diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000000..a900528e47 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.pnm -diff -text diff --git a/Changelog b/Changelog index 480a2986c9..9d84d8f68c 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,1106 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 2.4.14: +- x264: Support version 153 +- avcodec/exr: Check buf_size more completely +- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() +- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() +- avcodec/flacdec: avoid undefined shift +- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() +- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() +- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() +- avfilter/formats: fix wrong function name in error message +- avcodec/amrwbdec: Fix division by 0 in voice_factor() +- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* +- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. +- Don't manipulate duration when it's AV_NOPTS_VALUE. +- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. +- avformat/utils: Prevent undefined shift with wrap_bits > 64. +- avcodec/j2kenc: Fix out of array access in encode_cblk() +- libvpxenc: remove some unused ctrl id mappings +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() +- avcodec/mlpdsp: Fix signed integer overflow, 2nd try +- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* +- avcodec/mpeg4videodec: Check also for negative versions in the validity check +- Close ogg stream upon error when using AV_EF_EXPLODE. +- Fix undefined shift on assumed 8-bit input. +- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() +- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output() +- avcodec/zmbv: Check that the buffer is large enough for mvec +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() +- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() +- avcodec/snowdec: Check for remaining bitstream in decode_blocks() +- avcodec/snowdec: Check intra block dc differences. +- avcodec/h264dec: Fix potential array overread +- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu +- avcodec/mdct_*: Fix integer overflow in addition in RESCALE() +- avcodec/snowdec: Fix integer overflow in header parsing +- avcodec/cngdec: Fix integer clipping +- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() +- avcodec/xan: Check for bitstream end in xan_huffman_decode() +- avformat: Free the internal codec context at the end +- avcodec/xan: Improve overlapping check +- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() +- avcodec/jpeglsdec: Check ilv for being a supported value +- avcodec/snowdec: Check mv_scale +- avcodec/pafvideo: Check for bitstream end in decode_0() +- avcodec/ffv1dec: Fix out of array read in slice counting +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0() +- avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta +- avcodec/truemotion2: Fix integer overflows in tm2_high_chroma() +- avcodec/proresdec2: SKIP_BITS() does not work with len=32 +- avcodec/hevcdsp_template: Fix undefined shift +- avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized +- avcodec/takdec: Fix integer overflow in decode_lpc() +- avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift +- avcodec/takdec: Fix integer overflows in decode_subframe() +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() +- avcodec/ffv1dec: Fix integer overflow in read_quant_table() +- avcodec/svq3: Fix overflow in svq3_add_idct_c() +- avcodec/pngdec: Clean up on av_frame_ref() failure +- avcodec/hevc_ps: Fix c?_qp_offset_list size +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels +- avcodec/diracdec: Fix overflow in DC computation +- avformat/asfdec: Fix DoS in asf_build_simple_index() +- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting +- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() +- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() +- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. +- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() +- avformat/mvdec: Fix DoS due to lack of eof check +- avformat/rl2: Fix DoS due to lack of eof check +- avformat/cinedec: Fix DoS due to lack of eof check +- avformat/asfdec: Fix DoS due to lack of eof check +- avformat/hls: Fix DoS due to infinite loop +- ffprobe: Fix NULL pointer handling in color parameter printing +- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() +- avformat/aviobuf: Fix signed integer overflow in avio_seek() +- avformat/mov: Fix signed integer overflows with total_size +- avcodec/aacdec_template: Fix running cleanup in decode_ics_info() +- avcodec/me_cmp: Fix crashes on ARM due to misalignment +- avcodec/fic: Fixes signed integer overflow +- avcodec/snowdec: Fix off by 1 error +- avcodec/diracdec: Check perspective_exp and zrs_exp. +- avcodec/mpeg4videodec: Clear mcsel before decoding an image +- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* +- avformat/utils: fix memory leak in avformat_free_context +- avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() +- avcodec/diracdec: Fix integer overflow in divide3() +- avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 +- avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 +- avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 +- avformat/oggparsecelt: Do not re-allocate os->private +- doc/filters: typo in frei0r +- avcodec/wavpack: Fix invalid shift +- avcodec/vb: Check vertical GMC component before multiply +- avcodec/apedec: Fix integer overflow +- avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() +- avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 +- avcodec/wavpack: Fix integer overflow +- avcodec/takdec: Fix integer overflow +- avcodec/hevc_filter: Fix invalid shift +- avcodec/mpeg4videodec: Fix overflow in virtual_ref computation +- avcodec/wavpack: Fix undefined integer negation +- avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 +- avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 +- avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output +- avcodec/hevcpred_template: Fix left shift of negative value +- avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() +- avcodec/jpeg2000dec: Check nonzerobits more completely +- avcodec/shorten: Sanity check maxnlpc +- avcodec/hevcdec: Check nb_sps +- avcodec/hevc_refs: Check nb_refs in add_candidate_ref() +- avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. +- avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case +- avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' +- avcodec/snowdec: Fix runtime error: left shift of negative value -1 +- avcodec/tiff: Fix leak of geotags[].val +- avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' +- avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' +- avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' +- avcodec/pafvideo: Fix assertion failure +- avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' +- avcodec/mjpegdec: Check that reference frame matches the current frame +- avcodec/tiff: Avoid loosing allocated geotag values +- avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' +- avformat/hls: Check local file extensions +- avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' +- avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() +- avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' +- avcodec/cinepak: Check input packet size before frame reallocation +- avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' +- avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' +- avcodec/pnm: Use ff_set_dimensions() +- avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' +- avformat/avidec: Limit formats in gab2 to srt and ass/ssa +- avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' +- avcodec/wavpack: Check float_shift +- avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' +- avcodec/ansi: Fix frame memleak +- avcodec/jpeg2000dec: Use ff_set_dimensions() +- avcodec/truemotion2: Fix passing null pointer to memset() +- avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' +- avcodec/webp: Fixes null pointer dereference +- avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' +- avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' +- avcodec/jpeg2000dec: Check tile offsets more completely +- avcodec/wnv1: More strict buffer size check +- avcodec/libfdk-aacdec: Correct buffer_size parameter +- avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 +- avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error +- avcodec/ra144dec: Fix runtime error: left shift of negative value -17 +- avutil/internal: Do not enable CHECKED with DEBUG +- avcodec/smc: Check remaining input +- avcodec/jpeg2000dec: Fix copy and paste error +- avcodec/jpeg2000dec: Check tile offsets +- avcodec/sanm: Fix uninitialized reference frames +- avcodec/jpeglsdec: Check get_bits_left() before decoding a picture +- avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' +- avcodec/vmnc: Check location before use +- avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' +- avcodec/takdec: Fix runtime error: left shift of negative value -63 +- avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' +- avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context +- avcodec/mimic: Use ff_set_dimensions() to set the dimensions +- avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' +- avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 +- avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' +- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' +- avcodec/flicvideo: Check frame_size before decrementing +- avcodec/mlpdec: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix runtime error: left shift of negative value -42 +- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' +- avcodec/svq3: Fix runtime error: left shift of negative value -6 +- avcodec/tiff: reset sampling[] if its invalid +- avcodec/aacps: Fix undefined behavior +- avcodec/opus_silk: Fix integer overflow and out of array read +- avcodec/flacdec: Return error code instead of 0 for failures +- avcodec/snowdec: Check width +- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() +- avcodec/webp: Factor update_canvas_size() out +- avcodec/cllc: Check prefix +- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode +- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' +- libswscale/tests/swscale: Fix uninitialized variables +- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' +- avcodec/webp: Fix signedness in prefix_code check +- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' +- avcodec/mlpdec: Check that there is enough data for headers +- avcodec/ac3dec: Keep track of band structure +- avcodec/webp: Add missing input padding +- avcodec/aacsbr_template: Do not change bs_num_env before its checked +- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 +- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' +- avcodec/avcodec: Limit the number of side data elements per packet +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' +- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 +- avcodec/msmpeg4dec: Check for cbpy VLC errors +- avcodec/cllc: Check num_bits +- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers +- avcodec/dvbsubdec: Check entry_id +- avcodec/webp: Always set pix_fmt +- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 +- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' +- avformat/wavdec: Check chunk_size +- avcodec/cavs: Check updated MV +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' +- avcodec/lagarith: Check scale_factor +- avcodec/lagarith: Fix runtime error: left shift of negative value -1 +- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' +- avcodec/dvbsubdec: check region dimensions +- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' +- avcodec/cavsdec: Check sym_factor +- avcodec/cdxl: Check format for BGR24 +- avcodec/ffv1dec: Fix copying planes of paletted formats +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' +- avcodec/xwddec: Check bpp more completely +- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' +- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' +- avcodec/g726: Fix runtime error: left shift of negative value -2 +- avcodec/ra144: Fix runtime error: left shift of negative value -798 +- avcodec/mss34dsp: Fix multiple signed integer overflow +- avcodec/targa_y216dec: Fix width type +- avcodec/ivi_dsp: Fix multiple left shift of negative value -2 +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' +- avcodec/msmpeg4dec: Correct table depth +- avcodec/cdxl: Check format parameter +- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from +- avcodec/shorten: Check k in get_uint() +- avcodec/webp: Fix null pointer dereference +- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' +- avcodec/mimic: Fix runtime error: left shift of negative value -1 +- avcodec/fic: Fix multiple left shift of negative value -15 +- avcodec/mlpdec: Fix runtime error: left shift of negative value -22 +- avcodec/snowdec: Check qbias +- avcodec/aacsbr_template: Do not leave bs_num_env invalid +- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' +- avcodec/dfa: Fix off by 1 error +- avcodec/nellymoser: Fix multiple left shift of negative value -8591 +- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' +- avcodec/wnv1: Fix runtime error: left shift of negative value -1 +- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' +- avcodec/cavsdec: Fix undefined behavior from integer overflow +- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' +- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit +- avcodec/msvideo1: Check buffer size before re-getting the frame +- avcodec/svq3: Increase offsets to prevent integer overflows +- avcodec/indeo2: Check remaining bits in ir2_decode_plane() +- avcodec/vp3: Check remaining bits in unpack_dct_coeffs() +- avcodec/mdec: Fix runtime error: left shift of negative value -127 +- libavcodec/exr : fix float to uint16 conversion for negative float value +- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter +- avformat/webmdashenc: Require the 'adaptation_sets' option to be set +- avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' +- avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() +- avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit +- avcodec/tiff: Check geotag count for being non zero +- avcodec/vp56: Check avctx->error_concealment before enabling EC +- avcodec/tiff: Check stripsize strippos for overflow +- avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 +- avcodec/tiff: Check for multiple geo key directories +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' +- avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 +- avcodec/wavpack: Fix runtime error: left shift of negative value -5 +- avcodec/wavpack: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' +- avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value +- avcodec/adxdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 +- avcodec/h264_direct: Fix runtime error: left shift of negative value -14 +- avcodec/pictordec: Check plane value before doing value/mask computations +- avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 +- avcodec/eac3dec: Fix runtime error: left shift of negative value -3 +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows +- avcodec/mpeg4videodec: Check sprite_offset in addition to shifts +- avcodec/mpeg4video: Fix runtime error: left shift of negative value +- avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 +- avcodec/rv40: Fix runtime error: left shift of negative value +- avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' +- avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 +- avcodec/eac3dec: Fix runtime error: left shift of negative value +- avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() +- avcodec/vp56: Reset have_undamaged_frame on resolution changes +- avcodec/vp8: Fix hang with slice threads +- avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter() +- avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() +- avcodec/vp8: remove redundant check +- avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() +- avcodec/vp3: Do not return random positive values but the buf size +- avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() +- avcodec/vp56: Factorize vp56_render_mb() out +- avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' +- Add CHECK/SUINT code +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1 +- avcodec/vp56: Implement very basic error concealment +- avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1 +- avcodec/vp56: Fix sign typo +- avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding +- avcodec/pictordec: Do not read more than nb_planes +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value +- avcodec/wavpacl: Fix runtime error: left shift of negative value -1 +- avformat/http: Check for truncated buffers in http_connect() +- lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid +- lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr +- avcodec/pictordec: Fix logic error +- lavf/matroskadec: fix is_keyframe for early Blocks +- configure: bump year +- avcodec/interplayvideo: Move parameter change check up +- avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() +- avformat/flacdec: Check avio_read result when reading flac block header. +- avcodec/utils: correct align value for interplay +- avcodec/vp56: Check for the bitstream end, pass error codes on +- avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() +- avcodec/pngdec: Fix off by 1 size in decode_zbuf() +- avcodec/mjpegdec: Check for rgb before flipping +- avutil/random_seed: Reduce the time needed on systems with very low precission clock() +- avutil/random_seed: Improve get_generic_seed() with higher precission clock() +- avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory() +- avformat/oggdec: Skip streams in duration correction that did not had their duration set. +- avcodec/ffv1enc: Fix size of first slice +- ffserver: Check chunk size +- Avoid using the term "file" and prefer "url" in some docs and comments +- avformat/rtmppkt: Check for packet size mismatches +- zmqsend: Initialize ret to 0 +- avcodec/flacdec: Fix undefined shift in decode_subframe() +- avcodec/get_bits: Fix get_sbits_long(0) +- avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed() +- avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c +- avformat/oggparsespeex: Check frames_per_packet and packet_size +- avformat/utils: Check start/end before computing duration in update_stream_timings() +- avcodec/flac_parser: Update nb_headers_buffered +- avformat/idroqdec: Check chunk_size for being too large +- avformat/mpeg: Adjust vid probe threshold to correct mis-detection +- avcodec/rv40: Test remaining space in loop of get_dimension() +- avcodec/ituh263dec: Avoid spending a long time in slice sync +- avcodec/sunrast: Fix input buffer pointer check +- avcodec/tscc: Check side data size before use +- avcodec/rawdec: Check side data size before use +- avcodec/msvideo1: Check side data size before use +- avcodec/qpeg: Check side data size before use +- avcodec/qtrle: Check side data size before use +- avcodec/msrle: Check side data size before use +- avcodec/kmvc: Check side data size before use +- avcodec/idcinvideo: Check side data size before use +- avcodec/cinepak: Check side data size before use +- avcodec/8bps: Check side data size before use +- avcodec/dvdsubdec: Fix off by 1 error +- avcodec/dvdsubdec: Fix buf_size check +- vp9: change order of operations in adapt_prob(). +- avcodec/interplayvideo: Check side data size before use +- avcodec/utils: Clear MMX state before returning from avcodec_default_execute*() +- lavfi: fix typos +- videodsp: fix 1-byte overread in top/bottom READ_NUM_BYTES iterations. +- avformat/avidec: Check nb_streams in read_gab2_sub() +- avformat/avidec: Remove ancient assert +- avcodec/ansi: Check dimensions +- avcodec/cavsdsp: use av_clip_uint8() for idct +- avformat/utils: fix timebase error in avformat_seek_file() +- avcodec/g726: Add missing ADDB output mask +- avcodec/avpacket: clear side_data_elems +- swscale/swscale_unscaled: Try to fix Rgb16ToPlanarRgb16Wrapper() with slices +- swscale/swscale_unscaled: Fix packed_16bpc_bswap() with slices +- avformat/avidec: Fix infinite loop in avi_read_nikon() +- cmdutils: fix implicit declaration of SetDllDirectory function +- cmdutils: check for SetDllDirectory() availability +- libavcodec/wmalosslessdec: Check the remaining bits +- avcodec/diracdec: Check numx/y +- avcodec/indeo2: check ctab +- avformat/swfdec: Fix inflate() error code check +- cmdutils: remove the current working directory from the DLL search path on win32 +- avcodec/raw: Fix decoding of ilacetest.mov +- avformat/oggdec: Fix integer overflow with invalid pts +- libavformat/rtpdec_asf: zero initialize the AVIOContext struct +- libavutil/opt: Small bugfix in example. +- libx264: Increase x264 opts character limit to 4096 +- avformat/mov: Check sample size +- avformat/format: Fix registering a format more than once and related races +- avcodec/mpc8: Correct end truncation +- avcodec/mpegvideo: Do not clear the parse context during init +- avcodec/utils: check skip_samples signedness +- avformat/mpegts: Do not trust BSSD descriptor, it is sometimes not an S302M stream +- avcodec/bmp_parser: Check fsize +- avcodec/bmp_parser: reset state +- avcodec/bmp_parser: Fix remaining size +- avcodec/bmp_parser: Fix frame_start_found in cross frame cases +- avfilter/af_amix: dont fail if there are no samples in output_frame() +- avformat/allformats: Making av_register_all() thread-safe. +- avcodec/bmp_parser: Fix state +- avformat/oggparseopus: Fix Undefined behavior in oggparseopus.c and libavformat/utils.c +- doc/developer.texi: Add a code of conduct +- avformat/utils: Check negative bps before shifting in ff_get_pcm_codec_id() +- avformat/utils: Do not compute the bitrate from duration == 0 +- ffmpeg: Check that r_frame_rate is set before attempting to use it +- libavformat/oggdec: Free stream private when header parsing fails. +- avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id() +- avformat/oggparseopus: Check that granule pos is within the supported range +- avformat/options_table: Add missing identifier for very strict compliance +- avcodec/ttaenc: Reallocate packet if its too small +- pgssubdec: fix subpicture output colorspace and range +- avcodec/ac3dec: Reset SPX when switching from EAC3 to AC3 +- avfilter/vf_drawtext: Check return code of load_glyph() +- avcodec/takdec: add code that got somehow lost in process of REing +- avcodec/apedec: fix decoding of stereo files with one channel full of silence +- avcodec/avpacket: Fix off by 5 error +- avcodec/h264: Fix for H.264 configuration parsing +- avcodec/bmp_parser: Ensure remaining_size is not too small in startcode packet crossing corner case +- avfilter/src_movie: fix how we check for overflows with seek_point +- avcodec/j2kenc: Add attribution to OpenJPEG project: +- avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set +- avformat/rtpdec_jpeg: fix low contrast image on low quality setting +- avcodec/mjpegenc_common: Store approximate aspect if exact cannot be stored +- avcodec/resample: Remove disabled and faulty code +- indeo2: Fix banding artefacts +- indeo2data: K&R formatting cosmetics +- avcodec/imgconvert: Support non-planar colorspaces while padding +- avutil/random_seed: Add the runtime in cycles of the main loop to the entropy pool +- avutil/channel_layout: AV_CH_LAYOUT_6POINT1_BACK not reachable in parsing +- avformat/concatdec: set safe mode to enabled instead of auto +- avformat/rtpenc: Fix integer overflow in NTP_TO_RTP_FORMAT +- avcodec/avpacket: clear priv in av_init_packet() +- swscale/utils: Fix chrSrcHSubSample for GBRAP16 +- swscale/input: Fix GBRAP16 input +- postproc: fix unaligned access +- avutil/pixdesc: Make get_color_type() aware of CIE XYZ formats +- swscale/x86/output: Fix yuv2planeX_16* with unaligned destination +- swscale/x86/output: Move code into yuv2planeX_mainloop +- MAINTAINERS: add myself as an OS/2 maintainer +- doc/utils: fix typo for min() description + +version 2.4.13: +- mov: Add an option to toggle dref opening +- MAINTAINERS: remove unmaintained releases +- avcodec/jpeg2000dec: More completely check cdef +- avutil/opt: check for and handle errors in av_opt_set_dict2() +- avcodec/flacenc: fix calculation of bits required in case of custom sample rate +- avformat: Document urls a bit +- avformat/concat: Check protocol prefix +- doc/demuxers: Document enable_drefs and use_absolute_path +- avcodec/mjpegdec: Check for end for both bytes in unescaping +- avformat/avformat: Replace some references to filenames by urls +- avcodec/wmaenc: Check ff_wma_init() for failure +- avcodec/mpeg12enc: Move high resolution thread check to before initializing threads +- avformat/avio: Limit url option parsing to the documented cases +- avcodec/ass_split: Fix null pointer dereference in ff_ass_style_get() +- avcodec/gif: Fix lzw buffer size +- avcodec/put_bits: Assert buf_ptr in flush_put_bits() +- avcodec/tiff: Check subsample & rps values more completely +- swscale/swscale: Add some sanity checks for srcSlice* parameters +- swscale/x86/rgb2rgb_template: Fix planar2x() for short width +- swscale/swscale_unscaled: Fix odd height inputs for bayer_to_yv12_wrapper() +- swscale/swscale_unscaled: Fix odd height inputs for bayer_to_rgb24_wrapper() +- avcodec/wavpackenc: print channel count in av_log call +- configure: bump copyright year to 2016 +- avformat/hls: Even stricter URL checks +- avformat/hls: More strict url checks +- swscale/yuv2rgb: Increase YUV2RGB table headroom +- swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out +- avformat/hls: forbid all protocols except http(s) & file +- avformat/aviobuf: Fix end check in put_str16() +- avformat/asfenc: Check pts +- avcodec/mpeg4video: Check time_incr +- avcodec/wavpackenc: Check the number of channels +- avcodec/wavpackenc: Headers are per channel +- avcodec/dvdec: Fix "left shift of negative value -254" +- avcodec/mjpegdec: Fix negative shift +- avcodec/mss2: Check for repeat overflow +- avformat: Add integer fps from 31 to 60 to get_std_framerate() +- avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range +- avcodec/motion_est: Fix mv_penalty table size +- avcodec/h264_slice: Fix integer overflow in implicit weight computation +- swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions +- avcodec/put_bits: Always check buffer end before writing +- swscale/utils: Fix intermediate format for cascaded alpha downscaling +- avcodec/h264_refs: Fix long_idx check +- avfilter/vf_mpdecimate: Add missing emms_c() +- avformat/mxfenc: Do not crash if there is no packet in the first stream +- swscale/swscale-test: Fix slice height in random reference data creation. +- dca: fix misaligned access in avpriv_dca_convert_bitstream +- brstm: fix missing closing brace +- brstm: also allocate b->table in read_packet +- brstm: make sure an ADPC chunk was read for adpcm_thp +- vorbisdec: reject rangebits 0 with non-0 partitions +- vorbisdec: reject channel mapping with less than two channels +- ffmdec: reset packet_end in case of failure +- mjpegdec: extend check for incompatible values of s->rgb and s->ls +- avformat/ipmovie: put video decoding_map_size into packet and use it in decoder +- avcodec/samidec: make sure to properly restore parsing context after a tag +- x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse +- avcodec/mpeg4videodec: also for empty partitioned slices +- nuv: sanitize negative fps rate +- rawdec: only exempt BIT0 with need_copy from buffer sanity check +- mlvdec: check that index_entries exist +- nutdec: reject negative value_len in read_sm_data +- xwddec: prevent overflow of lsize * avctx->height +- nutdec: only copy the header if it exists +- exr: fix out of bounds read in get_code +- on2avc: limit number of bits to 30 in get_egolomb +- sonic: make sure num_taps * channels is not larger than frame_size +- opus_silk: fix typo causing overflow in silk_stabilize_lsf +- ffm: reject invalid codec_id and codec_type +- aaccoder: prevent crash of anmr coder +- swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* +- swscale/x86/rgb2rgb_template: Do not crash on misaligend stride + +version 2.4.12: +- avcodec/ffv1dec: Clear quant_table_count if its invalid +- avcodec/ffv1dec: Print an error if the quant table count is invalid +- avcodec/hevc: Check max ctb addresses for WPP +- avcodec/vp3: ensure header is parsed successfully before tables +- avcodec/jpeg2000dec: Check bpno in decode_cblk() +- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int +- swscale/utils: Fix for runtime error: left shift of negative value -1 +- avcodec/hevc: Fix integer overflow of entry_point_offset +- avcodec/dirac_parser: Check that there is a previous PU before accessing it +- avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset +- avcodec/dirac_parser: Fix potential overflows in pointer checks +- avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows +- avcodec/wmaprodec: Fix overflow of cutoff +- avformat/smacker: fix integer overflow with pts_inc +- avcodec/vp3: Fix "runtime error: left shift of negative value" +- mpegencts: Fix overflow in cbr mode period calculations +- avutil/timecode: Fix fps check +- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows +- avcodec/apedec: Check length in long_filter_high_3800() +- avcodec/vp3: always set pix_fmt in theora_decode_header() +- avcodec/mpeg4videodec: Check available data before reading custom matrix +- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd +- avutil/integer: Fix av_mod_i() with negative dividend +- avformat/dump: Fix integer overflow in av_dump_format() +- avcodec/utils: Clear dimensions in ff_get_buffer() on failure +- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() +- avcodec/vp3: Clear context on reinitialization failure +- avcodec/hevc: allocate entries unconditionally +- avcodec/hevc_cabac: Fix multiple integer overflows +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() +- avcodec/hevc: Check entry_point_offsets +- avcodec/cabac: Check initial cabac decoder state +- avcodec/cabac_functions: Fix "left shift of negative value -31767" +- avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized +- avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup +- rtmpcrypt: Do the xtea decryption in little endian mode +- avformat/matroskadec: Check subtitle stream before dereferencing +- avformat/utils: Do not init parser if probing is unfinished +- avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions +- avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range +- avcodec/jpeg2000: Check comp coords to be within the supported size +- avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component() +- avcodec/wmaprodec: Check for overread in decode_packet() +- avcodec/smacker: Check that the data size is a multiple of a sample vector +- avcodec/takdec: Skip last p2 sample (which is unused) +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_410() +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_420() +- avcodec/error_resilience: avoid accessing previous or next frames tables beyond height +- avcodec/dpx: Move need_align to act per line +- avcodec/flashsv: Check size before updating it +- avcodec/ivi: Check image dimensions +- avcodec/utils: Better check for channels in av_get_audio_frame_duration() +- avcodec/jpeg2000dec: Check for duplicate SIZ marker +- avcodec/jpeg2000dec: Clip all tile coordinates +- avcodec/microdvddec: Check for string end in 'P' case +- avcodec/dirac_parser: Fix undefined memcpy() use +- avformat/xmv: Discard remainder of packet on error +- avformat/xmv: factor return check out of if/else +- libavutil/channel_layout: Check strtol*() for failure +- avcodec/ffv1dec: Check for 0 quant tables +- avcodec/mjpegdec: Reinitialize IDCT on BPP changes +- avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it +- avutil/file_open: avoid file handle inheritance on Windows +- avcodec/ffv1: Initialize vlc_state on allocation +- avcodec/ffv1dec: update progress in case of broken pointer chains +- avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons +- avformat/httpauth: Add space after commas in HTTP/RTSP auth header +- avcodec/x86/sbrdsp: Fix using uninitialized upper 32bit of noise +- avcodec/ffv1dec: Fix off by 1 error in quant_table_count check +- avcodec/ffv1dec: Explicitly check read_quant_table() return value +- avcodec/rangecoder: Check e +- lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream. +- avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG +- avfilter/af_asyncts: use llabs for int64_t +- avcodec/g2meet: Also clear tile dimensions on header_fail +- avcodec/g2meet: Fix potential overflow in tile dimensions check +- avcodec/svq1dec: Check init_get_bits8() for failure +- avcodec/tta: Check init_get_bits8() for failure +- swresample/swresample: Fix integer overflow in seed calculation +- avformat/mov: Fix integer overflow in FFABS +- avutil/common: Add FFNABS() +- avutil/common: Document FFABS() corner case +- avformat/dump: Fix integer overflow in aspect ratio calculation +- avcodec/truemotion1: Check for even width +- avcodec/libopusenc: Fix infinite loop on flushing after 0 input +- doc/filters/drawtext: fix centering example +- avcodec: avoid division by zero in avcodec_string +- mpegvideo: clear overread in clear_context +- dvdsubdec: validate offset2 similar to offset1 +- avcodec/takdec: Use memove, avoid undefined memcpy() use +- jvdec: avoid unsigned overflow in comparison +- avcodec/mpeg12dec: Do not call show_bits() with invalid bits +- opusdec: Don't run vector_fmul_scalar on zero length arrays +- avcodec/opusdec: Fix extra samples read index +- riffdec: prevent negative bit rate +- Merge commit 'd80811c94e068085aab797f9ba35790529126f85' +- imc: use correct position for flcoeffs2 calculation +- snow: remove an obsolete av_assert2 +- wavpack: limit extra_bits to 32 and use get_bits_long +- huffyuvdec: validate image size +- wavpack: use get_bits_long to read up to 32 bits +- nutdec: check maxpos in read_sm_data before returning success +- s302m: fix arithmetic exception +- mpegaudiodec: copy AVFloatDSPContext from first context to all contexts +- vc1dec: use get_bits_long and limit the read bits to 32 +- avcodec/s302m: Only set the sample rate when some data is output +- avidec: check for valid bit_rate range +- vp9: add support for resolution changes in inter frames. +- vp9: avoid infinite loop with broken files +- videodsp: don't overread edges in vfix3 emu_edge. +- avformat/oggenc: Check segments_count for headers too +- avformat/avidec: Workaround broken initial frame +- hevc: properly handle no_rasl_output_flag when removing pictures from the DPB +- hevc: fix wpp threading deadlock. +- avcodec/ffv1: seperate slice_count from max_slice_count +- lavf/img2dec: Fix memory leak +- avcodec/mp3: fix skipping zeros +- doc: mention libavcodec can decode Opus natively + + +version 2.4.11: +- avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops +- avformat/hevc: Fix parsing errors +- ffmpeg: Use correct codec_id for av_parser_change() check +- ffmpeg: Check av_parser_change() for failure +- avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check +- ffmpeg: Check for RAWVIDEO and do not relay only on AVFMT_RAWPICTURE +- ffmpeg: check avpicture_fill() return value +- avformat/mux: Update sidedata in ff_write_chained() +- avcodec/flashsvenc: Correct max dimension in error message +- avcodec/svq1enc: Check dimensions +- avcodec/dcaenc: clear bitstream end +- libavcodec/aacdec_template: Use init_get_bits8() in aac_decode_frame() +- rawdec: fix mjpeg probing buffer size check +- rawdec: fix mjpeg probing +- avcodec/vp8: Check buffer size in vp8_decode_frame_header() +- avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free() +- avcodec/diracdec: Check for hpel_base allocation failure +- avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy() +- avfilter/af_aresample: Check ff_all_* for allocation failures +- avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case +- swscale/utils: Clear pix buffers +- avutil/fifo: Fix the case where func() returns less bytes than requested in av_fifo_generic_write() +- avformat/mov: Fix deallocation when MOVStreamContext failed to allocate +- ffmpeg: Fix cleanup with ost = NULL +- avcodec/pthread_frame: check avctx on deallocation +- avcodec/sanm: Reset sizes in destroy_buffers() +- avcodec/alac: Clear pointers in allocate_buffers() +- bytestream2: set the reader to the end when reading more than available +- avcodec/utils: use a minimum 32pixel width in avcodec_align_dimensions2() for H.264 +- avcodec/mpegvideo: Clear pointers in ff_mpv_common_init() +- oggparsedirac: check return value of init_get_bits +- wmalosslessdec: reset frame->nb_samples on packet loss +- wmalosslessdec: avoid reading 0 bits with get_bits +- avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2() +- avcodec/aacsbr: Assert that bs_num_env is positive +- avcodec/aacsbr: check that the element type matches before applying SBR +- avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h +- vp9/update_prob: prevent out of bounds table read +- avfilter/vf_transpose: Fix rounding error +- avcodec/pngdec: Only allow one IHDR chunk +- wmavoice: limit wmavoice_decode_packet return value to packet size +- swscale/swscale_unscaled: Fix rounding difference with RGBA output between little and big endian +- ffmpeg: Do not use the data/size of a bitstream filter after failure +- swscale/x86/rgb2rgb_template: fix signedness of v in shuffle_bytes_2103_{mmx,mmxext} +- swscale/x86/rgb2rgb_template: add missing xmm clobbers +- vda: unlock the pixel buffer base address. +- swscale/rgb2rgb_template: Fix signedness of v in shuffle_bytes_2103_c() +- swscale/rgb2rgb_template: Implement shuffle_bytes_0321_c and fix shuffle_bytes_2103_c on BE +- swscale/rgb2rgb_template: Disable shuffle_bytes_2103_c on big endian +- swr: Remember previously set int_sample_format from user +- matroskadec: check audio sample rate +- matroskadec: validate audio channels and bitdepth +- avcodec/dpxenc: implement write16/32 as functions +- postproc: fix unaligned access +- avio: fix potential crashes when combining ffio_ensure_seekback + crc +- h264: er: Copy from the previous reference only if compatible +- sonic: set avctx->channels in sonic_decode_init +- vp8: change mv_{min,max}.{x,y} type to int +- vp9: change type of tile_size from unsigned to int64_t +- arm: only enable setend on ARMv6 +- libopenjpegdec: check existence of image component data +- mov: abort on EOF in ff_mov_read_chan +- ffmpeg_opt: Check for localtime() failure +- avformat: Fix bug in parse_rps for HEVC. +- takdec: ensure chan2 is a valid channel index +- avcodec/h264_slice: Use AVFrame diemensions for grayscale handling +- avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet() +- libavutil/channel_layout: Correctly return layout when channel specification ends with a trailing 'c'. +- avcodec/jpeg2000dec: Check that coords match before applying ICT +- avformat/ffmdec: Check ffio_set_buf_size() return value +- avcodec/adpcm: Check for overreads +- avcodec/alsdec: Check for overread +- avcodec/atrac3plusdec: consume only as many bytes as available +- swresample/swresample: Cleanup on init failure. +- Revert "avformat/rtpenc: check av_packet_get_side_data() return, fix null ptr dereference" +- avformat/mxfenc: Accept MXF D-10 with 49.999840 Mbit/sec +- swresample/dither: check memory allocation +- opusdec: properly handle mismatching configurations in multichannel streams +- MAINTAINERS: Remove myself as leader +- h263: Always check both dimensions +- avformat/swfdec: Do not error out on pixel format changes +- avcodec/exr: fix crash caused by merge +- avcodec/x86/h264_weight: handle weight1=128 +- avcodec/hevc_ps: Only discard overread VPS if a previous is available +- avformat/mov: Mark avio context of decompressed atoms as seekable +_ avfilter/x86/vf_hqdn3d: Fix register types + +version 2.4.10: +- diracdec: check if reference could not be allocated +- diracdec: avoid overflow of bytes*8 in decode_lowdelay +- diracdec: prevent overflow in data_unit_size check +- avformat/matroskadec: Use tracks[k]->stream instead of s->streams[k] +- matroskadec: check s->streams[k] before using it +- avcodec/ffv1dec: Check chroma shift parameters +- matroskadec: use uint64_t instead of int for index_scale +- avcodec/wavpack: Check L/R values before use to avoid harmless integer overflow and undefined behavior in fate +- nutdec: fix illegal count check in decode_main_header +- nutdec: check for negative frame rate in decode_info_header +- ffmpeg: remove incorrect network deinit +- OpenCL: Avoid potential buffer overflow in cmdutils_opencl.c +- apedec: set s->samples only when init_frame_decoder succeeded +- OS/2:Makedef.cmd cleanup +- avcodec/golomb: get_ur_golomb_jpegls: Fix reading huge k values +- avformat/mov: Fix parsing short loci +- avformat/mov: Print reason of loci parsing failure +- avcodec/hevc: Fix typo in num_entry_point_offsets check +- avcodec/libtheoraenc: Check for av_malloc failure +- avcodec/dcadec: Check active_bands +- avcodec/dcadec: Check scale table index +- avcodec/sonic: More completely check sample_rate_index and channels +- avcodec/sonic: check memory allocations +- avcodec/smvjpegdec: check avcodec_decode_video2() return code +- avcodec/shorten: More complete pred_order check +- avcodec/shorten: Check skip_bytes() +- png: Set the color range as full range +- mpegts: Update the PSI/SI table only if the version change +- rtsp: Make sure we don't write too many transport entries into a fixed-size array +- rtpenc_jpeg: Handle case of picture dimensions not dividing by 8 +- libvpx: Fix mixed use of av_malloc() and av_reallocp() +- aacpsy: correct calculation of minath in psy_3gpp_init +- avcodec/shorten: Fix code depending on signed overflow behavior +- avcodec/proresdec2: Reset slice_count on deallocation +- ffmpeg_opt: Fix -timestamp parsing +- avcodec/dcadec: Check subsubframes +- avcodec/dcadec: Check nchans +- hevc: make avcodec_decode_video2() fail if get_format() fails +- avcodec/cavsdec: Check esc_code +- avcodec/on2avc: Check run more carefully +- avcodec/mpeg4audio: add some padding/alignment to MAX_PCE_SIZE +- swr: fix alignment issue caused by 8ch sse functions +- avcodec/mjpegdec: fix len computation in ff_mjpeg_decode_dqt() +- avcodec/jpeg2000dec: fix boolean operator +- avcodec/hevc_ps: Explicitly check num_tile_* for negative values +- avcodec/hevc_ps: Check vps_num_hrd_parameters +- avcodec/hevc_ps: More completely check vps_num_layer_sets +- avcodec/hevc: Check num_entry_point_offsets +- avcodec/hevc: Check offset_len +- libswscale/x86/hscale_fast_bilinear_simd.c: Include BX in the clobber list on x86_64, because it isn't implicitly included when PIC is on. +- avcodec/hevc_sei: Check num_sps_ids_minus1 value +- avcodec/vqavideo: Check chunk size +- aacdec: don't return frames without data +- avformat/hevc: Check num_negative_pics and num_positive_pics +- avformat/hevc: Check cpb_cnt_minus1 +- avformat/matroskadec: Cleanup error handling for bz2 & zlib +- avformat/nutdec: Fix use of uinitialized value +- avformat/rtpenc_jpeg: Check remaining buffer size for SOS +- avformat/rtpdec_xiph: Check upper bound on len in xiph_handle_packet() +- tools/graph2dot: use larger data types than int for array/string sizes +- avformat/matroskaenc: Check ff_vorbiscomment_length in put_flac_codecpriv() +- avformat/oggenc: Check ff_vorbiscomment_length in ogg_write_vorbiscomment() +- avformat/flacenc: Check length in flac_write_block_comment() +- avformat/subtitles: Use size_t for len +- avformat/url: Use size_t for len from strlen() +- avutil/avstring: Use size_t in av_strlcatf() +- avformat/vorbiscomment: Check entry length in ff_vorbiscomment_write() +- avutil/dict: Use size_t for appending strings +- libavutil/mem: use size_t for the length in av_strdup() +- aacsbr: break infinite loop in sbr_hf_calc_npatches +- diracdec: check that block length is valid +- ffmpeg_opt: Set the video VBV parameters only for the video stream from -target +- avcodec/bitstream: Assert that there is enough space left in avpriv_copy_bits() +- avcodec/put_bits: Assert that there is enough space left in skip_put_bytes() +- avcodec/mpegvideo_enc: Update the buffer size as more slices are merged +- avcodec/put_bits: Update size_in_bits in set_put_bits_buffer_size() +- avformat/wavdec: Increase dts packet threshold to fix more misdetections +- avformat/wavdec: Increase probe_packets limit +- nutdec: abort if EOF is reached in decode_info_header/read_sm_data +- nutdec: stop skipping bytes at EOF +- nutdec: fix infinite resync loops +- avformat/nutdec: Check X in 2nd branch of index reading +- avformat/nutdec: Fix recovery when immedeately after seeking a failure happens +- avformat/nutdec: Return error on EOF from get_str() +- avcodec/x86/cavsdsp: remove unneeded tmp +- nutdec: fix memleaks on error in nut_read_header +- avformat/avidec: print a warning for negative sample_size +- avidec: avoid infinite loop due to negative ast->sample_size +- nutdec: check chapter creation in decode_info_header +- apedec: prevent out of array writes in decode_array_0000 +- avformat/mpegts: Detect changes in packet through CRC instead of just the 5bit version +- avformat/mpegts: reset last_ver on corrupted packets +- avformat/mpegts: Factorize version checking code out +- avformat/mpegts: Also parse the FMC descriptor if the codec has not been identified yet +- avformat/mpegts: reset last_version on seeking +- avformat/mp3dec: Check for avcodec_alloc_context3() failure +- avformat/mp3dec: properly allocate dummy AVCodecContext +- lavfi/fade: Do not overread input buffer. +- tests: drop bc dependency +- alsdec: limit avctx->bits_per_raw_sample to 32 + + +version 2.4.9: +- alac: reject rice_limit 0 if compression is used +- lavf: Reset global flag on deinit +- bink: check vst->index_entries before using it +- mpeg4videodec: only allow a positive length +- alsdec: check sample pointer range in revert_channel_correlation +- avcodec/h264_refs: Do not set reference to things which do not exist +- avcodec/h264: Fail for invalid mixed IDR / non IDR frames in slice threading mode +- h264: avoid unnecessary calls to get_format +- avutil/pca: Check for av_malloc* failures +- alsdec: validate time diff index +- avcodec/alsdec: Use av_mallocz_array() for chan_data to ensure the arrays never contain random data +- alsdec: ensure channel reordering is reversible +- avcodec/atrac3plusdsp: fix on stack alignment +- ac3: validate end in ff_ac3_bit_alloc_calc_mask +- aacpsy: avoid psy_band->threshold becoming NaN +- aasc: return correct buffer size from aasc_decode_frame +- aacdec: consistently use avctx for logging in decode_eld_specific_config +- msrledec: use signed pixel_ptr in msrle_decode_pal4 +- swresample/swresample-test: Randomly wipe out channel counts +- swresample: Check channel layouts and channels against each other and print human readable error messages +- swresample: Allow reinitialization without ever setting channel layouts +- swresample: Allow reinitialization without ever setting channel counts +- avcodec/h264: Do not fail with randomly truncated VUIs +- avcodec/h264_ps: Move truncation check from VUI to SPS +- avcodec/h264: Be more tolerant to changing pps id between slices +- avcodec/aacdec: Fix storing state before PCE decode +- avcodec/h264: reset the counts in the correct context +- avcodec/h264_slice: Do not reset mb_aff_frame per slice +- tests: Fix test name for pixfmts tests +- avcodec/h264: finish previous slices before switching to single thread mode +- avcodec/h264: Fix race between slices where one overwrites data from the next +- avformat/utils: avoid discarded streams in av_find_default_stream_index() +- avformat/utils: Ensure that AVFMT_FLAG_CUSTOM_IO is set before use +- avformat/img2dec: do not rewind custom io buffers +- fate: Include branch information in the payload header + + +version 2.4.8: +- avutil/cpu: add missing check for mmxext to av_force_cpu_flags +- avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer +- avcodec/hevc_ps: Check cropping parameters more correctly +- avcodec/dnxhddec: Check that the frame is interlaced before using cur_field +- avformat/mov: Disallow ".." in dref unless use_absolute_path is set +- avformat/mov: Check for string truncation in mov_open_dref() +- ac3_fixed: fix out-of-bound read +- avcodec/012v: redesign main loop +- avcodec/012v: Check dimensions more completely +- asfenc: fix leaking asf->index_ptr on error +- avcodec/options_table: remove extradata_size from the AVOptions table +- ffmdec: limit the backward seek to the last resync position +- ffmdec: make sure the time base is valid +- ffmdec: fix infinite loop at EOF +- avcodec/tiff: move bpp check to after "end:" +- avcodec/opusdec: Fix delayed sample value +- avcodec/utils: Align YUV411 by as much as the other YUV variants +- vp9: fix segmentation map retention with threading enabled. +- doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds +- fix VP9 packet decoder returning 0 instead of the used data size +- avformat/bit: only accept the g729 codec and 1 channel +- avformat/adxdec: check avctx->channels for invalid values +- Fix buffer_size argument to init_put_bits() in multiple encoders. +- mips/acelp_filters: fix incorrect register constraint +- avcodec/hevc_ps: Sanity checks for some log2_* values +- avcodec/zmbv: Check len before reading in decode_frame() +- avcodec/snowdec: Fix ref value check +- swscale/utils: More carefully merge and clear coefficients outside the input +- avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop +- avcodec/a64multienc: don't set incorrect packet size +- webp: ensure that each transform is only used once +- avcodec/hevc_ps: More complete window reset +- vp9: make above buffer pointer 32-byte aligned. +- avformat/rm: limit packet size +- avcodec/webp: validate the distance prefix code +- avcodec/gif: fix off by one in column offsetting finding + + +version 2.4.7: +- avcodec/flac_parser: fix handling EOF if no headers are found +- avfilter/vf_framepack: Check and update frame_rate +- avcodec/hevc: Fix handling of skipped_bytes() reallocation failures +- qpeg: avoid pointless invalid memcpy() +- avcodec/arm/videodsp_armv5te: Fix linking failure with "g++ -shared -D__STDC_CONSTANT_MACROS -o test.so ... libavcodec.a" +- avcodec/mjpegdec: Skip blocks which are outside the visible area +- lavc/aarch64: Do not use the neon horizontal chroma loop filter for H.264 4:2:2. (cherry picked from commit 4faea46bd906b3897018736208123aa36c3f45d5) +- avcodec/h264_slice: assert that reinit does not occur after the first slice +- avcodec/h264_slice: ignore SAR changes in slices after the first +- avcodec/h264_slice: Check picture structure before setting the related fields +- avcodec/h264_slice: Do not change frame_num after the first slice +- avutil/opt: Fix type used to access AV_OPT_TYPE_SAMPLE_FMT +- avutil/opt: Fix types used to access AV_OPT_TYPE_PIXEL_FMT +- avcodec/h264: Be more strict on rejecting pps/sps changes +- avcodec/h264: Be more strict on rejecting pps_id changes +- avcodec/h264_ps: More completely check the bit depths +- avformat/thp: Check av_get_packet() for failure not only for partial output +- swscale/utils: Limit filter shifting so as not to read from prior the array +- avcodec/mpegvideo_motion: Fix gmc chroma dimensions +- avcodec/mjpegdec: Check number of components for JPEG-LS +- avcodec/mjpegdec: Check escape sequence validity +- avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior +- avformat/mpc8: fix broken pointer math +- avformat/mpc8: fix hang with fuzzed file +- avformat/tta: fix crash with corrupted files + +version 2.4.6: +- doc/examples: fix lib math dep for decoding_encoding +- avformat/movenc: workaround bug in "PathScale EKOPath(tm) Compiler Suite Version 4.0.12.1" +- vp9: fix parser return values in error case +- ffmpeg: Clear error message array at init. +- avcodec/dvdsubdec: fix accessing dangling pointers +- avcodec/dvdsubdec: error on bitmaps with size 0 +- avformat/mov: Fix mixed declaration and statement warning +- cmdutils: Use 64bit for file size/offset related variable in cmdutils_read_file() +- avformat/utils: Clear pointer in ff_alloc_extradata() to avoid leaving a stale pointer in memory +- avformat/matroskadec: Use av_freep() to avoid leaving stale pointers in memory +- lavfi: check av_strdup() return value +- mov: Fix negative size calculation in mov_read_default(). +- avformat/mov: fix integer overflow in mov_read_udta_string() +- mov: Avoid overflow with mov_metadata_raw() +- avcodec/dvdsubdec: fix out of bounds accesses +- avfilter/vf_sab: fix filtering tiny images +- avformat/flvdec: Increase string array size +- avformat/flvdec: do not inject dts=0 metadata packets which failed to be parsed into a new data stream +- avformat/cdxl: Fix integer overflow of image_size +- avformat/segment: Use av_freep() avoid leaving stale pointers in memory +- avformat/mov: Fix memleaks for duplicate STCO/CO64/STSC atoms +- mov: avoid a memleak when multiple stss boxes are presen + +version 2.4.5: +- lavu/frame: fix malloc error path in av_frame_copy_props() +- avformat/utils: Do not update programs streams from program-less streams in update_wrap_reference() +- avformat/aviobuf: Check that avio_seek() target is non negative +- swresample/soxr_resample: fix error handling +- avformat/flvdec: fix potential use of uninitialized variables +- avformat/matroskadec: fix handling of recursive SeekHead elements +- doc/examples/transcoding: check encoder before using it +- swscale/x86/rgb2rgb_template: fix crash with tiny size and nv12 output +- avformat/rmdec: Check codec_data_size +- avformat/aviobuf: Fix infinite loop in ff_get_line() +- vc1: Do not assume seek happens after decoding +- mmvideo: check frame dimensions +- jvdec: check frame dimensions +- avcodec/indeo3: ensure offsets are non negative +- avcodec/h264: Check *log2_weight_denom +- avcodec/hevc_ps: Check diff_cu_qp_delta_depth +- avcodec/h264: Clear delayed_pic on deallocation +- avcodec/hevc: clear filter_slice_edges() on allocation +- avcodec/dcadec: Check that the added xch channel isnt already there +- avcodec/indeo3: use signed variables to avoid underflow +- swscale: increase yuv2rgb table headroom +- avformat/mov: fix integer overflow of size +- avformat/mov: check atom nesting depth +- avcodec/utvideodec: Fix handling of slice_height=0 +- avcodec/vmdvideo: Check len before using it in method 3 +- avformat/flvdec: Use av_freep() avoid leaving stale pointers in memory +- avformat/hdsenc: Use av_freep() avoid leaving stale pointers in memory +- configure: create the tests directory like the doc directory +- v4l2: Make use of the VIDIOC_ENUM_FRAMESIZES ioctl on OpenBSD +- avcodec/motion_est: use 2x8x8 for interlaced qpel +- Treat all '*.pnm' files as non-text file + +version 2.4.4: +- avformat: replace some odd 30-60 rates by higher less odd ones in get_std_framerate() +- swscale: fix yuv2yuvX_8 assembly on x86 +- avcodec/hevc_ps: Check num_long_term_ref_pics_sps +- avcodec/mjpegdec: Fix integer overflow in shift +- avcodec/hevc_ps: Check return code from pps_range_extensions() +- avcodec/rawdec: Check the return code of avpicture_get_size() +- avcodec/pngdec: Check IHDR/IDAT order +- avcodec/flacdec: Call ff_flacdsp_init() unconditionally +- avcodec/utils: Check that the data is complete in avpriv_bprint_to_extradata() +- avcodec/mjpegdec: Fix context fields becoming inconsistent +- avcodec/mjpegdec: Check for pixfmtid 0x42111100 || 0x24111100 with more than 8 bits +- swscale/x86/rgb2rgb_template: handle the first 2 lines with C in rgb24toyv12_*() +- doc/APIchanges: Fix some wrong versions +- avformat/hlsenc: Free context after hls_append_segment +- avcodec/mpeg4video_parser: fix spurious extradata parse warnings +- lavu/opt: fix av_opt_get function +- avcodec/wmaprodec: Fix integer overflow in sfb_offsets initialization +- avcodec/utvideodec: fix assumtation that slice_height >= 1 +- avcodec/options_table fix min of audio channels and sample rate +- libavutil/thread.h: Support OS/2 threads +- fix Makefile objects for pulseaudio support +- opusdec: make sure all substreams have the same number of coded samples +- lavu: add wrappers for the pthreads mutex API +- avformat/avidec: fix handling dv in avi +- avfilter/vf_lut: gammaval709() +- cinedec: report white balance gain coefficients using metadata +- swscale/utils: support bayer input + scaling, and bayer input + any supported output +- swscale: support internal scaler cascades +- avformat/dtsdec: dts_probe: check reserved bit, check lfe, check sr_code similarity +- avformat/segment: export inner muxer timebase +- Remove fminf() emulation, fix build issues +- avcodec/mpegaudio_parser: fix off by 1 error in bitrate calculation +- Use -fno-optimize-sibling-calls on parisc also for gcc 4.9. +- ffmpeg_opt: store canvas size in decoder context +- avcodec/mpeg12dec: do not trust AVCodecContext input dimensions + +version 2.4.3: +- avcodec/svq1dec: zero terminate embedded message before printing +- avcodec/cook: check that the subpacket sizes fit in block_align +- avcodec/g2meet: check tile dimensions to avoid integer overflow +- avcodec/utils: Align dimensions by at least their chroma sub-sampling factors. +- avcodec/dnxhddec: treat pix_fmt like width/height +- avcodec/dxa: check dimensions +- avcodec/dirac_arith: fix integer overflow +- avcodec/diracdec: Tighter checks on CODEBLOCKS_X/Y +- avcodec/diracdec: Use 64bit in calculation of codeblock coordinates +- avcodec/sgidec: fix count check +- avcodec/sgidec: fix linesize for 16bit +- avcodec/hevc_ps: Check default display window bitstream and skip if invalid +- avcodec/tiffenc: properly compute packet size +- lavd: export all symbols with av_ prefix +- avformat/mxfdec: Fix termination of mxf_data_essence_container_uls +- postproc: fix qp count +- postproc/postprocess: fix quant store for fq mode +- vf_drawtext: add missing clear of pointers after av_expr_free() +- utvideoenc: properly set slice height/last line +- swresample: fix sample drop loop end condition +- resample: Avoid off-by-1 errors in PTS calcs. +- imc: fix order of operations in coefficients read +- hevc_mvs: make sure to always initialize the temporal MV fully +- hevc_mvs: initialize the temporal MV in case of missing reference + +version 2.4.2: +- avcodec/on2avc: Check number of channels +- avcodec/hevc: fix chroma transform_add size +- avcodec/h264: Check mode before considering mixed mode intra prediction +- avformat/mpegts: use a padded buffer in read_sl_header() +- avformat/mpegts: Check desc_len / get8() return code +- avcodec/vorbisdec: Fix off by 1 error in ptns_to_read +- sdp: add support for H.261 +- avcodec/svq3: Do not memcpy AVFrame +- avcodec/smc: fix off by 1 error +- avcodec/qpeg: fix off by 1 error in MV bounds check +- avcodec/gifdec: factorize interleave end handling out +- avcodec/cinepak: fix integer underflow +- avcodec/pngdec: Check bits per pixel before setting monoblack pixel format +- avcodec/pngdec: Calculate MPNG bytewidth more defensively +- avcodec/tiff: more completely check bpp/bppcount +- avcodec/mmvideo: Bounds check 2nd line of HHV Intra blocks +- avcodec/h263dec: Fix decoding messenger.h263 +- avcodec/utils: Add case for jv to avcodec_align_dimensions2() +- avcodec/mjpegdec: check bits per pixel for changes similar to dimensions +- avcodec/jpeglsdec: Check run value more completely in ls_decode_line() +- avformat/hlsenc: export inner muxer timebase +- configure: add noexecstack to linker options if supported. +- avcodec/ac3enc_template: fix out of array read +- avutil/x86/cpu: fix cpuid sub-leaf selection +- avformat/img2dec: enable generic seeking for image pipes +- avformat/img2dec: initialize pkt->pos for image pipes +- avformat/img2dec: pass error code and signal EOF +- avformat/img2dec: fix error code at EOF for pipes +- libavutil/opt: fix av_opt_set_channel_layout() to access correct memory address +- tests/fate-run.sh: Cat .err file in case of error with V>0 +- avformat/riffenc: Filter out "BottomUp" in ff_put_bmp_header() +- avcodec/webp: fix default palette color 0xff000000 -> 0x00000000 +- avcodec/asvenc: fix AAN scaling +- Fix compile error on arm4/arm5 platform + + +version 2.4.1: +- swscale: Allow chroma samples to be above and to the left of luma samples +- avcodec/libilbc: support for latest git of libilbc +- avcodec/webp: treat out-of-bound palette index as translucent black +- vf_deshake: rename Transform.vector to Transform.vec to avoid compiler confusion +- apetag: Fix APE tag size check +- tools/crypto_bench: fix build when AV_READ_TIME is unavailable + + +version 2.4: - Icecast protocol - ported lenscorrection filter from frei0r filter - large optimizations in dctdnoiz to make it usable diff --git a/MAINTAINERS b/MAINTAINERS index c863e41028..008e232c7f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -14,7 +14,6 @@ patches and related discussions. Project Leader ============== -Michael Niedermayer final design decisions @@ -529,15 +528,12 @@ Windows ICL Matthew Oliver ADI/Blackfin DSP Marc Hoffman Sparc Roman Shaposhnik x86 Michael Niedermayer +OS/2 KO Myung-Hun Releases ======== -2.3 Michael Niedermayer -2.2 Michael Niedermayer -1.2 Michael Niedermayer - If you want to maintain an older release, please contact us diff --git a/Makefile b/Makefile index 57f6a91c47..3058ba0d75 100644 --- a/Makefile +++ b/Makefile @@ -111,7 +111,7 @@ endef $(foreach P,$(PROGS),$(eval $(call DOPROG,$(P:$(PROGSSUF)$(EXESUF)=)))) -ffprobe.o cmdutils.o : libavutil/ffversion.h +ffprobe.o cmdutils.o libavcodec/utils.o libavformat/utils.o libavdevice/avdevice.o libavfilter/avfilter.o libavutil/utils.o libpostproc/postprocess.o libswresample/swresample.o libswscale/utils.o : libavutil/ffversion.h $(PROGS): %$(PROGSSUF)$(EXESUF): %$(PROGSSUF)_g$(EXESUF) $(CP) $< $@ diff --git a/RELEASE b/RELEASE index c6266be9e6..e5f31291b2 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.3.git +2.4.14 diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 5499cfd54d..9d0d7e4cd7 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -53,6 +53,8 @@ • API for live metadata updates through event flags. • UTF-16 support in text subtitles formats. • The ASS muxer now reorders the Dialogue events properly. + • support for H.261 RTP payload format (RFC 4587) + • HEVC/H.265 RTP payload format (draft v6) depacketizer ┌────────────────────────────┐ │ libavfilter │ diff --git a/cmdutils.c b/cmdutils.c index 1143ea10d1..c31cb96a60 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -58,6 +58,9 @@ #include #include #endif +#if HAVE_SETDLLDIRECTORY +#include +#endif static int init_report(const char *env); @@ -111,6 +114,15 @@ static void log_callback_report(void *ptr, int level, const char *fmt, va_list v } } +void init_dynload(void) +{ +#if HAVE_SETDLLDIRECTORY + /* Calling SetDllDirectory with the empty string (but not NULL) removes the + * current working directory from the DLL search path as a security pre-caution. */ + SetDllDirectory(""); +#endif +} + static void (*program_exit)(int ret); void register_exit(void (*cb)(int ret)) @@ -444,7 +456,7 @@ int locate_option(int argc, char **argv, const OptionDef *options, (po->name && !strcmp(optname, po->name))) return i; - if (po->flags & HAS_ARG) + if (!po->name || po->flags & HAS_ARG) i++; } return 0; @@ -1857,7 +1869,7 @@ int read_yesno(void) int cmdutils_read_file(const char *filename, char **bufptr, size_t *size) { - int ret; + int64_t ret; FILE *f = av_fopen_utf8(filename, "rb"); if (!f) { @@ -1865,19 +1877,31 @@ int cmdutils_read_file(const char *filename, char **bufptr, size_t *size) strerror(errno)); return AVERROR(errno); } - fseek(f, 0, SEEK_END); - *size = ftell(f); - fseek(f, 0, SEEK_SET); - if (*size == (size_t)-1) { - av_log(NULL, AV_LOG_ERROR, "IO error: %s\n", strerror(errno)); - fclose(f); - return AVERROR(errno); + + ret = fseek(f, 0, SEEK_END); + if (ret == -1) { + ret = AVERROR(errno); + goto out; } + + ret = ftell(f); + if (ret < 0) { + ret = AVERROR(errno); + goto out; + } + *size = ret; + + ret = fseek(f, 0, SEEK_SET); + if (ret == -1) { + ret = AVERROR(errno); + goto out; + } + *bufptr = av_malloc(*size + 1); if (!*bufptr) { av_log(NULL, AV_LOG_ERROR, "Could not allocate file buffer\n"); - fclose(f); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto out; } ret = fread(*bufptr, 1, *size, f); if (ret < *size) { @@ -1893,6 +1917,8 @@ int cmdutils_read_file(const char *filename, char **bufptr, size_t *size) (*bufptr)[(*size)++] = '\0'; } +out: + av_log(NULL, AV_LOG_ERROR, "IO error: %s\n", av_err2str(ret)); fclose(f); return ret; } diff --git a/cmdutils.h b/cmdutils.h index 76d11a598c..3bd778b94b 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -61,6 +61,11 @@ void register_exit(void (*cb)(int ret)); */ void exit_program(int ret) av_noreturn; +/** + * Initialize dynamic library loading + */ +void init_dynload(void); + /** * Initialize the cmdutils option system, in particular * allocate the *_opts contexts. diff --git a/cmdutils_opencl.c b/cmdutils_opencl.c index 3dfd156195..61478e27af 100644 --- a/cmdutils_opencl.c +++ b/cmdutils_opencl.c @@ -22,6 +22,7 @@ #include "libavutil/time.h" #include "libavutil/log.h" #include "libavutil/opencl.h" +#include "libavutil/avstring.h" #include "cmdutils.h" typedef struct { @@ -238,7 +239,8 @@ int opt_opencl_bench(void *optctx, const char *opt, const char *arg) devices[count].platform_idx = i; devices[count].device_idx = j; devices[count].runtime = score; - strcpy(devices[count].device_name, device_node->device_name); + av_strlcpy(devices[count].device_name, device_node->device_name, + sizeof(devices[count].device_name)); count++; } } diff --git a/configure b/configure index b39b6d3198..90f130786e 100755 --- a/configure +++ b/configure @@ -1620,7 +1620,6 @@ HEADERS_LIST=" asm_types_h cdio_paranoia_h cdio_paranoia_paranoia_h - CL_cl_h dev_bktr_ioctl_bt848_h dev_bktr_ioctl_meteor_h dev_ic_bt8xx_h @@ -1668,7 +1667,6 @@ MATH_FUNCS=" exp2 exp2f expf - fminf isinf isnan ldexpf @@ -1730,6 +1728,7 @@ SYSTEM_FUNCS=" pthread_cancel sched_getaffinity SetConsoleTextAttribute + SetDllDirectory setmode setrlimit Sleep @@ -1744,6 +1743,7 @@ SYSTEM_FUNCS=" TOOLCHAIN_FEATURES=" as_dn_directive as_func + as_object_arch asm_mod_q attribute_may_alias attribute_packed @@ -3934,6 +3934,9 @@ case "$arch" in ;; x86) check_64bit x86_32 x86_64 'sizeof(void *) > 4' + # Treat x32 as x64 for now. Note it also needs spic=$shared + test "$subarch" = "x86_32" && check_cpp_condition stddef.h 'defined(__x86_64__)' && + subarch=x86_64 if test "$subarch" = "x86_64"; then spic=$shared fi @@ -4121,11 +4124,10 @@ case $target_os in SLIBNAME_WITH_VERSION='$(SLIBPREF)$(NAME)-$(LIBVERSION)$(SLIBSUF)' SLIBNAME_WITH_MAJOR='$(SLIBPREF)$(shell echo $(NAME) | cut -c1-6)$(LIBMAJOR)$(SLIBSUF)' SLIB_CREATE_DEF_CMD='echo LIBRARY $(SLIBNAME_WITH_MAJOR) INITINSTANCE TERMINSTANCE > $(SUBDIR)$(NAME).def; \ - echo PROTMODE >> $(SUBDIR)$(NAME).def; \ echo CODE PRELOAD MOVEABLE DISCARDABLE >> $(SUBDIR)$(NAME).def; \ echo DATA PRELOAD MOVEABLE MULTIPLE NONSHARED >> $(SUBDIR)$(NAME).def; \ echo EXPORTS >> $(SUBDIR)$(NAME).def; \ - emxexp -o $(OBJS) >> $(SUBDIR)$(NAME).def' + emxexp $(OBJS) >> $(SUBDIR)$(NAME).def' SLIB_EXTRA_CMD='emximp -o $(SUBDIR)$(LIBPREF)$(NAME)_dll.a $(SUBDIR)$(NAME).def; \ emximp -o $(SUBDIR)$(LIBPREF)$(NAME)_dll.lib $(SUBDIR)$(NAME).def;' SLIB_INSTALL_EXTRA_LIB='$(LIBPREF)$(NAME)_dll.a $(LIBPREF)$(NAME)_dll.lib' @@ -4423,6 +4425,11 @@ if enabled_any arm aarch64 || enabled_all ppc altivec && enabled asm; then check_as < $TMPH <> $TMPH mkdir -p doc +mkdir -p tests echo "@c auto-generated by configure" > doc/config.texi print_config ARCH_ "$config_files" $ARCH_LIST diff --git a/doc/APIchanges b/doc/APIchanges index 8a280297e8..2f1795e9ee 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -148,7 +148,7 @@ API changes, most recent first: Increase FF_INPUT_BUFFER_PADDING_SIZE to 32 due to some corner cases needing it -2014-06-10 - xxxxxxx - lavf 55.43.100 - avformat.h +2014-06-10 - 5482780 - lavf 55.43.100 - avformat.h New field int64_t max_analyze_duration2 instead of deprecated int max_analyze_duration. @@ -172,7 +172,7 @@ API changes, most recent first: Add strict_std_compliance and related AVOptions to support experimental muxing. -2014-05-26 - xxxxxxx - lavu 52.87.100 - threadmessage.h +2014-05-26 - 55cc60c - lavu 52.87.100 - threadmessage.h Add thread message queue API. 2014-05-26 - c37d179 - lavf 55.41.100 - avformat.h @@ -182,7 +182,7 @@ API changes, most recent first: Add av_stream_get_side_data() to access stream-level side data in the same way as av_packet_get_side_data(). -2014-05-xx - xxxxxxx - lavu 52.86.100 - fifo.h +2014-05-20 - 7336e39 - lavu 52.86.100 - fifo.h Add av_fifo_alloc_array() function. 2014-05-19 - ef1d4ee / bddd8cb - lavu 52.85.100 / 53.15.0 - frame.h, display.h @@ -214,10 +214,10 @@ API changes, most recent first: 2014-05-11 - 14aef38 / 66e6c8a - lavu 52.83.100 / 53.14.0 - pixfmt.h Add AV_PIX_FMT_VDA for new-style VDA acceleration. -2014-05-xx - xxxxxxx - lavu 52.82.0 - fifo.h +2014-05-07 - 351f611 - lavu 52.82.100 - fifo.h Add av_fifo_freep() function. -2014-05-02 - ba52fb11 - lavu 52.81.0 - opt.h +2014-05-02 - ba52fb11 - lavu 52.81.100 - opt.h Add av_opt_set_dict2() function. 2014-05-01 - e77b985 / a2941c8 - lavc 55.60.103 / 55.50.3 - avcodec.h @@ -236,10 +236,14 @@ API changes, most recent first: Deprecate CODEC_FLAG_INPUT_PRESERVED. Its functionality is replaced by passing reference-counted frames to encoders. +2014-04-30 - 617e866 - lavu 52.81.100 - pixdesc.h + Add av_find_best_pix_fmt_of_2(), av_get_pix_fmt_loss() + Deprecate avcodec_get_pix_fmt_loss(), avcodec_find_best_pix_fmt_of_2() + 2014-04-29 - 1bf6396 - lavc 55.60.100 - avcodec.h Add AVCodecDescriptor.mime_types field. -2014-04-29 - xxxxxxx - lavu 52.80.0 - hash.h +2014-04-29 - b804eb4 - lavu 52.80.100 - hash.h Add av_hash_final_bin(), av_hash_final_hex() and av_hash_final_b64(). 2014-03-07 - 8b2a130 - lavc 55.50.0 / 55.53.100 - dxva2.h @@ -251,7 +255,7 @@ API changes, most recent first: 2014-04-17 - a8d01a7 / 0983d48 - lavu 53.12.0 / 52.77.100 - crc.h Add AV_CRC_16_ANSI_LE crc variant. -2014-04-XX - xxxxxxx - lavf xx.xx.1xx - avformat.h +2014-04-15 - ef818d8 - lavf 55.37.101 - avformat.h Add av_format_inject_global_side_data() 2014-04-12 - 4f698be - lavu 52.76.100 - log.h @@ -331,7 +335,7 @@ API changes, most recent first: 2014-02-19 - f4c8d00 / 6bb8720 - lavu 52.64.101 / 53.3.1 - opt.h Deprecate unused AV_OPT_FLAG_METADATA. -2014-02-xx - xxxxxxx - lavd 55.10.100 - avdevice.h +2014-02-16 - 81c3f81 - lavd 55.10.100 - avdevice.h Add avdevice_list_devices() and avdevice_free_list_devices() 2014-02-16 - db3c970 - lavf 55.33.100 - avio.h @@ -372,7 +376,7 @@ API changes, most recent first: 2014-01-19 - 1a193c4 - lavf 55.25.100 - avformat.h Add avformat_get_mov_video_tags() and avformat_get_mov_audio_tags(). -2014-01-19 - xxxxxxx - lavu 52.63.100 - rational.h +2014-01-19 - 3532dd5 - lavu 52.63.100 - rational.h Add av_make_q() function. 