From 8069b44ebfa2f9b86e900f35919f2caae105e25b Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 6 Jan 2013 15:45:51 +0100 Subject: [PATCH 0001/1037] Prepare 9.1 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index ec635144f6..28a2186428 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9 +9.1 From a55700541756022043075975bca6a0b7376595b7 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 2 Jan 2013 13:34:48 -0500 Subject: [PATCH 0002/1037] x86: lavr: use the x86inc.asm automatic stack alignment in mixing functions CC:libav-stable@libav.org (cherry picked from commit 95d01c3f1c33c079db04e24133ba4a6b00d62d4a) Signed-off-by: Reinhard Tartler --- libavresample/x86/audio_mix.asm | 35 +++++++++------------------------ 1 file changed, 9 insertions(+), 26 deletions(-) diff --git a/libavresample/x86/audio_mix.asm b/libavresample/x86/audio_mix.asm index daf0a7b335..8a298e2081 100644 --- a/libavresample/x86/audio_mix.asm +++ b/libavresample/x86/audio_mix.asm 
@@ -260,29 +260,20 @@ MIX_1_TO_2_S16P_FLT %else %assign matrix_elements_stack 0 %endif +%assign matrix_stack_size matrix_elements_stack * mmsize -cglobal mix_%1_to_%2_%3_flt, 3,in_channels+2,needed_mmregs+matrix_elements_mm, src0, src1, len, src2, src3, src4, src5, src6, src7 +%assign needed_stack_size -1 * matrix_stack_size +%if ARCH_X86_32 && in_channels >= 7 +%assign needed_stack_size needed_stack_size - 16 +%endif -; get aligned stack space if needed -%if matrix_elements_stack > 0 - %if mmsize == 32 - %assign bkpreg %1 + 1 - %define bkpq r %+ bkpreg %+ q - mov bkpq, rsp - and rsp, ~(mmsize-1) - sub rsp, matrix_elements_stack * mmsize - %else - %assign matrix_stack_size matrix_elements_stack * mmsize - %assign pad matrix_stack_size + (mmsize - gprsize) - (stack_offset & (mmsize - gprsize)) - ; on x86-32 for 7 and 8 channels we need more stack space for src pointers - %if ARCH_X86_32 && in_channels >= 7 - %assign pad pad + 0x10 +cglobal mix_%1_to_%2_%3_flt, 3,in_channels+2,needed_mmregs+matrix_elements_mm, needed_stack_size, src0, src1, len, src2, src3, src4, src5, src6, src7 + +; define src pointers on stack if needed +%if matrix_elements_stack > 0 && ARCH_X86_32 && in_channels >= 7 %define src5m [rsp+matrix_stack_size+0] %define src6m [rsp+matrix_stack_size+4] %define src7m [rsp+matrix_stack_size+8] - %endif - SUB rsp, pad - %endif %endif ; load matrix pointers @@ -463,14 +454,6 @@ cglobal mix_%1_to_%2_%3_flt, 3,in_channels+2,needed_mmregs+matrix_elements_mm, s add lenq, mmsize jl .loop -; restore stack pointer -%if matrix_elements_stack > 0 - %if mmsize == 32 - mov rsp, bkpq - %else - ADD rsp, pad - %endif -%endif ; zero ymm high halves %if mmsize == 32 vzeroupper From c1555ae4b62a23addfe7265c29cb66cc7a0d886b Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 6 Jan 2013 18:04:10 +0100 Subject: [PATCH 0003/1037] update Changelog --- Changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Changelog b/Changelog index 92098cacd5..77e77a6371 100644 
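Review bot: In libavresample/x86/audio_mix.asm the extra 16 bytes are now reserved whenever `ARCH_X86_32 && in_channels >= 7`, but the `src5m`/`src6m`/`src7m` stack slots are only defined when `matrix_elements_stack > 0` holds as well, so the two conditions no longer match. If the reservation is only needed together with the stack-resident matrix, the first `%if` should carry the same `matrix_elements_stack > 0` term. The comment that explained the extra space was removed with the old code; I would keep one next to the `- 16`, for example `; x86-32 with 7-8 channels: 16 extra bytes hold the src5-src7 pointers`. The macro body continues outside both hunks.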
--- a/Changelog +++ b/Changelog @@ -1,6 +1,11 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.1: +- Fix a crash on windows platforms related to automatic stack alignment + in libavresample + + version 9: - av_basename and av_dirname - adobe and limelight publisher authentication in RTMP From 79013a59c0605472fe941ca9ff01324c1320f874 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Jan 2013 21:54:19 +0100 Subject: [PATCH 0004/1037] update for 1.1 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 1 + doc/Doxyfile | 2 +- doc/RELEASE_NOTES | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 VERSION diff --git a/RELEASE b/RELEASE index 3d529fb483..9459d4ba2a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.git +1.1 diff --git a/VERSION b/VERSION new file mode 100644 index 0000000000..b123147e2a --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +1.1 \ No newline at end of file diff --git a/doc/Doxyfile b/doc/Doxyfile index 7e6d0f56fd..d84dccffe5 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 1.1 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/doc/RELEASE_NOTES b/doc/RELEASE_NOTES index f71f18a3aa..4c209ecb5e 100644 --- a/doc/RELEASE_NOTES +++ b/doc/RELEASE_NOTES @@ -1,7 +1,7 @@ Release Notes ============= -* 0.10 "Freedom" January, 2012 +* 1.1 "Fire Flower" January, 2013 General notes From 42bd6d9cf681306d14c92af97a40116fe4eb2522 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Fri, 4 Jan 2013 15:44:02 +0100 Subject: [PATCH 0005/1037] oggdec: free the ogg streams on read_header failure Plug an annoying memory leak on broken files. (cherry picked from commit 89b51b570daa80e6e3790fcd449fe61fc5574e07) Signed-off-by: Luca Barbato --- libavformat/oggdec.c | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 07af5cf9d0..a6cd31c514 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -526,6 +526,19 @@ static int ogg_get_length(AVFormatContext *s) return 0; } +static int ogg_read_close(AVFormatContext *s) +{ + struct ogg *ogg = s->priv_data; + int i; + + for (i = 0; i < ogg->nstreams; i++) { + av_free(ogg->streams[i].buf); + av_free(ogg->streams[i].private); + } + av_free(ogg->streams); + return 0; +} + static int ogg_read_header(AVFormatContext *s) { struct ogg *ogg = s->priv_data; @@ -533,8 +546,10 @@ static int ogg_read_header(AVFormatContext *s) ogg->curidx = -1; //linear headers seek from start ret = ogg_get_headers(s); - if (ret < 0) + if (ret < 0) { + ogg_read_close(s); return ret; + } for (i = 0; i < ogg->nstreams; i++) if (ogg->streams[i].header < 0) @@ -619,19 +634,6 @@ retry: return psize; } -static int ogg_read_close(AVFormatContext *s) -{ - struct ogg *ogg = s->priv_data; - int i; - - for (i = 0; i < ogg->nstreams; i++) { - av_free(ogg->streams[i].buf); - av_free(ogg->streams[i].private); - } - av_free(ogg->streams); - return 0; -} - static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index, int64_t *pos_arg, int64_t pos_limit) { From c01be297ce5ac244d79a7b287f7fa050de113a14 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 4 Jan 2013 16:05:51 +0100 Subject: [PATCH 0006/1037] oggdec: make sure the private parse data is cleaned up (cherry picked from commit d894f74762bc95310ba23f804b7ba8dffc8f6646) 
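Review bot: ogg_read_close() in libavformat/oggdec.c leaves `ogg->streams` and `ogg->nstreams` describing freed memory, and this commit now also calls it from the ogg_read_header() error path. If the generic demuxer teardown (not visible here) runs read_close again after a failed read_header, every `av_free` in the loop becomes a double free on a malformed file. Ending the function with `av_freep(&ogg->streams); ogg->nstreams = 0;` makes a second call harmless. The loop in ogg_read_header() that tests `header < 0` is cut off by the hunk, so I cannot tell whether that path needs the same cleanup.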
Signed-off-by: Luca Barbato --- libavformat/oggdec.c | 4 ++++ libavformat/oggdec.h | 1 + libavformat/oggparsevorbis.c | 11 +++++++++++ 3 files changed, 16 insertions(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index a6cd31c514..d8f89b8f80 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -533,6 +533,10 @@ static int ogg_read_close(AVFormatContext *s) for (i = 0; i < ogg->nstreams; i++) { av_free(ogg->streams[i].buf); + if (ogg->streams[i].codec && + ogg->streams[i].codec->cleanup) { + ogg->streams[i].codec->cleanup(s, i); + } av_free(ogg->streams[i].private); } av_free(ogg->streams); diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index bb7b345934..d11ff9f591 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -55,6 +55,7 @@ struct ogg_codec { * Number of expected headers */ int nb_header; + void (*cleanup)(AVFormatContext *s, int idx); }; struct ogg_stream { diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 396a3e3ea7..fbe6c4fb41 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -192,6 +192,16 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv, return offset; } +static int vorbis_cleanup(AVFormatContext *s, int idx) +{ + struct ogg *ogg = s->priv_data; + struct ogg_stream *os = ogg->streams + idx; + struct oggvorbis_private *priv = os->private; + int i; + if (os->private) + for (i = 0; i < 3; i++) + av_freep(&priv->packet[i]); +} static int vorbis_header (AVFormatContext * s, int idx) @@ -359,5 +369,6 @@ const struct ogg_codec ff_vorbis_codec = { .magicsize = 7, .header = vorbis_header, .packet = vorbis_packet, + .cleanup= vorbis_cleanup, .nb_header = 3, }; From 0135dd73bb23060b896b06f2ecbb05435224f492 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 6 Jan 2013 18:04:10 +0100 Subject: [PATCH 0007/1037] update Changelog --- Changelog | 1 + 1 file changed, 1 insertion(+) 
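Review bot: vorbis_cleanup() in libavformat/oggparsevorbis.c is declared `static int` but has no return statement, while the new member in oggdec.h is `void (*cleanup)(AVFormatContext *s, int idx)`. Storing it in `.cleanup` is an incompatible pointer conversion, and calling through it is undefined behaviour. Declare it `static void vorbis_cleanup(AVFormatContext *s, int idx)`. Unlike `nb_header` above it, the new struct member has no doc comment; something like `/** Free codec-private allocations of stream idx; called from ogg_read_close(). */` would state the contract.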
diff --git a/Changelog b/Changelog index 77e77a6371..7f6249adfa 100644 --- a/Changelog +++ b/Changelog @@ -4,6 +4,7 @@ releases are sorted from youngest to oldest. version 9.1: - Fix a crash on windows platforms related to automatic stack alignment in libavresample +- Fix memleaks in the ogg demuxer. Related to CVE-2012-2882 version 9: From 9202824e1bf9e3c1e2a98806e3ef0b20f8d1e5c0 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 7 Jan 2013 09:44:48 +0000 Subject: [PATCH 0008/1037] Changelog: move Megalux where it belongs Signed-off-by: Paul B Mahol (cherry picked from commit e13c5abbd70440a02e00d7392738a36356481a78) --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 5d59a9738d..1a2e96a4cc 100644 --- a/Changelog +++ b/Changelog @@ -60,6 +60,7 @@ version 1.1: - support building on the Plan 9 operating system - kerndeint filter ported from MPlayer - histeq filter ported from VirtualDub +- Megalux Frame demuxer - 012v decoder @@ -349,7 +350,6 @@ easier to use. The changes are: - Simple segmenting muxer - Indeo 4 decoder - SMJPEG demuxer -- Megalux Frame demuxer version 0.8: From 36dac6da41c8a28e03d33bfb839040156d5d6804 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 8 Jan 2013 01:08:36 +0100 Subject: [PATCH 0009/1037] Add forgotten AVC Intra entry to Changelog. (cherry picked from commit b23aff6755ff96b3b338e4b5f9eb3b6a91fda433) --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 1a2e96a4cc..b12a8e4584 100644 --- a/Changelog +++ b/Changelog @@ -62,6 +62,7 @@ version 1.1: - histeq filter ported from VirtualDub - Megalux Frame demuxer - 012v decoder +- Improved AVC Intra decoding support version 1.0: From 606aa3baee1e85626f289b0864963e4c920eff8b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Tue, 8 Jan 2013 22:39:25 +0100 Subject: [PATCH 0010/1037] lavf/mux: do not pass a copy of the packet to write_packet(). Sometimes the muxer modifies the packet, like for instance lavf/mp3enc changing pkt->destruct in order to keep a copy. These changes must be kept, even though the muxer behaviour is questionable. Regression since 0072116. Fixes #2124. (cherry picked from commit 119d70db5099f9513d954283245efd7f699ad321) --- libavformat/mux.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/mux.c b/libavformat/mux.c index c7e176abb3..c34a2946c7 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -490,13 +490,12 @@ static int compute_pkt_fields2(AVFormatContext *s, AVStream *st, AVPacket *pkt) */ static inline int split_write_packet(AVFormatContext *s, AVPacket *pkt) { - int ret; - AVPacket spkt = *pkt; + int ret, did_split; - av_packet_split_side_data(&spkt); - ret = s->oformat->write_packet(s, &spkt); - spkt.data = NULL; - av_destruct_packet(&spkt); + did_split = av_packet_split_side_data(pkt); + ret = s->oformat->write_packet(s, pkt); + if (did_split) + av_packet_merge_side_data(pkt); return ret; } From ddb0317154ce54b4aed15a5f58cb1fc1b7ea533b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Jan 2013 00:43:31 +0100 Subject: [PATCH 0011/1037] dirac: fix inverted check Regression since: ea6da80 Fixes Ticket2123 I cannot reproduce any regressions by flipping the wrong condition to how it should have been. Thanks-to: ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit 57bdd67646cfffa2921a8b28bb5f88cfe5c0989e) --- libavcodec/dirac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac.c b/libavcodec/dirac.c index 2dd754f752..e132acc44a 100644 --- a/libavcodec/dirac.c +++ b/libavcodec/dirac.c 
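Review bot: split_write_packet() in libavformat/mux.c treats any non-zero result of av_packet_split_side_data() as "a split happened" and discards the result of av_packet_merge_side_data(). If either call can report an allocation failure as a negative value (their definitions are not in this patch, so confirm), the first case merges a packet that was never split and the second returns a packet whose side data is still detached. Testing `if (did_split > 0)` and propagating a failed merge when `ret >= 0` would cover both.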
@@ -237,7 +237,7 @@ static int parse_source_parameters(AVCodecContext *avctx, GetBitContext *gb, avctx->pix_fmt = dirac_pix_fmt[!luma_offset][source->chroma_format]; avcodec_get_chroma_sub_sample(avctx->pix_fmt, &chroma_x_shift, &chroma_y_shift); - if (!(source->width % (1<height % (1<width % (1<height % (1< Date: Thu, 10 Jan 2013 11:02:57 -0800 Subject: [PATCH 0012/1037] vp3: Fix double free in vp3_decode_end() Signed-off-by: Dale Curtis Signed-off-by: Luca Barbato (cherry picked from commit ec86ba57312745fd7ad9771e3121e79c6aacba30) Signed-off-by: Luca Barbato --- libavcodec/vp3.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 6e85b90964..bdd4289a49 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -281,15 +281,15 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) Vp3DecodeContext *s = avctx->priv_data; int i; - av_free(s->superblock_coding); - av_free(s->all_fragments); - av_free(s->coded_fragment_list[0]); - av_free(s->dct_tokens_base); - av_free(s->superblock_fragments); - av_free(s->macroblock_coding); - av_free(s->motion_val[0]); - av_free(s->motion_val[1]); - av_free(s->edge_emu_buffer); + av_freep(&s->superblock_coding); + av_freep(&s->all_fragments); + av_freep(&s->coded_fragment_list[0]); + av_freep(&s->dct_tokens_base); + av_freep(&s->superblock_fragments); + av_freep(&s->macroblock_coding); + av_freep(&s->motion_val[0]); + av_freep(&s->motion_val[1]); + av_freep(&s->edge_emu_buffer); if (avctx->internal->is_copy) return 0; From ca2e3f113188e5835533d54000c314721b8445db Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 10 Jan 2013 11:05:29 -0800 Subject: [PATCH 0013/1037] matroska: Fix use after free Signed-off-by: Dale Curtis Signed-off-by: Luca Barbato (cherry picked from commit ae3d41636942cbc0236bad21ad06c65f4eb0f096) Signed-off-by: Luca Barbato --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index bf67253737..86ff477d85 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1744,6 +1744,7 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, */ static void matroska_clear_queue(MatroskaDemuxContext *matroska) { + matroska->prev_pkt = NULL; if (matroska->packets) { int n; for (n = 0; n < matroska->num_packets; n++) { @@ -2231,7 +2232,6 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, avio_seek(s->pb, st->index_entries[st->nb_index_entries-1].pos, SEEK_SET); matroska->current_id = 0; while ((index = av_index_search_timestamp(st, timestamp, flags)) < 0) { - matroska->prev_pkt = NULL; matroska_clear_queue(matroska); if (matroska_parse_cluster(matroska) < 0) break; From 58baa367d696f206709a5eb195bbc514467ac82a Mon Sep 17 00:00:00 2001 From: Vladimir Pantelic Date: Wed, 9 Jan 2013 17:04:09 +0100 Subject: [PATCH 0014/1037] vc1dec: prevent a crash due missing pred_flag parameter Handle pred_flag parameter not given to get_mvdata_interlaced() Signed-off-by: Vladimir Pantelic Signed-off-by: Luca Barbato (cherry picked from commit 7b8c5b263bc680eff5710bee5994de39d47fc15e) Signed-off-by: Luca Barbato --- libavcodec/vc1dec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index d5d6884a73..c29f91ce11 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1133,8 +1133,12 @@ static av_always_inline void get_mvdata_interlaced(VC1Context *v, int *dmv_x, *dmv_x = get_bits(gb, v->k_x); *dmv_y = get_bits(gb, v->k_y); if (v->numref) { - *pred_flag = *dmv_y & 1; - *dmv_y = (*dmv_y + *pred_flag) >> 1; + if (pred_flag) { + *pred_flag = *dmv_y & 1; + *dmv_y = (*dmv_y + *pred_flag) >> 1; + } else { + *dmv_y = (*dmv_y + (*dmv_y & 1)) >> 1; + } } } else { 
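Review bot: matroska_clear_queue() in libavformat/matroskadec.c now resets `matroska->prev_pkt` without a comment saying why, and that reset is what prevents the use after free named in the commit title. A line such as `/* prev_pkt may point at a packet in the queue freed below; drop it first */` above the assignment would discourage moving it back out to a single caller, as it was in matroska_read_seek(). Both functions extend beyond their hunks.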
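Review bot: The NULL guard for `pred_flag` in get_mvdata_interlaced() (libavcodec/vc1dec.c) repeats the rounding expression in both branches, which makes it easy for the two to drift apart. Computing the bit once reads better: `int flag = *dmv_y & 1;`, then `if (pred_flag) *pred_flag = flag;` and `*dmv_y = (*dmv_y + flag) >> 1;`. The function's comment block is outside the hunk; it should say that `pred_flag` may be NULL, since the second hunk (`if (v->numref && pred_flag)`) relies on the same contract.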
@@ -1160,7 +1164,7 @@ static av_always_inline void get_mvdata_interlaced(VC1Context *v, int *dmv_x, *dmv_y = (sign ^ ((val >> 1) + offs_tab[index1 >> v->numref])) - sign; } else *dmv_y = 0; - if (v->numref) + if (v->numref && pred_flag) *pred_flag = index1 & 1; } } From fbde7b2d0aebf2b0123f6a19f871a904322a5b45 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 11 Jan 2013 05:07:42 +0100 Subject: [PATCH 0015/1037] zmbv: Reset the decoder on keyframe errors Prevent the crash on fuzzed files as reported in bug 63. (cherry picked from commit c1d1ef4ecd9c4f1ca01c8149c7e57c14968ca588) Signed-off-by: Luca Barbato --- libavcodec/zmbv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 0733fa70d4..c92e553f6d 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -428,6 +428,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac c->fmt = buf[3]; c->bw = buf[4]; c->bh = buf[5]; + c->decode_intra = NULL; + c->decode_xor = NULL; buf += 6; len -= 6; From bc182a6acaf8549fa335a90531c3533437d44c74 Mon Sep 17 00:00:00 2001 From: Marcin Juszkiewicz Date: Thu, 10 Jan 2013 12:22:53 +0000 Subject: [PATCH 0016/1037] configure: enable pic for shared libs on AArch64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marcin Juszkiewicz Signed-off-by: Martin Storsjö (cherry picked from commit d11cb13b0ef02fb1c303b29805819f6e1c9dc61b) Signed-off-by: Luca Barbato --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index e87a3261de..8cc9cdc139 100755 --- a/configure +++ b/configure @@ -2788,7 +2788,7 @@ check_64bit(){ } case "$arch" in - alpha|ia64) + aarch64|alpha|ia64) spic=$shared ;; mips) From 3dab6e542941bbbc776995914eba164de303dbcd Mon Sep 17 00:00:00 2001 
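Review bot: In decode_frame() (libavcodec/zmbv.c) the keyframe path now clears `c->decode_intra` and `c->decode_xor`, which only helps if every later call through those pointers is preceded by a NULL check. Those call sites are outside the hunk, so please confirm both are guarded. The neighbouring `c->bw = buf[4]; c->bh = buf[5];` take the block size straight from the file, and no range check is visible here either. If none exists further down, a zero block size should be rejected with AVERROR_INVALIDDATA before it is used.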
From: =?UTF-8?q?Andr=C3=A9=20Pankratz?= Date: Thu, 10 Jan 2013 10:37:49 +0100 Subject: [PATCH 0017/1037] lavfi/yadif: fix shorthand/option mismatch Fix trac ticket #2128. Signed-off-by: Stefano Sabatini (cherry picked from commit 0287eea914307a3fa03fa0d117af2955de0a4a2f) --- libavfilter/vf_yadif.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c index dca4a8cd35..74eafcbd12 100644 --- a/libavfilter/vf_yadif.c +++ b/libavfilter/vf_yadif.c @@ -369,7 +369,7 @@ static int query_formats(AVFilterContext *ctx) static av_cold int init(AVFilterContext *ctx, const char *args) { YADIFContext *yadif = ctx->priv; - static const char *shorthand[] = { "mode", "parity", "enable", NULL }; + static const char *shorthand[] = { "mode", "parity", "deint", NULL }; int ret; yadif->csp = NULL; From fadebd256e91b9dbfcc77af960696767c77d82d2 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sat, 12 Jan 2013 12:53:45 +0100 Subject: [PATCH 0018/1037] APIchanges: Fill in missing hashes and dates; fix a version number typo. --- doc/APIchanges | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index a5a0bea1fc..6e18ef652c 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
@@ -13,31 +13,31 @@ libavutil: 2012-10-22 API changes, most recent first: -2012-xx-xx - xxxxxxx - lavu 52.2.1 - avstring.h +2012-12-29 - d8fd06c - lavu 52.3.0 - avstring.h Add av_basename() and av_dirname(). -2012-xx-xx - xxxxxxx - lavu 52.2.0 - audioconvert.h +2012-11-11 - 5980f5d - lavu 52.2.0 - audioconvert.h Rename audioconvert.h to channel_layout.h. audioconvert.h is now deprecated. -2012-xx-xx - xxxxxxx - lavu 52.1.0 - intmath.h +2012-11-05 - dfde8a3 - lavu 52.1.0 - intmath.h Add av_ctz() for trailing zero bit count -2012-10-18 - xxxxxxx - lavu 51.45.0 - error.h +2012-10-21 - a893655 - lavu 51.45.0 - error.h Add AVERROR_EXPERIMENTAL -2012-10-12 - xxxxxxx - lavu 51.44.0 - pixdesc.h +2012-10-12 - d2fcb35 - lavu 51.44.0 - pixdesc.h Add functions for accessing pixel format descriptors. Accessing the av_pix_fmt_descriptors array directly is now deprecated. -2012-10-xx - xxxxxxx - lavu 51.43.0 - aes.h, md5.h, sha.h, tree.h +2012-10-11 - 9a92aea - lavu 51.43.0 - aes.h, md5.h, sha.h, tree.h Add functions for allocating the opaque contexts for the algorithms, deprecate the context size variables. -2012-10-xx - xxxxxxx - lavf 54.18.0 - avio.h +2012-10-10 - b522000 - lavf 54.18.0 - avio.h Add avio_closep to complement avio_close. -2012-10-xx - xxxxxxx - lavu 51.42.0 - pixfmt.h +2012-10-08 - 78071a1 - lavu 51.42.0 - pixfmt.h Rename PixelFormat to AVPixelFormat and all PIX_FMT_* to AV_PIX_FMT_*. To provide backwards compatibility, PixelFormat is now #defined as AVPixelFormat. From 7a2ee770f520ae4fd5f009cfc361a18e993dec91 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 13 Jan 2013 19:52:45 +0100 Subject: [PATCH 0019/1037] lavc: check for overflow in init_get_bits Fix an undefined behaviour and make the function return a proper error in case of overflow. CC: libav-stable@libav.org (cherry picked from commit d9cf5f516974c64e01846ca685301014b38cf224) 
Signed-off-by: Luca Barbato --- libavcodec/get_bits.h | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index c56a2c2d10..16cfd5e0fd 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -362,20 +362,27 @@ static inline int check_marker(GetBitContext *s, const char *msg) } /** - * Inititalize GetBitContext. - * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes larger than the actual read bits - * because some optimized bitstream readers read 32 or 64 bit at once and could read over the end + * Initialize GetBitContext. + * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes + * larger than the actual read bits because some optimized bitstream + * readers read 32 or 64 bit at once and could read over the end * @param bit_size the size of the buffer in bits + * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would overflow. */ -static inline void init_get_bits(GetBitContext *s, const uint8_t *buffer, - int bit_size) +static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, + int bit_size) { - int buffer_size = (bit_size+7)>>3; - if (buffer_size < 0 || bit_size < 0) { + int buffer_size; + int ret = 0; + + if (bit_size > INT_MAX - 7 || bit_size <= 0) { buffer_size = bit_size = 0; buffer = NULL; + ret = AVERROR_INVALIDDATA; } + buffer_size = (bit_size + 7) >> 3; + s->buffer = buffer; s->size_in_bits = bit_size; #if !UNCHECKED_BITSTREAM_READER @@ -383,6 +390,7 @@ static inline void init_get_bits(GetBitContext *s, const uint8_t *buffer, #endif s->buffer_end = buffer + buffer_size; s->index = 0; + return ret; } static inline void align_get_bits(GetBitContext *s) From 71e00caeab89d9beeef9c947673f72e992bd109c Mon Sep 17 00:00:00 2001 
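Review bot: The new guard in init_get_bits() (libavcodec/get_bits.h), `bit_size > INT_MAX - 7 || bit_size <= 0`, also rejects `bit_size == 0`, which the old test (`bit_size < 0`) accepted as an empty reader. Callers that legitimately pass an empty buffer would get AVERROR_INVALIDDATA once they start checking the result. `if (bit_size > INT_MAX - 7 || bit_size < 0) {` keeps the overflow fix without that behaviour change. The function used to return void, so existing callers ignore the new return value and the error only takes effect where call sites are updated to test it.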
From: Luca Barbato Date: Sun, 13 Jan 2013 23:37:11 +0100 Subject: [PATCH 0020/1037] lavc: introduce the convenience function init_get_bits8 Accept the buffer size in bytes and check for overflow before passing the value in bits to init_get_bits. (cherry picked from commit e28ac6e5e27e64a206e399e958481c1e6f992189) Signed-off-by: Luca Barbato --- libavcodec/get_bits.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 16cfd5e0fd..12770a29a0 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -393,6 +393,22 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, return ret; } +/** + * Initialize GetBitContext. + * @param buffer bitstream buffer, must be FF_INPUT_BUFFER_PADDING_SIZE bytes + * larger than the actual read bits because some optimized bitstream + * readers read 32 or 64 bit at once and could read over the end + * @param byte_size the size of the buffer in bytes + * @return 0 on success, AVERROR_INVALIDDATA if the buffer_size would overflow. + */ +static inline int init_get_bits8(GetBitContext *s, const uint8_t *buffer, + int byte_size) +{ + if (byte_size > INT_MAX / 8) + return AVERROR_INVALIDDATA; + return init_get_bits(s, buffer, byte_size * 8); +} + static inline void align_get_bits(GetBitContext *s) { int n = -get_bits_count(s) & 7; From e44d56b18d46957fceaefe7f8840263c5cd12d37 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 14 Jan 2013 05:32:38 +0100 Subject: [PATCH 0021/1037] lavc: set the default rc_initial_buffer_occupancy rc_buffer_size is not set before. Solve the initial the rate control underflow issue reported in bug 222. CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit bff3607547fdbb6e32b3830a351e6a33280c1e0d) Signed-off-by: Luca Barbato --- avconv_opt.c | 2 -- libavcodec/utils.c | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) 
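Review bot: init_get_bits8() in libavcodec/get_bits.h checks only the upper bound, so a `byte_size` below INT_MIN / 8 still overflows in `byte_size * 8`, which is the undefined behaviour the helper is meant to avoid. Use `if (byte_size > INT_MAX / 8 || byte_size < 0)` before the multiplication. The first line of the doc comment is identical to the one on init_get_bits(); saying that the size is given in bytes would distinguish the two.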
diff --git a/avconv_opt.c b/avconv_opt.c index ce32df6b6b..e67abefd77 100644 --- a/avconv_opt.c +++ b/avconv_opt.c @@ -950,8 +950,6 @@ static OutputStream *new_video_stream(OptionsContext *o, AVFormatContext *oc) if (p) p++; } video_enc->rc_override_count = i; - if (!video_enc->rc_initial_buffer_occupancy) - video_enc->rc_initial_buffer_occupancy = video_enc->rc_buffer_size * 3 / 4; video_enc->intra_dc_precision = intra_dc_precision - 8; /* two pass mode */ diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 23f2ac481a..19c8a99ff5 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -824,6 +824,9 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code } else if (avctx->channel_layout) { avctx->channels = av_get_channel_layout_nb_channels(avctx->channel_layout); } + + if (!avctx->rc_initial_buffer_occupancy) + avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; } if (avctx->codec->init && !(avctx->active_thread_type & FF_THREAD_FRAME)) { From 72eca26bf95dd58ce05b9dbf9b1b3694f496daf6 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 14 Jan 2013 05:32:39 +0100 Subject: [PATCH 0022/1037] libx264: use the library specific default rc_initial_buffer_occupancy By default libav sets it to 3/4 while x264 sets it to 9/10. CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 47812070a267cbdf74164e154d03d99bf8ced100) Signed-off-by: Luca Barbato --- libavcodec/libx264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index f536f7f965..e9cbbad22a 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c 
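Review bot: In avcodec_open2() (libavcodec/utils.c) the default `avctx->rc_buffer_size * 3 / 4` multiplies a caller-supplied int before dividing, so values above INT_MAX / 3 overflow (undefined for signed int) and can produce a negative initial occupancy. `avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size / 4 * 3;` avoids the overflow at the cost of rounding down by at most two; a 64-bit intermediate is the alternative. The expression was moved from avconv_opt.c unchanged, and the enclosing branch starts outside the hunk.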
@@ -272,7 +272,7 @@ static av_cold int X264_init(AVCodecContext *avctx) x4->params.rc.f_rf_constant_max = x4->crf_max; } - if (avctx->rc_buffer_size && avctx->rc_initial_buffer_occupancy && + if (avctx->rc_buffer_size && avctx->rc_initial_buffer_occupancy > 0 && (avctx->rc_initial_buffer_occupancy <= avctx->rc_buffer_size)) { x4->params.rc.f_vbv_buffer_init = (float)avctx->rc_initial_buffer_occupancy / avctx->rc_buffer_size; @@ -560,6 +560,7 @@ static const AVCodecDefault x264_defaults[] = { { "threads", AV_STRINGIFY(X264_THREADS_AUTO) }, { "thread_type", "0" }, { "flags", "+cgop" }, + { "rc_init_occupancy","-1" }, { NULL }, }; From 66a3112100083f85ebd3ffbbb992e5fe53b2dfb8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Jan 2013 21:23:11 +0100 Subject: [PATCH 0023/1037] oggdec: resync from the last page. Previously we re synced from where we where which cam lead to loosing pages. Signed-off-by: Michael Niedermayer (cherry picked from commit c5cf58d4b9b04cee1487a3095b83300791c21f15) --- libavformat/oggdec.c | 10 ++++++++++ libavformat/oggdec.h | 1 + 2 files changed, 11 insertions(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index c3291cfbd4..6195747358 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -102,6 +102,7 @@ static int ogg_restore(AVFormatContext *s, int discard) av_free(ogg->streams[i].buf); avio_seek(bc, ost->pos, SEEK_SET); + ogg->page_pos = -1; ogg->curidx = ost->curidx; ogg->nstreams = ost->nstreams; ogg->streams = av_realloc(ogg->streams, @@ -146,6 +147,7 @@ static int ogg_reset(AVFormatContext *s) } } + ogg->page_pos = -1; ogg->curidx = -1; return 0; @@ -297,6 +299,12 @@ static int ogg_read_page(AVFormatContext *s, int *sid) sync[(sp + 2) & 3] == 'g' && sync[(sp + 3) & 3] == 'S') break; + if(!i && bc->seekable && ogg->page_pos > 0) { + memset(sync, 0, 4); + avio_seek(bc, ogg->page_pos+4, SEEK_SET); + ogg->page_pos = -1; + } + c = avio_r8(bc); if (url_feof(bc)) 
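Review bot: The resync branch added to ogg_read_page() (libavformat/oggdec.c) has no comment, and neither the `!i` test nor the `+4` offset is self-explanatory. Something like `/* first sync attempt failed: rescan from just past the last page's capture pattern */` would record the intent (that is my reading of the hunk; confirm). The result of `avio_seek()` is also dropped, so a failed seek silently continues the scan from the current position with `sync` zeroed and `page_pos` cleared.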
@@ -335,6 +343,7 @@ static int ogg_read_page(AVFormatContext *s, int *sid) } os = ogg->streams + idx; + ogg->page_pos = os->page_pos = avio_tell(bc) - 27; if (os->psize > 0) @@ -559,6 +568,7 @@ static int ogg_get_length(AVFormatContext *s) ogg_save(s); avio_seek(s->pb, end, SEEK_SET); + ogg->page_pos = -1; while (!ogg_read_page(s, &i)) { if (ogg->streams[i].granule != -1 && ogg->streams[i].granule != 0 && diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index febf8cb642..4b0ba4fcde 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -99,6 +99,7 @@ struct ogg { int nstreams; int headers; int curidx; + int64_t page_pos; ///< file offset of the current page struct ogg_state *state; }; From dc3349024a06fd3a036ffb2b5243ce20e866bcbf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Jan 2013 20:44:39 +0100 Subject: [PATCH 0024/1037] vorbisdec: support freeing partially allocated contexts. Fixes null pointer derefernces Signed-off-by: Michael Niedermayer (cherry picked from commit 778069c8325514518712d194749577b3451b4125) --- libavcodec/vorbisdec.c | 44 +++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 45096322f7..3f160544f0 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
@@ -195,37 +195,41 @@ static void vorbis_free(vorbis_context *vc) av_freep(&vc->channel_residues); av_freep(&vc->saved); - for (i = 0; i < vc->residue_count; i++) - av_free(vc->residues[i].classifs); + if (vc->residues) + for (i = 0; i < vc->residue_count; i++) + av_free(vc->residues[i].classifs); av_freep(&vc->residues); av_freep(&vc->modes); ff_mdct_end(&vc->mdct[0]); ff_mdct_end(&vc->mdct[1]); - for (i = 0; i < vc->codebook_count; ++i) { - av_free(vc->codebooks[i].codevectors); - ff_free_vlc(&vc->codebooks[i].vlc); - } + if (vc->codebooks) + for (i = 0; i < vc->codebook_count; ++i) { + av_free(vc->codebooks[i].codevectors); + ff_free_vlc(&vc->codebooks[i].vlc); + } av_freep(&vc->codebooks); - for (i = 0; i < vc->floor_count; ++i) { - if (vc->floors[i].floor_type == 0) { - av_free(vc->floors[i].data.t0.map[0]); - av_free(vc->floors[i].data.t0.map[1]); - av_free(vc->floors[i].data.t0.book_list); - av_free(vc->floors[i].data.t0.lsp); - } else { - av_free(vc->floors[i].data.t1.list); + if (vc->floors) + for (i = 0; i < vc->floor_count; ++i) { + if (vc->floors[i].floor_type == 0) { + av_free(vc->floors[i].data.t0.map[0]); + av_free(vc->floors[i].data.t0.map[1]); + av_free(vc->floors[i].data.t0.book_list); + av_free(vc->floors[i].data.t0.lsp); + } else { + av_free(vc->floors[i].data.t1.list); + } } - } av_freep(&vc->floors); - for (i = 0; i < vc->mapping_count; ++i) { - av_free(vc->mappings[i].magnitude); - av_free(vc->mappings[i].angle); - av_free(vc->mappings[i].mux); - } + if (vc->mappings) + for (i = 0; i < vc->mapping_count; ++i) { + av_free(vc->mappings[i].magnitude); + av_free(vc->mappings[i].angle); + av_free(vc->mappings[i].mux); + } av_freep(&vc->mappings); } From 9636266cbdab29ef41c38d3368e014752ca49fd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Jan 2013 21:31:17 +0100 Subject: [PATCH 0025/1037] vorbisdec: handle midstream parameter changes 
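Review bot: Each new guard in vorbis_free (`if (vc->residues)`, `if (vc->codebooks)`, `if (vc->floors)`, `if (vc->mappings)`) wraps a multi-line `for` without braces, which makes the nesting easy to misread the next time this cleanup path is edited; I would brace them, e.g. `if (vc->floors) {` … `}`. A comment above the first guard such as `/* arrays may still be NULL if header parsing failed part-way */` would record why the checks exist. The element loops still trust the per-array counts to match what was allocated, which looks safe only if the arrays are zero-initialised on allocation; that is not visible here. The start of vorbis_free is outside the hunk.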
Signed-off-by: Michael Niedermayer (cherry picked from commit e9ffee23f372390684d6d94bf8abf51350fc66a3) --- libavcodec/vorbisdec.c | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 3f160544f0..63a855b241 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1655,6 +1655,45 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, void *data, av_dlog(NULL, "packet length %d \n", buf_size); + if (*buf == 1 && buf_size > 7) { + init_get_bits(gb, buf+1, buf_size*8 - 8); + vorbis_free(vc); + if ((ret = vorbis_parse_id_hdr(vc))) { + av_log(avccontext, AV_LOG_ERROR, "Id header corrupt.\n"); + vorbis_free(vc); + return ret; + } + + if (vc->audio_channels > 8) + avccontext->channel_layout = 0; + else + avccontext->channel_layout = ff_vorbis_channel_layouts[vc->audio_channels - 1]; + + avccontext->channels = vc->audio_channels; + avccontext->sample_rate = vc->audio_samplerate; + return buf_size; + } + + if (*buf == 3 && buf_size > 7) { + av_log(avccontext, AV_LOG_DEBUG, "Ignoring comment header\n"); + return buf_size; + } + + if (*buf == 5 && buf_size > 7 && vc->channel_residues && !vc->modes) { + init_get_bits(gb, buf+1, buf_size*8 - 8); + if ((ret = vorbis_parse_setup_hdr(vc))) { + av_log(avccontext, AV_LOG_ERROR, "Setup header corrupt.\n"); + vorbis_free(vc); + return ret; + } + return buf_size; + } + + if (!vc->channel_residues || !vc->modes) { + av_log(avccontext, AV_LOG_ERROR, "Data packet before valid headers\n"); + return AVERROR_INVALIDDATA; + } + /* get output buffer */ vc->frame.nb_samples = vc->blocksize[1] / 2; if ((ret = ff_get_buffer(avccontext, &vc->frame)) < 0) { From 1c373456f6388f8817d20c49471d00dc9e7e755d Mon Sep 17 00:00:00 2001 
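Review bot: The three new header tests in vorbis_decode_frame read `*buf` before they look at `buf_size` (`*buf == 1 && buf_size > 7`, and the same for 3 and 5), so the first byte of a packet is inspected before its length is checked. Swapping the operands, `if (buf_size > 7 && *buf == 1) {`, keeps the length check ahead of the dereference; whether an earlier zero-size check exists cannot be seen, because the function starts outside the hunk. The lookup `ff_vorbis_channel_layouts[vc->audio_channels - 1]` also depends on vorbis_parse_id_hdr rejecting a channel count of 0, which is worth confirming now that this path runs on mid-stream packet data.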
From: Michael Niedermayer Date: Sun, 13 Jan 2013 21:32:34 +0100 Subject: [PATCH 0026/1037] oggdec: Leave treatment of serial changes to the decoder. Attempting to re-parse the headers at demuxer level is a pandora box the way its done currently. This allows full reconfiguration of vorbis streams Fixes Ticket2117 Fixes Ticket2121 Signed-off-by: Michael Niedermayer (cherry picked from commit c994bb2fb7727f5c20ef71cc6727fb219fd49d60) --- libavformat/oggdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 6195747358..c0a9508af3 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -185,6 +185,9 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial) os = &ogg->streams[0]; + os->serial = serial; + return 0; + buf = os->buf; bufsize = os->bufsize; codec = os->codec; From c3b67720f913d0d6be8369777b4cae86a6417bd1 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 13 Jan 2013 21:46:44 -0800 Subject: [PATCH 0027/1037] h264: don't clobber mmco opcode tables for non-first slice headers. Clobbering these tables will temporarily clobber the template used as a basis for other threads to start decoding from. If the other decoding thread updates from the template right at that moment, subsequent threads will get invalid (or, usually, none at all) mmco tables. This leads to invalid reference lists and subsequent decode failures. Therefore, instead, decode the mmco tables only for the first slice in a field or frame. For other slices, decode the bits and ensure they are identical to the mmco tables in the first slice, but don't ever clobber the context state. This prevents other threads from using a clobbered/invalid template as starting point for decoding, and thus fixes decoding in these cases. This fixes occasional (~1%) failures of h264-conformance-mr1_bt_a with frame-multithreading enabled. (cherry picked from commit bad446e251405dc250c3cbee199072e083a1e4b9) 
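Review bot: The added `os->serial = serial; return 0;` in ogg_replace_stream makes every statement after it unreachable, starting with `buf = os->buf;` in the context lines. Keeping the old re-parse logic behind an unconditional return hides the fact that it is disabled and invites someone to "repair" it later. I would delete the dead tail in the same commit, or at least state the intent above the return with `/* serial changes are handled by the decoder, headers are not re-parsed here */`. The function continues past the end of the hunk.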
Signed-off-by: Luca Barbato --- libavcodec/h264.c | 12 +++- libavcodec/h264.h | 5 +- libavcodec/h264_refs.c | 143 +++++++++++++++++++++++++++++------------ 3 files changed, 114 insertions(+), 46 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 366059722f..e8b3e723e1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2904,7 +2904,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) s->current_picture_ptr->frame_num = h->prev_frame_num; ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0); ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 1); - ff_generate_sliding_window_mmcos(h); + ff_generate_sliding_window_mmcos(h, 1); if (ff_h264_execute_ref_pic_marking(h, h->mmco, h->mmco_index) < 0 && (s->avctx->err_recognition & AV_EF_EXPLODE)) return AVERROR_INVALIDDATA; @@ -3082,7 +3082,15 @@ static int decode_slice_header(H264Context *h, H264Context *h0) } } - if (h->nal_ref_idc && ff_h264_decode_ref_pic_marking(h0, &s->gb) < 0 && + // If frame-mt is enabled, only update mmco tables for the first slice + // in a field. Subsequent slices can temporarily clobber h->mmco_index + // or h->mmco, which will cause ref list mix-ups and decoding errors + // further down the line. This may break decoding if the first slice is + // corrupt, thus we only do this if frame-mt is enabled. + if (h->nal_ref_idc && + ff_h264_decode_ref_pic_marking(h0, &s->gb, + !(s->avctx->active_thread_type & FF_THREAD_FRAME) || + h0->current_slice == 0) < 0 && (s->avctx->err_recognition & AV_EF_EXPLODE)) return AVERROR_INVALIDDATA; diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 8596121aab..ad4732e1df 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h 
@@ -645,9 +645,10 @@ void ff_h264_remove_all_refs(H264Context *h); */ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count); -int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb); +int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb, + int first_slice); -void ff_generate_sliding_window_mmcos(H264Context *h); +void ff_generate_sliding_window_mmcos(H264Context *h, int first_slice); /** * Check if the top & left blocks are available if needed & change the diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 2a71ac1f06..62c2a5758e 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c 
@@ -476,23 +476,51 @@ static void print_long_term(H264Context *h) { } } -void ff_generate_sliding_window_mmcos(H264Context *h) { +static int check_opcodes(MMCO *mmco1, MMCO *mmco2, int n_mmcos) +{ + int i; + + for (i = 0; i < n_mmcos; i++) { + if (mmco1[i].opcode != mmco2[i].opcode) + return -1; + } + + return 0; +} + +void ff_generate_sliding_window_mmcos(H264Context *h, int first_slice) +{ MpegEncContext * const s = &h->s; + MMCO mmco_temp[MAX_MMCO_COUNT], *mmco = first_slice ? h->mmco : mmco_temp; + int mmco_index = 0, i; + assert(h->long_ref_count + h->short_ref_count <= h->sps.ref_frame_count); - h->mmco_index= 0; - if(h->short_ref_count && h->long_ref_count + h->short_ref_count == h->sps.ref_frame_count && - !(FIELD_PICTURE && !s->first_field && s->current_picture_ptr->f.reference)) { - h->mmco[0].opcode= MMCO_SHORT2UNUSED; - h->mmco[0].short_pic_num= h->short_ref[ h->short_ref_count - 1 ]->frame_num; - h->mmco_index= 1; + if (h->short_ref_count && + h->long_ref_count + h->short_ref_count == h->sps.ref_frame_count && + !(FIELD_PICTURE && !s->first_field && + s->current_picture_ptr->f.reference)) { + mmco[0].opcode = MMCO_SHORT2UNUSED; + mmco[0].short_pic_num = h->short_ref[h->short_ref_count - 1]->frame_num; + mmco_index = 1; if (FIELD_PICTURE) { - h->mmco[0].short_pic_num *= 2; - h->mmco[1].opcode= MMCO_SHORT2UNUSED; - h->mmco[1].short_pic_num= h->mmco[0].short_pic_num + 1; - h->mmco_index= 2; + mmco[0].short_pic_num *= 2; + mmco[1].opcode = MMCO_SHORT2UNUSED; + mmco[1].short_pic_num = mmco[0].short_pic_num + 1; + mmco_index = 2; } } + + if (first_slice) { + h->mmco_index = mmco_index; + } else if (!first_slice && mmco_index >= 0 && + (mmco_index != h->mmco_index || + (i = check_opcodes(h->mmco, mmco_temp, mmco_index)))) { + av_log(h->s.avctx, AV_LOG_ERROR, + "Inconsistent MMCO state between slices [%d, %d, %d]\n", + mmco_index, h->mmco_index, i); + return AVERROR_INVALIDDATA; + } } int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int 
mmco_count){ 
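Review bot: In ff_generate_sliding_window_mmcos the error message prints `i`, but `i` is assigned only inside `(i = check_opcodes(...))`, which is skipped whenever `mmco_index != h->mmco_index` short-circuits the `||`. In that case an uninitialised int is passed to av_log. Declaring it as `int mmco_index = 0, i = 0;` avoids this. The same construct closes ff_h264_decode_ref_pic_marking in the next hunk, where `i` is also never set on the IDR path. The `!first_slice` test in the `else if` is redundant after `if (first_slice)`.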
@@ -654,52 +682,83 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){ return (h->s.avctx->err_recognition & AV_EF_EXPLODE) ? err : 0; } -int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb){ +int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb, + int first_slice) +{ MpegEncContext * const s = &h->s; int i; + MMCO mmco_temp[MAX_MMCO_COUNT], *mmco = first_slice ? h->mmco : mmco_temp; + int mmco_index = 0; - h->mmco_index= 0; - if(h->nal_unit_type == NAL_IDR_SLICE){ //FIXME fields - s->broken_link= get_bits1(gb) -1; - if(get_bits1(gb)){ - h->mmco[0].opcode= MMCO_LONG; - h->mmco[0].long_arg= 0; - h->mmco_index= 1; + if (h->nal_unit_type == NAL_IDR_SLICE){ // FIXME fields + s->broken_link = get_bits1(gb) - 1; + if (get_bits1(gb)){ + mmco[0].opcode = MMCO_LONG; + mmco[0].long_arg = 0; + mmco_index = 1; } - }else{ - if(get_bits1(gb)){ // adaptive_ref_pic_marking_mode_flag - for(i= 0; immco[i].opcode= opcode; - if(opcode==MMCO_SHORT2UNUSED || opcode==MMCO_SHORT2LONG){ - h->mmco[i].short_pic_num= (h->curr_pic_num - get_ue_golomb(gb) - 1) & (h->max_pic_num - 1); -/* if(h->mmco[i].short_pic_num >= h->short_ref_count || h->short_ref[ h->mmco[i].short_pic_num ] == NULL){ - av_log(s->avctx, AV_LOG_ERROR, "illegal short ref in memory management control operation %d\n", mmco); - return -1; - }*/ - } - if(opcode==MMCO_SHORT2LONG || opcode==MMCO_LONG2UNUSED || opcode==MMCO_LONG || opcode==MMCO_SET_MAX_LONG){ - unsigned int long_arg= get_ue_golomb_31(gb); - if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_SET_MAX_LONG && long_arg == 16) && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){ - av_log(h->s.avctx, AV_LOG_ERROR, "illegal long ref in memory management control operation %d\n", opcode); + mmco[i].opcode = opcode; + if (opcode == MMCO_SHORT2UNUSED || opcode == MMCO_SHORT2LONG){ + mmco[i].short_pic_num = + (h->curr_pic_num - get_ue_golomb(gb) - 1) & + (h->max_pic_num - 1); +#if 0 + if 
(mmco[i].short_pic_num >= h->short_ref_count || + h->short_ref[ mmco[i].short_pic_num ] == NULL){ + av_log(s->avctx, AV_LOG_ERROR, + "illegal short ref in memory management control " + "operation %d\n", mmco); return -1; } - h->mmco[i].long_arg= long_arg; +#endif + } + if (opcode == MMCO_SHORT2LONG || opcode == MMCO_LONG2UNUSED || + opcode == MMCO_LONG || opcode == MMCO_SET_MAX_LONG) { + unsigned int long_arg = get_ue_golomb_31(gb); + if (long_arg >= 32 || + (long_arg >= 16 && !(opcode == MMCO_SET_MAX_LONG && + long_arg == 16) && + !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){ + av_log(h->s.avctx, AV_LOG_ERROR, + "illegal long ref in memory management control " + "operation %d\n", opcode); + return -1; + } + mmco[i].long_arg = long_arg; } - if(opcode > (unsigned)MMCO_LONG){ - av_log(h->s.avctx, AV_LOG_ERROR, "illegal memory management control operation %d\n", opcode); + if (opcode > (unsigned) MMCO_LONG){ + av_log(h->s.avctx, AV_LOG_ERROR, + "illegal memory management control operation %d\n", + opcode); return -1; } - if(opcode == MMCO_END) + if (opcode == MMCO_END) break; } - h->mmco_index= i; - }else{ - ff_generate_sliding_window_mmcos(h); + mmco_index = i; + } else { + if (first_slice) + ff_generate_sliding_window_mmcos(h, first_slice); + mmco_index = -1; } } + if (first_slice && mmco_index != -1) { + h->mmco_index = mmco_index; + } else if (!first_slice && mmco_index >= 0 && + (mmco_index != h->mmco_index || + (i = check_opcodes(h->mmco, mmco_temp, mmco_index)))) { + av_log(h->s.avctx, AV_LOG_ERROR, + "Inconsistent MMCO state between slices [%d, %d, %d]\n", + mmco_index, h->mmco_index, i); + return AVERROR_INVALIDDATA; + } + return 0; } From 6a4803a6a9ab892c33c38086bf86b5bf27bb9a25 Mon Sep 17 00:00:00 2001 
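Review bot: For non-first slices the consistency test at the end of ff_h264_decode_ref_pic_marking goes through check_opcodes, which compares only the `opcode` field of each entry. The `short_pic_num` and `long_arg` values parsed into `mmco_temp` are never compared with `h->mmco`, so a slice that repeats the opcodes with different arguments is accepted as consistent, while the commit message says the tables are checked to be identical. If argument mismatches should be rejected as well, check_opcodes needs to compare the fields that matter for each opcode, for example `mmco1[i].short_pic_num != mmco2[i].short_pic_num` for MMCO_SHORT2UNUSED. check_opcodes itself is defined in the previous hunk.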
From: Anton Khirnov Date: Mon, 14 Jan 2013 20:07:53 +0100 Subject: [PATCH 0028/1037] h264: fix ff_generate_sliding_window_mmcos() prototype. It's been returning an error value since bad446e251405dc250c3cbee199072e083a1e4b9 Also check for the errors it returns. (cherry picked from commit ea382767ad2191acbe97e90624059723e15f0e4b) Signed-off-by: Luca Barbato --- libavcodec/h264.c | 4 +++- libavcodec/h264.h | 2 +- libavcodec/h264_refs.c | 12 ++++++++---- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index e8b3e723e1..ebf8d0b2ea 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2904,7 +2904,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0) s->current_picture_ptr->frame_num = h->prev_frame_num; ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0); ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 1); - ff_generate_sliding_window_mmcos(h, 1); + if ((ret = ff_generate_sliding_window_mmcos(h, 1)) < 0 && + s->avctx->err_recognition & AV_EF_EXPLODE) + return ret; if (ff_h264_execute_ref_pic_marking(h, h->mmco, h->mmco_index) < 0 && (s->avctx->err_recognition & AV_EF_EXPLODE)) return AVERROR_INVALIDDATA; diff --git a/libavcodec/h264.h b/libavcodec/h264.h index ad4732e1df..898ebf7b0a 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -648,7 +648,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count); int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb, int first_slice); -void ff_generate_sliding_window_mmcos(H264Context *h, int first_slice); +int ff_generate_sliding_window_mmcos(H264Context *h, int first_slice); /** * Check if the top & left blocks are available if needed & change the diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 62c2a5758e..0e4bd76931 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c 
@@ -488,7 +488,7 @@ static int check_opcodes(MMCO *mmco1, MMCO *mmco2, int n_mmcos) return 0; } -void ff_generate_sliding_window_mmcos(H264Context *h, int first_slice) +int ff_generate_sliding_window_mmcos(H264Context *h, int first_slice) { MpegEncContext * const s = &h->s; MMCO mmco_temp[MAX_MMCO_COUNT], *mmco = first_slice ? h->mmco : mmco_temp; @@ -521,6 +521,7 @@ void ff_generate_sliding_window_mmcos(H264Context *h, int first_slice) mmco_index, h->mmco_index, i); return AVERROR_INVALIDDATA; } + return 0; } int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){ @@ -686,7 +687,7 @@ int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb, int first_slice) { MpegEncContext * const s = &h->s; - int i; + int i, ret; MMCO mmco_temp[MAX_MMCO_COUNT], *mmco = first_slice ? h->mmco : mmco_temp; int mmco_index = 0; @@ -743,8 +744,11 @@ int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb, } mmco_index = i; } else { - if (first_slice) - ff_generate_sliding_window_mmcos(h, first_slice); + if (first_slice) { + ret = ff_generate_sliding_window_mmcos(h, first_slice); + if (ret < 0 && s->avctx->err_recognition & AV_EF_EXPLODE) + return ret; + } mmco_index = -1; } } From 9d60f608af34a3ac9716c8ef210be23498e3bfba Mon Sep 17 00:00:00 2001 
From: "Ronald S. Bultje" Date: Tue, 15 Jan 2013 08:38:54 -0800 Subject: [PATCH 0029/1037] h264: add 3 pixels below for subpixel filter wait position If the motion vector is at a subpixel position, we need 3 pixels below the motion vector's wholepel position available, not 2, since the MC filter is a sixtap filter for the hpel position, and then a bilin filter for the qpel position. This patch fixes highly irreproducible (0.1%) fate failures in frame 2 and 4 of h264-conformance-cama2_vtc_b (e.g. first P-frame, first field, last line of MB x=40,y=2 and second field and last lines of MBs x=39-40, y=3). These used pre-loopfilter instead of post-loopfilter data because the await_progress() waited for one line too little in that field, and the motion vector of these particular MBs happened to align exactly to a position where that demonstrates the bug. CC: libav-stable@libav.org (cherry picked from commit fb845ffdd335a1efd6dfd43e8adeb530397b348e) Signed-off-by: Luca Barbato --- libavcodec/h264.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index ebf8d0b2ea..848d6a2d31 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -290,10 +290,11 @@ static inline int get_lowest_part_list_y(H264Context *h, Picture *pic, int n, int height, int y_offset, int list) { int raw_my = h->mv_cache[list][scan8[n]][1]; - int filter_height = (raw_my & 3) ? 2 : 0; + int filter_height_up = (raw_my & 3) ? 2 : 0; + int filter_height_down = (raw_my & 3) ? 3 : 0; int full_my = (raw_my >> 2) + y_offset; - int top = full_my - filter_height; - int bottom = full_my + filter_height + height; + int top = full_my - filter_height_up; + int bottom = full_my + filter_height_down + height; return FFMAX(abs(top), bottom); } From ccc4219558580cb96b448ad9b1410c09b488a1b8 Mon Sep 17 00:00:00 2001 
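Review bot: The asymmetric margins in get_lowest_part_list_y (`filter_height_up` of 2, `filter_height_down` of 3) are explained only in the commit message. A comment above the two declarations, e.g. `/* subpel MC: the six-tap filter needs 2 rows above and 3 rows below the full-pel row */`, would keep a later cleanup from making them symmetric again. According to the commit message that would bring back the case where the progress wait stops one line short and pre-loopfilter data is read from the reference.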
From: Carl Eugen Hoyos Date: Thu, 17 Jan 2013 02:11:12 +0100 Subject: [PATCH 0030/1037] Fix detection of struct v4l2_frmsize_discrete. It was always detected successfully. (cherry picked from commit c345100efc9baae0ea7c9fcc376725cae5d3df6e) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 89e076fbb0..1b0cacfe75 100755 --- a/configure +++ b/configure @@ -3916,7 +3916,7 @@ rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || d check_header linux/fb.h check_header linux/videodev.h check_header linux/videodev2.h -check_struct linux/videodev2.h "struct v4l2_frmivalenum" discrete +check_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_safe struct_v4l2_frmivalenum_discrete check_header sys/videoio.h From 05ed9b70059962251d16f0dd0c9da50a14a31ed4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Jan 2013 14:14:41 +0100 Subject: [PATCH 0031/1037] oggparsevorbis: fix vorbis_cleanup return type Signed-off-by: Michael Niedermayer --- libavformat/oggparsevorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 5510115bc8..16bcaefd4d 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -192,7 +192,7 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv, return offset; } -static int vorbis_cleanup(AVFormatContext *s, int idx) +static void vorbis_cleanup(AVFormatContext *s, int idx) { struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; From ed12d1ecadb63e3d4976b16ea9f6d7217800adf9 Mon Sep 17 00:00:00 2001 
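Review bot: The new configure probe compiles a snippet that uses `struct v4l2_frmsizeenum`, but the symbol it enables is still `struct_v4l2_frmivalenum_discrete`. The test is now correct while the name describes a different struct, which will mislead whoever next reads the guard in the C sources. Renaming the symbol is the clean fix; if that is too invasive for a stable branch, a comment on the line such as `# symbol name is historical, the probe is for v4l2_frmsizeenum.discrete` would do.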
From: Carl Eugen Hoyos Date: Thu, 10 Jan 2013 10:04:46 +0100 Subject: [PATCH 0032/1037] Fix compilation with --disable-everything. (cherry picked from commit f023003ce610a8fd6377cf4a8e98002ac3117ef4) --- libavcodec/x86/dsputil_mmx.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/x86/dsputil_mmx.c b/libavcodec/x86/dsputil_mmx.c index f820d1f0d4..738bbd152b 100644 --- a/libavcodec/x86/dsputil_mmx.c +++ b/libavcodec/x86/dsputil_mmx.c @@ -1785,6 +1785,7 @@ static av_always_inline void gmc(uint8_t *dst, uint8_t *src, } } +#if CONFIG_VIDEODSP #if HAVE_YASM #if ARCH_X86_32 static void gmc_mmx(uint8_t *dst, uint8_t *src, @@ -1814,6 +1815,7 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src, width, height, &ff_emulated_edge_mc_8); } #endif +#endif #endif /* HAVE_INLINE_ASM */ @@ -2518,7 +2520,7 @@ static void dsputil_init_sse(DSPContext *c, AVCodecContext *avctx, int mm_flags) c->scalarproduct_float = ff_scalarproduct_float_sse; c->butterflies_float_interleave = ff_butterflies_float_interleave_sse; -#if HAVE_INLINE_ASM +#if HAVE_INLINE_ASM && CONFIG_VIDEODSP c->gmc = gmc_sse; #endif #endif /* HAVE_YASM */ From a95306e2d75203600cf660f8836ef541897bfb29 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 17 Jan 2013 17:19:08 +0100 Subject: [PATCH 0033/1037] Only skip MLP header in mpeg files if the codec actually is MLP. Fixes PCM audio in Kansas Pheasant Hunt 2000 mpg file. Reported-by: Mashiat Sarker Shakkhar (cherry picked from commit ad406f7e402977cb7dbc78ccb63e21c137f6699e) --- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index cc2fe7f495..4af2057077 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c 
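Review bot: The `#endif` added after gmc_mmx to close `#if CONFIG_VIDEODSP` is unlabelled and ends up in a run of three bare `#endif` lines directly before `#endif /* HAVE_INLINE_ASM */`. With four nested conditions it is hard to tell which one closes which block. Following the convention already used on the neighbouring line, I would write `#endif /* CONFIG_VIDEODSP */` and, ideally, label the two inner ones too.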
@@ -504,7 +504,7 @@ static int mpegps_read_packet(AVFormatContext *s, if(st->discard >= AVDISCARD_ALL) goto skip; if (startcode >= 0xa0 && startcode <= 0xaf) { - if (lpcm_header_len == 6) { + if (lpcm_header_len == 6 && st->codec->codec_id == AV_CODEC_ID_MLP) { if (len < 6) goto skip; avio_skip(s->pb, 6); From c749bec8c3ef88e3e12847a60d6e8e6d73c736d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 17 Jan 2013 16:03:36 +0200 Subject: [PATCH 0034/1037] theora: Skip zero-sized headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes a regression since d9cf5f51/7a2ee770f5 with theora over RTP (possibly with other variants of theora as well). In theora over RTP, the second of the 3 headers turns out to be 0 bytes long, which prior to d9cf5f51 worked just fine. After d9cf5f51, reading from the bitstream reader fails (since the reader wasn't initialized but returned an error if initialized with 0 bits). CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e33db35b4a91ad543d9dde3a981a89118ba68937) Signed-off-by: Martin Storsjö --- libavcodec/vp3.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index bdd4289a49..0340c22bb2 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2339,6 +2339,8 @@ static av_cold int theora_decode_init(AVCodecContext *avctx) } for(i=0;i<3;i++) { + if (header_len[i] <= 0) + continue; init_get_bits(&gb, header_start[i], header_len[i] * 8); ptype = get_bits(&gb, 8); From 21ca4ab9449f1165913fd971dc0eb7387b8fe5a8 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 17 Jan 2013 11:24:01 +0100 Subject: [PATCH 0035/1037] libcdio: support recent cdio-paranoia Upstream decided to split the paranoia interface and move the headers accordingly. (cherry picked from commit 57224e425c567a87798b66425acc383c6dd37331) 
Signed-off-by: Luca Barbato --- configure | 7 +++++-- libavdevice/libcdio.c | 7 +++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 8cc9cdc139..6a8990d162 100755 --- a/configure +++ b/configure @@ -1201,6 +1201,8 @@ HAVE_LIST=" asm_mod_y attribute_may_alias attribute_packed + cdio_paranoia_h + cdio_paranoia_paranoia_h closesocket cmov CommandLineToArgvW @@ -3551,8 +3553,9 @@ enabled jack_indev && check_lib2 jack/jack.h jack_client_open -ljack && enabled_any sndio_indev sndio_outdev && check_lib2 sndio.h sio_open -lsndio -enabled libcdio && - check_lib2 "cdio/cdda.h cdio/paranoia.h" cdio_cddap_open -lcdio_paranoia -lcdio_cdda -lcdio +if enabled libcdio; then + check_lib2 "cdio/cdda.h cdio/paranoia.h" cdio_cddap_open -lcdio_paranoia -lcdio_cdda -lcdio || check_lib2 "cdio/paranoia/cdda.h cdio/paranoia/paranoia.h" cdio_cddap_open -lcdio_paranoia -lcdio_cdda -lcdio +fi enabled x11grab && require X11 X11/Xlib.h XOpenDisplay -lX11 && diff --git a/libavdevice/libcdio.c b/libavdevice/libcdio.c index e846ee635b..06ddb4a784 100644 --- a/libavdevice/libcdio.c +++ b/libavdevice/libcdio.c @@ -23,8 +23,15 @@ * libcdio CD grabbing */ +#include "config.h" + +#if HAVE_CDIO_PARANOIA_H #include #include +#elif HAVE_CDIO_PARANOIA_PARANOIA_H +#include +#include +#endif #include "libavutil/log.h" #include "libavutil/mem.h" From c3c1db7c5637c4e4d8dfdd748466a223f83fffa8 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Thu, 17 Jan 2013 01:24:15 -0500 Subject: [PATCH 0036/1037] rv30: fix masking in rv30_loop_filter() The mask `x && (1 << y)' is incorrect and always yields true. The correct form should be `x & (1 << y)'. CC: libav-stable@libav.org Signed-off-by: Xi Wang (cherry picked from commit 783e37f7ef3b3cdcfe7aa927a25b4184ae46cd53) Signed-off-by: Luca Barbato --- libavcodec/rv30.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index e4f3251047..3c3579b565 100644 
--- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -182,7 +182,7 @@ static void rv30_loop_filter(RV34DecContext *r, int row) for(i = !mb_x; i < 2; i++, C += 4){ int ij = i + (j >> 1); loc_lim = 0; - if(cur_cbp && (1 << ij)) + if (cur_cbp & (1 << ij)) loc_lim = cur_lim; else if(!i && left_cbp & (1 << (ij + 1))) loc_lim = left_lim; @@ -224,7 +224,7 @@ static void rv30_loop_filter(RV34DecContext *r, int row) for(i = 0; i < 2; i++, C += 4){ int ij = i + (j >> 1); loc_lim = 0; - if(r->cbp_chroma[mb_pos] && (1 << ij)) + if (r->cbp_chroma[mb_pos] & (1 << ij)) loc_lim = cur_lim; else if(!j && top_cbp & (1 << (ij + 2))) loc_lim = top_lim; From 0a837b631757a7407df038248eea5e9e79b1cb79 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 17 Jan 2013 23:06:46 +0100 Subject: [PATCH 0037/1037] fate: update ref after rv30_loop_filter fix (cherry picked from commit 56ef1ef1f7580f41d6819ac63081a02f52752903) Signed-off-by: Luca Barbato --- tests/ref/fate/filter-delogo | 164 +++++++++++++++++------------------ tests/ref/fate/rv30 | 164 +++++++++++++++++------------------ 2 files changed, 164 insertions(+), 164 deletions(-) diff --git a/tests/ref/fate/filter-delogo b/tests/ref/fate/filter-delogo index 00226982b2..1a1f4970da 100644 --- a/tests/ref/fate/filter-delogo +++ b/tests/ref/fate/filter-delogo @@ -8,13 +8,13 @@ 0, 200, 200, 0, 126720, 0x94a0f126 0, 233, 233, 0, 126720, 0x0250f106 0, 266, 266, 0, 126720, 0xcf6ab4bc -0, 300, 300, 0, 126720, 0x44aeb57c -0, 333, 333, 0, 126720, 0x33b0b5bc -0, 367, 367, 0, 126720, 0xc4bab591 +0, 300, 300, 0, 126720, 0x429eb57c +0, 333, 333, 0, 126720, 0x3bf0b5bc +0, 367, 367, 0, 126720, 0xcaedb591 0, 400, 400, 0, 126720, 0xa492b5ec -0, 433, 433, 0, 126720, 0x1459b85c -0, 467, 467, 0, 126720, 0x806fb8dc -0, 500, 500, 0, 126720, 0xd241b871 +0, 433, 433, 0, 126720, 0x2431b85c +0, 467, 467, 0, 126720, 0x8283b8dc +0, 500, 500, 0, 126720, 0xd71bb871 0, 533, 533, 0, 126720, 0x698eb5cc 0, 567, 567, 0, 126720, 0x4719aa98 0, 600, 600, 0, 126720, 0x9ca1962c 
@@ -28,83 +28,83 @@ 0, 867, 867, 0, 126720, 0x7af2ea86 0, 900, 900, 0, 126720, 0x40d4b4eb 0, 934, 934, 0, 126720, 0x49d00307 -0, 967, 967, 0, 126720, 0x44c8848e -0, 1000, 1000, 0, 126720, 0xc6990101 -0, 1034, 1034, 0, 126720, 0x2e01b963 +0, 967, 967, 0, 126720, 0x0654849c +0, 1000, 1000, 0, 126720, 0xe46d0107 +0, 1034, 1034, 0, 126720, 0xa483b963 0, 1067, 1067, 0, 126720, 0xd0e903f0 -0, 1101, 1101, 0, 126720, 0x3457d592 -0, 1134, 1134, 0, 126720, 0x4f1ddb3c -0, 1167, 1167, 0, 126720, 0x3980ace5 +0, 1101, 1101, 0, 126720, 0x964ed592 +0, 1134, 1134, 0, 126720, 0x23fbdb3c +0, 1167, 1167, 0, 126720, 0x59fdace5 0, 1201, 1201, 0, 126720, 0xb1e37954 -0, 1234, 1234, 0, 126720, 0x619fc554 -0, 1267, 1267, 0, 126720, 0x945fb39e -0, 1301, 1301, 0, 126720, 0xb1d5e0ce +0, 1234, 1234, 0, 126720, 0x8ed9c554 +0, 1267, 1267, 0, 126720, 0xe3c4b39f +0, 1301, 1301, 0, 126720, 0xfd17e0ce 0, 1334, 1334, 0, 126720, 0xf26e1dcc -0, 1368, 1368, 0, 126720, 0x04d5783e -0, 1401, 1401, 0, 126720, 0xbaa0479e -0, 1434, 1434, 0, 126720, 0x20d88b01 +0, 1368, 1368, 0, 126720, 0x13cc783c +0, 1401, 1401, 0, 126720, 0x47ad47a1 +0, 1434, 1434, 0, 126720, 0x427c8b0d 0, 1468, 1468, 0, 126720, 0x59d99901 -0, 1501, 1501, 0, 126720, 0x1c6e09f6 -0, 1534, 1534, 0, 126720, 0xeec50fc5 -0, 1568, 1568, 0, 126720, 0xb3a92827 -0, 1601, 1601, 0, 126720, 0xf62dd2b6 -0, 1634, 1634, 0, 126720, 0x75b1e619 -0, 1668, 1668, 0, 126720, 0x6bbce2c0 -0, 1701, 1701, 0, 126720, 0xd93e023c -0, 1735, 1735, 0, 126720, 0xbbe8e7c2 -0, 1768, 1768, 0, 126720, 0x2272ec17 -0, 1801, 1801, 0, 126720, 0xf5e4ee6e -0, 1835, 1835, 0, 126720, 0x751d2607 -0, 1868, 1868, 0, 126720, 0x44c499c9 -0, 1901, 1901, 0, 126720, 0xddccd842 -0, 1935, 1935, 0, 126720, 0x508dd214 -0, 1968, 1968, 0, 126720, 0x8eb10272 -0, 2001, 2001, 0, 126720, 0x7224b1c6 -0, 2035, 2035, 0, 126720, 0x50ff456c -0, 2068, 2068, 0, 126720, 0xa81e2731 -0, 2102, 2102, 0, 126720, 0x7e50456d -0, 2135, 2135, 0, 126720, 0x44802978 -0, 2168, 2168, 0, 126720, 0x86e88743 -0, 2202, 2202, 0, 
126720, 0x0b1087d6 -0, 2235, 2235, 0, 126720, 0xb0227d21 -0, 2268, 2268, 0, 126720, 0x29d10bd2 -0, 2302, 2302, 0, 126720, 0x04b43afa -0, 2335, 2335, 0, 126720, 0xb48e9698 -0, 2369, 2369, 0, 126720, 0x75d760fb -0, 2402, 2402, 0, 126720, 0xa2ab1fdb -0, 2435, 2435, 0, 126720, 0xec30a5ee -0, 2469, 2469, 0, 126720, 0xbdab7c8c -0, 2502, 2502, 0, 126720, 0xac5c3f2c -0, 2535, 2535, 0, 126720, 0xce6350be -0, 2569, 2569, 0, 126720, 0xb109657a -0, 2602, 2602, 0, 126720, 0x723865a4 -0, 2635, 2635, 0, 126720, 0xa9869124 -0, 2669, 2669, 0, 126720, 0xc41af558 -0, 2702, 2702, 0, 126720, 0xcbe6a402 -0, 2736, 2736, 0, 126720, 0xb6735ecb -0, 2769, 2769, 0, 126720, 0xba3059f2 -0, 2802, 2802, 0, 126720, 0xe7d63b8d -0, 2836, 2836, 0, 126720, 0x8f115906 -0, 2869, 2869, 0, 126720, 0xaf6a8dcb -0, 2902, 2902, 0, 126720, 0xb73e846e -0, 2936, 2936, 0, 126720, 0xedd6380f -0, 2969, 2969, 0, 126720, 0xd9026acf -0, 3002, 3002, 0, 126720, 0xa03a650b -0, 3036, 3036, 0, 126720, 0x262765bc -0, 3069, 3069, 0, 126720, 0xaaa9ded1 -0, 3103, 3103, 0, 126720, 0xe4f42665 -0, 3136, 3136, 0, 126720, 0x78daf760 -0, 3169, 3169, 0, 126720, 0x3b0c6ef8 -0, 3203, 3203, 0, 126720, 0xb745df80 -0, 3236, 3236, 0, 126720, 0x08e57b90 -0, 3269, 3269, 0, 126720, 0x6f883ab0 -0, 3303, 3303, 0, 126720, 0x934b4dd5 -0, 3336, 3336, 0, 126720, 0x762f108f -0, 3370, 3370, 0, 126720, 0x91ee0f2b -0, 3403, 3403, 0, 126720, 0x9af6e5e8 -0, 3436, 3436, 0, 126720, 0xdcd95e0a -0, 3470, 3470, 0, 126720, 0x22c33a6e -0, 3503, 3503, 0, 126720, 0x21c1b7f4 -0, 3536, 3536, 0, 126720, 0x0a66a1ed -0, 3570, 3570, 0, 126720, 0x53fea81b -0, 3603, 3603, 0, 126720, 0x597f5567 +0, 1501, 1501, 0, 126720, 0xc40707da +0, 1534, 1534, 0, 126720, 0xcd060dce +0, 1568, 1568, 0, 126720, 0xed4024f6 +0, 1601, 1601, 0, 126720, 0x7decd2b4 +0, 1634, 1634, 0, 126720, 0xd1d2e730 +0, 1668, 1668, 0, 126720, 0x77cee457 +0, 1701, 1701, 0, 126720, 0xe78d02c0 +0, 1735, 1735, 0, 126720, 0xad0beb29 +0, 1768, 1768, 0, 126720, 0xc414eea2 +0, 1801, 1801, 0, 126720, 0x6a15f17d +0, 
1835, 1835, 0, 126720, 0x516027f6 +0, 1868, 1868, 0, 126720, 0x4eda9dce +0, 1901, 1901, 0, 126720, 0x7d9bdba3 +0, 1935, 1935, 0, 126720, 0x7aa3d5c0 +0, 1968, 1968, 0, 126720, 0x7c7a04f9 +0, 2001, 2001, 0, 126720, 0x3e8fb6cc +0, 2035, 2035, 0, 126720, 0xd5474916 +0, 2068, 2068, 0, 126720, 0xf3f62bab +0, 2102, 2102, 0, 126720, 0x2f054987 +0, 2135, 2135, 0, 126720, 0x974c2e81 +0, 2168, 2168, 0, 126720, 0xe7e28a97 +0, 2202, 2202, 0, 126720, 0x45e38b41 +0, 2235, 2235, 0, 126720, 0x169c7f19 +0, 2268, 2268, 0, 126720, 0x91d90ee8 +0, 2302, 2302, 0, 126720, 0xdd653e24 +0, 2335, 2335, 0, 126720, 0x0da598c4 +0, 2369, 2369, 0, 126720, 0x687e62cc +0, 2402, 2402, 0, 126720, 0x7631232d +0, 2435, 2435, 0, 126720, 0xbd1ea826 +0, 2469, 2469, 0, 126720, 0xb55f7f4b +0, 2502, 2502, 0, 126720, 0x923f3fc9 +0, 2535, 2535, 0, 126720, 0x15515301 +0, 2569, 2569, 0, 126720, 0x9ee066e5 +0, 2602, 2602, 0, 126720, 0x7c21664b +0, 2635, 2635, 0, 126720, 0x36849100 +0, 2669, 2669, 0, 126720, 0x08b1f61a +0, 2702, 2702, 0, 126720, 0x5bfca6e2 +0, 2736, 2736, 0, 126720, 0x929f60e3 +0, 2769, 2769, 0, 126720, 0xa2b55c29 +0, 2802, 2802, 0, 126720, 0x68bd3ff3 +0, 2836, 2836, 0, 126720, 0x30db5b29 +0, 2869, 2869, 0, 126720, 0x00578f9b +0, 2902, 2902, 0, 126720, 0x18368642 +0, 2936, 2936, 0, 126720, 0xbcb83a80 +0, 2969, 2969, 0, 126720, 0x90f36b72 +0, 3002, 3002, 0, 126720, 0x85e46522 +0, 3036, 3036, 0, 126720, 0x2429660a +0, 3069, 3069, 0, 126720, 0xf283dfe2 +0, 3103, 3103, 0, 126720, 0x896b27dc +0, 3136, 3136, 0, 126720, 0x5af4f961 +0, 3169, 3169, 0, 126720, 0x31897085 +0, 3203, 3203, 0, 126720, 0x441ce33e +0, 3236, 3236, 0, 126720, 0x903f8009 +0, 3269, 3269, 0, 126720, 0xbdf33dba +0, 3303, 3303, 0, 126720, 0x8a364f36 +0, 3336, 3336, 0, 126720, 0xda5513f6 +0, 3370, 3370, 0, 126720, 0xd60012b3 +0, 3403, 3403, 0, 126720, 0x67bce7be +0, 3436, 3436, 0, 126720, 0x697e6174 +0, 3470, 3470, 0, 126720, 0xbe3e3e90 +0, 3503, 3503, 0, 126720, 0xf3e4bba6 +0, 3536, 3536, 0, 126720, 0x8124a679 +0, 3570, 3570, 0, 126720, 
0x58d1acde +0, 3603, 3603, 0, 126720, 0xd8a15ba3 diff --git a/tests/ref/fate/rv30 b/tests/ref/fate/rv30 index 48834237e3..89a9d8c978 100644 --- a/tests/ref/fate/rv30 +++ b/tests/ref/fate/rv30 @@ -8,13 +8,13 @@ 0, 200, 200, 0, 126720, 0x5e6ff4d7 0, 233, 233, 0, 126720, 0xcc10f4b7 0, 266, 266, 0, 126720, 0x763ab817 -0, 300, 300, 0, 126720, 0xeb6fb8d7 -0, 333, 333, 0, 126720, 0xda71b917 -0, 367, 367, 0, 126720, 0x0967b8f7 +0, 300, 300, 0, 126720, 0xe95fb8d7 +0, 333, 333, 0, 126720, 0xe2b1b917 +0, 367, 367, 0, 126720, 0x11abb8f7 0, 400, 400, 0, 126720, 0x4b62b947 -0, 433, 433, 0, 126720, 0xbb1abbb7 -0, 467, 467, 0, 126720, 0x273fbc37 -0, 500, 500, 0, 126720, 0x16eebbd7 +0, 433, 433, 0, 126720, 0xcaf2bbb7 +0, 467, 467, 0, 126720, 0x2953bc37 +0, 500, 500, 0, 126720, 0x1dd9bbd7 0, 533, 533, 0, 126720, 0x105eb927 0, 567, 567, 0, 126720, 0x7fa3ae27 0, 600, 600, 0, 126720, 0x722e99f7 
@@ -28,83 +28,83 @@ 0, 867, 867, 0, 126720, 0x6ddaef32 0, 900, 900, 0, 126720, 0xde1bb900 0, 934, 934, 0, 126720, 0xac6c071b -0, 967, 967, 0, 126720, 0x04e7897c -0, 1000, 1000, 0, 126720, 0x5eee050f -0, 1034, 1034, 0, 126720, 0xe675be59 +0, 967, 967, 0, 126720, 0x4a9f897c +0, 1000, 1000, 0, 126720, 0xd8fa050f +0, 1034, 1034, 0, 126720, 0x5d06be59 0, 1067, 1067, 0, 126720, 0xdc3e0837 -0, 1101, 1101, 0, 126720, 0x68cfda2b -0, 1134, 1134, 0, 126720, 0xe572dfc9 -0, 1167, 1167, 0, 126720, 0x582fb176 +0, 1101, 1101, 0, 126720, 0xcac6da2b +0, 1134, 1134, 0, 126720, 0x6672dfc9 +0, 1167, 1167, 0, 126720, 0x7491b176 0, 1201, 1201, 0, 126720, 0xa9477df0 -0, 1234, 1234, 0, 126720, 0xbc3cc34f -0, 1267, 1267, 0, 126720, 0xcf8cb0e2 -0, 1301, 1301, 0, 126720, 0xcff1db35 +0, 1234, 1234, 0, 126720, 0xe976c34f +0, 1267, 1267, 0, 126720, 0xdb7ab0e2 +0, 1301, 1301, 0, 126720, 0x1b42db35 0, 1334, 1334, 0, 126720, 0xc6e10f9f -0, 1368, 1368, 0, 126720, 0x75ae61b6 -0, 1401, 1401, 0, 126720, 0x12af3119 -0, 1434, 1434, 0, 126720, 0x85597543 +0, 1368, 1368, 0, 126720, 0x169d61b6 +0, 1401, 1401, 0, 126720, 0xc7623119 +0, 1434, 1434, 0, 126720, 0x5b9b7543 0, 1468, 1468, 0, 126720, 0x68c27aca -0, 1501, 1501, 0, 126720, 0x554fe3e4 -0, 1534, 1534, 0, 126720, 0x72ecea95 -0, 1568, 1568, 0, 126720, 0xf4d003d1 -0, 1601, 1601, 0, 126720, 0x9bf6a605 -0, 1634, 1634, 0, 126720, 0x5d00b5fe -0, 1668, 1668, 0, 126720, 0x93f7b040 -0, 1701, 1701, 0, 126720, 0x0d6ad154 -0, 1735, 1735, 0, 126720, 0x4be8b4ea -0, 1768, 1768, 0, 126720, 0xe39bba0d -0, 1801, 1801, 0, 126720, 0x9c21bad8 -0, 1835, 1835, 0, 126720, 0xa567f25b -0, 1868, 1868, 0, 126720, 0x7a82663a -0, 1901, 1901, 0, 126720, 0x72f2a47d -0, 1935, 1935, 0, 126720, 0x4f639ebe -0, 1968, 1968, 0, 126720, 0xab0fce83 -0, 2001, 2001, 0, 126720, 0x6cf87d39 -0, 2035, 2035, 0, 126720, 0x534a10cc -0, 2068, 2068, 0, 126720, 0x6bbcf44c -0, 2102, 2102, 0, 126720, 0xfdca11d3 -0, 2135, 2135, 0, 126720, 0x7e58f5a6 -0, 2168, 2168, 0, 126720, 0x5fd753d8 -0, 2202, 2202, 0, 
126720, 0x0c735615 -0, 2235, 2235, 0, 126720, 0x2a034ebf -0, 2268, 2268, 0, 126720, 0xeaf3dd0b -0, 2302, 2302, 0, 126720, 0x0eaf0c1b -0, 2335, 2335, 0, 126720, 0xce5e6794 -0, 2369, 2369, 0, 126720, 0xf27c31c3 -0, 2402, 2402, 0, 126720, 0xb64af168 -0, 2435, 2435, 0, 126720, 0x14cf7974 -0, 2469, 2469, 0, 126720, 0x1c2a513d -0, 2502, 2502, 0, 126720, 0xa3f515ab -0, 2535, 2535, 0, 126720, 0xcfd62765 -0, 2569, 2569, 0, 126720, 0xbc513f2a -0, 2602, 2602, 0, 126720, 0xbc303fae -0, 2635, 2635, 0, 126720, 0x2f8f69b9 -0, 2669, 2669, 0, 126720, 0x0a22cc69 -0, 2702, 2702, 0, 126720, 0xd9f67585 -0, 2736, 2736, 0, 126720, 0x20403001 -0, 2769, 2769, 0, 126720, 0xf92b2a25 -0, 2802, 2802, 0, 126720, 0x3c170aad -0, 2836, 2836, 0, 126720, 0x3378251f -0, 2869, 2869, 0, 126720, 0xb3ed5911 -0, 2902, 2902, 0, 126720, 0x35d24ef8 -0, 2936, 2936, 0, 126720, 0x8da30275 -0, 2969, 2969, 0, 126720, 0xc15a3577 -0, 3002, 3002, 0, 126720, 0xf2942f53 -0, 3036, 3036, 0, 126720, 0x44d8304a -0, 3069, 3069, 0, 126720, 0xd688a932 -0, 3103, 3103, 0, 126720, 0x0a24f256 -0, 3136, 3136, 0, 126720, 0xfab9c45d -0, 3169, 3169, 0, 126720, 0x10e939ce -0, 3203, 3203, 0, 126720, 0x97fcaa3a -0, 3236, 3236, 0, 126720, 0x45464610 -0, 3269, 3269, 0, 126720, 0xfe2e057d -0, 3303, 3303, 0, 126720, 0x0b6718ae -0, 3336, 3336, 0, 126720, 0x5284da7b -0, 3370, 3370, 0, 126720, 0x23efdc35 -0, 3403, 3403, 0, 126720, 0xc387b2b3 -0, 3436, 3436, 0, 126720, 0xc9e92bf1 -0, 3470, 3470, 0, 126720, 0xfbf20a01 -0, 3503, 3503, 0, 126720, 0x4d888b2e -0, 3536, 3536, 0, 126720, 0xdd0d74df -0, 3570, 3570, 0, 126720, 0x49d07aa4 -0, 3603, 3603, 0, 126720, 0x08382b8e +0, 1501, 1501, 0, 126720, 0xa0e4e1c9 +0, 1534, 1534, 0, 126720, 0xbbdae87e +0, 1568, 1568, 0, 126720, 0xe67e00a1 +0, 1601, 1601, 0, 126720, 0x648ea605 +0, 1634, 1634, 0, 126720, 0x5becb718 +0, 1668, 1668, 0, 126720, 0xb79ab1da +0, 1701, 1701, 0, 126720, 0x0d52d1dc +0, 1735, 1735, 0, 126720, 0x1277b853 +0, 1768, 1768, 0, 126720, 0xc57cbc83 +0, 1801, 1801, 0, 126720, 0x2126bdc3 +0, 
1835, 1835, 0, 126720, 0x4c1ef41f +0, 1868, 1868, 0, 126720, 0x185f6a2c +0, 1901, 1901, 0, 126720, 0xb2b5a7d3 +0, 1935, 1935, 0, 126720, 0x32d7a26d +0, 1968, 1968, 0, 126720, 0x0bffd118 +0, 2001, 2001, 0, 126720, 0x2eed823a +0, 2035, 2035, 0, 126720, 0xc4c0147c +0, 2068, 2068, 0, 126720, 0x1f8bf8ac +0, 2102, 2102, 0, 126720, 0xfcb715e8 +0, 2135, 2135, 0, 126720, 0xc3e9fa9c +0, 2168, 2168, 0, 126720, 0x9ad8572c +0, 2202, 2202, 0, 126720, 0x2800596d +0, 2235, 2235, 0, 126720, 0x3caa5094 +0, 2268, 2268, 0, 126720, 0x6162e000 +0, 2302, 2302, 0, 126720, 0x18200f2c +0, 2335, 2335, 0, 126720, 0x649e699f +0, 2369, 2369, 0, 126720, 0x5f513367 +0, 2402, 2402, 0, 126720, 0x71fbf4a8 +0, 2435, 2435, 0, 126720, 0x5bff7b97 +0, 2469, 2469, 0, 126720, 0xbad453d4 +0, 2502, 2502, 0, 126720, 0x56e6161d +0, 2535, 2535, 0, 126720, 0x524f2980 +0, 2569, 2569, 0, 126720, 0x0589405a +0, 2602, 2602, 0, 126720, 0x5c264043 +0, 2635, 2635, 0, 126720, 0x2394696f +0, 2669, 2669, 0, 126720, 0x1aa0cd15 +0, 2702, 2702, 0, 126720, 0xd6ec7840 +0, 2736, 2736, 0, 126720, 0xde5531f0 +0, 2769, 2769, 0, 126720, 0x03a42c3a +0, 2802, 2802, 0, 126720, 0xbdee0efb +0, 2836, 2836, 0, 126720, 0xa6012736 +0, 2869, 2869, 0, 126720, 0x448f5ae6 +0, 2902, 2902, 0, 126720, 0x8a2550c3 +0, 2936, 2936, 0, 126720, 0x143104e7 +0, 2969, 2969, 0, 126720, 0x75db363d +0, 3002, 3002, 0, 126720, 0x906d2f9d +0, 3036, 3036, 0, 126720, 0xfc7b30ab +0, 3069, 3069, 0, 126720, 0xd3edaa62 +0, 3103, 3103, 0, 126720, 0x6267f3fc +0, 3136, 3136, 0, 126720, 0x87b6c67f +0, 3169, 3169, 0, 126720, 0x84da3b79 +0, 3203, 3203, 0, 126720, 0x72fbae15 +0, 3236, 3236, 0, 126720, 0xb8474a80 +0, 3269, 3269, 0, 126720, 0xbeae088b +0, 3303, 3303, 0, 126720, 0x538b1a14 +0, 3336, 3336, 0, 126720, 0x07bbddcd +0, 3370, 3370, 0, 126720, 0x807ddf8f +0, 3403, 3403, 0, 126720, 0x325bb46d +0, 3436, 3436, 0, 126720, 0xd80c2f2a +0, 3470, 3470, 0, 126720, 0xfc1b0dec +0, 3503, 3503, 0, 126720, 0x46068ebc +0, 3536, 3536, 0, 126720, 0xcd987941 +0, 3570, 3570, 0, 126720, 
0x52f37f2e +0, 3603, 3603, 0, 126720, 0xc96931a2 From 9bfda9df71c4a681e6a2e25e4ff44e133c3cd261 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Jan 2013 15:31:00 +0100 Subject: [PATCH 0038/1037] mpeg12: Support decoding dimensions that are a multiple of 4096 Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 5ca9bb8d90..d8e22a26af 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -2001,8 +2001,6 @@ static int mpeg1_decode_sequence(AVCodecContext *avctx, width = get_bits(&s->gb, 12); height = get_bits(&s->gb, 12); - if (width <= 0 || height <= 0) - return -1; s->aspect_ratio_info = get_bits(&s->gb, 4); if (s->aspect_ratio_info == 0) { av_log(avctx, AV_LOG_ERROR, "aspect ratio has forbidden 0 value\n"); @@ -2312,6 +2310,11 @@ static int decode_chunks(AVCodecContext *avctx, break; case PICTURE_START_CODE: + if (s2->width <= 0 || s2->height <= 0) { + av_log(avctx, AV_LOG_ERROR, "%dx%d is invalid\n", s2->width, s2->height); + return AVERROR_INVALIDDATA; + } + if(s->tmpgexs){ s2->intra_dc_precision= 3; s2->intra_matrix[0]= 1; From d7cff9f8e8f19f8505b189071de66884689558e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Jan 2013 15:31:58 +0100 Subject: [PATCH 0039/1037] mpeg12enc: Correctly mask dimensions Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 6374a97089..e8947460ad 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c 
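Review bot: With the early `width <= 0 || height <= 0` return removed from mpeg1_decode_sequence, a zero read from the 12-bit fields is now stored and only rejected when decode_chunks reaches `case PICTURE_START_CODE`. Anything that consumes the dimensions between the sequence header and the first picture start code now sees an unvalidated zero; that code lies outside these hunks and should be checked. A comment at the new check would record why validation moved, e.g. `/* 12-bit size fields may be 0 for multiples of 4096; validate only once the full size is known */`. The new test also covers only the lower bound, so it is worth confirming that an upper-bound check such as the image-size validation still runs before any allocation.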
@@ -227,8 +227,8 @@ static void mpeg1_encode_sequence_header(MpegEncContext *s) /* mpeg1 header repeated every gop */ put_header(s, SEQ_START_CODE); - put_sbits(&s->pb, 12, s->width ); - put_sbits(&s->pb, 12, s->height); + put_sbits(&s->pb, 12, s->width & 0xFFF); + put_sbits(&s->pb, 12, s->height & 0xFFF); for(i=1; i<15; i++){ float error= aspect_ratio; From cc8ab9865650e7542f0340cd27762dbd8da52910 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Jan 2013 15:47:21 +0100 Subject: [PATCH 0040/1037] mpeg12enc: check dimension validity Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12enc.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index e8947460ad..cda1464c86 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -180,6 +180,19 @@ static av_cold int encode_init(AVCodecContext *avctx) } } + if ((avctx->width & 0xFFF) == 0 && (avctx->height & 0xFFF) == 1) { + av_log(avctx, AV_LOG_ERROR, "Width / Height is invalid for MPEG2\n"); + return AVERROR(EINVAL); + } + + if (s->strict_std_compliance > FF_COMPLIANCE_UNOFFICIAL) { + if ((avctx->width & 0xFFF) == 0 || (avctx->height & 0xFFF) == 0) { + av_log(avctx, AV_LOG_ERROR, "Width or Height are not allowed to be multiplies of 4096\n" + "add '-strict %d' if you want to use them anyway.\n", FF_COMPLIANCE_UNOFFICIAL); + return AVERROR(EINVAL); + } + } + s->drop_frame_timecode = s->drop_frame_timecode || !!(avctx->flags2 & CODEC_FLAG2_DROP_FRAME_TIMECODE); if (s->drop_frame_timecode) s->tc.flags |= AV_TIMECODE_FLAG_DROPFRAME; From 722bfe4e7c73d0c3550011a08b5e76df714e2b27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Jan 2013 18:39:06 +0100 Subject: [PATCH 0041/1037] swr: fix handling of timestamps that cause multiple drops or silence injections 
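Review bot: `put_sbits` is the signed-value writer, but after masking with `0xFFF` both arguments are plain unsigned 12-bit fields, so `put_bits(&s->pb, 12, s->width & 0xFFF);` (and the same for height) would state the intent directly. The mask silently discards the upper bits of the dimension, so a comment saying where those bits are carried, or that larger sizes are rejected, would help; neither is visible in this hunk. mpeg1_encode_sequence_header continues outside the hunk.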
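Review bot: The first added check tests `(avctx->width & 0xFFF) == 0 && (avctx->height & 0xFFF) == 1` with no comment, and the `== 1` reads like a typo for `== 0`. Presumably a 12-bit width of 0x000 followed by a height of 0x001 would spell a start-code prefix inside the sequence header; if that is the reason, say so: `/* low 12 bits 0x000,0x001 would emulate a 00 00 01 start code */`. The log text says "MPEG2" although nothing in the hunk restricts the check to MPEG-2, and the second message has "multiplies" where "multiples" is meant. `0xFFF` now appears four times here, so a named constant would tie the checks to the 12-bit header field. encode_init continues outside the hunk.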
Signed-off-by: Michael Niedermayer (cherry picked from commit d676598f879ba01ddb62f9abe8e17b2e94cb91cd) --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index f01927f293..f530c1f59e 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -826,7 +826,7 @@ int64_t swr_next_pts(struct SwrContext *s, int64_t pts){ if(s->min_compensation >= FLT_MAX) { return (s->outpts = pts - swr_get_delay(s, s->in_sample_rate * (int64_t)s->out_sample_rate)); } else { - int64_t delta = pts - swr_get_delay(s, s->in_sample_rate * (int64_t)s->out_sample_rate) - s->outpts; + int64_t delta = pts - swr_get_delay(s, s->in_sample_rate * (int64_t)s->out_sample_rate) - s->outpts + s->drop_output*(int64_t)s->in_sample_rate; double fdelta = delta /(double)(s->in_sample_rate * (int64_t)s->out_sample_rate); if(fabs(fdelta) > s->min_compensation) { From e7475335b1e0f994ede02c0c5e06cc47bc356f98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:01:40 +0100 Subject: [PATCH 0042/1037] doc/examples: fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit 48a7981e6f93a27c9caca99d0bfb39e6244606a5) Signed-off-by: Michael Niedermayer --- doc/examples/demuxing.c | 2 +- doc/examples/resampling_audio.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/examples/demuxing.c b/doc/examples/demuxing.c index 3c9d4a1278..bee21b7b33 100644 --- a/doc/examples/demuxing.c +++ b/doc/examples/demuxing.c @@ -314,7 +314,7 @@ int main (int argc, char **argv) if (audio_stream) { const char *fmt; - if ((ret = get_format_from_sample_fmt(&fmt, audio_dec_ctx->sample_fmt) < 0)) + if ((ret = get_format_from_sample_fmt(&fmt, audio_dec_ctx->sample_fmt)) < 0) goto end; printf("Play the output audio file with the command:\n" "ffplay -f %s -ac %d -ar %d %s\n", 
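Review bot: The added term `s->drop_output*(int64_t)s->in_sample_rate` mixes units with nothing to explain it. Judging from the `fdelta` line, `delta` is in ticks of 1/(in_sample_rate*out_sample_rate), and `drop_output` is presumably a count of output samples still to be dropped. A comment such as `/* pending drops, converted from output samples to 1/(in_rate*out_rate) ticks */` would let a reader check the scaling. The commit title also mentions silence injection, but only drops are accounted for here; whether injection needs a matching term cannot be judged from the hunk. swr_next_pts continues outside the hunk.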
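Review bot: The corrected line in demuxing.c still assigns inside the condition, which is the pattern that let `ret = f() < 0` slip in. In the old form `ret` held the comparison result, so a failure was returned as 1 rather than the negative error code, and callers testing `< 0` would treat it as success. Splitting it into `ret = get_format_from_sample_fmt(&fmt, audio_dec_ctx->sample_fmt);` followed by `if (ret < 0)` removes that class of mistake, and the extra parentheses that silence the compiler's assignment-in-condition warning are no longer needed. The same applies to the matching hunks in resampling_audio.c, aacenc.c, libfaac.c, libfdk-aacenc.c, libmp3lame.c, libopencore-amr.c, libspeexenc.c, libvo-aacenc.c, libvorbisenc.c, nellymoserenc.c, ra144enc.c, svq1enc.c, tiff.c, vsrc_testsrc.c, mux.c, rtmpproto.c and h264.c. The svq1enc.c hunk also has inconsistent spacing in `))< 0`. The enclosing functions all continue outside their hunks.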
diff --git a/doc/examples/resampling_audio.c b/doc/examples/resampling_audio.c index 9075719a37..dd128e8d6e 100644 --- a/doc/examples/resampling_audio.c +++ b/doc/examples/resampling_audio.c @@ -200,7 +200,7 @@ int main(int argc, char **argv) fwrite(dst_data[0], 1, dst_bufsize, dst_file); } while (t < 10); - if ((ret = get_format_from_sample_fmt(&fmt, dst_sample_fmt) < 0)) + if ((ret = get_format_from_sample_fmt(&fmt, dst_sample_fmt)) < 0) goto end; fprintf(stderr, "Resampling succeeded. Play the output file with the command:\n" "ffplay -f %s -channel_layout %"PRId64" -channels %d -ar %d %s\n", From 07174ed8417f67a391035b851139964e22d51f71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:02:50 +0100 Subject: [PATCH 0043/1037] aacenc: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit 98fed59427cec17ce55ac137e7e250cff7db81cf) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 2c40ec91f5..348d3a20d2 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -517,7 +517,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* add current frame to queue */ if (frame) { - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } From d39400fed75302324bab051c22e6d07fade5b4f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:03:09 +0100 Subject: [PATCH 0044/1037] libfaac: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit 68a25c64cda16e12ef3a051ff8661c71ef574683) Signed-off-by: Michael Niedermayer --- libavcodec/libfaac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libfaac.c b/libavcodec/libfaac.c index d922fdca1b..bf226af956 100644 --- a/libavcodec/libfaac.c +++ b/libavcodec/libfaac.c 
@@ -199,7 +199,7 @@ static int Faac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* add current frame to the queue */ if (frame) { - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } From dacac91973e9f2c3b4e500f6efb47fb4f6f386f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:03:23 +0100 Subject: [PATCH 0045/1037] libfdk-aacenc: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit 9302ad1ac89d5443505cf0418f9d62786513032e) Signed-off-by: Michael Niedermayer --- libavcodec/libfdk-aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libfdk-aacenc.c b/libavcodec/libfdk-aacenc.c index 196fcb5a4d..06576aabae 100644 --- a/libavcodec/libfdk-aacenc.c +++ b/libavcodec/libfdk-aacenc.c @@ -334,7 +334,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, in_buf.bufElSizes = &in_buffer_element_size; /* add current frame to the queue */ - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } From d4a08e560d11a0b8410834df69f029a5c62c86f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:03:38 +0100 Subject: [PATCH 0046/1037] libmp3lame: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit 871b6ec01d27a74702b7cf1d61446709de037948) Signed-off-by: Michael Niedermayer --- libavcodec/libmp3lame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c index 1447d6a10e..034fee73a9 100644 --- a/libavcodec/libmp3lame.c +++ b/libavcodec/libmp3lame.c @@ -237,7 +237,7 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* add current frame to the queue */ if (frame) { - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } 
From 59956a5957d68723618118509b6f794f1692ca5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:04:13 +0100 Subject: [PATCH 0047/1037] libopencore-amr: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit d6180aa29741334cf69f691b27ffceb33f49d36a) Signed-off-by: Michael Niedermayer --- libavcodec/libopencore-amr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libopencore-amr.c b/libavcodec/libopencore-amr.c index 550ef94491..0d78035e27 100644 --- a/libavcodec/libopencore-amr.c +++ b/libavcodec/libopencore-amr.c @@ -261,7 +261,7 @@ static int amr_nb_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if (frame->nb_samples < avctx->frame_size - avctx->delay) s->enc_last_frame = -1; } - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) { + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) { av_freep(&flush_buf); return ret; } From 65a4b90840a6f79c69be44b6f60bfa6f0dcc1612 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:04:25 +0100 Subject: [PATCH 0048/1037] libspeexenc: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit 3b8d66d5317d91288751869206b3acbb84dc44c7) Signed-off-by: Michael Niedermayer --- libavcodec/libspeexenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libspeexenc.c b/libavcodec/libspeexenc.c index 7dfc6d333c..23ebe72dad 100644 --- a/libavcodec/libspeexenc.c +++ b/libavcodec/libspeexenc.c @@ -288,7 +288,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *avpkt, speex_encode_stereo_int(samples, s->header.frame_size, &s->bits); speex_encode_int(s->enc_state, samples, &s->bits); s->pkt_frame_count++; - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } else { /* handle end-of-stream */ From b48e2513606fe8b1afe0a2b0af087039acbbd4f9 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:04:41 +0100 Subject: [PATCH 0049/1037] libvo-aacenc: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit 0ccb31dcad5a1543fbb284d66b0410b91ebd171d) Signed-off-by: Michael Niedermayer --- libavcodec/libvo-aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libvo-aacenc.c b/libavcodec/libvo-aacenc.c index a09c74c72d..1414aadb64 100644 --- a/libavcodec/libvo-aacenc.c +++ b/libavcodec/libvo-aacenc.c @@ -157,7 +157,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, samples = (VO_PBYTE)frame->data[0]; } /* add current frame to the queue */ - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } From 3be8aeb14e4894789d5c2f87d0475e252eeb29ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:04:59 +0100 Subject: [PATCH 0050/1037] libvorbisenc: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit bdd71abe5f34ca37612e17d912060f4dc9b94796) Signed-off-by: Michael Niedermayer --- libavcodec/libvorbisenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libvorbisenc.c b/libavcodec/libvorbisenc.c index c81375c8ef..188c8cc9c5 100644 --- a/libavcodec/libvorbisenc.c +++ b/libavcodec/libvorbisenc.c @@ -305,7 +305,7 @@ static int oggvorbis_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, av_log(avctx, AV_LOG_ERROR, "error in vorbis_analysis_wrote()\n"); return vorbis_error_to_averror(ret); } - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } else { if (!s->eof) From ab471e17e444fbbd0ae48ac35dbb2d13ed06be62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:05:30 +0100 Subject: [PATCH 0051/1037] nellymoserenc: Fix assignments in if() 
Signed-off-by: Michael Niedermayer (cherry picked from commit 795d2dc23b16a678d60a681e906aa87c14478597) Signed-off-by: Michael Niedermayer --- libavcodec/nellymoserenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/nellymoserenc.c b/libavcodec/nellymoserenc.c index 4317e32032..0fdec2c3b5 100644 --- a/libavcodec/nellymoserenc.c +++ b/libavcodec/nellymoserenc.c @@ -397,7 +397,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if (frame->nb_samples >= NELLY_BUF_LEN) s->last_frame = 1; } - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } else { memset(s->buf + NELLY_BUF_LEN, 0, NELLY_SAMPLES * sizeof(*s->buf)); From 16dc41de279adc7ad133956bdd1e0febdade2faa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:05:42 +0100 Subject: [PATCH 0052/1037] ra144enc: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit e2704381e5f13f54506f69b7a05a05dc27ce1d7d) Signed-off-by: Michael Niedermayer --- libavcodec/ra144enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144enc.c b/libavcodec/ra144enc.c index 9a8ac2b2e3..b89e4b7fb0 100644 --- a/libavcodec/ra144enc.c +++ b/libavcodec/ra144enc.c @@ -536,7 +536,7 @@ static int ra144_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, for (; i < frame->nb_samples; i++) ractx->curr_block[i] = samples[i] >> 2; - if ((ret = ff_af_queue_add(&ractx->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&ractx->afq, frame)) < 0) return ret; } else ractx->last_frame = 1; From 6a0633e961f4911c98f374e7b3b690e3dc7cc5cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:06:07 +0100 Subject: [PATCH 0053/1037] svq1enc: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit 37be1d802f2e2c21036a54bb15423a41d5aabefb) 
Signed-off-by: Michael Niedermayer --- libavcodec/svq1enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 2850ab0284..1b32bbc533 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -538,7 +538,7 @@ static int svq1_encode_frame(AVCodecContext *avctx, AVPacket *pkt, int i, ret; if ((ret = ff_alloc_packet2(avctx, pkt, s->y_block_width * s->y_block_height * - MAX_MB_BYTES*3 + FF_MIN_BUFFER_SIZE) < 0)) + MAX_MB_BYTES*3 + FF_MIN_BUFFER_SIZE)) < 0) return ret; if (avctx->pix_fmt != AV_PIX_FMT_YUV410P) { @@ -547,7 +547,7 @@ static int svq1_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } if (!s->current_picture.data[0]) { - if ((ret = ff_get_buffer(avctx, &s->current_picture) < 0) || + if ((ret = ff_get_buffer(avctx, &s->current_picture))< 0 || (ret = ff_get_buffer(avctx, &s->last_picture)) < 0) { return ret; } From 2338eda8d8fd84ec426bf8ade7fe81a266ae60fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:06:44 +0100 Subject: [PATCH 0054/1037] tiff: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit 659546b42d6550e67fcdbb4937cd1982c60448aa) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 558e748d5c..85a5823c35 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -878,7 +878,7 @@ static int tiff_decode_tag(TiffContext *s) s->fax_opts = value; break; #define ADD_METADATA(count, name, sep)\ - if (ret = add_metadata(count, type, name, sep, s) < 0) {\ + if ((ret = add_metadata(count, type, name, sep, s)) < 0) {\ av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n");\ return ret;\ } From 17704500fb0ca66f82ca6b3576bb359fb79f9ebb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:07:02 +0100 Subject: [PATCH 0055/1037] vsrc_testsrc: Fix assignments in if() 
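Review bot: The `ADD_METADATA` macro in tiff.c hides a `return ret;` inside a bare `if { }` body and always logs "Error allocating temporary buffer", whatever negative code `add_metadata` returned. Wrapping the body in `do { … } while (0)` would make the macro safe to use as a single statement. Either logging `ret` or rewording the message would stop it misreporting non-allocation failures, and a one-line comment above the `#define` should say that the macro returns from tiff_decode_tag on error. The uses of the macro are outside the hunk.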
Signed-off-by: Michael Niedermayer (cherry picked from commit 6f88d2d786b87cbfec5ea16d1cb570ad30c80399) Signed-off-by: Michael Niedermayer --- libavfilter/vsrc_testsrc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vsrc_testsrc.c b/libavfilter/vsrc_testsrc.c index 185d382f55..f5e37f8b72 100644 --- a/libavfilter/vsrc_testsrc.c +++ b/libavfilter/vsrc_testsrc.c @@ -248,7 +248,7 @@ static int color_config_props(AVFilterLink *inlink) if (av_image_check_size(test->w, test->h, 0, ctx) < 0) return AVERROR(EINVAL); - if (ret = config_props(inlink) < 0) + if ((ret = config_props(inlink)) < 0) return ret; av_log(ctx, AV_LOG_VERBOSE, "color:0x%02x%02x%02x%02x\n", From 9348514a6713a1457052cd980c9c5e9d8544f332 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:07:26 +0100 Subject: [PATCH 0056/1037] lavf/mux: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit 1ac5a8d7e3343718b0e86b44013742b7ca413c38) Signed-off-by: Michael Niedermayer --- libavformat/mux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mux.c b/libavformat/mux.c index c34a2946c7..649b4961d9 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -395,7 +395,7 @@ int avformat_write_header(AVFormatContext *s, AVDictionary **options) return ret; } - if ((ret = init_pts(s) < 0)) + if ((ret = init_pts(s)) < 0) return ret; return 0; From 4d6d8d9ae943e37667176a6968a183454f73215c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:07:51 +0100 Subject: [PATCH 0057/1037] rtmpproto: Fix assignments in if() Signed-off-by: Michael Niedermayer (cherry picked from commit a601eb9543ecab09aa69a6673e553318daf7ea57) Signed-off-by: Michael Niedermayer --- libavformat/rtmpproto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 1132ab6941..6f03dd9d7e 100644 --- a/libavformat/rtmpproto.c 
+++ b/libavformat/rtmpproto.c @@ -1989,7 +1989,7 @@ static int handle_invoke(URLContext *s, RTMPPacket *pkt) !memcmp(pkt->data, "\002\000\007publish", 10) || !memcmp(pkt->data, "\002\000\010_checkbw", 11) || !memcmp(pkt->data, "\002\000\014createStream", 15)) { - if (ret = send_invoke_response(s, pkt) < 0) + if ((ret = send_invoke_response(s, pkt)) < 0) return ret; } From 30f0cd2f1e760b085b5288d62e4de23955829c49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Jan 2013 23:44:01 +0100 Subject: [PATCH 0058/1037] h264: fix () placement Fixes null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c13e4e288c84ba0629ead15e1460c0e498ee2bce) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f6cfa1a35d..d5009bfb80 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2589,7 +2589,7 @@ static int h264_slice_header_init(H264Context *h, int reinit) return ret; } } else { - if ((ret = ff_MPV_common_init(s) < 0)) { + if ((ret = ff_MPV_common_init(s)) < 0) { av_log(h->s.avctx, AV_LOG_ERROR, "ff_MPV_common_init() failed.\n"); return ret; } From 397fafad230a7d4f2d2c0908ae56418318e82148 Mon Sep 17 00:00:00 2001 From: Jonas Bechtel Date: Sun, 13 Jan 2013 21:45:15 +0100 Subject: [PATCH 0059/1037] Fix opencv detection. This commit changes the ".so" argument placement in check_ld sub-program. (cherry picked from commit a003c5bd4ff1846edba0518306f8091c14041c96) --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 4e4fbab03d..4dd265f502 100755 --- a/configure +++ b/configure 
@@ -789,8 +789,8 @@ check_ld(){ log check_ld "$@" type=$1 shift 1 - flags=$(filter_out '-l*' $@) - libs=$(filter '-l*' $@) + flags=$(filter_out '-l*|*.so' $@) + libs=$(filter '-l*|*.so' $@) check_$type $($cflags_filter $flags) || return flags=$($ldflags_filter $flags) libs=$($ldflags_filter $libs) From ccf0cd967d32084978a4346d608b44aec56b9d25 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 7 Jan 2013 10:48:02 +0000 Subject: [PATCH 0060/1037] 012v: remove double ; and return correct error code if ff_get_buffer() fails Signed-off-by: Paul B Mahol (cherry picked from commit 25160236957647d81e8beecd6c8fb7f1949fc26e) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index b2c2790193..6f4533b14c 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -44,7 +44,7 @@ static av_cold int zero12v_decode_init(AVCodecContext *avctx) static int zero12v_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - int line = 0; + int line = 0, ret; const int width = avctx->width; AVFrame *pic = avctx->coded_frame; uint16_t *y, *u, *v; @@ -65,8 +65,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, } pic->reference = 0; - if (ff_get_buffer(avctx, pic) < 0) - return AVERROR_INVALIDDATA;; + if ((ret = ff_get_buffer(avctx, pic)) < 0) + return ret; y = (uint16_t *)pic->data[0]; u = (uint16_t *)pic->data[1]; From 68a0477bc0af026db971ddba22541029a9e8715b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Jan 2013 04:44:20 +0100 Subject: [PATCH 0061/1037] error_concealment: Check that the picture is not in a half setup state. Fixes state becoming inconsistent Fixes a null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 23318a57358358e7a4dc551e830e4503f0638cfe) 
Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 01f7424904..2b6bc42ade 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -924,6 +924,12 @@ void ff_er_frame_end(MpegEncContext *s) return; }; + if ( s->picture_structure == PICT_FRAME + && s->current_picture.f.linesize[0] != s->current_picture_ptr->f.linesize[0]) { + av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n"); + return; + } + if (s->current_picture.f.motion_val[0] == NULL) { av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n"); From 43c6b45a53a186a187f7266e4d6bd3c2620519f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Jan 2013 01:28:44 +0100 Subject: [PATCH 0062/1037] avcodec_decode_audio: do not trust the channel layout, use the channel count. Fixes memory corruption Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d270c3202539e8364c46410e15f7570800e33343) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 8c0aa9818e..12265a95ea 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1809,7 +1809,7 @@ int attribute_align_arg avcodec_decode_audio4(AVCodecContext *avctx, * extended_data are doing it correctly */ if (*got_frame_ptr) { planar = av_sample_fmt_is_planar(frame->format); - channels = av_get_channel_layout_nb_channels(frame->channel_layout); + channels = frame->channels; if (!(planar && channels > AV_NUM_DATA_POINTERS)) frame->extended_data = frame->data; } else { From 3049d5b9b32845c86aa5588bb3352bdeb2edfdb2 Mon Sep 17 00:00:00 2001 
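Review bot: The guard added to ff_er_frame_end in libavcodec/error_resilience.c reads `s->current_picture_ptr->f.linesize[0]` without first testing `s->current_picture_ptr`, so the check meant to detect a half-initialised picture can itself fault if no picture was assigned. Only the closing `return; };` of the preceding early-return condition is visible, so whether that condition already guarantees a non-NULL pointer cannot be confirmed from the hunk. If it does not, test the pointer first, e.g. `if (!s->current_picture_ptr) return;` ahead of the new block. The comparison is also limited to `picture_structure == PICT_FRAME`, and a one-line comment saying why field pictures are exempt would help. The function starts and ends outside the hunk.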
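Review bot: In avcodec_decode_audio4 (libavcodec/utils.c), `channels = frame->channels;` takes the count straight from the frame, and nothing in the hunk checks that the decoder filled it in. If the value is 0 or disagrees with the planes actually allocated, `planar && channels > AV_NUM_DATA_POINTERS` is false and `frame->extended_data` is reset to `frame->data`. If no validation exists outside the hunk, compare the value with `avctx->channels` before using it. A comment above the assignment such as `/* channel_layout may be unset or inconsistent; use the stored count */` would record why the layout is no longer consulted.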
From: Michael Niedermayer Date: Sat, 12 Jan 2013 18:39:54 +0100 Subject: [PATCH 0063/1037] doc/RELEASE_NOTES mention changed sample_fmt for audio decoders Signed-off-by: Michael Niedermayer --- doc/RELEASE_NOTES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/RELEASE_NOTES b/doc/RELEASE_NOTES index 4c209ecb5e..768a747ba2 100644 --- a/doc/RELEASE_NOTES +++ b/doc/RELEASE_NOTES @@ -20,3 +20,6 @@ compiler. Since MSVC does not support C99 features used extensively by FFmpeg, this has been accomplished using a converter that turns C99 code to C89. See the platform-specific documentation for more detailed documentation on building FFmpeg with MSVC. + +The used output sample format for several audio decoders has changed, make +sure you always check/use AVCodecContext.sample_fmt or AVFrame.format. From 90da0cb60e1cad447fc34b89a3641474f6cabb4c Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 14 Jan 2013 16:28:44 +0100 Subject: [PATCH 0064/1037] The c99-to-c89 binaries are now hosted on videolan.org. (cherry picked from commit c29c7c1470f98f8e66752fb09c44ded625e9a991) Signed-off-by: Michael Niedermayer --- doc/platform.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/platform.texi b/doc/platform.texi index dcdfff20d7..bb8e6ca5ca 100644 --- a/doc/platform.texi +++ b/doc/platform.texi @@ -114,7 +114,7 @@ wrapper. You will need the following prerequisites: @itemize -@item @uref{https://github.com/libav/c99-to-c89/, C99-to-C89 Converter & Wrapper} +@item @uref{http://download.videolan.org/pub/contrib/c99-to-c89/, C99-to-C89 Converter & Wrapper} @item @uref{http://code.google.com/p/msinttypes/, msinttypes} @item @uref{http://www.mingw.org/, MSYS} @item @uref{http://yasm.tortall.net/, YASM} From bd531038e8affa6387d2d7dadd20d907e5791ab5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 16:22:41 +0100 Subject: [PATCH 0065/1037] init_get_bits8: check byte_size against being positive 
Signed-off-by: Michael Niedermayer (cherry picked from commit ac73d3a12a33c5e4e6357d5f8824e19801663eb5) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index af7e156e59..1946c78af2 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -406,7 +406,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, static inline int init_get_bits8(GetBitContext *s, const uint8_t *buffer, int byte_size) { - if (byte_size > INT_MAX / 8) + if (byte_size > INT_MAX / 8 || byte_size < 0) return AVERROR_INVALIDDATA; return init_get_bits(s, buffer, byte_size * 8); } From 6f3bc92c294b4ce903047e1fd43d71e59c86337b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 16:23:39 +0100 Subject: [PATCH 0066/1037] init_get_bits8: zero pointers & struct on error Signed-off-by: Michael Niedermayer (cherry picked from commit 153fad14e5a2f85637aa6c254ced0fc1c68974e2) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 1946c78af2..964456ee5d 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -407,7 +407,7 @@ static inline int init_get_bits8(GetBitContext *s, const uint8_t *buffer, int byte_size) { if (byte_size > INT_MAX / 8 || byte_size < 0) - return AVERROR_INVALIDDATA; + byte_size = -1; return init_get_bits(s, buffer, byte_size * 8); } From 1135928903325f48c0cedf1e9b793061965c1558 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 16:29:27 +0100 Subject: [PATCH 0067/1037] init_get_bits: fix off by 1 error Signed-off-by: Michael Niedermayer (cherry picked from commit 7980cca05c7c72fc8b0be4268eea2e156e538228) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
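Review bot: In the second get_bits.h hunk on this line (patch 0066), init_get_bits8 sets `byte_size = -1` on error and relies on `byte_size * 8` being negative so that init_get_bits() rejects it and resets the context. That coupling is not visible at the assignment, so a later change to the callee's negative-size handling would silently turn the error path into a success. Add a comment on the assignment, for example `/* force init_get_bits() to fail and clear *s */`. Bracing the `if` body would also make it clear that the `return init_get_bits(...)` after it runs on both paths.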
diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 964456ee5d..89df381fdb 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -379,7 +379,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, int buffer_size; int ret = 0; - if (bit_size > INT_MAX - 7 || bit_size < 0) { + if (bit_size >= INT_MAX - 7 || bit_size < 0) { buffer_size = bit_size = 0; buffer = NULL; ret = AVERROR_INVALIDDATA; From 8d0631c8fa890a1a01c7289c0bf8b2ff44fe5b9c Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Sat, 19 Jan 2013 13:21:35 -0500 Subject: [PATCH 0068/1037] mpegvideo: fix loop condition in draw_line() The loop condition `x = ex' is incorrect. It should be `x <= ex'. This bug was introduced in commit c65dfac4 "mpegvideo.c: K&R formatting and cosmetics." CC:libav-stable@libav.org (cherry picked from commit 992b03183819553a73b4f870a710ef500b4eb6d0) Signed-off-by: Luca Barbato --- libavcodec/mpegvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 0b6ddb956c..10b13b552e 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1658,7 +1658,7 @@ static void draw_line(uint8_t *buf, int sx, int sy, int ex, int ey, buf += sx + sy * stride; ex -= sx; f = ((ey - sy) << 16) / ex; - for (x = 0; x = ex; x++) { + for (x = 0; x <= ex; x++) { y = (x * f) >> 16; fr = (x * f) & 0xFFFF; buf[y * stride + x] += (color * (0x10000 - fr)) >> 16; From edc00dea020b44aef9ced46a7f36acba62d89133 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Jan 2013 00:42:42 +0100 Subject: [PATCH 0069/1037] update for 1.1.1 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 9459d4ba2a..524cb55242 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1 +1.1.1 diff --git a/VERSION b/VERSION index b123147e2a..524cb55242 100644 --- a/VERSION +++ b/VERSION 
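Review bot: In draw_line (libavcodec/mpegvideo.c), the context line `f = ((ey - sy) << 16) / ex;` left-shifts a value that is negative whenever `ey < sy`, which is undefined behaviour in C. Writing it as `f = ((ey - sy) * (1 << 16)) / ex;` gives the same slope without shifting a negative operand. The same line divides by `ex` right after `ex -= sx`, and whether `ex == 0` is excluded is decided above the hunk, so a short comment stating that precondition next to the division would help. The function starts and ends outside the hunk.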
@@ -1 +1 @@ -1.1 \ No newline at end of file +1.1.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index d84dccffe5..6aa67f3e34 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1 +PROJECT_NUMBER = 1.1.1 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 01050448cfbc0ba5a3dc83138c44848692be7f9c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 20 Jan 2013 05:10:32 +0100 Subject: [PATCH 0070/1037] get_bits: change the failure condition in init_get_bits Too much code relies in having init_get_bits fed with a valid buffer and set its dimension to 0. Check for NULL buffer instead. (cherry picked from commit 4603ec85ed620e585fc6e2e072c99858ed421855) Signed-off-by: Luca Barbato --- libavcodec/get_bits.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 12770a29a0..ffa065600b 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -375,7 +375,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, int buffer_size; int ret = 0; - if (bit_size > INT_MAX - 7 || bit_size <= 0) { + if (bit_size > INT_MAX - 7 || bit_size < 0 || !buffer) { buffer_size = bit_size = 0; buffer = NULL; ret = AVERROR_INVALIDDATA; From 1a28948eb3e5aaab1ed5dba7a9bc93b486995954 Mon Sep 17 00:00:00 2001 
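Review bot: The new condition in init_get_bits (patch 0070, libavcodec/get_bits.h) accepts a zero-length reader over a valid buffer but fails for a NULL buffer even when `bit_size` is 0, and this changed contract is not documented at the function. Any caller outside this hunk that passes a NULL/0 pair for absent data now gets AVERROR_INVALIDDATA and has to check the return value. A doc line such as `@return 0 on success, AVERROR_INVALIDDATA if buffer is NULL or bit_size is negative or too large` on init_get_bits would make that explicit. The function body continues outside the hunk.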
From: Janne Grunau Date: Sun, 20 Jan 2013 14:48:35 +0100 Subject: [PATCH 0071/1037] videodsp_armv5te: remove #if HAVE_ARMV5TE_EXTERNAL libavutil/arm/asm.S sets '.arch' depending on HAVE_ARMV5TE so that assembling armv5te code will always succeed even if the default -march flag does not support it. HAVE_ARMV5TE_EXTERNAL tests assembling code with the default arch. Fixes the missing symbol ff_prefetch_arm with --cpu= not including armv5te. CC: libav-stable@libav.org --- libavcodec/arm/videodsp_armv5te.S | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/arm/videodsp_armv5te.S b/libavcodec/arm/videodsp_armv5te.S index 96e92d5a73..120069db03 100644 --- a/libavcodec/arm/videodsp_armv5te.S +++ b/libavcodec/arm/videodsp_armv5te.S @@ -22,7 +22,6 @@ #include "config.h" #include "libavutil/arm/asm.S" -#if HAVE_ARMV5TE_EXTERNAL function ff_prefetch_arm, export=1 subs r2, r2, #1 pld [r0] @@ -30,4 +29,3 @@ function ff_prefetch_arm, export=1 bne ff_prefetch_arm bx lr endfunc -#endif From 33769e908dacbee82a6a33189d2ccb9c7127778c Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 24 Jan 2013 02:30:40 +0100 Subject: [PATCH 0072/1037] matroskaenc: add codec_tag lists back. This reverts 312645e : "Do not set codec_tag property for matroska muxers." Also adds dummy codec_tag lists with codecs supported in mkv but not in wav / avi. Fixes ticket #2169. (cherry picked from commit df39c3ce385c02cbd8046298578ea7454c0a0f81) --- libavformat/matroska.c | 3 +++ libavformat/matroskaenc.c | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/libavformat/matroska.c b/libavformat/matroska.c index 64d0a459b4..9ea904ac8c 100644 --- a/libavformat/matroska.c +++ b/libavformat/matroska.c 
@@ -21,6 +21,9 @@ #include "matroska.h" +/* If you add a tag here that is not in ff_codec_bmp_tags[] + or ff_codec_wav_tags[], add it also to additional_audio_tags[] + or additional_video_tags[] in matroskaenc.c */ const CodecTags ff_mkv_codec_tags[]={ {"A_AAC" , AV_CODEC_ID_AAC}, {"A_AC3" , AV_CODEC_ID_AC3}, diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 1840f90b22..12efbe2b8f 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1353,6 +1353,33 @@ static int mkv_query_codec(enum AVCodecID codec_id, int std_compliance) return 0; } +const AVCodecTag additional_audio_tags[] = { + { AV_CODEC_ID_ALAC, 0XFFFFFFFF }, + { AV_CODEC_ID_EAC3, 0XFFFFFFFF }, + { AV_CODEC_ID_MLP, 0xFFFFFFFF }, + { AV_CODEC_ID_OPUS, 0xFFFFFFFF }, + { AV_CODEC_ID_PCM_S16BE, 0xFFFFFFFF }, + { AV_CODEC_ID_PCM_S24BE, 0xFFFFFFFF }, + { AV_CODEC_ID_PCM_S32BE, 0xFFFFFFFF }, + { AV_CODEC_ID_QDM2, 0xFFFFFFFF }, + { AV_CODEC_ID_RA_144, 0xFFFFFFFF }, + { AV_CODEC_ID_RA_288, 0xFFFFFFFF }, + { AV_CODEC_ID_COOK, 0xFFFFFFFF }, + { AV_CODEC_ID_TRUEHD, 0xFFFFFFFF }, + { AV_CODEC_ID_TTA, 0xFFFFFFFF }, + { AV_CODEC_ID_WAVPACK, 0xFFFFFFFF }, + { AV_CODEC_ID_NONE, 0xFFFFFFFF } +}; + +const AVCodecTag additional_video_tags[] = { + { AV_CODEC_ID_PRORES, 0xFFFFFFFF }, + { AV_CODEC_ID_RV10, 0xFFFFFFFF }, + { AV_CODEC_ID_RV20, 0xFFFFFFFF }, + { AV_CODEC_ID_RV30, 0xFFFFFFFF }, + { AV_CODEC_ID_RV40, 0xFFFFFFFF }, + { AV_CODEC_ID_NONE, 0xFFFFFFFF } +}; + #if CONFIG_MATROSKA_MUXER AVOutputFormat ff_matroska_muxer = { .name = "matroska", @@ -1369,6 +1396,10 @@ AVOutputFormat ff_matroska_muxer = { .write_trailer = mkv_write_trailer, .flags = AVFMT_GLOBALHEADER | AVFMT_VARIABLE_FPS | AVFMT_TS_NONSTRICT, + .codec_tag = (const AVCodecTag* const []){ + ff_codec_bmp_tags, ff_codec_wav_tags, + additional_audio_tags, additional_video_tags, 0 + }, .subtitle_codec = AV_CODEC_ID_SSA, .query_codec = mkv_query_codec, }; 
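Review bot: `additional_audio_tags` and `additional_video_tags` in libavformat/matroskaenc.c are defined as non-static `const AVCodecTag` arrays without an `ff_` prefix, so they become global symbols of the library. As far as the visible hunks show, only the muxer definitions in the same file use them. Declare them `static const AVCodecTag additional_audio_tags[]` and `static const AVCodecTag additional_video_tags[]`. The first two initialisers are also spelled `0XFFFFFFFF` while the rest use `0xFFFFFFFF`, and one spelling should be used throughout.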
@@ -1405,5 +1436,8 @@ AVOutputFormat ff_matroska_audio_muxer = { .write_packet = mkv_write_packet, .write_trailer = mkv_write_trailer, .flags = AVFMT_GLOBALHEADER | AVFMT_TS_NONSTRICT, + .codec_tag = (const AVCodecTag* const []){ + ff_codec_wav_tags, additional_audio_tags, 0 + }, }; #endif From 62de693a17f9b107be7867d822d5accacd4be544 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 23 Jan 2013 21:38:41 +0200 Subject: [PATCH 0073/1037] rtp: Make sure priv_data is set before reading it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes crashes with muxing H263 into RTSP. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e90820d4f815c15796e642467cdddbad755212a2) Signed-off-by: Martin Storsjö --- libavformat/rtp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtp.c b/libavformat/rtp.c index 38b2348d45..9a7d44b0b4 100644 --- a/libavformat/rtp.c +++ b/libavformat/rtp.c @@ -108,7 +108,7 @@ int ff_rtp_get_payload_type(AVFormatContext *fmt, for (i = 0; AVRtpPayloadTypes[i].pt >= 0; ++i) if (AVRtpPayloadTypes[i].codec_id == codec->codec_id) { if (codec->codec_id == AV_CODEC_ID_H263 && (!fmt || - !fmt->oformat->priv_class || + !fmt->oformat->priv_class || !fmt->priv_data || !av_opt_flag_is_set(fmt->priv_data, "rtpflags", "rfc2190"))) continue; /* G722 has 8000 as nominal rate even if the sample rate is 16000, From 348cd84fc82eadd3ad81ed84b1ca7b88dcc0ccb2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 23 Jan 2013 23:21:52 +0200 Subject: [PATCH 0074/1037] rtp: Make sure the output format pointer is set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Not sure if this actually happens, but we do the same check when checking payload_type further above in the function, so it might be needed. 
Signed-off-by: Martin Storsjö (cherry picked from commit 932117171f32fc3160f3d92943290238945fcb28) Signed-off-by: Martin Storsjö --- libavformat/rtp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtp.c b/libavformat/rtp.c index 9a7d44b0b4..eab8271c4f 100644 --- a/libavformat/rtp.c +++ b/libavformat/rtp.c @@ -107,7 +107,7 @@ int ff_rtp_get_payload_type(AVFormatContext *fmt, /* static payload type */ for (i = 0; AVRtpPayloadTypes[i].pt >= 0; ++i) if (AVRtpPayloadTypes[i].codec_id == codec->codec_id) { - if (codec->codec_id == AV_CODEC_ID_H263 && (!fmt || + if (codec->codec_id == AV_CODEC_ID_H263 && (!fmt || !fmt->oformat || !fmt->oformat->priv_class || !fmt->priv_data || !av_opt_flag_is_set(fmt->priv_data, "rtpflags", "rfc2190"))) continue; From a856623e87d34f21915b51d1d4032be0330d7bfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 23 Jan 2013 23:25:09 +0200 Subject: [PATCH 0075/1037] rtpenc_chain: Use the original AVFormatContext for getting payload type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In ff_rtp_get_payload_type, the AVFormatContext is used for checking whether the payload_type or rtpflags options are set. In rtpenc_chain, the rtpctx struct is a newly initialized struct where no options have been set yet, so no options can be fetched from there. All muxers that internally chain rtp muxers have the "rtpflags" field that allows passing such options on (which is how this worked before 8034130e06), so this works just as intended. This makes it possible to produce H263 in RFC2190 format with chained RTP muxers. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 4a4a7e138c92901e04db46a6b05cc6948023e5f5) Signed-off-by: Martin Storsjö --- libavformat/rtpenc_chain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpenc_chain.c b/libavformat/rtpenc_chain.c index 3c297eb97b..935dd6cd31 100644 
--- a/libavformat/rtpenc_chain.c +++ b/libavformat/rtpenc_chain.c @@ -62,7 +62,7 @@ int ff_rtp_chain_mux_open(AVFormatContext **out, AVFormatContext *s, /* Get the payload type from the codec */ if (st->id < RTP_PT_PRIVATE) rtpctx->streams[0]->id = - ff_rtp_get_payload_type(rtpctx, st->codec, idx); + ff_rtp_get_payload_type(s, st->codec, idx); else rtpctx->streams[0]->id = st->id; From d7e7e12abc7e7451aad94225c25c679edc71378c Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 16 Jan 2013 14:15:57 -0500 Subject: [PATCH 0076/1037] lavr: call mix_function_init() in ff_audio_mix_set_matrix() This is needed if a custom matrix is set by the user after opening the AVAudioResampleContext because the matrix channel count can change if different mixing coefficients are used. CC:libav-stable@libav.org (cherry picked from commit f07ef2d9c9e9d1e84c532e9102594834e88a5c83) Conflicts: libavresample/audio_mix.c --- libavresample/audio_mix.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/libavresample/audio_mix.c b/libavresample/audio_mix.c index 2b3d9f1f7a..c0560288a5 100644 --- a/libavresample/audio_mix.c +++ b/libavresample/audio_mix.c @@ -401,10 +401,6 @@ AudioMix *ff_audio_mix_alloc(AVAudioResampleContext *avr) av_free(matrix_dbl); } - ret = mix_function_init(am); - if (ret < 0) - goto error; - return am; error: @@ -544,8 +540,5 @@ int ff_audio_mix_set_matrix(AudioMix *am, const double *matrix, int stride) return AVERROR(EINVAL); } - /* TODO: detect situations where we can just swap around pointers - instead of doing matrix multiplications with 0.0 and 1.0 */ - - return 0; + return mix_function_init(am); } From 8d55c2441c67ddd858ed829b3f17779bd63ae509 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 24 Jan 2013 12:02:57 +0100 Subject: [PATCH 0077/1037] Prepare for 9.2 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 28a2186428..1a2c3557ba 100644 --- a/RELEASE +++ b/RELEASE 
@@ -1 +1 @@ -9.1 +9.2 From 302094e1d2ea1cb59ca60d194452af9be55f43af Mon Sep 17 00:00:00 2001 From: Michael Karcher Date: Fri, 25 Jan 2013 20:44:50 +0100 Subject: [PATCH 0078/1037] Fix atrac3 decoder broken in e55d53905f34f8e8747f6d321e9a695dc02ebb2f Signed-off-by: Michael Karcher Signed-off-by: Michael Niedermayer (cherry picked from commit dcbb920f1587d1fce777aae947a49304665436b5) --- libavcodec/atrac3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 56efa19466..84c5c11fca 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -518,7 +518,7 @@ static int add_tonal_components(float *spectrum, int num_components, output = &spectrum[components[i].pos]; for (j = 0; j < components[i].num_coefs; j++) - output[i] += input[i]; + output[j] += input[j]; } return last_pos; From c2d2bf1d6bf1119efbb014ed8c53d54b713528d9 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 26 Jan 2013 11:58:36 +0000 Subject: [PATCH 0079/1037] lavc/iff: ilbm: unbreak decoding on big endian Fixes ticket #2192. Signed-off-by: Paul B Mahol (cherry picked from commit 25c75525bf1da38179ec67924f0be7a2bd8faa0d) --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index c4672b8f91..bebf6a5272 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -341,7 +341,7 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_RGB444; } else if (avctx->codec_tag != MKTAG('D','E','E','P')) { if (avctx->bits_per_coded_sample == 24) { - avctx->pix_fmt = AV_PIX_FMT_RGB0; + avctx->pix_fmt = AV_PIX_FMT_0BGR32; } else if (avctx->bits_per_coded_sample == 32) { avctx->pix_fmt = AV_PIX_FMT_BGR32; } else { From fb876e457279ba5c9b3ca153955a3dec7e9030de Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 27 Jan 2013 20:25:21 +0900 Subject: [PATCH 0080/1037] lavf/srtdec: do not try to queue empty subtitle chunks. Regression since 3af3a30. Fixes Ticket2167. (cherry picked from commit f2b6aabd3da7d0d15c7cea0a9fb649b530e2d3cb) --- libavformat/srtdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index 809d1d064a..76e06e4165 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -100,6 +100,8 @@ static int srt_read_header(AVFormatContext *s) pts = get_pts(&ptr, &duration, &x1, &y1, &x2, &y2); if (pts != AV_NOPTS_VALUE) { int len = buf.len - (ptr - buf.str); + if (len <= 0) + continue; sub = ff_subtitles_queue_insert(&srt->q, ptr, len, 0); if (!sub) { res = AVERROR(ENOMEM); From 59f7d583a3e467843c57278ec320efddf28097d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Jan 2013 04:14:09 +0100 Subject: [PATCH 0081/1037] mpeg1enc: Disable threads for resolutions too large for multi-threading Signed-off-by: Michael Niedermayer (cherry picked from commit 0c6b0409af070a3bfb02b55fde8ba18219edc76b) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12enc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index cda1464c86..f2b5c05f0d 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -145,6 +145,9 @@ static av_cold int encode_init(AVCodecContext *avctx) { MpegEncContext *s = avctx->priv_data; + if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO && avctx->height > 2800) + avctx->thread_count = 1; + if(ff_MPV_encode_init(avctx) < 0) return -1; From ea2d44503f0822367cb467adf6d3ed43cf4ce418 Mon Sep 17 00:00:00 2001 
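Review bot: In encode_init (libavcodec/mpeg12enc.c), the threshold in `avctx->height > 2800` is an unexplained constant, and `avctx->thread_count` is overridden without any message. The commit message says only that the resolution is too large for multi-threading, so add a comment naming the limit that 2800 is derived from. Consider logging the change as well, for example `av_log(avctx, AV_LOG_WARNING, "Disabling threads for this frame height\n");`, so that a user who asked for threads can see why they were not used.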
From: Xi Wang Date: Tue, 22 Jan 2013 20:58:07 -0500 Subject: [PATCH 0082/1037] rtpenc: fix overflow checking in avc_mp4_find_startcode() The check `start + res < start' is broken since pointer overflow is undefined behavior in C. Many compilers such as gcc/clang optimize away this check. Use `res > end - start' instead. Also change `res' to unsigned int to avoid signed left-shift overflow. Signed-off-by: Xi Wang Signed-off-by: Michael Niedermayer (cherry picked from commit 2f014567cfd63e58156f60666f1a61ba147276ab) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpenc_h264.c b/libavformat/rtpenc_h264.c index 68f497590b..b6c16e17d8 100644 --- a/libavformat/rtpenc_h264.c +++ b/libavformat/rtpenc_h264.c @@ -31,14 +31,14 @@ static const uint8_t *avc_mp4_find_startcode(const uint8_t *start, const uint8_t *end, int nal_length_size) { - int res = 0; + unsigned int res = 0; if (end - start < nal_length_size) return NULL; while (nal_length_size--) res = (res << 8) | *start++; - if (start + res > end || res < 0 || start + res < start) + if (res > end - start) return NULL; return start + res; From b54c155f5b18b0ce8e47e73d27f657e592f9072d Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Tue, 22 Jan 2013 17:49:29 -0500 Subject: [PATCH 0083/1037] rtmp: fix multiple broken overflow checks Sanity checks like `data + size >= data_end || data + size < data' are broken, because `data + size < data' assumes pointer overflow, which is undefined behavior in C. Many compilers such as gcc/clang optimize such checks away. Use `size < 0 || size >= data_end - data' instead. Signed-off-by: Xi Wang Signed-off-by: Michael Niedermayer (cherry picked from commit 902cfe2f74d777a7dc20ac68f2393b9f84b790c1) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
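Review bot: avc_mp4_find_startcode in libavformat/rtpenc_h264.c still does not validate `nal_length_size`. A value above 4 silently shifts the high bytes out of the 32-bit `res`, and a negative value passes the `end - start < nal_length_size` test and makes `while (nal_length_size--)` read far beyond the buffer. The range is set by the caller outside the hunk, so this may already be guaranteed; if it is not, add `if (nal_length_size < 1 || nal_length_size > 4) return NULL;` at the top. The new `res > end - start` test mixes `unsigned int` with `ptrdiff_t` and is correct only because the earlier length check keeps the difference non-negative, which deserves a one-line comment.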
diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 04724f7b9c..078a832812 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -356,11 +356,11 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) data++; break; } - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return -1; data += size; t = ff_amf_tag_size(data, data_end); - if (t < 0 || data + t >= data_end) + if (t < 0 || t >= data_end - data) return -1; data += t; } @@ -389,7 +389,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, int size = bytestream_get_be16(&data); if (!size) break; - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return -1; data += size; if (size == namelen && !memcmp(data-size, name, namelen)) { @@ -410,7 +410,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, return 0; } len = ff_amf_tag_size(data, data_end); - if (len < 0 || data + len >= data_end || data + len < data) + if (len < 0 || len >= data_end - data) return -1; data += len; } @@ -481,13 +481,13 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d data++; break; } - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); ff_amf_tag_contents(ctx, data, data_end); t = ff_amf_tag_size(data, data_end); - if (t < 0 || data + t >= data_end) + if (t < 0 || t >= data_end - data) return; data += t; } From c2d11275f7cf34d69a033235d26fd45aab96d5e9 Mon Sep 17 00:00:00 2001 
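Review bot: The rewritten checks in libavformat/rtmppkt.c (`size >= data_end - data`, `len >= data_end - data`) guarantee only that at least one byte remains after the skip. In ff_amf_get_field_value the loop body shown in the hunk at -389 begins with `bytestream_get_be16(&data)`, which reads two bytes. Unless the loop head outside the hunks re-checks the remaining length, a field ending one byte before `data_end` gives a one-byte over-read on the next iteration. A guard such as `if (data_end - data < 2) return -1;` before the 16-bit read would close that. The loops in ff_amf_tag_size and ff_amf_tag_contents appear to follow the same pattern and should get the same guard.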
From: Xi Wang Date: Tue, 22 Jan 2013 21:40:05 -0500 Subject: [PATCH 0084/1037] rtmp: fix buffer overflows in ff_amf_tag_contents() A negative `size' will bypass FFMIN(). In the subsequent memcpy() call, `size' will be considered as a large positive value, leading to a buffer overflow. Change the type of `size' to unsigned int to avoid buffer overflow, and simplify overflow checks accordingly. Signed-off-by: Xi Wang Signed-off-by: Michael Niedermayer (cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 078a832812..3bd28eb614 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -440,7 +440,7 @@ static const char* rtmp_packet_type(int type) static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end) { - int size; + unsigned int size; char buf[1024]; if (data >= data_end) @@ -459,7 +459,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d } else { size = bytestream_get_be32(&data); } - size = FFMIN(size, 1023); + size = FFMIN(size, sizeof(buf) - 1); memcpy(buf, data, size); buf[size] = 0; av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf); @@ -472,16 +472,15 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d case AMF_DATA_TYPE_OBJECT: av_log(ctx, AV_LOG_DEBUG, " {\n"); for (;;) { - int size = bytestream_get_be16(&data); int t; - memcpy(buf, data, size); - buf[size] = 0; + size = bytestream_get_be16(&data); + av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1)); if (!size) { av_log(ctx, AV_LOG_DEBUG, " }\n"); data++; break; } - if (size < 0 || size >= data_end - data) + if (size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); From f4fb841ad13bab66d4fb0c7ff2a94770df7815d8 Mon Sep 17 00:00:00 2001 
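Review bot: In ff_amf_tag_contents (libavformat/rtmppkt.c) the copies are now bounded by `buf` but not by the input. In the string case `memcpy(buf, data, size)` follows `size = FFMIN(size, sizeof(buf) - 1)` with no comparison against `data_end - data`, and in the object loop `av_strlcpy(buf, data, ...)` runs before the `size >= data_end - data` test. A truncated packet can therefore make this debug-logging path read past `data_end`, and av_strlcpy (as implemented in libavutil) also runs strlen() over its source to compute the return value, although the source is not NUL-terminated here. Move the length test ahead of both copies, e.g. `if (size >= data_end - data) return;`, and in the object loop copy with `memcpy(buf, data, FFMIN(size, sizeof(buf) - 1));` followed by explicit termination. The function begins and ends outside the hunks.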
From: Michael Niedermayer Date: Tue, 22 Jan 2013 21:30:20 +0100 Subject: [PATCH 0085/1037] sanm: check image dimensions before using them Avoids integer overflows and out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 49b729d3af8464de431362e6c5b3027102bc2f88) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 7432fa273f..ff70f206e6 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -26,6 +26,7 @@ #include "bytestream.h" #include "internal.h" #include "libavutil/bswap.h" +#include "libavutil/imgutils.h" #include "libavcodec/dsputil.h" #include "sanm_data.h" @@ -716,8 +717,11 @@ static int process_frame_obj(SANMVideoContext *ctx) h = bytestream2_get_le16u(&ctx->gb); if (ctx->width < left + w || ctx->height < top + h) { - ctx->avctx->width = FFMAX(left + w, ctx->width); - ctx->avctx->height = FFMAX(top + h, ctx->height); + if (av_image_check_size(FFMAX(left + w, ctx->width), + FFMAX(top + h, ctx->height), 0, ctx->avctx) < 0) + return AVERROR_INVALIDDATA; + avcodec_set_dimensions(ctx->avctx, FFMAX(left + w, ctx->width), + FFMAX(top + h, ctx->height)); init_sizes(ctx, left + w, top + h); if (init_buffers(ctx)) { av_log(ctx->avctx, AV_LOG_ERROR, "error resizing buffers\n"); From 5c316acaa08e3f3aaf8dd7725dae245ce2e1f2d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Jan 2013 18:49:46 +0100 Subject: [PATCH 0086/1037] ffmpeg: copy tmcd track timebase parameters Fixes part of Ticket2045 Signed-off-by: Michael Niedermayer (cherry picked from commit bee044d7c261a9e488ee14705814361694b9acdb) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ffmpeg.c b/ffmpeg.c index acaa523170..75debe9022 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
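Review bot: `init_sizes(ctx, left + w, top + h);` in process_frame_obj (libavcodec/sanm.c) is not given the values that the new code validates and passes to avcodec_set_dimensions(), which are `FFMAX(left + w, ctx->width)` and `FFMAX(top + h, ctx->height)`. When only one of the two comparisons in the enclosing `if` is true, the other argument is smaller than the current dimension. Assuming init_sizes (outside the hunk) sizes the internal buffers from its arguments, those buffers can end up smaller than the dimensions just set on `ctx->avctx`. Pass the same maxima: `init_sizes(ctx, FFMAX(left + w, ctx->width), FFMAX(top + h, ctx->height));`.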
@@ -2100,6 +2100,12 @@ static int transcode_init(void) codec->time_base.num *= icodec->ticks_per_frame; } } + if ( codec->codec_tag == AV_RL32("tmcd") + && icodec->time_base.num < icodec->time_base.den + && icodec->time_base.num > 0 + && 121LL*icodec->time_base.num > icodec->time_base.den) { + codec->time_base = icodec->time_base; + } if(ost->frame_rate.num) codec->time_base = av_inv_q(ost->frame_rate); From 5589549c1d9e3ebb8b355b2b17846c06e2a9f754 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Jan 2013 18:51:49 +0100 Subject: [PATCH 0087/1037] movenc: Calculate fps for tmcd without intermediate step. Fixes part of Ticket2045 Signed-off-by: Michael Niedermayer (cherry picked from commit 9362f31b55510142eefa6d0cc26013a30bd4fc51) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index f08aa7e0db..d9b002e0b5 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1147,7 +1147,7 @@ static int mov_write_tmcd_tag(AVIOContext *pb, MOVTrack *track) { int64_t pos = avio_tell(pb); int frame_duration = av_rescale(track->timescale, track->enc->time_base.num, track->enc->time_base.den); - int nb_frames = (track->timescale + frame_duration/2) / frame_duration; + int nb_frames = 1.0/av_q2d(track->enc->time_base) + 0.5; avio_wb32(pb, 0); /* size */ ffio_wfourcc(pb, "tmcd"); /* Data format */ From bfd586577cbe22f863d5620fa2a85f5f5bb3c9e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Jan 2013 18:52:35 +0100 Subject: [PATCH 0088/1037] movenc: check that fps for tmcd is within encodable range. The fps is stored as a 8 bit value thus 255 is the maximum encodable. Signed-off-by: Michael Niedermayer (cherry picked from commit 55d66b27902d3f566cd6cf6f08d4233dcdc338f5) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++++ 1 file changed, 5 insertions(+) 
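Review bot: The constant in `121LL*icodec->time_base.num > icodec->time_base.den` in the transcode_init() hunk is unexplained. Together with `num < den` and `num > 0` the condition accepts input time bases between 1/121 and 1 second, but the reason for 121 is not stated. A comment such as `/* tmcd: keep the input time base only when it looks like a frame duration (1 < fps < 121) */` would record the intent, and a named constant would help if the limit comes from the tmcd writer. The unchanged `if(ost->frame_rate.num)` below still overrides the copied value. The function starts and continues outside the hunk.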
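Review bot: `int nb_frames = 1.0/av_q2d(track->enc->time_base) + 0.5;` in mov_write_tmcd_tag() divides by the time base without a guard. A zero numerator yields a division by 0.0, and converting the resulting infinity, or any value outside the `int` range, to `int` is undefined behaviour. Nothing in the hunk establishes `time_base.num > 0`, so add `if (track->enc->time_base.num <= 0) return AVERROR(EINVAL);` and use the integer form `av_rescale(1, track->enc->time_base.den, track->enc->time_base.num)`, which rounds to nearest like the `+ 0.5` does. `frame_duration` on the line above is still computed; if nothing later in the function (outside the hunk) reads it, it can be removed.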
diff --git a/libavformat/movenc.c b/libavformat/movenc.c index d9b002e0b5..1b851c03dd 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1149,6 +1149,11 @@ static int mov_write_tmcd_tag(AVIOContext *pb, MOVTrack *track) int frame_duration = av_rescale(track->timescale, track->enc->time_base.num, track->enc->time_base.den); int nb_frames = 1.0/av_q2d(track->enc->time_base) + 0.5; + if (nb_frames > 255) { + av_log(NULL, AV_LOG_ERROR, "fps %d is too large\n", nb_frames); + return AVERROR(EINVAL); + } + avio_wb32(pb, 0); /* size */ ffio_wfourcc(pb, "tmcd"); /* Data format */ avio_wb32(pb, 0); /* Reserved */ From 3d67f52f9dcc60cd3a660ea363762575f3779df7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 25 Jan 2013 23:16:23 +0200 Subject: [PATCH 0089/1037] arm: vp8: Fix the plain-armv6 version of vp8_luma_dc_wht MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This makes the plain-armv6 version use the same registers as the armv6t2 version above. This fixes fate-vp8 on plain-armv6 devices. Signed-off-by: Martin Storsjö (cherry picked from commit 2026eb1408a718c37835eb4b258c63714ab3205e) Signed-off-by: Martin Storsjö --- libavcodec/arm/vp8dsp_armv6.S | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/arm/vp8dsp_armv6.S b/libavcodec/arm/vp8dsp_armv6.S index fd254ccc30..4047aabc13 100644 --- a/libavcodec/arm/vp8dsp_armv6.S +++ b/libavcodec/arm/vp8dsp_armv6.S @@ -124,14 +124,14 @@ function ff_vp8_luma_dc_wht_armv6, export=1 sbfx r1, r9, #3, #13 sbfx r10, r4, #3, #13 #else - sxth r8, r8 - sxth r7, r7 - sxth r9, r9 - sxth r4, r4 - asr r8, #3 @ block[0][0] - asr r7, #3 @ block[0][1] - asr r9, #3 @ block[0][2] - asr r4, #3 @ block[0][3] + sxth r6, r8 + sxth r12, r7 + sxth r1, r9 + sxth r10, r4 + asr r6, #3 @ block[0][0] + asr r12, #3 @ block[0][1] + asr r1, #3 @ block[0][2] + asr r10, #3 @ block[0][3] #endif strh r6, [r0], #32 
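Review bot: The new range check in mov_write_tmcd_tag() has only an upper bound. `if (nb_frames > 255)` lets zero and negative values through, and since the commit message says the value is stored in 8 bits, those would presumably be written truncated. Assuming a frame count below 1 is not meaningful for tmcd, `if (nb_frames < 1 || nb_frames > 255)` with the message `"fps %d is out of range\n"` covers both ends. `av_log(NULL, ...)` also drops the logging context, although no AVFormatContext is visible in this function's signature, so passing one in may need a wider change. The function continues outside the hunk.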
From 54e19092fd6084ed8e11f071853a0dca18e0d920 Mon Sep 17 00:00:00 2001 From: Peter Ross Date: Sun, 6 Jan 2013 14:15:24 +1100 Subject: [PATCH 0090/1037] wtvdec: demux thumbnail picture to AVStream.attached_pic Fixes ticket #2133. (cherry picked from commit 508836932fcbc3c109fcc4df7a2f2b0bf21bbece) --- libavformat/wtvdec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index ee80719332..5e9c817856 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -414,6 +414,7 @@ static void get_attachment(AVFormatContext *s, AVIOContext *pb, int length) char description[1024]; unsigned int filesize; AVStream *st; + int ret; int64_t pos = avio_tell(pb); avio_get_str16le(pb, INT_MAX, mime, sizeof(mime)); @@ -430,13 +431,14 @@ static void get_attachment(AVFormatContext *s, AVIOContext *pb, int length) if (!st) goto done; av_dict_set(&st->metadata, "title", description, 0); + st->codec->codec_type = AVMEDIA_TYPE_VIDEO; st->codec->codec_id = AV_CODEC_ID_MJPEG; - st->codec->codec_type = AVMEDIA_TYPE_ATTACHMENT; - st->codec->extradata = av_mallocz(filesize); - if (!st->codec->extradata) + ret = av_get_packet(pb, &st->attached_pic, filesize); + if (ret < 0) goto done; - st->codec->extradata_size = filesize; - avio_read(pb, st->codec->extradata, filesize); + st->attached_pic.stream_index = st->index; + st->attached_pic.flags |= AV_PKT_FLAG_KEY; + st->disposition |= AV_DISPOSITION_ATTACHED_PIC; done: avio_seek(pb, pos + length, SEEK_SET); } From 9bcb84810f535ae89e698e4298fc9ac4d986eebe Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 1 Feb 2013 17:54:48 +0100 Subject: [PATCH 0091/1037] doc/muxers.texi: Fix mp3 picture attachment documentation. (cherry picked from commit 99eedfc40086972987aa27df8b1259c8bf15b20c) --- doc/muxers.texi | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/muxers.texi b/doc/muxers.texi index fb642847e1..3c6415f112 100644 --- a/doc/muxers.texi 
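Review bot: `filesize` is an `unsigned int` that reaches `av_get_packet(pb, &st->attached_pic, filesize)` in the `@@ -430` hunk without a range check, and that function takes an `int` size. The value is presumably read from the file (the read is outside the hunk), so anything above INT_MAX turns negative in the call, and nothing visible ties it to the record's `length`. Add a guard before the call, e.g. `if (filesize > INT_MAX) goto done;`, and ideally compare it with the bytes remaining in the record. A short read (`ret` smaller than `filesize`) is also accepted silently. On the `ret < 0` path the stream stays registered as MJPEG video with no attached picture.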
+++ b/doc/muxers.texi @@ -711,10 +711,11 @@ Write an mp3 with an ID3v2.3 header and an ID3v1 footer: ffmpeg -i INPUT -id3v2_version 3 -write_id3v1 1 out.mp3 @end example -Attach a picture to an mp3: +To attach a picture to an mp3 file select both the audio and the picture stream +with @code{map}: @example -ffmpeg -i input.mp3 -i cover.png -c copy -metadata:s:v title="Album cover" --metadata:s:v comment="Cover (Front)" out.mp3 +ffmpeg -i input.mp3 -i cover.png -c copy -map 0 -map 1 +-metadata:s:v title="Album cover" -metadata:s:v comment="Cover (Front)" out.mp3 @end example @c man end MUXERS From c8dace272829365905d67f6f2bf76668135472d5 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Fri, 1 Feb 2013 18:58:14 +0100 Subject: [PATCH 0092/1037] ffmpeg: fix broken channel_layout option Fixes ticket #2163. Signed-off-by: Michael Niedermayer (cherry picked from commit 5a67e30b1c71dc0a84779b543d95ca20faa8cbed) --- ffmpeg_opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 3af33e6996..46c917a357 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2148,7 +2148,7 @@ static int opt_channel_layout(void *optctx, const char *opt, const char *arg) return AVERROR(EINVAL); } snprintf(layout_str, sizeof(layout_str), "%"PRIu64, layout); - ret = opt_default(NULL, opt, layout_str); + ret = opt_default_new(o, opt, layout_str); if (ret < 0) return ret; From 3445bec6fc1de92a6ebef1ada2e5aa850fde9e94 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 1 Feb 2013 23:27:15 +0100 Subject: [PATCH 0093/1037] Do not change codec in flv streams if the user has forced a codec. Fixes ticket #2218. (cherry picked from commit 6a50e8a190bc1329fd3e76e8497bb7f870b6e69b) --- libavformat/flvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 09a77c4852..b57929eda1 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c 
@@ -713,13 +713,13 @@ static int flv_read_packet(AVFormatContext *s, AVPacket *pkt) st = s->streams[i]; if (stream_type == FLV_STREAM_TYPE_AUDIO) { if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && - flv_same_audio_codec(st->codec, flags)) { + (s->audio_codec_id || flv_same_audio_codec(st->codec, flags))) { break; } } else if (stream_type == FLV_STREAM_TYPE_VIDEO) { if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && - flv_same_video_codec(st->codec, flags)) { + (s->video_codec_id || flv_same_video_codec(st->codec, flags))) { break; } } else if (stream_type == FLV_STREAM_TYPE_DATA) { From 22561bc0e963cf75c20fb8efd846a343e807dfef Mon Sep 17 00:00:00 2001 From: Piotr Bandurski Date: Mon, 28 Jan 2013 03:42:07 +0100 Subject: [PATCH 0094/1037] aasc: fix 16bpp on big-endian Signed-off-by: Michael Niedermayer --- libavcodec/aasc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 0d4704fc3e..245951ab16 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -60,7 +60,7 @@ static av_cold int aasc_decode_init(AVCodecContext *avctx) } break; case 16: - avctx->pix_fmt = AV_PIX_FMT_RGB555; + avctx->pix_fmt = AV_PIX_FMT_RGB555LE; break; case 24: avctx->pix_fmt = AV_PIX_FMT_BGR24; From 6baa54924980e1f0e8121e4715d16ed1adcd2a23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Jan 2013 17:56:19 +0100 Subject: [PATCH 0095/1037] huffyuvdec: Check init_vlc() return codes. Prevents out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f67a0d115254461649470452058fa3c28c0df294) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 9c92bf3875..0bdd143dd2 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c 
@@ -124,6 +124,7 @@ static void generate_joint_tables(HYuvContext *s) int len1 = s->len[p][u]; if (len1 > limit) continue; + av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1; bits[i] = (s->bits[0][y] << len1) + s->bits[p][u]; symbols[i] = (y << 8) + u; @@ -158,6 +159,7 @@ static void generate_joint_tables(HYuvContext *s) int len2 = s->len[2][r & 255]; if (len2 > limit1) continue; + av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1 + len2; bits[i] = (code << len2) + s->bits[2][r & 255]; if (s->decorrelate) { @@ -182,6 +184,7 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length) { GetBitContext gb; int i; + int ret; init_get_bits(&gb, src, length * 8); @@ -192,8 +195,9 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length) return -1; } ff_free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, - s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, + s->bits[i], 4, 4, 0)) < 0) + return ret; } generate_joint_tables(s); @@ -205,6 +209,7 @@ static int read_old_huffman_tables(HYuvContext *s) { GetBitContext gb; int i; + int ret; init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size * 8); @@ -228,8 +233,9 @@ static int read_old_huffman_tables(HYuvContext *s) for (i = 0; i < 3; i++) { ff_free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, - s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, + s->bits[i], 4, 4, 0)) < 0) + return ret; } generate_joint_tables(s); From 75e88db33013eaa7ab74457f5556df677b4ffb42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Jan 2013 19:10:07 +0100 Subject: [PATCH 0096/1037] huffyuvdec: Skip len==0 cases Fixes vlc decoding for hypothetical files that would contain such cases. Signed-off-by: Michael Niedermayer (cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31) 
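Review bot: `av_assert0(i < (1 << VLC_BITS))` in generate_joint_tables() turns a table overflow into a process abort. The code lengths in `s->len[][]` are presumably filled from the bitstream by read_huffman_tables(), so if a crafted file can reach the bound, every application using the decoder is terminated instead of receiving an error. If the `limit` tests above already guarantee the invariant, say so in a comment next to the assert; otherwise generate_joint_tables(), which is `void` today, should return an error that the callers propagate like the new `init_vlc()` checks. The same applies to the second assert in the `@@ -158` hunk. In the `@@ -192` hunk the new `return ret;` also sits beside an existing `return -1;`, so read_huffman_tables() now reports failures in two conventions.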
Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 0bdd143dd2..8d849526ff 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -118,11 +118,11 @@ static void generate_joint_tables(HYuvContext *s) for (i = y = 0; y < 256; y++) { int len0 = s->len[0][y]; int limit = VLC_BITS - len0; - if(limit <= 0) + if(limit <= 0 || !len0) continue; for (u = 0; u < 256; u++) { int len1 = s->len[p][u]; - if (len1 > limit) + if (len1 > limit || !len1) continue; av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1; @@ -147,17 +147,17 @@ static void generate_joint_tables(HYuvContext *s) for (i = 0, g = -16; g < 16; g++) { int len0 = s->len[p0][g & 255]; int limit0 = VLC_BITS - len0; - if (limit0 < 2) + if (limit0 < 2 || !len0) continue; for (b = -16; b < 16; b++) { int len1 = s->len[p1][b & 255]; int limit1 = limit0 - len1; - if (limit1 < 1) + if (limit1 < 1 || !len1) continue; code = (s->bits[p0][g & 255] << len1) + s->bits[p1][b & 255]; for (r = -16; r < 16; r++) { int len2 = s->len[2][r & 255]; - if (len2 > limit1) + if (len2 > limit1 || !len2) continue; av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1 + len2; From 0e68b6ddce2945dd367b3d8566dde061b51332af Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Fri, 1 Feb 2013 10:27:45 +0100 Subject: [PATCH 0097/1037] Use proper "" quotes for local header #includes (cherry picked from commit 6c1a7d07eb41b4cf36e48ebb560fecd9504fd968) Conflicts: libavcodec/kbdwin.c --- libavcodec/arm/videodsp_init_armv5te.c | 2 +- libavcodec/kbdwin.c | 5 ++--- libavformat/rtp.c | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/arm/videodsp_init_armv5te.c b/libavcodec/arm/videodsp_init_armv5te.c index c6ca1146ea..d11a07061b 100644 --- a/libavcodec/arm/videodsp_init_armv5te.c +++ b/libavcodec/arm/videodsp_init_armv5te.c 
@@ -19,7 +19,7 @@ */ #include "libavutil/arm/cpu.h" -#include +#include "libavcodec/videodsp.h" #include "videodsp_arm.h" void ff_prefetch_arm(uint8_t *mem, ptrdiff_t stride, int h); diff --git a/libavcodec/kbdwin.c b/libavcodec/kbdwin.c index 2722312f11..5a62e9da2b 100644 --- a/libavcodec/kbdwin.c +++ b/libavcodec/kbdwin.c @@ -16,9 +16,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ - -#include -#include +#include "libavutil/avassert.h" +#include "libavutil/mathematics.h" #include "libavutil/attributes.h" #include "kbdwin.h" diff --git a/libavformat/rtp.c b/libavformat/rtp.c index 80e0c7d745..c8eebac5cb 100644 --- a/libavformat/rtp.c +++ b/libavformat/rtp.c @@ -19,7 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#include +#include "libavutil/opt.h" #include "avformat.h" #include "rtp.h" From 62c9beda0c189db5cb61fa772057e3af9521f293 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Jan 2013 00:27:10 +0100 Subject: [PATCH 0098/1037] sanm: Check decoded_size. This prevents a buffer overflow in rle_decode() Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7357ca900efcf829de4cce4cec6ddc286526d417) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index ff70f206e6..0f68e1d1ed 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -639,6 +639,11 @@ static int old_codec47(SANMVideoContext *ctx, int top, decoded_size = bytestream2_get_le32(&ctx->gb); bytestream2_skip(&ctx->gb, 8); + if (decoded_size > height * stride - left - top * stride) { + decoded_size = height * stride - left - top * stride; + av_log(ctx->avctx, AV_LOG_WARNING, "decoded size is too large\n"); + } + if (skip & 1) bytestream2_skip(&ctx->gb, 0x8080); if (!seq) { From 9547034f9120187e23ad76424dd4d70247e62212 Mon Sep 17 00:00:00 2001 
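Review bot: The limit `height * stride - left - top * stride` in the old_codec47() hunk is never checked for being negative. `decoded_size` is declared outside the hunk: if it is unsigned, a negative limit converts to a huge value and the clamp never fires, and if it is signed, a le32 value with the top bit set compares as negative and passes, or `decoded_size` is set to a negative count. Compute the bound once into a local declared at the top of the function, reject it first with `if (max_size < 0) return AVERROR_INVALIDDATA;`, and clamp with `if (decoded_size < 0 || decoded_size > max_size) decoded_size = max_size;`. This also removes the duplicated expression. The function starts and continues outside the hunk.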
From: Michael Niedermayer Date: Thu, 24 Jan 2013 23:11:10 +0100 Subject: [PATCH 0099/1037] gifdec: gif_copy_img_rect: Fix end pointer Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c10350358da58600884292c08a8690289b81de29) Signed-off-by: Michael Niedermayer --- libavcodec/gifdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index e5e84aea12..a916dfe8e7 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -118,7 +118,7 @@ static void gif_copy_img_rect(const uint32_t *src, uint32_t *dst, const uint32_t *src_px, *src_pr, *src_py = src + y_start, *dst_py = dst + y_start; - const uint32_t *src_pb = src_py + t * linesize; + const uint32_t *src_pb = src_py + h * linesize; uint32_t *dst_px; for (; src_py < src_pb; src_py += linesize, dst_py += linesize) { From f3d16706060ab6ae6dc78f15359fab3fd87c9495 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Jan 2013 06:11:59 +0100 Subject: [PATCH 0100/1037] vqavideo: check chunk sizes before reading chunks Fixes out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 19b8639c59..22ec309f82 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c 
@@ -537,6 +537,11 @@ static int vqa_decode_chunk(VqaContext *s) bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET); chunk_size = bytestream2_get_be32(&s->gb); + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X bytes)\n", chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index], chunk_size); @@ -560,6 +565,11 @@ static int vqa_decode_chunk(VqaContext *s) bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET); chunk_size = bytestream2_get_be32(&s->gb); + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X bytes)\n", chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index], chunk_size); From 47e462eecc0a47ad40f59376199f93f227e21d13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Jan 2013 20:37:27 +0100 Subject: [PATCH 0101/1037] aacdec: check channel count Prevent out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 239153a9f9..6c17c337f3 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -914,6 +914,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) } } + if (avctx->channels > MAX_CHANNELS) { + av_log(avctx, AV_LOG_ERROR, "Too many channels\n"); + return AVERROR_INVALIDDATA; + } + AAC_INIT_VLC_STATIC( 0, 304); AAC_INIT_VLC_STATIC( 1, 270); AAC_INIT_VLC_STATIC( 2, 550); From 3ef1538121fa6daeb1767510f1d4ae2c306c9fec Mon Sep 17 00:00:00 2001 
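Review bot: Both new size checks in vqa_decode_chunk() (cbp0 here and cbpz in the `@@ -560` hunk) assume `chunk_size` cannot be negative. Its declaration is outside the hunks; if it is a signed `int`, a be32 value with the top bit set compares below `MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index` and reaches `bytestream2_get_buffer()` as a negative count. The subtraction also relies on `next_codebook_buffer_index` never exceeding `MAX_CODEBOOK_SIZE`, which is not shown. Make the comparison unsigned or add `chunk_size < 0 ||` to both conditions. The two blocks differ only in the tag printed, so a small static helper would keep them in step.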
From: Michael Niedermayer Date: Tue, 29 Jan 2013 04:17:48 +0100 Subject: [PATCH 0102/1037] h264: check the pixel format directly and force a reinit on mismatches. The existing checks are insufficient to detect a pixel format changes in case of some damaged streams. Fixes inconsistency and later out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 11c99c78bafa77f679a1a3ba06ad00984b9a4cae) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 7ae778a58c..1152258fc5 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2765,7 +2765,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0) || s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))); - + if (h0->s.avctx->pix_fmt != get_pixel_format(h0)) + must_reinit = 1; s->mb_width = h->sps.mb_width; s->mb_height = h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag); From d3bec2473972ac68aef7e7c9340631dfbf84ffa7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Jan 2013 15:03:13 +0100 Subject: [PATCH 0103/1037] h264: Only apply error concealment if theres a frame MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without any correctly decoded slices, there can be no frame. Fixes out of array reads Found-by: Rafaël Carré Signed-off-by: Michael Niedermayer (cherry picked from commit 60af6c3138dc501a647bc69b374d5d33d5d86ab5) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1152258fc5..da144db987 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -2351,7 +2351,7 @@ static int field_end(H264Context *h, int in_setup) * past end by one (callers fault) and resync_mb_y != 0 * causes problems for the first MB line, too. */ - if (!FIELD_PICTURE) + if (!FIELD_PICTURE && h->current_slice) ff_er_frame_end(s); ff_MPV_frame_end(s); From eaa9d2cd6b8c1e2722d5bfc56ea67fde865200ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Feb 2013 21:11:54 +0100 Subject: [PATCH 0104/1037] h264: skip error concealment when SPS and slices are mismatching Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 695af8eed642ff0104834495652d1ee784a4c14d) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index da144db987..0aab4e7328 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2351,7 +2351,7 @@ static int field_end(H264Context *h, int in_setup) * past end by one (callers fault) and resync_mb_y != 0 * causes problems for the first MB line, too. */ - if (!FIELD_PICTURE && h->current_slice) + if (!FIELD_PICTURE && h->current_slice && !h->sps.new) ff_er_frame_end(s); ff_MPV_frame_end(s); From a55c274f519fad74b949a768e5d526775c4deaa6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Feb 2013 21:54:02 +0100 Subject: [PATCH 0105/1037] movtextenc: fix pointer messup and out of array accesses Fixes Ticket2213 Signed-off-by: Michael Niedermayer (cherry picked from commit b0635e2fcf80717dd618ef75d3317d62ed85c300) --- libavcodec/movtextenc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c index 7f1b5b830f..9b0a6c5bce 100644 --- a/libavcodec/movtextenc.c +++ b/libavcodec/movtextenc.c 
@@ -21,6 +21,7 @@ #include #include "avcodec.h" +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/intreadwrite.h" #include "ass_split.h" @@ -87,15 +88,18 @@ static av_cold int mov_text_encode_init(AVCodecContext *avctx) static void mov_text_text_cb(void *priv, const char *text, int len) { MovTextContext *s = priv; + av_assert0(s->end >= s->ptr); av_strlcpy(s->ptr, text, FFMIN(s->end - s->ptr, len + 1)); - s->ptr += len; + s->ptr += FFMIN(s->end - s->ptr, len); } static void mov_text_new_line_cb(void *priv, int forced) { MovTextContext *s = priv; + av_assert0(s->end >= s->ptr); av_strlcpy(s->ptr, "\n", FFMIN(s->end - s->ptr, 2)); - s->ptr++; + if (s->end > s->ptr) + s->ptr++; } static const ASSCodesCallbacks mov_text_callbacks = { From f6b50924a5fd4e83aff63f99107cb9475b68c972 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Feb 2013 22:57:35 +0100 Subject: [PATCH 0106/1037] dvenc: dont fail hard if the timecode is invalid Instead just dont store the timecode Fixes Ticket2187 Signed-off-by: Michael Niedermayer (cherry picked from commit f0eacbc760c8b27c2064cea5395e32971853c73c) --- libavformat/dvenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dvenc.c b/libavformat/dvenc.c index 0841d0e636..0b3811e838 100644 --- a/libavformat/dvenc.c +++ b/libavformat/dvenc.c @@ -376,8 +376,8 @@ static int dv_write_header(AVFormatContext *s) break; } } - if (tcr) - return av_timecode_init_from_string(&dvc->tc, rate, tcr->value, s); + if (tcr && av_timecode_init_from_string(&dvc->tc, rate, tcr->value, s) >= 0) + return 0; return av_timecode_init(&dvc->tc, rate, 0, 0, s); } From 5a97a5291a83d2053aa2380e36bda1998b7e24eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Feb 2013 18:31:27 +0100 Subject: [PATCH 0107/1037] riff: fix infinite loop Fixes Ticket2241 
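Review bot: On truncation the new pointer advance in mov_text_text_cb() overshoots by one. `av_strlcpy(s->ptr, text, FFMIN(s->end - s->ptr, len + 1))` stores at most size-1 characters followed by a NUL, but `s->ptr += FFMIN(s->end - s->ptr, len)` steps over that NUL as if it were text. If the output length is derived from `s->ptr`, the payload then ends with an embedded terminator. mov_text_new_line_cb() has the same problem when exactly one byte is left, because only the NUL is written yet `s->ptr++` still runs. Advancing by the characters actually stored fixes both: `s->ptr += FFMIN(FFMAX(s->end - s->ptr - 1, 0), len);` and `if (s->end - s->ptr > 1) s->ptr++;`. This assumes `s->end` points one past the buffer, which is set up outside the hunk.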
Signed-off-by: Michael Niedermayer (cherry picked from commit a8343bfb6a3f00777943b94ff2969422f578f246) --- libavformat/riff.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/riff.c b/libavformat/riff.c index 573e4179cd..c0b42c1f66 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -817,7 +817,13 @@ int ff_read_riff_info(AVFormatContext *s, int64_t size) chunk_code = avio_rl32(pb); chunk_size = avio_rl32(pb); - + if (url_feof(pb)) { + if (chunk_code || chunk_size) { + av_log(s, AV_LOG_WARNING, "INFO subchunk truncated\n"); + return AVERROR_INVALIDDATA; + } + break; + } if (chunk_size > end || end - chunk_size < cur || chunk_size == UINT_MAX) { avio_seek(pb, -9, SEEK_CUR); chunk_code = avio_rl32(pb); From d2c1a8dc2de8bdda64ab7411537429d1e64dd3fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Feb 2013 18:52:07 +0100 Subject: [PATCH 0108/1037] ljpegenc: allocate needed scratch-buffer Fixes null pointer dereference Fixes Ticket2207 Signed-off-by: Michael Niedermayer (cherry picked from commit c2dd5a18b27bb33d871d41fbed9104f3a68d68fe) --- libavcodec/ljpegenc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/ljpegenc.c b/libavcodec/ljpegenc.c index d3c292123e..0ab4985c10 100644 --- a/libavcodec/ljpegenc.c +++ b/libavcodec/ljpegenc.c @@ -57,6 +57,13 @@ static int encode_picture_lossless(AVCodecContext *avctx, AVPacket *pkt, max_pkt_size += mb_width * mb_height * 3 * 4 * s->mjpeg_hsample[0] * s->mjpeg_vsample[0]; } + + if (!s->edge_emu_buffer && + (ret = ff_mpv_frame_size_alloc(s, pict->linesize[0])) < 0) { + av_log(avctx, AV_LOG_ERROR, "failed to allocate context scratch buffers.\n"); + return ret; + } + if ((ret = ff_alloc_packet2(avctx, pkt, max_pkt_size)) < 0) return ret; From 0e1bb99f26c2fdbef7cbe7a49bd9a3b91344408d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Feb 2013 17:05:02 +0100 Subject: [PATCH 0109/1037] update for 1.1.2 
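Review bot: In the encode_picture_lossless() hunk the scratch buffers are allocated only while `s->edge_emu_buffer` is NULL, using `pict->linesize[0]` of whichever frame arrives first. A later frame with a larger stride would reuse that allocation, and a negative linesize is passed through unchanged. ff_mpv_frame_size_alloc() is not visible here, so please confirm that the buffer size it derives stays sufficient for every frame the encoder accepts. A comment above the call such as `/* allocated once; stride is assumed constant for the lifetime of the encoder */` would record the assumption. The function starts and continues outside the hunk.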
Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 524cb55242..45a1b3f445 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.1 +1.1.2 diff --git a/VERSION b/VERSION index 524cb55242..45a1b3f445 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.1 +1.1.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 6aa67f3e34..b67606b6fb 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.1 +PROJECT_NUMBER = 1.1.2 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 5f3fa5f930875e22664fbd403b107b3a37fb4d77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Feb 2013 01:25:52 +0100 Subject: [PATCH 0110/1037] ffmpeg: dont allow -flags to override -pass Fixes Ticket2154 Signed-off-by: Michael Niedermayer (cherry picked from commit ccf9dd00da055e94117b56cead4af80ff331b00e) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 46c917a357..dd3f4eda5f 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -1153,9 +1153,11 @@ static OutputStream *new_video_stream(OptionsContext *o, AVFormatContext *oc, in if (do_pass) { if (do_pass & 1) { video_enc->flags |= CODEC_FLAG_PASS1; + av_dict_set(&ost->opts, "flags", "+pass1", AV_DICT_APPEND); } if (do_pass & 2) { video_enc->flags |= CODEC_FLAG_PASS2; + av_dict_set(&ost->opts, "flags", "+pass2", AV_DICT_APPEND); } } From b48cf5412bb4a57cc6fecd0aa8760356f9db7368 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Feb 2013 04:03:52 +0100 Subject: [PATCH 0111/1037] ffmpeg: do not call exit from exit_program() This should fix Ticket2116 
Signed-off-by: Michael Niedermayer (cherry picked from commit 127ff88639e78b9d16fecb973c41b86a843b4fa7) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 75debe9022..e9837bf83a 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -471,7 +471,6 @@ static void exit_program(void) if (received_sigterm) { av_log(NULL, AV_LOG_INFO, "Received signal %d: terminating.\n", (int) received_sigterm); - exit (255); } } @@ -3220,6 +3219,6 @@ int main(int argc, char **argv) printf("bench: utime=%0.3fs maxrss=%ikB\n", ti / 1000000.0, maxrss); } - exit(0); + exit(received_nb_signals ? 255 : 0); return 0; } From 02d3ad8609573a4b0069e57df03646ec3d92fdf1 Mon Sep 17 00:00:00 2001 From: Matthieu Bouron Date: Mon, 4 Feb 2013 22:06:11 +0100 Subject: [PATCH 0112/1037] lavf/mov: skip version and flags attributes in mov_read_chan function Fixes ticket #1764. Signed-off-by: Michael Niedermayer (cherry picked from commit 59d40fc7e66e6ebb2d89e25115492bfe13b07d95) --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6c78adbd2a..b818a801df 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -696,6 +696,9 @@ static int mov_read_chan(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 16) return 0; + /* skip version and flags */ + avio_skip(pb, 4); + ff_mov_read_chan(c->fc, pb, st, atom.size - 4); return 0; From 077beee4653fb8185f802836bf18cff534e68060 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Mon, 21 Jan 2013 19:43:06 +0100 Subject: [PATCH 0113/1037] x86: ac3: Fix HAVE_MMXEXT condition to only refer to external assembly CC: libav-stable@libav.org (cherry picked from commit 4f56e773fe8a554b8c2662650aaf799c2ece2721) Signed-off-by: Reinhard Tartler --- libavcodec/x86/ac3dsp.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/ac3dsp.asm b/libavcodec/x86/ac3dsp.asm index a5d9458b39..45c30d1ae8 100644 
--- a/libavcodec/x86/ac3dsp.asm +++ b/libavcodec/x86/ac3dsp.asm @@ -66,7 +66,7 @@ cglobal ac3_exponent_min, 3, 4, 2, exp, reuse_blks, expn, offset %define LOOP_ALIGN INIT_MMX mmx AC3_EXPONENT_MIN -%if HAVE_MMXEXT +%if HAVE_MMXEXT_EXTERNAL %define LOOP_ALIGN ALIGN 16 INIT_MMX mmxext AC3_EXPONENT_MIN From 5393a5600ddb870b3d7cbd427cdd82b2f583b265 Mon Sep 17 00:00:00 2001 From: Tim Walker Date: Mon, 31 Dec 2012 15:33:25 +0100 Subject: [PATCH 0114/1037] mlpdec: set the channel layout. Fixes bug 401. Signed-off-by: Justin Ruggles CC:libav-stable@libav.org (cherry picked from commit 1fd2deedcc6400e08b31566a547a5fac3b38cefb) Signed-off-by: Reinhard Tartler --- libavcodec/mlpdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 3852f6eff8..8e3a510868 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -463,8 +463,10 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, cp->huff_lsbs = 24; } - if (substr == m->max_decoded_substream) - m->avctx->channels = s->max_matrix_channel + 1; + if (substr == m->max_decoded_substream) { + m->avctx->channels = s->max_matrix_channel + 1; + m->avctx->channel_layout = s->ch_layout; + } return 0; } From 59f22ef91a1e84caadccc5a179b4a973267243b4 Mon Sep 17 00:00:00 2001 From: Tim Walker Date: Mon, 31 Dec 2012 15:33:24 +0100 Subject: [PATCH 0115/1037] mlpdec: TrueHD: use Libav channel order. Fixes bug 208. Signed-off-by: Justin Ruggles CC:libav-stable@libav.org (cherry picked from commit 3ffcccb4fbaae4d5ad775506f1f2761f2029affa) Signed-off-by: Reinhard Tartler --- libavcodec/mlpdec.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 8e3a510868..de08f1ab62 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c 
@@ -146,6 +146,36 @@ typedef struct MLPDecodeContext { MLPDSPContext dsp; } MLPDecodeContext; +static const uint64_t thd_channel_order[] = { + AV_CH_FRONT_LEFT, AV_CH_FRONT_RIGHT, // LR + AV_CH_FRONT_CENTER, // C + AV_CH_LOW_FREQUENCY, // LFE + AV_CH_SIDE_LEFT, AV_CH_SIDE_RIGHT, // LRs + AV_CH_TOP_FRONT_LEFT, AV_CH_TOP_FRONT_RIGHT, // LRvh + AV_CH_FRONT_LEFT_OF_CENTER, AV_CH_FRONT_RIGHT_OF_CENTER, // LRc + AV_CH_BACK_LEFT, AV_CH_BACK_RIGHT, // LRrs + AV_CH_BACK_CENTER, // Cs + AV_CH_TOP_CENTER, // Ts + AV_CH_SURROUND_DIRECT_LEFT, AV_CH_SURROUND_DIRECT_RIGHT, // LRsd + AV_CH_WIDE_LEFT, AV_CH_WIDE_RIGHT, // LRw + AV_CH_TOP_FRONT_CENTER, // Cvh + AV_CH_LOW_FREQUENCY_2, // LFE2 +}; + +static uint64_t thd_channel_layout_extract_channel(uint64_t channel_layout, + int index) +{ + int i; + + if (av_get_channel_layout_nb_channels(channel_layout) <= index) + return 0; + + for (i = 0; i < FF_ARRAY_ELEMS(thd_channel_order); i++) + if (channel_layout & thd_channel_order[i] && !index--) + return thd_channel_order[i]; + return 0; +} + static VLC huff_vlc[3]; /** Initialize static data, constant between all invocations of the codec. */ @@ -426,6 +456,12 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, for (ch = 0; ch <= s->max_matrix_channel; ch++) { int ch_assign = get_bits(gbp, 6); + if (m->avctx->codec_id == AV_CODEC_ID_TRUEHD) { + uint64_t channel = thd_channel_layout_extract_channel(s->ch_layout, + ch_assign); + ch_assign = av_get_channel_layout_channel_index(s->ch_layout, + channel); + } if (ch_assign > s->max_matrix_channel) { av_log_ask_for_sample(m->avctx, "Assignment of matrix channel %d to invalid output channel %d.\n", From 5af78cc98d807f3b43510410dad46e1840c5c99f Mon Sep 17 00:00:00 2001 From: Tim Walker Date: Mon, 31 Dec 2012 15:33:23 +0100 Subject: [PATCH 0116/1037] mlp: store the channel layout for each substream. Also stop storing the channel arrangement in the header info, as it's unused outside of ff_mlp_read_major_sync. 
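Review bot: In the read_restart_header hunk (@@ -426,6 +456,12) a negative `ch_assign` passes the existing range test. thd_channel_layout_extract_channel() returns 0 when the 6-bit value read from the stream is not a valid index into the layout, and av_get_channel_layout_channel_index() reports a channel that is not in the layout with a negative value, while the context line `if (ch_assign > s->max_matrix_channel)` only rejects values that are too large. The rest of the loop is outside the hunk, but if ch_assign is then used as an array index this becomes an out-of-bounds access controlled by stream data. The test should read `if (ch_assign < 0 || ch_assign > s->max_matrix_channel) {`.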
Signed-off-by: Justin Ruggles CC:libav-stable@libav.org (cherry picked from commit 99ccd2ba10eac2b282c272ad9e75f082123c765a) Signed-off-by: Reinhard Tartler --- libavcodec/mlp_parser.c | 26 ++++++++++++++++---------- libavcodec/mlp_parser.h | 9 ++++++--- libavcodec/mlpdec.c | 21 +++++++++++++++++++++ 3 files changed, 43 insertions(+), 13 deletions(-) diff --git a/libavcodec/mlp_parser.c b/libavcodec/mlp_parser.c index d1a3dc1ba0..31c79c9ca2 100644 --- a/libavcodec/mlp_parser.c +++ b/libavcodec/mlp_parser.c @@ -126,7 +126,7 @@ static uint64_t truehd_layout(int chanmap) int ff_mlp_read_major_sync(void *log, MLPHeaderInfo *mh, GetBitContext *gb) { - int ratebits; + int ratebits, channel_arrangement; uint16_t checksum; assert(get_bits_count(gb) == 0); @@ -157,7 +157,9 @@ int ff_mlp_read_major_sync(void *log, MLPHeaderInfo *mh, GetBitContext *gb) skip_bits(gb, 11); - mh->channels_mlp = get_bits(gb, 5); + channel_arrangement = get_bits(gb, 5); + mh->channels_mlp = mlp_channels[channel_arrangement]; + mh->channel_layout_mlp = mlp_layout[channel_arrangement]; } else if (mh->stream_type == 0xba) { mh->group1_bits = 24; // TODO: Is this information actually conveyed anywhere? mh->group2_bits = 0; @@ -168,11 +170,15 @@ int ff_mlp_read_major_sync(void *log, MLPHeaderInfo *mh, GetBitContext *gb) skip_bits(gb, 8); - mh->channels_thd_stream1 = get_bits(gb, 5); + channel_arrangement = get_bits(gb, 5); + mh->channels_thd_stream1 = truehd_channels(channel_arrangement); + mh->channel_layout_thd_stream1 = truehd_layout(channel_arrangement); skip_bits(gb, 2); - mh->channels_thd_stream2 = get_bits(gb, 13); + channel_arrangement = get_bits(gb, 13); + mh->channels_thd_stream2 = truehd_channels(channel_arrangement); + mh->channel_layout_thd_stream2 = truehd_layout(channel_arrangement); } else return AVERROR_INVALIDDATA; 
@@ -316,16 +322,16 @@ static int mlp_parse(AVCodecParserContext *s, if (mh.stream_type == 0xbb) { /* MLP stream */ - avctx->channels = mlp_channels[mh.channels_mlp]; - avctx->channel_layout = mlp_layout[mh.channels_mlp]; + avctx->channels = mh.channels_mlp; + avctx->channel_layout = mh.channel_layout_mlp; } else { /* mh.stream_type == 0xba */ /* TrueHD stream */ if (mh.channels_thd_stream2) { - avctx->channels = truehd_channels(mh.channels_thd_stream2); - avctx->channel_layout = truehd_layout(mh.channels_thd_stream2); + avctx->channels = mh.channels_thd_stream2; + avctx->channel_layout = mh.channel_layout_thd_stream2; } else { - avctx->channels = truehd_channels(mh.channels_thd_stream1); - avctx->channel_layout = truehd_layout(mh.channels_thd_stream1); + avctx->channels = mh.channels_thd_stream1; + avctx->channel_layout = mh.channel_layout_thd_stream1; } } diff --git a/libavcodec/mlp_parser.h b/libavcodec/mlp_parser.h index 35bb312f17..24b4169419 100644 --- a/libavcodec/mlp_parser.h +++ b/libavcodec/mlp_parser.h 
@@ -39,9 +39,12 @@ typedef struct MLPHeaderInfo int group1_samplerate; ///< Sample rate of first substream int group2_samplerate; ///< Sample rate of second substream (MLP only) - int channels_mlp; ///< Channel arrangement for MLP streams - int channels_thd_stream1; ///< Channel arrangement for substream 1 of TrueHD streams (5.1) - int channels_thd_stream2; ///< Channel arrangement for substream 2 of TrueHD streams (7.1) + int channels_mlp; ///< Channel count for MLP streams + int channels_thd_stream1; ///< Channel count for substream 1 of TrueHD streams ("6-channel presentation") + int channels_thd_stream2; ///< Channel count for substream 2 of TrueHD streams ("8-channel presentation") + uint64_t channel_layout_mlp; ///< Channel layout for MLP streams + uint64_t channel_layout_thd_stream1; ///< Channel layout for substream 1 of TrueHD streams ("6-channel presentation") + uint64_t channel_layout_thd_stream2; ///< Channel layout for substream 2 of TrueHD streams ("8-channel presentation") int access_unit_size; ///< Number of samples per coded frame int access_unit_size_pow2; ///< Next power of two above number of samples per frame diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index de08f1ab62..80ff4017f7 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -28,6 +28,7 @@ #include "avcodec.h" #include "libavutil/intreadwrite.h" +#include "libavutil/channel_layout.h" #include "get_bits.h" #include "internal.h" #include "libavutil/crc.h" @@ -56,6 +57,8 @@ typedef struct SubStream { uint8_t max_matrix_channel; /// For each channel output by the matrix, the output channel to map it to uint8_t ch_assign[MAX_CHANNELS]; + /// The channel layout for this substream + uint64_t ch_layout; /// Channel coding parameters for channels in the substream ChannelParams channel_params[MAX_CHANNELS]; 
@@ -355,6 +358,24 @@ static int read_major_sync(MLPDecodeContext *m, GetBitContext *gb) for (substr = 0; substr < MAX_SUBSTREAMS; substr++) m->substream[substr].restart_seen = 0; + /* Set the layout for each substream. When there's more than one, the first + * substream is Stereo. Subsequent substreams' layouts are indicated in the + * major sync. */ + if (m->avctx->codec_id == AV_CODEC_ID_MLP) { + if ((substr = (mh.num_substreams > 1))) + m->substream[0].ch_layout = AV_CH_LAYOUT_STEREO; + m->substream[substr].ch_layout = mh.channel_layout_mlp; + } else { + if ((substr = (mh.num_substreams > 1))) + m->substream[0].ch_layout = AV_CH_LAYOUT_STEREO; + if (mh.num_substreams > 2) + if (mh.channel_layout_thd_stream2) + m->substream[2].ch_layout = mh.channel_layout_thd_stream2; + else + m->substream[2].ch_layout = mh.channel_layout_thd_stream1; + m->substream[substr].ch_layout = mh.channel_layout_thd_stream1; + } + return 0; } From 901682ff78da014774b17947c5d83fdeaec27204 Mon Sep 17 00:00:00 2001 From: Michael Karcher Date: Fri, 25 Jan 2013 15:03:53 -0500 Subject: [PATCH 0117/1037] atrac3: use correct loop variable in add_tonal_components() Signed-off-by: Michael Karcher Signed-off-by: Justin Ruggles CC:libav-stable@libav.org (cherry picked from commit 0e3afacd4d8fbe1c21e0bc16bd707809cd87380f) Signed-off-by: Reinhard Tartler --- libavcodec/atrac3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 312b283883..a46b0b1277 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -517,7 +517,7 @@ static int add_tonal_components(float *spectrum, int num_components, output = &spectrum[components[i].pos]; for (j = 0; j < components[i].num_coefs; j++) - output[i] += input[i]; + output[j] += input[j]; } return last_pos; From e0e42504219370d85d5e93590e361877338090eb Mon Sep 17 00:00:00 2001 
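Review bot: In read_major_sync (@@ -355,6 +358,24) the TrueHD branch nests `if (mh.num_substreams > 2)`, `if (mh.channel_layout_thd_stream2)` and `else` without braces, so the `else` binds only by the dangling-else rule and indentation is the reader's sole hint; brace the outer statement as `if (mh.num_substreams > 2) {` … `}`. The `if ((substr = (mh.num_substreams > 1)))` lines turn the loop counter into a 0/1 index by assigning inside the condition; a separate `substr = mh.num_substreams > 1;` before the `if` says the same more plainly. Substreams this block does not assign appear to keep whatever ch_layout an earlier major sync stored, so clearing ch_layout in the `restart_seen` loop on the context lines above would make the state after each sync explicit.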
From: Anton Khirnov Date: Tue, 22 Jan 2013 11:55:54 +0100 Subject: [PATCH 0118/1037] dnxhdenc: fix invalid reads in dnxhd_mb_var_thread(). Do not assume that frame dimensions are mod16 (or that height is mod32 for interlaced). CC:libav-stable@libav.org (cherry picked from commit 69c25c9284645cf5189af2ede42d6f53828f3b45) Signed-off-by: Reinhard Tartler --- libavcodec/dnxhdenc.c | 27 ++++++++++++++++++++++++--- tests/ref/vsynth/vsynth1-dnxhd-1080i | 4 ++-- tests/ref/vsynth/vsynth2-dnxhd-1080i | 4 ++-- 3 files changed, 28 insertions(+), 7 deletions(-) diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index 8531fe0ea5..97e0fede2f 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c 
@@ -615,14 +615,35 @@ static void dnxhd_setup_threads_slices(DNXHDEncContext *ctx) static int dnxhd_mb_var_thread(AVCodecContext *avctx, void *arg, int jobnr, int threadnr) { DNXHDEncContext *ctx = avctx->priv_data; - int mb_y = jobnr, mb_x; + int mb_y = jobnr, mb_x, x, y; + int partial_last_row = (mb_y == ctx->m.mb_height - 1) && + ((avctx->height >> ctx->interlaced) & 0xF); + ctx = ctx->thread[threadnr]; if (ctx->cid_table->bit_depth == 8) { uint8_t *pix = ctx->thread[0]->src[0] + ((mb_y<<4) * ctx->m.linesize); for (mb_x = 0; mb_x < ctx->m.mb_width; ++mb_x, pix += 16) { unsigned mb = mb_y * ctx->m.mb_width + mb_x; - int sum = ctx->m.dsp.pix_sum(pix, ctx->m.linesize); - int varc = (ctx->m.dsp.pix_norm1(pix, ctx->m.linesize) - (((unsigned)sum*sum)>>8)+128)>>8; + int sum; + int varc; + + if (!partial_last_row && mb_x * 16 <= avctx->width - 16) { + sum = ctx->m.dsp.pix_sum(pix, ctx->m.linesize); + varc = ctx->m.dsp.pix_norm1(pix, ctx->m.linesize); + } else { + int bw = FFMIN(avctx->width - 16 * mb_x, 16); + int bh = FFMIN((avctx->height >> ctx->interlaced) - 16 * mb_y, 16); + sum = varc = 0; + for (y = 0; y < bh; y++) { + for (x = 0; x < bw; x++) { + uint8_t val = pix[x + y * ctx->m.linesize]; + sum += val; + varc += val * val; + } + } + } + varc = (varc - (((unsigned)sum * sum) >> 8) + 128) >> 8; + ctx->mb_cmp[mb].value = varc; ctx->mb_cmp[mb].mb = mb; } diff --git a/tests/ref/vsynth/vsynth1-dnxhd-1080i b/tests/ref/vsynth/vsynth1-dnxhd-1080i index 1eddbf8c4f..3a990c5657 100644 --- a/tests/ref/vsynth/vsynth1-dnxhd-1080i +++ b/tests/ref/vsynth/vsynth1-dnxhd-1080i 
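Review bot: The bounds-aware fallback in dnxhd_mb_var_thread is added only inside the `if (ctx->cid_table->bit_depth == 8)` branch; the code for other bit depths lies after the end of this hunk, and if it also walks a full 16x16 block per macroblock it would keep the same read past the frame edge and needs the same `bw`/`bh` clamp. In the fallback the sums cover only `bw * bh` samples, yet the shared line `varc = (varc - (((unsigned)sum * sum) >> 8) + 128) >> 8;` still normalises by 256, which treats the missing samples as zeros and skews the value for edge macroblocks; if that is intended, a one-line comment above the fallback loop should say so.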
@@ -1,4 +1,4 @@ -3cfbe36a7dd5b48859b8a569d626ef77 *tests/data/fate/vsynth1-dnxhd-1080i.mov +2412f206f5efcbbcc3f2bba0c86b73d4 *tests/data/fate/vsynth1-dnxhd-1080i.mov 3031875 tests/data/fate/vsynth1-dnxhd-1080i.mov -0c651e840f860592f0d5b66030d9fa32 *tests/data/fate/vsynth1-dnxhd-1080i.out.rawvideo +34076f61254997c8157eafed1c916472 *tests/data/fate/vsynth1-dnxhd-1080i.out.rawvideo stddev: 6.29 PSNR: 32.15 MAXDIFF: 64 bytes: 7603200/ 760320 diff --git a/tests/ref/vsynth/vsynth2-dnxhd-1080i b/tests/ref/vsynth/vsynth2-dnxhd-1080i index 41a8d51444..27c79a5ee9 100644 --- a/tests/ref/vsynth/vsynth2-dnxhd-1080i +++ b/tests/ref/vsynth/vsynth2-dnxhd-1080i @@ -1,4 +1,4 @@ -19a91b7da35cecf41e5e3cb322485627 *tests/data/fate/vsynth2-dnxhd-1080i.mov +65ca6385b565b6ea9a2e28150eef1d46 *tests/data/fate/vsynth2-dnxhd-1080i.mov 3031875 tests/data/fate/vsynth2-dnxhd-1080i.mov -3c559af629ae0a8fb1a9a0e4b4da7733 *tests/data/fate/vsynth2-dnxhd-1080i.out.rawvideo +42262a2325441b38b3b3c8a42d888e7d *tests/data/fate/vsynth2-dnxhd-1080i.out.rawvideo stddev: 1.31 PSNR: 45.77 MAXDIFF: 23 bytes: 7603200/ 760320 From 00bf66785f7d10c37c1677058caec218a7c8fc08 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 29 Jan 2013 17:19:08 +0100 Subject: [PATCH 0119/1037] fraps: fix off-by one bug for version 1. CC:libav-stable@libav.org (cherry picked from commit 2cd4068071b9a8908823a3107f97e938211045ce) Conflicts: cmdutils.c libavcodec/fraps.c --- cmdutils.c | 2 +- libavcodec/fraps.c | 2 +- tests/ref/fate/fraps-v1 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cmdutils.c b/cmdutils.c index dc7e7b2e65..45418afd91 100644 --- a/cmdutils.c +++ b/cmdutils.c 
@@ -1566,7 +1566,7 @@ static int alloc_buffer(FrameBuffer **pool, AVCodecContext *s, FrameBuffer **pbu /* XXX this shouldn't be needed, but some tests break without this line * those decoders are buggy and need to be fixed. * the following tests fail: - * cdgraphics, ansi, aasc, fraps-v1, qtrle-1bit + * cdgraphics, ansi, aasc, qtrle-1bit */ memset(buf->base[0], 128, ret); diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c index ba2f32af2a..6ac0c61908 100644 --- a/libavcodec/fraps.c +++ b/libavcodec/fraps.c @@ -235,7 +235,7 @@ static int decode_frame(AVCodecContext *avctx, if (f->pict_type == AV_PICTURE_TYPE_I) { for(y=0; yheight; y++) - memcpy(&f->data[0][ (avctx->height-y)*f->linesize[0] ], + memcpy(&f->data[0][ (avctx->height - y -1) * f->linesize[0]], &buf[y*avctx->width*3], 3*avctx->width); } diff --git a/tests/ref/fate/fraps-v1 b/tests/ref/fate/fraps-v1 index 64392c33b4..29c7e37df3 100644 --- a/tests/ref/fate/fraps-v1 +++ b/tests/ref/fate/fraps-v1 @@ -1,2 +1,2 @@ #tb 0: 1/25 -0, 0, 0, 1, 230400, 0x6bc891ff +0, 0, 0, 1, 230400, 0x23c29d17 From e835ce83e2ac518fb1227351379f3c8c8cc9066a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 21 Jan 2013 21:10:54 +0100 Subject: [PATCH 0120/1037] vf_delogo: fix an uninitialized read. CC:libav-stable@libav.org (cherry picked from commit f81c37e40fe3236d54da12aef9cdba48ba70ec31) Signed-off-by: Reinhard Tartler --- libavfilter/vf_delogo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_delogo.c b/libavfilter/vf_delogo.c index 76848c3198..5d56444e20 100644 --- a/libavfilter/vf_delogo.c +++ b/libavfilter/vf_delogo.c @@ -223,7 +223,7 @@ static int filter_frame(AVFilterLink *inlink, AVFilterBufferRef *in) AVFilterBufferRef *out; int hsub0 = desc->log2_chroma_w; int vsub0 = desc->log2_chroma_h; - int direct; + int direct = 0; int plane; if ((in->perms & AV_PERM_WRITE) && !(in->perms & AV_PERM_PRESERVE)) { From 7e35c50b81d97b513f6c4c719f2d476a681bd6d7 Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Wed, 30 Jan 2013 07:00:50 +0100 Subject: [PATCH 0121/1037] yop: check that extradata is large enough. CC:libav-stable@libav.org (cherry picked from commit 06cf597c352519d2b70f293518c61b8c312f5d4f) Signed-off-by: Reinhard Tartler --- libavcodec/yop.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/yop.c b/libavcodec/yop.c index 0b9cdfebe2..939b81cb01 100644 --- a/libavcodec/yop.c +++ b/libavcodec/yop.c @@ -89,6 +89,11 @@ static av_cold int yop_decode_init(AVCodecContext *avctx) return -1; } + if (avctx->extradata_size < 3) { + av_log(avctx, AV_LOG_ERROR, "Missing or incomplete extradata.\n"); + return AVERROR_INVALIDDATA; + } + avctx->pix_fmt = AV_PIX_FMT_PAL8; s->num_pal_colors = avctx->extradata[0]; From 1f8bf163e4b430d1a6e14d8867f3d47f50d5425e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 29 Jan 2013 12:42:54 +0100 Subject: [PATCH 0122/1037] aasc: fix output for msrle compression. The bottom line was invalid before. CC:libav-stable@libav.org (cherry picked from commit da7baaaae79b4d7d715d35ea6bcfbdd149edc177) Conflicts: cmdutils.c --- cmdutils.c | 2 +- libavcodec/aasc.c | 2 +- tests/ref/fate/aasc | 46 ++++++++++++++++++++++----------------------- 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/cmdutils.c b/cmdutils.c index 45418afd91..cc165bd597 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -1566,7 +1566,7 @@ static int alloc_buffer(FrameBuffer **pool, AVCodecContext *s, FrameBuffer **pbu /* XXX this shouldn't be needed, but some tests break without this line * those decoders are buggy and need to be fixed. * the following tests fail: - * cdgraphics, ansi, aasc, qtrle-1bit + * cdgraphics, ansi, qtrle-1bit */ memset(buf->base[0], 128, ret); diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 47d25d0d09..7063cbeec8 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c 
@@ -77,7 +77,7 @@ static int aasc_decode_frame(AVCodecContext *avctx, } break; case 1: - bytestream2_init(&s->gb, buf - 4, buf_size + 4); + bytestream2_init(&s->gb, buf, buf_size); ff_msrle_decode(avctx, (AVPicture*)&s->frame, 8, &s->gb); break; default: diff --git a/tests/ref/fate/aasc b/tests/ref/fate/aasc index b991635715..57d59a9c48 100644 --- a/tests/ref/fate/aasc +++ b/tests/ref/fate/aasc @@ -1,24 +1,24 @@ #tb 0: 1/25 -0, 0, 0, 1, 168000, 0x45addf8f -0, 1, 1, 1, 168000, 0x45addf8f -0, 2, 2, 1, 168000, 0x45addf8f -0, 3, 3, 1, 168000, 0x45addf8f -0, 4, 4, 1, 168000, 0x45addf8f -0, 5, 5, 1, 168000, 0x45addf8f -0, 6, 6, 1, 168000, 0x45addf8f -0, 7, 7, 1, 168000, 0x45addf8f -0, 8, 8, 1, 168000, 0x45addf8f -0, 9, 9, 1, 168000, 0x45addf8f -0, 10, 10, 1, 168000, 0x45addf8f -0, 11, 11, 1, 168000, 0x45addf8f -0, 12, 12, 1, 168000, 0x8730699b -0, 13, 13, 1, 168000, 0x08b095df -0, 14, 14, 1, 168000, 0x203526e3 -0, 15, 15, 1, 168000, 0x0ebc5142 -0, 16, 16, 1, 168000, 0xd168e7c2 -0, 17, 17, 1, 168000, 0xcc7da0e6 -0, 18, 18, 1, 168000, 0x72ac60b8 -0, 19, 19, 1, 168000, 0xb691e27c -0, 20, 20, 1, 168000, 0x646fa087 -0, 21, 21, 1, 168000, 0x404450a2 -0, 22, 22, 1, 168000, 0x5214c456 +0, 0, 0, 1, 168000, 0x00000000 +0, 1, 1, 1, 168000, 0x00000000 +0, 2, 2, 1, 168000, 0x00000000 +0, 3, 3, 1, 168000, 0x00000000 +0, 4, 4, 1, 168000, 0x00000000 +0, 5, 5, 1, 168000, 0x00000000 +0, 6, 6, 1, 168000, 0x00000000 +0, 7, 7, 1, 168000, 0x00000000 +0, 8, 8, 1, 168000, 0x00000000 +0, 9, 9, 1, 168000, 0x00000000 +0, 10, 10, 1, 168000, 0x00000000 +0, 11, 11, 1, 168000, 0x00000000 +0, 12, 12, 1, 168000, 0xa6298d46 +0, 13, 13, 1, 168000, 0x5d89d96c +0, 14, 14, 1, 168000, 0x16d994da +0, 15, 15, 1, 168000, 0xa8c6079b +0, 16, 16, 1, 168000, 0xdd1decac +0, 17, 17, 1, 168000, 0x6a96003c +0, 18, 18, 1, 168000, 0xef7f1ff4 +0, 19, 19, 1, 168000, 0x90dc0126 +0, 20, 20, 1, 168000, 0x7a2b1006 +0, 21, 21, 1, 168000, 0xc7ca1345 +0, 22, 22, 1, 168000, 0x8841c413 
From 5bee21d724dc47d115faae3f5065a6db74e1594a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 21 Jan 2013 21:48:49 +0100 Subject: [PATCH 0123/1037] vf_delogo: fix copying the input frame. CC:libav-stable@libav.org (cherry picked from commit 7194330bcd6db8dc5c22e0c162a0992d519307f9) Signed-off-by: Reinhard Tartler --- libavfilter/vf_delogo.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_delogo.c b/libavfilter/vf_delogo.c index 5d56444e20..af479c2b12 100644 --- a/libavfilter/vf_delogo.c +++ b/libavfilter/vf_delogo.c @@ -80,12 +80,12 @@ static void apply_delogo(uint8_t *dst, int dst_linesize, topright = src+logo_y1 * src_linesize+logo_x2-1; botleft = src+(logo_y2-1) * src_linesize+logo_x1; - dst += (logo_y1+1)*dst_linesize; - src += (logo_y1+1)*src_linesize; - if (!direct) av_image_copy_plane(dst, dst_linesize, src, src_linesize, w, h); + dst += (logo_y1 + 1) * dst_linesize; + src += (logo_y1 + 1) * src_linesize; + for (y = logo_y1+1; y < logo_y2-1; y++) { for (x = logo_x1+1, xdst = dst+logo_x1+1, From 108ca6fad1e0e9af8d6337f908bfd23807b7fbd6 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 30 Jan 2013 07:15:04 +0100 Subject: [PATCH 0124/1037] yop: check for input overreads. CC:libav-stable@libav.org (cherry picked from commit 8136f234445862c94d1c081606b2d1e3d44fccf3) Signed-off-by: Reinhard Tartler --- libavcodec/yop.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/libavcodec/yop.c b/libavcodec/yop.c index 939b81cb01..e02b9bfd18 100644 --- a/libavcodec/yop.c +++ b/libavcodec/yop.c @@ -39,6 +39,7 @@ typedef struct YopDecContext { uint8_t *low_nibble; uint8_t *srcptr; + uint8_t *src_end; uint8_t *dstptr; uint8_t *dstbuf; } YopDecContext; 
@@ -123,8 +124,13 @@ static av_cold int yop_decode_close(AVCodecContext *avctx) * @param s codec context * @param tag the tag that was in the nibble */ -static void yop_paint_block(YopDecContext *s, int tag) +static int yop_paint_block(YopDecContext *s, int tag) { + if (s->src_end - s->srcptr < paint_lut[tag][3]) { + av_log(s->avctx, AV_LOG_ERROR, "Packet too small.\n"); + return AVERROR_INVALIDDATA; + } + s->dstptr[0] = s->srcptr[0]; s->dstptr[1] = s->srcptr[paint_lut[tag][0]]; s->dstptr[s->frame.linesize[0]] = s->srcptr[paint_lut[tag][1]]; @@ -132,6 +138,7 @@ static void yop_paint_block(YopDecContext *s, int tag) // The number of src bytes consumed is in the last part of the lut entry. s->srcptr += paint_lut[tag][3]; + return 0; } /** @@ -185,6 +192,11 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int ret, i, x, y; uint32_t *palette; + if (avpkt->size < 4 + 3 * s->num_pal_colors) { + av_log(avctx, AV_LOG_ERROR, "Packet too small.\n"); + return AVERROR_INVALIDDATA; + } + if (s->frame.data[0]) avctx->release_buffer(avctx, &s->frame); @@ -197,6 +209,7 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->dstbuf = s->frame.data[0]; s->dstptr = s->frame.data[0]; s->srcptr = avpkt->data + 4; + s->src_end = avpkt->data + avpkt->size; s->low_nibble = NULL; is_odd_frame = avpkt->data[0]; @@ -220,7 +233,9 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, tag = yop_get_next_nibble(s); if (tag != 0xf) { - yop_paint_block(s, tag); + ret = yop_paint_block(s, tag); + if (ret < 0) + return ret; } else { tag = yop_get_next_nibble(s); ret = yop_copy_previous_block(s, tag); From d0249f1c2e55d4ac48655ccc789833489891bb81 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 30 Jan 2013 06:42:17 +0100 Subject: [PATCH 0125/1037] qtrle: fix the topmost line for 1bit 
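Review bot: The new `src_end` test guards only yop_paint_block(); the tag it receives comes from `yop_get_next_nibble(s)` on the context lines of the last hunk (@@ -220,7 +233,9), and neither that helper nor yop_copy_previous_block() is touched by this patch. Their bodies are outside the hunks, so this needs confirming, but if the nibble reader advances `s->srcptr` it can still read past `avpkt->data + avpkt->size` on a truncated packet before yop_paint_block() gets the chance to reject it. A comparison against `s->src_end` at the point where a new source byte is fetched for a nibble, returning AVERROR_INVALIDDATA like the other checks added here, would close that path.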
Signed-off-by: Anton Khirnov CC:libav-stable@libav.org (cherry picked from commit 89f11f498b9c15bc71494a11a7ec560f4adf630d) Conflicts: cmdutils.c --- cmdutils.c | 2 +- libavcodec/qtrle.c | 5 ++- tests/ref/fate/qtrle-1bit | 76 +++++++++++++++++++-------------------- 3 files changed, 43 insertions(+), 40 deletions(-) diff --git a/cmdutils.c b/cmdutils.c index cc165bd597..8fa608233a 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -1566,7 +1566,7 @@ static int alloc_buffer(FrameBuffer **pool, AVCodecContext *s, FrameBuffer **pbu /* XXX this shouldn't be needed, but some tests break without this line * those decoders are buggy and need to be fixed. * the following tests fail: - * cdgraphics, ansi, qtrle-1bit + * cdgraphics, ansi */ memset(buf->base[0], 128, ret); diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 02091d04bf..2a83bdb9c8 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -56,13 +56,16 @@ typedef struct QtrleContext { static void qtrle_decode_1bpp(QtrleContext *s, int row_ptr, int lines_to_change) { int rle_code; - int pixel_ptr = 0; + int pixel_ptr; int row_inc = s->frame.linesize[0]; unsigned char pi0, pi1; /* 2 8-pixel values */ unsigned char *rgb = s->frame.data[0]; int pixel_limit = s->frame.linesize[0] * s->avctx->height; int skip; + row_ptr -= row_inc; + pixel_ptr = row_ptr; + lines_to_change++; while (lines_to_change) { skip = bytestream2_get_byte(&s->g); rle_code = (signed char)bytestream2_get_byte(&s->g); diff --git a/tests/ref/fate/qtrle-1bit b/tests/ref/fate/qtrle-1bit index 1cbaa9c5af..a424e47765 100644 --- a/tests/ref/fate/qtrle-1bit +++ b/tests/ref/fate/qtrle-1bit 
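Review bot: In qtrle_decode_1bpp (@@ -56,13 +56,16) the added `row_ptr -= row_inc; pixel_ptr = row_ptr;` starts the offset one row above the requested first line, so for a change that begins at row 0 both values are negative until a line-advance code has been consumed. The loop body is outside the hunk; if its bounds test only compares against `pixel_limit`, a stream whose first code does not advance the line could index `rgb` below the frame buffer, so that test should also reject `pixel_ptr < 0`. The three added lines carry no explanation of why decoding now starts one line early with `lines_to_change++`; a short comment stating the reason (presumably that 1bpp data opens with a line-advance code) would keep the next reader from undoing it.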
@@ -1,39 +1,39 @@ #tb 0: 1/1200 -0, 0, 0, 0, 9600, 0xc1632102 -0, 100, 100, 0, 9600, 0x0f6c0521 -0, 200, 200, 0, 9600, 0x04b90b5a -0, 300, 300, 0, 9600, 0x2ebd4500 -0, 400, 400, 0, 9600, 0x726f46f4 -0, 500, 500, 0, 9600, 0x37f6968e -0, 600, 600, 0, 9600, 0x7305872e -0, 700, 700, 0, 9600, 0x222eff5e -0, 800, 800, 0, 9600, 0x9317e227 -0, 900, 900, 0, 9600, 0x421eee9d -0, 1000, 1000, 0, 9600, 0xcbcfaaff -0, 1100, 1100, 0, 9600, 0xe7d43be2 -0, 1200, 1200, 0, 9600, 0x0b71e28c -0, 1300, 1300, 0, 9600, 0xd6a050ca -0, 1400, 1400, 0, 9600, 0x0ac6dbf5 -0, 1500, 1500, 0, 9600, 0x5c036038 -0, 1600, 1600, 0, 9600, 0x6e417ed6 -0, 1700, 1700, 0, 9600, 0x8bd0dc22 -0, 1800, 1800, 0, 9600, 0xdf3b0877 -0, 1900, 1900, 0, 9600, 0xae6e7823 -0, 2000, 2000, 0, 9600, 0x8ff0ac32 -0, 2100, 2100, 0, 9600, 0xa2d9e2ce -0, 2200, 2200, 0, 9600, 0x5fd92b65 -0, 2300, 2300, 0, 9600, 0x81c1c824 -0, 2400, 2400, 0, 9600, 0xb8a2ace4 -0, 2500, 2500, 0, 9600, 0x65b70404 -0, 2600, 2600, 0, 9600, 0xc5349eb2 -0, 2700, 2700, 0, 9600, 0xf60cc2b8 -0, 2800, 2800, 0, 9600, 0x31474595 -0, 2900, 2900, 0, 9600, 0xf602635b -0, 3000, 3000, 0, 9600, 0x873cbd87 -0, 3100, 3100, 0, 9600, 0xb9793ffe -0, 3200, 3200, 0, 9600, 0x42eb2831 -0, 3300, 3300, 0, 9600, 0x44cc1dab -0, 3400, 3400, 0, 9600, 0xbdcbbb87 -0, 3500, 3500, 0, 9600, 0x29c22df7 -0, 3600, 3600, 0, 9600, 0xde502ef5 -0, 3700, 3700, 0, 9600, 0xaf311aeb +0, 0, 0, 0, 9600, 0xc5921aa2 +0, 100, 100, 0, 9600, 0x9032fc52 +0, 200, 200, 0, 9600, 0x7db0038e +0, 300, 300, 0, 9600, 0x95b73c41 +0, 400, 400, 0, 9600, 0x531e4189 +0, 500, 500, 0, 9600, 0xb73390ec +0, 600, 600, 0, 9600, 0x958e8221 +0, 700, 700, 0, 9600, 0xd393f8a6 +0, 800, 800, 0, 9600, 0xa085da1c +0, 900, 900, 0, 9600, 0x57ace74f +0, 1000, 1000, 0, 9600, 0x5d11a308 +0, 1100, 1100, 0, 9600, 0x13e133b7 +0, 1200, 1200, 0, 9600, 0x494edb86 +0, 1300, 1300, 0, 9600, 0x43a448ea +0, 1400, 1400, 0, 9600, 0x3562d35b +0, 1500, 1500, 0, 9600, 0x0bc655d2 +0, 1600, 1600, 0, 9600, 0xbece73a1 +0, 1700, 1700, 0, 9600, 0x82e7cfa1 
+0, 1800, 1800, 0, 9600, 0xda29fd8f +0, 1900, 1900, 0, 9600, 0x70fb700b +0, 2000, 2000, 0, 9600, 0xaf57a6b0 +0, 2100, 2100, 0, 9600, 0x0a5ed9b9 +0, 2200, 2200, 0, 9600, 0xf7c62c38 +0, 2300, 2300, 0, 9600, 0x0aa2ccfd +0, 2400, 2400, 0, 9600, 0xc9adabae +0, 2500, 2500, 0, 9600, 0x67ff0aba +0, 2600, 2600, 0, 9600, 0xea79a465 +0, 2700, 2700, 0, 9600, 0x8928c626 +0, 2800, 2800, 0, 9600, 0x8dab4111 +0, 2900, 2900, 0, 9600, 0x81ef63f9 +0, 3000, 3000, 0, 9600, 0xf977bc5e +0, 3100, 3100, 0, 9600, 0x9e6a3f4a +0, 3200, 3200, 0, 9600, 0x77c92865 +0, 3300, 3300, 0, 9600, 0x3915170d +0, 3400, 3400, 0, 9600, 0xbe19b995 +0, 3500, 3500, 0, 9600, 0x3e8a3077 +0, 3600, 3600, 0, 9600, 0x1331342e +0, 3700, 3700, 0, 9600, 0x4d692175 From 5479e08cc44a59516d73ae428e38255de98ce89b Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Tue, 29 Jan 2013 19:53:04 +0100 Subject: [PATCH 0126/1037] xxan: properly handle odd heights. Duplicate the last one or two chroma lines. Signed-off-by: Anton Khirnov CC:libav-stable@libav.org (cherry picked from commit 685e6f2e3939f124b41c7801cc541dad8252af3d) Signed-off-by: Reinhard Tartler --- libavcodec/xxan.c | 15 +++++++++++++++ tests/ref/fate/xxan-wc4 | 42 ++++++++++++++++++++--------------------- 2 files changed, 36 insertions(+), 21 deletions(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 9e874540b5..231ed908fa 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -45,6 +45,11 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_YUV420P; + if (avctx->height < 8) { + av_log(avctx, AV_LOG_ERROR, "Invalid frame height: %d.\n", avctx->height); + return AVERROR(EINVAL); + } + s->buffer_size = avctx->width * avctx->height; s->y_buffer = av_malloc(s->buffer_size); if (!s->y_buffer) 
@@ -210,6 +215,10 @@ static int xan_decode_chroma(AVCodecContext *avctx, unsigned chroma_off) U += s->pic.linesize[1]; V += s->pic.linesize[2]; } + if (avctx->height & 1) { + memcpy(U, U - s->pic.linesize[1], avctx->width >> 1); + memcpy(V, V - s->pic.linesize[2], avctx->width >> 1); + } } else { uint8_t *U2 = U + s->pic.linesize[1]; uint8_t *V2 = V + s->pic.linesize[2]; @@ -230,6 +239,12 @@ static int xan_decode_chroma(AVCodecContext *avctx, unsigned chroma_off) U2 += s->pic.linesize[1] * 2; V2 += s->pic.linesize[2] * 2; } + if (avctx->height & 3) { + int lines = ((avctx->height + 1) >> 1) - (avctx->height >> 2) * 2; + + memcpy(U, U - lines * s->pic.linesize[1], lines * s->pic.linesize[1]); + memcpy(V, V - lines * s->pic.linesize[2], lines * s->pic.linesize[2]); + } } return 0; diff --git a/tests/ref/fate/xxan-wc4 b/tests/ref/fate/xxan-wc4 index 34857bfd26..88dcc98ac5 100644 --- a/tests/ref/fate/xxan-wc4 +++ b/tests/ref/fate/xxan-wc4 
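Review bot: The two padding blocks added to xan_decode_chroma copy different amounts: the first (@@ -210,6 +215,10) copies `avctx->width >> 1` bytes per plane, the second (@@ -230,6 +239,12) copies `lines * s->pic.linesize[1]` bytes, which is whole strides including padding. The second form passes a signed product as the memcpy length, so it depends on linesize being positive and on `lines` full strides being available at U and V; copying row by row with the chroma width would remove both assumptions. With `avctx->width >> 1`, an odd width leaves the last chroma sample of the duplicated row unwritten; `(avctx->width + 1) >> 1` covers it if odd widths can reach this decoder. The function body starts outside both hunks.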
@@ -1,22 +1,22 @@ #tb 0: 1/15 -0, 0, 0, 1, 79360, 0x3b0a7d1b -0, 1, 1, 1, 79360, 0x740842c3 -0, 2, 2, 1, 79360, 0x85160167 -0, 3, 3, 1, 79360, 0xaf510e92 -0, 4, 4, 1, 79360, 0x8e290bec -0, 5, 5, 1, 79360, 0x51e981b0 -0, 6, 6, 1, 79360, 0x16e52c60 -0, 7, 7, 1, 79360, 0x66e1e60a -0, 8, 8, 1, 79360, 0x40fa58f6 -0, 9, 9, 1, 79360, 0x00388edd -0, 10, 10, 1, 79360, 0xc74f95bf -0, 11, 11, 1, 79360, 0xf446a3fd -0, 12, 12, 1, 79360, 0x27b5eb60 -0, 13, 13, 1, 79360, 0xea9266a2 -0, 14, 14, 1, 79360, 0x7b6a7907 -0, 15, 15, 1, 79360, 0x2be7d946 -0, 16, 16, 1, 79360, 0x61881ee4 -0, 17, 17, 1, 79360, 0x9214bd4f -0, 18, 18, 1, 79360, 0xeb294afe -0, 19, 19, 1, 79360, 0xc861ad55 -0, 20, 20, 1, 79360, 0x3d3b6220 +0, 0, 0, 1, 79360, 0x8537821b +0, 1, 1, 1, 79360, 0x110c4343 +0, 2, 2, 1, 79360, 0xa85105bb +0, 3, 3, 1, 79360, 0x87431836 +0, 4, 4, 1, 79360, 0x5c701720 +0, 5, 5, 1, 79360, 0x20308ce4 +0, 6, 6, 1, 79360, 0xe51d3794 +0, 7, 7, 1, 79360, 0x80e6f1e0 +0, 8, 8, 1, 79360, 0x5aff64cc +0, 9, 9, 1, 79360, 0x1a3d9ab3 +0, 10, 10, 1, 79360, 0xe154a195 +0, 11, 11, 1, 79360, 0x608dafdc +0, 12, 12, 1, 79360, 0x93edf73f +0, 13, 13, 1, 79360, 0x56d97281 +0, 14, 14, 1, 79360, 0xe7a284e6 +0, 15, 15, 1, 79360, 0xd4e5e513 +0, 16, 16, 1, 79360, 0x0a952ab1 +0, 17, 17, 1, 79360, 0x3b21c91c +0, 18, 18, 1, 79360, 0x943656cb +0, 19, 19, 1, 79360, 0xffbdb94b +0, 20, 20, 1, 79360, 0x74976e16 From b7765d00f911fe0f8fcda21b93a540f27d2ba2f5 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 29 Jan 2013 12:24:09 +0100 Subject: [PATCH 0127/1037] msrledec: check bounds before constructing a possibly invalid pointer, CC:libav-stable@libav.org (cherry picked from commit 9bd6375d5f16842306dcecde637ffe605acda26b) Signed-off-by: Reinhard Tartler --- libavcodec/msrledec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index fad94151c9..af2a2478b1 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c 
@@ -144,8 +144,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, if(p1 == 0) { //Escape code p2 = bytestream2_get_byte(gb); if(p2 == 0) { //End-of-line - output = pic->data[0] + (--line) * pic->linesize[0]; - if (line < 0) { + if (--line < 0) { if (bytestream2_get_be16(gb) == 1) { // end-of-picture return 0; } else { @@ -155,6 +154,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, return AVERROR_INVALIDDATA; } } + output = pic->data[0] + line * pic->linesize[0]; pos = 0; continue; } else if(p2 == 1) { //End-of-picture From 4eede1fca24a24e10befab1716e042beccee8df9 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Wed, 13 Feb 2013 18:41:37 -0500 Subject: [PATCH 0128/1037] doc/platform: Fix 10l typo This error was somehow missed for months. (cherry picked from commit 130cefc9dcedea5babc349251fbeec6f037144ac) Signed-off-by: Derek Buitenhuis --- doc/platform.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/platform.texi b/doc/platform.texi index 999a5f19f1..da08962e01 100644 --- a/doc/platform.texi +++ b/doc/platform.texi @@ -137,7 +137,7 @@ make make install @end example -If you wish to compile static libraries, add @code{--enable-shared} to your +If you wish to compile shared libraries, add @code{--enable-shared} to your configure options. Note that due to the way MSVC handles DLL imports and exports, you cannot compile static and shared libraries at the same time, and enabling shared libraries will automatically disable the static ones. From 5310da7e83ec9f149dac4c2c5a64e1a24951259e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 7 Feb 2013 10:54:20 +0200 Subject: [PATCH 0129/1037] arm: Fall back to runtime cpu feature detection via /proc/cpuinfo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On recent android versions, /proc/self/auxw is unreadable (unless the process is running running under the shell uid or in debuggable mode, which makes it hard to notice). See http://b.android.com/43055 and https://android-review.googlesource.com/51271 for more information about the issue. This makes sure e.g. neon optimizations are enabled at runtime in android apps even when built in release mode, if configured to use the runtime detection. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit ab8f1a698990c33afb4c1c6ae5af3d6de4f696cb) Signed-off-by: Martin Storsjö --- libavutil/arm/cpu.c | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/libavutil/arm/cpu.c b/libavutil/arm/cpu.c index 041afc985a..b4aabc375e 100644 --- a/libavutil/arm/cpu.c +++ b/libavutil/arm/cpu.c @@ -34,6 +34,8 @@ #include #include +#include +#include "libavutil/avstring.h" #define AT_HWCAP 16 
@@ -66,13 +68,44 @@ static int get_hwcap(uint32_t *hwcap) return err; } +static int get_cpuinfo(uint32_t *hwcap) +{ + FILE *f = fopen("/proc/cpuinfo", "r"); + char buf[200]; + + if (!f) + return -1; + + *hwcap = 0; + while (fgets(buf, sizeof(buf), f)) { + if (av_strstart(buf, "Features", NULL)) { + if (strstr(buf, " edsp ")) + *hwcap |= HWCAP_EDSP; + if (strstr(buf, " tls ")) + *hwcap |= HWCAP_TLS; + if (strstr(buf, " thumbee ")) + *hwcap |= HWCAP_THUMBEE; + if (strstr(buf, " vfp ")) + *hwcap |= HWCAP_VFP; + if (strstr(buf, " vfpv3 ")) + *hwcap |= HWCAP_VFPv3; + if (strstr(buf, " neon ")) + *hwcap |= HWCAP_NEON; + break; + } + } + fclose(f); + return 0; +} + int ff_get_cpu_flags_arm(void) { int flags = CORE_CPU_FLAGS; uint32_t hwcap; if (get_hwcap(&hwcap) < 0) - return flags; + if (get_cpuinfo(&hwcap) < 0) + return flags; #define check_cap(cap, flag) do { \ if (hwcap & HWCAP_ ## cap) \ From e1a86b1433f1ea39a1197b2353afad8e88e51009 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Jan 2013 00:22:39 +0100 Subject: [PATCH 0130/1037] mlpdec: dont leave a invalid huff_lsb in the context. Fix assertion failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4aed4f58465fa0d6940ce72c0dad90caab3ed36e) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index c7de13c15c..6d27417106 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -720,6 +720,7 @@ static int read_channel_params(MLPDecodeContext *m, unsigned int substr, if (cp->huff_lsbs > 24) { av_log(m->avctx, AV_LOG_ERROR, "Invalid huff_lsbs.\n"); + cp->huff_lsbs = 0; return AVERROR_INVALIDDATA; } From e67491a2a49aba7675e87713a3c9751ece14386e Mon Sep 17 00:00:00 2001 
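Review bot: In get_cpuinfo(), `fgets(buf, sizeof(buf), f)` with `char buf[200]` splits a longer Features line, and because the loop hits `break` after the first fragment that starts with "Features", any flag past the cut is silently dropped. The failure is in the safe direction (an optimisation stays off), but it is invisible; a larger buffer such as `char buf[1024];` would make it less likely. Each name is matched with a space on both sides, so the last name on the line only matches if it is followed by a space rather than the newline, which is worth a comment. In ff_get_cpu_flags_arm() the two nested unbraced `if`s read more clearly as `if (get_hwcap(&hwcap) < 0 && get_cpuinfo(&hwcap) < 0)`; that function continues outside the hunk.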
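Review bot: Resetting `cp->huff_lsbs` inside the error branch repairs the context only after an out-of-range value has already been stored in it, and it also throws away the last valid value. Assuming the field is assigned straight from the bitstream just above this hunk (that line is not visible here), reading into a local and storing it only after the `> 24` check would keep the field valid at every point, so no other error path could leave it broken. If the assignment stays as is, a comment such as `/* never leave an out-of-range huff_lsbs behind for later frames */` would explain it. read_channel_params() starts and ends outside the hunk.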
From: Michael Niedermayer Date: Wed, 23 Jan 2013 14:54:40 +0100 Subject: [PATCH 0131/1037] Merge commit '99ccd2ba10eac2b282c272ad9e75f082123c765a' * commit '99ccd2ba10eac2b282c272ad9e75f082123c765a': mlp: store the channel layout for each substream. Conflicts: libavcodec/mlp_parser.c libavcodec/mlpdec.c (cherry picked from commit fa36270c4c68589882cfeae68a037f1d191231c2) Signed-off-by: Michael Niedermayer --- libavcodec/mlp_parser.c | 26 ++++++++++++++++---------- libavcodec/mlp_parser.h | 9 ++++++--- libavcodec/mlpdec.c | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+), 13 deletions(-) diff --git a/libavcodec/mlp_parser.c b/libavcodec/mlp_parser.c index f1c0a0d1e8..2497ac3612 100644 --- a/libavcodec/mlp_parser.c +++ b/libavcodec/mlp_parser.c @@ -126,7 +126,7 @@ uint64_t ff_truehd_layout(int chanmap) int ff_mlp_read_major_sync(void *log, MLPHeaderInfo *mh, GetBitContext *gb) { - int ratebits; + int ratebits, channel_arrangement; uint16_t checksum; av_assert1(get_bits_count(gb) == 0); @@ -157,7 +157,9 @@ int ff_mlp_read_major_sync(void *log, MLPHeaderInfo *mh, GetBitContext *gb) skip_bits(gb, 11); - mh->channels_mlp = get_bits(gb, 5); + channel_arrangement = get_bits(gb, 5); + mh->channels_mlp = mlp_channels[channel_arrangement]; + mh->channel_layout_mlp = ff_mlp_layout[channel_arrangement]; } else if (mh->stream_type == 0xba) { mh->group1_bits = 24; // TODO: Is this information actually conveyed anywhere? mh->group2_bits = 0; 
@@ -168,11 +170,15 @@ int ff_mlp_read_major_sync(void *log, MLPHeaderInfo *mh, GetBitContext *gb) skip_bits(gb, 8); - mh->channels_thd_stream1 = get_bits(gb, 5); + channel_arrangement = get_bits(gb, 5); + mh->channels_thd_stream1 = truehd_channels(channel_arrangement); + mh->channel_layout_thd_stream1 = ff_truehd_layout(channel_arrangement); skip_bits(gb, 2); - mh->channels_thd_stream2 = get_bits(gb, 13); + channel_arrangement = get_bits(gb, 13); + mh->channels_thd_stream2 = truehd_channels(channel_arrangement); + mh->channel_layout_thd_stream2 = ff_truehd_layout(channel_arrangement); } else return AVERROR_INVALIDDATA; @@ -322,16 +328,16 @@ static int mlp_parse(AVCodecParserContext *s, if(!avctx->channels || !avctx->channel_layout) { if (mh.stream_type == 0xbb) { /* MLP stream */ - avctx->channels = mlp_channels[mh.channels_mlp]; - avctx->channel_layout = ff_mlp_layout[mh.channels_mlp]; + avctx->channels = mh.channels_mlp; + avctx->channel_layout = mh.channel_layout_mlp; } else { /* mh.stream_type == 0xba */ /* TrueHD stream */ if (mh.channels_thd_stream2) { - avctx->channels = truehd_channels(mh.channels_thd_stream2); - avctx->channel_layout = ff_truehd_layout(mh.channels_thd_stream2); + avctx->channels = mh.channels_thd_stream2; + avctx->channel_layout = mh.channel_layout_thd_stream2; } else { - avctx->channels = truehd_channels(mh.channels_thd_stream1); - avctx->channel_layout = ff_truehd_layout(mh.channels_thd_stream1); + avctx->channels = mh.channels_thd_stream1; + avctx->channel_layout = mh.channel_layout_thd_stream1; } } } diff --git a/libavcodec/mlp_parser.h b/libavcodec/mlp_parser.h index 6aafed5086..0415ccc7b0 100644 --- a/libavcodec/mlp_parser.h +++ b/libavcodec/mlp_parser.h 
@@ -39,9 +39,12 @@ typedef struct MLPHeaderInfo int group1_samplerate; ///< Sample rate of first substream int group2_samplerate; ///< Sample rate of second substream (MLP only) - int channels_mlp; ///< Channel arrangement for MLP streams - int channels_thd_stream1; ///< Channel arrangement for substream 1 of TrueHD streams (5.1) - int channels_thd_stream2; ///< Channel arrangement for substream 2 of TrueHD streams (7.1) + int channels_mlp; ///< Channel count for MLP streams + int channels_thd_stream1; ///< Channel count for substream 1 of TrueHD streams ("6-channel presentation") + int channels_thd_stream2; ///< Channel count for substream 2 of TrueHD streams ("8-channel presentation") + uint64_t channel_layout_mlp; ///< Channel layout for MLP streams + uint64_t channel_layout_thd_stream1; ///< Channel layout for substream 1 of TrueHD streams ("6-channel presentation") + uint64_t channel_layout_thd_stream2; ///< Channel layout for substream 2 of TrueHD streams ("8-channel presentation") int access_unit_size; ///< Number of samples per coded frame int access_unit_size_pow2; ///< Next power of two above number of samples per frame diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 6d27417106..8edca1761c 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -28,6 +28,7 @@ #include "avcodec.h" #include "libavutil/intreadwrite.h" +#include "libavutil/channel_layout.h" #include "get_bits.h" #include "internal.h" #include "libavutil/crc.h" @@ -56,6 +57,8 @@ typedef struct SubStream { uint8_t max_matrix_channel; /// For each channel output by the matrix, the output channel to map it to uint8_t ch_assign[MAX_CHANNELS]; + /// The channel layout for this substream + uint64_t ch_layout; /// Channel coding parameters for channels in the substream ChannelParams channel_params[MAX_CHANNELS]; 
@@ -328,6 +331,7 @@ static int read_major_sync(MLPDecodeContext *m, GetBitContext *gb) for (substr = 0; substr < MAX_SUBSTREAMS; substr++) m->substream[substr].restart_seen = 0; +#if 0 if (mh.stream_type == 0xbb) { /* MLP stream */ m->avctx->channel_layout = ff_mlp_layout[mh.channels_mlp]; @@ -352,6 +356,34 @@ static int read_major_sync(MLPDecodeContext *m, GetBitContext *gb) } } +#else + /* Set the layout for each substream. When there's more than one, the first + * substream is Stereo. Subsequent substreams' layouts are indicated in the + * major sync. */ + if (m->avctx->codec_id == AV_CODEC_ID_MLP) { + if ((substr = (mh.num_substreams > 1))) + m->substream[0].ch_layout = AV_CH_LAYOUT_STEREO; + m->substream[substr].ch_layout = mh.channel_layout_mlp; + } else { + if ((substr = (mh.num_substreams > 1))) + m->substream[0].ch_layout = AV_CH_LAYOUT_STEREO; + if (mh.num_substreams > 2) + if (mh.channel_layout_thd_stream2) + m->substream[2].ch_layout = mh.channel_layout_thd_stream2; + else + m->substream[2].ch_layout = mh.channel_layout_thd_stream1; + m->substream[substr].ch_layout = mh.channel_layout_thd_stream1; + + if (m->avctx->channels<=2 && m->substream[substr].ch_layout == AV_CH_LAYOUT_MONO && m->max_decoded_substream == 1) { + av_log(m->avctx, AV_LOG_DEBUG, "Mono stream with 2 substreams, ignoring 2nd\n"); + m->max_decoded_substream = 0; + if (m->avctx->channels==2) + m->avctx->channel_layout = AV_CH_LAYOUT_STEREO; + } + } + +#endif + m->needs_reordering = mh.channels_mlp >= 18 && mh.channels_mlp <= 20; return 0; From 1d20d975aa899cb5e0e5c9e9c34ce36e4f0faae3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Jan 2013 15:59:45 +0100 Subject: [PATCH 0132/1037] Merge commit '3ffcccb4fbaae4d5ad775506f1f2761f2029affa' * commit '3ffcccb4fbaae4d5ad775506f1f2761f2029affa': mlpdec: TrueHD: use Libav channel order. (cherry picked from commit cd6a8618b1f57a37e6bc639651fe5a657663409b) 
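Review bot: The TrueHD branch added under `#else` has an unbraced `if (mh.num_substreams > 2)` wrapping an `if`/`else`, so the `else` binds only by the dangling-else rule and the indentation is the sole hint of intent; `if (mh.num_substreams > 2) m->substream[2].ch_layout = mh.channel_layout_thd_stream2 ? mh.channel_layout_thd_stream2 : mh.channel_layout_thd_stream1;` says the same without the ambiguity. `if ((substr = (mh.num_substreams > 1)))` assigns inside the condition and then uses the result of a comparison as an array index, which deserves at least a comment. The old block kept under `#if 0` (opened in the preceding hunk) is dead code and is better deleted than disabled. The write to `m->substream[2]` relies on `num_substreams` having been bounded against the array size elsewhere, which is not visible in this hunk.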
Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 50 ++++++++++++++++++++++++++++++++------------- 1 file changed, 36 insertions(+), 14 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 8edca1761c..8e6f1fc5f3 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -152,6 +152,36 @@ typedef struct MLPDecodeContext { MLPDSPContext dsp; } MLPDecodeContext; +static const uint64_t thd_channel_order[] = { + AV_CH_FRONT_LEFT, AV_CH_FRONT_RIGHT, // LR + AV_CH_FRONT_CENTER, // C + AV_CH_LOW_FREQUENCY, // LFE + AV_CH_SIDE_LEFT, AV_CH_SIDE_RIGHT, // LRs + AV_CH_TOP_FRONT_LEFT, AV_CH_TOP_FRONT_RIGHT, // LRvh + AV_CH_FRONT_LEFT_OF_CENTER, AV_CH_FRONT_RIGHT_OF_CENTER, // LRc + AV_CH_BACK_LEFT, AV_CH_BACK_RIGHT, // LRrs + AV_CH_BACK_CENTER, // Cs + AV_CH_TOP_CENTER, // Ts + AV_CH_SURROUND_DIRECT_LEFT, AV_CH_SURROUND_DIRECT_RIGHT, // LRsd + AV_CH_WIDE_LEFT, AV_CH_WIDE_RIGHT, // LRw + AV_CH_TOP_FRONT_CENTER, // Cvh + AV_CH_LOW_FREQUENCY_2, // LFE2 +}; + +static uint64_t thd_channel_layout_extract_channel(uint64_t channel_layout, + int index) +{ + int i; + + if (av_get_channel_layout_nb_channels(channel_layout) <= index) + return 0; + + for (i = 0; i < FF_ARRAY_ELEMS(thd_channel_order); i++) + if (channel_layout & thd_channel_order[i] && !index--) + return thd_channel_order[i]; + return 0; +} + static VLC huff_vlc[3]; /** Initialize static data, constant between all invocations of the codec. */ @@ -492,6 +522,12 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, for (ch = 0; ch <= s->max_matrix_channel; ch++) { int ch_assign = get_bits(gbp, 6); + if (m->avctx->codec_id == AV_CODEC_ID_TRUEHD) { + uint64_t channel = thd_channel_layout_extract_channel(s->ch_layout, + ch_assign); + ch_assign = av_get_channel_layout_channel_index(s->ch_layout, + channel); + } if (ch_assign > s->max_matrix_channel) { av_log_ask_for_sample(m->avctx, "Assignment of matrix channel %d to invalid output channel %d.\n", 
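Review bot: thd_channel_layout_extract_channel() has no comment stating its contract, and the 0 it returns when `index` is past the last channel of the layout is an in-band error value that callers have to check. A header such as `/* Return the index-th channel set in channel_layout, counted in thd_channel_order, or 0 if there is none. */` would document it. The loop condition `channel_layout & thd_channel_order[i] && !index--` mixes a bit test with a side effect; parenthesising the bit test makes the precedence obvious.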
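Review bot: In the TrueHD branch added to read_restart_header(), `ch_assign` can come back negative, and the existing guard `if (ch_assign > s->max_matrix_channel)` does not reject that. thd_channel_layout_extract_channel() returns 0 when the 6-bit value read from the stream does not select a channel of `s->ch_layout`, and av_get_channel_layout_channel_index() returns a negative error code for a channel that is not in the layout. If `ch_assign` is then used to index `s->ch_assign[]` further down the loop (outside this hunk), that is a write before the start of the array controlled by stream data. The guard should read `if (ch_assign < 0 || ch_assign > s->max_matrix_channel) {`.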
@@ -513,20 +549,6 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, FFSWAP(int, s->ch_assign[3], s->ch_assign[5]); } } - if (m->avctx->codec_id == AV_CODEC_ID_TRUEHD && - (m->avctx->channel_layout == AV_CH_LAYOUT_7POINT1 || - m->avctx->channel_layout == AV_CH_LAYOUT_7POINT1_WIDE)) { - FFSWAP(int, s->ch_assign[4], s->ch_assign[6]); - FFSWAP(int, s->ch_assign[5], s->ch_assign[7]); - } else if (m->avctx->codec_id == AV_CODEC_ID_TRUEHD && - (m->avctx->channel_layout == AV_CH_LAYOUT_6POINT1 || - m->avctx->channel_layout == (AV_CH_LAYOUT_6POINT1 | AV_CH_TOP_CENTER) || - m->avctx->channel_layout == (AV_CH_LAYOUT_6POINT1 | AV_CH_TOP_FRONT_CENTER))) { - int i = s->ch_assign[6]; - s->ch_assign[6] = s->ch_assign[5]; - s->ch_assign[5] = s->ch_assign[4]; - s->ch_assign[4] = i; - } checksum = ff_mlp_restart_checksum(buf, get_bits_count(gbp) - start_count); From 9e3e11a348e047da05415c3e7ea6720be2d78d9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Jan 2013 16:12:05 +0100 Subject: [PATCH 0133/1037] Merge commit '1fd2deedcc6400e08b31566a547a5fac3b38cefb' * commit '1fd2deedcc6400e08b31566a547a5fac3b38cefb': mlpdec: set the channel layout. Conflicts: libavcodec/mlpdec.c (cherry picked from commit 1cf6f6f3daa9d9ae54a4bf0267b510e1638e272b) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 8e6f1fc5f3..5032b31bb8 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -578,10 +578,9 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, cp->huff_lsbs = 24; } - if (substr == m->max_decoded_substream && - m->avctx->channels != s->max_matrix_channel + 1) { - m->avctx->channels = s->max_matrix_channel + 1; - m->avctx->channel_layout = 0; + if (substr == m->max_decoded_substream) { + m->avctx->channels = s->max_matrix_channel + 1; + m->avctx->channel_layout = s->ch_layout; } return 0; 
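Review bot: In the `@@ -578,10 +578,9 @@` hunk, `m->avctx->channels` and `m->avctx->channel_layout` are set from two values that are never compared, `s->max_matrix_channel + 1` and `s->ch_layout`. The layout is filled per substream in read_major_sync by the earlier patch in this series, while `max_matrix_channel` appears to be parsed separately, so a stream can make the two disagree and the context then advertises a layout whose channel count differs from `channels`. The removed code reset the layout to 0 whenever it changed the channel count; keeping that fallback, `m->avctx->channel_layout = av_get_channel_layout_nb_channels(s->ch_layout) == m->avctx->channels ? s->ch_layout : 0;`, keeps the pair consistent for downstream code that sizes buffers from either field. read_restart_header() starts outside the hunk.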
From 358e4081edb8eae53eacc73ac224d35278f1433a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Jan 2013 19:26:22 +0100 Subject: [PATCH 0134/1037] mlp: fix channel order. This fixes a regression introduced with todays merge Signed-off-by: Michael Niedermayer (cherry picked from commit 6747b0be9b2a8e20724c6e514b3c8374c32fd6f0) Signed-off-by: Michael Niedermayer --- libavcodec/mlp_parser.c | 2 ++ libavcodec/mlp_parser.h | 1 + libavcodec/mlpdec.c | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/mlp_parser.c b/libavcodec/mlp_parser.c index 2497ac3612..b2fd6007d6 100644 --- a/libavcodec/mlp_parser.c +++ b/libavcodec/mlp_parser.c @@ -157,6 +157,7 @@ int ff_mlp_read_major_sync(void *log, MLPHeaderInfo *mh, GetBitContext *gb) skip_bits(gb, 11); + mh->channel_arrangement= channel_arrangement = get_bits(gb, 5); mh->channels_mlp = mlp_channels[channel_arrangement]; mh->channel_layout_mlp = ff_mlp_layout[channel_arrangement]; @@ -170,6 +171,7 @@ int ff_mlp_read_major_sync(void *log, MLPHeaderInfo *mh, GetBitContext *gb) skip_bits(gb, 8); + mh->channel_arrangement= channel_arrangement = get_bits(gb, 5); mh->channels_thd_stream1 = truehd_channels(channel_arrangement); mh->channel_layout_thd_stream1 = ff_truehd_layout(channel_arrangement); diff --git a/libavcodec/mlp_parser.h b/libavcodec/mlp_parser.h index 0415ccc7b0..4175e6c8cd 100644 --- a/libavcodec/mlp_parser.h +++ b/libavcodec/mlp_parser.h @@ -39,6 +39,7 @@ typedef struct MLPHeaderInfo int group1_samplerate; ///< Sample rate of first substream int group2_samplerate; ///< Sample rate of second substream (MLP only) + int channel_arrangement; int channels_mlp; ///< Channel count for MLP streams int channels_thd_stream1; ///< Channel count for substream 1 of TrueHD streams ("6-channel presentation") int channels_thd_stream2; ///< Channel count for substream 2 of TrueHD streams ("8-channel presentation") 
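Review bot: The new `int channel_arrangement;` in MLPHeaderInfo is the only neighbouring field without a `///<` description, and its meaning differs by stream type. In the mlp_parser.c hunks of this patch it receives the 5-bit field for MLP and the 5-bit first-substream field for TrueHD, so something like `int channel_arrangement; ///< Raw 5-bit channel arrangement code (TrueHD: substream 1)` would record that. The chained `mh->channel_arrangement= channel_arrangement = get_bits(gb, 5);` in both parser hunks is easier to read as two statements.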
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index c711b06949..501f4937b9 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -386,7 +386,7 @@ static int read_major_sync(MLPDecodeContext *m, GetBitContext *gb) } } - m->needs_reordering = mh.channels_mlp >= 18 && mh.channels_mlp <= 20; + m->needs_reordering = mh.channel_arrangement >= 18 && mh.channel_arrangement <= 20; return 0; } From 2ac6b573a4083e5b840f3577a063237ae0088401 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Feb 2013 22:36:07 +0100 Subject: [PATCH 0135/1037] h264: Reset last_pocs in case of reference or frame number inconsistencies This prevents faulty increasing of has_b_frames Should fix Ticket 2062 Signed-off-by: Michael Niedermayer (cherry picked from commit c230af9bccc3cadb373f9007ba14fffb6c2acc75) --- libavcodec/h264.c | 3 +++ libavcodec/h264_refs.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 0aab4e7328..56ef1092bd 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2968,6 +2968,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0) Picture *prev = h->short_ref_count ? h->short_ref[0] : NULL; av_log(h->s.avctx, AV_LOG_DEBUG, "Frame num gap %d %d\n", h->frame_num, h->prev_frame_num); + if (!h->sps.gaps_in_frame_num_allowed_flag) + for(i=0; ilast_pocs); i++) + h->last_pocs[i] = INT_MIN; if (ff_h264_frame_start(h) < 0) return -1; h->prev_frame_num++; diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index d09f15cacd..32c84d8e6f 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c 
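Review bot: `m->needs_reordering` is now computed from `mh.channel_arrangement`, which the parser hunks of this patch fill for TrueHD as well as MLP, so a TrueHD major sync whose 5-bit field is 18 to 20 sets the flag too. Whether that matters depends on the consumer of `needs_reordering`, which is outside this hunk; if the reordering is meant for MLP only, `m->needs_reordering = m->avctx->codec_id == AV_CODEC_ID_MLP && mh.channel_arrangement >= 18 && mh.channel_arrangement <= 20;` states it here. The bounds 18 and 20 are bare numbers and would benefit from a comment naming the arrangements they select.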
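Review bot: The loop that sets every `h->last_pocs[i]` to `INT_MIN` is added here in decode_slice_header() and again in ff_h264_decode_ref_pic_list_reordering() in h264_refs.c, with no comment in either place. A small helper shared by both sites, carrying a comment like `/* reset POC history on frame_num/reference inconsistencies so has_b_frames is not increased wrongly */`, keeps the two copies from drifting apart. In this hunk the `for` hangs off an unbraced `if (!h->sps.gaps_in_frame_num_allowed_flag)`; braces would make the scope explicit. Both functions extend beyond their hunks.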
@@ -287,7 +287,10 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h){ for(list=0; listlist_count; list++){ for(index= 0; index < h->ref_count[list]; index++){ if (!h->ref_list[list][index].f.data[0]) { + int i; av_log(h->s.avctx, AV_LOG_ERROR, "Missing reference picture, default is %d\n", h->default_ref_list[list][0].poc); + for (i=0; ilast_pocs); i++) + h->last_pocs[i] = INT_MIN; if (h->default_ref_list[list][0].f.data[0]) h->ref_list[list][index]= h->default_ref_list[list][0]; else From 71fee2ab1e77f2cba619b54474d980158d9f24b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Feb 2013 16:11:23 +0100 Subject: [PATCH 0136/1037] sws: dont write out of array on bigendian Fixes Ticket2229 Signed-off-by: Michael Niedermayer (cherry picked from commit 4e2c63685e031e28d2296cff76473b963ee62ba1) --- libswscale/swscale_unscaled.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index f35d1ba352..44a6902e24 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -605,6 +605,9 @@ static rgbConvFn findRgbConvFn(SwsContext *c) } } + if ((dstFormat == AV_PIX_FMT_RGB32_1 || dstFormat == AV_PIX_FMT_BGR32_1) && !isRGBA32(srcFormat) && ALT32_CORR<0) + return NULL; + return conv; } From 057051b84879feff7aafa9669e1cb3266a6bb589 Mon Sep 17 00:00:00 2001 
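Review bot: The early `return NULL` added at the end of findRgbConvFn() carries no comment, and the condition (a `*32_1` destination, a source that is not RGBA32, `ALT32_CORR<0`) does not explain itself. The commit message gives the reason, an out-of-array write on big-endian, and that belongs next to the code, e.g. `/* no safe converter for this combination when ALT32_CORR < 0: it would write outside the destination (ticket 2229) */`. It is also worth confirming that callers treat NULL from findRgbConvFn() as "no fast path" and fall back rather than call through it; that code is not in the hunk.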
From: Carl Eugen Hoyos Date: Thu, 14 Feb 2013 15:08:37 +0100 Subject: [PATCH 0137/1037] Write the fiel atom to mov files independently of the used video coded. The QuickTime specification does not contain any hint that the atom must not be written in some cases and both the QuickTime and the AVID decoders do not fail if the atom is present. This change allows to signal (visually) interlaced streams with a codec different from uncompressed video. As a side-effect, this fixes ticket #2202 (cherry picked from commit 7d0e3b197c817b307d599a23704a44763ed0bbdd) Conflicts: tests/ref/lavf/mov --- libavformat/movenc.c | 7 +++-- tests/ref/lavf/mov | 16 +++++----- tests/ref/seek/lavf-mov | 44 ++++++++++++++-------------- tests/ref/vsynth/vsynth1-avui | 4 +-- tests/ref/vsynth/vsynth1-dnxhd-1080i | 4 +-- tests/ref/vsynth/vsynth1-mpeg4 | 4 +-- tests/ref/vsynth/vsynth2-avui | 4 +-- tests/ref/vsynth/vsynth2-dnxhd-1080i | 4 +-- tests/ref/vsynth/vsynth2-mpeg4 | 4 +-- 9 files changed, 46 insertions(+), 45 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 1b851c03dd..bab8314ce5 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1128,13 +1128,14 @@ static int mov_write_video_tag(AVIOContext *pb, MOVTrack *track) mov_write_avcc_tag(pb, track); if(track->mode == MODE_IPOD) mov_write_uuid_tag_ipod(pb); - } else if (track->enc->field_order != AV_FIELD_UNKNOWN) - mov_write_fiel_tag(pb, track); - else if (track->enc->codec_id == AV_CODEC_ID_VC1 && track->vos_len > 0) + } else if (track->enc->codec_id == AV_CODEC_ID_VC1 && track->vos_len > 0) mov_write_dvc1_tag(pb, track); else if (track->vos_len > 0) mov_write_glbl_tag(pb, track); + if (track->enc->field_order != AV_FIELD_UNKNOWN) + mov_write_fiel_tag(pb, track); + if (track->enc->sample_aspect_ratio.den && track->enc->sample_aspect_ratio.num && track->enc->sample_aspect_ratio.den != track->enc->sample_aspect_ratio.num) { mov_write_pasp_tag(pb, track); 
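Review bot: The `fiel` atom is now written from mov_write_video_tag() for every track with a known `field_order`, without looking at `track->mode`. The commit message argues only from the QuickTime specification, yet the updated references in this patch show `.mp4` outputs (vsynth1-mpeg4.mp4, vsynth2-mpeg4.mp4) growing by the same 10 bytes, so the atom also lands in non-MOV output. If that is intended it deserves a comment; if not, `if (track->mode == MODE_MOV && track->enc->field_order != AV_FIELD_UNKNOWN)` restricts it. The function continues outside the hunk.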
diff --git a/tests/ref/lavf/mov b/tests/ref/lavf/mov index 4554ea65d9..210c88a015 100644 --- a/tests/ref/lavf/mov +++ b/tests/ref/lavf/mov @@ -1,12 +1,12 @@ -fcbe7806047914d9751fd9053009df69 *./tests/data/lavf/lavf.mov -367365 ./tests/data/lavf/lavf.mov +821cbbb6166b1d1117585fa4bb167a8e *./tests/data/lavf/lavf.mov +367375 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0xb2f59ab4 -72eac0051107a16e41d5263dab640f26 *./tests/data/lavf/lavf.mov -358455 ./tests/data/lavf/lavf.mov +f8e597c1ca2dddd581c82fef7700ae33 *./tests/data/lavf/lavf.mov +358465 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0xb2f59ab4 -cbc587335946df1f08d838f48ef396f0 *./tests/data/lavf/lavf.mov -377613 ./tests/data/lavf/lavf.mov +98aadee64774fea3eb59288b44144547 *./tests/data/lavf/lavf.mov +377623 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0xc882139b -7c932d24837f46ef57d3e40a61331565 *./tests/data/lavf/lavf.mov -357837 ./tests/data/lavf/lavf.mov +2561698a1e4ba55e03fd9ebdba743bb0 *./tests/data/lavf/lavf.mov +357847 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0xb2f59ab4 diff --git a/tests/ref/seek/lavf-mov b/tests/ref/seek/lavf-mov index 9563a0d3a5..c7278bd03e 100644 --- a/tests/ref/seek/lavf-mov +++ b/tests/ref/seek/lavf-mov 
@@ -1,48 +1,48 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326931 size: 1024 +ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326941 size: 1024 ret: 0 st: 0 flags:0 ts: 0.788359 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327955 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327965 size: 27834 ret: 0 st: 0 flags:1 ts:-0.317500 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 ret:-1 st: 1 flags:0 ts: 2.576667 ret: 0 st: 1 flags:1 ts: 1.470839 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327955 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327965 size: 27834 ret: 0 st:-1 flags:0 ts: 0.365002 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 165209 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 165219 size: 27925 ret: 0 st:-1 flags:1 ts:-0.740831 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 ret:-1 st: 0 flags:0 ts: 2.153359 ret: 0 st: 0 flags:1 ts: 1.047500 -ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326931 size: 1024 +ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326941 size: 1024 ret: 0 st: 1 flags:0 ts:-0.058322 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 ret: 0 st: 1 flags:1 ts: 2.835828 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327955 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 
0.960000 pos: 327965 size: 27834 ret:-1 st:-1 flags:0 ts: 1.730004 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 1 flags:1 dts: 0.464399 pts: 0.464399 pos: 164185 size: 1024 +ret: 0 st: 1 flags:1 dts: 0.464399 pts: 0.464399 pos: 164195 size: 1024 ret: 0 st: 0 flags:0 ts:-0.481641 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 ret: 0 st: 0 flags:1 ts: 2.412500 -ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326931 size: 1024 +ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326941 size: 1024 ret:-1 st: 1 flags:0 ts: 1.306667 ret: 0 st: 1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 ret: 0 st:-1 flags:0 ts:-0.904994 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 ret: 0 st:-1 flags:1 ts: 1.989173 -ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326931 size: 1024 +ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326941 size: 1024 ret: 0 st: 0 flags:0 ts: 0.883359 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327955 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327965 size: 27834 ret: 0 st: 0 flags:1 ts:-0.222500 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 ret:-1 st: 1 flags:0 ts: 2.671678 ret: 0 st: 1 flags:1 ts: 1.565850 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327955 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327965 size: 27834 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 165209 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 165219 size: 27925 ret: 0 st:-1 flags:1 ts:-0.645825 -ret: 0 st: 0 flags:1 dts: 
0.000000 pts: 0.000000 pos: 1727 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 diff --git a/tests/ref/vsynth/vsynth1-avui b/tests/ref/vsynth/vsynth1-avui index 03f2b31c38..e4434e88d0 100644 --- a/tests/ref/vsynth/vsynth1-avui +++ b/tests/ref/vsynth/vsynth1-avui @@ -1,4 +1,4 @@ -853dad3a1248614c6d61c2f9dc2a999c *tests/data/fate/vsynth1-avui.mov -42624907 tests/data/fate/vsynth1-avui.mov +0e71be51f4e0701d91ff7fa4d9ea0533 *tests/data/fate/vsynth1-avui.mov +42624917 tests/data/fate/vsynth1-avui.mov c5ccac874dbf808e9088bc3107860042 *tests/data/fate/vsynth1-avui.out.rawvideo stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth1-dnxhd-1080i b/tests/ref/vsynth/vsynth1-dnxhd-1080i index dbe2c371e0..211f366406 100644 --- a/tests/ref/vsynth/vsynth1-dnxhd-1080i +++ b/tests/ref/vsynth/vsynth1-dnxhd-1080i @@ -1,4 +1,4 @@ -124c991ee3ac0caef39a58a45287a762 *tests/data/fate/vsynth1-dnxhd-1080i.mov -3031911 tests/data/fate/vsynth1-dnxhd-1080i.mov +850261d663d64aef9a92418f15a3ee8a *tests/data/fate/vsynth1-dnxhd-1080i.mov +3031921 tests/data/fate/vsynth1-dnxhd-1080i.mov a09132c6db44f415e831dcaa630a351b *tests/data/fate/vsynth1-dnxhd-1080i.out.rawvideo stddev: 6.29 PSNR: 32.15 MAXDIFF: 64 bytes: 7603200/ 760320 diff --git a/tests/ref/vsynth/vsynth1-mpeg4 b/tests/ref/vsynth/vsynth1-mpeg4 index b6da11cef1..4ed1cd5d10 100644 --- a/tests/ref/vsynth/vsynth1-mpeg4 +++ b/tests/ref/vsynth/vsynth1-mpeg4 @@ -1,4 +1,4 @@ -a2acdf772bf7b7641079d8a03ea03ccf *tests/data/fate/vsynth1-mpeg4.mp4 -540024 tests/data/fate/vsynth1-mpeg4.mp4 +cc2240476d97c7809d461a7d334aa067 *tests/data/fate/vsynth1-mpeg4.mp4 +540034 tests/data/fate/vsynth1-mpeg4.mp4 f80ec173d37f2f91add031e95579a220 *tests/data/fate/vsynth1-mpeg4.out.rawvideo stddev: 7.97 PSNR: 30.10 MAXDIFF: 105 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-avui b/tests/ref/vsynth/vsynth2-avui index 59bac8d604..743c6ffbdb 100644 
--- a/tests/ref/vsynth/vsynth2-avui +++ b/tests/ref/vsynth/vsynth2-avui @@ -1,4 +1,4 @@ -d6ed112daf14e73ea50f1c32ecc6d4ce *tests/data/fate/vsynth2-avui.mov -42624907 tests/data/fate/vsynth2-avui.mov +ec8b12fd9f1f7737f7e23419457fe431 *tests/data/fate/vsynth2-avui.mov +42624917 tests/data/fate/vsynth2-avui.mov dde5895817ad9d219f79a52d0bdfb001 *tests/data/fate/vsynth2-avui.out.rawvideo stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-dnxhd-1080i b/tests/ref/vsynth/vsynth2-dnxhd-1080i index f657eb4c95..80fa5d8218 100644 --- a/tests/ref/vsynth/vsynth2-dnxhd-1080i +++ b/tests/ref/vsynth/vsynth2-dnxhd-1080i @@ -1,4 +1,4 @@ -5d7ab75ce6e547ed63a7a0eacf18f078 *tests/data/fate/vsynth2-dnxhd-1080i.mov -3031911 tests/data/fate/vsynth2-dnxhd-1080i.mov +b50f974586d2d72739eb8e2938425819 *tests/data/fate/vsynth2-dnxhd-1080i.mov +3031921 tests/data/fate/vsynth2-dnxhd-1080i.mov 744ba46da5d4c19a28562ea31061d170 *tests/data/fate/vsynth2-dnxhd-1080i.out.rawvideo stddev: 1.31 PSNR: 45.77 MAXDIFF: 23 bytes: 7603200/ 760320 diff --git a/tests/ref/vsynth/vsynth2-mpeg4 b/tests/ref/vsynth/vsynth2-mpeg4 index 399ef58e3f..c6c595e2be 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4 +++ b/tests/ref/vsynth/vsynth2-mpeg4 @@ -1,4 +1,4 @@ -04f74c54f4db25e1d454ede9216632c1 *tests/data/fate/vsynth2-mpeg4.mp4 -119661 tests/data/fate/vsynth2-mpeg4.mp4 +416519c3d814b92fe11401cfac01e3a7 *tests/data/fate/vsynth2-mpeg4.mp4 +119671 tests/data/fate/vsynth2-mpeg4.mp4 9a1e085d9e488c5ead0c940c9612a37a *tests/data/fate/vsynth2-mpeg4.out.rawvideo stddev: 5.34 PSNR: 33.57 MAXDIFF: 83 bytes: 7603200/ 7603200 From 1ca25bc387756677e9ce23163995aade2e5b663f Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sat, 16 Feb 2013 23:05:02 +0100 Subject: [PATCH 0138/1037] libopencore-amrnb: cosmetics: Group all encoder-related code together CC: libav-stable@libav.org 
Signed-off-by: Luca Barbato (cherry picked from commit 81ae57a269782fbfc9e11548d1e6605f13d65c9b) --- libavcodec/libopencore-amr.c | 88 ++++++++++++++++++------------------ 1 file changed, 44 insertions(+), 44 deletions(-) diff --git a/libavcodec/libopencore-amr.c b/libavcodec/libopencore-amr.c index 8dc2e9f31f..ad6d338fd9 100644 --- a/libavcodec/libopencore-amr.c +++ b/libavcodec/libopencore-amr.c @@ -49,41 +49,6 @@ static int amr_decode_fix_avctx(AVCodecContext *avctx) #include #include -/* Common code for fixed and float version*/ -typedef struct AMR_bitrates { - int rate; - enum Mode mode; -} AMR_bitrates; - -/* Match desired bitrate */ -static int get_bitrate_mode(int bitrate, void *log_ctx) -{ - /* make the correspondance between bitrate and mode */ - static const AMR_bitrates rates[] = { - { 4750, MR475 }, { 5150, MR515 }, { 5900, MR59 }, { 6700, MR67 }, - { 7400, MR74 }, { 7950, MR795 }, { 10200, MR102 }, { 12200, MR122 } - }; - int i, best = -1, min_diff = 0; - char log_buf[200]; - - for (i = 0; i < 8; i++) { - if (rates[i].rate == bitrate) - return rates[i].mode; - if (best < 0 || abs(rates[i].rate - bitrate) < min_diff) { - best = i; - min_diff = abs(rates[i].rate - bitrate); - } - } - /* no bitrate matching exactly, log a warning */ - snprintf(log_buf, sizeof(log_buf), "bitrate not supported: use one of "); - for (i = 0; i < 8; i++) - av_strlcatf(log_buf, sizeof(log_buf), "%.2fk, ", rates[i].rate / 1000.f); - av_strlcatf(log_buf, sizeof(log_buf), "using %.2fk", rates[best].rate / 1000.f); - av_log(log_ctx, AV_LOG_WARNING, "%s\n", log_buf); - - return best; -} - typedef struct AMRContext { AVClass *av_class; AVFrame frame; 
@@ -96,15 +61,6 @@ typedef struct AMRContext { AudioFrameQueue afq; } AMRContext; -static const AVOption options[] = { - { "dtx", "Allow DTX (generate comfort noise)", offsetof(AMRContext, enc_dtx), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, AV_OPT_FLAG_AUDIO_PARAM | AV_OPT_FLAG_ENCODING_PARAM }, - { NULL } -}; - -static const AVClass class = { - "libopencore_amrnb", av_default_item_name, options, LIBAVUTIL_VERSION_INT -}; - static av_cold int amr_nb_decode_init(AVCodecContext *avctx) { AMRContext *s = avctx->priv_data; 
@@ -186,6 +142,50 @@ AVCodec ff_libopencore_amrnb_decoder = { .long_name = NULL_IF_CONFIG_SMALL("OpenCORE AMR-NB (Adaptive Multi-Rate Narrow-Band)"), }; +/* Common code for fixed and float version*/ +typedef struct AMR_bitrates { + int rate; + enum Mode mode; +} AMR_bitrates; + +/* Match desired bitrate */ +static int get_bitrate_mode(int bitrate, void *log_ctx) +{ + /* make the correspondance between bitrate and mode */ + static const AMR_bitrates rates[] = { + { 4750, MR475 }, { 5150, MR515 }, { 5900, MR59 }, { 6700, MR67 }, + { 7400, MR74 }, { 7950, MR795 }, { 10200, MR102 }, { 12200, MR122 } + }; + int i, best = -1, min_diff = 0; + char log_buf[200]; + + for (i = 0; i < 8; i++) { + if (rates[i].rate == bitrate) + return rates[i].mode; + if (best < 0 || abs(rates[i].rate - bitrate) < min_diff) { + best = i; + min_diff = abs(rates[i].rate - bitrate); + } + } + /* no bitrate matching exactly, log a warning */ + snprintf(log_buf, sizeof(log_buf), "bitrate not supported: use one of "); + for (i = 0; i < 8; i++) + av_strlcatf(log_buf, sizeof(log_buf), "%.2fk, ", rates[i].rate / 1000.f); + av_strlcatf(log_buf, sizeof(log_buf), "using %.2fk", rates[best].rate / 1000.f); + av_log(log_ctx, AV_LOG_WARNING, "%s\n", log_buf); + + return best; +} + +static const AVOption options[] = { + { "dtx", "Allow DTX (generate comfort noise)", offsetof(AMRContext, enc_dtx), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, AV_OPT_FLAG_AUDIO_PARAM | AV_OPT_FLAG_ENCODING_PARAM }, + { NULL } +}; + +static const AVClass class = { + "libopencore_amrnb", av_default_item_name, options, LIBAVUTIL_VERSION_INT +}; + static av_cold int amr_nb_encode_init(AVCodecContext *avctx) { AMRContext *s = avctx->priv_data; From e492818d8925d63548c859ae560cadc852b4d297 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sat, 16 Feb 2013 23:05:03 +0100 Subject: [PATCH 0139/1037] libopencore-amr: Conditionally compile decoder and encoder bits CC: libav-stable@libav.org 
Signed-off-by: Luca Barbato (cherry picked from commit f6ad3ca159edcd2e48634bf39b9cd4a85af29cb1) --- libavcodec/libopencore-amr.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/libopencore-amr.c b/libavcodec/libopencore-amr.c index ad6d338fd9..8afc927784 100644 --- a/libavcodec/libopencore-amr.c +++ b/libavcodec/libopencore-amr.c @@ -61,6 +61,7 @@ typedef struct AMRContext { AudioFrameQueue afq; } AMRContext; +#if CONFIG_LIBOPENCORE_AMRNB_DECODER static av_cold int amr_nb_decode_init(AVCodecContext *avctx) { AMRContext *s = avctx->priv_data; @@ -141,7 +142,9 @@ AVCodec ff_libopencore_amrnb_decoder = { .capabilities = CODEC_CAP_DR1, .long_name = NULL_IF_CONFIG_SMALL("OpenCORE AMR-NB (Adaptive Multi-Rate Narrow-Band)"), }; +#endif /* CONFIG_LIBOPENCORE_AMRNB_DECODER */ +#if CONFIG_LIBOPENCORE_AMRNB_ENCODER /* Common code for fixed and float version*/ typedef struct AMR_bitrates { int rate; @@ -305,8 +308,9 @@ AVCodec ff_libopencore_amrnb_encoder = { .long_name = NULL_IF_CONFIG_SMALL("OpenCORE AMR-NB (Adaptive Multi-Rate Narrow-Band)"), .priv_class = &class, }; +#endif /* CONFIG_LIBOPENCORE_AMRNB_ENCODER */ -#endif +#endif /* CONFIG_LIBOPENCORE_AMRNB */ /* -----------AMR wideband ------------*/ #if CONFIG_LIBOPENCORE_AMRWB From a23d6ea1e443c34e3d103a5097e673d12e80a814 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sat, 16 Feb 2013 23:05:04 +0100 Subject: [PATCH 0140/1037] libopencore-amrwb: Make AMR-WB ifdeffery more precise The library might provide an encoder in the future, so it's better to check for the presence of the decoder rather than just the library. CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit ed89cad6aa04bbd692b3eb21c0e0bb56aca77130) --- libavcodec/libopencore-amr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/libopencore-amr.c b/libavcodec/libopencore-amr.c index 8afc927784..fdd7de9c53 100644 --- a/libavcodec/libopencore-amr.c 
+++ b/libavcodec/libopencore-amr.c @@ -313,7 +313,7 @@ AVCodec ff_libopencore_amrnb_encoder = { #endif /* CONFIG_LIBOPENCORE_AMRNB */ /* -----------AMR wideband ------------*/ -#if CONFIG_LIBOPENCORE_AMRWB +#if CONFIG_LIBOPENCORE_AMRWB_DECODER #include #include @@ -393,4 +393,4 @@ AVCodec ff_libopencore_amrwb_decoder = { .long_name = NULL_IF_CONFIG_SMALL("OpenCORE AMR-WB (Adaptive Multi-Rate Wide-Band)"), }; -#endif /* CONFIG_LIBOPENCORE_AMRWB */ +#endif /* CONFIG_LIBOPENCORE_AMRWB_DECODER */ From 6c62098827d3020c852a975f88084945867bf029 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sat, 16 Feb 2013 23:05:05 +0100 Subject: [PATCH 0141/1037] build: The libopencore-amrnb encoder depends on audio_frame_queue CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit d0fd1dd559b8362bdbca3405f739e0cc202d62e7) --- libavcodec/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 1ae17cdd0d..0f55b800dd 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -574,7 +574,7 @@ OBJS-$(CONFIG_LIBILBC_ENCODER) += libilbc.o OBJS-$(CONFIG_LIBMP3LAME_ENCODER) += libmp3lame.o mpegaudiodecheader.o \ audio_frame_queue.o OBJS-$(CONFIG_LIBOPENCORE_AMRNB_DECODER) += libopencore-amr.o -OBJS-$(CONFIG_LIBOPENCORE_AMRNB_ENCODER) += libopencore-amr.o +OBJS-$(CONFIG_LIBOPENCORE_AMRNB_ENCODER) += libopencore-amr.o audio_frame_queue.o OBJS-$(CONFIG_LIBOPENCORE_AMRWB_DECODER) += libopencore-amr.o OBJS-$(CONFIG_LIBOPENJPEG_DECODER) += libopenjpegdec.o OBJS-$(CONFIG_LIBOPENJPEG_ENCODER) += libopenjpegenc.o From 6407800521d26b103db4c22d9de709e957381e4b Mon Sep 17 00:00:00 2001 
From: Carl Eugen Hoyos Date: Sun, 17 Feb 2013 19:56:09 +0100 Subject: [PATCH 0142/1037] Revert "swfenc: use av_get_audio_frame_duration() instead of AVCodecContext.frame_size" This reverts commit 620b88a302d522f71a6a95aff500cf7bd8520043. Fixes ticket #2272. Conflicts: libavformat/swfenc.c (cherry picked from commit 8d0757e1079f588ed69f629e2d1a4d5f232dc298) --- libavformat/swfenc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c index a8fd9f91f0..5b7fd1fe5c 100644 --- a/libavformat/swfenc.c +++ b/libavformat/swfenc.c @@ -192,6 +192,10 @@ static int swf_write_header(AVFormatContext *s) return AVERROR_INVALIDDATA; } if (enc->codec_id == AV_CODEC_ID_MP3) { + if (!enc->frame_size) { + av_log(s, AV_LOG_ERROR, "audio frame size not set\n"); + return -1; + } swf->audio_enc = enc; swf->audio_fifo= av_fifo_alloc(AUDIO_FIFO_SIZE); if (!swf->audio_fifo) @@ -457,7 +461,7 @@ static int swf_write_audio(AVFormatContext *s, } av_fifo_generic_write(swf->audio_fifo, buf, size, NULL); - swf->sound_samples += av_get_audio_frame_duration(enc, size); + swf->sound_samples += enc->frame_size; /* if audio only stream make sure we add swf frames */ if (!swf->video_enc) From b9a287f23700e133a6101f115e29253f444f42f8 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 17 Feb 2013 12:38:23 +0100 Subject: [PATCH 0143/1037] build: make audio_frame_queue a stand-alone component Encoders requiring it have the dependency expressed in the configure. --- configure | 15 ++++++++++++--- libavcodec/Makefile | 25 +++++++++++-------------- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/configure b/configure index 6a8990d162..aa31ea0364 100755 --- a/configure +++ b/configure @@ -1312,6 +1312,7 @@ HAVE_LIST=" CONFIG_EXTRA=" aandcttables ac3dsp + audio_frame_queue error_resilience gcrypt golomb 
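Review bot: The new `!enc->frame_size` guard in swf_write_header returns a bare `-1`, while the check just above it in the same function returns `AVERROR_INVALIDDATA`. A caller that translates the code will report an unrelated errno instead of the real cause, so `return AVERROR(EINVAL);` fits better here, since a missing frame size is a setup problem rather than corrupt data. In the second hunk, `swf->sound_samples += enc->frame_size;` adds one frame per call regardless of `size`. A short comment there, stating that each packet is assumed to carry exactly one MP3 frame, would record that assumption. Both functions start and end outside their hunks.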
@@ -1464,7 +1465,7 @@ mpegvideoenc_select="mpegvideo" # decoders / encoders aac_decoder_select="mdct sinewin" -aac_encoder_select="mdct sinewin" +aac_encoder_select="audio_frame_queue mdct sinewin" aac_latm_decoder_select="aac_decoder aac_latm_parser" ac3_decoder_select="mdct ac3dsp ac3_parser" ac3_encoder_select="mdct ac3dsp" @@ -1545,13 +1546,13 @@ msmpeg4v3_decoder_select="h263_decoder" msmpeg4v3_encoder_select="h263_encoder" mss2_decoder_select="vc1_decoder" nellymoser_decoder_select="mdct sinewin" -nellymoser_encoder_select="mdct sinewin" +nellymoser_encoder_select="audio_frame_queue mdct sinewin" nuv_decoder_select="lzo" png_decoder_select="zlib" png_encoder_select="zlib" qcelp_decoder_select="lsp" qdm2_decoder_select="mdct rdft mpegaudiodsp" -ra_144_encoder_select="lpc" +ra_144_encoder_select="audio_frame_queue lpc" ralf_decoder_select="golomb" rv10_decoder_select="h263_decoder" rv10_encoder_select="h263_encoder" @@ -1636,7 +1637,9 @@ vc1_parser_select="error_resilience mpegvideo" # external libraries libfaac_encoder_deps="libfaac" +libfaac_encoder_select="audio_frame_queue" libfdk_aac_encoder_deps="libfdk_aac" +libfdk_aac_encoder_select="audio_frame_queue" libgsm_decoder_deps="libgsm" libgsm_encoder_deps="libgsm" libgsm_ms_decoder_deps="libgsm" 
@@ -1644,21 +1647,27 @@ libgsm_ms_encoder_deps="libgsm" libilbc_decoder_deps="libilbc" libilbc_encoder_deps="libilbc" libmp3lame_encoder_deps="libmp3lame" +libmp3lame_encoder_select="audio_frame_queue" libopencore_amrnb_decoder_deps="libopencore_amrnb" libopencore_amrnb_encoder_deps="libopencore_amrnb" +libopencore_amrnb_encoder_select="audio_frame_queue" libopencore_amrwb_decoder_deps="libopencore_amrwb" libopenjpeg_decoder_deps="libopenjpeg" libopenjpeg_encoder_deps="libopenjpeg" libopus_decoder_deps="libopus" libopus_encoder_deps="libopus" +libopus_encoder_select="audio_frame_queue" libschroedinger_decoder_deps="libschroedinger" libschroedinger_encoder_deps="libschroedinger" libspeex_decoder_deps="libspeex" libspeex_encoder_deps="libspeex" +libspeex_encoder_select="audio_frame_queue" libtheora_encoder_deps="libtheora" libvo_aacenc_encoder_deps="libvo_aacenc" +libvo_aacenc_encoder_select="audio_frame_queue" libvo_amrwbenc_encoder_deps="libvo_amrwbenc" libvorbis_encoder_deps="libvorbis" +libvorbis_encoder_select="audio_frame_queue" libvpx_decoder_deps="libvpx" libvpx_encoder_deps="libvpx" libx264_encoder_deps="libx264" diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 0f55b800dd..a32ff9613f 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -36,6 +36,7 @@ OBJS = allcodecs.o \ # parts needed for many different codecs OBJS-$(CONFIG_AANDCTTABLES) += aandcttab.o OBJS-$(CONFIG_AC3DSP) += ac3dsp.o +OBJS-$(CONFIG_AUDIO_FRAME_QUEUE) += audio_frame_queue.o OBJS-$(CONFIG_DCT) += dct.o dct32_fixed.o dct32_float.o OBJS-$(CONFIG_DWT) += dwt.o OBJS-$(CONFIG_DXVA2) += dxva2.o 
@@ -79,8 +80,7 @@ OBJS-$(CONFIG_AAC_DECODER) += aacdec.o aactab.o aacsbr.o aacps.o \ OBJS-$(CONFIG_AAC_ENCODER) += aacenc.o aaccoder.o \ aacpsy.o aactab.o \ psymodel.o iirfilter.o \ - mpeg4audio.o kbdwin.o \ - audio_frame_queue.o + mpeg4audio.o kbdwin.o OBJS-$(CONFIG_AASC_DECODER) += aasc.o msrledec.o OBJS-$(CONFIG_AC3_DECODER) += ac3dec.o ac3dec_data.o ac3.o kbdwin.o OBJS-$(CONFIG_AC3_ENCODER) += ac3enc_float.o ac3enc.o ac3tab.o \ @@ -273,8 +273,7 @@ OBJS-$(CONFIG_MSZH_DECODER) += lcldec.o OBJS-$(CONFIG_MTS2_DECODER) += mss4.o mss34dsp.o OBJS-$(CONFIG_MXPEG_DECODER) += mxpegdec.o mjpegdec.o mjpeg.o OBJS-$(CONFIG_NELLYMOSER_DECODER) += nellymoserdec.o nellymoser.o -OBJS-$(CONFIG_NELLYMOSER_ENCODER) += nellymoserenc.o nellymoser.o \ - audio_frame_queue.o +OBJS-$(CONFIG_NELLYMOSER_ENCODER) += nellymoserenc.o nellymoser.o OBJS-$(CONFIG_NUV_DECODER) += nuv.o rtjpeg.o OBJS-$(CONFIG_PAM_DECODER) += pnmdec.o pnm.o OBJS-$(CONFIG_PAM_ENCODER) += pamenc.o pnm.o @@ -306,8 +305,7 @@ OBJS-$(CONFIG_QTRLE_ENCODER) += qtrleenc.o OBJS-$(CONFIG_R10K_DECODER) += r210dec.o OBJS-$(CONFIG_R210_DECODER) += r210dec.o OBJS-$(CONFIG_RA_144_DECODER) += ra144dec.o ra144.o celp_filters.o -OBJS-$(CONFIG_RA_144_ENCODER) += ra144enc.o ra144.o celp_filters.o \ - audio_frame_queue.o +OBJS-$(CONFIG_RA_144_ENCODER) += ra144enc.o ra144.o celp_filters.o OBJS-$(CONFIG_RA_288_DECODER) += ra288.o celp_filters.o OBJS-$(CONFIG_RALF_DECODER) += ralf.o OBJS-$(CONFIG_RAWVIDEO_DECODER) += rawdec.o 
@@ -563,35 +561,34 @@ OBJS-$(CONFIG_WEBM_MUXER) += mpeg4audio.o mpegaudiodata.o \ OBJS-$(CONFIG_WTV_DEMUXER) += mpeg4audio.o mpegaudiodata.o # external codec libraries -OBJS-$(CONFIG_LIBFAAC_ENCODER) += libfaac.o audio_frame_queue.o -OBJS-$(CONFIG_LIBFDK_AAC_ENCODER) += libfdk-aacenc.o audio_frame_queue.o +OBJS-$(CONFIG_LIBFAAC_ENCODER) += libfaac.o +OBJS-$(CONFIG_LIBFDK_AAC_ENCODER) += libfdk-aacenc.o OBJS-$(CONFIG_LIBGSM_DECODER) += libgsm.o OBJS-$(CONFIG_LIBGSM_ENCODER) += libgsm.o OBJS-$(CONFIG_LIBGSM_MS_DECODER) += libgsm.o OBJS-$(CONFIG_LIBGSM_MS_ENCODER) += libgsm.o OBJS-$(CONFIG_LIBILBC_DECODER) += libilbc.o OBJS-$(CONFIG_LIBILBC_ENCODER) += libilbc.o -OBJS-$(CONFIG_LIBMP3LAME_ENCODER) += libmp3lame.o mpegaudiodecheader.o \ - audio_frame_queue.o +OBJS-$(CONFIG_LIBMP3LAME_ENCODER) += libmp3lame.o mpegaudiodecheader.o OBJS-$(CONFIG_LIBOPENCORE_AMRNB_DECODER) += libopencore-amr.o -OBJS-$(CONFIG_LIBOPENCORE_AMRNB_ENCODER) += libopencore-amr.o audio_frame_queue.o +OBJS-$(CONFIG_LIBOPENCORE_AMRNB_ENCODER) += libopencore-amr.o OBJS-$(CONFIG_LIBOPENCORE_AMRWB_DECODER) += libopencore-amr.o OBJS-$(CONFIG_LIBOPENJPEG_DECODER) += libopenjpegdec.o OBJS-$(CONFIG_LIBOPENJPEG_ENCODER) += libopenjpegenc.o OBJS-$(CONFIG_LIBOPUS_DECODER) += libopusdec.o libopus.o \ vorbis_data.o OBJS-$(CONFIG_LIBOPUS_ENCODER) += libopusenc.o libopus.o \ - vorbis_data.o audio_frame_queue.o + vorbis_data.o OBJS-$(CONFIG_LIBSCHROEDINGER_DECODER) += libschroedingerdec.o \ libschroedinger.o OBJS-$(CONFIG_LIBSCHROEDINGER_ENCODER) += libschroedingerenc.o \ libschroedinger.o OBJS-$(CONFIG_LIBSPEEX_DECODER) += libspeexdec.o -OBJS-$(CONFIG_LIBSPEEX_ENCODER) += libspeexenc.o audio_frame_queue.o +OBJS-$(CONFIG_LIBSPEEX_ENCODER) += libspeexenc.o OBJS-$(CONFIG_LIBTHEORA_ENCODER) += libtheoraenc.o OBJS-$(CONFIG_LIBVO_AACENC_ENCODER) += libvo-aacenc.o mpeg4audio.o OBJS-$(CONFIG_LIBVO_AMRWBENC_ENCODER) += libvo-amrwbenc.o -OBJS-$(CONFIG_LIBVORBIS_ENCODER) += libvorbis.o audio_frame_queue.o \ 
+OBJS-$(CONFIG_LIBVORBIS_ENCODER) += libvorbis.o \ vorbis_data.o vorbis_parser.o OBJS-$(CONFIG_LIBVPX_DECODER) += libvpxdec.o OBJS-$(CONFIG_LIBVPX_ENCODER) += libvpxenc.o From d61c6ebccfde3797a5d376e0f203550d7beb0576 Mon Sep 17 00:00:00 2001 From: Matti Hamalainen Date: Mon, 18 Feb 2013 02:49:45 +0100 Subject: [PATCH 0144/1037] svq3: unbreak decoding a7d2861d36756b913e85681b86ed3385274e8ced removed necessary braces. --- libavcodec/svq3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 266e22f985..68bf2f7a55 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -550,20 +550,22 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) if (svq3_mc_dir(h, mb_type - 1, mode, 0, 0) < 0) return -1; } else { /* AV_PICTURE_TYPE_B */ - if (mb_type != 2) + if (mb_type != 2) { if (svq3_mc_dir(h, 0, mode, 0, 0) < 0) return -1; - else + } else { for (i = 0; i < 4; i++) memset(s->current_picture.f.motion_val[0][b_xy + i * h->b_stride], 0, 4 * 2 * sizeof(int16_t)); - if (mb_type != 1) + } + if (mb_type != 1) { if (svq3_mc_dir(h, 0, mode, 1, mb_type == 3) < 0) return -1; - else + } else { for (i = 0; i < 4; i++) memset(s->current_picture.f.motion_val[1][b_xy + i * h->b_stride], 0, 4 * 2 * sizeof(int16_t)); + } } mb_type = MB_TYPE_16x16; From c6f59b95c529baf2ea6729ab9089fddce3ddd86a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Feb 2013 20:41:16 +0100 Subject: [PATCH 0145/1037] h264: avoid calling get_format() multiple times Some applications do not like that. Fixes VDA Reduces noise for VDPAU Tested-by: Guillaume POIRIER Tested-by: Carl Eugen Hoyos Signed-off-by: Michael Niedermayer (cherry picked from commit dece584a639c9fd61a72e21800815e8397b3b617) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 56ef1092bd..da749a241d 100644 --- a/libavcodec/h264.c 
+++ b/libavcodec/h264.c @@ -2537,11 +2537,17 @@ static enum PixelFormat get_pixel_format(H264Context *h) return s->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ422P : AV_PIX_FMT_YUV422P; } else { - return s->avctx->get_format(s->avctx, s->avctx->codec->pix_fmts ? + int i; + const enum AVPixelFormat * fmt = s->avctx->codec->pix_fmts ? s->avctx->codec->pix_fmts : s->avctx->color_range == AVCOL_RANGE_JPEG ? hwaccel_pixfmt_list_h264_jpeg_420 : - ff_hwaccel_pixfmt_list_420); + ff_hwaccel_pixfmt_list_420; + + for (i=0; fmt[i] != AV_PIX_FMT_NONE; i++) + if (fmt[i] == s->avctx->pix_fmt) + return fmt[i]; + return s->avctx->get_format(s->avctx, fmt); } break; default: From 56b6909b395e4d54a356a0274a5e4cba79bab33b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Feb 2013 17:11:34 +0100 Subject: [PATCH 0146/1037] movenc: hotfix, dont store fiel for h264 / mpeg4-asp / dnxhd Other software does not store it in this case, and the information is provided by the codec stream Signed-off-by: Michael Niedermayer (cherry picked from commit 405cc0d9052079307b2b4188c396ae30c8e9108b) Conflicts: tests/ref/lavf/mov --- libavformat/movenc.c | 7 +++-- tests/ref/lavf/mov | 16 +++++----- tests/ref/seek/lavf-mov | 44 ++++++++++++++-------------- tests/ref/vsynth/vsynth1-dnxhd-1080i | 4 +-- tests/ref/vsynth/vsynth1-mpeg4 | 4 +-- tests/ref/vsynth/vsynth2-dnxhd-1080i | 4 +-- tests/ref/vsynth/vsynth2-mpeg4 | 4 +-- 7 files changed, 43 insertions(+), 40 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index bab8314ce5..2ee21e544d 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c 
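Review bot: The added loop in get_pixel_format returns `s->avctx->pix_fmt` without calling `get_format()` whenever that value is already in the candidate list, and nothing in the hunk says why skipping the callback is safe. If the list holds hardware-accelerated formats, an application that sets up accelerator state inside the callback would presumably not be consulted again when the stream changes but the format stays the same; that needs confirming against the callers, which are outside the hunk. I would add a comment such as `/* reuse the already negotiated format; get_format() is only consulted when pix_fmt is not in the list */`. I would also brace the `for` body, since it wraps an unbraced `if`. The function begins before the hunk.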
@@ -1133,8 +1133,11 @@ static int mov_write_video_tag(AVIOContext *pb, MOVTrack *track) else if (track->vos_len > 0) mov_write_glbl_tag(pb, track); - if (track->enc->field_order != AV_FIELD_UNKNOWN) - mov_write_fiel_tag(pb, track); + if (track->enc->codec_id != AV_CODEC_ID_H264 && + track->enc->codec_id != AV_CODEC_ID_MPEG4 && + track->enc->codec_id != AV_CODEC_ID_DNXHD) + if (track->enc->field_order != AV_FIELD_UNKNOWN) + mov_write_fiel_tag(pb, track); if (track->enc->sample_aspect_ratio.den && track->enc->sample_aspect_ratio.num && track->enc->sample_aspect_ratio.den != track->enc->sample_aspect_ratio.num) { diff --git a/tests/ref/lavf/mov b/tests/ref/lavf/mov index 210c88a015..4554ea65d9 100644 --- a/tests/ref/lavf/mov +++ b/tests/ref/lavf/mov @@ -1,12 +1,12 @@ -821cbbb6166b1d1117585fa4bb167a8e *./tests/data/lavf/lavf.mov -367375 ./tests/data/lavf/lavf.mov +fcbe7806047914d9751fd9053009df69 *./tests/data/lavf/lavf.mov +367365 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0xb2f59ab4 -f8e597c1ca2dddd581c82fef7700ae33 *./tests/data/lavf/lavf.mov -358465 ./tests/data/lavf/lavf.mov +72eac0051107a16e41d5263dab640f26 *./tests/data/lavf/lavf.mov +358455 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0xb2f59ab4 -98aadee64774fea3eb59288b44144547 *./tests/data/lavf/lavf.mov -377623 ./tests/data/lavf/lavf.mov +cbc587335946df1f08d838f48ef396f0 *./tests/data/lavf/lavf.mov +377613 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0xc882139b -2561698a1e4ba55e03fd9ebdba743bb0 *./tests/data/lavf/lavf.mov -357847 ./tests/data/lavf/lavf.mov +7c932d24837f46ef57d3e40a61331565 *./tests/data/lavf/lavf.mov +357837 ./tests/data/lavf/lavf.mov ./tests/data/lavf/lavf.mov CRC=0xb2f59ab4 diff --git a/tests/ref/seek/lavf-mov b/tests/ref/seek/lavf-mov index c7278bd03e..9563a0d3a5 100644 --- a/tests/ref/seek/lavf-mov +++ b/tests/ref/seek/lavf-mov 
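Review bot: The rewritten test in mov_write_video_tag nests one unbraced `if` inside another, the same shape the svq3.c patch earlier in this series had to repair after braces were dropped. Folding the `field_order` test into the outer condition removes the hazard, i.e. appending `&& track->enc->field_order != AV_FIELD_UNKNOWN` to the three `codec_id` comparisons and dropping the inner `if`. A one-line comment above it, for example `/* field order for these codecs is carried in the codec stream, so no fiel atom */`, would keep the reason next to the code. The function continues outside the hunk.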
@@ -1,48 +1,48 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326941 size: 1024 +ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326931 size: 1024 ret: 0 st: 0 flags:0 ts: 0.788359 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327965 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327955 size: 27834 ret: 0 st: 0 flags:1 ts:-0.317500 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 ret:-1 st: 1 flags:0 ts: 2.576667 ret: 0 st: 1 flags:1 ts: 1.470839 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327965 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327955 size: 27834 ret: 0 st:-1 flags:0 ts: 0.365002 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 165219 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 165209 size: 27925 ret: 0 st:-1 flags:1 ts:-0.740831 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 ret:-1 st: 0 flags:0 ts: 2.153359 ret: 0 st: 0 flags:1 ts: 1.047500 -ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326941 size: 1024 +ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326931 size: 1024 ret: 0 st: 1 flags:0 ts:-0.058322 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 ret: 0 st: 1 flags:1 ts: 2.835828 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327965 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 
0.960000 pos: 327955 size: 27834 ret:-1 st:-1 flags:0 ts: 1.730004 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 1 flags:1 dts: 0.464399 pts: 0.464399 pos: 164195 size: 1024 +ret: 0 st: 1 flags:1 dts: 0.464399 pts: 0.464399 pos: 164185 size: 1024 ret: 0 st: 0 flags:0 ts:-0.481641 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 ret: 0 st: 0 flags:1 ts: 2.412500 -ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326941 size: 1024 +ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326931 size: 1024 ret:-1 st: 1 flags:0 ts: 1.306667 ret: 0 st: 1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 ret: 0 st:-1 flags:0 ts:-0.904994 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 ret: 0 st:-1 flags:1 ts: 1.989173 -ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326941 size: 1024 +ret: 0 st: 1 flags:1 dts: 0.952018 pts: 0.952018 pos: 326931 size: 1024 ret: 0 st: 0 flags:0 ts: 0.883359 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327965 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327955 size: 27834 ret: 0 st: 0 flags:1 ts:-0.222500 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1737 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 ret:-1 st: 1 flags:0 ts: 2.671678 ret: 0 st: 1 flags:1 ts: 1.565850 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327965 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 327955 size: 27834 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 165219 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 165209 size: 27925 ret: 0 st:-1 flags:1 ts:-0.645825 -ret: 0 st: 0 flags:1 dts: 
0.000000 pts: 0.000000 pos: 1737 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 1727 size: 27837 diff --git a/tests/ref/vsynth/vsynth1-dnxhd-1080i b/tests/ref/vsynth/vsynth1-dnxhd-1080i index 211f366406..dbe2c371e0 100644 --- a/tests/ref/vsynth/vsynth1-dnxhd-1080i +++ b/tests/ref/vsynth/vsynth1-dnxhd-1080i @@ -1,4 +1,4 @@ -850261d663d64aef9a92418f15a3ee8a *tests/data/fate/vsynth1-dnxhd-1080i.mov -3031921 tests/data/fate/vsynth1-dnxhd-1080i.mov +124c991ee3ac0caef39a58a45287a762 *tests/data/fate/vsynth1-dnxhd-1080i.mov +3031911 tests/data/fate/vsynth1-dnxhd-1080i.mov a09132c6db44f415e831dcaa630a351b *tests/data/fate/vsynth1-dnxhd-1080i.out.rawvideo stddev: 6.29 PSNR: 32.15 MAXDIFF: 64 bytes: 7603200/ 760320 diff --git a/tests/ref/vsynth/vsynth1-mpeg4 b/tests/ref/vsynth/vsynth1-mpeg4 index 4ed1cd5d10..b6da11cef1 100644 --- a/tests/ref/vsynth/vsynth1-mpeg4 +++ b/tests/ref/vsynth/vsynth1-mpeg4 @@ -1,4 +1,4 @@ -cc2240476d97c7809d461a7d334aa067 *tests/data/fate/vsynth1-mpeg4.mp4 -540034 tests/data/fate/vsynth1-mpeg4.mp4 +a2acdf772bf7b7641079d8a03ea03ccf *tests/data/fate/vsynth1-mpeg4.mp4 +540024 tests/data/fate/vsynth1-mpeg4.mp4 f80ec173d37f2f91add031e95579a220 *tests/data/fate/vsynth1-mpeg4.out.rawvideo stddev: 7.97 PSNR: 30.10 MAXDIFF: 105 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-dnxhd-1080i b/tests/ref/vsynth/vsynth2-dnxhd-1080i index 80fa5d8218..f657eb4c95 100644 --- a/tests/ref/vsynth/vsynth2-dnxhd-1080i +++ b/tests/ref/vsynth/vsynth2-dnxhd-1080i @@ -1,4 +1,4 @@ -b50f974586d2d72739eb8e2938425819 *tests/data/fate/vsynth2-dnxhd-1080i.mov -3031921 tests/data/fate/vsynth2-dnxhd-1080i.mov +5d7ab75ce6e547ed63a7a0eacf18f078 *tests/data/fate/vsynth2-dnxhd-1080i.mov +3031911 tests/data/fate/vsynth2-dnxhd-1080i.mov 744ba46da5d4c19a28562ea31061d170 *tests/data/fate/vsynth2-dnxhd-1080i.out.rawvideo stddev: 1.31 PSNR: 45.77 MAXDIFF: 23 bytes: 7603200/ 760320 
diff --git a/tests/ref/vsynth/vsynth2-mpeg4 b/tests/ref/vsynth/vsynth2-mpeg4 index c6c595e2be..399ef58e3f 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4 +++ b/tests/ref/vsynth/vsynth2-mpeg4 @@ -1,4 +1,4 @@ -416519c3d814b92fe11401cfac01e3a7 *tests/data/fate/vsynth2-mpeg4.mp4 -119671 tests/data/fate/vsynth2-mpeg4.mp4 +04f74c54f4db25e1d454ede9216632c1 *tests/data/fate/vsynth2-mpeg4.mp4 +119661 tests/data/fate/vsynth2-mpeg4.mp4 9a1e085d9e488c5ead0c940c9612a37a *tests/data/fate/vsynth2-mpeg4.out.rawvideo stddev: 5.34 PSNR: 33.57 MAXDIFF: 83 bytes: 7603200/ 7603200 From 7acfa7758c7f655119a7cf972b9c4cc74de75161 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Mon, 14 Jan 2013 20:38:33 +0100 Subject: [PATCH 0147/1037] configure: Make warnings from -Wreturn-type fatal errors These warnings have no false positives and point to serious bugs. (cherry picked from commit 99853cb8d4237b810b2fffb4a34f66fd0064ef72) Conflicts: configure Signed-off-by: Michael Niedermayer --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index 0707a940c4..ffa032f637 100755 --- a/configure +++ b/configure @@ -4094,6 +4094,7 @@ elif enabled gcc; then check_optflags -fno-tree-vectorize check_cflags -Werror=implicit-function-declaration check_cflags -Werror=missing-prototypes + check_cflags -Werror=return-type check_cflags -Werror=vla elif enabled llvm_gcc; then check_cflags -mllvm -stack-alignment=16 @@ -4102,6 +4103,7 @@ elif enabled clang; then check_cflags -Qunused-arguments check_cflags -Werror=implicit-function-declaration check_cflags -Werror=missing-prototypes + check_cflags -Werror=return-type elif enabled armcc; then # 2523: use of inline assembler is deprecated add_cflags -W${armcc_opt},--diag_suppress=2523 From e14564b9262d072057b52b2a85c974525580aee0 Mon Sep 17 00:00:00 2001 
From: Hendrik Leppkes Date: Fri, 15 Feb 2013 15:53:54 +0100 Subject: [PATCH 0148/1037] lavfi/kerndeint: use av_pix_fmt_desc_get instead of directly accessing the table Fixes FATE in MSVC DLL builds. Signed-off-by: Michael Niedermayer (cherry picked from commit 5ad43af9a62cfd5422dc22f37dd2a2327fa75b7c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_kerndeint.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_kerndeint.c b/libavfilter/vf_kerndeint.c index 382b8a71ed..12eb969b22 100644 --- a/libavfilter/vf_kerndeint.c +++ b/libavfilter/vf_kerndeint.c @@ -96,7 +96,7 @@ static int query_formats(AVFilterContext *ctx) static int config_props(AVFilterLink *inlink) { KerndeintContext *kerndeint = inlink->dst->priv; - const AVPixFmtDescriptor *desc = &av_pix_fmt_descriptors[inlink->format]; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(inlink->format); int ret; kerndeint->vsub = desc->log2_chroma_h; From f5955d9f6f9ffdb81864c3de1c7b801782a55725 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Feb 2013 20:49:32 +0100 Subject: [PATCH 0149/1037] targa: Fix y check in advance_line Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 796012af6c780b5b13ebca39a491f215515a18fe) Signed-off-by: Michael Niedermayer --- libavcodec/targa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/targa.c b/libavcodec/targa.c index 6bb05a93ad..321441cb08 100644 --- a/libavcodec/targa.c +++ b/libavcodec/targa.c @@ -40,7 +40,7 @@ static uint8_t *advance_line(uint8_t *start, uint8_t *line, return line + interleave * stride; } else { *y = (*y + 1) & (interleave - 1); - if (*y) { + if (*y && *y < h) { return start + *y * stride; } else { return NULL; From 1ea5bbc5940d2ea5ec1eea83cccef331d737f5f6 Mon Sep 17 00:00:00 2001 
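Review bot: In targa.c, advance_line now returns NULL in two different situations, when the row index wraps to 0 and when the wrapped index is at or beyond `h`, and the hunk has no comment explaining the second one. I would add above the test `/* a pass whose first row lies beyond the image height ends decoding; start + *y * stride would point past the picture */`. The mask `& (interleave - 1)` also assumes `interleave` is a power of two, which is worth stating or asserting where that value is derived, outside this hunk. Only part of the signature and the tail of the function are visible here, so how callers handle the NULL return could not be checked.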
From: Michael Niedermayer Date: Tue, 12 Feb 2013 01:09:03 +0100 Subject: [PATCH 0150/1037] sanm: add forgotten check for decoded_size in old_codec37() Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 365270aec5c2b9284230abc702b11168818f14cf) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 0f68e1d1ed..cb94b3cca6 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -416,6 +416,11 @@ static int old_codec37(SANMVideoContext *ctx, int top, flags = bytestream2_get_byte(&ctx->gb); bytestream2_skip(&ctx->gb, 3); + if (decoded_size > height * stride - left - top * stride) { + decoded_size = height * stride - left - top * stride; + av_log(ctx->avctx, AV_LOG_WARNING, "decoded size is too large\n"); + } + ctx->rotate_code = 0; if (((seq & 1) || !(flags & 1)) && (compr && compr != 2)) From 1400f1a1e46d72dc38d4cee66f611d91c3a1f49b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Feb 2013 02:03:28 +0100 Subject: [PATCH 0151/1037] sanm: Use the correct height variable in the decoded_size checks Fixes integer overflow and out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5260edee7e5bd975837696c8c8c1a80eb2fbd7c1) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index cb94b3cca6..e317b33b1f 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c 
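Review bot: The bound `height * stride - left - top * stride` in the new old_codec37 check is computed in plain integer arithmetic from values that, as far as the hunk shows, are not validated first. A large `top` or `left` can therefore make it zero or negative, and `decoded_size` is then clamped to that value and decoding continues with only a warning. The same expression appears in the follow-up patch for old_codec37 and old_codec47, with `ctx->height`. I would compute the bound once and reject the frame when it is not positive, e.g. `int max_size = height * stride - left - top * stride;` then `if (max_size <= 0) return AVERROR_INVALIDDATA;`, and only then clamp. Whether the caller range-checks `top` and `left`, and whether `decoded_size` is signed, cannot be seen from this hunk and should be confirmed.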
@@ -416,8 +416,8 @@ static int old_codec37(SANMVideoContext *ctx, int top, flags = bytestream2_get_byte(&ctx->gb); bytestream2_skip(&ctx->gb, 3); - if (decoded_size > height * stride - left - top * stride) { - decoded_size = height * stride - left - top * stride; + if (decoded_size > ctx->height * stride - left - top * stride) { + decoded_size = ctx->height * stride - left - top * stride; av_log(ctx->avctx, AV_LOG_WARNING, "decoded size is too large\n"); } @@ -644,8 +644,8 @@ static int old_codec47(SANMVideoContext *ctx, int top, decoded_size = bytestream2_get_le32(&ctx->gb); bytestream2_skip(&ctx->gb, 8); - if (decoded_size > height * stride - left - top * stride) { - decoded_size = height * stride - left - top * stride; + if (decoded_size > ctx->height * stride - left - top * stride) { + decoded_size = ctx->height * stride - left - top * stride; av_log(ctx->avctx, AV_LOG_WARNING, "decoded size is too large\n"); } From f6687bbb6464532f14b3246cdb7b03f6d04b25cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Feb 2013 19:53:40 +0100 Subject: [PATCH 0152/1037] pngdec/filter: dont access out of array elements at the end Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1ac0fa50eff30d413206cffa5f47f7fe6d4849b1) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 21b742c850..c0a1737054 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -189,7 +189,7 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w if(bpp >= 2) g = dst[1];\ if(bpp >= 3) b = dst[2];\ if(bpp >= 4) a = dst[3];\ - for(; i < size; i+=bpp) {\ + for(; i <= size - bpp; i+=bpp) {\ dst[i+0] = r = op(r, src[i+0], last[i+0]);\ if(bpp == 1) continue;\ dst[i+1] = g = op(g, src[i+1], last[i+1]);\ 
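Review bot: In pngdec.c, the new loop bound `i <= size - bpp` in UNROLL1 is only safe if `size` and `bpp` are signed; their declarations are outside the hunk. With an unsigned operand, a row shorter than one pixel would wrap the subtraction and let the loop run. Writing the bound as `i + bpp <= size` expresses the same limit without the subtraction. In the second hunk of this file, the byte-wise tail loop reads `dst[i-bpp]`, which relies on `i` being at least `bpp` on entry. A one-line comment saying where `i` starts for the generic `bpp` case would make that checkable.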
@@ -205,13 +205,9 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w else if(bpp == 2) UNROLL1(2, op)\ else if(bpp == 3) UNROLL1(3, op)\ else if(bpp == 4) UNROLL1(4, op)\ - else {\ - for (; i < size; i += bpp) {\ - int j;\ - for (j = 0; j < bpp; j++)\ - dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\ - }\ - } + for (; i < size; i++) {\ + dst[i] = op(dst[i-bpp], src[i], last[i]);\ + }\ /* NOTE: 'dst' can be equal to 'last' */ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type, From 75211f2b8cfb8b4a3f47c514e55585651eeb2767 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Feb 2013 23:40:24 +0100 Subject: [PATCH 0153/1037] tiff: Check buffer allocation and pointer increment more carefully in shorts2str() and double2str() Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e1219cdaf9fb4bc8cea410e1caf802373c1bfe51) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 85a5823c35..1011116f41 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -212,10 +212,12 @@ static char *doubles2str(double *dp, int count, const char *sep) { int i; char *ap, *ap0; - int component_len; + uint64_t component_len; if (!sep) sep = ", "; - component_len = 15 + strlen(sep); - ap = av_malloc(component_len * count); + component_len = 15LL + strlen(sep); + if (count >= (INT_MAX - 1)/component_len) + return NULL; + ap = av_malloc(component_len * count + 1); if (!ap) return NULL; ap0 = ap; 
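Review bot: The new tail loop `for (; i < size; i++)` in the macro that dispatches to UNROLL1 reads `dst[i-bpp]`, which is in bounds only if `i` is already at least `bpp` when the macro is expanded; the initialisation of `i` is outside both pngdec.c hunks, so that precondition should be written down. The loop now also runs unconditionally after the `else if` chain, which relies on UNROLL1 expanding to one complete statement. I would add `/* tail: covers bpp > 4 and the last size % bpp bytes; requires i >= bpp on entry */` above the loop. In the earlier hunk, `i <= size - bpp` is safe only while `i` and `size` are signed; with unsigned operands a row shorter than `bpp` would wrap.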
@@ -236,14 +238,22 @@ static char *shorts2str(int16_t *sp, int count, const char *sep) { int i; char *ap, *ap0; + uint64_t component_len; if (!sep) sep = ", "; - ap = av_malloc((5 + strlen(sep)) * count); + component_len = 7LL + strlen(sep); + if (count >= (INT_MAX - 1)/component_len) + return NULL; + ap = av_malloc(component_len * count + 1); if (!ap) return NULL; ap0 = ap; ap[0] = '\0'; for (i = 0; i < count; i++) { - int l = snprintf(ap, 5 + strlen(sep), "%d%s", sp[i], sep); + unsigned l = snprintf(ap, component_len, "%d%s", sp[i], sep); + if (l >= component_len) { + av_free(ap0); + return NULL; + } ap += l; } ap0[strlen(ap0) - strlen(sep)] = '\0'; From 811a504c6bc2586a8ea5d52fbcfee94277123eb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Feb 2013 01:03:30 +0100 Subject: [PATCH 0154/1037] shorten: dont leave invalid channel counts in the context. Fixes freeing invalid addresses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4f1279154ee9baf2078241bf5619774970d18b25) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 8e66928db5..1d1f7eca07 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -343,6 +343,7 @@ static int read_header(ShortenContext *s) s->channels = get_uint(s, CHANSIZE); if (s->channels <= 0 || s->channels > MAX_CHANNELS) { av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels); + s->channels = 0; return AVERROR_INVALIDDATA; } s->avctx->channels = s->channels; From 7c40a0449b4771a0a09c3c38e081d3869d1f917b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Feb 2013 17:49:16 +0100 Subject: [PATCH 0155/1037] swr: check channel layouts before using them. Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
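Review bot: shorts2str() still ends with `ap0[strlen(ap0) - strlen(sep)] = '\0';`, and when `count` is 0 the loop writes nothing, so `strlen(ap0)` is 0 and the index wraps to a write far outside the one-byte allocation. The new overflow check does not reject that case; a negative count is rejected only because it converts to a large unsigned value in the comparison. An explicit `if (count <= 0) return NULL;` before the allocation, or skipping the separator trim when nothing was written, would cover it; whether callers can pass a zero count is not visible here. doubles2str() in the previous hunk gets the same allocation check and its tail is outside the hunk, so it should be checked for the same trim.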
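Review bot: The fix in read_header() resets `s->channels` after the range check fails, so the untrusted value is still written to the context first and any early return later added between the read and the check would have to remember the same reset. Reading the field into a local, validating it, and assigning `s->channels` only on success keeps the context valid at all times without a cleanup line. The log text `too many channels` is also printed for a count of zero, where `invalid channel count` would be accurate. The function continues outside the hunk.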
Signed-off-by: Michael Niedermayer (cherry picked from commit 21cd905cd44a4bbafe8631bbaa6021d328413ce5) Conflicts: libswresample/swresample.c Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index f530c1f59e..e93f707390 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -249,6 +249,16 @@ av_cold int swr_init(struct SwrContext *s){ return AVERROR(EINVAL); } + if(av_get_channel_layout_nb_channels(s-> in_ch_layout) > SWR_CH_MAX) { + av_log(s, AV_LOG_WARNING, "Input channel layout 0x%"PRIx64" is invalid or unsupported.\n", s-> in_ch_layout); + s->in_ch_layout = 0; + } + + if(av_get_channel_layout_nb_channels(s->out_ch_layout) > SWR_CH_MAX) { + av_log(s, AV_LOG_WARNING, "Output channel layout 0x%"PRIx64" is invalid or unsupported.\n", s->out_ch_layout); + s->out_ch_layout = 0; + } + if(s->int_sample_fmt == AV_SAMPLE_FMT_NONE){ if(av_get_planar_sample_fmt(s->in_sample_fmt) <= AV_SAMPLE_FMT_S16P){ s->int_sample_fmt= AV_SAMPLE_FMT_S16P; From 65bf4c9c4578c9817bb88cc4503664b1aecf185e Mon Sep 17 00:00:00 2001 
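Review bot: An over-large channel layout is only logged at warning level and zeroed in swr_init(), while the check directly above returns AVERROR(EINVAL); whether continuing with a layout of 0 is safe depends on code after the hunk that is not shown. If the fallback is intentional, a one-line comment above each block should say what the later initialisation does with a zero layout, so the difference from the neighbouring hard failure is not read as an oversight. The new tests bound the layout masks only; if a channel count can be supplied independently of the layout, it presumably needs the same `SWR_CH_MAX` bound.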
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 31 Jan 2013 10:19:57 +0200 Subject: [PATCH 0156/1037] mpegvideo: Do REBASE_PICTURE with byte pointers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit REBASE_PICTURE (more specifically, this half of it) takes a Picture pointer that points into one larger struct, finds the offset of that Picture within the struct and finds the corresponding field within another instance of a similar struct. The pointer difference "pic - (Picture*)old_ctx" is a value given in sizeof(Picture) units, and when applied back on (Picture*)new_ctx gets multiplied back with sizeof(Picture). Many compilers seem to optimize out this division/multiplication, but not all do. GCC 4.2 on OS X doesn't seem to remove the division/multiplication, therefore the new pointer didn't turn out to point to exactly the right place in the new struct since it only had sizeof(Picture) granularity (and the Picture is not aligned on a sizeof(Picture) boundary within the encompassing struct). This bug has been present before 47318953d as well - with H264, pointers to h->ref_list[0][0] pointed to 88 bytes before h->ref_list[0][0] after the rebase. After shrinking Picture, the difference ended up even larger, making writes via such a Picture pointer overwrite other fields at random in H264Context, ending up in crashes later. This fixes H264 multithreaded decoding on OS X with GCC 4.2. Fixes Bug: #439 Signed-off-by: Martin Storsjö (cherry picked from commit a65f965c04bfa27adedc0409c14cc05903f483d0) Signed-off-by: Reinhard Tartler --- libavcodec/mpegvideo.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 359bebc74b..38d9ab6d52 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h 
@@ -719,7 +719,7 @@ typedef struct MpegEncContext { #define REBASE_PICTURE(pic, new_ctx, old_ctx) (pic ? \ (pic >= old_ctx->picture && pic < old_ctx->picture+old_ctx->picture_count ?\ - &new_ctx->picture[pic - old_ctx->picture] : pic - (Picture*)old_ctx + (Picture*)new_ctx)\ + &new_ctx->picture[pic - old_ctx->picture] : (Picture*) ((uint8_t*)pic - (uint8_t*)old_ctx + (uint8_t*)new_ctx))\ : NULL) /* mpegvideo_enc common options */ From 0b2b8ab979624b0cce673d5e99255482d7c553ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Nov 2012 23:59:40 +0100 Subject: [PATCH 0157/1037] qdm2: check array index before use, fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed) CC: libav-stable@libav.org Signed-off-by: Reinhard Tartler (cherry picked from commit 39bec05ed42e505d17877b0c23f16322f9b5883b) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 269a051f69..cfae824d95 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1234,6 +1234,11 @@ static void qdm2_decode_super_block (QDM2Context *q) for (i = 0; packet_bytes > 0; i++) { int j; + if (i >= FF_ARRAY_ELEMS(q->sub_packet_list_A)) { + SAMPLES_NEEDED_2("too many packet bytes"); + return; + } + q->sub_packet_list_A[i].next = NULL; if (i > 0) { From 52b18c1fde65efac7f6e6104b76d39bf8d0a34ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Nov 2012 15:18:17 +0100 Subject: [PATCH 0158/1037] roqvideodec: check dimensions validity Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845) Signed-off-by: Michael Niedermayer (cherry picked from commit fee26d352a52eb9f7fcd8d9167fb4a5ba015b612) CC: libav-stable@libav.org 
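Review bot: REBASE_PICTURE still uses its arguments unparenthesised and evaluates `pic` up to four times, and the new casts make that more fragile, because `(uint8_t*)pic` binds the cast to the first token of whatever expression is passed. Writing the new branch as `(Picture*)((uint8_t*)(pic) - (uint8_t*)(old_ctx) + (uint8_t*)(new_ctx))`, with `(pic)` and `(old_ctx)->picture` in the first half as well, keeps the macro safe for non-trivial arguments. The byte-offset branch also assumes that `pic` points inside `*old_ctx` and that both contexts have the same layout; nothing in the macro checks this, so a short comment stating the assumption would help.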
Signed-off-by: Reinhard Tartler (cherry picked from commit 488f87be873506abb01d67708a67c10a4dd29283) Signed-off-by: Reinhard Tartler --- libavcodec/roqvideodec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c index 2543cecb27..3ee62c01b5 100644 --- a/libavcodec/roqvideodec.c +++ b/libavcodec/roqvideodec.c @@ -159,6 +159,13 @@ static av_cold int roq_decode_init(AVCodecContext *avctx) RoqContext *s = avctx->priv_data; s->avctx = avctx; + + if (avctx->width % 16 || avctx->height % 16) { + av_log(avctx, AV_LOG_ERROR, + "Dimensions must be a multiple of 16\n"); + return AVERROR_PATCHWELCOME; + } + s->width = avctx->width; s->height = avctx->height; s->last_frame = &s->frames[0]; From ab434bf0d051008a329d49d0256faa5d64e2bf4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Jan 2013 06:11:59 +0100 Subject: [PATCH 0159/1037] vqavideo: check chunk sizes before reading chunks Fixes out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889) Signed-off-by: Michael Niedermayer (cherry picked from commit 13093f9767b922661132a3c1f4b5ba2c7338b660) CC: libav-stable@libav.org Signed-off-by: Reinhard Tartler (cherry picked from commit f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a) Signed-off-by: Reinhard Tartler --- libavcodec/vqavideo.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 182f2ce997..841210ce97 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c 
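Review bot: The new test in roq_decode_init() accepts a width or height of 0, because `0 % 16` is 0, and a negative multiple of 16 passes as well. Unless the dimensions are validated before this function runs (not visible in the hunk), the condition should also reject non-positive values: `if (avctx->width <= 0 || avctx->height <= 0 || avctx->width % 16 || avctx->height % 16) {`. AVERROR_PATCHWELCOME fits the multiple-of-16 case; for non-positive sizes AVERROR_INVALIDDATA would be the clearer code. The rest of the function is outside the hunk.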
@@ -532,6 +532,12 @@ static int vqa_decode_chunk(VqaContext *s) bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET); chunk_size = bytestream2_get_be32(&s->gb); + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (%u bytes)\n", + chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index], chunk_size); @@ -555,6 +561,12 @@ static int vqa_decode_chunk(VqaContext *s) bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET); chunk_size = bytestream2_get_be32(&s->gb); + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (%u bytes)\n", + chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index], chunk_size); From 6626a7df534591c1eaed860bcb2f61610a3727f4 Mon Sep 17 00:00:00 2001 From: Vicente Jimenez Aguilar Date: Sat, 16 Feb 2013 03:08:36 +0100 Subject: [PATCH 0160/1037] doc: Fix some obsolete references to av* tools as ff* tools Signed-off-by: Diego Biurrun CC: libav-stable@libav.org (cherry picked from commit 202b5f6deb65e405b07b9b5c20f97c8cb925cf49) Signed-off-by: Reinhard Tartler --- doc/bitstream_filters.texi | 2 +- doc/demuxers.texi | 2 +- doc/encoders.texi | 2 +- doc/indevs.texi | 2 +- doc/muxers.texi | 2 +- doc/outdevs.texi | 2 +- doc/protocols.texi | 4 ++-- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/bitstream_filters.texi b/doc/bitstream_filters.texi index a6fe2f2633..6e7f8781ee 100644 --- a/doc/bitstream_filters.texi +++ b/doc/bitstream_filters.texi 
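Review bot: Both new checks in vqa_decode_chunk() (cbp0 here and cbpz in the next hunk) bound the copy by the constant MAX_CODEBOOK_SIZE, which is correct only if `next_codebook_buffer` is allocated with at least that many bytes and `next_codebook_buffer_index` never exceeds it; neither is visible in these hunks. With `chunk_size` unsigned (the `%u` format suggests so), an index above the constant would make the subtraction wrap in the comparison and let any size through. A comment tying the constant to the allocation, or a comparison against the stored allocation size, would make the invariant explicit. The two blocks are identical apart from the chunk name and could share one helper.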
@@ -10,7 +10,7 @@ You can disable all the bitstream filters using the configure option the option @code{--enable-bsf=BSF}, or you can disable a particular bitstream filter using the option @code{--disable-bsf=BSF}. -The option @code{-bsfs} of the ff* tools will display the list of +The option @code{-bsfs} of the av* tools will display the list of all the supported bitstream filters included in your build. Below is a description of the currently available bitstream filters. diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 2d5c425922..b78cf680ef 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -13,7 +13,7 @@ You can disable all the demuxers using the configure option the option "--enable-demuxer=@var{DEMUXER}", or disable it with the option "--disable-demuxer=@var{DEMUXER}". -The option "-formats" of the ff* tools will display the list of +The option "-formats" of the av* tools will display the list of enabled demuxers. The description of some of the currently available demuxers follows. diff --git a/doc/encoders.texi b/doc/encoders.texi index 830981fe8d..0491d7314a 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -14,7 +14,7 @@ You can disable all the encoders with the configure option with the options @code{--enable-encoder=@var{ENCODER}} / @code{--disable-encoder=@var{ENCODER}}. -The option @code{-codecs} of the ff* tools will display the list of +The option @code{-codecs} of the av* tools will display the list of enabled encoders. @c man end ENCODERS diff --git a/doc/indevs.texi b/doc/indevs.texi index 868329799f..8ff64a78ed 100644 --- a/doc/indevs.texi +++ b/doc/indevs.texi 
@@ -13,7 +13,7 @@ You can disable all the input devices using the configure option option "--enable-indev=@var{INDEV}", or you can disable a particular input device using the option "--disable-indev=@var{INDEV}". -The option "-formats" of the ff* tools will display the list of +The option "-formats" of the av* tools will display the list of supported input devices (amongst the demuxers). A description of the currently available input devices follows. diff --git a/doc/muxers.texi b/doc/muxers.texi index 4973f1af1d..d183eaf1bd 100644 --- a/doc/muxers.texi +++ b/doc/muxers.texi @@ -13,7 +13,7 @@ You can disable all the muxers with the configure option with the options @code{--enable-muxer=@var{MUXER}} / @code{--disable-muxer=@var{MUXER}}. -The option @code{-formats} of the ff* tools will display the list of +The option @code{-formats} of the av* tools will display the list of enabled muxers. A description of some of the currently available muxers follows. diff --git a/doc/outdevs.texi b/doc/outdevs.texi index 938909c784..dd7bd6475d 100644 --- a/doc/outdevs.texi +++ b/doc/outdevs.texi @@ -13,7 +13,7 @@ You can disable all the output devices using the configure option option "--enable-outdev=@var{OUTDEV}", or you can disable a particular input device using the option "--disable-outdev=@var{OUTDEV}". -The option "-formats" of the ff* tools will display the list of +The option "-formats" of the av* tools will display the list of enabled output devices (amongst the muxers). A description of the currently available output devices follows. diff --git a/doc/protocols.texi b/doc/protocols.texi index 086a249a13..0d40e5eeb9 100644 --- a/doc/protocols.texi +++ b/doc/protocols.texi 
@@ -14,7 +14,7 @@ option "--enable-protocol=@var{PROTOCOL}", or you can disable a particular protocol using the option "--disable-protocol=@var{PROTOCOL}". -The option "-protocols" of the ff* tools will display the list of +The option "-protocols" of the av* tools will display the list of supported protocols. A description of the currently available protocols follows. @@ -57,7 +57,7 @@ use the command: avconv -i file:input.mpeg output.mpeg @end example -The ff* tools default to the file protocol, that is a resource +The av* tools default to the file protocol, that is a resource specified with the name "FILE.mpeg" is interpreted as the URL "file:FILE.mpeg". From 4be63111d1a29a13153cc25dcd9681dbbe7e0851 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 20 Feb 2013 22:54:21 +0100 Subject: [PATCH 0161/1037] Fix bits_per_coded_sample when encoding png with frame-level multithreading. Fixes ticket #2290. (cherry picked from commit c4dc6c4c86a052b7ba53fa7ae0c1b0643ad70d0b) --- libavcodec/pngenc.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c index 7ba14b2d0d..a401c78f77 100644 --- a/libavcodec/pngenc.c +++ b/libavcodec/pngenc.c @@ -244,12 +244,10 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, color_type = PNG_COLOR_TYPE_RGB; break; case AV_PIX_FMT_RGBA: - avctx->bits_per_coded_sample = 32; bit_depth = 8; color_type = PNG_COLOR_TYPE_RGB_ALPHA; break; case AV_PIX_FMT_RGB24: - avctx->bits_per_coded_sample = 24; bit_depth = 8; color_type = PNG_COLOR_TYPE_RGB; break; @@ -258,7 +256,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, color_type = PNG_COLOR_TYPE_GRAY; break; case AV_PIX_FMT_GRAY8: - avctx->bits_per_coded_sample = 0x28; bit_depth = 8; color_type = PNG_COLOR_TYPE_GRAY; break; 
@@ -267,12 +264,10 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, color_type = PNG_COLOR_TYPE_GRAY_ALPHA; break; case AV_PIX_FMT_MONOBLACK: - avctx->bits_per_coded_sample = bit_depth = 1; color_type = PNG_COLOR_TYPE_GRAY; break; case AV_PIX_FMT_PAL8: - avctx->bits_per_coded_sample = bit_depth = 8; color_type = PNG_COLOR_TYPE_PALETTE; break; @@ -437,6 +432,23 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, static av_cold int png_enc_init(AVCodecContext *avctx){ PNGEncContext *s = avctx->priv_data; + switch(avctx->pix_fmt) { + case AV_PIX_FMT_RGBA: + avctx->bits_per_coded_sample = 32; + break; + case AV_PIX_FMT_RGB24: + avctx->bits_per_coded_sample = 24; + break; + case AV_PIX_FMT_GRAY8: + avctx->bits_per_coded_sample = 0x28; + break; + case AV_PIX_FMT_MONOBLACK: + avctx->bits_per_coded_sample = 1; + break; + case AV_PIX_FMT_PAL8: + avctx->bits_per_coded_sample = 8; + } + avcodec_get_frame_defaults(&s->picture); avctx->coded_frame= &s->picture; ff_dsputil_init(&s->dsp, avctx); From bc9d341be84eeae1c0b33295284df4e285e577dc Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Fri, 15 Feb 2013 13:59:40 -0800 Subject: [PATCH 0162/1037] x86: h264: Don't use redzone in AVX h264_deblock on Win64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes crashes in chromium on win64 on machines with AVX (crashes that apparently aren't triggered by fate). Signed-off-by: Martin Storsjö (cherry picked from commit 311443f6c7eb230276e320f2d30a5d729cf32b76) Signed-off-by: Martin Storsjö --- libavcodec/x86/h264_deblock.asm | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/x86/h264_deblock.asm b/libavcodec/x86/h264_deblock.asm index 1f1dbc6a2f..67f9c02464 100644 --- a/libavcodec/x86/h264_deblock.asm +++ b/libavcodec/x86/h264_deblock.asm 
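Review bot: The switch added to png_enc_init() has no `default:` and its last case, `AV_PIX_FMT_PAL8`, ends without `break;`, so a case appended later would be reached by fall-through from PAL8. Adding `break;` after the PAL8 assignment and `default: break;` makes it explicit that other pixel formats leave `bits_per_coded_sample` as the caller set it. The `0x28` for GRAY8 is carried over unchanged from encode_frame() and would benefit from a comment explaining the value.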
@@ -621,7 +621,11 @@ DEBLOCK_LUMA v, 16 %define t5 m11 %define mask0 m12 %define mask1p m13 +%if WIN64 + %define mask1q [rsp] +%else %define mask1q [rsp-24] +%endif %define mpb_0 m14 %define mpb_1 m15 %else @@ -640,7 +644,11 @@ DEBLOCK_LUMA v, 16 ;----------------------------------------------------------------------------- ; void deblock_v_luma_intra( uint8_t *pix, int stride, int alpha, int beta ) ;----------------------------------------------------------------------------- +%if WIN64 +cglobal deblock_%1_luma_intra_8, 4,6,16,0x10 +%else cglobal deblock_%1_luma_intra_8, 4,6,16,ARCH_X86_64*0x50-0x50 +%endif lea r4, [r1*4] lea r5, [r1*3] ; 3*stride dec r2d ; alpha-1 From a642be972d4861159f8bf4ef47afcc8f60a2f02b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Feb 2013 02:46:02 +0100 Subject: [PATCH 0163/1037] h264: ensure that get_format() is called when changing format but not otherwise. Fixes Ticket2288 Tested-by: Stefano Pigozzi Signed-off-by: Michael Niedermayer (cherry picked from commit 04220b473e9d7b22d737405348f9904f22bcfb96) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index da749a241d..f5d4f1b150 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2475,7 +2475,7 @@ static int h264_set_parameter_from_sps(H264Context *h) return 0; } -static enum PixelFormat get_pixel_format(H264Context *h) +static enum PixelFormat get_pixel_format(H264Context *h, int force_callback) { MpegEncContext *const s = &h->s; switch (h->sps.bit_depth_luma) { @@ -2545,7 +2545,7 @@ static enum PixelFormat get_pixel_format(H264Context *h) ff_hwaccel_pixfmt_list_420; for (i=0; fmt[i] != AV_PIX_FMT_NONE; i++) - if (fmt[i] == s->avctx->pix_fmt) + if (fmt[i] == s->avctx->pix_fmt && !force_callback) return fmt[i]; return s->avctx->get_format(s->avctx, fmt); } 
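Review bot: Nothing in the code says why Win64 gets a different `mask1q` slot and stack size, so the two `%if WIN64` branches look arbitrary to a later reader. A comment such as `; Win64 has no red zone below rsp, so mask1q must live in stack space reserved by cglobal` above the first `%if WIN64`, and a matching one at the `cglobal ... 0x10` line, would record the reason given in the commit message. It is also worth noting there that the 0x10 bytes are presumably sized for the single `mask1q` spill at `[rsp]`. The identical change appears again in the later h264_deblock.asm patch of this series (hunks at -625 and -644).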
@@ -2771,7 +2771,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) || s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))); - if (h0->s.avctx->pix_fmt != get_pixel_format(h0)) + if (h0->s.avctx->pix_fmt != get_pixel_format(h0, 0)) must_reinit = 1; s->mb_width = h->sps.mb_width; @@ -2809,7 +2809,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) flush_change(h); - if ((ret = get_pixel_format(h)) < 0) + if ((ret = get_pixel_format(h, 1)) < 0) return ret; s->avctx->pix_fmt = ret; @@ -2830,7 +2830,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) return -1; } - if ((ret = get_pixel_format(h)) < 0) + if ((ret = get_pixel_format(h, 1)) < 0) return ret; s->avctx->pix_fmt = ret; From 469cb61193861baf46cce76f98985b026b08cd8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Feb 2013 22:00:19 +0100 Subject: [PATCH 0164/1037] avcodec_decode_audio4: check got_frame_ptr before handling initial skip Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8a6449167a6da8cb747cfe3502ae86ffaac2ed48) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 12265a95ea..6552b9ee8d 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1767,7 +1767,7 @@ int attribute_align_arg avcodec_decode_audio4(AVCodecContext *avctx, av_log(avctx, AV_LOG_DEBUG, "skip %d samples due to side data\n", avctx->internal->skip_samples); } - if (avctx->internal->skip_samples) { + if (avctx->internal->skip_samples && *got_frame_ptr) { if(frame->nb_samples <= avctx->internal->skip_samples){ *got_frame_ptr = 0; avctx->internal->skip_samples -= frame->nb_samples; 
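Review bot: The comparison `h0->s.avctx->pix_fmt != get_pixel_format(h0, 0)` in decode_slice_header() can still reach the user's get_format() callback, because with `force_callback` 0 the loop in the hunk at -2545 short-circuits only when the current pix_fmt is in the candidate list and otherwise falls through to `s->avctx->get_format(s->avctx, fmt)`. In that case the callback runs once for the comparison and, if must_reinit leads to one of the `get_pixel_format(h, 1)` calls below, a second time; a negative return from the first call is also treated as a plain mismatch. A variant that never invokes the callback for the comparison, for example reporting AV_PIX_FMT_NONE when nothing matches, would be closer to the commit's stated goal; the code between these hunks is not shown, so this should be confirmed against the full function. Separately, `!force_callback` is loop-invariant and reads better as a guard around the `for` than inside its condition.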
From 02d1efdd5b61cefb96562ff9b94c03486a8ead15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Feb 2013 15:00:59 +0100 Subject: [PATCH 0165/1037] h264: check that luma and chroma depth match Fixes out of array access Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit bdeb61ccc67911cfc5e20c7cfb1312d0501ca90a) Conflicts: libavcodec/h264_ps.c Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index a68645bc36..f8439b110c 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -385,7 +385,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ } sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; - if (sps->bit_depth_luma > 14U || sps->bit_depth_chroma > 14U) { + if (sps->bit_depth_luma > 14U || sps->bit_depth_chroma > 14U || sps->bit_depth_luma != sps->bit_depth_chroma) { av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", sps->bit_depth_luma, sps->bit_depth_chroma); goto fail; From ef688e742557863152e76c7a1f5735fa6e4b0332 Mon Sep 17 00:00:00 2001 From: Andrea3000 Date: Thu, 21 Feb 2013 22:24:26 +0100 Subject: [PATCH 0166/1037] matroska: fix missing , Signed-off-by: Michael Niedermayer (cherry picked from commit 8d8c59480e1bbffb290b0790a7af378447c7f1fd) Signed-off-by: Michael Niedermayer --- libavformat/matroska.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroska.c b/libavformat/matroska.c index 9ea904ac8c..1e92073921 100644 --- a/libavformat/matroska.c +++ b/libavformat/matroska.c @@ -114,7 +114,7 @@ const char * const ff_matroska_video_stereo_mode[MATROSKA_VIDEO_STEREO_MODE_COUN "bottom_top", "top_bottom", "checkerboard_rl", - "checkerboard_lr" + "checkerboard_lr", "row_interleaved_rl", "row_interleaved_lr", "col_interleaved_rl", 
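Review bot: The added `sps->bit_depth_luma != sps->bit_depth_chroma` test in ff_h264_decode_seq_parameter_set() shares the log line `illegal bit depth value (%d, %d)`, which is misleading when both depths are individually in range and only differ. As far as I know the H.264 syntax permits different luma and chroma depths, so this is a decoder limitation rather than an invalid stream; a separate branch with its own message, e.g. `"Different luma and chroma bit depths are not supported (%d, %d)\n"`, would make reports easier to triage. The `fail` label and the rest of the function are outside the hunk.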
From 705e89d75fdea01a2ae1b89cf8a93533ea9b2050 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Feb 2013 22:53:53 +0100 Subject: [PATCH 0167/1037] update for 1.1.3 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 45a1b3f445..781dcb07cd 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.2 +1.1.3 diff --git a/VERSION b/VERSION index 45a1b3f445..781dcb07cd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.2 +1.1.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index b67606b6fb..2bfdb72fd0 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.2 +PROJECT_NUMBER = 1.1.3 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 5bed920971c555da67965918f440e516294cd44d Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Fri, 15 Feb 2013 13:59:40 -0800 Subject: [PATCH 0168/1037] Fix Win64 AVX h264_deblock by not using redzone on Win64 Thanks-to: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 82a4a4e7caa96cea9aa2185c4c3110a5e9fde7c2) Signed-off-by: Michael Niedermayer --- libavcodec/x86/h264_deblock.asm | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/x86/h264_deblock.asm b/libavcodec/x86/h264_deblock.asm index 8ac38fcaa8..5f2374d3ea 100644 --- a/libavcodec/x86/h264_deblock.asm +++ b/libavcodec/x86/h264_deblock.asm @@ -625,7 +625,11 @@ DEBLOCK_LUMA v, 16 %define t5 m11 %define mask0 m12 %define mask1p m13 +%if WIN64 + %define mask1q [rsp] +%else %define mask1q [rsp-24] +%endif %define mpb_0 m14 %define mpb_1 m15 %else 
@@ -644,7 +648,11 @@ DEBLOCK_LUMA v, 16 ;----------------------------------------------------------------------------- ; void deblock_v_luma_intra( uint8_t *pix, int stride, int alpha, int beta ) ;----------------------------------------------------------------------------- +%if WIN64 +cglobal deblock_%1_luma_intra_8, 4,6,16,0x10 +%else cglobal deblock_%1_luma_intra_8, 4,6,16,ARCH_X86_64*0x50-0x50 +%endif lea r4, [r1*4] lea r5, [r1*3] ; 3*stride dec r2d ; alpha-1 From 88ae77cea4c1281c15da6281ab593dc7c70bedc0 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 22 Feb 2013 21:52:56 +0100 Subject: [PATCH 0169/1037] update Changelog --- Changelog | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 7f6249adfa..dfc6e8cd21 100644 --- a/Changelog +++ b/Changelog 
@@ -1,10 +1,60 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.2: +- x86/H.264: Don't use redzone in AVX h264_deblock on Win64 +- VQA video: check chunk sizes before reading chunks +- RoQ video decoder: check dimensions validity +- QDM2: check array index before use, fix out of array accesses +- mpegvideo: Do REBASE_PICTURE with byte pointers +- SVQ3: unbreak decoding +- libopencore-amrwb: Make AMR-WB ifdeffery more precise +- libopencore-amr: Conditionally compile decoder and encoder bits +- arm: Fall back to runtime cpu feature detection via /proc/cpuinfo +- xxan: properly handle odd heights +- msrledec: check bounds before constructing a possibly invalid pointer, +- qtrle: fix the topmost line for 1bit +- aasc: fix output for msrle compression +- yop: check for input overreads +- yop: check that extradata is large enough +- fraps: fix off-by one bug for version 1 +- vf_delogo: fix copying the input frame +- vf_delogo: fix an uninitialized read +- dnxhdenc: fix invalid reads in dnxhd_mb_var_thread() +- ATRAC3: use correct loop variable in add_tonal_components() +- MLP: store the channel layout for each substream +- MLP decoder: TrueHD: use Libav channel order +- x86: ac3: Fix HAVE_MMXEXT condition to only refer to external assembly +- arm: vp8: Fix the plain-armv6 version of vp8_luma_dc_wht +- lavr: call mix_function_init() in ff_audio_mix_set_matrix() +- rtpenc_chain: Use the original AVFormatContext for getting payload type +- rtp: Make sure the output format pointer is set +- rtp: Make sure priv_data is set before reading it +- videodsp_armv5te: remove #if HAVE_ARMV5TE_EXTERNAL +- get_bits: change the failure condition in init_get_bits +- mpegvideo: fix loop condition in draw_line() +- fate: update ref after rv30_loop_filter fix +- RV30: fix masking in rv30_loop_filter() +- libcdio: support recent cdio-paranoia +- Theora: Skip zero-sized headers +- H.264: add 3 pixels 
below for subpixel filter wait position +- H.264: fix ff_generate_sliding_window_mmcos() prototype +- H.264: don't clobber mmco opcode tables for non-first slice headers +- libx264: use the library specific default rc_initial_buffer_occupancy +- lavc: set the default rc_initial_buffer_occupancy +- lavc: introduce the convenience function init_get_bits8 +- lavc: check for overflow in init_get_bits +- configure: enable pic for shared libs on AArch64 +- zmbv: Reset the decoder on keyframe errors +- VC1 decoder: prevent a crash due missing pred_flag parameter +- matroska: Fix use after free +- VP3: Fix double free in vp3_decode_end() + + version 9.1: - Fix a crash on windows platforms related to automatic stack alignment in libavresample -- Fix memleaks in the ogg demuxer. Related to CVE-2012-2882 +- Fix memleaks in the Ogg demuxer. Related to CVE-2012-2882 version 9: From b786ddc0f2ead744364d9de2caa64723b52da965 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Feb 2013 09:08:35 +0100 Subject: [PATCH 0170/1037] loco: check that there is data left after decoding a plane. CC:libav-stable@libav.org (cherry picked from commit 067432c1c95882c7221e694f33d9f3bdbe46de7f) Signed-off-by: Reinhard Tartler --- libavcodec/loco.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 6f49992a61..f78363676f 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c 
@@ -181,43 +181,70 @@ static int decode_frame(AVCodecContext *avctx, case LOCO_CYUY2: case LOCO_YUY2: case LOCO_UYVY: decoded = loco_decode_plane(l, p->data[0], avctx->width, avctx->height, p->linesize[0], buf, buf_size, 1); + if (decoded >= buf_size) + goto buf_too_small; buf += decoded; buf_size -= decoded; + decoded = loco_decode_plane(l, p->data[1], avctx->width / 2, avctx->height, p->linesize[1], buf, buf_size, 1); + if (decoded >= buf_size) + goto buf_too_small; buf += decoded; buf_size -= decoded; + decoded = loco_decode_plane(l, p->data[2], avctx->width / 2, avctx->height, p->linesize[2], buf, buf_size, 1); break; case LOCO_CYV12: case LOCO_YV12: decoded = loco_decode_plane(l, p->data[0], avctx->width, avctx->height, p->linesize[0], buf, buf_size, 1); + if (decoded >= buf_size) + goto buf_too_small; buf += decoded; buf_size -= decoded; + decoded = loco_decode_plane(l, p->data[2], avctx->width / 2, avctx->height / 2, p->linesize[2], buf, buf_size, 1); + if (decoded >= buf_size) + goto buf_too_small; buf += decoded; buf_size -= decoded; + decoded = loco_decode_plane(l, p->data[1], avctx->width / 2, avctx->height / 2, p->linesize[1], buf, buf_size, 1); break; case LOCO_CRGB: case LOCO_RGB: decoded = loco_decode_plane(l, p->data[0] + p->linesize[0]*(avctx->height-1), avctx->width, avctx->height, -p->linesize[0], buf, buf_size, 3); + if (decoded >= buf_size) + goto buf_too_small; buf += decoded; buf_size -= decoded; + decoded = loco_decode_plane(l, p->data[0] + p->linesize[0]*(avctx->height-1) + 1, avctx->width, avctx->height, -p->linesize[0], buf, buf_size, 3); + if (decoded >= buf_size) + goto buf_too_small; buf += decoded; buf_size -= decoded; + decoded = loco_decode_plane(l, p->data[0] + p->linesize[0]*(avctx->height-1) + 2, avctx->width, avctx->height, -p->linesize[0], buf, buf_size, 3); break; case LOCO_RGBA: decoded = loco_decode_plane(l, p->data[0], avctx->width, avctx->height, p->linesize[0], buf, buf_size, 4); + if (decoded >= buf_size) + goto 
buf_too_small; buf += decoded; buf_size -= decoded; + decoded = loco_decode_plane(l, p->data[0] + 1, avctx->width, avctx->height, p->linesize[0], buf, buf_size, 4); + if (decoded >= buf_size) + goto buf_too_small; buf += decoded; buf_size -= decoded; + decoded = loco_decode_plane(l, p->data[0] + 2, avctx->width, avctx->height, p->linesize[0], buf, buf_size, 4); + if (decoded >= buf_size) + goto buf_too_small; buf += decoded; buf_size -= decoded; + decoded = loco_decode_plane(l, p->data[0] + 3, avctx->width, avctx->height, p->linesize[0], buf, buf_size, 4); break; @@ -227,6 +254,9 @@ static int decode_frame(AVCodecContext *avctx, *(AVFrame*)data = l->pic; return buf_size; +buf_too_small: + av_log(avctx, AV_LOG_ERROR, "Input data too small.\n"); + return AVERROR(EINVAL); } static av_cold int decode_init(AVCodecContext *avctx){ From 488ffb813514794f088ccd988b2692889c8ca798 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Feb 2013 12:47:43 +0100 Subject: [PATCH 0171/1037] mov: use the format context for logging. CC:libav-stable@libav.org (cherry picked from commit 56daf10e0313c5e36f43e773f457d2a99ff0df10) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d5a75c40eb..7fe0548daa 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -718,7 +718,7 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) version = avio_r8(pb); if (version > 1) { - av_log_ask_for_sample(c, "unsupported version %d\n", version); + av_log_ask_for_sample(c->fc, "unsupported version %d\n", version); return AVERROR_PATCHWELCOME; } avio_rb24(pb); /* flags */ From 8bce2c60b8ebc31899d576dde3bbe6205faae97d Mon Sep 17 00:00:00 2001 
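Review bot: The last loco_decode_plane() call in every case of this hunk (the third, or the fourth under LOCO_RGBA) is left without a bounds check, so a final plane that consumes more than the remaining `buf_size` is still accepted silently. If the returned byte count can exceed the input size, a closing `if (decoded > buf_size) goto buf_too_small;` before each `break;` would cover it. The added `decoded >= buf_size` test would also let a negative return through to `buf += decoded`; whether loco_decode_plane() can return one is not visible here, but `if (decoded < 0 || decoded >= buf_size)` costs nothing. decode_frame() starts and ends outside the hunk.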
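Review bot: The new `buf_too_small` path returns `AVERROR(EINVAL)`, although the condition is a truncated or corrupt bitstream rather than a bad argument from the caller. `return AVERROR_INVALIDDATA;` would match what the other decoder fixes in this series return for damaged input. decode_frame() begins outside this hunk, so whether the frame buffer obtained earlier needs releasing on this path cannot be checked from here.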
From: Anton Khirnov Date: Thu, 14 Feb 2013 08:47:17 +0100 Subject: [PATCH 0172/1037] lagarith: avoid infinite loop in lag_rac_refill() range == 0 happens with corrupted files CC:libav-stable@libav.org (cherry picked from commit de6dfa2bb82df916a67e5036b0ef96a944781ed3) Signed-off-by: Reinhard Tartler --- libavcodec/lagarithrac.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarithrac.h b/libavcodec/lagarithrac.h index aa36d38f85..e4f066e445 100644 --- a/libavcodec/lagarithrac.h +++ b/libavcodec/lagarithrac.h @@ -107,6 +107,9 @@ static inline uint8_t lag_get_rac(lag_rac *l) l->range -= range_scaled * l->prob[255]; } + if (!l->range) + l->range = 0x80; + l->low -= range_scaled * l->prob[val]; return val; From 612b28194b4c1fb55c8620a8cddf77ea6e81b9bf Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Feb 2013 12:40:36 +0100 Subject: [PATCH 0173/1037] flicvideo: avoid an infinite loop in byte run compression When byte_run is 0, pixel_countdown is not touched and the loop will run forever. CC:libav-stable@libav.org (cherry picked from commit ddfe1246d98f70cdce368a2176196ba26ed7bf2d) Signed-off-by: Reinhard Tartler --- libavcodec/flicvideo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index d2cc6cdb41..0841335b09 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -348,6 +348,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, pixel_countdown = s->avctx->width; while (pixel_countdown > 0) { byte_run = sign_extend(bytestream2_get_byte(&g2), 8); + if (!byte_run) { + av_log(avctx, AV_LOG_ERROR, "Invalid byte run value.\n"); + return AVERROR_INVALIDDATA; + } + if (byte_run > 0) { palette_idx1 = bytestream2_get_byte(&g2); CHECK_PIXEL_PTR(byte_run); From 48fd461977f77f02668111769865e3740908e82a Mon Sep 17 00:00:00 2001 
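Review bot: The added `if (!l->range) l->range = 0x80;` carries no comment, and neither the trigger nor the choice of 0x80 can be read from the code. A line such as `/* range == 0 only occurs with corrupted input and would make lag_rac_refill() loop forever */` above the test would record what the commit message says. Because lag_get_rac() returns `uint8_t` it has no way to report the corruption, so decoding continues on damaged data with a patched-up state; that is worth stating in the comment as well. The function body starts outside the hunk.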
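Review bot: The zero-run guard is added to a single `while (pixel_countdown > 0)` loop of flic_decode_frame_8BPP(); any other byte-run loop of the same shape in this file, for instance in a 15/16-bit frame decoder, would need the same test, and none is touched by this patch. A short comment would also help the next reader, for example `/* byte_run == 0 would leave pixel_countdown unchanged and spin forever */`. The enclosing function starts and ends outside the hunk, so whether the early `return` skips cleanup done at the normal exit cannot be confirmed from here.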
From: Anton Khirnov Date: Wed, 13 Feb 2013 21:36:25 +0100 Subject: [PATCH 0174/1037] av_memcpy_backptr: avoid an infinite loop for back = 0 CC:libav-stable@libav.org (cherry picked from commit f935aca44c674d30e3ed940ef73bbad1228a5855) Signed-off-by: Reinhard Tartler --- libavutil/mem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavutil/mem.c b/libavutil/mem.c index 3a4433d154..391eb7db38 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -252,6 +252,9 @@ static void fill32(uint8_t *dst, int len) void av_memcpy_backptr(uint8_t *dst, int back, int cnt) { const uint8_t *src = &dst[-back]; + if (!back) + return; + if (back == 1) { memset(dst, *src, cnt); } else if (back == 2) { From e2cf32ca5f58f7f09dab8730e34aef00c986015f Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Feb 2013 14:05:35 +0100 Subject: [PATCH 0175/1037] mlpdec: do not try to allocate a zero-sized output buffer. CC:libav-stable@libav.org (cherry picked from commit 0dff40bfb9a0b24d56ecd64cd90c8f724cc5745f) Signed-off-by: Reinhard Tartler --- libavcodec/mlpdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 80ff4017f7..0eaf2e39e5 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -978,6 +978,11 @@ static int output_data(MLPDecodeContext *m, unsigned int substr, return AVERROR_INVALIDDATA; } + if (!s->blockpos) { + av_log(avctx, AV_LOG_ERROR, "No samples to output.\n"); + return AVERROR_INVALIDDATA; + } + /* get output buffer */ m->frame.nb_samples = s->blockpos; if ((ret = ff_get_buffer(avctx, &m->frame)) < 0) { From a6403a3b69174363bff5edc85314f6d3fbba1ba1 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Feb 2013 17:58:12 +0100 Subject: [PATCH 0176/1037] qtrle: add more checks against pixel_ptr being negative. CC:libav-stable@libav.org (cherry picked from commit e10659244782b26061e7d52c06437de32a43a7af) Signed-off-by: Reinhard Tartler --- libavcodec/qtrle.c | 5 +++++ 1 file changed, 5 insertions(+) 
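Review bot: Only `back == 0` is rejected, while `back` is a signed `int` and `src` is computed as `&dst[-back]`; a negative `back` would make `src` point ahead of `dst`, and the copy would read bytes that have not been written yet. Writing the new test as `if (back <= 0) return;` covers both cases. Since av_memcpy_backptr() returns `void`, the early return leaves `cnt` bytes of `dst` untouched without telling the caller, so decoders that take `back` from a bitstream should still validate it themselves; a comment saying so would help. The function continues past the end of the hunk.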
diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 2a83bdb9c8..23b2a61afd 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -117,6 +117,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int row_ptr, while (lines_to_change--) { pixel_ptr = row_ptr + (num_pixels * (bytestream2_get_byte(&s->g) - 1)); + CHECK_PIXEL_PTR(0); while ((rle_code = (signed char)bytestream2_get_byte(&s->g)) != -1) { if (rle_code == 0) { @@ -171,6 +172,7 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, int lines_to_change) while (lines_to_change--) { pixel_ptr = row_ptr + (4 * (bytestream2_get_byte(&s->g) - 1)); + CHECK_PIXEL_PTR(0); while ((rle_code = (signed char)bytestream2_get_byte(&s->g)) != -1) { if (rle_code == 0) { @@ -220,6 +222,7 @@ static void qtrle_decode_16bpp(QtrleContext *s, int row_ptr, int lines_to_change while (lines_to_change--) { pixel_ptr = row_ptr + (bytestream2_get_byte(&s->g) - 1) * 2; + CHECK_PIXEL_PTR(0); while ((rle_code = (signed char)bytestream2_get_byte(&s->g)) != -1) { if (rle_code == 0) { @@ -263,6 +266,7 @@ static void qtrle_decode_24bpp(QtrleContext *s, int row_ptr, int lines_to_change while (lines_to_change--) { pixel_ptr = row_ptr + (bytestream2_get_byte(&s->g) - 1) * 3; + CHECK_PIXEL_PTR(0); while ((rle_code = (signed char)bytestream2_get_byte(&s->g)) != -1) { if (rle_code == 0) { @@ -309,6 +313,7 @@ static void qtrle_decode_32bpp(QtrleContext *s, int row_ptr, int lines_to_change while (lines_to_change--) { pixel_ptr = row_ptr + (bytestream2_get_byte(&s->g) - 1) * 4; + CHECK_PIXEL_PTR(0); while ((rle_code = (signed char)bytestream2_get_byte(&s->g)) != -1) { if (rle_code == 0) { From bb3f1cad171b31537b64a9d19cabdbff50aca260 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 13 Feb 2013 20:46:08 +0100 Subject: [PATCH 0177/1037] 4xm: check the return value of read_huffman_tables(). CC:libav-stable@libav.org (cherry picked from commit 8097fc9a2dd49d8e467b16c8bafaa96242b7fe46) 
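Review bot: `CHECK_PIXEL_PTR(0);` is added after the per-line skip in this hunk and in the four hunks that follow (8, 16, 24 and 32 bpp), but the reason is not recorded next to it: the skip byte can be 0, which makes the `(... - 1)` term negative and moves `pixel_ptr` in front of `row_ptr`. A comment such as `/* a skip byte of 0 moves pixel_ptr backwards */` at the first occurrence would make that clear. The macro's definition is outside the hunks, so what it does on failure, and whether the in-loop skip under `rle_code == 0` is guarded the same way, cannot be confirmed from here. The decode functions all start and end outside their hunks.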
Signed-off-by: Reinhard Tartler --- libavcodec/4xm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index fb03b7e1ba..987285a682 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -720,6 +720,10 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length) } prestream = read_huffman_tables(f, prestream); + if (!prestream) { + av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); + return AVERROR_INVALIDDATA; + } init_get_bits(&f->gb, buf + 4, 8 * bitstream_size); From 77493bfd976253e87ac0d6934d64f51edc4d0d2c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Feb 2013 14:39:41 +0100 Subject: [PATCH 0178/1037] cavs: initialize various context tables to 0 Avoids crashes with corrupted files. CC:libav-stable@libav.org (cherry picked from commit 4f3b058c84f570e261d743c7c22f865617fd28ac) Conflicts: libavcodec/cavs.c Signed-off-by: Reinhard Tartler --- libavcodec/cavs.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index c110882377..f9b876ff65 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c 
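Review bot: The new test catches only a NULL return from read_huffman_tables(); the call passes `prestream` without any length, and the pointer that comes back is not compared with the end of the input (`buf + length`). If the helper can walk past the buffer on a malformed table, the check added here does not see it. Passing the remaining size to the helper, or checking the returned pointer against the buffer end, would close that gap. decode_i_frame() starts and ends outside the hunk, so an existing bound elsewhere in the function cannot be ruled out.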
@@ -702,17 +702,17 @@ void ff_cavs_init_pic(AVSContext *h) { */ void ff_cavs_init_top_lines(AVSContext *h) { /* alloc top line of predictors */ - h->top_qp = av_malloc( h->mb_width); - h->top_mv[0] = av_malloc((h->mb_width*2+1)*sizeof(cavs_vector)); - h->top_mv[1] = av_malloc((h->mb_width*2+1)*sizeof(cavs_vector)); - h->top_pred_Y = av_malloc( h->mb_width*2*sizeof(*h->top_pred_Y)); - h->top_border_y = av_malloc((h->mb_width+1)*16); - h->top_border_u = av_malloc( h->mb_width * 10); - h->top_border_v = av_malloc( h->mb_width * 10); + h->top_qp = av_mallocz( h->mb_width); + h->top_mv[0] = av_mallocz((h->mb_width*2+1)*sizeof(cavs_vector)); + h->top_mv[1] = av_mallocz((h->mb_width*2+1)*sizeof(cavs_vector)); + h->top_pred_Y = av_mallocz( h->mb_width*2*sizeof(*h->top_pred_Y)); + h->top_border_y = av_mallocz((h->mb_width+1)*16); + h->top_border_u = av_mallocz( h->mb_width * 10); + h->top_border_v = av_mallocz( h->mb_width * 10); /* alloc space for co-located MVs and types */ - h->col_mv = av_malloc( h->mb_width*h->mb_height*4*sizeof(cavs_vector)); - h->col_type_base = av_malloc(h->mb_width*h->mb_height); + h->col_mv = av_mallocz( h->mb_width*h->mb_height*4*sizeof(cavs_vector)); + h->col_type_base = av_mallocz(h->mb_width*h->mb_height); h->block = av_mallocz(64*sizeof(DCTELEM)); } From a991c0673f71199df363df05d2c8c83e17e80dfd Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 23 Feb 2013 14:49:16 +0100 Subject: [PATCH 0179/1037] update Changelog --- Changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Changelog b/Changelog index dfc6e8cd21..d20dca904f 100644 --- a/Changelog +++ b/Changelog 
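Review bot: None of the allocations in ff_cavs_init_top_lines() is checked, so after the switch to av_mallocz() a failed allocation still leaves a NULL table behind for the decoder to dereference. The function returns `void`, which means the fix needs a return value and a caller change outside this hunk: return `AVERROR(ENOMEM)` when any pointer is NULL and let the caller free what was allocated. Size expressions such as `h->mb_width*h->mb_height*4*sizeof(cavs_vector)` multiply the two dimensions before `sizeof` widens the result; if both are `int` and not bounded elsewhere, av_mallocz_array() would be the safer way to size these tables.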
@@ -2,6 +2,15 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 9.2: +- loco: check that there is data left after decoding a plane. +- mov: use the format context for logging. +- lagarith: avoid infinite loop in lag_rac_refill() with corrupted files +- flicvideo: avoid an infinite loop in byte run compression +- av_memcpy_backptr: avoid an infinite loop for back = 0 +- mlpdec: do not try to allocate a zero-sized output buffer. +- qtrle: add more checks against pixel_ptr being negative. +- 4xm: check the return value of read_huffman_tables(). +- cavs: initialize various context tables, avoids crashes with corrupted files - x86/H.264: Don't use redzone in AVX h264_deblock on Win64 - VQA video: check chunk sizes before reading chunks - RoQ video decoder: check dimensions validity From 1f9073f41be1776aca2382357ca2ad7b3bb934db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Feb 2013 19:25:46 +0100 Subject: [PATCH 0180/1037] vf_mp: Set pseudo pal Fixes ticket2140 Fixes null pointer dereference Signed-off-by: Michael Niedermayer (cherry picked from commit 73fce258b774d0480f2d2dd7ec81fa1ec1b27812) --- libavfilter/libmpcodecs/mp_image.c | 9 ++++++++- libavfilter/libmpcodecs/mp_image.h | 2 ++ libavfilter/vf_mp.c | 6 ++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/libavfilter/libmpcodecs/mp_image.c b/libavfilter/libmpcodecs/mp_image.c index 1ef5cbd55b..dbc1d62eb7 100644 --- a/libavfilter/libmpcodecs/mp_image.c +++ b/libavfilter/libmpcodecs/mp_image.c 
@@ -31,8 +31,13 @@ #include "libvo/fastmemcpy.h" //#include "libavutil/mem.h" +#include "libavutil/imgutils.h" void ff_mp_image_alloc_planes(mp_image_t *mpi) { + uint32_t temp[256]; + if (avpriv_set_systematic_pal2(temp, ff_mp2ff_pix_fmt(mpi->imgfmt)) >= 0) + mpi->flags |= MP_IMGFLAG_RGB_PALETTE; + // IF09 - allocate space for 4. plane delta info - unused if (mpi->imgfmt == IMGFMT_IF09) { mpi->planes[0]=av_malloc(mpi->bpp*mpi->width*(mpi->height+2)/8+ @@ -65,8 +70,10 @@ void ff_mp_image_alloc_planes(mp_image_t *mpi) { } } else { mpi->stride[0]=mpi->width*mpi->bpp/8; - if (mpi->flags & MP_IMGFLAG_RGB_PALETTE) + if (mpi->flags & MP_IMGFLAG_RGB_PALETTE) { mpi->planes[1] = av_malloc(1024); + memcpy(mpi->planes[1], temp, 1024); + } } mpi->flags|=MP_IMGFLAG_ALLOCATED; } diff --git a/libavfilter/libmpcodecs/mp_image.h b/libavfilter/libmpcodecs/mp_image.h index d658ab03f1..c33703b77e 100644 --- a/libavfilter/libmpcodecs/mp_image.h +++ b/libavfilter/libmpcodecs/mp_image.h @@ -37,6 +37,8 @@ #define ASMALIGN(ZEROBITS) ".p2align " #ZEROBITS "\n\t" #define CODEC_FLAG2_MEMC_ONLY 0x00001000 ///< Only do ME/MC (I frames -> ref, P frame -> ME+MC). +enum AVPixelFormat ff_mp2ff_pix_fmt(int mp); + //--------- codec's requirements (filled by the codec/vf) --------- //--- buffer content restrictions: diff --git a/libavfilter/vf_mp.c b/libavfilter/vf_mp.c index 6c87b3a8f0..70d1797435 100644 --- a/libavfilter/vf_mp.c +++ b/libavfilter/vf_mp.c @@ -217,6 +217,12 @@ zrmjpeg CpuCaps ff_gCpuCaps; //FIXME initialize this so optims work +enum AVPixelFormat ff_mp2ff_pix_fmt(int mp){ + int i; + for(i=0; conversion_map[i].fmt && mp != conversion_map[i].fmt; i++) + ; + return mp == conversion_map[i].fmt ? conversion_map[i].pix_fmt : AV_PIX_FMT_NONE; +} static void ff_sws_getFlagsAndFilterFromCmdLine(int *flags, SwsFilter **srcFilterParam, SwsFilter **dstFilterParam) { From 670128ff13dac1c37461943691b5895ad18e6dc4 Mon Sep 17 00:00:00 2001 
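Review bot: `temp` is filled only when avpriv_set_systematic_pal2() succeeds, yet the second mp_image.c hunk copies it whenever `MP_IMGFLAG_RGB_PALETTE` is set; if the flag was already set on entry and the call failed, `memcpy(mpi->planes[1], temp, 1024)` copies uninitialised stack bytes into the palette plane. The `av_malloc(1024)` result is also handed to memcpy() without a NULL check. `uint32_t temp[256] = { 0 };` together with `if (mpi->planes[1]) memcpy(mpi->planes[1], temp, sizeof(temp));` addresses both and drops the repeated literal 1024. ff_mp_image_alloc_planes() continues outside both hunks.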
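Review bot: ff_mp2ff_pix_fmt() in vf_mp.c is a new non-static function without any comment, and its empty-bodied `for` loop followed by the `mp == conversion_map[i].fmt` test takes a moment to decode. A header comment stating that it maps an MPlayer image format to an `AVPixelFormat` and returns `AV_PIX_FMT_NONE` when no entry matches would be enough. For `mp == 0` the loop stops on the terminating entry and the function returns that entry's `pix_fmt`; `conversion_map` is not visible in the hunk, so whether the terminator holds `AV_PIX_FMT_NONE` should be confirmed.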
From: Reinhard Tartler Date: Sun, 24 Feb 2013 09:29:17 +0100 Subject: [PATCH 0181/1037] Prepare for 9.3 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 1a2c3557ba..c3cae12bcc 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.2 +9.3 From b6ae41e7f42500b43bbfa346469ed88e0f66dadf Mon Sep 17 00:00:00 2001 From: Vicente Jimenez Aguilar Date: Wed, 20 Feb 2013 02:35:00 +0100 Subject: [PATCH 0182/1037] doc: filters: Correct BNF FILTER description Signed-off-by: Diego Biurrun (cherry picked from commit b5ad422bf4e671a8b30ce73ad236cd6b49940af9) --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 34db2f4630..1933b17868 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -90,7 +90,7 @@ Follows a BNF description for the filtergraph syntax: @var{LINKLABEL} ::= "[" @var{NAME} "]" @var{LINKLABELS} ::= @var{LINKLABEL} [@var{LINKLABELS}] @var{FILTER_ARGUMENTS} ::= sequence of chars (eventually quoted) -@var{FILTER} ::= [@var{LINKNAMES}] @var{NAME} ["=" @var{ARGUMENTS}] [@var{LINKNAMES}] +@var{FILTER} ::= [@var{LINKLABELS}] @var{NAME} ["=" @var{FILTER_ARGUMENTS}] [@var{LINKLABELS}] @var{FILTERCHAIN} ::= @var{FILTER} [,@var{FILTERCHAIN}] @var{FILTERGRAPH} ::= [sws_flags=@var{flags};] @var{FILTERCHAIN} [;@var{FILTERGRAPH}] @end example From dc745b76aa9a7682004c96372a9e77549de1b765 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Fri, 22 Feb 2013 22:06:37 +0100 Subject: [PATCH 0183/1037] doc: developer: Allow tabs in the vim configuration for Automake files While we do not use Automake in libav, this allows our config to be used more globally without introducing unwanted breakage. (cherry picked from commit 040c565e51985477a8fa5e42d2ddfb26ebde6608) Conflicts: doc/developer.texi --- doc/developer.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/developer.texi b/doc/developer.texi index 682a239abb..7d39f2db88 100644 
--- a/doc/developer.texi +++ b/doc/developer.texi @@ -221,8 +221,8 @@ set shiftwidth=4 set softtabstop=4 set cindent set cinoptions=(0 -" allow tabs in Makefiles -autocmd FileType make set noexpandtab shiftwidth=8 softtabstop=8 +" Allow tabs in Makefiles. +autocmd FileType make,automake set noexpandtab shiftwidth=8 softtabstop=8 " Trailing whitespace and tabs are forbidden, so highlight them. highlight ForbiddenWhitespace ctermbg=red guibg=red match ForbiddenWhitespace /\s\+$\|\t/ From 8d3bc52acd647cbaffe250308bf548f495916520 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 16 Jan 2013 18:27:14 -0300 Subject: [PATCH 0184/1037] latmenc: Check for LOAS sync word Write the packet unaltered if found. Fixes ticket #1917 Signed-off-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit b454c64e0311d813fef9c22cf34f83c2ce77ab23) --- libavformat/latmenc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/latmenc.c b/libavformat/latmenc.c index 233eab8382..9dfb4e4fab 100644 --- a/libavformat/latmenc.c +++ b/libavformat/latmenc.c @@ -156,6 +156,15 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt) av_log(s, AV_LOG_ERROR, "ADTS header detected - ADTS will not be incorrectly muxed into LATM\n"); return AVERROR_INVALIDDATA; } + + if (!s->streams[0]->codec->extradata) { + if(pkt->size > 2 && pkt->data[0] == 0x56 && (pkt->data[1] >> 4) == 0xe && + (AV_RB16(pkt->data + 1) & 0x1FFF) + 3 == pkt->size) + return ff_raw_write_packet(s, pkt); + else + return AVERROR_INVALIDDATA; + } + if (pkt->size > 0x1fff) goto too_large; From 5fb5ac71488c145c3d688d8716063a530108da9e Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 19 Jan 2013 00:48:59 -0300 Subject: [PATCH 0185/1037] doc/Makefile: Fix make docclean Signed-off-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 4f8b73129bb3845d9aadbf3dec3027b1136092a6) --- doc/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
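Review bot: The `else` branch of the new extradata test in latm_write_packet() returns `AVERROR_INVALIDDATA` without a log line, whereas the ADTS rejection just above it explains itself through av_log(); a user muxing a stream without extradata gets a bare failure. Adding `av_log(s, AV_LOG_ERROR, "No extradata and packet is not a LOAS frame\n");` before the return fixes that. The sync-word test (`0x56`, `0xe`, the length mask `0x1FFF`) would also benefit from a one-line comment naming the LOAS header fields it checks. The test reads `s->streams[0]` rather than the packet's own stream; the function begins outside the hunk, so whether the muxer guarantees a single stream is not visible.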
diff --git a/doc/Makefile b/doc/Makefile index b1b4016af9..f9efe3a9c4 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -92,9 +92,9 @@ uninstall: uninstall-man uninstall-man: $(RM) $(addprefix "$(MANDIR)/man1/",$(ALLMANPAGES)) -docclean: clean +clean:: docclean -clean:: +docclean: $(RM) $(TXTPAGES) doc/*.html doc/*.pod doc/*.1 doc/*.3 $(CLEANSUFFIXES:%=doc/%) doc/avoptions_*.texi $(RM) -r doc/doxy/html From d92a7870d74e199d143cdf1fa4606cbdef689e2c Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 5 Feb 2013 22:34:29 -0300 Subject: [PATCH 0186/1037] lavc/bink: Chech for malloc failure Based on commit 8ab2173ed141aa2c3336be7f9880340dfb8dcf5e --- libavcodec/bink.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 3e2bb71d85..9c04d05e20 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -170,7 +170,7 @@ static void init_lengths(BinkContext *c, int width, int bw) * * @param c decoder context */ -static av_cold void init_bundles(BinkContext *c) +static av_cold int init_bundles(BinkContext *c) { int bw, bh, blocks; int i; @@ -181,8 +181,12 @@ static av_cold void init_bundles(BinkContext *c) for (i = 0; i < BINKB_NB_SRC; i++) { c->bundle[i].data = av_malloc(blocks * 64); + if (!c->bundle[i].data) + return AVERROR(ENOMEM); c->bundle[i].data_end = c->bundle[i].data + blocks * 64; } + + return 0; } /** @@ -1264,7 +1268,7 @@ static av_cold int decode_init(AVCodecContext *avctx) BinkContext * const c = avctx->priv_data; static VLC_TYPE table[16 * 128][2]; static int binkb_initialised = 0; - int i; + int i, ret; int flags; c->version = avctx->codec_tag >> 24; @@ -1299,7 +1303,10 @@ static av_cold int decode_init(AVCodecContext *avctx) ff_dsputil_init(&c->dsp, avctx); ff_binkdsp_init(&c->bdsp); - init_bundles(c); + if ((ret = init_bundles(c)) < 0) { + free_bundles(c); + return ret; + } if (c->version == 'b') { if (!binkb_initialised) { 
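Review bot: init_bundles() now returns an error code, but the doc comment kept above it in the first bink.c hunk still documents only `@param c`; add `@return 0 on success, AVERROR(ENOMEM) if a bundle buffer cannot be allocated`. In the second hunk the function returns from inside the loop, so the `data` pointers of the later bundles are never assigned, and the new `free_bundles(c)` call in decode_init() is safe only if those fields start out NULL; presumably the context is zero-initialised, which should be confirmed. `blocks * 64` is an `int` multiplication whose operands are computed outside the hunk, so its range cannot be checked from here.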
From 6e8ed38fabb51c46467bed29bed75523785c883f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Feb 2013 17:33:22 +0100 Subject: [PATCH 0187/1037] aac: reconfigure output on pop Fixes Ticket1918 Signed-off-by: Michael Niedermayer (cherry picked from commit 6f77122bf5712da1d860a0ad7174181fd0bcffd9) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 6c17c337f3..d782e578a7 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -113,6 +113,10 @@ static VLC vlc_scalefactors; static VLC vlc_spectral[11]; +static int output_configure(AACContext *ac, + uint8_t layout_map[MAX_ELEM_ID*4][3], int tags, + enum OCStatus oc_type, int get_new_frame); + #define overread_err "Input buffer exhausted before END element found\n" static int count_channels(uint8_t (*layout)[3], int tags) @@ -406,6 +410,8 @@ static void pop_output_configuration(AACContext *ac) { ac->oc[1] = ac->oc[0]; ac->avctx->channels = ac->oc[1].channels; ac->avctx->channel_layout = ac->oc[1].channel_layout; + output_configure(ac, ac->oc[1].layout_map, ac->oc[1].layout_map_tags, + ac->oc[1].status, 0); } } From 3348e66e2eb37c5c25ffddd8f4129d383c1870ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Feb 2013 03:31:31 +0100 Subject: [PATCH 0188/1037] doc/APIchanges: fix odd .01 versions Signed-off-by: Michael Niedermayer (cherry picked from commit 9f16cb9e50a5a196af9244dc7d33ed193227528a) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index a75d268b33..63ae46c809 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
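Review bot: The `int` result of the output_configure() call added to pop_output_configuration() is discarded, although the forward declaration added in the first aacdec.c hunk shows that the function returns a status. pop_output_configuration() returns `void`, so at minimum a failure should be logged, e.g. `if (output_configure(...) < 0) av_log(ac->avctx, AV_LOG_WARNING, "Restoring the previous output configuration failed\n");`, or the error should be propagated to the callers, which are outside this hunk. A comment on why the output must be reconfigured after `oc[0]` is copied back would also help the next reader.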
@@ -344,19 +344,19 @@ API changes, most recent first: 2012-02-08 - 38d5533 - lavu 51.22.1 - pixdesc.h Add PIX_FMT_PSEUDOPAL flag. -2012-02-08 - 52f82a1 - lavc 54.01.0 +2012-02-08 - 52f82a1 - lavc 54.1.0 Add avcodec_encode_video2() and deprecate avcodec_encode_video(). -2012-02-01 - 316fc74 - lavc 54.01.0 +2012-02-01 - 316fc74 - lavc 54.1.0 Add av_fast_padded_malloc() as alternative for av_realloc() when aligned memory is required. The buffer will always have FF_INPUT_BUFFER_PADDING_SIZE zero-padded bytes at the end. -2012-01-31 - dd6d3b0 - lavf 54.01.0 +2012-01-31 - dd6d3b0 - lavf 54.1.0 Add avformat_get_riff_video_tags() and avformat_get_riff_audio_tags(). NOTE: this was backported to 0.8 -2012-01-31 - af08d9a - lavc 54.01.0 +2012-01-31 - af08d9a - lavc 54.1.0 Add avcodec_is_open() function. NOTE: this was backported to 0.8 From ece16d91ee43c88ca3e497e17ddc5e1a1823e06e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Feb 2013 20:32:24 +0100 Subject: [PATCH 0189/1037] apichanges: fix date Signed-off-by: Michael Niedermayer (cherry picked from commit ad6802f975a91bf6757fe3729ef8c6f10e6796b7) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/APIchanges b/doc/APIchanges index 63ae46c809..f06e64b34d 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -400,7 +400,7 @@ API changes, most recent first: 2011-10-20 - b35e9e1 - lavu 51.22.0 Add av_strtok() to avstring.h. -2011-01-03 - b73ec05 - lavu 51.21.0 +2012-01-03 - b73ec05 - lavu 51.21.0 Add av_popcount64 2011-12-18 - 8400b12 - lavc 53.28.1 From 4bde8c1369e76e856decbc42b8b6fbdd95e8d881 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Feb 2013 20:34:10 +0100 Subject: [PATCH 0190/1037] apichanges: Use , instead of / to seperate multiple hashes Signed-off-by: Michael Niedermayer (cherry picked from commit 33d6330652c088dadde163da569b1a2f6c7603c0) 
Signed-off-by: Michael Niedermayer --- doc/APIchanges | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/APIchanges b/doc/APIchanges index f06e64b34d..a109c19dae 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -240,7 +240,7 @@ API changes, most recent first: 2012-05-15 - lavfi 2.17.0 Add support for audio filters - ac71230/a2cd9be - add video/audio buffer sink in a new installed + ac71230, a2cd9be - add video/audio buffer sink in a new installed header buffersink.h 720c6b7 - add av_buffersrc_write_frame(), deprecate av_vsrc_buffer_add_frame() From 98e96652f11d014b8fb492fd9de345cd70eb516d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Feb 2013 21:13:32 +0100 Subject: [PATCH 0191/1037] apichanges: fix 2 wrong hashes Signed-off-by: Michael Niedermayer (cherry picked from commit 2f3bc5122822687dc388f7352c92cf6db456cf7c) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index a109c19dae..32705a6e3c 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -854,11 +854,11 @@ API changes, most recent first: 2011-02-10 - 12c14cd - lavf 52.99.0 - AVStream.disposition Add AV_DISPOSITION_HEARING_IMPAIRED and AV_DISPOSITION_VISUAL_IMPAIRED. -2011-02-09 - 5592734 - lavc 52.112.0 - avcodec_thread_init() +2011-02-09 - c0b102c - lavc 52.112.0 - avcodec_thread_init() Deprecate avcodec_thread_init()/avcodec_thread_free() use; instead set thread_count before calling avcodec_open. -2011-02-09 - 778b08a - lavc 52.111.0 - threading API +2011-02-09 - 37b00b4 - lavc 52.111.0 - threading API Add CODEC_CAP_FRAME_THREADS with new restrictions on get_buffer()/ release_buffer()/draw_horiz_band() callbacks for appropriate codecs. Add thread_type and active_thread_type fields to AVCodecContext. From 50ebb524cd5494b65c6b1df7996af54b4c4077d9 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 13 Feb 2013 03:32:23 +0100 Subject: [PATCH 0192/1037] doc/APIchanges: List merge commit hashes and version numbers Signed-off-by: Michael Niedermayer --- doc/APIchanges | 328 ++++++++++++++++++++++++------------------------- 1 file changed, 164 insertions(+), 164 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 32705a6e3c..8daaea3260 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
@@ -132,30 +132,30 @@ API changes, most recent first: 2012-03-26 - a67d9cf - lavfi 2.66.100 Add avfilter_fill_frame_from_{audio_,}buffer_ref() functions. -2012-12-29 - d8fd06c - lavu 52.3.0 - avstring.h +2012-12-29 - 2ce43b3 / d8fd06c - lavu 52.13.100 / 52.3.0 - avstring.h Add av_basename() and av_dirname(). -2012-11-11 - 5980f5d - lavu 52.2.0 - audioconvert.h +2012-11-11 - 03b0787 / 5980f5d - lavu 52.6.100 / 52.2.0 - audioconvert.h Rename audioconvert.h to channel_layout.h. audioconvert.h is now deprecated. -2012-11-05 - dfde8a3 - lavu 52.1.0 - intmath.h +2012-11-05 - 7d26be6 / dfde8a3 - lavu 52.5.100 / 52.1.0 - intmath.h Add av_ctz() for trailing zero bit count -2012-10-21 - a893655 - lavu 51.45.0 - error.h +2012-10-21 - e3a91c5 / a893655 - lavu 51.77.100 / 51.45.0 - error.h Add AVERROR_EXPERIMENTAL -2012-10-12 - d2fcb35 - lavu 51.44.0 - pixdesc.h +2012-10-12 - a33ed6b / d2fcb35 - lavu 51.76.100 / 51.44.0 - pixdesc.h Add functions for accessing pixel format descriptors. Accessing the av_pix_fmt_descriptors array directly is now deprecated. -2012-10-11 - 9a92aea - lavu 51.43.0 - aes.h, md5.h, sha.h, tree.h +2012-10-11 - f391e40 / 9a92aea - lavu 51.75.100 / 51.43.0 - aes.h, md5.h, sha.h, tree.h Add functions for allocating the opaque contexts for the algorithms, -2012-10-10 - b522000 - lavf 54.18.0 - avio.h +2012-10-10 - de31814 / b522000 - lavf 54.32.100 / 54.18.0 - avio.h Add avio_closep to complement avio_close. -2012-10-08 - 78071a1 - lavu 51.42.0 - pixfmt.h +2012-10-08 - ae77266 / 78071a1 - lavu 51.74.100 / 51.42.0 - pixfmt.h Rename PixelFormat to AVPixelFormat and all PIX_FMT_* to AV_PIX_FMT_*. To provide backwards compatibility, PixelFormat is now #defined as AVPixelFormat. 
@@ -163,23 +163,23 @@ API changes, most recent first: 'PixelFormat' identifier. Such code should either #undef PixelFormat or stop using the PixelFormat name. -2012-10-05 - e7ba5b1 - lavr 1.0.0 - avresample.h +2012-10-05 - 55c49af / e7ba5b1 - lavr 1.0.0 - avresample.h Data planes parameters to avresample_convert() and avresample_read() are now uint8_t** instead of void**. Libavresample is now stable. -2012-09-24 - a42aada - lavc 54.28.0 - avcodec.h +2012-09-24 - 46a3595 / a42aada - lavc 54.59.100 / 54.28.0 - avcodec.h Add avcodec_free_frame(). This function must now be used for freeing an AVFrame. -2012-09-12 - 8919fee - lavu 51.41.0 - audioconvert.h +2012-09-12 - e3e09f2 / 8919fee - lavu 51.73.100 / 51.41.0 - audioconvert.h Added AV_CH_LOW_FREQUENCY_2 channel mask value. -2012-09-04 - 686a329 - lavu 51.40.0 - opt.h +2012-09-04 - b21b5b0 / 686a329 - lavu 51.71.100 / 51.40.0 - opt.h Reordered the fields in default_val in AVOption, changed which default_val field is used for which AVOptionType. -2012-08-30 - a231832 - lavc 54.26.1 - avcodec.h +2012-08-30 - 98298eb / a231832 - lavc 54.54.101 / 54.26.1 - avcodec.h Add codec descriptor properties AV_CODEC_PROP_LOSSY and AV_CODEC_PROP_LOSSLESS. 
@@ -187,90 +187,90 @@ API changes, most recent first: Add codec descriptors for accessing codec properties without having to refer to a specific decoder or encoder. - c223d79 - Add an AVCodecDescriptor struct and functions + f5f3684 / c223d79 - Add an AVCodecDescriptor struct and functions avcodec_descriptor_get() and avcodec_descriptor_next(). - 51efed1 - Add AVCodecDescriptor.props and AV_CODEC_PROP_INTRA_ONLY. - 91e59fe - Add avcodec_descriptor_get_by_name(). + f5f3684 / 51efed1 - Add AVCodecDescriptor.props and AV_CODEC_PROP_INTRA_ONLY. + 6c180b3 / 91e59fe - Add avcodec_descriptor_get_by_name(). -2012-08-08 - 987170c - lavu 51.38 - dict.h +2012-08-08 - f5f3684 / 987170c - lavu 51.68.100 / 51.38.0 - dict.h Add av_dict_count(). -2012-08-07 - 104e10f - lavc 54.25 - avcodec.h +2012-08-07 - 7a72695 / 104e10f - lavc 54.51.100 / 54.25.0 - avcodec.h Rename CodecID to AVCodecID and all CODEC_ID_* to AV_CODEC_ID_*. To provide backwards compatibility, CodecID is now #defined as AVCodecID. Note that this can break user code that includes avcodec.h and uses the 'CodecID' identifier. Such code should either #undef CodecID or stop using the CodecID name. -2012-08-03 - 239fdf1 - lavu 51.37.1 - cpu.h +2012-08-03 - e776ee8 / 239fdf1 - lavu 51.66.101 / 51.37.1 - cpu.h lsws 2.1.1 - swscale.h Rename AV_CPU_FLAG_MMX2 ---> AV_CPU_FLAG_MMXEXT. Rename SWS_CPU_CAPS_MMX2 ---> SWS_CPU_CAPS_MMXEXT. -2012-07-29 - 681ed00 - lavf 54.13.0 - avformat.h +2012-07-29 - 7c26761 / 681ed00 - lavf 54.22.100 / 54.13.0 - avformat.h Add AVFMT_FLAG_NOBUFFER for low latency use cases. 
2012-07-10 - 5fade8a - lavu 51.37.0 Add av_malloc_array() and av_mallocz_array() -2012-06-22 - d3d3a32 - lavu 51.34.0 +2012-06-22 - e847f41 / d3d3a32 - lavu 51.61.100 / 51.34.0 Add av_usleep() -2012-06-20 - ae0a301 - lavu 51.33.0 +2012-06-20 - 4da42eb / ae0a301 - lavu 51.60.100 / 51.33.0 Move av_gettime() to libavutil, add libavutil/time.h -2012-06-09 - 3971be0 - lavr 0.0.3 +2012-06-09 - 82edf67 / 3971be0 - lavr 0.0.3 Add a parameter to avresample_build_matrix() for Dolby/DPLII downmixing. -2012-06-12 - 9baeff9 - lavfi 2.23.0 - avfilter.h +2012-06-12 - c7b9eab / 9baeff9 - lavfi 2.79.100 / 2.23.0 - avfilter.h Add AVFilterContext.nb_inputs/outputs. Deprecate AVFilterContext.input/output_count. -2012-06-12 - 84b9fbe - lavfi 2.22.0 - avfilter.h +2012-06-12 - c7b9eab / 84b9fbe - lavfi 2.79.100 / 2.22.0 - avfilter.h Add avfilter_pad_get_type() and avfilter_pad_get_name(). Those should now be used instead of accessing AVFilterPad members directly. -2012-06-12 - b0f0dfc - lavu 51.32.0 - audioconvert.h +2012-06-12 - 3630a07 / b0f0dfc - lavu 51.57.100 / 51.32.0 - audioconvert.h Add av_get_channel_layout_channel_index(), av_get_channel_name() and av_channel_layout_extract_channel(). 
-2012-05-25 - 154486f - lavu 51.31.0 - opt.h +2012-05-25 - 53ce990 / 154486f - lavu 51.55.100 / 51.31.0 - opt.h Add av_opt_set_bin() -2012-05-15 - lavfi 2.17.0 +2012-05-15 - lavfi 2.74.100 / 2.17.0 Add support for audio filters - ac71230, a2cd9be - add video/audio buffer sink in a new installed + 61930bd / ac71230, 1cbf7fb / a2cd9be - add video/audio buffer sink in a new installed header buffersink.h - 720c6b7 - add av_buffersrc_write_frame(), deprecate + 1cbf7fb / 720c6b7 - add av_buffersrc_write_frame(), deprecate av_vsrc_buffer_add_frame() - ab16504 - add avfilter_copy_buf_props() - 9453c9e - add extended_data to AVFilterBuffer - 1b8c927 - add avfilter_get_audio_buffer_ref_from_arrays() + 61930bd / ab16504 - add avfilter_copy_buf_props() + 61930bd / 9453c9e - add extended_data to AVFilterBuffer + 61930bd / 1b8c927 - add avfilter_get_audio_buffer_ref_from_arrays() -2012-05-09 - lavu 51.30.0 - samplefmt.h - 142e740 - add av_samples_copy() - 6d7f617 - add av_samples_set_silence() +2012-05-09 - lavu 51.53.100 / 51.30.0 - samplefmt.h + 61930bd / 142e740 - add av_samples_copy() + 61930bd / 6d7f617 - add av_samples_set_silence() -2012-05-09 - a5117a2 - lavc 54.13.1 +2012-05-09 - 61930bd / a5117a2 - lavc 54.21.101 / 54.13.1 For audio formats with fixed frame size, the last frame no longer needs to be padded with silence, libavcodec will handle this internally (effectively all encoders behave as if they had CODEC_CAP_SMALL_LAST_FRAME set). -2012-05-07 - 828bd08 - lavc 54.13.0 - avcodec.h +2012-05-07 - 653d117 / 828bd08 - lavc 54.20.100 / 54.13.0 - avcodec.h Add sample_rate and channel_layout fields to AVFrame. -2012-05-01 - 4010d72 - lavr 0.0.1 +2012-05-01 - 2330eb1 / 4010d72 - lavr 0.0.1 Change AV_MIX_COEFF_TYPE_Q6 to AV_MIX_COEFF_TYPE_Q8. 
-2012-04-25 - 3527a73 - lavu 51.29.0 - cpu.h +2012-04-25 - e890b68 / 3527a73 - lavu 51.48.100 / 51.29.0 - cpu.h Add av_parse_cpu_flags() -2012-04-24 - c8af852 - lavr 0.0.0 +2012-04-24 - 3ead79e / c8af852 - lavr 0.0.0 Add libavresample audio conversion library -2012-04-20 - 0c0d1bc - lavu 51.28.0 - audio_fifo.h +2012-04-20 - 3194ab7 / 0c0d1bc - lavu 51.47.100 / 51.28.0 - audio_fifo.h Add audio FIFO functions: av_audio_fifo_free() av_audio_fifo_alloc() @@ -282,10 +282,10 @@ API changes, most recent first: av_audio_fifo_size() av_audio_fifo_space() -2012-04-14 - lavfi 2.16.0 - avfiltergraph.h - d7bcc71 Add avfilter_graph_parse2(). +2012-04-14 - lavfi 2.70.100 / 2.16.0 - avfiltergraph.h + 7432bcf / d7bcc71 Add avfilter_graph_parse2(). -2012-04-08 - 4d693b0 - lavu 51.27.0 - samplefmt.h +2012-04-08 - 6bfb304 / 4d693b0 - lavu 51.46.100 / 51.27.0 - samplefmt.h Add av_get_packed_sample_fmt() and av_get_planar_sample_fmt() 2012-03-21 - b75c67d - lavu 51.43.100 
@@ -313,73 +313,73 @@ API changes, most recent first: 2012-01-24 - 0c3577b - lavfi 2.60.100 Add avfilter_graph_dump. -2012-03-20 - 3c90cc2 - lavfo 54.2.0 +2012-03-20 - 0ebd836 / 3c90cc2 - lavfo 54.2.0 Deprecate av_read_packet(), use av_read_frame() with AVFMT_FLAG_NOPARSE | AVFMT_FLAG_NOFILLIN in AVFormatContext.flags -2012-03-05 - lavc 54.8.0 - 6699d07 Add av_get_exact_bits_per_sample() - 9524cf7 Add av_get_audio_frame_duration() +2012-03-05 - lavc 54.10.100 / 54.8.0 + f095391 / 6699d07 Add av_get_exact_bits_per_sample() + f095391 / 9524cf7 Add av_get_audio_frame_duration() -2012-03-04 - 44fe77b - lavc 54.7.0 - avcodec.h +2012-03-04 - 2af8f2c / 44fe77b - lavc 54.8.100 / 54.7.0 - avcodec.h Add av_codec_is_encoder/decoder(). -2012-03-01 - 442c132 - lavc 54.3.0 - avcodec.h +2012-03-01 - 1eb7f39 / 442c132 - lavc 54.5.100 / 54.3.0 - avcodec.h Add av_packet_shrink_side_data. -2012-02-29 - dd2a4bc - lavf 54.2.0 - avformat.h +2012-02-29 - 79ae084 / dd2a4bc - lavf 54.2.100 / 54.2.0 - avformat.h Add AVStream.attached_pic and AV_DISPOSITION_ATTACHED_PIC, used for dealing with attached pictures/cover art. -2012-02-25 - c9bca80 - lavu 51.24.0 - error.h +2012-02-25 - 305e4b3 / c9bca80 - lavu 51.41.100 / 51.24.0 - error.h Add AVERROR_UNKNOWN NOTE: this was backported to 0.8 -2012-02-20 - e9cda85 - lavc 54.2.0 +2012-02-20 - eadd426 / e9cda85 - lavc 54.2.100 / 54.2.0 Add duration field to AVCodecParserContext -2012-02-20 - 0b42a93 - lavu 51.23.1 - mathematics.h +2012-02-20 - eadd426 / 0b42a93 - lavu 51.40.100 / 51.23.1 - mathematics.h Add av_rescale_q_rnd() -2012-02-08 - 38d5533 - lavu 51.22.1 - pixdesc.h +2012-02-08 - f2b20b7 / 38d5533 - lavu 51.38.101 / 51.22.1 - pixdesc.h Add PIX_FMT_PSEUDOPAL flag. -2012-02-08 - 52f82a1 - lavc 54.1.0 +2012-02-08 - f2b20b7 / 52f82a1 - lavc 54.2.100 / 54.1.0 Add avcodec_encode_video2() and deprecate avcodec_encode_video(). 
-2012-02-01 - 316fc74 - lavc 54.1.0 +2012-02-01 - 4c677df / 316fc74 - lavc 54.1.0 Add av_fast_padded_malloc() as alternative for av_realloc() when aligned memory is required. The buffer will always have FF_INPUT_BUFFER_PADDING_SIZE zero-padded bytes at the end. -2012-01-31 - dd6d3b0 - lavf 54.1.0 +2012-01-31 - a369a6b / dd6d3b0 - lavf 54.1.0 Add avformat_get_riff_video_tags() and avformat_get_riff_audio_tags(). NOTE: this was backported to 0.8 -2012-01-31 - af08d9a - lavc 54.1.0 +2012-01-31 - a369a6b / af08d9a - lavc 54.1.0 Add avcodec_is_open() function. NOTE: this was backported to 0.8 -2012-01-30 - 8b93312 - lavu 51.22.0 - intfloat.h +2012-01-30 - 151ecc2 / 8b93312 - lavu 51.36.100 / 51.22.0 - intfloat.h Add a new installed header libavutil/intfloat.h with int/float punning functions. NOTE: this was backported to 0.8 -2012-01-25 - lavf 53.22.0 - f1caf01 Allow doing av_write_frame(ctx, NULL) for flushing possible +2012-01-25 - lavf 53.31.100 / 53.22.0 + 3c5fe5b / f1caf01 Allow doing av_write_frame(ctx, NULL) for flushing possible buffered data within a muxer. Added AVFMT_ALLOW_FLUSH for muxers supporting it (av_write_frame makes sure it is called only for muxers with this flag). -2012-01-15 - lavc 53.34.0 +2012-01-15 - lavc 53.56.105 / 53.34.0 New audio encoding API: - b2c75b6 Add CODEC_CAP_VARIABLE_FRAME_SIZE capability for use by audio + 67f5650 / b2c75b6 Add CODEC_CAP_VARIABLE_FRAME_SIZE capability for use by audio encoders. - 5ee5fa0 Add avcodec_fill_audio_frame() as a convenience function. - b2c75b6 Add avcodec_encode_audio2() and deprecate avcodec_encode_audio(). + 67f5650 / 5ee5fa0 Add avcodec_fill_audio_frame() as a convenience function. + 67f5650 / b2c75b6 Add avcodec_encode_audio2() and deprecate avcodec_encode_audio(). Add AVCodec.encode2(). -2012-01-12 - 3167dc9 - lavfi 2.15.0 +2012-01-12 - b18e17e / 3167dc9 - lavfi 2.59.100 / 2.15.0 Add a new installed header -- libavfilter/version.h -- with version macros. 2011-12-08 - a502939 - lavfi 2.52.0 
@@ -400,37 +400,37 @@ API changes, most recent first: 2011-10-20 - b35e9e1 - lavu 51.22.0 Add av_strtok() to avstring.h. -2012-01-03 - b73ec05 - lavu 51.21.0 +2012-01-03 - ad1c8dd / b73ec05 - lavu 51.34.100 / 51.21.0 Add av_popcount64 -2011-12-18 - 8400b12 - lavc 53.28.1 +2011-12-18 - 7c29313 / 8400b12 - lavc 53.46.1 / 53.28.1 Deprecate AVFrame.age. The field is unused. -2011-12-12 - 5266045 - lavf 53.17.0 +2011-12-12 - 8bc7fe4 / 5266045 - lavf 53.25.0 / 53.17.0 Add avformat_close_input(). Deprecate av_close_input_file() and av_close_input_stream(). -2011-12-02 - 0eea212 - lavc 53.25.0 +2011-12-02 - e4de716 / 0eea212 - lavc 53.40.0 / 53.25.0 Add nb_samples and extended_data fields to AVFrame. Deprecate AVCODEC_MAX_AUDIO_FRAME_SIZE. Deprecate avcodec_decode_audio3() in favor of avcodec_decode_audio4(). avcodec_decode_audio4() writes output samples to an AVFrame, which allows audio decoders to use get_buffer(). -2011-12-04 - 560f773 - lavc 53.24.0 +2011-12-04 - e4de716 / 560f773 - lavc 53.40.0 / 53.24.0 Change AVFrame.data[4]/base[4]/linesize[4]/error[4] to [8] at next major bump. Change AVPicture.data[4]/linesize[4] to [8] at next major bump. Change AVCodecContext.error[4] to [8] at next major bump. Add AV_NUM_DATA_POINTERS to simplify the bump transition. -2011-11-23 - bbb46f3 - lavu 51.18.0 +2011-11-23 - 8e576d5 / bbb46f3 - lavu 51.27.0 / 51.18.0 Add av_samples_get_buffer_size(), av_samples_fill_arrays(), and av_samples_alloc(), to samplefmt.h. -2011-11-23 - 8889cc4 - lavu 51.17.0 +2011-11-23 - 8e576d5 / 8889cc4 - lavu 51.27.0 / 51.17.0 Add planar sample formats and av_sample_fmt_is_planar() to samplefmt.h. -2011-11-19 - f3a29b7 - lavc 53.21.0 +2011-11-19 - dbb38bc / f3a29b7 - lavc 53.36.0 / 53.21.0 Move some AVCodecContext fields to a new private struct, AVCodecInternal, which is accessed from a new field, AVCodecContext.internal. - fields moved: 
@@ -438,55 +438,55 @@ API changes, most recent first: AVCodecContext.internal_buffer_count --> AVCodecInternal.buffer_count AVCodecContext.is_copy --> AVCodecInternal.is_copy -2011-11-16 - 6270671 - lavu 51.16.0 +2011-11-16 - 8709ba9 / 6270671 - lavu 51.26.0 / 51.16.0 Add av_timegm() -2011-11-13 - lavf 53.15.0 +2011-11-13 - lavf 53.21.0 / 53.15.0 New interrupt callback API, allowing per-AVFormatContext/AVIOContext interrupt callbacks. - 6aa0b98 Add AVIOInterruptCB struct and the interrupt_callback field to + 5f268ca / 6aa0b98 Add AVIOInterruptCB struct and the interrupt_callback field to AVFormatContext. - 1dee0ac Add avio_open2() with additional parameters. Those are + 5f268ca / 1dee0ac Add avio_open2() with additional parameters. Those are an interrupt callback and an options AVDictionary. This will allow passing AVOptions to protocols after lavf 54.0. -2011-11-06 - ba04ecf - lavu 51.14.0 +2011-11-06 - 13b7781 / ba04ecf - lavu 51.24.0 / 51.14.0 Add av_strcasecmp() and av_strncasecmp() to avstring.h. -2011-11-06 - 07b172f - lavu 51.13.0 +2011-11-06 - 13b7781 / 07b172f - lavu 51.24.0 / 51.13.0 Add av_toupper()/av_tolower() -2011-11-05 - b6d08f4 - lavf 53.13.0 +2011-11-05 - d8cab5c / b6d08f4 - lavf 53.19.0 / 53.13.0 Add avformat_network_init()/avformat_network_deinit() -2011-10-27 - 512557b - lavc 53.15.0 +2011-10-27 - 6faf0a2 / 512557b - lavc 53.24.0 / 53.15.0 Remove avcodec_parse_frame. Deprecate AVCodecContext.parse_only and CODEC_CAP_PARSE_ONLY. -2011-10-19 - 569129a - lavf 53.10.0 +2011-10-19 - d049257 / 569129a - lavf 53.17.0 / 53.10.0 Add avformat_new_stream(). Deprecate av_new_stream(). -2011-10-13 - b631fba - lavf 53.9.0 +2011-10-13 - 91eb1b1 / b631fba - lavf 53.16.0 / 53.9.0 Add AVFMT_NO_BYTE_SEEK AVInputFormat flag. -2011-10-12 - lavu 51.12.0 +2011-10-12 - lavu 51.21.0 / 51.12.0 AVOptions API rewrite. 
- - 145f741 FF_OPT_TYPE* renamed to AV_OPT_TYPE_* + - f884ef0 / 145f741 FF_OPT_TYPE* renamed to AV_OPT_TYPE_* - new setting/getting functions with slightly different semantics: - dac66da av_set_string3 -> av_opt_set + f884ef0 / dac66da av_set_string3 -> av_opt_set av_set_double -> av_opt_set_double av_set_q -> av_opt_set_q av_set_int -> av_opt_set_int - 41d9d51 av_get_string -> av_opt_get + f884ef0 / 41d9d51 av_get_string -> av_opt_get av_get_double -> av_opt_get_double av_get_q -> av_opt_get_q av_get_int -> av_opt_get_int - - 8c5dcaa trivial rename av_next_option -> av_opt_next - - 641c7af new functions - av_opt_child_next, av_opt_child_class_next + - f884ef0 / 8c5dcaa trivial rename av_next_option -> av_opt_next + - f884ef0 / 641c7af new functions - av_opt_child_next, av_opt_child_class_next and av_opt_find2() 2011-09-22 - a70e787 - lavu 51.17.0 
@@ -532,31 +532,31 @@ API changes, most recent first: 2011-08-20 - 69e2c1a - lavu 51.13.0 Add av_get_media_type_string(). -2011-09-03 - fb4ca26 - lavc 53.13.0 +2011-09-03 - 1889c67 / fb4ca26 - lavc 53.13.0 lavf 53.11.0 lsws 2.1.0 Add {avcodec,avformat,sws}_get_class(). -2011-08-03 - c11fb82 - lavu 51.15.0 +2011-08-03 - 1889c67 / c11fb82 - lavu 51.15.0 Add AV_OPT_SEARCH_FAKE_OBJ flag for av_opt_find() function. 2011-08-14 - 323b930 - lavu 51.12.0 Add av_fifo_peek2(), deprecate av_fifo_peek(). -2011-08-26 - lavu 51.9.0 - - add41de..abc78a5 Do not include intfloat_readwrite.h, +2011-08-26 - lavu 51.14.0 / 51.9.0 + - 976a8b2 / add41de..976a8b2 / abc78a5 Do not include intfloat_readwrite.h, mathematics.h, rational.h, pixfmt.h, or log.h from avutil.h. -2011-08-16 - 48f9e45 - lavf 53.8.0 +2011-08-16 - 27fbe31 / 48f9e45 - lavf 53.11.0 / 53.8.0 Add avformat_query_codec(). -2011-08-16 - bca06e7 - lavc 53.11.0 +2011-08-16 - 27fbe31 / bca06e7 - lavc 53.11.0 Add avcodec_get_type(). -2011-08-06 - 2f63440 - lavf 53.7.0 +2011-08-06 - 0cb233c / 2f63440 - lavf 53.7.0 Add error_recognition to AVFormatContext. -2011-08-02 - 9d39cbf - lavc 53.9.1 +2011-08-02 - 1d186e9 / 9d39cbf - lavc 53.9.1 Add AV_PKT_FLAG_CORRUPT AVPacket flag. 2011-07-16 - b57df29 - lavfi 2.27.0 @@ -567,11 +567,11 @@ API changes, most recent first: avfilter_set_common_packing_formats() avfilter_all_packing_formats() -2011-07-10 - a67c061 - lavf 53.6.0 +2011-07-10 - 3602ad7 / a67c061 - lavf 53.6.0 Add avformat_find_stream_info(), deprecate av_find_stream_info(). NOTE: this was backported to 0.7 -2011-07-10 - 0b950fe - lavc 53.8.0 +2011-07-10 - 3602ad7 / 0b950fe - lavc 53.8.0 Add avcodec_open2(), deprecate avcodec_open(). NOTE: this was backported to 0.7 
@@ -614,35 +614,35 @@ API changes, most recent first: 2011-06-12 - 6119b23 - lavfi 2.16.0 - avfilter_graph_parse() Change avfilter_graph_parse() signature. -2011-06-23 - 67e9ae1 - lavu 51.8.0 - attributes.h +2011-06-23 - 686959e / 67e9ae1 - lavu 51.10.0 / 51.8.0 - attributes.h Add av_printf_format(). -2011-06-16 - 05e84c9, 25de595 - lavf 53.2.0 - avformat.h +2011-06-16 - 2905e3f / 05e84c9, 2905e3f / 25de595 - lavf 53.4.0 / 53.2.0 - avformat.h Add avformat_open_input and avformat_write_header(). Deprecate av_open_input_stream, av_open_input_file, AVFormatParameters and av_write_header. -2011-06-16 - 7e83e1c, dc59ec5 - lavu 51.7.0 - opt.h +2011-06-16 - 2905e3f / 7e83e1c, 2905e3f / dc59ec5 - lavu 51.9.0 / 51.7.0 - opt.h Add av_opt_set_dict() and av_opt_find(). Deprecate av_find_opt(). Add AV_DICT_APPEND flag. -2011-06-10 - cb7c11c - lavu 51.6.0 - opt.h +2011-06-10 - 45fb647 / cb7c11c - lavu 51.6.0 - opt.h Add av_opt_flag_is_set(). 2011-06-10 - c381960 - lavfi 2.15.0 - avfilter_get_audio_buffer_ref_from_arrays Add avfilter_get_audio_buffer_ref_from_arrays() to avfilter.h. -2011-06-09 - d9f80ea - lavu 51.8.0 - AVMetadata +2011-06-09 - f9ecb84 / d9f80ea - lavu 51.8.0 - AVMetadata Move AVMetadata from lavf to lavu and rename it to AVDictionary -- new installed header dict.h. All av_metadata_* functions renamed to av_dict_*. -2011-06-07 - a6703fa - lavu 51.8.0 - av_get_bytes_per_sample() +2011-06-07 - d552f61 / a6703fa - lavu 51.8.0 - av_get_bytes_per_sample() Add av_get_bytes_per_sample() in libavutil/samplefmt.h. Deprecate av_get_bits_per_sample_fmt(). -2011-06-05 - b39b062 - lavu 51.8.0 - opt.h +2011-06-05 - f956924 / b39b062 - lavu 51.8.0 - opt.h Add av_opt_free convenience function. 2011-06-06 - 95a0242 - lavfi 2.14.0 - AVFilterBufferRefAudioProps 
@@ -672,7 +672,7 @@ API changes, most recent first: Add av_get_pix_fmt_name() in libavutil/pixdesc.h, and deprecate avcodec_get_pix_fmt_name() in libavcodec/avcodec.h in its favor. -2011-05-25 - 30315a8 - lavf 53.3.0 - avformat.h +2011-05-25 - 39e4206 / 30315a8 - lavf 53.3.0 - avformat.h Add fps_probe_size to AVFormatContext. 2011-05-22 - 5ecdfd0 - lavf 53.2.0 - avformat.h @@ -688,10 +688,10 @@ API changes, most recent first: 2011-05-14 - 9fdf772 - lavfi 2.6.0 - avcodec.h Add avfilter_get_video_buffer_ref_from_frame() to libavfilter/avcodec.h. -2011-05-18 - 64150ff - lavc 53.7.0 - AVCodecContext.request_sample_fmt +2011-05-18 - 75a37b5 / 64150ff - lavc 53.7.0 - AVCodecContext.request_sample_fmt Add request_sample_fmt field to AVCodecContext. -2011-05-10 - 188dea1 - lavc 53.6.0 - avcodec.h +2011-05-10 - 59eb12f / 188dea1 - lavc 53.6.0 - avcodec.h Deprecate AVLPCType and the following fields in AVCodecContext: lpc_coeff_precision, prediction_order_method, min_partition_order, max_partition_order, lpc_type, lpc_passes. 
@@ -721,81 +721,81 @@ API changes, most recent first: Add av_dynarray_add function for adding an element to a dynamic array. -2011-04-26 - bebe72f - lavu 51.1.0 - avutil.h +2011-04-26 - d7e5aeb / bebe72f - lavu 51.1.0 - avutil.h Add AVPictureType enum and av_get_picture_type_char(), deprecate FF_*_TYPE defines and av_get_pict_type_char() defined in libavcodec/avcodec.h. -2011-04-26 - 10d3940 - lavfi 2.3.0 - avfilter.h +2011-04-26 - d7e5aeb / 10d3940 - lavfi 2.3.0 - avfilter.h Add pict_type and key_frame fields to AVFilterBufferRefVideo. -2011-04-26 - 7a11c82 - lavfi 2.2.0 - vsrc_buffer +2011-04-26 - d7e5aeb / 7a11c82 - lavfi 2.2.0 - vsrc_buffer Add sample_aspect_ratio fields to vsrc_buffer arguments -2011-04-21 - 94f7451 - lavc 53.1.0 - avcodec.h +2011-04-21 - 8772156 / 94f7451 - lavc 53.1.0 - avcodec.h Add CODEC_CAP_SLICE_THREADS for codecs supporting sliced threading. 2011-04-15 - lavc 52.120.0 - avcodec.h AVPacket structure got additional members for passing side information: - 4de339e introduce side information for AVPacket - 2d8591c make containers pass palette change in AVPacket + c407984 / 4de339e introduce side information for AVPacket + c407984 / 2d8591c make containers pass palette change in AVPacket 2011-04-12 - lavf 52.107.0 - avio.h Avio cleanup, part II - deprecate the entire URLContext API: - 175389c add avio_check as a replacement for url_exist - ff1ec0c add avio_pause and avio_seek_time as replacements + c55780d / 175389c add avio_check as a replacement for url_exist + 9891004 / ff1ec0c add avio_pause and avio_seek_time as replacements for _av_url_read_fseek/fpause - cdc6a87 deprecate av_protocol_next(), avio_enum_protocols + d4d0932 / cdc6a87 deprecate av_protocol_next(), avio_enum_protocols should be used instead. - 80c6e23 rename url_set_interrupt_cb->avio_set_interrupt_cb. - f87b1b3 rename open flags: URL_* -> AVIO_* - f8270bb add avio_enum_protocols. - 5593f03 deprecate URLProtocol. - c486dad deprecate URLContext. 
- 026e175 deprecate the typedef for URLInterruptCB - 8e76a19 deprecate av_register_protocol2. - b840484 deprecate URL_PROTOCOL_FLAG_NESTED_SCHEME - 1305d93 deprecate av_url_read_seek - fa104e1 deprecate av_url_read_pause - 727c7aa deprecate url_get_filename(). - 5958df3 deprecate url_max_packet_size(). - 1869ea0 deprecate url_get_file_handle(). - 32a97d4 deprecate url_filesize(). - e52a914 deprecate url_close(). - 58a48c6 deprecate url_seek(). - 925e908 deprecate url_write(). - dce3756 deprecate url_read_complete(). - bc371ac deprecate url_read(). - 0589da0 deprecate url_open(). - 62eaaea deprecate url_connect. - 5652bb9 deprecate url_alloc. - 333e894 deprecate url_open_protocol - e230705 deprecate url_poll and URLPollEntry + c88caa5 / 80c6e23 rename url_set_interrupt_cb->avio_set_interrupt_cb. + c88caa5 / f87b1b3 rename open flags: URL_* -> AVIO_* + d4d0932 / f8270bb add avio_enum_protocols. + d4d0932 / 5593f03 deprecate URLProtocol. + d4d0932 / c486dad deprecate URLContext. + d4d0932 / 026e175 deprecate the typedef for URLInterruptCB + c88caa5 / 8e76a19 deprecate av_register_protocol2. + 11d7841 / b840484 deprecate URL_PROTOCOL_FLAG_NESTED_SCHEME + 11d7841 / 1305d93 deprecate av_url_read_seek + 11d7841 / fa104e1 deprecate av_url_read_pause + 434f248 / 727c7aa deprecate url_get_filename(). + 434f248 / 5958df3 deprecate url_max_packet_size(). + 434f248 / 1869ea0 deprecate url_get_file_handle(). + 434f248 / 32a97d4 deprecate url_filesize(). + 434f248 / e52a914 deprecate url_close(). + 434f248 / 58a48c6 deprecate url_seek(). + 434f248 / 925e908 deprecate url_write(). + 434f248 / dce3756 deprecate url_read_complete(). + 434f248 / bc371ac deprecate url_read(). + 434f248 / 0589da0 deprecate url_open(). + 434f248 / 62eaaea deprecate url_connect. + 434f248 / 5652bb9 deprecate url_alloc. 
+ 434f248 / 333e894 deprecate url_open_protocol + 434f248 / e230705 deprecate url_poll and URLPollEntry 2011-04-08 - lavf 52.106.0 - avformat.h Minor avformat.h cleanup: - a9bf9d8 deprecate av_guess_image2_codec - c3675df rename avf_sdp_create->av_sdp_create + d4d0932 / a9bf9d8 deprecate av_guess_image2_codec + d4d0932 / c3675df rename avf_sdp_create->av_sdp_create 2011-04-03 - lavf 52.105.0 - avio.h Large-scale renaming/deprecating of AVIOContext-related functions: - 724f6a0 deprecate url_fdopen - 403ee83 deprecate url_open_dyn_packet_buf - 6dc7d80 rename url_close_dyn_buf -> avio_close_dyn_buf - b92c545 rename url_open_dyn_buf -> avio_open_dyn_buf - 8978fed introduce an AVIOContext.seekable field as a replacement for + 2cae980 / 724f6a0 deprecate url_fdopen + 2cae980 / 403ee83 deprecate url_open_dyn_packet_buf + 2cae980 / 6dc7d80 rename url_close_dyn_buf -> avio_close_dyn_buf + 2cae980 / b92c545 rename url_open_dyn_buf -> avio_open_dyn_buf + 2cae980 / 8978fed introduce an AVIOContext.seekable field as a replacement for AVIOContext.is_streamed and url_is_streamed() - b64030f deprecate get_checksum() - 4c4427a deprecate init_checksum() - 4ec153b deprecate udp_set_remote_url/get_local_port - 933e90a deprecate av_url_read_fseek/fpause - 8d9769a deprecate url_fileno - b7f2fdd rename put_flush_packet -> avio_flush - 35f1023 deprecate url_close_buf - 83fddae deprecate url_open_buf - d9d86e0 rename url_fprintf -> avio_printf - 59f65d9 deprecate url_setbufsize - 3e68b3b deprecate url_ferror + 1caa412 / b64030f deprecate get_checksum() + 1caa412 / 4c4427a deprecate init_checksum() + 2fd41c9 / 4ec153b deprecate udp_set_remote_url/get_local_port + 4fa0e24 / 933e90a deprecate av_url_read_fseek/fpause + 4fa0e24 / 8d9769a deprecate url_fileno + 0fecf26 / b7f2fdd rename put_flush_packet -> avio_flush + 0fecf26 / 35f1023 deprecate url_close_buf + 0fecf26 / 83fddae deprecate url_open_buf + 0fecf26 / d9d86e0 rename url_fprintf -> avio_printf + 0fecf26 / 59f65d9 deprecate 
url_setbufsize + 6947b0c / 3e68b3b deprecate url_ferror e8bb2e2 deprecate url_fget_max_packet_size 76aa876 rename url_fsize -> avio_size e519753 deprecate url_fgetc @@ -816,7 +816,7 @@ API changes, most recent first: b3db9ce deprecate get_partial_buffer 8d9ac96 rename av_alloc_put_byte -> avio_alloc_context -2011-03-25 - 34b47d7 - lavc 52.115.0 - AVCodecContext.audio_service_type +2011-03-25 - 27ef7b1 / 34b47d7 - lavc 52.115.0 - AVCodecContext.audio_service_type Add audio_service_type field to AVCodecContext. 2011-03-17 - e309fdc - lavu 50.40.0 - pixfmt.h From 73d6f4651e64846c9a279357c158a32c6ffbd4f7 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 20 Feb 2013 11:41:20 -0500 Subject: [PATCH 0193/1037] ac3dec: validate channel output mode against channel count Damaged frames can lead to a mismatch, which can cause a segfault due to using an incorrect channel mapping. CC:libav-stable@libav.org (cherry picked from commit d7c450436fcb9d3ecf59884a574e7684183e753d) Conflicts: libavcodec/ac3dec.c --- libavcodec/ac3dec.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index f15bfa2a07..0d1ba89de5 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1336,8 +1336,10 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, if (!err) { avctx->sample_rate = s->sample_rate; avctx->bit_rate = s->bit_rate; + } - /* channel config */ + /* channel config */ + if (!err || (s->channels && s->out_channels != s->channels)) { s->out_channels = s->channels; s->output_mode = s->channel_mode; if (s->lfe_on) 
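Review bot: The new condition `!err || (s->channels && s->out_channels != s->channels)` in ac3_decode_frame() has no comment saying why the channel setup now also runs on a frame flagged as erroneous, and the unchanged `/* channel config */` line does not cover it. I would extend that comment to `/* channel config; also redone after an error when out_channels no longer matches the parsed channel count, so a stale channel mapping is never used */`. On that path `s->channel_mode` and `s->lfe_on` are copied from a frame that was just flagged as bad, so it is worth confirming in the header parser that they always stay consistent with `s->channels`. The block opened here is closed in the next hunk (`@@ -1356,18 +1358,18 @@`), and the function continues outside both.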
@@ -1356,18 +1358,18 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, s->fbw_channels == s->out_channels)) { set_downmix_coeffs(s); } - } else if (!s->out_channels) { - s->out_channels = avctx->channels; - if (s->out_channels < s->channels) - s->output_mode = s->out_channels == 1 ? AC3_CHMODE_MONO : AC3_CHMODE_STEREO; + } else if (!s->channels) { + av_log(avctx, AV_LOG_ERROR, "unable to determine channel mode\n"); + return AVERROR_INVALIDDATA; } + avctx->channels = s->out_channels; + /* set audio service type based on bitstream mode for AC-3 */ avctx->audio_service_type = s->bitstream_mode; if (s->bitstream_mode == 0x7 && s->channels > 1) avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE; /* get output buffer */ - avctx->channels = s->out_channels; s->frame.nb_samples = s->num_blocks * 256; if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); From 37e99e384e37364fca13dc6a70111adb1c356fa2 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 24 Feb 2013 12:30:30 +0100 Subject: [PATCH 0194/1037] vorbisdec: Add missing checks Rate and order must not be 0 even if the specification does not say that explicitly. (cherry picked from commit 5b47c19bfda92273ae49e83db26a565afcaed80a) Signed-off-by: Reinhard Tartler --- libavcodec/vorbisdec.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index aac9019ed6..4b87ef96a4 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
@@ -585,7 +585,17 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) floor_setup->decode = vorbis_floor0_decode; floor_setup->data.t0.order = get_bits(gb, 8); + if (!floor_setup->data.t0.order) { + av_log(vc->avccontext, AV_LOG_ERROR, + "Floor 0 order is 0.\n"); + return AVERROR_INVALIDDATA; + } floor_setup->data.t0.rate = get_bits(gb, 16); + if (!floor_setup->data.t0.rate) { + av_log(vc->avccontext, AV_LOG_ERROR, + "Floor 0 rate is 0.\n"); + return AVERROR_INVALIDDATA; + } floor_setup->data.t0.bark_map_size = get_bits(gb, 16); floor_setup->data.t0.amplitude_bits = get_bits(gb, 6); /* zero would result in a div by zero later * From 494ddd377ada76ed555f7a3f49391455daa099c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Jan 2013 00:54:12 +0100 Subject: [PATCH 0195/1037] vorbisdec: Error on bark_map_size equal to 0. The value is used to calculate output LSP curve and a division by zero and out of array accesses would occur. CVE-2013-0894 CC: libav-stable@libav.org Reported-by: Dale Curtis Found-by: inferno@chromium.org Signed-off-by: Michael Niedermayer Signed-off-by: Luca Barbato (cherry picked from commit 11dcecfcca0eca1a571792c4fa3c21fb2cfddddc) Signed-off-by: Reinhard Tartler --- libavcodec/vorbisdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 4b87ef96a4..cfa89be26c 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -597,6 +597,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) return AVERROR_INVALIDDATA; } floor_setup->data.t0.bark_map_size = get_bits(gb, 16); + if (floor_setup->data.t0.bark_map_size == 0) { + av_log(vc->avccontext, AV_LOG_ERROR, + "Floor 0 bark map size is 0.\n"); + return AVERROR_INVALIDDATA; + } floor_setup->data.t0.amplitude_bits = get_bits(gb, 6); /* zero would result in a div by zero later * * 2^0 - 1 == 0 */ From c6c4dc69354f72376708ded9bb56af4a58082f1d Mon Sep 17 00:00:00 2001 
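Review bot: None of the three zero checks added to vorbis_parse_setup_hdr_floors() says in the code why zero is rejected: order and rate in this hunk, bark_map_size in the `@@ -597,6 +597,11 @@` hunk of the following patch. The amplitude_bits check just below them does carry a comment about the later division, but here the reason is only in the commit messages. I would add one line above each check, e.g. `/* the specification does not say so explicitly, but order must not be 0 */` and `/* a zero bark_map_size leads to a division by zero and out-of-array accesses when the LSP curve is computed */`. The checks also mix `!x` and `== 0`; one form throughout would read better. The function starts and ends outside both hunks, so whether state allocated earlier in the setup parse is released on these early returns cannot be seen from here.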
From: Luca Barbato Date: Sun, 24 Feb 2013 16:56:15 +0100 Subject: [PATCH 0196/1037] vorbisdec: Accept 0 amplitude_bits The specification does not prevent an encoder to write the amplitude 0 as 0 amplitude_bits. Our get_bits() implementation might not support a zero sized read properly, thus the additional branch. (cherry picked from commit 23bd9ef4b209c789d5473d75f89a2e411d343d80) Conflicts: libavcodec/vorbisdec.c --- libavcodec/vorbisdec.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index cfa89be26c..884cd5bb45 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -603,13 +603,6 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) return AVERROR_INVALIDDATA; } floor_setup->data.t0.amplitude_bits = get_bits(gb, 6); - /* zero would result in a div by zero later * - * 2^0 - 1 == 0 */ - if (floor_setup->data.t0.amplitude_bits == 0) { - av_log(vc->avccontext, AV_LOG_ERROR, - "Floor 0 amplitude bits is 0.\n"); - return AVERROR_INVALIDDATA; - } floor_setup->data.t0.amplitude_offset = get_bits(gb, 8); floor_setup->data.t0.num_books = get_bits(gb, 4) + 1; @@ -1063,6 +1056,9 @@ static int vorbis_floor0_decode(vorbis_context *vc, unsigned amplitude, book_idx; unsigned blockflag = vc->modes[vc->mode_number].blockflag; + if (!vf->amplitude_bits) + return 1; + amplitude = get_bits(&vc->gb, vf->amplitude_bits); if (amplitude > 0) { float last = 0; From d4d1f32e48d92edc69c69b14f8e642e519f7c9af Mon Sep 17 00:00:00 2001 From: David Favor Date: Wed, 27 Feb 2013 08:19:14 -0600 Subject: [PATCH 0197/1037] Slight bug building ffmpeg-1.1.3 on OSX + patch to fix Two instances of non-ascii characters have crept into file doc/filters.texi which causes pod2man to error out and break the build. Signed-off-by: Michael Niedermayer --- doc/filters.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/filters.texi b/doc/filters.texi index 937addf17d..9d6c2b86e5 100644 
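Review bot: The early `return 1` added to vorbis_floor0_decode() is unexplained, and the comment that documented the hazard (`2^0 - 1 == 0`, division by zero later) is deleted by the first hunk of this patch. I would carry it over as `/* amplitude_bits == 0 encodes amplitude 0; returning here also keeps the later division by 2^amplitude_bits - 1 from being reached */`. What the value 1 means to the caller is not visible in the hunk; presumably it matches the function's existing return for a floor with zero amplitude, and the comment should say so once confirmed. The function body continues outside the hunk.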
--- a/doc/filters.texi +++ b/doc/filters.texi @@ -4149,7 +4149,7 @@ Alternatively, the options can be specified as a flat string: @var{layout}[:@var{nb_frames}[:@var{margin}[:@var{padding}]]] -For example, produce 8×8 PNG tiles of all keyframes (@option{-skip_frame +For example, produce 8x8 PNG tiles of all keyframes (@option{-skip_frame nokey}) in a movie: @example ffmpeg -skip_frame nokey -i file.avi -vf 'scale=128:72,tile=8x8' -an -vsync 0 keyframes%03d.png @@ -5543,7 +5543,7 @@ Activate unsafe mode: do not fail if segments have a different format. The filter has @var{v}+@var{a} outputs: first @var{v} video outputs, then @var{a} audio outputs. -There are @var{n}×(@var{v}+@var{a}) inputs: first the inputs for the first +There are @var{n}x(@var{v}+@var{a}) inputs: first the inputs for the first segment, in the same order as the outputs, then the inputs for the second segment, etc. From cdbaaa4f001ef8043760c44c2062fbc27facffd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Feb 2013 16:08:41 +0100 Subject: [PATCH 0198/1037] doc/ffmpeg: remove non ascii char Signed-off-by: Michael Niedermayer --- doc/ffmpeg.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index d0fe327c15..0c3cbc3cde 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -978,7 +978,7 @@ ffmpeg -filter_complex 'color=red' -t 5 out.mkv As a special exception, you can use a bitmap subtitle stream as input: it will be converted into a video with the same size as the largest video in -the file, or 720×576 if no video is present. Note that this is an +the file, or 720x576 if no video is present. Note that this is an experimental and temporary solution. It will be removed once libavfilter has proper support for subtitles. From 4f3f2fe14bdfbf5a23e91c12d308c6aec840148f Mon Sep 17 00:00:00 2001 
From: Nicolas George Date: Wed, 27 Feb 2013 19:19:15 +0100 Subject: [PATCH 0199/1037] lavf/avio: check for : in filenames for protocols. If the first "special" character in a filename is a comma, it can introduce protocol options, but only if there is a colon at the end. Otherwise, it is just a filename with a comma. Fix trac ticket #2303. (cherry picked from commit d9fad53f4b447db1e436dcf3fc4a57e604616e6c) --- libavformat/avio.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index 6d8a8bb92a..56f810ec76 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -210,7 +210,9 @@ int ffurl_alloc(URLContext **puc, const char *filename, int flags, "Missing call to av_register_all()?\n"); } - if (filename[proto_len] != ':' && filename[proto_len] != ',' || is_dos_path(filename)) + if (filename[proto_len] != ':' && + (filename[proto_len] != ',' || !strchr(filename + proto_len + 1, ':')) || + is_dos_path(filename)) strcpy(proto_str, "file"); else av_strlcpy(proto_str, filename, FFMIN(proto_len+1, sizeof(proto_str))); From 78dbb1a7e182226367df7cb2adad5fdbd98b2e43 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 2 Feb 2013 22:36:25 +0100 Subject: [PATCH 0200/1037] Require at least three frames to autodetect loas. (cherry picked from commit a60530e3ee1d9532c026a52b03661f88e163d647) --- libavformat/loasdec.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/loasdec.c b/libavformat/loasdec.c index 2a06fe12a7..d3a8dbd6cd 100644 --- a/libavformat/loasdec.c +++ b/libavformat/loasdec.c @@ -55,7 +55,6 @@ static int loas_probe(AVProbeData *p) if (first_frames>=3) return AVPROBE_SCORE_MAX/2+1; else if(max_frames>100)return AVPROBE_SCORE_MAX/2; else if(max_frames>=3) return AVPROBE_SCORE_MAX/4; - else if(max_frames>=1) return 1; else return 0; } From 1b0082eabcc98e079d33c61da4d30ded89de68a9 Mon Sep 17 00:00:00 2001 
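Review bot: The rewritten condition in ffurl_alloc still relies on `&&` binding tighter than `||`, and with the nested comma test added it is easy to misread; explicit grouping shows the intent: `if ((filename[proto_len] != ':' && (filename[proto_len] != ',' || !strchr(filename + proto_len + 1, ':'))) || is_dos_path(filename))`. As far as the hunk shows, a plain file name that contains a comma followed anywhere by a colon is still parsed as a protocol with options, so callers handling untrusted names should keep passing them with an explicit `file:` prefix; a one-line comment stating this limit would help. The function starts and ends outside the hunk.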
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 1 Mar 2013 16:30:44 +0200 Subject: [PATCH 0201/1037] flvdec: Don't read the VP6 header byte when setting codec type based on metadata MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This header byte is only present when actually reading a VP6 frame, not when reading the codec type field in the metadata. This potential bug has been present since 5b54a90c. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit c91c63b5380bf79655c09320774a022f84d76fd5) Signed-off-by: Reinhard Tartler --- libavformat/flvdec.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 7d5ea56cdd..e45a9a2bfa 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -201,7 +201,7 @@ static int flv_same_video_codec(AVCodecContext *vcodec, int flags) return 0; } -static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_codecid) { +static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_codecid, int read) { AVCodecContext *vcodec = vstream->codec; switch(flv_codecid) { case FLV_CODECID_H263 : vcodec->codec_id = AV_CODEC_ID_FLV1 ; break; @@ -211,11 +211,13 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_co case FLV_CODECID_VP6A : if(flv_codecid == FLV_CODECID_VP6A) vcodec->codec_id = AV_CODEC_ID_VP6A; - if(vcodec->extradata_size != 1) { - vcodec->extradata_size = 1; - vcodec->extradata = av_malloc(1); + if (read) { + if (vcodec->extradata_size != 1) { + vcodec->extradata_size = 1; + vcodec->extradata = av_malloc(1); + } + vcodec->extradata[0] = avio_r8(s->pb); } - vcodec->extradata[0] = avio_r8(s->pb); return 1; // 1 byte body size adjustment for flv_read_packet() case FLV_CODECID_H264: vcodec->codec_id = AV_CODEC_ID_H264; 
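Review bot: In the VP6/VP6A case flv_set_video_codec still ends with `return 1; // 1 byte body size adjustment for flv_read_packet()` even when the new `read` argument is 0 and no byte was consumed from `s->pb`. The only caller that passes 0 in this patch (amf_parse_object) ignores the result, so nothing breaks today, but the return value no longer matches its comment; `return read ? 1 : 0;` keeps the two in step. A comment on the parameter would also help, e.g. `/* read: non-zero when the stream is positioned at the VP6 header byte */`, and the name shadows POSIX `read()`, which `-Wshadow` reports on some compilers. The switch continues outside the hunk.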
@@ -408,7 +410,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst st->codec->codec_id = AV_CODEC_ID_TEXT; } else if (flv->trust_metadata) { if (!strcmp(key, "videocodecid") && vcodec) { - flv_set_video_codec(s, vstream, num_val); + flv_set_video_codec(s, vstream, num_val, 0); } else if (!strcmp(key, "audiocodecid") && acodec) { flv_set_audio_codec(s, astream, acodec, num_val); @@ -766,7 +768,7 @@ static int flv_read_packet(AVFormatContext *s, AVPacket *pkt) sample_rate = ctx.sample_rate; } }else{ - size -= flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK); + size -= flv_set_video_codec(s, st, flags & FLV_VIDEO_CODECID_MASK, 1); } if (st->codec->codec_id == AV_CODEC_ID_AAC || From efa8603518258aa992752e0589d8fdd7b7d1f66b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 1 Mar 2013 16:45:24 +0200 Subject: [PATCH 0202/1037] flvdec: Check the return value of a malloc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The callers of this function can't report errors sanely. If this one malloc fails, don't write the extradata byte, make sure we try to malloc it the next time we're called instead, and make sure we still consume the input data byte. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit c5a738ca4e9789b4678b10240777d931e7dc24c9) Signed-off-by: Reinhard Tartler --- libavformat/flvdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index e45a9a2bfa..403a9b5089 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c 
@@ -213,10 +213,14 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, int flv_co vcodec->codec_id = AV_CODEC_ID_VP6A; if (read) { if (vcodec->extradata_size != 1) { - vcodec->extradata_size = 1; vcodec->extradata = av_malloc(1); + if (vcodec->extradata) + vcodec->extradata_size = 1; } - vcodec->extradata[0] = avio_r8(s->pb); + if (vcodec->extradata) + vcodec->extradata[0] = avio_r8(s->pb); + else + avio_skip(s->pb, 1); } return 1; // 1 byte body size adjustment for flv_read_packet() case FLV_CODECID_H264: From b6f5a1ca588c2d632184f6f8151b4f6100309db4 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Feb 2013 11:43:20 +0100 Subject: [PATCH 0203/1037] h264: on reference overflow, reset the reference count to 0, not 1. Since decode_slice_header() returns before the reference lists are constructed, there are zero valid references. CC:libav-stable@libav.org (cherry picked from commit 668e16a0dd1ff56d4beeff5c658d8a2a08dbfac8) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 848d6a2d31..6f49dd28f2 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3046,7 +3046,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) { av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); - h->ref_count[0] = h->ref_count[1] = 1; + h->ref_count[0] = h->ref_count[1] = 0; return AVERROR_INVALIDDATA; } From 704952fee52f4033018919fee7815ee3bc833280 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Feb 2013 11:44:33 +0100 Subject: [PATCH 0204/1037] h264: set ref_count to 0 for intra slices. CC:libav-stable@libav.org (cherry picked from commit 437211ae73ef1ed8285b4fed7620502ea4999e11) Fixes deadlocks waiting for non-existing references with some fuzzed files. 
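Review bot: When `av_malloc(1)` fails in the VP6 branch, `vcodec->extradata` becomes NULL while `vcodec->extradata_size` keeps whatever non-1 value it had, and any buffer previously held in `extradata` is overwritten without being freed. A consumer that trusts a non-zero `extradata_size` could then dereference NULL. Freeing first and deriving the size from the result keeps the pair consistent and still retries on the next call: `av_free(vcodec->extradata);`, `vcodec->extradata = av_malloc(1);`, `vcodec->extradata_size = vcodec->extradata ? 1 : 0;`. Whether a live buffer with a different size can actually reach this point depends on code outside the hunk.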
Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 6f49dd28f2..54f618653d 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3039,8 +3039,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0) h->list_count = 2; else h->list_count = 1; - } else + } else { h->list_count = 0; + h->ref_count[0] = h->ref_count[1] = 0; + } + max_refs = s->picture_structure == PICT_FRAME ? 16 : 32; From a3b3096772c65899d7ca43a913051420d706c88a Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 2 Mar 2013 10:54:07 +0100 Subject: [PATCH 0205/1037] update Changelog --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog b/Changelog index d20dca904f..707bc69a67 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,13 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.3: +- h264: fix deadlocks with broken/fuzzed files +- flvdec: make decoder more robust +- vorbisdec: fix buffer overflow (CVE-2013-0894) +- ac3dec: validate channel output mode against channel count +- doc: minor improvements + version 9.2: - loco: check that there is data left after decoding a plane. - mov: use the format context for logging. From 7327505883b11d6cf6e16576b04cc0cfa3ec9335 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Feb 2013 16:58:01 +0100 Subject: [PATCH 0206/1037] rtmpproto: Check APP_MAX_LENGTH Fixes Ticket2292 Signed-off-by: Michael Niedermayer (cherry picked from commit 02ac3398eb52679301028c2fd3ebad1b6261b4da) Signed-off-by: Michael Niedermayer --- libavformat/rtmpproto.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 6f03dd9d7e..fa661ee552 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c 
@@ -2367,16 +2367,20 @@ reconnect: fname = strchr(p + 1, '/'); if (!fname || (c && c < fname)) { fname = p + 1; - av_strlcpy(rt->app, path + 1, p - path); + av_strlcpy(rt->app, path + 1, FFMIN(p - path, APP_MAX_LENGTH)); } else { fname++; - av_strlcpy(rt->app, path + 1, fname - path - 1); + av_strlcpy(rt->app, path + 1, FFMIN(fname - path - 1, APP_MAX_LENGTH)); } } } if (old_app) { // The name of application has been defined by the user, override it. + if (strlen(old_app) >= APP_MAX_LENGTH) { + ret = AVERROR(EINVAL); + goto fail; + } av_free(rt->app); rt->app = old_app; } From 7c8beec48ce7fa7380e8aab700c7d5f2b579a58e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Mar 2013 12:25:02 +0100 Subject: [PATCH 0207/1037] buildsys: only include log2_tab per library for shared builds Fix linking failures with -all_load due to multiple log2_tabs Signed-off-by: Carl Eugen Hoyos (cherry picked from commit 03148fd1743fca98c2f4b5920b796f381e820045) --- libavcodec/Makefile | 2 +- libavformat/Makefile | 2 +- libswresample/Makefile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 3ebb5a8f57..4bf3ee1701 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -25,7 +25,6 @@ OBJS = allcodecs.o \ fmtconvert.o \ imgconvert.o \ jrevdct.o \ - log2_tab.o \ mathtables.o \ options.o \ parser.o \ @@ -69,6 +68,7 @@ OBJS-$(CONFIG_MPEGVIDEOENC) += mpegvideo_enc.o mpeg12data.o \ OBJS-$(CONFIG_RANGECODER) += rangecoder.o RDFT-OBJS-$(CONFIG_HARDCODED_TABLES) += sin_tables.o OBJS-$(CONFIG_RDFT) += rdft.o $(RDFT-OBJS-yes) +OBJS-$(CONFIG_SHARED) += log2_tab.o OBJS-$(CONFIG_SINEWIN) += sinewin.o OBJS-$(CONFIG_VAAPI) += vaapi.o OBJS-$(CONFIG_VDPAU) += vdpau.o diff --git a/libavformat/Makefile b/libavformat/Makefile index 756059795e..85799d47c5 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile 
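Review bot: The two `av_strlcpy` calls now clamp the URL-derived application name with `FFMIN(..., APP_MAX_LENGTH)`, so an over-long path is silently truncated and the connection proceeds with a different app than the URL named, while the user-supplied `old_app` a few lines below is rejected with `AVERROR(EINVAL)` for the same condition. Rejecting in both places, with a log line saying the app name exceeds `APP_MAX_LENGTH - 1` characters, would be more predictable; as written the `old_app` rejection produces no message at all. It is also worth checking that the `fail` path releases `old_app`, since the new `goto fail` skips the `rt->app = old_app` assignment that would otherwise take ownership; that label is outside the hunk.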
@@ -13,7 +13,6 @@ OBJS = allformats.o \ cutils.o \ id3v1.o \ id3v2.o \ - log2_tab.o \ metadata.o \ mux.o \ options.o \ @@ -45,6 +44,7 @@ OBJS-$(CONFIG_RTPDEC) += rdt.o \ rtpdec_vp8.o \ rtpdec_xiph.o OBJS-$(CONFIG_RTPENC_CHAIN) += rtpenc_chain.o rtp.o +OBJS-$(CONFIG_SHARED) += log2_tab.o # muxers/demuxers OBJS-$(CONFIG_A64_MUXER) += a64.o rawenc.o diff --git a/libswresample/Makefile b/libswresample/Makefile index 9d9f10c6c6..0b75bd0821 100644 --- a/libswresample/Makefile +++ b/libswresample/Makefile @@ -8,11 +8,11 @@ HEADERS = swresample.h \ OBJS = audioconvert.o \ dither.o \ - log2_tab.o \ rematrix.o \ resample.o \ swresample.o \ OBJS-$(CONFIG_LIBSOXR) += soxr_resample.o +OBJS-$(CONFIG_SHARED) += log2_tab.o TESTPROGS = swresample From a8fc0bb608305983476214b1df229d71944cd2a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Mar 2013 13:42:12 +0100 Subject: [PATCH 0208/1037] hls: fix timebase Fixes Ticket1733 Signed-off-by: Michael Niedermayer (cherry picked from commit a12a618aa9c6d84ec3c01695fb5aec9796453a6d) --- libavformat/hls.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index f515dfb7f1..4a67c2db69 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -560,12 +560,14 @@ static int hls_read_header(AVFormatContext *s) /* Create new AVStreams for each stream in this variant */ for (j = 0; j < v->ctx->nb_streams; j++) { AVStream *st = avformat_new_stream(s, NULL); + AVStream *ist = v->ctx->streams[j]; if (!st) { ret = AVERROR(ENOMEM); goto fail; } ff_program_add_stream_index(s, i, stream_offset + j); st->id = i; + avpriv_set_pts_info(st, ist->pts_wrap_bits, ist->time_base.num, ist->time_base.den); avcodec_copy_context(st->codec, v->ctx->streams[j]->codec); if (v->bandwidth) av_dict_set(&st->metadata, "variant_bitrate", bitrate_str, From b642e45d8ce81f89a76ef8720c3e7cb69ec5ace6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 7 Mar 2013 13:55:43 +0100 Subject: [PATCH 0209/1037] avformat: Fix apics with aac Fixes Ticket2318 Signed-off-by: Michael Niedermayer (cherry picked from commit cada996528422907b8b818e99029a8e3b97cf08d) --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5cbf7ca7af..be816c2d3c 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -625,7 +625,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputForma goto fail; if (id3v2_extra_meta) { - if (!strcmp(s->iformat->name, "mp3")) { + if (!strcmp(s->iformat->name, "mp3") || !strcmp(s->iformat->name, "aac")) { if((ret = ff_id3v2_parse_apic(s, &id3v2_extra_meta)) < 0) goto fail; } else From 088ba9bc3e7629af08e50816c91fc8e84ec8f898 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Mar 2013 19:28:30 +0100 Subject: [PATCH 0210/1037] psymodel: dont apply lowpass filters with a cutoff close to the nyquist The IIR filter numerically diverges in such cases, this could easily be fixed but would make the filter slower on some platforms Fixes Ticket2246 Signed-off-by: Michael Niedermayer (cherry picked from commit fee5da6b0a79bed9dc849f216b6da1e03132b668) --- libavcodec/psymodel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/psymodel.c b/libavcodec/psymodel.c index a4a7cbb683..09dd83d315 100644 --- a/libavcodec/psymodel.c +++ b/libavcodec/psymodel.c @@ -106,7 +106,7 @@ av_cold struct FFPsyPreprocessContext* ff_psy_preprocess_init(AVCodecContext *av if (!cutoff_coeff && avctx->codec_id == AV_CODEC_ID_AAC) cutoff_coeff = 2.0 * AAC_CUTOFF(avctx) / avctx->sample_rate; - if (cutoff_coeff) + if (cutoff_coeff && cutoff_coeff < 0.98) ctx->fcoeffs = ff_iir_filter_init_coeffs(avctx, FF_FILTER_TYPE_BUTTERWORTH, FF_FILTER_MODE_LOWPASS, FILT_ORDER, cutoff_coeff, 0.0, 0.0); From 41313bdcc51159141a3c3737ea8d8cf05f506945 Mon Sep 17 00:00:00 2001 
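Review bot: The `cutoff_coeff < 0.98` limit added in ff_psy_preprocess_init is an unexplained magic number, and when it trips the lowpass is skipped without any trace in the code. A comment would carry the reasoning from the commit message to the call site, e.g. `/* skip the lowpass near Nyquist: the IIR filter diverges numerically there */`, and a named constant would make the limit easier to revisit. With the filter skipped `ctx->fcoeffs` is presumably left unset, so it is worth confirming that the users of `fcoeffs` outside the hunk tolerate that for this new case as they do for `cutoff_coeff == 0`.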
From: Michael Niedermayer Date: Fri, 8 Mar 2013 14:00:22 +0100 Subject: [PATCH 0211/1037] aacsbr: Check for envelope scalefactors overflowing This prevents various values from becoming stuck at NAN and output to become silent If someone knows a cleaner solution, thats welcome! Fixes Ticket2335 Signed-off-by: Michael Niedermayer (cherry picked from commit 8978c743fb1d1f5a0d6dbdd83ff05817f8a41230) --- libavcodec/aacsbr.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 714e48c1ff..a49631b9b5 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1121,7 +1121,12 @@ static void sbr_dequant(SpectralBandReplication *sbr, int id_aac) for (k = 0; k < sbr->n[sbr->data[0].bs_freq_res[e]]; k++) { float temp1 = exp2f(sbr->data[0].env_facs[e][k] * alpha + 7.0f); float temp2 = exp2f((pan_offset - sbr->data[1].env_facs[e][k]) * alpha); - float fac = temp1 / (1.0f + temp2); + float fac; + if (temp1 > 1E20) { + av_log(NULL, AV_LOG_ERROR, "envelope scalefactor overflow in dequant\n"); + temp1 = 1; + } + fac = temp1 / (1.0f + temp2); sbr->data[0].env_facs[e][k] = fac; sbr->data[1].env_facs[e][k] = fac * temp2; } @@ -1130,7 +1135,12 @@ static void sbr_dequant(SpectralBandReplication *sbr, int id_aac) for (k = 0; k < sbr->n_q; k++) { float temp1 = exp2f(NOISE_FLOOR_OFFSET - sbr->data[0].noise_facs[e][k] + 1); float temp2 = exp2f(12 - sbr->data[1].noise_facs[e][k]); - float fac = temp1 / (1.0f + temp2); + float fac; + if (temp1 > 1E20) { + av_log(NULL, AV_LOG_ERROR, "envelope scalefactor overflow in dequant\n"); + temp1 = 1; + } + fac = temp1 / (1.0f + temp2); sbr->data[0].noise_facs[e][k] = fac; sbr->data[1].noise_facs[e][k] = fac * temp2; } 
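Review bot: The new overflow guards in sbr_dequant test only `temp1`, so in the two coupled branches an overflowing `temp2` still gives `fac = 0` and then `fac * temp2`, which is NaN when `temp2` is infinite; `temp1 > 1E20` is also false when `temp1` itself is NaN. Checking the results instead, for example `if (!isfinite(fac) || !isfinite(fac * temp2))`, would cover those cases, assuming `<math.h>` is already in scope for `exp2f`. The same applies to the noise-floor hunk at -1130, and the hunk at -1139 shares the two points below. Each guard calls `av_log(NULL, ...)` inside the innermost loop, so a malformed stream can produce one error line per coefficient with no codec context attached; since this signature has no context to pass, logging at most once per call would at least bound the output. The literal `1E20` is repeated three times and would be clearer as one named constant with a comment on how the limit was chosen.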
@@ -1139,9 +1149,15 @@ static void sbr_dequant(SpectralBandReplication *sbr, int id_aac) for (ch = 0; ch < (id_aac == TYPE_CPE) + 1; ch++) { float alpha = sbr->data[ch].bs_amp_res ? 1.0f : 0.5f; for (e = 1; e <= sbr->data[ch].bs_num_env; e++) - for (k = 0; k < sbr->n[sbr->data[ch].bs_freq_res[e]]; k++) + for (k = 0; k < sbr->n[sbr->data[ch].bs_freq_res[e]]; k++){ sbr->data[ch].env_facs[e][k] = exp2f(alpha * sbr->data[ch].env_facs[e][k] + 6.0f); + if (sbr->data[ch].env_facs[e][k] > 1E20) { + av_log(NULL, AV_LOG_ERROR, "envelope scalefactor overflow in dequant\n"); + sbr->data[ch].env_facs[e][k] = 1; + } + } + for (e = 1; e <= sbr->data[ch].bs_num_noise; e++) for (k = 0; k < sbr->n_q; k++) sbr->data[ch].noise_facs[e][k] = From 4852b3aabd4bd763152f8aa2849f117264532b19 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 9 Mar 2013 17:49:23 +0100 Subject: [PATCH 0212/1037] Prepare for 9.4 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index c3cae12bcc..0359f24328 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.3 +9.4 From 146eac0a0c5f56dd016f281a0a01214cb51dd870 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 4 Mar 2013 11:21:08 +0100 Subject: [PATCH 0213/1037] h264: check for luma and chroma bit dept being equal The decoder assumes a single bit depth for all the planes while the specification allows different bit depths for luma and chroma. Avoid the possible problems described in CVE-2013-2277 CC: libav-stable@libav.org (cherry picked from commit 4987faee78b9869f8f4646b8dd971d459df218a5) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 54f618653d..8625b0f392 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -2421,6 +2421,12 @@ static int h264_set_parameter_from_sps(H264Context *h) if (s->avctx->has_b_frames < 2) s->avctx->has_b_frames = !s->low_delay; + if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) { + av_log_missing_feature(s->avctx, + "Different bit depth between chroma and luma", 1); + return AVERROR_PATCHWELCOME; + } + if (s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc) { if (s->avctx->codec && From 77cf052e395b1fac8dd181d4f76b0101d1acd625 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 10:42:51 +0100 Subject: [PATCH 0214/1037] vmdaudio: fix invalid reads when packet size is not a multiple of chunk size CC:libav-stable@libav.org (cherry picked from commit f86d66bcfa48998b0727aa0d1089a30cbeae0933) Signed-off-by: Reinhard Tartler --- libavcodec/vmdav.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index cffc00aa40..2bb1fc3dd1 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -631,7 +631,7 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* decode audio chunks */ if (audio_chunks > 0) { buf_end = buf + buf_size; - while (buf < buf_end) { + while (buf + s->chunk_size <= buf_end) { if (s->out_bps == 2) { decode_audio_s16(output_samples_s16, buf, s->chunk_size, avctx->channels); From 60dd8b5733f9ec4919fbc732ace1be8184dde880 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 10:02:50 +0100 Subject: [PATCH 0215/1037] wmaprodec: return an error, not 0, when the input is too small. Returning 0 may result in an infinite loop in valid calling programs. A decoder should never return 0 without producing any output. CC:libav-stable@libav.org (cherry picked from commit 4c0080b7e7d501e2720d2a61f5186a18377f9d63) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
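Review bot: The bit-depth mismatch check in h264_set_parameter_from_sps runs after `s->avctx->has_b_frames` has already been updated from the same SPS (the two context lines above it), so a stream rejected with `AVERROR_PATCHWELCOME` still leaves that side effect behind. Moving the `h->sps.bit_depth_luma != h->sps.bit_depth_chroma` test ahead of the first write to `s->avctx` would make the rejection free of partial state. The start of the function is outside the hunk, so other earlier writes may need the same treatment.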
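Review bot: The new loop bound `buf + s->chunk_size <= buf_end` in vmdaudio_decode_frame forms a pointer that lies beyond one-past-the-end of the packet whenever `chunk_size` exceeds the remaining data, which is undefined behaviour in C and can wrap on some targets. Comparing lengths avoids it: `while (buf_end - buf >= s->chunk_size) {`. The hunk does not show where `chunk_size` is validated; if it can be 0 the loop would never advance, so the init code or this condition should also require it to be positive. The loop body continues outside the hunk.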
diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index d58278b76d..ff96788905 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1504,8 +1504,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, s->packet_done = 0; /** sanity check for the buffer length */ - if (buf_size < avctx->block_align) - return 0; + if (buf_size < avctx->block_align) { + av_log(avctx, AV_LOG_ERROR, "Input packet too small (%d < %d)\n", + buf_size, avctx->block_align); + return AVERROR_INVALIDDATA; + } s->next_packet_start = buf_size - avctx->block_align; buf_size = avctx->block_align; From 74880e78d83031d612c941a383b810ff0c9d50c6 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 09:41:44 +0100 Subject: [PATCH 0216/1037] ivi_common: do not call MC for intra frames when dc_transform is unset CC:libav-stable@libav.org (cherry picked from commit 3ba40ebb6cc58753dc3746c718203bb31760deba) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 76782e5173..3bdcbaba56 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -527,9 +527,10 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile /* block not coded */ /* for intra blocks apply the dc slant transform */ /* for inter - perform the motion compensation without delta */ - if (is_intra && band->dc_transform) { - band->dc_transform(&prev_dc, band->buf + buf_offs, - band->pitch, blk_size); + if (is_intra) { + if (band->dc_transform) + band->dc_transform(&prev_dc, band->buf + buf_offs, + band->pitch, blk_size); } else mc_no_delta_func(band->buf + buf_offs, band->ref_buf + buf_offs + mv_y * band->pitch + mv_x, From d3b40af01f88aeb19f3400956fefa0e324ef5e2e Mon Sep 17 00:00:00 2001 
From: Alexander Kojevnikov Date: Wed, 6 Mar 2013 21:38:55 -0800 Subject: [PATCH 0217/1037] mp3dec: Fix VBR bit rate parsing When parsing the Xing/Info tag, don't set the bit rate if it's an Info tag. When parsing the stream, don't override the bit rate if it's already set, otherwise calculate the mean bit rate from parsed frames. This way, the bit rate will be set correctly both for CBR and VBR streams. CC:libav-stable@libav.org Signed-off-by: Anton Khirnov (cherry picked from commit eae0879d961b78717dd2a0899809ad22819ae9e3) Signed-off-by: Reinhard Tartler --- libavcodec/mpegaudio_parser.c | 6 +++++- libavformat/mp3dec.c | 6 ++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index c904873a18..58ea452773 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -30,6 +30,7 @@ typedef struct MpegAudioParseContext { int frame_size; uint32_t header; int header_count; + int no_bitrate; } MpegAudioParseContext; #define MPA_HEADER_SIZE 4 @@ -80,7 +81,10 @@ static int mpegaudio_parse(AVCodecParserContext *s1, avctx->sample_rate= sr; avctx->channels = channels; s1->duration = frame_size; - avctx->bit_rate = bit_rate; + if (s->no_bitrate || !avctx->bit_rate) { + s->no_bitrate = 1; + avctx->bit_rate += (bit_rate - avctx->bit_rate) / s->header_count; + } } break; } diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 7d0c2fb6ed..48deefd126 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -128,6 +128,7 @@ static int mp3_parse_vbr_tags(AVFormatContext *s, AVStream *st, int64_t base) const int64_t xing_offtbl[2][2] = {{32, 17}, {17,9}}; MPADecodeHeader c; int vbrtag_size = 0; + int is_cbr; v = avio_rb32(s->pb); if(ff_mpa_check_header(v) < 0) 
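Review bot: The running mean `avctx->bit_rate += (bit_rate - avctx->bit_rate) / s->header_count;` in mpegaudio_parse divides by `s->header_count` with no guard inside the hunk, so it is only safe if the enclosing condition, which is outside the hunk, guarantees a positive count. The integer division also truncates toward zero, which means differences smaller than `header_count` are dropped and the estimate stops moving on long VBR streams. Comments stating the invariant and the flag's purpose would make this checkable, e.g. `/* header_count > 0 here */` at the division and `/* bit rate is averaged by the parser instead of taken from the container */` on `no_bitrate` in the struct.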
@@ -143,7 +144,8 @@ static int mp3_parse_vbr_tags(AVFormatContext *s, AVStream *st, int64_t base) /* Check for Xing / Info tag */ avio_skip(s->pb, xing_offtbl[c.lsf == 1][c.nb_channels == 1]); v = avio_rb32(s->pb); - if(v == MKBETAG('X', 'i', 'n', 'g') || v == MKBETAG('I', 'n', 'f', 'o')) { + is_cbr = v == MKBETAG('I', 'n', 'f', 'o'); + if (v == MKBETAG('X', 'i', 'n', 'g') || is_cbr) { v = avio_rb32(s->pb); if(v & XING_FLAG_FRAMES) frames = avio_rb32(s->pb); @@ -176,7 +178,7 @@ static int mp3_parse_vbr_tags(AVFormatContext *s, AVStream *st, int64_t base) if(frames) st->duration = av_rescale_q(frames, (AVRational){spf, c.sample_rate}, st->time_base); - if(size && frames) + if (size && frames && !is_cbr) st->codec->bit_rate = av_rescale(size, 8 * c.sample_rate, frames * (int64_t)spf); return 0; From c1f479e8df24284237c80ad959619fc85e29a26d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 09:58:00 +0100 Subject: [PATCH 0218/1037] wmadec: require block_align to be set. Avoids an infinite loop in the calling programs with decoder not consuming any input and not returning output. CC:libav-stable@libav.org (cherry picked from commit ea1136baafb1fe271cb56c3f4d7bff0267e3c70f) Signed-off-by: Reinhard Tartler --- libavcodec/wmadec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index e2803bb2a3..2f4afd3aa9 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -72,6 +72,11 @@ static int wma_decode_init(AVCodecContext * avctx) int i, flags2; uint8_t *extradata; + if (!avctx->block_align) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + return AVERROR(EINVAL); + } + s->avctx = avctx; /* extract flag infos */ From 747fbe0c212b81952bb27ec7b99fa709081e2d63 Mon Sep 17 00:00:00 2001 
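Review bot: The new guard in wma_decode_init rejects only `block_align == 0`; `block_align` is a signed int that normally comes from the container, and a negative value passes `!avctx->block_align` and reaches the size arithmetic later in the decoder. `if (avctx->block_align <= 0) {` closes that case as well. The identical check added to decode_init in wmaprodec.c (patch 0222) has the same gap, and there the `buf_size < avctx->block_align` test from patch 0215 would not catch a negative value either.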
From: Anton Khirnov Date: Wed, 6 Mar 2013 09:15:19 +0100 Subject: [PATCH 0219/1037] roqvideodec: fix a potential infinite loop in roqvideo_decode_frame(). When there is just 1 byte remanining in the buffer, nothing will be read and the loop will continue forever. Check that there are at least 8 bytes, which are always read at the beginning. CC:libav-stable@libav.org (cherry picked from commit 3e2f200237af977b9253b0aff121eee27bcedb44) Signed-off-by: Reinhard Tartler --- libavcodec/roqvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c index 3ee62c01b5..d156a843ba 100644 --- a/libavcodec/roqvideodec.c +++ b/libavcodec/roqvideodec.c @@ -43,7 +43,7 @@ static void roqvideo_decode_frame(RoqContext *ri) roq_qcell *qcell; int64_t chunk_start; - while (bytestream2_get_bytes_left(&ri->gb) > 0) { + while (bytestream2_get_bytes_left(&ri->gb) >= 8) { chunk_id = bytestream2_get_le16(&ri->gb); chunk_size = bytestream2_get_le32(&ri->gb); chunk_arg = bytestream2_get_le16(&ri->gb); From 62a657de168cf501acb23d48cc1aa00793dc83f3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 09:06:16 +0100 Subject: [PATCH 0220/1037] xxan: fix invalid memory access in xan_decode_frame_type0() The loop a few lines below the xan_unpack() call accesses up to dec_size * 2 bytes into y_buffer, so dec_size must be limited to buffer_size / 2. CC:libav-stable@libav.org (cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f) Signed-off-by: Reinhard Tartler --- libavcodec/xxan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 231ed908fa..84ffdecdff 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c 
@@ -307,7 +307,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx) int dec_size; bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET); - dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size); + dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size / 2); if (dec_size < 0) dec_size = 0; for (i = 0; i < dec_size; i++) From d48da913733356f319931907ba7a0da0ccfd0363 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 19 Feb 2013 08:15:07 +0100 Subject: [PATCH 0221/1037] ffv1: fix calculating slice dimensions for version 2 It got broken in 0f13cd3187192ba0cc2b043430de6e279e7b97c3. CC:libav-stable@libav.org (cherry picked from commit d243896987b8b2062d1faba4d8d6f0c62d2dbee9) Signed-off-by: Reinhard Tartler --- libavcodec/ffv1dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 72f255cad1..97e2bd5873 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -735,8 +735,8 @@ static int read_header(FFV1Context *f) fs->slice_x /= f->num_h_slices; fs->slice_y /= f->num_v_slices; - fs->slice_width /= f->num_h_slices - fs->slice_x; - fs->slice_height /= f->num_v_slices - fs->slice_y; + fs->slice_width = fs->slice_width / f->num_h_slices - fs->slice_x; + fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y; if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height) return AVERROR_INVALIDDATA; From 20373a66ec68d958c266f643a7d0e5ec254c0fcc Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Mar 2013 09:58:00 +0100 Subject: [PATCH 0222/1037] wmaprodec: require block_align to be set. Avoids an infinite loop in the calling programs with decoder not consuming any input and not returning output. CC:libav-stable@libav.org (cherry picked from commit cacad1c058f66558ec727faac3b277d2dee264d4) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) 
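Review bot: The `/ 2` on the size passed to xan_unpack in xan_decode_frame_type0 is unexplained in the code; the reason is given only in the commit message. A comment on that line, e.g. `/* the loop below accesses up to 2 * dec_size bytes of y_buffer */`, would stop a later cleanup from restoring the full `s->buffer_size`. Most of that loop is outside the hunk, so the factor should be re-checked against it whenever either side changes.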
diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index ff96788905..efc8fce5c8 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -280,6 +280,11 @@ static av_cold int decode_init(AVCodecContext *avctx) int log2_max_num_subframes; int num_possible_block_sizes; + if (!avctx->block_align) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + return AVERROR(EINVAL); + } + s->avctx = avctx; ff_dsputil_init(&s->dsp, avctx); avpriv_float_dsp_init(&s->fdsp, avctx->flags & CODEC_FLAG_BITEXACT); From 905f5c8a1e94d224245480298b1854e103d71141 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 16 Jan 2013 18:10:57 -0500 Subject: [PATCH 0223/1037] png: use av_mallocz_array() for the zlib zalloc function Fixes valgrind uninitialized memory errors when decoding png. CC:libav-stable@libav.org (cherry picked from commit 486f0b0cfc800cd38ec06635630539431d296774) Signed-off-by: Reinhard Tartler --- libavcodec/png.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/png.c b/libavcodec/png.c index 70a080e29e..65d696476a 100644 --- a/libavcodec/png.c +++ b/libavcodec/png.c @@ -47,9 +47,7 @@ const uint8_t ff_png_pass_mask[NB_PASSES] = { void *ff_png_zalloc(void *opaque, unsigned int items, unsigned int size) { - if(items >= UINT_MAX / size) - return NULL; - return av_malloc(items * size); + return av_mallocz_array(items, size); } void ff_png_zfree(void *opaque, void *ptr) From b77d9cbbd5050eda75030c8926241af3dbe1a8df Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 16 Jan 2013 17:52:55 -0500 Subject: [PATCH 0224/1037] libmp3lame: use the correct remaining buffer size when flushing CC:libav-stable@libav.org (cherry picked from commit e984f47873258b600fd88423f40e3cdaad179190) Signed-off-by: Reinhard Tartler --- libavcodec/libmp3lame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c index 264a0e2236..8746573224 100644 
--- a/libavcodec/libmp3lame.c +++ b/libavcodec/libmp3lame.c @@ -217,7 +217,7 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } } else { lame_result = lame_encode_flush(s->gfp, s->buffer + s->buffer_index, - BUFFER_SIZE - s->buffer_index); + s->buffer_size - s->buffer_index); } if (lame_result < 0) { if (lame_result == -1) { From 0cb3cab3431276c9339df91bfdbf30510d784a6c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 13 Feb 2013 21:04:42 +0100 Subject: [PATCH 0225/1037] eamad: allocate a dummy reference frame when the real one is missing Fixes invalid reads when the first frame is not an I-frame. CC:libav-stable@libav.org (cherry picked from commit 7b89cd20d844cbe763ca34e63e99d110043cf241) Signed-off-by: Anton Khirnov --- libavcodec/eamad.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index cf44ae98e3..bb4c7babde 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -264,6 +264,21 @@ static int decode_frame(AVCodecContext *avctx, } } + if (inter && !s->last_frame.data[0]) { + int ret; + av_log(avctx, AV_LOG_WARNING, "Missing reference frame.\n"); + s->last_frame.reference = 1; + ret = ff_get_buffer(avctx, &s->last_frame); + if (ret < 0) + return ret; + memset(s->last_frame.data[0], 0, s->last_frame.height * + s->last_frame.linesize[0]); + memset(s->last_frame.data[1], 0x80, s->last_frame.height / 2 * + s->last_frame.linesize[1]); + memset(s->last_frame.data[2], 0x80, s->last_frame.height / 2 * + s->last_frame.linesize[2]); + } + av_fast_padded_malloc(&s->bitstream_buf, &s->bitstream_buf_size, buf_end - buf); if (!s->bitstream_buf) From d84c51904cad23ed76c38eec5080887dae7f5f27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Feb 2013 23:41:53 +0100 Subject: [PATCH 0226/1037] mpegts: clear avprograms only for removed programs Fixes Ticket2186 Requested-by: carl 
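Review bot: The dummy reference frame in eamad's decode_frame is cleared with `s->last_frame.height / 2 * s->last_frame.linesize[1]` (and the same for plane 2), which leaves the last chroma row uninitialised when the height is odd; for a 4:2:0 layout `(s->last_frame.height + 1) / 2` covers it. Whether odd heights can reach this point depends on dimension checks outside the hunk. The three memset sizes are also plain int products of height and linesize, so they assume `ff_get_buffer` returned positive line sizes; a short comment stating that assumption would help.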
Signed-off-by: Michael Niedermayer (cherry picked from commit 806a66fd08a395486e763fb10588c5fd02e8d54e) --- libavformat/mpegts.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index a6e07fae9c..a6dff475e1 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -208,9 +208,6 @@ static void clear_program(MpegTSContext *ts, unsigned int programid) static void clear_programs(MpegTSContext *ts) { - int i; - for(i=0; inb_prg; i++) - clear_avprogram(ts, ts->prg[i].id); av_freep(&ts->prg); ts->nb_prg=0; } @@ -1634,6 +1631,17 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len add_pid_to_pmt(ts, sid, pmt_pid); } } + + if (sid < 0) { + int i,j; + for (j=0; jstream->nb_programs; j++) { + for (i=0; inb_prg; i++) + if (ts->prg[i].id == ts->stream->programs[j]->id) + break; + if (i==ts->nb_prg) + clear_avprogram(ts, ts->stream->programs[j]->id); + } + } } static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len) From 21d568be179c54a1596d1377b4da7fbe755bfe7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Mar 2013 15:13:04 +0100 Subject: [PATCH 0227/1037] shorten: set invalid channels count to 0 Prevent the loop shorten_decode_close from writing and freeing out of the array boundary. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Luca Barbato CC: libav-stable@libav.org (cherry picked from commit c10da30d8426a1f681d99a780b6e311f7fb4e5c5) --- libavcodec/shorten.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 1dc010f441..50fc506440 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
@@ -345,6 +345,7 @@ static int read_header(ShortenContext *s) s->channels = get_uint(s, CHANSIZE); if (s->channels <= 0 || s->channels > MAX_CHANNELS) { av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels); + s->channels = 0; return -1; } s->avctx->channels = s->channels; From 97cc2f286f9e3eed1a00034367ebca58cc05ee39 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 5 Mar 2013 16:11:28 +0100 Subject: [PATCH 0228/1037] shorten: K&R formatting cosmetics (cherry picked from commit a2ad554def214d2d03b7c16f68dc081a8622f9ca) Signed-off-by: Luca Barbato --- libavcodec/shorten.c | 217 ++++++++++++++++++++++--------------------- 1 file changed, 112 insertions(+), 105 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 50fc506440..f121a768ef 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -109,10 +109,10 @@ typedef struct ShortenContext { int got_quit_command; } ShortenContext; -static av_cold int shorten_decode_init(AVCodecContext * avctx) +static av_cold int shorten_decode_init(AVCodecContext *avctx) { ShortenContext *s = avctx->priv_data; - s->avctx = avctx; + s->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_S16P; avcodec_get_frame_defaults(&s->frame); 
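Review bot: In read_header() in shorten.c the unvalidated value from the bitstream is still stored in `s->channels` first and reset to 0 only on this one error path, so the fix depends on every later early return doing the same. Reading the value into a local `channels`, range-checking that, and only then executing `s->channels = channels;` keeps the context consistent by construction. The close function that iterates over `s->channels` is outside the hunk, so its behaviour is taken from the commit description.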
@@ -127,17 +127,20 @@ static int allocate_buffers(ShortenContext *s) int *coeffs; void *tmp_ptr; - for (chan=0; chanchannels; chan++) { - if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ + for (chan = 0; chan < s->channels; chan++) { + if (FFMAX(1, s->nmean) >= UINT_MAX / sizeof(int32_t)) { av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); return -1; } - if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){ - av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n"); + if (s->blocksize + s->nwrap >= UINT_MAX / sizeof(int32_t) || + s->blocksize + s->nwrap <= (unsigned)s->nwrap) { + av_log(s->avctx, AV_LOG_ERROR, + "s->blocksize + s->nwrap too large\n"); return -1; } - tmp_ptr = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean)); + tmp_ptr = + av_realloc(s->offset[chan], sizeof(int32_t) * FFMAX(1, s->nmean)); if (!tmp_ptr) return AVERROR(ENOMEM); s->offset[chan] = tmp_ptr; @@ -147,7 +150,7 @@ static int allocate_buffers(ShortenContext *s) if (!tmp_ptr) return AVERROR(ENOMEM); s->decoded_base[chan] = tmp_ptr; - for (i=0; inwrap; i++) + for (i = 0; i < s->nwrap; i++) s->decoded_base[chan][i] = 0; s->decoded[chan] = s->decoded_base[chan] + s->nwrap; } @@ -160,7 +163,6 @@ static int allocate_buffers(ShortenContext *s) return 0; } - static inline unsigned int get_uint(ShortenContext *s, int k) { if (s->version != 0) @@ -168,7 +170,6 @@ static inline unsigned int get_uint(ShortenContext *s, int k) return get_ur_golomb_shorten(&s->gb, k); } - static void fix_bitshift(ShortenContext *s, int32_t *buffer) { int i; 
@@ -178,22 +179,20 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) buffer[i] <<= s->bitshift; } - static int init_offset(ShortenContext *s) { int32_t mean = 0; - int chan, i; + int chan, i; int nblock = FFMAX(1, s->nmean); /* initialise offset */ - switch (s->internal_ftype) - { - case TYPE_S16HL: - case TYPE_S16LH: - mean = 0; - break; - default: - av_log(s->avctx, AV_LOG_ERROR, "unknown audio type"); - return AVERROR_INVALIDDATA; + switch (s->internal_ftype) { + case TYPE_S16HL: + case TYPE_S16LH: + mean = 0; + break; + default: + av_log(s->avctx, AV_LOG_ERROR, "unknown audio type"); + return AVERROR_INVALIDDATA; } for (chan = 0; chan < s->channels; chan++) @@ -208,21 +207,20 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, int len; short wave_format; - - if (bytestream_get_le32(&header) != MKTAG('R','I','F','F')) { + if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) { av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n"); return -1; } - header += 4; /* chunk size */; + header += 4; /* chunk size */ - if (bytestream_get_le32(&header) != MKTAG('W','A','V','E')) { + if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) { av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n"); return -1; } - while (bytestream_get_le32(&header) != MKTAG('f','m','t',' ')) { - len = bytestream_get_le32(&header); + while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) { + len = bytestream_get_le32(&header); header += len; } len = bytestream_get_le32(&header); @@ -235,11 +233,11 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, wave_format = bytestream_get_le16(&header); switch (wave_format) { - case WAVE_FORMAT_PCM: - break; - default: - av_log(avctx, AV_LOG_ERROR, "unsupported wave format\n"); - return -1; + case WAVE_FORMAT_PCM: + break; + default: + av_log(avctx, AV_LOG_ERROR, "unsupported wave format\n"); + return -1; } header += 2; // skip channels (already got from shorten header) 
@@ -288,11 +286,12 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* read/validate prediction order */ pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE); if (pred_order > s->nwrap) { - av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", pred_order); + av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", + pred_order); return AVERROR(EINVAL); } /* read LPC coefficients */ - for (i=0; icoeffs[i] = get_sr_golomb_shorten(&s->gb, LPCQUANT); coeffs = s->coeffs; @@ -300,7 +299,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, } else { /* fixed LPC coeffs */ pred_order = command; - coeffs = fixed_coeffs[pred_order-1]; + coeffs = fixed_coeffs[pred_order - 1]; qshift = 0; } @@ -311,11 +310,12 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* decode residual and do LPC prediction */ init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset; - for (i=0; i < s->blocksize; i++) { + for (i = 0; i < s->blocksize; i++) { sum = init_sum; - for (j=0; jdecoded[channel][i-j-1]; - s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + (sum >> qshift); + for (j = 0; j < pred_order; j++) + sum += coeffs[j] * s->decoded[channel][i - j - 1]; + s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + + (sum >> qshift); } /* add offset to current samples */ @@ -336,10 +336,10 @@ static int read_header(ShortenContext *s) return -1; } - s->lpcqoffset = 0; - s->blocksize = DEFAULT_BLOCK_SIZE; - s->nmean = -1; - s->version = get_bits(&s->gb, 8); + s->lpcqoffset = 0; + s->blocksize = DEFAULT_BLOCK_SIZE; + s->nmean = -1; + s->version = get_bits(&s->gb, 8); s->internal_ftype = get_uint(s, TYPESIZE); s->channels = get_uint(s, CHANSIZE); 
@@ -356,19 +356,19 @@ static int read_header(ShortenContext *s) blocksize = get_uint(s, av_log2(DEFAULT_BLOCK_SIZE)); if (!blocksize || blocksize > MAX_BLOCKSIZE) { - av_log(s->avctx, AV_LOG_ERROR, "invalid or unsupported block size: %d\n", + av_log(s->avctx, AV_LOG_ERROR, + "invalid or unsupported block size: %d\n", blocksize); return AVERROR(EINVAL); } s->blocksize = blocksize; - maxnlpc = get_uint(s, LPCQSIZE); + maxnlpc = get_uint(s, LPCQSIZE); s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); - for (i=0; igb, 8); - } } s->nwrap = FFMAX(NWRAP, maxnlpc); @@ -382,17 +382,20 @@ static int read_header(ShortenContext *s) s->lpcqoffset = V2LPCQOFFSET; if (get_ur_golomb_shorten(&s->gb, FNSIZE) != FN_VERBATIM) { - av_log(s->avctx, AV_LOG_ERROR, "missing verbatim section at beginning of stream\n"); + av_log(s->avctx, AV_LOG_ERROR, + "missing verbatim section at beginning of stream\n"); return -1; } s->header_size = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); - if (s->header_size >= OUT_BUFFER_SIZE || s->header_size < CANONICAL_HEADER_SIZE) { - av_log(s->avctx, AV_LOG_ERROR, "header is wrong size: %d\n", s->header_size); + if (s->header_size >= OUT_BUFFER_SIZE || + s->header_size < CANONICAL_HEADER_SIZE) { + av_log(s->avctx, AV_LOG_ERROR, "header is wrong size: %d\n", + s->header_size); return -1; } - for (i=0; iheader_size; i++) + for (i = 0; i < s->header_size; i++) s->header[i] = (char)get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); if (decode_wave_header(s->avctx, s->header, s->header_size) < 0) 
@@ -410,15 +413,15 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; - ShortenContext *s = avctx->priv_data; + int buf_size = avpkt->size; + ShortenContext *s = avctx->priv_data; int i, input_buf_size = 0; int ret; /* allocate internal bitstream buffer */ - if(s->max_framesize == 0){ + if (s->max_framesize == 0) { void *tmp_ptr; - s->max_framesize= 1024; // should hopefully be enough for the first header + s->max_framesize = 1024; // should hopefully be enough for the first header tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, s->max_framesize); if (!tmp_ptr) { 
@@ -429,29 +432,32 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, } /* append current packet data to bitstream buffer */ - if(1 && s->max_framesize){//FIXME truncated - buf_size= FFMIN(buf_size, s->max_framesize - s->bitstream_size); - input_buf_size= buf_size; + if (1 && s->max_framesize) { //FIXME truncated + buf_size = FFMIN(buf_size, s->max_framesize - s->bitstream_size); + input_buf_size = buf_size; - if(s->bitstream_index + s->bitstream_size + buf_size > s->allocated_bitstream_size){ - memmove(s->bitstream, &s->bitstream[s->bitstream_index], s->bitstream_size); - s->bitstream_index=0; + if (s->bitstream_index + s->bitstream_size + buf_size > + s->allocated_bitstream_size) { + memmove(s->bitstream, &s->bitstream[s->bitstream_index], + s->bitstream_size); + s->bitstream_index = 0; } if (buf) - memcpy(&s->bitstream[s->bitstream_index + s->bitstream_size], buf, buf_size); - buf= &s->bitstream[s->bitstream_index]; - buf_size += s->bitstream_size; - s->bitstream_size= buf_size; + memcpy(&s->bitstream[s->bitstream_index + s->bitstream_size], buf, + buf_size); + buf = &s->bitstream[s->bitstream_index]; + buf_size += s->bitstream_size; + s->bitstream_size = buf_size; /* do not decode until buffer has at least max_framesize bytes or - the end of the file has been reached */ + * the end of the file has been reached */ if (buf_size < s->max_framesize && avpkt->data) { *got_frame_ptr = 0; return input_buf_size; } } /* init and position bitstream reader */ - init_get_bits(&s->gb, buf, buf_size*8); + init_get_bits(&s->gb, buf, buf_size * 8); skip_bits(&s->gb, s->bitindex); /* process header or next subblock */ @@ -473,7 +479,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, int cmd; int len; - if (get_bits_left(&s->gb) < 3+FNSIZE) { + if (get_bits_left(&s->gb) < 3 + FNSIZE) { *got_frame_ptr = 0; break; } 
@@ -489,32 +495,32 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, if (!is_audio_command[cmd]) { /* process non-audio command */ switch (cmd) { - case FN_VERBATIM: - len = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); - while (len--) { - get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); - } - break; - case FN_BITSHIFT: - s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); - break; - case FN_BLOCKSIZE: { - int blocksize = get_uint(s, av_log2(s->blocksize)); - if (blocksize > s->blocksize) { - av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); - return AVERROR_PATCHWELCOME; - } - if (!blocksize || blocksize > MAX_BLOCKSIZE) { - av_log(avctx, AV_LOG_ERROR, "invalid or unsupported " - "block size: %d\n", blocksize); - return AVERROR(EINVAL); - } - s->blocksize = blocksize; - break; + case FN_VERBATIM: + len = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); + while (len--) + get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); + break; + case FN_BITSHIFT: + s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); + break; + case FN_BLOCKSIZE: { + int blocksize = get_uint(s, av_log2(s->blocksize)); + if (blocksize > s->blocksize) { + av_log(avctx, AV_LOG_ERROR, + "Increasing block size is not supported\n"); + return AVERROR_PATCHWELCOME; } - case FN_QUIT: - s->got_quit_command = 1; - break; + if (!blocksize || blocksize > MAX_BLOCKSIZE) { + av_log(avctx, AV_LOG_ERROR, "invalid or unsupported " + "block size: %d\n", blocksize); + return AVERROR(EINVAL); + } + s->blocksize = blocksize; + break; + } + case FN_QUIT: + s->got_quit_command = 1; + break; } if (cmd == FN_BLOCKSIZE || cmd == FN_QUIT) { *got_frame_ptr = 0; 
@@ -540,7 +546,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, coffset = s->offset[channel][0]; else { int32_t sum = (s->version < 2) ? 0 : s->nmean / 2; - for (i=0; inmean; i++) + for (i = 0; i < s->nmean; i++) sum += s->offset[channel][i]; coffset = sum / s->nmean; if (s->version >= 2) @@ -549,21 +555,22 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, /* decode samples for this channel */ if (cmd == FN_ZERO) { - for (i=0; iblocksize; i++) + for (i = 0; i < s->blocksize; i++) s->decoded[channel][i] = 0; } else { - if ((ret = decode_subframe_lpc(s, cmd, channel, residual_size, coffset)) < 0) + if ((ret = decode_subframe_lpc(s, cmd, channel, + residual_size, coffset)) < 0) return ret; } /* update means with info from the current block */ if (s->nmean > 0) { int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2; - for (i=0; iblocksize; i++) + for (i = 0; i < s->blocksize; i++) sum += s->decoded[channel][i]; - for (i=1; inmean; i++) - s->offset[channel][i-1] = s->offset[channel][i]; + for (i = 1; i < s->nmean; i++) + s->offset[channel][i - 1] = s->offset[channel][i]; if (s->version < 2) s->offset[channel][s->nmean - 1] = sum / s->blocksize; @@ -572,11 +579,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, } /* copy wrap samples for use with next block */ - for (i=-s->nwrap; i<0; i++) + for (i = -s->nwrap; i < 0; i++) s->decoded[channel][i] = s->decoded[channel][i + s->blocksize]; /* shift samples to add in unused zero bits which were removed - during encoding */ + * during encoding */ fix_bitshift(s, s->decoded[channel]); /* if this is the last channel in the block, output the samples */ 
@@ -601,12 +608,12 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 0; finish_frame: - s->bitindex = get_bits_count(&s->gb) - 8*((get_bits_count(&s->gb))/8); - i= (get_bits_count(&s->gb))/8; + s->bitindex = get_bits_count(&s->gb) - 8 * (get_bits_count(&s->gb) / 8); + i = get_bits_count(&s->gb) / 8; if (i > buf_size) { av_log(s->avctx, AV_LOG_ERROR, "overread: %d\n", i - buf_size); - s->bitstream_size=0; - s->bitstream_index=0; + s->bitstream_size = 0; + s->bitstream_index = 0; return -1; } if (s->bitstream_size) { From 0daf1428e82926dc5a8c72a0ff4c93aaa8a84ed9 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 5 Mar 2013 16:34:16 +0100 Subject: [PATCH 0229/1037] shorten: report meaningful errors (cherry picked from commit 4c364eb2b856fc33cf7b42f7c7b979e69fde5f3a) Signed-off-by: Luca Barbato --- libavcodec/shorten.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index f121a768ef..89346b4aad 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -130,13 +130,13 @@ static int allocate_buffers(ShortenContext *s) for (chan = 0; chan < s->channels; chan++) { if (FFMAX(1, s->nmean) >= UINT_MAX / sizeof(int32_t)) { av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); - return -1; + return AVERROR_INVALIDDATA; } if (s->blocksize + s->nwrap >= UINT_MAX / sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap) { av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n"); - return -1; + return AVERROR_INVALIDDATA; } tmp_ptr = 
@@ -209,14 +209,14 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) { av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n"); - return -1; + return AVERROR_INVALIDDATA; } header += 4; /* chunk size */ if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) { av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n"); - return -1; + return AVERROR_INVALIDDATA; } while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) { @@ -227,7 +227,7 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, if (len < 16) { av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n"); - return -1; + return AVERROR_INVALIDDATA; } wave_format = bytestream_get_le16(&header); @@ -237,7 +237,7 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, break; default: av_log(avctx, AV_LOG_ERROR, "unsupported wave format\n"); - return -1; + return AVERROR(ENOSYS); } header += 2; // skip channels (already got from shorten header) @@ -248,7 +248,7 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, if (avctx->bits_per_coded_sample != 16) { av_log(avctx, AV_LOG_ERROR, "unsupported number of bits per sample\n"); - return -1; + return AVERROR(ENOSYS); } len -= 16; @@ -333,7 +333,7 @@ static int read_header(ShortenContext *s) /* shorten signature */ if (get_bits_long(&s->gb, 32) != AV_RB32("ajkg")) { av_log(s->avctx, AV_LOG_ERROR, "missing shorten magic 'ajkg'\n"); - return -1; + return AVERROR_INVALIDDATA; } s->lpcqoffset = 0; @@ -346,7 +346,7 @@ static int read_header(ShortenContext *s) if (s->channels <= 0 || s->channels > MAX_CHANNELS) { av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels); s->channels = 0; - return -1; + return AVERROR_INVALIDDATA; } s->avctx->channels = s->channels; 
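Review bot: decode_wave_header() still walks the RIFF chunks without any bound: the `while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' '))` loop that closes the first shorten.c hunk here advances `header` by a length read from the file (the body, `header += len;`, is outside the hunk but visible in the formatting patch earlier on this page), and no visible line consults the header size that read_header() passes in. A header without a `fmt ` chunk, or with a large or negative `len`, would move the read pointer outside `s->header`. While the error codes are being revised, the loop should track the remaining bytes and return `AVERROR_INVALIDDATA` when fewer than 8 are left or when `len` exceeds what remains.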
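Review bot: The two `AVERROR(ENOSYS)` returns added in decode_wave_header() (unsupported wave format, and unsupported bits per sample in the following hunk) differ from how this file already reports an unimplemented feature: the FN_BLOCKSIZE path returns `AVERROR_PATCHWELCOME`. Using one code for "valid stream, feature not implemented" lets callers separate it from `AVERROR_INVALIDDATA` consistently, so either use `return AVERROR_PATCHWELCOME;` here or add a short comment on why ENOSYS was preferred.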
@@ -384,7 +384,7 @@ static int read_header(ShortenContext *s) if (get_ur_golomb_shorten(&s->gb, FNSIZE) != FN_VERBATIM) { av_log(s->avctx, AV_LOG_ERROR, "missing verbatim section at beginning of stream\n"); - return -1; + return AVERROR_INVALIDDATA; } s->header_size = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); @@ -392,14 +392,14 @@ static int read_header(ShortenContext *s) s->header_size < CANONICAL_HEADER_SIZE) { av_log(s->avctx, AV_LOG_ERROR, "header is wrong size: %d\n", s->header_size); - return -1; + return AVERROR_INVALIDDATA; } for (i = 0; i < s->header_size; i++) s->header[i] = (char)get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); - if (decode_wave_header(s->avctx, s->header, s->header_size) < 0) - return -1; + if ((ret = decode_wave_header(s->avctx, s->header, s->header_size)) < 0) + return ret; s->cur_chan = 0; s->bitshift = 0; @@ -614,7 +614,7 @@ finish_frame: av_log(s->avctx, AV_LOG_ERROR, "overread: %d\n", i - buf_size); s->bitstream_size = 0; s->bitstream_index = 0; - return -1; + return AVERROR_INVALIDDATA; } if (s->bitstream_size) { s->bitstream_index += i; From 88089eecfd7e604d40d078b4f4206c647cb2e2b4 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 5 Mar 2013 17:12:35 +0100 Subject: [PATCH 0230/1037] shorten: use the unsigned type where needed get_uint returns an unsigned value, use an unsigned to store blocksize to make sure the comparison logic is correct and report correctly the error for the channel count not supported. CC: libav-stable@libav.org (cherry picked from commit 5cf7c72757779a740e897a97710aac044fe5258c) Signed-off-by: Luca Barbato --- libavcodec/shorten.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 89346b4aad..0b4a473892 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
@@ -84,7 +84,7 @@ typedef struct ShortenContext { GetBitContext gb; int min_framesize, max_framesize; - int channels; + unsigned channels; int32_t *decoded[MAX_CHANNELS]; int32_t *decoded_base[MAX_CHANNELS]; @@ -343,7 +343,11 @@ static int read_header(ShortenContext *s) s->internal_ftype = get_uint(s, TYPESIZE); s->channels = get_uint(s, CHANSIZE); - if (s->channels <= 0 || s->channels > MAX_CHANNELS) { + if (!s->channels) { + av_log(s->avctx, AV_LOG_ERROR, "No channels reported\n"); + return AVERROR_INVALIDDATA; + } + if (s->channels > MAX_CHANNELS) { av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels); s->channels = 0; return AVERROR_INVALIDDATA; @@ -352,7 +356,8 @@ static int read_header(ShortenContext *s) /* get blocksize if version > 0 */ if (s->version > 0) { - int skip_bytes, blocksize; + int skip_bytes; + unsigned blocksize; blocksize = get_uint(s, av_log2(DEFAULT_BLOCK_SIZE)); if (!blocksize || blocksize > MAX_BLOCKSIZE) { @@ -504,7 +509,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE); break; case FN_BLOCKSIZE: { - int blocksize = get_uint(s, av_log2(s->blocksize)); + unsigned blocksize = get_uint(s, av_log2(s->blocksize)); if (blocksize > s->blocksize) { av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n"); From f156dc54f8c285ec2f11cd9cc7e2e0d7c510cb04 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Mar 2013 04:41:26 +0100 Subject: [PATCH 0231/1037] mpegaudio_parser: fix off by 1 error See: commit 29d8cd265a536063420afe78375b2176a9e1abc5 Author: Alexander Kojevnikov Date: Tue Feb 26 21:47:11 2013 -0800 mp3dec: Fix VBR bit rate parsing When parsing the Xing/Info tag, don't set the bit rate if it's an Info tag. When parsing the stream, don't override the bit rate if it's already set, otherwise calculate the mean bit rate from parsed frames. This way, the bit rate will be set correctly both for CBR and VBR streams. 
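Review bot: `s->channels` becomes `unsigned` in this patch, but the unchanged `av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels);` in the read_header() hunk still formats it with `%d`; the specifier should be `%u`. The same applies to the block-size messages that print the now-unsigned `blocksize` in read_header() and in the FN_BLOCKSIZE case, whose av_log lines are outside these hunks. For exactly the large values these checks reject, `%d` prints a negative number, which makes the log misleading when triaging a malformed file.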
Signed-off-by: Alexander Kojevnikov Signed-off-by: Michael Niedermayer Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudio_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index f592d5a0ae..408193671f 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -78,7 +78,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1, s->header_count++; s->frame_size = ret-4; - if (s->header_count > 1) { + if (s->header_count > 0) { avctx->sample_rate= sr; avctx->channels = channels; s1->duration = frame_size; From e586e4d93bfb66ccfcfa9c2aa48649f85470b6a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Jan 2013 16:33:45 +0100 Subject: [PATCH 0232/1037] msrledec: move output pointer test up Signed-off-by: Michael Niedermayer (cherry picked from commit c2992b705381e082e33633e62e151887da67b285) Signed-off-by: Michael Niedermayer --- libavcodec/msrledec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index 03e8a1b20b..44371f0a1f 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -203,6 +203,9 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, pos += p2; } else { //run of pixels uint8_t pix[3]; //original pixel + if ((pic->linesize[0] > 0 && output + p1 * (depth >> 3) > output_end) || + (pic->linesize[0] < 0 && output + p1 * (depth >> 3) < output_end)) + continue; switch(depth){ case 8: pix[0] = bytestream2_get_byte(gb); break; @@ -215,9 +218,6 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, case 32: pix32 = bytestream2_get_le32(gb); break; } - if ((pic->linesize[0] > 0 && output + p1 * (depth >> 3) > output_end) || - (pic->linesize[0] < 0 && output + p1 * (depth >> 3) < output_end)) - continue; for(i = 0; i < p1; i++) { switch(depth){ case 8: *output++ = pix[0]; 
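Review bot: The threshold in `if (s->header_count > 0)` in mpegaudio_parse() decides how many headers must be seen before `avctx->sample_rate` and `avctx->channels` are taken from the stream, and neither the code nor the commit text says what the intended count is. A comment on the condition, for example `/* header_count was incremented above; N consecutive valid headers required */` with the real number filled in, would make the off-by-one reviewable. The initial value and the reset of `header_count` are outside the hunk, so the effective count cannot be confirmed from here.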
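Review bot: With the bounds test moved above the pixel read in msrle_decode_8_16_24_32(), a run that does not fit now reaches `continue` before its pixel value is consumed, so the next iteration parses those `depth >> 3` bytes as opcodes. If skipping the run is intended, consume the value first, e.g. `bytestream2_skip(gb, depth >> 3);` ahead of the `continue`; otherwise returning `AVERROR_INVALIDDATA` for a run that overruns the output would be clearer than continuing silently. The loop this sits in starts outside the hunk.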
From e44f89371c3af7e881d7795d3c7e58b68348d421 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Jan 2013 16:39:35 +0100 Subject: [PATCH 0233/1037] msrledec: move loop into switch speeds up code and allows more simplifications Signed-off-by: Michael Niedermayer (cherry picked from commit dbaae33c2c71862b8eaea978ed6dccc5ec03db89) Signed-off-by: Michael Niedermayer --- libavcodec/msrledec.c | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index 44371f0a1f..e46b99bfbf 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -218,21 +218,30 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, case 32: pix32 = bytestream2_get_le32(gb); break; } - for(i = 0; i < p1; i++) { - switch(depth){ - case 8: *output++ = pix[0]; - break; - case 16: *(uint16_t*)output = pix16; - output += 2; - break; - case 24: *output++ = pix[0]; - *output++ = pix[1]; - *output++ = pix[2]; - break; - case 32: *(uint32_t*)output = pix32; - output += 4; - break; + switch(depth){ + case 8: + for(i = 0; i < p1; i++) + *output++ = pix[0]; + break; + case 16: + for(i = 0; i < p1; i++) { + *(uint16_t*)output = pix16; + output += 2; } + break; + case 24: + for(i = 0; i < p1; i++) { + *output++ = pix[0]; + *output++ = pix[1]; + *output++ = pix[2]; + } + break; + case 32: + for(i = 0; i < p1; i++) { + *(uint32_t*)output = pix32; + output += 4; + } + break; } pos += p1; } From 3ee967c1d8756fa4448772a02accc16df72bb59e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Jan 2013 16:41:33 +0100 Subject: [PATCH 0234/1037] msrledec: merge switches More speedup and fixes 'may be used uninitialized in this function' warnings Signed-off-by: Michael Niedermayer (cherry picked from commit d2e0a276d593ded94401e687f60bee266f3e725e) 
Signed-off-by: Michael Niedermayer --- libavcodec/msrledec.c | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index e46b99bfbf..cd0a73decf 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -206,30 +206,24 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, if ((pic->linesize[0] > 0 && output + p1 * (depth >> 3) > output_end) || (pic->linesize[0] < 0 && output + p1 * (depth >> 3) < output_end)) continue; - switch(depth){ - case 8: pix[0] = bytestream2_get_byte(gb); - break; - case 16: pix16 = bytestream2_get_le16(gb); - break; - case 24: pix[0] = bytestream2_get_byte(gb); - pix[1] = bytestream2_get_byte(gb); - pix[2] = bytestream2_get_byte(gb); - break; - case 32: pix32 = bytestream2_get_le32(gb); - break; - } + switch(depth){ case 8: + pix[0] = bytestream2_get_byte(gb); for(i = 0; i < p1; i++) *output++ = pix[0]; break; case 16: + pix16 = bytestream2_get_le16(gb); for(i = 0; i < p1; i++) { *(uint16_t*)output = pix16; output += 2; } break; case 24: + pix[0] = bytestream2_get_byte(gb); + pix[1] = bytestream2_get_byte(gb); + pix[2] = bytestream2_get_byte(gb); for(i = 0; i < p1; i++) { *output++ = pix[0]; *output++ = pix[1]; @@ -237,6 +231,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, } break; case 32: + pix32 = bytestream2_get_le32(gb); for(i = 0; i < p1; i++) { *(uint32_t*)output = pix32; output += 4; From b9a1efa6f4d4cda20ce796614ff5b0c523df5672 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Mar 2013 02:19:12 +0100 Subject: [PATCH 0235/1037] msrledec: fix output_end checks Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e398990eb87785e20e065cd3f14d1dbb69df4392) Signed-off-by: Michael Niedermayer --- libavcodec/msrledec.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index cd0a73decf..83d7d134b1 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -138,7 +138,8 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3); output = pic->data[0] + (avctx->height - 1) * pic->linesize[0]; - output_end = pic->data[0] + avctx->height * pic->linesize[0]; + output_end = output + FFABS(pic->linesize[0]); + while (bytestream2_get_bytes_left(gb) > 0) { p1 = bytestream2_get_byteu(gb); if(p1 == 0) { //Escape code @@ -155,6 +156,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, } } output = pic->data[0] + line * pic->linesize[0]; + output_end = output + FFABS(pic->linesize[0]); pos = 0; continue; } else if(p2 == 1) { //End-of-picture @@ -169,11 +171,11 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, return -1; } output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3); + output_end = pic->data[0] + line * pic->linesize[0] + FFABS(pic->linesize[0]); continue; } // Copy data - if ((pic->linesize[0] > 0 && output + p2 * (depth >> 3) > output_end) || - (pic->linesize[0] < 0 && output + p2 * (depth >> 3) < output_end)) { + if (output + p2 * (depth >> 3) > output_end) { bytestream2_skip(gb, 2 * (depth >> 3)); continue; } else if (bytestream2_get_bytes_left(gb) < p2 * (depth >> 3)) { @@ -203,8 +205,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, pos += p2; } else { //run of pixels uint8_t pix[3]; //original pixel - if ((pic->linesize[0] > 0 && output + p1 * (depth >> 3) > output_end) || - (pic->linesize[0] < 0 && output + p1 * (depth >> 3) < output_end)) + if (output + p1 * (depth >> 3) > output_end) continue; switch(depth){ From f719e6566c08dc1e18cf1caf07ba8c0e93cd7283 Mon Sep 17 00:00:00 2001 
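Review bot: The simplified tests `output + p2 * (depth >> 3) > output_end` and `output + p1 * (depth >> 3) > output_end` in msrledec.c form a pointer that can lie well past the end of the row before comparing it, which C leaves undefined and a compiler may optimise on. Comparing sizes avoids that: `if (p2 * (depth >> 3) > output_end - output)` and likewise for `p1`. `output_end` is also recomputed in three places with two different spellings (from `output`, and from `pic->data[0] + line * pic->linesize[0]` once `output` includes the `pos` offset); a `row_start` local would keep them in step.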
From: Michael Niedermayer Date: Tue, 5 Mar 2013 01:35:28 +0100 Subject: [PATCH 0236/1037] iff: fix integer overflow Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 0e945da7a3..ffd9231fc9 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -249,6 +249,8 @@ static int iff_read_header(AVFormatContext *s) break; case ID_CMAP: + if (data_size > INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE) + return AVERROR_INVALIDDATA; st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE; st->codec->extradata = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); if (!st->codec->extradata) @@ -409,6 +411,7 @@ static int iff_read_header(AVFormatContext *s) if (!st->codec->extradata) return AVERROR(ENOMEM); } + av_assert0(st->codec->extradata_size >= IFF_EXTRA_VIDEO_SIZE); buf = st->codec->extradata; bytestream_put_be16(&buf, IFF_EXTRA_VIDEO_SIZE); bytestream_put_byte(&buf, iff->bitmap_compression); From c8557235fdc9310c2cbdbb7d8faa239910feecb9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Mar 2013 17:20:44 +0100 Subject: [PATCH 0237/1037] jpegdec: be less picky on padding Fixes Ticket2353 Signed-off-by: Michael Niedermayer (cherry picked from commit 3c24fbbf651d4ec28eccfd7ef05a2595a11dd55a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index feb2f897a5..fd5136466b 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
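Review bot: The added `av_assert0(st->codec->extradata_size >= IFF_EXTRA_VIDEO_SIZE);` in iff_read_header() aborts the process if it ever fails, and the hunk does not show that every file-controlled path sets `extradata_size` to at least that value. In a demuxer fed untrusted files a recoverable check is safer for embedding applications: `if (st->codec->extradata_size < IFF_EXTRA_VIDEO_SIZE) return AVERROR_INVALIDDATA;`. In the ID_CMAP hunk the new upper-bound test is sufficient only if `data_size` is unsigned; its declaration is outside the hunk and worth confirming.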
@@ -740,7 +740,9 @@ static void handle_rstn(MJpegDecodeContext *s, int nb_components) i = 8 + ((-get_bits_count(&s->gb)) & 7); /* skip RSTn */ - if (s->restart_count == 0 && show_bits(&s->gb, i) == (1 << i) - 1) { + if (s->restart_count == 0) { + if( show_bits(&s->gb, i) == (1 << i) - 1 + || show_bits(&s->gb, i) == 0xFF) { int pos = get_bits_count(&s->gb); align_get_bits(&s->gb); while (get_bits_left(&s->gb) >= 8 && show_bits(&s->gb, 8) == 0xFF) @@ -750,6 +752,7 @@ static void handle_rstn(MJpegDecodeContext *s, int nb_components) s->last_dc[i] = 1024; } else skip_bits_long(&s->gb, pos - get_bits_count(&s->gb)); + } } } } From 4fb6fa477e4757177ded7e172694b4711f481f3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Mar 2013 17:39:57 +0100 Subject: [PATCH 0238/1037] update for 1.1.4 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 781dcb07cd..65087b4f5e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.3 +1.1.4 diff --git a/VERSION b/VERSION index 781dcb07cd..65087b4f5e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.3 +1.1.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 2bfdb72fd0..8216a21efd 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.3 +PROJECT_NUMBER = 1.1.4 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 0b0e87bb544be1926c4ee86c25789d5d6c3c6255 Mon Sep 17 00:00:00 2001 
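Review bot: The new inner test in handle_rstn calls `show_bits(&s->gb, i)` twice and leaves the enclosed block at its old indentation, so the nesting added by the extra `if` is hard to follow. Reading the bits once makes the two accepted padding patterns explicit: `unsigned pad = show_bits(&s->gb, i);` followed by `if (pad == (1U << i) - 1 || pad == 0xFF) {`. A one-line comment that the second pattern is zero-bit padding in front of the marker byte would record why it is accepted. The function starts before the first hunk.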
From: Xi Wang Date: Fri, 15 Mar 2013 06:31:21 -0400 Subject: [PATCH 0239/1037] atrac3: avoid oversized shifting in decode_bytes() When `off' is 0, `0x537F6103 << 32' in the following expression invokes undefined behavior, the result of which is not necessarily 0. (0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8))) Avoid oversized shifting. CC: libav-stable@libav.org Signed-off-by: Xi Wang Signed-off-by: Luca Barbato (cherry picked from commit eba1ff31304e407db3cefd7532108408f364367b) --- libavcodec/atrac3.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index a46b0b1277..910c15e473 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -164,7 +164,10 @@ static int decode_bytes(const uint8_t *input, uint8_t *out, int bytes) off = (intptr_t)input & 3; buf = (const uint32_t *)(input - off); - c = av_be2ne32((0x537F6103 >> (off * 8)) | (0x537F6103 << (32 - (off * 8)))); + if (off) + c = av_be2ne32((0x537F6103U >> (off * 8)) | (0x537F6103U << (32 - (off * 8)))); + else + c = av_be2ne32(0x537F6103U); bytes += 3 + off; for (i = 0; i < bytes / 4; i++) output[i] = c ^ buf[i]; From 9d4355d90a6a8fc49f6ff05f98b86e37c262ac91 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Fri, 15 Mar 2013 07:11:47 -0400 Subject: [PATCH 0240/1037] flacdec: simplify bounds checking in flac_probe() Simplify `p->buf > p->buf + p->buf_size - 4' as `p->buf_size < 4'. Avoid a possible out-of-bounds pointer, which is undefined behavior in C. CC: libav-stable@libav.org Signed-off-by: Xi Wang Signed-off-by: Luca Barbato (cherry picked from commit 8425d693eefbedbb41f91735614d41067695aa37) --- libavformat/flacdec.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index f19f95d901..fcacf190bc 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c 
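Review bot: decode_bytes now spells the key `0x537F6103U` three times and branches only to avoid a rotate by zero. A masked rotate handles both cases in one expression: `const uint32_t key = 0x537F6103U;` and `c = av_be2ne32((key >> (off * 8)) | (key << ((32 - off * 8) & 31)));`. The context lines also show the loop reading whole aligned words from `input - off` for `(bytes + 3 + off) / 4` iterations, so up to three bytes before and after the caller's range are touched. A comment stating that callers must provide that padding would help, because the requirement cannot be seen from this hunk and the function body starts outside it.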
@@ -278,11 +278,9 @@ static int flac_read_header(AVFormatContext *s) static int flac_probe(AVProbeData *p) { - uint8_t *bufptr = p->buf; - uint8_t *end = p->buf + p->buf_size; - - if(bufptr > end-4 || memcmp(bufptr, "fLaC", 4)) return 0; - else return AVPROBE_SCORE_MAX/2; + if (p->buf_size < 4 || memcmp(p->buf, "fLaC", 4)) + return 0; + return AVPROBE_SCORE_MAX/2; } AVInputFormat ff_flac_demuxer = { From 22c27e1f4a6ff3d8d0409b30c8a9edb689ffdeaa Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Fri, 15 Mar 2013 06:59:22 -0400 Subject: [PATCH 0241/1037] lzo: fix overflow checking in copy_backptr() The check `src > dst' in the form `&c->out[-back] > c->out' invokes pointer overflow, which is undefined behavior in C. Remove the check. Also replace `&c->out[-back] < c->out_start' with a safe form `c->out - c->out_start < back' to avoid overflow. CC: libav-stable@libav.org Signed-off-by: Xi Wang Signed-off-by: Luca Barbato (cherry picked from commit ca6c3f2c53be70aa3c38e8f1292809db89ea1ba6) --- libavutil/lzo.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index eff3cd2333..5c5ebc850a 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -110,9 +110,8 @@ static inline void copy(LZOContext *c, int cnt) */ static inline void copy_backptr(LZOContext *c, int back, int cnt) { - register const uint8_t *src = &c->out[-back]; register uint8_t *dst = c->out; - if (src < c->out_start || src > dst) { + if (dst - c->out_start < back) { c->error |= AV_LZO_INVALID_BACKPTR; return; } From a0361a6c30905ee428373e48718d9c3915cbeece Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Feb 2013 08:47:21 +0100 Subject: [PATCH 0242/1037] vf_gradfun: fix uninitialized variable use CC:libav-stable@libav.org (cherry picked from commit 887d31d455915b6bde6814063384dafdee61164c) Conflicts: libavfilter/vf_gradfun.c --- libavfilter/vf_gradfun.c | 1 + 1 file changed, 1 insertion(+) 
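Review bot: With the `src > dst` test removed, copy_backptr no longer rejects a zero or negative `back`. The condition `dst - c->out_start < back` is false for every `back <= 0`, and the copy that follows would then read from `dst` itself or from beyond it. If every caller guarantees `back >= 1` this cannot happen, but that guarantee is outside the hunk. Making it local costs one comparison: `if (back <= 0 || dst - c->out_start < back) {`. The rest of copy_backptr is outside the hunk.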
diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c index 2c9a9763c1..79e149009d 100644 --- a/libavfilter/vf_gradfun.c +++ b/libavfilter/vf_gradfun.c @@ -193,6 +193,7 @@ static int filter_frame(AVFilterLink *inlink, AVFilterBufferRef *in) direct = 1; out = in; } else { + direct = 0; out = ff_get_video_buffer(outlink, AV_PERM_WRITE, outlink->w, outlink->h); if (!out) { avfilter_unref_bufferp(&in); From c50241080d7599c90fc8b4e74c5f8d62a4caae52 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Feb 2013 08:47:21 +0100 Subject: [PATCH 0243/1037] vf_hqdn3d: fix uninitialized variable use CC:libav-stable@libav.org (cherry picked from commit d0a863ac891eae49ceaa4de7f759270bc87e668d) Conflicts: libavfilter/vf_hqdn3d.c --- libavfilter/vf_hqdn3d.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/vf_hqdn3d.c b/libavfilter/vf_hqdn3d.c index 085900fbce..30f7817ec0 100644 --- a/libavfilter/vf_hqdn3d.c +++ b/libavfilter/vf_hqdn3d.c @@ -333,6 +333,7 @@ static int filter_frame(AVFilterLink *inlink, AVFilterBufferRef *in) direct = 1; out = in; } else { + direct = 0; out = ff_get_video_buffer(outlink, AV_PERM_WRITE, outlink->w, outlink->h); if (!out) { avfilter_unref_bufferp(&in); From 1e7f825a9b212f838cf6df74da70d33113919dbf Mon Sep 17 00:00:00 2001 From: Loren Merritt Date: Sat, 22 Sep 2012 01:43:16 +0200 Subject: [PATCH 0244/1037] hqdn3d: Fix out of array read in LOWPASS CC:libav-stable@libav.org Signed-off-by: Anton Khirnov (cherry picked from commit 5b3c1aecb253828d09fa9825c5a4aed97badf086) Signed-off-by: Reinhard Tartler --- libavfilter/vf_hqdn3d.c | 8 ++++---- libavfilter/x86/hqdn3d.asm | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavfilter/vf_hqdn3d.c b/libavfilter/vf_hqdn3d.c index 30f7817ec0..e2d90d53ab 100644 --- a/libavfilter/vf_hqdn3d.c +++ b/libavfilter/vf_hqdn3d.c 
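Review bot: `direct = 0;` in the else branch fixes the uninitialized read but keeps `direct` assigned separately in each branch, which is the pattern that produced the bug. Initializing it where it is declared, `int direct = 0;`, keeps it defined on every path if another branch is added later. The same applies to the identical change to filter_frame in libavfilter/vf_hqdn3d.c in the next patch. The declaration is outside both hunks, so the edit belongs on that line rather than here.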
@@ -50,10 +50,10 @@ void ff_hqdn3d_row_10_x86(uint8_t *src, uint8_t *dst, uint16_t *line_ant, uint16 void ff_hqdn3d_row_16_x86(uint8_t *src, uint8_t *dst, uint16_t *line_ant, uint16_t *frame_ant, ptrdiff_t w, int16_t *spatial, int16_t *temporal); #define LUT_BITS (depth==16 ? 8 : 4) -#define RIGHTSHIFT(a,b) (((a)+(((1<<(b))-1)>>1))>>(b)) -#define LOAD(x) ((depth==8 ? src[x] : AV_RN16A(src+(x)*2)) << (16-depth)) -#define STORE(x,val) (depth==8 ? dst[x] = RIGHTSHIFT(val, 16-depth)\ - : AV_WN16A(dst+(x)*2, RIGHTSHIFT(val, 16-depth))) +#define LOAD(x) (((depth == 8 ? src[x] : AV_RN16A(src + (x) * 2)) << (16 - depth))\ + + (((1 << (16 - depth)) - 1) >> 1)) +#define STORE(x,val) (depth == 8 ? dst[x] = (val) >> (16 - depth) : \ + AV_WN16A(dst + (x) * 2, (val) >> (16 - depth))) av_always_inline static uint32_t lowpass(int prev, int cur, int16_t *coef, int depth) diff --git a/libavfilter/x86/hqdn3d.asm b/libavfilter/x86/hqdn3d.asm index dee2c96131..02632a1f09 100644 --- a/libavfilter/x86/hqdn3d.asm +++ b/libavfilter/x86/hqdn3d.asm @@ -39,6 +39,7 @@ SECTION .text %endif %if %3 != 16 shl %1, 16-%3 + add %1, (1<<(15-%3))-1 %endif %endmacro @@ -86,7 +87,6 @@ ALIGN 16 mov [frameantq+xq*2], t0w movifnidn dstq, dstmp %if %1 != 16 - add t0d, (1<<(15-%1))-1 shr t0d, 16-%1 ; could eliminate this by storing from t0h, but only with some contraints on register allocation %endif %if %1 == 8 From 6f787aa79b59bed2d9df627f90b6fec43f98f936 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 16 Mar 2013 20:13:44 +0100 Subject: [PATCH 0245/1037] Do not (re-)set libx264 parameter b_tff if interlaced encoding was not requested. Reconfiguring can break x264 lossless encoding. Fixes ticket #2165. (cherry picked from commit 75c7e4583f4fd727d236a12763a265502fe00988) --- libavcodec/libx264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index e2ef7530a6..3e7592edef 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c 
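Review bot: The rounding term has moved from `STORE` into `LOAD`, so every value held between the two macros now carries the bias, and nothing next to the macros says so. A comment above `LOAD` would keep the C and x86 paths from drifting apart again, e.g. `/* add the rounding bias on load so that STORE is a plain shift; keep in sync with the add in x86/hqdn3d.asm */`. Both macros also expand to code that uses `depth`, `src` and `dst` from the surrounding scope, which is worth stating in the same comment.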
@@ -174,7 +174,7 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame, frame->pict_type == AV_PICTURE_TYPE_P ? X264_TYPE_P : frame->pict_type == AV_PICTURE_TYPE_B ? X264_TYPE_B : X264_TYPE_AUTO; - if (x4->params.b_tff != frame->top_field_first) { + if (x4->params.b_interlaced && x4->params.b_tff != frame->top_field_first) { x4->params.b_tff = frame->top_field_first; x264_encoder_reconfig(x4->enc, &x4->params); } From 731902bd1951eb6d2f9b2c047127aabf73ca2a65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Mar 2013 00:00:02 +0100 Subject: [PATCH 0246/1037] rmdec: flush audio packet on seeking Fixes Ticket1605 Signed-off-by: Michael Niedermayer (cherry picked from commit 519ebb5ee5b89b8ecc80b4a4540fcbeb65cda172) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 3b476ff93c..142567b3ad 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -995,6 +995,18 @@ static int64_t rm_read_dts(AVFormatContext *s, int stream_index, return dts; } +static int rm_read_seek(AVFormatContext *s, int stream_index, + int64_t pts, int flags) +{ + RMDemuxContext *rm = s->priv_data; + + if (ff_seek_frame_binary(s, stream_index, pts, flags) < 0) + return -1; + rm->audio_pkt_cnt = 0; + return 0; +} + + AVInputFormat ff_rm_demuxer = { .name = "rm", .long_name = NULL_IF_CONFIG_SMALL("RealMedia"), @@ -1004,6 +1016,7 @@ AVInputFormat ff_rm_demuxer = { .read_packet = rm_read_packet, .read_close = rm_read_close, .read_timestamp = rm_read_dts, + .read_seek = rm_read_seek, }; AVInputFormat ff_rdt_demuxer = { From 69659389a3a423cf6320abaa549821d303ac1892 Mon Sep 17 00:00:00 2001 From: ArnoB Date: Thu, 14 Mar 2013 18:35:55 +0100 Subject: [PATCH 0247/1037] dpxenc: fix data offset Signed-off-by: Michael Niedermayer (cherry picked from commit 361319d0f49475bc14c744194870f9bab78a8a83) Conflicts: tests/ref/lavf/dpx 
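Review bot: rm_read_seek throws away the error code from `ff_seek_frame_binary()` and returns a bare `-1`, so callers that log or branch on AVERROR values lose the reason for the failure. Propagating it is two lines: `int ret = ff_seek_frame_binary(s, stream_index, pts, flags);` then `if (ret < 0) return ret;`. Only `audio_pkt_cnt` is reset after a successful seek; whether other packet state in RMDemuxContext also needs clearing cannot be judged from the hunk.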
Signed-off-by: Michael Niedermayer --- libavcodec/dpxenc.c | 1 + tests/ref/lavf/dpx | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/dpxenc.c b/libavcodec/dpxenc.c index bd44b16ffc..f210bbc774 100644 --- a/libavcodec/dpxenc.c +++ b/libavcodec/dpxenc.c @@ -212,6 +212,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, buf[803] = s->bits_per_component; write16(buf + 804, (s->bits_per_component == 10 || s->bits_per_component == 12) ? 1 : 0); /* packing method */ + write32(buf + 808, HEADER_SIZE); /* data offset */ /* Image source information header */ write32(buf + 1628, avctx->sample_aspect_ratio.num); diff --git a/tests/ref/lavf/dpx b/tests/ref/lavf/dpx index 1196934836..70371d8115 100644 --- a/tests/ref/lavf/dpx +++ b/tests/ref/lavf/dpx @@ -1,9 +1,9 @@ -808ea110635774252439722a48329d61 *./tests/data/images/dpx/02.dpx +d2f0b4e854fda2d3b3bee84cef80593c *./tests/data/images/dpx/02.dpx ./tests/data/images/dpx/%02d.dpx CRC=0x6da01946 305792 ./tests/data/images/dpx/02.dpx -5e1a777fa3f4094c9c4dd989cf9e8e8b *./tests/data/images/dpx/02.dpx +075963c3c08978b6a20555ba09161434 *./tests/data/images/dpx/02.dpx ./tests/data/images/dpx/%02d.dpx CRC=0xe5b9c023 609920 ./tests/data/images/dpx/02.dpx -13dc41b1e1e36399a5e1f8b7e3344a81 *./tests/data/images/dpx/02.dpx +b9f22728f8ff393bf30cf6cbd624fa95 *./tests/data/images/dpx/02.dpx ./tests/data/images/dpx/%02d.dpx CRC=0xf0a1c097 407168 ./tests/data/images/dpx/02.dpx From 3d5323a351a1cd09319c8db2d8b72707f1f63aa3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Mar 2013 18:17:47 +0100 Subject: [PATCH 0248/1037] dnxhddec: return the correct number of bytes from decode_frame Fixes Ticket2022 Signed-off-by: Michael Niedermayer (cherry picked from commit dae38a66ebd8a71aad51a29311f1c50df3ae3a2e) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 0fe03f9978..104b94354c 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -406,7 +406,7 @@ static int dnxhd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, *picture = ctx->picture; *got_frame = 1; - return buf_size; + return avpkt->size; } static av_cold int dnxhd_decode_close(AVCodecContext *avctx) From 9925dca1192158c5da7f3e9a1694f0ab95ab64e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Mar 2013 14:45:26 +0100 Subject: [PATCH 0249/1037] MAINTAINERS: update for 1.2 Signed-off-by: Michael Niedermayer (cherry picked from commit 80f91a70be5f03fc95eb89d222d760eeaf91b135) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 3319359bdf..32efcab3a3 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -445,9 +445,9 @@ x86 Michael Niedermayer Releases ======== +1.2 Michael Niedermayer 1.1 Michael Niedermayer 1.0 Michael Niedermayer -0.11 Michael Niedermayer From 9b0d0fd3c47ea8a60dfe8403db15f80b4c13acea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Mar 2013 14:50:42 +0100 Subject: [PATCH 0250/1037] MAINTAINERS: mention that people are welcome to pick up and maintain older releases Signed-off-by: Michael Niedermayer (cherry picked from commit 7e1efeb5707ec0fec000d42fa9f2861bab97bd8f) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 32efcab3a3..b2bccb2159 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -449,6 +449,7 @@ Releases 1.1 Michael Niedermayer 1.0 Michael Niedermayer +If you want to maintain an older release, please contact us GnuPG Fingerprints of maintainers and contributors From 31a77177ff323ef83944c60a8654891213ab6691 Mon Sep 17 00:00:00 2001 
From: Kostya Shishkov Date: Sun, 17 Mar 2013 20:22:19 +0100 Subject: [PATCH 0251/1037] iff: validate CMAP palette size Fixes CVE-2013-2495 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Luca Barbato CC: libav-stable@libav.org (cherry picked from commit 50c449ac24fbb4c03c15d2e2026cef2204b80385) Signed-off-by: Reinhard Tartler --- libavformat/iff.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index ab22e118f0..79f5f16050 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -166,6 +166,11 @@ static int iff_read_header(AVFormatContext *s) break; case ID_CMAP: + if (data_size < 3 || data_size > 768 || data_size % 3) { + av_log(s, AV_LOG_ERROR, "Invalid CMAP chunk size %d\n", + data_size); + return AVERROR_INVALIDDATA; + } st->codec->extradata_size = data_size; st->codec->extradata = av_malloc(data_size); if (!st->codec->extradata) From dc794d7096e32557cdc98339919aa1c12fe07c22 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 23 Mar 2013 09:43:26 +0100 Subject: [PATCH 0252/1037] fate: fetch samples that match the release series The idea is to ensure that 'make fate-rsync' always fetches the fate samples that work with this release. --- tests/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/Makefile b/tests/Makefile index 4e4eb897c0..8b56b4c3ee 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -104,7 +104,7 @@ $(FATE_AVCONV) $(FATE_SAMPLES_AVCONV): avconv$(EXESUF) ifdef SAMPLES FATE += $(FATE_SAMPLES) fate-rsync: - rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES) + rsync -vaLW rsync://fate-suite.libav.org/fate-suite-9/ $(SAMPLES) else fate-rsync: @echo "use 'make fate-rsync SAMPLES=/path/to/samples' to sync the fate suite" From 9d5f16f6fe23640ee90c92b3737d9d30c2f994f3 Mon Sep 17 00:00:00 2001 
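Review bot: The new log call prints `data_size` with `%d`; if `data_size` is declared as an unsigned 32-bit type (the declaration is outside the hunk) the specifier should be `%u` or `%"PRIu32"`, since values above `INT_MAX` would otherwise print as negative. The limits would read better as a named bound such as `data_size > 256 * 3`, with a comment that CMAP holds RGB triplets. The unchanged allocation below is `av_malloc(data_size)` with no `FF_INPUT_BUFFER_PADDING_SIZE`. It may be worth checking that against how the decoder reads extradata.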
From: Reinhard Tartler Date: Sat, 23 Mar 2013 08:29:04 +0100 Subject: [PATCH 0253/1037] add missed CVE reference in 9.2 release --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 707bc69a67..7229eba90b 100644 --- a/Changelog +++ b/Changelog @@ -28,7 +28,7 @@ version 9.2: - libopencore-amr: Conditionally compile decoder and encoder bits - arm: Fall back to runtime cpu feature detection via /proc/cpuinfo - xxan: properly handle odd heights -- msrledec: check bounds before constructing a possibly invalid pointer, +- msrledec: check bounds before constructing a possibly invalid pointer (CVE-2496) - qtrle: fix the topmost line for 1bit - aasc: fix output for msrle compression - yop: check for input overreads From 2dfe3a7b4dda1ff94b31aaf1dd50f208b63dc301 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 23 Mar 2013 08:29:24 +0100 Subject: [PATCH 0254/1037] update Changelog --- Changelog | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/Changelog b/Changelog index 7229eba90b..b7f7e94f6a 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,29 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.4: +- atrac3: avoid oversized shifting in decode_bytes() +- eamad: allocate a dummy reference frame when the real one is missing +- ffv1: fix calculating slice dimensions for version 2 +- flacdec: simplify bounds checking in flac_probe() +- h264: check for luma and chroma bit dept being equal (CVE-2013-2277) +- hqdn3d: Fix out of array read in LOWPASS +- iff: validate CMAP palette size (CVE-2013-2495) +- ivi_common: do not call MC for intra frames when dc_transform is unset +- libmp3lame: use the correct remaining buffer size when flushing +- lzo: fix overflow checking in copy_backptr() +- mp3dec: Fix VBR bit rate parsing +- png: use av_mallocz_array() for the zlib zalloc function +- roqvideodec: fix a potential infinite loop in roqvideo_decode_frame() +- shorten: fix various programming mistakes +- vf_gradfun: fix uninitialized variable use +- vf_hqdn3d: fix uninitialized variable use +- vmdaudio: fix invalid reads when packet size is not a multiple of chunk size +- wmadec: require block_align to be set +- wmaprodec: require block_align to be set +- wmaprodec: return an error, not 0, when the input is too small +- xxan: fix invalid memory access in xan_decode_frame_type0() + version 9.3: - h264: fix deadlocks with broken/fuzzed files - flvdec: make decoder more robust From fc7071cb53ded2e332947ce2145b587c5bdcd075 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 26 Mar 2013 15:16:07 +0100 Subject: [PATCH 0255/1037] Only test the first frame for missing aac_adtstoasc bistream filter. Many players ignore broken aac frames, so don't abort mov or flv muxing when encountering one, just print a warning instead. Fixes ticket #2380. (cherry picked from commit 1741fece7073f51efdd837a4f307ea2cdf3d1cfb) --- libavformat/flvenc.c | 3 +++ libavformat/movenc.c | 3 +++ 2 files changed, 6 insertions(+) 
diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index 502da0f0c5..e1dd43f716 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -493,10 +493,13 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) return ret; } else if (enc->codec_id == AV_CODEC_ID_AAC && pkt->size > 2 && (AV_RB16(pkt->data) & 0xfff0) == 0xfff0) { + if (!s->streams[pkt->stream_index]->nb_frames) { av_log(s, AV_LOG_ERROR, "Malformed AAC bitstream detected: " "use audio bitstream filter 'aac_adtstoasc' to fix it " "('-bsf:a aac_adtstoasc' option with ffmpeg)\n"); return AVERROR_INVALIDDATA; + } + av_log(s, AV_LOG_WARNING, "aac bitstream error\n"); } if (flv->delay == AV_NOPTS_VALUE) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 2ee21e544d..780e044bd0 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -3178,8 +3178,11 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) } } else if (enc->codec_id == AV_CODEC_ID_AAC && pkt->size > 2 && (AV_RB16(pkt->data) & 0xfff0) == 0xfff0) { + if (!s->streams[pkt->stream_index]->nb_frames) { av_log(s, AV_LOG_ERROR, "malformated aac bitstream, use -absf aac_adtstoasc\n"); return -1; + } + av_log(s, AV_LOG_WARNING, "aac bitstream error\n"); } else { avio_write(pb, pkt->data, size); } From 2e06758479650f6e2a8820c7105f2d193a701175 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 31 Mar 2013 10:38:00 +0200 Subject: [PATCH 0256/1037] Prepare for 9.5 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 0359f24328..592f36ef3a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.4 +9.5 From aba56c03b9558b80bd601bc58088a43c9b791ed1 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Thu, 21 Mar 2013 08:03:58 -0400 Subject: [PATCH 0257/1037] flvdec: use the correct audio codec id when parsing metadata (cherry picked from commit c3d015775388882b8a122afc337ea35108f652be) 
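Review bot: After the first frame, every AAC packet in flv_write_packet that still begins with an ADTS sync word logs `"aac bitstream error\n"` and is no longer rejected, so a long input can emit one identical warning per packet. The message also names neither the stream nor the cause. Something like `av_log(s, AV_LOG_WARNING, "AAC packet on stream %d starts with an ADTS sync word\n", pkt->stream_index);` is easier to act on, and a once-only flag in the muxer context would stop the flood. The wrapped `av_log`/`return` lines were also left at their old indentation. The same points apply to the matching hunk in ff_mov_write_packet in libavformat/movenc.c.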
Signed-off-by: Reinhard Tartler --- libavformat/flvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 403a9b5089..2821dd8c34 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -417,7 +417,8 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst flv_set_video_codec(s, vstream, num_val, 0); } else if (!strcmp(key, "audiocodecid") && acodec) { - flv_set_audio_codec(s, astream, acodec, num_val); + int id = ((int)num_val) << FLV_AUDIO_CODECID_OFFSET; + flv_set_audio_codec(s, astream, acodec, id); } else if (!strcmp(key, "audiosamplerate") && acodec) { acodec->sample_rate = num_val; From c6dce259670b210dce49d7cc6bffc2f5c967a6ad Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Thu, 21 Mar 2013 08:23:51 -0400 Subject: [PATCH 0258/1037] flvdec: read audio sample size and channels metadata This is needed in order for the FLV demuxer not to detect a codec change when using the "flv_metadata" option. (cherry picked from commit e46a2a7309d8e8b8c1573047731dea77695d0ce1) Signed-off-by: Reinhard Tartler --- libavformat/flvdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 2821dd8c34..2f68653882 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -400,7 +400,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst acodec = astream ? astream->codec : NULL; vcodec = vstream ? vstream->codec : NULL; - if (amf_type == AMF_DATA_TYPE_NUMBER) { + if (amf_type == AMF_DATA_TYPE_NUMBER || amf_type == AMF_DATA_TYPE_BOOL) { if (!strcmp(key, "duration")) s->duration = num_val * AV_TIME_BASE; else if (!strcmp(key, "videodatarate") && vcodec && 0 <= (int)(num_val * 1024.0)) 
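Review bot: `((int)num_val) << FLV_AUDIO_CODECID_OFFSET` in the `audiocodecid` branch converts and shifts a metadata value from the file without a range check. If `num_val` is the AMF double (its declaration is outside the hunk), a negative or out-of-range value makes the conversion or the left shift undefined. Bounding it to the width of the codec-id field first avoids that: `if (num_val >= 0 && num_val <= (FLV_AUDIO_CODECID_MASK >> FLV_AUDIO_CODECID_OFFSET))` around the cast and the `flv_set_audio_codec()` call. A NaN also fails that test and is skipped.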
@@ -422,6 +422,13 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, AVStream *vst } else if (!strcmp(key, "audiosamplerate") && acodec) { acodec->sample_rate = num_val; + } else if (!strcmp(key, "audiosamplesize") && acodec) { + acodec->bits_per_coded_sample = num_val; + } else if (!strcmp(key, "stereo") && acodec) { + acodec->channels = num_val + 1; + acodec->channel_layout = acodec->channels == 2 ? + AV_CH_LAYOUT_STEREO : + AV_CH_LAYOUT_MONO; } else if (!strcmp(key, "width") && vcodec) { vcodec->width = num_val; From f074618a9f73c45398237b042152af7553217aad Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Thu, 21 Feb 2013 12:39:20 +0100 Subject: [PATCH 0259/1037] configure: Refactor dxva2api.h dependency declarations (cherry picked from commit 215cdd35efd625ec28ef5846f1692b18f7c2c230) Fixes Bug: #482 --- configure | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/configure b/configure index aa31ea0364..05e75b73f7 100755 --- a/configure +++ b/configure 
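Review bot: The new `stereo` branch computes `acodec->channels = num_val + 1`, so a file that sends `stereo` as a number other than 0 or 1 sets an arbitrary channel count while `channel_layout` falls back to mono. The key is a flag, and treating it as one removes the dependence on the value: `acodec->channels = num_val ? 2 : 1;`. `audiosamplesize` is likewise stored into `bits_per_coded_sample` unchecked; whether later code validates it is outside the hunk. amf_parse_object starts and ends outside both hunks of this patch.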
@@ -1604,25 +1604,26 @@ zmbv_decoder_select="zlib" zmbv_encoder_select="zlib" # hardware accelerators +dxva2_deps="dxva2api_h" vaapi_deps="va_va_h" vda_deps="VideoDecodeAcceleration_VDADecoder_h pthreads" vdpau_deps="vdpau_vdpau_h vdpau_vdpau_x11_h" h263_vaapi_hwaccel_select="vaapi h263_decoder" -h264_dxva2_hwaccel_deps="dxva2api_h" -h264_dxva2_hwaccel_select="dxva2 h264_decoder" +h264_dxva2_hwaccel_deps="dxva2" +h264_dxva2_hwaccel_select="h264_decoder" h264_vaapi_hwaccel_select="vaapi h264_decoder" h264_vda_hwaccel_select="vda h264_decoder" h264_vdpau_decoder_select="vdpau h264_decoder" mpeg_vdpau_decoder_select="vdpau mpegvideo_decoder" mpeg1_vdpau_decoder_select="vdpau mpeg1video_decoder" -mpeg2_dxva2_hwaccel_deps="dxva2api_h" -mpeg2_dxva2_hwaccel_select="dxva2 mpeg2video_decoder" +mpeg2_dxva2_hwaccel_deps="dxva2" +mpeg2_dxva2_hwaccel_select="mpeg2video_decoder" mpeg2_vaapi_hwaccel_select="vaapi mpeg2video_decoder" mpeg4_vaapi_hwaccel_select="vaapi mpeg4_decoder" mpeg4_vdpau_decoder_select="vdpau mpeg4_decoder" -vc1_dxva2_hwaccel_deps="dxva2api_h" -vc1_dxva2_hwaccel_select="dxva2 vc1_decoder" +vc1_dxva2_hwaccel_deps="dxva2" +vc1_dxva2_hwaccel_select="vc1_decoder" vc1_vaapi_hwaccel_select="vaapi vc1_decoder" vc1_vdpau_decoder_select="vdpau vc1_decoder" wmv3_dxva2_hwaccel_select="vc1_dxva2_hwaccel" From fc6825ebb6585138e8ee2bb3484a04542c5d8b6a Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Wed, 27 Mar 2013 17:29:57 -0700 Subject: [PATCH 0260/1037] vp8: Fix pthread_cond and pthread_mutex leaks CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 1d6e618939c1ba9c333d513fc7826719dae34031) Signed-off-by: Reinhard Tartler --- libavcodec/vp8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 3b8f7d2a24..deb501548d 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c 
@@ -40,6 +40,10 @@ static void free_buffers(VP8Context *s) int i; if (s->thread_data) for (i = 0; i < MAX_THREADS; i++) { +#if HAVE_THREADS + pthread_cond_destroy(&s->thread_data[i].cond); + pthread_mutex_destroy(&s->thread_data[i].lock); +#endif av_freep(&s->thread_data[i].filter_strength); av_freep(&s->thread_data[i].edge_emu_buffer); } From c0f7df96627741c737022738ef4260beb85bf69c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 30 Mar 2013 09:46:06 +0100 Subject: [PATCH 0261/1037] oma: Validate sample rates The sample rate index is 3 bits even if currently index 5, 6 and 7 are not supported. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 0933fd1533560fbc718026e12f19a4824b041237) Signed-off-by: Reinhard Tartler --- libavformat/oma.c | 2 +- libavformat/oma.h | 2 +- libavformat/omadec.c | 17 +++++++++++++---- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/libavformat/oma.c b/libavformat/oma.c index f6454d97af..aaaf0b29a0 100644 --- a/libavformat/oma.c +++ b/libavformat/oma.c @@ -22,7 +22,7 @@ #include "oma.h" #include "libavcodec/avcodec.h" -const uint16_t ff_oma_srate_tab[6] = { 320, 441, 480, 882, 960, 0 }; +const uint16_t ff_oma_srate_tab[8] = { 320, 441, 480, 882, 960, 0 }; const AVCodecTag ff_oma_codec_tags[] = { { AV_CODEC_ID_ATRAC3, OMA_CODECID_ATRAC3 }, diff --git a/libavformat/oma.h b/libavformat/oma.h index bac8bcb736..1f0ddf9a88 100644 --- a/libavformat/oma.h +++ b/libavformat/oma.h @@ -37,7 +37,7 @@ enum { OMA_CODECID_WMA = 5, }; -extern const uint16_t ff_oma_srate_tab[6]; +extern const uint16_t ff_oma_srate_tab[8]; extern const AVCodecTag ff_oma_codec_tags[]; diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 2e565c1716..f6b6f13de6 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c 
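Review bot: The added `pthread_cond_destroy()` and `pthread_mutex_destroy()` calls run for all `MAX_THREADS` entries of `s->thread_data`. POSIX leaves destroying an object that was never initialized, or destroying it twice, undefined. If the allocation path initializes only the entries for the threads actually in use, or if free_buffers can run again before they are re-initialized, the loop needs the same bound or a per-entry initialized flag; both are outside the hunk. The return values are also ignored, which would hide an `EBUSY` from a mutex that is still locked.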
@@ -304,7 +304,11 @@ static int oma_read_header(AVFormatContext *s) switch (buf[32]) { case OMA_CODECID_ATRAC3: - samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7]*100; + samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; + if (!samplerate) { + av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); + return AVERROR_INVALIDDATA; + } if (samplerate != 44100) av_log_ask_for_sample(s, "Unsupported sample rate: %d\n", samplerate); @@ -335,9 +339,14 @@ static int oma_read_header(AVFormatContext *s) case OMA_CODECID_ATRAC3P: st->codec->channels = (codec_params >> 10) & 7; framesize = ((codec_params & 0x3FF) * 8) + 8; - st->codec->sample_rate = ff_oma_srate_tab[(codec_params >> 13) & 7]*100; - st->codec->bit_rate = st->codec->sample_rate * framesize * 8 / 1024; - avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate); + samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; + if (!samplerate) { + av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); + return AVERROR_INVALIDDATA; + } + st->codec->sample_rate = samplerate; + st->codec->bit_rate = samplerate * framesize * 8 / 1024; + avpriv_set_pts_info(st, 64, 1, samplerate); av_log(s, AV_LOG_ERROR, "Unsupported codec ATRAC3+!\n"); break; case OMA_CODECID_MP3: From 83553838027401b6e2c415d6bfbf386404400b8e Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Mon, 18 Mar 2013 22:27:03 +0100 Subject: [PATCH 0262/1037] configure: Enable hwaccels without external dependencies by default. (cherry picked from commit 2e2ec667416d8ed345491ac360fccc94e7a4772f) This is a fixup for f074618 to reenable auto-detection of dxva in the build environment. Signed-off-by: Reinhard Tartler --- configure | 3 +++ 1 file changed, 3 insertions(+) diff --git a/configure b/configure index 05e75b73f7..6ab04ae322 100755 --- a/configure +++ b/configure 
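Review bot: In the ATRAC3P case the rewritten `st->codec->bit_rate = samplerate * framesize * 8 / 1024;` can overflow a signed int. `framesize` reaches 8192 from the line above and the table yields up to 96000, so the product before the division exceeds `INT_MAX` if both variables are `int` (their declarations are outside the hunk). Dividing first gives the same value without the large intermediate: `st->codec->bit_rate = samplerate * framesize / 128;`. oma_read_header continues outside both hunks.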
@@ -1845,6 +1845,9 @@ enable safe_bitstream_reader enable static enable swscale_alpha +# By default, enable only those hwaccels that have no external dependencies. +enable dxva2 vdpau + # build settings SHFLAGS='-shared -Wl,-soname,$$(@F)' AVSERVERLDFLAGS=-Wl,-E From 8ba3198549b9b21386022a245efb67470cca5644 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 30 Mar 2013 08:41:46 +0100 Subject: [PATCH 0263/1037] Write broken aac frames to mov files instead of skipping them. Fixes decoding with picky media players. Signed-off-by: Michael Niedermayer (cherry picked from commit b448c0a68d0cc7dfef736267dfdaed0e213c020b) --- libavformat/movenc.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 780e044bd0..bc50ccd8e0 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -3166,6 +3166,14 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) memcpy(trk->vos_data, enc->extradata, trk->vos_len); } + if (enc->codec_id == AV_CODEC_ID_AAC && pkt->size > 2 && + (AV_RB16(pkt->data) & 0xfff0) == 0xfff0) { + if (!s->streams[pkt->stream_index]->nb_frames) { + av_log(s, AV_LOG_ERROR, "malformated aac bitstream, use -absf aac_adtstoasc\n"); + return -1; + } + av_log(s, AV_LOG_WARNING, "aac bitstream error\n"); + } if (enc->codec_id == AV_CODEC_ID_H264 && trk->vos_len > 0 && *(uint8_t *)trk->vos_data != 1) { /* from x264 or from bytestream h264 */ /* nal reformating needed */ @@ -3176,13 +3184,6 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) } else { size = ff_avc_parse_nal_units(pb, pkt->data, pkt->size); } - } else if (enc->codec_id == AV_CODEC_ID_AAC && pkt->size > 2 && - (AV_RB16(pkt->data) & 0xfff0) == 0xfff0) { - if (!s->streams[pkt->stream_index]->nb_frames) { - av_log(s, AV_LOG_ERROR, "malformated aac bitstream, use -absf aac_adtstoasc\n"); - return -1; - } - av_log(s, AV_LOG_WARNING, "aac bitstream error\n"); } else { avio_write(pb, pkt->data, size); } 
From 5ee539f69d9ab5369bc13819e33cff1bb55075e8 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 3 Apr 2013 12:57:58 +0000 Subject: [PATCH 0264/1037] smacker: fix off by one error Regression since a93b572ae4f517ce0c35cf085167c318e9215908. Fixes #2426. Signed-off-by: Paul B Mahol (cherry picked from commit e3cc92a623a6ece42816c7a692c8815688a99ab0) --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 883a2b7254..84481e22a6 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -276,7 +276,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } else if(t & 0x40){ /* copy with offset */ off = avio_r8(s->pb); j = (t & 0x3F) + 1; - if (off + j > 0xff) { + if (off + j - 1 > 0xff) { av_log(s, AV_LOG_ERROR, "Invalid palette update, offset=%d length=%d extends beyond palette size\n", off, j); From bb46240cbb5d8d3e0274d5dc879a45e1826d21ce Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 3 Apr 2013 15:45:46 +0200 Subject: [PATCH 0265/1037] Skip padding in an id3 tag in aiff files. Fixes ticket #2430. Reviewed-by: Matthieu Bouron (cherry picked from commit db2d3a90825025b2f5da85792e1df33280c61391) --- libavformat/aiffdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 8d466fa815..4a2629888b 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -192,7 +192,7 @@ static int aiff_probe(AVProbeData *p) static int aiff_read_header(AVFormatContext *s) { int ret, size, filesize; - int64_t offset = 0; + int64_t offset = 0, position; uint32_t tag; unsigned version = AIFF_C_VERSION1; AVIOContext *pb = s->pb; 
@@ -236,6 +236,7 @@ static int aiff_read_header(AVFormatContext *s) goto got_sound; break; case MKTAG('I', 'D', '3', ' '): + position = avio_tell(pb); ff_id3v2_read(s, ID3v2_DEFAULT_MAGIC, &id3v2_extra_meta); if (id3v2_extra_meta) if ((ret = ff_id3v2_parse_apic(s, &id3v2_extra_meta)) < 0) { @@ -243,6 +244,8 @@ static int aiff_read_header(AVFormatContext *s) return ret; } ff_id3v2_free_extra_meta(&id3v2_extra_meta); + if (position + size > avio_tell(pb)) + avio_skip(pb, position + size - avio_tell(pb)); break; case MKTAG('F', 'V', 'E', 'R'): /* Version chunk */ version = avio_rb32(pb); From 34ecaf6e888886badaea6470aa0e9e76595fb8fd Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 17 Mar 2013 16:14:58 +0100 Subject: [PATCH 0266/1037] avfiltergraph: check for sws opts being non-NULL before using them. Avoid snprintfing a NULL pointer. CC: libav-stable@libav.org (cherry picked from commit 6e3c13a559e9ff300b5ca60e1d503e594d7f055c) Signed-off-by: Reinhard Tartler --- libavfilter/avfiltergraph.c | 7 ++++++- libavfilter/graphparser.c | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index f5c9984b6a..d27b1b21ce 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -24,6 +24,7 @@ #include #include "libavutil/avassert.h" +#include "libavutil/avstring.h" #include "libavutil/channel_layout.h" #include "libavutil/common.h" #include "libavutil/log.h" 
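Review bot: In the ID3 case of aiff_read_header the new resynchronisation only covers the reader stopping short of the chunk end. If ff_id3v2_read() consumes more than `size` bytes, the position stays past the chunk boundary and the next tag is read from the wrong offset. avio_tell() is also called twice, and a negative return from it is not handled. Caching the values makes both cases explicit: `int64_t end = position + size, cur = avio_tell(pb);` then `if (cur >= 0 && cur < end) avio_skip(pb, end - cur);`, with `cur > end` treated as invalid data. The function body extends outside both hunks.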
@@ -220,7 +221,11 @@ static int query_formats(AVFilterGraph *graph, AVClass *log_ctx) snprintf(inst_name, sizeof(inst_name), "auto-inserted scaler %d", scaler_count++); - snprintf(scale_args, sizeof(scale_args), "0:0:%s", graph->scale_sws_opts); + av_strlcpy(scale_args, "0:0", sizeof(scale_args)); + if (graph->scale_sws_opts) { + av_strlcat(scale_args, ":", sizeof(scale_args)); + av_strlcat(scale_args, graph->scale_sws_opts, sizeof(scale_args)); + } if ((ret = avfilter_graph_create_filter(&convert, filter, inst_name, scale_args, NULL, graph)) < 0) diff --git a/libavfilter/graphparser.c b/libavfilter/graphparser.c index 04339c8138..7ce60c16e0 100644 --- a/libavfilter/graphparser.c +++ b/libavfilter/graphparser.c @@ -123,7 +123,8 @@ static int create_filter(AVFilterContext **filt_ctx, AVFilterGraph *ctx, int ind return ret; } - if (!strcmp(filt_name, "scale") && args && !strstr(args, "flags")) { + if (!strcmp(filt_name, "scale") && args && !strstr(args, "flags") && + ctx->scale_sws_opts) { snprintf(tmp_args, sizeof(tmp_args), "%s:%s", args, ctx->scale_sws_opts); args = tmp_args; From 05015d03da1d745bb92915b5cea92dec16af719f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 28 Mar 2013 11:52:52 +0100 Subject: [PATCH 0267/1037] matroska: fix a corner case in ebml-lace parsing Make sure we notice when the lace_size[n] is a negative value. CC: libav-stable@libav.org (cherry picked from commit 8a96df7b70be509dae9ceec82d2c10a20361356d) Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 86ff477d85..962493c72e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
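Review bot: In query_formats (libavfilter/avfiltergraph.c) the return values of av_strlcpy()/av_strlcat() are ignored, so a `graph->scale_sws_opts` string that does not fit in `scale_args` (declared outside the hunk) is silently truncated. The auto-inserted scaler would then be created with a different option string than the one configured. av_strlcat() returns the length it tried to build, so truncation can be reported: `if (av_strlcat(scale_args, graph->scale_sws_opts, sizeof(scale_args)) >= sizeof(scale_args)) return AVERROR(EINVAL);`. The snprintf() into `tmp_args` in the graphparser.c hunk has the same unchecked truncation.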
@@ -1821,7 +1821,7 @@ static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf, case 0x3: /* EBML lacing */ { uint64_t num; - uint32_t total; + uint64_t total; n = matroska_ebmlnum_uint(matroska, data, size, &num); if (n < 0) { av_log(matroska->ctx, AV_LOG_INFO, From b90816d94b0b5c01f451ff98cfbf1d5ddec9c3c1 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 27 Mar 2013 14:02:03 -0700 Subject: [PATCH 0268/1037] matroska: Update the available size after lace parsing Fix heap-buffer-overflow in matroska_parse_block for corrupted real media in mkv files. CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit fc43c19a567aa945398dccb491d972c11ec2a065) Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 962493c72e..5e94b725f8 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1757,10 +1757,10 @@ static void matroska_clear_queue(MatroskaDemuxContext *matroska) } static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf, - int size, int type, + int* buf_size, int type, uint32_t **lace_buf, int *laces) { - int res = 0, n; + int res = 0, n, size = *buf_size; uint8_t *data = *buf; uint32_t *lace_size; @@ -1858,6 +1858,7 @@ static int matroska_parse_laces(MatroskaDemuxContext *matroska, uint8_t **buf, *buf = data; *lace_buf = lace_size; + *buf_size = size; return res; } @@ -2052,7 +2053,7 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, matroska->skip_to_keyframe = 0; } - res = matroska_parse_laces(matroska, &data, size, (flags & 0x06) >> 1, + res = matroska_parse_laces(matroska, &data, &size, (flags & 0x06) >> 1, &lace_size, &laces); if (res) From 09e391abd81c3298e230bebb3c4ce159a259d871 Mon Sep 17 00:00:00 2001 
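Review bot: In patch 0268, matroska_parse_laces now takes `int* buf_size`, which breaks the declarator style of the neighbouring parameters (`uint8_t **buf`, `uint32_t **lace_buf`, `int *laces`); write it as `int *buf_size`. The parameter has become in/out, so a short comment above the function would help callers, for example `/* *buf_size: in = bytes available, out = bytes left after the lace header (presumably; confirm) */`. The function body is only partly visible in these hunks.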
From: Luca Barbato Date: Fri, 29 Mar 2013 12:51:51 +0100 Subject: [PATCH 0269/1037] matroska: pass the lace size to the matroska_parse_rm_audio Each lace must be independent according to the specification. Fix heap-buffer-overflow in matroska_parse_block for corrupted real media in mkv files. Stricter check than fc43c19a567aa945398dccb491d972c11ec2a065 CC: libav-stable@libav.org (cherry picked from commit 25a80a931a3829f9d730971dbd269aa39cc273f6) Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 5e94b725f8..147c24cf86 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2081,7 +2081,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, st->codec->codec_id == AV_CODEC_ID_ATRAC3) && st->codec->block_align && track->audio.sub_packet_size) { - res = matroska_parse_rm_audio(matroska, track, st, data, size, + res = matroska_parse_rm_audio(matroska, track, st, data, + lace_size[n], timecode, duration, pos); if (res) goto end; @@ -2097,7 +2098,6 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, if (timecode != AV_NOPTS_VALUE) timecode = duration ? timecode + duration : AV_NOPTS_VALUE; data += lace_size[n]; - size -= lace_size[n]; } end: From 75948682969694613e5226cd48c248eacfa9a425 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Mar 2013 10:34:47 +0100 Subject: [PATCH 0270/1037] xmv: do not leak memory in the error paths in xmv_read_header() CC: libav-stable@libav.org (cherry picked from commit f8080bd13b5f7fc48204b17fa59a5ce9feb15f07) Signed-off-by: Reinhard Tartler --- libavformat/xmv.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 3f926eff9c..6c46a23e86 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c 
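Review bot: With `size -= lace_size[n];` removed from the lace loop in matroska_parse_block, nothing in the visible lines checks that `data + lace_size[n]` stays inside the block buffer. The loop now depends entirely on matroska_parse_laces() having validated the lace sizes against the updated `size`. That invariant deserves a comment at the loop, e.g. `/* lace sizes were validated against the block size in matroska_parse_laces() */`, or an explicit check before `data += lace_size[n];`. The loop begins outside the hunk, so an existing check may simply not be visible here.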
@@ -177,8 +177,10 @@ static int xmv_read_header(AVFormatContext *s) return AVERROR(ENOMEM); xmv->audio = av_malloc(xmv->audio_track_count * sizeof(XMVAudioPacket)); - if (!xmv->audio) - return AVERROR(ENOMEM); + if (!xmv->audio) { + ret = AVERROR(ENOMEM); + goto fail; + } for (audio_track = 0; audio_track < xmv->audio_track_count; audio_track++) { XMVAudioTrack *track = &xmv->audio_tracks[audio_track]; @@ -212,8 +214,10 @@ static int xmv_read_header(AVFormatContext *s) "(0x%04X)\n", track->flags); ast = avformat_new_stream(s, NULL); - if (!ast) - return AVERROR(ENOMEM); + if (!ast) { + ret = AVERROR(ENOMEM); + goto fail; + } ast->codec->codec_type = AVMEDIA_TYPE_AUDIO; ast->codec->codec_id = track->codec_id; From ba31b72f462cd95609d13713fff42b1b000a56c7 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Mar 2013 10:09:36 +0100 Subject: [PATCH 0271/1037] bmv: check for len being valid in bmv_decode_frame(). It can be 0 or -1 for invalid files, which may result in invalid memory access. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b88f902125ee808c8366e9dcb3f21e4c227483fc) Conflicts: libavcodec/bmv.c --- libavcodec/bmv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c index a7f21eceb2..bcb1380030 100644 --- a/libavcodec/bmv.c +++ b/libavcodec/bmv.c @@ -136,7 +136,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, mode += 1 + advance_mode; if (mode >= 4) mode -= 3; - if (FFABS(dst_end - dst) < len) + if (len <= 0 || FFABS(dst_end - dst) < len) return -1; switch (mode) { case 1: From 858864d350320dd807e349bda017026e61a47fe0 Mon Sep 17 00:00:00 2001 
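Review bot: Both hunks of patch 0270 to xmv_read_header assign `ret` and jump to `fail`, but neither a declaration of `ret` nor a `fail:` label is added here, and the diffstat (8 insertions, 4 deletions) is fully accounted for by these two hunks. Both appear only in the later patch 0272 ("xmv: check audio track parameters validity"). Unless the file already had them, libavformat/xmv.c does not build at this commit, which hurts bisecting the stable branch. Reordering the two cherry-picks, or moving `int ret;` and the `fail:` cleanup into this patch, would fix it.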
From: Anton Khirnov Date: Thu, 28 Mar 2013 10:33:02 +0100 Subject: [PATCH 0272/1037] xmv: check audio track parameters validity. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d1016dccdcb10486245e5d7c186cc31af54b2a9c) Signed-off-by: Reinhard Tartler --- libavformat/xmv.c | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 6c46a23e86..d491dec8f6 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -126,6 +126,16 @@ static int xmv_probe(AVProbeData *p) return 0; } +static int xmv_read_close(AVFormatContext *s) +{ + XMVDemuxContext *xmv = s->priv_data; + + av_free(xmv->audio); + av_free(xmv->audio_tracks); + + return 0; +} + static int xmv_read_header(AVFormatContext *s) { XMVDemuxContext *xmv = s->priv_data; @@ -135,6 +145,7 @@ static int xmv_read_header(AVFormatContext *s) uint32_t file_version; uint32_t this_packet_size; uint16_t audio_track; + int ret; avio_skip(pb, 4); /* Next packet size */ @@ -213,6 +224,13 @@ static int xmv_read_header(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream " "(0x%04X)\n", track->flags); + if (!track->channels || !track->sample_rate) { + av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n", + audio_track); + ret = AVERROR_INVALIDDATA; + goto fail; + } + ast = avformat_new_stream(s, NULL); if (!ast) { ret = AVERROR(ENOMEM); @@ -243,6 +261,10 @@ static int xmv_read_header(AVFormatContext *s) xmv->stream_count = xmv->audio_track_count + 1; return 0; + +fail: + xmv_read_close(s); + return ret; } static void xmv_read_extradata(uint8_t *extradata, AVIOContext *pb) 
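Review bot: xmv_read_close, which patch 0272 also makes the error path of xmv_read_header, releases `xmv->audio` and `xmv->audio_tracks` with av_free() and leaves both pointers dangling in the private context. If the close callback runs again after a failed header read (whether the caller does so is not visible here), the second call frees the same memory twice. Using `av_freep(&xmv->audio);` and `av_freep(&xmv->audio_tracks);` makes the cleanup idempotent at no cost.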
@@ -550,16 +572,6 @@ static int xmv_read_packet(AVFormatContext *s, return 0; } -static int xmv_read_close(AVFormatContext *s) -{ - XMVDemuxContext *xmv = s->priv_data; - - av_free(xmv->audio); - av_free(xmv->audio_tracks); - - return 0; -} - AVInputFormat ff_xmv_demuxer = { .name = "xmv", .long_name = NULL_IF_CONFIG_SMALL("Microsoft XMV"), From 62f9253781fa4534f10f8dbb0a2fea9377a8c87e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 27 Mar 2013 18:18:38 +0100 Subject: [PATCH 0273/1037] dfa: check for invalid access in decode_wdlt(). This can happen when the number of skipped lines is not consistent with the number of coded lines. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3623589edc7b1257bb45aa9e52c9631e133f22b6) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 119be7066c..332a53ee77 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -257,6 +257,8 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16(gb); } line_ptr = frame; + if (frame_end - frame < width) + return AVERROR_INVALIDDATA; frame += width; y++; while (segments--) { From 094a35aeefea6c0309e623811255e76bdda592ee Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 27 Mar 2013 17:56:59 +0100 Subject: [PATCH 0274/1037] lavf: make sure stream probe data gets freed. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dbb1425811a672eddf4acf0513237cdf20f83756) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index cd46caf3fd..085ae835ab 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -2671,6 +2671,7 @@ void avformat_free_context(AVFormatContext *s) if (st->attached_pic.data) av_free_packet(&st->attached_pic); av_dict_free(&st->metadata); + av_freep(&st->probe_data.buf); av_free(st->index_entries); av_free(st->codec->extradata); av_free(st->codec->subtitle_header); From 5ebdfbe893c4509f5be6d950fe5f5f25bf52c397 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Mar 2013 09:49:38 +0100 Subject: [PATCH 0275/1037] id3v2: pad the APIC packets as required by lavc. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavformat/id3v2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 4516ac74ef..7f39a47428 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -477,9 +477,10 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, char *tag } apic->len = taglen; - apic->data = av_malloc(taglen); + apic->data = av_malloc(taglen + FF_INPUT_BUFFER_PADDING_SIZE); if (!apic->data || avio_read(pb, apic->data, taglen) != taglen) goto fail; + memset(apic->data + taglen, 0, FF_INPUT_BUFFER_PADDING_SIZE); new_extra->tag = "APIC"; new_extra->data = apic; From 8f558c3e101859aec9adcb4b4b270ae1ef8f88b5 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Apr 2013 12:07:24 +0200 Subject: [PATCH 0276/1037] af_channelmap: sanity check input channel indices in all cases. Fixes invalid reads from non-existing channels. CC:libav-stable@libav.org (cherry picked from commit aafed1175df76603e94c99a7748968780d6548d2) Signed-off-by: Reinhard Tartler --- libavfilter/af_channelmap.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/libavfilter/af_channelmap.c b/libavfilter/af_channelmap.c index 8b72d5bc9f..c4b87daeef 100644 --- a/libavfilter/af_channelmap.c +++ b/libavfilter/af_channelmap.c 
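Review bot: In read_apic (libavformat/id3v2.c) the allocation size `taglen + FF_INPUT_BUFFER_PADDING_SIZE` is computed from the int `taglen` with no range check visible in the hunk. A non-positive or very large remaining length would therefore reach av_malloc() and the memset offset. A guard before the allocation keeps the padding arithmetic well defined: `if (taglen <= 0 || taglen > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE) goto fail;`. The function starts outside the hunk, so an earlier bound on `taglen` may already exist.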
@@ -362,23 +362,32 @@ static int channelmap_config_input(AVFilterLink *inlink) { AVFilterContext *ctx = inlink->dst; ChannelMapContext *s = ctx->priv; + int nb_channels = av_get_channel_layout_nb_channels(inlink->channel_layout); int i, err = 0; const char *channel_name; char layout_name[256]; - if (s->mode == MAP_PAIR_STR_INT || s->mode == MAP_PAIR_STR_STR) { - for (i = 0; i < s->nch; i++) { + for (i = 0; i < s->nch; i++) { + if (s->mode == MAP_PAIR_STR_INT || s->mode == MAP_PAIR_STR_STR) { s->map[i].in_channel_idx = av_get_channel_layout_channel_index( inlink->channel_layout, s->map[i].in_channel); - if (s->map[i].in_channel_idx < 0) { + } + + if (s->map[i].in_channel_idx < 0 || + s->map[i].in_channel_idx >= nb_channels) { + av_get_channel_layout_string(layout_name, sizeof(layout_name), + 0, inlink->channel_layout); + if (s->map[i].in_channel) { channel_name = av_get_channel_name(s->map[i].in_channel); - av_get_channel_layout_string(layout_name, sizeof(layout_name), - 0, inlink->channel_layout); av_log(ctx, AV_LOG_ERROR, "input channel '%s' not available from input layout '%s'\n", channel_name, layout_name); - err = AVERROR(EINVAL); + } else { + av_log(ctx, AV_LOG_ERROR, + "input channel #%d not available from input layout '%s'\n", + s->map[i].in_channel_idx, layout_name); } + err = AVERROR(EINVAL); } } From 4c412580fdb689638541790cda0a920d0c13bb7b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 10 Apr 2013 09:59:36 +0200 Subject: [PATCH 0277/1037] indeo3: fix data size check The data offsets are relative to the bistream header, which is 16 bytes after the start of the data. Fixes invalid reads with corrupted files. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 34e6af9e204ca6bb18d8cf8ec68fe19b0e083e95) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 261c651b52..2d199971c4 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -888,8 +888,7 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, if (ctx->data_size == 16) return 4; - if (ctx->data_size > buf_size) - ctx->data_size = buf_size; + ctx->data_size = FFMIN(ctx->data_size, buf_size - 16); buf_ptr += 3; // skip reserved byte and checksum From fa4192e31f4b9d3b6bf68daa5702926ae521e4ea Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 9 Apr 2013 20:33:25 +0200 Subject: [PATCH 0278/1037] rv10: check that extradata is large enough Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 01d376f598fe95478036f5d1e3e5e14ffe32d4bf) Conflicts: libavcodec/rv10.c --- libavcodec/rv10.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 9239cf7d94..26af29ff26 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -347,6 +347,11 @@ static int rv20_decode_picture_header(RVDecContext *rv) f = get_bits(&s->gb, rpr_bits); if(f){ + if (s->avctx->extradata_size < 8 + 2 * f) { + av_log(s->avctx, AV_LOG_ERROR, "Extradata too small.\n"); + return AVERROR_INVALIDDATA; + } + new_w= 4*((uint8_t*)s->avctx->extradata)[6+2*f]; new_h= 4*((uint8_t*)s->avctx->extradata)[7+2*f]; }else{ From b0b33ce14806ac11860c982d701505538430437b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 16 Apr 2013 09:41:28 +0200 Subject: [PATCH 0279/1037] indeo3: check motion vectors. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit a0a872d0733f60876b0c93f236bc4606f36fbf89) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 2d199971c4..a59d404860 100644 --- a/libavcodec/indeo3.c 
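Review bot: In decode_frame_headers (patch 0277), `FFMIN(ctx->data_size, buf_size - 16)` produces a negative size when `buf_size` is below 16, and no minimum-size check is visible in the hunk. A negative `data_size` would then flow into the later offset validation instead of being rejected up front. Rejecting short packets at the top of the function, e.g. `if (buf_size <= 16) return AVERROR_INVALIDDATA;`, avoids that. The function starts outside the hunk, so such a check may already be present.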
+++ b/libavcodec/indeo3.c @@ -223,7 +223,7 @@ static av_cold void free_frame_buffers(Indeo3DecodeContext *ctx) * @param plane pointer to the plane descriptor * @param cell pointer to the cell descriptor */ -static void copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) +static int copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) { int h, w, mv_x, mv_y, offset, offset_dst; uint8_t *src, *dst; @@ -233,6 +233,16 @@ static void copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) dst = plane->pixels[ctx->buf_sel] + offset_dst; mv_y = cell->mv_ptr[0]; mv_x = cell->mv_ptr[1]; + + /* -1 because there is an extra line on top for prediction */ + if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || + ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || + ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + av_log(ctx->avctx, AV_LOG_ERROR, + "Motion vectors point out of the frame.\n"); + return AVERROR_INVALIDDATA; + } + offset = offset_dst + mv_y * plane->pitch + mv_x; src = plane->pixels[ctx->buf_sel ^ 1] + offset; @@ -260,6 +270,8 @@ static void copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) dst += 4; } } + + return 0; } 
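Review bot: The upper bounds in the new copy_cell check use `>=`, which appears to reject a cell that touches the bottom or right plane edge with a zero motion vector. In that case `((cell->ypos + cell->height) << 2) + mv_y` equals `plane->height` although the referenced block still lies inside the plane. If the cell extents are exclusive ends, as the arithmetic suggests, the comparisons should be `> plane->height` and `> plane->width`. The identical four-line condition is repeated in the decode_cell hunk of this patch, so a small static helper taking the plane, the cell and the vector would keep the two copies in sync.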
@@ -585,11 +597,23 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx, } else if (mode >= 10) { /* for mode 10 and 11 INTER first copy the predicted cell into the current one */ /* so we don't need to do data copying for each RLE code later */ - copy_cell(ctx, plane, cell); + int ret = copy_cell(ctx, plane, cell); + if (ret < 0) + return ret; } else { /* set the pointer to the reference pixels for modes 0-4 INTER */ mv_y = cell->mv_ptr[0]; mv_x = cell->mv_ptr[1]; + + /* -1 because there is an extra line on top for prediction */ + if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || + ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || + ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + av_log(ctx->avctx, AV_LOG_ERROR, + "Motion vectors point out of the frame.\n"); + return AVERROR_INVALIDDATA; + } + offset += mv_y * plane->pitch + mv_x; ref_block = plane->pixels[ctx->buf_sel ^ 1] + offset; } @@ -721,7 +745,7 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx, const int depth, const int strip_width) { Cell curr_cell; - int bytes_used; + int bytes_used, ret; if (depth <= 0) { av_log(avctx, AV_LOG_ERROR, "Stack overflow (corrupted binary tree)!\n"); @@ -772,8 +796,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx, CHECK_CELL if (!curr_cell.mv_ptr) return AVERROR_INVALIDDATA; - copy_cell(ctx, plane, &curr_cell); - return 0; + ret = copy_cell(ctx, plane, &curr_cell); + return ret; } break; case INTER_DATA: From 95db1624ef98ccc4ba7ff70d50c4b4d0f8ffed54 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 10 Apr 2013 09:40:20 +0200 Subject: [PATCH 0280/1037] indeo3: switch parsing the header to bytestream2 Also add an additional sanity check to the alt_quant table. Fixes invalid reads with corrupted files. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 66531d634e75b834e89e4a6a0f7470ca018712a1) 
Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index a59d404860..eacd15043a 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -880,17 +880,20 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx, static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, const uint8_t *buf, int buf_size) { - const uint8_t *buf_ptr = buf, *bs_hdr; + GetByteContext gb; + const uint8_t *bs_hdr; uint32_t frame_num, word2, check_sum, data_size; uint32_t y_offset, u_offset, v_offset, starts[3], ends[3]; uint16_t height, width; int i, j; + bytestream2_init(&gb, buf, buf_size); + /* parse and check the OS header */ - frame_num = bytestream_get_le32(&buf_ptr); - word2 = bytestream_get_le32(&buf_ptr); - check_sum = bytestream_get_le32(&buf_ptr); - data_size = bytestream_get_le32(&buf_ptr); + frame_num = bytestream2_get_le32(&gb); + word2 = bytestream2_get_le32(&gb); + check_sum = bytestream2_get_le32(&gb); + data_size = bytestream2_get_le32(&gb); if ((frame_num ^ word2 ^ data_size ^ OS_HDR_ID) != check_sum) { av_log(avctx, AV_LOG_ERROR, "OS header checksum mismatch!\n"); 
@@ -898,27 +901,27 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, } /* parse the bitstream header */ - bs_hdr = buf_ptr; + bs_hdr = gb.buffer; - if (bytestream_get_le16(&buf_ptr) != 32) { + if (bytestream2_get_le16(&gb) != 32) { av_log(avctx, AV_LOG_ERROR, "Unsupported codec version!\n"); return AVERROR_INVALIDDATA; } ctx->frame_num = frame_num; - ctx->frame_flags = bytestream_get_le16(&buf_ptr); - ctx->data_size = (bytestream_get_le32(&buf_ptr) + 7) >> 3; - ctx->cb_offset = *buf_ptr++; + ctx->frame_flags = bytestream2_get_le16(&gb); + ctx->data_size = (bytestream2_get_le32(&gb) + 7) >> 3; + ctx->cb_offset = bytestream2_get_byte(&gb); if (ctx->data_size == 16) return 4; ctx->data_size = FFMIN(ctx->data_size, buf_size - 16); - buf_ptr += 3; // skip reserved byte and checksum + bytestream2_skip(&gb, 3); // skip reserved byte and checksum /* check frame dimensions */ - height = bytestream_get_le16(&buf_ptr); - width = bytestream_get_le16(&buf_ptr); + height = bytestream2_get_le16(&gb); + width = bytestream2_get_le16(&gb); if (av_image_check_size(width, height, 0, avctx)) return AVERROR_INVALIDDATA; @@ -944,9 +947,10 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, avcodec_set_dimensions(avctx, width, height); } - y_offset = bytestream_get_le32(&buf_ptr); - v_offset = bytestream_get_le32(&buf_ptr); - u_offset = bytestream_get_le32(&buf_ptr); + y_offset = bytestream2_get_le32(&gb); + v_offset = bytestream2_get_le32(&gb); + u_offset = bytestream2_get_le32(&gb); + bytestream2_skip(&gb, 4); /* unfortunately there is no common order of planes in the buffer */ /* so we use that sorting algo for determining planes data sizes */ 
@@ -965,6 +969,7 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->v_data_size = ends[1] - starts[1]; ctx->u_data_size = ends[2] - starts[2]; if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || + FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 || FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) { av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n"); return AVERROR_INVALIDDATA; @@ -973,7 +978,7 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->y_data_ptr = bs_hdr + y_offset; ctx->v_data_ptr = bs_hdr + v_offset; ctx->u_data_ptr = bs_hdr + u_offset; - ctx->alt_quant = buf_ptr + sizeof(uint32_t); + ctx->alt_quant = gb.buffer; if (ctx->data_size == 16) { av_log(avctx, AV_LOG_DEBUG, "Sync frame encountered!\n"); From d0c4d61c8bfdc074d6c20fb57760ac6b3200d9a9 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 9 Apr 2013 15:25:20 +0200 Subject: [PATCH 0281/1037] qdm2: check that the FFT size is a power of 2 Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 34f87a58532ed652a6e0283c1d044ee5df0aef0b) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index cfae824d95..17729d18c9 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1838,6 +1838,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Unknown FFT order (%d), contact the developers!\n", s->fft_order); return -1; } + if (s->fft_size != (1 << (s->fft_order - 1))) { + av_log(avctx, AV_LOG_ERROR, "FFT size %d not power of 2.\n", s->fft_size); + return AVERROR_INVALIDDATA; + } ff_rdft_init(&s->rdft_ctx, s->fft_order, IDFT_C2R); ff_mpadsp_init(&s->mpadsp); From 43039f9386d2d81eb39a9737b1c622bb83af36f8 Mon Sep 17 00:00:00 2001 
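Review bot: The new lower bound `FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16` in decode_frame_headers uses a bare 16 whose meaning is only implied by the later `ctx->alt_quant = gb.buffer;`. A comment would make the check reviewable, e.g. `/* plane data must start after the 16-byte alt_quant table that follows the offsets */`, assuming that is what the constant stands for. Reading `gb.buffer` directly also ties the code to the GetByteContext layout; `bytestream2_tell(&gb)` gives the same position relative to the start of the packet.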
From: Anton Khirnov Date: Mon, 8 Apr 2013 22:12:12 +0200 Subject: [PATCH 0282/1037] svq1dec: check that the reference frame has the same dimensions as the current one They can be different if the last keyframe failed to decode correctly. Fixes possible invalid reads in such a case. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit b1bb8fb860b47e90dd67f0c5740698128fc82dcc) Signed-off-by: Reinhard Tartler --- libavcodec/svq1dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 515604222b..19ff8d6594 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -692,7 +692,8 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, } else { /* delta frame */ uint8_t *previous = s->prev->data[i]; - if (!previous) { + if (!previous || + s->prev->width != s->width || s->prev->height != s->height) { av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n"); result = AVERROR_INVALIDDATA; goto err; From a3410b5a1fcb4e965ceb40aa4d4a935df8a32f05 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 8 Apr 2013 22:15:54 +0200 Subject: [PATCH 0283/1037] svq1dec: clip motion vectors to the frame size. Fixes invalid reads for corrupted files. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit ecff5acb5a738fcb4f9e206a12070dac4bf259b3) Signed-off-by: Reinhard Tartler --- libavcodec/svq1dec.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 19ff8d6594..82f9301e93 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c 
@@ -322,7 +322,8 @@ static void svq1_skip_block(uint8_t *current, uint8_t *previous, static int svq1_motion_inter_block(DSPContext *dsp, GetBitContext *bitbuf, uint8_t *current, uint8_t *previous, - int pitch, svq1_pmv *motion, int x, int y) + int pitch, svq1_pmv *motion, int x, int y, + int width, int height) { uint8_t *src; uint8_t *dst; @@ -352,10 +353,8 @@ static int svq1_motion_inter_block(DSPContext *dsp, GetBitContext *bitbuf, motion[x / 8 + 2].y = motion[x / 8 + 3].y = mv.y; - if (y + (mv.y >> 1) < 0) - mv.y = 0; - if (x + (mv.x >> 1) < 0) - mv.x = 0; + mv.x = av_clip(mv.x, -2 * x, 2 * (width - x - 16)); + mv.y = av_clip(mv.y, -2 * y, 2 * (height - y - 16)); src = &previous[(x + (mv.x >> 1)) + (y + (mv.y >> 1)) * pitch]; dst = current; @@ -367,7 +366,8 @@ static int svq1_motion_inter_block(DSPContext *dsp, GetBitContext *bitbuf, static int svq1_motion_inter_4v_block(DSPContext *dsp, GetBitContext *bitbuf, uint8_t *current, uint8_t *previous, - int pitch, svq1_pmv *motion, int x, int y) + int pitch, svq1_pmv *motion, int x, int y, + int width, int height) { uint8_t *src; uint8_t *dst; @@ -427,10 +427,8 @@ static int svq1_motion_inter_4v_block(DSPContext *dsp, GetBitContext *bitbuf, int mvy = pmv[i]->y + (i >> 1) * 16; // FIXME: clipping or padding? - if (y + (mvy >> 1) < 0) - mvy = 0; - if (x + (mvx >> 1) < 0) - mvx = 0; + mvx = av_clip(mvx, -2 * x, 2 * (width - x - 8)); + mvy = av_clip(mvy, -2 * y, 2 * (height - y - 8)); src = &previous[(x + (mvx >> 1)) + (y + (mvy >> 1)) * pitch]; dst = current; @@ -450,7 +448,8 @@ static int svq1_motion_inter_4v_block(DSPContext *dsp, GetBitContext *bitbuf, static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp, GetBitContext *bitbuf, uint8_t *current, uint8_t *previous, - int pitch, svq1_pmv *motion, int x, int y) + int pitch, svq1_pmv *motion, int x, int y, + int width, int height) { uint32_t block_type; int result = 0; 
@@ -475,7 +474,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp, case SVQ1_BLOCK_INTER: result = svq1_motion_inter_block(dsp, bitbuf, current, previous, - pitch, motion, x, y); + pitch, motion, x, y, width, height); if (result != 0) { av_dlog(avctx, "Error in svq1_motion_inter_block %i\n", result); @@ -486,7 +485,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp, case SVQ1_BLOCK_INTER_4V: result = svq1_motion_inter_4v_block(dsp, bitbuf, current, previous, - pitch, motion, x, y); + pitch, motion, x, y, width, height); if (result != 0) { av_dlog(avctx, "Error in svq1_motion_inter_4v_block %i\n", result); @@ -706,7 +705,7 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, result = svq1_decode_delta_block(avctx, &s->dsp, &s->gb, ¤t[x], previous, linesize, - pmv, x, y); + pmv, x, y, width, height); if (result != 0) { av_dlog(avctx, "Error in svq1_decode_delta_block %i\n", From c8462bd17f35f435192281a2ea4ce8008a7398d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Sep 2012 22:00:52 +0200 Subject: [PATCH 0284/1037] mp3dec: fallback to generic seeking when a TOC is not present Fixes seeking without a Xing/Info header. CC: libav-stable@libav.org Signed-off-by: Anton Khirnov (cherry picked from commit 505642f18276aed03278ac91b1f334ea888eac6a) Signed-off-by: Reinhard Tartler --- libavformat/mp3dec.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 48deefd126..9da9aa8b16 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -35,6 +35,10 @@ #define XING_TOC_COUNT 100 +typedef struct MP3DecContext { + int xing_toc; +} MP3DecContext; + /* mp3 read */ static int mp3_read_probe(AVProbeData *p) 
@@ -100,6 +104,7 @@ static int mp3_read_probe(AVProbeData *p) static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration) { int i; + MP3DecContext *mp3 = s->priv_data; if (!filesize && !(filesize = avio_size(s->pb))) { @@ -115,6 +120,7 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration av_rescale(i, duration, XING_TOC_COUNT), 0, 0, AVINDEX_KEYFRAME); } + mp3->xing_toc = 1; } /** @@ -238,11 +244,15 @@ static int mp3_read_packet(AVFormatContext *s, AVPacket *pkt) static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { + MP3DecContext *mp3 = s->priv_data; AVIndexEntry *ie; AVStream *st = s->streams[0]; int64_t ret = av_index_search_timestamp(st, timestamp, flags); uint32_t header = 0; + if (!mp3->xing_toc) + return AVERROR(ENOSYS); + if (ret < 0) return ret; @@ -270,6 +280,7 @@ AVInputFormat ff_mp3_demuxer = { .read_header = mp3_read_header, .read_packet = mp3_read_packet, .read_seek = mp3_seek, + .priv_data_size = sizeof(MP3DecContext), .flags = AVFMT_GENERIC_INDEX, .extensions = "mp2,mp3,m2a", /* XXX: use probe */ }; From d70bad04de8a9bc16188e766bd3b02fd35fa28af Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 9 Jan 2013 20:49:34 +0100 Subject: [PATCH 0285/1037] oggdec: fix faulty cleanup prototype (cherry picked from commit fba8e5b608577fc660989d0057a55818254a3744) Signed-off-by: Reinhard Tartler --- libavformat/oggparsevorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index fbe6c4fb41..bb41b52ca2 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -192,7 +192,7 @@ fixup_vorbis_headers(AVFormatContext * as, struct oggvorbis_private *priv, return offset; } -static int vorbis_cleanup(AVFormatContext *s, int idx) +static void vorbis_cleanup(AVFormatContext *s, int idx) { struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; 
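Review bot: In mp3_seek the `av_index_search_timestamp()` call in the declarations still runs before the new `!mp3->xing_toc` test, so the index is searched and the result discarded on every seek that takes the fallback. Moving the test above the lookup and assigning `ret` afterwards avoids that. The choice of error code also deserves a comment such as `/* no Xing TOC: fail here so the caller falls back to generic seeking */`, because the fallback itself is not visible in this file. The function body continues outside the hunk.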
From c046890191628b607e479e4845d48acc9c879143 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 20 Apr 2013 13:36:44 +0200 Subject: [PATCH 0286/1037] riff: check for eof if chunk size and code are 0 Prevent an infinite loop. Inspired by a patch from Michael Niedermayer CC: libav-stable@libav.org Signed-off-by: Diego Biurrun (cherry picked from commit 8e329dba378cef0ff6400c7df9c51da167d5a1f0) Signed-off-by: Reinhard Tartler --- libavformat/riff.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/riff.c b/libavformat/riff.c index 79b2670481..e9463c0973 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -728,6 +728,10 @@ int ff_read_riff_info(AVFormatContext *s, int64_t size) if (!chunk_code) { if (chunk_size) avio_skip(pb, chunk_size); + else if (pb->eof_reached) { + av_log(s, AV_LOG_WARNING, "truncated file\n"); + return AVERROR_EOF; + } continue; } From 6cad940989d321034e5dcabc5bd9a27f46bb0725 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 21 Apr 2013 18:51:33 +0200 Subject: [PATCH 0287/1037] update Changelog --- Changelog | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Changelog b/Changelog index b7f7e94f6a..ca9db5a1c5 100644 --- a/Changelog +++ b/Changelog 
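Review bot: The added `pb->eof_reached` test in ff_read_riff_info only runs on the branch where both `chunk_code` and `chunk_size` are zero, and the reason that combination signals truncation is not stated. A comment such as `/* reads past EOF return 0, so a zero code and size may mean the file ended */` would make the loop-termination argument explicit. The result of `avio_skip(pb, chunk_size)` on the other branch is still ignored, so a failed skip over an oversized `chunk_size` relies on the loop condition outside the hunk to stop. That is presumably the case, but it is worth confirming.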
@@ -1,6 +1,36 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.5: + +Most of the following fixes resulted from test samples that the Google +Security Team has kindly made available to us: + +- af_channelmap: sanity check input channel indices in all cases +- avfiltergraph: check for sws opts being non-NULL before using them +- bmv: check for len being valid in bmv_decode_frame() +- configure: Enable hwaccels without external dependencies by default +- dfa: check for invalid access in decode_wdlt() +- id3v2: pad the APIC packets as required by lavc +- indeo3: check motion vectors +- indeo3: fix data size check +- indeo3: switch parsing the header to bytestream2 +- lavf: make sure stream probe data gets freed +- matroska: Update the available size after lace parsing +- matroska: fix a corner case in ebml-lace parsing +- matroska: pass the lace size to the matroska_parse_rm_audio +- mp3dec: fallback to generic seeking when a TOC is not present +- oggdec: fix faulty cleanup prototype +- oma: Validate sample rates +- qdm2: check that the FFT size is a power of 2 +- riff: check for eof if chunk size and code are 0 to prevent an infinite loop +- rv10: check that extradata is large enough +- svq1dec: check that the reference frame has the same dimensions as the current one +- svq1dec: clip motion vectors to the frame size +- xmv: check audio track parameters validity +- xmv: do not leak memory in the error paths in xmv_read_header() + + version 9.4: - atrac3: avoid oversized shifting in decode_bytes() - eamad: allocate a dummy reference frame when the real one is missing From 46fd6e4f2ebbcd5a00847cdb05fe416466d06d37 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Sat, 27 Apr 2013 18:20:47 +0200 Subject: [PATCH 0288/1037] aac: check the maximum number of channels Broken bitstreams could report a larger than specified number of channels and cause outbound writes. CC:libav-stable@libav.org (cherry picked from commit a943a132f36f4df8fe2f749744677b71984abce7) Signed-off-by: Luca Barbato --- libavcodec/aacdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index d10a482cad..dec6d01418 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -142,6 +142,8 @@ static av_cold int che_configure(AACContext *ac, enum ChannelPosition che_pos, int type, int id, int *channels) { + if (*channels >= MAX_CHANNELS) + return AVERROR_INVALIDDATA; if (che_pos) { if (!ac->che[type][id]) { if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement)))) From d8745de6ae6c6272fb33f696842cedae2c3eaad1 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 27 Apr 2013 18:01:51 +0200 Subject: [PATCH 0289/1037] indeo3: fix off by one in MV validity check CC:libav-stable@libav.org (cherry picked from commit 95220be1faac628d849a004644c0d102df0aa98b) Signed-off-by: Luca Barbato --- libavcodec/indeo3.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index eacd15043a..f2f7c09d98 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -236,8 +236,8 @@ static int copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) /* -1 because there is an extra line on top for prediction */ if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || - ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || - ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + ((cell->ypos + cell->height) << 2) + mv_y > plane->height || + ((cell->xpos + cell->width) << 2) + mv_x > plane->width) { av_log(ctx->avctx, AV_LOG_ERROR, "Motion vectors point out of the frame.\n"); return AVERROR_INVALIDDATA; 
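Review bot: The new guard in che_configure compares `*channels` with `MAX_CHANNELS` once on entry, which is sufficient only if each call consumes at most one channel slot. The rest of the function is outside the hunk; if an element type can advance `*channels` by two, a call entered with `*channels == MAX_CHANNELS - 1` would still pass, so the bound should account for the number of slots the element needs. The check also sits above `if (che_pos)`, so it applies to elements that are not being configured as well. It returns without an `av_log()` line, which makes the rejection hard to diagnose.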
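Review bot: The corrected bounds test in copy_cell is repeated verbatim in decode_cell (the hunk at -607), which is how the same off-by-one ended up in both places. A small static helper taking the plane, the cell and the two vector components would keep the two checks from drifting apart again. A comment on why `>` is the right operator would also help: the left-hand side is the exclusive end coordinate of the cell, so a value equal to `plane->height` or `plane->width` is still inside the plane.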
@@ -607,8 +607,8 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx, /* -1 because there is an extra line on top for prediction */ if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || - ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || - ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + ((cell->ypos + cell->height) << 2) + mv_y > plane->height || + ((cell->xpos + cell->width) << 2) + mv_x > plane->width) { av_log(ctx->avctx, AV_LOG_ERROR, "Motion vectors point out of the frame.\n"); return AVERROR_INVALIDDATA; From 5aac0811100ee5db9d03d7488b69cc321854da70 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 1 May 2013 19:01:11 +0200 Subject: [PATCH 0290/1037] id3v2: check for end of file while unescaping tags Prevent an out of buffer bound write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit af4cc2605c7a56ecfd84c264aa2b325020418472) Signed-off-by: Luca Barbato --- libavformat/id3v2.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 7f39a47428..5cc17c4f3e 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -626,9 +626,10 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t goto seek; } b = buffer; - while (avio_tell(s->pb) < end) { + while (avio_tell(s->pb) < end && !s->pb->eof_reached) { *b++ = avio_r8(s->pb); - if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1) { + if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1 && + !s->pb->eof_reached ) { uint8_t val = avio_r8(s->pb); *b++ = val ? val : avio_r8(s->pb); } From ddeb6eeeb1c1343ef40d276335e58a6d75ebd5ba Mon Sep 17 00:00:00 2001 
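Review bot: The unescaping loop in ff_id3v2_parse still bounds its writes through `b` by the stream position and the new `eof_reached` flag, never by the size of `buffer` itself. The allocation is outside the hunk, so whether `end` can exceed the space reserved for `buffer` cannot be judged from here. An explicit capacity test in the loop condition, `b - buffer < buf_len` (where `buf_len` is a placeholder for whatever holds the allocated size), would bound the write regardless of how the reader behaves. Each iteration can store two bytes, so the test has to leave room for both.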
From: Anton Khirnov Date: Tue, 16 Apr 2013 21:53:56 +0200 Subject: [PATCH 0291/1037] afifo: fix request_samples on the last frame in certain cases The current code can fail to return the last frame if it contains exactly the requested number of samples. Fixes the join filter test, which previously did not include the last 408 samples in most cases. CC:libav-stable@libav.org Signed-off-by: Diego Biurrun (cherry picked from commit 9bfc6e02bae9de354fb9ba09a8a140e83eeadf7d) Signed-off-by: Reinhard Tartler Conflicts: libavfilter/fifo.c tests/fate/filter-audio.mak --- libavfilter/fifo.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/libavfilter/fifo.c b/libavfilter/fifo.c index 88c44fe3b9..3faa84fd55 100644 --- a/libavfilter/fifo.c +++ b/libavfilter/fifo.c @@ -184,8 +184,25 @@ static int return_audio_frame(AVFilterContext *ctx) } while (s->buf_out->audio->nb_samples < s->allocated_samples) { - int len = FFMIN(s->allocated_samples - s->buf_out->audio->nb_samples, - head->audio->nb_samples); + int len; + + if (!s->root.next && + (ret = ff_request_frame(ctx->inputs[0])) < 0) { + if (ret == AVERROR_EOF) { + av_samples_set_silence(s->buf_out->extended_data, + s->buf_out->audio->nb_samples, + s->allocated_samples - + s->buf_out->audio->nb_samples, + nb_channels, link->format); + s->buf_out->audio->nb_samples = s->allocated_samples; + break; + } + return ret; + } + head = s->root.next->buf; + + len = FFMIN(s->allocated_samples - s->buf_out->audio->nb_samples, + head->audio->nb_samples); av_samples_copy(s->buf_out->extended_data, head->extended_data, s->buf_out->audio->nb_samples, 0, len, nb_channels, 
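Review bot: In return_audio_frame the relocated block dereferences `s->root.next->buf` right after `ff_request_frame()` reports success, which assumes that a non-negative return always means a buffer was queued. If the upstream filter can return 0 without delivering a frame, `s->root.next` is still NULL at that point. A guard before `head = s->root.next->buf;`, or an assertion documenting the invariant, would make the assumption explicit. On the `return ret` path the partially filled `s->buf_out` is left in place; whether it is released elsewhere is not visible in this hunk.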
@@ -195,21 +212,6 @@ static int return_audio_frame(AVFilterContext *ctx) if (len == head->audio->nb_samples) { avfilter_unref_buffer(head); queue_pop(s); - - if (!s->root.next && - (ret = ff_request_frame(ctx->inputs[0])) < 0) { - if (ret == AVERROR_EOF) { - av_samples_set_silence(s->buf_out->extended_data, - s->buf_out->audio->nb_samples, - s->allocated_samples - - s->buf_out->audio->nb_samples, - nb_channels, link->format); - s->buf_out->audio->nb_samples = s->allocated_samples; - break; - } - return ret; - } - head = s->root.next->buf; } else { buffer_offset(link, head, len); } From 0662967d2bbdbe90540eaa8c847f521fa4b75aab Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 26 Apr 2013 09:54:59 +0200 Subject: [PATCH 0292/1037] hls, segment: fix splitting for audio-only streams. CC:libav-stable@libav.org (cherry picked from commit cf679b9476727a237c8006c685ace18acba149ab) Signed-off-by: Reinhard Tartler --- libavformat/hlsenc.c | 12 +++++++----- libavformat/segment.c | 12 +++++++----- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 4f74b5f04b..c4c0217211 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c 
@@ -250,18 +250,20 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) AVFormatContext *oc = hls->avf; AVStream *st = s->streams[pkt->stream_index]; int64_t end_pts = hls->recording_time * hls->number; - int ret; + int ret, can_split = 1; if (hls->start_pts == AV_NOPTS_VALUE) { hls->start_pts = pkt->pts; hls->end_pts = pkt->pts; } - if ((hls->has_video && st->codec->codec_type == AVMEDIA_TYPE_VIDEO) && - av_compare_ts(pkt->pts - hls->start_pts, st->time_base, - end_pts, AV_TIME_BASE_Q) >= 0 && - pkt->flags & AV_PKT_FLAG_KEY) { + if (hls->has_video) { + can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO && + pkt->flags & AV_PKT_FLAG_KEY; + } + if (can_split && av_compare_ts(pkt->pts - hls->start_pts, st->time_base, + end_pts, AV_TIME_BASE_Q) >= 0) { ret = append_entry(hls, av_rescale(pkt->pts - hls->end_pts, st->time_base.num, st->time_base.den)); diff --git a/libavformat/segment.c b/libavformat/segment.c index 8afb41f93d..d79a32798e 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -272,13 +272,15 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt) AVFormatContext *oc = seg->avf; AVStream *st = s->streams[pkt->stream_index]; int64_t end_pts = seg->recording_time * seg->number; - int ret; + int ret, can_split = 1; - if ((seg->has_video && st->codec->codec_type == AVMEDIA_TYPE_VIDEO) && - av_compare_ts(pkt->pts, st->time_base, - end_pts, AV_TIME_BASE_Q) >= 0 && - pkt->flags & AV_PKT_FLAG_KEY) { + if (seg->has_video) { + can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO && + pkt->flags & AV_PKT_FLAG_KEY; + } + if (can_split && av_compare_ts(pkt->pts, st->time_base, end_pts, + AV_TIME_BASE_Q) >= 0) { av_log(s, AV_LOG_DEBUG, "Next segment starts at %d %"PRId64"\n", pkt->stream_index, pkt->pts); From a6f7fc8f3b1a878de3d3f7c054eba555ed7918e4 Mon Sep 17 00:00:00 2001 
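Review bot: The `can_split` expression in hls_write_packet mixes `==`, `&` and `&&` without parentheses, so readers have to check the precedence table to confirm it parses as intended. I would write `can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO && (pkt->flags & AV_PKT_FLAG_KEY);`. The identical block is added to seg_write_packet in segment.c, so the same change applies there. For audio-only output `can_split` stays 1 for every packet and `pkt->pts` reaches `av_compare_ts()` without a test for `AV_NOPTS_VALUE`, which deserves at least a comment.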
From: Reinhard Tartler Date: Sat, 4 May 2013 10:54:20 +0200 Subject: [PATCH 0293/1037] Prepare for 9.6 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 592f36ef3a..c026ac828d 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.5 +9.6 From 46e1d05991bcfb642ae6078aee1397fc842d9469 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 5 May 2013 19:29:00 +0200 Subject: [PATCH 0294/1037] Fix type of shared flac table ff_flac_blocksize_table[]. Fixes ticket #2533. (cherry picked from commit a07ac1f7888fd08e42da2bed0421e74f1cfac177) --- libavcodec/flacdata.c | 2 +- libavcodec/flacdata.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/flacdata.c b/libavcodec/flacdata.c index 6fcbe3955a..1954f32d32 100644 --- a/libavcodec/flacdata.c +++ b/libavcodec/flacdata.c @@ -27,7 +27,7 @@ const int ff_flac_sample_rate_table[16] = 8000, 16000, 22050, 24000, 32000, 44100, 48000, 96000, 0, 0, 0, 0 }; -const int16_t ff_flac_blocksize_table[16] = { +const int32_t ff_flac_blocksize_table[16] = { 0, 192, 576<<0, 576<<1, 576<<2, 576<<3, 0, 0, 256<<0, 256<<1, 256<<2, 256<<3, 256<<4, 256<<5, 256<<6, 256<<7 }; diff --git a/libavcodec/flacdata.h b/libavcodec/flacdata.h index 96a50b9183..e2c1e5d7f2 100644 --- a/libavcodec/flacdata.h +++ b/libavcodec/flacdata.h @@ -26,6 +26,6 @@ extern const int ff_flac_sample_rate_table[16]; -extern const int16_t ff_flac_blocksize_table[16]; +extern const int32_t ff_flac_blocksize_table[16]; #endif /* AVCODEC_FLACDATA_H */ From 5772cbb3435e06672a5c882c6f36101f407db818 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 6 May 2013 14:48:25 +0300 Subject: [PATCH 0295/1037] swscale: Use alpha from the right row in yuva2rgba_c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Every other pixel had the alpha channel taken from the wrong row. This fixes bug 504. CC: libav-stable@libav.org 
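Review bot: The widened element type of ff_flac_blocksize_table fixes the last entry, `256<<7`, which is 32768 and does not fit in `int16_t`, but nothing next to the table says so. A short comment on the definition, e.g. `/* values go up to 32768, which does not fit in int16_t */`, would stop the type from being narrowed again. The matching `extern` in flacdata.h is changed in the same commit, so the two declarations stay consistent.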
Signed-off-by: Martin Storsjö (cherry picked from commit 6e293d111fcad27d52a2ef5ad77b1009f1743396) Signed-off-by: Martin Storsjö --- libswscale/yuv2rgb.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 1dbd0d8e10..2ffbf5b5d6 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -264,16 +264,16 @@ YUV2RGBFUNC(yuva2rgba_c, uint32_t, 1) PUTRGBA(dst_2, py_2, pa_2, 0, 24); LOADCHROMA(1); - PUTRGBA(dst_2, py_2, pa_1, 1, 24); - PUTRGBA(dst_1, py_1, pa_2, 1, 24); + PUTRGBA(dst_2, py_2, pa_2, 1, 24); + PUTRGBA(dst_1, py_1, pa_1, 1, 24); LOADCHROMA(2); PUTRGBA(dst_1, py_1, pa_1, 2, 24); PUTRGBA(dst_2, py_2, pa_2, 2, 24); LOADCHROMA(3); - PUTRGBA(dst_2, py_2, pa_1, 3, 24); - PUTRGBA(dst_1, py_1, pa_2, 3, 24); + PUTRGBA(dst_2, py_2, pa_2, 3, 24); + PUTRGBA(dst_1, py_1, pa_1, 3, 24); pa_1 += 8; \ pa_2 += 8; \ ENDYUV2RGBLINE(8, 0) @@ -282,8 +282,8 @@ ENDYUV2RGBLINE(8, 0) PUTRGBA(dst_2, py_2, pa_2, 0, 24); LOADCHROMA(1); - PUTRGBA(dst_2, py_2, pa_1, 1, 24); - PUTRGBA(dst_1, py_1, pa_2, 1, 24); + PUTRGBA(dst_2, py_2, pa_2, 1, 24); + PUTRGBA(dst_1, py_1, pa_1, 1, 24); pa_1 += 4; \ pa_2 += 4; \ ENDYUV2RGBLINE(8, 1) From 2922ab7e6fecd56942323b27065c21f5332b0588 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 5 May 2013 09:46:37 +0200 Subject: [PATCH 0296/1037] matroska: set "done" only during resync fail. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes playback of test7.mkv validation test file. Signed-off-by: Reimar Döffinger (cherry picked from commit 762d4335aec2e5299a06bfbce15d21336af19464) --- libavformat/matroskadec.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 87c4a39d0e..ea7c541d16 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -2319,7 +2319,6 @@ static int matroska_parse_cluster_incremental(MatroskaDemuxContext *matroska) } } - if (res < 0) matroska->done = 1; return res; } From 52ab9e898485b370a4da46febb91e1ba50a1c357 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 4 May 2013 12:18:57 +0200 Subject: [PATCH 0297/1037] wav: Always seek to an even offset RIFF chunks are aligned to 16bit according to the specification. Bug-Id:500 CC:libav-stable@libav.org (cherry picked from commit ac87eaf856e0fb51917266b899bb15d19b907baf) Signed-off-by: Reinhard Tartler --- libavformat/wavdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index c9f7abbbcf..e9dda92f0b 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -50,6 +50,12 @@ static int64_t next_tag(AVIOContext *pb, uint32_t *tag) return avio_rl32(pb); } +/* RIFF chunks are always on a even offset. */ +static int64_t wav_seek_tag(AVIOContext *s, int64_t offset, int whence) +{ + return avio_seek(s, offset + (offset & 1), whence); +} + /* return the size of the found tag */ static int64_t find_tag(AVIOContext *pb, uint32_t tag1) { @@ -62,7 +68,7 @@ static int64_t find_tag(AVIOContext *pb, uint32_t tag1) size = next_tag(pb, &tag); if (tag == tag1) break; - avio_skip(pb, size); + wav_seek_tag(pb, size, SEEK_CUR); } return size; } @@ -301,7 +307,7 @@ static int wav_read_header(AVFormatContext *s) /* seek to next tag unless we know that we'll run into EOF */ if ((avio_size(pb) > 0 && next_tag_ofs >= avio_size(pb)) || - avio_seek(pb, next_tag_ofs, SEEK_SET) < 0) { + wav_seek_tag(pb, next_tag_ofs, SEEK_SET) < 0) { break; } } From 1ab4578c88dc3e1407da15471bd323ba40c3ebbb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Jan 2013 00:02:50 +0100 Subject: [PATCH 0298/1037] lavc: Fix assignments in if() when calling ff_af_queue_add MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
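Review bot: find_tag now calls `wav_seek_tag(pb, size, SEEK_CUR)` and discards its result, so a seek that fails on a bogus chunk size is not noticed inside the loop. wav_read_header does test the return value, and find_tag should do the same and hand the error to its caller; its loop header is outside the hunk, so whether an EOF test there already covers this is not visible. In the helper, `offset + (offset & 1)` is computed without a range check, which matters only if a caller can pass an offset near `INT64_MAX`. Minor: the parameter is named `s` where the rest of the file uses `pb`, and the comment should read "an even offset".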
Signed-off-by: Martin Storsjö (cherry picked from commit 1d7ffd06e41e44d8932d0dd62caa2da17947d8c4) Signed-off-by: Luca Barbato --- libavcodec/aacenc.c | 2 +- libavcodec/libfaac.c | 2 +- libavcodec/libfdk-aacenc.c | 2 +- libavcodec/libmp3lame.c | 2 +- libavcodec/libopencore-amr.c | 2 +- libavcodec/libspeexenc.c | 2 +- libavcodec/libvo-aacenc.c | 2 +- libavcodec/libvorbis.c | 2 +- libavcodec/nellymoserenc.c | 2 +- libavcodec/ra144enc.c | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 5558e39d17..6f582ca8aa 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -518,7 +518,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* add current frame to queue */ if (frame) { - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } diff --git a/libavcodec/libfaac.c b/libavcodec/libfaac.c index 745fee2674..d32e776678 100644 --- a/libavcodec/libfaac.c +++ b/libavcodec/libfaac.c @@ -200,7 +200,7 @@ static int Faac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* add current frame to the queue */ if (frame) { - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } diff --git a/libavcodec/libfdk-aacenc.c b/libavcodec/libfdk-aacenc.c index 00397d58ed..c40bcedba5 100644 --- a/libavcodec/libfdk-aacenc.c +++ b/libavcodec/libfdk-aacenc.c @@ -334,7 +334,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, in_buf.bufElSizes = &in_buffer_element_size; /* add current frame to the queue */ - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c index 8746573224..2e501cac0b 100644 --- a/libavcodec/libmp3lame.c +++ b/libavcodec/libmp3lame.c 
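Review bot: The corrected call in aac_encode_frame keeps the assignment inside the `if` condition, which is the construct that allowed the misplaced parenthesis in the first place. Separating the two, `ret = ff_af_queue_add(&s->afq, frame);` followed by `if (ret < 0) return ret;`, removes the hazard and reads more plainly. The same pattern is repeated in the other nine encoders this commit touches (libfaac, libfdk-aacenc, libmp3lame, libopencore-amr, libspeexenc, libvo-aacenc, libvorbis, nellymoserenc, ra144enc).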
@@ -236,7 +236,7 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* add current frame to the queue */ if (frame) { - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } diff --git a/libavcodec/libopencore-amr.c b/libavcodec/libopencore-amr.c index fdd7de9c53..be98b1f93b 100644 --- a/libavcodec/libopencore-amr.c +++ b/libavcodec/libopencore-amr.c @@ -265,7 +265,7 @@ static int amr_nb_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if (frame->nb_samples < avctx->frame_size - avctx->delay) s->enc_last_frame = -1; } - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) { + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) { av_freep(&flush_buf); return ret; } diff --git a/libavcodec/libspeexenc.c b/libavcodec/libspeexenc.c index e30185a758..4277e62e4c 100644 --- a/libavcodec/libspeexenc.c +++ b/libavcodec/libspeexenc.c @@ -287,7 +287,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *avpkt, speex_encode_stereo_int(samples, s->header.frame_size, &s->bits); speex_encode_int(s->enc_state, samples, &s->bits); s->pkt_frame_count++; - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } else { /* handle end-of-stream */ diff --git a/libavcodec/libvo-aacenc.c b/libavcodec/libvo-aacenc.c index d09f1ed109..31822b5d73 100644 --- a/libavcodec/libvo-aacenc.c +++ b/libavcodec/libvo-aacenc.c @@ -157,7 +157,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, samples = (VO_PBYTE)frame->data[0]; } /* add current frame to the queue */ - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } diff --git a/libavcodec/libvorbis.c b/libavcodec/libvorbis.c index a31d476c74..092cbbc0a7 100644 --- a/libavcodec/libvorbis.c +++ b/libavcodec/libvorbis.c 
@@ -279,7 +279,7 @@ static int oggvorbis_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, av_log(avctx, AV_LOG_ERROR, "error in vorbis_analysis_wrote()\n"); return vorbis_error_to_averror(ret); } - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } else { if (!s->eof) diff --git a/libavcodec/nellymoserenc.c b/libavcodec/nellymoserenc.c index 487cffd2dc..122282623c 100644 --- a/libavcodec/nellymoserenc.c +++ b/libavcodec/nellymoserenc.c @@ -397,7 +397,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if (frame->nb_samples >= NELLY_BUF_LEN) s->last_frame = 1; } - if ((ret = ff_af_queue_add(&s->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&s->afq, frame)) < 0) return ret; } else { memset(s->buf + NELLY_BUF_LEN, 0, NELLY_SAMPLES * sizeof(*s->buf)); diff --git a/libavcodec/ra144enc.c b/libavcodec/ra144enc.c index 5b5de76434..b9473ac197 100644 --- a/libavcodec/ra144enc.c +++ b/libavcodec/ra144enc.c @@ -537,7 +537,7 @@ static int ra144_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, for (; i < frame->nb_samples; i++) ractx->curr_block[i] = samples[i] >> 2; - if ((ret = ff_af_queue_add(&ractx->afq, frame) < 0)) + if ((ret = ff_af_queue_add(&ractx->afq, frame)) < 0) return ret; } else ractx->last_frame = 1; From 7f8b55b560bb76f84baa909cdc683eeba47c923d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 4 May 2013 09:51:17 +0200 Subject: [PATCH 0299/1037] indeo3: use unaligned reads on reference blocks. They are not guaranteed to be aligned. Fixes Bug 503. CC:libav-stable@libav.org (cherry picked from commit a97d8cc16e0da30c9ffefa1ede2a0adf3db5f3f8) Signed-off-by: Reinhard Tartler --- libavcodec/indeo3.c | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index f2f7c09d98..81bf0a9e9c 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c 
@@ -277,10 +277,10 @@ static int copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) /* Average 4/8 pixels at once without rounding using SWAR */ #define AVG_32(dst, src, ref) \ - AV_WN32A(dst, ((AV_RN32A(src) + AV_RN32A(ref)) >> 1) & 0x7F7F7F7FUL) + AV_WN32A(dst, ((AV_RN32(src) + AV_RN32(ref)) >> 1) & 0x7F7F7F7FUL) #define AVG_64(dst, src, ref) \ - AV_WN64A(dst, ((AV_RN64A(src) + AV_RN64A(ref)) >> 1) & 0x7F7F7F7F7F7F7F7FULL) + AV_WN64A(dst, ((AV_RN64(src) + AV_RN64(ref)) >> 1) & 0x7F7F7F7F7F7F7F7FULL) /* @@ -339,7 +339,7 @@ if (*data_ptr >= last_ptr) \ copy_block4(dst, ref, row_offset, row_offset, 4 << v_zoom) #define RLE_BLOCK_COPY_8 \ - pix64 = AV_RN64A(ref);\ + pix64 = AV_RN64(ref);\ if (is_first_row) {/* special prediction case: top line of a cell */\ pix64 = replicate64(pix64);\ fill_64(dst + row_offset, pix64, 7, row_offset);\ @@ -351,7 +351,7 @@ if (*data_ptr >= last_ptr) \ copy_block4(dst, ref, row_offset, row_offset, num_lines << v_zoom) #define RLE_LINES_COPY_M10 \ - pix64 = AV_RN64A(ref);\ + pix64 = AV_RN64(ref);\ if (is_top_of_cell) {\ pix64 = replicate64(pix64);\ fill_64(dst + row_offset, pix64, (num_lines << 1) - 1, row_offset);\ @@ -361,12 +361,12 @@ if (*data_ptr >= last_ptr) \ #define APPLY_DELTA_4 \ AV_WN16A(dst + line_offset ,\ - (AV_RN16A(ref ) + delta_tab->deltas[dyad1]) & 0x7F7F);\ + (AV_RN16(ref ) + delta_tab->deltas[dyad1]) & 0x7F7F);\ AV_WN16A(dst + line_offset + 2,\ - (AV_RN16A(ref + 2) + delta_tab->deltas[dyad2]) & 0x7F7F);\ + (AV_RN16(ref + 2) + delta_tab->deltas[dyad2]) & 0x7F7F);\ if (mode >= 3) {\ if (is_top_of_cell && !cell->ypos) {\ - AV_COPY32(dst, dst + row_offset);\ + AV_COPY32U(dst, dst + row_offset);\ } else {\ AVG_32(dst, ref, dst + row_offset);\ }\ 
@@ -376,20 +376,20 @@ if (*data_ptr >= last_ptr) \ /* apply two 32-bit VQ deltas to next even line */\ if (is_top_of_cell) { \ AV_WN32A(dst + row_offset , \ - (replicate32(AV_RN32A(ref )) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ + (replicate32(AV_RN32(ref )) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ AV_WN32A(dst + row_offset + 4, \ - (replicate32(AV_RN32A(ref + 4)) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ + (replicate32(AV_RN32(ref + 4)) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ } else { \ AV_WN32A(dst + row_offset , \ - (AV_RN32A(ref ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ + (AV_RN32(ref ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ AV_WN32A(dst + row_offset + 4, \ - (AV_RN32A(ref + 4) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ + (AV_RN32(ref + 4) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ } \ /* odd lines are not coded but rather interpolated/replicated */\ /* first line of the cell on the top of image? - replicate */\ /* otherwise - interpolate */\ if (is_top_of_cell && !cell->ypos) {\ - AV_COPY64(dst, dst + row_offset);\ + AV_COPY64U(dst, dst + row_offset);\ } else \ AVG_64(dst, ref, dst + row_offset); 
@@ -397,22 +397,22 @@ if (*data_ptr >= last_ptr) \ #define APPLY_DELTA_1011_INTER \ if (mode == 10) { \ AV_WN32A(dst , \ - (AV_RN32A(dst ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ + (AV_RN32(dst ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ AV_WN32A(dst + 4 , \ - (AV_RN32A(dst + 4 ) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ + (AV_RN32(dst + 4 ) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ AV_WN32A(dst + row_offset , \ - (AV_RN32A(dst + row_offset ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ + (AV_RN32(dst + row_offset ) + delta_tab->deltas_m10[dyad1]) & 0x7F7F7F7F);\ AV_WN32A(dst + row_offset + 4, \ - (AV_RN32A(dst + row_offset + 4) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ + (AV_RN32(dst + row_offset + 4) + delta_tab->deltas_m10[dyad2]) & 0x7F7F7F7F);\ } else { \ AV_WN16A(dst , \ - (AV_RN16A(dst ) + delta_tab->deltas[dyad1]) & 0x7F7F);\ + (AV_RN16(dst ) + delta_tab->deltas[dyad1]) & 0x7F7F);\ AV_WN16A(dst + 2 , \ - (AV_RN16A(dst + 2 ) + delta_tab->deltas[dyad2]) & 0x7F7F);\ + (AV_RN16(dst + 2 ) + delta_tab->deltas[dyad2]) & 0x7F7F);\ AV_WN16A(dst + row_offset , \ - (AV_RN16A(dst + row_offset ) + delta_tab->deltas[dyad1]) & 0x7F7F);\ + (AV_RN16(dst + row_offset ) + delta_tab->deltas[dyad1]) & 0x7F7F);\ AV_WN16A(dst + row_offset + 2, \ - (AV_RN16A(dst + row_offset + 2) + delta_tab->deltas[dyad2]) & 0x7F7F);\ + (AV_RN16(dst + row_offset + 2) + delta_tab->deltas[dyad2]) & 0x7F7F);\ } From 77a2f4cbcfc3ca29e128e830622fc8b6fc7676f6 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 7 May 2013 09:39:10 +0200 Subject: [PATCH 0300/1037] oma: properly forward errors in oma_read_packet Prevent spurios EIO on EOF. CC:libav-stable@libav.org (cherry picked from commit db9aee6ccf183508835acc325f5ad87d595eacc4) Signed-off-by: Reinhard Tartler --- libavformat/omadec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index f6b6f13de6..cd255c1704 100644 --- a/libavformat/omadec.c 
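Review bot: After this change the reads are unaligned but every store is still an aligned one (`AV_WN16A`, `AV_WN32A`, `AV_WN64A`), and in APPLY_DELTA_1011_INTER the unaligned read and the aligned write use the same address, e.g. `AV_WN32A(dst, (AV_RN32(dst) + ...))`. If `dst` is guaranteed to be aligned, those reads did not need to change; if it is not, the stores have the same problem the commit fixes for `ref`. A comment above the macros stating which pointers are aligned and which are not would settle it. The same mix appears in the APPLY_DELTA_4 and APPLY_DELTA_8 hunks above.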
+++ b/libavformat/omadec.c @@ -381,8 +381,10 @@ static int oma_read_packet(AVFormatContext *s, AVPacket *pkt) int packet_size = s->streams[0]->codec->block_align; int ret = av_get_packet(s->pb, pkt, packet_size); - if (ret <= 0) - return AVERROR(EIO); + if (ret < 0) + return ret; + if (!ret) + return AVERROR_EOF; pkt->stream_index = 0; From 600bc1debaad1598fcc8aa5809de3de595d168eb Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 8 May 2013 21:44:20 +0200 Subject: [PATCH 0301/1037] af_asyncts: fix offset calculation delta is in samples, not bytes. Also the sample format is not guaranteed to be planar. CC:libav-stable@libav.org (cherry picked from commit 16a4a18db089af8c432f1cdec62155000585b72c) Signed-off-by: Reinhard Tartler --- libavfilter/af_asyncts.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavfilter/af_asyncts.c b/libavfilter/af_asyncts.c index 40680c8559..3ebe3b567e 100644 --- a/libavfilter/af_asyncts.c +++ b/libavfilter/af_asyncts.c @@ -237,18 +237,23 @@ static int filter_frame(AVFilterLink *inlink, AVFilterBufferRef *buf) } if (s->first_frame && delta > 0) { + int planar = av_sample_fmt_is_planar(buf_out->format); + int planes = planar ? nb_channels : 1; + int block_size = av_get_bytes_per_sample(buf_out->format) * + (planar ? 1 : nb_channels); + int ch; av_samples_set_silence(buf_out->extended_data, 0, delta, nb_channels, buf->format); - for (ch = 0; ch < nb_channels; ch++) - buf_out->extended_data[ch] += delta; + for (ch = 0; ch < planes; ch++) + buf_out->extended_data[ch] += delta * block_size; avresample_read(s->avr, buf_out->extended_data, out_size); - for (ch = 0; ch < nb_channels; ch++) - buf_out->extended_data[ch] -= delta; + for (ch = 0; ch < planes; ch++) + buf_out->extended_data[ch] -= delta * block_size; } else { avresample_read(s->avr, buf_out->extended_data, out_size); From d2d38531d608d94ae78e65172c19d1c3f17d2a45 Mon Sep 17 00:00:00 2001 
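Review bot: oma_read_packet now separates errors from EOF, but a short read, where `av_get_packet()` returns a positive count smaller than `packet_size`, is still passed on as a normal packet. If the decoder expects whole `block_align`-sized blocks, a truncated final packet should be rejected or flagged, for example `if (ret < packet_size) pkt->flags |= AV_PKT_FLAG_CORRUPT;`. Whether that is needed depends on the consumers, which are not visible here. The rest of the function is outside the hunk.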
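Review bot: The new offset code in filter_frame derives `planar` and `block_size` from `buf_out->format`, while the `av_samples_set_silence()` call just below uses `buf->format`; the two are presumably equal, but using one of them throughout would make that obvious. `delta * block_size` is added to each plane pointer before `avresample_read()` writes `out_size` samples, so the buffer must hold `delta + out_size` samples. The allocation is outside the hunk, and a comment stating that invariant would help. A local array of shifted pointers would also avoid leaving `extended_data` modified if code is later added between the two loops.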
From: Reinhard Tartler Date: Sat, 11 May 2013 11:51:47 +0200 Subject: [PATCH 0302/1037] update Changelog --- Changelog | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Changelog b/Changelog index ca9db5a1c5..284d4cca57 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,19 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.6: +- aac: check the maximum number of channels to avoid invalid writes +- indeo3: fix off by one in MV validity check +- id3v2: check for end of file while unescaping tags to avoid invalid + writes, reported by Google Security Team +- afifo: fix request_samples on the last frame in certain cases +- hls, segment: fix splitting for audio-only streams +- wav: Always seek to an even offset, Bug #500, LP: #1174737 +- swscale: Use alpha from the right row in yuva2rgba_c, Bug #504 +- indeo3: use unaligned reads on reference blocks, Bug #503 +- oma: properly forward errors in oma_read_packet +- af_asyncts: fix offset calculation + version 9.5: Most of the following fixes resulted from test samples that the Google From 1fa37f2bfa0f5c50ce61dedf2bbb772d96d71101 Mon Sep 17 00:00:00 2001 From: Michael Smith Date: Mon, 21 Jan 2013 19:40:35 +0100 Subject: [PATCH 0303/1037] proresdec: support mixed interlaced/non-interlaced content Set interlaced to false if we don't have an interlaced frame Signed-off-by: Luca Barbato (cherry picked from commit 0881cbf314982cce8448bd12644ce2a6e0b8c576) Signed-off-by: Reinhard Tartler --- libavcodec/proresdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/proresdec.c b/libavcodec/proresdec.c index f7e32c998b..4b196f6d32 100644 --- a/libavcodec/proresdec.c +++ b/libavcodec/proresdec.c 
@@ -164,6 +164,8 @@ static int decode_frame_header(ProresContext *ctx, const uint8_t *buf, if (ctx->frame_type) { /* if interlaced */ ctx->picture.interlaced_frame = 1; ctx->picture.top_field_first = ctx->frame_type & 1; + } else { + ctx->picture.interlaced_frame = 0; } avctx->color_primaries = buf[14]; From 82c3792a308469351f0a3df20b539a9b7e6641a3 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 12 May 2013 08:39:07 +0200 Subject: [PATCH 0304/1037] update Changelog --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 284d4cca57..3ceb469850 100644 --- a/Changelog +++ b/Changelog @@ -13,6 +13,7 @@ version 9.6: - indeo3: use unaligned reads on reference blocks, Bug #503 - oma: properly forward errors in oma_read_packet - af_asyncts: fix offset calculation +- proresdec: support mixed interlaced/non-interlaced content version 9.5: From 731f4bb6fd4415e468ae8639b4c6d34185319256 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2013 00:23:13 +0200 Subject: [PATCH 0305/1037] xbmdec: fix off by one error in scanf() Fixes out of array access Signed-off-by: Michael Niedermayer --- libavcodec/xbmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xbmdec.c b/libavcodec/xbmdec.c index 2a41836492..5166c4e6ed 100644 --- a/libavcodec/xbmdec.c +++ b/libavcodec/xbmdec.c @@ -58,7 +58,7 @@ static int xbm_decode_frame(AVCodecContext *avctx, void *data, int number, len; ptr += strcspn(ptr, "#"); - if (sscanf(ptr, "#define %256s %u", name, &number) != 2) { + if (sscanf(ptr, "#define %255s %u", name, &number) != 2) { av_log(avctx, AV_LOG_ERROR, "Unexpected preprocessor directive\n"); return AVERROR_INVALIDDATA; } From 4427e96bb1cf9372dd34d986d79d5caa57ba385a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2013 00:56:39 +0200 Subject: [PATCH 0306/1037] src_movie: fix scanf string Fixes out of array accesses 
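Review bot: In `xbm_decode_frame` (libavcodec/xbmdec.c) the `%u` conversion still stores through `&number`, and `number` is declared `int` in the context line above, so the conversion specifier and the argument type do not match and an input value above INT_MAX ends up negative. Either declare it `unsigned` or parse with `%d` and reject `number <= 0` before it is used (the use is outside the hunk). The width `255` also has to stay one less than the size of `name`, which is declared outside the hunk; a comment at the declaration, `/* sscanf width below is sizeof(name) - 1 */`, would keep the two from drifting apart.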
Signed-off-by: Michael Niedermayer (cherry picked from commit adaa7743f5fdca0c0aca0b7ffdebf61c7d868571) Signed-off-by: Michael Niedermayer --- libavfilter/src_movie.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavfilter/src_movie.c b/libavfilter/src_movie.c index bd45766641..ec9131ecab 100644 --- a/libavfilter/src_movie.c +++ b/libavfilter/src_movie.c @@ -91,13 +91,13 @@ static int movie_request_frame(AVFilterLink *outlink); static AVStream *find_stream(void *log, AVFormatContext *avf, const char *spec) { int i, ret, already = 0, stream_id = -1; - char type_char, dummy; + char type_char[2], dummy; AVStream *found = NULL; enum AVMediaType type; - ret = sscanf(spec, "d%[av]%d%c", &type_char, &stream_id, &dummy); + ret = sscanf(spec, "d%1[av]%d%c", type_char, &stream_id, &dummy); if (ret >= 1 && ret <= 2) { - type = type_char == 'v' ? AVMEDIA_TYPE_VIDEO : AVMEDIA_TYPE_AUDIO; + type = type_char[0] == 'v' ? AVMEDIA_TYPE_VIDEO : AVMEDIA_TYPE_AUDIO; ret = av_find_best_stream(avf, type, stream_id, -1, NULL, 0); if (ret < 0) { av_log(log, AV_LOG_ERROR, "No %s stream with index '%d' found\n", From 4a455358363f61570b0333399c081f0f48a9fe8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2013 01:17:45 +0200 Subject: [PATCH 0307/1037] avcodec/mpegvideo: Fix block height for lowres 3 interlaced blocks Fixes green trash Fixes part of Ticket2535 Signed-off-by: Michael Niedermayer (cherry picked from commit bca50e5cd52240d885afeb3edb0fa2c74b352add) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index e7dcaf41cc..6ad81b197a 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
@@ -2175,11 +2175,12 @@ static av_always_inline void mpeg_motion_lowres(MpegEncContext *s, pix_op[lowres - 1](dest_y, ptr_y, linesize, h, sx, sy); if (!CONFIG_GRAY || !(s->flags & CODEC_FLAG_GRAY)) { + int hc = s->chroma_y_shift ? (h+1-bottom_field)>>1 : h; uvsx = (uvsx << 2) >> lowres; uvsy = (uvsy << 2) >> lowres; - if (h >> s->chroma_y_shift) { - pix_op[op_index](dest_cb, ptr_cb, uvlinesize, h >> s->chroma_y_shift, uvsx, uvsy); - pix_op[op_index](dest_cr, ptr_cr, uvlinesize, h >> s->chroma_y_shift, uvsx, uvsy); + if (hc) { + pix_op[op_index](dest_cb, ptr_cb, uvlinesize, hc, uvsx, uvsy); + pix_op[op_index](dest_cr, ptr_cr, uvlinesize, hc, uvsx, uvsy); } } // FIXME h261 lowres loop filter From 0cb4887b838a4a9a7e0fbe4fc9f8104e685de9db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2013 01:18:56 +0200 Subject: [PATCH 0308/1037] avcodec/mpegvideo: Fix edge emu with lowres Fixes a few green artifacts at the top Fixes rest of Ticket 2535 Signed-off-by: Michael Niedermayer (cherry picked from commit c67bca2b5a94efb8fb3c2ba2c7d9b1b413468838) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 6ad81b197a..f9246f06c1 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -2135,7 +2135,7 @@ static av_always_inline void mpeg_motion_lowres(MpegEncContext *s, ptr_cb = ref_picture[1] + uvsrc_y * uvlinesize + uvsrc_x; ptr_cr = ref_picture[2] + uvsrc_y * uvlinesize + uvsrc_x; - if ((unsigned) src_x > FFMAX( h_edge_pos - (!!sx) - 2 * block_s, 0) || + if ((unsigned) src_x > FFMAX( h_edge_pos - (!!sx) - 2 * block_s, 0) || uvsrc_y<0 || (unsigned) src_y > FFMAX((v_edge_pos >> field_based) - (!!sy) - h, 0)) { s->vdsp.emulated_edge_mc(s->edge_emu_buffer, ptr_y, linesize >> field_based, 17, 17 + field_based, From 82a627c2c3d8523f4068e7f128933b90e9cb258d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 16 Apr 2013 19:53:24 +0200 Subject: [PATCH 0309/1037] mjpegdec: fix overlapping memcpy with upscale_v Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b39fd7d63648442c20671c3e4b357268ec5c49f2) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index fd5136466b..b1aff360d2 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1633,6 +1633,7 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, MJpegDecodeContext *s = avctx->priv_data; const uint8_t *buf_end, *buf_ptr; const uint8_t *unescaped_buf_ptr; + int hshift, vshift; int unescaped_buf_size; int start_code; int i, index; @@ -1811,6 +1812,9 @@ the_end: } if (s->upscale_v) { uint8_t *dst = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[(s->height - 1) * s->linesize[s->upscale_v]]; + int w; + avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); + w = s->width >> hshift; av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVJ444P || avctx->pix_fmt == AV_PIX_FMT_YUV444P || avctx->pix_fmt == AV_PIX_FMT_YUVJ422P || @@ -1819,16 +1823,16 @@ the_end: uint8_t *src1 = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[i / 2 * s->linesize[s->upscale_v]]; uint8_t *src2 = &((uint8_t *)s->picture_ptr->data[s->upscale_v])[(i + 1) / 2 * s->linesize[s->upscale_v]]; if (src1 == src2) { - memcpy(dst, src1, s->width); + memcpy(dst, src1, w); } else { - for (index = 0; index < s->width; index++) + for (index = 0; index < w; index++) dst[index] = (src1[index] + src2[index]) >> 1; } dst -= s->linesize[s->upscale_v]; } } if (s->flipped && (s->avctx->flags & CODEC_FLAG_EMU_EDGE)) { - int hshift, vshift, j; + int j; avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); for (index=0; index<4; index++) { uint8_t *dst = s->picture_ptr->data[index]; 
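Review bot: In the `upscale_v` block of `ff_mjpeg_decode_frame` (libavcodec/mjpegdec.c) the new row width `w = s->width >> hshift` rounds down, so for an odd `s->width` with horizontal subsampling the last chroma column is neither copied nor averaged. Rounding up, `w = (s->width + (1 << hshift) - 1) >> hshift;`, covers the whole row. The shift is taken from the pixel format rather than from the plane being upscaled, which is only right when `s->upscale_v` names a chroma plane; if it can be 0 the luma row would be narrowed too, and a short comment stating the expected plane indexes would settle that. The loop header lies between the hunks and is not visible here.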
From 520c3d23036f6df4af8a6a8c3c0ba4965bca4f98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 May 2013 21:52:08 +0200 Subject: [PATCH 0310/1037] mmvideo/mm_decode_inter: check horizontal coordinate too Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8d3c99e825317b7efda5fd12e69896b47c700303) Signed-off-by: Michael Niedermayer --- libavcodec/mmvideo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index c61cd576e4..4214eeb964 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -151,6 +151,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert) int replace_array = bytestream2_get_byte(&s->gb); for(j=0; j<8; j++) { int replace = (replace_array >> (7-j)) & 1; + if (x + half_horiz >= s->avctx->width) + return AVERROR_INVALIDDATA; if (replace) { int color = bytestream2_get_byte(&data_ptr); s->frame.data[0][y*s->frame.linesize[0] + x] = color; From e4bae0a140677869ffad76fd742d6f4ecbd57b2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 May 2013 22:06:03 +0200 Subject: [PATCH 0311/1037] mmvideo/mm_decode_intra: check horizontal coordinate too Signed-off-by: Michael Niedermayer (cherry picked from commit ae2132ac90f02330b0988e6e26ee0d53e41cd196) Signed-off-by: Michael Niedermayer --- libavcodec/mmvideo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 4214eeb964..b74424cc13 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -104,6 +104,9 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) if (half_horiz) run_length *=2; + if (run_length > s->avctx->width - x) + return AVERROR_INVALIDDATA; + if (color) { memset(s->frame.data[0] + y*s->frame.linesize[0] + x, color, run_length); if (half_vert) From e9d9fd1137b18c5649342a15c77f67d1c5d0be01 Mon Sep 17 00:00:00 2001 
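Review bot: In `mm_decode_intra` (libavcodec/mmvideo.c) the new check bounds the run horizontally, but the `if (half_vert)` branch after the first `memset` presumably fills the next row as well, and no bound on `y + 1` is visible in the hunk. If the row check earlier in the loop only tests `y`, a run on the last row with `half_vert` set would write one line past the frame; `if (half_vert && y + 1 < s->avctx->height)` closes that. The loop head and the second `memset` are outside the hunk, so this needs confirming against the full function.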
From: Michael Niedermayer Date: Wed, 1 May 2013 23:46:38 +0200 Subject: [PATCH 0312/1037] vmdav: Try to fix unpack_rle() This fixes out of array accesses The code prior to this commit could not have worked, thus obviously was untested. I was also not able to find a valid sample that uses this code. This fix is thus only based on the description of the format If someone has a sample that uses unpack_rle(), please mail me. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb) Conflicts: libavcodec/vmdav.c Signed-off-by: Michael Niedermayer (cherry picked from commit 0baa0a5a02e16ef097ed9f72bc8a7d7b585c7652) Signed-off-by: Michael Niedermayer --- libavcodec/vmdav.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 9c96055b62..c50117c44e 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -162,7 +162,7 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count, const unsigned char *ps; const unsigned char *ps_end; unsigned char *pd; - int i, l; + int i, j, l; unsigned char *dest_end = dest + dest_len; ps = src; @@ -188,9 +188,9 @@ static int rle_unpack(const unsigned char *src, int src_len, int src_count, ps += l; pd += l; } else { - if (dest_end - pd < i || ps_end - ps < 2) + if (dest_end - pd < 2*l || ps_end - ps < 2) return ps - src; - for (i = 0; i < l; i++) { + for (j = 0; j < l; j++) { *pd++ = ps[0]; *pd++ = ps[1]; } From cd2d8aca8468523e34f67e3647a65bdebb155efc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Apr 2013 20:05:31 +0200 Subject: [PATCH 0313/1037] avutil/log: Fix context pointer used for get_category() Fixes calling a random pointer Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7edb984dd051b6919d7d8471c70499273f31b0fa) 
Signed-off-by: Michael Niedermayer --- libavutil/log.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/log.c b/libavutil/log.c index 700e89fa97..49dd4d1897 100644 --- a/libavutil/log.c +++ b/libavutil/log.c @@ -178,7 +178,7 @@ static void format_line(void *ptr, int level, const char *fmt, va_list vl, if (parent && *parent) { snprintf(part[0], part_size, "[%s @ %p] ", (*parent)->item_name(parent), parent); - if(type) type[0] = get_category(((uint8_t *) ptr) + avc->parent_log_context_offset); + if(type) type[0] = get_category(parent); } } snprintf(part[1], part_size, "[%s @ %p] ", From a4e3bb0106a5f3d6e183ae7bc578d6039822cef1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Apr 2013 20:40:56 +0200 Subject: [PATCH 0314/1037] avutil/intfloat_readwrite: avoid comparission with INFINITY, use isinf() Should fix pgc warning Signed-off-by: Michael Niedermayer (cherry picked from commit cc6f848dba89a6dc89b840cc2e1942cc3007c2a3) Signed-off-by: Michael Niedermayer --- libavutil/intfloat_readwrite.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/intfloat_readwrite.c b/libavutil/intfloat_readwrite.c index 2998229e49..9574532116 100644 --- a/libavutil/intfloat_readwrite.c +++ b/libavutil/intfloat_readwrite.c @@ -88,7 +88,7 @@ AVExtFloat av_dbl2ext(double d){ ext.mantissa[i] = m>>(56-(i<<3)); } else if (f != 0.0) { ext.exponent[0] = 0x7f; ext.exponent[1] = 0xff; - if (f != INFINITY) + if (!isinf(f)) ext.mantissa[0] = ~0; } if (d < 0) From 426715ccbd57714f4e71589bb211530ace38fbd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Apr 2013 23:16:05 +0200 Subject: [PATCH 0315/1037] avutil/intfloat_readwrite: include common.h for isinf() Solution based on rational.c, which uses isinf() too This should fix compilation with msvc Signed-off-by: Michael Niedermayer (cherry picked from commit c25224737cba4079602c447c344cb54b81430ce4) 
Signed-off-by: Michael Niedermayer --- libavutil/intfloat_readwrite.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/intfloat_readwrite.c b/libavutil/intfloat_readwrite.c index 9574532116..142331dac1 100644 --- a/libavutil/intfloat_readwrite.c +++ b/libavutil/intfloat_readwrite.c @@ -26,6 +26,7 @@ */ #include +#include "common.h" #include "mathematics.h" #include "intfloat_readwrite.h" From d9ab7c629242cb2c9fbe6fd04bda75a62b6552b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 31 Mar 2013 14:49:14 +0200 Subject: [PATCH 0316/1037] cmdutils: avtool -> fftool (cherry picked from commit 7d8ad6c1fa11ec548fc63427656989e0e7c6af8b) Signed-off-by: Michael Niedermayer --- cmdutils.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cmdutils.h b/cmdutils.h index f193132f09..12407501e6 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -190,13 +190,13 @@ void show_help_options(const OptionDef *options, const char *msg, int req_flags, void show_help_children(const AVClass *class, int flags); /** - * Per-avtool specific help handler. Implemented in each - * avtool, called by show_help(). + * Per-fftool specific help handler. Implemented in each + * fftool, called by show_help(). */ void show_help_default(const char *opt, const char *arg); /** - * Generic -h handler common to all avtools. + * Generic -h handler common to all fftools. */ int show_help(void *optctx, const char *opt, const char *arg); From dafd8228bc0f7d9a6afd4e84a476b3a73e0a5a4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 May 2013 21:58:27 +0200 Subject: [PATCH 0317/1037] sanm: Check dimensions before use Fixes integer overflow and out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9dd04f6d8cdd1c10c28b2cb4252c1a41df581915) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index e317b33b1f..60437c0b33 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -726,6 +726,11 @@ static int process_frame_obj(SANMVideoContext *ctx) w = bytestream2_get_le16u(&ctx->gb); h = bytestream2_get_le16u(&ctx->gb); + if (!w || !h) { + av_log(ctx->avctx, AV_LOG_ERROR, "dimensions are invalid\n"); + return AVERROR_INVALIDDATA; + } + if (ctx->width < left + w || ctx->height < top + h) { if (av_image_check_size(FFMAX(left + w, ctx->width), FFMAX(top + h, ctx->height), 0, ctx->avctx) < 0) From 151c2ca8c797a00927776bb77427dc0c77e641d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 May 2013 21:04:33 +0200 Subject: [PATCH 0318/1037] avcodec/cdgraphics: check buffer size before use Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ad002e1a13a8df934bd6cb2c84175a4780ab8942) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index 71d9da7ee2..218d68a11c 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -296,7 +296,9 @@ static int cdg_decode_frame(AVCodecContext *avctx, inst = bytestream_get_byte(&buf); inst &= CDG_MASK; buf += 2; /// skipping 2 unneeded bytes - bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); + + if (buf_size > CDG_HEADER_SIZE) + bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); if ((command & CDG_MASK) == CDG_COMMAND) { switch (inst) { From a4681d1043556718fb20c9026f8d1cec4e7f453f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 May 2013 16:07:27 +0200 Subject: [PATCH 0319/1037] gifdec: reset previous Graphic Control Extension disposal type This fixes out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
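Review bot: In `cdg_decode_frame` (libavcodec/cdgraphics.c) skipping the copy when `buf_size <= CDG_HEADER_SIZE` leaves `cdg_data` unfilled, yet the `switch (inst)` that follows still dispatches on the command. Unless `cdg_data` is zero-initialised where it is declared (outside the hunk), the handlers would read whatever the buffer held before; returning `AVERROR_INVALIDDATA` for such a packet is simpler than carrying on. The guard also covers only the lower bound: the copy length `buf_size - CDG_HEADER_SIZE` has to be checked against the size of `cdg_data` somewhere above, which this hunk does not show.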
Signed-off-by: Michael Niedermayer (cherry picked from commit d23b8462b5a4a9da78ed45c4a7a3b35d538df909) Signed-off-by: Michael Niedermayer (cherry picked from commit 7ee5e97c46e30fb3d6f9f78cc3313dbc06528b37) Conflicts: libavcodec/gifdec.c Signed-off-by: Michael Niedermayer --- libavcodec/gifdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index a916dfe8e7..9be5bec003 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -471,6 +471,7 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, A } if (s->keyframe) { + s->gce_prev_disposal = GCE_DISPOSAL_NONE; if ((ret = gif_read_header1(s)) < 0) return ret; From 91138821fb675883e69f123a5ad86ca8470fb537 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Jan 2013 04:17:58 +0100 Subject: [PATCH 0320/1037] gifdec: check that the last keyframe exists and has been successfully parsed. Prevents inconsistent state and null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 46cb61819d867961e8f2052a8f13bcf2027d484f) Conflicts: libavcodec/gifdec.c Signed-off-by: Michael Niedermayer --- libavcodec/gifdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 9be5bec003..41d3d5b9dd 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -75,6 +75,7 @@ typedef struct GifState { AVCodecContext *avctx; int keyframe; + int keyframe_ok; int trans_color; /**< color value that is used instead of transparent color */ } GifState; @@ -471,6 +472,7 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, A } if (s->keyframe) { + s->keyframe_ok = 0; s->gce_prev_disposal = GCE_DISPOSAL_NONE; if ((ret = gif_read_header1(s)) < 0) return ret; 
@@ -489,7 +491,13 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, A s->picture.pict_type = AV_PICTURE_TYPE_I; s->picture.key_frame = 1; + s->keyframe_ok = 1; } else { + if (!s->keyframe_ok) { + av_log(avctx, AV_LOG_ERROR, "cannot decode frame without keyframe\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = avctx->reget_buffer(avctx, &s->picture)) < 0) { av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return ret; From 2e00dd4d62015efbd87fb1c21daa342b2ec250c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2013 00:59:36 +0200 Subject: [PATCH 0321/1037] Update for 1.1.5 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 65087b4f5e..e25d8d9f35 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.4 +1.1.5 diff --git a/VERSION b/VERSION index 65087b4f5e..e25d8d9f35 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.4 +1.1.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 8216a21efd..d4b93f549c 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.4 +PROJECT_NUMBER = 1.1.5 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 51ee51b5ebd35870a4d4db82db966608f73101aa Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 13 May 2013 12:39:44 +0200 Subject: [PATCH 0322/1037] Do not read strd chunk in avi files as H264 extradata. Fixes ticket #2561. (cherry picked from commit 231b3317184790b6be4b4619d96fd328f13aeabb) --- libavformat/avidec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 7436b63cfb..00145e02c5 100644 --- a/libavformat/avidec.c 
+++ b/libavformat/avidec.c @@ -703,7 +703,9 @@ static int avi_read_header(AVFormatContext *s) } break; case MKTAG('s', 't', 'r', 'd'): - if (stream_index >= (unsigned)s->nb_streams || s->streams[stream_index]->codec->extradata_size) { + if (stream_index >= (unsigned)s->nb_streams + || s->streams[stream_index]->codec->extradata_size + || s->streams[stream_index]->codec->codec_tag == MKTAG('H','2','6','4')) { avio_skip(pb, size); } else { uint64_t cur_pos = avio_tell(pb); From f544553c2993163da1797d01ee79d9c3e5f607b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2013 22:03:14 +0200 Subject: [PATCH 0323/1037] avidec: dont randomly skip packets for offseting the index Fixes Ticket2490 Signed-off-by: Michael Niedermayer (cherry picked from commit 6c593f1b671b7725b8c36f92f7c0a23ccf8e7628) --- libavformat/avidec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 00145e02c5..7177105573 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1000,9 +1000,9 @@ start_sync: || st->discard >= AVDISCARD_ALL){ if (!exit_early) { ast->frame_offset += get_duration(ast, size); + avio_skip(pb, size); + goto start_sync; } - avio_skip(pb, size); - goto start_sync; } if (d[2] == 'p' && d[3] == 'c' && size<=4*256+4) { From 85277ff9364c976d7d06a03791047e7e406c63c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 May 2013 01:08:18 +0200 Subject: [PATCH 0324/1037] ffmpeg: free threads on error conditions. Fixes Ticket2562 Signed-off-by: Michael Niedermayer (cherry picked from commit 1a36c756d8959207d3386f03e11c15216abc50b7) --- ffmpeg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ffmpeg.c b/ffmpeg.c index e9837bf83a..7fe00abe80 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
@@ -152,6 +152,8 @@ static struct termios oldtty; static int restore_tty; #endif +static void free_input_threads(void); + /* sub2video hack: Convert subtitles to video with alpha to insert them in filter graphs. @@ -441,6 +443,9 @@ static void exit_program(void) av_freep(&output_streams[i]->logfile_prefix); av_freep(&output_streams[i]); } +#if HAVE_PTHREADS + free_input_threads(); +#endif for (i = 0; i < nb_input_files; i++) { avformat_close_input(&input_files[i]->ctx); av_freep(&input_files[i]); From 6f585f1e66ff459f902899777c463aee1bad60ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2013 21:42:06 +0200 Subject: [PATCH 0325/1037] smacker: remove av_clip_int16() Fixes Ticket2425 Signed-off-by: Michael Niedermayer (cherry picked from commit 2211c76287e073a9e176fde7dbb9a63ceb2af8d1) --- libavcodec/smacker.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 1a73dcce0d..5765c1568c 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -703,7 +703,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, } val |= h[3].values[res] << 8; pred[1] += sign_extend(val, 16); - *samples++ = av_clip_int16(pred[1]); + *samples++ = pred[1]; } else { if(vlc[0].table) res = get_vlc2(&gb, vlc[0].table, SMKTREE_BITS, 3); @@ -724,7 +724,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, } val |= h[1].values[res] << 8; pred[0] += sign_extend(val, 16); - *samples++ = av_clip_int16(pred[0]); + *samples++ = pred[0]; } } } else { //8-bit data From 414c6bf094310379aad970c5191faaf95a9aaae1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2013 18:58:39 +0200 Subject: [PATCH 0326/1037] avienc: Disallow the first frame to be skiped Fixes Ticket2386 Signed-off-by: Michael Niedermayer (cherry picked from commit cc0db8cf3042186d8355dcf10be67071cfbbcc5d) --- libavformat/avienc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
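Review bot: In `smka_decode_frame` (libavcodec/smacker.c) both 16-bit paths now store `pred[1]` and `pred[0]` straight into `*samples++` without clipping, so the output depends on an implicit narrowing conversion. If `pred` is a plain `int` (its declaration is outside the hunk), the running `pred[n] += sign_extend(val, 16)` can also grow without bound on crafted input and overflow a signed integer. Making the wraparound explicit, e.g. `pred[1] = (int16_t)(pred[1] + sign_extend(val, 16));`, keeps the accumulator in range and documents that modulo-2^16 behaviour is intended. The same applies to the `pred[0]` hunk at `@@ -724`.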
diff --git a/libavformat/avienc.c b/libavformat/avienc.c index 15f07943f6..918992f5a9 100644 --- a/libavformat/avienc.c +++ b/libavformat/avienc.c @@ -523,7 +523,7 @@ static int avi_write_packet(AVFormatContext *s, AVPacket *pkt) int size= pkt->size; av_dlog(s, "dts:%s packet_count:%d stream_index:%d\n", av_ts2str(pkt->dts), avist->packet_count, stream_index); - while(enc->block_align==0 && pkt->dts != AV_NOPTS_VALUE && pkt->dts > avist->packet_count && enc->codec_id != AV_CODEC_ID_XSUB){ + while(enc->block_align==0 && pkt->dts != AV_NOPTS_VALUE && pkt->dts > avist->packet_count && enc->codec_id != AV_CODEC_ID_XSUB && avist->packet_count){ AVPacket empty_packet; if(pkt->dts - avist->packet_count > 60000){ From 2416eff5b9275e2e6e110f3ddbe7784586e4cd4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Feb 2013 19:48:44 +0100 Subject: [PATCH 0327/1037] ff_read_timestamp: check stream_index before using it as array index Fixes out of array read Fixes ticket #2609. Found-by: durandal_1707 Signed-off-by: Michael Niedermayer (cherry picked from commit 695a766bff4cd8414a84e58159506d72b4e44892) --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index e85fa65945..fc374f048b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1765,7 +1765,10 @@ int av_index_search_timestamp(AVStream *st, int64_t wanted_timestamp, static int64_t ff_read_timestamp(AVFormatContext *s, int stream_index, int64_t *ppos, int64_t pos_limit, int64_t (*read_timestamp)(struct AVFormatContext *, int , int64_t *, int64_t )) { - return wrap_timestamp(s->streams[stream_index], read_timestamp(s, stream_index, ppos, pos_limit)); + int64_t ts = read_timestamp(s, stream_index, ppos, pos_limit); + if (stream_index >= 0) + ts = wrap_timestamp(s->streams[stream_index], ts); + return ts; } int ff_seek_frame_binary(AVFormatContext *s, int stream_index, int64_t target_ts, int flags) 
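Review bot: In `ff_read_timestamp` (libavformat/utils.c) the new guard only rejects negative indexes; `s->streams[stream_index]` is still read for any value at or above `s->nb_streams`. If callers can pass an index that has not been validated, the upper bound belongs in the same test: `if (stream_index >= 0 && (unsigned)stream_index < s->nb_streams)`. A one-line comment saying what a negative `stream_index` stands for (presumably "no specific stream") would also explain why the timestamp is returned unwrapped in that case.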
From a98775026765b4dae2d63680f946ca7915d157b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 May 2013 18:30:42 +0200 Subject: [PATCH 0328/1037] h264_cavlc: fix reading skip run Fixes Ticket2606 Signed-off-by: Michael Niedermayer (cherry picked from commit 826b3a75cd295c03720e00d3de83e1abcbedd4b9) Conflicts: libavcodec/h264_cavlc.c --- libavcodec/h264_cavlc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index cd1130a4bc..7cbc553cc3 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -709,7 +709,7 @@ int ff_h264_decode_mb_cavlc(H264Context *h){ down the code */ if(h->slice_type_nos != AV_PICTURE_TYPE_I){ if(s->mb_skip_run==-1) - s->mb_skip_run= get_ue_golomb(&s->gb); + s->mb_skip_run= get_ue_golomb_long(&s->gb); if (s->mb_skip_run--) { if(FRAME_MBAFF && (s->mb_y&1) == 0){ From 7f451cb01f9f7a749b503179ba58b2f999056905 Mon Sep 17 00:00:00 2001 From: Jindrich Makovicka Date: Thu, 16 May 2013 16:49:28 +0200 Subject: [PATCH 0329/1037] mpegvideo: allocate sufficiently large scratch buffer for interlaced vid MPV_decode_mb_internal needs 3 * 16 * linesize bytes of scratch buffer For interlaced content, linesize is multiplied by two after the allocation of the scratch buffer, and the dest_cr pointer ends past the buffer. This patch makes ff_mpv_frame_size_alloc allocate a total of (aligned line_size) * 2 * 16 * 3 bytes, which suffices even for the interlaced case. CC:libav-stable@libav.org Signed-off-by: Jindrich Makovicka Signed-off-by: Anton Khirnov (cherry picked from commit 259af1b92370b32f6d0b9a6de314db4b44c2481d) Signed-off-by: Reinhard Tartler --- libavcodec/mpegvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 10b13b552e..77e21d2bf1 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
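Review bot: In `ff_h264_decode_mb_cavlc` (libavcodec/h264_cavlc.c) the value returned by `get_ue_golomb_long()` is stored in `s->mb_skip_run` without a range check. The long reader accepts much larger codes than the short one, so a malformed stream can yield a skip run larger than the picture or, if the field is a signed int, a negative value that collides with the `-1` "not yet read" sentinel tested on the line above. A bound right after the read, e.g. `if (s->mb_skip_run < 0 || s->mb_skip_run > s->mb_num) return AVERROR_INVALIDDATA;`, would reject those. The field's type and the function's existing error convention are outside the hunk, so adapt the return value to match.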
@@ -248,7 +248,7 @@ int ff_mpv_frame_size_alloc(MpegEncContext *s, int linesize) FF_ALLOCZ_OR_GOTO(s->avctx, s->edge_emu_buffer, alloc_size * 2 * 24, fail); - FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, alloc_size * 2 * 16 * 2, + FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, alloc_size * 2 * 16 * 3, fail) s->me.temp = s->me.scratchpad; s->rd_scratchpad = s->me.scratchpad; From 9eecf633f7015cd8364354ffb7846d999519d099 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 17 May 2013 12:36:06 +0200 Subject: [PATCH 0330/1037] jpegls: return meaningful errors (cherry picked from commit a5a0ef5e13a59ff53318a45d77c5624b23229c6f) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/jpeglsdec.c --- libavcodec/jpeglsdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 8a558476c3..b0badbb7d9 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -70,13 +70,13 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) case 2: case 3: av_log(s->avctx, AV_LOG_ERROR, "palette not supported\n"); - return -1; + return AVERROR(ENOSYS); case 4: av_log(s->avctx, AV_LOG_ERROR, "oversize image not supported\n"); - return -1; + return AVERROR(ENOSYS); default: av_log(s->avctx, AV_LOG_ERROR, "invalid id %d\n", id); - return -1; + return AVERROR_INVALIDDATA; } av_dlog(s->avctx, "ID=%i, T=%i,%i,%i\n", id, s->t1, s->t2, s->t3); @@ -327,11 +327,11 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor last = cur; cur += s->picture_ptr->linesize[0]; } - } else if(ilv == 2) { /* sample interleaving */ + } else if (ilv == 2) { /* sample interleaving */ av_log(s->avctx, AV_LOG_ERROR, "Sample interleaved images are not supported.\n"); av_free(state); av_free(zero); - return -1; + return AVERROR_PATCHWELCOME; } if(shift){ /* we need to do point transform or normalize samples */ From 2c23237cb4ed963eb5f33d8ef536b3033712e69d Mon Sep 17 00:00:00 2001 
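Review bot: Nothing in the code says why the scratchpad is `alloc_size * 2 * 16 * 3`, so the factor can be changed again without anyone noticing the constraint described in the commit message. Add a comment above the allocation, for example `/* MPV_decode_mb_internal needs 3 * 16 * linesize bytes; the * 2 covers interlaced content, where linesize is doubled after this allocation */`. ff_mpv_frame_size_alloc continues outside the hunk.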
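Review bot: Unsupported features are reported with two different codes across these two hunks: `AVERROR(ENOSYS)` for the palette and oversize-image cases in ff_jpegls_decode_lse, but `AVERROR_PATCHWELCOME` for sample interleaving in ff_jpegls_decode_picture. A caller that wants to tell "not implemented" from "invalid data" has to know both; pick one for all three, e.g. `return AVERROR_PATCHWELCOME;` in the `case 2: case 3:` and `case 4:` branches. Both functions continue outside the hunks.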
From: Reinhard Tartler Date: Fri, 31 May 2013 23:00:19 +0200 Subject: [PATCH 0331/1037] Prepare for 9.7 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index c026ac828d..9d5e716c05 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.6 +9.7 From 582aec49892dd42eb8bab5d4837f656a4b821188 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 31 May 2013 22:36:47 +0200 Subject: [PATCH 0332/1037] jpegls: factorize return paths Conflicts: libavcodec/jpeglsdec.c (cherry picked from commit 4a4107b48944397c914aa39ee16a82fe44db8c4c) --- libavcodec/jpeglsdec.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index b0badbb7d9..15bf962900 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -259,7 +259,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor int i, t = 0; uint8_t *zero, *last, *cur; JLSState *state; - int off = 0, stride = 1, width, shift; + int off = 0, stride = 1, width, shift, ret = 0; zero = av_mallocz(s->picture_ptr->linesize[0]); last = zero; @@ -329,9 +329,8 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor } } else if (ilv == 2) { /* sample interleaving */ av_log(s->avctx, AV_LOG_ERROR, "Sample interleaved images are not supported.\n"); - av_free(state); - av_free(zero); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto end; } if(shift){ /* we need to do point transform or normalize samples */ @@ -359,10 +358,12 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor } } } + +end: av_free(state); av_free(zero); - return 0; + return ret; } From c340319559bfcd9664a3ea29e73ac80b3fbc2d4d Mon Sep 17 00:00:00 2001 
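Review bot: `zero = av_mallocz(s->picture_ptr->linesize[0]);` is assigned to `last` on the next line without a NULL check, and the first hunk shows no check for the later allocations either. With the new `end:` label a failure path is cheap: `if (!zero) return AVERROR(ENOMEM);` directly after the allocation, and `ret = AVERROR(ENOMEM); goto end;` for `state`, since av_free() accepts NULL. The `state` allocation lies between the hunks, so confirm it is not already checked there.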
From: Luca Barbato Date: Fri, 17 May 2013 18:29:15 +0200 Subject: [PATCH 0333/1037] wavpack: validate samples size parsed in wavpack_decode_block Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ed50673066956d6f2201a57c3254569f2ab08d9d) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/wavpack.c --- libavcodec/wavpack.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e8f34fa632..96ea6103cc 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -796,6 +796,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, if (!wc->mkv_mode) { s->samples = AV_RL32(buf); buf += 4; + if (s->samples != wc->samples) + return AVERROR_INVALIDDATA; + if (!s->samples) { *got_frame_ptr = 0; return 0; From aaeef7fa0d6ebb1a3668894e67a70cd5084ce4f4 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 14 May 2013 15:27:26 +0200 Subject: [PATCH 0334/1037] mjpegdec: properly report unsupported disabled features When JPEG-LS support is disabled the decoder would feed the data to the JPEG Lossless decode_*_scan function resulting in faulty decoding. CC: libav-stable@libav.org (cherry picked from commit b25e49b187617c486ae3f50a5cbb356fc0e868bb) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 0b22bca5f3..4956e3a8b7 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1489,6 +1489,12 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, else if (start_code == COM) mjpeg_decode_com(s); + if (!CONFIG_JPEGLS_DECODER && + (start_code == SOF48 || start_code == LSE)) { + av_log(avctx, AV_LOG_ERROR, "JPEG-LS support not enabled.\n"); + return AVERROR(ENOSYS); + } + switch (start_code) { case SOI: s->restart_interval = 0; From 0af5a774ebc96ae9018926dc8b276c7f39767e3e Mon Sep 17 00:00:00 2001 
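Review bot: The new `s->samples != wc->samples` check in wavpack_decode_block returns `AVERROR_INVALIDDATA` without a log line, while the other rejections in this function report what was wrong through av_log. Add a message before the return, e.g. `av_log(avctx, AV_LOG_ERROR, "Mismatching number of samples in block %d\n", block_no);`, so a rejected file can be diagnosed from the log. The function body continues outside the hunk.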
From: Luca Barbato Date: Fri, 17 May 2013 13:08:55 +0200 Subject: [PATCH 0335/1037] jpegls: check the scan offset Prevent an out of array bound write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit abad374909e6416e941351094f4f1446a71f8d23) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/jpeglsdec.c --- libavcodec/jpeglsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 15bf962900..f851ec0420 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -289,6 +289,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor av_dlog(s->avctx, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); if(ilv == 0) { /* separate planes */ + if (s->cur_scan > s->nb_components) { + ret = AVERROR_INVALIDDATA; + goto end; + } off = s->cur_scan - 1; stride = (s->nb_components > 1) ? 3 : 1; width = s->width * stride; From 510a96a2116a06877b9f43f1672dbd6410be8653 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 14 May 2013 16:20:14 +0200 Subject: [PATCH 0336/1037] ljpeg: use the correct number of components in yuv Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a030279a67ef883df8cf3707774656fa1be81078) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 4956e3a8b7..5b59e48930 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
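Review bot: The added check bounds `s->cur_scan` only from above, and `off = s->cur_scan - 1` on the next line becomes -1 if `cur_scan` is 0. Whether 0 can reach this point depends on code outside the hunk; if it can, extend the guard to `if (s->cur_scan < 1 || s->cur_scan > s->nb_components)`. The rejection is also silent; an `av_log(s->avctx, AV_LOG_ERROR, "Invalid scan number %d\n", s->cur_scan);` before `goto end` would match the other error paths in this file.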
@@ -709,10 +709,9 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int predictor, } static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, - int point_transform) + int point_transform, int nb_components) { int i, mb_x, mb_y; - const int nb_components = 3; for (mb_y = 0; mb_y < s->mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { @@ -1094,7 +1093,8 @@ next_field: return ret; } else { if ((ret = ljpeg_decode_yuv_scan(s, predictor, - point_transform)) < 0) + point_transform, + nb_components)) < 0) return ret; } } From 7923a25fdda9482107a94ade1e8e855f863e03b8 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 13 May 2013 19:32:04 +0200 Subject: [PATCH 0337/1037] mjpeg: Validate sampling factors They must be non-zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8aa3500905fec6c4e657bb291b861d43c34d3de9) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5b59e48930..9551850694 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -265,6 +265,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) s->quant_index[i] = get_bits(&s->gb, 8); if (s->quant_index[i] >= 4) return AVERROR_INVALIDDATA; + if (!s->h_count[i] || !s->v_count[i]) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid sampling factor in component %d %d:%d\n", + i, s->h_count[i], s->v_count[i]); + return AVERROR_INVALIDDATA; + } + av_log(s->avctx, AV_LOG_DEBUG, "component %d %d:%d id: %d quant:%d\n", i, s->h_count[i], s->v_count[i], s->component_id[i], s->quant_index[i]); From aed12df7fe653c9eb0414cb612515ec321467bbc Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Wed, 15 May 2013 18:41:41 +0200 Subject: [PATCH 0338/1037] mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac Prevent out of buffer write when decoding broken samples. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cfbd98abe82cfcb9984a18d08697251b72b110c8) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 9551850694..d47fc2ca9e 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -945,6 +945,11 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]]; GetBitContext mb_bitmask_gb; + if (ss < 0 || ss >= 64 || + se < ss || se >= 64 || + Ah < 0 || Al < 0) + return AVERROR_INVALIDDATA; + if (mb_bitmask) init_get_bits(&mb_bitmask_gb, mb_bitmask, s->mb_width * s->mb_height); From 5a8dcc993dac545050c8c8de04dbf54f4292c724 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 28 May 2013 22:00:12 +0200 Subject: [PATCH 0339/1037] vmd: return meaningful errors CC: libav-stable@libav.org (cherry picked from commit c8f3cb9119c2183680d44a509a1b5a9817a3bee9) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/vmdav.c --- libavcodec/vmdav.c | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 0fd4815383..a66d2eae63 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -192,7 +192,7 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest, return bytestream2_tell(&gb); } -static void vmd_decode(VmdVideoContext *s) +static int vmd_decode(VmdVideoContext *s) { int i; unsigned int *palette32; 
@@ -216,13 +216,21 @@ static void vmd_decode(VmdVideoContext *s) if (frame_x < 0 || frame_width < 0 || frame_x >= s->avctx->width || frame_width > s->avctx->width || - frame_x + frame_width > s->avctx->width) - return; + frame_x + frame_width > s->avctx->width) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid horizontal range %d-%d\n", + frame_x, frame_width); + return AVERROR_INVALIDDATA; + } if (frame_y < 0 || frame_height < 0 || frame_y >= s->avctx->height || frame_height > s->avctx->height || - frame_y + frame_height > s->avctx->height) - return; + frame_y + frame_height > s->avctx->height) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid vertical range %d-%d\n", + frame_x, frame_width); + return AVERROR_INVALIDDATA; + } if ((frame_width == s->avctx->width && frame_height == s->avctx->height) && (frame_x || frame_y)) { @@ -255,6 +263,9 @@ static void vmd_decode(VmdVideoContext *s) b = bytestream2_get_byteu(&gb) * 4; palette32[i] = (r << 16) | (g << 8) | (b); } + } else { + av_log(s->avctx, AV_LOG_ERROR, "Incomplete palette\n"); + return AVERROR_INVALIDDATA; } s->size -= (256 * 3 + 2); } @@ -262,7 +273,7 @@ static void vmd_decode(VmdVideoContext *s) /* originally UnpackFrame in VAG's code */ bytestream2_init(&gb, gb.buffer, s->buf + s->size - gb.buffer); if (bytestream2_get_bytes_left(&gb) < 1) - return; + return AVERROR_INVALIDDATA; meth = bytestream2_get_byteu(&gb); if (meth & 0x80) { lz_unpack(gb.buffer, bytestream2_get_bytes_left(&gb), @@ -282,13 +293,13 @@ static void vmd_decode(VmdVideoContext *s) if (len & 0x80) { len = (len & 0x7F) + 1; if (ofs + len > frame_width || bytestream2_get_bytes_left(&gb) < len) - return; + return AVERROR_INVALIDDATA; bytestream2_get_buffer(&gb, &dp[ofs], len); ofs += len; } else { /* interframe pixel copy */ if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) - return; + return AVERROR_INVALIDDATA; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; } 
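Review bot: The vertical-range error message prints `frame_x, frame_width` again, copied from the horizontal check above it, so the log shows the wrong values when `frame_y` or `frame_height` is rejected. Change the arguments to `frame_y, frame_height);`. In both messages the second `%d` is a size rather than an end coordinate, so `"Invalid vertical range: y %d, height %d\n"` (and the horizontal equivalent) would describe what is actually printed. vmd_decode starts and ends outside this hunk.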
@@ -296,7 +307,7 @@ static void vmd_decode(VmdVideoContext *s) if (ofs > frame_width) { av_log(s->avctx, AV_LOG_ERROR, "VMD video: offset > width (%d > %d)\n", ofs, frame_width); - break; + return AVERROR_INVALIDDATA; } dp += s->frame.linesize[0]; pp += s->prev_frame.linesize[0]; @@ -328,7 +339,7 @@ static void vmd_decode(VmdVideoContext *s) } else { /* interframe pixel copy */ if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) - return; + return AVERROR_INVALIDDATA; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; } @@ -336,6 +347,7 @@ static void vmd_decode(VmdVideoContext *s) if (ofs > frame_width) { av_log(s->avctx, AV_LOG_ERROR, "VMD video: offset > width (%d > %d)\n", ofs, frame_width); + return AVERROR_INVALIDDATA; } dp += s->frame.linesize[0]; pp += s->prev_frame.linesize[0]; @@ -343,6 +355,7 @@ static void vmd_decode(VmdVideoContext *s) break; } } + return 0; } static av_cold int vmdvideo_decode_init(AVCodecContext *avctx) @@ -396,7 +409,7 @@ static int vmdvideo_decode_frame(AVCodecContext *avctx, s->size = buf_size; if (buf_size < 16) - return buf_size; + return AVERROR_INVALIDDATA; s->frame.reference = 1; if (ff_get_buffer(avctx, &s->frame)) { From 10f77c165c3b3e881bb174a0f57dd62083639072 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 4 May 2013 13:57:32 +0200 Subject: [PATCH 0340/1037] pixdesc: mark gray8 as pseudopal Many functions treat it as such already. Fixes Bug 499. CC:libav-stable@libav.org (cherry picked from commit f36d7831d96aeb072db5a2b78892a534d96e288e) Signed-off-by: Reinhard Tartler --- libavutil/pixdesc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c index 06d5defdba..31b7cf57c5 100644 --- a/libavutil/pixdesc.c +++ b/libavutil/pixdesc.c @@ -231,6 +231,7 @@ const AVPixFmtDescriptor av_pix_fmt_descriptors[AV_PIX_FMT_NB] = { .comp = { { 0, 0, 1, 0, 7 }, /* Y */ }, + .flags = PIX_FMT_PSEUDOPAL, }, [AV_PIX_FMT_MONOWHITE] = { .name = "monow", 
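Review bot: vmd_decode now returns error codes, but none of the hunks in this patch touches its call site, so unless vmdvideo_decode_frame is changed elsewhere the result is dropped and a frame that failed validation is presumably still handed out as decoded. Check it at the call, e.g. `if ((ret = vmd_decode(s)) < 0) return ret;` with `ret` declared in vmdvideo_decode_frame, and decide what happens to the buffer already obtained from ff_get_buffer on that path. The call itself lies outside the visible hunks.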
From 93fbf034c94caf7ddfecd3c1947e3139fef6bfca Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 22 May 2013 12:51:42 +0200 Subject: [PATCH 0341/1037] wavpack: check packet size early Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit fd06291239c1bb616bf303b5696cc432710b2530) Signed-off-by: Reinhard Tartler --- libavcodec/wavpack.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 96ea6103cc..826b449262 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1178,6 +1178,9 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, int frame_size, ret, frame_flags; int samplecount = 0; + if (avpkt->size < 12 + s->multichannel * 4) + return AVERROR_INVALIDDATA; + s->block = 0; s->ch_offset = 0; From 5ba83e90919cdeef38e2b5343b48f3f367292564 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 17 May 2013 18:28:33 +0200 Subject: [PATCH 0342/1037] wavpack: return meaningful errors And forward those that were already meaningful. (cherry picked from commit 8c34558131d846d2b10389564caadaa206372fd4) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/wavpack.c --- libavcodec/wavpack.c | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 826b449262..0bbed042f5 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -779,13 +779,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, if (block_no >= wc->fdec_num && wv_alloc_frame_context(wc) < 0) { av_log(avctx, AV_LOG_ERROR, "Error creating frame decode context\n"); - return -1; + return AVERROR_INVALIDDATA; } s = wc->fdec[block_no]; if (!s) { av_log(avctx, AV_LOG_ERROR, "Context for block %d is not present\n", block_no); - return -1; + return AVERROR_INVALIDDATA; } memset(s->decorr, 0, MAX_TERMS * sizeof(Decorr)); 
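Review bot: The `wv_alloc_frame_context(wc) < 0` path now returns `AVERROR_INVALIDDATA`, which blames the input for what the log message describes as a failure to create the decode context. If that helper fails only on allocation (its body is not in the hunk), return `AVERROR(ENOMEM)` here, or have the helper return an AVERROR code and forward it the way the later hunks forward `samplecount`. wavpack_decode_block continues outside the hunk.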
@@ -1028,7 +1028,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, case WP_ID_CHANINFO: if (size <= 1) { av_log(avctx, AV_LOG_ERROR, "Insufficient channel information\n"); - return -1; + return AVERROR_INVALIDDATA; } chan = *buf++; switch (size - 2) { @@ -1047,10 +1047,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, chmask = avctx->channel_layout; } if (chan != avctx->channels) { - av_log(avctx, AV_LOG_ERROR, "Block reports total %d channels, " - "decoder believes it's %d channels\n", chan, - avctx->channels); - return -1; + av_log(avctx, AV_LOG_ERROR, + "Block reports total %d channels, " + "decoder believes it's %d channels\n", + chan, avctx->channels); + return AVERROR_INVALIDDATA; } if (!avctx->channel_layout) avctx->channel_layout = chmask; @@ -1065,31 +1066,31 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, if (!got_terms) { av_log(avctx, AV_LOG_ERROR, "No block with decorrelation terms\n"); - return -1; + return AVERROR_INVALIDDATA; } if (!got_weights) { av_log(avctx, AV_LOG_ERROR, "No block with decorrelation weights\n"); - return -1; + return AVERROR_INVALIDDATA; } if (!got_samples) { av_log(avctx, AV_LOG_ERROR, "No block with decorrelation samples\n"); - return -1; + return AVERROR_INVALIDDATA; } if (!got_entropy) { av_log(avctx, AV_LOG_ERROR, "No block with entropy info\n"); - return -1; + return AVERROR_INVALIDDATA; } if (s->hybrid && !got_hybrid) { av_log(avctx, AV_LOG_ERROR, "Hybrid config not found\n"); - return -1; + return AVERROR_INVALIDDATA; } if (!got_bs) { av_log(avctx, AV_LOG_ERROR, "Packed samples not found\n"); - return -1; + return AVERROR_INVALIDDATA; } if (!got_float && avctx->sample_fmt == AV_SAMPLE_FMT_FLT) { av_log(avctx, AV_LOG_ERROR, "Float information not found\n"); - return -1; + return AVERROR_INVALIDDATA; } if (s->got_extra_bits && avctx->sample_fmt != AV_SAMPLE_FMT_FLT) { const int size = get_bits_left(&s->gb_extra_bits); 
@@ -1109,7 +1110,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); if (samplecount < 0) - return -1; + return samplecount; samplecount >>= 1; } else { @@ -1123,7 +1124,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT); if (samplecount < 0) - return -1; + return samplecount; if (s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16) { int16_t *dst = (int16_t*)samples + 1; @@ -1200,7 +1201,7 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, if (s->samples <= 0) { av_log(avctx, AV_LOG_ERROR, "Invalid number of samples: %d\n", s->samples); - return AVERROR(EINVAL); + return AVERROR_INVALIDDATA; } if (frame_flags & 0x80) { @@ -1235,13 +1236,13 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data, av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d " "vs. %d bytes left)\n", s->block, frame_size, buf_size); wavpack_decode_flush(avctx); - return -1; + return AVERROR_INVALIDDATA; } if ((samplecount = wavpack_decode_block(avctx, s->block, s->frame.data[0], got_frame_ptr, buf, frame_size)) < 0) { wavpack_decode_flush(avctx); - return -1; + return samplecount; } s->block++; buf += frame_size; buf_size -= frame_size; From 7251de30322aff5660e571856132dc6c7256fe94 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 22 May 2013 12:27:04 +0200 Subject: [PATCH 0343/1037] wavpack: use bytestream2 in wavpack_decode_block Prevent most out of buffer reads. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3f0b6d7a6248a33df37b98cfcb37a1acce263f62) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/wavpack.c --- libavcodec/wavpack.c | 189 ++++++++++++++++++++++++------------------- 1 file changed, 106 insertions(+), 83 deletions(-) 
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 0bbed042f5..02cef5f527 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -26,6 +26,7 @@ #include "get_bits.h" #include "internal.h" #include "unary.h" +#include "bytestream.h" /** * @file @@ -763,12 +764,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, { WavpackContext *wc = avctx->priv_data; WavpackFrameContext *s; + GetByteContext gb; void *samples = data; int samplecount; int got_terms = 0, got_weights = 0, got_samples = 0, got_entropy = 0, got_bs = 0, got_float = 0, got_hybrid = 0; - const uint8_t *orig_buf = buf; - const uint8_t *buf_end = buf + buf_size; int i, j, id, size, ssize, weights, t; int bpp, chan, chmask, orig_bpp; @@ -794,8 +794,10 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->and = s->or = s->shift = 0; s->got_extra_bits = 0; + bytestream2_init(&gb, buf, buf_size); + if (!wc->mkv_mode) { - s->samples = AV_RL32(buf); buf += 4; + s->samples = bytestream2_get_le32(&gb); if (s->samples != wc->samples) return AVERROR_INVALIDDATA; @@ -806,7 +808,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } else { s->samples = wc->samples; } - s->frame_flags = AV_RL32(buf); buf += 4; + s->frame_flags = bytestream2_get_le32(&gb); bpp = av_get_bytes_per_sample(avctx->sample_fmt); samples = (uint8_t*)samples + bpp * wc->ch_offset; orig_bpp = ((s->frame_flags & 0x03) + 1) << 3; 
@@ -819,19 +821,19 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); s->hybrid_maxclip = (( 1LL << (orig_bpp - 1)) - 1); s->hybrid_minclip = ((-1LL << (orig_bpp - 1))); - s->CRC = AV_RL32(buf); buf += 4; + s->CRC = bytestream2_get_le32(&gb); if (wc->mkv_mode) - buf += 4; //skip block size; + bytestream2_skip(&gb, 4); // skip block size; wc->ch_offset += 1 + s->stereo; // parse metadata blocks - while (buf < buf_end) { - id = *buf++; - size = *buf++; + while (bytestream2_get_bytes_left(&gb)) { + id = bytestream2_get_byte(&gb); + size = bytestream2_get_byte(&gb); if (id & WP_IDF_LONG) { - size |= (*buf++) << 8; - size |= (*buf++) << 16; + size |= (bytestream2_get_byte(&gb)) << 8; + size |= (bytestream2_get_byte(&gb)) << 16; } size <<= 1; // size is specified in words ssize = size; @@ -841,12 +843,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, av_log(avctx, AV_LOG_ERROR, "Got incorrect block %02X with size %i\n", id, size); break; } - if (buf + ssize > buf_end) { - av_log(avctx, AV_LOG_ERROR, "Block size %i is out of bounds\n", size); + if (bytestream2_get_bytes_left(&gb) < ssize) { + av_log(avctx, AV_LOG_ERROR, + "Block size %i is out of bounds\n", size); break; } if (id & WP_IDF_IGNORE) { - buf += ssize; + bytestream2_skip(&gb, ssize); continue; } switch (id & WP_IDF_MASK) { 
@@ -854,14 +857,14 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, if (size > MAX_TERMS) { av_log(avctx, AV_LOG_ERROR, "Too many decorrelation terms\n"); s->terms = 0; - buf += ssize; + bytestream2_skip(&gb, ssize); continue; } s->terms = size; for (i = 0; i < s->terms; i++) { - s->decorr[s->terms - i - 1].value = (*buf & 0x1F) - 5; - s->decorr[s->terms - i - 1].delta = *buf >> 5; - buf++; + uint8_t val = bytestream2_get_byte(&gb); + s->decorr[s->terms - i - 1].value = (val & 0x1F) - 5; + s->decorr[s->terms - i - 1].delta = val >> 5; } got_terms = 1; break; @@ -873,17 +876,17 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, weights = size >> s->stereo_in; if (weights > MAX_TERMS || weights > s->terms) { av_log(avctx, AV_LOG_ERROR, "Too many decorrelation weights\n"); - buf += ssize; + bytestream2_skip(&gb, ssize); continue; } for (i = 0; i < weights; i++) { - t = (int8_t)(*buf++); + t = (int8_t)bytestream2_get_byte(&gb); s->decorr[s->terms - i - 1].weightA = t << 3; if (s->decorr[s->terms - i - 1].weightA > 0) s->decorr[s->terms - i - 1].weightA += (s->decorr[s->terms - i - 1].weightA + 64) >> 7; if (s->stereo_in) { - t = (int8_t)(*buf++); + t = (int8_t)bytestream2_get_byte(&gb); s->decorr[s->terms - i - 1].weightB = t << 3; if (s->decorr[s->terms - i - 1].weightB > 0) s->decorr[s->terms - i - 1].weightB += 
@@ -900,23 +903,32 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, t = 0; for (i = s->terms - 1; (i >= 0) && (t < size); i--) { if (s->decorr[i].value > 8) { - s->decorr[i].samplesA[0] = wp_exp2(AV_RL16(buf)); buf += 2; - s->decorr[i].samplesA[1] = wp_exp2(AV_RL16(buf)); buf += 2; + s->decorr[i].samplesA[0] = + wp_exp2(bytestream2_get_le16(&gb)); + s->decorr[i].samplesA[1] = + wp_exp2(bytestream2_get_le16(&gb)); + if (s->stereo_in) { - s->decorr[i].samplesB[0] = wp_exp2(AV_RL16(buf)); buf += 2; - s->decorr[i].samplesB[1] = wp_exp2(AV_RL16(buf)); buf += 2; - t += 4; + s->decorr[i].samplesB[0] = + wp_exp2(bytestream2_get_le16(&gb)); + s->decorr[i].samplesB[1] = + wp_exp2(bytestream2_get_le16(&gb)); + t += 4; } t += 4; } else if (s->decorr[i].value < 0) { - s->decorr[i].samplesA[0] = wp_exp2(AV_RL16(buf)); buf += 2; - s->decorr[i].samplesB[0] = wp_exp2(AV_RL16(buf)); buf += 2; - t += 4; + s->decorr[i].samplesA[0] = + wp_exp2(bytestream2_get_le16(&gb)); + s->decorr[i].samplesB[0] = + wp_exp2(bytestream2_get_le16(&gb)); + t += 4; } else { for (j = 0; j < s->decorr[i].value; j++) { - s->decorr[i].samplesA[j] = wp_exp2(AV_RL16(buf)); buf += 2; + s->decorr[i].samplesA[j] = + wp_exp2(bytestream2_get_le16(&gb)); if (s->stereo_in) { - s->decorr[i].samplesB[j] = wp_exp2(AV_RL16(buf)); buf += 2; + s->decorr[i].samplesB[j] = + wp_exp2(bytestream2_get_le16(&gb)); } } t += s->decorr[i].value * 2 * (s->stereo_in + 1); 
@@ -926,15 +938,15 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, break; case WP_ID_ENTROPY: if (size != 6 * (s->stereo_in + 1)) { - av_log(avctx, AV_LOG_ERROR, "Entropy vars size should be %i, " - "got %i", 6 * (s->stereo_in + 1), size); - buf += ssize; + av_log(avctx, AV_LOG_ERROR, + "Entropy vars size should be %i, got %i", + 6 * (s->stereo_in + 1), size); + bytestream2_skip(&gb, ssize); continue; } for (j = 0; j <= s->stereo_in; j++) { for (i = 0; i < 3; i++) { - s->ch[j].median[i] = wp_exp2(AV_RL16(buf)); - buf += 2; + s->ch[j].median[i] = wp_exp2(bytestream2_get_le16(&gb)); } } got_entropy = 1; @@ -942,20 +954,18 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, case WP_ID_HYBRID: if (s->hybrid_bitrate) { for (i = 0; i <= s->stereo_in; i++) { - s->ch[i].slow_level = wp_exp2(AV_RL16(buf)); - buf += 2; - size -= 2; + s->ch[i].slow_level = wp_exp2(bytestream2_get_le16(&gb)); + size -= 2; } } for (i = 0; i < (s->stereo_in + 1); i++) { - s->ch[i].bitrate_acc = AV_RL16(buf) << 16; - buf += 2; - size -= 2; + s->ch[i].bitrate_acc = bytestream2_get_le16(&gb) << 16; + size -= 2; } if (size > 0) { for (i = 0; i < (s->stereo_in + 1); i++) { - s->ch[i].bitrate_delta = wp_exp2((int16_t)AV_RL16(buf)); - buf += 2; + s->ch[i].bitrate_delta = + wp_exp2((int16_t)bytestream2_get_le16(&gb)); } } else { for (i = 0; i < (s->stereo_in + 1); i++) 
@@ -963,22 +973,26 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } got_hybrid = 1; break; - case WP_ID_INT32INFO: + case WP_ID_INT32INFO: { + uint8_t val[4]; if (size != 4) { - av_log(avctx, AV_LOG_ERROR, "Invalid INT32INFO, size = %i, sent_bits = %i\n", size, *buf); - buf += ssize; + av_log(avctx, AV_LOG_ERROR, + "Invalid INT32INFO, size = %i\n", + size); + bytestream2_skip(&gb, ssize - 4); continue; } - if (buf[0]) - s->extra_bits = buf[0]; - else if (buf[1]) - s->shift = buf[1]; - else if (buf[2]){ - s->and = s->or = 1; - s->shift = buf[2]; - } else if(buf[3]) { + bytestream2_get_buffer(&gb, val, 4); + if (val[0]) { + s->extra_bits = val[0]; + } else if (val[1]) { + s->shift = val[1]; + } else if (val[2]) { + s->and = s->or = 1; + s->shift = val[2]; + } else if (val[3]) { s->and = 1; - s->shift = buf[3]; + s->shift = val[3]; } /* original WavPack decoder forces 32-bit lossy sound to be treated * as 24-bit one in order to have proper clipping 
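Review bot: The invalid-size path of `WP_ID_INT32INFO` skips `ssize - 4` bytes where the removed line advanced by `ssize`, and every other error path in this patch uses `bytestream2_skip(&gb, ssize)`. With `ssize > 4` the reader stops four bytes short and parses the tail of this block as the next block header; with `ssize < 4` the negative value is passed to a skip that takes an unsigned count. Use `bytestream2_skip(&gb, ssize);` here as well. The enclosing switch starts and ends outside the hunk.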
@@ -989,56 +1003,66 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->hybrid_maxclip >>= 8; s->hybrid_minclip >>= 8; } - buf += 4; break; + } case WP_ID_FLOATINFO: if (size != 4) { - av_log(avctx, AV_LOG_ERROR, "Invalid FLOATINFO, size = %i\n", size); - buf += ssize; + av_log(avctx, AV_LOG_ERROR, + "Invalid FLOATINFO, size = %i\n", size); + bytestream2_skip(&gb, ssize); continue; } - s->float_flag = buf[0]; - s->float_shift = buf[1]; - s->float_max_exp = buf[2]; - buf += 4; - got_float = 1; + s->float_flag = bytestream2_get_byte(&gb); + s->float_shift = bytestream2_get_byte(&gb); + s->float_max_exp = bytestream2_get_byte(&gb); + got_float = 1; + bytestream2_skip(&gb, 1); break; case WP_ID_DATA: - s->sc.offset = buf - orig_buf; + s->sc.offset = bytestream2_tell(&gb); s->sc.size = size * 8; - init_get_bits(&s->gb, buf, size * 8); + init_get_bits(&s->gb, gb.buffer, size * 8); s->data_size = size * 8; - buf += size; + bytestream2_skip(&gb, size); got_bs = 1; break; case WP_ID_EXTRABITS: if (size <= 4) { av_log(avctx, AV_LOG_ERROR, "Invalid EXTRABITS, size = %i\n", size); - buf += size; + bytestream2_skip(&gb, size); continue; } - s->extra_sc.offset = buf - orig_buf; + s->extra_sc.offset = bytestream2_tell(&gb); s->extra_sc.size = size * 8; - init_get_bits(&s->gb_extra_bits, buf, size * 8); - s->crc_extra_bits = get_bits_long(&s->gb_extra_bits, 32); - buf += size; - s->got_extra_bits = 1; + init_get_bits(&s->gb_extra_bits, gb.buffer, size * 8); + s->crc_extra_bits = get_bits_long(&s->gb_extra_bits, 32); + bytestream2_skip(&gb, size); + s->got_extra_bits = 1; break; case WP_ID_CHANINFO: if (size <= 1) { av_log(avctx, AV_LOG_ERROR, "Insufficient channel information\n"); return AVERROR_INVALIDDATA; } - chan = *buf++; + chan = bytestream2_get_byte(&gb); switch (size - 2) { - case 0: chmask = *buf; break; - case 1: chmask = AV_RL16(buf); break; - case 2: chmask = AV_RL24(buf); break; - case 3: chmask = AV_RL32(buf); break; + case 0: + chmask = 
bytestream2_get_byte(&gb); + break; + case 1: + chmask = bytestream2_get_le16(&gb); + break; + case 2: + chmask = bytestream2_get_le24(&gb); + break; + case 3: + chmask = bytestream2_get_le32(&gb);; + break; case 5: - chan |= (buf[1] & 0xF) << 8; - chmask = AV_RL24(buf + 2); + bytestream2_skip(&gb, 1); + chan |= (bytestream2_get_byte(&gb) & 0xF) << 8; + chmask = bytestream2_get_le16(&gb); break; default: av_log(avctx, AV_LOG_ERROR, "Invalid channel info size %d\n", @@ -1055,13 +1079,12 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } if (!avctx->channel_layout) avctx->channel_layout = chmask; - buf += size - 1; break; default: - buf += size; + bytestream2_skip(&gb, size); } if (id & WP_IDF_ODD) - buf++; + bytestream2_skip(&gb, 1); } if (!got_terms) { From 4f6fbe47a9f784373c277870d9d4989762873bf1 Mon Sep 17 00:00:00 2001 From: Alexandra Khirnova Date: Wed, 13 Mar 2013 13:54:27 +0100 Subject: [PATCH 0344/1037] vmdav: convert to bytestream2 Signed-off-by: Anton Khirnov (cherry picked from commit 0afcf97e1ece51d29bb791698b00cd1b7ba97dcf) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/vmdav.c --- libavcodec/vmdav.c | 152 ++++++++++++++++++--------------------------- 1 file changed, 59 insertions(+), 93 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 2bb1fc3dd1..0fd4815383 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -48,6 +48,7 @@ #include "libavutil/intreadwrite.h" #include "avcodec.h" #include "internal.h" +#include "bytestream.h" #define VMD_HEADER_SIZE 0x330 #define PALETTE_COUNT 256 @@ -78,8 +79,6 @@ typedef struct VmdVideoContext { static void lz_unpack(const unsigned char *src, int src_len, unsigned char *dest, int dest_len) { - const unsigned char *s; - unsigned int s_len; unsigned char *d; unsigned char *d_end; unsigned char queue[QUEUE_SIZE]; 
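Review bot: In `case 5:` of `WP_ID_CHANINFO` the channel mask is now read with `bytestream2_get_le16(&gb)` where the removed code used `AV_RL24(buf + 2)`, so the top byte of the mask is lost. The branch also consumes fewer bytes than the block holds, and the following hunk removes `buf += size - 1;` without a replacement, so the next metadata header is parsed from inside this block. Use `chmask = bytestream2_get_le24(&gb);` and skip whatever remains of the block after the inner switch, computed from `bytestream2_tell(&gb)` before and after it. `bytestream2_get_le32(&gb);;` in `case 3:` also carries a stray semicolon.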
@@ -90,18 +89,17 @@ static void lz_unpack(const unsigned char *src, int src_len, unsigned int speclen; unsigned char tag; unsigned int i, j; + GetByteContext gb; - s = src; - s_len = src_len; + bytestream2_init(&gb, src, src_len); d = dest; d_end = d + dest_len; - dataleft = AV_RL32(s); - s += 4; s_len -= 4; + dataleft = bytestream2_get_le32(&gb); memset(queue, 0x20, QUEUE_SIZE); - if (s_len < 4) + if (bytestream2_get_bytes_left(&gb) < 4) return; - if (AV_RL32(s) == 0x56781234) { - s += 4; s_len -= 4; + if (bytestream2_peek_le32(&gb) == 0x56781234) { + bytestream2_get_le32(&gb); qpos = 0x111; speclen = 0xF + 3; } else { @@ -109,40 +107,32 @@ static void lz_unpack(const unsigned char *src, int src_len, speclen = 100; /* no speclen */ } - while (dataleft > 0 && s_len > 0) { - tag = *s++; s_len--; + while (dataleft > 0 && bytestream2_get_bytes_left(&gb) > 0) { + tag = bytestream2_get_byteu(&gb); if ((tag == 0xFF) && (dataleft > 8)) { - if (d + 8 > d_end || s_len < 8) + if (d + 8 > d_end || bytestream2_get_bytes_left(&gb) < 8) return; for (i = 0; i < 8; i++) { - queue[qpos++] = *d++ = *s++; + queue[qpos++] = *d++ = bytestream2_get_byteu(&gb); qpos &= QUEUE_MASK; } - s_len -= 8; dataleft -= 8; } else { for (i = 0; i < 8; i++) { if (dataleft == 0) break; if (tag & 0x01) { - if (d + 1 > d_end || s_len < 1) + if (d + 1 > d_end || bytestream2_get_bytes_left(&gb) < 1) return; - queue[qpos++] = *d++ = *s++; + queue[qpos++] = *d++ = bytestream2_get_byte(&gb); qpos &= QUEUE_MASK; dataleft--; - s_len--; } else { - if (s_len < 2) - return; - chainofs = *s++; - chainofs |= ((*s & 0xF0) << 4); - chainlen = (*s++ & 0x0F) + 3; - s_len -= 2; + chainofs = bytestream2_get_byte(&gb); + chainofs |= ((bytestream2_peek_byte(&gb) & 0xF0) << 4); + chainlen = (bytestream2_get_byte(&gb) & 0x0F) + 3; if (chainlen == speclen) { - if (s_len < 1) - return; - chainlen = *s++ + 0xF + 3; - s_len--; + chainlen = bytestream2_get_byte(&gb) + 0xF + 3; } if (d + chainlen > d_end) return; 
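Review bot: The back-reference arm (`chainofs = bytestream2_get_byte(&gb);` and the two reads after it) no longer stops on a truncated stream, because the removed `s_len < 2` and `s_len < 1` returns were replaced by checked readers that yield 0 once the input is exhausted. The loop then keeps emitting queue contents until `dataleft` or `d_end` runs out, which stays in bounds but turns a short input into fabricated output instead of an early exit. Keeping `if (bytestream2_get_bytes_left(&gb) < 2) return;` ahead of the `chainofs` read preserves the old behaviour. The destination checks `d + 8 > d_end` and `d + chainlen > d_end` form a pointer past the buffer before comparing; `d_end - d < chainlen` avoids that. The function body continues outside the hunk.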
@@ -162,49 +152,44 @@ static void lz_unpack(const unsigned char *src, int src_len, static int rle_unpack(const unsigned char *src, unsigned char *dest, int src_count, int src_size, int dest_len) { - const unsigned char *ps; unsigned char *pd; int i, l; unsigned char *dest_end = dest + dest_len; + GetByteContext gb; - ps = src; + bytestream2_init(&gb, src, src_size); pd = dest; if (src_count & 1) { - if (src_size < 1) + if (bytestream2_get_bytes_left(&gb) < 1) return 0; - *pd++ = *ps++; - src_size--; + *pd++ = bytestream2_get_byteu(&gb); } src_count >>= 1; i = 0; do { - if (src_size < 1) + if (bytestream2_get_bytes_left(&gb) < 1) break; - l = *ps++; - src_size--; + l = bytestream2_get_byteu(&gb); if (l & 0x80) { l = (l & 0x7F) * 2; - if (pd + l > dest_end || src_size < l) - return ps - src; - memcpy(pd, ps, l); - ps += l; - src_size -= l; + if (pd + l > dest_end || bytestream2_get_bytes_left(&gb) < l) + return bytestream2_tell(&gb); + bytestream2_get_buffer(&gb, pd, l); pd += l; } else { - if (pd + i > dest_end || src_size < 2) - return ps - src; + if (pd + i > dest_end || bytestream2_get_bytes_left(&gb) < 2) + return bytestream2_tell(&gb); for (i = 0; i < l; i++) { - *pd++ = ps[0]; - *pd++ = ps[1]; + *pd++ = bytestream2_get_byteu(&gb); + *pd++ = bytestream2_get_byteu(&gb); } - ps += 2; - src_size -= 2; + bytestream2_skip(&gb, 2); } i += l; } while (i < src_count); - return ps - src; + return bytestream2_tell(&gb); } static void vmd_decode(VmdVideoContext *s) @@ -213,11 +198,8 @@ static void vmd_decode(VmdVideoContext *s) unsigned int *palette32; unsigned char r, g, b; - /* point to the start of the encoded data */ - const unsigned char *p = s->buf + 16; + GetByteContext gb; - const unsigned char *pb; - unsigned int pb_size; unsigned char meth; unsigned char *dp; /* pointer to current frame */ unsigned char *pp; /* pointer to previous frame */ 
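Review bot: The pair-repeat arm of `rle_unpack` (the `else` after `if (l & 0x80)`) checks for only 2 source bytes and guards the destination with `pd + i`, yet its loop pulls `2 * l` bytes through the unchecked `bytestream2_get_byteu()` and writes `2 * l` bytes to `pd`. A file-supplied run length can therefore read past the source and write past `dest_end`. The removed code repeated the same two bytes (`ps[0]`, `ps[1]`) `l` times, so the conversion also changes what is decoded. The loop reuses `i`, the outer progress counter, as its index, and the trailing `bytestream2_skip(&gb, 2)` skips two further bytes. Reading the pair once and bounding the write by `2 * l`, as below, restores the old behaviour.

```c
        } else {
            int pair[2], j;
            if (dest_end - pd < 2 * l || bytestream2_get_bytes_left(&gb) < 2)
                return bytestream2_tell(&gb);
            pair[0] = bytestream2_get_byteu(&gb);
            pair[1] = bytestream2_get_byteu(&gb);
            for (j = 0; j < l; j++) {
                *pd++ = pair[0];
                *pd++ = pair[1];
            }
        }
        /* ... unchanged: i += l, loop condition and final return ... */
```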
@@ -262,30 +244,31 @@ static void vmd_decode(VmdVideoContext *s) } /* check if there is a new palette */ + bytestream2_init(&gb, s->buf + 16, s->size - 16); if (s->buf[15] & 0x02) { - p += 2; + bytestream2_skip(&gb, 2); palette32 = (unsigned int *)s->palette; - for (i = 0; i < PALETTE_COUNT; i++) { - r = *p++ * 4; - g = *p++ * 4; - b = *p++ * 4; - palette32[i] = (r << 16) | (g << 8) | (b); + if (bytestream2_get_bytes_left(&gb) >= PALETTE_COUNT * 3) { + for (i = 0; i < PALETTE_COUNT; i++) { + r = bytestream2_get_byteu(&gb) * 4; + g = bytestream2_get_byteu(&gb) * 4; + b = bytestream2_get_byteu(&gb) * 4; + palette32[i] = (r << 16) | (g << 8) | (b); + } } s->size -= (256 * 3 + 2); } if (s->size > 0) { /* originally UnpackFrame in VAG's code */ - pb = p; - pb_size = s->buf + s->size - pb; - if (pb_size < 1) + bytestream2_init(&gb, gb.buffer, s->buf + s->size - gb.buffer); + if (bytestream2_get_bytes_left(&gb) < 1) return; - meth = *pb++; pb_size--; + meth = bytestream2_get_byteu(&gb); if (meth & 0x80) { - lz_unpack(pb, pb_size, + lz_unpack(gb.buffer, bytestream2_get_bytes_left(&gb), s->unpack_buffer, s->unpack_buffer_size); meth &= 0x7F; - pb = s->unpack_buffer; - pb_size = s->unpack_buffer_size; + bytestream2_init(&gb, s->unpack_buffer, s->unpack_buffer_size); } dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; @@ -295,17 +278,12 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { - if (pb_size < 1) - return; - len = *pb++; - pb_size--; + len = bytestream2_get_byte(&gb); if (len & 0x80) { len = (len & 0x7F) + 1; - if (ofs + len > frame_width || pb_size < len) + if (ofs + len > frame_width || bytestream2_get_bytes_left(&gb) < len) return; - memcpy(&dp[ofs], pb, len); - pb += len; - pb_size -= len; + bytestream2_get_buffer(&gb, &dp[ofs], len); ofs += len; } else { /* interframe pixel copy */ 
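Review bot: The second `bytestream2_init(&gb, gb.buffer, s->buf + s->size - gb.buffer)` takes its length from `s->size` after `s->size -= (256 * 3 + 2)`, while `gb.buffer` has already been advanced over the palette bytes. On palette frames the length is therefore too small and can go negative; this is carried over from the removed `pb_size` computation. Deleting the re-init leaves `gb` bounded by the real end of the packet as set up by `bytestream2_init(&gb, s->buf + 16, s->size - 16)`, which itself assumes `s->size >= 16`, something the visible lines do not check. A short palette is now skipped silently by the `bytestream2_get_bytes_left(&gb) >= PALETTE_COUNT * 3` test while `s->size` is still reduced; returning at that point would be safer. The body of vmd_decode starts and ends outside this hunk.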
@@ -327,11 +305,7 @@ static void vmd_decode(VmdVideoContext *s) case 2: for (i = 0; i < frame_height; i++) { - if (pb_size < frame_width) - return; - memcpy(dp, pb, frame_width); - pb += frame_width; - pb_size -= frame_width; + bytestream2_get_buffer(&gb, dp, frame_width); dp += s->frame.linesize[0]; pp += s->prev_frame.linesize[0]; } @@ -341,24 +315,16 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { - if (pb_size < 1) - return; - len = *pb++; - pb_size--; + len = bytestream2_get_byte(&gb); if (len & 0x80) { len = (len & 0x7F) + 1; - if (pb_size < 1) - return; - if (*pb++ == 0xFF) - len = rle_unpack(pb, &dp[ofs], len, pb_size, frame_width - ofs); - else { - if (pb_size < len) - return; - memcpy(&dp[ofs], pb, len); - } - pb += len; - pb_size -= 1 + len; - ofs += len; + if (bytestream2_get_byte(&gb) == 0xFF) + len = rle_unpack(gb.buffer, &dp[ofs], + len, bytestream2_get_bytes_left(&gb), + frame_width - ofs); + else + bytestream2_get_buffer(&gb, &dp[ofs], len); + bytestream2_skip(&gb, len); } else { /* interframe pixel copy */ if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) From dbaf3f7b0bc9e99dff8e06bd29fcb3e84eebfe7c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 29 May 2013 16:59:13 +0200 Subject: [PATCH 0345/1037] vmd: drop incomplete chunks and spurious samples Odd chunk size makes no sense for stereo and incomplete chunks are not supported. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 701966730ce10290fd49c5ccedd73f505680f764) Signed-off-by: Reinhard Tartler --- libavcodec/vmdav.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index a66d2eae63..526cf304ee 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c 
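Review bot: In `case 2:` the removed `pb_size < frame_width` return has no replacement and the result of `bytestream2_get_buffer(&gb, dp, frame_width)` is ignored, so a truncated frame leaves the rest of each row holding whatever the frame buffer contained before. Checking the copy, `if (bytestream2_get_buffer(&gb, dp, frame_width) != frame_width) return;`, keeps the old stop-on-short-input behaviour. The loop sits inside vmd_decode, whose body starts and ends outside this hunk.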
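Review bot: In `case 3:` the run arm lost its `ofs += len;`, so every run in a row is written to the same `&dp[ofs]`. The literal path also advances the reader twice, once in `bytestream2_get_buffer(&gb, &dp[ofs], len)` and again in the shared `bytestream2_skip(&gb, len)`. That literal copy has no `ofs + len > frame_width` test, unlike `case 1:`, so after the interframe arm has moved `ofs` near the row end a run of up to 128 bytes can be written beyond it. I would move `bytestream2_skip(&gb, len);` into the `0xFF` arm, restore `ofs += len;` after the `if`/`else`, and add the `case 1:` bound before the literal copy. The same lines are carried unchanged into the re-indented hunk of the later "refactor the inner decode loop" patch.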
@@ -586,6 +586,9 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* ensure output buffer is large enough */ audio_chunks = buf_size / s->chunk_size; + /* drop incomplete chunks */ + buf_size = audio_chunks * s->chunk_size; + /* get output buffer */ s->frame.nb_samples = ((silent_chunks + audio_chunks) * avctx->block_align) / avctx->channels; if ((ret = ff_get_buffer(avctx, &s->frame)) < 0) { @@ -597,7 +600,8 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* decode silent chunks */ if (silent_chunks > 0) { - int silent_size = avctx->block_align * silent_chunks; + int silent_size = FFMIN(avctx->block_align * silent_chunks, + s->frame.nb_samples * avctx->channels); if (s->out_bps == 2) { memset(output_samples_s16, 0x00, silent_size * 2); output_samples_s16 += silent_size; @@ -609,7 +613,7 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* decode audio chunks */ if (audio_chunks > 0) { - buf_end = buf + buf_size; + buf_end = buf + (buf_size & ~(avctx->channels > 1)); while (buf + s->chunk_size <= buf_end) { if (s->out_bps == 2) { decode_audio_s16(output_samples_s16, buf, s->chunk_size, From 5a01ab0e62c95a60b4848744e623640f5dafe23b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 28 May 2013 23:49:43 +0200 Subject: [PATCH 0346/1037] vmd: use the PALETTE_COUNT constant uniformly While at it drop useless parentheses. (cherry picked from commit 91a6944e56236234f0a7ba162404665753cbcb51) Signed-off-by: Luca Barbato --- libavcodec/vmdav.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 526cf304ee..49ad20cc90 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -267,7 +267,7 @@ static int vmd_decode(VmdVideoContext *s) av_log(s->avctx, AV_LOG_ERROR, "Incomplete palette\n"); return AVERROR_INVALIDDATA; } - s->size -= (256 * 3 + 2); + s->size -= PALETTE_COUNT * 3 + 2; } if (s->size > 0) { /* originally UnpackFrame in VAG's code */ 
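Review bot: `buf_end = buf + (buf_size & ~(avctx->channels > 1));` trims a byte for stereo after `s->frame.nb_samples` has already been sized from `audio_chunks` in the first hunk, so when `buf_size` is odd the last chunk fails `buf + s->chunk_size <= buf_end` and its share of the output frame is never written. If the buffer returned by `ff_get_buffer()` is not zeroed (not visible here), that tail reaches the caller as stale memory. Rejecting an odd `s->chunk_size` for stereo where the value is first set, or recomputing `audio_chunks` after the trim, keeps the sample count and the decoded data in step. The mask expression also deserves a comment such as `/* stereo: drop a trailing unpaired byte */`.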
From 5fed47b94f889b724b3214a0898aa6eac00ac575 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 28 May 2013 22:09:59 +0200 Subject: [PATCH 0347/1037] vmd: refactor the inner decode loop Simplify a little, assume empty frames are acceptable and do not pointlessly reinit the bytestream2 contexts using possibly wrong size values. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 676da248cad49debc40720baa13214f0b94dcc71) Signed-off-by: Luca Barbato Conflicts: libavcodec/vmdav.c --- libavcodec/vmdav.c | 164 +++++++++++++++++++++++---------------------- 1 file changed, 84 insertions(+), 80 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 49ad20cc90..d4ac6f79b0 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c 
@@ -269,91 +269,95 @@ static int vmd_decode(VmdVideoContext *s) } s->size -= PALETTE_COUNT * 3 + 2; } - if (s->size > 0) { - /* originally UnpackFrame in VAG's code */ - bytestream2_init(&gb, gb.buffer, s->buf + s->size - gb.buffer); - if (bytestream2_get_bytes_left(&gb) < 1) - return AVERROR_INVALIDDATA; - meth = bytestream2_get_byteu(&gb); - if (meth & 0x80) { - lz_unpack(gb.buffer, bytestream2_get_bytes_left(&gb), - s->unpack_buffer, s->unpack_buffer_size); - meth &= 0x7F; - bytestream2_init(&gb, s->unpack_buffer, s->unpack_buffer_size); - } - dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; - pp = &s->prev_frame.data[0][frame_y * s->prev_frame.linesize[0] + frame_x]; - switch (meth) { - case 1: - for (i = 0; i < frame_height; i++) { - ofs = 0; - do { - len = bytestream2_get_byte(&gb); - if (len & 0x80) { - len = (len & 0x7F) + 1; - if (ofs + len > frame_width || bytestream2_get_bytes_left(&gb) < len) - return AVERROR_INVALIDDATA; + if (!s->size) + return 0; + + /* originally UnpackFrame in VAG's code */ + if (bytestream2_get_bytes_left(&gb) < 1) + return AVERROR_INVALIDDATA; + meth = bytestream2_get_byteu(&gb); + if (meth & 0x80) { + lz_unpack(gb.buffer, bytestream2_get_bytes_left(&gb), + s->unpack_buffer, s->unpack_buffer_size); + meth &= 0x7F; + bytestream2_init(&gb, s->unpack_buffer, s->unpack_buffer_size); + } + + dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; + pp = &s->prev_frame.data[0][frame_y * s->prev_frame.linesize[0] + frame_x]; + switch (meth) { + case 1: + for (i = 0; i < frame_height; i++) { + ofs = 0; + do { + len = bytestream2_get_byte(&gb); + if (len & 0x80) { + len = (len & 0x7F) + 1; + if (ofs + len > frame_width || + bytestream2_get_bytes_left(&gb) < len) + return AVERROR_INVALIDDATA; + bytestream2_get_buffer(&gb, &dp[ofs], len); + ofs += len; + } else { + /* interframe pixel copy */ + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) + return AVERROR_INVALIDDATA; + memcpy(&dp[ofs], &pp[ofs], len 
+ 1); + ofs += len + 1; + } + } while (ofs < frame_width); + if (ofs > frame_width) { + av_log(s->avctx, AV_LOG_ERROR, + "VMD video: offset > width (%d > %d)\n", + ofs, frame_width); + return AVERROR_INVALIDDATA; + } + dp += s->frame.linesize[0]; + pp += s->prev_frame.linesize[0]; + } + break; + + case 2: + for (i = 0; i < frame_height; i++) { + bytestream2_get_buffer(&gb, dp, frame_width); + dp += s->frame.linesize[0]; + pp += s->prev_frame.linesize[0]; + } + break; + + case 3: + for (i = 0; i < frame_height; i++) { + ofs = 0; + do { + len = bytestream2_get_byte(&gb); + if (len & 0x80) { + len = (len & 0x7F) + 1; + if (bytestream2_get_byte(&gb) == 0xFF) + len = rle_unpack(gb.buffer, &dp[ofs], + len, bytestream2_get_bytes_left(&gb), + frame_width - ofs); + else bytestream2_get_buffer(&gb, &dp[ofs], len); - ofs += len; - } else { - /* interframe pixel copy */ - if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) - return AVERROR_INVALIDDATA; - memcpy(&dp[ofs], &pp[ofs], len + 1); - ofs += len + 1; - } - } while (ofs < frame_width); - if (ofs > frame_width) { - av_log(s->avctx, AV_LOG_ERROR, "VMD video: offset > width (%d > %d)\n", - ofs, frame_width); - return AVERROR_INVALIDDATA; + bytestream2_skip(&gb, len); + } else { + /* interframe pixel copy */ + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) + return AVERROR_INVALIDDATA; + memcpy(&dp[ofs], &pp[ofs], len + 1); + ofs += len + 1; } - dp += s->frame.linesize[0]; - pp += s->prev_frame.linesize[0]; + } while (ofs < frame_width); + if (ofs > frame_width) { + av_log(s->avctx, AV_LOG_ERROR, + "VMD video: offset > width (%d > %d)\n", + ofs, frame_width); + return AVERROR_INVALIDDATA; } - break; - - case 2: - for (i = 0; i < frame_height; i++) { - bytestream2_get_buffer(&gb, dp, frame_width); - dp += s->frame.linesize[0]; - pp += s->prev_frame.linesize[0]; - } - break; - - case 3: - for (i = 0; i < frame_height; i++) { - ofs = 0; - do { - len = bytestream2_get_byte(&gb); - if (len & 0x80) { - len = 
(len & 0x7F) + 1; - if (bytestream2_get_byte(&gb) == 0xFF) - len = rle_unpack(gb.buffer, &dp[ofs], - len, bytestream2_get_bytes_left(&gb), - frame_width - ofs); - else - bytestream2_get_buffer(&gb, &dp[ofs], len); - bytestream2_skip(&gb, len); - } else { - /* interframe pixel copy */ - if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) - return AVERROR_INVALIDDATA; - memcpy(&dp[ofs], &pp[ofs], len + 1); - ofs += len + 1; - } - } while (ofs < frame_width); - if (ofs > frame_width) { - av_log(s->avctx, AV_LOG_ERROR, "VMD video: offset > width (%d > %d)\n", - ofs, frame_width); - return AVERROR_INVALIDDATA; - } - dp += s->frame.linesize[0]; - pp += s->prev_frame.linesize[0]; - } - break; + dp += s->frame.linesize[0]; + pp += s->prev_frame.linesize[0]; } + break; } return 0; } From c320f9f5e9982e1e516ba620518f9a66887de04a Mon Sep 17 00:00:00 2001 From: Claudio Freire Date: Sat, 4 May 2013 18:36:37 -0300 Subject: [PATCH 0348/1037] AAC encoder: Fix rate control on twoloop. Fixes a case where multichannel bitrate isn't accurately targetted by psy model alone, never achieving the target bitrate. Now fixed. Fixes ticket #2625. Signed-off-by: Michael Niedermayer Signed-off-by: Carl Eugen Hoyos --- libavcodec/aaccoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index 994de286c9..45fbc2dedf 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -710,7 +710,7 @@ static void search_for_quantizers_twoloop(AVCodecContext *avctx, const float lambda) { int start = 0, i, w, w2, g; - int destbits = avctx->bit_rate * 1024.0 / avctx->sample_rate / avctx->channels; + int destbits = avctx->bit_rate * 1024.0 / avctx->sample_rate / avctx->channels * (lambda / 120.f); float dists[128] = { 0 }, uplims[128]; float maxvals[128]; int fflag, minscaler; From 406632d1ef448ca6ada969b2f72707a6449a4046 Mon Sep 17 00:00:00 2001 
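Review bot: After `lz_unpack()` the reader is re-created with `bytestream2_init(&gb, s->unpack_buffer, s->unpack_buffer_size)`, which covers the whole scratch buffer rather than the bytes actually decompressed. `lz_unpack()` is declared `void`, so a short or aborted unpack is followed by decoding whatever an earlier frame left in the buffer. Having `lz_unpack()` return the number of bytes written and passing that as the length would bound the reader to fresh data. Separately, `if (!s->size) return 0;` replaces `if (s->size > 0)`, so a size that went negative after `s->size -= PALETTE_COUNT * 3 + 2` now falls through to the decode path; `if (s->size <= 0)` keeps the previous behaviour.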
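Review bot: The new factor `(lambda / 120.f)` in the `destbits` initialiser carries an unexplained constant, and the whole floating-point product is converted to `int` with no clamp. A comment such as `/* scale the per-channel bit budget by lambda relative to the reference value 120 */` would say where 120 comes from (presumably the encoder's default lambda; confirm). If `lambda` can be large, clamping the product before the conversion avoids an out-of-range float-to-int conversion. The function body continues outside the hunk.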
From: Dale Curtis Date: Wed, 22 May 2013 15:17:08 -0700 Subject: [PATCH 0349/1037] avformat/utils: Keep internal and external av_read_frame() packets in sync. Otherwise, during error conditions, the caller will be left with dangling pointers to a destructed packet => boom. BUG=242786 TEST=ffmpeg_regression_tests Commit slightly simplified by commiter Signed-off-by: Michael Niedermayer (cherry picked from commit c54a1565f512858ccfa70392f40f11c098bc1b63) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index fc374f048b..b1a3417bfc 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1455,6 +1455,9 @@ static int read_frame_internal(AVFormatContext *s, AVPacket *pkt) st->skip_to_keyframe = 0; if (st->skip_to_keyframe) { av_free_packet(&cur_pkt); + if (got_packet) { + *pkt = cur_pkt; + } got_packet = 0; } } From 2fae70db2ac2ffaf7968637fe4f111a24e7e4351 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2013 23:46:38 +0200 Subject: [PATCH 0350/1037] vmdav: Try to fix unpack_rle() This fixes out of array accesses The code prior to this commit could not have worked, thus obviously was untested. I was also not able to find a valid sample that uses this code. This fix is thus only based on the description of the format If someone has a sample that uses unpack_rle(), please mail me. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c1f2c4c3b49277d65b71ccdd3b6b2878f1b593eb) Conflicts: libavcodec/vmdav.c Signed-off-by: Michael Niedermayer --- libavcodec/vmdav.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index ca0916b729..9c24a01ba7 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c 
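Review bot: `*pkt = cur_pkt;` copies the packet immediately after `av_free_packet(&cur_pkt)`, which is only correct because the free resets the data pointer and size inside `cur_pkt`. Read in isolation it looks like a freed packet being handed to the caller. A comment above the added `if (got_packet)` would make the intent durable, for example `/* cur_pkt was just freed: overwrite the caller's copy so it holds no dangling data pointer */`. The body of read_frame_internal starts and ends outside this hunk.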
@@ -179,12 +179,14 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest, bytestream2_get_buffer(&gb, pd, l); pd += l; } else { + int ps[2]; if (dest_end - pd < 2*l || bytestream2_get_bytes_left(&gb) < 2) return bytestream2_tell(&gb); - + ps[0] = bytestream2_get_byteu(&gb); + ps[1] = bytestream2_get_byteu(&gb); for (j = 0; j < l; j++) { - *pd++ = bytestream2_get_byteu(&gb); - *pd++ = bytestream2_get_byteu(&gb); + *pd++ = ps[0]; + *pd++ = ps[1]; } } i += l; From 042b8c2f06b4796bab0b65069ac7e7565d9157ce Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 29 May 2013 16:18:40 +0200 Subject: [PATCH 0351/1037] apetag: use int64_t for filesize CC: libav-stable@libav.org (cherry picked from commit e816aaacd68201b67182f9c70dc680e89a0123e9) Signed-off-by: Reinhard Tartler --- libavformat/apetag.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index 0d2cb973fb..bb8b2dfadc 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -116,7 +116,7 @@ static int ape_tag_read_field(AVFormatContext *s) int64_t ff_ape_parse_tag(AVFormatContext *s) { AVIOContext *pb = s->pb; - int file_size = avio_size(pb); + int64_t file_size = avio_size(pb); uint32_t val, fields, tag_bytes; uint8_t buf[8]; int64_t tag_start; From 8eb7c2566ca20392315618cda4a635b19cbb8e21 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 3 Jun 2013 04:53:02 +0200 Subject: [PATCH 0352/1037] tiff: do not overread the source buffer At least 2 bytes from the source are read every loop. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9c2216976907336dfae0e8e38a4d70ca2465a92c) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/tiff.c --- libavcodec/tiff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 8c40006aa5..264e98501b 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
@@ -207,10 +207,13 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, break; case TIFF_PACKBITS: for (pixels = 0; pixels < width;) { + if (ssrc + size - src < 2) + return AVERROR_INVALIDDATA; code = (int8_t) * src++; if (code >= 0) { code++; - if (pixels + code > width) { + if (pixels + code > width || + ssrc + size - src < code) { av_log(s->avctx, AV_LOG_ERROR, "Copy went out of bounds\n"); return -1; From bc4dc32b2a4086ae4e5159ac6ec1897a3b9a9a31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2013 00:01:13 +0200 Subject: [PATCH 0353/1037] alacenc: Fix missing sign_extend() Fixes ticket #2497 Signed-off-by: Michael Niedermayer (cherry picked from commit 8aea2f05dc56f7e7d60767dd27ba8e846a05e8ae) --- libavcodec/alacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacenc.c b/libavcodec/alacenc.c index 71e2a74822..5354d0b940 100644 --- a/libavcodec/alacenc.c +++ b/libavcodec/alacenc.c @@ -275,7 +275,7 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch) // generate warm-up samples residual[0] = samples[0]; for (i = 1; i <= lpc.lpc_order; i++) - residual[i] = samples[i] - samples[i-1]; + residual[i] = sign_extend(samples[i] - samples[i-1], s->write_sample_size); // perform lpc on remaining samples for (i = lpc.lpc_order + 1; i < s->frame_size; i++) { From 04c506e912716697e47daad0722c972acef4674e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 17:12:16 +0200 Subject: [PATCH 0354/1037] 4xm: use the correct logging context (cherry picked from commit 08859d19b429c522d6494c186656f4a2d3ff8e21) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 987285a682..f0e1b48975 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c 
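Review bot: The added `if (ssrc + size - src < 2) return AVERROR_INVALIDDATA;` fails without a log line, while the copy check directly below logs "Copy went out of bounds" and returns `-1`, so the same kind of malformed strip is reported in two different ways. I would log in the new check as well, e.g. `av_log(s->avctx, AV_LOG_ERROR, "Read went out of bounds\n");`, and return `AVERROR_INVALIDDATA` from both. The run arm of the PackBits loop is outside this hunk; it should be confirmed that its single-byte read is covered by the new two-byte precondition.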
@@ -670,9 +670,9 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length) color[1] = bytestream2_get_le16u(&g3); if (color[0] & 0x8000) - av_log(NULL, AV_LOG_ERROR, "unk bit 1\n"); + av_log(f->avctx, AV_LOG_ERROR, "unk bit 1\n"); if (color[1] & 0x8000) - av_log(NULL, AV_LOG_ERROR, "unk bit 2\n"); + av_log(f->avctx, AV_LOG_ERROR, "unk bit 2\n"); color[2] = mix(color[0], color[1]); color[3] = mix(color[1], color[0]); From 9ac3c6c2c6d9057b12b0169a0ebb70bd8485d5f2 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 17:32:49 +0200 Subject: [PATCH 0355/1037] 4xm: K&R formatting cosmetics (cherry picked from commit e6496ea7e7ea7355167a1ccbe67a7199d446a654) Signed-off-by: Luca Barbato --- libavformat/4xm.c | 85 +++++++++++++++++++++++------------------------ 1 file changed, 41 insertions(+), 44 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index e530c34a47..a300e34289 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -57,7 +57,7 @@ #define GET_LIST_HEADER() \ fourcc_tag = avio_rl32(pb); \ - size = avio_rl32(pb); \ + size = avio_rl32(pb); \ if (fourcc_tag != LIST_TAG) \ return AVERROR_INVALIDDATA; \ fourcc_tag = avio_rl32(pb); @@ -103,8 +103,8 @@ static int fourxm_read_header(AVFormatContext *s) AVStream *st; fourxm->track_count = 0; - fourxm->tracks = NULL; - fourxm->fps = 1.0; + fourxm->tracks = NULL; + fourxm->fps = 1.0; /* skip the first 3 32-bit numbers */ avio_skip(pb, 12); @@ -119,7 +119,7 @@ static int fourxm_read_header(AVFormatContext *s) header = av_malloc(header_size); if (!header) return AVERROR(ENOMEM); - if (avio_read(pb, header, header_size) != header_size){ + if (avio_read(pb, header, header_size) != header_size) { av_free(header); return AVERROR(EIO); } 
@@ -127,14 +127,14 @@ static int fourxm_read_header(AVFormatContext *s) /* take the lazy approach and search for any and all vtrk and strk chunks */ for (i = 0; i < header_size - 8; i++) { fourcc_tag = AV_RL32(&header[i]); - size = AV_RL32(&header[i + 4]); + size = AV_RL32(&header[i + 4]); if (fourcc_tag == std__TAG) { fourxm->fps = av_int2float(AV_RL32(&header[i + 12])); } else if (fourcc_tag == vtrk_TAG) { /* check that there is enough data */ if (size != vtrk_SIZE) { - ret= AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; goto fail; } fourxm->width = AV_RL32(&header[i + 36]); @@ -142,18 +142,18 @@ static int fourxm_read_header(AVFormatContext *s) /* allocate a new AVStream */ st = avformat_new_stream(s, NULL); - if (!st){ - ret= AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); goto fail; } avpriv_set_pts_info(st, 60, 1, fourxm->fps); fourxm->video_stream_index = st->index; - st->codec->codec_type = AVMEDIA_TYPE_VIDEO; - st->codec->codec_id = AV_CODEC_ID_4XM; + st->codec->codec_type = AVMEDIA_TYPE_VIDEO; + st->codec->codec_id = AV_CODEC_ID_4XM; st->codec->extradata_size = 4; - st->codec->extradata = av_malloc(4); + st->codec->extradata = av_malloc(4); AV_WL32(st->codec->extradata, AV_RL32(&header[i + 16])); st->codec->width = fourxm->width; st->codec->height = fourxm->height; 
@@ -188,24 +188,25 @@ static int fourxm_read_header(AVFormatContext *s) fourxm->tracks[current_track].sample_rate = AV_RL32(&header[i + 40]); fourxm->tracks[current_track].bits = AV_RL32(&header[i + 44]); fourxm->tracks[current_track].audio_pts = 0; - if( fourxm->tracks[current_track].channels <= 0 - || fourxm->tracks[current_track].sample_rate <= 0 - || fourxm->tracks[current_track].bits < 0){ + if (fourxm->tracks[current_track].channels <= 0 || + fourxm->tracks[current_track].sample_rate <= 0 || + fourxm->tracks[current_track].bits < 0) { av_log(s, AV_LOG_ERROR, "audio header invalid\n"); - ret= -1; + ret = -1; goto fail; } i += 8 + size; /* allocate a new AVStream */ st = avformat_new_stream(s, NULL); - if (!st){ - ret= AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); goto fail; } st->id = current_track; - avpriv_set_pts_info(st, 60, 1, fourxm->tracks[current_track].sample_rate); + avpriv_set_pts_info(st, 60, 1, + fourxm->tracks[current_track].sample_rate); fourxm->tracks[current_track].stream_index = st->index; @@ -219,17 +220,17 @@ static int fourxm_read_header(AVFormatContext *s) st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample; if (fourxm->tracks[current_track].adpcm){ st->codec->codec_id = AV_CODEC_ID_ADPCM_4XM; - }else if (st->codec->bits_per_coded_sample == 8){ + } else if (st->codec->bits_per_coded_sample == 8) { st->codec->codec_id = AV_CODEC_ID_PCM_U8; - }else + } else st->codec->codec_id = AV_CODEC_ID_PCM_S16LE; } } /* skip over the LIST-MOVI chunk (which is where the stream should be */ GET_LIST_HEADER(); - if (fourcc_tag != MOVI_TAG){ - ret= AVERROR_INVALIDDATA; + if (fourcc_tag != MOVI_TAG) { + ret = AVERROR_INVALIDDATA; goto fail; } @@ -248,7 +249,7 @@ static int fourxm_read_packet(AVFormatContext *s, AVPacket *pkt) { FourxmDemuxContext *fourxm = s->priv_data; - AVIOContext *pb = s->pb; + AVIOContext *pb = s->pb; unsigned int fourcc_tag; unsigned int size; int ret = 0; 
@@ -258,18 +259,16 @@ static int fourxm_read_packet(AVFormatContext *s, int audio_frame_count; while (!packet_read) { - if ((ret = avio_read(s->pb, header, 8)) < 0) return ret; fourcc_tag = AV_RL32(&header[0]); - size = AV_RL32(&header[4]); + size = AV_RL32(&header[4]); if (pb->eof_reached) return AVERROR(EIO); switch (fourcc_tag) { - case LIST_TAG: /* this is a good time to bump the video pts */ - fourxm->video_pts ++; + fourxm->video_pts++; /* skip the LIST-* tag and move on to the next fourcc */ avio_rl32(pb); 
@@ -286,45 +285,43 @@ static int fourxm_read_packet(AVFormatContext *s, if (size + 8 < size || av_new_packet(pkt, size + 8)) return AVERROR(EIO); pkt->stream_index = fourxm->video_stream_index; - pkt->pts = fourxm->video_pts; - pkt->pos = avio_tell(s->pb); + pkt->pts = fourxm->video_pts; + pkt->pos = avio_tell(s->pb); memcpy(pkt->data, header, 8); ret = avio_read(s->pb, &pkt->data[8], size); - if (ret < 0){ + if (ret < 0) { av_free_packet(pkt); - }else + } else packet_read = 1; break; case snd__TAG: track_number = avio_rl32(pb); avio_skip(pb, 4); - size-=8; + size -= 8; - if (track_number < fourxm->track_count && fourxm->tracks[track_number].channels>0) { - ret= av_get_packet(s->pb, pkt, size); - if(ret<0) + if (track_number < fourxm->track_count && + fourxm->tracks[track_number].channels > 0) { + ret = av_get_packet(s->pb, pkt, size); + if (ret < 0) return AVERROR(EIO); pkt->stream_index = fourxm->tracks[track_number].stream_index; - pkt->pts = fourxm->tracks[track_number].audio_pts; + pkt->pts = fourxm->tracks[track_number].audio_pts; packet_read = 1; /* pts accounting */ audio_frame_count = size; if (fourxm->tracks[track_number].adpcm) - audio_frame_count -= - 2 * (fourxm->tracks[track_number].channels); - audio_frame_count /= - fourxm->tracks[track_number].channels; - if (fourxm->tracks[track_number].adpcm){ + audio_frame_count -= 2 * (fourxm->tracks[track_number].channels); + audio_frame_count /= fourxm->tracks[track_number].channels; + if (fourxm->tracks[track_number].adpcm) { audio_frame_count *= 2; - }else + } else audio_frame_count /= - (fourxm->tracks[track_number].bits / 8); + (fourxm->tracks[track_number].bits / 8); fourxm->tracks[track_number].audio_pts += audio_frame_count; - } else { avio_skip(pb, size); } From ea56f6e5a7e2ef64b313702dfd27e8118e98c31a Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Wed, 5 Jun 2013 18:45:45 +0200 Subject: [PATCH 0356/1037] 4xm: refactor fourxm_read_header Split sound and video tag parsing in separate functions. (cherry picked from commit e7a44f87d07655ec0cd31c315936931674434340) Signed-off-by: Luca Barbato Conflicts: libavcodec/4xm.c --- libavformat/4xm.c | 190 ++++++++++++++++++++++++---------------------- 1 file changed, 101 insertions(+), 89 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index a300e34289..2396045226 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -72,8 +72,6 @@ typedef struct AudioTrack { } AudioTrack; typedef struct FourxmDemuxContext { - int width; - int height; int video_stream_index; int track_count; AudioTrack *tracks; 
@@ -91,6 +89,104 @@ static int fourxm_probe(AVProbeData *p) return AVPROBE_SCORE_MAX; } +static int parse_vtrk(AVFormatContext *s, + FourxmDemuxContext *fourxm, uint8_t *buf, int size) +{ + AVStream *st; + /* check that there is enough data */ + if (size != vtrk_SIZE) { + return AVERROR_INVALIDDATA; + } + + /* allocate a new AVStream */ + st = avformat_new_stream(s, NULL); + if (!st) + return AVERROR(ENOMEM); + + avpriv_set_pts_info(st, 60, 1, fourxm->fps); + + fourxm->video_stream_index = st->index; + + st->codec->codec_type = AVMEDIA_TYPE_VIDEO; + st->codec->codec_id = AV_CODEC_ID_4XM; + st->codec->extradata_size = 4; + st->codec->extradata = av_malloc(4); + AV_WL32(st->codec->extradata, AV_RL32(buf + 16)); + st->codec->width = AV_RL32(buf + 36); + st->codec->height = AV_RL32(buf + 40); + + return 0; +} + + +static int parse_strk(AVFormatContext *s, + FourxmDemuxContext *fourxm, uint8_t *buf, int size) +{ + AVStream *st; + int track; + /* check that there is enough data */ + if (size != strk_SIZE) + return AVERROR_INVALIDDATA; + + track = AV_RL32(buf + 8); + + if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { + av_log(s, AV_LOG_ERROR, "current_track too large\n"); + return AVERROR_INVALIDDATA; + } + if (track + 1 > fourxm->track_count) { + AudioTrack *tmp = av_realloc(fourxm->tracks, + (track + 1) * sizeof(AudioTrack)); + if (!tmp) + return AVERROR(ENOMEM); + fourxm->tracks = tmp; + memset(&fourxm->tracks[fourxm->track_count], 0, + sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); + fourxm->track_count = track + 1; + } + fourxm->tracks[track].adpcm = AV_RL32(buf + 12); + fourxm->tracks[track].channels = AV_RL32(buf + 36); + fourxm->tracks[track].sample_rate = AV_RL32(buf + 40); + fourxm->tracks[track].bits = AV_RL32(buf + 44); + fourxm->tracks[track].audio_pts = 0; + + if (fourxm->tracks[track].channels <= 0 || + fourxm->tracks[track].sample_rate <= 0 || + fourxm->tracks[track].bits < 0) { + av_log(s, AV_LOG_ERROR, "audio header invalid\n"); + 
return AVERROR_INVALIDDATA; + } + /* allocate a new AVStream */ + st = avformat_new_stream(s, NULL); + if (!st) + return AVERROR(ENOMEM); + + st->id = track; + avpriv_set_pts_info(st, 60, 1, fourxm->tracks[track].sample_rate); + + fourxm->tracks[track].stream_index = st->index; + + st->codec->codec_type = AVMEDIA_TYPE_AUDIO; + st->codec->codec_tag = 0; + st->codec->channels = fourxm->tracks[track].channels; + st->codec->sample_rate = fourxm->tracks[track].sample_rate; + st->codec->bits_per_coded_sample = fourxm->tracks[track].bits; + st->codec->bit_rate = st->codec->channels * + st->codec->sample_rate * + st->codec->bits_per_coded_sample; + st->codec->block_align = st->codec->channels * + st->codec->bits_per_coded_sample; + + if (fourxm->tracks[track].adpcm){ + st->codec->codec_id = AV_CODEC_ID_ADPCM_4XM; + } else if (st->codec->bits_per_coded_sample == 8) { + st->codec->codec_id = AV_CODEC_ID_PCM_U8; + } else + st->codec->codec_id = AV_CODEC_ID_PCM_S16LE; + + return 0; +} + static int fourxm_read_header(AVFormatContext *s) { AVIOContext *pb = s->pb; @@ -100,7 +196,6 @@ static int fourxm_read_header(AVFormatContext *s) FourxmDemuxContext *fourxm = s->priv_data; unsigned char *header; int i, ret; - AVStream *st; fourxm->track_count = 0; fourxm->tracks = NULL; 
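Review bot: In parse_strk the sanity check accepts any non-negative `bits`, but the non-ADPCM path of fourxm_read_packet divides by `bits / 8`, so a header declaring 0 to 7 bits with `adpcm` clear ends in a division by zero on the first audio chunk. The guard should require a usable sample width for PCM tracks, for example `(!fourxm->tracks[track].adpcm && fourxm->tracks[track].bits < 8)` in place of `bits < 0`; whether ADPCM tracks may legitimately carry a small value there is not visible here. In parse_vtrk the result of `av_malloc(4)` is written through by `AV_WL32` without a NULL check; `if (!st->codec->extradata) return AVERROR(ENOMEM);` belongs between the two lines, with `extradata_size` set only after the allocation succeeded.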
@@ -132,98 +227,15 @@ static int fourxm_read_header(AVFormatContext *s) if (fourcc_tag == std__TAG) { fourxm->fps = av_int2float(AV_RL32(&header[i + 12])); } else if (fourcc_tag == vtrk_TAG) { - /* check that there is enough data */ - if (size != vtrk_SIZE) { - ret = AVERROR_INVALIDDATA; + if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0) goto fail; - } - fourxm->width = AV_RL32(&header[i + 36]); - fourxm->height = AV_RL32(&header[i + 40]); - - /* allocate a new AVStream */ - st = avformat_new_stream(s, NULL); - if (!st) { - ret = AVERROR(ENOMEM); - goto fail; - } - avpriv_set_pts_info(st, 60, 1, fourxm->fps); - - fourxm->video_stream_index = st->index; - - st->codec->codec_type = AVMEDIA_TYPE_VIDEO; - st->codec->codec_id = AV_CODEC_ID_4XM; - st->codec->extradata_size = 4; - st->codec->extradata = av_malloc(4); - AV_WL32(st->codec->extradata, AV_RL32(&header[i + 16])); - st->codec->width = fourxm->width; - st->codec->height = fourxm->height; i += 8 + size; } else if (fourcc_tag == strk_TAG) { - int current_track; - /* check that there is enough data */ - if (size != strk_SIZE) { - ret= AVERROR_INVALIDDATA; + if ((ret = parse_strk(s, fourxm, header + i, size)) < 0) goto fail; - } - current_track = AV_RL32(&header[i + 8]); - if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){ - av_log(s, AV_LOG_ERROR, "current_track too large\n"); - ret= -1; - goto fail; - } - if (current_track + 1 > fourxm->track_count) { - fourxm->tracks = av_realloc(fourxm->tracks, - (current_track + 1) * sizeof(AudioTrack)); - if (!fourxm->tracks) { - ret = AVERROR(ENOMEM); - goto fail; - } - memset(&fourxm->tracks[fourxm->track_count], 0, - sizeof(AudioTrack) * (current_track + 1 - fourxm->track_count)); - fourxm->track_count = current_track + 1; - } - fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]); - fourxm->tracks[current_track].channels = AV_RL32(&header[i + 36]); - fourxm->tracks[current_track].sample_rate = AV_RL32(&header[i + 40]); - 
fourxm->tracks[current_track].bits = AV_RL32(&header[i + 44]); - fourxm->tracks[current_track].audio_pts = 0; - if (fourxm->tracks[current_track].channels <= 0 || - fourxm->tracks[current_track].sample_rate <= 0 || - fourxm->tracks[current_track].bits < 0) { - av_log(s, AV_LOG_ERROR, "audio header invalid\n"); - ret = -1; - goto fail; - } + i += 8 + size; - - /* allocate a new AVStream */ - st = avformat_new_stream(s, NULL); - if (!st) { - ret = AVERROR(ENOMEM); - goto fail; - } - - st->id = current_track; - avpriv_set_pts_info(st, 60, 1, - fourxm->tracks[current_track].sample_rate); - - fourxm->tracks[current_track].stream_index = st->index; - - st->codec->codec_type = AVMEDIA_TYPE_AUDIO; - st->codec->codec_tag = 0; - st->codec->channels = fourxm->tracks[current_track].channels; - st->codec->sample_rate = fourxm->tracks[current_track].sample_rate; - st->codec->bits_per_coded_sample = fourxm->tracks[current_track].bits; - st->codec->bit_rate = st->codec->channels * st->codec->sample_rate * - st->codec->bits_per_coded_sample; - st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample; - if (fourxm->tracks[current_track].adpcm){ - st->codec->codec_id = AV_CODEC_ID_ADPCM_4XM; - } else if (st->codec->bits_per_coded_sample == 8) { - st->codec->codec_id = AV_CODEC_ID_PCM_U8; - } else - st->codec->codec_id = AV_CODEC_ID_PCM_S16LE; } } From 3f71c0c1b08a815609fba9a9378171d1181083d3 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 18:56:28 +0200 Subject: [PATCH 0357/1037] 4xm: do not overread while parsing header Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 42d73f7f6bea0ee0f64a3ad4882860ce5b923a11) Signed-off-by: Luca Barbato --- libavformat/4xm.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 2396045226..c0b3914fa1 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c 
@@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p) } static int parse_vtrk(AVFormatContext *s, - FourxmDemuxContext *fourxm, uint8_t *buf, int size) + FourxmDemuxContext *fourxm, uint8_t *buf, int size, + int left) { AVStream *st; /* check that there is enough data */ - if (size != vtrk_SIZE) { + if (size != vtrk_SIZE || left < size + 8) { return AVERROR_INVALIDDATA; } @@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s, static int parse_strk(AVFormatContext *s, - FourxmDemuxContext *fourxm, uint8_t *buf, int size) + FourxmDemuxContext *fourxm, uint8_t *buf, int size, + int left) { AVStream *st; int track; /* check that there is enough data */ - if (size != strk_SIZE) + if (size != strk_SIZE || left < size + 8) return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); @@ -225,14 +227,20 @@ static int fourxm_read_header(AVFormatContext *s) size = AV_RL32(&header[i + 4]); if (fourcc_tag == std__TAG) { + if (header_size - i < 16) { + ret = AVERROR_INVALIDDATA; + goto fail; + } fourxm->fps = av_int2float(AV_RL32(&header[i + 12])); } else if (fourcc_tag == vtrk_TAG) { - if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0) + if ((ret = parse_vtrk(s, fourxm, header + i, size, + header_size - i)) < 0) goto fail; i += 8 + size; } else if (fourcc_tag == strk_TAG) { - if ((ret = parse_strk(s, fourxm, header + i, size)) < 0) + if ((ret = parse_strk(s, fourxm, header + i, size, + header_size - i)) < 0) goto fail; i += 8 + size; From dac0d4f354fe5ae93910cc6b30df9b992cca6be0 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 20:30:48 +0200 Subject: [PATCH 0358/1037] 4xm: fold last_picture lazy allocation in decode_p_frame (cherry picked from commit 50ec1db62d977b6e864f315a53c1c580a6d7efa4) Signed-off-by: Luca Barbato Conflicts: libavcodec/4xm.c --- libavcodec/4xm.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index f0e1b48975..ceaacee5a6 100644 --- a/libavcodec/4xm.c 
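Review bot: The new `header_size - i < 16` test bounds the read in the `std__TAG` branch, but the value stored in `fourxm->fps` is still taken from the file unvalidated, and parse_vtrk hands it to `avpriv_set_pts_info(st, 60, 1, fourxm->fps)` as the time-base denominator. If `fps` is a float (its declaration is outside these hunks), a NaN, zero, negative or very large value makes the float-to-integer conversion undefined or yields a degenerate time base. A check right after the assignment, `if (!(fourxm->fps > 0.0f)) { ret = AVERROR_INVALIDDATA; goto fail; }`, plus whatever upper bound the format warrants, would reject such headers.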
+++ b/libavcodec/4xm.c @@ -395,6 +395,16 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length) const int stride = f->current_picture.linesize[0] >> 1; unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset; + int ret; + + if (!f->last_picture.data[0]) { + if ((ret = ff_get_buffer(f->avctx, &f->last_picture)) < 0) { + av_log(f->avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + return ret; + } + memset(f->last_picture.data[0], 0, + f->avctx->height * FFABS(f->last_picture.linesize[0])); + } if (f->version > 1) { extra = 20; @@ -852,14 +862,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, if (decode_i_frame(f, buf, frame_size) < 0) return -1; } else if (frame_4cc == AV_RL32("pfrm") || frame_4cc == AV_RL32("pfr2")) { - if (!f->last_picture.data[0]) { - f->last_picture.reference = 1; - if (ff_get_buffer(avctx, &f->last_picture) < 0) { - av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return -1; - } - memset(f->last_picture.data[0], 0, avctx->height * FFABS(f->last_picture.linesize[0])); - } p->pict_type = AV_PICTURE_TYPE_P; if (decode_p_frame(f, buf, frame_size) < 0) From d0cabcc78975e8d4ffc84cffc3a390807e415ffa Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 5 Jun 2013 22:33:34 +0200 Subject: [PATCH 0359/1037] 4xm: forward errors from decode_p_block Partially mitigate out of memory writes. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b8b809908ec547b2609dbac24194f4fd2df61aea) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index ceaacee5a6..696d2cf425 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c 
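Review bot: The lazy allocation moved into decode_p_frame no longer sets `f->last_picture.reference = 1` before `ff_get_buffer()`, which the block removed from decode_frame did. If this branch's buffer handling still consults that field to decide whether a buffer may be recycled (the commit message records a cherry-pick conflict, so this may be a backport artefact), the reference frame should keep it, i.e. `f->last_picture.reference = 1;` ahead of the call. A one-line comment above the `memset` would also help: it exists so that a stream starting with a P-frame predicts from a zeroed picture rather than from uninitialised buffer contents.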
@@ -333,8 +333,8 @@ static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, } } -static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, - int log2w, int log2h, int stride) +static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, + int log2w, int log2h, int stride) { const int index = size2index[log2h][log2w]; const int h = 1 << log2h; 
@@ -343,33 +343,41 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, BLOCK_TYPE_VLC_BITS, 1); uint16_t *start = (uint16_t *)f->last_picture.data[0]; uint16_t *end = start + stride * (f->avctx->height - h + 1) - (1 << log2w); + int ret; - assert(code >= 0 && code <= 6); + if (code < 0 || code > 6) + return AVERROR_INVALIDDATA; if (code == 0) { src += f->mv[bytestream2_get_byte(&f->g)]; if (start > src || src > end) { av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); - return; + return AVERROR_INVALIDDATA; } mcdc(dst, src, log2w, h, stride, 1, 0); } else if (code == 1) { log2h--; - decode_p_block(f, dst, src, log2w, log2h, stride); - decode_p_block(f, dst + (stride << log2h), - src + (stride << log2h), log2w, log2h, stride); + if ((ret = decode_p_block(f, dst, src, log2w, log2h, stride)) < 0) + return ret; + if ((ret = decode_p_block(f, dst + (stride << log2h), + src + (stride << log2h), + log2w, log2h, stride)) < 0) + return ret; } else if (code == 2) { log2w--; - decode_p_block(f, dst , src, log2w, log2h, stride); - decode_p_block(f, dst + (1 << log2w), - src + (1 << log2w), log2w, log2h, stride); + if ((ret = decode_p_block(f, dst , src, log2w, log2h, stride)) < 0) + return ret; + if ((ret = decode_p_block(f, dst + (1 << log2w), + src + (1 << log2w), + log2w, log2h, stride)) < 0) + return ret; } else if (code == 3 && f->version < 2) { mcdc(dst, src, log2w, h, stride, 1, 0); } else if (code == 4) { src += f->mv[bytestream2_get_byte(&f->g)]; if (start > src || src > end) { av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); - return; + return AVERROR_INVALIDDATA; } mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2)); } else if (code == 5) { @@ -383,6 +391,7 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, dst[stride] = bytestream2_get_le16(&f->g2); } } + return 0; } static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length) 
@@ -449,7 +458,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length) for (y = 0; y < height; y += 8) { for (x = 0; x < width; x += 8) - decode_p_block(f, dst + x, src + x, 3, 3, stride); + if ((ret = decode_p_block(f, dst + x, src + x, 3, 3, stride)) < 0) + return ret; src += 8 * stride; dst += 8 * stride; } From f82e9deec2c2657d73731ab16c49efba5559670d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 6 Jun 2013 14:21:19 +0200 Subject: [PATCH 0360/1037] 4xm: drop pointless assert Make sure the value of wlog2 is always between 0 and 3. (cherry picked from commit 1f0c6075604c271d5627480f1243d22795f9a315) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 696d2cf425..4973b41636 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -329,7 +329,7 @@ static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w, } break; default: - assert(0); + break; } } @@ -345,7 +345,7 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, uint16_t *end = start + stride * (f->avctx->height - h + 1) - (1 << log2w); int ret; - if (code < 0 || code > 6) + if (code < 0 || code > 6 || log2w < 0) return AVERROR_INVALIDDATA; if (code == 0) { From ded74ab5d1ccfef375090a0e828fa123c589083c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 6 Jun 2013 16:58:57 +0200 Subject: [PATCH 0361/1037] 4xm: reject frames not compatible with the declared version Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 145023f57262d21474e35b4a6069cf95136339d4) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 4973b41636..dbf49177e6 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c 
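Review bot: The added `log2w < 0` test in decode_p_block runs after `log2w` and `log2h` have already been used: the declarations at the top of the function (partly outside this hunk) evaluate `size2index[log2h][log2w]`, `1 << log2h` and `(1 << log2w)` in the `end` computation before this line is reached. A negative value therefore still indexes the table out of bounds and shifts by a negative count, and `log2h`, which the `code == 1` branch decrements the same way, is not tested at all. Unless the VLC tables guarantee that a split code never appears at size zero, the range test needs to come first, `if (log2w < 0 || log2h < 0) return AVERROR_INVALIDDATA;`, with `index`, `h` and `end` assigned after it instead of in their initialisers.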
@@ -835,6 +835,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, av_log(f->avctx, AV_LOG_ERROR, "cframe id mismatch %d %d\n", id, avctx->frame_number); + if (f->version <= 1) + return AVERROR_INVALIDDATA; + cfrm->size = cfrm->id = 0; frame_4cc = AV_RL32("pfrm"); } else From 6ddc1eb037042da814a62aa7f54517a897f0bdad Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 7 Jun 2013 16:16:46 +0200 Subject: [PATCH 0362/1037] 4xm: validate the buffer size before parsing it Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit de2e5777e225e75813daf2373c95e223651fd89a) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index dbf49177e6..493e2ad152 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -416,6 +416,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length) } if (f->version > 1) { + if (length < 20) + return AVERROR_INVALIDDATA; extra = 20; bitstream_size = AV_RL32(buf + 8); wordstream_size = AV_RL32(buf + 12); 
@@ -786,18 +788,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, AVFrame *p, temp; int i, frame_4cc, frame_size; - frame_4cc = AV_RL32(buf); - if (buf_size != AV_RL32(buf + 4) + 8 || buf_size < 20) + if (buf_size < 20) + return AVERROR_INVALIDDATA; + + if (buf_size < AV_RL32(buf + 4) + 8) { av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4)); + return AVERROR_INVALIDDATA; + } + + frame_4cc = AV_RL32(buf); if (frame_4cc == AV_RL32("cfrm")) { int free_index = -1; + int id, whole_size; const int data_size = buf_size - 20; - const int id = AV_RL32(buf + 12); - const int whole_size = AV_RL32(buf + 16); CFrameBuffer *cfrm; + if (data_size < 0) + return AVERROR_INVALIDDATA; + + id = AV_RL32(buf + 12); + whole_size = AV_RL32(buf + 16); + for (i = 0; i < CFRAME_BUFFER_COUNT; i++) if (f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number) av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", From d33b0f72245da71f7121b08116ef8732731f5adf Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 7 Jun 2013 16:18:22 +0200 Subject: [PATCH 0363/1037] 4xm: do not overread the prestream buffer Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit be373cb50d3c411366fec7eef2eb3681abe48f96) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 493e2ad152..5602f62026 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -576,7 +576,8 @@ static int decode_i_mb(FourXContext *f) } static const uint8_t *read_huffman_tables(FourXContext *f, - const uint8_t * const buf) + const uint8_t * const buf, + int len) { int frequency[512] = { 0 }; uint8_t flag[512]; 
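Review bot: `AV_RL32(buf + 4) + 8` in decode_frame is evaluated in unsigned arithmetic (assuming AV_RL32 yields a 32-bit unsigned value, as elsewhere in the tree), so a declared size of 0xFFFFFFF8 or above wraps to a small number and the new `buf_size < AV_RL32(buf + 4) + 8` test lets it through. Comparing without the addition avoids the wrap: `if (AV_RL32(buf + 4) > buf_size - 8) {`, which is safe because `buf_size >= 20` is established just above. The later `if (data_size < 0)` can no longer fire after that same `buf_size < 20` check, and the `%d` in the log message is given an unsigned argument.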
@@ -594,12 +595,20 @@ static const uint8_t *read_huffman_tables(FourXContext *f, for (;;) { int i; + len -= end - start + 1; + + if (end < start || len < 0) + return NULL; + for (i = start; i <= end; i++) frequency[i] = *ptr++; start = *ptr++; if (start == 0) break; + if (--len < 0) + return NULL; + end = *ptr++; } frequency[256] = 1; @@ -741,7 +750,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length) return -1; } - prestream = read_huffman_tables(f, prestream); + prestream = read_huffman_tables(f, prestream, prestream_size); if (!prestream) { av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); return AVERROR_INVALIDDATA; From 1a0cdd18b0cc3373c3a1348a8d5a4dab86a994d5 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:22:24 +0200 Subject: [PATCH 0364/1037] smacker: fix an off by one in huff.length computation Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit ee205588b250fe5cae0681be8eba51a5403c3272) Signed-off-by: Luca Barbato --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index b20a7b6d10..8c26e1ec4f 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -246,7 +246,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int ctx.recode2 = tmp2.values; ctx.last = last; - huff.length = ((size + 3) >> 2) + 3; + huff.length = ((size + 3) >> 2) + 4; huff.maxlength = 0; huff.current = 0; huff.values = av_mallocz(huff.length * sizeof(int)); From 5e6122ddadae542350933c2077434f17d51587a7 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:27:00 +0200 Subject: [PATCH 0365/1037] smacker: check the return value of smacker_decode_tree Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org 
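Review bot: The length accounting in read_huffman_tables is one byte short per range: each pass consumes `end - start + 1` frequency bytes plus `start = *ptr++` and, when it continues, `end = *ptr++`, but only the frequency bytes and a single `--len` are subtracted, and the `start` read happens before any check covers it. When the frequencies use up `len` exactly, the byte read as the next `start` lies past the declared prestream. Counting that byte together with the frequencies, `len -= end - start + 2;`, keeps `len` in step with `ptr`. The first `start`/`end` reads before the loop are outside this hunk and need the same accounting.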
Signed-off-by: Luca Barbato (cherry picked from commit a2f9937bb04b23a341b0ec0eb1d923bbeb420277) Signed-off-by: Luca Barbato --- libavcodec/smacker.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 8c26e1ec4f..a72d7c5a35 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -639,7 +639,16 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, h[i].lengths = av_mallocz(256 * sizeof(int)); h[i].values = av_mallocz(256 * sizeof(int)); skip_bits1(&gb); - smacker_decode_tree(&gb, &h[i], 0, 0); + if (smacker_decode_tree(&gb, &h[i], 0, 0) < 0) { + for (; i >= 0; i--) { + if (vlc[i].table) + ff_free_vlc(&vlc[i]); + av_free(h[i].bits); + av_free(h[i].lengths); + av_free(h[i].values); + } + return AVERROR_INVALIDDATA; + } skip_bits1(&gb); if(h[i].current > 1) { res = init_vlc(&vlc[i], SMKTREE_BITS, h[i].length, From 71b8ef938c1ec4aedc6459ec7338a4abf0f807b8 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:28:07 +0200 Subject: [PATCH 0366/1037] smacker: pad the extradata allocation Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 4c22baf65363433f8c20efd1022b4ba2d8cf2288) Signed-off-by: Luca Barbato --- libavformat/smacker.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 17c7c529e7..df074a4c5d 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -210,7 +210,8 @@ static int smacker_read_header(AVFormatContext *s) /* load trees to extradata, they will be unpacked by decoder */ - st->codec->extradata = av_malloc(smk->treesize + 16); + st->codec->extradata = av_mallocz(smk->treesize + 16 + + FF_INPUT_BUFFER_PADDING_SIZE); st->codec->extradata_size = smk->treesize + 16; if(!st->codec->extradata){ av_log(s, AV_LOG_ERROR, "Cannot allocate %i bytes of extradata\n", smk->treesize + 16); 
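Review bot: The `av_mallocz()` results assigned to `h[i].lengths` and `h[i].values` just above (and presumably `h[i].bits`, allocated outside this hunk) are passed to `smacker_decode_tree()` without a NULL check, so an allocation failure reaches the tree decoder with null tables even though the new error path frees them carefully. A guard before `skip_bits1(&gb)`, `if (!h[i].bits || !h[i].lengths || !h[i].values)`, should run the same cleanup and return `AVERROR(ENOMEM)`. Since the free sequence would then appear more than once in smka_decode_frame, a shared cleanup label would keep it in one place. The loop also depends on `vlc[]` being zero-initialised for `vlc[i].table` to be meaningful at the current `i`; that initialisation is not visible here.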
From 7e326d52a783fd2f1a93e07bdb2ce74176d4c4a6 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Wed, 12 Jun 2013 14:30:51 +0200 Subject: [PATCH 0367/1037] smacker: check frame size validity Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 07423ad7836325e03894f2f87ba46a531a1cc0b3) Signed-off-by: Luca Barbato --- libavformat/smacker.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index df074a4c5d..4a3a2b39d1 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -304,10 +304,14 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) /* if audio chunks are present, put them to stack and retrieve later */ for(i = 0; i < 7; i++) { if(flags & 1) { - int size; + uint32_t size; uint8_t *tmpbuf; size = avio_rl32(s->pb) - 4; + if (!size || size > frame_size) { + av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); + return AVERROR_INVALIDDATA; + } frame_size -= size; frame_size -= 4; smk->curstream++; From 5d2e4c918f35b247fb5a19b74d84de52cbc34e2c Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 16 Jun 2013 19:31:58 +0200 Subject: [PATCH 0368/1037] update Changelog --- Changelog | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/Changelog b/Changelog index 3ceb469850..2676d15fa3 100644 --- a/Changelog +++ b/Changelog 
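Review bot: The bound `size > frame_size` in smacker_read_packet does not include the four length bytes that `frame_size -= 4` removes right afterwards, so an audio part with `frame_size - 4 < size <= frame_size` passes and leaves `frame_size` negative. If `frame_size` is a signed int (its declaration is outside the hunk), that negative value is converted to a large unsigned number when compared with the `uint32_t size` on the next pass, and the check stops limiting anything. Widening the comparison covers both cases: `if (!size || size + 4LL > frame_size) {`. A length field below 4, which wraps `size` to a huge value, is rejected by the same test.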
@@ -1,6 +1,29 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.7: + +Most of the following fixes resulted from test samples that the Google +Security Team has kindly made available to us: + +- 4xm: fix several programming errors to avoid crashes, etc. +- apetag: use int64_t for filesize +- jpegls: Fix invalid writes to memory +- ljpeg: use the correct number of components in YUV +- mjpeg: Validate sampling factors +- mjpegdec: properly report unsupported disabled features +- mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac +- mpegvideo: allocate sufficiently large scratch buffer for interlaced vid +- pixdesc: mark gray8 as pseudopal +- smacker: fix several programming errors to avoid crashes, etc. +- tiff: do not overread the source buffer +- vmd: drop incomplete chunks and spurious samples +- vmdav: convert to bytestream2 to avoid invalid reads and writes +- wavpack: check packet size early +- wavpack: use bytestream2 in wavpack_decode_block +- wavpack: validate samples size parsed in wavpack_decode_block + + version 9.6: - aac: check the maximum number of channels to avoid invalid writes - indeo3: fix off by one in MV validity check From d9a91dfb542ae3a5b0dcf2339183ee0177b8ab16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2013 02:09:46 +0200 Subject: [PATCH 0369/1037] swresample/x86/audio_convert: add emms to CONV Fixes ticket #1874 Signed-off-by: Michael Niedermayer (cherry picked from commit ca2818b88155029bb6f989ee522e7f8e9e9f5927) --- libswresample/x86/audio_convert.asm | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswresample/x86/audio_convert.asm b/libswresample/x86/audio_convert.asm index ad46977c6f..4963959c54 100644 --- a/libswresample/x86/audio_convert.asm +++ b/libswresample/x86/audio_convert.asm 
@@ -195,7 +195,12 @@ cglobal %2_to_%1_%3, 3, 3, 6, dst, src, len add lenq, 2*mmsize/(1<<%4) %endif jl .next +%if mmsize == 8 + emms + RET +%else REP_RET +%endif %endmacro %macro PACK_6CH 5-7 From 8268c1fea870b78975499db5a5151ab5cdc9e24b Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 19 Jun 2013 16:31:10 +0200 Subject: [PATCH 0370/1037] Autodetect idcin only if audio properties allow decoding. Fixes ticket #2688. (cherry picked from commit 06bede95fcea47d2e51e8ff248c15311f335b898) --- libavformat/idcin.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/idcin.c b/libavformat/idcin.c index bede04075e..fdd19e14a5 100644 --- a/libavformat/idcin.c +++ b/libavformat/idcin.c @@ -91,7 +91,7 @@ typedef struct IdcinDemuxContext { static int idcin_probe(AVProbeData *p) { - unsigned int number; + unsigned int number, sample_rate; /* * This is what you could call a "probabilistic" file check: id CIN @@ -120,18 +120,18 @@ static int idcin_probe(AVProbeData *p) return 0; /* check the audio sample rate */ - number = AV_RL32(&p->buf[8]); - if ((number != 0) && ((number < 8000) | (number > 48000))) + sample_rate = AV_RL32(&p->buf[8]); + if (sample_rate && (sample_rate < 8000 || sample_rate > 48000)) return 0; /* check the audio bytes/sample */ number = AV_RL32(&p->buf[12]); - if (number > 2) + if (number > 2 || sample_rate && !number) return 0; /* check the audio channels */ number = AV_RL32(&p->buf[16]); - if (number > 2) + if (number > 2 || sample_rate && !number) return 0; /* return half certainly since this check is a bit sketchy */ From 2cfdf732efafa3a8c556d562bcc0bed4106150a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2013 01:11:45 +0200 Subject: [PATCH 0371/1037] avformat/libmodplug: Reduce the probe score for small input This ensures that theres enough data for mpeg_probe() to recognize mpeg-ps Fixes Ticket2583 Based on code by: Paul B Mahol 
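Review bot: In idcin_probe the two new conditions `number > 2 || sample_rate && !number` mix `||` and `&&` without parentheses, in both the bytes-per-sample and the channel-count tests. The precedence is what the author intends, but it reads ambiguously and triggers `-Wparentheses`; `if (number > 2 || (sample_rate && !number))` states it outright. A short comment such as `/* audio present: bytes/sample and channels must be non-zero */` would record why a zero is only rejected when a sample rate is set.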
Signed-off-by: Michael Niedermayer (cherry picked from commit c605adbf562fbf535e83ae427bb681bc45e440c8) --- libavformat/libmodplug.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/libavformat/libmodplug.c b/libavformat/libmodplug.c index aa8edccb59..4ba9392aa0 100644 --- a/libavformat/libmodplug.c +++ b/libavformat/libmodplug.c @@ -347,6 +347,19 @@ static int modplug_read_seek(AVFormatContext *s, int stream_idx, int64_t ts, int return 0; } +static const char modplug_extensions[] = "669,abc,amf,ams,dbm,dmf,dsm,far,it,mdl,med,mid,mod,mt2,mtm,okt,psm,ptm,s3m,stm,ult,umx,xm,itgz,itr,itz,mdgz,mdr,mdz,s3gz,s3r,s3z,xmgz,xmr,xmz"; + +static int modplug_probe(AVProbeData *p) +{ + if (av_match_ext(p->filename, modplug_extensions)) { + if (p->buf_size < 16384) + return AVPROBE_SCORE_MAX/4-1; + else + return AVPROBE_SCORE_MAX/2; + } + return 0; +} + static const AVClass modplug_class = { .class_name = "ModPlug demuxer", .item_name = av_default_item_name, @@ -358,11 +371,11 @@ AVInputFormat ff_libmodplug_demuxer = { .name = "libmodplug", .long_name = NULL_IF_CONFIG_SMALL("ModPlug demuxer"), .priv_data_size = sizeof(ModPlugContext), + .read_probe = modplug_probe, .read_header = modplug_read_header, .read_packet = modplug_read_packet, .read_close = modplug_read_close, .read_seek = modplug_read_seek, - .extensions = "669,abc,amf,ams,dbm,dmf,dsm,far,it,mdl,med,mid,mod,mt2,mtm,okt,psm,ptm,s3m,stm,ult,umx,xm" - ",itgz,itr,itz,mdgz,mdr,mdz,s3gz,s3r,s3z,xmgz,xmr,xmz", // compressed mods + .extensions = modplug_extensions, .priv_class = &modplug_class, }; From d8e76a531cd7064725fbb8ff842c60d6d6fabd3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2013 20:20:56 +0200 Subject: [PATCH 0372/1037] avdevice/x11grab: allocate just one Cursor Fixes resource leak and Ticket2450 Reviewed-by: Carl Eugen Hoyos 
Signed-off-by: Michael Niedermayer (cherry picked from commit 1ee8fadb811f3b1ef370c7d6c7bf62088f1cc954) --- libavdevice/x11grab.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavdevice/x11grab.c b/libavdevice/x11grab.c index 612400654b..7db1da675a 100644 --- a/libavdevice/x11grab.c +++ b/libavdevice/x11grab.c @@ -78,6 +78,7 @@ struct x11grab { int show_region; /**< set by a private option. */ char *framerate; /**< Set by a private option. */ + Cursor c; Window region_win; /**< This is used by show_region option. */ }; @@ -353,7 +354,6 @@ paint_mouse_pointer(XImage *image, struct x11grab *s) * Anyone who performs further investigation of the xlib API likely risks * permanent brain damage. */ uint8_t *pix = image->data; - Cursor c; Window w; XSetWindowAttributes attr; @@ -361,9 +361,10 @@ paint_mouse_pointer(XImage *image, struct x11grab *s) if (image->bits_per_pixel != 24 && image->bits_per_pixel != 32) return; - c = XCreateFontCursor(dpy, XC_left_ptr); + if(!s->c) + s->c = XCreateFontCursor(dpy, XC_left_ptr); w = DefaultRootWindow(dpy); - attr.cursor = c; + attr.cursor = s->c; XChangeWindowAttributes(dpy, w, CWCursor, &attr); xcim = XFixesGetCursorImage(dpy); From 24dc6b1a06d6dcfd02b34a07f452ea33cd07d9d2 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Sat, 15 Jun 2013 22:46:01 +0200 Subject: [PATCH 0373/1037] mathops/x86: work around inline asm miscompilation with GCC 4.8.1 The volatile is not required here, and prevents a miscompilation with GCC 4.8.1 when building on x86 with --cpu=i686 Signed-off-by: Michael Niedermayer (cherry picked from commit 659df32a9d8984081ccd54adc3aee7daeb33388d) --- libavcodec/x86/mathops.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/mathops.h b/libavcodec/x86/mathops.h index 79e29e6232..76ea1315c2 100644 --- a/libavcodec/x86/mathops.h +++ b/libavcodec/x86/mathops.h 
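Review bot: The cached cursor added to `struct x11grab` is named `c` and has no trailing `/**< ... */` comment, unlike the neighbouring fields; something like `Cursor c; /**< XC_left_ptr cursor, created on the first paint_mouse_pointer() call */` would document it. The patch stops creating a cursor per frame, but no `XFreeCursor()` appears in these hunks; if the close callback, which is outside them, does not release `s->c`, one cursor per capture context is still left allocated on the X server. The `if(!s->c)` test also assumes the private context is zero-initialised, which is worth stating in that comment.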
@@ -74,7 +74,7 @@ static av_always_inline av_const int64_t MUL64(int a, int b) static inline av_const int mid_pred(int a, int b, int c) { int i=b; - __asm__ volatile( + __asm__ ( "cmp %2, %1 \n\t" "cmovg %1, %0 \n\t" "cmovg %2, %1 \n\t" From e2dcc4452dada1633c54601e8073b1ed84ff4b7e Mon Sep 17 00:00:00 2001 From: Nigel Touati-Evans Date: Thu, 27 Jun 2013 12:28:43 +0100 Subject: [PATCH 0374/1037] Fix copying extradata to codec in mxfdec.c The code that copies any extradata from the MXFDescriptor to the codec does not set the size, which it should otherwise the copied data is useless. Signed-off-by: Michael Niedermayer (cherry picked from commit 42bd0cd21ae68abef4436cc97d67f592be38d3e3) Conflicts: libavformat/mxfdec.c --- libavformat/mxfdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index bb5f4a7808..88cfd5d5a2 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1591,8 +1591,10 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) } if (descriptor->extradata) { st->codec->extradata = av_mallocz(descriptor->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); - if (st->codec->extradata) + if (st->codec->extradata) { memcpy(st->codec->extradata, descriptor->extradata, descriptor->extradata_size); + st->codec->extradata_size = descriptor->extradata_size; + } } else if(st->codec->codec_id == CODEC_ID_H264) { ff_generate_avci_extradata(st); } From 04c29196ad70af4efe656a777cfbf6a02404303c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 10 Jun 2013 16:37:43 +0200 Subject: [PATCH 0375/1037] 4xm: check bitstream_size boundary before using it Prevent buffer overread. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 59d7bb99b6a963b7e11c637228b2203adf535eee) Signed-off-by: Reinhard Tartler --- libavcodec/4xm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
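Review bot: The `__asm__` statement in `mid_pred` loses `volatile` with no comment, so the next reader cannot tell the qualifier was dropped on purpose and may put it back. I would add `/* not volatile: no side effects besides the outputs; volatile triggers a miscompilation with GCC 4.8.1 on i686 */` above it. The operand and clobber lists are outside the hunk, so that statement should be checked against them before the comment goes in.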
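Review bot: When `av_mallocz` fails, the `if (st->codec->extradata)` block is skipped and parsing carries on with no extradata and no error, so an out-of-memory condition only shows up later as a decoder failure. Returning `AVERROR(ENOMEM)` there would make it explicit, provided the function's cleanup (outside the hunk) allows an early return. The allocation size `descriptor->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE` comes from the file's descriptor and is not bounded in the hunk; if the field is a signed int, the sum should be range-checked before the allocation. `mxf_parse_structural_metadata` starts and ends outside the hunk.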
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 5602f62026..cf9ad72522 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -733,6 +733,9 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length) unsigned int prestream_size; const uint8_t *prestream; + if (bitstream_size > (1 << 26)) + return AVERROR_INVALIDDATA; + if (length < bitstream_size + 12) { av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); return AVERROR_INVALIDDATA; @@ -743,7 +746,6 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length) prestream = buf + bitstream_size + 12; if (prestream_size + bitstream_size + 12 != length - || bitstream_size > (1 << 26) || prestream_size > (1 << 26)) { av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length); From c7934c6c0b0c6e33a83ed12f6e20dc977a945384 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 9 Jun 2013 18:27:05 +0200 Subject: [PATCH 0376/1037] 4xm: do not overread the source buffer in decode_p_block Check for out of picture macroblocks before calling mcdc. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 94aefb1932be882fd93f66cf790ceb19ff575c19) Signed-off-by: Reinhard Tartler --- libavcodec/4xm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index cf9ad72522..99e0e2e4da 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -372,6 +372,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, log2w, log2h, stride)) < 0) return ret; } else if (code == 3 && f->version < 2) { + if (start > src || src > end) { + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return AVERROR_INVALIDDATA; + } mcdc(dst, src, log2w, h, stride, 1, 0); } else if (code == 4) { src += f->mv[bytestream2_get_byte(&f->g)]; 
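Review bot: The new early return for `bitstream_size > (1 << 26)` in `decode_i_frame` is the only rejection path here that logs nothing, while the two checks after it report through `av_log`. Adding `av_log(f->avctx, AV_LOG_ERROR, "bitstream_size too large\n");` before the return keeps malformed input diagnosable. The limit `(1 << 26)` now appears in two separate conditions and would read better as one named constant. The declaration that reads `bitstream_size` from `buf` is outside the hunk, so whether `length` is known to cover those bytes before the read cannot be confirmed from here.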
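Review bot: The range test `start > src || src > end` with its log line and return is pasted into the `code == 3` branch here and again into the `code == 5` branch in the next hunk, and the context suggests the `code == 4` branch carries the same lines. A small static helper taking `start`, `src` and `end` would keep the three sites from drifting apart. Whether `src == end` is a safe origin for `mcdc` depends on how `end` is computed, which is outside both hunks, so a comment at its definition stating that it is the last valid block origin would help. `decode_p_block` begins and ends outside the hunks.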
@@ -381,6 +385,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, } mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2)); } else if (code == 5) { + if (start > src || src > end) { + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return AVERROR_INVALIDDATA; + } mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2)); } else if (code == 6) { if (log2w) { From 9d1b173aae27aae016ff799e48cd5aa1bdaba0ad Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 28 Jun 2013 03:40:35 +0200 Subject: [PATCH 0377/1037] lavc: move put_bits_left in put_bits.h (cherry picked from commit afe03092dd693d025d43e1620283d8d285c92772) Signed-off-by: Reinhard Tartler --- libavcodec/dv.c | 5 ----- libavcodec/put_bits.h | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/dv.c b/libavcodec/dv.c index 7067f0caf2..0cbb106571 100644 --- a/libavcodec/dv.c +++ b/libavcodec/dv.c @@ -339,11 +339,6 @@ static av_cold int dvvideo_init_encoder(AVCodecContext *avctx) static const int vs_total_ac_bits = (100 * 4 + 68*2) * 5; static const int mb_area_start[5] = { 1, 6, 21, 43, 64 }; -static inline int put_bits_left(PutBitContext* s) -{ - return (s->buf_end - s->buf) * 8 - put_bits_count(s); -} - #if CONFIG_SMALL /* Converts run and level (where level != 0) pair into VLC, returning bit size */ static av_always_inline int dv_rl2vlc(int run, int level, int sign, uint32_t* vlc) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index f32b7fd060..d13a744e47 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -72,6 +72,14 @@ static inline int put_bits_count(PutBitContext *s) return (s->buf_ptr - s->buf) * 8 + 32 - s->bit_left; } +/** + * @return the number of bits available in the bitstream. + */ +static inline int put_bits_left(PutBitContext* s) +{ + return (s->buf_end - s->buf_ptr) * 8 - 32 + s->bit_left; +} + /** * Pad the end of the output stream with zeros. */ 
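Review bot: `put_bits_left` is presented as a move, but its body changes from `(s->buf_end - s->buf) * 8 - put_bits_count(s)` to `(s->buf_end - s->buf_ptr) * 8 - 32 + s->bit_left`; the two are algebraically equal given `put_bits_count` just above, and a comment or the commit message should say so. The doc comment should also state that the result subtracts the bits still pending in the bit buffer and, as far as the expression shows, can be negative when fewer than four bytes remain, since callers use it as a write bound. `PutBitContext* s` is spaced differently from `PutBitContext *s` in `put_bits_count`.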
From 88433979c21ccaba3581acd397d091f2a50a6028 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 28 Jun 2013 04:03:47 +0200 Subject: [PATCH 0378/1037] wmapro: make sure there is room to store the current packet Prevent horrid and hard to trace struct overwrite. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e30b068ef79f604ff439418da07f7e2efd01d4ea) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index efc8fce5c8..8fabc3a59c 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1464,6 +1464,14 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, return; } + if (len > put_bits_left(&s->pb)) { + av_log(s->avctx, AV_LOG_ERROR, + "Cannot append %d bits, only %d bits available.\n", + len, put_bits_left(&s->pb)); + s->packet_loss = 1; + return; + } + s->num_saved_bits += len; if (!append) { avpriv_copy_bits(&s->pb, gb->buffer + (get_bits_count(gb) >> 3), From fbeae4a95188d8042f0ff9f16836d49afa6f44af Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 28 Jun 2013 05:23:21 +0200 Subject: [PATCH 0379/1037] wmapro: check num_vec_coeffs against the actual available buffer Prevent yet another buffer overwrite. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 38229362529ed1619d8ebcc81ecde85b23b45895) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 8fabc3a59c..eed38f6dc7 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c 
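Review bot: The new guard in `save_bits` compares only `len` with `put_bits_left(&s->pb)`, while the lines after it add `len` to `s->num_saved_bits` and, in the `!append` branch, call `avpriv_copy_bits` with a bit count that is cut off by the hunk. If that count is `s->num_saved_bits` rather than `len`, the guard should test the same quantity that is copied; please confirm against the full function. `put_bits_left` is also evaluated twice, so `int left = put_bits_left(&s->pb);` would keep the tested value and the logged value identical.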
@@ -1124,11 +1124,12 @@ static int decode_subframe(WMAProDecodeCtx *s) cur_subwoofer_cutoff = s->subwoofer_cutoffs[s->table_idx]; /** configure the decoder for the current subframe */ + offset += s->samples_per_frame >> 1; + for (i = 0; i < s->channels_for_cur_subframe; i++) { int c = s->channel_indexes_for_cur_subframe[i]; - s->channel[c].coeffs = &s->channel[c].out[(s->samples_per_frame >> 1) - + offset]; + s->channel[c].coeffs = &s->channel[c].out[offset]; } s->subframe_len = subframe_len; @@ -1179,7 +1180,7 @@ static int decode_subframe(WMAProDecodeCtx *s) for (i = 0; i < s->channels_for_cur_subframe; i++) { int c = s->channel_indexes_for_cur_subframe[i]; int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; - if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) { + if (num_vec_coeffs + offset > FF_ARRAY_ELEMS(s->channel[c].out)) { av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs); return AVERROR_INVALIDDATA; } From 9761abffb69d9cb24fc187ffb2900b039a1ffd5e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 28 Jun 2013 05:21:33 +0200 Subject: [PATCH 0380/1037] wmapro: return early on unsupported condition Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6652338f43ef623045912d7f28b61adea05d27ae) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/wmaprodec.c --- libavcodec/wmaprodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index eed38f6dc7..57c22a4063 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -722,6 +722,7 @@ static int decode_channel_transform(WMAProDecodeCtx* s) if (get_bits1(&s->gb)) { av_log_ask_for_sample(s->avctx, "unsupported channel transform type\n"); + return AVERROR_PATCHWELCOME; } } else { chgroup->transform = 1; From 8bd037293769c5ed65adce83ba097571ff4d6faf Mon Sep 17 00:00:00 2001 
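Review bot: `offset += s->samples_per_frame >> 1;` changes the meaning of `offset` for the rest of `decode_subframe`, not only for the two places touched in these hunks. Any other use of `offset` between or after the hunks now sees the shifted value, and those lines are outside my view, so they need checking. In the second hunk `num_vec_coeffs + offset` is compared with `FF_ARRAY_ELEMS(...)`, which is unsigned; a comment noting that a negative sum is rejected through the conversion, or an explicit `offset < 0` test, would make the intent clear. The error message would be more useful if it printed `offset` as well.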
From: Luca Barbato Date: Sat, 29 Jun 2013 01:56:09 +0200 Subject: [PATCH 0381/1037] wmapro: check the min_samples_per_subframe Must be at least WMAPRO_BLOCK_MIN_SIZE. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d4a217a408da4bd63acc02cd8f9ebe378a2ad65a) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 57c22a4063..392d146a11 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -107,6 +107,7 @@ #define WMAPRO_BLOCK_MIN_BITS 6 ///< log2 of min block size #define WMAPRO_BLOCK_MAX_BITS 13 ///< log2 of max block size +#define WMAPRO_BLOCK_MIN_SIZE (1 << WMAPRO_BLOCK_MIN_BITS) ///< minimum block size #define WMAPRO_BLOCK_MAX_SIZE (1 << WMAPRO_BLOCK_MAX_BITS) ///< maximum block size #define WMAPRO_BLOCK_SIZES (WMAPRO_BLOCK_MAX_BITS - WMAPRO_BLOCK_MIN_BITS + 1) ///< possible block sizes @@ -340,6 +341,12 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + if (s->min_samples_per_subframe < WMAPRO_BLOCK_MIN_SIZE) { + av_log(avctx, AV_LOG_ERROR, "Invalid minimum block size %i\n", + s->max_num_subframes); + return AVERROR_INVALIDDATA; + } + if (s->avctx->sample_rate <= 0) { av_log(avctx, AV_LOG_ERROR, "invalid sample rate\n"); return AVERROR_INVALIDDATA; From efcfd50c9fec0670489d1c73b86d1247db29d8b3 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 29 Jun 2013 02:16:50 +0200 Subject: [PATCH 0382/1037] wmapro: error out on impossible scale factor offsets Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 02ec656af72030eea4f3d63e30b25625cce6a3df) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 392d146a11..ed9c6d31de 100644 
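Review bot: The new `av_log` call prints `s->max_num_subframes` under the text "Invalid minimum block size", although the value being rejected is `s->min_samples_per_subframe`. The argument should be `s->min_samples_per_subframe` so the log shows the number that failed the test. `decode_init` begins and ends outside the hunk.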
--- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -439,7 +439,8 @@ static av_cold int decode_init(AVCodecContext *avctx) for (x = 0; x < num_possible_block_sizes; x++) { int v = 0; while (s->sfb_offsets[x][v + 1] << x < offset) - ++v; + if (++v >= MAX_BANDS) + return AVERROR_INVALIDDATA; s->sf_offsets[i][x][b] = v; } } From 2cdc97632033206d287b734365e055751a5636de Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 29 Jun 2013 06:07:57 +0200 Subject: [PATCH 0383/1037] mjpeg: Check the unescaped size for overflows And contextually check init_get_bits success and fix the reporting message. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6765ee7b9cba46818a45b051438b2552f0a1b70a) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d47fc2ca9e..05f2f02e61 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1476,15 +1476,20 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, /* EOF */ if (start_code < 0) { goto the_end; - } else if (unescaped_buf_size > (1U<<29)) { - av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (0x%x/0x%x), corrupt data?\n", + } else if (unescaped_buf_size > INT_MAX / 8) { + av_log(avctx, AV_LOG_ERROR, + "MJPEG packet 0x%x too big (%d/%d), corrupt data?\n", start_code, unescaped_buf_size, buf_size); return AVERROR_INVALIDDATA; } else { av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n", start_code, buf_end - buf_ptr); - init_get_bits(&s->gb, unescaped_buf_ptr, unescaped_buf_size * 8); + ret = init_get_bits(&s->gb, unescaped_buf_ptr, + unescaped_buf_size * 8); + + if (ret < 0) + return ret; s->start_code = start_code; if (s->avctx->debug & FF_DEBUG_STARTCODE) From 5c54fc6195e52c329b88cf5a56d18628f0ee0029 Mon Sep 17 00:00:00 2001 
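Review bot: The loop condition reads `s->sfb_offsets[x][v + 1]`, but the new test only stops once `v` itself reaches `MAX_BANDS`, so with `v == MAX_BANDS - 1` the element at index `MAX_BANDS` is still read. If the second dimension of `sfb_offsets` is `MAX_BANDS` (its declaration is outside the hunk), the test should be `if (++v >= MAX_BANDS - 1)`. The return is also silent, so an `av_log` line naming the bad offset would help. The `while` with a nested `if` and no braces is easy to misread and should be braced.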
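Review bot: The limit `INT_MAX / 8` has no explanation next to it; a comment such as `/* the size is passed to init_get_bits() in bits, so size * 8 must fit in an int */` would tie it to the multiplication a few lines below. If `unescaped_buf_size` is a signed int, as the `%d` format suggests, a negative value passes this test and is caught only if `init_get_bits` rejects it, which the new `ret < 0` check then relies on. `INT_MAX` needs `<limits.h>` and `ret` needs a declaration, both outside the hunk.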
From: Reinhard Tartler Date: Sun, 30 Jun 2013 16:03:11 +0200 Subject: [PATCH 0384/1037] Prepare for 9.8 RELEASE --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 9d5e716c05..021debdfd4 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.7 +9.8 From 51a23b0e95ac117a691c7d849c7af7ffa9e7d18b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 30 Jun 2013 09:57:56 +0200 Subject: [PATCH 0385/1037] indeo: Properly forward the error codes If the tile data size does not match the buffer size it did not return an AVERROR_INVALIDDATA causing futher corruption later. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 7388c0c58601477db076e2e74e8b11f8a644384a) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 3bdcbaba56..f0e4f60ff1 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -774,8 +774,16 @@ static int decode_band(IVI45DecContext *ctx, break; result = ivi_decode_blocks(&ctx->gb, band, tile, avctx); - if (result < 0 || ((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) { - av_log(avctx, AV_LOG_ERROR, "Corrupted tile data encountered!\n"); + if (result < 0) { + av_log(avctx, AV_LOG_ERROR, + "Corrupted tile data encountered!\n"); + break; + } + + if (((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) { + av_log(avctx, AV_LOG_ERROR, + "Tile data_size mismatch!\n"); + result = AVERROR_INVALIDDATA; break; } From f518fa6beef8c00febfeeab0c37af7a98cc77a27 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 30 Jun 2013 10:11:05 +0200 Subject: [PATCH 0386/1037] indeo: use proper error code (cherry picked from commit dd3754a48854cd570d38db72394491aab0f36570) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
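Review bot: The new "Tile data_size mismatch!" message in `decode_band` does not say what the two sizes were. Logging both `tile->data_size` and `(get_bits_count(&ctx->gb) - pos) >> 3` makes corrupted samples much easier to triage. The comparison uses a byte count rounded down from bits, so up to seven extra consumed bits go unnoticed; a comment saying this is intended would help.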
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index f0e4f60ff1..9628728b6c 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -85,7 +85,7 @@ static int ivi_create_huff_from_desc(const IVIHuffDesc *cb, VLC *vlc, int flag) bits[pos] = i + cb->xbits[i] + not_last_row; if (bits[pos] > IVI_VLC_BITS) - return -1; /* invalid descriptor */ + return AVERROR_INVALIDDATA; /* invalid descriptor */ codewords[pos] = inv_bits((prefix | j), bits[pos]); if (!bits[pos]) @@ -482,7 +482,7 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile } else { if (sym >= 256U) { av_log(avctx, AV_LOG_ERROR, "Invalid sym encountered: %d.\n", sym); - return -1; + return AVERROR_INVALIDDATA; } run = rvmap->runtab[sym]; val = rvmap->valtab[sym]; @@ -505,7 +505,7 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile }// while if (scan_pos >= num_coeffs && sym != rvmap->eob_sym) - return -1; /* corrupt block data */ + return AVERROR_INVALIDDATA; /* corrupt block data */ /* undoing DC coeff prediction for intra-blocks */ if (is_intra && band->is_2d_trans) { @@ -831,14 +831,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (result) { av_log(avctx, AV_LOG_ERROR, "Error while decoding picture header: %d\n", result); - return -1; + return result; } if (ctx->gop_invalid) return AVERROR_INVALIDDATA; if (ctx->gop_flags & IVI5_IS_PROTECTED) { - av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n"); - return -1; + avpriv_report_missing_feature(avctx, "Password-protected clip!\n"); + return AVERROR_PATCHWELCOME; } ctx->switch_buffers(ctx); 
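Review bot: In `ff_ivi_decode_frame` the picture-header check is still `if (result)` but now ends in `return result;`, so a positive non-zero result would be handed to the caller as if it were a success value. The band loop in the following hunk was tightened to `if (result < 0)`; the header check should do the same, or return `AVERROR_INVALIDDATA` when `result` is positive. Whether the header decoder can return a positive value is outside the hunk.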
@@ -849,10 +849,10 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (p = 0; p < 3; p++) { for (b = 0; b < ctx->planes[p].num_bands; b++) { result = decode_band(ctx, &ctx->planes[p].bands[b], avctx); - if (result) { + if (result < 0) { av_log(avctx, AV_LOG_ERROR, "Error while decoding band: %d, plane: %d\n", b, p); - return -1; + return result; } } } From 5f7944a308df69619315a18e0a6c2661c7346990 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 30 Jun 2013 10:40:37 +0200 Subject: [PATCH 0387/1037] indeo: check for reference when inheriting mvs The same is done already for qdelta. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b36e1893ef3430f039c1eaddeedcbb378f9c4444) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 9628728b6c..956bbb162a 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -599,7 +599,7 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, if (band->inherit_qdelta && ref_mb) mb->q_delta = ref_mb->q_delta; - if (band->inherit_mv) { + if (band->inherit_mv && ref_mb) { /* motion vector inheritance */ if (mv_scale) { mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale); From c8fb5d0f383fcbb0da9bdef609c3a826df0064f7 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 6 Jul 2013 13:20:57 +0200 Subject: [PATCH 0388/1037] Update Changelog --- Changelog | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Changelog b/Changelog index 2676d15fa3..754e4168b6 100644 --- a/Changelog +++ b/Changelog 
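Review bot: With `&& ref_mb` added, `mb->mv_x` and `mb->mv_y` are no longer written when `band->inherit_mv` is set but there is no reference macroblock. Unless an `else` branch or an earlier reset outside the hunk covers that case, later motion compensation would use whatever the macroblock array held before. An explicit `else { mb->mv_x = mb->mv_y = 0; }` would make the fallback visible. `ivi_process_empty_tile` begins and ends outside the hunk.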
@@ -1,6 +1,19 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.8: +- indeo: Check for reference when inheriting motion vectors +- indeo: Properly forward the error codes +- mjpeg: Check the unescaped size for overflows +- wmapro: Error out on impossible scale factor offsets +- wmapro: Check the min_samples_per_subframe +- wmapro: Return early on unsupported condition +- wmapro: Check num_vec_coeffs against the actual available buffer +- wmapro: Make sure there is room to store the current packet +- lavc: Move put_bits_left in put_bits.h +- 4xm: Do not overread the source buffer in decode_p_block +- 4xm: Check bitstream_size boundary before using it + version 9.7: Most of the following fixes resulted from test samples that the Google From d8dab6c3b85cdf472e50ac96f70a6f5ec51855ba Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 30 Jun 2013 10:11:05 +0200 Subject: [PATCH 0389/1037] indeo: use proper error code (cherry picked from commit dd3754a48854cd570d38db72394491aab0f36570) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 956bbb162a..842a53d052 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -837,7 +837,7 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return AVERROR_INVALIDDATA; if (ctx->gop_flags & IVI5_IS_PROTECTED) { - avpriv_report_missing_feature(avctx, "Password-protected clip!\n"); + av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n"); return AVERROR_PATCHWELCOME; } From 33388299fbb4daa9c58798dc90bea0c8af2e72a7 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jul 2013 11:18:30 +0200 Subject: [PATCH 0390/1037] indeo: use a typedef for the mc function pointer (cherry picked from commit e6d8acf6a8fba4743eb56eabe72a741d1bbee3cb) 
Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 842a53d052..f0269066f9 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -41,6 +41,9 @@ extern const IVIHuffDesc ff_ivi_blk_huff_desc[8]; ///< static block huffman tabl static VLC ivi_mb_vlc_tabs [8]; ///< static macroblock Huffman tables static VLC ivi_blk_vlc_tabs[8]; ///< static block Huffman tables +typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf, + uint32_t pitch, int mc_type); + /** * Reverse "nbits" bits of the value "val" and return the result * in the least significant bits. @@ -394,8 +397,7 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile uint32_t cbp, sym, lo, hi, quant, buf_offs, q; IVIMbInfo *mb; RVMapDesc *rvmap = band->rv_map; - void (*mc_with_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); - void (*mc_no_delta_func) (int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); + ivi_mc_func mc_with_delta_func, mc_no_delta_func; const uint16_t *base_tab; const uint8_t *scale_tab; @@ -563,8 +565,7 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, IVIMbInfo *mb, *ref_mb; const int16_t *src; int16_t *dst; - void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, - int mc_type); + ivi_mc_func mc_no_delta_func; if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches " From d76480e6ba4022869857b748939053203a770a88 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jul 2013 12:58:40 +0200 Subject: [PATCH 0391/1037] indeo: Refactor ff_ivi_dec_huff_desc Spare an indentation level. (cherry picked from commit f6f36ca8ca1b2526d3abff7d7c627322d3bce912) 
Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 68 +++++++++++++++++++++-------------------- 1 file changed, 35 insertions(+), 33 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index f0269066f9..77cdce9edd 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
@@ -156,41 +156,43 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, if (!desc_coded) { /* select default table */ huff_tab->tab = (which_tab) ? &ivi_blk_vlc_tabs[7] - : &ivi_mb_vlc_tabs [7]; - } else { - huff_tab->tab_sel = get_bits(gb, 3); - if (huff_tab->tab_sel == 7) { - /* custom huffman table (explicitly encoded) */ - new_huff.num_rows = get_bits(gb, 4); - if (!new_huff.num_rows) { - av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n"); - return AVERROR_INVALIDDATA; - } + : &ivi_mb_vlc_tabs [7]; + return 0; + } - for (i = 0; i < new_huff.num_rows; i++) - new_huff.xbits[i] = get_bits(gb, 4); - - /* Have we got the same custom table? Rebuild if not. */ - if (ivi_huff_desc_cmp(&new_huff, &huff_tab->cust_desc)) { - ivi_huff_desc_copy(&huff_tab->cust_desc, &new_huff); - - if (huff_tab->cust_tab.table) - ff_free_vlc(&huff_tab->cust_tab); - result = ivi_create_huff_from_desc(&huff_tab->cust_desc, - &huff_tab->cust_tab, 0); - if (result) { - huff_tab->cust_desc.num_rows = 0; // reset faulty description - av_log(avctx, AV_LOG_ERROR, - "Error while initializing custom vlc table!\n"); - return result; - } - } - huff_tab->tab = &huff_tab->cust_tab; - } else { - /* select one of predefined tables */ - huff_tab->tab = (which_tab) ? &ivi_blk_vlc_tabs[huff_tab->tab_sel] - : &ivi_mb_vlc_tabs [huff_tab->tab_sel]; + huff_tab->tab_sel = get_bits(gb, 3); + if (huff_tab->tab_sel == 7) { + /* custom huffman table (explicitly encoded) */ + new_huff.num_rows = get_bits(gb, 4); + if (!new_huff.num_rows) { + av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n"); + return AVERROR_INVALIDDATA; } + + for (i = 0; i < new_huff.num_rows; i++) + new_huff.xbits[i] = get_bits(gb, 4); + + /* Have we got the same custom table? Rebuild if not. 
*/ + if (ivi_huff_desc_cmp(&new_huff, &huff_tab->cust_desc)) { + ivi_huff_desc_copy(&huff_tab->cust_desc, &new_huff); + + if (huff_tab->cust_tab.table) + ff_free_vlc(&huff_tab->cust_tab); + result = ivi_create_huff_from_desc(&huff_tab->cust_desc, + &huff_tab->cust_tab, 0); + if (result) { + // reset faulty description + huff_tab->cust_desc.num_rows = 0; + av_log(avctx, AV_LOG_ERROR, + "Error while initializing custom vlc table!\n"); + return result; + } + } + huff_tab->tab = &huff_tab->cust_tab; + } else { + /* select one of predefined tables */ + huff_tab->tab = (which_tab) ? &ivi_blk_vlc_tabs[huff_tab->tab_sel] + : &ivi_mb_vlc_tabs [huff_tab->tab_sel]; } return 0; From b9892e181370b070d949b250312cbd7104b06612 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jul 2013 13:59:16 +0200 Subject: [PATCH 0392/1037] indeo: Refactor ff_ivi_init_tiles and ivi_decode_blocks Spin large and mostly self contained blocks into stand alone functions. (cherry picked from commit 62256010e9bc8879e2bf7f3b94af8ff85e239082) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 273 ++++++++++++++++++++++------------------ 1 file changed, 153 insertions(+), 120 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 77cdce9edd..1b71e7417a 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
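Review bot: On the failure path of the custom-table rebuild, `ff_free_vlc(&huff_tab->cust_tab)` has already run but `huff_tab->tab` is returned unchanged. If an earlier call left `huff_tab->tab` pointing at `&huff_tab->cust_tab`, it now refers to a released table, and safety depends on every caller stopping on the error, which is not visible in the hunk. Since this refactor flattens the function anyway, a comment stating that callers must not use `huff_tab->tab` after a failure, or a reset of the pointer on that path, would close the gap. The `if (result)` test would also read better as `if (result < 0)`.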
@@ -286,11 +286,46 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) return 0; } -av_cold int ff_ivi_init_tiles(IVIPlaneDesc *planes, int tile_width, int tile_height) +static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile, + int p, int b, int t_height, int t_width) { - int p, b, x, y, x_tiles, y_tiles, t_width, t_height; + int x, y; + IVITile *tile = band->tiles; + + for (y = 0; y < band->height; y += t_height) { + for (x = 0; x < band->width; x += t_width) { + tile->xpos = x; + tile->ypos = y; + tile->mb_size = band->mb_size; + tile->width = FFMIN(band->width - x, t_width); + tile->height = FFMIN(band->height - y, t_height); + tile->is_empty = tile->data_size = 0; + /* calculate number of macroblocks */ + tile->num_MBs = IVI_MBs_PER_TILE(tile->width, tile->height, + band->mb_size); + + av_freep(&tile->mbs); + tile->mbs = av_malloc(tile->num_MBs * sizeof(IVIMbInfo)); + if (!tile->mbs) + return AVERROR(ENOMEM); + + tile->ref_mbs = 0; + if (p || b) { + tile->ref_mbs = ref_tile->mbs; + ref_tile++; + } + tile++; + } + } + + return 0; +} + +av_cold int ff_ivi_init_tiles(IVIPlaneDesc *planes, + int tile_width, int tile_height) +{ + int p, b, x_tiles, y_tiles, t_width, t_height, ret; IVIBandDesc *band; - IVITile *tile, *ref_tile; for (p = 0; p < 3; p++) { t_width = !p ? tile_width : (tile_width + 3) >> 2; 
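Review bot: The new helper `ivi_init_tiles` advances `ref_tile` once per tile of the current band with no bound, so it assumes the reference band has at least as many tiles as every other band. That invariant is not checked anywhere in the hunk; passing the reference band's tile count and stopping when it is exhausted would make it explicit. `tile->mbs` comes from `av_malloc`, so its entries start uninitialised, and a comment should say which fields are guaranteed to be written before use. The helper also has no doc comment and differs from the public `ff_ivi_init_tiles` only by prefix, which is easy to confuse.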
@@ -312,41 +347,14 @@ av_cold int ff_ivi_init_tiles(IVIPlaneDesc *planes, int tile_width, int tile_hei if (!band->tiles) return AVERROR(ENOMEM); - tile = band->tiles; - /* use the first luma band as reference for motion vectors * and quant */ - ref_tile = planes[0].bands[0].tiles; - - for (y = 0; y < band->height; y += t_height) { - for (x = 0; x < band->width; x += t_width) { - tile->xpos = x; - tile->ypos = y; - tile->mb_size = band->mb_size; - tile->width = FFMIN(band->width - x, t_width); - tile->height = FFMIN(band->height - y, t_height); - tile->is_empty = tile->data_size = 0; - /* calculate number of macroblocks */ - tile->num_MBs = IVI_MBs_PER_TILE(tile->width, tile->height, - band->mb_size); - - av_freep(&tile->mbs); - tile->mbs = av_malloc(tile->num_MBs * sizeof(IVIMbInfo)); - if (!tile->mbs) - return AVERROR(ENOMEM); - - tile->ref_mbs = 0; - if (p || b) { - tile->ref_mbs = ref_tile->mbs; - ref_tile++; - } - - tile++; - } - } - - }// for b - }// for p + ret = ivi_init_tiles(band, planes[0].bands[0].tiles, + p, b, t_height, t_width); + if (ret < 0) + return ret; + } + } return 0; } 
@@ -378,6 +386,94 @@ static int ivi_dec_tile_data_size(GetBitContext *gb) return len; } + +static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, + ivi_mc_func mc, int mv_x, int mv_y, + int *prev_dc, int is_intra, int mc_type, + uint32_t quant, int offs, + AVCodecContext *avctx) +{ + const uint16_t *base_tab = is_intra ? band->intra_base : band->inter_base; + RVMapDesc *rvmap = band->rv_map; + uint8_t col_flags[8]; + int32_t trvec[64]; + uint32_t sym = 0, lo, hi, q; + int pos, run, val; + int blk_size = band->blk_size; + int num_coeffs = blk_size * blk_size; + int col_mask = blk_size - 1; + int scan_pos = -1; + + if (!band->scan) { + av_log(avctx, AV_LOG_ERROR, "Scan pattern is not set.\n"); + return AVERROR_INVALIDDATA; + } + + /* zero transform vector */ + memset(trvec, 0, num_coeffs * sizeof(trvec[0])); + /* zero column flags */ + memset(col_flags, 0, sizeof(col_flags)); + while (scan_pos <= num_coeffs) { + sym = get_vlc2(gb, band->blk_vlc.tab->table, + IVI_VLC_BITS, 1); + if (sym == rvmap->eob_sym) + break; /* End of block */ + + /* Escape - run/val explicitly coded using 3 vlc codes */ + if (sym == rvmap->esc_sym) { + run = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1) + 1; + lo = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); + hi = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); + /* merge them and convert into signed val */ + val = IVI_TOSIGNED((hi << 6) | lo); + } else { + if (sym >= 256U) { + av_log(avctx, AV_LOG_ERROR, "Invalid sym encountered: %d.\n", sym); + return AVERROR_INVALIDDATA; + } + run = rvmap->runtab[sym]; + val = rvmap->valtab[sym]; + } + + /* de-zigzag and dequantize */ + scan_pos += run; + if (scan_pos >= num_coeffs) + break; + pos = band->scan[scan_pos]; + + if (!val) + av_dlog(avctx, "Val = 0 encountered!\n"); + + q = (base_tab[pos] * quant) >> 9; + if (q > 1) + val = val * q + FFSIGN(val) * (((q ^ 1) - 1) >> 1); + trvec[pos] = val; + /* track columns containing non-zero coeffs */ + 
col_flags[pos & col_mask] |= !!val; + } + + if (scan_pos >= num_coeffs && sym != rvmap->eob_sym) + return AVERROR_INVALIDDATA; /* corrupt block data */ + + /* undoing DC coeff prediction for intra-blocks */ + if (is_intra && band->is_2d_trans) { + *prev_dc += trvec[0]; + trvec[0] = *prev_dc; + col_flags[0] |= !!*prev_dc; + } + + /* apply inverse transform */ + band->inv_transform(trvec, band->buf + offs, + band->pitch, col_flags); + + /* apply motion compensation */ + if (!is_intra) + mc(band->buf + offs, + band->ref_buf + offs + mv_y * band->pitch + mv_x, + band->pitch, mc_type); + + return 0; +} /* * Decode block data: * extract huffman-coded transform coefficients from the bitstream, 
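Review bot: In `ivi_decode_coded_blocks`, `scan_pos` starts at -1 and is only checked against the upper bound after `scan_pos += run;`, so `band->scan[scan_pos]` is read at index -1 if `run` is ever zero or negative. `run` comes from `rvmap->runtab[sym]` or from `get_vlc2(...) + 1`, and neither is range-checked in the hunk. Adding `if (scan_pos < 0) return AVERROR_INVALIDDATA;` before the index closes that case. The `trvec[64]` and `col_flags[8]` buffers also assume `band->blk_size <= 8`, which is validated, if at all, outside this function.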
@@ -389,26 +485,22 @@ static int ivi_dec_tile_data_size(GetBitContext *gb) * @param[in] tile pointer to the tile descriptor * @return result code: 0 - OK, -1 = error (corrupted blocks data) */ -static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile, - AVCodecContext *avctx) +static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, + IVITile *tile, AVCodecContext *avctx) { - int mbn, blk, num_blocks, num_coeffs, blk_size, scan_pos, run, val, - pos, is_intra, mc_type = 0, mv_x, mv_y, col_mask; - uint8_t col_flags[8]; - int32_t prev_dc, trvec[64]; - uint32_t cbp, sym, lo, hi, quant, buf_offs, q; - IVIMbInfo *mb; - RVMapDesc *rvmap = band->rv_map; + int mbn, blk, num_blocks, blk_size, ret, is_intra, mc_type = 0; + int mv_x = 0, mv_y = 0; + int32_t prev_dc; + uint32_t cbp, quant, buf_offs; + IVIMbInfo *mb; ivi_mc_func mc_with_delta_func, mc_no_delta_func; - const uint16_t *base_tab; - const uint8_t *scale_tab; - - prev_dc = 0; /* init intra prediction for the DC coefficient */ + const uint8_t *scale_tab; + /* init intra prediction for the DC coefficient */ + prev_dc = 0; blk_size = band->blk_size; - col_mask = blk_size - 1; /* column mask for tracking non-zero coeffs */ - num_blocks = (band->mb_size != blk_size) ? 4 : 1; /* number of blocks per mb */ - num_coeffs = blk_size * blk_size; + /* number of blocks per mb */ + num_blocks = (band->mb_size != blk_size) ? 4 : 1; if (blk_size == 8) { mc_with_delta_func = ff_ivi_mc_8x8_delta; mc_no_delta_func = ff_ivi_mc_8x8_no_delta; @@ -424,7 +516,6 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile quant = av_clip(band->glob_quant + mb->q_delta, 0, 23); - base_tab = is_intra ? band->intra_base : band->inter_base; scale_tab = is_intra ? band->intra_scale : band->inter_scale; if (scale_tab) quant = scale_tab[quant]; 
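Review bot: The doc comment above `ivi_decode_blocks` still says `-1 = error (corrupted blocks data)`, but the function and the helper it now calls return `AVERROR_INVALIDDATA`. I would change that line to `@return 0 on success, a negative AVERROR code on corrupted block data`. The comment block starts outside the hunk, so any other stale lines in it should be checked at the same time.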
@@ -445,10 +536,10 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile cx = mb->mv_x & band->is_halfpel; cy = mb->mv_y & band->is_halfpel; - if ( mb->xpos + dmv_x < 0 - || mb->xpos + dmv_x + band->mb_size + cx > band->pitch - || mb->ypos + dmv_y < 0 - || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) { + if (mb->xpos + dmv_x < 0 || + mb->xpos + dmv_x + band->mb_size + cx > band->pitch || + mb->ypos + dmv_y < 0 || + mb->ypos + dmv_y + band->mb_size + cy > band->aheight) { return AVERROR_INVALIDDATA; } } 
@@ -464,69 +555,11 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile } if (cbp & 1) { /* block coded ? */ - if (!band->scan) { - av_log(avctx, AV_LOG_ERROR, "Scan pattern is not set.\n"); - return AVERROR_INVALIDDATA; - } - - scan_pos = -1; - memset(trvec, 0, num_coeffs*sizeof(trvec[0])); /* zero transform vector */ - memset(col_flags, 0, sizeof(col_flags)); /* zero column flags */ - - while (scan_pos <= num_coeffs) { - sym = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); - if (sym == rvmap->eob_sym) - break; /* End of block */ - - if (sym == rvmap->esc_sym) { /* Escape - run/val explicitly coded using 3 vlc codes */ - run = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1) + 1; - lo = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); - hi = get_vlc2(gb, band->blk_vlc.tab->table, IVI_VLC_BITS, 1); - val = IVI_TOSIGNED((hi << 6) | lo); /* merge them and convert into signed val */ - } else { - if (sym >= 256U) { - av_log(avctx, AV_LOG_ERROR, "Invalid sym encountered: %d.\n", sym); - return AVERROR_INVALIDDATA; - } - run = rvmap->runtab[sym]; - val = rvmap->valtab[sym]; - } - - /* de-zigzag and dequantize */ - scan_pos += run; - if (scan_pos >= num_coeffs) - break; - pos = band->scan[scan_pos]; - - if (!val) - av_dlog(avctx, "Val = 0 encountered!\n"); - - q = (base_tab[pos] * quant) >> 9; - if (q > 1) - val = val * q + FFSIGN(val) * (((q ^ 1) - 1) >> 1); - trvec[pos] = val; - col_flags[pos & col_mask] |= !!val; /* track columns containing non-zero coeffs */ - }// while - - if (scan_pos >= num_coeffs && sym != rvmap->eob_sym) - return AVERROR_INVALIDDATA; /* corrupt block data */ - - /* undoing DC coeff prediction for intra-blocks */ - if (is_intra && band->is_2d_trans) { - prev_dc += trvec[0]; - trvec[0] = prev_dc; - col_flags[0] |= !!prev_dc; - } - - /* apply inverse transform */ - band->inv_transform(trvec, band->buf + buf_offs, - band->pitch, col_flags); - - /* apply motion compensation */ - if (!is_intra) - 
mc_with_delta_func(band->buf + buf_offs, - band->ref_buf + buf_offs + mv_y * band->pitch + mv_x, - band->pitch, mc_type); + ret = ivi_decode_coded_blocks(gb, band, mc_with_delta_func, + mv_x, mv_y, &prev_dc, is_intra, + mc_type, quant, buf_offs, avctx); + if (ret < 0) + return ret; } else { /* block not coded */ /* for intra blocks apply the dc slant transform */ From 80d73b4adacac449fc528cb564b9fd88efa47f88 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jul 2013 14:01:32 +0200 Subject: [PATCH 0393/1037] indeo: Cosmetic formatting Trim some overly long lines. (cherry picked from commit 6dfacd7ab126aea1392949d1aa10fdc3d3eeb911) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 52 +++++++++++++++++++++++++---------------- 1 file changed, 32 insertions(+), 20 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 1b71e7417a..0caefe1ed6 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -53,9 +53,10 @@ static uint16_t inv_bits(uint16_t val, int nbits) uint16_t res; if (nbits <= 8) { - res = ff_reverse[val] >> (8-nbits); + res = ff_reverse[val] >> (8 - nbits); } else - res = ((ff_reverse[val & 0xFF] << 8) + (ff_reverse[val >> 8])) >> (16-nbits); + res = ((ff_reverse[val & 0xFF] << 8) + + (ff_reverse[val >> 8])) >> (16 - nbits); return res; } @@ -114,10 +115,12 @@ void ff_ivi_init_static_vlc(void) for (i = 0; i < 8; i++) { ivi_mb_vlc_tabs[i].table = table_data + i * 2 * 8192; ivi_mb_vlc_tabs[i].table_allocated = 8192; - ivi_create_huff_from_desc(&ff_ivi_mb_huff_desc[i], &ivi_mb_vlc_tabs[i], 1); + ivi_create_huff_from_desc(&ff_ivi_mb_huff_desc[i], + &ivi_mb_vlc_tabs[i], 1); ivi_blk_vlc_tabs[i].table = table_data + (i * 2 + 1) * 8192; ivi_blk_vlc_tabs[i].table_allocated = 8192; - ivi_create_huff_from_desc(&ff_ivi_blk_huff_desc[i], &ivi_blk_vlc_tabs[i], 1); + ivi_create_huff_from_desc(&ff_ivi_blk_huff_desc[i], + &ivi_blk_vlc_tabs[i], 1); } initialized_vlcs = 1; } 
@@ -141,16 +144,17 @@ static void ivi_huff_desc_copy(IVIHuffDesc *dst, const IVIHuffDesc *src) * @param[in] desc2 ptr to the 2nd descriptor to compare * @return comparison result: 0 - equal, 1 - not equal */ -static int ivi_huff_desc_cmp(const IVIHuffDesc *desc1, const IVIHuffDesc *desc2) +static int ivi_huff_desc_cmp(const IVIHuffDesc *desc1, + const IVIHuffDesc *desc2) { - return desc1->num_rows != desc2->num_rows - || memcmp(desc1->xbits, desc2->xbits, desc1->num_rows); + return desc1->num_rows != desc2->num_rows || + memcmp(desc1->xbits, desc2->xbits, desc1->num_rows); } int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, IVIHuffTab *huff_tab, AVCodecContext *avctx) { - int i, result; + int i, result; IVIHuffDesc new_huff; if (!desc_coded) { @@ -225,8 +229,9 @@ static av_cold void ivi_free_buffers(IVIPlaneDesc *planes) av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) { - int p, b; - uint32_t b_width, b_height, align_fac, width_aligned, height_aligned, buf_size; + int p, b; + uint32_t b_width, b_height, align_fac, width_aligned, + height_aligned, buf_size; IVIBandDesc *band; ivi_free_buffers(planes); @@ -249,8 +254,10 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) /* select band dimensions: if there is only one band then it * has the full size, if there are several bands each of them * has only half size */ - b_width = planes[p].num_bands == 1 ? planes[p].width : (planes[p].width + 1) >> 1; - b_height = planes[p].num_bands == 1 ? planes[p].height : (planes[p].height + 1) >> 1; + b_width = planes[p].num_bands == 1 ? planes[p].width + : (planes[p].width + 1) >> 1; + b_height = planes[p].num_bands == 1 ? planes[p].height + : (planes[p].height + 1) >> 1; /* luma band buffers will be aligned on 16x16 (max macroblock size) */ /* chroma band buffers will be aligned on 8x8 (max macroblock size) */ 
@@ -278,8 +285,8 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) if (!band->bufs[2]) return AVERROR(ENOMEM); } - - planes[p].bands[0].blk_vlc.cust_desc.num_rows = 0; /* reset custom vlc */ + /* reset custom vlc */ + planes[p].bands[0].blk_vlc.cust_desc.num_rows = 0; } } @@ -827,7 +834,8 @@ static int decode_band(IVI45DecContext *ctx, } } - /* restore the selected rvmap table by applying its corrections in reverse order */ + /* restore the selected rvmap table by applying its corrections in + * reverse order */ for (i = band->num_corr-1; i >= 0; i--) { idx1 = band->corr[i*2]; idx2 = band->corr[i*2+1]; @@ -840,7 +848,8 @@ static int decode_band(IVI45DecContext *ctx, uint16_t chksum = ivi_calc_band_checksum(band); if (chksum != band->checksum) { av_log(avctx, AV_LOG_ERROR, - "Band checksum mismatch! Plane %d, band %d, received: %x, calculated: %x\n", + "Band checksum mismatch! Plane %d, band %d, " + "received: %x, calculated: %x\n", band->plane, band->band_num, band->checksum, chksum); } } 
@@ -896,10 +905,13 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, //STOP_TIMER("decode_planes"); } - /* If the bidirectional mode is enabled, next I and the following P frame will */ - /* be sent together. Unfortunately the approach below seems to be the only way */ - /* to handle the B-frames mode. That's exactly the same Intel decoders do. */ - if (avctx->codec_id == AV_CODEC_ID_INDEO4 && ctx->frame_type == 0/*FRAMETYPE_INTRA*/) { + /* If the bidirectional mode is enabled, next I and the following P + * frame will be sent together. Unfortunately the approach below seems + * to be the only way to handle the B-frames mode. + * That's exactly the same Intel decoders do. + */ + if (avctx->codec_id == AV_CODEC_ID_INDEO4 && + ctx->frame_type == 0/*FRAMETYPE_INTRA*/) { while (get_bits(&ctx->gb, 8)); // skip version string skip_bits_long(&ctx->gb, 64); // skip padding, TODO: implement correct 8-bytes alignment if (get_bits_left(&ctx->gb) > 18 && show_bits(&ctx->gb, 18) == 0x3FFF8) From 73d5d7acb0e01142fe6935196f57000f26717d30 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 3 Jul 2013 14:55:50 +0200 Subject: [PATCH 0394/1037] indeo: reject negative array indexes Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6a10142faa1cca8ba2bfe51b970754f62d60f320) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 42 ++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 0caefe1ed6..815a5cb112 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
@@ -44,6 +44,20 @@ static VLC ivi_blk_vlc_tabs[8]; ///< static block Huffman tables typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); +static int ivi_mc(ivi_mc_func mc, int16_t *buf, const int16_t *ref_buf, + int offs, int mv_x, int mv_y, uint32_t pitch, + int mc_type) +{ + int ref_offs = offs + mv_y * pitch + mv_x; + + if (offs < 0 || ref_offs < 0 || !ref_buf) + return AVERROR_INVALIDDATA; + + mc(buf + offs, ref_buf + ref_offs, pitch, mc_type); + + return 0; +} + /** * Reverse "nbits" bits of the value "val" and return the result * in the least significant bits. @@ -444,7 +458,7 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, /* de-zigzag and dequantize */ scan_pos += run; - if (scan_pos >= num_coeffs) + if (scan_pos >= num_coeffs || scan_pos < 0) break; pos = band->scan[scan_pos]; @@ -459,7 +473,7 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, col_flags[pos & col_mask] |= !!val; } - if (scan_pos >= num_coeffs && sym != rvmap->eob_sym) + if (scan_pos < 0 || scan_pos >= num_coeffs && sym != rvmap->eob_sym) return AVERROR_INVALIDDATA; /* corrupt block data */ /* undoing DC coeff prediction for intra-blocks */ @@ -475,9 +489,8 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, /* apply motion compensation */ if (!is_intra) - mc(band->buf + offs, - band->ref_buf + offs + mv_y * band->pitch + mv_x, - band->pitch, mc_type); + return ivi_mc(mc, band->buf, band->ref_buf, offs, mv_x, mv_y, + band->pitch, mc_type); return 0; } 
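Review bot: The new `ivi_mc()` helper in libavcodec/ivi_common.c rejects a negative `offs` or `ref_offs` but has no upper bound, so an offset past the end of `band->buf` or `band->ref_buf` still reaches `mc()`. The helper is not given a buffer size to compare against, and whether every caller already guarantees the upper limit is not visible from these hunks. Passing the band's allocated size and rejecting a `ref_offs` that leaves less than one block of room would close the other side of the range. `ref_offs` is also computed as `offs + mv_y * pitch + mv_x` with `pitch` a `uint32_t`, so the arithmetic is unsigned and the `< 0` test depends on the implementation-defined conversion back to `int`. Writing `mv_y * (int)pitch`, or computing in `int64_t`, makes the sign check explicit. The call sites converted in `ivi_decode_blocks` and `ivi_process_empty_tile` inherit the same limits.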
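Review bot: In the `@@ -459,7 +473,7 @@` hunk of `ivi_decode_coded_blocks`, the rewritten corrupt-data test mixes `||` and `&&` without parentheses, which reads ambiguously and trips `-Wparentheses`. The grouping the precedence rules give is the intended one, so spelling it out changes nothing: `if (scan_pos < 0 || (scan_pos >= num_coeffs && sym != rvmap->eob_sym))`. The function starts outside this hunk.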
@@ -575,10 +588,12 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, if (band->dc_transform) band->dc_transform(&prev_dc, band->buf + buf_offs, band->pitch, blk_size); - } else - mc_no_delta_func(band->buf + buf_offs, - band->ref_buf + buf_offs + mv_y * band->pitch + mv_x, - band->pitch, mc_type); + } else { + ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, + buf_offs, mv_x, mv_y, band->pitch, mc_type); + if (ret < 0) + return ret; + } } cbp >>= 1; @@ -603,7 +618,7 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, IVITile *tile, int32_t mv_scale) { int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type; - int offs, mb_offset, row_offset; + int offs, mb_offset, row_offset, ret; IVIMbInfo *mb, *ref_mb; const int16_t *src; int16_t *dst; @@ -681,9 +696,10 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, for (blk = 0; blk < num_blocks; blk++) { /* adjust block position in the buffer according with its number */ offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch); - mc_no_delta_func(band->buf + offs, - band->ref_buf + offs + mv_y * band->pitch + mv_x, - band->pitch, mc_type); + ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, + offs, mv_x, mv_y, band->pitch, mc_type); + if (ret < 0) + return ret; } } } else { From 1c2bd6fe5f962b32ca48e6a6fa4e179d02e6bf90 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 1 Jul 2013 03:04:15 +0200 Subject: [PATCH 0395/1037] kmvc: use fixed sized arrays in the context Avoid some boilerplate code to dynamically allocate and then free the buffers. (cherry picked from commit 8f689770548c86151071ef976cf9b6998ba21c2a) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/kmvc.c --- libavcodec/kmvc.c | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index d9fbbb0d71..1bfc0da802 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c 
@@ -47,7 +47,7 @@ typedef struct KmvcContext { int palsize; uint32_t pal[MAX_PALSIZE]; uint8_t *cur, *prev; - uint8_t *frm0, *frm1; + uint8_t frm0[320 * 200], frm1[320 * 200]; GetByteContext g; } KmvcContext; @@ -369,8 +369,6 @@ static av_cold int decode_init(AVCodecContext * avctx) return -1; } - c->frm0 = av_mallocz(320 * 200); - c->frm1 = av_mallocz(320 * 200); c->cur = c->frm0; c->prev = c->frm1; @@ -404,30 +402,12 @@ static av_cold int decode_init(AVCodecContext * avctx) return 0; } - - -/* - * Uninit kmvc decoder - */ -static av_cold int decode_end(AVCodecContext * avctx) -{ - KmvcContext *const c = avctx->priv_data; - - av_freep(&c->frm0); - av_freep(&c->frm1); - if (c->pic.data[0]) - avctx->release_buffer(avctx, &c->pic); - - return 0; -} - AVCodec ff_kmvc_decoder = { .name = "kmvc", .type = AVMEDIA_TYPE_VIDEO, .id = AV_CODEC_ID_KMVC, .priv_data_size = sizeof(KmvcContext), .init = decode_init, - .close = decode_end, .decode = decode_frame, .capabilities = CODEC_CAP_DR1, .long_name = NULL_IF_CONFIG_SMALL("Karl Morton's video codec"), From 258eea3f2e0db2c8d46982b766b7965c40095a28 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 1 Jul 2013 03:05:41 +0200 Subject: [PATCH 0396/1037] kmvc: Clip pixel position to valid range Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4e7f0b082d8c4b360312216b9241bec65ff63b35) Signed-off-by: Reinhard Tartler --- libavcodec/kmvc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index 1bfc0da802..e3dcd076a5 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -30,6 +30,7 @@ #include "avcodec.h" #include "bytestream.h" #include "internal.h" +#include "libavutil/common.h" #define KMVC_KEYFRAME 0x80 #define KMVC_PALETTE 0x40 
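Review bot: Removing `decode_end` in the last hunk of libavcodec/kmvc.c also drops the `avctx->release_buffer(avctx, &c->pic)` call, which is unrelated to the `frm0`/`frm1` allocations this commit replaces with fixed arrays. If `c->pic` is still obtained in `decode_frame` (outside these hunks), the last picture is no longer handed back through the release callback when the decoder is closed. That matters most for applications that install their own buffer callbacks. Keeping a `decode_end` reduced to `if (c->pic.data[0]) avctx->release_buffer(avctx, &c->pic);` and leaving `.close = decode_end` in `ff_kmvc_decoder` would preserve the old behaviour.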
@@ -56,7 +57,7 @@ typedef struct BitBuf { int bitbuf; } BitBuf; -#define BLK(data, x, y) data[(x) + (y) * 320] +#define BLK(data, x, y) data[av_clip((x) + (y) * 320, 0, 320 * 200 -1)] #define kmvc_init_getbits(bb, g) bb.bits = 7; bb.bitbuf = bytestream2_get_byte(g); From 9aaca159bd220582c698f13d081a455f398c9975 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 6 Jul 2013 13:20:57 +0200 Subject: [PATCH 0397/1037] Update Changelog --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index 754e4168b6..4cd63c823a 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,9 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 9.8: +- kmvc: Clip pixel position to valid range +- kmvc: Use fixed sized arrays in the context +- indeo: Reject negative array indexes - indeo: Check for reference when inheriting motion vectors - indeo: Properly forward the error codes - mjpeg: Check the unescaped size for overflows From 93fc80f8bfb3c6ce146e4cd30915bbd15ca73533 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2013 20:48:38 +0200 Subject: [PATCH 0398/1037] avcodec/x86/dsputil_init: only use xvid idct for lowres=0 Fixes crash Fixes Ticket2714 Signed-off-by: Michael Niedermayer (cherry picked from commit b791a0831b0a027e7ba4eb6961cc0180472ac603) Conflicts: libavcodec/x86/dsputil_init.c --- libavcodec/x86/dsputil_mmx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/dsputil_mmx.c b/libavcodec/x86/dsputil_mmx.c index 738bbd152b..96abaf90bc 100644 --- a/libavcodec/x86/dsputil_mmx.c +++ b/libavcodec/x86/dsputil_mmx.c 
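Review bot: The new `BLK` macro in libavcodec/kmvc.c clamps an out-of-range position with `av_clip` instead of reporting it, so a corrupt stream that produces a bad offset is decoded silently against the first or last pixel of the 320x200 frame and the caller cannot tell. An explicit range check where the position is derived from bitstream data, returning `AVERROR_INVALIDDATA`, would surface the error and leave the clamp as a last line of defence; those call sites are outside this hunk. If the clamp stays as is, a comment such as `/* index is clamped to the 320x200 frame; callers must still reject invalid positions */` would document the contract. `320 * 200 -1` should also read `320 * 200 - 1`.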
@@ -2533,7 +2533,7 @@ static void dsputil_init_sse2(DSPContext *c, AVCodecContext *avctx, const int high_bit_depth = bit_depth > 8; #if HAVE_SSE2_INLINE - if (!high_bit_depth && avctx->idct_algo == FF_IDCT_XVIDMMX) { + if (!high_bit_depth && avctx->idct_algo == FF_IDCT_XVIDMMX && avctx->lowres == 0) { c->idct_put = ff_idct_xvid_sse2_put; c->idct_add = ff_idct_xvid_sse2_add; c->idct = ff_idct_xvid_sse2; From af95e174c5d9cf9c87cbe396ed2e0269c0f18bc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2013 23:38:08 +0200 Subject: [PATCH 0399/1037] rmdec: Pass AVIOContext to rm_read_metadata() Fix null pointer dereference Fixes Ticket2588 Signed-off-by: Michael Niedermayer (cherry picked from commit bf87908cd8da31e8f8fe75c06577170928ea70a8) --- libavformat/rmdec.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 142567b3ad..c2d2495e49 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -94,13 +94,14 @@ static int rm_read_extradata(AVIOContext *pb, AVCodecContext *avctx, unsigned si return 0; } -static void rm_read_metadata(AVFormatContext *s, int wide) +static void rm_read_metadata(AVFormatContext *s, AVIOContext *pb, int wide) { char buf[1024]; int i; + for (i=0; ipb) : avio_r8(s->pb); - get_strl(s->pb, buf, sizeof(buf), len); + int len = wide ? avio_rb16(pb) : avio_r8(pb); + get_strl(pb, buf, sizeof(buf), len); av_dict_set(&s->metadata, ff_rm_metadata[i], buf, 0); } } @@ -133,7 +134,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_skip(pb, 8); bytes_per_minute = avio_rb16(pb); avio_skip(pb, 4); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); if ((startpos + header_size) >= avio_tell(pb) + 2) { // fourcc (should always be "lpcJ") avio_r8(pb); 
@@ -292,7 +293,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_r8(pb); avio_r8(pb); avio_r8(pb); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); } } return 0; @@ -515,7 +516,7 @@ static int rm_read_header(AVFormatContext *s) flags = avio_rb16(pb); /* flags */ break; case MKTAG('C', 'O', 'N', 'T'): - rm_read_metadata(s, 1); + rm_read_metadata(s, pb, 1); break; case MKTAG('M', 'D', 'P', 'R'): st = avformat_new_stream(s, NULL); From b186a5d08cde10ec61b2d7e83ced44c18cc1d9de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2013 03:27:07 +0200 Subject: [PATCH 0400/1037] mpegts: only reopen pmt_cb filter if its different from the previous. Fixes Ticket2632 Signed-off-by: Michael Niedermayer (cherry picked from commit b009267910df10c004b5f340a090d45da29089a0) --- libavformat/mpegts.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index a6dff475e1..274b85690a 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1620,12 +1620,18 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len if (sid == 0x0000) { /* NIT info */ } else { + MpegTSFilter *fil = ts->pids[pmt_pid]; program = av_new_program(ts->stream, sid); program->program_num = sid; program->pmt_pid = pmt_pid; - if (ts->pids[pmt_pid]) - mpegts_close_filter(ts, ts->pids[pmt_pid]); - mpegts_open_section_filter(ts, pmt_pid, pmt_cb, ts, 1); + if (fil) + if ( fil->type != MPEGTS_SECTION + || fil->pid != pmt_pid + || fil->u.section_filter.section_cb != pmt_cb) + mpegts_close_filter(ts, ts->pids[pmt_pid]); + + if (!ts->pids[pmt_pid]) + mpegts_open_section_filter(ts, pmt_pid, pmt_cb, ts, 1); add_pat_entry(ts, sid); add_pid_to_pmt(ts, sid, 0); //add pat pid to program add_pid_to_pmt(ts, sid, pmt_pid); From 25ed0f05fdc3a4fedb2b8257df60103140588db6 Mon Sep 17 00:00:00 2001 
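Review bot: The nested `if (fil) if (...)` added to `pat_cb` in libavformat/mpegts.c has no braces, and the close call re-reads `ts->pids[pmt_pid]` although `fil` already holds that pointer. A single condition is harder to misread when the block is next edited: `if (fil && (fil->type != MPEGTS_SECTION || fil->pid != pmt_pid || fil->u.section_filter.section_cb != pmt_cb)) mpegts_close_filter(ts, fil);`. The following `if (!ts->pids[pmt_pid])` presumably relies on `mpegts_close_filter` clearing that slot, which deserves a one-line comment since the function is not in the hunk. The context lines also dereference the result of `av_new_program()` without a NULL check.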
From: Michael Niedermayer Date: Sun, 7 Jul 2013 01:29:48 +0200 Subject: [PATCH 0401/1037] libavcodec/x86/mpegvideo: Move mmx functions under HAVE_MMX_INLINE should fix ticket2755 Signed-off-by: Michael Niedermayer (cherry picked from commit 707b2135fda3687a6eeb91411f801e437f633f30) --- libavcodec/x86/mpegvideo.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/mpegvideo.c b/libavcodec/x86/mpegvideo.c index 9870ed7d51..2ca661c69a 100644 --- a/libavcodec/x86/mpegvideo.c +++ b/libavcodec/x86/mpegvideo.c @@ -26,7 +26,7 @@ #include "libavcodec/mpegvideo.h" #include "dsputil_mmx.h" -#if HAVE_INLINE_ASM +#if HAVE_MMX_INLINE static void dct_unquantize_h263_intra_mmx(MpegEncContext *s, DCTELEM *block, int n, int qscale) @@ -574,11 +574,11 @@ static void denoise_dct_sse2(MpegEncContext *s, DCTELEM *block){ ); } -#endif /* HAVE_INLINE_ASM */ +#endif /* HAVE_MMX_INLINE */ void ff_MPV_common_init_x86(MpegEncContext *s) { -#if HAVE_INLINE_ASM +#if HAVE_MMX_INLINE int mm_flags = av_get_cpu_flags(); if (mm_flags & AV_CPU_FLAG_MMX) { @@ -596,5 +596,5 @@ void ff_MPV_common_init_x86(MpegEncContext *s) s->denoise_dct= denoise_dct_mmx; } } -#endif /* HAVE_INLINE_ASM */ +#endif /* HAVE_MMX_INLINE */ } From ba8d68462228b5ae0d4726a00150cdae26ad4ff4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2013 02:42:40 +0200 Subject: [PATCH 0402/1037] avformat/mov: Fix duration of fragmented mov Fixes Ticket2757 Signed-off-by: Michael Niedermayer (cherry picked from commit dc2a13aa802fc691c25d5e0194818831058316ee) --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a789750a55..cc1d596ac1 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -880,7 +880,7 @@ static int mov_read_mvhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->duration = (version == 1) ? avio_rb64(pb) : avio_rb32(pb); /* duration */ // set the AVCodecContext duration because the duration of individual tracks // may be inaccurate - if (c->time_scale > 0) + if (c->time_scale > 0 && !c->trex_data) c->fc->duration = av_rescale(c->duration, AV_TIME_BASE, c->time_scale); avio_rb32(pb); /* preferred scale */ From ce74b92c0981663754a5bf5edad59f9d2ea91e3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2013 22:03:36 +0200 Subject: [PATCH 0403/1037] mmsh: dont close context on seeking failure Fixes Ticket2581 Signed-off-by: Michael Niedermayer (cherry picked from commit b4579a29c75e2968ede2ad002dd4a495dbfc883d) --- libavformat/mmsh.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mmsh.c b/libavformat/mmsh.c index 86a0575e59..d5d2f0c171 100644 --- a/libavformat/mmsh.c +++ b/libavformat/mmsh.c @@ -309,14 +309,16 @@ static int mmsh_open_internal(URLContext *h, const char *uri, int flags, int tim return 0; fail: av_freep(&stream_selection); - mmsh_close(h); av_dlog(NULL, "Connection failed with error %d\n", err); return err; } static int mmsh_open(URLContext *h, const char *uri, int flags) { - return mmsh_open_internal(h, uri, flags, 0, 0); + int ret = mmsh_open_internal(h, uri, flags, 0, 0); + if (ret < 0) + mmsh_close(h); + return ret; } static int handle_chunk_type(MMSHContext *mmsh) From 8695d814e1ad90389fab9a760827b449d24c188c Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 6 Jul 2013 04:34:13 -0300 Subject: [PATCH 0404/1037] oggparseskeleton: Fix fisbone header parsing start_granule should be applied to the stream referenced in the fisbone packet, not to the Skeleton stream. This was broken in d1f05dd18375f2f8e68372edee11436927e43ba8 and produced bogus warnings about multiple fisbone in the same stream on files with more than one stream. 
Signed-off-by: Michael Niedermayer (cherry picked from commit 3960992f0abf8e28acada220c79fb754d67298ba) --- libavformat/oggparseskeleton.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparseskeleton.c b/libavformat/oggparseskeleton.c index f9ad701145..df4dc843c9 100644 --- a/libavformat/oggparseskeleton.c +++ b/libavformat/oggparseskeleton.c @@ -74,12 +74,17 @@ static int skeleton_header(AVFormatContext *s, int idx) target_idx = ogg_find_stream(ogg, AV_RL32(buf+12)); start_granule = AV_RL64(buf+36); + if (target_idx < 0) { + av_log(s, AV_LOG_WARNING, "Serial number in fisbone doesn't match any stream\n"); + return 1; + } + os = ogg->streams + target_idx; if (os->start_granule != OGG_NOGRANULE_VALUE) { av_log_missing_feature(s, "Multiple fisbone for the same stream", 0); return 1; } - if (target_idx >= 0 && start_granule != OGG_NOGRANULE_VALUE) { + if (start_granule != OGG_NOGRANULE_VALUE) { os->start_granule = start_granule; } } From 86a816902f36f01b3ea83b08cfe681add0a43995 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 6 Jul 2013 04:34:13 -0300 Subject: [PATCH 0405/1037] oggparseskeleton: Replace avpriv_report_missing_feature() with a normal av_log() call since there should not be more than one fisbone for a given stream. Signed-off-by: Michael Niedermayer (cherry picked from commit 63d7684fefcfa9de1a04b43471f876e882ba7aac) Conflicts: libavformat/oggparseskeleton.c --- libavformat/oggparseskeleton.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/oggparseskeleton.c b/libavformat/oggparseskeleton.c index df4dc843c9..415a4235dc 100644 --- a/libavformat/oggparseskeleton.c +++ b/libavformat/oggparseskeleton.c 
@@ -80,8 +80,7 @@ static int skeleton_header(AVFormatContext *s, int idx) } os = ogg->streams + target_idx; if (os->start_granule != OGG_NOGRANULE_VALUE) { - av_log_missing_feature(s, - "Multiple fisbone for the same stream", 0); + av_log(s, AV_LOG_WARNING, "Multiple fisbone for the same stream\n"); return 1; } if (start_granule != OGG_NOGRANULE_VALUE) { From 944c47166d618dc02b65fd644b7a34de516514c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jul 2013 23:53:19 +0200 Subject: [PATCH 0406/1037] oggparseskeleton: avoid header parsing failure Based on description by James Almer and the xiph wiki Signed-off-by: Michael Niedermayer (cherry picked from commit 9a6e814be7c052deb34a8f585176d053f4c187c1) --- libavformat/oggparseskeleton.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/oggparseskeleton.c b/libavformat/oggparseskeleton.c index 415a4235dc..79c018da66 100644 --- a/libavformat/oggparseskeleton.c +++ b/libavformat/oggparseskeleton.c @@ -37,6 +37,9 @@ static int skeleton_header(AVFormatContext *s, int idx) strcpy(st->codec->codec_name, "skeleton"); st->codec->codec_type = AVMEDIA_TYPE_DATA; + if ((os->flags & OGG_FLAG_EOS) && os->psize == 0) + return 1; + if (os->psize < 8) return -1; From 18900381e2d36b1b28d8f39148e6a799bf7336bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2013 13:15:32 +0200 Subject: [PATCH 0407/1037] mp3dec: detect CBR and use CBR axiom to seek This should also work reasonable with truncated and growing mp3s. Fixes Ticket2590 Signed-off-by: Michael Niedermayer (cherry picked from commit e096283ea55bc36a637b47329e19ddb26fb1440b) Conflicts: libavformat/mp3dec.c --- libavformat/mp3dec.c | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index d599c9c489..05cbece529 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c 
@@ -37,9 +37,11 @@ typedef struct { int64_t filesize; + int64_t header_filesize; int xing_toc; int start_pad; int end_pad; + int is_cbr; } MP3DecContext; /* mp3 read */ @@ -185,6 +187,9 @@ static int mp3_parse_vbr_tags(AVFormatContext *s, AVStream *st, int64_t base) if (size && frames && !is_cbr) st->codec->bit_rate = av_rescale(size, 8 * c.sample_rate, frames * (int64_t)spf); + mp3->is_cbr = is_cbr; + mp3->header_filesize = size; + return 0; } @@ -274,21 +279,33 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { MP3DecContext *mp3 = s->priv_data; - AVIndexEntry *ie; + AVIndexEntry *ie, ie1; AVStream *st = s->streams[0]; int64_t ret = av_index_search_timestamp(st, timestamp, flags); int i, j; - if (!mp3->xing_toc) { + if (mp3->is_cbr && st->duration > 0 && mp3->header_filesize > s->data_offset) { + int64_t filesize = avio_size(s->pb); + int64_t duration; + if (filesize <= s->data_offset) + filesize = mp3->header_filesize; + filesize -= s->data_offset; + duration = av_rescale(st->duration, filesize, mp3->header_filesize - s->data_offset); + ie = &ie1; + timestamp = av_clip64(timestamp, 0, duration); + ie->timestamp = timestamp; + ie->pos = av_rescale(timestamp, filesize, duration) + s->data_offset; + } else if (mp3->xing_toc) { + if (ret < 0) + return ret; + + ie = &st->index_entries[ret]; + } else { st->skip_samples = timestamp <= 0 ? mp3->start_pad + 528 + 1 : 0; return -1; } - if (ret < 0) - return ret; - - ie = &st->index_entries[ret]; ret = avio_seek(s->pb, ie->pos, SEEK_SET); if (ret < 0) return ret; From 0f84286677b5bcb049c2db4b17543a83a806e32e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2013 21:46:20 +0200 Subject: [PATCH 0408/1037] mpeg12dec: avoid reinitialization on PS changes when possible. Fixes Ticket2574 
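Review bot: In the CBR branch added to `mp3_seek` in libavformat/mp3dec.c, `duration` is used as the divisor in `av_rescale(timestamp, filesize, duration)` without being checked. It is derived from `header_filesize`, which `mp3_parse_vbr_tags` appears to take from the stream's own header. A header size that is large relative to `st->duration`, or a file only slightly longer than `s->data_offset`, can make `duration` round to 0, and how `av_rescale` treats a zero divisor is not visible here. Adding `if (duration <= 0) return -1;` after it is computed avoids depending on that. `ret` from `av_index_search_timestamp` is also computed before the branch and unused on the CBR path.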
Signed-off-by: Michael Niedermayer (cherry picked from commit 970c8df73528659925819dec31c4c8c0887f0321) Conflicts: libavcodec/mpeg12dec.c --- libavcodec/mpeg12.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index d8e22a26af..9c5e967188 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -1266,7 +1266,7 @@ static int mpeg_decode_postinit(AVCodecContext *avctx) s1->save_width != s->width || s1->save_height != s->height || s1->save_aspect_info != s->aspect_ratio_info || - s1->save_progressive_seq != s->progressive_sequence || + (s1->save_progressive_seq != s->progressive_sequence && (s->height&31)) || 0) { From b0558cd01110a8f579f4871ae0995a03064b1c2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jun 2013 19:46:48 +0200 Subject: [PATCH 0409/1037] update all trac links to use the trac subdomain Signed-off-by: Michael Niedermayer --- doc/issue_tracker.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/issue_tracker.txt b/doc/issue_tracker.txt index d487f66830..27b0009b58 100644 --- a/doc/issue_tracker.txt +++ b/doc/issue_tracker.txt @@ -24,7 +24,7 @@ a mail for every change to every issue. The subscription URL for the ffmpeg-trac list is: http(s)://ffmpeg.org/mailman/listinfo/ffmpeg-trac The URL of the webinterface of the tracker is: -http(s)://ffmpeg.org/trac/ffmpeg +http(s)://trac.ffmpeg.org Type: ----- From ae72abf6521c7870922db3aeb63fb28478da22f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2013 17:13:45 +0200 Subject: [PATCH 0410/1037] avformat/matroskadec: Detect conflicting sample rate/default_duration Fixes Ticket2508 Thanks-to: Moritz Bunkus Signed-off-by: Michael Niedermayer (cherry picked from commit 6158a3bcdf52fafc1d9ae9eb358a56c614b23aa3) --- libavformat/matroskadec.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) 
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 166eee49ab..fe4b70cd73 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2170,6 +2170,7 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, uint32_t *lace_size = NULL; int n, flags, laces = 0; uint64_t num; + int trust_default_duration = 1; if ((n = matroska_ebmlnum_uint(matroska, data, size, &num)) < 0) { av_log(matroska->ctx, AV_LOG_ERROR, "EBML block data error\n"); @@ -2224,7 +2225,15 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, if (res) goto end; - if (!block_duration) + if (track->audio.samplerate == 8000) { + // If this is needed for more codecs, then add them here + if (st->codec->codec_id == AV_CODEC_ID_AC3) { + if(track->audio.samplerate != st->codec->sample_rate || !st->codec->frame_size) + trust_default_duration = 0; + } + } + + if (!block_duration && trust_default_duration) block_duration = track->default_duration * laces / matroska->time_scale; if (cluster_time != (uint64_t)-1 && (block_time >= 0 || cluster_time >= -block_time)) From a1ac3c2d9cff3027d4d58300c5800084e1735619 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2013 04:09:30 +0200 Subject: [PATCH 0411/1037] avformat/dtsdec: Improve probe, reject things looking like analog signals Fixes Ticket2810 Signed-off-by: Michael Niedermayer (cherry picked from commit 6663205338f57eedb2392263dde48e2717c6e980) Conflicts: libavformat/dtsdec.c --- libavformat/dtsdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/dtsdec.c b/libavformat/dtsdec.c index 5c05758327..009dd5c456 100644 --- a/libavformat/dtsdec.c +++ b/libavformat/dtsdec.c @@ -34,6 +34,7 @@ static int dts_probe(AVProbeData *p) uint32_t state = -1; int markers[3] = {0}; int sum, max; + int64_t diff = 0; buf = p->buf; 
@@ -54,12 +55,16 @@ static int dts_probe(AVProbeData *p) if (state == DCA_MARKER_14B_LE) if ((bytestream_get_be16(&bufp) & 0xF0FF) == 0xF007) markers[2]++; + + if (buf - p->buf >= 4) + diff += FFABS(AV_RL16(buf) - AV_RL16(buf-4)); } sum = markers[0] + markers[1] + markers[2]; max = markers[1] > markers[0]; max = markers[2] > markers[max] ? 2 : max; if (markers[max] > 3 && p->buf_size / markers[max] < 32*1024 && - markers[max] * 4 > sum * 3) + markers[max] * 4 > sum * 3 && + diff / p->buf_size > 200) return AVPROBE_SCORE_MAX/2+1; return 0; From c2c9b7297fe6ee95788c27728b0073e38e33b94d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 27 Jul 2013 15:48:41 +0200 Subject: [PATCH 0412/1037] avidec: Let the inner dv demuxer take care of discarding (cherry picked from commit c8f0b20b4a6bb6691928789d83e4b) CC: libav-stable@libav.org --- libavformat/avidec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index a3af5cf2de..ee341c21b6 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -920,9 +920,12 @@ start_sync: } - if( (st->discard >= AVDISCARD_DEFAULT && size==0) - /*|| (st->discard >= AVDISCARD_NONKEY && !(pkt->flags & AV_PKT_FLAG_KEY))*/ //FIXME needs a little reordering - || st->discard >= AVDISCARD_ALL){ + if (!avi->dv_demux && + ((st->discard >= AVDISCARD_DEFAULT && size==0) /* || + //FIXME needs a little reordering + (st->discard >= AVDISCARD_NONKEY && + !(pkt->flags & AV_PKT_FLAG_KEY)) */ + || st->discard >= AVDISCARD_ALL)) { if (!exit_early) { ast->frame_offset += get_duration(ast, size); } From ef81f55ec7a95907ec0eb1cb8cbcc3c8fa68e2e6 Mon Sep 17 00:00:00 2001 
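Review bot: The added `diff += FFABS(AV_RL16(buf) - AV_RL16(buf-4));` compares the two words as unsigned values, so signed PCM that hovers around zero (0xFFFF next to 0x0001) contributes a difference close to 65535 and inflates the average that the new `diff / p->buf_size > 200` test depends on. If the aim is to reject smooth, analog-looking audio, reading both words as signed fits that better: `diff += FFABS((int16_t)AV_RL16(buf) - (int16_t)AV_RL16(buf-4));`. The threshold 200 and the 4-byte distance are unexplained; a comment such as `/* mean absolute difference of 16-bit words 4 bytes apart; low values look like PCM rather than DTS */` would help. The loop header is outside the hunk, so the read bounds of `AV_RL16(buf)` cannot be confirmed from here.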
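Review bot: The rewritten condition in the avidec hunk keeps a disabled clause inside the expression, with a `//FIXME` line nested in a `/* ... */` block between two `||` operands, which makes it hard to see which terms are actually evaluated. Hoisting the FIXME and the disabled AVDISCARD_NONKEY test into a comment above the `if` leaves `if (!avi->dv_demux && ((st->discard >= AVDISCARD_DEFAULT && size == 0) || st->discard >= AVDISCARD_ALL)) {` as the live test. The reason for the new `!avi->dv_demux` term is only in the commit title; `/* the inner dv demuxer does its own discarding */` next to it would keep that visible. The enclosing function starts and ends outside the hunk.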
From: Paul B Mahol Date: Mon, 29 Jul 2013 00:00:42 +0200 Subject: [PATCH 0413/1037] Revert "pnm: remove nonsense code" Breaks decoding pgms with 255 < maxval < 65535. Found-by: Carl Eugen Hoyos . This reverts commit a0348d0966a81a66f3a1bf061576b24d5296b933. (cherry picked from commit 768e40b451a459fefaceed6b1b3d6e70c93596ac) --- libavcodec/pnm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index 13ecbb057f..e73f5a7acb 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -163,6 +163,8 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if (s->maxval >= 256) { if (avctx->pix_fmt == AV_PIX_FMT_GRAY8) { avctx->pix_fmt = AV_PIX_FMT_GRAY16BE; + if (s->maxval != 65535) + avctx->pix_fmt = AV_PIX_FMT_GRAY16; } else if (avctx->pix_fmt == AV_PIX_FMT_RGB24) { avctx->pix_fmt = AV_PIX_FMT_RGB48BE; } else { From a1ce54ce6a5d7c50265aac0eee39bbb899043798 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jul 2013 20:43:45 +0200 Subject: [PATCH 0414/1037] avcodec/kmvc: fix MV checks Fixes Ticket2813 Fixes regression since 70b5583 Signed-off-by: Michael Niedermayer (cherry picked from commit 3cd8aaa2b2e78faf039691e1c31ff4f8d94e3bc6) --- libavcodec/kmvc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index edfafa0401..5e94f5b571 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -107,7 +107,7 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = val & 0xF; my = val >> 4; - if ((l0x-mx) + 320*(l0y-my) < 0 || (l0x-mx) + 320*(l0y-my) > 316*196) { + if ((l0x-mx) + 320*(l0y-my) < 0 || (l0x-mx) + 320*(l0y-my) > 320*197 - 4) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); return AVERROR_INVALIDDATA; } 
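Review bot: The re-added `if (s->maxval != 65535) avctx->pix_fmt = AV_PIX_FMT_GRAY16;` overrides the assignment on the line before it without saying why a native-endian format is wanted for maxval between 256 and 65534, and the commit message shows these lines were once removed as "nonsense". A comment at that spot stating what later code relies on (the handling of such maxval is outside the hunk, so the wording needs checking against the decoder) would protect the lines from being dropped again. The RGB48BE branch in the context lines gets no equivalent treatment; whether files with an intermediate maxval are affected there cannot be told from this hunk.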
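Review bot: The corrected limits `320*197 - 4` and `320*199 - 2` are bare arithmetic repeated in all four checks (this hunk and the three that follow in kmvc_decode_intra_8x8 and kmvc_decode_inter_8x8), and the previous `316*196` and `318*198` show how easy they are to get wrong. A comment at each test, e.g. `/* last top-left offset at which a 4x4 block still fits, assuming a 320x200 plane */`, or one named helper that derives the limit from the block size, would make the bound checkable against the buffer it protects. The test bounds only the linear offset, so a source column left of 0 lands in the previous row instead of being rejected; if that is intended, the comment should say so. The buffer size itself is not visible in these hunks.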
@@ -132,7 +132,7 @@ static int kmvc_decode_intra_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = val & 0xF; my = val >> 4; - if ((l1x-mx) + 320*(l1y-my) < 0 || (l1x-mx) + 320*(l1y-my) > 318*198) { + if ((l1x-mx) + 320*(l1y-my) < 0 || (l1x-mx) + 320*(l1y-my) > 320*199 - 2) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); return AVERROR_INVALIDDATA; } @@ -207,7 +207,7 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = (val & 0xF) - 8; my = (val >> 4) - 8; - if ((l0x+mx) + 320*(l0y+my) < 0 || (l0x+mx) + 320*(l0y+my) > 318*198) { + if ((l0x+mx) + 320*(l0y+my) < 0 || (l0x+mx) + 320*(l0y+my) > 320*197 - 4) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); return AVERROR_INVALIDDATA; } @@ -232,7 +232,7 @@ static int kmvc_decode_inter_8x8(KmvcContext * ctx, int w, int h) val = bytestream2_get_byte(&ctx->g); mx = (val & 0xF) - 8; my = (val >> 4) - 8; - if ((l1x+mx) + 320*(l1y+my) < 0 || (l1x+mx) + 320*(l1y+my) > 318*198) { + if ((l1x+mx) + 320*(l1y+my) < 0 || (l1x+mx) + 320*(l1y+my) > 320*199 - 2) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid MV\n"); return AVERROR_INVALIDDATA; } From 3f5824aa18aa7b18016701123efc7e1714d56001 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 4 Aug 2013 18:57:39 +0200 Subject: [PATCH 0415/1037] avconv: do not use lavfi direct rendering with -deinterlace -deinterlace allocates a temporary buffer that is freed immediately after the frame is sent to lavfi, which results in use after free. Disable direct rendering when -deinterlace is used. CC:libav-stable@libav.org Bug-id: 479 --- avconv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avconv.c b/avconv.c index dd998ab40c..6544fc6fb7 100644 --- a/avconv.c +++ b/avconv.c 
@@ -1215,7 +1215,7 @@ static int decode_video(InputStream *ist, AVPacket *pkt, int *got_output) } for (i = 0; i < ist->nb_filters; i++) { - if (ist->st->codec->codec->capabilities & CODEC_CAP_DR1) { + if (ist->st->codec->codec->capabilities & CODEC_CAP_DR1 && !do_deinterlace) { FrameBuffer *buf = decoded_frame->opaque; AVFilterBufferRef *fb = avfilter_get_video_buffer_ref_from_arrays( decoded_frame->data, decoded_frame->linesize, From cb51d9ed254dd3cecc83bc158dea91a973de6d58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2013 13:45:20 +0200 Subject: [PATCH 0416/1037] movenc: ilbc needs audio_vbr set. Without this the block_align or bitrate value is not available to the decoder Fixes Ticket2858 Signed-off-by: Michael Niedermayer (cherry picked from commit 3d64845600c6486a2706b118a81805f3bf4d3db5) --- libavformat/movenc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index bc50ccd8e0..bba42782e0 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -3641,6 +3641,9 @@ static int mov_write_header(AVFormatContext *s) }else{ track->sample_size = (av_get_bits_per_sample(st->codec->codec_id) >> 3) * st->codec->channels; } + if (st->codec->codec_id == AV_CODEC_ID_ILBC) { + track->audio_vbr = 1; + } if (track->mode != MODE_MOV && track->enc->codec_id == AV_CODEC_ID_MP3 && track->timescale < 16000) { av_log(s, AV_LOG_ERROR, "track %d: muxing mp3 at %dhz is not supported\n", From 6124a7edbcb03e572b9fc03b447361628fcdc52f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2013 16:49:31 +0200 Subject: [PATCH 0417/1037] swr: clean layouts before checking sanity Signed-off-by: Michael Niedermayer (cherry picked from commit 6dfffe92004dfd8c79d18791f28a2b1c7e387845) --- libswresample/rematrix.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 51658cee21..cfe0a1b592 100644 --- a/libswresample/rematrix.c 
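Review bot: The new test `capabilities & CODEC_CAP_DR1 && !do_deinterlace` relies on `&` binding tighter than `&&`; it parses as intended but is easy to misread, so `if ((ist->st->codec->codec->capabilities & CODEC_CAP_DR1) && !do_deinterlace) {` is clearer. The reason for the exclusion lives only in the commit message; a comment at the test, `/* -deinterlace frees its temporary buffer right after the frame is sent to lavfi, so the data must not be referenced directly */`, would keep the use-after-free fix from being undone later. The rest of the loop body is outside the hunk.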
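Review bot: The added iLBC block in mov_write_header tests `st->codec->codec_id`, while the check directly below it in the context uses `track->enc->codec_id`; if both refer to the same codec context, using one accessor keeps the neighbouring checks parallel. The block also has no comment, and the explanation is only in the commit message; `/* iLBC: block_align/bitrate reach the decoder only when audio_vbr is set */` would record it. mov_write_header continues outside the hunk.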
+++ b/libswresample/rematrix.c @@ -118,13 +118,14 @@ av_cold static int auto_matrix(SwrContext *s) const int matrix_encoding = s->matrix_encoding; in_ch_layout = clean_layout(s, s->in_ch_layout); + out_ch_layout = clean_layout(s, s->out_ch_layout); + if(!sane_layout(in_ch_layout)){ av_get_channel_layout_string(buf, sizeof(buf), -1, s->in_ch_layout); av_log(s, AV_LOG_ERROR, "Input channel layout '%s' is not supported\n", buf); return AVERROR(EINVAL); } - out_ch_layout = clean_layout(s, s->out_ch_layout); if(!sane_layout(out_ch_layout)){ av_get_channel_layout_string(buf, sizeof(buf), -1, s->out_ch_layout); av_log(s, AV_LOG_ERROR, "Output channel layout '%s' is not supported\n", buf); From daa809fd9f1cb74353f99a1e2817bc5fa68ba076 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2013 16:56:51 +0200 Subject: [PATCH 0418/1037] swr/rematrix: Fix handling of AV_CH_LAYOUT_STEREO_DOWNMIX output Fixes Ticket2859 Note, testcases related to the downmix channels are welcome. (id like to make sure this is working correctly now, as obviously it didnt work before ...) Signed-off-by: Michael Niedermayer (cherry picked from commit c56d4dab039b352961cca298d753b04e2f2fd990) --- libswresample/rematrix.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index cfe0a1b592..541f46a782 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -78,9 +78,6 @@ static int even(int64_t layout){ } static int clean_layout(SwrContext *s, int64_t layout){ - if((layout & AV_CH_LAYOUT_STEREO_DOWNMIX) == AV_CH_LAYOUT_STEREO_DOWNMIX) - return AV_CH_LAYOUT_STEREO; - if(layout && layout != AV_CH_FRONT_CENTER && !(layout&(layout-1))) { char buf[128]; av_get_channel_layout_string(buf, sizeof(buf), -1, layout); 
@@ -120,6 +117,11 @@ av_cold static int auto_matrix(SwrContext *s) in_ch_layout = clean_layout(s, s->in_ch_layout); out_ch_layout = clean_layout(s, s->out_ch_layout); + if( out_ch_layout == AV_CH_LAYOUT_STEREO_DOWNMIX + && (in_ch_layout & AV_CH_LAYOUT_STEREO_DOWNMIX) == 0 + ) + out_ch_layout = AV_CH_LAYOUT_STEREO; + if(!sane_layout(in_ch_layout)){ av_get_channel_layout_string(buf, sizeof(buf), -1, s->in_ch_layout); av_log(s, AV_LOG_ERROR, "Input channel layout '%s' is not supported\n", buf); From fa6eef4210c2fd7f7324d558b09311c75987a31e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 24 Jun 2013 18:12:24 +0200 Subject: [PATCH 0419/1037] wtv: Mark attachment with a negative stream id A sid 0 would be mismatched to the attachment. Prevent NULL pointer dereference. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f5e646a00ac21e500dae4bcceded790a0fbc5246) Signed-off-by: Luca Barbato --- libavformat/wtv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/wtv.c b/libavformat/wtv.c index 2e5d39cff2..1811e4645c 100644 --- a/libavformat/wtv.c +++ b/libavformat/wtv.c @@ -502,6 +502,7 @@ static void get_attachment(AVFormatContext *s, AVIOContext *pb, int length) st->codec->codec_id = AV_CODEC_ID_MJPEG; st->codec->codec_type = AVMEDIA_TYPE_ATTACHMENT; st->codec->extradata = av_mallocz(filesize); + st->id = -1; if (!st->codec->extradata) goto done; st->codec->extradata_size = filesize; From 002ca3e099f0d54cefab250baf027a7c006410d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jun 2013 14:23:44 +0200 Subject: [PATCH 0420/1037] avio: Handle AVERROR_EOF in the same way as the return value 0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This makes sure the ffurl_read_complete function actually returns the number of bytes read, as the documentation of the function says, even if the underlying protocol uses AVERROR_EOF instead of 0. 
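Review bot: The new override tests `out_ch_layout == AV_CH_LAYOUT_STEREO_DOWNMIX` for exact equality but tests the input with a mask, so an output layout that carries the downmix pair plus any other channel skips the override and, with the early return removed from clean_layout(), reaches the checks that follow unchanged. If that combination should be rejected, sane_layout() has to do it (its body is not visible here); otherwise a mask test may be what is meant. A comment above the test, e.g. `/* plain downmix output is treated as stereo unless the input itself has downmix channels */`, would document the rule, which the commit message says is untested. auto_matrix continues outside the hunk.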
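Review bot: In the wtv hunk `st->id = -1;` is inserted between the `av_mallocz(filesize)` call and the `if (!st->codec->extradata)` test that belongs to it, separating an allocation from its NULL check. Moving the assignment above the allocation, next to the `codec_type` assignment, keeps the pair adjacent, and `/* attachments have no stream id; -1 keeps them from matching sid 0 */` would record why the value matters. get_attachment starts and ends outside the hunk.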
Signed-off-by: Martin Storsjö (cherry picked from commit 5d876be87a115b93dd2e644049e3ada2cfb5ccb7) Signed-off-by: Luca Barbato --- libavformat/avio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index a43b241399..ad39e6fdb0 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -238,7 +238,7 @@ static inline int retry_transfer_wrapper(URLContext *h, unsigned char *buf, int else av_usleep(1000); } else if (ret < 1) - return ret < 0 ? ret : len; + return (ret < 0 && ret != AVERROR_EOF) ? ret : len; if (ret) fast_retries = FFMAX(fast_retries, 2); len += ret; From a747cf8873ee8e4cb229b215fd3356f374488c12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2013 23:38:08 +0200 Subject: [PATCH 0421/1037] rmdec: Use the AVIOContext given as parameter in rm_read_metadata() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes crashes when playing back certain RealRTSP streams. When invoked from the RTP depacketizer, the full realmedia demuxer isn't invoked, but only certain functions from it, where a separate AVIOContext is passed in as parameter (for the buffer containing the data to parse). The functions called from within those entry points should only be using that parameter, not s->pb. In the depacketizer case, s is the RTSP context, where ->pb is null. Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d35b6cd3775456a23b63e73316e244b671caa02f) Signed-off-by: Luca Barbato --- libavformat/rmdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 3cf2c97fe4..6495bdf17a 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
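Review bot: The changed `return (ret < 0 && ret != AVERROR_EOF) ? ret : len;` folds AVERROR_EOF into the byte count with no comment, so a reader of retry_transfer_wrapper cannot tell that `len` may be 0 at this point. I would add `/* EOF, signalled as 0 or AVERROR_EOF: report the bytes read so far */` above the line. Callers that look for a negative result to detect end of stream now receive 0 on an immediate EOF; those callers are outside the hunk and worth checking.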
@@ -93,13 +93,13 @@ static int rm_read_extradata(AVIOContext *pb, AVCodecContext *avctx, unsigned si return 0; } -static void rm_read_metadata(AVFormatContext *s, int wide) +static void rm_read_metadata(AVFormatContext *s, AVIOContext *pb, int wide) { char buf[1024]; int i; for (i=0; ipb) : avio_r8(s->pb); - get_strl(s->pb, buf, sizeof(buf), len); + int len = wide ? avio_rb16(pb) : avio_r8(pb); + get_strl(pb, buf, sizeof(buf), len); av_dict_set(&s->metadata, ff_rm_metadata[i], buf, 0); } } @@ -129,7 +129,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, int header_size = avio_rb16(pb); int64_t startpos = avio_tell(pb); avio_skip(pb, 14); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); if ((startpos + header_size) >= avio_tell(pb) + 2) { // fourcc (should always be "lpcJ") avio_r8(pb); @@ -276,7 +276,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_r8(pb); avio_r8(pb); avio_r8(pb); - rm_read_metadata(s, 0); + rm_read_metadata(s, pb, 0); } } return 0; @@ -471,7 +471,7 @@ static int rm_read_header(AVFormatContext *s) flags = avio_rb16(pb); /* flags */ break; case MKTAG('C', 'O', 'N', 'T'): - rm_read_metadata(s, 1); + rm_read_metadata(s, pb, 1); break; case MKTAG('M', 'D', 'P', 'R'): st = avformat_new_stream(s, NULL); From fb1823e17807294ba0ab89b28f744ba73856009f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 27 Jun 2013 03:19:05 +0200 Subject: [PATCH 0422/1037] vqavideo: check the version Prevent out of buffer write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c4abc9098cacb227dba39bac6aea16b2bceba0d0) Signed-off-by: Luca Barbato --- libavcodec/vqavideo.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 841210ce97..b4656b8891 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c 
@@ -135,6 +135,17 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) /* load up the VQA parameters from the header */ s->vqa_version = s->avctx->extradata[0]; + switch (s->vqa_version) { + case 1: + case 2: + break; + case 3: + av_log_missing_feature(avctx, "VQA Version 3", 0); + return AVERROR_PATCHWELCOME; + default: + av_log_missing_feature(avctx, "VQA Version", 1); + return AVERROR_PATCHWELCOME; + } s->width = AV_RL16(&s->avctx->extradata[6]); s->height = AV_RL16(&s->avctx->extradata[8]); if(av_image_check_size(s->width, s->height, 0, avctx)){ From e7800543fe804dde114e4d86d7ab053a5b5516da Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 27 Jun 2013 04:30:20 +0200 Subject: [PATCH 0423/1037] westwood_vqa: do not free extradata on error in read_header The extradata is already freed by avformat_open_input on failure. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 76f5dfbfd902178df4a38221a68dc8540189345a) Signed-off-by: Luca Barbato --- libavformat/westwood_vqa.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index 7c9cb0db81..77da375e70 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c @@ -106,7 +106,6 @@ static int wsvqa_read_header(AVFormatContext *s) header = (unsigned char *)st->codec->extradata; if (avio_read(pb, st->codec->extradata, VQA_HEADER_SIZE) != VQA_HEADER_SIZE) { - av_free(st->codec->extradata); return AVERROR(EIO); } st->codec->width = AV_RL16(&header[6]); @@ -132,7 +131,6 @@ static int wsvqa_read_header(AVFormatContext *s) * FINF has been skipped and the file will be ready to be demuxed */ do { if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) { - av_free(st->codec->extradata); return AVERROR(EIO); } chunk_tag = AV_RB32(&scratch[0]); From 86eec54c943981d7fade67bbde64cb097acea819 Mon Sep 17 00:00:00 2001 
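Review bot: The `default:` branch reports any unrecognised version byte through `av_log_missing_feature(avctx, "VQA Version", 1)` without printing the value, so a corrupt header and a genuinely newer version look the same in the log. Logging the byte, `av_log(avctx, AV_LOG_ERROR, "Unsupported VQA version %d\n", s->vqa_version);`, and possibly returning AVERROR_INVALIDDATA for values outside the known 1–3 range would make triage of malformed files easier. The version comes from `extradata[0]`; any check of the extradata size sits above the hunk and needs to precede this read.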
From: Luca Barbato Date: Thu, 27 Jun 2013 02:20:59 +0200 Subject: [PATCH 0424/1037] qdm2: use init_static_data (cherry picked from commit f054e309c58894450a5d18cce9799ef58aab9f14) Signed-off-by: Luca Barbato --- libavcodec/qdm2.c | 244 +++++++++++++++++++++++++--------------------- 1 file changed, 132 insertions(+), 112 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 17729d18c9..767368cf91 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c 
@@ -221,116 +221,145 @@ static const uint16_t qdm2_vlc_offs[] = { static av_cold void qdm2_init_vlc(void) { - static int vlcs_initialized = 0; static VLC_TYPE qdm2_table[3838][2]; - if (!vlcs_initialized) { + vlc_tab_level.table = &qdm2_table[qdm2_vlc_offs[0]]; + vlc_tab_level.table_allocated = qdm2_vlc_offs[1] - qdm2_vlc_offs[0]; + init_vlc(&vlc_tab_level, 8, 24, + vlc_tab_level_huffbits, 1, 1, + vlc_tab_level_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_level.table = &qdm2_table[qdm2_vlc_offs[0]]; - vlc_tab_level.table_allocated = qdm2_vlc_offs[1] - qdm2_vlc_offs[0]; - init_vlc (&vlc_tab_level, 8, 24, - vlc_tab_level_huffbits, 1, 1, - vlc_tab_level_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_diff.table = &qdm2_table[qdm2_vlc_offs[1]]; + vlc_tab_diff.table_allocated = qdm2_vlc_offs[2] - qdm2_vlc_offs[1]; + init_vlc(&vlc_tab_diff, 8, 37, + vlc_tab_diff_huffbits, 1, 1, + vlc_tab_diff_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_diff.table = &qdm2_table[qdm2_vlc_offs[1]]; - vlc_tab_diff.table_allocated = qdm2_vlc_offs[2] - qdm2_vlc_offs[1]; - init_vlc (&vlc_tab_diff, 8, 37, - vlc_tab_diff_huffbits, 1, 1, - vlc_tab_diff_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_run.table = &qdm2_table[qdm2_vlc_offs[2]]; + vlc_tab_run.table_allocated = qdm2_vlc_offs[3] - qdm2_vlc_offs[2]; + init_vlc(&vlc_tab_run, 5, 6, + vlc_tab_run_huffbits, 1, 1, + vlc_tab_run_huffcodes, 1, 1, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_run.table = &qdm2_table[qdm2_vlc_offs[2]]; - vlc_tab_run.table_allocated = qdm2_vlc_offs[3] - qdm2_vlc_offs[2]; - init_vlc (&vlc_tab_run, 5, 6, - vlc_tab_run_huffbits, 1, 1, - vlc_tab_run_huffcodes, 1, 1, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + fft_level_exp_alt_vlc.table = &qdm2_table[qdm2_vlc_offs[3]]; + fft_level_exp_alt_vlc.table_allocated = qdm2_vlc_offs[4] - + qdm2_vlc_offs[3]; + init_vlc(&fft_level_exp_alt_vlc, 8, 28, + fft_level_exp_alt_huffbits, 1, 1, + 
fft_level_exp_alt_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - fft_level_exp_alt_vlc.table = &qdm2_table[qdm2_vlc_offs[3]]; - fft_level_exp_alt_vlc.table_allocated = qdm2_vlc_offs[4] - qdm2_vlc_offs[3]; - init_vlc (&fft_level_exp_alt_vlc, 8, 28, - fft_level_exp_alt_huffbits, 1, 1, - fft_level_exp_alt_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + fft_level_exp_vlc.table = &qdm2_table[qdm2_vlc_offs[4]]; + fft_level_exp_vlc.table_allocated = qdm2_vlc_offs[5] - qdm2_vlc_offs[4]; + init_vlc(&fft_level_exp_vlc, 8, 20, + fft_level_exp_huffbits, 1, 1, + fft_level_exp_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + fft_stereo_exp_vlc.table = &qdm2_table[qdm2_vlc_offs[5]]; + fft_stereo_exp_vlc.table_allocated = qdm2_vlc_offs[6] - + qdm2_vlc_offs[5]; + init_vlc(&fft_stereo_exp_vlc, 6, 7, + fft_stereo_exp_huffbits, 1, 1, + fft_stereo_exp_huffcodes, 1, 1, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - fft_level_exp_vlc.table = &qdm2_table[qdm2_vlc_offs[4]]; - fft_level_exp_vlc.table_allocated = qdm2_vlc_offs[5] - qdm2_vlc_offs[4]; - init_vlc (&fft_level_exp_vlc, 8, 20, - fft_level_exp_huffbits, 1, 1, - fft_level_exp_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + fft_stereo_phase_vlc.table = &qdm2_table[qdm2_vlc_offs[6]]; + fft_stereo_phase_vlc.table_allocated = qdm2_vlc_offs[7] - + qdm2_vlc_offs[6]; + init_vlc(&fft_stereo_phase_vlc, 6, 9, + fft_stereo_phase_huffbits, 1, 1, + fft_stereo_phase_huffcodes, 1, 1, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - fft_stereo_exp_vlc.table = &qdm2_table[qdm2_vlc_offs[5]]; - fft_stereo_exp_vlc.table_allocated = qdm2_vlc_offs[6] - qdm2_vlc_offs[5]; - init_vlc (&fft_stereo_exp_vlc, 6, 7, - fft_stereo_exp_huffbits, 1, 1, - fft_stereo_exp_huffcodes, 1, 1, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_tone_level_idx_hi1.table = + &qdm2_table[qdm2_vlc_offs[7]]; + vlc_tab_tone_level_idx_hi1.table_allocated = qdm2_vlc_offs[8] - + qdm2_vlc_offs[7]; + init_vlc(&vlc_tab_tone_level_idx_hi1, 8, 20, + 
vlc_tab_tone_level_idx_hi1_huffbits, 1, 1, + vlc_tab_tone_level_idx_hi1_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - fft_stereo_phase_vlc.table = &qdm2_table[qdm2_vlc_offs[6]]; - fft_stereo_phase_vlc.table_allocated = qdm2_vlc_offs[7] - qdm2_vlc_offs[6]; - init_vlc (&fft_stereo_phase_vlc, 6, 9, - fft_stereo_phase_huffbits, 1, 1, - fft_stereo_phase_huffcodes, 1, 1, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_tone_level_idx_mid.table = + &qdm2_table[qdm2_vlc_offs[8]]; + vlc_tab_tone_level_idx_mid.table_allocated = qdm2_vlc_offs[9] - + qdm2_vlc_offs[8]; + init_vlc(&vlc_tab_tone_level_idx_mid, 8, 24, + vlc_tab_tone_level_idx_mid_huffbits, 1, 1, + vlc_tab_tone_level_idx_mid_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_tone_level_idx_hi1.table = &qdm2_table[qdm2_vlc_offs[7]]; - vlc_tab_tone_level_idx_hi1.table_allocated = qdm2_vlc_offs[8] - qdm2_vlc_offs[7]; - init_vlc (&vlc_tab_tone_level_idx_hi1, 8, 20, - vlc_tab_tone_level_idx_hi1_huffbits, 1, 1, - vlc_tab_tone_level_idx_hi1_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_tone_level_idx_hi2.table = + &qdm2_table[qdm2_vlc_offs[9]]; + vlc_tab_tone_level_idx_hi2.table_allocated = qdm2_vlc_offs[10] - + qdm2_vlc_offs[9]; + init_vlc(&vlc_tab_tone_level_idx_hi2, 8, 24, + vlc_tab_tone_level_idx_hi2_huffbits, 1, 1, + vlc_tab_tone_level_idx_hi2_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_tone_level_idx_mid.table = &qdm2_table[qdm2_vlc_offs[8]]; - vlc_tab_tone_level_idx_mid.table_allocated = qdm2_vlc_offs[9] - qdm2_vlc_offs[8]; - init_vlc (&vlc_tab_tone_level_idx_mid, 8, 24, - vlc_tab_tone_level_idx_mid_huffbits, 1, 1, - vlc_tab_tone_level_idx_mid_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_type30.table = &qdm2_table[qdm2_vlc_offs[10]]; + vlc_tab_type30.table_allocated = qdm2_vlc_offs[11] - qdm2_vlc_offs[10]; + init_vlc(&vlc_tab_type30, 6, 9, + vlc_tab_type30_huffbits, 1, 1, + vlc_tab_type30_huffcodes, 1, 1, + 
INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_tone_level_idx_hi2.table = &qdm2_table[qdm2_vlc_offs[9]]; - vlc_tab_tone_level_idx_hi2.table_allocated = qdm2_vlc_offs[10] - qdm2_vlc_offs[9]; - init_vlc (&vlc_tab_tone_level_idx_hi2, 8, 24, - vlc_tab_tone_level_idx_hi2_huffbits, 1, 1, - vlc_tab_tone_level_idx_hi2_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_type34.table = &qdm2_table[qdm2_vlc_offs[11]]; + vlc_tab_type34.table_allocated = qdm2_vlc_offs[12] - qdm2_vlc_offs[11]; + init_vlc(&vlc_tab_type34, 5, 10, + vlc_tab_type34_huffbits, 1, 1, + vlc_tab_type34_huffcodes, 1, 1, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_type30.table = &qdm2_table[qdm2_vlc_offs[10]]; - vlc_tab_type30.table_allocated = qdm2_vlc_offs[11] - qdm2_vlc_offs[10]; - init_vlc (&vlc_tab_type30, 6, 9, - vlc_tab_type30_huffbits, 1, 1, - vlc_tab_type30_huffcodes, 1, 1, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_fft_tone_offset[0].table = + &qdm2_table[qdm2_vlc_offs[12]]; + vlc_tab_fft_tone_offset[0].table_allocated = qdm2_vlc_offs[13] - + qdm2_vlc_offs[12]; + init_vlc(&vlc_tab_fft_tone_offset[0], 8, 23, + vlc_tab_fft_tone_offset_0_huffbits, 1, 1, + vlc_tab_fft_tone_offset_0_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_type34.table = &qdm2_table[qdm2_vlc_offs[11]]; - vlc_tab_type34.table_allocated = qdm2_vlc_offs[12] - qdm2_vlc_offs[11]; - init_vlc (&vlc_tab_type34, 5, 10, - vlc_tab_type34_huffbits, 1, 1, - vlc_tab_type34_huffcodes, 1, 1, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_fft_tone_offset[1].table = + &qdm2_table[qdm2_vlc_offs[13]]; + vlc_tab_fft_tone_offset[1].table_allocated = qdm2_vlc_offs[14] - + qdm2_vlc_offs[13]; + init_vlc(&vlc_tab_fft_tone_offset[1], 8, 28, + vlc_tab_fft_tone_offset_1_huffbits, 1, 1, + vlc_tab_fft_tone_offset_1_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_fft_tone_offset[0].table = &qdm2_table[qdm2_vlc_offs[12]]; - vlc_tab_fft_tone_offset[0].table_allocated = 
qdm2_vlc_offs[13] - qdm2_vlc_offs[12]; - init_vlc (&vlc_tab_fft_tone_offset[0], 8, 23, - vlc_tab_fft_tone_offset_0_huffbits, 1, 1, - vlc_tab_fft_tone_offset_0_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_fft_tone_offset[2].table = + &qdm2_table[qdm2_vlc_offs[14]]; + vlc_tab_fft_tone_offset[2].table_allocated = qdm2_vlc_offs[15] - + qdm2_vlc_offs[14]; + init_vlc(&vlc_tab_fft_tone_offset[2], 8, 32, + vlc_tab_fft_tone_offset_2_huffbits, 1, 1, + vlc_tab_fft_tone_offset_2_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_fft_tone_offset[1].table = &qdm2_table[qdm2_vlc_offs[13]]; - vlc_tab_fft_tone_offset[1].table_allocated = qdm2_vlc_offs[14] - qdm2_vlc_offs[13]; - init_vlc (&vlc_tab_fft_tone_offset[1], 8, 28, - vlc_tab_fft_tone_offset_1_huffbits, 1, 1, - vlc_tab_fft_tone_offset_1_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); + vlc_tab_fft_tone_offset[3].table = + &qdm2_table[qdm2_vlc_offs[15]]; + vlc_tab_fft_tone_offset[3].table_allocated = qdm2_vlc_offs[16] - + qdm2_vlc_offs[15]; + init_vlc(&vlc_tab_fft_tone_offset[3], 8, 35, + vlc_tab_fft_tone_offset_3_huffbits, 1, 1, + vlc_tab_fft_tone_offset_3_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - vlc_tab_fft_tone_offset[2].table = &qdm2_table[qdm2_vlc_offs[14]]; - vlc_tab_fft_tone_offset[2].table_allocated = qdm2_vlc_offs[15] - qdm2_vlc_offs[14]; - init_vlc (&vlc_tab_fft_tone_offset[2], 8, 32, - vlc_tab_fft_tone_offset_2_huffbits, 1, 1, - vlc_tab_fft_tone_offset_2_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - - vlc_tab_fft_tone_offset[3].table = &qdm2_table[qdm2_vlc_offs[15]]; - vlc_tab_fft_tone_offset[3].table_allocated = qdm2_vlc_offs[16] - qdm2_vlc_offs[15]; - init_vlc (&vlc_tab_fft_tone_offset[3], 8, 35, - vlc_tab_fft_tone_offset_3_huffbits, 1, 1, - vlc_tab_fft_tone_offset_3_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - - vlc_tab_fft_tone_offset[4].table = &qdm2_table[qdm2_vlc_offs[16]]; - 
vlc_tab_fft_tone_offset[4].table_allocated = qdm2_vlc_offs[17] - qdm2_vlc_offs[16]; - init_vlc (&vlc_tab_fft_tone_offset[4], 8, 38, - vlc_tab_fft_tone_offset_4_huffbits, 1, 1, - vlc_tab_fft_tone_offset_4_huffcodes, 2, 2, INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); - - vlcs_initialized=1; - } + vlc_tab_fft_tone_offset[4].table = + &qdm2_table[qdm2_vlc_offs[16]]; + vlc_tab_fft_tone_offset[4].table_allocated = qdm2_vlc_offs[17] - + qdm2_vlc_offs[16]; + init_vlc(&vlc_tab_fft_tone_offset[4], 8, 38, + vlc_tab_fft_tone_offset_4_huffbits, 1, 1, + vlc_tab_fft_tone_offset_4_huffcodes, 2, 2, + INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); } static int qdm2_get_vlc (GetBitContext *gb, VLC *vlc, int flag, int depth) @@ -1652,20 +1681,12 @@ static void qdm2_synthesis_filter (QDM2Context *q, int index) * * @param q context */ -static av_cold void qdm2_init(QDM2Context *q) { - static int initialized = 0; - - if (initialized != 0) - return; - initialized = 1; - +static av_cold void qdm2_init_static_data(AVCodec *codec) { qdm2_init_vlc(); ff_mpa_synth_init_float(ff_mpa_synth_window_float); softclip_table_init(); rnd_table_init(); init_noise_samples(); - - av_log(NULL, AV_LOG_DEBUG, "init done\n"); } @@ -1846,8 +1867,6 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) ff_rdft_init(&s->rdft_ctx, s->fft_order, IDFT_C2R); ff_mpadsp_init(&s->mpadsp); - qdm2_init(s); - avctx->sample_fmt = AV_SAMPLE_FMT_S16; avcodec_get_frame_defaults(&s->frame); 
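Review bot: The doc comment kept above the renamed function still ends with `@param q context`, but `qdm2_init_static_data(AVCodec *codec)` no longer takes a QDM2Context. Replace that line with `@param codec codec being registered (unused)` and state in the description that the function is expected to run once via `.init_static_data`, because the `initialized` guard removed here and `vlcs_initialized` removed from qdm2_init_vlc were what made repeated calls harmless. The start of the comment block is outside the hunk.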
@@ -1963,13 +1982,14 @@ static int qdm2_decode_frame(AVCodecContext *avctx, void *data, AVCodec ff_qdm2_decoder = { - .name = "qdm2", - .type = AVMEDIA_TYPE_AUDIO, - .id = AV_CODEC_ID_QDM2, - .priv_data_size = sizeof(QDM2Context), - .init = qdm2_decode_init, - .close = qdm2_decode_close, - .decode = qdm2_decode_frame, - .capabilities = CODEC_CAP_DR1, - .long_name = NULL_IF_CONFIG_SMALL("QDesign Music Codec 2"), + .name = "qdm2", + .type = AVMEDIA_TYPE_AUDIO, + .id = AV_CODEC_ID_QDM2, + .priv_data_size = sizeof(QDM2Context), + .init = qdm2_decode_init, + .init_static_data = qdm2_init_static_data, + .close = qdm2_decode_close, + .decode = qdm2_decode_frame, + .capabilities = CODEC_CAP_DR1, + .long_name = NULL_IF_CONFIG_SMALL("QDesign Music Codec 2"), }; From 998a0389d307109af43e452441050281a09d540c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 27 Jun 2013 02:49:15 +0200 Subject: [PATCH 0425/1037] qdm2: formatting cosmetics Apply the usual style plus drop few unnecessary return at the end of void functions. (cherry picked from commit 76efedeadb1f6bf79020c44a71dd0cee13d932ad) Signed-off-by: Luca Barbato --- libavcodec/qdm2.c | 391 ++++++++++++++++++++++++---------------------- 1 file changed, 204 insertions(+), 187 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 767368cf91..297ca65bc1 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -219,6 +219,10 @@ static const uint16_t qdm2_vlc_offs[] = { 0,260,566,598,894,1166,1230,1294,1678,1950,2214,2278,2310,2570,2834,3124,3448,3838, }; +static const int switchtable[23] = { + 0, 5, 1, 5, 5, 5, 5, 5, 2, 5, 5, 5, 5, 5, 5, 5, 3, 5, 5, 5, 5, 5, 4 +}; + static av_cold void qdm2_init_vlc(void) { static VLC_TYPE qdm2_table[3838][2]; @@ -362,7 +366,7 @@ static av_cold void qdm2_init_vlc(void) INIT_VLC_USE_NEW_STATIC | INIT_VLC_LE); } -static int qdm2_get_vlc (GetBitContext *gb, VLC *vlc, int flag, int depth) +static int qdm2_get_vlc(GetBitContext *gb, VLC *vlc, int flag, int depth) { int value; 
@@ -370,29 +374,27 @@ static int qdm2_get_vlc (GetBitContext *gb, VLC *vlc, int flag, int depth) /* stage-2, 3 bits exponent escape sequence */ if (value-- == 0) - value = get_bits (gb, get_bits (gb, 3) + 1); + value = get_bits(gb, get_bits(gb, 3) + 1); /* stage-3, optional */ if (flag) { int tmp = vlc_stage3_values[value]; if ((value & ~3) > 0) - tmp += get_bits (gb, (value >> 2)); + tmp += get_bits(gb, (value >> 2)); value = tmp; } return value; } - -static int qdm2_get_se_vlc (VLC *vlc, GetBitContext *gb, int depth) +static int qdm2_get_se_vlc(VLC *vlc, GetBitContext *gb, int depth) { - int value = qdm2_get_vlc (gb, vlc, 0, depth); + int value = qdm2_get_vlc(gb, vlc, 0, depth); return (value & 1) ? ((value + 1) >> 1) : -(value >> 1); } - /** * QDM2 checksum * 
@@ -402,49 +404,50 @@ static int qdm2_get_se_vlc (VLC *vlc, GetBitContext *gb, int depth) * * @return 0 if checksum is OK */ -static uint16_t qdm2_packet_checksum (const uint8_t *data, int length, int value) { +static uint16_t qdm2_packet_checksum(const uint8_t *data, int length, int value) +{ int i; - for (i=0; i < length; i++) + for (i = 0; i < length; i++) value -= data[i]; return (uint16_t)(value & 0xffff); } - /** * Fill a QDM2SubPacket structure with packet type, size, and data pointer. * * @param gb bitreader context * @param sub_packet packet under analysis */ -static void qdm2_decode_sub_packet_header (GetBitContext *gb, QDM2SubPacket *sub_packet) +static void qdm2_decode_sub_packet_header(GetBitContext *gb, + QDM2SubPacket *sub_packet) { - sub_packet->type = get_bits (gb, 8); + sub_packet->type = get_bits(gb, 8); if (sub_packet->type == 0) { sub_packet->size = 0; sub_packet->data = NULL; } else { - sub_packet->size = get_bits (gb, 8); + sub_packet->size = get_bits(gb, 8); - if (sub_packet->type & 0x80) { - sub_packet->size <<= 8; - sub_packet->size |= get_bits (gb, 8); - sub_packet->type &= 0x7f; - } + if (sub_packet->type & 0x80) { + sub_packet->size <<= 8; + sub_packet->size |= get_bits(gb, 8); + sub_packet->type &= 0x7f; + } - if (sub_packet->type == 0x7f) - sub_packet->type |= (get_bits (gb, 8) << 8); + if (sub_packet->type == 0x7f) + sub_packet->type |= (get_bits(gb, 8) << 8); - sub_packet->data = &gb->buffer[get_bits_count(gb) / 8]; // FIXME: this depends on bitreader internal data + // FIXME: this depends on bitreader-internal data + sub_packet->data = &gb->buffer[get_bits_count(gb) / 8]; } - av_log(NULL,AV_LOG_DEBUG,"Subpacket: type=%d size=%d start_offs=%x\n", - sub_packet->type, sub_packet->size, get_bits_count(gb) / 8); + av_log(NULL, AV_LOG_DEBUG, "Subpacket: type=%d size=%d start_offs=%x\n", + sub_packet->type, sub_packet->size, get_bits_count(gb) / 8); } - /** * Return node pointer to first packet of requested type in list. * 
@@ -452,7 +455,8 @@ static void qdm2_decode_sub_packet_header (GetBitContext *gb, QDM2SubPacket *sub * @param type type of searched subpacket * @return node pointer for subpacket if found, else NULL */ -static QDM2SubPNode* qdm2_search_subpacket_type_in_list (QDM2SubPNode *list, int type) +static QDM2SubPNode *qdm2_search_subpacket_type_in_list(QDM2SubPNode *list, + int type) { while (list != NULL && list->packet != NULL) { if (list->packet->type == type) @@ -462,14 +466,13 @@ static QDM2SubPNode* qdm2_search_subpacket_type_in_list (QDM2SubPNode *list, int return NULL; } - /** * Replace 8 elements with their average value. * Called by qdm2_decode_superblock before starting subblock decoding. * * @param q context */ -static void average_quantized_coeffs (QDM2Context *q) +static void average_quantized_coeffs(QDM2Context *q) { int i, j, n, ch, sum; @@ -486,12 +489,11 @@ static void average_quantized_coeffs (QDM2Context *q) if (sum > 0) sum--; - for (j=0; j < 8; j++) + for (j = 0; j < 8; j++) q->quantized_coeffs[ch][i][j] = sum; } } - /** * Build subband samples with noise weighted by q->tone_level. * Called by synthfilt_build_sb_samples. @@ -499,7 +501,7 @@ static void average_quantized_coeffs (QDM2Context *q) * @param q context * @param sb subband index */ -static void build_sb_samples_from_noise (QDM2Context *q, int sb) +static void build_sb_samples_from_noise(QDM2Context *q, int sb) { int ch, j; 
@@ -508,14 +510,16 @@ static void build_sb_samples_from_noise (QDM2Context *q, int sb) if (!q->nb_channels) return; - for (ch = 0; ch < q->nb_channels; ch++) + for (ch = 0; ch < q->nb_channels; ch++) { for (j = 0; j < 64; j++) { - q->sb_samples[ch][j * 2][sb] = SB_DITHERING_NOISE(sb,q->noise_idx) * q->tone_level[ch][sb][j]; - q->sb_samples[ch][j * 2 + 1][sb] = SB_DITHERING_NOISE(sb,q->noise_idx) * q->tone_level[ch][sb][j]; + q->sb_samples[ch][j * 2][sb] = + SB_DITHERING_NOISE(sb, q->noise_idx) * q->tone_level[ch][sb][j]; + q->sb_samples[ch][j * 2 + 1][sb] = + SB_DITHERING_NOISE(sb, q->noise_idx) * q->tone_level[ch][sb][j]; } + } } - /** * Called while processing data from subpackets 11 and 12. * Used after making changes to coding_method array. 
@@ -524,44 +528,62 @@ static void build_sb_samples_from_noise (QDM2Context *q, int sb) * @param channels number of channels * @param coding_method q->coding_method[0][0][0] */ -static void fix_coding_method_array (int sb, int channels, sb_int8_array coding_method) +static void fix_coding_method_array(int sb, int channels, + sb_int8_array coding_method) { - int j,k; + int j, k; int ch; int run, case_val; - static const int switchtable[23] = {0,5,1,5,5,5,5,5,2,5,5,5,5,5,5,5,3,5,5,5,5,5,4}; for (ch = 0; ch < channels; ch++) { for (j = 0; j < 64; ) { - if((coding_method[ch][sb][j] - 8) > 22) { - run = 1; + if ((coding_method[ch][sb][j] - 8) > 22) { + run = 1; case_val = 8; } else { - switch (switchtable[coding_method[ch][sb][j]-8]) { - case 0: run = 10; case_val = 10; break; - case 1: run = 1; case_val = 16; break; - case 2: run = 5; case_val = 24; break; - case 3: run = 3; case_val = 30; break; - case 4: run = 1; case_val = 30; break; - case 5: run = 1; case_val = 8; break; - default: run = 1; case_val = 8; break; + switch (switchtable[coding_method[ch][sb][j] - 8]) { + case 0: run = 10; + case_val = 10; + break; + case 1: run = 1; + case_val = 16; + break; + case 2: run = 5; + case_val = 24; + break; + case 3: run = 3; + case_val = 30; + break; + case 4: run = 1; + case_val = 30; + break; + case 5: run = 1; + case_val = 8; + break; + default: run = 1; + case_val = 8; + break; } } - for (k = 0; k < run; k++) - if (j + k < 128) - if (coding_method[ch][sb + (j + k) / 64][(j + k) % 64] > coding_method[ch][sb][j]) + for (k = 0; k < run; k++) { + if (j + k < 128) { + if (coding_method[ch][sb + (j + k) / 64][(j + k) % 64] > coding_method[ch][sb][j]) { if (k > 0) { - SAMPLES_NEEDED + SAMPLES_NEEDED //not debugged, almost never used - memset(&coding_method[ch][sb][j + k], case_val, k * sizeof(int8_t)); - memset(&coding_method[ch][sb][j + k], case_val, 3 * sizeof(int8_t)); + memset(&coding_method[ch][sb][j + k], case_val, + k *sizeof(int8_t)); + memset(&coding_method[ch][sb][j 
+ k], case_val, + 3 * sizeof(int8_t)); } + } + } + } j += run; } } } - /** * Related to synthesis filter * Called by process_subpacket_10 @@ -569,7 +591,7 @@ static void fix_coding_method_array (int sb, int channels, sb_int8_array coding_ * @param q context * @param flag 1 if called after getting data from subpacket 10, 0 if no subpacket 10 */ -static void fill_tone_level_array (QDM2Context *q, int flag) +static void fill_tone_level_array(QDM2Context *q, int flag) { int i, sb, ch, sb_used; int tmp, tab; @@ -641,16 +663,14 @@ static void fill_tone_level_array (QDM2Context *q, int flag) } } } - - return; } - /** * Related to synthesis filter * Called by process_subpacket_11 * c is built with data from subpacket 11 - * Most of this function is used only if superblock_type_2_3 == 0, never seen it in samples + * Most of this function is used only if superblock_type_2_3 == 0, + * never seen it in samples. * * @param tone_level_idx * @param tone_level_idx_temp @@ -660,9 +680,12 @@ static void fill_tone_level_array (QDM2Context *q, int flag) * @param superblocktype_2_3 flag based on superblock packet type * @param cm_table_select q->cm_table_select */ -static void fill_coding_method_array (sb_int8_array tone_level_idx, sb_int8_array tone_level_idx_temp, - sb_int8_array coding_method, int nb_channels, - int c, int superblocktype_2_3, int cm_table_select) +static void fill_coding_method_array(sb_int8_array tone_level_idx, + sb_int8_array tone_level_idx_temp, + sb_int8_array coding_method, + int nb_channels, + int c, int superblocktype_2_3, + int cm_table_select) { int ch, sb, j; int tmp, acc, esp_40, comp; 
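Review bot: In fix_coding_method_array the lookup `switchtable[coding_method[ch][sb][j] - 8]` is guarded only by `(coding_method[ch][sb][j] - 8) > 22`, so a stored value below 8 would index the 23-entry table at a negative offset. Whether such a value can reach this function is not visible in the hunk. Widening the guard to `if (coding_method[ch][sb][j] < 8 || coding_method[ch][sb][j] - 8 > 22) {` keeps the existing fallback (`run = 1; case_val = 8;`) for that case. Separately, the re-wrapped memset reads `k *sizeof(int8_t)`, which should be `k * sizeof(int8_t)` to match the call below it.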
@@ -768,15 +791,14 @@ static void fill_coding_method_array (sb_int8_array tone_level_idx, sb_int8_arra for (j = 0; j < 64; j++) coding_method[ch][sb][j] = coding_method_table[cm_table_select][sb]; } - - return; } - /** * - * Called by process_subpacket_11 to process more data from subpacket 11 with sb 0-8 - * Called by process_subpacket_12 to process data from subpacket 12 with sb 8-sb_used + * Called by process_subpacket_11 to process more data from subpacket 11 + * with sb 0-8. + * Called by process_subpacket_12 to process data from subpacket 12 with + * sb 8-sb_used. * * @param q context * @param gb bitreader context @@ -784,7 +806,8 @@ static void fill_coding_method_array (sb_int8_array tone_level_idx, sb_int8_arra * @param sb_min lower subband processed (sb_min included) * @param sb_max higher subband processed (sb_max excluded) */ -static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max) +static void synthfilt_build_sb_samples(QDM2Context *q, GetBitContext *gb, + int length, int sb_min, int sb_max) { int sb, j, k, n, ch, run, channels; int joined_stereo, zero_encoding, chs; 
@@ -964,16 +987,18 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l } // subband loop } - /** - * Init the first element of a channel in quantized_coeffs with data from packet 10 (quantized_coeffs[ch][0]). - * This is similar to process_subpacket_9, but for a single channel and for element [0] + * Init the first element of a channel in quantized_coeffs with data + * from packet 10 (quantized_coeffs[ch][0]). + * This is similar to process_subpacket_9, but for a single channel + * and for element [0] * same VLC tables as process_subpacket_9 are used. * * @param quantized_coeffs pointer to quantized_coeffs[ch][0] * @param gb bitreader context */ -static void init_quantized_coeffs_elem0 (int8_t *quantized_coeffs, GetBitContext *gb) +static void init_quantized_coeffs_elem0(int8_t *quantized_coeffs, + GetBitContext *gb) { int i, k, run, level, diff; @@ -1000,11 +1025,11 @@ static void init_quantized_coeffs_elem0 (int8_t *quantized_coeffs, GetBitContext } } - /** * Related to synthesis filter, process data from packet 10 * Init part of quantized_coeffs via function init_quantized_coeffs_elem0 - * Init tone_level_idx_hi1, tone_level_idx_hi2, tone_level_idx_mid with data from packet 10 + * Init tone_level_idx_hi1, tone_level_idx_hi2, tone_level_idx_mid with + * data from packet 10 * * @param q context * @param gb bitreader context 
@@ -1072,29 +1097,29 @@ static void init_tone_level_dequantization (QDM2Context *q, GetBitContext *gb) * @param q context * @param node pointer to node with packet */ -static void process_subpacket_9 (QDM2Context *q, QDM2SubPNode *node) +static void process_subpacket_9(QDM2Context *q, QDM2SubPNode *node) { GetBitContext gb; int i, j, k, n, ch, run, level, diff; - init_get_bits(&gb, node->packet->data, node->packet->size*8); + init_get_bits(&gb, node->packet->data, node->packet->size * 8); - n = coeff_per_sb_for_avg[q->coeff_per_sb_select][QDM2_SB_USED(q->sub_sampling) - 1] + 1; // same as averagesomething function + n = coeff_per_sb_for_avg[q->coeff_per_sb_select][QDM2_SB_USED(q->sub_sampling) - 1] + 1; for (i = 1; i < n; i++) - for (ch=0; ch < q->nb_channels; ch++) { + for (ch = 0; ch < q->nb_channels; ch++) { level = qdm2_get_vlc(&gb, &vlc_tab_level, 0, 2); q->quantized_coeffs[ch][i][0] = level; for (j = 0; j < (8 - 1); ) { - run = qdm2_get_vlc(&gb, &vlc_tab_run, 0, 1) + 1; + run = qdm2_get_vlc(&gb, &vlc_tab_run, 0, 1) + 1; diff = qdm2_get_se_vlc(&vlc_tab_diff, &gb, 2); for (k = 1; k <= run; k++) - q->quantized_coeffs[ch][i][j + k] = (level + ((k*diff) / run)); + q->quantized_coeffs[ch][i][j + k] = (level + ((k * diff) / run)); level += diff; - j += run; + j += run; } } @@ -1103,14 +1128,13 @@ static void process_subpacket_9 (QDM2Context *q, QDM2SubPNode *node) q->quantized_coeffs[ch][0][i] = 0; } - /** * Process subpacket 10 if not null, else * * @param q context * @param node pointer to node with packet */ -static void process_subpacket_10 (QDM2Context *q, QDM2SubPNode *node) +static void process_subpacket_10(QDM2Context *q, QDM2SubPNode *node) { GetBitContext gb; 
@@ -1123,14 +1147,13 @@ static void process_subpacket_10 (QDM2Context *q, QDM2SubPNode *node) } } - /** * Process subpacket 11 * * @param q context * @param node pointer to node with packet */ -static void process_subpacket_11 (QDM2Context *q, QDM2SubPNode *node) +static void process_subpacket_11(QDM2Context *q, QDM2SubPNode *node) { GetBitContext gb; int length = 0; @@ -1141,24 +1164,25 @@ static void process_subpacket_11 (QDM2Context *q, QDM2SubPNode *node) } if (length >= 32) { - int c = get_bits (&gb, 13); + int c = get_bits(&gb, 13); if (c > 3) - fill_coding_method_array (q->tone_level_idx, q->tone_level_idx_temp, q->coding_method, - q->nb_channels, 8*c, q->superblocktype_2_3, q->cm_table_select); + fill_coding_method_array(q->tone_level_idx, + q->tone_level_idx_temp, q->coding_method, + q->nb_channels, 8 * c, + q->superblocktype_2_3, q->cm_table_select); } synthfilt_build_sb_samples(q, &gb, length, 0, 8); } - /** * Process subpacket 12 * * @param q context * @param node pointer to node with packet */ -static void process_subpacket_12 (QDM2Context *q, QDM2SubPNode *node) +static void process_subpacket_12(QDM2Context *q, QDM2SubPNode *node) { GetBitContext gb; int length = 0; @@ -1177,7 +1201,7 @@ static void process_subpacket_12 (QDM2Context *q, QDM2SubPNode *node) * @param q context * @param list list with synthesis filter packets (list D) */ -static void process_synthesis_subpackets (QDM2Context *q, QDM2SubPNode *list) +static void process_synthesis_subpackets(QDM2Context *q, QDM2SubPNode *list) { QDM2SubPNode *nodes[4]; @@ -1204,13 +1228,12 @@ static void process_synthesis_subpackets (QDM2Context *q, QDM2SubPNode *list) process_subpacket_12(q, NULL); } - /* * Decode superblock, fill packet lists. * * @param q context */ -static void qdm2_decode_super_block (QDM2Context *q) +static void qdm2_decode_super_block(QDM2Context *q) { GetBitContext gb; QDM2SubPacket header, *packet; 
@@ -1222,33 +1245,33 @@ static void qdm2_decode_super_block (QDM2Context *q) memset(q->tone_level_idx_hi2, 0, sizeof(q->tone_level_idx_hi2)); q->sub_packets_B = 0; - sub_packets_D = 0; + sub_packets_D = 0; average_quantized_coeffs(q); // average elements in quantized_coeffs[max_ch][10][8] - init_get_bits(&gb, q->compressed_data, q->compressed_size*8); + init_get_bits(&gb, q->compressed_data, q->compressed_size * 8); qdm2_decode_sub_packet_header(&gb, &header); if (header.type < 2 || header.type >= 8) { q->has_errors = 1; - av_log(NULL,AV_LOG_ERROR,"bad superblock type\n"); + av_log(NULL, AV_LOG_ERROR, "bad superblock type\n"); return; } q->superblocktype_2_3 = (header.type == 2 || header.type == 3); - packet_bytes = (q->compressed_size - get_bits_count(&gb) / 8); + packet_bytes = (q->compressed_size - get_bits_count(&gb) / 8); - init_get_bits(&gb, header.data, header.size*8); + init_get_bits(&gb, header.data, header.size * 8); if (header.type == 2 || header.type == 4 || header.type == 5) { - int csum = 257 * get_bits(&gb, 8); - csum += 2 * get_bits(&gb, 8); + int csum = 257 * get_bits(&gb, 8); + csum += 2 * get_bits(&gb, 8); csum = qdm2_packet_checksum(q->compressed_data, q->checksum_size, csum); if (csum != 0) { q->has_errors = 1; - av_log(NULL,AV_LOG_ERROR,"bad packet checksum\n"); + av_log(NULL, AV_LOG_ERROR, "bad packet checksum\n"); return; } } @@ -1274,8 +1297,8 @@ static void qdm2_decode_super_block (QDM2Context *q) q->sub_packet_list_A[i - 1].next = &q->sub_packet_list_A[i]; /* seek to next block */ - init_get_bits(&gb, header.data, header.size*8); - skip_bits(&gb, next_index*8); + init_get_bits(&gb, header.data, header.size * 8); + skip_bits(&gb, next_index * 8); if (next_index >= header.size) break; 
@@ -1284,7 +1307,7 @@ static void qdm2_decode_super_block (QDM2Context *q) /* decode subpacket */ packet = &q->sub_packets[i]; qdm2_decode_sub_packet_header(&gb, packet); - next_index = packet->size + get_bits_count(&gb) / 8; + next_index = packet->size + get_bits_count(&gb) / 8; sub_packet_size = ((packet->size > 0xff) ? 1 : 0) + packet->size + 2; if (packet->type == 0) @@ -1317,13 +1340,13 @@ static void qdm2_decode_super_block (QDM2Context *q) } else if (packet->type == 15) { SAMPLES_NEEDED_2("packet type 15") return; - } else if (packet->type >= 16 && packet->type < 48 && !fft_subpackets[packet->type - 16]) { + } else if (packet->type >= 16 && packet->type < 48 && + !fft_subpackets[packet->type - 16]) { /* packets for FFT */ QDM2_LIST_ADD(q->sub_packet_list_B, q->sub_packets_B, packet); } } // Packet bytes loop -/* **************************************************************** */ if (q->sub_packet_list_D[0].packet != NULL) { process_synthesis_subpackets(q, q->sub_packet_list_D); q->do_synth_filter = 1; 
@@ -1332,49 +1355,48 @@ static void qdm2_decode_super_block (QDM2Context *q) process_subpacket_11(q, NULL); process_subpacket_12(q, NULL); } -/* **************************************************************** */ } - -static void qdm2_fft_init_coefficient (QDM2Context *q, int sub_packet, - int offset, int duration, int channel, - int exp, int phase) +static void qdm2_fft_init_coefficient(QDM2Context *q, int sub_packet, + int offset, int duration, int channel, + int exp, int phase) { if (q->fft_coefs_min_index[duration] < 0) q->fft_coefs_min_index[duration] = q->fft_coefs_index; - q->fft_coefs[q->fft_coefs_index].sub_packet = ((sub_packet >= 16) ? (sub_packet - 16) : sub_packet); + q->fft_coefs[q->fft_coefs_index].sub_packet = + ((sub_packet >= 16) ? (sub_packet - 16) : sub_packet); q->fft_coefs[q->fft_coefs_index].channel = channel; - q->fft_coefs[q->fft_coefs_index].offset = offset; - q->fft_coefs[q->fft_coefs_index].exp = exp; - q->fft_coefs[q->fft_coefs_index].phase = phase; + q->fft_coefs[q->fft_coefs_index].offset = offset; + q->fft_coefs[q->fft_coefs_index].exp = exp; + q->fft_coefs[q->fft_coefs_index].phase = phase; q->fft_coefs_index++; } - -static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext *gb, int b) +static void qdm2_fft_decode_tones(QDM2Context *q, int duration, + GetBitContext *gb, int b) { int channel, stereo, phase, exp; - int local_int_4, local_int_8, stereo_phase, local_int_10; + int local_int_4, local_int_8, stereo_phase, local_int_10; int local_int_14, stereo_exp, local_int_20, local_int_28; int n, offset; - local_int_4 = 0; + local_int_4 = 0; local_int_28 = 0; local_int_20 = 2; - local_int_8 = (4 - duration); + local_int_8 = (4 - duration); local_int_10 = 1 << (q->group_order - duration - 1); - offset = 1; + offset = 1; while (1) { if (q->superblocktype_2_3) { while ((n = qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2)) < 2) { offset = 1; if (n == 0) { - local_int_4 += local_int_10; + local_int_4 += 
local_int_10; local_int_28 += (1 << local_int_8); } else { - local_int_4 += 8*local_int_10; + local_int_4 += 8 * local_int_10; local_int_28 += (8 << local_int_8); } } @@ -1382,7 +1404,7 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * } else { offset += qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2); while (offset >= (local_int_10 - 1)) { - offset += (1 - (local_int_10 - 1)); + offset += (1 - (local_int_10 - 1)); local_int_4 += local_int_10; local_int_28 += (1 << local_int_8); } @@ -1397,22 +1419,22 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * if (q->nb_channels > 1) { channel = get_bits1(gb); - stereo = get_bits1(gb); + stereo = get_bits1(gb); } else { channel = 0; - stereo = 0; + stereo = 0; } - exp = qdm2_get_vlc(gb, (b ? &fft_level_exp_vlc : &fft_level_exp_alt_vlc), 0, 2); + exp = qdm2_get_vlc(gb, (b ? &fft_level_exp_vlc : &fft_level_exp_alt_vlc), 0, 2); exp += q->fft_level_exp[fft_level_index_table[local_int_14]]; - exp = (exp < 0) ? 0 : exp; + exp = (exp < 0) ? 0 : exp; - phase = get_bits(gb, 3); - stereo_exp = 0; + phase = get_bits(gb, 3); + stereo_exp = 0; stereo_phase = 0; if (stereo) { - stereo_exp = (exp - qdm2_get_vlc(gb, &fft_stereo_exp_vlc, 0, 1)); + stereo_exp = (exp - qdm2_get_vlc(gb, &fft_stereo_exp_vlc, 0, 1)); stereo_phase = (phase - qdm2_get_vlc(gb, &fft_stereo_phase_vlc, 0, 1)); if (stereo_phase < 0) stereo_phase += 8; 
@@ -1421,17 +1443,18 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * if (q->frequency_range > (local_int_14 + 1)) { int sub_packet = (local_int_20 + local_int_28); - qdm2_fft_init_coefficient(q, sub_packet, offset, duration, channel, exp, phase); + qdm2_fft_init_coefficient(q, sub_packet, offset, duration, + channel, exp, phase); if (stereo) - qdm2_fft_init_coefficient(q, sub_packet, offset, duration, (1 - channel), stereo_exp, stereo_phase); + qdm2_fft_init_coefficient(q, sub_packet, offset, duration, + 1 - channel, + stereo_exp, stereo_phase); } - offset++; } } - -static void qdm2_decode_fft_packets (QDM2Context *q) +static void qdm2_decode_fft_packets(QDM2Context *q) { int i, j, min, max, value, type, unknown_flag; GetBitContext gb; @@ -1441,18 +1464,18 @@ static void qdm2_decode_fft_packets (QDM2Context *q) /* reset minimum indexes for FFT coefficients */ q->fft_coefs_index = 0; - for (i=0; i < 5; i++) + for (i = 0; i < 5; i++) q->fft_coefs_min_index[i] = -1; /* process subpackets ordered by type, largest type first */ for (i = 0, max = 256; i < q->sub_packets_B; i++) { - QDM2SubPacket *packet= NULL; + QDM2SubPacket *packet = NULL; /* find subpacket with largest type less than max */ for (j = 0, min = 0; j < q->sub_packets_B; j++) { value = q->sub_packet_list_B[j].packet->type; if (value > min && value < max) { - min = value; + min = value; packet = q->sub_packet_list_B[j].packet; } } @@ -1463,11 +1486,13 @@ static void qdm2_decode_fft_packets (QDM2Context *q) if (!packet) return; - if (i == 0 && (packet->type < 16 || packet->type >= 48 || fft_subpackets[packet->type - 16])) + if (i == 0 && + (packet->type < 16 || packet->type >= 48 || + fft_subpackets[packet->type - 16])) return; /* decode FFT tones */ - init_get_bits (&gb, packet->data, packet->size*8); + init_get_bits(&gb, packet->data, packet->size * 8); if (packet->type >= 32 && packet->type < 48 && !fft_subpackets[packet->type - 16]) unknown_flag = 1; 
@@ -1482,13 +1507,13 @@ static void qdm2_decode_fft_packets (QDM2Context *q) if (duration >= 0 && duration < 4) qdm2_fft_decode_tones(q, duration, &gb, unknown_flag); } else if (type == 31) { - for (j=0; j < 4; j++) + for (j = 0; j < 4; j++) qdm2_fft_decode_tones(q, j, &gb, unknown_flag); } else if (type == 46) { - for (j=0; j < 6; j++) + for (j = 0; j < 6; j++) q->fft_level_exp[j] = get_bits(&gb, 6); - for (j=0; j < 4; j++) - qdm2_fft_decode_tones(q, j, &gb, unknown_flag); + for (j = 0; j < 4; j++) + qdm2_fft_decode_tones(q, j, &gb, unknown_flag); } } // Loop on B packets @@ -1503,20 +1528,19 @@ static void qdm2_decode_fft_packets (QDM2Context *q) q->fft_coefs_max_index[j] = q->fft_coefs_index; } - -static void qdm2_fft_generate_tone (QDM2Context *q, FFTTone *tone) +static void qdm2_fft_generate_tone(QDM2Context *q, FFTTone *tone) { - float level, f[6]; - int i; - QDM2Complex c; - const double iscale = 2.0*M_PI / 512.0; + float level, f[6]; + int i; + QDM2Complex c; + const double iscale = 2.0 * M_PI / 512.0; tone->phase += tone->phase_shift; /* calculate current level (maximum amplitude) of tone */ level = fft_tone_envelope_table[tone->duration][tone->time_index] * tone->level; - c.im = level * sin(tone->phase*iscale); - c.re = level * cos(tone->phase*iscale); + c.im = level * sin(tone->phase * iscale); + c.re = level * cos(tone->phase * iscale); /* generate FFT coefficients for tone */ if (tone->duration >= 3 || tone->cutoff >= 3) { 
@@ -1526,30 +1550,31 @@ static void qdm2_fft_generate_tone (QDM2Context *q, FFTTone *tone) tone->complex[1].re -= c.re; } else { f[1] = -tone->table[4]; - f[0] = tone->table[3] - tone->table[0]; - f[2] = 1.0 - tone->table[2] - tone->table[3]; - f[3] = tone->table[1] + tone->table[4] - 1.0; - f[4] = tone->table[0] - tone->table[1]; - f[5] = tone->table[2]; + f[0] = tone->table[3] - tone->table[0]; + f[2] = 1.0 - tone->table[2] - tone->table[3]; + f[3] = tone->table[1] + tone->table[4] - 1.0; + f[4] = tone->table[0] - tone->table[1]; + f[5] = tone->table[2]; for (i = 0; i < 2; i++) { - tone->complex[fft_cutoff_index_table[tone->cutoff][i]].re += c.re * f[i]; - tone->complex[fft_cutoff_index_table[tone->cutoff][i]].im += c.im *((tone->cutoff <= i) ? -f[i] : f[i]); + tone->complex[fft_cutoff_index_table[tone->cutoff][i]].re += + c.re * f[i]; + tone->complex[fft_cutoff_index_table[tone->cutoff][i]].im += + c.im * ((tone->cutoff <= i) ? -f[i] : f[i]); } for (i = 0; i < 4; i++) { - tone->complex[i].re += c.re * f[i+2]; - tone->complex[i].im += c.im * f[i+2]; + tone->complex[i].re += c.re * f[i + 2]; + tone->complex[i].im += c.im * f[i + 2]; } } /* copy the tone if it has not yet died out */ if (++tone->time_index < ((1 << (5 - tone->duration)) - 1)) { - memcpy(&q->fft_tones[q->fft_tone_end], tone, sizeof(FFTTone)); - q->fft_tone_end = (q->fft_tone_end + 1) % 1000; + memcpy(&q->fft_tones[q->fft_tone_end], tone, sizeof(FFTTone)); + q->fft_tone_end = (q->fft_tone_end + 1) % 1000; } } - -static void qdm2_fft_tone_synthesizer (QDM2Context *q, int sub_packet) +static void qdm2_fft_tone_synthesizer(QDM2Context *q, int sub_packet) { int i, j, ch; const double iscale = 0.25 * M_PI; 
@@ -1620,29 +1645,27 @@ static void qdm2_fft_tone_synthesizer (QDM2Context *q, int sub_packet) } } - -static void qdm2_calculate_fft (QDM2Context *q, int channel, int sub_packet) +static void qdm2_calculate_fft(QDM2Context *q, int channel, int sub_packet) { const float gain = (q->channels == 1 && q->nb_channels == 2) ? 0.5f : 1.0f; - float *out = q->output_buffer + channel; + float *out = q->output_buffer + channel; int i; q->fft.complex[channel][0].re *= 2.0f; - q->fft.complex[channel][0].im = 0.0f; + q->fft.complex[channel][0].im = 0.0f; q->rdft_ctx.rdft_calc(&q->rdft_ctx, (FFTSample *)q->fft.complex[channel]); /* add samples to output buffer */ for (i = 0; i < FFALIGN(q->fft_size, 8); i++) { out[0] += q->fft.complex[channel][i].re * gain; out[q->channels] += q->fft.complex[channel][i].im * gain; - out += 2 * q->channels; + out += 2 * q->channels; } } - /** * @param q context * @param index subpacket number */ -static void qdm2_synthesis_filter (QDM2Context *q, int index) +static void qdm2_synthesis_filter(QDM2Context *q, int index) { int i, k, ch, sb_used, sub_sampling, dither_state = 0; @@ -1651,7 +1674,7 @@ static void qdm2_synthesis_filter (QDM2Context *q, int index) for (ch = 0; ch < q->channels; ch++) for (i = 0; i < 8; i++) - for (k=sb_used; k < SBLIMIT; k++) + for (k = sb_used; k < SBLIMIT; k++) q->sb_samples[ch][(8 * index) + i][k] = 0; for (ch = 0; ch < q->nb_channels; ch++) { @@ -1659,10 +1682,10 @@ static void qdm2_synthesis_filter (QDM2Context *q, int index) for (i = 0; i < 8; i++) { ff_mpa_synth_filter_float(&q->mpadsp, - q->synth_buf[ch], &(q->synth_buf_offset[ch]), - ff_mpa_synth_window_float, &dither_state, - samples_ptr, q->nb_channels, - q->sb_samples[ch][(8 * index) + i]); + q->synth_buf[ch], &(q->synth_buf_offset[ch]), + ff_mpa_synth_window_float, &dither_state, + samples_ptr, q->nb_channels, + q->sb_samples[ch][(8 * index) + i]); samples_ptr += 32 * q->nb_channels; } } 
@@ -1675,7 +1698,6 @@ static void qdm2_synthesis_filter (QDM2Context *q, int index) q->output_buffer[q->channels * i + ch] += (1 << 23) * q->samples[q->nb_channels * sub_sampling * i + ch]; } - /** * Init static data (does not depend on specific file) * @@ -1689,7 +1711,6 @@ static av_cold void qdm2_init_static_data(AVCodec *codec) { init_noise_samples(); } - /** * Init parameters from codec extradata */ @@ -1739,7 +1760,7 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) return -1; } - extradata = avctx->extradata; + extradata = avctx->extradata; extradata_size = avctx->extradata_size; while (extradata_size > 7) { @@ -1875,7 +1896,6 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) return 0; } - static av_cold int qdm2_decode_close(AVCodecContext *avctx) { QDM2Context *s = avctx->priv_data; @@ -1885,8 +1905,7 @@ static av_cold int qdm2_decode_close(AVCodecContext *avctx) return 0; } - -static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) +static int qdm2_decode(QDM2Context *q, const uint8_t *in, int16_t *out) { int ch, i; const int frame_size = (q->frame_size * q->channels); @@ -1945,7 +1964,6 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) return 0; } - static int qdm2_decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, AVPacket *avpkt) { @@ -1980,8 +1998,7 @@ static int qdm2_decode_frame(AVCodecContext *avctx, void *data, return s->checksum_size; } -AVCodec ff_qdm2_decoder = -{ +AVCodec ff_qdm2_decoder = { .name = "qdm2", .type = AVMEDIA_TYPE_AUDIO, .id = AV_CODEC_ID_QDM2, From 64bcb5d35013a4a41969b124a3dcf9a21aef9346 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Thu, 27 Jun 2013 02:50:52 +0200 Subject: [PATCH 0426/1037] qdm2: check and reset dithering index per channel Checking per subband would have the index exceed the dithering noise table size. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 744a11c996641888d477a3981d609e79eeb69ea9) Signed-off-by: Luca Barbato --- libavcodec/qdm2.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 297ca65bc1..697f852c12 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -825,8 +825,6 @@ static void synthfilt_build_sb_samples(QDM2Context *q, GetBitContext *gb, } for (sb = sb_min; sb < sb_max; sb++) { - FIX_NOISE_IDX(q->noise_idx); - channels = q->nb_channels; if (q->nb_channels <= 1 || sb < 12) @@ -850,6 +848,7 @@ static void synthfilt_build_sb_samples(QDM2Context *q, GetBitContext *gb, } for (ch = 0; ch < channels; ch++) { + FIX_NOISE_IDX(q->noise_idx); zero_encoding = (get_bits_left(gb) >= 1) ? get_bits1(gb) : 0; type34_predictor = 0.0; type34_first = 1; From 8f3fe7c696866c965ebc4444aaa5487bb1cd53f1 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 9 Jul 2013 01:03:13 +0200 Subject: [PATCH 0427/1037] atrac3: fix error handling decode_tonal_components returns a proper AVERROR. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 874c8a17ac9b04fb7ac23d003e54e3662dd23b4e) Signed-off-by: Luca Barbato --- libavcodec/atrac3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 910c15e473..632cc37a0b 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c 
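Review bot: In synthfilt_build_sb_samples (patch 0426) nothing near the moved `FIX_NOISE_IDX(q->noise_idx);` states the bound it is meant to keep, and the code that advances the index lies outside both hunks. The commit message says the per-subband check let the index exceed the dithering noise table, so the per-channel placement presumably relies on one channel pass consuming fewer entries than the macro leaves free. A comment above the call, for example `/* reset per channel: one channel pass must not advance noise_idx past the noise table */`, would let a reader verify that. build_sb_samples_from_noise also reads through `SB_DITHERING_NOISE(sb, q->noise_idx)` and deserves the same check; its reset, if any, is not visible here.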
@@ -664,8 +664,8 @@ static int decode_channel_sound_unit(ATRAC3Context *q, GetBitContext *gb, snd->num_components = decode_tonal_components(gb, snd->components, snd->bands_coded); - if (snd->num_components == -1) - return -1; + if (snd->num_components < 0) + return snd->num_components; num_subbands = decode_spectrum(gb, snd->spectrum); From 67a8a1c20242de9481ca491aa0bbbfad9c8b6565 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 9 Jul 2013 04:20:23 +0200 Subject: [PATCH 0428/1037] atrac3: set the getbits context the right buffer_end Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 22e76ec635bafdd1d1ec35581a7ac09e69e3c43e) Signed-off-by: Luca Barbato --- libavcodec/atrac3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 632cc37a0b..b2052f7aa9 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -742,7 +742,7 @@ static int decode_frame(AVCodecContext *avctx, const uint8_t *databuf, /* set the bitstream reader at the start of the second Sound Unit*/ - init_get_bits(&q->gb, ptr1, avctx->block_align * 8); + init_get_bits(&q->gb, ptr1, (avctx->block_align - i) * 8); /* Fill the Weighting coeffs delay buffer */ memmove(q->weighting_delay, &q->weighting_delay[2], From aa99cb15f6e4032efc1ade53f832a8788bdc758b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 9 Jul 2013 04:44:26 +0200 Subject: [PATCH 0429/1037] atrac3: Error on impossible encoding/channel combinations Joint stereo encoded mono is impossible. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 50cf5a7fb78846fc39b3ecdaa896a10bcd74da2a) Signed-off-by: Luca Barbato --- libavcodec/atrac3.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index b2052f7aa9..68ce2475b6 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c 
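Review bot: In decode_channel_sound_unit (patch 0427) the negative error code is still stored in `snd->num_components` before the new `< 0` test returns it, so the sound unit keeps a negative component count after a failed frame. Going through a local avoids that: `ret = decode_tonal_components(gb, snd->components, snd->bands_coded);`, then `if (ret < 0) return ret;`, then `snd->num_components = ret;`, with an `int ret` declared if the function lacks one. Whether anything reads the field again after an error cannot be seen, because the function body starts and ends outside the hunk.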
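Review bot: In decode_frame (patch 0428) the new size `(avctx->block_align - i) * 8` passed to `init_get_bits` is non-negative only if `i` never exceeds `avctx->block_align`, and the code that sets `i` and advances `ptr1` is outside the hunk. If that bound is not already enforced where `i` is computed, a guard such as `if (i >= avctx->block_align) return AVERROR_INVALIDDATA;` is needed before this call. If it is enforced, a short comment here saying what `i` counts would make the subtraction checkable without reading the whole function.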
@@ -941,9 +941,11 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) if (q->coding_mode == STEREO) av_log(avctx, AV_LOG_DEBUG, "Normal stereo detected.\n"); - else if (q->coding_mode == JOINT_STEREO) + else if (q->coding_mode == JOINT_STEREO) { + if (avctx->channels != 2) + return AVERROR_INVALIDDATA; av_log(avctx, AV_LOG_DEBUG, "Joint stereo detected.\n"); - else { + } else { av_log(avctx, AV_LOG_ERROR, "Unknown channel coding mode %x!\n", q->coding_mode); return AVERROR_INVALIDDATA; From 6d2a92c4678616fe342be0b606343ae3ade83641 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 9 Jul 2013 09:18:16 +0200 Subject: [PATCH 0430/1037] imc: Catch a division by zero Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bbf6a4aa20bfe3d7869b2218e66063602dfb8aa7) Signed-off-by: Luca Barbato --- libavcodec/imc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index 5cff70fcb4..316dd77462 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -450,6 +450,10 @@ static int bit_allocation(IMCContext *q, IMCChannel *chctx, iacc += chctx->bandWidthT[i]; summa += chctx->bandWidthT[i] * chctx->flcoeffs4[i]; } + + if (!iacc) + return AVERROR_INVALIDDATA; + chctx->bandWidthT[BANDS - 1] = 0; summa = (summa * 0.5 - freebits) / iacc; From c02d4c1a98aef485be25228b33adb4ce357173e4 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 7 Jul 2013 12:56:12 +0200 Subject: [PATCH 0431/1037] adpcm: Write the correct number of samples for ima-dk4 Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 12576afe206d35231ccd61f9033c5fdab6a11e80) Signed-off-by: Luca Barbato --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 3b0eb8b9d0..df6b9d300f 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c 
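Review bot: In atrac3_decode_init (patch 0429) the new `if (avctx->channels != 2) return AVERROR_INVALIDDATA;` rejects the stream without a log line, while the unknown-coding-mode branch next to it logs at AV_LOG_ERROR before returning the same code. Writing it as `if (avctx->channels != 2) { av_log(avctx, AV_LOG_ERROR, "Joint stereo requires two channels.\n"); return AVERROR_INVALIDDATA; }` keeps the two rejections distinguishable in logs. The `STEREO` branch above has no channel-count check in this hunk; whether one exists earlier in the function is not visible.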
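Review bot: In bit_allocation (patch 0430) the new `if (!iacc) return AVERROR_INVALIDDATA;` has no comment, and what it protects is a few lines below in `summa = (summa * 0.5 - freebits) / iacc;`. A one-line comment such as `/* iacc is the divisor below; it is zero when the bandWidthT[] values summed above add up to zero */` would tie the check to the division. Callers also have to act on the new error return; they are outside the hunk, so that could not be confirmed here.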
@@ -773,7 +773,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } } - for (n = nb_samples >> (1 - st); n > 0; n--) { + for (n = (nb_samples >> (1 - st)) - 1; n > 0; n--) { int v = bytestream2_get_byteu(&gb); *samples++ = adpcm_ima_expand_nibble(&c->status[0 ], v >> 4 , 3); *samples++ = adpcm_ima_expand_nibble(&c->status[st], v & 0x0F, 3); From 160910acdb4d1eeffe8a12750ece93fa88fe0469 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 9 Jul 2013 14:44:02 +0200 Subject: [PATCH 0432/1037] qdm2: refactor joined stereo support qdm2 does support only two channels. Loop over the run once. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit adadc3f2443d25b375e21e801516ccfd78e0b080) Signed-off-by: Luca Barbato --- libavcodec/qdm2.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 697f852c12..490668432b 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -810,7 +810,7 @@ static void synthfilt_build_sb_samples(QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max) { int sb, j, k, n, ch, run, channels; - int joined_stereo, zero_encoding, chs; + int joined_stereo, zero_encoding; int type34_first; float type34_div = 0; float type34_predictor; 
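Review bot: The `- 1` added to the loop count in the ima-dk4 branch is unexplained, and the loop body still reads with the unchecked `bytestream2_get_byteu`. Presumably one sample per channel has already been written from the block header before this loop. A comment saying so, e.g. `/* the first sample of each channel was taken from the block header */`, would record why the count is reduced. Because the reads are unchecked, the count has to stay consistent with whatever validated `nb_samples` against the packet size, and that validation is outside this hunk.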
@@ -964,16 +964,18 @@ static void synthfilt_build_sb_samples(QDM2Context *q, GetBitContext *gb, } if (joined_stereo) { - float tmp[10][MPA_MAX_CHANNELS]; - - for (k = 0; k < run; k++) { - tmp[k][0] = samples[k]; - tmp[k][1] = (sign_bits[(j + k) / 8]) ? -samples[k] : samples[k]; + for (k = 0; k < run && j + k < 128; k++) { + q->sb_samples[0][j + k][sb] = + q->tone_level[0][sb][(j + k) / 2] * samples[k]; + if (q->nb_channels == 2) { + if (sign_bits[(j + k) / 8]) + q->sb_samples[1][j + k][sb] = + q->tone_level[1][sb][(j + k) / 2] * -samples[k]; + else + q->sb_samples[1][j + k][sb] = + q->tone_level[1][sb][(j + k) / 2] * samples[k]; + } } - for (chs = 0; chs < q->nb_channels; chs++) - for (k = 0; k < run; k++) - if ((j + k) < 128) - q->sb_samples[chs][j + k][sb] = q->tone_level[chs][sb][((j + k)/2)] * tmp[k][chs]; } else { for (k = 0; k < run; k++) if ((j + k) < 128) From 9f1c3cd5ad07812a70c7a21c4b5f2d6367e02a35 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 9 Jul 2013 14:59:33 +0200 Subject: [PATCH 0433/1037] qdm2: Conceal broken samples Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 4ecdb5ed44591aba8a0ddb7d443cace836f761f6) Signed-off-by: Luca Barbato --- libavcodec/qdm2.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 490668432b..99775d2c72 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -528,8 +528,8 @@ static void build_sb_samples_from_noise(QDM2Context *q, int sb) * @param channels number of channels * @param coding_method q->coding_method[0][0][0] */ -static void fix_coding_method_array(int sb, int channels, - sb_int8_array coding_method) +static int fix_coding_method_array(int sb, int channels, + sb_int8_array coding_method) { int j, k; int ch; 
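Review bot: In the rewritten joined-stereo loop the two `q->sb_samples[1][j + k][sb]` assignments differ only in the sign of `samples[k]`, so the if/else duplicates the whole index expression. Folding the sign into a local keeps a single store: `float s1 = sign_bits[(j + k) / 8] ? -samples[k] : samples[k];` followed by `q->sb_samples[1][j + k][sb] = q->tone_level[1][sb][(j + k) / 2] * s1;`. The `q->nb_channels == 2` test does not change inside the loop and could be hoisted out of it. synthfilt_build_sb_samples starts and ends outside the hunk.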
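Review bot: fix_coding_method_array now returns `int`, but the doc comment directly above the signature still lists only `@param` entries. Add a line such as `* @return 0 on success, -1 if a coding method below 8 is encountered`, in the same way the wmavoice patch in this series adds `@return` to aw_pulse_set2. The function body continues outside this hunk.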
@@ -537,6 +537,8 @@ static void fix_coding_method_array(int sb, int channels, for (ch = 0; ch < channels; ch++) { for (j = 0; j < 64; ) { + if (coding_method[ch][sb][j] < 8) + return -1; if ((coding_method[ch][sb][j] - 8) > 22) { run = 1; case_val = 8; @@ -582,6 +584,7 @@ static void fix_coding_method_array(int sb, int channels, j += run; } } + return 0; } /** @@ -843,7 +846,11 @@ static void synthfilt_build_sb_samples(QDM2Context *q, GetBitContext *gb, if (q->coding_method[1][sb][j] > q->coding_method[0][sb][j]) q->coding_method[0][sb][j] = q->coding_method[1][sb][j]; - fix_coding_method_array(sb, q->nb_channels, q->coding_method); + if (fix_coding_method_array(sb, q->nb_channels, + q->coding_method)) { + build_sb_samples_from_noise(q, sb); + continue; + } channels = 1; } From c4e2758eecbcc73621a478b71d29a4b2397ca727 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 29 Jun 2013 07:26:48 +0200 Subject: [PATCH 0434/1037] iff: Do not read over the source buffer Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 7d65e960c72f36b73ae7fe84f8e427d758e61da9) Signed-off-by: Luca Barbato --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 99da7b5d61..b7a7bb3d51 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -272,7 +272,7 @@ static int decode_frame_ilbm(AVCodecContext *avctx, if (avctx->codec_tag == MKTAG('I','L','B','M')) { // interleaved if (avctx->pix_fmt == AV_PIX_FMT_PAL8 || avctx->pix_fmt == AV_PIX_FMT_GRAY8) { - for(y = 0; y < avctx->height; y++ ) { + for (y = 0; y < avctx->height && buf < buf_end; y++ ) { uint8_t *row = &s->frame.data[0][ y*s->frame.linesize[0] ]; memset(row, 0, avctx->width); for (plane = 0; plane < avctx->bits_per_coded_sample && buf < buf_end; plane++) { From d6a65735f96b9aa94feedbc1f141b8cf7963bc91 Mon Sep 17 00:00:00 2001 
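Review bot: With `buf < buf_end` added to the outer loop condition in decode_frame_ilbm, rows after the point where the input runs out are never visited, and the `memset(row, 0, avctx->width)` that clears each row sits inside that loop. Unless the frame buffer is cleared elsewhere in the function (not visible in this hunk), a truncated packet leaves those rows holding whatever the buffer contained before, which can hand stale image data to the caller. Clearing the remaining rows after the loop, or returning AVERROR_INVALIDDATA when `y < avctx->height` at loop exit, would make the truncated case explicit. Only the PAL8/GRAY8 ILBM branch is shown; the other branches of the function are outside the hunk.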
From: Luca Barbato Date: Sat, 29 Jun 2013 05:29:54 +0200 Subject: [PATCH 0435/1037] wmavoice: conceal clearly corrupted blocks Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit d14a26edb7c4487df581f11e5c6911dc0e623d08) Signed-off-by: Luca Barbato --- libavcodec/wmavoice.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 08d0600200..e0b7f5b528 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1050,9 +1050,10 @@ static void aw_parse_coords(WMAVoiceContext *s, GetBitContext *gb, * @param gb bit I/O context * @param block_idx block index in frame [0, 1] * @param fcb structure containing fixed codebook vector info + * @return -1 on error, 0 otherwise */ -static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, - int block_idx, AMRFixed *fcb) +static int aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, + int block_idx, AMRFixed *fcb) { uint16_t use_mask_mem[9]; // only 5 are used, rest is padding uint16_t *use_mask = use_mask_mem + 2; @@ -1114,7 +1115,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, else if (use_mask[2]) idx = 0x2F; else if (use_mask[3]) idx = 0x3F; else if (use_mask[4]) idx = 0x4F; - else return; + else return -1; idx -= av_log2_16bit(use_mask[idx >> 4]); } if (use_mask[idx >> 4] & (0x8000 >> (idx & 15))) { @@ -1131,6 +1132,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, /* set offset for next block, relative to start of that block */ n = (MAX_FRAMESIZE / 2 - start_off) % fcb->pitch_lag; s->aw_next_pulse_off_cache = n ? fcb->pitch_lag - n : 0; + return 0; } /** 
@@ -1293,7 +1295,18 @@ static void synth_block_fcb_acb(WMAVoiceContext *s, GetBitContext *gb, * (fixed) codebook pulses of the speech signal. */ if (frame_desc->fcb_type == FCB_TYPE_AW_PULSES) { aw_pulse_set1(s, gb, block_idx, &fcb); - aw_pulse_set2(s, gb, block_idx, &fcb); + if (aw_pulse_set2(s, gb, block_idx, &fcb)) { + /* Conceal the block with silence and return. + * Skip the correct amount of bits to read the next + * block from the correct offset. */ + int r_idx = pRNG(s->frame_cntr, block_idx, size); + + for (n = 0; n < size; n++) + excitation[n] = + wmavoice_std_codebook[r_idx + n] * s->silence_gain; + skip_bits(gb, 7 + 1); + return; + } } else /* FCB_TYPE_EXC_PULSES */ { int offset_nbits = 5 - frame_desc->log_n_blocks; From 64867f3cb507b4f309d9e444ba9ddb66bd6b32e2 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 29 Jun 2013 06:37:32 +0200 Subject: [PATCH 0436/1037] pcx: Do not overread source buffer in pcx_rle_decode Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22) Signed-off-by: Luca Barbato --- libavcodec/pcx.c | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index 1bd861215e..ba3703a712 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -44,16 +44,19 @@ static av_cold int pcx_init(AVCodecContext *avctx) { /** * @return advanced src pointer */ -static const uint8_t *pcx_rle_decode(const uint8_t *src, uint8_t *dst, - unsigned int bytes_per_scanline, int compressed) { +static const uint8_t *pcx_rle_decode(const uint8_t *src, + const uint8_t *end, + uint8_t *dst, + unsigned int bytes_per_scanline, + int compressed) { unsigned int i = 0; unsigned char run, value; if (compressed) { - while (i= 0xc0) { + if (value >= 0xc0 && src < end) { run = value & 0x3f; value = *src++; } 
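Review bot: `skip_bits(gb, 7 + 1)` in the new concealment path of synth_block_fcb_acb hard-codes the size of the fields the normal path would have read, so the two can drift apart if the parsing further down changes. The comment says the skip keeps the next block aligned but not which fields the 7 and the 1 stand for. Naming them in the comment, or using constants shared with the code that reads them, would make that checkable. The early `return` also bypasses the rest of the function, which lies outside the hunk, so any per-block state updated there is skipped for concealed blocks.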
@@ -88,6 +91,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, unsigned int w, h, bits_per_pixel, bytes_per_line, nplanes, stride, y, x, bytes_per_scanline; uint8_t *ptr; + const uint8_t *buf_end = buf + buf_size; uint8_t const *bufstart = buf; uint8_t *scanline; int ret = -1; @@ -116,7 +120,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, nplanes = buf[65]; bytes_per_scanline = nplanes * bytes_per_line; - if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8) { + if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8 || + (!compressed && bytes_per_scanline > buf_size / h)) { av_log(avctx, AV_LOG_ERROR, "PCX data is corrupted\n"); return -1; } @@ -164,7 +169,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (nplanes == 3 && bits_per_pixel == 8) { for (y=0; y> (x&7), v = 0; From cbc12124999b633a02f25bc6f6fa895a7cf656da Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 10 Jul 2013 04:35:34 +0200 Subject: [PATCH 0437/1037] mlpdec: Do not set invalid context in read_restart_header The faulty values rippled further down the codepath causing a hard-to-track segfault in the assembly code. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e9d394f3fad7e8fd8fc80e3b33cb045bbaceb446) Signed-off-by: Luca Barbato Conflicts: libavcodec/mlpdec.c --- libavcodec/mlpdec.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 0eaf2e39e5..d999495f40 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c 
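Review bot: The new uncompressed-data bound `bytes_per_scanline > buf_size / h` in pcx_decode_frame compares against the size of the whole packet, while `nplanes = buf[65]` just above shows that `buf` still points at the header at this point. If the scanlines start after the header, the check accepts images whose pixel data would end past `buf_end` by up to the header length. Comparing against the bytes that remain after the header would close that gap. The division also relies on `h` being non-zero, which is established outside this hunk.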
@@ -392,9 +392,10 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, uint8_t checksum; uint8_t lossless_check; int start_count = get_bits_count(gbp); - const int max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP - ? MAX_MATRIX_CHANNEL_MLP - : MAX_MATRIX_CHANNEL_TRUEHD; + int min_channel, max_channel, max_matrix_channel; + const int std_max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP + ? MAX_MATRIX_CHANNEL_MLP + : MAX_MATRIX_CHANNEL_TRUEHD; sync_word = get_bits(gbp, 13); @@ -413,18 +414,18 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, skip_bits(gbp, 16); /* Output timestamp */ - s->min_channel = get_bits(gbp, 4); - s->max_channel = get_bits(gbp, 4); - s->max_matrix_channel = get_bits(gbp, 4); + min_channel = get_bits(gbp, 4); + max_channel = get_bits(gbp, 4); + max_matrix_channel = get_bits(gbp, 4); - if (s->max_matrix_channel > max_matrix_channel) { + if (max_matrix_channel > std_max_matrix_channel) { av_log(m->avctx, AV_LOG_ERROR, "Max matrix channel cannot be greater than %d.\n", max_matrix_channel); return AVERROR_INVALIDDATA; } - if (s->max_channel != s->max_matrix_channel) { + if (max_channel != max_matrix_channel) { av_log(m->avctx, AV_LOG_ERROR, "Max channel must be equal max matrix channel.\n"); return AVERROR_INVALIDDATA; 
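Review bot: After the rename in read_restart_header, the error message `"Max matrix channel cannot be greater than %d.\n"` is still passed `max_matrix_channel`, which is now the value just parsed from the bitstream rather than the codec limit. The argument should be the limit: `"Max matrix channel cannot be greater than %d.\n", std_max_matrix_channel);`. As written, the log reports the offending value as if it were the maximum. The function continues outside the hunk.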
@@ -439,15 +440,20 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, return AVERROR_PATCHWELCOME; } - if (s->min_channel > s->max_channel) { + if (min_channel > max_channel) { av_log(m->avctx, AV_LOG_ERROR, "Substream min channel cannot be greater than max channel.\n"); return AVERROR_INVALIDDATA; } - if (m->avctx->request_channels > 0 - && s->max_channel + 1 >= m->avctx->request_channels - && substr < m->max_decoded_substream) { + + s->min_channel = min_channel; + s->max_channel = max_channel; + s->max_matrix_channel = max_matrix_channel; + + if (m->avctx->request_channels > 0 && + m->avctx->request_channels <= s->max_channel + 1 && + m->max_decoded_substream > substr) { av_log(m->avctx, AV_LOG_DEBUG, "Extracting %d channel downmix from substream %d. " "Further substreams will be skipped.\n", From 5e46ad33eb2d752a3eb90f9400a1a5b3632f57e5 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 10 Jul 2013 04:54:49 +0200 Subject: [PATCH 0438/1037] pcm: always use codec->id instead of codec_id Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c82da343e635663605bd81c59d872bee3182da73) Signed-off-by: Luca Barbato --- libavcodec/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index d6899cf52d..5cc989b239 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -268,7 +268,7 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, /* av_get_bits_per_sample returns 0 for AV_CODEC_ID_PCM_DVD */ samples_per_block = 1; - if (AV_CODEC_ID_PCM_DVD == avctx->codec_id) { + if (avctx->codec->id == AV_CODEC_ID_PCM_DVD) { if (avctx->bits_per_coded_sample != 20 && avctx->bits_per_coded_sample != 24) { av_log(avctx, AV_LOG_ERROR, "PCM DVD unsupported sample depth\n"); From 423ce8830e48f4dc2b9e19379c1d0c7e23705972 Mon Sep 17 00:00:00 2001 
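Review bot: The switch from `avctx->codec_id` to `avctx->codec->id` in pcm_decode_frame is not explained at the site, and the two fields look interchangeable to a later reader. A comment such as `/* use the id of the opened decoder; avctx->codec_id may not match it */` would keep the comparison from being changed back. That wording assumes a mismatch between the two is the reason for the change, which the commit message does not state. The commit title says "always" but this hunk touches one comparison, so any other uses in pcm.c are outside what is shown.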
From: Luca Barbato Date: Wed, 10 Jul 2013 18:07:45 +0200 Subject: [PATCH 0439/1037] dca: Error out on missing DSYNC Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f261e508459e28beca59868a878e1519a44bb678) Signed-off-by: Luca Barbato --- libavcodec/dcadec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index f26111a387..a2d9964305 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -1258,6 +1258,7 @@ static int dca_subsubframe(DCAContext *s, int base_channel, int block_index) #endif } else { av_log(s->avctx, AV_LOG_ERROR, "Didn't get subframe DSYNC\n"); + return AVERROR_INVALIDDATA; } } From c03533ace27c9553cf716bb7a8336d258b4c2018 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 10 Jul 2013 19:00:15 +0200 Subject: [PATCH 0440/1037] dca: Respect the current limits in the downmixing capabilities Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3802833bc1f79775a1547c5e427fed6e92b77e53) Signed-off-by: Luca Barbato --- libavcodec/dcadec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index a2d9964305..561c30c003 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -809,6 +809,12 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index) "Invalid channel mode %d\n", am); return AVERROR_INVALIDDATA; } + if (s->prim_channels > FF_ARRAY_ELEMS(dca_default_coeffs[0])) { + av_log_ask_for_sample(s->avctx, "Downmixing %d channels", + s->prim_channels); + return AVERROR_PATCHWELCOME; + } + for (j = base_channel; j < s->prim_channels; j++) { s->downmix_coef[j][0] = dca_default_coeffs[am][j][0]; s->downmix_coef[j][1] = dca_default_coeffs[am][j][1]; From 96f9b184972a6d0bcb954fd6a60f7dea69765631 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 11 Jul 2013 16:30:18 +0300 Subject: [PATCH 0441/1037] ac3dec: Increment channel pointers only once per channel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the channel mapping map multiple output channels to one input channel, we should only increment the actual pointer once. Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 68e57cde68f3da4c557ca15491fda74d1ea6321e) Signed-off-by: Luca Barbato --- libavcodec/ac3dec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 0d1ba89de5..6fb7b0b3ab 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1393,10 +1393,10 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, if (err) for (ch = 0; ch < s->out_channels; ch++) memcpy(s->outptr[channel_map[ch]], output[ch], 1024); - for (ch = 0; ch < s->out_channels; ch++) { + for (ch = 0; ch < s->out_channels; ch++) output[ch] = s->outptr[channel_map[ch]]; - s->outptr[channel_map[ch]] += AC3_BLOCK_SIZE; - } + for (ch = 0; ch < s->channels; ch++) + s->outptr[ch] += AC3_BLOCK_SIZE; } /* keep last block for error concealment in next frame */ From 99d82a07e7dc481ac66dac6e7280ae859f03e14a Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 14:32:03 +0200 Subject: [PATCH 0442/1037] indeo4: Do not access missing reference MV Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8435bca087c0e79385763c51de009fd89390b6a5) Signed-off-by: Luca Barbato --- libavcodec/indeo4.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 2eebc26513..b2dd7e8b84 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c 
@@ -457,7 +457,7 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, } mb->mv_x = mb->mv_y = 0; /* no motion vector coded */ - if (band->inherit_mv) { + if (band->inherit_mv && ref_mb) { /* motion vector inheritance */ if (mv_scale) { mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale); @@ -469,7 +469,10 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, } } else { if (band->inherit_mv) { - mb->type = ref_mb->type; /* copy mb_type from corresponding reference mb */ + /* copy mb_type from corresponding reference mb */ + if (!ref_mb) + return AVERROR_INVALIDDATA; + mb->type = ref_mb->type; } else if (ctx->frame_type == FRAMETYPE_INTRA || ctx->frame_type == FRAMETYPE_INTRA1) { mb->type = 0; /* mb_type is always INTRA for intra-frames */ @@ -493,14 +496,15 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, mb->mv_x = mb->mv_y = 0; /* there is no motion vector in intra-macroblocks */ } else { if (band->inherit_mv) { - /* motion vector inheritance */ - if (mv_scale) { - mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale); - mb->mv_y = ivi_scale_mv(ref_mb->mv_y, mv_scale); - } else { - mb->mv_x = ref_mb->mv_x; - mb->mv_y = ref_mb->mv_y; - } + if (ref_mb) + /* motion vector inheritance */ + if (mv_scale) { + mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale); + mb->mv_y = ivi_scale_mv(ref_mb->mv_y, mv_scale); + } else { + mb->mv_x = ref_mb->mv_x; + mb->mv_y = ref_mb->mv_y; + } } else { /* decode motion vector deltas */ mv_delta = get_vlc2(&ctx->gb, ctx->mb_vlc.tab->table, From be71990da6bdf13f35d1b0193e109f6de07908bf Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 15:02:33 +0200 Subject: [PATCH 0443/1037] indeo4: Check the quantization matrix index Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 6255ccf7d51c82ab79bf0cd47a921f572dda4489) Signed-off-by: Luca Barbato --- libavcodec/indeo4.c | 5 +++++ 1 file changed, 5 insertions(+) 
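Review bot: In the last changed block of decode_mb_info, `if (ref_mb)` is added without braces around a nested `if (mv_scale) { … } else { … }`, with only a comment line between the two. The `else` binds to the inner `if` today, but the shape invites a dangling-else mistake on the next edit; write `if (ref_mb) {` … `}` around the inherited-vector code. If this path can be reached with `ref_mb` NULL (the `!ref_mb` return added for the `mb->type` copy may already exclude it), `mb->mv_x` and `mb->mv_y` are left unassigned here. Zeroing them or returning AVERROR_INVALIDDATA would make this case consistent with the other two.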
diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index b2dd7e8b84..0f32ab966a 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -360,6 +360,11 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, av_log(avctx, AV_LOG_ERROR, "Custom quant matrix encountered!\n"); return AVERROR_INVALIDDATA; } + if (band->quant_mat >= FF_ARRAY_ELEMS(quant_index_to_tab)) { + av_log_ask_for_sample(avctx, "Quantization matrix %d", + band->quant_mat); + return AVERROR_INVALIDDATA; + } } /* decode block huffman codebook */ From 4ec5c35850c9ecef57799a5a0fae00166ffe6e70 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 18:10:05 +0200 Subject: [PATCH 0444/1037] indeo4: Validate scantable dimension Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit cd78e934c246d1b2510f8fba0abfe40bb75795f6) Signed-off-by: Luca Barbato --- libavcodec/indeo4.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 0f32ab966a..8d00e7fd99 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -353,6 +353,12 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, av_log(avctx, AV_LOG_ERROR, "Custom scan pattern encountered!\n"); return AVERROR_INVALIDDATA; } + if (scan_indx > 4 && scan_indx < 10) { + if (band->blk_size != 4) + return AVERROR_INVALIDDATA; + } else if (band->blk_size != 8) + return AVERROR_INVALIDDATA; + band->scan = scan_index_to_tab[scan_indx]; band->quant_mat = get_bits(&ctx->gb, 5); From 7514868cb0de6e9dad1d1ce5c1aa3bd9d1642889 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 14:33:24 +0200 Subject: [PATCH 0445/1037] indeo: Bound-check before applying transform Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dc79685195a45c9b8b17d7b93d118e0aefa45462) 
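Review bot: The range check on `band->quant_mat` in decode_band_hdr runs after the parsed value has already been stored in the band descriptor, so on the AVERROR_INVALIDDATA return the band keeps an index that is out of range for `quant_index_to_tab`. If any later path uses the band after a failed header decode, that index is still there. The mlpdec patch in this series switches to parsing into locals, validating, then assigning, for this kind of problem. Reading the field into a local, checking it against `FF_ARRAY_ELEMS(quant_index_to_tab)`, and only then writing `band->quant_mat` avoids leaving invalid state behind. The function starts and ends outside the hunk.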
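Review bot: The new block-size check encodes the scan table layout as bare numbers: `scan_indx > 4 && scan_indx < 10` requires a 4x4 block and every other index an 8x8 one, with no comment tying those ranges to `scan_index_to_tab`. A comment such as `/* entries 5..9 of scan_index_to_tab are 4x4 scans, the others 8x8 */` would let a reader verify the ranges against the table, which is outside the hunk. The hunk also does not show whether `scan_index_to_tab` has an entry for every `scan_indx` that reaches the lookup after the `== 15` rejection. An explicit `FF_ARRAY_ELEMS` bound like the one added for `quant_index_to_tab` is worth confirming. Both new returns are silent, unlike the logged custom-scan error just above them.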
Signed-off-by: Luca Barbato --- libavcodec/indeo4.c | 7 +++++++ libavcodec/indeo5.c | 38 +++++++++++++++++++++++--------------- libavcodec/ivi_common.c | 30 +++++++++++++++++++++++++++--- libavcodec/ivi_common.h | 1 + 4 files changed, 58 insertions(+), 18 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 8d00e7fd99..7955db1215 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -347,6 +347,13 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, band->inv_transform = transforms[transform_id].inv_trans; band->dc_transform = transforms[transform_id].dc_trans; band->is_2d_trans = transforms[transform_id].is_2d_trans; + if (transform_id < 10) + band->transform_size = 8; + else + band->transform_size = 4; + + if (band->blk_size != band->transform_size) + return AVERROR_INVALIDDATA; scan_indx = get_bits(&ctx->gb, 4); if (scan_indx == 15) { diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index dc5f6f09ad..3bdb23f5f1 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c 
@@ -147,39 +147,47 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) /* select transform function and scan pattern according to plane and band number */ switch ((p << 2) + i) { case 0: - band->inv_transform = ff_ivi_inverse_slant_8x8; - band->dc_transform = ff_ivi_dc_slant_2d; - band->scan = ff_zigzag_direct; + band->inv_transform = ff_ivi_inverse_slant_8x8; + band->dc_transform = ff_ivi_dc_slant_2d; + band->scan = ff_zigzag_direct; + band->transform_size = 8; break; case 1: - band->inv_transform = ff_ivi_row_slant8; - band->dc_transform = ff_ivi_dc_row_slant; - band->scan = ff_ivi_vertical_scan_8x8; + band->inv_transform = ff_ivi_row_slant8; + band->dc_transform = ff_ivi_dc_row_slant; + band->scan = ff_ivi_vertical_scan_8x8; + band->transform_size = 8; break; case 2: - band->inv_transform = ff_ivi_col_slant8; - band->dc_transform = ff_ivi_dc_col_slant; - band->scan = ff_ivi_horizontal_scan_8x8; + band->inv_transform = ff_ivi_col_slant8; + band->dc_transform = ff_ivi_dc_col_slant; + band->scan = ff_ivi_horizontal_scan_8x8; + band->transform_size = 8; break; case 3: - band->inv_transform = ff_ivi_put_pixels_8x8; - band->dc_transform = ff_ivi_put_dc_pixel_8x8; - band->scan = ff_ivi_horizontal_scan_8x8; + band->inv_transform = ff_ivi_put_pixels_8x8; + band->dc_transform = ff_ivi_put_dc_pixel_8x8; + band->scan = ff_ivi_horizontal_scan_8x8; + band->transform_size = 8; break; case 4: - band->inv_transform = ff_ivi_inverse_slant_4x4; - band->dc_transform = ff_ivi_dc_slant_2d; - band->scan = ff_ivi_direct_scan_4x4; + band->inv_transform = ff_ivi_inverse_slant_4x4; + band->dc_transform = ff_ivi_dc_slant_2d; + band->scan = ff_ivi_direct_scan_4x4; + band->transform_size = 4; break; } band->is_2d_trans = band->inv_transform == ff_ivi_inverse_slant_8x8 || band->inv_transform == ff_ivi_inverse_slant_4x4; + if (band->transform_size != band->blk_size) + return AVERROR_INVALIDDATA; + /* select dequant matrix according to plane and band number */ if (!p) { 
quant_mat = (pic_conf.luma_bands > 1) ? i+1 : 0; diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 815a5cb112..4901feb37c 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -407,6 +407,24 @@ static int ivi_dec_tile_data_size(GetBitContext *gb) return len; } +static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs, + int blk_size) +{ + int buf_size = band->pitch * band->aheight - buf_offs; + int min_size = (blk_size - 1) * band->pitch + blk_size; + + if (!band->dc_transform) + return 0; + + + if (min_size > buf_size) + return AVERROR_INVALIDDATA; + + band->dc_transform(prev_dc, band->buf + buf_offs, + band->pitch, blk_size); + + return 0; +} static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, ivi_mc_func mc, int mv_x, int mv_y, @@ -424,6 +442,12 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, int num_coeffs = blk_size * blk_size; int col_mask = blk_size - 1; int scan_pos = -1; + int min_size = band->pitch * (band->transform_size - 1) + + band->transform_size; + int buf_size = band->pitch * band->aheight - offs; + + if (min_size > buf_size) + return AVERROR_INVALIDDATA; if (!band->scan) { av_log(avctx, AV_LOG_ERROR, "Scan pattern is not set.\n"); @@ -585,9 +609,9 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, /* for intra blocks apply the dc slant transform */ /* for inter - perform the motion compensation without delta */ if (is_intra) { - if (band->dc_transform) - band->dc_transform(&prev_dc, band->buf + buf_offs, - band->pitch, blk_size); + ret = ivi_dc_transform(band, &prev_dc, buf_offs, blk_size); + if (ret < 0) + return ret; } else { ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, buf_offs, mv_x, mv_y, band->pitch, mc_type); diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index 8ac41a5554..fb253745ac 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h 
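Review bot: `band->transform_size` is assigned only inside the five `case` labels shown, and the switch visible in this hunk of decode_gop_header has no `default`. If `(p << 2) + i` can take any other value, the new `band->transform_size != band->blk_size` comparison runs on whatever the field held before. A `default:` that returns AVERROR_INVALIDDATA would make the comparison meaningful for every input. Whether other values are reachable depends on the loop bounds around the switch, which are outside the hunk.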
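Review bot: The new ivi_dc_transform computes `buf_size = band->pitch * band->aheight - buf_offs` and rejects only `min_size > buf_size`, so a negative `buf_offs` enlarges `buf_size` and passes the check while `band->buf + buf_offs` points before the buffer. Extend the test to `if (buf_offs < 0 || min_size > buf_size) return AVERROR_INVALIDDATA;`. The same arithmetic with `offs` is added at the top of ivi_decode_coded_blocks in the next hunk and needs the same lower bound, unless the callers, which are outside these hunks, already guarantee non-negative offsets. The helper also has a doubled blank line after its first `return 0;`.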
@@ -159,6 +159,7 @@ typedef struct IVIBandDesc { int num_tiles; ///< number of tiles in this band IVITile *tiles; ///< array of tile descriptors InvTransformPtr *inv_transform; + int transform_size; DCTransformPtr *dc_transform; int is_2d_trans; ///< 1 indicates that the two-dimensional inverse transform is used int32_t checksum; ///< for debug purposes From 861526bbd184aeb3776ce96b370912b17bc2baa0 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 14 Jul 2013 14:06:16 +0200 Subject: [PATCH 0446/1037] indeo: Bound-check before applying motion compensation Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 25a6666f6c07c6ac8449a63d7fbce0dfd29c54cd) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 4901feb37c..66f94c132b 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c 
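Review bot: The new `transform_size` member of IVIBandDesc has no `///<` description, unlike `num_tiles`, `tiles`, `is_2d_trans` and `checksum` around it. Going by the values assigned to it in indeo4.c and indeo5.c in this patch, something like `int transform_size; ///< edge length of the inverse transform block (4 or 8)` fits. It also sits between `inv_transform` and `dc_transform`, splitting the two function pointers that are otherwise adjacent.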
@@ -44,16 +44,22 @@ static VLC ivi_blk_vlc_tabs[8]; ///< static block Huffman tables typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); -static int ivi_mc(ivi_mc_func mc, int16_t *buf, const int16_t *ref_buf, - int offs, int mv_x, int mv_y, uint32_t pitch, - int mc_type) +static int ivi_mc(IVIBandDesc *band, ivi_mc_func mc, + int offs, int mv_x, int mv_y, int mc_type) { - int ref_offs = offs + mv_y * pitch + mv_x; + int ref_offs = offs + mv_y * band->pitch + mv_x; + int buf_size = band->pitch * band->aheight; + int min_size = band->pitch * (band->blk_size - 1) + band->blk_size; + int ref_size = (mc_type > 1) * band->pitch + (mc_type & 1); - if (offs < 0 || ref_offs < 0 || !ref_buf) + if (offs < 0 || ref_offs < 0 || !band->ref_buf) + return AVERROR_INVALIDDATA; + if (buf_size - min_size < offs) + return AVERROR_INVALIDDATA; + if (buf_size - min_size - ref_size < ref_offs) return AVERROR_INVALIDDATA; - mc(buf + offs, ref_buf + ref_offs, pitch, mc_type); + mc(band->buf + offs, band->ref_buf + ref_offs, band->pitch, mc_type); return 0; } @@ -513,8 +519,7 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band, /* apply motion compensation */ if (!is_intra) - return ivi_mc(mc, band->buf, band->ref_buf, offs, mv_x, mv_y, - band->pitch, mc_type); + return ivi_mc(band, mc, offs, mv_x, mv_y, mc_type); return 0; } @@ -613,8 +618,8 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, if (ret < 0) return ret; } else { - ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, - buf_offs, mv_x, mv_y, band->pitch, mc_type); + ret = ivi_mc(band, mc_no_delta_func, buf_offs, + mv_x, mv_y, mc_type); if (ret < 0) return ret; } 
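Review bot: `ref_size = (mc_type > 1) * band->pitch + (mc_type & 1)` in the reworked ivi_mc carries the whole meaning of the second bounds check but has no comment. It appears to account for the extra row and/or column that interpolating motion-compensation modes read from the reference. A comment such as `/* interpolation reads one extra row (mc_type > 1) and/or column (mc_type & 1) */` would let the bound be checked against the mc functions. `ref_offs` is still computed as `offs + mv_y * band->pitch + mv_x` in plain `int` before any check, so the range of `mv_x` and `mv_y` established by the callers, outside the hunk, decides whether that arithmetic can overflow.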
@@ -720,8 +725,8 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, for (blk = 0; blk < num_blocks; blk++) { /* adjust block position in the buffer according with its number */ offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch); - ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, - offs, mv_x, mv_y, band->pitch, mc_type); + ret = ivi_mc(band, mc_no_delta_func, offs, + mv_x, mv_y, mc_type); if (ret < 0) return ret; } From cf738340d061a4cbea7d3fe90f3bf999feb9dda1 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 14 Jul 2013 14:41:56 +0200 Subject: [PATCH 0447/1037] indeo5: return proper error codes (cherry picked from commit b0eeb9d442e4b7e82f6797d74245434ea33110a5) Signed-off-by: Luca Barbato --- libavcodec/indeo5.c | 54 +++++++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 24 deletions(-) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 3bdb23f5f1..9b42962331 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -74,7 +74,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) tile_size = (ctx->gop_flags & 0x40) ? 64 << get_bits(&ctx->gb, 2) : 0; if (tile_size > 256) { av_log(avctx, AV_LOG_ERROR, "Invalid tile size: %d\n", tile_size); - return -1; + return AVERROR_INVALIDDATA; } /* decode number of wavelet bands */ @@ -85,7 +85,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) if (ctx->is_scalable && (pic_conf.luma_bands != 4 || pic_conf.chroma_bands != 1)) { av_log(avctx, AV_LOG_ERROR, "Scalability: unsupported subdivision! Luma bands: %d, chroma bands: %d\n", pic_conf.luma_bands, pic_conf.chroma_bands); - return -1; + return AVERROR_INVALIDDATA; } pic_size_indx = get_bits(&ctx->gb, 4); 
@@ -98,8 +98,8 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) } if (ctx->gop_flags & 2) { - av_log(avctx, AV_LOG_ERROR, "YV12 picture format not supported!\n"); - return -1; + av_log_missing_feature(avctx, "YV12 picture format", 0); + return AVERROR_PATCHWELCOME; } pic_conf.chroma_height = (pic_conf.pic_height + 3) >> 2; @@ -115,9 +115,9 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) /* check if picture layout was changed and reallocate buffers */ if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) { result = ff_ivi_init_planes(ctx->planes, &pic_conf); - if (result) { + if (result < 0) { av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n"); - return -1; + return result; } ctx->pic_conf = pic_conf; blk_size_changed = 1; /* force reallocation of the internal structures */ @@ -140,8 +140,8 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) } if (get_bits1(&ctx->gb)) { - av_log(avctx, AV_LOG_ERROR, "Extended transform info encountered!\n"); - return -1; + av_log_missing_feature(avctx, "Extended transform info", 0); + return AVERROR_PATCHWELCOME; } /* select transform function and scan pattern according to plane and band number */ @@ -209,7 +209,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) if (get_bits(&ctx->gb, 2)) { av_log(avctx, AV_LOG_ERROR, "End marker missing!\n"); - return -1; + return AVERROR_INVALIDDATA; } } } 
@@ -238,17 +238,17 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) if (blk_size_changed) { result = ff_ivi_init_tiles(ctx->planes, pic_conf.tile_width, pic_conf.tile_height); - if (result) { + if (result < 0) { av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate internal structures!\n"); - return -1; + return result; } } if (ctx->gop_flags & 8) { if (get_bits(&ctx->gb, 3)) { av_log(avctx, AV_LOG_ERROR, "Alignment bits are not zero!\n"); - return -1; + return AVERROR_INVALIDDATA; } if (get_bits1(&ctx->gb)) @@ -297,25 +297,27 @@ static inline void skip_hdr_extension(GetBitContext *gb) */ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) { + int ret; + if (get_bits(&ctx->gb, 5) != 0x1F) { av_log(avctx, AV_LOG_ERROR, "Invalid picture start code!\n"); - return -1; + return AVERROR_INVALIDDATA; } ctx->prev_frame_type = ctx->frame_type; ctx->frame_type = get_bits(&ctx->gb, 3); if (ctx->frame_type >= 5) { av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type); - return -1; + return AVERROR_INVALIDDATA; } ctx->frame_num = get_bits(&ctx->gb, 8); if (ctx->frame_type == FRAMETYPE_INTRA) { ctx->gop_invalid = 1; - if (decode_gop_header(ctx, avctx)) { + if ((ret = decode_gop_header(ctx, avctx)) < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n"); - return AVERROR_INVALIDDATA; + return ret; } ctx->gop_invalid = 0; } @@ -332,8 +334,10 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) skip_hdr_extension(&ctx->gb); /* XXX: untested */ /* decode macroblock huffman codebook */ - if (ff_ivi_dec_huff_desc(&ctx->gb, ctx->frame_flags & 0x40, IVI_MB_HUFF, &ctx->mb_vlc, avctx)) - return -1; + ret = ff_ivi_dec_huff_desc(&ctx->gb, ctx->frame_flags & 0x40, + IVI_MB_HUFF, &ctx->mb_vlc, avctx); + if (ret < 0) + return ret; skip_bits(&ctx->gb, 3); /* FIXME: unknown meaning! */ } 
@@ -355,7 +359,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, AVCodecContext *avctx) { - int i; + int i, ret; uint8_t band_flags; band_flags = get_bits(&ctx->gb, 8); @@ -379,7 +383,7 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, if (band->num_corr > 61) { av_log(avctx, AV_LOG_ERROR, "Too many corrections: %d\n", band->num_corr); - return -1; + return AVERROR_INVALIDDATA; } /* read correction pairs */ @@ -391,8 +395,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, band->rvmap_sel = (band_flags & 0x40) ? get_bits(&ctx->gb, 3) : 8; /* decode block huffman codebook */ - if (ff_ivi_dec_huff_desc(&ctx->gb, band_flags & 0x80, IVI_BLK_HUFF, &band->blk_vlc, avctx)) - return -1; + ret = ff_ivi_dec_huff_desc(&ctx->gb, band_flags & 0x80, IVI_BLK_HUFF, + &band->blk_vlc, avctx); + if (ret < 0) + return ret; band->checksum_present = get_bits1(&ctx->gb); if (band->checksum_present) @@ -459,7 +465,7 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, if (get_bits1(&ctx->gb)) { if (ctx->frame_type == FRAMETYPE_INTRA) { av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n"); - return -1; + return AVERROR_INVALIDDATA; } mb->type = 1; /* empty macroblocks are always INTER */ mb->cbp = 0; /* all blocks are empty */ @@ -623,7 +629,7 @@ static av_cold int decode_init(AVCodecContext *avctx) result = ff_ivi_init_planes(ctx->planes, &ctx->pic_conf); if (result) { av_log(avctx, AV_LOG_ERROR, "Couldn't allocate color planes!\n"); - return -1; + return AVERROR_INVALIDDATA; } ctx->buf_switch = 0; From d55f7a174d49c0b2e87254c075013a7008ddf798 Mon Sep 17 00:00:00 2001 
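Review bot: In the last hunk of the indeo5 patch, `decode_init` still tests `if (result)` and now returns a fixed `AVERROR_INVALIDDATA`, while the `decode_gop_header` hunks of the same commit switched to `if (result < 0)` and `return result;` for the same `ff_ivi_init_planes` call. An allocation failure would then reach the caller labelled as invalid data. For consistency this could read `if (result < 0) {` followed by `return result;`. The body of `decode_init` continues outside the hunk.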
From: Luca Barbato Date: Sun, 14 Jul 2013 16:49:43 +0200 Subject: [PATCH 0448/1037] indeo: Do not reference mismatched tiles Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit f9e5261cab067be7278f73d515bc9b601eb56202) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 80d35725be..36293a12cb 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -343,6 +343,8 @@ static int ivi_init_tiles(IVIBandDesc *band, IVITile *ref_tile, tile->ref_mbs = 0; if (p || b) { + if (tile->num_MBs != ref_tile->num_MBs) + return AVERROR_INVALIDDATA; tile->ref_mbs = ref_tile->mbs; ref_tile++; } From 505415b98599777f8951d3d86821f542e661e581 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 14 Jul 2013 18:16:56 +0200 Subject: [PATCH 0449/1037] indeo: Reject impossible FRAMETYPE_NULL A frame marked FRAMETYPE_NULL cannot be scalable and requires a previous frame successfully decoded. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5b2a29552ca09edd4646b6aa1828b32912b7ab36) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 36293a12cb..2a737547a5 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -953,6 +953,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } } + } else { + if (ctx->is_scalable) + return AVERROR_INVALIDDATA; + + for (p = 0; p < 3; p++) { + if (!ctx->planes[p].bands[0].buf) + return AVERROR_INVALIDDATA; + } } //STOP_TIMER("decode_planes"); } From 9680f84a31fa97272777e43a9234eb20d6da5930 Mon Sep 17 00:00:00 2001 
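Review bot: The new `tile->num_MBs != ref_tile->num_MBs` test in `ivi_init_tiles` returns `AVERROR_INVALIDDATA` with no log line and no comment, so neither a user nor the next maintainer can tell why a stream was rejected. A short comment such as `/* ref_mbs is read per macroblock of this tile, so both tiles must hold the same number of MBs */` would record the reason, assuming that is how `ref_mbs` is consumed (not visible here). The check also presumes that `tile->num_MBs` has already been assigned for this tile earlier in the loop body and that `ref_tile` is non-NULL whenever `p || b` holds. Both are outside the hunk and worth confirming.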
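Review bot: In the new `else` branch of `ff_ivi_decode_frame`, `ctx->planes[p].bands[0].buf` indexes `bands` without checking the pointer itself. `ivi_free_buffers` releases `planes[p].bands` with `av_freep` (visible in the ivi_common.c hunk of the ff_ivi_init_planes patch further down this page), so unless an earlier test in this function rules it out, a failed plane setup followed by a FRAMETYPE_NULL frame would be a NULL dereference here. `if (!ctx->planes[p].bands || !ctx->planes[p].bands[0].buf)` covers both cases. The function body starts and ends outside the hunk.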
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 11:28:46 +0300 Subject: [PATCH 0450/1037] ac3dec: Don't consume more data than the actual input packet size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was handled properly in the normal return case at the end of the function, but not in this special case. Returning a value larger than the input packet size can cause problems for certain library users. Returning the actual input buffer size unconditionally, since it is not guaranteed that frame_size is set to a sensible value at this point. Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8f24c12be7a3b3ea105e67bba9a867fe210a2333) Signed-off-by: Luca Barbato --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 6fb7b0b3ab..4f32c2d166 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1308,7 +1308,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, av_log(avctx, AV_LOG_ERROR, "unsupported frame type : " "skipping frame\n"); *got_frame_ptr = 0; - return s->frame_size; + return buf_size; } else { av_log(avctx, AV_LOG_ERROR, "invalid frame type\n"); } From 256d61538336973c91c0c0c11c16b30522e12e00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 15:59:50 +0300 Subject: [PATCH 0451/1037] mov: Seek back if overreading an individual atom MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5b4eb243bce10a3e8345401a353749e0414c54ca) Signed-off-by: Luca Barbato --- libavformat/mov.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7fe0548daa..52b73a98e8 100644 --- a/libavformat/mov.c 
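Review bot: The reason for `return buf_size;` in the unsupported-frame-type branch of `ac3_decode_frame` is recorded only in the commit message. A comment on that line, e.g. `/* frame_size may not be valid here; never report more than the packet holds */`, would keep a later cleanup from restoring `s->frame_size`. The function body starts and ends outside the hunk.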
+++ b/libavformat/mov.c @@ -2601,6 +2601,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) left = a.size - avio_tell(pb) + start_pos; if (left > 0) /* skip garbage at atom end */ avio_skip(pb, left); + else if (left < 0) { + av_log(c->fc, AV_LOG_WARNING, + "overread end of atom '%.4s' by %"PRId64" bytes\n", + (char*)&a.type, -left); + avio_seek(pb, left, SEEK_CUR); + } } total_size += a.size; From 7e9debb083d95db6601224ac13a4e7419528d03b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 17:13:54 +0300 Subject: [PATCH 0452/1037] mov: Do not allow updating the time scale after it has been set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The time scale is set in mdhd, and later validated in the enclosing trak atom once all of its children have been parsed. A loose mdhd atom outside of a trak atom could update the time scale of the last stream without any validation. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 31931520df35a6f9606fe8293c8a39e2d1fabedf) Signed-off-by: Luca Barbato --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 52b73a98e8..f6529340a3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -716,6 +716,11 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; + if (sc->time_scale) { + av_log(c->fc, AV_LOG_ERROR, "Multiple mdhd?\n"); + return AVERROR_INVALIDDATA; + } + version = avio_r8(pb); if (version > 1) { av_log_ask_for_sample(c->fc, "unsupported version %d\n", version); From fbbe487b1c1f21339cff9ca86c3dfc495ad1c2c6 Mon Sep 17 00:00:00 2001 
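Review bot: The result of `avio_seek(pb, left, SEEK_CUR)` in the new `left < 0` branch of `mov_read_default` is ignored. If the input cannot seek backwards the call fails, the read position stays past the atom end, and the loop carries on parsing from the wrong offset after logging only a warning. Checking it, for example `if (avio_seek(pb, left, SEEK_CUR) < 0) return AVERROR_INVALIDDATA;`, would stop at that point; which error code fits the surrounding loop is for the author to decide. Separately, `(char*)&a.type` prints the tag in memory byte order, so the name in the message would come out reversed on a big-endian host if `a.type` is read little-endian, which the hunk does not show.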
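Review bot: The new guard in `mov_read_mdhd` uses a non-zero `sc->time_scale` as the sign that an mdhd was already parsed, so a first mdhd that carries a time scale of 0 leaves the stream open to a second, loose mdhd. The commit message says the enclosing trak validates the value afterwards; if that validation replaces a zero with a default, a stray atom could still overwrite it, though this is not visible in the hunk. Rejecting a zero where the field is read, or tracking the seen state in a separate flag, would close that. The code that assigns `sc->time_scale` is outside the hunk.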
From: Luca Barbato Date: Sun, 14 Jul 2013 15:48:17 +0200 Subject: [PATCH 0453/1037] indeo: Sanitize ff_ivi_init_planes fail paths Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 28dda8a691f1c723a4a9365ab85f9625f1330096) Signed-off-by: Luca Barbato --- libavcodec/indeo4.c | 1 + libavcodec/indeo5.c | 4 ++-- libavcodec/ivi_common.c | 5 +++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 7955db1215..42b11305e4 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -210,6 +210,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) { if (ff_ivi_init_planes(ctx->planes, &pic_conf)) { av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n"); + ctx->pic_conf.luma_bands = 0; return AVERROR(ENOMEM); } diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 9b42962331..b7cfc5f09f 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -113,7 +113,7 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx) } /* check if picture layout was changed and reallocate buffers */ - if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf)) { + if (ivi_pic_config_cmp(&pic_conf, &ctx->pic_conf) || ctx->gop_invalid) { result = ff_ivi_init_planes(ctx->planes, &pic_conf); if (result < 0) { av_log(avctx, AV_LOG_ERROR, "Couldn't reallocate color planes!\n"); @@ -314,9 +314,9 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) ctx->frame_num = get_bits(&ctx->gb, 8); if (ctx->frame_type == FRAMETYPE_INTRA) { - ctx->gop_invalid = 1; if ((ret = decode_gop_header(ctx, avctx)) < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n"); + ctx->gop_invalid = 1; return ret; } ctx->gop_invalid = 0; diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 66f94c132b..80d35725be 100644 --- a/libavcodec/ivi_common.c 
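Review bot: In the indeo4 `decode_pic_hdr` hunk every failure of `ff_ivi_init_planes` is still reported as `AVERROR(ENOMEM)`, although the ivi_common.c hunk of this same commit adds an `AVERROR_INVALIDDATA` return to that function. Keeping the return value, `if ((ret = ff_ivi_init_planes(ctx->planes, &pic_conf)) < 0) {` with `return ret;`, would pass the real cause on; this needs a local `int ret`, whose presence the hunk does not show. The added `ctx->pic_conf.luma_bands = 0;` also deserves a comment, e.g. `/* invalidate the stored config so the next header reallocates the planes */`, if that is the intent.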
+++ b/libavcodec/ivi_common.c @@ -244,6 +244,7 @@ static av_cold void ivi_free_buffers(IVIPlaneDesc *planes) av_freep(&planes[p].bands[b].tiles); } av_freep(&planes[p].bands); + planes[p].num_bands = 0; } } @@ -256,6 +257,10 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) ivi_free_buffers(planes); + if (cfg->pic_width < 1 || cfg->pic_height < 1 || + cfg->luma_bands < 1 || cfg->chroma_bands < 1) + return AVERROR_INVALIDDATA; + /* fill in the descriptor of the luminance plane */ planes[0].width = cfg->pic_width; planes[0].height = cfg->pic_height; From dc556d8bf71d7cf463fb14234707e827f790818c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 16:44:20 +0300 Subject: [PATCH 0454/1037] lavf: Make sure avg_frame_rate can be calculated without integer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If either of the deltas is too large for the multiplications to succeed, don't use this for setting the avg frame rate. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e740929a071ab032ffa382e89da69c6ec7cf882c) Signed-off-by: Luca Barbato --- libavformat/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 085ae835ab..e1511ee215 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2493,6 +2493,9 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) int best_fps = 0; double best_error = 0.01; + if (delta_dts >= INT64_MAX / st->time_base.num || + delta_packets >= INT64_MAX / st->time_base.den) + continue; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, delta_packets*(int64_t)st->time_base.den, delta_dts*(int64_t)st->time_base.num, 60000); From 47cb05d78340dcbd7ae571b53ab646583716cd16 Mon Sep 17 00:00:00 2001 
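Review bot: The new check in `ff_ivi_init_planes` bounds `pic_width`, `pic_height` and the band counts from below only. Nothing in the hunk limits how large the dimensions may be before they are used to size the plane and band buffers, so an oversized header value relies on whatever the callers validated. `av_image_check_size(cfg->pic_width, cfg->pic_height, 0, NULL)` would add the upper bound and the overflow check in one call (it needs libavutil/imgutils.h; the include block is outside the hunk). The test also runs after `ivi_free_buffers(planes)`, so a rejected config leaves the context without planes; a comment saying this is deliberate would help.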
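Review bot: The added overflow guard in `avformat_find_stream_info` divides by `st->time_base.num` and `st->time_base.den` without checking them, so a zero in either field turns the guard itself into a division by zero; whether both are guaranteed positive at this point is outside the hunk. Putting `st->time_base.num <= 0 || st->time_base.den <= 0 ||` in front of the two comparisons would cover that and also the negative case, where the comparison loses its meaning. The `continue` leaves the whole loop iteration for this stream, not just the `av_reduce` call, which is broader than the commit message describes if more per-stream work follows in the loop body.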
From: Luca Barbato Date: Fri, 19 Jul 2013 21:05:44 +0200 Subject: [PATCH 0455/1037] dsicinav: K&R formatting cosmetics (cherry picked from commit fcae3ff124ee97c9265e3b93f3d41238b2aee9bd) Signed-off-by: Luca Barbato Conflicts: libavcodec/dsicinav.c --- libavcodec/dsicinav.c | 113 +++++++++++++++++++++++------------------- 1 file changed, 62 insertions(+), 51 deletions(-) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 39b6a4cabb..df81c58c8e 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -109,27 +109,30 @@ static av_cold int cinvideo_decode_init(AVCodecContext *avctx) return 0; } -static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, int size) +static void cin_apply_delta_data(const unsigned char *src, unsigned char *dst, + int size) { while (size--) *dst++ += *src++; } -static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_huffman(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { int b, huff_code = 0; unsigned char huff_code_table[15]; - unsigned char *dst_cur = dst; - unsigned char *dst_end = dst + dst_size; + unsigned char *dst_cur = dst; + unsigned char *dst_end = dst + dst_size; const unsigned char *src_end = src + src_size; - memcpy(huff_code_table, src, 15); src += 15; + memcpy(huff_code_table, src, 15); + src += 15; while (src < src_end) { huff_code = *src++; if ((huff_code >> 4) == 15) { - b = huff_code << 4; - huff_code = *src++; + b = huff_code << 4; + huff_code = *src++; *dst_cur++ = b | (huff_code >> 4); } else *dst_cur++ = huff_code_table[huff_code >> 4]; 
@@ -148,11 +151,12 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c return dst_cur - dst; } -static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static int cin_decode_lzss(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { uint16_t cmd; int i, sz, offset, code; - unsigned char *dst_end = dst + dst_size, *dst_start = dst; + unsigned char *dst_end = dst + dst_size, *dst_start = dst; const unsigned char *src_end = src + src_size; while (src < src_end && dst < dst_end) { @@ -161,13 +165,15 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char if (code & (1 << i)) { *dst++ = *src++; } else { - cmd = AV_RL16(src); src += 2; + cmd = AV_RL16(src); + src += 2; offset = cmd >> 4; - if ((int) (dst - dst_start) < offset + 1) + if ((int)(dst - dst_start) < offset + 1) return AVERROR_INVALIDDATA; sz = (cmd & 0xF) + 2; - /* don't use memcpy/memmove here as the decoding routine (ab)uses */ - /* buffer overlappings to repeat bytes in the destination */ + /* don't use memcpy/memmove here as the decoding routine + * (ab)uses buffer overlappings to repeat bytes in the + * destination */ sz = FFMIN(sz, dst_end - dst); while (sz--) { *dst = *(dst - offset - 1); @@ -180,10 +186,11 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char return 0; } -static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) +static void cin_decode_rle(const unsigned char *src, int src_size, + unsigned char *dst, int dst_size) { int len, code; - unsigned char *dst_end = dst + dst_size; + unsigned char *dst_end = dst + dst_size; const unsigned char *src_end = src + src_size; while (src < src_end && dst < dst_end) { 
@@ -204,15 +211,16 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; + const uint8_t *buf = avpkt->data; + int buf_size = avpkt->size; CinVideoContext *cin = avctx->priv_data; - int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0; + int i, y, palette_type, palette_colors_count, + bitmap_frame_type, bitmap_frame_size, res = 0; - palette_type = buf[0]; - palette_colors_count = AV_RL16(buf+1); - bitmap_frame_type = buf[3]; - buf += 4; + palette_type = buf[0]; + palette_colors_count = AV_RL16(buf + 1); + bitmap_frame_type = buf[3]; + buf += 4; bitmap_frame_size = buf_size - 4; 
@@ -223,46 +231,48 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (palette_colors_count > 256) return AVERROR_INVALIDDATA; for (i = 0; i < palette_colors_count; ++i) { - cin->palette[i] = bytestream_get_le24(&buf); + cin->palette[i] = bytestream_get_le24(&buf); bitmap_frame_size -= 3; } } else { for (i = 0; i < palette_colors_count; ++i) { - cin->palette[buf[0]] = AV_RL24(buf+1); - buf += 4; - bitmap_frame_size -= 4; + cin->palette[buf[0]] = AV_RL24(buf + 1); + buf += 4; + bitmap_frame_size -= 4; } } - /* note: the decoding routines below assumes that surface.width = surface.pitch */ + /* note: the decoding routines below assumes that + * surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: cin_decode_rle(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 34: cin_decode_rle(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 35: cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 36: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_INT_BMP], + cin->bitmap_size); cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); 
+ cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 37: cin_decode_huffman(buf, bitmap_frame_size, - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 38: res = cin_decode_lzss(buf, bitmap_frame_size, @@ -278,24 +288,26 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, if (res < 0) return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], - cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; } cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; - if (avctx->reget_buffer(avctx, &cin->frame)) { - av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n"); - return -1; + if ((res = avctx->reget_buffer(avctx, &cin->frame)) < 0) { + av_log(cin->avctx, AV_LOG_ERROR, + "delphinecinvideo: reget_buffer() failed to allocate a frame\n"); + return res; } memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette)); cin->frame.palette_has_changed = 1; for (y = 0; y < cin->avctx->height; ++y) memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0], - cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, - cin->avctx->width); + cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, + cin->avctx->width); - FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_table[CIN_PRE_BMP]); + FFSWAP(uint8_t *, cin->bitmap_table[CIN_CUR_BMP], + cin->bitmap_table[CIN_PRE_BMP]); *got_frame = 1; *(AVFrame *)data = cin->frame; 
@@ -336,8 +348,8 @@ static av_cold int cinaudio_decode_init(AVCodecContext *avctx) static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - CinAudioContext *cin = avctx->priv_data; + const uint8_t *buf = avpkt->data; + CinAudioContext *cin = avctx->priv_data; const uint8_t *buf_end = buf + avpkt->size; int16_t *samples; int delta, ret; @@ -353,13 +365,13 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, delta = cin->delta; if (cin->initial_decode_frame) { cin->initial_decode_frame = 0; - delta = sign_extend(AV_RL16(buf), 16); - buf += 2; - *samples++ = delta; + delta = sign_extend(AV_RL16(buf), 16); + buf += 2; + *samples++ = delta; } while (buf < buf_end) { - delta += cinaudio_delta16_table[*buf++]; - delta = av_clip_int16(delta); + delta += cinaudio_delta16_table[*buf++]; + delta = av_clip_int16(delta); *samples++ = delta; } cin->delta = delta; @@ -370,7 +382,6 @@ static int cinaudio_decode_frame(AVCodecContext *avctx, void *data, return avpkt->size; } - AVCodec ff_dsicinvideo_decoder = { .name = "dsicinvideo", .type = AVMEDIA_TYPE_VIDEO, From 95275723aee38ee841706e667d09ca9f325e634b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 19 Jul 2013 21:09:40 +0200 Subject: [PATCH 0456/1037] dsicinav: Bound-check the source buffer when needed Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dd0bfc3a6a310e3e3674ce7742672d689a9a0e93) Signed-off-by: Luca Barbato --- libavcodec/dsicinav.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index df81c58c8e..7f5c1daa23 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c 
@@ -196,11 +196,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size, while (src < src_end && dst < dst_end) { code = *src++; if (code & 0x80) { + if (src >= src_end) + break; len = code - 0x7F; memset(dst, *src++, FFMIN(len, dst_end - dst)); } else { len = code + 1; - memcpy(dst, src, FFMIN(len, dst_end - dst)); + memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src)); src += len; } dst += len; From 068bc633f2999d81c87177acc637e11726e31926 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 19 Jul 2013 21:34:21 +0200 Subject: [PATCH 0457/1037] dsicinav: Clip the source size to the expected maximum A packet larger than cin->bitmap_size does not make sense. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit fd8189932147a524fe43532b46baa35e8be92a1b) Signed-off-by: Luca Barbato --- libavcodec/dsicinav.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 7f5c1daa23..772fb8d51c 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -244,6 +244,8 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, } } + bitmap_frame_size = FFMIN(cin->bitmap_size, bitmap_frame_size); + /* note: the decoding routines below assumes that * surface.width = surface.pitch */ switch (bitmap_frame_type) { From dcbfba3bb60df59668ed14397b7c8780b77a6d90 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 23:02:25 +0200 Subject: [PATCH 0458/1037] alsdec: Fix the clipping range mcc_weightings is only 32 elements. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 70ecc175c7b513a153ac87d1c5d219556ca55070) Signed-off-by: Luca Barbato --- libavcodec/alsdec.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index ff2a735bdf..c71b0ddafd 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
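Review bot: In `cin_decode_rle` the copy sizes are now clamped, but `src += len` and `dst += len` still advance by the unclamped `len`. After a truncated run both pointers can end up beyond their buffers; the loop condition then stops the loop, but forming a pointer more than one past the end is undefined behaviour in C. Clamping `len` itself avoids it: `len = FFMIN3(code + 1, dst_end - dst, src_end - src);` in the literal branch and `len = FFMIN(code - 0x7F, dst_end - dst);` in the run branch, with `memcpy` and `memset` then taking `len` directly.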
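Review bot: The added `FFMIN(cin->bitmap_size, bitmap_frame_size)` in `cinvideo_decode_frame` caps the size from above only. `bitmap_frame_size` starts at `buf_size - 4` and the two palette loops (visible in the preceding cosmetics patch) subtract 3 or 4 per entry without comparing against the bytes left, so the value can be negative at this point, and `cin_decode_huffman` copies its 15 table bytes from `src` before looking at `src_size`. Each palette loop should first check that its entries fit, e.g. `if (palette_colors_count * 3 > bitmap_frame_size) return AVERROR_INVALIDDATA;` for the 3-byte form and `* 4` for the other. The four header bytes at the top of the function are likewise read with no `buf_size < 4` test visible. The function body starts and ends outside the hunk.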
@@ -1156,6 +1156,12 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, return 0; } +static inline int als_weighting(GetBitContext *gb, int k, int off) +{ + int idx = av_clip(decode_rice(gb, k) + off, + 0, FF_ARRAY_ELEMS(mcc_weightings) - 1); + return mcc_weightings[idx]; +} /** Read the channel data. */ @@ -1176,14 +1182,14 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (current->master_channel != c) { current->time_diff_flag = get_bits1(gb); - current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 32)]; - current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; + current->weighting[0] = als_weighting(gb, 1, 16); + current->weighting[1] = als_weighting(gb, 2, 14); + current->weighting[2] = als_weighting(gb, 1, 16); if (current->time_diff_flag) { - current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; - current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 32)]; + current->weighting[3] = als_weighting(gb, 1, 16); + current->weighting[4] = als_weighting(gb, 1, 16); + current->weighting[5] = als_weighting(gb, 1, 16); current->time_diff_sign = get_bits1(gb); current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3; From a5bdec1c75bab2c35b03d46b4b15ea00d3172e3c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 12 Jul 2013 23:38:02 +0200 Subject: [PATCH 0459/1037] alsdec: Clean up error paths Fix at least a memory leak. CC: libav-stable@libav.org (cherry picked from commit ca488ad480360dfafcb5766f7bfbb567a0638979) Signed-off-by: Luca Barbato --- libavcodec/alsdec.c | 138 ++++++++++++++++++++++++-------------------- 1 file changed, 75 insertions(+), 63 deletions(-) 
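Review bot: `als_weighting` adds `off` to the result of `decode_rice` before `av_clip` runs, so the clip protects the `mcc_weightings` index only as long as that sum cannot overflow `int`; the range of `decode_rice` is not visible in the hunk and should be confirmed. The helper also has no doc comment, whereas the function right below it keeps `/** Read the channel data. */`. Something like `/** Read a Rice-coded value, add off and return the mcc_weightings entry at that index, clamped to the table. */` would match, and the blank line that used to separate `decode_blocks` from the next doc comment should be kept after the helper.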
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index c71b0ddafd..f1d01a2569 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -295,12 +295,12 @@ static av_cold int read_specific_config(ALSDecContext *ctx) avctx->extradata_size * 8, 1); if (config_offset < 0) - return -1; + return AVERROR_INVALIDDATA; skip_bits_long(&gb, config_offset); if (get_bits_left(&gb) < (30 << 3)) - return -1; + return AVERROR_INVALIDDATA; // read the fixed items als_id = get_bits_long(&gb, 32); @@ -335,7 +335,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // check for ALSSpecificConfig struct if (als_id != MKBETAG('A','L','S','\0')) - return -1; + return AVERROR_INVALIDDATA; ctx->cur_frame_length = sconf->frame_length; @@ -350,7 +350,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) int chan_pos_bits = av_ceil_log2(avctx->channels); int bits_needed = avctx->channels * chan_pos_bits + 7; if (get_bits_left(&gb) < bits_needed) - return -1; + return AVERROR_INVALIDDATA; if (!(sconf->chan_pos = av_malloc(avctx->channels * sizeof(*sconf->chan_pos)))) return AVERROR(ENOMEM); @@ -368,7 +368,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // read fixed header and trailer sizes, // if size = 0xFFFFFFFF then there is no data field! if (get_bits_left(&gb) < 64) - return -1; + return AVERROR_INVALIDDATA; header_size = get_bits_long(&gb, 32); trailer_size = get_bits_long(&gb, 32); @@ -382,10 +382,10 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // skip the header and trailer data if (get_bits_left(&gb) < ht_size) - return -1; + return AVERROR_INVALIDDATA; if (ht_size > INT32_MAX) - return -1; + return AVERROR_PATCHWELCOME; skip_bits_long(&gb, ht_size); 
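Review bot: In `read_specific_config` the `ht_size > INT32_MAX` test sits after `get_bits_left(&gb) < ht_size`. `get_bits_left` returns an `int`, so if `ht_size` is a wider signed type (its declaration is outside the hunk) every value above `INT32_MAX` is already rejected by the first test and the new `AVERROR_PATCHWELCOME` return can never be reached. Swapping the two tests, `if (ht_size > INT32_MAX) return AVERROR_PATCHWELCOME;` first, would make the distinction between unsupported and damaged input take effect.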
@@ -393,7 +393,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) // initialize CRC calculation if (sconf->crc_enabled) { if (get_bits_left(&gb) < 32) - return -1; + return AVERROR_INVALIDDATA; if (avctx->err_recognition & AV_EF_CRCCHECK) { ctx->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); @@ -633,7 +633,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (bd->block_length & (sub_blocks - 1)) { av_log(avctx, AV_LOG_WARNING, "Block length is not evenly divisible by the number of subblocks.\n"); - return -1; + return AVERROR_INVALIDDATA; } sb_length = bd->block_length >> log2_sub_blocks; @@ -964,18 +964,18 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) */ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) { + int ret = 0; GetBitContext *gb = &ctx->gb; *bd->shift_lsbs = 0; // read block type flag and read the samples accordingly if (get_bits1(gb)) { - if (read_var_block_data(ctx, bd)) - return -1; + ret = read_var_block_data(ctx, bd); } else { read_const_block_data(ctx, bd); } - return 0; + return ret; } @@ -984,12 +984,16 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) static int decode_block(ALSDecContext *ctx, ALSBlockData *bd) { unsigned int smp; + int ret = 0; // read block type flag and read the samples accordingly if (*bd->const_block) decode_const_block_data(ctx, bd); - else if (decode_var_block_data(ctx, bd)) - return -1; + else + ret = decode_var_block_data(ctx, bd); // always return 0 + + if (ret < 0) + return ret; // TODO: read RLSLMS extension data @@ -1007,14 +1011,10 @@ static int read_decode_block(ALSDecContext *ctx, ALSBlockData *bd) { int ret; - ret = read_block(ctx, bd); - - if (ret) + if ((ret = read_block(ctx, bd)) < 0) return ret; - ret = decode_block(ctx, bd); - - return ret; + return decode_block(ctx, bd); } 
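Review bot: `read_var_block_data` now returns `AVERROR_INVALIDDATA` for a block length that is not divisible by the sub-block count, but the message above it is still logged at `AV_LOG_WARNING`. The same holds for the "Invalid channel correlation!" message in the `revert_channel_correlation` hunk further down. Since both paths now abort decoding with an error code, `AV_LOG_ERROR` would match the other failure messages touched by this commit. In `decode_block`, the trailing `// always return 0` comment sits next to a `ret < 0` test; if the callee really cannot fail, the comment should say why the test is kept.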
@@ -1040,6 +1040,7 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame, unsigned int c, const unsigned int *div_blocks, unsigned int *js_blocks) { + int ret; unsigned int b; ALSBlockData bd = { 0 }; @@ -1060,10 +1061,10 @@ static int decode_blocks_ind(ALSDecContext *ctx, unsigned int ra_frame, for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; - if (read_decode_block(ctx, &bd)) { + if ((ret = read_decode_block(ctx, &bd)) < 0) { // damaged block, write zero for the rest of the frame zero_remaining(b, ctx->num_blocks, div_blocks, bd.raw_samples); - return -1; + return ret; } bd.raw_samples += div_blocks[b]; bd.ra_block = 0; @@ -1082,6 +1083,7 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, ALSSpecificConfig *sconf = &ctx->sconf; unsigned int offset = 0; unsigned int b; + int ret; ALSBlockData bd[2] = { { 0 } }; bd[0].ra_block = ra_frame; @@ -1123,12 +1125,9 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, bd[0].raw_other = bd[1].raw_samples; bd[1].raw_other = bd[0].raw_samples; - if(read_decode_block(ctx, &bd[0]) || read_decode_block(ctx, &bd[1])) { - // damaged block, write zero for the rest of the frame - zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); - zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples); - return -1; - } + if ((ret = read_decode_block(ctx, &bd[0])) < 0 || + (ret = read_decode_block(ctx, &bd[1])) < 0) + goto fail; // reconstruct joint-stereo blocks if (bd[0].js_blocks) { @@ -1154,6 +1153,11 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, sizeof(*ctx->raw_samples[c]) * sconf->max_order); return 0; +fail: + // damaged block, write zero for the rest of the frame + zero_remaining(b, ctx->num_blocks, div_blocks, bd[0].raw_samples); + zero_remaining(b, ctx->num_blocks, div_blocks, bd[1].raw_samples); + return ret; } static inline int als_weighting(GetBitContext *gb, int k, int off) 
@@ -1177,7 +1181,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (current->master_channel >= channels) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid master channel!\n"); - return -1; + return AVERROR_INVALIDDATA; } if (current->master_channel != c) { @@ -1202,7 +1206,7 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (entries == channels) { av_log(ctx->avctx, AV_LOG_ERROR, "Damaged channel data!\n"); - return -1; + return AVERROR_INVALIDDATA; } align_get_bits(gb); @@ -1234,7 +1238,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (dep == channels) { av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel correlation!\n"); - return -1; + return AVERROR_INVALIDDATA; } bd->const_block = ctx->const_block + c; @@ -1305,8 +1309,8 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) unsigned int div_blocks[32]; ///< block sizes. unsigned int c; unsigned int js_blocks[2]; - uint32_t bs_info = 0; + int ret; // skip the size of the ra unit if present in the frame if (sconf->ra_flag == RA_FLAG_FRAMES && ra_frame) @@ -1337,13 +1341,15 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) independent_bs = 1; if (independent_bs) { - if (decode_blocks_ind(ctx, ra_frame, c, div_blocks, js_blocks)) - return -1; - + ret = decode_blocks_ind(ctx, ra_frame, c, + div_blocks, js_blocks); + if (ret < 0) + return ret; independent_bs--; } else { - if (decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks)) - return -1; + ret = decode_blocks(ctx, ra_frame, c, div_blocks, js_blocks); + if (ret < 0) + return ret; c++; } 
@@ -1362,7 +1368,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) for (c = 0; c < avctx->channels; c++) if (ctx->chan_data[c] < ctx->chan_data_buffer) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid channel data!\n"); - return -1; + return AVERROR_INVALIDDATA; } memset(reverted_channels, 0, sizeof(*reverted_channels) * avctx->channels); @@ -1394,11 +1400,12 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) return ret; } - for (c = 0; c < avctx->channels; c++) - if (revert_channel_correlation(ctx, &bd, ctx->chan_data, - reverted_channels, offset, c)) - return -1; - + for (c = 0; c < avctx->channels; c++) { + ret = revert_channel_correlation(ctx, &bd, ctx->chan_data, + reverted_channels, offset, c); + if (ret < 0) + return ret; + } for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c; bd.shift_lsbs = ctx->shift_lsbs + c; @@ -1596,30 +1603,30 @@ static av_cold int decode_init(AVCodecContext *avctx) { unsigned int c; unsigned int channel_size; - int num_buffers; + int num_buffers, ret; ALSDecContext *ctx = avctx->priv_data; ALSSpecificConfig *sconf = &ctx->sconf; ctx->avctx = avctx; if (!avctx->extradata) { av_log(avctx, AV_LOG_ERROR, "Missing required ALS extradata.\n"); - return -1; + return AVERROR_INVALIDDATA; } - if (read_specific_config(ctx)) { + if ((ret = read_specific_config(ctx)) < 0) { av_log(avctx, AV_LOG_ERROR, "Reading ALSSpecificConfig failed.\n"); - decode_end(avctx); - return -1; + goto fail; } - if (check_specific_config(ctx)) { - decode_end(avctx); - return -1; + if ((ret = check_specific_config(ctx)) < 0) { + goto fail; } - if (sconf->bgmc) - ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); - + if (sconf->bgmc) { + ret = ff_bgmc_init(avctx, &ctx->bgmc_lut, &ctx->bgmc_lut_status); + if (ret < 0) + goto fail; + } if (sconf->floating) { avctx->sample_fmt = AV_SAMPLE_FMT_FLT; avctx->bits_per_raw_sample = 32; 
@@ -1654,7 +1661,8 @@ static av_cold int decode_init(AVCodecContext *avctx) !ctx->quant_cof_buffer || !ctx->lpc_cof_buffer || !ctx->lpc_cof_reversed_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } // assign quantized parcor coefficient buffers @@ -1679,8 +1687,8 @@ static av_cold int decode_init(AVCodecContext *avctx) !ctx->use_ltp || !ctx->ltp_lag || !ctx->ltp_gain || !ctx->ltp_gain_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } for (c = 0; c < num_buffers; c++) @@ -1697,8 +1705,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!ctx->chan_data_buffer || !ctx->chan_data || !ctx->reverted_channels) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } for (c = 0; c < num_buffers; c++) @@ -1718,8 +1726,8 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate previous raw sample buffer if (!ctx->prev_raw_samples || !ctx->raw_buffer|| !ctx->raw_samples) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } // assign raw samples buffers @@ -1736,8 +1744,8 @@ static av_cold int decode_init(AVCodecContext *avctx) av_get_bytes_per_sample(avctx->sample_fmt)); if (!ctx->crc_buffer) { av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n"); - decode_end(avctx); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto fail; } } @@ -1747,6 +1755,10 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->coded_frame = &ctx->frame; return 0; + +fail: + decode_end(avctx); + return ret; } From f8602ef7176d45521ea82176c9342e9298e119a8 Mon Sep 17 00:00:00 2001 
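Review bot: The new `fail:` label runs `decode_end(avctx)` from every failure point in decode_init, including the read_specific_config failure that happens before any buffer is allocated. That is only safe if decode_end copes with a context whose buffers are still NULL; decode_end is outside these hunks, so this should be confirmed. A short comment at the label would record the requirement: `/* decode_end() must tolerate a partially initialised context */`.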
From: Luca Barbato Date: Mon, 22 Jul 2013 12:44:19 +0200 Subject: [PATCH 0460/1037] 4xm: Reject not a multiple of 16 dimension Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2f034f255c49050e894ab9b88087c09ebe249f3f) Signed-off-by: Luca Barbato --- libavcodec/4xm.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 99e0e2e4da..cc0361dd2e 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -810,6 +810,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, if (buf_size < 20) return AVERROR_INVALIDDATA; + if (avctx->width % 16 || avctx->height % 16) { + av_log(avctx, AV_LOG_ERROR, + "Dimensions non-multiple of 16 are invalid.\n"); + return AVERROR_INVALIDDATA; + } + if (buf_size < AV_RL32(buf + 4) + 8) { av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4)); From e6cf47ee9e36f249f63e7dee5f99ad8b5386eaa4 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Jul 2013 23:26:05 +0200 Subject: [PATCH 0461/1037] 8bps: Bound-check the input buffer Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bd7b4da0f4627bb6c4a7c2575da83fe6b261a21c) Signed-off-by: Luca Barbato Conflicts: libavcodec/8bps.c --- libavcodec/8bps.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 8f0692c4ba..3d81810fe4 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -64,7 +64,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, unsigned char *pixptr, *pixptr_end; unsigned int height = avctx->height; // Real image height unsigned int dlen, p, row; - const unsigned char *lp, *dp; + const unsigned char *lp, *dp, *ep; unsigned char count; unsigned int px_inc; unsigned int planes = c->planes; 
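Review bot: The new dimension check in decode_frame has no comment saying which later access depends on the 16-pixel granularity, so a reader cannot tell whether it protects a buffer write or only enforces a format rule. A one-line comment above `if (avctx->width % 16 || avctx->height % 16)` naming the block size the decoder writes in would make clear that the check must stay in front of any code that touches the frame. The message is also logged through `avctx` while the size-mismatch check directly below logs through `f->avctx`; using one of the two consistently reads better. decode_frame continues outside the hunk.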
@@ -80,6 +80,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, return -1; } + ep = encoded + buf_size; + /* Set data pointer after line lengths */ dp = encoded + planes * (height << 1); @@ -97,17 +99,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, for (row = 0; row < height; row++) { pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p]; pixptr_end = pixptr + c->pic.linesize[0]; + if (ep - lp < row * 2 + 2) + return AVERROR_INVALIDDATA; dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2)); /* Decode a row of this plane */ while (dlen > 0) { - if (dp + 1 >= buf + buf_size) + if (ep - dp <= 1) return -1; if ((count = *dp++) <= 127) { count++; dlen -= count + 1; if (pixptr + count * px_inc > pixptr_end) break; - if (dp + count > buf + buf_size) + if (ep - dp < count) return -1; while (count--) { *pixptr = *dp++; From 116aa30db4ae28f0b67cb2861ea534bfb840f3bc Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 28 Jul 2013 18:24:15 +0200 Subject: [PATCH 0462/1037] xl: Make sure the width is valid CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavcodec/xl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/xl.c b/libavcodec/xl.c index 1cadeab561..240339ea8b 100644 --- a/libavcodec/xl.c +++ b/libavcodec/xl.c @@ -71,6 +71,11 @@ static int decode_frame(AVCodecContext *avctx, stride = avctx->width - 4; + if (avctx->width % 4) { + av_log(avctx, AV_LOG_ERROR, "Width not a multiple of 4.\n"); + return AVERROR_INVALIDDATA; + } + if (buf_size < avctx->width * avctx->height) { av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); return AVERROR_INVALIDDATA; From 0b6adcf76bda8994902f5b6d8e694b0b916ea210 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 4 May 2013 07:40:09 +0200 Subject: [PATCH 0463/1037] oma: refactor seek function Properly propagate seek errors from avio and the generic pcm seek. (cherry picked from commit 4f03a77e52596cbe9ec179666ddb3e0345a8133a) 
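Review bot: `dp = encoded + planes * (height << 1);` is still computed without first checking that the line-length table fits inside the packet, so for a short packet the pointer is formed beyond `ep` and only the later `ep - dp <= 1` test catches it. A single check right after `ep = encoded + buf_size;` would reject such packets before any pointer past the buffer exists, for example `if (buf_size < planes * (height << 1)) return AVERROR_INVALIDDATA;`. The declaration of `buf_size` is outside the hunk, so its type should be checked against the unsigned right-hand side.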
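Review bot: `if (ep - lp < row * 2 + 2)` compares a signed pointer difference with an unsigned expression (`row` is `unsigned int`), so on targets where ptrdiff_t is no wider than unsigned int a negative difference converts to a large unsigned value and passes the check. Whether `lp` can lie past `ep` depends on code outside the hunk; an explicit cast removes the doubt: `if (ep - lp < (ptrdiff_t)(row * 2 + 2))`. The hunk also returns `AVERROR_INVALIDDATA` for the new check but keeps `return -1` for the two rewritten bounds checks on `dp`; all three should return `AVERROR_INVALIDDATA`. The row loop continues outside the hunk.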
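Review bot: The width check in xl's decode_frame sits after `stride = avctx->width - 4;`, so the value is used before it is validated. Nothing in the hunk reads `stride` in between, but putting the check first keeps the validate-then-use order obvious. The test also lets a width of 0 through, leaving `stride` at -4; if the decoder can be reached with unset dimensions, `if (avctx->width <= 0 || avctx->width % 4)` would cover that case. decode_frame continues outside the hunk.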
Signed-off-by: Luca Barbato Conflicts: libavformat/omadec.c --- libavformat/omadec.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index cd255c1704..db599f5dbd 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -427,23 +427,26 @@ static int oma_read_probe(AVProbeData *p) static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { OMAContext *oc = s->priv_data; + int err = ff_pcm_read_seek(s, stream_index, timestamp, flags); - ff_pcm_read_seek(s, stream_index, timestamp, flags); + if (!oc->encrypted) + return err; - if (oc->encrypted) { - /* readjust IV for CBC */ - int64_t pos = avio_tell(s->pb); - if (pos < oc->content_start) - memset(oc->iv, 0, 8); - else { - if (avio_seek(s->pb, -8, SEEK_CUR) < 0 || avio_read(s->pb, oc->iv, 8) < 8) { - memset(oc->iv, 0, 8); - return -1; - } - } + /* readjust IV for CBC */ + if (err || avio_tell(s->pb) < oc->content_start) + goto wipe; + if ((err = avio_seek(s->pb, -8, SEEK_CUR)) < 0) + goto wipe; + if ((err = avio_read(s->pb, oc->iv, 8)) < 8) { + if (err >= 0) + err = AVERROR_EOF; + goto wipe; } return 0; +wipe: + memset(oc->iv, 0, 8); + return err; } AVInputFormat ff_oma_demuxer = { From 97e6099c0c702795a6c953b75920968fc256b6d2 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 17 Apr 2013 21:07:09 +0200 Subject: [PATCH 0464/1037] oma: check geob tag boundary Prevent read after buffer boundary on corrupted tag. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9d0b45ade864f3d2ccd8610149fe1fff53c4e937) Signed-off-by: Luca Barbato Conflicts: libavformat/omadec.c --- libavformat/omadec.c | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index db599f5dbd..07d8b2c972 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c 
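Review bot: `(err = avio_seek(s->pb, -8, SEEK_CUR)) < 0` stores the int64_t result of avio_seek in the `int err`, so a successful seek to an offset that does not fit in an int can be truncated to a negative value. oma_read_seek would then wipe the IV and return a bogus error on large files. Keeping the result in a 64-bit local avoids that: `int64_t pos = avio_seek(s->pb, -8, SEEK_CUR);` followed by `if (pos < 0) { err = pos; goto wipe; }`.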
@@ -113,13 +113,18 @@ static int kset(AVFormatContext *s, const uint8_t *r_val, const uint8_t *n_val, return 0; } -static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val) +#define OMA_RPROBE_M_VAL 48 + 1 + +static int rprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size, + const uint8_t *r_val) { OMAContext *oc = s->priv_data; unsigned int pos; struct AVDES av_des; - if (!enc_header || !r_val) + if (!enc_header || !r_val || + size < OMA_ENC_HEADER_SIZE + oc->k_size + oc->e_size + oc->i_size || + size < OMA_RPROBE_M_VAL) return -1; /* m_val */ @@ -140,35 +145,41 @@ static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val) return memcmp(&enc_header[pos], oc->sm_val, 8) ? -1 : 0; } -static int nprobe(AVFormatContext *s, uint8_t *enc_header, int size, const uint8_t *n_val) +static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size, + const uint8_t *n_val) { OMAContext *oc = s->priv_data; - uint32_t pos, taglen, datalen; + uint64_t pos; + uint32_t taglen, datalen; struct AVDES av_des; - if (!enc_header || !n_val) + if (!enc_header || !n_val || + size < OMA_ENC_HEADER_SIZE + oc->k_size + 4) return -1; pos = OMA_ENC_HEADER_SIZE + oc->k_size; if (!memcmp(&enc_header[pos], "EKB ", 4)) pos += 32; + if (size < pos + 44) + return -1; + if (AV_RB32(&enc_header[pos]) != oc->rid) av_log(s, AV_LOG_DEBUG, "Mismatching RID\n"); taglen = AV_RB32(&enc_header[pos+32]); datalen = AV_RB32(&enc_header[pos+36]) >> 4; - if(taglen + (((uint64_t)datalen)<<4) + 44 > size) - return -1; - pos += 44 + taglen; + if (datalen << 4 > size - pos) + return -1; + av_des_init(&av_des, n_val, 192, 1); while (datalen-- > 0) { av_des_crypt(&av_des, oc->r_val, &enc_header[pos], 2, NULL, 1); kset(s, oc->r_val, NULL, 16); - if (!rprobe(s, enc_header, oc->r_val)) + if (!rprobe(s, enc_header, size, oc->r_val)) return 0; pos += 16; } 
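Review bot: `#define OMA_RPROBE_M_VAL 48 + 1` is not parenthesised, so any later use next to a higher-precedence operator (for example `2 * OMA_RPROBE_M_VAL`) would expand incorrectly; it should be `#define OMA_RPROBE_M_VAL (48 + 1)`. The new bound in rprobe covers `OMA_ENC_HEADER_SIZE + oc->k_size + oc->e_size + oc->i_size`, but the function ends with an 8-byte `memcmp(&enc_header[pos], oc->sm_val, 8)`. If `pos` has reached that sum by then (the lines in between are outside the hunk), the bound needs a further `+ 8`.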
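Review bot: After `pos += 44 + taglen;` in nprobe nothing checks that `pos` is still inside the buffer, and `taglen` comes straight from the file. When `pos` exceeds `size`, the unsigned subtraction in `if (datalen << 4 > size - pos)` wraps to a huge value, the test passes, and the decrypt loop reads `enc_header[pos]` beyond the tag. The removed check bounded `taglen` against `size`, which the new one no longer does. I would write `if (pos > size || datalen << 4 > size - pos) return -1;` and widen the addition to `pos += 44 + (uint64_t)taglen;`, because `44 + taglen` is otherwise computed in 32 bits and can wrap before it is added.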
@@ -231,7 +242,7 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header) kset(s, s->key, s->key, s->keylen); } if (!memcmp(oc->r_val, (const uint8_t[8]){0}, 8) || - rprobe(s, gdata, oc->r_val) < 0 && + rprobe(s, gdata, geob->datasize, oc->r_val) < 0 && nprobe(s, gdata, geob->datasize, oc->n_val) < 0) { int i; for (i = 0; i < FF_ARRAY_ELEMS(leaf_table); i += 2) { @@ -239,7 +250,8 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header) AV_WL64(buf, leaf_table[i]); AV_WL64(&buf[8], leaf_table[i+1]); kset(s, buf, buf, 16); - if (!rprobe(s, gdata, oc->r_val) || !nprobe(s, gdata, geob->datasize, oc->n_val)) + if (!rprobe(s, gdata, geob->datasize, oc->r_val) || + !nprobe(s, gdata, geob->datasize, oc->n_val)) break; } if (i >= sizeof(leaf_table)) { From d502bd7410570c0a1e566af18097ffe2437937f0 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 17 Apr 2013 21:19:23 +0200 Subject: [PATCH 0465/1037] oma: correctly mark and decrypt partial packets Incomplete crypted files would lead to a read after buffer boundary otherwise. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2219e27b5b17d146e4ab71a3ed86dfc013fb7a93) Signed-off-by: Luca Barbato Conflicts: libavformat/omadec.c --- libavformat/omadec.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 07d8b2c972..8548fb5f78 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -393,6 +393,9 @@ static int oma_read_packet(AVFormatContext *s, AVPacket *pkt) int packet_size = s->streams[0]->codec->block_align; int ret = av_get_packet(s->pb, pkt, packet_size); + if (ret < packet_size) + pkt->flags |= AV_PKT_FLAG_CORRUPT; + if (ret < 0) return ret; if (!ret) 
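Review bot: The leaf-table loop in decrypt_init that these rprobe/nprobe calls sit in is bounded by `FF_ARRAY_ELEMS(leaf_table)`, but the test right after it is `if (i >= sizeof(leaf_table))`. `AV_WL64(buf, leaf_table[i])` suggests the elements are wider than one byte, in which case `sizeof` exceeds the element count and the "no key matched" branch can never be taken. The commit does not touch that line, but it decides whether a failed probe is reported, so I would change it to `if (i >= FF_ARRAY_ELEMS(leaf_table)) {`. The body of that branch is outside the hunk.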
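Review bot: In oma_read_packet, `if (ret < packet_size) pkt->flags |= AV_PKT_FLAG_CORRUPT;` runs before `if (ret < 0) return ret;`, so on a failed av_get_packet the flag is written into a packet that holds no data. Swapping the two keeps the flag for genuine short reads only: `if (ret < 0) return ret;` followed by `if (ret < packet_size) pkt->flags |= AV_PKT_FLAG_CORRUPT;`.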
@@ -401,8 +404,13 @@ static int oma_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->stream_index = 0; if (oc->encrypted) { - /* previous unencrypted block saved in IV for the next packet (CBC mode) */ - av_des_crypt(&oc->av_des, pkt->data, pkt->data, (packet_size >> 3), oc->iv, 1); + /* previous unencrypted block saved in IV for + * the next packet (CBC mode) */ + if (ret == packet_size) + av_des_crypt(&oc->av_des, pkt->data, pkt->data, + (packet_size >> 3), oc->iv, 1); + else + memset(oc->iv, 0, 8); } return ret; From d0323b62349190d7b5e215c4c560b29f1d979a75 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 27 Jun 2013 01:22:06 +0200 Subject: [PATCH 0466/1037] aac: K&R formatting cosmetics (cherry picked from commit 6d8629aac13692447b54eac795bf74007ebf8987) Signed-off-by: Luca Barbato --- libavcodec/aacdec.c | 266 ++++++++++++++++++++++++++++---------------- 1 file changed, 172 insertions(+), 94 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index dec6d01418..99895bae08 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c 
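Review bot: The new `else` branch in oma_read_packet zeroes the IV and hands the short packet on without decrypting it, and nothing in the code says so. The comment above it still only describes the CBC chaining of the full-packet case. I would add a comment on the branch, for example `/* short read: payload stays encrypted and is flagged corrupt; restart the CBC chain */`, so that a consumer that ignores `AV_PKT_FLAG_CORRUPT` is understood to receive ciphertext.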
@@ -206,28 +206,39 @@ struct elem_to_channel { static int assign_pair(struct elem_to_channel e2c_vec[MAX_ELEM_ID], uint8_t (*layout_map)[3], int offset, uint64_t left, - uint64_t right, int pos) + uint64_t right, int pos) { if (layout_map[offset][0] == TYPE_CPE) { e2c_vec[offset] = (struct elem_to_channel) { - .av_position = left | right, .syn_ele = TYPE_CPE, - .elem_id = layout_map[offset ][1], .aac_position = pos }; + .av_position = left | right, + .syn_ele = TYPE_CPE, + .elem_id = layout_map[offset][1], + .aac_position = pos + }; return 1; } else { - e2c_vec[offset] = (struct elem_to_channel) { - .av_position = left, .syn_ele = TYPE_SCE, - .elem_id = layout_map[offset ][1], .aac_position = pos }; + e2c_vec[offset] = (struct elem_to_channel) { + .av_position = left, + .syn_ele = TYPE_SCE, + .elem_id = layout_map[offset][1], + .aac_position = pos + }; e2c_vec[offset + 1] = (struct elem_to_channel) { - .av_position = right, .syn_ele = TYPE_SCE, - .elem_id = layout_map[offset + 1][1], .aac_position = pos }; + .av_position = right, + .syn_ele = TYPE_SCE, + .elem_id = layout_map[offset + 1][1], + .aac_position = pos + }; return 2; } } -static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, int *current) { +static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, + int *current) +{ int num_pos_channels = 0; - int first_cpe = 0; - int sce_parity = 0; + int first_cpe = 0; + int sce_parity = 0; int i; for (i = *current; i < tags; i++) { if (layout_map[i][2] != pos) @@ -241,7 +252,7 @@ static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, in } } num_pos_channels += 2; - first_cpe = 1; + first_cpe = 1; } else { num_pos_channels++; sce_parity ^= 1; @@ -249,7 +260,7 @@ static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, in } if (sce_parity && ((pos == AAC_CHANNEL_FRONT && first_cpe) || pos == AAC_CHANNEL_SIDE)) - return -1; + return -1; *current = i; return num_pos_channels; } 
@@ -257,7 +268,7 @@ static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, in static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) { int i, n, total_non_cc_elements; - struct elem_to_channel e2c_vec[4*MAX_ELEM_ID] = {{ 0 }}; + struct elem_to_channel e2c_vec[4 * MAX_ELEM_ID] = { { 0 } }; int num_front_channels, num_side_channels, num_back_channels; uint64_t layout; @@ -281,8 +292,11 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) i = 0; if (num_front_channels & 1) { e2c_vec[i] = (struct elem_to_channel) { - .av_position = AV_CH_FRONT_CENTER, .syn_ele = TYPE_SCE, - .elem_id = layout_map[i][1], .aac_position = AAC_CHANNEL_FRONT }; + .av_position = AV_CH_FRONT_CENTER, + .syn_ele = TYPE_SCE, + .elem_id = layout_map[i][1], + .aac_position = AAC_CHANNEL_FRONT + }; i++; num_front_channels--; } 
@@ -339,22 +353,31 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) } if (num_back_channels) { e2c_vec[i] = (struct elem_to_channel) { - .av_position = AV_CH_BACK_CENTER, .syn_ele = TYPE_SCE, - .elem_id = layout_map[i][1], .aac_position = AAC_CHANNEL_BACK }; + .av_position = AV_CH_BACK_CENTER, + .syn_ele = TYPE_SCE, + .elem_id = layout_map[i][1], + .aac_position = AAC_CHANNEL_BACK + }; i++; num_back_channels--; } if (i < tags && layout_map[i][2] == AAC_CHANNEL_LFE) { e2c_vec[i] = (struct elem_to_channel) { - .av_position = AV_CH_LOW_FREQUENCY, .syn_ele = TYPE_LFE, - .elem_id = layout_map[i][1], .aac_position = AAC_CHANNEL_LFE }; + .av_position = AV_CH_LOW_FREQUENCY, + .syn_ele = TYPE_LFE, + .elem_id = layout_map[i][1], + .aac_position = AAC_CHANNEL_LFE + }; i++; } while (i < tags && layout_map[i][2] == AAC_CHANNEL_LFE) { e2c_vec[i] = (struct elem_to_channel) { - .av_position = UINT64_MAX, .syn_ele = TYPE_LFE, - .elem_id = layout_map[i][1], .aac_position = AAC_CHANNEL_LFE }; + .av_position = UINT64_MAX, + .syn_ele = TYPE_LFE, + .elem_id = layout_map[i][1], + .aac_position = AAC_CHANNEL_LFE + }; i++; } @@ -362,12 +385,11 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) total_non_cc_elements = n = i; do { int next_n = 0; - for (i = 1; i < n; i++) { - if (e2c_vec[i-1].av_position > e2c_vec[i].av_position) { - FFSWAP(struct elem_to_channel, e2c_vec[i-1], e2c_vec[i]); + for (i = 1; i < n; i++) + if (e2c_vec[i - 1].av_position > e2c_vec[i].av_position) { + FFSWAP(struct elem_to_channel, e2c_vec[i - 1], e2c_vec[i]); next_n = i; } - } n = next_n; } while (n > 0); 
@@ -407,12 +429,13 @@ static void pop_output_configuration(AACContext *ac) { } /** - * Configure output channel order based on the current program configuration element. + * Configure output channel order based on the current program + * configuration element. * * @return Returns error status. 0 - OK, !0 - error */ static int output_configure(AACContext *ac, - uint8_t layout_map[MAX_ELEM_ID*4][3], int tags, + uint8_t layout_map[MAX_ELEM_ID * 4][3], int tags, enum OCStatus oc_type, int get_new_frame) { AVCodecContext *avctx = ac->avctx; @@ -448,7 +471,7 @@ static int output_configure(AACContext *ac, memcpy(ac->tag_che_map, ac->che, 4 * MAX_ELEM_ID * sizeof(ac->che[0][0])); avctx->channel_layout = ac->oc[1].channel_layout = layout; - avctx->channels = ac->oc[1].channels = channels; + avctx->channels = ac->oc[1].channels = channels; ac->oc[1].status = oc_type; if (get_new_frame) { 
@@ -466,34 +489,38 @@ static int output_configure(AACContext *ac, * @return Returns error status. 0 - OK, !0 - error */ static int set_default_channel_config(AVCodecContext *avctx, - uint8_t (*layout_map)[3], - int *tags, - int channel_config) + uint8_t (*layout_map)[3], + int *tags, + int channel_config) { if (channel_config < 1 || channel_config > 7) { - av_log(avctx, AV_LOG_ERROR, "invalid default channel configuration (%d)\n", + av_log(avctx, AV_LOG_ERROR, + "invalid default channel configuration (%d)\n", channel_config); return -1; } *tags = tags_per_config[channel_config]; - memcpy(layout_map, aac_channel_layout_map[channel_config-1], *tags * sizeof(*layout_map)); + memcpy(layout_map, aac_channel_layout_map[channel_config - 1], + *tags * sizeof(*layout_map)); return 0; } static ChannelElement *get_che(AACContext *ac, int type, int elem_id) { - // For PCE based channel configurations map the channels solely based on tags. + /* For PCE based channel configurations map the channels solely based + * on tags. */ if (!ac->oc[1].m4ac.chan_config) { return ac->tag_che_map[type][elem_id]; } // Allow single CPE stereo files to be signalled with mono configuration. - if (!ac->tags_mapped && type == TYPE_CPE && ac->oc[1].m4ac.chan_config == 1) { + if (!ac->tags_mapped && type == TYPE_CPE && + ac->oc[1].m4ac.chan_config == 1) { uint8_t layout_map[MAX_ELEM_ID*4][3]; int layout_map_tags; push_output_configuration(ac); - if (set_default_channel_config(ac->avctx, layout_map, &layout_map_tags, - 2) < 0) + if (set_default_channel_config(ac->avctx, layout_map, + &layout_map_tags, 2) < 0) return NULL; if (output_configure(ac, layout_map, layout_map_tags, OC_TRIAL_FRAME, 1) < 0) 
@@ -503,13 +530,14 @@ static ChannelElement *get_che(AACContext *ac, int type, int elem_id) ac->oc[1].m4ac.ps = 0; } // And vice-versa - if (!ac->tags_mapped && type == TYPE_SCE && ac->oc[1].m4ac.chan_config == 2) { - uint8_t layout_map[MAX_ELEM_ID*4][3]; + if (!ac->tags_mapped && type == TYPE_SCE && + ac->oc[1].m4ac.chan_config == 2) { + uint8_t layout_map[MAX_ELEM_ID * 4][3]; int layout_map_tags; push_output_configuration(ac); - if (set_default_channel_config(ac->avctx, layout_map, &layout_map_tags, - 1) < 0) + if (set_default_channel_config(ac->avctx, layout_map, + &layout_map_tags, 1) < 0) return NULL; if (output_configure(ac, layout_map, layout_map_tags, OC_TRIAL_FRAME, 1) < 0) @@ -519,7 +547,8 @@ static ChannelElement *get_che(AACContext *ac, int type, int elem_id) if (ac->oc[1].m4ac.sbr) ac->oc[1].m4ac.ps = -1; } - // For indexed channel configurations map the channels solely based on position. + /* For indexed channel configurations map the channels solely based + * on position. */ switch (ac->oc[1].m4ac.chan_config) { case 7: if (ac->tags_mapped == 3 && type == TYPE_CPE) { @@ -527,9 +556,12 @@ static ChannelElement *get_che(AACContext *ac, int type, int elem_id) return ac->tag_che_map[TYPE_CPE][elem_id] = ac->che[TYPE_CPE][2]; } case 6: - /* Some streams incorrectly code 5.1 audio as SCE[0] CPE[0] CPE[1] SCE[1] - instead of SCE[0] CPE[0] CPE[1] LFE[0]. If we seem to have - encountered such a stream, transfer the LFE[0] element to the SCE[1]'s mapping */ + /* Some streams incorrectly code 5.1 audio as + * SCE[0] CPE[0] CPE[1] SCE[1] + * instead of + * SCE[0] CPE[0] CPE[1] LFE[0]. + * If we seem to have encountered such a stream, transfer + * the LFE[0] element to the SCE[1]'s mapping */ if (ac->tags_mapped == tags_per_config[ac->oc[1].m4ac.chan_config] - 1 && (type == TYPE_LFE || type == TYPE_SCE)) { ac->tags_mapped++; return ac->tag_che_map[type][elem_id] = ac->che[TYPE_LFE][0]; 
@@ -540,13 +572,16 @@ static ChannelElement *get_che(AACContext *ac, int type, int elem_id) return ac->tag_che_map[TYPE_CPE][elem_id] = ac->che[TYPE_CPE][1]; } case 4: - if (ac->tags_mapped == 2 && ac->oc[1].m4ac.chan_config == 4 && type == TYPE_SCE) { + if (ac->tags_mapped == 2 && + ac->oc[1].m4ac.chan_config == 4 && + type == TYPE_SCE) { ac->tags_mapped++; return ac->tag_che_map[TYPE_SCE][elem_id] = ac->che[TYPE_SCE][1]; } case 3: case 2: - if (ac->tags_mapped == (ac->oc[1].m4ac.chan_config != 2) && type == TYPE_CPE) { + if (ac->tags_mapped == (ac->oc[1].m4ac.chan_config != 2) && + type == TYPE_CPE) { ac->tags_mapped++; return ac->tag_che_map[TYPE_CPE][elem_id] = ac->che[TYPE_CPE][0]; } else if (ac->oc[1].m4ac.chan_config == 2) { @@ -563,7 +598,8 @@ static ChannelElement *get_che(AACContext *ac, int type, int elem_id) } /** - * Decode an array of 4 bit element IDs, optionally interleaved with a stereo/mono switching bit. + * Decode an array of 4 bit element IDs, optionally interleaved with a + * stereo/mono switching bit. * * @param type speaker type/position for these channels */ @@ -603,7 +639,8 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac, uint8_t (*layout_map)[3], GetBitContext *gb) { - int num_front, num_side, num_back, num_lfe, num_assoc_data, num_cc, sampling_index; + int num_front, num_side, num_back, num_lfe, num_assoc_data, num_cc; + int sampling_index; int comment_len; int tags; @@ -611,7 +648,9 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac, sampling_index = get_bits(gb, 4); if (m4ac->sampling_index != sampling_index) - av_log(avctx, AV_LOG_WARNING, "Sample rate index in program config element does not match the sample rate index configured by the container.\n"); + av_log(avctx, AV_LOG_WARNING, + "Sample rate index in program config element does not " + "match the sample rate index configured by the container.\n"); num_front = get_bits(gb, 4); num_side = get_bits(gb, 4); 
@@ -690,7 +729,8 @@ static int decode_ga_specific_config(AACContext *ac, AVCodecContext *avctx, if (tags < 0) return tags; } else { - if ((ret = set_default_channel_config(avctx, layout_map, &tags, channel_config))) + if ((ret = set_default_channel_config(avctx, layout_map, + &tags, channel_config))) return ret; } @@ -712,7 +752,7 @@ static int decode_ga_specific_config(AACContext *ac, AVCodecContext *avctx, case AOT_ER_AAC_LTP: case AOT_ER_AAC_SCALABLE: case AOT_ER_AAC_LD: - skip_bits(gb, 3); /* aacSectionDataResilienceFlag + skip_bits(gb, 3); /* aacSectionDataResilienceFlag * aacScalefactorDataResilienceFlag * aacSpectralDataResilienceFlag */ @@ -746,15 +786,18 @@ static int decode_audio_specific_config(AACContext *ac, av_dlog(avctx, "extradata size %d\n", avctx->extradata_size); for (i = 0; i < avctx->extradata_size; i++) - av_dlog(avctx, "%02x ", avctx->extradata[i]); + av_dlog(avctx, "%02x ", avctx->extradata[i]); av_dlog(avctx, "\n"); init_get_bits(&gb, data, bit_size); - if ((i = avpriv_mpeg4audio_get_config(m4ac, data, bit_size, sync_extension)) < 0) + if ((i = avpriv_mpeg4audio_get_config(m4ac, data, bit_size, + sync_extension)) < 0) return -1; if (m4ac->sampling_index > 12) { - av_log(avctx, AV_LOG_ERROR, "invalid sampling rate index %d\n", m4ac->sampling_index); + av_log(avctx, AV_LOG_ERROR, + "invalid sampling rate index %d\n", + m4ac->sampling_index); return -1; } 
@@ -768,14 +811,18 @@ static int decode_audio_specific_config(AACContext *ac, return -1; break; default: - av_log(avctx, AV_LOG_ERROR, "Audio object type %s%d is not supported.\n", - m4ac->sbr == 1? "SBR+" : "", m4ac->object_type); + av_log(avctx, AV_LOG_ERROR, + "Audio object type %s%d is not supported.\n", + m4ac->sbr == 1 ? "SBR+" : "", + m4ac->object_type); return -1; } - av_dlog(avctx, "AOT %d chan config %d sampling index %d (%d) SBR %d PS %d\n", + av_dlog(avctx, + "AOT %d chan config %d sampling index %d (%d) SBR %d PS %d\n", m4ac->object_type, m4ac->chan_config, m4ac->sampling_index, - m4ac->sample_rate, m4ac->sbr, m4ac->ps); + m4ac->sample_rate, m4ac->sbr, + m4ac->ps); return get_bits_count(&gb); } @@ -833,10 +880,12 @@ static void reset_predictor_group(PredictorState *ps, int group_num) reset_predict_state(&ps[i]); } -#define AAC_INIT_VLC_STATIC(num, size) \ - INIT_VLC_STATIC(&vlc_spectral[num], 8, ff_aac_spectral_sizes[num], \ - ff_aac_spectral_bits[num], sizeof( ff_aac_spectral_bits[num][0]), sizeof( ff_aac_spectral_bits[num][0]), \ - ff_aac_spectral_codes[num], sizeof(ff_aac_spectral_codes[num][0]), sizeof(ff_aac_spectral_codes[num][0]), \ +#define AAC_INIT_VLC_STATIC(num, size) \ + INIT_VLC_STATIC(&vlc_spectral[num], 8, ff_aac_spectral_sizes[num], \ + ff_aac_spectral_bits[num], sizeof(ff_aac_spectral_bits[num][0]), \ + sizeof(ff_aac_spectral_bits[num][0]), \ + ff_aac_spectral_codes[num], sizeof(ff_aac_spectral_codes[num][0]), \ + sizeof(ff_aac_spectral_codes[num][0]), \ size); static av_cold int aac_decode_init(AVCodecContext *avctx) @@ -851,7 +900,7 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) if (avctx->extradata_size > 0) { if (decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac, avctx->extradata, - avctx->extradata_size*8, 1) < 0) + avctx->extradata_size * 8, 1) < 0) return -1; } else { int sr, i; 
@@ -905,9 +954,14 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) ff_aac_tableinit(); - INIT_VLC_STATIC(&vlc_scalefactors,7,FF_ARRAY_ELEMS(ff_aac_scalefactor_code), - ff_aac_scalefactor_bits, sizeof(ff_aac_scalefactor_bits[0]), sizeof(ff_aac_scalefactor_bits[0]), - ff_aac_scalefactor_code, sizeof(ff_aac_scalefactor_code[0]), sizeof(ff_aac_scalefactor_code[0]), + INIT_VLC_STATIC(&vlc_scalefactors, 7, + FF_ARRAY_ELEMS(ff_aac_scalefactor_code), + ff_aac_scalefactor_bits, + sizeof(ff_aac_scalefactor_bits[0]), + sizeof(ff_aac_scalefactor_bits[0]), + ff_aac_scalefactor_code, + sizeof(ff_aac_scalefactor_code[0]), + sizeof(ff_aac_scalefactor_code[0]), 352); ff_mdct_init(&ac->mdct, 11, 1, 1.0 / (32768.0 * 1024.0)); @@ -953,8 +1007,10 @@ static int decode_prediction(AACContext *ac, IndividualChannelStream *ics, int sfb; if (get_bits1(gb)) { ics->predictor_reset_group = get_bits(gb, 5); - if (ics->predictor_reset_group == 0 || ics->predictor_reset_group > 30) { - av_log(ac->avctx, AV_LOG_ERROR, "Invalid Predictor Reset Group.\n"); + if (ics->predictor_reset_group == 0 || + ics->predictor_reset_group > 30) { + av_log(ac->avctx, AV_LOG_ERROR, + "Invalid Predictor Reset Group.\n"); return -1; } } @@ -1024,7 +1080,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, return AVERROR_INVALIDDATA; } } else if (ac->oc[1].m4ac.object_type == AOT_AAC_LC) { - av_log(ac->avctx, AV_LOG_ERROR, "Prediction is not allowed in AAC-LC.\n"); + av_log(ac->avctx, AV_LOG_ERROR, + "Prediction is not allowed in AAC-LC.\n"); return AVERROR_INVALIDDATA; } else { if ((ics->ltp.present = get_bits(gb, 1))) @@ -1035,7 +1092,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, if (ics->max_sfb > ics->num_swb) { av_log(ac->avctx, AV_LOG_ERROR, - "Number of scalefactor bands in group (%d) exceeds limit (%d).\n", + "Number of scalefactor bands in group (%d) " + "exceeds limit (%d).\n", ics->max_sfb, ics->num_swb); return AVERROR_INVALIDDATA; } 
@@ -1116,7 +1174,8 @@ static int decode_scalefactors(AACContext *ac, float sf[120], GetBitContext *gb, if (band_type[idx] == ZERO_BT) { for (; i < run_end; i++, idx++) sf[idx] = 0.; - } else if ((band_type[idx] == INTENSITY_BT) || (band_type[idx] == INTENSITY_BT2)) { + } else if ((band_type[idx] == INTENSITY_BT) || + (band_type[idx] == INTENSITY_BT2)) { for (; i < run_end; i++, idx++) { offset[2] += get_vlc2(gb, vlc_scalefactors.table, 7, 3) - 60; clipped_offset = av_clip(offset[2], -155, 100); @@ -1204,7 +1263,8 @@ static int decode_tns(AACContext *ac, TemporalNoiseShaping *tns, tns->length[w][filt] = get_bits(gb, 6 - 2 * is8); if ((tns->order[w][filt] = get_bits(gb, 5 - 2 * is8)) > tns_max_order) { - av_log(ac->avctx, AV_LOG_ERROR, "TNS filter order %d is greater than maximum %d.\n", + av_log(ac->avctx, AV_LOG_ERROR, + "TNS filter order %d is greater than maximum %d.\n", tns->order[w][filt], tns_max_order); tns->order[w][filt] = 0; return -1; @@ -1236,7 +1296,9 @@ static void decode_mid_side_stereo(ChannelElement *cpe, GetBitContext *gb, { int idx; if (ms_present == 1) { - for (idx = 0; idx < cpe->ch[0].ics.num_window_groups * cpe->ch[0].ics.max_sfb; idx++) + for (idx = 0; + idx < cpe->ch[0].ics.num_window_groups * cpe->ch[0].ics.max_sfb; + idx++) cpe->ms_mask[idx] = get_bits1(gb); } else if (ms_present == 2) { memset(cpe->ms_mask, 1, cpe->ch[0].ics.num_window_groups * cpe->ch[0].ics.max_sfb * sizeof(cpe->ms_mask[0])); @@ -1335,7 +1397,8 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024], float *coef_base = coef; for (g = 0; g < ics->num_windows; g++) - memset(coef + g * 128 + offsets[ics->max_sfb], 0, sizeof(float) * (c - offsets[ics->max_sfb])); + memset(coef + g * 128 + offsets[ics->max_sfb], 0, + sizeof(float) * (c - offsets[ics->max_sfb])); for (g = 0; g < ics->num_window_groups; g++) { unsigned g_len = ics->group_len[g]; 
@@ -1605,14 +1668,20 @@ static void apply_prediction(AACContext *ac, SingleChannelElement *sce) } if (sce->ics.window_sequence[0] != EIGHT_SHORT_SEQUENCE) { - for (sfb = 0; sfb < ff_aac_pred_sfb_max[ac->oc[1].m4ac.sampling_index]; sfb++) { - for (k = sce->ics.swb_offset[sfb]; k < sce->ics.swb_offset[sfb + 1]; k++) { + for (sfb = 0; + sfb < ff_aac_pred_sfb_max[ac->oc[1].m4ac.sampling_index]; + sfb++) { + for (k = sce->ics.swb_offset[sfb]; + k < sce->ics.swb_offset[sfb + 1]; + k++) { predict(&sce->predictor_state[k], &sce->coeffs[k], - sce->ics.predictor_present && sce->ics.prediction_used[sfb]); + sce->ics.predictor_present && + sce->ics.prediction_used[sfb]); } } if (sce->ics.predictor_reset_group) - reset_predictor_group(sce->predictor_state, sce->ics.predictor_reset_group); + reset_predictor_group(sce->predictor_state, + sce->ics.predictor_reset_group); } else reset_all_predictors(sce->predictor_state); } @@ -1646,20 +1715,24 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, return AVERROR_INVALIDDATA; } - if (decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics) < 0) + if (decode_band_types(ac, sce->band_type, + sce->band_type_run_end, gb, ics) < 0) return -1; - if (decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end) < 0) + if (decode_scalefactors(ac, sce->sf, gb, global_gain, ics, + sce->band_type, sce->band_type_run_end) < 0) return -1; pulse_present = 0; if (!scale_flag) { if ((pulse_present = get_bits1(gb))) { if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { - av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); + av_log(ac->avctx, AV_LOG_ERROR, + "Pulse tool not allowed in eight short sequence.\n"); return -1; } if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) { - av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); + av_log(ac->avctx, AV_LOG_ERROR, + "Pulse data corrupt or invalid.\n"); return -1; } } 
@@ -1671,7 +1744,8 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, } } - if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, &pulse, ics, sce->band_type) < 0) + if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, + &pulse, ics, sce->band_type) < 0) return -1; if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window) @@ -1693,7 +1767,8 @@ static void apply_mid_side_stereo(AACContext *ac, ChannelElement *cpe) for (g = 0; g < ics->num_window_groups; g++) { for (i = 0; i < ics->max_sfb; i++, idx++) { if (cpe->ms_mask[idx] && - cpe->ch[0].band_type[idx] < NOISE_BT && cpe->ch[1].band_type[idx] < NOISE_BT) { + cpe->ch[0].band_type[idx] < NOISE_BT && + cpe->ch[1].band_type[idx] < NOISE_BT) { for (group = 0; group < ics->group_len[g]; group++) { ac->dsp.butterflies_float(ch0 + group * 128 + offsets[i], ch1 + group * 128 + offsets[i], @@ -1713,7 +1788,8 @@ static void apply_mid_side_stereo(AACContext *ac, ChannelElement *cpe) * [1] mask is decoded from bitstream; [2] mask is all 1s; * [3] reserved for scalable AAC */ -static void apply_intensity_stereo(AACContext *ac, ChannelElement *cpe, int ms_present) +static void apply_intensity_stereo(AACContext *ac, + ChannelElement *cpe, int ms_present) { const IndividualChannelStream *ics = &cpe->ch[1].ics; SingleChannelElement *sce1 = &cpe->ch[1]; @@ -1724,7 +1800,8 @@ static void apply_intensity_stereo(AACContext *ac, ChannelElement *cpe, int ms_p float scale; for (g = 0; g < ics->num_window_groups; g++) { for (i = 0; i < ics->max_sfb;) { - if (sce1->band_type[idx] == INTENSITY_BT || sce1->band_type[idx] == INTENSITY_BT2) { + if (sce1->band_type[idx] == INTENSITY_BT || + sce1->band_type[idx] == INTENSITY_BT2) { const int bt_run_end = sce1->band_type_run_end[idx]; for (; i < bt_run_end; i++, idx++) { c = -1 + 2 * (sce1->band_type[idx] - 14); 
@@ -1764,7 +1841,8 @@ static int decode_cpe(AACContext *ac, GetBitContext *gb, ChannelElement *cpe) i = cpe->ch[1].ics.use_kb_window[0]; cpe->ch[1].ics = cpe->ch[0].ics; cpe->ch[1].ics.use_kb_window[1] = i; - if (cpe->ch[1].ics.predictor_present && (ac->oc[1].m4ac.object_type != AOT_AAC_MAIN)) + if (cpe->ch[1].ics.predictor_present && + (ac->oc[1].m4ac.object_type != AOT_AAC_MAIN)) if ((cpe->ch[1].ics.ltp.present = get_bits(gb, 1))) decode_ltp(&cpe->ch[1].ics.ltp, gb, cpe->ch[1].ics.max_sfb); ms_present = get_bits(gb, 2); @@ -2592,13 +2670,13 @@ static av_cold int aac_decode_close(AVCodecContext *avctx) #define LOAS_SYNC_WORD 0x2b7 ///< 11 bits LOAS sync word struct LATMContext { - AACContext aac_ctx; ///< containing AACContext - int initialized; ///< initilized after a valid extradata was seen + AACContext aac_ctx; ///< containing AACContext + int initialized; ///< initilized after a valid extradata was seen // parser data - int audio_mux_version_A; ///< LATM syntax version - int frame_length_type; ///< 0/1 variable/fixed frame length - int frame_length; ///< frame length for fixed frame length + int audio_mux_version_A; ///< LATM syntax version + int frame_length_type; ///< 0/1 variable/fixed frame length + int frame_length; ///< frame length for fixed frame length }; static inline uint32_t latm_get_value(GetBitContext *b) From b53db58ab78925930e69605b704c4f6ab3ac8c18 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 7 May 2013 01:29:36 +0200 Subject: [PATCH 0467/1037] aac: return meaningful errors (cherry picked from commit 07c52e2c7c60b087fd023cd9771778973def0b33) Signed-off-by: Luca Barbato --- libavcodec/aacdec.c | 66 ++++++++++++++++++++++++--------------------- 1 file changed, 35 insertions(+), 31 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 99895bae08..7952ac4129 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c 
@@ -497,7 +497,7 @@ static int set_default_channel_config(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "invalid default channel configuration (%d)\n", channel_config); - return -1; + return AVERROR_INVALIDDATA; } *tags = tags_per_config[channel_config]; memcpy(layout_map, aac_channel_layout_map[channel_config - 1], @@ -687,7 +687,7 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac, comment_len = get_bits(gb, 8) * 8; if (get_bits_left(gb) < comment_len) { av_log(avctx, AV_LOG_ERROR, overread_err); - return -1; + return AVERROR_INVALIDDATA; } skip_bits_long(gb, comment_len); return tags; @@ -782,7 +782,7 @@ static int decode_audio_specific_config(AACContext *ac, int sync_extension) { GetBitContext gb; - int i; + int i, ret; av_dlog(avctx, "extradata size %d\n", avctx->extradata_size); for (i = 0; i < avctx->extradata_size; i++) @@ -793,12 +793,12 @@ static int decode_audio_specific_config(AACContext *ac, if ((i = avpriv_mpeg4audio_get_config(m4ac, data, bit_size, sync_extension)) < 0) - return -1; + return AVERROR_INVALIDDATA; if (m4ac->sampling_index > 12) { av_log(avctx, AV_LOG_ERROR, "invalid sampling rate index %d\n", m4ac->sampling_index); - return -1; + return AVERROR_INVALIDDATA; } skip_bits_long(&gb, i); @@ -807,15 +807,16 @@ static int decode_audio_specific_config(AACContext *ac, case AOT_AAC_MAIN: case AOT_AAC_LC: case AOT_AAC_LTP: - if (decode_ga_specific_config(ac, avctx, &gb, m4ac, m4ac->chan_config)) - return -1; + if ((ret = decode_ga_specific_config(ac, avctx, &gb, + m4ac, m4ac->chan_config)) < 0) + return ret; break; default: av_log(avctx, AV_LOG_ERROR, "Audio object type %s%d is not supported.\n", m4ac->sbr == 1 ? "SBR+" : "", m4ac->object_type); - return -1; + return AVERROR(ENOSYS); } av_dlog(avctx, 
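Review bot: The unsupported-object-type branch of decode_audio_specific_config (hunk `@@ -807,15 +807,16 @@`) now returns `AVERROR(ENOSYS)`, while the SSR branch of decode_ics in the same file reports a valid-but-unimplemented feature with `AVERROR_PATCHWELCOME`. A caller that wants to tell a malformed stream from one that is merely not implemented has to know both codes. Unless the difference is intentional, one code for both cases would be simpler, e.g. `return AVERROR_PATCHWELCOME;` here. The function body starts and ends outside this hunk.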
@@ -891,6 +892,7 @@ static void reset_predictor_group(PredictorState *ps, int group_num) static av_cold int aac_decode_init(AVCodecContext *avctx) { AACContext *ac = avctx->priv_data; + int ret; ac->avctx = avctx; ac->oc[1].m4ac.sample_rate = avctx->sample_rate; @@ -898,10 +900,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (avctx->extradata_size > 0) { - if (decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac, - avctx->extradata, - avctx->extradata_size * 8, 1) < 0) - return -1; + if ((ret = decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac, + avctx->extradata, + avctx->extradata_size * 8, + 1)) < 0) + return ret; } else { int sr, i; uint8_t layout_map[MAX_ELEM_ID*4][3]; @@ -995,7 +998,7 @@ static int skip_data_stream_element(AACContext *ac, GetBitContext *gb) if (get_bits_left(gb) < 8 * count) { av_log(ac->avctx, AV_LOG_ERROR, overread_err); - return -1; + return AVERROR_INVALIDDATA; } skip_bits_long(gb, 8 * count); return 0; @@ -1011,7 +1014,7 @@ static int decode_prediction(AACContext *ac, IndividualChannelStream *ics, ics->predictor_reset_group > 30) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid Predictor Reset Group.\n"); - return -1; + return AVERROR_INVALIDDATA; } } for (sfb = 0; sfb < FFMIN(ics->max_sfb, ff_aac_pred_sfb_max[ac->oc[1].m4ac.sampling_index]); sfb++) { 
@@ -1123,20 +1126,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120], int sect_band_type = get_bits(gb, 4); if (sect_band_type == 12) { av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n"); - return -1; + return AVERROR_INVALIDDATA; } do { sect_len_incr = get_bits(gb, bits); sect_end += sect_len_incr; if (get_bits_left(gb) < 0) { av_log(ac->avctx, AV_LOG_ERROR, overread_err); - return -1; + return AVERROR_INVALIDDATA; } if (sect_end > ics->max_sfb) { av_log(ac->avctx, AV_LOG_ERROR, "Number of bands (%d) exceeds limit (%d).\n", sect_end, ics->max_sfb); - return -1; + return AVERROR_INVALIDDATA; } } while (sect_len_incr == (1 << bits) - 1); for (; k < sect_end; k++) { @@ -1208,7 +1211,7 @@ static int decode_scalefactors(AACContext *ac, float sf[120], GetBitContext *gb, if (offset[0] > 255U) { av_log(ac->avctx, AV_LOG_ERROR, "Scalefactor (%d) out of range.\n", offset[0]); - return -1; + return AVERROR_INVALIDDATA; } sf[idx] = -ff_aac_pow2sf_tab[offset[0] - 100 + POW_SF2_ZERO]; } @@ -1267,7 +1270,7 @@ static int decode_tns(AACContext *ac, TemporalNoiseShaping *tns, "TNS filter order %d is greater than maximum %d.\n", tns->order[w][filt], tns_max_order); tns->order[w][filt] = 0; - return -1; + return AVERROR_INVALIDDATA; } if (tns->order[w][filt]) { tns->direction[w][filt] = get_bits1(gb); @@ -1553,7 +1556,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024], if (b > 8) { av_log(ac->avctx, AV_LOG_ERROR, "error in spectral data, ESC overflow\n"); - return -1; + return AVERROR_INVALIDDATA; } SKIP_BITS(re, gb, b + 1); @@ -1702,6 +1705,7 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, IndividualChannelStream *ics = &sce->ics; float *out = sce->coeffs; int global_gain, pulse_present = 0; + int ret; /* This assignment is to silence a GCC warning about the variable being used * uninitialized when in fact it always is. 
@@ -1715,12 +1719,12 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, return AVERROR_INVALIDDATA; } - if (decode_band_types(ac, sce->band_type, - sce->band_type_run_end, gb, ics) < 0) - return -1; - if (decode_scalefactors(ac, sce->sf, gb, global_gain, ics, - sce->band_type, sce->band_type_run_end) < 0) - return -1; + if ((ret = decode_band_types(ac, sce->band_type, + sce->band_type_run_end, gb, ics)) < 0) + return ret; + if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics, + sce->band_type, sce->band_type_run_end)) < 0) + return ret; pulse_present = 0; if (!scale_flag) { @@ -1728,16 +1732,16 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); - return -1; + return AVERROR_INVALIDDATA; } if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); - return -1; + return AVERROR_INVALIDDATA; } } if ((tns->present = get_bits1(gb)) && decode_tns(ac, tns, gb, ics)) - return -1; + return AVERROR_INVALIDDATA; if (get_bits1(gb)) { av_log_missing_feature(ac->avctx, "SSR", 1); return AVERROR_PATCHWELCOME; @@ -1746,7 +1750,7 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, &pulse, ics, sce->band_type) < 0) - return -1; + return AVERROR_INVALIDDATA; if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window) apply_prediction(ac, sce); @@ -1848,7 +1852,7 @@ static int decode_cpe(AACContext *ac, GetBitContext *gb, ChannelElement *cpe) ms_present = get_bits(gb, 2); if (ms_present == 3) { av_log(ac->avctx, AV_LOG_ERROR, "ms_present = 3 is reserved.\n"); - return -1; + return AVERROR_INVALIDDATA; } else if (ms_present) decode_mid_side_stereo(cpe, gb, ms_present); } 
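Review bot: decode_ics now declares `ret` and forwards the codes from decode_band_types and decode_scalefactors, but the decode_tns call in `@@ -1728,16 +1732,16 @@` and the decode_spectrum_and_dequant call in `@@ -1746,7 +1750,7 @@` still return a hard-coded `AVERROR_INVALIDDATA`. Both callees return `AVERROR_INVALIDDATA` themselves after this commit, so behaviour is the same today, but a different code added to either of them later would be masked here. Forwarding keeps the function uniform: `if ((ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, &pulse, ics, sce->band_type)) < 0) return ret;`, and likewise for decode_tns. decode_ics starts and ends outside these hunks.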
From cb31b6ca724774057822ed65a818a41db8072e06 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 4 Aug 2013 15:00:02 +0200 Subject: [PATCH 0468/1037] aac: Check init_get_bits return value Some code paths can call it with invalid length. CC: libav-stable@libav.org (cherry picked from commit 71953ebcf94fe4ef316cdad1f276089205dd1d65) Signed-off-by: Luca Barbato --- libavcodec/aacdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 7952ac4129..325bf63794 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -789,7 +789,8 @@ static int decode_audio_specific_config(AACContext *ac, av_dlog(avctx, "%02x ", avctx->extradata[i]); av_dlog(avctx, "\n"); - init_get_bits(&gb, data, bit_size); + if ((ret = init_get_bits(&gb, data, bit_size)) < 0) + return ret; if ((i = avpriv_mpeg4audio_get_config(m4ac, data, bit_size, sync_extension)) < 0) @@ -2638,7 +2639,8 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data, } } - init_get_bits(&gb, buf, buf_size * 8); + if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0) + return err; if ((err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb)) < 0) return err; @@ -2883,7 +2885,8 @@ static int latm_decode_frame(AVCodecContext *avctx, void *out, int muxlength, err; GetBitContext gb; - init_get_bits(&gb, avpkt->data, avpkt->size * 8); + if ((err = init_get_bits(&gb, avpkt->data, avpkt->size * 8)) < 0) + return err; // check for LOAS sync word if (get_bits(&gb, 11) != LOAS_SYNC_WORD) From c5ba226c1b0b76c1e7fad17a1448b793240671f6 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 4 Aug 2013 18:48:20 +0200 Subject: [PATCH 0469/1037] bink: Bound check the quantization matrix. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 9991298f2c4d9022ad56057f15d037e18d454157) Signed-off-by: Luca Barbato --- libavcodec/bink.c | 3 +++ 1 file changed, 3 insertions(+) 
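Review bot: In aac_decode_frame and latm_decode_frame the new checks see the bit count only after `buf_size * 8` and `avpkt->size * 8` have been evaluated, so a byte size above `INT_MAX / 8` overflows before init_get_bits can reject anything (assuming both operands are `int`; their declarations are outside the hunks). A product that wraps to a non-negative value would get past whatever range check init_get_bits applies, with a length that no longer matches the packet. Bounding the byte size first closes that gap, e.g. `if (avpkt->size > INT_MAX / 8) return AVERROR_INVALIDDATA;` ahead of the call in latm_decode_frame, and the same test on `buf_size` in aac_decode_frame.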
diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 059601debf..c637f4e33f 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -677,6 +677,9 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t * quant_idx = q; } + if (quant_idx >= 16) + return AVERROR_INVALIDDATA; + quant = quant_matrices[quant_idx]; block[0] = (block[0] * quant[0]) >> 11; From 937cedd7c0ca98d183ceaf650f0dad1aab1b75a5 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 5 Aug 2013 06:27:12 +0200 Subject: [PATCH 0470/1037] vc1: check the source buffer in vc1_mc functions Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 090cd0631140ac1a3a795d2adfac5dbf5e381aa2) Signed-off-by: Luca Barbato Conflicts: libavcodec/vc1dec.c --- libavcodec/vc1dec.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index c29f91ce11..e24a15380e 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -394,6 +394,11 @@ static void vc1_mc_1mv(VC1Context *v, int dir) } } + if (!srcY || !srcU) { + av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n"); + return; + } + src_x = s->mb_x * 16 + (mx >> 2); src_y = s->mb_y * 16 + (my >> 2); uvsrc_x = s->mb_x * 8 + (uvmx >> 2); @@ -569,6 +574,11 @@ static void vc1_mc_4mv_luma(VC1Context *v, int n, int dir) } else srcY = s->next_picture.f.data[0]; + if (!srcY) { + av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n"); + return; + } + if (v->field_mode) { if (v->cur_field_type != v->ref_field_type[dir]) my = my - 2 + 4 * v->cur_field_type; @@ -856,6 +866,11 @@ static void vc1_mc_4mv_chroma(VC1Context *v, int dir) srcV = s->next_picture.f.data[2] + uvsrc_y * s->uvlinesize + uvsrc_x; } + if (!srcU) { + av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n"); + return; + } + if (v->field_mode) { if (chroma_ref_type) { srcU += s->current_picture_ptr->f.linesize[1]; 
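Review bot: The guard added to read_dct_coeffs rejects only `quant_idx >= 16`; if `quant_idx` is a signed int (its declaration is outside the hunk) and `q` can arrive negative, `quant_matrices[quant_idx]` is still read before the start of the table. `if (quant_idx < 0 || quant_idx >= 16)` covers both ends. The function also gains a new failure return, so its callers, which are not part of this hunk, need to test that result rather than go on using `block`.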
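Review bot: In vc1_mc_4mv_chroma the new `if (!srcU)` test comes after the chroma pointers have been offset: the context line just above it is `srcV = s->next_picture.f.data[2] + uvsrc_y * s->uvlinesize + uvsrc_x;`, and srcU is presumably built the same way outside the hunk. With a missing reference plane srcU is then NULL plus an offset, so the test fires only when that offset happens to be zero. The check is more reliable on the selected picture's `f.data[1]` and `f.data[2]` before the offset is added, as vc1_mc_1mv and vc1_mc_4mv_luma do by testing before their offsets are applied. srcV is not tested here or in vc1_mc_1mv (`!srcY || !srcU`), and since all three functions return void the caller is not told that the block was left unwritten.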
From b26c9f4e522040b24580554f06a2376de3d00b24 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 5 Aug 2013 06:30:24 +0200 Subject: [PATCH 0471/1037] vc1: check mb_height validity. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 43bacd5b7d3d265a77cd29d8abb131057796aecc) Signed-off-by: Luca Barbato --- libavcodec/vc1dec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index e24a15380e..bafd6a2f8c 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5594,6 +5594,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, v->mv_f[1] = tmp[1]; } mb_height = s->mb_height >> v->field_mode; + + if (!mb_height) { + av_log(v->s.avctx, AV_LOG_ERROR, "Invalid mb_height.\n"); + goto err; + } + for (i = 0; i <= n_slices; i++) { if (i > 0 && slices[i - 1].mby_start >= mb_height) { if (v->field_mode <= 0) { From e897e0631ae6ae74c74198aa5d5ff223d01ab8da Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 8 Aug 2013 18:52:11 +0200 Subject: [PATCH 0472/1037] rtmp: rename data_size to size (cherry picked from commit ba5393a609c723ec8ab7f9727c10fef734c09278) Signed-off-by: Luca Barbato --- libavformat/rtmppkt.c | 74 ++++++++++++++++++++--------------------- libavformat/rtmppkt.h | 2 +- libavformat/rtmpproto.c | 70 +++++++++++++++++++------------------- 3 files changed, 73 insertions(+), 73 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index aed188dcc7..3af56270d2 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
@@ -145,25 +145,25 @@ int ff_rtmp_packet_read_internal(URLContext *h, RTMPPacket *p, int chunk_size, { uint8_t t, buf[16]; - int channel_id, timestamp, data_size, offset = 0; + int channel_id, timestamp, size, offset = 0; uint32_t extra = 0; enum RTMPPacketType type; - int size = 0; + int written = 0; int ret; - size++; + written++; channel_id = hdr & 0x3F; if (channel_id < 2) { //special case for channel number >= 64 buf[1] = 0; if (ffurl_read_complete(h, buf, channel_id + 1) != channel_id + 1) return AVERROR(EIO); - size += channel_id + 1; + written += channel_id + 1; channel_id = AV_RL16(buf) + 64; } - data_size = prev_pkt[channel_id].data_size; - type = prev_pkt[channel_id].type; - extra = prev_pkt[channel_id].extra; + size = prev_pkt[channel_id].size; + type = prev_pkt[channel_id].type; + extra = prev_pkt[channel_id].extra; hdr >>= 6; if (hdr == RTMP_PS_ONEBYTE) { @@ -171,21 +171,21 @@ int ff_rtmp_packet_read_internal(URLContext *h, RTMPPacket *p, int chunk_size, } else { if (ffurl_read_complete(h, buf, 3) != 3) return AVERROR(EIO); - size += 3; + written += 3; timestamp = AV_RB24(buf); if (hdr != RTMP_PS_FOURBYTES) { if (ffurl_read_complete(h, buf, 3) != 3) return AVERROR(EIO); - size += 3; - data_size = AV_RB24(buf); + written += 3; + size = AV_RB24(buf); if (ffurl_read_complete(h, buf, 1) != 1) return AVERROR(EIO); - size++; + written++; type = buf[0]; if (hdr == RTMP_PS_TWELVEBYTES) { if (ffurl_read_complete(h, buf, 4) != 4) return AVERROR(EIO); - size += 4; + written += 4; extra = AV_RL32(buf); } } 
@@ -199,36 +199,36 @@ int ff_rtmp_packet_read_internal(URLContext *h, RTMPPacket *p, int chunk_size, timestamp += prev_pkt[channel_id].timestamp; if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp, - data_size)) < 0) + size)) < 0) return ret; p->extra = extra; // save history prev_pkt[channel_id].channel_id = channel_id; prev_pkt[channel_id].type = type; - prev_pkt[channel_id].data_size = data_size; + prev_pkt[channel_id].size = size; prev_pkt[channel_id].ts_delta = timestamp - prev_pkt[channel_id].timestamp; prev_pkt[channel_id].timestamp = timestamp; prev_pkt[channel_id].extra = extra; - while (data_size > 0) { - int toread = FFMIN(data_size, chunk_size); + while (size > 0) { + int toread = FFMIN(size, chunk_size); if (ffurl_read_complete(h, p->data + offset, toread) != toread) { ff_rtmp_packet_destroy(p); return AVERROR(EIO); } - data_size -= chunk_size; - offset += chunk_size; - size += chunk_size; - if (data_size > 0) { + size -= chunk_size; + offset += chunk_size; + written += chunk_size; + if (size > 0) { if ((ret = ffurl_read_complete(h, &t, 1)) < 0) { // marker ff_rtmp_packet_destroy(p); return ret; } - size++; + written++; if (t != (0xC0 + channel_id)) return -1; } } - return size; + return written; } int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, @@ -237,7 +237,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, uint8_t pkt_hdr[16], *p = pkt_hdr; int mode = RTMP_PS_TWELVEBYTES; int off = 0; - int size = 0; + int written = 0; int ret; pkt->ts_delta = pkt->timestamp - prev_pkt[pkt->channel_id].timestamp; 
@@ -246,7 +246,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, if (prev_pkt[pkt->channel_id].channel_id && pkt->extra == prev_pkt[pkt->channel_id].extra) { if (pkt->type == prev_pkt[pkt->channel_id].type && - pkt->data_size == prev_pkt[pkt->channel_id].data_size) { + pkt->size == prev_pkt[pkt->channel_id].size) { mode = RTMP_PS_FOURBYTES; if (pkt->ts_delta == prev_pkt[pkt->channel_id].ts_delta) mode = RTMP_PS_ONEBYTE; @@ -270,7 +270,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, timestamp = pkt->ts_delta; bytestream_put_be24(&p, timestamp >= 0xFFFFFF ? 0xFFFFFF : timestamp); if (mode != RTMP_PS_FOURBYTES) { - bytestream_put_be24(&p, pkt->data_size); + bytestream_put_be24(&p, pkt->size); bytestream_put_byte(&p, pkt->type); if (mode == RTMP_PS_TWELVEBYTES) bytestream_put_le32(&p, pkt->extra); @@ -281,7 +281,7 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, // save history prev_pkt[pkt->channel_id].channel_id = pkt->channel_id; prev_pkt[pkt->channel_id].type = pkt->type; - prev_pkt[pkt->channel_id].data_size = pkt->data_size; + prev_pkt[pkt->channel_id].size = pkt->size; prev_pkt[pkt->channel_id].timestamp = pkt->timestamp; if (mode != RTMP_PS_TWELVEBYTES) { prev_pkt[pkt->channel_id].ts_delta = pkt->ts_delta; 
@@ -292,20 +292,20 @@ int ff_rtmp_packet_write(URLContext *h, RTMPPacket *pkt, if ((ret = ffurl_write(h, pkt_hdr, p - pkt_hdr)) < 0) return ret; - size = p - pkt_hdr + pkt->data_size; - while (off < pkt->data_size) { - int towrite = FFMIN(chunk_size, pkt->data_size - off); + written = p - pkt_hdr + pkt->size; + while (off < pkt->size) { + int towrite = FFMIN(chunk_size, pkt->size - off); if ((ret = ffurl_write(h, pkt->data + off, towrite)) < 0) return ret; off += towrite; - if (off < pkt->data_size) { + if (off < pkt->size) { uint8_t marker = 0xC0 | pkt->channel_id; if ((ret = ffurl_write(h, &marker, 1)) < 0) return ret; - size++; + written++; } } - return size; + return written; } int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type, @@ -316,7 +316,7 @@ int ff_rtmp_packet_create(RTMPPacket *pkt, int channel_id, RTMPPacketType type, if (!pkt->data) return AVERROR(ENOMEM); } - pkt->data_size = size; + pkt->size = size; pkt->channel_id = channel_id; pkt->type = type; pkt->timestamp = timestamp; @@ -331,7 +331,7 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt) if (!pkt) return; av_freep(&pkt->data); - pkt->data_size = 0; + pkt->size = 0; } int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) @@ -503,9 +503,9 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p) { av_log(ctx, AV_LOG_DEBUG, "RTMP packet type '%s'(%d) for channel %d, timestamp %d, extra field %d size %d\n", - rtmp_packet_type(p->type), p->type, p->channel_id, p->timestamp, p->extra, p->data_size); + rtmp_packet_type(p->type), p->type, p->channel_id, p->timestamp, p->extra, p->size); if (p->type == RTMP_PT_INVOKE || p->type == RTMP_PT_NOTIFY) { - uint8_t *src = p->data, *src_end = p->data + p->data_size; + uint8_t *src = p->data, *src_end = p->data + p->size; while (src < src_end) { int sz; ff_amf_tag_contents(ctx, src, src_end); 
@@ -520,7 +520,7 @@ void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p) av_log(ctx, AV_LOG_DEBUG, "Client BW = %d\n", AV_RB32(p->data)); } else if (p->type != RTMP_PT_AUDIO && p->type != RTMP_PT_VIDEO && p->type != RTMP_PT_METADATA) { int i; - for (i = 0; i < p->data_size; i++) + for (i = 0; i < p->size; i++) av_log(ctx, AV_LOG_DEBUG, " %02X", p->data[i]); av_log(ctx, AV_LOG_DEBUG, "\n"); } diff --git a/libavformat/rtmppkt.h b/libavformat/rtmppkt.h index 276c5608c0..83803d2362 100644 --- a/libavformat/rtmppkt.h +++ b/libavformat/rtmppkt.h @@ -81,7 +81,7 @@ typedef struct RTMPPacket { uint32_t ts_delta; ///< timestamp increment to the previous one in milliseconds (latter only for media packets) uint32_t extra; ///< probably an additional channel ID used during streaming data uint8_t *data; ///< packet payload - int data_size; ///< packet payload size + int size; ///< packet payload size } RTMPPacket; /** diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index f25a79b0e3..d36a43bae7 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -186,7 +186,7 @@ static int find_tracked_method(URLContext *s, RTMPPacket *pkt, int offset, int ret; int i; - bytestream2_init(&gbc, pkt->data + offset, pkt->data_size - offset); + bytestream2_init(&gbc, pkt->data + offset, pkt->size - offset); if ((ret = ff_amf_read_number(&gbc, &pkt_id)) < 0) return ret; @@ -224,7 +224,7 @@ static int rtmp_send_packet(RTMPContext *rt, RTMPPacket *pkt, int track) double pkt_id; int len; - bytestream2_init(&gbc, pkt->data, pkt->data_size); + bytestream2_init(&gbc, pkt->data, pkt->size); if ((ret = ff_amf_read_string(&gbc, name, sizeof(name), &len)) < 0) goto fail; @@ -388,7 +388,7 @@ static int gen_connect(URLContext *s, RTMPContext *rt) } } - pkt.data_size = p - pkt.data; + pkt.size = p - pkt.data; return rtmp_send_packet(rt, &pkt, 1); } 
@@ -409,7 +409,7 @@ static int read_connect(URLContext *s, RTMPContext *rt) rt->prev_pkt[1])) < 0) return ret; cp = pkt.data; - bytestream2_init(&gbc, cp, pkt.data_size); + bytestream2_init(&gbc, cp, pkt.size); if (ff_amf_read_string(&gbc, command, sizeof(command), &stringlen)) { av_log(s, AV_LOG_ERROR, "Unable to read command string\n"); ff_rtmp_packet_destroy(&pkt); @@ -440,7 +440,7 @@ static int read_connect(URLContext *s, RTMPContext *rt) return ret; p = pkt.data; bytestream_put_be32(&p, rt->server_bw); - pkt.data_size = p - pkt.data; + pkt.size = p - pkt.data; ret = ff_rtmp_packet_write(rt->stream, &pkt, rt->out_chunk_size, rt->prev_pkt[1]); ff_rtmp_packet_destroy(&pkt); @@ -453,7 +453,7 @@ static int read_connect(URLContext *s, RTMPContext *rt) p = pkt.data; bytestream_put_be32(&p, rt->server_bw); bytestream_put_byte(&p, 2); // dynamic - pkt.data_size = p - pkt.data; + pkt.size = p - pkt.data; ret = ff_rtmp_packet_write(rt->stream, &pkt, rt->out_chunk_size, rt->prev_pkt[1]); ff_rtmp_packet_destroy(&pkt); @@ -515,7 +515,7 @@ static int read_connect(URLContext *s, RTMPContext *rt) ff_amf_write_number(&p, 0); ff_amf_write_object_end(&p); - pkt.data_size = p - pkt.data; + pkt.size = p - pkt.data; ret = ff_rtmp_packet_write(rt->stream, &pkt, rt->out_chunk_size, rt->prev_pkt[1]); ff_rtmp_packet_destroy(&pkt); @@ -530,7 +530,7 @@ static int read_connect(URLContext *s, RTMPContext *rt) ff_amf_write_number(&p, 0); ff_amf_write_null(&p); ff_amf_write_number(&p, 8192); - pkt.data_size = p - pkt.data; + pkt.size = p - pkt.data; ret = ff_rtmp_packet_write(rt->stream, &pkt, rt->out_chunk_size, rt->prev_pkt[1]); ff_rtmp_packet_destroy(&pkt); @@ -745,9 +745,9 @@ static int gen_pong(URLContext *s, RTMPContext *rt, RTMPPacket *ppkt) uint8_t *p; int ret; - if (ppkt->data_size < 6) { + if (ppkt->size < 6) { av_log(s, AV_LOG_ERROR, "Too short ping packet (%d)\n", - ppkt->data_size); + ppkt->size); return AVERROR_INVALIDDATA; } 
@@ -1421,10 +1421,10 @@ static int handle_chunk_size(URLContext *s, RTMPPacket *pkt) RTMPContext *rt = s->priv_data; int ret; - if (pkt->data_size < 4) { + if (pkt->size < 4) { av_log(s, AV_LOG_ERROR, "Too short chunk size change packet (%d)\n", - pkt->data_size); + pkt->size); return AVERROR_INVALIDDATA; } @@ -1454,9 +1454,9 @@ static int handle_ping(URLContext *s, RTMPPacket *pkt) RTMPContext *rt = s->priv_data; int t, ret; - if (pkt->data_size < 2) { + if (pkt->size < 2) { av_log(s, AV_LOG_ERROR, "Too short ping packet (%d)\n", - pkt->data_size); + pkt->size); return AVERROR_INVALIDDATA; } @@ -1480,10 +1480,10 @@ static int handle_client_bw(URLContext *s, RTMPPacket *pkt) { RTMPContext *rt = s->priv_data; - if (pkt->data_size < 4) { + if (pkt->size < 4) { av_log(s, AV_LOG_ERROR, "Client bandwidth report packet is less than 4 bytes long (%d)\n", - pkt->data_size); + pkt->size); return AVERROR_INVALIDDATA; } @@ -1504,10 +1504,10 @@ static int handle_server_bw(URLContext *s, RTMPPacket *pkt) { RTMPContext *rt = s->priv_data; - if (pkt->data_size < 4) { + if (pkt->size < 4) { av_log(s, AV_LOG_ERROR, "Too short server bandwidth report packet (%d)\n", - pkt->data_size); + pkt->size); return AVERROR_INVALIDDATA; } @@ -1707,7 +1707,7 @@ static int handle_connect_error(URLContext *s, const char *desc) static int handle_invoke_error(URLContext *s, RTMPPacket *pkt) { RTMPContext *rt = s->priv_data; - const uint8_t *data_end = pkt->data + pkt->data_size; + const uint8_t *data_end = pkt->data + pkt->size; char *tracked_method = NULL; int level = AV_LOG_ERROR; uint8_t tmpstr[256]; @@ -1755,7 +1755,7 @@ static int send_invoke_response(URLContext *s, RTMPPacket *pkt) GetByteContext gbc; int ret; - bytestream2_init(&gbc, p, pkt->data_size); + bytestream2_init(&gbc, p, pkt->size); if (ff_amf_read_string(&gbc, command, sizeof(command), &stringlen)) { av_log(s, AV_LOG_ERROR, "Error in PT_INVOKE\n"); 
@@ -1807,7 +1807,7 @@ static int send_invoke_response(URLContext *s, RTMPPacket *pkt) return ret; } pp = spkt.data; - bytestream2_init_writer(&pbc, pp, spkt.data_size); + bytestream2_init_writer(&pbc, pp, spkt.size); bytestream2_put_be16(&pbc, 0); // 0 -> Stream Begin bytestream2_put_be32(&pbc, rt->nb_streamid); ret = ff_rtmp_packet_write(rt->stream, &spkt, rt->out_chunk_size, @@ -1866,7 +1866,7 @@ static int send_invoke_response(URLContext *s, RTMPPacket *pkt) * if a client creates more than 2^32 - 2 streams. */ } } - spkt.data_size = pp - spkt.data; + spkt.size = pp - spkt.data; ret = ff_rtmp_packet_write(rt->stream, &spkt, rt->out_chunk_size, rt->prev_pkt[1]); ff_rtmp_packet_destroy(&spkt); @@ -1940,7 +1940,7 @@ fail: static int handle_invoke_status(URLContext *s, RTMPPacket *pkt) { RTMPContext *rt = s->priv_data; - const uint8_t *data_end = pkt->data + pkt->data_size; + const uint8_t *data_end = pkt->data + pkt->size; const uint8_t *ptr = pkt->data + 11; uint8_t tmpstr[256]; int i, t; @@ -2014,7 +2014,7 @@ static int handle_notify(URLContext *s, RTMPPacket *pkt) { unsigned datatowritelength; p = pkt->data; - bytestream2_init(&gbc, p, pkt->data_size); + bytestream2_init(&gbc, p, pkt->size); if (ff_amf_read_string(&gbc, commandbuffer, sizeof(commandbuffer), &stringlen)) return AVERROR_INVALIDDATA; @@ -2128,7 +2128,7 @@ static int get_packet(URLContext *s, int for_header) int ret; uint8_t *p; const uint8_t *next; - uint32_t data_size; + uint32_t size; uint32_t ts, cts, pts=0; if (rt->state == STATE_STOPPED) @@ -2171,7 +2171,7 @@ static int get_packet(URLContext *s, int for_header) ff_rtmp_packet_destroy(&rpkt); return 0; } - if (!rpkt.data_size || !rt->is_input) { + if (!rpkt.size || !rt->is_input) { ff_rtmp_packet_destroy(&rpkt); continue; } 
@@ -2181,14 +2181,14 @@ static int get_packet(URLContext *s, int for_header) // generate packet header and put data into buffer for FLV demuxer rt->flv_off = 0; - rt->flv_size = rpkt.data_size + 15; + rt->flv_size = rpkt.size + 15; rt->flv_data = p = av_realloc(rt->flv_data, rt->flv_size); bytestream_put_byte(&p, rpkt.type); - bytestream_put_be24(&p, rpkt.data_size); + bytestream_put_be24(&p, rpkt.size); bytestream_put_be24(&p, ts); bytestream_put_byte(&p, ts >> 24); bytestream_put_be24(&p, 0); - bytestream_put_buffer(&p, rpkt.data, rpkt.data_size); + bytestream_put_buffer(&p, rpkt.data, rpkt.size); bytestream_put_be32(&p, 0); ff_rtmp_packet_destroy(&rpkt); return 0; @@ -2203,14 +2203,14 @@ static int get_packet(URLContext *s, int for_header) } else if (rpkt.type == RTMP_PT_METADATA) { // we got raw FLV data, make it available for FLV demuxer rt->flv_off = 0; - rt->flv_size = rpkt.data_size; + rt->flv_size = rpkt.size; rt->flv_data = av_realloc(rt->flv_data, rt->flv_size); /* rewrite timestamps */ next = rpkt.data; ts = rpkt.timestamp; - while (next - rpkt.data < rpkt.data_size - 11) { + while (next - rpkt.data < rpkt.size - 11) { next++; - data_size = bytestream_get_be24(&next); + size = bytestream_get_be24(&next); p=next; cts = bytestream_get_be24(&next); cts |= bytestream_get_byte(&next) << 24; @@ -2220,9 +2220,9 @@ static int get_packet(URLContext *s, int for_header) pts = cts; bytestream_put_be24(&p, ts); bytestream_put_byte(&p, ts >> 24); - next += data_size + 3 + 4; + next += size + 3 + 4; } - memcpy(rt->flv_data, rpkt.data, rpkt.data_size); + memcpy(rt->flv_data, rpkt.data, rpkt.size); ff_rtmp_packet_destroy(&rpkt); return 0; } @@ -2237,7 +2237,7 @@ static int rtmp_close(URLContext *h) if (!rt->is_input) { rt->flv_data = NULL; - if (rt->out_pkt.data_size) + if (rt->out_pkt.size) ff_rtmp_packet_destroy(&rt->out_pkt); if (rt->state > STATE_FCPUBLISH) ret = gen_fcunpublish_stream(h, rt); From dd923878e8efd85e27a0c6ea83175e166d273e28 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Thu, 8 Aug 2013 19:44:19 +0200 Subject: [PATCH 0473/1037] rtmp: Do not misuse memcmp CC: libav-stable@libav.org (cherry picked from commit 5718e3487ba3b26aba341070be0b6b0b4de45ea3) Signed-off-by: Luca Barbato Conflicts: libavformat/rtmpproto.c --- libavformat/rtmppkt.c | 33 +++++++++++++++++++++++++++++++++ libavformat/rtmppkt.h | 7 +++++++ libavformat/rtmpproto.c | 27 ++++++++++++++------------- 3 files changed, 54 insertions(+), 13 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 3af56270d2..ace77297c6 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -525,3 +525,36 @@ void ff_rtmp_packet_dump(void *ctx, RTMPPacket *p) av_log(ctx, AV_LOG_DEBUG, "\n"); } } + +int ff_amf_match_string(const uint8_t *data, int size, const char *str) +{ + int len = strlen(str); + int amf_len, type; + + if (size < 1) + return 0; + + type = *data++; + + if (type != AMF_DATA_TYPE_LONG_STRING && + type != AMF_DATA_TYPE_STRING) + return 0; + + if (type == AMF_DATA_TYPE_LONG_STRING) { + if ((size -= 4 + 1) < 0) + return 0; + amf_len = bytestream_get_be32(&data); + } else { + if ((size -= 2 + 1) < 0) + return 0; + amf_len = bytestream_get_be16(&data); + } + + if (amf_len > size) + return 0; + + if (amf_len != len) + return 0; + + return !memcmp(data, str, len); +} diff --git a/libavformat/rtmppkt.h b/libavformat/rtmppkt.h index 83803d2362..ba6696b65c 100644 --- a/libavformat/rtmppkt.h +++ b/libavformat/rtmppkt.h @@ -282,6 +282,13 @@ int ff_amf_read_string(GetByteContext *gbc, uint8_t *str, */ int ff_amf_read_null(GetByteContext *gbc); +/** + * Match AMF string with a NULL-terminated string. + * + * @return 0 if the strings do not match. + */ + +int ff_amf_match_string(const uint8_t *data, int size, const char *str); /** @} */ // AMF funcs diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index d36a43bae7..9989b28737 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c 
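Review bot: In ff_amf_match_string the 32-bit long-string length is stored in a signed `int amf_len`, so a wire value above INT_MAX can become negative and pass `amf_len > size`. It is rejected only because the following `amf_len != len` compares it with a non-negative `len`. Making the bound explicit keeps the memcmp() safe regardless of statement order: `if (amf_len < 0 || amf_len > size) return 0;`. A one-line comment that `size` counts the whole buffer, including the type byte, would also help, since the `size -= 4 + 1` and `size -= 2 + 1` adjustments are easy to misread.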
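Review bot: The doc comment added for ff_amf_match_string in rtmppkt.h documents only the non-matching return value, and says "NULL-terminated" where the C term is NUL-terminated. The blank line between the comment and the prototype may also stop the documentation tool from attaching it. I would document the parameters too, for example `@param size number of bytes available at data, including the AMF type byte`, and state the result as `@return non-zero if data holds an AMF string or long string equal to str, 0 otherwise`.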
@@ -1887,7 +1887,7 @@ static int handle_invoke_result(URLContext *s, RTMPPacket *pkt) return ret; } - if (!memcmp(tracked_method, "connect", 7)) { + if (!strcmp(tracked_method, "connect")) { if (!rt->is_input) { if ((ret = gen_release_stream(s, rt)) < 0) goto fail; @@ -1913,7 +1913,7 @@ static int handle_invoke_result(URLContext *s, RTMPPacket *pkt) goto fail; } } - } else if (!memcmp(tracked_method, "createStream", 12)) { + } else if (!strcmp(tracked_method, "createStream")) { //extract a number from the result if (pkt->data[10] || pkt->data[19] != 5 || pkt->data[20]) { av_log(s, AV_LOG_WARNING, "Unexpected reply on connect()\n"); 
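Review bot: The `createStream` branch in the second hunk still indexes `pkt->data[10]`, `pkt->data[19]` and `pkt->data[20]` with no visible check that the packet holds at least 21 bytes. handle_invoke_result starts outside this hunk, so a length check may exist earlier. If it does not, a short `_result` reply is read past its payload. A guard before the test would close that, for example `if (pkt->size < 21) { ret = AVERROR_INVALIDDATA; goto fail; }`. The switch to strcmp() also assumes `tracked_method` is non-NULL and NUL-terminated here, which the hunk does not show.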
@@ -1975,24 +1975,24 @@ static int handle_invoke(URLContext *s, RTMPPacket *pkt) int ret = 0; //TODO: check for the messages sent for wrong state? - if (!memcmp(pkt->data, "\002\000\006_error", 9)) { + if (ff_amf_match_string(pkt->data, pkt->size, "_error")) { if ((ret = handle_invoke_error(s, pkt)) < 0) return ret; - } else if (!memcmp(pkt->data, "\002\000\007_result", 10)) { + } else if (ff_amf_match_string(pkt->data, pkt->size, "_result")) { if ((ret = handle_invoke_result(s, pkt)) < 0) return ret; - } else if (!memcmp(pkt->data, "\002\000\010onStatus", 11)) { + } else if (ff_amf_match_string(pkt->data, pkt->size, "onStatus")) { if ((ret = handle_invoke_status(s, pkt)) < 0) return ret; - } else if (!memcmp(pkt->data, "\002\000\010onBWDone", 11)) { + } else if (ff_amf_match_string(pkt->data, pkt->size, "onBWDone")) { if ((ret = gen_check_bw(s, rt)) < 0) return ret; - } else if (!memcmp(pkt->data, "\002\000\015releaseStream", 16) || - !memcmp(pkt->data, "\002\000\011FCPublish", 12) || - !memcmp(pkt->data, "\002\000\007publish", 10) || - !memcmp(pkt->data, "\002\000\010_checkbw", 11) || - !memcmp(pkt->data, "\002\000\014createStream", 15)) { - if (ret = send_invoke_response(s, pkt) < 0) + } else if (ff_amf_match_string(pkt->data, pkt->size, "releaseStream") || + ff_amf_match_string(pkt->data, pkt->size, "FCPublish") || + ff_amf_match_string(pkt->data, pkt->size, "publish") || + ff_amf_match_string(pkt->data, pkt->size, "_checkbw") || + ff_amf_match_string(pkt->data, pkt->size, "createStream")) { + if ((ret = send_invoke_response(s, pkt)) < 0) return ret; } 
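Review bot: ff_amf_match_string() accepts both AMF_DATA_TYPE_STRING and AMF_DATA_TYPE_LONG_STRING, but the handlers dispatched from handle_invoke still use fixed offsets that assume the 3-byte short-string header. Other hunks on this page show `pkt->data + 11` in handle_invoke_status and `pkt->data[10]` in handle_invoke_result. A command name sent in the long encoding would match here and then be parsed two bytes off. Either the handlers should derive the payload offset from the header that actually matched, or the assumption should be recorded at the dispatch site, e.g. `/* handlers below assume the short AMF string header (type byte + 16-bit length) */`. The same applies to the `onMetaData` test in get_packet.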
@@ -2176,7 +2176,8 @@ static int get_packet(URLContext *s, int for_header) continue; } if (rpkt.type == RTMP_PT_VIDEO || rpkt.type == RTMP_PT_AUDIO || - (rpkt.type == RTMP_PT_NOTIFY && !memcmp("\002\000\012onMetaData", rpkt.data, 13))) { + (rpkt.type == RTMP_PT_NOTIFY && + ff_amf_match_string(rpkt.data, rpkt.size, "onMetaData"))) { ts = rpkt.timestamp; // generate packet header and put data into buffer for FLV demuxer From c92e37c20791580e88bdcf06f866a760a138eb07 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 12 Aug 2013 00:16:12 +0200 Subject: [PATCH 0474/1037] nuv: Do not ignore lzo decompression failures Update the fate reference since the last broken frame is not decoded anymore. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit aae159a7cc4df7d0521901022b778c9da251c24e) Signed-off-by: Luca Barbato --- libavcodec/nuv.c | 4 +++- tests/ref/fate/nuv-rtjpeg | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 0b47e974f5..9aa195f4db 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -198,8 +198,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, buf_size -= 12; if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) { int outlen = c->decomp_size, inlen = buf_size; - if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) + if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); + return AVERROR_INVALIDDATA; + } buf = c->decomp_buf; buf_size = c->decomp_size; } diff --git a/tests/ref/fate/nuv-rtjpeg b/tests/ref/fate/nuv-rtjpeg index e9286d6a6d..a5c9c4a6f3 100644 --- a/tests/ref/fate/nuv-rtjpeg +++ b/tests/ref/fate/nuv-rtjpeg @@ -7,4 +7,3 @@ 0, 269, 269, 0, 460800, 0x4e091ee2 0, 302, 302, 0, 460800, 0x2ea88828 0, 335, 335, 0, 460800, 0x4b7f4df0 -0, 369, 369, 0, 460800, 0xb30eb322 
From 6537f577827b7273e390a3eea7b4717654262c6d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 12 Aug 2013 11:34:06 +0200 Subject: [PATCH 0475/1037] nuv: Pad the lzo outbuf And properly update the buf_size with the correct size. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 075dbc185521f193c98b896cd63be3ec2613df5d) Signed-off-by: Luca Barbato --- libavcodec/nuv.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 9aa195f4db..e06dab7d56 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -123,7 +123,8 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, avctx->width = c->width = width; avctx->height = c->height = height; av_fast_malloc(&c->decomp_buf, &c->decomp_size, - c->height * c->width * 3 / 2); + c->height * c->width * 3 / 2 + + FF_INPUT_BUFFER_PADDING_SIZE); if (!c->decomp_buf) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); @@ -197,13 +198,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, buf = &buf[12]; buf_size -= 12; if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) { - int outlen = c->decomp_size, inlen = buf_size; + int outlen = c->decomp_size - FF_INPUT_BUFFER_PADDING_SIZE; + int inlen = buf_size; if (av_lzo1x_decode(c->decomp_buf, &outlen, buf, &inlen)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; } buf = c->decomp_buf; - buf_size = c->decomp_size; + buf_size = outlen; } if (c->codec_frameheader) { int w, h, q; From cf6a34b2a5d0690c6e2fd25b9a35082418d9a12e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 17 Nov 2012 18:07:42 +0100 Subject: [PATCH 0476/1037] nuv: return meaningful error codes. (cherry picked from commit 3344f5cb747bb1f54cc34878b66dc0536f194720) 
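Review bot: `buf_size = outlen;` in the decode_frame hunk takes the value av_lzo1x_decode() leaves in `outlen`, which libavutil/lzo.h describes as the number of bytes left in the output buffer, not the number written. If that reading holds for this tree, a frame that fills most of the buffer reports a small `buf_size` and a tiny frame reports a large one. The later parsing would then be bounded by the wrong length and could read stale bytes from `c->decomp_buf`. The produced size would be `buf_size = c->decomp_size - FF_INPUT_BUFFER_PADDING_SIZE - outlen;`.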
Signed-off-by: Luca Barbato --- libavcodec/nuv.c | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index e06dab7d56..75ea4bf032 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -87,7 +87,7 @@ static int get_quant(AVCodecContext *avctx, NuvContext *c, const uint8_t *buf, int i; if (size < 2 * 64 * 4) { av_log(avctx, AV_LOG_ERROR, "insufficient rtjpeg quant data\n"); - return -1; + return AVERROR_INVALIDDATA; } for (i = 0; i < 64; i++, buf += 4) c->lq[i] = AV_RL32(buf); @@ -113,13 +113,15 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, int quality) { NuvContext *c = avctx->priv_data; + int ret; + width = FFALIGN(width, 2); height = FFALIGN(height, 2); if (quality >= 0) get_quant_quality(c, quality); if (width != c->width || height != c->height) { - if (av_image_check_size(height, width, 0, avctx) < 0) - return 0; + if ((ret = av_image_check_size(height, width, 0, avctx)) < 0) + return ret; avctx->width = c->width = width; avctx->height = c->height = height; av_fast_malloc(&c->decomp_buf, &c->decomp_size, @@ -128,7 +130,7 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, if (!c->decomp_buf) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); - return 0; + return AVERROR(ENOMEM); } ff_rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); @@ -136,7 +138,7 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, ff_rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); - return 1; + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, @@ -160,7 +162,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (buf_size < 12) { av_log(avctx, AV_LOG_ERROR, "coded frame too small\n"); - return -1; + return AVERROR_INVALIDDATA; } // codec data (rtjpeg quant tables) 
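Review bot: The rewritten check in codec_reinit calls `av_image_check_size(height, width, 0, avctx)`, but that function takes the width first and the height second. The validity test itself is probably symmetric in the two values, so the outcome is likely unchanged, yet any diagnostic it logs would report the dimensions swapped. Since the line is being touched anyway I would write `if ((ret = av_image_check_size(width, height, 0, avctx)) < 0)`. Separately, codec_reinit now returns 0 on success where it used to return 1, so any caller outside the hunks shown here that still tests `!codec_reinit(...)` would invert its meaning.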
@@ -179,7 +181,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (buf[0] != 'V' || buf_size < 12) { av_log(avctx, AV_LOG_ERROR, "not a nuv video frame\n"); - return -1; + return AVERROR_INVALIDDATA; } comptype = buf[1]; switch (comptype) { @@ -217,8 +219,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); q = buf[10]; - if (!codec_reinit(avctx, w, h, q)) - return -1; + if ((result = codec_reinit(avctx, w, h, q)) < 0) + return result; buf = &buf[RTJPEG_HEADER_SIZE]; buf_size -= RTJPEG_HEADER_SIZE; } @@ -231,7 +233,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, result = avctx->reget_buffer(avctx, &c->pic); if (result < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return -1; + return result; } c->pic.pict_type = keyframe ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; @@ -262,7 +264,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, break; default: av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); - return -1; + return AVERROR_INVALIDDATA; } *picture = c->pic; @@ -273,6 +275,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, static av_cold int decode_init(AVCodecContext *avctx) { NuvContext *c = avctx->priv_data; + int ret; + avctx->pix_fmt = AV_PIX_FMT_YUV420P; c->pic.data[0] = NULL; c->decomp_buf = NULL; @@ -287,8 +291,8 @@ static av_cold int decode_init(AVCodecContext *avctx) ff_dsputil_init(&c->dsp, avctx); - if (!codec_reinit(avctx, avctx->width, avctx->height, -1)) - return 1; + if ((ret = codec_reinit(avctx, avctx->width, avctx->height, -1)) < 0) + return ret; return 0; } From 747c320a190ae86021484e09c9add8d221b950d7 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Tue, 13 Aug 2013 07:01:40 +0200 Subject: [PATCH 0477/1037] nuv: Use av_fast_realloc The decompressed buffer can be used after codec_reinit, so it must be preserved. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 2df0776c2293efb0ac12c003843ce19332342e01) Signed-off-by: Luca Barbato --- libavcodec/nuv.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 75ea4bf032..d742df3bac 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -120,18 +120,21 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, if (quality >= 0) get_quant_quality(c, quality); if (width != c->width || height != c->height) { + void *ptr; if ((ret = av_image_check_size(height, width, 0, avctx)) < 0) return ret; avctx->width = c->width = width; avctx->height = c->height = height; - av_fast_malloc(&c->decomp_buf, &c->decomp_size, - c->height * c->width * 3 / 2 + - FF_INPUT_BUFFER_PADDING_SIZE); - if (!c->decomp_buf) { + ptr = av_fast_realloc(c->decomp_buf, &c->decomp_size, + c->height * c->width * 3 / 2 + + FF_INPUT_BUFFER_PADDING_SIZE + + RTJPEG_HEADER_SIZE); + if (!ptr) { av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n"); return AVERROR(ENOMEM); - } + } else + c->decomp_buf = ptr; ff_rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); } else if (quality != c->quality) @@ -221,6 +224,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, q = buf[10]; if ((result = codec_reinit(avctx, w, h, q)) < 0) return result; + if (comptype == NUV_RTJPEG_IN_LZO || comptype == NUV_LZO) + buf = c->decomp_buf; buf = &buf[RTJPEG_HEADER_SIZE]; buf_size -= RTJPEG_HEADER_SIZE; } From 082e3fd4693c22e4a35326954f226424eaa7db24 Mon Sep 17 00:00:00 2001 
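Review bot: In the codec_reinit hunk, `avctx->width = c->width = width;` and the matching height assignment run before av_fast_realloc(), so the ENOMEM path returns with the context already advertising the new dimensions while `c->decomp_buf` is still the old allocation. A later call with the same width and height would skip the `width != c->width` branch and never retry the allocation. I would compute the size from the local `width` and `height` and assign the context fields only after `c->decomp_buf = ptr;`. The unbraced `else` after the braced `if (!ptr) { ... }` can go as well, since that branch returns.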
From: Luca Barbato Date: Tue, 13 Aug 2013 06:01:48 +0200 Subject: [PATCH 0478/1037] nuv: Reset the frame on resize Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavcodec/nuv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index d742df3bac..9c765a0f64 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -137,6 +137,8 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, c->decomp_buf = ptr; ff_rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); + if (c->pic.data[0]) + avctx->release_buffer(avctx, &c->pic); } else if (quality != c->quality) ff_rtjpeg_decode_init(&c->rtj, &c->dsp, c->width, c->height, c->lq, c->cq); From cea1769fb62bd3356b19d32c46483883f16334c4 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 13 Aug 2013 07:05:28 +0200 Subject: [PATCH 0479/1037] rtjpeg: Use init_get_bits8 CC:libav-stable@libav.org (cherry picked from commit f13fe6020e6a3871f9b0c96b240e58e6ed4fb5d7) Signed-off-by: Luca Barbato --- libavcodec/rtjpeg.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/rtjpeg.c b/libavcodec/rtjpeg.c index 360458540b..77baa5b66e 100644 --- a/libavcodec/rtjpeg.c +++ b/libavcodec/rtjpeg.c @@ -108,10 +108,13 @@ int ff_rtjpeg_decode_frame_yuv420(RTJpegContext *c, AVFrame *f, const uint8_t *buf, int buf_size) { GetBitContext gb; int w = c->w / 16, h = c->h / 16; - int x, y; + int x, y, ret; uint8_t *y1 = f->data[0], *y2 = f->data[0] + 8 * f->linesize[0]; uint8_t *u = f->data[1], *v = f->data[2]; - init_get_bits(&gb, buf, buf_size * 8); + + if ((ret = init_get_bits8(&gb, buf, buf_size)) < 0) + return ret; + for (y = 0; y < h; y++) { for (x = 0; x < w; x++) { #define BLOCK(quant, dst, stride) do { \ From e2d32ad18e85016815dd26793abfab33bc6ef63e Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Tue, 13 Aug 2013 07:28:41 +0200 Subject: [PATCH 0480/1037] ogg: Always alloc the private context in vorbis_header It is possible to have an initial broken header and then valid packets. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3562684db716d11de0b0dcc52748e9cd90d68132) Signed-off-by: Luca Barbato --- libavformat/oggparsevorbis.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index bb41b52ca2..9d0ffce8a5 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -212,15 +212,15 @@ vorbis_header (AVFormatContext * s, int idx) struct oggvorbis_private *priv; int pkt_type = os->buf[os->pstart]; - if (!(pkt_type & 1)) - return 0; - if (!os->private) { os->private = av_mallocz(sizeof(struct oggvorbis_private)); if (!os->private) return 0; } + if (!(pkt_type & 1)) + return 0; + if (os->psize < 1 || pkt_type > 5) return -1; From 7c30ea500640e85a04ad5610197059b1b559a565 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 13 Aug 2013 07:40:38 +0200 Subject: [PATCH 0481/1037] segafilm: Error out on impossible packet size Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5268bd2900effa59b51e0fede61aacde5e2f0b95) Signed-off-by: Luca Barbato --- libavformat/segafilm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 068d432083..adf24759c6 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c 
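Review bot: Moving the allocation ahead of the `pkt_type & 1` test makes the `if (!os->private) return 0;` path reachable for every packet, and it still reports an allocation failure as 0. The same function returns -1 for malformed headers, so negative returns appear to be understood by the caller, and `return AVERROR(ENOMEM);` would surface the failure. As written, a failed av_mallocz() leaves `os->private` NULL while parsing continues, which is the state this commit sets out to avoid. vorbis_header continues outside the hunk, so the caller's handling should be confirmed.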
@@ -214,6 +214,8 @@ static int film_read_header(AVFormatContext *s) film->sample_table[i].sample_offset = data_offset + AV_RB32(&scratch[0]); film->sample_table[i].sample_size = AV_RB32(&scratch[4]); + if (film->sample_table[i].sample_size > INT_MAX / 4) + return AVERROR_INVALIDDATA; if (AV_RB32(&scratch[8]) == 0xFFFFFFFF) { film->sample_table[i].stream = film->audio_stream_index; film->sample_table[i].pts = audio_frame_counter; From a14ff5b2569de04c974302368d35a4ae62b95f86 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 14 Aug 2013 16:57:21 +0200 Subject: [PATCH 0482/1037] h261: check the mtype index Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c59967fa7cc5bc2fa06b36c17d2c207240c06b3e) Signed-off-by: Luca Barbato Conflicts: libavcodec/h261dec.c --- libavcodec/h261dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h261dec.c b/libavcodec/h261dec.c index 55453c112d..77c6cab0ec 100644 --- a/libavcodec/h261dec.c +++ b/libavcodec/h261dec.c @@ -286,6 +286,11 @@ static int h261_decode_mb(H261Context *h){ // Read mtype h->mtype = get_vlc2(&s->gb, h261_mtype_vlc.table, H261_MTYPE_VLC_BITS, 2); + if (h->mtype < 0 || h->mtype >= FF_ARRAY_ELEMS(h261_mtype_map)) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid mtype index %d\n", + h->mtype); + return SLICE_ERROR; + } h->mtype = h261_mtype_map[h->mtype]; // Read mquant From 93fbabb60f723ea66794cdad071e843720719cf4 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 14 Aug 2013 16:51:53 +0200 Subject: [PATCH 0483/1037] dxa: Make sure the reference frame exists Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5ef7c84a9374681c64722a96d91741f3b990af2b) Signed-off-by: Luca Barbato Conflicts: libavcodec/dxa.c --- libavcodec/dxa.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c index 0f590f1ed9..ddc8d986a0 100644 --- a/libavcodec/dxa.c 
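Review bot: The new `return AVERROR_INVALIDDATA;` in the segafilm hunk leaves film_read_header from inside the sample-table loop without any cleanup. `film->sample_table` is allocated outside this hunk, so if the function's other error paths free it, this one should also call `av_free(film->sample_table);` before returning. The line just above, `data_offset + AV_RB32(&scratch[0])`, is likewise taken from the file without a range check. Whether `sample_offset` is wide enough to hold that sum depends on declarations not shown here.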
+++ b/libavcodec/dxa.c @@ -256,6 +256,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac case 5: c->pic.key_frame = !(compr & 1); c->pic.pict_type = (compr & 1) ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; + + if (!tmpptr && !c->pic.key_frame) { + av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n"); + return AVERROR_INVALIDDATA; + } + for(j = 0; j < avctx->height; j++){ if(compr & 1){ for(i = 0; i < avctx->width; i++) From cbc6ded5b780195edc93d37f8b9e8eb6e00e8f0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 18 Aug 2013 17:40:51 +0200 Subject: [PATCH 0484/1037] ogg: Fix potential infinite discard loop Seeking in certain broken files would cause ogg_read_timestamp to fail because ogg_packet would go into a state where all packets of stream 1 would be discarded until the end of the stream. Bug-Id: 553 CC: libav-stable@libav.org Signed-off-by: Jan Gerber Signed-off-by: Luca Barbato (cherry picked from commit 9a27acae9e6b7d0bf74c5b878af9c42495a546f3) Signed-off-by: Luca Barbato --- libavformat/oggdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index d8f89b8f80..03ec50e084 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -384,7 +384,11 @@ static int ogg_packet(AVFormatContext *s, int *str, int *dstart, int *dsize, if (!complete && os->segp == os->nsegs) { ogg->curidx = -1; - os->incomplete = 1; + // Do not set incomplete for empty packets. + // Together with the code in ogg_read_page + // that discards all continuation of empty packets + // we would get an infinite loop. + os->incomplete = !!os->psize; } } while (!complete); From 1b16302e5464267f30ad59e9bc06fe567fd0d755 Mon Sep 17 00:00:00 2001 
From: James Almer Date: Wed, 17 Jul 2013 03:10:16 -0300 Subject: [PATCH 0485/1037] lavf/matroskaenc: Check for valid metadata before creating tags Tags must have at least one SimpleTag element to be spec conformant. Updated lavf-mkv and seek-lavf-mkv FATE references as the tests were affected by this. Fixes ticket #2785 Signed-off-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 088ed5314694031e07e02e9d364c9d486a60e704) Conflicts: tests/ref/lavf/mkv --- libavformat/matroskaenc.c | 18 +++++++++++++--- tests/ref/lavf/mkv | 4 ++-- tests/ref/seek/lavf-mkv | 44 +++++++++++++++++++-------------------- 3 files changed, 39 insertions(+), 27 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 12efbe2b8f..a1913a47ac 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -797,6 +797,18 @@ static int mkv_write_tag(AVFormatContext *s, AVDictionary *m, unsigned int eleme return 0; } +static int mkv_check_tag(AVDictionary *m) +{ + AVDictionaryEntry *t = NULL; + int ret = 0; + + while ((t = av_dict_get(m, "", t, AV_DICT_IGNORE_SUFFIX))) + if (av_strcasecmp(t->key, "title") && av_strcasecmp(t->key, "stereo_mode")) + ret++; + + return ret; +} + static int mkv_write_tags(AVFormatContext *s) { ebml_master tags = {0}; @@ -804,7 +816,7 @@ static int mkv_write_tags(AVFormatContext *s) ff_metadata_conv_ctx(s, ff_mkv_metadata_conv, NULL); - if (av_dict_get(s->metadata, "", NULL, AV_DICT_IGNORE_SUFFIX)) { + if (mkv_check_tag(s->metadata)) { ret = mkv_write_tag(s, s->metadata, 0, 0, &tags); if (ret < 0) return ret; } @@ -812,7 +824,7 @@ static int mkv_write_tags(AVFormatContext *s) for (i = 0; i < s->nb_streams; i++) { AVStream *st = s->streams[i]; - if (!av_dict_get(st->metadata, "", 0, AV_DICT_IGNORE_SUFFIX)) + if (!mkv_check_tag(st->metadata)) continue; ret = mkv_write_tag(s, st->metadata, MATROSKA_ID_TAGTARGETS_TRACKUID, i + 1, &tags); 
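Review bot: mkv_check_tag hard-codes the `title` and `stereo_mode` exclusions without saying why those two keys do not count. Presumably they mirror the keys that mkv_write_tag skips when emitting SimpleTag elements, though that function's body is outside the hunk. If the two lists drift apart, the muxer can again write a Tag element with no SimpleTag, which is the non-conformance this commit fixes. I would add a comment above the helper, `/* Keep in sync with the keys skipped by mkv_write_tag(): a Tag must contain at least one SimpleTag. */`, or share one predicate between the two functions.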
@@ -822,7 +834,7 @@ static int mkv_write_tags(AVFormatContext *s) for (i = 0; i < s->nb_chapters; i++) { AVChapter *ch = s->chapters[i]; - if (!av_dict_get(ch->metadata, "", NULL, AV_DICT_IGNORE_SUFFIX)) + if (!mkv_check_tag(ch->metadata)) continue; ret = mkv_write_tag(s, ch->metadata, MATROSKA_ID_TAGTARGETS_CHAPTERUID, ch->id, &tags); diff --git a/tests/ref/lavf/mkv b/tests/ref/lavf/mkv index d92aaa8c81..ee115d21a6 100644 --- a/tests/ref/lavf/mkv +++ b/tests/ref/lavf/mkv @@ -1,3 +1,3 @@ -84dcb326fe85aeeb5768beb44372f248 *./tests/data/lavf/lavf.mkv -320297 ./tests/data/lavf/lavf.mkv +0f78dd9299210a51b18faafc971e71f2 *./tests/data/lavf/lavf.mkv +320265 ./tests/data/lavf/lavf.mkv ./tests/data/lavf/lavf.mkv CRC=0x4780846b diff --git a/tests/ref/seek/lavf-mkv b/tests/ref/seek/lavf-mkv index 681462cccc..f03bcf83d6 100644 --- a/tests/ref/seek/lavf-mkv +++ b/tests/ref/seek/lavf-mkv 
@@ -1,48 +1,48 @@ -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 555 size: 208 +ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 523 size: 208 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret: 0 st: 0 flags:0 ts: 0.788000 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret: 0 st: 0 flags:1 ts:-0.317000 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret:-1 st: 1 flags:0 ts: 2.577000 ret: 0 st: 1 flags:1 ts: 1.471000 -ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 320026 size: 209 +ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 319994 size: 209 ret: 0 st:-1 flags:0 ts: 0.365002 -ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146738 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146706 size: 27925 ret: 0 st:-1 flags:1 ts:-0.740831 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret:-1 st: 0 flags:0 ts: 2.153000 ret: 0 st: 0 flags:1 ts: 1.048000 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret: 0 st: 1 flags:0 ts:-0.058000 -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 555 size: 208 +ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 523 size: 208 ret: 0 st: 1 flags:1 ts: 2.836000 -ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 320026 size: 209 +ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 319994 
size: 209 ret:-1 st:-1 flags:0 ts: 1.730004 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146738 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146706 size: 27925 ret: 0 st: 0 flags:0 ts:-0.482000 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret: 0 st: 0 flags:1 ts: 2.413000 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret:-1 st: 1 flags:0 ts: 1.307000 ret: 0 st: 1 flags:1 ts: 0.201000 -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 555 size: 208 +ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 523 size: 208 ret: 0 st:-1 flags:0 ts:-0.904994 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret: 0 st:-1 flags:1 ts: 1.989173 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret: 0 st: 0 flags:0 ts: 0.883000 -ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292185 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292153 size: 27834 ret: 0 st: 0 flags:1 ts:-0.222000 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 ret:-1 st: 1 flags:0 ts: 2.672000 ret: 0 st: 1 flags:1 ts: 1.566000 -ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 320026 size: 209 +ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 319994 size: 209 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146738 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146706 size: 27925 ret: 0 st:-1 flags:1 ts:-0.645825 -ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 771 size: 
27837 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 739 size: 27837 From 979f97a86127371fef7cda7521e01a8b20243c21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Jul 2013 13:30:36 +0200 Subject: [PATCH 0486/1037] matroskaenc: simplify mkv_check_tag() Signed-off-by: Michael Niedermayer (cherry picked from commit 066111bf19518a9f4d836991b34dbfc5ab72a41a) --- libavformat/matroskaenc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index a1913a47ac..05d0c362fd 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -800,13 +800,12 @@ static int mkv_write_tag(AVFormatContext *s, AVDictionary *m, unsigned int eleme static int mkv_check_tag(AVDictionary *m) { AVDictionaryEntry *t = NULL; - int ret = 0; while ((t = av_dict_get(m, "", t, AV_DICT_IGNORE_SUFFIX))) if (av_strcasecmp(t->key, "title") && av_strcasecmp(t->key, "stereo_mode")) - ret++; + return 1; - return ret; + return 0; } static int mkv_write_tags(AVFormatContext *s) From 77783c7114ab2720f065aa2474b252121a5a1d11 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 17 Aug 2013 14:48:33 -0300 Subject: [PATCH 0487/1037] matroskadec: Improve TTA duration calculation Calculate the duration as accurately as possible to improve decoding of samples where the last frame is smaller than the rest. Signed-off-by: James Almer Approved-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit af248fa1174200acb537a6ab1198bb2fed38e884) --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index fe4b70cd73..de9b58f719 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1673,7 +1673,7 @@ static int matroska_read_header(AVFormatContext *s) avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); avio_wl32(&b, track->audio.out_samplerate); - avio_wl32(&b, matroska->ctx->duration * track->audio.out_samplerate); + avio_wl32(&b, av_rescale((matroska->duration * matroska->time_scale), track->audio.out_samplerate, AV_TIME_BASE * 1000)); } else if (codec_id == AV_CODEC_ID_RV10 || codec_id == AV_CODEC_ID_RV20 || codec_id == AV_CODEC_ID_RV30 || codec_id == AV_CODEC_ID_RV40) { extradata_offset = 26; From 40b8e7f168e36b91f8119c1482122140de2a5813 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Aug 2013 02:20:54 +0200 Subject: [PATCH 0488/1037] avformat/matroskadec: check out_samplerate before using it in av_rescale() Prevent assertion failure with damaged input Signed-off-by: Michael Niedermayer (cherry picked from commit 338f8b2eaf36f078eb5cc26ac10e651dc4c48243) --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index de9b58f719..350df45329 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1672,6 +1672,8 @@ static int matroska_read_header(AVFormatContext *s) avio_wl16(&b, 1); avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); + if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) + return AVERROR_INVALIDDATA; avio_wl32(&b, track->audio.out_samplerate); avio_wl32(&b, av_rescale((matroska->duration * matroska->time_scale), track->audio.out_samplerate, AV_TIME_BASE * 1000)); } else if (codec_id == AV_CODEC_ID_RV10 || codec_id == AV_CODEC_ID_RV20 || From 07bfb254c6c7fb5fafd0647ccdf8630a17ddc7e4 Mon Sep 17 00:00:00 2001 
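Review bot: The added range check covers `track->audio.out_samplerate`, but the first `av_rescale()` argument, `matroska->duration * matroska->time_scale`, is still passed unvalidated although it also comes from the file. If `duration` is a floating-point field (its declaration is outside the hunk), a damaged header can push the product outside the int64_t range, where the implicit conversion is undefined, and `avio_wl32()` then truncates the result to 32 bits. I would compute the product once and bound it, e.g. `double d = matroska->duration * matroska->time_scale; if (!(d >= 0 && d < (double)INT64_MAX)) return AVERROR_INVALIDDATA;`, which also rejects NaN. `matroska_read_header` starts and ends outside the hunk, so please confirm that the buffer behind `b` is released on this new early return.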
From: Luca Barbato Date: Sun, 28 Jul 2013 13:26:12 +0200 Subject: [PATCH 0489/1037] ac3: Do not clash with normal AVERROR The parsing function return AVERROR and AAC_AC3_PARSE_ERROR values, make sure they are not misunderstood. (cherry picked from commit 6258d362b82934a2c27557e0984aed372d98091a) Signed-off-by: Luca Barbato --- libavcodec/aac_ac3_parser.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/aac_ac3_parser.h b/libavcodec/aac_ac3_parser.h index 90b49c5a59..99286f0711 100644 --- a/libavcodec/aac_ac3_parser.h +++ b/libavcodec/aac_ac3_parser.h @@ -28,13 +28,13 @@ #include "parser.h" typedef enum { - AAC_AC3_PARSE_ERROR_SYNC = -1, - AAC_AC3_PARSE_ERROR_BSID = -2, - AAC_AC3_PARSE_ERROR_SAMPLE_RATE = -3, - AAC_AC3_PARSE_ERROR_FRAME_SIZE = -4, - AAC_AC3_PARSE_ERROR_FRAME_TYPE = -5, - AAC_AC3_PARSE_ERROR_CRC = -6, - AAC_AC3_PARSE_ERROR_CHANNEL_CFG = -7, + AAC_AC3_PARSE_ERROR_SYNC = -0x1030c0a, + AAC_AC3_PARSE_ERROR_BSID = -0x2030c0a, + AAC_AC3_PARSE_ERROR_SAMPLE_RATE = -0x3030c0a, + AAC_AC3_PARSE_ERROR_FRAME_SIZE = -0x4030c0a, + AAC_AC3_PARSE_ERROR_FRAME_TYPE = -0x5030c0a, + AAC_AC3_PARSE_ERROR_CRC = -0x6030c0a, + AAC_AC3_PARSE_ERROR_CHANNEL_CFG = -0x7030c0a, } AACAC3ParseError; typedef struct AACAC3ParseContext { From a32bbe54e434b57b2288c4bb06e09999a3f643ff Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 28 Jul 2013 13:32:18 +0200 Subject: [PATCH 0490/1037] ac3: Clean up the error paths (cherry picked from commit 818d1f1a3e89d35213af0bd5dc4a772713951882) Signed-off-by: Luca Barbato --- libavcodec/ac3dec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 4f32c2d166..d548f8ee22 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c 
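Review bot: The new enumerator values in `AACAC3ParseError` (`-0x1030c0a` through `-0x7030c0a`) are magic numbers, and the header has no comment saying why they were chosen or which range they must stay out of. The commit message gives the intent, but anyone editing the header later has nothing to check a new value against. I would add above the enum `/* Values are chosen so that they cannot be mistaken for an AVERROR code returned by the same parsing functions. */`. Any caller outside this hunk that compares the parser result with a small negative literal rather than the enumerator would need updating too.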
@@ -1305,7 +1305,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, /* skip frame if CRC is ok. otherwise use error concealment. */ /* TODO: add support for substreams and dependent frames */ if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT || s->substreamid) { - av_log(avctx, AV_LOG_ERROR, "unsupported frame type : " + av_log(avctx, AV_LOG_WARNING, "unsupported frame type : " "skipping frame\n"); *got_frame_ptr = 0; return buf_size; @@ -1313,9 +1313,12 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, av_log(avctx, AV_LOG_ERROR, "invalid frame type\n"); } break; - default: - av_log(avctx, AV_LOG_ERROR, "invalid header\n"); + case AAC_AC3_PARSE_ERROR_CRC: + case AAC_AC3_PARSE_ERROR_CHANNEL_CFG: break; + default: // Normal AVERROR do not try to recover. + *got_frame_ptr = 0; + return err; } } else { /* check that reported frame size fits in input buffer */ From 26605efed72e70edabc999e819961f9628450212 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 27 Jul 2013 10:16:35 +0200 Subject: [PATCH 0491/1037] ac3: Return proper error codes (cherry picked from commit b1f9cdc37ff5d5b391d2cd9af737ab4e5a0fc1c0) Signed-off-by: Luca Barbato --- libavcodec/ac3dec.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index d548f8ee22..51ac334775 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -292,7 +292,7 @@ static int parse_frame_header(AC3DecodeContext *s) return ff_eac3_parse_header(s); } else { av_log(s->avctx, AV_LOG_ERROR, "E-AC-3 support not compiled in\n"); - return -1; + return AVERROR(ENOSYS); } } 
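Review bot: In the `@@ -1313` hunk the new labels `case AAC_AC3_PARSE_ERROR_CRC:` and `case AAC_AC3_PARSE_ERROR_CHANNEL_CFG:` reach `break` without logging anything, whereas the removed `default` printed "invalid header". For damaged or hostile streams that message is what explains why decoding carried on with a bad header, so I would keep it before the `break`: `av_log(avctx, AV_LOG_ERROR, "invalid header\n");`. The comment on the new `default:` would read better as `/* Regular AVERROR code: do not try to recover. */`. The switch begins outside the hunk, so the handling of the remaining parse errors cannot be checked from here.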
@@ -787,12 +787,12 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (start_subband >= end_subband) { av_log(s->avctx, AV_LOG_ERROR, "invalid spectral extension " "range (%d >= %d)\n", start_subband, end_subband); - return -1; + return AVERROR_INVALIDDATA; } if (dst_start_freq >= src_start_freq) { av_log(s->avctx, AV_LOG_ERROR, "invalid spectral extension " "copy start bin (%d >= %d)\n", dst_start_freq, src_start_freq); - return -1; + return AVERROR_INVALIDDATA; } s->spx_dst_start_freq = dst_start_freq; @@ -869,7 +869,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (channel_mode < AC3_CHMODE_STEREO) { av_log(s->avctx, AV_LOG_ERROR, "coupling not allowed in mono or dual-mono\n"); - return -1; + return AVERROR_INVALIDDATA; } /* check for enhanced coupling */ @@ -899,7 +899,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (cpl_start_subband >= cpl_end_subband) { av_log(s->avctx, AV_LOG_ERROR, "invalid coupling range (%d >= %d)\n", cpl_start_subband, cpl_end_subband); - return -1; + return AVERROR_INVALIDDATA; } s->start_freq[CPL_CH] = cpl_start_subband * 12 + 37; s->end_freq[CPL_CH] = cpl_end_subband * 12 + 37; @@ -921,7 +921,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) if (!blk) { av_log(s->avctx, AV_LOG_ERROR, "new coupling strategy must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } else { s->cpl_in_use[blk] = s->cpl_in_use[blk-1]; } @@ -951,7 +951,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } else if (!blk) { av_log(s->avctx, AV_LOG_ERROR, "new coupling coordinates must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } } else { /* channel not in coupling */ 
@@ -1006,7 +1006,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) int bandwidth_code = get_bits(gbc, 6); if (bandwidth_code > 60) { av_log(s->avctx, AV_LOG_ERROR, "bandwidth code = %d > 60\n", bandwidth_code); - return -1; + return AVERROR_INVALIDDATA; } s->end_freq[ch] = bandwidth_code * 3 + 73; } @@ -1029,7 +1029,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) s->num_exp_groups[ch], s->dexps[ch][0], &s->dexps[ch][s->start_freq[ch]+!!ch])) { av_log(s->avctx, AV_LOG_ERROR, "exponent out-of-range\n"); - return -1; + return AVERROR_INVALIDDATA; } if (ch != CPL_CH && ch != s->lfe_ch) skip_bits(gbc, 2); /* skip gainrng */ @@ -1049,7 +1049,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } else if (!blk) { av_log(s->avctx, AV_LOG_ERROR, "new bit allocation info must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } } @@ -1080,7 +1080,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } } else if (!s->eac3 && !blk) { av_log(s->avctx, AV_LOG_ERROR, "new snr offsets must be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } } @@ -1119,7 +1119,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) } else if (!s->eac3 && !blk) { av_log(s->avctx, AV_LOG_ERROR, "new coupling leak info must " "be present in block 0\n"); - return -1; + return AVERROR_INVALIDDATA; } s->first_cpl_leak = 0; } @@ -1131,7 +1131,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) s->dba_mode[ch] = get_bits(gbc, 2); if (s->dba_mode[ch] == DBA_RESERVED) { av_log(s->avctx, AV_LOG_ERROR, "delta bit allocation strategy reserved\n"); - return -1; + return AVERROR_INVALIDDATA; } bit_alloc_stages[ch] = FFMAX(bit_alloc_stages[ch], 2); } 
@@ -1172,7 +1172,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) s->dba_offsets[ch], s->dba_lengths[ch], s->dba_values[ch], s->mask[ch])) { av_log(s->avctx, AV_LOG_ERROR, "error in bit allocation\n"); - return -1; + return AVERROR_INVALIDDATA; } } if (bit_alloc_stages[ch] > 0) { @@ -1291,7 +1291,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, switch (err) { case AAC_AC3_PARSE_ERROR_SYNC: av_log(avctx, AV_LOG_ERROR, "frame sync error\n"); - return -1; + return AVERROR_INVALIDDATA; case AAC_AC3_PARSE_ERROR_BSID: av_log(avctx, AV_LOG_ERROR, "invalid bitstream id\n"); break; From 898c51a01608ba30e21abbe16d9243ee264be660 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Aug 2013 13:23:10 +0200 Subject: [PATCH 0492/1037] avformat/paf: Fix integer overflow and out of array read Found-by: Laurent Butti Signed-off-by: Michael Niedermayer (cherry picked from commit f58cd2867a8af2eed13acdd21d067b48249b14a1) Signed-off-by: Michael Niedermayer --- libavformat/paf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/paf.c b/libavformat/paf.c index 09786eb34f..09aefe6770 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -233,10 +233,11 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) p->current_frame_block++; } - size = p->video_size - p->frames_offset_table[p->current_frame]; - if (size < 1) + if (p->frames_offset_table[p->current_frame] >= p->video_size) return AVERROR_INVALIDDATA; + size = p->video_size - p->frames_offset_table[p->current_frame]; + if (av_new_packet(pkt, size) < 0) return AVERROR(ENOMEM); From f508bf7ff1f86d876dc6da43002d2240d4157bf1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2013 23:18:48 +0200 Subject: [PATCH 0493/1037] avcodec/flashsv: check diff_start/height Fixes out of array accesses Fixes Ticket2844 Found-by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 880c73cd76109697447fbfbaa8e5ee5683309446) 
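Review bot: In the `libavformat/paf.c` hunk the reordered check rejects an offset at or past `p->video_size`, but the difference is still assigned to `size` with no upper bound before `av_new_packet(pkt, size)`. If `size` is a signed int and both fields are 32-bit unsigned (their declarations are outside the hunk), a gap above INT_MAX becomes negative on assignment. I would reject it explicitly: `if (p->video_size - p->frames_offset_table[p->current_frame] > INT_MAX) return AVERROR_INVALIDDATA;`. The new check itself indexes the table with `p->current_frame`, so the bound on that index against the table length must come from code outside this hunk and is worth confirming, given that the commit targets an out-of-array read.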
Signed-off-by: Michael Niedermayer --- libavcodec/flashsv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index 7855416567..9e271e1f75 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -389,6 +389,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } s->diff_start = get_bits(&gb, 8); s->diff_height = get_bits(&gb, 8); + if (s->diff_start + s->diff_height > cur_blk_height) { + av_log(avctx, AV_LOG_ERROR, "Block parameters invalid\n"); + return AVERROR_INVALIDDATA; + } av_log(avctx, AV_LOG_DEBUG, "%dx%d diff start %d height %d\n", i, j, s->diff_start, s->diff_height); From bb263cc33afbab9520f776c03bc846ad316c7e18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Aug 2013 01:07:32 +0200 Subject: [PATCH 0494/1037] avcodec/rpza: Perform pointer advance and checks before using the pointers Fixes out of array accesses Fixes Ticket2850 Signed-off-by: Michael Niedermayer (cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34) Signed-off-by: Michael Niedermayer --- libavcodec/rpza.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index a424759953..246d575ee4 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -84,7 +84,7 @@ static void rpza_decode_stream(RpzaContext *s) unsigned short *pixels = (unsigned short *)s->frame.data[0]; int row_ptr = 0; - int pixel_ptr = 0; + int pixel_ptr = -4; int block_ptr; int pixel_x, pixel_y; int total_blocks; @@ -140,6 +140,7 @@ static void rpza_decode_stream(RpzaContext *s) colorA = AV_RB16 (&s->buf[stream_ptr]); stream_ptr += 2; while (n_blocks--) { + ADVANCE_BLOCK() block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ @@ -148,7 +149,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); } break; 
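Review bot: In the `libavcodec/rpza.c` hunks `pixel_ptr` now starts at `-4` and relies on `ADVANCE_BLOCK()` running before every `block_ptr = row_ptr + pixel_ptr`, but nothing in the code says the negative start is deliberate. A comment on the declaration would settle it, e.g. `/* one block before the first; ADVANCE_BLOCK() steps forward before each use */`, assuming the macro (defined outside these hunks) advances by 4 as the initial value suggests. In the `@@ -140` hunk the call is written `ADVANCE_BLOCK()` without the trailing semicolon used at the other sites; add it for consistency. The `@@ -187` and `@@ -205` hunks that follow use the same advance-before-use pattern and would be covered by the same comment.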
@@ -187,6 +187,7 @@ static void rpza_decode_stream(RpzaContext *s) if (s->size - stream_ptr < n_blocks * 4) return; while (n_blocks--) { + ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { index = s->buf[stream_ptr++]; @@ -197,7 +198,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); } break; @@ -205,6 +205,7 @@ static void rpza_decode_stream(RpzaContext *s) case 0x00: if (s->size - stream_ptr < 16) return; + ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ @@ -218,7 +219,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); break; /* Unknown opcode */ From 359bfa4c272adf9c3b1c59d123fadb57a9e2f8cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Aug 2013 03:19:40 +0200 Subject: [PATCH 0495/1037] jpeg2000: check log2_cblk dimensions Fixes out of array access Fixes Ticket2895 Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 9a271a9368eaabf99e6c2046103acb33957e63b7) Conflicts: libavcodec/jpeg2000dec.c Signed-off-by: Michael Niedermayer --- libavcodec/j2kdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c index 53c4f079f8..d086de731f 100644 --- a/libavcodec/j2kdec.c +++ b/libavcodec/j2kdec.c @@ -31,6 +31,7 @@ #include "bytestream.h" #include "internal.h" #include "j2k.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #define JP2_SIG_TYPE 0x6A502020 
@@ -302,6 +303,10 @@ static int get_cox(J2kDecoderContext *s, J2kCodingStyle *c) c->log2_cblk_width = bytestream2_get_byteu(&s->g) + 2; // cblk width c->log2_cblk_height = bytestream2_get_byteu(&s->g) + 2; // cblk height + if (c->log2_cblk_width > 6 || c->log2_cblk_height > 6) { + return AVERROR_PATCHWELCOME; + } + c->cblk_style = bytestream2_get_byteu(&s->g); if (c->cblk_style != 0){ // cblk style av_log(s->avctx, AV_LOG_WARNING, "extra cblk styles %X\n", c->cblk_style); @@ -719,6 +724,9 @@ static int decode_cblk(J2kDecoderContext *s, J2kCodingStyle *codsty, J2kT1Contex int bpass_csty_symbol = J2K_CBLK_BYPASS & codsty->cblk_style; int vert_causal_ctx_csty_symbol = J2K_CBLK_VSC & codsty->cblk_style; + av_assert0(width <= J2K_MAX_CBLKW); + av_assert0(height <= J2K_MAX_CBLKH); + for (y = 0; y < height+2; y++) memset(t1->flags[y], 0, (width+2)*sizeof(int)); From a5fe40f728e670de5f3a4ebfbaeccc5186cfe42e Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Fri, 24 May 2013 12:28:48 -0700 Subject: [PATCH 0496/1037] doc/encoders: Add documentation for libmp3lame Signed-off-by: Michael Niedermayer (cherry picked from commit 4703a345fb41b14fe28f7e6bf7f60bb2213aa9e0) Signed-off-by: Timothy Gu --- doc/encoders.texi | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/doc/encoders.texi b/doc/encoders.texi index a5325f45a8..3d9517310d 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi 
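Review bot: The new bound in `get_cox` is the literal `6`, while the asserts added to `decode_cblk` express the limit through `J2K_MAX_CBLKW` and `J2K_MAX_CBLKH`, so the two can drift apart. `av_assert0` aborts the process, so on untrusted input the asserts are only safe while the parser check always implies them. I would derive the parser bound from the same constants: `if (c->log2_cblk_width > av_log2(J2K_MAX_CBLKW) || c->log2_cblk_height > av_log2(J2K_MAX_CBLKH))`. The rejection also returns `AVERROR_PATCHWELCOME` without an `av_log` line, so the user gets no reason for the refusal. How `width` and `height` in `decode_cblk` are derived from the log2 fields is outside these hunks and should be confirmed.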
@@ -412,6 +412,35 @@ Selected by Encoder (default) @end table +@section libmp3lame + +LAME (Lame Ain't an MP3 Encoder) MP3 encoder wrapper + +Requires the presence of the libmp3lame headers and library during +configuration. You need to explicitly configure the build with +@code{--enable-libmp3lame}. + +@subsection Option Mapping + +The following options are supported by the libmp3lame wrapper, +the LAME-equivalent options follow the FFmpeg ones. + +@multitable @columnfractions .2 .2 +@item FFmpeg @tab LAME +@item b @tab b +FFmpeg @code{b} option is expressed in bits/s, lame @code{bitrate} +in kilobits/s. +@item q @tab V +Quality setting for VBR. +@item compression_level @tab q +Algorithm quality. Valid options are integers from 0-9. +@item reservoir @tab N.A. +Enable use of bit reservoir. LAME has this enabled by default. +@item joint_stereo @tab -m j +Enables the the encoder to use (on a frame by frame basis) either L/R +stereo or mid/side stereo. +@end multitable + @c man end AUDIO ENCODERS @chapter Video Encoders From 856bdcd5bc860957d46093a78096b686939d8f37 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sat, 1 Jun 2013 16:26:03 -0700 Subject: [PATCH 0497/1037] doc/encoders: add documentation for libtwolame (cherry picked from commit ea038b996d5662702b2247a6aa919dee1cebc0be) Signed-off-by: Timothy Gu --- doc/encoders.texi | 63 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/doc/encoders.texi b/doc/encoders.texi index 3d9517310d..9a661475c2 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi 
@@ -441,6 +441,69 @@ Enables the the encoder to use (on a frame by frame basis) either L/R stereo or mid/side stereo. @end multitable +@section libtwolame + +TwoLAME MP2 encoder wrapper + +Requires the presence of the libtwolame headers and library during +configuration. You need to explicitly configure the build with +@code{--enable-libtwolame}. + +@subsection Options Mapping + +The following options are supported by the libtwolame wrapper. The +TwoLAME-equivalent options follow the FFmpeg ones and are in +parentheses. + +@table @option +@item b +(b) Set bitrate in bits/s. Note that FFmpeg @code{b} option is +expressed in bits/s, twolame @code{b} in kilobits/s. The default +value is 128k. + +@item q +(V) Set quality for experimental VBR support. Maximum value range is +from -50 to 50, useful range is from -10 to 10. + +@item mode +(mode) Set MPEG mode. Possible values: + +@table @samp +@item auto +Choose mode automatically based on the input. This is the default. +@item stereo +Stereo +@item joint_stereo +Joint stereo +@item dual_channel +Dual channel +@item mono +Mono +@end table + +@item psymodel +(psyc-mode) Set psychoacoustic model to use in encoding. The argument +must be an integer between -1 and 4, inclusive. The higher the value, +the better the quality. The default value is 3. + +@item energy_levels +(energy) Enable energy levels extensions when set to 1. The default +value is 0 (disabled). + +@item error_protection +(protect) Enable CRC error protection when set to 1. The default value +is 0 (disabled). + +@item copyright +(copyright) Set MPEG audio copyright flag when set to 1. The default +value is 0 (disabled). + +@item original +(original) Set MPEG audio original flag when set to 1. The default +value is 0 (disabled). + +@end table + @c man end AUDIO ENCODERS @chapter Video Encoders From 5c0dff6c60d6d1bbc37de60f29121b792b038271 Mon Sep 17 00:00:00 2001 
From: Timothy Gu Date: Fri, 7 Jun 2013 19:54:23 -0700 Subject: [PATCH 0498/1037] doc/encoders: Add libvo-aacenc doc Signed-off-by: Michael Niedermayer (cherry picked from commit ba7cb4807f050c401f8fd7ef1d1065b138358135) Signed-off-by: Timothy Gu --- doc/encoders.texi | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/encoders.texi b/doc/encoders.texi index 9a661475c2..e29b12fa8e 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -504,6 +504,27 @@ value is 0 (disabled). @end table +@section libvo-aacenc + +VisualOn AAC encoder + +Requires the presence of the libvo-aacenc headers and library during +configuration. You need to explicitly configure the build with +@code{--enable-libvo-aacenc --enable-version3}. + +@subsection Options + +The VisualOn AAC encoder only support encoding AAC-LC and up to 2 +channels. It is also CBR-only. It is considered to be worse than the +native experimental FFmpeg AAC encoder. + +@table @option + +@item b +Bitrate. + +@end table + @c man end AUDIO ENCODERS @chapter Video Encoders From ccdeedf22c72df803229cc8ceb8b538230673f5a Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Tue, 11 Jun 2013 16:58:01 -0700 Subject: [PATCH 0499/1037] doc/encoders: Add libvo-amrwbenc doc Signed-off-by: Michael Niedermayer (cherry picked from commit 0ec65aa1046a4417d5c7dfcf8faeecde60e3fe00) Signed-off-by: Timothy Gu Conflicts: doc/encoders.texi --- doc/encoders.texi | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/doc/encoders.texi b/doc/encoders.texi index e29b12fa8e..5d75b8ec32 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi 
@@ -525,6 +525,44 @@ Bitrate. @end table +@section libvo-amrwbenc + +VisualOn Adaptive Multi-Rate Wideband encoder + +Requires the presence of the libvo-amrwbenc headers and library during +configuration. You need to explicitly configure the build with +@code{--enable-libvo-amrwbenc --enable-version3}. + +This is a mono-only encoder. Officially it only supports 16000Hz sample +rate, but you can override it by setting @option{strict} to +@samp{unofficial} or lower. + +@subsection Options + +@table @option + +@item b +Set bitrate in bits/s. Only the following bitrates are supported, otherwise +libavcodec will round to the nearest valid bitrate. + +@table @samp +@item 6600 +@item 8850 +@item 12650 +@item 14250 +@item 15850 +@item 18250 +@item 19850 +@item 23050 +@item 23850 +@end table + +@item dtx +Allow discontinuous transmission (generate comfort noise) when set to 1. The +default value is 0 (disabled). + +@end table + @c man end AUDIO ENCODERS @chapter Video Encoders From 528dd54d15e0360d1368e87e1f72910dd80177da Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Tue, 11 Jun 2013 16:52:12 -0700 Subject: [PATCH 0500/1037] doc/general: Make the license status of the Android libraries clearer Signed-off-by: Michael Niedermayer (cherry picked from commit 6fe419bf73146655961a373c734e9e4d8826c835) Signed-off-by: Timothy Gu --- doc/general.texi | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/doc/general.texi b/doc/general.texi index cdbcf8407e..200ea1a3f5 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -24,7 +24,7 @@ instructions. To enable using OpenJPEG in FFmpeg, pass @code{--enable-libopenjp @file{./configure}. -@section OpenCORE and VisualOn libraries +@section OpenCORE, VisualOn, and Fraunhofer libraries Spun off Google Android sources, OpenCore, VisualOn and Fraunhofer libraries provide encoders for a number of audio codecs. 
@@ -32,9 +32,14 @@ libraries provide encoders for a number of audio codecs. @float NOTE OpenCORE and VisualOn libraries are under the Apache License 2.0 (see @url{http://www.apache.org/licenses/LICENSE-2.0} for details), which is -incompatible with the LGPL version 2.1 and GPL version 2. You have to +incompatible to the LGPL version 2.1 and GPL version 2. You have to upgrade FFmpeg's license to LGPL version 3 (or if you have enabled -GPL components, GPL version 3) to use it. +GPL components, GPL version 3) by passing @code{--enable-version3} to configure in +order to use it. + +The Fraunhofer AAC library is licensed under a license incompatible to the GPL +and is not known to be compatible to the LGPL. Therefore, you have to pass +@code{--enable-nonfree} to configure to use it. @end float @subsection OpenCORE AMR From 46ecbef251d21bbe47471f23bf2e43dec869a856 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Mon, 17 Jun 2013 17:42:08 -0700 Subject: [PATCH 0501/1037] doc/decoders: Document libcelt Signed-off-by: Michael Niedermayer (cherry picked from commit e3580449221c79cf611995dc7e2fcb61dd867d4c) Signed-off-by: Timothy Gu --- doc/decoders.texi | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/decoders.texi b/doc/decoders.texi index 2d812a27ff..7d639b98b3 100644 --- a/doc/decoders.texi +++ b/doc/decoders.texi @@ -60,6 +60,14 @@ This decoder generates wave patterns according to predefined sequences. Its use is purely internal and the format of the data it accepts is not publicly documented. +@section libcelt + +libcelt decoder wrapper + +libcelt allows libavcodec to decode the Xiph CELT ultra-low delay audio codec. +Requires the presence of the libcelt headers and library during configuration. +You need to explicitly configure the build with @code{--enable-libcelt}. + @c man end AUDIO DECODERS @chapter Subtitles Decoders From e3e5779a04c1419d02a4811575b771cd2ce92499 Mon Sep 17 00:00:00 2001 
From: Timothy Gu Date: Mon, 17 Jun 2013 17:38:38 -0700 Subject: [PATCH 0502/1037] doc/encoders: Add libopencore-amrnb doc Signed-off-by: Michael Niedermayer (cherry picked from commit 9ead06057acfcc43bcb99a63a7c58543007b2847) Signed-off-by: Timothy Gu --- doc/encoders.texi | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/doc/encoders.texi b/doc/encoders.texi index 5d75b8ec32..9821151551 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -563,6 +563,43 @@ default value is 0 (disabled). @end table +@section libopencore-amrnb + +OpenCORE Adaptive Multi-Rate Narrowband encoder. + +Requires the presence of the libopencore-amrnb headers and library during +configuration. You need to explicitly configure the build with +@code{--enable-libopencore-amrnb --enable-version3}. + +This is a mono-only encoder. Officially it only supports 8000Hz sample rate, +but you can override it by setting @option{strict} to @samp{unofficial} or +lower. + +@subsection Options + +@table @option + +@item b +Set bitrate in bits per second. Only the following bitrates are supported, +otherwise libavcodec will round to the nearest valid bitrate. + +@table @option +@item 4750 +@item 5150 +@item 5900 +@item 6700 +@item 7400 +@item 7950 +@item 10200 +@item 12200 +@end table + +@item dtx +Allow discontinuous transmission (generate comfort noise) when set to 1. The +default value is 0 (disabled). + +@end table + @c man end AUDIO ENCODERS @chapter Video Encoders From be5fef6e0d75dedbd907f057004d9c584f3b63ee Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Tue, 18 Jun 2013 16:01:43 -0700 Subject: [PATCH 0503/1037] doc/decoders: Document libgsm decoder Signed-off-by: Michael Niedermayer (cherry picked from commit c16496c3770fa083472ab86146c18dc96c1feea7) Signed-off-by: Timothy Gu --- doc/decoders.texi | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/decoders.texi b/doc/decoders.texi index 7d639b98b3..4885607801 100644 --- a/doc/decoders.texi 
+++ b/doc/decoders.texi @@ -68,6 +68,16 @@ libcelt allows libavcodec to decode the Xiph CELT ultra-low delay audio codec. Requires the presence of the libcelt headers and library during configuration. You need to explicitly configure the build with @code{--enable-libcelt}. +@section libgsm + +libgsm decoder wrapper + +libgsm allows libavcodec to decode the GSM full rate audio codec. Requires +the presence of the libgsm headers and library during configuration. You need +to explicitly configure the build with @code{--enable-libgsm}. + +This decoder supports both the ordinary GSM and the Microsoft variant. + @c man end AUDIO DECODERS @chapter Subtitles Decoders From 23633f49250f36fb9a7996bff405b074458d6786 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Thu, 20 Jun 2013 16:33:49 -0700 Subject: [PATCH 0504/1037] doc/decoders: Document libilbc decoder Signed-off-by: Michael Niedermayer (cherry picked from commit 8cdea50f6eee1271e24ff0c9590522f8323e87fe) Signed-off-by: Timothy Gu --- doc/decoders.texi | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/decoders.texi b/doc/decoders.texi index 4885607801..f3e57a0ef0 100644 --- a/doc/decoders.texi +++ b/doc/decoders.texi @@ -78,6 +78,27 @@ to explicitly configure the build with @code{--enable-libgsm}. This decoder supports both the ordinary GSM and the Microsoft variant. +@section libilbc + +libilbc decoder wrapper + +libilbc allows libavcodec to decode the Internet Low Bitrate Codec (iLBC) +audio codec. Requires the presence of the libilbc headers and library during +configuration. You need to explicitly configure the build with +@code{--enable-libilbc}. + +@subsection Options + +The following option is supported by the libilbc wrapper. + +@table @option +@item enhance + +Enable the enhancement of the decoded audio when set to 1. The default +value is 0 (disabled). + +@end table + @c man end AUDIO DECODERS @chapter Subtitles Decoders 
From 9fb9419b02ca0176a47181267a597dd9adef3de0 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Thu, 20 Jun 2013 20:08:35 -0700 Subject: [PATCH 0505/1037] doc/decoders: Document libopencore-amrnb decoder Signed-off-by: Michael Niedermayer (cherry picked from commit b43860ee0c27279f2fa020ea965c03d359f8f45c) Signed-off-by: Timothy Gu --- doc/decoders.texi | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/decoders.texi b/doc/decoders.texi index f3e57a0ef0..08f8df8074 100644 --- a/doc/decoders.texi +++ b/doc/decoders.texi @@ -99,6 +99,18 @@ value is 0 (disabled). @end table +@section libopencore-amrnb + +libopencore-amrnb decoder wrapper + +libopencore-amrnb allows libavcodec to decode the Adaptive Multi-Rate +Narrowband audio codec. Using it requires the presence of the +libopencore-amrnb headers and library during configuration. You need to +explicitly configure the build with @code{--enable-libopencore-amrnb}. + +An FFmpeg native decoder for AMR-NB exists, so users can decode AMR-NB +without this library. + @c man end AUDIO DECODERS @chapter Subtitles Decoders From e36a005749f2b26719f106c44d1a7aa9c113c2f0 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Fri, 21 Jun 2013 18:17:21 +0200 Subject: [PATCH 0506/1037] doc/decoders: Add libopencore-amrwb decoder doc Signed-off-by: Stefano Sabatini (cherry picked from commit 83647ace735d1707d4b28345ef77fefe525ea52e) Signed-off-by: Timothy Gu --- doc/decoders.texi | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/decoders.texi b/doc/decoders.texi index 08f8df8074..345540b9f8 100644 --- a/doc/decoders.texi +++ b/doc/decoders.texi 
@@ -111,6 +111,18 @@ explicitly configure the build with @code{--enable-libopencore-amrnb}. An FFmpeg native decoder for AMR-NB exists, so users can decode AMR-NB without this library. +@section libopencore-amrwb + +libopencore-amrwb decoder wrapper. + +libopencore-amrwb allows libavcodec to decode the Adaptive Multi-Rate +Wideband audio codec. Using it requires the presence of the +libopencore-amrwb headers and library during configuration. You need to +explicitly configure the build with @code{--enable-libopencore-amrwb}. + +An FFmpeg native decoder for AMR-WB exists, so users can decode AMR-WB +without this library. + @c man end AUDIO DECODERS @chapter Subtitles Decoders From 68c9f5cf64ab58b6b91259ca959dd84c25721f5a Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Thu, 27 Jun 2013 18:50:54 -0700 Subject: [PATCH 0507/1037] doc/encoders: alphabetically list the encoders Signed-off-by: Stefano Sabatini (cherry picked from commit 934df3b0375743ae2b03168a4174edb9f88a6889) Signed-off-by: Timothy Gu Conflicts: doc/encoders.texi --- doc/encoders.texi | 74 +++++++++++++++++++++++------------------------ 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index 9821151551..17bb079a8f 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi 
@@ -441,6 +441,43 @@ Enables the the encoder to use (on a frame by frame basis) either L/R stereo or mid/side stereo. @end multitable +@section libopencore-amrnb + +OpenCORE Adaptive Multi-Rate Narrowband encoder. + +Requires the presence of the libopencore-amrnb headers and library during +configuration. You need to explicitly configure the build with +@code{--enable-libopencore-amrnb --enable-version3}. + +This is a mono-only encoder. Officially it only supports 8000Hz sample rate, +but you can override it by setting @option{strict} to @samp{unofficial} or +lower. + +@subsection Options + +@table @option + +@item b +Set bitrate in bits per second. Only the following bitrates are supported, +otherwise libavcodec will round to the nearest valid bitrate. + +@table @option +@item 4750 +@item 5150 +@item 5900 +@item 6700 +@item 7400 +@item 7950 +@item 10200 +@item 12200 +@end table + +@item dtx +Allow discontinuous transmission (generate comfort noise) when set to 1. The +default value is 0 (disabled). + +@end table + @section libtwolame TwoLAME MP2 encoder wrapper 
@@ -563,43 +600,6 @@ default value is 0 (disabled). @end table -@section libopencore-amrnb - -OpenCORE Adaptive Multi-Rate Narrowband encoder. - -Requires the presence of the libopencore-amrnb headers and library during -configuration. You need to explicitly configure the build with -@code{--enable-libopencore-amrnb --enable-version3}. - -This is a mono-only encoder. Officially it only supports 8000Hz sample rate, -but you can override it by setting @option{strict} to @samp{unofficial} or -lower. - -@subsection Options - -@table @option - -@item b -Set bitrate in bits per second. Only the following bitrates are supported, -otherwise libavcodec will round to the nearest valid bitrate. - -@table @option -@item 4750 -@item 5150 -@item 5900 -@item 6700 -@item 7400 -@item 7950 -@item 10200 -@item 12200 -@end table - -@item dtx -Allow discontinuous transmission (generate comfort noise) when set to 1. The -default value is 0 (disabled). - -@end table - @c man end AUDIO ENCODERS @chapter Video Encoders From 5582cfd0e44b87947a4cd846eca06be937ec3b09 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Thu, 27 Jun 2013 19:07:32 -0700 Subject: [PATCH 0508/1037] doc/decoders: document libopus decoder Signed-off-by: Stefano Sabatini (cherry picked from commit 7eb5288f17aad81d5bd1b4d3d46533e457df262c) Signed-off-by: Timothy Gu --- doc/decoders.texi | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/decoders.texi b/doc/decoders.texi index 345540b9f8..cdcbe6515b 100644 --- a/doc/decoders.texi +++ b/doc/decoders.texi 
@@ -123,6 +123,15 @@ explicitly configure the build with @code{--enable-libopencore-amrwb}. An FFmpeg native decoder for AMR-WB exists, so users can decode AMR-WB without this library. +@section libopus + +libopus decoder wrapper. + +libopus allows libavcodec to decode the Opus Interactive Audio Codec. +Requires the presence of the libopus headers and library during +configuration. You need to explicitly configure the build with +@code{--enable-libopus}. + @c man end AUDIO DECODERS @chapter Subtitles Decoders From ee9a440f49a7e205d0190623c76f2e85ff160bc0 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Tue, 2 Jul 2013 19:32:27 -0700 Subject: [PATCH 0509/1037] doc/muxers: Add AIFF doc Signed-off-by: Stefano Sabatini (cherry picked from commit 4ec46b1160eb549a551823c168905b43922add31) Signed-off-by: Timothy Gu --- doc/muxers.texi | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/doc/muxers.texi b/doc/muxers.texi index 3c6415f112..33cbb7859e 100644 --- a/doc/muxers.texi +++ b/doc/muxers.texi @@ -18,6 +18,23 @@ enabled muxers. A description of some of the currently available muxers follows. +@anchor{aiff} +@section aiff + +Audio Interchange File Format muxer. + +It accepts the following options: + +@table @option +@item write_id3v2 +Enable ID3v2 tags writing when set to 1. Default is 0 (disabled). + +@item id3v2_version +Select ID3v2 version to write. Currently only version 3 and 4 (aka. +ID3v2.3 and ID3v2.4) are supported. The default is version 4. + +@end table + @anchor{crc} @section crc From e5162b3bc9b0b6f8c9e27ece798932cb50253ebf Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Fri, 5 Jul 2013 20:37:18 -0700 Subject: [PATCH 0510/1037] doc/encoders: add libopus encoder doc Signed-off-by: Stefano Sabatini (cherry picked from commit 561e05136f1cbe28a79af1940aa137f70281eef4) Signed-off-by: Timothy Gu Conflicts: doc/encoders.texi --- doc/encoders.texi | 73 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) 
diff --git a/doc/encoders.texi b/doc/encoders.texi index 17bb079a8f..d09a4ea599 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi 
@@ -600,6 +600,79 @@ default value is 0 (disabled). @end table +@section libopus + +libopus Opus Interactive Audio Codec encoder wrapper. + +Requires the presence of the libopus headers and library during +configuration. You need to explicitly configure the build with +@code{--enable-libopus}. + +@subsection Option Mapping + +Most libopus options are modeled after the @command{opusenc} utility from +opus-tools. The following is an option mapping chart describing options +supported by the libopus wrapper, and their @command{opusenc}-equivalent +in parentheses. + +@table @option + +@item b (@emph{bitrate}) +Set the bit rate in bits/s. FFmpeg's @option{b} option is +expressed in bits/s, while @command{opusenc}'s @option{bitrate} in +kilobits/s. + +@item vbr (@emph{vbr}, @emph{hard-cbr}, and @emph{cvbr}) +Set VBR mode. The FFmpeg @option{vbr} option has the following +valid arguments, with the their @command{opusenc} equivalent options +in parentheses: + +@table @samp +@item off (@emph{hard-cbr}) +Use constant bit rate encoding. + +@item on (@emph{vbr}) +Use variable bit rate encoding (the default). + +@item constrained (@emph{cvbr}) +Use constrained variable bit rate encoding. +@end table + +@item compression_level (@emph{comp}) +Set encoding algorithm complexity. Valid options are integers in +the 0-10 range. 0 gives the fastest encodes but lower quality, while 10 +gives the highest quality but slowest encoding. The default is 10. + +@item frame_duration (@emph{framesize}) +Set maximum frame size, or duration of a frame in milliseconds. The +argument must be exactly the following: 2.5, 5, 10, 20, 40, 60. Smaller +frame sizes achieve lower latency but less quality at a given bitrate. +Sizes greater than 20ms are only interesting at fairly low bitrates. +The default of FFmpeg is 10ms, but is 20ms in @command{opusenc}. + +@item packet_loss (@emph{expect-loss}) +Set expected packet loss percentage. The default is 0. + +@item application (N.A.) 
+Set intended application type. Valid options are listed below: + +@table @samp +@item voip +Favor improved speech intelligibility. +@item audio +Favor faithfulness to the input (the default). +@item lowdelay +Restrict to only the lowest delay modes. +@end table + +@item cutoff (N.A.) +Set cutoff bandwidth in Hz. The argument must be exactly one of the +following: 4000, 6000, 8000, 12000, or 20000, corresponding to +narrowband, mediumband, wideband, super wideband, and fullband +respectively. The default is 0 (cutoff disabled). + +@end table + @c man end AUDIO ENCODERS @chapter Video Encoders From 57588cda7bec6fe2df72feacf143a8ef3f5ab3fe Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Mon, 29 Jul 2013 19:12:10 -0700 Subject: [PATCH 0511/1037] doc/encoders: add libxvid doc Signed-off-by: Stefano Sabatini (cherry picked from commit 6b255e5e70c72aa59ff7aed74b4ee976223eb140) Signed-off-by: Timothy Gu Conflicts: doc/encoders.texi --- doc/encoders.texi | 113 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) diff --git a/doc/encoders.texi b/doc/encoders.texi index d09a4ea599..1f06dee2ac 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi 
@@ -894,4 +894,117 @@ ffmpeg -i foo.mpg -vcodec libx264 -x264opts keyint=123:min-keyint=20 -an out.mkv For more information about libx264 and the supported options see: @url{http://www.videolan.org/developers/x264.html} +@section libxvid + +Xvid MPEG-4 Part 2 encoder wrapper. + +This encoder requires the presence of the libxvidcore headers and library +during configuration. You need to explicitly configure the build with +@code{--enable-libxvid --enable-gpl}. + +The native @code{mpeg4} encoder supports the MPEG-4 Part 2 format, so +users can encode to this format without this library. + +@subsection Options + +The following options are supported by the libxvid wrapper. Some of +the following options are listed but are not documented, and +correspond to shared codec options. See @ref{codec-options,,the Codec +Options chapter} for their documentation. The other shared options +which are not listed have no effect for the libxvid encoder. + +@table @option +@item b + +@item g + +@item qmin + +@item qmax + +@item mpeg_quant + +@item threads + +@item bf + +@item b_qfactor + +@item b_qoffset + +@item flags +Set specific encoding flags. Possible values: + +@table @samp + +@item mv4 +Use four motion vector by macroblock. + +@item aic +Enable high quality AC prediction. + +@item gray +Only encode grayscale. + +@item gmc +Enable the use of global motion compensation (GMC). + +@item qpel +Enable quarter-pixel motion compensation. + +@item cgop +Enable closed GOP. + +@item global_header +Place global headers in extradata instead of every keyframe. + +@end table + +@item trellis + +@item me_method +Set motion estimation method. Possible values in decreasing order of +speed and increasing order of quality: + +@table @samp +@item zero +Use no motion estimation (default). + +@item phods +@item x1 +@item log +Enable advanced diamond zonal search for 16x16 blocks and half-pixel +refinement for 16x16 blocks. @samp{x1} and @samp{log} are aliases for +@samp{phods}. 
+ +@item epzs +Enable all of the things described above, plus advanced diamond zonal +search for 8x8 blocks, half-pixel refinement for 8x8 blocks, and motion +estimation on chroma planes. + +@item full +Enable all of the things described above, plus extended 16x16 and 8x8 +blocks search. +@end table + +@item mbd +Set macroblock decision algorithm. Possible values in the increasing +order of quality: + +@table @samp +@item simple +Use macroblock comparing function algorithm (default). + +@item bits +Enable rate distortion-based half pixel and quarter pixel refinement for +16x16 blocks. + +@item rd +Enable all of the things described above, plus rate distortion-based +half pixel and quarter pixel refinement for 8x8 blocks, and rate +distortion-based search using square pattern. +@end table + +@end table + @c man end VIDEO ENCODERS From 19382a2a1062d153d5ae8738022991749335bbe6 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sat, 6 Apr 2013 01:43:01 +0200 Subject: [PATCH 0512/1037] doc/filters: review introductory example and explanation In particular, fix wrong vertical mirroring command, and clarify and extend explanation. Based on a patch by littlebat . Should fix trac ticket #2413. (cherry picked from commit 215ca864759a54f45265a51ac57dbfd75cb23da2) Signed-off-by: Timothy Gu Conflicts: doc/filters.texi --- doc/filters.texi | 39 +++++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/doc/filters.texi b/doc/filters.texi index 9d6c2b86e5..ce7bbb45f8 100644 --- a/doc/filters.texi +++ b/doc/filters.texi 
@@ -3,10 +3,10 @@ Filtering in FFmpeg is enabled through the libavfilter library. -In libavfilter, it is possible for filters to have multiple inputs and -multiple outputs. -To illustrate the sorts of things that are possible, we can -use a complex filter graph. For example, the following one: +In libavfilter, a filter can have multiple inputs and multiple +outputs. +To illustrate the sorts of things that are possible, we consider the +following filtergraph. @example input --> split ---------------------> overlay --> output 
@@ -15,25 +15,32 @@ input --> split ---------------------> overlay --> output +-----> crop --> vflip -------+ @end example -splits the stream in two streams, sends one stream through the crop filter -and the vflip filter before merging it back with the other stream by -overlaying it on top. You can use the following command to achieve this: +This filtergraph splits the input stream in two streams, sends one +stream through the crop filter and the vflip filter before merging it +back with the other stream by overlaying it on top. You can use the +following command to achieve this: @example -ffmpeg -i input -vf "[in] split [T1], [T2] overlay=0:H/2 [out]; [T1] crop=iw:ih/2:0:ih/2, vflip [T2]" output +ffmpeg -i INPUT -vf "split [main][tmp]; [tmp] crop=iw:ih/2:0:0, vflip [flip]; [main][flip] overlay=0:H/2" OUTPUT @end example The result will be that in output the top half of the video is mirrored onto the bottom half. -Filters are loaded using the @var{-vf} or @var{-af} option passed to -@command{ffmpeg} or to @command{ffplay}. Filters in the same linear -chain are separated by commas. In our example, @var{split, -overlay} are in one linear chain, and @var{crop, vflip} are in -another. The points where the linear chains join are labeled by names -enclosed in square brackets. In our example, that is @var{[T1]} and -@var{[T2]}. The special labels @var{[in]} and @var{[out]} are the points -where video is input and output. +Filters in the same linear chain are separated by commas, and distinct +linear chains of filters are separated by semicolons. In our example, +@var{crop,vflip} are in one linear chain, @var{split} and +@var{overlay} are separately in another. The points where the linear +chains join are labelled by names enclosed in square brackets. In the +example, the split filter generates two outputs that are associated to +the labels @var{[main]} and @var{[tmp]}. 
+ +The stream sent to the second output of @var{split}, labelled as +@var{[tmp]}, is processed through the @var{crop} filter, which crops +away the lower half part of the video, and then vertically flipped. The +@var{overlay} filter takes in input the first unchanged output of the +split filter (which was labelled as @var{[main]}), and overlay on its +lower half the output generated by the @var{crop,vflip} filterchain. Some filters take in input a list of parameters: they are specified after the filter name and an equal sign, and are separated from each other From 1feef46b9033f0cac0982f67856f804ace0dcce3 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sat, 27 Jul 2013 16:50:19 +0200 Subject: [PATCH 0513/1037] doc/codecs: fix dangling reference to codec-options chapter (cherry picked from commit b4bd21b7fe2ad8be59b16538448586814e5db65b) Signed-off-by: Timothy Gu Conflicts: doc/codecs.texi doc/encoders.texi --- doc/ffmpeg-codecs.texi | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/ffmpeg-codecs.texi b/doc/ffmpeg-codecs.texi index b6d123a7da..e94c216ac3 100644 --- a/doc/ffmpeg-codecs.texi +++ b/doc/ffmpeg-codecs.texi @@ -17,6 +17,7 @@ the libavcodec library. @c man end DESCRIPTION +@anchor{codec-options} @chapter Codec Options @c man begin CODEC OPTIONS From e4a49ae561cbd651fb3c1b23d5479de9ee6ead5f Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Tue, 19 Mar 2013 20:34:42 +0100 Subject: [PATCH 0514/1037] doc/texi2pod.pl: skip printing chapter names if they are disabled (cherry picked from commit c838701ce4515bd51f7827be0b20f256ba5c69f3) Signed-off-by: Timothy Gu --- doc/texi2pod.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/texi2pod.pl b/doc/texi2pod.pl index 8790563131..104b337071 100755 --- a/doc/texi2pod.pl +++ b/doc/texi2pod.pl 
@@ -121,7 +121,7 @@ INF: while(<$inf>) { $chapters{$chapter_name} .= postprocess($chapter) if ($chapter_name); # start new chapter - $chapter_name = $1, push (@chapters_sequence, $chapter_name); + $chapter_name = $1, push (@chapters_sequence, $chapter_name) unless $skipping; $chapters{$chapter_name} = "" unless exists $chapters{$chapter_name}; $chapter = ""; $output = 1; From 2892b01227d9b1e829b428591ce6fd2a30aae67a Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sat, 12 Jan 2013 00:53:42 +0100 Subject: [PATCH 0515/1037] doc/texipod: add rule to correctly interpret @ref{ANCHOR,XREF,SECTION_NAME,...} This allows to name an internal reference in the POD/MAN output. (cherry picked from commit c499d45c6bea8d7bbbb7a819c53fe9766136bf29) Signed-off-by: Timothy Gu --- doc/texi2pod.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/texi2pod.pl b/doc/texi2pod.pl index 104b337071..c7f1125deb 100755 --- a/doc/texi2pod.pl +++ b/doc/texi2pod.pl @@ -361,6 +361,7 @@ sub postprocess s/\(?\@xref\{(?:[^\}]*)\}(?:[^.<]|(?:<[^<>]*>))*\.\)?//g; s/\s+\(\@pxref\{(?:[^\}]*)\}\)//g; s/;\s+\@pxref\{(?:[^\}]*)\}//g; + s/\@ref\{(?:[^,]*,)(?:[^,]*,)([^,\}]*).*\}/$1/g; s/\@ref\{([^\}]*)\}/$1/g; s/\@noindent\s*//g; s/\@refill//g; From bd055c17682f5ee7dd94c7bcf318577fb4a10f3d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 23 Jan 2013 11:43:37 +0100 Subject: [PATCH 0516/1037] doc: support multitable in texi2pod (cherry picked from commit 5ea5ffc9cee1b91eed471fff2f51d771222cf8d2) Signed-off-by: Timothy Gu --- doc/texi2pod.pl | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/doc/texi2pod.pl b/doc/texi2pod.pl index c7f1125deb..fbb1d9aacb 100755 --- a/doc/texi2pod.pl +++ b/doc/texi2pod.pl 
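Review bot: The `unless $skipping` modifier on the `# start new chapter` line guards only the assignment and the `push`. The statements after it (`$chapters{$chapter_name} = "" unless exists ...`, `$chapter = ""`, `$output = 1`) still run for a skipped chapter. If the first `@chapter` seen is inside a skipped region, `$chapter_name` may still be unset when it is used as a hash key; whether that can happen depends on loop code outside this hunk. A block form shows the intent more clearly than the comma expression: `unless ($skipping) { $chapter_name = $1; push @chapters_sequence, $chapter_name; }`, with a comment saying which of the following lines are meant to run while skipping.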
@@ -169,7 +169,7 @@ INF: while(<$inf>) { } elsif ($ended =~ /^(?:example|smallexample|display)$/) { $shift = ""; $_ = ""; # need a paragraph break - } elsif ($ended =~ /^(?:itemize|enumerate|[fv]?table)$/) { + } elsif ($ended =~ /^(?:itemize|enumerate|(?:multi|[fv])?table)$/) { $_ = "\n=back\n"; $ic = pop @icstack; } else { @@ -269,7 +269,7 @@ INF: while(<$inf>) { $endw = "enumerate"; }; - /^\@([fv]?table)\s+(\@[a-z]+)/ and do { + /^\@((?:multi|[fv])?table)\s+(\@[a-z]+)/ and do { push @endwstack, $endw; push @icstack, $ic; $endw = $1; @@ -278,6 +278,7 @@ INF: while(<$inf>) { $ic =~ s/\@(?:code|kbd)/C/; $ic =~ s/\@(?:dfn|var|emph|cite|i)/I/; $ic =~ s/\@(?:file)/F/; + $ic =~ s/\@(?:columnfractions)//; $_ = "\n=over 4\n"; }; @@ -288,6 +289,21 @@ INF: while(<$inf>) { $_ = ""; # need a paragraph break }; + /^\@item\s+(.*\S)\s*$/ and $endw eq "multitable" and do { + my $columns = $1; + $columns =~ s/\@tab/ : /; + + $_ = "\n=item B<". $columns .">\n"; + }; + + /^\@tab\s+(.*\S)\s*$/ and $endw eq "multitable" and do { + my $columns = $1; + $columns =~ s/\@tab/ : /; + + $_ = " : ". $columns; + $section =~ s/\n+\s+$//; + }; + /^\@itemx?\s*(.+)?$/ and do { if (defined $1) { # Entity escapes prevent munging by the <> processing below. From de1609bc2d0f9259c344cb9574859ab4a288d521 Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Sat, 26 Jan 2013 15:10:55 +0100 Subject: [PATCH 0517/1037] doc/texi2pod: fix warnings introduced in e7e14bc69a606a6bec82efef729263cd38f122d4 The variable "$section" was replaced by "$chapter". (cherry picked from commit c0c06c1bba80c4bee162a3c40eec678ddc65571d) Signed-off-by: Timothy Gu --- doc/texi2pod.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/texi2pod.pl b/doc/texi2pod.pl index fbb1d9aacb..fc23c7bcb6 100755 --- a/doc/texi2pod.pl +++ b/doc/texi2pod.pl 
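Review bot: In the two new multitable handlers, `$columns =~ s/\@tab/ : /;` has no `/g`, so only the first `@tab` in a row is rewritten. A row with three or more columns would keep a literal `@tab` in the generated POD. `$columns =~ s/\@tab/ : /g;` handles any column count in both the `@item` and the `@tab` handler.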
@@ -301,7 +301,7 @@ INF: while(<$inf>) { $columns =~ s/\@tab/ : /; $_ = " : ". $columns; - $section =~ s/\n+\s+$//; + $chapter =~ s/\n+\s+$//; }; /^\@itemx?\s*(.+)?$/ and do { From b7a4b4c145eae1d070a313250e6f0f66e8519c2a Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Thu, 7 Mar 2013 01:43:39 +0100 Subject: [PATCH 0518/1037] doc/texi2pod: fix @ref substitution rule, disallow "}" within the fields Fix potential spurious substitution. (cherry picked from commit 9167db3829f360f241255d4240ba6b7135ab4111) Signed-off-by: Timothy Gu --- doc/texi2pod.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/texi2pod.pl b/doc/texi2pod.pl index fc23c7bcb6..610f349afb 100755 --- a/doc/texi2pod.pl +++ b/doc/texi2pod.pl @@ -377,7 +377,7 @@ sub postprocess s/\(?\@xref\{(?:[^\}]*)\}(?:[^.<]|(?:<[^<>]*>))*\.\)?//g; s/\s+\(\@pxref\{(?:[^\}]*)\}\)//g; s/;\s+\@pxref\{(?:[^\}]*)\}//g; - s/\@ref\{(?:[^,]*,)(?:[^,]*,)([^,\}]*).*\}/$1/g; + s/\@ref\{(?:[^,\}]*,)(?:[^,\}]*,)([^,\}]*).*\}/$1/g; s/\@ref\{([^\}]*)\}/$1/g; s/\@noindent\s*//g; s/\@refill//g; From f7fcd40e63fd36f3b158379318b5805a58b79b73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2013 04:00:30 +0200 Subject: [PATCH 0519/1037] matroska_read_seek: Fix used streams for subtitle index compensation Might fix Ticket1907 (I have no testcase so i cant test) Signed-off-by: Michael Niedermayer (cherry picked from commit 4758e32a6c48044f77102a49110c79b4f338f648) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index fe4b70cd73..860a9fdfc7 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
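Review bot: The tightened three-field `@ref` rule still ends in a greedy `.*\}`, so on a line holding two references the first match runs to the last `}` and swallows the text and the second `@ref` in between. Bounding the tail the same way as the fields keeps each match inside its own braces: `s/\@ref\{(?:[^,\}]*,)(?:[^,\}]*,)([^,\}]*)[^\}]*\}/$1/g;`. A one-line comment naming the `@ref{ANCHOR,XREF,SECTION_NAME,...}` form would also help, since the rule right after it handles the remaining `@ref` forms.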
@@ -2418,10 +2418,11 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, if (tracks[i].type == MATROSKA_TRACK_TYPE_SUBTITLE && tracks[i].stream->discard != AVDISCARD_ALL) { index_sub = av_index_search_timestamp(tracks[i].stream, st->index_entries[index].timestamp, AVSEEK_FLAG_BACKWARD); - if (index_sub >= 0 - && st->index_entries[index_sub].pos < st->index_entries[index_min].pos - && st->index_entries[index].timestamp - st->index_entries[index_sub].timestamp < 30000000000/matroska->time_scale) - index_min = index_sub; + while(index_sub >= 0 + && index_min >= 0 + && tracks[i].stream->index_entries[index_sub].pos < st->index_entries[index_min].pos + && st->index_entries[index].timestamp - tracks[i].stream->index_entries[index_sub].timestamp < 30000000000/matroska->time_scale) + index_min--; } } From a2e7fd406c5b1d9095fe198c72007e4136ef5e93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 23:14:32 +0200 Subject: [PATCH 0520/1037] avcodec/pngdsp: fix (un)signed type in end comparission Fixes out of array accesses Fixes Ticket2919 Found_by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 86736f59d6a527d8bc807d09b93f971c0fe0bb07) --- libavcodec/pngdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdsp.c b/libavcodec/pngdsp.c index 1ee8b57bc9..38ee458f8d 100644 --- a/libavcodec/pngdsp.c +++ b/libavcodec/pngdsp.c @@ -30,7 +30,7 @@ static void add_bytes_l2_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w) { long i; - for (i = 0; i <= w - sizeof(long); i += sizeof(long)) { + for (i = 0; i <= w - (int)sizeof(long); i += sizeof(long)) { long a = *(long *)(src1 + i); long b = *(long *)(src2 + i); *(long *)(dst + i) = ((a & pb_7f) + (b & pb_7f)) ^ ((a ^ b) & pb_80); From 890c36d7ff1a12641c9fe5c84db4398dfb493fc5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 03:43:49 +0200 Subject: [PATCH 0521/1037] avcodec/ffv1dec: check global header version 
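Review bot: The new `while` loop in matroska_read_seek ends only when `index_min >= 0` fails, so it can leave `index_min` at -1 if the condition still holds at entry 0. The code that consumes `index_min` is outside this hunk, but if it indexes `st->index_entries[index_min]` that is a read before the start of the array. Using `index_min > 0` in the loop condition keeps the result a valid index. Since the body changes only `index_min`, a short comment saying that the loop walks the seek target back until it precedes the subtitle entry would make the intent clear.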
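Review bot: The `(int)` cast in the `add_bytes_l2_c` loop bound is the entire fix, and nothing on the line says why it is there, so a later cleanup could remove it again. A comment above the loop would record it: `/* sizeof is unsigned: without the cast, w < sizeof(long) makes the bound wrap to a huge value */`. The same comment applies to the two loops in libavcodec/dsputil.c (`add_bytes_c` and `diff_bytes_c`) that receive the identical cast in the dsputil commit further down.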
Signed-off-by: Michael Niedermayer (cherry picked from commit 20b965a1a43ae88b7ae95635d5a3570e7dc2bbd4) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index a1da544697..69930d8ea8 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -447,6 +447,10 @@ static int read_extra_header(FFV1Context *f) ff_build_rac_states(c, 0.05 * (1LL << 32), 256 - 8); f->version = get_symbol(c, state, 0); + if (f->version < 2) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid version in global header\n"); + return AVERROR_INVALIDDATA; + } if (f->version > 2) { c->bytestream_end -= 4; f->minor_version = get_symbol(c, state, 0); From df2fc635439df6d5ab84d50ae96acb0da07f941e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 04:51:09 +0200 Subject: [PATCH 0522/1037] ffv1dec: check that global parameters dont change in version 0/1 Such changes are not allowed nor supported Fixes Ticket2906 Found-by: ami_stuff Signed-off-by: Michael Niedermayer (cherry picked from commit 547d690d676064069d44703a1917e0dab7e33445) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 69930d8ea8..8f5f5044fa 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -528,6 +528,7 @@ static int read_header(FFV1Context *f) memset(state, 128, sizeof(state)); if (f->version < 2) { + int chroma_planes, chroma_h_shift, chroma_v_shift, transparency; unsigned v= get_symbol(c, state, 0); if (v >= 2) { av_log(f->avctx, AV_LOG_ERROR, "invalid version %d in ver01 header\n", v); 
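Review bot: In read_extra_header, `f->version` is assigned from the bitstream before the new range check, so a rejected header still leaves the out-of-range value in the context. Reading into a local first (`int version = get_symbol(c, state, 0);`) and storing `f->version = version;` only after the check avoids that. The error text also omits the value, unlike `"invalid version %d in ver01 header\n"` in read_header; `"Invalid version %d in global header\n"` would make reports easier to triage. The function continues outside this hunk, so whether an upper bound on the version is enforced later cannot be seen here.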
@@ -545,10 +546,26 @@ static int read_header(FFV1Context *f) if (f->version > 0) f->avctx->bits_per_raw_sample = get_symbol(c, state, 0); - f->chroma_planes = get_rac(c, state); - f->chroma_h_shift = get_symbol(c, state, 0); - f->chroma_v_shift = get_symbol(c, state, 0); - f->transparency = get_rac(c, state); + chroma_planes = get_rac(c, state); + chroma_h_shift = get_symbol(c, state, 0); + chroma_v_shift = get_symbol(c, state, 0); + transparency = get_rac(c, state); + + if (f->plane_count) { + if ( chroma_planes != f->chroma_planes + || chroma_h_shift!= f->chroma_h_shift + || chroma_v_shift!= f->chroma_v_shift + || transparency != f->transparency) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid change of global parameters\n"); + return AVERROR_INVALIDDATA; + } + } + + f->chroma_planes = chroma_planes; + f->chroma_h_shift = chroma_h_shift; + f->chroma_v_shift = chroma_v_shift; + f->transparency = transparency; + f->plane_count = 2 + f->transparency; } From f78a3868fd3d8f66da68338c0783aa15f98833bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 06:08:32 +0200 Subject: [PATCH 0523/1037] ffv1dec: Check bits_per_raw_sample and colorspace for equality in ver 0/1 headers Signed-off-by: Michael Niedermayer (cherry picked from commit b05cd1ea7e45a836f7f6071a716c38bb30326e0f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 8f5f5044fa..a3afa14845 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -528,7 +528,7 @@ static int read_header(FFV1Context *f) memset(state, 128, sizeof(state)); if (f->version < 2) { - int chroma_planes, chroma_h_shift, chroma_v_shift, transparency; + int chroma_planes, chroma_h_shift, chroma_v_shift, transparency, colorspace, bits_per_raw_sample; unsigned v= get_symbol(c, state, 0); if (v >= 2) { av_log(f->avctx, AV_LOG_ERROR, "invalid version %d in ver01 header\n", v); 
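Review bot: The comparison block is gated on `f->plane_count`, which acts as a "header already parsed" flag only because `f->plane_count = 2 + f->transparency;` at the end of this branch is presumably never zero. Nothing in the hunk states that. A comment above `if (f->plane_count) {` would document it, for example `/* plane_count is nonzero once a header has been parsed: later headers must repeat the same parameters */`. This assumes the field starts at zero for a fresh context, which is set outside the hunk.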
@@ -541,18 +541,17 @@ static int read_header(FFV1Context *f) f->state_transition[i] = get_symbol(c, state, 1) + c->one_state[i]; } - f->colorspace = get_symbol(c, state, 0); //YUV cs type - - if (f->version > 0) - f->avctx->bits_per_raw_sample = get_symbol(c, state, 0); - + colorspace = get_symbol(c, state, 0); //YUV cs type + bits_per_raw_sample = f->version > 0 ? get_symbol(c, state, 0) : f->avctx->bits_per_raw_sample; chroma_planes = get_rac(c, state); chroma_h_shift = get_symbol(c, state, 0); chroma_v_shift = get_symbol(c, state, 0); transparency = get_rac(c, state); if (f->plane_count) { - if ( chroma_planes != f->chroma_planes + if ( colorspace != f->colorspace + || bits_per_raw_sample != f->avctx->bits_per_raw_sample + || chroma_planes != f->chroma_planes || chroma_h_shift!= f->chroma_h_shift || chroma_v_shift!= f->chroma_v_shift || transparency != f->transparency) { @@ -561,6 +560,8 @@ static int read_header(FFV1Context *f) } } + f->colorspace = colorspace; + f->avctx->bits_per_raw_sample = bits_per_raw_sample; f->chroma_planes = chroma_planes; f->chroma_h_shift = chroma_h_shift; f->chroma_v_shift = chroma_v_shift; From 558d0b9483d0eecf9718986516c00b696541c693 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 23:40:47 +0200 Subject: [PATCH 0524/1037] avcodec/dsputil: fix signedness in sizeof() comparissions Signed-off-by: Michael Niedermayer (cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760) Signed-off-by: Michael Niedermayer --- libavcodec/dsputil.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c index 7314215387..b1b0c0c57d 100644 --- a/libavcodec/dsputil.c +++ b/libavcodec/dsputil.c 
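Review bot: The equality check comes after the line `f->state_transition[i] = get_symbol(c, state, 1) + c->one_state[i];`, so a header that is then rejected with "Invalid change of global parameters" has already overwritten the context's state-transition table. Whether a later frame can be decoded with the table left in that state depends on code outside the hunk. If it can, parse the table into a local array and copy it into `f` after the check, in the same way the other fields are now staged in locals. For version 0 the new `bits_per_raw_sample` comparison is always true because the local is initialised from `f->avctx->bits_per_raw_sample`; a short comment there would save the reader from working that out.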
@@ -1922,7 +1922,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){ static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){ long i; - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ long a = *(long*)(src+i); long b = *(long*)(dst+i); *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80); @@ -1947,7 +1947,7 @@ static void diff_bytes_c(uint8_t *dst, const uint8_t *src1, const uint8_t *src2, } }else #endif - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ long a = *(long*)(src1+i); long b = *(long*)(src2+i); *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80); From 86bf0a8871dfd447709232fc1f4b48e524c9e6df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2013 04:55:35 +0200 Subject: [PATCH 0525/1037] update for 1.1.6 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index e25d8d9f35..0664a8fd29 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.5 +1.1.6 diff --git a/VERSION b/VERSION index e25d8d9f35..0664a8fd29 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.5 +1.1.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index d4b93f549c..daf30c05cc 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.5 +PROJECT_NUMBER = 1.1.6 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From f743c4ece8a857f475fe2e4188c26095fdd9a04d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2013 03:08:25 +0200 Subject: [PATCH 0526/1037] avformat/avidec: match first index and first packet size=0 handling Fixes Ticket2861 
Signed-off-by: Michael Niedermayer (cherry picked from commit 227a0eb5a92409572f2cecde6137529b83e7d495) Conflicts: libavformat/avidec.c --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 14fc2f77e0..248dd2cb13 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1301,7 +1301,7 @@ static int avi_read_idx1(AVFormatContext *s, int size) st = s->streams[index]; ast = st->priv_data; - if(first_packet && first_packet_pos && len) { + if (first_packet && first_packet_pos) { data_offset = first_packet_pos - pos; first_packet = 0; } From e27fab0e6ee045a0f7e3e77fcbb54c8293a172a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Sep 2013 00:21:37 +0200 Subject: [PATCH 0527/1037] avformat/lxfdec: use a parser to parse video frame headers lxf needs a parser (or would need to set a few fields explicitly). Fixes Ticket2917 Signed-off-by: Michael Niedermayer (cherry picked from commit 8349be852be7f68fe0590584fd46c4d5f1c16b3d) --- libavformat/lxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lxfdec.c b/libavformat/lxfdec.c index 90c49749a6..99257397f9 100644 --- a/libavformat/lxfdec.c +++ b/libavformat/lxfdec.c @@ -258,6 +258,7 @@ static int lxf_read_header(AVFormatContext *s) st->codec->bit_rate = 1000000 * ((video_params >> 14) & 0xFF); st->codec->codec_tag = video_params & 0xF; st->codec->codec_id = ff_codec_get_id(lxf_tags, st->codec->codec_tag); + st->need_parsing = AVSTREAM_PARSE_HEADERS; av_log(s, AV_LOG_DEBUG, "record: %x = %i-%02i-%02i\n", record_date, 1900 + (record_date & 0x7F), (record_date >> 7) & 0xF, From c93874c3a8f820312e1e8655bac9c6441589120f Mon Sep 17 00:00:00 2001 
From: Carl Eugen Hoyos Date: Mon, 2 Sep 2013 08:32:24 +0200 Subject: [PATCH 0528/1037] Avoid a deadlock when decoding wma. Fixes ticket #2925. (cherry picked from commit ec8a4841f7e81040f9a2757f23e70dff5e6b33a4) --- libavcodec/wmadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 613a434ab1..7de87dbcd8 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -514,6 +514,10 @@ static int wma_decode_block(WMACodecContext *s) coef escape coding */ total_gain = 1; for(;;) { + if (get_bits_left(&s->gb) < 7) { + av_log(s->avctx, AV_LOG_ERROR, "total_gain overread\n"); + return AVERROR_INVALIDDATA; + } a = get_bits(&s->gb, 7); total_gain += a; if (a != 127) From f1f8c0e558c6b888f8b7d87eadea7469570d6737 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 2 Sep 2013 22:50:00 +0000 Subject: [PATCH 0529/1037] w64dec: fix skipping of unknown guids Regression since 14d50c1. Fixes #2932. Signed-off-by: Paul B Mahol (cherry picked from commit 79b70e47a463057a3a48353ee1dd58671c11f86c) --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index e53d8da9c4..ca1e8edba3 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -655,7 +655,7 @@ static int w64_read_header(AVFormatContext *s) avio_skip(pb, end - avio_tell(pb)); } else { av_log(s, AV_LOG_DEBUG, "unknown guid: "FF_PRI_GUID"\n", FF_ARG_GUID(guid)); - avio_skip(pb, size - 24); + avio_skip(pb, FFALIGN(size, INT64_C(8)) - 24); } } From b438451b7eb855fb5197da24fccf57d590b8c4fd Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 3 Sep 2013 01:03:10 +0000 Subject: [PATCH 0530/1037] w64dec: fix end position of summarylist guid Noticed-by: James Almer Signed-off-by: Paul B Mahol (cherry picked from commit 3e36dc8626f4721ea749286dae40169ee5cb7d04) --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
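Review bot: In the unknown-guid branch of w64_read_header, `FFALIGN(size, INT64_C(8)) - 24` is negative when `size` is below 24, and the alignment can overflow for a `size` close to INT64_MAX. No bound on `size` is visible in this hunk, and the value presumably comes from the file. If the loop does not already reject such values, a check before the chunk dispatch such as `if (size <= 24 || size > INT64_MAX - 8) return AVERROR_INVALIDDATA;` keeps the skip forward-only. The same expression is introduced for `end` in the summarylist branch by the next commit, so the check would cover both.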
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index ca1e8edba3..b71fb016e6 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -629,7 +629,7 @@ static int w64_read_header(AVFormatContext *s) uint32_t count, chunk_size, i; start = avio_tell(pb); - end = start + size; + end = start + FFALIGN(size, INT64_C(8)) - 24; count = avio_rl32(pb); for (i = 0; i < count; i++) { From 1a65ce923a67329beb450ac3502dc023dc94b57b Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 1 Sep 2013 20:20:47 +0200 Subject: [PATCH 0531/1037] Read h264 headers from v4l2 to allow stream-copying. Fixes ticket #2882. Analyzed and tested by William C Bonner. (cherry picked from commit e337c9d56408dc00a15887309488a1ff5cb06ba3) --- libavdevice/v4l2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index b2e5fed27d..88cacd9545 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -882,6 +882,9 @@ static int v4l2_read_header(AVFormatContext *s1) if (codec_id == AV_CODEC_ID_RAWVIDEO) st->codec->codec_tag = avcodec_pix_fmt_to_codec_tag(st->codec->pix_fmt); + else if (codec_id == AV_CODEC_ID_H264) { + st->need_parsing = AVSTREAM_PARSE_HEADERS; + } if (desired_format == V4L2_PIX_FMT_YVU420) st->codec->codec_tag = MKTAG('Y', 'V', '1', '2'); st->codec->width = s->width; From 251b4655be73f4b5e86d3e81d61abb5787b1262b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 0532/1037] vcr1: add sanity checks Fixes invalid reads with corrupted files. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 8aba7968dd604aae91ee42cbce0be3dad7dceb30) Signed-off-by: Luca Barbato --- libavcodec/vcr1.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/libavcodec/vcr1.c b/libavcodec/vcr1.c index d0805a3759..42ba7874c7 100644 --- a/libavcodec/vcr1.c +++ b/libavcodec/vcr1.c 
@@ -50,6 +50,11 @@ static av_cold int vcr1_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_YUV410P; + if (avctx->width & 7) { + av_log(avctx, AV_LOG_ERROR, "Width %d is not divisble by 8.\n", avctx->width); + return AVERROR_INVALIDDATA; + } + return 0; } @@ -85,9 +90,13 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, p->pict_type = AV_PICTURE_TYPE_I; p->key_frame = 1; + if (buf_size < 32) + goto packet_small; + for (i = 0; i < 16; i++) { a->delta[i] = *bytestream++; bytestream++; + buf_size--; } for (y = 0; y < avctx->height; y++) { @@ -98,8 +107,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, uint8_t *cb = &a->picture.data[1][(y >> 2) * a->picture.linesize[1]]; uint8_t *cr = &a->picture.data[2][(y >> 2) * a->picture.linesize[2]]; + if (buf_size < 4 + avctx->width) + goto packet_small; + for (i = 0; i < 4; i++) a->offset[i] = *bytestream++; + buf_size -= 4; offset = a->offset[0] - a->delta[bytestream[2] & 0xF]; for (x = 0; x < avctx->width; x += 4) { @@ -113,8 +126,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, *cr++ = bytestream[1]; bytestream += 4; + buf_size -= 4; } } else { + if (buf_size < avctx->width / 2) + goto packet_small; + offset = a->offset[y & 3] - a->delta[bytestream[2] & 0xF]; for (x = 0; x < avctx->width; x += 8) { @@ -128,6 +145,7 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, luma[7] = offset += a->delta[bytestream[1] >> 4]; luma += 8; bytestream += 4; + buf_size -= 4; } } } @@ -136,6 +154,9 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, *got_frame = 1; return buf_size; +packet_small: + av_log(avctx, AV_LOG_ERROR, "Input packet too small.\n"); + return AVERROR_INVALIDDATA; } AVCodec ff_vcr1_decoder = { From 8dc4b2c92e492aa172327d10c926d5ca3a04371c Mon Sep 17 00:00:00 2001 
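Review bot: The new error string in vcr1_decode_init misspells "divisible": `"Width %d is not divisble by 8.\n"`. Log text ends up in bug reports and gets grepped for, so it is worth correcting to `"Width %d is not divisible by 8.\n"` while the line is new.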
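Review bot: The delta loop in vcr1_decode_frame advances `bytestream` twice per iteration, but the added `buf_size--` subtracts only one. After the 16 iterations `buf_size` therefore overstates the remaining input by 16 bytes, and the per-row `packet_small` checks added in the following hunks are too lenient by that amount. Subtract what is actually consumed: `buf_size -= 2;`. The function starts and ends outside this hunk.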
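Review bot: `return buf_size;` at the end of vcr1_decode_frame is left as it was, but the earlier hunks now decrement `buf_size` while reading, so on success the function returns the bytes left over instead of the packet size it returned before. A decode callback's return value is the number of bytes used, so a fully consumed packet would now report close to zero. Keep the running counter in a separate local (for example `int left = buf_size;`, checked and decremented in place of `buf_size`), or return the consumed count computed from `bytestream`.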
From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 0533/1037] pictordec: break out of both decoding loops when y drops below 0 Otherwise picmemset can get called with negative y, resulting in an invalid write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5f7aecde02a95451e514c809f2794c1deba80695) Signed-off-by: Luca Barbato --- libavcodec/pictordec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 16f930730b..f88fc52f1b 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -227,7 +227,7 @@ static int decode_frame(AVCodecContext *avctx, if (bits_per_plane == 8) { picmemset_8bpp(s, val, run, &x, &y); if (y < 0) - break; + goto finish; } else { picmemset(s, val, run, &x, &y, &plane, bits_per_plane); } @@ -237,6 +237,7 @@ static int decode_frame(AVCodecContext *avctx, av_log_ask_for_sample(s, "uncompressed image\n"); return avpkt->size; } +finish: *got_frame = 1; *(AVFrame*)data = s->frame; From 1e9d234c0c62cdce17016a68c948e4f4a8aceea3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 0534/1037] pictordec: pass correct context to avpriv_request_sample Fixes invalid reads. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry-picked from commit fe9bb61f9a16be19ad91875632c39e44b7a99a8a) Signed-off-by: Luca Barbato --- libavcodec/pictordec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index f88fc52f1b..53fef1c6f6 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c 
@@ -122,7 +122,7 @@ static int decode_frame(AVCodecContext *avctx, s->nb_planes = (tmp >> 4) + 1; bpp = bits_per_plane * s->nb_planes; if (bits_per_plane > 8 || bpp < 1 || bpp > 32) { - av_log_ask_for_sample(s, "unsupported bit depth\n"); + av_log_ask_for_sample(avctx, "unsupported bit depth\n"); return AVERROR_PATCHWELCOME; } @@ -234,7 +234,7 @@ static int decode_frame(AVCodecContext *avctx, } } } else { - av_log_ask_for_sample(s, "uncompressed image\n"); + av_log_ask_for_sample(avctx, "uncompressed image\n"); return avpkt->size; } finish: From 4cb3efc206a69e0affceb7715c1d83c3a568b2ed Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 0535/1037] lavf: avoid integer overflow when estimating bitrate Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit df33a58e5311ee9a64a573889b883a80e981af7b) Signed-off-by: Luca Barbato --- libavformat/utils.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index e1511ee215..27d9d06667 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1863,8 +1863,13 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) bit_rate = 0; for(i=0;inb_streams;i++) { st = ic->streams[i]; - if (st->codec->bit_rate > 0) - bit_rate += st->codec->bit_rate; + if (st->codec->bit_rate > 0) { + if (INT_MAX - st->codec->bit_rate > bit_rate) { + bit_rate = 0; + break; + } + bit_rate += st->codec->bit_rate; + } } ic->bit_rate = bit_rate; } From f3c7e604fabd1505c7de3eaddee5a24b8aacf4c3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 0536/1037] 4xm: check that bits per sample is strictly positive Avoids a divide by zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a7c1689dedd11689edb30088d467ac03f9b8d1cf) 
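Review bot: The overflow guard added to estimate_timings_from_bit_rate is inverted. `INT_MAX - st->codec->bit_rate > bit_rate` is true whenever the addition is safe, so the sum is reset to 0 and the loop exits on the first stream with a positive bit rate. The test has to fire when the remaining headroom is smaller than the running sum: `if (INT_MAX - st->codec->bit_rate < bit_rate) {`. Patch 0546 later in this series makes that correction.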
Signed-off-by: Luca Barbato --- libavformat/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index c0b3914fa1..5fb1921dd9 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -154,7 +154,7 @@ static int parse_strk(AVFormatContext *s, if (fourxm->tracks[track].channels <= 0 || fourxm->tracks[track].sample_rate <= 0 || - fourxm->tracks[track].bits < 0) { + fourxm->tracks[track].bits <= 0) { av_log(s, AV_LOG_ERROR, "audio header invalid\n"); return AVERROR_INVALIDDATA; } From 9486e98712879e1f3b2d83bbfc361e402b535005 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 0537/1037] ape demuxer: check for EOF in potentially long loops Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry-picked from commit 488b2984fece7ad0c2596826fee18e74aa904667) Signed-off-by: Luca Barbato --- libavformat/ape.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index d67e684167..a9c695efe0 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -276,7 +276,9 @@ static int ape_read_header(AVFormatContext * s) ape->seektable = av_malloc(ape->seektablelength); if (!ape->seektable) return AVERROR(ENOMEM); - for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) + for (i = 0; + i < ape->seektablelength / sizeof(uint32_t) && !pb->eof_reached; + i++) ape->seektable[i] = avio_rl32(pb); } From 3d91117df0034ca9458e4b791a182082a50a6ad9 Mon Sep 17 00:00:00 2001 
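Review bot: When the added `!pb->eof_reached` test stops the loop in ape_read_header early, the rest of `ape->seektable` keeps whatever `av_malloc` returned, and nothing in this hunk records how many entries were actually read. Code that later indexes the table (outside this hunk) would then use uninitialised values on a truncated file. The smallest change is to allocate the table zeroed, `ape->seektable = av_mallocz(ape->seektablelength);`. Rejecting a short table after the loop would be stricter.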
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 3 Sep 2013 11:54:03 +0300 Subject: [PATCH 0538/1037] alac: Limit max_samples_per_frame MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise buffer size calculations in allocate_buffers could overflow later, making the code think a large enough buffer actually was allocated. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit f7c5883126f9440547933eefcf000aa78af4821c) Signed-off-by: Luca Barbato --- libavcodec/alac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 1a3f769513..b69efc30dd 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -495,7 +495,8 @@ static int alac_set_info(ALACContext *alac) bytestream2_skipu(&gb, 12); // size:4, alac:4, version:4 alac->max_samples_per_frame = bytestream2_get_be32u(&gb); - if (!alac->max_samples_per_frame || alac->max_samples_per_frame > INT_MAX) { + if (!alac->max_samples_per_frame || + alac->max_samples_per_frame > INT_MAX / sizeof(int32_t)) { av_log(alac->avctx, AV_LOG_ERROR, "max samples per frame invalid: %u\n", alac->max_samples_per_frame); return AVERROR_INVALIDDATA; From aade60ab165716523788cd11caf03ae61b40144a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 3 Sep 2013 12:10:50 +0300 Subject: [PATCH 0539/1037] matroskadec: Check that .lang was allocated and set before reading it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5bcd3ae5b167fb74215520b01d5d810e0c8986ab) Signed-off-by: Luca Barbato --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 147c24cf86..fe4d932cf2 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1157,7 +1157,8 @@ static void matroska_convert_tag(AVFormatContext *s, EbmlList *list, int i; for (i=0; i < list->nb_elem; i++) { - const char *lang = strcmp(tags[i].lang, "und") ? tags[i].lang : NULL; + const char *lang = tags[i].lang && strcmp(tags[i].lang, "und") ? + tags[i].lang : NULL; if (!tags[i].name) { av_log(s, AV_LOG_WARNING, "Skipping invalid tag with no TagName.\n"); From 7b9bcd993c10144f65b62364ab1fd11be51bde9b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 3 Sep 2013 13:53:23 +0300 Subject: [PATCH 0540/1037] 4xm: Check that the read track value is non-negative MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d719981273bc779c7d1e879d88404fd867f93a0e) Signed-off-by: Luca Barbato Conflicts: libavformat/4xm.c --- libavformat/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 5fb1921dd9..9dfb95650f 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -136,6 +136,8 @@ static int parse_strk(AVFormatContext *s, av_log(s, AV_LOG_ERROR, "current_track too large\n"); return AVERROR_INVALIDDATA; } + if (track < 0) + return AVERROR_INVALIDDATA; if (track + 1 > fourxm->track_count) { AudioTrack *tmp = av_realloc(fourxm->tracks, (track + 1) * sizeof(AudioTrack)); From 790606cfe97ea897e72cd7d393ee653d2a56e8bd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 3 Sep 2013 14:16:40 +0300 Subject: [PATCH 0541/1037] alac: Check that the channels fit at the given offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The code tries to decode a number of channels at the offset given by the ff_alac_channel_layout_offsets table. Even if the number of channels decoded so far doesn't exceed the total number of channels, we need to check that we actually can decode that number of channels at this offset as well. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 35cbc98b720db95b923cb2d745f77bb2ee4363dc) Signed-off-by: Luca Barbato --- libavcodec/alac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index b69efc30dd..72e9353b54 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -418,7 +418,8 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data, } channels = (element == TYPE_CPE) ? 2 : 1; - if (ch + channels > alac->channels) { + if (ch + channels > alac->channels || + ff_alac_channel_layout_offsets[alac->channels - 1][ch] + channels > alac->channels) { av_log(avctx, AV_LOG_ERROR, "invalid element channel count\n"); return AVERROR_INVALIDDATA; } From 68c990466990d68b740ae55db706629a6975765b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Mar 2012 22:02:46 +0100 Subject: [PATCH 0542/1037] mjpegb: Detect changing number of planes in interlaced video MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit af11fa5409cc72fc45ca7f3527400beca10967b9) Signed-off-by: Luca Barbato --- libavcodec/mjpegdec.c | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 05f2f02e61..74bbfa6b6f 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -243,6 +243,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) if (nb_components <= 0 || nb_components > MAX_COMPONENTS) return -1; + if (s->interlaced && (s->bottom_field == !s->interlace_polarity)) { + if (nb_components != s->nb_components) { + av_log(s->avctx, AV_LOG_ERROR, + "nb_components changing in interlaced picture\n"); + return AVERROR_INVALIDDATA; + } + } if (s->ls && !(s->bits <= 8 || nb_components == 1)) { av_log_missing_feature(s->avctx, "For JPEG-LS anything except <= 8 bits/component" From b01e4d80c69da83d765263dd774fbbc4a2944b97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 4 Sep 2013 01:36:51 +0300 Subject: [PATCH 0543/1037] mpegvideo: Avoid 32-bit wrapping of linesize multiplications MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This makes sure that linesize * start_y doesn't overflow, so that emulated_edge_mc can get back the original value if needed. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a711a2cb473dc95708f371a82c85c97fe789b5c2) Signed-off-by: Luca Barbato --- libavcodec/mpegvideo_motion.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index 536377a46f..a432763d5d 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -214,7 +214,8 @@ void mpeg_motion_internal(MpegEncContext *s, { uint8_t *ptr_y, *ptr_cb, *ptr_cr; int dxy, uvdxy, mx, my, src_x, src_y, - uvsrc_x, uvsrc_y, v_edge_pos, uvlinesize, linesize; + uvsrc_x, uvsrc_y, v_edge_pos; + ptrdiff_t uvlinesize, linesize; #if 0 if(s->quarter_sample) From 0eb465f981de014becd4c99c8d6ad4523ad81ad1 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Sun, 11 Aug 2013 20:35:40 +0200 Subject: [PATCH 0544/1037] nuv: check ff_rtjpeg_decode_frame_yuv420 return value CC: libav-stable@libav.org (cherry picked from commit 85ac12587bfef970d0e0e4abc292df346daf8478) Signed-off-by: Luca Barbato Conflicts: libavcodec/nuv.c --- libavcodec/nuv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 9c765a0f64..e253bfbbed 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -156,6 +156,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int orig_size = buf_size; int keyframe; int result; + int ret; enum { NUV_UNCOMPRESSED = '0', NUV_RTJPEG = '1', @@ -259,7 +260,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } case NUV_RTJPEG_IN_LZO: case NUV_RTJPEG: - ff_rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size); + ret = ff_rtjpeg_decode_frame_yuv420(&c->rtj, &c->pic, buf, buf_size); + if (ret < 0) + return ret; break; case NUV_BLACK: memset(c->pic.data[0], 0, c->width * c->height); From 1e9e311e21074575f1ad29fb35ac135197f4b68d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 5 Aug 2013 22:15:24 +0200 Subject: [PATCH 0545/1037] dv: Add a guard to not overread the ppcm array Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 7ee191cab0dc44700f26c5784e2adeb6a779651b) Signed-off-by: Luca Barbato Conflicts: libavformat/dv.c --- libavformat/dv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dv.c b/libavformat/dv.c index 1730972213..ea2805e630 100644 --- a/libavformat/dv.c +++ b/libavformat/dv.c 
@@ -108,7 +108,7 @@ static const int dv_audio_frequency[3] = { * 3. Audio is always returned as 16bit linear samples: 12bit nonlinear samples * are converted into 16bit linear ones. */ -static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4], +static int dv_extract_audio(uint8_t *frame, uint8_t **ppcm, const DVprofile *sys) { int size, chan, i, j, d, of, smpls, freq, quant, half_ch; @@ -336,7 +336,7 @@ int avpriv_dv_produce_packet(DVDemuxContext *c, AVPacket *pkt, uint8_t* buf, int buf_size) { int size, i; - uint8_t *ppcm[4] = {0}; + uint8_t *ppcm[5] = { 0 }; if (buf_size < DV_PROFILE_BYTES || !(c->sys = avpriv_dv_frame_profile(c->sys, buf, buf_size)) || From 777bc81a91a476f9e1f81faebfb952b823f13f28 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 4 Sep 2013 08:55:08 +0200 Subject: [PATCH 0546/1037] lavf: fix the comparison in an overflow check CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit 26f027fba1c5ab482fa2488fbe0fa36c8bb33b69) Signed-off-by: Luca Barbato --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 27d9d06667..4f73dfebef 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1864,7 +1864,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) for(i=0;inb_streams;i++) { st = ic->streams[i]; if (st->codec->bit_rate > 0) { - if (INT_MAX - st->codec->bit_rate > bit_rate) { + if (INT_MAX - st->codec->bit_rate < bit_rate) { bit_rate = 0; break; } From 580418bd558505789f1670aeec895bc81668ceb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Sep 2013 04:32:23 +0200 Subject: [PATCH 0547/1037] avfilter/vf_fps: make sure the fifo is not empty before using it Fixes Ticket2905 Signed-off-by: Michael Niedermayer (cherry picked from commit cdd5df8189ff1537f7abe8defe971f80602cc2d2) Signed-off-by: Michael Niedermayer --- libavfilter/vf_fps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
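Review bot: `uint8_t *ppcm[5] = { 0 };` in avpriv_dv_produce_packet grows the array by one element without saying why. The first hunk also changes dv_extract_audio from `uint8_t* ppcm[4]` to `uint8_t **ppcm`, so the callee's signature no longer hints at the expected length. Since the patch changes nothing else, the fifth slot is presumably a NULL sentinel that stops the extraction loop, which is outside these hunks. State that at the declaration, e.g. `/* 4 channel pointers plus a NULL terminator for dv_extract_audio() */`, and in the function's doc comment, so a later resize does not silently remove the guard.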
diff --git a/libavfilter/vf_fps.c b/libavfilter/vf_fps.c index d4305e7273..e2a4b3d4ee 100644 --- a/libavfilter/vf_fps.c +++ b/libavfilter/vf_fps.c @@ -202,7 +202,7 @@ static int filter_frame(AVFilterLink *inlink, AVFilterBufferRef *buf) } /* now wait for the next timestamp */ - if (buf->pts == AV_NOPTS_VALUE) { + if (buf->pts == AV_NOPTS_VALUE || av_fifo_size(s->fifo) <= 0) { return write_to_fifo(s->fifo, buf); } From 701543a081e039a7ee1afd2286f4ccefabb195cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Sep 2013 00:36:44 +0200 Subject: [PATCH 0548/1037] avcodec/mjpegdec: Add some sanity checks to ljpeg_decode_rgb_scan() These prevent the rgb ljpeg code from being run on parameters that it doesnt support. No testcase available but it seems possible to trigger these. Signed-off-by: Michael Niedermayer (cherry picked from commit 61c68000eda643dfce96dc46b488d39fd5c4e309) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d377827c09..0c9bb3d866 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -770,6 +770,12 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p int resync_mb_y = 0; int resync_mb_x = 0; + if (s->nb_components != 3 && s->nb_components != 4) + return AVERROR_INVALIDDATA; + if (s->v_max != 1 || s->h_max != 1 || !s->lossless) + return AVERROR_INVALIDDATA; + + s->restart_count = s->restart_interval; av_fast_malloc(&s->ljpeg_buffer, &s->ljpeg_buffer_size, From 5c6aea5c31bf2a2f3343a051f6b39a62b245878e Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 3 Sep 2013 14:36:12 +0200 Subject: [PATCH 0549/1037] avformat/utils: Fix bitrate overflow check The check added in df33a58e5311ee9a64a573889b883a80e981af7b does not work at all, rather it broke the summing of bitrates completely. The comparission was wrong way around. This commit replaces it by a simpler and hopefully clearer check Signed-off-by: Michael Niedermayer (cherry picked from commit a5d67bc796e1f9a2b99b43ea807166b655e4bdbc) Conflicts: libavformat/utils.c Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5fff3e26fa..9619d95f5e 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2253,23 +2253,20 @@ static void fill_all_stream_timings(AVFormatContext *ic) static void estimate_timings_from_bit_rate(AVFormatContext *ic) { int64_t filesize, duration; - int bit_rate, i; + int i; AVStream *st; /* if bit_rate is already set, we believe it */ if (ic->bit_rate <= 0) { - bit_rate = 0; + int64_t bit_rate = 0; for(i=0;inb_streams;i++) { st = ic->streams[i]; if (st->codec->bit_rate > 0) { - if (INT_MAX - st->codec->bit_rate > bit_rate) { - bit_rate = 0; - break; - } bit_rate += st->codec->bit_rate; } } - ic->bit_rate = bit_rate; + if (bit_rate <= INT_MAX) + ic->bit_rate = bit_rate; } /* if duration is already set, we believe it */ From 87908de715c2f7e898cfebbb78edca346d18b155 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Sep 2013 14:22:20 +0200 Subject: [PATCH 0550/1037] avcodec: add emuedge_linesize_type Currently all uses of the emu edge code as well as the code itself assume int linesize changing some but not changing all would introduce a security issue once all use this typedef a simple search and replace can be done to switch them all to ptrdiff_t 
Signed-off-by: Michael Niedermayer (cherry picked from commit 2ffead98ddd384f61cdf6b1cb3f36592f54cd34a) Conflicts: libavcodec/videodsp.h Merged-by: Michael Niedermayer --- libavcodec/mpegvideo_motion.c | 3 ++- libavcodec/videodsp.h | 2 ++ libavcodec/videodsp_template.c | 2 +- libavcodec/x86/videodsp_init.c | 2 +- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index 22381dea27..3e0211b0d6 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -215,7 +215,8 @@ void mpeg_motion_internal(MpegEncContext *s, { uint8_t *ptr_y, *ptr_cb, *ptr_cr; int dxy, uvdxy, mx, my, src_x, src_y, - uvsrc_x, uvsrc_y, v_edge_pos, uvlinesize, linesize; + uvsrc_x, uvsrc_y, v_edge_pos; + emuedge_linesize_type uvlinesize, linesize; #if 0 if(s->quarter_sample) diff --git a/libavcodec/videodsp.h b/libavcodec/videodsp.h index dc893847b3..5a79e661f0 100644 --- a/libavcodec/videodsp.h +++ b/libavcodec/videodsp.h @@ -29,6 +29,8 @@ #include #include +typedef int emuedge_linesize_type; + typedef struct VideoDSPContext { /** * Copy a rectangular area of samples to a temporary buffer and replicate diff --git a/libavcodec/videodsp_template.c b/libavcodec/videodsp_template.c index 44f6a4d63e..1f709c499d 100644 --- a/libavcodec/videodsp_template.c +++ b/libavcodec/videodsp_template.c @@ -27,7 +27,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, { int x, y; int start_y, start_x, end_y, end_x; - int linesize = linesize_arg; + emuedge_linesize_type linesize = linesize_arg; if (!w || !h) return; diff --git a/libavcodec/x86/videodsp_init.c b/libavcodec/x86/videodsp_init.c index 4a8b244254..bbf9464d8d 100644 --- a/libavcodec/x86/videodsp_init.c +++ b/libavcodec/x86/videodsp_init.c 
@@ -44,7 +44,7 @@ static av_always_inline void emulated_edge_mc(uint8_t *buf, const uint8_t *src, emu_edge_core_func *core_fn) { int start_y, start_x, end_y, end_x, src_y_add = 0; - int linesize = linesize_arg; + emuedge_linesize_type linesize = linesize_arg; if(!w || !h) return; From fbbd6317e2c10df2b98996afd14d0a3ee280c11f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Sep 2013 13:36:22 +0200 Subject: [PATCH 0551/1037] avcodec/vcr1: replace redundant checks from libav (8aba7968dd604aae91ee42cbce0be3dad7dceb30) by asserts Signed-off-by: Michael Niedermayer (cherry picked from commit 164b67ca281fa5a47b965a858c7783aa547091b8) Signed-off-by: Michael Niedermayer --- libavcodec/vcr1.c | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/libavcodec/vcr1.c b/libavcodec/vcr1.c index 39e7630946..0691c9f615 100644 --- a/libavcodec/vcr1.c +++ b/libavcodec/vcr1.c @@ -27,6 +27,7 @@ #include "avcodec.h" #include "dsputil.h" #include "internal.h" +#include "libavutil/avassert.h" #include "libavutil/internal.h" typedef struct VCR1Context { @@ -96,9 +97,6 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, p->pict_type = AV_PICTURE_TYPE_I; p->key_frame = 1; - if (buf_size < 32) - goto packet_small; - for (i = 0; i < 16; i++) { a->delta[i] = *bytestream++; bytestream++; @@ -113,8 +111,7 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, uint8_t *cb = &a->picture.data[1][(y >> 2) * a->picture.linesize[1]]; uint8_t *cr = &a->picture.data[2][(y >> 2) * a->picture.linesize[2]]; - if (buf_size < 4 + avctx->width) - goto packet_small; + av_assert0 (buf_size >= 4 + avctx->width); for (i = 0; i < 4; i++) a->offset[i] = *bytestream++; @@ -135,8 +132,7 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, buf_size -= 4; } } else { - if (buf_size < avctx->width / 2) - goto packet_small; + av_assert0 (buf_size >= avctx->width / 2); offset = a->offset[y & 3] - a->delta[bytestream[2] & 0xF]; 
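Review bot: `av_assert0 (buf_size >= 4 + avctx->width);` aborts the process when the condition fails, where the removed `packet_small` path returned AVERROR_INVALIDDATA. The same holds for `av_assert0 (buf_size >= avctx->width / 2);` in the next hunk, and the `buf_size < 32` check is dropped with no replacement. This is safe only if a packet-size check elsewhere in vcr1_decode_frame, outside these hunks, makes the conditions impossible for any input. Otherwise a short packet becomes a crash instead of a decode error. If that check exists, name it next to the asserts, e.g. `/* cannot fail: packet size was validated against width and height before this loop */`, so the dependency survives later edits to either place.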
@@ -160,9 +156,6 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, *got_frame = 1; return buf_size; -packet_small: - av_log(avctx, AV_LOG_ERROR, "Input packet too small.\n"); - return AVERROR_INVALIDDATA; } AVCodec ff_vcr1_decoder = { From 6d2e3efd7c9c7df9ee738b9af3797fee5a2c97bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Sep 2013 15:44:37 +0200 Subject: [PATCH 0552/1037] avcodec/vcr1: return the actual number of consumed bytes Signed-off-by: Michael Niedermayer (cherry picked from commit a4e70918316c6d1423e559aad15823a5e0453fcf) Signed-off-by: Michael Niedermayer --- libavcodec/vcr1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vcr1.c b/libavcodec/vcr1.c index 0691c9f615..04a6b3183d 100644 --- a/libavcodec/vcr1.c +++ b/libavcodec/vcr1.c @@ -155,7 +155,7 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data, *picture = a->picture; *got_frame = 1; - return buf_size; + return bytestream - avpkt->data; } AVCodec ff_vcr1_decoder = { From 007f3f416573f428dab24ef1099ade9f1a0bd5c4 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 2 Sep 2013 12:22:13 -0400 Subject: [PATCH 0553/1037] Prepare for 9.9 RELEASE Signed-off-by: Luca Barbato --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 021debdfd4..a61a79be6c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.8 +9.9 From 4d073ddac95d789f23c3ee6f7b5348599b39f047 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 2 Sep 2013 12:22:14 -0400 Subject: [PATCH 0554/1037] Update Changelog Signed-off-by: Luca Barbato --- Changelog | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) diff --git a/Changelog b/Changelog index 4cd63c823a..a0b11862b6 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,90 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.9: +- 4xm: check that bits per sample is strictly positive +- 4xm: Check that the read track value is non-negative +- 4xm: Reject not a multiple of 16 dimension +- 8bps: Bound-check the input buffer +- aac: Check init_get_bits return value +- aac: return meaningful errors +- ac3: Clean up the error paths +- ac3dec: Don't consume more data than the actual input packet size +- ac3dec: Increment channel pointers only once per channel +- ac3: Do not clash with normal AVERROR +- ac3: Return proper error codes +- adpcm: Write the correct number of samples for ima-dk4 +- alac: Check that the channels fit at the given offset +- alac: Limit max_samples_per_frame +- alsdec: Clean up error paths +- alsdec: Fix the clipping range +- ape demuxer: check for EOF in potentially long loops +- atrac3: Error on impossible encoding/channel combinations +- atrac3: fix error handling +- atrac3: set the getbits context the right buffer_end +- avconv: do not use lavfi direct rendering with -deinterlace +- avidec: Let the inner dv demuxer take care of discarding +- avio: Handle AVERROR_EOF in the same way as the return value 0 +- bink: Bound check the quantization matrix. 
+- dca: Error out on missing DSYNC +- dca: Respect the current limits in the downmixing capabilities +- dsicinav: Bound-check the source buffer when needed +- dsicinav: Clip the source size to the expected maximum +- dv: Add a guard to not overread the ppcm array +- dxa: Make sure the reference frame exists +- h261: check the mtype index +- iff: Do not read over the source buffer +- imc: Catch a division by zero +- indeo4: Check the quantization matrix index +- indeo4: Do not access missing reference MV +- indeo4: Validate scantable dimension +- indeo5: return proper error codes +- indeo: Bound-check before applying motion compensation +- indeo: Bound-check before applying transform +- indeo: Do not reference mismatched tiles +- indeo: Reject impossible FRAMETYPE_NULL +- indeo: Sanitize ff_ivi_init_planes fail paths +- lavf: avoid integer overflow when estimating bitrate +- lavf: Make sure avg_frame_rate can be calculated without integer overflow +- matroskadec: Check that .lang was allocated and set before reading it +- mjpegb: Detect changing number of planes in interlaced video +- mlpdec: Do not set invalid context in read_restart_header +- mov: Do not allow updating the time scale after it has been set +- mov: Seek back if overreading an individual atom +- mpegvideo: Avoid 32-bit wrapping of linesize multiplications +- nuv: check ff_rtjpeg_decode_frame_yuv420 return value +- nuv: Do not ignore lzo decompression failures +- nuv: Pad the lzo outbuf +- nuv: Reset the frame on resize +- nuv: return meaningful error codes. 
+- nuv: Use av_fast_realloc +- ogg: Always alloc the private context in vorbis_header +- ogg: Fix potential infinite discard loop +- oma: check geob tag boundary +- oma: correctly mark and decrypt partial packets +- oma: refactor seek function +- pcm: always use codec->id instead of codec_id +- pcx: Do not overread source buffer in pcx_rle_decode +- pictordec: break out of both decoding loops when y drops below 0 +- pictordec: pass correct context to avpriv_request_sample +- qdm2: check and reset dithering index per channel +- qdm2: Conceal broken samples +- qdm2: refactor joined stereo support +- qdm2: use init_static_data +- rmdec: Use the AVIOContext given as parameter in rm_read_metadata() +- rtjpeg: Use init_get_bits8 +- rtmp: Do not misuse memcmp +- rtmp: rename data_size to size +- segafilm: Error out on impossible packet size +- vc1: check mb_height validity. +- vc1: check the source buffer in vc1_mc functions +- vcr1: add sanity checks +- vqavideo: check the version +- westwood_vqa: do not free extradata on error in read_header +- wmavoice: conceal clearly corrupted blocks +- wtv: Mark attachment with a negative stream id +- xl: Make sure the width is valid + version 9.8: - kmvc: Clip pixel position to valid range - kmvc: Use fixed sized arrays in the context From 8715ca0b82c1a1cc2ec9998acca990bbe63d4a34 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 8 Sep 2013 12:35:31 +0000 Subject: [PATCH 0555/1037] avformat/matroskaenc: remove bogus prores tag Fixes: ffmpeg -i input -c:v prores output.mkv Signed-off-by: Paul B Mahol (cherry picked from commit 14851ca5f5a3af140085e82589e28e06c7cdefdc) Conflicts: libavformat/matroskaenc.c --- libavformat/matroskaenc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 05d0c362fd..e746eee060 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c 
@@ -1383,7 +1383,6 @@ const AVCodecTag additional_audio_tags[] = { }; const AVCodecTag additional_video_tags[] = { - { AV_CODEC_ID_PRORES, 0xFFFFFFFF }, { AV_CODEC_ID_RV10, 0xFFFFFFFF }, { AV_CODEC_ID_RV20, 0xFFFFFFFF }, { AV_CODEC_ID_RV30, 0xFFFFFFFF }, From af225c41d42e777d4cbf93b9e277a3a7f6e35129 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 8 Sep 2013 09:43:53 +0200 Subject: [PATCH 0556/1037] avformat/vobsub: fix seeking. (cherry picked from commit f8678dcef3c5b0ea82e898e1f419863409fa135f) --- libavformat/mpeg.c | 16 ++++++++++++++++ libavformat/subtitles.c | 16 ++++++++++++++-- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 4af2057077..c0bee2e64d 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -653,6 +653,7 @@ static int vobsub_read_header(AVFormatContext *s) st->id = stream_id; st->codec->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codec->codec_id = AV_CODEC_ID_DVD_SUBTITLE; + avpriv_set_pts_info(st, 64, 1, 1000); av_dict_set(&st->metadata, "language", id, 0); av_log(s, AV_LOG_DEBUG, "IDX stream[%d] id=%s\n", stream_id, id); header_parsed = 1; 
@@ -810,6 +811,21 @@ static int vobsub_read_seek(AVFormatContext *s, int stream_index, int64_t min_ts, int64_t ts, int64_t max_ts, int flags) { MpegDemuxContext *vobsub = s->priv_data; + + /* Rescale requested timestamps based on the first stream (timebase is the + * same for all subtitles stream within a .idx/.sub). Rescaling is done just + * like in avformat_seek_file(). */ + if (stream_index == -1 && s->nb_streams != 1) { + AVRational time_base = s->streams[0]->time_base; + ts = av_rescale_q(ts, AV_TIME_BASE_Q, time_base); + min_ts = av_rescale_rnd(min_ts, time_base.den, + time_base.num * (int64_t)AV_TIME_BASE, + AV_ROUND_UP | AV_ROUND_PASS_MINMAX); + max_ts = av_rescale_rnd(max_ts, time_base.den, + time_base.num * (int64_t)AV_TIME_BASE, + AV_ROUND_DOWN | AV_ROUND_PASS_MINMAX); + } + return ff_subtitles_queue_seek(&vobsub->q, s, stream_index, min_ts, ts, max_ts, flags); } diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 546261605f..9263acfd5f 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -108,7 +108,8 @@ int ff_subtitles_queue_seek(FFDemuxSubtitlesQueue *q, AVFormatContext *s, int st for (i = 0; i < q->nb_subs; i++) { int64_t pts = q->subs[i].pts; uint64_t ts_diff = FFABS(pts - ts); - if (pts >= min_ts && pts <= max_ts && ts_diff < min_ts_diff) { + if ((stream_index == -1 || q->subs[i].stream_index == stream_index) && + pts >= min_ts && pts <= max_ts && ts_diff < min_ts_diff) { min_ts_diff = ts_diff; idx = i; } 
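Review bot: In `vobsub_read_seek` (libavformat/mpeg.c) the new guard `s->nb_streams != 1` is also true when `nb_streams` is 0, and the very next line reads `s->streams[0]->time_base`. Whether the header parser can finish without creating any stream is not visible in this hunk, so the dereference should not depend on it. `if (stream_index == -1 && s->nb_streams > 1) {` states the multi-stream case the comment describes and keeps the access in bounds. The function's signature starts above the hunk.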
@@ -118,13 +119,24 @@ int ff_subtitles_queue_seek(FFDemuxSubtitlesQueue *q, AVFormatContext *s, int st /* look back in the latest subtitles for overlapping subtitles */ ts_selected = q->subs[idx].pts; for (i = idx - 1; i >= 0; i--) { - if (q->subs[i].duration <= 0) + if (q->subs[i].duration <= 0 || + (stream_index != -1 && q->subs[i].stream_index != stream_index)) continue; if (q->subs[i].pts > ts_selected - q->subs[i].duration) idx = i; else break; } + + /* If the queue is used to store multiple subtitles streams (like with + * VobSub) and the stream index is not specified, we need to make sure + * to focus on the smallest file position offset for a same timestamp; + * queue is ordered by pts and then filepos, so we can take the first + * entry for a given timestamp. */ + if (stream_index == -1) + while (idx > 0 && q->subs[idx - 1].pts == q->subs[idx].pts) + idx--; + q->current_sub_idx = idx; } return 0; From 63e370b2cf86699132117bea4e238085046a6c26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 8 Sep 2013 09:55:02 +0200 Subject: [PATCH 0557/1037] avformat/subtitles: check lower bound for duration overlap seeking. (cherry picked from commit 1ca4bf930bab681a79fb591330043675c7cfd798) --- libavformat/subtitles.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 9263acfd5f..339e2c787f 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -119,10 +119,11 @@ int ff_subtitles_queue_seek(FFDemuxSubtitlesQueue *q, AVFormatContext *s, int st /* look back in the latest subtitles for overlapping subtitles */ ts_selected = q->subs[idx].pts; for (i = idx - 1; i >= 0; i--) { + int64_t pts = q->subs[i].pts; if (q->subs[i].duration <= 0 || (stream_index != -1 && q->subs[i].stream_index != stream_index)) continue; - if (q->subs[i].pts > ts_selected - q->subs[i].duration) + if (pts >= min_ts && pts > ts_selected - q->subs[i].duration) idx = i; else break; 
From b5e2ef771d8955a149db932f4a3c7562bcd41fe2 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 9 Sep 2013 10:02:12 +0200 Subject: [PATCH 0558/1037] Store the video bit_rate in the context when muxing mxf. This will allow using rc_max_rate if no bit_rate is specified (on remuxing). Reviewed-by: Matthieu Bouron (cherry picked from commit 52cf08b4c8859f7cac010a7a59f7aa369384ad85) --- libavformat/mxfenc.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index cf9b77dd92..257542cec9 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -76,6 +76,7 @@ typedef struct { int temporal_reordering; AVRational aspect_ratio; ///< display aspect ratio int closed_gop; ///< gop is closed, used in mpeg-2 frame parsing + int video_bit_rate; } MXFStreamContext; typedef struct { @@ -976,13 +977,14 @@ static void mxf_write_cdci_desc(AVFormatContext *s, AVStream *st) static void mxf_write_mpegvideo_desc(AVFormatContext *s, AVStream *st) { AVIOContext *pb = s->pb; + MXFStreamContext *sc = st->priv_data; int profile_and_level = (st->codec->profile<<4) | st->codec->level; mxf_write_cdci_common(s, st, mxf_mpegvideo_descriptor_key, 8+5); // bit rate mxf_write_local_tag(pb, 4, 0x8000); - avio_wb32(pb, st->codec->bit_rate); + avio_wb32(pb, sc->video_bit_rate); // profile and level mxf_write_local_tag(pb, 1, 0x8007); 
@@ -1705,14 +1707,15 @@ static int mxf_write_header(AVFormatContext *s) ret = av_timecode_init(&mxf->tc, rate, 0, 0, s); if (ret < 0) return ret; + sc->video_bit_rate = st->codec->bit_rate; if (s->oformat == &ff_mxf_d10_muxer) { - if (st->codec->bit_rate == 50000000) { + if (sc->video_bit_rate == 50000000) { if (mxf->time_base.den == 25) sc->index = 3; else sc->index = 5; - } else if (st->codec->bit_rate == 40000000) { + } else if (sc->video_bit_rate == 40000000) { if (mxf->time_base.den == 25) sc->index = 7; else sc->index = 9; - } else if (st->codec->bit_rate == 30000000) { + } else if (sc->video_bit_rate == 30000000) { if (mxf->time_base.den == 25) sc->index = 11; else sc->index = 13; } else { @@ -1721,7 +1724,7 @@ static int mxf_write_header(AVFormatContext *s) } mxf->edit_unit_byte_count = KAG_SIZE; // system element - mxf->edit_unit_byte_count += 16 + 4 + (uint64_t)st->codec->bit_rate * + mxf->edit_unit_byte_count += 16 + 4 + (uint64_t)sc->video_bit_rate * mxf->time_base.num / (8*mxf->time_base.den); mxf->edit_unit_byte_count += klv_fill_size(mxf->edit_unit_byte_count); mxf->edit_unit_byte_count += 16 + 4 + 4 + spf->samples_per_frame[0]*8*4; @@ -1855,7 +1858,8 @@ static void mxf_write_d10_video_packet(AVFormatContext *s, AVStream *st, AVPacke { MXFContext *mxf = s->priv_data; AVIOContext *pb = s->pb; - int packet_size = (uint64_t)st->codec->bit_rate*mxf->time_base.num / + MXFStreamContext *sc = st->priv_data; + int packet_size = (uint64_t)sc->video_bit_rate*mxf->time_base.num / (8*mxf->time_base.den); // frame size int pad; From 9fde820d8e3cd6b9af5668b19047a465b108b298 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 9 Sep 2013 10:03:14 +0200 Subject: [PATCH 0559/1037] Use rc_max_rate if no video bit_rate was specified when muxing mxf_d10. Fixes ticket #2945. Reviewed-by: Matthieu Bouron (cherry picked from commit d73565d5ddf41d4b7805327cdb271c59d8c3fc59) --- libavformat/mxfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 257542cec9..e9a870bf3e 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1707,7 +1707,7 @@ static int mxf_write_header(AVFormatContext *s) ret = av_timecode_init(&mxf->tc, rate, 0, 0, s); if (ret < 0) return ret; - sc->video_bit_rate = st->codec->bit_rate; + sc->video_bit_rate = st->codec->bit_rate ? st->codec->bit_rate : st->codec->rc_max_rate; if (s->oformat == &ff_mxf_d10_muxer) { if (sc->video_bit_rate == 50000000) { if (mxf->time_base.den == 25) sc->index = 3; From 4ad0330b3dd185708656b85b1740e7b066f002ca Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sat, 3 Aug 2013 16:51:26 -0700 Subject: [PATCH 0560/1037] doc/encoders: reformat libmp3lame doc Signed-off-by: Timothy Gu Signed-off-by: Stefano Sabatini (cherry picked from commit 40b8350b57adaa9aaf6731bac5130d4fec1639c3) Conflicts: doc/encoders.texi --- doc/encoders.texi | 46 ++++++++++++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index 1f06dee2ac..f2ff004c6b 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi 
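Review bot: In `mxf_write_header` (libavformat/mxfenc.c) the `rc_max_rate` fallback is assigned before the `s->oformat == &ff_mxf_d10_muxer` test, so it is not limited to D10 as the commit title suggests. The previous patch in this series makes `mxf_write_mpegvideo_desc` write `sc->video_bit_rate` into the descriptor, so plain MXF output presumably picks up the fallback as well. If that is intended, a comment would record it, e.g. `/* fall back to rc_max_rate when bit_rate is unset; also written to the MPEG video descriptor */`. The function starts and ends outside the hunk.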
@@ -420,26 +420,36 @@ Requires the presence of the libmp3lame headers and library during configuration. You need to explicitly configure the build with @code{--enable-libmp3lame}. -@subsection Option Mapping +@subsection Options -The following options are supported by the libmp3lame wrapper, -the LAME-equivalent options follow the FFmpeg ones. +The following options are supported by the libmp3lame wrapper. The +@command{lame}-equivalent of the options are listed in parentheses. -@multitable @columnfractions .2 .2 -@item FFmpeg @tab LAME -@item b @tab b -FFmpeg @code{b} option is expressed in bits/s, lame @code{bitrate} -in kilobits/s. -@item q @tab V -Quality setting for VBR. -@item compression_level @tab q -Algorithm quality. Valid options are integers from 0-9. -@item reservoir @tab N.A. -Enable use of bit reservoir. LAME has this enabled by default. -@item joint_stereo @tab -m j -Enables the the encoder to use (on a frame by frame basis) either L/R -stereo or mid/side stereo. -@end multitable +@table @option +@item b (@emph{-b}) +Set bitrate expressed in bits/s for CBR. LAME @code{bitrate} is +expressed in kilobits/s. + +@item q (@emph{-V}) +Set constant quality setting for VBR. This option is valid only +using the @command{ffmpeg} command-line tool. For library interface +users, use @option{global_quality}. + +@item compression_level (@emph{-q}) +Set algorithm quality. Valid arguments are integers in the 0-9 range, +with 0 meaning highest quality but slowest, and 9 meaning fastest +while producing the worst quality. + +@item reservoir +Enable use of bit reservoir when set to 1. Default value is 1. LAME +has this enabled by default, but can be overriden by use +@option{--nores} option. + +@item joint_stereo (@emph{-m j}) +Enable the encoder to use (on a frame by frame basis) either L/R +stereo or mid/side stereo. Default value is 1. + +@end table @section libopencore-amrnb From ed2c15eadc3bcd3e9541e7a656de2d1994274bfa Mon Sep 17 00:00:00 2001 
From: Timothy Gu Date: Sat, 3 Aug 2013 16:55:40 -0700 Subject: [PATCH 0561/1037] doc/encoders: reformat and add some clarification in libtwolame doc Signed-off-by: Timothy Gu Signed-off-by: Stefano Sabatini (cherry picked from commit e45e72f5f89ef5a5791562cfcb935028b46ecd0a) Signed-off-by: Timothy Gu --- doc/encoders.texi | 56 ++++++++++++++++++++++++----------------------- 1 file changed, 29 insertions(+), 27 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index f2ff004c6b..bfba772736 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -496,24 +496,26 @@ Requires the presence of the libtwolame headers and library during configuration. You need to explicitly configure the build with @code{--enable-libtwolame}. -@subsection Options Mapping +@subsection Options The following options are supported by the libtwolame wrapper. The -TwoLAME-equivalent options follow the FFmpeg ones and are in +@command{twolame}-equivalent options follow the FFmpeg ones and are in parentheses. @table @option -@item b -(b) Set bitrate in bits/s. Note that FFmpeg @code{b} option is -expressed in bits/s, twolame @code{b} in kilobits/s. The default -value is 128k. +@item b (@emph{-b}) +Set bitrate expressed in bits/s for CBR. @command{twolame} @option{b} +option is expressed in kilobits/s. Default value is 128k. -@item q -(V) Set quality for experimental VBR support. Maximum value range is -from -50 to 50, useful range is from -10 to 10. +@item q (@emph{-V}) +Set quality for experimental VBR support. Maximum value range is +from -50 to 50, useful range is from -10 to 10. The higher the +value, the better the quality. This option is valid only using the +@command{ffmpeg} command-line tool. For library interface users, +use @option{global_quality}. -@item mode -(mode) Set MPEG mode. Possible values: +@item mode (@emph{--mode}) +Set the mode of the resulting audio. Possible values: @table @samp @item auto 
@@ -528,26 +530,26 @@ Dual channel Mono @end table -@item psymodel -(psyc-mode) Set psychoacoustic model to use in encoding. The argument -must be an integer between -1 and 4, inclusive. The higher the value, -the better the quality. The default value is 3. +@item psymodel (@emph{--psyc-mode}) +Set psychoacoustic model to use in encoding. The argument must be +an integer between -1 and 4, inclusive. The higher the value, the +better the quality. The default value is 3. -@item energy_levels -(energy) Enable energy levels extensions when set to 1. The default -value is 0 (disabled). +@item energy_levels (@emph{--energy}) +Enable energy levels extensions when set to 1. The default value is +0 (disabled). -@item error_protection -(protect) Enable CRC error protection when set to 1. The default value -is 0 (disabled). +@item error_protection (@emph{--protect}) +Enable CRC error protection when set to 1. The default value is 0 +(disabled). -@item copyright -(copyright) Set MPEG audio copyright flag when set to 1. The default -value is 0 (disabled). +@item copyright (@emph{--copyright}) +Set MPEG audio copyright flag when set to 1. The default value is 0 +(disabled). -@item original -(original) Set MPEG audio original flag when set to 1. The default -value is 0 (disabled). +@item original (@emph{--original}) +Set MPEG audio original flag when set to 1. The default value is 0 +(disabled). @end table From 852ee0e0ad264ab010d963ba77bc9685e7d1e47e Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 8 Sep 2013 16:56:39 -0700 Subject: [PATCH 0562/1037] doc/encoders: Remove options that were not there when branch was cut from master Signed-off-by: Timothy Gu --- doc/encoders.texi | 4 ---- 1 file changed, 4 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index bfba772736..af25182cf3 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi 
@@ -445,10 +445,6 @@ Enable use of bit reservoir when set to 1. Default value is 1. LAME has this enabled by default, but can be overriden by use @option{--nores} option. -@item joint_stereo (@emph{-m j}) -Enable the encoder to use (on a frame by frame basis) either L/R -stereo or mid/side stereo. Default value is 1. - @end table @section libopencore-amrnb From 3eee21406a9f010a865fa0154c0927e0636a01b5 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sat, 7 Sep 2013 20:13:11 -0700 Subject: [PATCH 0563/1037] doc/encoders: improve libvo-aacenc doc Signed-off-by: Timothy Gu Signed-off-by: Stefano Sabatini (cherry picked from commit 81bbe49a0e588aa899f37a567808ba8926d798d6) Signed-off-by: Timothy Gu --- doc/encoders.texi | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index af25182cf3..e8105e682d 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -557,16 +557,19 @@ Requires the presence of the libvo-aacenc headers and library during configuration. You need to explicitly configure the build with @code{--enable-libvo-aacenc --enable-version3}. +This encoder is considered to be worse than the +@ref{aacenc,,native experimental FFmpeg AAC encoder}, according to +multiple sources. + @subsection Options The VisualOn AAC encoder only support encoding AAC-LC and up to 2 -channels. It is also CBR-only. It is considered to be worse than the -native experimental FFmpeg AAC encoder. +channels. It is also CBR-only. @table @option @item b -Bitrate. +Set bit rate in bits/s. @end table From c42fd4c6eee4019570a80b920229c2b022d9ec40 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 15 Sep 2013 19:08:58 -0700 Subject: [PATCH 0564/1037] doc/ffmpeg-formats: Add documentation for 2 parameters that have been missing (partially cherry picked from commit b7dd4598630fb1f890ae060f21a9ec92a103f22d) Signed-off-by: Timothy Gu Conflicts: doc/formats.texi --- doc/ffmpeg-formats.texi | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/doc/ffmpeg-formats.texi b/doc/ffmpeg-formats.texi index 03e4f30ac3..4d9038698e 100644 --- a/doc/ffmpeg-formats.texi +++ b/doc/ffmpeg-formats.texi @@ -140,6 +140,12 @@ Use wallclock as timestamps. @item avoid_negative_ts @var{integer} (@emph{output}) Shift timestamps to make them positive. 1 enables, 0 disables, default of -1 enables when required by target format. + +@item skip_initial_bytes @var{integer} (@emph{input}) +Set number initial bytes to skip. Default is 0. + +@item correct_ts_overflow @var{integer} (@emph{input}) +Correct single timestamp overflows if set to 1. Default is 1. @end table @c man end FORMAT OPTIONS From a4acb5b9003833109eaa4b72ef016062b368fe5a Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 8 Sep 2013 16:32:22 -0700 Subject: [PATCH 0565/1037] doc/encoders: add doc for AAC encoder Thanks-to: Kostya Shishkov Signed-off-by: Timothy Gu Signed-off-by: Stefano Sabatini (cherry picked from commit 0e11790cf7eef3b0f38a64486da1e3fb8c7f14b8) Signed-off-by: Timothy Gu --- doc/encoders.texi | 90 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/doc/encoders.texi b/doc/encoders.texi index e8105e682d..32d77ee43d 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi 
@@ -25,6 +25,95 @@ enabled encoders. A description of some of the currently available audio encoders follows. +@anchor{aacenc} +@section aac + +Advanced Audio Coding (AAC) encoder. + +This encoder is an experimental FFmpeg-native AAC encoder. Currently only the +low complexity (AAC-LC) profile is supported. To use this encoder, you must set +@option{strict} option to @samp{experimental} or lower. + +As this encoder is experimental, unexpected behavior may exist from time to +time. For a more stable AAC encoder, see @ref{libvo-aacenc}. However, be warned +that it has a worse quality reported by some users. + +@c Comment this out until somebody writes the respective documentation. +@c See also @ref{libfaac}, @ref{libaacplus}, and @ref{libfdk-aac-enc}. + +@subsection Options + +@table @option +@item b +Set bit rate in bits/s. Setting this automatically activates constant bit rate +(CBR) mode. + +@item q +Set quality for variable bit rate (VBR) mode. This option is valid only using +the @command{ffmpeg} command-line tool. For library interface users, use +@option{global_quality}. + +@item stereo_mode +Set stereo encoding mode. Possible values: + +@table @samp +@item auto +Automatically selected by the encoder. + +@item ms_off +Disable middle/side encoding. This is the default. + +@item ms_force +Force middle/side encoding. +@end table + +@item aac_coder +Set AAC encoder coding method. Possible values: + +@table @samp +@item 0 +FAAC-inspired method. + +This method is a simplified reimplementation of the method used in FAAC, which +sets thresholds proportional to the band energies, and then decreases all the +thresholds with quantizer steps to find the appropriate quantization with +distortion below threshold band by band. + +The quality of this method is comparable to the two loop searching method +descibed below, but somewhat a little better and slower. + +@item 1 +Average noise to mask ratio (ANMR) trellis-based solution. 
+ +This has a theoretic best quality out of all the coding methods, but at the +cost of the slowest speed. + +@item 2 +Two loop searching (TLS) method. + +This method first sets quantizers depending on band thresholds and then tries +to find an optimal combination by adding or subtracting a specific value from +all quantizers and adjusting some individual quantizer a little. + +This method produces similar quality with the FAAC method and is the default. + +@item 3 +Constant quantizer method. + +This method sets a constant quantizer for all bands. This is the fastest of all +the methods, yet produces the worst quality. + +@end table + +@end table + +@subsection Tips and Tricks + +According to some reports +(e.g. @url{http://d.hatena.ne.jp/kamedo2/20120729/1343545890}), setting the +@option{cutoff} option to 15000 Hz greatly improves the quality of the output +quality. As a result, we encourage you to do the same. + @section ac3 and ac3_fixed AC-3 audio encoders. @@ -549,6 +638,7 @@ Set MPEG audio original flag when set to 1. The default value is 0 @end table +@anchor{libvo-aacenc} @section libvo-aacenc VisualOn AAC encoder From 3bd0cd26774dcc69a0ea7d53c5f3d38c6fad30ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 15:13:48 +0300 Subject: [PATCH 0566/1037] dsicin: Add some basic sanity checks for fields read from the file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 48d6556dd46d4f4fac10d0f4a819e314887cd50e) Signed-off-by: Luca Barbato --- libavformat/dsicin.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dsicin.c b/libavformat/dsicin.c index ecc8c0b6af..6a7c8b948a 100644 --- a/libavformat/dsicin.c +++ b/libavformat/dsicin.c 
@@ -154,6 +154,8 @@ static int cin_read_frame_header(CinDemuxContext *cin, AVIOContext *pb) { if (avio_rl32(pb) != 0xAA55AA55) return AVERROR_INVALIDDATA; + if (hdr->video_frame_size < 0 || hdr->audio_frame_size < 0) + return AVERROR_INVALIDDATA; return 0; } From 057f655dc6a9a14224dd3d557606eedf15dfe64c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 15:20:01 +0300 Subject: [PATCH 0567/1037] smacker: Don't return packets in unallocated streams MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8d928023f953a28692ba27071a448259134b103b) Signed-off-by: Luca Barbato --- libavformat/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 4a3a2b39d1..56a75d8fa1 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -343,6 +343,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) smk->cur_frame++; smk->nextpos = avio_tell(s->pb); } else { + if (smk->stream_id[smk->curstream] < 0) + return AVERROR_INVALIDDATA; if (av_new_packet(pkt, smk->buf_sizes[smk->curstream])) return AVERROR(ENOMEM); memcpy(pkt->data, smk->bufs[smk->curstream], smk->buf_sizes[smk->curstream]); From 47bb4d888e1ef84b29aec4641a737c3aa35663a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 15:25:13 +0300 Subject: [PATCH 0568/1037] smacker: Avoid integer overflow when allocating packets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 710b0e27025948b7511821c2f888ff2d74a59e14) Signed-off-by: Luca Barbato --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
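Review bot: The check added to `cin_read_frame_header` (libavformat/dsicin.c) rejects only negative `video_frame_size` and `audio_frame_size`, so a value close to INT_MAX read from the file still passes. If the packet reader later adds palette or header bytes to these sizes before allocating (not visible in this hunk), that sum can wrap. An upper bound in the style of the smacker fix in this series would close that off: `if (hdr->video_frame_size < 0 || hdr->video_frame_size >= INT_MAX / 2 || hdr->audio_frame_size < 0 || hdr->audio_frame_size >= INT_MAX / 2)`. The function starts above the hunk.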
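Review bot: The early return added to `smacker_read_packet` (libavformat/smacker.c) fires before anything in this branch changes `smk->curstream`. Unless that index is advanced elsewhere before the next call (the rest of the branch is outside the hunk), a caller that keeps reading hits the same slot and gets the same error every time. The check also does not say how `stream_id` becomes negative; a comment such as `/* no AVStream was allocated for this slot, so its buffered data cannot be returned */` would explain why this is treated as invalid data. The function starts and ends outside the hunk.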
diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 56a75d8fa1..a6a6933e6b 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -327,7 +327,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) } flags >>= 1; } - if (frame_size < 0) + if (frame_size < 0 || frame_size >= INT_MAX/2) return AVERROR_INVALIDDATA; if (av_new_packet(pkt, frame_size + 769)) return AVERROR(ENOMEM); From 01a58b439d5f41ffa0b4324d1f6d7864ef4a2a45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 15:54:20 +0300 Subject: [PATCH 0569/1037] smacker: Make sure we don't fill in huffman codes out of range MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 0679cec6e8802643bbe6d5f68ca1110a7d3171da) Signed-off-by: Luca Barbato --- libavcodec/smacker.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index a72d7c5a35..2baf059af9 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -257,6 +257,12 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int if(ctx.last[0] == -1) ctx.last[0] = huff.current++; if(ctx.last[1] == -1) ctx.last[1] = huff.current++; if(ctx.last[2] == -1) ctx.last[2] = huff.current++; + if (ctx.last[0] >= huff.length || + ctx.last[1] >= huff.length || + ctx.last[2] >= huff.length) { + av_log(smk->avctx, AV_LOG_ERROR, "Huffman codes out of range\n"); + err = AVERROR_INVALIDDATA; + } *recodes = huff.values; From 8484351749d4a8b9e58c5414932b2737eb3d1c52 Mon Sep 17 00:00:00 2001 
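Review bot: The range check added in `smacker_decode_header_tree` (libavcodec/smacker.c) only sets `err`; control still reaches `*recodes = huff.values;`, so the table is handed back and the out-of-range indices stay in `ctx.last[]`. That is safe only if the function returns `err` and every caller discards the tree on a non-zero result, neither of which is visible in this hunk. If the fall-through is deliberate, a comment next to the assignment should say so, e.g. `/* no early return: the code below must still run; callers must not use recodes/last when err != 0 */`. The function starts and ends outside the hunk.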
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:17:13 +0300 Subject: [PATCH 0570/1037] shorten: Use a checked bytestream reader for the wave header MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 49568851bf1700e3d9ea9cda29208d0df3c2c38b) Signed-off-by: Luca Barbato --- libavcodec/shorten.c | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 0b4a473892..3e63759e24 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -206,31 +206,34 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, { int len; short wave_format; + GetByteContext gb; - if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) { + bytestream2_init(&gb, header, header_size); + + if (bytestream2_get_le32(&gb) != MKTAG('R', 'I', 'F', 'F')) { av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n"); return AVERROR_INVALIDDATA; } - header += 4; /* chunk size */ + bytestream2_skip(&gb, 4); /* chunk size */ - if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) { + if (bytestream2_get_le32(&gb) != MKTAG('W', 'A', 'V', 'E')) { av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n"); return AVERROR_INVALIDDATA; } - while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) { - len = bytestream_get_le32(&header); - header += len; + while (bytestream2_get_le32(&gb) != MKTAG('f', 'm', 't', ' ')) { + len = bytestream2_get_le32(&gb); + bytestream2_skip(&gb, len); } - len = bytestream_get_le32(&header); + len = bytestream2_get_le32(&gb); if (len < 16) { av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n"); return AVERROR_INVALIDDATA; } - wave_format = bytestream_get_le16(&header); + wave_format = bytestream2_get_le16(&gb); switch (wave_format) { case WAVE_FORMAT_PCM: 
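Review bot: In `decode_wave_header` (libavcodec/shorten.c) `len` remains a signed `int`, yet inside the chunk-search loop it is filled from `bytestream2_get_le32(&gb)` and passed straight to `bytestream2_skip(&gb, len)`. A chunk size with the top bit set therefore goes in as a negative number and only behaves because of the implicit unsigned conversion and the reader's clamping. Rejecting it at the source is clearer: add `if (len < 0) return AVERROR_INVALIDDATA;` between the read and the skip. The function continues past the end of this hunk.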
@@ -240,11 +243,11 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, return AVERROR(ENOSYS); } - header += 2; // skip channels (already got from shorten header) - avctx->sample_rate = bytestream_get_le32(&header); - header += 4; // skip bit rate (represents original uncompressed bit rate) - header += 2; // skip block align (not needed) - avctx->bits_per_coded_sample = bytestream_get_le16(&header); + bytestream2_skip(&gb, 2); // skip channels (already got from shorten header) + avctx->sample_rate = bytestream2_get_le32(&gb); + bytestream2_skip(&gb, 4); // skip bit rate (represents original uncompressed bit rate) + bytestream2_skip(&gb, 2); // skip block align (not needed) + avctx->bits_per_coded_sample = bytestream2_get_le16(&gb); if (avctx->bits_per_coded_sample != 16) { av_log(avctx, AV_LOG_ERROR, "unsupported number of bits per sample\n"); From d411f0775189516739ddc7c12626f486c28caf58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:19:28 +0300 Subject: [PATCH 0571/1037] shorten: Break out of loop looking for fmt chunk if none is found MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit b26742cc308552f242ee2bf93b07a3ff509f4edc) Signed-off-by: Luca Barbato --- libavcodec/shorten.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 3e63759e24..fda90fedfe 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c 
@@ -225,6 +225,10 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header, while (bytestream2_get_le32(&gb) != MKTAG('f', 'm', 't', ' ')) { len = bytestream2_get_le32(&gb); bytestream2_skip(&gb, len); + if (bytestream2_get_bytes_left(&gb) < 16) { + av_log(avctx, AV_LOG_ERROR, "no fmt chunk found\n"); + return AVERROR_INVALIDDATA; + } } len = bytestream2_get_le32(&gb); From eba112b4e3313e31f64e93bc878785822a55943e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:29:33 +0300 Subject: [PATCH 0572/1037] ape: Don't allow the seektable to be omitted MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The seektable is required for filling in ape->frames[i].pos further down. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 183b9d843a9533774fabd3984a52f3987001acbc) Signed-off-by: Luca Barbato --- libavformat/ape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index a9c695efe0..3c25630de0 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -255,7 +255,7 @@ static int ape_read_header(AVFormatContext * s) ape->totalframes); return -1; } - if (ape->seektablelength && (ape->seektablelength / sizeof(*ape->seektable)) < ape->totalframes) { + if (ape->seektablelength / sizeof(*ape->seektable) < ape->totalframes) { av_log(s, AV_LOG_ERROR, "Number of seek entries is less than number of frames: %zu vs. %"PRIu32"\n", ape->seektablelength / sizeof(*ape->seektable), ape->totalframes); From 9e505065b55f9b252d9faa9700f911c6a655a543 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 11 Nov 2012 18:08:39 +0100 Subject: [PATCH 0573/1037] zmbvdec: Check the buffer size for uncompressed data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also don't pointlessly set the buffer size to 1 after copying one packet. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 0d61f260010707f3028b818e8b24598e1a83d696) Signed-off-by: Luca Barbato --- libavcodec/zmbv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index c92e553f6d..c7a90f0def 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -508,8 +508,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } if (c->comp == 0) { //Uncompressed data + if (c->decomp_size < len) { + av_log(avctx, AV_LOG_ERROR, "Buffer too small\n"); + return AVERROR_INVALIDDATA; + } memcpy(c->decomp_buf, buf, len); - c->decomp_size = 1; } else { // ZLIB-compressed data c->zstream.total_in = c->zstream.total_out = 0; c->zstream.next_in = buf; From f8a72f041c049e812dfa1f32156327e9778f5710 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:47:06 +0300 Subject: [PATCH 0574/1037] mpc8: Check the seek table size parsed from the bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Limit the size to INT_MAX/2 (for simplicity) to be sure that size + FF_INPUT_BUFFER_PADDING_SIZE won't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 459f2b393a3f89ed08d10fbceb4738d1429f268e) Signed-off-by: Luca Barbato --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index f60a314b77..66cf01ab73 100644 --- a/libavformat/mpc8.c 
+++ b/libavformat/mpc8.c @@ -145,6 +145,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) av_log(s, AV_LOG_ERROR, "No seek table at given position\n"); return; } + if (size < 0 || size >= INT_MAX / 2) { + av_log(s, AV_LOG_ERROR, "Bad seek table size\n"); + return; + } if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE))) return; avio_read(s->pb, buf, size); From 557df77eab7d3726c34221aeb999afe9e7818d52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:53:15 +0300 Subject: [PATCH 0575/1037] mpc8: Make sure the first stream exists before parsing the seek table MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 17d57848fc14e82f76a65ffb25c90f2f011dc4a0) Signed-off-by: Luca Barbato --- libavformat/mpc8.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 66cf01ab73..c7aa87519c 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -139,6 +139,11 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) int i, t, seekd; GetBitContext gb; + if (s->nb_streams == 0) { + av_log(s, AV_LOG_ERROR, "No stream added before parsing seek table\n"); + return; + } + avio_seek(s->pb, off, SEEK_SET); mpc8_get_chunk_header(s->pb, &tag, &size); if(tag != TAG_SEEKTABLE){ From 9eba02d5dd7036294ea350cb772822deec95b867 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 14:54:05 +0300 Subject: [PATCH 0576/1037] omadec: Properly check lengths before incrementing the position MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 342c43d154e586bc022c86b168fe8d36f69da9d3) 
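Review bot: The return value of `avio_read(s->pb, buf, size)` right after the new size check in mpc8_parse_seektable is ignored, so a file that declares a seek table but ends early leaves part of `buf` unread before it is parsed. The added bound still admits sizes just under INT_MAX / 2, so the allocation can be far larger than the data actually available. I would compare the result with `size` and bail out, e.g. `if (avio_read(s->pb, buf, size) != size) { av_free(buf); return; }`. The function body continues outside the hunk, so how `buf` is consumed afterwards cannot be confirmed from here.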
Signed-off-by: Luca Barbato --- libavformat/omadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 8548fb5f78..040345187b 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -170,7 +170,11 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size, taglen = AV_RB32(&enc_header[pos+32]); datalen = AV_RB32(&enc_header[pos+36]) >> 4; - pos += 44 + taglen; + pos += 44; + if (size - pos < taglen) + return -1; + + pos += taglen; if (datalen << 4 > size - pos) return -1; From 153deed18bed43d16b272e8681b2a9b988d2682a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 22:56:55 +0300 Subject: [PATCH 0577/1037] sierravmd: Do sanity checking of frame sizes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Limit the size to INT_MAX/2 (for simplicity) to be sure that size + BYTES_PER_FRAME_RECORD won't overflow. Also factorize other existing error return paths. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 0ef1660a6365ce60ead8858936b6f3f8ea862826) Signed-off-by: Luca Barbato --- libavformat/sierravmd.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c index 359282c875..a8534be54c 100644 --- a/libavformat/sierravmd.c +++ b/libavformat/sierravmd.c @@ -88,7 +88,7 @@ static int vmd_read_header(AVFormatContext *s) unsigned char *raw_frame_table; int raw_frame_table_size; int64_t current_offset; - int i, j; + int i, j, ret; unsigned int total_frames; int64_t current_audio_pts = 0; unsigned char chunk[BYTES_PER_FRAME_RECORD]; 
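Review bot: The new `size - pos < taglen` test in nprobe is only sound if `pos <= size` still holds after `pos += 44`; `size` is unsigned, so otherwise the subtraction wraps and the check passes. The hunk shows no test that `pos + 44` fits inside `enc_header` before the two `AV_RB32` reads at `pos+32` and `pos+36`. If none exists earlier in the function (which starts outside the hunk), add `if (size < pos + 44) return -1;` ahead of those reads. The same wrap concern applies to the existing `datalen << 4 > size - pos` comparison.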
@@ -175,15 +175,13 @@ static int vmd_read_header(AVFormatContext *s) raw_frame_table = av_malloc(raw_frame_table_size); vmd->frame_table = av_malloc((vmd->frame_count * vmd->frames_per_block + sound_buffers) * sizeof(vmd_frame)); if (!raw_frame_table || !vmd->frame_table) { - av_free(raw_frame_table); - av_free(vmd->frame_table); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto error; } if (avio_read(pb, raw_frame_table, raw_frame_table_size) != raw_frame_table_size) { - av_free(raw_frame_table); - av_free(vmd->frame_table); - return AVERROR(EIO); + ret = AVERROR(EIO); + goto error; } total_frames = 0; @@ -199,6 +197,11 @@ static int vmd_read_header(AVFormatContext *s) avio_read(pb, chunk, BYTES_PER_FRAME_RECORD); type = chunk[0]; size = AV_RL32(&chunk[2]); + if (size > INT_MAX / 2) { + av_log(s, AV_LOG_ERROR, "Invalid frame size\n"); + ret = AVERROR_INVALIDDATA; + goto error; + } if(!size && type != 1) continue; switch(type) { @@ -235,6 +238,11 @@ static int vmd_read_header(AVFormatContext *s) vmd->frame_count = total_frames; return 0; + +error: + av_free(raw_frame_table); + av_free(vmd->frame_table); + return ret; } static int vmd_read_packet(AVFormatContext *s, From e47543eda585a6a3655d29bca17ab218f85f6646 Mon Sep 17 00:00:00 2001 
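Review bot: The size passed to the second `av_malloc()` in vmd_read_header, `(vmd->frame_count * vmd->frames_per_block + sound_buffers) * sizeof(vmd_frame)`, is built from header fields with no overflow check in the lines shown. If that product wraps, the table is allocated smaller than the number of entries the header claims, and the parsing loop that presumably fills it would write past the end. Since this commit already adds sanity checks for frame sizes, I would also reject the header when `vmd->frame_count * vmd->frames_per_block + sound_buffers` exceeds `UINT_MAX / sizeof(vmd_frame)`. The field declarations are outside the hunk, so the exact limit should be matched to their types.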
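Review bot: The new `error:` path in vmd_read_header releases `vmd->frame_table` with `av_free()` but leaves the stale pointer in the demuxer context. Anything that frees or reads that field afterwards (a close callback, for instance, which is not visible here) would touch freed memory. `av_freep(&vmd->frame_table);` clears the field at the same cost. `raw_frame_table` is a local, so plain `av_free()` is fine for it.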
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 12 Sep 2013 11:31:53 +0300 Subject: [PATCH 0578/1037] vocdec: Don't update codec parameters mid-stream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If we really want to support parameter changes, they need to be signalled along with the AVPackets as parameter change side data, not just changing the AVCodecContext parameters when a packet is demuxed (since there may be other earlier packets yet undecoded). Something similar was already done for the sample rate in 0883109b2, but some parameters were left changeable. This avoids having to recheck the channel count for validity for each decoded frame in (ad)pcm decoders, unless the decoders explicitly say that they accept parameter changes. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5bbfe193a0a41bd2adb648c8c3f6901a575734a2) Signed-off-by: Luca Barbato --- libavformat/vocdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/vocdec.c b/libavformat/vocdec.c index 4e06513735..2fb8440931 100644 --- a/libavformat/vocdec.c +++ b/libavformat/vocdec.c @@ -91,11 +91,11 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) if (sample_rate) dec->sample_rate = sample_rate; avpriv_set_pts_info(st, 64, 1, dec->sample_rate); + dec->channels = channels; + dec->bits_per_coded_sample = av_get_bits_per_sample(dec->codec_id); } else avio_skip(pb, 1); - dec->channels = channels; tmp_codec = avio_r8(pb); - dec->bits_per_coded_sample = av_get_bits_per_sample(dec->codec_id); voc->remaining_size -= 2; max_size -= 2; channels = 1; 
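Review bot: `dec->bits_per_coded_sample` is now computed from `dec->codec_id` only inside the first-block branch of ff_voc_get_packet, one line before this block's codec byte is read into `tmp_codec`. If `codec_id` is assigned from `tmp_codec` further down (outside the hunk), the value is derived from a codec id that is not set yet, and after this change it is never recomputed on later blocks. Moving the assignment to the point where `dec->codec_id` is first set would keep the one-time semantics while using the real codec.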
@@ -117,10 +117,10 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) if (!dec->sample_rate) { dec->sample_rate = avio_rl32(pb); avpriv_set_pts_info(st, 64, 1, dec->sample_rate); + dec->bits_per_coded_sample = avio_r8(pb); + dec->channels = avio_r8(pb); } else - avio_skip(pb, 4); - dec->bits_per_coded_sample = avio_r8(pb); - dec->channels = avio_r8(pb); + avio_skip(pb, 6); tmp_codec = avio_rl16(pb); avio_skip(pb, 4); voc->remaining_size -= 12; From 9f883e75e66a0cc0ddde78dabf52a8c78a25e9bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 12 Sep 2013 11:58:25 +0300 Subject: [PATCH 0579/1037] cavsdec: Make sure a sequence header has been decoded before decoding pictures MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e90a6846c2c006fbebd00e1f2789f4a86fafacef) Signed-off-by: Luca Barbato Conflicts: libavcodec/cavsdec.c --- libavcodec/cavsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index cef6b953a5..7cfb2ca21b 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -931,6 +931,11 @@ static int decode_pic(AVSContext *h) int skip_count = -1; enum cavs_mb mb_type; + if (!h->top_qp) { + av_log(h->avctx, AV_LOG_ERROR, "No sequence header decoded yet\n"); + return AVERROR_INVALIDDATA; + } + skip_bits(&h->gb, 16);//bbv_dwlay if (h->stc == PIC_PB_START_CODE) { h->cur.f->pict_type = get_bits(&h->gb, 2) + AV_PICTURE_TYPE_I; From b4c479a82adbb1301e3e549cd80cdd65208ddd05 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 12 Sep 2013 12:27:58 +0300 Subject: [PATCH 0580/1037] vp3: Check the framerate for validity MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 6fc8226e29055858f28973bb3d27b63b3b65e616) Signed-off-by: Luca Barbato --- libavcodec/vp3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 0340c22bb2..1d68c09ad6 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2160,6 +2160,10 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) fps.num = get_bits_long(gb, 32); fps.den = get_bits_long(gb, 32); if (fps.num && fps.den) { + if (fps.num < 0 || fps.den < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid framerate\n"); + return AVERROR_INVALIDDATA; + } av_reduce(&avctx->time_base.num, &avctx->time_base.den, fps.den, fps.num, 1<<30); } From aeca97a7b5c1ea966ace310dbf4db52d64faa698 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 15:05:03 +0300 Subject: [PATCH 0581/1037] svq3: Check for any negative return value from ff_h264_check_intra_pred_mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also pass on any returned error code. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 1115689d54ea95a084421f5a182b8dc56cbff978) Signed-off-by: Luca Barbato Conflicts: libavcodec/svq3.c --- libavcodec/svq3.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 68bf2f7a55..683b9dc948 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
@@ -634,9 +634,9 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type) dir = i_mb_type_info[mb_type - 8].pred_mode; dir = (dir >> 1) ^ 3 * (dir & 1) ^ 1; - if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1) { - av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n"); - return -1; + if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, "ff_h264_check_intra_pred_mode < 0\n"); + return h->intra16x16_pred_mode; } cbp = i_mb_type_info[mb_type - 8].cbp; From 9272aa469848cdd6516050e702acac6ecd1ed9cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 15:19:52 +0300 Subject: [PATCH 0582/1037] mace: Make sure that the channel count is set to a valid value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also return a proper error code. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e1f3847f860a1094a46be4c5f10db8df616c3135) Signed-off-by: Luca Barbato Conflicts: libavcodec/mace.c --- libavcodec/mace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mace.c b/libavcodec/mace.c index c78a207a09..5074e4bb14 100644 --- a/libavcodec/mace.c +++ b/libavcodec/mace.c @@ -229,8 +229,8 @@ static av_cold int mace_decode_init(AVCodecContext * avctx) { MACEContext *ctx = avctx->priv_data; - if (avctx->channels > 2) - return -1; + if (avctx->channels > 2 || avctx->channels < 1) + return AVERROR(EINVAL); avctx->sample_fmt = AV_SAMPLE_FMT_S16P; avcodec_get_frame_defaults(&ctx->frame); From 9f7a8b8f8f6ad024410232d926b774261ef2ef36 Mon Sep 17 00:00:00 2001 
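Review bot: On failure the negative error code stays stored in `h->intra16x16_pred_mode`, because the assignment in svq3_decode_mb happens inside the condition before the `< 0` test. If decoding carries on with later macroblocks after this error (not visible in the hunk), that field holds an invalid mode. I would check a local first: `int mode = ff_h264_check_intra_pred_mode(h, dir, 0);`, then `if (mode < 0) { ...; return mode; }` and only then `h->intra16x16_pred_mode = mode;`. The log text `ff_h264_check_intra_pred_mode < 0` would also be more useful if it printed the returned code.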
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 15:36:24 +0300 Subject: [PATCH 0583/1037] matroskadec: Verify realaudio codec parameters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 569d18aa9dc989c37bb4d4b968026fe5afa6fff9) Signed-off-by: Luca Barbato --- libavformat/matroskadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index fe4d932cf2..8a0c91bf9c 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1580,6 +1580,10 @@ static int matroska_read_header(AVFormatContext *s) track->audio.sub_packet_h = avio_rb16(&b); track->audio.frame_size = avio_rb16(&b); track->audio.sub_packet_size = avio_rb16(&b); + if (flavor <= 0 || track->audio.coded_framesize <= 0 || + track->audio.sub_packet_h <= 0 || track->audio.frame_size <= 0 || + track->audio.sub_packet_size <= 0) + return AVERROR_INVALIDDATA; track->audio.buf = av_malloc(track->audio.frame_size * track->audio.sub_packet_h); if (codec_id == AV_CODEC_ID_RA_288) { st->codec->block_align = track->audio.coded_framesize; From fe8bc7d1ee098de7f6da4d841a651773370ca454 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 20:17:47 +0300 Subject: [PATCH 0584/1037] mov: Don't use a negative duration for setting other fields MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Some files have the duration set to -1 in the mdhd atom, more or less legitimately. (We produce such files ourselves, for the initial duration in fragmented mp4 files.) Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 7f8d41eb097e8d4223c9caf97dd332a2fdb29d52) 
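Review bot: The `av_malloc()` result assigned to `track->audio.buf` directly after the new parameter check in matroska_read_header is not tested in the lines shown, so an allocation failure leaves a NULL buffer for later use. `frame_size` and `sub_packet_h` each come from a 16-bit field, so their product can approach 2^32 and, if the fields are plain `int` (their declarations are outside the hunk), overflow before reaching `av_malloc()`. I would add `if (!track->audio.buf) return AVERROR(ENOMEM);` after the allocation and bound the product. The new early return is also silent; a short `av_log()` naming the rejected parameters would help triage.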
Signed-off-by: Luca Barbato --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f6529340a3..2ae19c9358 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2063,7 +2063,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) ((double)st->codec->width * sc->height), INT_MAX); } - if (st->duration != AV_NOPTS_VALUE) + if (st->duration != AV_NOPTS_VALUE && st->duration > 0) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, sc->time_scale*st->nb_frames, st->duration, INT_MAX); @@ -2805,7 +2805,7 @@ static int mov_read_header(AVFormatContext *s) for (i = 0; i < s->nb_streams; i++) { AVStream *st = s->streams[i]; MOVStreamContext *sc = st->priv_data; - if (st->duration) + if (st->duration > 0) st->codec->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration; } } From 38bd229af9c4fa5897fc1a69e73a04c55f78647f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 20:32:35 +0300 Subject: [PATCH 0585/1037] ivi_common: Make sure color planes have been initialized MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a92538b7c0defc86c55fb91f55dfa36aad192673) Signed-off-by: Luca Barbato --- libavcodec/ivi_common.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 2a737547a5..152e9c4a55 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -938,6 +938,11 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return AVERROR_PATCHWELCOME; } + if (!ctx->planes[0].bands) { + av_log(avctx, AV_LOG_ERROR, "Color planes not initialized yet\n"); + return AVERROR_INVALIDDATA; + } + ctx->switch_buffers(ctx); //{ START_TIMER; 
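Review bot: The `st->duration != AV_NOPTS_VALUE` test in mov_read_trak is now redundant, since AV_NOPTS_VALUE is a negative constant and `st->duration > 0` already excludes it. Reducing the condition to `if (st->duration > 0)` would match the form this commit uses in its mov_read_header hunk and make the intent (a usable divisor for `av_reduce`) easier to see.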
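Review bot: The guard added in mov_read_header only protects the divisor; `sc->data_size * 8 * sc->time_scale` still multiplies two file-derived values before the division and the result is stored in `bit_rate`. Depending on the field widths, which the hunk does not show, the product can overflow or the quotient can be truncated on assignment for a malformed or very large file. Doing the arithmetic as `av_rescale(sc->data_size * 8, sc->time_scale, st->duration)` and range-checking the result before storing it would close that gap.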
From c8c93795e4afd04c2c5b74e29e8dec29b6a76b81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 20:40:13 +0300 Subject: [PATCH 0586/1037] mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids a potential division by zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit f875a732e36786d49f3650e3235272891a820600) Signed-off-by: Luca Barbato --- libavcodec/mpeg4videodec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index faa98668d9..7ff290c9e0 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -152,7 +152,7 @@ static inline int mpeg4_is_resync(MpegEncContext *s){ return 0; } -static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb) +static int mpeg4_decode_sprite_trajectory(MpegEncContext *s, GetBitContext *gb) { int i; int a= 2<sprite_warping_accuracy; @@ -168,6 +168,9 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb int h= s->height; int min_ab; + if (w <= 0 || h <= 0) + return AVERROR_INVALIDDATA; + for(i=0; inum_sprite_warping_points; i++){ int length; int x=0, y=0; @@ -340,6 +343,7 @@ static void mpeg4_decode_sprite_trajectory(MpegEncContext * s, GetBitContext *gb } s->real_sprite_warping_points= s->num_sprite_warping_points; } + return 0; } /** 
@@ -414,7 +418,8 @@ int ff_mpeg4_decode_video_packet_header(MpegEncContext *s) skip_bits(&s->gb, 3); /* intra dc vlc threshold */ //FIXME don't just ignore everything if(s->pict_type == AV_PICTURE_TYPE_S && s->vol_sprite_usage==GMC_SPRITE){ - mpeg4_decode_sprite_trajectory(s, &s->gb); + if (mpeg4_decode_sprite_trajectory(s, &s->gb) < 0) + return AVERROR_INVALIDDATA; av_log(s->avctx, AV_LOG_ERROR, "untested\n"); } @@ -2029,7 +2034,8 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){ } if(s->pict_type == AV_PICTURE_TYPE_S && (s->vol_sprite_usage==STATIC_SPRITE || s->vol_sprite_usage==GMC_SPRITE)){ - mpeg4_decode_sprite_trajectory(s, gb); + if (mpeg4_decode_sprite_trajectory(s, gb) < 0) + return AVERROR_INVALIDDATA; if(s->sprite_brightness_change) av_log(s->avctx, AV_LOG_ERROR, "sprite_brightness_change not supported\n"); if(s->vol_sprite_usage==STATIC_SPRITE) av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); } From 20c8f176293e7520c6205b664e25ecf8a711253e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 16:01:02 +0300 Subject: [PATCH 0587/1037] rv34: Check the return value from ff_rv34_decode_init MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 711c970168297683860422e95d6b7e37ee3c8367) Signed-off-by: Luca Barbato --- libavcodec/rv30.c | 4 +++- libavcodec/rv40.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 3c3579b565..b61b75dd77 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c 
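Review bot: Both callers discard the code returned by mpeg4_decode_sprite_trajectory and substitute a fixed AVERROR_INVALIDDATA, here in ff_mpeg4_decode_video_packet_header and again in the decode_vop_header hunk. As far as the hunks show the helper returns only that one error today, but the substitution will hide any other code added later. Keeping the value is a small change: `if ((ret = mpeg4_decode_sprite_trajectory(s, &s->gb)) < 0) return ret;` with a local `int ret`. Both functions begin and end outside their hunks.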
@@ -244,9 +244,11 @@ static void rv30_loop_filter(RV34DecContext *r, int row) static av_cold int rv30_decode_init(AVCodecContext *avctx) { RV34DecContext *r = avctx->priv_data; + int ret; r->rv30 = 1; - ff_rv34_decode_init(avctx); + if ((ret = ff_rv34_decode_init(avctx)) < 0) + return ret; if(avctx->extradata_size < 2){ av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); return -1; diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index f95622ab5a..d317d07966 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -545,9 +545,11 @@ static void rv40_loop_filter(RV34DecContext *r, int row) static av_cold int rv40_decode_init(AVCodecContext *avctx) { RV34DecContext *r = avctx->priv_data; + int ret; r->rv30 = 0; - ff_rv34_decode_init(avctx); + if ((ret = ff_rv34_decode_init(avctx)) < 0) + return ret; if(!aic_top_vlc.bits) rv40_init_tables(); r->parse_slice_header = rv40_parse_slice_header; From 2e12af4587613dd5b2c3431e5c8194d73b03434f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:07:30 +0300 Subject: [PATCH 0588/1037] eacmv: Make sure a reference frame exists before referencing it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is similar to an existing check for the second-last frame from 062421e3. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit ea78a348d86a3a733f6c1e0a65cfdd8283d924b9) Signed-off-by: Luca Barbato Conflicts: libavcodec/eacmv.c --- libavcodec/eacmv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index 0dce066f1e..b7e13b1114 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c 
@@ -108,9 +108,10 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * }else{ /* inter using last frame as reference */ int xoffset = (buf[i] & 0xF) - 7; int yoffset = ((buf[i] >> 4)) - 7; - cmv_motcomp(s->frame.data[0], s->frame.linesize[0], - s->last_frame.data[0], s->last_frame.linesize[0], - x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); + if (s->last_frame.data[0]) + cmv_motcomp(s->frame.data[0], s->frame.linesize[0], + s->last_frame.data[0], s->last_frame.linesize[0], + x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height); } i++; } From 163196562fe744149ef599d754c30c08a9898381 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 17:17:26 +0300 Subject: [PATCH 0589/1037] oggparseogm: Convert to use bytestream2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 19b9659f3174599e8685d329c4330b1ea8c4c6db) Signed-off-by: Luca Barbato --- libavformat/oggparseogm.c | 52 ++++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index 7b3cda221e..56ea5575f2 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c 
@@ -37,60 +37,62 @@ ogm_header(AVFormatContext *s, int idx) struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; AVStream *st = s->streams[idx]; - const uint8_t *p = os->buf + os->pstart; + GetByteContext p; uint64_t time_unit; uint64_t spu; - if(!(*p & 1)) + bytestream2_init(&p, os->buf + os->pstart, os->psize); + if (!(bytestream2_peek_byte(&p) & 1)) return 0; - if(*p == 1) { - p++; + if (bytestream2_peek_byte(&p) == 1) { + bytestream2_skip(&p, 1); - if(*p == 'v'){ + if (bytestream2_peek_byte(&p) == 'v'){ int tag; st->codec->codec_type = AVMEDIA_TYPE_VIDEO; - p += 8; - tag = bytestream_get_le32(&p); + bytestream2_skip(&p, 8); + tag = bytestream2_get_le32(&p); st->codec->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); st->codec->codec_tag = tag; - } else if (*p == 't') { + } else if (bytestream2_peek_byte(&p) == 't') { st->codec->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codec->codec_id = AV_CODEC_ID_TEXT; - p += 12; + bytestream2_skip(&p, 12); } else { - uint8_t acid[5]; + uint8_t acid[5] = { 0 }; int cid; st->codec->codec_type = AVMEDIA_TYPE_AUDIO; - p += 8; - bytestream_get_buffer(&p, acid, 4); + bytestream2_skip(&p, 8); + bytestream2_get_buffer(&p, acid, 4); acid[4] = 0; cid = strtol(acid, NULL, 16); st->codec->codec_id = ff_codec_get_id(ff_codec_wav_tags, cid); st->need_parsing = AVSTREAM_PARSE_FULL; } - p += 4; /* useless size field */ + bytestream2_skip(&p, 4); /* useless size field */ - time_unit = bytestream_get_le64(&p); - spu = bytestream_get_le64(&p); - p += 4; /* default_len */ - p += 8; /* buffersize + bits_per_sample */ + time_unit = bytestream2_get_le64(&p); + spu = bytestream2_get_le64(&p); + bytestream2_skip(&p, 4); /* default_len */ + bytestream2_skip(&p, 8); /* buffersize + bits_per_sample */ if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO){ - st->codec->width = bytestream_get_le32(&p); - st->codec->height = bytestream_get_le32(&p); + st->codec->width = bytestream2_get_le32(&p); + st->codec->height = 
bytestream2_get_le32(&p); avpriv_set_pts_info(st, 64, time_unit, spu * 10000000); } else { - st->codec->channels = bytestream_get_le16(&p); - p += 2; /* block_align */ - st->codec->bit_rate = bytestream_get_le32(&p) * 8; + st->codec->channels = bytestream2_get_le16(&p); + bytestream2_skip(&p, 2); /* block_align */ + st->codec->bit_rate = bytestream2_get_le32(&p) * 8; st->codec->sample_rate = spu * 10000000 / time_unit; avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate); } - } else if (*p == 3) { - if (os->psize > 8) - ff_vorbis_comment(s, &st->metadata, p+7, os->psize-8); + } else if (bytestream2_peek_byte(&p) == 3) { + bytestream2_skip(&p, 7); + if (bytestream2_get_bytes_left(&p) > 1) + ff_vorbis_comment(s, &st->metadata, p.buffer, bytestream2_get_bytes_left(&p) - 1); } return 1; From eac1c3f384eab770d42468f4f244156c1735701d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:03:34 +0300 Subject: [PATCH 0590/1037] truemotion2: Use av_freep properly in an error path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit c39f7eba01cd656e8f0eed592f93d11814736650) Signed-off-by: Luca Barbato --- libavcodec/truemotion2.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 2d7a5102c2..7691989b40 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c 
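Review bot: `time_unit` is used as a divisor in `st->codec->sample_rate = spu * 10000000 / time_unit;` without being checked, and with the checked reader a truncated header now yields 0 from `bytestream2_get_le64()` instead of reading past the packet. A short or malformed OGM header therefore becomes a division by zero in the audio branch, and zero timing values also reach `avpriv_set_pts_info()` in the video branch. I would reject the header before either use, e.g. `if (!time_unit || !spu) return AVERROR_INVALIDDATA;`, provided callers of ogm_header treat negative returns as errors (not visible here). The multiplication `spu * 10000000` can also wrap for large values.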
@@ -905,14 +905,14 @@ static av_cold int decode_init(AVCodecContext *avctx){ if (!l->Y1_base || !l->Y2_base || !l->U1_base || !l->V1_base || !l->U2_base || !l->V2_base || !l->last || !l->clast) { - av_freep(l->Y1_base); - av_freep(l->Y2_base); - av_freep(l->U1_base); - av_freep(l->U2_base); - av_freep(l->V1_base); - av_freep(l->V2_base); - av_freep(l->last); - av_freep(l->clast); + av_freep(&l->Y1_base); + av_freep(&l->Y2_base); + av_freep(&l->U1_base); + av_freep(&l->U2_base); + av_freep(&l->V1_base); + av_freep(&l->V2_base); + av_freep(&l->last); + av_freep(&l->clast); return AVERROR(ENOMEM); } l->Y1 = l->Y1_base + l->y_stride * 4 + 4; From 3706c229920115f022876ef07b16217dce504db6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:46:50 +0300 Subject: [PATCH 0591/1037] ffv1: Make sure at least one slice context is initialized MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids crashes when initializing the range coder for the first slice context. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit b1db33159fdc2da4bdd8c75e4ff9a7dd0ef2f0c2) Signed-off-by: Luca Barbato --- libavcodec/ffv1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 682d111c0c..f6d9eaf276 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -194,6 +194,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f) int i; f->slice_count = f->num_h_slices * f->num_v_slices; + if (f->slice_count <= 0) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid number of slices\n"); + return AVERROR(EINVAL); + } for (i = 0; i < f->slice_count; i++) { FFV1Context *fs = av_mallocz(sizeof(*fs)); From 00516b5491fbd99e4057f21eae231fc02cc596e3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 21:27:49 +0300 Subject: [PATCH 0592/1037] xmv: Add more sanity checks for parameters read from the bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since the number of channels is multiplied by 36 and assigned to to a uint16_t, make sure this calculation didn't overflow. (In certain cases the calculation could overflow leaving the truncated block_align at 0, leading to divisions by zero later.) Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d4c2a3740fb95f952a87ba320d2bf31f126bdf68) Signed-off-by: Luca Barbato --- libavformat/xmv.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index d491dec8f6..201dc3ac72 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -43,6 +43,8 @@ XMV_AUDIO_ADPCM51_FRONTCENTERLOW | \ XMV_AUDIO_ADPCM51_REARLEFTRIGHT) +#define XMV_BLOCK_ALIGN_SIZE 36 + typedef struct XMVAudioTrack { uint16_t compression; uint16_t channels; @@ -207,7 +209,7 @@ static int xmv_read_header(AVFormatContext *s) track->bit_rate = track->bits_per_sample * track->sample_rate * track->channels; - track->block_align = 36 * track->channels; + track->block_align = XMV_BLOCK_ALIGN_SIZE * track->channels; track->block_samples = 64; track->codec_id = ff_wav_codec_get_id(track->compression, track->bits_per_sample); @@ -224,7 +226,8 @@ static int xmv_read_header(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Unsupported 5.1 ADPCM audio stream " "(0x%04X)\n", track->flags); - if (!track->channels || !track->sample_rate) { + if (!track->channels || !track->sample_rate || + track->channels >= UINT16_MAX / XMV_BLOCK_ALIGN_SIZE) { av_log(s, AV_LOG_ERROR, "Invalid parameters for audio track %d.\n", audio_track); ret = AVERROR_INVALIDDATA; From 0b0f1cd44ece180e12795cfc8d0a0ac5ea3ebe2c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 15:40:57 +0300 Subject: [PATCH 0593/1037] rv10: Validate the dimensions set from the container MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5372cda67109848d22146289e401669266217e80) Signed-off-by: Luca Barbato --- libavcodec/rv10.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 26af29ff26..04518dd21b 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -426,12 +426,15 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) RVDecContext *rv = avctx->priv_data; MpegEncContext *s = &rv->m; static int done=0; - int major_ver, minor_ver, micro_ver; + int major_ver, minor_ver, micro_ver, ret; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata is too small.\n"); return -1; } + if ((ret = av_image_check_size(avctx->coded_width, + avctx->coded_height, 0, avctx)) < 0) + return ret; ff_MPV_decode_defaults(s); From de75bc01cda53acfbd9f901639695ade8e650c43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 14:53:15 +0300 Subject: [PATCH 0594/1037] idroqdec: Make sure a video stream has been allocated before returning packets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit bcbe4f3ceb6ee0210d3a401963518906c8b9b230) Signed-off-by: Luca Barbato --- libavformat/idroqdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c index eeaafec5aa..82eff24e94 100644 --- a/libavformat/idroqdec.c +++ b/libavformat/idroqdec.c 
@@ -142,6 +142,8 @@ static int roq_read_packet(AVFormatContext *s, break; case RoQ_QUAD_CODEBOOK: + if (roq->video_stream_index < 0) + return AVERROR_INVALIDDATA; /* packet needs to contain both this codebook and next VQ chunk */ codebook_offset = avio_tell(pb) - RoQ_CHUNK_PREAMBLE_SIZE; codebook_size = chunk_size; @@ -191,6 +193,11 @@ static int roq_read_packet(AVFormatContext *s, st->codec->block_align = st->codec->channels * st->codec->bits_per_coded_sample; } case RoQ_QUAD_VQ: + if (chunk_type == RoQ_QUAD_VQ) { + if (roq->video_stream_index < 0) + return AVERROR_INVALIDDATA; + } + /* load up the packet */ if (av_new_packet(pkt, chunk_size + RoQ_CHUNK_PREAMBLE_SIZE)) return AVERROR(EIO); From 5358f1b50753638628fa5b99afd4b7da20d62e22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:14:56 +0300 Subject: [PATCH 0595/1037] asvdec: Verify the amount of extradata MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The init function reads one byte of extradata. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit f50803354c6acb4575379d7c54ca48ec5d36dd61) Signed-off-by: Luca Barbato --- libavcodec/asvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/asvdec.c b/libavcodec/asvdec.c index 16722a9192..d3579dea4c 100644 --- a/libavcodec/asvdec.c +++ b/libavcodec/asvdec.c @@ -285,6 +285,11 @@ static av_cold int decode_init(AVCodecContext *avctx) const int scale = avctx->codec_id == AV_CODEC_ID_ASV1 ? 1 : 2; int i; + if (avctx->extradata_size < 1) { + av_log(avctx, AV_LOG_ERROR, "No extradata provided\n"); + return AVERROR_INVALIDDATA; + } + ff_asv_common_init(avctx); init_vlcs(a); ff_init_scantable(a->dsp.idct_permutation, &a->scantable, ff_asv_scantab); From bacf5db1962a6955ce80eea6bbc86c6970d7d360 Mon Sep 17 00:00:00 2001 
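Review bot: Both new `roq->video_stream_index < 0` tests in roq_read_packet work only if the index starts out negative, and its initialisation is outside these hunks; confirm the header-reading code sets it to -1 rather than leaving it 0. In the second hunk the `RoQ_QUAD_VQ` label appears to be reached by fall-through from the preceding sound case, which is why `chunk_type` is tested again. A `/* fall through */` comment before the label would make that explicit, and the nested test fits on one line: `if (chunk_type == RoQ_QUAD_VQ && roq->video_stream_index < 0)`.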
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:32:02 +0300 Subject: [PATCH 0596/1037] mpegaudiodec: Validate that the number of channels fits at the given offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is similar to the fix in 35cbc98b. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e9d61de96c113ee0ef8082833c7e682df0e23eec) Signed-off-by: Luca Barbato --- libavcodec/mpegaudiodec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index fda0280b44..bd096df26a 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -1936,7 +1936,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data, avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header); - if (ch + m->nb_channels > avctx->channels) { + if (ch + m->nb_channels > avctx->channels || + s->coff[fr] + m->nb_channels > avctx->channels) { av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec " "channel count\n"); return AVERROR_INVALIDDATA; From 4d90550cf95eac0451465116d6e53bac37b96927 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:53:31 +0300 Subject: [PATCH 0597/1037] qpeg: Add checks for running out of rows in qpeg_decode_inter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 7a5a55722749a3ab77941914707277b147322cbe) Signed-off-by: Luca Barbato --- libavcodec/qpeg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 4a918e71ec..75e12234fe 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c 
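Review bot: The added `s->coff[fr] + m->nb_channels > avctx->channels` test trusts `m->nb_channels`, but the return value of `avpriv_mpegaudio_decode_header()` on the line just above is discarded. If the header is not validated earlier in decode_frame_mp3on4 (outside this hunk), a rejected header could leave a stale channel count in place; either check the return value or confirm the earlier validation. The bound on `fr` as an index into `s->coff[]` is likewise not visible here. The log text still mentions only the frame channel count, which does not describe the new offset case.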
@@ -190,6 +190,8 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, filled = 0; dst -= stride; height--; + if (height < 0) + break; } } } else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */ @@ -201,6 +203,8 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, filled = 0; dst -= stride; height--; + if (height < 0) + break; } } } else if(code >= 0x80) { /* skip code: 0x80..0xBF */ From 5379c5184b9fe9ef06234638f5629d4c80056e04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:02:29 +0300 Subject: [PATCH 0598/1037] segafilm: Validate the number of audio channels MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids divisions by zero later. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 82e266c6d3fbf3cc74e515b883e66543381a0f2c) Signed-off-by: Luca Barbato --- libavformat/segafilm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index adf24759c6..5643f33cc8 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -111,6 +111,11 @@ static int film_read_header(AVFormatContext *s) return AVERROR(EIO); film->audio_samplerate = AV_RB16(&scratch[24]); film->audio_channels = scratch[21]; + if (!film->audio_channels || film->audio_channels > 2) { + av_log(s, AV_LOG_ERROR, + "Invalid number of channels: %d\n", film->audio_channels); + return AVERROR_INVALIDDATA; + } film->audio_bits = scratch[22]; if (scratch[23] == 2) film->audio_type = AV_CODEC_ID_ADPCM_ADX; From 78dc022f6f8a8b87773a209e0fcbea2d5b48396f Mon Sep 17 00:00:00 2001 
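Review bot: The `break` added after `height--` in both qpeg hunks (the branch before the copy code, and the copy-code branch) leaves only the innermost loop. The enclosing decode loop of qpeg_decode_inter is outside these hunks; unless its condition also tests `height`, the next code byte is processed with `dst` already moved one row past the last valid one. If the outer loop has no such test, `if (height < 0) return;` would stop decoding outright, which is valid here because the function returns void.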
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:55:13 +0300 Subject: [PATCH 0599/1037] wtv: Add more sanity checks for a length read from the file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also make sure the existing length check can't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 83c285f88016b087c2f0f4b9ef356ad8ef12d947) Signed-off-by: Luca Barbato --- libavformat/wtv.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/wtv.c b/libavformat/wtv.c index 1811e4645c..7f029ff369 100644 --- a/libavformat/wtv.c +++ b/libavformat/wtv.c @@ -274,7 +274,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b dir_length = AV_RL16(buf + 16); file_length = AV_RL64(buf + 24); name_size = 2 * AV_RL32(buf + 32); - if (buf + 48 + name_size > buf_end) { + if (name_size < 0) { + av_log(s, AV_LOG_ERROR, + "bad filename length, remaining directory entries ignored\n"); + break; + } + if (48 + name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; } From ce1dacb435460dda1f9d453eaaeac44bd502aca4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:57:47 +0300 Subject: [PATCH 0600/1037] rl2: Avoid a division by zero MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 3ca14aa5964ea5d11f7a15f9fff17924d6096d44) Signed-off-by: Luca Barbato --- libavformat/rl2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rl2.c b/libavformat/rl2.c index ac0532f1c9..ab33aabccc 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c 
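Review bot: `48 + name_size` in the rewritten bound can itself overflow: at that point `name_size` is only known to be non-negative, and if it is a 32-bit `int` (its declaration is outside the hunk) any value above `INT_MAX - 48` makes the addition a signed overflow before the comparison happens. Subtracting on the other side avoids it, `if (name_size > buf_end - buf - 48)`, provided the enclosing loop guarantees at least 48 bytes remain. Separately, if `AV_RL32()` yields an unsigned 32-bit value, as it usually does, `2 * AV_RL32(buf + 32)` wraps for stored lengths with the top bit set and produces a small value that passes both checks. Rejecting stored lengths above `INT_MAX / 2` before doubling would catch that.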
@@ -107,6 +107,10 @@ static av_cold int rl2_read_header(AVFormatContext *s) rate = avio_rl16(pb); channels = avio_rl16(pb); def_sound_size = avio_rl16(pb); + if (!channels || channels > 42) { + av_log(s, AV_LOG_ERROR, "Invalid number of channels: %d\n", channels); + return AVERROR_INVALIDDATA; + } /** setup video stream */ st = avformat_new_stream(s, NULL); From 97b6916f93e6998ed787e35efc56018f9d390c55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:12:06 +0300 Subject: [PATCH 0601/1037] dcadec: Validate the lfe parameter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a9d50bb578ec04c085a25f1e023f75e0e4499d5e) Signed-off-by: Luca Barbato --- libavcodec/dcadec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index 561c30c003..eecdeaad99 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -582,6 +582,11 @@ static int dca_parse_frame_header(DCAContext *s) s->lfe = get_bits(&s->gb, 2); s->predictor_history = get_bits(&s->gb, 1); + if (s->lfe > 2) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe); + return AVERROR_INVALIDDATA; + } + /* TODO: check CRC */ if (s->crc_present) s->header_crc = get_bits(&s->gb, 16); From 0c8c6b4419e00d13197a4aea5456b398dca24df0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Sep 2013 00:07:34 +0300 Subject: [PATCH 0602/1037] wnv1: Make sure the input packet is large enough MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 91be1103fd1f79d381edf268c32f4166b6c3b6d8) 
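Review bot: The new channel check in rl2_read_header sits before `/** setup video stream */` and so applies to every file, whether or not it carries audio. If RL2 files without a sound track store 0 in this field (not visible from this hunk), they are now rejected; scoping the test to the audio-stream setup would avoid that. The upper bound `42` is unexplained, and a comment or named constant stating where it comes from would help the next reader. `rate` and `def_sound_size` are read from the same header and remain unchecked here.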
Signed-off-by: Luca Barbato --- libavcodec/wnv1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 1636f16510..362fafca9e 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -71,6 +71,11 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; + if (buf_size < 8) { + av_log(avctx, AV_LOG_ERROR, "Packet is too short\n"); + return AVERROR_INVALIDDATA; + } + rbuf = av_malloc(buf_size + FF_INPUT_BUFFER_PADDING_SIZE); if (!rbuf) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); From b62704891d2353679e012555ac9e9a49ee63d497 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Sep 2013 11:16:00 +0300 Subject: [PATCH 0603/1037] vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit ede508443e4bf57dc1e019fac81bf6244b88fbd3) Signed-off-by: Luca Barbato --- libavcodec/vc1dec.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index bafd6a2f8c..cb9007849f 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c 
@@ -5131,8 +5131,19 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v) if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane || !v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base || - !v->mb_type_base) - return -1; + !v->mb_type_base) { + av_freep(&v->mv_type_mb_plane); + av_freep(&v->direct_mb_plane); + av_freep(&v->acpred_plane); + av_freep(&v->over_flags_plane); + av_freep(&v->block); + av_freep(&v->cbp_base); + av_freep(&v->ttblk_base); + av_freep(&v->is_intra_base); + av_freep(&v->luma_mv_base); + av_freep(&v->mb_type_base); + return AVERROR(ENOMEM); + } return 0; } From a6a8f66608cce414ef31c01a3059d64f6ef26663 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Sep 2013 11:16:57 +0300 Subject: [PATCH 0604/1037] vc1dec: Undo mpegvideo initialization if unable to allocate tables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, s->context_initialized was left set to 1 if ff_vc1_decode_init_alloc_tables failed, skipping the initialization completely on the next decode call. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit b772b0e28eba6abf76d86ee8c6e459a86642db5a) Signed-off-by: Luca Barbato --- libavcodec/vc1dec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index cb9007849f..9d68d32c13 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5495,8 +5495,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, } if (!s->context_initialized) { - if (ff_msmpeg4_decode_init(avctx) < 0 || ff_vc1_decode_init_alloc_tables(v) < 0) + if (ff_msmpeg4_decode_init(avctx) < 0) goto err; + if (ff_vc1_decode_init_alloc_tables(v) < 0) { + ff_MPV_common_end(s); + goto err; + } s->low_delay = !avctx->has_b_frames || v->res_sprite; 
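Review bot: The failure path added to ff_vc1_decode_init_alloc_tables frees the ten buffers named in the condition, but any pointers derived from the `*_base` allocations earlier in the function (outside the hunk) would keep pointing into freed memory. If such derived pointers exist, clear them here as well, or make sure nothing reads them after a failed init. The list of `av_freep()` calls also duplicates the list in the condition, so an allocation made in this function but missing from both is still leaked on this path. Sharing one cleanup helper with the decoder's close function would keep the lists from drifting apart.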
From 17e7edf75b451edd7dde4816c3225fd1557517c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Sep 2013 12:20:06 +0300 Subject: [PATCH 0605/1037] lavf: Avoid setting avg_frame_rate if delta_dts is negative MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids setting avg_frame_rate to invalid (negative) values. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit ce67f442be0f6c4a8794272873852e256b5b8ee4) Signed-off-by: Luca Barbato --- libavformat/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 4f73dfebef..b0bfea224f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2499,7 +2499,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) double best_error = 0.01; if (delta_dts >= INT64_MAX / st->time_base.num || - delta_packets >= INT64_MAX / st->time_base.den) + delta_packets >= INT64_MAX / st->time_base.den || + delta_dts < 0) continue; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, delta_packets*(int64_t)st->time_base.den, From 8bd27a167b6e22e7da964df1638c493d51a9663b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Sep 2013 12:26:45 +0300 Subject: [PATCH 0606/1037] electronicarts: Check packet sizes before reading MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit f7e616959aff8706edccdae763c24c897c449f6f) Signed-off-by: Luca Barbato --- libavformat/electronicarts.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index ae2fda079f..ebb4c124dd 100644 --- a/libavformat/electronicarts.c 
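Review bot: The guard extended in avformat_find_stream_info divides by `st->time_base.num` and `st->time_base.den` before anything else, so a zero in either field is a division by zero inside the check itself. Whether the time base is validated before this point is not visible in the hunk. `delta_packets` also gets no sign check while `delta_dts` now does; if it can be negative, `av_reduce()` below still receives a negative numerator. Testing `st->time_base.num <= 0 || st->time_base.den <= 0 || delta_dts < 0 || delta_packets < 0` ahead of the two divisions would cover these cases.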
+++ b/libavformat/electronicarts.c @@ -525,10 +525,16 @@ static int ea_read_packet(AVFormatContext *s, case AV_CODEC_ID_ADPCM_EA_R1: case AV_CODEC_ID_ADPCM_EA_R2: case AV_CODEC_ID_ADPCM_IMA_EA_EACS: - pkt->duration = AV_RL32(pkt->data); - break; case AV_CODEC_ID_ADPCM_EA_R3: - pkt->duration = AV_RB32(pkt->data); + if (pkt->size < 4) { + av_log(s, AV_LOG_ERROR, "Packet is too short\n"); + av_free_packet(pkt); + return AVERROR_INVALIDDATA; + } + if (ea->audio_codec == AV_CODEC_ID_ADPCM_EA_R3) + pkt->duration = AV_RB32(pkt->data); + else + pkt->duration = AV_RL32(pkt->data); break; case AV_CODEC_ID_ADPCM_IMA_EA_SEAD: pkt->duration = ret * 2 / ea->num_channels; From 4d60ab62e05decc562645cd6f813f7c9e69637ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 00:34:35 +0300 Subject: [PATCH 0607/1037] vqf: Make sure sample_rate is set to a valid value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids divisions by zero later (and possibly assertions in time base scaling), since an invalid rate_flag combined with an invalid bitrate below could pass the mode combination test. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 9277050e2918e0a0df9689721a188a604d886616) Signed-off-by: Luca Barbato --- libavformat/vqf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 66ced37bad..b0e3b6de74 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -174,6 +174,10 @@ static int vqf_read_header(AVFormatContext *s) st->codec->sample_rate = 11025; break; default: + if (rate_flag < 8 || rate_flag > 44) { + av_log(s, AV_LOG_ERROR, "Invalid rate flag %d\n", rate_flag); + return AVERROR_INVALIDDATA; + } st->codec->sample_rate = rate_flag*1000; break; } From 60701469ab9f526841ae81444236425f87916adb Mon Sep 17 00:00:00 2001 
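Review bot: After the new `pkt->size < 4` check in ea_read_packet, the 32-bit value read from the packet is stored into `pkt->duration` with no range check. If `duration` is a signed `int` (its declaration is not in this hunk), a stored value above `INT_MAX` becomes negative; rejecting or clamping such values keeps a negative duration from reaching timestamp handling.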
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:19:10 +0300 Subject: [PATCH 0608/1037] vqf: Make sure the bitrate is in the valid range MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Even if the sample rate is valid, an invalid bitrate could pass the mode combination test below. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 68ff9981283a56c731f00c2ee7901103665092fc) Signed-off-by: Luca Barbato --- libavformat/vqf.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index b0e3b6de74..aba6ab1f37 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -182,6 +182,13 @@ static int vqf_read_header(AVFormatContext *s) break; } + if (read_bitrate / st->codec->channels < 8 || + read_bitrate / st->codec->channels > 48) { + av_log(s, AV_LOG_ERROR, "Invalid bitrate per channel %d\n", + read_bitrate / st->codec->channels); + return AVERROR_INVALIDDATA; + } + switch (((st->codec->sample_rate/1000) << 8) + read_bitrate/st->codec->channels) { case (11<<8) + 8 : From 2e4c649b3e62fdd158b5a9a0f973d3b186a23e94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 00:41:31 +0300 Subject: [PATCH 0609/1037] avidec: Make sure a packet is large enough before reading its data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8d07258bb6063d0780ce2d39443d6dc6d8eedc5a) Signed-off-by: Luca Barbato Conflicts: libavformat/avidec.c --- libavformat/avidec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index ee341c21b6..e17d932319 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
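Review bot: The new range check in vqf_read_header divides `read_bitrate` by `st->codec->channels` three times, and nothing in this hunk shows the channel count being validated as non-zero. If the earlier part of the function does not already reject `channels <= 0`, the check introduced to prevent a later division by zero divides by zero itself. Computing the quotient once after such a test, e.g. `int rate_per_ch = read_bitrate / st->codec->channels;`, also removes the repetition with the `switch` expression below.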
@@ -752,8 +752,10 @@ static int avi_read_header(AVFormatContext *s) return 0; } -static int read_gab2_sub(AVStream *st, AVPacket *pkt) { - if (!strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data+5) == 2) { +static int read_gab2_sub(AVStream *st, AVPacket *pkt) +{ + if (pkt->size >= 7 && + !strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data + 5) == 2) { uint8_t desc[256]; int score = AVPROBE_SCORE_MAX / 2, ret; AVIStream *ast = st->priv_data; From 2ff935a06008fb1959ff633962fbc728762c33cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:13:26 +0300 Subject: [PATCH 0610/1037] xwma: Avoid division by zero MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit adc09136a4a63b152630abeacb22c56541eacf60) Signed-off-by: Luca Barbato --- libavformat/xwma.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 46ca0b80f1..5500db81d7 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -200,6 +200,14 @@ static int xwma_read_header(AVFormatContext *s) /* Estimate the duration from the total number of output bytes. */ const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1]; + + if (!bytes_per_sample) { + av_log(s, AV_LOG_ERROR, + "Invalid bits_per_coded_sample %d for %d channels\n", + st->codec->bits_per_coded_sample, st->codec->channels); + return AVERROR_INVALIDDATA; + } + st->duration = total_decoded_bytes / bytes_per_sample; /* Use the dpds data to build a seek table. We can only do this after From 607863acaec85671f8c2afd81079ae4c605e3468 Mon Sep 17 00:00:00 2001 
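Review bot: The new `pkt->size >= 7` bound in read_gab2_sub covers the five bytes compared against "GAB2" (tag plus terminator) and the 16-bit field at offset 5, but the constant is unexplained and `strcmp()` is being handed a byte buffer. `!memcmp(pkt->data, "GAB2", 5)` states the byte count directly and does not rely on string semantics; a comment such as `/* 4-byte tag + NUL + 16-bit field */` would document the 7. The body of the function continues outside the hunk, and the reads it performs beyond offset 7 are not covered by this check.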
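Review bot: The new early `return AVERROR_INVALIDDATA;` in xwma_read_header sits after `dpds_table` has been read on the line above. If that table is heap-allocated earlier in the function and released only at its end (both outside this hunk), this return leaks it. Calling `av_free(dpds_table);` before returning, or moving the `bytes_per_sample` test ahead of the allocation, avoids that.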
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:32:39 +0300 Subject: [PATCH 0611/1037] riffdec: Add sanity checks for the sample rate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids a division by zero for G726. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d07aa3f02b73ab1371c13ac7898338380ca0932b) Signed-off-by: Luca Barbato --- libavformat/riff.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/riff.c b/libavformat/riff.c index e9463c0973..09d8dbbdb2 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -653,6 +653,11 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) if (size > 0) avio_skip(pb, size); } + if (codec->sample_rate <= 0) { + av_log(NULL, AV_LOG_ERROR, + "Invalid sample rate: %d\n", codec->sample_rate); + return AVERROR_INVALIDDATA; + } codec->codec_id = ff_wav_codec_get_id(id, codec->bits_per_coded_sample); if (codec->codec_id == AV_CODEC_ID_AAC_LATM) { /* channels and sample_rate values are those prior to applying SBR and/or PS */ From a89868d714705af1b0b004fa790a889e9ba792cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:38:40 +0300 Subject: [PATCH 0612/1037] electronicarts: Add more sanity checking for the number of channels MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a9221e39600a31ee13e736e9e47743cde23f0280) Signed-off-by: Luca Barbato Conflicts: libavformat/electronicarts.c --- libavformat/electronicarts.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index ebb4c124dd..b85b4c2678 100644 --- a/libavformat/electronicarts.c 
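Review bot: The new sample-rate error in ff_get_wav_header is logged with `av_log(NULL, ...)`, so the message carries no context about which stream produced it. The function already receives `codec`; `av_log(codec, AV_LOG_ERROR, ...)` would attach it, assuming the AVCodecContext is usable as a log context at this point. Callers outside this hunk must also check the return value for the new failure to take effect; any caller that ignores it proceeds with the non-positive sample rate.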
+++ b/libavformat/electronicarts.c @@ -439,8 +439,9 @@ static int ea_read_header(AVFormatContext *s) } if (ea->audio_codec) { - if (ea->num_channels <= 0) { - av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels); + if (ea->num_channels <= 0 || ea->num_channels > 2) { + av_log(s, AV_LOG_WARNING, + "Unsupported number of channels: %d\n", ea->num_channels); ea->audio_codec = 0; return 1; } From ad1223d6bcc69e1639951aedcdae40822bf41042 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:42:40 +0300 Subject: [PATCH 0613/1037] bfi: Avoid divisions by zero MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a zero-length video packet is to be returned, just return AVERROR(EAGAIN) and switch back to the audio stream. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 9fc7184d1a9af8d97b3fc5c2ef9d0a647d6617ea) Signed-off-by: Luca Barbato --- libavformat/bfi.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index e60bbf4cab..5d7ccb85e6 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -140,9 +140,7 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) pkt->pts = bfi->audio_frame; bfi->audio_frame += ret; - } - - else { + } else if (bfi->video_size > 0) { //Tossing a video packet at the video decoder. ret = av_get_packet(pb, pkt, bfi->video_size); @@ -154,6 +152,9 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) /* One less frame to read. A cursory decrement. */ bfi->nframes--; + } else { + /* Empty video packet */ + ret = AVERROR(EAGAIN); } bfi->avflag = !bfi->avflag; From 78aa2ed620178044a227fbbe48f749c0dc86023f Mon Sep 17 00:00:00 2001 
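Review bot: In the new empty-video branch of bfi_read_packet `bfi->nframes--` is skipped, so a zero-length video chunk no longer counts as a consumed frame, while `bfi->avflag` is still toggled. If end-of-stream detection relies on `nframes` reaching zero (that test is outside the hunk), a file with empty video chunks would run until the I/O layer reports EOF instead. Either decrement the counter in the `else` branch as well, or add a comment saying the omission is intended.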
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 00:22:52 +0300 Subject: [PATCH 0614/1037] alac: Do bounds checking of lpc_order read from the bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In lpc_prediction(), we write up to array element 'lpc_order' in an array allocated to hold 'max_samples_per_frame' elements. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 59480abce7e4238e22b3a4a904a9fe6abf4e4188) Signed-off-by: Luca Barbato --- libavcodec/alac.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 72e9353b54..139e352ad3 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -315,6 +315,9 @@ static int decode_element(AVCodecContext *avctx, void *data, int ch_index, rice_history_mult[ch] = get_bits(&alac->gb, 3); lpc_order[ch] = get_bits(&alac->gb, 5); + if (lpc_order[ch] >= alac->max_samples_per_frame) + return AVERROR_INVALIDDATA; + /* read the predictor table */ for (i = lpc_order[ch] - 1; i >= 0; i--) lpc_coefs[ch][i] = get_sbits(&alac->gb, 16); From 10f384e4f5d0ee692cacaf90d629d8bc2178b092 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:46:04 +0300 Subject: [PATCH 0615/1037] bfi: Add some very basic sanity checks for input packet sizes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 640a2427aafa774b83316b7a8c5c2bdc28bfd269) Signed-off-by: Luca Barbato --- libavformat/bfi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 5d7ccb85e6..19060e760f 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c 
@@ -132,6 +132,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) video_offset = avio_rl32(pb); audio_size = video_offset - audio_offset; bfi->video_size = chunk_size - video_offset; + if (audio_size < 0 || bfi->video_size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); + return AVERROR_INVALIDDATA; + } //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); From 04d2f9ace3fb6e880f3488770fc5a39de5b63cbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:26:18 +0300 Subject: [PATCH 0616/1037] mvi: Add sanity checking for the audio frame size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids a division by zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 28ff439efd2362fb21e1a78610737f2e26a72d8f) Signed-off-by: Luca Barbato --- libavformat/mvi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 10ec8bbb20..65096f10b4 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -93,6 +93,12 @@ static int read_header(AVFormatContext *s) mvi->get_int = (vst->codec->width * vst->codec->height < (1 << 16)) ? avio_rl16 : avio_rl24; mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; + if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { + av_log(s, AV_LOG_ERROR, "Invalid audio_data_size (%d) or frames_count (%d)\n", + mvi->audio_data_size, frames_count); + return AVERROR_INVALIDDATA; + } + mvi->audio_size_counter = (ast->codec->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size; mvi->audio_size_left = mvi->audio_data_size; From c10f3fed259c23e6887f68cdf3e7d4ae87026f65 Mon Sep 17 00:00:00 2001 
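Review bot: The new sign test in bfi_read_packet runs after the two subtractions, so it sees only their results. If `audio_offset`, `video_offset` and `chunk_size` are signed 32-bit values (their declarations are outside the hunk), operands of opposite sign can overflow the subtraction itself, and a negative `audio_offset` can produce a large positive `audio_size` that passes the test. Validating the operands first is more direct: `if (audio_offset < 0 || video_offset < audio_offset || chunk_size < video_offset)`. No upper bound is applied to either size before `av_get_packet()`; whether that call limits the request is not visible here.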
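Review bot: The new `audio_frame_size` test in the mvi read_header comes after the division by `frames_count` on the context line above it, so a zero `frames_count` still divides by zero before the check is reached, unless it is rejected earlier in the function (not visible here). The expression `1 << MVI_FRAC_BITS - 1` parses as `1 << (MVI_FRAC_BITS - 1)`; writing the parentheses makes the intent explicit and avoids a `-Wparentheses` warning. The `%d` conversions in the message assume both arguments are `int`.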
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:57:36 +0300 Subject: [PATCH 0617/1037] mov: Make sure the read sample count is nonnegative MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids setting a negative number of frames, ending up with a negative average frame rate. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit c231987662194d009dd91bfc57c678e0e70ca161) Signed-off-by: Luca Barbato --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2ae19c9358..6b89a2d1ba 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1659,6 +1659,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) sample_count=avio_rb32(pb); sample_duration = avio_rb32(pb); + if (sample_count < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid sample_count=%d\n", sample_count); + return AVERROR_INVALIDDATA; + } sc->stts_data[i].count= sample_count; sc->stts_data[i].duration= sample_duration; From a63e83cd4b43c3dcef38f7fefe41c002a263af0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 00:12:04 +0300 Subject: [PATCH 0618/1037] pngdec: Stop trying to decode once inflate returns Z_STREAM_END MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the input buffer contains more data after the deflate stream, the loop previously left running infinitely, with inflate returning Z_STREAM_END. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit a81cad8f86d1feb7e4bfae29e43f3e994935a5c7) Signed-off-by: Luca Barbato --- libavcodec/pngdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 9c340eacb4..6c2df12c7d 100644 --- a/libavcodec/pngdec.c 
+++ b/libavcodec/pngdec.c @@ -378,6 +378,10 @@ static int png_decode_idat(PNGDecContext *s, int length) s->zstream.avail_out = s->crow_size; s->zstream.next_out = s->crow_buf; } + if (ret == Z_STREAM_END && s->zstream.avail_in > 0) { + av_log(NULL, AV_LOG_WARNING, "%d undecompressed bytes left in buffer\n", s->zstream.avail_in); + return 0; + } } return 0; } From 812955a12b190012c134be33a93f27308953eb2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 00:38:50 +0300 Subject: [PATCH 0619/1037] pcx: Consume the whole packet if giving up due to missing palette MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, we returned 0, meaning successful decoding but 0 bytes consumed, leading to an infinite loop. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 9fb0de86b49e9fb0709a8ad1e1875e35da841887) Signed-off-by: Luca Barbato --- libavcodec/pcx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index ba3703a712..9c79aff1ae 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -196,6 +196,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } if (*buf++ != 12) { av_log(avctx, AV_LOG_ERROR, "expected palette after image data\n"); + ret = buf_size; goto end; } From 145de32896b37a508f11bcf11dfcc94487301716 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 00:53:58 +0300 Subject: [PATCH 0620/1037] xan: Use bytestream2 to limit reading to within the buffer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 30db94dc399f6e4ef8905049d9b740556f0fce47) 
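Review bot: The warning added to png_decode_idat prints `s->zstream.avail_in` with `%d`, but zlib declares that field as `uInt`; `%u` matches the type. It is also logged with a NULL context, which drops the association with the decoder instance; if PNGDecContext holds a pointer to its AVCodecContext (not visible in this hunk), pass that instead. Returning 0 here reports success, so trailing bytes after the end of the deflate stream are tolerated rather than rejected; a one-line comment saying that is deliberate would help.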
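Review bot: With `ret = buf_size` the missing-palette path in pcx_decode_frame logs at AV_LOG_ERROR and then reports the whole packet as successfully decoded. `ret = AVERROR_INVALIDDATA;` would end the loop described in the commit message as well, since callers normally treat a negative return as a failed packet rather than retrying the same bytes, and it would let them see the failure. Whether `*got_frame` is left unset on this path depends on code outside the hunk and should be confirmed either way.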
Signed-off-by: Luca Barbato --- libavcodec/xan.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 8c90bb6ab0..0dd81f5681 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -283,8 +283,8 @@ static int xan_wc3_decode_frame(XanContext *s) { /* pointers to segments inside the compressed chunk */ const unsigned char *huffman_segment; - const unsigned char *size_segment; - const unsigned char *vector_segment; + GetByteContext size_segment; + GetByteContext vector_segment; const unsigned char *imagedata_segment; int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size; @@ -304,8 +304,8 @@ static int xan_wc3_decode_frame(XanContext *s) { return AVERROR_INVALIDDATA; huffman_segment = s->buf + huffman_offset; - size_segment = s->buf + size_offset; - vector_segment = s->buf + vector_offset; + bytestream2_init(&size_segment, s->buf + size_offset, s->size - size_offset); + bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); imagedata_segment = s->buf + imagedata_offset; if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, @@ -357,19 +357,17 @@ static int xan_wc3_decode_frame(XanContext *s) { case 9: case 19: - size = *size_segment++; + size = bytestream2_get_byte(&size_segment); break; case 10: case 20: - size = AV_RB16(&size_segment[0]); - size_segment += 2; + size = bytestream2_get_be16(&size_segment); break; case 11: case 21: - size = AV_RB24(size_segment); - size_segment += 3; + size = bytestream2_get_be24(&size_segment); break; } 
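Review bot: In the second hunk both `bytestream2_init()` calls take `s->size - size_offset` and `s->size - vector_offset` as lengths, which is only safe if each offset has already been checked against `s->size`; the check ending in `return AVERROR_INVALIDDATA;` just above is only partly visible, so confirm it covers all four offsets. The bytestream2 readers used in the third hunk return 0 once the segment is exhausted rather than failing, so a truncated size segment decodes as zero-length runs. Testing `bytestream2_get_bytes_left(&size_segment)` would let xan_wc3_decode_frame report the truncation. `huffman_segment` and `imagedata_segment` remain raw pointers after this change.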
@@ -391,9 +389,9 @@ static int xan_wc3_decode_frame(XanContext *s) { } } else { /* run-based motion compensation from last frame */ - motion_x = sign_extend(*vector_segment >> 4, 4); - motion_y = sign_extend(*vector_segment & 0xF, 4); - vector_segment++; + uint8_t vector = bytestream2_get_byte(&vector_segment); + motion_x = sign_extend(vector >> 4, 4); + motion_y = sign_extend(vector & 0xF, 4); /* copy a run of pixels from the previous frame */ xan_wc3_copy_pixel_run(s, x, y, size, motion_x, motion_y); From 09ace619d6ccb2c0a45b5fdead29f926409fa129 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 00:59:50 +0300 Subject: [PATCH 0621/1037] xan: Only read within the data that actually was initialized MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit fc739b3eefa0b58d64e7661621da94a94dbc8a82) Signed-off-by: Luca Barbato --- libavcodec/xan.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 0dd81f5681..369f89b18e 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -104,6 +104,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; + unsigned char *dest_start = dest; GetBitContext gb; if (ptr_len < 0) @@ -119,13 +120,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, if (val < 0x16) { if (dest >= dest_end) - return 0; + return dest_len; *dest++ = val; val = ival; } } - return 0; + return dest - dest_start; } /** 
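Review bot: xan_huffman_decode changes its success return from 0 to the number of bytes written (`return dest - dest_start;`, and `return dest_len;` when the output is full), but nothing in the hunk documents the new contract. A line such as `@return number of bytes written to dest, negative on error` in the function comment would match the caller, which tests `< 0` and then uses the count to set `opcode_buffer_end`. The function's opening and any existing doc comment are outside the hunk, so check whether one already describes the old return value.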
@@ -274,7 +275,7 @@ static int xan_wc3_decode_frame(XanContext *s) { unsigned char flag = 0; int size = 0; int motion_x, motion_y; - int x, y; + int x, y, ret; unsigned char *opcode_buffer = s->buffer1; unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; @@ -308,9 +309,10 @@ static int xan_wc3_decode_frame(XanContext *s) { bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); imagedata_segment = s->buf + imagedata_offset; - if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s->size - huffman_offset) < 0) + if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - huffman_offset)) < 0) return AVERROR_INVALIDDATA; + opcode_buffer_end = opcode_buffer + ret; if (imagedata_segment[0] == 2) { xan_unpack(s->buffer2, s->buffer2_size, From 3ac156b707932e93ed5e1f23ca866e251fafb743 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 01:04:05 +0300 Subject: [PATCH 0622/1037] xxan: Disallow odd width MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Decoded data is always written in pairs within this decoder. This fixes writes out of bounds. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit aa0dd52434768da64f1f3d8ae92bcf980c1adffc) Signed-off-by: Luca Barbato --- libavcodec/xxan.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 84ffdecdff..7a0cdc48c6 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c 
@@ -49,6 +49,10 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Invalid frame height: %d.\n", avctx->height); return AVERROR(EINVAL); } + if (avctx->width & 1) { + av_log(avctx, AV_LOG_ERROR, "Invalid frame width: %d.\n", avctx->width); + return AVERROR(EINVAL); + } s->buffer_size = avctx->width * avctx->height; s->y_buffer = av_malloc(s->buffer_size); From fd2ba1807e9a4c91b76b3cd6be55931e092c5885 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 28 Sep 2013 16:56:54 +0200 Subject: [PATCH 0623/1037] mxfdec: set audio timebase to 1/samplerate Fixes sync in some samples (e.g. bugs 7581 and 8374 in VLC). Based on a commit by Matthieu Bouron Reported-by: Jean-Baptiste Kempf CC: libav-stable@libav.org (cherry picked from commit 93370d12164236d59645314871a1d6808b2a8ddb) Signed-off-by: Luca Barbato --- libavformat/mxfdec.c | 10 +++++++++- tests/ref/fate/mxf-demux | 6 +++--- tests/ref/seek/lavf-mxf | 18 +++++++++--------- tests/ref/seek/lavf-mxf_d10 | 30 +++++++++++++++--------------- 4 files changed, 36 insertions(+), 28 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 18f7b26fa1..d380b369dd 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -1527,8 +1527,16 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) st->codec->channels = descriptor->channels; st->codec->bits_per_coded_sample = descriptor->bits_per_sample; - if (descriptor->sample_rate.den > 0) + if (descriptor->sample_rate.den > 0) { st->codec->sample_rate = descriptor->sample_rate.num / descriptor->sample_rate.den; + avpriv_set_pts_info(st, 64, descriptor->sample_rate.den, descriptor->sample_rate.num); + } else { + av_log(mxf->fc, AV_LOG_WARNING, "invalid sample rate (%d/%d) " + "found for stream #%d, time base forced to 1/48000\n", + descriptor->sample_rate.num, descriptor->sample_rate.den, + st->index); + avpriv_set_pts_info(st, 64, 1, 48000); + } /* TODO: implement AV_CODEC_ID_RAWAUDIO */ if (st->codec->codec_id == AV_CODEC_ID_PCM_S16LE) { diff --git a/tests/ref/fate/mxf-demux b/tests/ref/fate/mxf-demux index e162775d52..426afae965 100644 --- a/tests/ref/fate/mxf-demux +++ b/tests/ref/fate/mxf-demux @@ -1,7 +1,7 @@ #tb 0: 1/25 -#tb 1: 1/25 +#tb 1: 1/8000 0, 0, -9223372036854775808, 1, 8468, 0xc0855553 -1, 0, 0, 50, 32000, 0x479155e6 +1, 0, 0, 16000, 32000, 0x479155e6 0, 1, -9223372036854775808, 1, 3814, 0xa10783b4 0, 2, -9223372036854775808, 1, 3747, 0xb7bf6973 0, 3, -9223372036854775808, 1, 3705, 0x5462a600 @@ -52,7 +52,7 @@ 0, 48, -9223372036854775808, 1, 3688, 0x1db45852 0, 49, -9223372036854775808, 1, 38412, 0x2ee26a63 0, 50, -9223372036854775808, 1, 8385, 0x0bc20a27 -1, 50, 50, 50, 32000, 0x8f7e5009 +1, 16000, 16000, 16000, 32000, 0x8f7e5009 0, 51, -9223372036854775808, 1, 3733, 0xa3e2a9a0 0, 52, -9223372036854775808, 1, 3773, 0x27769caa 0, 53, -9223372036854775808, 1, 3670, 0xc8335e98 diff --git a/tests/ref/seek/lavf-mxf b/tests/ref/seek/lavf-mxf index cc634a8af2..5f2cf5d1b0 100644 --- a/tests/ref/seek/lavf-mxf +++ b/tests/ref/seek/lavf-mxf 
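Review bot: The new branch validates only `descriptor->sample_rate.den > 0` before passing `descriptor->sample_rate.num` as the time base denominator to `avpriv_set_pts_info`, so a descriptor with a zero or negative numerator reaches that call unchecked and also leaves `st->codec->sample_rate` non-positive. Extending the condition to `if (descriptor->sample_rate.den > 0 && descriptor->sample_rate.num > 0) {` routes such files to the existing warning and the 1/48000 fallback. How avpriv_set_pts_info treats a non-positive denominator is not visible here. mxf_parse_structural_metadata continues outside the hunk.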
@@ -7,8 +7,8 @@ ret: 0 st: 0 flags:0 ts: 0.800000 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret: 0 st: 0 flags:1 ts:-0.320000 ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 -ret:-1 st: 1 flags:0 ts: 2.560000 -ret: 0 st: 1 flags:1 ts: 1.480000 +ret:-1 st: 1 flags:0 ts: 2.576667 +ret: 0 st: 1 flags:1 ts: 1.470833 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret: 0 st:-1 flags:0 ts: 0.365002 ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.480000 pos: 211968 size: 24787 @@ -17,9 +17,9 @@ ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 ret:-1 st: 0 flags:0 ts: 2.160000 ret: 0 st: 0 flags:1 ts: 1.040000 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 -ret: 0 st: 1 flags:0 ts:-0.040000 +ret: 0 st: 1 flags:0 ts:-0.058333 ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 -ret: 0 st: 1 flags:1 ts: 2.840000 +ret: 0 st: 1 flags:1 ts: 2.835833 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret:-1 st:-1 flags:0 ts: 1.730004 ret: 0 st:-1 flags:1 ts: 0.624171 @@ -28,9 +28,9 @@ ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 ret: 0 st: 0 flags:1 ts: 2.400000 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 -ret:-1 st: 1 flags:0 ts: 1.320000 -ret: 0 st: 1 flags:1 ts: 0.200000 -ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 +ret:-1 st: 1 flags:0 ts: 1.306667 +ret: 0 st: 1 flags:1 ts: 0.200833 +ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret: 0 st:-1 flags:0 ts:-0.904994 ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 ret: 0 st:-1 flags:1 ts: 1.989173 
@@ -39,8 +39,8 @@ ret: 0 st: 0 flags:0 ts: 0.880000 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret: 0 st: 0 flags:1 ts:-0.240000 ret: 0 st: 0 flags:1 dts:-0.040000 pts: 0.000000 pos: 6144 size: 24801 -ret:-1 st: 1 flags:0 ts: 2.680000 -ret: 0 st: 1 flags:1 ts: 1.560000 +ret:-1 st: 1 flags:0 ts: 2.671667 +ret: 0 st: 1 flags:1 ts: 1.565833 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 ret: 0 st:-1 flags:0 ts: 0.460008 ret: 0 st: 0 flags:1 dts: 0.840000 pts: 0.960000 pos: 460800 size: 24712 diff --git a/tests/ref/seek/lavf-mxf_d10 b/tests/ref/seek/lavf-mxf_d10 index 4cfe595415..e091c77633 100644 --- a/tests/ref/seek/lavf-mxf_d10 +++ b/tests/ref/seek/lavf-mxf_d10 @@ -7,10 +7,10 @@ ret: 0 st: 0 flags:0 ts: 0.800000 ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:4265984 size:150000 ret: 0 st: 0 flags:1 ts:-0.320000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 -ret: 0 st: 1 flags:0 ts: 2.560000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 -ret: 0 st: 1 flags:1 ts: 1.480000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 +ret: 0 st: 1 flags:0 ts: 2.576667 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 +ret: 0 st: 1 flags:1 ts: 1.470833 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 ret: 0 st:-1 flags:0 ts: 0.365002 ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos:1923072 size:150000 ret: 0 st:-1 flags:1 ts:-0.740831 
@@ -19,10 +19,10 @@ ret: 0 st: 0 flags:0 ts: 2.160000 ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 ret: 0 st: 0 flags:1 ts: 1.040000 ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 -ret: 0 st: 1 flags:0 ts:-0.040000 +ret: 0 st: 1 flags:0 ts:-0.058333 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 -ret: 0 st: 1 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 +ret: 0 st: 1 flags:1 ts: 2.835833 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 ret: 0 st:-1 flags:0 ts: 1.730004 ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 ret: 0 st:-1 flags:1 ts: 0.624171 @@ -31,10 +31,10 @@ ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 ret: 0 st: 0 flags:1 ts: 2.400000 ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 -ret: 0 st: 1 flags:0 ts: 1.320000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 -ret: 0 st: 1 flags:1 ts: 0.200000 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos:1071104 size:150000 +ret: 0 st: 1 flags:0 ts: 1.306667 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 +ret: 0 st: 1 flags:1 ts: 0.200833 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 ret: 0 st:-1 flags:0 ts:-0.904994 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 ret: 0 st:-1 flags:1 ts: 1.989173 
@@ -43,10 +43,10 @@ ret: 0 st: 0 flags:0 ts: 0.880000 ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos:4691968 size:150000 ret: 0 st: 0 flags:1 ts:-0.240000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 6144 size:150000 -ret: 0 st: 1 flags:0 ts: 2.680000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 -ret: 0 st: 1 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:5117952 size:150000 +ret: 0 st: 1 flags:0 ts: 2.671667 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 +ret: 0 st: 1 flags:1 ts: 1.565833 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos:5117952 size:150000 ret: 0 st:-1 flags:0 ts: 0.460008 ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:2562048 size:150000 ret: 0 st:-1 flags:1 ts:-0.645825 From f06e39fe6b272a11782c023c31eec43bfce3138d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 01:24:20 +0300 Subject: [PATCH 0624/1037] rpza: Fix a buffer size check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We read 2 bytes for 15 out of 16 pixels, therefore we need to have at least 30 bytes, not 16. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 7ba0cedbfeff5671b264d1d7e90777057b5714c6) Signed-off-by: Luca Barbato --- libavcodec/rpza.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 57d4d2d228..59b15c6d4f 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -203,7 +203,7 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: - if (s->size - stream_ptr < 16) + if (s->size - stream_ptr < 30) return; block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { From fc4d11ec9b4c9710e2dac012d4ed0e7d08c6df7d Mon Sep 17 00:00:00 2001 
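Review bot: The corrected bound in `if (s->size - stream_ptr < 30)` is a bare number whose derivation exists only in the commit message. A comment on the check, e.g. `/* 15 of the 16 pixels are read below, 2 bytes each */`, or writing the bound as `15 * 2`, would keep the check and the read loop from drifting apart again. The part of the loop that performs the reads is outside the hunk.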
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 28 Sep 2013 23:32:57 +0300 Subject: [PATCH 0625/1037] asfdec: Check the return value of asf_read_stream_properties MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This makes sure errors in setting stream parameters are passed on to the caller. This avoids successfully opening files while some parameters aren't filled in properly. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit cc41167aede4c101ad17eeffa8f39bb6c23d3dad) Signed-off-by: Luca Barbato --- libavformat/asfdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index c6b322d6d3..e8587af809 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -714,7 +714,9 @@ static int asf_read_header(AVFormatContext *s) if (ret < 0) return ret; } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) { - asf_read_stream_properties(s, gsize); + int ret = asf_read_stream_properties(s, gsize); + if (ret < 0) + return ret; } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) { asf_read_content_desc(s, gsize); } else if (!ff_guidcmp(&g, &ff_asf_language_guid)) { From 7e350b7ddd19af856b55634233d609e29baab646 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 29 Sep 2013 13:02:27 +0300 Subject: [PATCH 0626/1037] pcx: Check the packet size before assuming it fits a palette MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes reads out of bounds. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d1d99e3befea5d411ac3aae72dbdecce94f8b547) Signed-off-by: Luca Barbato Conflicts: libavcodec/pcx.c --- libavcodec/pcx.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index 9c79aff1ae..223429d35e 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -184,7 +184,13 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } else if (nplanes == 1 && bits_per_pixel == 8) { const uint8_t *palstart = bufstart + buf_size - 769; - for (y=0; y Date: Tue, 17 Sep 2013 19:33:48 +0300 Subject: [PATCH 0627/1037] twinvqdec: Check the ibps parameter separately MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is required, since invalid parameters actually could pass the switch check below. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit c77d409bf95954aceb762dd800d1ee2868c4b0d4) --- libavcodec/twinvq.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 8989469237..f6c897f899 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -1142,6 +1142,10 @@ static av_cold int twin_decode_init(AVCodecContext *avctx) AV_CH_LAYOUT_STEREO; ibps = avctx->bit_rate / (1000 * avctx->channels); + if (ibps < 8 || ibps > 48) { + av_log(avctx, AV_LOG_ERROR, "Bad bitrate per channel value %d\n", ibps); + return AVERROR_INVALIDDATA; + } switch ((isampf << 8) + ibps) { case (8 <<8) + 8: tctx->mtab = &mode_08_08; break; From 99f953b3fe4bc43783208186a64fc38ca71ca2ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 16 Sep 2013 20:58:38 +0300 Subject: [PATCH 0628/1037] rmdec: Validate the fps value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Abort if it is invalid if strict error checking has been requested. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 0f310a6f333b016d336674d086045e8473fdf918) 
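Review bot: The range check on `ibps` in twin_decode_init has no comment saying why it is needed ahead of a `switch` that already lists explicit cases. The selector is `(isampf << 8) + ibps`, so an `ibps` of 256 or more would spill into the bits used for `isampf`, which is presumably how invalid parameters could pass the switch as the commit message says; a comment such as `/* ibps must stay in range so it cannot alias another (isampf << 8) + ibps mode */` records that. Whether `isampf` and `avctx->channels` (the divisor on the context line above) are validated is outside the hunk.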
Signed-off-by: Luca Barbato Conflicts: libavformat/rmdec.c --- libavformat/rmdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 6495bdf17a..f8362c0192 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -331,8 +331,13 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, if ((ret = rm_read_extradata(pb, st->codec, codec_data_size - (avio_tell(pb) - codec_pos))) < 0) return ret; - av_reduce(&st->avg_frame_rate.den, &st->avg_frame_rate.num, - 0x10000, fps, (1 << 30) - 1); + if (fps > 0) { + av_reduce(&st->avg_frame_rate.den, &st->avg_frame_rate.num, + 0x10000, fps, (1 << 30) - 1); + } else if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, "Invalid framerate\n"); + return AVERROR_INVALIDDATA; + } #if FF_API_R_FRAME_RATE st->r_frame_rate = st->avg_frame_rate; #endif From 3ee5458aa8b2d789d7abedf2a4cb6aed61d09c8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 15:58:59 +0300 Subject: [PATCH 0629/1037] svq3: Avoid a division by zero MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the height is zero, the decompression will probably end up failing due to not fitting into the allocated buffer later anyway, so this doesn't need any more elaborate check. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 601c2015bc16f0b281160292a6a760cbbbb0eacb) --- libavcodec/svq3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 683b9dc948..34cda3283c 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
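Review bot: When `fps` is not positive and `AV_EF_EXPLODE` is not set, the new code skips `av_reduce` without any message and leaves `st->avg_frame_rate` at whatever value it had before. A final `else` branch with `av_log(s, AV_LOG_WARNING, "Invalid framerate\n");` would make the damaged header visible in the default, non-strict mode as well. ff_rm_read_mdpr_codecdata starts and ends outside the hunk.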
@@ -956,7 +956,8 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) int offset = get_bits_count(&gb) + 7 >> 3; uint8_t *buf; - if ((uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) + if (watermark_height > 0 && + (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) return -1; buf = av_malloc(buf_len); From 98e1f0a2db41fff12d88b9bf1f903b5410bcd03a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 16:29:23 +0300 Subject: [PATCH 0630/1037] fraps: Make the input buffer size checks more strict MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö Conflicts: libavcodec/fraps.c --- libavcodec/fraps.c | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c index 6ac0c61908..a691d9e2ab 100644 --- a/libavcodec/fraps.c +++ b/libavcodec/fraps.c @@ -140,10 +140,17 @@ static int decode_frame(AVCodecContext *avctx, uint32_t offs[4]; int i, j, is_chroma, planes; enum AVPixelFormat pix_fmt; + int prev_pic_bit, expected_size; + + if (buf_size < 4) { + av_log(avctx, AV_LOG_ERROR, "Packet is too short\n"); + return AVERROR_INVALIDDATA; + } header = AV_RL32(buf); version = header & 0xff; header_size = (header & (1<<30))? 8 : 4; /* bit 30 means pad to 8 bytes */ + prev_pic_bit = header & (1U << 31); /* bit 31 means same as previous pic */ if (version > 5) { av_log(avctx, AV_LOG_ERROR, 
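Review bot: With `watermark_height > 0 &&` in front, a zero height now skips the size check entirely and falls through to the allocation, relying on a later failure as the commit message states. Rejecting it at the check is shorter and does not depend on code further down: `if (!watermark_height || (uint64_t)watermark_width * 4 > UINT_MAX / watermark_height) return -1;`. How `buf_len` is derived from these two values is outside the hunk.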
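Review bot: The new `buf_size < 4` guard in decode_frame covers the `AV_RL32(buf)` read, but `header_size` becomes 8 when bit 30 is set and nothing in this hunk compares `buf_size` against it. Versions 0 and 1 are covered by the `expected_size` comparison added in the later hunks; the paths for the other versions are not visible, so a uniform `if (buf_size < header_size) return AVERROR_INVALIDDATA;` right after `header_size` is computed would close the gap for every version. decode_frame continues outside the hunk.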
@@ -162,16 +169,19 @@ static int decode_frame(AVCodecContext *avctx, } avctx->pix_fmt = pix_fmt; - switch(version) { + expected_size = header_size; + + switch (version) { case 0: default: /* Fraps v0 is a reordered YUV420 */ - if ( (buf_size != avctx->width*avctx->height*3/2+header_size) && - (buf_size != header_size) ) { + if (!prev_pic_bit) + expected_size += avctx->width * avctx->height * 3 / 2; + if (buf_size != expected_size) { av_log(avctx, AV_LOG_ERROR, "Invalid frame length %d (should be %d)\n", - buf_size, avctx->width*avctx->height*3/2+header_size); - return -1; + buf_size, expected_size); + return AVERROR_INVALIDDATA; } if (( (avctx->width % 8) != 0) || ( (avctx->height % 2) != 0 )) { @@ -188,8 +198,7 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return -1; } - /* bit 31 means same as previous pic */ - f->pict_type = (header & (1U<<31))? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; + f->pict_type = prev_pic_bit ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; f->key_frame = f->pict_type == AV_PICTURE_TYPE_I; if (f->pict_type == AV_PICTURE_TYPE_I) { @@ -213,12 +222,13 @@ static int decode_frame(AVCodecContext *avctx, case 1: /* Fraps v1 is an upside-down BGR24 */ - if ( (buf_size != avctx->width*avctx->height*3+header_size) && - (buf_size != header_size) ) { + if (!prev_pic_bit) + expected_size += avctx->width * avctx->height * 3; + if (buf_size != expected_size) { av_log(avctx, AV_LOG_ERROR, "Invalid frame length %d (should be %d)\n", - buf_size, avctx->width*avctx->height*3+header_size); - return -1; + buf_size, expected_size); + return AVERROR_INVALIDDATA; } f->reference = 1; 
@@ -229,8 +239,7 @@ static int decode_frame(AVCodecContext *avctx, av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); return -1; } - /* bit 31 means same as previous pic */ - f->pict_type = (header & (1U<<31))? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; + f->pict_type = prev_pic_bit ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; f->key_frame = f->pict_type == AV_PICTURE_TYPE_I; if (f->pict_type == AV_PICTURE_TYPE_I) { From 99fe4c577fc88dc7421b6aa6837e65401b5e56db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 19 Sep 2013 17:02:36 +0300 Subject: [PATCH 0631/1037] r3d: Add more input value validation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö Conflicts: libavformat/r3d.c --- libavformat/r3d.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/r3d.c b/libavformat/r3d.c index a4cb20add2..543043e9c9 100644 --- a/libavformat/r3d.c +++ b/libavformat/r3d.c @@ -87,7 +87,7 @@ static int r3d_read_red1(AVFormatContext *s) framerate.num = avio_rb16(s->pb); framerate.den = avio_rb16(s->pb); - if (framerate.num && framerate.den) { + if (framerate.num > 0 && framerate.den > 0) { #if FF_API_R_FRAME_RATE st->r_frame_rate = #endif @@ -286,6 +286,10 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom) dts = avio_rb32(s->pb); st->codec->sample_rate = avio_rb32(s->pb); + if (st->codec->sample_rate <= 0) { + av_log(s, AV_LOG_ERROR, "Bad sample rate\n"); + return AVERROR_INVALIDDATA; + } samples = avio_rb32(s->pb); From 9597807ab1979a71483d6e0c5d18054cf9c11bba Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 19 Feb 2013 21:40:09 +0100 Subject: [PATCH 0632/1037] vc1dec: Don't decode slices when the latest slice header failed to decode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö Conflicts: libavcodec/vc1dec.c --- libavcodec/vc1dec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index dc0e197520..6b3211650b 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5591,6 +5591,8 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, if (avctx->hwaccel->end_frame(avctx) < 0) goto err; } else { + int header_ret = 0; + ff_er_frame_start(s); v->bits = buf_size * 8; @@ -5637,18 +5639,20 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, if (i) { v->pic_header_flag = 0; if (v->field_mode && i == n_slices1 + 2) { - if (ff_vc1_parse_frame_header_adv(v, &s->gb) < 0) { + if ((header_ret = ff_vc1_parse_frame_header_adv(v, &s->gb)) < 0) { av_log(v->s.avctx, AV_LOG_ERROR, "Field header damaged\n"); continue; } } else if (get_bits1(&s->gb)) { v->pic_header_flag = 1; - if (ff_vc1_parse_frame_header_adv(v, &s->gb) < 0) { + if ((header_ret = ff_vc1_parse_frame_header_adv(v, &s->gb)) < 0) { av_log(v->s.avctx, AV_LOG_ERROR, "Slice header damaged\n"); continue; } } } + if (header_ret < 0) + continue; s->start_mb_y = (i == 0) ? 0 : FFMAX(0, slices[i-1].mby_start % mb_height); if (!v->field_mode || v->second_field) s->end_mb_y = (i == n_slices ) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height); From 494f2d4f9e834db1eaf1a7d0160d497f9802013d Mon Sep 17 00:00:00 2001 
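Review bot: `header_ret` is declared once at the top of the `else` branch, apparently outside the slice loop, and is never reset, so after one damaged header every following slice is skipped until another header parses successfully. That matches the subject line, but the code itself does not say so. A comment at the declaration, e.g. `/* result of the most recent field/slice header parse; slices are skipped while it is negative */`, would make the persistence across iterations explicit. The loop header and the rest of vc1_decode_frame are outside the hunks.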
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Sep 2013 11:32:25 +0300 Subject: [PATCH 0633/1037] vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5e25fdbfe01635cfc650ac4adc27d434b2df0d64) Signed-off-by: Luca Barbato Conflicts: libavcodec/vc1dec.c --- libavcodec/vc1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 9d68d32c13..dc0e197520 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -4742,6 +4742,9 @@ static void vc1_decode_skip_blocks(VC1Context *v) { MpegEncContext *s = &v->s; + if (!v->s.last_picture.f.data[0]) + return; + ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, ER_MB_END); s->first_slice_line = 1; for (s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) { From 42c7ed49a9e4cd5fdeb1306e8e09a96a4c7dbbbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 24 Sep 2013 12:02:39 +0300 Subject: [PATCH 0634/1037] mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes breakage in a few fate tests on certain setups (that for some reason didn't break on OS X) after the previous commit (8812a8057). Currently, some video streams are initialized in ff_MPV_common_init with width/height set at 0 and only changed to a proper video size with ff_MPV_common_frame_size_change later. The breakage was diagnosed by Anton Khirnov. Signed-off-by: Martin Storsjö (cherry picked from commit 5f24fe82e5fcf227abb5ebf62aa9bc246fda8c0d) Signed-off-by: Martin Storsjö --- libavcodec/mpegvideo.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
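Review bot: The new guard in vc1_decode_skip_blocks reads `v->s.last_picture.f.data[0]` although the line above has just bound `s = &v->s`; `if (!s->last_picture.f.data[0])` matches the rest of the body. The early return is also silent, so a stream that reaches it loses the skipped slice without any log entry; whether the caller reports that is outside the hunk.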
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 77e21d2bf1..0274f01208 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -914,17 +914,17 @@ av_cold int ff_MPV_common_init(MpegEncContext *s) s->flags = s->avctx->flags; s->flags2 = s->avctx->flags2; + /* set chroma shifts */ + av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, + &s->chroma_x_shift, + &s->chroma_y_shift); + + /* convert fourcc to upper case */ + s->codec_tag = avpriv_toupper4(s->avctx->codec_tag); + + s->stream_codec_tag = avpriv_toupper4(s->avctx->stream_codec_tag); + if (s->width && s->height) { - /* set chroma shifts */ - av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, - &s->chroma_x_shift, - &s->chroma_y_shift); - - /* convert fourcc to upper case */ - s->codec_tag = avpriv_toupper4(s->avctx->codec_tag); - - s->stream_codec_tag = avpriv_toupper4(s->avctx->stream_codec_tag); - s->avctx->coded_frame = &s->current_picture.f; if (s->encoding) { From 23e42841609739b2e47f040761c9daf1b1a9f291 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 23 Sep 2013 12:25:48 +0300 Subject: [PATCH 0635/1037] h263dec: Remove a hack that can cause infinite loops MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The actual usefulness of the hack is not known, and it does cause infinite loops with some broken input files. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8812a8057f539845f6801cafdf6c481a59e96b48) Signed-off-by: Martin Storsjö --- libavcodec/h263dec.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index fc5f565131..db58fd2e12 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
@@ -385,8 +385,6 @@ uint64_t time= rdtsc(); } -retry: - if(s->bitstream_buffer_size && (s->divx_packed || buf_size<20)){ //divx 5.01+/xvid frame reorder init_get_bits(&s->gb, s->bitstream_buffer, s->bitstream_buffer_size*8); }else @@ -569,17 +567,6 @@ retry: /* FIXME: By the way H263 decoder is evolving it should have */ /* an H263EncContext */ - if (!avctx->coded_width || !avctx->coded_height) { - ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat - - s->parse_context.buffer=0; - ff_MPV_common_end(s); - s->parse_context= pc; - avcodec_set_dimensions(avctx, s->width, s->height); - - goto retry; - } - if (s->width != avctx->coded_width || s->height != avctx->coded_height || s->context_reinit) { From a9fc88ea93b2648e043a2bb863cfacabc8c3342d Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 4 Oct 2013 19:14:27 -0400 Subject: [PATCH 0636/1037] Prepare for 9.10 RELEASE --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index a61a79be6c..5f3c44015f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.9 +9.10 From 2a7bdbf67efbb7061957f52ef81f49e6c06cfd54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2013 00:30:46 +0200 Subject: [PATCH 0637/1037] ffserver: strip odd chars from html error messages before sending them back Fixes Ticket3034 Signed-off-by: Michael Niedermayer (cherry picked from commit 885739f3b4ca3fb60abf417120845e3fcfb99b53) Signed-off-by: Michael Niedermayer --- ffserver.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ffserver.c b/ffserver.c index f2cf67f694..9b2ce990d2 100644 --- a/ffserver.c +++ b/ffserver.c @@ -328,6 +328,14 @@ static AVLFG random_state; static FILE *logfile = NULL; +static void htmlstrip(char *s) { + while (s && *s) { + s += strspn(s, "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,. "); + if (*s) + *s++ = '?'; + } +} + static int64_t ffm_read_write_index(int fd) { uint8_t buf[8]; 
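Review bot: `htmlstrip` has no comment, and its name suggests removal while the body overwrites every byte outside the allow-list with `?` in place. A comment such as `/* Replace, in place, every character outside [0-9a-zA-Z,. ] with '?' so the string can be embedded in an HTML response. */` documents both the mutation and the allowed set. Stating that the function is deliberately an allow-list rather than an escape of a few known characters also helps anyone later tempted to widen the set.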
@@ -1887,6 +1895,7 @@ static int http_parse_request(HTTPContext *c) send_error: c->http_error = 404; q = c->buffer; + htmlstrip(msg); snprintf(q, c->buffer_size, "HTTP/1.0 404 Not Found\r\n" "Content-type: text/html\r\n" From 58287d3b10a2eb90dbfb5b21981bc27dfda98ff3 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 10 Oct 2013 08:50:09 -0400 Subject: [PATCH 0638/1037] update Changelog --- Changelog | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/Changelog b/Changelog index a0b11862b6..5f15390ac9 100644 --- a/Changelog +++ b/Changelog 
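Review bot: `htmlstrip(msg)` writes into its argument, so the call at `send_error` is only valid if `msg` is a writable buffer on every path that jumps there; its declaration is outside the hunk and should be confirmed never to point at a string literal. Only this 404 response is sanitized by the change. Any other response built in ffserver.c that echoes request-derived text would need the same treatment, which cannot be checked from this hunk.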
@@ -1,6 +1,78 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 9.10: +- alac: Do bounds checking of lpc_order read from the bitstream +- ape: Don't allow the seektable to be omitted +- asfdec: Check the return value of asf_read_stream_properties +- asvdec: Verify the amount of extradata +- avidec: Make sure a packet is large enough before reading its data +- bfi: Add some very basic sanity checks for input packet sizes +- bfi: Avoid divisions by zero +- cavsdec: Make sure a sequence header has been decoded before decoding pictures +- dcadec: Validate the lfe parameter +- dsicin: Add some basic sanity checks for fields read from the file +- eacmv: Make sure a reference frame exists before referencing it +- electronicarts: Add more sanity checking for the number of channels +- electronicarts: Check packet sizes before reading +- ffv1: Make sure at least one slice context is initialized +- fraps: Make the input buffer size checks more strict +- h263dec: Remove a hack that can cause infinite loops +- idroqdec: Make sure a video stream has been allocated before returning packets +- ivi_common: Make sure color planes have been initialized +- lavf: Avoid setting avg_frame_rate if delta_dts is negative +- mace: Make sure that the channel count is set to a valid value +- matroskadec: Verify realaudio codec parameters +- mov: Don't use a negative duration for setting other fields +- mov: Make sure the read sample count is nonnegative +- mpc8: Check the seek table size parsed from the bitstream +- mpc8: Make sure the first stream exists before parsing the seek table +- mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory +- mpegaudiodec: Validate that the number of channels fits at the given offset +- mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0 +- mvi: Add sanity checking for the audio frame size +- mxfdec: set audio timebase to 1/samplerate 
+- oggparseogm: Convert to use bytestream2 +- omadec: Properly check lengths before incrementing the position +- pcx: Check the packet size before assuming it fits a palette +- pcx: Consume the whole packet if giving up due to missing palette +- pngdec: Stop trying to decode once inflate returns Z_STREAM_END +- qpeg: Add checks for running out of rows in qpeg_decode_inter +- r3d: Add more input value validation +- riffdec: Add sanity checks for the sample rate +- rl2: Avoid a division by zero +- rmdec: Validate the fps value +- rpza: Fix a buffer size check +- rv10: Validate the dimensions set from the container +- rv34: Check the return value from ff_rv34_decode_init +- segafilm: Validate the number of audio channels +- shorten: Break out of loop looking for fmt chunk if none is found +- shorten: Use a checked bytestream reader for the wave header +- sierravmd: Do sanity checking of frame sizes +- smacker: Avoid integer overflow when allocating packets +- smacker: Don't return packets in unallocated streams +- smacker: Make sure we don't fill in huffman codes out of range +- svq3: Avoid a division by zero +- svq3: Check for any negative return value from ff_h264_check_intra_pred_mode +- truemotion2: Use av_freep properly in an error path +- twinvqdec: Check the ibps parameter separately +- vc1dec: Don't decode slices when the latest slice header failed to decode +- vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors +- vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks +- vc1dec: Undo mpegvideo initialization if unable to allocate tables +- vocdec: Don't update codec parameters mid-stream +- vp3: Check the framerate for validity +- vqf: Make sure sample_rate is set to a valid value +- vqf: Make sure the bitrate is in the valid range +- wnv1: Make sure the input packet is large enough +- wtv: Add more sanity checks for a length read from the file +- xan: Only read within the data that actually was initialized +- xan: Use bytestream2 
to limit reading to within the buffer +- xmv: Add more sanity checks for parameters read from the bitstream +- xwma: Avoid division by zero +- xxan: Disallow odd width +- zmbvdec: Check the buffer size for uncompressed data + version 9.9: - 4xm: check that bits per sample is strictly positive - 4xm: Check that the read track value is non-negative From bb81b2b2e06abbf713094f8b77b4cbd550c02503 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 10 Oct 2013 09:56:40 -0400 Subject: [PATCH 0639/1037] Fix top-level description --- Changelog | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 5f15390ac9..594a6ff929 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,4 @@ -Entries are sorted chronologically from oldest to youngest within each release, -releases are sorted from youngest to oldest. +Releases are sorted from youngest to oldest. version 9.10: - alac: Do bounds checking of lpc_order read from the bitstream From e31e66948d0a9a3f98afdb49c63208caefed5a61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Oct 2013 14:49:50 +0200 Subject: [PATCH 0640/1037] Delete changelog The merges have filled the changelog of the 1.1 branch with bugfix entries that ffmpeg 1.1 was never affected by or that where fixed long ago. No one has cleaned this mess up and its better to have no changelog file than one that is 80% wrong. If someone wants to clean this up, thats of course very welcome, aka yes patches and pull requests welcome! Signed-off-by: Michael Niedermayer --- Changelog | 1366 ----------------------------------------------------- 1 file changed, 1366 deletions(-) delete mode 100644 Changelog diff --git a/Changelog b/Changelog deleted file mode 100644 index 6c67dd9541..0000000000 --- a/Changelog +++ /dev/null 
@@ -1,1366 +0,0 @@ -Releases are sorted from youngest to oldest. - - -version : -- alac: Do bounds checking of lpc_order read from the bitstream -- ape: Don't allow the seektable to be omitted -- asfdec: Check the return value of asf_read_stream_properties -- asvdec: Verify the amount of extradata -- avidec: Make sure a packet is large enough before reading its data -- bfi: Add some very basic sanity checks for input packet sizes -- bfi: Avoid divisions by zero -- cavsdec: Make sure a sequence header has been decoded before decoding pictures -- dcadec: Validate the lfe parameter -- dsicin: Add some basic sanity checks for fields read from the file -- eacmv: Make sure a reference frame exists before referencing it -- electronicarts: Add more sanity checking for the number of channels -- electronicarts: Check packet sizes before reading -- ffv1: Make sure at least one slice context is initialized -- fraps: Make the input buffer size checks more strict -- h263dec: Remove a hack that can cause infinite loops -- idroqdec: Make sure a video stream has been allocated before returning packets -- ivi_common: Make sure color planes have been initialized -- lavf: Avoid setting avg_frame_rate if delta_dts is negative -- mace: Make sure that the channel count is set to a valid value -- matroskadec: Verify realaudio codec parameters -- mov: Don't use a negative duration for setting other fields -- mov: Make sure the read sample count is nonnegative -- mpc8: Check the seek table size parsed from the bitstream -- mpc8: Make sure the first stream exists before parsing the seek table -- mpeg4videodec: Check the width/height in mpeg4_decode_sprite_trajectory -- mpegaudiodec: Validate that the number of channels fits at the given offset -- mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0 -- mvi: Add sanity checking for the audio frame size -- mxfdec: set audio timebase to 1/samplerate -- oggparseogm: Convert to use bytestream2 -- omadec: Properly check lengths 
before incrementing the position -- pcx: Check the packet size before assuming it fits a palette -- pcx: Consume the whole packet if giving up due to missing palette -- pngdec: Stop trying to decode once inflate returns Z_STREAM_END -- qpeg: Add checks for running out of rows in qpeg_decode_inter -- r3d: Add more input value validation -- riffdec: Add sanity checks for the sample rate -- rl2: Avoid a division by zero -- rmdec: Validate the fps value -- rpza: Fix a buffer size check -- rv10: Validate the dimensions set from the container -- rv34: Check the return value from ff_rv34_decode_init -- segafilm: Validate the number of audio channels -- shorten: Break out of loop looking for fmt chunk if none is found -- shorten: Use a checked bytestream reader for the wave header -- sierravmd: Do sanity checking of frame sizes -- smacker: Avoid integer overflow when allocating packets -- smacker: Don't return packets in unallocated streams -- smacker: Make sure we don't fill in huffman codes out of range -- svq3: Avoid a division by zero -- svq3: Check for any negative return value from ff_h264_check_intra_pred_mode -- truemotion2: Use av_freep properly in an error path -- twinvqdec: Check the ibps parameter separately -- vc1dec: Don't decode slices when the latest slice header failed to decode -- vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors -- vc1dec: Make sure last_picture is initialized in vc1_decode_skip_blocks -- vc1dec: Undo mpegvideo initialization if unable to allocate tables -- vocdec: Don't update codec parameters mid-stream -- vp3: Check the framerate for validity -- vqf: Make sure sample_rate is set to a valid value -- vqf: Make sure the bitrate is in the valid range -- wnv1: Make sure the input packet is large enough -- wtv: Add more sanity checks for a length read from the file -- xan: Only read within the data that actually was initialized -- xan: Use bytestream2 to limit reading to within the buffer -- xmv: Add more sanity checks for 
parameters read from the bitstream -- xwma: Avoid division by zero -- xxan: Disallow odd width -- zmbvdec: Check the buffer size for uncompressed data -- 4xm: check that bits per sample is strictly positive -- 4xm: Check that the read track value is non-negative -- 4xm: Reject not a multiple of 16 dimension -- 8bps: Bound-check the input buffer -- aac: Check init_get_bits return value -- aac: return meaningful errors -- ac3: Clean up the error paths -- ac3dec: Don't consume more data than the actual input packet size -- ac3dec: Increment channel pointers only once per channel -- ac3: Do not clash with normal AVERROR -- ac3: Return proper error codes -- adpcm: Write the correct number of samples for ima-dk4 -- alac: Check that the channels fit at the given offset -- alac: Limit max_samples_per_frame -- alsdec: Clean up error paths -- alsdec: Fix the clipping range -- ape demuxer: check for EOF in potentially long loops -- atrac3: Error on impossible encoding/channel combinations -- atrac3: fix error handling -- atrac3: set the getbits context the right buffer_end -- ffmpeg: do not use lavfi direct rendering with -deinterlace -- avidec: Let the inner dv demuxer take care of discarding -- avio: Handle AVERROR_EOF in the same way as the return value 0 -- bink: Bound check the quantization matrix. 
-- dca: Error out on missing DSYNC -- dca: Respect the current limits in the downmixing capabilities -- dsicinav: Bound-check the source buffer when needed -- dsicinav: Clip the source size to the expected maximum -- dv: Add a guard to not overread the ppcm array -- dxa: Make sure the reference frame exists -- h261: check the mtype index -- iff: Do not read over the source buffer -- imc: Catch a division by zero -- indeo4: Check the quantization matrix index -- indeo4: Do not access missing reference MV -- indeo4: Validate scantable dimension -- indeo5: return proper error codes -- indeo: Bound-check before applying motion compensation -- indeo: Bound-check before applying transform -- indeo: Do not reference mismatched tiles -- indeo: Reject impossible FRAMETYPE_NULL -- indeo: Sanitize ff_ivi_init_planes fail paths -- lavf: avoid integer overflow when estimating bitrate -- lavf: Make sure avg_frame_rate can be calculated without integer overflow -- matroskadec: Check that .lang was allocated and set before reading it -- mjpegb: Detect changing number of planes in interlaced video -- mlpdec: Do not set invalid context in read_restart_header -- mov: Do not allow updating the time scale after it has been set -- mov: Seek back if overreading an individual atom -- mpegvideo: Avoid 32-bit wrapping of linesize multiplications -- nuv: check ff_rtjpeg_decode_frame_yuv420 return value -- nuv: Do not ignore lzo decompression failures -- nuv: Pad the lzo outbuf -- nuv: Reset the frame on resize -- nuv: return meaningful error codes. 
-- nuv: Use av_fast_realloc -- ogg: Always alloc the private context in vorbis_header -- ogg: Fix potential infinite discard loop -- oma: check geob tag boundary -- oma: correctly mark and decrypt partial packets -- oma: refactor seek function -- pcm: always use codec->id instead of codec_id -- pcx: Do not overread source buffer in pcx_rle_decode -- pictordec: break out of both decoding loops when y drops below 0 -- pictordec: pass correct context to avpriv_request_sample -- qdm2: check and reset dithering index per channel -- qdm2: Conceal broken samples -- qdm2: refactor joined stereo support -- qdm2: use init_static_data -- rmdec: Use the AVIOContext given as parameter in rm_read_metadata() -- rtjpeg: Use init_get_bits8 -- rtmp: Do not misuse memcmp -- rtmp: rename data_size to size -- segafilm: Error out on impossible packet size -- vc1: check mb_height validity. -- vc1: check the source buffer in vc1_mc functions -- vcr1: add sanity checks -- vqavideo: check the version -- westwood_vqa: do not free extradata on error in read_header -- wmavoice: conceal clearly corrupted blocks -- wtv: Mark attachment with a negative stream id -- xl: Make sure the width is valid -- kmvc: Clip pixel position to valid range -- kmvc: Use fixed sized arrays in the context -- indeo: Reject negative array indexes -- indeo: Check for reference when inheriting motion vectors -- indeo: Properly forward the error codes -- mjpeg: Check the unescaped size for overflows -- wmapro: Error out on impossible scale factor offsets -- wmapro: Check the min_samples_per_subframe -- wmapro: Return early on unsupported condition -- wmapro: Check num_vec_coeffs against the actual available buffer -- wmapro: Make sure there is room to store the current packet -- lavc: Move put_bits_left in put_bits.h -- 4xm: Do not overread the source buffer in decode_p_block -- 4xm: Check bitstream_size boundary before using it - -Most of the following fixes resulted from test samples that the Google -Security Team has 
kindly made available to us: - -- 4xm: fix several programming errors to avoid crashes, etc. -- apetag: use int64_t for filesize -- jpegls: Fix invalid writes to memory -- ljpeg: use the correct number of components in YUV -- mjpeg: Validate sampling factors -- mjpegdec: properly report unsupported disabled features -- mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac -- mpegvideo: allocate sufficiently large scratch buffer for interlaced vid -- pixdesc: mark gray8 as pseudopal -- smacker: fix several programming errors to avoid crashes, etc. -- tiff: do not overread the source buffer -- vmd: drop incomplete chunks and spurious samples -- vmdav: convert to bytestream2 to avoid invalid reads and writes -- wavpack: check packet size early -- wavpack: use bytestream2 in wavpack_decode_block -- wavpack: validate samples size parsed in wavpack_decode_block - -- aac: check the maximum number of channels to avoid invalid writes -- indeo3: fix off by one in MV validity check -- id3v2: check for end of file while unescaping tags to avoid invalid - writes, reported by Google Security Team -- afifo: fix request_samples on the last frame in certain cases -- hls, segment: fix splitting for audio-only streams -- wav: Always seek to an even offset, Bug #500, LP: #1174737 -- swscale: Use alpha from the right row in yuva2rgba_c, Bug #504 -- indeo3: use unaligned reads on reference blocks, Bug #503 -- oma: properly forward errors in oma_read_packet -- af_asyncts: fix offset calculation -- proresdec: support mixed interlaced/non-interlaced content - -Most of the following fixes resulted from test samples that the Google -Security Team has kindly made available to us: - -- af_channelmap: sanity check input channel indices in all cases -- avfiltergraph: check for sws opts being non-NULL before using them -- bmv: check for len being valid in bmv_decode_frame() -- configure: Enable hwaccels without external dependencies by default -- dfa: check for invalid access in 
decode_wdlt() -- id3v2: pad the APIC packets as required by lavc -- indeo3: check motion vectors -- indeo3: fix data size check -- indeo3: switch parsing the header to bytestream2 -- lavf: make sure stream probe data gets freed -- matroska: Update the available size after lace parsing -- matroska: fix a corner case in ebml-lace parsing -- matroska: pass the lace size to the matroska_parse_rm_audio -- mp3dec: fallback to generic seeking when a TOC is not present -- oggdec: fix faulty cleanup prototype -- oma: Validate sample rates -- qdm2: check that the FFT size is a power of 2 -- riff: check for eof if chunk size and code are 0 to prevent an infinite loop -- rv10: check that extradata is large enough -- svq1dec: check that the reference frame has the same dimensions as the current one -- svq1dec: clip motion vectors to the frame size -- xmv: check audio track parameters validity -- xmv: do not leak memory in the error paths in xmv_read_header() -- atrac3: avoid oversized shifting in decode_bytes() -- eamad: allocate a dummy reference frame when the real one is missing -- ffv1: fix calculating slice dimensions for version 2 -- flacdec: simplify bounds checking in flac_probe() -- h264: check for luma and chroma bit dept being equal (CVE-2013-2277) -- hqdn3d: Fix out of array read in LOWPASS -- iff: validate CMAP palette size (CVE-2013-2495) -- ivi_common: do not call MC for intra frames when dc_transform is unset -- libmp3lame: use the correct remaining buffer size when flushing -- lzo: fix overflow checking in copy_backptr() -- mp3dec: Fix VBR bit rate parsing -- png: use av_mallocz_array() for the zlib zalloc function -- roqvideodec: fix a potential infinite loop in roqvideo_decode_frame() -- shorten: fix various programming mistakes -- vf_gradfun: fix uninitialized variable use -- vf_hqdn3d: fix uninitialized variable use -- vmdaudio: fix invalid reads when packet size is not a multiple of chunk size -- wmadec: require block_align to be set -- wmaprodec: require 
block_align to be set -- wmaprodec: return an error, not 0, when the input is too small -- xxan: fix invalid memory access in xan_decode_frame_type0() -- h264: fix deadlocks with broken/fuzzed files -- flvdec: make decoder more robust -- vorbisdec: fix buffer overflow (CVE-2013-0894) -- ac3dec: validate channel output mode against channel count -- doc: minor improvements -- loco: check that there is data left after decoding a plane. -- mov: use the format context for logging. -- lagarith: avoid infinite loop in lag_rac_refill() with corrupted files -- flicvideo: avoid an infinite loop in byte run compression -- av_memcpy_backptr: avoid an infinite loop for back = 0 -- mlpdec: do not try to allocate a zero-sized output buffer. -- qtrle: add more checks against pixel_ptr being negative. -- 4xm: check the return value of read_huffman_tables(). -- cavs: initialize various context tables, avoids crashes with corrupted files -- x86/H.264: Don't use redzone in AVX h264_deblock on Win64 -- VQA video: check chunk sizes before reading chunks -- RoQ video decoder: check dimensions validity -- QDM2: check array index before use, fix out of array accesses -- mpegvideo: Do REBASE_PICTURE with byte pointers -- SVQ3: unbreak decoding -- libopencore-amrwb: Make AMR-WB ifdeffery more precise -- libopencore-amr: Conditionally compile decoder and encoder bits -- arm: Fall back to runtime cpu feature detection via /proc/cpuinfo -- xxan: properly handle odd heights -- msrledec: check bounds before constructing a possibly invalid pointer (CVE-2496) -- qtrle: fix the topmost line for 1bit -- aasc: fix output for msrle compression -- yop: check for input overreads -- yop: check that extradata is large enough -- fraps: fix off-by one bug for version 1 -- vf_delogo: fix copying the input frame -- vf_delogo: fix an uninitialized read -- dnxhdenc: fix invalid reads in dnxhd_mb_var_thread() -- ATRAC3: use correct loop variable in add_tonal_components() -- MLP: store the channel layout for each 
substream -- MLP decoder: TrueHD: use Libav channel order -- x86: ac3: Fix HAVE_MMXEXT condition to only refer to external assembly -- arm: vp8: Fix the plain-armv6 version of vp8_luma_dc_wht -- lavr: call mix_function_init() in ff_audio_mix_set_matrix() -- rtpenc_chain: Use the original AVFormatContext for getting payload type -- rtp: Make sure the output format pointer is set -- rtp: Make sure priv_data is set before reading it -- videodsp_armv5te: remove #if HAVE_ARMV5TE_EXTERNAL -- get_bits: change the failure condition in init_get_bits -- mpegvideo: fix loop condition in draw_line() -- fate: update ref after rv30_loop_filter fix -- RV30: fix masking in rv30_loop_filter() -- libcdio: support recent cdio-paranoia -- Theora: Skip zero-sized headers -- H.264: add 3 pixels below for subpixel filter wait position -- H.264: fix ff_generate_sliding_window_mmcos() prototype -- H.264: don't clobber mmco opcode tables for non-first slice headers -- libx264: use the library specific default rc_initial_buffer_occupancy -- lavc: set the default rc_initial_buffer_occupancy -- lavc: introduce the convenience function init_get_bits8 -- lavc: check for overflow in init_get_bits -- configure: enable pic for shared libs on AArch64 -- zmbv: Reset the decoder on keyframe errors -- VC1 decoder: prevent a crash due missing pred_flag parameter -- matroska: Fix use after free -- VP3: Fix double free in vp3_decode_end() -- Fix a crash on windows platforms related to automatic stack alignment - in libavresample -- Fix memleaks in the Ogg demuxer. 
Related to CVE-2012-2882 - - -version 1.1: - -- stream disposition information printing in ffprobe -- filter for loudness analysis following EBU R128 -- Opus encoder using libopus -- ffprobe -select_streams option -- Pinnacle TARGA CineWave YUV16 decoder -- TAK demuxer, decoder and parser -- DTS-HD demuxer -- remove -same_quant, it hasn't worked for years -- FFM2 support -- X-Face image encoder and decoder -- 24-bit FLAC encoding -- multi-channel ALAC encoding up to 7.1 -- metadata (INFO tag) support in WAV muxer -- subtitles raw text decoder -- support for building DLLs using MSVC -- LVF demuxer -- ffescape tool -- metadata (info chunk) support in CAF muxer -- field filter ported from libmpcodecs -- AVR demuxer -- geq filter ported from libmpcodecs -- remove ffserver daemon mode -- AST muxer/demuxer -- new expansion syntax for drawtext -- BRender PIX image decoder -- ffprobe -show_entries option -- ffprobe -sections option -- ADPCM IMA Dialogic decoder -- BRSTM demuxer -- animated GIF decoder and demuxer -- PVF demuxer -- subtitles filter -- IRCAM muxer/demuxer -- Paris Audio File demuxer -- Virtual concatenation demuxer -- VobSub demuxer -- JSON captions for TED talks decoding support -- SOX Resampler support in libswresample -- aselect filter -- SGI RLE 8-bit decoder -- Silicon Graphics Motion Video Compressor 1 & 2 decoder -- Silicon Graphics Movie demuxer -- apad filter -- Resolution & pixel format change support with multithreading for H.264 -- documentation split into per-component manuals -- pp (postproc) filter ported from MPlayer -- NIST Sphere demuxer -- MPL2, VPlayer, MPlayer, AQTitle, PJS and SubViewer v1 subtitles demuxers and decoders -- Sony Wave64 muxer -- adobe and limelight publisher authentication in RTMP -- data: URI scheme -- support building on the Plan 9 operating system -- kerndeint filter ported from MPlayer -- histeq filter ported from VirtualDub -- Megalux Frame demuxer -- 012v decoder -- Improved AVC Intra decoding support - - -version 
1.0: - -- INI and flat output in ffprobe -- Scene detection in libavfilter -- Indeo Audio decoder -- channelsplit audio filter -- setnsamples audio filter -- atempo filter -- ffprobe -show_data option -- RTMPT protocol support -- iLBC encoding/decoding via libilbc -- Microsoft Screen 1 decoder -- join audio filter -- audio channel mapping filter -- Microsoft ATC Screen decoder -- RTSP listen mode -- TechSmith Screen Codec 2 decoder -- AAC encoding via libfdk-aac -- Microsoft Expression Encoder Screen decoder -- RTMPS protocol support -- RTMPTS protocol support -- RTMPE protocol support -- RTMPTE protocol support -- showwaves and showspectrum filter -- LucasArts SMUSH playback support -- SAMI, RealText and SubViewer demuxers and decoders -- Heart Of Darkness PAF playback support -- iec61883 device -- asettb filter -- new option: -progress -- 3GPP Timed Text encoder/decoder -- GeoTIFF decoder support -- ffmpeg -(no)stdin option -- Opus decoder using libopus -- caca output device using libcaca -- alphaextract and alphamerge filters -- concat filter -- flite filter -- Canopus Lossless Codec decoder -- bitmap subtitles in filters (experimental and temporary) -- MP2 encoding via TwoLAME -- bmp parser -- smptebars source -- asetpts filter -- hue filter -- ICO muxer -- SubRip encoder and decoder without embedded timing -- edge detection filter -- framestep filter -- ffmpeg -shortest option is now per-output file - -pass and -passlogfile are now per-output stream -- volume measurement filter -- Ut Video encoder -- Microsoft Screen 2 decoder -- smartblur filter ported from MPlayer -- CPiA decoder -- decimate filter ported from MPlayer -- RTP depacketization of JPEG -- Smooth Streaming live segmenter muxer -- F4V muxer -- sendcmd and asendcmd filters -- WebVTT demuxer and decoder (simple tags supported) -- RTP packetization of JPEG -- faststart option in the MOV/MP4 muxer -- support for building with MSVC - - -version 0.11: - -- Fixes: CVE-2012-2772, CVE-2012-2774, 
CVE-2012-2775, CVE-2012-2776, CVE-2012-2777, - CVE-2012-2779, CVE-2012-2782, CVE-2012-2783, CVE-2012-2784, CVE-2012-2785, - CVE-2012-2786, CVE-2012-2787, CVE-2012-2788, CVE-2012-2789, CVE-2012-2790, - CVE-2012-2791, CVE-2012-2792, CVE-2012-2793, CVE-2012-2794, CVE-2012-2795, - CVE-2012-2796, CVE-2012-2797, CVE-2012-2798, CVE-2012-2799, CVE-2012-2800, - CVE-2012-2801, CVE-2012-2802, CVE-2012-2803, CVE-2012-2804, -- v408 Quicktime and Microsoft AYUV Uncompressed 4:4:4:4 encoder and decoder -- setfield filter -- CDXL demuxer and decoder -- Apple ProRes encoder -- ffprobe -count_packets and -count_frames options -- Sun Rasterfile Encoder -- ID3v2 attached pictures reading and writing -- WMA Lossless decoder -- bluray protocol -- blackdetect filter -- libutvideo encoder wrapper (--enable-libutvideo) -- swapuv filter -- bbox filter -- XBM encoder and decoder -- RealAudio Lossless decoder -- ZeroCodec decoder -- tile video filter -- Metal Gear Solid: The Twin Snakes demuxer -- OpenEXR image decoder -- removelogo filter -- drop support for ffmpeg without libavfilter -- drawtext video filter: fontconfig support -- ffmpeg -benchmark_all option -- super2xsai filter ported from libmpcodecs -- add libavresample audio conversion library for compatibility -- MicroDVD decoder -- Avid Meridien (AVUI) encoder and decoder -- accept + prefix to -pix_fmt option to disable automatic conversions. 
-- complete audio filtering in libavfilter and ffmpeg -- add fps filter -- vorbis parser -- png parser -- audio mix filter -- ffv1: support (draft) version 1.3 - - -version 0.10: - -- Fixes: CVE-2011-3929, CVE-2011-3934, CVE-2011-3935, CVE-2011-3936, - CVE-2011-3937, CVE-2011-3940, CVE-2011-3941, CVE-2011-3944, - CVE-2011-3945, CVE-2011-3946, CVE-2011-3947, CVE-2011-3949, - CVE-2011-3950, CVE-2011-3951, CVE-2011-3952 -- v410 Quicktime Uncompressed 4:4:4 10-bit encoder and decoder -- SBaGen (SBG) binaural beats script demuxer -- OpenMG Audio muxer -- Timecode extraction in DV and MOV -- thumbnail video filter -- XML output in ffprobe -- asplit audio filter -- tinterlace video filter -- astreamsync audio filter -- amerge audio filter -- ISMV (Smooth Streaming) muxer -- GSM audio parser -- SMJPEG muxer -- XWD encoder and decoder -- Automatic thread count based on detection number of (available) CPU cores -- y41p Brooktree Uncompressed 4:1:1 12-bit encoder and decoder -- ffprobe -show_error option -- Avid 1:1 10-bit RGB Packer codec -- v308 Quicktime Uncompressed 4:4:4 encoder and decoder -- yuv4 libquicktime packed 4:2:0 encoder and decoder -- ffprobe -show_frames option -- silencedetect audio filter -- ffprobe -show_program_version, -show_library_versions, -show_versions options -- rv34: frame-level multi-threading -- optimized iMDCT transform on x86 using SSE for for mpegaudiodec -- Improved PGS subtitle decoder -- dumpgraph option to lavfi device -- r210 and r10k encoders -- ffwavesynth decoder -- aviocat tool -- ffeval tool - - -version 0.9: - -- openal input device added -- boxblur filter added -- BWF muxer -- Flash Screen Video 2 decoder -- lavfi input device added -- added avconv, which is almost the same for now, except -for a few incompatible changes in the options, which will hopefully make them -easier to use. The changes are: - * The options placement is now strictly enforced! 
While in theory the - options for ffmpeg should be given in [input options] -i INPUT [output - options] OUTPUT order, in practice it was possible to give output options - before the -i and it mostly worked. Except when it didn't - the behavior was - a bit inconsistent. In avconv, it is not possible to mix input and output - options. All non-global options are reset after an input or output filename. - * All per-file options are now truly per-file - they apply only to the next - input or output file and specifying different values for different files - will now work properly (notably -ss and -t options). - * All per-stream options are now truly per-stream - it is possible to - specify which stream(s) should a given option apply to. See the Stream - specifiers section in the avconv manual for details. - * In ffmpeg some options (like -newvideo/-newaudio/...) are irregular in the - sense that they're specified after the output filename instead of before, - like all other options. In avconv this irregularity is removed, all options - apply to the next input or output file. - * -newvideo/-newaudio/-newsubtitle options were removed. Not only were they - irregular and highly confusing, they were also redundant. In avconv the -map - option will create new streams in the output file and map input streams to - them. E.g. avconv -i INPUT -map 0 OUTPUT will create an output stream for - each stream in the first input file. - * The -map option now has slightly different and more powerful syntax: - + Colons (':') are used to separate file index/stream type/stream index - instead of dots. Comma (',') is used to separate the sync stream instead - of colon.. This is done for consistency with other options. - + It's possible to specify stream type. E.g. -map 0:a:2 creates an - output stream from the third input audio stream. - + Omitting the stream index now maps all the streams of the given type, - not just the first. E.g. 
-map 0:s creates output streams for all the - subtitle streams in the first input file. - + Since -map can now match multiple streams, negative mappings were - introduced. Negative mappings disable some streams from an already - defined map. E.g. '-map 0 -map -0:a:1' means 'create output streams for - all the stream in the first input file, except for the second audio - stream'. - * There is a new option -c (or -codec) for choosing the decoder/encoder to - use, which allows to precisely specify target stream(s) consistently with - other options. E.g. -c:v lib264 sets the codec for all video streams, -c:a:0 - libvorbis sets the codec for the first audio stream and -c copy copies all - the streams without reencoding. Old -vcodec/-acodec/-scodec options are now - aliases to -c:v/a/s - * It is now possible to precisely specify which stream should an AVOption - apply to. E.g. -b:v:0 2M sets the bitrate for the first video stream, while - -b:a 128k sets the bitrate for all audio streams. Note that the old -ab 128k - syntax is deprecated and will stop working soon. - * -map_chapters now takes only an input file index and applies to the next - output file. This is consistent with how all the other options work. - * -map_metadata now takes only an input metadata specifier and applies to - the next output file. Output metadata specifier is now part of the option - name, similarly to the AVOptions/map/codec feature above. - * -metadata can now be used to set metadata on streams and chapters, e.g. - -metadata:s:1 language=eng sets the language of the first stream to 'eng'. - This made -vlang/-alang/-slang options redundant, so they were removed. - * -qscale option now uses stream specifiers and applies to all streams, not - just video. I.e. plain -qscale number would now apply to all streams. To get - the old behavior, use -qscale:v. Also there is now a shortcut -q for -qscale - and -aq is now an alias for -q:a. 
- * -vbsf/-absf/-sbsf options were removed and replaced by a -bsf option which - uses stream specifiers. Use -bsf:v/a/s instead of the old options. - * -itsscale option now uses stream specifiers, so its argument is only the - scale parameter. - * -intra option was removed, use -g 0 for the same effect. - * -psnr option was removed, use -flags +psnr for the same effect. - * -vf option is now an alias to the new -filter option, which uses stream specifiers. - * -vframes/-aframes/-dframes options are now aliases to the new -frames option. - * -vtag/-atag/-stag options are now aliases to the new -tag option. -- XMV demuxer -- LOAS demuxer -- ashowinfo filter added -- Windows Media Image decoder -- amovie source added -- LATM muxer/demuxer -- Speex encoder via libspeex -- JSON output in ffprobe -- WTV muxer -- Optional C++ Support (needed for libstagefright) -- H.264 Decoding on Android via Stagefright -- Prores decoder -- BIN/XBIN/ADF/IDF text file decoder -- aconvert audio filter added -- audio support to lavfi input device added -- libcdio-paranoia input device for audio CD grabbing -- Apple ProRes decoder -- CELT in Ogg demuxing -- G.723.1 demuxer and decoder -- libmodplug support (--enable-libmodplug) -- VC-1 interlaced decoding -- libutvideo wrapper (--enable-libutvideo) -- aevalsrc audio source added -- Ut Video decoder -- Speex encoding via libspeex -- 4:2:2 H.264 decoding support -- 4:2:2 and 4:4:4 H.264 encoding with libx264 -- Pulseaudio input device -- Prores encoder -- Video Decoder Acceleration (VDA) HWAccel module. -- replacement Indeo 3 decoder -- new ffmpeg option: -map_channel -- volume audio filter added -- earwax audio filter added -- libv4l2 support (--enable-libv4l2) -- TLS/SSL and HTTPS protocol support -- AVOptions API rewritten and documented -- most of CODEC_FLAG2_*, some CODEC_FLAG_* and many codec-specific fields in - AVCodecContext deprecated. Codec private options should be used instead. 
-- Properly working defaults in libx264 wrapper, support for native presets. -- Encrypted OMA files support -- Discworld II BMV decoding support -- VBLE Decoder -- OS X Video Decoder Acceleration (VDA) support -- compact and csv output in ffprobe -- pan audio filter -- IFF Amiga Continuous Bitmap (ACBM) decoder -- ass filter -- CRI ADX audio format muxer and demuxer -- Playstation Portable PMP format demuxer -- Microsoft Windows ICO demuxer -- life source -- PCM format support in OMA demuxer -- CLJR encoder -- new option: -report -- Dxtory capture format decoder -- cellauto source -- Simple segmenting muxer -- Indeo 4 decoder -- SMJPEG demuxer - - -version 0.8: - -- many many things we forgot because we rather write code than changelogs -- WebM support in Matroska de/muxer -- low overhead Ogg muxing -- MMS-TCP support -- VP8 de/encoding via libvpx -- Demuxer for On2's IVF format -- Pictor/PC Paint decoder -- HE-AAC v2 decoder -- HE-AAC v2 encoding with libaacplus -- libfaad2 wrapper removed -- DTS-ES extension (XCh) decoding support -- native VP8 decoder -- RTSP tunneling over HTTP -- RTP depacketization of SVQ3 -- -strict inofficial replaced by -strict unofficial -- ffplay -exitonkeydown and -exitonmousedown options added -- native GSM / GSM MS decoder -- RTP depacketization of QDM2 -- ANSI/ASCII art playback system -- Lego Mindstorms RSO de/muxer -- libavcore added (and subsequently removed) -- SubRip subtitle file muxer and demuxer -- Chinese AVS encoding via libxavs -- ffprobe -show_packets option added -- RTP packetization of Theora and Vorbis -- RTP depacketization of MP4A-LATM -- RTP packetization and depacketization of VP8 -- hflip filter -- Apple HTTP Live Streaming demuxer -- a64 codec -- MMS-HTTP support -- G.722 ADPCM audio encoder/decoder -- R10k video decoder -- ocv_smooth filter -- frei0r wrapper filter -- change crop filter syntax to width:height:x:y -- make the crop filter accept parametric expressions -- make ffprobe accept AVFormatContext options 
-- yadif filter -- blackframe filter -- Demuxer for Leitch/Harris' VR native stream format (LXF) -- RTP depacketization of the X-QT QuickTime format -- SAP (Session Announcement Protocol, RFC 2974) muxer and demuxer -- cropdetect filter -- ffmpeg -crop* options removed -- transpose filter added -- ffmpeg -force_key_frames option added -- demuxer for receiving raw rtp:// URLs without an SDP description -- single stream LATM/LOAS decoder -- setpts filter added -- Win64 support for optimized x86 assembly functions -- MJPEG/AVI1 to JPEG/JFIF bitstream filter -- ASS subtitle encoder and decoder -- IEC 61937 encapsulation for E-AC-3, TrueHD, DTS-HD (for HDMI passthrough) -- overlay filter added -- rename aspect filter to setdar, and pixelaspect to setsar -- IEC 61937 demuxer -- Mobotix .mxg demuxer -- frei0r source added -- hqdn3d filter added -- RTP depacketization of QCELP -- FLAC parser added -- gradfun filter added -- AMR-WB decoder -- replace the ocv_smooth filter with a more generic ocv filter -- Windows Televison (WTV) demuxer -- FFmpeg metadata format muxer and demuxer -- SubRip (srt) subtitle encoder and decoder -- floating-point AC-3 encoder added -- Lagarith decoder -- ffmpeg -copytb option added -- IVF muxer added -- Wing Commander IV movies decoder added -- movie source added -- Bink version 'b' audio and video decoder -- Bitmap Brothers JV playback system -- Apple HTTP Live Streaming protocol handler -- sndio support for playback and record -- Linux framebuffer input device added -- Chronomaster DFA decoder -- DPX image encoder -- MicroDVD subtitle file muxer and demuxer -- Playstation Portable PMP format demuxer -- fieldorder video filter added -- AAC encoding via libvo-aacenc -- AMR-WB encoding via libvo-amrwbenc -- xWMA demuxer -- Mobotix MxPEG decoder -- VP8 frame-multithreading -- NEON optimizations for VP8 -- Lots of deprecated API cruft removed -- fft and imdct optimizations for AVX (Sandy Bridge) processors -- showinfo filter added -- SMPTE 302M 
AES3 audio decoder -- Apple Core Audio Format muxer -- 9bit and 10bit per sample support in the H.264 decoder -- 9bit and 10bit FFV1 encoding / decoding -- split filter added -- select filter added -- sdl output device added -- libmpcodecs video filter support (3 times as many filters than before) -- mpeg2 aspect ratio dection fixed -- libxvid aspect pickiness fixed -- Frame multithreaded decoding -- E-AC-3 audio encoder -- ac3enc: add channel coupling support -- floating-point sample format support to the ac3, eac3, dca, aac, and vorbis decoders. -- H264/MPEG frame-level multi-threading -- All av_metadata_* functions renamed to av_dict_* and moved to libavutil -- 4:4:4 H.264 decoding support -- 10-bit H.264 optimizations for x86 -- lut, lutrgb, and lutyuv filters added -- buffersink libavfilter sink added -- Bump libswscale for recently reported ABI break -- New J2K encoder (via OpenJPEG) - - -version 0.7: - -- all the changes for 0.8, but keeping API/ABI compatibility with the 0.6 release - - -version 0.6: - -- PB-frame decoding for H.263 -- deprecated vhook subsystem removed -- deprecated old scaler removed -- VQF demuxer -- Alpha channel scaler -- PCX encoder -- RTP packetization of H.263 -- RTP packetization of AMR -- RTP depacketization of Vorbis -- CorePNG decoding support -- Cook multichannel decoding support -- introduced avlanguage helpers in libavformat -- 8088flex TMV demuxer and decoder -- per-stream language-tags extraction in asfdec -- V210 decoder and encoder -- remaining GPL parts in AC-3 decoder converted to LGPL -- QCP demuxer -- SoX native format muxer and demuxer -- AMR-NB decoding/encoding, AMR-WB decoding via OpenCORE libraries -- DPX image decoder -- Electronic Arts Madcow decoder -- DivX (XSUB) subtitle encoder -- nonfree libamr support for AMR-NB/WB decoding/encoding removed -- experimental AAC encoder -- RTP depacketization of ASF and RTSP from WMS servers -- RTMP support in libavformat -- noX handling for OPT_BOOL X options -- Wave64 
demuxer -- IEC-61937 compatible Muxer -- TwinVQ decoder -- Bluray (PGS) subtitle decoder -- LPCM support in MPEG-TS (HDMV RID as found on Blu-ray disks) -- WMA Pro decoder -- Core Audio Format demuxer -- Atrac1 decoder -- MD STUDIO audio demuxer -- RF64 support in WAV demuxer -- MPEG-4 Audio Lossless Coding (ALS) decoder -- -formats option split into -formats, -codecs, -bsfs, and -protocols -- IV8 demuxer -- CDG demuxer and decoder -- R210 decoder -- Auravision Aura 1 and 2 decoders -- Deluxe Paint Animation playback system -- SIPR decoder -- Adobe Filmstrip muxer and demuxer -- RTP depacketization of H.263 -- Bink demuxer and audio/video decoders -- enable symbol versioning by default for linkers that support it -- IFF PBM/ILBM bitmap decoder -- concat protocol -- Indeo 5 decoder -- RTP depacketization of AMR -- WMA Voice decoder -- ffprobe tool -- AMR-NB decoder -- RTSP muxer -- HE-AAC v1 decoder -- Kega Game Video (KGV1) decoder -- VorbisComment writing for FLAC, Ogg FLAC and Ogg Speex files -- RTP depacketization of Theora -- HTTP Digest authentication -- RTMP/RTMPT/RTMPS/RTMPE/RTMPTE protocol support via librtmp -- Psygnosis YOP demuxer and video decoder -- spectral extension support in the E-AC-3 decoder -- unsharp video filter -- RTP hinting in the mov/3gp/mp4 muxer -- Dirac in Ogg demuxing -- seek to keyframes in Ogg -- 4:2:2 and 4:4:4 Theora decoding -- 35% faster VP3/Theora decoding -- faster AAC decoding -- faster H.264 decoding -- RealAudio 1.0 (14.4K) encoder - - -version 0.5: - -- DV50 AKA DVCPRO50 encoder, decoder, muxer and demuxer -- TechSmith Camtasia (TSCC) video decoder -- IBM Ultimotion (ULTI) video decoder -- Sierra Online audio file demuxer and decoder -- Apple QuickDraw (qdrw) video decoder -- Creative ADPCM audio decoder (16 bits as well as 8 bits schemes) -- Electronic Arts Multimedia (WVE/UV2/etc.) 
file demuxer -- Miro VideoXL (VIXL) video decoder -- H.261 video encoder -- QPEG video decoder -- Nullsoft Video (NSV) file demuxer -- Shorten audio decoder -- LOCO video decoder -- Apple Lossless Audio Codec (ALAC) decoder -- Winnov WNV1 video decoder -- Autodesk Animator Studio Codec (AASC) decoder -- Indeo 2 video decoder -- Fraps FPS1 video decoder -- Snow video encoder/decoder -- Sonic audio encoder/decoder -- Vorbis audio decoder -- Macromedia ADPCM decoder -- Duck TrueMotion 2 video decoder -- support for decoding FLX and DTA extensions in FLIC files -- H.264 custom quantization matrices support -- ffserver fixed, it should now be usable again -- QDM2 audio decoder -- Real Cooker audio decoder -- TrueSpeech audio decoder -- WMA2 audio decoder fixed, now all files should play correctly -- RealAudio 14.4 and 28.8 decoders fixed -- JPEG-LS decoder -- build system improvements -- tabs and trailing whitespace removed from the codebase -- CamStudio video decoder -- AIFF/AIFF-C audio format, encoding and decoding -- ADTS AAC file reading and writing -- Creative VOC file reading and writing -- American Laser Games multimedia (*.mm) playback system -- Zip Motion Blocks Video decoder -- improved Theora/VP3 decoder -- True Audio (TTA) decoder -- AVS demuxer and video decoder -- JPEG-LS encoder -- Smacker demuxer and decoder -- NuppelVideo/MythTV demuxer and RTjpeg decoder -- KMVC decoder -- MPEG-2 intra VLC support -- MPEG-2 4:2:2 encoder -- Flash Screen Video decoder -- GXF demuxer -- Chinese AVS decoder -- GXF muxer -- MXF demuxer -- VC-1/WMV3/WMV9 video decoder -- MacIntel support -- AVISynth support -- VMware video decoder -- VP5 video decoder -- VP6 video decoder -- WavPack lossless audio decoder -- Targa (.TGA) picture decoder -- Vorbis audio encoder -- Delphine Software .cin demuxer/audio and video decoder -- Tiertex .seq demuxer/video decoder -- MTV demuxer -- TIFF picture encoder and decoder -- GIF picture decoder -- Intel Music Coder decoder -- Zip Motion 
Blocks Video encoder -- Musepack decoder -- Flash Screen Video encoder -- Theora encoding via libtheora -- BMP encoder -- WMA encoder -- GSM-MS encoder and decoder -- DCA decoder -- DXA demuxer and decoder -- DNxHD decoder -- Gamecube movie (.THP) playback system -- Blackfin optimizations -- Interplay C93 demuxer and video decoder -- Bethsoft VID demuxer and video decoder -- CRYO APC demuxer -- Atrac3 decoder -- V.Flash PTX decoder -- RoQ muxer, RoQ audio encoder -- Renderware TXD demuxer and decoder -- extern C declarations for C++ removed from headers -- sws_flags command line option -- codebook generator -- RoQ video encoder -- QTRLE encoder -- OS/2 support removed and restored again -- AC-3 decoder -- NUT muxer -- additional SPARC (VIS) optimizations -- Matroska muxer -- slice-based parallel H.264 decoding -- Monkey's Audio demuxer and decoder -- AMV audio and video decoder -- DNxHD encoder -- H.264 PAFF decoding -- Nellymoser ASAO decoder -- Beam Software SIFF demuxer and decoder -- libvorbis Vorbis decoding removed in favor of native decoder -- IntraX8 (J-Frame) subdecoder for WMV2 and VC-1 -- Ogg (Theora, Vorbis and FLAC) muxer -- The "device" muxers and demuxers are now in a new libavdevice library -- PC Paintbrush PCX decoder -- Sun Rasterfile decoder -- TechnoTrend PVA demuxer -- Linux Media Labs MPEG-4 (LMLM4) demuxer -- AVM2 (Flash 9) SWF muxer -- QT variant of IMA ADPCM encoder -- VFW grabber -- iPod/iPhone compatible mp4 muxer -- Mimic decoder -- MSN TCP Webcam stream demuxer -- RL2 demuxer / decoder -- IFF demuxer -- 8SVX audio decoder -- non-recursive Makefiles -- BFI demuxer -- MAXIS EA XA (.xa) demuxer / decoder -- BFI video decoder -- OMA demuxer -- MLP/TrueHD decoder -- Electronic Arts CMV decoder -- Motion Pixels Video decoder -- Motion Pixels MVI demuxer -- removed animated GIF decoder/demuxer -- D-Cinema audio muxer -- Electronic Arts TGV decoder -- Apple Lossless Audio Codec (ALAC) encoder -- AAC decoder -- floating point PCM encoder/decoder 
-- MXF muxer -- DV100 AKA DVCPRO HD decoder and demuxer -- E-AC-3 support added to AC-3 decoder -- Nellymoser ASAO encoder -- ASS and SSA demuxer and muxer -- liba52 wrapper removed -- SVQ3 watermark decoding support -- Speex decoding via libspeex -- Electronic Arts TGQ decoder -- RV40 decoder -- QCELP / PureVoice decoder -- RV30 decoder -- hybrid WavPack support -- R3D REDCODE demuxer -- ALSA support for playback and record -- Electronic Arts TQI decoder -- OpenJPEG based JPEG 2000 decoder -- NC (NC4600) camera file demuxer -- Gopher client support -- MXF D-10 muxer -- generic metadata API -- flash ScreenVideo2 encoder - - -version 0.4.9-pre1: - -- DV encoder, DV muxer -- Microsoft RLE video decoder -- Microsoft Video-1 decoder -- Apple Animation (RLE) decoder -- Apple Graphics (SMC) decoder -- Apple Video (RPZA) decoder -- Cinepak decoder -- Sega FILM (CPK) file demuxer -- Westwood multimedia support (VQA & AUD files) -- Id Quake II CIN playback support -- 8BPS video decoder -- FLIC playback support -- RealVideo 2.0 (RV20) decoder -- Duck TrueMotion v1 (DUCK) video decoder -- Sierra VMD demuxer and video decoder -- MSZH and ZLIB decoder support -- SVQ1 video encoder -- AMR-WB support -- PPC optimizations -- rate distortion optimal cbp support -- rate distorted optimal ac prediction for MPEG-4 -- rate distorted optimal lambda->qp support -- AAC encoding with libfaac -- Sunplus JPEG codec (SP5X) support -- use Lagrange multipler instead of QP for ratecontrol -- Theora/VP3 decoding support -- XA and ADX ADPCM codecs -- export MPEG-2 active display area / pan scan -- Add support for configuring with IBM XLC -- floating point AAN DCT -- initial support for zygo video (not complete) -- RGB ffv1 support -- new audio/video parser API -- av_log() system -- av_read_frame() and av_seek_frame() support -- missing last frame fixes -- seek by mouse in ffplay -- noise reduction of DCT coefficients -- H.263 OBMC & 4MV support -- H.263 alternative inter vlc support -- H.263 loop 
filter -- H.263 slice structured mode -- interlaced DCT support for MPEG-2 encoding -- stuffing to stay above min_bitrate -- MB type & QP visualization -- frame stepping for ffplay -- interlaced motion estimation -- alternate scantable support -- SVCD scan offset support -- closed GOP support -- SSE2 FDCT -- quantizer noise shaping -- G.726 ADPCM audio codec -- MS ADPCM encoding -- multithreaded/SMP motion estimation -- multithreaded/SMP encoding for MPEG-1/MPEG-2/MPEG-4/H.263 -- multithreaded/SMP decoding for MPEG-2 -- FLAC decoder -- Metrowerks CodeWarrior suppport -- H.263+ custom pcf support -- nicer output for 'ffmpeg -formats' -- Matroska demuxer -- SGI image format, encoding and decoding -- H.264 loop filter support -- H.264 CABAC support -- nicer looking arrows for the motion vector visualization -- improved VCD support -- audio timestamp drift compensation -- MPEG-2 YUV 422/444 support -- polyphase kaiser windowed sinc and blackman nuttall windowed sinc audio resample -- better image scaling -- H.261 support -- correctly interleave packets during encoding -- VIS optimized motion compensation -- intra_dc_precision>0 encoding support -- support reuse of motion vectors/MB types/field select values of the source video -- more accurate deblock filter -- padding support -- many optimizations and bugfixes -- FunCom ISS audio file demuxer and according ADPCM decoding - - -version 0.4.8: - -- MPEG-2 video encoding (Michael) -- Id RoQ playback subsystem (Mike Melanson and Tim Ferguson) -- Wing Commander III Movie (.mve) file playback subsystem (Mike Melanson - and Mario Brito) -- Xan DPCM audio decoder (Mario Brito) -- Interplay MVE playback subsystem (Mike Melanson) -- Duck DK3 and DK4 ADPCM audio decoders (Mike Melanson) - - -version 0.4.7: - -- RealAudio 1.0 (14_4) and 2.0 (28_8) native decoders. 
Author unknown, code from mplayerhq - (originally from public domain player for Amiga at http://www.honeypot.net/audio) -- current version now also compiles with older GCC (Fabrice) -- 4X multimedia playback system including 4xm file demuxer (Mike - Melanson), and 4X video and audio codecs (Michael) -- Creative YUV (CYUV) decoder (Mike Melanson) -- FFV1 codec (our very simple lossless intra only codec, compresses much better - than HuffYUV) (Michael) -- ASV1 (Asus), H.264, Intel indeo3 codecs have been added (various) -- tiny PNG encoder and decoder, tiny GIF decoder, PAM decoder (PPM with - alpha support), JPEG YUV colorspace support. (Fabrice Bellard) -- ffplay has been replaced with a newer version which uses SDL (optionally) - for multiplatform support (Fabrice) -- Sorenson Version 3 codec (SVQ3) support has been added (decoding only) - donated - by anonymous -- AMR format has been added (Johannes Carlsson) -- 3GP support has been added (Johannes Carlsson) -- VP3 codec has been added (Mike Melanson) -- more MPEG-1/2 fixes -- better multiplatform support, MS Visual Studio fixes (various) -- AltiVec optimizations (Magnus Damn and others) -- SH4 processor support has been added (BERO) -- new public interfaces (avcodec_get_pix_fmt) (Roman Shaposhnick) -- VOB streaming support (Brian Foley) -- better MP3 autodetection (Andriy Rysin) -- qpel encoding (Michael) -- 4mv+b frames encoding finally fixed (Michael) -- chroma ME (Michael) -- 5 comparison functions for ME (Michael) -- B-frame encoding speedup (Michael) -- WMV2 codec (unfinished - Michael) -- user specified diamond size for EPZS (Michael) -- Playstation STR playback subsystem, still experimental (Mike and Michael) -- ASV2 codec (Michael) -- CLJR decoder (Alex) - -.. And lots more new enhancements and fixes. 
- - -version 0.4.6: - -- completely new integer only MPEG audio layer 1/2/3 decoder rewritten - from scratch -- Recoded DCT and motion vector search with gcc (no longer depends on nasm) -- fix quantization bug in AC3 encoder -- added PCM codecs and format. Corrected WAV/AVI/ASF PCM issues -- added prototype ffplay program -- added GOB header parsing on H.263/H.263+ decoder (Juanjo) -- bug fix on MCBPC tables of H.263 (Juanjo) -- bug fix on DC coefficients of H.263 (Juanjo) -- added Advanced Prediction Mode on H.263/H.263+ decoder (Juanjo) -- now we can decode H.263 streams found in QuickTime files (Juanjo) -- now we can decode H.263 streams found in VIVO v1 files(Juanjo) -- preliminary RTP "friendly" mode for H.263/H.263+ coding. (Juanjo) -- added GOB header for H.263/H.263+ coding on RTP mode (Juanjo) -- now H.263 picture size is returned on the first decoded frame (Juanjo) -- added first regression tests -- added MPEG-2 TS demuxer -- new demux API for libav -- more accurate and faster IDCT (Michael) -- faster and entropy-controlled motion search (Michael) -- two pass video encoding (Michael) -- new video rate control (Michael) -- added MSMPEG4V1, MSMPEGV2 and WMV1 support (Michael) -- great performance improvement of video encoders and decoders (Michael) -- new and faster bit readers and vlc parsers (Michael) -- high quality encoding mode: tries all macroblock/VLC types (Michael) -- added DV video decoder -- preliminary RTP/RTSP support in ffserver and libavformat -- H.263+ AIC decoding/encoding support (Juanjo) -- VCD MPEG-PS mode (Juanjo) -- PSNR stuff (Juanjo) -- simple stats output (Juanjo) -- 16-bit and 15-bit RGB/BGR/GBR support (Bisqwit) - - -version 0.4.5: - -- some header fixes (Zdenek Kabelac ) -- many MMX optimizations (Nick Kurshev ) -- added configure system (actually a small shell script) -- added MPEG audio layer 1/2/3 decoding using LGPL'ed mpglib by - Michael Hipp (temporary solution - waiting for integer only - decoder) -- fixed VIDIOCSYNC 
interrupt -- added Intel H.263 decoding support ('I263' AVI fourCC) -- added Real Video 1.0 decoding (needs further testing) -- simplified image formats again. Added PGM format (=grey - pgm). Renamed old PGM to PGMYUV. -- fixed msmpeg4 slice issues (tell me if you still find problems) -- fixed OpenDivX bugs with newer versions (added VOL header decoding) -- added support for MPlayer interface -- added macroblock skip optimization -- added MJPEG decoder -- added mmx/mmxext IDCT from libmpeg2 -- added pgmyuvpipe, ppm, and ppm_pipe formats (original patch by Celer - ) -- added pixel format conversion layer (e.g. for MJPEG or PPM) -- added deinterlacing option -- MPEG-1/2 fixes -- MPEG-4 vol header fixes (Jonathan Marsden ) -- ARM optimizations (Lionel Ulmer ). -- Windows porting of file converter -- added MJPEG raw format (input/output) -- added JPEG image format support (input/output) - - -version 0.4.4: - -- fixed some std header definitions (Bjorn Lindgren - ). -- added MPEG demuxer (MPEG-1 and 2 compatible). -- added ASF demuxer -- added prototype RM demuxer -- added AC3 decoding (done with libac3 by Aaron Holtzman) -- added decoding codec parameter guessing (.e.g. 
for MPEG, because the - header does not include them) -- fixed header generation in MPEG-1, AVI and ASF muxer: wmplayer can now - play them (only tested video) -- fixed H.263 white bug -- fixed phase rounding in img resample filter -- add MMX code for polyphase img resample filter -- added CPU autodetection -- added generic title/author/copyright/comment string handling (ASF and RM - use them) -- added SWF demux to extract MP3 track (not usable yet because no MP3 - decoder) -- added fractional frame rate support -- codecs are no longer searched by read_header() (should fix ffserver - segfault) - - -version 0.4.3: - -- BGR24 patch (initial patch by Jeroen Vreeken ) -- fixed raw yuv output -- added motion rounding support in MPEG-4 -- fixed motion bug rounding in MSMPEG4 -- added B-frame handling in video core -- added full MPEG-1 decoding support -- added partial (frame only) MPEG-2 support -- changed the FOURCC code for H.263 to "U263" to be able to see the - +AVI/H.263 file with the UB Video H.263+ decoder. MPlayer works with - this +codec ;) (JuanJo). -- Halfpel motion estimation after MB type selection (JuanJo) -- added pgm and .Y.U.V output format -- suppressed 'img:' protocol. Simply use: /tmp/test%d.[pgm|Y] as input or - output. -- added pgmpipe I/O format (original patch from Martin Aumueller - , but changed completely since we use a format - instead of a protocol) - - -version 0.4.2: - -- added H.263/MPEG-4/MSMPEG4 decoding support. MPEG-4 decoding support - (for OpenDivX) is almost complete: 8x8 MVs and rounding are - missing. MSMPEG4 support is complete. -- added prototype MPEG-1 decoder. Only I- and P-frames handled yet (it - can decode ffmpeg MPEGs :-)). -- added libavcodec API documentation (see apiexample.c). 
-- fixed image polyphase bug (the bottom of some images could be - greenish) -- added support for non clipped motion vectors (decoding only) - and image sizes non-multiple of 16 -- added support for AC prediction (decoding only) -- added file overwrite confirmation (can be disabled with -y) -- added custom size picture to H.263 using H.263+ (Juanjo) - - -version 0.4.1: - -- added MSMPEG4 (aka DivX) compatible encoder. Changed default codec - of AVI and ASF to DIV3. -- added -me option to set motion estimation method - (default=log). suppressed redundant -hq option. -- added options -acodec and -vcodec to force a given codec (useful for - AVI for example) -- fixed -an option -- improved dct_quantize speed -- factorized some motion estimation code - - -version 0.4.0: - -- removing grab code from ffserver and moved it to ffmpeg. Added - multistream support to ffmpeg. -- added timeshifting support for live feeds (option ?date=xxx in the - URL) -- added high quality image resize code with polyphase filter (need - mmx/see optimization). Enable multiple image size support in ffserver. -- added multi live feed support in ffserver -- suppressed master feature from ffserver (it should be done with an - external program which opens the .ffm url and writes it to another - ffserver) -- added preliminary support for video stream parsing (WAV and AVI half - done). Added proper support for audio/video file conversion in - ffmpeg. -- added preliminary support for video file sending from ffserver -- redesigning I/O subsystem: now using URL based input and output - (see avio.h) -- added WAV format support -- added "tty user interface" to ffmpeg to stop grabbing gracefully -- added MMX/SSE optimizations to SAD (Sums of Absolutes Differences) - (Juan J. Sierralta P. a.k.a. 
"Juanjo" ) -- added MMX DCT from mpeg2_movie 1.5 (Juanjo) -- added new motion estimation algorithms, log and phods (Juanjo) -- changed directories: libav for format handling, libavcodec for - codecs - - -version 0.3.4: - -- added stereo in MPEG audio encoder - - -version 0.3.3: - -- added 'high quality' mode which use motion vectors. It can be used in - real time at low resolution. -- fixed rounding problems which caused quality problems at high - bitrates and large GOP size - - -version 0.3.2: small fixes - -- ASF fixes -- put_seek bug fix - - -version 0.3.1: added avi/divx support - -- added AVI support -- added MPEG-4 codec compatible with OpenDivX. It is based on the H.263 codec -- added sound for flash format (not tested) - - -version 0.3: initial public release From f0bb0aaaa7a8aa57541d2ae61934342f0364de10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2013 17:58:18 +0200 Subject: [PATCH 0641/1037] avcodec/ffv1enc: update buffer check for 16bps Signed-off-by: Michael Niedermayer (cherry picked from commit 3728603f1854b5c79d1a64dd3b41b80640ef1e7f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 031db061fe..c5481af4f4 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -275,7 +275,7 @@ static av_always_inline int encode_line(FFV1Context *s, int w, int run_mode = 0; if (s->ac) { - if (c->bytestream_end - c->bytestream < w * 20) { + if (c->bytestream_end - c->bytestream < w * 35) { av_log(s->avctx, AV_LOG_ERROR, "encoded frame too large\n"); return AVERROR_INVALIDDATA; } From 0efb4ff86c200fad9da910ed7adaf3bc90793694 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Sep 2013 21:03:48 +0200 Subject: [PATCH 0642/1037] avcodec/parser: reset indexes on realloc failure Fixes Ticket2982 Signed-off-by: Michael Niedermayer (cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a) 
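Review bot: The output-space guard in the `s->ac` branch of `encode_line` is still a bare literal: `w * 35` replaces `w * 20`, and nothing records how many bytes per sample the coder can need at 16 bits per sample. I would add a comment above the check, for example `/* worst-case coded bytes per sample at 16bps; keep in sync with the packet size allocated for the frame */`, or use a named constant shared with the code that sizes the buffer. That allocation is outside the hunk, so whether 35 matches it cannot be confirmed from here. Without the derivation, the next bit-depth change can leave this bound too small again, as the 16bps case did. `encode_line` begins and ends outside the hunk.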
Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index f7cb5cfa67..c30b43e0e5 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -235,8 +235,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s if(next == END_NOT_FOUND){ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE); - if(!new_buffer) + if(!new_buffer) { + pc->index = 0; return AVERROR(ENOMEM); + } pc->buffer = new_buffer; memcpy(&pc->buffer[pc->index], *buf, *buf_size); pc->index += *buf_size; @@ -249,9 +251,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s /* append to buffer */ if(pc->index){ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE); - - if(!new_buffer) + if(!new_buffer) { + pc->overread_index = + pc->index = 0; return AVERROR(ENOMEM); + } pc->buffer = new_buffer; if (next > -FF_INPUT_BUFFER_PADDING_SIZE) memcpy(&pc->buffer[pc->index], *buf, From 4bc7c1ba8e9ac2173b04869c9244517add7ff19f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Oct 2013 15:39:23 +0200 Subject: [PATCH 0643/1037] update for 1.1.7 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 0664a8fd29..2bf1ca5f54 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.6 +1.1.7 diff --git a/VERSION b/VERSION index 0664a8fd29..2bf1ca5f54 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.6 +1.1.7 diff --git a/doc/Doxyfile b/doc/Doxyfile index daf30c05cc..b68f1932a8 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
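Review bot: The two allocation-failure branches in `ff_combine_frame` reset different state: the `END_NOT_FOUND` branch clears only `pc->index`, while the append branch clears both `pc->overread_index` and `pc->index`. The code that advances `pc->overread_index` is outside the hunks; if it can be non-zero when the first branch is reached, the next call would start from a stale offset into `pc->buffer`, so I would use `pc->overread_index = pc->index = 0;` in both branches. In the second hunk the chained assignment is split over two lines and is easy to misread as an unfinished statement; it reads better on one line. Both hunks show only part of the function.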
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.6 +PROJECT_NUMBER = 1.1.7 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 1a5a6ac01b0ad2cf3d2128372ea41f3c1cfc2d3f Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Thu, 10 Oct 2013 11:05:40 -0400 Subject: [PATCH 0644/1037] pthread: Fix deadlock during thread initialization Sometimes, if pthread_create() failed, then pthread_cond_wait() could accidentally be called in the worker threads after the uninit function had already called pthread_cond_broadcast(), leading to a deadlock. Don't call pthread_cond_wait() if c->done is set. Signed-off-by: Derek Buitenhuis --- libavcodec/pthread.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index 73d9da3f1c..5ebcc9b983 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -207,7 +207,8 @@ static void* attribute_align_arg worker(void *v) if (c->current_job == thread_count + c->job_count) pthread_cond_signal(&c->last_job_cond); - pthread_cond_wait(&c->current_job_cond, &c->current_job_lock); + if (!c->done) + pthread_cond_wait(&c->current_job_cond, &c->current_job_lock); our_job = self_id; if (c->done) { From 311583e7798237be5cc531d672a9e37f8c729d83 Mon Sep 17 00:00:00 2001 From: Ben Jackson Date: Fri, 18 Oct 2013 15:28:50 +0100 Subject: [PATCH 0645/1037] pthread: Avoid spurious wakeups pthread_wait_cond can wake up unexpectedly (Wikipedia: Spurious_wakeup). The FF_THREAD_SLICE thread mechanism could spontaneously execute jobs or allow the caller of avctx->execute to return before all jobs were complete. Test both cases to ensure the wakeup is real. Signed-off-by: Ben Jackson Signed-off-by: Michael Niedermayer Signed-off-by: Derek Buitenhuis 
Signed-off-by: Luca Barbato --- libavcodec/pthread.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index 5ebcc9b983..8ae494b0b5 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -76,6 +76,7 @@ typedef struct ThreadContext { pthread_cond_t last_job_cond; pthread_cond_t current_job_cond; pthread_mutex_t current_job_lock; + unsigned current_execute; int current_job; int done; } ThreadContext; @@ -196,6 +197,7 @@ static void* attribute_align_arg worker(void *v) { AVCodecContext *avctx = v; ThreadContext *c = avctx->thread_opaque; + unsigned last_execute = 0; int our_job = c->job_count; int thread_count = avctx->thread_count; int self_id; @@ -207,8 +209,9 @@ static void* attribute_align_arg worker(void *v) if (c->current_job == thread_count + c->job_count) pthread_cond_signal(&c->last_job_cond); - if (!c->done) + while (last_execute == c->current_execute && !c->done) pthread_cond_wait(&c->current_job_cond, &c->current_job_lock); + last_execute = c->current_execute; our_job = self_id; if (c->done) { @@ -228,7 +231,8 @@ static void* attribute_align_arg worker(void *v) static av_always_inline void avcodec_thread_park_workers(ThreadContext *c, int thread_count) { - pthread_cond_wait(&c->last_job_cond, &c->current_job_lock); + while (c->current_job != thread_count + c->job_count) + pthread_cond_wait(&c->last_job_cond, &c->current_job_lock); pthread_mutex_unlock(&c->current_job_lock); } @@ -277,6 +281,7 @@ static int avcodec_thread_execute(AVCodecContext *avctx, action_func* func, void c->rets = &dummy_ret; c->rets_count = 1; } + c->current_execute++; pthread_cond_broadcast(&c->current_job_cond); avcodec_thread_park_workers(c, avctx->thread_count); From de32de679bcc9dfb9b7d635fdef868dda46d9176 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2013 21:43:06 +0200 Subject: [PATCH 0646/1037] avformat/wavdec: Dont trust the fact chunk for PCM Fixes Ticket3033 
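Review bot: The new `current_execute` field in `ThreadContext` and the `last_execute` local in `worker` carry no comment saying that together they form a generation counter for the wait predicate. I would document the field with `/* bumped once per execute call; workers compare it with the value they last saw, so unsigned wrap-around is harmless */` and state that it is only accessed with `current_job_lock` held. The hunks suggest that but do not show the lock around the increment in `avcodec_thread_execute`. The predicate in `avcodec_thread_park_workers`, `c->current_job != thread_count + c->job_count`, repeats the condition `worker` tests before `pthread_cond_signal`, so a short comment at both sites that the two must stay in step would help. This note covers all hunks of the patch, and each function extends beyond its hunk.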
Signed-off-by: Michael Niedermayer (cherry picked from commit 83fc6c822b06688e572333299927d93eb3c6c426) Conflicts: libavformat/wavdec.c --- libavformat/wavdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index b71fb016e6..b067d30d2f 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -374,8 +374,15 @@ break_loop: avio_seek(pb, data_ofs, SEEK_SET); - if (!sample_count && st->codec->channels && av_get_bits_per_sample(st->codec->codec_id) && wav->data_end <= avio_size(pb)) - sample_count = (data_size<<3) / (st->codec->channels * (uint64_t)av_get_bits_per_sample(st->codec->codec_id)); + if (!sample_count || av_get_exact_bits_per_sample(st->codec->codec_id) > 0) + if ( st->codec->channels + && data_size + && av_get_bits_per_sample(st->codec->codec_id) + && wav->data_end <= avio_size(pb)) + sample_count = (data_size << 3) + / + (st->codec->channels * (uint64_t)av_get_bits_per_sample(st->codec->codec_id)); + if (sample_count) st->duration = sample_count; From 8ffdcd04c481e3357c9df2cad9dbb94fc3d9e0e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Oct 2013 00:07:28 +0200 Subject: [PATCH 0647/1037] avformat/matroskadec: only set r_frame_rate if the value is within reasonable limits Fixes Ticket2451 Signed-off-by: Michael Niedermayer (cherry picked from commit 6853e40106cac769f0641183ea0bdd530ae9a0a1) --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 18b41b1e72..5f5ab91bd5 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
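Review bot: The rewritten sample-count computation now runs for every codec with an exact sample size, yet `(data_size << 3)` is not bounded above, and `data_size` presumably comes from the chunk header of the file being read. `data_size` is declared outside the hunk; if it is a signed 64-bit value, anything above `INT64_MAX >> 3` overflows the shift, so I would add `&& data_size <= (INT64_MAX >> 3)` to the inner condition. The outer `if` has no braces around the nested `if`, which invites a dangling-else mistake on the next edit; wrap the inner statement in `{ }`. The divisor uses `av_get_bits_per_sample` while the outer test uses `av_get_exact_bits_per_sample`, and a one-line comment on why the two differ would save the reader a lookup.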
@@ -1769,7 +1769,8 @@ static int matroska_read_header(AVFormatContext *s) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, 1000000000, track->default_duration, 30000); #if FF_API_R_FRAME_RATE - st->r_frame_rate = st->avg_frame_rate; + if (st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L) + st->r_frame_rate = st->avg_frame_rate; #endif } From 6636dd551fda4fac77f2caa25d24d81abcadcd71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2013 23:52:54 +0200 Subject: [PATCH 0648/1037] avcodec/h264_refs: modify key frame detection heuristic to detect more cases Fixes Ticket2968 Signed-off-by: Michael Niedermayer (cherry picked from commit 5ac6b6028f17b64723884c9fa72cfcbd369a1ba2) Conflicts: libavcodec/h264_refs.c --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 32c84d8e6f..6061844cef 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -687,7 +687,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){ print_short_term(h); print_long_term(h); - if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=1 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){ + if(err >= 0 && h->long_ref_count==0 && h->short_ref_count<=2 && h->pps.ref_count[0]<=2 + (s->picture_structure != PICT_FRAME) && s->current_picture_ptr->f.pict_type == AV_PICTURE_TYPE_I){ s->current_picture_ptr->sync |= 1; if(!h->s.avctx->has_b_frames) h->sync = 2; From 802c4f5231865a56dfa2723db434fa199d1a1039 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2013 17:39:19 +0200 Subject: [PATCH 0649/1037] avformat/mov: force parsing of headers if stts is absent Fixes Ticket2991 Signed-off-by: Michael Niedermayer (cherry picked from commit e41ea866fc26f38d770bbc1ad67703e7f4400ae1) --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) 
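Review bot: The new guard `st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L` in `matroska_read_header` uses an unexplained constant. A comment such as `/* ignore implausible rates (>= 1000 fps) derived from default_duration; r_frame_rate then keeps its previous value */` would say what "reasonable limits" means here. The `L` suffix does not widen the multiplication on ABIs where `long` is 32 bits. That is harmless only because the preceding `av_reduce` call caps both terms at 30000, which belongs in the same comment.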
diff --git a/libavformat/mov.c b/libavformat/mov.c index db4ff274ce..905647edcc 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1684,6 +1684,8 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) { sc->keyframe_absent = 1; + if (!st->need_parsing) + st->need_parsing = AVSTREAM_PARSE_HEADERS; return 0; } if (entries >= UINT_MAX / sizeof(int)) From a4b705b4cbb57c1cc32d6e368e0176510ef3c2e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Oct 2013 23:11:41 +0200 Subject: [PATCH 0650/1037] avcodec/h264: do not trust last_pic_droppable when marking pictures as done This simplifies the code and fixes a deadlock Fixes Ticket2927 Signed-off-by: Michael Niedermayer (cherry picked from commit 29ffeef5e73b8f41ff3a3f2242d356759c66f91f) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index d992bf2da9..ee2315849f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2920,7 +2920,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) assert(s0->current_picture_ptr->f.reference != DELAYED_PIC_REF); /* Mark old field/frame as completed */ - if (!last_pic_droppable && s0->current_picture_ptr->owner2 == s0) { + if (s0->current_picture_ptr->owner2 == s0) { ff_thread_report_progress(&s0->current_picture_ptr->f, INT_MAX, last_pic_structure == PICT_BOTTOM_FIELD); } @@ -2929,7 +2929,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) if (!FIELD_PICTURE || s->picture_structure == last_pic_structure) { /* Previous field is unmatched. Don't display it, but let it * remain for reference if marked as such. */ - if (!last_pic_droppable && last_pic_structure != PICT_FRAME) { + if (last_pic_structure != PICT_FRAME) { ff_thread_report_progress(&s0->current_picture_ptr->f, INT_MAX, last_pic_structure == PICT_TOP_FIELD); } 
@@ -2939,7 +2939,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) * different frame_nums. Consider this field first in * pair. Throw away previous field except for reference * purposes. */ - if (!last_pic_droppable && last_pic_structure != PICT_FRAME) { + if (last_pic_structure != PICT_FRAME) { ff_thread_report_progress(&s0->current_picture_ptr->f, INT_MAX, last_pic_structure == PICT_TOP_FIELD); } From 8e72a8d1c278a6e9e41e218012d38eb102f27c9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2013 19:35:55 +0200 Subject: [PATCH 0651/1037] avformat/mp3dec: perform seek resync in the correct direction Fixes seeking to the last frame in CBR files Fixes Ticket2773 Signed-off-by: Michael Niedermayer (cherry picked from commit ba8716df7fb541fb690d1a898cda0e12f9011faf) --- libavformat/mp3dec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 05cbece529..08f33241bd 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -283,6 +283,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, AVStream *st = s->streams[0]; int64_t ret = av_index_search_timestamp(st, timestamp, flags); int i, j; + int dir = (flags&AVSEEK_FLAG_BACKWARD) ? -1 : 1; if (mp3->is_cbr && st->duration > 0 && mp3->header_filesize > s->data_offset) { int64_t filesize = avio_size(s->pb); @@ -312,7 +313,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, #define MIN_VALID 3 for(i=0; i<4096; i++) { - int64_t pos = ie->pos + i; + int64_t pos = ie->pos + i*dir; for(j=0; jpb, ie->pos + i, SEEK_SET); + ret = avio_seek(s->pb, ie->pos + i*dir, SEEK_SET); if (ret < 0) return ret; ff_update_cur_dts(s, st, ie->timestamp); From 5bce35d9581c64358ddb5bfa9aba94dc615c8da3 Mon Sep 17 00:00:00 2001 
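Review bot: With `dir` set to -1, `ie->pos + i*dir` in the resync loop of `mp3_seek` can step up to 4095 bytes below `ie->pos`, and nothing visible in the hunk keeps the candidate position at or above `s->data_offset`, or even above zero. Part of the loop body is garbled on this page, so a bound may exist in the lost text. If it does not, a lower-bound test on `pos`, for example `pos < s->data_offset`, should end the scan before the position is probed, so that header or tag bytes in front of the audio data are not treated as frame candidates. The final `avio_seek(s->pb, ie->pos + i*dir, SEEK_SET)` depends on the same offset. `mp3_seek` begins and ends outside the hunks.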
From: Michael Niedermayer Date: Fri, 25 Oct 2013 20:03:29 +0200 Subject: [PATCH 0652/1037] avcodec/h264: reduce noisiness of "mmco: unref short failure" Do not consider it an error if we have no frames and should discard one. This condition can easily happen when decoding is started from an I frame Fixes Ticket2811 Signed-off-by: Michael Niedermayer (cherry picked from commit 08a89761964bdd0a023eff6d37a1131fb7e1d7a0) Conflicts: libavcodec/h264_refs.c --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 6061844cef..2c9c71680a 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -550,7 +550,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count){ if(!pic){ if(mmco[i].opcode != MMCO_SHORT2LONG || !h->long_ref[mmco[i].long_arg] || h->long_ref[mmco[i].long_arg]->frame_num != frame_num) { - av_log(h->s.avctx, AV_LOG_ERROR, "mmco: unref short failure\n"); + av_log(h->s.avctx, h->short_ref_count ? AV_LOG_ERROR : AV_LOG_DEBUG, "mmco: unref short failure\n"); err = AVERROR_INVALIDDATA; } continue; From 69603724750b6e8cee31692c7352e313df5317fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2013 01:22:38 +0200 Subject: [PATCH 0653/1037] h264: make flush_change() set mmco_reset This ensures that frames do not get mixed on context reinits Fixes Ticket2836 Signed-off-by: Michael Niedermayer (cherry picked from commit 3c9dd93faa9f3c250428dd0548c075583aa07cc3) --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index ee2315849f..bf5bfa0e0d 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2170,6 +2170,7 @@ static void flush_change(H264Context *h) h->sync= 0; h->list_count = 0; h->current_slice = 0; + h->mmco_reset = 1; } /* forget old pics after a seek */ From 4c17e20ff05a2ec14a1e76a4ed63894e4fb93095 Mon Sep 17 00:00:00 2001 
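Review bot: The log-level change in `ff_h264_execute_ref_pic_marking` leaves `err = AVERROR_INVALIDDATA;` on the following line untouched, so the case the commit message describes as not being an error is still returned to the caller as invalid data, only logged more quietly. If that is intended, a comment such as `/* nothing to unref yet (e.g. decoding started at an I frame): still flagged, but logged at debug level */` would record it. If it is not, the assignment should depend on `h->short_ref_count` as well. Keeping the error return while lowering the message to `AV_LOG_DEBUG` also makes this failure path hard to spot in normal logs. The function body extends beyond the hunk.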
From: Michael Niedermayer Date: Sun, 27 Oct 2013 01:03:19 +0200 Subject: [PATCH 0654/1037] avformat/utils: do not override pts in h264 when they are provided from the demuxer Fixes Ticket2143 Signed-off-by: Michael Niedermayer (cherry picked from commit 1e5271a9fd6ddcceb083f2185a4bbd8d44c9a813) --- libavformat/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 8a5b84ff39..aa0c1034d1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1163,12 +1163,14 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, if (pkt->dts != AV_NOPTS_VALUE) { // got DTS from the stream, update reference timestamp st->reference_dts = pkt->dts - pc->dts_ref_dts_delta * num / den; - pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; } else if (st->reference_dts != AV_NOPTS_VALUE) { // compute DTS based on reference timestamp pkt->dts = st->reference_dts + pc->dts_ref_dts_delta * num / den; - pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; } + + if (st->reference_dts != AV_NOPTS_VALUE && pkt->pts == AV_NOPTS_VALUE) + pkt->pts = pkt->dts + pc->pts_dts_delta * num / den; + if (pc->dts_sync_point > 0) st->reference_dts = pkt->dts; // new reference } From a3f8c6a42759e80c0ab801debb9b9071fedf6f3e Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Fri, 26 Apr 2013 16:48:39 +0200 Subject: [PATCH 0655/1037] x86: ac3dsp: Remove 3dnow version of ff_ac3_extract_exponents The function requires increasing the fuzz factor for the ac3/eac3 encode tests and even so makes fate fail. It only provides a slight encoding speedup for legacy CPUs that do not support SSE2. Thus its benefit is not worth the trouble it creates and fixing it would be a waste of time. --- libavcodec/x86/ac3dsp.asm | 36 ------------------------------------ libavcodec/x86/ac3dsp_init.c | 1 - tests/fate/ac3.mak | 2 -- 3 files changed, 39 deletions(-) 
diff --git a/libavcodec/x86/ac3dsp.asm b/libavcodec/x86/ac3dsp.asm index 45c30d1ae8..4facf32309 100644 --- a/libavcodec/x86/ac3dsp.asm +++ b/libavcodec/x86/ac3dsp.asm @@ -382,42 +382,6 @@ cglobal ac3_compute_mantissa_size, 1, 2, 4, mant_cnt, sum %endif %endmacro -%if HAVE_AMD3DNOW_EXTERNAL -INIT_MMX 3dnow -cglobal ac3_extract_exponents, 3, 3, 0, exp, coef, len - add expq, lenq - lea coefq, [coefq+4*lenq] - neg lenq - movq m3, [pd_1] - movq m4, [pd_151] -.loop: - movq m0, [coefq+4*lenq ] - movq m1, [coefq+4*lenq+8] - PABSD m0, m2 - PABSD m1, m2 - pslld m0, 1 - por m0, m3 - pi2fd m2, m0 - psrld m2, 23 - movq m0, m4 - psubd m0, m2 - pslld m1, 1 - por m1, m3 - pi2fd m2, m1 - psrld m2, 23 - movq m1, m4 - psubd m1, m2 - packssdw m0, m0 - packuswb m0, m0 - packssdw m1, m1 - packuswb m1, m1 - punpcklwd m0, m1 - movd [expq+lenq], m0 - add lenq, 4 - jl .loop - REP_RET -%endif - %macro AC3_EXTRACT_EXPONENTS 0 cglobal ac3_extract_exponents, 3, 3, 4, exp, coef, len add expq, lenq diff --git a/libavcodec/x86/ac3dsp_init.c b/libavcodec/x86/ac3dsp_init.c index e8f7304ca3..e144440591 100644 --- a/libavcodec/x86/ac3dsp_init.c +++ b/libavcodec/x86/ac3dsp_init.c @@ -189,7 +189,6 @@ av_cold void ff_ac3dsp_init_x86(AC3DSPContext *c, int bit_exact) c->ac3_rshift_int32 = ff_ac3_rshift_int32_mmx; } if (EXTERNAL_AMD3DNOW(mm_flags)) { - c->extract_exponents = ff_ac3_extract_exponents_3dnow; if (!bit_exact) { c->float_to_fixed24 = ff_float_to_fixed24_3dnow; } diff --git a/tests/fate/ac3.mak b/tests/fate/ac3.mak index 46e7a38645..fa9f89369d 100644 --- a/tests/fate/ac3.mak +++ b/tests/fate/ac3.mak 
@@ -52,14 +52,12 @@ fate-ac3-encode: CMD = enc_dec_pcm ac3 wav s16le $(REF) -c:a ac3 -b:a 128k fate-ac3-encode: CMP_SHIFT = -1024 fate-ac3-encode: CMP_TARGET = 399.62 fate-ac3-encode: SIZE_TOLERANCE = 488 -fate-ac3-encode: FUZZ = 3 FATE_EAC3-$(call ENCDEC, EAC3, EAC3) += fate-eac3-encode fate-eac3-encode: CMD = enc_dec_pcm eac3 wav s16le $(REF) -c:a eac3 -b:a 128k fate-eac3-encode: CMP_SHIFT = -1024 fate-eac3-encode: CMP_TARGET = 514.02 fate-eac3-encode: SIZE_TOLERANCE = 488 -fate-eac3-encode: FUZZ = 3 fate-ac3-encode fate-eac3-encode: CMP = stddev fate-ac3-encode fate-eac3-encode: REF = $(SAMPLES)/audio-reference/luckynight_2ch_44kHz_s16.wav From 7f174cec8bd505bacfe23db23cd7f780fdb59bdc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Fri, 8 Nov 2013 23:55:06 +0100 Subject: [PATCH 0656/1037] build: avoid stdin stall with GNU AS probing. a758c5e added probing for various tools, such as AS. Unfortunately, GNU AS is reading stdin with -v, and thus configure is stalled with configure arguments such as --as=as. Fixes Ticket #1898. (cherry picked from commit dbb41f93c16cbc65a899a75723c95da51c851cd5) --- configure | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 31726ad8c2..90fdff81e3 100755 --- a/configure +++ b/configure @@ -2560,7 +2560,9 @@ probe_cc(){ unset _depflags _DEPCMD _DEPFLAGS _flags_filter=echo - if $_cc -v 2>&1 | grep -q '^gcc.*LLVM'; then + if $_cc --version 2>&1 | grep -q '^GNU assembler'; then + true # no-op to avoid reading stdin in following checks + elif $_cc -v 2>&1 | grep -q '^gcc.*LLVM'; then _type=llvm_gcc gcc_extra_ver=$(expr "$($_cc --version | head -n1)" : '.*\((.*)\)') _ident="llvm-gcc $($_cc -dumpversion) $gcc_extra_ver" From f401e600638b389301be8c4bb0758c4f7a3086ab Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 18 Nov 2013 03:02:36 +0100 Subject: [PATCH 0657/1037] avformat/utils: dont count attached pics toward the probesize Such pics behave more like headers which we also dont count. Fixes Ticket3146 Signed-off-by: Michael Niedermayer (cherry picked from commit a8dec360c5db15e8da4b44ff3c0f02a6c57e8ac0) --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index aa0c1034d1..1be62f19c3 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2819,9 +2819,10 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) goto find_stream_info_err; } - read_size += pkt->size; - st = ic->streams[pkt->stream_index]; + if (!(st->disposition & AV_DISPOSITION_ATTACHED_PIC)) + read_size += pkt->size; + if (pkt->dts != AV_NOPTS_VALUE && st->codec_info_nb_frames > 1) { /* check for non-increasing dts */ if (st->info->fps_last_dts != AV_NOPTS_VALUE && From 56eded8bc7bccdf14245bae3a45b0fecf9d9d122 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 22:13:45 +0100 Subject: [PATCH 0658/1037] mpeg4videodec: split initializing static tables into a separate function Signed-off-by: Anton Khirnov --- libavcodec/mpeg4videodec.c | 53 +++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 24 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 7ff290c9e0..443326c401 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
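Review bot: Excluding `AV_DISPOSITION_ATTACHED_PIC` packets from `read_size` in `avformat_find_stream_info` means those packets no longer move the probing loop towards the probesize limit. That is safe if a demuxer delivers each attached picture only once, but the hunk does not show that guarantee. A comment like `/* attached pictures are delivered once and behave like headers, so they are not counted */` would state the assumption. It is also worth confirming that the loop's other exit conditions still bound the work for input that carries this disposition. The loop itself lies outside the hunk.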
@@ -45,6 +45,33 @@ static const int mb_type_b_map[4]= { MB_TYPE_L0 | MB_TYPE_16x16, }; +static void init_tables(void) +{ + static int done = 0; + if (!done) { + done = 1; + + ff_init_rl(&ff_mpeg4_rl_intra, ff_mpeg4_static_rl_table_store[0]); + ff_init_rl(&ff_rvlc_rl_inter, ff_mpeg4_static_rl_table_store[1]); + ff_init_rl(&ff_rvlc_rl_intra, ff_mpeg4_static_rl_table_store[2]); + INIT_VLC_RL(ff_mpeg4_rl_intra, 554); + INIT_VLC_RL(ff_rvlc_rl_inter, 1072); + INIT_VLC_RL(ff_rvlc_rl_intra, 1072); + INIT_VLC_STATIC(&dc_lum, DC_VLC_BITS, 10 /* 13 */, + &ff_mpeg4_DCtab_lum[0][1], 2, 1, + &ff_mpeg4_DCtab_lum[0][0], 2, 1, 512); + INIT_VLC_STATIC(&dc_chrom, DC_VLC_BITS, 10 /* 13 */, + &ff_mpeg4_DCtab_chrom[0][1], 2, 1, + &ff_mpeg4_DCtab_chrom[0][0], 2, 1, 512); + INIT_VLC_STATIC(&sprite_trajectory, SPRITE_TRAJ_VLC_BITS, 15, + &ff_sprite_trajectory_tab[0][1], 4, 2, + &ff_sprite_trajectory_tab[0][0], 4, 2, 128); + INIT_VLC_STATIC(&mb_type_b_vlc, MB_TYPE_B_VLC_BITS, 4, + &ff_mb_type_b_tab[0][1], 2, 1, + &ff_mb_type_b_tab[0][0], 2, 1, 16); + } +} + /** * Predict the ac. * @param n block index (0-3 are luma, 4-5 are chroma) @@ -2202,7 +2229,8 @@ static av_cold int decode_init(AVCodecContext *avctx) { MpegEncContext *s = avctx->priv_data; int ret; - static int done = 0; + + init_tables(); s->divx_version= s->divx_build= 
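Review bot: `init_tables()` sets `done = 1` before any table is built, and `done` is a plain `static int`. A second caller arriving while the first is still inside the `ff_init_rl`/`INIT_VLC_*` calls would therefore skip initialisation and could read half-built tables. Whether callers are serialised is not visible here. The later patch on this page that exports the function as `ff_mpeg4_init_tables()` and calls it from `mpeg4video_parse_init` adds a second entry point, which makes the question more pressing. Document the requirement on the function, e.g. `/* not thread-safe: callers must be serialised by the codec/parser init lock */`, or guard the body with a once-primitive such as `pthread_once` where threads are available.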
@@ -2212,29 +2240,6 @@ static av_cold int decode_init(AVCodecContext *avctx) if((ret=ff_h263_decode_init(avctx)) < 0) return ret; - if (!done) { - done = 1; - - ff_init_rl(&ff_mpeg4_rl_intra, ff_mpeg4_static_rl_table_store[0]); - ff_init_rl(&ff_rvlc_rl_inter, ff_mpeg4_static_rl_table_store[1]); - ff_init_rl(&ff_rvlc_rl_intra, ff_mpeg4_static_rl_table_store[2]); - INIT_VLC_RL(ff_mpeg4_rl_intra, 554); - INIT_VLC_RL(ff_rvlc_rl_inter, 1072); - INIT_VLC_RL(ff_rvlc_rl_intra, 1072); - INIT_VLC_STATIC(&dc_lum, DC_VLC_BITS, 10 /* 13 */, - &ff_mpeg4_DCtab_lum[0][1], 2, 1, - &ff_mpeg4_DCtab_lum[0][0], 2, 1, 512); - INIT_VLC_STATIC(&dc_chrom, DC_VLC_BITS, 10 /* 13 */, - &ff_mpeg4_DCtab_chrom[0][1], 2, 1, - &ff_mpeg4_DCtab_chrom[0][0], 2, 1, 512); - INIT_VLC_STATIC(&sprite_trajectory, SPRITE_TRAJ_VLC_BITS, 15, - &ff_sprite_trajectory_tab[0][1], 4, 2, - &ff_sprite_trajectory_tab[0][0], 4, 2, 128); - INIT_VLC_STATIC(&mb_type_b_vlc, MB_TYPE_B_VLC_BITS, 4, - &ff_mb_type_b_tab[0][1], 2, 1, - &ff_mb_type_b_tab[0][0], 2, 1, 16); - } - s->h263_pred = 1; s->low_delay = 0; //default, might be overriden in the vol header during header parsing s->decode_mb= mpeg4_decode_mb; From bd405475ceb38c01088cc9cf1838b23bdd8f685f Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 22:13:46 +0100 Subject: [PATCH 0659/1037] mpeg4video_parser: init mpeg4 static tables. They are used when decoding the frame header. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org Signed-off-by: Anton Khirnov --- libavcodec/mpeg4video.h | 1 + libavcodec/mpeg4video_parser.c | 2 ++ libavcodec/mpeg4videodec.c | 4 ++-- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4video.h b/libavcodec/mpeg4video.h index 64c0243785..0dec893371 100644 --- a/libavcodec/mpeg4video.h +++ b/libavcodec/mpeg4video.h 
@@ -110,6 +110,7 @@ int ff_mpeg4_set_direct_mv(MpegEncContext *s, int mx, int my); extern uint8_t ff_mpeg4_static_rl_table_store[3][2][2*MAX_RUN + MAX_LEVEL + 3]; +void ff_mpeg4_init_tables(void); #if 0 //3IV1 is quite rare and it slows things down a tiny bit #define IS_3IV1 s->codec_tag == AV_RL32("3IV1") diff --git a/libavcodec/mpeg4video_parser.c b/libavcodec/mpeg4video_parser.c index e291262d94..6587d7fe52 100644 --- a/libavcodec/mpeg4video_parser.c +++ b/libavcodec/mpeg4video_parser.c @@ -100,6 +100,8 @@ static av_cold int mpeg4video_parse_init(AVCodecParserContext *s) { struct Mp4vParseContext *pc = s->priv_data; + ff_mpeg4_init_tables(); + pc->first_picture = 1; pc->enc.slice_context_count = 1; return 0; diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 443326c401..3e8c8f79b4 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -45,7 +45,7 @@ static const int mb_type_b_map[4]= { MB_TYPE_L0 | MB_TYPE_16x16, }; -static void init_tables(void) +void ff_mpeg4_init_tables(void) { static int done = 0; if (!done) { @@ -2230,7 +2230,7 @@ static av_cold int decode_init(AVCodecContext *avctx) MpegEncContext *s = avctx->priv_data; int ret; - init_tables(); + ff_mpeg4_init_tables(); s->divx_version= s->divx_build= From 718a2ddcb898d8465c6715ac1a6627ca67dc6a22 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 29 Nov 2013 13:18:29 +0100 Subject: [PATCH 0660/1037] h264/mpegvideo: do not provide pixel formats for hwaccels that are not compiled in --- libavcodec/h264.c | 6 ++++++ libavcodec/mpegvideo.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 8625b0f392..29c81966c9 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -60,9 +60,15 @@ static const uint8_t div6[QP_MAX_NUM + 1] = { }; static const enum AVPixelFormat hwaccel_pixfmt_list_h264_jpeg_420[] = { +#if CONFIG_H264_DXVA2_HWACCEL AV_PIX_FMT_DXVA2_VLD, +#endif +#if CONFIG_H264_VAAPI_HWACCEL AV_PIX_FMT_VAAPI_VLD, +#endif +#if CONFIG_H264_VDA_HWACCEL AV_PIX_FMT_VDA_VLD, +#endif AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_NONE }; diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 0274f01208..2f65779f2a 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -131,9 +131,15 @@ const enum AVPixelFormat ff_pixfmt_list_420[] = { }; const enum AVPixelFormat ff_hwaccel_pixfmt_list_420[] = { +#if CONFIG_H264_DXVA2_HWACCEL AV_PIX_FMT_DXVA2_VLD, +#endif +#if CONFIG_H264_VAAPI_HWACCEL AV_PIX_FMT_VAAPI_VLD, +#endif +#if CONFIG_H264_VDA_HWACCEL AV_PIX_FMT_VDA_VLD, +#endif AV_PIX_FMT_YUV420P, AV_PIX_FMT_NONE }; From b8eaf47917ab921d4f36cf04bc43af4ef5d30b37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Dec 2013 01:41:10 +0100 Subject: [PATCH 0661/1037] avcodec/cabac: force get_cabac to be not inlined works around bug in gccs inline asm register assignment Fixes Ticket3177 gcc from 4.4 to 4.6 is affected at least, no non affected gccs known clang seems not affected Signed-off-by: Michael Niedermayer (cherry picked from commit 0538b29ae8002c44f27bae8a1a6fc6e646998be5) --- libavcodec/cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index 385721fe1d..d8f34c8602 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c @@ -305,7 +305,7 @@ STOP_TIMER("get_cabac_bypass") for(i=0; i Date: Sun, 8 Dec 2013 13:24:26 -0500 Subject: [PATCH 0662/1037] alsdec: check block length Fix writing over the end Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Addresses: CVE-2013-0845 (cherry picked from commit 2a0fb7286d67c47e44aa76c237ede117b22af616) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) 
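Review bot: In `libavcodec/mpegvideo.c` the entries of `ff_hwaccel_pixfmt_list_420` are now guarded by `CONFIG_H264_DXVA2_HWACCEL`, `CONFIG_H264_VAAPI_HWACCEL` and `CONFIG_H264_VDA_HWACCEL`, yet the array has a codec-neutral name and external linkage. If decoders other than H.264 also advertise this list (not visible from the hunk), a build with the H.264 hwaccel disabled and another codec's hwaccel enabled would silently lose the hardware formats for that codec. Either key each entry on a condition that covers every user of the list, or add a comment naming the decoders that rely on it. The same guards on `hwaccel_pixfmt_list_h264_jpeg_420` in `h264.c` look appropriate, because that list is H.264-specific by name.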
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index f1d01a2569..cb942c2e7c 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1380,6 +1380,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; + if (bd.block_length <= 0) { + av_log(ctx->avctx, AV_LOG_WARNING, + "Invalid block length %d in channel data!\n", bd.block_length); + continue; + } for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c; From bdb975ab699a4374e928bc12f1653d079667d84a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 20 Dec 2013 15:02:35 +0200 Subject: [PATCH 0663/1037] arm: Don't clobber callee saved registers in scalarproduct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit q4-q7/d8-d15 are supposed to not be clobbered by the callee. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d307e408d4a9ada22df443cc38be77cc5e492694) Signed-off-by: Martin Storsjö --- libavcodec/arm/int_neon.S | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/arm/int_neon.S b/libavcodec/arm/int_neon.S index 04208c2be9..b1906c8a2b 100644 --- a/libavcodec/arm/int_neon.S +++ b/libavcodec/arm/int_neon.S @@ -41,10 +41,10 @@ function ff_scalarproduct_int16_neon, export=1 vpadd.s32 d16, d0, d1 vpadd.s32 d17, d2, d3 - vpadd.s32 d10, d4, d5 - vpadd.s32 d11, d6, d7 + vpadd.s32 d18, d4, d5 + vpadd.s32 d19, d6, d7 vpadd.s32 d0, d16, d17 - vpadd.s32 d1, d10, d11 + vpadd.s32 d1, d18, d19 vpadd.s32 d2, d0, d1 vpaddl.s32 d3, d2 vmov.32 r0, d3[0] 
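Review bot: The added check in `read_frame_data` rejects only `bd.block_length <= 0`, and no upper bound against the frame or buffer length appears in the hunk. Since the commit addresses an out-of-bounds write, it should be confirmed that an oversized `div_blocks[b]` is caught elsewhere. The invalid case is logged at `AV_LOG_WARNING` and skipped with `continue`, so the caller still receives a frame decoded from data already known to be corrupt; `return AVERROR_INVALIDDATA;` would be the more conservative choice if callers can handle it. If `block_length` is an unsigned field, `<= 0` reduces to `== 0` and `%d` does not match its type. The function continues outside the hunk.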
@@ -81,10 +81,10 @@ function ff_scalarproduct_and_madd_int16_neon, export=1 vpadd.s32 d16, d0, d1 vpadd.s32 d17, d2, d3 - vpadd.s32 d10, d4, d5 - vpadd.s32 d11, d6, d7 + vpadd.s32 d18, d4, d5 + vpadd.s32 d19, d6, d7 vpadd.s32 d0, d16, d17 - vpadd.s32 d1, d10, d11 + vpadd.s32 d1, d18, d19 vpadd.s32 d2, d0, d1 vpaddl.s32 d3, d2 vmov.32 r0, d3[0] From 5bd291e265b988c285f96076b6d9f05de940439b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2013 16:21:14 +0200 Subject: [PATCH 0664/1037] avfilter/ff_insert_pad: fix order of operations Fixes out of bounds access Fixes CID732170 Fixes CID732169 No filter is known to use this function in a way so the issue can be reproduced. Signed-off-by: Michael Niedermayer (cherry picked from commit ab2bfb85d49b2f8aa505816f93e75fd18ad0a361) Conflicts: libavfilter/avfilter.c (cherry picked from commit 86591b244f3a27293153896813f5569b49b2f5c0) Conflicts: libavfilter/avfilter.c (cherry picked from commit 400c4f8fa3fd58951dc3f356b2b00484e3363694) Signed-off-by: Michael Niedermayer --- libavfilter/avfilter.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index 4edd5be30f..b21e1ad07f 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -117,9 +117,9 @@ void ff_insert_pad(unsigned idx, unsigned *count, size_t padidx_off, (*links)[idx] = NULL; (*count)++; - for (i = idx+1; i < *count; i++) - if (*links[i]) - (*(unsigned *)((uint8_t *) *links[i] + padidx_off))++; + for (i = idx + 1; i < *count; i++) + if ((*links)[i]) + (*(unsigned *)((uint8_t *) (*links)[i] + padidx_off))++; } int avfilter_link(AVFilterContext *src, unsigned srcpad, From 848af79decd25aff03a17d5fd736181b4f2108c5 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 22 Dec 2013 18:47:28 +0100 Subject: [PATCH 0665/1037] nutenc/write_index: warn if 2 consecutive keyframes have the same PTS and discard the 2nd This fixes an assertion failure and regression and restores previous behaviour Fixes Ticket3197 An alternative would be to fail hard in this case and refuse to mux such data. Signed-off-by: Michael Niedermayer (cherry picked from commit de2a2caf4dedb28a959d0ff6f02751bb6c3ff033) --- libavformat/nutenc.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index 46711528a0..9b1ffaf935 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -584,8 +584,15 @@ static int write_index(NUTContext *nut, AVIOContext *bc) { int64_t last_pts= -1; int j, k; for (j=0; jsp_count; j++) { - int flag = (nus->keyframe_pts[j] != AV_NOPTS_VALUE) ^ (j+1 == nut->sp_count); + int flag; int n = 0; + + if (j && nus->keyframe_pts[j] == nus->keyframe_pts[j-1]) { + av_log(nut->avf, AV_LOG_WARNING, "Multiple keyframes with same PTS\n"); + nus->keyframe_pts[j] = AV_NOPTS_VALUE; + } + + flag = (nus->keyframe_pts[j] != AV_NOPTS_VALUE) ^ (j+1 == nut->sp_count); for (; jsp_count && (nus->keyframe_pts[j] != AV_NOPTS_VALUE) == flag; j++) n++; From 5dcc17992430f4ef910b06956b4d19af98880670 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 25 Nov 2013 14:04:41 +0100 Subject: [PATCH 0666/1037] vc1: Reset numref if fieldmode is not set There are samples in the wild with B-frames and P-frames with different interlace mode. CC: libav-stable@libav.org Reported-by: Jean-Baptiste Kempf Signed-off-by: Luca Barbato (cherry picked from commit de44dfc7c0ec02bda7d846ef713145c890bfae3f) Signed-off-by: Reinhard Tartler --- libavcodec/vc1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index a8dd38ad5f..21449bdb6d 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c 
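Review bot: The duplicate test `nus->keyframe_pts[j] == nus->keyframe_pts[j-1]` in `write_index` also matches two neighbouring entries that are both `AV_NOPTS_VALUE`, which would log "Multiple keyframes with same PTS" for syncpoints that simply have no keyframe. Adding `nus->keyframe_pts[j] != AV_NOPTS_VALUE &&` to the condition limits the warning, and the overwrite, to real duplicates. The loop header is garbled on this page and the inner `for` advances `j`, so how often the check is reached is inferred from the visible lines only.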
@@ -992,6 +992,8 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) v->reffield = get_bits1(gb); v->ref_field_type[0] = v->reffield ^ !v->cur_field_type; } + } else { + v->numref = 0; } if (v->extended_mv) v->mvrange = get_unary(gb, 0, 3); From 3e089e8f7158176edc019182d2177f5797e1cad2 Mon Sep 17 00:00:00 2001 From: Aurelien Jacobs Date: Sun, 21 Aug 2011 16:03:13 +0200 Subject: [PATCH 0667/1037] matroskadec: use correct compression parameters for current track CodecPrivate Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org Signed-off-by: Anton Khirnov (cherry picked from commit 8b516f154a0a08655cec2d13d12aadc58cae0b1c) Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 8a0c91bf9c..e42118c10f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1405,7 +1405,7 @@ static int matroska_read_header(AVFormatContext *s) for (i=0; i < matroska->tracks.nb_elem; i++) { MatroskaTrack *track = &tracks[i]; enum AVCodecID codec_id = AV_CODEC_ID_NONE; - EbmlList *encodings_list = &tracks->encodings; + EbmlList *encodings_list = &track->encodings; MatroskaTrackEncoding *encodings = encodings_list->elem; uint8_t *extradata = NULL; int extradata_size = 0; From 12479588d7894a6d9827c53d89f235e006b95533 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 3 Jan 2014 15:47:02 +0200 Subject: [PATCH 0668/1037] sdp: Check that fmt->oformat is non-null before accessing it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This avoids crashes when avserver tries to create an SDP, since d77f4af. Addresses: CVE-2012-6617 CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 82b9799bb211ecd117171115e4a8b832c4942314) 
Signed-off-by: Reinhard Tartler --- libavformat/sdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 57044d4c51..e6e6f829d4 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -402,7 +402,7 @@ static char *sdp_write_media_attributes(char *buff, int size, AVCodecContext *c, switch (c->codec_id) { case AV_CODEC_ID_H264: { int mode = 1; - if (fmt && fmt->oformat->priv_class && + if (fmt && fmt->oformat && fmt->oformat->priv_class && av_opt_flag_is_set(fmt->priv_data, "rtpflags", "h264_mode0")) mode = 0; if (c->extradata_size) { From 343c87ac19c8db3f102d21a928c0e07980c056cc Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0669/1037] rv30: fix extradata size check. It has been checking the number of bits in the offset instead of the actual offset. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit a6a2282c25abe43e352010a7c3fbc92994c0bc1c) Signed-off-by: Reinhard Tartler --- libavcodec/rv30.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index b61b75dd77..ffd4d9666a 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -35,6 +35,7 @@ static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceInfo *si) { + AVCodecContext *avctx = r->s.avctx; int mb_bits; int w = r->s.width, h = r->s.height; int mb_size; @@ -52,6 +53,13 @@ static int rv30_parse_slice_header(RV34DecContext *r, GetBitContext *gb, SliceIn si->pts = get_bits(gb, 13); rpr = get_bits(gb, r->rpr); if(rpr){ + if (avctx->extradata_size < rpr * 2 + 8) { + av_log(avctx, AV_LOG_ERROR, + "Insufficient extradata - need at least %d bytes, got %d\n", + 8 + rpr * 2, avctx->extradata_size); + return AVERROR(EINVAL); + } + w = r->s.avctx->extradata[6 + rpr*2] << 2; h = r->s.avctx->extradata[7 + rpr*2] << 2; } 
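Review bot: The new extradata check in `rv30_parse_slice_header` returns `AVERROR(EINVAL)`, although the failing condition comes from the stream: `rpr` is read from the bitstream and compared with `avctx->extradata_size`. `return AVERROR_INVALIDDATA;` would match how other decoders on this page report malformed input, and it lets callers tell bad data from bad arguments. The bound itself is consistent with the reads that follow: the highest index used is `7 + rpr*2`, which needs `rpr * 2 + 8` bytes. The function body continues past the hunk.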
@@ -255,11 +263,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx) } r->rpr = (avctx->extradata[1] & 7) >> 1; r->rpr = FFMIN(r->rpr + 1, 3); - if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){ - av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n", - 6 + r->rpr * 2, avctx->extradata_size); - return AVERROR(EINVAL); - } + r->parse_slice_header = rv30_parse_slice_header; r->decode_intra_types = rv30_decode_intra_types; r->decode_mb_info = rv30_decode_mb_info; From f194f2be418a9a9bbb74cb0b54e3bc6fea0da0ba Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 12 Dec 2013 07:31:26 +0100 Subject: [PATCH 0670/1037] eacmv: check the framerate before setting it. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 24057c83207d6ea8bfd824155ac37be8a33dfd0c) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/eacmv.c --- libavcodec/eacmv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c index b7e13b1114..4c65f6fcbf 100644 --- a/libavcodec/eacmv.c +++ b/libavcodec/eacmv.c @@ -119,7 +119,7 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t * static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t *buf_end) { - int pal_start, pal_count, i; + int pal_start, pal_count, i, fps; if(buf_end - buf < 16) { av_log(s->avctx, AV_LOG_WARNING, "truncated header\n"); @@ -131,8 +131,9 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t if (s->avctx->width!=s->width || s->avctx->height!=s->height) avcodec_set_dimensions(s->avctx, s->width, s->height); - s->avctx->time_base.num = 1; - s->avctx->time_base.den = AV_RL16(&buf[10]); + fps = AV_RL16(&buf[10]); + if (fps > 0) + s->avctx->time_base = (AVRational){ 1, fps }; pal_start = AV_RL16(&buf[12]); pal_count = AV_RL16(&buf[14]); 
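Review bot: In cmv_process_header a zero frame rate is now skipped silently, so `time_base` keeps whatever value it had before and nothing records that the header was bad. A warning on that path would make such files diagnosable, for example `else av_log(s->avctx, AV_LOG_WARNING, "invalid frame rate 0\n");`. Because `AV_RL16` yields an unsigned 16-bit value, `fps > 0` is only a zero test; a one-line comment saying so would help readers who expect a range check.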
From 5e7a5dd70b519121973ca243a802ee4eef4ed961 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 19 Nov 2012 10:30:01 +0100 Subject: [PATCH 0671/1037] gifdec: return meaningful error codes. (cherry picked from commit 048ffb9bb26f30f1995400b8cd3809221ba03441) Signed-off-by: Reinhard Tartler --- libavcodec/gifdec.c | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 8f1d6941bc..2a962e5de0 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -207,13 +207,13 @@ static int gif_read_header1(GifState *s) int has_global_palette; if (s->bytestream_end < s->bytestream + 13) - return -1; + return AVERROR_INVALIDDATA; /* read gif signature */ bytestream_get_buffer(&s->bytestream, sig, 6); if (memcmp(sig, gif87a_sig, 6) != 0 && memcmp(sig, gif89a_sig, 6) != 0) - return -1; + return AVERROR_INVALIDDATA; /* read screen header */ s->transparent_color_index = -1; @@ -222,7 +222,7 @@ static int gif_read_header1(GifState *s) if( (unsigned)s->screen_width > 32767 || (unsigned)s->screen_height > 32767){ av_log(NULL, AV_LOG_ERROR, "picture size too large\n"); - return -1; + return AVERROR_INVALIDDATA; } v = bytestream_get_byte(&s->bytestream); @@ -239,7 +239,7 @@ static int gif_read_header1(GifState *s) if (has_global_palette) { n = 1 << s->bits_per_pixel; if (s->bytestream_end < s->bytestream + n * 3) - return -1; + return AVERROR_INVALIDDATA; bytestream_get_buffer(&s->bytestream, s->global_palette, n * 3); } return 0; @@ -249,6 +249,7 @@ static int gif_parse_next_image(GifState *s) { while (s->bytestream < s->bytestream_end) { int code = bytestream_get_byte(&s->bytestream); + int ret; av_dlog(s->avctx, "gif: code=%02x '%c'\n", code, code); 
@@ -256,17 +257,17 @@ static int gif_parse_next_image(GifState *s) case ',': return gif_read_image(s); case '!': - if (gif_read_extension(s) < 0) - return -1; + if ((ret = gif_read_extension(s)) < 0) + return ret; break; case ';': /* end of image */ default: /* error or erroneous EOF */ - return -1; + return AVERROR_INVALIDDATA; } } - return -1; + return AVERROR_INVALIDDATA; } static av_cold int gif_decode_init(AVCodecContext *avctx) @@ -293,19 +294,19 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->bytestream = buf; s->bytestream_end = buf + buf_size; - if (gif_read_header1(s) < 0) - return -1; + if ((ret = gif_read_header1(s)) < 0) + return ret; avctx->pix_fmt = AV_PIX_FMT_PAL8; - if (av_image_check_size(s->screen_width, s->screen_height, 0, avctx)) - return -1; + if ((ret = av_image_check_size(s->screen_width, s->screen_height, 0, avctx)) < 0) + return ret; avcodec_set_dimensions(avctx, s->screen_width, s->screen_height); if (s->picture.data[0]) avctx->release_buffer(avctx, &s->picture); - if (ff_get_buffer(avctx, &s->picture) < 0) { + if ((ret = ff_get_buffer(avctx, &s->picture)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return -1; + return ret; } s->image_palette = (uint32_t *)s->picture.data[1]; ret = gif_parse_next_image(s); From c5c7e3e6f7cf17943c04bd078f260eaf789afbc9 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 10:15:24 +0100 Subject: [PATCH 0672/1037] gifdec: check that the image dimensions are non-zero Also add an error message an return a more suitable error code (INVALIDDATA, not EINVAL); Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit c453723ad7d14abc5e82677eebaa6025fa598f08) Signed-off-by: Reinhard Tartler --- libavcodec/gifdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 2a962e5de0..8636780375 100644 --- a/libavcodec/gifdec.c 
+++ b/libavcodec/gifdec.c @@ -90,8 +90,11 @@ static int gif_read_image(GifState *s) /* verify that all the image is inside the screen dimensions */ if (left + width > s->screen_width || - top + height > s->screen_height) - return AVERROR(EINVAL); + top + height > s->screen_height || + !width || !height) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid image dimensions.\n"); + return AVERROR_INVALIDDATA; + } /* build the palette */ n = (1 << bits_per_pixel); From 819541ff833d8e31aa1423ccf18005584451ba59 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 10:23:04 +0100 Subject: [PATCH 0673/1037] gifdec: convert to bytestream2 (cherry picked from commit 1f3e56b6dcc163a705704e98569d4850a31d651c) Signed-off-by: Reinhard Tartler --- libavcodec/gifdec.c | 67 ++++++++++++++++++++++----------------------- libavcodec/lzw.c | 7 +++-- libavcodec/lzw.h | 2 +- 3 files changed, 38 insertions(+), 38 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 8636780375..99c24d50ab 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -49,8 +49,7 @@ typedef struct GifState { int gce_delay; /* LZW compatible decoder */ - const uint8_t *bytestream; - const uint8_t *bytestream_end; + GetByteContext gb; LZWState *lzw; /* aux buffers */ @@ -69,11 +68,11 @@ static int gif_read_image(GifState *s) int is_interleaved, has_local_palette, y, pass, y1, linesize, n, i; uint8_t *ptr, *spal, *palette, *ptr1; - left = bytestream_get_le16(&s->bytestream); - top = bytestream_get_le16(&s->bytestream); - width = bytestream_get_le16(&s->bytestream); - height = bytestream_get_le16(&s->bytestream); - flags = bytestream_get_byte(&s->bytestream); + left = bytestream2_get_le16(&s->gb); + top = bytestream2_get_le16(&s->gb); + width = bytestream2_get_le16(&s->gb); + height = bytestream2_get_le16(&s->gb); + flags = bytestream2_get_byte(&s->gb); is_interleaved = flags & 0x40; has_local_palette = flags & 0x80; bits_per_pixel = (flags & 0x07) + 1; 
@@ -81,7 +80,7 @@ static int gif_read_image(GifState *s) av_dlog(s->avctx, "gif: image x=%d y=%d w=%d h=%d\n", left, top, width, height); if (has_local_palette) { - bytestream_get_buffer(&s->bytestream, s->local_palette, 3 * (1 << bits_per_pixel)); + bytestream2_get_buffer(&s->gb, s->local_palette, 3 * (1 << bits_per_pixel)); palette = s->local_palette; } else { palette = s->global_palette; @@ -110,9 +109,9 @@ static int gif_read_image(GifState *s) s->image_palette[s->transparent_color_index] = 0; /* now get the image data */ - code_size = bytestream_get_byte(&s->bytestream); - ff_lzw_decode_init(s->lzw, code_size, s->bytestream, - s->bytestream_end - s->bytestream, FF_LZW_GIF); + code_size = bytestream2_get_byte(&s->gb); + ff_lzw_decode_init(s->lzw, code_size, s->gb.buffer, + bytestream2_get_bytes_left(&s->gb), FF_LZW_GIF); /* read all the image */ linesize = s->picture.linesize[0]; @@ -155,7 +154,8 @@ static int gif_read_image(GifState *s) } /* read the garbage data until end marker is found */ ff_lzw_decode_tail(s->lzw); - s->bytestream = ff_lzw_cur_ptr(s->lzw); + + bytestream2_skip(&s->gb, ff_lzw_size_read(s->lzw)); return 0; } @@ -164,8 +164,8 @@ static int gif_read_extension(GifState *s) int ext_code, ext_len, i, gce_flags, gce_transparent_index; /* extension */ - ext_code = bytestream_get_byte(&s->bytestream); - ext_len = bytestream_get_byte(&s->bytestream); + ext_code = bytestream2_get_byte(&s->gb); + ext_len = bytestream2_get_byte(&s->gb); av_dlog(s->avctx, "gif: ext_code=0x%x len=%d\n", ext_code, ext_len); 
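Review bot: In gif_read_image the result of `bytestream2_get_buffer()` for the local palette is discarded, so a truncated file leaves part of `s->local_palette` holding whatever was stored there earlier while decoding continues. Comparing the returned byte count with the requested size closes that gap: `if (bytestream2_get_buffer(&s->gb, s->local_palette, pal_size) != pal_size) return AVERROR_INVALIDDATA;`, with `pal_size` set to `3 * (1 << bits_per_pixel)`. The function starts before this hunk.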
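Review bot: The return value of `ff_lzw_decode_init()` is still ignored in gif_read_image, although `code_size` comes straight from the file and the initialiser rejects it when `csize < 1 || csize >= LZW_MAXBITS` (visible in the lzw.c context later in this series). On failure the LZW state is left as it was, and the image read that follows presumably runs on it. Suggest `if (ff_lzw_decode_init(s->lzw, code_size, s->gb.buffer, bytestream2_get_bytes_left(&s->gb), FF_LZW_GIF) < 0) return AVERROR_INVALIDDATA;`. The decode loop itself lies outside this hunk.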
@@ -174,9 +174,9 @@ static int gif_read_extension(GifState *s) if (ext_len != 4) goto discard_ext; s->transparent_color_index = -1; - gce_flags = bytestream_get_byte(&s->bytestream); - s->gce_delay = bytestream_get_le16(&s->bytestream); - gce_transparent_index = bytestream_get_byte(&s->bytestream); + gce_flags = bytestream2_get_byte(&s->gb); + s->gce_delay = bytestream2_get_le16(&s->gb); + gce_transparent_index = bytestream2_get_byte(&s->gb); if (gce_flags & 0x01) s->transparent_color_index = gce_transparent_index; else @@ -187,7 +187,7 @@ static int gif_read_extension(GifState *s) gce_flags, s->gce_delay, s->transparent_color_index, s->gce_disposal); - ext_len = bytestream_get_byte(&s->bytestream); + ext_len = bytestream2_get_byte(&s->gb); break; } @@ -195,8 +195,8 @@ static int gif_read_extension(GifState *s) discard_ext: while (ext_len != 0) { for (i = 0; i < ext_len; i++) - bytestream_get_byte(&s->bytestream); - ext_len = bytestream_get_byte(&s->bytestream); + bytestream2_get_byte(&s->gb); + ext_len = bytestream2_get_byte(&s->gb); av_dlog(s->avctx, "gif: ext_len1=%d\n", ext_len); } 
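Review bot: The `discard_ext` loop in gif_read_extension still consumes each sub-block one byte at a time with `bytestream2_get_byte()`. Now that the reader is a GetByteContext, `bytestream2_skip(&s->gb, ext_len);` does the same in one bounded step, and `i` can go if nothing else in the function uses it. A comment on the `while (ext_len != 0)` line would also help: the checked reader returns 0 at end of input, which is what ends the loop on truncated data and explains why no explicit bytes-left test is needed.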
@@ -209,31 +209,31 @@ static int gif_read_header1(GifState *s) int v, n; int has_global_palette; - if (s->bytestream_end < s->bytestream + 13) + if (bytestream2_get_bytes_left(&s->gb) < 13) return AVERROR_INVALIDDATA; /* read gif signature */ - bytestream_get_buffer(&s->bytestream, sig, 6); + bytestream2_get_buffer(&s->gb, sig, 6); if (memcmp(sig, gif87a_sig, 6) != 0 && memcmp(sig, gif89a_sig, 6) != 0) return AVERROR_INVALIDDATA; /* read screen header */ s->transparent_color_index = -1; - s->screen_width = bytestream_get_le16(&s->bytestream); - s->screen_height = bytestream_get_le16(&s->bytestream); + s->screen_width = bytestream2_get_le16(&s->gb); + s->screen_height = bytestream2_get_le16(&s->gb); if( (unsigned)s->screen_width > 32767 || (unsigned)s->screen_height > 32767){ av_log(NULL, AV_LOG_ERROR, "picture size too large\n"); return AVERROR_INVALIDDATA; } - v = bytestream_get_byte(&s->bytestream); + v = bytestream2_get_byte(&s->gb); s->color_resolution = ((v & 0x70) >> 4) + 1; has_global_palette = (v & 0x80); s->bits_per_pixel = (v & 0x07) + 1; - s->background_color_index = bytestream_get_byte(&s->bytestream); - bytestream_get_byte(&s->bytestream); /* ignored */ + s->background_color_index = bytestream2_get_byte(&s->gb); + bytestream2_get_byte(&s->gb); /* ignored */ av_dlog(s->avctx, "gif: screen_w=%d screen_h=%d bpp=%d global_palette=%d\n", s->screen_width, s->screen_height, s->bits_per_pixel, 
@@ -241,17 +241,17 @@ static int gif_read_header1(GifState *s) if (has_global_palette) { n = 1 << s->bits_per_pixel; - if (s->bytestream_end < s->bytestream + n * 3) + if (bytestream2_get_bytes_left(&s->gb) < n * 3) return AVERROR_INVALIDDATA; - bytestream_get_buffer(&s->bytestream, s->global_palette, n * 3); + bytestream2_get_buffer(&s->gb, s->global_palette, n * 3); } return 0; } static int gif_parse_next_image(GifState *s) { - while (s->bytestream < s->bytestream_end) { - int code = bytestream_get_byte(&s->bytestream); + while (bytestream2_get_bytes_left(&s->gb) > 0) { + int code = bytestream2_get_byte(&s->gb); int ret; av_dlog(s->avctx, "gif: code=%02x '%c'\n", code, code); @@ -295,8 +295,7 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVFrame *picture = data; int ret; - s->bytestream = buf; - s->bytestream_end = buf + buf_size; + bytestream2_init(&s->gb, buf, buf_size); if ((ret = gif_read_header1(s)) < 0) return ret; @@ -318,7 +317,7 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, *picture = s->picture; *got_frame = 1; - return s->bytestream - buf; + return bytestream2_tell(&s->gb); } static av_cold int gif_decode_close(AVCodecContext *avctx) diff --git a/libavcodec/lzw.c b/libavcodec/lzw.c index 2c99014c2a..016714021c 100644 --- a/libavcodec/lzw.c +++ b/libavcodec/lzw.c @@ -43,7 +43,7 @@ static const uint16_t mask[17] = }; struct LZWState { - const uint8_t *pbuf, *ebuf; + const uint8_t *buf_start, *pbuf, *ebuf; int bbits; unsigned int bbuf; @@ -92,9 +92,10 @@ static int lzw_get_code(struct LZWState * s) return c & s->curmask; } -const uint8_t* ff_lzw_cur_ptr(LZWState *p) +int ff_lzw_size_read(LZWState *p) { - return ((struct LZWState*)p)->pbuf; + struct LZWState *s = p; + return s->pbuf - s->buf_start; } void ff_lzw_decode_tail(LZWState *p) diff --git a/libavcodec/lzw.h b/libavcodec/lzw.h index ab782f5219..d925d35e27 100644 --- a/libavcodec/lzw.h +++ b/libavcodec/lzw.h 
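Review bot: `ff_lzw_size_read()` subtracts `s->buf_start`, but neither lzw.c hunk of this patch assigns that new field, and the diffstat counts only these seven changed lines for the file. Unless it is set in code not shown, the function returns `pbuf` minus an unset pointer, and gif_read_image passes that value to `bytestream2_skip()`. Adding `s->buf_start = buf;` next to the `s->pbuf = buf;` assignment in ff_lzw_decode_init would make this patch correct on its own. The following patch in the series replaces the field with `bytestream2_tell()`, so only this intermediate state is affected.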
@@ -47,7 +47,7 @@ void ff_lzw_decode_open(LZWState **p); void ff_lzw_decode_close(LZWState **p); int ff_lzw_decode_init(LZWState *s, int csize, const uint8_t *buf, int buf_size, int mode); int ff_lzw_decode(LZWState *s, uint8_t *buf, int len); -const uint8_t* ff_lzw_cur_ptr(LZWState *lzw); +int ff_lzw_size_read(LZWState *lzw); void ff_lzw_decode_tail(LZWState *lzw); /** LZW encode state */ From ffa83bcc49375a7760ff9cbc889ce7171e8afe4a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0674/1037] lzw: switch to bytestream2 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit e89aa4bf56e5b5c45f569eb12733519789e057da) Signed-off-by: Reinhard Tartler --- libavcodec/lzw.c | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/libavcodec/lzw.c b/libavcodec/lzw.c index 016714021c..fae5687ab7 100644 --- a/libavcodec/lzw.c +++ b/libavcodec/lzw.c @@ -28,6 +28,7 @@ */ #include "avcodec.h" +#include "bytestream.h" #include "lzw.h" #include "libavutil/mem.h" @@ -43,7 +44,7 @@ static const uint16_t mask[17] = }; struct LZWState { - const uint8_t *buf_start, *pbuf, *ebuf; + GetByteContext gb; int bbits; unsigned int bbuf; @@ -73,9 +74,9 @@ static int lzw_get_code(struct LZWState * s) if(s->mode == FF_LZW_GIF) { while (s->bbits < s->cursize) { if (!s->bs) { - s->bs = *s->pbuf++; + s->bs = bytestream2_get_byte(&s->gb); } - s->bbuf |= (*s->pbuf++) << s->bbits; + s->bbuf |= bytestream2_get_byte(&s->gb) << s->bbits; s->bbits += 8; s->bs--; } @@ -83,7 +84,7 @@ static int lzw_get_code(struct LZWState * s) s->bbuf >>= s->cursize; } else { // TIFF while (s->bbits < s->cursize) { - s->bbuf = (s->bbuf << 8) | (*s->pbuf++); + s->bbuf = (s->bbuf << 8) | bytestream2_get_byte(&s->gb); s->bbits += 8; } c = s->bbuf >> (s->bbits - s->cursize); 
@@ -95,7 +96,7 @@ static int lzw_get_code(struct LZWState * s) int ff_lzw_size_read(LZWState *p) { struct LZWState *s = p; - return s->pbuf - s->buf_start; + return bytestream2_tell(&s->gb); } void ff_lzw_decode_tail(LZWState *p) @@ -103,17 +104,12 @@ void ff_lzw_decode_tail(LZWState *p) struct LZWState *s = (struct LZWState *)p; if(s->mode == FF_LZW_GIF) { - while (s->bs > 0) { - if (s->bs >= s->ebuf - s->pbuf) { - s->pbuf = s->ebuf; - break; - } else { - s->pbuf += s->bs; - s->bs = *s->pbuf++; - } + while (s->bs > 0 && bytestream2_get_bytes_left(&s->gb)) { + bytestream2_skip(&s->gb, s->bs); + s->bs = bytestream2_get_byte(&s->gb); } }else - s->pbuf= s->ebuf; + bytestream2_skip(&s->gb, bytestream2_get_bytes_left(&s->gb)); } av_cold void ff_lzw_decode_open(LZWState **p) @@ -141,8 +137,7 @@ int ff_lzw_decode_init(LZWState *p, int csize, const uint8_t *buf, int buf_size, if(csize < 1 || csize >= LZW_MAXBITS) return -1; /* read buffer */ - s->pbuf = buf; - s->ebuf = s->pbuf + buf_size; + bytestream2_init(&s->gb, buf, buf_size); s->bbuf = 0; s->bbits = 0; s->bs = 0; From a8f6d93071a8ac1f039a4ee2ae1f74dcd77da1cb Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0675/1037] pmpdec: check that there is at least one audio packet. The code cannot handle there being none, but that should not happen for valid files. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 1b5d065ca722eb8028c7a08e054b6da3419faf5d) Signed-off-by: Reinhard Tartler --- libavformat/pmpdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/pmpdec.c b/libavformat/pmpdec.c index 6cdce107c4..b2c613ad97 100644 --- a/libavformat/pmpdec.c +++ b/libavformat/pmpdec.c 
@@ -124,6 +124,11 @@ static int pmp_packet(AVFormatContext *s, AVPacket *pkt) if (pmp->cur_stream == 0) { int num_packets; pmp->audio_packets = avio_r8(pb); + if (!pmp->audio_packets) { + av_log(s, AV_LOG_ERROR, "No audio packets.\n"); + return AVERROR_INVALIDDATA; + } + num_packets = (pmp->num_streams - 1) * pmp->audio_packets + 1; avio_skip(pb, 8); pmp->current_packet = 0; From 24a8dfd37b45d63e5f6332cfd12b58ad482f3df2 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sun, 27 Oct 2013 15:00:36 -0400 Subject: [PATCH 0676/1037] lavr: check that current_buffer is not NULL before using it Fixes a segfault during resampling when compiled with -DDEBUG. Fixes all fate-lavr-resample tests with -DDEBUG. CC:libav-stable@libav.org (cherry picked from commit 211ca69b13eb0a127a9ef7e70ddaccdab125d1c5) Signed-off-by: Reinhard Tartler --- libavresample/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavresample/utils.c b/libavresample/utils.c index ed7f470483..36d9d04430 100644 --- a/libavresample/utils.c +++ b/libavresample/utils.c @@ -350,7 +350,8 @@ int attribute_align_arg avresample_convert(AVAudioResampleContext *avr, resample_out = &output_buffer; else resample_out = avr->resample_out_buffer; - av_dlog(avr, "[resample] %s to %s\n", current_buffer->name, + av_dlog(avr, "[resample] %s to %s\n", + current_buffer ? current_buffer->name : "null", resample_out->name); ret = ff_audio_resample(avr->resample, resample_out, current_buffer); From 0e8ae6d10c609bb968c141aa2436413a55852590 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 22 Oct 2013 19:17:10 +0200 Subject: [PATCH 0677/1037] mpegvideo: Drop a faulty assert That check is easily reachable by faulty input. CC:libav-stable@libav.org Reported-by: Torsten Sadowski (cherry picked from commit 72072bf9de3241848ea86f68d2297b7a5d6ad49b) Signed-off-by: Reinhard Tartler --- libavcodec/mpegvideo.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
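Review bot: The new zero test in pmp_packet cannot distinguish a file that declares no audio packets from a read at end of input, because `avio_r8()` also yields 0 once the stream is exhausted. If nothing earlier in the function (it starts outside this hunk) checks for end of file, a normal end of stream is now logged as an error and reported as `AVERROR_INVALIDDATA`. Testing `pb->eof_reached` before the new check and returning `AVERROR_EOF` would keep the two cases apart.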
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 2f65779f2a..eb71670379 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1521,8 +1521,12 @@ int ff_MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx) s->last_picture_ptr->owner2 = s; } - assert(s->pict_type == AV_PICTURE_TYPE_I || (s->last_picture_ptr && - s->last_picture_ptr->f.data[0])); + if (s->pict_type != AV_PICTURE_TYPE_I && + !(s->last_picture_ptr && s->last_picture_ptr->f.data[0])) { + av_log(s, AV_LOG_ERROR, + "Non-reference picture received and no reference available\n"); + return AVERROR_INVALIDDATA; + } if (s->picture_structure!= PICT_FRAME && s->out_format != FMT_H264) { int i; From d6d2617d07fcb25665543a3b7300ef17facaa809 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 20 Oct 2013 22:01:54 +0200 Subject: [PATCH 0678/1037] avio: Use AVERROR_PROTOCOL_NOT_FOUND When the protocol is missing ffurl_alloc() should return AVERROR_PROTOCOL_NOT_FOUND instead of AVERROR(ENOENT). Bug-Id: 577 CC: libav-stable@libav.org (cherry picked from commit ea71aafd6881d7ce5cffec56feb45488e3ac5221) Signed-off-by: Reinhard Tartler --- libavformat/avio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index ad39e6fdb0..689d4a1b07 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -197,7 +197,7 @@ int ffurl_alloc(URLContext **puc, const char *filename, int flags, return url_alloc_for_protocol (puc, up, filename, flags, int_cb); } *puc = NULL; - return AVERROR(ENOENT); + return AVERROR_PROTOCOL_NOT_FOUND; } int ffurl_open(URLContext **puc, const char *filename, int flags, From e776a1e8f37dbaf8c89ae13dcbcc3b387b782619 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2013 18:46:53 -0400 Subject: [PATCH 0679/1037] ac3dec: fix outptr increment. Fixes corrupt data errors when downmixing in the AC-3 decoder. Signed-off-by: Michael Niedermayer 
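Review bot: The log text in ff_MPV_frame_start says "Non-reference picture", but the condition fires for any picture whose type is not `AV_PICTURE_TYPE_I`, that is, a predicted picture that needs a reference and has none. Suggest `"Non-intra picture received and no reference available\n"`. The call passes `s` to `av_log` where the other decoders in this series pass `s->avctx`; using `s->avctx` would be consistent. The function begins well before this hunk, so it is worth confirming that the new early return does not skip cleanup of state set up earlier in the call.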
Signed-off-by: Justin Ruggles CC:libav-stable@libav.org (cherry picked from commit 6c82c87dbbc0582658968eae46cfebeea90a9c5e) Signed-off-by: Reinhard Tartler --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 51ac334775..ce14737141 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1398,7 +1398,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, memcpy(s->outptr[channel_map[ch]], output[ch], 1024); for (ch = 0; ch < s->out_channels; ch++) output[ch] = s->outptr[channel_map[ch]]; - for (ch = 0; ch < s->channels; ch++) + for (ch = 0; ch < s->out_channels; ch++) s->outptr[ch] += AC3_BLOCK_SIZE; } From cdc47c48137fd5eb2e8195a005b6d59480b4d570 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Oct 2013 15:24:25 +0200 Subject: [PATCH 0680/1037] omadec: check GEOB sizes against buffer size Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: David Goldwich CC:libav-stable@libav.org Signed-off-by: Anton Khirnov (cherry picked from commit 1c736bedd9891501960ebac0f7c05eb60225e947) Signed-off-by: Reinhard Tartler --- libavformat/omadec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 040345187b..158e1a6abe 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -234,6 +234,11 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header) av_log(s, AV_LOG_ERROR, "Invalid encryption header\n"); return -1; } + if (OMA_ENC_HEADER_SIZE + oc->k_size + oc->e_size + oc->i_size + 8 > geob->datasize || + OMA_ENC_HEADER_SIZE + 48 > geob->datasize) { + av_log(s, AV_LOG_ERROR, "Too little GEOB data\n"); + return AVERROR_INVALIDDATA; + } oc->rid = AV_RB32(&gdata[OMA_ENC_HEADER_SIZE + 28]); av_log(s, AV_LOG_DEBUG, "RID: %.8x\n", oc->rid); From 35f9a0896ee6858114831a5a8e951872e4473a75 Mon Sep 17 00:00:00 2001 
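Review bot: The bounds test added to decrypt_init uses the bare constants `8` and `48` with nothing to say which fields they cover, so a reader cannot check them against the `gdata[OMA_ENC_HEADER_SIZE + ...]` reads that follow. A comment above the condition naming the field behind each constant, or named constants beside `OMA_ENC_HEADER_SIZE`, would make the check auditable. The new path returns `AVERROR_INVALIDDATA` while the "Invalid encryption header" path just above still returns `-1`; aligning the two would keep the function's error reporting consistent.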
From: Michael Niedermayer Date: Thu, 24 Oct 2013 15:24:24 +0200 Subject: [PATCH 0681/1037] omadec: Fix wrong number of array elements Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: David Goldwich CC:libav-stable@libav.org Signed-off-by: Anton Khirnov (cherry picked from commit 97f50e92b5cf3b47a76f75d76ed4340e822030db) Signed-off-by: Reinhard Tartler --- libavformat/omadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 158e1a6abe..e3b151886e 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -263,7 +263,7 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header) !nprobe(s, gdata, geob->datasize, oc->n_val)) break; } - if (i >= sizeof(leaf_table)) { + if (i >= FF_ARRAY_ELEMS(leaf_table)) { av_log(s, AV_LOG_ERROR, "Invalid key\n"); return -1; } From 51ff11647f8dea26abfc63a533f7144b0502197d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 19:06:23 +0100 Subject: [PATCH 0682/1037] pcx: round up in bits->bytes conversion in a buffer size check Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 430d12196432ded13f011a3bf7690f03c9b2e5d6) Signed-off-by: Reinhard Tartler --- libavcodec/pcx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index 223429d35e..4bc9adc744 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -120,7 +120,7 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, nplanes = buf[65]; bytes_per_scanline = nplanes * bytes_per_line; - if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8 || + if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8 || (!compressed && bytes_per_scanline > buf_size / h)) { av_log(avctx, AV_LOG_ERROR, "PCX data is corrupted\n"); return -1; 
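Review bot: The rounded-up product `w * bits_per_pixel * nplanes + 7` in pcx_decode_frame is computed in `int` from header fields (`nplanes` is taken from `buf[65]` just above). If `w` and `bits_per_pixel` are not bounded earlier in the function, which is outside this hunk, the multiplication can overflow and the comparison then proves nothing. Widening one operand avoids that: `if (bytes_per_scanline < (w * (int64_t)bits_per_pixel * nplanes + 7) / 8 ||`. The second operand divides by `h`, so a zero height also has to be excluded before this line if that is not already done.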
From 7b337b122959b9bf634c31b549892df974f35b40 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 19:06:23 +0100 Subject: [PATCH 0683/1037] truemotion1: make sure index does not go out of bounds Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit c918e08b9cc9ce8d06159c51da55ec5ab018039a) Signed-off-by: Reinhard Tartler --- libavcodec/truemotion1.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index c49f9fecbf..63cd05b66c 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -512,6 +512,15 @@ hres,vres,i,i%vres (0 < i < 4) index = s->index_stream[index_stream_index++] * 4; \ } +#define INC_INDEX \ +do { \ + if (index >= 1023) { \ + av_log(s->avctx, AV_LOG_ERROR, "Invalid index value.\n"); \ + return; \ + } \ + index++; \ +} while (0) + #define APPLY_C_PREDICTOR() \ predictor_pair = s->c_predictor_table[index]; \ horiz_pred += (predictor_pair >> 1); \ @@ -524,10 +533,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define APPLY_C_PREDICTOR_24() \ predictor_pair = s->c_predictor_table[index]; \ @@ -541,10 +550,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define APPLY_Y_PREDICTOR() \ @@ -559,10 +568,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define APPLY_Y_PREDICTOR_24() \ predictor_pair = s->y_predictor_table[index]; \ 
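Review bot: `INC_INDEX` hard-codes `1023` as the largest legal index and hides a `return` inside a macro that is expanded in the `else` arms of all four `APPLY_*_PREDICTOR` macros (the hunk that defines it and the four that follow, the last of which is on the next line of this page). Deriving the bound from the table being indexed, `if (index >= FF_ARRAY_ELEMS(s->y_predictor_table) - 1) {`, keeps the check right if the table size changes. That assumes both predictor tables are true arrays of equal length, which is not visible here. A comment on the macro stating that it leaves the enclosing function, which must therefore return `void` and hold nothing that needs releasing at that point, would make the hidden exit visible.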
@@ -576,10 +585,10 @@ hres,vres,i,i%vres (0 < i < 4) if (predictor_pair & 1) \ GET_NEXT_INDEX() \ else \ - index++; \ + INC_INDEX; \ } \ } else \ - index++; + INC_INDEX; #define OUTPUT_PIXEL_PAIR() \ *current_pixel_pair = *vert_pred + horiz_pred; \ From 7c214e313c92e8e9f125c0ab74902bdd5ae2e153 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 19:06:23 +0100 Subject: [PATCH 0684/1037] avidec: fix a memleak in the dv init code. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit ce9bba5340a5fb6f38974a19af019dd6aa2da035) Signed-off-by: Reinhard Tartler --- libavformat/avidec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index e17d932319..414ed01c55 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -456,6 +456,7 @@ static int avi_read_header(AVFormatContext *s) ast = s->streams[0]->priv_data; av_freep(&s->streams[0]->codec->extradata); av_freep(&s->streams[0]->codec); + av_freep(&s->streams[0]->info); av_freep(&s->streams[0]); s->nb_streams = 0; if (CONFIG_DV_DEMUXER) { From 26221a54eca391de29557fc08c32d23a40ef4d32 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 15:33:20 +0100 Subject: [PATCH 0685/1037] motionpixels: clip VLC codes. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit ca41c72c6d9515d9045bd3b68104525dee81b8d0) Signed-off-by: Reinhard Tartler --- libavcodec/motionpixels.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index c2bd0f4d2b..4c0b98be91 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -159,6 +159,7 @@ static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) int i; i = (mp->codes_count == 1) ? 0 : get_vlc2(gb, mp->vlc.table, mp->max_codes_bits, 1); + i = FFMIN(i, FF_ARRAY_ELEMS(mp->codes) - 1); return mp->codes[i].delta; } 
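Review bot: `FFMIN(i, FF_ARRAY_ELEMS(mp->codes) - 1)` in mp_get_vlc compares a signed `int` with a `size_t`, so if `get_vlc2()` returns a negative value it is caught only because it converts to a very large unsigned number and is replaced by the last index. That should be stated next to the line: `/* negative and too-large codes both end up at the last entry (unsigned comparison) */`. Entries at or above `mp->codes_count` may never have been filled for the current frame. If so, clamping against `mp->codes_count - 1` rather than the array capacity would be the tighter bound; this needs checking against the code that builds the table, which is outside the hunk.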
From cbf51c4d36af139b6ce2c3f1c96955ca87468e2a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 10:15:24 +0100 Subject: [PATCH 0686/1037] matroskadec: pad EBML_BIN data. It might be passed to code requiring padding, such as lzo decompression. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 30be1ea33e5525266ad871bed60b1893a53caeaf) Signed-off-by: Reinhard Tartler --- libavformat/matroskadec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index e42118c10f..730285afdc 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -704,9 +704,11 @@ static int ebml_read_ascii(AVIOContext *pb, int size, char **str) static int ebml_read_binary(AVIOContext *pb, int length, EbmlBin *bin) { av_free(bin->data); - if (!(bin->data = av_malloc(length))) + if (!(bin->data = av_malloc(length + FF_INPUT_BUFFER_PADDING_SIZE))) return AVERROR(ENOMEM); + memset(bin->data + length, 0, FF_INPUT_BUFFER_PADDING_SIZE); + bin->size = length; bin->pos = avio_tell(pb); if (avio_read(pb, bin->data, length) != length) { From f9f2591beb1125237be803f1f9b6c576f5ae60a7 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 1 Dec 2013 09:27:01 +0100 Subject: [PATCH 0687/1037] alsa-audio-dec: explicitly cast the delay to a signed int64 Otherwise the expression will be evaluated as unsigned, which will break when the result should be negative. CC:libav-stable@libav.org (cherry picked from commit 089fac77a6bf9199a5ec161e9c27850f0a680541) Signed-off-by: Reinhard Tartler --- libavdevice/alsa-audio-dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/alsa-audio-dec.c b/libavdevice/alsa-audio-dec.c index 5b32ed980c..0687a4ad3d 100644 --- a/libavdevice/alsa-audio-dec.c +++ b/libavdevice/alsa-audio-dec.c 
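Review bot: The reason for the extra `FF_INPUT_BUFFER_PADDING_SIZE` bytes and the `memset` in ebml_read_binary is given only in the commit message. A comment in the code would keep the padding from being dropped later: `/* zeroed padding: the data may go to readers that over-read, e.g. LZO decompression */`. `length + FF_INPUT_BUFFER_PADDING_SIZE` is an `int` addition on a size taken from the file, so it relies on the callers capping `length`; stating that precondition in the same comment, or checking it here, would make it explicit.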
@@ -142,7 +142,7 @@ static int audio_read_packet(AVFormatContext *s1, AVPacket *pkt) ts_delay += res; pkt->pts = timestamp.tv_sec * 1000000LL + (timestamp.tv_nsec * st->codec->sample_rate - - ts_delay * 1000000000LL + st->codec->sample_rate * 500LL) + - (int64_t)ts_delay * 1000000000LL + st->codec->sample_rate * 500LL) / (st->codec->sample_rate * 1000LL); pkt->size = res * s->frame_size; From 2656036757227148a442d9c0934ee49bb97a31d1 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 13 Oct 2013 15:34:47 +0200 Subject: [PATCH 0688/1037] ffv1: Assume bitdepth 0 means 8bit CC: libav-stable@libav.org Reported-by: debian/726189 (cherry picked from commit a90905db2e6ab1840890f3a88bfd3bf008b9d886) Signed-off-by: Reinhard Tartler --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 97e2bd5873..e74598cd68 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -670,6 +670,7 @@ static int read_header(FFV1Context *f) return AVERROR(ENOSYS); } switch (f->avctx->bits_per_raw_sample) { + case 0: case 8: f->avctx->pix_fmt = AV_PIX_FMT_RGB32; break; From 0358a099f8abe60230dc2e5bec59bfceb7d1be07 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 11 Oct 2013 10:51:53 +0200 Subject: [PATCH 0689/1037] indeo4: Check the block size if reusing the band configuration Sample-Id: 00000287-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 0cb83c563848bf8f8365e7bd30e7e6b57ef360f0) Signed-off-by: Reinhard Tartler --- libavcodec/indeo4.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 42b11305e4..73a7a6672a 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c 
@@ -294,6 +294,7 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, band->is_empty = get_bits1(&ctx->gb); if (!band->is_empty) { + int old_blk_size = band->blk_size; /* skip header size * If header size is not given, header size is 4 bytes. */ if (get_bits1(&ctx->gb)) @@ -379,6 +380,13 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, band->quant_mat); return AVERROR_INVALIDDATA; } + } else { + if (old_blk_size != band->blk_size) { + av_log(avctx, AV_LOG_ERROR, + "The band block size does not match the configuration " + "inherited\n"); + return AVERROR_INVALIDDATA; + } } /* decode block huffman codebook */ From 03457cabd618d4de3e64cb890af268fd67b83aec Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 11 Oct 2013 11:34:03 +0200 Subject: [PATCH 0690/1037] indeo4: Check the inherited quant_mat Invalidate it if not supported. Sample-Id: 00000262-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c9ef6b09326a24010bf86d6b0d19cfa42df4d546) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/indeo4.c --- libavcodec/indeo4.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 73a7a6672a..b250f506b4 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c 
@@ -371,13 +371,17 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, band->scan = scan_index_to_tab[scan_indx]; band->quant_mat = get_bits(&ctx->gb, 5); - if (band->quant_mat == 31) { - av_log(avctx, AV_LOG_ERROR, "Custom quant matrix encountered!\n"); - return AVERROR_INVALIDDATA; - } if (band->quant_mat >= FF_ARRAY_ELEMS(quant_index_to_tab)) { av_log_ask_for_sample(avctx, "Quantization matrix %d", band->quant_mat); + + if (band->quant_mat == 31) + av_log(avctx, AV_LOG_ERROR, + "Custom quant matrix encountered!\n"); + else + av_log_ask_for_sample(avctx, "Quantization matrix %d", + band->quant_mat); + band->quant_mat = -1; return AVERROR_INVALIDDATA; } } else { @@ -387,6 +391,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, "inherited\n"); return AVERROR_INVALIDDATA; } + if (band->quant_mat < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid quant_mat inherited\n"); + return AVERROR_INVALIDDATA; + } } /* decode block huffman codebook */ From 481e55eba7a7942a0497e5bb4191cb1971e19760 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 2 Oct 2013 16:40:02 +0200 Subject: [PATCH 0691/1037] audio_mix: fix channel order in mix_1_to_2_fltp_flt_c CC:libav-stable@libav.org (cherry picked from commit df6737a55f5dc7c0ae5272bc5fa6182836d5481c) Signed-off-by: Reinhard Tartler --- libavresample/audio_mix.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavresample/audio_mix.c b/libavresample/audio_mix.c index c0560288a5..f737a30fc8 100644 --- a/libavresample/audio_mix.c +++ b/libavresample/audio_mix.c 
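Review bot: The context line `av_log_ask_for_sample(avctx, "Quantization matrix %d", band->quant_mat);` survives directly above the added `if (band->quant_mat == 31) ... else ...` block in decode_band_hdr, so every rejected matrix index is now reported twice, and the custom-matrix case (31) still asks for a sample before printing its own error. This looks like a leftover from the conflict resolution mentioned in the commit message. Dropping the unconditional call leaves one message per case, with the new `band->quant_mat = -1;` invalidation unchanged.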
@@ -195,23 +195,23 @@ static void mix_1_to_2_fltp_flt_c(float **samples, float **matrix, int len, while (len > 4) { v = *src++; - *dst0++ = v * m1; - *dst1++ = v * m0; + *dst0++ = v * m0; + *dst1++ = v * m1; v = *src++; - *dst0++ = v * m1; - *dst1++ = v * m0; + *dst0++ = v * m0; + *dst1++ = v * m1; v = *src++; - *dst0++ = v * m1; - *dst1++ = v * m0; + *dst0++ = v * m0; + *dst1++ = v * m1; v = *src++; - *dst0++ = v * m1; - *dst1++ = v * m0; + *dst0++ = v * m0; + *dst1++ = v * m1; len -= 4; } while (len > 0) { v = *src++; - *dst0++ = v * m1; - *dst1++ = v * m0; + *dst0++ = v * m0; + *dst1++ = v * m1; len--; } } From 1d7a453dcfe4edae7d08aed0bed5ccd993409d42 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 10 Oct 2013 21:02:10 +0200 Subject: [PATCH 0692/1037] prores: Reject negative run and level values Sample-Id: 00000611-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit c0de9a23c7080e2fac8f879b9d9a0ce2b64ea953) Signed-off-by: Reinhard Tartler --- libavcodec/proresdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/proresdec.c b/libavcodec/proresdec.c index 4b196f6d32..a47f16e575 100644 --- a/libavcodec/proresdec.c +++ b/libavcodec/proresdec.c @@ -392,12 +392,16 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, return; run = decode_vlc_codeword(gb, ff_prores_ac_codebook[run_cb_index]); + if (run < 0) + return AVERROR_INVALIDDATA; bits_left = get_bits_left(gb); if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) return; level = decode_vlc_codeword(gb, ff_prores_ac_codebook[lev_cb_index]) + 1; + if (level < 0) + return AVERROR_INVALIDDATA; pos += run + 1; if (pos >= max_coeffs) From e361fde8b011bcd556057f949e984f58bfdaa974 Mon Sep 17 00:00:00 2001 
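Review bot: In the proresdec.c hunk, both added checks use `return AVERROR_INVALIDDATA;`, but the hunk header still shows the function as `static inline void decode_ac_coeffs(...)` and the neighbouring early exits are bare `return;`. Returning a value from a void function is a constraint violation in C, and the error code cannot reach any caller at this commit. Either use `return;` here like the surrounding exits, or change the return type to `int` in the same commit and have the caller test it, so that this revision builds cleanly on its own. The function starts and ends outside the hunk.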
From: Luca Barbato Date: Tue, 6 Aug 2013 01:39:07 +0200 Subject: [PATCH 0693/1037] avi: properly fail if the dv demuxer is missing CC: libav-stable@libav.org (cherry picked from commit 1cac9accbd1f9b8596122d0735e37b97a844c514) Signed-off-by: Reinhard Tartler --- libavformat/avidec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 414ed01c55..e0c1988803 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -463,7 +463,8 @@ static int avi_read_header(AVFormatContext *s) avi->dv_demux = avpriv_dv_init_demux(s); if (!avi->dv_demux) goto fail; - } + } else + goto fail; s->streams[0]->priv_data = ast; avio_skip(pb, 3 * 4); ast->scale = avio_rl32(pb); From f53a5332b017da21e57da2d5f4e5e56bfa5f2f2f Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 5 Jan 2014 17:23:12 -0500 Subject: [PATCH 0694/1037] Prepare for 9.11 RELEASE --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 5f3c44015f..d4ce17d7db 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.10 +9.11 From 5bbee02ae04f3c49ae7f76f510fb1702761c0f15 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 4 Sep 2013 19:26:36 +0200 Subject: [PATCH 0695/1037] shorten: Extend fixed_coeffs to properly support pred_order 0 Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit b2148faca9e9e553c14b27844b56e367c85a777e) Signed-off-by: Reinhard Tartler --- libavcodec/shorten.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index fda90fedfe..ea2277218d 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -277,7 +277,8 @@ static void output_buffer(int16_t **samples, int nchan, int blocksize, } } -static const int fixed_coeffs[3][3] = { +static const int fixed_coeffs[][3] = { + { 0, 0, 0 }, { 1, 0, 0 }, { 2, -1, 0 }, { 3, -3, 1 } 
@@ -306,7 +307,12 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, } else { /* fixed LPC coeffs */ pred_order = command; - coeffs = fixed_coeffs[pred_order - 1]; + if (pred_order > FF_ARRAY_ELEMS(fixed_coeffs)) { + av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", + pred_order); + return AVERROR_INVALIDDATA; + } + coeffs = fixed_coeffs[pred_order]; qshift = 0; } From d149c14a2263cf17e09a18e577b7a99043e26fbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 4 Oct 2013 09:52:02 +0300 Subject: [PATCH 0696/1037] mov: Don't allocate arrays with av_malloc that will be realloced MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit b698542ad83284fbb8c22404e3cafeb2dd739d38) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6b89a2d1ba..8c547067b7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2313,7 +2313,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!sc->ctts_count && sc->sample_count) { /* Complement ctts table if moov atom doesn't have ctts atom. */ - ctts_data = av_malloc(sizeof(*sc->ctts_data)); + ctts_data = av_realloc(NULL, sizeof(*sc->ctts_data)); if (!ctts_data) return AVERROR(ENOMEM); sc->ctts_data = ctts_data; From 61057f4604eb909ac2b37f08c7d2b0ed758fd4bf Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 6 Aug 2013 03:52:48 +0200 Subject: [PATCH 0697/1037] avi: directly resync on DV in AVI read failure Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit ceec6e792e4b5baaa23b220f4fd33417631f5288) Signed-off-by: Reinhard Tartler --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) 
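Review bot: The new bound in decode_subframe_lpc is off by one, because `pred_order > FF_ARRAY_ELEMS(fixed_coeffs)` still accepts `pred_order == FF_ARRAY_ELEMS(fixed_coeffs)`. The previous hunk of this commit gives the table four rows, so that value makes `fixed_coeffs[pred_order]` read one row past the end of the array. The comparison should be `if (pred_order >= FF_ARRAY_ELEMS(fixed_coeffs)) {`. The declared type of `pred_order` is outside the hunk, so it is worth confirming that a negative `command` is also rejected by this comparison.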
diff --git a/libavformat/avidec.c b/libavformat/avidec.c index e0c1988803..109b0ab5d8 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -990,6 +990,8 @@ static int avi_read_packet(AVFormatContext *s, AVPacket *pkt) int size = avpriv_dv_get_packet(avi->dv_demux, pkt); if (size >= 0) return size; + else + goto resync; } if(avi->non_interleaved){ From 5ae7ed3aa4f3f4ed07677edeb6edebf9967caa82 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Tue, 22 Oct 2013 16:11:11 +0100 Subject: [PATCH 0698/1037] nut: Fix unchecked allocations CC: libav-stable@libav.org (cherry picked from commit b1fcdc08ceb5df69fac34aa0d57c56905d32b8b4) Signed-off-by: Derek Buitenhuis --- libavformat/nut.c | 10 +++++++++- libavformat/nut.h | 2 +- libavformat/nutdec.c | 5 ++++- libavformat/nutenc.c | 3 ++- 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/libavformat/nut.c b/libavformat/nut.c index 196e04e54f..65d84d1d41 100644 --- a/libavformat/nut.c +++ b/libavformat/nut.c @@ -179,10 +179,16 @@ int ff_nut_sp_pts_cmp(const Syncpoint *a, const Syncpoint *b){ return ((a->ts - b->ts) >> 32) - ((b->ts - a->ts) >> 32); } -void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts){ +int ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts){ Syncpoint *sp= av_mallocz(sizeof(Syncpoint)); struct AVTreeNode *node = av_tree_node_alloc(); + if (!sp || !node) { + av_freep(&sp); + av_freep(&node); + return AVERROR(ENOMEM); + } + sp->pos= pos; sp->back_ptr= back_ptr; sp->ts= ts; @@ -191,6 +197,8 @@ void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts){ av_free(sp); av_free(node); } + + return 0; } static int enu_free(void *opaque, void *elem) diff --git a/libavformat/nut.h b/libavformat/nut.h index 89b0248fa4..066d186f25 100644 --- a/libavformat/nut.h +++ b/libavformat/nut.h 
@@ -119,7 +119,7 @@ void ff_nut_reset_ts(NUTContext *nut, AVRational time_base, int64_t val); int64_t ff_lsb2full(StreamContext *stream, int64_t lsb); int ff_nut_sp_pos_cmp(const Syncpoint *a, const Syncpoint *b); int ff_nut_sp_pts_cmp(const Syncpoint *a, const Syncpoint *b); -void ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts); +int ff_nut_add_sp(NUTContext *nut, int64_t pos, int64_t back_ptr, int64_t ts); void ff_nut_free_sp(NUTContext *nut); extern const Dispositions ff_nut_dispositions[]; diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index b705987795..1a9390c9d6 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -526,6 +526,7 @@ static int decode_syncpoint(NUTContext *nut, int64_t *ts, int64_t *back_ptr) AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; int64_t end, tmp; + int ret; nut->last_syncpoint_pos = avio_tell(bc) - 8; @@ -547,7 +548,9 @@ static int decode_syncpoint(NUTContext *nut, int64_t *ts, int64_t *back_ptr) *ts = tmp / s->nb_streams * av_q2d(nut->time_base[tmp % s->nb_streams]) * AV_TIME_BASE; - ff_nut_add_sp(nut, nut->last_syncpoint_pos, *back_ptr, *ts); + + if ((ret = ff_nut_add_sp(nut, nut->last_syncpoint_pos, *back_ptr, *ts)) < 0) + return ret; return 0; } diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index df70f94122..51bddf00e7 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -815,7 +815,8 @@ static int nut_write_packet(AVFormatContext *s, AVPacket *pkt) ff_put_v(dyn_bc, sp ? (nut->last_syncpoint_pos - sp->pos) >> 4 : 0); put_packet(nut, bc, dyn_bc, 1, SYNCPOINT_STARTCODE); - ff_nut_add_sp(nut, nut->last_syncpoint_pos, 0 /*unused*/, pkt->dts); + if ((ret = ff_nut_add_sp(nut, nut->last_syncpoint_pos, 0 /*unused*/, pkt->dts)) < 0) + return ret; } assert(nus->last_pts != AV_NOPTS_VALUE); From 65830277d2d2ee3658e1f070a61044fff261ed3e Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Thu, 10 Oct 2013 08:40:39 +0200 Subject: [PATCH 0699/1037] prores: Add a codepath for decoding errors (cherry picked from commit 44690dfa683f620c77e9f0e8e9bc5682608636b1) Signed-off-by: Derek Buitenhuis --- libavcodec/proresdec.c | 72 ++++++++++++++++++++++++------------------ 1 file changed, 42 insertions(+), 30 deletions(-) diff --git a/libavcodec/proresdec.c b/libavcodec/proresdec.c index a47f16e575..6d63463ab7 100644 --- a/libavcodec/proresdec.c +++ b/libavcodec/proresdec.c @@ -368,7 +368,7 @@ static inline void decode_dc_coeffs(GetBitContext *gb, DCTELEM *out, /** * Decode AC coefficients for all blocks in a slice. */ -static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, +static inline int decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, int blocks_per_slice, int plane_size_factor, const uint8_t *scan) @@ -389,7 +389,7 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, bits_left = get_bits_left(gb); if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) - return; + return AVERROR_INVALIDDATA; run = decode_vlc_codeword(gb, ff_prores_ac_codebook[run_cb_index]); if (run < 0) @@ -397,7 +397,7 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, bits_left = get_bits_left(gb); if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) - return; + return AVERROR_INVALIDDATA; level = decode_vlc_codeword(gb, ff_prores_ac_codebook[lev_cb_index]) + 1; if (level < 0) 
@@ -411,22 +411,24 @@ static inline void decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, out[((pos & block_mask) << 6) + scan[pos >> plane_size_factor]] = (level ^ sign) - sign; } + + return 0; } /** * Decode a slice plane (luma or chroma). */ -static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td, - const uint8_t *buf, - int data_size, uint16_t *out_ptr, - int linesize, int mbs_per_slice, - int blocks_per_mb, int plane_size_factor, - const int16_t *qmat, int is_chroma) +static int decode_slice_plane(ProresContext *ctx, ProresThreadData *td, + const uint8_t *buf, + int data_size, uint16_t *out_ptr, + int linesize, int mbs_per_slice, + int blocks_per_mb, int plane_size_factor, + const int16_t *qmat, int is_chroma) { GetBitContext gb; DCTELEM *block_ptr; - int mb_num, blocks_per_slice; + int mb_num, blocks_per_slice, ret; blocks_per_slice = mbs_per_slice * blocks_per_mb; @@ -436,8 +438,10 @@ static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td, decode_dc_coeffs(&gb, td->blocks, blocks_per_slice); - decode_ac_coeffs(&gb, td->blocks, blocks_per_slice, - plane_size_factor, ctx->scantable.permutated); + ret = decode_ac_coeffs(&gb, td->blocks, blocks_per_slice, + plane_size_factor, ctx->scantable.permutated); + if (ret < 0) + return ret; /* inverse quantization, inverse transform and output */ block_ptr = td->blocks; @@ -471,6 +475,7 @@ static void decode_slice_plane(ProresContext *ctx, ProresThreadData *td, } } } + return 0; } @@ -489,6 +494,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata) int i, sf, slice_width_factor; int slice_data_size, hdr_size, y_data_size, u_data_size, v_data_size; int y_linesize, u_linesize, v_linesize; + int ret; buf = ctx->slice_data[slice_num].index; slice_data_size = ctx->slice_data[slice_num + 1].index - buf; 
@@ -545,28 +551,34 @@ static int decode_slice(AVCodecContext *avctx, void *tdata) } /* decode luma plane */ - decode_slice_plane(ctx, td, buf + hdr_size, y_data_size, - (uint16_t*) (y_data + (mb_y_pos << 4) * y_linesize + - (mb_x_pos << 5)), y_linesize, - mbs_per_slice, 4, slice_width_factor + 2, - td->qmat_luma_scaled, 0); + ret = decode_slice_plane(ctx, td, buf + hdr_size, y_data_size, + (uint16_t*) (y_data + (mb_y_pos << 4) * y_linesize + + (mb_x_pos << 5)), y_linesize, + mbs_per_slice, 4, slice_width_factor + 2, + td->qmat_luma_scaled, 0); + if (ret < 0) + return ret; /* decode U chroma plane */ - decode_slice_plane(ctx, td, buf + hdr_size + y_data_size, u_data_size, - (uint16_t*) (u_data + (mb_y_pos << 4) * u_linesize + - (mb_x_pos << ctx->mb_chroma_factor)), - u_linesize, mbs_per_slice, ctx->num_chroma_blocks, - slice_width_factor + ctx->chroma_factor - 1, - td->qmat_chroma_scaled, 1); + ret = decode_slice_plane(ctx, td, buf + hdr_size + y_data_size, u_data_size, + (uint16_t*) (u_data + (mb_y_pos << 4) * u_linesize + + (mb_x_pos << ctx->mb_chroma_factor)), + u_linesize, mbs_per_slice, ctx->num_chroma_blocks, + slice_width_factor + ctx->chroma_factor - 1, + td->qmat_chroma_scaled, 1); + if (ret < 0) + return ret; /* decode V chroma plane */ - decode_slice_plane(ctx, td, buf + hdr_size + y_data_size + u_data_size, - v_data_size, - (uint16_t*) (v_data + (mb_y_pos << 4) * v_linesize + - (mb_x_pos << ctx->mb_chroma_factor)), - v_linesize, mbs_per_slice, ctx->num_chroma_blocks, - slice_width_factor + ctx->chroma_factor - 1, - td->qmat_chroma_scaled, 1); + ret = decode_slice_plane(ctx, td, buf + hdr_size + y_data_size + u_data_size, + v_data_size, + (uint16_t*) (v_data + (mb_y_pos << 4) * v_linesize + + (mb_x_pos << ctx->mb_chroma_factor)), + v_linesize, mbs_per_slice, ctx->num_chroma_blocks, + slice_width_factor + ctx->chroma_factor - 1, + td->qmat_chroma_scaled, 1); + if (ret < 0) + return ret; return 0; } 
From a0866c71293db80f271f11176eae72217d773e9a Mon Sep 17 00:00:00 2001 From: Tim Walker Date: Wed, 9 Oct 2013 11:47:04 +0200 Subject: [PATCH 0700/1037] shorten: Fix out-of-array read pred_order == FF_ARRAY_ELEMS(fixed_coeffs) is invalid too. Signed-off-by: Luca Barbato (cherry picked from commit 5f5ada3dbf97e306a74250ba8dcf8619ad59b020) Signed-off-by: Tim Walker --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index ea2277218d..22976e0137 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -307,7 +307,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, } else { /* fixed LPC coeffs */ pred_order = command; - if (pred_order > FF_ARRAY_ELEMS(fixed_coeffs)) { + if (pred_order >= FF_ARRAY_ELEMS(fixed_coeffs)) { av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", pred_order); return AVERROR_INVALIDDATA; From 4de4eb60a1ba54edb2baf6d3c2cce91d92172a97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Jan 2014 17:33:59 +0100 Subject: [PATCH 0701/1037] avformat/oggdec: dont read timestamps from EOS pages of ogm videos Some muxers store invalid timestamps there, which breaks seeking Fixes Ticket2739 Signed-off-by: Michael Niedermayer (cherry picked from commit 5e0c7eab2a9d43e6e3be967ec1a6b04a3e0328da) --- libavformat/oggdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index e51db61357..0d283b15c5 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c 
@@ -768,6 +768,11 @@ static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index, && !ogg_packet(s, &i, &pstart, &psize, pos_arg)) { if (i == stream_index) { struct ogg_stream *os = ogg->streams + stream_index; + // Dont trust the last timestamps of a ogm video + if ( (os->flags & OGG_FLAG_EOS) + && !(os->flags & OGG_FLAG_BOS) + && os->codec == &ff_ogm_video_codec) + continue; pts = ogg_calc_pts(s, i, NULL); ogg_validate_keyframe(s, i, pstart, psize); if (os->pflags & AV_PKT_FLAG_KEY) { From adb784ad86103e4874e13fa1b9f88e36ab4e9a16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jan 2014 04:49:50 +0100 Subject: [PATCH 0702/1037] avformat/mxfdec: detect loops during header parsing The header parser uses forward and backward parsing, making the bulletproof prevention of loops difficult, thus this simple detection code. If someone improves the forward/backward parsing so it cannot loop then this commit should be reverted Fixes Ticket3278 Signed-off-by: Michael Niedermayer (cherry picked from commit 1c010fd035c1a14dc73827b84f21f593e969a5d6) --- libavformat/mxfdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index dc7930eefe..7b9daa20b7 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1849,6 +1849,8 @@ static int mxf_read_header(AVFormatContext *s) MXFContext *mxf = s->priv_data; KLVPacket klv; int64_t essence_offset = 0; + int64_t last_pos = -1; + uint64_t last_pos_index = 1; int ret; mxf->last_forward_tell = INT64_MAX; 
@@ -1864,7 +1866,12 @@ static int mxf_read_header(AVFormatContext *s) while (!url_feof(s->pb)) { const MXFMetadataReadTableEntry *metadata; - + if (avio_tell(s->pb) == last_pos) { + av_log(mxf->fc, AV_LOG_ERROR, "MXF structure loop detected\n"); + return AVERROR_INVALIDDATA; + } + if ((1ULL<<61) % last_pos_index++ == 0) + last_pos = avio_tell(s->pb); if (klv_read_packet(&klv, s->pb) < 0) { /* EOF - seek to previous partition or stop */ if(mxf_parse_handle_partition_or_eof(mxf) <= 0) From 3ada932202ae919d432e7337baaf2ff3b0a22859 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 7 Jan 2014 22:49:05 +0100 Subject: [PATCH 0703/1037] Use the h264 parser when decoding VSSH in avi. Fixes ticket #3261 visually. Analyzed-by: Michael Doilnitsyn (cherry picked from commit 94cf4f8bac12c58e30ce3b5d72cf5898baafe9a8) Conflicts: libavformat/avidec.c --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index c8d5818821..f33d3a7108 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -636,6 +636,8 @@ static int avi_read_header(AVFormatContext *s) st->codec->codec_tag = tag1; st->codec->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag1); st->need_parsing = AVSTREAM_PARSE_HEADERS; // This is needed to get the pict type which is necessary for generating correct pts. + if (st->codec->codec_tag == MKTAG('V', 'S', 'S', 'H')) + st->need_parsing = AVSTREAM_PARSE_FULL; if(st->codec->codec_tag==0 && st->codec->height > 0 && st->codec->extradata_size < 1U<<30){ st->codec->extradata_size+= 9; From 5ea2a8d43e692bd4ed61edce3505b49ea65e36ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jan 2014 04:02:58 +0100 Subject: [PATCH 0704/1037] avcodec/msvideo1enc: fix SKIPS_MAX Fixes Ticket3270 Signed-off-by: Michael Niedermayer (cherry picked from commit fb8f5d0510619cea2204246631f1c0dcd994ee25) --- libavcodec/msvideo1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
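Review bot: The loop detector added at the top of the `while (!url_feof(s->pb))` loop in mxf_read_header has no comment, and `(1ULL<<61) % last_pos_index++ == 0` is hard to read as intended. That expression is true exactly when the iteration counter is a power of two, so `last_pos` is a checkpoint taken at iterations 1, 2, 4, 8, and the first test fires when the parser comes back to the most recent checkpoint. A short comment would keep this from being simplified away later, for example `/* remember the position at power-of-two iteration counts; returning to it means the forward/backward parse is looping */`. The function body continues outside the hunk.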
diff --git a/libavcodec/msvideo1enc.c b/libavcodec/msvideo1enc.c index e0efb4823f..2cbf2d48d7 100644 --- a/libavcodec/msvideo1enc.c +++ b/libavcodec/msvideo1enc.c @@ -58,7 +58,7 @@ enum MSV1Mode{ }; #define SKIP_PREFIX 0x8400 -#define SKIPS_MAX 0x0FFF +#define SKIPS_MAX 0x03FF #define MKRGB555(in, off) ((in[off] << 10) | (in[off + 1] << 5) | (in[off + 2])) static const int remap[16] = { 0, 1, 4, 5, 2, 3, 6, 7, 8, 9, 12, 13, 10, 11, 14, 15 }; From 9aa22918c258bfe8ee0769fe158d41a344e3178a Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 10 Oct 2013 10:26:31 +0200 Subject: [PATCH 0705/1037] prores: Error out only on surely incomplete ac_coeffs (cherry picked from commit 2df7f7714a12a59d31058aba15fb1e348e36b0ab) Signed-off-by: Luca Barbato --- libavcodec/proresdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec.c b/libavcodec/proresdec.c index 6d63463ab7..2049545405 100644 --- a/libavcodec/proresdec.c +++ b/libavcodec/proresdec.c @@ -389,7 +389,7 @@ static inline int decode_ac_coeffs(GetBitContext *gb, DCTELEM *out, bits_left = get_bits_left(gb); if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) - return AVERROR_INVALIDDATA; + return 0; run = decode_vlc_codeword(gb, ff_prores_ac_codebook[run_cb_index]); if (run < 0) From 1017b5914cecb447ee04d7b1c9c8562daa442da3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jan 2014 15:20:18 +0100 Subject: [PATCH 0706/1037] update for 1.1.8 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 2bf1ca5f54..18efdb9ae6 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.7 +1.1.8 diff --git a/VERSION b/VERSION index 2bf1ca5f54..18efdb9ae6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.7 +1.1.8 diff --git a/doc/Doxyfile b/doc/Doxyfile index b68f1932a8..5292ce9845 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.7 +PROJECT_NUMBER = 1.1.8 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From e38c62fe0c24ae4d138f4eff8b91db996a8b7e1d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 13 Jan 2014 11:55:18 +0100 Subject: [PATCH 0707/1037] lavf: simplify handling of offset in av_probe_input_buffer() (cherry picked from commit c1868e7ee7b07b40a0fe15f50df89fe499a01a50) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index b0bfea224f..fb6606be9a 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -357,7 +357,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, const char *filename, void *logctx, unsigned int offset, unsigned int max_probe_size) { - AVProbeData pd = { filename ? filename : "", NULL, -offset }; + AVProbeData pd = { filename ? filename : "" }; unsigned char *buf = NULL; int ret = 0, probe_size; @@ -372,16 +372,14 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, if (offset >= max_probe_size) { return AVERROR(EINVAL); } + avio_skip(pb, offset); + max_probe_size -= offset; for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt; probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0; int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1; - if (probe_size < offset) { - continue; - } - /* read probe data */ buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) { 
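Review bot: In the second libavformat/utils.c hunk, the result of the added `avio_skip(pb, offset);` is discarded, so a failed or short skip leaves av_probe_input_buffer probing from a different position than the caller asked for, with no error reported. Checking it keeps the offset handling honest, e.g. `if (avio_skip(pb, offset) < 0) return AVERROR(EIO);`. It is also worth confirming, outside this hunk, that `max_probe_size - offset` cannot drop below PROBE_BUF_MIN without being reported, since the probing loop would then not run at all.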
@@ -394,7 +392,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, ret = 0; /* error was end of file, nothing read */ } pd.buf_size += ret; - pd.buf = &buf[offset]; + pd.buf = buf; memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE); From 539d255871c9b3b2529c7c74167dc0e0a237452f Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 13 Jan 2014 11:56:59 +0100 Subject: [PATCH 0708/1037] lavf: use a fixed width type It's shorter and more consistent with the rest of the code. (cherry picked from commit 8b76362836f3c373c3aadc544522edcbef16dd5f) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index fb6606be9a..6cc4178f5c 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -358,7 +358,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, unsigned int offset, unsigned int max_probe_size) { AVProbeData pd = { filename ? filename : "" }; - unsigned char *buf = NULL; + uint8_t *buf = NULL; int ret = 0, probe_size; if (!max_probe_size) { From 8575f5362f98c937758b20ff8512d6767a56208e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 13 Jan 2014 13:47:07 +0100 Subject: [PATCH 0709/1037] lavf: make av_probe_input_buffer more robust Always use the actually read size as the offset instead of making possibly invalid assumptions. Addresses: CVE-2012-6618 (cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733) Conflicts: libavformat/utils.c Signed-off-by: Anton Khirnov --- libavformat/utils.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 6cc4178f5c..43790c72d9 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -378,11 +378,10 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt; probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0; - int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1; /* read probe data */ buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); - if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) { + if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) { /* fail if error was not end of file, otherwise, lower score */ if (ret != AVERROR_EOF) { av_free(buf); From 3ae81880e1ea688e732f736f2008c6f3e4cfab18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jan 2014 04:55:01 +0100 Subject: [PATCH 0710/1037] avcodec/mjpegdec: update cur_scan also for non-LS jpeg This should make no difference but the variable will be used in a subsequent commit Signed-off-by: Michael Niedermayer (cherry picked from commit 8893f31e206358d933abe4a5227b5ae89f5f303d) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 60d3b70d65..78f63fec87 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1596,8 +1596,6 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s, int t = 0, b = 0; PutBitContext pb; - s->cur_scan++; - /* find marker */ while (src + t < buf_end) { uint8_t x = src[t++]; @@ -1783,6 +1781,7 @@ eoi_parser: goto the_end; case SOS: + s->cur_scan++; if ((ret = ff_mjpeg_decode_sos(s, NULL, NULL)) < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) goto fail; From 55a4228ac2ee1890c5c139e5af8cc1e980d31953 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jan 2014 04:56:13 +0100 Subject: [PATCH 0711/1037] avcodec/mjpegdec: only run EOI emulation code when there was a scan 
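Review bot: The new read `avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)` uses the result of `buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);` on the line above without a NULL check anywhere in this hunk. On allocation failure the previous buffer is leaked and the read is handed a pointer derived from NULL, at an offset that grows with the data already probed. Reallocating into a temporary closes both problems: `if (!(tmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE))) { av_free(buf); return AVERROR(ENOMEM); }` followed by `buf = tmp;`. The loop body continues outside the hunk.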
Signed-off-by: Michael Niedermayer (cherry picked from commit 361e27a3d8096baacc45d2551a1ebfcbfdaa6a67) --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 78f63fec87..60a47f2379 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1811,7 +1811,7 @@ eoi_parser: (get_bits_count(&s->gb) + 7) / 8, get_bits_count(&s->gb)); } } - if (s->got_picture) { + if (s->got_picture && s->cur_scan) { av_log(avctx, AV_LOG_WARNING, "EOI missing, emulating\n"); goto eoi_parser; } From bb26a88193d93d3f9bee65064a92fcac1da7f657 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jan 2014 04:02:11 +0100 Subject: [PATCH 0712/1037] avcodec/mjpegdec: Dont treat the lack of a startcode differently from end of the bitstream Fixes Ticket3303 Signed-off-by: Michael Niedermayer (cherry picked from commit 31e703e899bee74c50efd8eb62c3d012ef5ab26d) --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 60a47f2379..be85fc55a0 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1659,7 +1659,7 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, &unescaped_buf_size); /* EOF */ if (start_code < 0) { - goto the_end; + break; } else if (unescaped_buf_size > INT_MAX / 8) { av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (%d/%d), corrupt data?\n", From 6fa97413578ecf7165850f1259009d73bed45983 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jan 2014 06:20:46 +0100 Subject: [PATCH 0713/1037] avcodec/aacdec: Dont fail if channels arent known yet Fixes Ticket3312 Signed-off-by: Michael Niedermayer (cherry picked from commit 676a395ab903cac623c5d6ddd0928c789e08a59e) Conflicts: libavcodec/aacdec.c --- libavcodec/aacdec.c | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 3379f8b701..56f73ae5d7 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -190,6 +190,9 @@ static int frame_configure_elements(AVCodecContext *avctx) } } + if (!avctx->channels) + return 1; + /* get output buffer */ ac->frame.nb_samples = 2048; if ((ret = ff_get_buffer(avctx, &ac->frame)) < 0) { From af9799790d7a6342027e0261b5dd87657abb7a0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 23:14:32 +0200 Subject: [PATCH 0714/1037] dsputil/pngdsp: fix signed/unsigned type in end comparison Fixes out of array accesses and integer overflows. (cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b) Adresses: CVE-2013-7010, CVE-2013-7014 Signed-off-by: Reinhard Tartler --- libavcodec/dsputil.c | 4 ++-- libavcodec/pngdsp.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c index 4696bc7980..338c314f85 100644 --- a/libavcodec/dsputil.c +++ b/libavcodec/dsputil.c @@ -1800,7 +1800,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){ static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){ long i; - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) { long a = *(long*)(src+i); long b = *(long*)(dst+i); *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80); @@ -1825,7 +1825,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){ } }else #endif - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ + for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) { long a = *(long*)(src1+i); long b = *(long*)(src2+i); *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80); diff --git a/libavcodec/pngdsp.c b/libavcodec/pngdsp.c index 00734d7d10..9220c2080a 100644 --- a/libavcodec/pngdsp.c +++ b/libavcodec/pngdsp.c 
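Review bot: The added `if (!avctx->channels) return 1;` in frame_configure_elements introduces a positive return value without documenting it, while the visible failure path of this function uses negative codes. Callers are outside the hunk, so it should be confirmed that each of them tests `< 0` and does not go on to use `ac->frame` when 1 comes back, since no output buffer has been requested at that point. A comment on the line would make the contract explicit, for example `/* channel layout not known yet: skip buffer allocation, not an error */`.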
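Review bot: The `(int)` cast added to `w - (int) sizeof(long)` in add_bytes_c carries the whole fix but has no comment saying why it must stay. Without the cast the subtraction is done in an unsigned type, so a `w` smaller than `sizeof(long)` wraps to a very large bound and the word-wise loop runs far outside the buffers. I would add a one-line comment above the loop such as `/* keep the bound signed: w may be smaller than sizeof(long) */`. The same applies to the identical loops in diff_bytes_c in this file and add_bytes_l2_c in pngdsp.c, and the cast spacing differs between the two files (`(int) sizeof` here, `(int)sizeof` there).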
@@ -30,7 +30,7 @@ static void add_bytes_l2_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w) { long i; - for (i = 0; i <= w - sizeof(long); i += sizeof(long)) { + for (i = 0; i <= w - (int)sizeof(long); i += sizeof(long)) { long a = *(long *)(src1 + i); long b = *(long *)(src2 + i); *(long *)(dst + i) = ((a & pb_7f) + (b & pb_7f)) ^ ((a ^ b) & pb_80); From 10d48fe6d3963842319b1d8d738a318020836e72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2013 23:18:48 +0200 Subject: [PATCH 0715/1037] flashsv: Check diff_start diff_height values Fix out of array accesses. Found-by: ami_stuff Signed-off-by: Michael Niedermayer Adresses: CVE-2013-7015 (cherry picked from commit 57070b1468edc6ac8cb3696c817f3c943975d4c1) Signed-off-by: Reinhard Tartler --- libavcodec/flashsv.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index 3c5a35c0dd..d55616e856 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -384,6 +384,12 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } s->diff_start = get_bits(&gb, 8); s->diff_height = get_bits(&gb, 8); + if (s->diff_start + s->diff_height > cur_blk_height) { + av_log(avctx, AV_LOG_ERROR, + "Block parameters invalid: %d + %d > %d\n", + s->diff_start, s->diff_height, cur_blk_height); + return AVERROR_INVALIDDATA; + } av_log(avctx, AV_LOG_DEBUG, "%dx%d diff start %d height %d\n", i, j, s->diff_start, s->diff_height); From 9f9e773881cf8a799e9021157edc18027c05b358 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 9 Oct 2013 05:13:59 +0200 Subject: [PATCH 0716/1037] vmnc: Port to bytestream2 Fix some buffer overreads. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavcodec/vmnc.c | 132 ++++++++++++++++++++-------------------------- 1 file changed, 57 insertions(+), 75 deletions(-) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 381475f804..08f7ccd4b8 100644 --- a/libavcodec/vmnc.c 
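Review bot: The new error message in flashsv_decode_frame() prints the three values but not which block they belong to, although the debug log on the following lines already prints the block indices `i, j`. When this check fires on a malformed file, the block position is what makes the report useful for triage, so the message could read `"Block %dx%d parameters invalid: %d + %d > %d\n"` with `i, j` passed first. Both fields are read with `get_bits(&gb, 8)`, so the sum itself cannot overflow. The function body continues outside the hunk.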
+++ b/libavcodec/vmnc.c @@ -31,6 +31,7 @@ #include "libavutil/common.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" +#include "bytestream.h" enum EncTypes { MAGIC_WMVd = 0x574D5664, @@ -62,6 +63,7 @@ typedef struct VmncContext { int bigendian; uint8_t pal[768]; int width, height; + GetByteContext gb; /* cursor data */ int cur_w, cur_h; @@ -72,26 +74,25 @@ typedef struct VmncContext { } VmncContext; /* read pixel value from stream */ -static av_always_inline int vmnc_get_pixel(const uint8_t *buf, int bpp, int be) +static av_always_inline int vmnc_get_pixel(GetByteContext *gb, int bpp, int be) { switch (bpp * 2 + be) { case 2: case 3: - return *buf; + return bytestream2_get_byte(gb); case 4: - return AV_RL16(buf); + return bytestream2_get_le16(gb); case 5: - return AV_RB16(buf); + return bytestream2_get_be16(gb); case 8: - return AV_RL32(buf); + return bytestream2_get_le32(gb); case 9: - return AV_RB32(buf); - default: - return 0; + return bytestream2_get_be32(gb); + default: return 0; } } -static void load_cursor(VmncContext *c, const uint8_t *src) +static void load_cursor(VmncContext *c) { int i, j, p; const int bpp = c->bpp2; @@ -101,8 +102,7 @@ static void load_cursor(VmncContext *c, const uint8_t *src) for (j = 0; j < c->cur_h; j++) { for (i = 0; i < c->cur_w; i++) { - p = vmnc_get_pixel(src, bpp, c->bigendian); - src += bpp; + p = vmnc_get_pixel(&c->gb, bpp, c->bigendian); if (bpp == 1) *dst8++ = p; if (bpp == 2) @@ -116,8 +116,7 @@ static void load_cursor(VmncContext *c, const uint8_t *src) dst32 = (uint32_t*)c->curmask; for (j = 0; j < c->cur_h; j++) { for (i = 0; i < c->cur_w; i++) { - p = vmnc_get_pixel(src, bpp, c->bigendian); - src += bpp; + p = vmnc_get_pixel(&c->gb, bpp, c->bigendian); if (bpp == 1) *dst8++ = p; if (bpp == 2) 
@@ -219,14 +218,13 @@ static av_always_inline void paint_rect(uint8_t *dst, int dx, int dy, } static av_always_inline void paint_raw(uint8_t *dst, int w, int h, - const uint8_t *src, int bpp, + GetByteContext *gb, int bpp, int be, int stride) { int i, j, p; for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { - p = vmnc_get_pixel(src, bpp, be); - src += bpp; + p = vmnc_get_pixel(gb, bpp, be); switch (bpp) { case 1: dst[i] = p; @@ -243,15 +241,14 @@ static av_always_inline void paint_raw(uint8_t *dst, int w, int h, } } -static int decode_hextile(VmncContext *c, uint8_t *dst, const uint8_t *src, - int ssize, int w, int h, int stride) +static int decode_hextile(VmncContext *c, uint8_t* dst, GetByteContext *gb, + int w, int h, int stride) { int i, j, k; int bg = 0, fg = 0, rects, color, flags, xy, wh; const int bpp = c->bpp2; uint8_t *dst2; int bw = 16, bh = 16; - const uint8_t *ssrc = src; for (j = 0; j < h; j += 16) { dst2 = dst; 
@@ -259,55 +256,48 @@ static int decode_hextile(VmncContext *c, uint8_t *dst, const uint8_t *src, if (j + 16 > h) bh = h - j; for (i = 0; i < w; i += 16, dst2 += 16 * bpp) { - if (src - ssrc >= ssize) { + if (bytestream2_get_bytes_left(gb) <= 0) { av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n"); return -1; } if (i + 16 > w) bw = w - i; - flags = *src++; + flags = bytestream2_get_byte(gb); if (flags & HT_RAW) { - if (src - ssrc > ssize - bw * bh * bpp) { + if (bytestream2_get_bytes_left(gb) < bw * bh * bpp) { av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n"); return -1; } - paint_raw(dst2, bw, bh, src, bpp, c->bigendian, stride); - src += bw * bh * bpp; + paint_raw(dst2, bw, bh, gb, bpp, c->bigendian, stride); } else { - if (flags & HT_BKG) { - bg = vmnc_get_pixel(src, bpp, c->bigendian); - src += bpp; - } - if (flags & HT_FG) { - fg = vmnc_get_pixel(src, bpp, c->bigendian); - src += bpp; - } + if (flags & HT_BKG) + bg = vmnc_get_pixel(gb, bpp, c->bigendian); + if (flags & HT_FG) + fg = vmnc_get_pixel(gb, bpp, c->bigendian); rects = 0; if (flags & HT_SUB) - rects = *src++; + rects = bytestream2_get_byte(gb); color = !!(flags & HT_CLR); paint_rect(dst2, 0, 0, bw, bh, bg, bpp, stride); - if (src - ssrc > ssize - rects * (color * bpp + 2)) { + if (bytestream2_get_bytes_left(gb) < rects * (color * bpp + 2)) { av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n"); return -1; } for (k = 0; k < rects; k++) { - if (color) { - fg = vmnc_get_pixel(src, bpp, c->bigendian); - src += bpp; - } - xy = *src++; - wh = *src++; - paint_rect(dst2, xy >> 4, xy & 0xF, (wh >> 4) + 1, - (wh & 0xF) + 1, fg, bpp, stride); + if (color) + fg = vmnc_get_pixel(gb, bpp, c->bigendian); + xy = bytestream2_get_byte(gb); + wh = bytestream2_get_byte(gb); + paint_rect(dst2, xy >> 4, xy & 0xF, + (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride); } } } dst += stride * 16; } - return src - ssrc; + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, 
@@ -316,8 +306,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; VmncContext * const c = avctx->priv_data; + GetByteContext *gb = &c->gb; uint8_t *outptr; - const uint8_t *src = buf; int dx, dy, w, h, depth, enc, chunks, res, size_left; c->pic.reference = 1; @@ -327,6 +317,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return -1; } + bytestream2_init(gb, buf, buf_size); + c->pic.key_frame = 0; c->pic.pict_type = AV_PICTURE_TYPE_P; @@ -358,22 +350,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } } - src += 2; - chunks = AV_RB16(src); - src += 2; + bytestream2_skip(gb, 2); + chunks = bytestream2_get_be16(gb); while (chunks--) { - dx = AV_RB16(src); - src += 2; - dy = AV_RB16(src); - src += 2; - w = AV_RB16(src); - src += 2; - h = AV_RB16(src); - src += 2; - enc = AV_RB32(src); - src += 4; + dx = bytestream2_get_be16(gb); + dy = bytestream2_get_be16(gb); + w = bytestream2_get_be16(gb); + h = bytestream2_get_be16(gb); + enc = bytestream2_get_be32(gb); outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0]; - size_left = buf_size - (src - buf); + size_left = bytestream2_get_bytes_left(gb); switch (enc) { case MAGIC_WMVd: // cursor if (size_left < 2 + w * h * c->bpp2 * 2) { @@ -382,7 +368,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, 2 + w * h * c->bpp2 * 2, size_left); return -1; } - src += 2; + bytestream2_skip(gb, 2); c->cur_w = w; c->cur_h = h; c->cur_hx = dx; 
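Review bot: Each iteration of the `while (chunks--)` loop in decode_frame() reads a 12-byte rectangle header (four `bytestream2_get_be16()` calls and one `bytestream2_get_be32()`) without first checking that 12 bytes remain. The bounds-checked readers no longer read past the packet, but assuming they return 0 once the buffer is exhausted, a truncated packet with a large `chunks` count is decoded as a run of all-zero rectangles instead of being rejected. A guard at the top of the loop, `if (bytestream2_get_bytes_left(gb) < 12) return AVERROR_INVALIDDATA;`, would make truncation an explicit error. decode_frame() starts and ends outside this hunk.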
@@ -397,44 +383,43 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->curbits = av_realloc(c->curbits, c->cur_w * c->cur_h * c->bpp2); c->curmask = av_realloc(c->curmask, c->cur_w * c->cur_h * c->bpp2); c->screendta = av_realloc(c->screendta, c->cur_w * c->cur_h * c->bpp2); - load_cursor(c, src); - src += w * h * c->bpp2 * 2; + load_cursor(c); break; case MAGIC_WMVe: // unknown - src += 2; + bytestream2_skip(gb, 2); break; case MAGIC_WMVf: // update cursor position c->cur_x = dx - c->cur_hx; c->cur_y = dy - c->cur_hy; break; case MAGIC_WMVg: // unknown - src += 10; + bytestream2_skip(gb, 10); break; case MAGIC_WMVh: // unknown - src += 4; + bytestream2_skip(gb, 4); break; case MAGIC_WMVi: // ServerInitialization struct c->pic.key_frame = 1; c->pic.pict_type = AV_PICTURE_TYPE_I; - depth = *src++; + depth = bytestream2_get_byte(gb); if (depth != c->bpp) { av_log(avctx, AV_LOG_INFO, "Depth mismatch. Container %i bpp, " "Frame data: %i bpp\n", c->bpp, depth); } - src++; - c->bigendian = *src++; + bytestream2_skip(gb, 1); + c->bigendian = bytestream2_get_byte(gb); if (c->bigendian & (~1)) { av_log(avctx, AV_LOG_INFO, "Invalid header: bigendian flag = %i\n", c->bigendian); return -1; } - // skip the rest of pixel format data - src += 13; + //skip the rest of pixel format data + bytestream2_skip(gb, 13); break; case MAGIC_WMVj: // unknown - src += 2; + bytestream2_skip(gb, 2); break; case 0x00000000: // raw rectangle data if ((dx + w > c->width) || (dy + h > c->height)) { @@ -449,9 +434,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, w * h * c->bpp2, size_left); return -1; } - paint_raw(outptr, w, h, src, c->bpp2, c->bigendian, + paint_raw(outptr, w, h, gb, c->bpp2, c->bigendian, c->pic.linesize[0]); - src += w * h * c->bpp2; break; case 0x00000005: // HexTile encoded rectangle if ((dx + w > c->width) || (dy + h > c->height)) { 
@@ -460,11 +444,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, w, h, dx, dy, c->width, c->height); return -1; } - res = decode_hextile(c, outptr, src, size_left, w, h, - c->pic.linesize[0]); + res = decode_hextile(c, outptr, gb, w, h, c->pic.linesize[0]); if (res < 0) return -1; - src += res; break; default: av_log(avctx, AV_LOG_ERROR, "Unsupported block type 0x%08X\n", enc); From 969028870c6f5a2ed953bfca8cb68c24ffd9c824 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0717/1037] cavsdec: check ff_get_buffer() return value Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/cavsdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 15a05c862d..c68f7b2e2b 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -928,6 +928,7 @@ static inline int check_for_slice(AVSContext *h) static int decode_pic(AVSContext *h) { + int ret; int skip_count = -1; enum cavs_mb mb_type; @@ -965,7 +966,9 @@ static int decode_pic(AVSContext *h) if (h->cur.f->data[0]) h->avctx->release_buffer(h->avctx, h->cur.f); - ff_get_buffer(h->avctx, h->cur.f); + ret = ff_get_buffer(h->avctx, h->cur.f); + if (ret < 0) + return ret; if (!h->edge_emu_buffer) { int alloc_size = FFALIGN(FFABS(h->cur.f->linesize[0]) + 32, 32); From 4b24eb1a03f2076f177a1f37521175dab7039320 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 9 Oct 2013 05:51:20 +0200 Subject: [PATCH 0718/1037] vmnc: Check the cursor dimensions And manage the reallocation failure path. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5e992a4682d2c09eed3839c6cacf70db3b65c2f4) --- libavcodec/vmnc.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 08f7ccd4b8..346fdb51d0 100644 
--- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -300,6 +300,14 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, GetByteContext *gb, return 0; } +static void reset_buffers(VmncContext *c) +{ + av_freep(&c->curbits); + av_freep(&c->curmask); + av_freep(&c->screendta); + c->cur_w = c->cur_h = 0; +} + static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { @@ -380,9 +388,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->cur_hx, c->cur_hy, c->cur_w, c->cur_h); c->cur_hx = c->cur_hy = 0; } - c->curbits = av_realloc(c->curbits, c->cur_w * c->cur_h * c->bpp2); - c->curmask = av_realloc(c->curmask, c->cur_w * c->cur_h * c->bpp2); - c->screendta = av_realloc(c->screendta, c->cur_w * c->cur_h * c->bpp2); + if (c->cur_w * c->cur_h >= INT_MAX / c->bpp2) { + reset_buffers(c); + return AVERROR(EINVAL); + } else { + int screen_size = c->cur_w * c->cur_h * c->bpp2; + if ((c->curbits = av_realloc(c->curbits, screen_size)) == NULL || + (c->curmask = av_realloc(c->curmask, screen_size)) == NULL || + (c->screendta = av_realloc(c->screendta, screen_size)) == NULL) { + reset_buffers(c); + return screen_size ? AVERROR(ENOMEM) : 0; + } + } load_cursor(c); break; case MAGIC_WMVe: // unknown From d9c82cea11cef662fda21fccbe1a1f62c1689952 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2013 19:02:34 +0200 Subject: [PATCH 0719/1037] h263: Check init_get_bits return value And use init_get_bits8 to check for integer overflows while at it. CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavcodec/h263dec.c | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index db58fd2e12..47e903aa9c 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c 
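Review bot: The guard `c->cur_w * c->cur_h >= INT_MAX / c->bpp2` in the MAGIC_WMVd case can itself overflow. `w` and `h` are read from 16-bit fields of the packet, so the `int` product `c->cur_w * c->cur_h` can exceed INT_MAX before the comparison is made, which is undefined behaviour and may let oversized cursor dimensions through. Doing the arithmetic in a wider type, e.g. `if ((int64_t)c->cur_w * c->cur_h * c->bpp2 > INT_MAX)`, avoids that. Separately, assigning the result of `av_realloc()` straight back to `c->curbits`, `c->curmask` and `c->screendta` drops the old pointer if the call fails in the usual realloc manner, so reset_buffers() then frees NULL and the previous block leaks; a temporary would fix it. decode_frame() continues outside the hunk.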
@@ -384,17 +384,20 @@ uint64_t time= rdtsc(); return buf_size; } + if (s->bitstream_buffer_size && (s->divx_packed || buf_size < 20)) // divx 5.01+/xvid frame reorder + ret = init_get_bits8(&s->gb, s->bitstream_buffer, + s->bitstream_buffer_size); + else + ret = init_get_bits8(&s->gb, buf, buf_size); + s->bitstream_buffer_size = 0; - if(s->bitstream_buffer_size && (s->divx_packed || buf_size<20)){ //divx 5.01+/xvid frame reorder - init_get_bits(&s->gb, s->bitstream_buffer, s->bitstream_buffer_size*8); - }else - init_get_bits(&s->gb, buf, buf_size*8); - s->bitstream_buffer_size=0; + if (ret < 0) + return ret; - if (!s->context_initialized) { - if (ff_MPV_common_init(s) < 0) //we need the idct permutaton for reading a custom matrix - return -1; - } + if (!s->context_initialized) + // we need the idct permutaton for reading a custom matrix + if ((ret = ff_MPV_common_init(s)) < 0) + return ret; /* We need to set current_picture_ptr before reading the header, * otherwise we cannot store anyting in there */ @@ -414,8 +417,11 @@ uint64_t time= rdtsc(); if(s->avctx->extradata_size && s->picture_number==0){ GetBitContext gb; - init_get_bits(&gb, s->avctx->extradata, s->avctx->extradata_size*8); - ret = ff_mpeg4_decode_picture_header(s, &gb); + ret = init_get_bits8(&gb, s->avctx->extradata, + s->avctx->extradata_size); + if (ret < 0) + return ret; + ff_mpeg4_decode_picture_header(s, &gb); } ret = ff_mpeg4_decode_picture_header(s, &s->gb); } else if (CONFIG_H263I_DECODER && s->codec_id == AV_CODEC_ID_H263I) { From 3485a07977f17b8d4709fb327be4fc29031032b7 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 6 Aug 2013 03:38:12 +0200 Subject: [PATCH 0720/1037] avi: DV in AVI must be considered single stream Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavformat/avidec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 109b0ab5d8..759abbcb03 100644 
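Review bot: The rewritten context-initialisation check nests an unbraced `if` under an unbraced `if (!s->context_initialized)` with a comment line between them, which is easy to break when a statement is added later on an error path. Bracing the outer block keeps it unambiguous: `if (!s->context_initialized) {`, then `if ((ret = ff_MPV_common_init(s)) < 0) return ret;`, then `}`. The comment's "permutaton" typo could be fixed at the same time. In the second hunk the result of `ff_mpeg4_decode_picture_header(s, &gb)` on the extradata is now discarded, and a short comment saying this is intentional would help. The enclosing function starts and ends outside both hunks.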
--- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -887,7 +887,7 @@ start_sync: goto start_sync; } - n= get_stream_idx(d); + n = avi->dv_demux ? 0 : get_stream_idx(d); if(!((i-avi->last_pkt_pos)&1) && get_stream_idx(d+1) < s->nb_streams) continue; @@ -1291,12 +1291,17 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp int64_t pos; AVIStream *ast; + /* Does not matter which stream is requested dv in avi has the + * stream information in the first video stream. + */ + if (avi->dv_demux) + stream_index = 0; + if (!avi->index_loaded) { /* we only load the index on demand */ avi_load_index(s); avi->index_loaded = 1; } - assert(stream_index>= 0); st = s->streams[stream_index]; ast= st->priv_data; @@ -1315,7 +1320,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp /* One and only one real stream for DV in AVI, and it has video */ /* offsets. Calling with other stream indexes should have failed */ /* the av_index_search_timestamp call above. */ - assert(stream_index == 0); /* Feed the DV video stream version of the timestamp to the */ /* DV demux so it can synthesize correct timestamps. */ From b5275ca1a805436ca12540c34dd5ed1671877434 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 09:42:26 +0100 Subject: [PATCH 0721/1037] h264_cavlc: check the size of the intra PCM data. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264_cavlc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 0cc7214666..c01e94b5c1 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c 
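Review bot: With `assert(stream_index>= 0)` removed from avi_read_seek(), nothing visible in this hunk validates `stream_index` before `st = s->streams[stream_index];` on the non-DV path. If every caller already passes an index in range this is harmless, but that cannot be confirmed from the hunk. A runtime check placed after the DV override, `if (stream_index < 0 || stream_index >= s->nb_streams) return AVERROR(EINVAL);`, would not depend on assertions being compiled in. The function body continues outside the hunk.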
@@ -770,6 +770,10 @@ decode_intra_mb: // We assume these blocks are very rare so we do not optimize it. align_get_bits(&s->gb); + if (get_bits_left(&s->gb) < mb_size) { + av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n"); + return AVERROR_INVALIDDATA; + } // The pixels are stored in the same order as levels in h->mb array. for(x=0; x < mb_size; x++){ From f1476459b7013d306eb911573f1dc81e74ccd082 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 9 Oct 2013 12:58:42 +0200 Subject: [PATCH 0722/1037] vmnc: K&R formatting cosmetics Signed-off-by: Diego Biurrun --- libavcodec/vmnc.c | 352 +++++++++++++++++++++++++--------------------- 1 file changed, 195 insertions(+), 157 deletions(-) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 4071cdf51a..381475f804 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c 
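Review bot: The new check compares `get_bits_left(&s->gb)`, a bit count, with `mb_size`, and the loop directly below it runs `mb_size` times. If each iteration consumes more than one bit (the loop body is outside the hunk; a PCM sample read would presumably be 8 bits), then `mb_size` is a byte count and the guard accepts input up to eight times too short, leaving the invalid reads it is meant to stop. In that case the comparison should be `if (get_bits_left(&s->gb) < mb_size * 8) {`. Otherwise a comment stating that `mb_size` is in bits would settle the question.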
@@ -67,50 +67,63 @@ typedef struct VmncContext { int cur_w, cur_h; int cur_x, cur_y; int cur_hx, cur_hy; - uint8_t* curbits, *curmask; - uint8_t* screendta; + uint8_t *curbits, *curmask; + uint8_t *screendta; } VmncContext; /* read pixel value from stream */ -static av_always_inline int vmnc_get_pixel(const uint8_t* buf, int bpp, int be) { - switch(bpp * 2 + be) { +static av_always_inline int vmnc_get_pixel(const uint8_t *buf, int bpp, int be) +{ + switch (bpp * 2 + be) { case 2: - case 3: return *buf; - case 4: return AV_RL16(buf); - case 5: return AV_RB16(buf); - case 8: return AV_RL32(buf); - case 9: return AV_RB32(buf); - default: return 0; + case 3: + return *buf; + case 4: + return AV_RL16(buf); + case 5: + return AV_RB16(buf); + case 8: + return AV_RL32(buf); + case 9: + return AV_RB32(buf); + default: + return 0; } } static void load_cursor(VmncContext *c, const uint8_t *src) { int i, j, p; - const int bpp = c->bpp2; - uint8_t *dst8 = c->curbits; - uint16_t *dst16 = (uint16_t*)c->curbits; - uint32_t *dst32 = (uint32_t*)c->curbits; + const int bpp = c->bpp2; + uint8_t *dst8 = c->curbits; + uint16_t *dst16 = (uint16_t *)c->curbits; + uint32_t *dst32 = (uint32_t *)c->curbits; - for(j = 0; j < c->cur_h; j++) { - for(i = 0; i < c->cur_w; i++) { + for (j = 0; j < c->cur_h; j++) { + for (i = 0; i < c->cur_w; i++) { p = vmnc_get_pixel(src, bpp, c->bigendian); src += bpp; - if(bpp == 1) *dst8++ = p; - if(bpp == 2) *dst16++ = p; - if(bpp == 4) *dst32++ = p; + if (bpp == 1) + *dst8++ = p; + if (bpp == 2) + *dst16++ = p; + if (bpp == 4) + *dst32++ = p; } } - dst8 = c->curmask; + dst8 = c->curmask; dst16 = (uint16_t*)c->curmask; dst32 = (uint32_t*)c->curmask; - for(j = 0; j < c->cur_h; j++) { - for(i = 0; i < c->cur_w; i++) { + for (j = 0; j < c->cur_h; j++) { + for (i = 0; i < c->cur_w; i++) { p = vmnc_get_pixel(src, bpp, c->bigendian); src += bpp; - if(bpp == 1) *dst8++ = p; - if(bpp == 2) *dst16++ = p; - if(bpp == 4) *dst32++ = p; + if (bpp == 1) + *dst8++ = p; + if 
(bpp == 2) + *dst16++ = p; + if (bpp == 4) + *dst32++ = p; } } } 
@@ -120,96 +133,101 @@ static void put_cursor(uint8_t *dst, int stride, VmncContext *c, int dx, int dy) int i, j; int w, h, x, y; w = c->cur_w; - if(c->width < c->cur_x + c->cur_w) w = c->width - c->cur_x; + if (c->width < c->cur_x + c->cur_w) + w = c->width - c->cur_x; h = c->cur_h; - if(c->height < c->cur_y + c->cur_h) h = c->height - c->cur_y; + if (c->height < c->cur_y + c->cur_h) + h = c->height - c->cur_y; x = c->cur_x; y = c->cur_y; - if(x < 0) { + if (x < 0) { w += x; - x = 0; + x = 0; } - if(y < 0) { + if (y < 0) { h += y; - y = 0; + y = 0; } - if((w < 1) || (h < 1)) return; + if ((w < 1) || (h < 1)) + return; dst += x * c->bpp2 + y * stride; - if(c->bpp2 == 1) { - uint8_t* cd = c->curbits, *msk = c->curmask; - for(j = 0; j < h; j++) { - for(i = 0; i < w; i++) + if (c->bpp2 == 1) { + uint8_t *cd = c->curbits, *msk = c->curmask; + for (j = 0; j < h; j++) { + for (i = 0; i < w; i++) dst[i] = (dst[i] & cd[i]) ^ msk[i]; msk += c->cur_w; - cd += c->cur_w; + cd += c->cur_w; dst += stride; } - } else if(c->bpp2 == 2) { - uint16_t* cd = (uint16_t*)c->curbits, *msk = (uint16_t*)c->curmask; - uint16_t* dst2; - for(j = 0; j < h; j++) { + } else if (c->bpp2 == 2) { + uint16_t *cd = (uint16_t*)c->curbits, *msk = (uint16_t*)c->curmask; + uint16_t *dst2; + for (j = 0; j < h; j++) { dst2 = (uint16_t*)dst; - for(i = 0; i < w; i++) + for (i = 0; i < w; i++) dst2[i] = (dst2[i] & cd[i]) ^ msk[i]; msk += c->cur_w; - cd += c->cur_w; + cd += c->cur_w; dst += stride; } - } else if(c->bpp2 == 4) { - uint32_t* cd = (uint32_t*)c->curbits, *msk = (uint32_t*)c->curmask; - uint32_t* dst2; - for(j = 0; j < h; j++) { + } else if (c->bpp2 == 4) { + uint32_t *cd = (uint32_t*)c->curbits, *msk = (uint32_t*)c->curmask; + uint32_t *dst2; + for (j = 0; j < h; j++) { dst2 = (uint32_t*)dst; - for(i = 0; i < w; i++) + for (i = 0; i < w; i++) dst2[i] = (dst2[i] & cd[i]) ^ msk[i]; msk += c->cur_w; - cd += c->cur_w; + cd += c->cur_w; dst += stride; } } } /* fill rectangle with given color */ -static 
av_always_inline void paint_rect(uint8_t *dst, int dx, int dy, int w, int h, int color, int bpp, int stride) +static av_always_inline void paint_rect(uint8_t *dst, int dx, int dy, + int w, int h, int color, + int bpp, int stride) { int i, j; dst += dx * bpp + dy * stride; - if(bpp == 1){ - for(j = 0; j < h; j++) { + if (bpp == 1) { + for (j = 0; j < h; j++) { memset(dst, color, w); dst += stride; } - }else if(bpp == 2){ - uint16_t* dst2; - for(j = 0; j < h; j++) { + } else if (bpp == 2) { + uint16_t *dst2; + for (j = 0; j < h; j++) { dst2 = (uint16_t*)dst; - for(i = 0; i < w; i++) { + for (i = 0; i < w; i++) *dst2++ = color; - } dst += stride; } - }else if(bpp == 4){ - uint32_t* dst2; - for(j = 0; j < h; j++) { + } else if (bpp == 4) { + uint32_t *dst2; + for (j = 0; j < h; j++) { dst2 = (uint32_t*)dst; - for(i = 0; i < w; i++) { + for (i = 0; i < w; i++) dst2[i] = color; - } dst += stride; } } } -static av_always_inline void paint_raw(uint8_t *dst, int w, int h, const uint8_t* src, int bpp, int be, int stride) +static av_always_inline void paint_raw(uint8_t *dst, int w, int h, + const uint8_t *src, int bpp, + int be, int stride) { int i, j, p; - for(j = 0; j < h; j++) { - for(i = 0; i < w; i++) { + for (j = 0; j < h; j++) { + for (i = 0; i < w; i++) { p = vmnc_get_pixel(src, bpp, be); src += bpp; - switch(bpp){ + switch (bpp) { case 1: dst[i] = p; break; 
@@ -225,58 +243,65 @@ static av_always_inline void paint_raw(uint8_t *dst, int w, int h, const uint8_t } } -static int decode_hextile(VmncContext *c, uint8_t* dst, const uint8_t* src, int ssize, int w, int h, int stride) +static int decode_hextile(VmncContext *c, uint8_t *dst, const uint8_t *src, + int ssize, int w, int h, int stride) { int i, j, k; int bg = 0, fg = 0, rects, color, flags, xy, wh; const int bpp = c->bpp2; uint8_t *dst2; int bw = 16, bh = 16; - const uint8_t *ssrc=src; + const uint8_t *ssrc = src; - for(j = 0; j < h; j += 16) { + for (j = 0; j < h; j += 16) { dst2 = dst; - bw = 16; - if(j + 16 > h) bh = h - j; - for(i = 0; i < w; i += 16, dst2 += 16 * bpp) { - if(src - ssrc >= ssize) { + bw = 16; + if (j + 16 > h) + bh = h - j; + for (i = 0; i < w; i += 16, dst2 += 16 * bpp) { + if (src - ssrc >= ssize) { av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n"); return -1; } - if(i + 16 > w) bw = w - i; + if (i + 16 > w) + bw = w - i; flags = *src++; - if(flags & HT_RAW) { - if(src - ssrc > ssize - bw * bh * bpp) { + if (flags & HT_RAW) { + if (src - ssrc > ssize - bw * bh * bpp) { av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n"); return -1; } paint_raw(dst2, bw, bh, src, bpp, c->bigendian, stride); src += bw * bh * bpp; } else { - if(flags & HT_BKG) { - bg = vmnc_get_pixel(src, bpp, c->bigendian); src += bpp; + if (flags & HT_BKG) { + bg = vmnc_get_pixel(src, bpp, c->bigendian); + src += bpp; } - if(flags & HT_FG) { - fg = vmnc_get_pixel(src, bpp, c->bigendian); src += bpp; + if (flags & HT_FG) { + fg = vmnc_get_pixel(src, bpp, c->bigendian); + src += bpp; } rects = 0; - if(flags & HT_SUB) + if (flags & HT_SUB) rects = *src++; color = !!(flags & HT_CLR); paint_rect(dst2, 0, 0, bw, bh, bg, bpp, stride); - if(src - ssrc > ssize - rects * (color * bpp + 2)) { + if (src - ssrc > ssize - rects * (color * bpp + 2)) { av_log(c->avctx, AV_LOG_ERROR, "Premature end of data!\n"); return -1; } - for(k = 0; k < rects; k++) { - if(color) { - fg = 
vmnc_get_pixel(src, bpp, c->bigendian); src += bpp; + for (k = 0; k < rects; k++) { + if (color) { + fg = vmnc_get_pixel(src, bpp, c->bigendian); + src += bpp; } xy = *src++; wh = *src++; - paint_rect(dst2, xy >> 4, xy & 0xF, (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride); + paint_rect(dst2, xy >> 4, xy & 0xF, (wh >> 4) + 1, + (wh & 0xF) + 1, fg, bpp, stride); } } } @@ -289,7 +314,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; + int buf_size = avpkt->size; VmncContext * const c = avctx->priv_data; uint8_t *outptr; const uint8_t *src = buf; 
@@ -305,58 +330,72 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->pic.key_frame = 0; c->pic.pict_type = AV_PICTURE_TYPE_P; - //restore screen after cursor - if(c->screendta) { + // restore screen after cursor + if (c->screendta) { int i; w = c->cur_w; - if(c->width < c->cur_x + w) w = c->width - c->cur_x; + if (c->width < c->cur_x + w) + w = c->width - c->cur_x; h = c->cur_h; - if(c->height < c->cur_y + h) h = c->height - c->cur_y; + if (c->height < c->cur_y + h) + h = c->height - c->cur_y; dx = c->cur_x; - if(dx < 0) { + if (dx < 0) { w += dx; dx = 0; } dy = c->cur_y; - if(dy < 0) { + if (dy < 0) { h += dy; dy = 0; } - if((w > 0) && (h > 0)) { + if ((w > 0) && (h > 0)) { outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0]; - for(i = 0; i < h; i++) { - memcpy(outptr, c->screendta + i * c->cur_w * c->bpp2, w * c->bpp2); + for (i = 0; i < h; i++) { + memcpy(outptr, c->screendta + i * c->cur_w * c->bpp2, + w * c->bpp2); outptr += c->pic.linesize[0]; } } } src += 2; - chunks = AV_RB16(src); src += 2; - while(chunks--) { - dx = AV_RB16(src); src += 2; - dy = AV_RB16(src); src += 2; - w = AV_RB16(src); src += 2; - h = AV_RB16(src); src += 2; - enc = AV_RB32(src); src += 4; + chunks = AV_RB16(src); + src += 2; + while (chunks--) { + dx = AV_RB16(src); + src += 2; + dy = AV_RB16(src); + src += 2; + w = AV_RB16(src); + src += 2; + h = AV_RB16(src); + src += 2; + enc = AV_RB32(src); + src += 4; outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0]; size_left = buf_size - (src - buf); - switch(enc) { + switch (enc) { case MAGIC_WMVd: // cursor - if(size_left < 2 + w * h * c->bpp2 * 2) { - av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 2 + w * h * c->bpp2 * 2, size_left); + if (size_left < 2 + w * h * c->bpp2 * 2) { + av_log(avctx, AV_LOG_ERROR, + "Premature end of data! 
(need %i got %i)\n", + 2 + w * h * c->bpp2 * 2, size_left); return -1; } src += 2; - c->cur_w = w; - c->cur_h = h; + c->cur_w = w; + c->cur_h = h; c->cur_hx = dx; c->cur_hy = dy; - if((c->cur_hx > c->cur_w) || (c->cur_hy > c->cur_h)) { - av_log(avctx, AV_LOG_ERROR, "Cursor hot spot is not in image: %ix%i of %ix%i cursor size\n", c->cur_hx, c->cur_hy, c->cur_w, c->cur_h); + if ((c->cur_hx > c->cur_w) || (c->cur_hy > c->cur_h)) { + av_log(avctx, AV_LOG_ERROR, + "Cursor hot spot is not in image: " + "%ix%i of %ix%i cursor size\n", + c->cur_hx, c->cur_hy, c->cur_w, c->cur_h); c->cur_hx = c->cur_hy = 0; } - c->curbits = av_realloc(c->curbits, c->cur_w * c->cur_h * c->bpp2); - c->curmask = av_realloc(c->curmask, c->cur_w * c->cur_h * c->bpp2); + c->curbits = av_realloc(c->curbits, c->cur_w * c->cur_h * c->bpp2); + c->curmask = av_realloc(c->curmask, c->cur_w * c->cur_h * c->bpp2); c->screendta = av_realloc(c->screendta, c->cur_w * c->cur_h * c->bpp2); load_cursor(c, src); src += w * h * c->bpp2 * 2; 
@@ -378,40 +417,52 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->pic.key_frame = 1; c->pic.pict_type = AV_PICTURE_TYPE_I; depth = *src++; - if(depth != c->bpp) { - av_log(avctx, AV_LOG_INFO, "Depth mismatch. Container %i bpp, Frame data: %i bpp\n", c->bpp, depth); + if (depth != c->bpp) { + av_log(avctx, AV_LOG_INFO, + "Depth mismatch. Container %i bpp, " + "Frame data: %i bpp\n", + c->bpp, depth); } src++; c->bigendian = *src++; - if(c->bigendian & (~1)) { - av_log(avctx, AV_LOG_INFO, "Invalid header: bigendian flag = %i\n", c->bigendian); + if (c->bigendian & (~1)) { + av_log(avctx, AV_LOG_INFO, + "Invalid header: bigendian flag = %i\n", c->bigendian); return -1; } - //skip the rest of pixel format data + // skip the rest of pixel format data src += 13; break; case MAGIC_WMVj: // unknown src += 2; break; case 0x00000000: // raw rectangle data - if((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", w, h, dx, dy, c->width, c->height); + if ((dx + w > c->width) || (dy + h > c->height)) { + av_log(avctx, AV_LOG_ERROR, + "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", + w, h, dx, dy, c->width, c->height); return -1; } - if(size_left < w * h * c->bpp2) { - av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", w * h * c->bpp2, size_left); + if (size_left < w * h * c->bpp2) { + av_log(avctx, AV_LOG_ERROR, + "Premature end of data! 
(need %i got %i)\n", + w * h * c->bpp2, size_left); return -1; } - paint_raw(outptr, w, h, src, c->bpp2, c->bigendian, c->pic.linesize[0]); + paint_raw(outptr, w, h, src, c->bpp2, c->bigendian, + c->pic.linesize[0]); src += w * h * c->bpp2; break; case 0x00000005: // HexTile encoded rectangle - if((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", w, h, dx, dy, c->width, c->height); + if ((dx + w > c->width) || (dy + h > c->height)) { + av_log(avctx, AV_LOG_ERROR, + "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", + w, h, dx, dy, c->width, c->height); return -1; } - res = decode_hextile(c, outptr, src, size_left, w, h, c->pic.linesize[0]); - if(res < 0) + res = decode_hextile(c, outptr, src, size_left, w, h, + c->pic.linesize[0]); + if (res < 0) return -1; src += res; break; 
@@ -420,60 +471,54 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, chunks = 0; // leave chunks decoding loop } } - if(c->screendta){ + if (c->screendta) { int i; - //save screen data before painting cursor + // save screen data before painting cursor w = c->cur_w; - if(c->width < c->cur_x + w) w = c->width - c->cur_x; + if (c->width < c->cur_x + w) + w = c->width - c->cur_x; h = c->cur_h; - if(c->height < c->cur_y + h) h = c->height - c->cur_y; + if (c->height < c->cur_y + h) + h = c->height - c->cur_y; dx = c->cur_x; - if(dx < 0) { + if (dx < 0) { w += dx; dx = 0; } dy = c->cur_y; - if(dy < 0) { + if (dy < 0) { h += dy; dy = 0; } - if((w > 0) && (h > 0)) { + if ((w > 0) && (h > 0)) { outptr = c->pic.data[0] + dx * c->bpp2 + dy * c->pic.linesize[0]; - for(i = 0; i < h; i++) { - memcpy(c->screendta + i * c->cur_w * c->bpp2, outptr, w * c->bpp2); + for (i = 0; i < h; i++) { + memcpy(c->screendta + i * c->cur_w * c->bpp2, outptr, + w * c->bpp2); outptr += c->pic.linesize[0]; } outptr = c->pic.data[0]; put_cursor(outptr, c->pic.linesize[0], c, c->cur_x, c->cur_y); } } - *got_frame = 1; + *got_frame = 1; *(AVFrame*)data = c->pic; /* always report that the buffer was completely consumed */ return buf_size; } - - -/* - * - * Init VMnc decoder - * - */ static av_cold int decode_init(AVCodecContext *avctx) { VmncContext * const c = avctx->priv_data; - c->avctx = avctx; - - c->width = avctx->width; + c->avctx = avctx; + c->width = avctx->width; c->height = avctx->height; + c->bpp = avctx->bits_per_coded_sample; + c->bpp2 = c->bpp / 8; - c->bpp = avctx->bits_per_coded_sample; - c->bpp2 = c->bpp/8; - - switch(c->bpp){ + switch (c->bpp) { case 8: avctx->pix_fmt = AV_PIX_FMT_PAL8; break; @@ -491,13 +536,6 @@ static av_cold int decode_init(AVCodecContext *avctx) return 0; } - - -/* - * - * Uninit VMnc decoder - * - */ static av_cold int decode_end(AVCodecContext *avctx) { VmncContext * const c = avctx->priv_data; 
From c85e5f13f6ac9c4c90125e7671d89009e57f9df9 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 13 Oct 2013 03:30:06 +0200 Subject: [PATCH 0723/1037] cavs: Check for negative cbp Sample-Id: 00000647-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavcodec/cavsdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 7cfb2ca21b..15a05c862d 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -602,8 +602,8 @@ static inline int decode_residual_inter(AVSContext *h) /* get coded block pattern */ int cbp = get_ue_golomb(&h->gb); - if (cbp > 63) { - av_log(h->avctx, AV_LOG_ERROR, "illegal inter cbp\n"); + if (cbp > 63 || cbp < 0) { + av_log(h->avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp); return -1; } h->cbp = cbp_tab[cbp][1]; @@ -673,7 +673,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) /* get coded block pattern */ if (h->cur.f->pict_type == AV_PICTURE_TYPE_I) cbp_code = get_ue_golomb(gb); - if (cbp_code > 63) { + if (cbp_code > 63 || cbp_code < 0) { av_log(h->avctx, AV_LOG_ERROR, "illegal intra cbp\n"); return -1; } From f728782c0d30433efa11f1238a16aed994e9b563 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0724/1037] segafilm: fix leaks if reading the header fails Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 6892d145a0c80249bd61ee7dd31ec851c5076bcd) Signed-off-by: Reinhard Tartler --- libavformat/segafilm.c | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 5643f33cc8..53e206625e 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c 
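Review bot: The intra check in `decode_mb_i` (second hunk) still logs `"illegal intra cbp\n"` without the rejected value, while the inter check in `decode_residual_inter` now prints it. Logging both the same way makes a malformed stream easier to triage: `av_log(h->avctx, AV_LOG_ERROR, "illegal intra cbp %d\n", cbp_code);`. On non-I pictures `cbp_code` is the caller's argument rather than a freshly parsed value, so this range check is the only guard visible here. Both functions continue outside the hunks.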
@@ -75,13 +75,23 @@ static int film_probe(AVProbeData *p) return AVPROBE_SCORE_MAX; } +static int film_read_close(AVFormatContext *s) +{ + FilmDemuxContext *film = s->priv_data; + + av_freep(&film->sample_table); + av_freep(&film->stereo_buffer); + + return 0; +} + static int film_read_header(AVFormatContext *s) { FilmDemuxContext *film = s->priv_data; AVIOContext *pb = s->pb; AVStream *st; unsigned char scratch[256]; - int i; + int i, ret; unsigned int data_offset; unsigned int audio_frame_counter; @@ -213,14 +223,16 @@ static int film_read_header(AVFormatContext *s) for (i = 0; i < film->sample_count; i++) { /* load the next sample record and transfer it to an internal struct */ if (avio_read(pb, scratch, 16) != 16) { - av_free(film->sample_table); - return AVERROR(EIO); + ret = AVERROR(EIO); + goto fail; } film->sample_table[i].sample_offset = data_offset + AV_RB32(&scratch[0]); film->sample_table[i].sample_size = AV_RB32(&scratch[4]); - if (film->sample_table[i].sample_size > INT_MAX / 4) - return AVERROR_INVALIDDATA; + if (film->sample_table[i].sample_size > INT_MAX / 4) { + ret = AVERROR_INVALIDDATA; + goto fail; + } if (AV_RB32(&scratch[8]) == 0xFFFFFFFF) { film->sample_table[i].stream = film->audio_stream_index; film->sample_table[i].pts = audio_frame_counter; @@ -241,6 +253,9 @@ static int film_read_header(AVFormatContext *s) film->current_sample = 0; return 0; +fail: + film_read_close(s); + return ret; } static int film_read_packet(AVFormatContext *s, @@ -319,16 +334,6 @@ static int film_read_packet(AVFormatContext *s, return ret; } -static int film_read_close(AVFormatContext *s) -{ - FilmDemuxContext *film = s->priv_data; - - av_free(film->sample_table); - av_free(film->stereo_buffer); - - return 0; -} - AVInputFormat ff_segafilm_demuxer = { .name = "film_cpk", .long_name = NULL_IF_CONFIG_SMALL("Sega FILM / CPK"), From a1b4d42d31ba700c97d4388153a2a553d71ca0ba Mon Sep 17 00:00:00 2001 
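Review bot: Only the two error returns inside the sample-table loop are routed to the new `fail:` label. Any other return in `film_read_header` that can run after `film->sample_table` or `film->stereo_buffer` has been allocated lies outside these hunks and should be checked for the same leak. A short comment at the label would record the contract, e.g. `/* frees sample_table and stereo_buffer; av_freep() NULLs them, so a later film_read_close() is safe */`.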
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 13 Jan 2014 14:46:07 +0200 Subject: [PATCH 0725/1037] mov: Free an earlier allocated array if allocating a new one MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It could probably also be considered an error if the pointer isn't null at this point, but then we might risk rejecting some slightly broken files that we might have handled so far. Sample-Id: 00000496-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6f1ea6c227..e5d8311fbc 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1649,6 +1649,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (entries >= UINT_MAX / sizeof(*sc->stts_data)) return AVERROR(EINVAL); + av_free(sc->stts_data); sc->stts_data = av_malloc(entries * sizeof(*sc->stts_data)); if (!sc->stts_data) return AVERROR(ENOMEM); From 44079902c49e526f464bb4eb855665e1af867e91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 13 Jan 2014 14:43:23 +0200 Subject: [PATCH 0726/1037] mov: Free intermediate arrays in the normal cleanup function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These arrays are normally freed at the end of mov_read_trak, but make sure they're freed in case mov_read_trak returned early (due to errors) or in case the atoms that allocate arrays are encountered at some other point than within a trak (which we don't have checks against). Sample-Id: 00000496-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit d51f09962d5b4bc999fb70c040f330dd1873212e) 
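Review bot: Freeing `sc->stts_data` here can leave the array gone while the entry count stored by an earlier stts atom is unchanged: if `av_malloc()` fails, the function returns with a NULL array and whatever count was there before. The count field is not visible in this hunk (it should be `stts_count`), so confirm this against the rest of `mov_read_stts`; if it holds, add `sc->stts_count = 0;` next to the `av_free()`. The sibling atom readers may replace their arrays the same way, and this patch does not touch them.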
Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 8c547067b7..6f1ea6c227 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2758,6 +2758,14 @@ static int mov_read_close(AVFormatContext *s) av_freep(&sc->drefs); if (sc->pb && sc->pb != s->pb) avio_close(sc->pb); + + av_freep(&sc->chunk_offsets); + av_freep(&sc->stsc_data); + av_freep(&sc->sample_sizes); + av_freep(&sc->keyframes); + av_freep(&sc->stts_data); + av_freep(&sc->stps_data); + av_freep(&sc->rap_group); } if (mov->dv_demux) { From 299c5dcfb0cd3debdf07943edfb46f4aeb02ca91 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0727/1037] h264: reset num_reorder_frames if it is invalid An invalid VUI is not considered a fatal error, so the SPS containing it may still be used. Leaving an invalid value of num_reorder_frames there can result in writing over the bounds of H264Context.delayed_pic. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c) Signed-off-by: Reinhard Tartler Conflicts: libavcodec/h264_ps.c --- libavcodec/h264_ps.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index ff6c077ed3..fad2d7735b 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -236,7 +236,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){ } if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){ - av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames); + av_log(h->s.avctx, AV_LOG_ERROR, "Clipping illegal num_reorder_frames %d\n", + sps->num_reorder_frames); + sps->num_reorder_frames = 16; return -1; } } From 3cc8d9bc1ffc6c0888960fb009f12fa3047bb663 Mon Sep 17 00:00:00 2001 
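Review bot: In the `decode_vui_parameters` hunk the log text now says "Clipping" but the function still returns -1 on the next line, and nothing in the code says why the field is rewritten on a failing path. A comment such as `/* the SPS may still be used after a rejected VUI; keep this within H264Context.delayed_pic */` would carry the reasoning from the commit message into the source. The literal 16 now appears in both the comparison and the assignment, so tying both to one named bound would keep them from drifting apart. The function starts and ends outside the hunk.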
From: Michael Niedermayer Date: Sun, 19 Jan 2014 15:28:25 +0000 Subject: [PATCH 0728/1037] vc1: Always reset numref when parsing a new frame header. Fixes an issue where the B-frame coding mode switches from interlaced fields to interlaced frames, causing incorrect decisions in the motion compensation code and resulting in visual artifacts. CC: libav-stable@libav.org Signed-off-by: Tim Walker (cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa) Signed-off-by: Reinhard Tartler --- libavcodec/vc1.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 21449bdb6d..d2e1e69b20 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -826,6 +826,7 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) int mbmodetab, imvtab, icbptab, twomvbptab, fourmvbptab; /* useful only for debugging */ int scale, shift, i; /* for initializing LUT for intensity compensation */ + v->numref = 0; v->p_frame_skipped = 0; if (v->second_field) { v->s.pict_type = (v->fptype & 1) ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I; @@ -992,8 +993,6 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) v->reffield = get_bits1(gb); v->ref_field_type[0] = v->reffield ^ !v->cur_field_type; } - } else { - v->numref = 0; } if (v->extended_mv) v->mvrange = get_unary(gb, 0, 3); From 03bfd8419fbaf9c72b293457437bd508dea64736 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 12 Dec 2013 07:34:13 +0100 Subject: [PATCH 0729/1037] mathematics: remove asserts from av_rescale_rnd() It is a public function, it must not assert on its parameters. (cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0) Signed-off-by: Reinhard Tartler --- libavutil/mathematics.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 137683eb96..1a38f64823 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c 
@@ -23,7 +23,6 @@ * miscellaneous math routines and tables */ -#include #include #include @@ -58,9 +57,9 @@ int64_t av_gcd(int64_t a, int64_t b){ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd){ int64_t r=0; - assert(c > 0); - assert(b >=0); - assert((unsigned)rnd<=5 && rnd!=4); + + if (c <= 0 || b < 0 || rnd == 4 || rnd > 5) + return INT64_MIN; if(a<0 && a != INT64_MIN) return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd>>1)&1)); From bf7c240a50f8ed99a42e08bb7a8a70262cce34ad Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0730/1037] oggparseogm: check timing variables Fixes a potential divide by zero. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 75647dea6f7db79b409bad66a119f5c73da730f3) Signed-off-by: Reinhard Tartler --- libavformat/oggparseogm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index 56ea5575f2..23136257bf 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -75,6 +75,11 @@ ogm_header(AVFormatContext *s, int idx) time_unit = bytestream2_get_le64(&p); spu = bytestream2_get_le64(&p); + if (!time_unit || !spu) { + av_log(s, AV_LOG_ERROR, "Invalid timing values.\n"); + return AVERROR_INVALIDDATA; + } + bytestream2_skip(&p, 4); /* default_len */ bytestream2_skip(&p, 8); /* buffersize + bits_per_sample */ From 62ed6da016b789eee00e0fff517df4a254e12e5d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0731/1037] h264: check that an IDR NAL only contains I slices Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 8b2e5e42bb9d6a59ede5af2e6df4aaf7750d1195) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 29c81966c9..b256969b6e 100644 
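Review bot: The new guard in `av_rescale_rnd` tests `rnd > 5` where the removed assert tested `(unsigned)rnd<=5`, so a negative `rnd` is rejected only if the compiler gives `enum AVRounding` an unsigned underlying type. Keeping the cast makes that independent of the implementation: `if (c <= 0 || b < 0 || rnd == 4 || (unsigned)rnd > 5)`. The `INT64_MIN` error return is also a value callers must now recognise, so it belongs in the function's public documentation, which is not part of this diff.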
--- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2655,6 +2655,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0) h->slice_type = slice_type; h->slice_type_nos = slice_type & 3; + if (h->nal_unit_type == NAL_IDR_SLICE && + h->slice_type_nos != AV_PICTURE_TYPE_I) { + av_log(h->s.avctx, AV_LOG_ERROR, "A non-intra slice in an IDR NAL unit.\n"); + return AVERROR_INVALIDDATA; + } + // to make a few old functions happy, it's wrong though s->pict_type = h->slice_type; From 27f60e2b0b419066619c738b3c9b9376a83ed4b1 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 2 Feb 2014 13:08:08 -0500 Subject: [PATCH 0732/1037] Update Changelog for 9.11 --- Changelog | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Changelog b/Changelog index 594a6ff929..bc18fef496 100644 --- a/Changelog +++ b/Changelog 
@@ -1,5 +1,35 @@ Releases are sorted from youngest to oldest. +version 9.11: +- oggparseogm: check timing variables +- mathematics: remove asserts from av_rescale_rnd() +- vc1: Always reset numref when parsing a new frame header. +- h264: reset num_reorder_frames if it is invalid +- h264: check that an IDR NAL only contains I slices +- mov: Free an earlier allocated array if allocating a new one +- mov: Free intermediate arrays in the normal cleanup function +- segafilm: fix leaks if reading the header fails +- h264_cavlc: check the size of the intra PCM data. +- h263: Check init_get_bits return value +- cavsdec: check ff_get_buffer() return value +- cavs: Check for negative cbp +- avi: DV in AVI must be considered single stream +- vmnc: Check the cursor dimensions +- vmnc: Port to bytestream2 +- vmnc: K&R formatting cosmetics +- flashsv: Check diff_start diff_height values +- dsputil/pngdsp: fix signed/unsigned type in end comparison (CVE-2013-7010, CVE-2013-7014) +- lavf: make av_probe_input_buffer more robust (CVE-2012-6618) +- lavf: use a fixed width type +- lavf: simplify handling of offset in av_probe_input_buffer() +- prores: Error out only on surely incomplete ac_coeffs +- shorten: Fix out-of-array read +- prores: Add a codepath for decoding errors +- nut: Fix unchecked allocations +- avi: directly resync on DV in AVI read failure +- mov: Don't allocate arrays with av_malloc that will be realloced +- shorten: Extend fixed_coeffs to properly support pred_order 0 + version 9.10: - alac: Do bounds checking of lpc_order read from the bitstream - ape: Don't allow the seektable to be omitted From 10238ada6dac6680ea06f40eeae4a68a6d75823e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jan 2014 02:53:32 +0100 Subject: [PATCH 0733/1037] cmdutils: update year Signed-off-by: Michael Niedermayer --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index d44050fe6f..1068baf3d8 100644 --- a/cmdutils.c 
+++ b/cmdutils.c @@ -65,7 +65,7 @@ struct SwsContext *sws_opts; SwrContext *swr_opts; AVDictionary *format_opts, *codec_opts; -const int this_year = 2013; +const int this_year = 2014; static FILE *report_file; From e04f68f7c522d44b2d68fd832ff76d27b72cb47f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Jan 2014 20:09:48 +0100 Subject: [PATCH 0734/1037] dnxhdenc: fix mb_rc size Fixes out of array access with RC_VARIANCE set to 0 Signed-off-by: Michael Niedermayer (cherry picked from commit f1caaa1c61310beba705957e6366f0392a0b005b) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhdenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index 0d1a396d18..1d3fdbd97e 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -235,7 +235,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias) static int dnxhd_init_rc(DNXHDEncContext *ctx) { - FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail); + FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail); if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD) FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail); From 7adf4a92a17dfa26b03869fe842336db9ed21b4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Jan 2014 18:08:18 +0100 Subject: [PATCH 0735/1037] avcodec/vmnc: Check that rectangles are within the picture Prevents out of array accesses with CODEC_FLAG_EMU_EDGE Signed-off-by: Michael Niedermayer (cherry picked from commit 6ba02602aa7fc7d38db582e75b8b093fb3c1608d) Conflicts: libavcodec/vmnc.c Signed-off-by: Michael Niedermayer (cherry picked from commit 7c17207ab9acfaa934e8feb8fba90765c9d0b989) Signed-off-by: Michael Niedermayer --- libavcodec/vmnc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index eb39fc923d..051e700462 100644 
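Review bot: In `8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry)` the first product is evaluated in `int` before the multiplication by `sizeof`, so a large `qmax` would overflow before the size reaches the allocator; the permitted range of `qmax` is not visible here. Promoting first, `(size_t)8160 * (ctx->m.avctx->qmax + 1) * sizeof(RCEntry)`, avoids relying on that range. The constant 8160 is also unexplained while the next allocation is sized from `ctx->m.mb_num`; a comment saying which limit it represents would help a reader check how `mb_rc` is indexed.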
--- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -276,6 +276,11 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, const uint8_t* src, int } xy = *src++; wh = *src++; + if ( (xy >> 4) + (wh >> 4) + 1 > w - i + || (xy & 0xF) + (wh & 0xF)+1 > h - j) { + av_log(c->avctx, AV_LOG_ERROR, "Rectangle outside picture\n"); + return AVERROR_INVALIDDATA; + } paint_rect(dst2, xy >> 4, xy & 0xF, (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride); } } From 74821341b9aca0be0938f1eabe3aabc1d3a004e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jan 2014 19:16:02 +0100 Subject: [PATCH 0736/1037] avcodec/takdec: always check bits_per_raw_sample Fixes out of array access Fixes: asan_heap-oob_19c7a94_6470_cov_1453611734_luckynight-partial.tak Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f58eab151214d2d35ff0973f2b3e51c5eb372da4) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 86c1a7dda5..a904401c00 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -732,11 +732,9 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - if (s->ti.bps != avctx->bits_per_raw_sample) { - avctx->bits_per_raw_sample = s->ti.bps; - if ((ret = set_bps_params(avctx)) < 0) - return ret; - } + avctx->bits_per_raw_sample = s->ti.bps; + if ((ret = set_bps_params(avctx)) < 0) + return ret; if (s->ti.sample_rate != avctx->sample_rate) { avctx->sample_rate = s->ti.sample_rate; set_sample_rate_params(avctx); From af74599e66b1313bf8e73e14dcd41e60e5e5c8dc Mon Sep 17 00:00:00 2001 
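Review bot: The new bound in `decode_hextile` compares the sub-rectangle against `w - i` and `h - j`, presumably the area left in the picture from the current tile's origin rather than the tile's own size, and nothing in the code says that this is intended. A one-line comment above the check, e.g. `/* sub-rectangle must fit in what is left of the picture from this tile's origin */`, would make explicit the invariant that `paint_rect` relies on. The function starts and ends outside the hunk, so the meaning of `i` and `j` is inferred from their use here.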
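Review bot: In `tak_decode_frame`, `avctx->bits_per_raw_sample` is overwritten with `s->ti.bps` before `set_bps_params()` has accepted it, so on the error return the context keeps the rejected value. That is presumably why the old `!=` shortcut had to go, and a comment would stop it from being reintroduced as an optimisation: `/* always re-validate: a failed call leaves the rejected bps stored in avctx */`. The function continues outside the hunk.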
From: Michael Niedermayer Date: Sat, 1 Feb 2014 19:04:37 +0100 Subject: [PATCH 0737/1037] avcodec/vc1: reset fcm/field_mode in non advanced header parsing Fixes NULL pointer dereference Fixes: signal_sigsegv_1ab8bf4_2847_cov_4254117347_SA10091.vc1 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b51e9354772de446e8196dabf9aad1567b22f74d) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index d988668029..0d4077ba96 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -581,6 +581,8 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) { int pqindex, lowquant, status; + v->field_mode = 0; + v->fcm = 0; if (v->finterpflag) v->interpfrm = get_bits1(gb); if (!v->s.avctx->codec) From c06f8bac204a2c8274533f183ad61d2a985f693d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Aug 2013 01:07:57 +0200 Subject: [PATCH 0738/1037] avformat/utils: fix av_probe_input_buffer2() so it returns the probe score Signed-off-by: Michael Niedermayer (cherry picked from commit c4810fbe4f53d312ba70f251f7ee4f484cbca565) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 1be62f19c3..89bc141fe4 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -436,6 +436,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, unsigned char *buf = NULL; uint8_t *mime_type; int ret = 0, probe_size, buf_offset = 0; + int score = 0; if (!max_probe_size) { max_probe_size = PROBE_BUF_MAX; 
@@ -458,12 +459,12 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt; probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { - int score = probe_size < max_probe_size ? AVPROBE_SCORE_RETRY : 0; void *buftmp; if (probe_size < offset) { continue; } + score = probe_size < max_probe_size ? AVPROBE_SCORE_RETRY : 0; /* read probe data */ buftmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); @@ -504,7 +505,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, /* rewind. reuse probe buffer to avoid seeking */ ret = ffio_rewind_with_probe_data(pb, &buf, pd.buf_size); - return ret; + return ret < 0 ? ret : score; } /* open input file and probe the format if necessary */ From 82b44665e98256cd335ac35b4b6f1d46d82126cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jan 2014 22:14:02 +0100 Subject: [PATCH 0739/1037] avformat/utils/av_probe_input_buffer2: Fix pd.buf_size Signed-off-by: Michael Niedermayer (cherry picked from commit 6a2064820b52568c05a9ec8f418f18840e7c43cc) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 9d1dad1807..3a736d18e0 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -482,7 +482,8 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, score = 0; ret = 0; /* error was end of file, nothing read */ } - pd.buf_size = buf_offset += ret; + buf_offset += ret; + pd.buf_size = buf_offset - offset; pd.buf = &buf[offset]; memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE); From 3994eebb1e8765a96197811f33fd98a7add4380a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jan 2014 22:17:12 +0100 Subject: [PATCH 0740/1037] avformat/utils/av_probe_input_buffer2: fix offset check The check could fail if avio_read() read less than requested 
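Review bot: `return ret < 0 ? ret : score;` changes what success looks like for `av_probe_input_buffer`, the function named in the hunk header, although the subject refers to `av_probe_input_buffer2`. It used to return `ret`, presumably 0 after a successful rewind, and now returns a non-negative score. Any caller that treats a non-zero result as failure would start rejecting valid input; call sites are outside this diff and should be checked for `< 0` tests. The return-value documentation should state the new contract, for example `@return the probe score on success, a negative AVERROR code otherwise`.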
Signed-off-by: Michael Niedermayer (cherry picked from commit 8c3b026a0eeb49464d957b61b0c01cceecc416fd) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 3a736d18e0..bd02da6d41 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -461,9 +461,6 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) { void *buftmp; - if (probe_size < offset) { - continue; - } score = probe_size < max_probe_size ? AVPROBE_SCORE_RETRY : 0; /* read probe data */ @@ -483,6 +480,8 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, ret = 0; /* error was end of file, nothing read */ } buf_offset += ret; + if (buf_offset < offset) + continue; pd.buf_size = buf_offset - offset; pd.buf = &buf[offset]; From ee3ce73bfb29cfa5a0f0202b0357304af4ba8f9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jan 2014 22:17:12 +0100 Subject: [PATCH 0741/1037] avformat/utils/av_probe_input_buffer2: fix buffer passed to ffio_rewind_with_probe_data() Signed-off-by: Michael Niedermayer (cherry picked from commit 05886c9d4edddb07a4cdc6afee8b30cd9c80b4db) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index bd02da6d41..8e5ec48154 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -503,7 +503,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, } /* rewind. reuse probe buffer to avoid seeking */ - ret = ffio_rewind_with_probe_data(pb, &buf, pd.buf_size); + ret = ffio_rewind_with_probe_data(pb, &buf, buf_offset); return ret < 0 ? ret : score; } From a5c3f596d1f7e092f928f48e8a21de5096d21e05 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 13 Jan 2014 22:37:31 +0100 Subject: [PATCH 0742/1037] avformat/utils: av_probe_input_buffer2 decrease difference to libav This removes the initialization of 2 unused fields The change was part of c1868e7ee7b07b40a0fe15f50df89fe499a01a50 but wasnt merged as the fields could still be used Signed-off-by: Michael Niedermayer (cherry picked from commit 05c78f345b623a3eed203ab17da6e1419d56abd0) Conflicts: libavformat/utils.c --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 8e5ec48154..48882bed95 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -432,7 +432,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, const char *filename, void *logctx, unsigned int offset, unsigned int max_probe_size) { - AVProbeData pd = { filename ? filename : "", NULL, -offset }; + AVProbeData pd = { filename ? filename : "" }; uint8_t *buf = NULL; uint8_t *mime_type; int ret = 0, probe_size, buf_offset = 0; From d2a065437a96b5ab73f15362fe3d5cde3c61f160 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0743/1037] rpza: limit the number of blocks to the total remaining blocks in the frame Fixes invalid writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599) Signed-off-by: Luca Barbato --- libavcodec/rpza.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 59b15c6d4f..63ea706749 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -38,6 +38,7 @@ #include #include +#include "libavutil/common.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" @@ -126,6 +127,8 @@ static void rpza_decode_stream(RpzaContext *s) } } + n_blocks = FFMIN(n_blocks, total_blocks); + switch (opcode & 0xe0) { /* Skip blocks */ 
From 0c1a15db467b9513a10ba074d5d80b9e35fa907d Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Fri, 21 Feb 2014 10:31:39 +0100 Subject: [PATCH 0744/1037] configure: Add missing dependency of Snow decoder on videodsp --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 6ab04ae322..d2b412290d 100755 --- a/configure +++ b/configure @@ -1562,7 +1562,7 @@ rv30_decoder_select="error_resilience golomb h264chroma h264pred h264qpel mpegvi rv40_decoder_select="error_resilience golomb h264chroma h264pred h264qpel mpegvideo" shorten_decoder_select="golomb" sipr_decoder_select="lsp" -snow_decoder_select="dwt rangecoder" +snow_decoder_select="dwt rangecoder videodsp" snow_encoder_select="aandcttables dwt error_resilience mpegvideoenc rangecoder" svq1_decoder_select="error_resilience mpegvideo" svq1_encoder_select="aandcttables error_resilience mpegvideoenc" From 675cf1cdedfba9f37baca59a6a68c64679ee2f4c Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 28 Feb 2014 19:22:56 -0500 Subject: [PATCH 0745/1037] Prepare for 9.12 RELEASE --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index d4ce17d7db..5cb42eb14b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.11 +9.12 From 8ba514117b9f224bea10a8aa431daaa645e2fbef Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0746/1037] Add missing header to fix compilation after d2a0654 Signed-off-by: Reinhard Tartler --- libavcodec/rpza.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 63ea706749..d8d689cce3 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -41,6 +41,7 @@ #include "libavutil/common.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" +#include "libavutil/common.h" #include "avcodec.h" typedef struct RpzaContext { From 3e3805b7fae6bda01e40462079028f8e6bfedea9 Mon Sep 17 00:00:00 2001 
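Review bot: In the rpza.c hunk, the added `#include "libavutil/common.h"` duplicates the include that the hunk's first context line already shows three lines above it. The earlier rpza change in this series (d2a0654, per the subject) added that line, so the file ends up including the header twice. This is harmless with include guards, but the second copy should be dropped.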
From: Justin Ruggles Date: Thu, 30 Jan 2014 14:08:38 -0500 Subject: [PATCH 0747/1037] samplefmt: avoid integer overflow in av_samples_get_buffer_size() CC:libav-stable@libav.org (cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6) --- libavutil/samplefmt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavutil/samplefmt.c b/libavutil/samplefmt.c index 389f726d65..bff600447c 100644 --- a/libavutil/samplefmt.c +++ b/libavutil/samplefmt.c @@ -118,6 +118,8 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples, /* auto-select alignment if not specified */ if (!align) { + if (nb_samples > INT_MAX - 31) + return AVERROR(EINVAL); align = 1; nb_samples = FFALIGN(nb_samples, 32); } From f1a7bfea41e56067c3bf4864159c87cdda613c19 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0748/1037] shorten: pad the internal bitstream buffer Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6) --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 22976e0137..31bd943fb3 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -441,7 +441,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, void *tmp_ptr; s->max_framesize = 1024; // should hopefully be enough for the first header tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size, - s->max_framesize); + s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE); if (!tmp_ptr) { av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n"); return AVERROR(ENOMEM); From 13fd80837f85f7d33bfb857ce9a3f33455cf4b3d Mon Sep 17 00:00:00 2001 
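Review bot: In the shorten.c hunk the buffer is now allocated with `FF_INPUT_BUFFER_PADDING_SIZE` extra bytes, but `av_fast_realloc()` does not clear memory and nothing in this hunk zeroes the padding. A bitstream reader that runs past the payload would then read uninitialised bytes instead of zeros, so the code that copies data into `s->bitstream` (outside the hunk) should end with a `memset(..., 0, FF_INPUT_BUFFER_PADDING_SIZE)` over the tail. This hunk also covers only the initial 1024-byte allocation; any later resize of `s->bitstream` needs the same padding.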
From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0749/1037] truemotion1: check the header size Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602) --- libavcodec/truemotion1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 63cd05b66c..2421dacbf3 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -322,6 +322,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return -1; } + if (header.header_size + 1 > s->size) { + av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n"); + return AVERROR_INVALIDDATA; + } + /* unscramble the header bytes with a XOR operation */ for (i = 1; i < header.header_size; i++) header_buffer[i - 1] = s->buf[i] ^ s->buf[i + 1]; From 7c70cee29cdfef3ae8446875f0cb9f7b05c3e3e8 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Thu, 20 Feb 2014 02:38:32 +0100 Subject: [PATCH 0750/1037] h264: Lower bound check for slice offsets And use the value from the specification. Sample-Id: 00000451-google Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Luca Barbato (cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45) (cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 18 ++++++++++-------- libavcodec/h264_loopfilter.c | 8 ++++---- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index b256969b6e..03c1d07ff1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -3157,8 +3157,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0) get_se_golomb(&s->gb); /* slice_qs_delta */ h->deblocking_filter = 1; - h->slice_alpha_c0_offset = 52; - h->slice_beta_offset = 52; + h->slice_alpha_c0_offset = 0; + h->slice_beta_offset = 0; if (h->pps.deblocking_filter_parameters_present) { tmp = get_ue_golomb_31(&s->gb); if (tmp > 2) { @@ -3171,10 +3171,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0) h->deblocking_filter ^= 1; // 1<->0 if (h->deblocking_filter) { - h->slice_alpha_c0_offset += get_se_golomb(&s->gb) << 1; - h->slice_beta_offset += get_se_golomb(&s->gb) << 1; - if (h->slice_alpha_c0_offset > 104U || - h->slice_beta_offset > 104U) { + h->slice_alpha_c0_offset = get_se_golomb(&s->gb) * 2; + h->slice_beta_offset = get_se_golomb(&s->gb) * 2; + if (h->slice_alpha_c0_offset > 12 || + h->slice_alpha_c0_offset < -12 || + h->slice_beta_offset > 12 || + h->slice_beta_offset < -12) { av_log(s->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", h->slice_alpha_c0_offset, h->slice_beta_offset); @@ -3211,7 +3213,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) } } } - h->qp_thresh = 15 + 52 - + h->qp_thresh = 15 + FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) - FFMAX3(0, h->pps.chroma_qp_index_offset[0], @@ -3280,7 +3282,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) h->ref_count[0], h->ref_count[1], s->qscale, h->deblocking_filter, - h->slice_alpha_c0_offset / 2 - 26, h->slice_beta_offset / 2 - 26, + h->slice_alpha_c0_offset, h->slice_beta_offset, h->use_weight, h->use_weight == 1 && h->use_weight_chroma ? "c" : "", h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : ""); diff --git a/libavcodec/h264_loopfilter.c b/libavcodec/h264_loopfilter.c index b045d2388a..4417d79bf0 100644 --- a/libavcodec/h264_loopfilter.c +++ b/libavcodec/h264_loopfilter.c 
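Review bot: In the hunk at -3171 the two offsets are written into `h->slice_alpha_c0_offset` and `h->slice_beta_offset` before the range test runs, so a rejected slice header leaves out-of-range values in the decoder context. The loop filter in h264_loopfilter.c (later in this patch) derives `a` and `b` from those fields, so it is safer to parse into locals and store them only after validation. Whether any path reaches the filter after this error is not visible here, and the error return itself lies outside the hunk.

```c
if (h->deblocking_filter) {
    int alpha = get_se_golomb(&s->gb) * 2;
    int beta  = get_se_golomb(&s->gb) * 2;
    if (alpha > 12 || alpha < -12 ||
        beta  > 12 || beta  < -12) {
        av_log(s->avctx, AV_LOG_ERROR,
               "deblocking filter parameters %d %d out of range\n",
               alpha, beta);
        /* … unchanged: error return … */
    }
    /* commit to the context only once both values are known to be in range */
    h->slice_alpha_c0_offset = alpha;
    h->slice_beta_offset     = beta;
```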
@@ -254,8 +254,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h, int top_type= h->top_type; int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8); - int a = h->slice_alpha_c0_offset - qp_bd_offset; - int b = h->slice_beta_offset - qp_bd_offset; + int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset; + int b = 52 + h->slice_beta_offset - qp_bd_offset; int mb_type = s->current_picture.f.mb_type[mb_xy]; int qp = s->current_picture.f.qscale_table[mb_xy]; @@ -711,8 +711,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint av_unused int dir; int chroma = !(CONFIG_GRAY && (s->flags&CODEC_FLAG_GRAY)); int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8); - int a = h->slice_alpha_c0_offset - qp_bd_offset; - int b = h->slice_beta_offset - qp_bd_offset; + int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset; + int b = 52 + h->slice_beta_offset - qp_bd_offset; if (FRAME_MBAFF // and current and left pair do not have the same interlaced type From b4d72f901c96f526dc1090a77bf84cec4d2e000d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0751/1037] lagarith: reallocate rgb_planes when needed Fixes invalid writes on pixel format changes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b) --- libavcodec/lagarith.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 33dd8b0c53..5290d390b4 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -53,6 +53,7 @@ typedef struct LagarithContext { int zeros; /**< number of consecutive zero bytes encountered */ int zeros_rem; /**< number of zero bytes remaining to output */ uint8_t *rgb_planes; + int rgb_planes_allocated; int rgb_stride; } LagarithContext; 
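Review bot: `rgb_planes_allocated` is declared `int` in LagarithContext, but lag_decode_frame() in the next hunk passes its address to av_fast_malloc(), whose size argument is an `unsigned int *`. Declaring the field as `unsigned int rgb_planes_allocated;` avoids the incompatible-pointer conversion and matches how the allocator treats the value. The field would also benefit from a Doxygen comment in the style of `zeros` and `zeros_rem` above it, e.g. `/**< allocated size of rgb_planes in bytes */`.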
@@ -557,13 +558,12 @@ static int lag_decode_frame(AVCodecContext *avctx, offs[1] = offset_gu; offs[2] = offset_ry; + l->rgb_stride = FFALIGN(avctx->width, 16); + av_fast_malloc(&l->rgb_planes, &l->rgb_planes_allocated, + l->rgb_stride * avctx->height * planes + 1); if (!l->rgb_planes) { - l->rgb_stride = FFALIGN(avctx->width, 16); - l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * planes + 1); - if (!l->rgb_planes) { - av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n"); - return AVERROR(ENOMEM); - } + av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n"); + return AVERROR(ENOMEM); } for (i = 0; i < planes; i++) srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride; From 8883b5f85bfe35509633bc590d19b6a1b495690e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 22 Feb 2014 11:19:03 +0100 Subject: [PATCH 0752/1037] h264: Fix a typo from the previous commit f777504f640260337974848c7d5d7a3f064bbb45 changed a - in + CC: libav-stable@libav.org (cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c) (cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86) --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 03c1d07ff1..d6d3d42495 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3213,7 +3213,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) } } } - h->qp_thresh = 15 + + h->qp_thresh = 15 - FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) - FFMAX3(0, h->pps.chroma_qp_index_offset[0], From aa2a3ca27a3269e2b975686652204607fad8bc49 Mon Sep 17 00:00:00 2001 From: Keiji Costantini Date: Sat, 1 Mar 2014 18:17:04 +0000 Subject: [PATCH 0753/1037] ituh263: reject b-frame with pp_time = 0 Avoid a division by 0 in ff_mpeg4_set_one_direct_mv. Sample-Id: 00000168-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Vittorio Giovara (cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f) (cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2) --- libavcodec/ituh263dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index cb26be21df..3cbc7b84d2 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -753,6 +753,8 @@ int ff_h263_decode_mb(MpegEncContext *s, } if(IS_DIRECT(mb_type)){ + if (!s->pp_time) + return AVERROR_INVALIDDATA; s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT; mb_type |= ff_mpeg4_set_direct_mv(s, 0, 0); }else{ From 798c715f4fa5cde37456af6202a32ee62cfb96d9 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 2 Mar 2014 02:11:05 -0500 Subject: [PATCH 0754/1037] configure: enable PIC on s390(x) The s390 architecture requires shared libraries to be built in PIC mode. Otherwise applications will get wrong relocations at run-time, leading to confusing segmentation faults. CC: libav-stable@libav.org (cherry picked from commit 5ddc9f5052316608799b932c604f9e7561f8ce24) (cherry picked from commit 7509c2c4ea2180733cc60ab1a0e0fe4ce2f02a69) --- configure | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/configure b/configure index d2b412290d..d65c112c3b 100755 --- a/configure +++ b/configure @@ -2818,6 +2818,10 @@ case "$arch" in check_64bit ppc ppc64 'sizeof(void *) > 4' spic=$shared ;; + s390) + check_64bit s390 s390x 'sizeof(void *) > 4' + spic=$shared + ;; sparc) check_64bit sparc sparc64 'sizeof(void *) > 4' spic=$shared From 460b9482834e248fa5861d2d88bf9f19ec313d68 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 5 Mar 2014 12:44:57 +0100 Subject: [PATCH 0755/1037] arm: hpeldsp: prevent overreads in armv6 asm Based on a patch by Russel King Bug-Id: 646 CC: libav-stable@libav.org --- libavcodec/arm/dsputil_armv6.S | 20 ++++++++++++-------- libavutil/arm/asm.S | 7 +++++++ 2 files changed, 19 insertions(+), 8 deletions(-) 
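Review bot: The new `if (!s->pp_time)` guard in ff_h263_decode_mb() carries no comment, and the reason for it is recorded only in the commit message. A line such as `/* pp_time is used as a divisor when the direct motion vectors are derived */` above the check would keep it from being removed later as apparently dead code. The enclosing function begins and ends outside the hunk.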
diff --git a/libavcodec/arm/dsputil_armv6.S b/libavcodec/arm/dsputil_armv6.S index 61535a121f..616f5c0f33 100644 --- a/libavcodec/arm/dsputil_armv6.S +++ b/libavcodec/arm/dsputil_armv6.S @@ -132,11 +132,12 @@ function ff_put_pixels8_y2_armv6, export=1 uhadd8 r9, r5, r7 eor r11, r5, r7 and r10, r10, r12 - ldr_pre r4, r1, r2 + ldrc_pre ne, r4, r1, r2 uadd8 r8, r8, r10 and r11, r11, r12 uadd8 r9, r9, r11 - ldr r5, [r1, #4] + it ne + ldrne r5, [r1, #4] uhadd8 r10, r4, r6 eor r6, r4, r6 uhadd8 r11, r5, r7 @@ -144,10 +145,11 @@ function ff_put_pixels8_y2_armv6, export=1 eor r7, r5, r7 uadd8 r10, r10, r6 and r7, r7, r12 - ldr_pre r6, r1, r2 + ldrc_pre ne, r6, r1, r2 uadd8 r11, r11, r7 strd_post r8, r9, r0, r2 - ldr r7, [r1, #4] + it ne + ldrne r7, [r1, #4] strd_post r10, r11, r0, r2 bne 1b @@ -192,13 +194,15 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1 1: subs r3, r3, #2 uhadd8 r8, r4, r6 - ldr_pre r4, r1, r2 + ldrc_pre ne, r4, r1, r2 uhadd8 r9, r5, r7 - ldr r5, [r1, #4] + it ne + ldrne r5, [r1, #4] uhadd8 r12, r4, r6 - ldr_pre r6, r1, r2 + ldrc_pre ne, r6, r1, r2 uhadd8 r14, r5, r7 - ldr r7, [r1, #4] + it ne + ldrne r7, [r1, #4] stm r0, {r8,r9} add r0, r0, r2 stm r0, {r12,r14} diff --git a/libavutil/arm/asm.S b/libavutil/arm/asm.S index a1817892f0..f088857f1d 100644 --- a/libavutil/arm/asm.S +++ b/libavutil/arm/asm.S @@ -212,6 +212,13 @@ T ldr \rt, [\rn] T add \rn, \rn, \rm .endm +.macro ldrc_pre cc, rt, rn, rm:vararg +A ldr\cc \rt, [\rn, \rm]! +T itt \cc +T add\cc \rn, \rn, \rm +T ldr\cc \rt, [\rn] +.endm + .macro ldrd_reg rt, rt2, rn, rm A ldrd \rt, \rt2, [\rn, \rm] T add \rt, \rn, \rm From 8b0880ff1b532831d44441df595e75bdb20a6329 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2013 17:45:54 +0200 Subject: [PATCH 0756/1037] avcodec/avpacket/av_packet_split_side_data: ensure that side data padding is initialized Signed-off-by: Michael Niedermayer (cherry picked from commit 240fd8c96f59ebe9dcfc4152a1086cd3f63400c0) 
Signed-off-by: Michael Niedermayer (cherry picked from commit 1e48318802b3caa493a40c0584afc30cc866d9d0) Signed-off-by: Michael Niedermayer --- libavcodec/avpacket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 516f1c972b..c8724de346 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -283,7 +283,7 @@ int av_packet_split_side_data(AVPacket *pkt){ for (i=0; ; i++){ size= AV_RB32(p); av_assert0(size<=INT_MAX && p - pkt->data >= size); - pkt->side_data[i].data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE); + pkt->side_data[i].data = av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE); pkt->side_data[i].size = size; pkt->side_data[i].type = p[4]&127; if (!pkt->side_data[i].data) From 67c3e3de55a43c0df0ca510baf1985c8ff5991eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Oct 2013 18:38:48 +0200 Subject: [PATCH 0757/1037] avutil/opt: initialize ret Fixes CID1108610 Fixes use of uninitialized variable Signed-off-by: Michael Niedermayer (cherry picked from commit 2d8ccf0adcae09cb9e14b01cfe20e4d77c3bbf5d) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 61c76daa6e..3e0ed75aa5 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -249,7 +249,7 @@ int av_set_string3(void *obj, const char *name, const char *val, int alloc, cons int av_opt_set(void *obj, const char *name, const char *val, int search_flags) { - int ret; + int ret = 0; void *dst, *target_obj; const AVOption *o = av_opt_find2(obj, name, NULL, 0, search_flags, &target_obj); if (!o || !target_obj) From 15d96c605bf213b4e07c6b8d08cebf8595832f9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Oct 2013 23:27:28 +0100 Subject: [PATCH 0758/1037] avcodec/jpeglsdec: check err value for ls_get_code_runterm() Fixes infinite loop Fixes Ticket3086 
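Review bot: Initialising with `int ret = 0;` in av_opt_set() removes the uninitialised read, but it also means the path that previously left `ret` unset now reports success to the caller. The code that assigns `ret` is outside the hunk, so it is worth confirming which path that is. If it is one where the option was not actually applied, an explicit error assignment on that path would fail closed rather than silently succeed.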
Signed-off-by: Michael Niedermayer (cherry picked from commit cc0e47b55096361723b364afa43b79a3f5619cdc) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 4ab68da8b4..60bf569a1f 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -142,6 +142,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, int RI ret = ret >> 1; } + if(FFABS(ret) > 0xFFFF) + return -0x10000; /* update state */ state->A[Q] += FFABS(ret) - RItype; ret *= state->twonear; From aeccfca26842402304dedb985f1d1955f2fa8e7d Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 15 Nov 2013 01:09:06 +0000 Subject: [PATCH 0759/1037] avcodec/libopusenc: change default frame duration to 20 ms 20 ms is used by libopus encoder. Signed-off-by: Paul B Mahol (cherry picked from commit 74906d3727ec3bd9b7b28dfa7a98ff6e8cf8b6d7) Signed-off-by: Michael Niedermayer --- doc/encoders.texi | 2 +- libavcodec/libopusenc.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/encoders.texi b/doc/encoders.texi index 32d77ee43d..22c125743a 100644 --- a/doc/encoders.texi +++ b/doc/encoders.texi @@ -749,7 +749,7 @@ Set maximum frame size, or duration of a frame in milliseconds. The argument must be exactly the following: 2.5, 5, 10, 20, 40, 60. Smaller frame sizes achieve lower latency but less quality at a given bitrate. Sizes greater than 20ms are only interesting at fairly low bitrates. -The default of FFmpeg is 10ms, but is 20ms in @command{opusenc}. +The default is 20ms. @item packet_loss (@emph{expect-loss}) Set expected packet loss percentage. The default is 0. diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index d198798929..b34bd836ac 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c 
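Review bot: `-0x10000` is returned in-band from ls_get_code_runterm() as an error marker, and neither it nor the `0xFFFF` limit is named or documented. The patch changes no call site (one hunk, two insertions), so the hunk cannot confirm that every caller tells the marker apart from a legitimately decoded value. A comment at the check, e.g. `/* residual out of range: return a value no valid code can produce so the caller can stop */`, or a named constant shared with the caller, would make the contract explicit.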
@@ -375,7 +375,7 @@ static const AVOption libopus_options[] = { { "voip", "Favor improved speech intelligibility", 0, AV_OPT_TYPE_CONST, { .i64 = OPUS_APPLICATION_VOIP }, 0, 0, FLAGS, "application" }, { "audio", "Favor faithfulness to the input", 0, AV_OPT_TYPE_CONST, { .i64 = OPUS_APPLICATION_AUDIO }, 0, 0, FLAGS, "application" }, { "lowdelay", "Restrict to only the lowest delay modes", 0, AV_OPT_TYPE_CONST, { .i64 = OPUS_APPLICATION_RESTRICTED_LOWDELAY }, 0, 0, FLAGS, "application" }, - { "frame_duration", "Duration of a frame in milliseconds", OFFSET(frame_duration), AV_OPT_TYPE_FLOAT, { .dbl = 10.0 }, 2.5, 60.0, FLAGS }, + { "frame_duration", "Duration of a frame in milliseconds", OFFSET(frame_duration), AV_OPT_TYPE_FLOAT, { .dbl = 20.0 }, 2.5, 60.0, FLAGS }, { "packet_loss", "Expected packet loss percentage", OFFSET(packet_loss), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 100, FLAGS }, { "vbr", "Variable bit rate mode", OFFSET(vbr), AV_OPT_TYPE_INT, { .i64 = 1 }, 0, 2, FLAGS, "vbr" }, { "off", "Use constant bit rate", 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, 0, 0, FLAGS, "vbr" }, From 1997487f67ec486546b6cd21f38546e8ca042cb8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Dec 2013 23:30:34 +0100 Subject: [PATCH 0760/1037] avutil/log: skip IO calls on empty strings These occur when no context is set for example, thus they are common Signed-off-by: Michael Niedermayer (cherry picked from commit a044a183a3fb90b20a8deaa3ea1158510bcdd420) Signed-off-by: Michael Niedermayer --- libavutil/log.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavutil/log.c b/libavutil/log.c index 49dd4d1897..bdb4be0f91 100644 --- a/libavutil/log.c +++ b/libavutil/log.c @@ -101,6 +101,9 @@ static int use_color = -1; static void colored_fputs(int level, const char *str) { + if (!*str) + return; + if (use_color < 0) { #if HAVE_SETCONSOLETEXTATTRIBUTE CONSOLE_SCREEN_BUFFER_INFO con_info; From c6a4083c29e00f769b770964016f694f55c1560c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 2 Feb 2014 00:10:43 +0100 Subject: [PATCH 0761/1037] avdevice/v4l2: only use frame period from v4l2 if valid There is evidence that some drivers do not set a valid value See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718805 Signed-off-by: Michael Niedermayer (cherry picked from commit 4aa4533ee8b51a1e6bdc4fbffaf90aa2b14e2c9f) Conflicts: libavdevice/v4l2.c --- libavdevice/v4l2.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 88cacd9545..00686a490d 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -735,8 +735,11 @@ static int v4l2_set_parameters(AVFormatContext *s1) return AVERROR(errno); } } - s1->streams[0]->codec->time_base.den = tpf->denominator; - s1->streams[0]->codec->time_base.num = tpf->numerator; + if (tpf->denominator > 0 && tpf->numerator > 0) { + s1->streams[0]->codec->time_base.den = tpf->denominator; + s1->streams[0]->codec->time_base.num = tpf->numerator; + } else + av_log(s1, AV_LOG_WARNING, "Time per frame unknown\n"); return 0; } From 51231fa6f6e8daddf56be89bbfd509aeb94ccf2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Feb 2014 00:11:16 +0100 Subject: [PATCH 0762/1037] avdevice/v4l2: only use average frame rate if set It might be unset on some platforms with some drivers and some input Signed-off-by: Michael Niedermayer (cherry picked from commit 0997c2504b25cbc2856800fc063395dcd40b2bf7) Conflicts: libavdevice/v4l2.c --- libavdevice/v4l2.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 00686a490d..002329e14e 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c 
@@ -495,16 +495,18 @@ static int init_convert_timestamp(AVFormatContext *ctx, int64_t ts) return 0; } #if HAVE_CLOCK_GETTIME && defined(CLOCK_MONOTONIC) - now = av_gettime_monotonic(); - if (s->ts_mode == V4L_TS_MONO2ABS || - (ts <= now + 1 * AV_TIME_BASE && ts >= now - 10 * AV_TIME_BASE)) { - int64_t period = av_rescale_q(1, ctx->streams[0]->codec->time_base, - AV_TIME_BASE_Q); - av_log(ctx, AV_LOG_INFO, "Detected monotonic timestamps, converting\n"); - /* microseconds instead of seconds, MHz instead of Hz */ - s->timefilter = ff_timefilter_new(1, period, 1.0E-6); - s->ts_mode = V4L_TS_CONVERT_READY; - return 0; + if (ctx->streams[0]->codec->time_base.den) { + now = av_gettime_monotonic(); + if (s->ts_mode == V4L_TS_MONO2ABS || + (ts <= now + 1 * AV_TIME_BASE && ts >= now - 10 * AV_TIME_BASE)) { + int64_t period = av_rescale_q(1, ctx->streams[0]->codec->time_base, + AV_TIME_BASE_Q); + av_log(ctx, AV_LOG_INFO, "Detected monotonic timestamps, converting\n"); + /* microseconds instead of seconds, MHz instead of Hz */ + s->timefilter = ff_timefilter_new(1, period, 1.0E-6); + s->ts_mode = V4L_TS_CONVERT_READY; + return 0; + } } #endif av_log(ctx, AV_LOG_ERROR, "Unknown timestamps\n"); @@ -892,7 +894,8 @@ static int v4l2_read_header(AVFormatContext *s1) st->codec->codec_tag = MKTAG('Y', 'V', '1', '2'); st->codec->width = s->width; st->codec->height = s->height; - st->codec->bit_rate = s->frame_size * 1/av_q2d(st->codec->time_base) * 8; + if (st->codec->time_base.num) + st->codec->bit_rate = s->frame_size * 1/av_q2d(st->codec->time_base) * 8; out: return res; From b0b02a210109473cbc8d3bb8d7a6bcf4eb6ebb68 Mon Sep 17 00:00:00 2001 
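Review bot: The two guards added here test different halves of the same rational: init_convert_timestamp() checks `time_base.den`, while v4l2_read_header() checks `time_base.num`. The previous patch only sets the time base when both numerator and denominator are positive, so a reader cannot tell from either site that "time base unknown" is the condition being tested. Testing both fields in both places, e.g. `if (st->codec->time_base.num && st->codec->time_base.den)`, would state that directly and would not rely on the fields being zero together. The `bit_rate` expression also converts a double to int without a range check; whether `frame_size` is bounded enough for that is not visible in the hunk.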
From: Michael Niedermayer Date: Fri, 7 Feb 2014 15:07:23 +0100 Subject: [PATCH 0763/1037] avcodec/wmalosslessdec: fix mclms_coeffs* array size Fixes corruption of context Fixes: 8835659dde6a4f7dcdf341de6a45c6c8-signal_sigsegv_1dce67b_4564_cov_2504444599_classical_22_16_1_14000_v3c_0_extend_0_29.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ec9578d54d09b64bf112c2bf7a34b1ef3b93dbd3) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 4f372619ee..8d56ea0594 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -127,8 +127,8 @@ typedef struct WmallDecodeCtx { int8_t mclms_order; int8_t mclms_scaling; - int16_t mclms_coeffs[128]; - int16_t mclms_coeffs_cur[4]; + int16_t mclms_coeffs[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS * 32]; + int16_t mclms_coeffs_cur[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS]; int16_t mclms_prevvalues[WMALL_MAX_CHANNELS * 2 * 32]; int16_t mclms_updates[WMALL_MAX_CHANNELS * 2 * 32]; int mclms_recent; From 694c3a13c9489c6e05f88486b489dd0746d114fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Feb 2014 13:59:51 +0100 Subject: [PATCH 0764/1037] avformat/mpegtsenc: Check data array size in mpegts_write_pmt() Prevents out of array writes Signed-off-by: Michael Niedermayer (cherry picked from commit 842b6c14bcfc1c5da1a2d288fd65386eb8c158ad) Conflicts: libavformat/mpegtsenc.c (cherry picked from commit e87de3f50b765134588d0b048c32ed4b8acc16fb) Signed-off-by: Michael Niedermayer --- libavformat/mpegtsenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 56b9d8506a..d09e4a012a 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c 
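Review bot: The literal `32` in the new size of `mclms_coeffs` is the same unnamed factor used by `mclms_prevvalues` and `mclms_updates` just below, and nothing in WmallDecodeCtx says what it bounds. The hunk also shows no check that ties the parsed `mclms_order` and channel count to these capacities, and that validation, if present, is outside the visible lines. Defining the factor once as a named constant and using it both in the declarations and in that validation would keep array sizes and bounds from diverging again. A comment on each array giving its indexing would help as well, e.g. `/* order * channels * channels entries */` if that is the layout.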
@@ -255,7 +255,7 @@ static void mpegts_write_pat(AVFormatContext *s) data, q - data); } -static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) +static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) { MpegTSWrite *ts = s->priv_data; uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr; @@ -308,6 +308,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) stream_type = STREAM_TYPE_PRIVATE_DATA; break; } + + if (q - data > sizeof(data) - 32) + return AVERROR(EINVAL); + *q++ = stream_type; put16(&q, 0xe000 | ts_st->pid); desc_length_ptr = q; @@ -339,7 +343,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) len_ptr = q++; *len_ptr = 0; - for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) { + for (p = lang->value; next && *len_ptr < 255 / 4 * 4 && q - data < sizeof(data) - 4; p = next + 1) { next = strchr(p, ','); if (strlen(p) != 3 && (!next || next != p + 3)) continue; /* not a 3-letter code */ @@ -401,6 +405,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) } mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0, data, q - data); + return 0; } /* NOTE: str == NULL is accepted for an empty string */ From 0c58c165ab51260ba2e6cb606b8057a7c9783ef3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2014 23:08:52 +0100 Subject: [PATCH 0765/1037] avcodec/msrle: use av_image_get_linesize() to calculate the linesize Fixes out of array access Fixes: 14a74a0a2dc67ede543f0e35d834fbbe-asan_heap-oob_49572c_556_cov_215466444_44_001_engine_room.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c919e1ca2ecfc47d796382973ba0e48b8f6f92a2) Conflicts: libavcodec/msrle.c (cherry picked from commit bc1c8ec5e65098fd2ccd8456f667151dfc9cda42) 
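Review bot: mpegts_write_pmt() now returns `AVERROR(EINVAL)` when the section buffer is nearly full, but the patch touches no call site, so the error appears to be dropped and the PMT is silently not written. The callers, which are outside the visible hunks, should at least check and log the result. The 32-byte margin in `q - data > sizeof(data) - 32` is also unexplained, and the descriptors written after the check, other than the language list, are not visible, so it cannot be confirmed that none of them exceeds it. A comment such as `/* worst-case bytes written per stream before the next check */`, with the figure justified, would make the bound reviewable.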
Signed-off-by: Michael Niedermayer --- libavcodec/msrle.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index 5b7ba7fdad..847f115fba 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -35,6 +35,7 @@ #include "avcodec.h" #include "dsputil.h" #include "msrledec.h" +#include "libavutil/imgutils.h" typedef struct MsrleContext { AVCodecContext *avctx; @@ -112,7 +113,7 @@ static int msrle_decode_frame(AVCodecContext *avctx, /* FIXME how to correctly detect RLE ??? */ if (avctx->height * istride == avpkt->size) { /* assume uncompressed */ - int linesize = (avctx->width * avctx->bits_per_coded_sample + 7) / 8; + int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0); uint8_t *ptr = s->frame.data[0]; uint8_t *buf = avpkt->data + (avctx->height-1)*istride; int i, j; From ff5647b253f89e6f31882d1ae91563ff9376dd31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Feb 2014 20:49:42 +0100 Subject: [PATCH 0766/1037] avcodec/ansi: fix integer overflow Fixes out of array read Fixes: 5f9698e86d92f19bb08d54ff0d57027f-signal_sigsegv_b30756_3795_cov_2693691257_ansi256.ans Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d42ec8433c687fcbccefa51a7716d81920218e4f) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index e705da6281..f0351aba6b 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -415,7 +415,7 @@ static int decode_frame(AVCodecContext *avctx, switch(buf[0]) { case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': - if (s->nb_args < MAX_NB_ARGS) + if (s->nb_args < MAX_NB_ARGS && s->args[s->nb_args] < 6553) s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0'; break; case ';': 
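Review bot: av_image_get_linesize() returns a negative error code when it cannot compute a size, and the new `linesize` in msrle_decode_frame() is used unchecked. The copy loop that consumes it is outside the hunk, but a negative length reaching a memcpy-style call would be converted to a very large size. A guard after the declarations, `if (linesize < 0) return linesize;`, closes that. It is also worth confirming that `linesize` cannot exceed `istride`, since the packet-size test above is based on `istride`.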
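Review bot: The limit `6553` added to the digit case in ansi.c is a bare number with no explanation. It stops accumulation once the argument reaches 6553, so `args * 10 + digit` stays at or below 65529, but a reader has to work that out. A comment such as `/* cap the argument so the multiply by 10 cannot overflow */` or a named constant would document the intent. Digits beyond the cap are silently ignored rather than rejected, which may be intended but is worth stating in the same comment.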
From 50169747db0ce8c87515d640605f69d82462f366 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Feb 2014 02:53:14 +0100 Subject: [PATCH 0767/1037] avcodec/snow: split block clipping checks Fixes out of array read Fixes: d4476f68ca1c1c57afbc45806f581963-asan_heap-oob_2266b27_8607_cov_4044577381_snow_chroma_bug.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 61d59703c91869f4e5cdacd8d6be52f8b89d4ba4) Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 2565988a57..a87d7398d0 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -313,7 +313,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer if(!sliced && !offset_dst) dst -= src_x; src_x=0; - }else if(src_x + b_w > w){ + } + if(src_x + b_w > w){ b_w = w - src_x; } if(src_y<0){ @@ -322,7 +323,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer if(!sliced && !offset_dst) dst -= src_y*dst_stride; src_y=0; - }else if(src_y + b_h> h){ + } + if(src_y + b_h> h){ b_h = h - src_y; } From d891fc9181dd8ea7485ddaac68db888c5c5dd28c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Mar 2014 02:40:19 +0100 Subject: [PATCH 0768/1037] avcodec/utvideoenc: fix slice_bits size Fixes assertion failure Signed-off-by: Michael Niedermayer (cherry picked from commit 0a8c90202bb906747168a698b6837496f82c717c) Conflicts: libavcodec/utvideoenc.c (cherry picked from commit 57522ca79cc38c279123596d3288ddbf56fa8903) Signed-off-by: Michael Niedermayer --- libavcodec/utvideoenc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index 7167278351..17c42456c4 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c 
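Review bot: After both clips run, neither hunk in add_yblock() checks that `b_w` and `b_h` are still positive. With `src_x` at or beyond `w` (or `src_y` at or beyond `h`), the assignments `b_w = w - src_x` and `b_h = h - src_y` yield zero or negative sizes. Whether the function returns early for that case is not visible, because it continues outside the hunks. If it does not, `if (b_w <= 0 || b_h <= 0) return;` directly after the clipping would close the gap.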
@@ -468,7 +468,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, * get the offset in bits and convert to bytes. */ offset += write_huff_codes(dst + sstart * width, c->slice_bits, - width * (send - sstart), width, + width * height + 4, width, send - sstart, he) >> 3; slice_len = offset - slice_len; @@ -525,8 +525,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, bytestream2_init_writer(&pb, dst, pkt->size); - av_fast_malloc(&c->slice_bits, &c->slice_bits_size, - width * height + FF_INPUT_BUFFER_PADDING_SIZE); + av_fast_padded_malloc(&c->slice_bits, &c->slice_bits_size, width * height + 4); if (!c->slice_bits) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer 2.\n"); From 26e1bccec65d73ee37b5a76791e52cdd6c21658e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Mar 2014 04:14:03 +0100 Subject: [PATCH 0769/1037] update for 1.1.9 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 18efdb9ae6..512a1faa68 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.8 +1.1.9 diff --git a/VERSION b/VERSION index 18efdb9ae6..512a1faa68 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.8 +1.1.9 diff --git a/doc/Doxyfile b/doc/Doxyfile index 5292ce9845..fe8b250c2d 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.8 +PROJECT_NUMBER = 1.1.9 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From cb95c1935f43ee6ae7fd15439df0f674e809f180 Mon Sep 17 00:00:00 2001 
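Review bot: The size `width * height + 4` now appears twice, once in the av_fast_padded_malloc() call in utvideo_encode_frame() and once as the capacity passed to write_huff_codes() in encode_plane(), and the bound is only valid while the two stay identical. Computing it in one place, or passing the allocated capacity down to encode_plane(), would remove that coupling. The `+ 4` is also unexplained and deserves a comment stating what it reserves. The product is computed in `int`, and the dimension limits that keep it from overflowing are not visible in these hunks.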
From: Michael Niedermayer Date: Thu, 13 Dec 2012 15:07:20 +0100 Subject: [PATCH 0770/1037] qt-faststart: Check offset_count before reading from the moov_atom buffer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit bb95334c34d0d9abccea370ae25c4765d7764ab8) (cherry picked from commit 7754d4838178a5c09c3c3953bb2b90d1abc639e3) --- tools/qt-faststart.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tools/qt-faststart.c b/tools/qt-faststart.c index f33d6fa80c..47f5c73cb9 100644 --- a/tools/qt-faststart.c +++ b/tools/qt-faststart.c @@ -225,6 +225,10 @@ int main(int argc, char *argv[]) goto error_out; } offset_count = BE_32(&moov_atom[i + 8]); + if (i + 12 + offset_count * UINT64_C(4) > moov_atom_size) { + printf(" bad atom size/element count\n"); + goto error_out; + } for (j = 0; j < offset_count; j++) { current_offset = BE_32(&moov_atom[i + 12 + j * 4]); current_offset += moov_atom_size; @@ -242,6 +246,10 @@ int main(int argc, char *argv[]) goto error_out; } offset_count = BE_32(&moov_atom[i + 8]); + if (i + 12 + offset_count * UINT64_C(8) > moov_atom_size) { + printf(" bad atom size/element count\n"); + goto error_out; + } for (j = 0; j < offset_count; j++) { current_offset = BE_64(&moov_atom[i + 12 + j * 8]); current_offset += moov_atom_size; From 7a2254ab26b24255a4d6ea476ba5fd38525a9bb3 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sat, 8 Mar 2014 11:52:14 +0100 Subject: [PATCH 0771/1037] arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6 The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41 broke the computation for the last row since it prevented the safe reading from the height+1-th row. --- libavcodec/arm/dsputil_armv6.S | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/libavcodec/arm/dsputil_armv6.S b/libavcodec/arm/dsputil_armv6.S index 616f5c0f33..2230613d41 100644 
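Review bot: Both new checks in qt-faststart bound the offset table by `moov_atom_size`, that is, by the whole moov buffer rather than by the stco or co64 atom being patched. That stops the read past the buffer, but an `offset_count` larger than the atom itself still lets the loop walk over bytes of whatever follows it inside moov and adjust them as if they were offsets (the store is outside the hunk). If the atom's own length is available at this point, which is inferred since it would be read outside the hunk, comparing against it would be the tighter test. The two checks differ only in element width and could share a small helper.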
--- a/libavcodec/arm/dsputil_armv6.S +++ b/libavcodec/arm/dsputil_armv6.S @@ -132,12 +132,11 @@ function ff_put_pixels8_y2_armv6, export=1 uhadd8 r9, r5, r7 eor r11, r5, r7 and r10, r10, r12 - ldrc_pre ne, r4, r1, r2 + ldr_pre r4, r1, r2 uadd8 r8, r8, r10 and r11, r11, r12 uadd8 r9, r9, r11 - it ne - ldrne r5, [r1, #4] + ldr r5, [r1, #4] uhadd8 r10, r4, r6 eor r6, r4, r6 uhadd8 r11, r5, r7 @@ -194,10 +193,9 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1 1: subs r3, r3, #2 uhadd8 r8, r4, r6 - ldrc_pre ne, r4, r1, r2 + ldr_pre r4, r1, r2 uhadd8 r9, r5, r7 - it ne - ldrne r5, [r1, #4] + ldr r5, [r1, #4] uhadd8 r12, r4, r6 ldrc_pre ne, r6, r1, r2 uhadd8 r14, r5, r7 From a32e45df82751784f9461f01310e63f4bed721dc Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Mon, 23 Dec 2013 01:03:48 +0100 Subject: [PATCH 0772/1037] configure: Support preprocessor macros as header names New versions of FreeType have moved the location of their API header(s) and hide the location behind a macro. Since the location changes between versions and no other way to know the location exists, this workaround becomes necessary. Signed-off-by: Luca Barbato (cherry picked from commit 52ccc4a0ece88030e67254418317d72089a0ecc8) Signed-off-by: Luca Barbato --- configure | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/configure b/configure index d65c112c3b..2734003b3b 100755 --- a/configure +++ b/configure @@ -738,6 +738,13 @@ check_ld(){ check_cmd $ld $LDFLAGS $flags $(ld_o $TMPE) $TMPO $libs $extralibs } +print_include(){ + hdr=$1 + test "${hdr%.h}" = "${hdr}" && + echo "#include $hdr" || + echo "#include <$hdr>" +} + check_code(){ log check_code "$@" check=$1 @@ -746,7 +753,7 @@ check_code(){ shift 3 { for hdr in $headers; do - echo "#include <$hdr>" + print_include $hdr done echo "int main(void) { $code; return 0; }" } | check_$check "$@" 
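Review bot: print_include() treats any name that does not end in `.h` as a preprocessor macro, and that rule is not written down anywhere. A header with another suffix passed to check_code or check_func_headers would be emitted as `#include name` without angle brackets and would fail the test for the wrong reason. A comment above the function, e.g. `# names without a .h suffix are taken to be macros that expand to a header (FT_FREETYPE_H)`, would make the convention explicit. The `test … && echo … || echo …` chain would also be clearer as an `if`/`else`, since the `||` branch runs when the first `echo` fails too.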
@@ -822,7 +829,7 @@ check_func_headers(){ shift 2 { for hdr in $headers; do - echo "#include <$hdr>" + print_include $hdr done for func in $funcs; do echo "long check_$func(void) { return (long) $func; }" From 29b3ca743dd02efbe00565c0b997e735e4daa772 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 5 Jan 2014 12:30:45 +0100 Subject: [PATCH 0773/1037] drawtext: Drop pointless header It should be forward compatible with newer freetype. (cherry picked from commit d68dc3c9446e38b4d686cc0f55433c9e8d7c128b) Signed-off-by: Luca Barbato --- libavfilter/vf_drawtext.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index f8800d2820..70f034fce4 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -47,7 +47,6 @@ #include "video.h" #include -#include #include FT_FREETYPE_H #include FT_GLYPH_H From b00444c0bbbc78ae477ec697d6569893609f420d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 21 Dec 2013 17:59:59 +0100 Subject: [PATCH 0774/1037] configure: Update freetype check to follow upstream The freetype tutorial suggests to use #include FT_FREETYPE_H. Bug-Id: 616 Signed-off-by: Luca Barbato (cherry picked from commit e61b8fa5605b16a02a2a0ea75afbfc31d7832bba) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 2734003b3b..569d29a6c3 100755 --- a/configure +++ b/configure 
@@ -3492,7 +3492,7 @@ enabled frei0r && { check_header frei0r.h || die "ERROR: frei0r.h header not enabled gnutls && require_pkg_config gnutls gnutls/gnutls.h gnutls_global_init enabled libfaac && require2 libfaac "stdint.h faac.h" faacEncGetVersion -lfaac enabled libfdk_aac && require libfdk_aac fdk-aac/aacenc_lib.h aacEncOpen -lfdk-aac -enabled libfreetype && require_pkg_config freetype2 "ft2build.h freetype/freetype.h" FT_Init_FreeType +enabled libfreetype && require_pkg_config freetype2 "ft2build.h FT_FREETYPE_H" FT_Init_FreeType enabled libgsm && require libgsm gsm/gsm.h gsm_create -lgsm enabled libilbc && require libilbc ilbc.h WebRtcIlbcfix_InitDecode -lilbc enabled libmp3lame && require "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_quality -lmp3lame From f1a2364cebe472a98a5ea157071f4eee4429ce9f Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 13 Mar 2014 20:57:03 -0400 Subject: [PATCH 0775/1037] Update Changelog for 9.12 --- Changelog | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/Changelog b/Changelog index bc18fef496..1c4114f2d2 100644 --- a/Changelog +++ b/Changelog 
@@ -1,5 +1,25 @@ Releases are sorted from youngest to oldest. +version 9.12: +- configure: Update freetype check to follow upstream +- drawtext: Drop pointless header +- configure: Support preprocessor macros as header names +- arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6 +- qt-faststart: Check offset_count before reading from the moov_atom buffer +- arm: hpeldsp: prevent overreads in armv6 asm +- configure: enable PIC on s390(x) +- ituh263: reject b-frame with pp_time = 0 +- lagarith: reallocate rgb_planes when needed +- truemotion1: check the header size +- shorten: pad the internal bitstream buffer +- samplefmt: avoid integer overflow in av_samples_get_buffer_size() +- h264: Fix a typo from the previous commit +- h264: Lower bound check for slice offsets +- Add missing header to fix compilation after d2a0654 +- configure: Add missing dependency of Snow decoder on videodsp +- rpza: limit the number of blocks to the total remaining blocks in the frame + + version 9.11: - oggparseogm: check timing variables - mathematics: remove asserts from av_rescale_rnd() From d791e8c990a752435d993df01516ebe469d94535 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 12 Mar 2014 13:46:04 +0200 Subject: [PATCH 0776/1037] doc: Point to the correct, actually maintained gas-preprocessor repo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit d15c536123a44362ace6299c391a492c90b83fc7) Signed-off-by: Martin Storsjö --- doc/platform.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/platform.texi b/doc/platform.texi index da08962e01..c2a73033db 100644 --- a/doc/platform.texi +++ b/doc/platform.texi 
@@ -51,8 +51,8 @@ The toolchain provided with Xcode is sufficient to build the basic unacelerated code. OS X on PowerPC or ARM (iPhone) requires a preprocessor from -@url{http://github.com/yuvi/gas-preprocessor} to build the optimized -assembler functions. Just download the Perl script and put it somewhere +@url{git://git.libav.org/gas-preprocessor.git} to build the optimized +assembler functions. Put the Perl script somewhere in your PATH, Libav's configure will pick it up automatically. OS X on AMD64 and x86 requires @command{yasm} to build most of the From cf4099161a33643ca620796a4dc4d183c5b48b3a Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 4 Nov 2013 16:22:27 +0100 Subject: [PATCH 0777/1037] avformat/mov: only force parsing for video tracks if stss is empty Fixes playback of some AAC streams, which are otherwise mangled by the parser, and stss is typically only valid for video anyway. Fixes a regression since e41ea866. Signed-off-by: Michael Niedermayer (cherry picked from commit 019247bdc326a90bf20d3ce5d2413cc642e8bb08) --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0f0c411373..4f12f0f8f8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1684,7 +1684,7 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) { sc->keyframe_absent = 1; - if (!st->need_parsing) + if (!st->need_parsing && st->codec->codec_type == AVMEDIA_TYPE_VIDEO) st->need_parsing = AVSTREAM_PARSE_HEADERS; return 0; } From c6f2ad9f944d07379072553a310bedc94cd2e74f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Feb 2014 06:32:51 +0100 Subject: [PATCH 0778/1037] avformat/mov: fix keyframe flags for sample from chromium Issue 340865 Fixes ticket #3362. Signed-off-by: Michael Niedermayer (cherry picked from commit a0911b059763b8f13c70adcbbe71e10382855104) --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/libavformat/mov.c b/libavformat/mov.c index 4f12f0f8f8..bab6d73586 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2027,6 +2027,11 @@ static void mov_build_index(MOVContext *mov, AVStream *st) rap_group_index++; } } + if (sc->keyframe_absent + && !sc->stps_count + && !rap_group_present + && st->codec->codec_type == AVMEDIA_TYPE_AUDIO) + keyframe = 1; if (keyframe) distance = 0; sample_size = sc->alt_sample_size > 0 ? sc->alt_sample_size : sc->sample_sizes[current_sample]; From 4c1e4bc6af1596995e895cd7da9f3b436051114c Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 29 Mar 2014 13:10:29 -0400 Subject: [PATCH 0779/1037] Prepare for 9.13 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 5cb42eb14b..2645a7f91a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.12 +9.13 From fc53a09909ae046dbe4d339bffc744cfc328253e Mon Sep 17 00:00:00 2001 From: Johan Andersson Date: Sat, 4 Jan 2014 20:47:32 +0100 Subject: [PATCH 0780/1037] cmdutils: update copyright year to 2014. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 7ce88e5ec41484c452da56853a6897803da9c2a5) --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 8fa608233a..b65326bf59 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -56,7 +56,7 @@ struct SwsContext *sws_opts; AVDictionary *format_opts, *codec_opts; -static const int this_year = 2013; +static const int this_year = 2014; void init_opts(void) { From af40847681b978441fdd25276685414f9e17820a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 10:15:24 +0100 Subject: [PATCH 0781/1037] h264: check buffer size before accessing it Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
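Review bot: The new four-part condition that forces `keyframe = 1` has no comment, and the commit message only points at an external issue number, so the reason audio samples are marked as keyframes here cannot be recovered from the code. A short comment above the `if` would do, e.g. `/* no sync information at all (keyframe_absent, no stps, no rap group): treat every audio sample as a keyframe */`. `mov_build_index` starts and ends outside this hunk.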
diff --git a/libavcodec/h264.c b/libavcodec/h264.c index d6d3d42495..20fa82cae2 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3941,7 +3941,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size, s->workaround_bugs |= FF_BUG_TRUNCATED; if (!(s->workaround_bugs & FF_BUG_TRUNCATED)) - while (ptr[dst_length - 1] == 0 && dst_length > 0) + while (dst_length > 0 && ptr[dst_length - 1] == 0) dst_length--; bit_length = !dst_length ? 0 : (8 * dst_length - From 30e58e65e543d04d5e52bf188b31abf4dd41a104 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Nov 2013 19:06:23 +0100 Subject: [PATCH 0782/1037] h264_refs: make sure not to write over the bounds of the default ref list Fixes invalid writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264_refs.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 0e4bd76931..81c5f798d6 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -62,20 +62,22 @@ static int split_field_copy(Picture *dest, Picture *src, return match; } -static int build_def_list(Picture *def, Picture **in, int len, int is_long, int sel){ +static int build_def_list(Picture *def, int def_len, + Picture **in, int len, int is_long, int sel) +{ int i[2]={0}; int index=0; - while(i[0]f.reference & sel))) i[0]++; while (i[1] < len && !(in[ i[1] ] && (in[ i[1] ]->f.reference & (sel^3)))) i[1]++; - if(i[0] < len){ + if (i[0] < len && index < def_len) { in[ i[0] ]->pic_id= is_long ? i[0] : in[ i[0] ]->frame_num; split_field_copy(&def[index++], in[ i[0]++ ], sel , 1); } - if(i[1] < len){ + if (i[1] < len && index < def_len) { in[ i[1] ]->pic_id= is_long ? i[1] : in[ i[1] ]->frame_num; split_field_copy(&def[index++], in[ i[1]++ ], sel^3, 0); } 
@@ -123,9 +125,12 @@ int ff_h264_fill_default_ref_list(H264Context *h){ len= add_sorted(sorted , h->short_ref, h->short_ref_count, cur_poc, 1^list); len+=add_sorted(sorted+len, h->short_ref, h->short_ref_count, cur_poc, 0^list); assert(len<=32); - len= build_def_list(h->default_ref_list[list] , sorted , len, 0, s->picture_structure); - len+=build_def_list(h->default_ref_list[list]+len, h->long_ref, 16 , 1, s->picture_structure); - assert(len<=32); + + len = build_def_list(h->default_ref_list[list], FF_ARRAY_ELEMS(h->default_ref_list[0]), + sorted, len, 0, s->picture_structure); + len += build_def_list(h->default_ref_list[list] + len, + FF_ARRAY_ELEMS(h->default_ref_list[0]) - len, + h->long_ref, 16, 1, s->picture_structure); if(len < h->ref_count[list]) memset(&h->default_ref_list[list][len], 0, sizeof(Picture)*(h->ref_count[list] - len)); @@ -138,9 +143,12 @@ int ff_h264_fill_default_ref_list(H264Context *h){ FFSWAP(Picture, h->default_ref_list[1][0], h->default_ref_list[1][1]); } }else{ - len = build_def_list(h->default_ref_list[0] , h->short_ref, h->short_ref_count, 0, s->picture_structure); - len+= build_def_list(h->default_ref_list[0]+len, h-> long_ref, 16 , 1, s->picture_structure); - assert(len <= 32); + len = build_def_list(h->default_ref_list[0], FF_ARRAY_ELEMS(h->default_ref_list[0]), + h->short_ref, h->short_ref_count, 0, s->picture_structure); + len += build_def_list(h->default_ref_list[0] + len, + FF_ARRAY_ELEMS(h->default_ref_list[0]) - len, + h-> long_ref, 16, 1, s->picture_structure); + if(len < h->ref_count[0]) memset(&h->default_ref_list[0][len], 0, sizeof(Picture)*(h->ref_count[0] - len)); } From 1147d39bca135df8673031d16989ba486a52172a Mon Sep 17 00:00:00 2001 
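Review bot: With the `assert(len<=32)` lines after `build_def_list()` removed, the following `memset(&h->default_ref_list[list][len], 0, sizeof(Picture)*(h->ref_count[list] - len))` is the remaining write that is not bounded by the array size. It is limited by `h->ref_count[list]`, and nothing in these hunks shows that value being held to `FF_ARRAY_ELEMS(h->default_ref_list[0])`. Similarly, `sorted` is still covered only by the `assert(len<=32)` that runs after both `add_sorted()` calls have written to it, and that check disappears in builds that define NDEBUG. If those limits are enforced where `ref_count` and `short_ref_count` are parsed, a comment next to the `memset` saying so would make the invariant checkable; otherwise clamp the `memset` length to the array size. The same pattern repeats in the `else` branch of the second hunk, and `ff_h264_fill_default_ref_list` extends beyond both hunks.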
From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0783/1037] h264: reset data_partitioning if decoding the slice header for NAL_DPA fails If it was set before then we can end up trying to decode a slice without a valid slice header, which can lead to invalid memory access. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 58312b2472d3a44d7458865c459d59ef2e02bf1a) --- libavcodec/h264.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 20fa82cae2..7acc5a7019 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -4061,8 +4061,13 @@ again: hx->intra_gb_ptr = hx->inter_gb_ptr = NULL; - if ((err = decode_slice_header(hx, h)) < 0) + if ((err = decode_slice_header(hx, h)) < 0) { + /* make sure data_partitioning is cleared if it was set + * before, so we don't try decoding a slice without a valid + * slice header later */ + s->data_partitioning = 0; break; + } hx->s.data_partitioning = 1; break; From b6a0f5cde808d84626f07b11c381cc6ef0954940 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0784/1037] h264: do not use 422 functions for monochrome Fixes invalid memory access. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/arm/h264dsp_init_arm.c | 2 +- libavcodec/h264dsp.c | 12 ++++++------ libavcodec/h264pred.c | 10 +++++----- libavcodec/ppc/h264_altivec.c | 2 +- libavcodec/x86/h264_intrapred_init.c | 20 ++++++++++---------- libavcodec/x86/h264dsp_init.c | 14 +++++++------- 6 files changed, 30 insertions(+), 30 deletions(-) diff --git a/libavcodec/arm/h264dsp_init_arm.c b/libavcodec/arm/h264dsp_init_arm.c index b4277a514f..761d96dda2 100644 --- a/libavcodec/arm/h264dsp_init_arm.c +++ b/libavcodec/arm/h264dsp_init_arm.c 
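Review bot: The failure path clears `s->data_partitioning` while the success path two lines later sets `hx->s.data_partitioning`, so the flag being reset may not be the one that was set by an earlier NAL_DPA. The declaration of `s` is outside this hunk; if it refers to the main context and `hx` is a per-slice context, a stale `hx->s.data_partitioning` would survive the error. Consider clearing the same field that is set, `hx->s.data_partitioning = 0;`, or both.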
@@ -88,7 +88,7 @@ static void ff_h264dsp_init_neon(H264DSPContext *c, const int bit_depth, const i c->h264_idct_dc_add = ff_h264_idct_dc_add_neon; c->h264_idct_add16 = ff_h264_idct_add16_neon; c->h264_idct_add16intra = ff_h264_idct_add16intra_neon; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_neon; c->h264_idct8_add = ff_h264_idct8_add_neon; c->h264_idct8_dc_add = ff_h264_idct8_dc_add_neon; diff --git a/libavcodec/h264dsp.c b/libavcodec/h264dsp.c index 1353c1a72f..877302c2aa 100644 --- a/libavcodec/h264dsp.c +++ b/libavcodec/h264dsp.c @@ -54,13 +54,13 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo c->h264_idct8_dc_add= FUNC(ff_h264_idct8_dc_add, depth);\ c->h264_idct_add16 = FUNC(ff_h264_idct_add16, depth);\ c->h264_idct8_add4 = FUNC(ff_h264_idct8_add4, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_idct_add8 = FUNC(ff_h264_idct_add8, depth);\ else\ c->h264_idct_add8 = FUNC(ff_h264_idct_add8_422, depth);\ c->h264_idct_add16intra= FUNC(ff_h264_idct_add16intra, depth);\ c->h264_luma_dc_dequant_idct= FUNC(ff_h264_luma_dc_dequant_idct, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma_dc_dequant_idct, depth);\ else\ c->h264_chroma_dc_dequant_idct= FUNC(ff_h264_chroma422_dc_dequant_idct, depth);\ 
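Review bot: The repeated `chroma_format_idc <= 1` test now folds two cases into one without saying so; a reader has to go to the commit subject to learn that the extra value is monochrome. A comment at the first use in each init function would make the intent visible, e.g. `/* chroma_format_idc 0 (monochrome) uses the same functions as 1; only higher values take the 422 variants */`. Every `else` branch still sends any value above 1 to the `422`/`8x16` functions; whether another chroma format can reach these init functions is not visible here and is worth confirming. The same applies to the hunks in h264dsp.c, h264pred.c, ppc/h264_altivec.c, x86/h264_intrapred_init.c and x86/h264dsp_init.c.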
@@ -81,20 +81,20 @@ void ff_h264dsp_init(H264DSPContext *c, const int bit_depth, const int chroma_fo c->h264_h_loop_filter_luma_intra= FUNC(h264_h_loop_filter_luma_intra, depth);\ c->h264_h_loop_filter_luma_mbaff_intra= FUNC(h264_h_loop_filter_luma_mbaff_intra, depth);\ c->h264_v_loop_filter_chroma= FUNC(h264_v_loop_filter_chroma, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma, depth);\ else\ c->h264_h_loop_filter_chroma= FUNC(h264_h_loop_filter_chroma422, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma_mbaff, depth);\ else\ c->h264_h_loop_filter_chroma_mbaff= FUNC(h264_h_loop_filter_chroma422_mbaff, depth);\ c->h264_v_loop_filter_chroma_intra= FUNC(h264_v_loop_filter_chroma_intra, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma_intra, depth);\ else\ c->h264_h_loop_filter_chroma_intra= FUNC(h264_h_loop_filter_chroma422_intra, depth);\ - if (chroma_format_idc == 1)\ + if (chroma_format_idc <= 1)\ c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma_mbaff_intra, depth);\ else\ c->h264_h_loop_filter_chroma_mbaff_intra= FUNC(h264_h_loop_filter_chroma422_mbaff_intra, depth);\ diff --git a/libavcodec/h264pred.c b/libavcodec/h264pred.c index 94cf9d06d7..d16e2b15d3 100644 --- a/libavcodec/h264pred.c +++ b/libavcodec/h264pred.c @@ -471,7 +471,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, h->pred8x8l[TOP_DC_PRED ]= FUNCC(pred8x8l_top_dc , depth);\ h->pred8x8l[DC_128_PRED ]= FUNCC(pred8x8l_128_dc , depth);\ \ - if (chroma_format_idc == 1) {\ + if (chroma_format_idc <= 1) {\ h->pred8x8[VERT_PRED8x8 ]= FUNCC(pred8x8_vertical , depth);\ h->pred8x8[HOR_PRED8x8 ]= FUNCC(pred8x8_horizontal , depth);\ } else {\ 
@@ -479,7 +479,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, h->pred8x8[HOR_PRED8x8 ]= FUNCC(pred8x16_horizontal , depth);\ }\ if (codec_id != AV_CODEC_ID_VP8) {\ - if (chroma_format_idc == 1) {\ + if (chroma_format_idc <= 1) {\ h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x8_plane , depth);\ } else {\ h->pred8x8[PLANE_PRED8x8]= FUNCC(pred8x16_plane , depth);\ @@ -487,7 +487,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, } else\ h->pred8x8[PLANE_PRED8x8]= FUNCD(pred8x8_tm_vp8);\ if(codec_id != AV_CODEC_ID_RV40 && codec_id != AV_CODEC_ID_VP8){\ - if (chroma_format_idc == 1) {\ + if (chroma_format_idc <= 1) {\ h->pred8x8[DC_PRED8x8 ]= FUNCC(pred8x8_dc , depth);\ h->pred8x8[LEFT_DC_PRED8x8]= FUNCC(pred8x8_left_dc , depth);\ h->pred8x8[TOP_DC_PRED8x8 ]= FUNCC(pred8x8_top_dc , depth);\ @@ -513,7 +513,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, h->pred8x8[DC_129_PRED8x8]= FUNCC(pred8x8_129_dc , depth);\ }\ }\ - if (chroma_format_idc == 1) {\ + if (chroma_format_idc <= 1) {\ h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x8_128_dc , depth);\ } else {\ h->pred8x8[DC_128_PRED8x8 ]= FUNCC(pred8x16_128_dc , depth);\ @@ -547,7 +547,7 @@ void ff_h264_pred_init(H264PredContext *h, int codec_id, const int bit_depth, h->pred4x4_add [ HOR_PRED ]= FUNCC(pred4x4_horizontal_add , depth);\ h->pred8x8l_add [VERT_PRED ]= FUNCC(pred8x8l_vertical_add , depth);\ h->pred8x8l_add [ HOR_PRED ]= FUNCC(pred8x8l_horizontal_add , depth);\ - if (chroma_format_idc == 1) {\ + if (chroma_format_idc <= 1) {\ h->pred8x8_add [VERT_PRED8x8]= FUNCC(pred8x8_vertical_add , depth);\ h->pred8x8_add [ HOR_PRED8x8]= FUNCC(pred8x8_horizontal_add , depth);\ } else {\ diff --git a/libavcodec/ppc/h264_altivec.c b/libavcodec/ppc/h264_altivec.c index 73e2adb776..246ed1c77e 100644 --- a/libavcodec/ppc/h264_altivec.c +++ b/libavcodec/ppc/h264_altivec.c 
@@ -1005,7 +1005,7 @@ void ff_h264dsp_init_ppc(H264DSPContext *c, const int bit_depth, const int chrom if (av_get_cpu_flags() & AV_CPU_FLAG_ALTIVEC) { if (bit_depth == 8) { c->h264_idct_add = ff_h264_idct_add_altivec; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_altivec; c->h264_idct_add16 = ff_h264_idct_add16_altivec; c->h264_idct_add16intra = ff_h264_idct_add16intra_altivec; diff --git a/libavcodec/x86/h264_intrapred_init.c b/libavcodec/x86/h264_intrapred_init.c index 454dd3f0e1..e536f36ca1 100644 --- a/libavcodec/x86/h264_intrapred_init.c +++ b/libavcodec/x86/h264_intrapred_init.c @@ -187,7 +187,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth if (EXTERNAL_MMX(mm_flags)) { h->pred16x16[VERT_PRED8x8 ] = ff_pred16x16_vertical_8_mmx; h->pred16x16[HOR_PRED8x8 ] = ff_pred16x16_horizontal_8_mmx; - if (chroma_format_idc == 1) { + if (chroma_format_idc <= 1) { h->pred8x8 [VERT_PRED8x8 ] = ff_pred8x8_vertical_8_mmx; h->pred8x8 [HOR_PRED8x8 ] = ff_pred8x8_horizontal_8_mmx; } @@ -196,7 +196,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred8x8 [PLANE_PRED8x8 ] = ff_pred8x8_tm_vp8_8_mmx; h->pred4x4 [TM_VP8_PRED ] = ff_pred4x4_tm_vp8_8_mmx; } else { - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8 [PLANE_PRED8x8] = ff_pred8x8_plane_8_mmx; if (codec_id == AV_CODEC_ID_SVQ3) { if (mm_flags & AV_CPU_FLAG_CMOV) @@ -212,7 +212,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth if (EXTERNAL_MMXEXT(mm_flags)) { h->pred16x16[HOR_PRED8x8 ] = ff_pred16x16_horizontal_8_mmxext; h->pred16x16[DC_PRED8x8 ] = ff_pred16x16_dc_8_mmxext; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8[HOR_PRED8x8 ] = ff_pred8x8_horizontal_8_mmxext; h->pred8x8l [TOP_DC_PRED ] = ff_pred8x8l_top_dc_8_mmxext; h->pred8x8l [DC_PRED ] = ff_pred8x8l_dc_8_mmxext; 
@@ -237,7 +237,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred4x4 [HOR_UP_PRED ] = ff_pred4x4_horizontal_up_8_mmxext; } if (codec_id == AV_CODEC_ID_SVQ3 || codec_id == AV_CODEC_ID_H264) { - if (chroma_format_idc == 1) { + if (chroma_format_idc <= 1) { h->pred8x8[TOP_DC_PRED8x8 ] = ff_pred8x8_top_dc_8_mmxext; h->pred8x8[DC_PRED8x8 ] = ff_pred8x8_dc_8_mmxext; } @@ -249,7 +249,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred4x4 [TM_VP8_PRED ] = ff_pred4x4_tm_vp8_8_mmxext; h->pred4x4 [VERT_PRED ] = ff_pred4x4_vertical_vp8_8_mmxext; } else { - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8 [PLANE_PRED8x8] = ff_pred8x8_plane_8_mmxext; if (codec_id == AV_CODEC_ID_SVQ3) { h->pred16x16[PLANE_PRED8x8 ] = ff_pred16x16_plane_svq3_8_mmxext; @@ -276,7 +276,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred16x16[PLANE_PRED8x8 ] = ff_pred16x16_tm_vp8_8_sse2; h->pred8x8 [PLANE_PRED8x8 ] = ff_pred8x8_tm_vp8_8_sse2; } else { - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8 [PLANE_PRED8x8] = ff_pred8x8_plane_8_sse2; if (codec_id == AV_CODEC_ID_SVQ3) { h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_svq3_8_sse2; @@ -291,7 +291,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth if (EXTERNAL_SSSE3(mm_flags)) { h->pred16x16[HOR_PRED8x8 ] = ff_pred16x16_horizontal_8_ssse3; h->pred16x16[DC_PRED8x8 ] = ff_pred16x16_dc_8_ssse3; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8 [HOR_PRED8x8 ] = ff_pred8x8_horizontal_8_ssse3; h->pred8x8l [TOP_DC_PRED ] = ff_pred8x8l_top_dc_8_ssse3; h->pred8x8l [DC_PRED ] = ff_pred8x8l_dc_8_ssse3; 
@@ -307,7 +307,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred8x8 [PLANE_PRED8x8 ] = ff_pred8x8_tm_vp8_8_ssse3; h->pred4x4 [TM_VP8_PRED ] = ff_pred4x4_tm_vp8_8_ssse3; } else { - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8 [PLANE_PRED8x8] = ff_pred8x8_plane_8_ssse3; if (codec_id == AV_CODEC_ID_SVQ3) { h->pred16x16[PLANE_PRED8x8] = ff_pred16x16_plane_svq3_8_ssse3; @@ -323,7 +323,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred4x4[DC_PRED ] = ff_pred4x4_dc_10_mmxext; h->pred4x4[HOR_UP_PRED ] = ff_pred4x4_horizontal_up_10_mmxext; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) h->pred8x8[DC_PRED8x8 ] = ff_pred8x8_dc_10_mmxext; h->pred8x8l[DC_128_PRED ] = ff_pred8x8l_128_dc_10_mmxext; @@ -342,7 +342,7 @@ void ff_h264_pred_init_x86(H264PredContext *h, int codec_id, const int bit_depth h->pred4x4[VERT_RIGHT_PRED ] = ff_pred4x4_vertical_right_10_sse2; h->pred4x4[HOR_DOWN_PRED ] = ff_pred4x4_horizontal_down_10_sse2; - if (chroma_format_idc == 1) { + if (chroma_format_idc <= 1) { h->pred8x8[DC_PRED8x8 ] = ff_pred8x8_dc_10_sse2; h->pred8x8[TOP_DC_PRED8x8 ] = ff_pred8x8_top_dc_10_sse2; h->pred8x8[PLANE_PRED8x8 ] = ff_pred8x8_plane_10_sse2; diff --git a/libavcodec/x86/h264dsp_init.c b/libavcodec/x86/h264dsp_init.c index 73d4990899..fdb2e4a40c 100644 --- a/libavcodec/x86/h264dsp_init.c +++ b/libavcodec/x86/h264dsp_init.c @@ -212,7 +212,7 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, { int mm_flags = av_get_cpu_flags(); - if (chroma_format_idc == 1 && EXTERNAL_MMXEXT(mm_flags)) + if (chroma_format_idc <= 1 && EXTERNAL_MMXEXT(mm_flags)) c->h264_loop_filter_strength = ff_h264_loop_filter_strength_mmxext; if (bit_depth == 8) { 
@@ -224,7 +224,7 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, c->h264_idct_add16 = ff_h264_idct_add16_8_mmx; c->h264_idct8_add4 = ff_h264_idct8_add4_8_mmx; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_8_mmx; c->h264_idct_add16intra = ff_h264_idct_add16intra_8_mmx; if (mm_flags & AV_CPU_FLAG_CMOV) @@ -235,13 +235,13 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, c->h264_idct8_dc_add = ff_h264_idct8_dc_add_8_mmxext; c->h264_idct_add16 = ff_h264_idct_add16_8_mmxext; c->h264_idct8_add4 = ff_h264_idct8_add4_8_mmxext; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_8_mmxext; c->h264_idct_add16intra = ff_h264_idct_add16intra_8_mmxext; c->h264_v_loop_filter_chroma = ff_deblock_v_chroma_8_mmxext; c->h264_v_loop_filter_chroma_intra = ff_deblock_v_chroma_intra_8_mmxext; - if (chroma_format_idc == 1) { + if (chroma_format_idc <= 1) { c->h264_h_loop_filter_chroma = ff_deblock_h_chroma_8_mmxext; c->h264_h_loop_filter_chroma_intra = ff_deblock_h_chroma_intra_8_mmxext; } @@ -264,7 +264,7 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, c->h264_idct_add16 = ff_h264_idct_add16_8_sse2; c->h264_idct8_add4 = ff_h264_idct8_add4_8_sse2; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_8_sse2; c->h264_idct_add16intra = ff_h264_idct_add16intra_8_sse2; c->h264_luma_dc_dequant_idct = ff_h264_luma_dc_dequant_idct_sse2; @@ -309,7 +309,7 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, c->h264_idct8_dc_add = ff_h264_idct8_dc_add_10_sse2; c->h264_idct_add16 = ff_h264_idct_add16_10_sse2; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_10_sse2; c->h264_idct_add16intra = ff_h264_idct_add16intra_10_sse2; #if HAVE_ALIGNED_STACK 
@@ -349,7 +349,7 @@ void ff_h264dsp_init_x86(H264DSPContext *c, const int bit_depth, c->h264_idct8_dc_add = ff_h264_idct8_dc_add_10_avx; c->h264_idct_add16 = ff_h264_idct_add16_10_avx; - if (chroma_format_idc == 1) + if (chroma_format_idc <= 1) c->h264_idct_add8 = ff_h264_idct_add8_10_avx; c->h264_idct_add16intra = ff_h264_idct_add16intra_10_avx; #if HAVE_ALIGNED_STACK From 7e513d85e80d730718695d09fcaf0295ae24699e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0785/1037] h264: check that execute_decode_slices() is not called too many times Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 9eef9eb3014b2ed9c3ff4aac510a9f04edb555cf) --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 7acc5a7019..b5f4493c57 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3833,6 +3833,12 @@ static int execute_decode_slices(H264Context *h, int context_count) H264Context *hx; int i; + if (s->mb_y >= s->mb_height) { + av_log(s->avctx, AV_LOG_ERROR, + "Input contains more MB rows than the frame height.\n"); + return AVERROR_INVALIDDATA; + } + if (s->avctx->hwaccel || s->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU) return 0; From 7f604a048e9b6128cdf9ce7e95f21d1a9822ba39 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0786/1037] h264: reject mismatching luma/chroma bit depths during sps parsing There is no point in delaying the check and it avoids bugs with a half-initialized context. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 6 ------ libavcodec/h264_ps.c | 5 +++++ 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index b5f4493c57..38764d1814 100644 --- a/libavcodec/h264.c 
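Review bot: `execute_decode_slices()` can now return `AVERROR_INVALIDDATA`, but its call sites are outside this hunk, so it cannot be confirmed here that they check the result instead of continuing as they could after the existing `return 0` path. The test also looks only at `s->mb_y`; when `context_count` is greater than one, the row positions of the other contexts are presumably tracked separately and are not covered by this guard. Both are worth confirming, and a comment such as `/* refuse to start slices past the last MB row */` above the check would record its purpose.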
+++ b/libavcodec/h264.c @@ -2427,12 +2427,6 @@ static int h264_set_parameter_from_sps(H264Context *h) if (s->avctx->has_b_frames < 2) s->avctx->has_b_frames = !s->low_delay; - if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) { - av_log_missing_feature(s->avctx, - "Different bit depth between chroma and luma", 1); - return AVERROR_PATCHWELCOME; - } - if (s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc) { if (s->avctx->codec && diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index fad2d7735b..a1dfbda9c8 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -349,6 +349,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ } sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; + if (sps->bit_depth_chroma != sps->bit_depth_luma) { + av_log_missing_feature(s->avctx, + "Different bit depth between chroma and luma", 1); + goto fail; + } sps->transform_bypass = get_bits1(&s->gb); decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8); }else{ From 175b53d051cf9e17583106c828c35d169f335ea3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0787/1037] h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3 Higher modes are not allowed for 16x16/chroma, which is what this function is used for. Otherwise this function would return 0 (vertical prediction) for invalid higher modes, which could result in invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 38764d1814..f5f7de4b41 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
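Review bot: Moving the bit-depth check into SPS parsing replaces `return AVERROR_PATCHWELCOME` with `goto fail`, and the value returned at `fail:` is outside this hunk. If that label returns a generic error, callers lose the distinction between an unsupported stream and a corrupt one. If the distinction matters, the return code should be set before the jump. `ff_h264_decode_seq_parameter_set` continues past the hunk.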
@@ -128,10 +128,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h) int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma) { MpegEncContext *const s = &h->s; - static const int8_t top[7] = { LEFT_DC_PRED8x8, 1, -1, -1 }; - static const int8_t left[7] = { TOP_DC_PRED8x8, -1, 2, -1, DC_128_PRED8x8 }; + static const int8_t top[4] = { LEFT_DC_PRED8x8, 1, -1, -1 }; + static const int8_t left[5] = { TOP_DC_PRED8x8, -1, 2, -1, DC_128_PRED8x8 }; - if (mode > 6U) { + if (mode > 3U) { av_log(h->s.avctx, AV_LOG_ERROR, "out of range intra chroma pred mode at %d %d\n", s->mb_x, s->mb_y); From 7fd6c9fb49573870b48a995947edc83eedd7e86e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0788/1037] h264: reset first_field if frame_start() fails for missing refs In this case we may not have a current frame, while first_field being set implies we do. Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index f5f7de4b41..db336f0fc5 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2910,8 +2910,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0) Picture *prev = h->short_ref_count ? h->short_ref[0] : NULL; av_log(h->s.avctx, AV_LOG_DEBUG, "Frame num gap %d %d\n", h->frame_num, h->prev_frame_num); - if (ff_h264_frame_start(h) < 0) + if (ff_h264_frame_start(h) < 0) { + s0->first_field = 0; return -1; + } h->prev_frame_num++; h->prev_frame_num %= 1 << h->sps.log2_max_frame_num; s->current_picture_ptr->frame_num = h->prev_frame_num; From 7e8d27c8510a024e6d66d2e1116bb8692d9cb98a Mon Sep 17 00:00:00 2001 
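Review bot: In ff_h264_check_intra_pred_mode() the bound `mode > 3U` is now tied to the table sizes `top[4]` and `left[5]`, but nothing in the code says why `left` keeps a fifth entry when `mode` is capped at 3. Presumably `mode` can already have been remapped by the `top[]` lookup before it indexes `left[]`; the body continues outside the hunk, so this should be confirmed. A short comment such as `/* mode is 0..3 on entry; left[] is also indexed with the value produced by top[] */` would stop the next edit from shrinking the wrong array. The log text still says "intra chroma pred mode" although the function takes `is_chroma` and is also used for 16x16 luma.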
From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0789/1037] h264: reset ref count if decoding the slice header fails Otherwise the ER code might try to use some already freed references. Fixes possible access to freed memory. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index db336f0fc5..7904e64576 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -4137,9 +4137,10 @@ again: context_count = 0; } - if (err < 0) + if (err < 0) { av_log(h->s.avctx, AV_LOG_ERROR, "decode_slice_header error\n"); - else if (err == 1) { + h->ref_count[0] = h->ref_count[1] = h->list_count = 0; + } else if (err == 1) { /* Slice could not be decoded in parallel mode, copy down * NAL unit stuff to context 0 and restart. Note that * rbsp_buffer is not transferred, but since we no longer From d8e89a37267f276afd404bd062e5112a336d1a36 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0790/1037] h264: reset data partitioning at the beginning of each decode call Prevents using GetBitContexts with data from previous calls. Fixes access to freed memory. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/h264.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 7904e64576..702a272d98 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -4059,6 +4059,13 @@ again: } break; case NAL_DPA: + if (s->flags2 & CODEC_FLAG2_CHUNKS) { + av_log(h->s.avctx, AV_LOG_ERROR, + "Decoding in chunks is not supported for " + "partitioned slices.\n"); + return AVERROR(ENOSYS); + } + init_get_bits(&hx->s.gb, ptr, bit_length); hx->intra_gb_ptr = hx->inter_gb_ptr = NULL; 
@@ -4191,6 +4198,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, s->flags = avctx->flags; s->flags2 = avctx->flags2; + /* reset data partitioning here, to ensure GetBitContexts from previous + * packets do not get used. */ + s->data_partitioning = 0; /* end of stream, output what is still in the buffers */ out: From c9be276f8b040e7d441a77f774afe94b6f137be6 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0791/1037] mpegvideo: set reference/pict_type on generated reference frames Otherwise the generic code will unref them, which can then result in last_picture_ptr == current_picture_ptr, which causes deadlocks at least in rv40. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org --- libavcodec/mpegvideo.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index eb71670379..c3d799d25d 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1481,6 +1481,10 @@ int ff_MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx) return i; } s->last_picture_ptr = &s->picture[i]; + + s->last_picture_ptr->f.reference = 3; + s->last_picture_ptr->f.pict_type = AV_PICTURE_TYPE_I; + if (ff_alloc_picture(s, s->last_picture_ptr, 0) < 0) { s->last_picture_ptr = NULL; return -1; @@ -1499,6 +1503,10 @@ int ff_MPV_frame_start(MpegEncContext *s, AVCodecContext *avctx) return i; } s->next_picture_ptr = &s->picture[i]; + + s->next_picture_ptr->f.reference = 3; + s->next_picture_ptr->f.pict_type = AV_PICTURE_TYPE_I; + if (ff_alloc_picture(s, s->next_picture_ptr, 0) < 0) { s->next_picture_ptr = NULL; return -1; From ff409c7d80b6781e4b81dd860badb569061ddaa5 Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Thu, 28 Nov 2013 10:54:35 +0100 Subject: [PATCH 0792/1037] adx: check that the offset is not negative Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 5569146d48f06564e8fa393424782cceed510916) --- libavcodec/adx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adx.c b/libavcodec/adx.c index 870216c606..9b58e378c2 100644 --- a/libavcodec/adx.c +++ b/libavcodec/adx.c @@ -48,7 +48,7 @@ int avpriv_adx_decode_header(AVCodecContext *avctx, const uint8_t *buf, offset = AV_RB16(buf + 2) + 4; /* if copyright string is within the provided data, validate it */ - if (bufsize >= offset && memcmp(buf + offset - 6, "(c)CRI", 6)) + if (bufsize >= offset && offset >= 6 && memcmp(buf + offset - 6, "(c)CRI", 6)) return AVERROR_INVALIDDATA; /* check for encoding=3 block_size=18, sample_size=4 */ From ea1806ce650f0502dd25939c335b9216fa4a955f Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 2 Jan 2014 09:34:20 +0100 Subject: [PATCH 0793/1037] sgidec: fix buffer size check in expand_rle_row() Right now it will spuriously fail if the linesize is exactly equal to the data width. CC:libav-stable@libav.org --- libavcodec/sgidec.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index 0e72751564..94de9fdcd1 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -26,6 +26,7 @@ #include "sgi.h" typedef struct SgiState { + AVCodecContext *avctx; AVFrame picture; unsigned int width; unsigned int height; 
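Review bot: With the added `offset >= 6` term in avpriv_adx_decode_header(), a header whose offset is 4 or 5 now skips the "(c)CRI" comparison entirely, and parsing carries on as if the signature had been validated. `offset` is `AV_RB16(buf + 2) + 4`, so those values are reachable from file data. Unless such short offsets are legitimate for the format, rejecting them is the safer choice: `if (offset < 6) return AVERROR_INVALIDDATA;` ahead of the memcmp. The function continues outside the hunk.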
@@ -39,12 +40,12 @@ typedef struct SgiState { * Expand an RLE row into a channel. * @param s the current image state * @param out_buf Points to one line after the output buffer. - * @param out_end end of line in output buffer + * @param len length of out_buf in bytes * @param pixelstride pixel stride of input buffer * @return size of output in bytes, -1 if buffer overflows */ static int expand_rle_row(SgiState *s, uint8_t *out_buf, - uint8_t *out_end, int pixelstride) + int len, int pixelstride) { unsigned char pixel, count; unsigned char *orig = out_buf; @@ -58,7 +59,10 @@ static int expand_rle_row(SgiState *s, uint8_t *out_buf, } /* Check for buffer overflow. */ - if(out_buf + pixelstride * count >= out_end) return -1; + if (pixelstride * (count - 1) >= len) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n"); + return AVERROR_INVALIDDATA; + } if (pixel & 0x80) { while (count--) { @@ -101,7 +105,7 @@ static int read_rle_sgi(uint8_t *out_buf, SgiState *s) dest_row -= s->linesize; start_offset = bytestream2_get_be32(&g_table); bytestream2_seek(&s->g, start_offset, SEEK_SET); - if (expand_rle_row(s, dest_row + z, dest_row + FFABS(s->linesize), + if (expand_rle_row(s, dest_row + z, FFABS(s->linesize) - z, s->depth) != s->width) { return AVERROR_INVALIDDATA; } @@ -259,6 +263,15 @@ static av_cold int sgi_end(AVCodecContext *avctx) return 0; } +static av_cold int sgi_decode_init(AVCodecContext *avctx) +{ + SgiState *s = avctx->priv_data; + + s->avctx = avctx; + + return 0; +} + AVCodec ff_sgi_decoder = { .name = "sgi", .type = AVMEDIA_TYPE_VIDEO, @@ -267,6 +280,7 @@ AVCodec ff_sgi_decoder = { .init = sgi_init, .close = sgi_end, .decode = decode_frame, + .init = sgi_decode_init, .long_name = NULL_IF_CONFIG_SMALL("SGI image"), .capabilities = CODEC_CAP_DR1, }; From b701e26a4e89e3816490bc74bc47f82e6b7f7002 Mon Sep 17 00:00:00 2001 
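Review bot: The doc comment on expand_rle_row() is out of step with the new code: `@return` still promises `-1 if buffer overflows`, while the overflow path added in the next hunk returns AVERROR_INVALIDDATA. Suggest `@return size of output in bytes, a negative AVERROR code on invalid data`. Since `len` is now passed as `FFABS(s->linesize) - z`, `@param len` could say it is the number of bytes available starting at out_buf.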
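Review bot: The new overflow test `pixelstride * (count - 1) >= len` in expand_rle_row() compares each run against the full row length; nothing in this hunk reduces `len` or accounts for how far `out_buf` has advanced from `orig`. If `len` is not updated further down (the loop body continues outside the hunk), several runs that each pass the check can together still write past the row. Comparing against the remaining space avoids that: `if (pixelstride * (count - 1) >= len - (out_buf - orig))`.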
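Review bot: `ff_sgi_decoder` now carries two `.init` designators, `.init = sgi_init` and the added `.init = sgi_decode_init`. In C the later designator wins, so `sgi_init` is no longer called and whatever it sets up (its body is outside this hunk) is skipped; compilers report this with -Woverride-init. Moving `s->avctx = avctx;` into the existing `sgi_init` and dropping the second `.init` line keeps both pieces of initialisation.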
From: Janne Grunau Date: Fri, 24 Jan 2014 16:22:44 +0100 Subject: [PATCH 0794/1037] mpeg12: check scantable indices in all decode_block functions Add checks to the fast functions used with CODEC_FLAGS2_FAST and move the check for all other functions to before the invalid memory is accessed. Fixes https://trac.videolan.org/vlc/ticket/9713 with CODEC_FLAGS2_FAST. CC: libav-stable@libav.org --- libavcodec/mpeg12.c | 48 +++++++++++++++++++++++++++------------------ 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 7a9b54a789..445dbcca25 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -80,6 +80,15 @@ static int mpeg_decode_motion(MpegEncContext *s, int fcode, int pred) return sign_extend(val, 5 + shift); } +#define check_scantable_index(ctx, x) \ + do { \ + if ((x) > 63) { \ + av_log(ctx->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", \ + ctx->mb_x, ctx->mb_y); \ + return AVERROR_INVALIDDATA; \ + } \ + } while (0) \ + static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, int n) { int level, dc, diff, i, j, run; @@ -111,6 +120,7 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in break; } else if (level != 0) { i += run; + check_scantable_index(s, i); j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 4; level = (level - 1) | 1; @@ -127,6 +137,7 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in level = SHOW_UBITS(re, &s->gb, 8) ; LAST_SKIP_BITS(re, &s->gb, 8); } i += run; + check_scantable_index(s, i); j = scantable[i]; if (level < 0) { level = -level; @@ -138,10 +149,6 @@ static inline int mpeg1_decode_block_intra(MpegEncContext *s, DCTELEM *block, in level = (level - 1) | 1; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return -1; - } block[j] = level; } 
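Review bot: The `check_scantable_index` macro ends with a line continuation after `while (0)`, so the definition runs on into the following line and is correct only because that line is blank. It also expands `ctx` unparenthesised and hides a `return` from the calling function. Suggest ending the macro with `} while (0)` (no trailing backslash), writing `(ctx)->avctx`, `(ctx)->mb_x` and `(ctx)->mb_y`, and adding a comment above it such as `/* returns AVERROR_INVALIDDATA from the caller when x is past the last scantable entry (63) */`.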
@@ -261,6 +268,7 @@ static inline int mpeg1_fast_decode_block_inter(MpegEncContext *s, DCTELEM *bloc if (level != 0) { i += run; + check_scantable_index(s, i); j = scantable[i]; level = ((level * 2 + 1) * qscale) >> 1; level = (level - 1) | 1; @@ -277,6 +285,7 @@ static inline int mpeg1_fast_decode_block_inter(MpegEncContext *s, DCTELEM *bloc level = SHOW_UBITS(re, &s->gb, 8) ; SKIP_BITS(re, &s->gb, 8); } i += run; + check_scantable_index(s, i); j = scantable[i]; if (level < 0) { level = -level; @@ -342,6 +351,7 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block if (level != 0) { i += run; + check_scantable_index(s, i); j = scantable[i]; level = ((level * 2 + 1) * qscale * quant_matrix[j]) >> 5; level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1); @@ -353,6 +363,7 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12); i += run; + check_scantable_index(s, i); j = scantable[i]; if (level < 0) { level = ((-level * 2 + 1) * qscale * quant_matrix[j]) >> 5; @@ -361,10 +372,6 @@ static inline int mpeg2_decode_block_non_intra(MpegEncContext *s, DCTELEM *block level = ((level * 2 + 1) * qscale * quant_matrix[j]) >> 5; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return -1; - } mismatch ^= level; block[j] = level; @@ -411,6 +418,7 @@ static inline int mpeg2_fast_decode_block_non_intra(MpegEncContext *s, if (level != 0) { i += run; + check_scantable_index(s, i); j = scantable[i]; level = ((level * 2 + 1) * qscale) >> 1; level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1); @@ -422,6 +430,7 @@ static inline int mpeg2_fast_decode_block_non_intra(MpegEncContext *s, level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12); i += run; + check_scantable_index(s, i); j = scantable[i]; if (level < 0) { level = ((-level * 2 + 1) * qscale) >> 1; 
@@ -488,6 +497,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in break; } else if (level != 0) { i += run; + check_scantable_index(s, i); j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 4; level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1); @@ -498,6 +508,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in UPDATE_CACHE(re, &s->gb); level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12); i += run; + check_scantable_index(s, i); j = scantable[i]; if (level < 0) { level = (-level * qscale * quant_matrix[j]) >> 4; @@ -506,10 +517,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in level = (level * qscale * quant_matrix[j]) >> 4; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return -1; - } mismatch ^= level; block[j] = level; @@ -524,10 +531,10 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, DCTELEM *block, in static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *block, int n) { - int level, dc, diff, j, run; + int level, dc, diff, i, j, run; int component; RLTable *rl; - uint8_t * scantable = s->intra_scantable.permutated; + uint8_t * const scantable = s->intra_scantable.permutated; const uint16_t *quant_matrix; const int qscale = s->qscale; @@ -546,6 +553,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc dc += diff; s->last_dc[component] = dc; block[0] = dc << (3 - s->intra_dc_precision); + i = 0; if (s->intra_vlc_format) rl = &ff_rl_mpeg2; else 
@@ -561,8 +569,9 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc if (level == 127) { break; } else if (level != 0) { - scantable += run; - j = *scantable; + i += run; + check_scantable_index(s, i); + j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 4; level = (level ^ SHOW_SBITS(re, &s->gb, 1)) - SHOW_SBITS(re, &s->gb, 1); LAST_SKIP_BITS(re, &s->gb, 1); @@ -571,8 +580,9 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc run = SHOW_UBITS(re, &s->gb, 6) + 1; LAST_SKIP_BITS(re, &s->gb, 6); UPDATE_CACHE(re, &s->gb); level = SHOW_SBITS(re, &s->gb, 12); SKIP_BITS(re, &s->gb, 12); - scantable += run; - j = *scantable; + i += run; + check_scantable_index(s, i); + j = scantable[i]; if (level < 0) { level = (-level * qscale * quant_matrix[j]) >> 4; level = -level; @@ -586,7 +596,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, DCTELEM *bloc CLOSE_READER(re, &s->gb); } - s->block_last_index[n] = scantable - s->intra_scantable.permutated; + s->block_last_index[n] = i; return 0; } From 2eb15cdeef29eb8a0a32658154decba94b4b89cb Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 19 Feb 2014 20:33:28 +0100 Subject: [PATCH 0795/1037] pthread: flush all threads on flush, not just the first one avcodec_flush_buffers() must release all internally held references according to its documentation, for which all the threads need to be flushed. CC:libav-stable@libav.org Bug-Id: vlc/9665 --- libavcodec/pthread.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index 8ae494b0b5..d0c92f4f82 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c 
@@ -885,8 +885,6 @@ void ff_thread_flush(AVCodecContext *avctx) if (fctx->prev_thread) { if (fctx->prev_thread != &fctx->threads[0]) update_context_from_thread(fctx->threads[0].avctx, fctx->prev_thread->avctx, 0); - if (avctx->codec->flush) - avctx->codec->flush(fctx->threads[0].avctx); } fctx->next_decoding = fctx->next_finished = 0; @@ -898,6 +896,9 @@ void ff_thread_flush(AVCodecContext *avctx) p->got_frame = 0; release_delayed_buffers(p); + + if (avctx->codec->flush) + avctx->codec->flush(p->avctx); } } From 1bccf68caeee787139f22679e1300a5eea048cf5 Mon Sep 17 00:00:00 2001 From: Pierre Lejeune Date: Sat, 8 Mar 2014 12:19:17 +0000 Subject: [PATCH 0796/1037] build: Use pkg-config for openjpeg Bug-Id: 387 CC: libav-stable@libav.org --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 569d29a6c3..441007ce33 100755 --- a/configure +++ b/configure @@ -3499,7 +3499,7 @@ enabled libmp3lame && require "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_q enabled libopencore_amrnb && require libopencore_amrnb opencore-amrnb/interf_dec.h Decoder_Interface_init -lopencore-amrnb enabled libopencore_amrwb && require libopencore_amrwb opencore-amrwb/dec_if.h D_IF_init -lopencore-amrwb enabled libopencv && require_pkg_config opencv opencv/cv.h cvCreateImageHeader -enabled libopenjpeg && require libopenjpeg openjpeg.h opj_version -lopenjpeg +enabled libopenjpeg && require_pkg_config libopenjpeg openjpeg.h opj_version enabled libopus && require_pkg_config opus opus_multistream.h opus_multistream_decoder_create enabled libpulse && require_pkg_config libpulse-simple pulse/simple.h pa_simple_new enabled librtmp && require_pkg_config librtmp librtmp/rtmp.h RTMP_Socket From b1432e905d462198a8d7834b256848f2b9e4f8e6 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Wed, 5 Mar 2014 10:41:33 +0100 Subject: [PATCH 0797/1037] avfilter: Add missing emms_c when needed Arch specific calls should have an emms_c following to keep the cpu state consistent. Reported-By: wm4 CC: libav-stable@libav.org (cherry picked from commit e995cf1bccc6e91bbaa6a8771e23fb3ab259c110) --- libavfilter/af_volume.c | 2 ++ libavfilter/vf_gradfun.c | 1 + libavfilter/vf_hqdn3d.c | 1 + 3 files changed, 4 insertions(+) diff --git a/libavfilter/af_volume.c b/libavfilter/af_volume.c index 3f3ad47258..c8e88975e7 100644 --- a/libavfilter/af_volume.c +++ b/libavfilter/af_volume.c @@ -282,6 +282,8 @@ static int filter_frame(AVFilterLink *inlink, AVFilterBufferRef *buf) } } + emms_c(); + if (buf != out_buf) avfilter_unref_buffer(buf); diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c index 79e149009d..b9fd50f826 100644 --- a/libavfilter/vf_gradfun.c +++ b/libavfilter/vf_gradfun.c @@ -117,6 +117,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, uint8_t *src, int width, i ctx->filter_line(dst + y * dst_linesize, src + y * src_linesize, dc - r / 2, width, thresh, dither[y & 7]); if (++y >= height) break; } + emms_c(); } static av_cold int init(AVFilterContext *ctx, const char *args) diff --git a/libavfilter/vf_hqdn3d.c b/libavfilter/vf_hqdn3d.c index e2d90d53ab..ae794d8df0 100644 --- a/libavfilter/vf_hqdn3d.c +++ b/libavfilter/vf_hqdn3d.c @@ -155,6 +155,7 @@ static void denoise_depth(HQDN3DContext *hqdn3d, else denoise_temporal(src, dst, frame_ant, w, h, sstride, dstride, temporal, depth); + emms_c(); } #define denoise(...) \ From d375d6395c0a5203932d89c087f77a5757a08138 Mon Sep 17 00:00:00 2001 From: John Stebbins Date: Mon, 3 Mar 2014 20:20:14 +0000 Subject: [PATCH 0798/1037] matroskaenc: allow override of "writing application" tag 
Signed-off-by: Tim Walker CC: libav-stable@libav.org (cherry picked from commit 0092c1dd8dac2d9e185b58503b447a0d3fb5230d) --- libavformat/matroskaenc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index b37d10cba1..77e11aafe9 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -776,7 +776,8 @@ static int mkv_write_tag(AVFormatContext *s, AVDictionary *m, unsigned int eleme end_ebml_master(s->pb, targets); while ((t = av_dict_get(m, "", t, AV_DICT_IGNORE_SUFFIX))) - if (av_strcasecmp(t->key, "title")) + if (av_strcasecmp(t->key, "title") && + av_strcasecmp(t->key, "encoding_tool")) mkv_write_simpletag(s->pb, t); end_ebml_master(s->pb, tag); @@ -936,7 +937,10 @@ static int mkv_write_header(AVFormatContext *s) segment_uid[i] = av_lfg_get(&lfg); put_ebml_string(pb, MATROSKA_ID_MUXINGAPP , LIBAVFORMAT_IDENT); - put_ebml_string(pb, MATROSKA_ID_WRITINGAPP, LIBAVFORMAT_IDENT); + if ((tag = av_dict_get(s->metadata, "encoding_tool", NULL, 0))) + put_ebml_string(pb, MATROSKA_ID_WRITINGAPP, tag->value); + else + put_ebml_string(pb, MATROSKA_ID_WRITINGAPP, LIBAVFORMAT_IDENT); put_ebml_binary(pb, MATROSKA_ID_SEGMENTUID, segment_uid, 16); } From 9f7119b7fe003e94d72e81f3aa922568c2827dce Mon Sep 17 00:00:00 2001 From: John Stebbins Date: Mon, 3 Mar 2014 20:20:15 +0000 Subject: [PATCH 0799/1037] movenc: allow override of "writing application" tag Signed-off-by: Tim Walker CC: libav-stable@libav.org (cherry picked from commit 565e0c6d866ce08d4b06427456d3d1f4fd856e9c) --- libavformat/movenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 39495203df..b7b64779e7 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c 
@@ -1806,7 +1806,8 @@ static int mov_write_ilst_tag(AVIOContext *pb, MOVMuxContext *mov, mov_write_string_metadata(s, pb, "\251wrt", "composer" , 1); mov_write_string_metadata(s, pb, "\251alb", "album" , 1); mov_write_string_metadata(s, pb, "\251day", "date" , 1); - mov_write_string_tag(pb, "\251too", LIBAVFORMAT_IDENT, 0, 1); + if (!mov_write_string_metadata(s, pb, "\251too", "encoding_tool", 1)) + mov_write_string_tag(pb, "\251too", LIBAVFORMAT_IDENT, 0, 1); mov_write_string_metadata(s, pb, "\251cmt", "comment" , 1); mov_write_string_metadata(s, pb, "\251gen", "genre" , 1); mov_write_string_metadata(s, pb, "\251cpy", "copyright", 1); From ee21d270f8dc5fdb2263f5dd87407aae9fe1ecd1 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 4 Mar 2014 07:19:46 +0100 Subject: [PATCH 0800/1037] af_channelmap: fix ONE_STR mapping mode get_channel() returns 0 on success CC:libav-stable@libav.org --- libavfilter/af_channelmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_channelmap.c b/libavfilter/af_channelmap.c index c4b87daeef..c39207ebf5 100644 --- a/libavfilter/af_channelmap.c +++ b/libavfilter/af_channelmap.c @@ -197,7 +197,7 @@ static av_cold int channelmap_init(AVFilterContext *ctx, const char *args) s->map[i].out_channel_idx = i; break; case MAP_ONE_STR: - if (!get_channel(&mapping, &in_ch, ',')) { + if (get_channel(&mapping, &in_ch, ',') < 0) { av_log(ctx, AV_LOG_ERROR, err); ret = AVERROR(EINVAL); goto fail; From 03562c44c0c1e59d2a598390c5b2181ac406611c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Apr 2014 09:11:10 +0200 Subject: [PATCH 0801/1037] avi: Improve non-interleaved detection Additional fixes by Nigel Touati-Evans . Check the index for streams with a time drift of 2s or a buffer drift of 64MB. Bug-Id: 666 CC: libav-stable@libav.org Sample-Id: yet-another-broken-interleaved-avi.avi Signed-off-by: Vittorio Giovara Signed-off-by: Luca Barbato 
Signed-off-by: Diego Biurrun --- libavformat/avidec.c | 70 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 68 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 759abbcb03..f6990eccba 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -732,7 +732,11 @@ static int avi_read_header(AVFormatContext *s) if(!avi->index_loaded && pb->seekable) avi_load_index(s); avi->index_loaded = 1; - avi->non_interleaved |= guess_ni_flag(s); + + if ((ret = guess_ni_flag(s)) < 0) + return ret; + + avi->non_interleaved |= ret; for(i=0; inb_streams; i++){ AVStream *st = s->streams[i]; if(st->nb_index_entries) 
@@ -1204,6 +1208,64 @@ static int avi_read_idx1(AVFormatContext *s, int size) return 0; } +/* Scan the index and consider any file with streams more than + * 2 seconds or 64MB apart non-interleaved. */ +static int check_stream_max_drift(AVFormatContext *s) +{ + int64_t min_pos, pos; + int i; + int *idx = av_mallocz_array(s->nb_streams, sizeof(*idx)); + if (!idx) + return AVERROR(ENOMEM); + + for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) { + int64_t max_dts = INT64_MIN / 2; + int64_t min_dts = INT64_MAX / 2; + int64_t max_buffer = 0; + + min_pos = INT64_MAX; + + for (i = 0; i < s->nb_streams; i++) { + AVStream *st = s->streams[i]; + AVIStream *ast = st->priv_data; + int n = st->nb_index_entries; + while (idx[i] < n && st->index_entries[idx[i]].pos < pos) + idx[i]++; + if (idx[i] < n) { + int64_t dts; + dts = av_rescale_q(st->index_entries[idx[i]].timestamp / + FFMAX(ast->sample_size, 1), + st->time_base, AV_TIME_BASE_Q); + min_dts = FFMIN(min_dts, dts); + min_pos = FFMIN(min_pos, st->index_entries[idx[i]].pos); + } + } + for (i = 0; i < s->nb_streams; i++) { + AVStream *st = s->streams[i]; + AVIStream *ast = st->priv_data; + + if (idx[i] && min_dts != INT64_MAX / 2) { + int64_t dts; + dts = av_rescale_q(st->index_entries[idx[i] - 1].timestamp / + FFMAX(ast->sample_size, 1), + st->time_base, AV_TIME_BASE_Q); + max_dts = FFMAX(max_dts, dts); + max_buffer = FFMAX(max_buffer, + av_rescale(dts - min_dts, + st->codec->bit_rate, + AV_TIME_BASE)); + } + } + if (max_dts - min_dts > 2 * AV_TIME_BASE || + max_buffer > 1024 * 1024 * 8 * 8) { + av_free(idx); + return 1; + } + } + av_free(idx); + return 0; +} + static int guess_ni_flag(AVFormatContext *s){ int i; int64_t last_start=0; 
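Review bot: In check_stream_max_drift() the buffer threshold does not match the "64MB" stated in the comment above the function. `max_buffer` is `av_rescale(dts - min_dts, st->codec->bit_rate, AV_TIME_BASE)`, which is a bit count if `bit_rate` is in bits per second, and `1024 * 1024 * 8 * 8` bits is 8 MiB. Either the constant or the comment should change, and a named constant would make the unit explicit. Separately, `pos = min_pos + 1LU` brings an unsigned long literal into int64_t arithmetic; plain `min_pos + 1` avoids the implicit conversion.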
@@ -1232,7 +1294,11 @@ static int guess_ni_flag(AVFormatContext *s){ first_end= st->index_entries[n-1].pos; } avio_seek(s->pb, oldpos, SEEK_SET); - return last_start > first_end; + + if (last_start > first_end) + return 1; + + return check_stream_max_drift(s); } static int avi_load_index(AVFormatContext *s) From d21bf0d27b547adcaabaa28d475e6b9f97dfe20a Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 4 Mar 2014 21:18:27 +0100 Subject: [PATCH 0802/1037] resample: fix avresample_get_delay() return value The correct "next" input sample is not the first sample of the resampling buffer, but the center sample of the filter_length-sized block at the beginning. CC:libav-stable@libav.org --- libavresample/resample.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavresample/resample.c b/libavresample/resample.c index dc121fe56d..047572bcb9 100644 --- a/libavresample/resample.c +++ b/libavresample/resample.c @@ -46,6 +46,7 @@ struct ResampleContext { void (*resample_one)(struct ResampleContext *c, int no_filter, void *dst0, int dst_index, const void *src0, int src_size, int index, int frac); + int padding_size; }; @@ -211,6 +212,7 @@ ResampleContext *ff_audio_resample_init(AVAudioResampleContext *avr) goto error; c->ideal_dst_incr = c->dst_incr; + c->padding_size = (c->filter_length - 1) / 2; c->index = -phase_count * ((c->filter_length - 1) / 2); c->frac = 0; @@ -461,8 +463,10 @@ int ff_audio_resample(ResampleContext *c, AudioData *dst, AudioData *src) int avresample_get_delay(AVAudioResampleContext *avr) { + ResampleContext *c = avr->resample; + if (!avr->resample_needed || !avr->resample) return 0; - return avr->resample->buffer->nb_samples; + return FFMAX(c->buffer->nb_samples - c->padding_size, 0); } From 0c5e6c542f5efffb4cd770e84967478b0076a6e5 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 21 Mar 2012 00:10:18 +0000 Subject: [PATCH 0803/1037] bytestream: add functions for accessing size of buffer Signed-off-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles CC:libav-stable@libav.org (cherry picked from commit de9d2705f61ef569487ec5f8974a9c7ce34ec783) --- libavcodec/bytestream.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index 0f89558e3d..63d61f1132 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -190,6 +190,16 @@ static av_always_inline int bytestream2_tell_p(PutByteContext *p) return (int)(p->buffer - p->buffer_start); } +static av_always_inline int bytestream2_size(GetByteContext *g) +{ + return (int)(g->buffer_end - g->buffer_start); +} + +static av_always_inline int bytestream2_size_p(PutByteContext *p) +{ + return (int)(p->buffer_end - p->buffer_start); +} + static av_always_inline int bytestream2_seek(GetByteContext *g, int offset, int whence) From d946e4c1bcfb6accd97f6d4cbfa324ef01913c8d Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sun, 29 Sep 2013 19:45:57 -0400 Subject: [PATCH 0804/1037] bytestream: add bytestream2_copy_buffer() functions This is basically an overread/overwrite-safe memcpy between a GetByteContext and a PutByteContext. CC:libav-stable@libav.org (cherry picked from commit 5748faf291fec297ef25d81962b52b3438f54278) --- libavcodec/bytestream.h | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index 63d61f1132..3eab225f9c 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h 
@@ -325,6 +325,32 @@ static av_always_inline unsigned int bytestream2_get_eof(PutByteContext *p) return p->eof; } +static av_always_inline unsigned int bytestream2_copy_bufferu(PutByteContext *p, + GetByteContext *g, + unsigned int size) +{ + memcpy(p->buffer, g->buffer, size); + p->buffer += size; + g->buffer += size; + return size; +} + +static av_always_inline unsigned int bytestream2_copy_buffer(PutByteContext *p, + GetByteContext *g, + unsigned int size) +{ + int size2; + + if (p->eof) + return 0; + size = FFMIN(g->buffer_end - g->buffer, size); + size2 = FFMIN(p->buffer_end - p->buffer, size); + if (size2 != size) + p->eof = 1; + + return bytestream2_copy_bufferu(p, g, size2); +} + static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, uint8_t *dst, unsigned int size) From 85b8b169175a55fc862e01ecc96f649374bc14d2 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sun, 29 Sep 2013 19:47:55 -0400 Subject: [PATCH 0805/1037] tiffdec: use bytestream2 to simplify overread/overwrite protection Based on a patch by Paul B Mahol CC:libav-stable@libav.org --- libavcodec/tiff.c | 249 +++++++++++++++++++++------------------------- 1 file changed, 113 insertions(+), 136 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 264e98501b..309f1a9e1b 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -26,6 +26,7 @@ */ #include "avcodec.h" +#include "bytestream.h" #include "config.h" #if CONFIG_ZLIB #include @@ -42,6 +43,7 @@ typedef struct TiffContext { AVCodecContext *avctx; AVFrame picture; + GetByteContext gb; int width, height; unsigned int bpp, bppcount; 
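Review bot: bytestream2_copy_buffer() stores the clamped length in `int size2` although `size` and the return type are `unsigned int`; `unsigned int size2;` avoids the signed/unsigned round trip through FFMIN. The helper also clamps silently when the source is short: `p->eof` is set only when the destination is too small, so a truncated source is detectable only by comparing the return value with the requested size. Both new functions lack a doc comment. It should say that bytestream2_copy_bufferu() performs no bounds checking, and that the checked variant returns the number of bytes actually copied and sets `p->eof` only on destination truncation.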
@@ -56,33 +58,27 @@ typedef struct TiffContext { int strips, rps, sstype; int sot; - const uint8_t *stripdata; - const uint8_t *stripsizes; - int stripsize, stripoff; + int stripsizesoff, stripsize, stripoff, strippos; LZWState *lzw; } TiffContext; -static unsigned tget_short(const uint8_t **p, int le) +static unsigned tget_short(GetByteContext *gb, int le) { - unsigned v = le ? AV_RL16(*p) : AV_RB16(*p); - *p += 2; - return v; + return le ? bytestream2_get_le16(gb) : bytestream2_get_be16(gb); } -static unsigned tget_long(const uint8_t **p, int le) +static unsigned tget_long(GetByteContext *gb, int le) { - unsigned v = le ? AV_RL32(*p) : AV_RB32(*p); - *p += 4; - return v; + return le ? bytestream2_get_le32(gb) : bytestream2_get_be32(gb); } -static unsigned tget(const uint8_t **p, int type, int le) +static unsigned tget(GetByteContext *gb, int type, int le) { switch (type) { - case TIFF_BYTE : return *(*p)++; - case TIFF_SHORT: return tget_short(p, le); - case TIFF_LONG : return tget_long(p, le); - default : return UINT_MAX; + case TIFF_BYTE: return bytestream2_get_byte(gb); + case TIFF_SHORT: return tget_short(gb, le); + case TIFF_LONG: return tget_long(gb, le); + default: return UINT_MAX; } } @@ -112,8 +108,8 @@ static int tiff_uncompress(uint8_t *dst, unsigned long *len, const uint8_t *src, static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, const uint8_t *src, int size, int lines) { + PutByteContext pb; int c, line, pixels, code; - const uint8_t *ssrc = src; int width = ((s->width * s->bpp) + 7) >> 3; if (size <= 0) 
@@ -151,6 +147,16 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, av_log(s->avctx, AV_LOG_ERROR, "Error initializing LZW decoder\n"); return -1; } + for (line = 0; line < lines; line++) { + pixels = ff_lzw_decode(s->lzw, dst, width); + if (pixels < width) { + av_log(s->avctx, AV_LOG_ERROR, "Decoded only %i bytes of %i\n", + pixels, width); + return AVERROR_INVALIDDATA; + } + dst += stride; + } + return 0; } if (s->compr == TIFF_CCITT_RLE || s->compr == TIFF_G3 || s->compr == TIFF_G4) { 
@@ -187,63 +193,40 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t *dst, int stride, av_free(src2); return ret; } + + bytestream2_init(&s->gb, src, size); + bytestream2_init_writer(&pb, dst, stride * lines); + for (line = 0; line < lines; line++) { - if (src - ssrc > size) { - av_log(s->avctx, AV_LOG_ERROR, "Source data overread\n"); - return -1; - } + if (bytestream2_get_bytes_left(&s->gb) == 0 || bytestream2_get_eof(&pb)) + break; + bytestream2_seek_p(&pb, stride * line, SEEK_SET); switch (s->compr) { case TIFF_RAW: - if (ssrc + size - src < width) - return AVERROR_INVALIDDATA; if (!s->fill_order) { - memcpy(dst, src, width); + bytestream2_copy_buffer(&pb, &s->gb, width); } else { int i; for (i = 0; i < width; i++) - dst[i] = ff_reverse[src[i]]; + bytestream2_put_byte(&pb, ff_reverse[bytestream2_get_byte(&s->gb)]); } - src += width; break; case TIFF_PACKBITS: for (pixels = 0; pixels < width;) { - if (ssrc + size - src < 2) - return AVERROR_INVALIDDATA; - code = (int8_t) * src++; + code = (int8_t)bytestream2_get_byte(&s->gb); if (code >= 0) { code++; - if (pixels + code > width || - ssrc + size - src < code) { - av_log(s->avctx, AV_LOG_ERROR, - "Copy went out of bounds\n"); - return -1; - } - memcpy(dst + pixels, src, code); - src += code; + bytestream2_copy_buffer(&pb, &s->gb, code); pixels += code; } else if (code != -128) { // -127..-1 code = (-code) + 1; - if (pixels + code > width) { - av_log(s->avctx, AV_LOG_ERROR, - "Run went out of bounds\n"); - return -1; - } - c = *src++; - memset(dst + pixels, c, code); + c = bytestream2_get_byte(&s->gb); + bytestream2_set_buffer(&pb, c, code); pixels += code; } } break; - case TIFF_LZW: - pixels = ff_lzw_decode(s->lzw, dst, width); - if (pixels < width) { - av_log(s->avctx, AV_LOG_ERROR, "Decoded only %i bytes of %i\n", - pixels, width); - return -1; - } - break; } - dst += stride; } return 0; } 
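Review bot: In the rewritten line loop of tiff_unpack_strip, an exhausted source or a full destination now leaves the loop through `break` and reaches `return 0`, where the removed code logged "Source data overread" or "Copy went out of bounds" and returned an error. The bytestream2 calls keep reads inside `src`/`size` and writes inside `stride * lines` bytes of `dst`, but a truncated or malformed strip is now reported as a successful decode. A PackBits packet can also write past `width` into the rest of the row, because the `pixels + code > width` checks are gone. Consider `if (line < lines) return AVERROR_INVALIDDATA;` after the loop and clamping `code` to `width - pixels` before the copy and set calls. The function begins outside this hunk.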
@@ -302,20 +285,19 @@ static int init_image(TiffContext *s) return 0; } -static int tiff_decode_tag(TiffContext *s, const uint8_t *start, - const uint8_t *buf, const uint8_t *end_buf) +static int tiff_decode_tag(TiffContext *s) { unsigned tag, type, count, off, value = 0; - int i, j; + int i, start; uint32_t *pal; - const uint8_t *rp, *gp, *bp; - if (end_buf - buf < 12) + if (bytestream2_get_bytes_left(&s->gb) < 12) return -1; - tag = tget_short(&buf, s->le); - type = tget_short(&buf, s->le); - count = tget_long(&buf, s->le); - off = tget_long(&buf, s->le); + tag = tget_short(&s->gb, s->le); + type = tget_short(&s->gb, s->le); + count = tget_long(&s->gb, s->le); + off = tget_long(&s->gb, s->le); + start = bytestream2_tell(&s->gb); if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) { av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", @@ -327,35 +309,26 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, switch (type) { case TIFF_BYTE: case TIFF_SHORT: - buf -= 4; - value = tget(&buf, type, s->le); - buf = NULL; + bytestream2_seek(&s->gb, -4, SEEK_CUR); + value = tget(&s->gb, type, s->le); break; case TIFF_LONG: value = off; - buf = NULL; break; case TIFF_STRING: if (count <= 4) { - buf -= 4; + bytestream2_seek(&s->gb, -4, SEEK_CUR); break; } default: value = UINT_MAX; - buf = start + off; + bytestream2_seek(&s->gb, off, SEEK_SET); } } else { - if (count <= 4 && type_sizes[type] * count <= 4) { - buf -= 4; - } else { - buf = start + off; - } - } - - if (buf && (buf < start || buf > end_buf)) { - av_log(s->avctx, AV_LOG_ERROR, - "Tag referencing position outside the image\n"); - return -1; + if (count <= 4 && type_sizes[type] * count <= 4) + bytestream2_seek(&s->gb, -4, SEEK_CUR); + else + bytestream2_seek(&s->gb, off, SEEK_SET); } switch (tag) { 
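Review bot: The "Tag referencing position outside the image" rejection is removed in the second hunk on this line and nothing replaces it: `bytestream2_seek(&s->gb, off, SEEK_SET)` is called with the untrusted 32-bit `off` and the resulting position is never compared with the requested one. The helper is defined outside this patch, so this is inferred, but if it clamps the position to the buffer, a tag pointing outside the packet is parsed from the clamped position instead of failing. Adding `if (bytestream2_tell(&s->gb) != off) return AVERROR_INVALIDDATA;` after the absolute seeks would restore the old rejection. tiff_decode_tag continues past the end of this hunk.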
@@ -384,8 +357,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, case TIFF_SHORT: case TIFF_LONG: s->bpp = 0; - for (i = 0; i < count && buf < end_buf; i++) - s->bpp += tget(&buf, type, s->le); + for (i = 0; i < count; i++) + s->bpp += tget(&s->gb, type, s->le); break; default: s->bpp = -1; @@ -446,35 +419,25 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, break; case TIFF_STRIP_OFFS: if (count == 1) { - s->stripdata = NULL; + s->strippos = 0; s->stripoff = value; } else - s->stripdata = start + off; + s->strippos = off; s->strips = count; if (s->strips == 1) s->rps = s->height; s->sot = type; - if (s->stripdata > end_buf) { - av_log(s->avctx, AV_LOG_ERROR, - "Tag referencing position outside the image\n"); - return -1; - } break; case TIFF_STRIP_SIZE: if (count == 1) { - s->stripsizes = NULL; - s->stripsize = value; - s->strips = 1; + s->stripsizesoff = 0; + s->stripsize = value; + s->strips = 1; } else { - s->stripsizes = start + off; + s->stripsizesoff = off; } s->strips = count; s->sstype = type; - if (s->stripsizes > end_buf) { - av_log(s->avctx, AV_LOG_ERROR, - "Tag referencing position outside the image\n"); - return -1; - } break; case TIFF_PREDICTOR: s->predictor = value; 
@@ -504,23 +467,27 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, } s->fill_order = value - 1; break; - case TIFF_PAL: + case TIFF_PAL: { + GetByteContext pal_gb[3]; pal = (uint32_t *) s->palette; off = type_sizes[type]; - if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3) + if (count / 3 > 256 || + bytestream2_get_bytes_left(&s->gb) < count / 3 * off * 3) return -1; - rp = buf; - gp = buf + count / 3 * off; - bp = buf + count / 3 * off * 2; + pal_gb[0] = pal_gb[1] = pal_gb[2] = s->gb; + bytestream2_skip(&pal_gb[1], count / 3 * off); + bytestream2_skip(&pal_gb[2], count / 3 * off * 2); off = (type_sizes[type] - 1) << 3; for (i = 0; i < count / 3; i++) { - j = (tget(&rp, type, s->le) >> off) << 16; - j |= (tget(&gp, type, s->le) >> off) << 8; - j |= tget(&bp, type, s->le) >> off; - pal[i] = j; + uint32_t p = 0xFF000000; + p |= (tget(&pal_gb[0], type, s->le) >> off) << 16; + p |= (tget(&pal_gb[1], type, s->le) >> off) << 8; + p |= tget(&pal_gb[2], type, s->le) >> off; + pal[i] = p; } s->palette_is_set = 1; break; + } case TIFF_PLANAR: if (value == 2) { av_log(s->avctx, AV_LOG_ERROR, "Planar format is not supported\n"); 
@@ -539,30 +506,31 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, av_log(s->avctx, AV_LOG_DEBUG, "Unknown or unsupported tag %d/0X%0X\n", tag, tag); } + bytestream2_seek(&s->gb, start, SEEK_SET); return 0; } static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; - int buf_size = avpkt->size; TiffContext *const s = avctx->priv_data; AVFrame *picture = data; AVFrame *const p = &s->picture; - const uint8_t *orig_buf = buf, *end_buf = buf + buf_size; unsigned off; int id, le, ret; int i, j, entries; int stride; unsigned soff, ssize; uint8_t *dst; + GetByteContext stripsizes; + GetByteContext stripdata; + + bytestream2_init(&s->gb, avpkt->data, avpkt->size); //parse image header - if (end_buf - buf < 8) + if (avpkt->size < 8) return AVERROR_INVALIDDATA; - id = AV_RL16(buf); - buf += 2; + id = bytestream2_get_le16(&s->gb); if (id == 0x4949) le = 1; else if (id == 0x4D4D) 
@@ -577,27 +545,26 @@ static int decode_frame(AVCodecContext *avctx, s->fill_order = 0; // As TIFF 6.0 specification puts it "An arbitrary but carefully chosen number // that further identifies the file as a TIFF file" - if (tget_short(&buf, le) != 42) { + if (tget_short(&s->gb, le) != 42) { av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n"); return -1; } - // Reset these pointers so we can tell if they were set this frame - s->stripsizes = s->stripdata = NULL; + // Reset these offsets so we can tell if they were set this frame + s->stripsizesoff = s->strippos = 0; /* parse image file directory */ - off = tget_long(&buf, le); - if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) { + off = tget_long(&s->gb, le); + if (off >= UINT_MAX - 14 || avpkt->size < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); return AVERROR_INVALIDDATA; } - buf = orig_buf + off; - entries = tget_short(&buf, le); + bytestream2_seek(&s->gb, off, SEEK_SET); + entries = tget_short(&s->gb, le); for (i = 0; i < entries; i++) { - if (tiff_decode_tag(s, orig_buf, buf, end_buf) < 0) + if (tiff_decode_tag(s) < 0) return -1; - buf += 12; } - if (!s->stripdata && !s->stripoff) { + if (!s->strippos && !s->stripoff) { av_log(avctx, AV_LOG_ERROR, "Image data is missing\n"); return -1; } 
@@ -607,30 +574,40 @@ static int decode_frame(AVCodecContext *avctx, if (s->strips == 1 && !s->stripsize) { av_log(avctx, AV_LOG_WARNING, "Image data size missing\n"); - s->stripsize = buf_size - s->stripoff; + s->stripsize = avpkt->size - s->stripoff; } stride = p->linesize[0]; dst = p->data[0]; + + if (s->stripsizesoff) { + if (s->stripsizesoff >= avpkt->size) + return AVERROR_INVALIDDATA; + bytestream2_init(&stripsizes, avpkt->data + s->stripsizesoff, + avpkt->size - s->stripsizesoff); + } + if (s->strippos) { + if (s->strippos >= avpkt->size) + return AVERROR_INVALIDDATA; + bytestream2_init(&stripdata, avpkt->data + s->strippos, + avpkt->size - s->strippos); + } + for (i = 0; i < s->height; i += s->rps) { - if (s->stripsizes) { - if (s->stripsizes >= end_buf) - return AVERROR_INVALIDDATA; - ssize = tget(&s->stripsizes, s->sstype, s->le); - } else + if (s->stripsizesoff) + ssize = tget(&stripsizes, s->sstype, le); + else ssize = s->stripsize; - if (s->stripdata) { - if (s->stripdata >= end_buf) - return AVERROR_INVALIDDATA; - soff = tget(&s->stripdata, s->sot, s->le); - } else + if (s->strippos) + soff = tget(&stripdata, s->sot, le); + else soff = s->stripoff; - if (soff > buf_size || ssize > buf_size - soff) { + if (soff > avpkt->size || ssize > avpkt->size - soff) { av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n"); return -1; } - if (tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, + if (tiff_unpack_strip(s, dst, stride, avpkt->data + soff, ssize, FFMIN(s->rps, s->height - i)) < 0) break; dst += s->rps * stride; @@ -660,7 +637,7 @@ static int decode_frame(AVCodecContext *avctx, *picture = s->picture; *got_frame = 1; - return buf_size; + return avpkt->size; } static av_cold int tiff_init(AVCodecContext *avctx) From dccac759d39e761398d3d4172ae0b98c0186efa5 Mon Sep 17 00:00:00 2001 
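Review bot: The new range checks on `s->stripsizesoff` and `s->strippos` in decode_frame test only the upper bound, but both fields are declared `int` in TiffContext and are assigned from the unsigned tag offset `off` in the TIFF_STRIP_OFFS and TIFF_STRIP_SIZE cases of tiff_decode_tag. An offset of 0x80000000 or above would typically convert to a negative value and pass `s->strippos >= avpkt->size`. `bytestream2_init()` would then start at `avpkt->data + s->strippos`, before the packet, with a length larger than the packet. Either declare the two fields `unsigned` or write the checks as `if (s->strippos < 0 || s->strippos >= avpkt->size)`, and likewise for `stripsizesoff`. decode_frame starts outside this hunk.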
From: Anton Khirnov Date: Thu, 20 Mar 2014 20:40:24 +0100 Subject: [PATCH 0806/1037] lavr: allocate the resampling buffer with a positive size This fixes cases where very few input samples (fewer than needed for one output sample) are passed to lavr at the beginning. CC:libav-stable@libav.org (cherry picked from commit ac976ed91e323754e9a84509873ebdb437372797) --- libavresample/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavresample/utils.c b/libavresample/utils.c index 36d9d04430..bf2eaf226f 100644 --- a/libavresample/utils.c +++ b/libavresample/utils.c @@ -117,7 +117,7 @@ int avresample_open(AVAudioResampleContext *avr) } if (avr->resample_needed) { avr->resample_out_buffer = ff_audio_data_alloc(avr->out_channels, - 0, avr->internal_sample_fmt, + 1024, avr->internal_sample_fmt, "resample_out_buffer"); if (!avr->resample_out_buffer) { ret = AVERROR(EINVAL); From b77819afbc44016143b4a11b46109625203c4cef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 13 Apr 2014 13:44:03 +0300 Subject: [PATCH 0807/1037] rtmpproto: Make sure to pass on the error code if read_connect failed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, if read_connect failed, the ret variable was unmodified and had the value 0, indicating success, which then was returned from the rtmp_open function, even though it actually failed. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 6477139721f559b26eafd415e23e13ea2b0c27e1) --- libavformat/rtmpproto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 9989b28737..b18d4b3c5b 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c 
@@ -2443,7 +2443,7 @@ reconnect: if ((ret = gen_connect(s, rt)) < 0) goto fail; } else { - if (read_connect(s, s->priv_data) < 0) + if ((ret = read_connect(s, s->priv_data)) < 0) goto fail; rt->is_input = 1; } From ca14a2d0e40720d018421e06995737e5682c33c9 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 10 Mar 2014 11:48:04 +0100 Subject: [PATCH 0808/1037] configure: Use the right pkgconf file for openjpeg The current release of version 1 uses libopenjpeg1. (cherry picked from commit 4a8562394b685e83ae4a38a93eef43625755a231) Conflicts: configure Signed-off-by: Anton Khirnov --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 441007ce33..362d788598 100755 --- a/configure +++ b/configure @@ -3499,7 +3499,7 @@ enabled libmp3lame && require "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_q enabled libopencore_amrnb && require libopencore_amrnb opencore-amrnb/interf_dec.h Decoder_Interface_init -lopencore-amrnb enabled libopencore_amrwb && require libopencore_amrwb opencore-amrwb/dec_if.h D_IF_init -lopencore-amrwb enabled libopencv && require_pkg_config opencv opencv/cv.h cvCreateImageHeader -enabled libopenjpeg && require_pkg_config libopenjpeg openjpeg.h opj_version +enabled libopenjpeg && require_pkg_config libopenjpeg1 openjpeg.h opj_version enabled libopus && require_pkg_config opus opus_multistream.h opus_multistream_decoder_create enabled libpulse && require_pkg_config libpulse-simple pulse/simple.h pa_simple_new enabled librtmp && require_pkg_config librtmp librtmp/rtmp.h RTMP_Socket From ce364088ef53dbaf90e74a471d12b732b697e0cd Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 12 Mar 2014 09:30:07 +0000 Subject: [PATCH 0809/1037] configure: Support older version of openjpeg1 It should work best for debian stable and people not installing the .pc file. (cherry picked from commit aa807425395caa17a85ed2833133278e8bd44a76) Conflicts: configure 
Signed-off-by: Anton Khirnov --- configure | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 362d788598..466ce54c21 100755 --- a/configure +++ b/configure @@ -3499,7 +3499,8 @@ enabled libmp3lame && require "libmp3lame >= 3.98.3" lame/lame.h lame_set_VBR_q enabled libopencore_amrnb && require libopencore_amrnb opencore-amrnb/interf_dec.h Decoder_Interface_init -lopencore-amrnb enabled libopencore_amrwb && require libopencore_amrwb opencore-amrwb/dec_if.h D_IF_init -lopencore-amrwb enabled libopencv && require_pkg_config opencv opencv/cv.h cvCreateImageHeader -enabled libopenjpeg && require_pkg_config libopenjpeg1 openjpeg.h opj_version +enabled libopenjpeg && { { check_header openjpeg.h && check_lib2 openjpeg.h opj_version -lopenjpeg; } || + { require_pkg_config libopenjpeg1 openjpeg.h opj_version; } } enabled libopus && require_pkg_config opus opus_multistream.h opus_multistream_decoder_create enabled libpulse && require_pkg_config libpulse-simple pulse/simple.h pa_simple_new enabled librtmp && require_pkg_config librtmp librtmp/rtmp.h RTMP_Socket From fb487e2f6668ccb67100acc7a9b86f68af9c523b Mon Sep 17 00:00:00 2001 From: Alexander Strasser Date: Fri, 6 Dec 2013 17:20:26 +0100 Subject: [PATCH 0810/1037] configure: Special case libfreetype test Include the freetype header, in-directly through a macro, like it is done in the drawtext filter. Do not break if the header is moved. Unfortunately the drawtext filter included the file where the include macros are defined in a wrong way. This is not needed and breaks the build. Remove that #include line too. Signed-off-by: Alexander Strasser (cherry picked from commit cea5812fa723c08b89d929eeba73462e05de2973) Conflicts: configure Signed-off-by: Michael Niedermayer --- configure | 22 +++++++++++++++++++++- libavfilter/vf_drawtext.c | 1 - 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/configure b/configure index d8120659ff..9c01958e9f 100755 --- a/configure 
+++ b/configure @@ -1060,6 +1060,26 @@ require_pkg_config(){ add_extralibs $(get_safe ${pkg}_libs) } +require_libfreetype(){ + log require_libfreetype "$@" + pkg="freetype2" + check_cmd $pkg_config --exists --print-errors $pkg \ + || die "ERROR: $pkg not found" + pkg_cflags=$($pkg_config --cflags $pkg) + pkg_libs=$($pkg_config --libs $pkg) + { + echo "#include " + echo "#include FT_FREETYPE_H" + echo "long check_func(void) { return (long) FT_Init_FreeType; }" + echo "int main(void) { return 0; }" + } | check_ld "cc" $pkg_cflags $pkg_libs \ + && set_safe ${pkg}_cflags $pkg_cflags \ + && set_safe ${pkg}_libs $pkg_libs \ + || die "ERROR: $pkg not found" + add_cflags $(get_safe ${pkg}_cflags) + add_extralibs $(get_safe ${pkg}_libs) +} + hostcc_o(){ eval printf '%s\\n' $HOSTCC_O } @@ -3853,7 +3873,7 @@ enabled libfaac && require2 libfaac "stdint.h faac.h" faacEncGetVersion -lfaa enabled libfdk_aac && require libfdk_aac fdk-aac/aacenc_lib.h aacEncOpen -lfdk-aac flite_libs="-lflite_cmu_time_awb -lflite_cmu_us_awb -lflite_cmu_us_kal -lflite_cmu_us_kal16 -lflite_cmu_us_rms -lflite_cmu_us_slt -lflite_usenglish -lflite_cmulex -lflite" enabled libflite && require2 libflite "flite/flite.h" flite_init $flite_libs -enabled libfreetype && require_pkg_config freetype2 "ft2build.h freetype/freetype.h" FT_Init_FreeType +enabled libfreetype && require_libfreetype enabled libgsm && require libgsm gsm/gsm.h gsm_create -lgsm enabled libilbc && require libilbc ilbc.h WebRtcIlbcfix_InitDecode -lilbc enabled libmodplug && require libmodplug libmodplug/modplug.h ModPlug_Load -lmodplug diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index 53a60b1679..412786eaa6 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -48,7 +48,6 @@ #include "video.h" #include -#include #include FT_FREETYPE_H #include FT_GLYPH_H #if CONFIG_FONTCONFIG From 40e6c148f5dc668c6104cfcca5b25a8a8f2c459b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 21 Jun 2013 19:51:30 +0200 Subject: [PATCH 0811/1037] h264/ff_h264_check_intra_pred_mode: fix input value check Signed-off-by: Michael Niedermayer (cherry picked from commit 2005fddcbb4e18e8f7c34326e40609e4a2d83c31) Conflicts: libavcodec/h264.c Merged-by: Michael Niedermayer --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index fd8a878ee2..9f4a61cafa 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -144,7 +144,7 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma) static const int8_t top[7] = { LEFT_DC_PRED8x8, 1, -1, -1 }; static const int8_t left[7] = { TOP_DC_PRED8x8, -1, 2, -1, DC_128_PRED8x8 }; - if (mode > 6U) { + if (mode > 3U) { av_log(h->s.avctx, AV_LOG_ERROR, "out of range intra chroma pred mode at %d %d\n", s->mb_x, s->mb_y); From f294748cbce9627718d0c4112d8a1c0d2d93dfb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2013 19:39:45 +0200 Subject: [PATCH 0812/1037] h264: fix size of arrays in ff_h264_check_intra_pred_mode() Signed-off-by: Michael Niedermayer (cherry picked from commit d6a33f5d20b6ef2eae2cbb959b001cb125a564b7) Conflicts: libavcodec/h264.c Merged-by: Michael Niedermayer --- libavcodec/h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 9f4a61cafa..3851070158 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -141,8 +141,8 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h) int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma) { MpegEncContext *const s = &h->s; - static const int8_t top[7] = { LEFT_DC_PRED8x8, 1, -1, -1 }; - static const int8_t left[7] = { TOP_DC_PRED8x8, -1, 2, -1, DC_128_PRED8x8 }; + static const int8_t top[4] = { LEFT_DC_PRED8x8, 1, -1, -1 }; + static const int8_t left[5] = { TOP_DC_PRED8x8, -1, 2, -1, DC_128_PRED8x8 }; if (mode > 3U) { av_log(h->s.avctx, AV_LOG_ERROR, From 6294d84dca46c1d8cb44c00369a85c5618c00a2d Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 23 Feb 2014 16:39:18 -0800 Subject: [PATCH 0813/1037] configure: use pkg-config to detect libbluray The current configure fails when static libbluray is compiled with libxml2 support. Signed-off-by: Timothy Gu Signed-off-by: Michael Niedermayer (cherry picked from commit baa650cc7946a9eb1cf5a083f61a581a97122f03) Signed-off-by: Timothy Gu Conflicts: configure --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 9c01958e9f..96703ec2ee 100755 --- a/configure +++ b/configure @@ -3864,7 +3864,7 @@ enabled gnutls && require_pkg_config gnutls gnutls/gnutls.h gnutls_global_in enabled libiec61883 && require libiec61883 libiec61883/iec61883.h iec61883_cmp_connect -lraw1394 -lavc1394 -lrom1394 -liec61883 enabled libaacplus && require "libaacplus >= 2.0.0" aacplus.h aacplusEncOpen -laacplus enabled libass && require_pkg_config libass ass/ass.h ass_library_init -enabled libbluray && require libbluray libbluray/bluray.h bd_open -lbluray +enabled libbluray && require_pkg_config libbluray libbluray/bluray.h bd_open enabled libcelt && require libcelt celt/celt.h celt_decode -lcelt0 && { check_lib celt/celt.h celt_decoder_create_custom -lcelt0 || die "ERROR: libcelt must be installed and version must be >= 0.11.0."; } From e770488b50445a29fae5369e099ebf2fa35414f4 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 15 Mar 2014 22:52:22 +0100 Subject: [PATCH 0814/1037] swscale/x86/swscale: fix missing xmm clobbers in yuv2yuvX_sse3() Signed-off-by: Michael Niedermayer (cherry picked from commit 6c47a4e972485e5f0c812159373f703c6f1d089f) Signed-off-by: Michael Niedermayer --- libswscale/x86/swscale.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index 02c454e08f..92579032c7 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c @@ -261,7 +261,8 @@ static void yuv2yuvX_sse3(const int16_t *filter, int filterSize, "jb 1b \n\t"\ :: "g" (filter), "r" (dest-offset), "g" ((x86_reg)(dstW+offset)), "m" (offset) - : "%"REG_d, "%"REG_S, "%"REG_c + : XMM_CLOBBERS("%xmm0" , "%xmm1" , "%xmm2" , "%xmm3" , "%xmm4" , "%xmm5" , "%xmm7" ,) + "%"REG_d, "%"REG_S, "%"REG_c ); } #endif From af1bf7f2772a7a9c2af511c7e933500f0361878d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Mar 2014 18:06:17 +0100 Subject: [PATCH 0815/1037] avcodec/h263dec: Fix use of uninitialized memory from the bitstream buffer Signed-off-by: Michael Niedermayer (cherry picked from commit f07cebcd910c97ff6012085c21493231752990e9) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index a0cb82c624..8809e8e5d4 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -720,10 +720,10 @@ frame_end: } if(startcode_found){ - av_fast_malloc( + av_fast_padded_mallocz( &s->bitstream_buffer, &s->allocated_bitstream_buffer_size, - buf_size - current_pos + FF_INPUT_BUFFER_PADDING_SIZE); + buf_size - current_pos); if (!s->bitstream_buffer) return AVERROR(ENOMEM); memcpy(s->bitstream_buffer, buf + current_pos, buf_size - current_pos); From f741c39752a001f47e6c5228ed24e11c8cafaf64 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 25 Mar 2014 00:15:52 +0100 Subject: [PATCH 0816/1037] avcodec/x86/mpegvideoenc_template: fix integer overflow Signed-off-by: Michael Niedermayer --- libavcodec/x86/mpegvideoenc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/mpegvideoenc_template.c b/libavcodec/x86/mpegvideoenc_template.c index 47c3b43f94..2506ba0fe3 100644 --- a/libavcodec/x86/mpegvideoenc_template.c +++ b/libavcodec/x86/mpegvideoenc_template.c @@ -216,7 +216,7 @@ static int RENAME(dct_quantize)(MpegEncContext *s, "psubusw "MM"1, "MM"4 \n\t" "packuswb "MM"4, "MM"4 \n\t" #if COMPILE_TEMPLATE_SSE2 - "packuswb "MM"4, "MM"4 \n\t" + "packsswb "MM"4, "MM"4 \n\t" #endif "movd "MM"4, %0 \n\t" // *overflow : "=g" (*overflow) From 8130449f32bbf2de1bed23a1a4ef825446e38eea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Mar 2014 18:09:23 +0100 Subject: [PATCH 0817/1037] avcodec/h264_mp4toannexb_bsf: prepend global headers before any in stream parameter sets Fixes h264_mp4toannexb_bsf_failure.mkv Signed-off-by: Michael Niedermayer (cherry picked from commit 289b149cecb381522cc9ccdf382825330169c655) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index 2dea93301a..f9c3621d3f 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -154,7 +154,7 @@ pps: goto fail; /* prepend only to the first type 5 NAL unit of an IDR picture */ - if (ctx->first_idr && unit_type == 5) { + if (ctx->first_idr && (unit_type == 5 || unit_type == 7 || unit_type == 8)) { if ((ret=alloc_and_copy(poutbuf, poutbuf_size, avctx->extradata, avctx->extradata_size, buf, nal_size)) < 0) From 88ec8021ce474b36256b48c741ca9df42316a955 Mon Sep 17 00:00:00 2001 
From: Lukasz Marek Date: Fri, 4 Apr 2014 19:28:45 +0200 Subject: [PATCH 0818/1037] lavu/opt: validate range before dereference This change make error handling simplier. av_opt_freep_ranges may be called when some ranges are NULL, for example after memory allocation fail. Signed-off-by: Lukasz Marek Signed-off-by: Michael Niedermayer (cherry picked from commit 3aac5fcfa9d3748659d78ab2a66d0ccce22cfd4f) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 3e0ed75aa5..d6c82ba3a9 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -1291,8 +1291,10 @@ void av_opt_freep_ranges(AVOptionRanges **rangesp) for (i = 0; i < ranges->nb_ranges; i++) { AVOptionRange *range = ranges->range[i]; - av_freep(&range->str); - av_freep(&ranges->range[i]); + if (range) { + av_freep(&range->str); + av_freep(&ranges->range[i]); + } } av_freep(&ranges->range); av_freep(rangesp); From 93fe53da91f2223e354ca57e7b8de86e513a3469 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Apr 2014 21:34:03 +0200 Subject: [PATCH 0819/1037] avcodec/wma: use av_freep(), do not leave stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit d167faafe9dfa0b82bebb267c3c4e5fa5286bd67) Signed-off-by: Michael Niedermayer --- libavcodec/wma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wma.c b/libavcodec/wma.c index d0c0b34868..3aefd5eabf 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -382,9 +382,9 @@ int ff_wma_end(AVCodecContext *avctx) } for (i = 0; i < 2; i++) { ff_free_vlc(&s->coef_vlc[i]); - av_free(s->run_table[i]); - av_free(s->level_table[i]); - av_free(s->int_table[i]); + av_freep(&s->run_table[i]); + av_freep(&s->level_table[i]); + av_freep(&s->int_table[i]); } return 0; From 0143eb91098f7de89ba5f6885a91f0aa3e6e34ed Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 8 Apr 2014 00:19:07 +0200 Subject: [PATCH 0820/1037] swresample/resample: Limit filter length Related to CID1197063 The limit choosen is arbitrary and much larger than what makes sense. It avoids the need for checking arithmetic operations with the length for overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f9158b01d0f3effb58e87fb07db0382bc1e47de5) Signed-off-by: Michael Niedermayer --- libswresample/resample.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswresample/resample.c b/libswresample/resample.c index 6cd2b8cbcb..96bc921eab 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -229,6 +229,11 @@ static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_r av_assert0(0); } + if (filter_size/factor > INT32_MAX/256) { + av_log(NULL, AV_LOG_ERROR, "Filter length too large\n"); + goto error; + } + c->phase_shift = phase_shift; c->phase_mask = phase_count - 1; c->linear = linear; From 2880de35b53d3ff677db97bcd089ecbc51ec0694 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Apr 2014 00:29:06 +0200 Subject: [PATCH 0821/1037] swresample/dither: use av_malloc_array() Signed-off-by: Michael Niedermayer (cherry picked from commit a5290cb1ac047851563da7aca06569e3ada55f79) Signed-off-by: Michael Niedermayer --- libswresample/dither.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/dither.c b/libswresample/dither.c index 79113f4c23..28cfbdd501 100644 --- a/libswresample/dither.c +++ b/libswresample/dither.c @@ -24,7 +24,7 @@ void swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat out_fmt, enum AVSampleFormat in_fmt) { double scale = 0; #define TMP_EXTRA 2 - double *tmp = av_malloc((len + TMP_EXTRA) * sizeof(double)); + double *tmp = av_malloc_array(len + TMP_EXTRA, sizeof(double)); int i; out_fmt = av_get_packed_sample_fmt(out_fmt); 
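Review bot: In swri_get_dither, `tmp` has no visible NULL check after the switch to `av_malloc_array()`, and the function returns `void`, so a failed allocation cannot be reported to the caller. `av_malloc_array()` returns NULL when count times element size overflows, which is the point of the change, but the code after it then has to handle that result. The rest of the body is outside this hunk; if it uses `tmp` unchecked, add a guard such as `if (!tmp) return;`. Changing the return type so callers can propagate `AVERROR(ENOMEM)` would be the more complete fix.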
From eea1c5daa0504e7e0ca2e0b7d2c99659f34f3b55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Apr 2014 00:29:26 +0200 Subject: [PATCH 0822/1037] swresample/resample: use av_malloc_array() where appropriate Signed-off-by: Michael Niedermayer (cherry picked from commit 5027f39712fdce25b9008e72d52e5abfeefd5fe6) Signed-off-by: Michael Niedermayer --- libswresample/resample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/resample.c b/libswresample/resample.c index 96bc921eab..4ced9fafeb 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -95,7 +95,7 @@ static int build_filter(ResampleContext *c, void *filter, double factor, int tap int filter_type, int kaiser_beta){ int ph, i; double x, y, w; - double *tab = av_malloc(tap_count * sizeof(*tab)); + double *tab = av_malloc_array(tap_count, sizeof(*tab)); const int center= (tap_count-1)/2; if (!tab) From 8f596a45998e9e515bab76a2ba438e4718f9f2de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Apr 2014 18:12:12 +0200 Subject: [PATCH 0823/1037] swscale/x86/swscale_template: loose hardcoded dstw_offset Signed-off-by: Michael Niedermayer (cherry picked from commit f6759d9ad4a8b71e6f212ca4f1e7da9fa56d3298) Signed-off-by: Michael Niedermayer --- libswscale/x86/swscale_template.c | 78 +++++++++++++++---------------- 1 file changed, 37 insertions(+), 41 deletions(-) diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c index 62265db30f..2beace708c 100644 --- a/libswscale/x86/swscale_template.c +++ b/libswscale/x86/swscale_template.c @@ -321,7 +321,7 @@ static void RENAME(yuv2yuvX)(const int16_t *filter, int filterSize, MOVNTQ( q3, 24(dst, index, 4))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITEBGR32(dst, dstw, index, b, g, r, a, q0, q2, q3, t) REAL_WRITEBGR32(dst, dstw, index, b, g, r, a, q0, q2, q3, t) 
@@ -347,13 +347,13 @@ static void RENAME(yuv2rgb32_X_ar)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" "packuswb %%mm7, %%mm1 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm3, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm2, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm3, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm2, %%mm6) YSCALEYUV2PACKEDX_END } else { YSCALEYUV2PACKEDX_ACCURATE YSCALEYUV2RGBX "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) YSCALEYUV2PACKEDX_END } } @@ -376,13 +376,13 @@ static void RENAME(yuv2rgb32_X)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" "packuswb %%mm7, %%mm1 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) YSCALEYUV2PACKEDX_END } else { YSCALEYUV2PACKEDX YSCALEYUV2RGBX "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%4, %5, %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%4, "%5", %%REGa, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) YSCALEYUV2PACKEDX_END } } @@ -411,7 +411,7 @@ static void RENAME(yuv2rgb32_X)(SwsContext *c, const int16_t *lumFilter, MOVNTQ(%%mm1, 8(dst, index, 2))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITERGB16(dst, dstw, index) REAL_WRITERGB16(dst, dstw, index) @@ -435,7 +435,7 @@ static void RENAME(yuv2rgb565_X_ar)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4\n\t" "paddusb "RED_DITHER"(%0), %%mm5\n\t" #endif - WRITERGB16(%4, %5, %%REGa) + WRITERGB16(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } 
@@ -459,7 +459,7 @@ static void RENAME(yuv2rgb565_X)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4 \n\t" "paddusb "RED_DITHER"(%0), %%mm5 \n\t" #endif - WRITERGB16(%4, %5, %%REGa) + WRITERGB16(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -488,7 +488,7 @@ static void RENAME(yuv2rgb565_X)(SwsContext *c, const int16_t *lumFilter, MOVNTQ(%%mm1, 8(dst, index, 2))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITERGB15(dst, dstw, index) REAL_WRITERGB15(dst, dstw, index) @@ -512,7 +512,7 @@ static void RENAME(yuv2rgb555_X_ar)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4\n\t" "paddusb "RED_DITHER"(%0), %%mm5\n\t" #endif - WRITERGB15(%4, %5, %%REGa) + WRITERGB15(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -536,7 +536,7 @@ static void RENAME(yuv2rgb555_X)(SwsContext *c, const int16_t *lumFilter, "paddusb "GREEN_DITHER"(%0), %%mm4 \n\t" "paddusb "RED_DITHER"(%0), %%mm5 \n\t" #endif - WRITERGB15(%4, %5, %%REGa) + WRITERGB15(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -590,7 +590,7 @@ static void RENAME(yuv2rgb555_X)(SwsContext *c, const int16_t *lumFilter, "add $24, "#dst" \n\t"\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITEBGR24MMXEXT(dst, dstw, index) \ @@ -638,7 +638,7 @@ static void RENAME(yuv2rgb555_X)(SwsContext *c, const int16_t *lumFilter, "add $24, "#dst" \n\t"\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #if COMPILE_TEMPLATE_MMXEXT @@ -665,7 +665,7 @@ static void RENAME(yuv2bgr24_X_ar)(SwsContext *c, const int16_t *lumFilter, "pxor %%mm7, %%mm7 \n\t" "lea (%%"REG_a", %%"REG_a", 2), %%"REG_c"\n\t" //FIXME optimize "add %4, %%"REG_c" \n\t" - WRITEBGR24(%%REGc, %5, %%REGa) + WRITEBGR24(%%REGc, "%5", %%REGa) :: "r" (&c->redDither), "m" (dummy), "m" (dummy), "m" (dummy), "r" (dest), "m" (dstW_reg), "m"(uv_off) 
@@ -689,7 +689,7 @@ static void RENAME(yuv2bgr24_X)(SwsContext *c, const int16_t *lumFilter, "pxor %%mm7, %%mm7 \n\t" "lea (%%"REG_a", %%"REG_a", 2), %%"REG_c" \n\t" //FIXME optimize "add %4, %%"REG_c" \n\t" - WRITEBGR24(%%REGc, %5, %%REGa) + WRITEBGR24(%%REGc, "%5", %%REGa) :: "r" (&c->redDither), "m" (dummy), "m" (dummy), "m" (dummy), "r" (dest), "m" (dstW_reg), "m"(uv_off) @@ -710,7 +710,7 @@ static void RENAME(yuv2bgr24_X)(SwsContext *c, const int16_t *lumFilter, MOVNTQ(%%mm7, 8(dst, index, 2))\ \ "add $8, "#index" \n\t"\ - "cmp "#dstw", "#index" \n\t"\ + "cmp "dstw", "#index" \n\t"\ " jb 1b \n\t" #define WRITEYUY2(dst, dstw, index) REAL_WRITEYUY2(dst, dstw, index) @@ -731,7 +731,7 @@ static void RENAME(yuv2yuyv422_X_ar)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm4 \n\t" "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" - WRITEYUY2(%4, %5, %%REGa) + WRITEYUY2(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -752,7 +752,7 @@ static void RENAME(yuv2yuyv422_X)(SwsContext *c, const int16_t *lumFilter, "psraw $3, %%mm4 \n\t" "psraw $3, %%mm1 \n\t" "psraw $3, %%mm7 \n\t" - WRITEYUY2(%4, %5, %%REGa) + WRITEYUY2(%4, "%5", %%REGa) YSCALEYUV2PACKEDX_END } @@ -853,7 +853,7 @@ static void RENAME(yuv2rgb32_2)(SwsContext *c, const int16_t *buf[2], "psraw $3, %%mm1 \n\t" /* abuf0[eax] - abuf1[eax] >>7*/ "psraw $3, %%mm7 \n\t" /* abuf0[eax] - abuf1[eax] >>7*/ "packuswb %%mm7, %%mm1 \n\t" - WRITEBGR32(%4, 8280(%5), %%r8, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) + WRITEBGR32(%4, DSTW_OFFSET"(%5)", %%r8, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "r" (dest), "a" (&c->redDither), "r" (abuf0), "r" (abuf1) 
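Review bot: `DSTW_OFFSET"(%5)"` in the WRITEBGR32 call of yuv2rgb32_2 still assumes the constant equals the distance from operand 5 (`&c->redDither`) to `c->dstW`, and nothing visible checks that. If the struct layout and the constant drift apart, the `cmp` that bounds the store loop reads some other field, and the loop could run past the end of `dest`. A compile-time check beside the definition of DSTW_OFFSET (not on this page) that ties it to `offsetof(SwsContext, dstW) - offsetof(SwsContext, redDither)` would catch that. The same applies to every `DSTW_OFFSET"(%5)"` use in the following hunks. The asm statement continues outside the hunk.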
@@ -877,7 +877,7 @@ static void RENAME(yuv2rgb32_2)(SwsContext *c, const int16_t *buf[2], "packuswb %%mm7, %%mm1 \n\t" "pop %1 \n\t" "pop %0 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm1, %%mm0, %%mm7, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -891,7 +891,7 @@ static void RENAME(yuv2rgb32_2)(SwsContext *c, const int16_t *buf[2], "push %%"REG_BP" \n\t" YSCALEYUV2RGB(%%REGBP, %5) "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -908,14 +908,13 @@ static void RENAME(yuv2bgr24_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2RGB(%%REGBP, %5) "pxor %%mm7, %%mm7 \n\t" - WRITEBGR24(%%REGb, 8280(%5), %%REGBP) + WRITEBGR24(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -931,7 +930,6 @@ static void RENAME(yuv2rgb555_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" 
@@ -944,7 +942,7 @@ static void RENAME(yuv2rgb555_2)(SwsContext *c, const int16_t *buf[2], "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB15(%%REGb, 8280(%5), %%REGBP) + WRITERGB15(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -960,7 +958,6 @@ static void RENAME(yuv2rgb565_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" @@ -973,7 +970,7 @@ static void RENAME(yuv2rgb565_2)(SwsContext *c, const int16_t *buf[2], "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB16(%%REGb, 8280(%5), %%REGBP) + WRITERGB16(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1029,13 +1026,12 @@ static void RENAME(yuv2yuyv422_2)(SwsContext *c, const int16_t *buf[2], const int16_t *buf0 = buf[0], *buf1 = buf[1], *ubuf0 = ubuf[0], *ubuf1 = ubuf[1]; - //Note 8280 == DSTW_OFFSET but the preprocessor can't handle that there :( __asm__ volatile( "mov %%"REG_b", "ESP_OFFSET"(%5) \n\t" "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2PACKED(%%REGBP, %5) - WRITEYUY2(%%REGb, 8280(%5), %%REGBP) + WRITEYUY2(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), 
@@ -1178,7 +1174,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1(%%REGBP, %5) YSCALEYUV2RGB1_ALPHA(%%REGBP) - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (abuf0), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1191,7 +1187,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1(%%REGBP, %5) "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1207,7 +1203,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1b(%%REGBP, %5) YSCALEYUV2RGB1_ALPHA(%%REGBP) - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (abuf0), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1220,7 +1216,7 @@ static void RENAME(yuv2rgb32_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1b(%%REGBP, %5) "pcmpeqd %%mm7, %%mm7 \n\t" - WRITEBGR32(%%REGb, 8280(%5), %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) + WRITEBGR32(%%REGb, DSTW_OFFSET"(%5)", %%REGBP, %%mm2, %%mm4, %%mm5, %%mm7, %%mm0, %%mm1, %%mm3, %%mm6) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), 
@@ -1246,7 +1242,7 @@ static void RENAME(yuv2bgr24_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1(%%REGBP, %5) "pxor %%mm7, %%mm7 \n\t" - WRITEBGR24(%%REGb, 8280(%5), %%REGBP) + WRITEBGR24(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1260,7 +1256,7 @@ static void RENAME(yuv2bgr24_1)(SwsContext *c, const int16_t *buf0, "push %%"REG_BP" \n\t" YSCALEYUV2RGB1b(%%REGBP, %5) "pxor %%mm7, %%mm7 \n\t" - WRITEBGR24(%%REGb, 8280(%5), %%REGBP) + WRITEBGR24(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1291,7 +1287,7 @@ static void RENAME(yuv2rgb555_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB15(%%REGb, 8280(%5), %%REGBP) + WRITERGB15(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1311,7 +1307,7 @@ static void RENAME(yuv2rgb555_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB15(%%REGb, 8280(%5), %%REGBP) + WRITERGB15(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1342,7 +1338,7 @@ static void RENAME(yuv2rgb565_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB16(%%REGb, 8280(%5), %%REGBP) + WRITERGB16(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), 
@@ -1362,7 +1358,7 @@ static void RENAME(yuv2rgb565_1)(SwsContext *c, const int16_t *buf0, "paddusb "GREEN_DITHER"(%5), %%mm4 \n\t" "paddusb "RED_DITHER"(%5), %%mm5 \n\t" #endif - WRITERGB16(%%REGb, 8280(%5), %%REGBP) + WRITERGB16(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1423,7 +1419,7 @@ static void RENAME(yuv2yuyv422_1)(SwsContext *c, const int16_t *buf0, "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2PACKED1(%%REGBP, %5) - WRITEYUY2(%%REGb, 8280(%5), %%REGBP) + WRITEYUY2(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), @@ -1436,7 +1432,7 @@ static void RENAME(yuv2yuyv422_1)(SwsContext *c, const int16_t *buf0, "mov %4, %%"REG_b" \n\t" "push %%"REG_BP" \n\t" YSCALEYUV2PACKED1b(%%REGBP, %5) - WRITEYUY2(%%REGb, 8280(%5), %%REGBP) + WRITEYUY2(%%REGb, DSTW_OFFSET"(%5)", %%REGBP) "pop %%"REG_BP" \n\t" "mov "ESP_OFFSET"(%5), %%"REG_b" \n\t" :: "c" (buf0), "d" (buf1), "S" (ubuf0), "D" (ubuf1), "m" (dest), From b546b7a029a6409a4e6324f81ca8a89767ea02b0 Mon Sep 17 00:00:00 2001 From: Anthoine Bourgeois Date: Wed, 9 Apr 2014 12:18:32 +0200 Subject: [PATCH 0824/1037] avcodec/dirac_arith: Fix build with PIC and stack-check options Fixes Ticket3540 The function dirac_get_arith_bit in libavcodec/dirac_arith.h can't be built with PIC and check-stack because the asm code needs 6 registers and PIC and check-stack options take 1 each and x86 is quite limited in this area. Signed-off-by: Michael Niedermayer (cherry picked from commit d8ab7f31dd819f7b3e0d460a2fa4261aaae87b98) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_arith.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dirac_arith.h b/libavcodec/dirac_arith.h index f9a8bba5fd..089c71a698 100644 --- a/libavcodec/dirac_arith.h 
+++ b/libavcodec/dirac_arith.h @@ -28,6 +28,7 @@ #ifndef AVCODEC_DIRAC_ARITH_H #define AVCODEC_DIRAC_ARITH_H +#include "libavutil/x86/asm.h" #include "bytestream.h" #include "get_bits.h" @@ -134,7 +135,7 @@ static inline int dirac_get_arith_bit(DiracArith *c, int ctx) range_times_prob = (c->range * prob_zero) >> 16; -#if HAVE_FAST_CMOV && HAVE_INLINE_ASM +#if HAVE_FAST_CMOV && HAVE_INLINE_ASM && HAVE_6REGS low -= range_times_prob << 16; range -= range_times_prob; bit = 0; From 15f122316eefef111605e7f747e7a5843d6b9560 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Apr 2014 17:29:27 +0200 Subject: [PATCH 0825/1037] avcodec/x86/idct_sse2_xvid: fix non C99 inline function Found-by: Matt Oliver Signed-off-by: Michael Niedermayer (cherry picked from commit 46d5625f44185271862337d61cd246fd569c42a4) Signed-off-by: Michael Niedermayer --- libavcodec/x86/idct_sse2_xvid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/idct_sse2_xvid.c b/libavcodec/x86/idct_sse2_xvid.c index d121b25031..bb424eed6f 100644 --- a/libavcodec/x86/idct_sse2_xvid.c +++ b/libavcodec/x86/idct_sse2_xvid.c @@ -344,7 +344,7 @@ DECLARE_ASM_CONST(16, int32_t, walkenIdctRounders)[] = { "movdqa %%xmm6, 4*16("dct") \n\t" \ "movdqa "SREG2", 7*16("dct") \n\t" -inline void ff_idct_xvid_sse2(short *block) +av_extern_inline void ff_idct_xvid_sse2(short *block) { __asm__ volatile( "movq "MANGLE(m127)", %%mm0 \n\t" From e459c80fdd13ec3b43a19c5383c6a934ed43644c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 01:55:08 +0200 Subject: [PATCH 0826/1037] swscale/swscale: fix srcStride/srcSlice typo Fixes part of Ticket3466 Found by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit 14fa7fc6a81d5e59e05243cdc92108eab1b138ac) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
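Review bot: The new `HAVE_6REGS` term in the `#if` of dirac_get_arith_bit has a value only because of the `#include "libavutil/x86/asm.h"` added in the first hunk. An undefined macro in `#if` silently evaluates to 0, so dropping or reordering that include would disable the cmov path without any diagnostic. A comment at the include, e.g. `/* for HAVE_6REGS, used by dirac_get_arith_bit() */`, would record the dependency. The header is also x86-specific and is now pulled unconditionally into an architecture-neutral one; whether it is safe on other targets is not visible here. The function body continues outside the hunk.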
diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 2c9e3da86e..74b7940841 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -794,7 +794,7 @@ int attribute_align_arg sws_scale(struct SwsContext *c, uint8_t *dst2[4]; uint8_t *rgb0_tmp = NULL; - if (!srcSlice || !dstStride || !dst || !srcSlice) { + if (!srcStride || !dstStride || !dst || !srcSlice) { av_log(c, AV_LOG_ERROR, "One of the input parameters to sws_scale() is NULL, please check the calling code\n"); return 0; } From f30bd7c21569cffa35725cdb2a32195e43b962f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 0827/1037] avformat/mpegts: Remove redundant check Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit ff6fa0b4b980fc5b9f7653d7b159ae02c3d95210) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 274b85690a..cecb228559 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1263,7 +1263,7 @@ static void m4sl_cb(MpegTSFilter *filter, const uint8_t *section, int section_le AVStream *st; if (ts->pids[pid]->es_id != mp4_descr[i].es_id) continue; - if (!(ts->pids[pid] && ts->pids[pid]->type == MPEGTS_PES)) { + if (ts->pids[pid]->type != MPEGTS_PES) { av_log(s, AV_LOG_ERROR, "pid %x is not PES\n", pid); continue; } From d51e0dd9b4d4169722092462feeb8e7c4b6bcf81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 0828/1037] avcodec/diracdec: fix undefined behavior with shifts Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit b8598f6ce61ccda3f2ff0c730b009fb650e42986) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
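Review bot: The corrected test in sws_scale now covers all four array pointers, but the failure path still does `return 0;`, which a caller cannot tell apart from a call that produced no output lines. If the API contract allows it (not visible here), a negative error such as `return AVERROR(EINVAL);` would make the misuse detectable instead of only logged. The check also tests the arrays themselves, not their elements; whether `srcSlice[0]` and `dst[0]` are validated later in the function is outside the hunk.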
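Review bot: With the `ts->pids[pid] &&` term gone, both the `es_id` comparison and the new `type != MPEGTS_PES` test in m4sl_cb dereference `ts->pids[pid]` with no NULL check visible in the hunk. The removed term was redundant where it stood, because the line above had already dereferenced the pointer. The safety therefore rests entirely on a check made earlier in the loop, which starts outside the hunk. Please confirm that guard exists. If it does, a comment such as `/* ts->pids[pid] is non-NULL here, checked at the top of the pid loop */` would stop the question from coming up again.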
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index c431b97019..2f1a4a58dd 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1342,8 +1342,8 @@ static int mc_subpel(DiracContext *s, DiracBlock *block, const uint8_t *src[5], motion_y >>= s->chroma_y_shift; } - mx = motion_x & ~(-1 << s->mv_precision); - my = motion_y & ~(-1 << s->mv_precision); + mx = motion_x & ~(-1U << s->mv_precision); + my = motion_y & ~(-1U << s->mv_precision); motion_x >>= s->mv_precision; motion_y >>= s->mv_precision; /* normalize subpel coordinates to epel */ From 47c23f93925d3ae196eaa82ffbe552063ee06c5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:55:13 +0200 Subject: [PATCH 0829/1037] avcodec/g723_1: add assert to help static code analyzers Signed-off-by: Michael Niedermayer (cherry picked from commit 1457f3fd90e17745791354fbb87899fc4803085a) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/g723_1.c b/libavcodec/g723_1.c index c2e86d96d3..560110ff77 100644 --- a/libavcodec/g723_1.c +++ b/libavcodec/g723_1.c @@ -2292,7 +2292,8 @@ static int pack_bitstream(G723_1_Context *p, unsigned char *frame, int size) if (p->cur_rate == RATE_6300) { info_bits = 0; put_bits(&pb, 2, info_bits); - } + }else + av_assert0(0); put_bits(&pb, 8, p->lsp_index[2]); put_bits(&pb, 8, p->lsp_index[1]); From 353ff5b4ebf4011efbab7d8ee1e551b770bcbd66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Apr 2014 02:06:37 +0200 Subject: [PATCH 0830/1037] avfilter/vf_deshake: fix loss of precission with odd resolutions Fixes part of Ticket3466 Found-by: Andrey_Karpov / PVS-Studio Signed-off-by: Michael Niedermayer (cherry picked from commit 73734282e0e4df92269984ee1671424e39249481) Signed-off-by: Michael Niedermayer --- libavfilter/vf_deshake.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
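Review bot: `-1U << s->mv_precision` removes the left shift of a negative value, but the shift is still undefined if `s->mv_precision` can reach the width of `unsigned`, and no range check is visible in this hunk. If the field comes from the bitstream, it needs to be bounded where it is parsed (outside this hunk); please confirm that it is. Writing the mask as `(1U << s->mv_precision) - 1` would also state the intent more directly. mc_subpel continues outside the hunk.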
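Review bot: The added `}else av_assert0(0);` makes pack_bitstream abort the whole process for any `cur_rate` other than RATE_6300, rather than failing the call. If another rate can be selected through encoder options (not visible here), that turns a configuration mistake into a crash of the host application. The function returns `int`, so `} else { return AVERROR(EINVAL); }` would quiet the analyzer too, provided the caller checks the result. At minimum, brace the branch and space it as `} else {` to match the surrounding style. The function body continues outside the hunk.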
diff --git a/libavfilter/vf_deshake.c b/libavfilter/vf_deshake.c index c03919c96d..4e79254ace 100644 --- a/libavfilter/vf_deshake.c +++ b/libavfilter/vf_deshake.c @@ -318,8 +318,8 @@ static void find_motion(DeshakeContext *deshake, uint8_t *src1, uint8_t *src2, //av_log(NULL, AV_LOG_ERROR, "\n"); } - p_x = (center_x - width / 2); - p_y = (center_y - height / 2); + p_x = (center_x - width / 2.0); + p_y = (center_y - height / 2.0); t->vector.x += (cos(t->angle)-1)*p_x - sin(t->angle)*p_y; t->vector.y += sin(t->angle)*p_x + (cos(t->angle)-1)*p_y; From b24e68c9c313d91d0a44174520e700927d8434cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Apr 2014 11:33:17 +0200 Subject: [PATCH 0831/1037] avfilter/filtfmts: Support dynamically allocated in/outputs Fixes crash Fixes Ticket3468 Signed-off-by: Michael Niedermayer (cherry picked from commit 59c7615d58b5b7ea9caff2c8c774677973eb4f1c) Signed-off-by: Michael Niedermayer --- libavfilter/filtfmts.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavfilter/filtfmts.c b/libavfilter/filtfmts.c index 72867292a9..789d10d724 100644 --- a/libavfilter/filtfmts.c +++ b/libavfilter/filtfmts.c @@ -38,7 +38,7 @@ static void print_formats(AVFilterContext *filter_ctx) for (j = 0; j < fmts->format_count; j++) \ if(av_get_pix_fmt_name(fmts->formats[j])) \ printf(#INOUT "PUT[%d] %s: fmt:%s\n", \ - i, filter_ctx->filter->inout##puts[i].name, \ + i, filter_ctx->inout##put_pads[i].name, \ av_get_pix_fmt_name(fmts->formats[j])); \ } else if (filter_ctx->inout##puts[i]->type == AVMEDIA_TYPE_AUDIO) { \ AVFilterFormats *fmts; \ 
@@ -47,7 +47,7 @@ static void print_formats(AVFilterContext *filter_ctx) fmts = filter_ctx->inout##puts[i]->outin##_formats; \ for (j = 0; j < fmts->format_count; j++) \ printf(#INOUT "PUT[%d] %s: fmt:%s\n", \ - i, filter_ctx->filter->inout##puts[i].name, \ + i, filter_ctx->inout##put_pads[i].name, \ av_get_sample_fmt_name(fmts->formats[j])); \ \ layouts = filter_ctx->inout##puts[i]->outin##_channel_layouts; \ @@ -56,7 +56,7 @@ static void print_formats(AVFilterContext *filter_ctx) av_get_channel_layout_string(buf, sizeof(buf), -1, \ layouts->channel_layouts[j]); \ printf(#INOUT "PUT[%d] %s: chlayout:%s\n", \ - i, filter_ctx->filter->inout##puts[i].name, buf); \ + i, filter_ctx->inout##put_pads[i].name, buf); \ } \ } \ } \ @@ -106,12 +106,12 @@ int main(int argc, char **argv) /* create a link for each of the input pads */ for (i = 0; i < filter_ctx->input_count; i++) { AVFilterLink *link = av_mallocz(sizeof(AVFilterLink)); - link->type = filter_ctx->filter->inputs[i].type; + link->type = filter_ctx->input_pads[i].type; filter_ctx->inputs[i] = link; } for (i = 0; i < filter_ctx->output_count; i++) { AVFilterLink *link = av_mallocz(sizeof(AVFilterLink)); - link->type = filter_ctx->filter->outputs[i].type; + link->type = filter_ctx->output_pads[i].type; filter_ctx->outputs[i] = link; } From 5f390ee944f5b66ae62744f51129eb93359b2545 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Apr 2014 01:01:20 +0200 Subject: [PATCH 0832/1037] Update for FFmpeg 1.1.10 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 512a1faa68..5ed5faa5f1 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.9 +1.1.10 diff --git a/VERSION b/VERSION index 512a1faa68..5ed5faa5f1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.9 +1.1.10 diff --git a/doc/Doxyfile b/doc/Doxyfile index fe8b250c2d..0b7b9580ce 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
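Review bot: In both link-creation loops of main(), the result of `av_mallocz(sizeof(AVFilterLink))` is written through on the very next line (`link->type = ...`) with no NULL check, and the changed lines keep that pattern. Add `if (!link) return 1;` after each allocation, or use whatever failure exit main() already has, which is not visible in the hunk. The tool is small, but it is run on arbitrary filter descriptions, so a clean failure is preferable to a NULL dereference.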
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.9 +PROJECT_NUMBER = 1.1.10 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From cf7bb6ceb1da7682aa54989f83d81c67a5e6790d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 24 Apr 2014 07:40:34 +0200 Subject: [PATCH 0833/1037] Revert "pthread: flush all threads on flush, not just the first one" This reverts commit 2eb15cdeef29eb8a0a32658154decba94b4b89cb. It does not work correctly in pre-refcounting threading code. --- libavcodec/pthread.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c index d0c92f4f82..8ae494b0b5 100644 --- a/libavcodec/pthread.c +++ b/libavcodec/pthread.c @@ -885,6 +885,8 @@ void ff_thread_flush(AVCodecContext *avctx) if (fctx->prev_thread) { if (fctx->prev_thread != &fctx->threads[0]) update_context_from_thread(fctx->threads[0].avctx, fctx->prev_thread->avctx, 0); + if (avctx->codec->flush) + avctx->codec->flush(fctx->threads[0].avctx); } fctx->next_decoding = fctx->next_finished = 0; @@ -896,9 +898,6 @@ void ff_thread_flush(AVCodecContext *avctx) p->got_frame = 0; release_delayed_buffers(p); - - if (avctx->codec->flush) - avctx->codec->flush(p->avctx); } } From 945a1b7ab9b9df317e175e480a135a41e7e05b5c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 23 Apr 2014 22:26:40 +0200 Subject: [PATCH 0834/1037] h264: reset next_output_pic earlier in start_frame() In case start_frame() fails, this potentially invalid frame can still be output to the caller. Bug-Id: 672 Bug-Id: debian/741240 Bug-Id: ubuntu/1288206 --- libavcodec/h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 702a272d98..fab23a5ffc 100644 --- a/libavcodec/h264.c 
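Review bot: After this revert only `fctx->threads[0].avctx` gets `codec->flush()`, and only when `fctx->prev_thread` is set; the per-thread loop no longer flushes the other contexts, and the code does not say why. The commit message gives the reason, but the next reader of ff_thread_flush will not see it. A comment at the call would prevent the reverted change from being reintroduced, for example `/* only thread 0 is flushed: flushing every thread does not work in this pre-refcounting threading code */`. The function starts outside the hunk.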
+++ b/libavcodec/h264.c @@ -1290,6 +1290,8 @@ int ff_h264_frame_start(H264Context *h) int i; const int pixel_shift = h->pixel_shift; + h->next_output_pic = NULL; + if (ff_MPV_frame_start(s, s->avctx) < 0) return -1; ff_er_frame_start(s); @@ -1341,8 +1343,6 @@ int ff_h264_frame_start(H264Context *h) s->current_picture_ptr->field_poc[0] = s->current_picture_ptr->field_poc[1] = INT_MAX; - h->next_output_pic = NULL; - assert(s->current_picture_ptr->long_ref == 0); return 0; From 42a8d326978f6cf64fdc6deec8a3d91e5e1eaf07 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Wed, 21 Mar 2012 14:18:16 -0700 Subject: [PATCH 0835/1037] movdec: handle 0x7fff langcode as macintosh per the specs The correct point that seperates ISO and MAC language codes is 0x400 according to the current QT spec. Old QT specs did not list where this seperation is but apparently only defined the meaning of the first 137. (cherry picked from commit 9e71cc81f3655cacf0f91860fba3043f13b64059) (cherry picked from commit 7940306a47df602be4f57a62175706265bbfd0aa) --- libavformat/isom.c | 2 +- libavformat/mov.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/isom.c b/libavformat/isom.c index ccf4ca1e84..c9b894fd15 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -342,7 +342,7 @@ int ff_mov_lang_to_iso639(unsigned code, char to[4]) memset(to, 0, 4); /* is it the mangled iso code? */ /* see http://www.geocities.com/xhelmboyx/quicktime/formats/mp4-layout.txt */ - if (code > 138) { + if (code >= 0x400 && code != 0x7fff) { for (i = 2; i >= 0; i--) { to[i] = 0x60 + (code & 0x1f); code >>= 5; diff --git a/libavformat/mov.c b/libavformat/mov.c index e5d8311fbc..4453d6deff 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
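Review bot: The reset of `h->next_output_pic` in ff_h264_frame_start now has to stay above the first failure return (`ff_MPV_frame_start(s, s->avctx) < 0`), yet nothing at the statement records that ordering requirement. A later cleanup could move it back next to the other per-picture initialisation and reopen the bug. Add a comment on the line, e.g. `/* clear before any early return so a failed frame start cannot leave a stale picture to be output */`. The function body between the two hunks is not visible here.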
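Review bot: Moving the threshold in ff_mov_lang_to_iso639 from `code > 138` to `code >= 0x400 && code != 0x7fff` sends every code from 139 to 0x3ff, plus 0x7fff, to the Macintosh language handling that follows this branch. That path is outside the hunk. If it indexes a fixed-size table, it must reject codes past the table's last entry, otherwise a value taken from the file would index out of bounds. Please confirm the bound check is there, and consider a comment at the condition saying that out-of-table Macintosh codes are rejected below.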
@@ -300,7 +300,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (parse) parse(c, pb, str_size, key); else { - if (data_type == 3 || (data_type == 0 && langcode < 0x800)) { // MAC Encoded + if (data_type == 3 || (data_type == 0 && (langcode < 0x400 || langcode == 0x7fff))) { // MAC Encoded mov_read_mac_string(c, pb, str_size, str, sizeof(str)); } else { avio_read(pb, str, str_size); From b5f92f9603c2b46c37b20134e9e2338805844f0f Mon Sep 17 00:00:00 2001 From: Mark Himsley Date: Fri, 1 Nov 2013 11:22:53 +0000 Subject: [PATCH 0836/1037] isom: lpcm in mov default to big endian It is my understanding that "Unless otherwise stated, all data in a QuickTime movie is stored in big-endian byte ordering" [1] in MOV files. I have a couple of thousand files, which technically are invalid because their sound sample description element 4CC is 'lpcm' but its version is 0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or twos-complement ('twos') format" [2] Because isom.c only contains a mapping for 4CC 'lpcm' to AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when it is actually BE. This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'. [1] https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf page 21 [2] https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf page 178 Reviewed-by: Yusuke Nakamura (cherry picked from commit 360022bd3b894cc01ea112b275fa4c8f53881808) (cherry picked from commit d37fac6dbbdddb76225aa691b83ffd9a0c7dae6b) --- libavformat/isom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index c9b894fd15..b016686d7a 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c 
@@ -259,6 +259,7 @@ const AVCodecTag ff_codec_movaudio_tags[] = { { AV_CODEC_ID_PCM_MULAW, MKTAG('u', 'l', 'a', 'w') }, { AV_CODEC_ID_PCM_S16BE, MKTAG('t', 'w', 'o', 's') }, { AV_CODEC_ID_PCM_S16LE, MKTAG('s', 'o', 'w', 't') }, + { AV_CODEC_ID_PCM_S16BE, MKTAG('l', 'p', 'c', 'm') }, { AV_CODEC_ID_PCM_S16LE, MKTAG('l', 'p', 'c', 'm') }, { AV_CODEC_ID_PCM_S24BE, MKTAG('i', 'n', '2', '4') }, { AV_CODEC_ID_PCM_S24LE, MKTAG('i', 'n', '2', '4') }, From 05de372350f8720461d3cadba40836546f1bb95c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C3=ABl=20Carr=C3=A9?= Date: Tue, 27 Aug 2013 17:35:49 +0200 Subject: [PATCH 0837/1037] apedec: do not buffer decoded samples over AVPackets Only consume an AVPacket when all the samples have been read. When the rate of samples output is limited (by the default value of max_samples), consuming the first packet immediately will cause timing problems: - The first packet with PTS 0 will output 4608 samples and be consumed entirely - The second packet with PTS 64 will output the remaining samples (typically, a lot, that's why max_samples exist) until the decoded samples of the first packet have been exhausted, at which point the samples of the second packet will be decoded and output when av_decode_frame is called with the next packet). That means there's a PTS jump since the first packet is 'decoded' immediately, which can be seen with avplay or mplayer: the timing jumps immediately to 6.2s (which is the size of a packet). Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape Bug-Debian: http://bugs.debian.org/744901 Signed-off-by: Justin Ruggles (cherry picked from commit 91d4cfb8127f1de6c4ad173a30fffe584700046d) Signed-off-by: Reinhard Tartler --- libavcodec/apedec.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 61eecfe273..ddfebaa609 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c 
@@ -833,7 +833,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, int32_t *sample24; int i, ch, ret; int blockstodecode; - int bytes_used = 0; /* this should never be negative, but bad things will happen if it is, so check it just to make sure. */ @@ -889,7 +888,6 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - bytes_used = avpkt->size; } if (!s->data) { @@ -958,7 +956,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; *(AVFrame *)data = s->frame; - return bytes_used; + return (s->samples == 0) ? avpkt->size : 0; } static void ape_flush(AVCodecContext *avctx) From eb89e1b98d3676aac1287d97c633b527c1ff4ea4 Mon Sep 17 00:00:00 2001 From: Nicolas George Date: Sun, 24 Jun 2012 11:38:18 +0200 Subject: [PATCH 0838/1037] oggdec: add support for Opus in Ogg demuxing Fixes: https://bugzilla.libav.org/show_bug.cgi?id=603 Fixes: http://bugs.debian.org/720563 (cherry picked from commit ecab1c77410f023b437c6ed3a3281be8f039e574) Signed-off-by: Reinhard Tartler --- libavformat/Makefile | 1 + libavformat/oggdec.c | 1 + libavformat/oggdec.h | 1 + libavformat/oggparseopus.c | 142 +++++++++++++++++++++++++++++++++++++ libavformat/version.h | 2 +- 5 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 libavformat/oggparseopus.c diff --git a/libavformat/Makefile b/libavformat/Makefile index 14e3e1ed68..2553b8d312 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile @@ -203,6 +203,7 @@ OBJS-$(CONFIG_OGG_DEMUXER) += oggdec.o \ oggparsedirac.o \ oggparseflac.o \ oggparseogm.o \ + oggparseopus.o \ oggparseskeleton.o \ oggparsespeex.o \ oggparsetheora.o \ diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 03ec50e084..7fd36c9431 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c 
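Review bot: `return (s->samples == 0) ? avpkt->size : 0;` lets ape_decode_frame report zero bytes consumed while still setting `*got_frame_ptr = 1`, so the caller is expected to pass the same packet in again, and nothing at the return documents that contract. A comment such as `/* report the packet as consumed only once all of its samples have been output */` would make it explicit. It also depends on the start of the function not parsing the packet again while `s->samples` is non-zero; that code lies between the hunks and is not fully visible here, so please confirm it.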
@@ -46,6 +46,7 @@ static const struct ogg_codec * const ogg_codecs[] = { &ff_theora_codec, &ff_flac_codec, &ff_celt_codec, + &ff_opus_codec, &ff_old_dirac_codec, &ff_old_flac_codec, &ff_ogm_video_codec, diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index d11ff9f591..918378d2ea 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -116,6 +116,7 @@ extern const struct ogg_codec ff_ogm_text_codec; extern const struct ogg_codec ff_ogm_video_codec; extern const struct ogg_codec ff_old_dirac_codec; extern const struct ogg_codec ff_old_flac_codec; +extern const struct ogg_codec ff_opus_codec; extern const struct ogg_codec ff_skeleton_codec; extern const struct ogg_codec ff_speex_codec; extern const struct ogg_codec ff_theora_codec; diff --git a/libavformat/oggparseopus.c b/libavformat/oggparseopus.c new file mode 100644 index 0000000000..babd0f0fa6 --- /dev/null +++ b/libavformat/oggparseopus.c 
@@ -0,0 +1,142 @@ +/* + * Opus parser for Ogg + * Copyright (c) 2012 Nicolas George + * + * This file is part of Libav. + * + * Libav is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * Libav is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Libav; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include + +#include "libavutil/intreadwrite.h" +#include "avformat.h" +#include "internal.h" +#include "oggdec.h" + +struct oggopus_private { + int need_comments; + unsigned pre_skip; + int64_t cur_dts; +}; + +#define OPUS_HEAD_SIZE 19 + +static int opus_header(AVFormatContext *avf, int idx) +{ + struct ogg *ogg = avf->priv_data; + struct ogg_stream *os = &ogg->streams[idx]; + AVStream *st = avf->streams[idx]; + struct oggopus_private *priv = os->private; + uint8_t *packet = os->buf + os->pstart; + uint8_t *extradata; + + if (!priv) { + priv = os->private = av_mallocz(sizeof(*priv)); + if (!priv) + return AVERROR(ENOMEM); + } + if (os->flags & OGG_FLAG_BOS) { + if (os->psize < OPUS_HEAD_SIZE || (AV_RL8(packet + 8) & 0xF0) != 0) + return AVERROR_INVALIDDATA; + + st->codec->codec_type = AVMEDIA_TYPE_AUDIO; + st->codec->codec_id = AV_CODEC_ID_OPUS; + st->codec->channels = AV_RL8(packet + 9); + priv->pre_skip = AV_RL16(packet + 10); + + extradata = av_malloc(os->psize + FF_INPUT_BUFFER_PADDING_SIZE); + if (!extradata) + return AVERROR(ENOMEM); + + memcpy(extradata, packet, os->psize); + st->codec->extradata = extradata; + 
st->codec->extradata_size = os->psize; + + st->codec->sample_rate = 48000; + avpriv_set_pts_info(st, 64, 1, 48000); + priv->need_comments = 1; + return 1; + } + + if (priv->need_comments) { + if (os->psize < 8 || memcmp(packet, "OpusTags", 8)) + return AVERROR_INVALIDDATA; + ff_vorbis_comment(avf, &st->metadata, packet + 8, os->psize - 8); + priv->need_comments--; + return 1; + } + + return 0; +} + +static int opus_packet(AVFormatContext *avf, int idx) +{ + struct ogg *ogg = avf->priv_data; + struct ogg_stream *os = &ogg->streams[idx]; + AVStream *st = avf->streams[idx]; + struct oggopus_private *priv = os->private; + uint8_t *packet = os->buf + os->pstart; + unsigned toc, toc_config, toc_count, frame_size, nb_frames = 1; + + if (!os->psize) + return AVERROR_INVALIDDATA; + + toc = *packet; + toc_config = toc >> 3; + toc_count = toc & 3; + frame_size = toc_config < 12 ? FFMAX(480, 960 * (toc_config & 3)) : + toc_config < 16 ? 480 << (toc_config & 1) : + 120 << (toc_config & 3); + if (toc_count == 3) { + if (os->psize < 2) + return AVERROR_INVALIDDATA; + nb_frames = packet[1] & 0x3F; + } else if (toc_count) { + nb_frames = 2; + } + + os->pduration = frame_size * nb_frames; + if (os->lastpts != AV_NOPTS_VALUE) { + if (st->start_time == AV_NOPTS_VALUE) + st->start_time = os->lastpts; + priv->cur_dts = os->lastdts = os->lastpts -= priv->pre_skip; + } + + priv->cur_dts += os->pduration; + if ((os->flags & OGG_FLAG_EOS)) { + int64_t skip = priv->cur_dts - os->granule + priv->pre_skip; + skip = FFMIN(skip, os->pduration); + if (skip > 0) { + os->pduration = skip < os->pduration ? 
os->pduration - skip : 1; + av_log(avf, AV_LOG_WARNING, + "Last packet is truncated to %d (because of unimplemented end trim support).\n", + os->pduration); + return AVERROR_PATCHWELCOME; + } + } + + return 0; +} + +const struct ogg_codec ff_opus_codec = { + .name = "Opus", + .magic = "OpusHead", + .magicsize = 8, + .header = opus_header, + .packet = opus_packet, + .granule_is_start = 1, + .nb_header = 1, +}; diff --git a/libavformat/version.h b/libavformat/version.h index c2c1e3a8d6..2944d5e1f8 100644 --- a/libavformat/version.h +++ b/libavformat/version.h @@ -31,7 +31,7 @@ #define LIBAVFORMAT_VERSION_MAJOR 54 #define LIBAVFORMAT_VERSION_MINOR 20 -#define LIBAVFORMAT_VERSION_MICRO 3 +#define LIBAVFORMAT_VERSION_MICRO 4 #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \ LIBAVFORMAT_VERSION_MINOR, \ From 3938b6762132d3d7ef1b5782e7dc8bf73ac8145d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Apr 2014 18:22:53 +0200 Subject: [PATCH 0839/1037] mp3enc: Properly write bitrate value in XING header Instead of using a fixed bitrate_idx, calculate a matching bitrate for the XING header. Using a fixed bitrate_idx causes tools such as file(1) and mediainfo(1) to report wrong bitrate and bitrate mode when using CBR. Bug-Id: https://bugs.debian.org/736088 Signed-off-by: Luca Barbato (cherry picked from commit 617a1a98a6be3e59db6fbfc21afab2fb9a049c03) Signed-off-by: Reinhard Tartler (cherry picked from commit 0f6e309b97e3da83a0fa75fbf1c4b50cd72047eb) --- libavformat/mp3enc.c | 46 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 39 insertions(+), 7 deletions(-) diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c index c969777255..e37abf5530 100644 --- a/libavformat/mp3enc.c +++ b/libavformat/mp3enc.c 
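Review bot: In opus_header the extradata buffer comes from `av_malloc(os->psize + FF_INPUT_BUFFER_PADDING_SIZE)` and only the first `os->psize` bytes are written, so the padding that exists to absorb bitstream over-reads is left uninitialised. Adding `memset(extradata + os->psize, 0, FF_INPUT_BUFFER_PADDING_SIZE);` after the memcpy, or allocating with `av_mallocz`, closes that. The same branch assigns `st->codec->extradata` without freeing a previous buffer, which would leak if a second BOS header packet ever reaches this stream. `st->codec->channels = AV_RL8(packet + 9)` also takes a channel count of 0 straight from the file with no check.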
@@ -118,8 +118,11 @@ static void mp3_write_xing(AVFormatContext *s) MPADecodeHeader mpah; int srate_idx, i, channels; int bitrate_idx; + int best_bitrate_idx; + int best_bitrate_error = INT_MAX; int xing_offset; int ver = 0; + int lsf, bytes_needed; if (!s->pb->seekable) return; @@ -149,21 +152,51 @@ static void mp3_write_xing(AVFormatContext *s) return; } - /* 64 kbps frame, should be large enough */ - bitrate_idx = (ver == 3) ? 5 : 8; - /* dummy MPEG audio header */ header = 0xff << 24; // sync header |= (0x7 << 5 | ver << 3 | 0x1 << 1 | 0x1) << 16; // sync/audio-version/layer 3/no crc*/ - header |= (bitrate_idx << 4 | srate_idx << 2) << 8; + header |= (srate_idx << 2) << 8; header |= channels << 6; + + lsf = !((header & (1 << 20) && header & (1 << 19))); + + xing_offset = xing_offtbl[ver != 3][channels == 1]; + bytes_needed = 4 // header + + xing_offset + + 4 // xing tag + + 4 // frames/size/toc flags + + 4 // frames + + 4 // size + + XING_TOC_SIZE; // toc + + for (bitrate_idx = 1; bitrate_idx < 15; bitrate_idx++) { + int bit_rate = 1000 * avpriv_mpa_bitrate_tab[lsf][3 - 1][bitrate_idx]; + int error = FFABS(bit_rate - codec->bit_rate); + + if (error < best_bitrate_error){ + best_bitrate_error = error; + best_bitrate_idx = bitrate_idx; + } + } + + for (bitrate_idx = best_bitrate_idx; bitrate_idx < 15; bitrate_idx++) { + int32_t mask = bitrate_idx << (4 + 8); + header |= mask; + + avpriv_mpegaudio_decode_header(&mpah, header); + + if (bytes_needed <= mpah.frame_size) + break; + + header &= ~mask; + } + avio_wb32(s->pb, header); avpriv_mpegaudio_decode_header(&mpah, header); av_assert0(mpah.frame_size >= XING_MAX_SIZE); - xing_offset = xing_offtbl[ver != 3][codec->channels == 1]; ffio_fill(s->pb, 0, xing_offset); mp3->xing_offset = avio_tell(s->pb); ffio_wfourcc(s->pb, "Xing"); 
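Review bot: The second loop in mp3_write_xing can run to `bitrate_idx == 15` without a `break`, and nothing handles that exit. The last iteration clears the bitrate bits again with `header &= ~mask`, so the header goes out with bitrate index 0, and the only guard left is `av_assert0(mpah.frame_size >= XING_MAX_SIZE)`, which aborts the process instead of skipping the Xing frame. A check right after the loop, `if (bitrate_idx == 15) return;`, placed before `avio_wb32(s->pb, header)`, turns that into a clean skip; whether any supported sample-rate and channel combination reaches it is not visible here. `best_bitrate_idx` from the first hunk is declared without an initialiser and assigned only inside the search loop, so `int best_bitrate_idx = 1;` would make the later `for (bitrate_idx = best_bitrate_idx; ...)` defined on every path. The return value of `avpriv_mpegaudio_decode_header` is ignored in both calls.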
@@ -179,8 +212,7 @@ static void mp3_write_xing(AVFormatContext *s) for (i = 0; i < XING_TOC_SIZE; i++) avio_w8(s->pb, 255 * i / XING_TOC_SIZE); - mpah.frame_size -= 4 + xing_offset + 4 + 4 + 4 + 4 + XING_TOC_SIZE; - ffio_fill(s->pb, 0, mpah.frame_size); + ffio_fill(s->pb, 0, mpah.frame_size - bytes_needed); } /* From 696a74e81560889ef2fde76b045c5158a325a7a5 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 27 Apr 2014 13:40:11 +0200 Subject: [PATCH 0840/1037] matroska: add the Opus mapping (cherry picked from commit 141fdc763c2841b572d29a2ad78513e8d5325870) Signed-off-by: Reinhard Tartler (cherry picked from commit 79041d92ee7421853ee8c57fc13891cb0c272e0e) --- libavformat/matroska.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroska.c b/libavformat/matroska.c index edb7ab7910..fe5d1c8959 100644 --- a/libavformat/matroska.c +++ b/libavformat/matroska.c @@ -32,6 +32,7 @@ const CodecTags ff_mkv_codec_tags[]={ {"A_MPEG/L2" , AV_CODEC_ID_MP2}, {"A_MPEG/L1" , AV_CODEC_ID_MP2}, {"A_MPEG/L3" , AV_CODEC_ID_MP3}, + {"A_OPUS" , AV_CODEC_ID_OPUS}, {"A_PCM/FLOAT/IEEE" , AV_CODEC_ID_PCM_F32LE}, {"A_PCM/FLOAT/IEEE" , AV_CODEC_ID_PCM_F64LE}, {"A_PCM/INT/BIG" , AV_CODEC_ID_PCM_S16BE}, From 9a2387cfb1a99e4b00593c22074929cdc73410f0 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 2 May 2014 00:21:23 +0200 Subject: [PATCH 0841/1037] swscale: Fix an undefined behaviour Prevent a division by zero down the codepath. Sample-Id: 00001721-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 3a177a9cca924e097265b32f9282814f6b653e08) (cherry picked from commit 0499f7809c1fcc33ed710cdf771a18b374702135) --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index f0a2b464fc..23eb4a48a1 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
@@ -316,7 +316,7 @@ static int initFilter(int16_t **outFilter, int32_t **filterPos, xDstInSrc = xInc - 0x10000; for (i = 0; i < dstW; i++) { - int xx = (xDstInSrc - ((filterSize - 2) << 16)) / (1 << 17); + int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 17); int j; (*filterPos)[i] = xx; for (j = 0; j < filterSize; j++) { From 1f5678c5e404ebd326f6eae1b527beadaa85a528 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 4 May 2014 10:37:49 -0400 Subject: [PATCH 0842/1037] Update Changelog for v9.13 --- Changelog | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Changelog b/Changelog index 1c4114f2d2..a50431f670 100644 --- a/Changelog +++ b/Changelog 
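Review bot: The added `(int64_t)` cast widens the shift, but the quotient is still narrowed into `int xx` and stored in `(*filterPos)[i]`, so an out-of-range value is truncated rather than rejected. If `filterSize` can be below 2 on this path, `(int64_t)(filterSize - 2) << 16` also left-shifts a negative value, which is undefined; `(filterSize - 2) * (int64_t)(1 << 16)` gives the same result without the shift. The ranges of `xInc`, `dstW` and `filterSize` are established outside the hunk, so a bound check may already exist earlier in initFilter.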
@@ -1,5 +1,35 @@ Releases are sorted from youngest to oldest. +Version 9.13: +- swscale: Fix an undefined behaviour +- matroska: add the Opus mapping +- mp3enc: Properly write bitrate value in XING header (Fixes: debian/736088) +- origin/pu/9 oggdec: add support for Opus in Ogg demuxing (Fixes: libav/603, debian/720563) +- apedec: do not buffer decoded samples over AVPackets +- isom: lpcm in mov default to big endian +- movdec: handle 0x7fff langcode as macintosh per the specs +- h264: reset next_output_pic earlier in start_frame() (Fixes: libav/672, debian/741240, ubuntu/1288206) +- Revert "pthread: flush all threads on flush, not just the first one" +- rtmpproto: Make sure to pass on the error code if read_connect failed +- lavr: allocate the resampling buffer with a positive size +- tiffdec: use bytestream2 to simplify overread/overwrite protection +- bytestream: add bytestream2_copy_buffer() functions +- bytestream: add functions for accessing size of buffer +- resample: fix avresample_get_delay() return value +- avi: Improve non-interleaved detection (Fixes: libav/666) +- af_channelmap: fix ONE_STR mapping mode +- movenc: allow override of "writing application" tag +- matroskaenc: allow override of "writing application" tag +- avfilter: Add missing emms_c when needed +- build: Use pkg-config for openjpeg (Fixes: libav/387) +- pthread: flush all threads on flush, not just the first one (Fixes: vlc/9665) +- mpeg12: check scantable indices in all decode_block functions +- sgidec: fix buffer size check in expand_rle_row() +- adx: check that the offset is not negative +- mpegvideo: set reference/pict_type on generated reference frames +- h264: Fix various crashes found in samples pointed by Mateusz "j00ru" Jurczyk and Gynvael Coldwind - Thanks! + + version 9.12: - configure: Update freetype check to follow upstream - drawtext: Drop pointless header From 2340ce6954db2c0a79c57fcba7f45e2fcc20cdc9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafa=C3=ABl=20Carr=C3=A9?= Date: Tue, 27 Aug 2013 17:35:49 +0200 Subject: [PATCH 0843/1037] update Changelog --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index a50431f670..8a74804bb1 100644 --- a/Changelog +++ b/Changelog @@ -5,7 +5,7 @@ Version 9.13: - matroska: add the Opus mapping - mp3enc: Properly write bitrate value in XING header (Fixes: debian/736088) - origin/pu/9 oggdec: add support for Opus in Ogg demuxing (Fixes: libav/603, debian/720563) -- apedec: do not buffer decoded samples over AVPackets +- apedec: do not buffer decoded samples over AVPackets (Fixes: debian/744901) - isom: lpcm in mov default to big endian - movdec: handle 0x7fff langcode as macintosh per the specs - h264: reset next_output_pic earlier in start_frame() (Fixes: libav/672, debian/741240, ubuntu/1288206) From d4e85004ec6f6a1fd5c67862971601a4402f442b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Apr 2014 20:03:24 +0200 Subject: [PATCH 0844/1037] avformat/mp3enc: drop redundant and uninitialized variable Signed-off-by: Michael Niedermayer (cherry picked from commit eccec203978e53f897a3c6105d011bbdff2a978b) Signed-off-by: Michael Niedermayer --- libavformat/mp3enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c index 9491b646bc..eba70a1ab8 100644 --- a/libavformat/mp3enc.c +++ b/libavformat/mp3enc.c @@ -127,7 +127,7 @@ static int mp3_write_xing(AVFormatContext *s) int best_bitrate_error = INT_MAX; int xing_offset; int ver = 0; - int bytes_needed, lsf; + int bytes_needed; const char *vendor = (codec->flags & CODEC_FLAG_BITEXACT) ? "Lavf" : LIBAVFORMAT_IDENT; if (!s->pb->seekable) 
@@ -164,7 +164,7 @@ static int mp3_write_xing(AVFormatContext *s) header |= channels << 6; for (bitrate_idx = 1; bitrate_idx < 15; bitrate_idx++) { - int bit_rate = 1000 * avpriv_mpa_bitrate_tab[lsf][3 - 1][bitrate_idx]; + int bit_rate = 1000 * avpriv_mpa_bitrate_tab[ver != 3][3 - 1][bitrate_idx]; int error = FFABS(bit_rate - codec->bit_rate); if (error < best_bitrate_error) { From 8713b8e3fb76c64cdeedeb36caa7b4703824ba7e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Apr 2014 06:04:50 +0200 Subject: [PATCH 0845/1037] avformat/mux: Check for and remove invalid packet durations Fixes assertion failure Fixes Ticket3575 Signed-off-by: Michael Niedermayer (cherry picked from commit dc6a17cf74a90e41d70ea1753cdb70c0a5b2ced8) Signed-off-by: Michael Niedermayer --- libavformat/mux.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mux.c b/libavformat/mux.c index 649b4961d9..72ac40ddc8 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -410,6 +410,12 @@ static int compute_pkt_fields2(AVFormatContext *s, AVStream *st, AVPacket *pkt) av_dlog(s, "compute_pkt_fields2: pts:%s dts:%s cur_dts:%s b:%d size:%d st:%d\n", av_ts2str(pkt->pts), av_ts2str(pkt->dts), av_ts2str(st->cur_dts), delay, pkt->size, pkt->stream_index); + if (pkt->duration < 0 && st->codec->codec_type != AVMEDIA_TYPE_SUBTITLE) { + av_log(s, AV_LOG_WARNING, "Packet with invalid duration %d in stream %d\n", + pkt->duration, pkt->stream_index); + pkt->duration = 0; + } + /* duration field */ if (pkt->duration == 0) { ff_compute_frame_duration(&num, &den, st, NULL, pkt); From 3d5c38ca7d906521f2b23d8cc80414721dbf5242 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Apr 2014 21:47:48 +0200 Subject: [PATCH 0846/1037] avformat/h263dec: Fix h263 probe The code was missing 1 bit in the src format Signed-off-by: Michael Niedermayer (cherry picked from commit fc145e576a443bfc89efdf35b91fd3c9ca0d8388) 
Signed-off-by: Michael Niedermayer --- libavformat/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/h263dec.c b/libavformat/h263dec.c index 667fdbdcbb..30fd454c49 100644 --- a/libavformat/h263dec.c +++ b/libavformat/h263dec.c @@ -35,7 +35,7 @@ static int h263_probe(AVProbeData *p) for(i=0; ibuf_size; i++){ code = (code<<8) + p->buf[i]; if ((code & 0xfffffc0000) == 0x800000) { - src_fmt= (code>>2)&3; + src_fmt= (code>>2)&7; if( src_fmt != last_src_fmt && last_src_fmt>0 && last_src_fmt<6 && src_fmt<6) From e8411c3b6d92cc2a0e994e83032851221b4b3a3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Apr 2014 01:25:46 +0200 Subject: [PATCH 0847/1037] swresample: fix AV_CH_LAYOUT_STEREO_DOWNMIX input Fixes Ticket 3542 Signed-off-by: Michael Niedermayer (cherry picked from commit 291d464161a5bf3b566bc147f83e4242b0c18d74) Signed-off-by: Michael Niedermayer --- libswresample/rematrix.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 541f46a782..392eec838c 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -122,6 +122,11 @@ av_cold static int auto_matrix(SwrContext *s) ) out_ch_layout = AV_CH_LAYOUT_STEREO; + if( in_ch_layout == AV_CH_LAYOUT_STEREO_DOWNMIX + && (out_ch_layout & AV_CH_LAYOUT_STEREO_DOWNMIX) == 0 + ) + in_ch_layout = AV_CH_LAYOUT_STEREO; + if(!sane_layout(in_ch_layout)){ av_get_channel_layout_string(buf, sizeof(buf), -1, s->in_ch_layout); av_log(s, AV_LOG_ERROR, "Input channel layout '%s' is not supported\n", buf); From d2ceca6e8bf0f4fdacc70c99c8283cb6779556f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Apr 2014 03:45:12 +0200 Subject: [PATCH 0848/1037] ffmpeg_filter: fix pointer to local outside scope Fixes CID1206652 Signed-off-by: Michael Niedermayer (cherry picked from commit 09b16619d33ddf93005060d0782f28a1c1cbb7f6) 
Signed-off-by: Michael Niedermayer --- ffmpeg_filter.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/ffmpeg_filter.c b/ffmpeg_filter.c index 60309307c5..7672bc1f60 100644 --- a/ffmpeg_filter.c +++ b/ffmpeg_filter.c @@ -41,12 +41,15 @@ enum AVPixelFormat choose_pixel_fmt(AVStream *st, AVCodec *codec, enum AVPixelFo const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(target); int has_alpha = desc ? desc->nb_components % 2 == 0 : 0; enum AVPixelFormat best= AV_PIX_FMT_NONE; + const enum AVPixelFormat mjpeg_formats[] = { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE }; + const enum AVPixelFormat ljpeg_formats[] = { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P, + AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE }; + if (st->codec->strict_std_compliance <= FF_COMPLIANCE_UNOFFICIAL) { if (st->codec->codec_id == AV_CODEC_ID_MJPEG) { - p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUV422P, AV_PIX_FMT_NONE }; + p = mjpeg_formats; } else if (st->codec->codec_id == AV_CODEC_ID_LJPEG) { - p = (const enum AVPixelFormat[]) { AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_YUVJ444P, AV_PIX_FMT_YUV420P, - AV_PIX_FMT_YUV422P, AV_PIX_FMT_YUV444P, AV_PIX_FMT_BGRA, AV_PIX_FMT_NONE }; + p =ljpeg_formats; } } for (; *p != AV_PIX_FMT_NONE; p++) { From cb0d255e2fc548c8fbb50ba13fc1402a9f36783a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Apr 2014 05:32:56 +0200 Subject: [PATCH 0849/1037] avcodec/mjpegdec: Fix undefined shift Fixes CID1194388 Signed-off-by: Michael Niedermayer (cherry picked from commit b4329605289e25bb071ec1c1182bf25fc83b09aa) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index be85fc55a0..1608b4f9e2 100644 
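Review bot: `mjpeg_formats` and `ljpeg_formats` are plain `const` locals in choose_pixel_fmt, so both tables are rebuilt on the stack on every call and their lifetime still ends with the function. Declaring them `static const enum AVPixelFormat mjpeg_formats[] = { ... };`, and likewise `ljpeg_formats`, gives them static storage, which avoids the per-call initialisation and keeps `p` valid however the function is later restructured. `p =ljpeg_formats;` is also missing the space after `=` that the assignment above it has.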
--- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1140,7 +1140,7 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, } if (!Al) { - s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss); + s->coefs_finished[c] |= (2LL << se) - (1LL << ss); last_scan = !~s->coefs_finished[c]; } From 3af977d4d64409d4cd8a07c2d27ed880f61e0cd8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Apr 2014 04:01:50 +0200 Subject: [PATCH 0850/1037] avfilter/graphdump: Fix pointer to local outside scope Fixes CID1194435 Signed-off-by: Michael Niedermayer (cherry picked from commit 18af0ce62da322176f7bd283b85314d2f41bee2c) Signed-off-by: Michael Niedermayer --- libavfilter/graphdump.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/graphdump.c b/libavfilter/graphdump.c index 45f64c0146..478afc654a 100644 --- a/libavfilter/graphdump.c +++ b/libavfilter/graphdump.c @@ -31,9 +31,10 @@ static int print_link_prop(AVBPrint *buf, AVFilterLink *link) { char *format; char layout[64]; + AVBPrint dummy_buffer = { 0 }; if (!buf) - buf = &(AVBPrint){ 0 }; /* dummy buffer */ + buf = &dummy_buffer; switch (link->type) { case AVMEDIA_TYPE_VIDEO: format = av_x_if_null(av_get_pix_fmt_name(link->format), "?"); From 8e8dc210cd5a1c5754accfc665499316137a19fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Apr 2014 06:21:58 +0200 Subject: [PATCH 0851/1037] sws: dont use the optimized 410->420 unscaled conversion when height%4 Fixes Ticket3594 Signed-off-by: Michael Niedermayer (cherry picked from commit 421b21ca8a02a346ba03cea3bb2ecc33f791fc30) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 44a6902e24..deabce2f5f 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c 
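Review bot: `(2LL << se)` still overflows a signed 64-bit value when `se` is 63, because 2^64 is not representable in `long long`; for signed operands that is undefined behaviour, just like the shift count of 64 it replaces. Doing the arithmetic unsigned avoids it: `s->coefs_finished[c] |= (2ULL << se) - (1ULL << ss);`. The hunk does not show where `ss` and `se` are range-checked, so it is worth confirming that both are limited to 0..63 with `ss <= se` before this line is reached.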
@@ -943,7 +943,7 @@ void ff_get_unscaled_swscale(SwsContext *c) c->swScale = ff_yuv2rgb_get_func_ptr(c); } - if (srcFormat == AV_PIX_FMT_YUV410P && + if (srcFormat == AV_PIX_FMT_YUV410P && !(dstH & 3) && (dstFormat == AV_PIX_FMT_YUV420P || dstFormat == AV_PIX_FMT_YUVA420P) && !(flags & SWS_BITEXACT)) { c->swScale = yvu9ToYv12Wrapper; From 03bda44689914b68f0ebc6e39d6a30f5591b3781 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 May 2014 22:12:32 +0200 Subject: [PATCH 0852/1037] Update for 1.1.11 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 5ed5faa5f1..9ee1f786d5 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.10 +1.1.11 diff --git a/VERSION b/VERSION index 5ed5faa5f1..9ee1f786d5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.10 +1.1.11 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0b7b9580ce..8675bf675f 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.10 +PROJECT_NUMBER = 1.1.11 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 9455a023be9f3915ccf5511a0b8fdb5b8897b2b6 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 1 Jun 2014 12:40:20 +0200 Subject: [PATCH 0853/1037] matroskaenc: do not write negative timestamps Bug-Id: 597, 341 --- libavformat/matroskaenc.c | 13 +++++++++++- tests/ref/lavf/mkv | 2 +- tests/ref/seek/lavf-mkv | 44 +++++++++++++++++++-------------------- 3 files changed, 35 insertions(+), 24 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 77e11aafe9..653ba4241e 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c 
@@ -94,6 +94,8 @@ typedef struct MatroskaMuxContext { AVPacket cur_audio_pkt; int have_attachments; + + int64_t ts_offset; } MatroskaMuxContext; @@ -1203,9 +1205,18 @@ static int mkv_write_packet(AVFormatContext *s, AVPacket *pkt) AVIOContext *pb = s->pb->seekable ? s->pb : mkv->dyn_bc; AVCodecContext *codec = s->streams[pkt->stream_index]->codec; int ret, keyframe = !!(pkt->flags & AV_PKT_FLAG_KEY); - int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; + int64_t ts; int cluster_size = avio_tell(pb) - (s->pb->seekable ? mkv->cluster_pos : 0); + if (pkt->dts < 0 && !mkv->ts_offset) + mkv->ts_offset = -pkt->dts; + + pkt->dts += mkv->ts_offset; + if (pkt->pts != AV_NOPTS_VALUE) + pkt->pts += mkv->ts_offset; + + ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; + // start a new cluster every 5 MB or 5 sec, or 32k / 1 sec for streaming or // after 4k and on a keyframe if (mkv->cluster_pos && diff --git a/tests/ref/lavf/mkv b/tests/ref/lavf/mkv index 5ea3638b83..cb3bcc7134 100644 --- a/tests/ref/lavf/mkv +++ b/tests/ref/lavf/mkv @@ -1,3 +1,3 @@ -2c6fbc2c818c849e77702141294d775d *./tests/data/lavf/lavf.mkv +af61b3dcd6a9d2608c2368136c96b437 *./tests/data/lavf/lavf.mkv 320262 ./tests/data/lavf/lavf.mkv ./tests/data/lavf/lavf.mkv CRC=0xd86284dd diff --git a/tests/ref/seek/lavf-mkv b/tests/ref/seek/lavf-mkv index e51e9c9c3b..1324739033 100644 --- a/tests/ref/seek/lavf-mkv +++ b/tests/ref/seek/lavf-mkv 
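Review bot: The new offset code in mkv_write_packet treats `pkt->dts` as always valid. With `pkt->dts == AV_NOPTS_VALUE` the test `pkt->dts < 0` is true, `-pkt->dts` overflows int64_t, and `pkt->dts += mkv->ts_offset` turns the "no timestamp" marker into an ordinary value. The pts path already has the guard, and the dts path needs the same: `if (pkt->dts != AV_NOPTS_VALUE && pkt->dts < 0 && !mkv->ts_offset)` and `if (pkt->dts != AV_NOPTS_VALUE) pkt->dts += mkv->ts_offset;`. The offset is also fixed by the first negative dts seen, so a later packet with a more negative dts would still be written negative; whether interleaving rules that out is not visible in the hunk.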
@@ -1,53 +1,53 @@ -ret: 0 st: 1 flags:1 dts:-0.011000 pts:-0.011000 pos: 512 size: 208 +ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 512 size: 208 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 512 size: 208 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 728 size: 27837 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 292150 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292150 size: 27834 ret: 0 st: 0 flags:0 ts: 0.788000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 292150 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292150 size: 27834 ret: 0 st: 0 flags:1 ts:-0.317000 -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 512 size: 208 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 728 size: 27837 ret: 0 st: 1 flags:0 ts: 2.577000 ret:-EOF ret: 0 st: 1 flags:1 ts: 1.471000 -ret: 0 st: 1 flags:1 dts: 0.982000 pts: 0.982000 pos: 319991 size: 209 +ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 319991 size: 209 ret: 0 st:-1 flags:0 ts: 0.365002 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 146703 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146703 size: 27925 ret: 0 st:-1 flags:1 ts:-0.740831 -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 512 size: 208 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 728 size: 27837 ret: 0 st: 0 flags:0 ts: 2.153000 ret:-EOF ret: 0 st: 0 flags:1 ts: 1.048000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 292150 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292150 size: 27834 ret: 0 st: 1 flags:0 ts:-0.058000 -ret: 0 st: 1 flags:1 dts: 0.015000 pts: 0.015000 pos: 512 size: 208 +ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 512 size: 208 ret: 0 st: 1 flags:1 ts: 2.836000 -ret: 0 st: 1 flags:1 dts: 0.982000 pts: 0.982000 pos: 319991 size: 209 +ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 
pos: 319991 size: 209 ret: 0 st:-1 flags:0 ts: 1.730004 ret:-EOF ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 146703 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146703 size: 27925 ret: 0 st: 0 flags:0 ts:-0.482000 -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 512 size: 208 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 728 size: 27837 ret: 0 st: 0 flags:1 ts: 2.413000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 292150 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292150 size: 27834 ret: 0 st: 1 flags:0 ts: 1.307000 ret:-EOF ret: 0 st: 1 flags:1 ts: 0.201000 -ret: 0 st: 1 flags:1 dts: 0.015000 pts: 0.015000 pos: 512 size: 208 +ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 512 size: 208 ret: 0 st:-1 flags:0 ts:-0.904994 -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 512 size: 208 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 728 size: 27837 ret: 0 st:-1 flags:1 ts: 1.989173 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 292150 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292150 size: 27834 ret: 0 st: 0 flags:0 ts: 0.883000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 292150 size: 27834 +ret: 0 st: 0 flags:1 dts: 0.971000 pts: 0.971000 pos: 292150 size: 27834 ret: 0 st: 0 flags:1 ts:-0.222000 -ret: 0 st: 1 flags:1 dts: 0.000000 pts: 0.000000 pos: 512 size: 208 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 728 size: 27837 ret: 0 st: 1 flags:0 ts: 2.672000 ret:-EOF ret: 0 st: 1 flags:1 ts: 1.566000 -ret: 0 st: 1 flags:1 dts: 0.982000 pts: 0.982000 pos: 319991 size: 209 +ret: 0 st: 1 flags:1 dts: 0.993000 pts: 0.993000 pos: 319991 size: 209 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 146703 size: 27925 +ret: 0 st: 0 flags:1 dts: 0.491000 pts: 0.491000 pos: 146703 size: 27925 ret: 0 st:-1 flags:1 ts:-0.645825 -ret: 0 st: 1 flags:1 dts: 
0.000000 pts: 0.000000 pos: 512 size: 208 +ret: 0 st: 0 flags:1 dts: 0.011000 pts: 0.011000 pos: 728 size: 27837 From e0fcad77618a0455ca9c2451ea0aa538597a08c0 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 10 Jun 2014 17:41:57 +0200 Subject: [PATCH 0854/1037] avconv: make -shortest work with streamcopy CC: libav-stable@libav.org (cherry picked from commit 48e50921337984ba4ec2c1cafe45d43787f84498) Signed-off-by: Anton Khirnov --- avconv.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/avconv.c b/avconv.c index 6544fc6fb7..ad64c520d7 100644 --- a/avconv.c +++ b/avconv.c @@ -720,6 +720,19 @@ static int poll_filter(OutputStream *ost) return 0; } +static void finish_output_stream(OutputStream *ost) +{ + OutputFile *of = output_files[ost->file_index]; + int i; + + ost->finished = 1; + + if (of->shortest) { + for (i = 0; i < of->ctx->nb_streams; i++) + output_streams[of->ost_index + i]->finished = 1; + } +} + /* * Read as many frames from possible from lavfi and encode them. * @@ -730,7 +743,7 @@ static int poll_filter(OutputStream *ost) */ static int poll_filters(void) { - int i, j, ret = 0; + int i, ret = 0; while (ret >= 0 && !received_sigterm) { OutputStream *ost = NULL; @@ -757,15 +770,7 @@ static int poll_filters(void) ret = poll_filter(ost); if (ret == AVERROR_EOF) { - OutputFile *of = output_files[ost->file_index]; - - ost->finished = 1; - - if (of->shortest) { - for (j = 0; j < of->ctx->nb_streams; j++) - output_streams[of->ost_index + j]->finished = 1; - } - + finish_output_stream(ost); ret = 0; } else if (ret == AVERROR(EAGAIN)) return 0; @@ -2127,7 +2132,7 @@ static int process_input(void) if (ost->source_index == ifile->ist_index + i && (ost->stream_copy || ost->enc->type == AVMEDIA_TYPE_SUBTITLE)) - ost->finished= 1; + finish_output_stream(ost); } } From ba8ab4e7ae016cf970b0f335a7933f2db53784bc Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Wed, 24 Apr 2013 08:34:44 +0200 Subject: [PATCH 0855/1037] avconv: do not send non-monotonous DTS to the muxers. Hack partially based on a commit by Michael Niedermayer Should fix (or work around) bug 458. (cherry picked from commit 76d23f40314fc1dcd74a3d470b17782cc0ee5a3a) Signed-off-by: Anton Khirnov --- avconv.c | 19 +++++++++++++++++++ avconv.h | 2 ++ avconv_opt.c | 1 + 3 files changed, 22 insertions(+) diff --git a/avconv.c b/avconv.c index ad64c520d7..bd2ea69b60 100644 --- a/avconv.c +++ b/avconv.c @@ -346,6 +346,25 @@ static void write_frame(AVFormatContext *s, AVPacket *pkt, OutputStream *ost) bsfc = bsfc->next; } + if (!(s->oformat->flags & AVFMT_NOTIMESTAMPS) && + ost->last_mux_dts != AV_NOPTS_VALUE && + pkt->dts < ost->last_mux_dts + !(s->oformat->flags & AVFMT_TS_NONSTRICT)) { + av_log(NULL, AV_LOG_WARNING, "Non-monotonous DTS in output stream " + "%d:%d; previous: %"PRId64", current: %"PRId64"; ", + ost->file_index, ost->st->index, ost->last_mux_dts, pkt->dts); + if (exit_on_error) { + av_log(NULL, AV_LOG_FATAL, "aborting.\n"); + exit(1); + } + av_log(NULL, AV_LOG_WARNING, "changing to %"PRId64". This may result " + "in incorrect timestamps in the output file.\n", + ost->last_mux_dts + 1); + pkt->dts = ost->last_mux_dts + 1; + if (pkt->pts != AV_NOPTS_VALUE) + pkt->pts = FFMAX(pkt->pts, pkt->dts); + } + ost->last_mux_dts = pkt->dts; + pkt->stream_index = ost->index; ret = av_interleaved_write_frame(s, pkt); if (ret < 0) { diff --git a/avconv.h b/avconv.h index defdf59c4a..0bf7998ca2 100644 --- a/avconv.h +++ b/avconv.h @@ -267,6 +267,8 @@ typedef struct OutputStream { /* pts of the first frame encoded for this stream, used for limiting * recording time */ int64_t first_pts; + /* dts of the last packet sent to the muxer */ + int64_t last_mux_dts; AVBitStreamFilterContext *bitstream_filters; AVCodec *enc; int64_t max_frames; diff --git a/avconv_opt.c b/avconv_opt.c index e67abefd77..d6a6f8f278 100644 --- a/avconv_opt.c 
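Review bot: The monotonicity check added to write_frame tests `ost->last_mux_dts != AV_NOPTS_VALUE` but never `pkt->dts`. A packet arriving with `pkt->dts == AV_NOPTS_VALUE` after a valid one is therefore reported as non-monotonous and given an invented dts of `last_mux_dts + 1`, or ends the run when `exit_on_error` is set. Adding `pkt->dts != AV_NOPTS_VALUE &&` to the condition leaves such packets for the muxer to handle. The trailing `ost->last_mux_dts = pkt->dts;` would then also need that guard so a missing dts does not reset the tracking.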
+++ b/avconv_opt.c @@ -845,6 +845,7 @@ static OutputStream *new_output_stream(OptionsContext *o, AVFormatContext *oc, e av_opt_get_int(o->g->sws_opts, "sws_flags", 0, &ost->sws_flags); ost->pix_fmts[0] = ost->pix_fmts[1] = AV_PIX_FMT_NONE; + ost->last_mux_dts = AV_NOPTS_VALUE; return ost; } From 4310ba273d3bcb7f19a4e40b55b9e832568e56e5 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 2 Jun 2014 17:42:17 -0400 Subject: [PATCH 0856/1037] sgidec: fix an incorrect backport Bug-Id: 691 Signed-off-by: Anton Khirnov --- libavcodec/sgidec.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index 94de9fdcd1..4799e831e3 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -247,6 +247,8 @@ static int decode_frame(AVCodecContext *avctx, static av_cold int sgi_init(AVCodecContext *avctx){ SgiState *s = avctx->priv_data; + s->avctx = avctx; + avcodec_get_frame_defaults(&s->picture); avctx->coded_frame = &s->picture; @@ -263,15 +265,6 @@ static av_cold int sgi_end(AVCodecContext *avctx) return 0; } -static av_cold int sgi_decode_init(AVCodecContext *avctx) -{ - SgiState *s = avctx->priv_data; - - s->avctx = avctx; - - return 0; -} - AVCodec ff_sgi_decoder = { .name = "sgi", .type = AVMEDIA_TYPE_VIDEO, @@ -280,7 +273,6 @@ AVCodec ff_sgi_decoder = { .init = sgi_init, .close = sgi_end, .decode = decode_frame, - .init = sgi_decode_init, .long_name = NULL_IF_CONFIG_SMALL("SGI image"), .capabilities = CODEC_CAP_DR1, }; From 1f2f6b247aaf780e0a4e780935ead0fb12cd2981 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Jun 2014 03:15:28 +0200 Subject: [PATCH 0857/1037] avutil/lzo: Fix integer overflow Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list) Fixes: LMS-2014-06-16-4 Found-by: "Don A. Bailey" See: ccda51b14c0fcae2fad73a24872dce75a7964996 
Signed-off-by: Michael Niedermayer (cherry picked from commit d6af26c55c1ea30f85a7d9edbc373f53be1743ee) Signed-off-by: Michael Niedermayer --- libavutil/lzo.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index 221a66b9ab..82dba94771 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -65,8 +65,13 @@ static inline int get_len(LZOContext *c, int x, int mask) { int cnt = x & mask; if (!cnt) { - while (!(x = get_byte(c))) + while (!(x = get_byte(c))) { + if (cnt >= INT_MAX - 1000) { + c->error |= AV_LZO_ERROR; + break; + } cnt += 255; + } cnt += mask + x; } return cnt; From 574bf2ce4ccd4f1a9ca054d5d6a6affe6c507387 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Jun 2014 14:45:47 +0200 Subject: [PATCH 0858/1037] avutil/lzo: add asserts to be double sure against overflows These asserts cannot fail since d6af26c55c1ea30f85a7d9edbc373f53be1743ee Based-on: ccda51b14c0fcae2fad73a24872dce75a7964996 Signed-off-by: Michael Niedermayer (cherry picked from commit cf2b7c01f81c1fb3283a1390c0ca9a2f81f4f4a8) Signed-off-by: Michael Niedermayer --- libavutil/lzo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index 82dba94771..6104fc3085 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -22,6 +22,7 @@ #include #include "avutil.h" +#include "avassert.h" #include "common.h" #include "intreadwrite.h" #include "lzo.h" @@ -85,6 +86,7 @@ static inline void copy(LZOContext *c, int cnt) { register const uint8_t *src = c->in; register uint8_t *dst = c->out; + av_assert0(cnt >= 0); if (cnt > c->in_end - src) { cnt = FFMAX(c->in_end - src, 0); c->error |= AV_LZO_INPUT_DEPLETED; @@ -116,6 +118,7 @@ static inline void copy(LZOContext *c, int cnt) static inline void copy_backptr(LZOContext *c, int back, int cnt) { register uint8_t *dst = c->out; + av_assert0(cnt > 0); if (dst - c->out_start < back) { c->error |= AV_LZO_INVALID_BACKPTR; return; 
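Review bot: When the new guard in get_len() fires, the loop breaks but execution still reaches `cnt += mask + x`, so the function returns a length close to INT_MAX. Safety then rests on every caller testing `c->error` before using or adding to the result, and those callers are outside the hunk. The `1000` margin is a magic number; a comment such as `/* headroom for mask + x and for the small constants callers add to the length */` would record the reasoning, if that is its purpose. Returning a small value straight after setting AV_LZO_ERROR would make the function safe on its own.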
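Review bot: `av_assert0(cnt >= 0)` in copy() and `av_assert0(cnt > 0)` in copy_backptr() abort the whole process if they ever trigger, which in a decompressor that handles untrusted data turns a bad length into a crash of the host application. The commit message says they cannot fail after the get_len() change, so recording the error instead costs nothing and fails more gently: `if (cnt < 0) { c->error |= AV_LZO_ERROR; return; }` in copy(), and the same with `cnt <= 0` in copy_backptr(). Both functions continue past the end of their hunks.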
From 503322f97c5a25a020933ed4ab510697d5f5b4af Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 19 Jun 2014 23:26:58 +0200 Subject: [PATCH 0859/1037] lzo: Handle integer overflow get_len can overflow for specially crafted payload. Reported-By: Don A. Baley CC: libav-stable@libav.org (cherry picked from commit ccda51b14c0fcae2fad73a24872dce75a7964996) Signed-off-by: Luca Barbato --- libavutil/lzo.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index 5c5ebc850a..e458165261 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -80,6 +80,10 @@ static inline void copy(LZOContext *c, int cnt) { register const uint8_t *src = c->in; register uint8_t *dst = c->out; + if (cnt < 0) { + c->error |= AV_LZO_ERROR; + return; + } if (cnt > c->in_end - src) { cnt = FFMAX(c->in_end - src, 0); c->error |= AV_LZO_INPUT_DEPLETED; @@ -103,7 +107,7 @@ static inline void copy(LZOContext *c, int cnt) /** * @brief Copies previously decoded bytes to current position. * @param back how many bytes back we start - * @param cnt number of bytes to copy, must be >= 0 + * @param cnt number of bytes to copy, must be > 0 * * cnt > back is valid, this will copy the bytes we just copied, * thus creating a repeating pattern with a period length of back. @@ -111,6 +115,10 @@ static inline void copy(LZOContext *c, int cnt) static inline void copy_backptr(LZOContext *c, int back, int cnt) { register uint8_t *dst = c->out; + if (cnt <= 0) { + c->error |= AV_LZO_ERROR; + return; + } if (dst - c->out_start < back) { c->error |= AV_LZO_INVALID_BACKPTR; return; From 4533e8b30a384e8b9bff9d228a028c1f58b4c6aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 May 2014 06:19:23 +0200 Subject: [PATCH 0860/1037] avcodec/diracdec: move mc buffer allocation to per frame Fixes out of array accesses for non default buffers with large strides 
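Review bot: The checks added to copy() and copy_backptr() look for a negative or zero `cnt` only after the arithmetic that produced it, while the commit description places the overflow in get_len(), which these hunks leave unchanged. Signed int overflow is undefined behaviour in C, so the compiler is not obliged to produce a negative value for `cnt < 0` to catch. The dependable place for the bound is the accumulation itself, before `cnt` can grow past the range, with these two checks kept as a second line of defence. Both function bodies extend beyond the hunks.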
Signed-off-by: Michael Niedermayer (cherry picked from commit 4a30f08505a4e85718896ff233c97be41a9754ca) (cherry picked from commit 9c9fc79d9237d28e33161cb2e75082d8ad232b2e) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 47 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 2f1a4a58dd..fa342cc7e1 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -200,6 +200,7 @@ typedef struct DiracContext { uint16_t *mctmp; /* buffer holding the MC data multipled by OBMC weights */ uint8_t *mcscratch; + int buffer_stride; DECLARE_ALIGNED(16, uint8_t, obmc_weight)[3][MAX_BLOCKSIZE*MAX_BLOCKSIZE]; 
@@ -342,22 +343,44 @@ static int alloc_sequence_buffers(DiracContext *s) return AVERROR(ENOMEM); } - w = s->source.width; - h = s->source.height; - /* fixme: allocate using real stride here */ - s->sbsplit = av_malloc(sbwidth * sbheight); - s->blmotion = av_malloc(sbwidth * sbheight * 16 * sizeof(*s->blmotion)); - s->edge_emu_buffer_base = av_malloc((w+64)*MAX_BLOCKSIZE); + s->sbsplit = av_malloc_array(sbwidth, sbheight); + s->blmotion = av_malloc_array(sbwidth, sbheight * 16 * sizeof(*s->blmotion)); - s->mctmp = av_malloc((w+64+MAX_BLOCKSIZE) * (h+MAX_BLOCKSIZE) * sizeof(*s->mctmp)); - s->mcscratch = av_malloc((w+64)*MAX_BLOCKSIZE); - - if (!s->sbsplit || !s->blmotion || !s->mctmp || !s->mcscratch) + if (!s->sbsplit || !s->blmotion) return AVERROR(ENOMEM); return 0; } +static int alloc_buffers(DiracContext *s, int stride) +{ + int w = s->source.width; + int h = s->source.height; + + av_assert0(stride >= w); + stride += 64; + + if (s->buffer_stride >= stride) + return 0; + s->buffer_stride = 0; + + av_freep(&s->edge_emu_buffer_base); + memset(s->edge_emu_buffer, 0, sizeof(s->edge_emu_buffer)); + av_freep(&s->mctmp); + av_freep(&s->mcscratch); + + s->edge_emu_buffer_base = av_malloc_array(stride, MAX_BLOCKSIZE); + + s->mctmp = av_malloc_array((stride+MAX_BLOCKSIZE), (h+MAX_BLOCKSIZE) * sizeof(*s->mctmp)); + s->mcscratch = av_malloc_array(stride, MAX_BLOCKSIZE); + + if (!s->edge_emu_buffer_base || !s->mctmp || !s->mcscratch) + return AVERROR(ENOMEM); + + s->buffer_stride = stride; + return 0; +} + static void free_sequence_buffers(DiracContext *s) { int i, j, k; @@ -381,6 +404,7 @@ static void free_sequence_buffers(DiracContext *s) av_freep(&s->plane[i].idwt_tmp); } + s->buffer_stride = 0; av_freep(&s->sbsplit); av_freep(&s->blmotion); av_freep(&s->edge_emu_buffer_base); 
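Review bot: av_malloc_array() only overflow-checks the product of its two arguments, and in the new calls the second argument is itself a product that is evaluated first. `sbheight * 16 * sizeof(*s->blmotion)` multiplies `sbheight * 16` in int before the conversion to size_t, and `(h+MAX_BLOCKSIZE) * sizeof(*s->mctmp)` in alloc_buffers() is an unchecked size_t product. Whether the picture dimensions are bounded tightly enough elsewhere is not visible in this hunk. At minimum widen before multiplying, `(size_t)sbheight * 16 * sizeof(*s->blmotion)`, and add a comment naming the dimension limit that keeps both inner products in range.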
@@ -1817,6 +1841,9 @@ static int dirac_decode_data_unit(AVCodecContext *avctx, const uint8_t *buf, int s->plane[1].stride = pic->avframe.linesize[1]; s->plane[2].stride = pic->avframe.linesize[2]; + if (alloc_buffers(s, FFMAX3(FFABS(s->plane[0].stride), FFABS(s->plane[1].stride), FFABS(s->plane[2].stride))) < 0) + return AVERROR(ENOMEM); + /* [DIRAC_STD] 11.1 Picture parse. picture_parse() */ if (dirac_decode_picture_header(s)) return -1; From e68114868ffdca34694345599db2c452d7f54a94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 May 2014 05:23:52 +0200 Subject: [PATCH 0861/1037] avutil/cpu: force mmx on selection of higher x86 SIMD features Fixes various runtime failures with manually set flags that represent no existing CPU Fixes Ticket3653 Signed-off-by: Michael Niedermayer (cherry picked from commit 6310eb8010b7a3b3016e297132380cbd4e3d2d10) Signed-off-by: Michael Niedermayer --- libavutil/cpu.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/libavutil/cpu.c b/libavutil/cpu.c index a1d1547033..85bc2d6499 100644 --- a/libavutil/cpu.c +++ b/libavutil/cpu.c @@ -23,6 +23,24 @@ static int flags, checked; void av_force_cpu_flags(int arg){ + if ( (arg & ( AV_CPU_FLAG_3DNOW | + AV_CPU_FLAG_3DNOWEXT | + AV_CPU_FLAG_SSE | + AV_CPU_FLAG_SSE2 | + AV_CPU_FLAG_SSE2SLOW | + AV_CPU_FLAG_SSE3 | + AV_CPU_FLAG_SSE3SLOW | + AV_CPU_FLAG_SSSE3 | + AV_CPU_FLAG_SSE4 | + AV_CPU_FLAG_SSE42 | + AV_CPU_FLAG_AVX | + AV_CPU_FLAG_XOP | + AV_CPU_FLAG_FMA4 )) + && !(arg & AV_CPU_FLAG_MMX)) { + av_log(NULL, AV_LOG_WARNING, "MMX implied by specified flags\n"); + arg |= AV_CPU_FLAG_MMX; + } + flags = arg; checked = arg != -1; } From bd2266975cbdb16b47da5740dbfeda86c0c2d42e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 May 2014 03:02:06 +0200 Subject: [PATCH 0862/1037] avcodec/libvorbisenc: dont add the duration to AV_NOPTS_VALUE Signed-off-by: Michael Niedermayer (cherry picked from commit 19e66c7232d96e4ae8f05b52da2b84dfaa4e4da3) 
Signed-off-by: Michael Niedermayer --- libavcodec/libvorbisenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/libvorbisenc.c b/libavcodec/libvorbisenc.c index 188c8cc9c5..5424f8bf45 100644 --- a/libavcodec/libvorbisenc.c +++ b/libavcodec/libvorbisenc.c @@ -362,7 +362,8 @@ static int oggvorbis_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, avctx->delay = duration; av_assert0(!s->afq.remaining_delay); s->afq.frames->duration += duration; - s->afq.frames->pts -= duration; + if (s->afq.frames->pts != AV_NOPTS_VALUE) + s->afq.frames->pts -= duration; s->afq.remaining_samples += duration; } ff_af_queue_remove(&s->afq, duration, &avpkt->pts, &avpkt->duration); From 80588930fffbc6f26cbd8c534e63b507b6f2075c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Jun 2014 12:03:31 +0200 Subject: [PATCH 0863/1037] avformat/flvenc: Do not allow creating h263/mpeg4 in flv without unofficial format extensions being enabled. Found-by: Jean-Baptiste Kempf Signed-off-by: Michael Niedermayer (cherry picked from commit 74760883fcb4443d105814ed246b3cf51d7e9dca) Signed-off-by: Michael Niedermayer --- libavformat/flvenc.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index e1dd43f716..c5ed800ac8 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -218,6 +218,18 @@ static int flv_write_header(AVFormatContext *s) avcodec_get_name(enc->codec_id), i); return AVERROR(EINVAL); } + if (enc->codec_id == AV_CODEC_ID_MPEG4 || + enc->codec_id == AV_CODEC_ID_H263) { + int error = enc->strict_std_compliance > FF_COMPLIANCE_UNOFFICIAL; + av_log(s, error ? AV_LOG_ERROR : AV_LOG_WARNING, + "Codec %s is not supported in the official FLV specification,\n", avcodec_get_name(enc->codec_id)); + + if (error) { + av_log(s, AV_LOG_ERROR, + "use vstrict=-1 / -strict -1 to use it anyway.\n"); + return AVERROR(EINVAL); + } + } break; case AVMEDIA_TYPE_AUDIO: audio_enc = enc; 
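Review bot: The first av_log() call in the new MPEG-4/H.263 branch of flv_write_header() ends its text with `,\n`, which only reads as a sentence when the second, error-only message follows; in the warning case the log line stops at a dangling comma. Ending the shared text with a full stop and starting the error-only text with a capital letter makes each message stand alone. The local `error` holds a boolean, not an error code, so a name like `is_error` avoids confusion with the AVERROR value returned a few lines below. flv_write_header() extends beyond the hunk.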
From 71a4a9183f3e4faaaf83281c4b4e515faa82a77b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jun 2014 14:30:30 +0200 Subject: [PATCH 0864/1037] avcodec/alsdec: Clear MPEG4AudioConfig so that no use of uninitialized memory is possible Signed-off-by: Michael Niedermayer (cherry picked from commit 6e6bd5481cf42a9765c492c77754d4633092cece) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 9f05f52798..90acf2c8c1 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -285,7 +285,7 @@ static av_cold int read_specific_config(ALSDecContext *ctx) GetBitContext gb; uint64_t ht_size; int i, config_offset; - MPEG4AudioConfig m4ac; + MPEG4AudioConfig m4ac = {0}; ALSSpecificConfig *sconf = &ctx->sconf; AVCodecContext *avctx = ctx->avctx; uint32_t als_id, header_size, trailer_size; From f0d56d4f5542ebf48b699bbb80838a952628c831 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Jun 2014 00:49:02 +0200 Subject: [PATCH 0865/1037] avformat/mpc: attempt to allocate a packet that is not smaller than the data inside it Signed-off-by: Michael Niedermayer (cherry picked from commit 86a9370e2b91d67375e66a06d6eb573b5a017775) Signed-off-by: Michael Niedermayer --- libavformat/mpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc.c b/libavformat/mpc.c index b0f6f533e1..a46919ba36 100644 --- a/libavformat/mpc.c +++ b/libavformat/mpc.c @@ -153,7 +153,7 @@ static int mpc_read_packet(AVFormatContext *s, AVPacket *pkt) } c->curbits = (curbits + size2) & 0x1F; - if ((ret = av_new_packet(pkt, size)) < 0) + if ((ret = av_new_packet(pkt, size + 4)) < 0) return ret; pkt->data[0] = curbits; From 4dfd4399eaca17360fbe302153ee6f0ad86603e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Jun 2014 00:13:49 +0200 Subject: [PATCH 0866/1037] Update for FFmpeg 1.1.12 
Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 9ee1f786d5..ccad953ac5 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.11 +1.1.12 diff --git a/VERSION b/VERSION index 9ee1f786d5..ccad953ac5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.11 +1.1.12 diff --git a/doc/Doxyfile b/doc/Doxyfile index 8675bf675f..8731640cd6 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.11 +PROJECT_NUMBER = 1.1.12 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 7997acee0542f6e0bb9ea42ff783f80b70878a2f Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sun, 22 Jun 2014 13:11:32 -0400 Subject: [PATCH 0867/1037] Check if an mp3 header is using a reserved sample rate. Fixes an invalid read past the end of avpriv_mpa_freq_tab. Fixes divide-by-zero due to sample_rate being set to 0. Bug-Id: 705 CC:libav-stable@libav.org Conflicts: libavcodec/mpegaudiodecheader.c --- libavcodec/mpegaudiodecheader.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mpegaudiodecheader.c b/libavcodec/mpegaudiodecheader.c index f8fc833124..e789d467b0 100644 --- a/libavcodec/mpegaudiodecheader.c +++ b/libavcodec/mpegaudiodecheader.c @@ -25,6 +25,8 @@ */ //#define DEBUG +#include "libavutil/common.h" + #include "avcodec.h" #include "mpegaudio.h" #include "mpegaudiodata.h" 
@@ -46,6 +48,8 @@ int avpriv_mpegaudio_decode_header(MPADecodeHeader *s, uint32_t header) s->layer = 4 - ((header >> 17) & 3); /* extract frequency */ sample_rate_index = (header >> 10) & 3; + if (sample_rate_index >= FF_ARRAY_ELEMS(avpriv_mpa_freq_tab)) + sample_rate_index = 0; sample_rate = avpriv_mpa_freq_tab[sample_rate_index] >> (s->lsf + mpeg25); sample_rate_index += 3 * (s->lsf + mpeg25); s->sample_rate_index = sample_rate_index; From d7dbc687e312a91ef2ccf797d57b95c61d0e8a2f Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sun, 22 Jun 2014 13:19:36 -0400 Subject: [PATCH 0868/1037] Check mp3 header before calling avpriv_mpegaudio_decode_header(). As indicated in the function documentation, the header MUST be checked prior to calling it because no consistency check is done there. CC:libav-stable@libav.org (cherry picked from commit f2f2e7627f0c878d13275af5d166ec5932665e28) Signed-off-by: Luca Barbato --- libavcodec/libmp3lame.c | 8 +++++++- libavformat/mp3enc.c | 15 +++++++++------ 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c index 2e501cac0b..5f6704de2b 100644 --- a/libavcodec/libmp3lame.c +++ b/libavcodec/libmp3lame.c @@ -190,6 +190,7 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, MPADecodeHeader hdr; int len, ret, ch; int lame_result; + uint32_t h; if (frame) { switch (avctx->sample_fmt) { @@ -245,7 +246,12 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, determine the frame size. */ if (s->buffer_index < 4) return 0; - if (avpriv_mpegaudio_decode_header(&hdr, AV_RB32(s->buffer))) { + h = AV_RB32(s->buffer); + if (ff_mpa_check_header(h) < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid mp3 header at start of buffer\n"); + return AVERROR_BUG; + } + if (avpriv_mpegaudio_decode_header(&hdr, h)) { av_log(avctx, AV_LOG_ERROR, "free format output not supported\n"); return -1; } 
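Review bot: The added bounds check in avpriv_mpegaudio_decode_header() rewrites a reserved `sample_rate_index` to 0 and carries on, so the function fills in a sample rate from the first table entry for a header that is in fact invalid, and the caller gets no indication of that. This does remove the out-of-bounds table read, but the choice deserves a comment, for example `/* reserved index: callers are expected to reject such headers beforehand; use entry 0 only to stay in bounds */`. The function body continues outside the hunk, so whether a failure return is available at this point cannot be judged from here.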
diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c index e37abf5530..631705c0a5 100644 --- a/libavformat/mp3enc.c +++ b/libavformat/mp3enc.c @@ -251,13 +251,16 @@ static int mp3_write_audio_packet(AVFormatContext *s, AVPacket *pkt) if (mp3->xing_offset && pkt->size >= 4) { MPADecodeHeader c; + uint32_t h; - avpriv_mpegaudio_decode_header(&c, AV_RB32(pkt->data)); - - if (!mp3->initial_bitrate) - mp3->initial_bitrate = c.bit_rate; - if ((c.bit_rate == 0) || (mp3->initial_bitrate != c.bit_rate)) - mp3->has_variable_bitrate = 1; + h = AV_RB32(pkt->data); + if (ff_mpa_check_header(h) == 0) { + avpriv_mpegaudio_decode_header(&c, h); + if (!mp3->initial_bitrate) + mp3->initial_bitrate = c.bit_rate; + if ((c.bit_rate == 0) || (mp3->initial_bitrate != c.bit_rate)) + mp3->has_variable_bitrate = 1; + } mp3_xing_add_frame(mp3, pkt); } From 744e7eea5d815efea777b6179d96e8d94b63ccfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 5 Jun 2014 11:48:53 +0300 Subject: [PATCH 0869/1037] adpcm: Avoid reading out of bounds in the IMA QT trellis encoder MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was broken in 095be4fb - samples+ch (for the previous non-planar case) equals &samples_p[ch][0]. The confusion probably stemmed from the IMA WAV case where it originally was &samples[avctx->channels + ch], which was correctly changed into &samples_p[ch][1]. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 3d79d0c93e5b37a35b1b22d6c18699c233aad1ba) Signed-off-by: Luca Barbato --- libavcodec/adpcmenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcmenc.c b/libavcodec/adpcmenc.c index f81d7fde83..116458bdd8 100644 --- a/libavcodec/adpcmenc.c +++ b/libavcodec/adpcmenc.c 
@@ -557,7 +557,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, put_bits(&pb, 7, status->step_index); if (avctx->trellis > 0) { uint8_t buf[64]; - adpcm_compress_trellis(avctx, &samples_p[ch][1], buf, status, + adpcm_compress_trellis(avctx, &samples_p[ch][0], buf, status, 64, 1); for (i = 0; i < 64; i++) put_bits(&pb, 4, buf[i ^ 1]); From 21d3e0ac9e1719d8444b3f5466983587ac0ad240 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 5 Jun 2014 14:49:14 +0300 Subject: [PATCH 0870/1037] adpcm: Write the proper predictor in trellis mode in IMA QT MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The actual predictor value, set by the trellis code, never was written back into the variable that was written into the block header. This was accidentally removed in b304244b. This significantly improves the audio quality of the trellis case, which was plain broken since b304244b. Encoding IMA QT with trellis still actually gives a slightly worse quality than without trellis, since the trellis encoder doesn't use the exact same way of rounding as in adpcm_ima_qt_compress_sample and adpcm_ima_qt_expand_nibble. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 0776e0ef6ba4160281ef3fabea43e670f3792b4a) Signed-off-by: Luca Barbato --- libavcodec/adpcmenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/adpcmenc.c b/libavcodec/adpcmenc.c index 116458bdd8..aa883959ae 100644 --- a/libavcodec/adpcmenc.c +++ b/libavcodec/adpcmenc.c @@ -561,6 +561,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, 64, 1); for (i = 0; i < 64; i++) put_bits(&pb, 4, buf[i ^ 1]); + status->prev_sample = status->predictor; } else { for (i = 0; i < 64; i += 2) { int t1, t2; From 5e8eaa26b227255505f52b4d980c7a3c2f52b1fd Mon Sep 17 00:00:00 2001 
From: Reinhard Tartler Date: Thu, 26 Jun 2014 21:23:39 -0400 Subject: [PATCH 0871/1037] Prepare for 9.14 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 2645a7f91a..3f678b45c6 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.13 +9.14 From 3ecbd911ff9177097820e5d00401c9bf29e5d167 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 26 Jun 2014 21:27:56 -0400 Subject: [PATCH 0872/1037] Update Changelog for v9.14 --- Changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Changelog b/Changelog index 8a74804bb1..b23f5ef768 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,13 @@ Releases are sorted from youngest to oldest. +version 9.14: +- adpcm: Write the proper predictor in trellis mode in IMA QT +- adpcm: Avoid reading out of bounds in the IMA QT trellis encoder +- Check mp3 header before calling avpriv_mpegaudio_decode_header() (bug/705) +- Check if an mp3 header is using a reserved sample rate +- lzo: Handle integer overflow (bug/704) +- avconv: make -shortest work with streamcopy + Version 9.13: - swscale: Fix an undefined behaviour - matroska: add the Opus mapping From e8ff7972064631afbdf240ec6bfd9dec30cf2ce8 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 20 Jul 2014 12:06:47 +0000 Subject: [PATCH 0873/1037] eamad: use the bytestream2 API instead of AV_RL This is safer and possibly fixes invalid reads on truncated data. (cherry-picked from commit 541427ab4d5b4b6f5a90a687a06decdb78e7bc3c) CC:libav-stable@libav.org Conflicts: libavcodec/eamad.c (cherry picked from commit f9204ec56a4cf73843d1e5b8563d3584c2c05b47) Signed-off-by: Diego Biurrun --- libavcodec/eamad.c | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index bb4c7babde..405cc2a6ac 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c 
@@ -29,6 +29,7 @@ */ #include "avcodec.h" +#include "bytestream.h" #include "get_bits.h" #include "dsputil.h" #include "aandcttab.h" @@ -224,29 +225,31 @@ static int decode_frame(AVCodecContext *avctx, { const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; - const uint8_t *buf_end = buf+buf_size; MadContext *s = avctx->priv_data; + GetByteContext gb; int width, height; int chunk_type; int inter; - if (buf_size < 17) { - av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n"); - *got_frame = 0; - return -1; - } + bytestream2_init(&gb, buf, buf_size); - chunk_type = AV_RL32(&buf[0]); + chunk_type = bytestream2_get_le32(&gb); inter = (chunk_type == MADm_TAG || chunk_type == MADe_TAG); - buf += 8; + bytestream2_skip(&gb, 10); av_reduce(&avctx->time_base.num, &avctx->time_base.den, - AV_RL16(&buf[6]), 1000, 1<<30); + bytestream2_get_le16(&gb), 1000, 1<<30); - width = AV_RL16(&buf[8]); - height = AV_RL16(&buf[10]); - calc_quant_matrix(s, buf[13]); - buf += 16; + width = bytestream2_get_le16(&gb); + height = bytestream2_get_le16(&gb); + bytestream2_skip(&gb, 1); + calc_quant_matrix(s, bytestream2_get_byte(&gb)); + bytestream2_skip(&gb, 2); + + if (bytestream2_get_bytes_left(&gb) < 2) { + av_log(avctx, AV_LOG_ERROR, "Input data too small\n"); + return AVERROR_INVALIDDATA; + } if (avctx->width != width || avctx->height != height) { if (av_image_check_size(width, height, 0, avctx) < 0) 
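Review bot: The length check in decode_frame() now runs only after the header has been consumed. On a truncated packet the checked bytestream2 readers return 0, so `av_reduce()` and `calc_quant_matrix()` have already updated decoder state from those zeros by the time `AVERROR_INVALIDDATA` is returned. Testing the size directly after `bytestream2_init()` rejects short input without touching `avctx->time_base` or the quantiser matrix: `if (bytestream2_get_bytes_left(&gb) < 26) return AVERROR_INVALIDDATA;`, that is, the 24 header bytes read here plus the 2 the existing check requires. The removed code also cleared `*got_frame` on this path; if callers rely on that, the early return should keep `*got_frame = 0;`. decode_frame() continues outside the hunk.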
@@ -280,12 +283,12 @@ static int decode_frame(AVCodecContext *avctx, } av_fast_padded_malloc(&s->bitstream_buf, &s->bitstream_buf_size, - buf_end - buf); + bytestream2_get_bytes_left(&gb)); if (!s->bitstream_buf) return AVERROR(ENOMEM); - s->dsp.bswap16_buf(s->bitstream_buf, (const uint16_t*)buf, (buf_end-buf)/2); - init_get_bits(&s->gb, s->bitstream_buf, 8*(buf_end-buf)); - + s->dsp.bswap16_buf(s->bitstream_buf, (const uint16_t *)(buf + bytestream2_tell(&gb)), + bytestream2_get_bytes_left(&gb) / 2); + init_get_bits(&s->gb, s->bitstream_buf, 8*(bytestream2_get_bytes_left(&gb))); for (s->mb_y=0; s->mb_y < (avctx->height+15)/16; s->mb_y++) for (s->mb_x=0; s->mb_x < (avctx->width +15)/16; s->mb_x++) decode_mb(s, inter); From 3a6bc3e381647bb4434317113f131f7e0ab5bf83 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 29 Jul 2014 05:43:04 -0700 Subject: [PATCH 0874/1037] vf_select: Drop a debug av_log with an unchecked double to enum conversion CC: libav-stable@libav.org (cherry picked from commit a8d803a320fb08b3ad5db4fffc79abd401206905) Signed-off-by: Diego Biurrun --- libavfilter/vf_select.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/libavfilter/vf_select.c b/libavfilter/vf_select.c index 674151d4ef..924dc1d4f6 100644 --- a/libavfilter/vf_select.c +++ b/libavfilter/vf_select.c 
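Review bot: `bswap16_buf()` is given `bytestream2_get_bytes_left(&gb) / 2` 16-bit words while `init_get_bits()` is given `8*` the full byte count, so when the remaining length is odd the bit reader covers one byte that the swap never wrote. That byte lies inside the requested size, so its content is whatever the reused buffer held before. Limiting the reader to the swapped length closes the gap: keep the count in a local `left` and pass `8 * (left & ~1)`. The local also avoids calling bytestream2_get_bytes_left() three times. The same mismatch was present in the removed lines.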
@@ -203,19 +203,6 @@ static int select_frame(AVFilterContext *ctx, AVFilterBufferRef *picref) select->var_values[VAR_PICT_TYPE] = picref->video->pict_type; res = av_expr_eval(select->expr, select->var_values, NULL); - av_log(inlink->dst, AV_LOG_DEBUG, - "n:%d pts:%d t:%f pos:%d interlace_type:%c key:%d pict_type:%c " - "-> select:%f\n", - (int)select->var_values[VAR_N], - (int)select->var_values[VAR_PTS], - select->var_values[VAR_T], - (int)select->var_values[VAR_POS], - select->var_values[VAR_INTERLACE_TYPE] == INTERLACE_TYPE_P ? 'P' : - select->var_values[VAR_INTERLACE_TYPE] == INTERLACE_TYPE_T ? 'T' : - select->var_values[VAR_INTERLACE_TYPE] == INTERLACE_TYPE_B ? 'B' : '?', - (int)select->var_values[VAR_KEY], - av_get_picture_type_char(select->var_values[VAR_PICT_TYPE]), - res); select->var_values[VAR_N] += 1.0; From d16515ae5fe7daa6327d903cafb9a5ee43477b1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= Date: Sun, 27 Jul 2014 08:38:59 -0700 Subject: [PATCH 0875/1037] video4linux2: Avoid a floating point exception This avoids a segfault in avconv_opt.c:opt_target when trying to determine the norm. (cherry picked from commit dc71f1958846bb1d96de43a4603983dc8450cfcc) Signed-off-by: Diego Biurrun --- avconv_opt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/avconv_opt.c b/avconv_opt.c index d6a6f8f278..17ec0d97bb 100644 --- a/avconv_opt.c +++ b/avconv_opt.c @@ -1520,7 +1520,8 @@ static int opt_target(void *optctx, const char *opt, const char *arg) for (j = 0; j < nb_input_files; j++) { for (i = 0; i < input_files[j]->nb_streams; i++) { AVCodecContext *c = input_files[j]->ctx->streams[i]->codec; - if (c->codec_type != AVMEDIA_TYPE_VIDEO) + if (c->codec_type != AVMEDIA_TYPE_VIDEO || + !c->time_base.num) continue; fr = c->time_base.den * 1000 / c->time_base.num; if (fr == 25000) { From 58d7b835e3cec48ab5a2393405fe82dee72c06a0 Mon Sep 17 00:00:00 2001 
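Review bot: The added `!c->time_base.num` test in opt_target() removes the division by zero, but the next line still evaluates `c->time_base.den * 1000` in int, which overflows for denominators above roughly 2.1 million; the values come from the input file's stream parameters. Doing the multiplication in 64 bits, `fr = c->time_base.den * 1000LL / c->time_base.num;`, avoids the undefined behaviour. That assumes `fr` is afterwards only compared against the known norms, as the following `fr == 25000` test suggests. A negative `num` also passes the new test, so a comment should say whether that can occur. The function extends beyond the hunk.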
From: Diego Biurrun Date: Wed, 25 Jun 2014 17:09:13 -0700 Subject: [PATCH 0876/1037] fate: Add dependencies for dct/fft/mdct/rdft tests (cherry picked from commit d396987c303bdc4eea7d1a1ff6776475d9bbd9ea) Signed-off-by: Diego Biurrun Conflicts: libavcodec/fft-test.c --- libavcodec/fft-test.c | 22 ++++++++++++++++++++++ tests/fate/fft.mak | 32 ++++++++++++++++---------------- 2 files changed, 38 insertions(+), 16 deletions(-) diff --git a/libavcodec/fft-test.c b/libavcodec/fft-test.c index 1e4675019c..74b4b6f78e 100644 --- a/libavcodec/fft-test.c +++ b/libavcodec/fft-test.c @@ -112,6 +112,7 @@ static void fft_ref(FFTComplex *tabr, FFTComplex *tab, int nbits) } } +#if CONFIG_MDCT static void imdct_ref(FFTSample *out, FFTSample *in, int nbits) { int n = 1<fft_permute(s, tab); @@ -375,6 +387,7 @@ int main(int argc, char **argv) err = check_diff((FFTSample *)tab_ref, (FFTSample *)tab, fft_size * 2, 1.0); break; #if CONFIG_FFT_FLOAT +#if CONFIG_RDFT case TRANSFORM_RDFT: fft_size_2 = fft_size >> 1; if (do_inverse) { @@ -406,6 +419,8 @@ int main(int argc, char **argv) err = check_diff((float *)tab_ref, (float *)tab2, fft_size, 1.0); } break; +#endif /* CONFIG_RDFT */ +#if CONFIG_DCT case TRANSFORM_DCT: memcpy(tab, tab1, fft_size * sizeof(FFTComplex)); d->dct_calc(d, tab); @@ -416,6 +431,7 @@ int main(int argc, char **argv) } err = check_diff((float *)tab_ref, (float *)tab, fft_size, 1.0); break; +#endif /* CONFIG_DCT */ #endif } @@ -467,19 +483,25 @@ int main(int argc, char **argv) } switch (transform) { +#if CONFIG_MDCT case TRANSFORM_MDCT: ff_mdct_end(m); break; +#endif /* CONFIG_MDCT */ case TRANSFORM_FFT: ff_fft_end(s); break; #if CONFIG_FFT_FLOAT +#if CONFIG_RDFT case TRANSFORM_RDFT: ff_rdft_end(r); break; +#endif /* CONFIG_RDFT */ +#if CONFIG_DCT case TRANSFORM_DCT: ff_dct_end(d); break; +#endif /* CONFIG_DCT */ #endif } diff --git a/tests/fate/fft.mak b/tests/fate/fft.mak index 20d563828f..d2a390404b 100644 --- a/tests/fate/fft.mak +++ b/tests/fate/fft.mak 
@@ -1,8 +1,8 @@ define DEF_FFT -FATE_FFT += fate-fft-$(1) fate-ifft-$(1) \ - fate-mdct-$(1) fate-imdct-$(1) \ - fate-rdft-$(1) fate-irdft-$(1) \ - fate-dct1d-$(1) fate-idct1d-$(1) +FATE_FFT-$(CONFIG_DCT) += fate-dct1d-$(1) fate-idct1d-$(1) +FATE_FFT-$(CONFIG_FFT) += fate-fft-$(1) fate-ifft-$(1) +FATE_FFT-$(CONFIG_MDCT) += fate-mdct-$(1) fate-imdct-$(1) +FATE_FFT-$(CONFIG_RDFT) += fate-rdft-$(1) fate-irdft-$(1) fate-fft-$(N): ARGS = -n$(1) fate-ifft-$(N): ARGS = -n$(1) -i @@ -16,14 +16,14 @@ endef $(foreach N, 4 5 6 7 8 9 10 11 12, $(eval $(call DEF_FFT,$(N)))) -fate-fft-test: $(FATE_FFT) -$(FATE_FFT): libavcodec/fft-test$(EXESUF) -$(FATE_FFT): CMD = run libavcodec/fft-test $(CPUFLAGS:%=-c%) $(ARGS) -$(FATE_FFT): REF = /dev/null +fate-fft-float: $(FATE_FFT-yes) +$(FATE_FFT-yes): libavcodec/fft-test$(EXESUF) +$(FATE_FFT-yes): CMD = run libavcodec/fft-test $(CPUFLAGS:%=-c%) $(ARGS) +$(FATE_FFT-yes): REF = /dev/null define DEF_FFT_FIXED -FATE_FFT_FIXED += fate-fft-fixed-$(1) fate-ifft-fixed-$(1) \ - fate-mdct-fixed-$(1) fate-imdct-fixed-$(1) +FATE_FFT_FIXED-$(CONFIG_FFT) += fate-fft-fixed-$(1) fate-ifft-fixed-$(1) +FATE_FFT_FIXED-$(CONFIG_MDCT) += fate-mdct-fixed-$(1) fate-imdct-fixed-$(1) fate-fft-fixed-$(1): ARGS = -n$(1) fate-ifft-fixed-$(1): ARGS = -n$(1) -i 
@@ -33,10 +33,10 @@ endef $(foreach N, 4 5 6 7 8 9 10 11 12, $(eval $(call DEF_FFT_FIXED,$(N)))) -fate-fft-fixed-test: $(FATE_FFT_FIXED) -$(FATE_FFT_FIXED): libavcodec/fft-fixed-test$(EXESUF) -$(FATE_FFT_FIXED): CMD = run libavcodec/fft-fixed-test $(CPUFLAGS:%=-c%) $(ARGS) -$(FATE_FFT_FIXED): REF = /dev/null +fate-fft-fixed: $(FATE_FFT_FIXED-yes) +$(FATE_FFT_FIXED-yes): libavcodec/fft-fixed-test$(EXESUF) +$(FATE_FFT_FIXED-yes): CMD = run libavcodec/fft-fixed-test $(CPUFLAGS:%=-c%) $(ARGS) +$(FATE_FFT_FIXED-yes): REF = /dev/null -FATE-$(call ALLYES, AVCODEC FFT) += $(FATE_FFT) $(FATE_FFT_FIXED) -fate-fft: $(FATE_FFT) $(FATE_FFT_FIXED) +FATE-$(CONFIG_AVCODEC) += $(FATE_FFT-yes) $(FATE_FFT_FIXED-yes) +fate-fft: $(FATE_FFT-yes) $(FATE_FFT_FIXED-yes) From 00915d3cd2ce61db3d6dc11f63566630a9aff4ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Jul 2014 21:31:19 -0400 Subject: [PATCH 0877/1037] pgssubdec: Check RLE size before copying Make sure the buffer size does not exceed the expected RLE size. Prevent an out of array bound write. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Bug-Id: CVE-2013-0852 Signed-off-by: Luca Barbato (cherry picked from commit a1f7844a11010d8552c75424d1a831b37a0ae5d9) Signed-off-by: Diego Biurrun --- libavcodec/pgssubdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index f22088a747..a46297857f 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c 
@@ -194,6 +194,13 @@ static int parse_picture_segment(AVCodecContext *avctx, /* Decode rle bitmap length, stored size includes width/height data */ rle_bitmap_len = bytestream_get_be24(&buf) - 2*2; + if (buf_size > rle_bitmap_len) { + av_log(avctx, AV_LOG_ERROR, + "Buffer dimension %d larger than the expected RLE data %d\n", + buf_size, rle_bitmap_len); + return AVERROR_INVALIDDATA; + } + /* Get bitmap dimensions from data */ width = bytestream_get_be16(&buf); height = bytestream_get_be16(&buf); From 01f9540320279954b2764645ab7136847d53d89f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2013 16:26:25 +0200 Subject: [PATCH 0878/1037] h264_sei: check SEI size Signed-off-by: Anton Khirnov Signed-off-by: Vittorio Giovara --- libavcodec/h264_sei.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c index 2e5fb65f0d..5995a8efec 100644 --- a/libavcodec/h264_sei.c +++ b/libavcodec/h264_sei.c @@ -177,6 +177,12 @@ int ff_h264_decode_sei(H264Context *h){ size+= show_bits(&s->gb, 8); }while(get_bits(&s->gb, 8) == 255); + if (size > get_bits_left(&s->gb) / 8) { + av_log(s->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n", + type, get_bits_left(&s->gb)); + return AVERROR_INVALIDDATA; + } + switch(type){ case SEI_TYPE_PIC_TIMING: // Picture timing SEI if(decode_picture_timing(h) < 0) From 512354191328c559fcff56070dab897ee2a1b4c1 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 30 Jul 2014 19:33:36 +0100 Subject: [PATCH 0879/1037] h264: prevent theoretical infinite loop in SEI parsing Properly address CVE-2011-3946 and parse bitstream as described in the spec. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind --- libavcodec/h264_sei.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c index 5995a8efec..776ce57d46 100644 --- a/libavcodec/h264_sei.c +++ b/libavcodec/h264_sei.c 
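Review bot: The new `buf_size > rle_bitmap_len` test in parse_picture_segment runs on a value that the context line above has already reduced by `2*2`, so a stored 24-bit length below 4 is not rejected by it. The declaration of `rle_bitmap_len` is outside the hunk; if it is unsigned, the subtraction wraps to a very large value and the comparison passes, and the `%d` in the new log call would not match the argument type either. I would validate the raw length before adjusting it: `rle_bitmap_len = bytestream_get_be24(&buf);`, then `if (rle_bitmap_len < 2*2) return AVERROR_INVALIDDATA;`, then `rle_bitmap_len -= 2*2;`. The function starts and ends outside the hunk, so the copy this check protects is not visible here.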
@@ -165,17 +165,22 @@ int ff_h264_decode_sei(H264Context *h){ MpegEncContext * const s = &h->s; while (get_bits_left(&s->gb) > 16) { - int size, type; + int type = 0; + int size = 0; + int last = 0; - type=0; - do{ - type+= show_bits(&s->gb, 8); - }while(get_bits(&s->gb, 8) == 255); + while (get_bits_left(&s->gb) >= 8 && + (last = get_bits(&s->gb, 8)) == 255) { + type += 255; + } + type += last; - size=0; - do{ - size+= show_bits(&s->gb, 8); - }while(get_bits(&s->gb, 8) == 255); + last = 0; + while (get_bits_left(&s->gb) >= 8 && + (last = get_bits(&s->gb, 8)) == 255) { + size += 255; + } + size += last; if (size > get_bits_left(&s->gb) / 8) { av_log(s->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n", From 43d676432740c6d5e5234ed343f13902909fd124 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 3 Aug 2014 12:19:10 -0700 Subject: [PATCH 0880/1037] huffyuv: Check and propagate function return values Bug-Id: CVE-2013-0868 inspired by a patch from Michael Niedermayer Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 744b406ff3474e77543bcf86125a2f7bc7deaa18) Signed-off-by: Diego Biurrun Conflicts: libavcodec/huffyuvdec.c --- libavcodec/huffyuvdec.c | 106 +++++++++++++++++++++++----------------- 1 file changed, 61 insertions(+), 45 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 0946d3d47e..f471b28ebe 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -105,11 +105,13 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb) return 0; } -static void generate_joint_tables(HYuvContext *s) +static int generate_joint_tables(HYuvContext *s) { uint16_t symbols[1 << VLC_BITS]; uint16_t bits[1 << VLC_BITS]; uint8_t len[1 << VLC_BITS]; + int ret; + if (s->bitstream_bpp < 24) { int p, i, y, u; for (p = 0; p < 3; p++) { 
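Review bot: In both rewritten loops of ff_h264_decode_sei, a byte of 255 followed by fewer than 8 remaining bits leaves `last` at 255, so `type += last` or `size += last` adds that final 255 a second time instead of reporting truncation. For `size` the existing `size > get_bits_left(&s->gb) / 8` test below still rejects the message, but `type` is simply wrong by then and the code falls through to the `switch`. Making the truncated-header case explicit after each loop would be clearer: `if (last == 255) return AVERROR_INVALIDDATA;`. The remainder of the function is outside the hunk.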
@@ -130,8 +132,9 @@ static void generate_joint_tables(HYuvContext *s) } } ff_free_vlc(&s->vlc[3 + p]); - ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1, - bits, 2, 2, symbols, 2, 2, 0); + if ((ret = ff_init_vlc_sparse(&s->vlc[3 + p], VLC_BITS, i, len, 1, 1, + bits, 2, 2, symbols, 2, 2, 0)) < 0) + return ret; } } else { uint8_t (*map)[4] = (uint8_t(*)[4])s->pix_bgr_map; @@ -172,29 +175,34 @@ static void generate_joint_tables(HYuvContext *s) } } ff_free_vlc(&s->vlc[3]); - init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, bits, 2, 2, 0); + if ((ret = init_vlc(&s->vlc[3], VLC_BITS, i, len, 1, 1, + bits, 2, 2, 0)) < 0) + return ret; } + return 0; } static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length) { GetBitContext gb; - int i; + int i, ret; - init_get_bits(&gb, src, length * 8); + if ((ret = init_get_bits(&gb, src, length * 8)) < 0) + return ret; for (i = 0; i < 3; i++) { - if (read_len_table(s->len[i], &gb) < 0) - return -1; - if (ff_huffyuv_generate_bits_table(s->bits[i], s->len[i]) < 0) { - return -1; - } + if ((ret = read_len_table(s->len[i], &gb)) < 0) + return ret; + if ((ret = ff_huffyuv_generate_bits_table(s->bits[i], s->len[i])) < 0) + return ret; ff_free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, - s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, + s->bits[i], 4, 4, 0)) < 0) + return ret; } - generate_joint_tables(s); + if ((ret = generate_joint_tables(s)) < 0) + return ret; return (get_bits_count(&gb) + 7) / 8; } 
@@ -202,17 +210,19 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length) static int read_old_huffman_tables(HYuvContext *s) { GetBitContext gb; - int i; + int i, ret; - init_get_bits(&gb, classic_shift_luma, - classic_shift_luma_table_size * 8); - if (read_len_table(s->len[0], &gb) < 0) - return -1; + if ((ret = init_get_bits(&gb, classic_shift_luma, + classic_shift_luma_table_size * 8)) < 0) + return ret; + if ((ret = read_len_table(s->len[0], &gb)) < 0) + return ret; - init_get_bits(&gb, classic_shift_chroma, - classic_shift_chroma_table_size * 8); - if (read_len_table(s->len[1], &gb) < 0) - return -1; + if ((ret = init_get_bits(&gb, classic_shift_chroma, + classic_shift_chroma_table_size * 8)) < 0) + return ret; + if ((ret = read_len_table(s->len[1], &gb)) < 0) + return ret; for(i=0; i<256; i++) s->bits[0][i] = classic_add_luma [i]; for(i=0; i<256; i++) s->bits[1][i] = classic_add_chroma[i]; @@ -226,11 +236,13 @@ static int read_old_huffman_tables(HYuvContext *s) for (i = 0; i < 3; i++) { ff_free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, - s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, + s->bits[i], 4, 4, 0)) < 0) + return ret; } - generate_joint_tables(s); + if ((ret = generate_joint_tables(s)) < 0) + return ret; return 0; } @@ -238,6 +250,7 @@ static int read_old_huffman_tables(HYuvContext *s) static av_cold int decode_init(AVCodecContext *avctx) { HYuvContext *s = avctx->priv_data; + int ret; ff_huffyuv_common_init(avctx); memset(s->vlc, 0, 3 * sizeof(VLC)); 
@@ -272,9 +285,9 @@ static av_cold int decode_init(AVCodecContext *avctx) s->interlaced = (interlace == 1) ? 1 : (interlace == 2) ? 0 : s->interlaced; s->context = ((uint8_t*)avctx->extradata)[2] & 0x40 ? 1 : 0; - if ( read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4, - avctx->extradata_size - 4) < 0) - return -1; + if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4, + avctx->extradata_size - 4)) < 0) + return ret; }else{ switch (avctx->bits_per_coded_sample & 7) { case 1: @@ -301,8 +314,8 @@ static av_cold int decode_init(AVCodecContext *avctx) s->bitstream_bpp = avctx->bits_per_coded_sample & ~7; s->context = 0; - if (read_old_huffman_tables(s) < 0) - return -1; + if ((ret = read_old_huffman_tables(s)) < 0) + return ret; } switch (s->bitstream_bpp) { @@ -328,7 +341,8 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - ff_huffyuv_alloc_temp(s); + if ((ret = ff_huffyuv_alloc_temp(s)) < 0) + return ret; return 0; } @@ -336,21 +350,22 @@ static av_cold int decode_init(AVCodecContext *avctx) static av_cold int decode_init_thread_copy(AVCodecContext *avctx) { HYuvContext *s = avctx->priv_data; - int i; + int i, ret; avctx->coded_frame= &s->picture; - ff_huffyuv_alloc_temp(s); + if ((ret = ff_huffyuv_alloc_temp(s)) < 0) + return ret; for (i = 0; i < 6; i++) s->vlc[i].table = NULL; if (s->version == 2) { - if (read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4, - avctx->extradata_size) < 0) - return -1; + if ((ret = read_huffman_tables(s, ((uint8_t*)avctx->extradata) + 4, + avctx->extradata_size)) < 0) + return ret; } else { - if (read_old_huffman_tables(s) < 0) - return -1; + if ((ret = read_old_huffman_tables(s)) < 0) + return ret; } return 0; 
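Review bot: decode_init_thread_copy still passes `avctx->extradata_size` as the length of a buffer that starts at `extradata + 4`, whereas the decode_init hunk above passes `avctx->extradata_size - 4` for the same call. The bit reader set up inside read_huffman_tables() is therefore told the data is four bytes longer than what remains, and this commit rewrites the call without aligning the two sites. I would change the argument here to `avctx->extradata_size - 4)) < 0)` as well. Neither hunk shows a test that extradata_size is at least 4 before the subtraction; that needs confirming in the part of decode_init outside the hunk.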
@@ -484,7 +499,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, const int height = s->height; int fake_ystride, fake_ustride, fake_vstride; AVFrame * const p = &s->picture; - int table_size = 0; + int table_size = 0, ret; AVFrame *picture = data; @@ -502,22 +517,23 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, ff_thread_release_buffer(avctx, p); p->reference = 0; - if (ff_thread_get_buffer(avctx, p) < 0) { + if ((ret = ff_thread_get_buffer(avctx, p)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); - return -1; + return ret; } if (s->context) { table_size = read_huffman_tables(s, s->bitstream_buffer, buf_size); if (table_size < 0) - return -1; + return table_size; } if ((unsigned)(buf_size-table_size) >= INT_MAX / 8) return -1; - init_get_bits(&s->gb, s->bitstream_buffer+table_size, - (buf_size-table_size) * 8); + if ((ret = init_get_bits(&s->gb, s->bitstream_buffer + table_size, + (buf_size - table_size) * 8)) < 0) + return ret; fake_ystride = s->interlaced ? p->linesize[0] * 2 : p->linesize[0]; fake_ustride = s->interlaced ? p->linesize[1] * 2 : p->linesize[1]; From 146b187113e3cc20c2a97c5f264da13e701ca247 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 4 Aug 2014 14:15:45 +0200 Subject: [PATCH 0881/1037] lavc: Check the image size before calling get_buffer Bug-Id: CVE-2011-3935 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 19c8a99ff5..42be6450af 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -465,6 +465,8 @@ int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame) { switch (avctx->codec_type) { case AVMEDIA_TYPE_VIDEO: + if (av_image_check_size(avctx->width, avctx->height, 0, avctx)) + return AVERROR_INVALIDDATA; frame->width = avctx->width; frame->height = avctx->height; frame->format = avctx->pix_fmt; 
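Review bot: The `(unsigned)(buf_size-table_size) >= INT_MAX / 8` test in decode_frame still ends in a bare `return -1;`, although every other failure path this commit touches now returns an AVERROR code or propagates `ret`. Callers that distinguish error codes get an unspecific value for what is an invalid-input condition. For consistency with the rest of the patch I would write `return AVERROR_INVALIDDATA;` on that line. decode_frame continues outside the hunk.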
From 36d8914f1b94e4731d2fc67162902839c106e72e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Feb 2014 15:07:23 +0100 Subject: [PATCH 0882/1037] wmalosslessdec: fix mclms_coeffs* array size Fixes corruption of context Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org Bug-Id: CVE-2014-2098 Signed-off-by: Anton Khirnov (cherry picked from commit 849b9d34c7ef70b370c53e7af3940f51cbc07d0f) Signed-off-by: Anton Khirnov --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 747ac37dc0..8060d279b5 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -127,8 +127,8 @@ typedef struct WmallDecodeCtx { int8_t mclms_order; int8_t mclms_scaling; - int16_t mclms_coeffs[128]; - int16_t mclms_coeffs_cur[4]; + int16_t mclms_coeffs[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS * 32]; + int16_t mclms_coeffs_cur[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS]; int16_t mclms_prevvalues[WMALL_MAX_CHANNELS * 2 * 32]; int16_t mclms_updates[WMALL_MAX_CHANNELS * 2 * 32]; int mclms_recent; From ede738880032db62b7dc5b3712f769d3826f5974 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Aug 2014 19:24:18 +0100 Subject: [PATCH 0883/1037] mmvideo: check horizontal coordinate too Fixes out of array accesses. Bug-Id: CVE-2013-3672 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara Signed-off-by: Anton Khirnov (cherry picked from commit 70cd3b8e659c3522eea5c16a65d14b8658894a94) Signed-off-by: Anton Khirnov --- libavcodec/mmvideo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 784b939734..e1ae991dee 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c 
@@ -150,6 +150,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert) int replace_array = bytestream2_get_byte(&s->gb); for(j=0; j<8; j++) { int replace = (replace_array >> (7-j)) & 1; + if (x + half_horiz >= s->avctx->width) + return AVERROR_INVALIDDATA; if (replace) { int color = bytestream2_get_byte(&data_ptr); s->frame.data[0][y*s->frame.linesize[0] + x] = color; From c53effc41b9359261b17c8da3b7062369cafd686 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Aug 2014 00:54:33 +0100 Subject: [PATCH 0884/1037] huffyuvdec: check width size for yuv422p Avoid out of array accesses. CC: libav-stable@libav.org Bug-Id: CVE-2013-0848 Signed-off-by: Vittorio Giovara Signed-off-by: Anton Khirnov (cherry picked from commit a7153444df9040bf6ae103e0bbf6104b66f974cb) Signed-off-by: Anton Khirnov --- libavcodec/huffyuvdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index f471b28ebe..18e4c8771f 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -341,6 +341,13 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P && + avctx->width % 4) { + av_log(avctx, AV_LOG_ERROR, "width must be multiple of 4 " + "for this combination of colorspace and predictor type.\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = ff_huffyuv_alloc_temp(s)) < 0) return ret; From 8cd67ddde46a42a33149e7d42a2ab47852ff2a83 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Aug 2014 10:46:50 +0000 Subject: [PATCH 0885/1037] cdgraphics: switch to bytestream2 Fixes possible invalid memory accesses on corrupted data. CC:libav-stable@libav.org Bug-ID: CVE-2013-3674 (cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812) Signed-off-by: Anton Khirnov --- libavcodec/cdgraphics.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) 
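Review bot: The new horizontal bound check in mm_decode_inter sits before `if (replace)`, so it also fires for mask bits that write nothing. If a stream's last mask byte in a row carries zero bits past the right edge, the whole frame is now rejected even though no out-of-bounds store would have happened; whether real files do this cannot be told from the hunk. Moving the same line to be the first statement inside `if (replace) {` guards every store shown here with the same condition and only fails on an actual write. The vertical check and the rest of the loop body are outside the hunk.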
diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index e4ed83b9d4..8dbcd423d6 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -269,7 +269,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data, static int cdg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - const uint8_t *buf = avpkt->data; + GetByteContext gb; int buf_size = avpkt->size; int ret; uint8_t command, inst; @@ -277,10 +277,8 @@ static int cdg_decode_frame(AVCodecContext *avctx, AVFrame new_frame; CDGraphicsContext *cc = avctx->priv_data; - if (buf_size < CDG_MINIMUM_PKT_SIZE) { - av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n"); - return AVERROR(EINVAL); - } + bytestream2_init(&gb, avpkt->data, avpkt->size); + ret = avctx->reget_buffer(avctx, &cc->frame); if (ret) { @@ -288,11 +286,11 @@ static int cdg_decode_frame(AVCodecContext *avctx, return ret; } - command = bytestream_get_byte(&buf); - inst = bytestream_get_byte(&buf); + command = bytestream2_get_byte(&gb); + inst = bytestream2_get_byte(&gb); inst &= CDG_MASK; - buf += 2; /// skipping 2 unneeded bytes - bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); + bytestream2_skip(&gb, 2); + bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data)); if ((command & CDG_MASK) == CDG_COMMAND) { switch (inst) { From 80c268eaaee402695a74d14acf76063100692a99 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 6 Aug 2014 10:56:34 +0000 Subject: [PATCH 0886/1037] cdgraphics: do not return 0 from the decode function 0 means no data consumed, so it can trigger an infinite loop in the caller. CC:libav-stable@libav.org (cherry picked from commit c7d9b473e28238d4a4ef1b7e8b42c1cca256da36) Signed-off-by: Anton Khirnov Conflicts: libavcodec/cdgraphics.c --- libavcodec/cdgraphics.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index 8dbcd423d6..9eb91b925d 100644 
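Review bot: With the `buf_size < CDG_MINIMUM_PKT_SIZE` rejection removed from cdg_decode_frame, a short packet now reaches the command handling, and the return value of `bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data))` is ignored. bytestream2_get_buffer copies only the bytes that are left, so on a truncated packet the tail of `cdg_data` keeps whatever it held before; its declaration is outside the hunk, so whether it is initialised cannot be confirmed here. Either keep the minimum-size check ahead of `reget_buffer`, or clear the buffer before the read with `memset(cdg_data, 0, sizeof(cdg_data));`. The handlers that consume `cdg_data` are outside the hunk.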
--- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -349,11 +349,10 @@ static int cdg_decode_frame(AVCodecContext *avctx, *got_frame = 1; } else { *got_frame = 0; - buf_size = 0; } *(AVFrame *) data = cc->frame; - return buf_size; + return avpkt->size; } static av_cold int cdg_decode_end(AVCodecContext *avctx) From af9b62654d5aa023a96906215365532d18541a09 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 3 Aug 2014 10:14:48 +0200 Subject: [PATCH 0887/1037] svq1: do not modify the input packet The input data must remain constant, make a copy instead. This is in theory a performance hit, but since I failed to find any samples using this feature, this should not matter in practice. Also, check the size of the header, avoiding invalid reads on truncated data. CC:libav-stable@libav.org (cherry picked from commit 7b588bb691644e1b3c168b99accf74248a24e3cf) Signed-off-by: Anton Khirnov Conflicts: libavcodec/svq1dec.c --- libavcodec/svq1dec.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 82f9301e93..75eb6b2746 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -61,6 +61,10 @@ typedef struct SVQ1Context { DSPContext dsp; GetBitContext gb; AVFrame *cur, *prev; + + uint8_t *pkt_swapped; + int pkt_swapped_allocated; + int width; int height; int frame_code; 
@@ -630,7 +634,24 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, /* swap some header bytes (why?) */ if (s->frame_code != 0x20) { - uint32_t *src = (uint32_t *)(buf + 4); + uint32_t *src; + + if (buf_size < 9 * 4) { + av_log(avctx, AV_LOG_ERROR, "Input packet too small\n"); + return AVERROR_INVALIDDATA; + } + + av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated, + buf_size); + if (!s->pkt_swapped) + return AVERROR(ENOMEM); + + memcpy(s->pkt_swapped, buf, buf_size); + buf = s->pkt_swapped; + init_get_bits(&s->gb, buf, buf_size * 8); + skip_bits(&s->gb, 22); + + src = (uint32_t *)(s->pkt_swapped + 4); for (i = 0; i < 4; i++) src[i] = ((src[i] << 16) | (src[i] >> 16)) ^ src[7 - i]; @@ -803,6 +824,7 @@ static av_cold int svq1_decode_end(AVCodecContext *avctx) avctx->release_buffer(avctx, s->prev); avcodec_free_frame(&s->cur); avcodec_free_frame(&s->prev); + av_freep(&s->pkt_swapped); return 0; } From 52254067b312e78d30bbe79fc33dbdf995b22b4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Aug 2014 18:19:57 +0100 Subject: [PATCH 0888/1037] error_concealment: avoid using the picture if not fully setup Fixes state becoming inconsistent and a null pointer dereference. CC: libav-stable@libav.org Bug-Id: CVE-2013-0860 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara Signed-off-by: Anton Khirnov --- libavcodec/error_resilience.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index ae9ef68617..73b69aff75 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c 
@@ -896,6 +896,12 @@ void ff_er_frame_end(MpegEncContext *s) return; }; + if (s->picture_structure == PICT_FRAME && + s->current_picture.f.linesize[0] != s->current_picture_ptr->f.linesize[0]) { + av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n"); + return; + } + if (s->current_picture.f.motion_val[0] == NULL) { av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n"); From ecda9b90eccc687202fe9fa20f7ca61d92d816b4 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Wed, 6 Aug 2014 20:07:33 -0400 Subject: [PATCH 0889/1037] Update Changelog for v9.15 --- Changelog | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/Changelog b/Changelog index b23f5ef768..96171c9e59 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,23 @@ Releases are sorted from youngest to oldest. +version 9.15: +- error_concealment: avoid using the picture if not fully setup (CVE-2013-0860) +- svq1: do not modify the input packet +- cdgraphics: do not return 0 from the decode function +- cdgraphics: switch to bytestream2 (CVE-2013-3674) +- huffyuvdec: check width size for yuv422p (CVE-2013-0848) +- mmvideo: check horizontal coordinate too (CVE-2013-3672) +- wmalosslessdec: fix mclms_coeffs* array size (CVE-2014-2098) +- lavc: Check the image size before calling get_buffer (CVE-2011-3935) +- huffyuv: Check and propagate function return values (CVE-2013-0868) +- h264: prevent theoretical infinite loop in SEI parsing (CVE-2011-3946) +- h264_sei: check SEI size +- pgssubdec: Check RLE size before copying (CVE-2013-0852) +- fate: Add dependencies for dct/fft/mdct/rdft tests +- video4linux2: Avoid a floating point exception +- vf_select: Drop a debug av_log with an unchecked double to enum conversion +- eamad: use the bytestream2 API instead of AV_RL (CVE-2013-0851) + version 9.14: - adpcm: Write the proper predictor in trellis mode in IMA QT - adpcm: Avoid reading out of bounds in the IMA QT trellis encoder 
From 694b7cd873f8b06af109036eff1ccd741afdd28e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 3 Aug 2014 19:27:07 +0200 Subject: [PATCH 0890/1037] mpegts: Define the section length with a constant The specification says the value is expressed in 10 bits including the 4-byte CRC. --- libavformat/mpegtsenc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 29d83c668a..86fc631d55 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -122,6 +122,10 @@ static const AVClass mpegts_muxer_class = { .version = LIBAVUTIL_VERSION_INT, }; +/* The section length is 12 bits. The first 2 are set to 0, the remaining + * 10 bits should not exceed 1021. */ +#define SECTION_LENGTH 1020 + /* NOTE: 4 bytes must be left at the end for the crc32 */ static void mpegts_write_section(MpegTSSection *s, uint8_t *buf, int len) { @@ -233,7 +237,7 @@ static void mpegts_write_pat(AVFormatContext *s) { MpegTSWrite *ts = s->priv_data; MpegTSService *service; - uint8_t data[1012], *q; + uint8_t data[SECTION_LENGTH], *q; int i; q = data; @@ -249,7 +253,7 @@ static void mpegts_write_pat(AVFormatContext *s) static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) { MpegTSWrite *ts = s->priv_data; - uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr; + uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr; int val, stream_type, i; q = data; @@ -401,7 +405,7 @@ static void mpegts_write_sdt(AVFormatContext *s) { MpegTSWrite *ts = s->priv_data; MpegTSService *service; - uint8_t data[1012], *q, *desc_list_len_ptr, *desc_len_ptr; + uint8_t data[SECTION_LENGTH], *q, *desc_list_len_ptr, *desc_len_ptr; int i, running_status, free_ca_mode, val; q = data; From addbaf134836aea4e14f73add8c6d753a1373257 Mon Sep 17 00:00:00 2001 
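Review bot: The comment added above `SECTION_LENGTH` gives 1021 as the limit while the macro is 1020, and neither says which bytes the constant is meant to cover. The three `data[]` buffers used to hold 1012 bytes and the existing note on mpegts_write_section says 4 bytes must be left for the crc32, so growing them to 1020 is only safe if the section writer, which is outside this diff, still has room for its own header and CRC on top of the payload. I would spell out the accounting in the comment, for example `/* Maximum payload passed to mpegts_write_section1(); table header and CRC32 are added there. */`, after checking the value against that function.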
From: Luca Barbato Date: Thu, 7 Aug 2014 17:10:32 +0200 Subject: [PATCH 0891/1037] mpegts: Do not try to write a PMT larger than SECTION_SIZE Prevent out of array write. Similar to what Michael Niedermayer did to address the same issue. Bug-Id: CVE-2014-2263 CC: libav-stable@libav.org --- libavformat/mpegtsenc.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 86fc631d55..c0b17a8175 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -254,7 +254,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) { MpegTSWrite *ts = s->priv_data; uint8_t data[SECTION_LENGTH], *q, *desc_length_ptr, *program_info_length_ptr; - int val, stream_type, i; + int val, stream_type, i, err = 0; q = data; put16(&q, 0xe000 | service->pcr_pid); @@ -272,6 +272,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) AVStream *st = s->streams[i]; MpegTSWriteStream *ts_st = st->priv_data; AVDictionaryEntry *lang = av_dict_get(st->metadata, "language", NULL,0); + + if (q - data > SECTION_LENGTH - 3 - 2 - 6) { + err = 1; + break; + } switch(st->codec->codec_id) { case AV_CODEC_ID_MPEG1VIDEO: case AV_CODEC_ID_MPEG2VIDEO: @@ -321,6 +326,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) *len_ptr = 0; for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) { + if (q - data > SECTION_LENGTH - 4) { + err = 1; + break; + } next = strchr(p, ','); if (strlen(p) != 3 && (!next || next != p + 3)) continue; /* not a 3-letter code */ @@ -355,6 +364,11 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) *q++ = language[1]; *q++ = language[2]; *q++ = 0x10; /* normal subtitles (0x20 = if hearing pb) */ + + if (q - data > SECTION_LENGTH - 4) { + err = 1; + break; + } if(st->codec->extradata_size == 4) { memcpy(q, st->codec->extradata, 4); q += 4; 
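Review bot: The `break` added inside `for (p = lang->value; ...)` in mpegts_write_pmt leaves only that inner loop, so the stream loop keeps running with `err` set and the final message can print an `i` that is not the stream that ran out of space. The check added after `*q++ = 0x10;` in the following hunk has the same problem if it sits inside a `switch` (the enclosing construct is outside the hunk), and there descriptor bytes have already been written before the test, so a partial descriptor may be emitted. I would stop the stream loop explicitly once the descriptor code has run, `if (err) break;`, and do the subtitle size test before the first byte of that descriptor is written. The log call that reports `i` is in the last hunk of this patch.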
@@ -380,6 +394,14 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) desc_length_ptr[0] = val >> 8; desc_length_ptr[1] = val; } + + if (err) + av_log(s, AV_LOG_ERROR, + "The PMT section is too small for stream %d and following.\n" + "Try reducing the number of languages in the audio streams " + "or the total number of streams.\n", + i); + mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0, data, q - data); } From 09e3fe79fc09459e62db73350909bda138792019 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Aug 2014 02:27:07 +0200 Subject: [PATCH 0892/1037] avcodec/svq1dec: Fix multiple bugs from "svq1: do not modify the input packet" Add padding, clear size, use the correct pointer. Signed-off-by: Michael Niedermayer (cherry picked from commit 4213fc5b9eebec53c7d22b770c3f1ceecca1c113) Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 9aac8c74c4..d5f7581264 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -639,7 +639,7 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated, + av_fast_padded_malloc(&s->pkt_swapped, &s->pkt_swapped_allocated, buf_size); if (!s->pkt_swapped) return AVERROR(ENOMEM); @@ -826,6 +826,7 @@ static av_cold int svq1_decode_end(AVCodecContext *avctx) avcodec_free_frame(&s->cur); avcodec_free_frame(&s->prev); av_freep(&s->pkt_swapped); + s->pkt_swapped_allocated = 0; return 0; } From 437848e37ae7ef73cd8101031dc570d1f009ffd5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Aug 2014 01:12:47 +0100 Subject: [PATCH 0893/1037] vp3: Copy all 3 frames for thread updates Fixes a double release of the current frame on deinit. Bug-Id: CVE-2011-3934 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Vittorio Giovara --- libavcodec/vp3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 1d68c09ad6..c33436398a 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1869,7 +1869,7 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * ||s->width != s1->width ||s->height!= s1->height) { if (s != s1) - copy_fields(s, s1, golden_frame, current_frame); + copy_fields(s, s1, golden_frame, keyframe); return -1; } From fe461238d33e3b1ea9a8fdd8925d0ac584474fb6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Jul 2014 01:07:59 +0200 Subject: [PATCH 0894/1037] avformat/utils: do not wait for packets from discarded streams for genpts Fixes long loop Fixes Ticket3208 Signed-off-by: Michael Niedermayer (cherry picked from commit 8202c49b43621c04e26d4a3aa83a10e1e5cc1836) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 48882bed95..e42c1fc8f9 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1532,7 +1532,8 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) } /* read packet from packet buffer, if there is data */ - if (!(next_pkt->pts == AV_NOPTS_VALUE && + st = s->streams[next_pkt->stream_index]; + if (!(next_pkt->pts == AV_NOPTS_VALUE && st->discard < AVDISCARD_ALL && next_pkt->dts != AV_NOPTS_VALUE && !eof)) { ret = read_from_packet_buffer(&s->packet_buffer, &s->packet_buffer_end, pkt); From e5fcc16a1fa7386e89277387f47f1b20b297304b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 00:27:23 +0200 Subject: [PATCH 0895/1037] avcodec/dvdsub_parser: never return 0 when the input isnt 0 Fixes a infinite loop Fixes Ticket3804 Signed-off-by: Michael Niedermayer (cherry picked from commit cfdb30d2f1241de9354a8efdbf8252d0f1a6f933) 
Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index e50c3396e4..9a6457e8b4 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -46,7 +46,7 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_index == 0) { if (buf_size < 2) - return 0; + return buf_size; pc->packet_len = AV_RB16(buf); if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); From 1298aa83180edeb49cf7e4038e5a5edfc245cf43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 01:15:37 +0200 Subject: [PATCH 0896/1037] avcodec/dvdsub_parser: Check buf_size before reading 32bit packet size Signed-off-by: Michael Niedermayer (cherry picked from commit 81c1657a593b1c0f8e46fca00ead1d30ee1cd418) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 9a6457e8b4..07ed4f72fc 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -45,8 +45,9 @@ static int dvdsub_parse(AVCodecParserContext *s, DVDSubParseContext *pc = s->priv_data; if (pc->packet_index == 0) { - if (buf_size < 2) + if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) { return buf_size; + } pc->packet_len = AV_RB16(buf); if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); From a04bb8d6e7f726040bb56f972b7b106f4ba86cae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Aug 2014 01:16:14 +0200 Subject: [PATCH 0897/1037] avcodec/dvdsub_parser: print message if packet is smaller than the packet size field Signed-off-by: Michael Niedermayer (cherry picked from commit bcc898dd2643c883522ffa565be4b226ce798c78) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 2 ++ 1 file changed, 2 insertions(+) 
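Review bot: The condition added in dvdsub_parse, `AV_RB16(buf) && buf_size < 6`, demands six bytes when the 16-bit length is non-zero, but the 32-bit read `AV_RB32(buf+2)` just below it is taken when that length is zero. With a zero 16-bit field and 2 to 5 bytes of input the guard does not trigger and the read goes past the bytes supplied. The test looks inverted; I would write `if (buf_size < 2 || (!AV_RB16(buf) && buf_size < 6)) {`, which also removes the unparenthesised mix of `||` and `&&`. The function continues outside the hunk.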
diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 07ed4f72fc..32a945ed65 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -46,6 +46,8 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_index == 0) { if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) { + if (buf_size) + av_log(avctx, AV_LOG_DEBUG, "Parser input %d too small\n", buf_size); return buf_size; } pc->packet_len = AV_RB16(buf); From 41e859151543a25652b217f637ac62f55f7b256e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Aug 2014 22:45:52 +0200 Subject: [PATCH 0898/1037] update for 1.1.13 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index ccad953ac5..9ea63dbccb 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.12 +1.1.13 diff --git a/VERSION b/VERSION index ccad953ac5..9ea63dbccb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.12 +1.1.13 diff --git a/doc/Doxyfile b/doc/Doxyfile index 8731640cd6..ec41e77324 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.12 +PROJECT_NUMBER = 1.1.13 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 8da037af332790c704de6127406d5f6b3734acf0 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 8 Aug 2014 20:46:15 -0400 Subject: [PATCH 0899/1037] Update Changelog for v9.15 --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index 96171c9e59..27de0aacd7 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,9 @@ Releases are sorted from youngest to oldest. version 9.15: +- vp3: Copy all 3 frames for thread updates (CVE-2011-3934) +- mpegts: Do not try to write a PMT larger than SECTION_SIZE (CVE-2014-2263) +- mpegts: Define the section length with a constant - error_concealment: avoid using the picture if not fully setup (CVE-2013-0860) - svq1: do not modify the input packet - cdgraphics: do not return 0 from the decode function From e86074e6ef23f14273cbf4af84c8d2491f744a79 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 8 Aug 2014 21:57:46 -0400 Subject: [PATCH 0900/1037] Prepare for 9.15 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 3f678b45c6..68d3e62efe 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.14 +9.15 From bd41211395fd1f968e9f3a4746daffebea60f41e Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 9 Aug 2014 08:55:45 -0400 Subject: [PATCH 0901/1037] Re-release 9.15 as 9.16 This is a clean fixup of the tagging mistake in the v9.15 release --- Changelog | 2 +- RELEASE | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 27de0aacd7..d3cf1ef4b8 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,6 @@ Releases are sorted from youngest to oldest. -version 9.15: +version 9.16: - vp3: Copy all 3 frames for thread updates (CVE-2011-3934) - mpegts: Do not try to write a PMT larger than SECTION_SIZE (CVE-2014-2263) - mpegts: Define the section length with a constant diff --git a/RELEASE b/RELEASE index 68d3e62efe..fd9cd75295 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.15 +9.16 From e4fb53c73abece15a7c5df0019df9a0371db2297 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Aug 2013 04:51:09 +0200 Subject: [PATCH 0902/1037] ffv1dec: check that global parameters do not change in version 0/1 Such changes are neither allowed nor supported Found-by: ami_stuff Bug-Id: CVE-2013-7020 CC: libav-stable@libav.org 
Signed-off-by: Anton Khirnov (cherry picked from commit da7d839a0d3ec40423a665dc85e0cfaed3f92eb8) Signed-off-by: Anton Khirnov --- libavcodec/ffv1dec.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index e74598cd68..d0709045b5 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -542,6 +542,7 @@ static int read_header(FFV1Context *f) memset(state, 128, sizeof(state)); if (f->version < 2) { + int chroma_planes, chroma_h_shift, chroma_v_shift, transparency, colorspace, bits_per_raw_sample; unsigned v = get_symbol(c, state, 0); if (v > 1) { av_log(f->avctx, AV_LOG_ERROR, 
@@ -558,15 +559,32 @@ static int read_header(FFV1Context *f) get_symbol(c, state, 1) + c->one_state[i]; } - f->colorspace = get_symbol(c, state, 0); //YUV cs type + colorspace = get_symbol(c, state, 0); //YUV cs type + bits_per_raw_sample = f->version > 0 ? get_symbol(c, state, 0) : f->avctx->bits_per_raw_sample; + chroma_planes = get_rac(c, state); + chroma_h_shift = get_symbol(c, state, 0); + chroma_v_shift = get_symbol(c, state, 0); + transparency = get_rac(c, state); - if (f->version > 0) - f->avctx->bits_per_raw_sample = get_symbol(c, state, 0); + if (f->plane_count) { + if (colorspace != f->colorspace || + bits_per_raw_sample != f->avctx->bits_per_raw_sample || + chroma_planes != f->chroma_planes || + chroma_h_shift != f->chroma_h_shift || + chroma_v_shift != f->chroma_v_shift || + transparency != f->transparency) { + av_log(f->avctx, AV_LOG_ERROR, "Invalid change of global parameters\n"); + return AVERROR_INVALIDDATA; + } + } + + f->colorspace = colorspace; + f->avctx->bits_per_raw_sample = bits_per_raw_sample; + f->chroma_planes = chroma_planes; + f->chroma_h_shift = chroma_h_shift; + f->chroma_v_shift = chroma_v_shift; + f->transparency = transparency; - f->chroma_planes = get_rac(c, state); - f->chroma_h_shift = get_symbol(c, state, 0); - f->chroma_v_shift = get_symbol(c, state, 0); - f->transparency = get_rac(c, state); f->plane_count = 2 + f->transparency; } From bbd632082b18e6c5ce9c2d6be8bc260c05ae9417 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 25 Aug 2014 21:21:57 +0000 Subject: [PATCH 0903/1037] mpegenc: limit the maximum muxrate It is written to the file as a 22-bit value. CC: libav-stable@libav.org (cherry picked from commit 75bbaf2493a71ee66eaabe3c21fadd84d07888de) Signed-off-by: Anton Khirnov Conflicts: libavformat/mpegenc.c (cherry picked from commit 3ac0638d573fc483ba6be3444858b26711c5d67d) Signed-off-by: Anton Khirnov --- libavformat/mpegenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
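Review bot: The new consistency check is keyed on `if (f->plane_count)`, which silently relies on plane_count staying zero until a first header has been parsed. A comment such as `/* plane_count != 0: a header was already parsed, later headers must match it */` would make that explicit. On the first header, the values read through get_symbol() (`colorspace`, `chroma_h_shift`, `chroma_v_shift`) are still stored with no range check visible in this hunk. The patch therefore rejects changes but not implausible initial values; whether those are validated later in read_header cannot be seen from here. read_header starts and ends outside the hunk.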
diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index 4f7bde848c..218c2eb929 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -1132,7 +1132,7 @@ static int mpeg_mux_end(AVFormatContext *ctx) #define OFFSET(x) offsetof(MpegMuxContext, x) #define E AV_OPT_FLAG_ENCODING_PARAM static const AVOption options[] = { - { "muxrate", NULL, OFFSET(mux_rate), AV_OPT_TYPE_INT, {.i64 = 0}, 0, INT_MAX, E }, + { "muxrate", NULL, OFFSET(mux_rate), AV_OPT_TYPE_INT, {.i64 = 0}, 0, (1 << 22) - 1, E }, { "preload", "Initial demux-decode delay in microseconds.", OFFSET(preload), AV_OPT_TYPE_INT, {.i64 = 500000}, 0, INT_MAX, E}, { NULL }, }; From 8d7839fc7c52574dfc22db0181b1cef9cb929910 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 25 Aug 2014 21:24:35 +0000 Subject: [PATCH 0904/1037] avconv: fix the muxrate values for -target The mpegenc private option values are in 50-byte units. CC: libav-stable@libav.org (cherry picked from commit 1688eef25385089026aba55da1885f70a57815ab) Signed-off-by: Anton Khirnov (cherry picked from commit 7bc37641e3e6c24d472ae06fcbecaba4c863829b) Signed-off-by: Anton Khirnov --- avconv_opt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/avconv_opt.c b/avconv_opt.c index 17ec0d97bb..8f7fb3a150 100644 --- a/avconv_opt.c +++ b/avconv_opt.c @@ -1566,7 +1566,7 @@ static int opt_target(void *optctx, const char *opt, const char *arg) parse_option(o, "ac", "2", options); opt_default(NULL, "packetsize", "2324"); - opt_default(NULL, "muxrate", "1411200"); // 2352 * 75 * 8; + opt_default(NULL, "muxrate", "3528"); // 2352 * 75 / 50; /* We have to offset the PTS, so that it is consistent with the SCR. SCR starts at 36000, but the first two packs contain only padding 
@@ -1612,7 +1612,7 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "bufsize", "1835008"); // 224*1024*8; opt_default(NULL, "packetsize", "2048"); // from www.mpucoder.com: DVD sectors contain 2048 bytes of data, this is also the size of one pack. - opt_default(NULL, "muxrate", "10080000"); // from mplex project: data_rate = 1260000. mux_rate = data_rate * 8 + opt_default(NULL, "muxrate", "25200"); // from mplex project: data_rate = 1260000. mux_rate = data_rate / 50 opt_default(NULL, "b:a", "448000"); parse_option(o, "ar", "48000", options); From e1f0c41e1aa37a9c166c43abf1b526c796ed7649 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 26 Aug 2014 06:26:35 +0000 Subject: [PATCH 0905/1037] avconv: fix parsing the AVOptions for -target CC: libav-stable@libav.org (cherry picked from commit f5245a9c6206878b892adf3ccbccc9311c202af5) Signed-off-by: Anton Khirnov (cherry picked from commit f7395926f204051af9ad459a6d876b96ee6179ee) Signed-off-by: Anton Khirnov --- avconv_opt.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/avconv_opt.c b/avconv_opt.c index 8f7fb3a150..3c82657a58 100644 --- a/avconv_opt.c +++ b/avconv_opt.c @@ -1633,6 +1633,10 @@ static int opt_target(void *optctx, const char *opt, const char *arg) av_log(NULL, AV_LOG_ERROR, "Unknown target: %s\n", arg); return AVERROR(EINVAL); } + + av_dict_copy(&o->g->codec_opts, codec_opts, 0); + av_dict_copy(&o->g->format_opts, format_opts, 0); + return 0; } From 124ec8b1303d4f29b833099ce9008e31ac6d7c86 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 23 Aug 2014 19:03:21 +0200 Subject: [PATCH 0906/1037] pulse: Add a wallclock option to be compatible with other other captures alsa and x11grab use av_gettime() to report timestamps. Have it on by default. Bug-Id: 647 (cherry picked from commit 424b929b5cb9ca4094099f25179829260d4b0fa3) (cherry picked from commit 404731bd20e1df5880e6fe381e975ba48afc75b2) 
Signed-off-by: Luca Barbato --- libavdevice/pulse.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavdevice/pulse.c b/libavdevice/pulse.c index a8e710d279..2136ee3fa4 100644 --- a/libavdevice/pulse.c +++ b/libavdevice/pulse.c @@ -31,6 +31,7 @@ #include "libavformat/avformat.h" #include "libavformat/internal.h" +#include "libavutil/time.h" #include "libavutil/opt.h" #define DEFAULT_CODEC_ID AV_NE(AV_CODEC_ID_PCM_S16BE, AV_CODEC_ID_PCM_S16LE) @@ -47,6 +48,7 @@ typedef struct PulseData { pa_simple *s; int64_t pts; int64_t frame_duration; + int wallclock; } PulseData; static pa_sample_format_t codec_id_to_pulse_format(int codec_id) { @@ -141,6 +143,8 @@ static int pulse_read_packet(AVFormatContext *s, AVPacket *pkt) if (pd->pts == AV_NOPTS_VALUE) { pd->pts = -latency; + if (pd->wallclock) + pd->pts += av_gettime(); } pkt->pts = pd->pts; @@ -168,6 +172,7 @@ static const AVOption options[] = { { "channels", "number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = 2}, 1, INT_MAX, D }, { "frame_size", "number of bytes per frame", OFFSET(frame_size), AV_OPT_TYPE_INT, {.i64 = 1024}, 1, INT_MAX, D }, { "fragment_size", "buffering size, affects latency and cpu usage", OFFSET(fragment_size), AV_OPT_TYPE_INT, {.i64 = -1}, -1, INT_MAX, D }, + { "wallclock", "set the initial pts using the current time", OFFSET(wallclock), AV_OPT_TYPE_INT, {.i64 = 1}, -1, 1, D }, { NULL }, }; From 5865d599c38850b2a1fd33fe197eb8fcc6c970a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Aug 2014 21:59:33 +0200 Subject: [PATCH 0907/1037] avcodec/iff: check pixfmt for rgb8 / rgbn Fixes out of array access Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 3539d6c63a16e1b2874bb037a86f317449c58770) Conflicts: libavcodec/iff.c (cherry picked from commit 656f930160db48e0b7b25069c62abc340e7f0628) Conflicts: libavcodec/iff.c (cherry picked from commit abc1fa7c5a1dca1345b9471b81cfcda00c56220d) 
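Review bot: The new `wallclock` option is declared with the range `-1, 1`, but pulse_read_packet only tests `if (pd->wallclock)`, so -1 behaves exactly like 1. If no separate "auto" state is intended, declare the bounds as `0, 1`; otherwise the meaning of -1 should be stated in the option's help string. The `PulseData` field would also benefit from a short comment, e.g. `int wallclock; /* non-zero: offset the first pts by av_gettime() */`.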
Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index bebf6a5272..37b7f25a52 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -832,9 +832,9 @@ static int decode_frame(AVCodecContext *avctx, break; case 4: bytestream2_init(&gb, buf, buf_size); - if (avctx->codec_tag == MKTAG('R','G','B','8')) + if (avctx->codec_tag == MKTAG('R','G','B','8') && avctx->pix_fmt == AV_PIX_FMT_RGB32) decode_rgb8(&gb, s->frame.data[0], avctx->width, avctx->height, s->frame.linesize[0]); - else if (avctx->codec_tag == MKTAG('R','G','B','N')) + else if (avctx->codec_tag == MKTAG('R','G','B','N') && avctx->pix_fmt == AV_PIX_FMT_RGB444) decode_rgbn(&gb, s->frame.data[0], avctx->width, avctx->height, s->frame.linesize[0]); else return unsupported(avctx); From 11a61dd0e2b51bdb610a80e322667c3284f6d761 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Mon, 11 Aug 2014 22:06:08 +0000 Subject: [PATCH 0908/1037] proresenc_kostya: report buffer overflow If the allocated size, despite best efforts, is too small, exit with the appropriate error. Signed-off-by: Michael Niedermayer (cherry picked from commit 52b81ff4635c077b2bc8b8d3637d933b6629d803) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 0462c74b13..9f2aa584c4 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -455,6 +455,11 @@ static int encode_slice(AVCodecContext *avctx, const AVFrame *pic, num_cblocks, plane_factor, qmat); total_size += sizes[i]; + if (put_bits_left(pb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Serious underevaluation of" + "required buffer size"); + return AVERROR_BUFFER_TOO_SMALL; + } } return total_size; } 
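Review bot: The error string added in encode_slice is built from two adjacent literals with no space between them and no trailing newline, so it is logged as "Serious underevaluation ofrequired buffer size" and runs into the next log line. Suggest `"Serious underevaluation of required buffer size\n"`. Note also that `put_bits_left(pb) < 0` is evaluated after the plane has been written, so it reports an overrun rather than preventing one. The encode_frame hunks that follow appear to rely on the FF_MIN_BUFFER_SIZE slack kept outside `pkt_size` to absorb it, and a comment at the `ff_alloc_packet2` call should say so. encode_slice starts outside the hunk.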
@@ -753,9 +758,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I; avctx->coded_frame->key_frame = 1; - pkt_size = ctx->frame_size_upper_bound + FF_MIN_BUFFER_SIZE; + pkt_size = ctx->frame_size_upper_bound; - if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size)) < 0) + if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size + FF_MIN_BUFFER_SIZE)) < 0) return ret; orig_buf = pkt->data; @@ -832,7 +837,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, slice_hdr = buf; buf += slice_hdr_size - 1; init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8); - encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); + ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); + if (ret < 0) + return ret; bytestream_put_byte(&slice_hdr, q); slice_size = slice_hdr_size + sizes[ctx->num_planes - 1]; From c58d7f9eb56abc4c90d98011c23a4a031077af4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Aug 2014 01:15:57 +0200 Subject: [PATCH 0909/1037] avcodec: fix aac/ac3 parser bitstream buffer size Buffers containing copies of the AAC and AC3 header bits were not padded before parsing, violating init_get_bits() buffer padding requirement, leading to potential buffer read overflows. This change adds FF_INPUT_BUFFER_PADDING_SIZE bytes to the bit buffer for parsing the header in each of aac_parser.c and ac3_parser.c. Based on patch by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit fccd85b9f30525f88692f53134eba41f1f2d90db) Signed-off-by: Michael Niedermayer --- libavcodec/aac_parser.c | 2 +- libavcodec/ac3_parser.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aac_parser.c b/libavcodec/aac_parser.c index ab6ca4e268..cb93ba9482 100644 --- a/libavcodec/aac_parser.c +++ b/libavcodec/aac_parser.c 
@@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info, int size; union { uint64_t u64; - uint8_t u8[8]; + uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE]; } tmp; tmp.u64 = av_be2ne64(state); diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index 8dc4c0d480..acfbc2ea66 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -147,7 +147,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info, int err; union { uint64_t u64; - uint8_t u8[8]; + uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE]; } tmp = { av_be2ne64(state) }; AC3HeaderInfo hdr; GetBitContext gbc; From 0bf0de718524cb6025a6568c46f3296acdd4fd5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Aug 2014 23:33:40 +0200 Subject: [PATCH 0910/1037] avcodec/utils: add GBRP16 to avcodec_align_dimensions2() Fixes Ticket3869 Signed-off-by: Michael Niedermayer (cherry picked from commit 3fe9e7be4c70c8fccdcd56fd19276e668cfb7de8) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index c25d6412c6..4bf0392687 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -234,6 +234,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_GBRP12BE: case AV_PIX_FMT_GBRP14LE: case AV_PIX_FMT_GBRP14BE: + case AV_PIX_FMT_GBRP16LE: + case AV_PIX_FMT_GBRP16BE: w_align = 16; //FIXME assume 16 pixel per macroblock h_align = 16 * 2; // interlaced needs 2 macroblocks height break; From 96d1a8f0145bd8d8e3b73d064afcb969376c3b5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Aug 2014 02:12:10 +0200 Subject: [PATCH 0911/1037] avcodec/snow: check coeffs for validity Fixes deadlock Fixes integer overflow Fixes Ticket 3892 Signed-off-by: Michael Niedermayer (cherry picked from commit 596636a474ab201badaae269f3a2cef4824b8c1f) 
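Review bot: The enlarged `u8` array in aac_sync leaves the new padding bytes uninitialised, because only `tmp.u64 = av_be2ne64(state);` is written. Any read the bit reader makes past the first eight bytes then sees indeterminate stack data. Zeroing the union first, e.g. `memset(&tmp, 0, sizeof(tmp));` before the assignment, keeps the header parse deterministic. ac3_sync in the next hunk initialises the union with `= { av_be2ne64(state) }`, which covers only the first member and is not guaranteed by the C standard to clear the remaining bytes, so the same applies there. Both functions continue outside their hunks.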
Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index a87d7398d0..813fcba8fc 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -650,7 +650,10 @@ static inline void unpack_coeffs(SnowContext *s, SubBand *b, SubBand * parent, i if(v){ v= 2*(get_symbol2(&s->c, b->state[context + 2], context-4) + 1); v+=get_rac(&s->c, &b->state[0][16 + 1 + 3 + ff_quant3bA[l&0xFF] + 3*ff_quant3bA[t&0xFF]]); - + if ((uint16_t)v != v) { + av_log(s->avctx, AV_LOG_ERROR, "Coefficient damaged\n"); + v = 1; + } xc->x=x; (xc++)->coeff= v; } @@ -660,6 +663,10 @@ static inline void unpack_coeffs(SnowContext *s, SubBand *b, SubBand * parent, i else run= INT_MAX; v= 2*(get_symbol2(&s->c, b->state[0 + 2], 0-4) + 1); v+=get_rac(&s->c, &b->state[0][16 + 1 + 3]); + if ((uint16_t)v != v) { + av_log(s->avctx, AV_LOG_ERROR, "Coefficient damaged\n"); + v = 1; + } xc->x=x; (xc++)->coeff= v; From 195fcbff2b64f3b8b9e9b8ae7dfe8c192ef1918e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Aug 2014 21:44:13 +0200 Subject: [PATCH 0912/1037] Update for 1.1.14 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- VERSION | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE b/RELEASE index 9ea63dbccb..e9bc14996e 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.13 +1.1.14 diff --git a/VERSION b/VERSION index 9ea63dbccb..e9bc14996e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.13 +1.1.14 diff --git a/doc/Doxyfile b/doc/Doxyfile index ec41e77324..972bcaf046 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
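Review bot: Both added range checks call av_log at error level from what appears to be the per-coefficient path of unpack_coeffs, so a damaged bitstream can produce one log line per coefficient. Consider reporting once per call, or propagating an error to the caller, and add a comment explaining why the value is replaced with 1 rather than aborting the decode. The test `(uint16_t)v != v` is duplicated verbatim in the two hunks and would be clearer as one small `static inline` helper. unpack_coeffs starts and ends outside the hunks.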
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.13 +PROJECT_NUMBER = 1.1.14 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 4ede955d864d6d8163abdf490f8af6cc49154e38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jul 2014 02:22:11 +0200 Subject: [PATCH 0913/1037] remove VERSION file it overrides what version.sh prints and thus makes its output from release branches rather useless Signed-off-by: Michael Niedermayer (cherry picked from commit 2f71aeb30161edb5cb0fea5d3080094a22cc3038) Conflicts: VERSION (cherry picked from commit f543d32455a30c7e11206241184dfb16b8a8081c) Conflicts: VERSION (cherry picked from commit 59b2a9ef957ec796ccf457aad263a52bc457b610) Conflicts: VERSION Signed-off-by: Michael Niedermayer --- VERSION | 1 - 1 file changed, 1 deletion(-) delete mode 100644 VERSION diff --git a/VERSION b/VERSION deleted file mode 100644 index e9bc14996e..0000000000 --- a/VERSION +++ /dev/null @@ -1 +0,0 @@ -1.1.14 From 3ed4dc92284cfa1ce06e5af4458fdd374b3ca43d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jul 2014 02:40:35 +0200 Subject: [PATCH 0914/1037] version.sh: Print versions based on the last git tag for release branches release branches are detected by checking if "git" is not in RELEASE This changes "N-64706-g2f71aeb" to "n2.3-8-g2f71aeb" for git master theres no change This should improve the readability of lists of versions which come from more than 1 release branch or master + release. fate.ffmpeg.org is one possible example Reviewed-by: Timothy Gu Signed-off-by: Michael Niedermayer (cherry picked from commit ee606fd0317df202b59946cf9b738c0a01056316) Signed-off-by: Michael Niedermayer (cherry picked from commit 1f4d779e87050111f831f24645580f04e0b1917b) 
Signed-off-by: Michael Niedermayer (cherry picked from commit 0a64e9a0299b8ded2508be4c6f4949f8f8f57724) Signed-off-by: Michael Niedermayer --- version.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/version.sh b/version.sh index 8d084c2df3..2309176f7a 100755 --- a/version.sh +++ b/version.sh @@ -2,7 +2,11 @@ # check for git short hash if ! test "$revision"; then - revision=$(cd "$1" && git describe --tags --match N 2> /dev/null) + if (cd "$1" && grep git RELEASE 2> /dev/null >/dev/null) ; then + revision=$(cd "$1" && git describe --tags --match N 2> /dev/null) + else + revision=$(cd "$1" && git describe --tags --always 2> /dev/null) + fi fi # Shallow Git clones (--depth) do not have the N tag: From 552fe9b07f6b0cd6879869e1b4a17e9293fbd5a5 Mon Sep 17 00:00:00 2001 From: Jon Morley Date: Tue, 19 Aug 2014 11:17:49 -0700 Subject: [PATCH 0915/1037] avcodec/adpcm: Fix incorrect AVSampleFormat for sample_fmts_s16p The AVSampleFormat list of sample_fmts_s16p is missing the trailing "P" for planar formats. AV_SAMPLE_FMT_S16 vs AV_SAMPLE_FMT_S16P Signed-off-by: Michael Niedermayer (cherry picked from commit 18e70006e7d39f256079cd461a0fe75f1e9cbfd2) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index cd68257256..40ead437f8 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1387,7 +1387,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, static const enum AVSampleFormat sample_fmts_s16[] = { AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }; -static const enum AVSampleFormat sample_fmts_s16p[] = { AV_SAMPLE_FMT_S16, +static const enum AVSampleFormat sample_fmts_s16p[] = { AV_SAMPLE_FMT_S16P, AV_SAMPLE_FMT_NONE }; static const enum AVSampleFormat sample_fmts_both[] = { AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_S16P, From 3231e7ab64efaf073037f2bab08f0e8b1f0116d0 Mon Sep 17 00:00:00 2001 
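Review bot: The branch test in version.sh, `grep git RELEASE 2> /dev/null >/dev/null`, matches the substring "git" anywhere in the file and is easier to read as `grep -q git RELEASE 2>/dev/null`. A one-line comment above the `if`, such as `# RELEASE contains "git" only on the development branch; release branches describe from their last tag`, would explain why the two `git describe` invocations differ.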
From: Christophe Gisquet Date: Tue, 19 Aug 2014 12:26:47 +0000 Subject: [PATCH 0916/1037] wavpack: report if there is no bits left Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 11a39bdf534a4ead634b4a593c66ebf756910b9b) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 36f3ad7767..2493089d20 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -398,6 +398,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, return sign ? ~ret : ret; error: + ret = get_bits_left(gb); + if (ret <= 0) { + av_log(ctx->avctx, AV_LOG_ERROR, "Too few bits (%d) left\n", ret); + } *last = 1; return 0; } From 7f7cf051edd3562af199be97864e03bc3e3ceda0 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Sun, 17 Aug 2014 17:09:13 +0000 Subject: [PATCH 0917/1037] alacenc: increase predictor buffer This change is almost cosmetical only, and reduces the changes needed to fix the 24bps case. Signed-off-by: Michael Niedermayer (cherry picked from commit c0d18cc085b13cdfb05ea90a20b46235fb4fa0a9) Signed-off-by: Michael Niedermayer --- libavcodec/alacenc.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/alacenc.c b/libavcodec/alacenc.c index 5354d0b940..e92831f621 100644 --- a/libavcodec/alacenc.c +++ b/libavcodec/alacenc.c @@ -67,7 +67,7 @@ typedef struct AlacEncodeContext { int write_sample_size; int extra_bits; int32_t sample_buf[2][DEFAULT_FRAME_SIZE]; - int32_t predictor_buf[DEFAULT_FRAME_SIZE]; + int32_t predictor_buf[2][DEFAULT_FRAME_SIZE]; int interlacing_shift; int interlacing_leftweight; PutBitContext pbctx; 
@@ -254,13 +254,14 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch) { int i; AlacLPCContext lpc = s->lpc[ch]; + int32_t *residual = s->predictor_buf[ch]; if (lpc.lpc_order == 31) { - s->predictor_buf[0] = s->sample_buf[ch][0]; + residual[0] = s->sample_buf[ch][0]; for (i = 1; i < s->frame_size; i++) { - s->predictor_buf[i] = s->sample_buf[ch][i ] - - s->sample_buf[ch][i - 1]; + residual[i] = s->sample_buf[ch][i ] - + s->sample_buf[ch][i - 1]; } return; @@ -270,7 +271,6 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch) if (lpc.lpc_order > 0) { int32_t *samples = s->sample_buf[ch]; - int32_t *residual = s->predictor_buf; // generate warm-up samples residual[0] = samples[0]; @@ -314,11 +314,11 @@ static void alac_linear_predictor(AlacEncodeContext *s, int ch) } } -static void alac_entropy_coder(AlacEncodeContext *s) +static void alac_entropy_coder(AlacEncodeContext *s, int ch) { unsigned int history = s->rc.initial_history; int sign_modifier = 0, i, k; - int32_t *samples = s->predictor_buf; + int32_t *samples = s->predictor_buf[ch]; for (i = 0; i < s->frame_size;) { int x; @@ -433,10 +433,11 @@ static void write_element(AlacEncodeContext *s, // TODO: determine when this will actually help. for now it's not used. if (prediction_type == 15) { // 2nd pass 1st order filter + int32_t *residual = s->predictor_buf[channels]; for (j = s->frame_size - 1; j > 0; j--) - s->predictor_buf[j] -= s->predictor_buf[j - 1]; + residual[j] -= residual[j - 1]; } - alac_entropy_coder(s); + alac_entropy_coder(s, i); } } } From 60f94f708414b187724d42e904b1b3aabe24ad85 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Sun, 17 Aug 2014 18:56:45 +0200 Subject: [PATCH 0918/1037] alacenc: fix extra bits extraction The raw coded bits are extracted prior to decorrelation, as is correctly performed by the decoder, and not after. Fixes ticket #2768. Signed-off-by: Michael Niedermayer (cherry picked from commit 96d217832598da7001bc204706476dd1e37f377e) 
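Review bot: In the write_element hunk, `int32_t *residual = s->predictor_buf[channels];` indexes by the channel count rather than by the channel being coded. With `predictor_buf[2][DEFAULT_FRAME_SIZE]` as declared in the first hunk, `channels == 2` selects a row past the end of the array. The same loop passes `i` to `alac_entropy_coder(s, i)`, so `s->predictor_buf[i]` looks like the intended index. The existing comment says the `prediction_type == 15` branch is not used for now, so the defect is latent, but it becomes an out-of-bounds write as soon as that path is enabled. write_element starts outside the hunk.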
Signed-off-by: Michael Niedermayer --- libavcodec/alacenc.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/libavcodec/alacenc.c b/libavcodec/alacenc.c index e92831f621..56cbfdcedb 100644 --- a/libavcodec/alacenc.c +++ b/libavcodec/alacenc.c @@ -395,6 +395,19 @@ static void write_element(AlacEncodeContext *s, init_sample_buffers(s, channels, samples); write_element_header(s, element, instance); + // extract extra bits if needed + if (s->extra_bits) { + uint32_t mask = (1 << s->extra_bits) - 1; + for (j = 0; j < channels; j++) { + int32_t *extra = s->predictor_buf[j]; + int32_t *smp = s->sample_buf[j]; + for (i = 0; i < s->frame_size; i++) { + extra[i] = smp[i] & mask; + smp[i] >>= s->extra_bits; + } + } + } + if (channels == 2) alac_stereo_decorrelation(s); else @@ -420,8 +433,7 @@ static void write_element(AlacEncodeContext *s, uint32_t mask = (1 << s->extra_bits) - 1; for (i = 0; i < s->frame_size; i++) { for (j = 0; j < channels; j++) { - put_bits(pb, s->extra_bits, s->sample_buf[j][i] & mask); - s->sample_buf[j][i] >>= s->extra_bits; + put_bits(pb, s->extra_bits, s->predictor_buf[j][i] & mask); } } } From f3c8a8b087d08019604fd641970b49144cc3dfa2 Mon Sep 17 00:00:00 2001 From: Piotr Bandurski Date: Sun, 17 Aug 2014 18:17:13 +0200 Subject: [PATCH 0919/1037] avcodec/lcldec: fix decoding of YUV444 sample Signed-off-by: Michael Niedermayer (cherry picked from commit a3329a09f93455a44ff3c9c64886c4da1f66bcfb) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 5708a12d3d..68930186d9 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c 
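Review bot: The dual use of `predictor_buf` introduced in the alacenc hunks is undocumented: the first hunk stores the extracted extra bits in `predictor_buf[j]`, and the previous patch in this series makes the same rows the residual buffer of alac_linear_predictor. The code is correct only if the extra bits are emitted before prediction runs for that channel, which cannot be confirmed from these two hunks alone. A comment at the extraction loop, e.g. `/* predictor_buf is borrowed for the extra bits; they must be written before alac_linear_predictor() overwrites it */`, would make the ordering requirement explicit. The `& mask` in the second hunk is now redundant because the values were already masked on extraction.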
@@ -199,7 +199,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac case AV_CODEC_ID_MSZH: switch (c->compression) { case COMP_MSZH: - if (c->imgtype == IMGTYPE_RGB24 && len == width * height * 3) { + if (c->imgtype == IMGTYPE_RGB24 && len == width * height * 3 || + c->imgtype == IMGTYPE_YUV111 && len == width * height * 3) { ; } else if (c->flags & FLAG_MULTITHREAD) { mthread_inlen = AV_RL32(encoded); From 9920a8a83f578821e00212da6b79c8997a725fa8 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 10 Sep 2014 18:38:15 +0200 Subject: [PATCH 0920/1037] doc: Fix syntax and logical errors in avconv stream combination example Bug-Id: 661 CC: libav-stable@libav.org (cherry picked from commit 775a0b04f0cf8102fe322b2ee03fe1a0633dea04) Signed-off-by: Diego Biurrun --- doc/avconv.texi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/avconv.texi b/doc/avconv.texi index 7341d2fda6..d393383829 100644 --- a/doc/avconv.texi +++ b/doc/avconv.texi @@ -1039,11 +1039,11 @@ only formats accepting a normal integer are suitable. You can put many streams of the same type in the output: @example -avconv -i test1.avi -i test2.avi -map 0.3 -map 0.2 -map 0.1 -map 0.0 -c copy test12.nut +avconv -i test1.avi -i test2.avi -map 1:1 -map 1:0 -map 0:1 -map 0:0 -c copy -y test12.nut @end example -The resulting output file @file{test12.avi} will contain first four streams from -the input file in reverse order. +The resulting output file @file{test12.nut} will contain the first four streams +from the input files in reverse order. @item To force CBR video output: From 2cd5640bce0ee8f515ff05040ce1c18d6af2694c Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 10 Sep 2014 12:58:01 -0700 Subject: [PATCH 0921/1037] Prepare for 9.17 release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index fd9cd75295..b17b48a035 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.16 +9.17 
From 606bbd50b1ebaa3c040fc7cab84f1d8bb5d3d248 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 10 Sep 2014 12:58:33 -0700 Subject: [PATCH 0922/1037] Update Changelog for v9.17 --- Changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Changelog b/Changelog index d3cf1ef4b8..355b7dc8e6 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,13 @@ Releases are sorted from youngest to oldest. +version 9.17: +- ffv1dec: check that global parameters do not change in version 0/1 +- mpegenc: limit the maximum muxrate +- avconv: fix the muxrate values for -target +- avconv: fix parsing the AVOptions for -target +- pulse: Add a wallclock option to be compatible with other other captures +- doc: Fix syntax and logical errors in avconv stream combination example + version 9.16: - vp3: Copy all 3 frames for thread updates (CVE-2011-3934) - mpegts: Do not try to write a PMT larger than SECTION_SIZE (CVE-2014-2263) From 56ac2cbd0464e0146e62c91843e2b1f5e0908504 Mon Sep 17 00:00:00 2001 From: Katerina Barone-Adesi Date: Tue, 16 Sep 2014 01:40:24 +0200 Subject: [PATCH 0923/1037] apetag: Fix APE tag size check The size variable is (correctly) unsigned, but is passed to several functions which take signed parameters, such as avio_read, sometimes after having numbers added to it. So ensure that size remains within the bounds that these functions can handle. (cherry picked from commit d14696c99ccac12a052ce10e70859ffc0293ed6a) Signed-off-by: Diego Biurrun --- libavformat/apetag.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index bb8b2dfadc..df5a957204 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c 
@@ -53,8 +53,10 @@ static int ape_tag_read_field(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key); return -1; } - if (size >= UINT_MAX) - return -1; + if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + av_log(s, AV_LOG_ERROR, "APE tag size too large.\n"); + return AVERROR_INVALIDDATA; + } if (flags & APE_TAG_FLAG_IS_BINARY) { uint8_t filename[1024]; enum AVCodecID id; From 489c180451b1cde469f6aeea44f8bdb11cd941d0 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Tue, 16 Sep 2014 03:36:36 -0700 Subject: [PATCH 0924/1037] Add some bug references to the changelog --- Changelog | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Changelog b/Changelog index 355b7dc8e6..320112cbe9 100644 --- a/Changelog +++ b/Changelog @@ -1,12 +1,12 @@ Releases are sorted from youngest to oldest. version 9.17: -- ffv1dec: check that global parameters do not change in version 0/1 +- ffv1dec: check that global parameters do not change in version 0/1 (CVE-2013-7020) - mpegenc: limit the maximum muxrate - avconv: fix the muxrate values for -target - avconv: fix parsing the AVOptions for -target -- pulse: Add a wallclock option to be compatible with other other captures -- doc: Fix syntax and logical errors in avconv stream combination example +- pulse: Add a wallclock option to be compatible with other captures (libav/647) +- doc: Fix syntax and logical errors in avconv stream combination example (libav/661) version 9.16: - vp3: Copy all 3 frames for thread updates (CVE-2011-3934) 
@@ -435,7 +435,7 @@ version 9.2: - H.264: fix ff_generate_sliding_window_mmcos() prototype - H.264: don't clobber mmco opcode tables for non-first slice headers - libx264: use the library specific default rc_initial_buffer_occupancy -- lavc: set the default rc_initial_buffer_occupancy +- lavc: set the default rc_initial_buffer_occupancy (libav/222, ubuntu/1023408) - lavc: introduce the convenience function init_get_bits8 - lavc: check for overflow in init_get_bits - configure: enable pic for shared libs on AArch64 From ce424e57d629072652935501b439c1a6310c2089 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 14 Nov 2014 20:20:50 +0100 Subject: [PATCH 0925/1037] mp3enc: fix a triggerable assert We have to check against the number of bytes actually needed, not the theoretical maximum size. (cherry picked from commit 12700b0219521a5f20c8ba47b3ad7857ea9e0554) Signed-off-by: Anton Khirnov (cherry picked from commit 871d99ef77336069e5a8ece947c8160d9bc4d5ea) Signed-off-by: Anton Khirnov --- libavformat/mp3enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c index 631705c0a5..0596d60dee 100644 --- a/libavformat/mp3enc.c +++ b/libavformat/mp3enc.c @@ -195,7 +195,7 @@ static void mp3_write_xing(AVFormatContext *s) avpriv_mpegaudio_decode_header(&mpah, header); - av_assert0(mpah.frame_size >= XING_MAX_SIZE); + av_assert0(mpah.frame_size >= bytes_needed); ffio_fill(s->pb, 0, xing_offset); mp3->xing_offset = avio_tell(s->pb); From 93f919d0b4c4341ccee366c98ac9af813f8fe622 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 12 Aug 2014 14:39:10 +0000 Subject: [PATCH 0926/1037] mov: avoid a memleak when multiple stss boxes are present CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 64f7575fbd64e5b65d5c644347408588c776f1fe) Signed-off-by: Anton Khirnov (cherry picked from commit 577f1feb3fd1e51fd14af7ce6d79d468faa3b929) 
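Review bot: In the mp3_write_xing hunk of libavformat/mp3enc.c the guard is still an `av_assert0`, so if `mpah.frame_size` can ever be smaller than `bytes_needed` the muxer aborts the whole process instead of failing this one output. `bytes_needed` and the code that builds `header` are outside the hunk, so this may already be an invariant; if it is, a comment saying where it is established belongs next to the assert. If it is not, a plain `if (mpah.frame_size < bytes_needed) return;` before `ffio_fill` would skip the Xing frame in this void function rather than abort.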
Signed-off-by: Anton Khirnov (cherry picked from commit 931f5b235112f1c2a09dead36f0a228061d23942) Signed-off-by: Anton Khirnov --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4453d6deff..e2d3f9380b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1530,6 +1530,7 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) } if (entries >= UINT_MAX / sizeof(int)) return AVERROR_INVALIDDATA; + av_freep(&sc->keyframes); sc->keyframes = av_malloc(entries * sizeof(int)); if (!sc->keyframes) return AVERROR(ENOMEM); From 50cb695bf124b0bd4d9e2b3c1bfdd08b35b14438 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 0927/1037] jvdec: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 8. CC: libav-stable@libav.org Bug-ID: CVE-2014-8542 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 88626e5af8d006e67189bf10b96b982502a7e8ad) Signed-off-by: Anton Khirnov (cherry picked from commit 55788572ea7b89cdd77bab1cf4bf06d14ead34f5) Signed-off-by: Anton Khirnov (cherry picked from commit 8f238dd9bdd9eba569fcaa564a07fbdd89412a14) Signed-off-by: Anton Khirnov Conflicts: libavcodec/jvdec.c --- libavcodec/jvdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 8c919d290e..dad2c49f38 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -40,6 +40,14 @@ typedef struct JvContext { static av_cold int decode_init(AVCodecContext *avctx) { JvContext *s = avctx->priv_data; + + if (!avctx->width || !avctx->height || + (avctx->width & 7) || (avctx->height & 7)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + avctx->pix_fmt = AV_PIX_FMT_PAL8; ff_dsputil_init(&s->dsp, avctx); return 0; 
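Review bot: In the mov_read_stss hunk of libavformat/mov.c the added `av_freep(&sc->keyframes)` releases the old array, but the entry count kept beside it is not reset before the `av_malloc` that can fail with `AVERROR(ENOMEM)`. The count assignment is not visible in this hunk; if it only happens after a successful allocation, a second stss box that fails to allocate leaves a non-zero count next to a NULL pointer for later readers of the index. Resetting it together with the free, `sc->keyframe_count = 0;`, keeps the pair consistent on every exit path.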
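Review bot: In the decode_init hunk of libavcodec/jvdec.c the dimension test uses `!avctx->width` plus a bit mask, which lets a negative value that is a multiple of 8 through; `avctx->width <= 0 || avctx->height <= 0` closes that without relying on an earlier size check that is not visible here. The same pattern appears in the mm_decode_init hunk of libavcodec/mmvideo.c in the next patch (mask 1 instead of 7). Both checks run only at init, so if the dimensions can change mid-stream the decode path would need the same test; that code is outside these hunks.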
From 03dba25a4001495226651068232b4c6b1e75fd02 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 0928/1037] mmvideo: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 2. CC: libav-stable@libav.org Bug-ID: CVE-2014-8543 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 17ba719d9ba30c970f65747f42d5fbb1e447ca28) Signed-off-by: Anton Khirnov (cherry picked from commit 69a930b988ff4f88ae27e4fc24ff6ed116840b5e) Signed-off-by: Anton Khirnov (cherry picked from commit 3f10a779b465fd22d3aec1b744ca8544bc2da970) Signed-off-by: Anton Khirnov Conflicts: libavcodec/mmvideo.c --- libavcodec/mmvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index e1ae991dee..9ec2acf700 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -60,6 +60,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (!avctx->width || !avctx->height || + (avctx->width & 1) || (avctx->height & 1)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame.reference = 1; return 0; From 02de44073a8e116ea177b53081219d32ef135ad8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 20:15:52 +0200 Subject: [PATCH 0929/1037] gifdec: refactor interleave end handling Fixes invalid writes with very small image heights. CC: libav-stable@libav.org Bug-ID: CVE-2014-8547 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 0b39ac6f54505a538c21fe49a626de94c518c903) Signed-off-by: Anton Khirnov (cherry picked from commit eac49477aa95cf727d87d2741ee8e60be59d394b) Signed-off-by: Anton Khirnov (cherry picked from commit 92888e9ed4ea4e761ae953bbe28c85cc658abc8f) 
Signed-off-by: Anton Khirnov --- libavcodec/gifdec.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 99c24d50ab..5297ed6ea7 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -128,26 +128,21 @@ static int gif_read_image(GifState *s) case 1: y1 += 8; ptr += linesize * 8; - if (y1 >= height) { - y1 = pass ? 2 : 4; - ptr = ptr1 + linesize * y1; - pass++; - } break; case 2: y1 += 4; ptr += linesize * 4; - if (y1 >= height) { - y1 = 1; - ptr = ptr1 + linesize; - pass++; - } break; case 3: y1 += 2; ptr += linesize * 2; break; } + while (y1 >= height) { + y1 = 4 >> pass; + ptr = ptr1 + linesize * y1; + pass++; + } } else { ptr += linesize; } From 306ee95088243fefa2dfcb5c355d439db75e2d2a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 22:50:45 +0200 Subject: [PATCH 0930/1037] smc: fix the bounds check Fixes invalid writes when there are more blocks in a run than total remaining blocks. CC: libav-stable@libav.org Bug-ID: CVE-2014-8548 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit d423dd72be451462c6fb1cbbe313bed0194001ab) Signed-off-by: Anton Khirnov (cherry picked from commit 58dc526ebf722d33bf09275c1241674e0e6b9ef1) Signed-off-by: Anton Khirnov (cherry picked from commit f249e9889155599ee3ad0172832d38f68b0c625d) Signed-off-by: Anton Khirnov --- libavcodec/smc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 1834003a39..66e701ec33 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -69,7 +69,7 @@ typedef struct SmcContext { row_ptr += stride * 4; \ } \ total_blocks--; \ - if (total_blocks < 0) \ + if (total_blocks < !!n_blocks) \ { \ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ return; \ From 8df5b0250d109a2995238c05128d6a770c03005c Mon Sep 17 00:00:00 2001 
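Review bot: The new `while (y1 >= height)` loop in the gif_read_image hunk of libavcodec/gifdec.c has no comment and depends on two things it does not show: that `4 >> pass` yields the start rows 4, 2, 1 for the following passes and 0 once all of them are done, and that `height` is at least 1 so the loop stops at `y1 == 0`. I would add `/* skip interlace passes that have no rows in an image this short; start rows are 4, 2, 1, then 0 */` above the loop. If `height` could be 0 here the loop would not terminate and `pass` would grow past the shift width, so it is worth confirming that the enclosing row loop, which is outside the hunk, excludes that.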
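Review bot: `if (total_blocks < !!n_blocks)` in the block-advance macro hunk of libavcodec/smc.c is hard to read, and the log text under it no longer matches: the branch now also fires when the counter reaches 0 while blocks of the current run are still pending, not only when it goes negative. Spelling it out as `if (total_blocks < 0 || (total_blocks == 0 && n_blocks))` and rewording the message to say the run exceeds the remaining blocks would make the check self-explanatory. The macro now also requires an `n_blocks` variable to be in scope at every expansion site, which is outside the hunk and deserves a comment on the macro.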
From: Michael Niedermayer Date: Tue, 2 Sep 2014 05:22:26 +0200 Subject: [PATCH 0931/1037] avformat/swfdec: Use side data to communicate w/h changes to the decoder Fixes reading from freed data Fixes part of Ticket3539 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1c55d0ff3202a04ebc67a72d72391104e9bdb633) Signed-off-by: Michael Niedermayer (cherry picked from commit a9734e7d3017ffc9539eaac2a8acce3ad427f746) Signed-off-by: Michael Niedermayer --- libavformat/swfdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 8fb4aeb37a..ad587ea7d5 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -346,11 +346,15 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) avpriv_set_pts_info(vst, 64, 256, swf->frame_rate); st = vst; } - st->codec->width = width; - st->codec->height = height; if ((res = av_new_packet(pkt, out_len - colormapsize * colormapbpp)) < 0) goto bitmap_end; + if (!st->codec->width && !st->codec->height) { + st->codec->width = width; + st->codec->height = height; + } else { + ff_add_param_change(pkt, 0, 0, 0, width, height); + } pkt->pos = pos; pkt->stream_index = st->index; From 857eaa45ba94579cd18fec2a6fd4a4d64b9865c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Sep 2014 16:42:33 +0200 Subject: [PATCH 0932/1037] avformat/swfdec: Do not change the pixel format This is currently not supported Fixes part of Ticket 3539 Signed-off-by: Michael Niedermayer (cherry picked from commit c2430304dfb3cc0e3a59ce6d1b59ebdcc934a0c2) Signed-off-by: Michael Niedermayer --- libavformat/swfdec.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index ad587ea7d5..2e3731210f 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c 
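Review bot: The return value of `ff_add_param_change()` is dropped in the swf_read_packet hunk of libavformat/swfdec.c, so if attaching the side data fails the packet is delivered without the new dimensions ever being announced to the decoder, which is the situation this change is meant to prevent. Following the `av_new_packet` line just above, the branch could read `} else if ((res = ff_add_param_change(pkt, 0, 0, 0, width, height)) < 0) goto bitmap_end;`. The else branch also runs for every bitmap packet, including those whose `width` and `height` equal the current codec values; comparing first would avoid redundant side data. Whether `bitmap_end` releases `pkt` is outside the hunk.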
@@ -282,6 +282,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) const int bmp_fmt = avio_r8(pb); const int width = avio_rl16(pb); const int height = avio_rl16(pb); + int pix_fmt; len -= 2+1+2+2; @@ -360,7 +361,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) switch (bmp_fmt) { case 3: - st->codec->pix_fmt = AV_PIX_FMT_PAL8; + pix_fmt = AV_PIX_FMT_PAL8; for (i = 0; i < colormapsize; i++) if (alpha_bmp) colormap[i] = buf[3]<<24 | AV_RB24(buf + 4*i); else colormap[i] = 0xffU <<24 | AV_RB24(buf + 3*i); @@ -372,14 +373,20 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) memcpy(pal, colormap, AVPALETTE_SIZE); break; case 4: - st->codec->pix_fmt = AV_PIX_FMT_RGB555; + pix_fmt = AV_PIX_FMT_RGB555; break; case 5: - st->codec->pix_fmt = alpha_bmp ? AV_PIX_FMT_ARGB : AV_PIX_FMT_0RGB; + pix_fmt = alpha_bmp ? AV_PIX_FMT_ARGB : AV_PIX_FMT_0RGB; break; default: av_assert0(0); } + if (st->codec->pix_fmt != AV_PIX_FMT_NONE && st->codec->pix_fmt != pix_fmt) { + av_log(s, AV_LOG_ERROR, "pixel format change unsupported\n"); + res = AVERROR_PATCHWELCOME; + goto bitmap_end; + } + st->codec->pix_fmt = pix_fmt; if (linesize * height > pkt->size) { res = AVERROR_INVALIDDATA; From a2933aa59a466ae4ca50c8f41a6a16bf7df35400 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 12:52:24 +0200 Subject: [PATCH 0933/1037] avcodec/mpegvideo: Use "goto fail" for all error paths in ff_mpv_common_frame_size_change() Signed-off-by: Michael Niedermayer (cherry picked from commit 2762323c37511fbbc98b164c07620b9ebc59ec68) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 566c0d2e2c..37da6e5534 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
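Review bot: In the swf_read_packet hunks of libavformat/swfdec.c the new local is declared `int pix_fmt;` with no initializer and is compared with `st->codec->pix_fmt` after the switch; it is assigned on every path only because `default:` ends in `av_assert0(0)`. Declaring it as `enum AVPixelFormat pix_fmt = AV_PIX_FMT_NONE;` matches the field it is stored into and keeps the comparison defined if the default branch is ever turned into an error return. `bmp_fmt` comes straight from `avio_r8(pb)` in the first hunk, so that assert is reachable from input unless the value is filtered between the hunks, which I cannot see from here.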
@@ -1063,7 +1063,7 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) if ((s->width || s->height) && av_image_check_size(s->width, s->height, 0, s->avctx)) - return AVERROR_INVALIDDATA; + goto fail; if ((err = init_context_frame(s))) goto fail; From 91c3a829a4ed933dbf7be1adc9e47dae6a52762a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 13:00:47 +0200 Subject: [PATCH 0934/1037] avcodec/mpegvideo: check that the context is initialized in ff_mpv_common_frame_size_change() The function otherwise would initialize the context without setting context_initialized alternatively we could set context_initialized Fixes valgrind anomalies related to ticket 3928 Signed-off-by: Michael Niedermayer (cherry picked from commit 0d0f7f0ba43f64312ae4a05d97afecf1b7b1330c) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 37da6e5534..6035d5130e 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1034,6 +1034,9 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) { int i, err = 0; + if (!s->context_initialized) + return AVERROR(EINVAL); + if (s->slice_context_count > 1) { for (i = 0; i < s->slice_context_count; i++) { free_duplicate_context(s->thread_context[i]); From 66b1f5894a1dccc3db849675c9eaef50cd06e50c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 14:14:52 +0200 Subject: [PATCH 0935/1037] avcodec/mpegvideo: Set err on failure in ff_mpv_common_frame_size_change() Found-by: ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit cfce6f7efd28130bf0dd409b2367ca0f8c9b2417) Conflicts: libavcodec/mpegvideo.c --- libavcodec/mpegvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 6035d5130e..b227415dc7 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
@@ -1065,7 +1065,7 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) s->mb_height = (s->height + 15) / 16; if ((s->width || s->height) && - av_image_check_size(s->width, s->height, 0, s->avctx)) + (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) goto fail; if ((err = init_context_frame(s))) @@ -1082,7 +1082,7 @@ int ff_MPV_common_frame_size_change(MpegEncContext *s) } for (i = 0; i < nb_slices; i++) { - if (init_duplicate_context(s->thread_context[i], s) < 0) + if ((err = init_duplicate_context(s->thread_context[i], s)) < 0) goto fail; s->thread_context[i]->start_mb_y = (s->mb_height * (i) + nb_slices / 2) / nb_slices; From a76198ed288bc93e9a4019c4f04f79a9cf210285 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Sep 2014 16:39:39 +0200 Subject: [PATCH 0936/1037] avformat/m4vdec: Check for non startcode 00 00 00 sequences in probe Fixes miss detection of PCM as m4v Fixes Ticket 3928 Signed-off-by: Michael Niedermayer (cherry picked from commit 7c1835c52a4be2e4e996f83c91a8d5a147b01100) Signed-off-by: Michael Niedermayer --- libavformat/m4vdec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/m4vdec.c b/libavformat/m4vdec.c index e72fb42f1d..2deff32906 100644 --- a/libavformat/m4vdec.c +++ b/libavformat/m4vdec.c 
@@ -33,13 +33,15 @@ static int mpeg4video_probe(AVProbeData *probe_packet) for(i=0; ibuf_size; i++){ temp_buffer = (temp_buffer<<8) + probe_packet->buf[i]; - if ((temp_buffer & 0xffffff00) != 0x100) + if (temp_buffer & 0xfffffe00) + continue; + if (temp_buffer < 2) continue; if (temp_buffer == VOP_START_CODE) VOP++; else if (temp_buffer == VISUAL_OBJECT_START_CODE) VISO++; - else if (temp_buffer < 0x120) VO++; - else if (temp_buffer < 0x130) VOL++; + else if (temp_buffer >= 0x100 && temp_buffer < 0x120) VO++; + else if (temp_buffer >= 0x120 && temp_buffer < 0x130) VOL++; else if ( !(0x1AF < temp_buffer && temp_buffer < 0x1B7) && !(0x1B9 < temp_buffer && temp_buffer < 0x1C4)) res++; } From 1eb59e4d54023fb4ca86d587b380b1cf3067d170 Mon Sep 17 00:00:00 2001 From: lvqcl Date: Sat, 27 Sep 2014 13:21:31 +0200 Subject: [PATCH 0937/1037] avutil/x86/cpu: fix cpuid sub-leaf selection Signed-off-by: Michael Niedermayer (cherry picked from commit e58fc44649d07d523fcd17aa10d9eb0d3a5ef3f4) Signed-off-by: Michael Niedermayer --- libavutil/x86/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c index a3a5239159..9f8d7491e8 100644 --- a/libavutil/x86/cpu.c +++ b/libavutil/x86/cpu.c @@ -44,7 +44,7 @@ "cpuid \n\t" \ "xchg %%"REG_b", %%"REG_S \ : "=a" (eax), "=S" (ebx), "=c" (ecx), "=d" (edx) \ - : "0" (index)) + : "0" (index), "2"(0)) #define xgetbv(index, eax, edx) \ __asm__ (".byte 0x0f, 0x01, 0xd0" : "=a"(eax), "=d"(edx) : "c" (index)) From 135a09c46ee6354957737926aa735fb2289ad1ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Sep 2014 20:34:44 +0200 Subject: [PATCH 0938/1037] avcodec/ac3enc_template: fix out of array read Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d85ebea3f3b68ebccfe308fa839fc30fa634e4de) Signed-off-by: Michael Niedermayer --- libavcodec/ac3enc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
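Review bot: The two new filters in the mpeg4video_probe hunk of libavformat/m4vdec.c use bare masks with no explanation, and the intent (count `00 00 00 xx` words as evidence against MPEG-4 video) is only stated in the commit message. I would add `/* keep only 00 00 00 xx and 00 00 01 xx */` above `if (temp_buffer & 0xfffffe00)` and `/* 0 and 1 occur inside plain runs of zero bytes */` above `if (temp_buffer < 2)`. With those in place it is easier to see that values 2..0xff now fall through to the final `res++` branch, which is what makes the added `>= 0x100` and `>= 0x120` lower bounds necessary.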
diff --git a/libavcodec/ac3enc_template.c b/libavcodec/ac3enc_template.c index 904e0bb9ef..5b06531b56 100644 --- a/libavcodec/ac3enc_template.c +++ b/libavcodec/ac3enc_template.c @@ -259,7 +259,7 @@ static void apply_channel_coupling(AC3EncodeContext *s) energy_cpl = energy[blk][CPL_CH][bnd]; energy_ch = energy[blk][ch][bnd]; blk1 = blk+1; - while (!s->blocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) { + while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) { if (s->blocks[blk1].cpl_in_use) { energy_cpl += energy[blk1][CPL_CH][bnd]; energy_ch += energy[blk1][ch][bnd]; From 0872359f9fff2d7f404ad3b202bcd96517812c1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 21 Sep 2014 09:58:10 +0100 Subject: [PATCH 0939/1037] configure: add noexecstack to linker options if supported. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Reimar Döffinger (cherry picked from commit b7082d953fda93f7841ffffe7d15a6c3cd15bdee) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 96703ec2ee..c5ccd3eda1 100755 --- a/configure +++ b/configure @@ -3691,6 +3691,7 @@ EOF fi check_ldflags -Wl,--as-needed +check_ldflags -Wl,-z,noexecstack if check_func dlopen; then ldl= From d44d87e172648ece39bb7328edf80577c66914db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Oct 2014 23:17:21 +0200 Subject: [PATCH 0940/1037] avcodec/jpeglsdec: Check run value more completely in ls_decode_line() previously it could have been by 1 too large Fixes out of array access Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Michael Niedermayer (cherry picked from commit 06e7d58410a17dc72c30ee7f3145fcacc425f4f2) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 60bf569a1f..564a93f0cc 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -207,6 +207,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, void * x += stride; } + if (x >= w) { + av_log(NULL, AV_LOG_ERROR, "run overflow\n"); + return; + } + /* decode run termination value */ Rb = R(last, x); RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0; From 29abba35723ad6ce481dfe277dad6d0575f2dbb6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 01:50:27 +0200 Subject: [PATCH 0941/1037] avcodec/mjpegdec: check bits per pixel for changes similar to dimensions Fixes out of array accesses Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5c378d6a6df8243f06c87962b873bd563e58cd39) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit 94371a404c663c3dae3d542fa43951567ab67f82) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 1608b4f9e2..9a69bed3b1 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -211,7 +211,7 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, pix_fmt_id; + int len, nb_components, i, width, height, bits, pix_fmt_id; int h_count[MAX_COMPONENTS]; int v_count[MAX_COMPONENTS]; 
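Review bot: The new overflow path in the ls_decode_line hunk of libavcodec/jpeglsdec.c logs with `av_log(NULL, ...)`, so the message carries no codec context, and then returns from a `void` function, so the caller cannot tell the row was cut short and continues with a partly decoded line. `s` is a parameter of this function according to the hunk header, so the call can be `av_log(s->avctx, AV_LOG_ERROR, "run overflow\n");`. Propagating the failure would need a return-type change that reaches beyond this hunk.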
@@ -220,14 +220,14 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->bits = get_bits(&s->gb, 8); + bits = get_bits(&s->gb, 8); if (s->pegasus_rct) - s->bits = 9; - if (s->bits == 9 && !s->pegasus_rct) + bits = 9; + if (bits == 9 && !s->pegasus_rct) s->rct = 1; // FIXME ugly - if (s->bits != 8 && !s->lossless) { + if (bits != 8 && !s->lossless) { av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n"); return -1; } @@ -259,7 +259,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) return AVERROR_INVALIDDATA; } } - if (s->ls && !(s->bits <= 8 || nb_components == 1)) { + if (s->ls && !(bits <= 8 || nb_components == 1)) { av_log_missing_feature(s->avctx, "For JPEG-LS anything except <= 8 bits/component" " or 16-bit gray", 0); @@ -307,12 +307,14 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* if different size, realloc/alloc picture */ if ( width != s->width || height != s->height + || bits != s->bits || memcmp(s->h_count, h_count, sizeof(h_count[0])*nb_components) || memcmp(s->v_count, v_count, sizeof(v_count[0])*nb_components)) { av_freep(&s->qscale_table); s->width = width; s->height = height; + s->bits = bits; memcpy(s->h_count, h_count, sizeof(h_count)); memcpy(s->v_count, v_count, sizeof(v_count)); s->interlaced = 0; From 37800352bba2c46401995d9f5c82791809a78646 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 04:30:58 +0200 Subject: [PATCH 0942/1037] avcodec/utils: Add case for jv to avcodec_align_dimensions2() Fixes out of array accesses Fixes: asan_heap-oob_12304aa_8_asan_heap-oob_4da4f3_300_intro.jv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 105654e376a736d243aef4a1d121abebce912e6b) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 4bf0392687..4163349d61 100644 
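Review bot: In the ff_mjpeg_decode_sof hunks of libavcodec/mjpegdec.c the new local `bits` is an unchecked 8-bit field whenever `s->lossless` is set: the only range test visible is `bits != 8 && !s->lossless`, and the JPEG-LS test does not bound single-component input. Since `bits` now also triggers reallocation and is stored into `s->bits`, an explicit bound right after the `pegasus_rct` override, for example `if (bits < 1 || bits > 16) return AVERROR_INVALIDDATA;`, would keep out-of-range depths away from the code that follows. The upper limit is my assumption about what the decoder supports, and the lines between the hunks may already enforce one.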
--- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -263,6 +263,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_JV) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || From d68ae96ea8d8bac872854fc617ce6ad696ff2c2d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 14:45:04 +0200 Subject: [PATCH 0943/1037] avcodec/mmvideo: Bounds check 2nd line of HHV Intra blocks Fixes out of array access Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e) Conflicts: libavcodec/mmvideo.c Signed-off-by: Michael Niedermayer --- libavcodec/mmvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 91aca94e7e..aa61755b1f 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -116,7 +116,7 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) if (color) { memset(s->frame.data[0] + y*s->frame.linesize[0] + x, color, run_length); - if (half_vert) + if (half_vert && y + half_vert < s->avctx->height) memset(s->frame.data[0] + (y+1)*s->frame.linesize[0] + x, color, run_length); } x+= run_length; From aa17021e812eb2527033d85ba0390cc4f7d6c9d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 16:08:32 +0200 Subject: [PATCH 0944/1037] avcodec/tiff: more completely check bpp/bppcount Fixes pixel format selection Fixes out of array accesses Fixes: asan_heap-oob_1766029_6_asan_heap-oob_20aa045_332_cov_1823216757_m2-d1d366d7965db766c19a66c7a2ccbb6b.tif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
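Review bot: The added guard in the mm_decode_intra hunk of libavcodec/mmvideo.c tests `y + half_vert < s->avctx->height` while the write it protects goes to row `y+1`; the two agree only when `half_vert` is exactly 1. Writing the condition as `if (half_vert && y + 1 < s->avctx->height)` ties the check to the row actually written and does not depend on how callers encode the flag. The bounds of the first `memset` (row `y`, `x + run_length`) are checked, if at all, outside the hunk.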
Signed-off-by: Michael Niedermayer (cherry picked from commit e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5) Conflicts: libavcodec/tiff.c --- libavcodec/tiff.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 7394655c8e..d85a7d1df6 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -720,13 +720,13 @@ static int tiff_decode_tag(TiffContext *s) s->height = value; break; case TIFF_BPP: - s->bppcount = count; - if (count > 4) { + if (count > 4U) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", - s->bpp, count); + value, count); return -1; } + s->bppcount = count; if (count == 1) s->bpp = value; else { @@ -747,6 +747,13 @@ static int tiff_decode_tag(TiffContext *s) s->bpp = -1; } } + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } break; case TIFF_SAMPLES_PER_PIXEL: if (count != 1) { From 0b99a18ebc4109574ae4a619ba3716208d367e70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:35:58 +0200 Subject: [PATCH 0945/1037] avcodec/pngdec: Check bits per pixel before setting monoblack pixel format Fixes out of array accesses Fixes: asan_heap-oob_14dbfcf_4_asan_heap-oob_1ce5767_179_add_method_small.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 4740932c41..2180f66979 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
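Review bot: On the new `s->bpp > 64U` error path in the tiff_decode_tag hunks of libavcodec/tiff.c only `s->bpp` is reset, while `s->bppcount` has already been overwritten with the rejected tag's `count` a few lines earlier. If decoding can continue after this return (the caller is outside the hunk), the context then holds a component count that belongs to no valid bpp; `s->bpp = s->bppcount = 0;` would keep the two consistent. The `4U` and `64U` suffixes are what reject negative values through unsigned conversion, which deserves a short comment such as `/* unsigned compare also rejects negative values */`. The two failure paths in the same case also differ in return code, `-1` versus `AVERROR_INVALIDDATA`.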
@@ -634,7 +634,7 @@ static int decode_frame(AVCodecContext *avctx, } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) && s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (s->bit_depth == 1) { + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOBLACK; } else if (s->bit_depth == 8 && s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { From d37e539d5ef08932c316cf50c00d52cc15e6b413 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:54:21 +0200 Subject: [PATCH 0946/1037] avcodec/pngdec: Calculate MPNG bytewidth more defensively Signed-off-by: Michael Niedermayer (cherry picked from commit e830902934a29df05c7af65aef2a480b15f572c4) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 2180f66979..b911c32540 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -841,9 +841,10 @@ static int decode_frame(AVCodecContext *avctx, int i, j; uint8_t *pd = s->current_picture->data[0]; uint8_t *pd_last = s->last_picture->data[0]; + int ls = FFMIN(av_image_get_linesize(s->current_picture->format, s->width, 0), s->width * s->bpp); for(j=0; j < s->height; j++) { - for(i=0; i < s->width * s->bpp; i++) { + for(i=0; i < ls; i++) { pd[i] += pd_last[i]; } pd += s->image_linesize; From 86e57695257fde22da2045b6468ccaef34e848a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 21:08:52 +0200 Subject: [PATCH 0947/1037] avcodec/qpeg: fix off by 1 error in MV bounds check Fixes out of array access Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dd3bfe3cc1ca26d0fff3a3baf61a40207032143f) 
Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 2446060cdb..f0cf376c02 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -163,7 +163,7 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, /* check motion vector */ if ((me_x + filled < 0) || (me_x + me_w + filled > width) || - (height - me_y - me_h < 0) || (height - me_y > orig_height) || + (height - me_y - me_h < 0) || (height - me_y >= orig_height) || (filled + me_w > width) || (height - me_h < 0)) av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", me_x, me_y, me_w, me_h, filled, height); From 5e8b8e4b9d157d8be779e6e3e6d302988c8694d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 04:29:40 +0200 Subject: [PATCH 0948/1037] avformat/mpegts: Check desc_len / get8() return code Fixes out of array read Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index cecb228559..244eb40eae 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1693,7 +1693,7 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len break; desc_len = get8(&p, desc_list_end); desc_end = p + desc_len; - if (desc_end > desc_list_end) + if (desc_len < 0 || desc_end > desc_list_end) break; av_dlog(ts->stream, "tag: 0x%02x len=%d\n", From f6cfd160ca45fa8402336d47199af8dc1ad23b3e Mon Sep 17 00:00:00 2001 
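Review bot: In the sdt_cb hunk of libavformat/mpegts.c `desc_end = p + desc_len` is still computed before the new `desc_len < 0` test, so the pointer is formed from the error value first and rejected afterwards. Testing first, with `if (desc_len < 0) break;` directly after the `get8()` call and `desc_end = p + desc_len;` below it, keeps the pointer arithmetic on validated lengths only. The loop this sits in starts and ends outside the hunk.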
From: Michael Niedermayer Date: Sat, 4 Oct 2014 14:51:46 +0200 Subject: [PATCH 0949/1037] avcodec/h264: Check mode before considering mixed mode intra prediction Fixes out of array read Fixes: asan_heap-oob_e476fc_2_asan_heap-oob_1333ec6_61_CAMACI3_Sony_C.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9734a7a1de3043f012ad0f1ef11027d9488067e6) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 9599b1486c..66ca83f62f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -163,18 +163,18 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma) if ((h->left_samples_available & 0x8080) != 0x8080) { mode = left[mode]; - if (is_chroma && (h->left_samples_available & 0x8080)) { - // mad cow disease mode, aka MBAFF + constrained_intra_pred - mode = ALZHEIMER_DC_L0T_PRED8x8 + - (!(h->left_samples_available & 0x8000)) + - 2 * (mode == DC_128_PRED8x8); - } if (mode < 0) { av_log(h->s.avctx, AV_LOG_ERROR, "left block unavailable for requested intra mode at %d %d\n", s->mb_x, s->mb_y); return -1; } + if (is_chroma && (h->left_samples_available & 0x8080)) { + // mad cow disease mode, aka MBAFF + constrained_intra_pred + mode = ALZHEIMER_DC_L0T_PRED8x8 + + (!(h->left_samples_available & 0x8000)) + + 2 * (mode == DC_128_PRED8x8); + } } return mode; From 03ea3982275eeaf9811fb816359ee366a5448714 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Oct 2014 20:26:27 +0200 Subject: [PATCH 0950/1037] postproc/postprocess: fix quant store for fq mode Signed-off-by: Michael Niedermayer (cherry picked from commit 941aaa39e8cd78ba4d16dfcec767290aec9a0136) Conflicts: tests/ref/fate/filter-pp3 (cherry picked from commit 705748caf3f6a4a3e74ad3d2fc547a5a0213a521) 
Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 2 +- tests/ref/lavfi/pp3 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index facfd2cdd9..3a1b78d371 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -1000,7 +1000,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if((pict_type&7)!=3){ if (QPStride >= 0){ int i; - const int count= mbHeight * QPStride; + const int count= mbHeight * FFMAX(QPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; } diff --git a/tests/ref/lavfi/pp3 b/tests/ref/lavfi/pp3 index ccf2eebc62..1af87610c8 100644 --- a/tests/ref/lavfi/pp3 +++ b/tests/ref/lavfi/pp3 @@ -1 +1 @@ -pp3 39af1a30d0ea0e906df264773adfcaa6 +pp3 c8277ef31ab01bad51356841c9634522 From 26dddec4665aa0423ffce7aabf534cfda1b33c91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Oct 2014 16:02:42 +0200 Subject: [PATCH 0951/1037] postproc: fix qp count Found-by: ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit 0b7e5d0d75e7d8762dd04d35f8c0821736164372) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 3a1b78d371..78404e8ca3 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -975,7 +975,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if(pict_type & PP_PICT_TYPE_QP2){ int i; - const int count= mbHeight * absQPStride; + const int count= FFMAX(mbHeight * absQPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->stdQPTable)[i] = (((const uint32_t*)QP_store)[i]>>1) & 0x7F7F7F7F; } 
@@ -1000,7 +1000,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if((pict_type&7)!=3){ if (QPStride >= 0){ int i; - const int count= mbHeight * FFMAX(QPStride, mbWidth); + const int count= FFMAX(mbHeight * QPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; } From 251d66d746ca543f12f4b0c284021d5c6b9aeb38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 15:26:42 +0100 Subject: [PATCH 0952/1037] avcodec/dxa: check dimensions Fixes out of array access Fixes: asan_heap-oob_11222fb_21_020.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e70312dfc22c4e54d5716f28f28db8f99c74cc90) Conflicts: libavcodec/dxa.c Signed-off-by: Michael Niedermayer --- libavcodec/dxa.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c index 3fda64cfef..e6caa7f0f5 100644 --- a/libavcodec/dxa.c +++ b/libavcodec/dxa.c @@ -304,6 +304,11 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (avctx->width%4 || avctx->height%4) { + av_log(avctx, AV_LOG_ERROR, "dimensions are not a multiple of 4"); + return AVERROR_INVALIDDATA; + } + avcodec_get_frame_defaults(&c->pic); avcodec_get_frame_defaults(&c->prev); From e43872c3a93c584a768643cfb85fc981f3cd4c44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Oct 2014 00:57:07 +0100 Subject: [PATCH 0953/1037] avcodec/dnxhddec: treat pix_fmt like width/height Fixes out of array accesses Fixes: asan_heap-oob_22c9a39_16_015.mxf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f3c0e0bf6f53df0977f3878d4f5cec99dff8de9e) Conflicts: libavcodec/dnxhddec.c Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
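Review bot: The new error message in decode_init() of dxa.c has no trailing newline, so the next log line is appended to it; it should read `av_log(avctx, AV_LOG_ERROR, "dimensions are not a multiple of 4\n");`. The check also runs only at init. If the dimensions can change after init (not visible in this hunk), the frame decoder needs the same test.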
diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 104b94354c..515280cb72 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -39,6 +39,7 @@ typedef struct DNXHDContext { GetBitContext gb; int64_t cid; ///< compression id unsigned int width, height; + enum AVPixelFormat pix_fmt; unsigned int mb_width, mb_height; uint32_t mb_scan_index[68]; /* max for 1080p */ int cur_field; ///< current interlaced field @@ -135,7 +136,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si av_dlog(ctx->avctx, "width %d, height %d\n", ctx->width, ctx->height); if (buf[0x21] & 0x40) { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P10; + ctx->pix_fmt = AV_PIX_FMT_YUV422P10; ctx->avctx->bits_per_raw_sample = 10; if (ctx->bit_depth != 10) { ff_dsputil_init(&ctx->dsp, ctx->avctx); @@ -143,7 +144,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si ctx->decode_dct_block = dnxhd_decode_dct_block_10; } } else { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P; + ctx->pix_fmt = AV_PIX_FMT_YUV422P; ctx->avctx->bits_per_raw_sample = 8; if (ctx->bit_depth != 8) { ff_dsputil_init(&ctx->dsp, ctx->avctx); @@ -381,9 +382,15 @@ static int dnxhd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, avctx->width, avctx->height, ctx->width, ctx->height); first_field = 1; } + if (avctx->pix_fmt != AV_PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) { + av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n", + av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt)); + first_field = 1; + } if (av_image_check_size(ctx->width, ctx->height, 0, avctx)) return -1; + avctx->pix_fmt = ctx->pix_fmt; avcodec_set_dimensions(avctx, ctx->width, ctx->height); if (first_field) { From 961bbb98cf146553af858bd3a13a70751df23fa3 Mon Sep 17 00:00:00 2001 
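Review bot: dnxhd_decode_header() now stages `pix_fmt` in the private context, but both branches still write `ctx->avctx->bits_per_raw_sample` directly, so that public field changes before the size and format checks in dnxhd_decode_frame() have run. Staging it the same way, and copying it next to `avctx->pix_fmt = ctx->pix_fmt;`, would keep the three properties consistent. In the new warning, `av_get_pix_fmt_name()` can return NULL for a value it does not know, and `avctx->pix_fmt` is only compared against AV_PIX_FMT_NONE, so passing the result straight to `%s` relies on the caller never setting an out-of-range format.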
From: Michael Niedermayer Date: Wed, 29 Oct 2014 14:15:29 +0100 Subject: [PATCH 0954/1037] avcodec/utils: Align dimensions by at least their chroma sub-sampling factors. Fixes: out of array accesses Fixes: asan_heap-oob_112c6b3_13_012.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit df74811cd53e45fcbbd3b77a1c42416816687c5c) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 4163349d61..75d785e2c1 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -183,6 +183,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int i; int w_align = 1; int h_align = 1; + AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(s->pix_fmt); + + if (desc) { + w_align = 1 << desc->log2_chroma_w; + h_align = 1 << desc->log2_chroma_h; + } switch (s->pix_fmt) { case AV_PIX_FMT_YUV420P: @@ -276,8 +282,6 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } break; default: - w_align = 1; - h_align = 1; break; } From 6c5a57db94b50f091cd56b09cf537b68ebfe50f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2014 18:16:25 +0100 Subject: [PATCH 0955/1037] avcodec/svq1dec: zero terminate embedded message before printing Fixes out of array access Fixes: asan_stack-oob_49b1e5_10_009.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e91ba2efa949470e9157b652535d207a101f91e0) Conflicts: libavcodec/svq1dec.c --- libavcodec/svq1dec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index d5f7581264..473bb806d4 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c 
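Review bot: In avcodec_align_dimensions2() the new local drops the qualifier of the returned descriptor: av_pix_fmt_desc_get() returns a pointer to const, so the declaration should read `const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(s->pix_fmt);`. The switch that follows still assigns `w_align` / `h_align` in its cases. Those cases are only partly visible, so it is worth confirming that none of them sets an alignment smaller than the chroma factor computed here.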
@@ -500,7 +500,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp, return result; } -static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) +static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257]) { uint8_t seed; int i; @@ -512,6 +512,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) out[i] = get_bits(bitbuf, 8) ^ seed; seed = string_table[out[i] ^ seed]; } + out[i] = 0; } static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) @@ -554,12 +555,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) } if ((s->frame_code ^ 0x10) >= 0x50) { - uint8_t msg[256]; + uint8_t msg[257]; svq1_parse_string(bitbuf, msg); av_log(avctx, AV_LOG_INFO, - "embedded message: \"%s\"\n", (char *)msg); + "embedded message: \"%s\"\n", ((char *)msg) + 1); } skip_bits(bitbuf, 2); From 3535f0867e413d240d7736294fd340c756c226cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Nov 2014 01:55:40 +0100 Subject: [PATCH 0956/1037] avcodec/h264_slice: Clear table pointers to avoid stale pointers Might fix Ticket3889 Signed-off-by: Michael Niedermayer (cherry picked from commit 547fce95858ef83f8c25ae347e3ae3b8ba437fd9) Conflicts: libavcodec/h264_slice.c Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 66ca83f62f..bf75f3f3d1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
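Review bot: The buffer size 257 now appears twice, as `out[257]` in svq1_parse_string() and `msg[257]` in svq1_decode_frame_header(), with no explanation of where it comes from, and an array size in a parameter declaration is not enforced by the compiler. I would add a comment at the `msg` declaration, e.g. `/* length byte + up to 255 message bytes + terminating NUL */`; the loop bound is outside the hunk, so confirm the count against it. The message bytes come from the bitstream and are printed with `%s` unfiltered, so control characters can end up in the log.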
@@ -1249,6 +1249,18 @@ static int decode_update_thread_context(AVCodecContext *dst, memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); + h->intra4x4_pred_mode= NULL; + h->non_zero_count = NULL; + h->slice_table_base = NULL; + h->slice_table = NULL; + h->cbp_table = NULL; + h->chroma_pred_mode_table = NULL; + memset(h->mvd_table, 0, sizeof(h->mvd_table)); + h->direct_table = NULL; + h->list_counts = NULL; + h->mb2b_xy = NULL; + h->mb2br_xy = NULL; + if (s1->context_initialized) { if (ff_h264_alloc_tables(h) < 0) { av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n"); From ce35c10b88d1301fc233825c436199f3cf1bc9f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Nov 2014 13:20:24 +0100 Subject: [PATCH 0957/1037] avcodec/options_table fix min of audio channels and sample rate Found-by: Lukasz Marek Signed-off-by: Michael Niedermayer (cherry picked from commit 206c98f303e833c9e94427c9e3f9867f85265f78) Signed-off-by: Michael Niedermayer --- libavcodec/options_table.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/options_table.h b/libavcodec/options_table.h index 2a31fa64cc..963fdd4020 100644 --- a/libavcodec/options_table.h +++ b/libavcodec/options_table.h 
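Review bot: The list of pointers cleared in decode_update_thread_context() is maintained by hand and has no comment, so a table added to the allocator later is easy to miss here. A short comment would help, e.g. `/* drop table pointers inherited from the source context; ff_h264_alloc_tables() below allocates this context's own */`. That the pointers are inherited through a copy above the hunk is my assumption; the copy itself is not visible.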
@@ -101,8 +101,8 @@ static const AVOption options[]={ {"extradata_size", NULL, OFFSET(extradata_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, {"time_base", NULL, OFFSET(time_base), AV_OPT_TYPE_RATIONAL, {.dbl = 0}, INT_MIN, INT_MAX}, {"g", "set the group of picture (GOP) size", OFFSET(gop_size), AV_OPT_TYPE_INT, {.i64 = 12 }, INT_MIN, INT_MAX, V|E}, -{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E}, -{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E}, +{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, +{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, {"cutoff", "set cutoff bandwidth", OFFSET(cutoff), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E}, {"frame_size", NULL, OFFSET(frame_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E}, {"frame_number", NULL, OFFSET(frame_number), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, From c1e048dffea161d7c8ab37b55bc4f36ae1369c1a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Nov 2014 19:44:20 +0100 Subject: [PATCH 0958/1037] avcodec/utvideodec: fix assumtation that slice_height >= 1 Fixes out of array read Fixes: asan_heap-oob_2573085_3783_utvideo_rgba_median.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7656c4c6e66f8a787d384f027ad824cc1677fda1) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 259030aac5..b7af31e48f 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c 
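Review bot: The unbounded lower limit this patch removes from `ar` and `ac` is still present on neighbouring entries in the same hunk: `cutoff` and `frame_size` both accept INT_MIN. If negative values have no meaning for them (I cannot tell from the table alone), they should get the same minimum, for example `{"frame_size", NULL, OFFSET(frame_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|E},`.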
@@ -222,7 +222,7 @@ static void restore_median(uint8_t *src, int step, int stride, A = bsrc[i]; } bsrc += stride; - if (slice_height == 1) + if (slice_height <= 1) continue; // second line - first element has top prediction, the rest uses median C = bsrc[-stride]; @@ -282,7 +282,7 @@ static void restore_median_il(uint8_t *src, int step, int stride, A = bsrc[stride + i]; } bsrc += stride2; - if (slice_height == 1) + if (slice_height <= 1) continue; // second line - first element has top prediction, the rest uses median C = bsrc[-stride2]; From b4f08f34a852a52a6cf11b490e7a66357132abb6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Nov 2014 23:07:50 +0100 Subject: [PATCH 0959/1037] avcodec/wmaprodec: Fix integer overflow in sfb_offsets initialization Fixes out of array read Fixes: asan_heap-oob_2aec5b0_1828_classical_22_16_2_16000_v3c_0_exclusive_0_29.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5dcb99033df16eccc4dbbc4a099ad64457f9f090) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 0878b5f33d..ce92c7f88a 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -419,6 +419,9 @@ static av_cold int decode_init(AVCodecContext *avctx) offset &= ~3; if (offset > s->sfb_offsets[i][band - 1]) s->sfb_offsets[i][band++] = offset; + + if (offset >= subframe_len) + break; } s->sfb_offsets[i][band - 1] = subframe_len; s->num_sfb[i] = band - 1; From 07b98ea3963f1bf4a94b6adce540af90e767d881 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Nov 2014 13:53:06 +0100 Subject: [PATCH 0960/1037] avcodec/mjpegdec: Fix context fields becoming inconsistent Fixes out of array access Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
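Review bot: In restore_median() the `slice_height <= 1` test sits after the first-line prediction loop, so for a slice of height 0 that loop has already read and written a row at `bsrc` before the `continue` is reached. The same holds for restore_median_il() in the second hunk, where the rows before `bsrc += stride2` are processed first. Rejecting the empty slice right after `slice_height` is computed, with `if (!slice_height) continue;`, closes that; the computation itself is above both hunks.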
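Review bot: The new `break` in decode_init() of wmaprodec.c stops the loop once `offset` reaches `subframe_len`, but the store `s->sfb_offsets[i][band++] = offset;` just above it is still not bounded by the length of the `sfb_offsets` row. The array declaration and the loop header are outside the hunk, so please confirm the loop limit cannot exceed the row length; if it can, an explicit bound on `band` belongs next to this check. The commit title mentions an integer overflow, and the arithmetic that produces `offset` is also outside the hunk, so a comment at the `break` naming the overflow it guards against would help.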
Signed-off-by: Michael Niedermayer (cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 9a69bed3b1..19feb38b9f 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1436,6 +1436,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } if (id == AV_RL32("LJIF")) { + int rgb = s->rgb; + int pegasus_rct = s->pegasus_rct; if (s->avctx->debug & FF_DEBUG_PICT_INFO) av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n"); @@ -1445,17 +1447,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) skip_bits(&s->gb, 16); /* unknown always 0? */ switch (get_bits(&s->gb, 8)) { case 1: - s->rgb = 1; - s->pegasus_rct = 0; + rgb = 1; + pegasus_rct = 0; break; case 2: - s->rgb = 1; - s->pegasus_rct = 1; + rgb = 1; + pegasus_rct = 1; break; default: av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace\n"); } + len -= 9; + if (s->got_picture) + if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { + av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); + goto out; + } + + s->rgb = rgb; + s->pegasus_rct = pegasus_rct; + goto out; } From 46dfd59ae1997d0bc6b38dcf19b427b6484f20c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Nov 2014 14:45:30 +0100 Subject: [PATCH 0961/1037] avcodec/utils: Check that the data is complete in avpriv_bprint_to_extradata() Fixes out of array read Fixes: asan_heap-oob_4d2250_814_cov_2745172097_JACOsub_capability_tester.jss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5d95db3f5d8e2093e9e19d0c46e86f54ed2a5d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 75d785e2c1..6bae2a8e71 100644 --- a/libavcodec/utils.c 
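Review bot: The nested unbraced `if (s->got_picture) if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) {` in mjpeg_decode_app() is easy to misread and invites a dangling-else mistake; a single condition is clearer: `if (s->got_picture && (rgb != s->rgb || pegasus_rct != s->pegasus_rct)) {`. The `default:` branch also logs "unknown colorspace" and then continues to the assignment of `rgb` / `pegasus_rct`, which are unchanged copies in that case. A comment saying that an unknown value keeps the previous settings would show this is intentional.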
+++ b/libavcodec/utils.c @@ -2713,6 +2713,11 @@ int avpriv_bprint_to_extradata(AVCodecContext *avctx, struct AVBPrint *buf) ret = av_bprint_finalize(buf, &str); if (ret < 0) return ret; + if (!av_bprint_is_complete(buf)) { + av_free(str); + return AVERROR(ENOMEM); + } + avctx->extradata = str; /* Note: the string is NUL terminated (so extradata can be read as a * string), but the ending character is not accounted in the size (in From 2fcfcd5c8787fd05bbf80d97543caa7713afc927 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 03:29:03 +0100 Subject: [PATCH 0962/1037] avcodec/flacdec: Call ff_flacdsp_init() unconditionally Fixes out of array access Fixes: signal_sigsegv_324b135_3398_cov_246853371_short.flac Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e5c01ccdf5a9a330d4c51a9b9ea721fd8f1fb70b) Conflicts: libavcodec/flacdec.c --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 9d5ecd04cf..cfde037587 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -467,10 +467,10 @@ static int decode_frame(FLACContext *s) ret = allocate_buffers(s); if (ret < 0) return ret; - ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps); s->got_streaminfo = 1; dump_headers(s->avctx, (FLACStreaminfo *)s); } + ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps); // dump_headers(s->avctx, (FLACStreaminfo *)s); From 33d74e62c25a1d706ef13b9471cd139d0e0d6541 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 15:45:47 +0100 Subject: [PATCH 0963/1037] avcodec/pngdec: Check IHDR/IDAT order Fixes out of array access Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
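Review bot: avpriv_bprint_to_extradata() calls `av_bprint_is_complete(buf)` after `av_bprint_finalize()` has already run, which is valid only because finalize leaves the `len` and `size` fields usable. That dependency deserves a comment at the check, e.g. `/* len/size remain valid after finalize; a truncated buffer must not become extradata */`. Without it the call order reads like a use of a finished buffer and may be "fixed" incorrectly later.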
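Review bot: Moving `ff_flacdsp_init()` out of the `got_streaminfo` block makes decode_frame() in flacdec.c re-initialise the DSP function pointers on every frame, and the hunk has no comment explaining why. If the reason is that `s->bps` or the sample format can differ between frames (my reading of the fix, not visible here), say so at the call: `/* bps can change per frame; keep the dsp functions matched to it */`. The stale `// dump_headers(...)` line directly below could be dropped while this code is being touched.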
Signed-off-by: Michael Niedermayer (cherry picked from commit 79ceaf827be0b070675d4cd0a55c3386542defd8) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index b911c32540..0809d713f1 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -567,6 +567,12 @@ static int decode_frame(AVCodecContext *avctx, case MKTAG('I', 'H', 'D', 'R'): if (length != 13) goto fail; + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "IHDR after IDAT\n"); + goto fail; + } + s->width = bytestream2_get_be32(&s->gb); s->height = bytestream2_get_be32(&s->gb); if(av_image_check_size(s->width, s->height, 0, avctx)){ From ed75a9a60ecb4c60343aac24cec59848f26dceae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:01:18 +0100 Subject: [PATCH 0964/1037] avformat/rmdec: Check codec_data_size Fixes infinite loop Fixes Ticket4154 Signed-off-by: Michael Niedermayer (cherry picked from commit a6f730730b82645a9d31aad0968487cb77d6946c) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 37d91ec12f..38f101fc53 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -308,6 +308,9 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, int64_t codec_pos; int ret; + if (codec_data_size < 0) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); From b3e98715c0e5d9d8d2fc467b9f2fed9aa6bb0381 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:21:56 +0100 Subject: [PATCH 0965/1037] swscale/x86/rgb2rgb_template: fix crash with tiny size and nv12 output Fixes Ticket4151 Signed-off-by: Michael Niedermayer (cherry picked from commit 8524558858b7e14bc50afa10233e0194f591ab9d) 
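Review bot: The new test in decode_frame() of pngdec.c rejects an IHDR that follows IDAT, but a second IHDR arriving before any IDAT still passes and overwrites `s->width` / `s->height`. If anything derived from the first header is retained (not visible in this hunk), rejecting the repeat as well is safer: `if (s->state & (PNG_IHDR | PNG_IDAT)) {` with a matching message. Where `PNG_IHDR` is set lies outside the hunk, so check that it is set once the header has been accepted.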
Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index d802ab4227..242a7b2301 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1864,6 +1864,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; + if (width >= 16) #if COMPILE_TEMPLATE_SSE2 __asm__( "xor %%"REG_a", %%"REG_a" \n\t" From 437e50b3d65fecd374b56c39c55bc6d340004502 Mon Sep 17 00:00:00 2001 From: wm4 Date: Sat, 6 Dec 2014 16:53:30 +0100 Subject: [PATCH 0966/1037] avformat/matroskadec: fix handling of recursive SeekHead elements When matroska_execute_seekhead() is called, it goes through the list of seekhead entries and attempts to read elements not read yet. When doing this, the parser can find further SeekHead elements, and will extend the matroska->seekhead list. This can lead to a (practically) infinite loop with certain broken files. (Maybe it can happen even with valid files. The demuxer doesn't seem to check correctly whether an element has already been read.) Fix this by ignoring elements that were added to the seekhead field during executing seekhead entries. This does not fix the possible situation when multiple SeekHead elements after the file header (i.e. occur after the "before_pos" file position) point to the same elements. These elements will probably be parsed multiple times, likely leading to bugs. Fixes ticket #4162. Signed-off-by: Michael Niedermayer (cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 5f5ab91bd5..aabf4e7af3 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
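Review bot: The added `if (width >= 16)` in interleaveBytes has no braces, and its body is whichever `__asm__` statement the following preprocessor conditional selects, so the guard silently stops covering that block as soon as a statement is inserted in between. Braces opened here and closed after the conditional's `#endif` would make the scope explicit; the rest of the block is outside the hunk. A comment such as `/* the SIMD loop needs at least 16 bytes per row */` would document the limit, assuming that is how the asm loop is bounded.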
@@ -1346,13 +1346,17 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) EbmlList *seekhead_list = &matroska->seekhead; int64_t before_pos = avio_tell(matroska->ctx->pb); int i; + int nb_elem; // we should not do any seeking in the streaming case if (!matroska->ctx->pb->seekable || (matroska->ctx->flags & AVFMT_FLAG_IGNIDX)) return; - for (i = 0; i < seekhead_list->nb_elem; i++) { + // do not read entries that are added while parsing seekhead entries + nb_elem = seekhead_list->nb_elem; + + for (i = 0; i < nb_elem; i++) { MatroskaSeekhead *seekhead = seekhead_list->elem; if (seekhead[i].pos <= before_pos) continue; From 7520f1fb3acaf9f3b80db6d16cd7ca2b2ffcdec5 Mon Sep 17 00:00:00 2001 From: Rob Sykes Date: Sat, 13 Dec 2014 21:12:56 +0100 Subject: [PATCH 0967/1037] swresample/soxr_resample: fix error handling Fixes CID1257659 Signed-off-by: Michael Niedermayer (cherry picked from commit 4b6f2253741f3023928e61ae5105ccd4b1c515fb) Signed-off-by: Michael Niedermayer --- libswresample/soxr_resample.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libswresample/soxr_resample.c b/libswresample/soxr_resample.c index 15fcc83bf1..57aa51a53b 100644 --- a/libswresample/soxr_resample.c +++ b/libswresample/soxr_resample.c @@ -72,8 +72,12 @@ static int process( AudioData *src, int src_size, int *consumed){ size_t idone, odone; soxr_error_t error = soxr_set_error((soxr_t)c, soxr_set_num_channels((soxr_t)c, src->ch_count)); - error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, - &idone, dst->ch, (size_t)dst_size, &odone); + if (!error) + error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, + &idone, dst->ch, (size_t)dst_size, &odone); + else + idone = 0; + *consumed = (int)idone; return error? -1 : odone; } From 9189ae8ff4b74984775850cdae72dc833f401867 Mon Sep 17 00:00:00 2001 
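Review bot: On the new error path in process() of soxr_resample.c only `idone` is given a value; `odone` stays uninitialised and is safe only because the final `return error? -1 : odone;` does not read it when `error` is set. Initialising both at the declaration, `size_t idone = 0, odone = 0;`, removes the need for the `else` branch and keeps the function safe if the return expression is changed later.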
From: Michael Niedermayer Date: Sun, 14 Dec 2014 17:26:11 +0100 Subject: [PATCH 0968/1037] avformat/aviobuf: Check that avio_seek() target is non negative Fixes out of array access Suggested-by: Andrew Scherkus Signed-off-by: Michael Niedermayer (cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 7a73a1791f..dc7dbb233b 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -216,6 +216,9 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) return offset1; offset += offset1; } + if (offset < 0) + return AVERROR(EINVAL); + offset1 = offset - pos; if (!s->must_flush && (!s->direct || !s->seek) && offset1 >= 0 && offset1 <= (s->buf_end - s->buffer)) { From 24fefa73dba44d07b4cef8b6243cfa37f6ec3e54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 16:24:55 +0100 Subject: [PATCH 0969/1037] avcodec/vmdvideo: Check len before using it in method 3 Fixes out of array access Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd) Conflicts: libavcodec/vmdav.c --- libavcodec/vmdav.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 9c24a01ba7..f17bd493f0 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -340,8 +340,12 @@ static int vmd_decode(VmdVideoContext *s) len = rle_unpack(gb.buffer, &dp[ofs], len, bytestream2_get_bytes_left(&gb), frame_width - ofs); - else + else { + if (ofs + len > frame_width || + bytestream2_get_bytes_left(&gb) < len) + return AVERROR_INVALIDDATA; bytestream2_get_buffer(&gb, &dp[ofs], len); + } bytestream2_skip(&gb, len); } else { /* interframe pixel copy */ 
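Review bot: The new `offset < 0` test in avio_seek() runs after `offset += offset1;`, so on a relative seek a very large positive `offset` can overflow the signed 64-bit addition before the result is tested, and signed overflow is undefined behaviour. Checking before the addition avoids that: `if (offset > INT64_MAX - offset1) return AVERROR(EINVAL);`. The branch that computes `offset1` begins above the hunk, so confirm `offset1` is non-negative at that point.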
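Review bot: In the raw-copy branch of vmd_decode() `bytestream2_get_buffer(&gb, &dp[ofs], len)` already advances the reader by `len`, and the `bytestream2_skip(&gb, len);` after the if/else then advances it a second time. The new bounds check covers one `len` only, so unless the format really pads each run, the skip should move into the RLE branch. Separately, `ofs + len > frame_width` is evaluated in whatever types `ofs` and `len` have, which the hunk does not show; if either can be negative the comparison needs an explicit lower bound as well.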
From b9d2c2e9870142e8255d93fa6a004d012b4caa42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 20:45:31 +0100 Subject: [PATCH 0970/1037] avcodec/utvideodec: Fix handling of slice_height=0 Fixes out of array accesses Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3881606240953b9275a247a1c98a567f3c44890f) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index b7af31e48f..188322dff8 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -212,6 +212,8 @@ static void restore_median(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride; // first line - left neighbour prediction @@ -267,6 +269,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride; From 2c5898c1d303093adccb0e9b117c435ca878735f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 21:14:40 +0100 Subject: [PATCH 0971/1037] avformat/mov: check atom nesting depth Fixes call stack overflow Fixes: case1_call_stack_overflow.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit caa7a3914f499f74b3ee346f26d598ebdc0ec210) Conflicts: libavformat/isom.h --- libavformat/isom.h | 1 + libavformat/mov.c | 13 ++++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index 0360c53f11..83fb91851c 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h 
@@ -161,6 +161,7 @@ typedef struct MOVContext { int use_absolute_path; int ignore_editlist; int64_t next_root_atom; ///< offset of the next root atom + int atom_depth; } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); diff --git a/libavformat/mov.c b/libavformat/mov.c index 888d2ac588..081305b34f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2806,6 +2806,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVAtom a; int i; + if (c->atom_depth > 10) { + av_log(c->fc, AV_LOG_ERROR, "Atoms too deeply nested\n"); + return AVERROR_INVALIDDATA; + } + c->atom_depth ++; + if (atom.size < 0) atom.size = INT64_MAX; while (total_size + 8 <= atom.size && !url_feof(pb)) { @@ -2822,6 +2828,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) { av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n"); avio_skip(pb, -8); + c->atom_depth --; return 0; } } @@ -2858,13 +2865,16 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) int64_t start_pos = avio_tell(pb); int64_t left; int err = parse(c, pb, a); - if (err < 0) + if (err < 0) { + c->atom_depth --; return err; + } if (c->found_moov && c->found_mdat && ((!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) || start_pos + a.size == avio_size(pb))) { if (!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) c->next_root_atom = start_pos + a.size; + c->atom_depth --; return 0; } left = a.size - avio_tell(pb) + start_pos; @@ -2884,6 +2894,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (total_size < atom.size && atom.size < 0x7ffff) avio_skip(pb, atom.size - total_size); + c->atom_depth --; return 0; } From dc1cf5febb7faefa4b24e991eaf3a09447b2c878 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 22:21:21 +0100 Subject: [PATCH 0972/1037] swscale: increase yuv2rgb table headroom Fixes out of array access Fixes: case2_bad_read_yuv2rgbx32.mp4 Found-by: Michal Zalewski 
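Review bot: mov_read_default() now decrements `c->atom_depth` by hand on every exit shown in these hunks, and any return outside them that lacks the decrement would leave the counter raised until valid files start failing with "Atoms too deeply nested". Doing the bookkeeping in one place is less fragile: keep the parser body in a helper and let a thin wrapper check, increment, call and decrement. The limit `10` would also read better as a named constant with a comment on how it was chosen. The helper name in the sketch is only a suggestion.

```c
static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom)
{
    int ret;

    if (c->atom_depth > 10) {
        av_log(c->fc, AV_LOG_ERROR, "Atoms too deeply nested\n");
        return AVERROR_INVALIDDATA;
    }
    c->atom_depth++;
    /* … unchanged: former body of mov_read_default, moved into the helper … */
    ret = mov_read_default_atoms(c, pb, atom);
    c->atom_depth--;
    return ret;
}
```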
Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 6a942d6799..55911b532a 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -37,7 +37,7 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long -#define YUVRGB_TABLE_HEADROOM 128 +#define YUVRGB_TABLE_HEADROOM 256 #define FAST_BGR2YV12 // use 7-bit instead of 15-bit coefficients From e78e2dc6e15d8699bf0b60299b0f7d5c20830c22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 03:14:21 +0100 Subject: [PATCH 0973/1037] avcodec/indeo3: use signed variables to avoid underflow Fixes out of array read Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 9a93f5726f..85af6224e9 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -94,7 +94,7 @@ typedef struct Indeo3DecodeContext { int16_t width, height; uint32_t frame_num; ///< current frame number (zero-based) - uint32_t data_size; ///< size of the frame data in bytes + int data_size; ///< size of the frame data in bytes uint16_t frame_flags; ///< frame properties uint8_t cb_offset; ///< needed for selecting VQ tables uint8_t buf_sel; ///< active frame buffer: 0 - primary, 1 -secondary 
@@ -906,7 +906,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, GetByteContext gb; const uint8_t *bs_hdr; uint32_t frame_num, word2, check_sum, data_size; - uint32_t y_offset, u_offset, v_offset, starts[3], ends[3]; + int y_offset, u_offset, v_offset; + uint32_t starts[3], ends[3]; uint16_t height, width; int i, j; From 45509d0730e34423ccc637475a6db694fdf95341 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 18:57:27 +0100 Subject: [PATCH 0974/1037] avcodec/indeo3: ensure offsets are non negative Signed-off-by: Michael Niedermayer (cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 85af6224e9..1f6d3420ad 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -988,7 +988,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->y_data_size = ends[0] - starts[0]; ctx->v_data_size = ends[1] - starts[1]; ctx->u_data_size = ends[2] - starts[2]; - if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || + if (FFMIN3(y_offset, v_offset, u_offset) < 0 || + FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 || FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) { av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n"); From c5f52a9440e7786459b322d9db5b2f9ced746571 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Dec 2014 04:51:41 +0100 Subject: [PATCH 0975/1037] Update for 1.1.15 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index e9bc14996e..645377eea8 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.14 +1.1.15 
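Review bot: In decode_frame_headers only the three offsets become `int`; the local `data_size` on the line above stays `uint32_t`, while the struct field it presumably feeds was changed to `int data_size` in the first hunk of this commit. The store is outside both hunks, but a header value above INT_MAX would turn negative there, so an explicit range check at that assignment would make the accepted range clear. A short comment on the new declaration, e.g. `/* signed: compared with ctx->data_size - 16, which can be negative */`, would explain why these are no longer `uint32_t`.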
diff --git a/doc/Doxyfile b/doc/Doxyfile index 972bcaf046..65ee69da75 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.14 +PROJECT_NUMBER = 1.1.15 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 6222ee068eeb3d29a2bcc4a89ce31effdef5a061 Mon Sep 17 00:00:00 2001 From: Xiaohan Wang Date: Thu, 6 Nov 2014 12:59:54 -0800 Subject: [PATCH 0976/1037] matroskadec: Fix read-after-free in matroska_read_seek() In matroska_read_seek(), |tracks| is assigned at the begining of the function. However, functions like matroska_parse_cues() could reallocate the tracks and invalidate |tracks|. This assigns |tracks| only before using it, so that it will not get invalidated elsewhere. Bug-Id: chromium/427266 --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 730285afdc..14b99150f6 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2222,7 +2222,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { MatroskaDemuxContext *matroska = s->priv_data; - MatroskaTrack *tracks = matroska->tracks.elem; + MatroskaTrack *tracks = NULL; AVStream *st = s->streams[stream_index]; int i, index, index_sub, index_min; @@ -2251,6 +2251,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, return 0; index_min = index; + tracks = matroska->tracks.elem; for (i=0; i < matroska->tracks.nb_elem; i++) { tracks[i].audio.pkt_cnt = 0; tracks[i].audio.sub_packet_cnt = 0; From eb1aa871d4ef9fc11484de436fa02c352b1b7cac Mon Sep 17 00:00:00 2001 
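Review bot: Nothing in matroska_read_seek says why `tracks` is now initialised to NULL and only assigned right before the reset loop, so a later cleanup could hoist the assignment back to the declaration and reintroduce the stale pointer. I would put the reason next to the assignment: `/* fetch only now: matroska_parse_cues() may reallocate the track array */`. Indexing `matroska->tracks.elem` directly in the loop, or declaring the pointer in the block that uses it, would rule the hazard out rather than document it. The function body between the two hunks is not shown.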
From: Michael Niedermayer Date: Thu, 31 Jan 2013 04:20:24 +0100 Subject: [PATCH 0977/1037] h264_cabac: Break infinite loops MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes out of array reads and/or infinite loops. 30 is the maximum number of bits that can be read into coeff_abs below. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Martin Storsjö --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 92c1c03740..a8063bd1e1 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1713,7 +1713,7 @@ decode_cabac_residual_internal(H264Context *h, DCTELEM *block, \ if( coeff_abs >= 15 ) { \ int j = 0; \ - while( get_cabac_bypass( CC ) ) { \ + while (get_cabac_bypass(CC) && j < 30) { \ j++; \ } \ \ From 11f98c83d1c2a4eecd213bd94a907831fb36a590 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Tue, 6 Jan 2015 16:47:18 +0100 Subject: [PATCH 0978/1037] img2dec: correctly use the parsed value from -start_number Previously the image sequence was always starting from the minimum number rather than the requested one. CC: libav-stable@libav.org --- libavformat/img2dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 1d437f5b4d..6c8a3b3494 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -194,7 +194,7 @@ static int img_read_header(AVFormatContext *s1) return AVERROR(ENOENT); s->img_first = first_index; s->img_last = last_index; - s->img_number = first_index; + s->img_number = s->start_number != 1 ? s->start_number : first_index; /* compute duration */ st->start_time = 0; st->duration = last_index - first_index + 1; From 473281193bed8dcb3f6954a18d03cf6298d651b3 Mon Sep 17 00:00:00 2001 
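Review bot: When the new `j < 30` cap ends the loop in decode_cabac_residual_internal, decoding carries on with j == 30 and nothing records that the stream was malformed. The lines after the loop are outside the hunk, so it needs confirming that this value is handled safely there. The bound deserves a comment inside the macro, e.g. `/* 30 = max number of bits that can be read into coeff_abs below */ \`, since the rationale currently lives only in the commit message. Note also that `get_cabac_bypass(CC)` is evaluated before the `j < 30` test, so one more bypass bit is consumed on the iteration that hits the cap.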
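Review bot: In img_read_header the sequence now starts at `s->start_number`, but the duration two lines below is still `last_index - first_index + 1`, so a start in the middle of the range reports more frames than will be read. `st->duration = last_index - s->img_number + 1;` would keep the two consistent. The `!= 1` test treats 1 as "option not given", which cannot be told apart from an explicit `-start_number 1`. The hunk also shows no check that the value lies within `first_index`..`last_index`, though the function body extends outside the hunk and that may be done elsewhere.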
From: Reinhard Tartler Date: Sun, 8 Mar 2015 11:24:45 -0400 Subject: [PATCH 0979/1037] Update Changelog for v9.18 --- Changelog | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Changelog b/Changelog index 320112cbe9..9c0ecf6c20 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,17 @@ Releases are sorted from youngest to oldest. +version 9.18: +- img2dec: correctly use the parsed value from -start_number +- h264_cabac: Break infinite loops +- matroskadec: Fix read-after-free in matroska_read_seek() (chromium/427266) +- smc: fix the bounds check (CVE-2014-8548) +- gifdec: refactor interleave end handling (CVE-2014-8547) +- mmvideo: check frame dimensions (CVE-2014-8543) +- jvdec: check frame dimensions (CVE-2014-8542) +- mov: avoid a memleak when multiple stss boxes are present +- mp3enc: fix a triggerable assert +- apetag: Fix APE tag size check + version 9.17: - ffv1dec: check that global parameters do not change in version 0/1 (CVE-2013-7020) - mpegenc: limit the maximum muxrate From 42eaec076bbe2629c466695f71e7aa283a6fda51 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Mar 2015 11:25:19 -0400 Subject: [PATCH 0980/1037] Prepare for 9.18 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index b17b48a035..128edb0fb2 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -9.17 +9.18 From 9841654c158c80e9d525ba03754135d3f34e306e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 5 Mar 2015 23:38:00 +0200 Subject: [PATCH 0981/1037] arm: Suppress tags about used cpu arch and extensions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When all the codepaths using manually set .arch/.fpu code is behind runtime detection, the elf attributes should be suppressed. This allows tools to know that the final built binary doesn't strictly require these extensions. 
Signed-off-by: Martin Storsjö (cherry picked from commit dcae2e32f7d8a1ca5fb8c1e4aa81313be854dd73 and b77e335e441040a40fc6156b8e4a134745d10233) Signed-off-by: Martin Storsjö --- configure | 6 ++++++ libavutil/arm/asm.S | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/configure b/configure index 466ce54c21..042692f23d 100755 --- a/configure +++ b/configure @@ -1204,6 +1204,7 @@ HAVE_LIST=" alsa_asoundlib_h altivec_h arpa_inet_h + as_object_arch asm_mod_q asm_mod_y attribute_may_alias @@ -3223,6 +3224,11 @@ EOF enabled_all armv6t2 shared !pic && enable_pic + # llvm's integrated assembler supports .object_arch from llvm 3.5 + [ "$objformat" = elf ] && check_as < Date: Wed, 18 Feb 2015 12:11:44 +0000 Subject: [PATCH 0982/1037] eamad: check for out of bounds read Bug-Id: CID 1257500 CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavcodec/eamad.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index 405cc2a6ac..72eae0f248 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -134,6 +134,11 @@ static inline void decode_block_intra(MadContext *s, DCTELEM * block) break; } else if (level != 0) { i += run; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); + return; + } j = scantable[i]; level = (level*quant_matrix[j]) >> 4; level = (level-1)|1; @@ -148,6 +153,11 @@ static inline void decode_block_intra(MadContext *s, DCTELEM * block) run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6); i += run; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); + return; + } j = scantable[i]; if (level < 0) { level = -level; @@ -159,10 +169,6 @@ static inline void decode_block_intra(MadContext *s, DCTELEM * block) level = (level-1)|1; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return; - } block[j] = level; } 
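Review bot: Both new `i > 63` guards in decode_block_intra log and then `return;` from a `void` function, so the caller cannot learn that the block was abandoned part-way. Whether the caller conceals or discards the macroblock is not visible from these hunks. If it does not, consider returning an int (`return AVERROR_INVALIDDATA;`) and checking it at the call site. The two guards are identical, so keeping the limit and message in one small helper or macro would stop them drifting apart.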
From ded9931d165544c342795a1b66e4777b6e7daeb0 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 3 Mar 2015 21:31:15 +0100 Subject: [PATCH 0983/1037] rv10: check size of s->mb_width * s->mb_height If it doesn't fit into 12 bits it triggers an assertion. Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov Signed-off-by: Vittorio Giovara --- libavcodec/mpegvideo.h | 2 +- libavcodec/mpegvideo_enc.c | 7 +++++-- libavcodec/rv10enc.c | 7 ++++++- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 38d9ab6d52..c965bbc623 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -897,7 +897,7 @@ int ff_h261_get_picture_format(int width, int height); /* rv10.c */ -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); int ff_rv_decode_dc(MpegEncContext *s, int n); void ff_rv20_encode_picture_header(MpegEncContext *s, int picture_number); diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index f783dc7892..987f8d0276 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -3295,8 +3295,11 @@ static int encode_picture(MpegEncContext *s, int picture_number) ff_msmpeg4_encode_picture_header(s, picture_number); else if (CONFIG_MPEG4_ENCODER && s->h263_pred) ff_mpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) - ff_rv10_encode_picture_header(s, picture_number); + else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { + ret = ff_rv10_encode_picture_header(s, picture_number); + if (ret < 0) + return ret; + } else if (CONFIG_RV20_ENCODER && s->codec_id == AV_CODEC_ID_RV20) ff_rv20_encode_picture_header(s, picture_number); else if (CONFIG_FLV_ENCODER && s->codec_id == AV_CODEC_ID_FLV1) diff --git a/libavcodec/rv10enc.c b/libavcodec/rv10enc.c index d3cd12c3f8..a2df8f1696 100644 
--- a/libavcodec/rv10enc.c +++ b/libavcodec/rv10enc.c @@ -28,7 +28,7 @@ #include "mpegvideo.h" #include "put_bits.h" -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) { int full_frame= 0; @@ -48,12 +48,17 @@ void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) /* if multiple packets per frame are sent, the position at which to display the macroblocks is coded here */ if(!full_frame){ + if (s->mb_width * s->mb_height >= (1U << 12)) { + av_log_missing_feature(s->avctx, "Encoding frames with 4096 macroblocks or more", 0); + return AVERROR(ENOSYS); + } put_bits(&s->pb, 6, 0); /* mb_x */ put_bits(&s->pb, 6, 0); /* mb_y */ put_bits(&s->pb, 12, s->mb_width * s->mb_height); } put_bits(&s->pb, 3, 0); /* ignored */ + return 0; } FF_MPV_GENERIC_CLASS(rv10) From 3756b306a259d1376ce90404771c4d0ea7e23162 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 16:52:26 +0100 Subject: [PATCH 0984/1037] rmenc: limit packet size The chunk size is limited to UINT16_MAX (written by avio_wb16), so make sure that the packet size is not too large. Such large frames need to be split into slices smaller than 64 kB, but that is currently supported neither by the rv10/rv20 encoders nor the rm muxer. Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov Signed-off-by: Vittorio Giovara --- libavformat/rmenc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c index ed1ba7c75b..f8bdbcc92a 100644 --- a/libavformat/rmenc.c +++ b/libavformat/rmenc.c @@ -44,6 +44,10 @@ typedef struct { /* in ms */ #define BUFFER_DURATION 0 +/* the header needs at most 7 + 4 + 12 B */ +#define MAX_HEADER_SIZE (7 + 4 + 12) +/* UINT16_MAX is the maximal chunk size */ +#define MAX_PACKET_SIZE (UINT16_MAX - MAX_HEADER_SIZE) static void put_str(AVIOContext *s, const char *tag) 
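Review bot: The macroblock-count limit is tested inside ff_rv10_encode_picture_header, i.e. once per picture, although `s->mb_width * s->mb_height` presumably does not change after the encoder is opened. Rejecting the dimensions once at init would fail before any packet is written; the init function is outside this diff, so this needs checking against it. The prototype change also leaves `ff_rv20_encode_picture_header` as `void` in the mpegvideo.h hunk, so the two sibling header writers now have different signatures. If rv20 can hit a similar field-width limit it has no way to report it.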
@@ -387,6 +391,10 @@ static int rm_write_video(AVFormatContext *s, const uint8_t *buf, int size, int /* Well, I spent some time finding the meaning of these bits. I am not sure I understood everything, but it works !! */ #if 1 + if (size > MAX_PACKET_SIZE) { + av_log_missing_feature(s, "Muxing packets larger than 64 kB", 0); + return AVERROR(ENOSYS); + } write_packet_header(s, stream, size + 7 + (size >= 0x4000)*4, key_frame); /* bit 7: '1' if final packet of a frame converted in several packets */ avio_w8(pb, 0x81); From 789f433bc6376e6e45d41ae491007d482fa1df85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Mar 2015 17:36:14 +0000 Subject: [PATCH 0985/1037] utvideodec: Handle slice_height being zero Fixes out of array accesses. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Bug-Id: CVE-2014-9604 Signed-off-by: Vittorio Giovara Signed-off-by: Luca Barbato (cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d) (cherry picked from commit 3a417a86b330b7c1acf9db4f729be7d619caaded) Signed-off-by: Reinhard Tartler (cherry picked from commit e032e647dd79e7748145792dfee0358eccb1982e) Signed-off-by: Reinhard Tartler --- libavcodec/utvideodec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 3f8f690ee0..3367ed4a1c 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -211,6 +211,8 @@ static void restore_median(uint8_t *src, int step, int stride, slice_start = ((slice * height) / slices) & cmask; slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride; @@ -267,6 +269,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride; 
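Review bot: `MAX_PACKET_SIZE` is enforced only in rm_write_video. The audio write path is not part of this diff, and if it also hands an unchecked `size` to write_packet_header it would have the same 16-bit truncation. The check sits inside the `#if 1` branch, so the alternative branch (outside the hunk) would need it too should it ever be enabled. The log text says "64 kB" while the real limit is `UINT16_MAX - MAX_HEADER_SIZE`; a comment at the define, such as `/* largest payload whose chunk length still fits avio_wb16() */`, would make the relation explicit.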
From 62b0462e5fa78901380ca229ddb6a7625efd61a2 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 7 Mar 2015 22:06:59 +0100 Subject: [PATCH 0986/1037] tiff: Check that there is no aliasing in pixel format selection Fixes possible issues with unexpected bpp/bppcount values. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Bug-Id: CVE-2014-8544 (cherry picked from commit ae5e1f3d663a8c9a532d89e588cbc61f171c9186) Signed-off-by: Luca Barbato (cherry picked from commit eb9041403d820634c45ed4ee98570246a252507a) Signed-off-by: Reinhard Tartler --- libavcodec/tiff.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 309f1a9e1b..67dc5bd5a3 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -236,6 +236,14 @@ static int init_image(TiffContext *s) int i, ret; uint32_t *pal; + // make sure there is no aliasing in the following switch + if (s->bpp >= 100 || s->bppcount >= 10) { + av_log(s->avctx, AV_LOG_ERROR, + "Unsupported image parameters: bpp=%d, bppcount=%d\n", + s->bpp, s->bppcount); + return AVERROR_INVALIDDATA; + } + switch (s->bpp * 10 + s->bppcount) { case 11: s->avctx->pix_fmt = AV_PIX_FMT_MONOBLACK; From 798b3ed3fbc31672e6400e18db37deef03fff44f Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Mar 2015 22:22:28 -0400 Subject: [PATCH 0987/1037] doc: More changelog updates for v9.18 --- Changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Changelog b/Changelog index 9c0ecf6c20..9f1f138c39 100644 --- a/Changelog +++ b/Changelog 
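Review bot: The new guard in init_image bounds `bpp` and `bppcount` only from above. If either field can hold a negative value (they are printed with `%d`; their declarations are outside the hunk), `s->bpp * 10 + s->bppcount` can still alias a valid case label, for example 2 and -9 giving 11. If they are signed, extend the test to `s->bpp < 0 || s->bpp >= 100 || s->bppcount < 0 || s->bppcount >= 10`. If they are unsigned, the message should use `%u`.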
@@ -1,6 +1,12 @@ Releases are sorted from youngest to oldest. version 9.18: +- tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544) +- utvideodec: Handle slice_height being zero (CVE-2014-9604) +- rmenc: limit packet size +- rv10: check size of s->mb_width * s->mb_height +- eamad: check for out of bounds read (CID/1257500) +- arm: Suppress tags about used cpu arch and extensions - img2dec: correctly use the parsed value from -start_number - h264_cabac: Break infinite loops - matroskadec: Fix read-after-free in matroska_read_seek() (chromium/427266) From 9f650fb5fb3270df6ef570a919b988a0a97a2e1c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Mar 2015 20:21:14 +0100 Subject: [PATCH 0988/1037] avcodec/012v: Check dimensions more completely Fixes division by 0 Found-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit d3b25383daffac154846daeb4e4fb46569e728db) Conflicts: libavcodec/012v.c --- libavcodec/012v.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index 6f4533b14c..8151e2a330 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -54,8 +54,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, if (pic->data[0]) avctx->release_buffer(avctx, pic); - if (width == 1) { - av_log(avctx, AV_LOG_ERROR, "Width 1 not supported.\n"); + if (width <= 1 || avctx->height <= 0) { + av_log(avctx, AV_LOG_ERROR, "Dimensions %dx%d not supported.\n", width, avctx->height); return AVERROR_INVALIDDATA; } if (avpkt->size < avctx->height * stride) { From e76a5a9c284c033210485b952ec4cadc05034503 Mon Sep 17 00:00:00 2001 
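Review bot: After the widened dimension check in zero12v_decode_frame, the next test still computes `avctx->height * stride` in what looks like plain int arithmetic, so a very large frame could overflow the product before it is compared with `avpkt->size`. The declaration of `stride` is outside the hunk, so this is inferred. Widening one operand, `if (avpkt->size < (int64_t)avctx->height * stride) {`, closes that without changing behaviour for valid input.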
From: Stefano Sabatini Date: Tue, 21 Jan 2014 19:58:41 +0100 Subject: [PATCH 0989/1037] lavf/segment: remove duplicated and inconsistent cleanup code in seg_write_packet() In particular, avoid to leave around the seg->avf pointer to freed structure, and fix crash with: ffmpeg -f lavfi -i testsrc -c:v h264 -map 0 -f segment foo-%d.ts (cherry picked from commit 169065fbfb3da1ab776379c333aebc54bb1f1bc4) Found-by: Qinghao Tang Signed-off-by: Michael Niedermayer --- libavformat/segment.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index efc35c8bf5..76616f8a0b 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -656,12 +656,6 @@ fail: if (pkt->stream_index == seg->reference_stream_index) seg->frame_count++; - if (ret < 0) { - if (seg->list) - avio_close(seg->list_pb); - avformat_free_context(oc); - } - return ret; } From 93c9f1b97cdd898699a47751a39ae6fbae87d49e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Dec 2014 21:41:46 +0100 Subject: [PATCH 0990/1037] avformat/cdxl: Fix integer overflow of image_size Signed-off-by: Michael Niedermayer (cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128) Signed-off-by: Michael Niedermayer --- libavformat/cdxl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index 185b745bb0..226a704650 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c @@ -127,6 +127,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); + if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + return AVERROR_INVALIDDATA; image_size = FFALIGN(width, 16) * height * cdxl->header[19] / 8; video_size = palette_size + image_size; From 1b9a62c357b1e0045b5c1eb6fb6e5f3cdbd979ce Mon Sep 17 00:00:00 2001 
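Review bot: The overflow guard in cdxl_read_packet repeats the `FFALIGN(width, 16) * height * cdxl->header[19]` expression that the next line evaluates again in int, so the two can drift apart when one is edited. With a 64-bit local declared among the other locals, this becomes `bits = FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19];`, `if (bits > INT_MAX) return AVERROR_INVALIDDATA;`, `image_size = bits / 8;`. The rejection is also silent, and an `av_log(s, AV_LOG_ERROR, ...)` before the return would make truncated or crafted files easier to diagnose. The function body extends outside the hunk.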
From: wm4 Date: Mon, 5 Jan 2015 04:45:26 +0100 Subject: [PATCH 0991/1037] avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index cc9e11bc92..8beec5015a 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -98,6 +98,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; + if (start >= buf_size) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -339,10 +342,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; - decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); - decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); + if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) + goto fail; + if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) + goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (yuv_palette == 0) From b41bc711438abed7b67499ea4865127f97df6745 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 5 Jan 2015 16:19:09 -0800 Subject: [PATCH 0992/1037] mov: Avoid overflow with mov_metadata_raw() The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta 
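Review bot: The two new `goto fail` exits in decode_dvd_subtitles are taken after `rects[0]` has been allocated, `num_rects` set to 1 and `bitmap` attached to it. The `fail:` label is outside the hunk, so it needs confirming that it (or the caller) frees them; otherwise every rejected subtitle leaks. In the context lines just above, `sub_header->rects[0]` is dereferenced straight after `av_mallocz` with no NULL check. The new guard in decode_rle returns a bare `-1`, and `return AVERROR_INVALIDDATA;` would match the other input-validation fixes in this series.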
Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 081305b34f..dd5352e2da 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -281,6 +281,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); From e2e66f2f998242c7a9342df6d68f9a98fda774c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 04:29:10 +0100 Subject: [PATCH 0993/1037] avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index dd5352e2da..df3dc39f8c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -388,7 +388,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; - if (atom.size < 0) + if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); From 3eee7e0db60dc2d3756bde814f21f3df72eb0b0b Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 5 Jan 2015 16:34:17 -0800 Subject: [PATCH 0994/1037] mov: Fix negative size calculation in mov_read_default(). The previous code assumed if an atom was marked with a 64-bit size extension, it actually had that data available. The new code verfies there's enough data in the atom for this to be done. Failure to verify causes total_size > atom.size which will result in negative size calculations later on. Found-by: Paul Mehta 
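Review bot: The new length guard in mov_metadata_raw returns `AVERROR(EINVAL)` for a value that presumably comes from the file, whereas the other checks added to mov.c in this series use `AVERROR_INVALIDDATA`, which describes the situation better to callers. The comment `// Check for overflow.` could say which overflow is meant, e.g. `/* len + 1 must not wrap, and len must fit the int size taken by avio_read() */`.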
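Review bot: The added `str_size >= INT_MAX/2` test in mov_read_udta_string has no comment explaining the factor of two, and the code that makes it necessary is outside the hunk. A one-line comment naming the later computation that scales `str_size` would keep the bound from looking arbitrary. The test runs after the `if (!key) return 0;` early exit, so oversized values under unrecognised keys still return success. That is probably harmless, but it should be a deliberate choice.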
Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index df3dc39f8c..c55834e838 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2836,7 +2836,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) } } total_size += 8; - if (a.size == 1) { /* 64 bit extended size */ + if (a.size == 1 && total_size + 8 <= atom.size) { /* 64 bit extended size */ a.size = avio_rb64(pb) - 8; total_size += 8; } From ad0c39c1f10f127ab8981f75c37fd48f45aaae52 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 19:51:38 +0100 Subject: [PATCH 0995/1037] avformat/mov: Fix mixed declaration and statement warning Signed-off-by: Michael Niedermayer (cherry picked from commit db27f50e0658e91758e8a17fdcf390e6bc93c1d2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c55834e838..9f226c7b36 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -281,10 +281,11 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + char *value; // Check for overflow. if (len >= INT_MAX) return AVERROR(EINVAL); - char *value = av_malloc(len + 1); + value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); avio_read(pb, value, len); From 77c20198bbbb2b48ddef15784217e786200853f3 Mon Sep 17 00:00:00 2001 From: Johan Andersson Date: Sat, 3 Jan 2015 17:31:36 +0100 Subject: [PATCH 0996/1037] cmdutils: update copyright year to 2015. (cherry picked from commit 3e160652219ff4da433f5672ae1e5f4956abb815) Conflicts: cmdutils.c --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
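Review bot: When `a.size == 1` but `total_size + 8 <= atom.size` is false, mov_read_default now falls through with `a.size` still equal to 1, a value smaller than the 8-byte atom header already consumed. How the following lines treat that is outside the hunk, so it needs confirming that it ends the loop rather than producing a negative or tiny child atom. Treating the case explicitly as invalid data would make the outcome independent of that later code. The 64-bit value read by `avio_rb64(pb)` is also used unvalidated in this hunk, and a stored size below 16 makes `a.size` smaller than the extended header.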
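Review bot: In mov_metadata_raw the result of `avio_read(pb, value, len);` is still ignored, so on a truncated file part or all of the freshly `av_malloc`ed buffer stays uninitialised. The rest of the function is outside the hunk, but it presumably goes on to use `value` as a string. Checking the return, e.g. `ret = avio_read(pb, value, len); if (ret < 0) { av_free(value); return ret; }`, avoids exposing heap contents as metadata. A short read that returns fewer than `len` bytes would want the terminator placed at the returned length.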
diff --git a/cmdutils.c b/cmdutils.c index 1068baf3d8..c67f7e3c8a 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -65,7 +65,7 @@ struct SwsContext *sws_opts; SwrContext *swr_opts; AVDictionary *format_opts, *codec_opts; -const int this_year = 2014; +const int this_year = 2015; static FILE *report_file; From 633461d8bb1d58838c48b29136f6db58712821c1 Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 7 Jan 2015 23:57:50 +0100 Subject: [PATCH 0997/1037] avcodec/dvdsubdec: error on bitmaps with size 0 Attemtping to decode them could lead to invalid writes with some fuzzed samples. Signed-off-by: Michael Niedermayer (cherry picked from commit bcaa9099b3648b47060e1724a97dc98b63c83702) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 8beec5015a..b4032a6a19 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -101,6 +101,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, if (start >= buf_size) return -1; + if (w <= 0 || h <= 0) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); From e9179e6673ba9eb89e81ccb8f3bef84b715a8aee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jan 2015 23:02:30 +0100 Subject: [PATCH 0998/1037] ffmpeg: Clear error message array at init. This avoids printing uninitialized bytes if no error message is set Signed-off-by: Michael Niedermayer (cherry picked from commit 6d1a2efb8ac399a003ea7d3b6f8c641d192567ee) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index b8f5bbac6d..611d6a8277 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2020,7 +2020,7 @@ static int transcode_init(void) AVCodecContext *codec; OutputStream *ost; InputStream *ist; - char error[1024]; + char error[1024] = {0}; int want_sdp = 1; /* init framerate emulation */ 
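Review bot: With the new `w <= 0 || h <= 0` guard, decode_rle now fails for a zero-row field, and decode_dvd_subtitles calls it with `h / 2` for the second field and treats a negative return as fatal (both visible in the earlier dvdsubdec commit of this series). A bitmap of height 1 is therefore rejected as a whole even though its first field is valid, unless such heights are filtered before this point, which is not visible here. If that is unintended, the caller could skip the second call when `h / 2` is zero. As with the `start` check above it, `AVERROR_INVALIDDATA` would be clearer than `-1`.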
From de84d683b28974d9e83b3d6ce1bd8f11d225babe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jan 2015 01:56:03 +0100 Subject: [PATCH 0999/1037] avcodec/flac_parser: fix handling EOF if no headers are found Fixes assertion failure Fixes Ticket4269 Signed-off-by: Michael Niedermayer (cherry picked from commit c4d85fc23c100f7a27d9bad710eb153214868e27) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 52ec1ee683..0d28c85f87 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -655,7 +655,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, handle_error: *poutbuf = NULL; *poutbuf_size = 0; - return read_end - buf; + return buf_size ? read_end - buf : 0; } static int flac_parse_init(AVCodecParserContext *c) From bbef5b0b86f6603ced05a77fe38be4fef486cb17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:19:25 +0100 Subject: [PATCH 1000/1037] avformat/utils: Fix number suffixes in tb_unreliable() Signed-off-by: Michael Niedermayer (cherry picked from commit 4b15bba2aec93776bfdc69a1bca42a4795a7d191) Conflicts: libavformat/utils.c (cherry picked from commit e651a2f88c219e74c9851563e74100f7652a6005) --- libavformat/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index e42c1fc8f9..360847fe68 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -2652,8 +2652,8 @@ static int get_std_framerate(int i){ * And there are "variable" fps files this needs to detect as well. */ static int tb_unreliable(AVCodecContext *c){ - if( c->time_base.den >= 101L*c->time_base.num - || c->time_base.den < 5L*c->time_base.num + if( c->time_base.den >= 101LL*c->time_base.num + || c->time_base.den < 5LL*c->time_base.num /* || c->codec_tag == AV_RL32("DIVX") || c->codec_tag == AV_RL32("XVID")*/ || c->codec_tag == AV_RL32("mp4v") From 2894f27761c696346328fa73d9257471fc884344 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:36:13 +0100 Subject: [PATCH 1001/1037] avformat/smacker: Fix number suffix Signed-off-by: Michael Niedermayer (cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 47f4417f37..1af3111f99 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -310,7 +310,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) uint8_t *tmpbuf; size = avio_rl32(s->pb) - 4; - if (!size || size + 4L > frame_size) { + if (!size || size + 4LL > frame_size) { av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); return AVERROR_INVALIDDATA; } From a1fec9d14116b5fd4f1021b70dc1cf10f700b502 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:40:13 +0100 Subject: [PATCH 1002/1037] avcodec/mpegvideo_enc: Fix number suffixes in rc_buffer_size calculation Signed-off-by: Michael Niedermayer (cherry picked from commit 4531e2c489d279bfc90d54ca26ed898c5b265a7f) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 90350a7a65..fe3bfd9174 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
@@ -411,18 +411,18 @@ av_cold int ff_MPV_encode_init(AVCodecContext *avctx) switch(avctx->codec_id) { case AV_CODEC_ID_MPEG1VIDEO: case AV_CODEC_ID_MPEG2VIDEO: - avctx->rc_buffer_size = FFMAX(avctx->rc_max_rate, 15000000) * 112L / 15000000 * 16384; + avctx->rc_buffer_size = FFMAX(avctx->rc_max_rate, 15000000) * 112LL / 15000000 * 16384; break; case AV_CODEC_ID_MPEG4: case AV_CODEC_ID_MSMPEG4V1: case AV_CODEC_ID_MSMPEG4V2: case AV_CODEC_ID_MSMPEG4V3: if (avctx->rc_max_rate >= 15000000) { - avctx->rc_buffer_size = 320 + (avctx->rc_max_rate - 15000000L) * (760-320) / (38400000 - 15000000); + avctx->rc_buffer_size = 320 + (avctx->rc_max_rate - 15000000LL) * (760-320) / (38400000 - 15000000); } else if(avctx->rc_max_rate >= 2000000) { - avctx->rc_buffer_size = 80 + (avctx->rc_max_rate - 2000000L) * (320- 80) / (15000000 - 2000000); + avctx->rc_buffer_size = 80 + (avctx->rc_max_rate - 2000000LL) * (320- 80) / (15000000 - 2000000); } else if(avctx->rc_max_rate >= 384000) { - avctx->rc_buffer_size = 40 + (avctx->rc_max_rate - 384000L) * ( 80- 40) / ( 2000000 - 384000); + avctx->rc_buffer_size = 40 + (avctx->rc_max_rate - 384000LL) * ( 80- 40) / ( 2000000 - 384000); } else avctx->rc_buffer_size = 40; avctx->rc_buffer_size *= 16384; From 0a3371f3829eedf4291946e6a0a2103b680145f4 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 14:41:10 +0100 Subject: [PATCH 1003/1037] avformat/tta: fix crash with corrupted files av_add_index_entry() can fail, for example because the parameters are invalid, or because memory allocation fails. Check this; it can actually happen with corrupted files. The second hunk is just for robustness. Just in case functions like ff_reduce_index() remove entries. (Not sure if this can actually happen.) Fixes ticket #4294. Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6a0cd529a35190d9374b0b26504e71857cd67b83) 
Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index 445389ed95..2dce38f217 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -96,8 +96,10 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); - av_add_index_entry(st, framepos, i * c->frame_size, size, 0, - AVINDEX_KEYFRAME); + int r; + if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + AVINDEX_KEYFRAME)) < 0) + return r; framepos += size; } avio_skip(s->pb, 4); // seektable crc @@ -135,6 +137,11 @@ static int tta_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->currentframe >= c->totalframes) return AVERROR_EOF; + if (st->nb_index_entries < c->totalframes) { + av_log(s, AV_LOG_ERROR, "Index entry disappeared\n"); + return AVERROR_INVALIDDATA; + } + size = st->index_entries[c->currentframe].size; ret = av_get_packet(s->pb, pkt, size); From 5601f216bf01584249b5dcd8f5f55e0bc06220f4 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:12 +0100 Subject: [PATCH 1004/1037] avformat/mpc8: fix hang with fuzzed file This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 1c9ae4c360..23fb637cd1 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c 
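Review bot: The guard added to tta_read_packet compares `st->nb_index_entries` with `c->totalframes`, but the reason this protects `st->index_entries[c->currentframe]` is not written down. The index is addressed by frame number, so every frame counted in the header must still have its entry; a comment such as `/* index_entries[] is addressed by frame number: all totalframes entries must still exist */` above the `if` would state that. The log text "Index entry disappeared" could also print both counts to make a report from a corrupted file easier to triage.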
@@ -216,6 +216,10 @@ static int mpc8_read_header(AVFormatContext *s) while(!url_feof(pb)){ pos = avio_tell(pb); mpc8_get_chunk_header(pb, &tag, &size); + if (size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid chunk length\n"); + return AVERROR_INVALIDDATA; + } if(tag == TAG_STREAMHDR) break; mpc8_handle_chunk(s, tag, pos, size); From 21ebfcdd43860c3cd071ced8b558bc1b41c47f1f Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:11 +0100 Subject: [PATCH 1005/1037] avformat/mpc8: fix broken pointer math MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This could overflow and crash at least on 32 bit systems. Reviewed-by: Reimar Döffinger Signed-off-by: Michael Niedermayer (cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa) Conflicts: libavformat/mpc8.c (cherry picked from commit 49dd89f9027f3def12e170bb7d986d37812eedba) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 23fb637cd1..aa885f2dd5 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p) size = bs_get_v(&bs); if (size < 2) return 0; - if (bs + size - 2 >= bs_end) + if (size >= bs_end - bs + 2) return AVPROBE_SCORE_MAX / 4 - 1; //seems to be valid MPC but no header yet if (header_found) { if (size < 11 || size > 28) From 485f78be206fac4dd74090a62a4498eabb1d488d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 14:47:41 +0100 Subject: [PATCH 1006/1037] avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior Signed-off-by: Michael Niedermayer (cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index aa885f2dd5..f434c89227 100644 --- a/libavformat/mpc8.c 
+++ b/libavformat/mpc8.c @@ -57,7 +57,7 @@ typedef struct { static inline int64_t bs_get_v(const uint8_t **bs) { - int64_t v = 0; + uint64_t v = 0; int br = 0; int c; @@ -108,7 +108,7 @@ static int mpc8_probe(AVProbeData *p) static inline int64_t gb_get_v(GetBitContext *gb) { - int64_t v = 0; + uint64_t v = 0; int bits = 0; while(get_bits1(gb) && bits < 64-7){ v <<= 7; From 6b4fc845f5c7b5618c3bf964ac89efc91b534093 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:13:18 +0100 Subject: [PATCH 1007/1037] avcodec/mjpegdec: Check escape sequence validity Fixes assertion failure Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 19feb38b9f..f9d712c5d3 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1631,6 +1631,10 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s, put_bits(&pb, 8, x); if (x == 0xFF) { x = src[b++]; + if (x & 0x80) { + av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n"); + x &= 0x7f; + } put_bits(&pb, 7, x); bit_count--; } From 3a691185f732cbb5b350fbf2327817087b2a3a30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:48:30 +0100 Subject: [PATCH 1008/1037] avcodec/mjpegdec: Check number of components for JPEG-LS Fixes out of array accesses Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fabbfaa095660982cc0bc63242c459561fa37037) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index f9d712c5d3..5a2b93b53f 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
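Review bot: `v` is now `uint64_t` in bs_get_v (and in gb_get_v in the next hunk), but both functions still return `int64_t`, so a value above INT64_MAX is converted on return with an implementation-defined result. The shifts are well defined after this change, yet callers stay safe only if they treat a negative result as invalid, as the `size < 2` test in mpc8_probe does. A comment on both functions, `/* may return a negative value for out-of-range lengths; callers must reject it */`, would make that contract explicit. Both function bodies continue outside their hunks.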
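Review bot: In the ff_mjpeg_find_marker hunk the byte after a 0xFF is fetched with `x = src[b++]`, and nothing visible shows that `b` is still inside the scan data at that point, so input ending in 0xFF may be read past its end. The loop header is outside the hunk, so this has to be checked against the loop bound. If the bound does not already leave room for the extra byte, guard the escape with it, e.g. `if (x == 0xFF && b < LIMIT) {` where LIMIT stands for the loop's end index (its name is not visible here). The added `x &= 0x7f` does keep the 7-bit `put_bits` argument in range.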
@@ -439,9 +439,12 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) } if (s->ls) { s->upscale_h = s->upscale_v = 0; - if (s->nb_components > 1) + if (s->nb_components == 3) { s->avctx->pix_fmt = AV_PIX_FMT_RGB24; - else if (s->bits <= 8) + } else if (s->nb_components != 1) { + av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components); + return AVERROR_PATCHWELCOME; + } else if (s->bits <= 8) s->avctx->pix_fmt = AV_PIX_FMT_GRAY8; else s->avctx->pix_fmt = AV_PIX_FMT_GRAY16; From 097417299a0ef87cb3d459388a4b313272d74c38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Feb 2015 00:12:08 +0100 Subject: [PATCH 1009/1037] swscale/utils: Limit filter shifting so as not to read from prior the array Fixes out of array read Fixes: asan_heap-oob_1fb2f9b_3780_cov_3984375136_usf.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 692b22626ec9a9585f667c124a186b1a9796e432) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 55ade89fc4..92e712bf42 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -571,14 +571,15 @@ static int initFilter(int16_t **outFilter, int32_t **filterPos, } if ((*filterPos)[i] + filterSize > srcW) { - int shift = (*filterPos)[i] + filterSize - srcW; + int shift = (*filterPos)[i] + FFMIN(filterSize - srcW, 0); + // move filter coefficients right to compensate for filterPos for (j = filterSize - 2; j >= 0; j--) { int right = FFMIN(j + shift, filterSize - 1); filter[i * filterSize + right] += filter[i * filterSize + j]; filter[i * filterSize + j] = 0; } - (*filterPos)[i]= srcW - filterSize; + (*filterPos)[i]-= shift; } } From 7add0b069258af653b256882348a90dfe596e2af Mon Sep 17 00:00:00 2001 
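Review bot: In the initFilter hunk the new `shift` expression is not explained, and the kept comment only describes the loop below it. Working it through, `(*filterPos)[i] -= shift` leaves the position at `srcW - filterSize` when the filter fits and at 0 when `filterSize > srcW`; I would say so with `// shift so that filterPos ends at FFMAX(srcW - filterSize, 0), never negative`. In the `filterSize > srcW` case the window still extends past `srcW` after the shift, and the loop shown does not clear the taps that fall outside the input.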
From: Michael Niedermayer Date: Thu, 5 Feb 2015 03:45:21 +0100 Subject: [PATCH 1010/1037] avformat/thp: Check av_get_packet() for failure not only for partial output Fixes null pointer dereference Fixes: signal_sigsegv_db2c1f_3108_cov_163322880_pikmin2_opening1_partial.thp Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f2579dbb4b31e6ae731e7f5555680528ef3020ab) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 3717b8f12c..703a648a55 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -180,6 +180,8 @@ static int thp_read_packet(AVFormatContext *s, pkt->stream_index = thp->video_stream_index; } else { ret = av_get_packet(pb, pkt, thp->audiosize); + if (ret < 0) + return ret; if (ret != thp->audiosize) { av_free_packet(pkt); return AVERROR(EIO); From 9d49f4e08121aedbdd128e64080382d0fe6943c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 04:11:56 +0100 Subject: [PATCH 1011/1037] avcodec/h264_ps: More completely check the bit depths Fixes out of array read Fixes: asan_static-oob_30328b6_719_cov_3325483287_H264_artifacts_motion.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 69aa79365c1e8e1cb597d33e77bf1062c2ef47d4) Conflicts: libavcodec/h264_ps.c Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index b96a8be982..79da0bc85e 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c 
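Review bot: Only the audio branch of thp_read_packet gets the new `if (ret < 0) return ret;`; the video branch ends just above the first context line and is not part of this hunk. If it uses the same `ret != size` test followed by `av_free_packet(pkt)`, it has the same failure mode and needs the same early return. A one-line comment here, `/* on failure pkt is not valid, do not free it */`, would also explain why the two checks must stay separate.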
@@ -387,7 +387,9 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ } sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8; sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8; - if (sps->bit_depth_luma > 14U || sps->bit_depth_chroma > 14U || sps->bit_depth_luma != sps->bit_depth_chroma) { + if (sps->bit_depth_luma < 8 || sps->bit_depth_luma > 14 || + sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 14 || + sps->bit_depth_luma != sps->bit_depth_chroma) { av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", sps->bit_depth_luma, sps->bit_depth_chroma); goto fail; From 9db3ed258319e8b268b57d94331ef41f264071bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Feb 2015 03:33:53 +0100 Subject: [PATCH 1012/1037] avcodec/mjpegdec: Skip blocks which are outside the visible area Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash.avi Found-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5a2b93b53f..d021e8ffda 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1079,12 +1079,17 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - ptr = data[c] + block_offset; + if ( 8*(h * mb_x + x) < s->width + && 8*(v * mb_y + y) < s->height) { + ptr = data[c] + block_offset; + } else + ptr = NULL; if (!s->progressive) { - if (copy_mb) - mjpeg_copy_block(ptr, reference_data[c] + block_offset, - linesize[c], s->avctx->lowres); - else { + if (copy_mb) { + if (ptr) + mjpeg_copy_block(ptr, reference_data[c] + block_offset, + linesize[c], s->avctx->lowres); + } else { s->dsp.clear_block(s->block); if (decode_block(s, s->block, i, s->dc_index[i], s->ac_index[i], 
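Review bot: In the first mjpeg_decode_scan hunk `ptr` can now be NULL for blocks outside the picture, and this commit guards only the two uses in the non-progressive path (`mjpeg_copy_block` here, `idct_put` in the next hunk). The progressive branch begins at the end of the second hunk and continues outside it, so it is worth confirming that nothing there writes through `ptr`. A comment at the assignment, `/* NULL: block is outside the visible area; decode it but do not store it */`, would keep later edits from dereferencing it unchecked.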
@@ -1093,7 +1098,9 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, "error y=%d x=%d\n", mb_y, mb_x); return AVERROR_INVALIDDATA; } - s->dsp.idct_put(ptr, linesize[c], s->block); + if (ptr) { + s->dsp.idct_put(ptr, linesize[c], s->block); + } } } else { int block_idx = s->block_stride[c] * (v * mb_y + y) + From aa3b63a6a5eb5ddd9557d899ff18baeb0e6290f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:14:56 +0100 Subject: [PATCH 1013/1037] avformat/gxf: Use 64bit for res to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 12987f89007ee82b9d3a6090085dfaef8461ab8b) Signed-off-by: Michael Niedermayer --- libavformat/gxf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 86e629135d..464a9bd747 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -548,7 +548,7 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { } static int gxf_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { - int res = 0; + int64_t res = 0; uint64_t pos; uint64_t maxlen = 100 * 1024 * 1024; AVStream *st = s->streams[0]; From aef0c97b45fe97e1c9e3d4e089a25b38ba92ee55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:41:35 +0100 Subject: [PATCH 1014/1037] avformat/mvdec: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 26c0cc154e06cb0064b3a3da49447ac44d82444f) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index bb1c5d0dd8..81ebb60a3a 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c 
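Review bot: In the gxf_seek hunk `res` is widened to `int64_t`, but the function still returns `int`, so any `return res;` in the body (outside this hunk) narrows it again. That is harmless for negative error codes and wrong for a large offset, so the value should only be returned after a `< 0` test; `if (res < 0) return (int)res;` makes the intent visible. The same applies to `ret` in mv_read_packet and vqf_read_seek, changed the same way in the two commits that follow.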
@@ -354,7 +354,7 @@ static int mv_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVStream *st = avctx->streams[mv->stream_index]; const AVIndexEntry *index; int frame = mv->frame[mv->stream_index]; - int ret; + int64_t ret; uint64_t pos; if (frame < st->nb_frames) { From 07dcf5b05a198d10375faac71f63442df2406f11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 21:00:57 +0100 Subject: [PATCH 1015/1037] avformat/vqf: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit cb08687180683a755d0fe9d425280d0e4d1e6db2) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 81c1b39b81..0d82ad1401 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -262,7 +262,7 @@ static int vqf_read_seek(AVFormatContext *s, { VqfContext *c = s->priv_data; AVStream *st; - int ret; + int64_t ret; int64_t pos; st = s->streams[stream_index]; From 03be529f3917dd1cc766e701ad96dc5df631051d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Feb 2015 16:25:29 +0100 Subject: [PATCH 1016/1037] avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on patch by Francisco Blas Izquierdo Riera Commit message partly taken from carl fixes a compilation error in mlpdsp_init.c with -fstack-check and some gcc compilers (I reproduced the issue with gcc 4.7.3) by simplifying the code. See also https://bugs.gentoo.org/show_bug.cgi?id=471756 $ make libavcodec/x86/mlpdsp_init.o libavcodec/x86/mlpdsp_init.c: In function ‘mlp_filter_channel_x86’: libavcodec/x86/mlpdsp_init.c:142:5: error: can’t find a register in class ‘GENERAL_REGS’ while reloading ‘asm’ libavcodec/x86/mlpdsp_init.c:142:5: error: ‘asm’ operand has impossible constraints 4551 -> 4509 dezicycles Reviewed-by: Ramiro Polla 
Signed-off-by: Michael Niedermayer (cherry picked from commit 03f39fbb2a558153a3c464edec1378d637a755fe) Signed-off-by: Michael Niedermayer --- libavcodec/x86/mlpdsp.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/mlpdsp.c b/libavcodec/x86/mlpdsp.c index de28e22b52..5541b287ba 100644 --- a/libavcodec/x86/mlpdsp.c +++ b/libavcodec/x86/mlpdsp.c @@ -129,8 +129,8 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, FIRMUL (ff_mlp_firorder_6, 0x14 ) FIRMUL (ff_mlp_firorder_5, 0x10 ) FIRMUL (ff_mlp_firorder_4, 0x0c ) - FIRMULREG(ff_mlp_firorder_3, 0x08,10) - FIRMULREG(ff_mlp_firorder_2, 0x04, 9) + FIRMUL (ff_mlp_firorder_3, 0x08 ) + FIRMUL (ff_mlp_firorder_2, 0x04 ) FIRMULREG(ff_mlp_firorder_1, 0x00, 8) LABEL_MANGLE(ff_mlp_firorder_0)":\n\t" "jmp *%6 \n\t" @@ -159,8 +159,6 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, : /* 4*/"r"((x86_reg)mask), /* 5*/"r"(firjump), /* 6*/"r"(iirjump) , /* 7*/"c"(filter_shift) , /* 8*/"r"((int64_t)coeff[0]) - , /* 9*/"r"((int64_t)coeff[1]) - , /*10*/"r"((int64_t)coeff[2]) : "rax", "rdx", "rsi" #else /* ARCH_X86_32 */ /* 3*/"+m"(blocksize) From cbda3825262c211d14cd349f38e65b42e4845037 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:48:38 +0100 Subject: [PATCH 1017/1037] avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop Averaging over 2 pixels doesn't work correctly for the last pixel, because the rest of the buffer is not initialized. Signed-off-by: Michael Niedermayer (cherry picked from commit 87513d654546a99f8ddb045ca4fa5d33778a617e) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 0f6cc7636a..84a828f9f0 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c 
@@ -57,9 +57,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest) for (y = blocky; y < blocky + 8 && y < C64YRES; y++) { for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) { if(x < width && y < height) { - /* build average over 2 pixels */ - luma = (src[(x + 0 + y * p->linesize[0])] + - src[(x + 1 + y * p->linesize[0])]) / 2; + if (x + 1 < width) { + /* build average over 2 pixels */ + luma = (src[(x + 0 + y * p->linesize[0])] + + src[(x + 1 + y * p->linesize[0])]) / 2; + } else { + luma = src[(x + y * p->linesize[0])]; + } /* write blocks as linear data now so they are suitable for elbg */ dest[0] = luma; } From 81f80d7b48ec0e8b1e5c68304345877773d29362 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Feb 2015 00:32:39 +0100 Subject: [PATCH 1018/1037] swscale/utils: More carefully merge and clear coefficients outside the input Fixes out of array read Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1895d414aaacece3b57d7bf19502305e9a064fae) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 92e712bf42..50d0498680 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
@@ -572,14 +572,24 @@ static int initFilter(int16_t **outFilter, int32_t **filterPos, if ((*filterPos)[i] + filterSize > srcW) { int shift = (*filterPos)[i] + FFMIN(filterSize - srcW, 0); + int64_t acc = 0; - // move filter coefficients right to compensate for filterPos - for (j = filterSize - 2; j >= 0; j--) { - int right = FFMIN(j + shift, filterSize - 1); - filter[i * filterSize + right] += filter[i * filterSize + j]; - filter[i * filterSize + j] = 0; + for (j = filterSize - 1; j >= 0; j--) { + if ((*filterPos)[i] + j >= srcW) { + acc += filter[i * filterSize + j]; + filter[i * filterSize + j] = 0; + } } + for (j = filterSize - 1; j >= 0; j--) { + if (j < shift) { + filter[i * filterSize + j] = 0; + } else { + filter[i * filterSize + j] = filter[i * filterSize + j - shift]; + } + } + (*filterPos)[i]-= shift; + filter[i * filterSize + srcW - 1 - (*filterPos)[i]] += acc; } } From ec02afcb6e3302f00c1f5da3f59a46e84f36e965 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Feb 2015 03:12:22 +0100 Subject: [PATCH 1019/1037] avcodec/snowdec: Fix ref value check Fixes integer overflow and out of array read. Fixes: signal_sigsegv_24169e6_3445_cov_3778346427_snow_chroma_bug.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f4cbf940212079a34753c7f4d6c6b5a43586d30) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index c4baf0a7d1..87406eac71 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
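Review bot: The second new loop reads `filter[i * filterSize + j - shift]`, which stays inside row i only while `shift >= 0`; a negative `shift` would index past the row for the highest `j`. From the hunk, `shift` is non-negative when `filterSize > srcW` only if `(*filterPos)[i]` is already non-negative, and the code that would clamp it is above this hunk. Adding `av_assert0(shift >= 0);` after the two declarations would turn that assumption into a checked precondition. The final `+= acc` index `srcW - 1 - (*filterPos)[i]` likewise relies on `srcW >= 1`.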
@@ -156,7 +156,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int l = left->color[0]; int cb= left->color[1]; int cr= left->color[2]; - int ref = 0; + unsigned ref = 0; int ref_context= av_log2(2*left->ref) + av_log2(2*top->ref); int mx_context= av_log2(2*FFABS(left->mx - top->mx)) + 0*av_log2(2*FFABS(tr->mx - top->mx)); int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); From facd212f4a14f7b14bfe494d07cc34f89d8ee657 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Feb 2015 12:29:10 +0100 Subject: [PATCH 1020/1037] avcodec/zmbv: Check len before reading in decode_frame() Fixes out of array read Fixes: asan_heap-oob_4d4eb0_3994_cov_3169972261_zmbv_15bit.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1f5c7781e63d6519192ada59c1e36bcecc92791d) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 9be612bd03..c9bfcd2751 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -418,11 +418,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } /* parse header */ + if (len < 1) + return AVERROR_INVALIDDATA; c->flags = buf[0]; buf++; len--; if (c->flags & ZMBV_KEYFRAME) { void *decode_intra = NULL; c->decode_intra= NULL; + + if (len < 6) + return AVERROR_INVALIDDATA; hi_ver = buf[0]; lo_ver = buf[1]; c->comp = buf[2]; From 9814419debd96d8576841b5173357ff282d0512e Mon Sep 17 00:00:00 2001 From: James Cowgill Date: Thu, 26 Feb 2015 13:42:52 +0000 Subject: [PATCH 1021/1037] mips/acelp_filters: fix incorrect register constraint Change register constraint on the v variable from = to +. This was causing GCC to think that the v variable was never read and therefore not initialize it. This fixes about 20 fate failures on mips64el. Signed-off-by: James Cowgill 
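Review bot: The change of `ref` to `unsigned` in decode_q_branch is the whole fix, but nothing at the declaration says so, and the bound check it is meant to tighten is outside this hunk. Someone tidying types later could turn it back into `int` without noticing. I would write `unsigned ref = 0; /* unsigned so a negative decoded value fails the range check below */`, after confirming that the check further down compares `ref` against the reference-frame count.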
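Review bot: In the zmbv decode_frame hunk the keyframe guard uses the bare constant 6, while only `buf[0]` to `buf[2]` are read within the visible lines; the remaining reads are outside the hunk. If the keyframe header is six bytes, a comment such as `/* keyframe header is 6 bytes, all read below */` or a named constant would tie the check to the reads it protects. As written, adding a seventh header byte later would silently outgrow the guard.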
Signed-off-by: Michael Niedermayer (cherry picked from commit b9de1303a6414174ab2f3bccefa801bfabcf0f88) Signed-off-by: Michael Niedermayer --- libavcodec/mips/acelp_filters_mips.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mips/acelp_filters_mips.c b/libavcodec/mips/acelp_filters_mips.c index 1e0845c3b4..9a6fdae086 100644 --- a/libavcodec/mips/acelp_filters_mips.c +++ b/libavcodec/mips/acelp_filters_mips.c @@ -89,7 +89,7 @@ static void ff_acelp_interpolatef_mips(float *out, const float *in, "addu %[p_filter_coeffs_m], %[p_filter_coeffs_m], %[prec] \n\t" "madd.s %[v],%[v],%[in_val_m], %[fc_val_m] \n\t" - : [v] "=&f" (v),[p_in_p] "+r" (p_in_p), [p_in_m] "+r" (p_in_m), + : [v] "+&f" (v),[p_in_p] "+r" (p_in_p), [p_in_m] "+r" (p_in_m), [p_filter_coeffs_p] "+r" (p_filter_coeffs_p), [in_val_p] "=&f" (in_val_p), [in_val_m] "=&f" (in_val_m), [fc_val_p] "=&f" (fc_val_p), [fc_val_m] "=&f" (fc_val_m), From 2f4c2cc6d367e087c3bca7240efacbd82a30dcee Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 25 Feb 2015 22:55:44 +0100 Subject: [PATCH 1022/1037] avformat/adxdec: check avctx->channels for invalid values This avoids a null pointer dereference of pkt->data. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 7faa40af982960608b117e20fec999b48011e5e0) Signed-off-by: Michael Niedermayer --- libavformat/adxdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c index 49e19307d5..2cde39da7b 100644 --- a/libavformat/adxdec.c +++ b/libavformat/adxdec.c @@ -41,6 +41,11 @@ static int adx_read_packet(AVFormatContext *s, AVPacket *pkt) AVCodecContext *avctx = s->streams[0]->codec; int ret, size; + if (avctx->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + size = BLOCK_SIZE * avctx->channels; pkt->pos = avio_tell(s->pb); 
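Review bot: The adx_read_packet guard rejects `avctx->channels <= 0` but leaves `size = BLOCK_SIZE * avctx->channels` unbounded above, so a very large channel count could overflow the `int` multiplication. Whether the header parser already caps the channel count is not visible here. If it does not, extend the test to `if (avctx->channels <= 0 || avctx->channels > INT_MAX / BLOCK_SIZE) {`. The rest of the function continues outside the hunk.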
From c34ec56ea8f2e7b17e88f49cdc6a66a36702461c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 21:38:50 +0100 Subject: [PATCH 1023/1037] avformat/bit: check that pkt->size is 10 in write_packet Ohter packet sizes are not supported by this muxer. This avoids a null pointer dereference of pkt->data. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit eeda2c3de8a8484d9e7d1e47ac836bec850b31fc) Signed-off-by: Michael Niedermayer --- libavformat/bit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/bit.c b/libavformat/bit.c index 9f6ea4a415..daad7ccc7d 100644 --- a/libavformat/bit.c +++ b/libavformat/bit.c @@ -133,6 +133,9 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) GetBitContext gb; int i; + if (pkt->size != 10) + return AVERROR(EINVAL); + avio_wl16(pb, SYNC_WORD); avio_wl16(pb, 8 * 10); From 327b284b582e2d739241419bcc9d6109d0ce56b3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 21:42:02 +0100 Subject: [PATCH 1024/1037] avformat/bit: only accept the g729 codec and 1 channel Other codecs/channel numbers are not supported by this muxer. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d0b8640f75ff7569c98d6fdb03d83451104e088c) Signed-off-by: Michael Niedermayer --- libavformat/bit.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/bit.c b/libavformat/bit.c index daad7ccc7d..9930856f33 100644 --- a/libavformat/bit.c +++ b/libavformat/bit.c 
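Review bot: The new `pkt->size != 10` rejection in write_packet returns `AVERROR(EINVAL)` without a log line, unlike the other checks added in this series, so the caller gets an error with no hint about which packet property was wrong. Adding `av_log(s, AV_LOG_ERROR, "packet size %d not supported, expected 10\n", pkt->size);` before the return would fix that. The literal 10 appears again as `8 * 10` two lines below; a shared named constant would keep the check and the written length in step.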
@@ -119,8 +119,12 @@ static int write_header(AVFormatContext *s) { AVCodecContext *enc = s->streams[0]->codec; - enc->codec_id = AV_CODEC_ID_G729; - enc->channels = 1; + if ((enc->codec_id != AV_CODEC_ID_G729) || enc->channels != 1) { + av_log(s, AV_LOG_ERROR, + "only codec g729 with 1 channel is supported by this format\n"); + return AVERROR(EINVAL); + } + enc->bits_per_coded_sample = 16; enc->block_align = (enc->bits_per_coded_sample * enc->channels) >> 3; From 190e8b42834cb7a8af12db25b0f5c8b63abf99a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Feb 2015 03:12:23 +0100 Subject: [PATCH 1025/1037] swscale/utils: clear formatConvBuffer on allocation Fixes use of uninitialized memory Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 007498fc1a639ecee2cda1892cbcff66c7c8c951) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 50d0498680..80a079b05e 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1050,7 +1050,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, c->chrDstW = -((-dstW) >> c->chrDstHSubSample); c->chrDstH = -((-dstH) >> c->chrDstVSubSample); - FF_ALLOC_OR_GOTO(c, c->formatConvBuffer, FFALIGN(srcW*2+78, 16) * 2, fail); + FF_ALLOCZ_OR_GOTO(c, c->formatConvBuffer, FFALIGN(srcW*2+78, 16) * 2, fail); /* unscaled special cases */ if (unscaled && !usesHFilter && !usesVFilter && From c80c0b2637d83a4066cec38f2d2c00c0cff2a1ff Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 28 Feb 2015 20:58:31 +0100 Subject: [PATCH 1026/1037] avformat/flvenc: check that the codec_tag fits in the available bits flags is later written with avio_w8 and if it doesn't fit in one byte it triggers an av_assert2. 
Signed-off-by: Michael Niedermayer (cherry picked from commit e8565d21c276ab9ac5ce785549420321fbd0b093) Signed-off-by: Michael Niedermayer --- libavformat/flvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index c5ed800ac8..893536513c 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -475,7 +475,7 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) avio_w8(pb, FLV_TAG_TYPE_VIDEO); flags = enc->codec_tag; - if (flags == 0) { + if (flags <= 0 || flags > 15) { av_log(s, AV_LOG_ERROR, "Video codec '%s' is not compatible with FLV\n", avcodec_get_name(enc->codec_id)); From 95d6bd95b1296128b2750151924790b148cb20c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Mar 2015 14:30:34 +0100 Subject: [PATCH 1027/1037] avcodec/utils: Align YUV411 by as much as the other YUV variants Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash2.avi Found-by: Thomas Lindroth Tested-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit e3201c38d53d2b8b24d0bc95d726b2cb1752dc12) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 6bae2a8e71..0d823955ff 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -248,7 +248,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_YUV411P: case AV_PIX_FMT_UYYVYY411: w_align = 32; - h_align = 8; + h_align = 16 * 2; break; case AV_PIX_FMT_YUV410P: if (s->codec_id == AV_CODEC_ID_SVQ1) { From 676dff8c546274a8b5ab93038acca7fc0c347405 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Mar 2015 23:27:43 +0100 Subject: [PATCH 1028/1037] avcodec/tiff: move bpp check to after "end:" This ensures that all current and future code-pathes get bpp checked 
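Review bot: In the flv_write_packet hunk the upper bound 15 is a bare literal, and the reason for it is only in the commit message. The codec id shares the video tag byte with the frame type and has four bits, so I would write `if (flags <= 0 || flags > 15) { /* codec id must fit the low 4 bits of the tag byte */`. The error text still says the codec "is not compatible with FLV", which is accurate for a zero tag but less so for an out-of-range one; printing the tag value would help.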
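Review bot: In the avcodec_align_dimensions2 hunk the new `h_align = 16 * 2;` is unexplained at this case label; the commit title says it matches the other YUV variants, whose cases are outside the hunk. A trailing comment, `h_align = 16 * 2; // same alignment as the other planar YUV cases`, would stop the value from being "simplified" back to something smaller. Since the commit message ties this to out-of-array accesses, the comment is worth the line.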
Signed-off-by: Michael Niedermayer (cherry picked from commit d5e9fc782150d4596c72440a0aa02b7f4f1254b1) Conflicts: libavcodec/tiff.c --- libavcodec/tiff.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 239750d3d6..7278afbf86 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -755,13 +755,6 @@ static int tiff_decode_tag(TiffContext *s) s->bpp = -1; } } - if (s->bpp > 64U) { - av_log(s->avctx, AV_LOG_ERROR, - "This format is not supported (bpp=%d, %d components)\n", - s->bpp, count); - s->bpp = 0; - return AVERROR_INVALIDDATA; - } break; case TIFF_SAMPLES_PER_PIXEL: if (count != 1) { @@ -1037,6 +1030,13 @@ static int tiff_decode_tag(TiffContext *s) av_log(s->avctx, AV_LOG_DEBUG, "Unknown or unsupported tag %d/0X%0X\n", tag, tag); } + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } bytestream2_seek(&s->gb, start, SEEK_SET); return 0; } From fdb05ff57b8fdbd67feeaf2332e3000f02d471cc Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 8 Mar 2015 23:31:48 +0100 Subject: [PATCH 1029/1037] ffmdec: fix infinite loop at EOF If EOF is reached, while skipping bytes, avio_tell(pb) won't change anymore, resulting in an infinite loop. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6fa98822eba501a4898fdec5b75acd3026201005) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 02cf790f87..601ddaaf8e 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c 
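Review bot: After the move in tiff_decode_tag, the error message still prints `count` as "%d components", but at the end of the function `count` belongs to whichever tag was just parsed, not necessarily the bits-per-sample tag. The log line can therefore report a misleading component count. Dropping it from the message, `"This format is not supported (bpp=%d)\n", s->bpp`, keeps the log accurate. The early return also skips the `bytestream2_seek(&s->gb, start, SEEK_SET)` that follows; that looks harmless on an error path but is worth a glance at the caller.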
@@ -347,7 +347,7 @@ static int ffm2_read_header(AVFormatContext *s) } /* get until end of block reached */ - while ((avio_tell(pb) % ffm->packet_size) != 0) + while ((avio_tell(pb) % ffm->packet_size) != 0 && !pb->eof_reached) avio_r8(pb); /* init packet demux */ @@ -477,7 +477,7 @@ static int ffm_read_header(AVFormatContext *s) } /* get until end of block reached */ - while ((avio_tell(pb) % ffm->packet_size) != 0) + while ((avio_tell(pb) % ffm->packet_size) != 0 && !pb->eof_reached) avio_r8(pb); /* init packet demux */ From 8d0112d8fc734f6d81f9160448b80a153f4346c7 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 14:59:44 +0100 Subject: [PATCH 1030/1037] ffmdec: limit the backward seek to the last resync position If resyncing leads to the same position as previously, it will again lead to a resync attempt, resulting in an infinite loop. Thus don't seek back beyond the last syncpoint. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6b8263b03ab3d16d70525ae1893cb106be7852f1) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 601ddaaf8e..e927b21607 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -77,6 +77,7 @@ static int ffm_read_data(AVFormatContext *s, FFMContext *ffm = s->priv_data; AVIOContext *pb = s->pb; int len, fill_size, size1, frame_offset, id; + int64_t last_pos = -1; size1 = size; while (size > 0) { @@ -96,9 +97,11 @@ static int ffm_read_data(AVFormatContext *s, avio_seek(pb, tell, SEEK_SET); } id = avio_rb16(pb); /* PACKET_ID */ - if (id != PACKET_ID) + if (id != PACKET_ID) { if (ffm_resync(s, id) < 0) return -1; + last_pos = avio_tell(pb); + } fill_size = avio_rb16(pb); ffm->dts = avio_rb64(pb); frame_offset = avio_rb16(pb); 
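Review bot: When the padding loop in ffm2_read_header (libavformat/ffmdec.c) stops because `pb->eof_reached` is set, execution falls through to the packet demux setup exactly as if the block boundary had been reached. A truncated header would be easier to diagnose if it were rejected right after the loop, e.g. `if (pb->eof_reached) goto fail;`, provided files that end inside the header block are not meant to be accepted. The same applies to the identical loop in the ffm_read_header hunk. Both function bodies extend beyond the hunks.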
@@ -112,7 +115,9 @@ static int ffm_read_data(AVFormatContext *s, if (!frame_offset) { /* This packet has no frame headers in it */ if (avio_tell(pb) >= ffm->packet_size * 3LL) { - avio_seek(pb, -ffm->packet_size * 2LL, SEEK_CUR); + int64_t seekback = FFMIN(ffm->packet_size * 2LL, avio_tell(pb) - last_pos); + seekback = FFMAX(seekback, 0); + avio_seek(pb, -seekback, SEEK_CUR); goto retry_read; } /* This is bad, we cannot find a valid frame header */ From 3cb84900661e554041a1f9d144c3662b842e83fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Mar 2015 03:42:00 +0100 Subject: [PATCH 1031/1037] avcodec/options_table: remove extradata_size from the AVOptions table allowing access to the size but not the extradata itself is not useful and could lead to potential problems if writing happens through this field Reviewed-by: Andreas Cadhalpun Reviewed-by: Lukasz Marek Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 1f4088b28540080ce1d42345c5614be3e1a6a197) Signed-off-by: Michael Niedermayer --- libavcodec/options_table.h | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/options_table.h b/libavcodec/options_table.h index 963fdd4020..5bc6b533e1 100644 --- a/libavcodec/options_table.h +++ b/libavcodec/options_table.h 
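Review bot: The seek-back computation in ffm_read_data (libavformat/ffmdec.c) depends on the `last_pos = -1` sentinel introduced in the earlier hunk, and nothing at this site says so. With no resync yet, `avio_tell(pb) - last_pos` is larger than two packets because of the enclosing `avio_tell(pb) >= ffm->packet_size * 3LL` guard, so FFMIN keeps the old two-packet seek; after a resync the distance back to the sync point is used instead. A comment above the `seekback` line would record that, for example `/* never seek back past the last resync point, or the same resync repeats forever */`. The function body starts and ends outside the hunk.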
@@ -98,7 +98,6 @@ static const AVOption options[]={ {"hex", "hex motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_HEX }, INT_MIN, INT_MAX, V|E, "me_method" }, {"umh", "umh motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_UMH }, INT_MIN, INT_MAX, V|E, "me_method" }, {"iter", "iter motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_ITER }, INT_MIN, INT_MAX, V|E, "me_method" }, -{"extradata_size", NULL, OFFSET(extradata_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, {"time_base", NULL, OFFSET(time_base), AV_OPT_TYPE_RATIONAL, {.dbl = 0}, INT_MIN, INT_MAX}, {"g", "set the group of picture (GOP) size", OFFSET(gop_size), AV_OPT_TYPE_INT, {.i64 = 12 }, INT_MIN, INT_MAX, V|E}, {"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, From e2565069507693280060557d3f2774d6733542ad Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 19:24:09 +0100 Subject: [PATCH 1032/1037] roqvideoenc: set enc->avctx in roq_encode_init So far it is only set in roq_encode_frame, but it is used in roq_encode_end to free the coded_frame. This currently segfaults if roq_encode_frame is not called between roq_encode_init and roq_encode_end. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit cf82c426fadf90105e1fb9d5ecd267cc3aa2b288) Signed-off-by: Michael Niedermayer --- libavcodec/roqvideoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/roqvideoenc.c b/libavcodec/roqvideoenc.c index 02f1a452ae..0ce11d0970 100644 --- a/libavcodec/roqvideoenc.c +++ b/libavcodec/roqvideoenc.c @@ -942,6 +942,8 @@ static int roq_encode_init(AVCodecContext *avctx) av_lfg_init(&enc->randctx, 1); + enc->avctx = avctx; + enc->framesSinceKeyframe = 0; if ((avctx->width & 0xf) || (avctx->height & 0xf)) { av_log(avctx, AV_LOG_ERROR, "Dimensions must be divisible by 16\n"); From b8c5cd5b8d6e0c2f8a66217448b5dd247d1eba89 Mon Sep 17 00:00:00 2001 
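Review bot: The added `enc->avctx = avctx;` in roq_encode_init (libavcodec/roqvideoenc.c) carries no comment explaining why init has to set it, and according to the commit message roq_encode_frame assigns the same field again. A one-line comment such as `/* roq_encode_end uses enc->avctx even if no frame was ever encoded */` would stop the line from being removed as a duplicate. The assignment in roq_encode_frame, which is outside the hunk, looks redundant now and could be dropped in a follow-up.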
From: Dyami Caliri Date: Thu, 26 Feb 2015 10:17:01 -0800 Subject: [PATCH 1033/1037] Fix buffer_size argument to init_put_bits() in multiple encoders. Several encoders were multiplying the buffer size by 8, in order to get a bit size. However, the buffer_size argument is for the byte size of the buffer. We had experienced crashes encoding prores (Anatoliy) at size 4096x4096. (cherry picked from commit 50833c9f7b4e1922197a8955669f8ab3589c8cef) Conflicts: libavcodec/proresenc_kostya.c Conflicts: libavcodec/faxcompr.c libavcodec/s302menc.c --- libavcodec/aacenc.c | 2 +- libavcodec/adpcmenc.c | 4 ++-- libavcodec/faxcompr.c | 2 +- libavcodec/flashsv2enc.c | 2 +- libavcodec/flashsvenc.c | 2 +- libavcodec/nellymoserenc.c | 2 +- libavcodec/proresenc_anatoliy.c | 2 +- libavcodec/proresenc_kostya.c | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 348d3a20d2..4dcd60459e 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -166,7 +166,7 @@ static void put_audio_specific_config(AVCodecContext *avctx) PutBitContext pb; AACEncContext *s = avctx->priv_data; - init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8); + init_put_bits(&pb, avctx->extradata, avctx->extradata_size); put_bits(&pb, 5, 2); //object type - AAC-LC put_bits(&pb, 4, s->samplerate_index); //sample rate index put_bits(&pb, 4, s->channels); diff --git a/libavcodec/adpcmenc.c b/libavcodec/adpcmenc.c index 7924bb349b..c2bc963a5c 100644 --- a/libavcodec/adpcmenc.c +++ b/libavcodec/adpcmenc.c @@ -550,7 +550,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, case AV_CODEC_ID_ADPCM_IMA_QT: { PutBitContext pb; - init_put_bits(&pb, dst, pkt_size * 8); + init_put_bits(&pb, dst, pkt_size); for (ch = 0; ch < avctx->channels; ch++) { ADPCMChannelStatus *status = &c->status[ch]; 
@@ -580,7 +580,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, case AV_CODEC_ID_ADPCM_SWF: { PutBitContext pb; - init_put_bits(&pb, dst, pkt_size * 8); + init_put_bits(&pb, dst, pkt_size); n = frame->nb_samples - 1; diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 3e51a3e793..a8d5d240b3 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -247,7 +247,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs) PutBitContext pb; int run, mode = ~0, pix_left = width, run_idx = 0; - init_put_bits(&pb, dst, size*8); + init_put_bits(&pb, dst, size); while(pix_left > 0){ run = runs[run_idx++]; mode = ~mode; diff --git a/libavcodec/flashsv2enc.c b/libavcodec/flashsv2enc.c index 1d0d1963f6..3e2961771a 100644 --- a/libavcodec/flashsv2enc.c +++ b/libavcodec/flashsv2enc.c @@ -288,7 +288,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size) if (buf_size < 5) return -1; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, (s->block_width >> 4) - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c index e6b181f2ae..34384b3956 100644 --- a/libavcodec/flashsvenc.c +++ b/libavcodec/flashsvenc.c @@ -131,7 +131,7 @@ static int encode_bitstream(FlashSVContext *s, AVFrame *p, uint8_t *buf, int buf_pos, res; int pred_blocks = 0; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, block_width / 16 - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/nellymoserenc.c b/libavcodec/nellymoserenc.c index 0fdec2c3b5..41df93c6cd 100644 --- a/libavcodec/nellymoserenc.c +++ b/libavcodec/nellymoserenc.c @@ -315,7 +315,7 @@ static void encode_block(NellyMoserEncodeContext *s, unsigned char *output, int apply_mdct(s); - init_put_bits(&pb, output, output_size * 8); + init_put_bits(&pb, output, output_size); i = 0; for (band = 0; band < NELLY_BANDS; band++) { 
diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index 8c71ca5aea..0e79afb5ca 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -303,7 +303,7 @@ static int encode_slice_plane(AVCodecContext *avctx, int mb_count, } blocks_per_slice = mb_count << (2 - chroma); - init_put_bits(&pb, buf, buf_size << 3); + init_put_bits(&pb, buf, buf_size); encode_dc_coeffs(&pb, blocks, blocks_per_slice, qmat); encode_ac_coeffs(avctx, &pb, blocks, blocks_per_slice, qmat); diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 9f2aa584c4..4a8a8aea06 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -836,7 +836,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, bytestream_put_byte(&buf, slice_hdr_size << 3); slice_hdr = buf; buf += slice_hdr_size - 1; - init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8); + init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf))); ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); if (ret < 0) return ret; From 645a299132bad3a6f3cb95f01c18cb5e957cf934 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 8 Mar 2015 23:12:59 +0100 Subject: [PATCH 1034/1037] ffmdec: make sure the time base is valid A negative time base can trigger assertions. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 4c91d81be23ffacfa3897b2bcfa77445bb0c2f89) Conflicts: libavformat/ffmdec.c (cherry picked from commit 9678ceb6976ca8194848b24535785a298521211f) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index e927b21607..2b1891fa23 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c 
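Review bot: In the proresenc_kostya.c hunk (encode_frame), the size handed to init_put_bits() is `pkt_size - (buf - orig_buf)`, and no visible check ensures it is still positive after the header bytes before `buf` have been written. Now that the argument is the byte size of the remaining buffer, a guard ahead of the call such as `if (pkt_size - (buf - orig_buf) <= 0) return AVERROR(EINVAL);` would make a too-small packet fail cleanly. Whether pkt_size is already sized to rule this out is outside the hunk. The doubled parentheses left over from removing `* 8` can go as well: `init_put_bits(&pb, buf, pkt_size - (buf - orig_buf));`.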
@@ -297,6 +297,11 @@ static int ffm2_read_header(AVFormatContext *s) case MKBETAG('S', 'T', 'V', 'I'): codec->time_base.num = avio_rb32(pb); codec->time_base.den = avio_rb32(pb); + if (codec->time_base.num <= 0 || codec->time_base.den <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n", + codec->time_base.num, codec->time_base.den); + goto fail; + } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); @@ -421,6 +426,11 @@ static int ffm_read_header(AVFormatContext *s) case AVMEDIA_TYPE_VIDEO: codec->time_base.num = avio_rb32(pb); codec->time_base.den = avio_rb32(pb); + if (codec->time_base.num <= 0 || codec->time_base.den <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n", + codec->time_base.num, codec->time_base.den); + goto fail; + } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); From 86dac9d6b197ba90c9b6e91b20b635fe5a928d6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Mar 2015 19:18:34 +0100 Subject: [PATCH 1035/1037] avcodec/012v: redesign main loop Fixes out of array accesses Fixes: ffmpeg_012v_crash.ts Found-by: Thomas Lindroth Reviewed-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 48df30d36c3ca360c407d84f96749888d1fbe853) Conflicts: libavcodec/012v.c --- libavcodec/012v.c | 82 ++++++++++++++++++++++------------------------- 1 file changed, 39 insertions(+), 43 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index 8151e2a330..58c76ab5d9 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -44,7 +44,7 @@ static av_cold int zero12v_decode_init(AVCodecContext *avctx) static int zero12v_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - int line = 0, ret; + int line, ret; const int width = avctx->width; AVFrame *pic = avctx->coded_frame; uint16_t *y, *u, *v; 
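Review bot: The time-base validation is added twice, token for token, in ffm2_read_header and ffm_read_header (libavformat/ffmdec.c), so a later change to one copy can miss the other. Moving it into a small static helper called from both places keeps the two header parsers in step. Separately, the `width`, `height` and `gop_size` values read from the file on the following context lines get no range check in these hunks; whether they are validated later is not visible here. Both function bodies extend beyond the hunks.

```c
static int ffm_check_time_base(AVFormatContext *s, const AVCodecContext *codec)
{
    if (codec->time_base.num <= 0 || codec->time_base.den <= 0) {
        av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n",
               codec->time_base.num, codec->time_base.den);
        return AVERROR_INVALIDDATA;
    }
    return 0;
}

/* … unchanged: time_base.num / time_base.den reads in both header parsers … */
        if (ffm_check_time_base(s, codec) < 0)
            goto fail;
```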
@@ -68,45 +68,45 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_get_buffer(avctx, pic)) < 0) return ret; - y = (uint16_t *)pic->data[0]; - u = (uint16_t *)pic->data[1]; - v = (uint16_t *)pic->data[2]; line_end = avpkt->data + stride; + for (line = 0; line < avctx->height; line++) { + uint16_t y_temp[6] = {0x8000, 0x8000, 0x8000, 0x8000, 0x8000, 0x8000}; + uint16_t u_temp[3] = {0x8000, 0x8000, 0x8000}; + uint16_t v_temp[3] = {0x8000, 0x8000, 0x8000}; + int x; + y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); + u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); + v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); - while (line++ < avctx->height) { - while (1) { - uint32_t t = AV_RL32(src); + for (x = 0; x < width; x += 6) { + uint32_t t; + + if (width - x < 6 || line_end - src < 16) { + y = y_temp; + u = u_temp; + v = v_temp; + } + + if (line_end - src < 4) + break; + + t = AV_RL32(src); src += 4; *u++ = t << 6 & 0xFFC0; *y++ = t >> 4 & 0xFFC0; *v++ = t >> 14 & 0xFFC0; - if (src >= line_end - 1) { - *y = 0x80; - src++; - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; *y++ = t << 6 & 0xFFC0; *u++ = t >> 4 & 0xFFC0; *y++ = t >> 14 & 0xFFC0; - if (src >= line_end - 2) { - if (!(width & 1)) { - *y = 0x80; - src += 2; - } - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; 
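Review bot: The redirect to `y_temp`/`u_temp`/`v_temp` at the top of the inner loop in zero12v_decode_frame (libavcodec/012v.c) is what sends the fixed six-sample writes to scratch storage instead of the picture row, yet it has no comment. I would add `/* partial last group or short input row: decode into scratch, the valid samples are copied after the loop */` above the `if (width - x < 6 || line_end - src < 16)` line. The loop body continues in the following hunks and the function starts outside this one.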
@@ -114,15 +114,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, *y++ = t >> 4 & 0xFFC0; *u++ = t >> 14 & 0xFFC0; - if (src >= line_end - 1) { - *y = 0x80; - src++; - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; @@ -130,18 +123,21 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, *v++ = t >> 4 & 0xFFC0; *y++ = t >> 14 & 0xFFC0; - if (src >= line_end - 2) { - if (width & 1) { - *y = 0x80; - src += 2; - } - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (width - x < 6) break; - } } + + if (x < width) { + y = x + (uint16_t *)(pic->data[0] + line * pic->linesize[0]); + u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); + v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + memcpy(y, y_temp, sizeof(*y) * (width - x)); + memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); + memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + } + + line_end += stride; + src = line_end - stride; } *got_frame = 1; From 73bfb216720123a6fe9de6f214c0915f05b8fbb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Mar 2015 18:09:08 +0100 Subject: [PATCH 1036/1037] Update for 1.1.16 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 645377eea8..63b283b23a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -1.1.15 +1.1.16 diff --git a/doc/Doxyfile b/doc/Doxyfile index 65ee69da75..4b2ffb906c 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
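Review bot: In the tail copy added by the last 012v.c hunk, `sizeof(*u) * (width - x + 1) / 2` multiplies before it divides, so the length is `width - x + 1` bytes rather than `(width - x + 1) / 2` samples. When `width - x` is even, that is one byte more than the intended chroma samples, written past them in the destination row. Parenthesise the division in both chroma copies: `memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2));` and `memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2));`. The luma copy also assumes `width - x` never exceeds the six entries of `y_temp`, which holds only if the early `break`s fire in the final group alone; that depends on `stride`, which is computed outside the hunk.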
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 1.1.15 +PROJECT_NUMBER = 1.1.16 # With the PROJECT_LOGO tag one can specify an logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 7608871734c8d951f6f1fd80bef54d77714b65a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jul 2015 15:54:38 +0200 Subject: [PATCH 1037/1037] MAINTAINERS: Remove myself as leader Signed-off-by: Michael Niedermayer (cherry picked from commit f2c58931e629343f7d68258cc2b2d62c5f501ba5) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 - 1 file changed, 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index b2bccb2159..6fe014a6a2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -14,7 +14,6 @@ and related discussions. Project Leader ============== -Michael Niedermayer final design decisions