michael Niedermayer (cherry picked from commit 32f53958b8f6ed4c3c2a7447c1e47d012796fae2) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 693a403f90..400b529785 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -643,7 +643,7 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co return ret; if(ret) for(ch=0; chdither.noise.ch_count; ch++) - if((ret=swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, 12345678913579<dither.noise.fmt))<0) + if((ret=swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, (12345678913579ULL*ch + 3141592) % 2718281828U, s->dither.noise.fmt))<0) return ret; av_assert0(s->dither.noise.ch_count == preout->ch_count); From dceec28eac8a8a8190c98d8ba73ed3e6989cf762 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 01:13:05 +0200 Subject: [PATCH 142/380] avcodec/vp3: Check init_get_bits8() for failure Fixes CID1322316 Signed-off-by: Michael Niedermayer (cherry picked from commit cbd3cd8eb2de2280d83da5ee875c35581b46a3a3) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 005f043b0f..2c8a8fec91 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2473,6 +2473,7 @@ static av_cold int theora_decode_init(AVCodecContext *avctx) const uint8_t *header_start[3]; int header_len[3]; int i; + int ret; avctx->pix_fmt = AV_PIX_FMT_YUV420P; @@ -2492,7 +2493,9 @@ static av_cold int theora_decode_init(AVCodecContext *avctx) for (i = 0; i < 3; i++) { if (header_len[i] <= 0) continue; - init_get_bits8(&gb, header_start[i], header_len[i]); + ret = init_get_bits8(&gb, header_start[i], header_len[i]); + if (ret < 0) + return ret; ptype = get_bits(&gb, 8); From 1e7ff902f2f57b62e9db4fa0e5f24780d3140fa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 01:18:13 +0200 Subject: [PATCH 143/380] avcodec/tta: Check init_get_bits8() for failure Fixes: CID1322319 Signed-off-by: Michael Niedermayer (cherry picked from commit f1593e4ca564cdb7f3194a9eee1dea16df41142d) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 01584d957e..81f5dddf69 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -123,6 +123,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) TTAContext *s = avctx->priv_data; GetBitContext gb; int total_frames; + int ret; s->avctx = avctx; @@ -131,7 +132,10 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) return AVERROR_INVALIDDATA; s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); - init_get_bits8(&gb, avctx->extradata, avctx->extradata_size); + ret = init_get_bits8(&gb, avctx->extradata, avctx->extradata_size); + if (ret < 0) + return ret; + if (show_bits_long(&gb, 32) == AV_RL32("TTA1")) { /* signature */ skip_bits_long(&gb, 32); From 50e4d38ce4739dbde9551c56ae18541349e67532 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 01:18:13 +0200 Subject: [PATCH 144/380] avcodec/svq1dec: Check init_get_bits8() for failure Fixes: CID1322313 Signed-off-by: Michael Niedermayer (cherry picked from commit a51d4246d8ac96acee735e7e5dedb9d9ef27a594) Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 21d4acf87d..fc782eb900 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -618,9 +618,12 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, uint8_t *current; int result, i, x, y, width, height; svq1_pmv *pmv; + int ret; /* initialize bit buffer */ - init_get_bits8(&s->gb, buf, buf_size); + ret = init_get_bits8(&s->gb, buf, buf_size); + if (ret < 0) + return ret; /* decode frame header */ s->frame_code = get_bits(&s->gb, 22); From 746a65640f7149b56afd586412a8ae74980fd553 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 12:10:02 +0200 Subject: [PATCH 145/380] avcodec/g2meet: Fix potential overflow in tile dimensions check Fixes CID1322351 Signed-off-by: Michael Niedermayer (cherry picked from commit 71ec8e1ed6cf4947e204e3e4b5929a44c054f5fb) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 6482483444..cd0d80d894 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -746,7 +746,7 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, c->tile_height = bytestream2_get_be32(&bc); if (c->tile_width <= 0 || c->tile_height <= 0 || ((c->tile_width | c->tile_height) & 0xF) || - c->tile_width * 4LL * c->tile_height >= INT_MAX + c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 ) { av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions %dx%d\n", From 484eb2b0e3b2911be7d242d0eacc8a9e5c7e8613 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 12:11:46 +0200 Subject: [PATCH 146/380] avcodec/g2meet: Also clear tile dimensions on header_fail Signed-off-by: Michael Niedermayer (cherry picked from commit fb0466699575724923aeddc4490302180dfdf4af) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index cd0d80d894..5a37fea59b 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -877,6 +877,8 @@ header_fail: c->height = 0; c->tiles_x = c->tiles_y = 0; + c->tile_width = + c->tile_height = 0; return ret; } From a30a30b59af10c5de7dd65dd83bba9360349cb84 Mon Sep 17 00:00:00 2001 From: Ganesh Ajjanagadde Date: Sat, 5 Sep 2015 20:42:02 -0700 Subject: [PATCH 147/380] avfilter/af_asyncts: use llabs for int64_t long may not be 64 bit on all platforms; so labs on int64_t is unsafe. This fixes a warning reported in: http://fate.ffmpeg.org/log.cgi?time=20150905071512&log=compile&slot=i386-darwin-clang-polly-3.7 Signed-off-by: Ganesh Ajjanagadde Signed-off-by: Michael Niedermayer (cherry picked from commit d74123d03eb1047b844bc39fbde26f199c72cbcb) Signed-off-by: Michael Niedermayer --- libavfilter/af_asyncts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_asyncts.c b/libavfilter/af_asyncts.c index 5f8e1f61cc..4be093b194 100644 --- a/libavfilter/af_asyncts.c +++ b/libavfilter/af_asyncts.c @@ -205,7 +205,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *buf) delta = pts - s->pts - get_delay(s); out_size = avresample_available(s->avr); - if (labs(delta) > s->min_delta || + if (llabs(delta) > s->min_delta || (s->first_frame && delta && s->first_pts != AV_NOPTS_VALUE)) { av_log(ctx, AV_LOG_VERBOSE, "Discontinuity - %"PRId64" samples.\n", delta); out_size = av_clipl_int32((int64_t)out_size + delta); From 04ad22d77aa59c59eb7458ec22532e70d6be3d98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Sep 2015 13:28:51 +0200 Subject: [PATCH 148/380] avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG Signed-off-by: Michael Niedermayer (cherry picked from commit 055e56e9f76da3298f1b59bf5ea46f570e844600) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 2c18a4964a..7a69d9496d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -990,7 +990,14 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p skip_bits(&s->gb, 16); /* skip RSTn */ } } - if (s->nb_components == 4) { + if (s->rct && s->nb_components == 4) { + for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + ptr[4*mb_x + 2] = buffer[mb_x][0] - ((buffer[mb_x][1] + buffer[mb_x][2] - 0x200) >> 2); + ptr[4*mb_x + 1] = buffer[mb_x][1] + ptr[4*mb_x + 2]; + ptr[4*mb_x + 3] = buffer[mb_x][2] + ptr[4*mb_x + 2]; + ptr[4*mb_x + 0] = buffer[mb_x][3]; + } + } else if (s->nb_components == 4) { for(i=0; icomp_index[i]; if (s->bits <= 8) { From d1de4923305b326990ace91f3a56c2916cda1037 Mon Sep 17 00:00:00 2001 From: Simon Thelen Date: Fri, 11 Sep 2015 21:49:07 +0200 Subject: [PATCH 149/380] lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream. Not requiring this can end up producing hilariously broken files together with -c:s copy (e.g. a webvtt file containing binary subtitle data). Signed-off-by: Simon Thelen Signed-off-by: Michael Niedermayer (cherry picked from commit b84232694ef0c6897e82b52326c9ea4027c69ec4) Signed-off-by: Michael Niedermayer --- libavformat/webvttenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/webvttenc.c b/libavformat/webvttenc.c index b93993d55c..c386538718 100644 --- a/libavformat/webvttenc.c +++ b/libavformat/webvttenc.c @@ -46,8 +46,14 @@ static void webvtt_write_time(AVIOContext *pb, int64_t millisec) static int webvtt_write_header(AVFormatContext *ctx) { AVStream *s = ctx->streams[0]; + AVCodecContext *avctx = ctx->streams[0]->codec; AVIOContext *pb = ctx->pb; + if (ctx->nb_streams != 1 || avctx->codec_id != AV_CODEC_ID_WEBVTT) { + av_log(ctx, AV_LOG_ERROR, "Exactly one WebVTT stream is needed.\n"); + return AVERROR(EINVAL); + } + avpriv_set_pts_info(s, 64, 1, 1000); avio_printf(pb, "WEBVTT\n"); From abd20c20576324c50336dedb9a21856036dc11d0 Mon Sep 17 00:00:00 2001 From: Ganesh Ajjanagadde Date: Thu, 17 Sep 2015 08:11:39 -0400 Subject: [PATCH 150/380] avutil/log: fix zero length gnu_printf format string warning This should fix warning reported by fate client: http://fate.ffmpeg.org/report.cgi?time=20150917113121&slot=x86_32-linux-gnu-gcc-4.5.1-have_6regs. Untested. Signed-off-by: Ganesh Ajjanagadde Signed-off-by: Michael Niedermayer (cherry picked from commit 63cdb6e4a59e296e27a78ac08f15500b42cd27fc) Signed-off-by: Michael Niedermayer --- libavutil/log.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/log.c b/libavutil/log.c index b2bc65cd8b..45835195e1 100644 --- a/libavutil/log.c +++ b/libavutil/log.c @@ -343,7 +343,7 @@ void av_log_default_callback(void* ptr, int level, const char* fmt, va_list vl) #if CONFIG_VALGRIND_BACKTRACE if (level <= BACKTRACE_LOGLEVEL) - VALGRIND_PRINTF_BACKTRACE(""); + VALGRIND_PRINTF_BACKTRACE("%s", ""); #endif end: av_bprint_finalize(part+3, NULL); From 50f62fef19f159ad2729f530b12901b6f4cba3a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Sep 2015 14:26:14 +0200 Subject: [PATCH 151/380] avcodec/rangecoder: Check e Fixes hang.nut Found-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b2955b6c5aed11026ec5c7164462899a10cdb937) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- libavcodec/snow.h | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 0302997fa1..85de676300 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -47,8 +47,11 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state, else { int i, e, a; e = 0; - while (get_rac(c, state + 1 + FFMIN(e, 9))) // 1..10 + while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; + } a = 1; for (i = e - 1; i >= 0; i--) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 447859f488..9da44fb65d 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -563,6 +563,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){ e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; } a= 1; From 54661cf0b2c9b0218e419b7cc3fd095a59762cda Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2015 13:09:59 +0200 Subject: [PATCH 152/380] avcodec/ffv1dec: Explicitly check read_quant_table() return value Forwards the error code, avoids potential integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 10bbf6cf622f8a954c6cc694ca07c24f989c99af) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 85de676300..d828aaf3ef 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -502,7 +502,10 @@ static int read_quant_tables(RangeCoder *c, int context_count = 1; for (i = 0; i < 5; i++) { - context_count *= read_quant_table(c, quant_table[i], context_count); + int ret = read_quant_table(c, quant_table[i], context_count); + if (ret < 0) + return ret; + context_count *= ret; if (context_count > 32768U) { return AVERROR_INVALIDDATA; } From f10ba15d7371203e16cee3fb9e46bae9febcb6da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2015 13:20:59 +0200 Subject: [PATCH 153/380] avcodec/ffv1dec: Fix off by 1 error in quant_table_count check Fixes: invalid_read.nut Found-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2d221d9e069e6269cb41f3678f2734800171d87b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index d828aaf3ef..7dcce95caa 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -305,7 +305,7 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0); - if (idx > (unsigned)f->quant_table_count) { + if (idx >= (unsigned)f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n"); return -1; } From f43dac169efde3e6499cb85ccd87bb4a6c44c3c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Sep 2015 13:08:48 +0200 Subject: [PATCH 154/380] avcodec/x86/sbrdsp: Fix using uninitialized upper 32bit of noise Fixes crash Fixes: flicker-1.scout3d21443372922.28.m4a Found-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 1b82b934a166e60f64e966eaa97512ba9dcb615b) Signed-off-by: Michael Niedermayer --- libavcodec/x86/sbrdsp.asm | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/x86/sbrdsp.asm b/libavcodec/x86/sbrdsp.asm index 083461a107..498c136abd 100644 --- a/libavcodec/x86/sbrdsp.asm +++ b/libavcodec/x86/sbrdsp.asm @@ -382,6 +382,7 @@ apply_noise_main: %else %define count m_maxq %endif + movsxdifnidn noiseq, noised dec noiseq shl count, 2 %ifdef PIC From 6d3f047a8592d223cd7caa21264899c21a619807 Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Thu, 1 Oct 2015 13:56:31 +0300 Subject: [PATCH 155/380] avformat/httpauth: Add space after commas in HTTP/RTSP auth header This fixes access to Grandstream cameras, which return 401 to ffmpeg otherwise. VLC sends Authorization: header with spaces between parameters, and it is known to work with Grandstream devices and broad range of other HTTP and RTSP servers, so author considers switching to such behaviour safe. Just for record - RFC 2617 (HTTP Auth) does not specify the need in spaces, so this is not a bug of FFmpeg. Signed-off-by: Michael Niedermayer (cherry picked from commit fdb32838723effb4560a345013387ea37b85ff20) Signed-off-by: Michael Niedermayer --- libavformat/httpauth.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c index dbe3eff48f..18cf36bcfe 100644 --- a/libavformat/httpauth.c +++ b/libavformat/httpauth.c @@ -220,21 +220,21 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username, /* TODO: Escape the quoted strings properly. */ av_strlcatf(authstr, len, "username=\"%s\"", username); - av_strlcatf(authstr, len, ",realm=\"%s\"", state->realm); - av_strlcatf(authstr, len, ",nonce=\"%s\"", digest->nonce); - av_strlcatf(authstr, len, ",uri=\"%s\"", uri); - av_strlcatf(authstr, len, ",response=\"%s\"", response); + av_strlcatf(authstr, len, ", realm=\"%s\"", state->realm); + av_strlcatf(authstr, len, ", nonce=\"%s\"", digest->nonce); + av_strlcatf(authstr, len, ", uri=\"%s\"", uri); + av_strlcatf(authstr, len, ", response=\"%s\"", response); // we are violating the RFC and use "" because all others seem to do that too. if (digest->algorithm[0]) - av_strlcatf(authstr, len, ",algorithm=\"%s\"", digest->algorithm); + av_strlcatf(authstr, len, ", algorithm=\"%s\"", digest->algorithm); if (digest->opaque[0]) - av_strlcatf(authstr, len, ",opaque=\"%s\"", digest->opaque); + av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque); if (digest->qop[0]) { - av_strlcatf(authstr, len, ",qop=\"%s\"", digest->qop); - av_strlcatf(authstr, len, ",cnonce=\"%s\"", cnonce); - av_strlcatf(authstr, len, ",nc=%s", nc); + av_strlcatf(authstr, len, ", qop=\"%s\"", digest->qop); + av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce); + av_strlcatf(authstr, len, ", nc=%s", nc); } av_strlcatf(authstr, len, "\r\n"); From f7ef26538761df0fd93d52f76cf85a268a90e7fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2015 20:15:48 +0200 Subject: [PATCH 156/380] avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons Fixes Ticket4931 Signed-off-by: Michael Niedermayer (cherry picked from commit 4c2d4e8700cd3db59bc11ab196c0002215cf601f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 7dcce95caa..b24be3192b 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -408,6 +408,7 @@ static int decode_slice(AVCodecContext *c, void *arg) if (ffv1_init_slice_state(f, fs) < 0) return AVERROR(ENOMEM); if (decode_slice_header(f, fs) < 0) { + fs->slice_x = fs->slice_y = fs->slice_height = fs->slice_width = 0; fs->slice_damaged = 1; return AVERROR_INVALIDDATA; } From 06c87da4104d642eecd615ae1acd35342d519e4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2015 22:25:20 +0200 Subject: [PATCH 157/380] avcodec/ffv1dec: update progress in case of broken pointer chains Fixes deadlock Fixes Ticket4932 Signed-off-by: Michael Niedermayer (cherry picked from commit 5063a18f5635008b2a45ada1f8c1e21e20450029) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index b24be3192b..dd1f7fd1d2 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -937,6 +937,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac else v = buf_p - c->bytestream_start; if (buf_p - c->bytestream_start < v) { av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n"); + ff_thread_report_progress(&f->picture, INT_MAX, 0); return AVERROR_INVALIDDATA; } buf_p -= v; From c6cb24ffbf53896a3421f044a125bd26cdf1d4ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2015 02:13:42 +0200 Subject: [PATCH 158/380] avcodec/ffv1: Initialize vlc_state on allocation This ensures that they are always set to valid values Fixes Ticket4939 Signed-off-by: Michael Niedermayer (cherry picked from commit a878dfa4f57d068eb69fb6614f7a4a20f769ee7b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 5fd605e436..0e9e9043c1 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -66,7 +66,7 @@ av_cold int ffv1_common_init(AVCodecContext *avctx) av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) { - int j; + int j, i; fs->plane_count = f->plane_count; fs->transparency = f->transparency; @@ -80,10 +80,15 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) if (!p->state) return AVERROR(ENOMEM); } else { - if (!p->vlc_state) - p->vlc_state = av_malloc_array(p->context_count, sizeof(VlcState)); - if (!p->vlc_state) - return AVERROR(ENOMEM); + if (!p->vlc_state) { + p->vlc_state = av_mallocz_array(p->context_count, sizeof(VlcState)); + if (!p->vlc_state) + return AVERROR(ENOMEM); + for (i = 0; i < p->context_count; i++) { + p->vlc_state[i].error_sum = 4; + p->vlc_state[i].count = 1; + } + } } } From c3ce508135402282972449cf36f201c75f94fa48 Mon Sep 17 00:00:00 2001 From: Kieran Kunhya Date: Mon, 26 Oct 2015 23:09:44 +0000 Subject: [PATCH 159/380] opusdec: Don't run vector_fmul_scalar on zero length arrays Fixes crashes on fuzzed files Fixes Ticket4969 part2 Signed-off-by: Michael Niedermayer (cherry picked from commit b3e5f15b95f04a35821f63f6fd89ddd60f666a59) Signed-off-by: Michael Niedermayer --- libavcodec/opusdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index 2ee3f2ad36..3f383aeec2 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -538,7 +538,7 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, memset(frame->extended_data[i], 0, frame->linesize[0]); } - if (c->gain_i) { + if (c->gain_i && decoded_samples > 0) { c->fdsp->vector_fmul_scalar((float*)frame->extended_data[i], (float*)frame->extended_data[i], c->gain, FFALIGN(decoded_samples, 8)); From ab6f4bc06433c57ca9b789a5853524b67301b548 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2015 21:36:00 +0100 Subject: [PATCH 160/380] avcodec/h264_slice: Disable slice threads if there are multiple access units in a packet Fixes null pointer dereference Fixes part of Ticket4977 Signed-off-by: Michael Niedermayer (cherry picked from commit 9368d2da3d33cac845f2fdf663df500b53625c5e) Conflicts: libavcodec/h264_slice.c --- libavcodec/h264_slice.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 968e3ecb83..10f4d77380 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1159,6 +1159,15 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) if (first_mb_in_slice == 0) { // FIXME better field boundary detection if (h->current_slice) { + if (h->max_contexts > 1) { + if (!h->single_decode_warning) { + av_log(h->avctx, AV_LOG_WARNING, "Cannot decode multiple access units as slice threads\n"); + h->single_decode_warning = 1; + } + h->max_contexts = 1; + return SLICE_SINGLETHREAD; + } + if (h->cur_pic_ptr && FIELD_PICTURE(h) && h->first_field) { ff_h264_field_end(h, h->slice_ctx, 1); h->current_slice = 0; From 5ae4842122ca5b70f5499d233ff99143ac3369e4 Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Thu, 29 Oct 2015 09:11:37 +0100 Subject: [PATCH 161/380] avutil/file_open: avoid file handle inheritance on Windows Avoids inheritance of file handles on Windows systems similar to the O_CLOEXEC/FD_CLOEXEC flag on Linux. Fixes file lock issues in Windows applications when a child process is started with handle inheritance enabled (standard input/output redirection) while a FFmpeg transcoding is running in the parent process. Links relevant to the subject: https://msdn.microsoft.com/en-us/library/w7sa2b22.aspx Describes the _wsopen() function and the O_NOINHERIT flag. File handles opened by _wsopen() are inheritable by default. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx Describes handle inheritance when creating new processes. Handle inheritance must be enabled (bInheritHandles = TRUE) e.g. when you want to pass handles for stdin/stdout via lpStartupInfo. Signed-off-by: Tobias Rapp Signed-off-by: Michael Niedermayer (cherry picked from commit 474665346616e446ecd1407002fdf5f88201bf72) Signed-off-by: Michael Niedermayer --- libavutil/file_open.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavutil/file_open.c b/libavutil/file_open.c index 3f9a67c3fc..9e76127919 100644 --- a/libavutil/file_open.c +++ b/libavutil/file_open.c @@ -77,6 +77,9 @@ int avpriv_open(const char *filename, int flags, ...) #ifdef O_CLOEXEC flags |= O_CLOEXEC; #endif +#ifdef O_NOINHERIT + flags |= O_NOINHERIT; +#endif fd = open(filename, flags, mode); #if HAVE_FCNTL From edf06a056253267bb1f2fba3bbc17f4b323f92b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2015 18:08:52 +0100 Subject: [PATCH 162/380] avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg Fixes out of array access Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d24888ef19ba38b787b11d1ee091a3d94920c76a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 7a69d9496d..c0b7ef9e6d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1088,7 +1088,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, dc = mjpeg_decode_dc(s, s->dc_index[i]); if(dc == 0xFFFFF) return -1; - if(bits<=8){ + if ( h * mb_x + x >= s->width + || v * mb_y + y >= s->height) { + // Nothing to do + } else if (bits<=8) { ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap if(y==0 && toprow){ if(x==0 && leftcol){ @@ -1156,7 +1159,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, dc = mjpeg_decode_dc(s, s->dc_index[i]); if(dc == 0xFFFFF) return -1; - if(bits<=8){ + if ( h * mb_x + x >= s->width + || v * mb_y + y >= s->height) { + // Nothing to do + } else if (bits<=8) { ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap From 32808460cc5d92aacc10ab9150276c752609137b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2015 21:27:04 +0100 Subject: [PATCH 163/380] avcodec/mjpegdec: Reinitialize IDCT on BPP changes Fixes misaligned access Fixes: dc9262a469f6f315f74c087a7b3a7f35/signal_sigsegv_2e95bcd_9_9c0f9f4a9ba82aa9b3ab2b91ce4d5277.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cc35f6f4768ffe57cc4fcfa56ecb89aee409e3d5) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index c0b7ef9e6d..30fc99a045 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -98,6 +98,15 @@ static void parse_avid(MJpegDecodeContext *s, uint8_t *buf, int len) av_log(s->avctx, AV_LOG_INFO, "AVID: len:%d %d\n", len, len > 14 ? buf[12] : -1); } +static void init_idct(AVCodecContext *avctx) +{ + MJpegDecodeContext *s = avctx->priv_data; + + ff_idctdsp_init(&s->idsp, avctx); + ff_init_scantable(s->idsp.idct_permutation, &s->scantable, + ff_zigzag_direct); +} + av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx) { MJpegDecodeContext *s = avctx->priv_data; @@ -112,9 +121,7 @@ av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx) s->avctx = avctx; ff_blockdsp_init(&s->bdsp, avctx); ff_hpeldsp_init(&s->hdsp, avctx->flags); - ff_idctdsp_init(&s->idsp, avctx); - ff_init_scantable(s->idsp.idct_permutation, &s->scantable, - ff_zigzag_direct); + init_idct(avctx); s->buffer_size = 0; s->buffer = NULL; s->start_code = -1; @@ -267,7 +274,6 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->avctx->bits_per_raw_sample = bits = get_bits(&s->gb, 8); if (bits > 16 || bits < 1) { @@ -275,6 +281,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) return AVERROR_INVALIDDATA; } + if (s->avctx->bits_per_raw_sample != bits) { + av_log(s->avctx, AV_LOG_INFO, "Changeing bps to %d\n", bits); + s->avctx->bits_per_raw_sample = bits; + init_idct(s->avctx); + } if (s->pegasus_rct) bits = 9; if (bits == 9 && !s->pegasus_rct) From e98f3ba2212485aa0eb4399803eb1cda57010bfc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 00:36:59 +0100 Subject: [PATCH 164/380] avcodec/ffv1dec: Check for 0 quant tables Fixes assertion failure Fixes: 07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index dd1f7fd1d2..27a92d9c2e 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -568,7 +568,7 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) return AVERROR_INVALIDDATA; for (i = 0; i < f->quant_table_count; i++) { From 6acf5ff1d3c5bb3cfcaa1847f8c26e3e3aead1bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 19:24:33 +0100 Subject: [PATCH 165/380] libavutil/channel_layout: Check strtol*() for failure Fixes assertion failure Fixes: 4f5814bb15d2dda6fc18ef9791b13816/signal_sigabrt_7ffff6ae7cc9_65_7209d160d168b76f311be6cd64a548eb.wv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c9bfd6a8c35a2102e730aca12f6e09d1627f76b3) Conflicts: libavutil/channel_layout.c --- libavutil/channel_layout.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c index cd5cf426d4..45249c4367 100644 --- a/libavutil/channel_layout.c +++ b/libavutil/channel_layout.c @@ -125,6 +125,8 @@ static uint64_t get_channel_layout_single(const char *name, int name_len) strlen(channel_names[i].name) == name_len && !memcmp(channel_names[i].name, name, name_len)) return (int64_t)1 << i; + + errno = 0; i = strtol(name, &end, 10); #if FF_API_GET_CHANNEL_LAYOUT_COMPAT @@ -143,14 +145,15 @@ static uint64_t get_channel_layout_single(const char *name, int name_len) } } else { #endif - if ((end + 1 - name == name_len && *end == 'c')) + if (!errno && (end + 1 - name == name_len && *end == 'c')) return av_get_default_channel_layout(i); #if FF_API_GET_CHANNEL_LAYOUT_COMPAT } #endif + errno = 0; layout = strtoll(name, &end, 0); - if (end - name == name_len) + if (!errno && end - name == name_len) return FFMAX(layout, 0); return 0; } From b0b1b208f5c7cd783b58cd1527f65b20ff550ffe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 00:56:04 +0100 Subject: [PATCH 166/380] avcodec/mpeg12dec: Do not call show_bits() with invalid bits Fixes assertion failure Fixes: 63e50545709a6440d3d59f6426d58db9/signal_sigabrt_7ffff6ae7cc9_8189_3272a3010fd98ddf947c662bbde1ac13.ts Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 973c3dba27d0b1a88c70f6661b6a90d2f2e50665) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 00ce2a4496..fdb93e3cdc 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1928,7 +1928,7 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y, (left && show_bits(&s->gb, FFMIN(left, 23)) && !is_d10) || ((avctx->err_recognition & (AV_EF_BITSTREAM | AV_EF_AGGRESSIVE)) && left > 8)) { av_log(avctx, AV_LOG_ERROR, "end mismatch left=%d %0X\n", - left, show_bits(&s->gb, FFMIN(left, 23))); + left, left>0 ? show_bits(&s->gb, FFMIN(left, 23)) : 0); return AVERROR_INVALIDDATA; } else goto eos; From 6ad10cbec954ab00dfa88046e4d309f32773f3e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 02:11:01 +0100 Subject: [PATCH 167/380] avformat/xmv: factor return check out of if/else Signed-off-by: Michael Niedermayer (cherry picked from commit 9b6fac11da470274d4b93d46ef66527aa1824179) Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 45c24642cc..06c070ca43 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -549,16 +549,14 @@ static int xmv_read_packet(AVFormatContext *s, /* Fetch a video frame */ result = xmv_fetch_video_packet(s, pkt); - if (result) - return result; - } else { /* Fetch an audio frame */ result = xmv_fetch_audio_packet(s, pkt, xmv->current_stream - 1); - if (result) - return result; } + if (result) + return result; + /* Increase our counters */ if (++xmv->current_stream >= xmv->stream_count) { From bcedc2b0f0e47edc2670200c91a49b36e4c07257 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 02:13:36 +0100 Subject: [PATCH 168/380] avformat/xmv: Discard remainder of packet on error Fixes infinite loop Fixes: 9c48ae2680c5f23bca3d20ff0f325fd8/asan_generic_4c254d_1374_993f1e5967dd6f844b8d72f978ce2a6c.pss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79c4a338e4b2bf0bc6f81c9f455994f673a92f78) Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 06c070ca43..14d007a3e0 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -554,8 +554,11 @@ static int xmv_read_packet(AVFormatContext *s, result = xmv_fetch_audio_packet(s, pkt, xmv->current_stream - 1); } - if (result) + if (result) { + xmv->current_stream = 0; + xmv->video.current_frame = xmv->video.frame_count; return result; + } /* Increase our counters */ From 327dd70690a13313e77dec46de8bc03efd06ba5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 21:58:42 +0100 Subject: [PATCH 169/380] avcodec/dirac_parser: Fix undefined memcpy() use Fixes: 9d375e415486edd1a0c826f2307d89a4/asan_generic_4a5159_1577_faa333e83dacdd9e4dd322380aeed537.iss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit daefd8ab2f2aeb90cd53cb75445faffdc7a3cc79) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 45ded5a779..83c35a2010 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -123,7 +123,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, DiracParseContext *pc = s->priv_data; if (pc->overread_index) { - memcpy(pc->buffer, pc->buffer + pc->overread_index, + memmove(pc->buffer, pc->buffer + pc->overread_index, pc->index - pc->overread_index); pc->index -= pc->overread_index; pc->overread_index = 0; From af3a608e7e3de4d4a0d35dc527980601f9f36969 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 22:24:23 +0100 Subject: [PATCH 170/380] avcodec/microdvddec: Check for string end in 'P' case Fixes out of array read Fixes: a9502b60f4cecc19475382aee255f73c/asan_heap-oob_1e87fba_2548_a8ad47f6dde36644fe9cdc444d4632d0.sub Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c719cd6cf79ec21d974b81ba874580f4b8e9eb90) Signed-off-by: Michael Niedermayer --- libavcodec/microdvddec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/microdvddec.c b/libavcodec/microdvddec.c index 96034a042a..9035892205 100644 --- a/libavcodec/microdvddec.c +++ b/libavcodec/microdvddec.c @@ -164,6 +164,8 @@ static char *microdvd_load_tags(struct microdvd_tag *tags, char *s) /* Position */ case 'P': + if (!*s) + break; tag.persistent = MICRODVD_PERSISTENT_ON; tag.data1 = (*s++ == '1'); if (*s != '}') From 169a02da1e39915f20f21d67de5747e1752d8da2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2015 02:16:11 +0100 Subject: [PATCH 171/380] avcodec/jpeg2000dec: Clip all tile coordinates Fixes out of array access Fixes: b877a6b788a25c70e8b1d014f8628549/asan_heap-oob_1da2c3f_2324_5a1b329b0b3c4bb6b1d775660ac56717.r3d Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 43492ff3ab68a343c1264801baa1d5a02de10167) Conflicts: libavcodec/jpeg2000dec.c --- libavcodec/jpeg2000dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 24cb8a171f..444a731623 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -705,10 +705,10 @@ static int init_tile(Jpeg2000DecoderContext *s, int tileno) Jpeg2000QuantStyle *qntsty = tile->qntsty + compno; int ret; // global bandno - comp->coord_o[0][0] = FFMAX(tilex * s->tile_width + s->tile_offset_x, s->image_offset_x); - comp->coord_o[0][1] = FFMIN((tilex + 1) * s->tile_width + s->tile_offset_x, s->width); - comp->coord_o[1][0] = FFMAX(tiley * s->tile_height + s->tile_offset_y, s->image_offset_y); - comp->coord_o[1][1] = FFMIN((tiley + 1) * s->tile_height + s->tile_offset_y, s->height); + comp->coord_o[0][0] = av_clip(tilex * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[0][1] = av_clip((tilex + 1) * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[1][0] = av_clip(tiley * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); + comp->coord_o[1][1] = av_clip((tiley + 1) * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); if (compno) { comp->coord_o[0][0] /= s->cdx[compno]; comp->coord_o[0][1] /= s->cdx[compno]; From d332aa6ec678e5e9630710a049eee36a91127f8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 14:52:33 +0100 Subject: [PATCH 172/380] avcodec/hevc_ps: Check chroma_format_idc Fixes out of array access Fixes: 24d05e8b84676799c735c9e27d97895e/asan_heap-oob_1b70f6a_2955_7c3652a7f370f9f3ef40642bc2c99bb2.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 93f30f825c08477fe8f76be00539e96014cc83c8) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 757f66625c..05d9cd634c 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -806,6 +806,9 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) } sps->chroma_format_idc = get_ue_golomb_long(gb); + if (sps->chroma_format_idc > 3U) { + return AVERROR_INVALIDDATA; + } if (sps->chroma_format_idc == 3) sps->separate_colour_plane_flag = get_bits1(gb); From cd8bedb9fa7c3d04288bf57b64081b4a89aefb4d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 6 Nov 2015 21:04:34 +0100 Subject: [PATCH 173/380] jvdec: avoid unsigned overflow in comparison The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size is 3, the right side overflows leading to a wrong result of the comparison and subsequently a heap buffer overflow. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit db374790c75fa4ef947abcb5019fcf21d0b2de85) Signed-off-by: Michael Niedermayer --- libavformat/jvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c index 64d31e0ee6..103507df4c 100644 --- a/libavformat/jvdec.c +++ b/libavformat/jvdec.c @@ -54,7 +54,7 @@ typedef struct JVDemuxContext { static int read_probe(AVProbeData *pd) { - if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 && + if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size && !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC))) return AVPROBE_SCORE_MAX; return 0; From 132bd4bc4fb4a3d6c4cf0504f0f42699d5c20e7c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 6 Nov 2015 23:44:01 +0100 Subject: [PATCH 174/380] apng: use correct size for output buffer The buffer needs s->bpp bytes, at maximum currently 10. Assert that s->bpp is not larger. This fixes a stack buffer overflow. Reviewed-by: wm4 Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit 3e8e1a660ea182111057d56ec1cfad2c62250f4c) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 60c49758f1..ffb0d7b737 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -946,7 +946,7 @@ static int handle_p_frame_apng(AVCodecContext *avctx, PNGDecContext *s, for (x = s->x_offset; x < s->x_offset + s->cur_w; ++x, foreground += s->bpp, background += s->bpp) { size_t b; uint8_t foreground_alpha, background_alpha, output_alpha; - uint8_t output[4]; + uint8_t output[10]; // Since we might be blending alpha onto alpha, we use the following equations: // output_alpha = foreground_alpha + (1 - foreground_alpha) * background_alpha @@ -986,6 +986,8 @@ static int handle_p_frame_apng(AVCodecContext *avctx, PNGDecContext *s, output_alpha = foreground_alpha + FAST_DIV255((255 - foreground_alpha) * background_alpha); + av_assert0(s->bpp <= 10); + for (b = 0; b < s->bpp - 1; ++b) { if (output_alpha == 0) { output[b] = 0; From b9a3e0af07bc09e1c5db28bf90505e1d7a76daa6 Mon Sep 17 00:00:00 2001 From: Simon Thelen Date: Mon, 2 Nov 2015 16:36:16 +0100 Subject: [PATCH 175/380] ffmpeg: Don't try and write sdp info if none of the outputs had an rtp format. Fixes a segfault when trying to write nonexistent rtp information. Signed-off-by: Simon Thelen Signed-off-by: Michael Niedermayer (cherry picked from commit 70fb5eadc580a82c4b977a1233d70ad0041faba0) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ffmpeg.c b/ffmpeg.c index 8bf0aa87c0..b65ee7144e 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2370,6 +2370,9 @@ static void print_sdp(void) } } + if (!j) + goto fail; + av_sdp_create(avc, j, sdp, sizeof(sdp)); if (!sdp_filename) { @@ -2385,6 +2388,7 @@ static void print_sdp(void) } } +fail: av_freep(&avc); } From ae270314c7f4e9fabc9166bb5f5dfcba03304703 Mon Sep 17 00:00:00 2001 From: Simon Thelen Date: Mon, 2 Nov 2015 15:57:50 +0100 Subject: [PATCH 176/380] doc/ffmpeg: Clarify that the sdp_file option requires an rtp output. Signed-off-by: Simon Thelen Signed-off-by: Michael Niedermayer (cherry picked from commit b02201efb531348406e48f9252bd39a6acebd2b7) Signed-off-by: Michael Niedermayer --- doc/ffmpeg.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index 1078ea110a..5ff8798b99 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -1193,9 +1193,9 @@ The option is intended for cases where features are needed that cannot be specified to @command{ffserver} but can be to @command{ffmpeg}. @item -sdp_file @var{file} (@emph{global}) -Print sdp information to @var{file}. +Print sdp information for an output stream to @var{file}. This allows dumping sdp information when at least one output isn't an -rtp stream. +rtp stream. (Requires at least one of the output formats to be rtp). @item -discard (@emph{input}) Allows discarding specific streams or frames of streams at the demuxer. From 4eb67f3ddccacc03312b8dea06dd35e24411d16c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Nov 2015 04:14:55 +0100 Subject: [PATCH 177/380] tests/fate/avformat: Fix fate-lavf The CMP variable seems to have been inherited from fate-api-seek which set it to null the mxf reference needed a change due to c7e14a279fa7348db10ec824bb2d67858cb1c1ca Signed-off-by: Michael Niedermayer (cherry picked from commit b83c849e8797fbb972ebd7f2919e0f085061f37f) Signed-off-by: Michael Niedermayer --- tests/fate/avformat.mak | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/fate/avformat.mak b/tests/fate/avformat.mak index 1d13434d45..54bfb974a5 100644 --- a/tests/fate/avformat.mak +++ b/tests/fate/avformat.mak @@ -61,6 +61,7 @@ FATE_LAVF += $(FATE_LAVF_PIXFMT-yes) $(FATE_LAVF): $(AREF) $(VREF) $(FATE_LAVF): CMD = lavftest +$(FATE_LAVF): CMP = FATE_AVCONV += $(FATE_LAVF) fate-lavf: $(FATE_LAVF) From 3300005351e7153caa4e59f960bb2b9a18f877b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 00:51:56 +0100 Subject: [PATCH 178/380] avcodec/jpeg2000dec: Check for duplicate SIZ marker Fixes: 0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 44a7f17d0b20e6f8d836b2957e3e357b639f19a2) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 444a731623..04f94234d8 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1400,6 +1400,7 @@ static void jpeg2000_dec_cleanup(Jpeg2000DecoderContext *s) memset(s->codsty, 0, sizeof(s->codsty)); memset(s->qntsty, 0, sizeof(s->qntsty)); s->numXtiles = s->numYtiles = 0; + s->ncomponents = 0; } static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s) @@ -1454,6 +1455,10 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s) switch (marker) { case JPEG2000_SIZ: + if (s->ncomponents) { + av_log(s->avctx, AV_LOG_ERROR, "Duplicate SIZ\n"); + return AVERROR_INVALIDDATA; + } ret = get_siz(s); if (!s->tile) s->numXtiles = s->numYtiles = 0; From 63465f00707c0dc6b1f0c30c950f5782dc9f059a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 01:35:08 +0100 Subject: [PATCH 179/380] avcodec/utils: Better check for channels in av_get_audio_frame_duration() Fixes integer overflow Fixes: 0c2625f236ced104d402b4a03c0d65c7/asan_generic_274e1ce_5990_9314e7a67c26aecf011b178ade9f217c.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4e16ad2868a1819de6680fc355a8eb20164adaea) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 6596aeae2b..cc689d8aaf 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3418,7 +3418,7 @@ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) return frame_bytes * 8 / bps; } - if (ch > 0) { + if (ch > 0 && ch < INT_MAX/16) { /* calc from frame_bytes and channels */ switch (id) { case AV_CODEC_ID_ADPCM_AFC: From b996cde19323756e647f3aa9c67c4ff2efe3a32d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 02:36:22 +0100 Subject: [PATCH 180/380] avcodec/ivi: Check image dimensions Fixes integer overflow Fixes: 1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit df91aa034b82b77a3c4e01791f4a2b2ff6c82066) Signed-off-by: Michael Niedermayer --- libavcodec/ivi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c index 4525ff494c..eab42bb535 100644 --- a/libavcodec/ivi.c +++ b/libavcodec/ivi.c @@ -30,6 +30,7 @@ #define BITSTREAM_READER_LE #include "libavutil/attributes.h" +#include "libavutil/imgutils.h" #include "libavutil/timer.h" #include "avcodec.h" #include "get_bits.h" @@ -310,7 +311,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg, ivi_free_buffers(planes); - if (cfg->pic_width < 1 || cfg->pic_height < 1 || + if (av_image_check_size(cfg->pic_width, cfg->pic_height, 0, NULL) < 0 || cfg->luma_bands < 1 || cfg->chroma_bands < 1) return AVERROR_INVALIDDATA; From ec1f59150d2437ea36baa0b6052ae1cf89b85ca8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 13:34:02 +0100 Subject: [PATCH 181/380] avcodec/flashsv: Check size before updating it Fixes out of array read Fixes: 3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 17705f5d4f57c15f9b9bb9cfcbbb4621fed2fc70) Signed-off-by: Michael Niedermayer --- libavcodec/flashsv.