2014-01-05 - 4cf4da9 / 5b4797a - lavu 52.62.100 / 53.2.0 - frame.h diff --git a/doc/Doxyfile b/doc/Doxyfile index 8697e6c551..20edc63867 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 2.4.14 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/doc/demuxers.texi b/doc/demuxers.texi index e5823227af..0ebc862633 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -78,7 +78,7 @@ All subsequent file-related directives apply to that file. @item @code{ffconcat version 1.0} Identify the script type and version. It also sets the @option{safe} option -to 1 if it was to its default -1. +to 1 if it was -1. To make FFmpeg recognize the format automatically, this directive must appears exactly as is (no extra space or byte-order-mark) on the very first @@ -125,7 +125,9 @@ component. If set to 0, any file name is accepted. -The default is -1, it is equivalent to 1 if the format was automatically +The default is 1. + +-1 is equivalent to 1 if the format was automatically probed and 0 otherwise. @item auto_convert @@ -208,6 +210,24 @@ used to end the output video at the length of the shortest input file, which in this case is @file{input.mp4} as the GIF in this example loops infinitely. +@section hls + +HLS demuxer + +It accepts the following options: + +@table @option +@item live_start_index +segment index to start live streams at (negative values are from the end). + +@item allowed_extensions +',' separated list of file extensions that hls is allowed to access. + +@item max_reload +Maximum number of times a insufficient list is attempted to be reloaded. +Default value is 1000. +@end table + @section image2 Image file demuxer. @@ -339,6 +359,23 @@ ffmpeg -framerate 10 -pattern_type glob -i "*.png" out.mkv @end example @end itemize +@section mov/mp4/3gp/Quicktme + +Quicktime / MP4 demuxer. + +This demuxer accepts the following options: +@table @option +@item enable_drefs +Enable loading of external tracks, disabled by default. +Enabling this can theoretically leak information in some use cases. + +@item use_absolute_path +Allows loading of external tracks via absolute paths, disabled by default. +Enabling this poses a security risk. It should only be enabled if the source +is known to be non malicious. + +@end table + @section mpegts MPEG-2 transport stream demuxer. diff --git a/doc/developer.texi b/doc/developer.texi index 8b1f150ee6..889464ba74 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -399,6 +399,35 @@ finding a new maintainer and also don't forget updating the @file{MAINTAINERS} f We think our rules are not too hard. If you have comments, contact us. +@section Code of conduct + +Be friendly and respectful towards others and third parties. +Treat others the way you yourself want to be treated. + +Be considerate. Not everyone shares the same viewpoint and priorities as you do. +Different opinions and interpretations help the project. +Looking at issues from a different perspective assists development. + +Do not assume malice for things that can be attributed to incompetence. Even if +it is malice, it's rarely good to start with that as initial assumption. + +Stay friendly even if someone acts contrarily. Everyone has a bad day +once in a while. +If you yourself have a bad day or are angry then try to take a break and reply +once you are calm and without anger if you have to. + +Try to help other team members and cooperate if you can. + +The goal of software development is to create technical excellence, not for any +individual to be better and "win" against the others. Large software projects +are only possible and successful through teamwork. + +If someone struggles do not put them down. Give them a helping hand +instead and point them in the right direction. + +Finally, keep in mind the immortal words of Bill and Ted, +"Be excellent to each other." + @anchor{Submitting patches} @section Submitting patches diff --git a/doc/examples/Makefile b/doc/examples/Makefile index 07251fe3c2..9f03f04b57 100644 --- a/doc/examples/Makefile +++ b/doc/examples/Makefile @@ -29,6 +29,7 @@ OBJS=$(addsuffix .o,$(EXAMPLES)) # the following examples make explicit use of the math library avcodec: LDLIBS += -lm +decoding_encoding: LDLIBS += -lm muxing: LDLIBS += -lm resampling_audio: LDLIBS += -lm diff --git a/doc/examples/resampling_audio.c b/doc/examples/resampling_audio.c index 8a43b09039..f35e7e1779 100644 --- a/doc/examples/resampling_audio.c +++ b/doc/examples/resampling_audio.c @@ -199,8 +199,7 @@ int main(int argc, char **argv) fmt, dst_ch_layout, dst_nb_channels, dst_rate, dst_filename); end: - if (dst_file) - fclose(dst_file); + fclose(dst_file); if (src_data) av_freep(&src_data[0]); diff --git a/doc/examples/scaling_video.c b/doc/examples/scaling_video.c index fcb98b7489..587f3abe4f 100644 --- a/doc/examples/scaling_video.c +++ b/doc/examples/scaling_video.c @@ -132,8 +132,7 @@ int main(int argc, char **argv) av_get_pix_fmt_name(dst_pix_fmt), dst_w, dst_h, dst_filename); end: - if (dst_file) - fclose(dst_file); + fclose(dst_file); av_freep(&src_data[0]); av_freep(&dst_data[0]); sws_freeContext(sws_ctx); diff --git a/doc/examples/transcoding.c b/doc/examples/transcoding.c index a8f4210e6e..d7c4a84de9 100644 --- a/doc/examples/transcoding.c +++ b/doc/examples/transcoding.c @@ -116,6 +116,10 @@ static int open_output_file(const char *filename) || dec_ctx->codec_type == AVMEDIA_TYPE_AUDIO) { /* in this example, we choose transcoding to same codec */ encoder = avcodec_find_encoder(dec_ctx->codec_id); + if (!encoder) { + av_log(NULL, AV_LOG_FATAL, "Neccessary encoder not found\n"); + return AVERROR_INVALIDDATA; + } /* In this example, we transcode to same properties (picture size, * sample rate etc.). These properties can be changed for output diff --git a/doc/faq.texi b/doc/faq.texi index fdcb46d334..54b61fc9ea 100644 --- a/doc/faq.texi +++ b/doc/faq.texi @@ -298,7 +298,7 @@ FFmpeg has a @url{http://ffmpeg.org/ffmpeg-protocols.html#concat, @code{concat}} protocol designed specifically for that, with examples in the documentation. -A few multimedia containers (MPEG-1, MPEG-2 PS, DV) allow to concatenate +A few multimedia containers (MPEG-1, MPEG-2 PS, DV) allow one to concatenate video by merely concatenating the files containing them. Hence you may concatenate your multimedia files by first transcoding them to diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index 4fc76820e1..862bd472c9 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -11,7 +11,7 @@ @chapter Synopsis -ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_file}@} ... @{[@var{output_file_options}] @file{output_file}@} ... +ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_url}@} ... @{[@var{output_file_options}] @file{output_url}@} ... @chapter Description @c man begin DESCRIPTION @@ -23,10 +23,10 @@ rates and resize video on the fly with a high quality polyphase filter. @command{ffmpeg} reads from an arbitrary number of input "files" (which can be regular files, pipes, network streams, grabbing devices, etc.), specified by the @code{-i} option, and writes to an arbitrary number of output "files", which are -specified by a plain output filename. Anything found on the command line which -cannot be interpreted as an option is considered to be an output filename. +specified by a plain output url. Anything found on the command line which +cannot be interpreted as an option is considered to be an output url. -Each input or output file can, in principle, contain any number of streams of +Each input or output url can, in principle, contain any number of streams of different types (video/audio/subtitle/attachment/data). The allowed number and/or types of streams may be limited by the container format. Selecting which streams from which inputs will go into which output is either done automatically @@ -242,8 +242,8 @@ Force input or output file format. The format is normally auto detected for inpu files and guessed from the file extension for output files, so this option is not needed in most cases. -@item -i @var{filename} (@emph{input}) -input file name +@item -i @var{url} (@emph{input}) +input file url @item -y (@emph{global}) Overwrite output files without asking. @@ -276,7 +276,7 @@ libx264, and the 138th audio, which will be encoded with libvorbis. When used as an input option (before @code{-i}), limit the @var{duration} of data read from the input file. -When used as an output option (before an output filename), stop writing the +When used as an output option (before an output url), stop writing the output after its duration reaches @var{duration}. @var{duration} may be a number in seconds, or in @code{hh:mm:ss[.xxx]} form. @@ -301,7 +301,7 @@ extra segment between the seek point and @var{position} will be decoded and discarded. When doing stream copy or when @option{-noaccurate_seek} is used, it will be preserved. -When used as an output option (before an output filename), decodes but discards +When used as an output option (before an output url), decodes but discards input until the timestamps reach @var{position}. @var{position} may be either in seconds or in @code{hh:mm:ss[.xxx]} form. @@ -1057,7 +1057,7 @@ may be reassigned to a different value. For example, to set the stream 0 PID to 33 and the stream 1 PID to 36 for an output mpegts file: @example -ffmpeg -i infile -streamid 0:33 -streamid 1:36 out.ts +ffmpeg -i inurl -streamid 0:33 -streamid 1:36 out.ts @end example @item -bsf[:@var{stream_specifier}] @var{bitstream_filters} (@emph{output,per-stream}) diff --git a/doc/ffplay.texi b/doc/ffplay.texi index 203085c16d..9b86c6bfc1 100644 --- a/doc/ffplay.texi +++ b/doc/ffplay.texi @@ -11,7 +11,7 @@ @chapter Synopsis -ffplay [@var{options}] [@file{input_file}] +ffplay [@var{options}] [@file{input_url}] @chapter Description @c man begin DESCRIPTION @@ -93,8 +93,8 @@ the input audio. Use the option "-filters" to show all the available filters (including sources and sinks). -@item -i @var{input_file} -Read @var{input_file}. +@item -i @var{input_url} +Read @var{input_url}. @end table @section Advanced options diff --git a/doc/ffprobe.texi b/doc/ffprobe.texi index 0a39ed4ca5..fdbb6b1985 100644 --- a/doc/ffprobe.texi +++ b/doc/ffprobe.texi @@ -11,7 +11,7 @@ @chapter Synopsis -ffprobe [@var{options}] [@file{input_file}] +ffprobe [@var{options}] [@file{input_url}] @chapter Description @c man begin DESCRIPTION @@ -23,8 +23,8 @@ For example it can be used to check the format of the container used by a multimedia stream and the format and type of each media stream contained in it. -If a filename is specified in input, ffprobe will try to open and -probe the file content. If the file cannot be opened or recognized as +If a url is specified in input, ffprobe will try to open and +probe the url content. If the url cannot be opened or recognized as a multimedia file, a positive exit code is returned. ffprobe may be employed both as a standalone application or in @@ -325,8 +325,8 @@ equivalent of setting both @option{-show_program_version} and Force bitexact output, useful to produce output which is not dependent on the specific build. -@item -i @var{input_file} -Read @var{input_file}. +@item -i @var{input_url} +Read @var{input_url}. @end table @c man end diff --git a/doc/ffserver.texi b/doc/ffserver.texi index 77273d22e1..58debab381 100644 --- a/doc/ffserver.texi +++ b/doc/ffserver.texi @@ -71,7 +71,7 @@ the HTTP server (configured through the @option{HTTPPort} option), and configuration file. Each feed is associated to a file which is stored on disk. This stored -file is used to allow to send pre-recorded data to a player as fast as +file is used to send pre-recorded data to a player as fast as possible when new content is added in real-time to the stream. A "live-stream" or "stream" is a resource published by diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi index 7b6afba59f..2a1651bfee 100644 --- a/doc/fftools-common-opts.texi +++ b/doc/fftools-common-opts.texi @@ -234,10 +234,14 @@ Possible flags for this option are: @item sse4.1 @item sse4.2 @item avx +@item avx2 @item xop +@item fma3 @item fma4 @item 3dnow @item 3dnowext +@item bmi1 +@item bmi2 @item cmov @end table @item ARM @@ -248,6 +252,13 @@ Possible flags for this option are: @item vfp @item vfpv3 @item neon +@item setend +@end table +@item AArch64 +@table @samp +@item armv8 +@item vfp +@item neon @end table @item PowerPC @table @samp diff --git a/doc/filters.texi b/doc/filters.texi index bb486eac36..3e7709570b 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -3389,7 +3389,7 @@ Set number overlapping pixels for each block. Since the filter can be slow, you may want to reduce this value, at the cost of a less effective filter and the risk of various artefacts. -If the overlapping value doesn't allow to process the whole input width or +If the overlapping value doesn't permit processing the whole input width or height, a warning will be displayed and according borders won't be denoised. Default value is @var{blocksize}-1, which is the best possible setting. @@ -4146,7 +4146,7 @@ within the parameter list. @item Show the text at the center of the video frame: @example -drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h-line_h)/2" +drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h)/2" @end example @item @@ -4956,7 +4956,7 @@ It accepts the following parameters: @item filter_name The name of the frei0r effect to load. If the environment variable @env{FREI0R_PATH} is defined, the frei0r effect is searched for in each of the -directories specified by the colon-separated list in @env{FREIOR_PATH}. +directories specified by the colon-separated list in @env{FREI0R_PATH}. Otherwise, the standard frei0r paths are searched, in this order: @file{HOME/.frei0r-1/lib/}, @file{/usr/local/lib/frei0r-1/}, @file{/usr/lib/frei0r-1/}. diff --git a/doc/formats.texi b/doc/formats.texi index 027510eb6d..910ffd2374 100644 --- a/doc/formats.texi +++ b/doc/formats.texi @@ -23,7 +23,7 @@ Reduce buffering. @item probesize @var{integer} (@emph{input}) Set probing size in bytes, i.e. the size of the data to analyze to get -stream information. A higher value will allow to detect more +stream information. A higher value will enable detecting more information in case it is dispersed into the stream, but will increase latency. Must be an integer not lesser than 32. It is 5000000 by default. @@ -63,7 +63,7 @@ Default is 0. @item analyzeduration @var{integer} (@emph{input}) Specify how many microseconds are analyzed to probe the input. A -higher value will allow to detect more accurate information, but will +higher value will enable detecting more accurate information, but will increase latency. It defaults to 5,000,000 microseconds = 5 seconds. @item cryptokey @var{hexadecimal string} (@emph{input}) diff --git a/doc/general.texi b/doc/general.texi index 8d7555d10f..5ca100b67f 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -935,8 +935,8 @@ following image formats are supported: @item Musepack SV8 @tab @tab X @item Nellymoser Asao @tab X @tab X @item On2 AVC (Audio for Video Codec) @tab @tab X -@item Opus @tab E @tab E - @tab supported through external library libopus +@item Opus @tab E @tab X + @tab encoding supported through external library libopus @item PCM A-law @tab X @tab X @item PCM mu-law @tab X @tab X @item PCM signed 8-bit planar @tab X @tab X diff --git a/doc/indevs.texi b/doc/indevs.texi index ce409b93fb..47bc620fbc 100644 --- a/doc/indevs.texi +++ b/doc/indevs.texi @@ -1,7 +1,7 @@ @chapter Input Devices @c man begin INPUT DEVICES -Input devices are configured elements in FFmpeg which allow to access +Input devices are configured elements in FFmpeg which enable accessing the data coming from a multimedia device attached to your system. When you configure your FFmpeg build, all the supported input devices diff --git a/doc/platform.texi b/doc/platform.texi index ca76492753..fa91ce2b6c 100644 --- a/doc/platform.texi +++ b/doc/platform.texi @@ -135,8 +135,6 @@ You will need the following prerequisites: (if using MSVC 2012 or earlier) @item @uref{http://www.mingw.org/, MSYS} @item @uref{http://yasm.tortall.net/, YASM} -@item @uref{http://gnuwin32.sourceforge.net/packages/bc.htm, bc for Windows} if -you want to run @uref{fate.html, FATE}. @end itemize To set up a proper environment in MSYS, you need to run @code{msys.bat} from @@ -283,7 +281,7 @@ binutils, gcc4-core, make, git, mingw-runtime, texinfo In order to run FATE you will also need the following "Utils" packages: @example -bc, diffutils +diffutils @end example If you want to build FFmpeg with additional libraries, download Cygwin diff --git a/doc/protocols.texi b/doc/protocols.texi index dc2fdb14fd..702f1573b0 100644 --- a/doc/protocols.texi +++ b/doc/protocols.texi @@ -1081,8 +1081,8 @@ Set raise error timeout, expressed in microseconds. This option is only relevant in read mode: if no data arrived in more than this time interval, raise error. -@item listen_timeout=@var{microseconds} -Set listen timeout, expressed in microseconds. +@item listen_timeout=@var{milliseconds} +Set listen timeout, expressed in milliseconds. @end table The following example shows how to setup a listening TCP connection diff --git a/doc/t2h.pm b/doc/t2h.pm index 75dc0d304a..a92707190a 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm @@ -14,9 +14,9 @@ # FFmpeg is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. +# General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public +# You should have received a copy of the GNU General Public # License along with FFmpeg; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA diff --git a/doc/utils.texi b/doc/utils.texi index b0455af00c..00d6c31c11 100644 --- a/doc/utils.texi +++ b/doc/utils.texi @@ -844,7 +844,7 @@ Return 1.0 if @var{x} is +/-INFINITY, 0.0 otherwise. Return 1.0 if @var{x} is NAN, 0.0 otherwise. @item ld(var) -Allow to load the value of the internal variable with number +Load the value of the internal variable with number @var{var}, which was previously stored with st(@var{var}, @var{expr}). The function returns the loaded value. @@ -861,7 +861,7 @@ Return 1 if @var{x} is lesser than or equal to @var{y}, 0 otherwise. Return the maximum between @var{x} and @var{y}. @item min(x, y) -Return the maximum between @var{x} and @var{y}. +Return the minimum between @var{x} and @var{y}. @item mod(x, y) Compute the remainder of division of @var{x} by @var{y}. @@ -912,7 +912,7 @@ Compute the square root of @var{expr}. This is equivalent to Compute expression @code{1/(1 + exp(4*x))}. @item st(var, expr) -Allow to store the value of the expression @var{expr} in an internal +Store the value of the expression @var{expr} in an internal variable. @var{var} specifies the number of the variable where to store the value, and it is a value ranging from 0 to 9. The function returns the value stored in the internal variable. diff --git a/ffmpeg.c b/ffmpeg.c index ee8039cce8..efd890355e 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -352,7 +352,6 @@ void term_init(void) signal(SIGQUIT, sigterm_handler); /* Quit (POSIX). */ } #endif - avformat_network_deinit(); signal(SIGINT , sigterm_handler); /* Interrupt (ANSI). */ signal(SIGTERM, sigterm_handler); /* Termination (ANSI). */ @@ -467,7 +466,12 @@ static void ffmpeg_cleanup(int ret) } for (i = 0; i < nb_output_streams; i++) { OutputStream *ost = output_streams[i]; - AVBitStreamFilterContext *bsfc = ost->bitstream_filters; + AVBitStreamFilterContext *bsfc; + + if (!ost) + continue; + + bsfc = ost->bitstream_filters; while (bsfc) { AVBitStreamFilterContext *next = bsfc->next; av_bitstream_filter_close(bsfc); @@ -587,7 +591,7 @@ static void close_all_output_streams(OutputStream *ost, OSTFinished this_stream, static void write_frame(AVFormatContext *s, AVPacket *pkt, OutputStream *ost) { AVBitStreamFilterContext *bsfc = ost->bitstream_filters; - AVCodecContext *avctx = ost->st->codec; + AVCodecContext *avctx = ost->encoding_needed ? ost->enc_ctx : ost->st->codec; int ret; if (!ost->st->codec->extradata_size && ost->enc_ctx->extradata_size) { @@ -646,6 +650,7 @@ static void write_frame(AVFormatContext *s, AVPacket *pkt, OutputStream *ost) if (!new_pkt.buf) exit_program(1); } else if (a < 0) { + new_pkt = *pkt; av_log(NULL, AV_LOG_ERROR, "Failed to open bitstream filter %s for stream %d with codec %s", bsfc->filter->name, pkt->stream_index, avctx->codec ? avctx->codec->name : "copy"); @@ -978,10 +983,8 @@ static void do_video_out(AVFormatContext *s, /* raw pictures are written as AVPicture structure to avoid any copies. We support temporarily the older method. */ - mux_enc->coded_frame->interlaced_frame = in_picture->interlaced_frame; - mux_enc->coded_frame->top_field_first = in_picture->top_field_first; - if (mux_enc->coded_frame->interlaced_frame) - mux_enc->field_order = mux_enc->coded_frame->top_field_first ? AV_FIELD_TB:AV_FIELD_BT; + if (in_picture->interlaced_frame) + mux_enc->field_order = in_picture->top_field_first ? AV_FIELD_TB:AV_FIELD_BT; else mux_enc->field_order = AV_FIELD_PROGRESSIVE; pkt.data = (uint8_t *)in_picture; @@ -1684,17 +1687,21 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p opkt.duration = av_rescale_q(pkt->duration, ist->st->time_base, ost->st->time_base); opkt.flags = pkt->flags; - // FIXME remove the following 2 lines they shall be replaced by the bitstream filters - if ( ost->enc_ctx->codec_id != AV_CODEC_ID_H264 - && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG1VIDEO - && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG2VIDEO - && ost->enc_ctx->codec_id != AV_CODEC_ID_VC1 + if ( ost->st->codec->codec_id != AV_CODEC_ID_H264 + && ost->st->codec->codec_id != AV_CODEC_ID_MPEG1VIDEO + && ost->st->codec->codec_id != AV_CODEC_ID_MPEG2VIDEO + && ost->st->codec->codec_id != AV_CODEC_ID_VC1 ) { - if (av_parser_change(ost->parser, ost->st->codec, + int ret = av_parser_change(ost->parser, ost->st->codec, &opkt.data, &opkt.size, pkt->data, pkt->size, - pkt->flags & AV_PKT_FLAG_KEY)) { + pkt->flags & AV_PKT_FLAG_KEY); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, "av_parser_change failed\n"); + exit_program(1); + } + if (ret) { opkt.buf = av_buffer_create(opkt.data, opkt.size, av_buffer_default_free, NULL, 0); if (!opkt.buf) exit_program(1); @@ -1705,9 +1712,15 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p } av_copy_packet_side_data(&opkt, pkt); - if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { + if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && + ost->st->codec->codec_id == AV_CODEC_ID_RAWVIDEO && + (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { /* store AVPicture in AVPacket, as expected by the output format */ - avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); + int ret = avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, "avpicture_fill failed\n"); + exit_program(1); + } opkt.data = (uint8_t *)&pict; opkt.size = sizeof(AVPicture); opkt.flags |= AV_PKT_FLAG_KEY; @@ -2463,7 +2476,7 @@ static int transcode_init(void) AVFormatContext *oc; OutputStream *ost; InputStream *ist; - char error[1024]; + char error[1024] = {0}; int want_sdp = 1; for (i = 0; i < nb_filtergraphs; i++) { @@ -2515,7 +2528,7 @@ static int transcode_init(void) if (ost->attachment_filename) continue; - enc_ctx = ost->enc_ctx; + enc_ctx = ost->stream_copy ? ost->st->codec : ost->enc_ctx; if (ist) { dec_ctx = ist->dec_ctx; @@ -2562,11 +2575,13 @@ static int transcode_init(void) enc_ctx->rc_max_rate = dec_ctx->rc_max_rate; enc_ctx->rc_buffer_size = dec_ctx->rc_buffer_size; enc_ctx->field_order = dec_ctx->field_order; - enc_ctx->extradata = av_mallocz(extra_size); - if (!enc_ctx->extradata) { - return AVERROR(ENOMEM); + if (dec_ctx->extradata_size) { + enc_ctx->extradata = av_mallocz(extra_size); + if (!enc_ctx->extradata) { + return AVERROR(ENOMEM); + } + memcpy(enc_ctx->extradata, dec_ctx->extradata, dec_ctx->extradata_size); } - memcpy(enc_ctx->extradata, dec_ctx->extradata, dec_ctx->extradata_size); enc_ctx->extradata_size= dec_ctx->extradata_size; enc_ctx->bits_per_coded_sample = dec_ctx->bits_per_coded_sample; @@ -2577,7 +2592,8 @@ static int transcode_init(void) * overhead */ if(!strcmp(oc->oformat->name, "avi")) { - if ( copy_tb<0 && av_q2d(ist->st->r_frame_rate) >= av_q2d(ist->st->avg_frame_rate) + if ( copy_tb<0 && ist->st->r_frame_rate.num + && av_q2d(ist->st->r_frame_rate) >= av_q2d(ist->st->avg_frame_rate) && 0.5/av_q2d(ist->st->r_frame_rate) > av_q2d(ist->st->time_base) && 0.5/av_q2d(ist->st->r_frame_rate) > av_q2d(dec_ctx->time_base) && av_q2d(ist->st->time_base) < 1.0/500 && av_q2d(dec_ctx->time_base) < 1.0/500 @@ -2881,24 +2897,26 @@ static int transcode_init(void) if (ost->enc_ctx->bit_rate && ost->enc_ctx->bit_rate < 1000) av_log(NULL, AV_LOG_WARNING, "The bitrate parameter is set too low." " It takes bits/s as argument, not kbits/s\n"); + + ret = avcodec_copy_context(ost->st->codec, ost->enc_ctx); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, + "Error initializing the output stream codec context.\n"); + exit_program(1); + } + + // copy timebase while removing common factors + ost->st->time_base = av_add_q(ost->enc_ctx->time_base, (AVRational){0, 1}); + ost->st->codec->codec= ost->enc_ctx->codec; } else { if (av_opt_set_dict(ost->enc_ctx, &ost->encoder_opts) < 0) { av_log(NULL, AV_LOG_FATAL, "Error setting up codec context options.\n"); exit_program(1); } + // copy timebase while removing common factors + ost->st->time_base = av_add_q(ost->st->codec->time_base, (AVRational){0, 1}); } - - ret = avcodec_copy_context(ost->st->codec, ost->enc_ctx); - if (ret < 0) { - av_log(NULL, AV_LOG_FATAL, - "Error initializing the output stream codec context.\n"); - exit_program(1); - } - ost->st->codec->codec= ost->enc_ctx->codec; - - // copy timebase while removing common factors - ost->st->time_base = av_add_q(ost->enc_ctx->time_base, (AVRational){0, 1}); } /* init input streams */ @@ -3804,6 +3822,8 @@ int main(int argc, char **argv) int ret; int64_t ti; + init_dynload(); + register_exit(ffmpeg_cleanup); setvbuf(stderr,NULL,_IONBF,0); /* win32 runtime needs this */ diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 05ab652f1a..2629cfd9d9 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -702,7 +702,7 @@ static void add_input_streams(OptionsContext *o, AVFormatContext *ic) MATCH_PER_STREAM_OPT(fix_sub_duration, i, ist->fix_sub_duration, ic, st); MATCH_PER_STREAM_OPT(canvas_sizes, str, canvas_size, ic, st); if (canvas_size && - av_parse_video_size(&dec->width, &dec->height, canvas_size) < 0) { + av_parse_video_size(&ist->dec_ctx->width, &ist->dec_ctx->height, canvas_size) < 0) { av_log(NULL, AV_LOG_FATAL, "Invalid canvas size: %s.\n", canvas_size); exit_program(1); } @@ -1977,8 +1977,8 @@ loop_end: ost->stream_copy = 0; ost->attachment_filename = o->attachments[i]; ost->finished = 1; - ost->enc_ctx->extradata = attachment; - ost->enc_ctx->extradata_size = len; + ost->st->codec->extradata = attachment; + ost->st->codec->extradata_size = len; p = strrchr(o->attachments[i], '/'); av_dict_set(&ost->st->metadata, "filename", (p && *p) ? p + 1 : o->attachments[i], AV_DICT_DONT_OVERWRITE); @@ -2224,9 +2224,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "g", norm == PAL ? "15" : "18"); opt_default(NULL, "b:v", "1150000"); - opt_default(NULL, "maxrate", "1150000"); - opt_default(NULL, "minrate", "1150000"); - opt_default(NULL, "bufsize", "327680"); // 40*1024*8; + opt_default(NULL, "maxrate:v", "1150000"); + opt_default(NULL, "minrate:v", "1150000"); + opt_default(NULL, "bufsize:v", "327680"); // 40*1024*8; opt_default(NULL, "b:a", "224000"); parse_option(o, "ar", "44100", options); @@ -2253,9 +2253,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "g", norm == PAL ? "15" : "18"); opt_default(NULL, "b:v", "2040000"); - opt_default(NULL, "maxrate", "2516000"); - opt_default(NULL, "minrate", "0"); // 1145000; - opt_default(NULL, "bufsize", "1835008"); // 224*1024*8; + opt_default(NULL, "maxrate:v", "2516000"); + opt_default(NULL, "minrate:v", "0"); // 1145000; + opt_default(NULL, "bufsize:v", "1835008"); // 224*1024*8; opt_default(NULL, "scan_offset", "1"); opt_default(NULL, "b:a", "224000"); @@ -2275,9 +2275,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "g", norm == PAL ? "15" : "18"); opt_default(NULL, "b:v", "6000000"); - opt_default(NULL, "maxrate", "9000000"); - opt_default(NULL, "minrate", "0"); // 1500000; - opt_default(NULL, "bufsize", "1835008"); // 224*1024*8; + opt_default(NULL, "maxrate:v", "9000000"); + opt_default(NULL, "minrate:v", "0"); // 1500000; + opt_default(NULL, "bufsize:v", "1835008"); // 224*1024*8; opt_default(NULL, "packetsize", "2048"); // from www.mpucoder.com: DVD sectors contain 2048 bytes of data, this is also the size of one pack. opt_default(NULL, "muxrate", "10080000"); // from mplex project: data_rate = 1260000. mux_rate = data_rate * 8 @@ -2321,6 +2321,9 @@ static int opt_vstats(void *optctx, const char *opt, const char *arg) time_t today2 = time(NULL); struct tm *today = localtime(&today2); + if (!today) + return AVERROR(errno); + snprintf(filename, sizeof(filename), "vstats_%02d%02d%02d.log", today->tm_hour, today->tm_min, today->tm_sec); return opt_vstats_file(NULL, opt, filename); @@ -2648,8 +2651,8 @@ enum OptGroup { }; static const OptionGroupDef groups[] = { - [GROUP_OUTFILE] = { "output file", NULL, OPT_OUTPUT }, - [GROUP_INFILE] = { "input file", "i", OPT_INPUT }, + [GROUP_OUTFILE] = { "output url", NULL, OPT_OUTPUT }, + [GROUP_INFILE] = { "input url", "i", OPT_INPUT }, }; static int open_files(OptionGroupList *l, const char *inout, @@ -2801,7 +2804,7 @@ const OptionDef options[] = { { "itsscale", HAS_ARG | OPT_DOUBLE | OPT_SPEC | OPT_EXPERT | OPT_INPUT, { .off = OFFSET(ts_scale) }, "set the input ts scale", "scale" }, - { "timestamp", HAS_ARG | OPT_PERFILE, { .func_arg = opt_recording_timestamp }, + { "timestamp", HAS_ARG | OPT_PERFILE | OPT_OUTPUT, { .func_arg = opt_recording_timestamp }, "set the recording timestamp ('now' to set the current time)", "time" }, { "metadata", HAS_ARG | OPT_STRING | OPT_SPEC | OPT_OUTPUT, { .off = OFFSET(metadata) }, "add metadata", "string=string" }, diff --git a/ffmpeg_vda.c b/ffmpeg_vda.c index b9f0975f55..fded39e79b 100644 --- a/ffmpeg_vda.c +++ b/ffmpeg_vda.c @@ -77,6 +77,8 @@ static int vda_retrieve_data(AVCodecContext *s, AVFrame *frame) frame->width, frame->height); ret = av_frame_copy_props(vda->tmp_frame, frame); + CVPixelBufferUnlockBaseAddress(pixbuf, kCVPixelBufferLock_ReadOnly); + if (ret < 0) return ret; diff --git a/ffplay.c b/ffplay.c index 833b5b12cf..be7bd2e93b 100644 --- a/ffplay.c +++ b/ffplay.c @@ -3659,6 +3659,8 @@ int main(int argc, char **argv) VideoState *is; char dummy_videodriver[] = "SDL_VIDEODRIVER=dummy"; + init_dynload(); + av_log_set_flags(AV_LOG_SKIP_REPEATED); parse_loglevel(argc, argv, options); diff --git a/ffprobe.c b/ffprobe.c index 9bb0f0f10c..bad2f4713b 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -1682,6 +1682,16 @@ static inline int show_tags(WriterContext *w, AVDictionary *tags, int section_id return ret; } +static void print_color_space(WriterContext *w, enum AVColorSpace color_space) +{ + const char *val = av_get_colorspace_name(color_space); + if (!val || color_space == AVCOL_SPC_UNSPECIFIED) { + print_str_opt("color_space", "unknown"); + } else { + print_str("color_space", val); + } +} + static void show_packet(WriterContext *w, AVFormatContext *fmt_ctx, AVPacket *pkt, int packet_idx) { char val_str[128]; @@ -2101,9 +2111,8 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id print_str ("color_range", dec_ctx->color_range == AVCOL_RANGE_MPEG ? "tv": "pc"); else print_str_opt("color_range", "N/A"); - s = av_get_colorspace_name(dec_ctx->colorspace); - if (s) print_str ("color_space", s); - else print_str_opt("color_space", "unknown"); + print_color_space(w, dec_ctx->colorspace); + if (dec_ctx->timecode_frame_start >= 0) { char tcbuf[AV_TIMECODE_STR_SIZE]; av_timecode_make_mpeg_tc_string(tcbuf, dec_ctx->timecode_frame_start); @@ -2962,6 +2971,8 @@ int main(int argc, char **argv) char *w_name = NULL, *w_args = NULL; int ret, i; + init_dynload(); + av_log_set_flags(AV_LOG_SKIP_REPEATED); register_exit(ffprobe_cleanup); diff --git a/ffserver.c b/ffserver.c index 24e400504c..e376dae5f1 100644 --- a/ffserver.c +++ b/ffserver.c @@ -2704,8 +2704,10 @@ static int http_receive_data(HTTPContext *c) } else if (c->buffer_ptr - c->buffer >= 2 && !memcmp(c->buffer_ptr - 1, "\r\n", 2)) { c->chunk_size = strtol(c->buffer, 0, 16); - if (c->chunk_size == 0) // end of stream + if (c->chunk_size <= 0) { // end of stream or invalid chunk size + c->chunk_size = 0; goto fail; + } c->buffer_ptr = c->buffer; break; } else if (++loop_run > 10) { @@ -2728,6 +2730,7 @@ static int http_receive_data(HTTPContext *c) /* end of connection : close it */ goto fail; else { + av_assert0(len <= c->chunk_size); c->chunk_size -= len; c->buffer_ptr += len; c->data_count += len; @@ -4724,6 +4727,8 @@ int main(int argc, char **argv) struct sigaction sigact = { { 0 } }; int ret = 0; + init_dynload(); + config_filename = av_strdup("/etc/ffserver.conf"); parse_loglevel(argc, argv, options); diff --git a/libavcodec/012v.c b/libavcodec/012v.c index c2b6a35041..b87551e0a5 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -38,15 +38,15 @@ static av_cold int zero12v_decode_init(AVCodecContext *avctx) static int zero12v_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - int line = 0, ret; + int line, ret; const int width = avctx->width; AVFrame *pic = data; uint16_t *y, *u, *v; const uint8_t *line_end, *src = avpkt->data; int stride = avctx->width * 8 / 3; - if (width == 1) { - av_log(avctx, AV_LOG_ERROR, "Width 1 not supported.\n"); + if (width <= 1 || avctx->height <= 0) { + av_log(avctx, AV_LOG_ERROR, "Dimensions %dx%d not supported.\n", width, avctx->height); return AVERROR_INVALIDDATA; } @@ -67,45 +67,45 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, pic->pict_type = AV_PICTURE_TYPE_I; pic->key_frame = 1; - y = (uint16_t *)pic->data[0]; - u = (uint16_t *)pic->data[1]; - v = (uint16_t *)pic->data[2]; line_end = avpkt->data + stride; + for (line = 0; line < avctx->height; line++) { + uint16_t y_temp[6] = {0x8000, 0x8000, 0x8000, 0x8000, 0x8000, 0x8000}; + uint16_t u_temp[3] = {0x8000, 0x8000, 0x8000}; + uint16_t v_temp[3] = {0x8000, 0x8000, 0x8000}; + int x; + y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); + u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); + v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); - while (line++ < avctx->height) { - while (1) { - uint32_t t = AV_RL32(src); + for (x = 0; x < width; x += 6) { + uint32_t t; + + if (width - x < 6 || line_end - src < 16) { + y = y_temp; + u = u_temp; + v = v_temp; + } + + if (line_end - src < 4) + break; + + t = AV_RL32(src); src += 4; *u++ = t << 6 & 0xFFC0; *y++ = t >> 4 & 0xFFC0; *v++ = t >> 14 & 0xFFC0; - if (src >= line_end - 1) { - *y = 0x80; - src++; - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; *y++ = t << 6 & 0xFFC0; *u++ = t >> 4 & 0xFFC0; *y++ = t >> 14 & 0xFFC0; - if (src >= line_end - 2) { - if (!(width & 1)) { - *y = 0x80; - src += 2; - } - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; @@ -113,15 +113,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, *y++ = t >> 4 & 0xFFC0; *u++ = t >> 14 & 0xFFC0; - if (src >= line_end - 1) { - *y = 0x80; - src++; - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; @@ -129,18 +122,21 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, *v++ = t >> 4 & 0xFFC0; *y++ = t >> 14 & 0xFFC0; - if (src >= line_end - 2) { - if (width & 1) { - *y = 0x80; - src += 2; - } - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (width - x < 6) break; - } } + + if (x < width) { + y = x + (uint16_t *)(pic->data[0] + line * pic->linesize[0]); + u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); + v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + memcpy(y, y_temp, sizeof(*y) * (width - x)); + memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); + memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + } + + line_end += stride; + src = line_end - stride; } *got_frame = 1; diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index e00bdfc808..960b15fc0b 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -120,12 +120,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, } if (avctx->bits_per_coded_sample <= 8) { + int size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, - NULL); - if (pal) { + &size); + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(c->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } memcpy (frame->data[1], c->pal, AVPALETTE_SIZE); diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 43d73a742e..07658f86b6 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -206,7 +206,7 @@ OBJS-$(CONFIG_DVVIDEO_DECODER) += dvdec.o dv.o dvdata.o OBJS-$(CONFIG_DVVIDEO_ENCODER) += dvenc.o dv.o dvdata.o OBJS-$(CONFIG_DXA_DECODER) += dxa.o OBJS-$(CONFIG_DXTORY_DECODER) += dxtory.o -OBJS-$(CONFIG_EAC3_DECODER) += eac3dec.o eac3_data.o +OBJS-$(CONFIG_EAC3_DECODER) += eac3_data.o OBJS-$(CONFIG_EAC3_ENCODER) += eac3enc.o eac3_data.o OBJS-$(CONFIG_EACMV_DECODER) += eacmv.o OBJS-$(CONFIG_EAMAD_DECODER) += eamad.o eaidct.o mpeg12.o \ @@ -651,7 +651,7 @@ OBJS-$(CONFIG_VAAPI) += vaapi.o OBJS-$(CONFIG_VDA) += vda.o OBJS-$(CONFIG_VDPAU) += vdpau.o -OBJS-$(CONFIG_H263_VAAPI_HWACCEL) += vaapi_mpeg4.o vaapi_mpeg.o +OBJS-$(CONFIG_H263_VAAPI_HWACCEL) += vaapi_mpeg4.o OBJS-$(CONFIG_H263_VDPAU_HWACCEL) += vdpau_mpeg4.o OBJS-$(CONFIG_H264_DXVA2_HWACCEL) += dxva2_h264.o OBJS-$(CONFIG_H264_VAAPI_HWACCEL) += vaapi_h264.o @@ -660,13 +660,13 @@ OBJS-$(CONFIG_H264_VDPAU_HWACCEL) += vdpau_h264.o OBJS-$(CONFIG_MPEG1_VDPAU_HWACCEL) += vdpau_mpeg12.o OBJS-$(CONFIG_MPEG1_XVMC_HWACCEL) += mpegvideo_xvmc.o OBJS-$(CONFIG_MPEG2_DXVA2_HWACCEL) += dxva2_mpeg2.o -OBJS-$(CONFIG_MPEG2_VAAPI_HWACCEL) += vaapi_mpeg2.o vaapi_mpeg.o +OBJS-$(CONFIG_MPEG2_VAAPI_HWACCEL) += vaapi_mpeg2.o OBJS-$(CONFIG_MPEG2_VDPAU_HWACCEL) += vdpau_mpeg12.o OBJS-$(CONFIG_MPEG2_XVMC_HWACCEL) += mpegvideo_xvmc.o -OBJS-$(CONFIG_MPEG4_VAAPI_HWACCEL) += vaapi_mpeg4.o vaapi_mpeg.o +OBJS-$(CONFIG_MPEG4_VAAPI_HWACCEL) += vaapi_mpeg4.o OBJS-$(CONFIG_MPEG4_VDPAU_HWACCEL) += vdpau_mpeg4.o OBJS-$(CONFIG_VC1_DXVA2_HWACCEL) += dxva2_vc1.o -OBJS-$(CONFIG_VC1_VAAPI_HWACCEL) += vaapi_vc1.o vaapi_mpeg.o +OBJS-$(CONFIG_VC1_VAAPI_HWACCEL) += vaapi_vc1.o OBJS-$(CONFIG_VC1_VDPAU_HWACCEL) += vdpau_vc1.o # libavformat dependencies diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index fc00d3fc62..0d926672f6 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -28,6 +28,7 @@ #include "a64tables.h" #include "elbg.h" #include "internal.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/intreadwrite.h" @@ -65,7 +66,7 @@ static const int mc_colors[5]={0x0,0xb,0xc,0xf,0x1}; //static const int mc_colors[5]={0x0,0x8,0xa,0xf,0x7}; //static const int mc_colors[5]={0x0,0x9,0x8,0xa,0x3}; -static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest) +static void to_meta_with_crop(AVCodecContext *avctx, const AVFrame *p, int *dest) { int blockx, blocky, x, y; int luma = 0; @@ -78,9 +79,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest) for (y = blocky; y < blocky + 8 && y < C64YRES; y++) { for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) { if(x < width && y < height) { - /* build average over 2 pixels */ - luma = (src[(x + 0 + y * p->linesize[0])] + - src[(x + 1 + y * p->linesize[0])]) / 2; + if (x + 1 < width) { + /* build average over 2 pixels */ + luma = (src[(x + 0 + y * p->linesize[0])] + + src[(x + 1 + y * p->linesize[0])]) / 2; + } else { + luma = src[(x + y * p->linesize[0])]; + } /* write blocks as linear data now so they are suitable for elbg */ dest[0] = luma; } @@ -186,7 +191,6 @@ static void render_charset(AVCodecContext *avctx, uint8_t *charset, static av_cold int a64multi_close_encoder(AVCodecContext *avctx) { A64Context *c = avctx->priv_data; - av_frame_free(&avctx->coded_frame); av_freep(&c->mc_meta_charset); av_freep(&c->mc_best_cb); av_freep(&c->mc_charset); @@ -220,7 +224,7 @@ static av_cold int a64multi_encode_init(AVCodecContext *avctx) a64_palette[mc_colors[a]][2] * 0.11; } - if (!(c->mc_meta_charset = av_malloc_array(c->mc_lifetime, 32000 * sizeof(int))) || + if (!(c->mc_meta_charset = av_mallocz_array(c->mc_lifetime, 32000 * sizeof(int))) || !(c->mc_best_cb = av_malloc(CHARSET_CHARS * 32 * sizeof(int))) || !(c->mc_charmap = av_mallocz_array(c->mc_lifetime, 1000 * sizeof(int))) || !(c->mc_colram = av_mallocz(CHARSET_CHARS * sizeof(uint8_t))) || @@ -238,14 +242,6 @@ static av_cold int a64multi_encode_init(AVCodecContext *avctx) AV_WB32(avctx->extradata, c->mc_lifetime); AV_WB32(avctx->extradata + 16, INTERLACED); - avctx->coded_frame = av_frame_alloc(); - if (!avctx->coded_frame) { - a64multi_close_encoder(avctx); - return AVERROR(ENOMEM); - } - - avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I; - avctx->coded_frame->key_frame = 1; if (!avctx->codec_tag) avctx->codec_tag = AV_RL32("a64m"); @@ -270,10 +266,9 @@ static void a64_compress_colram(unsigned char *buf, int *charmap, uint8_t *colra } static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, - const AVFrame *pict, int *got_packet) + const AVFrame *p, int *got_packet) { A64Context *c = avctx->priv_data; - AVFrame *const p = avctx->coded_frame; int frame; int x, y; @@ -304,7 +299,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } /* no data, means end encoding asap */ - if (!pict) { + if (!p) { /* all done, end encoding */ if (!c->mc_lifetime) return 0; /* no more frames in queue, prepare to flush remaining frames */ @@ -317,13 +312,10 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } else { /* fill up mc_meta_charset with data until lifetime exceeds */ if (c->mc_frame_counter < c->mc_lifetime) { - *p = *pict; - p->pict_type = AV_PICTURE_TYPE_I; - p->key_frame = 1; to_meta_with_crop(avctx, p, meta + 32000 * c->mc_frame_counter); c->mc_frame_counter++; if (c->next_pts == AV_NOPTS_VALUE) - c->next_pts = pict->pts; + c->next_pts = p->pts; /* lifetime is not reached so wait for next frame first */ return 0; } @@ -334,8 +326,8 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, req_size = 0; /* any frames to encode? */ if (c->mc_lifetime) { - req_size = charset_size + c->mc_lifetime*(screen_size + colram_size); - if ((ret = ff_alloc_packet2(avctx, pkt, req_size)) < 0) + int alloc_size = charset_size + c->mc_lifetime*(screen_size + colram_size); + if ((ret = ff_alloc_packet2(avctx, pkt, alloc_size)) < 0) return ret; buf = pkt->data; @@ -351,6 +343,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, /* advance pointers */ buf += charset_size; + req_size += charset_size; } /* write x frames to buf */ @@ -387,6 +380,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, pkt->pts = pkt->dts = c->next_pts; c->next_pts = AV_NOPTS_VALUE; + av_assert0(pkt->size >= req_size); pkt->size = req_size; pkt->flags |= AV_PKT_FLAG_KEY; *got_packet = !!req_size; diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index 5bf6a9c155..4b915da2c1 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -691,7 +691,7 @@ static void search_for_quantizers_anmr(AVCodecContext *avctx, AACEncContext *s, } while (idx) { sce->sf_idx[bandaddr[idx]] = minq + q0; - minq = paths[idx][minq].prev; + minq = FFMAX(paths[idx][minq].prev, 0); idx--; } //set the same quantizers inside window groups diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 10c509be82..a2a387fb56 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -425,7 +425,7 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) * Save current output configuration if and only if it has been locked. */ static void push_output_configuration(AACContext *ac) { - if (ac->oc[1].status == OC_LOCKED) { + if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) { ac->oc[0] = ac->oc[1]; } ac->oc[1].status = OC_NONE; @@ -881,7 +881,7 @@ static int decode_eld_specific_config(AACContext *ac, AVCodecContext *avctx, if (len == 15 + 255) len += get_bits(gb, 16); if (get_bits_left(gb) < len * 8 + 4) { - av_log(ac->avctx, AV_LOG_ERROR, overread_err); + av_log(avctx, AV_LOG_ERROR, overread_err); return AVERROR_INVALIDDATA; } skip_bits_long(gb, 8 * len); @@ -1206,6 +1206,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, GetBitContext *gb) { int aot = ac->oc[1].m4ac.object_type; + int ret_fail = AVERROR_INVALIDDATA; + if (aot != AOT_ER_AAC_ELD) { if (get_bits1(gb)) { av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n"); @@ -1249,8 +1251,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, ics->swb_offset = ff_swb_offset_512[ac->oc[1].m4ac.sampling_index]; ics->num_swb = ff_aac_num_swb_512[ac->oc[1].m4ac.sampling_index]; ics->tns_max_bands = ff_tns_max_bands_512[ac->oc[1].m4ac.sampling_index]; - if (!ics->num_swb || !ics->swb_offset) - return AVERROR_BUG; + if (!ics->num_swb || !ics->swb_offset) { + ret_fail = AVERROR_BUG; + goto fail; + } } else { ics->swb_offset = ff_swb_offset_1024[ac->oc[1].m4ac.sampling_index]; ics->num_swb = ff_aac_num_swb_1024[ac->oc[1].m4ac.sampling_index]; @@ -1274,7 +1278,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, if (aot == AOT_ER_AAC_LD) { av_log(ac->avctx, AV_LOG_ERROR, "LTP in ER AAC LD not yet implemented.\n"); - return AVERROR_PATCHWELCOME; + ret_fail = AVERROR_PATCHWELCOME; + goto fail; } if ((ics->ltp.present = get_bits(gb, 1))) decode_ltp(&ics->ltp, gb, ics->max_sfb); @@ -1293,7 +1298,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, return 0; fail: ics->max_sfb = 0; - return AVERROR_INVALIDDATA; + return ret_fail; } /** @@ -3021,6 +3026,12 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, AV_WL32(side, 2*AV_RL32(side)); } + if (!ac->frame->data[0] && samples) { + av_log(avctx, AV_LOG_ERROR, "no frame data found\n"); + err = AVERROR_INVALIDDATA; + goto fail; + } + *got_frame_ptr = !!samples; if (samples) { ac->frame->nb_samples = samples; @@ -3090,7 +3101,7 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data, if (INT_MAX / 8 <= buf_size) return AVERROR_INVALIDDATA; - if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0) + if ((err = init_get_bits8(&gb, buf, buf_size)) < 0) return err; switch (ac->oc[1].m4ac.object_type) { @@ -3300,6 +3311,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb) if (ctx->frame_length_type == 0) { int mux_slot_length = 0; do { + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; tmp = get_bits(gb, 8); mux_slot_length += tmp; } while (tmp == 255); @@ -3329,7 +3342,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx, } if (latmctx->audio_mux_version_A == 0) { int mux_slot_length_bytes = read_payload_length_info(latmctx, gb); - if (mux_slot_length_bytes * 8 > get_bits_left(gb)) { + if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) { av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n"); return AVERROR_INVALIDDATA; } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) { diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 0378f0da1a..94d54eb87f 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -165,7 +165,7 @@ static void put_audio_specific_config(AVCodecContext *avctx) PutBitContext pb; AACEncContext *s = avctx->priv_data; - init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8); + init_put_bits(&pb, avctx->extradata, avctx->extradata_size); put_bits(&pb, 5, 2); //object type - AAC-LC put_bits(&pb, 4, s->samplerate_index); //sample rate index put_bits(&pb, 4, s->channels); @@ -746,10 +746,10 @@ static av_cold int aac_encode_init(AVCodecContext *avctx) s->chan_map = aac_chan_configs[s->channels-1]; - if (ret = dsp_init(avctx, s)) + if ((ret = dsp_init(avctx, s)) < 0) goto fail; - if (ret = alloc_buffers(avctx, s)) + if ((ret = alloc_buffers(avctx, s)) < 0) goto fail; avctx->extradata_size = 5; @@ -761,7 +761,8 @@ static av_cold int aac_encode_init(AVCodecContext *avctx) lengths[1] = ff_aac_num_swb_128[i]; for (i = 0; i < s->chan_map[0]; i++) grouping[i] = s->chan_map[i + 1] == TYPE_CPE; - if (ret = ff_psy_init(&s->psy, avctx, 2, sizes, lengths, s->chan_map[0], grouping)) + if ((ret = ff_psy_init(&s->psy, avctx, 2, sizes, lengths, + s->chan_map[0], grouping)) < 0) goto fail; s->psypp = ff_psy_preprocess_init(avctx); s->coder = &ff_aac_coders[s->options.aac_coder]; diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 20012f9b31..5e6161364a 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -900,7 +900,7 @@ static void stereo_processing(PSContext *ps, float (*l)[32][2], float (*r)[32][2 h_step[1][3] = (H22[1][e+1][b] - h[1][3]) * width; } ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd]( - l[k] + start + 1, r[k] + start + 1, + l[k] + 1 + start, r[k] + 1 + start, h, h_step, stop - start); } } diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index 9eeb836523..2be9d62dd6 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -313,7 +313,7 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) { ctx->bitres.size = 6144 - pctx->frame_bits; ctx->bitres.size -= ctx->bitres.size % 8; pctx->fill_level = ctx->bitres.size; - minath = ath(3410, ATH_ADD); + minath = ath(3410 - 0.733 * ATH_ADD, ATH_ADD); for (j = 0; j < 2; j++) { AacPsyCoeffs *coeffs = pctx->psy_coef[j]; const uint8_t *band_sizes = ctx->bands[j]; @@ -727,7 +727,10 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, if (active_lines > 0.0f) band->thr = calc_reduced_thr_3gpp(band, coeffs[g].min_snr, reduction); pe += calc_pe_3gpp(band); - band->norm_fac = band->active_lines / band->thr; + if (band->thr > 0.0f) + band->norm_fac = band->active_lines / band->thr; + else + band->norm_fac = 0.0f; norm_fac += band->norm_fac; } } diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index f550eadefb..5d18580b6c 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -514,7 +514,7 @@ static int sbr_make_f_master(AACContext *ac, SpectralBandReplication *sbr, /// High Frequency Generation - Patch Construction (14496-3 sp04 p216 fig. 4.46) static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) { - int i, k, sb = 0; + int i, k, last_k = -1, last_msb = -1, sb = 0; int msb = sbr->k[0]; int usb = sbr->kx[1]; int goal_sb = ((1000 << 11) + (sbr->sample_rate >> 1)) / sbr->sample_rate; @@ -528,6 +528,12 @@ static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) do { int odd = 0; + if (k == last_k && msb == last_msb) { + av_log(ac->avctx, AV_LOG_ERROR, "patch construction failed\n"); + return AVERROR_INVALIDDATA; + } + last_k = k; + last_msb = msb; for (i = k; i == k || sb > (sbr->k[0] - 1 + msb - odd); i--) { sb = sbr->f_master[i]; odd = (sb + sbr->k[0]) & 1; @@ -556,7 +562,8 @@ static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) k = sbr->n_master; } while (sb != sbr->kx[1] + sbr->m[1]); - if (sbr->num_patches > 1 && sbr->patch_num_subbands[sbr->num_patches-1] < 3) + if (sbr->num_patches > 1 && + sbr->patch_num_subbands[sbr->num_patches - 1] < 3) sbr->num_patches--; return 0; @@ -639,24 +646,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, int abs_bord_trail = 16; int num_rel_lead, num_rel_trail; unsigned bs_num_env_old = ch_data->bs_num_env; + int bs_frame_class, bs_num_env; ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env]; ch_data->bs_amp_res = sbr->bs_amp_res_header; ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old]; - switch (ch_data->bs_frame_class = get_bits(gb, 2)) { + switch (bs_frame_class = get_bits(gb, 2)) { case FIXFIX: - ch_data->bs_num_env = 1 << get_bits(gb, 2); + bs_num_env = 1 << get_bits(gb, 2); + if (bs_num_env > 4) { + av_log(ac->avctx, AV_LOG_ERROR, + "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", + bs_num_env); + return -1; + } + ch_data->bs_num_env = bs_num_env; num_rel_lead = ch_data->bs_num_env - 1; if (ch_data->bs_num_env == 1) ch_data->bs_amp_res = 0; - if (ch_data->bs_num_env > 4) { - av_log(ac->avctx, AV_LOG_ERROR, - "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", - ch_data->bs_num_env); - return -1; - } ch_data->t_env[0] = 0; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -704,14 +713,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, abs_bord_trail += get_bits(gb, 2); num_rel_lead = get_bits(gb, 2); num_rel_trail = get_bits(gb, 2); - ch_data->bs_num_env = num_rel_lead + num_rel_trail + 1; + bs_num_env = num_rel_lead + num_rel_trail + 1; - if (ch_data->bs_num_env > 5) { + if (bs_num_env > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", - ch_data->bs_num_env); + bs_num_env); return -1; } + ch_data->bs_num_env = bs_num_env; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -726,6 +736,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env); break; } + ch_data->bs_frame_class = bs_frame_class; if (bs_pointer > ch_data->bs_num_env + 1) { av_log(ac->avctx, AV_LOG_ERROR, @@ -1011,6 +1022,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr, { unsigned int cnt = get_bits_count(gb); + sbr->id_aac = id_aac; + if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) { if (read_sbr_single_channel_element(ac, sbr, gb)) { sbr_turnoff(sbr); @@ -1681,6 +1694,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac, int nch = (id_aac == TYPE_CPE) ? 2 : 1; int err; + if (id_aac != sbr->id_aac) { + av_log(ac->avctx, AV_LOG_ERROR, + "element type mismatch %d != %d\n", id_aac, sbr->id_aac); + sbr_turnoff(sbr); + } + if (!sbr->kx_and_m_pushed) { sbr->kx[0] = sbr->kx[1]; sbr->m[0] = sbr->m[1]; @@ -1704,6 +1723,7 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac, sbr->c.sbr_hf_inverse_filter(&sbr->dsp, sbr->alpha0, sbr->alpha1, (const float (*)[40][2]) sbr->X_low, sbr->k[0]); sbr_chirp(sbr, &sbr->data[ch]); + av_assert0(sbr->data[ch].bs_num_env > 0); sbr_hf_gen(ac, sbr, sbr->X_high, (const float (*)[40][2]) sbr->X_low, (const float (*)[2]) sbr->alpha0, diff --git a/libavcodec/aarch64/h264dsp_init_aarch64.c b/libavcodec/aarch64/h264dsp_init_aarch64.c index ed5e4bdd9b..e0f378f5ab 100644 --- a/libavcodec/aarch64/h264dsp_init_aarch64.c +++ b/libavcodec/aarch64/h264dsp_init_aarch64.c @@ -78,6 +78,7 @@ av_cold void ff_h264dsp_init_aarch64(H264DSPContext *c, const int bit_depth, c->h264_v_loop_filter_luma = ff_h264_v_loop_filter_luma_neon; c->h264_h_loop_filter_luma = ff_h264_h_loop_filter_luma_neon; c->h264_v_loop_filter_chroma = ff_h264_v_loop_filter_chroma_neon; + if (chroma_format_idc <= 1) c->h264_h_loop_filter_chroma = ff_h264_h_loop_filter_chroma_neon; c->weight_h264_pixels_tab[0] = ff_weight_h264_pixels_16_neon; diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 65ef782688..469fc5eef6 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -137,7 +137,7 @@ static int aasc_decode_frame(AVCodecContext *avctx, return ret; /* report that the buffer was completely consumed */ - return buf_size; + return avpkt->size; } static av_cold int aasc_decode_end(AVCodecContext *avctx) diff --git a/libavcodec/ac3.c b/libavcodec/ac3.c index 29e132f5d1..8d39bbe83b 100644 --- a/libavcodec/ac3.c +++ b/libavcodec/ac3.c @@ -131,6 +131,9 @@ int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, int band_start, band_end, begin, end1; int lowcomp, fastleak, slowleak; + if (end <= 0) + return AVERROR_INVALIDDATA; + /* excitation function */ band_start = ff_ac3_bin_to_band_tab[start]; band_end = ff_ac3_bin_to_band_tab[end-1] + 1; diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 969e37ffb8..8d59bd7288 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -751,30 +751,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s) * @param[in] default_band_struct default band structure table * @param[out] num_bands number of bands (optionally NULL) * @param[out] band_sizes array containing the number of bins in each band (optionally NULL) + * @param[in,out] band_struct current band structure */ static void decode_band_structure(GetBitContext *gbc, int blk, int eac3, int ecpl, int start_subband, int end_subband, const uint8_t *default_band_struct, - int *num_bands, uint8_t *band_sizes) + int *num_bands, uint8_t *band_sizes, + uint8_t *band_struct, int band_struct_size) { int subbnd, bnd, n_subbands, n_bands=0; uint8_t bnd_sz[22]; - uint8_t coded_band_struct[22]; - const uint8_t *band_struct; n_subbands = end_subband - start_subband; + if (!blk) + memcpy(band_struct, default_band_struct, band_struct_size); + + av_assert0(band_struct_size >= start_subband + n_subbands); + + band_struct += start_subband + 1; + /* decode band structure from bitstream or use default */ if (!eac3 || get_bits1(gbc)) { for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) { - coded_band_struct[subbnd] = get_bits1(gbc); + band_struct[subbnd] = get_bits1(gbc); } - band_struct = coded_band_struct; - } else if (!blk) { - band_struct = &default_band_struct[start_subband+1]; - } else { - /* no change in band structure */ - return; } /* calculate number of bands and band sizes based on band structure. @@ -872,7 +873,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) start_subband += start_subband - 7; end_subband = get_bits(gbc, 3) + 5; #if USE_FIXED - s->spx_dst_end_freq = end_freq_inv_tab[end_subband]; + s->spx_dst_end_freq = end_freq_inv_tab[end_subband-5]; #endif if (end_subband > 7) end_subband += end_subband - 7; @@ -901,12 +902,15 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) start_subband, end_subband, ff_eac3_default_spx_band_struct, &s->num_spx_bands, - s->spx_band_sizes); - } else { - for (ch = 1; ch <= fbw_channels; ch++) { - s->channel_uses_spx[ch] = 0; - s->first_spx_coords[ch] = 1; - } + s->spx_band_sizes, + s->spx_band_struct, sizeof(s->spx_band_struct)); + } + } + if (!s->eac3 || !s->spx_in_use) { + s->spx_in_use = 0; + for (ch = 1; ch <= fbw_channels; ch++) { + s->channel_uses_spx[ch] = 0; + s->first_spx_coords[ch] = 1; } } @@ -939,7 +943,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) nblend = 0; sblend = 0x800000; } else if (nratio > 0x7fffff) { - nblend = 0x800000; + nblend = 14529495; // sqrt(3) in FP.23 sblend = 0; } else { nblend = fixed_sqrt(nratio, 23); @@ -1035,7 +1039,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) decode_band_structure(gbc, blk, s->eac3, 0, cpl_start_subband, cpl_end_subband, ff_eac3_default_cpl_band_struct, - &s->num_cpl_bands, s->cpl_band_sizes); + &s->num_cpl_bands, s->cpl_band_sizes, + s->cpl_band_struct, sizeof(s->cpl_band_struct)); } else { /* coupling not in use */ for (ch = 1; ch <= fbw_channels; ch++) { @@ -1336,7 +1341,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) for (ch = 1; ch <= s->channels; ch++) { int audio_channel = 0; INTFLOAT gain; - if (s->channel_mode == AC3_CHMODE_DUALMONO) + if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2) audio_channel = 2-ch; if (s->heavy_compression && s->compression_exists[audio_channel]) gain = s->heavy_dynamic_range[audio_channel]; diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index a213bc0870..123cc2c37c 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h @@ -126,6 +126,7 @@ typedef struct AC3DecodeContext { int phase_flags_in_use; ///< phase flags in use (phsflginu) int phase_flags[AC3_MAX_CPL_BANDS]; ///< phase flags (phsflg) int num_cpl_bands; ///< number of coupling bands (ncplbnd) + uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS]; uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band int firstchincpl; ///< first channel in coupling int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states (firstcplcos) @@ -142,6 +143,7 @@ typedef struct AC3DecodeContext { int spx_dst_start_freq; ///< spx starting frequency bin for copying (copystartmant) ///< the copy region ends at the start of the spx region. int num_spx_bands; ///< number of spx bands (nspxbnds) + uint8_t spx_band_struct[SPX_MAX_BANDS]; uint8_t spx_band_sizes[SPX_MAX_BANDS]; ///< number of bins in each spx band uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states (firstspxcos) INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor (nblendfact) @@ -243,19 +245,19 @@ typedef struct AC3DecodeContext { * Parse the E-AC-3 frame header. * This parses both the bit stream info and audio frame header. */ -int ff_eac3_parse_header(AC3DecodeContext *s); +static int ff_eac3_parse_header(AC3DecodeContext *s); /** * Decode mantissas in a single channel for the entire frame. * This is used when AHT mode is enabled. */ -void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch); +static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch); /** * Apply spectral extension to each channel by copying lower frequency * coefficients to higher frequency bins and applying side information to * approximate the original high frequency signal. */ -void ff_eac3_apply_spectral_extension(AC3DecodeContext *s); +static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s); #endif /* AVCODEC_AC3DEC_H */ diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index cb3b251589..113af66e57 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -65,11 +65,11 @@ static void scale_coefs ( int len) { int i, shift, round; - int16_t mul; + unsigned mul; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; - shift = 4 - ((dynrng << 23) >> 28); + shift = 4 - (sign_extend(dynrng, 9) >> 5); if (shift > 0 ) { round = 1 << (shift-1); for (i=0; iblocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) { + while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) { if (s->blocks[blk1].cpl_in_use) { energy_cpl += energy[blk1][CPL_CH][bnd]; energy_ch += energy[blk1][ch][bnd]; diff --git a/libavcodec/acelp_pitch_delay.c b/libavcodec/acelp_pitch_delay.c index 3ecec01cbe..02a60e4ade 100644 --- a/libavcodec/acelp_pitch_delay.c +++ b/libavcodec/acelp_pitch_delay.c @@ -135,7 +135,7 @@ float ff_amr_set_fixed_gain(float fixed_gain_factor, float fixed_mean_energy, exp2f(M_LOG2_10 * 0.05 * (avpriv_scalarproduct_float_c(pred_table, prediction_error, 4) + energy_mean)) / - sqrtf(fixed_mean_energy); + sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0); // update quantified prediction error energy history memmove(&prediction_error[0], &prediction_error[1], diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 2f95a6ff45..f7ca208993 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -574,6 +574,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, case AV_CODEC_ID_ADPCM_IMA_DK4: if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); + if (buf_size < 4 * ch) + return AVERROR_INVALIDDATA; nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch; break; case AV_CODEC_ID_ADPCM_IMA_RAD: @@ -587,13 +589,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2]; if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); + if (buf_size < 4 * ch) + return AVERROR_INVALIDDATA; nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples; break; } case AV_CODEC_ID_ADPCM_MS: if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); - nb_samples = 2 + (buf_size - 7 * ch) * 2 / ch; + nb_samples = (buf_size - 6 * ch) * 2 / ch; break; case AV_CODEC_ID_ADPCM_SBPRO_2: case AV_CODEC_ID_ADPCM_SBPRO_3: @@ -606,6 +610,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break; } if (!s->status[0].step_index) { + if (buf_size < ch) + return AVERROR_INVALIDDATA; nb_samples++; buf_size -= ch; } @@ -1524,6 +1530,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; + if (avpkt->size < bytestream2_tell(&gb)) { + av_log(avctx, AV_LOG_ERROR, "Overread of %d < %d\n", avpkt->size, bytestream2_tell(&gb)); + return avpkt->size; + } + return bytestream2_tell(&gb); } diff --git a/libavcodec/adpcmenc.c b/libavcodec/adpcmenc.c index ea6cc23e97..7692db4d67 100644 --- a/libavcodec/adpcmenc.c +++ b/libavcodec/adpcmenc.c @@ -541,7 +541,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, case AV_CODEC_ID_ADPCM_IMA_QT: { PutBitContext pb; - init_put_bits(&pb, dst, pkt_size * 8); + init_put_bits(&pb, dst, pkt_size); for (ch = 0; ch < avctx->channels; ch++) { ADPCMChannelStatus *status = &c->status[ch]; @@ -571,7 +571,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, case AV_CODEC_ID_ADPCM_SWF: { PutBitContext pb; - init_put_bits(&pb, dst, pkt_size * 8); + init_put_bits(&pb, dst, pkt_size); n = frame->nb_samples - 1; diff --git a/libavcodec/adxdec.c b/libavcodec/adxdec.c index 5115cede6a..3cc2a0a2c3 100644 --- a/libavcodec/adxdec.c +++ b/libavcodec/adxdec.c @@ -81,7 +81,7 @@ static int adx_decode(ADXContext *c, int16_t *out, int offset, s2 = prev->s2; for (i = 0; i < BLOCK_SAMPLES; i++) { d = get_sbits(&gb, 4); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = ((d * (1 << COEFF_BITS)) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; s2 = s1; s1 = av_clip_int16(s0); *out++ = s1; diff --git a/libavcodec/aic.c b/libavcodec/aic.c index 3472301f53..5882bf1b9a 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -438,8 +438,8 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) ctx->mb_width = FFALIGN(avctx->width, 16) >> 4; ctx->mb_height = FFALIGN(avctx->height, 16) >> 4; - ctx->num_x_slices = 16; - ctx->slice_width = ctx->mb_width / 16; + ctx->num_x_slices = (ctx->mb_width + 15) >> 4; + ctx->slice_width = 16; for (i = 1; i < 32; i++) { if (!(ctx->mb_width % i) && (ctx->mb_width / i < 32)) { ctx->slice_width = ctx->mb_width / i; diff --git a/libavcodec/alac.c b/libavcodec/alac.c index aec7bb4e4e..f018101992 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -316,6 +316,12 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, int lpc_quant[2]; int rice_history_mult[2]; + if (!alac->rice_limit) { + avpriv_request_sample(alac->avctx, + "Compression with rice limit 0"); + return AVERROR(ENOSYS); + } + decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); @@ -528,6 +534,12 @@ static int allocate_buffers(ALACContext *alac) int ch; int buf_size = alac->max_samples_per_frame * sizeof(int32_t); + for (ch = 0; ch < 2; ch++) { + alac->predict_error_buffer[ch] = NULL; + alac->output_samples_buffer[ch] = NULL; + alac->extra_bits_buffer[ch] = NULL; + } + for (ch = 0; ch < FFMIN(alac->channels, 2); ch++) { FF_ALLOC_OR_GOTO(alac->avctx, alac->predict_error_buffer[ch], buf_size, buf_alloc_fail); diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index cfece44285..1855f53921 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -357,11 +357,15 @@ static av_cold int read_specific_config(ALSDecContext *ctx) ctx->cs_switch = 1; + for (i = 0; i < avctx->channels; i++) { + sconf->chan_pos[i] = -1; + } + for (i = 0; i < avctx->channels; i++) { int idx; idx = get_bits(&gb, chan_pos_bits); - if (idx >= avctx->channels) { + if (idx >= avctx->channels || sconf->chan_pos[idx] != -1) { av_log(avctx, AV_LOG_WARNING, "Invalid channel reordering.\n"); ctx->cs_switch = 0; break; @@ -678,7 +682,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (!sconf->rlslms) { - if (sconf->adapt_order) { + if (sconf->adapt_order && sconf->max_order) { int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); @@ -1242,6 +1246,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, ALSChannelData *ch = cd[c]; unsigned int dep = 0; unsigned int channels = ctx->avctx->channels; + unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order; if (reverted[c]) return 0; @@ -1272,9 +1277,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, bd->raw_samples = ctx->raw_samples[c] + offset; for (dep = 0; !ch[dep].stop_flag; dep++) { - unsigned int smp; - unsigned int begin = 1; - unsigned int end = bd->block_length - 1; + ptrdiff_t smp; + ptrdiff_t begin = 1; + ptrdiff_t end = bd->block_length - 1; int64_t y; int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset; @@ -1286,11 +1291,28 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (ch[dep].time_diff_sign) { t = -t; + if (begin < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "begin %td smaller than time diff index %d.\n", begin, t); + return AVERROR_INVALIDDATA; + } begin -= t; } else { + if (end < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "end %td smaller than time diff index %d.\n", end, t); + return AVERROR_INVALIDDATA; + } end -= t; } + if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master || + FFMAX(end + 1, end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1, end + 1 + t), + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1 ]) + @@ -1303,6 +1325,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, bd->raw_samples[smp] += y >> 7; } } else { + + if (begin - 1 < ctx->raw_buffer - master || + end + 1 > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + begin - 1, master + end + 1, + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1]) + @@ -1461,6 +1493,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) // TODO: read_diff_float_data + if (get_bits_left(gb) < 0) { + av_log(ctx->avctx, AV_LOG_ERROR, "Overread %d\n", -get_bits_left(gb)); + return AVERROR_INVALIDDATA; + } + return 0; } @@ -1665,6 +1702,12 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->sample_fmt = sconf->resolution > 1 ? AV_SAMPLE_FMT_S32 : AV_SAMPLE_FMT_S16; avctx->bits_per_raw_sample = (sconf->resolution + 1) * 8; + if (avctx->bits_per_raw_sample > 32) { + av_log(avctx, AV_LOG_ERROR, "Bits per raw sample %d larger than 32.\n", + avctx->bits_per_raw_sample); + ret = AVERROR_INVALIDDATA; + goto fail; + } } // set maximum Rice parameter for progressive decoding based on resolution @@ -1727,9 +1770,9 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate and assign channel data buffer for mcc mode if (sconf->mc_coding) { - ctx->chan_data_buffer = av_malloc(sizeof(*ctx->chan_data_buffer) * + ctx->chan_data_buffer = av_mallocz(sizeof(*ctx->chan_data_buffer) * num_buffers * num_buffers); - ctx->chan_data = av_malloc(sizeof(*ctx->chan_data) * + ctx->chan_data = av_mallocz(sizeof(*ctx->chan_data) * num_buffers); ctx->reverted_channels = av_malloc(sizeof(*ctx->reverted_channels) * num_buffers); diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index bf668bbd4b..38dd99d6b4 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -265,7 +265,7 @@ static void decode_pitch_lag_high(int *lag_int, int *lag_frac, int pitch_index, *lag_frac = pitch_index - (*lag_int << 2) + 136; } else if (pitch_index < 440) { *lag_int = (pitch_index + 257 - 376) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) * 2; /* the actual resolution is 1/2 but expressed as 1/4 */ } else { *lag_int = pitch_index - 280; @@ -295,7 +295,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index, if (subframe == 0 || (subframe == 2 && mode != MODE_6k60)) { if (pitch_index < 116) { *lag_int = (pitch_index + 69) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 68) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 68) * 2; } else { *lag_int = pitch_index - 24; *lag_frac = 0; @@ -305,7 +305,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index, AMRWB_P_DELAY_MIN, AMRWB_P_DELAY_MAX - 15); } else { *lag_int = (pitch_index + 1) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1)) << 1; + *lag_frac = (pitch_index - (*lag_int << 1)) * 2; *lag_int += *base_lag_int; } } @@ -614,7 +614,7 @@ static float voice_factor(float *p_vector, float p_gain, AMRWB_SFR_SIZE) * f_gain * f_gain; - return (p_ener - f_ener) / (p_ener + f_ener); + return (p_ener - f_ener) / (p_ener + f_ener + 0.01); } /** diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 45c307f317..1016082e4a 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -80,18 +80,24 @@ static av_cold int decode_init(AVCodecContext *avctx) AnsiContext *s = avctx->priv_data; avctx->pix_fmt = AV_PIX_FMT_PAL8; - s->frame = av_frame_alloc(); - if (!s->frame) - return AVERROR(ENOMEM); - /* defaults */ s->font = avpriv_vga16_font; s->font_height = 16; s->fg = DEFAULT_FG_COLOR; s->bg = DEFAULT_BG_COLOR; - if (!avctx->width || !avctx->height) - ff_set_dimensions(avctx, 80 << 3, 25 << 4); + if (!avctx->width || !avctx->height) { + int ret = ff_set_dimensions(avctx, 80 << 3, 25 << 4); + if (ret < 0) + return ret; + } else if (avctx->width % FONT_WIDTH || avctx->height % s->font_height) { + av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); + return AVERROR(EINVAL); + } + + s->frame = av_frame_alloc(); + if (!s->frame) + return AVERROR(ENOMEM); return 0; } diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 383b7fe669..09272b1523 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -601,14 +601,14 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, int ksummax, ksummin; rice->ksum = 0; - for (i = 0; i < 5; i++) { + for (i = 0; i < FFMIN(blockstodecode, 5); i++) { out[i] = get_rice_ook(&ctx->gb, 10); rice->ksum += out[i]; } rice->k = av_log2(rice->ksum / 10) + 1; if (rice->k >= 24) return; - for (; i < 64; i++) { + for (; i < FFMIN(blockstodecode, 64); i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); rice->ksum += out[i]; rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1; @@ -905,6 +905,9 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int i, j; int32_t dotprod, sign; + if (order >= length) + return; + memset(coeffs, 0, order * sizeof(*coeffs)); for (i = 0; i < order; i++) delay[i] = buffer[i]; @@ -1384,7 +1387,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count) int32_t *decoded0 = ctx->decoded[0]; int32_t *decoded1 = ctx->decoded[1]; - if (ctx->frameflags & APE_FRAMECODE_STEREO_SILENCE) { + if ((ctx->frameflags & APE_FRAMECODE_STEREO_SILENCE) == APE_FRAMECODE_STEREO_SILENCE) { /* We are pure silence, so we're done. */ av_log(ctx->avctx, AV_LOG_DEBUG, "pure silence stereo\n"); return; @@ -1416,6 +1419,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, int32_t *sample24; int i, ch, ret; int blockstodecode; + uint64_t decoded_buffer_size; /* this should never be negative, but bad things will happen if it is, so check it just to make sure. */ @@ -1471,18 +1475,18 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, skip_bits_long(&s->gb, offset); } - if (!nblocks || nblocks > INT_MAX) { + if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) { av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n", nblocks); return AVERROR_INVALIDDATA; } - s->samples = nblocks; /* Initialize the frame decoder */ if (init_frame_decoder(s) < 0) { av_log(avctx, AV_LOG_ERROR, "Error reading frame header\n"); return AVERROR_INVALIDDATA; } + s->samples = nblocks; } if (!s->data) { @@ -1497,8 +1501,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, blockstodecode = s->samples; /* reallocate decoded sample buffer if needed */ - av_fast_malloc(&s->decoded_buffer, &s->decoded_size, - 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)); + decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer); + av_assert0(decoded_buffer_size <= INT_MAX); + av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); memset(s->decoded_buffer, 0, s->decoded_size); diff --git a/libavcodec/arm/h264dsp_init_arm.c b/libavcodec/arm/h264dsp_init_arm.c index f7aee1faa9..88dfd7580b 100644 --- a/libavcodec/arm/h264dsp_init_arm.c +++ b/libavcodec/arm/h264dsp_init_arm.c @@ -107,8 +107,10 @@ av_cold void ff_h264dsp_init_arm(H264DSPContext *c, const int bit_depth, { int cpu_flags = av_get_cpu_flags(); +#if HAVE_ARMV6 if (have_setend(cpu_flags)) c->startcode_find_candidate = ff_startcode_find_candidate_armv6; +#endif if (have_neon(cpu_flags)) h264dsp_init_neon(c, bit_depth, chroma_format_idc); } diff --git a/libavcodec/arm/vc1dsp_init_arm.c b/libavcodec/arm/vc1dsp_init_arm.c index 9dae22c822..5f2c759048 100644 --- a/libavcodec/arm/vc1dsp_init_arm.c +++ b/libavcodec/arm/vc1dsp_init_arm.c @@ -28,8 +28,10 @@ av_cold void ff_vc1dsp_init_arm(VC1DSPContext *dsp) { int cpu_flags = av_get_cpu_flags(); +#if HAVE_ARMV6 if (have_setend(cpu_flags)) dsp->startcode_find_candidate = ff_startcode_find_candidate_armv6; +#endif if (have_neon(cpu_flags)) ff_vc1dsp_init_neon(dsp); } diff --git a/libavcodec/arm/videodsp_armv5te.S b/libavcodec/arm/videodsp_armv5te.S index 55bcce5cb6..aff1161ada 100644 --- a/libavcodec/arm/videodsp_armv5te.S +++ b/libavcodec/arm/videodsp_armv5te.S @@ -23,9 +23,10 @@ #include "libavutil/arm/asm.S" function ff_prefetch_arm, export=1 +1: subs r2, r2, #1 pld [r0] add r0, r0, r1 - bne X(ff_prefetch_arm) + bne 1b bx lr endfunc diff --git a/libavcodec/ass_split.c b/libavcodec/ass_split.c index 413e9c8d06..04eebe3ede 100644 --- a/libavcodec/ass_split.c +++ b/libavcodec/ass_split.c @@ -470,7 +470,7 @@ ASSStyle *ff_ass_style_get(ASSSplitContext *ctx, const char *style) if (!style || !*style) style = "Default"; for (i=0; istyles_count; i++) - if (!strcmp(ass->styles[i].name, style)) + if (ass->styles[i].name && !strcmp(ass->styles[i].name, style)) return ass->styles + i; return NULL; } diff --git a/libavcodec/asvenc.c b/libavcodec/asvenc.c index bbf4494866..3ad2c31591 100644 --- a/libavcodec/asvenc.c +++ b/libavcodec/asvenc.c @@ -26,8 +26,10 @@ #include "libavutil/attributes.h" #include "libavutil/mem.h" +#include "aandcttab.h" #include "asv.h" #include "avcodec.h" +#include "dct.h" #include "fdctdsp.h" #include "internal.h" #include "mathops.h" @@ -331,8 +333,13 @@ static av_cold int encode_init(AVCodecContext *avctx) ((uint32_t *) avctx->extradata)[1] = av_le2ne32(AV_RL32("ASUS")); for (i = 0; i < 64; i++) { - int q = 32 * scale * ff_mpeg1_default_intra_matrix[i]; - a->q_intra_matrix[i] = ((a->inv_qscale << 16) + q / 2) / q; + if (a->fdsp.fdct == ff_fdct_ifast) { + int q = 32LL * scale * ff_mpeg1_default_intra_matrix[i] * ff_aanscales[i]; + a->q_intra_matrix[i] = (((int64_t)a->inv_qscale << 30) + q / 2) / q; + } else { + int q = 32 * scale * ff_mpeg1_default_intra_matrix[i]; + a->q_intra_matrix[i] = ((a->inv_qscale << 16) + q / 2) / q; + } } return 0; diff --git a/libavcodec/atrac3plusdec.c b/libavcodec/atrac3plusdec.c index 3a6b3cfa2e..b18592da0a 100644 --- a/libavcodec/atrac3plusdec.c +++ b/libavcodec/atrac3plusdec.c @@ -381,7 +381,7 @@ static int atrac3p_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; - return avctx->block_align; + return FFMIN(avctx->block_align, avpkt->size); } AVCodec ff_atrac3p_decoder = { diff --git a/libavcodec/atrac3plusdsp.c b/libavcodec/atrac3plusdsp.c index 3522af1e5a..3c68f74d25 100644 --- a/libavcodec/atrac3plusdsp.c +++ b/libavcodec/atrac3plusdsp.c @@ -599,8 +599,8 @@ void ff_atrac3p_ipqf(FFTContext *dct_ctx, Atrac3pIPQFChannelCtx *hist, const float *in, float *out) { int i, s, sb, t, pos_now, pos_next; - DECLARE_ALIGNED(32, float, idct_in)[ATRAC3P_SUBBANDS]; - DECLARE_ALIGNED(32, float, idct_out)[ATRAC3P_SUBBANDS]; + LOCAL_ALIGNED(32, float, idct_in, [ATRAC3P_SUBBANDS]); + LOCAL_ALIGNED(32, float, idct_out, [ATRAC3P_SUBBANDS]); memset(out, 0, ATRAC3P_FRAME_SAMPLES * sizeof(*out)); diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index fb1c9ca9ec..f0405b6d02 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1096,6 +1096,16 @@ enum AVPacketSideDataType { * side data includes updated metadata which appeared in the stream. */ AV_PKT_DATA_METADATA_UPDATE, + + /** + * The number of side data elements (in fact a bit more than it). + * This is not part of the public API/ABI in the sense that it may + * change when new side data types are added. + * This must stay the last enum value. + * If its value becomes huge, some code using it + * needs to be updated as it assumes it to be smaller than other limits. + */ + AV_PKT_DATA_NB }; typedef struct AVPacketSideData { diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index a87e8e3ead..1814c99c71 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -59,6 +59,7 @@ void av_init_packet(AVPacket *pkt) #if FF_API_DESTRUCT_PACKET FF_DISABLE_DEPRECATION_WARNINGS pkt->destruct = NULL; + pkt->priv = NULL; FF_ENABLE_DEPRECATION_WARNINGS #endif pkt->buf = NULL; @@ -195,6 +196,7 @@ static int copy_packet_data(AVPacket *pkt, const AVPacket *src, int dup) { pkt->data = NULL; pkt->side_data = NULL; + pkt->side_data_elems = 0; if (pkt->buf) { AVBufferRef *ref = av_buffer_ref(src->buf); if (!ref) @@ -209,9 +211,11 @@ FF_DISABLE_DEPRECATION_WARNINGS pkt->destruct = dummy_destruct_packet; FF_ENABLE_DEPRECATION_WARNINGS #endif - if (pkt->side_data_elems && dup) + if (src->side_data_elems && dup) { pkt->side_data = src->side_data; - if (pkt->side_data_elems && !dup) { + pkt->side_data_elems = src->side_data_elems; + } + if (src->side_data_elems && !dup) { return av_copy_packet_side_data(pkt, src); } return 0; @@ -302,11 +306,12 @@ uint8_t *av_packet_new_side_data(AVPacket *pkt, enum AVPacketSideDataType type, { int elems = pkt->side_data_elems; - if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) + if ((unsigned)elems + 1 > AV_PKT_DATA_NB) return NULL; if ((unsigned)size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE) return NULL; + pkt->side_data = av_realloc(pkt->side_data, (elems + 1) * sizeof(*pkt->side_data)); if (!pkt->side_data) @@ -388,13 +393,18 @@ int av_packet_split_side_data(AVPacket *pkt){ p = pkt->data + pkt->size - 8 - 5; for (i=1; ; i++){ size = AV_RB32(p); - if (size>INT_MAX || p - pkt->data < size) + if (size>INT_MAX - 5 || p - pkt->data < size) return 0; if (p[4]&128) break; + if (p - pkt->data < size + 5) + return 0; p-= size+5; } + if (i > AV_PKT_DATA_NB) + return AVERROR(ERANGE); + pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data)); if (!pkt->side_data) return AVERROR(ENOMEM); @@ -402,7 +412,7 @@ int av_packet_split_side_data(AVPacket *pkt){ p= pkt->data + pkt->size - 8 - 5; for (i=0; ; i++){ size= AV_RB32(p); - av_assert0(size<=INT_MAX && p - pkt->data >= size); + av_assert0(size<=INT_MAX - 5 && p - pkt->data >= size); pkt->side_data[i].data = av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE); pkt->side_data[i].size = size; pkt->side_data[i].type = p[4]&127; diff --git a/libavcodec/avs.c b/libavcodec/avs.c index c4eaf2057b..976d325f2c 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -165,9 +165,8 @@ static av_cold int avs_decode_init(AVCodecContext * avctx) return AVERROR(ENOMEM); avctx->pix_fmt = AV_PIX_FMT_PAL8; - ff_set_dimensions(avctx, 318, 198); - return 0; + return ff_set_dimensions(avctx, 318, 198); } static av_cold int avs_decode_end(AVCodecContext *avctx) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index d041643eff..2e102df71b 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -69,6 +69,8 @@ void avpriv_copy_bits(PutBitContext *pb, const uint8_t *src, int length) if (length == 0) return; + av_assert0(length <= put_bits_left(pb)); + if (CONFIG_SMALL || words < 16 || put_bits_count(pb) & 7) { for (i = 0; i < words; i++) put_bits(pb, 16, AV_RB16(src + 2 * i)); diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index c9493dc32d..cd65f02a2e 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -53,7 +53,8 @@ restart: if (bpc->pc.frame_start_found == 0) { if ((state >> 48) == (('B' << 8) | 'M')) { bpc->fsize = av_bswap32(state >> 16); - bpc->pc.frame_start_found = 1; + if (bpc->fsize > 17) + bpc->pc.frame_start_found = 1; } } else if (bpc->pc.frame_start_found == 2+4+4) { // unsigned hsize = av_bswap32(state>>32); @@ -67,8 +68,12 @@ restart: if (bpc->pc.index + i > 17) { next = i - 17; - } else + state = 0; + break; + } else { + bpc->pc.state64 = 0; goto restart; + } } else if (bpc->pc.frame_start_found) bpc->pc.frame_start_found++; } @@ -89,7 +94,10 @@ flush: if (ff_combine_frame(&bpc->pc, next, &buf, &buf_size) < 0) return buf_size; - bpc->pc.frame_start_found = 0; + if (next != END_NOT_FOUND && next < 0) + bpc->pc.frame_start_found = FFMAX(bpc->pc.frame_start_found - i - 1, 0); + else + bpc->pc.frame_start_found = 0; *poutbuf = buf; *poutbuf_size = buf_size; diff --git a/libavcodec/bmvvideo.c b/libavcodec/bmvvideo.c index 5143b2a76b..0e35b9cf21 100644 --- a/libavcodec/bmvvideo.c +++ b/libavcodec/bmvvideo.c @@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, if (src < source || src >= source_end) return AVERROR_INVALIDDATA; shift += 2; - val |= *src << shift; + val |= (unsigned)*src << shift; if (*src & 0xC) break; } diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index c2cb601806..7c05ea6cf5 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -71,8 +71,10 @@ static av_always_inline type bytestream2_get_ ## name ## u(GetByteContext *g) \ } \ static av_always_inline type bytestream2_get_ ## name(GetByteContext *g) \ { \ - if (g->buffer_end - g->buffer < bytes) \ + if (g->buffer_end - g->buffer < bytes) { \ + g->buffer = g->buffer_end; \ return 0; \ + } \ return bytestream2_get_ ## name ## u(g); \ } \ static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g) \ diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index 81a75dd52a..48f70ca30e 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c @@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){ * * @param buf_size size of buf in bits */ -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ c->bytestream_start= c->bytestream= buf; c->bytestream_end= buf + buf_size; @@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ #endif c->low+= ((*c->bytestream++)<<2) + 2; c->range= 0x1FE; + if ((c->range<<(CABAC_BITS+1)) < c->low) + return AVERROR_INVALIDDATA; + return 0; } void ff_init_cabac_states(void) diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h index f9eafed105..857211c9d9 100644 --- a/libavcodec/cabac.h +++ b/libavcodec/cabac.h @@ -56,7 +56,7 @@ typedef struct CABACContext{ }CABACContext; void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size); -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); void ff_init_cabac_states(void); #endif /* AVCODEC_CABAC_H */ diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 15dba29f8e..2d1d2a6b89 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -74,7 +74,8 @@ static inline void renorm_cabac_decoder_once(CABACContext *c){ #ifndef get_cabac_inline static void refill2(CABACContext *c){ - int i, x; + int i; + unsigned x; x= c->low ^ (c->low-1); i= 7 - ff_h264_norm_shift[x>>(CABAC_BITS-1)]; @@ -190,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) { #endif if ((int) (c->bytestream_end - ptr) < n) return NULL; - ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n); + if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0) + return NULL; return ptr; } diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index a41a8aa89d..4934e3ae0d 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -30,6 +30,7 @@ #include "golomb.h" #include "h264chroma.h" #include "idctdsp.h" +#include "internal.h" #include "mathops.h" #include "qpeldsp.h" #include "cavs.h" @@ -537,10 +538,9 @@ void ff_cavs_inter(AVSContext *h, enum cavs_mb mb_type) static inline void scale_mv(AVSContext *h, int *d_x, int *d_y, cavs_vector *src, int distp) { - int den = h->scale_den[FFMAX(src->ref, 0)]; - - *d_x = (src->x * distp * den + 256 + (src->x >> 31)) >> 9; - *d_y = (src->y * distp * den + 256 + (src->y >> 31)) >> 9; + int64_t den = h->scale_den[FFMAX(src->ref, 0)]; + *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9; + *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9; } static inline void mv_pred_median(AVSContext *h, @@ -613,8 +613,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC, mv_pred_median(h, mvP, mvA, mvB, mvC); if (mode < MV_PRED_PSKIP) { - mvP->x += get_se_golomb(&h->gb); - mvP->y += get_se_golomb(&h->gb); + int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x; + int my = get_se_golomb(&h->gb) + (unsigned)mvP->y; + + if (mx != (int16_t)mx || my != (int16_t)my) { + av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my); + } else { + mvP->x = mx; + mvP->y = my; + } } set_mvs(mvP, size); } diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 34b65e6890..74b04c637e 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -466,8 +466,8 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, cavs_vector *col_mv) { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; - int den = h->direct_den[col_mv->ref]; - int m = col_mv->x >> 31; + unsigned den = h->direct_den[col_mv->ref]; + int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; pmv_bw->dist = h->dist[0]; @@ -476,7 +476,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, /* scale the co-located motion vector according to its temporal span */ pmv_fw->x = (((den + (den * col_mv->x * pmv_fw->dist ^ m) - m - 1) >> 14) ^ m) - m; pmv_bw->x = m - (((den + (den * col_mv->x * pmv_bw->dist ^ m) - m - 1) >> 14) ^ m); - m = col_mv->y >> 31; + m = FF_SIGNBIT(col_mv->y); pmv_fw->y = (((den + (den * col_mv->y * pmv_fw->dist ^ m) - m - 1) >> 14) ^ m) - m; pmv_bw->y = m - (((den + (den * col_mv->y * pmv_bw->dist ^ m) - m - 1) >> 14) ^ m); } @@ -563,6 +563,11 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, return AVERROR_INVALIDDATA; } esc_code = get_ue_code(gb, esc_golomb_order); + if (esc_code < 0 || esc_code > 32767) { + av_log(h->avctx, AV_LOG_ERROR, "esc_code invalid\n"); + return AVERROR_INVALIDDATA; + } + level = esc_code + (run > r->max_run ? 1 : r->level_add[run]); while (level > r->inc_limit) r++; @@ -611,7 +616,7 @@ static inline int decode_residual_inter(AVSContext *h) /* get quantizer */ if (h->cbp && !h->qp_fixed) - h->qp = (h->qp + get_se_golomb(&h->gb)) & 63; + h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63; for (block = 0; block < 4; block++) if (h->cbp & (1 << block)) decode_residual_block(h, &h->gb, inter_dec, 0, h->qp, @@ -1027,6 +1032,10 @@ static int decode_pic(AVSContext *h) h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0; if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) { h->sym_factor = h->dist[0] * h->scale_den[1]; + if (FFABS(h->sym_factor) > 32768) { + av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor); + return AVERROR_INVALIDDATA; + } } else { h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0; h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0; diff --git a/libavcodec/cavsdsp.c b/libavcodec/cavsdsp.c index 91f6d7350b..df9490ad8f 100644 --- a/libavcodec/cavsdsp.c +++ b/libavcodec/cavsdsp.c @@ -188,7 +188,6 @@ static void cavs_filter_ch_c(uint8_t *d, int stride, int alpha, int beta, int tc static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) { int i; int16_t (*src)[8] = (int16_t(*)[8])block; - const uint8_t *cm = ff_crop_tab + MAX_NEG_CROP; src[0][0] += 8; @@ -243,14 +242,14 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) { const int b2 = a5 - a7; const int b3 = a4 - a6; - dst[i + 0*stride] = cm[ dst[i + 0*stride] + ((b0 + b4) >> 7)]; - dst[i + 1*stride] = cm[ dst[i + 1*stride] + ((b1 + b5) >> 7)]; - dst[i + 2*stride] = cm[ dst[i + 2*stride] + ((b2 + b6) >> 7)]; - dst[i + 3*stride] = cm[ dst[i + 3*stride] + ((b3 + b7) >> 7)]; - dst[i + 4*stride] = cm[ dst[i + 4*stride] + ((b3 - b7) >> 7)]; - dst[i + 5*stride] = cm[ dst[i + 5*stride] + ((b2 - b6) >> 7)]; - dst[i + 6*stride] = cm[ dst[i + 6*stride] + ((b1 - b5) >> 7)]; - dst[i + 7*stride] = cm[ dst[i + 7*stride] + ((b0 - b4) >> 7)]; + dst[i + 0*stride] = av_clip_uint8( dst[i + 0*stride] + ((b0 + b4) >> 7)); + dst[i + 1*stride] = av_clip_uint8( dst[i + 1*stride] + ((b1 + b5) >> 7)); + dst[i + 2*stride] = av_clip_uint8( dst[i + 2*stride] + ((b2 + b6) >> 7)); + dst[i + 3*stride] = av_clip_uint8( dst[i + 3*stride] + ((b3 + b7) >> 7)); + dst[i + 4*stride] = av_clip_uint8( dst[i + 4*stride] + ((b3 - b7) >> 7)); + dst[i + 5*stride] = av_clip_uint8( dst[i + 5*stride] + ((b2 - b6) >> 7)); + dst[i + 6*stride] = av_clip_uint8( dst[i + 6*stride] + ((b1 - b5) >> 7)); + dst[i + 7*stride] = av_clip_uint8( dst[i + 7*stride] + ((b0 - b4) >> 7)); } } diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index 13ad57c8c1..7b62ae5fc5 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -250,11 +250,11 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, aligned_width = FFALIGN(c->avctx->width, 16); c->padded_bits = aligned_width - c->avctx->width; - if (c->video_size < aligned_width * avctx->height * c->bpp / 8) + if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; - if (!encoding && c->palette_size && c->bpp <= 8) { + if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { + } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) { if (c->palette_size != (1 << (c->bpp - 1))) return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_BGR24; diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 4746289b76..bac8bbfa0e 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -135,7 +135,7 @@ static int cinepak_decode_vectors (CinepakContext *s, cvid_strip *strip, const uint8_t *eod = (data + size); uint32_t flag, mask; uint8_t *cb0, *cb1, *cb2, *cb3; - unsigned int x, y; + int x, y; char *ip0, *ip1, *ip2, *ip3; flag = 0; @@ -322,9 +322,6 @@ static int cinepak_decode (CinepakContext *s) int y0 = 0; int encoded_buf_size; - if (s->size < 10) - return AVERROR_INVALIDDATA; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -439,14 +436,20 @@ static int cinepak_decode_frame(AVCodecContext *avctx, s->data = buf; s->size = buf_size; + if (s->size < 10) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; if (s->palette_video) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 9c710bbb9e..00b7d444dc 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -28,6 +28,10 @@ #include "avcodec.h" #include "internal.h" +#define VLC_BITS 7 +#define VLC_DEPTH 2 + + typedef struct CLLCContext { AVCodecContext *avctx; BswapDSPContext bdsp; @@ -50,6 +54,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) num_lens = get_bits(gb, 5); + if (num_lens > VLC_BITS * VLC_DEPTH) { + vlc->table = NULL; + + av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < num_lens; i++) { num_codes = get_bits(gb, 9); num_codes_sum += num_codes; @@ -69,11 +80,15 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) count++; } + if (prefix > (65535 - 256)/2) { + vlc->table = NULL; + return AVERROR_INVALIDDATA; + } prefix <<= 1; } - return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1, + return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1, codes, 2, 2, symbols, 1, 1, 0); } @@ -100,7 +115,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, for (i = 0; i < ctx->avctx->width; i++) { /* Always get the alpha component */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[0].table, 7, 2); + GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH); pred[0] += code; dst[0] = pred[0]; @@ -109,21 +124,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, if (dst[0]) { /* Red */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[1].table, 7, 2); + GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH); pred[1] += code; dst[1] = pred[1]; /* Green */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[2].table, 7, 2); + GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH); pred[2] += code; dst[2] = pred[2]; /* Blue */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[3].table, 7, 2); + GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH); pred[3] += code; dst[3] = pred[3]; @@ -165,7 +180,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; dst[0] = pred; @@ -194,7 +209,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width >> is_chroma; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; outbuf[i] = pred; diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index 855baaaa8d..194b9088e5 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -146,7 +146,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void *data, return ret; buf_out = (int16_t *)frame->data[0]; for (i = 0; i < avctx->frame_size; i++) - buf_out[i] = p->filter_out[i + p->order]; + buf_out[i] = av_clip_int16(p->filter_out[i + p->order]); memcpy(p->filter_out, p->filter_out + avctx->frame_size, p->order * sizeof(*p->filter_out)); diff --git a/libavcodec/cook.c b/libavcodec/cook.c index eb2654e0d5..cfbce2a58a 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1058,7 +1058,7 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->avctx = avctx; /* Take care of the codec specific extradata. */ - if (extradata_size <= 0) { + if (extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Necessary extradata missing!\n"); return AVERROR_INVALIDDATA; } @@ -1215,8 +1215,8 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->num_subpackets++; s++; - if (s > MAX_SUBPACKETS) { - avpriv_request_sample(avctx, "subpackets > %d", MAX_SUBPACKETS); + if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) { + avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); return AVERROR_PATCHWELCOME; } } diff --git a/libavcodec/dca.c b/libavcodec/dca.c index f9529760fc..45e6156919 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -41,8 +41,6 @@ int avpriv_dca_convert_bitstream(const uint8_t *src, int src_size, uint8_t *dst, { uint32_t mrk; int i, tmp; - const uint16_t *ssrc = (const uint16_t *) src; - uint16_t *sdst = (uint16_t *) dst; PutBitContext pb; if ((unsigned) src_size > (unsigned) max_size) @@ -54,8 +52,11 @@ int avpriv_dca_convert_bitstream(const uint8_t *src, int src_size, uint8_t *dst, memcpy(dst, src, src_size); return src_size; case DCA_MARKER_RAW_LE: - for (i = 0; i < (src_size + 1) >> 1; i++) - *sdst++ = av_bswap16(*ssrc++); + for (i = 0; i < (src_size + 1) >> 1; i++) { + AV_WB16(dst, AV_RL16(src)); + src += 2; + dst += 2; + } return src_size; case DCA_MARKER_14B_BE: case DCA_MARKER_14B_LE: diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index 82d96d281c..6f74b146cb 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -583,6 +583,14 @@ static int dca_parse_audio_coding_header(DCAContext *s, int base_channel, } nchans = get_bits(&s->gb, 3) + 1; + if (xxch && nchans >= 3) { + av_log(s->avctx, AV_LOG_ERROR, "nchans %d is too large\n", nchans); + return AVERROR_INVALIDDATA; + } else if (nchans + base_channel > DCA_PRIM_CHANNELS_MAX) { + av_log(s->avctx, AV_LOG_ERROR, "channel sum %d + %d is too large\n", nchans, base_channel); + return AVERROR_INVALIDDATA; + } + s->total_channels = nchans + base_channel; s->prim_channels = s->total_channels; @@ -849,6 +857,10 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index) if (!base_channel) { s->subsubframes[s->current_subframe] = get_bits(&s->gb, 2) + 1; + if (block_index + s->subsubframes[s->current_subframe] > s->sample_blocks/8) { + s->subsubframes[s->current_subframe] = 1; + return AVERROR_INVALIDDATA; + } s->partial_samples[s->current_subframe] = get_bits(&s->gb, 3); } @@ -1810,8 +1822,13 @@ static int dca_xbr_parse_frame(DCAContext *s) for(i = 0; i < num_chsets; i++) { n_xbr_ch[i] = get_bits(&s->gb, 3) + 1; k = get_bits(&s->gb, 2) + 5; - for(j = 0; j < n_xbr_ch[i]; j++) + for(j = 0; j < n_xbr_ch[i]; j++) { active_bands[i][j] = get_bits(&s->gb, k) + 1; + if (active_bands[i][j] > DCA_SUBBANDS) { + av_log(s->avctx, AV_LOG_ERROR, "too many active subbands (%d)\n", active_bands[i][j]); + return AVERROR_INVALIDDATA; + } + } } /* skip to the end of the header */ @@ -1853,23 +1870,34 @@ static int dca_xbr_parse_frame(DCAContext *s) for(i = 0; i < n_xbr_ch[chset]; i++) { const uint32_t *scale_table; int nbits; + int scale_table_size; if (s->scalefactor_huffman[chan_base+i] == 6) { scale_table = scale_factor_quant7; + scale_table_size = FF_ARRAY_ELEMS(scale_factor_quant7); } else { scale_table = scale_factor_quant6; + scale_table_size = FF_ARRAY_ELEMS(scale_factor_quant6); } nbits = anctemp[i]; for(j = 0; j < active_bands[chset][i]; j++) { if(abits_high[i][j] > 0) { - scale_table_high[i][j][0] = - scale_table[get_bits(&s->gb, nbits)]; + int index = get_bits(&s->gb, nbits); + if (index >= scale_table_size) { + av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index); + return AVERROR_INVALIDDATA; + } + scale_table_high[i][j][0] = scale_table[index]; if(xbr_tmode && s->transition_mode[i][j]) { - scale_table_high[i][j][1] = - scale_table[get_bits(&s->gb, nbits)]; + int index = get_bits(&s->gb, nbits); + if (index >= scale_table_size) { + av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index); + return AVERROR_INVALIDDATA; + } + scale_table_high[i][j][1] = scale_table[index]; } } } @@ -2359,6 +2387,10 @@ FF_ENABLE_DEPRECATION_WARNINGS #else if (s->xch_present && !s->xch_disable) { #endif + if (avctx->channel_layout & AV_CH_BACK_CENTER) { + avpriv_request_sample(avctx, "XCh with Back center channel"); + return AVERROR_INVALIDDATA; + } avctx->channel_layout |= AV_CH_BACK_CENTER; if (s->lfe) { avctx->channel_layout |= AV_CH_LOW_FREQUENCY; diff --git a/libavcodec/dcaenc.c b/libavcodec/dcaenc.c index 905cdc9ade..182494a208 100644 --- a/libavcodec/dcaenc.c +++ b/libavcodec/dcaenc.c @@ -939,6 +939,10 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *avpkt, for (i = 0; i < SUBFRAMES; i++) put_subframe(c, i); + + for (i = put_bits_count(&c->pb); i < 8*c->frame_size; i++) + put_bits(&c->pb, 1, 0); + flush_put_bits(&c->pb); avpkt->pts = frame->pts; diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index f13291ef28..a231af3223 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; - int v, count, segments; + int v, count; + unsigned segments; unsigned offset; segments = bytestream2_get_le32(gb); @@ -175,7 +176,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 3) + if (frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); @@ -249,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned skip_lines = -(int16_t)segments; - unsigned delta = -((int16_t)segments * width); + int64_t delta = -((int16_t)segments * (int64_t)width); if (frame_end - frame <= delta || y + lines + skip_lines > height) return AVERROR_INVALIDDATA; frame += delta; diff --git a/libavcodec/dirac_arith.h b/libavcodec/dirac_arith.h index 089c71a698..a1fa96b5bc 100644 --- a/libavcodec/dirac_arith.h +++ b/libavcodec/dirac_arith.h @@ -171,6 +171,10 @@ static inline int dirac_get_arith_uint(DiracArith *c, int follow_ctx, int data_c { int ret = 1; while (!dirac_get_arith_bit(c, follow_ctx)) { + if (ret >= 0x40000000) { + av_log(NULL, AV_LOG_ERROR, "dirac_get_arith_uint overflow\n"); + return -1; + } ret <<= 1; ret += dirac_get_arith_bit(c, data_ctx); follow_ctx = ff_dirac_next_ctx[follow_ctx]; diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index e5e447b0ac..acefd3b3d3 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -84,16 +84,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); // shared stuff for simd optimizations #define COMPOSE_53iL0(b0, b1, b2)\ - (b1 - ((b0 + b2 + 2) >> 2)) + (b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2)) #define COMPOSE_DIRAC53iH0(b0, b1, b2)\ - (b1 + ((b0 + b2 + 1) >> 1)) + (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((-b0 + 9*b1 + 9*b3 - b4 + 8) >> 4)) + (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5)) + (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ (b0 - ((b1 + 1) >> 1)) @@ -102,22 +102,22 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((-8*(b0+b8) + 21*(b1+b7) - 46*(b2+b6) + 161*(b3+b5) + 128) >> 8)) + ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) + ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((1817*(b0 + b2) + 2048) >> 12)) + ((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - (( 113*(b0 + b2) + 64) >> 7)) + ((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + (( 217*(b0 + b2) + 2048) >> 12)) + ((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((6497*(b0 + b2) + 2048) >> 12)) + ((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 4119e3b660..0c684643a9 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -100,10 +100,12 @@ typedef struct DiracParseUnit { static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, int offset) { - uint8_t *start = pc->buffer + offset; - uint8_t *end = pc->buffer + pc->index; - if (start < pc->buffer || (start + 13 > end)) + int8_t *start; + + if (offset < 0 || pc->index - 13 < offset) return 0; + + start = pc->buffer + offset; pu->pu_type = start[4]; pu->next_pu_offset = AV_RB32(start + 5); @@ -112,6 +114,15 @@ static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, if (pu->pu_type == 0x10 && pu->next_pu_offset == 0) pu->next_pu_offset = 13; + if (pu->next_pu_offset && pu->next_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "next_pu_offset %d is invalid\n", pu->next_pu_offset); + return 0; + } + if (pu->prev_pu_offset && pu->prev_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "prev_pu_offset %d is invalid\n", pu->prev_pu_offset); + return 0; + } + return 1; } @@ -123,7 +134,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, DiracParseContext *pc = s->priv_data; if (pc->overread_index) { - memcpy(pc->buffer, pc->buffer + pc->overread_index, + memmove(pc->buffer, pc->buffer + pc->overread_index, pc->index - pc->overread_index); pc->index -= pc->overread_index; pc->overread_index = 0; @@ -186,7 +197,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, } /* Get the picture number to set the pts and dts*/ - if (parse_timing_info) { + if (parse_timing_info && pu1.prev_pu_offset >= 13) { uint8_t *cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset; int pts = AV_RB32(cur_pu + 13); diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index c03f45c928..872f023332 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -284,7 +284,7 @@ static const int qoffset_inter_tab[MAX_QUANT+1] = { /* magic number division by 3 from schroedinger */ static inline int divide3(int x) { - return ((x+1)*21845 + 10922) >> 16; + return (int)((x+1U)*21845 + 10922) >> 16; } static DiracFrame *remove_frame(DiracFrame *framelist[], int picnum) @@ -612,10 +612,10 @@ static av_always_inline void decode_subband_internal(DiracContext *s, SubBand *b top = 0; for (cb_y = 0; cb_y < cb_height; cb_y++) { - bottom = (b->height * (cb_y+1)) / cb_height; + bottom = (b->height * (cb_y+1LL)) / cb_height; left = 0; for (cb_x = 0; cb_x < cb_width; cb_x++) { - right = (b->width * (cb_x+1)) / cb_width; + right = (b->width * (cb_x+1LL)) / cb_width; codeblock(s, b, &gb, &c, left, right, top, bottom, blockcnt_one, is_arith); left = right; } @@ -799,7 +799,10 @@ static void decode_lowdelay(DiracContext *s) slice_num++; buf += bytes; - bufsize -= bytes*8; + if (bufsize/8 >= bytes) + bufsize -= bytes*8; + else + bufsize = 0; } avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num, @@ -896,6 +899,14 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) /*[DIRAC_STD] 11.2.4 motion_data_dimensions() Calculated in function dirac_unpack_block_motion_data */ + if (s->plane[0].xblen % (1 << s->chroma_x_shift) != 0 || + s->plane[0].yblen % (1 << s->chroma_y_shift) != 0 || + !s->plane[0].xblen || !s->plane[0].yblen) { + av_log(s->avctx, AV_LOG_ERROR, + "invalid x/y block length (%d/%d) for x/y chroma shift (%d/%d)\n", + s->plane[0].xblen, s->plane[0].yblen, s->chroma_x_shift, s->chroma_y_shift); + return AVERROR_INVALIDDATA; + } if (!s->plane[0].xbsep || !s->plane[0].ybsep || s->plane[0].xbsep < s->plane[0].xblen/2 || s->plane[0].ybsep < s->plane[0].yblen/2) { av_log(s->avctx, AV_LOG_ERROR, "Block separation too small\n"); return -1; @@ -946,6 +957,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb); s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb); } + if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) { + return AVERROR_INVALIDDATA; + } + } } @@ -1004,8 +1019,8 @@ static int dirac_unpack_idwt_params(DiracContext *s) /* Codeblock parameters (core syntax only) */ if (get_bits1(gb)) { for (i = 0; i <= s->wavelet_depth; i++) { - CHECKEDREAD(s->codeblock[i].width , tmp < 1, "codeblock width invalid\n") - CHECKEDREAD(s->codeblock[i].height, tmp < 1, "codeblock height invalid\n") + CHECKEDREAD(s->codeblock[i].width , tmp < 1 || tmp > (s->avctx->width >>s->wavelet_depth-i), "codeblock width invalid\n") + CHECKEDREAD(s->codeblock[i].height, tmp < 1 || tmp > (s->avctx->height>>s->wavelet_depth-i), "codeblock height invalid\n") } CHECKEDREAD(s->codeblock_mode, tmp > 1, "unknown codeblock mode\n") @@ -1017,6 +1032,13 @@ static int dirac_unpack_idwt_params(DiracContext *s) /*[DIRAC_STD] 11.3.4 Slice coding Parameters (low delay syntax only). slice_parameters() */ s->lowdelay.num_x = svq3_get_ue_golomb(gb); s->lowdelay.num_y = svq3_get_ue_golomb(gb); + if (s->lowdelay.num_x * s->lowdelay.num_y == 0 || + s->lowdelay.num_x * (uint64_t)s->lowdelay.num_y > INT_MAX) { + av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); + s->lowdelay.num_x = s->lowdelay.num_y = 0; + return AVERROR_INVALIDDATA; + } + s->lowdelay.bytes.num = svq3_get_ue_golomb(gb); s->lowdelay.bytes.den = svq3_get_ue_golomb(gb); @@ -1184,7 +1206,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock if (!block->ref) { pred_block_dc(block, stride, x, y); for (i = 0; i < 3; i++) - block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); + block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); return; } @@ -1550,7 +1572,7 @@ static void select_dsp_funcs(DiracContext *s, int width, int height, int xblen, } } -static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, int width, int height) +static int interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, int width, int height) { /* chroma allocates an edge of 8 when subsampled which for 4:2:2 means an h edge of 16 and v edge of 8 @@ -1562,11 +1584,14 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in /* no need for hpel if we only have fpel vectors */ if (!s->mv_precision) - return; + return 0; for (i = 1; i < 4; i++) { if (!ref->hpel_base[plane][i]) ref->hpel_base[plane][i] = av_malloc((height+2*edge) * ref->avframe->linesize[plane] + 32); + if (!ref->hpel_base[plane][i]) { + return AVERROR(ENOMEM); + } /* we need to be 16-byte aligned even for chroma */ ref->hpel[plane][i] = ref->hpel_base[plane][i] + edge*ref->avframe->linesize[plane] + 16; } @@ -1580,6 +1605,8 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in s->mpvencdsp.draw_edges(ref->hpel[plane][3], ref->avframe->linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM); } ref->interpolated[plane] = 1; + + return 0; } /** @@ -1629,8 +1656,11 @@ static int dirac_decode_frame_internal(DiracContext *s) select_dsp_funcs(s, p->width, p->height, p->xblen, p->yblen); - for (i = 0; i < s->num_refs; i++) - interpolate_refplane(s, s->ref_pics[i], comp, p->width, p->height); + for (i = 0; i < s->num_refs; i++) { + int ret = interpolate_refplane(s, s->ref_pics[i], comp, p->width, p->height); + if (ret < 0) + return ret; + } memset(s->mctmp, 0, 4*p->yoffset*p->stride); @@ -1736,6 +1766,12 @@ static int dirac_decode_picture_header(DiracContext *s) get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF); break; } + + if (!s->ref_pics[i]) { + av_log(s->avctx, AV_LOG_ERROR, "Reference could not be allocated\n"); + return -1; + } + } /* retire the reference frames that are not used anymore */ @@ -1788,9 +1824,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame) if (out) { out->avframe->reference ^= DELAYED_PIC_REF; - *got_frame = 1; if((ret = av_frame_ref(picture, out->avframe)) < 0) return ret; + *got_frame = 1; } return 0; @@ -1931,8 +1967,8 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, break; data_unit_size = AV_RB32(buf+buf_idx+5); - if (buf_idx + data_unit_size > buf_size || !data_unit_size) { - if(buf_idx + data_unit_size > buf_size) + if (data_unit_size > buf_size - buf_idx || !data_unit_size) { + if(data_unit_size > buf_size - buf_idx) av_log(s->avctx, AV_LOG_ERROR, "Data unit with size %d is larger than input buffer, discarding\n", data_unit_size); diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 787c6c5ec4..a8cf0800aa 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -38,6 +38,7 @@ typedef struct DNXHDContext { BlockDSPContext bdsp; int64_t cid; ///< compression id unsigned int width, height; + enum AVPixelFormat pix_fmt; unsigned int mb_width, mb_height; uint32_t mb_scan_index[68]; /* max for 1080p */ int cur_field; ///< current interlaced field @@ -141,7 +142,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, ctx->is_444 = 0; if (buf[0x4] == 0x2) { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV444P10; + ctx->pix_fmt = AV_PIX_FMT_YUV444P10; ctx->avctx->bits_per_raw_sample = 10; if (ctx->bit_depth != 10) { ff_blockdsp_init(&ctx->bdsp, ctx->avctx); @@ -151,7 +152,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, } ctx->is_444 = 1; } else if (buf[0x21] & 0x40) { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P10; + ctx->pix_fmt = AV_PIX_FMT_YUV422P10; ctx->avctx->bits_per_raw_sample = 10; if (ctx->bit_depth != 10) { ff_blockdsp_init(&ctx->bdsp, ctx->avctx); @@ -160,7 +161,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, ctx->decode_dct_block = dnxhd_decode_dct_block_10; } } else { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P; + ctx->pix_fmt = AV_PIX_FMT_YUV422P; ctx->avctx->bits_per_raw_sample = 8; if (ctx->bit_depth != 8) { ff_blockdsp_init(&ctx->bdsp, ctx->avctx); @@ -362,7 +363,7 @@ static int dnxhd_decode_macroblock(DNXHDContext *ctx, AVFrame *frame, dest_u = frame->data[1] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1 + ctx->is_444)); dest_v = frame->data[2] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1 + ctx->is_444)); - if (ctx->cur_field) { + if (frame->interlaced_frame && ctx->cur_field) { dest_y += frame->linesize[0]; dest_u += frame->linesize[1]; dest_v += frame->linesize[2]; @@ -446,7 +447,13 @@ decode_coding_unit: avctx->width, avctx->height, ctx->width, ctx->height); first_field = 1; } + if (avctx->pix_fmt != AV_PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) { + av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n", + av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt)); + first_field = 1; + } + avctx->pix_fmt = ctx->pix_fmt; ret = ff_set_dimensions(avctx, ctx->width, ctx->height); if (ret < 0) return ret; diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index d438fbb64e..6096dcc3ab 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -117,7 +117,7 @@ static int dnxhd_10bit_dct_quantize(MpegEncContext *ctx, int16_t *block, for (i = 1; i < 64; ++i) { int j = scantable[i]; - int sign = block[j] >> 31; + int sign = FF_SIGNBIT(block[j]); int level = (block[j] ^ sign) - sign; level = level * qmat[j] >> DNX10BIT_QMAT_SHIFT; block[j] = (level ^ sign) - sign; diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index 5d8c4f3341..02aa779300 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c @@ -334,11 +334,11 @@ static int decode_frame(AVCodecContext *avctx, // For 12 bit, ignore alpha if (elements == 4) buf += 2; - // Jump to next aligned position - buf += need_align; } for (i = 0; i < 3; i++) ptr[i] += p->linesize[i]; + // Jump to next aligned position + buf += need_align; } break; case 16: diff --git a/libavcodec/dpxenc.c b/libavcodec/dpxenc.c index aca745bb58..76aa0cc473 100644 --- a/libavcodec/dpxenc.c +++ b/libavcodec/dpxenc.c @@ -75,17 +75,20 @@ static av_cold int encode_init(AVCodecContext *avctx) return 0; } -#define write16(p, value) \ -do { \ - if (s->big_endian) AV_WB16(p, value); \ - else AV_WL16(p, value); \ -} while(0) +static av_always_inline void write16_internal(int big_endian, void *p, int value) +{ + if (big_endian) AV_WB16(p, value); + else AV_WL16(p, value); +} -#define write32(p, value) \ -do { \ - if (s->big_endian) AV_WB32(p, value); \ - else AV_WL32(p, value); \ -} while(0) +static av_always_inline void write32_internal(int big_endian, void *p, int value) +{ + if (big_endian) AV_WB32(p, value); + else AV_WL32(p, value); +} + +#define write16(p, value) write16_internal(s->big_endian, p, value) +#define write32(p, value) write32_internal(s->big_endian, p, value) static void encode_rgb48_10bit(AVCodecContext *avctx, const AVPicture *pic, uint8_t *dst) { diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index 097597ed91..213a8defec 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -23,6 +23,7 @@ #include "get_bits.h" #include "bytestream.h" #include "libavutil/colorspace.h" +#include "libavutil/imgutils.h" #include "libavutil/opt.h" #define DVBSUB_PAGE_SEGMENT 0x10 @@ -1114,9 +1115,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - if (depth & 0x80) + if (depth & 0x80 && entry_id < 4) clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha); - else if (depth & 0x40) + else if (depth & 0x40 && entry_id < 16) clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha); else if (depth & 0x20) clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha); @@ -1138,6 +1139,7 @@ static void dvbsub_parse_region_segment(AVCodecContext *avctx, DVBSubObject *object; DVBSubObjectDisplay *display; int fill; + int ret; if (buf_size < 10) return; @@ -1164,6 +1166,12 @@ static void dvbsub_parse_region_segment(AVCodecContext *avctx, region->height = AV_RB16(buf); buf += 2; + ret = av_image_check_size(region->width, region->height, 0, avctx); + if (ret < 0) { + region->width= region->height= 0; + return; + } + if (region->width * region->height != region->buf_size) { av_free(region->pbuf); diff --git a/libavcodec/dvdec.c b/libavcodec/dvdec.c index 7de7e5b4ce..ccf326923d 100644 --- a/libavcodec/dvdec.c +++ b/libavcodec/dvdec.c @@ -221,7 +221,7 @@ static int dv_decode_video_segment(AVCodecContext *avctx, void *arg) dct_mode * 22 * 64 + (quant + ff_dv_quant_offset[class1]) * 64]; } - dc = dc << 2; + dc = dc * 4; /* convert to unsigned because 128 is not added in the * standard IDCT */ dc += 1024; diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 7355c03ec2..13abb9d33a 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -37,7 +37,7 @@ typedef struct DVDSubContext int has_palette; uint8_t colormap[4]; uint8_t alpha[256]; - uint8_t *buf; + uint8_t buf[0x10000]; int buf_size; #ifdef DEBUG int sub_id; @@ -57,7 +57,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t * cb = *ycbcr++; YUV_TO_RGB1_CCIR(cb, cr); YUV_TO_RGB2_CCIR(r, g, b, y); - *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b; + *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b; } } @@ -105,6 +105,12 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; + if (start >= buf_size) + return -1; + + if (w <= 0 || h <= 0) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -176,16 +182,16 @@ static void guess_palette(DVDSubContext* ctx, for(i = 0; i < 4; i++) { if (alpha[i] != 0) { if (!color_used[colormap[i]]) { - level = level_map[nb_opaque_colors][j]; + level = level_map[nb_opaque_colors - 1][j]; r = (((subtitle_color >> 16) & 0xff) * level) >> 8; g = (((subtitle_color >> 8) & 0xff) * level) >> 8; b = (((subtitle_color >> 0) & 0xff) * level) >> 8; - rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24); + rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24); color_used[colormap[i]] = (i + 1); j++; } else { rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) | - ((alpha[i] * 17) << 24); + ((alpha[i] * 17U) << 24); } } } @@ -337,7 +343,7 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, } } the_end: - if (offset1 >= 0) { + if (offset1 >= 0 && offset2 >= 0) { int w, h; uint8_t *bitmap; @@ -356,10 +362,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; - decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); - decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); + if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) + goto fail; + if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) + goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (!yuv_palette) @@ -498,15 +506,12 @@ static int append_to_cached_buf(AVCodecContext *avctx, { DVDSubContext *ctx = avctx->priv_data; - if (ctx->buf_size > 0xffff - buf_size) { + av_assert0(buf_size >= 0 && ctx->buf_size <= sizeof(ctx->buf)); + if (buf_size >= sizeof(ctx->buf) - ctx->buf_size) { av_log(avctx, AV_LOG_WARNING, "Attempt to reconstruct " "too large SPU packets aborted.\n"); - av_freep(&ctx->buf); return AVERROR_INVALIDDATA; } - ctx->buf = av_realloc(ctx->buf, ctx->buf_size + buf_size); - if (!ctx->buf) - return AVERROR(ENOMEM); memcpy(ctx->buf + ctx->buf_size, buf, buf_size); ctx->buf_size += buf_size; return 0; @@ -522,7 +527,7 @@ static int dvdsub_decode(AVCodecContext *avctx, AVSubtitle *sub = data; int is_menu; - if (ctx->buf) { + if (ctx->buf_size) { int ret = append_to_cached_buf(avctx, buf, buf_size); if (ret < 0) { *data_size = 0; @@ -561,7 +566,6 @@ static int dvdsub_decode(AVCodecContext *avctx, } #endif - av_freep(&ctx->buf); ctx->buf_size = 0; *data_size = 1; return buf_size; @@ -583,6 +587,7 @@ static int dvdsub_parse_extradata(AVCodecContext *avctx) { DVDSubContext *ctx = (DVDSubContext*) avctx->priv_data; char *dataorig, *data; + int ret = 1; if (!avctx->extradata || !avctx->extradata_size) return 1; @@ -603,11 +608,9 @@ static int dvdsub_parse_extradata(AVCodecContext *avctx) } else if (strncmp("size:", data, 5) == 0) { int w, h; if (sscanf(data + 5, "%dx%d", &w, &h) == 2) { - int ret = ff_set_dimensions(avctx, w, h); - if (ret < 0) { - av_free(dataorig); - return ret; - } + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + goto fail; } } @@ -615,8 +618,9 @@ static int dvdsub_parse_extradata(AVCodecContext *avctx) data += strspn(data, "\n\r"); } +fail: av_free(dataorig); - return 1; + return ret; } static av_cold int dvdsub_init(AVCodecContext *avctx) @@ -643,7 +647,6 @@ static av_cold int dvdsub_init(AVCodecContext *avctx) static av_cold int dvdsub_close(AVCodecContext *avctx) { DVDSubContext *ctx = avctx->priv_data; - av_freep(&ctx->buf); ctx->buf_size = 0; return 0; } diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c index 0f64b5e619..c8e3f71399 100644 --- a/libavcodec/dxa.c +++ b/libavcodec/dxa.c @@ -329,6 +329,11 @@ static av_cold int decode_init(AVCodecContext *avctx) { DxaDecContext * const c = avctx->priv_data; + if (avctx->width%4 || avctx->height%4) { + avpriv_request_sample(avctx, "dimensions are not a multiple of 4"); + return AVERROR_INVALIDDATA; + } + c->prev = av_frame_alloc(); if (!c->prev) return AVERROR(ENOMEM); diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 1a59ae7a04..a103eaa064 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -65,7 +65,7 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *Y3, *Y4, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 9L / 8) { + if (src_size < FFALIGN(avctx->width, 4) * FFALIGN(avctx->height, 4) * 9LL / 8) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } @@ -108,7 +108,7 @@ static int dxtory_decode_v1_420(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3L / 2) { + if (src_size < FFALIGN(avctx->width, 2) * FFALIGN(avctx->height, 2) * 3LL / 2) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } @@ -145,7 +145,7 @@ static int dxtory_decode_v1_444(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3L) { + if (src_size < avctx->width * avctx->height * 3LL) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 8e931fddeb..001a404389 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -63,7 +63,7 @@ typedef enum { #define EAC3_SR_CODE_REDUCED 3 -void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) +static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) { int bin, bnd, ch, i; uint8_t wrapflag[SPX_MAX_BANDS]={1,0,}, num_copy_sections, copy_sizes[SPX_MAX_BANDS]; @@ -101,7 +101,7 @@ void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) for (i = 0; i < num_copy_sections; i++) { memcpy(&s->transform_coeffs[ch][bin], &s->transform_coeffs[ch][s->spx_dst_start_freq], - copy_sizes[i]*sizeof(float)); + copy_sizes[i]*sizeof(INTFLOAT)); bin += copy_sizes[i]; } @@ -124,7 +124,7 @@ void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) bin = s->spx_src_start_freq - 2; for (bnd = 0; bnd < s->num_spx_bands; bnd++) { if (wrapflag[bnd]) { - float *coeffs = &s->transform_coeffs[ch][bin]; + INTFLOAT *coeffs = &s->transform_coeffs[ch][bin]; coeffs[0] *= atten_tab[0]; coeffs[1] *= atten_tab[1]; coeffs[2] *= atten_tab[2]; @@ -142,6 +142,11 @@ void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) for (bnd = 0; bnd < s->num_spx_bands; bnd++) { float nscale = s->spx_noise_blend[ch][bnd] * rms_energy[bnd] * (1.0f / INT32_MIN); float sscale = s->spx_signal_blend[ch][bnd]; +#if USE_FIXED + // spx_noise_blend and spx_signal_blend are both FP.23 + nscale *= 1.0 / (1<<23); + sscale *= 1.0 / (1<<23); +#endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); s->transform_coeffs[ch][bin] *= sscale; @@ -195,7 +200,7 @@ static void idct6(int pre_mant[6]) pre_mant[5] = even0 - odd0; } -void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) +static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) { int bin, blk, gs; int end_bap, gaq_mode; @@ -247,7 +252,7 @@ void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) /* Vector Quantization */ int v = get_bits(gbc, bits); for (blk = 0; blk < 6; blk++) { - s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8; + s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8); } } else { /* Gain Adaptive Quantization */ @@ -266,16 +271,16 @@ void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) int b; int mbits = bits - (2 - log_gain); mant = get_sbits(gbc, mbits); - mant <<= (23 - (mbits - 1)); + mant = ((unsigned)mant) << (23 - (mbits - 1)); /* remap mantissa value to correct for asymmetric quantization */ if (mant >= 0) b = 1 << (23 - log_gain); else - b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8; + b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8); mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ - mant <<= 24 - bits; + mant *= (1 << 24 - bits); if (!log_gain) { /* remap mantissa value for no GAQ or Gk=1 */ mant += (ff_eac3_gaq_remap_1[hebap-8] * (int64_t)mant) >> 15; @@ -288,7 +293,7 @@ void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) } } -int ff_eac3_parse_header(AC3DecodeContext *s) +static int ff_eac3_parse_header(AC3DecodeContext *s) { int i, blk, ch; int ac3_exponent_strategy, parse_aht_info, parse_spx_atten_data; diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index 711363ca29..c3cbeef3d1 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -151,6 +151,11 @@ static inline int decode_block_intra(MadContext *s, int16_t * block) break; } else if (level != 0) { i += run; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); + return -1; + } j = scantable[i]; level = (level*quant_matrix[j]) >> 4; level = (level-1)|1; @@ -165,6 +170,11 @@ static inline int decode_block_intra(MadContext *s, int16_t * block) run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6); i += run; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); + return -1; + } j = scantable[i]; if (level < 0) { level = -level; @@ -176,10 +186,6 @@ static inline int decode_block_intra(MadContext *s, int16_t * block) level = (level-1)|1; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return -1; - } block[j] = level; } @@ -278,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx, if (avctx->width != width || avctx->height != height) { av_frame_unref(s->last_frame); - if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb)) + if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb)) return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 864291a95c..2c92d5027d 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -93,7 +93,7 @@ static inline void tqi_idct_put(TqiContext *t, AVFrame *frame, int16_t (*block)[ static void tqi_calculate_qtable(MpegEncContext *s, int quant) { - const int qscale = (215 - 2*quant)*5; + const int64_t qscale = (215 - 2*quant)*5; int i; s->intra_matrix[0] = (ff_inv_aanscales[0]*ff_mpeg1_default_intra_matrix[0])>>11; for(i=1; i<64; i++) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 2ba4a68a98..1210eb0b48 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -377,14 +377,19 @@ static void guess_mv(ERContext *s) #define MV_UNCHANGED 1 const int mb_stride = s->mb_stride; const int mb_width = s->mb_width; - const int mb_height = s->mb_height; + int mb_height = s->mb_height; int i, depth, num_avail; int mb_x, mb_y, mot_step, mot_stride; + if (s->last_pic.f && s->last_pic.f->data[0]) + mb_height = FFMIN(mb_height, (s->last_pic.f->height+15)>>4); + if (s->next_pic.f && s->next_pic.f->data[0]) + mb_height = FFMIN(mb_height, (s->next_pic.f->height+15)>>4); + set_mv_strides(s, &mot_step, &mot_stride); num_avail = 0; - for (i = 0; i < s->mb_num; i++) { + for (i = 0; i < mb_width * mb_height; i++) { const int mb_xy = s->mb_index2xy[i]; int f = 0; int error = s->error_status_table[mb_xy]; @@ -409,7 +414,7 @@ static void guess_mv(ERContext *s) if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) || num_avail <= mb_width / 2) { - for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; int mv_dir = (s->last_pic.f && s->last_pic.f->data[0]) ? MV_DIR_FORWARD : MV_DIR_BACKWARD; @@ -438,7 +443,7 @@ static void guess_mv(ERContext *s) int score_sum = 0; changed = 0; - for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; int mv_predictor[8][2] = { { 0 } }; @@ -671,7 +676,7 @@ skip_last_mv: if (none_left) return; - for (i = 0; i < s->mb_num; i++) { + for (i = 0; i < mb_width * mb_height; i++) { int mb_xy = s->mb_index2xy[i]; if (fixed[mb_xy]) fixed[mb_xy] = MV_FROZEN; diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 62e8521adc..694e18757f 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -186,9 +186,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf) * * @return normalized 16-bit unsigned int */ -static inline uint16_t exr_flt2uint(uint32_t v) +static inline uint16_t exr_flt2uint(int32_t v) { - unsigned int exp = v >> 23; + int32_t exp = v >> 23; // "HACK": negative values result in exp< 0, so clipping them to 0 // is also handled by this condition, avoids explicit check for sign bit. if (exp <= 127 + 7 - 24) // we would shift out all bits anyway @@ -460,7 +460,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, lc += 8; \ } -#define get_code(po, rlc, c, lc, gb, out, oe) \ +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \ { \ if (po == rlc) { \ if (lc < 8) \ @@ -469,7 +469,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, \ cs = c >> lc; \ \ - if (out + cs > oe) \ + if (out + cs > oe || out == outb) \ return AVERROR_INVALIDDATA; \ \ s = out[-1]; \ @@ -502,7 +502,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { int j; @@ -519,7 +519,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if ((hcode[pl.p[j]] >> 6) == ((c >> (lc - l)) & ((1LL << l) - 1))) { lc -= l; - get_code(pl.p[j], rlc, c, lc, gb, out, oe); + get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); break; } } @@ -540,7 +540,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { return AVERROR_INVALIDDATA; } @@ -847,7 +847,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, line_offset = AV_RL64(s->gb.buffer + jobnr * 8); // Check if the buffer has the required bytes needed from the offset - if (line_offset > buf_size - 8) + if (buf_size < 8 || line_offset > buf_size - 8) return AVERROR_INVALIDDATA; src = buf + line_offset + 8; @@ -856,7 +856,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, return AVERROR_INVALIDDATA; data_size = AV_RL32(src - 4); - if (data_size <= 0 || data_size > buf_size) + if (data_size <= 0 || data_size > buf_size - line_offset - 8) return AVERROR_INVALIDDATA; s->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); @@ -1011,6 +1011,22 @@ static int decode_header(EXRContext *s) int current_channel_offset = 0; int magic_number, version, flags, i; + s->xmin = ~0; + s->xmax = ~0; + s->ymin = ~0; + s->ymax = ~0; + s->xdelta = ~0; + s->ydelta = ~0; + s->channel_offsets[0] = -1; + s->channel_offsets[1] = -1; + s->channel_offsets[2] = -1; + s->channel_offsets[3] = -1; + s->pixel_type = EXR_UNKNOWN; + s->compression = EXR_UNKN; + s->nb_channels = 0; + s->w = 0; + s->h = 0; + if (bytestream2_get_bytes_left(&s->gb) < 10) { av_log(s->avctx, AV_LOG_ERROR, "Header too short to parse.\n"); return AVERROR_INVALIDDATA; @@ -1351,21 +1367,6 @@ static av_cold int decode_init(AVCodecContext *avctx) float one_gamma = 1.0f / s->gamma; s->avctx = avctx; - s->xmin = ~0; - s->xmax = ~0; - s->ymin = ~0; - s->ymax = ~0; - s->xdelta = ~0; - s->ydelta = ~0; - s->channel_offsets[0] = -1; - s->channel_offsets[1] = -1; - s->channel_offsets[2] = -1; - s->channel_offsets[3] = -1; - s->pixel_type = EXR_UNKNOWN; - s->compression = EXR_UNKN; - s->nb_channels = 0; - s->w = 0; - s->h = 0; if ( one_gamma > 0.9999f && one_gamma < 1.0001f ) { for ( i = 0; i < 65536; ++i ) { diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 155f78da66..ba7096d3b1 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -251,7 +251,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs) PutBitContext pb; int run, mode = ~0, pix_left = width, run_idx = 0; - init_put_bits(&pb, dst, size * 8); + init_put_bits(&pb, dst, size); while (pix_left > 0) { run = runs[run_idx++]; mode = ~mode; diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index ab58a6074f..89c4e61d17 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -66,7 +66,7 @@ av_cold int ffv1_common_init(AVCodecContext *avctx) av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) { - int j; + int j, i; fs->plane_count = f->plane_count; fs->transparency = f->transparency; @@ -80,10 +80,15 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) if (!p->state) return AVERROR(ENOMEM); } else { - if (!p->vlc_state) - p->vlc_state = av_malloc_array(p->context_count, sizeof(VlcState)); - if (!p->vlc_state) - return AVERROR(ENOMEM); + if (!p->vlc_state) { + p->vlc_state = av_mallocz_array(p->context_count, sizeof(VlcState)); + if (!p->vlc_state) + return AVERROR(ENOMEM); + for (i = 0; i < p->context_count; i++) { + p->vlc_state[i].error_sum = 4; + p->vlc_state[i].count = 1; + } + } } } @@ -101,7 +106,7 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) av_cold int ffv1_init_slices_state(FFV1Context *f) { int i, ret; - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = f->slice_context[i]; if ((ret = ffv1_init_slice_state(f, fs)) < 0) return AVERROR(ENOMEM); @@ -113,10 +118,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f) { int i; - f->slice_count = f->num_h_slices * f->num_v_slices; - av_assert0(f->slice_count > 0); + f->max_slice_count = f->num_h_slices * f->num_v_slices; + av_assert0(f->max_slice_count > 0); - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = av_mallocz(sizeof(*fs)); int sx = i % f->num_h_slices; int sy = i / f->num_h_slices; @@ -201,7 +206,7 @@ av_cold int ffv1_close(AVCodecContext *avctx) ff_thread_release_buffer(avctx, &s->last_picture); av_frame_free(&s->last_picture.f); - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *fs = s->slice_context[j]; for (i = 0; i < s->plane_count; i++) { PlaneContext *p = &fs->plane[i]; @@ -215,14 +220,14 @@ av_cold int ffv1_close(AVCodecContext *avctx) av_freep(&avctx->stats_out); for (j = 0; j < s->quant_table_count; j++) { av_freep(&s->initial_states[j]); - for (i = 0; i < s->slice_count; i++) { + for (i = 0; i < s->max_slice_count; i++) { FFV1Context *sf = s->slice_context[i]; av_freep(&sf->rc_stat2[j]); } av_freep(&s->rc_stat2[j]); } - for (i = 0; i < s->slice_count; i++) + for (i = 0; i < s->max_slice_count; i++) av_freep(&s->slice_context[i]); return 0; diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h index 5081397f54..cc354c385e 100644 --- a/libavcodec/ffv1.h +++ b/libavcodec/ffv1.h @@ -117,6 +117,7 @@ typedef struct FFV1Context { struct FFV1Context *slice_context[MAX_SLICES]; int slice_count; + int max_slice_count; int num_v_slices; int num_h_slices; int slice_width; diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index c408f16106..0b8eef9384 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -45,10 +45,14 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state, if (get_rac(c, state + 0)) return 0; else { - int i, e, a; + int i, e; + unsigned a; e = 0; - while (get_rac(c, state + 1 + FFMIN(e, 9))) // 1..10 + while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; + } a = 1; for (i = e - 1; i >= 0; i--) @@ -303,7 +307,7 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0); - if (idx > (unsigned)f->quant_table_count) { + if (idx >= (unsigned)f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n"); return -1; } @@ -406,6 +410,7 @@ static int decode_slice(AVCodecContext *c, void *arg) if (ffv1_init_slice_state(f, fs) < 0) return AVERROR(ENOMEM); if (decode_slice_header(f, fs) < 0) { + fs->slice_x = fs->slice_y = fs->slice_height = fs->slice_width = 0; fs->slice_damaged = 1; return AVERROR_INVALIDDATA; } @@ -475,7 +480,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale) memset(state, 128, sizeof(state)); for (v = 0; i < 128; v++) { - unsigned len = get_symbol(c, state, 0) + 1; + unsigned len = get_symbol(c, state, 0) + 1U; if (len > 128 - i) return AVERROR_INVALIDDATA; @@ -500,7 +505,10 @@ static int read_quant_tables(RangeCoder *c, int context_count = 1; for (i = 0; i < 5; i++) { - context_count *= read_quant_table(c, quant_table[i], context_count); + int ret = read_quant_table(c, quant_table[i], context_count); + if (ret < 0) + return ret; + context_count *= ret; if (context_count > 32768U) { return AVERROR_INVALIDDATA; } @@ -546,6 +554,12 @@ static int read_extra_header(FFV1Context *f) f->num_h_slices = 1 + get_symbol(c, state, 0); f->num_v_slices = 1 + get_symbol(c, state, 0); + if (f->chroma_h_shift > 4U || f->chroma_v_shift > 4U) { + av_log(f->avctx, AV_LOG_ERROR, "chroma shift parameters %d %d are invalid\n", + f->chroma_h_shift, f->chroma_v_shift); + return AVERROR_INVALIDDATA; + } + if (f->num_h_slices > (unsigned)f->width || !f->num_h_slices || f->num_v_slices > (unsigned)f->height || !f->num_v_slices ) { @@ -554,8 +568,11 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { + av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); + f->quant_table_count = 0; return AVERROR_INVALIDDATA; + } for (i = 0; i < f->quant_table_count; i++) { f->context_count[i] = read_quant_tables(c, f->quant_tables[i]); @@ -651,6 +668,12 @@ static int read_header(FFV1Context *f) } } + if (chroma_h_shift > 4U || chroma_v_shift > 4U) { + av_log(f->avctx, AV_LOG_ERROR, "chroma shift parameters %d %d are invalid\n", + chroma_h_shift, chroma_v_shift); + return AVERROR_INVALIDDATA; + } + f->colorspace = colorspace; f->avctx->bits_per_raw_sample = bits_per_raw_sample; f->chroma_planes = chroma_planes; @@ -758,12 +781,13 @@ static int read_header(FFV1Context *f) av_log(f->avctx, AV_LOG_ERROR, "read_quant_table error\n"); return AVERROR_INVALIDDATA; } + f->slice_count = f->max_slice_count; } else if (f->version < 3) { f->slice_count = get_symbol(c, state, 0); } else { const uint8_t *p = c->bytestream_end; for (f->slice_count = 0; - f->slice_count < MAX_SLICES && 3 < p - c->bytestream_start; + f->slice_count < MAX_SLICES && 3 + 5*!!f->ec < p - c->bytestream_start; f->slice_count++) { int trailer = 3 + 5*!!f->ec; int size = AV_RB24(p-trailer); @@ -772,8 +796,8 @@ static int read_header(FFV1Context *f) p -= size + trailer; } } - if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0) { - av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid\n", f->slice_count); + if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0 || f->slice_count > f->max_slice_count) { + av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid (max=%d)\n", f->slice_count, f->max_slice_count); return AVERROR_INVALIDDATA; } @@ -915,6 +939,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac else v = buf_p - c->bytestream_start; if (buf_p - c->bytestream_start < v) { av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n"); + ff_thread_report_progress(&f->picture, INT_MAX, 0); return AVERROR_INVALIDDATA; } buf_p -= v; @@ -955,16 +980,23 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac FFV1Context *fs = f->slice_context[i]; int j; if (fs->slice_damaged && f->last_picture.f->data[0]) { + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); const uint8_t *src[4]; uint8_t *dst[4]; ff_thread_await_progress(&f->last_picture, INT_MAX, 0); - for (j = 0; j < 4; j++) { + for (j = 0; j < desc->nb_components; j++) { int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0; int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0; dst[j] = p->data[j] + p->linesize[j] * (fs->slice_y >> sv) + (fs->slice_x >> sh); src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] * (fs->slice_y >> sv) + (fs->slice_x >> sh); + + } + if (desc->flags & AV_PIX_FMT_FLAG_PAL || + desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) { + dst[1] = p->data[1]; + src[1] = f->last_picture.f->data[1]; } av_image_copy(dst, p->linesize, (const uint8_t **)src, f->last_picture.f->linesize, @@ -996,6 +1028,7 @@ static int init_thread_copy(AVCodecContext *avctx) f->picture.f = NULL; f->last_picture.f = NULL; f->sample_buffer = NULL; + f->max_slice_count = 0; f->slice_count = 0; for (i = 0; i < f->quant_table_count; i++) { @@ -1066,7 +1099,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) av_assert0(!fdst->sample_buffer); } - av_assert1(fdst->slice_count == fsrc->slice_count); + av_assert1(fdst->max_slice_count == fsrc->max_slice_count); ff_thread_release_buffer(dst, &fdst->picture); diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index e2d3707710..924999d4e5 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -166,7 +166,7 @@ static void find_best_state(uint8_t best_state[256][256], best_len[k] = len; best_state[i][k] = j; } - for (m = 0; m < 256; m++) + for (m = 1; m < 256; m++) if (occ[m]) { newocc[ one_state[ m]] += occ[m] * p; newocc[256 - one_state[256 - m]] += occ[m] * (1 - p); @@ -961,6 +961,7 @@ slices_ok: if ((ret = ffv1_init_slice_contexts(s)) < 0) return ret; + s->slice_count = s->max_slice_count; if ((ret = ffv1_init_slices_state(s)) < 0) return ret; @@ -970,7 +971,7 @@ slices_ok: if (!avctx->stats_out) return AVERROR(ENOMEM); for (i = 0; i < s->quant_table_count; i++) - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *sf = s->slice_context[j]; av_assert0(!sf->rc_stat2[i]); sf->rc_stat2[i] = av_mallocz(s->context_count[i] * @@ -1177,7 +1178,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, FFV1Context *f = avctx->priv_data; RangeCoder *const c = &f->slice_context[0]->c; AVFrame *const p = f->picture.f; - int used_count = 0; uint8_t keystate = 128; uint8_t *buf_p; int i, ret; @@ -1194,6 +1194,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, for (i = 0; i < f->quant_table_count; i++) memset(f->rc_stat2[i], 0, f->context_count[i] * sizeof(*f->rc_stat2[i])); + av_assert0(f->slice_count == f->max_slice_count); for (j = 0; j < f->slice_count; j++) { FFV1Context *fs = f->slice_context[j]; for (i = 0; i < 256; i++) { @@ -1261,11 +1262,17 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, } } - for (i = 1; i < f->slice_count; i++) { + for (i = 0; i < f->slice_count; i++) { FFV1Context *fs = f->slice_context[i]; - uint8_t *start = pkt->data + (pkt->size - used_count) * (int64_t)i / f->slice_count; + uint8_t *start = pkt->data + pkt->size * (int64_t)i / f->slice_count; int len = pkt->size / f->slice_count; - ff_init_range_encoder(&fs->c, start, len); + if (i) { + ff_init_range_encoder(&fs->c, start, len); + } else { + av_assert0(fs->c.bytestream_end >= fs->c.bytestream_start + len); + av_assert0(fs->c.bytestream < fs->c.bytestream_start + len); + fs->c.bytestream_end = fs->c.bytestream_start + len; + } } avctx->execute(avctx, encode_slice, &f->slice_context[0], NULL, f->slice_count, sizeof(void *)); diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 5615e69abc..4225a48ddc 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -81,26 +81,26 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { - const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; - const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; - const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; - const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const int t4 = 5793 * (t2 + t0 + 0x800 >> 12); - const int t5 = 5793 * (t3 + t1 + 0x800 >> 12); - const int t6 = t2 - t0; - const int t7 = t3 - t1; - const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; - const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd; - const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd; - blk[0 * step] = ( t4 + t9 + tB) >> shift; - blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; - blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; - blk[3 * step] = ( t5 - t9 + tB) >> shift; - blk[4 * step] = ( -t5 - t9 + tB) >> shift; - blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift; - blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift; - blk[7 * step] = ( -t4 + t9 + tB) >> shift; + const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; + const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; + const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; + const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; + const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12); + const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12); + const unsigned t6 = t2 - t0; + const unsigned t7 = t3 - t1; + const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; + const unsigned t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; + const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; + blk[0 * step] = (int)( t4 + t9 + tB) >> shift; + blk[1 * step] = (int)( t6 + t7 + t8 + tA) >> shift; + blk[2 * step] = (int)( t6 - t7 - t8 + tA) >> shift; + blk[3 * step] = (int)( t5 - t9 + tB) >> shift; + blk[4 * step] = (int)( -t5 - t9 + tB) >> shift; + blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift; + blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift; + blk[7 * step] = (int)( -t4 + t9 + tB) >> shift; } static void fic_idct_put(uint8_t *dst, int stride, int16_t *block) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index a031dbfc62..33efda53ca 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -579,10 +579,12 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, temp = curr->next; av_freep(&curr->link_penalty); av_free(curr); + fpc->nb_headers_buffered--; } fpc->headers = fpc->best_header->next; av_freep(&fpc->best_header->link_penalty); av_freep(&fpc->best_header); + fpc->nb_headers_buffered--; } /* Find and score new headers. */ @@ -697,7 +699,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, handle_error: *poutbuf = NULL; *poutbuf_size = 0; - return read_end - buf; + return buf_size ? read_end - buf : 0; } static av_cold int flac_parse_init(AVCodecParserContext *c) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index c9dbc14726..407933e80c 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -194,12 +194,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { if (buf_end - buf < 4) - return 0; + return AVERROR_INVALIDDATA; flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ - return 0; + return AVERROR_INVALIDDATA; } buf += metadata_size; } while (!metadata_last); @@ -261,7 +261,8 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, int pred_order, int bps) { const int blocksize = s->blocksize; - int av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d), i; + unsigned av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d); + int i; int ret; /* warm up samples */ @@ -279,7 +280,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, if (pred_order > 2) c = b - decoded[pred_order-2] + decoded[pred_order-3]; if (pred_order > 3) - d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - decoded[pred_order-4]; + d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4]; switch (pred_order) { case 0: @@ -402,10 +403,10 @@ static inline int decode_subframe(FLACContext *s, int channel) return AVERROR_INVALIDDATA; } - if (wasted) { + if (wasted && wasted < 32) { int i; for (i = 0; i < s->blocksize; i++) - decoded[i] <<= wasted; + decoded[i] = (unsigned)decoded[i] << wasted; } return 0; @@ -473,10 +474,10 @@ static int decode_frame(FLACContext *s) ret = allocate_buffers(s); if (ret < 0) return ret; - ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps); s->got_streaminfo = 1; dump_headers(s->avctx, (FLACStreaminfo *)s); } + ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps); // dump_headers(s->avctx, (FLACStreaminfo *)s); diff --git a/libavcodec/flacdsp_template.c b/libavcodec/flacdsp_template.c index 62c0a15ff6..776c78da71 100644 --- a/libavcodec/flacdsp_template.c +++ b/libavcodec/flacdsp_template.c @@ -56,7 +56,7 @@ static void FUNC(flac_decorrelate_indep_c)(uint8_t **out, int32_t **in, for (j = 0; j < len; j++) for (i = 0; i < channels; i++) - S(samples, i, j) = in[i][j] << shift; + S(samples, i, j) = (int)((unsigned)in[i][j] << shift); } static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in, diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c index 3b72888966..6ad6fd2f81 100644 --- a/libavcodec/flacenc.c +++ b/libavcodec/flacenc.c @@ -916,7 +916,7 @@ static int count_frame_header(FlacEncodeContext *s) count += 16; /* explicit sample rate */ - count += ((s->sr_code[0] == 12) + (s->sr_code[0] > 12)) * 8; + count += ((s->sr_code[0] == 12) + (s->sr_code[0] > 12) * 2) * 8; /* frame header CRC-8 */ count += 8; diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index 8791a2d750..f777f24e19 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -413,6 +413,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } if (has_diff) { + if (size < 3) { + av_log(avctx, AV_LOG_ERROR, "size too small for diff\n"); + return AVERROR_INVALIDDATA; + } if (!s->keyframe) { av_log(avctx, AV_LOG_ERROR, "Inter frame without keyframe\n"); @@ -440,6 +444,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, int row = get_bits(&gb, 8); av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n", i, j, col, row); + if (size < 3) { + av_log(avctx, AV_LOG_ERROR, "size too small for zlibprime_curr\n"); + return AVERROR_INVALIDDATA; + } size -= 2; avpriv_request_sample(avctx, "zlibprime_curr"); return AVERROR_PATCHWELCOME; diff --git a/libavcodec/flashsv2enc.c b/libavcodec/flashsv2enc.c index 9735a13331..b6c9453f42 100644 --- a/libavcodec/flashsv2enc.c +++ b/libavcodec/flashsv2enc.c @@ -287,7 +287,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size) if (buf_size < 5) return -1; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, (s->block_width >> 4) - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c index 7ad15f118f..2b6a25e96b 100644 --- a/libavcodec/flashsvenc.c +++ b/libavcodec/flashsvenc.c @@ -111,7 +111,7 @@ static av_cold int flashsv_encode_init(AVCodecContext *avctx) if (avctx->width > 4095 || avctx->height > 4095) { av_log(avctx, AV_LOG_ERROR, - "Input dimensions too large, input must be max 4096x4096 !