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index f429167fe0..088b50e616 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -413,6 +413,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } if (has_diff) { + if (size < 3) { + av_log(avctx, AV_LOG_ERROR, "size too small for diff\n"); + return AVERROR_INVALIDDATA; + } if (!s->keyframe) { av_log(avctx, AV_LOG_ERROR, "Inter frame without keyframe\n"); @@ -440,6 +444,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, int row = get_bits(&gb, 8); av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n", i, j, col, row); + if (size < 3) { + av_log(avctx, AV_LOG_ERROR, "size too small for zlibprime_curr\n"); + return AVERROR_INVALIDDATA; + } size -= 2; avpriv_request_sample(avctx, "zlibprime_curr"); return AVERROR_PATCHWELCOME; From d61c3d1fca62b2497e4327af3ea50de5f7a8de0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 14:29:02 +0100 Subject: [PATCH 182/380] avcodec/dpx: Move need_align to act per line Fixes out of array read Fixes: 61cf123c081ee2bb774d307c75bdb99e/asan_heap-oob_1224f76_5546_bee833ffae73f752b489b9eeaac52db7.dpx Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c8aaae8e0f1519bc99bd717ea3067c9cfdb68def) Signed-off-by: Michael Niedermayer --- libavcodec/dpx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index 66d8428951..3b45b8eb98 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c @@ -348,11 +348,11 @@ static int decode_frame(AVCodecContext *avctx, // For 12 bit, ignore alpha if (elements == 4) buf += 2; - // Jump to next aligned position - buf += need_align; } for (i = 0; i < 3; i++) ptr[i] += p->linesize[i]; + // Jump to next aligned position + buf += need_align; } break; case 16: From 196be9284a8d047254951c9f48b08b958349373b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 21:11:52 +0100 Subject: [PATCH 183/380] avcodec/error_resilience: avoid accessing previous or next frames tables beyond height The height of tables can be rounded up for MBAFF but this does not imply that is also true for the previous frames Fixes out of array reads Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a105f52855d08e4ab1ed7306da8e32fc90d6d647) Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index df4a64d17a..6a92a13e95 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -381,14 +381,19 @@ static void guess_mv(ERContext *s) #define MV_UNCHANGED 1 const int mb_stride = s->mb_stride; const int mb_width = s->mb_width; - const int mb_height = s->mb_height; + int mb_height = s->mb_height; int i, depth, num_avail; int mb_x, mb_y, mot_step, mot_stride; + if (s->last_pic.f && s->last_pic.f->data[0]) + mb_height = FFMIN(mb_height, (s->last_pic.f->height+15)>>4); + if (s->next_pic.f && s->next_pic.f->data[0]) + mb_height = FFMIN(mb_height, (s->next_pic.f->height+15)>>4); + set_mv_strides(s, &mot_step, &mot_stride); num_avail = 0; - for (i = 0; i < s->mb_num; i++) { + for (i = 0; i < mb_width * mb_height; i++) { const int mb_xy = s->mb_index2xy[i]; int f = 0; int error = s->error_status_table[mb_xy]; @@ -413,7 +418,7 @@ static void guess_mv(ERContext *s) if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) || num_avail <= mb_width / 2) { - for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; int mv_dir = (s->last_pic.f && s->last_pic.f->data[0]) ? MV_DIR_FORWARD : MV_DIR_BACKWARD; @@ -442,7 +447,7 @@ static void guess_mv(ERContext *s) int score_sum = 0; changed = 0; - for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; int mv_predictor[8][2] = { { 0 } }; @@ -675,7 +680,7 @@ skip_last_mv: if (none_left) return; - for (i = 0; i < s->mb_num; i++) { + for (i = 0; i < mb_width * mb_height; i++) { int mb_xy = s->mb_index2xy[i]; if (fixed[mb_xy]) fixed[mb_xy] = MV_FROZEN; From 08940cd54596935e8780029d5c8ebcc0f409b58f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 00:25:11 +0100 Subject: [PATCH 184/380] avcodec/dxtory: Fix input size check in dxtory_decode_v1_420() Fixes out of array read Fixes: c50c4aa6cefda71b19a31ea12302980c/asan_heap-oob_12be5fd_7011_33ebd015a74976215934add72b9c8352.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9caa9414ccf2dcf8aee2695377dee830a5024c82) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 22e7b2f4eb..c12a193265 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -108,7 +108,7 @@ static int dxtory_decode_v1_420(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3LL / 2) { + if (src_size < FFALIGN(avctx->width, 2) * FFALIGN(avctx->height, 2) * 3LL / 2) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } From 588a7769c7adaa6713d253cbf35ea1fb967ca7da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 00:25:11 +0100 Subject: [PATCH 185/380] avcodec/dxtory: Fix input size check in dxtory_decode_v1_410() Fixes potential out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 76b6f4b7d91901929177cc61d9810dcca0bb40c1) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index c12a193265..4f84c524f0 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -65,7 +65,7 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *Y3, *Y4, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 9LL / 8) { + if (src_size < FFALIGN(avctx->width, 4) * FFALIGN(avctx->height, 4) * 9LL / 8) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } From acba2a36b3ce01fbecf8e5ecc2c79d43e4e803f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 01:22:31 +0100 Subject: [PATCH 186/380] avcodec/takdec: Skip last p2 sample (which is unused) Fixes out of array read Fixes: cb3f38b08b4541523974667c7d1eee9e/asan_heap-oob_2659e18_9838_021fd5cd635bf76cede6398cd9ecbcdd.tak Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 08b520636e96ba6888b669b9b3f4c414631ea1d2) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 4225030376..45c7650efb 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -632,7 +632,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) for (; length2 > 0; length2 -= tmp) { tmp = FFMIN(length2, x); - for (i = 0; i < tmp; i++) + for (i = 0; i < tmp - (tmp == length2); i++) s->residues[filter_order + i] = *p2++ >> dshift; for (i = 0; i < tmp; i++) { From 10398038239b6357a6ebe6f7ba0836280a2673fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 14:52:08 +0100 Subject: [PATCH 187/380] avcodec/smacker: Check that the data size is a multiple of a sample vector Fixes out of array access Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4a9af07a49295e014b059c1ab624c40345af5892) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index b5538c7494..7b30664f38 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -668,6 +668,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ frame->nb_samples = unp_size / (avctx->channels * (bits + 1)); + if (unp_size % (avctx->channels * (bits + 1))) { + av_log(avctx, AV_LOG_ERROR, "unp_size %d is odd\n", unp_size); + return AVERROR(EINVAL); + } if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; samples = (int16_t *)frame->data[0]; From 082bdba4e7152d5a48144c9ea2d01306c6b58c34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 18:18:40 +0100 Subject: [PATCH 188/380] avcodec/wmaprodec: Check for overread in decode_packet() Fixes assertion failure Fixes: 0256e92df2df7e933b43a2c70e4c8040/signal_sigabrt_7ffff6ae7cc9_1358_999ac18684788221490757582ce9af84.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7ad698e24e6b9dde57c4e01c145bcddfe9d6e4a3) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index c319b39836..ecc3aaef54 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1623,6 +1623,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, s->packet_done = 1; } + if (remaining_bits(s, gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb)); + s->packet_loss = 1; + } + if (s->packet_done && !s->packet_loss && remaining_bits(s, gb) > 0) { /** save the rest of the data so that it can be decoded From d972df307aaa593e5c3f2a7a23570c63665ed601 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 20:03:39 +0100 Subject: [PATCH 189/380] avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component() Signed-off-by: Michael Niedermayer (cherry picked from commit 016fd413f9168816924f21c0c1ffb578f7226221) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index 38df58dd1d..064981fdf9 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -28,6 +28,7 @@ #include "libavutil/attributes.h" #include "libavutil/avassert.h" #include "libavutil/common.h" +#include "libavutil/imgutils.h" #include "libavutil/mem.h" #include "avcodec.h" #include "jpeg2000.h" @@ -210,7 +211,10 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, codsty->nreslevels2decode - 1, codsty->transform)) return ret; - // component size comp->coord is uint16_t so ir cannot overflow + + if (av_image_check_size(comp->coord[0][1] - comp->coord[0][0], + comp->coord[1][1] - comp->coord[1][0], 0, avctx)) + return AVERROR_INVALIDDATA; csize = (comp->coord[0][1] - comp->coord[0][0]) * (comp->coord[1][1] - comp->coord[1][0]); From a9c73b13c1170a43bc8b3e0e85c21f97145b3d2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 20:49:17 +0100 Subject: [PATCH 190/380] avcodec/jpeg2000: Check comp coords to be within the supported size Fixes assertion failure Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi This fix is choosen to be simple to backport, better solution for master is planed Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a1a8cbcb35ef2759a66b4f0875785e4b3f277057) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index 064981fdf9..982e68b553 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -217,6 +217,11 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, return AVERROR_INVALIDDATA; csize = (comp->coord[0][1] - comp->coord[0][0]) * (comp->coord[1][1] - comp->coord[1][0]); + if (comp->coord[0][1] > 32768 || + comp->coord[1][1] > 32768) { + av_log(avctx, AV_LOG_ERROR, "component size too large\n"); + return AVERROR_PATCHWELCOME; + } if (codsty->transform == FF_DWT97) { comp->i_data = NULL; From 2deaccfe670e2c51d895951d2e1cb73b04c87e99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 21:12:50 +0100 Subject: [PATCH 191/380] avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range Fixes potential integer overflows Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi This fix is choosen to be simple to backport, better solution for master is planed Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 6ef819c40bcc2175edba7ce9e20c3036c01b36b9) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 04f94234d8..34591c3cc2 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -252,6 +252,10 @@ static int get_siz(Jpeg2000DecoderContext *s) avpriv_request_sample(s->avctx, "Support for image offsets"); return AVERROR_PATCHWELCOME; } + if (s->width > 32768U || s->height > 32768U) { + avpriv_request_sample(s->avctx, "Large Dimensions"); + return AVERROR_PATCHWELCOME; + } if (ncomponents <= 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of components: %d\n", From ca43c6e1f53af217f6192332570d006e1c1f7079 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 21:17:05 +0100 Subject: [PATCH 192/380] avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions Signed-off-by: Michael Niedermayer (cherry picked from commit 65d3359fb366ea265a8468d76a111cb7352f0b55) Conflicts: libavcodec/jpeg2000dec.c --- libavcodec/jpeg2000dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 34591c3cc2..caaf2f7614 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -709,10 +709,10 @@ static int init_tile(Jpeg2000DecoderContext *s, int tileno) Jpeg2000QuantStyle *qntsty = tile->qntsty + compno; int ret; // global bandno - comp->coord_o[0][0] = av_clip(tilex * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); - comp->coord_o[0][1] = av_clip((tilex + 1) * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); - comp->coord_o[1][0] = av_clip(tiley * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); - comp->coord_o[1][1] = av_clip((tiley + 1) * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); + comp->coord_o[0][0] = av_clip(tilex * (int64_t)s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[0][1] = av_clip((tilex + 1) * (int64_t)s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[1][0] = av_clip(tiley * (int64_t)s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); + comp->coord_o[1][1] = av_clip((tiley + 1) * (int64_t)s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); if (compno) { comp->coord_o[0][0] /= s->cdx[compno]; comp->coord_o[0][1] /= s->cdx[compno]; From 0ecde4557068de0d132b073ac6b405131c54f140 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 23:41:14 +0100 Subject: [PATCH 193/380] avformat/utils: Do not init parser if probing is unfinished Fixes assertion failure Fixes: 136f8b8d47af7892306625e597dee655/signal_sigabrt_7ffff6ae7cc9_8941_ab11bea57c84796418f481f873dc31ba.dvr_ms Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1ef336e912a7a3a13a9933825a56c421f891e44b) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index caa15abbae..5729b0bde6 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3068,7 +3068,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) st->codec->time_base = st->time_base; } // only for the split stuff - if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE)) { + if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE) && st->request_probe <= 0) { st->parser = av_parser_init(st->codec->codec_id); if (st->parser) { if (st->need_parsing == AVSTREAM_PARSE_HEADERS) { From aa9dadccacc88f643e39a64524a0b24be7a6eaa2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Nov 2015 18:19:01 +0100 Subject: [PATCH 194/380] avformat/matroskadec: Check subtitle stream before dereferencing Unrecognized streams are not allocated Fixes: flicker-1.color1.vp91447030769.08.webm Found-by: Chris Cunningham Signed-off-by: Michael Niedermayer (cherry picked from commit a5034b324cad4c29d47ef285a30b0705e6eb0384) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 206d798db6..6ebca94943 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3076,6 +3076,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, tracks[i].audio.buf_timecode = AV_NOPTS_VALUE; tracks[i].end_timecode = 0; if (tracks[i].type == MATROSKA_TRACK_TYPE_SUBTITLE && + tracks[i].stream && tracks[i].stream->discard != AVDISCARD_ALL) { index_sub = av_index_search_timestamp( tracks[i].stream, st->index_entries[index].timestamp, From bc3d86cddb804c326ac33d96938abc0d26929d8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Nov 2015 12:41:05 +0100 Subject: [PATCH 195/380] Update versions for 2.7.3 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 37c2961c24..2c9b4ef42e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.7.2 +2.7.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 1b116d4d4a..4d1686bdc8 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.7.2 +PROJECT_NUMBER = 2.7.3 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From cf115791daf4c0c9ed3d028ec0c7ed76c51ecd41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Nov 2015 21:42:02 +0200 Subject: [PATCH 196/380] rtmpcrypt: Do the xtea decryption in little endian mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The XTEA algorithm operates on 32 bit numbers, not on byte sequences. The XTEA implementation in libavutil is written assuming big endian numbers, while the rtmpe signature encryption assumes little endian. This fixes rtmpe communication with rtmpe servers that use signature type 8 (XTEA), e.g. crunchyroll. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e7728319b92dbb4fb949155e33de7ff5358ddff3) Signed-off-by: Michael Niedermayer --- libavformat/rtmpcrypt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/rtmpcrypt.c b/libavformat/rtmpcrypt.c index 2065ec6602..3771909857 100644 --- a/libavformat/rtmpcrypt.c +++ b/libavformat/rtmpcrypt.c @@ -184,9 +184,14 @@ int ff_rtmpe_compute_secret_key(URLContext *h, const uint8_t *serverdata, static void rtmpe8_sig(const uint8_t *in, uint8_t *out, int key_id) { struct AVXTEA ctx; + uint8_t tmpbuf[8]; av_xtea_init(&ctx, rtmpe8_keys[key_id]); - av_xtea_crypt(&ctx, out, in, 1, NULL, 0); + AV_WB32(tmpbuf, AV_RL32(in)); + AV_WB32(tmpbuf + 4, AV_RL32(in + 4)); + av_xtea_crypt(&ctx, tmpbuf, tmpbuf, 1, NULL, 0); + AV_WL32(out, AV_RB32(tmpbuf)); + AV_WL32(out + 4, AV_RB32(tmpbuf + 4)); } static void rtmpe9_sig(const uint8_t *in, uint8_t *out, int key_id) From 93f3752b970cc7c9e1a360037fff1ddb9dcbb86e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Nov 2015 19:37:58 +0100 Subject: [PATCH 197/380] Changelog: update for 2.7.3 Signed-off-by: Michael Niedermayer --- Changelog | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 100 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 68ce3f7a5a..6e79b7a396 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,106 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 2.7.3: +- rtmpcrypt: Do the xtea decryption in little endian mode +- Update versions for 2.7.3 +- avformat/matroskadec: Check subtitle stream before dereferencing +- avformat/utils: Do not init parser if probing is unfinished +- avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions +- avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range +- avcodec/jpeg2000: Check comp coords to be within the supported size +- avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component() +- avcodec/wmaprodec: Check for overread in decode_packet() +- avcodec/smacker: Check that the data size is a multiple of a sample vector +- avcodec/takdec: Skip last p2 sample (which is unused) +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_410() +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_420() +- avcodec/error_resilience: avoid accessing previous or next frames tables beyond height +- avcodec/dpx: Move need_align to act per line +- avcodec/flashsv: Check size before updating it +- avcodec/ivi: Check image dimensions +- avcodec/utils: Better check for channels in av_get_audio_frame_duration() +- avcodec/jpeg2000dec: Check for duplicate SIZ marker +- tests/fate/avformat: Fix fate-lavf +- doc/ffmpeg: Clarify that the sdp_file option requires an rtp output. +- ffmpeg: Don't try and write sdp info if none of the outputs had an rtp format. +- apng: use correct size for output buffer +- jvdec: avoid unsigned overflow in comparison +- avcodec/hevc_ps: Check chroma_format_idc +- avcodec/jpeg2000dec: Clip all tile coordinates +- avcodec/microdvddec: Check for string end in 'P' case +- avcodec/dirac_parser: Fix undefined memcpy() use +- avformat/xmv: Discard remainder of packet on error +- avformat/xmv: factor return check out of if/else +- avcodec/mpeg12dec: Do not call show_bits() with invalid bits +- libavutil/channel_layout: Check strtol*() for failure +- avcodec/ffv1dec: Check for 0 quant tables +- avcodec/mjpegdec: Reinitialize IDCT on BPP changes +- avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it +- avutil/file_open: avoid file handle inheritance on Windows +- avcodec/h264_slice: Disable slice threads if there are multiple access units in a packet +- opusdec: Don't run vector_fmul_scalar on zero length arrays +- avcodec/ffv1: Initialize vlc_state on allocation +- avcodec/ffv1dec: update progress in case of broken pointer chains +- avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons +- avformat/httpauth: Add space after commas in HTTP/RTSP auth header +- avcodec/x86/sbrdsp: Fix using uninitialized upper 32bit of noise +- avcodec/ffv1dec: Fix off by 1 error in quant_table_count check +- avcodec/ffv1dec: Explicitly check read_quant_table() return value +- avcodec/rangecoder: Check e +- avutil/log: fix zero length gnu_printf format string warning +- lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream. +- avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG +- avfilter/af_asyncts: use llabs for int64_t +- avcodec/g2meet: Also clear tile dimensions on header_fail +- avcodec/g2meet: Fix potential overflow in tile dimensions check +- avcodec/svq1dec: Check init_get_bits8() for failure +- avcodec/tta: Check init_get_bits8() for failure +- avcodec/vp3: Check init_get_bits8() for failure +- swresample/swresample: Fix integer overflow in seed calculation +- avformat/mov: Fix integer overflow in FFABS +- avutil/common: Add FFNABS() +- avutil/common: Document FFABS() corner case +- avformat/dump: Fix integer overflow in aspect ratio calculation +- avformat/mxg: Use memmove() +- avcodec/truemotion1: Check for even width +- avcodec/mpeg12dec: Set dimensions in mpeg1_decode_sequence() only in absence of errors +- avcodec/libopusenc: Fix infinite loop on flushing after 0 input +- avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops +- avformat/hevc: Fix parsing errors +- ffmpeg: Use correct codec_id for av_parser_change() check +- ffmpeg: Check av_parser_change() for failure +- ffmpeg: Check for RAWVIDEO and do not relay only on AVFMT_RAWPICTURE +- ffmpeg: check avpicture_fill() return value +- avformat/mux: Update sidedata in ff_write_chained() +- avcodec/flashsvenc: Correct max dimension in error message +- avcodec/svq1enc: Check dimensions +- avcodec/dcaenc: clear bitstream end +- libavcodec/aacdec_template: Use init_get_bits8() in aac_decode_frame() +- rawdec: fix mjpeg probing buffer size check +- rawdec: fix mjpeg probing +- configure: loongson disable expensive optimizations in gcc O3 optimization +- videodsp: don't overread edges in vfix3 emu_edge. +- avformat/mp3dec: improve junk skipping heuristic +- avformat/hls: add support for EXT-X-MAP +- avformat/hls: fix segment selection regression on track changes of live streams +- lavf/matroskadec: Fully parse and repack MP3 packets +- avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check +- avformat/oggenc: Check segments_count for headers too +- avformat/segment: atomically update list if possible +- avformat/avidec: Workaround broken initial frame +- hevc: properly handle no_rasl_output_flag when removing pictures from the DPB +- hevc: fix wpp threading deadlock. +- avcodec/ffv1: separate slice_count from max_slice_count +- lavf/img2dec: Fix memory leak +- avcodec/mp3: fix skipping zeros +- avformat/srtdec: make sure we probe a number +- avformat/srtdec: more lenient first line probing +- doc: mention libavcodec can decode Opus natively +- avcodec/ffv1enc: fix assertion failure with unset bits per raw sample +- MAINTAINERS: Remove myself as leader +- mips/hevcdsp: fix string concatenation on macros + version 2.7.2: - imc: use correct position for flcoeffs2 calculation From 185126415eeecb2b79a80eb157b22c48a71577b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Jul 2015 15:21:15 +0200 Subject: [PATCH 198/380] Merge commit 'd80811c94e068085aab797f9ba35790529126f85' * commit 'd80811c94e068085aab797f9ba35790529126f85': riff: Use the correct logging context Conflicts: libavformat/asfdec_o.c libavformat/avidec.c libavformat/dxa.c libavformat/matroskadec.c libavformat/mov.c libavformat/riff.h libavformat/riffdec.c libavformat/wavdec.c libavformat/wtvdec.c libavformat/xwma.c Merged-by: Michael Niedermayer (cherry picked from commit ba77fb61f741d9ab3bd12935527556055b2ffb2e) Signed-off-by: Andreas Cadhalpun --- libavformat/act.c | 2 +- libavformat/asfdec.c | 2 +- libavformat/avidec.c | 2 +- libavformat/dxa.c | 2 +- libavformat/matroskadec.c | 2 +- libavformat/mlvdec.c | 2 +- libavformat/mov.c | 2 +- libavformat/riff.h | 2 +- libavformat/riffdec.c | 5 +++-- libavformat/wavdec.c | 4 ++-- libavformat/wtvdec.c | 2 +- libavformat/xwma.c | 2 +- 12 files changed, 15 insertions(+), 14 deletions(-) diff --git a/libavformat/act.c b/libavformat/act.c index 7b6b8406fc..35aacbc459 100644 --- a/libavformat/act.c +++ b/libavformat/act.c @@ -75,7 +75,7 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 16); size=avio_rl32(pb); - ff_get_wav_header(pb, st->codec, size, 0); + ff_get_wav_header(s, pb, st->codec, size, 0); /* 8000Hz (Fine-rec) file format has 10 bytes long diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 92784348cb..8028520263 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -429,7 +429,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) st->codec->codec_type = type; if (type == AVMEDIA_TYPE_AUDIO) { - int ret = ff_get_wav_header(pb, st->codec, type_specific_size, 0); + int ret = ff_get_wav_header(s, pb, st->codec, type_specific_size, 0); if (ret < 0) return ret; if (is_dvr_ms_audio) { diff --git a/libavformat/avidec.c b/libavformat/avidec.c index cb52e4556d..aee1d2bef6 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -835,7 +835,7 @@ static int avi_read_header(AVFormatContext *s) // avio_skip(pb, size - 5 * 4); break; case AVMEDIA_TYPE_AUDIO: - ret = ff_get_wav_header(pb, st->codec, size, 0); + ret = ff_get_wav_header(s, pb, st->codec, size, 0); if (ret < 0) return ret; ast->dshow_block_align = st->codec->block_align; diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 44033563f8..228e6fdca1 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -106,7 +106,7 @@ static int dxa_read_header(AVFormatContext *s) ast = avformat_new_stream(s, NULL); if (!ast) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, ast->codec, fsize, 0); + ret = ff_get_wav_header(s, pb, ast->codec, fsize, 0); if (ret < 0) return ret; if (ast->codec->sample_rate > 0) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 6ebca94943..fd785fbe05 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1780,7 +1780,7 @@ static int matroska_parse_tracks(AVFormatContext *s) ffio_init_context(&b, track->codec_priv.data, track->codec_priv.size, 0, NULL, NULL, NULL, NULL); - ret = ff_get_wav_header(&b, st->codec, track->codec_priv.size, 0); + ret = ff_get_wav_header(s, &b, st->codec, track->codec_priv.size, 0); if (ret < 0) return ret; codec_id = st->codec->codec_id; diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index aa1ba60d37..48a429eb23 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -143,7 +143,7 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f vst->codec->codec_tag = MKTAG('B', 'I', 'T', 16); size -= 164; } else if (ast && type == MKTAG('W', 'A', 'V', 'I') && size >= 16) { - ret = ff_get_wav_header(pb, ast->codec, 16, 0); + ret = ff_get_wav_header(avctx, pb, ast->codec, 16, 0); if (ret < 0) return ret; size -= 16; diff --git a/libavformat/mov.c b/libavformat/mov.c index 20a574912d..65c4461747 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -769,7 +769,7 @@ static int mov_read_wfex(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; st = c->fc->streams[c->fc->nb_streams-1]; - if ((ret = ff_get_wav_header(pb, st->codec, atom.size, 0)) < 0) + if ((ret = ff_get_wav_header(c->fc, pb, st->codec, atom.size, 0)) < 0) av_log(c->fc, AV_LOG_WARNING, "get_wav_header failed\n"); return ret; diff --git a/libavformat/riff.h b/libavformat/riff.h index ae5ecef4c5..399c52738f 100644 --- a/libavformat/riff.h +++ b/libavformat/riff.h @@ -62,7 +62,7 @@ void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, const AVCodecTag *t int ff_put_wav_header(AVIOContext *pb, AVCodecContext *enc, int flags); enum AVCodecID ff_wav_codec_get_id(unsigned int tag, int bps); -int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size, int big_endian); +int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, AVCodecContext *codec, int size, int big_endian); extern const AVCodecTag ff_codec_bmp_tags[]; // exposed through avformat_get_riff_video_tags() extern const AVCodecTag ff_codec_wav_tags[]; diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index f44df1e672..4afe8071ce 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -81,7 +81,8 @@ static void parse_waveformatex(AVIOContext *pb, AVCodecContext *c) } /* "big_endian" values are needed for RIFX file format */ -int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size, int big_endian) +int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, + AVCodecContext *codec, int size, int big_endian) { int id; @@ -143,7 +144,7 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size, int big_ avio_skip(pb, size); } if (codec->sample_rate <= 0) { - av_log(NULL, AV_LOG_ERROR, + av_log(s, AV_LOG_ERROR, "Invalid sample rate: %d\n", codec->sample_rate); return AVERROR_INVALIDDATA; } diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 864185f989..9bc8c4f44d 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -134,7 +134,7 @@ static int wav_parse_fmt_tag(AVFormatContext *s, int64_t size, AVStream **st) if (!*st) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, (*st)->codec, size, wav->rifx); + ret = ff_get_wav_header(s, pb, (*st)->codec, size, wav->rifx); if (ret < 0) return ret; handle_stream_probing(*st); @@ -689,7 +689,7 @@ static int w64_read_header(AVFormatContext *s) if (!memcmp(guid, ff_w64_guid_fmt, 16)) { /* subtract chunk header size - normal wav file doesn't count it */ - ret = ff_get_wav_header(pb, st->codec, size - 24, 0); + ret = ff_get_wav_header(s, pb, st->codec, size - 24, 0); if (ret < 0) return ret; avio_skip(pb, FFALIGN(size, INT64_C(8)) - size); diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index e226690283..e8f6196a5e 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -670,7 +670,7 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid, if (!st) return NULL; if (!ff_guidcmp(formattype, ff_format_waveformatex)) { - int ret = ff_get_wav_header(pb, st->codec, size, 0); + int ret = ff_get_wav_header(s, pb, st->codec, size, 0); if (ret < 0) return NULL; } else { diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 683d3d0d4d..9edad7d75a 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -75,7 +75,7 @@ static int xwma_read_header(AVFormatContext *s) if (!st) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, st->codec, size, 0); + ret = ff_get_wav_header(s, pb, st->codec, size, 0); if (ret < 0) return ret; st->need_parsing = AVSTREAM_PARSE_NONE; From 65dc698607388f5bea72a1b249d8bf05a5e8b14a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 11 Jul 2015 00:09:46 +0200 Subject: [PATCH 199/380] riffdec: prevent negative bit rate Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 189420cb561929e05f5cc4224cdca83740a24a32) Signed-off-by: Andreas Cadhalpun --- libavformat/riffdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 4afe8071ce..632c58cfd5 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -103,6 +103,14 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, codec->bit_rate = avio_rb32(pb) * 8; codec->block_align = avio_rb16(pb); } + if (codec->bit_rate < 0) { + av_log(s, AV_LOG_WARNING, + "Invalid bit rate: %d\n", codec->bit_rate); + if (s->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + codec->bit_rate = 0; + } if (size == 14) { /* We're dealing with plain vanilla WAVEFORMAT */ codec->bits_per_coded_sample = 8; } else { From 27f3696502e10eb3b6aaec8af73f7ef082e2d913 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2015 20:05:27 +0100 Subject: [PATCH 200/380] avcodec/takdec: Use memove, avoid undefined memcpy() use Fixes: e214333cbd94c91228e624ff39329ce6/asan_generic_4a5159_6412_96cda2530e80607210ab41ccae3d456d.tak Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7cea3430a56fb0ff6ef60f08620fd3875e7bfeb6) Signed-off-by: Andreas Cadhalpun --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 45c7650efb..28f884a3f6 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -656,7 +656,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) *p1++ = v; } - memcpy(s->residues, &s->residues[tmp], 2 * filter_order); + memmove(s->residues, &s->residues[tmp], 2 * filter_order); } emms_c(); From 9e3848328daecf069be8a618d5f2c1ef54557567 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Nov 2015 22:16:01 +0100 Subject: [PATCH 201/380] aacdec: don't return frames without data from aac_decode_er_frame This is similar to commit ec38a1b for aac_decode_frame_int. Signed-off-by: Andreas Cadhalpun Reviewed-by: Michael Niedermayer (cherry picked from commit d7f29bfa6985e3eea2033dba0449e47b41b85928) Signed-off-by: Andreas Cadhalpun --- libavcodec/aacdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index b8779c01a6..9fe1133b34 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -2940,6 +2940,11 @@ static int aac_decode_er_frame(AVCodecContext *avctx, void *data, spectral_to_sample(ac); + if (!ac->frame->data[0] && samples) { + av_log(avctx, AV_LOG_ERROR, "no frame data found\n"); + return AVERROR_INVALIDDATA; + } + ac->frame->nb_samples = samples; ac->frame->sample_rate = avctx->sample_rate; *got_frame_ptr = 1; From 258584cfaf8684dac54b997f112c62783481bd7a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 10 Nov 2015 22:14:39 +0100 Subject: [PATCH 202/380] dvdsubdec: validate offset2 similar to offset1 If it is negative, it causes segmentation faults in decode_rle. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f621749d1181987b3f815c6766ea66d6c5d55198) Signed-off-by: Andreas Cadhalpun --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 7120f10a53..f009824401 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -346,7 +346,7 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, } } the_end: - if (offset1 >= 0) { + if (offset1 >= 0 && offset2 >= 0) { int w, h; uint8_t *bitmap; From 725d7fb2c608f8f4712fc13750455eec47b0cc4a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 14 Nov 2015 22:46:46 +0100 Subject: [PATCH 203/380] mpegvideo: clear overread in clear_context Otherwise the h263p decoder can try to copy overread bytes, even though buffer is NULL. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 6a69a175e7b5c5393528ed0f5753e41573fa0df2) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpegvideo.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 06188a03c0..60b9f8a8a7 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1257,6 +1257,7 @@ static void clear_context(MpegEncContext *s) s->parse_context.buffer = NULL; s->parse_context.buffer_size = 0; + s->parse_context.overread = 0; s->bitstream_buffer = NULL; s->allocated_bitstream_buffer_size = 0; s->picture = NULL; From 1f6c88e287d122e089c07d27c669a26f9f394b63 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 15 Nov 2015 17:46:08 +0100 Subject: [PATCH 204/380] mxfdec: check edit_rate also for physical_track Previously only the edit_rate of material_track was checked. If it's negative, it causes assertion failures in av_rescale_rnd. Reviewed-by: Tim Nicholson Signed-off-by: Andreas Cadhalpun (cherry picked from commit 047bf82c181c1220b3087b37f28445f8b87a7a23) Signed-off-by: Andreas Cadhalpun --- libavformat/mxfdec.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 78e2393c18..c7732c0aa8 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1754,6 +1754,16 @@ static int mxf_parse_physical_source_package(MXFContext *mxf, MXFTrack *source_t continue; } + if (physical_track->edit_rate.num <= 0 || + physical_track->edit_rate.den <= 0) { + av_log(mxf->fc, AV_LOG_WARNING, + "Invalid edit rate (%d/%d) found on structural" + " component #%d, defaulting to 25/1\n", + physical_track->edit_rate.num, + physical_track->edit_rate.den, i); + physical_track->edit_rate = (AVRational){25, 1}; + } + for (k = 0; k < physical_track->sequence->structural_components_count; k++) { if (!(mxf_tc = mxf_resolve_timecode_component(mxf, &physical_track->sequence->structural_components_refs[k]))) continue; From 67ed1ee680b70c23c0262776e4807f0df734512b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 15 Nov 2015 10:33:40 +0100 Subject: [PATCH 205/380] hqx: correct type and size check of info_offset It is used as size argument of ff_canopus_parse_info_tag, which uses it as size argument to bytestream2_init, which only supports sizes up to INT_MAX. Changing it's type to unsigned simplifies the check. Reviewed-by: Vittorio Giovara Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1ed7fcd42af956979abf4e32cd3c9ee17622bbcb) Signed-off-by: Andreas Cadhalpun --- libavcodec/hqx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hqx.c b/libavcodec/hqx.c index 44016ac34a..9db8a7fbee 100644 --- a/libavcodec/hqx.c +++ b/libavcodec/hqx.c @@ -417,8 +417,8 @@ static int hqx_decode_frame(AVCodecContext *avctx, void *data, info_tag = AV_RL32(src); if (info_tag == MKTAG('I', 'N', 'F', 'O')) { - int info_offset = AV_RL32(src + 4); - if (info_offset > UINT32_MAX - 8 || info_offset + 8 > avpkt->size) { + unsigned info_offset = AV_RL32(src + 4); + if (info_offset > INT_MAX || info_offset + 8 > avpkt->size) { av_log(avctx, AV_LOG_ERROR, "Invalid INFO header offset: 0x%08"PRIX32" is too large.\n", info_offset); From 70373bde2d5c9a2b5f7c738c9033300ef50d4899 Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Tue, 1 Dec 2015 21:15:53 +0200 Subject: [PATCH 206/380] doc/filters/drawtext: fix centering example Signed-off-by: Andrey Utkin Signed-off-by: Lou Logan (cherry picked from commit 648b26acc5e25ab40c43fddc54b50e9f0b13ebd8) Signed-off-by: Timothy Gu --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 4b5c3c11af..9a2fd98180 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -4343,7 +4343,7 @@ within the parameter list. @item Show the text at the center of the video frame: @example -drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h-line_h)/2" +drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h)/2" @end example @item From 183f5805944251f6856e26b6ceec10ca3072ff00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 01:25:50 +0100 Subject: [PATCH 207/380] avcodec/ffv1dec: Print an error if the quant table count is invalid Signed-off-by: Michael Niedermayer (cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b) --- libavcodec/ffv1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 27a92d9c2e..c0894be64e 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -568,8 +568,10 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { + av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); return AVERROR_INVALIDDATA; + } for (i = 0; i < f->quant_table_count; i++) { f->context_count[i] = read_quant_tables(c, f->quant_tables[i]); From e6264f00addca8bd4efed7329aa1faf5fa13b70b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 13:21:58 +0100 Subject: [PATCH 208/380] avcodec/ffv1dec: Clear quant_table_count if its invalid Fixes deallocation of corrupted pointer Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi No releases affected Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb) Fixes ticket #5052. --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index c0894be64e..ea3b8d2f7a 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -570,6 +570,7 @@ static int read_extra_header(FFV1Context *f) f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); + f->quant_table_count = 0; return AVERROR_INVALIDDATA; } From 8405b6329463af8ac2e5dac4fcdda03888388f78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Sep 2015 13:10:48 +0200 Subject: [PATCH 209/380] avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup The variable is not a constant and can lead to race conditions Fixes: repro.webm (not reproducable with FFmpeg alone) Found-by: Dale Curtis Tested-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit dabea74d0e82ea80cd344f630497cafcb3ef872c) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 25fe70ae31..29379f4382 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -164,7 +164,7 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) s->mb_height = (s->avctx->coded_height + 15) / 16; s->mb_layout = is_vp7 || avctx->active_thread_type == FF_THREAD_SLICE && - FFMIN(s->num_coeff_partitions, avctx->thread_count) > 1; + avctx->thread_count > 1; if (!s->mb_layout) { // Frame threading and one thread s->macroblocks_base = av_mallocz((s->mb_width + s->mb_height * 2 + 1) * sizeof(*s->macroblocks)); From 54e94522b899111dd4b9f93386d582d26859ead5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Nov 2015 22:12:37 +0100 Subject: [PATCH 210/380] avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized Fixes out of array access Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4ea4d2f438c9a7eba37980c9a87be4b34943e4d5) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 10f4d77380..9cbe8d2966 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1086,6 +1086,7 @@ static int h264_slice_header_init(H264Context *h) nb_slices = max_slices; } h->slice_context_count = nb_slices; + h->max_contexts = FFMIN(h->max_contexts, nb_slices); if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) { ret = ff_h264_slice_context_init(h, &h->slice_ctx[0]); From 1258bdf7f0985ec489e2767a1a633bb47ceecc92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 12:11:29 +0100 Subject: [PATCH 211/380] avcodec/cabac_functions: Fix "left shift of negative value -31767" Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit a1f6b05f5228979dab0e149deca7a30d22e98af5) Signed-off-by: Michael Niedermayer --- libavcodec/cabac_functions.