\n"); + "Input dimensions too large, input must be max 4095x4095 !\n"); return AVERROR_INVALIDDATA; } @@ -151,7 +151,7 @@ static int encode_bitstream(FlashSVContext *s, const AVFrame *p, uint8_t *buf, int buf_pos, res; int pred_blocks = 0; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, block_width / 16 - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 5bd5fb60ca..67465a5bc9 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -202,6 +202,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, num_chunks = bytestream2_get_le16(&g2); bytestream2_skip(&g2, 8); /* skip padding */ + if (frame_size < 16) + return AVERROR_INVALIDDATA; + frame_size -= 16; /* iterate through the chunks */ @@ -272,10 +275,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else if ((line_packets & 0xC000) == 0x4000) { av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); @@ -324,6 +331,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_LC: /* line compressed */ starting_line = bytestream2_get_le16(&g2); + if (starting_line >= s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr = 0; y_ptr += starting_line * s->frame->linesize[0]; @@ -520,6 +529,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, if (frame_size > buf_size) frame_size = buf_size; + if (frame_size < 16) + return AVERROR_INVALIDDATA; frame_size -= 16; /* iterate through the chunks */ @@ -556,9 +567,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else { compressed_lines--; diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 1004e1921e..16f46e2125 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -736,8 +736,10 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, } c->tile_width = bytestream2_get_be32(&bc); c->tile_height = bytestream2_get_be32(&bc); - if (!c->tile_width || !c->tile_height || - ((c->tile_width | c->tile_height) & 0xF)) { + if (c->tile_width <= 0 || c->tile_height <= 0 || + ((c->tile_width | c->tile_height) & 0xF) || + c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 + ) { av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions %dx%d\n", c->tile_width, c->tile_height); @@ -867,6 +869,8 @@ header_fail: c->height = 0; c->tiles_x = c->tiles_y = 0; + c->tile_width = + c->tile_height = 0; return ret; } diff --git a/libavcodec/g726.c b/libavcodec/g726.c index b0331d8643..858d70a000 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c @@ -207,7 +207,7 @@ static int16_t g726_decode(G726Context* c, int I) if (I_sig) /* get the sign */ dq = -dq; - re_signal = c->se + dq; + re_signal = (int16_t)(c->se + dq); /* Update second order predictor coefficient A2 and A1 */ pk0 = (c->sez + dq) ? sgn(c->sez + dq) : 0; @@ -270,7 +270,7 @@ static int16_t g726_decode(G726Context* c, int I) c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]); c->se >>= 1; - return av_clip(re_signal << 2, -0xffff, 0xffff); + return av_clip(re_signal * 4, -0xffff, 0xffff); } static av_cold int g726_reset(G726Context *c) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index b9dec4fe35..8a40aeeae7 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -374,6 +374,10 @@ static inline uint64_t get_bits64(GetBitContext *s, int n) */ static inline int get_sbits_long(GetBitContext *s, int n) { + // sign_extend(x, 0) is undefined + if (!n) + return 0; + return sign_extend(get_bits_long(s, n), n); } diff --git a/libavcodec/gif.c b/libavcodec/gif.c index 27d054e512..b56d58c4df 100644 --- a/libavcodec/gif.c +++ b/libavcodec/gif.c @@ -43,6 +43,7 @@ typedef struct { const AVClass *class; LZWState *lzw; uint8_t *buf; + int buf_size; AVFrame *last_frame; int flags; uint32_t palette[AVPALETTE_COUNT]; ///< local reference palette for !pal8 @@ -105,7 +106,7 @@ static int gif_image_write_image(AVCodecContext *avctx, /* skip common columns */ while (x_start < x_end) { int same_column = 1; - for (y = y_start; y < y_end; y++) { + for (y = y_start; y <= y_end; y++) { if (ref[y*ref_linesize + x_start] != buf[y*linesize + x_start]) { same_column = 0; break; @@ -117,7 +118,7 @@ static int gif_image_write_image(AVCodecContext *avctx, } while (x_end > x_start) { int same_column = 1; - for (y = y_start; y < y_end; y++) { + for (y = y_start; y <= y_end; y++) { if (ref[y*ref_linesize + x_end] != buf[y*linesize + x_end]) { same_column = 0; break; @@ -168,7 +169,7 @@ static int gif_image_write_image(AVCodecContext *avctx, bytestream_put_byte(bytestream, 0x08); - ff_lzw_encode_init(s->lzw, s->buf, 2 * width * height, + ff_lzw_encode_init(s->lzw, s->buf, s->buf_size, 12, FF_LZW_GIF, put_bits); ptr = buf + y_start*linesize + x_start; @@ -224,7 +225,8 @@ static av_cold int gif_encode_init(AVCodecContext *avctx) avctx->coded_frame->key_frame = 1; s->lzw = av_mallocz(ff_lzw_encode_state_size); - s->buf = av_malloc(avctx->width*avctx->height*2); + s->buf_size = avctx->width*avctx->height*2 + 1000; + s->buf = av_malloc(s->buf_size); s->tmpl = av_malloc(avctx->width); if (!s->tmpl || !s->buf || !s->lzw) return AVERROR(ENOMEM); @@ -283,6 +285,7 @@ static int gif_encode_close(AVCodecContext *avctx) av_freep(&s->lzw); av_freep(&s->buf); + s->buf_size = 0; av_frame_free(&s->last_frame); av_freep(&s->tmpl); return 0; diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index dee48f56af..9ba436e14c 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -271,26 +271,21 @@ static int gif_read_image(GifState *s, AVFrame *frame) case 1: y1 += 8; ptr += linesize * 8; - if (y1 >= height) { - y1 = pass ? 2 : 4; - ptr = ptr1 + linesize * y1; - pass++; - } break; case 2: y1 += 4; ptr += linesize * 4; - if (y1 >= height) { - y1 = 1; - ptr = ptr1 + linesize; - pass++; - } break; case 3: y1 += 2; ptr += linesize * 2; break; } + while (y1 >= height) { + y1 = 4 >> pass; + ptr = ptr1 + linesize * y1; + pass++; + } } else { ptr += linesize; } diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 81d8aeef9e..a65c17e326 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -346,8 +346,16 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, if (i < limit - 1) { if (k) { - buf = SHOW_UBITS(re, gb, k); - LAST_SKIP_BITS(re, gb, k); + if (k > MIN_CACHE_BITS - 1) { + buf = SHOW_UBITS(re, gb, 16) << (k-16); + LAST_SKIP_BITS(re, gb, 16); + UPDATE_CACHE(re, gb); + buf |= SHOW_UBITS(re, gb, k-16); + LAST_SKIP_BITS(re, gb, k-16); + } else { + buf = SHOW_UBITS(re, gb, k); + LAST_SKIP_BITS(re, gb, k); + } } else { buf = 0; } diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index b39a63bfa9..e5870faa29 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -336,6 +336,14 @@ static int decode_slice(MpegEncContext *s) s->padding_bug_score += 32; } + if (s->codec_id == AV_CODEC_ID_H263 && + (s->workaround_bugs & FF_BUG_AUTODETECT) && + get_bits_left(&s->gb) >= 64 && + AV_RB64(s->gb.buffer_end - 8) == 0xCDCDCDCDFC7F0000) { + + s->padding_bug_score += 32; + } + if (s->workaround_bugs & FF_BUG_AUTODETECT) { if (s->padding_bug_score > -2 && !s->data_partitioning) s->workaround_bugs |= FF_BUG_NO_PADDING; diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 69fb047d5a..3fe9e6d905 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -215,18 +215,18 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma) if ((h->left_samples_available & 0x8080) != 0x8080) { mode = left[mode]; - if (is_chroma && (h->left_samples_available & 0x8080)) { - // mad cow disease mode, aka MBAFF + constrained_intra_pred - mode = ALZHEIMER_DC_L0T_PRED8x8 + - (!(h->left_samples_available & 0x8000)) + - 2 * (mode == DC_128_PRED8x8); - } if (mode < 0) { av_log(h->avctx, AV_LOG_ERROR, "left block unavailable for requested intra mode at %d %d\n", h->mb_x, h->mb_y); return AVERROR_INVALIDDATA; } + if (is_chroma && (h->left_samples_available & 0x8080)) { + // mad cow disease mode, aka MBAFF + constrained_intra_pred + mode = ALZHEIMER_DC_L0T_PRED8x8 + + (!(h->left_samples_available & 0x8000)) + + 2 * (mode == DC_128_PRED8x8); + } } return mode; @@ -391,6 +391,7 @@ void ff_h264_free_tables(H264Context *h, int free_rbsp) if (free_rbsp && h->DPB) { for (i = 0; i < H264_MAX_PICTURE_COUNT; i++) ff_h264_unref_picture(h, &h->DPB[i]); + memset(h->delayed_pic, 0, sizeof(h->delayed_pic)); av_freep(&h->DPB); } else if (h->DPB) { for (i = 0; i < H264_MAX_PICTURE_COUNT; i++) @@ -726,8 +727,9 @@ static int decode_init_thread_copy(AVCodecContext *avctx) memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); - h->rbsp_buffer[0] = NULL; - h->rbsp_buffer[1] = NULL; + h->avctx = avctx; + h->rbsp_buffer[0] = NULL; + h->rbsp_buffer[1] = NULL; h->rbsp_buffer_size[0] = 0; h->rbsp_buffer_size[1] = 0; h->context_initialized = 0; @@ -877,7 +879,7 @@ static void decode_postinit(H264Context *h, int setup_finished) if (rotation) { av_display_rotation_set((int32_t *)rotation->data, angle); av_display_matrix_flip((int32_t *)rotation->data, - h->sei_vflip, h->sei_hflip); + h->sei_hflip, h->sei_vflip); } } @@ -990,6 +992,16 @@ int ff_pred_weight_table(H264Context *h) h->luma_log2_weight_denom = get_ue_golomb(&h->gb); if (h->sps.chroma_format_idc) h->chroma_log2_weight_denom = get_ue_golomb(&h->gb); + + if (h->luma_log2_weight_denom > 7U) { + av_log(h->avctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", h->luma_log2_weight_denom); + h->luma_log2_weight_denom = 0; + } + if (h->chroma_log2_weight_denom > 7U) { + av_log(h->avctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", h->chroma_log2_weight_denom); + h->chroma_log2_weight_denom = 0; + } + luma_def = 1 << h->luma_log2_weight_denom; chroma_def = 1 << h->chroma_log2_weight_denom; @@ -1330,43 +1342,6 @@ int ff_set_ref_count(H264Context *h) static const uint8_t start_code[] = { 0x00, 0x00, 0x01 }; -static int find_start_code(const uint8_t *buf, int buf_size, - int buf_index, int next_avc) -{ - // start code prefix search - for (; buf_index + 3 < next_avc; buf_index++) - // This should always succeed in the first iteration. - if (buf[buf_index] == 0 && - buf[buf_index + 1] == 0 && - buf[buf_index + 2] == 1) - break; - - buf_index += 3; - - if (buf_index >= buf_size) - return buf_size; - - return buf_index; -} - -static int get_avc_nalsize(H264Context *h, const uint8_t *buf, - int buf_size, int *buf_index) -{ - int i, nalsize = 0; - - if (*buf_index >= buf_size - h->nal_length_size) - return -1; - - for (i = 0; i < h->nal_length_size; i++) - nalsize = (nalsize << 8) | buf[(*buf_index)++]; - if (nalsize <= 0 || nalsize > buf_size - *buf_index) { - av_log(h->avctx, AV_LOG_ERROR, - "AVC: nal size %d\n", nalsize); - return -1; - } - return nalsize; -} - static int get_bit_length(H264Context *h, const uint8_t *buf, const uint8_t *ptr, int dst_length, int i, int next_avc) @@ -1541,9 +1516,6 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size, continue; again: - if ( !(avctx->active_thread_type & FF_THREAD_FRAME) - || nals_needed >= nal_index) - h->au_pps_id = -1; /* Ignore per frame NAL unit type during extradata * parsing. Decoding slices is not possible in codec init * with frame-mt */ @@ -1579,8 +1551,14 @@ again: ret = -1; goto end; } - if(!idr_cleared) + if(!idr_cleared) { + if (h->current_slice && (avctx->active_thread_type & FF_THREAD_SLICE)) { + av_log(h, AV_LOG_ERROR, "invalid mixed IDR / non IDR frames cannot be decoded in slice multithreading mode\n"); + ret = AVERROR_INVALIDDATA; + goto end; + } idr(h); // FIXME ensure we don't lose some frames if there is reordering + } idr_cleared = 1; h->has_recovery_point = 1; case NAL_SLICE: @@ -1589,6 +1567,10 @@ again: hx->inter_gb_ptr = &hx->gb; hx->data_partitioning = 0; + if ( nals_needed >= nal_index + || (!(avctx->active_thread_type & FF_THREAD_FRAME) && !context_count)) + h->au_pps_id = -1; + if ((err = ff_h264_decode_slice_header(hx, h))) break; @@ -1710,7 +1692,9 @@ again: break; case NAL_SPS: init_get_bits(&h->gb, ptr, bit_length); - if (ff_h264_decode_seq_parameter_set(h) < 0 && (h->is_avc ? nalsize : 1)) { + if (ff_h264_decode_seq_parameter_set(h, 0) >= 0) + break; + if (h->is_avc ? nalsize : 1) { av_log(h->avctx, AV_LOG_DEBUG, "SPS decoding failure, trying again with the complete NAL\n"); if (h->is_avc) @@ -1719,8 +1703,11 @@ again: break; init_get_bits(&h->gb, &buf[buf_index + 1 - consumed], 8*(next_avc - buf_index + consumed - 1)); - ff_h264_decode_seq_parameter_set(h); + if (ff_h264_decode_seq_parameter_set(h, 0) >= 0) + break; } + init_get_bits(&h->gb, ptr, bit_length); + ff_h264_decode_seq_parameter_set(h, 1); break; case NAL_PPS: @@ -1753,8 +1740,14 @@ again: if (err < 0 || err == SLICE_SKIPED) { if (err < 0) av_log(h->avctx, AV_LOG_ERROR, "decode_slice_header error\n"); - h->ref_count[0] = h->ref_count[1] = h->list_count = 0; + hx->ref_count[0] = hx->ref_count[1] = hx->list_count = 0; } else if (err == SLICE_SINGLETHREAD) { + if (context_count > 1) { + ret = ff_h264_execute_decode_slices(h, context_count - 1); + if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE)) + goto end; + context_count = 0; + } /* Slice could not be decoded in parallel mode, copy down * NAL unit stuff to context 0 and restart. Note that * rbsp_buffer is not transferred, but since we no longer @@ -1828,7 +1821,7 @@ static int is_extra(const uint8_t *buf, int buf_size) const uint8_t *p= buf+6; while(cnt--){ int nalsize= AV_RB16(p) + 2; - if(nalsize > buf_size - (p-buf) || p[2]!=0x67) + if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 7) return 0; p += nalsize; } @@ -1837,7 +1830,7 @@ static int is_extra(const uint8_t *buf, int buf_size) return 0; while(cnt--){ int nalsize= AV_RB16(p) + 2; - if(nalsize > buf_size - (p-buf) || p[2]!=0x68) + if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 8) return 0; p += nalsize; } diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 5ec4f0c255..bf9f4e12cb 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -36,6 +36,7 @@ #include "h264dsp.h" #include "h264pred.h" #include "h264qpel.h" +#include "internal.h" // for avpriv_find_start_code() #include "me_cmp.h" #include "mpegutils.h" #include "parser.h" @@ -337,6 +338,7 @@ typedef struct H264Picture { * H264Context */ typedef struct H264Context { + AVClass *av_class; AVCodecContext *avctx; MECmpContext mecc; VideoDSPContext vdsp; @@ -519,6 +521,7 @@ typedef struct H264Context { uint8_t *direct_table; uint8_t direct_cache[5 * 8]; + uint8_t scan_padding[16]; uint8_t zigzag_scan[16]; uint8_t zigzag_scan8x8[64]; uint8_t zigzag_scan8x8_cavlc[64]; @@ -537,6 +540,7 @@ typedef struct H264Context { int mb_x, mb_y; int resync_mb_x; int resync_mb_y; + int mb_index_end; int mb_skip_run; int mb_height, mb_width; int mb_stride; @@ -776,7 +780,7 @@ int ff_h264_decode_sei(H264Context *h); /** * Decode SPS */ -int ff_h264_decode_seq_parameter_set(H264Context *h); +int ff_h264_decode_seq_parameter_set(H264Context *h, int ignore_truncation); /** * compute profile from sps @@ -1092,6 +1096,34 @@ static av_always_inline int get_dct8x8_allowed(H264Context *h) 0x0001000100010001ULL)); } +static inline int find_start_code(const uint8_t *buf, int buf_size, + int buf_index, int next_avc) +{ + uint32_t state = -1; + + buf_index = avpriv_find_start_code(buf + buf_index, buf + next_avc + 1, &state) - buf - 1; + + return FFMIN(buf_index, buf_size); +} + +static inline int get_avc_nalsize(H264Context *h, const uint8_t *buf, + int buf_size, int *buf_index) +{ + int i, nalsize = 0; + + if (*buf_index >= buf_size - h->nal_length_size) + return -1; + + for (i = 0; i < h->nal_length_size; i++) + nalsize = ((unsigned)nalsize << 8) | buf[(*buf_index)++]; + if (nalsize <= 0 || nalsize > buf_size - *buf_index) { + av_log(h->avctx, AV_LOG_ERROR, + "AVC: nal size %d\n", nalsize); + return -1; + } + return nalsize; +} + int ff_h264_field_end(H264Context *h, int in_setup); int ff_h264_ref_picture(H264Context *h, H264Picture *dst, H264Picture *src); diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index c2e183d76b..78a0908853 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1281,7 +1281,7 @@ void ff_h264_init_cabac_states(H264Context *h) { } static int decode_cabac_field_decoding_flag(H264Context *h) { - const long mbb_xy = h->mb_xy - 2L*h->mb_stride; + const int mbb_xy = h->mb_xy - 2*h->mb_stride; unsigned long ctx = 0; @@ -1713,7 +1713,7 @@ decode_cabac_residual_internal(H264Context *h, int16_t *block, \ if( coeff_abs >= 15 ) { \ int j = 0; \ - while(get_cabac_bypass( CC ) && j<30) { \ + while (get_cabac_bypass(CC) && j < 30) { \ j++; \ } \ \ @@ -1721,7 +1721,7 @@ decode_cabac_residual_internal(H264Context *h, int16_t *block, while( j-- ) { \ coeff_abs += coeff_abs + get_cabac_bypass( CC ); \ } \ - coeff_abs+= 14; \ + coeff_abs+= 14U; \ } \ \ if( is_dc ) { \ @@ -1999,6 +1999,7 @@ decode_intra_mb: const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3; const uint8_t *ptr; + int ret; // We assume these blocks are very rare so we do not optimize it. // FIXME The two following lines get the bitstream position in the cabac @@ -2015,7 +2016,9 @@ decode_intra_mb: h->intra_pcm_ptr = ptr; ptr += mb_size; - ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr); + ret = ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr); + if (ret < 0) + return ret; // All blocks are present h->cbp_table[mb_xy] = 0xf7ef; @@ -2308,21 +2311,40 @@ decode_intra_mb: if (CHROMA444(h) && IS_8x8DCT(mb_type)){ int i; uint8_t *nnz_cache = h->non_zero_count_cache; - for (i = 0; i < 2; i++){ - if (h->left_type[LEFT(i)] && !IS_8x8DCT(h->left_type[LEFT(i)])){ - nnz_cache[3+8* 1 + 2*8*i]= - nnz_cache[3+8* 2 + 2*8*i]= - nnz_cache[3+8* 6 + 2*8*i]= - nnz_cache[3+8* 7 + 2*8*i]= - nnz_cache[3+8*11 + 2*8*i]= - nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + if (h->x264_build < 151U) { + for (i = 0; i < 2; i++){ + if (h->left_type[LEFT(i)] && !IS_8x8DCT(h->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + } + } + if (h->top_type && !IS_8x8DCT(h->top_type)){ + uint32_t top_empty = !IS_INTRA(mb_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); + } + } else { + for (i = 0; i < 2; i++){ + if (h->left_type[LEFT(i)] && !IS_8x8DCT(h->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= !IS_INTRA_PCM(h->left_type[LEFT(i)]) ? 0 : 64; + } + } + if (h->top_type && !IS_8x8DCT(h->top_type)){ + uint32_t top_empty = !IS_INTRA_PCM(h->top_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); } - } - if (h->top_type && !IS_8x8DCT(h->top_type)){ - uint32_t top_empty = CABAC(h) && !IS_INTRA(mb_type) ? 0 : 0x40404040; - AV_WN32A(&nnz_cache[4+8* 0], top_empty); - AV_WN32A(&nnz_cache[4+8* 5], top_empty); - AV_WN32A(&nnz_cache[4+8*10], top_empty); } } h->cur_pic.mb_type[mb_xy] = mb_type; diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index 3289fe4700..6b7347b3f8 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -600,7 +600,7 @@ single_col: { const int16_t *mv_col = l1mv[x8 * 3 + y8 * b4_stride]; - int my_col = (mv_col[1] << y_shift) / 2; + int my_col = (mv_col[1] * (1 << y_shift)) / 2; int mx = (scale * mv_col[0] + 128) >> 8; int my = (scale * my_col + 128) >> 8; fill_rectangle(&h->mv_cache[0][scan8[i8 * 4]], 2, 2, 8, diff --git a/libavcodec/h264_mb.c b/libavcodec/h264_mb.c index 7feae5761c..b5ebba10e0 100644 --- a/libavcodec/h264_mb.c +++ b/libavcodec/h264_mb.c @@ -630,7 +630,7 @@ static av_always_inline void hl_decode_mb_predict_luma(H264Context *h, uint8_t *const ptr = dest_y + block_offset[i]; const int dir = h->intra4x4_pred_mode_cache[scan8[i]]; if (transform_bypass && h->sps.profile_idc == 244 && dir <= 1) { - if (h->x264_build != -1) { + if (h->x264_build < 151U) { h->hpc.pred8x8l_add[dir](ptr, h->mb + (i * 16 + p * 256 << pixel_shift), linesize); } else h->hpc.pred8x8l_filter_add[dir](ptr, h->mb + (i * 16 + p * 256 << pixel_shift), diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index 739ff95cfd..c4f10f97e8 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -173,7 +173,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, buf += ctx->length_size; unit_type = *buf & 0x1f; - if (buf + nal_size > buf_end || nal_size < 0) + if (nal_size > buf_end - buf || nal_size < 0) goto fail; if (unit_type == 7 || unit_type == 8) diff --git a/libavcodec/h264_mvpred.h b/libavcodec/h264_mvpred.h index 5f1e9a1ee5..03dc7352fe 100644 --- a/libavcodec/h264_mvpred.h +++ b/libavcodec/h264_mvpred.h @@ -243,7 +243,7 @@ static av_always_inline void pred_8x16_motion(H264Context *const h, if (IS_INTERLACED(type)) { \ refn >>= 1; \ AV_COPY32(mvbuf[idx], mvn); \ - mvbuf[idx][1] <<= 1; \ + mvbuf[idx][1] *= 2; \ mvn = mvbuf[idx]; \ } \ } \ diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 36cf980c8e..d57bf5f60b 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -202,10 +202,10 @@ static int scan_mmco_reset(AVCodecParserContext *s) */ static inline int parse_nal_units(AVCodecParserContext *s, AVCodecContext *avctx, - const uint8_t *buf, int buf_size) + const uint8_t * const buf, int buf_size) { H264Context *h = s->priv_data; - const uint8_t *buf_end = buf + buf_size; + int buf_index, next_avc; unsigned int pps_id; unsigned int slice_type; int state = -1, got_reset = 0; @@ -225,26 +225,26 @@ static inline int parse_nal_units(AVCodecParserContext *s, if (!buf_size) return 0; + buf_index = 0; + next_avc = h->is_avc ? 0 : buf_size; for (;;) { int src_length, dst_length, consumed, nalsize = 0; - if (h->is_avc) { - int i; - if (h->nal_length_size >= buf_end - buf) break; - nalsize = 0; - for (i = 0; i < h->nal_length_size; i++) - nalsize = (nalsize << 8) | *buf++; - if (nalsize <= 0 || nalsize > buf_end - buf) { - av_log(h->avctx, AV_LOG_ERROR, "AVC: nal size %d\n", nalsize); + + if (buf_index >= next_avc) { + nalsize = get_avc_nalsize(h, buf, buf_size, &buf_index); + if (nalsize < 0) break; - } - src_length = nalsize; + next_avc = buf_index + nalsize; } else { - buf = avpriv_find_start_code(buf, buf_end, &state); - if (buf >= buf_end) - break; - --buf; - src_length = buf_end - buf; + buf_index = find_start_code(buf, buf_size, buf_index, next_avc); + if (buf_index >= buf_size) + break; + if (buf_index >= next_avc) + continue; } + src_length = next_avc - buf_index; + + state = buf[buf_index]; switch (state & 0x1f) { case NAL_SLICE: case NAL_IDR_SLICE: @@ -261,14 +261,17 @@ static inline int parse_nal_units(AVCodecParserContext *s, } break; } - ptr = ff_h264_decode_nal(h, buf, &dst_length, &consumed, src_length); + ptr = ff_h264_decode_nal(h, buf + buf_index, &dst_length, + &consumed, src_length); if (!ptr || dst_length < 0) break; + buf_index += consumed; + init_get_bits(&h->gb, ptr, 8 * dst_length); switch (h->nal_unit_type) { case NAL_SPS: - ff_h264_decode_seq_parameter_set(h); + ff_h264_decode_seq_parameter_set(h, 0); break; case NAL_PPS: ff_h264_decode_picture_parameter_set(h, h->gb.size_in_bits); @@ -439,7 +442,6 @@ static inline int parse_nal_units(AVCodecParserContext *s, return 0; /* no need to evaluate the rest */ } - buf += h->is_avc ? nalsize : consumed; } if (q264) return 0; diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 20136704d4..0e8be36413 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -261,12 +261,6 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps) } } - if (get_bits_left(&h->gb) < 0) { - av_log(h->avctx, AV_LOG_ERROR, - "Overread VUI by %d bits\n", -get_bits_left(&h->gb)); - return AVERROR_INVALIDDATA; - } - return 0; } @@ -323,7 +317,7 @@ static void decode_scaling_matrices(H264Context *h, SPS *sps, } } -int ff_h264_decode_seq_parameter_set(H264Context *h) +int ff_h264_decode_seq_parameter_set(H264Context *h, int ignore_truncation) { int profile_idc, level_idc, constraint_set_flags = 0; unsigned int sps_id; @@ -391,7 +385,8 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) "Different chroma and luma bit depth"); goto fail; } - if (sps->bit_depth_luma > 14U || sps->bit_depth_chroma > 14U) { + if (sps->bit_depth_luma < 8 || sps->bit_depth_luma > 14 || + sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 14) { av_log(h->avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", sps->bit_depth_luma, sps->bit_depth_chroma); goto fail; @@ -479,10 +474,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) #endif sps->crop = get_bits1(&h->gb); if (sps->crop) { - int crop_left = get_ue_golomb(&h->gb); - int crop_right = get_ue_golomb(&h->gb); - int crop_top = get_ue_golomb(&h->gb); - int crop_bottom = get_ue_golomb(&h->gb); + unsigned int crop_left = get_ue_golomb(&h->gb); + unsigned int crop_right = get_ue_golomb(&h->gb); + unsigned int crop_top = get_ue_golomb(&h->gb); + unsigned int crop_bottom = get_ue_golomb(&h->gb); int width = 16 * sps->mb_width; int height = 16 * sps->mb_height * (2 - sps->frame_mbs_only_flag); @@ -542,6 +537,13 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) goto fail; } + if (get_bits_left(&h->gb) < 0) { + av_log(h->avctx, ignore_truncation ? AV_LOG_WARNING : AV_LOG_ERROR, + "Overread %s by %d bits\n", sps->vui_parameters_present_flag ? "VUI" : "SPS", -get_bits_left(&h->gb)); + if (!ignore_truncation) + goto fail; + } + if (!sps->sar.den) sps->sar.den = 1; diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 12da9210be..d0a902c06e 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -283,7 +283,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h) long_idx = pic_num_extract(h, pic_id, &pic_structure); - if (long_idx > 31) { + if (long_idx > 31U) { av_log(h->avctx, AV_LOG_ERROR, "long_term_pic_idx overflow\n"); return AVERROR_INVALIDDATA; @@ -707,7 +707,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count) */ if (h->short_ref_count && h->short_ref[0] == h->cur_pic_ptr) { /* Just mark the second field valid */ - h->cur_pic_ptr->reference = PICT_FRAME; + h->cur_pic_ptr->reference |= h->picture_structure; } else if (h->cur_pic_ptr->long_ref) { av_log(h->avctx, AV_LOG_ERROR, "illegal short term reference " "assignment for second field " diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c index aa889b8bba..8e1697a31e 100644 --- a/libavcodec/h264_sei.c +++ b/libavcodec/h264_sei.c @@ -281,7 +281,7 @@ static int decode_display_orientation(H264Context *h) int ff_h264_decode_sei(H264Context *h) { - while (get_bits_left(&h->gb) > 16) { + while (get_bits_left(&h->gb) > 16 && show_bits(&h->gb, 16)) { int type = 0; unsigned size = 0; unsigned next; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 453094a7d4..e0a25b762e 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -278,11 +278,11 @@ static int alloc_picture(H264Context *h, H264Picture *pic) av_pix_fmt_get_chroma_sub_sample(pic->f.format, &h_chroma_shift, &v_chroma_shift); - for(i=0; iavctx->height, v_chroma_shift); i++) { + for(i=0; if.height, v_chroma_shift); i++) { memset(pic->f.data[1] + pic->f.linesize[1]*i, - 0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift)); + 0x80, FF_CEIL_RSHIFT(pic->f.width, h_chroma_shift)); memset(pic->f.data[2] + pic->f.linesize[2]*i, - 0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift)); + 0x80, FF_CEIL_RSHIFT(pic->f.width, h_chroma_shift)); } } @@ -585,6 +585,17 @@ int ff_h264_update_thread_context(AVCodecContext *dst, h->mb_type_pool = NULL; h->ref_index_pool = NULL; h->motion_val_pool = NULL; + h->intra4x4_pred_mode= NULL; + h->non_zero_count = NULL; + h->slice_table_base = NULL; + h->slice_table = NULL; + h->cbp_table = NULL; + h->chroma_pred_mode_table = NULL; + memset(h->mvd_table, 0, sizeof(h->mvd_table)); + h->direct_table = NULL; + h->list_counts = NULL; + h->mb2b_xy = NULL; + h->mb2br_xy = NULL; for (i = 0; i < 2; i++) { h->rbsp_buffer[i] = NULL; h->rbsp_buffer_size[i] = 0; @@ -636,8 +647,11 @@ int ff_h264_update_thread_context(AVCodecContext *dst, h->cur_pic_ptr = REBASE_PICTURE(h1->cur_pic_ptr, h, h1); ff_h264_unref_picture(h, &h->cur_pic); - if (h1->cur_pic.f.buf[0] && (ret = ff_h264_ref_picture(h, &h->cur_pic, &h1->cur_pic)) < 0) - return ret; + if (h1->cur_pic.f.buf[0]) { + ret = ff_h264_ref_picture(h, &h->cur_pic, &h1->cur_pic); + if (ret < 0) + return ret; + } h->workaround_bugs = h1->workaround_bugs; h->low_delay = h1->low_delay; @@ -913,7 +927,7 @@ static void implicit_weight_table(H264Context *h, int field) cur_poc = h->cur_pic_ptr->field_poc[h->picture_structure - 1]; } if (h->ref_count[0] == 1 && h->ref_count[1] == 1 && !FRAME_MBAFF(h) && - h->ref_list[0][0].poc + h->ref_list[1][0].poc == 2 * cur_poc) { + h->ref_list[0][0].poc + (int64_t)h->ref_list[1][0].poc == 2 * cur_poc) { h->use_weight = 0; h->use_weight_chroma = 0; return; @@ -934,7 +948,7 @@ static void implicit_weight_table(H264Context *h, int field) h->chroma_log2_weight_denom = 5; for (ref0 = ref_start; ref0 < ref_count0; ref0++) { - int poc0 = h->ref_list[0][ref0].poc; + int64_t poc0 = h->ref_list[0][ref0].poc; for (ref1 = ref_start; ref1 < ref_count1; ref1++) { int w = 32; if (!h->ref_list[0][ref0].long_ref && !h->ref_list[1][ref1].long_ref) { @@ -1025,76 +1039,79 @@ static int clone_slice(H264Context *dst, H264Context *src) static enum AVPixelFormat get_pixel_format(H264Context *h, int force_callback) { + enum AVPixelFormat pix_fmts[2]; + const enum AVPixelFormat *choices = pix_fmts; + int i; + + pix_fmts[1] = AV_PIX_FMT_NONE; + switch (h->sps.bit_depth_luma) { case 9: if (CHROMA444(h)) { if (h->avctx->colorspace == AVCOL_SPC_RGB) { - return AV_PIX_FMT_GBRP9; + pix_fmts[0] = AV_PIX_FMT_GBRP9; } else - return AV_PIX_FMT_YUV444P9; + pix_fmts[0] = AV_PIX_FMT_YUV444P9; } else if (CHROMA422(h)) - return AV_PIX_FMT_YUV422P9; + pix_fmts[0] = AV_PIX_FMT_YUV422P9; else - return AV_PIX_FMT_YUV420P9; + pix_fmts[0] = AV_PIX_FMT_YUV420P9; break; case 10: if (CHROMA444(h)) { if (h->avctx->colorspace == AVCOL_SPC_RGB) { - return AV_PIX_FMT_GBRP10; + pix_fmts[0] = AV_PIX_FMT_GBRP10; } else - return AV_PIX_FMT_YUV444P10; + pix_fmts[0] = AV_PIX_FMT_YUV444P10; } else if (CHROMA422(h)) - return AV_PIX_FMT_YUV422P10; + pix_fmts[0] = AV_PIX_FMT_YUV422P10; else - return AV_PIX_FMT_YUV420P10; + pix_fmts[0] = AV_PIX_FMT_YUV420P10; break; case 12: if (CHROMA444(h)) { if (h->avctx->colorspace == AVCOL_SPC_RGB) { - return AV_PIX_FMT_GBRP12; + pix_fmts[0] = AV_PIX_FMT_GBRP12; } else - return AV_PIX_FMT_YUV444P12; + pix_fmts[0] = AV_PIX_FMT_YUV444P12; } else if (CHROMA422(h)) - return AV_PIX_FMT_YUV422P12; + pix_fmts[0] = AV_PIX_FMT_YUV422P12; else - return AV_PIX_FMT_YUV420P12; + pix_fmts[0] = AV_PIX_FMT_YUV420P12; break; case 14: if (CHROMA444(h)) { if (h->avctx->colorspace == AVCOL_SPC_RGB) { - return AV_PIX_FMT_GBRP14; + pix_fmts[0] = AV_PIX_FMT_GBRP14; } else - return AV_PIX_FMT_YUV444P14; + pix_fmts[0] = AV_PIX_FMT_YUV444P14; } else if (CHROMA422(h)) - return AV_PIX_FMT_YUV422P14; + pix_fmts[0] = AV_PIX_FMT_YUV422P14; else - return AV_PIX_FMT_YUV420P14; + pix_fmts[0] = AV_PIX_FMT_YUV420P14; break; case 8: if (CHROMA444(h)) { - if (h->avctx->colorspace == AVCOL_SPC_RGB) { - av_log(h->avctx, AV_LOG_DEBUG, "Detected GBR colorspace.\n"); - return AV_PIX_FMT_GBR24P; - } else if (h->avctx->colorspace == AVCOL_SPC_YCGCO) { + if (h->avctx->colorspace == AVCOL_SPC_YCGCO) av_log(h->avctx, AV_LOG_WARNING, "Detected unsupported YCgCo colorspace.\n"); - } - return h->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ444P - : AV_PIX_FMT_YUV444P; + if (h->avctx->colorspace == AVCOL_SPC_RGB) + pix_fmts[0] = AV_PIX_FMT_GBRP; + else if (h->avctx->color_range == AVCOL_RANGE_JPEG) + pix_fmts[0] = AV_PIX_FMT_YUVJ444P; + else + pix_fmts[0] = AV_PIX_FMT_YUV444P; } else if (CHROMA422(h)) { - return h->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ422P - : AV_PIX_FMT_YUV422P; + if (h->avctx->color_range == AVCOL_RANGE_JPEG) + pix_fmts[0] = AV_PIX_FMT_YUVJ422P; + else + pix_fmts[0] = AV_PIX_FMT_YUV422P; } else { - int i; - const enum AVPixelFormat * fmt = h->avctx->codec->pix_fmts ? - h->avctx->codec->pix_fmts : - h->avctx->color_range == AVCOL_RANGE_JPEG ? - h264_hwaccel_pixfmt_list_jpeg_420 : - h264_hwaccel_pixfmt_list_420; - - for (i=0; fmt[i] != AV_PIX_FMT_NONE; i++) - if (fmt[i] == h->avctx->pix_fmt && !force_callback) - return fmt[i]; - return ff_thread_get_format(h->avctx, fmt); + if (h->avctx->codec->pix_fmts) + choices = h->avctx->codec->pix_fmts; + else if (h->avctx->color_range == AVCOL_RANGE_JPEG) + choices = h264_hwaccel_pixfmt_list_jpeg_420; + else + choices = h264_hwaccel_pixfmt_list_420; } break; default: @@ -1102,6 +1119,11 @@ static enum AVPixelFormat get_pixel_format(H264Context *h, int force_callback) "Unsupported bit depth %d\n", h->sps.bit_depth_luma); return AVERROR_INVALIDDATA; } + + for (i=0; choices[i] != AV_PIX_FMT_NONE; i++) + if (choices[i] == h->avctx->pix_fmt && !force_callback) + return choices[i]; + return ff_thread_get_format(h->avctx, choices); } /* export coded and cropped frame dimensions to AVCodecContext */ @@ -1189,6 +1211,7 @@ static int h264_slice_header_init(H264Context *h, int reinit) nb_slices = max_slices; } h->slice_context_count = nb_slices; + h->max_contexts = FFMIN(h->max_contexts, nb_slices); if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) { ret = ff_h264_context_init(h); @@ -1286,6 +1309,10 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) int must_reinit; int needs_reinit = 0; int field_pic_flag, bottom_field_flag; + int first_slice = h == h0 && !h0->current_slice; + int frame_num, picture_structure, droppable; + int mb_aff_frame, last_mb_aff_frame; + PPS *pps; h->qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; h->qpel_avg = h->h264qpel.avg_h264_qpel_pixels_tab; @@ -1359,18 +1386,27 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) h0->au_pps_id, pps_id); return AVERROR_INVALIDDATA; } - h->pps = *h0->pps_buffers[pps_id]; - if (!h0->sps_buffers[h->pps.sps_id]) { + pps = h0->pps_buffers[pps_id]; + + if (!h0->sps_buffers[pps->sps_id]) { av_log(h->avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id); return AVERROR_INVALIDDATA; } + if (first_slice) + h->pps = *h0->pps_buffers[pps_id]; - if (h->pps.sps_id != h->sps.sps_id || - h->pps.sps_id != h->current_sps_id || - h0->sps_buffers[h->pps.sps_id]->new) { + if (pps->sps_id != h->sps.sps_id || + pps->sps_id != h->current_sps_id || + h0->sps_buffers[pps->sps_id]->new) { + + if (!first_slice) { + av_log(h->avctx, AV_LOG_ERROR, + "SPS changed in the middle of the frame\n"); + return AVERROR_INVALIDDATA; + } h->sps = *h0->sps_buffers[h->pps.sps_id]; @@ -1400,11 +1436,14 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) || 16*h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) != h->avctx->coded_height || h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc - || av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio) || h->mb_width != h->sps.mb_width || h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) )); - if (non_j_pixfmt(h0->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h0, 0))) + if (h0->avctx->pix_fmt == AV_PIX_FMT_NONE + || (non_j_pixfmt(h0->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h0, 0)))) + must_reinit = 1; + + if (first_slice && av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio)) must_reinit = 1; h->mb_width = h->sps.mb_width; @@ -1437,6 +1476,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) if (h->context_initialized && (must_reinit || needs_reinit)) { + h->context_initialized = 0; if (h != h0) { av_log(h->avctx, AV_LOG_ERROR, "changing width %d -> %d / height %d -> %d on " @@ -1447,6 +1487,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) return AVERROR_INVALIDDATA; } + av_assert1(first_slice); + ff_h264_flush_change(h); if ((ret = get_pixel_format(h, 1)) < 0) @@ -1480,44 +1522,50 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) } } - if (h == h0 && h->dequant_coeff_pps != pps_id) { + if (first_slice && h->dequant_coeff_pps != pps_id) { h->dequant_coeff_pps = pps_id; h264_init_dequant_tables(h); } - h->frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num); + frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num); + if (!first_slice) { + if (h0->frame_num != frame_num) { + av_log(h->avctx, AV_LOG_ERROR, "Frame num change from %d to %d\n", + h0->frame_num, frame_num); + return AVERROR_INVALIDDATA; + } + } h->mb_mbaff = 0; - h->mb_aff_frame = 0; + mb_aff_frame = 0; + last_mb_aff_frame = h0->mb_aff_frame; last_pic_structure = h0->picture_structure; last_pic_droppable = h0->droppable; - h->droppable = h->nal_ref_idc == 0; + droppable = h->nal_ref_idc == 0; if (h->sps.frame_mbs_only_flag) { - h->picture_structure = PICT_FRAME; + picture_structure = PICT_FRAME; } else { if (!h->sps.direct_8x8_inference_flag && slice_type == AV_PICTURE_TYPE_B) { av_log(h->avctx, AV_LOG_ERROR, "This stream was generated by a broken encoder, invalid 8x8 inference\n"); return -1; } field_pic_flag = get_bits1(&h->gb); + if (field_pic_flag) { bottom_field_flag = get_bits1(&h->gb); - h->picture_structure = PICT_TOP_FIELD + bottom_field_flag; + picture_structure = PICT_TOP_FIELD + bottom_field_flag; } else { - h->picture_structure = PICT_FRAME; - h->mb_aff_frame = h->sps.mb_aff; + picture_structure = PICT_FRAME; + mb_aff_frame = h->sps.mb_aff; } } - h->mb_field_decoding_flag = h->picture_structure != PICT_FRAME; - - if (h0->current_slice != 0) { - if (last_pic_structure != h->picture_structure || - last_pic_droppable != h->droppable) { + if (h0->current_slice) { + if (last_pic_structure != picture_structure || + last_pic_droppable != droppable || + last_mb_aff_frame != mb_aff_frame) { av_log(h->avctx, AV_LOG_ERROR, "Changing field mode (%d -> %d) between slices is not allowed\n", last_pic_structure, h->picture_structure); - h->picture_structure = last_pic_structure; - h->droppable = last_pic_droppable; return AVERROR_INVALIDDATA; } else if (!h0->cur_pic_ptr) { av_log(h->avctx, AV_LOG_ERROR, @@ -1525,7 +1573,15 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) h0->current_slice + 1); return AVERROR_INVALIDDATA; } - } else { + } + + h->picture_structure = picture_structure; + h->droppable = droppable; + h->frame_num = frame_num; + h->mb_aff_frame = mb_aff_frame; + h->mb_field_decoding_flag = picture_structure != PICT_FRAME; + + if (h0->current_slice == 0) { /* Shorten frame num gaps so we don't have to allocate reference * frames just to throw them away */ if (h->frame_num != h->prev_frame_num) { @@ -1635,14 +1691,17 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) * vectors. Given we are concealing a lost frame, this probably * is not noticeable by comparison, but it should be fixed. */ if (h->short_ref_count) { - if (prev) { + if (prev && + h->short_ref[0]->f.width == prev->f.width && + h->short_ref[0]->f.height == prev->f.height && + h->short_ref[0]->f.format == prev->f.format) { av_image_copy(h->short_ref[0]->f.data, h->short_ref[0]->f.linesize, (const uint8_t **)prev->f.data, prev->f.linesize, - h->avctx->pix_fmt, - h->mb_width * 16, - h->mb_height * 16); + prev->f.format, + prev->f.width, + prev->f.height); h->short_ref[0]->poc = prev->poc + 2; } h->short_ref[0]->frame_num = h->prev_frame_num; @@ -2386,20 +2445,32 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) } if (h->pps.cabac) { + int ret; /* realign */ align_get_bits(&h->gb); /* init cabac */ - ff_init_cabac_decoder(&h->cabac, + ret = ff_init_cabac_decoder(&h->cabac, h->gb.buffer + get_bits_count(&h->gb) / 8, (get_bits_left(&h->gb) + 7) / 8); + if (ret < 0) + return ret; ff_h264_init_cabac_states(h); for (;;) { // START_TIMER - int ret = ff_h264_decode_mb_cabac(h); - int eos; + int ret, eos; + + if (h->mb_x + h->mb_y * h->mb_width >= h->mb_index_end) { + av_log(h->avctx, AV_LOG_ERROR, "Slice overlaps next at %d\n", + h->mb_index_end); + er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x, + h->mb_y, ER_MB_ERROR); + return AVERROR_INVALIDDATA; + } + + ret = ff_h264_decode_mb_cabac(h); // STOP_TIMER("decode_mb_cabac") if (ret >= 0) @@ -2461,7 +2532,17 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) } } else { for (;;) { - int ret = ff_h264_decode_mb_cavlc(h); + int ret; + + if (h->mb_x + h->mb_y * h->mb_width >= h->mb_index_end) { + av_log(h->avctx, AV_LOG_ERROR, "Slice overlaps next at %d\n", + h->mb_index_end); + er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x, + h->mb_y, ER_MB_ERROR); + return AVERROR_INVALIDDATA; + } + + ret = ff_h264_decode_mb_cavlc(h); if (ret >= 0) ff_h264_hl_decode_mb(h); @@ -2549,19 +2630,33 @@ int ff_h264_execute_decode_slices(H264Context *h, unsigned context_count) av_assert0(h->mb_y < h->mb_height); + h->mb_index_end = INT_MAX; + if (h->avctx->hwaccel || h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU) return 0; if (context_count == 1) { return decode_slice(avctx, &h); } else { + int j, mb_index; av_assert0(context_count > 0); - for (i = 1; i < context_count; i++) { + for (i = 0; i < context_count; i++) { + int mb_index_end = h->mb_width * h->mb_height; hx = h->thread_context[i]; - if (CONFIG_ERROR_RESILIENCE) { + mb_index = hx->resync_mb_x + hx->resync_mb_y * h->mb_width; + if (CONFIG_ERROR_RESILIENCE && i) { hx->er.error_count = 0; } hx->x264_build = h->x264_build; + for (j = 0; j < context_count; j++) { + H264Context *sl2 = h->thread_context[j]; + int mb_index2 = sl2->resync_mb_x + sl2->resync_mb_y * h->mb_width; + + if (i==j || mb_index > mb_index2) + continue; + mb_index_end = FFMIN(mb_index_end, mb_index2); + } + hx->mb_index_end = mb_index_end; } avctx->execute(avctx, decode_slice, h->thread_context, diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index abf888ed96..e402c9636b 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -91,10 +91,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){ const int a5 = -block[i+1*8] + block[i+7*8] + block[i+5*8] + (block[i+5*8]>>1); const int a7 = block[i+3*8] + block[i+5*8] + block[i+1*8] + (block[i+1*8]>>1); - const int b1 = (a7>>2) + a1; - const int b3 = a3 + (a5>>2); - const int b5 = (a3>>2) - a5; - const int b7 = a7 - (a1>>2); + const int b1 = (a7>>2) + (unsigned)a1; + const int b3 = (unsigned)a3 + (a5>>2); + const int b5 = (a3>>2) - (unsigned)a5; + const int b7 = (unsigned)a7 - (a1>>2); block[i+0*8] = b0 + b7; block[i+7*8] = b0 - b7; diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 5fc7324862..6925f3da54 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -108,7 +108,7 @@ static int pic_arrays_init(HEVCContext *s, const HEVCSPS *sps) if (!s->tab_ipm || !s->cbf_luma || !s->is_pcm) goto fail; - s->filter_slice_edges = av_malloc(ctb_count); + s->filter_slice_edges = av_mallocz(ctb_count); s->tab_slice_address = av_malloc_array(pic_size_in_ctb, sizeof(*s->tab_slice_address)); s->qp_y_tab = av_malloc_array(pic_size_in_ctb, @@ -144,7 +144,7 @@ static void pred_weight_table(HEVCContext *s, GetBitContext *gb) uint8_t luma_weight_l1_flag[16]; uint8_t chroma_weight_l1_flag[16]; - s->sh.luma_log2_weight_denom = get_ue_golomb_long(gb); + s->sh.luma_log2_weight_denom = av_clip_c(get_ue_golomb_long(gb), 0, 7); if (s->sps->chroma_format_idc != 0) { int delta = get_se_golomb(gb); s->sh.chroma_log2_weight_denom = av_clip(s->sh.luma_log2_weight_denom + delta, 0, 7); @@ -240,6 +240,8 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) nb_sps = get_ue_golomb_long(gb); nb_sh = get_ue_golomb_long(gb); + if (nb_sps > sps->num_long_term_ref_pics_sps) + return AVERROR_INVALIDDATA; if (nb_sh + (uint64_t)nb_sps > FF_ARRAY_ELEMS(rps->poc)) return AVERROR_INVALIDDATA; @@ -263,12 +265,16 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) delta_poc_msb_present = get_bits1(gb); if (delta_poc_msb_present) { - int delta = get_ue_golomb_long(gb); + int64_t delta = get_ue_golomb_long(gb); + int64_t poc; if (i && i != nb_sps) delta += prev_delta_msb; - rps->poc[i] += s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + poc = rps->poc[i] + s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + if (poc != (int32_t)poc) + return AVERROR_INVALIDDATA; + rps->poc[i] = poc; prev_delta_msb = delta; } } @@ -674,15 +680,29 @@ static int hls_slice_header(HEVCContext *s) sh->num_entry_point_offsets = 0; if (s->pps->tiles_enabled_flag || s->pps->entropy_coding_sync_enabled_flag) { - sh->num_entry_point_offsets = get_ue_golomb_long(gb); + unsigned num_entry_point_offsets = get_ue_golomb_long(gb); + // It would be possible to bound this tighter but this here is simpler + if (num_entry_point_offsets > get_bits_left(gb)) { + av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets); + return AVERROR_INVALIDDATA; + } + + sh->num_entry_point_offsets = num_entry_point_offsets; if (sh->num_entry_point_offsets > 0) { int offset_len = get_ue_golomb_long(gb) + 1; int segments = offset_len >> 4; int rest = (offset_len & 15); + + if (offset_len < 1 || offset_len > 32) { + sh->num_entry_point_offsets = 0; + av_log(s->avctx, AV_LOG_ERROR, "offset_len %d is invalid\n", offset_len); + return AVERROR_INVALIDDATA; + } + av_freep(&sh->entry_point_offset); av_freep(&sh->offset); av_freep(&sh->size); - sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); + sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned)); sh->offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); sh->size = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); if (!sh->entry_point_offset || !sh->offset || !sh->size) { @@ -755,6 +775,8 @@ static int hls_slice_header(HEVCContext *s) s->HEVClc->tu.cu_qp_offset_cb = 0; s->HEVClc->tu.cu_qp_offset_cr = 0; + s->no_rasl_output_flag = IS_IDR(s) || IS_BLA(s) || (s->nal_unit_type == NAL_CRA_NUT && s->last_eos); + return 0; } @@ -981,7 +1003,7 @@ static int hls_transform_unit(HEVCContext *s, int x0, int y0, for (i = 0; i < (size * size); i++) { coeffs[i] = ((lc->tu.res_scale_val * coeffs_y[i]) >> 3); } - s->hevcdsp.transform_add[log2_trafo_size-2](dst, coeffs, stride); + s->hevcdsp.transform_add[log2_trafo_size_c-2](dst, coeffs, stride); } } @@ -1010,7 +1032,7 @@ static int hls_transform_unit(HEVCContext *s, int x0, int y0, for (i = 0; i < (size * size); i++) { coeffs[i] = ((lc->tu.res_scale_val * coeffs_y[i]) >> 3); } - s->hevcdsp.transform_add[log2_trafo_size-2](dst, coeffs, stride); + s->hevcdsp.transform_add[log2_trafo_size_c-2](dst, coeffs, stride); } } } else if (blk_idx == 3) { @@ -2354,6 +2376,8 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int if (more_data < 0) { s->tab_slice_address[ctb_addr_rs] = -1; + avpriv_atomic_int_set(&s1->wpp_err, 1); + ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP); return more_data; } @@ -2391,15 +2415,22 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) HEVCLocalContext *lc = s->HEVClc; int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); - int offset; - int startheader, cmpt = 0; + int64_t offset; + int64_t startheader, cmpt = 0; int i, j, res = 0; + if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * s->sps->ctb_width >= s->sps->ctb_width * s->sps->ctb_height) { + av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d %d)\n", + s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets, + s->sps->ctb_width, s->sps->ctb_height + ); + res = AVERROR_INVALIDDATA; + goto error; + } + + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { - ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); - - for (i = 1; i < s->threads_number; i++) { s->sList[i] = av_malloc(sizeof(HEVCContext)); memcpy(s->sList[i], s, sizeof(HEVCContext)); @@ -2432,6 +2463,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) } if (s->sh.num_entry_point_offsets != 0) { offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] - cmpt; + if (length < offset) { + av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is corrupted\n"); + res = AVERROR_INVALIDDATA; + goto error; + } s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset; s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset; @@ -2458,6 +2494,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) for (i = 0; i <= s->sh.num_entry_point_offsets; i++) res += ret[i]; +error: av_free(ret); av_free(arg); return res; @@ -2532,7 +2569,7 @@ static int set_side_data(HEVCContext *s) av_display_rotation_set((int32_t *)rotation->data, angle); av_display_matrix_flip((int32_t *)rotation->data, - s->sei_vflip, s->sei_hflip); + s->sei_hflip, s->sei_vflip); } return 0; @@ -2888,17 +2925,30 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length) if (s->nals_allocated < s->nb_nals + 1) { int new_size = s->nals_allocated + 1; - HEVCNAL *tmp = av_realloc_array(s->nals, new_size, sizeof(*tmp)); + void *tmp = av_realloc_array(s->nals, new_size, sizeof(*s->nals)); + ret = AVERROR(ENOMEM); if (!tmp) { - ret = AVERROR(ENOMEM); goto fail; } s->nals = tmp; memset(s->nals + s->nals_allocated, 0, - (new_size - s->nals_allocated) * sizeof(*tmp)); - av_reallocp_array(&s->skipped_bytes_nal, new_size, sizeof(*s->skipped_bytes_nal)); - av_reallocp_array(&s->skipped_bytes_pos_size_nal, new_size, sizeof(*s->skipped_bytes_pos_size_nal)); - av_reallocp_array(&s->skipped_bytes_pos_nal, new_size, sizeof(*s->skipped_bytes_pos_nal)); + (new_size - s->nals_allocated) * sizeof(*s->nals)); + + tmp = av_realloc_array(s->skipped_bytes_nal, new_size, sizeof(*s->skipped_bytes_nal)); + if (!tmp) + goto fail; + s->skipped_bytes_nal = tmp; + + tmp = av_realloc_array(s->skipped_bytes_pos_size_nal, new_size, sizeof(*s->skipped_bytes_pos_size_nal)); + if (!tmp) + goto fail; + s->skipped_bytes_pos_size_nal = tmp; + + tmp = av_realloc_array(s->skipped_bytes_pos_nal, new_size, sizeof(*s->skipped_bytes_pos_nal)); + if (!tmp) + goto fail; + s->skipped_bytes_pos_nal = tmp; + s->skipped_bytes_pos_size_nal[s->nals_allocated] = 1024; // initial buffer size s->skipped_bytes_pos_nal[s->nals_allocated] = av_malloc_array(s->skipped_bytes_pos_size_nal[s->nals_allocated], sizeof(*s->skipped_bytes_pos)); s->nals_allocated = new_size; @@ -2934,7 +2984,6 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length) /* parse the NAL units */ for (i = 0; i < s->nb_nals; i++) { - int ret; s->skipped_bytes = s->skipped_bytes_nal[i]; s->skipped_bytes_pos = s->skipped_bytes_pos_nal[i]; @@ -3282,6 +3331,7 @@ static int hevc_update_thread_context(AVCodecContext *dst, s->pocTid0 = s0->pocTid0; s->max_ra = s0->max_ra; s->eos = s0->eos; + s->no_rasl_output_flag = s0->no_rasl_output_flag; s->is_nalff = s0->is_nalff; s->nal_length_size = s0->nal_length_size; @@ -3376,6 +3426,7 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx) s->enable_parallel_tiles = 0; s->picture_struct = 0; + s->eos = 1; if(avctx->active_thread_type & FF_THREAD_SLICE) s->threads_number = avctx->thread_count; @@ -3417,6 +3468,7 @@ static void hevc_decode_flush(AVCodecContext *avctx) HEVCContext *s = avctx->priv_data; ff_hevc_flush_dpb(s); s->max_ra = INT_MAX; + s->eos = 1; } #define OFFSET(x) offsetof(HEVCContext, x) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 0369d8fb53..d7e0d52de7 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -298,10 +298,10 @@ typedef struct RefPicListTab { } RefPicListTab; typedef struct HEVCWindow { - int left_offset; - int right_offset; - int top_offset; - int bottom_offset; + unsigned int left_offset; + unsigned int right_offset; + unsigned int top_offset; + unsigned int bottom_offset; } HEVCWindow; typedef struct VUI { @@ -537,8 +537,8 @@ typedef struct HEVCPPS { uint8_t chroma_qp_offset_list_enabled_flag; uint8_t diff_cu_chroma_qp_offset_depth; uint8_t chroma_qp_offset_list_len_minus1; - int8_t cb_qp_offset_list[5]; - int8_t cr_qp_offset_list[5]; + int8_t cb_qp_offset_list[6]; + int8_t cr_qp_offset_list[6]; uint8_t log2_sao_offset_scale_luma; uint8_t log2_sao_offset_scale_chroma; @@ -607,7 +607,7 @@ typedef struct SliceHeader { unsigned int max_num_merge_cand; ///< 5 - 5_minus_max_num_merge_cand - int *entry_point_offset; + unsigned *entry_point_offset; int * offset; int * size; int num_entry_point_offsets; @@ -844,6 +844,7 @@ typedef struct HEVCContext { int bs_height; int is_decoded; + int no_rasl_output_flag; HEVCPredContext hpc; HEVCDSPContext hevcdsp; diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 2b3d8c09a3..60cc5d0d5a 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -685,8 +685,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return AVERROR_INVALIDDATA; + } while (k--) suffix_val += get_cabac_bypass(&s->HEVClc->cc) << k; @@ -883,11 +885,13 @@ static av_always_inline int mvd_decode(HEVCContext *s) int k = 1; while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { - ret += 1 << k; + ret += 1U << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return 0; + } while (k--) ret += get_cabac_bypass(&s->HEVClc->cc) << k; return get_cabac_bypass_sign(&s->HEVClc->cc, -ret); @@ -1025,8 +1029,10 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; - if (prefix == CABAC_MAX_BIN) + if (prefix == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); + return 0; + } if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 3aaf3e55f2..a1ccaacb56 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -330,7 +330,7 @@ static int get_pcm(HEVCContext *s, int x, int y) #define TC_CALC(qp, bs) \ tctable[av_clip((qp) + DEFAULT_INTRA_TC_OFFSET * ((bs) - 1) + \ - (tc_offset >> 1 << 1), \ + (tc_offset & -2), \ 0, MAX_QP + DEFAULT_INTRA_TC_OFFSET)] static void deblocking_filter_CTB(HEVCContext *s, int x0, int y0) diff --git a/libavcodec/hevc_mvs.c b/libavcodec/hevc_mvs.c index 3bc982b8ad..826d084662 100644 --- a/libavcodec/hevc_mvs.c +++ b/libavcodec/hevc_mvs.c @@ -227,8 +227,10 @@ static int temporal_luma_motion_vector(HEVCContext *s, int x0, int y0, HEVCFrame *ref = s->ref->collocated_ref; - if (!ref) + if (!ref) { + memset(mvLXCol, 0, sizeof(*mvLXCol)); return 0; + } tab_mvf = ref->tab_mvf; colPic = ref->poc; @@ -415,14 +417,10 @@ static void derive_spatial_merge_candidates(HEVCContext *s, int x0, int y0, if (available_l0 || available_l1) { mergecandlist[nb_merge_cand].pred_flag = available_l0 + (available_l1 << 1); - if (available_l0) { - mergecandlist[nb_merge_cand].mv[0] = mv_l0_col; - mergecandlist[nb_merge_cand].ref_idx[0] = 0; - } - if (available_l1) { - mergecandlist[nb_merge_cand].mv[1] = mv_l1_col; - mergecandlist[nb_merge_cand].ref_idx[1] = 0; - } + AV_ZERO16(mergecandlist[nb_merge_cand].ref_idx); + mergecandlist[nb_merge_cand].mv[0] = mv_l0_col; + mergecandlist[nb_merge_cand].mv[1] = mv_l1_col; + if (merge_idx == nb_merge_cand) return; nb_merge_cand++; diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index c17ca04350..a8608e7463 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -133,6 +133,12 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, } } + if (k >= FF_ARRAY_ELEMS(rps->used)) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid num_delta_pocs: %d\n", k); + return AVERROR_INVALIDDATA; + } + rps->num_delta_pocs = k; rps->num_negative_pics = k0; // sort in increasing order (smallest first) @@ -182,6 +188,9 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, prev = 0; for (i = 0; i < rps->num_negative_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + return AVERROR_INVALIDDATA; + } prev -= delta_poc; rps->delta_poc[i] = prev; rps->used[i] = get_bits1(gb); @@ -189,6 +198,9 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, prev = 0; for (i = 0; i < nb_positive_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + return AVERROR_INVALIDDATA; + } prev += delta_poc; rps->delta_poc[rps->num_negative_pics + i] = prev; rps->used[rps->num_negative_pics + i] = get_bits1(gb); @@ -424,7 +436,8 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) vps->vps_max_layer_id = get_bits(gb, 6); vps->vps_num_layer_sets = get_ue_golomb_long(gb) + 1; - if ((vps->vps_num_layer_sets - 1LL) * (vps->vps_max_layer_id + 1LL) > get_bits_left(gb)) { + if (vps->vps_num_layer_sets < 1 || vps->vps_num_layer_sets > 1024 || + (vps->vps_num_layer_sets - 1LL) * (vps->vps_max_layer_id + 1LL) > get_bits_left(gb)) { av_log(s->avctx, AV_LOG_ERROR, "too many layer_id_included_flags\n"); goto err; } @@ -441,6 +454,11 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) if (vps->vps_poc_proportional_to_timing_flag) vps->vps_num_ticks_poc_diff_one = get_ue_golomb_long(gb) + 1; vps->vps_num_hrd_parameters = get_ue_golomb_long(gb); + if (vps->vps_num_hrd_parameters > (unsigned)vps->vps_num_layer_sets) { + av_log(s->avctx, AV_LOG_ERROR, + "vps_num_hrd_parameters %d is invalid\n", vps->vps_num_hrd_parameters); + goto err; + } for (i = 0; i < vps->vps_num_hrd_parameters; i++) { int common_inf_present = 1; @@ -455,7 +473,8 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) if (get_bits_left(gb) < 0) { av_log(s->avctx, AV_LOG_ERROR, "Overread VPS by %d bits\n", -get_bits_left(gb)); - goto err; + if (s->vps_list[vps_id]) + goto err; } av_buffer_unref(&s->vps_list[vps_id]); @@ -525,7 +544,11 @@ static void decode_vui(HEVCContext *s, HEVCSPS *sps) vui->field_seq_flag = get_bits1(gb); vui->frame_field_info_present_flag = get_bits1(gb); - vui->default_display_window_flag = get_bits1(gb); + if (get_bits_left(gb) >= 68 && show_bits_long(gb, 21) == 0x100000) { + vui->default_display_window_flag = 0; + av_log(s->avctx, AV_LOG_WARNING, "Invalid default display window\n"); + } else + vui->default_display_window_flag = get_bits1(gb); // Backup context in case an alternate header is detected memcpy(&backup, gb, sizeof(backup)); @@ -672,7 +695,7 @@ static int scaling_list_data(HEVCContext *s, ScalingList *sl, HEVCSPS *sps) ff_hevc_diag_scan8x8_x[i]; scaling_list_delta_coef = get_se_golomb(gb); - next_coef = (next_coef + scaling_list_delta_coef + 256) % 256; + next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256; sl->sl[size_id][matrix_id][pos] = next_coef; } } @@ -891,11 +914,30 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) sps->log2_max_trafo_size = log2_diff_max_min_transform_block_size + sps->log2_min_tb_size; - if (sps->log2_min_tb_size >= sps->log2_min_cb_size) { + if (sps->log2_min_cb_size < 3 || sps->log2_min_cb_size > 30) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_min_cb_size", sps->log2_min_cb_size); + ret = AVERROR_INVALIDDATA; + goto err; + } + + if (sps->log2_diff_max_min_coding_block_size > 30) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_diff_max_min_coding_block_size", sps->log2_diff_max_min_coding_block_size); + ret = AVERROR_INVALIDDATA; + goto err; + } + + if (sps->log2_min_tb_size >= sps->log2_min_cb_size || sps->log2_min_tb_size < 2) { av_log(s->avctx, AV_LOG_ERROR, "Invalid value for log2_min_tb_size"); ret = AVERROR_INVALIDDATA; goto err; } + + if (log2_diff_max_min_transform_block_size < 0 || log2_diff_max_min_transform_block_size > 30) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_diff_max_min_transform_block_size", log2_diff_max_min_transform_block_size); + ret = AVERROR_INVALIDDATA; + goto err; + } + sps->max_transform_hierarchy_depth_inter = get_ue_golomb_long(gb); sps->max_transform_hierarchy_depth_intra = get_ue_golomb_long(gb); @@ -947,6 +989,11 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) sps->long_term_ref_pics_present_flag = get_bits1(gb); if (sps->long_term_ref_pics_present_flag) { sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + if (sps->num_long_term_ref_pics_sps > 31U) { + av_log(0, AV_LOG_ERROR, "num_long_term_ref_pics_sps %d is out of range.\n", + sps->num_long_term_ref_pics_sps); + goto err; + } for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb); @@ -1012,7 +1059,8 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) (sps->output_window.left_offset + sps->output_window.right_offset); sps->output_height = sps->height - (sps->output_window.top_offset + sps->output_window.bottom_offset); - if (sps->output_width <= 0 || sps->output_height <= 0) { + if (sps->width <= sps->output_window.left_offset + (int64_t)sps->output_window.right_offset || + sps->height <= sps->output_window.top_offset + (int64_t)sps->output_window.bottom_offset) { av_log(s->avctx, AV_LOG_WARNING, "Invalid visible frame dimensions: %dx%d.\n", sps->output_width, sps->output_height); if (s->avctx->err_recognition & AV_EF_EXPLODE) { @@ -1021,10 +1069,8 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) } av_log(s->avctx, AV_LOG_WARNING, "Displaying the whole video surface.\n"); - sps->pic_conf_win.left_offset = - sps->pic_conf_win.right_offset = - sps->pic_conf_win.top_offset = - sps->pic_conf_win.bottom_offset = 0; + memset(&sps->pic_conf_win, 0, sizeof(sps->pic_conf_win)); + memset(&sps->output_window, 0, sizeof(sps->output_window)); sps->output_width = sps->width; sps->output_height = sps->height; } @@ -1181,6 +1227,7 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) int i, j, x, y, ctb_addr_rs, tile_id; int ret = 0; unsigned int pps_id = 0; + unsigned log2_parallel_merge_level_minus2; AVBufferRef *pps_buf; HEVCPPS *pps = av_mallocz(sizeof(*pps)); @@ -1248,6 +1295,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) if (pps->cu_qp_delta_enabled_flag) pps->diff_cu_qp_delta_depth = get_ue_golomb_long(gb); + if (pps->diff_cu_qp_delta_depth < 0 || + pps->diff_cu_qp_delta_depth > sps->log2_diff_max_min_coding_block_size) { + av_log(s->avctx, AV_LOG_ERROR, "diff_cu_qp_delta_depth %d is invalid\n", + pps->diff_cu_qp_delta_depth); + ret = AVERROR_INVALIDDATA; + goto err; + } + pps->cb_qp_offset = get_se_golomb(gb); if (pps->cb_qp_offset < -12 || pps->cb_qp_offset > 12) { av_log(s->avctx, AV_LOG_ERROR, "pps_cb_qp_offset out of range: %d\n", @@ -1274,14 +1329,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) if (pps->tiles_enabled_flag) { pps->num_tile_columns = get_ue_golomb_long(gb) + 1; pps->num_tile_rows = get_ue_golomb_long(gb) + 1; - if (pps->num_tile_columns == 0 || + if (pps->num_tile_columns <= 0 || pps->num_tile_columns >= sps->width) { av_log(s->avctx, AV_LOG_ERROR, "num_tile_columns_minus1 out of range: %d\n", pps->num_tile_columns - 1); ret = AVERROR_INVALIDDATA; goto err; } - if (pps->num_tile_rows == 0 || + if (pps->num_tile_rows <= 0 || pps->num_tile_rows >= sps->height) { av_log(s->avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of range: %d\n", pps->num_tile_rows - 1); @@ -1357,13 +1412,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) goto err; } pps->lists_modification_present_flag = get_bits1(gb); - pps->log2_parallel_merge_level = get_ue_golomb_long(gb) + 2; - if (pps->log2_parallel_merge_level > sps->log2_ctb_size) { + log2_parallel_merge_level_minus2 = get_ue_golomb_long(gb); + if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size) { av_log(s->avctx, AV_LOG_ERROR, "log2_parallel_merge_level_minus2 out of range: %d\n", - pps->log2_parallel_merge_level - 2); + log2_parallel_merge_level_minus2); ret = AVERROR_INVALIDDATA; goto err; } + pps->log2_parallel_merge_level = log2_parallel_merge_level_minus2 + 2; pps->slice_header_extension_present_flag = get_bits1(gb); @@ -1371,7 +1427,8 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) int pps_range_extensions_flag = get_bits1(gb); /* int pps_extension_7bits = */ get_bits(gb, 7); if (sps->ptl.general_ptl.profile_idc == FF_PROFILE_HEVC_REXT && pps_range_extensions_flag) { - pps_range_extensions(s, pps, sps); + if ((ret = pps_range_extensions(s, pps, sps)) < 0) + goto err; } } diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index b3a97871d5..b99d20faed 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -158,7 +158,7 @@ int ff_hevc_output_frame(HEVCContext *s, AVFrame *out, int flush) int min_poc = INT_MAX; int i, min_idx, ret; - if (s->sh.no_output_of_prior_pics_flag == 1) { + if (s->sh.no_output_of_prior_pics_flag == 1 && s->no_rasl_output_flag == 1) { for (i = 0; i < FF_ARRAY_ELEMS(s->DPB); i++) { HEVCFrame *frame = &s->DPB[i]; if (!(frame->flags & HEVC_FRAME_FLAG_BUMPING) && frame->poc != s->poc && @@ -419,7 +419,7 @@ static int add_candidate_ref(HEVCContext *s, RefPicList *list, { HEVCFrame *ref = find_ref_idx(s, poc); - if (ref == s->ref) + if (ref == s->ref || list->nb_refs >= MAX_REFS) return AVERROR_INVALIDDATA; if (!ref) { diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 5bb5c9010a..570534bd44 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -126,6 +126,11 @@ static int active_parameter_sets(HEVCContext *s) get_bits(gb, 1); // num_sps_ids_minus1 num_sps_ids_minus1 = get_ue_golomb_long(gb); // num_sps_ids_minus1 + if (num_sps_ids_minus1 < 0 || num_sps_ids_minus1 > 15) { + av_log(s->avctx, AV_LOG_ERROR, "num_sps_ids_minus1 %d invalid\n", num_sps_ids_minus1); + return AVERROR_INVALIDDATA; + } + active_seq_parameter_set_id = get_ue_golomb_long(gb); if (active_seq_parameter_set_id >= MAX_SPS_COUNT) { av_log(s->avctx, AV_LOG_ERROR, "active_parameter_set_id %d invalid\n", active_seq_parameter_set_id); @@ -149,11 +154,15 @@ static int decode_nal_sei_message(HEVCContext *s) av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n"); while (byte == 0xFF) { + if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_type += byte; } byte = 0xFF; while (byte == 0xFF) { + if (get_bits_left(gb) < 8 + 8LL*payload_size) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_size += byte; } diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 8a843f54d7..96ba2af9d6 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -152,7 +152,7 @@ static void FUNC(transform_skip)(int16_t *_coeffs, int16_t log2_size) } else { for (y = 0; y < size; y++) { for (x = 0; x < size; x++) { - *coeffs = *coeffs << -shift; + *coeffs = *(uint16_t*)coeffs << -shift; coeffs++; } } @@ -643,7 +643,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride, ox1 = ox1 * (1 << (BIT_DEPTH - 8)); for (y = 0; y < height; y++) { for (x = 0; x < width; x++) { - dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1)); } src += srcstride; dst += dststride; @@ -965,7 +965,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -1020,7 +1020,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -1101,7 +1101,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; @@ -1405,7 +1405,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -1457,7 +1457,7 @@ static void FUNC(put_hevc_epel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -1536,7 +1536,7 @@ static void FUNC(put_hevc_epel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 81242304dd..4fca10efc4 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -35,7 +35,7 @@ static av_always_inline void FUNC(intra_pred)(HEVCContext *s, int x0, int y0, #define MVF(x, y) \ (s->ref->tab_mvf[(x) + (y) * min_pu_width]) #define MVF_PU(x, y) \ - MVF(PU(x0 + ((x) << hshift)), PU(y0 + ((y) << vshift))) + MVF(PU(x0 + ((x) * (1 << hshift))), PU(y0 + ((y) * (1 << vshift)))) #define IS_INTRA(x, y) \ (MVF_PU(x, y).pred_flag == PF_INTRA) #define MIN_TB_ADDR_ZS(x, y) \ diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c index d8c51d0b75..31995bc75c 100644 --- a/libavcodec/hnm4video.c +++ b/libavcodec/hnm4video.c @@ -22,6 +22,7 @@ #include +#include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" #include "libavutil/mem.h" @@ -453,6 +454,7 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data, static av_cold int hnm_decode_init(AVCodecContext *avctx) { Hnm4VideoContext *hnm = avctx->priv_data; + int ret; if (avctx->extradata_size < 1) { av_log(avctx, AV_LOG_ERROR, @@ -460,6 +462,10 @@ static av_cold int hnm_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + if (ret < 0) + return ret; + hnm->version = avctx->extradata[0]; avctx->pix_fmt = AV_PIX_FMT_PAL8; hnm->width = avctx->width; diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 3b2b0f7f59..2746595d5b 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -37,6 +37,7 @@ #include "huffyuv.h" #include "huffyuvdsp.h" #include "thread.h" +#include "libavutil/imgutils.h" #include "libavutil/pixdesc.h" #define classic_shift_luma_table_size 42 @@ -277,6 +278,10 @@ static av_cold int decode_init(AVCodecContext *avctx) HYuvContext *s = avctx->priv_data; int ret; + ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + if (ret < 0) + return ret; + ff_huffyuvdsp_init(&s->hdsp); memset(s->vlc, 0, 4 * sizeof(VLC)); diff --git a/libavcodec/idcinvideo.c b/libavcodec/idcinvideo.c index 7765376cbf..3e674168cd 100644 --- a/libavcodec/idcinvideo.c +++ b/libavcodec/idcinvideo.c @@ -215,7 +215,8 @@ static int idcin_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; IdcinContext *s = avctx->priv_data; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); AVFrame *frame = data; int ret; @@ -228,9 +229,11 @@ static int idcin_decode_frame(AVCodecContext *avctx, if (idcin_decode_vlcs(s, frame)) return AVERROR_INVALIDDATA; - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } /* make the palette available on the way out */ memcpy(frame->data[1], s->pal, AVPALETTE_SIZE); diff --git a/libavcodec/imc.c b/libavcodec/imc.c index 2a5eac9b7c..00076c9a87 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -420,7 +420,7 @@ static void imc_decode_level_coefficients_raw(IMCContext *q, int *levlCoeffBuf, pos = q->coef0_pos; flcoeffs1[pos] = 20000.0 / pow (2, levlCoeffBuf[0] * 0.18945); // 0.18945 = log2(10) * 0.05703125 - flcoeffs2[pos] = log2f(flcoeffs1[0]); + flcoeffs2[pos] = log2f(flcoeffs1[pos]); tmp = flcoeffs1[pos]; tmp2 = flcoeffs2[pos]; @@ -887,14 +887,14 @@ static int imc_decode_block(AVCodecContext *avctx, IMCContext *q, int ch) flag = get_bits1(&q->gb); if (stream_format_code & 0x1) - imc_decode_level_coefficients_raw(q, chctx->levlCoeffBuf, - chctx->flcoeffs1, chctx->flcoeffs2); - else if (stream_format_code & 0x1) imc_read_level_coeffs_raw(q, stream_format_code, chctx->levlCoeffBuf); else imc_read_level_coeffs(q, stream_format_code, chctx->levlCoeffBuf); - if (stream_format_code & 0x4) + if (stream_format_code & 0x1) + imc_decode_level_coefficients_raw(q, chctx->levlCoeffBuf, + chctx->flcoeffs1, chctx->flcoeffs2); + else if (stream_format_code & 0x4) imc_decode_level_coefficients(q, chctx->levlCoeffBuf, chctx->flcoeffs1, chctx->flcoeffs2); else @@ -1018,7 +1018,7 @@ static int imc_decode_frame(AVCodecContext *avctx, void *data, IMCContext *q = avctx->priv_data; - LOCAL_ALIGNED_16(uint16_t, buf16, [IMC_BLOCK_SIZE / 2 + FF_INPUT_BUFFER_PADDING_SIZE/2]); + LOCAL_ALIGNED_16(uint16_t, buf16, [(IMC_BLOCK_SIZE + FF_INPUT_BUFFER_PADDING_SIZE) / 2]); if (buf_size < IMC_BLOCK_SIZE * avctx->channels) { av_log(avctx, AV_LOG_ERROR, "frame too small!\n"); diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 158bc739a1..c6e52b381a 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -236,9 +236,41 @@ int av_picture_pad(AVPicture *dst, const AVPicture *src, int height, int width, int x_shift; int yheight; int i, y; + int max_step[4]; - if (pix_fmt < 0 || pix_fmt >= AV_PIX_FMT_NB || - !is_yuv_planar(desc)) return -1; + if (pix_fmt < 0 || pix_fmt >= AV_PIX_FMT_NB) + return -1; + + if (!is_yuv_planar(desc)) { + if (src) + return -1; //TODO: Not yet implemented + + av_image_fill_max_pixsteps(max_step, NULL, desc); + + if (padtop || padleft) { + memset(dst->data[0], color[0], + dst->linesize[0] * padtop + (padleft * max_step[0])); + } + + if (padleft || padright) { + optr = dst->data[0] + dst->linesize[0] * padtop + + (dst->linesize[0] - (padright * max_step[0])); + yheight = height - 1 - (padtop + padbottom); + for (y = 0; y < yheight; y++) { + memset(optr, color[0], (padleft + padright) * max_step[0]); + optr += dst->linesize[0]; + } + } + + if (padbottom || padright) { + optr = dst->data[0] + dst->linesize[0] * (height - padbottom) - + (padright * max_step[0]); + memset(optr, color[0], dst->linesize[0] * padbottom + + (padright * max_step[0])); + } + + return 0; + } for (i = 0; i < 3; i++) { x_shift = i ? desc->log2_chroma_w : 0; @@ -284,6 +316,7 @@ int av_picture_pad(AVPicture *dst, const AVPicture *src, int height, int width, (padbottom >> y_shift) + (padright >> x_shift)); } } + return 0; } diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index cccac44bf3..792b24d903 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -78,6 +78,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ @@ -117,6 +119,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ @@ -148,6 +152,7 @@ static int ir2_decode_frame(AVCodecContext *avctx, AVFrame *picture = data; AVFrame * const p = s->picture; int start, ret; + int ltab, ctab; if ((ret = ff_reget_buffer(avctx, p)) < 0) return ret; @@ -169,34 +174,42 @@ static int ir2_decode_frame(AVCodecContext *avctx, init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); + ltab = buf[0x22] & 3; + ctab = buf[0x22] >> 2; + + if (ctab > 3) { + av_log(avctx, AV_LOG_ERROR, "ctab %d is invalid\n", ctab); + return AVERROR_INVALIDDATA; + } + if (s->decode_delta) { /* intraframe */ if ((ret = ir2_decode_plane(s, avctx->width, avctx->height, p->data[0], p->linesize[0], - ir2_luma_table)) < 0) + ir2_delta_table[ltab])) < 0) return ret; /* swapped U and V */ if ((ret = ir2_decode_plane(s, avctx->width >> 2, avctx->height >> 2, p->data[2], p->linesize[2], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; if ((ret = ir2_decode_plane(s, avctx->width >> 2, avctx->height >> 2, p->data[1], p->linesize[1], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; } else { /* interframe */ if ((ret = ir2_decode_plane_inter(s, avctx->width, avctx->height, p->data[0], p->linesize[0], - ir2_luma_table)) < 0) + ir2_delta_table[ltab])) < 0) return ret; /* swapped U and V */ if ((ret = ir2_decode_plane_inter(s, avctx->width >> 2, avctx->height >> 2, p->data[2], p->linesize[2], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; if ((ret = ir2_decode_plane_inter(s, avctx->width >> 2, avctx->height >> 2, p->data[1], p->linesize[1], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; } diff --git a/libavcodec/indeo2data.h b/libavcodec/indeo2data.h index 0d6d82f22c..e05c91ff58 100644 --- a/libavcodec/indeo2data.h +++ b/libavcodec/indeo2data.h @@ -27,115 +27,211 @@ #define IR2_CODES 143 static const uint16_t ir2_codes[IR2_CODES][2] = { #ifdef BITSTREAM_READER_LE -{0x0000, 3}, {0x0004, 3}, {0x0006, 3}, {0x0001, 5}, -{0x0009, 5}, {0x0019, 5}, {0x000D, 5}, {0x001D, 5}, -{0x0023, 6}, {0x0013, 6}, {0x0033, 6}, {0x000B, 6}, -{0x002B, 6}, {0x001B, 6}, {0x0007, 8}, {0x0087, 8}, -{0x0027, 8}, {0x00A7, 8}, {0x0067, 8}, {0x00E7, 8}, -{0x0097, 8}, {0x0057, 8}, {0x0037, 8}, {0x00B7, 8}, -{0x00F7, 8}, {0x000F, 9}, {0x008F, 9}, {0x018F, 9}, -{0x014F, 9}, {0x00CF, 9}, {0x002F, 9}, {0x012F, 9}, -{0x01AF, 9}, {0x006F, 9}, {0x00EF, 9}, {0x01EF, 9}, -{0x001F, 10}, {0x021F, 10}, {0x011F, 10}, {0x031F, 10}, -{0x009F, 10}, {0x029F, 10}, {0x019F, 10}, {0x039F, 10}, -{0x005F, 10}, {0x025F, 10}, {0x015F, 10}, {0x035F, 10}, -{0x00DF, 10}, {0x02DF, 10}, {0x01DF, 10}, {0x03DF, 10}, -{0x003F, 13}, {0x103F, 13}, {0x083F, 13}, {0x183F, 13}, -{0x043F, 13}, {0x143F, 13}, {0x0C3F, 13}, {0x1C3F, 13}, -{0x023F, 13}, {0x123F, 13}, {0x0A3F, 13}, {0x1A3F, 13}, -{0x063F, 13}, {0x163F, 13}, {0x0E3F, 13}, {0x1E3F, 13}, -{0x013F, 13}, {0x113F, 13}, {0x093F, 13}, {0x193F, 13}, -{0x053F, 13}, {0x153F, 13}, {0x0D3F, 13}, {0x1D3F, 13}, -{0x033F, 13}, {0x133F, 13}, {0x0B3F, 13}, {0x1B3F, 13}, -{0x073F, 13}, {0x173F, 13}, {0x0F3F, 13}, {0x1F3F, 13}, -{0x00BF, 13}, {0x10BF, 13}, {0x08BF, 13}, {0x18BF, 13}, -{0x04BF, 13}, {0x14BF, 13}, {0x0CBF, 13}, {0x1CBF, 13}, -{0x02BF, 13}, {0x12BF, 13}, {0x0ABF, 13}, {0x1ABF, 13}, -{0x06BF, 13}, {0x16BF, 13}, {0x0EBF, 13}, {0x1EBF, 13}, -{0x01BF, 13}, {0x11BF, 13}, {0x09BF, 13}, {0x19BF, 13}, -{0x05BF, 13}, {0x15BF, 13}, {0x0DBF, 13}, {0x1DBF, 13}, -{0x03BF, 13}, {0x13BF, 13}, {0x0BBF, 13}, {0x1BBF, 13}, -{0x07BF, 13}, {0x17BF, 13}, {0x0FBF, 13}, {0x1FBF, 13}, -{0x007F, 14}, {0x207F, 14}, {0x107F, 14}, {0x307F, 14}, -{0x087F, 14}, {0x287F, 14}, {0x187F, 14}, {0x387F, 14}, -{0x047F, 14}, {0x247F, 14}, {0x147F, 14}, {0x0002, 3}, -{0x0011, 5}, {0x0005, 5}, {0x0015, 5}, {0x0003, 6}, -{0x003B, 6}, {0x0047, 8}, {0x00C7, 8}, {0x0017, 8}, -{0x00D7, 8}, {0x0077, 8}, {0x010F, 9}, {0x004F, 9}, -{0x01CF, 9}, {0x00AF, 9}, {0x016F, 9}, + { 0x0000, 3 }, { 0x0004, 3 }, { 0x0006, 3 }, { 0x0001, 5 }, + { 0x0009, 5 }, { 0x0019, 5 }, { 0x000D, 5 }, { 0x001D, 5 }, + { 0x0023, 6 }, { 0x0013, 6 }, { 0x0033, 6 }, { 0x000B, 6 }, + { 0x002B, 6 }, { 0x001B, 6 }, { 0x0007, 8 }, { 0x0087, 8 }, + { 0x0027, 8 }, { 0x00A7, 8 }, { 0x0067, 8 }, { 0x00E7, 8 }, + { 0x0097, 8 }, { 0x0057, 8 }, { 0x0037, 8 }, { 0x00B7, 8 }, + { 0x00F7, 8 }, { 0x000F, 9 }, { 0x008F, 9 }, { 0x018F, 9 }, + { 0x014F, 9 }, { 0x00CF, 9 }, { 0x002F, 9 }, { 0x012F, 9 }, + { 0x01AF, 9 }, { 0x006F, 9 }, { 0x00EF, 9 }, { 0x01EF, 9 }, + { 0x001F, 10 }, { 0x021F, 10 }, { 0x011F, 10 }, { 0x031F, 10 }, + { 0x009F, 10 }, { 0x029F, 10 }, { 0x019F, 10 }, { 0x039F, 10 }, + { 0x005F, 10 }, { 0x025F, 10 }, { 0x015F, 10 }, { 0x035F, 10 }, + { 0x00DF, 10 }, { 0x02DF, 10 }, { 0x01DF, 10 }, { 0x03DF, 10 }, + { 0x003F, 13 }, { 0x103F, 13 }, { 0x083F, 13 }, { 0x183F, 13 }, + { 0x043F, 13 }, { 0x143F, 13 }, { 0x0C3F, 13 }, { 0x1C3F, 13 }, + { 0x023F, 13 }, { 0x123F, 13 }, { 0x0A3F, 13 }, { 0x1A3F, 13 }, + { 0x063F, 13 }, { 0x163F, 13 }, { 0x0E3F, 13 }, { 0x1E3F, 13 }, + { 0x013F, 13 }, { 0x113F, 13 }, { 0x093F, 13 }, { 0x193F, 13 }, + { 0x053F, 13 }, { 0x153F, 13 }, { 0x0D3F, 13 }, { 0x1D3F, 13 }, + { 0x033F, 13 }, { 0x133F, 13 }, { 0x0B3F, 13 }, { 0x1B3F, 13 }, + { 0x073F, 13 }, { 0x173F, 13 }, { 0x0F3F, 13 }, { 0x1F3F, 13 }, + { 0x00BF, 13 }, { 0x10BF, 13 }, { 0x08BF, 13 }, { 0x18BF, 13 }, + { 0x04BF, 13 }, { 0x14BF, 13 }, { 0x0CBF, 13 }, { 0x1CBF, 13 }, + { 0x02BF, 13 }, { 0x12BF, 13 }, { 0x0ABF, 13 }, { 0x1ABF, 13 }, + { 0x06BF, 13 }, { 0x16BF, 13 }, { 0x0EBF, 13 }, { 0x1EBF, 13 }, + { 0x01BF, 13 }, { 0x11BF, 13 }, { 0x09BF, 13 }, { 0x19BF, 13 }, + { 0x05BF, 13 }, { 0x15BF, 13 }, { 0x0DBF, 13 }, { 0x1DBF, 13 }, + { 0x03BF, 13 }, { 0x13BF, 13 }, { 0x0BBF, 13 }, { 0x1BBF, 13 }, + { 0x07BF, 13 }, { 0x17BF, 13 }, { 0x0FBF, 13 }, { 0x1FBF, 13 }, + { 0x007F, 14 }, { 0x207F, 14 }, { 0x107F, 14 }, { 0x307F, 14 }, + { 0x087F, 14 }, { 0x287F, 14 }, { 0x187F, 14 }, { 0x387F, 14 }, + { 0x047F, 14 }, { 0x247F, 14 }, { 0x147F, 14 }, { 0x0002, 3 }, + { 0x0011, 5 }, { 0x0005, 5 }, { 0x0015, 5 }, { 0x0003, 6 }, + { 0x003B, 6 }, { 0x0047, 8 }, { 0x00C7, 8 }, { 0x0017, 8 }, + { 0x00D7, 8 }, { 0x0077, 8 }, { 0x010F, 9 }, { 0x004F, 9 }, + { 0x01CF, 9 }, { 0x00AF, 9 }, { 0x016F, 9 }, #else - {0x0000, 3}, {0x0001, 3}, {0x0003, 3}, {0x0010, 5}, - {0x0012, 5}, {0x0013, 5}, {0x0016, 5}, {0x0017, 5}, - {0x0031, 6}, {0x0032, 6}, {0x0033, 6}, {0x0034, 6}, - {0x0035, 6}, {0x0036, 6}, {0x00E0, 8}, {0x00E1, 8}, - {0x00E4, 8}, {0x00E5, 8}, {0x00E6, 8}, {0x00E7, 8}, - {0x00E9, 8}, {0x00EA, 8}, {0x00EC, 8}, {0x00ED, 8}, - {0x00EF, 8}, {0x01E0, 9}, {0x01E2, 9}, {0x01E3, 9}, - {0x01E5, 9}, {0x01E6, 9}, {0x01E8, 9}, {0x01E9, 9}, - {0x01EB, 9}, {0x01EC, 9}, {0x01EE, 9}, {0x01EF, 9}, - {0x03E0, 10}, {0x03E1, 10}, {0x03E2, 10}, {0x03E3, 10}, - {0x03E4, 10}, {0x03E5, 10}, {0x03E6, 10}, {0x03E7, 10}, - {0x03E8, 10}, {0x03E9, 10}, {0x03EA, 10}, {0x03EB, 10}, - {0x03EC, 10}, {0x03ED, 10}, {0x03EE, 10}, {0x03EF, 10}, - {0x1F80, 13}, {0x1F81, 13}, {0x1F82, 13}, {0x1F83, 13}, - {0x1F84, 13}, {0x1F85, 13}, {0x1F86, 13}, {0x1F87, 13}, - {0x1F88, 13}, {0x1F89, 13}, {0x1F8A, 13}, {0x1F8B, 13}, - {0x1F8C, 13}, {0x1F8D, 13}, {0x1F8E, 13}, {0x1F8F, 13}, - {0x1F90, 13}, {0x1F91, 13}, {0x1F92, 13}, {0x1F93, 13}, - {0x1F94, 13}, {0x1F95, 13}, {0x1F96, 13}, {0x1F97, 13}, - {0x1F98, 13}, {0x1F99, 13}, {0x1F9A, 13}, {0x1F9B, 13}, - {0x1F9C, 13}, {0x1F9D, 13}, {0x1F9E, 13}, {0x1F9F, 13}, - {0x1FA0, 13}, {0x1FA1, 13}, {0x1FA2, 13}, {0x1FA3, 13}, - {0x1FA4, 13}, {0x1FA5, 13}, {0x1FA6, 13}, {0x1FA7, 13}, - {0x1FA8, 13}, {0x1FA9, 13}, {0x1FAA, 13}, {0x1FAB, 13}, - {0x1FAC, 13}, {0x1FAD, 13}, {0x1FAE, 13}, {0x1FAF, 13}, - {0x1FB0, 13}, {0x1FB1, 13}, {0x1FB2, 13}, {0x1FB3, 13}, - {0x1FB4, 13}, {0x1FB5, 13}, {0x1FB6, 13}, {0x1FB7, 13}, - {0x1FB8, 13}, {0x1FB9, 13}, {0x1FBA, 13}, {0x1FBB, 13}, - {0x1FBC, 13}, {0x1FBD, 13}, {0x1FBE, 13}, {0x1FBF, 13}, - {0x3F80, 14}, {0x3F81, 14}, {0x3F82, 14}, {0x3F83, 14}, - {0x3F84, 14}, {0x3F85, 14}, {0x3F86, 14}, {0x3F87, 14}, - {0x3F88, 14}, {0x3F89, 14}, {0x3F8A, 14}, {0x0002, 3}, - {0x0011, 5}, {0x0014, 5}, {0x0015, 5}, {0x0030, 6}, - {0x0037, 6}, {0x00E2, 8}, {0x00E3, 8}, {0x00E8, 8}, - {0x00EB, 8}, {0x00EE, 8}, {0x01E1, 9}, {0x01E4, 9}, - {0x01E7, 9}, {0x01EA, 9}, {0x01ED, 9} + { 0x0000, 3 }, { 0x0001, 3 }, { 0x0003, 3 }, { 0x0010, 5 }, + { 0x0012, 5 }, { 0x0013, 5 }, { 0x0016, 5 }, { 0x0017, 5 }, + { 0x0031, 6 }, { 0x0032, 6 }, { 0x0033, 6 }, { 0x0034, 6 }, + { 0x0035, 6 }, { 0x0036, 6 }, { 0x00E0, 8 }, { 0x00E1, 8 }, + { 0x00E4, 8 }, { 0x00E5, 8 }, { 0x00E6, 8 }, { 0x00E7, 8 }, + { 0x00E9, 8 }, { 0x00EA, 8 }, { 0x00EC, 8 }, { 0x00ED, 8 }, + { 0x00EF, 8 }, { 0x01E0, 9 }, { 0x01E2, 9 }, { 0x01E3, 9 }, + { 0x01E5, 9 }, { 0x01E6, 9 }, { 0x01E8, 9 }, { 0x01E9, 9 }, + { 0x01EB, 9 }, { 0x01EC, 9 }, { 0x01EE, 9 }, { 0x01EF, 9 }, + { 0x03E0, 10 }, { 0x03E1, 10 }, { 0x03E2, 10 }, { 0x03E3, 10 }, + { 0x03E4, 10 }, { 0x03E5, 10 }, { 0x03E6, 10 }, { 0x03E7, 10 }, + { 0x03E8, 10 }, { 0x03E9, 10 }, { 0x03EA, 10 }, { 0x03EB, 10 }, + { 0x03EC, 10 }, { 0x03ED, 10 }, { 0x03EE, 10 }, { 0x03EF, 10 }, + { 0x1F80, 13 }, { 0x1F81, 13 }, { 0x1F82, 13 }, { 0x1F83, 13 }, + { 0x1F84, 13 }, { 0x1F85, 13 }, { 0x1F86, 13 }, { 0x1F87, 13 }, + { 0x1F88, 13 }, { 0x1F89, 13 }, { 0x1F8A, 13 }, { 0x1F8B, 13 }, + { 0x1F8C, 13 }, { 0x1F8D, 13 }, { 0x1F8E, 13 }, { 0x1F8F, 13 }, + { 0x1F90, 13 }, { 0x1F91, 13 }, { 0x1F92, 13 }, { 0x1F93, 13 }, + { 0x1F94, 13 }, { 0x1F95, 13 }, { 0x1F96, 13 }, { 0x1F97, 13 }, + { 0x1F98, 13 }, { 0x1F99, 13 }, { 0x1F9A, 13 }, { 0x1F9B, 13 }, + { 0x1F9C, 13 }, { 0x1F9D, 13 }, { 0x1F9E, 13 }, { 0x1F9F, 13 }, + { 0x1FA0, 13 }, { 0x1FA1, 13 }, { 0x1FA2, 13 }, { 0x1FA3, 13 }, + { 0x1FA4, 13 }, { 0x1FA5, 13 }, { 0x1FA6, 13 }, { 0x1FA7, 13 }, + { 0x1FA8, 13 }, { 0x1FA9, 13 }, { 0x1FAA, 13 }, { 0x1FAB, 13 }, + { 0x1FAC, 13 }, { 0x1FAD, 13 }, { 0x1FAE, 13 }, { 0x1FAF, 13 }, + { 0x1FB0, 13 }, { 0x1FB1, 13 }, { 0x1FB2, 13 }, { 0x1FB3, 13 }, + { 0x1FB4, 13 }, { 0x1FB5, 13 }, { 0x1FB6, 13 }, { 0x1FB7, 13 }, + { 0x1FB8, 13 }, { 0x1FB9, 13 }, { 0x1FBA, 13 }, { 0x1FBB, 13 }, + { 0x1FBC, 13 }, { 0x1FBD, 13 }, { 0x1FBE, 13 }, { 0x1FBF, 13 }, + { 0x3F80, 14 }, { 0x3F81, 14 }, { 0x3F82, 14 }, { 0x3F83, 14 }, + { 0x3F84, 14 }, { 0x3F85, 14 }, { 0x3F86, 14 }, { 0x3F87, 14 }, + { 0x3F88, 14 }, { 0x3F89, 14 }, { 0x3F8A, 14 }, { 0x0002, 3 }, + { 0x0011, 5 }, { 0x0014, 5 }, { 0x0015, 5 }, { 0x0030, 6 }, + { 0x0037, 6 }, { 0x00E2, 8 }, { 0x00E3, 8 }, { 0x00E8, 8 }, + { 0x00EB, 8 }, { 0x00EE, 8 }, { 0x01E1, 9 }, { 0x01E4, 9 }, + { 0x01E7, 9 }, { 0x01EA, 9 }, { 0x01ED, 9 }, #endif }; -static const uint8_t ir2_luma_table[256] = { - 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, - 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, - 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, - 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, - 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, - 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, - 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, - 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, - 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, - 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, - 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, - 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, - 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, - 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, - 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, - 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, - 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, - 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, - 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, - 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, - 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, - 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, - 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, - 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, - 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, - 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, - 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, - 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, - 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, - 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, - 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, - 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80 +static const uint8_t ir2_delta_table[4][256] = { + { 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, + 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, + 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, + 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, + 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, + 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, + 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, + 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, + 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, + 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, + 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, + 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, + 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, + 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, + 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, + 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, + 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, + 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, + 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, + 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, + 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, + 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, + 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, + 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, + 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, + 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, + 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, + 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, + 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, + 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, + 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, + 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80, }, + { 0x80, 0x80, 0x85, 0x85, 0x7B, 0x7B, 0x7E, 0x87, + 0x82, 0x79, 0x87, 0x7E, 0x79, 0x82, 0x8F, 0x8F, + 0x71, 0x71, 0x84, 0x8F, 0x7C, 0x71, 0x8F, 0x84, + 0x71, 0x7C, 0x75, 0x8B, 0x8B, 0x75, 0x8B, 0x75, + 0x75, 0x8B, 0x8E, 0x9A, 0x72, 0x66, 0x9A, 0x8E, + 0x66, 0x72, 0x7B, 0x93, 0x85, 0x6D, 0x93, 0x7B, + 0x6D, 0x85, 0x9B, 0x9B, 0x65, 0x65, 0x82, 0x9D, + 0x7E, 0x63, 0x9D, 0x82, 0x63, 0x7E, 0x9B, 0xA8, + 0x65, 0x58, 0xA8, 0x9B, 0x58, 0x65, 0xA9, 0xA9, + 0x57, 0x57, 0x8D, 0xAA, 0x73, 0x56, 0xAA, 0x8D, + 0x56, 0x73, 0x6E, 0x99, 0x92, 0x67, 0x99, 0x6E, + 0x67, 0x92, 0x76, 0xA2, 0x8A, 0x5E, 0xA2, 0x76, + 0x5E, 0x8A, 0x7F, 0xAF, 0x81, 0x51, 0xAF, 0x7F, + 0x51, 0x81, 0xAB, 0xBA, 0x55, 0x46, 0xBA, 0xAB, + 0x46, 0x55, 0x9A, 0xBB, 0x66, 0x45, 0xBB, 0x9A, + 0x45, 0x66, 0xBB, 0xBB, 0x45, 0x45, 0x60, 0xA0, + 0xA0, 0x60, 0xA0, 0x60, 0x60, 0xA0, 0x8B, 0xBE, + 0x75, 0x42, 0xBE, 0x8B, 0x42, 0x75, 0x66, 0xAA, + 0x9A, 0x56, 0xAA, 0x66, 0x56, 0x9A, 0x70, 0xB5, + 0x90, 0x4B, 0xB5, 0x70, 0x4B, 0x90, 0xBE, 0xCF, + 0x42, 0x31, 0xCF, 0xBE, 0x31, 0x42, 0xAB, 0xD0, + 0x55, 0x30, 0xD0, 0xAB, 0x30, 0x55, 0xD1, 0xD1, + 0x2F, 0x2F, 0x9A, 0xD3, 0x66, 0x2D, 0xD3, 0x9A, + 0x2D, 0x66, 0x7B, 0xC5, 0x85, 0x3B, 0xC5, 0x7B, + 0x3B, 0x85, 0x54, 0xB4, 0xAC, 0x4C, 0xB4, 0x54, + 0x4C, 0xAC, 0x5E, 0xBE, 0xA2, 0x42, 0xBE, 0x5E, + 0x42, 0xA2, 0x87, 0xD8, 0x79, 0x28, 0xD8, 0x87, + 0x28, 0x79, 0xC0, 0xE8, 0x40, 0x18, 0xE8, 0xC0, + 0x18, 0x40, 0xD5, 0xE8, 0x2B, 0x18, 0xE8, 0xD5, + 0x18, 0x2B, 0xAB, 0xE9, 0x55, 0x17, 0xE9, 0xAB, + 0x17, 0x55, 0x68, 0xCD, 0x98, 0x33, 0xCD, 0x68, + 0x33, 0x98, 0xEA, 0xEA, 0x16, 0x16, 0x80, 0x80, }, + { 0x80, 0x80, 0x86, 0x86, 0x7A, 0x7A, 0x7E, 0x88, + 0x82, 0x78, 0x88, 0x7E, 0x78, 0x82, 0x92, 0x92, + 0x6E, 0x6E, 0x85, 0x92, 0x7B, 0x6E, 0x92, 0x85, + 0x6E, 0x7B, 0x73, 0x8D, 0x8D, 0x73, 0x8D, 0x73, + 0x73, 0x8D, 0x91, 0x9E, 0x6F, 0x62, 0x9E, 0x91, + 0x62, 0x6F, 0x79, 0x97, 0x87, 0x69, 0x97, 0x79, + 0x69, 0x87, 0xA0, 0xA0, 0x60, 0x60, 0x83, 0xA2, + 0x7D, 0x5E, 0xA2, 0x83, 0x5E, 0x7D, 0xA0, 0xB0, + 0x60, 0x50, 0xB0, 0xA0, 0x50, 0x60, 0xB1, 0xB1, + 0x4F, 0x4F, 0x8F, 0xB2, 0x71, 0x4E, 0xB2, 0x8F, + 0x4E, 0x71, 0x6B, 0x9E, 0x95, 0x62, 0x9E, 0x6B, + 0x62, 0x95, 0x74, 0xA9, 0x8C, 0x57, 0xA9, 0x74, + 0x57, 0x8C, 0x7F, 0xB8, 0x81, 0x48, 0xB8, 0x7F, + 0x48, 0x81, 0xB4, 0xC5, 0x4C, 0x3B, 0xC5, 0xB4, + 0x3B, 0x4C, 0x9F, 0xC6, 0x61, 0x3A, 0xC6, 0x9F, + 0x3A, 0x61, 0xC6, 0xC6, 0x3A, 0x3A, 0x59, 0xA7, + 0xA7, 0x59, 0xA7, 0x59, 0x59, 0xA7, 0x8D, 0xCA, + 0x73, 0x36, 0xCA, 0x8D, 0x36, 0x73, 0x61, 0xB2, + 0x9F, 0x4E, 0xB2, 0x61, 0x4E, 0x9F, 0x6D, 0xBF, + 0x93, 0x41, 0xBF, 0x6D, 0x41, 0x93, 0xCA, 0xDF, + 0x36, 0x21, 0xDF, 0xCA, 0x21, 0x36, 0xB3, 0xDF, + 0x4D, 0x21, 0xDF, 0xB3, 0x21, 0x4D, 0xE1, 0xE1, + 0x1F, 0x1F, 0x9F, 0xE3, 0x61, 0x1D, 0xE3, 0x9F, + 0x1D, 0x61, 0x7A, 0xD3, 0x86, 0x2D, 0xD3, 0x7A, + 0x2D, 0x86, 0x4C, 0xBE, 0xB4, 0x42, 0xBE, 0x4C, + 0x42, 0xB4, 0x57, 0xCA, 0xA9, 0x36, 0xCA, 0x57, + 0x36, 0xA9, 0x88, 0xE9, 0x78, 0x17, 0xE9, 0x88, + 0x17, 0x78, 0xCC, 0xFB, 0x34, 0x05, 0xFB, 0xCC, + 0x05, 0x34, 0xE6, 0xFB, 0x1A, 0x05, 0xFB, 0xE6, + 0x05, 0x1A, 0xB4, 0xFD, 0x4C, 0x03, 0xFD, 0xB4, + 0x03, 0x4C, 0x63, 0xDC, 0x9D, 0x24, 0xDC, 0x63, + 0x24, 0x9D, 0xFE, 0xFE, 0x02, 0x02, 0x80, 0x80, }, + { 0x80, 0x80, 0x87, 0x87, 0x79, 0x79, 0x7E, 0x89, + 0x82, 0x77, 0x89, 0x7E, 0x77, 0x82, 0x95, 0x95, + 0x6B, 0x6B, 0x86, 0x96, 0x7A, 0x6A, 0x96, 0x86, + 0x6A, 0x7A, 0x70, 0x90, 0x90, 0x70, 0x90, 0x70, + 0x70, 0x90, 0x94, 0xA4, 0x6C, 0x5C, 0xA4, 0x94, + 0x5C, 0x6C, 0x78, 0x9B, 0x88, 0x65, 0x9B, 0x78, + 0x65, 0x88, 0xA6, 0xA6, 0x5A, 0x5A, 0x83, 0xA9, + 0x7D, 0x57, 0xA9, 0x83, 0x57, 0x7D, 0xA6, 0xB9, + 0x5A, 0x47, 0xB9, 0xA6, 0x47, 0x5A, 0xBA, 0xBA, + 0x46, 0x46, 0x92, 0xBC, 0x6E, 0x44, 0xBC, 0x92, + 0x44, 0x6E, 0x67, 0xA3, 0x99, 0x5D, 0xA3, 0x67, + 0x5D, 0x99, 0x72, 0xB0, 0x8E, 0x50, 0xB0, 0x72, + 0x50, 0x8E, 0x7F, 0xC3, 0x81, 0x3D, 0xC3, 0x7F, + 0x3D, 0x81, 0xBE, 0xD2, 0x42, 0x2E, 0xD2, 0xBE, + 0x2E, 0x42, 0xA5, 0xD4, 0x5B, 0x2C, 0xD4, 0xA5, + 0x2C, 0x5B, 0xD4, 0xD4, 0x2C, 0x2C, 0x52, 0xAE, + 0xAE, 0x52, 0xAE, 0x52, 0x52, 0xAE, 0x8F, 0xD8, + 0x71, 0x28, 0xD8, 0x8F, 0x28, 0x71, 0x5B, 0xBB, + 0xA5, 0x45, 0xBB, 0x5B, 0x45, 0xA5, 0x69, 0xCB, + 0x97, 0x35, 0xCB, 0x69, 0x35, 0x97, 0xD8, 0xF0, + 0x28, 0x10, 0xF0, 0xD8, 0x10, 0x28, 0xBD, 0xF1, + 0x43, 0x0F, 0xF1, 0xBD, 0x0F, 0x43, 0xF3, 0xF3, + 0x0D, 0x0D, 0xA5, 0xF6, 0x5B, 0x0A, 0xF6, 0xA5, + 0x0A, 0x5B, 0x78, 0xE2, 0x88, 0x1E, 0xE2, 0x78, + 0x1E, 0x88, 0x42, 0xC9, 0xBE, 0x37, 0xC9, 0x42, + 0x37, 0xBE, 0x4F, 0xD8, 0xB1, 0x28, 0xD8, 0x4F, + 0x28, 0xB1, 0x8A, 0xFD, 0x76, 0x03, 0xFD, 0x8A, + 0x03, 0x76, 0xDB, 0xFF, 0x25, 0x01, 0xFF, 0xDB, + 0x01, 0x25, 0xF9, 0xFF, 0x07, 0x01, 0xFF, 0xF9, + 0x01, 0x07, 0xBE, 0xFF, 0x42, 0x01, 0xFF, 0xBE, + 0x01, 0x42, 0x5E, 0xED, 0xA2, 0x13, 0xED, 0x5E, + 0x13, 0xA2, 0xFF, 0xFF, 0x01, 0x01, 0x80, 0x80, }, }; #endif /* AVCODEC_INDEO2DATA_H */ diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index d38765ea40..9fde0fdf6c 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -94,7 +94,7 @@ typedef struct Indeo3DecodeContext { int16_t width, height; uint32_t frame_num; ///< current frame number (zero-based) - uint32_t data_size; ///< size of the frame data in bytes + int data_size; ///< size of the frame data in bytes uint16_t frame_flags; ///< frame properties uint8_t cb_offset; ///< needed for selecting VQ tables uint8_t buf_sel; ///< active frame buffer: 0 - primary, 1 -secondary @@ -899,7 +899,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, GetByteContext gb; const uint8_t *bs_hdr; uint32_t frame_num, word2, check_sum, data_size; - uint32_t y_offset, u_offset, v_offset, starts[3], ends[3]; + int y_offset, u_offset, v_offset; + uint32_t starts[3], ends[3]; uint16_t height, width; int i, j; @@ -981,7 +982,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->y_data_size = ends[0] - starts[0]; ctx->v_data_size = ends[1] - starts[1]; ctx->u_data_size = ends[2] - starts[2]; - if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || + if (FFMIN3(y_offset, v_offset, u_offset) < 0 || + FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 || FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) { av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n"); diff --git a/libavcodec/internal.h b/libavcodec/internal.h index dcb2113f6f..b8ceb2e9f1 100644 --- a/libavcodec/internal.h +++ b/libavcodec/internal.h @@ -35,6 +35,8 @@ #define FF_SANE_NB_CHANNELS 63U +#define FF_SIGNBIT(x) (x >> CHAR_BIT * sizeof(x) - 1) + #if HAVE_AVX # define STRIDE_ALIGN 32 #elif HAVE_SIMD_ALIGN_16 diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 96c0cd1397..d1294a8679 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -38,6 +38,7 @@ #include #include +#include "libavutil/intreadwrite.h" #include "avcodec.h" #include "bytestream.h" #include "hpeldsp.h" @@ -949,7 +950,7 @@ static void ipvideo_decode_opcodes(IpvideoContext *s, AVFrame *frame) } } if (bytestream2_get_bytes_left(&s->stream_ptr) > 1) { - av_log(s->avctx, AV_LOG_ERROR, + av_log(s->avctx, AV_LOG_DEBUG, "decode finished with %d bytes left over\n", bytestream2_get_bytes_left(&s->stream_ptr)); } @@ -987,31 +988,38 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret; - /* decoding map contains 4 bits of information per 8x8 block */ - s->decoding_map_size = avctx->width * avctx->height / (8 * 8 * 2); - - /* compressed buffer needs to be large enough to at least hold an entire - * decoding map */ - if (buf_size < s->decoding_map_size) - return buf_size; - if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { av_frame_unref(s->last_frame); av_frame_unref(s->second_last_frame); } - s->decoding_map = buf; - bytestream2_init(&s->stream_ptr, buf + s->decoding_map_size, + if (buf_size < 2) + return AVERROR_INVALIDDATA; + + /* decoding map contains 4 bits of information per 8x8 block */ + s->decoding_map_size = AV_RL16(avpkt->data); + + /* compressed buffer needs to be large enough to at least hold an entire + * decoding map */ + if (buf_size < s->decoding_map_size + 2) + return buf_size; + + + s->decoding_map = buf + 2; + bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size, buf_size - s->decoding_map_size); if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; if (!s->is_16bpp) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 70a8ffe7d7..44a649a53c 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -31,6 +31,7 @@ #include #include "libavutil/attributes.h" +#include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/mathematics.h" #include "avcodec.h" @@ -162,6 +163,7 @@ static int h263_decode_gob_header(MpegEncContext *s) /* We have a GBSC probably with GSTUFF */ skip_bits(&s->gb, 16); /* Drop the zeros */ left= get_bits_left(&s->gb); + left = FFMIN(left, 32); //MN: we must check the bits left or we might end in a infinite loop (or segfault) for(;left>13; left--){ if(get_bits1(&s->gb)) break; /* Seek the '1' bit */ @@ -520,7 +522,7 @@ retry: }else{ level = SHOW_UBITS(re, &s->gb, 5); SKIP_CACHE(re, &s->gb, 5); - level |= SHOW_SBITS(re, &s->gb, 6)<<5; + level |= SHOW_SBITS(re, &s->gb, 6) * (1<<5); SKIP_COUNTER(re, &s->gb, 5 + 6); } } @@ -872,7 +874,7 @@ end: /* most is hardcoded. should extend to handle all h263 streams */ int ff_h263_decode_picture_header(MpegEncContext *s) { - int format, width, height, i; + int format, width, height, i, ret; uint32_t startcode; align_get_bits(&s->gb); @@ -927,8 +929,6 @@ int ff_h263_decode_picture_header(MpegEncContext *s) /* H.263v1 */ width = ff_h263_format[format][0]; height = ff_h263_format[format][1]; - if (!width) - return -1; s->pict_type = AV_PICTURE_TYPE_I + get_bits1(&s->gb); @@ -1084,10 +1084,9 @@ int ff_h263_decode_picture_header(MpegEncContext *s) s->qscale = get_bits(&s->gb, 5); } - if (s->width == 0 || s->height == 0) { - av_log(s->avctx, AV_LOG_ERROR, "dimensions 0\n"); - return -1; - } + if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0) + return ret; + s->mb_width = (s->width + 15) / 16; s->mb_height = (s->height + 15) / 16; s->mb_num = s->mb_width * s->mb_height; diff --git a/libavcodec/ituh263enc.c b/libavcodec/ituh263enc.c index 43ad08026f..7a91dc0e86 100644 --- a/libavcodec/ituh263enc.c +++ b/libavcodec/ituh263enc.c @@ -43,7 +43,7 @@ /** * Table of number of bits a motion vector component needs. */ -static uint8_t mv_penalty[MAX_FCODE+1][MAX_MV*2+1]; +static uint8_t mv_penalty[MAX_FCODE+1][MAX_DMV*2+1]; /** * Minimal fcode that a motion vector component would need. @@ -676,7 +676,7 @@ static av_cold void init_mv_penalty_and_fcode(MpegEncContext *s) int mv; for(f_code=1; f_code<=MAX_FCODE; f_code++){ - for(mv=-MAX_MV; mv<=MAX_MV; mv++){ + for(mv=-MAX_DMV; mv<=MAX_DMV; mv++){ int len; if(mv==0) len= ff_mvtab[0][1]; @@ -697,7 +697,7 @@ static av_cold void init_mv_penalty_and_fcode(MpegEncContext *s) } } - mv_penalty[f_code][mv+MAX_MV]= len; + mv_penalty[f_code][mv+MAX_DMV]= len; } } diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 379508123f..80b0676287 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -30,6 +30,7 @@ #define BITSTREAM_READER_LE #include "libavutil/attributes.h" +#include "libavutil/imgutils.h" #include "libavutil/timer.h" #include "avcodec.h" #include "get_bits.h" @@ -310,7 +311,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg, ivi_free_buffers(planes); - if (cfg->pic_width < 1 || cfg->pic_height < 1 || + if (av_image_check_size(cfg->pic_width, cfg->pic_height, 0, NULL) < 0 || cfg->luma_bands < 1 || cfg->chroma_bands < 1) return AVERROR_INVALIDDATA; diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 89121ac080..6690770963 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -116,10 +116,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b0_2 = b0_ptr[pitch+indx+1]; tmp1 = tmp0 + b0_1; - p0 = tmp0 << 4; - p1 = tmp1 << 3; - p2 = (tmp0 + tmp2) << 3; - p3 = (tmp1 + tmp2 + b0_2) << 2; + p0 = tmp0 * 16; + p1 = tmp1 * 8; + p2 = (tmp0 + tmp2) * 8; + p3 = (tmp1 + tmp2 + b0_2) * 4; } /* process the HL-band by applying HPF vertically and LPF horizontally */ @@ -132,10 +132,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp2 = tmp1 - tmp0*6 + b1_3; b1_3 = b1_1 - b1_2*6 + b1_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 3; - p1 += (tmp0 + tmp1 + b1_1 + b1_2) << 2; - p2 += tmp2 << 2; - p3 += (tmp2 + b1_3) << 1; + p0 += (tmp0 + tmp1) * 8; + p1 += (tmp0 + tmp1 + b1_1 + b1_2) * 4; + p2 += tmp2 * 4; + p3 += (tmp2 + b1_3) * 2; } /* process the LH-band by applying LPF vertically and HPF horizontally */ @@ -146,10 +146,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp0 = b2_1 + b2_2; tmp1 = b2_1 - b2_2*6 + b2_3; - p0 += tmp0 << 3; - p1 += tmp1 << 2; - p2 += (tmp0 + b2_4 + b2_5) << 2; - p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) << 1; + p0 += tmp0 * 8; + p1 += tmp1 * 4; + p2 += (tmp0 + b2_4 + b2_5) * 4; + p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2; } /* process the HH-band by applying HPF both vertically and horizontally */ @@ -163,9 +163,9 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b3_9 = b3_3 - b3_6*6 + b3_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 2; - p1 += (tmp0 - tmp1*6 + tmp2) << 1; - p2 += (b3_7 + b3_8) << 1; + p0 += (tmp0 + tmp1) * 4; + p1 += (tmp0 - tmp1*6 + tmp2) * 2; + p2 += (b3_7 + b3_8) * 2; p3 += b3_7 - b3_8*6 + b3_9; } @@ -243,7 +243,7 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst, #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\ d1, d2, d3, d4, d5, d6, d7, d8,\ t0, t1, t2, t3, t4, t5, t6, t7, t8) {\ - t1 = (s1) << 1; t5 = (s5) << 1;\ + t1 = (s1) * 2; t5 = (s5) * 2;\ IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\ IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\ IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\ @@ -284,10 +284,10 @@ void ff_ivi_inverse_haar_8x8(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 4); - sp1 = src[ 0] << shift; - sp2 = src[ 8] << shift; - sp3 = src[16] << shift; - sp4 = src[24] << shift; + sp1 = src[ 0] * (1 << shift); + sp2 = src[ 8] * (1 << shift); + sp3 = src[16] * (1 << shift); + sp4 = src[24] * (1 << shift); INV_HAAR8( sp1, sp2, sp3, sp4, src[32], src[40], src[48], src[56], dst[ 0], dst[ 8], dst[16], dst[24], @@ -393,8 +393,8 @@ void ff_ivi_inverse_haar_4x4(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 2); - sp1 = src[0] << shift; - sp2 = src[4] << shift; + sp1 = src[0] * (1 << shift); + sp2 = src[4] * (1 << shift); INV_HAAR4( sp1, sp2, src[8], src[12], dst[0], dst[4], dst[8], dst[12], t0, t1, t2, t3, t4); diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index ddb0b686cb..2b0322e88a 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -17,8 +17,46 @@ * You should have received a copy of the GNU Lesser General Public * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + * ********************************************************************************************************************** + * + * + * + * This source code incorporates work covered by the following copyright and + * permission notice: + * + * Copyright (c) 2002-2007, Communications and Remote Sensing Laboratory, Universite catholique de Louvain (UCL), Belgium + * Copyright (c) 2002-2007, Professor Benoit Macq + * Copyright (c) 2001-2003, David Janssens + * Copyright (c) 2002-2003, Yannick Verschueren + * Copyright (c) 2003-2007, Francois-Olivier Devaux and Antonin Descampe + * Copyright (c) 2005, Herve Drolon, FreeImage Team + * Copyright (c) 2007, Callum Lerwick + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. */ + /** * JPEG2000 image encoder * @file @@ -625,7 +663,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, Jpeg2000T1Context *t1, Jpeg20 cblk->ninclpasses = passno; // TODO: optional flush on each pass - cblk->passes[passno-1].rate = ff_mqc_flush(&t1->mqc); + if (passno) + cblk->passes[passno-1].rate = ff_mqc_flush(&t1->mqc); } /* tier-2 routines: */ diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index ede1a791c8..99261a28f4 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -28,6 +28,7 @@ #include "libavutil/attributes.h" #include "libavutil/avassert.h" #include "libavutil/common.h" +#include "libavutil/imgutils.h" #include "libavutil/mem.h" #include "avcodec.h" #include "jpeg2000.h" @@ -210,9 +211,17 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, codsty->nreslevels2decode - 1, codsty->transform)) return ret; - // component size comp->coord is uint16_t so ir cannot overflow + + if (av_image_check_size(comp->coord[0][1] - comp->coord[0][0], + comp->coord[1][1] - comp->coord[1][0], 0, avctx)) + return AVERROR_INVALIDDATA; csize = (comp->coord[0][1] - comp->coord[0][0]) * (comp->coord[1][1] - comp->coord[1][0]); + if (comp->coord[0][1] > 32768 || + comp->coord[1][1] > 32768) { + av_log(avctx, AV_LOG_ERROR, "component size too large\n"); + return AVERROR_PATCHWELCOME; + } if (codsty->transform == FF_DWT97) { comp->i_data = NULL; @@ -243,6 +252,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, // update precincts size: 2^n value reslevel->log2_prec_width = codsty->log2_prec_widths[reslevelno]; reslevel->log2_prec_height = codsty->log2_prec_heights[reslevelno]; + if (!reslevel->log2_prec_width || !reslevel->log2_prec_height) { + return AVERROR_INVALIDDATA; + } /* Number of bands for each resolution level */ if (reslevelno == 0) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index acdba62a07..eaa8f61c5c 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -211,7 +211,7 @@ static inline int ff_jpeg2000_ceildivpow2(int a, int b) static inline int ff_jpeg2000_ceildiv(int a, int b) { - return (a + b - 1) / b; + return (a + (int64_t)b - 1) / b; } /* TIER-1 routines */ diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index d6204bbfc7..6174d6797e 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -231,6 +231,7 @@ static int get_siz(Jpeg2000DecoderContext *s) uint32_t log2_chroma_wh = 0; const enum AVPixelFormat *possible_fmts = NULL; int possible_fmts_nb = 0; + int ret; if (bytestream2_get_bytes_left(&s->g) < 36) return AVERROR_INVALIDDATA; @@ -250,6 +251,10 @@ static int get_siz(Jpeg2000DecoderContext *s) avpriv_request_sample(s->avctx, "Support for image offsets"); return AVERROR_PATCHWELCOME; } + if (s->width > 32768U || s->height > 32768U) { + avpriv_request_sample(s->avctx, "Large Dimensions"); + return AVERROR_PATCHWELCOME; + } if (ncomponents <= 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of components: %d\n", @@ -263,6 +268,16 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_PATCHWELCOME; } + if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || + s->image_offset_x < s->tile_offset_x || + s->image_offset_y < s->tile_offset_y || + s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x || + s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y + ) { + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); + return AVERROR_INVALIDDATA; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { @@ -312,10 +327,13 @@ static int get_siz(Jpeg2000DecoderContext *s) } /* compute image size with reduction factor */ - s->avctx->width = ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, - s->reduction_factor); - s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, - s->reduction_factor); + ret = ff_set_dimensions(s->avctx, + ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, + s->reduction_factor), + ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, + s->reduction_factor)); + if (ret < 0) + return ret; if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K || s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) { @@ -684,10 +702,10 @@ static int init_tile(Jpeg2000DecoderContext *s, int tileno) Jpeg2000QuantStyle *qntsty = tile->qntsty + compno; int ret; // global bandno - comp->coord_o[0][0] = FFMAX(tilex * s->tile_width + s->tile_offset_x, s->image_offset_x); - comp->coord_o[0][1] = FFMIN((tilex + 1) * s->tile_width + s->tile_offset_x, s->width); - comp->coord_o[1][0] = FFMAX(tiley * s->tile_height + s->tile_offset_y, s->image_offset_y); - comp->coord_o[1][1] = FFMIN((tiley + 1) * s->tile_height + s->tile_offset_y, s->height); + comp->coord_o[0][0] = av_clip(tilex * (int64_t)s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[0][1] = av_clip((tilex + 1) * (int64_t)s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[1][0] = av_clip(tiley * (int64_t)s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); + comp->coord_o[1][1] = av_clip((tiley + 1) * (int64_t)s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); comp->coord[0][0] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][0], s->reduction_factor); comp->coord[0][1] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][1], s->reduction_factor); @@ -767,9 +785,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, if (!cblk->npasses) { int v = expn[bandno] + numgbits - 1 - tag_tree_decode(s, prec->zerobits + cblkno, 100); - if (v < 0) { + if (v < 0 || v > 30) { av_log(s->avctx, AV_LOG_ERROR, - "nonzerobits %d invalid\n", v); + "nonzerobits %d invalid or unsupported\n", v); return AVERROR_INVALIDDATA; } cblk->nonzerobits = v; @@ -1075,6 +1093,10 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty, ff_mqc_initdec(&t1->mqc, cblk->data); while (passno--) { + if (bpno < 0) { + av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n"); + return AVERROR_INVALIDDATA; + } switch(pass_t) { case 0: decode_sigpass(t1, width, height, bpno + 1, bandpos, @@ -1162,11 +1184,16 @@ static void mct_decode(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) int32_t *src[3], i0, i1, i2; float *srcf[3], i0f, i1f, i2f; - for (i = 1; i < 3; i++) + for (i = 1; i < 3; i++) { if (tile->codsty[0].transform != tile->codsty[i].transform) { av_log(s->avctx, AV_LOG_ERROR, "Transforms mismatch, MCT not supported\n"); return; } + if (memcmp(tile->comp[0].coord, tile->comp[i].coord, sizeof(tile->comp[0].coord))) { + av_log(s->avctx, AV_LOG_ERROR, "Coords mismatch, MCT not supported\n"); + return; + } + } for (i = 0; i < 3; i++) if (tile->codsty[0].transform == FF_DWT97) @@ -1279,11 +1306,15 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, if (tile->codsty[0].mct) mct_decode(s, tile); - if (s->cdef[0] < 0) { - for (x = 0; x < s->ncomponents; x++) - s->cdef[x] = x + 1; - if ((s->ncomponents & 1) == 0) - s->cdef[s->ncomponents-1] = 0; + for (x = 0; x < s->ncomponents; x++) { + if (s->cdef[x] < 0) { + for (x = 0; x < s->ncomponents; x++) { + s->cdef[x] = x + 1; + } + if ((s->ncomponents & 1) == 0) + s->cdef[s->ncomponents-1] = 0; + break; + } } if (s->precision <= 8) { @@ -1398,6 +1429,7 @@ static void jpeg2000_dec_cleanup(Jpeg2000DecoderContext *s) memset(s->codsty, 0, sizeof(s->codsty)); memset(s->qntsty, 0, sizeof(s->qntsty)); s->numXtiles = s->numYtiles = 0; + s->ncomponents = 0; } static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s) @@ -1452,6 +1484,10 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s) switch (marker) { case JPEG2000_SIZ: + if (s->ncomponents) { + av_log(s->avctx, AV_LOG_ERROR, "Duplicate SIZ\n"); + return AVERROR_INVALIDDATA; + } ret = get_siz(s); if (!s->tile) s->numXtiles = s->numYtiles = 0; @@ -1606,7 +1642,7 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) int cn = bytestream2_get_be16(&s->g); int av_unused typ = bytestream2_get_be16(&s->g); int asoc = bytestream2_get_be16(&s->g); - if (cn < 4 || asoc < 4) + if (cn < 4 && asoc < 4) s->cdef[cn] = asoc; } } diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index ceceda36dc..925adea13b 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -540,6 +540,9 @@ int ff_jpeg2000_dwt_init(DWTContext *s, uint16_t border[2][2], int ff_dwt_encode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch(s->type){ case FF_DWT97: dwt_encode97_float(s, t); break; @@ -555,6 +558,9 @@ int ff_dwt_encode(DWTContext *s, void *t) int ff_dwt_decode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch (s->type) { case FF_DWT97: dwt_decode97_float(s, t); diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index fb3762dad0..dea02ff8e8 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -224,6 +224,9 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, while (x < w) { int err, pred; + if (get_bits_left(&s->gb) <= 0) + return; + /* compute gradients */ Ra = x ? R(dst, x - stride) : R(last, x); Rb = R(last, x); @@ -269,6 +272,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, x += stride; } + if (x >= w) { + av_log(NULL, AV_LOG_ERROR, "run overflow\n"); + return; + } + /* decode run termination value */ Rb = R(last, x); RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0; @@ -364,6 +372,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); } + if (get_bits_left(&s->gb) < s->height) { + ret = AVERROR_INVALIDDATA; + goto end; + } if (ilv == 0) { /* separate planes */ if (s->cur_scan > s->nb_components) { ret = AVERROR_INVALIDDATA; @@ -413,6 +425,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, avpriv_report_missing_feature(s->avctx, "Sample interleaved images"); ret = AVERROR_PATCHWELCOME; goto end; + } else { /* unknown interleaving */ + avpriv_report_missing_feature(s->avctx, "Unknown interleaved images"); + ret = AVERROR_PATCHWELCOME; + goto end; } if (s->xfrm && s->nb_components == 3) { diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 47e8edcae6..9c4a8d4ca3 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -43,6 +43,13 @@ static av_cold int decode_init(AVCodecContext *avctx) { JvContext *s = avctx->priv_data; + if (!avctx->width || !avctx->height || + (avctx->width & 7) || (avctx->height & 7)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index b81ba75325..8b51b64c3b 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h = (buf[1] + 1) * 8; buf += 2; + if (avpkt->size < 2 + w*h / 513) + return AVERROR_INVALIDDATA; + if (w != avctx->width || h != avctx->height) { av_freep(&c->frame_buffer); av_freep(&c->last_frame_buffer); diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index f879c353e7..5053a27385 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c @@ -268,7 +268,8 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, int i, ret; int header; int blocksize; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); bytestream2_init(&ctx->g, avpkt->data, avpkt->size); @@ -303,9 +304,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, } } - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(ctx->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } if (ctx->setpal) { diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index a08d7fde1b..5ed0217ea5 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -98,7 +98,7 @@ static uint32_t softfloat_mul(uint32_t x, uint64_t mantissa) static uint8_t lag_calc_zero_run(int8_t x) { - return (x << 1) ^ (x >> 7); + return (x * 2) ^ (x >> 7); } static int lag_decode_prob(GetBitContext *gb, uint32_t *value) @@ -191,7 +191,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } scale_factor++; - cumulative_target = 1 << scale_factor; + if (scale_factor >= 32U) + return AVERROR_INVALIDDATA; + cumulative_target = 1U << scale_factor; if (scaled_cumul_prob > cumulative_target) { av_log(rac->avctx, AV_LOG_ERROR, diff --git a/libavcodec/libfdk-aacdec.c b/libavcodec/libfdk-aacdec.c index 624d57959c..a1903805ae 100644 --- a/libavcodec/libfdk-aacdec.c +++ b/libavcodec/libfdk-aacdec.c @@ -235,7 +235,7 @@ static int fdk_aac_decode_frame(AVCodecContext *avctx, void *data, return AVERROR(ENOMEM); } - err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) buf, buf_size, 0); + err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) buf, buf_size / sizeof(INT_PCM), 0); if (err == AAC_DEC_NOT_ENOUGH_BITS) { ret = avpkt->size - valid; goto end; diff --git a/libavcodec/libilbc.c b/libavcodec/libilbc.c index 898fe83b1c..9fdd3c83f5 100644 --- a/libavcodec/libilbc.c +++ b/libavcodec/libilbc.c @@ -96,8 +96,7 @@ static int ilbc_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; - WebRtcIlbcfix_DecodeImpl((WebRtc_Word16*) frame->data[0], - (const WebRtc_UWord16*) buf, &s->decoder, 1); + WebRtcIlbcfix_DecodeImpl((int16_t *) frame->data[0], (const uint16_t *) buf, &s->decoder, 1); *got_frame_ptr = 1; @@ -170,7 +169,7 @@ static int ilbc_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if ((ret = ff_alloc_packet2(avctx, avpkt, 50)) < 0) return ret; - WebRtcIlbcfix_EncodeImpl((WebRtc_UWord16*) avpkt->data, (const WebRtc_Word16*) frame->data[0], &s->encoder); + WebRtcIlbcfix_EncodeImpl((uint16_t *) avpkt->data, (const int16_t *) frame->data[0], &s->encoder); avpkt->size = s->encoder.no_of_bytes; *got_packet_ptr = 1; diff --git a/libavcodec/libopenjpegdec.c b/libavcodec/libopenjpegdec.c index 0cf46e613d..33c570fd8a 100644 --- a/libavcodec/libopenjpegdec.c +++ b/libavcodec/libopenjpegdec.c @@ -356,6 +356,15 @@ static int libopenjpeg_decode_frame(AVCodecContext *avctx, goto done; } + for (i = 0; i < image->numcomps; i++) { + if (!image->comps[i].data) { + av_log(avctx, AV_LOG_ERROR, + "Image component %d contains no data.\n", i); + ret = AVERROR_INVALIDDATA; + goto done; + } + } + desc = av_pix_fmt_desc_get(avctx->pix_fmt); pixel_size = desc->comp[0].step_minus1 + 1; ispacked = libopenjpeg_ispacked(avctx->pix_fmt); diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index 66633f4ad2..458cf7c2c1 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c @@ -164,6 +164,9 @@ static opj_image_t *mj2_create_image(AVCodecContext *avctx, opj_cparameters_t *p img = opj_image_create(numcomps, cmptparm, color_space); + if (!img) + return NULL; + // x0, y0 is the top left corner of the image // x1, y1 is the width, height of the reference grid img->x0 = 0; diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 75e82dac0d..dadd7f01e8 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -170,10 +170,11 @@ static av_cold int libopus_encode_init(AVCodecContext *avctx) /* FIXME: Opus can handle up to 255 channels. However, the mapping for * anything greater than 8 is undefined. */ - if (avctx->channels > 8) - av_log(avctx, AV_LOG_WARNING, + if (avctx->channels > 8) { + av_log(avctx, AV_LOG_ERROR, "Channel layout undefined for %d channels.\n", avctx->channels); - + return AVERROR_PATCHWELCOME; + } if (!avctx->bit_rate) { /* Sane default copied from opusenc */ avctx->bit_rate = 64000 * opus->stream_count + @@ -323,7 +324,7 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, } else audio = frame->data[0]; } else { - if (!opus->afq.remaining_samples) + if (!opus->afq.remaining_samples || (!opus->afq.frame_alloc && !opus->afq.frame_count)) return 0; audio = opus->samples; memset(audio, 0, opus->opts.packet_size * sample_size); diff --git a/libavcodec/libtheoraenc.c b/libavcodec/libtheoraenc.c index 4c90822439..36d48fbbb3 100644 --- a/libavcodec/libtheoraenc.c +++ b/libavcodec/libtheoraenc.c @@ -108,6 +108,8 @@ static int get_stats(AVCodecContext *avctx, int eos) // libtheora generates a summary header at the end memcpy(h->stats, buf, bytes); avctx->stats_out = av_malloc(b64_size); + if (!avctx->stats_out) + return AVERROR(ENOMEM); av_base64_encode(avctx->stats_out, b64_size, h->stats, h->stats_offset); } return 0; diff --git a/libavcodec/libtwolame.c b/libavcodec/libtwolame.c index e26454bb84..098196b0c1 100644 --- a/libavcodec/libtwolame.c +++ b/libavcodec/libtwolame.c @@ -152,8 +152,8 @@ static int twolame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if (ret < 0) // twolame error return AVERROR_UNKNOWN; - avpkt->duration = ff_samples_to_time_base(avctx, frame->nb_samples); if (frame) { + avpkt->duration = ff_samples_to_time_base(avctx, frame->nb_samples); if (frame->pts != AV_NOPTS_VALUE) avpkt->pts = frame->pts - ff_samples_to_time_base(avctx, avctx->delay); } else { diff --git a/libavcodec/libutvideodec.cpp b/libavcodec/libutvideodec.cpp index 60dbd15fa8..346f43f24a 100644 --- a/libavcodec/libutvideodec.cpp +++ b/libavcodec/libutvideodec.cpp @@ -162,9 +162,19 @@ static int utvideo_decode_frame(AVCodecContext *avctx, void *data, pic->data[0] = utv->buffer + utv->buf_size + pic->linesize[0]; break; } + pic->width = w; + pic->height = h; + pic->format = avctx->pix_fmt; + + if (avctx->refcounted_frames) { + int ret = av_frame_ref((AVFrame*)data, pic); + if (ret < 0) + return ret; + } else { + av_frame_move_ref((AVFrame*)data, pic); + } *got_frame = 1; - av_frame_move_ref((AVFrame*)data, pic); return avpkt->size; } diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 163d12aca6..e10d3a407b 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -101,19 +101,11 @@ typedef struct VP8EncoderContext { /** String mappings for enum vp8e_enc_control_id */ static const char *const ctlidstr[] = { - [VP8E_UPD_ENTROPY] = "VP8E_UPD_ENTROPY", - [VP8E_UPD_REFERENCE] = "VP8E_UPD_REFERENCE", - [VP8E_USE_REFERENCE] = "VP8E_USE_REFERENCE", - [VP8E_SET_ROI_MAP] = "VP8E_SET_ROI_MAP", - [VP8E_SET_ACTIVEMAP] = "VP8E_SET_ACTIVEMAP", - [VP8E_SET_SCALEMODE] = "VP8E_SET_SCALEMODE", [VP8E_SET_CPUUSED] = "VP8E_SET_CPUUSED", [VP8E_SET_ENABLEAUTOALTREF] = "VP8E_SET_ENABLEAUTOALTREF", [VP8E_SET_NOISE_SENSITIVITY] = "VP8E_SET_NOISE_SENSITIVITY", - [VP8E_SET_SHARPNESS] = "VP8E_SET_SHARPNESS", [VP8E_SET_STATIC_THRESHOLD] = "VP8E_SET_STATIC_THRESHOLD", [VP8E_SET_TOKEN_PARTITIONS] = "VP8E_SET_TOKEN_PARTITIONS", - [VP8E_GET_LAST_QUANTIZER] = "VP8E_GET_LAST_QUANTIZER", [VP8E_SET_ARNR_MAXFRAMES] = "VP8E_SET_ARNR_MAXFRAMES", [VP8E_SET_ARNR_STRENGTH] = "VP8E_SET_ARNR_STRENGTH", [VP8E_SET_ARNR_TYPE] = "VP8E_SET_ARNR_TYPE", @@ -376,7 +368,7 @@ static av_cold int vpx_init(AVCodecContext *avctx, if (enccfg.g_pass == VPX_RC_FIRST_PASS) enccfg.g_lag_in_frames = 0; else if (enccfg.g_pass == VPX_RC_LAST_PASS) { - int decode_size; + int decode_size, ret; if (!avctx->stats_in) { av_log(avctx, AV_LOG_ERROR, "No stats file for second pass\n"); @@ -384,12 +376,12 @@ static av_cold int vpx_init(AVCodecContext *avctx, } ctx->twopass_stats.sz = strlen(avctx->stats_in) * 3 / 4; - ctx->twopass_stats.buf = av_malloc(ctx->twopass_stats.sz); - if (!ctx->twopass_stats.buf) { + ret = av_reallocp(&ctx->twopass_stats.buf, ctx->twopass_stats.sz); + if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Stat buffer alloc (%"SIZE_SPECIFIER" bytes) failed\n", ctx->twopass_stats.sz); - return AVERROR(ENOMEM); + return ret; } decode_size = av_base64_decode(ctx->twopass_stats.buf, avctx->stats_in, ctx->twopass_stats.sz); diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index 8830f592cc..97fc62f2c4 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -167,7 +167,11 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame, x264_picture_init( &x4->pic ); x4->pic.img.i_csp = x4->params.i_csp; +#if X264_BUILD >= 153 + if (x4->params.i_bitdepth > 8) +#else if (x264_bit_depth > 8) +#endif x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH; x4->pic.img.i_plane = avfmt2_num_planes(ctx->pix_fmt); @@ -393,6 +397,9 @@ static av_cold int X264_init(AVCodecContext *avctx) x4->params.p_log_private = avctx; x4->params.i_log_level = X264_LOG_DEBUG; x4->params.i_csp = convert_pix_fmt(avctx->pix_fmt); +#if X264_BUILD >= 153 + x4->params.i_bitdepth = av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth_minus1 + 1; +#endif OPT_STR("weightp", x4->wpredp); @@ -640,8 +647,8 @@ static av_cold int X264_init(AVCodecContext *avctx) if(x4->x264opts){ const char *p= x4->x264opts; while(p){ - char param[256]={0}, val[256]={0}; - if(sscanf(p, "%255[^:=]=%255[^:]", param, val) == 1){ + char param[4096]={0}, val[4096]={0}; + if(sscanf(p, "%4095[^:=]=%4095[^:]", param, val) == 1){ OPT_STR(param, "1"); }else OPT_STR(param, val); @@ -731,6 +738,21 @@ static const enum AVPixelFormat pix_fmts_10bit[] = { AV_PIX_FMT_NV20, AV_PIX_FMT_NONE }; +static const enum AVPixelFormat pix_fmts_all[] = { + AV_PIX_FMT_YUV420P, + AV_PIX_FMT_YUVJ420P, + AV_PIX_FMT_YUV422P, + AV_PIX_FMT_YUVJ422P, + AV_PIX_FMT_YUV444P, + AV_PIX_FMT_YUVJ444P, + AV_PIX_FMT_NV12, + AV_PIX_FMT_NV16, + AV_PIX_FMT_YUV420P10, + AV_PIX_FMT_YUV422P10, + AV_PIX_FMT_YUV444P10, + AV_PIX_FMT_NV20, + AV_PIX_FMT_NONE +}; static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { #ifdef X264_CSP_BGR AV_PIX_FMT_BGR24, @@ -741,12 +763,16 @@ static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { static av_cold void X264_init_static(AVCodec *codec) { +#if X264_BUILD < 153 if (x264_bit_depth == 8) codec->pix_fmts = pix_fmts_8bit; else if (x264_bit_depth == 9) codec->pix_fmts = pix_fmts_9bit; else if (x264_bit_depth == 10) codec->pix_fmts = pix_fmts_10bit; +#else + codec->pix_fmts = pix_fmts_all; +#endif } #define OFFSET(x) offsetof(X264Context, x) diff --git a/libavcodec/mdct_fixed.c b/libavcodec/mdct_fixed.c index a32cb00ca0..aabf0c88f8 100644 --- a/libavcodec/mdct_fixed.c +++ b/libavcodec/mdct_fixed.c @@ -39,13 +39,13 @@ void ff_mdct_calcw_c(FFTContext *s, FFTDouble *out, const FFTSample *input) /* pre rotation */ for(i=0;i> 6) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6) #else /* FFT_FIXED_32 */ -# define RSCALE(x) ((x) >> 1) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1) #endif /* FFT_FIXED_32 */ #endif @@ -175,13 +175,13 @@ void ff_mdct_calc_c(FFTContext *s, FFTSample *out, const FFTSample *input) /* pre rotation */ for(i=0;i= 0xffff) return AVERROR_INVALIDDATA; a->last_dc[component] += diff; - block[0] = a->last_dc[component] << 3; + block[0] = a->last_dc[component] * (1 << 3); } i = 0; @@ -88,7 +88,12 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) if (level == 127) { break; } else if (level != 0) { - i += run; + i += run; + if (i > 63) { + av_log(a->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); + return AVERROR_INVALIDDATA; + } j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 3; level = (level ^ SHOW_SBITS(re, &a->gb, 1)) - SHOW_SBITS(re, &a->gb, 1); @@ -98,22 +103,23 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) run = SHOW_UBITS(re, &a->gb, 6)+1; LAST_SKIP_BITS(re, &a->gb, 6); UPDATE_CACHE(re, &a->gb); level = SHOW_SBITS(re, &a->gb, 10); SKIP_BITS(re, &a->gb, 10); - i += run; - j = scantable[i]; + i += run; + if (i > 63) { + av_log(a->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); + return AVERROR_INVALIDDATA; + } + j = scantable[i]; if (level < 0) { level = -level; - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; level = -level; } else { - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; } } - if (i > 63) { - av_log(a->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); - return AVERROR_INVALIDDATA; - } block[j] = level; } diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c index 1355a23807..ee6327add8 100644 --- a/libavcodec/me_cmp.c +++ b/libavcodec/me_cmp.c @@ -553,7 +553,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); return s->mecc.sum_abs_dctelem(temp); } @@ -593,7 +593,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1, int16_t dct[8][8]; int i, sum = 0; - s->pdsp.diff_pixels(dct[0], src1, src2, stride); + s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride); #define SRC(x) dct[i][x] #define DST(x, v) dct[i][x] = v @@ -620,7 +620,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); for (i = 0; i < 64; i++) @@ -639,7 +639,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); s->mb_intra = 0; - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); memcpy(bak, temp, 64 * sizeof(int16_t)); @@ -742,7 +742,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->block_last_index[0 /* FIXME */] = last = diff --git a/libavcodec/microdvddec.c b/libavcodec/microdvddec.c index f3c640f932..3780fe28b5 100644 --- a/libavcodec/microdvddec.c +++ b/libavcodec/microdvddec.c @@ -148,6 +148,8 @@ static char *microdvd_load_tags(struct microdvd_tag *tags, char *s) /* Position */ case 'P': + if (!*s) + break; tag.persistent = MICRODVD_PERSISTENT_ON; tag.data1 = (*s++ == '1'); if (*s != '}') diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index 24724fa75d..9417f3d2a1 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -263,7 +263,7 @@ static int vlc_decode_block(MimicContext *ctx, int num_coeffs, int qscale) coeff = vlcdec_lookup[num_bits][value]; if (pos < 3) - coeff <<= 4; + coeff *= 16; else /* TODO Use >> 10 instead of / 1001 */ coeff = (coeff * qscale) / 1001; @@ -390,9 +390,11 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + res = ff_set_dimensions(avctx, width, height); + if (res < 0) + return res; + ctx->avctx = avctx; - avctx->width = width; - avctx->height = height; avctx->pix_fmt = AV_PIX_FMT_YUV420P; for (i = 0; i < 3; i++) { ctx->num_vblocks[i] = FF_CEIL_RSHIFT(height, 3 + !!i); diff --git a/libavcodec/mips/acelp_filters_mips.c b/libavcodec/mips/acelp_filters_mips.c index c8d980aa00..ffc0fe6250 100644 --- a/libavcodec/mips/acelp_filters_mips.c +++ b/libavcodec/mips/acelp_filters_mips.c @@ -89,7 +89,7 @@ static void ff_acelp_interpolatef_mips(float *out, const float *in, "addu %[p_filter_coeffs_m], %[p_filter_coeffs_m], %[prec] \n\t" "madd.s %[v],%[v],%[in_val_m], %[fc_val_m] \n\t" - : [v] "=&f" (v),[p_in_p] "+r" (p_in_p), [p_in_m] "+r" (p_in_m), + : [v] "+&f" (v),[p_in_p] "+r" (p_in_p), [p_in_m] "+r" (p_in_m), [p_filter_coeffs_p] "+r" (p_filter_coeffs_p), [in_val_p] "=&f" (in_val_p), [in_val_m] "=&f" (in_val_m), [fc_val_p] "=&f" (fc_val_p), [fc_val_m] "=&f" (fc_val_m), diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 4d17c5ff31..2b8f074f5b 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -96,6 +96,15 @@ static void parse_avid(MJpegDecodeContext *s, uint8_t *buf, int len) av_log(s->avctx, AV_LOG_INFO, "AVID: len:%d %d\n", len, len > 14 ? buf[12] : -1); } +static void init_idct(AVCodecContext *avctx) +{ + MJpegDecodeContext *s = avctx->priv_data; + + ff_idctdsp_init(&s->idsp, avctx); + ff_init_scantable(s->idsp.idct_permutation, &s->scantable, + ff_zigzag_direct); +} + av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx) { MJpegDecodeContext *s = avctx->priv_data; @@ -110,9 +119,7 @@ av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx) s->avctx = avctx; ff_blockdsp_init(&s->bdsp, avctx); ff_hpeldsp_init(&s->hdsp, avctx->flags); - ff_idctdsp_init(&s->idsp, avctx); - ff_init_scantable(s->idsp.idct_permutation, &s->scantable, - ff_zigzag_direct); + init_idct(avctx); s->buffer_size = 0; s->buffer = NULL; s->start_code = -1; @@ -182,7 +189,7 @@ int ff_mjpeg_decode_dqt(MJpegDecodeContext *s) s->quant_matrixes[index][s->scantable.permutated[8]]) >> 1; av_log(s->avctx, AV_LOG_DEBUG, "qscale[%d]: %d\n", index, s->qscale[index]); - len -= 65; + len -= 1 + 64 * (1+pr); } return 0; } @@ -244,21 +251,26 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, pix_fmt_id, ret; - int h_count[MAX_COMPONENTS]; - int v_count[MAX_COMPONENTS]; + int len, nb_components, i, width, height, bits, ret; + unsigned pix_fmt_id; + int h_count[MAX_COMPONENTS] = { 0 }; + int v_count[MAX_COMPONENTS] = { 0 }; s->cur_scan = 0; s->upscale_h = s->upscale_v = 0; /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->avctx->bits_per_raw_sample = - s->bits = get_bits(&s->gb, 8); + bits = get_bits(&s->gb, 8); + if (s->avctx->bits_per_raw_sample != bits) { + av_log(s->avctx, AV_LOG_INFO, "Changeing bps to %d\n", bits); + s->avctx->bits_per_raw_sample = bits; + init_idct(s->avctx); + } if (s->pegasus_rct) - s->bits = 9; - if (s->bits == 9 && !s->pegasus_rct) + bits = 9; + if (bits == 9 && !s->pegasus_rct) s->rct = 1; // FIXME ugly if(s->lossless && s->avctx->lowres){ @@ -291,7 +303,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) return AVERROR_INVALIDDATA; } } - if (s->ls && !(s->bits <= 8 || nb_components == 1)) { + if (s->ls && !(bits <= 8 || nb_components == 1)) { avpriv_report_missing_feature(s->avctx, "JPEG-LS that is not <= 8 " "bits/component or 16-bit gray"); @@ -300,8 +312,6 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) s->nb_components = nb_components; s->h_max = 1; s->v_max = 1; - memset(h_count, 0, sizeof(h_count)); - memset(v_count, 0, sizeof(v_count)); for (i = 0; i < nb_components; i++) { /* component id */ s->component_id[i] = get_bits(&s->gb, 8) - 1; @@ -336,12 +346,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* if different size, realloc/alloc picture */ - if ( width != s->width || height != s->height - || memcmp(s->h_count, h_count, sizeof(h_count)) - || memcmp(s->v_count, v_count, sizeof(v_count))) { + if (width != s->width || height != s->height || bits != s->bits || + memcmp(s->h_count, h_count, sizeof(h_count)) || + memcmp(s->v_count, v_count, sizeof(v_count))) { s->width = width; s->height = height; + s->bits = bits; memcpy(s->h_count, h_count, sizeof(h_count)); memcpy(s->v_count, v_count, sizeof(v_count)); s->interlaced = 0; @@ -376,7 +387,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) else if (!s->lossless) s->rgb = 0; /* XXX: not complete test ! */ - pix_fmt_id = (s->h_count[0] << 28) | (s->v_count[0] << 24) | + pix_fmt_id = ((unsigned)s->h_count[0] << 28) | (s->v_count[0] << 24) | (s->h_count[1] << 20) | (s->v_count[1] << 16) | (s->h_count[2] << 12) | (s->v_count[2] << 8) | (s->h_count[3] << 4) | s->v_count[3]; @@ -512,6 +523,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) else s->avctx->pix_fmt = AV_PIX_FMT_YUV420P16; s->avctx->color_range = s->cs_itu601 ? AVCOL_RANGE_MPEG : AVCOL_RANGE_JPEG; if (pix_fmt_id == 0x42111100) { + if (s->bits > 8) + goto unk_pixfmt; s->upscale_h = 6; s->chroma_height = (s->height + 1) / 2; } @@ -534,9 +547,12 @@ unk_pixfmt: } if (s->ls) { s->upscale_h = s->upscale_v = 0; - if (s->nb_components > 1) + if (s->nb_components == 3) { s->avctx->pix_fmt = AV_PIX_FMT_RGB24; - else if (s->palette_index && s->bits <= 8) + } else if (s->nb_components != 1) { + av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components); + return AVERROR_PATCHWELCOME; + } else if (s->palette_index && s->bits <= 8) s->avctx->pix_fmt = AV_PIX_FMT_PAL8; else if (s->bits <= 8) s->avctx->pix_fmt = AV_PIX_FMT_GRAY8; @@ -568,7 +584,8 @@ unk_pixfmt: av_log(s->avctx, AV_LOG_DEBUG, "decode_sof0: error, len(%d) mismatch\n", len); } - if (s->rgb && !s->lossless && !s->ls) { + if ((s->rgb && !s->lossless && !s->ls) || + (!s->rgb && s->ls && s->nb_components > 1)) { av_log(s->avctx, AV_LOG_ERROR, "Unsupported coding and pixel format combination\n"); return AVERROR_PATCHWELCOME; } @@ -662,7 +679,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block, int component, int dc_index, int16_t *quant_matrix, int Al) { - int val; + unsigned val; s->bdsp.clear_block(block); val = mjpeg_decode_dc(s, dc_index); if (val == 0xfffff) { @@ -681,7 +698,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block, int16_t *quant_matrix, int ss, int se, int Al, int *EOBRUN) { - int code, i, j, level, val, run; + int code, i, j, val, run; + unsigned level; if (*EOBRUN) { (*EOBRUN)--; @@ -933,7 +951,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return -1; left[i] = buffer[mb_x][i] = - mask & (pred + (dc << point_transform)); + mask & (pred + (dc * (1 << point_transform))); } if (s->restart_interval && !