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 15dba29f8e..4e132535e1 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -74,7 +74,8 @@ static inline void renorm_cabac_decoder_once(CABACContext *c){ #ifndef get_cabac_inline static void refill2(CABACContext *c){ - int i, x; + int i; + unsigned x; x= c->low ^ (c->low-1); i= 7 - ff_h264_norm_shift[x>>(CABAC_BITS-1)]; From ed3d4336769425912b925dc46c8d647fbfb4a400 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 13:37:50 +0100 Subject: [PATCH 212/380] avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8) Conflicts: libavcodec/cabac.h --- libavcodec/cabac.c | 5 ++++- libavcodec/cabac.h | 2 +- libavcodec/cabac_functions.h | 3 ++- libavcodec/h264_cabac.c | 5 ++++- libavcodec/h264_slice.c | 4 +++- 5 files changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index 8cc9333e09..f298336ea4 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c @@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){ * * @param buf_size size of buf in bits */ -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ c->bytestream_start= c->bytestream= buf; c->bytestream_end= buf + buf_size; @@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ #endif c->low+= ((*c->bytestream++)<<2) + 2; c->range= 0x1FE; + if ((c->range<<(CABAC_BITS+1)) < c->low) + return AVERROR_INVALIDDATA; + return 0; } void ff_init_cabac_states(void) diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h index f9eafed105..857211c9d9 100644 --- a/libavcodec/cabac.h +++ b/libavcodec/cabac.h @@ -56,7 +56,7 @@ typedef struct CABACContext{ }CABACContext; void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size); -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); void ff_init_cabac_states(void); #endif /* AVCODEC_CABAC_H */ diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 4e132535e1..2d1d2a6b89 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) { #endif if ((int) (c->bytestream_end - ptr) < n) return NULL; - ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n); + if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0) + return NULL; return ptr; } diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index c1c8b80855..04d412b74b 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -2026,6 +2026,7 @@ decode_intra_mb: const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3; const uint8_t *ptr; + int ret; // We assume these blocks are very rare so we do not optimize it. // FIXME The two following lines get the bitstream position in the cabac @@ -2042,7 +2043,9 @@ decode_intra_mb: sl->intra_pcm_ptr = ptr; ptr += mb_size; - ff_init_cabac_decoder(&sl->cabac, ptr, sl->cabac.bytestream_end - ptr); + ret = ff_init_cabac_decoder(&sl->cabac, ptr, sl->cabac.bytestream_end - ptr); + if (ret < 0) + return ret; // All blocks are present h->cbp_table[mb_xy] = 0xf7ef; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 9cbe8d2966..2f32948f43 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -2319,9 +2319,11 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) align_get_bits(&sl->gb); /* init cabac */ - ff_init_cabac_decoder(&sl->cabac, + ret = ff_init_cabac_decoder(&sl->cabac, sl->gb.buffer + get_bits_count(&sl->gb) / 8, (get_bits_left(&sl->gb) + 7) / 8); + if (ret < 0) + return ret; ff_h264_init_cabac_states(h, sl); From 0cd23e0d1e89c0f7faecea997ade67b56abbc83d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 18:30:05 +0100 Subject: [PATCH 213/380] avcodec/hevc: Check entry_point_offsets Fixes out of array read Fixes: 007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 05e7f12da3..8e7e736bb5 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2426,7 +2426,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) HEVCLocalContext *lc = s->HEVClc; int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); - int offset; + int64_t offset; int startheader, cmpt = 0; int i, j, res = 0; @@ -2473,6 +2473,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) } if (s->sh.num_entry_point_offsets != 0) { offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] - cmpt; + if (length < offset) { + av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is corrupted\n"); + res = AVERROR_INVALIDDATA; + goto error; + } s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset; s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset; @@ -2499,6 +2504,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) for (i = 0; i <= s->sh.num_entry_point_offsets; i++) res += ret[i]; +error: av_free(ret); av_free(arg); return res; From 8ef86669ca25b71a61e4b69d428b69b5d71ec7b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 20:52:39 +0100 Subject: [PATCH 214/380] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() Fixes out of array access Fixes: 01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 75422280fbcdfbe9dc56bde5525b4d8b280f1bc5) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index ceceda36dc..015a4fec27 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -555,6 +555,9 @@ int ff_dwt_encode(DWTContext *s, void *t) int ff_dwt_decode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch (s->type) { case FF_DWT97: dwt_decode97_float(s, t); From c1db1a5ff47fd3b99cb074c761d76fd0bf05dd82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 21:02:13 +0100 Subject: [PATCH 215/380] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() Signed-off-by: Michael Niedermayer (cherry picked from commit feb3f39614b88c113211a98dda1bc2fe5c3c6957) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 015a4fec27..925adea13b 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -540,6 +540,9 @@ int ff_jpeg2000_dwt_init(DWTContext *s, uint16_t border[2][2], int ff_dwt_encode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch(s->type){ case FF_DWT97: dwt_encode97_float(s, t); break; From 694416e327c2fb6495cbc62f63acec65d8c5446c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 22:45:46 +0100 Subject: [PATCH 216/380] avcodec/hevc_cabac: Fix multiple integer overflows Fixes: 04ec80eefa77aecd7a49a442cc02baea/asan_heap-oob_19544fa_3303_1905796cd9d8e15f86d664332caabc00.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d5028f61e44b7607b6a547f218f7d85217490a5b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 3d16896b3c..c1c9f20388 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -883,11 +883,13 @@ static av_always_inline int mvd_decode(HEVCContext *s) int k = 1; while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { - ret += 1 << k; + ret += 1U << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return 0; + } while (k--) ret += get_cabac_bypass(&s->HEVClc->cc) << k; return get_cabac_bypass_sign(&s->HEVClc->cc, -ret); @@ -1025,8 +1027,10 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; - if (prefix == CABAC_MAX_BIN) + if (prefix == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); + return 0; + } if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); From 4fe6f9f6271c3e33ec9fddc3dbac17c0436c0f9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 23:33:03 +0100 Subject: [PATCH 217/380] avcodec/hevc: allocate entries unconditionally Fixes out of array access Fixes: 08664a2a7921ef48172f26495c7455be/asan_heap-oob_23036c6_3301_523388ef84285a0270caf67a43247b59.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d85aa76115214183e7e3b7d65e950da61474959a) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 8e7e736bb5..b52a6d13a5 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2436,11 +2436,9 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) return AVERROR(ENOMEM); } + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { - ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); - - for (i = 1; i < s->threads_number; i++) { s->sList[i] = av_malloc(sizeof(HEVCContext)); memcpy(s->sList[i], s, sizeof(HEVCContext)); From c1d29678f1ca993e201b32b8e4af3f9846c5db32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 00:23:54 +0100 Subject: [PATCH 218/380] avcodec/vp3: Clear context on reinitialization failure Fixes null pointer dereference Fixes: 1536b9b096a8f95b742bae9d3d761cc6/signal_sigsegv_294aaed_2039_8d1797aeb823ea43858d0fa45c9eb899.ogv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 6105b7219a90438deae71b0dc5a034c71ee30fc0) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 2c8a8fec91..26c2ea7ee6 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2014,17 +2014,19 @@ static int vp3_decode_frame(AVCodecContext *avctx, vp3_decode_end(avctx); ret = theora_decode_header(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); + } return ret; } else if (type == 2) { ret = theora_decode_tables(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); + } return ret; } From 6c25411c06a9867eb993ad2c0ee477b4573516c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 17:26:05 +0100 Subject: [PATCH 219/380] avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() Fixes integer overflow Fixes: 3a45b2ae02f2cf12b7bd99543cdcdae5/asan_heap-oob_1dff502_8022_899f75e1e81046ebd7b6c2394a1419f4.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4f03bebc79f76df3a3e5bb9e1bc32baabfb7797c) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index cc689d8aaf..f960295830 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3115,8 +3115,8 @@ void avcodec_string(char *buf, int buf_size, AVCodecContext *enc, int encode) if (enc->sample_aspect_ratio.num) { av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den, - enc->width * enc->sample_aspect_ratio.num, - enc->height * enc->sample_aspect_ratio.den, + enc->width * (int64_t)enc->sample_aspect_ratio.num, + enc->height * (int64_t)enc->sample_aspect_ratio.den, 1024 * 1024); snprintf(buf + strlen(buf), buf_size - strlen(buf), " [SAR %d:%d DAR %d:%d]", From fad0748b9221fbc7ca806e2ca9aac84927cd7234 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 20:08:46 +0100 Subject: [PATCH 220/380] avcodec/utils: Clear dimensions in ff_get_buffer() on failure Fixes out of array access Fixes: 482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit abee0a1c60612e8638640a8a3738fffb65e16dbf) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index f960295830..0e8e466051 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1037,8 +1037,10 @@ end: int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags) { int ret = get_buffer_internal(avctx, frame, flags); - if (ret < 0) + if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + frame->width = frame->height = 0; + } return ret; } From 900039e7dc321ca33db696f7ae11b4058d6494ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Nov 2015 03:25:41 +0100 Subject: [PATCH 221/380] avcodec/h264_refs: Check that long references match before use Fixes out of array read Fixes: 59bb925e90201fa0f87f0a31945d43b5/asan_heap-oob_4a52e5_3388_66027f11e3d072f1e02401ecc6193361.jvt Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit aa427537b529cd584cd73222980286d36a00fe28) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 548a3ba8df..2d787a5e28 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -122,6 +122,14 @@ static int add_sorted(H264Picture **sorted, H264Picture **src, int len, int limi return out_i; } +static int mismatches_ref(H264Context *h, H264Picture *pic) +{ + AVFrame *f = pic->f; + return (h->cur_pic_ptr->f->width != f->width || + h->cur_pic_ptr->f->height != f->height || + h->cur_pic_ptr->f->format != f->format); +} + int ff_h264_fill_default_ref_list(H264Context *h, H264SliceContext *sl) { int i, len; @@ -193,10 +201,7 @@ int ff_h264_fill_default_ref_list(H264Context *h, H264SliceContext *sl) for (j = 0; j<1+(sl->slice_type_nos == AV_PICTURE_TYPE_B); j++) { for (i = 0; i < sl->ref_count[j]; i++) { if (h->default_ref_list[j][i].parent) { - AVFrame *f = h->default_ref_list[j][i].parent->f; - if (h->cur_pic_ptr->f->width != f->width || - h->cur_pic_ptr->f->height != f->height || - h->cur_pic_ptr->f->format != f->format) { + if (mismatches_ref(h, h->default_ref_list[j][i].parent)) { av_log(h->avctx, AV_LOG_ERROR, "Discarding mismatching reference\n"); memset(&h->default_ref_list[j][i], 0, sizeof(h->default_ref_list[j][i])); } @@ -305,7 +310,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h, H264SliceContext *sl) } ref = h->long_ref[long_idx]; assert(!(ref && !ref->reference)); - if (ref && (ref->reference & pic_structure)) { + if (ref && (ref->reference & pic_structure) && !mismatches_ref(h, ref)) { ref->pic_id = pic_id; assert(ref->long_ref); i = 0; From cf1f615b67a4a486176b9aeaedeceef0337023e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:40:32 +0100 Subject: [PATCH 222/380] avformat/dump: Fix integer overflow in av_dump_format() Fixes part of mozilla bug 1229167 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 8e7f4520226d2d9ad6a58ad6c32d1455a8b244b2) Signed-off-by: Michael Niedermayer --- libavformat/dump.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dump.c b/libavformat/dump.c index 7bb593c013..7a746b3e0f 100644 --- a/libavformat/dump.c +++ b/libavformat/dump.c @@ -493,7 +493,7 @@ void av_dump_format(AVFormatContext *ic, int index, av_log(NULL, AV_LOG_INFO, " Duration: "); if (ic->duration != AV_NOPTS_VALUE) { int hours, mins, secs, us; - int64_t duration = ic->duration + 5000; + int64_t duration = ic->duration + (ic->duration <= INT64_MAX - 5000 ? 5000 : 0); secs = duration / AV_TIME_BASE; us = duration % AV_TIME_BASE; mins = secs / 60; From 07a30246315b568fc2155e17a4e78529082657ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:41:43 +0100 Subject: [PATCH 223/380] avutil/integer: Fix av_mod_i() with negative dividend Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9cb18855d29c96a5d9d2f5ad30448cae3a2ddf) Signed-off-by: Michael Niedermayer --- libavutil/integer.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavutil/integer.c b/libavutil/integer.c index 5bcde0dc6e..6d6855fa1b 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c @@ -29,6 +29,8 @@ #include "integer.h" #include "avassert.h" +static const AVInteger zero_i; + AVInteger av_add_i(AVInteger a, AVInteger b){ int i, carry=0; @@ -111,6 +113,12 @@ AVInteger av_mod_i(AVInteger *quot, AVInteger a, AVInteger b){ AVInteger quot_temp; if(!quot) quot = "_temp; + if ((int16_t)a.v[AV_INTEGER_SIZE-1] < 0) { + a = av_mod_i(quot, av_sub_i(zero_i, a), b); + *quot = av_sub_i(zero_i, *quot); + return av_sub_i(zero_i, a); + } + av_assert2((int16_t)a.v[AV_INTEGER_SIZE-1] >= 0 && (int16_t)b.v[AV_INTEGER_SIZE-1] >= 0); av_assert2(av_log2_i(b)>=0); From 88ccca204ab67d8eda5745a94eed69882af6a3dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:44:23 +0100 Subject: [PATCH 224/380] avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd The code expects actual positive numbers and gives completely wrong results if INT64_MIN is treated as positive Instead clip it into the valid range that is add 1 and treat it as negative Signed-off-by: Michael Niedermayer (cherry picked from commit 25e37f5ea92d4201976a59ae306ce848d257a7e6) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 126cffc3f0..b1ffd652de 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -76,8 +76,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) rnd -= AV_ROUND_PASS_MINMAX; } - if (a < 0 && a != INT64_MIN) - return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd >> 1) & 1)); + if (a < 0) + return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; From fc69fa8474ae2a3b3420074c17c908e0204c82af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Nov 2015 23:44:40 +0100 Subject: [PATCH 225/380] avcodec/mpeg4videodec: Check available data before reading custom matrix Fixes: out of array read Fixes: 76c515fc3779d1b838667c61ea13ce92/asan_heap-oob_1fc0d07_8913_794a4629a264ebdb25b58d3a94ed1785.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 891dc8f87536ac2ec695c70d081345224524ad99) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index e151f9ee8e..dd2414b9ed 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1875,6 +1875,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; @@ -1898,6 +1902,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; From 710dccf0360baa7375130b31c7ccae17a5aaa601 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Nov 2015 03:32:36 +0100 Subject: [PATCH 226/380] avcodec/vp3: always set pix_fmt in theora_decode_header() Fixes assertion failure Fixes: d0bb0662da342ec65f8f2a081222e6b9/signal_sigabrt_7ffff6ae7cc9_5471_82964f0a9ac2f4d3d59390c15473f6f7.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a814f1d364ba912adf61adef158168c5f7604e93) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 26c2ea7ee6..33c3e3992b 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2321,7 +2321,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) return AVERROR_INVALIDDATA; } skip_bits(gb, 3); /* reserved */ - } + } else + avctx->pix_fmt = AV_PIX_FMT_YUV420P; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) From d259a0534ee2f89b103cfc52b988b452c6411662 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Dec 2015 21:16:27 +0100 Subject: [PATCH 227/380] avcodec/apedec: Check length in long_filter_high_3800() Fixes out of array read Fixes: 0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 03afd756dc..9984b4099b 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -892,6 +892,9 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len int32_t dotprod, sign; int32_t coeffs[256], delay[256]; + if (order >= length) + return; + memset(coeffs, 0, order * sizeof(*coeffs)); for (i = 0; i < order; i++) delay[i] = buffer[i]; From 86a52988bd50b16d7f4c52e610de00d5354c5174 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 13:32:31 +0100 Subject: [PATCH 228/380] avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows Fixes integer overflow Fixes: mozilla bug 1229167 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit f03c2ceec174877e03bb302f5971fbe9ffbe4856) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index b1ffd652de..4d8467b8c8 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -77,7 +77,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) } if (a < 0) - return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); + return -(uint64_t)av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; @@ -87,8 +87,13 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) if (b <= INT_MAX && c <= INT_MAX) { if (a <= INT_MAX) return (a * b + r) / c; - else - return a / c * b + (a % c * b + r) / c; + else { + int64_t ad = a / c; + int64_t a2 = (a % c * b + r) / c; + if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b) + return INT64_MIN; + return ad * b + a2; + } } else { #if 1 uint64_t a0 = a & 0xFFFFFFFF; @@ -112,6 +117,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) t1++; } } + if (t1 > INT64_MAX) + return INT64_MIN; return t1; } #else From da87a699ea9c1ba0b330413528dbca29bcc54ef8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2015 03:14:11 +0100 Subject: [PATCH 229/380] avutil/timecode: Fix fps check The fps variable is explicitly set to -1 in case of some errors, the check must thus be signed or the code setting it needs to use 0 as error code the type of the field could be changed as well but its in an installed header Fixes: integer overflow Fixes: 9982cc157b1ea90429435640a989122f/asan_generic_3ad004a_3799_22cf198d9cd09928e2d9ad250474fa58.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b46dcd5209a77254345ae098b83a872634c5591b) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 1dfd040868..bf463ed515 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -151,7 +151,7 @@ static int check_fps(int fps) static int check_timecode(void *log_ctx, AVTimecode *tc) { - if (tc->fps <= 0) { + if ((int)tc->fps <= 0) { av_log(log_ctx, AV_LOG_ERROR, "Timecode frame rate must be specified\n"); return AVERROR(EINVAL); } From 76cb34f7f5b8608670d1998b587ef9e12856ab99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Sat, 28 Nov 2015 08:27:39 +0200 Subject: [PATCH 230/380] mpegencts: Fix overflow in cbr mode period calculations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ts->mux_rate is int (signed 32-bit) type. The period calculations will start to overflow when mux_rate > 5mbps. This fixes overflows by converting first to 64-bit type. Fixes #5044. Signed-off-by: Timo Teräs Signed-off-by: Michael Niedermayer (cherry picked from commit 64f7db554ee83846f207e82a08946a6a5a6acfe2) Signed-off-by: Michael Niedermayer --- libavformat/mpegtsenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 9efa9fc362..043a80f4e6 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -751,11 +751,11 @@ static int mpegts_write_header(AVFormatContext *s) ts_st = pcr_st->priv_data; if (ts->mux_rate > 1) { - service->pcr_packet_period = (ts->mux_rate * ts->pcr_period) / + service->pcr_packet_period = (int64_t)ts->mux_rate * ts->pcr_period / (TS_PACKET_SIZE * 8 * 1000); - ts->sdt_packet_period = (ts->mux_rate * SDT_RETRANS_TIME) / + ts->sdt_packet_period = (int64_t)ts->mux_rate * SDT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); - ts->pat_packet_period = (ts->mux_rate * PAT_RETRANS_TIME) / + ts->pat_packet_period = (int64_t)ts->mux_rate * PAT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); if (ts->copyts < 1) From e3ffc7ab4a07cfaa25b6a36e78e91cf47a47c942 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 12:47:20 +0100 Subject: [PATCH 231/380] avcodec/vp3: Fix "runtime error: left shift of negative value" Fixes: 5c6129154b356b80bcab86f9e3ee5d29/signal_sigabrt_7ffff6ae7cc9_7322_d26ac6d7cb6567db1b8be0159b387d0b.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 18268f761bffb37552f59f87542fef3d5c80618c) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 33c3e3992b..fbb7da7dee 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -209,8 +209,8 @@ typedef struct Vp3DecodeContext { int16_t *dct_tokens[3][64]; int16_t *dct_tokens_base; #define TOKEN_EOB(eob_run) ((eob_run) << 2) -#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) << 9) + ((zero_run) << 2) + 1) -#define TOKEN_COEFF(coeff) (((coeff) << 2) + 2) +#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) * 512) + ((zero_run) << 2) + 1) +#define TOKEN_COEFF(coeff) (((coeff) * 4) + 2) /** * number of blocks that contain DCT coefficients at From 4e80d4bf25589f3beecc5e0633b148cc113fe708 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:06:16 +0100 Subject: [PATCH 232/380] avformat/smacker: fix integer overflow with pts_inc Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 5dcf4adafe..de8bbdb07a 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s) smk->height = avio_rl32(pb); smk->frames = avio_rl32(pb); smk->pts_inc = (int32_t)avio_rl32(pb); + if (smk->pts_inc > INT_MAX / 100) { + av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc); + return AVERROR_INVALIDDATA; + } + smk->flags = avio_rl32(pb); if(smk->flags & SMACKER_FLAG_RING_FRAME) smk->frames++; From bdf79f29db6ff5ebd7d09082734c6e39f5afc39f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:11:23 +0100 Subject: [PATCH 233/380] avcodec/wmaprodec: Fix overflow of cutoff Fixes: 129ca3e28d73af7b1e24a9d4118e7a2d/signal_sigabrt_7ffff6ae7cc9_836_762b310fc3ef6087bd7771e5d8e90b9b.asf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0c56f8303e676556ea09bfac73d881c6c9057259) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index ecc3aaef54..5b59da51a0 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -477,7 +477,7 @@ static av_cold int decode_init(AVCodecContext *avctx) /** calculate subwoofer cutoff values */ for (i = 0; i < num_possible_block_sizes; i++) { int block_size = s->samples_per_frame >> i; - int cutoff = (440*block_size + 3 * (s->avctx->sample_rate >> 1) - 1) + int cutoff = (440*block_size + 3LL * (s->avctx->sample_rate >> 1) - 1) / s->avctx->sample_rate; s->subwoofer_cutoffs[i] = av_clip(cutoff, 4, block_size); } From 1601420be4b505d4b9f8f2d92d37e19a44cc42bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:48:06 +0100 Subject: [PATCH 234/380] avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows Fixes: 549d5aab1480d10f2a775ed90b0342f1/signal_sigabrt_7ffff6ae7cc9_5643_96bbb0cfe3e28be1dadfce1075016345.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 66e05f6ff5e5c105bdd7bf3a49234ddac1b592c5) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 5b59da51a0..8653bdab6b 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -300,6 +300,12 @@ static av_cold int decode_init(AVCodecContext *avctx) s->decode_flags = AV_RL16(edata_ptr+14); channel_mask = AV_RL32(edata_ptr+2); s->bits_per_sample = AV_RL16(edata_ptr); + + if (s->bits_per_sample > 32 || s->bits_per_sample < 1) { + avpriv_request_sample(avctx, "bits per sample is %d", s->bits_per_sample); + return AVERROR_PATCHWELCOME; + } + /** dump the extradata */ for (i = 0; i < avctx->extradata_size; i++) ff_dlog(avctx, "[%x] ", avctx->extradata[i]); From d092b7f04ca8dfb977343aa12289b6b6123260ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:11:54 +0100 Subject: [PATCH 235/380] avcodec/dirac_parser: Fix potential overflows in pointer checks Signed-off-by: Michael Niedermayer (cherry picked from commit 79798f7c57b098c78e0bbc6becd64b9888b013d1) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 83c35a2010..12f1a60145 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -100,10 +100,12 @@ typedef struct DiracParseUnit { static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, int offset) { - uint8_t *start = pc->buffer + offset; - uint8_t *end = pc->buffer + pc->index; - if (start < pc->buffer || (start + 13 > end)) + int8_t *start; + + if (offset < 0 || pc->index - 13 < offset) return 0; + + start = pc->buffer + offset; pu->pu_type = start[4]; pu->next_pu_offset = AV_RB32(start + 5); From ece3912daf656651b092f2362f62203594418a3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:14:36 +0100 Subject: [PATCH 236/380] avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset Signed-off-by: Michael Niedermayer (cherry picked from commit c7d6ec947c053699950af90f695413a5640b3872) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 12f1a60145..c7c4b697c8 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -114,6 +114,15 @@ static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, if (pu->pu_type == 0x10 && pu->next_pu_offset == 0) pu->next_pu_offset = 13; + if (pu->next_pu_offset && pu->next_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "next_pu_offset %d is invalid\n", pu->next_pu_offset); + return 0; + } + if (pu->prev_pu_offset && pu->prev_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "prev_pu_offset %d is invalid\n", pu->prev_pu_offset); + return 0; + } + return 1; } From d17298b666bcbaba2931d98a292c866c29cc94da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:15:38 +0100 Subject: [PATCH 237/380] avcodec/dirac_parser: Check that there is a previous PU before accessing it Fixes out of array read Fixes: 99d142c47e6ba3510a74b872a1a2ae72/asan_heap-oob_11b36f4_3811_0f5c69e7609a88a580135678de1df844.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a08681f1e614152184615e2bcd71c3d63835f810) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index c7c4b697c8..1ca7e31f1c 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -201,7 +201,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, } /* Get the picture number to set the pts and dts*/ - if (parse_timing_info) { + if (parse_timing_info && pu1.prev_pu_offset >= 13) { uint8_t *cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset; int pts = AV_RB32(cur_pu + 13); From 5af5396970b7cbaf22bd8754257f9bf9ffb36297 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 22:08:59 +0100 Subject: [PATCH 238/380] avcodec/hevc: Fix integer overflow of entry_point_offset Fixes out of array read Fixes: d41d8cd98f00b204e9800998ecf8427e/signal_sigsegv_321165b_7641_077dfcd8cbc80b1c0b470c8554cd6ffb.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 214085852491448631dcecb008b5d172c11b8892) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 4 ++-- libavcodec/hevc.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index b52a6d13a5..c520878b52 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -730,7 +730,7 @@ static int hls_slice_header(HEVCContext *s) av_freep(&sh->entry_point_offset); av_freep(&sh->offset); av_freep(&sh->size); - sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); + sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned)); sh->offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); sh->size = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); if (!sh->entry_point_offset || !sh->offset || !sh->size) { @@ -2427,7 +2427,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int64_t offset; - int startheader, cmpt = 0; + int64_t startheader, cmpt = 0; int i, j, res = 0; if (!ret || !arg) { diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 2b47de24f8..96fc25897c 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -609,7 +609,7 @@ typedef struct SliceHeader { unsigned int max_num_merge_cand; ///< 5 - 5_minus_max_num_merge_cand - int *entry_point_offset; + unsigned *entry_point_offset; int * offset; int * size; int num_entry_point_offsets; From dc0bc71471bff6dedd371d97c0b1a45d0ea59042 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 21:44:05 +0100 Subject: [PATCH 239/380] swscale/utils: Fix for runtime error: left shift of negative value -1 Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 325b59368dae3c3f2f5cc39873002b4cf133ccbc) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 63fb05ccfd..93cbad79c9 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -384,7 +384,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x10000LL)>>7); for (i = 0; i < dstW; i++) { - int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 17); + int xx = (xDstInSrc - (filterSize - 2) * (1LL<<16)) / (1 << 17); int j; (*filterPos)[i] = xx; for (j = 0; j < filterSize; j++) { From 0a06e2824a675fb778cd98ccab35a8936db569b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 21:38:12 +0100 Subject: [PATCH 240/380] avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int Fixes: b293a6479bb4b5286cff24d356bfd955/asan_generic_225c3c9_7819_cc526b657450c6cdef1371b526499626.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4f2419888ba49245761f4ab343679c38e7880cfe) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 0d307f5302..e567f53ab4 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -33,7 +33,7 @@ #include "libavutil/imgutils.h" #include "libavutil/opt.h" -#define RGBA(r,g,b,a) (((a) << 24) | ((r) << 16) | ((g) << 8) | (b)) +#define RGBA(r,g,b,a) (((unsigned)(a) << 24) | ((r) << 16) | ((g) << 8) | (b)) #define MAX_EPOCH_PALETTES 8 // Max 8 allowed per PGS epoch #define MAX_EPOCH_OBJECTS 64 // Max 64 allowed per PGS epoch #define MAX_OBJECT_REFS 2 // Max objects per display set From 0f331f94c0db42647bb950c8ae529e43215c32df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 16:23:24 +0100 Subject: [PATCH 241/380] avcodec/jpeg2000dec: Check bpno in decode_cblk() Fixes: undefined shift Fixes: c409ef86f892335a0a164b5871174d5a/asan_heap-oob_1dff564_2159_162b7234616deab02b544410455eb07b.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a85b02dcf70f62a6a433a607143f1f78fa5648bb) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index caaf2f7614..54006afaf7 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1106,6 +1106,10 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty, ff_mqc_initdec(&t1->mqc, cblk->data); while (passno--) { + if (bpno < 0) { + av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n"); + return AVERROR_INVALIDDATA; + } switch(pass_t) { case 0: decode_sigpass(t1, width, height, bpno + 1, bandpos, From 548a07cdc439def22a24d64a9092830af9ea7e2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Dec 2015 22:59:56 +0100 Subject: [PATCH 242/380] avcodec/vp3: ensure header is parsed successfully before tables Fixes assertion failure Fixes: 266ee543812e934f7b4a72923a2701d4/signal_sigabrt_7ffff6ae7cc9_7322_85218d61759d461bdf7387180e8000c9.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 26379d4fddc17cac853ef297ff327b58c44edbad) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index fbb7da7dee..1670aba747 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -131,7 +131,7 @@ static const uint8_t hilbert_offset[16][2] = { typedef struct Vp3DecodeContext { AVCodecContext *avctx; - int theora, theora_tables; + int theora, theora_tables, theora_header; int version; int width, height; int chroma_x_shift, chroma_y_shift; @@ -2251,6 +2251,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); @@ -2356,6 +2357,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) avctx->color_trc = AVCOL_TRC_BT709; } + s->theora_header = 1; return 0; } @@ -2364,6 +2366,9 @@ static int theora_decode_tables(AVCodecContext *avctx, GetBitContext *gb) Vp3DecodeContext *s = avctx->priv_data; int i, n, matrices, inter, plane; + if (!s->theora_header) + return AVERROR_INVALIDDATA; + if (s->theora >= 0x030200) { n = get_bits(gb, 3); /* loop filter limit values table */ From d013f51303de27126f92dfa4357c14243019037a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 13:42:05 +0100 Subject: [PATCH 243/380] avcodec/hevc: Check max ctb addresses for WPP Fixes out of array read Fixes: 2f95ddd996db8a6281d2e18c184595a7/asan_heap-oob_192fe91_3330_58e4441181e30a66c19f743dcb392347.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dad354f38ddc9bfc834bc21358a1d0ad41532ca0) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index c520878b52..7d1565e0df 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2436,6 +2436,15 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) return AVERROR(ENOMEM); } + if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * s->sps->ctb_width >= s->sps->ctb_width * s->sps->ctb_height) { + av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d %d)\n", + s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets, + s->sps->ctb_width, s->sps->ctb_height + ); + res = AVERROR_INVALIDDATA; + goto error; + } + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { From 9a8d2f51cf0548aa3724e2a46e58416b333c755f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 2 Dec 2015 21:52:23 +0100 Subject: [PATCH 244/380] mjpegdec: consider chroma subsampling in size check If the chroma components are subsampled, smaller buffers are allocated for them. In that case the maximal block_offset for the chroma components is not as large as for the luma component. This fixes out of bounds writes causing segmentation faults or memory corruption. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 30fc99a045..48f5ca4caf 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1241,7 +1241,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, int mb_bitmask_size, const AVFrame *reference) { - int i, mb_x, mb_y; + int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width, chroma_height; uint8_t *data[MAX_COMPONENTS]; const uint8_t *reference_data[MAX_COMPONENTS]; int linesize[MAX_COMPONENTS]; @@ -1258,6 +1258,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, s->restart_count = 0; + av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift, + &chroma_v_shift); + chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift); + chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift); + for (i = 0; i < nb_components; i++) { int c = s->comp_index[i]; data[c] = s->picture_ptr->data[c]; @@ -1294,8 +1299,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - if ( 8*(h * mb_x + x) < s->width - && 8*(v * mb_y + y) < s->height) { + if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ? chroma_width : s->width) + && 8*(v * mb_y + y) < ((c == 1) || (c == 2) ? chroma_height : s->height)) { ptr = data[c] + block_offset; } else ptr = NULL; From 8be41ad2bb3201aac6ec608e860ecb3e4ff02c26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 17:39:38 +0100 Subject: [PATCH 245/380] avutil/mathematics: Fix division by 0 Fixes: CID1341571 Signed-off-by: Michael Niedermayer (cherry picked from commit bc8b1e694cc395fdf5e2917377ef11263c937d85) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 4d8467b8c8..78a87d8457 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -90,7 +90,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) else { int64_t ad = a / c; int64_t a2 = (a % c * b + r) / c; - if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b) + if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b) return INT64_MIN; return ad * b + a2; } From 5c7ffbbda3e7addc63702ff51cee95c33457f194 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 16:16:46 +0100 Subject: [PATCH 246/380] avformat/matroskaenc: Check codecdelay before use Fixes CID1238790 Signed-off-by: Michael Niedermayer (cherry picked from commit e6971db12b8ae49712b77378fa8141de4904082b) Signed-off-by: Michael Niedermayer --- libavformat/matroskaenc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 3b525ad4d4..dd4f356eea 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -904,14 +904,18 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv, } if (codec->codec_type == AVMEDIA_TYPE_AUDIO && codec->initial_padding && codec->codec_id == AV_CODEC_ID_OPUS) { + int64_t codecdelay = av_rescale_q(codec->initial_padding, + (AVRational){ 1, codec->sample_rate }, + (AVRational){ 1, 1000000000 }); + if (codecdelay < 0) { + av_log(s, AV_LOG_ERROR, "Initial padding is invalid\n"); + return AVERROR(EINVAL); + } // mkv->tracks[i].ts_offset = av_rescale_q(codec->initial_padding, // (AVRational){ 1, codec->sample_rate }, // st->time_base); - put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, - av_rescale_q(codec->initial_padding, - (AVRational){ 1, codec->sample_rate }, - (AVRational){ 1, 1000000000 })); + put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, codecdelay); } if (codec->codec_id == AV_CODEC_ID_OPUS) { put_ebml_uint(pb, MATROSKA_ID_SEEKPREROLL, OPUS_SEEK_PREROLL); From 93fa19addf6dcf503989709de083b33443dc65c5 Mon Sep 17 00:00:00 2001 From: Rainer Hochecker Date: Sun, 15 Nov 2015 13:58:50 +0100 Subject: [PATCH 247/380] avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec Fixes a mpegts file with hevc that fails estimating duration. Increasing number of retries fixes the issue. Signed-off-by: Michael Niedermayer (cherry picked from commit 2d8c2f1a28073d451c7db31291c333cb15ca3d0b) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5729b0bde6..47d07071b7 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2391,7 +2391,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) } #define DURATION_MAX_READ_SIZE 250000LL -#define DURATION_MAX_RETRY 4 +#define DURATION_MAX_RETRY 6 /* only usable for MPEG-PS streams */ static void estimate_timings_from_pts(AVFormatContext *ic, int64_t old_offset) From a9ce4583dfbb65dc2d0d7483f11c6e71b413bac8 Mon Sep 17 00:00:00 2001 From: zjh8890 <243186085@qq.com> Date: Sun, 22 Nov 2015 00:07:35 +0800 Subject: [PATCH 248/380] avcodec/aarch64/neon.S: Update neon.s for transpose_4x4H The transpose_4x4H is wrong which cost me much time to find this bug. The orders of r2 and r3 are wrong, this bug waste me much time while I make aarch64 arm instruction which used the function. (cherry picked from commit c18176bd551b4616757080376707637e30547fd0) Signed-off-by: Michael Niedermayer --- libavcodec/aarch64/neon.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aarch64/neon.S b/libavcodec/aarch64/neon.S index 619aec6426..a227cbd3f6 100644 --- a/libavcodec/aarch64/neon.S +++ b/libavcodec/aarch64/neon.S @@ -107,8 +107,8 @@ .macro transpose_4x4H r0, r1, r2, r3, r4, r5, r6, r7 trn1 \r4\().4H, \r0\().4H, \r1\().4H trn2 \r5\().4H, \r0\().4H, \r1\().4H - trn1 \r7\().4H, \r3\().4H, \r2\().4H - trn2 \r6\().4H, \r3\().4H, \r2\().4H + trn1 \r7\().4H, \r2\().4H, \r3\().4H + trn2 \r6\().4H, \r2\().4H, \r3\().4H trn1 \r0\().2S, \r4\().2S, \r7\().2S trn2 \r3\().2S, \r4\().2S, \r7\().2S trn1 \r1\().2S, \r5\().2S, \r6\().2S From 4aa876f2880c0252b547e0de9c2ca1034d6120d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Dec 2015 16:13:22 +0100 Subject: [PATCH 249/380] avformat/mxfenc: Do not crash if there is no packet in the first stream Fixes: Ticket4914 Signed-off-by: Michael Niedermayer (cherry picked from commit b51e7554e74cbf007a1cab83c7bed3ad9fa2793a) Signed-off-by: Michael Niedermayer --- libavformat/mxfenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index db7d2bf455..319d3c7e4d 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -2448,6 +2448,10 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket *pkt) } mxf->edit_units_count++; } else if (!mxf->edit_unit_byte_count && st->index == 1) { + if (!mxf->edit_units_count) { + av_log(s, AV_LOG_ERROR, "No packets in first stream\n"); + return AVERROR_PATCHWELCOME; + } mxf->index_entries[mxf->edit_units_count-1].slice_offset = mxf->body_offset - mxf->index_entries[mxf->edit_units_count-1].offset; } From e7e4c65571d8aa10c8e907991a55efbd03d7aa43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:06:04 +0100 Subject: [PATCH 250/380] swscale/x86/rgb2rgb_template: Do not crash on misaligend stride Fixes Ticket5013 Signed-off-by: Michael Niedermayer (cherry picked from commit 80bfce35ccd11458e97f68f417fc094c5347070c) --- libswscale/x86/rgb2rgb_template.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index e97ba4fe82..6524461d1b 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,8 +1887,10 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16) + if (width >= 16 #if COMPILE_TEMPLATE_SSE2 + && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1908,6 +1910,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); #else + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" From 3ffc22443579c761caec43a650db198cf165a04c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:50:20 +0100 Subject: [PATCH 251/380] swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* This also as a sideeffect fixes the non aligned case Signed-off-by: Michael Niedermayer (cherry picked from commit a066ff89bcbae6033c2ffda9271cad84f6c1b807) --- libswscale/x86/rgb2rgb_template.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 6524461d1b..a10f268009 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,10 +1887,9 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16 + if (width >= 16) { #if COMPILE_TEMPLATE_SSE2 - && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) - ) + if (!((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15)) { __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1909,8 +1908,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); -#else - ) + } else +#endif __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1936,7 +1935,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", "%"REG_a ); -#endif + + } for (w= (width&(~15)); w < width; w++) { dest[2*w+0] = src1[w]; dest[2*w+1] = src2[w]; @@ -1946,9 +1946,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui src2 += src2Stride; } __asm__( -#if !COMPILE_TEMPLATE_SSE2 EMMS" \n\t" -#endif SFENCE" \n\t" ::: "memory" ); From e56d32203289e579959f4097ad67d8305a952d7b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 2 Dec 2015 22:47:12 +0100 Subject: [PATCH 252/380] ffmdec: reject zero-sized chunks If size is zero, avio_get_str fails, leaving the buffer uninitialized. This causes invalid reads in av_set_options_string. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit a611375db532c3d5363d97b10fadd0211811a4fd) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 9b50c9f5a6..0c5865c9cf 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -414,7 +414,7 @@ static int ffm2_read_header(AVFormatContext *s) } break; case MKBETAG('S', '2', 'V', 'I'): - if (f_stvi++) { + if (f_stvi++ || !size) { ret = AVERROR(EINVAL); goto fail; } @@ -429,7 +429,7 @@ static int ffm2_read_header(AVFormatContext *s) goto fail; break; case MKBETAG('S', '2', 'A', 'U'): - if (f_stau++) { + if (f_stau++ || !size) { ret = AVERROR(EINVAL); goto fail; } From c78d268e9fa84fefe4d25af57801c6468d02dac3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 4 Dec 2015 18:13:07 +0100 Subject: [PATCH 253/380] aaccoder: prevent crash of anmr coder If minq is negative, the range of sf_idx can be larger than SCALE_MAX_DIFF allows, causing assertion failures later in encode_scale_factors. Reviewed-by: Claudio Freire Signed-off-by: Andreas Cadhalpun (cherry picked from commit 7a4652dd5da0502ff21c183b5ca7d76b1cfd6c51) Signed-off-by: Andreas Cadhalpun --- libavcodec/aaccoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index 2929f3ac44..2ab67f6fa6 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -728,7 +728,7 @@ static void search_for_quantizers_anmr(AVCodecContext *avctx, AACEncContext *s, } while (idx) { sce->sf_idx[bandaddr[idx]] = minq + q0; - minq = paths[idx][minq].prev; + minq = FFMAX(paths[idx][minq].prev, 0); idx--; } //set the same quantizers inside window groups From 435b0ab96977f92b34e84cc1ab316ce6448e987d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Dec 2015 21:02:16 +0100 Subject: [PATCH 254/380] golomb: always check for invalid UE golomb codes in get_ue_golomb Also correct the check to reject log < 7, because UPDATE_CACHE only guarantees 25 meaningful bits. This fixes undefined behavior: runtime error: shift exponent is negative Testing with START/STOP timers in get_ue_golomb, one for the first branch (A) and one for the second (B), shows that there is practically no slowdown, e.g. for the cavs decoder: With the check in the B branch: 629 decicycles in get_ue_golomb B, 4194260 runs, 44 skips 433 decicycles in get_ue_golomb A,268434102 runs, 1354 skips Without the check: 624 decicycles in get_ue_golomb B, 4194273 runs, 31 skips 433 decicycles in get_ue_golomb A,268434203 runs, 1253 skips Since the B branch is executed far less often than the A branch, this change is negligible, even more so for the h264 decoder, where the ratio B/A is a lot smaller. Fixes: mozilla bug 1230239 Fixes: fbeb8b2c7c996e9b91c6b1af319d7ebc/asan_heap-oob_195450f_2743_e8856ece4579ea486670be2b236099a0.bit Found-by: Tyson Smith Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 22e960ad478e568f4094971a58c6ad8f549c0180) Signed-off-by: Andreas Cadhalpun --- libavcodec/golomb.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index d30bb6bc86..5136a04845 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -68,7 +68,7 @@ static inline int get_ue_golomb(GetBitContext *gb) int log = 2 * av_log2(buf) - 31; LAST_SKIP_BITS(re, gb, 32 - log); CLOSE_READER(re, gb); - if (CONFIG_FTRAPV && log < 0) { + if (log < 7) { av_log(NULL, AV_LOG_ERROR, "Invalid UE golomb code\n"); return AVERROR_INVALIDDATA; } From 8b30abd0201a24f57f786a3225194d37de0afff5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 14 Dec 2015 22:11:55 +0100 Subject: [PATCH 255/380] ffm: reject invalid codec_id and codec_type A negative codec_id cannot be handled by the found_decoder API of AVStream->info: if the codec_id is not recognized, found_decoder is set to -codec_id, which has to be '<0' according to the API documentation. This can cause NULL pointer dereferencing in try_decode_frame. Also make sure the codec_type matches the expected one for codec_id. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ecf63b7cc24b9fd3e6d604313325dd1ada4db662) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 0c5865c9cf..1d1a9ae1e1 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -267,6 +267,7 @@ static int ffm2_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int ret; int f_main = 0, f_cprv = -1, f_stvi = -1, f_stau = -1; AVCodec *enc; @@ -321,7 +322,20 @@ static int ffm2_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); @@ -470,6 +484,7 @@ static int ffm_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int i, nb_streams; uint32_t tag; @@ -507,7 +522,20 @@ static int ffm_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); /* codec_type */ + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); From ea4b99f82cbe77b72d6f090b267e78acb1981a37 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 15 Dec 2015 22:00:31 +0100 Subject: [PATCH 256/380] opus_silk: fix typo causing overflow in silk_stabilize_lsf Due to this typo max_center can be too large, causing nlsf to be set to too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to overflow to a negative value, which is not allowed for nlsf and can cause an out of bounds read in silk_lsf2lpc. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f61d44b74aaae1d306d8a0d38b7b3d4292c89ced) Signed-off-by: Andreas Cadhalpun --- libavcodec/opus_silk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 841d1ed25c..73526f9800 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ /* upper extent */ for (i = order; i > k; i--) - max_center -= min_delta[k]; + max_center -= min_delta[i]; max_center -= min_delta[k] >> 1; /* move apart */ From 34b9c7612d1a8c48590f54d38d042de7a3082d9a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 15 Dec 2015 23:43:03 +0100 Subject: [PATCH 257/380] sonic: make sure num_taps * channels is not larger than frame_size If that is the case, the loop setting predictor_state in sonic_decode_frame causes out of bounds reads of int_samples, which has only frame_size number of elements. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9637c2531f7eb040ad1c3cb46cb40a63dfc77b80) Signed-off-by: Andreas Cadhalpun --- libavcodec/sonic.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index c5076f9d8e..ab947c47b0 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -925,6 +925,13 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) s->frame_size = s->channels*s->block_align*s->downsampling; // avctx->frame_size = s->block_align; + if (s->num_taps * s->channels > s->frame_size) { + av_log(avctx, AV_LOG_ERROR, + "number of taps times channels (%d * %d) larger than frame size %d\n", + s->num_taps, s->channels, s->frame_size); + return AVERROR_INVALIDDATA; + } + av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d block: %d frame: %d downsamp: %d\n", s->version, s->minor_version, s->lossless, s->decorrelation, s->num_taps, s->block_align, s->frame_size, s->downsampling); From 1586fda2fc5228a526388f4a98a890c15ce78608 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Dec 2015 18:56:13 +0100 Subject: [PATCH 258/380] avfilter/vf_mpdecimate: Add missing emms_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 997de2e8107cc4256e50611463d609b18fe9619f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_mpdecimate.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_mpdecimate.c b/libavfilter/vf_mpdecimate.c index 7cc32547ff..670bfb9291 100644 --- a/libavfilter/vf_mpdecimate.c +++ b/libavfilter/vf_mpdecimate.c @@ -131,10 +131,13 @@ static int decimate_frame(AVFilterContext *ctx, cur->data[plane], cur->linesize[plane], ref->data[plane], ref->linesize[plane], FF_CEIL_RSHIFT(ref->width, hsub), - FF_CEIL_RSHIFT(ref->height, vsub))) + FF_CEIL_RSHIFT(ref->height, vsub))) { + emms_c(); return 0; + } } + emms_c(); return 1; } From e274976c92080f4971a428f440d03a716d6328ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Dec 2015 21:14:45 +0100 Subject: [PATCH 259/380] Revert "avcodec/aarch64/neon.S: Update neon.s for transpose_4x4H" The change was not correct and broke H264 This reverts commit cd83f899c94f691b045697d12efa21f83eb2329f. (cherry picked from commit 95b59bfb9d9e47de8438183a035e02667946f27c) Signed-off-by: Michael Niedermayer --- libavcodec/aarch64/neon.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aarch64/neon.S b/libavcodec/aarch64/neon.S index a227cbd3f6..619aec6426 100644 --- a/libavcodec/aarch64/neon.S +++ b/libavcodec/aarch64/neon.S @@ -107,8 +107,8 @@ .macro transpose_4x4H r0, r1, r2, r3, r4, r5, r6, r7 trn1 \r4\().4H, \r0\().4H, \r1\().4H trn2 \r5\().4H, \r0\().4H, \r1\().4H - trn1 \r7\().4H, \r2\().4H, \r3\().4H - trn2 \r6\().4H, \r2\().4H, \r3\().4H + trn1 \r7\().4H, \r3\().4H, \r2\().4H + trn2 \r6\().4H, \r3\().4H, \r2\().4H trn1 \r0\().2S, \r4\().2S, \r7\().2S trn2 \r3\().2S, \r4\().2S, \r7\().2S trn1 \r1\().2S, \r5\().2S, \r6\().2S From a628b7083100f96e376d97e5afb12efb74f01e8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Dec 2015 22:51:00 +0100 Subject: [PATCH 260/380] avcodec/h264_slice: Simplify ref2frm indexing This also suppresses a ubsan warning Fixes Mozilla bug 1230247 Signed-off-by: Michael Niedermayer (cherry picked from commit ef8f6464a55db730cab8c48a1a51fa4e6ca12107) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 2f32948f43..f80c469986 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1940,12 +1940,12 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h, if (USES_LIST(top_type, list)) { const int b_xy = h->mb2b_xy[top_xy] + 3 * b_stride; const int b8_xy = 4 * top_xy + 2; - int (*ref2frm)[64] = (void*)(sl->ref2frm[h->slice_table[top_xy] & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2)); + int *ref2frm = sl->ref2frm[h->slice_table[top_xy] & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2); AV_COPY128(mv_dst - 1 * 8, h->cur_pic.motion_val[list][b_xy + 0]); ref_cache[0 - 1 * 8] = - ref_cache[1 - 1 * 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 0]]; + ref_cache[1 - 1 * 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 0]]; ref_cache[2 - 1 * 8] = - ref_cache[3 - 1 * 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 1]]; + ref_cache[3 - 1 * 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 1]]; } else { AV_ZERO128(mv_dst - 1 * 8); AV_WN32A(&ref_cache[0 - 1 * 8], ((LIST_NOT_USED) & 0xFF) * 0x01010101u); @@ -1955,15 +1955,15 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h, if (USES_LIST(left_type[LTOP], list)) { const int b_xy = h->mb2b_xy[left_xy[LTOP]] + 3; const int b8_xy = 4 * left_xy[LTOP] + 1; - int (*ref2frm)[64] =(void*)( sl->ref2frm[h->slice_table[left_xy[LTOP]] & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2)); + int *ref2frm = sl->ref2frm[h->slice_table[left_xy[LTOP]] & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2); AV_COPY32(mv_dst - 1 + 0, h->cur_pic.motion_val[list][b_xy + b_stride * 0]); AV_COPY32(mv_dst - 1 + 8, h->cur_pic.motion_val[list][b_xy + b_stride * 1]); AV_COPY32(mv_dst - 1 + 16, h->cur_pic.motion_val[list][b_xy + b_stride * 2]); AV_COPY32(mv_dst - 1 + 24, h->cur_pic.motion_val[list][b_xy + b_stride * 3]); ref_cache[-1 + 0] = - ref_cache[-1 + 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 2 * 0]]; + ref_cache[-1 + 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 2 * 0]]; ref_cache[-1 + 16] = - ref_cache[-1 + 24] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 2 * 1]]; + ref_cache[-1 + 24] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 2 * 1]]; } else { AV_ZERO32(mv_dst - 1 + 0); AV_ZERO32(mv_dst - 1 + 8); @@ -1988,9 +1988,9 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h, { int8_t *ref = &h->cur_pic.ref_index[list][4 * mb_xy]; - int (*ref2frm)[64] = (void*)(sl->ref2frm[sl->slice_num & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2)); - uint32_t ref01 = (pack16to32(ref2frm[list][ref[0]], ref2frm[list][ref[1]]) & 0x00FF00FF) * 0x0101; - uint32_t ref23 = (pack16to32(ref2frm[list][ref[2]], ref2frm[list][ref[3]]) & 0x00FF00FF) * 0x0101; + int *ref2frm = sl->ref2frm[sl->slice_num & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2); + uint32_t ref01 = (pack16to32(ref2frm[ref[0]], ref2frm[ref[1]]) & 0x00FF00FF) * 0x0101; + uint32_t ref23 = (pack16to32(ref2frm[ref[2]], ref2frm[ref[3]]) & 0x00FF00FF) * 0x0101; AV_WN32A(&ref_cache[0 * 8], ref01); AV_WN32A(&ref_cache[1 * 8], ref01); AV_WN32A(&ref_cache[2 * 8], ref23); From 50ce06cc7c5aa37ddab9147c13b22aaff959a43a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2015 00:20:51 +0100 Subject: [PATCH 261/380] avcodec/h264_mc_template: prefetch list1 only if it is used in the MB Fixes ubsan warning Fixes Mozilla bug 1230276 Signed-off-by: Michael Niedermayer (cherry picked from commit c8ea57664fe3ad611c9ecd234670544ddff7ca55) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mc_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_mc_template.c b/libavcodec/h264_mc_template.c index eaead35bb2..e4333a733c 100644 --- a/libavcodec/h264_mc_template.c +++ b/libavcodec/h264_mc_template.c @@ -158,6 +158,7 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl, } } - prefetch_motion(h, sl, 1, PIXEL_SHIFT, CHROMA_IDC); + if (USES_LIST(mb_type, 1)) + prefetch_motion(h, sl, 1, PIXEL_SHIFT, CHROMA_IDC); } From 5124bf8ea6c3f6d8d174e033076520bbf67d4b80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2015 21:59:42 +0100 Subject: [PATCH 262/380] avcodec/h264_refs: Fix long_idx check Fixes out of array read Fixes mozilla bug 1233606 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit b92b4775a0d07cacfdd2b4be6511f3cb362c977b) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 2d787a5e28..29045df226 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -303,7 +303,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h, H264SliceContext *sl) long_idx = pic_num_extract(h, pic_id, &pic_structure); - if (long_idx > 31) { + if (long_idx > 31U) { av_log(h->avctx, AV_LOG_ERROR, "long_term_pic_idx overflow\n"); return AVERROR_INVALIDDATA; From 4bfaa040fc47fa9a0e7b25ea80e3aecb4368544c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2015 23:21:33 +0100 Subject: [PATCH 263/380] avcodec/mpeg4videodec: also for empty partitioned slices Fixes assertion failure Fixes: id_acf3e47f864e1ee4c7b86c0653e0ff31e5bde56e.m4v Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 70f13abb4f9a376ddc0d2c566739bc3c6a0c47e7) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index dd2414b9ed..e61bb24769 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -882,7 +882,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx) const int part_a_end = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END | ER_MV_END) : ER_MV_END; mb_num = mpeg4_decode_partition_a(ctx); - if (mb_num < 0) { + if (mb_num <= 0) { ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, part_a_error); return -1; From 3e187a9a2dfacea0d76df90dd88d957938f9d33c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 16 Dec 2015 16:48:19 +0100 Subject: [PATCH 264/380] on2avc: limit number of bits to 30 in get_egolomb More don't fit into the integer output. Also use get_bits_long, since get_bits only supports reading up to 25 bits, while get_bits_long supports the full integer range. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8) Signed-off-by: Andreas Cadhalpun --- libavcodec/on2avc.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 1d8fcbc596..9ca716c8fa 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb) { int v = 4; - while (get_bits1(gb)) v++; + while (get_bits1(gb)) { + v++; + if (v > 30) { + av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n"); + v = 30; + break; + } + } - return (1 << v) + get_bits(gb, v); + return (1 << v) + get_bits_long(gb, v); } static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst, From 5b88d24f241f1ae31d86d2987b17a1db7547a509 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Dec 2015 23:17:09 +0100 Subject: [PATCH 265/380] exr: fix out of bounds read in get_code This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb) Signed-off-by: Andreas Cadhalpun --- libavcodec/exr.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 9308ae03a8..29cb4030c8 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -459,7 +459,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, lc += 8; \ } -#define get_code(po, rlc, c, lc, gb, out, oe) \ +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \ { \ if (po == rlc) { \ if (lc < 8) \ @@ -468,7 +468,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, \ cs = c >> lc; \ \ - if (out + cs > oe) \ + if (out + cs > oe || out == outb) \ return AVERROR_INVALIDDATA; \ \ s = out[-1]; \ @@ -501,7 +501,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { int j; @@ -518,7 +518,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if ((hcode[pl.p[j]] >> 6) == ((c >> (lc - l)) & ((1LL << l) - 1))) { lc -= l; - get_code(pl.p[j], rlc, c, lc, gb, out, oe); + get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); break; } } @@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { return AVERROR_INVALIDDATA; } From 7f320ed15d7ba4c4c84764888eb126daea932d7b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 18 Dec 2015 15:18:47 +0100 Subject: [PATCH 266/380] nutdec: only copy the header if it exists Fixes ubsan runtime error: null pointer passed as argument 2, which is declared to never be null Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 606deaa838..41c9689f50 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1126,7 +1126,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) ret = av_new_packet(pkt, size + nut->header_len[header_idx]); if (ret < 0) return ret; - memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); + if (nut->header[header_idx]) + memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; From f040f3e5d5abfe4f59036e7b671d7b03eda244e7 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 18 Dec 2015 19:28:51 +0100 Subject: [PATCH 267/380] xwddec: prevent overflow of lsize * avctx->height This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae) Signed-off-by: Andreas Cadhalpun --- libavcodec/xwddec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 62dfdace16..18b1f93d2e 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { + if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } From 1dc135e03d83d14274e3049011396a5bcb36e464 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 12:02:56 +0100 Subject: [PATCH 268/380] nutdec: reject negative value_len in read_sm_data If it is negative, it can cause the byte position to move backwards in avio_skip, which in turn makes sm_size negative and thus size larger than the size of the packet buffer, causing invalid writes in avio_read. Also fix potential overflow of avio_tell(bc) + value_len. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 41c9689f50..2be52e4426 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -927,7 +927,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int return ret; } value_len = ffio_read_varlen(bc); - if (avio_tell(bc) + value_len >= maxpos) + if (value_len < 0 || value_len >= maxpos - avio_tell(bc)) return AVERROR_INVALIDDATA; if (!strcmp(name, "Palette")) { dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len); From 93eda8dcbadfe375a7fe99592e4097c08deb06d1 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 23:44:53 +0100 Subject: [PATCH 269/380] mlvdec: check that index_entries exist This fixes NULL pointer dereferencing. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9fcfe4a3cdf9a5af0c37758b178965b7b99582d4) Signed-off-by: Andreas Cadhalpun --- libavformat/mlvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 48a429eb23..4b3bdc1eca 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -365,6 +365,11 @@ static int read_header(AVFormatContext *avctx) if (ast) ast->duration = ast->nb_index_entries; + if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { + av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); + return AVERROR_INVALIDDATA; + } + if (vst && ast) avio_seek(pb, FFMIN(vst->index_entries[0].pos, ast->index_entries[0].pos), SEEK_SET); else if (vst) From 3219de21f4e9e9bcd09df9dbc5eab63492dd05a4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 23:45:06 +0100 Subject: [PATCH 270/380] rawdec: only exempt BIT0 with need_copy from buffer sanity check Otherwise the too small buffer is directly used in the frame, causing segmentation faults, when trying to use the frame. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 699e68371ec7e381e5cc48e3d96e29c669261af7) Signed-off-by: Andreas Cadhalpun --- libavcodec/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 647dfa9a0a..568553923b 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, buf += buf_size - context->frame_size; len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0); - if (buf_size < len && (avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)) { + if (buf_size < len && ((avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0) || !need_copy)) { av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len); av_buffer_unref(&frame->buf[0]); return AVERROR(EINVAL); From 7ad058168665a74c8975a2bb1bd4286d37280218 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 16 Dec 2015 20:52:39 +0100 Subject: [PATCH 271/380] nuv: sanitize negative fps rate Signed-off-by: Andreas Cadhalpun (cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce) Signed-off-by: Andreas Cadhalpun --- libavformat/nuv.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index 001d9c8860..cb51511943 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0.9999 && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); + if (fps < 0.0f) { + if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); + return AVERROR_INVALIDDATA; + } else { + av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); + fps = 0.0f; + } + } // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); From 26241af6f8b291eed42c597ffa2b32802331f813 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Dec 2015 14:52:20 +0100 Subject: [PATCH 272/380] Update for 2.7.4 Signed-off-by: Michael Niedermayer --- Changelog | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 79 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 6e79b7a396..0935c1a2da 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,83 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 2.7.4 +- nuv: sanitize negative fps rate +- rawdec: only exempt BIT0 with need_copy from buffer sanity check +- mlvdec: check that index_entries exist +- nutdec: reject negative value_len in read_sm_data +- xwddec: prevent overflow of lsize * avctx->height +- nutdec: only copy the header if it exists +- exr: fix out of bounds read in get_code +- on2avc: limit number of bits to 30 in get_egolomb +- avcodec/mpeg4videodec: also for empty partitioned slices +- avcodec/h264_refs: Fix long_idx check +- avcodec/h264_mc_template: prefetch list1 only if it is used in the MB +- avcodec/h264_slice: Simplify ref2frm indexing +- Revert "avcodec/aarch64/neon.S: Update neon.s for transpose_4x4H" +- avfilter/vf_mpdecimate: Add missing emms_c() +- sonic: make sure num_taps * channels is not larger than frame_size +- opus_silk: fix typo causing overflow in silk_stabilize_lsf +- ffm: reject invalid codec_id and codec_type +- golomb: always check for invalid UE golomb codes in get_ue_golomb +- aaccoder: prevent crash of anmr coder +- ffmdec: reject zero-sized chunks +- swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* +- swscale/x86/rgb2rgb_template: Do not crash on misaligend stride +- avformat/mxfenc: Do not crash if there is no packet in the first stream +- avcodec/aarch64/neon.S: Update neon.s for transpose_4x4H +- avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec +- avformat/matroskaenc: Check codecdelay before use +- avutil/mathematics: Fix division by 0 +- mjpegdec: consider chroma subsampling in size check +- avcodec/hevc: Check max ctb addresses for WPP +- avcodec/vp3: ensure header is parsed successfully before tables +- avcodec/jpeg2000dec: Check bpno in decode_cblk() +- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int +- swscale/utils: Fix for runtime error: left shift of negative value -1 +- avcodec/hevc: Fix integer overflow of entry_point_offset +- avcodec/dirac_parser: Check that there is a previous PU before accessing it +- avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset +- avcodec/dirac_parser: Fix potential overflows in pointer checks +- avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows +- avcodec/wmaprodec: Fix overflow of cutoff +- avformat/smacker: fix integer overflow with pts_inc +- avcodec/vp3: Fix "runtime error: left shift of negative value" +- mpegencts: Fix overflow in cbr mode period calculations +- avutil/timecode: Fix fps check +- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows +- avcodec/apedec: Check length in long_filter_high_3800() +- avcodec/vp3: always set pix_fmt in theora_decode_header() +- avcodec/mpeg4videodec: Check available data before reading custom matrix +- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd +- avutil/integer: Fix av_mod_i() with negative dividend +- avformat/dump: Fix integer overflow in av_dump_format() +- avcodec/h264_refs: Check that long references match before use +- avcodec/utils: Clear dimensions in ff_get_buffer() on failure +- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() +- avcodec/vp3: Clear context on reinitialization failure +- avcodec/hevc: allocate entries unconditionally +- avcodec/hevc_cabac: Fix multiple integer overflows +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() +- avcodec/hevc: Check entry_point_offsets +- avcodec/cabac: Check initial cabac decoder state +- avcodec/cabac_functions: Fix "left shift of negative value -31767" +- avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized +- avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup +- avcodec/ffv1dec: Clear quant_table_count if its invalid +- avcodec/ffv1dec: Print an error if the quant table count is invalid +- doc/filters/drawtext: fix centering example +- hqx: correct type and size check of info_offset +- mxfdec: check edit_rate also for physical_track +- mpegvideo: clear overread in clear_context +- dvdsubdec: validate offset2 similar to offset1 +- aacdec: don't return frames without data from aac_decode_er_frame +- avcodec/takdec: Use memove, avoid undefined memcpy() use +- riffdec: prevent negative bit rate + + version 2.7.3: - rtmpcrypt: Do the xtea decryption in little endian mode - Update versions for 2.7.3 diff --git a/RELEASE b/RELEASE index 2c9b4ef42e..a4dd9dba4f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.7.3 +2.7.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 4d1686bdc8..7e7e091d24 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.7.3 +PROJECT_NUMBER = 2.7.4 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 784506c2b5c68fb56f9a9f969771c3608281964d Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 2 Jan 2016 18:51:11 +0100 Subject: [PATCH 273/380] avfilter/vf_zoompan: do not free frame we pushed to lavfi Signed-off-by: Paul B Mahol (cherry picked from commit 8bcd1997eadb0d79a049227a1d1afe6111397baa) Fixes ticket #5113. --- libavfilter/vf_zoompan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_zoompan.c b/libavfilter/vf_zoompan.c index c49193a065..e5d8190451 100644 --- a/libavfilter/vf_zoompan.c +++ b/libavfilter/vf_zoompan.c @@ -230,9 +230,9 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) s->frame_count++; ret = ff_filter_frame(outlink, out); + out = NULL; if (ret < 0) break; - out = NULL; sws_freeContext(s->sws); s->sws = NULL; From 34c5f6685a866f371e7edda2dcf17b9db25bc71e Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 8 Jan 2016 12:08:56 -0300 Subject: [PATCH 274/380] x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse Reviewed-by: Christophe Gisquet Signed-off-by: James Almer (cherry picked from commit dc79824deb6ac0ce236589c618744b33629201cd) --- libavutil/x86/float_dsp.asm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/x86/float_dsp.asm b/libavutil/x86/float_dsp.asm index ec3d22b230..c4484a28e6 100644 --- a/libavutil/x86/float_dsp.asm +++ b/libavutil/x86/float_dsp.asm @@ -332,10 +332,10 @@ VECTOR_FMUL_REVERSE ; float scalarproduct_float_sse(const float *v1, const float *v2, int len) INIT_XMM sse cglobal scalarproduct_float, 3,3,2, v1, v2, offset + shl offsetd, 2 + add v1q, offsetq + add v2q, offsetq neg offsetq - shl offsetq, 2 - sub v1q, offsetq - sub v2q, offsetq xorps xmm0, xmm0 .loop: movaps xmm1, [v1q+offsetq] From d41b91ba33a52f8deac4d2e35b698b360de5666c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Dec 2015 21:46:15 +0100 Subject: [PATCH 275/380] swscale/utils: Fix intermediate format for cascaded alpha downscaling Fixes Ticket4926 Signed-off-by: Michael Niedermayer (cherry picked from commit b83d8be6bff7d645469a623aee0b380541da15cf) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 93cbad79c9..cc6402d4c8 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1598,6 +1598,9 @@ fail: // FIXME replace things by appropriate error codes int tmpH = sqrt(srcH * (int64_t)dstH); enum AVPixelFormat tmpFormat = AV_PIX_FMT_YUV420P; + if (isALPHA(srcFormat)) + tmpFormat = AV_PIX_FMT_YUVA420P; + if (srcW*(int64_t)srcH <= 4LL*dstW*dstH) return AVERROR(EINVAL); From a7a7c6e44c403d64cdd2fd3e8f83b796274fe40e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 31 Dec 2015 16:55:43 +0100 Subject: [PATCH 276/380] mjpegdec: extend check for incompatible values of s->rgb and s->ls This can happen if s->ls changes from 0 to 1, but picture allocation is skipped due to s->interlaced. In that case ff_jpegls_decode_picture could be called even though the s->picture_ptr frame has the wrong pixel format and thus a wrong linesize, which results in a too small zero buffer being allocated. This fixes an out-of-bounds read in ls_decode_line. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 7ea2db6eafa0a8a9497aab20be2cfc8742a59072) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 48f5ca4caf..c28f07d0a8 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -628,7 +628,8 @@ unk_pixfmt: av_log(s->avctx, AV_LOG_DEBUG, "decode_sof0: error, len(%d) mismatch\n", len); } - if (s->rgb && !s->lossless && !s->ls) { + if ((s->rgb && !s->lossless && !s->ls) || + (!s->rgb && s->ls && s->nb_components > 1)) { av_log(s->avctx, AV_LOG_ERROR, "Unsupported coding and pixel format combination\n"); return AVERROR_PATCHWELCOME; } From b65c06ee5efefe96f1dccf65c68174099ba26d7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Jan 2016 02:41:06 +0100 Subject: [PATCH 277/380] avcodec/put_bits: Always check buffer end before writing This causes a overall slowdown of 0.1 % (tested with mpeg4 single thread encoding of matrixbench at QP=3) Signed-off-by: Michael Niedermayer (cherry picked from commit cccb0ffccc3723acc7aab3a859b24743596dd9c0) Signed-off-by: Michael Niedermayer --- libavcodec/put_bits.h | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 5b1bc8b8b7..0db8a033ad 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -163,9 +163,13 @@ static inline void put_bits(PutBitContext *s, int n, unsigned int value) #ifdef BITSTREAM_WRITER_LE bit_buf |= value << (32 - bit_left); if (n >= bit_left) { - av_assert2(s->buf_ptr+3buf_end); - AV_WL32(s->buf_ptr, bit_buf); - s->buf_ptr += 4; + if (3 < s->buf_end - s->buf_ptr) { + AV_WL32(s->buf_ptr, bit_buf); + s->buf_ptr += 4; + } else { + av_log(NULL, AV_LOG_ERROR, "Internal error, put_bits buffer too small\n"); + av_assert2(0); + } bit_buf = value >> bit_left; bit_left += 32; } @@ -177,9 +181,13 @@ static inline void put_bits(PutBitContext *s, int n, unsigned int value) } else { bit_buf <<= bit_left; bit_buf |= value >> (n - bit_left); - av_assert2(s->buf_ptr+3buf_end); - AV_WB32(s->buf_ptr, bit_buf); - s->buf_ptr += 4; + if (3 < s->buf_end - s->buf_ptr) { + AV_WB32(s->buf_ptr, bit_buf); + s->buf_ptr += 4; + } else { + av_log(NULL, AV_LOG_ERROR, "Internal error, put_bits buffer too small\n"); + av_assert2(0); + } bit_left += 32 - n; bit_buf = value; } From d7a13ff23b5ea698e97f6c432349d3eb8b860e14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Jan 2016 23:22:25 +0100 Subject: [PATCH 278/380] swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions Fixes Ticket4960 Signed-off-by: Michael Niedermayer (cherry picked from commit 1edf129cbc897447a289ca8b045853df5df1bab3) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index cc6402d4c8..66bce60c13 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1071,6 +1071,12 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, srcW, srcH, dstW, dstH); return AVERROR(EINVAL); } + if (flags & SWS_FAST_BILINEAR) { + if (srcW < 8 || dstW < 8) { + flags ^= SWS_FAST_BILINEAR | SWS_BILINEAR; + c->flags = flags; + } + } if (!dstFilter) dstFilter = &dummyFilter; From 5b14f436c6358dc0db599be6a1c635a4135a96a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jan 2016 01:06:18 +0100 Subject: [PATCH 279/380] avcodec/h264_slice: Fix integer overflow in implicit weight computation Fixes mozilla bug 1230423 Signed-off-by: Michael Niedermayer (cherry picked from commit 7cc01c25727a96eaaa0c177234b626e47c8ea491) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index f80c469986..75ea464b8d 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -778,7 +778,7 @@ static void implicit_weight_table(const H264Context *h, H264SliceContext *sl, in cur_poc = h->cur_pic_ptr->field_poc[h->picture_structure - 1]; } if (sl->ref_count[0] == 1 && sl->ref_count[1] == 1 && !FRAME_MBAFF(h) && - sl->ref_list[0][0].poc + sl->ref_list[1][0].poc == 2 * cur_poc) { + sl->ref_list[0][0].poc + (int64_t)sl->ref_list[1][0].poc == 2 * cur_poc) { sl->use_weight = 0; sl->use_weight_chroma = 0; return; @@ -799,7 +799,7 @@ static void implicit_weight_table(const H264Context *h, H264SliceContext *sl, in sl->chroma_log2_weight_denom = 5; for (ref0 = ref_start; ref0 < ref_count0; ref0++) { - int poc0 = sl->ref_list[0][ref0].poc; + int64_t poc0 = sl->ref_list[0][ref0].poc; for (ref1 = ref_start; ref1 < ref_count1; ref1++) { int w = 32; if (!sl->ref_list[0][ref0].parent->long_ref && !sl->ref_list[1][ref1].parent->long_ref) { From 2c58d734132fba3773629d1ce347af2c931267a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jan 2016 14:41:04 +0100 Subject: [PATCH 280/380] avcodec/motion_est: Fix mv_penalty table size Fixes out of array read Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 5b4da8a38a5ed211df9504c85ce401c30af86b97) Conflicts: libavcodec/motion_est.h --- libavcodec/ituh263enc.c | 6 +++--- libavcodec/motion_est.c | 16 ++++++++-------- libavcodec/motion_est.h | 3 ++- libavcodec/mpeg12enc.c | 6 +++--- libavcodec/mpegvideo_enc.c | 2 +- libavcodec/snowenc.c | 2 +- 6 files changed, 18 insertions(+), 17 deletions(-) diff --git a/libavcodec/ituh263enc.c b/libavcodec/ituh263enc.c index 3ea2d19441..0073560dc4 100644 --- a/libavcodec/ituh263enc.c +++ b/libavcodec/ituh263enc.c @@ -44,7 +44,7 @@ /** * Table of number of bits a motion vector component needs. */ -static uint8_t mv_penalty[MAX_FCODE+1][MAX_MV*2+1]; +static uint8_t mv_penalty[MAX_FCODE+1][MAX_DMV*2+1]; /** * Minimal fcode that a motion vector component would need. @@ -677,7 +677,7 @@ static av_cold void init_mv_penalty_and_fcode(MpegEncContext *s) int mv; for(f_code=1; f_code<=MAX_FCODE; f_code++){ - for(mv=-MAX_MV; mv<=MAX_MV; mv++){ + for(mv=-MAX_DMV; mv<=MAX_DMV; mv++){ int len; if(mv==0) len= ff_mvtab[0][1]; @@ -698,7 +698,7 @@ static av_cold void init_mv_penalty_and_fcode(MpegEncContext *s) } } - mv_penalty[f_code][mv+MAX_MV]= len; + mv_penalty[f_code][mv+MAX_DMV]= len; } } diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 96aa9ac84e..25cf8125f1 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -908,7 +908,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s, c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); c->sub_penalty_factor= get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_sub_cmp); c->mb_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->mb_cmp); - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; get_limits(s, 16*mb_x, 16*mb_y); c->skip=0; @@ -1084,7 +1084,7 @@ int ff_pre_estimate_p_frame_motion(MpegEncContext * s, av_assert0(s->quarter_sample==0 || s->quarter_sample==1); c->pre_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_pre_cmp); - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; get_limits(s, 16*mb_x, 16*mb_y); c->skip=0; @@ -1133,7 +1133,7 @@ static int estimate_motion_b(MpegEncContext *s, int mb_x, int mb_y, const int shift= 1+s->quarter_sample; const int mot_stride = s->mb_stride; const int mot_xy = mb_y*mot_stride + mb_x; - uint8_t * const mv_penalty= c->mv_penalty[f_code] + MAX_MV; + uint8_t * const mv_penalty= c->mv_penalty[f_code] + MAX_DMV; int mv_scale; c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); @@ -1207,8 +1207,8 @@ static inline int check_bidir_mv(MpegEncContext * s, //FIXME better f_code prediction (max mv & distance) //FIXME pointers MotionEstContext * const c= &s->me; - uint8_t * const mv_penalty_f= c->mv_penalty[s->f_code] + MAX_MV; // f_code of the prev frame - uint8_t * const mv_penalty_b= c->mv_penalty[s->b_code] + MAX_MV; // f_code of the prev frame + uint8_t * const mv_penalty_f= c->mv_penalty[s->f_code] + MAX_DMV; // f_code of the prev frame + uint8_t * const mv_penalty_b= c->mv_penalty[s->b_code] + MAX_DMV; // f_code of the prev frame int stride= c->stride; uint8_t *dest_y = c->scratchpad; uint8_t *ptr; @@ -1421,7 +1421,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y) int mx, my, xmin, xmax, ymin, ymax; int16_t (*mv_table)[2]= s->b_direct_mv_table; - c->current_mv_penalty= c->mv_penalty[1] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[1] + MAX_DMV; ymin= xmin=(-32)>>shift; ymax= xmax= 31>>shift; @@ -1557,11 +1557,11 @@ void ff_estimate_b_frame_motion(MpegEncContext * s, if (s->avctx->flags & CODEC_FLAG_INTERLACED_ME) { //FIXME mb type penalty c->skip=0; - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; fimin= interlaced_search(s, 0, s->b_field_mv_table[0], s->b_field_select_table[0], s->b_forw_mv_table[xy][0], s->b_forw_mv_table[xy][1], 0); - c->current_mv_penalty= c->mv_penalty[s->b_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->b_code] + MAX_DMV; bimin= interlaced_search(s, 2, s->b_field_mv_table[1], s->b_field_select_table[1], s->b_back_mv_table[xy][0], s->b_back_mv_table[xy][1], 0); diff --git a/libavcodec/motion_est.h b/libavcodec/motion_est.h index c6a1691e0b..42be73bce9 100644 --- a/libavcodec/motion_est.h +++ b/libavcodec/motion_est.h @@ -30,6 +30,7 @@ struct MpegEncContext; #define MAX_MV 4096 +#define MAX_DMV (2*MAX_MV) /** * Motion estimation context. @@ -80,7 +81,7 @@ typedef struct MotionEstContext { op_pixels_func(*hpel_avg)[4]; qpel_mc_func(*qpel_put)[16]; qpel_mc_func(*qpel_avg)[16]; - uint8_t (*mv_penalty)[MAX_MV * 2 + 1]; ///< bit amount needed to encode a MV + uint8_t (*mv_penalty)[MAX_DMV * 2 + 1]; ///< bit amount needed to encode a MV uint8_t *current_mv_penalty; int (*sub_motion_search)(struct MpegEncContext *s, int *mx_ptr, int *my_ptr, int dmin, diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index d131e48285..5b8c4ecf33 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -52,7 +52,7 @@ static const uint8_t svcd_scan_offset_placeholder[] = { 0x81, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, }; -static uint8_t mv_penalty[MAX_FCODE + 1][MAX_MV * 2 + 1]; +static uint8_t mv_penalty[MAX_FCODE + 1][MAX_DMV * 2 + 1]; static uint8_t fcode_tab[MAX_MV * 2 + 1]; static uint8_t uni_mpeg1_ac_vlc_len[64 * 64 * 2]; @@ -1051,7 +1051,7 @@ av_cold void ff_mpeg1_encode_init(MpegEncContext *s) } for (f_code = 1; f_code <= MAX_FCODE; f_code++) - for (mv = -MAX_MV; mv <= MAX_MV; mv++) { + for (mv = -MAX_DMV; mv <= MAX_DMV; mv++) { int len; if (mv == 0) { @@ -1074,7 +1074,7 @@ av_cold void ff_mpeg1_encode_init(MpegEncContext *s) 2 + bit_size; } - mv_penalty[f_code][mv + MAX_MV] = len; + mv_penalty[f_code][mv + MAX_DMV] = len; } diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 49fc083d3f..edebc9d340 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -72,7 +72,7 @@ static int sse_mb(MpegEncContext *s); static void denoise_dct_c(MpegEncContext *s, int16_t *block); static int dct_quantize_trellis_c(MpegEncContext *s, int16_t *block, int n, int qscale, int *overflow); -static uint8_t default_mv_penalty[MAX_FCODE + 1][MAX_MV * 2 + 1]; +static uint8_t default_mv_penalty[MAX_FCODE + 1][MAX_DMV * 2 + 1]; static uint8_t default_fcode_tab[MAX_MV * 2 + 1]; const AVOption ff_mpv_generic_options[] = { diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index bd5c0fde15..82c09ea037 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -284,7 +284,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); c->sub_penalty_factor= get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_sub_cmp); c->mb_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->mb_cmp); - c->current_mv_penalty= c->mv_penalty[s->m.f_code=1] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->m.f_code=1] + MAX_DMV; c->xmin = - x*block_w - 16+3; c->ymin = - y*block_w - 16+3; From 2f6d3459d9085472ddab243eaa1bf47aed3f130f Mon Sep 17 00:00:00 2001 From: Thomas Mundt Date: Thu, 31 Dec 2015 00:01:21 +0100 Subject: [PATCH 281/380] avfilter/vf_scale: set proper out frame color range Prevents that following scalers in the filter chain will do unintentional color range conversions. Fixes Ticket #5096 Signed-off-by: Thomas Mundt Signed-off-by: Michael Niedermayer (cherry picked from commit 73ce8162f3499cf0e86d1d80dea53324bd62bcb3) Signed-off-by: Michael Niedermayer --- libavfilter/vf_scale.