--s->restart_count) { @@ -941,7 +959,14 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p skip_bits(&s->gb, 16); /* skip RSTn */ } } - if (s->nb_components == 4) { + if (s->rct && s->nb_components == 4) { + for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + ptr[4*mb_x + 2] = buffer[mb_x][0] - ((buffer[mb_x][1] + buffer[mb_x][2] - 0x200) >> 2); + ptr[4*mb_x + 1] = buffer[mb_x][1] + ptr[4*mb_x + 2]; + ptr[4*mb_x + 3] = buffer[mb_x][2] + ptr[4*mb_x + 2]; + ptr[4*mb_x + 0] = buffer[mb_x][3]; + } + } else if (s->nb_components == 4) { for(i=0; icomp_index[i]; if (s->bits <= 8) { @@ -1003,6 +1028,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, for (mb_y = 0; mb_y < s->mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream end in yuv_scan\n"); + return AVERROR_INVALIDDATA; + } if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; @@ -1032,7 +1061,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, dc = mjpeg_decode_dc(s, s->dc_index[i]); if(dc == 0xFFFFF) return -1; - if(bits<=8){ + if ( h * mb_x + x >= s->width + || v * mb_y + y >= s->height) { + // Nothing to do + } else if (bits<=8) { ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap if(y==0 && toprow){ if(x==0 && leftcol){ @@ -1051,7 +1083,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr += linesize >> 1; pred &= mask; - *ptr= pred + (dc << point_transform); + *ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ @@ -1071,7 +1103,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr16 += linesize >> 1; pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { x = 0; @@ -1100,20 +1132,23 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, dc = mjpeg_decode_dc(s, s->dc_index[i]); if(dc == 0xFFFFF) return -1; - if(bits<=8){ + if ( h * mb_x + x >= s->width + || v * mb_y + y >= s->height) { + // Nothing to do + } else if (bits<=8) { ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); pred &= mask; - *ptr = pred + (dc << point_transform); + *ptr = pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap PREDICT(pred, ptr16[-linesize-1], ptr16[-linesize], ptr16[-1], predictor); pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { @@ -1168,7 +1203,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, int mb_bitmask_size, const AVFrame *reference) { - int i, mb_x, mb_y; + int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width, chroma_height; uint8_t *data[MAX_COMPONENTS]; const uint8_t *reference_data[MAX_COMPONENTS]; int linesize[MAX_COMPONENTS]; @@ -1185,6 +1220,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, s->restart_count = 0; + av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift, + &chroma_v_shift); + chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift); + chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift); + for (i = 0; i < nb_components; i++) { int c = s->comp_index[i]; data[c] = s->picture_ptr->data[c]; @@ -1221,13 +1261,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - ptr = data[c] + block_offset; + if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ? chroma_width : s->width) + && 8*(v * mb_y + y) < ((c == 1) || (c == 2) ? chroma_height : s->height)) { + ptr = data[c] + block_offset; + } else + ptr = NULL; if (!s->progressive) { - if (copy_mb) - mjpeg_copy_block(s, ptr, reference_data[c] + block_offset, - linesize[c], s->avctx->lowres); + if (copy_mb) { + if (ptr) + mjpeg_copy_block(s, ptr, reference_data[c] + block_offset, + linesize[c], s->avctx->lowres); - else { + } else { s->bdsp.clear_block(s->block); if (decode_block(s, s->block, i, s->dc_index[i], s->ac_index[i], @@ -1236,9 +1281,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, "error y=%d x=%d\n", mb_y, mb_x); return AVERROR_INVALIDDATA; } - s->idsp.idct_put(ptr, linesize[c], s->block); - if (s->bits & 7) - shift_output(s, ptr, linesize[c]); + if (ptr) { + s->idsp.idct_put(ptr, linesize[c], s->block); + if (s->bits & 7) + shift_output(s, ptr, linesize[c]); + } } } else { int block_idx = s->block_stride[c] * (v * mb_y + y) + @@ -1305,6 +1352,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, int block_idx = mb_y * s->block_stride[c]; int16_t (*block)[64] = &s->blocks[c][block_idx]; uint8_t *last_nnz = &s->last_nnz[c][block_idx]; + if (get_bits_left(&s->gb) <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream truncated in mjpeg_decode_scan_progressive_ac\n"); + return AVERROR_INVALIDDATA; + } for (mb_x = 0; mb_x < s->mb_width; mb_x++, block++, last_nnz++) { int ret; if (s->restart_interval && !s->restart_count) @@ -1349,6 +1400,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, return -1; } + if (reference) { + if (reference->width != s->picture_ptr->width || + reference->height != s->picture_ptr->height || + reference->format != s->picture_ptr->format) { + av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n"); + return AVERROR_INVALIDDATA; + } + } + av_assert0(s->picture_ptr->data[0]); /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); @@ -1592,6 +1652,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } if (id == AV_RB32("LJIF")) { + int rgb = s->rgb; + int pegasus_rct = s->pegasus_rct; if (s->avctx->debug & FF_DEBUG_PICT_INFO) av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n"); @@ -1601,17 +1663,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) skip_bits(&s->gb, 16); /* unknown always 0? */ switch (i=get_bits(&s->gb, 8)) { case 1: - s->rgb = 1; - s->pegasus_rct = 0; + rgb = 1; + pegasus_rct = 0; break; case 2: - s->rgb = 1; - s->pegasus_rct = 1; + rgb = 1; + pegasus_rct = 1; break; default: av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace %d\n", i); } + len -= 9; + if (s->got_picture) + if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { + av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); + goto out; + } + + s->rgb = rgb; + s->pegasus_rct = pegasus_rct; + goto out; } if (id == AV_RL32("colr") && len > 0) { @@ -1861,8 +1933,12 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s, while (b < t) { uint8_t x = src[b++]; put_bits(&pb, 8, x); - if (x == 0xFF) { + if (x == 0xFF && b < t) { x = src[b++]; + if (x & 0x80) { + av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n"); + x &= 0x7f; + } put_bits(&pb, 7, x); bit_count--; } @@ -2141,7 +2217,7 @@ the_end: } } } - if (s->flipped) { + if (s->flipped && !s->rgb) { int j; avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); for (index=0; index<4; index++) { diff --git a/libavcodec/mjpegenc.c b/libavcodec/mjpegenc.c index 6fbc3b48f8..72c56d20b3 100644 --- a/libavcodec/mjpegenc.c +++ b/libavcodec/mjpegenc.c @@ -241,7 +241,7 @@ AVCodec ff_amv_encoder = { .encode2 = amv_encode_picture, .close = ff_mpv_encode_end, .pix_fmts = (const enum AVPixelFormat[]){ - AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_NONE + AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_NONE }, }; #endif diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 8a5b99f227..c0854613a0 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c @@ -117,14 +117,27 @@ static void jpeg_put_comments(AVCodecContext *avctx, PutBitContext *p) uint8_t *ptr; if (avctx->sample_aspect_ratio.num > 0 && avctx->sample_aspect_ratio.den > 0) { + AVRational sar = avctx->sample_aspect_ratio; + + if (sar.num > 65535 || sar.den > 65535) { + if (!av_reduce(&sar.num, &sar.den, avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 65535)) + av_log(avctx, AV_LOG_WARNING, + "Cannot store exact aspect ratio %d:%d\n", + avctx->sample_aspect_ratio.num, + avctx->sample_aspect_ratio.den); + } + /* JFIF header */ put_marker(p, APP0); put_bits(p, 16, 16); avpriv_put_string(p, "JFIF", 1); /* this puts the trailing zero-byte too */ - put_bits(p, 16, 0x0102); /* v 1.02 */ + /* The most significant byte is used for major revisions, the least + * significant byte for minor revisions. Version 1.02 is the current + * released revision. */ + put_bits(p, 16, 0x0102); put_bits(p, 8, 0); /* units type: 0 - aspect ratio */ - put_bits(p, 16, avctx->sample_aspect_ratio.num); - put_bits(p, 16, avctx->sample_aspect_ratio.den); + put_bits(p, 16, sar.num); + put_bits(p, 16, sar.den); put_bits(p, 8, 0); /* thumbnail width */ put_bits(p, 8, 0); /* thumbnail height */ } diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index ed6a7fb58c..9b5edd2101 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -261,7 +261,7 @@ static inline int read_huff_channels(MLPDecodeContext *m, GetBitContext *gbp, result = (result << lsb_bits) + get_bits(gbp, lsb_bits); result += cp->sign_huff_offset; - result <<= quant_step_size; + result *= 1 << quant_step_size; m->sample_buffer[pos + s->blockpos][channel] = result; } @@ -690,7 +690,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, } for (i = 0; i < order; i++) - fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift; + fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift); if (get_bits1(gbp)) { int state_bits, state_shift; @@ -707,7 +707,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, /* TODO: Check validity of state data. */ for (i = 0; i < order; i++) - fp->state[i] = state_bits ? get_sbits(gbp, state_bits) << state_shift : 0; + fp->state[i] = state_bits ? get_sbits(gbp, state_bits) * (1 << state_shift) : 0; } } @@ -735,7 +735,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); - return AVERROR_INVALIDDATA; + goto error; } for (mat = 0; mat < s->num_primitive_matrices; mat++) { @@ -748,12 +748,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Invalid channel %d specified as output from matrix.\n", s->matrix_out_ch[mat]); - return AVERROR_INVALIDDATA; + goto error; } if (frac_bits > 14) { av_log(m->avctx, AV_LOG_ERROR, "Too many fractional bits specified.\n"); - return AVERROR_INVALIDDATA; + goto error; } max_chan = s->max_matrix_channel; @@ -765,7 +765,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo if (get_bits1(gbp)) coeff_val = get_sbits(gbp, frac_bits + 2); - s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits); + s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits)); } if (s->noise_type) @@ -775,6 +775,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo } return 0; +error: + s->num_primitive_matrices = 0; + memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch)); + + return AVERROR_INVALIDDATA; } /** Read channel parameters. */ @@ -1005,8 +1010,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr) for (i = 0; i < s->blockpos; i++) { uint16_t seed_shr7 = seed >> 7; - m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift; - m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) << s->noise_shift; + m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift); + m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) * (1 << s->noise_shift); seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5); } @@ -1175,6 +1180,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data, substr_header_size += 2; } + if (length < header_size + substr_header_size) { + av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + goto error; + } + if (!(nonrestart_substr ^ m->is_major_sync_unit)) { av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n"); goto error; diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 3ae8c37708..32a4503b64 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -113,11 +113,11 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (i = 0; i < blockpos; i++) { for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; - int32_t sample = sample_buffer[i][mat_ch] - << output_shift[mat_ch]; + int32_t sample = sample_buffer[i][mat_ch] * + (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) - *data_32++ = sample << 8; + *data_32++ = sample * 256U; else *data_16++ = sample >> 8; } diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 026d4630ae..51d455964d 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -61,6 +61,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (!avctx->width || !avctx->height || + (avctx->width & 1) || (avctx->height & 1)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); @@ -109,7 +116,7 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) if (color) { memset(s->frame->data[0] + y*s->frame->linesize[0] + x, color, run_length); - if (half_vert) + if (half_vert && y + half_vert < s->avctx->height) memset(s->frame->data[0] + (y+1)*s->frame->linesize[0] + x, color, run_length); } x+= run_length; diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 81ee2bd6b3..f45ef3e011 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -193,7 +193,13 @@ static av_always_inline int cmp_inline(MpegEncContext *s, const int x, const int int uvdxy; /* no, it might not be used uninitialized */ if(dxy){ if(qpel){ - c->qpel_put[size][dxy](c->temp, ref[0] + x + y*stride, stride); //FIXME prototype (add h) + if (h << size == 16) { + c->qpel_put[size][dxy](c->temp, ref[0] + x + y*stride, stride); //FIXME prototype (add h) + } else if (size == 0 && h == 8) { + c->qpel_put[1][dxy](c->temp , ref[0] + x + y*stride , stride); + c->qpel_put[1][dxy](c->temp + 8, ref[0] + x + y*stride + 8, stride); + } else + av_assert2(0); if(chroma){ int cx= hx/2; int cy= hy/2; @@ -900,7 +906,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s, c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); c->sub_penalty_factor= get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_sub_cmp); c->mb_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->mb_cmp); - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; get_limits(s, 16*mb_x, 16*mb_y); c->skip=0; @@ -1096,7 +1102,7 @@ int ff_pre_estimate_p_frame_motion(MpegEncContext * s, av_assert0(s->quarter_sample==0 || s->quarter_sample==1); c->pre_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_pre_cmp); - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; get_limits(s, 16*mb_x, 16*mb_y); c->skip=0; @@ -1145,7 +1151,7 @@ static int estimate_motion_b(MpegEncContext *s, int mb_x, int mb_y, const int shift= 1+s->quarter_sample; const int mot_stride = s->mb_stride; const int mot_xy = mb_y*mot_stride + mb_x; - uint8_t * const mv_penalty= c->mv_penalty[f_code] + MAX_MV; + uint8_t * const mv_penalty= c->mv_penalty[f_code] + MAX_DMV; int mv_scale; c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); @@ -1219,8 +1225,8 @@ static inline int check_bidir_mv(MpegEncContext * s, //FIXME better f_code prediction (max mv & distance) //FIXME pointers MotionEstContext * const c= &s->me; - uint8_t * const mv_penalty_f= c->mv_penalty[s->f_code] + MAX_MV; // f_code of the prev frame - uint8_t * const mv_penalty_b= c->mv_penalty[s->b_code] + MAX_MV; // f_code of the prev frame + uint8_t * const mv_penalty_f= c->mv_penalty[s->f_code] + MAX_DMV; // f_code of the prev frame + uint8_t * const mv_penalty_b= c->mv_penalty[s->b_code] + MAX_DMV; // f_code of the prev frame int stride= c->stride; uint8_t *dest_y = c->scratchpad; uint8_t *ptr; @@ -1433,7 +1439,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y) int mx, my, xmin, xmax, ymin, ymax; int16_t (*mv_table)[2]= s->b_direct_mv_table; - c->current_mv_penalty= c->mv_penalty[1] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[1] + MAX_DMV; ymin= xmin=(-32)>>shift; ymax= xmax= 31>>shift; @@ -1569,11 +1575,11 @@ void ff_estimate_b_frame_motion(MpegEncContext * s, if(s->flags & CODEC_FLAG_INTERLACED_ME){ //FIXME mb type penalty c->skip=0; - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; fimin= interlaced_search(s, 0, s->b_field_mv_table[0], s->b_field_select_table[0], s->b_forw_mv_table[xy][0], s->b_forw_mv_table[xy][1], 0); - c->current_mv_penalty= c->mv_penalty[s->b_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->b_code] + MAX_DMV; bimin= interlaced_search(s, 2, s->b_field_mv_table[1], s->b_field_select_table[1], s->b_back_mv_table[xy][0], s->b_back_mv_table[xy][1], 0); diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 29c65f9ef5..af15f66952 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -415,10 +415,14 @@ static int mpc8_decode_frame(AVCodecContext * avctx, void *data, c->cur_frame++; c->last_bits_used = get_bits_count(gb); - if(get_bits_left(gb) < 8) // we have only padding left - c->last_bits_used = buf_size << 3; if(c->cur_frame >= c->frames) c->cur_frame = 0; + if(c->cur_frame == 0 && get_bits_left(gb) < 8) {// we have only padding left + c->last_bits_used = buf_size << 3; + } else if (get_bits_left(gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -get_bits_left(gb)); + c->last_bits_used = buf_size << 3; + } *got_frame_ptr = 1; diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index ed3490b1ba..1ed1851b89 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -917,8 +917,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) s->last_mv[i][0][1]); /* full_pel: only for MPEG-1 */ if (s->full_pel[i]) { - s->mv[i][0][0] <<= 1; - s->mv[i][0][1] <<= 1; + s->mv[i][0][0] *= 2; + s->mv[i][0][1] *= 2; } } } @@ -1000,8 +1000,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) dmy = get_dmv(s); - s->last_mv[i][0][1] = my << my_shift; - s->last_mv[i][1][1] = my << my_shift; + s->last_mv[i][0][1] = my * (1 << my_shift); + s->last_mv[i][1][1] = my * (1 << my_shift); s->mv[i][0][0] = mx; s->mv[i][0][1] = my; @@ -1046,7 +1046,7 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) cbp = get_vlc2(&s->gb, ff_mb_pat_vlc.table, MB_PAT_VLC_BITS, 1); if (mb_block_count > 6) { - cbp <<= mb_block_count - 6; + cbp *= 1 << mb_block_count - 6; cbp |= get_bits(&s->gb, mb_block_count - 6); s->bdsp.clear_blocks(s->block[6]); } @@ -1120,6 +1120,10 @@ static av_cold int mpeg_decode_init(AVCodecContext *avctx) MpegEncContext *s2 = &s->mpeg_enc_ctx; ff_mpv_decode_defaults(s2); + + if ( avctx->codec_tag != AV_RL32("VCR2") + && avctx->codec_tag != AV_RL32("BW10")) + avctx->coded_width = avctx->coded_height = 0; // do not trust dimensions from input ff_mpv_decode_init(s2, avctx); s->mpeg_enc_ctx.avctx = avctx; @@ -1209,6 +1213,16 @@ static const enum AVPixelFormat mpeg2_hwaccel_pixfmt_list_420[] = { AV_PIX_FMT_NONE }; +static const enum AVPixelFormat mpeg12_pixfmt_list_422[] = { + AV_PIX_FMT_YUV422P, + AV_PIX_FMT_NONE +}; + +static const enum AVPixelFormat mpeg12_pixfmt_list_444[] = { + AV_PIX_FMT_YUV444P, + AV_PIX_FMT_NONE +}; + static inline int uses_vdpau(AVCodecContext *avctx) { return avctx->pix_fmt == AV_PIX_FMT_VDPAU_MPEG1 || avctx->pix_fmt == AV_PIX_FMT_VDPAU_MPEG2; } @@ -1217,16 +1231,18 @@ static enum AVPixelFormat mpeg_get_pixelformat(AVCodecContext *avctx) { Mpeg1Context *s1 = avctx->priv_data; MpegEncContext *s = &s1->mpeg_enc_ctx; + const enum AVPixelFormat *pix_fmts; if (s->chroma_format < 2) - return ff_thread_get_format(avctx, - avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO ? + pix_fmts = avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO ? mpeg1_hwaccel_pixfmt_list_420 : - mpeg2_hwaccel_pixfmt_list_420); + mpeg2_hwaccel_pixfmt_list_420; else if (s->chroma_format == 2) - return AV_PIX_FMT_YUV422P; + pix_fmts = mpeg12_pixfmt_list_422; else - return AV_PIX_FMT_YUV444P; + pix_fmts = mpeg12_pixfmt_list_444; + + return ff_thread_get_format(avctx, pix_fmts); } static void setup_hwaccel_for_pixfmt(AVCodecContext *avctx) @@ -1891,7 +1907,7 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y, (left && show_bits(&s->gb, FFMIN(left, 23)) && !is_d10) || ((avctx->err_recognition & (AV_EF_BITSTREAM | AV_EF_AGGRESSIVE)) && left > 8)) { av_log(avctx, AV_LOG_ERROR, "end mismatch left=%d %0X\n", - left, show_bits(&s->gb, FFMIN(left, 23))); + left, left>0 ? show_bits(&s->gb, FFMIN(left, 23)) : 0); return -1; } else goto eos; diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 827812ef55..0e2f2a9318 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -52,7 +52,7 @@ static const uint8_t svcd_scan_offset_placeholder[] = { 0x81, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, }; -static uint8_t mv_penalty[MAX_FCODE + 1][MAX_MV * 2 + 1]; +static uint8_t mv_penalty[MAX_FCODE + 1][MAX_DMV * 2 + 1]; static uint8_t fcode_tab[MAX_MV * 2 + 1]; static uint8_t uni_mpeg1_ac_vlc_len[64 * 64 * 2]; @@ -144,9 +144,6 @@ static av_cold int encode_init(AVCodecContext *avctx) { MpegEncContext *s = avctx->priv_data; - if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO && avctx->height > 2800) - avctx->thread_count = 1; - if (ff_mpv_encode_init(avctx) < 0) return -1; @@ -1050,7 +1047,7 @@ av_cold void ff_mpeg1_encode_init(MpegEncContext *s) } for (f_code = 1; f_code <= MAX_FCODE; f_code++) - for (mv = -MAX_MV; mv <= MAX_MV; mv++) { + for (mv = -MAX_DMV; mv <= MAX_DMV; mv++) { int len; if (mv == 0) { @@ -1073,7 +1070,7 @@ av_cold void ff_mpeg1_encode_init(MpegEncContext *s) 2 + bit_size; } - mv_penalty[f_code][mv + MAX_MV] = len; + mv_penalty[f_code][mv + MAX_DMV] = len; } diff --git a/libavcodec/mpeg4audio.c b/libavcodec/mpeg4audio.c index 68448e6fa2..188d843eee 100644 --- a/libavcodec/mpeg4audio.c +++ b/libavcodec/mpeg4audio.c @@ -82,10 +82,15 @@ int avpriv_mpeg4audio_get_config(MPEG4AudioConfig *c, const uint8_t *buf, int bit_size, int sync_extension) { GetBitContext gb; - int specific_config_bitindex; + int specific_config_bitindex, ret; - if (bit_size <= 0 || init_get_bits(&gb, buf, bit_size) < 0) + if (bit_size <= 0) return AVERROR_INVALIDDATA; + + ret = init_get_bits(&gb, buf, bit_size); + if (ret < 0) + return ret; + c->object_type = get_object_type(&gb); c->sample_rate = get_sample_rate(&gb, &c->sampling_index); c->chan_config = get_bits(&gb, 4); diff --git a/libavcodec/mpeg4audio.h b/libavcodec/mpeg4audio.h index 0f410455f5..a1f3ffc59b 100644 --- a/libavcodec/mpeg4audio.h +++ b/libavcodec/mpeg4audio.h @@ -101,7 +101,7 @@ enum AudioObjectType { AOT_USAC, ///< N Unified Speech and Audio Coding }; -#define MAX_PCE_SIZE 304 ///extradata_size && pc->first_picture) { init_get_bits(gb, avctx->extradata, avctx->extradata_size * 8); ret = ff_mpeg4_decode_picture_header(dec_ctx, gb); - if (ret < 0) + if (ret < -1) av_log(avctx, AV_LOG_WARNING, "Failed to parse extradata\n"); } diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 22812926c8..d9d5e27c69 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -168,13 +168,15 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int a = 2 << s->sprite_warping_accuracy; int rho = 3 - s->sprite_warping_accuracy; int r = 16 / a; - int alpha = 0; + int alpha = 1; int beta = 0; int w = s->width; int h = s->height; int min_ab, i, w2, h2, w3, h3; int sprite_ref[4][2]; int virtual_ref[2][2]; + int64_t sprite_offset[2][2]; + int64_t sprite_delta[2][2]; // only true for rectangle shapes const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 }, @@ -189,14 +191,14 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int x = 0, y = 0; length = get_vlc2(gb, sprite_trajectory.table, SPRITE_TRAJ_VLC_BITS, 3); - if (length) + if (length > 0) x = get_xbits(gb, length); if (!(ctx->divx_version == 500 && ctx->divx_build == 413)) skip_bits1(gb); /* marker bit */ length = get_vlc2(gb, sprite_trajectory.table, SPRITE_TRAJ_VLC_BITS, 3); - if (length) + if (length > 0) y = get_xbits(gb, length); skip_bits1(gb); /* marker bit */ @@ -239,71 +241,71 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g * from w&h based to w2&h2 based which are of the 2^x form. */ virtual_ref[0][0] = 16 * (vop_ref[0][0] + w2) + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - w2 * (r * sprite_ref[1][0] - 16 * vop_ref[1][0])), w); + (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + w2 * (r * sprite_ref[1][0] - 16LL * vop_ref[1][0])), w); virtual_ref[0][1] = 16 * vop_ref[0][1] + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - w2 * (r * sprite_ref[1][1] - 16 * vop_ref[1][1])), w); + (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + w2 * (r * sprite_ref[1][1] - 16LL * vop_ref[1][1])), w); virtual_ref[1][0] = 16 * vop_ref[0][0] + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - h2 * (r * sprite_ref[2][0] - 16 * vop_ref[2][0])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + h2 * (r * sprite_ref[2][0] - 16LL * vop_ref[2][0])), h); virtual_ref[1][1] = 16 * (vop_ref[0][1] + h2) + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - h2 * (r * sprite_ref[2][1] - 16 * vop_ref[2][1])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + h2 * (r * sprite_ref[2][1] - 16LL * vop_ref[2][1])), h); switch (ctx->num_sprite_warping_points) { case 0: - s->sprite_offset[0][0] = - s->sprite_offset[0][1] = - s->sprite_offset[1][0] = - s->sprite_offset[1][1] = 0; - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_offset[0][0] = + sprite_offset[0][1] = + sprite_offset[1][0] = + sprite_offset[1][1] = 0; + sprite_delta[0][0] = a; + sprite_delta[0][1] = + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = ctx->sprite_shift[1] = 0; break; case 1: // GMC only - s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; - s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; - s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - + sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; + sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; + sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - a * (vop_ref[0][0] / 2); - s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - + sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + rho)) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][0]) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + rho)) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][0] + 1) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); - s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); - s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); - s->sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); + sprite_offset[0][0] = ((int64_t) sprite_ref[0][0] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[0][1] = ((int64_t) sprite_ref[0][1] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[1][0] = (((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[1][1] = (((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); + sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); + sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); + sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); ctx->sprite_shift[0] = alpha + rho; ctx->sprite_shift[1] = alpha + rho + 2; @@ -312,69 +314,105 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + beta + rho - min_ab)) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + beta + rho - min_ab)) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][0] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][1] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; - s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; - s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; - s->sprite_delta[1][1] = (-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3; + sprite_offset[0][0] = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[0][1] = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[1][0] = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[1][1] = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); + sprite_delta[0][0] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0]) * h3; + sprite_delta[0][1] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[1][0]) * w3; + sprite_delta[1][0] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[0][1]) * h3; + sprite_delta[1][1] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[1][1]) * w3; ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; } /* try to simplify the situation */ - if (s->sprite_delta[0][0] == a << ctx->sprite_shift[0] && - s->sprite_delta[0][1] == 0 && - s->sprite_delta[1][0] == 0 && - s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { - s->sprite_offset[0][0] >>= ctx->sprite_shift[0]; - s->sprite_offset[0][1] >>= ctx->sprite_shift[0]; - s->sprite_offset[1][0] >>= ctx->sprite_shift[1]; - s->sprite_offset[1][1] >>= ctx->sprite_shift[1]; - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = 0; - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && + sprite_delta[0][1] == 0 && + sprite_delta[1][0] == 0 && + sprite_delta[1][1] == a << ctx->sprite_shift[0]) { + sprite_offset[0][0] >>= ctx->sprite_shift[0]; + sprite_offset[0][1] >>= ctx->sprite_shift[0]; + sprite_offset[1][0] >>= ctx->sprite_shift[1]; + sprite_offset[1][1] >>= ctx->sprite_shift[1]; + sprite_delta[0][0] = a; + sprite_delta[0][1] = 0; + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = 0; ctx->sprite_shift[1] = 0; s->real_sprite_warping_points = 1; } else { int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; + for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] <<= shift_y; - s->sprite_offset[1][i] <<= shift_c; - s->sprite_delta[0][i] <<= shift_y; - s->sprite_delta[1][i] <<= shift_y; + if (shift_c < 0 || shift_y < 0 || + FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || + FFABS( sprite_delta[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_delta[1][i]) >= INT_MAX >> shift_y + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); + goto overflow; + } + } + + for (i = 0; i < 2; i++) { + sprite_offset[0][i] *= 1 << shift_y; + sprite_offset[1][i] *= 1 << shift_c; + sprite_delta[0][i] *= 1 << shift_y; + sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; + + } + for (i = 0; i < 2; i++) { + int64_t sd[2] = { + sprite_delta[i][0] - a * (1LL<<16), + sprite_delta[i][1] - a * (1LL<<16) + }; + + if (llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sd[0]) >= INT_MAX || + llabs(sd[1]) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX + ) { + avpriv_request_sample(s->avctx, "Overflow on sprite points"); + goto overflow; + } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } + for (i = 0; i < 4; i++) { + s->sprite_offset[i&1][i>>1] = sprite_offset[i&1][i>>1]; + s->sprite_delta [i&1][i>>1] = sprite_delta [i&1][i>>1]; + } + return 0; +overflow: + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + return AVERROR_PATCHWELCOME; } static int decode_new_pred(Mpeg4DecContext *ctx, GetBitContext *gb) { @@ -500,7 +538,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) if (ctx->divx_version == 500 && ctx->divx_build == 413) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else - sum = RSHIFT(s->sprite_offset[0][n] << s->quarter_sample, a); + sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); } else { dx = s->sprite_delta[n][0]; dy = s->sprite_delta[n][1]; @@ -881,7 +919,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx) const int part_a_end = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END | ER_MV_END) : ER_MV_END; mb_num = mpeg4_decode_partition_a(ctx); - if (mb_num < 0) { + if (mb_num <= 0) { ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, part_a_error); return -1; @@ -1873,6 +1911,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; @@ -1896,6 +1938,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; @@ -2090,8 +2136,15 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb) e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", &ver, &ver2, &ver3, &build); if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1; - if (e > 1) - build = (ver << 16) + (ver2 << 8) + ver3; + if (e > 1) { + if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) { + av_log(s->avctx, AV_LOG_WARNING, + "Unknown Lavc version string encountered, %d.%d.%d; " + "clamping sub-version values to 8-bits.\n", + ver, ver2, ver3); + } + build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 0xFF); + } } if (e != 4) { if (strcmp(buf, "ffmpeg") == 0) @@ -2226,6 +2279,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) int time_incr, time_increment; int64_t pts; + s->mcsel = 0; s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I; /* pict type: I = 0 , P = 1 */ if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay && ctx->vol_control_parameters == 0 && !(s->flags & CODEC_FLAG_LOW_DELAY)) { @@ -2394,16 +2448,20 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan); } - if (s->pict_type == AV_PICTURE_TYPE_S && - (ctx->vol_sprite_usage == STATIC_SPRITE || - ctx->vol_sprite_usage == GMC_SPRITE)) { - if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) - return AVERROR_INVALIDDATA; - if (ctx->sprite_brightness_change) - av_log(s->avctx, AV_LOG_ERROR, - "sprite_brightness_change not supported\n"); - if (ctx->vol_sprite_usage == STATIC_SPRITE) - av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + if (s->pict_type == AV_PICTURE_TYPE_S) { + if((ctx->vol_sprite_usage == STATIC_SPRITE || + ctx->vol_sprite_usage == GMC_SPRITE)) { + if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) + return AVERROR_INVALIDDATA; + if (ctx->sprite_brightness_change) + av_log(s->avctx, AV_LOG_ERROR, + "sprite_brightness_change not supported\n"); + if (ctx->vol_sprite_usage == STATIC_SPRITE) + av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + } else { + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + } } if (ctx->shape != BIN_ONLY_SHAPE) { @@ -2793,7 +2851,7 @@ AVCodec ff_mpeg4_vdpau_decoder = { .long_name = NULL_IF_CONFIG_SMALL("MPEG-4 part 2 (VDPAU)"), .type = AVMEDIA_TYPE_VIDEO, .id = AV_CODEC_ID_MPEG4, - .priv_data_size = sizeof(MpegEncContext), + .priv_data_size = sizeof(Mpeg4DecContext), .init = decode_init, .close = ff_h263_decode_end, .decode = ff_h263_decode_frame, diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 5751432a31..c47b6e8410 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -1086,7 +1086,7 @@ static void mpeg4_encode_vol_header(MpegEncContext *s, } /* write mpeg4 VOP header */ -void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) +int ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) { int time_incr; int time_div, time_mod; @@ -1112,6 +1112,12 @@ void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) time_mod = FFUMOD(s->time, s->avctx->time_base.den); time_incr = time_div - s->last_time_base; av_assert0(time_incr >= 0); + + // This limits the frame duration to max 1 hour + if (time_incr > 3600) { + av_log(s->avctx, AV_LOG_ERROR, "time_incr %d too large\n", time_incr); + return AVERROR(EINVAL); + } while (time_incr--) put_bits(&s->pb, 1, 1); @@ -1137,6 +1143,8 @@ void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) put_bits(&s->pb, 3, s->f_code); /* fcode_for */ if (s->pict_type == AV_PICTURE_TYPE_B) put_bits(&s->pb, 3, s->b_code); /* fcode_back */ + + return 0; } static av_cold void init_uni_dc_tab(void) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index 3d9e94688a..79dbf635b4 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -73,20 +73,21 @@ static int mpegaudio_parse(AVCodecParserContext *s1, if (i > 4) s->header_count = -2; } else { + int header_threshold = avctx->codec_id != AV_CODEC_ID_NONE && avctx->codec_id != codec_id; if((state&SAME_HEADER_MASK) != (s->header&SAME_HEADER_MASK) && s->header) s->header_count= -3; s->header= state; s->header_count++; s->frame_size = ret-4; - if (s->header_count > 0 + (avctx->codec_id != AV_CODEC_ID_NONE && avctx->codec_id != codec_id)) { + if (s->header_count > header_threshold) { avctx->sample_rate= sr; avctx->channels = channels; s1->duration = frame_size; avctx->codec_id = codec_id; if (s->no_bitrate || !avctx->bit_rate) { s->no_bitrate = 1; - avctx->bit_rate += (bit_rate - avctx->bit_rate) / s->header_count; + avctx->bit_rate += (bit_rate - avctx->bit_rate) / (s->header_count - header_threshold); } } break; diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index c4c03d9106..9f9e8bfe92 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -252,7 +252,7 @@ static inline int l3_unscale(int value, int exponent) #endif if (e > 31) return 0; - m = (m + (1 << (e - 1))) >> e; + m = (m + ((1U << e)>>1)) >> e; return m; } @@ -1642,9 +1642,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, uint32_t header; int ret; + int skipped = 0; while(buf_size && !*buf){ buf++; buf_size--; + skipped++; } if (buf_size < HEADER_SIZE) @@ -1653,7 +1655,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, header = AV_RB32(buf); if (header>>8 == AV_RB32("TAG")>>8) { av_log(avctx, AV_LOG_DEBUG, "discarding ID3 tag\n"); - return buf_size; + return buf_size + skipped; } if (ff_mpa_check_header(header) < 0) { av_log(avctx, AV_LOG_ERROR, "Header missing\n"); @@ -1699,7 +1701,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, return ret; } s->frame_size = 0; - return buf_size; + return buf_size + skipped; } static void mp_flush(MPADecodeContext *ctx) @@ -1878,6 +1880,7 @@ static av_cold int decode_init_mp3on4(AVCodecContext * avctx) s->mp3decctx[i]->adu_mode = 1; s->mp3decctx[i]->avctx = avctx; s->mp3decctx[i]->mpadsp = s->mp3decctx[0]->mpadsp; + s->mp3decctx[i]->fdsp = s->mp3decctx[0]->fdsp; } return 0; diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index f043bbdace..743e7a2117 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1285,6 +1285,81 @@ fail: return AVERROR(ENOMEM); } +static void clear_context(MpegEncContext *s) +{ + int i, j, k; + + memset(&s->next_picture, 0, sizeof(s->next_picture)); + memset(&s->last_picture, 0, sizeof(s->last_picture)); + memset(&s->current_picture, 0, sizeof(s->current_picture)); + memset(&s->new_picture, 0, sizeof(s->new_picture)); + + memset(s->thread_context, 0, sizeof(s->thread_context)); + + s->me.map = NULL; + s->me.score_map = NULL; + s->dct_error_sum = NULL; + s->block = NULL; + s->blocks = NULL; + memset(s->pblocks, 0, sizeof(s->pblocks)); + s->ac_val_base = NULL; + s->ac_val[0] = + s->ac_val[1] = + s->ac_val[2] =NULL; + s->edge_emu_buffer = NULL; + s->me.scratchpad = NULL; + s->me.temp = + s->rd_scratchpad = + s->b_scratchpad = + s->obmc_scratchpad = NULL; + + + s->bitstream_buffer = NULL; + s->allocated_bitstream_buffer_size = 0; + s->picture = NULL; + s->mb_type = NULL; + s->p_mv_table_base = NULL; + s->b_forw_mv_table_base = NULL; + s->b_back_mv_table_base = NULL; + s->b_bidir_forw_mv_table_base = NULL; + s->b_bidir_back_mv_table_base = NULL; + s->b_direct_mv_table_base = NULL; + s->p_mv_table = NULL; + s->b_forw_mv_table = NULL; + s->b_back_mv_table = NULL; + s->b_bidir_forw_mv_table = NULL; + s->b_bidir_back_mv_table = NULL; + s->b_direct_mv_table = NULL; + for (i = 0; i < 2; i++) { + for (j = 0; j < 2; j++) { + for (k = 0; k < 2; k++) { + s->b_field_mv_table_base[i][j][k] = NULL; + s->b_field_mv_table[i][j][k] = NULL; + } + s->b_field_select_table[i][j] = NULL; + s->p_field_mv_table_base[i][j] = NULL; + s->p_field_mv_table[i][j] = NULL; + } + s->p_field_select_table[i] = NULL; + } + + s->dc_val_base = NULL; + s->coded_block_base = NULL; + s->mbintra_table = NULL; + s->cbp_table = NULL; + s->pred_dir_table = NULL; + + s->mbskip_table = NULL; + + s->er.error_status_table = NULL; + s->er.er_temp_buffer = NULL; + s->mb_index2xy = NULL; + s->lambda_table = NULL; + + s->cplx_tab = NULL; + s->bits_tab = NULL; +} + /** * init common structure for both encoder and decoder. * this assumes that some variables like width/height are already set @@ -1296,6 +1371,8 @@ av_cold int ff_mpv_common_init(MpegEncContext *s) s->avctx->active_thread_type & FF_THREAD_SLICE) ? s->avctx->thread_count : 1; + clear_context(s); + if (s->encoding && s->avctx->slices) nb_slices = s->avctx->slices; @@ -1343,10 +1420,6 @@ av_cold int ff_mpv_common_init(MpegEncContext *s) if (!s->picture[i].f) goto fail; } - memset(&s->next_picture, 0, sizeof(s->next_picture)); - memset(&s->last_picture, 0, sizeof(s->last_picture)); - memset(&s->current_picture, 0, sizeof(s->current_picture)); - memset(&s->new_picture, 0, sizeof(s->new_picture)); s->next_picture.f = av_frame_alloc(); if (!s->next_picture.f) goto fail; diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 87fe87ff99..6c3757cb94 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -64,6 +64,7 @@ enum OutputFormat { #define MAX_FCODE 7 #define MAX_MV 4096 +#define MAX_DMV (2*MAX_MV) #define MAX_THREADS 32 #define MAX_PICTURE_COUNT 36 @@ -196,7 +197,7 @@ typedef struct MotionEstContext{ op_pixels_func (*hpel_avg)[4]; qpel_mc_func (*qpel_put)[16]; qpel_mc_func (*qpel_avg)[16]; - uint8_t (*mv_penalty)[MAX_MV*2+1]; ///< amount of bits needed to encode a MV + uint8_t (*mv_penalty)[MAX_DMV*2+1]; ///< amount of bits needed to encode a MV uint8_t *current_mv_penalty; int (*sub_motion_search)(struct MpegEncContext * s, int *mx_ptr, int *my_ptr, int dmin, @@ -851,7 +852,7 @@ extern const uint8_t ff_aic_dc_scale_table[32]; extern const uint8_t ff_h263_chroma_qscale_table[32]; /* rv10.c */ -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); int ff_rv_decode_dc(MpegEncContext *s, int n); void ff_rv20_encode_picture_header(MpegEncContext *s, int picture_number); diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 40f82777c1..b77dc9c239 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -70,7 +70,7 @@ static int sse_mb(MpegEncContext *s); static void denoise_dct_c(MpegEncContext *s, int16_t *block); static int dct_quantize_trellis_c(MpegEncContext *s, int16_t *block, int n, int qscale, int *overflow); -static uint8_t default_mv_penalty[MAX_FCODE + 1][MAX_MV * 2 + 1]; +static uint8_t default_mv_penalty[MAX_FCODE + 1][MAX_DMV * 2 + 1]; static uint8_t default_fcode_tab[MAX_MV * 2 + 1]; const AVOption ff_mpv_generic_options[] = { @@ -316,6 +316,7 @@ av_cold int ff_mpv_encode_init(AVCodecContext *avctx) break; } + avctx->bits_per_raw_sample = av_clip(avctx->bits_per_raw_sample, 0, 8); s->bit_rate = avctx->bit_rate; s->width = avctx->width; s->height = avctx->height; @@ -389,18 +390,18 @@ av_cold int ff_mpv_encode_init(AVCodecContext *avctx) switch(avctx->codec_id) { case AV_CODEC_ID_MPEG1VIDEO: case AV_CODEC_ID_MPEG2VIDEO: - avctx->rc_buffer_size = FFMAX(avctx->rc_max_rate, 15000000) * 112L / 15000000 * 16384; + avctx->rc_buffer_size = FFMAX(avctx->rc_max_rate, 15000000) * 112LL / 15000000 * 16384; break; case AV_CODEC_ID_MPEG4: case AV_CODEC_ID_MSMPEG4V1: case AV_CODEC_ID_MSMPEG4V2: case AV_CODEC_ID_MSMPEG4V3: if (avctx->rc_max_rate >= 15000000) { - avctx->rc_buffer_size = 320 + (avctx->rc_max_rate - 15000000L) * (760-320) / (38400000 - 15000000); + avctx->rc_buffer_size = 320 + (avctx->rc_max_rate - 15000000LL) * (760-320) / (38400000 - 15000000); } else if(avctx->rc_max_rate >= 2000000) { - avctx->rc_buffer_size = 80 + (avctx->rc_max_rate - 2000000L) * (320- 80) / (15000000 - 2000000); + avctx->rc_buffer_size = 80 + (avctx->rc_max_rate - 2000000LL) * (320- 80) / (15000000 - 2000000); } else if(avctx->rc_max_rate >= 384000) { - avctx->rc_buffer_size = 40 + (avctx->rc_max_rate - 384000L) * ( 80- 40) / ( 2000000 - 384000); + avctx->rc_buffer_size = 40 + (avctx->rc_max_rate - 384000LL) * ( 80- 40) / ( 2000000 - 384000); } else avctx->rc_buffer_size = 40; avctx->rc_buffer_size *= 16384; @@ -3655,10 +3656,15 @@ static int encode_picture(MpegEncContext *s, int picture_number) ff_wmv2_encode_picture_header(s, picture_number); else if (CONFIG_MSMPEG4_ENCODER && s->msmpeg4_version) ff_msmpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_MPEG4_ENCODER && s->h263_pred) - ff_mpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) - ff_rv10_encode_picture_header(s, picture_number); + else if (CONFIG_MPEG4_ENCODER && s->h263_pred) { + ret = ff_mpeg4_encode_picture_header(s, picture_number); + if (ret < 0) + return ret; + } else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { + ret = ff_rv10_encode_picture_header(s, picture_number); + if (ret < 0) + return ret; + } else if (CONFIG_RV20_ENCODER && s->codec_id == AV_CODEC_ID_RV20) ff_rv20_encode_picture_header(s, picture_number); else if (CONFIG_FLV_ENCODER && s->codec_id == AV_CODEC_ID_FLV1) @@ -3681,6 +3687,8 @@ static int encode_picture(MpegEncContext *s, int picture_number) } s->avctx->execute(s->avctx, encode_thread, &s->thread_context[0], NULL, context_count, sizeof(void*)); for(i=1; ipb.buf_end == s->thread_context[i]->pb.buf) + set_put_bits_buffer_size(&s->pb, FFMIN(s->thread_context[i]->pb.buf_end - s->pb.buf, INT_MAX/8-32)); merge_context_after_encode(s, s->thread_context[i]); } emms_c(); diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index e7a585dd5f..b6f20d9e91 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -47,8 +47,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[0][1]; src_x = s->mb_x * 16 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 16 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -16, s->width); if (src_x == s->width) motion_x = 0; @@ -94,8 +94,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[1][1]; src_x = s->mb_x * 8 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 8 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -8, s->width >> 1); if (src_x == s->width >> 1) motion_x = 0; @@ -178,7 +178,7 @@ static void gmc_motion(MpegEncContext *s, s->sprite_delta[0][0], s->sprite_delta[0][1], s->sprite_delta[1][0], s->sprite_delta[1][1], a + 1, (1 << (2 * a + 1)) - s->no_rounding, - s->h_edge_pos >> 1, s->v_edge_pos >> 1); + (s->h_edge_pos + 1) >> 1, (s->v_edge_pos + 1) >> 1); ptr = ref_picture[2]; s->mdsp.gmc(dest_cr, ptr, uvlinesize, 8, @@ -186,7 +186,7 @@ static void gmc_motion(MpegEncContext *s, s->sprite_delta[0][0], s->sprite_delta[0][1], s->sprite_delta[1][0], s->sprite_delta[1][1], a + 1, (1 << (2 * a + 1)) - s->no_rounding, - s->h_edge_pos >> 1, s->v_edge_pos >> 1); + (s->h_edge_pos + 1) >> 1, (s->v_edge_pos + 1) >> 1); } static inline int hpel_motion(MpegEncContext *s, diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 94ea3c27ba..8cf2ffb7d1 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -139,7 +139,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) if(s->msmpeg4_version==2) cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1); else - cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1); + cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2); if(cbp<0 || cbp>3){ av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y); return -1; @@ -168,12 +168,23 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) s->mv[0][0][1] = my; *mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16; } else { + int v; if(s->msmpeg4_version==2){ s->ac_pred = get_bits1(&s->gb); - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; } else{ s->ac_pred = 0; - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C; } *mb_type_ptr = MB_TYPE_INTRA; diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index 260ad807ea..291ca36a91 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -99,11 +99,14 @@ static int msrle_decode_frame(AVCodecContext *avctx, return ret; if (avctx->bits_per_coded_sample > 1 && avctx->bits_per_coded_sample <= 8) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } /* make the palette available */ memcpy(s->frame->data[1], s->pal, AVPALETTE_SIZE); diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index 4d3da5ba17..200221a0ee 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -36,17 +36,15 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, unsigned char rle_code; unsigned char extra_byte, odd_pixel; unsigned char stream_byte; - unsigned int pixel_ptr = 0; - int row_dec = pic->linesize[0]; - int row_ptr = (avctx->height - 1) * row_dec; - int frame_size = row_dec * avctx->height; + int pixel_ptr = 0; + int line = avctx->height - 1; int i; - while (row_ptr >= 0) { + while (line >= 0 && pixel_ptr <= avctx->width) { if (bytestream2_get_bytes_left(gb) <= 0) { av_log(avctx, AV_LOG_ERROR, - "MS RLE: bytestream overrun, %d rows left\n", - row_ptr); + "MS RLE: bytestream overrun, %dx%d left\n", + avctx->width - pixel_ptr, line); return AVERROR_INVALIDDATA; } rle_code = stream_byte = bytestream2_get_byteu(gb); @@ -55,7 +53,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, stream_byte = bytestream2_get_byte(gb); if (stream_byte == 0) { /* line is done, goto the next one */ - row_ptr -= row_dec; + line--; pixel_ptr = 0; } else if (stream_byte == 1) { /* decode is done */ @@ -65,13 +63,12 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, stream_byte = bytestream2_get_byte(gb); pixel_ptr += stream_byte; stream_byte = bytestream2_get_byte(gb); - row_ptr -= stream_byte * row_dec; } else { // copy pixels from encoded stream odd_pixel = stream_byte & 1; rle_code = (stream_byte + 1) / 2; extra_byte = rle_code & 0x01; - if (row_ptr + pixel_ptr + stream_byte > frame_size || + if (pixel_ptr + 2*rle_code - odd_pixel > avctx->width || bytestream2_get_bytes_left(gb) < rle_code) { av_log(avctx, AV_LOG_ERROR, "MS RLE: frame/stream ptr just went out of bounds (copy)\n"); @@ -82,13 +79,13 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, if (pixel_ptr >= avctx->width) break; stream_byte = bytestream2_get_byteu(gb); - pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4; pixel_ptr++; if (i + 1 == rle_code && odd_pixel) break; if (pixel_ptr >= avctx->width) break; - pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F; pixel_ptr++; } @@ -98,7 +95,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, } } else { // decode a run of data - if (row_ptr + pixel_ptr + stream_byte > frame_size) { + if (pixel_ptr + rle_code > avctx->width + 1) { av_log(avctx, AV_LOG_ERROR, "MS RLE: frame ptr just went out of bounds (run)\n"); return AVERROR_INVALIDDATA; @@ -108,9 +105,9 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, if (pixel_ptr >= avctx->width) break; if ((i & 1) == 0) - pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4; else - pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F; pixel_ptr++; } } diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index 4d53f8ab8f..ea448dabc5 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -209,8 +209,13 @@ static int decode_555(GetByteContext *gB, uint16_t *dst, int stride, last_symbol = b << 8 | bytestream2_get_byte(gB); else if (b > 129) { repeat = 0; - while (b-- > 130) + while (b-- > 130) { + if (repeat >= (INT_MAX >> 8) - 1) { + av_log(NULL, AV_LOG_ERROR, "repeat overflow\n"); + return AVERROR_INVALIDDATA; + } repeat = (repeat << 8) + bytestream2_get_byte(gB) + 1; + } if (last_symbol == -2) { int skip = FFMIN((unsigned)repeat, dst + w - p); repeat -= skip; diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 075685b902..3b97320c6a 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -356,8 +356,9 @@ static int rac_get_model2_sym(RangeCoder *c, Model2 *m) static int rac_get_model_sym(RangeCoder *c, Model *m) { - int prob, prob2, helper, val; + int val; int end, end2; + unsigned prob, prob2, helper; prob = 0; prob2 = c->range; diff --git a/libavcodec/mss34dsp.c b/libavcodec/mss34dsp.c index 0397add17d..4965ac514d 100644 --- a/libavcodec/mss34dsp.c +++ b/libavcodec/mss34dsp.c @@ -62,30 +62,30 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma) } #define DCT_TEMPLATE(blk, step, SOP, shift) \ - const int t0 = -39409 * blk[7 * step] - 58980 * blk[1 * step]; \ - const int t1 = 39410 * blk[1 * step] - 58980 * blk[7 * step]; \ - const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \ - const int t3 = 33410 * blk[3 * step] - 167963 * blk[5 * step]; \ - const int t4 = blk[3 * step] + blk[7 * step]; \ - const int t5 = blk[1 * step] + blk[5 * step]; \ - const int t6 = 77062 * t4 + 51491 * t5; \ - const int t7 = 77062 * t5 - 51491 * t4; \ - const int t8 = 35470 * blk[2 * step] - 85623 * blk[6 * step]; \ - const int t9 = 35470 * blk[6 * step] + 85623 * blk[2 * step]; \ - const int tA = SOP(blk[0 * step] - blk[4 * step]); \ - const int tB = SOP(blk[0 * step] + blk[4 * step]); \ + const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \ + const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \ + const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \ + const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \ + const unsigned t4 = blk[3 * step] + blk[7 * step]; \ + const unsigned t5 = blk[1 * step] + blk[5 * step]; \ + const unsigned t6 = 77062U * t4 + 51491U * t5; \ + const unsigned t7 = 77062U * t5 - 51491U * t4; \ + const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \ + const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \ + const unsigned tA = SOP(blk[0 * step] - blk[4 * step]); \ + const unsigned tB = SOP(blk[0 * step] + blk[4 * step]); \ \ - blk[0 * step] = ( t1 + t6 + t9 + tB) >> shift; \ - blk[1 * step] = ( t3 + t7 + t8 + tA) >> shift; \ - blk[2 * step] = ( t2 + t6 - t8 + tA) >> shift; \ - blk[3 * step] = ( t0 + t7 - t9 + tB) >> shift; \ - blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift; \ - blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift; \ - blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift; \ - blk[7 * step] = (-(t1 + t6) + t9 + tB) >> shift; \ + blk[0 * step] = (int)( t1 + t6 + t9 + tB) >> shift; \ + blk[1 * step] = (int)( t3 + t7 + t8 + tA) >> shift; \ + blk[2 * step] = (int)( t2 + t6 - t8 + tA) >> shift; \ + blk[3 * step] = (int)( t0 + t7 - t9 + tB) >> shift; \ + blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift; \ + blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift; \ + blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift; \ + blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift; \ -#define SOP_ROW(a) (((a) << 16) + 0x2000) -#define SOP_COL(a) (((a) + 32) << 16) +#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000) +#define SOP_COL(a) (((a) + 32) * (1U << 16)) void ff_mss34_dct_put(uint8_t *dst, int stride, int *block) { diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index 88397beb00..1a04af22a9 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -302,15 +302,24 @@ static int msvideo1_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; + // Discard frame if its smaller than the minimum frame size + if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; if (s->mode_8bit) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { memcpy(s->pal, pal, AVPALETTE_SIZE); s->frame->palette_has_changed = 1; + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } diff --git a/libavcodec/nellymoser.c b/libavcodec/nellymoser.c index 0740c75a0f..d6d5b7a910 100644 --- a/libavcodec/nellymoser.c +++ b/libavcodec/nellymoser.c @@ -85,7 +85,7 @@ const int16_t ff_nelly_delta_table[32] = { static inline int signed_shift(int i, int shift) { if (shift > 0) - return i << shift; + return (unsigned)i << shift; return i >> -shift; } @@ -109,7 +109,7 @@ static int headroom(int *la) return 31; } l = 30 - av_log2(FFABS(*la)); - *la <<= l; + *la *= 1< num_bands - band - run_len) { + av_log(c->avctx, AV_LOG_ERROR, "Invalid band type run\n"); + return AVERROR_INVALIDDATA; + } run_len += run; } while (run == esc_val); - if (band + run_len > num_bands) { - av_log(c->avctx, AV_LOG_ERROR, "Invalid band type run\n"); - return AVERROR_INVALIDDATA; - } for (i = band; i < band + run_len; i++) { c->band_type[i] = band_type; c->band_run_end[i] = band + run_len; @@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb) { int v = 4; - while (get_bits1(gb)) v++; + while (get_bits1(gb)) { + v++; + if (v > 30) { + av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n"); + v = 30; + break; + } + } - return (1 << v) + get_bits(gb, v); + return (1 << v) + get_bits_long(gb, v); } static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst, @@ -908,6 +915,11 @@ static av_cold int on2avc_decode_init(AVCodecContext *avctx) On2AVCContext *c = avctx->priv_data; int i; + if (avctx->channels > 2U) { + avpriv_request_sample(avctx, "Decoding more than 2 channels"); + return AVERROR_PATCHWELCOME; + } + c->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; avctx->channel_layout = (avctx->channels == 2) ? AV_CH_LAYOUT_STEREO @@ -918,6 +930,7 @@ static av_cold int on2avc_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "0x500 version should be mono\n"); return AVERROR_INVALIDDATA; } + if (avctx->channels == 2) av_log(avctx, AV_LOG_WARNING, "Stereo mode support is not good, patch is welcome\n"); diff --git a/libavcodec/options_table.h b/libavcodec/options_table.h index ad3d52ecdf..790e676d02 100644 --- a/libavcodec/options_table.h +++ b/libavcodec/options_table.h @@ -102,11 +102,10 @@ static const AVOption avcodec_options[] = { {"hex", "hex motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_HEX }, INT_MIN, INT_MAX, V|E, "me_method" }, {"umh", "umh motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_UMH }, INT_MIN, INT_MAX, V|E, "me_method" }, {"iter", "iter motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_ITER }, INT_MIN, INT_MAX, V|E, "me_method" }, -{"extradata_size", NULL, OFFSET(extradata_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, {"time_base", NULL, OFFSET(time_base), AV_OPT_TYPE_RATIONAL, {.dbl = 0}, INT_MIN, INT_MAX}, {"g", "set the group of picture (GOP) size", OFFSET(gop_size), AV_OPT_TYPE_INT, {.i64 = 12 }, INT_MIN, INT_MAX, V|E}, -{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E}, -{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E}, +{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, +{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, {"cutoff", "set cutoff bandwidth", OFFSET(cutoff), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E}, {"frame_size", NULL, OFFSET(frame_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E}, {"frame_number", NULL, OFFSET(frame_number), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, diff --git a/libavcodec/opus.h b/libavcodec/opus.h index 543d90c609..34b5ed9fc6 100644 --- a/libavcodec/opus.h +++ b/libavcodec/opus.h @@ -164,6 +164,16 @@ typedef struct ChannelMap { typedef struct OpusContext { OpusStreamContext *streams; + + /* current output buffers for each streams */ + float **out; + int *out_size; + /* Buffers for synchronizing the streams when they have different + * resampling delays */ + AVAudioFifo **sync_buffers; + /* number of decoded samples for each stream */ + int *decoded_samples; + int nb_streams; int nb_stereo_streams; diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 7a89479fb9..6207299d11 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ /* upper extent */ for (i = order; i > k; i--) - max_center -= min_delta[k]; + max_center -= min_delta[i]; max_center -= min_delta[k] >> 1; /* move apart */ @@ -851,8 +851,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ if (nlsf[0] < min_delta[0]) nlsf[0] = min_delta[0]; for (i = 1; i < order; i++) - if (nlsf[i] < nlsf[i - 1] + min_delta[i]) - nlsf[i] = nlsf[i - 1] + min_delta[i]; + nlsf[i] = FFMAX(nlsf[i], FFMIN(nlsf[i - 1] + min_delta[i], 32767)); /* push backwards to increase distance */ if (nlsf[order-1] > 32768 - min_delta[order]) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index b28edfbcd9..c22a2db6c2 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -366,12 +366,17 @@ static int opus_decode_frame(OpusStreamContext *s, const uint8_t *data, int size static int opus_decode_subpacket(OpusStreamContext *s, const uint8_t *buf, int buf_size, + float **out, int out_size, int nb_samples) { int output_samples = 0; int flush_needed = 0; int i, j, ret; + s->out[0] = out[0]; + s->out[1] = out[1]; + s->out_size = out_size; + /* check if we need to flush the resampler */ if (swr_is_initialized(s->swr)) { if (buf) { @@ -449,9 +454,19 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; int coded_samples = 0; - int decoded_samples = 0; + int decoded_samples = INT_MAX; + int delayed_samples = 0; int i, ret; + /* calculate the number of delayed samples */ + for (i = 0; i < c->nb_streams; i++) { + OpusStreamContext *s = &c->streams[i]; + s->out[0] = + s->out[1] = NULL; + delayed_samples = FFMAX(delayed_samples, + s->delayed_samples + av_audio_fifo_size(c->sync_buffers[i])); + } + /* decode the header of the first sub-packet to find out the sample count */ if (buf) { OpusPacket *pkt = &c->streams[0].packet; @@ -464,7 +479,7 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, c->streams[0].silk_samplerate = get_silk_samplerate(pkt->config); } - frame->nb_samples = coded_samples + c->streams[0].delayed_samples; + frame->nb_samples = coded_samples + delayed_samples; /* no input or buffered data => nothing to do */ if (!frame->nb_samples) { @@ -480,14 +495,43 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, } frame->nb_samples = 0; + memset(c->out, 0, c->nb_streams * 2 * sizeof(*c->out)); for (i = 0; i < avctx->channels; i++) { ChannelMap *map = &c->channel_maps[i]; if (!map->copy) - c->streams[map->stream_idx].out[map->channel_idx] = (float*)frame->extended_data[i]; + c->out[2 * map->stream_idx + map->channel_idx] = (float*)frame->extended_data[i]; } - for (i = 0; i < c->nb_streams; i++) - c->streams[i].out_size = frame->linesize[0]; + /* read the data from the sync buffers */ + for (i = 0; i < c->nb_streams; i++) { + float **out = c->out + 2 * i; + int sync_size = av_audio_fifo_size(c->sync_buffers[i]); + + float sync_dummy[32]; + int out_dummy = (!out[0]) | ((!out[1]) << 1); + + if (!out[0]) + out[0] = sync_dummy; + if (!out[1]) + out[1] = sync_dummy; + if (out_dummy && sync_size > FF_ARRAY_ELEMS(sync_dummy)) + return AVERROR_BUG; + + ret = av_audio_fifo_read(c->sync_buffers[i], (void**)out, sync_size); + if (ret < 0) + return ret; + + if (out_dummy & 1) + out[0] = NULL; + else + out[0] += ret; + if (out_dummy & 2) + out[1] = NULL; + else + out[1] += ret; + + c->out_size[i] = frame->linesize[0] - ret * sizeof(float); + } /* decode each sub-packet */ for (i = 0; i < c->nb_streams; i++) { @@ -499,23 +543,40 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, av_log(avctx, AV_LOG_ERROR, "Error parsing the packet header.\n"); return ret; } + if (coded_samples != s->packet.frame_count * s->packet.frame_duration) { + av_log(avctx, AV_LOG_ERROR, + "Mismatching coded sample count in substream %d.\n", i); + return AVERROR_INVALIDDATA; + } + s->silk_samplerate = get_silk_samplerate(s->packet.config); } - ret = opus_decode_subpacket(&c->streams[i], buf, - s->packet.data_size, coded_samples); + ret = opus_decode_subpacket(&c->streams[i], buf, s->packet.data_size, + c->out + 2 * i, c->out_size[i], coded_samples); if (ret < 0) return ret; - if (decoded_samples && ret != decoded_samples) { - av_log(avctx, AV_LOG_ERROR, "Different numbers of decoded samples " - "in a multi-channel stream\n"); - return AVERROR_INVALIDDATA; - } - decoded_samples = ret; + c->decoded_samples[i] = ret; + decoded_samples = FFMIN(decoded_samples, ret); + buf += s->packet.packet_size; buf_size -= s->packet.packet_size; } + /* buffer the extra samples */ + for (i = 0; i < c->nb_streams; i++) { + int buffer_samples = c->decoded_samples[i] - decoded_samples; + if (buffer_samples) { + float *buf[2] = { c->out[2 * i + 0] ? c->out[2 * i + 0] : (float*)frame->extended_data[0], + c->out[2 * i + 1] ? c->out[2 * i + 1] : (float*)frame->extended_data[0] }; + buf[0] += decoded_samples; + buf[1] += decoded_samples; + ret = av_audio_fifo_write(c->sync_buffers[i], (void**)buf, buffer_samples); + if (ret < 0) + return ret; + } + } + for (i = 0; i < avctx->channels; i++) { ChannelMap *map = &c->channel_maps[i]; @@ -528,7 +589,7 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, memset(frame->extended_data[i], 0, frame->linesize[0]); } - if (c->gain_i) { + if (c->gain_i && decoded_samples > 0) { c->fdsp.vector_fmul_scalar((float*)frame->extended_data[i], (float*)frame->extended_data[i], c->gain, FFALIGN(decoded_samples, 8)); @@ -556,6 +617,8 @@ static av_cold void opus_decode_flush(AVCodecContext *ctx) av_audio_fifo_drain(s->celt_delay, av_audio_fifo_size(s->celt_delay)); swr_close(s->swr); + av_audio_fifo_drain(c->sync_buffers[i], av_audio_fifo_size(c->sync_buffers[i])); + ff_silk_flush(s->silk); ff_celt_flush(s->celt); } @@ -580,6 +643,16 @@ static av_cold int opus_decode_close(AVCodecContext *avctx) } av_freep(&c->streams); + + if (c->sync_buffers) { + for (i = 0; i < c->nb_streams; i++) + av_audio_fifo_free(c->sync_buffers[i]); + } + av_freep(&c->sync_buffers); + av_freep(&c->decoded_samples); + av_freep(&c->out); + av_freep(&c->out_size); + c->nb_streams = 0; av_freep(&c->channel_maps); @@ -604,7 +677,11 @@ static av_cold int opus_decode_init(AVCodecContext *avctx) /* allocate and init each independent decoder */ c->streams = av_mallocz_array(c->nb_streams, sizeof(*c->streams)); - if (!c->streams) { + c->out = av_mallocz_array(c->nb_streams, 2 * sizeof(*c->out)); + c->out_size = av_mallocz_array(c->nb_streams, sizeof(*c->out_size)); + c->sync_buffers = av_mallocz_array(c->nb_streams, sizeof(*c->sync_buffers)); + c->decoded_samples = av_mallocz_array(c->nb_streams, sizeof(*c->decoded_samples)); + if (!c->streams || !c->sync_buffers || !c->decoded_samples || !c->out || !c->out_size) { c->nb_streams = 0; ret = AVERROR(ENOMEM); goto fail; @@ -652,6 +729,13 @@ static av_cold int opus_decode_init(AVCodecContext *avctx) ret = AVERROR(ENOMEM); goto fail; } + + c->sync_buffers[i] = av_audio_fifo_alloc(avctx->sample_fmt, + s->output_channels, 32); + if (!c->sync_buffers[i]) { + ret = AVERROR(ENOMEM); + goto fail; + } } return 0; diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index a27afed56d..72287e7b56 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -181,6 +181,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code) dend = c->frame[page] + c->frame_size; offset = (x & 0x7F) * 2; j = bytestream2_get_le16(&c->gb) + offset; + if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16) + return AVERROR_INVALIDDATA; do { offset++; if (dst + 3 * c->width + 4 > dend) @@ -198,7 +200,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code) do { set_src_position(c, &src, &send); if ((src + 3 * c->width + 4 > send) || - (dst + 3 * c->width + 4 > dend)) + (dst + 3 * c->width + 4 > dend) || + bytestream2_get_bytes_left(&c->gb) < 4) return AVERROR_INVALIDDATA; copy_block4(dst, src, c->width, c->width, 4); i++; @@ -267,12 +270,20 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, uint8_t code, *dst, *end; int i, frame, ret; - if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) - return ret; + if (pkt->size < 2) + return AVERROR_INVALIDDATA; bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); + if ((code & 0xF) > 4 || (code & 0xF) == 3) { + avpriv_request_sample(avctx, "unknown/invalid code"); + return AVERROR_INVALIDDATA; + } + + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) + return ret; + if (code & 0x20) { // frame is keyframe for (i = 0; i < 4; i++) memset(c->frame[i], 0, c->frame_size); @@ -367,8 +378,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, } break; default: - avpriv_request_sample(avctx, "unknown/invalid code"); - return AVERROR_INVALIDDATA; + av_assert0(0); } av_image_copy_plane(c->pic->data[0], c->pic->linesize[0], diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 36f1f8265a..6603cc2927 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -33,7 +33,7 @@ #include "libavutil/imgutils.h" #include "libavutil/opt.h" -#define RGBA(r,g,b,a) (((a) << 24) | ((r) << 16) | ((g) << 8) | (b)) +#define RGBA(r,g,b,a) (((unsigned)(a) << 24) | ((r) << 16) | ((g) << 8) | (b)) #define MAX_EPOCH_PALETTES 8 // Max 8 allowed per PGS epoch #define MAX_EPOCH_OBJECTS 64 // Max 64 allowed per PGS epoch #define MAX_OBJECT_REFS 2 // Max objects per display set @@ -354,8 +354,14 @@ static int parse_palette_segment(AVCodecContext *avctx, cb = bytestream_get_byte(&buf); alpha = bytestream_get_byte(&buf); - YUV_TO_RGB1(cb, cr); - YUV_TO_RGB2(r, g, b, y); + /* Default to BT.709 colorimetry. In case of <= 576 height use BT.601 */ + if (avctx->height <= 0 || avctx->height > 576) { + YUV_TO_RGB1_CCIR_BT709(cb, cr); + } else { + YUV_TO_RGB1_CCIR(cb, cr); + } + + YUV_TO_RGB2_CCIR(r, g, b, y); av_dlog(avctx, "Color %d := (%d,%d,%d,%d)\n", color_id, r, g, b, alpha); diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 1bc51bcf24..988da37f33 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -77,10 +77,10 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run, if (*y < 0) { *y = s->height - 1; *plane += 1; + if (*plane >= s->nb_planes) + return; value <<= bits_per_plane; mask <<= bits_per_plane; - if (*plane >= s->nb_planes) - break; } } } @@ -142,7 +142,7 @@ static int decode_frame(AVCodecContext *avctx, if (av_image_check_size(s->width, s->height, 0, avctx) < 0) return -1; - if (s->width != avctx->width && s->height != avctx->height) { + if (s->width != avctx->width || s->height != avctx->height) { ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; @@ -236,7 +236,7 @@ static int decode_frame(AVCodecContext *avctx, } } - if (x < avctx->width) { + if (plane < s->nb_planes && x < avctx->width) { int run = (y + 1) * avctx->width - x; if (bits_per_plane == 8) picmemset_8bpp(s, frame, val, run, &x, &y); diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c index ebde68b6a4..03422508b1 100644 --- a/libavcodec/pixblockdsp.c +++ b/libavcodec/pixblockdsp.c @@ -55,6 +55,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx) { const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8; + c->diff_pixels_unaligned = c->diff_pixels = diff_pixels_c; switch (avctx->bits_per_raw_sample) { diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h index d4b8590341..ab9ff3e4a6 100644 --- a/libavcodec/pixblockdsp.h +++ b/libavcodec/pixblockdsp.h @@ -31,6 +31,11 @@ typedef struct PixblockDSPContext { const uint8_t *s1 /* align 8 */, const uint8_t *s2 /* align 8 */, int stride); + void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */, + const uint8_t *s1, + const uint8_t *s2, + int stride); + } PixblockDSPContext; void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx); diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index da91aab7cb..9b236a245b 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -421,13 +421,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data, av_bprint_init(bp, 0, -1); while (zstream.avail_in > 0) { - av_bprint_get_buffer(bp, 1, &buf, &buf_size); - if (!buf_size) { + av_bprint_get_buffer(bp, 2, &buf, &buf_size); + if (buf_size < 2) { ret = AVERROR(ENOMEM); goto fail; } zstream.next_out = buf; - zstream.avail_out = buf_size; + zstream.avail_out = buf_size - 1; ret = inflate(&zstream, Z_PARTIAL_FLUSH); if (ret != Z_OK && ret != Z_STREAM_END) { ret = AVERROR_EXTERNAL; @@ -582,6 +582,17 @@ static int decode_frame(AVCodecContext *avctx, case MKTAG('I', 'H', 'D', 'R'): if (length != 13) goto fail; + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "IHDR after IDAT\n"); + goto fail; + } + + if (s->state & PNG_IHDR) { + av_log(avctx, AV_LOG_ERROR, "Multiple IHDR\n"); + goto fail; + } + s->width = bytestream2_get_be32(&s->gb); s->height = bytestream2_get_be32(&s->gb); if (av_image_check_size(s->width, s->height, 0, avctx)) { @@ -650,7 +661,7 @@ static int decode_frame(AVCodecContext *avctx, } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) && s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (s->bit_depth == 1) { + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOBLACK; } else if (s->bit_depth == 8 && s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { @@ -860,10 +871,11 @@ exit_loop: int i, j; uint8_t *pd = p->data[0]; uint8_t *pd_last = s->last_picture.f->data[0]; + int ls = FFMIN(av_image_get_linesize(p->format, s->width, 0), s->width * s->bpp); ff_thread_await_progress(&s->last_picture, INT_MAX, 0); for (j = 0; j < s->height; j++) { - for (i = 0; i < s->width * s->bpp; i++) + for (i = 0; i < ls; i++) pd[i] += pd_last[i]; pd += s->image_linesize; pd_last += s->image_linesize; @@ -876,7 +888,7 @@ exit_loop: metadata = NULL; if ((ret = av_frame_ref(data, s->picture.f)) < 0) - return ret; + goto the_end; *got_frame = 1; @@ -911,6 +923,7 @@ static av_cold int png_dec_init(AVCodecContext *avctx) { PNGDecContext *s = avctx->priv_data; + avctx->color_range = AVCOL_RANGE_JPEG; s->avctx = avctx; s->last_picture.f = av_frame_alloc(); s->picture.f = av_frame_alloc(); diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index 502e550097..314e7d7704 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -24,6 +24,7 @@ #include "libavutil/imgutils.h" #include "avcodec.h" +#include "internal.h" #include "pnm.h" static inline int pnm_space(int c) @@ -61,6 +62,7 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) { char buf1[32], tuple_type[32]; int h, w, depth, maxval; + int ret; pnm_get(s, buf1, sizeof(buf1)); if(buf1[0] != 'P') @@ -110,8 +112,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; s->maxval = maxval; if (depth == 1) { if (maxval == 1) { @@ -150,8 +153,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if(w <= 0 || h <= 0 || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) { pnm_get(s, buf1, sizeof(buf1)); diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 4d04a0ad85..97b0d5f606 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -183,6 +183,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons if (ctx->slice_count != slice_count || !ctx->slices) { av_freep(&ctx->slices); + ctx->slice_count = 0; ctx->slices = av_mallocz_array(slice_count, sizeof(*ctx->slices)); if (!ctx->slices) return AVERROR(ENOMEM); @@ -262,6 +263,8 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons \ if (q > switch_bits) { /* exp golomb */ \ bits = exp_order - switch_bits + (q<<1); \ + if (bits > FFMIN(MIN_CACHE_BITS, 31)) \ + return AVERROR_INVALIDDATA; \ val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \ ((switch_bits + 1) << rice_order); \ SKIP_BITS(re, gb, bits); \ @@ -281,7 +284,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons static const uint8_t dc_codebook[7] = { 0x04, 0x28, 0x28, 0x4D, 0x4D, 0x70, 0x70}; -static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, +static av_always_inline int decode_dc_coeffs(GetBitContext *gb, int16_t *out, int blocks_per_slice) { int16_t prev_dc; @@ -305,6 +308,7 @@ static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, out[0] = prev_dc; } CLOSE_READER(re, gb); + return 0; } // adaptive codebook switching lut according to previous run/level values @@ -371,7 +375,8 @@ static int decode_slice_luma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; @@ -404,7 +409,8 @@ static int decode_slice_chroma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; diff --git a/libavcodec/proresdec_lgpl.c b/libavcodec/proresdec_lgpl.c index f2e24ec786..a8bb9234ec 100644 --- a/libavcodec/proresdec_lgpl.c +++ b/libavcodec/proresdec_lgpl.c @@ -366,6 +366,7 @@ static inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, } } +#define MAX_PADDING 16 /** * Decode AC coefficients for all blocks in a slice. @@ -390,7 +391,7 @@ static inline int decode_ac_coeffs(GetBitContext *gb, int16_t *out, lev_cb_index = ff_prores_lev_to_cb_index[FFMIN(level, 9)]; bits_left = get_bits_left(gb); - if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) + if (bits_left <= 0 || (bits_left <= MAX_PADDING && !show_bits(gb, bits_left))) return 0; run = decode_vlc_codeword(gb, ff_prores_ac_codebook[run_cb_index]); @@ -398,7 +399,7 @@ static inline int decode_ac_coeffs(GetBitContext *gb, int16_t *out, return AVERROR_INVALIDDATA; bits_left = get_bits_left(gb); - if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) + if (bits_left <= 0 || (bits_left <= MAX_PADDING && !show_bits(gb, bits_left))) return AVERROR_INVALIDDATA; level = decode_vlc_codeword(gb, ff_prores_ac_codebook[lev_cb_index]) + 1; diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index f471f4987e..801d58ed7b 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -304,7 +304,7 @@ static int encode_slice_plane(AVCodecContext *avctx, int mb_count, } blocks_per_slice = mb_count << (2 - chroma); - init_put_bits(&pb, buf, buf_size << 3); + init_put_bits(&pb, buf, buf_size); encode_dc_coeffs(&pb, blocks, blocks_per_slice, qmat); encode_ac_coeffs(avctx, &pb, blocks, blocks_per_slice, qmat); diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 9f7c03efca..2ad7f748f9 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -824,10 +824,9 @@ static int find_slice_quant(AVCodecContext *avctx, const AVFrame *pic, if (ctx->alpha_bits) bits += estimate_alpha_plane(ctx, &error, src, linesize[3], mbs_per_slice, q, td->blocks[3]); - if (bits > 65000 * 8) { + if (bits > 65000 * 8) error = SCORE_LIMIT; - break; - } + slice_bits[q] = bits; slice_score[q] = error; } @@ -1058,7 +1057,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, slice_hdr = pkt->data + (slice_hdr - start); tmp = pkt->data + (tmp - start); } - init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8); + init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf))); ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); if (ret < 0) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index 1db46fcf96..93bc6871d4 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -573,7 +573,7 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) pthread_join(p->thread, NULL); p->thread_init=0; - if (codec->close) + if (codec->close && p->avctx) codec->close(p->avctx); avctx->codec = NULL; @@ -593,12 +593,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) av_packet_unref(&p->avpkt); av_freep(&p->released_buffers); - if (i) { + if (i && p->avctx) { av_freep(&p->avctx->priv_data); av_freep(&p->avctx->slice_offset); } - av_freep(&p->avctx->internal); + if (p->avctx) + av_freep(&p->avctx->internal); av_freep(&p->avctx); } @@ -670,6 +671,7 @@ int ff_frame_thread_init(AVCodecContext *avctx) copy->internal = av_malloc(sizeof(AVCodecInternal)); if (!copy->internal) { + copy->priv_data = NULL; err = AVERROR(ENOMEM); goto error; } diff --git a/libavcodec/pthread_slice.c b/libavcodec/pthread_slice.c index fea989fc4c..4fcbcb175a 100644 --- a/libavcodec/pthread_slice.c +++ b/libavcodec/pthread_slice.c @@ -181,6 +181,12 @@ int ff_slice_thread_init(AVCodecContext *avctx) w32thread_init(); #endif + // We cannot do this in the encoder init as the threads are created before + if (av_codec_is_encoder(avctx->codec) && + avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO && + avctx->height > 2800) + thread_count = avctx->thread_count = 1; + if (!thread_count) { int nb_cpus = av_cpu_count(); if (avctx->height) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 8081fb9ea5..392b90a5e0 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -88,7 +88,7 @@ static inline void flush_put_bits(PutBitContext *s) s->bit_buf <<= s->bit_left; #endif while (s->bit_left < 32) { - /* XXX: should test end of buffer */ + av_assert0(s->buf_ptr < s->buf_end); #ifdef BITSTREAM_WRITER_LE *s->buf_ptr++ = s->bit_buf; s->bit_buf >>= 8; @@ -146,9 +146,13 @@ static inline void put_bits(PutBitContext *s, int n, unsigned int value) #ifdef BITSTREAM_WRITER_LE bit_buf |= value << (32 - bit_left); if (n >= bit_left) { - av_assert2(s->buf_ptr+3buf_end); - AV_WL32(s->buf_ptr, bit_buf); - s->buf_ptr += 4; + if (3 < s->buf_end - s->buf_ptr) { + AV_WL32(s->buf_ptr, bit_buf); + s->buf_ptr += 4; + } else { + av_log(NULL, AV_LOG_ERROR, "Internal error, put_bits buffer too small\n"); + av_assert2(0); + } bit_buf = (bit_left == 32) ? 