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 2a3d00808d..d5cd2dcc20 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -526,6 +526,8 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) sws_setColorspaceDetails(scale->isws[1], inv_table, in_full, table, out_full, brightness, contrast, saturation); + + av_frame_set_color_range(out, out_full ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG); } av_reduce(&out->sample_aspect_ratio.num, &out->sample_aspect_ratio.den, From 3dd0d43d8cf7970a141c8f76fa8ec3d81d65be82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Jan 2016 00:22:56 +0100 Subject: [PATCH 282/380] avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range Fixes out of array read Fixes: test_case-mdc.264 (b47be15a120979f5a1a945c938cbef33) Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 13f266b50cc7554028d22480b7e4383968e64a63) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index edebc9d340..0cf138e217 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -317,6 +317,7 @@ av_cold int ff_mpv_encode_init(AVCodecContext *avctx) break; } + avctx->bits_per_raw_sample = av_clip(avctx->bits_per_raw_sample, 0, 8); s->bit_rate = avctx->bit_rate; s->width = avctx->width; s->height = avctx->height; From 2316c3586591f858ad14f586bb30a54700dd266e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Jan 2016 10:49:23 +0100 Subject: [PATCH 283/380] avformat: Add integer fps from 31 to 60 to get_std_framerate() Fixes Ticket 5106 Signed-off-by: Michael Niedermayer (cherry picked from commit 2039b3e7511ef183dae206575114e15b6d99c134) Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 2 +- libavformat/utils.c | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index fb69852f45..4b270db7f3 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -968,7 +968,7 @@ typedef struct AVStream { /** * Stream information used internally by av_find_stream_info() */ -#define MAX_STD_TIMEBASES (30*12+7+6) +#define MAX_STD_TIMEBASES (30*12+30+3+6) struct { int64_t last_dts; int64_t duration_gcd; diff --git a/libavformat/utils.c b/libavformat/utils.c index 47d07071b7..d5e65814ef 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2832,10 +2832,14 @@ static int get_std_framerate(int i) return (i + 1) * 1001; i -= 30*12; - if (i < 7) - return ((const int[]) { 40, 48, 50, 60, 80, 120, 240})[i] * 1001 * 12; + if (i < 30) + return (i + 31) * 1001 * 12; + i -= 30; - i -= 7; + if (i < 3) + return ((const int[]) { 80, 120, 240})[i] * 1001 * 12; + + i -= 3; return ((const int[]) { 24, 30, 60, 12, 15, 48 })[i] * 1000 * 12; } From 8c08247990ca5246bf8f2c48fc2f3fd8a043f326 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jan 2016 12:19:48 +0100 Subject: [PATCH 284/380] avcodec/mss2: Check for repeat overflow Fixes: mss2_left_shift.wmv Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit e273dade78943e22b71d0ddb67cd0d737fc26edf) Signed-off-by: Michael Niedermayer --- libavcodec/mss2.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index f57685d7b1..1af2cd00aa 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -210,8 +210,13 @@ static int decode_555(GetByteContext *gB, uint16_t *dst, int stride, last_symbol = b << 8 | bytestream2_get_byte(gB); else if (b > 129) { repeat = 0; - while (b-- > 130) + while (b-- > 130) { + if (repeat >= (INT_MAX >> 8) - 1) { + av_log(NULL, AV_LOG_ERROR, "repeat overflow\n"); + return AVERROR_INVALIDDATA; + } repeat = (repeat << 8) + bytestream2_get_byte(gB) + 1; + } if (last_symbol == -2) { int skip = FFMIN((unsigned)repeat, dst + w - p); repeat -= skip; From 7cfea0d41cb05f099c2456f7b0797382adda7756 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jan 2016 15:52:09 +0100 Subject: [PATCH 285/380] avcodec/mjpegdec: Fix negative shift Fixes: mjpeg_left_shift.avi Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit d86d7b2486cd5c31db8e820d8a89554abf19567e) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index c28f07d0a8..2e0a5683de 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -994,7 +994,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return -1; left[i] = buffer[mb_x][i] = - mask & (pred + (dc << point_transform)); + mask & (pred + (dc * (1 << point_transform))); } if (s->restart_interval && !--s->restart_count) { From 3820c6a979cad16ad993580af80b5968b87ea382 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jan 2016 17:43:56 +0100 Subject: [PATCH 286/380] avcodec/dvdec: Fix "left shift of negative value -254" Fixes: dvdec_left_shift.avi Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 93ac72a98dff592ffc174cfb36a8975dfbf145ae) Signed-off-by: Michael Niedermayer --- libavcodec/dvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdec.c b/libavcodec/dvdec.c index fbd6bf504b..0f9edf0dae 100644 --- a/libavcodec/dvdec.c +++ b/libavcodec/dvdec.c @@ -333,7 +333,7 @@ static int dv_decode_video_segment(AVCodecContext *avctx, void *arg) dct_mode * 22 * 64 + (quant + ff_dv_quant_offset[class1]) * 64]; } - dc = dc << 2; + dc = dc * 4; /* convert to unsigned because 128 is not added in the * standard IDCT */ dc += 1024; From d755045e7801a4ceb35027ab9bf069f7e6ecc221 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jan 2016 19:29:39 +0100 Subject: [PATCH 287/380] avcodec/aacdec_template: Check id_map Fixes index out of bounds error Fixes: aac_index_out_of_bounds.wmv Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 590863876d1478547640304a31c15809c3618090) Conflicts: libavcodec/aacdec_template.c --- libavcodec/aacdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 9fe1133b34..803082767a 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -473,6 +473,10 @@ static int output_configure(AACContext *ac, int type = layout_map[i][0]; int id = layout_map[i][1]; id_map[type][id] = type_counts[type]++; + if (id_map[type][id] >= MAX_ELEM_ID) { + avpriv_request_sample(ac->avctx, "Remapped id too large\n"); + return AVERROR_PATCHWELCOME; + } } // Try to sniff a reasonable channel order, otherwise output the // channels in the order the PCE declared them. From d0fd9bec1f8d7055c5036935d9a8d3a8e4a69566 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Jan 2016 18:32:32 +0100 Subject: [PATCH 288/380] avcodec/wavpackenc: Headers are per channel Fixes: 1b8b83a53bfa751f01b1daa65a4758db/signal_sigabrt_7ffff6ae7cb7_7488_403f71d1a2565b598d01b6cb110fac8f.aiff Fixes: assertion failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 26757b0279b4b93c6066c2151d4d3dbd2ec266bf) Conflicts: libavcodec/wavpackenc.c Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 87f1445738..b387b360d0 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -2878,7 +2878,7 @@ static int wavpack_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } buf_size = s->block_samples * avctx->channels * 8 - + 200 /* for headers */; + + 200 * avctx->channels /* for headers */; if ((ret = ff_alloc_packet2(avctx, avpkt, buf_size)) < 0) return ret; buf = avpkt->data; From 858f43043f74278cb8f4f9967a1177348a528ca0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Jan 2016 18:58:08 +0100 Subject: [PATCH 289/380] avcodec/wavpackenc: Check the number of channels They are stored in a byte, thus more than 255 is not possible Signed-off-by: Michael Niedermayer (cherry picked from commit 59c915a403af32c4ff5126625b0cc7e38f4beff9) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index b387b360d0..0798fc5d68 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -128,6 +128,11 @@ static av_cold int wavpack_encode_init(AVCodecContext *avctx) s->avctx = avctx; + if (avctx->channels > 255) { + av_log(avctx, AV_LOG_ERROR, "Too many channels\n", avctx->channels); + return AVERROR(EINVAL); + } + if (!avctx->frame_size) { int block_samples; if (!(avctx->sample_rate & 1)) From 0e3c36518d9920aebee0cfaf6a54d81ae5180666 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2016 03:03:01 +0100 Subject: [PATCH 290/380] avcodec/mpeg4video: Check time_incr Fixes assertion failure Fixes out of memory access Fixes: test_casex.ivf Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 7c97946d6131b31340954a3f603b6bf92590a9a5) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4video.h | 2 +- libavcodec/mpeg4videoenc.c | 10 +++++++++- libavcodec/mpegvideo_enc.c | 8 +++++--- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4video.h b/libavcodec/mpeg4video.h index 49bc13f87a..5998c7191c 100644 --- a/libavcodec/mpeg4video.h +++ b/libavcodec/mpeg4video.h @@ -140,7 +140,7 @@ void ff_mpeg4_encode_mb(MpegEncContext *s, void ff_mpeg4_pred_ac(MpegEncContext *s, int16_t *block, int n, int dir); void ff_set_mpeg4_time(MpegEncContext *s); -void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number); +int ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number); int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb); void ff_mpeg4_encode_video_packet_header(MpegEncContext *s); diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index bca294ebd8..f565e3a4c4 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -1086,7 +1086,7 @@ static void mpeg4_encode_vol_header(MpegEncContext *s, } /* write mpeg4 VOP header */ -void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) +int ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) { int time_incr; int time_div, time_mod; @@ -1112,6 +1112,12 @@ void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) time_mod = FFUMOD(s->time, s->avctx->time_base.den); time_incr = time_div - s->last_time_base; av_assert0(time_incr >= 0); + + // This limits the frame duration to max 1 hour + if (time_incr > 3600) { + av_log(s->avctx, AV_LOG_ERROR, "time_incr %d too large\n", time_incr); + return AVERROR(EINVAL); + } while (time_incr--) put_bits(&s->pb, 1, 1); @@ -1137,6 +1143,8 @@ void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) put_bits(&s->pb, 3, s->f_code); /* fcode_for */ if (s->pict_type == AV_PICTURE_TYPE_B) put_bits(&s->pb, 3, s->b_code); /* fcode_back */ + + return 0; } static av_cold void init_uni_dc_tab(void) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 0cf138e217..c4e448251e 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -3723,9 +3723,11 @@ static int encode_picture(MpegEncContext *s, int picture_number) ff_wmv2_encode_picture_header(s, picture_number); else if (CONFIG_MSMPEG4_ENCODER && s->msmpeg4_version) ff_msmpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_MPEG4_ENCODER && s->h263_pred) - ff_mpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { + else if (CONFIG_MPEG4_ENCODER && s->h263_pred) { + ret = ff_mpeg4_encode_picture_header(s, picture_number); + if (ret < 0) + return ret; + } else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { ret = ff_rv10_encode_picture_header(s, picture_number); if (ret < 0) return ret; From f1cdd93517c8c7f2ed5956962c7e41528c063b1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2016 18:49:20 +0100 Subject: [PATCH 291/380] avformat/asfenc: Check pts Fixes integer overflow Fixes: 0063df8be3aaa30dd6d76f59c8f818c8/signal_sigsegv_7b7b59_3634_bf418b6822bbfa68734411d96b667be3.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7c0b84d89911b2035161f5ef51aafbfcc84aa9e2) Signed-off-by: Michael Niedermayer --- libavformat/asfenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index 015c731cec..6b4e794b24 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c @@ -927,6 +927,11 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts; av_assert0(pts != AV_NOPTS_VALUE); + if ( pts < - PREROLL_TIME + || pts > (INT_MAX-3)/10000LL * ASF_INDEXED_INTERVAL - PREROLL_TIME) { + av_log(s, AV_LOG_ERROR, "input pts %"PRId64" is invalid\n", pts); + return AVERROR(EINVAL); + } pts *= 10000; asf->duration = FFMAX(asf->duration, pts + pkt->duration * 10000); From a2b234b917bf15fd0f60c131b801f0f84bf14ef4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Jan 2016 02:31:59 +0100 Subject: [PATCH 292/380] avformat/aviobuf: Fix end check in put_str16() Fixes out of array read Fixes: 03c406ec9530e594a074ce2979f8a1f0/asan_heap-oob_7dec26_4664_37c52495b2870a2eaac65f53958e76c1.flac Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 115fb6d03ef6310732b42258d8c3cd1839cfb74b) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 392b369a78..5dda200a3b 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -359,6 +359,8 @@ static inline int put_str16(AVIOContext *s, const char *str, const int be) invalid: av_log(s, AV_LOG_ERROR, "Invaid UTF8 sequence in avio_put_str16%s\n", be ? "be" : "le"); err = AVERROR(EINVAL); + if (!*(q-1)) + break; } if (be) avio_wb16(s, 0); From cde38373d134e6cf6a92d900fb2f3ce996e4655c Mon Sep 17 00:00:00 2001 From: Maxim Andreev Date: Wed, 13 Jan 2016 11:51:12 +0300 Subject: [PATCH 293/380] avformat/hls: forbid all protocols except http(s) & file Signed-off-by: Michael Niedermayer (cherry picked from commit 7145e80b4f78cff5ed5fee04d4c4d53daaa0e077) Conflicts: libavformat/hls.c --- libavformat/hls.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index bd34329cb6..e7e323b71b 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1036,6 +1036,12 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { + const char *proto_name = avio_find_protocol_name(seg->url); + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { + ret = AVERROR_INVALIDDATA; + goto cleanup; + } + ret = ffurl_open(&pls->input, seg->url, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts); @@ -1043,6 +1049,11 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { URLContext *uc; + const char *proto_name = avio_find_protocol_name(seg->key); + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { + ret = AVERROR_INVALIDDATA; + goto cleanup; + } if (ffurl_open(&uc, seg->key, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts2) == 0) { if (ffurl_read_complete(uc, pls->key, sizeof(pls->key)) From f5060bce3108acf85b2e5da22d8d9e98858de43a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2016 12:36:41 +0100 Subject: [PATCH 294/380] swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out Signed-off-by: Michael Niedermayer (cherry picked from commit 5e5f82a28737fba4402259617500911cc37e3674) Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 1 + libswscale/yuv2rgb.c | 89 ++++++++++++++++++----------------- 2 files changed, 46 insertions(+), 44 deletions(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 2299aa5c87..fa119d304c 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -40,6 +40,7 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long #define YUVRGB_TABLE_HEADROOM 256 +#define YUVRGB_TABLE_LUMA_HEADROOM 0 #define MAX_FILTER_SIZE SWS_MAX_FILTER_SIZE diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 1d682ba57c..e81f3f6f31 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -776,7 +776,8 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], uint16_t *y_table16; uint32_t *y_table32; int i, base, rbase, gbase, bbase, av_uninit(abase), needAlpha; - const int yoffs = fullRange ? 384 : 326; + const int yoffs = (fullRange ? 384 : 326) + YUVRGB_TABLE_LUMA_HEADROOM; + const int table_plane_size = 1024 + 2*YUVRGB_TABLE_LUMA_HEADROOM; int64_t crv = inv_table[0]; int64_t cbu = inv_table[1]; @@ -833,10 +834,10 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], return AVERROR(ENOMEM); switch (bpp) { case 1: - ALLOC_YUV_TABLE(1024); + ALLOC_YUV_TABLE(table_plane_size); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 110; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 110; i++) { y_table[i + 110] = av_clip_uint8((yb + 0x8000) >> 16) >> 7; yb += cy; } @@ -848,60 +849,60 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 3 : 0; gbase = 1; bbase = isRgb ? 0 : 3; - ALLOC_YUV_TABLE(1024 * 3); + ALLOC_YUV_TABLE(table_plane_size * 3); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 110; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 110; i++) { int yval = av_clip_uint8((yb + 0x8000) >> 16); y_table[i + 110] = (yval >> 7) << rbase; - y_table[i + 37 + 1024] = ((yval + 43) / 85) << gbase; - y_table[i + 110 + 2048] = (yval >> 7) << bbase; + y_table[i + 37 + table_plane_size] = ((yval + 43) / 85) << gbase; + y_table[i + 110 + 2*table_plane_size] = (yval >> 7) << bbase; yb += cy; } fill_table(c->table_rV, 1, crv, y_table + yoffs); - fill_table(c->table_gU, 1, cgu, y_table + yoffs + 1024); - fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2048); + fill_table(c->table_gU, 1, cgu, y_table + yoffs + table_plane_size); + fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 1, cgv); break; case 8: rbase = isRgb ? 5 : 0; gbase = isRgb ? 2 : 3; bbase = isRgb ? 0 : 6; - ALLOC_YUV_TABLE(1024 * 3); + ALLOC_YUV_TABLE(table_plane_size * 3); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 38; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 38; i++) { int yval = av_clip_uint8((yb + 0x8000) >> 16); y_table[i + 16] = ((yval + 18) / 36) << rbase; - y_table[i + 16 + 1024] = ((yval + 18) / 36) << gbase; - y_table[i + 37 + 2048] = ((yval + 43) / 85) << bbase; + y_table[i + 16 + table_plane_size] = ((yval + 18) / 36) << gbase; + y_table[i + 37 + 2*table_plane_size] = ((yval + 43) / 85) << bbase; yb += cy; } fill_table(c->table_rV, 1, crv, y_table + yoffs); - fill_table(c->table_gU, 1, cgu, y_table + yoffs + 1024); - fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2048); + fill_table(c->table_gU, 1, cgu, y_table + yoffs + table_plane_size); + fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 1, cgv); break; case 12: rbase = isRgb ? 8 : 0; gbase = 4; bbase = isRgb ? 0 : 8; - ALLOC_YUV_TABLE(1024 * 3 * 2); + ALLOC_YUV_TABLE(table_plane_size * 3 * 2); y_table16 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { uint8_t yval = av_clip_uint8((yb + 0x8000) >> 16); y_table16[i] = (yval >> 4) << rbase; - y_table16[i + 1024] = (yval >> 4) << gbase; - y_table16[i + 2048] = (yval >> 4) << bbase; + y_table16[i + table_plane_size] = (yval >> 4) << gbase; + y_table16[i + 2*table_plane_size] = (yval >> 4) << bbase; yb += cy; } if (isNotNe) - for (i = 0; i < 1024 * 3; i++) + for (i = 0; i < table_plane_size * 3; i++) y_table16[i] = av_bswap16(y_table16[i]); fill_table(c->table_rV, 2, crv, y_table16 + yoffs); - fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + 1024); - fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2048); + fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + table_plane_size); + fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 2, cgv); break; case 15: @@ -909,30 +910,30 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? bpp - 5 : 0; gbase = 5; bbase = isRgb ? 0 : (bpp - 5); - ALLOC_YUV_TABLE(1024 * 3 * 2); + ALLOC_YUV_TABLE(table_plane_size * 3 * 2); y_table16 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { uint8_t yval = av_clip_uint8((yb + 0x8000) >> 16); y_table16[i] = (yval >> 3) << rbase; - y_table16[i + 1024] = (yval >> (18 - bpp)) << gbase; - y_table16[i + 2048] = (yval >> 3) << bbase; + y_table16[i + table_plane_size] = (yval >> (18 - bpp)) << gbase; + y_table16[i + 2*table_plane_size] = (yval >> 3) << bbase; yb += cy; } if (isNotNe) - for (i = 0; i < 1024 * 3; i++) + for (i = 0; i < table_plane_size * 3; i++) y_table16[i] = av_bswap16(y_table16[i]); fill_table(c->table_rV, 2, crv, y_table16 + yoffs); - fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + 1024); - fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2048); + fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + table_plane_size); + fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 2, cgv); break; case 24: case 48: - ALLOC_YUV_TABLE(1024); + ALLOC_YUV_TABLE(table_plane_size); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { y_table[i] = av_clip_uint8((yb + 0x8000) >> 16); yb += cy; } @@ -951,20 +952,20 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], needAlpha = CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat); if (!needAlpha) abase = (base + 24) & 31; - ALLOC_YUV_TABLE(1024 * 3 * 4); + ALLOC_YUV_TABLE(table_plane_size * 3 * 4); y_table32 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { unsigned yval = av_clip_uint8((yb + 0x8000) >> 16); y_table32[i] = (yval << rbase) + (needAlpha ? 0 : (255u << abase)); - y_table32[i + 1024] = yval << gbase; - y_table32[i + 2048] = yval << bbase; + y_table32[i + table_plane_size] = yval << gbase; + y_table32[i + 2*table_plane_size] = yval << bbase; yb += cy; } fill_table(c->table_rV, 4, crv, y_table32 + yoffs); - fill_table(c->table_gU, 4, cgu, y_table32 + yoffs + 1024); - fill_table(c->table_bU, 4, cbu, y_table32 + yoffs + 2048); + fill_table(c->table_gU, 4, cgu, y_table32 + yoffs + table_plane_size); + fill_table(c->table_bU, 4, cbu, y_table32 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 4, cgv); break; default: From f0cc6f74fcfed14b7ff7b3fdff66866db8447d73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2016 03:05:11 +0100 Subject: [PATCH 295/380] swscale/yuv2rgb: Increase YUV2RGB table headroom This makes SWS more robust Fixes: 07650a772d98aa63b0fed6370dc89037/asan_heap-oob_27ddeaf_2657_2c81ff264dee5d9712cb3251fb9c3bbb.264 Fixes: out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f3a9a8c278acf886f70a1d743bc07b6f9c7b51a) Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index fa119d304c..217e30781f 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -39,8 +39,8 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long -#define YUVRGB_TABLE_HEADROOM 256 -#define YUVRGB_TABLE_LUMA_HEADROOM 0 +#define YUVRGB_TABLE_HEADROOM 512 +#define YUVRGB_TABLE_LUMA_HEADROOM 512 #define MAX_FILTER_SIZE SWS_MAX_FILTER_SIZE From 119659b759a6840d7121340313d06cdc83215d7b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2016 15:11:48 +0100 Subject: [PATCH 296/380] swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls This avoids running various table inits unnecessarily Signed-off-by: Michael Niedermayer (cherry picked from commit cc538e9dbd14b61d1ac8c9fa687d83289673fe90) Conflicts: libswscale/utils.c --- libswscale/utils.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 66bce60c13..8dcc116147 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -829,8 +829,6 @@ int sws_setColorspaceDetails(struct SwsContext *c, const int inv_table[4], const AVPixFmtDescriptor *desc_dst; const AVPixFmtDescriptor *desc_src; int need_reinit = 0; - memmove(c->srcColorspaceTable, inv_table, sizeof(int) * 4); - memmove(c->dstColorspaceTable, table, sizeof(int) * 4); handle_formats(c); desc_dst = av_pix_fmt_desc_get(c->dstFormat); @@ -841,11 +839,24 @@ int sws_setColorspaceDetails(struct SwsContext *c, const int inv_table[4], if(!isYUV(c->srcFormat) && !isGray(c->srcFormat)) srcRange = 0; + if (c->srcRange != srcRange || + c->dstRange != dstRange || + c->brightness != brightness || + c->contrast != contrast || + c->saturation != saturation || + memcmp(c->srcColorspaceTable, inv_table, sizeof(int) * 4) || + memcmp(c->dstColorspaceTable, table, sizeof(int) * 4) + ) + need_reinit = 1; + + memmove(c->srcColorspaceTable, inv_table, sizeof(int) * 4); + memmove(c->dstColorspaceTable, table, sizeof(int) * 4); + + + c->brightness = brightness; c->contrast = contrast; c->saturation = saturation; - if (c->srcRange != srcRange || c->dstRange != dstRange) - need_reinit = 1; c->srcRange = srcRange; c->dstRange = dstRange; @@ -860,6 +871,9 @@ int sws_setColorspaceDetails(struct SwsContext *c, const int inv_table[4], c->dstFormatBpp = av_get_bits_per_pixel(desc_dst); c->srcFormatBpp = av_get_bits_per_pixel(desc_src); + if (!need_reinit) + return 0; + if (!isYUV(c->dstFormat) && !isGray(c->dstFormat)) { ff_yuv2rgb_c_init_tables(c, inv_table, srcRange, brightness, contrast, saturation); From 123d356829d6d72f75c820a184fee3dc7086dde0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Jan 2016 13:29:38 +0100 Subject: [PATCH 297/380] avformat/hls: More strict url checks No case is known where these are needed Signed-off-by: Michael Niedermayer (cherry picked from commit 6ba42b6482c725a59eb468391544dc0c75b8c6f0) Conflicts: libavformat/hls.c Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index e7e323b71b..472e226faa 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1010,6 +1010,19 @@ static void update_options(char **dest, const char *name, void *src) av_freep(dest); } +static int check_url(const char *url) { + const char *proto_name = avio_find_protocol_name(url); + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) + return AVERROR_INVALIDDATA; + + if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') + return 0; + else if (strcmp(proto_name, "file") || !strcmp(url, "file,")) + return AVERROR_INVALIDDATA; + + return 0; +} + static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) { AVDictionary *opts = NULL; @@ -1036,11 +1049,9 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { - const char *proto_name = avio_find_protocol_name(seg->url); - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { - ret = AVERROR_INVALIDDATA; + ret = check_url(seg->url); + if (ret < 0) goto cleanup; - } ret = ffurl_open(&pls->input, seg->url, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts); @@ -1049,11 +1060,10 @@ static int open_input(HLSContext *c, struct playlist *pls, struct segment *seg) char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { URLContext *uc; - const char *proto_name = avio_find_protocol_name(seg->key); - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { - ret = AVERROR_INVALIDDATA; + ret = check_url(seg->key); + if (ret < 0) goto cleanup; - } + if (ffurl_open(&uc, seg->key, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts2) == 0) { if (ffurl_read_complete(uc, pls->key, sizeof(pls->key)) From e681e92d2c8a46feb11ce1f36ff82c16e37cfe11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Jan 2016 15:29:22 +0100 Subject: [PATCH 298/380] avformat/hls: Even stricter URL checks This fixes a null pointer dereference at least Signed-off-by: Michael Niedermayer (cherry picked from commit cfda1bea4c18ec1edbc11ecc465f788b02851488) Conflicts: libavformat/hls.c --- libavformat/hls.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 472e226faa..a6bf692b01 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1012,12 +1012,16 @@ static void update_options(char **dest, const char *name, void *src) static int check_url(const char *url) { const char *proto_name = avio_find_protocol_name(url); + + if (!proto_name) + return AVERROR_INVALIDDATA; + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) return AVERROR_INVALIDDATA; if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') return 0; - else if (strcmp(proto_name, "file") || !strcmp(url, "file,")) + else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5)) return AVERROR_INVALIDDATA; return 0; From d4a7e8979338865dea5eed1615d133dc54031700 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 2 Jan 2016 16:28:31 -0300 Subject: [PATCH 299/380] configure: bump copyright year to 2016 Signed-off-by: James Almer (cherry picked from commit 78129978f02f27d76ecaf2cd1a7bf7a47253fdab) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index cf124b7e92..66eb54ab67 100755 --- a/configure +++ b/configure @@ -5950,7 +5950,7 @@ cat > $TMPH < Date: Fri, 15 Jan 2016 16:29:16 +0100 Subject: [PATCH 300/380] Update for 2.7.5 Signed-off-by: Michael Niedermayer --- Changelog | 29 +++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 0935c1a2da..990a34807e 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,35 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.7.5 +- configure: bump copyright year to 2016 +- avformat/hls: Even stricter URL checks +- avformat/hls: More strict url checks +- swscale/utils: Detect and skip unneeded sws_setColorspaceDetails() calls +- swscale/yuv2rgb: Increase YUV2RGB table headroom +- swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out +- avformat/hls: forbid all protocols except http(s) & file +- avformat/aviobuf: Fix end check in put_str16() +- avformat/asfenc: Check pts +- avcodec/mpeg4video: Check time_incr +- avcodec/wavpackenc: Check the number of channels +- avcodec/wavpackenc: Headers are per channel +- avcodec/aacdec_template: Check id_map +- avcodec/dvdec: Fix "left shift of negative value -254" +- avcodec/mjpegdec: Fix negative shift +- avcodec/mss2: Check for repeat overflow +- avformat: Add integer fps from 31 to 60 to get_std_framerate() +- avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range +- avfilter/vf_scale: set proper out frame color range +- avcodec/motion_est: Fix mv_penalty table size +- avcodec/h264_slice: Fix integer overflow in implicit weight computation +- swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions +- avcodec/put_bits: Always check buffer end before writing +- mjpegdec: extend check for incompatible values of s->rgb and s->ls +- swscale/utils: Fix intermediate format for cascaded alpha downscaling +- x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse +- avfilter/vf_zoompan: do not free frame we pushed to lavfi + version 2.7.4 - nuv: sanitize negative fps rate diff --git a/RELEASE b/RELEASE index a4dd9dba4f..a603bb50a2 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.7.4 +2.7.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 7e7e091d24..1b8e500b1d 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.7.4 +PROJECT_NUMBER = 2.7.5 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From a697577a641de602e55fcdcd88be3bb657ebcbd2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 13 Jan 2016 19:26:40 -0300 Subject: [PATCH 301/380] avcodec/wavpackenc: print channel count in av_log call Fixes a warning with -Wformat-extra-args (cherry picked from commit 17e7fdf61a04f52c499e2d06eab2cf2d22343aa9) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 0798fc5d68..f8b6a7c931 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -129,7 +129,7 @@ static av_cold int wavpack_encode_init(AVCodecContext *avctx) s->avctx = avctx; if (avctx->channels > 255) { - av_log(avctx, AV_LOG_ERROR, "Too many channels\n", avctx->channels); + av_log(avctx, AV_LOG_ERROR, "Invalid channel count: %d\n", avctx->channels); return AVERROR(EINVAL); } From 0c03d860f49aca335f7977ab5c8997c2ba28992a Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 1 Nov 2015 17:02:26 +0100 Subject: [PATCH 302/380] avformat/ipmovie: put video decoding_map_size into packet and use it in decoder The size of decoding map can differ from one calculated internally, producing artifacts while decoding video. Signed-off-by: Paul B Mahol (cherry picked from commit c293ef258cbb2c058e23651a26edf46e3bc05050) Signed-off-by: Andreas Cadhalpun --- libavcodec/interplayvideo.c | 14 +++++++++----- libavformat/ipmovie.c | 7 ++++--- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 2106419da3..a858ab9e67 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -38,6 +38,7 @@ #include #include +#include "libavutil/intreadwrite.h" #include "avcodec.h" #include "bytestream.h" #include "hpeldsp.h" @@ -949,7 +950,7 @@ static void ipvideo_decode_opcodes(IpvideoContext *s, AVFrame *frame) } } if (bytestream2_get_bytes_left(&s->stream_ptr) > 1) { - av_log(s->avctx, AV_LOG_ERROR, + av_log(s->avctx, AV_LOG_DEBUG, "decode finished with %d bytes left over\n", bytestream2_get_bytes_left(&s->stream_ptr)); } @@ -987,12 +988,15 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret; + if (buf_size < 2) + return AVERROR_INVALIDDATA; + /* decoding map contains 4 bits of information per 8x8 block */ - s->decoding_map_size = avctx->width * avctx->height / (8 * 8 * 2); + s->decoding_map_size = AV_RL16(avpkt->data); /* compressed buffer needs to be large enough to at least hold an entire * decoding map */ - if (buf_size < s->decoding_map_size) + if (buf_size < s->decoding_map_size + 2) return buf_size; if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { @@ -1000,8 +1004,8 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, av_frame_unref(s->second_last_frame); } - s->decoding_map = buf; - bytestream2_init(&s->stream_ptr, buf + s->decoding_map_size, + s->decoding_map = buf + 2; + bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size, buf_size - s->decoding_map_size); if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index af518b59d3..47c93dd9b8 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -156,7 +156,7 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, /* send both the decode map and the video data together */ - if (av_new_packet(pkt, s->decode_map_chunk_size + s->video_chunk_size)) + if (av_new_packet(pkt, 2 + s->decode_map_chunk_size + s->video_chunk_size)) return CHUNK_NOMEM; if (s->has_palette) { @@ -178,7 +178,8 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, avio_seek(pb, s->decode_map_chunk_offset, SEEK_SET); s->decode_map_chunk_offset = 0; - if (avio_read(pb, pkt->data, s->decode_map_chunk_size) != + AV_WL16(pkt->data, s->decode_map_chunk_size); + if (avio_read(pb, pkt->data + 2, s->decode_map_chunk_size) != s->decode_map_chunk_size) { av_free_packet(pkt); return CHUNK_EOF; @@ -187,7 +188,7 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, avio_seek(pb, s->video_chunk_offset, SEEK_SET); s->video_chunk_offset = 0; - if (avio_read(pb, pkt->data + s->decode_map_chunk_size, + if (avio_read(pb, pkt->data + 2 + s->decode_map_chunk_size, s->video_chunk_size) != s->video_chunk_size) { av_free_packet(pkt); return CHUNK_EOF; From a21ec4e1ee5475000847572a35e19fad122acbe4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 2 Jan 2016 16:27:02 +0100 Subject: [PATCH 303/380] ffmdec: reset packet_end in case of failure This fixes segmentation faults caused by passing a packet_ptr of NULL to memcpy. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 40eb2531b279abe008012c5c2c292552d3e62449) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 1d1a9ae1e1..9422130d1b 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -113,9 +113,10 @@ static int ffm_read_data(AVFormatContext *s, ffm->dts = avio_rb64(pb); frame_offset = avio_rb16(pb); avio_read(pb, ffm->packet, ffm->packet_size - FFM_HEADER_SIZE); - ffm->packet_end = ffm->packet + (ffm->packet_size - FFM_HEADER_SIZE - fill_size); - if (ffm->packet_end < ffm->packet || frame_offset < 0) + if (ffm->packet_size < FFM_HEADER_SIZE + fill_size || frame_offset < 0) { return -1; + } + ffm->packet_end = ffm->packet + (ffm->packet_size - FFM_HEADER_SIZE - fill_size); /* if first packet or resynchronization packet, we must handle it specifically */ if (ffm->first_packet || (frame_offset & 0x8000)) { @@ -131,8 +132,10 @@ static int ffm_read_data(AVFormatContext *s, return 0; } ffm->first_packet = 0; - if ((frame_offset & 0x7fff) < FFM_HEADER_SIZE) + if ((frame_offset & 0x7fff) < FFM_HEADER_SIZE) { + ffm->packet_end = ffm->packet_ptr; return -1; + } ffm->packet_ptr = ffm->packet + (frame_offset & 0x7fff) - FFM_HEADER_SIZE; if (!header) break; From 00a0c0fd75f270427970cf69f6729952987b9d36 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 Jan 2016 19:20:54 +0100 Subject: [PATCH 304/380] vorbisdec: reject channel mapping with less than two channels It causes the angle channel number to equal the magnitude channel number, which makes the stream undecodable according to the specification. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit b4b13848dec5420fa5dd9e1a7d4dfae5de1932d5) Signed-off-by: Andreas Cadhalpun --- libavcodec/vorbisdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 2926e8e59d..e01f915b39 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -789,6 +789,11 @@ static int vorbis_parse_setup_hdr_mappings(vorbis_context *vc) if (get_bits1(gb)) { mapping_setup->coupling_steps = get_bits(gb, 8) + 1; + if (vc->audio_channels < 2) { + av_log(vc->avctx, AV_LOG_ERROR, + "Square polar channel mapping with less than two channels is not compliant with the Vorbis I specification.\n"); + return AVERROR_INVALIDDATA; + } mapping_setup->magnitude = av_mallocz(mapping_setup->coupling_steps * sizeof(*mapping_setup->magnitude)); mapping_setup->angle = av_mallocz(mapping_setup->coupling_steps * From 6fe77207ed3bd11f604490eae11bffd5ed91e50f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 Jan 2016 19:11:24 +0100 Subject: [PATCH 305/380] vorbisdec: reject rangebits 0 with non-0 partitions This causes non-unique elements in floor_setup->data.t1.list, which makes the stream undecodable according to the specification. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit e7a7b3135a4e5ba4bd2e144444d95a7563f53e9b) Signed-off-by: Andreas Cadhalpun --- libavcodec/vorbisdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index e01f915b39..dbbf651c99 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -573,6 +573,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) return AVERROR(ENOMEM); rangebits = get_bits(gb, 4); + if (!rangebits && floor_setup->data.t1.partitions) { + av_log(vc->avctx, AV_LOG_ERROR, + "A rangebits value of 0 is not compliant with the Vorbis I specification.\n"); + return AVERROR_INVALIDDATA; + } rangemax = (1 << rangebits); if (rangemax > vc->blocksize[1] / 2) { av_log(vc->avctx, AV_LOG_ERROR, From 496c02a065bde5b1a0d6df9ebfcec462f672175d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 Jan 2016 12:57:38 +0100 Subject: [PATCH 306/380] brstm: make sure an ADPC chunk was read for adpcm_thp This fixes NULL pointer dereferencing. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit d7d37c479fa71639650751648275615e979beb33) Signed-off-by: Andreas Cadhalpun --- libavformat/brstm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/brstm.c b/libavformat/brstm.c index 19a4a2a96b..9228fa7488 100644 --- a/libavformat/brstm.c +++ b/libavformat/brstm.c @@ -260,6 +260,11 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) if (codec->codec_id == AV_CODEC_ID_ADPCM_THP) { uint8_t *dst; + if (!b->adpc) { + av_log(s, AV_LOG_ERROR, "adpcm_thp requires ADPC chunk, but none was found.\n"); + return AVERROR_INVALIDDATA; + } + if (av_new_packet(pkt, 8 + (32 + 4) * codec->channels + size) < 0) return AVERROR(ENOMEM); dst = pkt->data; From 269a522aeccfe01422febaff99ccf02ec7a21268 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 Jan 2016 12:53:20 +0100 Subject: [PATCH 307/380] brstm: also allocate b->table in read_packet This fixes NULL pointer dereferencing if the codec is forced to adpcm_thp even though a different one was detected. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit bcf4ee26a0a1ed349ec7489925540401002b87cc) Signed-off-by: Andreas Cadhalpun --- libavformat/brstm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/brstm.c b/libavformat/brstm.c index 9228fa7488..aba3770ee6 100644 --- a/libavformat/brstm.c +++ b/libavformat/brstm.c @@ -263,6 +263,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) if (!b->adpc) { av_log(s, AV_LOG_ERROR, "adpcm_thp requires ADPC chunk, but none was found.\n"); return AVERROR_INVALIDDATA; + if (!b->table) { + b->table = av_mallocz(32 * codec->channels); + if (!b->table) + return AVERROR(ENOMEM); } if (av_new_packet(pkt, 8 + (32 + 4) * codec->channels + size) < 0) From f106232e9405782fee6f7d74d9ecb564e280d132 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 Jan 2016 13:44:16 +0100 Subject: [PATCH 308/380] brstm: fix missing closing brace Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1cb2331eca0dbde1bc63bc715a0e98771dda8b80) Signed-off-by: Andreas Cadhalpun --- libavformat/brstm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/brstm.c b/libavformat/brstm.c index aba3770ee6..6afae73b2f 100644 --- a/libavformat/brstm.c +++ b/libavformat/brstm.c @@ -263,6 +263,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) if (!b->adpc) { av_log(s, AV_LOG_ERROR, "adpcm_thp requires ADPC chunk, but none was found.\n"); return AVERROR_INVALIDDATA; + } if (!b->table) { b->table = av_mallocz(32 * codec->channels); if (!b->table) From 41157f6bfff364b82a47c260b99a43d9489311ff Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 13 Jan 2016 00:52:58 +0100 Subject: [PATCH 309/380] dca: fix misaligned access in avpriv_dca_convert_bitstream src and dst are only 8-bit-aligned, so accessing them as uint16_t causes SIGBUS crashes on architectures like sparc. This fixes ubsan runtime error: load of misaligned address for type 'const uint16_t', which requires 2 byte alignment Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 44ac13eed49593f4f8efdb72ab0d5b48e05aa305) Signed-off-by: Andreas Cadhalpun --- libavcodec/dca.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 8dd043088e..714509b267 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -41,8 +41,6 @@ int avpriv_dca_convert_bitstream(const uint8_t *src, int src_size, uint8_t *dst, { uint32_t mrk; int i, tmp; - const uint16_t *ssrc = (const uint16_t *) src; - uint16_t *sdst = (uint16_t *) dst; PutBitContext pb; if ((unsigned) src_size > (unsigned) max_size) @@ -54,8 +52,11 @@ int avpriv_dca_convert_bitstream(const uint8_t *src, int src_size, uint8_t *dst, memcpy(dst, src, src_size); return src_size; case DCA_SYNCWORD_CORE_LE: - for (i = 0; i < (src_size + 1) >> 1; i++) - *sdst++ = av_bswap16(*ssrc++); + for (i = 0; i < (src_size + 1) >> 1; i++) { + AV_WB16(dst, AV_RL16(src)); + src += 2; + dst += 2; + } return src_size; case DCA_SYNCWORD_CORE_14B_BE: case DCA_SYNCWORD_CORE_14B_LE: From 4b17205c775608247e6726ecad018de0b6a8bc20 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Aug 2015 03:08:10 +0200 Subject: [PATCH 310/380] swscale/swscale-test: Fix slice height in random reference data creation. Found-by: Pedro Arthur Signed-off-by: Michael Niedermayer --- libswscale/swscale-test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale-test.c b/libswscale/swscale-test.c index 661ff5b7b2..b79bb2373a 100644 --- a/libswscale/swscale-test.c +++ b/libswscale/swscale-test.c @@ -399,7 +399,7 @@ bad_option: for (y = 0; y < H; y++) for (x = 0; x < W * 4; x++) rgb_data[ x + y * 4 * W] = av_lfg_get(&rand); - sws_scale(sws, rgb_src, rgb_stride, 0, H, src, stride); + sws_scale(sws, rgb_src, rgb_stride, 0, H / 12, src, stride); sws_freeContext(sws); av_free(rgb_data); From 9d230f4666ac98c35a1a42b1a91e934fa563a579 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2016 18:32:07 +0100 Subject: [PATCH 311/380] avcodec/aacenc: Check both channels for finiteness Fixes null pointer dereference Fixes: 10412fc52ecc6eab40ed67f82ca7b372/signal_sigsegv_2618c99_2129_f808373959e46afb165593332799ffbc.aif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 057549a9ccc9fd32df71678e6abe69e10668186a) Conflicts: libavcodec/aacenc.c --- libavcodec/aacenc.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 897c3a10df..47fc1be446 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -589,8 +589,16 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, ics->group_len[w] = wi[ch].grouping[w]; apply_window_and_mdct(s, &cpe->ch[ch], overlap); - if (isnan(cpe->ch->coeffs[0])) { - av_log(avctx, AV_LOG_ERROR, "Input contains NaN\n"); + + if (isnan(cpe->ch[ch].coeffs[ 0]) || isinf(cpe->ch[ch].coeffs[ 0]) || + isnan(cpe->ch[ch].coeffs[ 128]) || isinf(cpe->ch[ch].coeffs[ 128]) || + isnan(cpe->ch[ch].coeffs[2*128]) || isinf(cpe->ch[ch].coeffs[2*128]) || + isnan(cpe->ch[ch].coeffs[3*128]) || isinf(cpe->ch[ch].coeffs[3*128]) || + isnan(cpe->ch[ch].coeffs[4*128]) || isinf(cpe->ch[ch].coeffs[4*128]) || + isnan(cpe->ch[ch].coeffs[5*128]) || isinf(cpe->ch[ch].coeffs[5*128]) || + isnan(cpe->ch[ch].coeffs[6*128]) || isinf(cpe->ch[ch].coeffs[6*128]) || + isnan(cpe->ch[ch].coeffs[7*128]) || isinf(cpe->ch[ch].coeffs[7*128])) { + av_log(avctx, AV_LOG_ERROR, "Input contains NaN/+-Inf\n"); return AVERROR(EINVAL); } } From d3cefc271daa9b5829b14469b63fac8359241c3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 00:55:44 +0100 Subject: [PATCH 312/380] swscale/swscale_unscaled: Fix odd height inputs for bayer_to_rgb24_wrapper() Fixes: 372d2df1f04b49e25f109f07f90b1505/asan_heap-oob_2835d2e_8501_99e0114d7ba3a6db885d0b4684d200c1.cine Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ad3b6fa7d83db7de951ed891649af93a47e74be5) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 1dc42c81e1..56e3933ea6 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -1059,6 +1059,8 @@ static int bayer_to_rgb24_wrapper(SwsContext *c, const uint8_t* src[], int srcSt default: return 0; } + av_assert0(srcSliceH > 1); + copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); srcPtr += 2 * srcStride[0]; dstPtr += 2 * dstStride[0]; @@ -1069,7 +1071,10 @@ static int bayer_to_rgb24_wrapper(SwsContext *c, const uint8_t* src[], int srcSt dstPtr += 2 * dstStride[0]; } - copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); + if (i + 1 == srcSliceH) { + copy(srcPtr, -srcStride[0], dstPtr, -dstStride[0], c->srcW); + } else if (i < srcSliceH) + copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); return srcSliceH; } From 1a88eef93bd1a175465d61d162d42e4921549ba2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 00:55:44 +0100 Subject: [PATCH 313/380] swscale/swscale_unscaled: Fix odd height inputs for bayer_to_yv12_wrapper() Fixes: 372d2df1f04b49e25f109f07f90b1505/asan_heap-oob_2835d2e_8501_99e0114d7ba3a6db885d0b4684d200c1.cine Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 757248ea3cd917a7755cb15f817a9b1f15578718) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 56e3933ea6..1c75063e32 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -1110,6 +1110,8 @@ static int bayer_to_yv12_wrapper(SwsContext *c, const uint8_t* src[], int srcStr default: return 0; } + av_assert0(srcSliceH > 1); + copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); srcPtr += 2 * srcStride[0]; dstY += 2 * dstStride[0]; @@ -1124,7 +1126,10 @@ static int bayer_to_yv12_wrapper(SwsContext *c, const uint8_t* src[], int srcStr dstV += dstStride[1]; } - copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); + if (i + 1 == srcSliceH) { + copy(srcPtr, -srcStride[0], dstY, dstU, dstV, -dstStride[0], c->srcW, c->input_rgb2yuv_table); + } else if (i < srcSliceH) + copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); return srcSliceH; } From edc7ef376bbea64441d3756dcb7301c646dead20 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 12:33:50 +0100 Subject: [PATCH 314/380] swscale/x86/rgb2rgb_template: Fix planar2x() for short width Fixes: 451b3e0cf956c0bd2f27ed753ac24050/asan_heap-oob_2873c01_3231_7ed10a9464d15f0d57277f5917c566a8.AVI Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c8a9aaab2695e0f9921db946a3b9f14bea880167) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index a10f268009..b56e15cf36 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1434,7 +1434,9 @@ static inline void RENAME(planar2x)(const uint8_t *src, uint8_t *dst, int srcWid dst+= dstStride; for (y=1; y> 2; + dst[dstStride] = (src[0] + 3 * src[srcStride]) >> 2; + } for (x=mmxSize-1; x>2; From 1b6390dd5be9f4edae0230c18c462d91d185ff16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 18:57:01 +0100 Subject: [PATCH 315/380] swscale/swscale: Add some sanity checks for srcSlice* parameters Signed-off-by: Michael Niedermayer (cherry picked from commit 321e85e1769ca1fc1567025ae264760790ee7fc9) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 5312016927..c3a14b7009 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -919,12 +919,20 @@ int attribute_align_arg sws_scale(struct SwsContext *c, const uint8_t *src2[4]; uint8_t *dst2[4]; uint8_t *rgb0_tmp = NULL; + int macro_height = isBayer(c->srcFormat) ? 2 : (1 << c->chrSrcVSubSample); if (!srcStride || !dstStride || !dst || !srcSlice) { av_log(c, AV_LOG_ERROR, "One of the input parameters to sws_scale() is NULL, please check the calling code\n"); return 0; } + if ((srcSliceY & (macro_height-1)) || + ((srcSliceH& (macro_height-1)) && srcSliceY + srcSliceH != c->srcH) || + srcSliceY + srcSliceH > c->srcH) { + av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); + return AVERROR(EINVAL); + } + if (c->gamma_flag && c->cascaded_context[0]) { From eb0872335f0118d7081f05df7f441d8edf0171cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Jan 2016 03:31:25 +0100 Subject: [PATCH 316/380] avcodec/tiff: Check subsample & rps values more completely Fixes out of array access Fixes: 83aedfb29af669c4d6e10f1bfad974d2/asan_heap-oob_1ab42fe_4984_9f6ec14462f8d8a00ea24b320572a963.tif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 89f464e9c229006e16f6bb5403c5529fdd0a9edd) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 7a7f9b748d..bdf5ed9972 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1008,8 +1008,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) av_log(s->avctx, AV_LOG_ERROR, "subsample count invalid\n"); return AVERROR_INVALIDDATA; } - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { s->subsampling[i] = ff_tget(&s->gb, type, s->le); + if (s->subsampling[i] <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]); + return AVERROR_INVALIDDATA; + } + } break; case TIFF_T4OPTIONS: if (s->compr == TIFF_G3) @@ -1257,7 +1262,7 @@ static int decode_frame(AVCodecContext *avctx, avpkt->size - s->strippos); } - if (s->rps <= 0) { + if (s->rps <= 0 || s->rps % s->subsampling[1]) { av_log(avctx, AV_LOG_ERROR, "rps %d invalid\n", s->rps); return AVERROR_INVALIDDATA; } From f6755e5e19eb84de3e9f6838406d9f1f240c02b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Jan 2016 17:13:55 +0100 Subject: [PATCH 317/380] avcodec/put_bits: Assert buf_ptr in flush_put_bits() Signed-off-by: Michael Niedermayer (cherry picked from commit 3ef5de0f19774e2c3dd9b08ba2e8ab7241a4862a) Signed-off-by: Michael Niedermayer --- libavcodec/put_bits.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 0db8a033ad..68ed391195 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -105,7 +105,7 @@ static inline void flush_put_bits(PutBitContext *s) s->bit_buf <<= s->bit_left; #endif while (s->bit_left < 32) { - /* XXX: should test end of buffer */ + av_assert0(s->buf_ptr < s->buf_end); #ifdef BITSTREAM_WRITER_LE *s->buf_ptr++ = s->bit_buf; s->bit_buf >>= 8; From 40e846bb3f8e6fcc0133f1da24ef30de0a6c5f16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Jan 2016 19:20:03 +0100 Subject: [PATCH 318/380] avcodec/gif: Fix lzw buffer size Fixes out of array access Fixes: aaa479088e6fb40b04837b3119f47b04/asan_heap-oob_e38c68_8576_9d653078b2470700e2834636f12ff557.tga Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 03d83ba34b2070878909eae18dfac0f519503777) Signed-off-by: Michael Niedermayer --- libavcodec/gif.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/gif.c b/libavcodec/gif.c index cf5d438a72..e55337568a 100644 --- a/libavcodec/gif.c +++ b/libavcodec/gif.c @@ -43,6 +43,7 @@ typedef struct GIFContext { const AVClass *class; LZWState *lzw; uint8_t *buf; + int buf_size; AVFrame *last_frame; int flags; uint32_t palette[AVPALETTE_COUNT]; ///< local reference palette for !pal8 @@ -174,7 +175,7 @@ static int gif_image_write_image(AVCodecContext *avctx, bytestream_put_byte(bytestream, 0x08); - ff_lzw_encode_init(s->lzw, s->buf, 2 * width * height, + ff_lzw_encode_init(s->lzw, s->buf, s->buf_size, 12, FF_LZW_GIF, put_bits); ptr = buf + y_start*linesize + x_start; @@ -232,7 +233,8 @@ static av_cold int gif_encode_init(AVCodecContext *avctx) s->transparent_index = -1; s->lzw = av_mallocz(ff_lzw_encode_state_size); - s->buf = av_malloc(avctx->width*avctx->height*2); + s->buf_size = avctx->width*avctx->height*2 + 1000; + s->buf = av_malloc(s->buf_size); s->tmpl = av_malloc(avctx->width); if (!s->tmpl || !s->buf || !s->lzw) return AVERROR(ENOMEM); @@ -324,6 +326,7 @@ static int gif_encode_close(AVCodecContext *avctx) av_freep(&s->lzw); av_freep(&s->buf); + s->buf_size = 0; av_frame_free(&s->last_frame); av_freep(&s->tmpl); return 0; From c6ab367dbe7303c657835ff6d5ce2e66119e8ee7 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Fri, 15 Jan 2016 17:03:49 +0000 Subject: [PATCH 319/380] mov: Add an option to toggle dref opening This feature is mostly only used by NLE software, and is both of dubious value being enabled by default, and a possible security risk. Signed-off-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit 712d962a6a29b1099cd872cfb07867175a93ac4c) Conflicts: libavformat/isom.h libavformat/mov.c libavformat/version.h Signed-off-by: Michael Niedermayer --- libavformat/isom.h | 1 + libavformat/mov.c | 22 +++++++++++++++++----- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index 5d48989fd9..da3285e944 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -198,6 +198,7 @@ typedef struct MOVContext { MOVFragmentIndex** fragment_index_data; unsigned fragment_index_count; int atom_depth; + int enable_drefs; } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); diff --git a/libavformat/mov.c b/libavformat/mov.c index 65c4461747..1f122b4799 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2801,13 +2801,23 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (sc->dref_id-1 < sc->drefs_count && sc->drefs[sc->dref_id-1].path) { MOVDref *dref = &sc->drefs[sc->dref_id - 1]; - if (mov_open_dref(c, &sc->pb, c->fc->filename, dref, - &c->fc->interrupt_callback) < 0) - av_log(c->fc, AV_LOG_ERROR, - "stream %d, error opening alias: path='%s', dir='%s', " - "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d\n", + if (c->enable_drefs) { + if (mov_open_dref(c, &sc->pb, c->fc->filename, dref, + &c->fc->interrupt_callback) < 0) + av_log(c->fc, AV_LOG_ERROR, + "stream %d, error opening alias: path='%s', dir='%s', " + "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d\n", + st->index, dref->path, dref->dir, dref->filename, + dref->volume, dref->nlvl_from, dref->nlvl_to); + } else { + av_log(c->fc, AV_LOG_WARNING, + "Skipped opening external track: " + "stream %d, alias: path='%s', dir='%s', " + "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d." + "Set enable_drefs to allow this.\n", st->index, dref->path, dref->dir, dref->filename, dref->volume, dref->nlvl_from, dref->nlvl_to); + } } else { sc->pb = c->fc->pb; sc->pb_is_copied = 1; @@ -4537,6 +4547,8 @@ static const AVOption mov_options[] = { AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = FLAGS }, { "export_xmp", "Export full XMP metadata", OFFSET(export_xmp), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = FLAGS }, + { "enable_drefs", "Enable external track support.", OFFSET(enable_drefs), AV_OPT_TYPE_INT, + {.i64 = 0}, 0, 1, FLAGS }, { NULL }, }; From 6fabd858659994b98589bfaf42f700e1c5b85da8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 15:39:11 +0100 Subject: [PATCH 320/380] avcodec/ass_split: Fix null pointer dereference in ff_ass_style_get() Fixes: 55d71971da50365d542ed14b65565fe1/signal_sigsegv_4765a4_8499_f146af090a94f591d6254515c7700ef5.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 158f0545d81b2aca1c936490f80d13988616910e) Signed-off-by: Michael Niedermayer --- libavcodec/ass_split.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ass_split.c b/libavcodec/ass_split.c index 2458cb9225..5b6d7af1d1 100644 --- a/libavcodec/ass_split.c +++ b/libavcodec/ass_split.c @@ -523,7 +523,7 @@ ASSStyle *ff_ass_style_get(ASSSplitContext *ctx, const char *style) if (!style || !*style) style = "Default"; for (i=0; istyles_count; i++) - if (!strcmp(ass->styles[i].name, style)) + if (ass->styles[i].name && !strcmp(ass->styles[i].name, style)) return ass->styles + i; return NULL; } From 4180a83892b498ecd6e42cfc2c330e2684d2b817 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 11:21:44 +0100 Subject: [PATCH 321/380] avformat/img2dec: do not interpret the filename by default if a IO context has been opened With this, user applications which use custom IO and have set a IO context will not have their already opened IO context ignored and glob/seq being interpreted Comments and tests from maintainers of user apps are welcome! Liked-by: wm4 Signed-off-by: Michael Niedermayer (cherry picked from commit 7ccedc1c78c9a5140758f515d46ce23de6e6a7d2) Signed-off-by: Michael Niedermayer --- libavformat/img2.h | 3 ++- libavformat/img2dec.c | 9 ++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/img2.h b/libavformat/img2.h index f6b9dd9220..a9678d1f6e 100644 --- a/libavformat/img2.h +++ b/libavformat/img2.h @@ -34,7 +34,8 @@ enum PatternType { PT_GLOB_SEQUENCE, PT_GLOB, PT_SEQUENCE, - PT_NONE + PT_NONE, + PT_DEFAULT }; typedef struct VideoDemuxData { diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index f9ecf6f042..67754f21a2 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -224,6 +224,13 @@ int ff_img_read_header(AVFormatContext *s1) } if (!s->is_pipe) { + if (s->pattern_type == PT_DEFAULT) { + if (s1->pb) { + s->pattern_type = PT_NONE; + } else + s->pattern_type = PT_GLOB_SEQUENCE; + } + if (s->pattern_type == PT_GLOB_SEQUENCE) { s->use_glob = is_glob(s->path); if (s->use_glob) { @@ -550,7 +557,7 @@ const AVOption ff_img_options[] = { { "framerate", "set the video framerate", OFFSET(framerate), AV_OPT_TYPE_VIDEO_RATE, {.str = "25"}, 0, 0, DEC }, { "loop", "force loop over input file sequence", OFFSET(loop), AV_OPT_TYPE_INT, {.i64 = 0 }, 0, 1, DEC }, - { "pattern_type", "set pattern type", OFFSET(pattern_type), AV_OPT_TYPE_INT, {.i64=PT_GLOB_SEQUENCE}, 0, INT_MAX, DEC, "pattern_type"}, + { "pattern_type", "set pattern type", OFFSET(pattern_type), AV_OPT_TYPE_INT, {.i64=PT_DEFAULT}, 0, INT_MAX, DEC, "pattern_type"}, { "glob_sequence","select glob/sequence pattern type", 0, AV_OPT_TYPE_CONST, {.i64=PT_GLOB_SEQUENCE}, INT_MIN, INT_MAX, DEC, "pattern_type" }, { "glob", "select glob pattern type", 0, AV_OPT_TYPE_CONST, {.i64=PT_GLOB }, INT_MIN, INT_MAX, DEC, "pattern_type" }, { "sequence", "select sequence pattern type", 0, AV_OPT_TYPE_CONST, {.i64=PT_SEQUENCE }, INT_MIN, INT_MAX, DEC, "pattern_type" }, From 3cd17b9b5c4301405c99bcb6897f7ebf975ad1ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 09:43:54 +0100 Subject: [PATCH 322/380] avformat/avio: Limit url option parsing to the documented cases This feature is not know much or used much AFAIK, and it might be helpfull in exploits. No specific case is known where it can be used in an exploit though subsequent commits depend on this commit though Signed-off-by: Michael Niedermayer (cherry picked from commit 984d58a3440d513f66344b5332f6b589c0a6bbc6) Signed-off-by: Michael Niedermayer --- libavformat/avio.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index 261ff2af98..822f87cde3 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -156,9 +156,16 @@ static int url_alloc_for_protocol(URLContext **puc, struct URLProtocol *up, char sep= *++p; char *key, *val; p++; + + if (strcmp(up->name, "subfile")) + ret = AVERROR(EINVAL); + while(ret >= 0 && (key= strchr(p, sep)) && ppriv_data, p, key+1, 0); + if (strcmp(p, "start") && strcmp(p, "end")) { + ret = AVERROR_OPTION_NOT_FOUND; + } else + ret= av_opt_set(uc->priv_data, p, key+1, 0); if (ret == AVERROR_OPTION_NOT_FOUND) av_log(uc, AV_LOG_ERROR, "Key '%s' not found.\n", p); *val= *key= sep; @@ -223,7 +230,7 @@ static struct URLProtocol *url_find_protocol(const char *filename) size_t proto_len = strspn(filename, URL_SCHEME_CHARS); if (filename[proto_len] != ':' && - (filename[proto_len] != ',' || !strchr(filename + proto_len + 1, ':')) || + (strncmp(filename, "subfile,", 8) || !strchr(filename + proto_len + 1, ':')) || is_dos_path(filename)) strcpy(proto_str, "file"); else From 8c2f006d10c7e8df42d6ee57060bd1ce6ff3298f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 02:35:56 +0100 Subject: [PATCH 323/380] avformat/img2dec: Use AVOpenCallback Signed-off-by: Michael Niedermayer (cherry picked from commit b750b67d13696fdbcd62ce7238eb2826f2be4686) Conflicts: libavformat/img2dec.c --- libavformat/img2dec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 67754f21a2..1ee6a0f6e4 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -376,6 +376,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) int size[3] = { 0 }, ret[3] = { 0 }; AVIOContext *f[3] = { NULL }; AVCodecContext *codec = s1->streams[0]->codec; + AVOpenCallback open_func = s1->open_cb; + + if (!open_func) + open_func = ffio_open2_wrapper; if (!s->is_pipe) { /* loop over input */ @@ -397,7 +401,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) return AVERROR(EIO); } for (i = 0; i < 3; i++) { - if (avio_open2(&f[i], filename, AVIO_FLAG_READ, + if (open_func(s1, &f[i], filename, AVIO_FLAG_READ, &s1->interrupt_callback, NULL) < 0) { if (i >= 1) break; From 302f11e719cc7fc59960f145b99b1f54a4ba0374 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2016 00:36:51 +0100 Subject: [PATCH 324/380] avcodec/mpeg12enc: Move high resolution thread check to before initializing threads Cleaner solution is welcome! Signed-off-by: Michael Niedermayer (cherry picked from commit a53fbda9dc92273054a103db7539d2bb6e9632b2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12enc.c | 3 --- libavcodec/pthread_slice.c | 6 ++++++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 5b8c4ecf33..ea3c7843b9 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -144,9 +144,6 @@ static av_cold int encode_init(AVCodecContext *avctx) { MpegEncContext *s = avctx->priv_data; - if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO && avctx->height > 2800) - avctx->thread_count = 1; - if (ff_mpv_encode_init(avctx) < 0) return -1; diff --git a/libavcodec/pthread_slice.c b/libavcodec/pthread_slice.c index c8e69f0a9a..f9fc8042fe 100644 --- a/libavcodec/pthread_slice.c +++ b/libavcodec/pthread_slice.c @@ -193,6 +193,12 @@ int ff_slice_thread_init(AVCodecContext *avctx) w32thread_init(); #endif + // We cannot do this in the encoder init as the threads are created before + if (av_codec_is_encoder(avctx->codec) && + avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO && + avctx->height > 2800) + thread_count = avctx->thread_count = 1; + if (!thread_count) { int nb_cpus = av_cpu_count(); if (avctx->height) From 974f9d255d28acfe8b482836e466135bc42a94d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2016 02:38:05 +0100 Subject: [PATCH 325/380] avcodec/wmaenc: Check ff_wma_init() for failure Fixes null pointer dereference Fixes: c4faf8280ba366bf00a79d425f2910a8/signal_sigsegv_1f96477_5177_1448ba7e4125faceb966f44ceb69abfa.qcp Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 19e456d48c90a1e3ceeb9e6241383384cc73dfdf) Signed-off-by: Michael Niedermayer --- libavcodec/wmaenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index b922acdee8..9361855939 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c @@ -32,6 +32,7 @@ static av_cold int encode_init(AVCodecContext *avctx) WMACodecContext *s = avctx->priv_data; int i, flags1, flags2, block_align; uint8_t *extradata; + int ret; s->avctx = avctx; @@ -82,7 +83,8 @@ static av_cold int encode_init(AVCodecContext *avctx) if (avctx->channels == 2) s->ms_stereo = 1; - ff_wma_init(avctx, flags2); + if ((ret = ff_wma_init(avctx, flags2)) < 0) + return ret; /* init MDCT */ for (i = 0; i < s->nb_block_sizes; i++) From 874945c7b93e841b0fd1a8c9b209fb7d12f8255c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 21:01:08 +0100 Subject: [PATCH 326/380] avformat/avformat: Replace some references to filenames by urls Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 41e07390e04cf369d84f0cc7ff5858c273290770) Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 4b270db7f3..35867a51e1 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -88,10 +88,10 @@ * cleanup. * * @section lavf_decoding_open Opening a media file - * The minimum information required to open a file is its URL or filename, which + * The minimum information required to open a file is its URL, which * is passed to avformat_open_input(), as in the following code: * @code - * const char *url = "in.mp3"; + * const char *url = "file:in.mp3"; * AVFormatContext *s = NULL; * int ret = avformat_open_input(&s, url, NULL, NULL); * if (ret < 0) @@ -2033,7 +2033,7 @@ AVInputFormat *av_probe_input_format3(AVProbeData *pd, int is_opened, int *score * * @param pb the bytestream to probe * @param fmt the input format is put here - * @param filename the filename of the stream + * @param url the url of the stream * @param logctx the log context * @param offset the offset within the bytestream to probe from * @param max_probe_size the maximum probe buffer size (zero for default) @@ -2042,14 +2042,14 @@ AVInputFormat *av_probe_input_format3(AVProbeData *pd, int is_opened, int *score * AVERROR code otherwise */ int av_probe_input_buffer2(AVIOContext *pb, AVInputFormat **fmt, - const char *filename, void *logctx, + const char *url, void *logctx, unsigned int offset, unsigned int max_probe_size); /** * Like av_probe_input_buffer2() but returns 0 on success */ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, - const char *filename, void *logctx, + const char *url, void *logctx, unsigned int offset, unsigned int max_probe_size); /** @@ -2060,7 +2060,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, * May be a pointer to NULL, in which case an AVFormatContext is allocated by this * function and written into ps. * Note that a user-supplied AVFormatContext will be freed on failure. - * @param filename Name of the stream to open. + * @param url URL of the stream to open. * @param fmt If non-NULL, this parameter forces a specific input format. * Otherwise the format is autodetected. * @param options A dictionary filled with AVFormatContext and demuxer-private options. @@ -2071,7 +2071,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, * * @note If you want to use custom IO, preallocate the format context and set its pb field. */ -int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputFormat *fmt, AVDictionary **options); +int avformat_open_input(AVFormatContext **ps, const char *url, AVInputFormat *fmt, AVDictionary **options); attribute_deprecated int av_demuxer_open(AVFormatContext *ic); From e229fbf5ce8400fde181758171c6ac911432ddfd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2016 15:39:43 +0100 Subject: [PATCH 327/380] avcodec/mpegvideo_enc: Check for integer overflow in ff_mpv_reallocate_putbitbuffer() Fixes assertion failure Fixes: 6568d187979ce17878b6fe5fbbb89142/signal_sigabrt_7ffff6ae7cb7_7176_564bbc6741bdcf907f5c4e685c9a77a2.mpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b65efbc0f4195421c15d2a6c228d331eec5b31c3) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index c4e448251e..b2112c142a 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -2740,6 +2740,11 @@ int ff_mpv_reallocate_putbitbuffer(MpegEncContext *s, size_t threshold, size_t s uint8_t *new_buffer = NULL; int new_buffer_size = 0; + if ((s->avctx->internal->byte_buffer_size + size_increase) >= INT_MAX/8) { + av_log(s->avctx, AV_LOG_ERROR, "Cannot reallocate putbit buffer\n"); + return AVERROR(ENOMEM); + } + av_fast_padded_malloc(&new_buffer, &new_buffer_size, s->avctx->internal->byte_buffer_size + size_increase); if (!new_buffer) From 965a8bda9422eb9fcb2940c0c9776c5af3f95d0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2016 21:01:47 +0100 Subject: [PATCH 328/380] avcodec/mjpegdec: Check for end for both bytes in unescaping Fixes assertion failure Fixes: c40c779601b77dc6e19aaea0b04b9751/signal_sigabrt_7ffff6ae7cb7_5769_b94f6ec70caecb2d3d76b4771b109ac1.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 509c9e74e548139285f30ed8dcc9baf1d64359fa) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 2e0a5683de..9d080e8c3b 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1961,7 +1961,7 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s, while (b < t) { uint8_t x = src[b++]; put_bits(&pb, 8, x); - if (x == 0xFF) { + if (x == 0xFF && b < t) { x = src[b++]; if (x & 0x80) { av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n"); From 3c7597f2e9c98fb4bcb62b0bd8262be36bbcd0b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 16:49:43 +0100 Subject: [PATCH 329/380] doc/demuxers: Document enable_drefs and use_absolute_path Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 9a8034b8bc1d1cd7a8889dc385d41744be47b159) Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 35a1561439..6f9effc8b0 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -369,6 +369,23 @@ ffmpeg -framerate 10 -pattern_type glob -i "*.png" out.mkv @end example @end itemize +@section mov/mp4/3gp/Quicktme + +Quicktime / MP4 demuxer. + +This demuxer accepts the following options: +@table @option +@item enable_drefs +Enable loading of external tracks, disabled by default. +Enabling this can theoretically leak information in some use cases. + +@item use_absolute_path +Allows loading of external tracks via absolute paths, disabled by default. +Enabling this poses a security risk. It should only be enabled if the source +is known to be non malicious. + +@end table + @section mpegts MPEG-2 transport stream demuxer. From 573a7b4c670681fa31607201dfe1aa81aee01440 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 11:10:27 +0100 Subject: [PATCH 330/380] avformat/concat: Check protocol prefix Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 8e32d014322eada1812af268d7ea9d53169d279c) Signed-off-by: Michael Niedermayer --- libavformat/concat.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/concat.c b/libavformat/concat.c index 81fe97082c..7bcc27905e 100644 --- a/libavformat/concat.c +++ b/libavformat/concat.c @@ -65,7 +65,10 @@ static av_cold int concat_open(URLContext *h, const char *uri, int flags) struct concat_data *data = h->priv_data; struct concat_nodes *nodes; - av_strstart(uri, "concat:", &uri); + if (!av_strstart(uri, "concat:", &uri)) { + av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); + return AVERROR(EINVAL); + } for (i = 0, len = 1; uri[i]; i++) { if (uri[i] == *AV_CAT_SEPARATOR) { From 197c0f618acff6a7e386fb867114f6af6e91adac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 15:25:32 +0100 Subject: [PATCH 331/380] avformat/libquvi: Set default demuxer and protocol limitations Signed-off-by: Michael Niedermayer (cherry picked from commit 15cc98a0f38ac45444d177186cfbf28e14bd5f1f) Signed-off-by: Michael Niedermayer --- libavformat/libquvi.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libavformat/libquvi.c b/libavformat/libquvi.c index 7151694542..1e5c8bc525 100644 --- a/libavformat/libquvi.c +++ b/libavformat/libquvi.c @@ -95,6 +95,20 @@ static int libquvi_read_header(AVFormatContext *s) goto err_quvi_cleanup; } + if (!qc->fmtctx->format_whitelist) { + qc->fmtctx->format_whitelist = av_strdup("avi,asf,flv,mov,mpeg,mpegts,aac,h264,hevc,mp3,ogg,matroska,mxf,mp2"); + if (!qc->fmtctx->format_whitelist) { + avformat_free_context(qc->fmtctx); + qc->fmtctx = NULL; + goto err_quvi_cleanup; + } + } + if (strncmp(media_url, "http:", 5) && strncmp(media_url, "https:", 6)) { + avformat_free_context(qc->fmtctx); + qc->fmtctx = NULL; + goto err_quvi_cleanup; + } + ret = avformat_open_input(&qc->fmtctx, media_url, NULL, NULL); if (ret < 0) goto err_quvi_cleanup; From 41f97fe378e3d2b79feaa1460e85865edafe08f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Jan 2016 00:35:46 +0100 Subject: [PATCH 332/380] avformat: Document urls a bit Spell-checked-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit 3130556c0eb09f3da3c9de6473a97937a4648d62) Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 35867a51e1..744bce2ff0 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -78,6 +78,18 @@ * if its AVClass is non-NULL, and the protocols layer. See the discussion on * nesting in @ref avoptions documentation to learn how to access those. * + * @section urls + * URL strings in libavformat are made of a scheme/protocol, a ':', and a + * scheme specific string. URLs without a scheme and ':' used for local files + * are supported but deprecated. "file:" should be used for local files. + * + * It is important that the scheme string is not taken from untrusted + * sources without checks. + * + * Note that some schemes/protocols are quite powerful, allowing access to + * both local and remote files, parts of them, concatenations of them, local + * audio and video devices and so on. + * * @defgroup lavf_decoding Demuxing * @{ * Demuxers read a media file and split it into chunks of data (@em packets). A From d8b37664d524251ac524c780c0f978fb48ce4b2d Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 24 Jan 2016 20:47:49 +0100 Subject: [PATCH 333/380] avcodec/flacenc: fix calculation of bits required in case of custom sample rate Sample rate of 11025 takes 16 bits but previous code would pick only 8. Fixes assertion failure. Reviewed-by: Rostislav Pehlivanov Signed-off-by: Paul B Mahol (cherry picked from commit 3e7d6849120d61bb354376d52786c26f20e20835) Signed-off-by: Michael Niedermayer --- libavcodec/flacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c index 29bd9999b5..35904ab8fd 100644 --- a/libavcodec/flacenc.c +++ b/libavcodec/flacenc.c @@ -1021,7 +1021,7 @@ static int count_frame_header(FlacEncodeContext *s) count += 16; /* explicit sample rate */ - count += ((s->sr_code[0] == 12) + (s->sr_code[0] > 12)) * 8; + count += ((s->sr_code[0] == 12) + (s->sr_code[0] > 12) * 2) * 8; /* frame header CRC-8 */ count += 8; From b54b8a628c8baa3f599048e4161e7b9bd6f45c85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Jan 2016 03:42:46 +0100 Subject: [PATCH 334/380] avutil/opt: check for and handle errors in av_opt_set_dict2() Previously errors could result in random entries to be lost. Signed-off-by: Michael Niedermayer (cherry picked from commit f3ace85d8869c3dddd2d28d064002d0d912e3624) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 62db1b50b7..41741b5536 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -1464,10 +1464,11 @@ int av_opt_set_dict2(void *obj, AVDictionary **options, int search_flags) while ((t = av_dict_get(*options, "", t, AV_DICT_IGNORE_SUFFIX))) { ret = av_opt_set(obj, t->key, t->value, search_flags); if (ret == AVERROR_OPTION_NOT_FOUND) - av_dict_set(&tmp, t->key, t->value, 0); - else if (ret < 0) { + ret = av_dict_set(&tmp, t->key, t->value, 0); + if (ret < 0) { av_log(obj, AV_LOG_ERROR, "Error setting option %s to value %s.\n", t->key, t->value); - break; + av_dict_free(&tmp); + return ret; } ret = 0; } From 12f256a729a8d9f1f1ae37dc14fb4437b935b133 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jan 2016 17:13:10 +0100 Subject: [PATCH 335/380] avcodec/jpeg2000dec: More completely check cdef Fixes out of array access Fixes: j2k-poc.bin Found-by: Lucas Leong Signed-off-by: Michael Niedermayer (cherry picked from commit 0aada30510d809bccfd539a90ea37b61188f2cb4) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 54006afaf7..9e6e1b5158 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1286,11 +1286,15 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, if (tile->codsty[0].mct) mct_decode(s, tile); - if (s->cdef[0] < 0) { - for (x = 0; x < s->ncomponents; x++) - s->cdef[x] = x + 1; - if ((s->ncomponents & 1) == 0) - s->cdef[s->ncomponents-1] = 0; + for (x = 0; x < s->ncomponents; x++) { + if (s->cdef[x] < 0) { + for (x = 0; x < s->ncomponents; x++) { + s->cdef[x] = x + 1; + } + if ((s->ncomponents & 1) == 0) + s->cdef[s->ncomponents-1] = 0; + break; + } } if (s->precision <= 8) { From bbea86d80922148598527018dc1e9488fdca73a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2016 00:42:09 +0100 Subject: [PATCH 336/380] Update for 2.7.6 Signed-off-by: Michael Niedermayer --- Changelog | 36 ++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 990a34807e..482f7cb15f 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,42 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.7.6 +- avcodec/jpeg2000dec: More completely check cdef +- avutil/opt: check for and handle errors in av_opt_set_dict2() +- avcodec/flacenc: fix calculation of bits required in case of custom sample rate +- avformat: Document urls a bit +- avformat/libquvi: Set default demuxer and protocol limitations +- avformat/concat: Check protocol prefix +- doc/demuxers: Document enable_drefs and use_absolute_path +- avcodec/mjpegdec: Check for end for both bytes in unescaping +- avcodec/mpegvideo_enc: Check for integer overflow in ff_mpv_reallocate_putbitbuffer() +- avformat/avformat: Replace some references to filenames by urls +- avcodec/wmaenc: Check ff_wma_init() for failure +- avcodec/mpeg12enc: Move high resolution thread check to before initializing threads +- avformat/img2dec: Use AVOpenCallback +- avformat/avio: Limit url option parsing to the documented cases +- avformat/img2dec: do not interpret the filename by default if a IO context has been opened +- avcodec/ass_split: Fix null pointer dereference in ff_ass_style_get() +- mov: Add an option to toggle dref opening +- avcodec/gif: Fix lzw buffer size +- avcodec/put_bits: Assert buf_ptr in flush_put_bits() +- avcodec/tiff: Check subsample & rps values more completely +- swscale/swscale: Add some sanity checks for srcSlice* parameters +- swscale/x86/rgb2rgb_template: Fix planar2x() for short width +- swscale/swscale_unscaled: Fix odd height inputs for bayer_to_yv12_wrapper() +- swscale/swscale_unscaled: Fix odd height inputs for bayer_to_rgb24_wrapper() +- avcodec/aacenc: Check both channels for finiteness +- swscale/swscale-test: Fix slice height in random reference data creation. +- dca: fix misaligned access in avpriv_dca_convert_bitstream +- brstm: fix missing closing brace +- brstm: also allocate b->table in read_packet +- brstm: make sure an ADPC chunk was read for adpcm_thp +- vorbisdec: reject rangebits 0 with non-0 partitions +- vorbisdec: reject channel mapping with less than two channels +- ffmdec: reset packet_end in case of failure +- avformat/ipmovie: put video decoding_map_size into packet and use it in decoder + version 2.7.5 - configure: bump copyright year to 2016 - avformat/hls: Even stricter URL checks diff --git a/RELEASE b/RELEASE index a603bb50a2..49cdd668e1 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.7.5 +2.7.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 1b8e500b1d..32099c4aa4 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.7.5 +PROJECT_NUMBER = 2.7.6 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From d2b2c66b17a20dc3cad6a979aaf950bedc9824f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2016 00:43:51 +0100 Subject: [PATCH 337/380] MAINTAINERS: remove unmaintained releases Signed-off-by: Michael Niedermayer --- MAINTAINERS | 2 -- 1 file changed, 2 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index b70f24fca2..d65b74956c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -547,8 +547,6 @@ Releases 2.7 Michael Niedermayer 2.6 Michael Niedermayer 2.5 Michael Niedermayer -2.4 Michael Niedermayer -2.2 Michael Niedermayer If you want to maintain an older release, please contact us From 4ecb216ad447f1d9ac42505e8a23ca8753a40a9c Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 2 Mar 2016 11:20:07 +0100 Subject: [PATCH 338/380] doc/utils: fix typo for min() description Signed-off-by: Paul B Mahol (cherry picked from commit bdf474bcff29f5b40fe14f6fa1dbe10e69c73ab7) Signed-off-by: Timothy Gu --- doc/utils.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/utils.texi b/doc/utils.texi index 6517ac0a97..2f1906afeb 100644 --- a/doc/utils.texi +++ b/doc/utils.texi @@ -861,7 +861,7 @@ Return 1 if @var{x} is lesser than or equal to @var{y}, 0 otherwise. Return the maximum between @var{x} and @var{y}. @item min(x, y) -Return the maximum between @var{x} and @var{y}. +Return the minimum between @var{x} and @var{y}. @item mod(x, y) Compute the remainder of division of @var{x} by @var{y}. From c5e12dc10de83c70ce1ba88628c3691eb920ce53 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 17 Mar 2016 00:50:08 -0300 Subject: [PATCH 339/380] libwebpenc_animencoder: zero initialize the WebPAnimEncoderOptions struct This zeroes the WebPAnimEncoderOptions.verbose field, silencing library info messages printed to stderr. Reviewed-by: James Zern Signed-off-by: James Almer (cherry picked from commit 626b6b769ced6d3e55d2661985ab2a1cb89f481e) --- libavcodec/libwebpenc_animencoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libwebpenc_animencoder.c b/libavcodec/libwebpenc_animencoder.c index e9582016d3..7c1ac66b25 100644 --- a/libavcodec/libwebpenc_animencoder.c +++ b/libavcodec/libwebpenc_animencoder.c @@ -41,7 +41,7 @@ static av_cold int libwebp_anim_encode_init(AVCodecContext *avctx) int ret = ff_libwebp_encode_init_common(avctx); if (!ret) { LibWebPAnimContext *s = avctx->priv_data; - WebPAnimEncoderOptions enc_options; + WebPAnimEncoderOptions enc_options = { 0 }; WebPAnimEncoderOptionsInit(&enc_options); // TODO(urvang): Expose some options on command-line perhaps. s->enc = WebPAnimEncoderNew(avctx->width, avctx->height, &enc_options); From d2161b8a6daf0d519eb9ff9fd85d49bc95335441 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 17 Mar 2016 01:01:02 -0300 Subject: [PATCH 340/380] libwebpenc_animencoder: print library messages in verbose log levels Reviewed-by: James Zern Signed-off-by: James Almer (cherry picked from commit f875ba48739f59691661393eed1f7cc2371c93f1) --- libavcodec/libwebpenc_animencoder.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/libwebpenc_animencoder.c b/libavcodec/libwebpenc_animencoder.c index 7c1ac66b25..7a82ee62bf 100644 --- a/libavcodec/libwebpenc_animencoder.c +++ b/libavcodec/libwebpenc_animencoder.c @@ -43,6 +43,7 @@ static av_cold int libwebp_anim_encode_init(AVCodecContext *avctx) LibWebPAnimContext *s = avctx->priv_data; WebPAnimEncoderOptions enc_options = { 0 }; WebPAnimEncoderOptionsInit(&enc_options); + enc_options.verbose = av_log_get_level() >= AV_LOG_VERBOSE; // TODO(urvang): Expose some options on command-line perhaps. s->enc = WebPAnimEncoderNew(avctx->width, avctx->height, &enc_options); if (!s->enc) From 46e791a9b35f2479058fe02a3d3a0d84edc05e46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Feb 2016 20:57:26 +0100 Subject: [PATCH 341/380] avutil/frame: Free destination qp_table_buf in frame_copy_props() Fixes memleak Fixes: Ticket4899 Signed-off-by: Michael Niedermayer (cherry picked from commit 4099e4a77d2d49e2308415d92766ad1511f62f9a) Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/frame.c b/libavutil/frame.c index 4596927f97..e6d1a21f56 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -348,6 +348,7 @@ static int frame_copy_props(AVFrame *dst, const AVFrame *src, int force_copy) dst->qscale_table = NULL; dst->qstride = 0; dst->qscale_type = 0; + av_buffer_unref(&dst->qp_table_buf); if (src->qp_table_buf) { dst->qp_table_buf = av_buffer_ref(src->qp_table_buf); if (dst->qp_table_buf) { From 010fd5deb6cae8bcfb6c774a086f8c139d0906bf Mon Sep 17 00:00:00 2001 From: KO Myung-Hun Date: Mon, 15 Feb 2016 13:16:23 +0900 Subject: [PATCH 342/380] MAINTAINERS: add myself as an OS/2 maintainer Signed-off-by: Michael Niedermayer (cherry picked from commit 346ec917646c18fc9e26bddf04bfa8f8f1e2e18f) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index d65b74956c..acc4f9e6b7 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -539,6 +539,7 @@ Windows ICL Matthew Oliver ADI/Blackfin DSP Marc Hoffman Sparc Roman Shaposhnik x86 Michael Niedermayer +OS/2 KO Myung-Hun Releases From 34e76d75a0f085ad37c2f9b283247b75a17e11d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Feb 2016 04:15:29 +0100 Subject: [PATCH 343/380] swscale/x86/output: Move code into yuv2planeX_mainloop Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit d07f6e5f1c36be675e0900edba3e40a32f05f0f4) Signed-off-by: Michael Niedermayer --- libswscale/x86/output.asm | 141 +++++++++++++++++++------------------- 1 file changed, 72 insertions(+), 69 deletions(-) diff --git a/libswscale/x86/output.asm b/libswscale/x86/output.asm index 9ea4af9535..9570969cea 100644 --- a/libswscale/x86/output.asm +++ b/libswscale/x86/output.asm @@ -54,75 +54,7 @@ SECTION .text ; int32_t if $output_size is 16. $filter is 12-bits. $filterSize is a multiple ; of 2. $offset is either 0 or 3. $dither holds 8 values. ;----------------------------------------------------------------------------- - -%macro yuv2planeX_fn 3 - -%if ARCH_X86_32 -%define cntr_reg fltsizeq -%define movsx mov -%else -%define cntr_reg r7 -%define movsx movsxd -%endif - -cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset -%if %1 == 8 || %1 == 9 || %1 == 10 - pxor m6, m6 -%endif ; %1 == 8/9/10 - -%if %1 == 8 -%if ARCH_X86_32 -%assign pad 0x2c - (stack_offset & 15) - SUB rsp, pad -%define m_dith m7 -%else ; x86-64 -%define m_dith m9 -%endif ; x86-32 - - ; create registers holding dither - movq m_dith, [ditherq] ; dither - test offsetd, offsetd - jz .no_rot -%if mmsize == 16 - punpcklqdq m_dith, m_dith -%endif ; mmsize == 16 - PALIGNR m_dith, m_dith, 3, m0 -.no_rot: -%if mmsize == 16 - punpcklbw m_dith, m6 -%if ARCH_X86_64 - punpcklwd m8, m_dith, m6 - pslld m8, 12 -%else ; x86-32 - punpcklwd m5, m_dith, m6 - pslld m5, 12 -%endif ; x86-32/64 - punpckhwd m_dith, m6 - pslld m_dith, 12 -%if ARCH_X86_32 - mova [rsp+ 0], m5 - mova [rsp+16], m_dith -%endif -%else ; mmsize == 8 - punpcklbw m5, m_dith, m6 - punpckhbw m_dith, m6 - punpcklwd m4, m5, m6 - punpckhwd m5, m6 - punpcklwd m3, m_dith, m6 - punpckhwd m_dith, m6 - pslld m4, 12 - pslld m5, 12 - pslld m3, 12 - pslld m_dith, 12 - mova [rsp+ 0], m4 - mova [rsp+ 8], m5 - mova [rsp+16], m3 - mova [rsp+24], m_dith -%endif ; mmsize == 8/16 -%endif ; %1 == 8 - - xor r5, r5 - +%macro yuv2planeX_mainloop 1 .pixelloop: %assign %%i 0 ; the rep here is for the 8bit output mmx case, where dither covers @@ -233,6 +165,77 @@ cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset %assign %%i %%i+2 %endrep jg .pixelloop +%endmacro + +%macro yuv2planeX_fn 3 + +%if ARCH_X86_32 +%define cntr_reg fltsizeq +%define movsx mov +%else +%define cntr_reg r7 +%define movsx movsxd +%endif + +cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset +%if %1 == 8 || %1 == 9 || %1 == 10 + pxor m6, m6 +%endif ; %1 == 8/9/10 + +%if %1 == 8 +%if ARCH_X86_32 +%assign pad 0x2c - (stack_offset & 15) + SUB rsp, pad +%define m_dith m7 +%else ; x86-64 +%define m_dith m9 +%endif ; x86-32 + + ; create registers holding dither + movq m_dith, [ditherq] ; dither + test offsetd, offsetd + jz .no_rot +%if mmsize == 16 + punpcklqdq m_dith, m_dith +%endif ; mmsize == 16 + PALIGNR m_dith, m_dith, 3, m0 +.no_rot: +%if mmsize == 16 + punpcklbw m_dith, m6 +%if ARCH_X86_64 + punpcklwd m8, m_dith, m6 + pslld m8, 12 +%else ; x86-32 + punpcklwd m5, m_dith, m6 + pslld m5, 12 +%endif ; x86-32/64 + punpckhwd m_dith, m6 + pslld m_dith, 12 +%if ARCH_X86_32 + mova [rsp+ 0], m5 + mova [rsp+16], m_dith +%endif +%else ; mmsize == 8 + punpcklbw m5, m_dith, m6 + punpckhbw m_dith, m6 + punpcklwd m4, m5, m6 + punpckhwd m5, m6 + punpcklwd m3, m_dith, m6 + punpckhwd m_dith, m6 + pslld m4, 12 + pslld m5, 12 + pslld m3, 12 + pslld m_dith, 12 + mova [rsp+ 0], m4 + mova [rsp+ 8], m5 + mova [rsp+16], m3 + mova [rsp+24], m_dith +%endif ; mmsize == 8/16 +%endif ; %1 == 8 + + xor r5, r5 + +yuv2planeX_mainloop %1 %if %1 == 8 %if ARCH_X86_32 From 13b75ba30a221987f25b9a5463e7eedb72a58075 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Feb 2016 00:14:56 +0100 Subject: [PATCH 344/380] swscale/x86/output: Fix yuv2planeX_16* with unaligned destination Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit f6492a2ea8df80be0ed9591aee4019cef0e36e99) Signed-off-by: Michael Niedermayer --- libswscale/x86/output.asm | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/libswscale/x86/output.asm b/libswscale/x86/output.asm index 9570969cea..133817cb71 100644 --- a/libswscale/x86/output.asm +++ b/libswscale/x86/output.asm @@ -54,8 +54,8 @@ SECTION .text ; int32_t if $output_size is 16. $filter is 12-bits. $filterSize is a multiple ; of 2. $offset is either 0 or 3. $dither holds 8 values. ;----------------------------------------------------------------------------- -%macro yuv2planeX_mainloop 1 -.pixelloop: +%macro yuv2planeX_mainloop 2 +.pixelloop_%2: %assign %%i 0 ; the rep here is for the 8bit output mmx case, where dither covers ; 8 pixels but we can only handle 2 pixels per register, and thus 4 @@ -82,7 +82,7 @@ SECTION .text mova m2, m1 %endif ; %1 == 8/9/10/16 movsx cntr_reg, fltsizem -.filterloop_ %+ %%i: +.filterloop_%2_ %+ %%i: ; input pixels mov r6, [srcq+gprsize*cntr_reg-2*gprsize] %if %1 == 16 @@ -129,7 +129,7 @@ SECTION .text %endif ; %1 == 8/9/10/16 sub cntr_reg, 2 - jg .filterloop_ %+ %%i + jg .filterloop_%2_ %+ %%i %if %1 == 16 psrad m2, 31 - %1 @@ -156,7 +156,7 @@ SECTION .text %endif ; mmxext/sse2/sse4/avx pminsw m2, [yuv2yuvX_%1_upper] %endif ; %1 == 9/10/16 - mova [dstq+r5*2], m2 + mov%2 [dstq+r5*2], m2 %endif ; %1 == 8/9/10/16 add r5, mmsize/2 @@ -164,7 +164,7 @@ SECTION .text %assign %%i %%i+2 %endrep - jg .pixelloop + jg .pixelloop_%2 %endmacro %macro yuv2planeX_fn 3 @@ -235,7 +235,16 @@ cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset xor r5, r5 -yuv2planeX_mainloop %1 +%if mmsize == 8 || %1 == 8 + yuv2planeX_mainloop %1, a +%else ; mmsize == 16 + test dstq, 15 + jnz .unaligned + yuv2planeX_mainloop %1, a + REP_RET +.unaligned: + yuv2planeX_mainloop %1, u +%endif ; mmsize == 8/16 %if %1 == 8 %if ARCH_X86_32 From 8dce138510b917bcbabd1bfbd356cb929498a353 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Feb 2016 01:31:16 +0100 Subject: [PATCH 345/380] avcodec/h264: Execute error concealment before marking the frame as done. Fixes race condition causing artifacts Fixes Ticket4122 Signed-off-by: Michael Niedermayer (cherry picked from commit 98a0053d0f90e3309dc1038b1bae3a48bbd9067c) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 41 +++++++++++++++++++++++++++++++++++++++ libavcodec/h264_picture.c | 41 --------------------------------------- 2 files changed, 41 insertions(+), 41 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 9a002142cc..1f5f4a0b20 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1642,6 +1642,47 @@ again: ret = 0; end: + +#if CONFIG_ERROR_RESILIENCE + sl = h->slice_ctx; + /* + * FIXME: Error handling code does not seem to support interlaced + * when slices span multiple rows + * The ff_er_add_slice calls don't work right for bottom + * fields; they cause massive erroneous error concealing + * Error marking covers both fields (top and bottom). + * This causes a mismatched s->error_count + * and a bad error table. Further, the error count goes to + * INT_MAX when called for bottom field, because mb_y is + * past end by one (callers fault) and resync_mb_y != 0 + * causes problems for the first MB line, too. + */ + if (!FIELD_PICTURE(h) && h->current_slice && !h->sps.new && h->enable_er) { + int use_last_pic = h->last_pic_for_ec.f->buf[0] && !sl->ref_count[0]; + + ff_h264_set_erpic(&sl->er.cur_pic, h->cur_pic_ptr); + + if (use_last_pic) { + ff_h264_set_erpic(&sl->er.last_pic, &h->last_pic_for_ec); + sl->ref_list[0][0].parent = &h->last_pic_for_ec; + memcpy(sl->ref_list[0][0].data, h->last_pic_for_ec.f->data, sizeof(sl->ref_list[0][0].data)); + memcpy(sl->ref_list[0][0].linesize, h->last_pic_for_ec.f->linesize, sizeof(sl->ref_list[0][0].linesize)); + sl->ref_list[0][0].reference = h->last_pic_for_ec.reference; + } else if (sl->ref_count[0]) { + ff_h264_set_erpic(&sl->er.last_pic, sl->ref_list[0][0].parent); + } else + ff_h264_set_erpic(&sl->er.last_pic, NULL); + + if (sl->ref_count[1]) + ff_h264_set_erpic(&sl->er.next_pic, sl->ref_list[1][0].parent); + + sl->er.ref_count = sl->ref_count[0]; + + ff_er_frame_end(&sl->er); + if (use_last_pic) + memset(&sl->ref_list[0][0], 0, sizeof(sl->ref_list[0][0])); + } +#endif /* CONFIG_ERROR_RESILIENCE */ /* clean up */ if (h->cur_pic_ptr && !h->droppable) { ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, diff --git a/libavcodec/h264_picture.c b/libavcodec/h264_picture.c index bf1471de51..0ac5400d13 100644 --- a/libavcodec/h264_picture.c +++ b/libavcodec/h264_picture.c @@ -181,47 +181,6 @@ int ff_h264_field_end(H264Context *h, H264SliceContext *sl, int in_setup) h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU) ff_vdpau_h264_picture_complete(h); -#if CONFIG_ERROR_RESILIENCE - av_assert0(sl == h->slice_ctx); - /* - * FIXME: Error handling code does not seem to support interlaced - * when slices span multiple rows - * The ff_er_add_slice calls don't work right for bottom - * fields; they cause massive erroneous error concealing - * Error marking covers both fields (top and bottom). - * This causes a mismatched s->error_count - * and a bad error table. Further, the error count goes to - * INT_MAX when called for bottom field, because mb_y is - * past end by one (callers fault) and resync_mb_y != 0 - * causes problems for the first MB line, too. - */ - if (!FIELD_PICTURE(h) && h->current_slice && !h->sps.new && h->enable_er) { - int use_last_pic = h->last_pic_for_ec.f->buf[0] && !sl->ref_count[0]; - - ff_h264_set_erpic(&sl->er.cur_pic, h->cur_pic_ptr); - - if (use_last_pic) { - ff_h264_set_erpic(&sl->er.last_pic, &h->last_pic_for_ec); - sl->ref_list[0][0].parent = &h->last_pic_for_ec; - memcpy(sl->ref_list[0][0].data, h->last_pic_for_ec.f->data, sizeof(sl->ref_list[0][0].data)); - memcpy(sl->ref_list[0][0].linesize, h->last_pic_for_ec.f->linesize, sizeof(sl->ref_list[0][0].linesize)); - sl->ref_list[0][0].reference = h->last_pic_for_ec.reference; - } else if (sl->ref_count[0]) { - ff_h264_set_erpic(&sl->er.last_pic, sl->ref_list[0][0].parent); - } else - ff_h264_set_erpic(&sl->er.last_pic, NULL); - - if (sl->ref_count[1]) - ff_h264_set_erpic(&sl->er.next_pic, sl->ref_list[1][0].parent); - - sl->er.ref_count = sl->ref_count[0]; - - ff_er_frame_end(&sl->er); - if (use_last_pic) - memset(&sl->ref_list[0][0], 0, sizeof(sl->ref_list[0][0])); - } -#endif /* CONFIG_ERROR_RESILIENCE */ - if (!in_setup && !h->droppable) ff_thread_report_progress(&h->cur_pic_ptr->tf, INT_MAX, h->picture_structure == PICT_BOTTOM_FIELD); From b8148973c59b717e9eff92e55825698a660da972 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Feb 2016 03:31:34 +0100 Subject: [PATCH 346/380] avutil/pixdesc: Make get_color_type() aware of CIE XYZ formats Signed-off-by: Michael Niedermayer (cherry picked from commit 1ec7a703806049265991723a8826bd61555edef4) Signed-off-by: Michael Niedermayer --- libavutil/pixdesc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c index 32dc4b80ab..29913fdcea 100644 --- a/libavutil/pixdesc.c +++ b/libavutil/pixdesc.c @@ -2208,6 +2208,7 @@ enum AVPixelFormat av_pix_fmt_swap_endianness(enum AVPixelFormat pix_fmt) #define FF_COLOR_GRAY 1 /**< gray color space */ #define FF_COLOR_YUV 2 /**< YUV color space. 16 <= Y <= 235, 16 <= U, V <= 240 */ #define FF_COLOR_YUV_JPEG 3 /**< YUV color space. 0 <= Y <= 255, 0 <= U, V <= 255 */ +#define FF_COLOR_XYZ 4 #define pixdesc_has_alpha(pixdesc) \ ((pixdesc)->nb_components == 2 || (pixdesc)->nb_components == 4 || (pixdesc)->flags & AV_PIX_FMT_FLAG_PAL) @@ -2223,6 +2224,9 @@ static int get_color_type(const AVPixFmtDescriptor *desc) { if(desc->name && !strncmp(desc->name, "yuvj", 4)) return FF_COLOR_YUV_JPEG; + if(desc->name && !strncmp(desc->name, "xyz", 3)) + return FF_COLOR_XYZ; + if(desc->flags & AV_PIX_FMT_FLAG_RGB) return FF_COLOR_RGB; From c7b34fa7335562211cfe1702b6e4e44c66674695 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 23 Feb 2016 15:50:28 +0100 Subject: [PATCH 347/380] postproc: fix unaligned access Based on 59074310 by Andreas Cadhalpun. Fixes ticket #5259. (cherry picked from commit 2aa21eec1adcb3737be59f0eab7081c5a790faa9) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 3b86f93980..1dc719cf93 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -973,7 +973,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], int i; const int count= FFMAX(mbHeight * absQPStride, mbWidth); for(i=0; i<(count>>2); i++){ - ((uint32_t*)c->stdQPTable)[i] = (((const uint32_t*)QP_store)[i]>>1) & 0x7F7F7F7F; + AV_WN32(c->stdQPTable + (i<<2), AV_RN32(QP_store + (i<<2)) >> 1 & 0x7F7F7F7F); } for(i<<=2; istdQPTable[i] = QP_store[i]>>1; From 19257891d176b9862f30d0b300a9cec73141c99b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Feb 2016 23:14:03 +0100 Subject: [PATCH 348/380] swscale/input: Fix GBRAP16 input Fixes part of Ticket5264 Signed-off-by: Michael Niedermayer (cherry picked from commit df36257a53561a51af969a6ea6319dd2579509b9) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libswscale/input.c b/libswscale/input.c index 1f04fc2752..3c4e0cd841 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -818,6 +818,19 @@ static av_always_inline void planar_rgb16_to_y(uint8_t *_dst, const uint8_t *_sr } } +static av_always_inline void planar_rgb16_to_a(uint8_t *_dst, const uint8_t *_src[4], + int width, int bpc, int is_be, int32_t *rgb2yuv) +{ + int i; + const uint16_t **src = (const uint16_t **)_src; + uint16_t *dst = (uint16_t *)_dst; + int shift = bpc < 16 ? bpc : 14; + + for (i = 0; i < width; i++) { + dst[i] = rdpx(src[3] + i) << (14 - shift); + } +} + static av_always_inline void planar_rgb16_to_uv(uint8_t *_dstU, uint8_t *_dstV, const uint8_t *_src[4], int width, int bpc, int is_be, int32_t *rgb2yuv) @@ -846,6 +859,11 @@ static void planar_rgb##nbits##endian_name##_to_y(uint8_t *dst, const uint8_t *s { \ planar_rgb16_to_y(dst, src, w, nbits, endian, rgb2yuv); \ } \ +static void planar_rgb##nbits##endian_name##_to_a(uint8_t *dst, const uint8_t *src[4], \ + int w, int32_t *rgb2yuv) \ +{ \ + planar_rgb16_to_a(dst, src, w, nbits, endian, rgb2yuv); \ +} \ static void planar_rgb##nbits##endian_name##_to_uv(uint8_t *dstU, uint8_t *dstV, \ const uint8_t *src[4], int w, int32_t *rgb2yuv) \ { \ @@ -1172,6 +1190,7 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) c->readLumPlanar = planar_rgb14le_to_y; break; case AV_PIX_FMT_GBRAP16LE: + c->readAlpPlanar = planar_rgb16le_to_a; case AV_PIX_FMT_GBRP16LE: c->readLumPlanar = planar_rgb16le_to_y; break; @@ -1188,6 +1207,7 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) c->readLumPlanar = planar_rgb14be_to_y; break; case AV_PIX_FMT_GBRAP16BE: + c->readAlpPlanar = planar_rgb16be_to_a; case AV_PIX_FMT_GBRP16BE: c->readLumPlanar = planar_rgb16be_to_y; break; From 751e525757512ca65d0b98b4f0ae57b1a489ee8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Feb 2016 23:48:11 +0100 Subject: [PATCH 349/380] swscale/utils: Fix chrSrcHSubSample for GBRAP16 Fixes part of Ticket5264 Signed-off-by: Michael Niedermayer (cherry picked from commit 67e5bd0c501f7568fc8d93284d0f7eb40663ab06) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 8dcc116147..644ef74709 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1213,6 +1213,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, srcFormat != AV_PIX_FMT_GBRP12BE && srcFormat != AV_PIX_FMT_GBRP12LE && srcFormat != AV_PIX_FMT_GBRP14BE && srcFormat != AV_PIX_FMT_GBRP14LE && srcFormat != AV_PIX_FMT_GBRP16BE && srcFormat != AV_PIX_FMT_GBRP16LE && + srcFormat != AV_PIX_FMT_GBRAP16BE && srcFormat != AV_PIX_FMT_GBRAP16LE && ((dstW >> c->chrDstHSubSample) <= (srcW >> 1) || (flags & SWS_FAST_BILINEAR))) c->chrSrcHSubSample = 1; From c6950985cb91ba42a920fbd6d7ae6a9591c29728 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Feb 2016 15:48:28 +0100 Subject: [PATCH 350/380] avcodec/avpacket: clear priv in av_init_packet() This should fix leaving uninitialized pointers in priv which can confuse user applications. See: https://github.com/golang/go/issues/14426 Only or release branches Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer --- libavcodec/avpacket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index aae67c5a00..b73cf212aa 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -58,6 +58,7 @@ void av_init_packet(AVPacket *pkt) #if FF_API_DESTRUCT_PACKET FF_DISABLE_DEPRECATION_WARNINGS pkt->destruct = NULL; + pkt->priv = NULL; FF_ENABLE_DEPRECATION_WARNINGS #endif pkt->buf = NULL; From 6fe1f5646e12c53794ccf69f05a32664074be93a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Feb 2016 18:10:23 +0100 Subject: [PATCH 351/380] avcodec/mjpegdec: Fix decoding slightly odd progressive jpeg Fixes: ebd58db6-dc86-11e5-91c2-59daeddf50c7.jpg Signed-off-by: Michael Niedermayer (cherry picked from commit c6f4720b8664e6e22eb5b3da6bb48ed5b113f746) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 9d080e8c3b..1daa6a4d18 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1376,12 +1376,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, return AVERROR_INVALIDDATA; } - if (!Al) { - // s->coefs_finished is a bitmask for coefficients coded - // ss and se are parameters telling start and end coefficients - s->coefs_finished[c] |= (2ULL << se) - (1ULL << ss); - last_scan = !~s->coefs_finished[c]; - } + // s->coefs_finished is a bitmask for coefficients coded + // ss and se are parameters telling start and end coefficients + s->coefs_finished[c] |= (2ULL << se) - (1ULL << ss); + last_scan = !Al && !~s->coefs_finished[c]; if (s->interlaced && s->bottom_field) data += linesize >> 1; From 46e4028e6949e13c6d6403c4a23de61884e0ace7 Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Thu, 18 Feb 2016 12:57:37 -0600 Subject: [PATCH 352/380] lavf/mov: fix sidx with edit lists (cherry picked from commit 3617e69d50dd9dd07b5011dfb9477a9d1a630354) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1f122b4799..2d37d49bb7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3321,7 +3321,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) } av_log(c->fc, AV_LOG_DEBUG, "calculated into dts %"PRId64"\n", dts); } else { - dts = frag->time; + dts = frag->time - sc->time_offset; av_log(c->fc, AV_LOG_DEBUG, "found frag time %"PRId64 ", using it for dts\n", dts); } From dc92c6045f94a56fcf9bdee5225749809b444a7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Mar 2016 14:09:23 +0100 Subject: [PATCH 353/380] avformat/cache: Fix memleak of tree entries Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit 554f6e930ce05a4c5449efcaae36bdafe2d9de74) Signed-off-by: Michael Niedermayer --- libavformat/cache.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/cache.c b/libavformat/cache.c index d3d12bb4d5..7cb6c22b36 100644 --- a/libavformat/cache.c +++ b/libavformat/cache.c @@ -282,6 +282,12 @@ resolve_eof: return ret; } +static int enu_free(void *opaque, void *elem) +{ + av_free(elem); + return 0; +} + static int cache_close(URLContext *h) { Context *c= h->priv_data; @@ -291,6 +297,7 @@ static int cache_close(URLContext *h) close(c->fd); ffurl_close(c->inner); + av_tree_enumerate(c->root, NULL, NULL, enu_free); av_tree_destroy(c->root); return 0; From f00f588a6ed4ad855756f9abf3c67e55ec7cdbc0 Mon Sep 17 00:00:00 2001 From: Boris Nagels Date: Sun, 6 Mar 2016 16:31:36 +0100 Subject: [PATCH 354/380] avformat/rtpenc: Fix integer overflow in NTP_TO_RTP_FORMAT RTCP synchronization packet was broken since commit in ffmpeg version > 2.8.3 (commit: e04b039b1528f4c7df5c2b93865651bfea168a19) Since this commit (2e814d0329aded98c811d0502839618f08642685) "rtpenc: Simplify code by introducing a macro for rescaling NTP timestamps", NTP_TO_RTP_FORMAT uses av_rescale_rnd() function to add the data to the packet. This causes an overflow in the av_rescale_rnd() function and it will return INT64_MIN. Causing the NTP stamp in the RTCP packet to have an invalid value. Github: Closes #182 Reverting commit '2e814d0329aded98c811d0502839618f08642685' solves the problem. (cherry picked from commit 1109ed7973c7fd1e7001898adc4976590d862122) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rtpenc.c b/libavformat/rtpenc.c index 31569d60b7..00b69f5765 100644 --- a/libavformat/rtpenc.c +++ b/libavformat/rtpenc.c @@ -271,7 +271,8 @@ static void rtcp_send_sr(AVFormatContext *s1, int64_t ntp_time, int bye) avio_w8(s1->pb, RTCP_SR); avio_wb16(s1->pb, 6); /* length in words - 1 */ avio_wb32(s1->pb, s->ssrc); - avio_wb64(s1->pb, NTP_TO_RTP_FORMAT(ntp_time)); + avio_wb32(s1->pb, ntp_time / 1000000); + avio_wb32(s1->pb, ((ntp_time % 1000000) << 32) / 1000000); avio_wb32(s1->pb, rtp_ts); avio_wb32(s1->pb, s->packet_count); avio_wb32(s1->pb, s->octet_count); From 7b1803a427f967828e103beb260aa2a9ed1989f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Mar 2016 02:42:10 +0100 Subject: [PATCH 355/380] avformat/utils: fix dts from pts code in compute_pkt_fields() during ascending delay Signed-off-by: Michael Niedermayer (cherry picked from commit de1de4932419d0fb49c9c23f62e68cdbe90d0ee3) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++-- tests/ref/fate/mkv | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index d5e65814ef..7cbd4663aa 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1143,12 +1143,13 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, } } - if (pkt->pts != AV_NOPTS_VALUE && delay <= MAX_REORDER_DELAY && has_decode_delay_been_guessed(st)) { + if (pkt->pts != AV_NOPTS_VALUE && delay <= MAX_REORDER_DELAY) { st->pts_buffer[0] = pkt->pts; for (i = 0; ipts_buffer[i] > st->pts_buffer[i + 1]; i++) FFSWAP(int64_t, st->pts_buffer[i], st->pts_buffer[i + 1]); - pkt->dts = select_from_pts_buffer(st, st->pts_buffer, pkt->dts); + if(has_decode_delay_been_guessed(st)) + pkt->dts = select_from_pts_buffer(st, st->pts_buffer, pkt->dts); } // We skipped it above so we try here. if (!onein_oneout) diff --git a/tests/ref/fate/mkv b/tests/ref/fate/mkv index aea378a881..765798cbfe 100644 --- a/tests/ref/fate/mkv +++ b/tests/ref/fate/mkv @@ -25,9 +25,9 @@ 1, 264, 264, 21, 609, 0xc0dc255c 1, 285, 285, 21, 619, 0x9ac52dd1 0, 292, 292, 41, 16751, 0xf293ab46, F=0x0 -0, 292, 417, 41, 22029, 0x3696462b, F=0x0 1, 306, 306, 21, 574, 0xf6410d4d 1, 327, 327, 22, 565, 0xfd561191 +0, 334, 417, 41, 22029, 0x3696462b, F=0x0 1, 350, 350, 21, 713, 0x48425147 1, 371, 371, 21, 537, 0x09bbf515 0, 375, 375, 41, 5044, 0xa0344ae6, F=0x0 From 72b224e3f67a3c2f9cb8954a92e0bc3450ac3634 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jan 2016 22:13:14 +0100 Subject: [PATCH 356/380] avformat/concatdec: set safe mode to enabled instead of auto This is safer, as a selected demuxer could still mean that it was auto-detected by a user application Reviewed-previously-by: Nicolas George Reviewed-previously-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 689211d5727231c3fe92762d224dbadebdbf4e30) Conflicts: libavformat/concatdec.c --- doc/demuxers.texi | 6 ++++-- libavformat/concatdec.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 6f9effc8b0..45949db26d 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -98,7 +98,7 @@ All subsequent file-related directives apply to that file. @item @code{ffconcat version 1.0} Identify the script type and version. It also sets the @option{safe} option -to 1 if it was to its default -1. +to 1 if it was -1. To make FFmpeg recognize the format automatically, this directive must appears exactly as is (no extra space or byte-order-mark) on the very first @@ -145,7 +145,9 @@ component. If set to 0, any file name is accepted. -The default is -1, it is equivalent to 1 if the format was automatically +The default is 1. + +-1 is equivalent to 1 if the format was automatically probed and 0 otherwise. @item auto_convert diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 07db9f96a3..0b14347b0f 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -625,7 +625,7 @@ static int concat_seek(AVFormatContext *avf, int stream, static const AVOption options[] = { { "safe", "enable safe mode", - OFFSET(safe), AV_OPT_TYPE_INT, {.i64 = -1}, -1, 1, DEC }, + OFFSET(safe), AV_OPT_TYPE_INT, {.i64 = 1}, -1, 1, DEC }, { "auto_convert", "automatically convert bitstream format", OFFSET(auto_convert), AV_OPT_TYPE_INT, {.i64 = 1}, 0, 1, DEC }, { NULL } From 2a73404558d4f8ac116e7dfe149403e82bc4f6d5 Mon Sep 17 00:00:00 2001 From: Martin Cracauer Date: Tue, 1 Dec 2015 17:59:36 -0500 Subject: [PATCH 357/380] avutil/channel_layout: AV_CH_LAYOUT_6POINT1_BACK not reachable in parsing Trying to make heads and tails out of DTS 6.1 I can across this typo. I also noticed that this wiki page is incorrect or misleading, the channel order for 6.1 given does not match the source code. At the least it should be clarified that the layout given does not apply to DTS. https://trac.ffmpeg.org/wiki/AudioChannelManipulation Signed-off-by: Michael Niedermayer (cherry picked from commit 73d1398f0c4ce2de16790f46e05a79242137d153) Signed-off-by: Michael Niedermayer --- libavutil/channel_layout.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c index 45249c4367..7aceb81971 100644 --- a/libavutil/channel_layout.c +++ b/libavutil/channel_layout.c @@ -94,7 +94,7 @@ static const struct { { "6.0(front)", 6, AV_CH_LAYOUT_6POINT0_FRONT }, { "hexagonal", 6, AV_CH_LAYOUT_HEXAGONAL }, { "6.1", 7, AV_CH_LAYOUT_6POINT1 }, - { "6.1", 7, AV_CH_LAYOUT_6POINT1_BACK }, + { "6.1(back)", 7, AV_CH_LAYOUT_6POINT1_BACK }, { "6.1(front)", 7, AV_CH_LAYOUT_6POINT1_FRONT }, { "7.0", 7, AV_CH_LAYOUT_7POINT0 }, { "7.0(front)", 7, AV_CH_LAYOUT_7POINT0_FRONT }, From 91b6d89d0a5ed5ac1aa3ca60d6f8dca93b50d461 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 15:18:53 +0100 Subject: [PATCH 358/380] avutil/random_seed: Add the runtime in cycles of the main loop to the entropy pool This should theoretically improve the randomness slightly Signed-off-by: Michael Niedermayer (cherry picked from commit 2540d884f3fd7cfac503e048112098967be2569a) Signed-off-by: Michael Niedermayer --- libavutil/random_seed.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index 8aa8c3879b..5af8e9e524 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c @@ -97,8 +97,13 @@ static uint32_t get_generic_seed(void) last_t = t; } - if(TEST) + if(TEST) { buffer[0] = buffer[1] = 0; + } else { +#ifdef AV_READ_TIME + buffer[111] += AV_READ_TIME(); +#endif + } av_sha_init(sha, 160); av_sha_update(sha, (const uint8_t *)buffer, sizeof(buffer)); From 873ca2839052563b3f43b6f8a553fdde9371f76a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Przemys=C5=82aw=20Sobala?= Date: Fri, 18 Sep 2015 15:40:58 +0200 Subject: [PATCH 359/380] avcodec/imgconvert: Support non-planar colorspaces while padding Signed-off-by: Michael Niedermayer (cherry picked from commit 0d097a869c38850c9ac09bccef60a229470f489b) Signed-off-by: Michael Niedermayer --- libavcodec/imgconvert.c | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 8cb609946a..8336460441 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -236,9 +236,41 @@ int av_picture_pad(AVPicture *dst, const AVPicture *src, int height, int width, int x_shift; int yheight; int i, y; + int max_step[4]; - if (pix_fmt < 0 || pix_fmt >= AV_PIX_FMT_NB || - !is_yuv_planar(desc)) return -1; + if (pix_fmt < 0 || pix_fmt >= AV_PIX_FMT_NB) + return -1; + + if (!is_yuv_planar(desc)) { + if (src) + return -1; //TODO: Not yet implemented + + av_image_fill_max_pixsteps(max_step, NULL, desc); + + if (padtop || padleft) { + memset(dst->data[0], color[0], + dst->linesize[0] * padtop + (padleft * max_step[0])); + } + + if (padleft || padright) { + optr = dst->data[0] + dst->linesize[0] * padtop + + (dst->linesize[0] - (padright * max_step[0])); + yheight = height - 1 - (padtop + padbottom); + for (y = 0; y < yheight; y++) { + memset(optr, color[0], (padleft + padright) * max_step[0]); + optr += dst->linesize[0]; + } + } + + if (padbottom || padright) { + optr = dst->data[0] + dst->linesize[0] * (height - padbottom) - + (padright * max_step[0]); + memset(optr, color[0], dst->linesize[0] * padbottom + + (padright * max_step[0])); + } + + return 0; + } for (i = 0; i < 3; i++) { x_shift = i ? desc->log2_chroma_w : 0; @@ -284,6 +316,7 @@ int av_picture_pad(AVPicture *dst, const AVPicture *src, int height, int width, (padbottom >> y_shift) + (padright >> x_shift)); } } + return 0; } From 51f686fa77a030f98652238e4047c7d964296227 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Feb 2016 19:58:18 -0500 Subject: [PATCH 360/380] indeo2data: K&R formatting cosmetics Signed-off-by: Vittorio Giovara Signed-off-by: Diego Biurrun (cherry picked from commit d4066a702407352a0648af882c34ea81a404fa2b) (cherry picked from commit 522ab0b9a92962edda7156a91a494a1e2b8a7f64) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2data.h | 208 ++++++++++++++++++++-------------------- 1 file changed, 104 insertions(+), 104 deletions(-) diff --git a/libavcodec/indeo2data.h b/libavcodec/indeo2data.h index 0d6d82f22c..8fd664c6ab 100644 --- a/libavcodec/indeo2data.h +++ b/libavcodec/indeo2data.h @@ -27,115 +27,115 @@ #define IR2_CODES 143 static const uint16_t ir2_codes[IR2_CODES][2] = { #ifdef BITSTREAM_READER_LE -{0x0000, 3}, {0x0004, 3}, {0x0006, 3}, {0x0001, 5}, -{0x0009, 5}, {0x0019, 5}, {0x000D, 5}, {0x001D, 5}, -{0x0023, 6}, {0x0013, 6}, {0x0033, 6}, {0x000B, 6}, -{0x002B, 6}, {0x001B, 6}, {0x0007, 8}, {0x0087, 8}, -{0x0027, 8}, {0x00A7, 8}, {0x0067, 8}, {0x00E7, 8}, -{0x0097, 8}, {0x0057, 8}, {0x0037, 8}, {0x00B7, 8}, -{0x00F7, 8}, {0x000F, 9}, {0x008F, 9}, {0x018F, 9}, -{0x014F, 9}, {0x00CF, 9}, {0x002F, 9}, {0x012F, 9}, -{0x01AF, 9}, {0x006F, 9}, {0x00EF, 9}, {0x01EF, 9}, -{0x001F, 10}, {0x021F, 10}, {0x011F, 10}, {0x031F, 10}, -{0x009F, 10}, {0x029F, 10}, {0x019F, 10}, {0x039F, 10}, -{0x005F, 10}, {0x025F, 10}, {0x015F, 10}, {0x035F, 10}, -{0x00DF, 10}, {0x02DF, 10}, {0x01DF, 10}, {0x03DF, 10}, -{0x003F, 13}, {0x103F, 13}, {0x083F, 13}, {0x183F, 13}, -{0x043F, 13}, {0x143F, 13}, {0x0C3F, 13}, {0x1C3F, 13}, -{0x023F, 13}, {0x123F, 13}, {0x0A3F, 13}, {0x1A3F, 13}, -{0x063F, 13}, {0x163F, 13}, {0x0E3F, 13}, {0x1E3F, 13}, -{0x013F, 13}, {0x113F, 13}, {0x093F, 13}, {0x193F, 13}, -{0x053F, 13}, {0x153F, 13}, {0x0D3F, 13}, {0x1D3F, 13}, -{0x033F, 13}, {0x133F, 13}, {0x0B3F, 13}, {0x1B3F, 13}, -{0x073F, 13}, {0x173F, 13}, {0x0F3F, 13}, {0x1F3F, 13}, -{0x00BF, 13}, {0x10BF, 13}, {0x08BF, 13}, {0x18BF, 13}, -{0x04BF, 13}, {0x14BF, 13}, {0x0CBF, 13}, {0x1CBF, 13}, -{0x02BF, 13}, {0x12BF, 13}, {0x0ABF, 13}, {0x1ABF, 13}, -{0x06BF, 13}, {0x16BF, 13}, {0x0EBF, 13}, {0x1EBF, 13}, -{0x01BF, 13}, {0x11BF, 13}, {0x09BF, 13}, {0x19BF, 13}, -{0x05BF, 13}, {0x15BF, 13}, {0x0DBF, 13}, {0x1DBF, 13}, -{0x03BF, 13}, {0x13BF, 13}, {0x0BBF, 13}, {0x1BBF, 13}, -{0x07BF, 13}, {0x17BF, 13}, {0x0FBF, 13}, {0x1FBF, 13}, -{0x007F, 14}, {0x207F, 14}, {0x107F, 14}, {0x307F, 14}, -{0x087F, 14}, {0x287F, 14}, {0x187F, 14}, {0x387F, 14}, -{0x047F, 14}, {0x247F, 14}, {0x147F, 14}, {0x0002, 3}, -{0x0011, 5}, {0x0005, 5}, {0x0015, 5}, {0x0003, 6}, -{0x003B, 6}, {0x0047, 8}, {0x00C7, 8}, {0x0017, 8}, -{0x00D7, 8}, {0x0077, 8}, {0x010F, 9}, {0x004F, 9}, -{0x01CF, 9}, {0x00AF, 9}, {0x016F, 9}, + { 0x0000, 3 }, { 0x0004, 3 }, { 0x0006, 3 }, { 0x0001, 5 }, + { 0x0009, 5 }, { 0x0019, 5 }, { 0x000D, 5 }, { 0x001D, 5 }, + { 0x0023, 6 }, { 0x0013, 6 }, { 0x0033, 6 }, { 0x000B, 6 }, + { 0x002B, 6 }, { 0x001B, 6 }, { 0x0007, 8 }, { 0x0087, 8 }, + { 0x0027, 8 }, { 0x00A7, 8 }, { 0x0067, 8 }, { 0x00E7, 8 }, + { 0x0097, 8 }, { 0x0057, 8 }, { 0x0037, 8 }, { 0x00B7, 8 }, + { 0x00F7, 8 }, { 0x000F, 9 }, { 0x008F, 9 }, { 0x018F, 9 }, + { 0x014F, 9 }, { 0x00CF, 9 }, { 0x002F, 9 }, { 0x012F, 9 }, + { 0x01AF, 9 }, { 0x006F, 9 }, { 0x00EF, 9 }, { 0x01EF, 9 }, + { 0x001F, 10 }, { 0x021F, 10 }, { 0x011F, 10 }, { 0x031F, 10 }, + { 0x009F, 10 }, { 0x029F, 10 }, { 0x019F, 10 }, { 0x039F, 10 }, + { 0x005F, 10 }, { 0x025F, 10 }, { 0x015F, 10 }, { 0x035F, 10 }, + { 0x00DF, 10 }, { 0x02DF, 10 }, { 0x01DF, 10 }, { 0x03DF, 10 }, + { 0x003F, 13 }, { 0x103F, 13 }, { 0x083F, 13 }, { 0x183F, 13 }, + { 0x043F, 13 }, { 0x143F, 13 }, { 0x0C3F, 13 }, { 0x1C3F, 13 }, + { 0x023F, 13 }, { 0x123F, 13 }, { 0x0A3F, 13 }, { 0x1A3F, 13 }, + { 0x063F, 13 }, { 0x163F, 13 }, { 0x0E3F, 13 }, { 0x1E3F, 13 }, + { 0x013F, 13 }, { 0x113F, 13 }, { 0x093F, 13 }, { 0x193F, 13 }, + { 0x053F, 13 }, { 0x153F, 13 }, { 0x0D3F, 13 }, { 0x1D3F, 13 }, + { 0x033F, 13 }, { 0x133F, 13 }, { 0x0B3F, 13 }, { 0x1B3F, 13 }, + { 0x073F, 13 }, { 0x173F, 13 }, { 0x0F3F, 13 }, { 0x1F3F, 13 }, + { 0x00BF, 13 }, { 0x10BF, 13 }, { 0x08BF, 13 }, { 0x18BF, 13 }, + { 0x04BF, 13 }, { 0x14BF, 13 }, { 0x0CBF, 13 }, { 0x1CBF, 13 }, + { 0x02BF, 13 }, { 0x12BF, 13 }, { 0x0ABF, 13 }, { 0x1ABF, 13 }, + { 0x06BF, 13 }, { 0x16BF, 13 }, { 0x0EBF, 13 }, { 0x1EBF, 13 }, + { 0x01BF, 13 }, { 0x11BF, 13 }, { 0x09BF, 13 }, { 0x19BF, 13 }, + { 0x05BF, 13 }, { 0x15BF, 13 }, { 0x0DBF, 13 }, { 0x1DBF, 13 }, + { 0x03BF, 13 }, { 0x13BF, 13 }, { 0x0BBF, 13 }, { 0x1BBF, 13 }, + { 0x07BF, 13 }, { 0x17BF, 13 }, { 0x0FBF, 13 }, { 0x1FBF, 13 }, + { 0x007F, 14 }, { 0x207F, 14 }, { 0x107F, 14 }, { 0x307F, 14 }, + { 0x087F, 14 }, { 0x287F, 14 }, { 0x187F, 14 }, { 0x387F, 14 }, + { 0x047F, 14 }, { 0x247F, 14 }, { 0x147F, 14 }, { 0x0002, 3 }, + { 0x0011, 5 }, { 0x0005, 5 }, { 0x0015, 5 }, { 0x0003, 6 }, + { 0x003B, 6 }, { 0x0047, 8 }, { 0x00C7, 8 }, { 0x0017, 8 }, + { 0x00D7, 8 }, { 0x0077, 8 }, { 0x010F, 9 }, { 0x004F, 9 }, + { 0x01CF, 9 }, { 0x00AF, 9 }, { 0x016F, 9 }, #else - {0x0000, 3}, {0x0001, 3}, {0x0003, 3}, {0x0010, 5}, - {0x0012, 5}, {0x0013, 5}, {0x0016, 5}, {0x0017, 5}, - {0x0031, 6}, {0x0032, 6}, {0x0033, 6}, {0x0034, 6}, - {0x0035, 6}, {0x0036, 6}, {0x00E0, 8}, {0x00E1, 8}, - {0x00E4, 8}, {0x00E5, 8}, {0x00E6, 8}, {0x00E7, 8}, - {0x00E9, 8}, {0x00EA, 8}, {0x00EC, 8}, {0x00ED, 8}, - {0x00EF, 8}, {0x01E0, 9}, {0x01E2, 9}, {0x01E3, 9}, - {0x01E5, 9}, {0x01E6, 9}, {0x01E8, 9}, {0x01E9, 9}, - {0x01EB, 9}, {0x01EC, 9}, {0x01EE, 9}, {0x01EF, 9}, - {0x03E0, 10}, {0x03E1, 10}, {0x03E2, 10}, {0x03E3, 10}, - {0x03E4, 10}, {0x03E5, 10}, {0x03E6, 10}, {0x03E7, 10}, - {0x03E8, 10}, {0x03E9, 10}, {0x03EA, 10}, {0x03EB, 10}, - {0x03EC, 10}, {0x03ED, 10}, {0x03EE, 10}, {0x03EF, 10}, - {0x1F80, 13}, {0x1F81, 13}, {0x1F82, 13}, {0x1F83, 13}, - {0x1F84, 13}, {0x1F85, 13}, {0x1F86, 13}, {0x1F87, 13}, - {0x1F88, 13}, {0x1F89, 13}, {0x1F8A, 13}, {0x1F8B, 13}, - {0x1F8C, 13}, {0x1F8D, 13}, {0x1F8E, 13}, {0x1F8F, 13}, - {0x1F90, 13}, {0x1F91, 13}, {0x1F92, 13}, {0x1F93, 13}, - {0x1F94, 13}, {0x1F95, 13}, {0x1F96, 13}, {0x1F97, 13}, - {0x1F98, 13}, {0x1F99, 13}, {0x1F9A, 13}, {0x1F9B, 13}, - {0x1F9C, 13}, {0x1F9D, 13}, {0x1F9E, 13}, {0x1F9F, 13}, - {0x1FA0, 13}, {0x1FA1, 13}, {0x1FA2, 13}, {0x1FA3, 13}, - {0x1FA4, 13}, {0x1FA5, 13}, {0x1FA6, 13}, {0x1FA7, 13}, - {0x1FA8, 13}, {0x1FA9, 13}, {0x1FAA, 13}, {0x1FAB, 13}, - {0x1FAC, 13}, {0x1FAD, 13}, {0x1FAE, 13}, {0x1FAF, 13}, - {0x1FB0, 13}, {0x1FB1, 13}, {0x1FB2, 13}, {0x1FB3, 13}, - {0x1FB4, 13}, {0x1FB5, 13}, {0x1FB6, 13}, {0x1FB7, 13}, - {0x1FB8, 13}, {0x1FB9, 13}, {0x1FBA, 13}, {0x1FBB, 13}, - {0x1FBC, 13}, {0x1FBD, 13}, {0x1FBE, 13}, {0x1FBF, 13}, - {0x3F80, 14}, {0x3F81, 14}, {0x3F82, 14}, {0x3F83, 14}, - {0x3F84, 14}, {0x3F85, 14}, {0x3F86, 14}, {0x3F87, 14}, - {0x3F88, 14}, {0x3F89, 14}, {0x3F8A, 14}, {0x0002, 3}, - {0x0011, 5}, {0x0014, 5}, {0x0015, 5}, {0x0030, 6}, - {0x0037, 6}, {0x00E2, 8}, {0x00E3, 8}, {0x00E8, 8}, - {0x00EB, 8}, {0x00EE, 8}, {0x01E1, 9}, {0x01E4, 9}, - {0x01E7, 9}, {0x01EA, 9}, {0x01ED, 9} + { 0x0000, 3 }, { 0x0001, 3 }, { 0x0003, 3 }, { 0x0010, 5 }, + { 0x0012, 5 }, { 0x0013, 5 }, { 0x0016, 5 }, { 0x0017, 5 }, + { 0x0031, 6 }, { 0x0032, 6 }, { 0x0033, 6 }, { 0x0034, 6 }, + { 0x0035, 6 }, { 0x0036, 6 }, { 0x00E0, 8 }, { 0x00E1, 8 }, + { 0x00E4, 8 }, { 0x00E5, 8 }, { 0x00E6, 8 }, { 0x00E7, 8 }, + { 0x00E9, 8 }, { 0x00EA, 8 }, { 0x00EC, 8 }, { 0x00ED, 8 }, + { 0x00EF, 8 }, { 0x01E0, 9 }, { 0x01E2, 9 }, { 0x01E3, 9 }, + { 0x01E5, 9 }, { 0x01E6, 9 }, { 0x01E8, 9 }, { 0x01E9, 9 }, + { 0x01EB, 9 }, { 0x01EC, 9 }, { 0x01EE, 9 }, { 0x01EF, 9 }, + { 0x03E0, 10 }, { 0x03E1, 10 }, { 0x03E2, 10 }, { 0x03E3, 10 }, + { 0x03E4, 10 }, { 0x03E5, 10 }, { 0x03E6, 10 }, { 0x03E7, 10 }, + { 0x03E8, 10 }, { 0x03E9, 10 }, { 0x03EA, 10 }, { 0x03EB, 10 }, + { 0x03EC, 10 }, { 0x03ED, 10 }, { 0x03EE, 10 }, { 0x03EF, 10 }, + { 0x1F80, 13 }, { 0x1F81, 13 }, { 0x1F82, 13 }, { 0x1F83, 13 }, + { 0x1F84, 13 }, { 0x1F85, 13 }, { 0x1F86, 13 }, { 0x1F87, 13 }, + { 0x1F88, 13 }, { 0x1F89, 13 }, { 0x1F8A, 13 }, { 0x1F8B, 13 }, + { 0x1F8C, 13 }, { 0x1F8D, 13 }, { 0x1F8E, 13 }, { 0x1F8F, 13 }, + { 0x1F90, 13 }, { 0x1F91, 13 }, { 0x1F92, 13 }, { 0x1F93, 13 }, + { 0x1F94, 13 }, { 0x1F95, 13 }, { 0x1F96, 13 }, { 0x1F97, 13 }, + { 0x1F98, 13 }, { 0x1F99, 13 }, { 0x1F9A, 13 }, { 0x1F9B, 13 }, + { 0x1F9C, 13 }, { 0x1F9D, 13 }, { 0x1F9E, 13 }, { 0x1F9F, 13 }, + { 0x1FA0, 13 }, { 0x1FA1, 13 }, { 0x1FA2, 13 }, { 0x1FA3, 13 }, + { 0x1FA4, 13 }, { 0x1FA5, 13 }, { 0x1FA6, 13 }, { 0x1FA7, 13 }, + { 0x1FA8, 13 }, { 0x1FA9, 13 }, { 0x1FAA, 13 }, { 0x1FAB, 13 }, + { 0x1FAC, 13 }, { 0x1FAD, 13 }, { 0x1FAE, 13 }, { 0x1FAF, 13 }, + { 0x1FB0, 13 }, { 0x1FB1, 13 }, { 0x1FB2, 13 }, { 0x1FB3, 13 }, + { 0x1FB4, 13 }, { 0x1FB5, 13 }, { 0x1FB6, 13 }, { 0x1FB7, 13 }, + { 0x1FB8, 13 }, { 0x1FB9, 13 }, { 0x1FBA, 13 }, { 0x1FBB, 13 }, + { 0x1FBC, 13 }, { 0x1FBD, 13 }, { 0x1FBE, 13 }, { 0x1FBF, 