0 : value >> bit_left; bit_left += 32; } @@ -160,9 +164,13 @@ static inline void put_bits(PutBitContext *s, int n, unsigned int value) } else { bit_buf <<= bit_left; bit_buf |= value >> (n - bit_left); - av_assert2(s->buf_ptr+3buf_end); - AV_WB32(s->buf_ptr, bit_buf); - s->buf_ptr += 4; + if (3 < s->buf_end - s->buf_ptr) { + AV_WB32(s->buf_ptr, bit_buf); + s->buf_ptr += 4; + } else { + av_log(NULL, AV_LOG_ERROR, "Internal error, put_bits buffer too small\n"); + av_assert2(0); + } bit_left += 32 - n; bit_buf = value; } @@ -212,6 +220,7 @@ static inline void skip_put_bytes(PutBitContext *s, int n) { av_assert2((put_bits_count(s) & 7) == 0); av_assert2(s->bit_left == 32); + av_assert0(n <= s->buf_end - s->buf_ptr); s->buf_ptr += n; } @@ -235,6 +244,7 @@ static inline void skip_put_bits(PutBitContext *s, int n) static inline void set_put_bits_buffer_size(PutBitContext *s, int size) { s->buf_end = s->buf + size; + s->size_in_bits = 8*size; } #endif /* AVCODEC_PUT_BITS_H */ diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 94cb5bd0b6..3d083ae76c 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -120,12 +120,13 @@ static void av_noinline qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, int filled = 0; int orig_height; - if(!refdata) - refdata= dst; - - /* copy prev frame */ - for(i = 0; i < height; i++) - memcpy(dst + (i * stride), refdata + (i * stride), width); + if (refdata) { + /* copy prev frame */ + for (i = 0; i < height; i++) + memcpy(dst + (i * stride), refdata + (i * stride), width); + } else { + refdata = dst; + } orig_height = height; height--; @@ -163,7 +164,7 @@ static void av_noinline qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, /* check motion vector */ if ((me_x + filled < 0) || (me_x + me_w + filled > width) || - (height - me_y - me_h < 0) || (height - me_y > orig_height) || + (height - me_y - me_h < 0) || (height - me_y >= orig_height) || (filled + me_w > width) || (height - me_h < 0)) av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", me_x, me_y, me_w, me_h, filled, height); @@ -259,7 +260,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame * const ref = a->ref; uint8_t* outdata; int delta, ret; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); if (avpkt->size < 0x86) { av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); @@ -286,9 +288,11 @@ static int decode_frame(AVCodecContext *avctx, } /* make the palette available on the way out */ - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { p->palette_has_changed = 1; memcpy(a->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } memcpy(p->data[1], a->pal, AVPALETTE_SIZE); diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index b367643782..0c2dd944f3 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -485,11 +485,14 @@ static int qtrle_decode_frame(AVCodecContext *avctx, } if(has_palette) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } /* make the palette available on the way out */ diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 696a49e7ab..67f0e84469 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1512,7 +1512,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, v[0] = 0; for (i=!skip_first; i<3; i++) - v[i] = (ff_gain_val_tab[n][i] * m[i]) >> ff_gain_exp_tab[n]; + v[i] = (ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n]; if (v[0]) { for (i=0; i < BLOCKSIZE; i++) @@ -1573,7 +1573,7 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = ((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * b) >> 12; + bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) @@ -1598,10 +1598,10 @@ void ff_eval_coefs(int *coefs, const int *refl) int i, j; for (i=0; i < LPC_ORDER; i++) { - b1[i] = refl[i] << 4; + b1[i] = refl[i] * 16; for (j=0; j < i; j++) - b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; + b1[j] = ((int)(refl[i] * (unsigned)b2[i-j-1]) >> 12) + b2[j]; FFSWAP(int *, b1, b2); } @@ -1701,7 +1701,7 @@ void ff_subblock_synthesis(RA144Context *ractx, const int16_t *lpc_coefs, if (cba_idx) { cba_idx += BLOCKSIZE/2 - 1; ff_copy_and_dup(ractx->buffer_a, ractx->adapt_cb, cba_idx); - m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * gval) >> 12; + m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12; } else { m[0] = 0; } diff --git a/libavcodec/ra144dec.c b/libavcodec/ra144dec.c index 29c78229bb..6b4b56d01f 100644 --- a/libavcodec/ra144dec.c +++ b/libavcodec/ra144dec.c @@ -113,7 +113,7 @@ static int ra144_decode_frame(AVCodecContext * avctx, void *data, do_output_subblock(ractx, block_coefs[i], refl_rms[i], &gb); for (j=0; j < BLOCKSIZE; j++) - *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] << 2); + *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2)); } ractx->old_energy = energy; diff --git a/libavcodec/raw.c b/libavcodec/raw.c index 62ad338b9f..f8637c9ac6 100644 --- a/libavcodec/raw.c +++ b/libavcodec/raw.c @@ -31,6 +31,7 @@ const PixelFormatTag ff_raw_pix_fmt_tags[] = { { AV_PIX_FMT_YUV420P, MKTAG('I', '4', '2', '0') }, /* Planar formats */ { AV_PIX_FMT_YUV420P, MKTAG('I', 'Y', 'U', 'V') }, + { AV_PIX_FMT_YUV420P, MKTAG('y', 'v', '1', '2') }, { AV_PIX_FMT_YUV420P, MKTAG('Y', 'V', '1', '2') }, { AV_PIX_FMT_YUV410P, MKTAG('Y', 'U', 'V', '9') }, { AV_PIX_FMT_YUV410P, MKTAG('Y', 'V', 'U', '9') }, diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 28792a1688..dd56680129 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -172,6 +172,9 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, context->frame_size = avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height); } + if (context->frame_size < 0) + return context->frame_size; + need_copy = !avpkt->buf || context->is_2_4_bpp || context->is_yuv2 || context->is_lt_16bpp; frame->pict_type = AV_PICTURE_TYPE_I; @@ -255,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, buf += buf_size - context->frame_size; len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0); - if (buf_size < len && (avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)) { + if (buf_size < len && ((avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0) || !need_copy)) { av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len); av_buffer_unref(&frame->buf[0]); return AVERROR(EINVAL); @@ -268,8 +271,13 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, } if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { + int pal_size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, - NULL); + &pal_size); + if (pal_size != AVPALETTE_SIZE) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); + pal = NULL; + } if (pal) { av_buffer_unref(&context->palette); diff --git a/libavcodec/rawenc.c b/libavcodec/rawenc.c index c579230013..9bcf5c4cc6 100644 --- a/libavcodec/rawenc.c +++ b/libavcodec/rawenc.c @@ -51,7 +51,7 @@ static int raw_encode(AVCodecContext *avctx, AVPacket *pkt, if (ret < 0) return ret; - if ((ret = ff_alloc_packet2(avctx, pkt, ret)) < 0) + if ((ret = ff_alloc_packet(pkt, ret)) < 0) return ret; if ((ret = avpicture_layout((const AVPicture *)frame, avctx->pix_fmt, avctx->width, avctx->height, pkt->data, pkt->size)) < 0) diff --git a/libavcodec/resample.c b/libavcodec/resample.c index c45aa16cd1..ec311c7bfb 100644 --- a/libavcodec/resample.c +++ b/libavcodec/resample.c @@ -290,12 +290,6 @@ int audio_resample(ReSampleContext *s, short *output, short *input, int nb_sampl short *output_bak = NULL; int lenout; - if (s->input_channels == s->output_channels && s->ratio == 1.0 && 0) { - /* nothing to do */ - memcpy(output, input, nb_samples * s->input_channels * sizeof(short)); - return nb_samples; - } - if (s->sample_fmt[0] != AV_SAMPLE_FMT_S16) { int istride[1] = { s->sample_size[0] }; int ostride[1] = { 2 }; diff --git a/libavcodec/roqaudioenc.c b/libavcodec/roqaudioenc.c index b0b76d0883..2c59074fce 100644 --- a/libavcodec/roqaudioenc.c +++ b/libavcodec/roqaudioenc.c @@ -148,9 +148,8 @@ static int roq_dpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, return 0; } } - if (context->input_frames < 8) { + if (context->input_frames < 8) in = context->frame_buffer; - } if (stereo) { context->lastSample[0] &= 0xFF00; diff --git a/libavcodec/roqvideoenc.c b/libavcodec/roqvideoenc.c index 1c5970f68b..7fbbb85419 100644 --- a/libavcodec/roqvideoenc.c +++ b/libavcodec/roqvideoenc.c @@ -966,6 +966,8 @@ static av_cold int roq_encode_init(AVCodecContext *avctx) av_lfg_init(&enc->randctx, 1); + enc->avctx = avctx; + enc->framesSinceKeyframe = 0; if ((avctx->width & 0xf) || (avctx->height & 0xf)) { av_log(avctx, AV_LOG_ERROR, "Dimensions must be divisible by 16\n"); diff --git a/libavcodec/rv10enc.c b/libavcodec/rv10enc.c index 25411322a6..45f11365c9 100644 --- a/libavcodec/rv10enc.c +++ b/libavcodec/rv10enc.c @@ -28,7 +28,7 @@ #include "mpegvideo.h" #include "put_bits.h" -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) { int full_frame= 0; @@ -48,12 +48,18 @@ void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) /* if multiple packets per frame are sent, the position at which to display the macroblocks is coded here */ if(!full_frame){ + if (s->mb_width * s->mb_height >= (1U << 12)) { + avpriv_report_missing_feature(s->avctx, "Encoding frames with %d (>= 4096) macroblocks", + s->mb_width * s->mb_height); + return AVERROR(ENOSYS); + } put_bits(&s->pb, 6, 0); /* mb_x */ put_bits(&s->pb, 6, 0); /* mb_y */ put_bits(&s->pb, 12, s->mb_width * s->mb_height); } put_bits(&s->pb, 3, 0); /* ignored */ + return 0; } FF_MPV_GENERIC_CLASS(rv10) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index a232ab2593..2997285a67 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1534,7 +1534,14 @@ int ff_rv34_decode_init_thread_copy(AVCodecContext *avctx) if (avctx->internal->is_copy) { r->tmp_b_block_base = NULL; + r->cbp_chroma = NULL; + r->cbp_luma = NULL; + r->deblock_coefs = NULL; + r->intra_types_hist = NULL; + r->mb_type = NULL; + ff_mpv_idct_init(&r->s); + if ((err = ff_mpv_common_init(&r->s)) < 0) return err; if ((err = rv34_decoder_alloc(r)) < 0) { @@ -1620,7 +1627,7 @@ static AVRational update_sar(int old_w, int old_h, AVRational sar, int new_w, in if (!sar.num) sar = (AVRational){1, 1}; - sar = av_mul_q(sar, (AVRational){new_h * old_w, new_w * old_h}); + sar = av_mul_q(sar, av_mul_q((AVRational){new_h, new_w}, (AVRational){old_w, old_h})); return sar; } diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index 043fd724a9..0b5f3ff92f 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -109,6 +109,8 @@ static int get_dimension(GetBitContext *gb, const int *dim) val = dim[get_bits1(gb) - val]; if(!val){ do{ + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; t = get_bits(gb, 8); val += t << 2; }while(t == 0xFF); @@ -186,7 +188,7 @@ static int rv40_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t A = ptr[-r->intra_types_stride + 1]; // it won't be used for the last coefficient in a row B = ptr[-r->intra_types_stride]; C = ptr[-1]; - pattern = A + (B << 4) + (C << 8); + pattern = A + B * (1 << 4) + C * (1 << 8); for(k = 0; k < MODE2_PATTERNS_NUM; k++) if(pattern == rv40_aic_table_index[k]) break; diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c index 19b0e93696..95ba0a9259 100644 --- a/libavcodec/rv40dsp.c +++ b/libavcodec/rv40dsp.c @@ -449,7 +449,7 @@ static av_always_inline void rv40_weak_loop_filter(uint8_t *src, if (u > 3 - (filter_p1 && filter_q1)) continue; - t <<= 2; + t *= 1 << 2; if (filter_p1 && filter_q1) t += src[-2*step] - src[1*step]; diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index 7639a0f1c9..ff33421abe 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -79,11 +79,6 @@ static int s302m_parse_frame_header(AVCodecContext *avctx, const uint8_t *buf, case 8: avctx->channel_layout = AV_CH_LAYOUT_5POINT1_BACK | AV_CH_LAYOUT_STEREO_DOWNMIX; } - avctx->sample_rate = 48000; - avctx->bit_rate = 48000 * avctx->channels * (avctx->bits_per_raw_sample + 4) + - 32 * (48000 / (buf_size * 8 / - (avctx->channels * - (avctx->bits_per_raw_sample + 4)))); return frame_size; } @@ -109,15 +104,17 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; + avctx->bit_rate = 48000 * avctx->channels * (avctx->bits_per_raw_sample + 4) + + 32 * 48000 / frame->nb_samples; buf_size = (frame->nb_samples * avctx->channels / 2) * block_size; if (avctx->bits_per_raw_sample == 24) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 6; buf_size -= 7) { - *o++ = (ff_reverse[buf[2]] << 24) | + *o++ = ((unsigned)ff_reverse[buf[2]] << 24) | (ff_reverse[buf[1]] << 16) | (ff_reverse[buf[0]] << 8); - *o++ = (ff_reverse[buf[6] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[6] & 0xf0] << 28) | (ff_reverse[buf[5]] << 20) | (ff_reverse[buf[4]] << 12) | (ff_reverse[buf[3] & 0x0f] << 4); @@ -126,10 +123,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, } else if (avctx->bits_per_raw_sample == 20) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 5; buf_size -= 6) { - *o++ = (ff_reverse[buf[2] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[2] & 0xf0] << 28) | (ff_reverse[buf[1]] << 20) | (ff_reverse[buf[0]] << 12); - *o++ = (ff_reverse[buf[5] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[5] & 0xf0] << 28) | (ff_reverse[buf[4]] << 20) | (ff_reverse[buf[3]] << 12); buf += 6; @@ -146,6 +143,8 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, } } + avctx->sample_rate = 48000; + *got_frame_ptr = 1; return avpkt->size; diff --git a/libavcodec/s302menc.c b/libavcodec/s302menc.c index 540ac29dab..e738f09d19 100644 --- a/libavcodec/s302menc.c +++ b/libavcodec/s302menc.c @@ -82,7 +82,7 @@ static int s302m_encode2_frame(AVCodecContext *avctx, AVPacket *avpkt, return ret; o = avpkt->data; - init_put_bits(&pb, o, buf_size * 8); + init_put_bits(&pb, o, buf_size); put_bits(&pb, 16, buf_size - AES3_HEADER_LEN); put_bits(&pb, 2, (avctx->channels - 2) >> 1); // number of channels put_bits(&pb, 8, 0); // channel ID diff --git a/libavcodec/samidec.c b/libavcodec/samidec.c index 39ac6082bc..14dbc5b33e 100644 --- a/libavcodec/samidec.c +++ b/libavcodec/samidec.c @@ -91,6 +91,7 @@ static int sami_paragraph_to_ass(AVCodecContext *avctx, const char *src) break; if (*p == '>') p++; + continue; } if (!av_isspace(*p)) av_bprint_chars(dst, *p, 1); diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 9e5ec5400e..17096587b4 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -457,15 +457,16 @@ static void destroy_buffers(SANMVideoContext *ctx) ctx->frm0_size = ctx->frm1_size = ctx->frm2_size = 0; + init_sizes(ctx, 0, 0); } static av_cold int init_buffers(SANMVideoContext *ctx) { - av_fast_padded_malloc(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); if (!ctx->version) - av_fast_padded_malloc(&ctx->stored_frame, + av_fast_padded_mallocz(&ctx->stored_frame, &ctx->stored_frame_size, ctx->buf_size); if (!ctx->frm0 || !ctx->frm1 || !ctx->frm2 || diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h index e28fccda09..ff00acba0d 100644 --- a/libavcodec/sbr.h +++ b/libavcodec/sbr.h @@ -137,6 +137,7 @@ typedef struct AACSBRContext { struct SpectralBandReplication { int sample_rate; int start; + int id_aac; int reset; SpectrumParameters spectrum_params; int bs_amp_res_header; diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index 6f51ec3531..3ddbf77bc8 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -98,7 +98,7 @@ static int expand_rle_row16(SgiState *s, uint16_t *out_buf, break; /* Check for buffer overflow. */ - if (pixelstride * (count - 1) >= len) { + if (out_end - out_buf <= pixelstride * (count - 1)) { av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n"); return AVERROR_INVALIDDATA; } @@ -145,7 +145,7 @@ static int read_rle_sgi(uint8_t *out_buf, SgiState *s) for (z = 0; z < s->depth; z++) { dest_row = out_buf; for (y = 0; y < s->height; y++) { - linesize = s->width * s->depth * s->bytes_per_channel; + linesize = s->width * s->depth; dest_row -= s->linesize; start_offset = bytestream2_get_be32(&g_table); bytestream2_seek(&s->g, start_offset, SEEK_SET); diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 5c4bf816b9..e00a7f1ec6 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -129,8 +129,7 @@ static int allocate_buffers(ShortenContext *s) av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); return AVERROR_INVALIDDATA; } - if (s->blocksize + s->nwrap >= UINT_MAX / sizeof(int32_t) || - s->blocksize + s->nwrap <= (unsigned)s->nwrap) { + if (s->blocksize + (uint64_t)s->nwrap >= UINT_MAX / sizeof(int32_t)) { av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n"); return AVERROR_INVALIDDATA; @@ -157,8 +156,11 @@ static int allocate_buffers(ShortenContext *s) static inline unsigned int get_uint(ShortenContext *s, int k) { - if (s->version != 0) + if (s->version != 0) { k = get_ur_golomb_shorten(&s->gb, ULONGSIZE); + if (k > 31U) + return AVERROR_INVALIDDATA; + } return get_ur_golomb_shorten(&s->gb, k); } @@ -278,7 +280,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, if (command == FN_QLPC) { /* read/validate prediction order */ pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE); - if (pred_order > s->nwrap) { + if ((unsigned)pred_order > s->nwrap) { av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", pred_order); return AVERROR(EINVAL); @@ -367,9 +369,18 @@ static int read_header(ShortenContext *s) s->blocksize = blocksize; maxnlpc = get_uint(s, LPCQSIZE); + if (maxnlpc > 1024U) { + av_log(s->avctx, AV_LOG_ERROR, "maxnlpc is: %d\n", maxnlpc); + return AVERROR_INVALIDDATA; + } s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); + if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { + av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < skip_bytes; i++) skip_bits(&s->gb, 8); } diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 518bdad3ec..bdabe7fecb 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -667,6 +667,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ frame->nb_samples = unp_size / (avctx->channels * (bits + 1)); + if (unp_size % (avctx->channels * (bits + 1))) { + av_log(avctx, AV_LOG_ERROR, "unp_size %d is odd\n", unp_size); + return AVERROR(EINVAL); + } if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; samples = (int16_t *)frame->data[0]; diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 4bfa4a8622..304cb34a4e 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -70,7 +70,7 @@ typedef struct SmcContext { row_ptr += stride * 4; \ } \ total_blocks--; \ - if (total_blocks < 0) \ + if (total_blocks < !!n_blocks) \ { \ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ return; \ @@ -132,6 +132,10 @@ static void smc_decode_stream(SmcContext *s) row_ptr, image_size); return; } + if (bytestream2_get_bytes_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "input too small\n"); + return; + } opcode = bytestream2_get_byte(&s->gb); switch (opcode & 0xF0) { diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c index 69327cd798..88912ca212 100644 --- a/libavcodec/smvjpegdec.c +++ b/libavcodec/smvjpegdec.c @@ -137,6 +137,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz if (!cur_frame) { av_frame_unref(mjpeg_data); ret = avcodec_decode_video2(s->avctx, mjpeg_data, &s->mjpeg_data_size, avpkt); + if (ret < 0) { + s->mjpeg_data_size = 0; + return ret; + } } else if (!s->mjpeg_data_size) return AVERROR(EINVAL); diff --git a/libavcodec/snow.h b/libavcodec/snow.h index b6a8bf4d7f..2a5d3a66dd 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -296,6 +296,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer BlockNode *lb= lt+b_stride; BlockNode *rb= lb+1; uint8_t *block[4]; + // When src_stride is large enough, it is possible to interleave the blocks. + // Otherwise the blocks are written sequentially in the tmp buffer. int tmp_step= src_stride >= 7*MB_SIZE ? MB_SIZE : MB_SIZE*src_stride; uint8_t *tmp = s->scratchbuf; uint8_t *ptmp; @@ -339,8 +341,6 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer if(b_w<=0 || b_h<=0) return; - av_assert2(src_stride > 2*MB_SIZE + 5); - if(!sliced && offset_dst) dst += src_x + src_y*dst_stride; dst8+= src_x + src_y*src_stride; @@ -551,10 +551,13 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){ if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; } a= 1; diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 327157b0d2..5f3332459c 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -115,7 +115,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli v = b->x_coeff[new_index].coeff; x = b->x_coeff[new_index++].x; while(x < w){ - register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT; + register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT; register int u= -(v&1); line[x] = (t^u) - u; @@ -152,19 +152,28 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int l = left->color[0]; int cb= left->color[1]; int cr= left->color[2]; - int ref = 0; + unsigned ref = 0; int ref_context= av_log2(2*left->ref) + av_log2(2*top->ref); int mx_context= av_log2(2*FFABS(left->mx - top->mx)) + 0*av_log2(2*FFABS(tr->mx - top->mx)); int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); type= get_rac(&s->c, &s->block_state[1 + left->type + top->type]) ? BLOCK_INTRA : 0; - if(type){ + int ld, cbd, crd; pred_mv(s, &mx, &my, 0, left, top, tr); - l += get_symbol(&s->c, &s->block_state[32], 1); + ld = get_symbol(&s->c, &s->block_state[32], 1); + if (ld < -255 || ld > 255) { + return AVERROR_INVALIDDATA; + } + l += ld; if (s->nb_planes > 2) { - cb+= get_symbol(&s->c, &s->block_state[64], 1); - cr+= get_symbol(&s->c, &s->block_state[96], 1); + cbd = get_symbol(&s->c, &s->block_state[64], 1); + crd = get_symbol(&s->c, &s->block_state[96], 1); + if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) { + return AVERROR_INVALIDDATA; + } + cb += cbd; + cr += crd; } }else{ if(s->ref_frames > 1) @@ -330,7 +339,7 @@ static int decode_header(SnowContext *s){ Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps > HTAPS_MAX || htaps==0) + if((unsigned)htaps >= HTAPS_MAX || htaps==0) return AVERROR_INVALIDDATA; p->htaps= htaps; for(i= htaps/2; i; i--){ @@ -349,7 +358,7 @@ static int decode_header(SnowContext *s){ } } - s->spatial_decomposition_type+= get_symbol(&s->c, s->header_state, 1); + s->spatial_decomposition_type+= (unsigned)get_symbol(&s->c, s->header_state, 1); if(s->spatial_decomposition_type > 1U){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not supported\n", s->spatial_decomposition_type); return AVERROR_INVALIDDATA; @@ -359,15 +368,25 @@ static int decode_header(SnowContext *s){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count); return AVERROR_INVALIDDATA; } + if (s->avctx->width > 65536-4) { + av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width); + return AVERROR_INVALIDDATA; + } - s->qlog += get_symbol(&s->c, s->header_state, 1); - s->mv_scale += get_symbol(&s->c, s->header_state, 1); - s->qbias += get_symbol(&s->c, s->header_state, 1); - s->block_max_depth+= get_symbol(&s->c, s->header_state, 1); - if(s->block_max_depth > 1 || s->block_max_depth < 0){ + s->qlog += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->mv_scale += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->qbias += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->block_max_depth+= (unsigned)get_symbol(&s->c, s->header_state, 1); + if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth); s->block_max_depth= 0; + s->mv_scale = 0; + return AVERROR_INVALIDDATA; + } + if (FFABS(s->qbias) > 127) { + av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias); + s->qbias = 0; return AVERROR_INVALIDDATA; } @@ -394,6 +413,8 @@ static int decode_blocks(SnowContext *s){ for(y=0; yc.bytestream >= s->c.bytestream_end) + return AVERROR_INVALIDDATA; if ((res = decode_q_branch(s, 0, x, y)) < 0) return res; } @@ -544,7 +565,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for(; yqsb, yq); for(x=0; xpenalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); c->sub_penalty_factor= get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_sub_cmp); c->mb_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->mb_cmp); - c->current_mv_penalty= c->mv_penalty[s->m.f_code=1] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->m.f_code=1] + MAX_DMV; c->xmin = - x*block_w - 16+3; c->ymin = - y*block_w - 16+3; diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index a5e573a7aa..ab947c47b0 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -497,12 +497,15 @@ static int predictor_calc_error(int *k, int *state, int order, int error) // copes better with quantization, and calculates the // actual whitened result as it goes. -static void modified_levinson_durbin(int *window, int window_entries, +static int modified_levinson_durbin(int *window, int window_entries, int *out, int out_entries, int channels, int *tap_quant) { int i; int *state = av_calloc(window_entries, sizeof(*state)); + if (!state) + return AVERROR(ENOMEM); + memcpy(state, window, 4* window_entries); for (i = 0; i < out_entries; i++) @@ -567,6 +570,7 @@ static void modified_levinson_durbin(int *window, int window_entries, } av_free(state); + return 0; } static inline int code_samplerate(int samplerate) @@ -627,6 +631,9 @@ static av_cold int sonic_encode_init(AVCodecContext *avctx) // generate taps s->tap_quant = av_calloc(s->num_taps, sizeof(*s->tap_quant)); + if (!s->tap_quant) + return AVERROR(ENOMEM); + for (i = 0; i < s->num_taps; i++) s->tap_quant[i] = ff_sqrt(i+1); @@ -656,7 +663,7 @@ static av_cold int sonic_encode_init(AVCodecContext *avctx) s->window_size = ((2*s->tail_size)+s->frame_size); s->window = av_calloc(s->window_size, sizeof(*s->window)); - if (!s->window) + if (!s->window || !s->int_samples) return AVERROR(ENOMEM); avctx->extradata = av_mallocz(16); @@ -769,8 +776,11 @@ static int sonic_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, s->tail[i] = s->int_samples[s->frame_size - s->tail_size + i]; // generate taps - modified_levinson_durbin(s->window, s->window_size, + ret = modified_levinson_durbin(s->window, s->window_size, s->predictor_k, s->num_taps, s->channels, s->tap_quant); + if (ret < 0) + return ret; + if ((ret = intlist_write(&c, state, s->predictor_k, s->num_taps, 0)) < 0) return ret; @@ -873,17 +883,24 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) if (s->version >= 1) { + int sample_rate_index; s->channels = get_bits(&gb, 2); - s->samplerate = samplerate_table[get_bits(&gb, 4)]; + sample_rate_index = get_bits(&gb, 4); + if (sample_rate_index >= FF_ARRAY_ELEMS(samplerate_table)) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample_rate_index %d\n", sample_rate_index); + return AVERROR_INVALIDDATA; + } + s->samplerate = samplerate_table[sample_rate_index]; av_log(avctx, AV_LOG_INFO, "Sonicv2 chans: %d samprate: %d\n", s->channels, s->samplerate); } - if (s->channels > MAX_CHANNELS) + if (s->channels > MAX_CHANNELS || s->channels < 1) { av_log(avctx, AV_LOG_ERROR, "Only mono and stereo streams are supported by now\n"); return AVERROR_INVALIDDATA; } + avctx->channels = s->channels; s->lossless = get_bits1(&gb); if (!s->lossless) @@ -908,11 +925,21 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) s->frame_size = s->channels*s->block_align*s->downsampling; // avctx->frame_size = s->block_align; + if (s->num_taps * s->channels > s->frame_size) { + av_log(avctx, AV_LOG_ERROR, + "number of taps times channels (%d * %d) larger than frame size %d\n", + s->num_taps, s->channels, s->frame_size); + return AVERROR_INVALIDDATA; + } + av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d block: %d frame: %d downsamp: %d\n", s->version, s->minor_version, s->lossless, s->decorrelation, s->num_taps, s->block_align, s->frame_size, s->downsampling); // generate taps s->tap_quant = av_calloc(s->num_taps, sizeof(*s->tap_quant)); + if (!s->tap_quant) + return AVERROR(ENOMEM); + for (i = 0; i < s->num_taps; i++) s->tap_quant[i] = ff_sqrt(i+1); @@ -932,6 +959,8 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) return AVERROR(ENOMEM); } s->int_samples = av_calloc(s->frame_size, sizeof(*s->int_samples)); + if (!s->int_samples) + return AVERROR(ENOMEM); avctx->sample_fmt = AV_SAMPLE_FMT_S16; return 0; diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index d9918f48b9..c6e50e53e1 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -168,7 +168,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } } else { for (y = 0; y < h; y++) { - if (buf_end - buf < len) + if (buf_end - buf < alen) break; memcpy(ptr, buf, len); ptr += stride; diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 121ebc43e9..1212522a69 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -499,7 +499,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, HpelDSPContext *hdsp, return result; } -static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) +static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257]) { uint8_t seed; int i; @@ -511,6 +511,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) out[i] = get_bits(bitbuf, 8) ^ seed; seed = string_table[out[i] ^ seed]; } + out[i] = 0; } static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) @@ -553,12 +554,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) } if ((s->frame_code ^ 0x10) >= 0x50) { - uint8_t msg[256]; + uint8_t msg[257]; svq1_parse_string(bitbuf, msg); av_log(avctx, AV_LOG_INFO, - "embedded message:\n%s\n", (char *)msg); + "embedded message:\n%s\n", ((char *)msg) + 1); } skip_bits(bitbuf, 2); @@ -616,9 +617,12 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, uint8_t *current; int result, i, x, y, width, height; svq1_pmv *pmv; + int ret; /* initialize bit buffer */ - init_get_bits8(&s->gb, buf, buf_size); + ret = init_get_bits8(&s->gb, buf, buf_size); + if (ret < 0) + return ret; /* decode frame header */ s->frame_code = get_bits(&s->gb, 22); @@ -635,8 +639,9 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - av_fast_padded_malloc(&s->pkt_swapped, &s->pkt_swapped_allocated, - buf_size); + av_fast_padded_malloc(&s->pkt_swapped, + &s->pkt_swapped_allocated, + buf_size); if (!s->pkt_swapped) return AVERROR(ENOMEM); diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 850630f288..2d7f7703df 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -514,6 +514,11 @@ static av_cold int svq1_encode_init(AVCodecContext *avctx) SVQ1EncContext *const s = avctx->priv_data; int ret; + if (avctx->width >= 4096 || avctx->height >= 4096) { + av_log(avctx, AV_LOG_ERROR, "Dimensions too large, maximum is 4095x4095\n"); + return AVERROR(EINVAL); + } + ff_hpeldsp_init(&s->hdsp, avctx->flags); ff_me_cmp_init(&s->mecc, avctx); ff_mpegvideoencdsp_init(&s->m.mpvencdsp, avctx); diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 97233b19d6..7360cf27fb 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -166,7 +166,7 @@ static int svq3_decode_end(AVCodecContext *avctx); void ff_svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) { - const int qmul = svq3_dequant_coeff[qp]; + const unsigned qmul = svq3_dequant_coeff[qp]; #define stride 16 int i; int temp[16]; @@ -191,10 +191,10 @@ void ff_svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) const int z2 = 7 * temp[4 * 1 + i] - 17 * temp[4 * 3 + i]; const int z3 = 17 * temp[4 * 1 + i] + 7 * temp[4 * 3 + i]; - output[stride * 0 + offset] = (z0 + z3) * qmul + 0x80000 >> 20; - output[stride * 2 + offset] = (z1 + z2) * qmul + 0x80000 >> 20; - output[stride * 8 + offset] = (z1 - z2) * qmul + 0x80000 >> 20; - output[stride * 10 + offset] = (z0 - z3) * qmul + 0x80000 >> 20; + output[stride * 0 + offset] = (int)((z0 + z3) * qmul + 0x80000) >> 20; + output[stride * 2 + offset] = (int)((z1 + z2) * qmul + 0x80000) >> 20; + output[stride * 8 + offset] = (int)((z1 - z2) * qmul + 0x80000) >> 20; + output[stride * 10 + offset] = (int)((z0 - z3) * qmul + 0x80000) >> 20; } } #undef stride @@ -206,7 +206,7 @@ void ff_svq3_add_idct_c(uint8_t *dst, int16_t *block, int i; if (dc) { - dc = 13 * 13 * (dc == 1 ? 1538 * block[0] + dc = 13 * 13 * (dc == 1 ? 1538U* block[0] : qmul * (block[0] >> 3) / 2); block[0] = 0; } @@ -224,16 +224,16 @@ void ff_svq3_add_idct_c(uint8_t *dst, int16_t *block, } for (i = 0; i < 4; i++) { - const int z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); - const int z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); - const int z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; - const int z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; - const int rr = (dc + 0x80000); + const unsigned z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); + const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); + const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; + const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; + const int rr = (dc + 0x80000u); - dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((z0 + z3) * qmul + rr >> 20)); - dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((z1 + z2) * qmul + rr >> 20)); - dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((z1 - z2) * qmul + rr >> 20)); - dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((z0 - z3) * qmul + rr >> 20)); + dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); + dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); + dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((int)((z1 - z2) * qmul + rr) >> 20)); + dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((int)((z0 - z3) * qmul + rr) >> 20)); } memset(block, 0, 16 * sizeof(int16_t)); @@ -395,8 +395,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, if (mode != PREDICT_MODE) { pred_motion(h, k, part_width >> 2, dir, 1, &mx, &my); } else { - mx = s->next_pic->motion_val[0][b_xy][0] << 1; - my = s->next_pic->motion_val[0][b_xy][1] << 1; + mx = s->next_pic->motion_val[0][b_xy][0] * 2; + my = s->next_pic->motion_val[0][b_xy][1] * 2; if (dir == 0) { mx = mx * h->frame_num_offset / @@ -433,8 +433,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, int fx, fy; mx = (mx + 1 >> 1) + dx; my = (my + 1 >> 1) + dy; - fx = (unsigned)(mx + 0x3000) / 3 - 0x1000; - fy = (unsigned)(my + 0x3000) / 3 - 0x1000; + fx = (unsigned)(mx + 0x30000) / 3 - 0x10000; + fy = (unsigned)(my + 0x30000) / 3 - 0x10000; dxy = (mx - 3 * fx) + 4 * (my - 3 * fy); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -442,8 +442,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx += mx; my += my; } else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) { - mx = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000; - my = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000; + mx = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000; + my = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000; dxy = (mx & 1) + 2 * (my & 1); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -451,8 +451,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx *= 3; my *= 3; } else { - mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000; - my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000; + mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000; + my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000; svq3_mc_dir_part(s, x, y, part_width, part_height, mx, my, 0, 0, dir, avg); @@ -1176,7 +1176,7 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, h->cur_pic_ptr = s->cur_pic; av_frame_unref(&h->cur_pic.f); - h->cur_pic = *s->cur_pic; + memcpy(&h->cur_pic.tf, &s->cur_pic->tf, sizeof(h->cur_pic) - offsetof(H264Picture, tf)); ret = av_frame_ref(&h->cur_pic.f, &s->cur_pic->f); if (ret < 0) return ret; diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 5810a01c24..738f1e4a4b 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -192,7 +192,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) int a1 = *coeffs++; for (i = 0; i < length - 1 >> 1; i++) { *coeffs += a1; - coeffs[1] += *coeffs; + coeffs[1] += (unsigned)*coeffs; a1 = coeffs[1]; coeffs += 2; } @@ -224,6 +224,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) int a3 = coeffs[2]; int a4 = a3 + a1; int a5 = a4 + a2; + coeffs[2] = a5; coeffs += 3; for (i = 0; i < length - 3; i++) { a3 += *coeffs; @@ -252,11 +253,11 @@ static int decode_segment(TAKDecContext *s, int8_t mode, int32_t *decoded, int l code = xcodes[mode - 1]; for (i = 0; i < len; i++) { - int x = get_bits_long(gb, code.init); + unsigned x = get_bits_long(gb, code.init); if (x >= code.escape && get_bits1(gb)) { x |= 1 << code.init; if (x >= code.aescape) { - int scale = get_unary(gb, 1, 9); + unsigned scale = get_unary(gb, 1, 9); if (scale == 9) { int scale_bits = get_bits(gb, 3); if (scale_bits > 0) { @@ -468,13 +469,13 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, int v = 1 << (filter_quant - 1); if (filter_order & -16) - v += s->adsp.scalarproduct_int16(&s->residues[i], s->filter, + v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { - v += s->residues[i + j + 3] * s->filter[j + 3] + - s->residues[i + j + 2] * s->filter[j + 2] + - s->residues[i + j + 1] * s->filter[j + 1] + - s->residues[i + j ] * s->filter[j ]; + v += s->residues[i + j + 3] * (unsigned)s->filter[j + 3] + + s->residues[i + j + 2] * (unsigned)s->filter[j + 2] + + s->residues[i + j + 1] * (unsigned)s->filter[j + 1] + + s->residues[i + j ] * (unsigned)s->filter[j ]; } v = (av_clip(v >> filter_quant, -8192, 8191) << dshift) - *decoded; *decoded++ = v; @@ -632,7 +633,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) for (; length2 > 0; length2 -= tmp) { tmp = FFMIN(length2, x); - for (i = 0; i < tmp; i++) + for (i = 0; i < tmp - (tmp == length2); i++) s->residues[filter_order + i] = *p2++ >> dshift; for (i = 0; i < tmp; i++) { @@ -656,7 +657,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) *p1++ = v; } - memcpy(s->residues, &s->residues[tmp], 2 * filter_order); + memmove(s->residues, &s->residues[tmp], 2 * filter_order); } emms_c(); @@ -799,6 +800,12 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->mcdparams[i].present) { s->mcdparams[i].index = get_bits(gb, 2); s->mcdparams[i].chan2 = get_bits(gb, 4); + if (s->mcdparams[i].chan2 >= avctx->channels) { + av_log(avctx, AV_LOG_ERROR, + "invalid channel 2 (%d) for %d channel(s)\n", + s->mcdparams[i].chan2, avctx->channels); + return AVERROR_INVALIDDATA; + } if (s->mcdparams[i].index == 1) { if ((nbit == s->mcdparams[i].chan2) || (ch_mask & 1 << s->mcdparams[i].chan2)) @@ -848,7 +855,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] <<= s->sample_shift[chan]; + decoded[i] *= 1U << s->sample_shift[chan]; } } @@ -875,7 +882,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, uint8_t *samples = (uint8_t *)frame->extended_data[chan]; int32_t *decoded = s->decoded[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] = decoded[i] + 0x80; + samples[i] = decoded[i] + 0x80U; } break; case AV_SAMPLE_FMT_S16P: @@ -890,7 +897,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] <<= 8; + samples[i] *= 1U << 8; } break; } diff --git a/libavcodec/targa_y216dec.c b/libavcodec/targa_y216dec.c index 5f4eeaaad2..15c95ef2db 100644 --- a/libavcodec/targa_y216dec.c +++ b/libavcodec/targa_y216dec.c @@ -35,7 +35,8 @@ static int y216_decode_frame(AVCodecContext *avctx, void *data, { AVFrame *pic = data; const uint16_t *src = (uint16_t *)avpkt->data; - uint16_t *y, *u, *v, aligned_width = FFALIGN(avctx->width, 4); + uint16_t *y, *u, *v; + int aligned_width = FFALIGN(avctx->width, 4); int i, j, ret; if (avpkt->size < 4 * avctx->height * aligned_width) { diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c index 7c62208dc5..e75f70aee2 100644 --- a/libavcodec/tiertexseqv.c +++ b/libavcodec/tiertexseqv.c @@ -213,10 +213,15 @@ static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int static av_cold int seqvideo_decode_init(AVCodecContext *avctx) { SeqVideoContext *seq = avctx->priv_data; + int ret; seq->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 256, 128); + if (ret < 0) + return ret; + seq->frame = av_frame_alloc(); if (!seq->frame) return AVERROR(ENOMEM); diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 0352639d2f..aaeb143f86 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -407,7 +407,7 @@ static int tiff_unpack_lzma(TiffContext *s, AVFrame *p, uint8_t *dst, int stride const uint8_t *src, int size, int width, int lines, int strip_start, int is_yuv) { - uint64_t outlen = width * lines; + uint64_t outlen = width * (uint64_t)lines; int ret, line; uint8_t *buf = av_malloc(outlen); if (!buf) @@ -655,6 +655,14 @@ static int init_image(TiffContext *s, ThreadFrame *frame) int ret; int create_gray_palette = 0; + // make sure there is no aliasing in the following switch + if (s->bpp >= 100 || s->bppcount >= 10) { + av_log(s->avctx, AV_LOG_ERROR, + "Unsupported image parameters: bpp=%d, bppcount=%d\n", + s->bpp, s->bppcount); + return AVERROR_INVALIDDATA; + } + switch (s->planar * 1000 + s->bpp * 10 + s->bppcount) { case 11: if (!s->palette_is_set) { @@ -812,13 +820,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->height = value; break; case TIFF_BPP: - s->bppcount = count; - if (count > 4) { + if (count > 4U) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", - s->bpp, count); + value, count); return AVERROR_INVALIDDATA; } + s->bppcount = count; if (count == 1) s->bpp = value; else { @@ -897,6 +905,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_OFFS: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "strippos %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->strippos = 0; s->stripoff = value; } else @@ -908,6 +921,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_SIZE: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "stripsize %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->stripsizesoff = 0; s->stripsize = value; s->strips = 1; @@ -997,8 +1015,14 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) av_log(s->avctx, AV_LOG_ERROR, "subsample count invalid\n"); return AVERROR_INVALIDDATA; } - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { s->subsampling[i] = ff_tget(&s->gb, type, s->le); + if (s->subsampling[i] <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]); + s->subsampling[i] = 1; + return AVERROR_INVALIDDATA; + } + } break; case TIFF_T4OPTIONS: if (s->compr == TIFF_G3) @@ -1023,6 +1047,10 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) ADD_METADATA(count, "ModelTiepointTag", NULL); break; case TIFF_GEO_KEY_DIRECTORY: + if (s->geotag_count) { + avpriv_request_sample(s->avctx, "Multiple geo key directories\n"); + return AVERROR_INVALIDDATA; + } ADD_METADATA(1, "GeoTIFF_Version", NULL); ADD_METADATA(2, "GeoTIFF_Key_Revision", "."); s->geotag_count = ff_tget_short(&s->gb, s->le); @@ -1030,7 +1058,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->geotag_count = count / 4 - 1; av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n"); } - if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) { + if ( bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4 + || s->geotag_count == 0) { s->geotag_count = 0; return -1; } @@ -1068,6 +1097,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (s->geotags[i].count == 0 || s->geotags[i].offset + s->geotags[i].count > count) { av_log(s->avctx, AV_LOG_WARNING, "Invalid GeoTIFF key %d\n", s->geotags[i].key); + } else if (s->geotags[i].val) { + av_log(s->avctx, AV_LOG_WARNING, "Duplicate GeoTIFF key %d\n", s->geotags[i].key); } else { char *ap = doubles2str(&dp[s->geotags[i].offset], s->geotags[i].count, ", "); if (!ap) { @@ -1094,6 +1125,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) bytestream2_seek(&s->gb, pos + s->geotags[i].offset, SEEK_SET); if (bytestream2_get_bytes_left(&s->gb) < s->geotags[i].count) return AVERROR_INVALIDDATA; + if (s->geotags[i].val) + return AVERROR_INVALIDDATA; ap = av_malloc(s->geotags[i].count); if (!ap) { av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n"); @@ -1148,6 +1181,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) } } end: + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } bytestream2_seek(&s->gb, start, SEEK_SET); return 0; } @@ -1239,7 +1279,7 @@ static int decode_frame(AVCodecContext *avctx, avpkt->size - s->strippos); } - if (s->rps <= 0) { + if (s->rps <= 0 || s->rps % s->subsampling[1]) { av_log(avctx, AV_LOG_ERROR, "rps %d invalid\n", s->rps); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index 5a61f1aefa..1176968169 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c @@ -123,8 +123,8 @@ static void tnput(uint8_t **p, int n, const uint8_t *val, enum TiffTypes type, * @param count the number of values * @param ptr_val pointer to values */ -static void add_entry(TiffEncoderContext *s, enum TiffTags tag, - enum TiffTypes type, int count, const void *ptr_val) +static int add_entry(TiffEncoderContext *s, enum TiffTags tag, + enum TiffTypes type, int count, const void *ptr_val) { uint8_t *entries_ptr = s->entries + 12 * s->num_entries; @@ -138,19 +138,22 @@ static void add_entry(TiffEncoderContext *s, enum TiffTags tag, tnput(&entries_ptr, count, ptr_val, type, 0); } else { bytestream_put_le32(&entries_ptr, *s->buf - s->buf_start); - check_size(s, count * (int64_t)type_sizes2[type]); + if (check_size(s, count * (int64_t)type_sizes2[type])) + return AVERROR_INVALIDDATA; tnput(s->buf, count, ptr_val, type, 0); } s->num_entries++; + return 0; } -static void add_entry1(TiffEncoderContext *s, - enum TiffTags tag, enum TiffTypes type, int val) +static int add_entry1(TiffEncoderContext *s, + enum TiffTags tag, enum TiffTypes type, int val) { uint16_t w = val; uint32_t dw = val; - add_entry(s, tag, type, 1, type == TIFF_SHORT ? (void *)&w : (void *)&dw); + return add_entry(s, tag, type, 1, + type == TIFF_SHORT ? (void *)&w : (void *)&dw); } /** @@ -222,6 +225,20 @@ static void pack_yuv(TiffEncoderContext *s, const AVFrame *p, } } +#define ADD_ENTRY(s, tag, type, count, ptr_val) \ + do { \ + ret = add_entry(s, tag, type, count, ptr_val); \ + if (ret < 0) \ + goto fail; \ + } while(0); + +#define ADD_ENTRY1(s, tag, type, val) \ + do { \ + ret = add_entry1(s, tag, type, val); \ + if (ret < 0) \ + goto fail; \ + } while(0); + static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *pict, int *got_packet) { @@ -235,7 +252,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, int bytes_per_row; uint32_t res[2] = { s->dpi, 1 }; // image resolution (72/1) uint16_t bpp_tab[4]; - int ret = -1; + int ret = 0; int is_yuv = 0, alpha = 0; int shift_h, shift_v; int packet_size; @@ -305,7 +322,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, strips = (s->height - 1) / s->rps + 1; - packet_size = avctx->height * ((avctx->width * s->bpp + 7) >> 3) * 2 + + bytes_per_row = (((s->width - 1) / s->subsampling[0] + 1) * s->bpp * + s->subsampling[0] * s->subsampling[1] + 7) >> 3; + packet_size = avctx->height * bytes_per_row * 2 + avctx->height * 4 + FF_MIN_BUFFER_SIZE; if ((ret = ff_alloc_packet2(avctx, pkt, packet_size)) < 0) @@ -333,8 +352,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, goto fail; } - bytes_per_row = (((s->width - 1) / s->subsampling[0] + 1) * s->bpp * - s->subsampling[0] * s->subsampling[1] + 7) >> 3; if (is_yuv) { av_fast_padded_malloc(&s->yuv_line, &s->yuv_line_size, bytes_per_row); if (s->yuv_line == NULL) { @@ -421,23 +438,23 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, s->num_entries = 0; - add_entry1(s, TIFF_SUBFILE, TIFF_LONG, 0); - add_entry1(s, TIFF_WIDTH, TIFF_LONG, s->width); - add_entry1(s, TIFF_HEIGHT, TIFF_LONG, s->height); + ADD_ENTRY1(s, TIFF_SUBFILE, TIFF_LONG, 0); + ADD_ENTRY1(s, TIFF_WIDTH, TIFF_LONG, s->width); + ADD_ENTRY1(s, TIFF_HEIGHT, TIFF_LONG, s->height); if (s->bpp_tab_size) - add_entry(s, TIFF_BPP, TIFF_SHORT, s->bpp_tab_size, bpp_tab); + ADD_ENTRY(s, TIFF_BPP, TIFF_SHORT, s->bpp_tab_size, bpp_tab); - add_entry1(s, TIFF_COMPR, TIFF_SHORT, s->compr); - add_entry1(s, TIFF_PHOTOMETRIC, TIFF_SHORT, s->photometric_interpretation); - add_entry(s, TIFF_STRIP_OFFS, TIFF_LONG, strips, s->strip_offsets); + ADD_ENTRY1(s, TIFF_COMPR, TIFF_SHORT, s->compr); + ADD_ENTRY1(s, TIFF_PHOTOMETRIC, TIFF_SHORT, s->photometric_interpretation); + ADD_ENTRY(s, TIFF_STRIP_OFFS, TIFF_LONG, strips, s->strip_offsets); if (s->bpp_tab_size) - add_entry1(s, TIFF_SAMPLES_PER_PIXEL, TIFF_SHORT, s->bpp_tab_size); + ADD_ENTRY1(s, TIFF_SAMPLES_PER_PIXEL, TIFF_SHORT, s->bpp_tab_size); - add_entry1(s, TIFF_ROWSPERSTRIP, TIFF_LONG, s->rps); - add_entry(s, TIFF_STRIP_SIZE, TIFF_LONG, strips, s->strip_sizes); - add_entry(s, TIFF_XRES, TIFF_RATIONAL, 1, res); + ADD_ENTRY1(s, TIFF_ROWSPERSTRIP, TIFF_LONG, s->rps); + ADD_ENTRY(s, TIFF_STRIP_SIZE, TIFF_LONG, strips, s->strip_sizes); + ADD_ENTRY(s, TIFF_XRES, TIFF_RATIONAL, 1, res); if (avctx->sample_aspect_ratio.num > 0 && avctx->sample_aspect_ratio.den > 0) { AVRational y = av_mul_q(av_make_q(s->dpi, 1), @@ -445,11 +462,11 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, res[0] = y.num; res[1] = y.den; } - add_entry(s, TIFF_YRES, TIFF_RATIONAL, 1, res); - add_entry1(s, TIFF_RES_UNIT, TIFF_SHORT, 2); + ADD_ENTRY(s, TIFF_YRES, TIFF_RATIONAL, 1, res); + ADD_ENTRY1(s, TIFF_RES_UNIT, TIFF_SHORT, 2); if (!(avctx->flags & CODEC_FLAG_BITEXACT)) - add_entry(s, TIFF_SOFTWARE_NAME, TIFF_STRING, + ADD_ENTRY(s, TIFF_SOFTWARE_NAME, TIFF_STRING, strlen(LIBAVCODEC_IDENT) + 1, LIBAVCODEC_IDENT); if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { @@ -460,17 +477,17 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, pal[i + 256] = ((rgb >> 8) & 0xff) * 257; pal[i + 512] = (rgb & 0xff) * 257; } - add_entry(s, TIFF_PAL, TIFF_SHORT, 256 * 3, pal); + ADD_ENTRY(s, TIFF_PAL, TIFF_SHORT, 256 * 3, pal); } if (alpha) add_entry1(s,TIFF_EXTRASAMPLES, TIFF_SHORT, 2); if (is_yuv) { /** according to CCIR Recommendation 601.1 */ uint32_t refbw[12] = { 15, 1, 235, 1, 128, 1, 240, 1, 128, 1, 240, 1 }; - add_entry(s, TIFF_YCBCR_SUBSAMPLING, TIFF_SHORT, 2, s->subsampling); + ADD_ENTRY(s, TIFF_YCBCR_SUBSAMPLING, TIFF_SHORT, 2, s->subsampling); if (avctx->chroma_sample_location == AVCHROMA_LOC_TOPLEFT) add_entry1(s, TIFF_YCBCR_POSITIONING, TIFF_SHORT, 2); - add_entry(s, TIFF_REFERENCE_BW, TIFF_RATIONAL, 6, refbw); + ADD_ENTRY(s, TIFF_REFERENCE_BW, TIFF_RATIONAL, 6, refbw); } // write offset to dir bytestream_put_le32(&offset, ptr - pkt->data); diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 660ecf5413..cacf625236 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -177,10 +177,10 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) int lo, hi; lo = ydt[p1]; - lo += (lo << 5) + (lo << 10); + lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; - hi += (hi << 5) + (hi << 10); - return (lo + (hi << 16)) << 1; + hi += (hi * 32) + (hi * 1024); + return (lo + (hi * (1U << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -188,9 +188,9 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) int r, b, lo; b = cdt[p2]; - r = cdt[p1] << 10; + r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo << 16)) << 1; + return (lo + (lo * (1U << 16))) * 2; } #if HAVE_BIGENDIAN @@ -402,6 +402,10 @@ static int truemotion1_decode_header(TrueMotion1Context *s) new_pix_fmt = AV_PIX_FMT_RGB555; // RGB565 is supported as well s->w >>= width_shift; + if (s->w & 1) { + avpriv_request_sample(s->avctx, "Frame with odd width"); + return AVERROR_PATCHWELCOME; + } if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 18d7c1e685..9976dcbc75 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -271,7 +271,7 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) for (i = 0; i < d; i++) { v = get_bits_long(&ctx->gb, mb); if (v & (1 << (mb - 1))) - ctx->deltas[stream_id][i] = v - (1 << mb); + ctx->deltas[stream_id][i] = v - (1U << mb); else ctx->deltas[stream_id][i] = v; } @@ -456,7 +456,7 @@ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *de } } -static inline void tm2_high_chroma(int *data, int stride, int *last, int *CD, int *deltas) +static inline void tm2_high_chroma(int *data, int stride, int *last, unsigned *CD, int *deltas) { int i, j; for (j = 0; j < 2; j++) { @@ -906,7 +906,8 @@ static int decode_frame(AVCodecContext *avctx, buf_size - offset); if (t < 0) { int j = tm2_stream_order[i]; - memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); + if (l->tok_lens[j]) + memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); return t; } offset += t; diff --git a/libavcodec/tscc.c b/libavcodec/tscc.c index 628a6b3c36..1283ef6c57 100644 --- a/libavcodec/tscc.c +++ b/libavcodec/tscc.c @@ -99,11 +99,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, /* make the palette available on the way out */ if (c->avctx->pix_fmt == AV_PIX_FMT_PAL8) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(c->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } memcpy(frame->data[1], c->pal, AVPALETTE_SIZE); } diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 5fdbac8d44..1c4316b421 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -123,6 +123,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) TTAContext *s = avctx->priv_data; GetBitContext gb; int total_frames; + int ret; s->avctx = avctx; @@ -131,7 +132,10 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) return AVERROR_INVALIDDATA; s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); - init_get_bits8(&gb, avctx->extradata, avctx->extradata_size); + ret = init_get_bits8(&gb, avctx->extradata, avctx->extradata_size); + if (ret < 0) + return ret; + if (show_bits_long(&gb, 32) == AV_RL32("TTA1")) { /* signature */ skip_bits_long(&gb, 32); diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c index ccd41a90c9..37624a9c62 100644 --- a/libavcodec/ttaenc.c +++ b/libavcodec/ttaenc.c @@ -114,9 +114,12 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, { TTAEncContext *s = avctx->priv_data; PutBitContext pb; - int ret, i, out_bytes, cur_chan = 0, res = 0, samples = 0; + int ret, i, out_bytes, cur_chan, res, samples; + int64_t pkt_size = frame->nb_samples * 2LL * avctx->channels * s->bps; - if ((ret = ff_alloc_packet2(avctx, avpkt, frame->nb_samples * 2 * avctx->channels * s->bps)) < 0) +pkt_alloc: + cur_chan = 0, res = 0, samples = 0; + if ((ret = ff_alloc_packet2(avctx, avpkt, pkt_size)) < 0) return ret; init_put_bits(&pb, avpkt->data, avpkt->size); @@ -174,6 +177,14 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, rice->k1++; unary = 1 + (outval >> k); + if (unary + 100LL > put_bits_left(&pb)) { + if (pkt_size < INT_MAX/2) { + pkt_size *= 2; + av_packet_unref(avpkt); + goto pkt_alloc; + } else + return AVERROR(ENOMEM); + } do { if (unary > 31) { put_bits(&pb, 31, 0x7FFFFFFF); diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 397819297d..01438cabf1 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -66,6 +66,9 @@ #include "compat/os2threads.h" #endif +#include "libavutil/ffversion.h" +const char av_codec_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + #if HAVE_PTHREADS || HAVE_W32THREADS || HAVE_OS2THREADS static int default_lockmgr_cb(void **arg, enum AVLockOp op) { @@ -243,7 +246,7 @@ int ff_set_sar(AVCodecContext *avctx, AVRational sar) int ret = av_image_check_sar(avctx->width, avctx->height, sar); if (ret < 0) { - av_log(avctx, AV_LOG_WARNING, "ignoring invalid SAR: %u/%u\n", + av_log(avctx, AV_LOG_WARNING, "ignoring invalid SAR: %d/%d\n", sar.num, sar.den); avctx->sample_aspect_ratio = (AVRational){ 0, 1 }; return ret; @@ -279,6 +282,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int i; int w_align = 1; int h_align = 1; + AVPixFmtDescriptor const *desc = av_pix_fmt_desc_get(s->pix_fmt); + + if (desc) { + w_align = 1 << desc->log2_chroma_w; + h_align = 1 << desc->log2_chroma_h; + } switch (s->pix_fmt) { case AV_PIX_FMT_YUV420P: @@ -365,7 +374,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_YUVJ411P: case AV_PIX_FMT_UYYVYY411: w_align = 32; - h_align = 8; + h_align = 16 * 2; break; case AV_PIX_FMT_YUV410P: if (s->codec_id == AV_CODEC_ID_SVQ1) { @@ -378,6 +387,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_PAL8: case AV_PIX_FMT_BGR8: @@ -387,6 +400,11 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_JV || + s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || @@ -402,8 +420,6 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } break; default: - w_align = 1; - h_align = 1; break; } @@ -413,10 +429,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); - if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) + if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) { // some of the optimized chroma MC reads one line too much // which is also done in mpeg decoders with lowres > 0 *height += 2; + *width = FFMAX(*width, 32); + } for (i = 0; i < 4; i++) linesize_align[i] = STRIDE_ALIGN; @@ -1025,8 +1043,10 @@ end: int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags) { int ret = get_buffer_internal(avctx, frame, flags); - if (ret < 0) + if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + frame->width = frame->height = 0; + } return ret; } @@ -1101,6 +1121,7 @@ int avcodec_default_execute(AVCodecContext *c, int (*func)(AVCodecContext *c2, v if (ret) ret[i] = r; } + emms_c(); return 0; } @@ -1113,6 +1134,7 @@ int avcodec_default_execute2(AVCodecContext *c, int (*func)(AVCodecContext *c2, if (ret) ret[i] = r; } + emms_c(); return 0; } @@ -2452,7 +2474,7 @@ int attribute_align_arg avcodec_decode_audio4(AVCodecContext *avctx, avctx->internal->skip_samples); discard_padding = AV_RL32(side + 4); } - if (avctx->internal->skip_samples && *got_frame_ptr) { + if (avctx->internal->skip_samples > 0 && *got_frame_ptr) { if(frame->nb_samples <= avctx->internal->skip_samples){ *got_frame_ptr = 0; avctx->internal->skip_samples -= frame->nb_samples; @@ -2947,8 +2969,8 @@ void avcodec_string(char *buf, int buf_size, AVCodecContext *enc, int encode) enc->width, enc->height); if (enc->sample_aspect_ratio.num) { av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den, - enc->width * enc->sample_aspect_ratio.num, - enc->height * enc->sample_aspect_ratio.den, + enc->width * (int64_t)enc->sample_aspect_ratio.num, + enc->height * (int64_t)enc->sample_aspect_ratio.den, 1024 * 1024); snprintf(buf + strlen(buf), buf_size - strlen(buf), " [SAR %d:%d DAR %d:%d]", @@ -2957,6 +2979,8 @@ void avcodec_string(char *buf, int buf_size, AVCodecContext *enc, int encode) } if (av_log_get_level() >= AV_LOG_DEBUG) { int g = av_gcd(enc->time_base.num, enc->time_base.den); + if (!g) + g = 1; snprintf(buf + strlen(buf), buf_size - strlen(buf), ", %d/%d", enc->time_base.num / g, enc->time_base.den / g); @@ -3248,7 +3272,7 @@ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) return frame_bytes * 8 / bps; } - if (ch > 0) { + if (ch > 0 && ch < INT_MAX/16) { /* calc from frame_bytes and channels */ switch (id) { case AV_CODEC_ID_ADPCM_AFC: @@ -3602,6 +3626,11 @@ int avpriv_bprint_to_extradata(AVCodecContext *avctx, struct AVBPrint *buf) ret = av_bprint_finalize(buf, &str); if (ret < 0) return ret; + if (!av_bprint_is_complete(buf)) { + av_free(str); + return AVERROR(ENOMEM); + } + avctx->extradata = str; /* Note: the string is NUL terminated (so extradata can be read as a * string), but the ending character is not accounted in the size (in diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index afd56ea1bd..abf550b081 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -214,6 +214,8 @@ static void restore_median(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride; // first line - left neighbour prediction @@ -224,7 +226,7 @@ static void restore_median(uint8_t *src, int step, int stride, A = bsrc[i]; } bsrc += stride; - if (slice_height == 1) + if (slice_height <= 1) continue; // second line - first element has top prediction, the rest uses median C = bsrc[-stride]; @@ -269,6 +271,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride; @@ -284,7 +288,7 @@ static void restore_median_il(uint8_t *src, int step, int stride, A = bsrc[stride + i]; } bsrc += stride2; - if (slice_height == 1) + if (slice_height <= 1) continue; // second line - first element has top prediction, the rest uses median C = bsrc[-stride2]; diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index cbd34d01fd..355fdb1b8d 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c @@ -389,7 +389,7 @@ static int write_huff_codes(uint8_t *src, uint8_t *dst, int dst_size, } static int encode_plane(AVCodecContext *avctx, uint8_t *src, - uint8_t *dst, int stride, + uint8_t *dst, int stride, int plane_no, int width, int height, PutByteContext *pb) { UtvideoContext *c = avctx->priv_data; @@ -399,6 +399,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, HuffEntry he[256]; uint32_t offset = 0, slice_len = 0; + const int cmask = ~(!plane_no && avctx->pix_fmt == AV_PIX_FMT_YUV420P); int i, sstart, send = 0; int symbol; int ret; @@ -408,7 +409,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, case PRED_NONE: for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; av_image_copy_plane(dst + sstart * width, width, src + sstart * stride, stride, width, send - sstart); @@ -417,7 +418,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, case PRED_LEFT: for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; left_predict(src + sstart * stride, dst + sstart * width, stride, width, send - sstart); } @@ -425,7 +426,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, case PRED_MEDIAN: for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; median_predict(c, src + sstart * stride, dst + sstart * width, stride, width, send - sstart); } @@ -489,7 +490,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, send = 0; for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; /* * Write the huffman codes to a buffer, @@ -571,7 +572,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_RGBA: for (i = 0; i < c->planes; i++) { ret = encode_plane(avctx, c->slice_buffer[i] + 2 * c->slice_stride, - c->slice_buffer[i], c->slice_stride, + c->slice_buffer[i], c->slice_stride, i, width, height, &pb); if (ret) { @@ -583,7 +584,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_YUV422P: for (i = 0; i < c->planes; i++) { ret = encode_plane(avctx, pic->data[i], c->slice_buffer[0], - pic->linesize[i], width >> !!i, height, &pb); + pic->linesize[i], i, width >> !!i, height, &pb); if (ret) { av_log(avctx, AV_LOG_ERROR, "Error encoding plane %d.\n", i); @@ -594,7 +595,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_YUV420P: for (i = 0; i < c->planes; i++) { ret = encode_plane(avctx, pic->data[i], c->slice_buffer[0], - pic->linesize[i], width >> !!i, height >> !!i, + pic->linesize[i], i, width >> !!i, height >> !!i, &pb); if (ret) { diff --git a/libavcodec/vaapi.c b/libavcodec/vaapi.c index db4d29dbbc..15531e46bd 100644 --- a/libavcodec/vaapi.c +++ b/libavcodec/vaapi.c @@ -197,4 +197,30 @@ void ff_vaapi_common_end_frame(AVCodecContext *avctx) vactx->slice_params_alloc = 0; } +#if CONFIG_H263_VAAPI_HWACCEL || CONFIG_MPEG1_VAAPI_HWACCEL || \ + CONFIG_MPEG2_VAAPI_HWACCEL || CONFIG_MPEG4_VAAPI_HWACCEL || \ + CONFIG_VC1_VAAPI_HWACCEL || CONFIG_WMV3_VAAPI_HWACCEL +int ff_vaapi_mpeg_end_frame(AVCodecContext *avctx) +{ + struct vaapi_context * const vactx = avctx->hwaccel_context; + MpegEncContext *s = avctx->priv_data; + int ret; + + ret = ff_vaapi_commit_slices(vactx); + if (ret < 0) + goto finish; + + ret = ff_vaapi_render_picture(vactx, + ff_vaapi_get_surface_id(s->current_picture_ptr->f)); + if (ret < 0) + goto finish; + + ff_mpeg_draw_horiz_band(s, 0, s->avctx->height); + +finish: + ff_vaapi_common_end_frame(avctx); + return ret; +} +#endif + /* @} */ diff --git a/libavcodec/vaapi_mpeg.c b/libavcodec/vaapi_mpeg.c deleted file mode 100644 index 63879e5fe4..0000000000 --- a/libavcodec/vaapi_mpeg.c +++ /dev/null @@ -1,48 +0,0 @@ -/* - * Video Acceleration API (video decoding) - * HW decode acceleration for MPEG-2, MPEG-4, H.264 and VC-1 - * - * Copyright (C) 2013 Anton Khirnov - * - * This file is part of FFmpeg. - * - * FFmpeg is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * FFmpeg is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with FFmpeg; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - */ - -#include "avcodec.h" -#include "vaapi_internal.h" - -int ff_vaapi_mpeg_end_frame(AVCodecContext *avctx) -{ - struct vaapi_context * const vactx = avctx->hwaccel_context; - MpegEncContext *s = avctx->priv_data; - int ret; - - ret = ff_vaapi_commit_slices(vactx); - if (ret < 0) - goto finish; - - ret = ff_vaapi_render_picture(vactx, - ff_vaapi_get_surface_id(s->current_picture_ptr->f)); - if (ret < 0) - goto finish; - - ff_mpeg_draw_horiz_band(s, 0, s->avctx->height); - -finish: - ff_vaapi_common_end_frame(avctx); - return ret; -} - diff --git a/libavcodec/vb.c b/libavcodec/vb.c index 3c89a2986e..7bb0515eec 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -205,6 +205,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (flags & VB_HAS_GMC) { i = (int16_t)bytestream2_get_le16(&c->stream); j = (int16_t)bytestream2_get_le16(&c->stream); + if (FFABS(j) > avctx->height) { + av_log(avctx, AV_LOG_ERROR, "GMV out of range\n"); + return AVERROR_INVALIDDATA; + } offset = i + j * avctx->width; } if (flags & VB_HAS_VIDEO) { diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index a25c3d955c..0790bd6ecf 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5669,7 +5669,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) count = avctx->extradata_size*8 - get_bits_count(&gb); if (count > 0) { av_log(avctx, AV_LOG_INFO, "Extra data: %i bits left, value: %X\n", - count, get_bits(&gb, count)); + count, get_bits_long(&gb, FFMIN(count, 32))); } else if (count < 0) { av_log(avctx, AV_LOG_INFO, "Read %i bits in overflow\n", -count); } diff --git a/libavcodec/vmdvideo.c b/libavcodec/vmdvideo.c index fa0fbe32d4..a2ba1c959b 100644 --- a/libavcodec/vmdvideo.c +++ b/libavcodec/vmdvideo.c @@ -339,6 +339,9 @@ static int vmd_decode(VmdVideoContext *s, AVFrame *frame) ofs += slen; bytestream2_skip(&gb, len); } else { + if (ofs + len > frame_width || + bytestream2_get_bytes_left(&gb) < len) + return AVERROR_INVALIDDATA; bytestream2_get_buffer(&gb, &dp[ofs], len); ofs += len; } diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 46bd52ee26..71b3c1d3e0 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -374,6 +374,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, w = bytestream2_get_be16(gb); h = bytestream2_get_be16(gb); enc = bytestream2_get_be32(gb); + if ((dx + w > c->width) || (dy + h > c->height)) { + av_log(avctx, AV_LOG_ERROR, + "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", + w, h, dx, dy, c->width, c->height); + return AVERROR_INVALIDDATA; + } outptr = c->pic->data[0] + dx * c->bpp2 + dy * c->pic->linesize[0]; size_left = bytestream2_get_bytes_left(gb); switch (enc) { @@ -451,12 +457,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(gb, 2); break; case 0x00000000: // raw rectangle data - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } if (size_left < w * h * c->bpp2) { av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", @@ -467,12 +467,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->pic->linesize[0]); break; case 0x00000005: // HexTile encoded rectangle - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } res = decode_hextile(c, outptr, gb, w, h, c->pic->linesize[0]); if (res < 0) return res; diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 86d10407f4..80d5198c62 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -73,7 +73,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) if (bits[p] > 32) return AVERROR_INVALIDDATA; for (i = 0; i < bits[p]; ++i) - exit_at_level[i+1] = 1 << i; + exit_at_level[i+1] = 1u << i; #ifdef DEBUG av_log(NULL, AV_LOG_INFO, " %u. of %u code len %d code %d - ", p, num, bits[p], codes[p]); @@ -105,7 +105,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) exit_at_level[i] = 0; // construct code (append 0s to end) and introduce new exits for (j = i + 1 ;j <= bits[p]; ++j) - exit_at_level[j] = code + (1 << (j - 1)); + exit_at_level[j] = code + (1u << (j - 1)); codes[p] = code; #ifdef DEBUG diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 87d1bbb97a..0ef4701c1e 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -567,6 +567,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) return AVERROR(ENOMEM); rangebits = get_bits(gb, 4); + if (!rangebits && floor_setup->data.t1.partitions) { + av_log(vc->avctx, AV_LOG_ERROR, + "A rangebits value of 0 is not compliant with the Vorbis I specification.