13 }, + { 0x3F80, 14 }, { 0x3F81, 14 }, { 0x3F82, 14 }, { 0x3F83, 14 }, + { 0x3F84, 14 }, { 0x3F85, 14 }, { 0x3F86, 14 }, { 0x3F87, 14 }, + { 0x3F88, 14 }, { 0x3F89, 14 }, { 0x3F8A, 14 }, { 0x0002, 3 }, + { 0x0011, 5 }, { 0x0014, 5 }, { 0x0015, 5 }, { 0x0030, 6 }, + { 0x0037, 6 }, { 0x00E2, 8 }, { 0x00E3, 8 }, { 0x00E8, 8 }, + { 0x00EB, 8 }, { 0x00EE, 8 }, { 0x01E1, 9 }, { 0x01E4, 9 }, + { 0x01E7, 9 }, { 0x01EA, 9 }, { 0x01ED, 9 }, #endif }; static const uint8_t ir2_luma_table[256] = { - 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, - 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, - 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, - 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, - 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, - 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, - 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, - 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, - 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, - 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, - 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, - 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, - 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, - 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, - 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, - 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, - 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, - 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, - 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, - 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, - 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, - 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, - 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, - 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, - 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, - 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, - 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, - 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, - 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, - 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, - 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, - 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80 + 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, + 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, + 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, + 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, + 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, + 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, + 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, + 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, + 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, + 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, + 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, + 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, + 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, + 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, + 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, + 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, + 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, + 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, + 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, + 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, + 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, + 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, + 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, + 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, + 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, + 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, + 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, + 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, + 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, + 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, + 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, + 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80, }; #endif /* AVCODEC_INDEO2DATA_H */ From fbe2f77e3f7371e838e865bbdb7e781f33323e88 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Feb 2016 19:58:19 -0500 Subject: [PATCH 361/380] indeo2: Fix banding artefacts Rename luma table to delta table and change how it is used. CC: libav-stable@libav.org Signed-off-by: Vittorio Giovara Signed-off-by: Diego Biurrun (cherry picked from commit f8c34f4b8d62afad3f63cf3d9617d73735bef8c1) (cherry picked from commit 73f3c8f73edf0a69502233b2c50fa9e7104f99ec) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 15 ++-- libavcodec/indeo2data.h | 162 ++++++++++++++++++++++++++++++++-------- 2 files changed, 138 insertions(+), 39 deletions(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 39735c2e4b..b2656686a2 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -146,6 +146,7 @@ static int ir2_decode_frame(AVCodecContext *avctx, AVFrame *picture = data; AVFrame * const p = s->picture; int start, ret; + int ltab, ctab; if ((ret = ff_reget_buffer(avctx, p)) < 0) return ret; @@ -167,34 +168,36 @@ static int ir2_decode_frame(AVCodecContext *avctx, init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); + ltab = buf[0x22] & 3; + ctab = buf[0x22] >> 2; if (s->decode_delta) { /* intraframe */ if ((ret = ir2_decode_plane(s, avctx->width, avctx->height, p->data[0], p->linesize[0], - ir2_luma_table)) < 0) + ir2_delta_table[ltab])) < 0) return ret; /* swapped U and V */ if ((ret = ir2_decode_plane(s, avctx->width >> 2, avctx->height >> 2, p->data[2], p->linesize[2], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; if ((ret = ir2_decode_plane(s, avctx->width >> 2, avctx->height >> 2, p->data[1], p->linesize[1], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; } else { /* interframe */ if ((ret = ir2_decode_plane_inter(s, avctx->width, avctx->height, p->data[0], p->linesize[0], - ir2_luma_table)) < 0) + ir2_delta_table[ltab])) < 0) return ret; /* swapped U and V */ if ((ret = ir2_decode_plane_inter(s, avctx->width >> 2, avctx->height >> 2, p->data[2], p->linesize[2], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; if ((ret = ir2_decode_plane_inter(s, avctx->width >> 2, avctx->height >> 2, p->data[1], p->linesize[1], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; } diff --git a/libavcodec/indeo2data.h b/libavcodec/indeo2data.h index 8fd664c6ab..e05c91ff58 100644 --- a/libavcodec/indeo2data.h +++ b/libavcodec/indeo2data.h @@ -103,39 +103,135 @@ static const uint16_t ir2_codes[IR2_CODES][2] = { #endif }; -static const uint8_t ir2_luma_table[256] = { - 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, - 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, - 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, - 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, - 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, - 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, - 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, - 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, - 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, - 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, - 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, - 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, - 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, - 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, - 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, - 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, - 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, - 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, - 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, - 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, - 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, - 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, - 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, - 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, - 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, - 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, - 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, - 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, - 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, - 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, - 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, - 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80, +static const uint8_t ir2_delta_table[4][256] = { + { 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, + 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, + 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, + 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, + 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, + 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, + 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, + 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, + 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, + 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, + 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, + 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, + 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, + 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, + 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, + 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, + 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, + 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, + 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, + 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, + 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, + 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, + 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, + 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, + 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, + 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, + 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, + 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, + 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, + 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, + 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, + 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80, }, + { 0x80, 0x80, 0x85, 0x85, 0x7B, 0x7B, 0x7E, 0x87, + 0x82, 0x79, 0x87, 0x7E, 0x79, 0x82, 0x8F, 0x8F, + 0x71, 0x71, 0x84, 0x8F, 0x7C, 0x71, 0x8F, 0x84, + 0x71, 0x7C, 0x75, 0x8B, 0x8B, 0x75, 0x8B, 0x75, + 0x75, 0x8B, 0x8E, 0x9A, 0x72, 0x66, 0x9A, 0x8E, + 0x66, 0x72, 0x7B, 0x93, 0x85, 0x6D, 0x93, 0x7B, + 0x6D, 0x85, 0x9B, 0x9B, 0x65, 0x65, 0x82, 0x9D, + 0x7E, 0x63, 0x9D, 0x82, 0x63, 0x7E, 0x9B, 0xA8, + 0x65, 0x58, 0xA8, 0x9B, 0x58, 0x65, 0xA9, 0xA9, + 0x57, 0x57, 0x8D, 0xAA, 0x73, 0x56, 0xAA, 0x8D, + 0x56, 0x73, 0x6E, 0x99, 0x92, 0x67, 0x99, 0x6E, + 0x67, 0x92, 0x76, 0xA2, 0x8A, 0x5E, 0xA2, 0x76, + 0x5E, 0x8A, 0x7F, 0xAF, 0x81, 0x51, 0xAF, 0x7F, + 0x51, 0x81, 0xAB, 0xBA, 0x55, 0x46, 0xBA, 0xAB, + 0x46, 0x55, 0x9A, 0xBB, 0x66, 0x45, 0xBB, 0x9A, + 0x45, 0x66, 0xBB, 0xBB, 0x45, 0x45, 0x60, 0xA0, + 0xA0, 0x60, 0xA0, 0x60, 0x60, 0xA0, 0x8B, 0xBE, + 0x75, 0x42, 0xBE, 0x8B, 0x42, 0x75, 0x66, 0xAA, + 0x9A, 0x56, 0xAA, 0x66, 0x56, 0x9A, 0x70, 0xB5, + 0x90, 0x4B, 0xB5, 0x70, 0x4B, 0x90, 0xBE, 0xCF, + 0x42, 0x31, 0xCF, 0xBE, 0x31, 0x42, 0xAB, 0xD0, + 0x55, 0x30, 0xD0, 0xAB, 0x30, 0x55, 0xD1, 0xD1, + 0x2F, 0x2F, 0x9A, 0xD3, 0x66, 0x2D, 0xD3, 0x9A, + 0x2D, 0x66, 0x7B, 0xC5, 0x85, 0x3B, 0xC5, 0x7B, + 0x3B, 0x85, 0x54, 0xB4, 0xAC, 0x4C, 0xB4, 0x54, + 0x4C, 0xAC, 0x5E, 0xBE, 0xA2, 0x42, 0xBE, 0x5E, + 0x42, 0xA2, 0x87, 0xD8, 0x79, 0x28, 0xD8, 0x87, + 0x28, 0x79, 0xC0, 0xE8, 0x40, 0x18, 0xE8, 0xC0, + 0x18, 0x40, 0xD5, 0xE8, 0x2B, 0x18, 0xE8, 0xD5, + 0x18, 0x2B, 0xAB, 0xE9, 0x55, 0x17, 0xE9, 0xAB, + 0x17, 0x55, 0x68, 0xCD, 0x98, 0x33, 0xCD, 0x68, + 0x33, 0x98, 0xEA, 0xEA, 0x16, 0x16, 0x80, 0x80, }, + { 0x80, 0x80, 0x86, 0x86, 0x7A, 0x7A, 0x7E, 0x88, + 0x82, 0x78, 0x88, 0x7E, 0x78, 0x82, 0x92, 0x92, + 0x6E, 0x6E, 0x85, 0x92, 0x7B, 0x6E, 0x92, 0x85, + 0x6E, 0x7B, 0x73, 0x8D, 0x8D, 0x73, 0x8D, 0x73, + 0x73, 0x8D, 0x91, 0x9E, 0x6F, 0x62, 0x9E, 0x91, + 0x62, 0x6F, 0x79, 0x97, 0x87, 0x69, 0x97, 0x79, + 0x69, 0x87, 0xA0, 0xA0, 0x60, 0x60, 0x83, 0xA2, + 0x7D, 0x5E, 0xA2, 0x83, 0x5E, 0x7D, 0xA0, 0xB0, + 0x60, 0x50, 0xB0, 0xA0, 0x50, 0x60, 0xB1, 0xB1, + 0x4F, 0x4F, 0x8F, 0xB2, 0x71, 0x4E, 0xB2, 0x8F, + 0x4E, 0x71, 0x6B, 0x9E, 0x95, 0x62, 0x9E, 0x6B, + 0x62, 0x95, 0x74, 0xA9, 0x8C, 0x57, 0xA9, 0x74, + 0x57, 0x8C, 0x7F, 0xB8, 0x81, 0x48, 0xB8, 0x7F, + 0x48, 0x81, 0xB4, 0xC5, 0x4C, 0x3B, 0xC5, 0xB4, + 0x3B, 0x4C, 0x9F, 0xC6, 0x61, 0x3A, 0xC6, 0x9F, + 0x3A, 0x61, 0xC6, 0xC6, 0x3A, 0x3A, 0x59, 0xA7, + 0xA7, 0x59, 0xA7, 0x59, 0x59, 0xA7, 0x8D, 0xCA, + 0x73, 0x36, 0xCA, 0x8D, 0x36, 0x73, 0x61, 0xB2, + 0x9F, 0x4E, 0xB2, 0x61, 0x4E, 0x9F, 0x6D, 0xBF, + 0x93, 0x41, 0xBF, 0x6D, 0x41, 0x93, 0xCA, 0xDF, + 0x36, 0x21, 0xDF, 0xCA, 0x21, 0x36, 0xB3, 0xDF, + 0x4D, 0x21, 0xDF, 0xB3, 0x21, 0x4D, 0xE1, 0xE1, + 0x1F, 0x1F, 0x9F, 0xE3, 0x61, 0x1D, 0xE3, 0x9F, + 0x1D, 0x61, 0x7A, 0xD3, 0x86, 0x2D, 0xD3, 0x7A, + 0x2D, 0x86, 0x4C, 0xBE, 0xB4, 0x42, 0xBE, 0x4C, + 0x42, 0xB4, 0x57, 0xCA, 0xA9, 0x36, 0xCA, 0x57, + 0x36, 0xA9, 0x88, 0xE9, 0x78, 0x17, 0xE9, 0x88, + 0x17, 0x78, 0xCC, 0xFB, 0x34, 0x05, 0xFB, 0xCC, + 0x05, 0x34, 0xE6, 0xFB, 0x1A, 0x05, 0xFB, 0xE6, + 0x05, 0x1A, 0xB4, 0xFD, 0x4C, 0x03, 0xFD, 0xB4, + 0x03, 0x4C, 0x63, 0xDC, 0x9D, 0x24, 0xDC, 0x63, + 0x24, 0x9D, 0xFE, 0xFE, 0x02, 0x02, 0x80, 0x80, }, + { 0x80, 0x80, 0x87, 0x87, 0x79, 0x79, 0x7E, 0x89, + 0x82, 0x77, 0x89, 0x7E, 0x77, 0x82, 0x95, 0x95, + 0x6B, 0x6B, 0x86, 0x96, 0x7A, 0x6A, 0x96, 0x86, + 0x6A, 0x7A, 0x70, 0x90, 0x90, 0x70, 0x90, 0x70, + 0x70, 0x90, 0x94, 0xA4, 0x6C, 0x5C, 0xA4, 0x94, + 0x5C, 0x6C, 0x78, 0x9B, 0x88, 0x65, 0x9B, 0x78, + 0x65, 0x88, 0xA6, 0xA6, 0x5A, 0x5A, 0x83, 0xA9, + 0x7D, 0x57, 0xA9, 0x83, 0x57, 0x7D, 0xA6, 0xB9, + 0x5A, 0x47, 0xB9, 0xA6, 0x47, 0x5A, 0xBA, 0xBA, + 0x46, 0x46, 0x92, 0xBC, 0x6E, 0x44, 0xBC, 0x92, + 0x44, 0x6E, 0x67, 0xA3, 0x99, 0x5D, 0xA3, 0x67, + 0x5D, 0x99, 0x72, 0xB0, 0x8E, 0x50, 0xB0, 0x72, + 0x50, 0x8E, 0x7F, 0xC3, 0x81, 0x3D, 0xC3, 0x7F, + 0x3D, 0x81, 0xBE, 0xD2, 0x42, 0x2E, 0xD2, 0xBE, + 0x2E, 0x42, 0xA5, 0xD4, 0x5B, 0x2C, 0xD4, 0xA5, + 0x2C, 0x5B, 0xD4, 0xD4, 0x2C, 0x2C, 0x52, 0xAE, + 0xAE, 0x52, 0xAE, 0x52, 0x52, 0xAE, 0x8F, 0xD8, + 0x71, 0x28, 0xD8, 0x8F, 0x28, 0x71, 0x5B, 0xBB, + 0xA5, 0x45, 0xBB, 0x5B, 0x45, 0xA5, 0x69, 0xCB, + 0x97, 0x35, 0xCB, 0x69, 0x35, 0x97, 0xD8, 0xF0, + 0x28, 0x10, 0xF0, 0xD8, 0x10, 0x28, 0xBD, 0xF1, + 0x43, 0x0F, 0xF1, 0xBD, 0x0F, 0x43, 0xF3, 0xF3, + 0x0D, 0x0D, 0xA5, 0xF6, 0x5B, 0x0A, 0xF6, 0xA5, + 0x0A, 0x5B, 0x78, 0xE2, 0x88, 0x1E, 0xE2, 0x78, + 0x1E, 0x88, 0x42, 0xC9, 0xBE, 0x37, 0xC9, 0x42, + 0x37, 0xBE, 0x4F, 0xD8, 0xB1, 0x28, 0xD8, 0x4F, + 0x28, 0xB1, 0x8A, 0xFD, 0x76, 0x03, 0xFD, 0x8A, + 0x03, 0x76, 0xDB, 0xFF, 0x25, 0x01, 0xFF, 0xDB, + 0x01, 0x25, 0xF9, 0xFF, 0x07, 0x01, 0xFF, 0xF9, + 0x01, 0x07, 0xBE, 0xFF, 0x42, 0x01, 0xFF, 0xBE, + 0x01, 0x42, 0x5E, 0xED, 0xA2, 0x13, 0xED, 0x5E, + 0x13, 0xA2, 0xFF, 0xFF, 0x01, 0x01, 0x80, 0x80, }, }; #endif /* AVCODEC_INDEO2DATA_H */ From 24bd4b363ecd647f087d641e8f6b3f7847b1114e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Mar 2016 19:40:32 +0100 Subject: [PATCH 362/380] avcodec/resample: Remove disabled and faulty code Fixes Ticket5345 Signed-off-by: Michael Niedermayer (cherry picked from commit 50ef7361cb5f78c94da2323f3bae86c6bbd618c8) Signed-off-by: Michael Niedermayer --- libavcodec/resample.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/resample.c b/libavcodec/resample.c index c45aa16cd1..ec311c7bfb 100644 --- a/libavcodec/resample.c +++ b/libavcodec/resample.c @@ -290,12 +290,6 @@ int audio_resample(ReSampleContext *s, short *output, short *input, int nb_sampl short *output_bak = NULL; int lenout; - if (s->input_channels == s->output_channels && s->ratio == 1.0 && 0) { - /* nothing to do */ - memcpy(output, input, nb_samples * s->input_channels * sizeof(short)); - return nb_samples; - } - if (s->sample_fmt[0] != AV_SAMPLE_FMT_S16) { int istride[1] = { s->sample_size[0] }; int ostride[1] = { 2 }; From c6bb7659726728d9c523b168f08c8d04aec75433 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Mar 2016 15:41:30 +0100 Subject: [PATCH 363/380] avcodec/mjpegenc_common: Store approximate aspect if exact cannot be stored Fixes Ticket5244 Signed-off-by: Michael Niedermayer (cherry picked from commit 068026b0f7845e0f1850094d974f60d181480d64) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegenc_common.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index daa5b6924d..01ebab9129 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c @@ -119,6 +119,16 @@ static void jpeg_put_comments(AVCodecContext *avctx, PutBitContext *p) uint8_t *ptr; if (avctx->sample_aspect_ratio.num > 0 && avctx->sample_aspect_ratio.den > 0) { + AVRational sar = avctx->sample_aspect_ratio; + + if (sar.num > 65535 || sar.den > 65535) { + if (!av_reduce(&sar.num, &sar.den, avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 65535)) + av_log(avctx, AV_LOG_WARNING, + "Cannot store exact aspect ratio %d:%d\n", + avctx->sample_aspect_ratio.num, + avctx->sample_aspect_ratio.den); + } + /* JFIF header */ put_marker(p, APP0); put_bits(p, 16, 16); @@ -128,8 +138,8 @@ static void jpeg_put_comments(AVCodecContext *avctx, PutBitContext *p) * released revision. */ put_bits(p, 16, 0x0102); put_bits(p, 8, 0); /* units type: 0 - aspect ratio */ - put_bits(p, 16, avctx->sample_aspect_ratio.num); - put_bits(p, 16, avctx->sample_aspect_ratio.den); + put_bits(p, 16, sar.num); + put_bits(p, 16, sar.den); put_bits(p, 8, 0); /* thumbnail width */ put_bits(p, 8, 0); /* thumbnail height */ } From e112096885c556e45be5f973a3cbb4cfb8bf48fe Mon Sep 17 00:00:00 2001 From: Ico Doornekamp Date: Thu, 24 Mar 2016 14:31:38 +0100 Subject: [PATCH 364/380] avformat/rtpdec_jpeg: fix low contrast image on low quality setting Original mail and my own followup on ffmpeg-user earlier today: I have a device sending out a MJPEG/RTP stream on a low quality setting. Decoding and displaying the video with libavformat results in a washed out, low contrast, greyish image. Playing the same stream with VLC results in proper color representation. Screenshots for comparison: http://zevv.nl/div/libav/shot-ffplay.jpg http://zevv.nl/div/libav/shot-vlc.jpg A pcap capture of a few seconds of video and SDP file for playing the stream are available at http://zevv.nl/div/libav/mjpeg.pcap http://zevv.nl/div/libav/mjpeg.sdp I believe the problem might be in the calculation of the quantization tables in the function create_default_qtables(), the attached patch solves the issue for me. The problem is that the argument 'q' is of the type uint8_t. According to the JPEG standard, if 1 <= q <= 50, the scale factor 'S' should be 5000 / Q. Because the create_default_qtables() reuses the variable 'q' to store the result of this calculation, for small values of q < 19, q wil subsequently overflow and give wrong results in the calculated quantization tables. The patch below uses a new variable 'S' (same name as in RFC2435) with the proper range to store the result of the division. Signed-off-by: Michael Niedermayer (cherry picked from commit e3e6a2cff4af9542455d416faec4584d5e823d5d) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_jpeg.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/rtpdec_jpeg.c b/libavformat/rtpdec_jpeg.c index 6bf88f8c3a..32655cc5ef 100644 --- a/libavformat/rtpdec_jpeg.c +++ b/libavformat/rtpdec_jpeg.c @@ -193,16 +193,17 @@ static void create_default_qtables(uint8_t *qtables, uint8_t q) { int factor = q; int i; + uint16_t S; factor = av_clip(q, 1, 99); if (q < 50) - q = 5000 / factor; + S = 5000 / factor; else - q = 200 - factor * 2; + S = 200 - factor * 2; for (i = 0; i < 128; i++) { - int val = (default_quantizers[i] * q + 50) / 100; + int val = (default_quantizers[i] * S + 50) / 100; /* Limit the quantizers to 1 <= q <= 255. */ val = av_clip(val, 1, 255); From f3da3e2aed9d9af1e49f79266b15dc987c0cdcf9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Mar 2016 20:55:30 +0100 Subject: [PATCH 365/380] avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set Reviewed-by: maintainer Signed-off-by: Michael Niedermayer (cherry picked from commit 0cd9ff4e3aa23318a855c21d60b1c9035b2b99d2) Signed-off-by: Michael Niedermayer --- libavcodec/libutvideodec.cpp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/libutvideodec.cpp b/libavcodec/libutvideodec.cpp index e4b87a8bbc..93fbcb4a51 100644 --- a/libavcodec/libutvideodec.cpp +++ b/libavcodec/libutvideodec.cpp @@ -222,9 +222,19 @@ static int utvideo_decode_frame(AVCodecContext *avctx, void *data, pic->data[0] = utv->buffer + utv->buf_size + pic->linesize[0]; break; } + pic->width = w; + pic->height = h; + pic->format = avctx->pix_fmt; + + if (avctx->refcounted_frames) { + int ret = av_frame_ref((AVFrame*)data, pic); + if (ret < 0) + return ret; + } else { + av_frame_move_ref((AVFrame*)data, pic); + } *got_frame = 1; - av_frame_move_ref((AVFrame*)data, pic); return avpkt->size; } From 1bccba1893cffee4778d79bb94185ad715e76838 Mon Sep 17 00:00:00 2001 From: Aaron Boxer Date: Thu, 31 Mar 2016 16:02:14 -0400 Subject: [PATCH 366/380] avcodec/j2kenc: Add attribution to OpenJPEG project: http://ghostscript.com/~tor/gs-browse/gs/openjpeg/libopenjpeg/t1.c Signed-off-by: Michael Niedermayer (cherry picked from commit b6b4b0a65e02495edf9d7e5b23bef99a92921147) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 593ceb40e5..d044948c15 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -17,8 +17,46 @@ * You should have received a copy of the GNU Lesser General Public * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + * ********************************************************************************************************************** + * + * + * + * This source code incorporates work covered by the following copyright and + * permission notice: + * + * Copyright (c) 2002-2007, Communications and Remote Sensing Laboratory, Universite catholique de Louvain (UCL), Belgium + * Copyright (c) 2002-2007, Professor Benoit Macq + * Copyright (c) 2001-2003, David Janssens + * Copyright (c) 2002-2003, Yannick Verschueren + * Copyright (c) 2003-2007, Francois-Olivier Devaux and Antonin Descampe + * Copyright (c) 2005, Herve Drolon, FreeImage Team + * Copyright (c) 2007, Callum Lerwick + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. */ + /** * JPEG2000 image encoder * @file From 3d9f1c0dbbcba0164ec5f0bd3497c481afc43062 Mon Sep 17 00:00:00 2001 From: Marios Titas Date: Sat, 2 Apr 2016 21:11:44 +0300 Subject: [PATCH 367/380] avfilter/src_movie: fix how we check for overflows with seek_point Currently, if the movie source filter is used and a seek_point is specified on a file that has a negative start time, ffmpeg will fail. An easy way to reproduce this is as follows: $ ffmpeg -vsync passthrough -filter_complex 'color=d=10,setpts=PTS-1/TB' test.mp4 $ ffmpeg -filter_complex 'movie=filename=test.mp4:seek_point=2' -f null - The problem is caused by checking for int64_t overflow the wrong way. In general, to check whether a + b overflows, it is not enough to do: a > INT64_MAX - b because b might be negative; the correct way is: b > 0 && > a > INT64_MAX - b Signed-off-by: Michael Niedermayer (cherry picked from commit c1f9734f977f59bc0034096afbe8e43e40d93a5d) Signed-off-by: Michael Niedermayer --- libavfilter/src_movie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/src_movie.c b/libavfilter/src_movie.c index 908c03e1d3..6df52f75cc 100644 --- a/libavfilter/src_movie.c +++ b/libavfilter/src_movie.c @@ -240,7 +240,7 @@ static av_cold int movie_common_init(AVFilterContext *ctx) timestamp = movie->seek_point; // add the stream start time, should it exist if (movie->format_ctx->start_time != AV_NOPTS_VALUE) { - if (timestamp > INT64_MAX - movie->format_ctx->start_time) { + if (timestamp > 0 && movie->format_ctx->start_time > INT64_MAX - timestamp) { av_log(ctx, AV_LOG_ERROR, "%s: seek value overflow with start_time:%"PRId64" seek_point:%"PRId64"\n", movie->file_name, movie->format_ctx->start_time, movie->seek_point); From 62e87d065b9bae0f9d5319a88c8af0a0c3bdd084 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Apr 2016 15:10:31 +0200 Subject: [PATCH 368/380] avcodec/bmp_parser: Ensure remaining_size is not too small in startcode packet crossing corner case Fixes Ticket 5438 Signed-off-by: Michael Niedermayer (cherry picked from commit 8e26bdd59bf559d00c7e60c53fff292de10139ff) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index c9493dc32d..7ab32a0b00 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -63,7 +63,7 @@ restart: continue; } bpc->pc.frame_start_found++; - bpc->remaining_size = bpc->fsize + i - 17; + bpc->remaining_size = bpc->fsize + FFMAX(i - 17, 0); if (bpc->pc.index + i > 17) { next = i - 17; From 0696a555b6a516ce569bb2320b512dc790e747b4 Mon Sep 17 00:00:00 2001 From: Ivan Date: Tue, 12 Apr 2016 16:32:04 -0400 Subject: [PATCH 369/380] avcodec/h264: Fix for H.264 configuration parsing Sometimes video fails to decode if H.264 configuration changes mid stream. The reason is that configuration parser assumes that nal_ref_idc is equal to 11b while actually some codecs but 01b there. The H.264 spec is somewhat vague about this but it looks like it allows any non-zero nal_ref_idc for sps/pps. Signed-off-by: Michael Niedermayer (cherry picked from commit 3a727606c474d3d0b9efa3c900294a84bdb5e331) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1f5f4a0b20..692cd62d57 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1737,7 +1737,7 @@ static int is_extra(const uint8_t *buf, int buf_size) const uint8_t *p= buf+6; while(cnt--){ int nalsize= AV_RB16(p) + 2; - if(nalsize > buf_size - (p-buf) || p[2]!=0x67) + if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 7) return 0; p += nalsize; } @@ -1746,7 +1746,7 @@ static int is_extra(const uint8_t *buf, int buf_size) return 0; while(cnt--){ int nalsize= AV_RB16(p) + 2; - if(nalsize > buf_size - (p-buf) || p[2]!=0x68) + if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 8) return 0; p += nalsize; } From cff516d9e841388c3cf805dd179f7305b84050f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Apr 2016 22:38:26 +0200 Subject: [PATCH 370/380] avcodec/avpacket: Fix off by 5 error Fixes out of array read Fixes: mozilla bug 1266129 Found-by: Tyson Smith Tested-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 9f36ea57ae6eefb42432220feab0350494f4144c) Conflicts: libavcodec/avpacket.c --- libavcodec/avpacket.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index b73cf212aa..230ddb0e5d 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -411,10 +411,12 @@ int av_packet_split_side_data(AVPacket *pkt){ p = pkt->data + pkt->size - 8 - 5; for (i=1; ; i++){ size = AV_RB32(p); - if (size>INT_MAX || p - pkt->data < size) + if (size>INT_MAX - 5 || p - pkt->data < size) return 0; if (p[4]&128) break; + if (p - pkt->data < size + 5) + return 0; p-= size+5; } @@ -425,7 +427,7 @@ int av_packet_split_side_data(AVPacket *pkt){ p= pkt->data + pkt->size - 8 - 5; for (i=0; ; i++){ size= AV_RB32(p); - av_assert0(size<=INT_MAX && p - pkt->data >= size); + av_assert0(size<=INT_MAX - 5 && p - pkt->data >= size); pkt->side_data[i].data = av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE); pkt->side_data[i].size = size; pkt->side_data[i].type = p[4]&127; From 7e2c69516910ff6170cd687a9cd057f2f01afa2c Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 12 Apr 2016 10:51:30 +0200 Subject: [PATCH 371/380] avcodec/apedec: fix decoding of stereo files with one channel full of silence Signed-off-by: Paul B Mahol (cherry picked from commit 9149e9c0baaec122bc3da925d6068dffa60b5427) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9984b4099b..2cd77d4d18 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1372,7 +1372,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count) int32_t *decoded0 = ctx->decoded[0]; int32_t *decoded1 = ctx->decoded[1]; - if (ctx->frameflags & APE_FRAMECODE_STEREO_SILENCE) { + if ((ctx->frameflags & APE_FRAMECODE_STEREO_SILENCE) == APE_FRAMECODE_STEREO_SILENCE) { /* We are pure silence, so we're done. */ av_log(ctx->avctx, AV_LOG_DEBUG, "pure silence stereo\n"); return; From cec42e6f4de3b040fac34eb99dc1acbb2cfdcbee Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 20 Apr 2016 22:45:05 +0200 Subject: [PATCH 372/380] avcodec/takdec: add code that got somehow lost in process of REing Signed-off-by: Paul B Mahol (cherry picked from commit 38797a8033d061ade58b30b8ac86da222fe42a84) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 28f884a3f6..fbec0e037b 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -224,6 +224,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) int a3 = coeffs[2]; int a4 = a3 + a1; int a5 = a4 + a2; + coeffs[2] = a5; coeffs += 3; for (i = 0; i < length - 3; i++) { a3 += *coeffs; From 526aca805f778a94654672c5ddc8ef766fee63c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Apr 2016 12:30:20 +0200 Subject: [PATCH 373/380] avfilter/vf_drawtext: Check return code of load_glyph() Fixes segfault Fixes Ticket5347 Signed-off-by: Michael Niedermayer (cherry picked from commit 2e67a99fbc6b99315925de40fc6fa7161576be10) Signed-off-by: Michael Niedermayer --- libavfilter/vf_drawtext.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index 16e3383db0..a0cb222fa0 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -1210,7 +1210,9 @@ static int draw_text(AVFilterContext *ctx, AVFrame *frame, dummy.code = code; glyph = av_tree_find(s->glyphs, &dummy, glyph_cmp, NULL); if (!glyph) { - load_glyph(ctx, &glyph, code); + ret = load_glyph(ctx, &glyph, code); + if (ret < 0) + return ret; } y_min = FFMIN(glyph->bbox.yMin, y_min); From 49fc747b4874e9c21fc37811c612add2d1eb7eda Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Apr 2016 04:08:21 +0200 Subject: [PATCH 374/380] avcodec/ac3dec: Reset SPX when switching from EAC3 to AC3 Fixes Ticket5319 Signed-off-by: Michael Niedermayer (cherry picked from commit 9ac154d1facd4756db6918f866dccf3e3ffb698c) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 234b469bc0..d06b2813e3 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -901,11 +901,13 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) ff_eac3_default_spx_band_struct, &s->num_spx_bands, s->spx_band_sizes); - } else { - for (ch = 1; ch <= fbw_channels; ch++) { - s->channel_uses_spx[ch] = 0; - s->first_spx_coords[ch] = 1; - } + } + } + if (!s->eac3 || !s->spx_in_use) { + s->spx_in_use = 0; + for (ch = 1; ch <= fbw_channels; ch++) { + s->channel_uses_spx[ch] = 0; + s->first_spx_coords[ch] = 1; } } From 3f69797e9b2f2d7060c5f7833479ab085bbca50f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Sun, 24 Apr 2016 17:30:56 +0300 Subject: [PATCH 375/380] pgssubdec: fix subpicture output colorspace and range Functionality used before didn't widen the values from limited to full range. Additionally, now the decoder uses BT.709 where it should be used according to the video resolution. Default for not yet set colorimetry is BT.709 due to most observed HDMV content being HD. BT.709 coefficients were gathered from the first two parts of BT.709 to BT.2020 conversion guide in ARIB STD-B62 (Pt. 1, Chapter 6.2.2). They were additionally confirmed by manually calculating values. Fixes #4637 (cherry picked from commit 9779b6262471d553c1ed811ff7312564e39d8adf) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 10 ++++++++-- libavutil/colorspace.h | 10 ++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index e567f53ab4..6ff6cc4059 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -354,8 +354,14 @@ static int parse_palette_segment(AVCodecContext *avctx, cb = bytestream_get_byte(&buf); alpha = bytestream_get_byte(&buf); - YUV_TO_RGB1(cb, cr); - YUV_TO_RGB2(r, g, b, y); + /* Default to BT.709 colorimetry. In case of <= 576 height use BT.601 */ + if (avctx->height <= 0 || avctx->height > 576) { + YUV_TO_RGB1_CCIR_BT709(cb, cr); + } else { + YUV_TO_RGB1_CCIR(cb, cr); + } + + YUV_TO_RGB2_CCIR(r, g, b, y); ff_dlog(avctx, "Color %d := (%d,%d,%d,%d)\n", color_id, r, g, b, alpha); diff --git a/libavutil/colorspace.h b/libavutil/colorspace.h index 826ffd52c4..7d3f7110c9 100644 --- a/libavutil/colorspace.h +++ b/libavutil/colorspace.h @@ -41,6 +41,16 @@ b_add = FIX(1.77200*255.0/224.0) * cb + ONE_HALF;\ } +#define YUV_TO_RGB1_CCIR_BT709(cb1, cr1)\ +{\ + cb = (cb1) - 128;\ + cr = (cr1) - 128;\ + r_add = FIX(1.5747*255.0/224.0) * cr + ONE_HALF;\ + g_add = - FIX(0.1873*255.0/224.0) * cb - FIX(0.4682*255.0/224.0) * cr + \ + ONE_HALF;\ + b_add = FIX(1.8556*255.0/224.0) * cb + ONE_HALF;\ +} + #define YUV_TO_RGB2_CCIR(r, g, b, y1)\ {\ y = ((y1) - 16) * FIX(255.0/219.0);\ From d94d786bf06bc87c53305cfb9ffd13dce1ff58b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Apr 2016 19:17:19 +0200 Subject: [PATCH 376/380] avcodec/ttaenc: Reallocate packet if its too small Fixes assertion failure Fixes Ticket5394 Signed-off-by: Michael Niedermayer (cherry picked from commit 005c61c6b8982f977e415aa69d2d2b42e6b7f3f2) Conflicts: libavcodec/ttaenc.c --- libavcodec/ttaenc.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c index ccd41a90c9..37624a9c62 100644 --- a/libavcodec/ttaenc.c +++ b/libavcodec/ttaenc.c @@ -114,9 +114,12 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, { TTAEncContext *s = avctx->priv_data; PutBitContext pb; - int ret, i, out_bytes, cur_chan = 0, res = 0, samples = 0; + int ret, i, out_bytes, cur_chan, res, samples; + int64_t pkt_size = frame->nb_samples * 2LL * avctx->channels * s->bps; - if ((ret = ff_alloc_packet2(avctx, avpkt, frame->nb_samples * 2 * avctx->channels * s->bps)) < 0) +pkt_alloc: + cur_chan = 0, res = 0, samples = 0; + if ((ret = ff_alloc_packet2(avctx, avpkt, pkt_size)) < 0) return ret; init_put_bits(&pb, avpkt->data, avpkt->size); @@ -174,6 +177,14 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, rice->k1++; unary = 1 + (outval >> k); + if (unary + 100LL > put_bits_left(&pb)) { + if (pkt_size < INT_MAX/2) { + pkt_size *= 2; + av_packet_unref(avpkt); + goto pkt_alloc; + } else + return AVERROR(ENOMEM); + } do { if (unary > 31) { put_bits(&pb, 31, 0x7FFFFFFF); From 4621bc436bea662006c8a2018ffbd6d2a1df48ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Apr 2016 22:50:48 +0200 Subject: [PATCH 377/380] avformat/ffmdec: Check pix_fmt Fixes crash Fixes Ticket5412 Signed-off-by: Michael Niedermayer (cherry picked from commit 78baa450d9939957f52d5187beb95d763d2f1f18) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 9422130d1b..1753109eb6 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -26,6 +26,7 @@ #include "libavutil/opt.h" #include "libavutil/avassert.h" #include "libavutil/avstring.h" +#include "libavutil/pixdesc.h" #include "avformat.h" #include "internal.h" #include "ffm.h" @@ -365,6 +366,11 @@ static int ffm2_read_header(AVFormatContext *s) codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); codec->pix_fmt = avio_rb32(pb); + if (!av_pix_fmt_desc_get(codec->pix_fmt)) { + av_log(s, AV_LOG_ERROR, "Invalid pix fmt id: %d\n", codec->pix_fmt); + codec->pix_fmt = AV_PIX_FMT_NONE; + goto fail; + } codec->qmin = avio_r8(pb); codec->qmax = avio_r8(pb); codec->max_qdiff = avio_r8(pb); @@ -557,6 +563,11 @@ static int ffm_read_header(AVFormatContext *s) codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); codec->pix_fmt = avio_rb32(pb); + if (!av_pix_fmt_desc_get(codec->pix_fmt)) { + av_log(s, AV_LOG_ERROR, "Invalid pix fmt id: %d\n", codec->pix_fmt); + codec->pix_fmt = AV_PIX_FMT_NONE; + goto fail; + } codec->qmin = avio_r8(pb); codec->qmax = avio_r8(pb); codec->max_qdiff = avio_r8(pb); From 0ca22536c7d780bd021b3f919cb7ffbf218aeab0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Apr 2016 04:06:01 +0200 Subject: [PATCH 378/380] Update for 2.7. Signed-off-by: Michael Niedermayer --- Changelog | 42 ++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 44 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 482f7cb15f..59dd09871c 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,48 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.7.7 +- avformat/ffmdec: Check pix_fmt +- avcodec/ttaenc: Reallocate packet if its too small +- pgssubdec: fix subpicture output colorspace and range +- avcodec/ac3dec: Reset SPX when switching from EAC3 to AC3 +- avfilter/vf_drawtext: Check return code of load_glyph() +- avcodec/takdec: add code that got somehow lost in process of REing +- avcodec/apedec: fix decoding of stereo files with one channel full of silence +- avcodec/avpacket: Fix off by 5 error +- avcodec/h264: Fix for H.264 configuration parsing +- avcodec/bmp_parser: Ensure remaining_size is not too small in startcode packet crossing corner case +- avfilter/src_movie: fix how we check for overflows with seek_point +- avcodec/j2kenc: Add attribution to OpenJPEG project: +- avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set +- avformat/rtpdec_jpeg: fix low contrast image on low quality setting +- avcodec/mjpegenc_common: Store approximate aspect if exact cannot be stored +- avcodec/resample: Remove disabled and faulty code +- indeo2: Fix banding artefacts +- indeo2data: K&R formatting cosmetics +- avcodec/imgconvert: Support non-planar colorspaces while padding +- avutil/random_seed: Add the runtime in cycles of the main loop to the entropy pool +- avutil/channel_layout: AV_CH_LAYOUT_6POINT1_BACK not reachable in parsing +- avformat/concatdec: set safe mode to enabled instead of auto +- avformat/utils: fix dts from pts code in compute_pkt_fields() during ascending delay +- avformat/rtpenc: Fix integer overflow in NTP_TO_RTP_FORMAT +- avformat/cache: Fix memleak of tree entries +- lavf/mov: fix sidx with edit lists (cherry picked from commit 3617e69d50dd9dd07b5011dfb9477a9d1a630354) +- avcodec/mjpegdec: Fix decoding slightly odd progressive jpeg +- avcodec/avpacket: clear priv in av_init_packet() +- swscale/utils: Fix chrSrcHSubSample for GBRAP16 +- swscale/input: Fix GBRAP16 input +- postproc: fix unaligned access +- avutil/pixdesc: Make get_color_type() aware of CIE XYZ formats +- avcodec/h264: Execute error concealment before marking the frame as done. +- swscale/x86/output: Fix yuv2planeX_16* with unaligned destination +- swscale/x86/output: Move code into yuv2planeX_mainloop +- avutil/frame: Free destination qp_table_buf in frame_copy_props() +- libwebpenc_animencoder: print library messages in verbose log levels +- libwebpenc_animencoder: zero initialize the WebPAnimEncoderOptions struct +- doc/utils: fix typo for min() description + + version 2.7.6 - avcodec/jpeg2000dec: More completely check cdef - avutil/opt: check for and handle errors in av_opt_set_dict2() diff --git a/RELEASE b/RELEASE index 49cdd668e1..1f7da99d4e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.7.6 +2.7.7 diff --git a/doc/Doxyfile b/doc/Doxyfile index 32099c4aa4..f2a3a54944 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.7.6 +PROJECT_NUMBER = 2.7.7 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 470bdd397f2a8fcc4ea968dcf017d9d5f91f296a Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 12 Jul 2016 17:05:42 -0300 Subject: [PATCH 379/380] avformat/oggparsevp8: fix pts calculation on pages ending with an invisible frame Signed-off-by: James Almer (cherry picked from commit 5adfbd391847fcdaea1e9b105fae2dd90af2a733) --- libavformat/oggparsevp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c index 7aed8abad3..ca13928f1e 100644 --- a/libavformat/oggparsevp8.c +++ b/libavformat/oggparsevp8.c @@ -82,7 +82,11 @@ static uint64_t vp8_gptopts(AVFormatContext *s, int idx, struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; - uint64_t pts = (granule >> 32); + int invcnt = !((granule >> 30) & 3); + // If page granule is that of an invisible vp8 frame, its pts will be + // that of the end of the next visible frame. We substract 1 for those + // to prevent messing up pts calculations. + uint64_t pts = (granule >> 32) - invcnt; uint32_t dist = (granule >> 3) & 0x07ffffff; if (!dist) From 2b6bc8e340ac214971aace12483f4ed460afd36c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 22 Jun 2016 06:36:31 +0200 Subject: [PATCH 380/380] librtmp: Avoid an infiniloop setting connection arguments The exit condition was missing. Signed-off-by: Timothy Gu (cherry picked from commit e85d38c20a8893cb59d7c86f74481f2497882196) Signed-off-by: Timothy Gu --- libavformat/librtmp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/librtmp.c b/libavformat/librtmp.c index bfa9a718f1..5a138adad4 100644 --- a/libavformat/librtmp.c +++ b/libavformat/librtmp.c @@ -193,6 +193,8 @@ static int rtmp_open(URLContext *s, const char *uri, int flags) if (sep) p = sep + 1; + else + break; } } if (ctx->playpath) {