\n"); + return AVERROR_INVALIDDATA; + } rangemax = (1 << rangebits); if (rangemax > vc->blocksize[1] / 2) { av_log(vc->avctx, AV_LOG_ERROR, @@ -783,6 +788,11 @@ static int vorbis_parse_setup_hdr_mappings(vorbis_context *vc) if (get_bits1(gb)) { mapping_setup->coupling_steps = get_bits(gb, 8) + 1; + if (vc->audio_channels < 2) { + av_log(vc->avctx, AV_LOG_ERROR, + "Square polar channel mapping with less than two channels is not compliant with the Vorbis I specification.\n"); + return AVERROR_INVALIDDATA; + } mapping_setup->magnitude = av_mallocz(mapping_setup->coupling_steps * sizeof(*mapping_setup->magnitude)); mapping_setup->angle = av_mallocz(mapping_setup->coupling_steps * @@ -1314,12 +1324,14 @@ static av_always_inline int setup_classifs(vorbis_context *vc, vorbis_residue *vr, uint8_t *do_not_decode, unsigned ch_used, - int partition_count) + int partition_count, + int ptns_to_read + ) { int p, j, i; unsigned c_p_c = vc->codebooks[vr->classbook].dimensions; unsigned inverse_class = ff_inverse[vr->classifications]; - unsigned temp, temp2; + int temp, temp2; for (p = 0, j = 0; j < ch_used; ++j) { if (!do_not_decode[j]) { temp = get_vlc2(&vc->gb, vc->codebooks[vr->classbook].vlc.table, @@ -1327,30 +1339,25 @@ static av_always_inline int setup_classifs(vorbis_context *vc, av_dlog(NULL, "Classword: %u\n", temp); - if ((int)temp < 0) - return temp; + av_assert0(temp < 65536); + + if (temp < 0) { + av_log(vc->avctx, AV_LOG_ERROR, + "Invalid vlc code decoding %d channel.", j); + return AVERROR_INVALIDDATA; + } av_assert0(vr->classifications > 1); //needed for inverse[] - if (temp <= 65536) { - for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { - temp2 = (((uint64_t)temp) * inverse_class) >> 32; + for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { + temp2 = (((uint64_t)temp) * inverse_class) >> 32; - if (i < vr->ptns_to_read) - vr->classifs[p + i] = temp - temp2 * vr->classifications; - temp = temp2; - } - } else { - for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { - temp2 = temp / vr->classifications; - - if (i < vr->ptns_to_read) - vr->classifs[p + i] = temp - temp2 * vr->classifications; - temp = temp2; - } + if (i < ptns_to_read) + vr->classifs[p + i] = temp - temp2 * vr->classifications; + temp = temp2; } } - p += vr->ptns_to_read; + p += ptns_to_read; } return 0; } @@ -1403,8 +1410,8 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, voffset = vr->begin; for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error if (!pass) { - int ret; - if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count)) < 0) + int ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count, ptns_to_read); + if (ret < 0) return ret; } for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) { diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 4a72d0dbbd..8bd23e9c24 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -131,7 +131,7 @@ static const uint8_t hilbert_offset[16][2] = { typedef struct Vp3DecodeContext { AVCodecContext *avctx; - int theora, theora_tables; + int theora, theora_tables, theora_header; int version; int width, height; int chroma_x_shift, chroma_y_shift; @@ -206,8 +206,8 @@ typedef struct Vp3DecodeContext { int16_t *dct_tokens[3][64]; int16_t *dct_tokens_base; #define TOKEN_EOB(eob_run) ((eob_run) << 2) -#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) << 9) + ((zero_run) << 2) + 1) -#define TOKEN_COEFF(coeff) (((coeff) << 2) + 2) +#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) * 512) + ((zero_run) << 2) + 1) +#define TOKEN_COEFF(coeff) (((coeff) * 4) + 2) /** * number of blocks that contain DCT coefficients at @@ -1068,6 +1068,9 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->dct_tokens[0][0] = s->dct_tokens_base; + if (get_bits_left(gb) < 16) + return AVERROR_INVALIDDATA; + /* fetch the DC table indexes */ dc_y_table = get_bits(gb, 4); dc_c_table = get_bits(gb, 4); @@ -1077,6 +1080,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) 0, residual_eob_run); if (residual_eob_run < 0) return residual_eob_run; + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -1099,6 +1104,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->fragment_width[1], s->fragment_height[1]); } + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* fetch the AC table indexes */ ac_y_table = get_bits(gb, 4); ac_c_table = get_bits(gb, 4); @@ -2010,18 +2017,22 @@ static int vp3_decode_frame(AVCodecContext *avctx, vp3_decode_end(avctx); ret = theora_decode_header(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); - return ret; + return ret; + } + return buf_size; } else if (type == 2) { ret = theora_decode_tables(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); - return ret; + return ret; + } + return buf_size; } av_log(avctx, AV_LOG_ERROR, @@ -2238,6 +2249,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); @@ -2297,7 +2309,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) return AVERROR_INVALIDDATA; } skip_bits(gb, 3); /* reserved */ - } + } else + avctx->pix_fmt = AV_PIX_FMT_YUV420P; // align_get_bits(gb); @@ -2320,6 +2333,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) avctx->color_trc = AVCOL_TRC_BT709; } + s->theora_header = 1; return 0; } @@ -2328,6 +2342,9 @@ static int theora_decode_tables(AVCodecContext *avctx, GetBitContext *gb) Vp3DecodeContext *s = avctx->priv_data; int i, n, matrices, inter, plane; + if (!s->theora_header) + return AVERROR_INVALIDDATA; + if (s->theora >= 0x030200) { n = get_bits(gb, 3); /* loop filter limit values table */ diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c index d8a3e0a354..37997431d3 100644 --- a/libavcodec/vp3dsp.c +++ b/libavcodec/vp3dsp.c @@ -41,7 +41,7 @@ #define xC6S2 25080 #define xC7S1 12785 -#define M(a, b) (((a) * (b)) >> 16) +#define M(a, b) ((int)((SUINT)(a) * (b)) >> 16) static av_always_inline void idct(uint8_t *dst, int stride, int16_t *input, int type) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 1923d6335c..7aba484f9c 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -39,8 +39,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { VP56RangeCoder *c = &s->c; int rows, cols; + int ret; - ff_vp56_init_range_decoder(&s->c, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->c, buf, buf_size); + if (ret < 0) + return ret; s->frames[VP56_FRAME_CURRENT]->key_frame = !vp56_rac_get(c); vp56_rac_get(c); ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); @@ -171,7 +174,7 @@ static int vp5_parse_coeff_models(VP56Context *s) return 0; } -static void vp5_parse_coeff(VP56Context *s) +static int vp5_parse_coeff(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -181,6 +184,11 @@ static void vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end <= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ @@ -246,6 +254,7 @@ static void vp5_parse_coeff(VP56Context *s) s->coeff_ctx[ff_vp56_b6to4[b]][i] = 5; s->above_blocks[s->above_block_idx[b]].not_null_dc = s->coeff_ctx[ff_vp56_b6to4[b]][0]; } + return 0; } static void vp5_default_models_init(VP56Context *s) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index ba39b56436..32f0082551 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -261,6 +261,25 @@ static VP56mb vp56_decode_mv(VP56Context *s, int row, int col) return s->mb_type; } +static VP56mb vp56_conceal_mv(VP56Context *s, int row, int col) +{ + VP56mv *mv, vect = {0,0}; + int b; + + s->mb_type = VP56_MB_INTER_NOVEC_PF; + s->macroblocks[row * s->mb_width + col].type = s->mb_type; + + mv = &vect; + + s->macroblocks[row*s->mb_width + col].mv = *mv; + + /* same vector for all blocks */ + for (b=0; b<6; b++) + s->mv[b] = *mv; + + return s->mb_type; +} + static void vp56_add_predictors_dc(VP56Context *s, VP56Frame ref_frame) { int idx = s->idct_scantable[0]; @@ -381,20 +400,11 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src, } } -static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static av_always_inline void vp56_render_mb(VP56Context *s, int row, int col, int is_alpha, VP56mb mb_type) { - AVFrame *frame_current, *frame_ref; - VP56mb mb_type; - VP56Frame ref_frame; int b, ab, b_max, plane, off; - - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - mb_type = VP56_MB_INTRA; - else - mb_type = vp56_decode_mv(s, row, col); - ref_frame = ff_vp56_reference_frame[mb_type]; - - s->parse_coeff(s); + AVFrame *frame_current, *frame_ref; + VP56Frame ref_frame = ff_vp56_reference_frame[mb_type]; vp56_add_predictors_dc(s, ref_frame); @@ -453,6 +463,39 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) } } +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + int ret; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_decode_mv(s, row, col); + + ret = s->parse_coeff(s); + if (ret < 0) + return ret; + + vp56_render_mb(s, row, col, is_alpha, mb_type); + + return 0; +} + +static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_conceal_mv(s, row, col); + + vp56_render_mb(s, row, col, is_alpha, mb_type); + + return 0; +} + static int vp56_size_changed(VP56Context *s) { AVCodecContext *avctx = s->avctx; @@ -464,6 +507,8 @@ static int vp56_size_changed(VP56Context *s) s->plane_height[0] = s->plane_height[3] = avctx->coded_height; s->plane_height[1] = s->plane_height[2] = avctx->coded_height/2; + s->have_undamaged_frame = 0; + for (i=0; i<4; i++) s->stride[i] = s->flip * s->frames[VP56_FRAME_CURRENT]->linesize[i]; @@ -568,8 +613,12 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } + s->discard_frame = 0; avctx->execute2(avctx, ff_vp56_decode_mbs, 0, 0, (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) + 1); + if (s->discard_frame) + return AVERROR_INVALIDDATA; + if ((res = av_frame_ref(data, p)) < 0) return res; *got_frame = 1; @@ -588,6 +637,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, int block, y, uv; ptrdiff_t stride_y, stride_uv; int res; + int damaged = 0; if (p->key_frame) { p->pict_type = AV_PICTURE_TYPE_I; @@ -652,7 +702,18 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_colmb_width; mb_col++) { - vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (!damaged) { + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) { + damaged = 1; + if (!s->have_undamaged_frame || !avctx->error_concealment) { + s->discard_frame = 1; + return AVERROR_INVALIDDATA; + } + } + } + if (damaged) + vp56_conceal_mb(s, mb_row, mb_col, is_alpha); for (y=0; y<4; y++) { s->above_block_idx[y] += 2; @@ -666,6 +727,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, } } + if (!damaged) + s->have_undamaged_frame = 1; + next: if (p->key_frame || s->golden_frame) { av_frame_unref(s->frames[VP56_FRAME_GOLDEN]); diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 56c30919b7..c049399df8 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -74,7 +74,7 @@ typedef void (*VP56ParseVectorAdjustment)(VP56Context *s, typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, int offset1, int offset2, int stride, VP56mv mv, int mask, int select, int luma); -typedef void (*VP56ParseCoeff)(VP56Context *s); +typedef int (*VP56ParseCoeff)(VP56Context *s); typedef void (*VP56DefaultModelsInit)(VP56Context *s); typedef void (*VP56ParseVectorModels)(VP56Context *s); typedef int (*VP56ParseCoeffModels)(VP56Context *s); @@ -203,6 +203,9 @@ struct vp56_context { VLC runv_vlc[2]; VLC ract_vlc[2][3][6]; unsigned int nb_null[2][2]; /* number of consecutive NULL DC/AC */ + + int have_undamaged_frame; + int discard_frame; }; @@ -221,7 +224,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, */ extern const uint8_t ff_vp56_norm_shift[256]; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) { diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c index 6061b7ee72..e70302bf85 100644 --- a/libavcodec/vp56rac.c +++ b/libavcodec/vp56rac.c @@ -37,11 +37,14 @@ const uint8_t ff_vp56_norm_shift[256]= { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, }; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) { c->high = 255; c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + if (buf_size < 1) + return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); + return 0; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index a18b8ff523..320fb97804 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -40,8 +40,8 @@ #define VP6_MAX_HUFF_SIZE 12 -static void vp6_parse_coeff(VP56Context *s); -static void vp6_parse_coeff_huffman(VP56Context *s); +static int vp6_parse_coeff(VP56Context *s); +static int vp6_parse_coeff_huffman(VP56Context *s); static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { @@ -52,6 +52,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) int sub_version; int rows, cols; int res = 0; + int ret; int separated_coeff = buf[0] & 1; s->frames[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80); @@ -93,7 +94,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) s->avctx->coded_width = 16 * cols; s->avctx->coded_height = 16 * rows; } else { - int ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); + ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); if (ret < 0) return ret; @@ -105,7 +106,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) res = VP56_SIZE_CHANGE; } - ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + if (ret < 0) + goto fail; vp56_rac_gets(c, 2); parse_filter_info = s->filter_header; @@ -122,7 +125,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += 2; buf_size -= 2; } - ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + if (ret < 0) + return ret; s->golden_frame = vp56_rac_get(c); if (s->filter_header) { @@ -157,15 +162,16 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += coeff_offset; buf_size -= coeff_offset; if (buf_size < 0) { - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - ff_set_dimensions(s->avctx, 0, 0); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); } else { - ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + if (ret < 0) + goto fail; s->ccp = &s->cc; } } else { @@ -173,6 +179,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) } return res; +fail: + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(s->avctx, 0, 0); + return ret; } static void vp6_coeff_order_table_init(VP56Context *s) @@ -380,7 +390,7 @@ static unsigned vp6_get_nb_null(VP56Context *s) return val; } -static void vp6_parse_coeff_huffman(VP56Context *s) +static int vp6_parse_coeff_huffman(VP56Context *s) { VP56Model *model = s->modelp; uint8_t *permute = s->idct_scantable; @@ -402,7 +412,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) break; } else { if (get_bits_left(&s->gb) <= 0) - return; + return AVERROR_INVALIDDATA; coeff = get_vlc2(&s->gb, vlc_coeff->table, FF_HUFFMAN_BITS, 3); if (coeff == 0) { if (coeff_idx) { @@ -437,9 +447,10 @@ static void vp6_parse_coeff_huffman(VP56Context *s) vlc_coeff = &s->ract_vlc[pt][ct][cg]; } } + return 0; } -static void vp6_parse_coeff(VP56Context *s) +static int vp6_parse_coeff(VP56Context *s) { VP56RangeCoder *c = s->ccp; VP56Model *model = s->modelp; @@ -449,6 +460,11 @@ static void vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end <= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ int run = 1; @@ -512,6 +528,7 @@ static void vp6_parse_coeff(VP56Context *s) s->left_block[ff_vp56_b6to4[b]].not_null_dc = s->above_blocks[s->above_block_idx[b]].not_null_dc = !!s->block_coeff[b][0]; } + return 0; } static int vp6_block_variance(uint8_t *src, int stride) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index d72fb57311..5c71ef2959 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -164,7 +164,7 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) s->mb_height = (s->avctx->coded_height + 15) / 16; s->mb_layout = is_vp7 || avctx->active_thread_type == FF_THREAD_SLICE && - FFMIN(s->num_coeff_partitions, avctx->thread_count) > 1; + avctx->thread_count > 1; if (!s->mb_layout) { // Frame threading and one thread s->macroblocks_base = av_mallocz((s->mb_width + s->mb_height * 2 + 1) * sizeof(*s->macroblocks)); @@ -254,6 +254,7 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) { const uint8_t *sizes = buf; int i; + int ret; s->num_coeff_partitions = 1 << vp8_rac_get_uint(&s->c, 2); @@ -267,13 +268,13 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) if (buf_size - size < 0) return -1; - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + if (ret < 0) + return ret; buf += size; buf_size -= size; } - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); - - return 0; + return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); } static void vp7_get_quants(VP8Context *s) @@ -507,7 +508,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab)); - ff_vp56_init_range_decoder(c, buf, part1_size); + ret = ff_vp56_init_range_decoder(c, buf, part1_size); + if (ret < 0) + return ret; buf += part1_size; buf_size -= part1_size; @@ -559,7 +562,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->lf_delta.enabled = 0; s->num_coeff_partitions = 1; - ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + if (ret < 0) + return ret; if (!s->macroblocks_base || /* first frame */ width != s->avctx->width || height != s->avctx->height || @@ -633,6 +638,11 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si int width = s->avctx->width; int height = s->avctx->height; + if (buf_size < 3) { + av_log(s->avctx, AV_LOG_ERROR, "Insufficent data (%d) for header\n", buf_size); + return AVERROR_INVALIDDATA; + } + s->keyframe = !(buf[0] & 1); s->profile = (buf[0]>>1) & 7; s->invisible = !(buf[0] & 0x10); @@ -683,7 +693,9 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memset(&s->lf_delta, 0, sizeof(s->lf_delta)); } - ff_vp56_init_range_decoder(c, buf, header_size); + ret = ff_vp56_init_range_decoder(c, buf, header_size); + if (ret < 0) + return ret; buf += header_size; buf_size -= header_size; @@ -750,8 +762,10 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si static av_always_inline void clamp_mv(VP8Context *s, VP56mv *dst, const VP56mv *src) { - dst->x = av_clip(src->x, s->mv_min.x, s->mv_max.x); - dst->y = av_clip(src->y, s->mv_min.y, s->mv_max.y); + dst->x = av_clip(src->x, av_clip(s->mv_min.x, INT16_MIN, INT16_MAX), + av_clip(s->mv_max.x, INT16_MIN, INT16_MAX)); + dst->y = av_clip(src->y, av_clip(s->mv_min.y, INT16_MIN, INT16_MAX), + av_clip(s->mv_max.y, INT16_MIN, INT16_MAX)); } /** @@ -1915,8 +1929,8 @@ void inter_predict(VP8Context *s, VP8ThreadData *td, uint8_t *dst[3], mb->bmv[2 * y * 4 + 2 * x + 1].y + mb->bmv[(2 * y + 1) * 4 + 2 * x ].y + mb->bmv[(2 * y + 1) * 4 + 2 * x + 1].y; - uvmv.x = (uvmv.x + 2 + (uvmv.x >> (INT_BIT - 1))) >> 2; - uvmv.y = (uvmv.y + 2 + (uvmv.y >> (INT_BIT - 1))) >> 2; + uvmv.x = (uvmv.x + 2 + FF_SIGNBIT(uvmv.x)) >> 2; + uvmv.y = (uvmv.y + 2 + FF_SIGNBIT(uvmv.y)) >> 2; if (s->profile == 3) { uvmv.x &= ~7; uvmv.y &= ~7; @@ -2256,7 +2270,7 @@ static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame, #define update_pos(td, mb_y, mb_x) #endif -static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr, int is_vp7) { VP8Context *s = avctx->priv_data; @@ -2272,6 +2286,10 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void curframe->tf.f->data[1] + 8 * mb_y * s->uvlinesize, curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; + + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; + if (mb_y == 0) prev_td = td; else @@ -2300,6 +2318,8 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { if (threadnr != 0) { @@ -2375,18 +2395,19 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void update_pos(td, mb_y, mb_x); } } + return 0; } -static void vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); } -static void vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); } static av_always_inline void filter_mb_row(AVCodecContext *avctx, void *tdata, @@ -2469,13 +2490,16 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, VP8ThreadData *next_td = NULL, *prev_td = NULL; VP8Frame *curframe = s->curframe; int mb_y, num_jobs = s->num_jobs; + int ret; td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { - if (mb_y >= s->mb_height) - break; td->thread_mb_pos = mb_y << 16; - s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + if (ret < 0) { + update_pos(td, s->mb_height, INT_MAX & 0xFFFF); + return ret; + } if (s->deblock_filter) s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); @@ -2512,6 +2536,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, enum AVDiscard skip_thresh; VP8Frame *av_uninit(curframe), *prev_frame; + av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P); + if (is_vp7) ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size); else @@ -2673,6 +2699,9 @@ av_cold int ff_vp8_decode_free(AVCodecContext *avctx) VP8Context *s = avctx->priv_data; int i; + if (!s) + return 0; + vp8_decode_flush_impl(avctx, 1); for (i = 0; i < FF_ARRAY_ELEMS(s->frames); i++) av_frame_free(&s->frames[i].tf.f); diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h index 83729c8b92..4f0ad2fcd0 100644 --- a/libavcodec/vp8.h +++ b/libavcodec/vp8.h @@ -134,6 +134,11 @@ typedef struct VP8Frame { AVBufferRef *seg_map; } VP8Frame; +typedef struct VP8intmv { + int x; + int y; +} VP8intmv; + #define MAX_THREADS 8 typedef struct VP8Context { VP8ThreadData *thread_data; @@ -152,8 +157,8 @@ typedef struct VP8Context { uint8_t deblock_filter; uint8_t mbskip_enabled; uint8_t profile; - VP56mv mv_min; - VP56mv mv_max; + VP8intmv mv_min; + VP8intmv mv_max; int8_t sign_bias[4]; ///< one state [0, 1] per ref frame type int ref_count[3]; @@ -274,7 +279,7 @@ typedef struct VP8Context { */ int mb_layout; - void (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); + int (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); void (*filter_mb_row)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); int vp7; diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index e1a91bb8c6..f56c84befe 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -53,7 +53,8 @@ static void name ## _idct_dc_add4y_c(uint8_t *dst, int16_t block[4][16], \ #if CONFIG_VP7_DECODER static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -61,10 +62,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) b1 = (dc[i * 4 + 0] - dc[i * 4 + 2]) * 23170; c1 = dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274; d1 = dc[i * 4 + 1] * 30274 + dc[i * 4 + 3] * 12540; - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { @@ -73,10 +74,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; AV_ZERO64(dc + i * 4); - block[0][i][0] = (a1 + d1 + 0x20000) >> 18; - block[3][i][0] = (a1 - d1 + 0x20000) >> 18; - block[1][i][0] = (b1 + c1 + 0x20000) >> 18; - block[2][i][0] = (b1 - c1 + 0x20000) >> 18; + block[0][i][0] = (int)(a1 + d1 + 0x20000) >> 18; + block[3][i][0] = (int)(a1 - d1 + 0x20000) >> 18; + block[1][i][0] = (int)(b1 + c1 + 0x20000) >> 18; + block[2][i][0] = (int)(b1 - c1 + 0x20000) >> 18; } } @@ -95,7 +96,8 @@ static void vp7_luma_dc_wht_dc_c(int16_t block[4][4][16], int16_t dc[16]) static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -104,10 +106,10 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274; d1 = block[i * 4 + 1] * 30274 + block[i * 4 + 3] * 12540; AV_ZERO64(block + i * 4); - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { @@ -116,13 +118,13 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; dst[0 * stride + i] = av_clip_uint8(dst[0 * stride + i] + - ((a1 + d1 + 0x20000) >> 18)); + ((int)(a1 + d1 + 0x20000) >> 18)); dst[3 * stride + i] = av_clip_uint8(dst[3 * stride + i] + - ((a1 - d1 + 0x20000) >> 18)); + ((int)(a1 - d1 + 0x20000) >> 18)); dst[1 * stride + i] = av_clip_uint8(dst[1 * stride + i] + - ((b1 + c1 + 0x20000) >> 18)); + ((int)(b1 + c1 + 0x20000) >> 18)); dst[2 * stride + i] = av_clip_uint8(dst[2 * stride + i] + - ((b1 - c1 + 0x20000) >> 18)); + ((int)(b1 - c1 + 0x20000) >> 18)); } } diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 31725e6f84..0157d7b73c 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -239,7 +239,7 @@ typedef struct VP9Context { // whole-frame cache uint8_t *intra_pred_data[3]; struct VP9Filter *lflvl; - DECLARE_ALIGNED(32, uint8_t, edge_emu_buffer)[71*80]; + DECLARE_ALIGNED(32, uint8_t, edge_emu_buffer)[135*144]; // block reconstruction intermediates int block_alloc_using_2pass; @@ -248,6 +248,8 @@ typedef struct VP9Context { struct { int x, y; } min_mv, max_mv; DECLARE_ALIGNED(32, uint8_t, tmp_y)[64*64]; DECLARE_ALIGNED(32, uint8_t, tmp_uv)[2][32*32]; + uint16_t mvscale[3][2]; + uint8_t mvstep[3][2]; } VP9Context; static const uint8_t bwh_tab[2][N_BS_SIZES][2] = { @@ -278,7 +280,8 @@ static int vp9_alloc_frame(AVCodecContext *ctx, VP9Frame *f) // retain segmentation map if it doesn't update if (s->segmentation.enabled && !s->segmentation.update_map && - !s->intraonly && !s->keyframe && !s->errorres) { + !s->intraonly && !s->keyframe && !s->errorres && + ctx->active_thread_type != FF_THREAD_FRAME) { memcpy(f->segmentation_map, s->frames[LAST_FRAME].segmentation_map, sz); } @@ -408,7 +411,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m) // differential forward probability updates static int update_prob(VP56RangeCoder *c, int p) { - static const int inv_map_table[254] = { + static const int inv_map_table[255] = { 7, 20, 33, 46, 59, 72, 85, 98, 111, 124, 137, 150, 163, 176, 189, 202, 215, 228, 241, 254, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 22, 23, 24, @@ -427,7 +430,7 @@ static int update_prob(VP56RangeCoder *c, int p) 207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, - 252, 253, + 252, 253, 253, }; int d; @@ -457,6 +460,7 @@ static int update_prob(VP56RangeCoder *c, int p) if (d >= 65) d = (d << 1) - 65 + vp8_rac_get(c); d += 64; + av_assert2(d < FF_ARRAY_ELEMS(inv_map_table)); } return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) : @@ -580,6 +584,26 @@ static int decode_frame_header(AVCodecContext *ctx, s->varcompref[1] = 2; } } + + for (i = 0; i < 3; i++) { + AVFrame *ref = s->refs[s->refidx[i]].f; + int refw = ref->width, refh = ref->height; + + if (refw == w && refh == h) { + s->mvscale[i][0] = s->mvscale[i][1] = 0; + } else { + if (w * 2 < refw || h * 2 < refh || w > 16 * refw || h > 16 * refh) { + av_log(ctx, AV_LOG_ERROR, + "Invalid ref frame dimensions %dx%d for frame size %dx%d\n", + refw, refh, w, h); + return AVERROR_INVALIDDATA; + } + s->mvscale[i][0] = (refw << 14) / w; + s->mvscale[i][1] = (refh << 14) / h; + s->mvstep[i][0] = 16 * s->mvscale[i][0] >> 14; + s->mvstep[i][1] = 16 * s->mvscale[i][1] >> 14; + } + } } } s->refreshctx = s->errorres ? 0 : get_bits1(&s->gb); @@ -747,7 +771,10 @@ static int decode_frame_header(AVCodecContext *ctx, av_log(ctx, AV_LOG_ERROR, "Invalid compressed header size\n"); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c, data2, size2); + res = ff_vp56_init_range_decoder(&s->c, data2, size2); + if (res < 0) + return res; + if (vp56_rac_get_prob_branchy(&s->c, 128)) { // marker bit av_log(ctx, AV_LOG_ERROR, "Marker bit was set\n"); return AVERROR_INVALIDDATA; @@ -1350,9 +1377,18 @@ static void decode_mode(AVCodecContext *ctx) if (!s->last_uses_2pass) ff_thread_await_progress(&s->frames[LAST_FRAME].tf, row >> 3, 0); - for (y = 0; y < h4; y++) + for (y = 0; y < h4; y++) { + int idx_base = (y + row) * 8 * s->sb_cols + col; for (x = 0; x < w4; x++) - pred = FFMIN(pred, refsegmap[(y + row) * 8 * s->sb_cols + x + col]); + pred = FFMIN(pred, refsegmap[idx_base + x]); + if (!s->segmentation.update_map && ctx->active_thread_type == FF_THREAD_FRAME) { + // FIXME maybe retain reference to previous frame as + // segmap reference instead of copying the whole map + // into a new buffer + memcpy(&s->frames[CUR_FRAME].segmentation_map[idx_base], + &refsegmap[idx_base], w4); + } + } av_assert1(pred < 8); b->seg_id = pred; } else { @@ -2495,7 +2531,7 @@ static void intra_recon(AVCodecContext *ctx, ptrdiff_t y_off, ptrdiff_t uv_off) for (x = 0; x < end_x; x += uvstep1d, ptr += 4 * uvstep1d, ptr_r += 4 * uvstep1d, n += step) { int mode = b->uvmode; - uint8_t *a = &a_buf[16]; + uint8_t *a = &a_buf[32]; int eob = b->skip ? 0 : b->uvtx > TX_8X8 ? AV_RN16A(&s->uveob[p][n]) : s->uveob[p][n]; mode = check_intra_mode(s, mode, &a, ptr_r, @@ -2513,12 +2549,118 @@ static void intra_recon(AVCodecContext *ctx, ptrdiff_t y_off, ptrdiff_t uv_off) } } -static av_always_inline void mc_luma_dir(VP9Context *s, vp9_mc_func (*mc)[2], - uint8_t *dst, ptrdiff_t dst_stride, - const uint8_t *ref, ptrdiff_t ref_stride, - ThreadFrame *ref_frame, - ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, - int bw, int bh, int w, int h) +static av_always_inline void mc_luma_scaled(VP9Context *s, vp9_scaled_mc_func smc, + uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *ref, ptrdiff_t ref_stride, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h, + const uint16_t *scale, const uint8_t *step) +{ +#define scale_mv(n, dim) (((int64_t)n * scale[dim]) >> 14) + // BUG libvpx seems to scale the two components separately. This introduces + // rounding errors but we have to reproduce them to be exactly compatible + // with the output from libvpx... + int mx = scale_mv(mv->x * 2, 0) + scale_mv(x * 16, 0); + int my = scale_mv(mv->y * 2, 1) + scale_mv(y * 16, 1); + int refbw_m1, refbh_m1; + int th; + + y = my >> 4; + x = mx >> 4; + ref += y * ref_stride + x; + mx &= 15; + my &= 15; + refbw_m1 = ((bw - 1) * step[0] + mx) >> 4; + refbh_m1 = ((bh - 1) * step[1] + my) >> 4; + // FIXME bilinear filter only needs 0/1 pixels, not 3/4 + // we use +7 because the last 7 pixels of each sbrow can be changed in + // the longest loopfilter of the next sbrow + th = (y + refbh_m1 + 4 + 7) >> 6; + ff_thread_await_progress(ref_frame, FFMAX(th, 0), 0); + if (x < 3 || y < 3 || x + 4 >= w - refbw_m1 || y + 4 >= h - refbh_m1) { + s->vdsp.emulated_edge_mc(s->edge_emu_buffer, + ref - 3 * ref_stride - 3, + 144, ref_stride, + refbw_m1 + 8, refbh_m1 + 8, + x - 3, y - 3, w, h); + ref = s->edge_emu_buffer + 3 * 144 + 3; + ref_stride = 144; + } + smc(dst, dst_stride, ref, ref_stride, bh, mx, my, step[0], step[1]); +} + +static av_always_inline void mc_chroma_scaled(VP9Context *s, vp9_scaled_mc_func smc, + uint8_t *dst_u, uint8_t *dst_v, + ptrdiff_t dst_stride, + const uint8_t *ref_u, ptrdiff_t src_stride_u, + const uint8_t *ref_v, ptrdiff_t src_stride_v, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h, + const uint16_t *scale, const uint8_t *step) +{ + // BUG https://code.google.com/p/webm/issues/detail?id=820 + int mx = scale_mv(mv->x, 0) + (scale_mv(x * 16, 0) & ~15) + (scale_mv(x * 32, 0) & 15); + int my = scale_mv(mv->y, 1) + (scale_mv(y * 16, 1) & ~15) + (scale_mv(y * 32, 1) & 15); +#undef scale_mv + int refbw_m1, refbh_m1; + int th; + + y = my >> 4; + x = mx >> 4; + ref_u += y * src_stride_u + x; + ref_v += y * src_stride_v + x; + mx &= 15; + my &= 15; + refbw_m1 = ((bw - 1) * step[0] + mx) >> 4; + refbh_m1 = ((bh - 1) * step[1] + my) >> 4; + // FIXME bilinear filter only needs 0/1 pixels, not 3/4 + // we use +7 because the last 7 pixels of each sbrow can be changed in + // the longest loopfilter of the next sbrow + th = (y + refbh_m1 + 4 + 7) >> 5; + ff_thread_await_progress(ref_frame, FFMAX(th, 0), 0); + if (x < 3 || y < 3 || x + 4 >= w - refbw_m1 || y + 4 >= h - refbh_m1) { + s->vdsp.emulated_edge_mc(s->edge_emu_buffer, + ref_u - 3 * src_stride_u - 3, + 144, src_stride_u, + refbw_m1 + 8, refbh_m1 + 8, + x - 3, y - 3, w, h); + ref_u = s->edge_emu_buffer + 3 * 144 + 3; + smc(dst_u, dst_stride, ref_u, 144, bh, mx, my, step[0], step[1]); + + s->vdsp.emulated_edge_mc(s->edge_emu_buffer, + ref_v - 3 * src_stride_v - 3, + 144, src_stride_v, + refbw_m1 + 8, refbh_m1 + 8, + x - 3, y - 3, w, h); + ref_v = s->edge_emu_buffer + 3 * 144 + 3; + smc(dst_v, dst_stride, ref_v, 144, bh, mx, my, step[0], step[1]); + } else { + smc(dst_u, dst_stride, ref_u, src_stride_u, bh, mx, my, step[0], step[1]); + smc(dst_v, dst_stride, ref_v, src_stride_v, bh, mx, my, step[0], step[1]); + } +} + +#define FN(x) x##_scaled +#define mc_luma_dir(s, mc, dst, dst_ls, src, src_ls, tref, row, col, mv, bw, bh, w, h, i) \ + mc_luma_scaled(s, s->dsp.s##mc, dst, dst_ls, src, src_ls, tref, row, col, \ + mv, bw, bh, w, h, s->mvscale[b->ref[i]], s->mvstep[b->ref[i]]) +#define mc_chroma_dir(s, mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h, i) \ + mc_chroma_scaled(s, s->dsp.s##mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h, s->mvscale[b->ref[i]], s->mvstep[b->ref[i]]) +#include "vp9_mc_template.c" +#undef mc_luma_dir +#undef mc_chroma_dir +#undef FN + +static av_always_inline void mc_luma_unscaled(VP9Context *s, vp9_mc_func (*mc)[2], + uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *ref, ptrdiff_t ref_stride, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h) { int mx = mv->x, my = mv->y, th; @@ -2545,14 +2687,14 @@ static av_always_inline void mc_luma_dir(VP9Context *s, vp9_mc_func (*mc)[2], mc[!!mx][!!my](dst, dst_stride, ref, ref_stride, bh, mx << 1, my << 1); } -static av_always_inline void mc_chroma_dir(VP9Context *s, vp9_mc_func (*mc)[2], - uint8_t *dst_u, uint8_t *dst_v, - ptrdiff_t dst_stride, - const uint8_t *ref_u, ptrdiff_t src_stride_u, - const uint8_t *ref_v, ptrdiff_t src_stride_v, - ThreadFrame *ref_frame, - ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, - int bw, int bh, int w, int h) +static av_always_inline void mc_chroma_unscaled(VP9Context *s, vp9_mc_func (*mc)[2], + uint8_t *dst_u, uint8_t *dst_v, + ptrdiff_t dst_stride, + const uint8_t *ref_u, ptrdiff_t src_stride_u, + const uint8_t *ref_v, ptrdiff_t src_stride_v, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h) { int mx = mv->x, my = mv->y, th; @@ -2590,156 +2732,32 @@ static av_always_inline void mc_chroma_dir(VP9Context *s, vp9_mc_func (*mc)[2], } } +#define FN(x) x +#define mc_luma_dir(s, mc, dst, dst_ls, src, src_ls, tref, row, col, mv, bw, bh, w, h, i) \ + mc_luma_unscaled(s, s->dsp.mc, dst, dst_ls, src, src_ls, tref, row, col, \ + mv, bw, bh, w, h) +#define mc_chroma_dir(s, mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h, i) \ + mc_chroma_unscaled(s, s->dsp.mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h) +#include "vp9_mc_template.c" +#undef mc_luma_dir_dir +#undef mc_chroma_dir_dir +#undef FN + static void inter_recon(AVCodecContext *ctx) { - static const uint8_t bwlog_tab[2][N_BS_SIZES] = { - { 0, 0, 1, 1, 1, 2, 2, 2, 3, 3, 3, 4, 4 }, - { 1, 1, 2, 2, 2, 3, 3, 3, 4, 4, 4, 4, 4 }, - }; VP9Context *s = ctx->priv_data; VP9Block *b = s->b; int row = s->row, col = s->col; - ThreadFrame *tref1 = &s->refs[s->refidx[b->ref[0]]], *tref2; - AVFrame *ref1 = tref1->f, *ref2; - int w1 = ref1->width, h1 = ref1->height, w2, h2; - ptrdiff_t ls_y = s->y_stride, ls_uv = s->uv_stride; - if (b->comp) { - tref2 = &s->refs[s->refidx[b->ref[1]]]; - ref2 = tref2->f; - w2 = ref2->width; - h2 = ref2->height; - } - - // y inter pred - if (b->bs > BS_8x8) { - if (b->bs == BS_8x4) { - mc_luma_dir(s, s->dsp.mc[3][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0], 8, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[3][b->filter][0], - s->dst[0] + 4 * ls_y, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - (row << 3) + 4, col << 3, &b->mv[2][0], 8, 4, w1, h1); - - if (b->comp) { - mc_luma_dir(s, s->dsp.mc[3][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], 8, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[3][b->filter][1], - s->dst[0] + 4 * ls_y, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - (row << 3) + 4, col << 3, &b->mv[2][1], 8, 4, w2, h2); - } - } else if (b->bs == BS_4x8) { - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0], 4, 8, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0] + 4, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, (col << 3) + 4, &b->mv[1][0], 4, 8, w1, h1); - - if (b->comp) { - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], 4, 8, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0] + 4, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, (col << 3) + 4, &b->mv[1][1], 4, 8, w2, h2); - } - } else { - av_assert2(b->bs == BS_4x4); - - // FIXME if two horizontally adjacent blocks have the same MV, - // do a w8 instead of a w4 call - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0], 4, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0] + 4, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, (col << 3) + 4, &b->mv[1][0], 4, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], - s->dst[0] + 4 * ls_y, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - (row << 3) + 4, col << 3, &b->mv[2][0], 4, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], - s->dst[0] + 4 * ls_y + 4, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - (row << 3) + 4, (col << 3) + 4, &b->mv[3][0], 4, 4, w1, h1); - - if (b->comp) { - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], 4, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0] + 4, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, (col << 3) + 4, &b->mv[1][1], 4, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], - s->dst[0] + 4 * ls_y, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - (row << 3) + 4, col << 3, &b->mv[2][1], 4, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], - s->dst[0] + 4 * ls_y + 4, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - (row << 3) + 4, (col << 3) + 4, &b->mv[3][1], 4, 4, w2, h2); - } - } + if (s->mvscale[b->ref[0]][0] || (b->comp && s->mvscale[b->ref[1]][0])) { + inter_pred_scaled(ctx); } else { - int bwl = bwlog_tab[0][b->bs]; - int bw = bwh_tab[0][b->bs][0] * 4, bh = bwh_tab[0][b->bs][1] * 4; - - mc_luma_dir(s, s->dsp.mc[bwl][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0],bw, bh, w1, h1); - - if (b->comp) - mc_luma_dir(s, s->dsp.mc[bwl][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], bw, bh, w2, h2); + inter_pred(ctx); } - - // uv inter pred - { - int bwl = bwlog_tab[1][b->bs]; - int bw = bwh_tab[1][b->bs][0] * 4, bh = bwh_tab[1][b->bs][1] * 4; - VP56mv mvuv; - - w1 = (w1 + 1) >> 1; - h1 = (h1 + 1) >> 1; - if (b->comp) { - w2 = (w2 + 1) >> 1; - h2 = (h2 + 1) >> 1; - } - if (b->bs > BS_8x8) { - mvuv.x = ROUNDED_DIV(b->mv[0][0].x + b->mv[1][0].x + b->mv[2][0].x + b->mv[3][0].x, 4); - mvuv.y = ROUNDED_DIV(b->mv[0][0].y + b->mv[1][0].y + b->mv[2][0].y + b->mv[3][0].y, 4); - } else { - mvuv = b->mv[0][0]; - } - - mc_chroma_dir(s, s->dsp.mc[bwl][b->filter][0], - s->dst[1], s->dst[2], ls_uv, - ref1->data[1], ref1->linesize[1], - ref1->data[2], ref1->linesize[2], tref1, - row << 2, col << 2, &mvuv, bw, bh, w1, h1); - - if (b->comp) { - if (b->bs > BS_8x8) { - mvuv.x = ROUNDED_DIV(b->mv[0][1].x + b->mv[1][1].x + b->mv[2][1].x + b->mv[3][1].x, 4); - mvuv.y = ROUNDED_DIV(b->mv[0][1].y + b->mv[1][1].y + b->mv[2][1].y + b->mv[3][1].y, 4); - } else { - mvuv = b->mv[0][1]; - } - mc_chroma_dir(s, s->dsp.mc[bwl][b->filter][1], - s->dst[1], s->dst[2], ls_uv, - ref2->data[1], ref2->linesize[1], - ref2->data[2], ref2->linesize[2], tref2, - row << 2, col << 2, &mvuv, bw, bh, w2, h2); - } - } - if (!b->skip) { - /* mostly copied intra_reconn() */ + /* mostly copied intra_recon() */ int w4 = bwh_tab[1][b->bs][0] << 1, step1d = 1 << b->tx, n; int h4 = bwh_tab[1][b->bs][1] << 1, x, y, step = 1 << (b->tx * 2); @@ -3462,11 +3480,10 @@ static av_always_inline void adapt_prob(uint8_t *p, unsigned ct0, unsigned ct1, if (!ct) return; + update_factor = FASTDIV(update_factor * FFMIN(ct, max_count), max_count); p1 = *p; - p2 = ((ct0 << 8) + (ct >> 1)) / ct; + p2 = ((((int64_t) ct0) << 8) + (ct >> 1)) / ct; p2 = av_clip(p2, 1, 255); - ct = FFMIN(ct, max_count); - update_factor = FASTDIV(update_factor * ct, max_count); // (p1 * (256 - update_factor) + p2 * update_factor + 128) >> 8 *p = p1 + (((p2 - p1) * update_factor + 128) >> 8); @@ -3747,7 +3764,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, if ((res = av_frame_ref(frame, s->refs[ref].f)) < 0) return res; *got_frame = 1; - return 0; + return pkt->size; } data += res; size -= res; @@ -3831,7 +3848,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, tile_row, s->tiling.log2_tile_rows, s->sb_rows); if (s->pass != 2) { for (tile_col = 0; tile_col < s->tiling.tile_cols; tile_col++) { - unsigned tile_size; + int64_t tile_size; if (tile_col == s->tiling.tile_cols - 1 && tile_row == s->tiling.tile_rows - 1) { @@ -3845,7 +3862,9 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, ff_thread_report_progress(&s->frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + res = ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + if (res < 0) + return res; if (vp56_rac_get_prob_branchy(&s->c_b[tile_col], 128)) { // marker bit ff_thread_report_progress(&s->frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; @@ -3957,7 +3976,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, *got_frame = 1; } - return 0; + return pkt->size; } static void vp9_decode_flush(AVCodecContext *ctx) diff --git a/libavcodec/vp9_mc_template.c b/libavcodec/vp9_mc_template.c new file mode 100644 index 0000000000..c6ae432e26 --- /dev/null +++ b/libavcodec/vp9_mc_template.c @@ -0,0 +1,171 @@ +/* + * VP9 compatible video decoder + * + * Copyright (C) 2013 Ronald S. Bultje + * Copyright (C) 2013 Clément Bœsch + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +static void FN(inter_pred)(AVCodecContext *ctx) +{ + static const uint8_t bwlog_tab[2][N_BS_SIZES] = { + { 0, 0, 1, 1, 1, 2, 2, 2, 3, 3, 3, 4, 4 }, + { 1, 1, 2, 2, 2, 3, 3, 3, 4, 4, 4, 4, 4 }, + }; + VP9Context *s = ctx->priv_data; + VP9Block *b = s->b; + int row = s->row, col = s->col; + ThreadFrame *tref1 = &s->refs[s->refidx[b->ref[0]]], *tref2; + AVFrame *ref1 = tref1->f, *ref2; + int w1 = ref1->width, h1 = ref1->height, w2, h2; + ptrdiff_t ls_y = s->y_stride, ls_uv = s->uv_stride; + + if (b->comp) { + tref2 = &s->refs[s->refidx[b->ref[1]]]; + ref2 = tref2->f; + w2 = ref2->width; + h2 = ref2->height; + } + + // y inter pred + if (b->bs > BS_8x8) { + if (b->bs == BS_8x4) { + mc_luma_dir(s, mc[3][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0], 8, 4, w1, h1, 0); + mc_luma_dir(s, mc[3][b->filter][0], + s->dst[0] + 4 * ls_y, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + (row << 3) + 4, col << 3, &b->mv[2][0], 8, 4, w1, h1, 0); + + if (b->comp) { + mc_luma_dir(s, mc[3][b->filter][1], s->dst[0], ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], 8, 4, w2, h2, 1); + mc_luma_dir(s, mc[3][b->filter][1], + s->dst[0] + 4 * ls_y, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + (row << 3) + 4, col << 3, &b->mv[2][1], 8, 4, w2, h2, 1); + } + } else if (b->bs == BS_4x8) { + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0], 4, 8, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0] + 4, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, (col << 3) + 4, &b->mv[1][0], 4, 8, w1, h1, 0); + + if (b->comp) { + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0], ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], 4, 8, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0] + 4, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, (col << 3) + 4, &b->mv[1][1], 4, 8, w2, h2, 1); + } + } else { + av_assert2(b->bs == BS_4x4); + + // FIXME if two horizontally adjacent blocks have the same MV, + // do a w8 instead of a w4 call + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0], 4, 4, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0] + 4, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, (col << 3) + 4, &b->mv[1][0], 4, 4, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], + s->dst[0] + 4 * ls_y, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + (row << 3) + 4, col << 3, &b->mv[2][0], 4, 4, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], + s->dst[0] + 4 * ls_y + 4, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + (row << 3) + 4, (col << 3) + 4, &b->mv[3][0], 4, 4, w1, h1, 0); + + if (b->comp) { + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0], ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], 4, 4, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0] + 4, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, (col << 3) + 4, &b->mv[1][1], 4, 4, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], + s->dst[0] + 4 * ls_y, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + (row << 3) + 4, col << 3, &b->mv[2][1], 4, 4, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], + s->dst[0] + 4 * ls_y + 4, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + (row << 3) + 4, (col << 3) + 4, &b->mv[3][1], 4, 4, w2, h2, 1); + } + } + } else { + int bwl = bwlog_tab[0][b->bs]; + int bw = bwh_tab[0][b->bs][0] * 4, bh = bwh_tab[0][b->bs][1] * 4; + + mc_luma_dir(s, mc[bwl][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0],bw, bh, w1, h1, 0); + + if (b->comp) + mc_luma_dir(s, mc[bwl][b->filter][1], s->dst[0], ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], bw, bh, w2, h2, 1); + } + + // uv inter pred + { + int bwl = bwlog_tab[1][b->bs]; + int bw = bwh_tab[1][b->bs][0] * 4, bh = bwh_tab[1][b->bs][1] * 4; + VP56mv mvuv; + + w1 = (w1 + 1) >> 1; + h1 = (h1 + 1) >> 1; + if (b->comp) { + w2 = (w2 + 1) >> 1; + h2 = (h2 + 1) >> 1; + } + if (b->bs > BS_8x8) { + mvuv.x = ROUNDED_DIV(b->mv[0][0].x + b->mv[1][0].x + b->mv[2][0].x + b->mv[3][0].x, 4); + mvuv.y = ROUNDED_DIV(b->mv[0][0].y + b->mv[1][0].y + b->mv[2][0].y + b->mv[3][0].y, 4); + } else { + mvuv = b->mv[0][0]; + } + + mc_chroma_dir(s, mc[bwl][b->filter][0], + s->dst[1], s->dst[2], ls_uv, + ref1->data[1], ref1->linesize[1], + ref1->data[2], ref1->linesize[2], tref1, + row << 2, col << 2, &mvuv, bw, bh, w1, h1, 0); + + if (b->comp) { + if (b->bs > BS_8x8) { + mvuv.x = ROUNDED_DIV(b->mv[0][1].x + b->mv[1][1].x + b->mv[2][1].x + b->mv[3][1].x, 4); + mvuv.y = ROUNDED_DIV(b->mv[0][1].y + b->mv[1][1].y + b->mv[2][1].y + b->mv[3][1].y, 4); + } else { + mvuv = b->mv[0][1]; + } + mc_chroma_dir(s, mc[bwl][b->filter][1], + s->dst[1], s->dst[2], ls_uv, + ref2->data[1], ref2->linesize[1], + ref2->data[2], ref2->linesize[2], tref2, + row << 2, col << 2, &mvuv, bw, bh, w2, h2, 1); + } + } +} diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c index af033c25e6..8e55d2593e 100644 --- a/libavcodec/vp9_parser.c +++ b/libavcodec/vp9_parser.c @@ -1,5 +1,8 @@ /* - * Copyright (C) 2008 Michael Niedermayer + * VP9 compatible video decoder + * + * Copyright (C) 2013 Ronald S. Bultje + * Copyright (C) 2013 Clément Bœsch * * This file is part of FFmpeg. * @@ -43,6 +46,7 @@ static int parse(AVCodecParserContext *ctx, const uint8_t *data, int size) { VP9ParseContext *s = ctx->priv_data; + int full_size = size; int marker; if (size <= 0) { @@ -77,10 +81,12 @@ static int parse(AVCodecParserContext *ctx, idx += a; \ if (sz > size) { \ s->n_frames = 0; \ + *out_size = size; \ + *out_data = data; \ av_log(avctx, AV_LOG_ERROR, \ "Superframe packet size too big: %u > %d\n", \ sz, size); \ - return size; \ + return full_size; \ } \ if (first) { \ first = 0; \ diff --git a/libavcodec/vp9dsp.c b/libavcodec/vp9dsp.c index 6356adde32..95b7eb5c71 100644 --- a/libavcodec/vp9dsp.c +++ b/libavcodec/vp9dsp.c @@ -1707,8 +1707,9 @@ copy_avg_fn(4) #undef fpel_fn #undef copy_avg_fn -static const int8_t vp9_subpel_filters[3][15][8] = { +static const int16_t vp9_subpel_filters[3][16][8] = { [FILTER_8TAP_REGULAR] = { + { 0, 0, 0, 128, 0, 0, 0, 0 }, { 0, 1, -5, 126, 8, -3, 1, 0 }, { -1, 3, -10, 122, 18, -6, 2, 0 }, { -1, 4, -13, 118, 27, -9, 3, -1 }, @@ -1725,6 +1726,7 @@ static const int8_t vp9_subpel_filters[3][15][8] = { { 0, 2, -6, 18, 122, -10, 3, -1 }, { 0, 1, -3, 8, 126, -5, 1, 0 }, }, [FILTER_8TAP_SHARP] = { + { 0, 0, 0, 128, 0, 0, 0, 0 }, { -1, 3, -7, 127, 8, -3, 1, 0 }, { -2, 5, -13, 125, 17, -6, 3, -1 }, { -3, 7, -17, 121, 27, -10, 5, -2 }, @@ -1741,6 +1743,7 @@ static const int8_t vp9_subpel_filters[3][15][8] = { { -1, 3, -6, 17, 125, -13, 5, -2 }, { 0, 1, -3, 8, 127, -7, 3, -1 }, }, [FILTER_8TAP_SMOOTH] = { + { 0, 0, 0, 128, 0, 0, 0, 0 }, { -3, -1, 32, 64, 38, 1, -3, 0 }, { -2, -2, 29, 63, 41, 2, -3, 0 }, { -2, -2, 26, 63, 43, 4, -4, 0 }, @@ -1772,7 +1775,7 @@ static const int8_t vp9_subpel_filters[3][15][8] = { static av_always_inline void do_8tap_1d_c(uint8_t *dst, ptrdiff_t dst_stride, const uint8_t *src, ptrdiff_t src_stride, int w, int h, ptrdiff_t ds, - const int8_t *filter, int avg) + const int16_t *filter, int avg) { do { int x; @@ -1792,7 +1795,7 @@ static av_always_inline void do_8tap_1d_c(uint8_t *dst, ptrdiff_t dst_stride, #define filter_8tap_1d_fn(opn, opa, dir, ds) \ static av_noinline void opn##_8tap_1d_##dir##_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ - int w, int h, const int8_t *filter) \ + int w, int h, const int16_t *filter) \ { \ do_8tap_1d_c(dst, dst_stride, src, src_stride, w, h, ds, filter, opa); \ } @@ -1806,8 +1809,8 @@ filter_8tap_1d_fn(avg, 1, h, 1) static av_always_inline void do_8tap_2d_c(uint8_t *dst, ptrdiff_t dst_stride, const uint8_t *src, ptrdiff_t src_stride, - int w, int h, const int8_t *filterx, - const int8_t *filtery, int avg) + int w, int h, const int16_t *filterx, + const int16_t *filtery, int avg) { int tmp_h = h + 7; uint8_t tmp[64 * 71], *tmp_ptr = tmp; @@ -1842,8 +1845,8 @@ static av_always_inline void do_8tap_2d_c(uint8_t *dst, ptrdiff_t dst_stride, #define filter_8tap_2d_fn(opn, opa) \ static av_noinline void opn##_8tap_2d_hv_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ - int w, int h, const int8_t *filterx, \ - const int8_t *filtery) \ + int w, int h, const int16_t *filterx, \ + const int16_t *filtery) \ { \ do_8tap_2d_c(dst, dst_stride, src, src_stride, w, h, filterx, filtery, opa); \ } @@ -1853,15 +1856,13 @@ filter_8tap_2d_fn(avg, 1) #undef filter_8tap_2d_fn -#undef FILTER_8TAP - #define filter_fn_1d(sz, dir, dir_m, type, type_idx, avg) \ static void avg##_8tap_##type##_##sz##dir##_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ int h, int mx, int my) \ { \ avg##_8tap_1d_##dir##_c(dst, dst_stride, src, src_stride, sz, h, \ - vp9_subpel_filters[type_idx][dir_m - 1]); \ + vp9_subpel_filters[type_idx][dir_m]); \ } #define filter_fn_2d(sz, type, type_idx, avg) \ @@ -1870,8 +1871,8 @@ static void avg##_8tap_##type##_##sz##hv_c(uint8_t *dst, ptrdiff_t dst_stride, \ int h, int mx, int my) \ { \ avg##_8tap_2d_hv_c(dst, dst_stride, src, src_stride, sz, h, \ - vp9_subpel_filters[type_idx][mx - 1], \ - vp9_subpel_filters[type_idx][my - 1]); \ + vp9_subpel_filters[type_idx][mx], \ + vp9_subpel_filters[type_idx][my]); \ } #define FILTER_BILIN(src, x, mxy, stride) \ @@ -1957,8 +1958,6 @@ bilin_2d_fn(avg, 1) #undef bilin_2d_fn -#undef FILTER_BILIN - #define bilinf_fn_1d(sz, dir, dir_m, avg) \ static void avg##_bilin_##sz##dir##_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ @@ -2053,12 +2052,190 @@ static av_cold void vp9dsp_mc_init(VP9DSPContext *dsp) #undef init_subpel3 } +static av_always_inline void do_scaled_8tap_c(uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *src, ptrdiff_t src_stride, + int w, int h, int mx, int my, + int dx, int dy, int avg, + const int16_t (*filters)[8]) +{ + int tmp_h = (((h - 1) * dy + my) >> 4) + 8; + uint8_t tmp[64 * 135], *tmp_ptr = tmp; + + src -= src_stride * 3; + do { + int x; + int imx = mx, ioff = 0; + + for (x = 0; x < w; x++) { + tmp_ptr[x] = FILTER_8TAP(src, ioff, filters[imx], 1); + imx += dx; + ioff += imx >> 4; + imx &= 0xf; + } + + tmp_ptr += 64; + src += src_stride; + } while (--tmp_h); + + tmp_ptr = tmp + 64 * 3; + do { + int x; + const int16_t *filter = filters[my]; + + for (x = 0; x < w; x++) + if (avg) { + dst[x] = (dst[x] + FILTER_8TAP(tmp_ptr, x, filter, 64) + 1) >> 1; + } else { + dst[x] = FILTER_8TAP(tmp_ptr, x, filter, 64); + } + + my += dy; + tmp_ptr += (my >> 4) * 64; + my &= 0xf; + dst += dst_stride; + } while (--h); +} + +#define scaled_filter_8tap_fn(opn, opa) \ +static av_noinline void opn##_scaled_8tap_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int w, int h, int mx, int my, int dx, int dy, \ + const int16_t (*filters)[8]) \ +{ \ + do_scaled_8tap_c(dst, dst_stride, src, src_stride, w, h, mx, my, dx, dy, \ + opa, filters); \ +} + +scaled_filter_8tap_fn(put, 0) +scaled_filter_8tap_fn(avg, 1) + +#undef scaled_filter_8tap_fn + +#undef FILTER_8TAP + +#define scaled_filter_fn(sz, type, type_idx, avg) \ +static void avg##_scaled_##type##_##sz##_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int h, int mx, int my, int dx, int dy) \ +{ \ + avg##_scaled_8tap_c(dst, dst_stride, src, src_stride, sz, h, mx, my, dx, dy, \ + vp9_subpel_filters[type_idx]); \ +} + +static av_always_inline void do_scaled_bilin_c(uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *src, ptrdiff_t src_stride, + int w, int h, int mx, int my, + int dx, int dy, int avg) +{ + uint8_t tmp[64 * 129], *tmp_ptr = tmp; + int tmp_h = (((h - 1) * dy + my) >> 4) + 2; + + do { + int x; + int imx = mx, ioff = 0; + + for (x = 0; x < w; x++) { + tmp_ptr[x] = FILTER_BILIN(src, ioff, imx, 1); + imx += dx; + ioff += imx >> 4; + imx &= 0xf; + } + + tmp_ptr += 64; + src += src_stride; + } while (--tmp_h); + + tmp_ptr = tmp; + do { + int x; + + for (x = 0; x < w; x++) + if (avg) { + dst[x] = (dst[x] + FILTER_BILIN(tmp_ptr, x, my, 64) + 1) >> 1; + } else { + dst[x] = FILTER_BILIN(tmp_ptr, x, my, 64); + } + + my += dy; + tmp_ptr += (my >> 4) * 64; + my &= 0xf; + dst += dst_stride; + } while (--h); +} + +#define scaled_bilin_fn(opn, opa) \ +static av_noinline void opn##_scaled_bilin_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int w, int h, int mx, int my, int dx, int dy) \ +{ \ + do_scaled_bilin_c(dst, dst_stride, src, src_stride, w, h, mx, my, dx, dy, opa); \ +} + +scaled_bilin_fn(put, 0) +scaled_bilin_fn(avg, 1) + +#undef scaled_bilin_fn + +#undef FILTER_BILIN + +#define scaled_bilinf_fn(sz, avg) \ +static void avg##_scaled_bilin_##sz##_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int h, int mx, int my, int dx, int dy) \ +{ \ + avg##_scaled_bilin_c(dst, dst_stride, src, src_stride, sz, h, mx, my, dx, dy); \ +} + +#define scaled_filter_fns(sz, avg) \ +scaled_filter_fn(sz, regular, FILTER_8TAP_REGULAR, avg) \ +scaled_filter_fn(sz, smooth, FILTER_8TAP_SMOOTH, avg) \ +scaled_filter_fn(sz, sharp, FILTER_8TAP_SHARP, avg) \ +scaled_bilinf_fn(sz, avg) + +#define scaled_filter_fn_set(avg) \ +scaled_filter_fns(64, avg) \ +scaled_filter_fns(32, avg) \ +scaled_filter_fns(16, avg) \ +scaled_filter_fns(8, avg) \ +scaled_filter_fns(4, avg) + +scaled_filter_fn_set(put) +scaled_filter_fn_set(avg) + +#undef scaled_filter_fns +#undef scaled_filter_fn_set +#undef scaled_filter_fn +#undef scaled_bilinf_fn + +static av_cold void vp9dsp_scaled_mc_init(VP9DSPContext *dsp) +{ +#define init_scaled(idx1, idx2, sz, type) \ + dsp->smc[idx1][FILTER_8TAP_SMOOTH ][idx2] = type##_scaled_smooth_##sz##_c; \ + dsp->smc[idx1][FILTER_8TAP_REGULAR][idx2] = type##_scaled_regular_##sz##_c; \ + dsp->smc[idx1][FILTER_8TAP_SHARP ][idx2] = type##_scaled_sharp_##sz##_c; \ + dsp->smc[idx1][FILTER_BILINEAR ][idx2] = type##_scaled_bilin_##sz##_c + +#define init_scaled_put_avg(idx, sz) \ + init_scaled(idx, 0, sz, put); \ + init_scaled(idx, 1, sz, avg) + + init_scaled_put_avg(0, 64); + init_scaled_put_avg(1, 32); + init_scaled_put_avg(2, 16); + init_scaled_put_avg(3, 8); + init_scaled_put_avg(4, 4); + +#undef init_scaled_put_avg +#undef init_scaled +} + av_cold void ff_vp9dsp_init(VP9DSPContext *dsp) { vp9dsp_intrapred_init(dsp); vp9dsp_itxfm_init(dsp); vp9dsp_loopfilter_init(dsp); vp9dsp_mc_init(dsp); + vp9dsp_scaled_mc_init(dsp); if (ARCH_X86) ff_vp9dsp_init_x86(dsp); } diff --git a/libavcodec/vp9dsp.h b/libavcodec/vp9dsp.h index db0a92e210..33dfc09acd 100644 --- a/libavcodec/vp9dsp.h +++ b/libavcodec/vp9dsp.h @@ -32,6 +32,9 @@ typedef void (*vp9_mc_func)(uint8_t *dst, ptrdiff_t dst_stride, const uint8_t *ref, ptrdiff_t ref_stride, int h, int mx, int my); +typedef void (*vp9_scaled_mc_func)(uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *ref, ptrdiff_t ref_stride, + int h, int mx, int my, int dx, int dy); typedef struct VP9DSPContext { /* @@ -109,6 +112,12 @@ typedef struct VP9DSPContext { * dst/stride are aligned by hsize */ vp9_mc_func mc[5][4][2][2][2]; + + /* + * for scalable MC, first 3 dimensions identical to above, the other two + * don't exist since it changes per stepsize. + */ + vp9_scaled_mc_func smc[5][4][2]; } VP9DSPContext; void ff_vp9dsp_init(VP9DSPContext *dsp); diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 4dcebd4849..bf55571fe9 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -231,6 +231,12 @@ static int decode_format80(VqaContext *s, int src_size, unsigned char color; int i; + if (src_size < 0 || src_size > bytestream2_get_bytes_left(&s->gb)) { + av_log(s->avctx, AV_LOG_ERROR, "Chunk size %d is out of range\n", + src_size); + return AVERROR_INVALIDDATA; + } + start = bytestream2_tell(&s->gb); while (bytestream2_tell(&s->gb) - start < src_size) { opcode = bytestream2_get_byte(&s->gb); diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 1ad3901600..fd11580325 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -155,7 +155,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (t >= 2) { if (get_bits_left(gb) < t - 1) goto error; - t = get_bits(gb, t - 1) | (1 << (t - 1)); + t = get_bits_long(gb, t - 1) | (1 << (t - 1)); } else { if (get_bits_left(gb) < 0) goto error; @@ -184,9 +184,9 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, goto error; t += t2; } else { - if (get_bits_left(gb) < t2 - 1) + if (t2 >= 32 || get_bits_left(gb) < t2 - 1) goto error; - t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } } @@ -219,7 +219,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, INC_MED(1); DEC_MED(2); } else { - base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2); + base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2U); add = GET_MED(2) - 1; INC_MED(0); INC_MED(1); @@ -239,7 +239,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (get_bits_left(gb) <= 0) goto error; if (get_bits1(gb)) { - add -= (mid - base); + add -= (mid - (unsigned)base); base = mid; } else add = mid - base - 1; @@ -267,11 +267,11 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int bit; if (s->extra_bits) { - S <<= s->extra_bits; + S *= 1 << s->extra_bits; if (s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits) { - S |= get_bits(&s->gb_extra_bits, s->extra_bits); + S |= get_bits_long(&s->gb_extra_bits, s->extra_bits); *crc = *crc * 9 + (S & 0xffff) * 3 + ((unsigned)S >> 16); } } @@ -307,8 +307,8 @@ static float wv_get_value_float(WavpackFrameContext *s, uint32_t *crc, int S) S <<= s->float_shift; sign = S < 0; if (sign) - S = -S; - if (S >= 0x1000000) { + S = -(unsigned)S; + if (S >= 0x1000000U) { if (s->got_extra_bits && get_bits1(&s->gb_extra_bits)) S = get_bits(&s->gb_extra_bits, 23); else @@ -472,6 +472,14 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, s->decorr[i].samplesB[0] = L; } } + + if (type == AV_SAMPLE_FMT_S16P) { + if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { + av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); + return AVERROR_INVALIDDATA; + } + } + pos = (pos + 1) & 7; if (s->joint) L += (R -= (L >> 1)); @@ -540,7 +548,7 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10); else - S = T + ((s->decorr[i].weightA * A + 512) >> 10); + S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); if (A && T) s->decorr[i].weightA -= ((((T ^ A) >> 30) & 2) - 1) * s->decorr[i].delta; s->decorr[i].samplesA[j] = T = S; @@ -672,7 +680,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE; s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); s->hybrid_maxclip = ((1LL << (orig_bpp - 1)) - 1); - s->hybrid_minclip = ((-1LL << (orig_bpp - 1))); + s->hybrid_minclip = ((-1UL << (orig_bpp - 1))); s->CRC = bytestream2_get_le32(&gb); // parse metadata blocks @@ -726,13 +734,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } for (i = 0; i < weights; i++) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightA = t << 3; + s->decorr[s->terms - i - 1].weightA = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightA > 0) s->decorr[s->terms - i - 1].weightA += (s->decorr[s->terms - i - 1].weightA + 64) >> 7; if (s->stereo_in) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightB = t << 3; + s->decorr[s->terms - i - 1].weightB = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightB > 0) s->decorr[s->terms - i - 1].weightB += (s->decorr[s->terms - i - 1].weightB + 64) >> 7; @@ -827,7 +835,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0]) { + if (val[0] > 30) { + av_log(avctx, AV_LOG_ERROR, + "Invalid INT32INFO, extra_bits = %d (> 30)\n", val[0]); + continue; + } else if (val[0]) { s->extra_bits = val[0]; } else if (val[1]) { s->shift = val[1]; @@ -858,6 +870,12 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->float_flag = bytestream2_get_byte(&gb); s->float_shift = bytestream2_get_byte(&gb); s->float_max_exp = bytestream2_get_byte(&gb); + if (s->float_shift > 31) { + av_log(avctx, AV_LOG_ERROR, + "Invalid FLOATINFO, shift = %d (> 31)\n", s->float_shift); + s->float_shift = 0; + continue; + } got_float = 1; bytestream2_skip(&gb, 1); break; diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index 6cb49a1b3e..db482115ab 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -94,7 +94,7 @@ typedef struct Decorr { typedef struct WvChannel { int median[3]; int slow_level, error_limit; - int bitrate_acc, bitrate_delta; + unsigned bitrate_acc, bitrate_delta; } WvChannel; // macros for manipulating median values diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 63971c6755..4bfeadb2e6 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -128,6 +128,11 @@ static av_cold int wavpack_encode_init(AVCodecContext *avctx) s->avctx = avctx; + if (avctx->channels > 255) { + av_log(avctx, AV_LOG_ERROR, "Invalid channel count: %d\n", avctx->channels); + return AVERROR(EINVAL); + } + if (!avctx->frame_size) { int block_samples; if (!(avctx->sample_rate & 1)) @@ -2882,7 +2887,7 @@ static int wavpack_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } buf_size = s->block_samples * avctx->channels * 8 - + 200 /* for headers */; + + 200 * avctx->channels /* for headers */; if ((ret = ff_alloc_packet2(avctx, avpkt, buf_size)) < 0) return ret; buf = avpkt->data; diff --git a/libavcodec/webp.c b/libavcodec/webp.c index c737f5492d..44be965229 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -694,6 +694,11 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); + if (prefix_code > 39U) { + av_log(s->avctx, AV_LOG_ERROR, + "distance prefix code too large: %d\n", prefix_code); + return AVERROR_INVALIDDATA; + } if (prefix_code < 4) { distance = prefix_code + 1; } else { @@ -1028,7 +1033,7 @@ static int apply_color_indexing_transform(WebPContext *s) ImageContext *img; ImageContext *pal; int i, x, y; - uint8_t *p, *pi; + uint8_t *p; img = &s->image[IMAGE_ROLE_ARGB]; pal = &s->image[IMAGE_ROLE_COLOR_INDEXING]; @@ -1038,7 +1043,7 @@ static int apply_color_indexing_transform(WebPContext *s) uint8_t *line; int pixel_bits = 8 >> pal->size_reduction; - line = av_malloc(img->frame->linesize[0]); + line = av_malloc(img->frame->linesize[0] + FF_INPUT_BUFFER_PADDING_SIZE); if (!line) return AVERROR(ENOMEM); @@ -1066,23 +1071,38 @@ static int apply_color_indexing_transform(WebPContext *s) p = GET_PIXEL(img->frame, x, y); i = p[2]; if (i >= pal->frame->width) { - av_log(s->avctx, AV_LOG_ERROR, "invalid palette index %d\n", i); - return AVERROR_INVALIDDATA; + AV_WB32(p, 0x00000000); + } else { + const uint8_t *pi = GET_PIXEL(pal->frame, i, 0); + AV_COPY32(p, pi); } - pi = GET_PIXEL(pal->frame, i, 0); - AV_COPY32(p, pi); } } return 0; } +static void update_canvas_size(AVCodecContext *avctx, int w, int h) +{ + WebPContext *s = avctx->priv_data; + if (s->width && s->width != w) { + av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", + s->width, w); + } + s->width = w; + if (s->height && s->height != h) { + av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", + s->height, h); + } + s->height = h; +} + static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, int *got_frame, uint8_t *data_start, unsigned int data_size, int is_alpha_chunk) { WebPContext *s = avctx->priv_data; - int w, h, ret, i; + int w, h, ret, i, used; if (!is_alpha_chunk) { s->lossless = 1; @@ -1101,16 +1121,8 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, w = get_bits(&s->gb, 14) + 1; h = get_bits(&s->gb, 14) + 1; - if (s->width && s->width != w) { - av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", - s->width, w); - } - s->width = w; - if (s->height && s->height != h) { - av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", - s->width, w); - } - s->height = h; + + update_canvas_size(avctx, w, h); ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) @@ -1132,8 +1144,16 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, /* parse transformations */ s->nb_transforms = 0; s->reduced_width = 0; + used = 0; while (get_bits1(&s->gb)) { enum TransformType transform = get_bits(&s->gb, 2); + if (used & (1 << transform)) { + av_log(avctx, AV_LOG_ERROR, "Transform %d used more than once\n", + transform); + ret = AVERROR_INVALIDDATA; + goto free_and_return; + } + used |= (1 << transform); s->transforms[s->nb_transforms++] = transform; switch (transform) { case PREDICTOR_TRANSFORM: @@ -1297,9 +1317,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (!s->initialized) { ff_vp8_decode_init(avctx); s->initialized = 1; - if (s->has_alpha) - avctx->pix_fmt = AV_PIX_FMT_YUVA420P; } + avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P; s->lossless = 0; if (data_size > INT_MAX) { @@ -1312,6 +1331,14 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, pkt.size = data_size; ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); + if (ret < 0) + return ret; + + if (!*got_frame) + return AVERROR_INVALIDDATA; + + update_canvas_size(avctx, avctx->width, avctx->height); + if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index dfa4ad9484..18e3706db7 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c @@ -32,6 +32,7 @@ static av_cold int encode_init(AVCodecContext *avctx) WMACodecContext *s = avctx->priv_data; int i, flags1, flags2, block_align; uint8_t *extradata; + int ret; s->avctx = avctx; @@ -78,7 +79,8 @@ static av_cold int encode_init(AVCodecContext *avctx) if (avctx->channels == 2) s->ms_stereo = 1; - ff_wma_init(avctx, flags2); + if ((ret = ff_wma_init(avctx, flags2)) < 0) + return ret; /* init MDCT */ for (i = 0; i < s->nb_block_sizes; i++) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 8e2ac5ffc6..2cd3a0282e 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -487,7 +487,7 @@ static int decode_cdlms(WmallDecodeCtx *s) if ((1 << cbits) < s->cdlms[c][i].scaling + 1) cbits++; - s->cdlms[c][i].bitsend = get_bits(&s->gb, cbits) + 2; + s->cdlms[c][i].bitsend = (cbits ? get_bits(&s->gb, cbits) : 0) + 2; shift_l = 32 - s->cdlms[c][i].bitsend; shift_r = 32 - s->cdlms[c][i].scaling - 2; for (j = 0; j < s->cdlms[c][i].coefsend; j++) @@ -1029,6 +1029,7 @@ static int decode_frame(WmallDecodeCtx *s) if ((ret = ff_get_buffer(s->avctx, s->frame, 0)) < 0) { /* return an error if no frame could be decoded at all */ s->packet_loss = 1; + s->frame->nb_samples = 0; return ret; } for (i = 0; i < s->num_channels; i++) { @@ -1276,6 +1277,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, } } + if (remaining_bits(s, gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb)); + s->packet_loss = 1; + } + if (s->packet_done && !s->packet_loss && remaining_bits(s, gb) > 0) { /* save the rest of the data so that it can be decoded diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index f45e1fcdbc..4351e3fedf 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -296,6 +296,12 @@ static av_cold int decode_init(AVCodecContext *avctx) s->decode_flags = AV_RL16(edata_ptr+14); channel_mask = AV_RL32(edata_ptr+2); s->bits_per_sample = AV_RL16(edata_ptr); + + if (s->bits_per_sample > 32 || s->bits_per_sample < 1) { + avpriv_request_sample(avctx, "bits per sample is %d", s->bits_per_sample); + return AVERROR_PATCHWELCOME; + } + /** dump the extradata */ for (i = 0; i < avctx->extradata_size; i++) av_dlog(avctx, "[%x] ", avctx->extradata[i]); @@ -422,6 +428,9 @@ static av_cold int decode_init(AVCodecContext *avctx) offset &= ~3; if (offset > s->sfb_offsets[i][band - 1]) s->sfb_offsets[i][band++] = offset; + + if (offset >= subframe_len) + break; } s->sfb_offsets[i][band - 1] = subframe_len; s->num_sfb[i] = band - 1; @@ -470,7 +479,7 @@ static av_cold int decode_init(AVCodecContext *avctx) /** calculate subwoofer cutoff values */ for (i = 0; i < num_possible_block_sizes; i++) { int block_size = s->samples_per_frame >> i; - int cutoff = (440*block_size + 3 * (s->avctx->sample_rate >> 1) - 1) + int cutoff = (440*block_size + 3LL * (s->avctx->sample_rate >> 1) - 1) / s->avctx->sample_rate; s->subwoofer_cutoffs[i] = av_clip(cutoff, 4, block_size); } @@ -1616,6 +1625,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, s->packet_done = 1; } + if (remaining_bits(s, gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb)); + s->packet_loss = 1; + } + if (s->packet_done && !s->packet_loss && remaining_bits(s, gb) > 0) { /** save the rest of the data so that it can be decoded diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index c2737abd47..1c9958891f 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1982,7 +1982,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, *got_frame_ptr) { cnt += s->spillover_nbits; s->skip_bits_next = cnt & 7; - return cnt >> 3; + res = cnt >> 3; + if (res > avpkt->size) { + av_log(ctx, AV_LOG_ERROR, + "Trying to skip %d bytes in packet of size %d\n", + res, avpkt->size); + return AVERROR_INVALIDDATA; + } + return res; } else skip_bits_long (gb, s->spillover_nbits - cnt + get_bits_count(gb)); // resync @@ -2001,7 +2008,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, } else if (*got_frame_ptr) { int cnt = get_bits_count(gb); s->skip_bits_next = cnt & 7; - return cnt >> 3; + res = cnt >> 3; + if (res > avpkt->size) { + av_log(ctx, AV_LOG_ERROR, + "Trying to skip %d bytes in packet of size %d\n", + res, avpkt->size); + return AVERROR_INVALIDDATA; + } + return res; } else if ((s->sframe_cache_size = pos) > 0) { /* rewind bit reader to start of last (incomplete) superframe... */ init_get_bits(gb, avpkt->data, size << 3); diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c index d9cbfd15ed..af6c25ded2 100644 --- a/libavcodec/wmv2dec.c +++ b/libavcodec/wmv2dec.c @@ -29,7 +29,7 @@ #include "wmv2.h" -static void parse_mb_skip(Wmv2Context *w) +static int parse_mb_skip(Wmv2Context *w) { int mb_x, mb_y; MpegEncContext *const s = &w->s; @@ -44,6 +44,8 @@ static void parse_mb_skip(Wmv2Context *w) MB_TYPE_16x16 | MB_TYPE_L0; break; case SKIP_TYPE_MPEG: + if (get_bits_left(&s->gb) < s->mb_height * s->mb_width) + return AVERROR_INVALIDDATA; for (mb_y = 0; mb_y < s->mb_height; mb_y++) for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -51,6 +53,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_ROW: for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -64,6 +68,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_COL: for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_y = 0; mb_y < s->mb_height; mb_y++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -76,6 +82,7 @@ static void parse_mb_skip(Wmv2Context *w) } break; } + return 0; } static int decode_ext_header(Wmv2Context *w) @@ -169,9 +176,12 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } } else { int cbp_index; + int ret; w->j_type = 0; - parse_mb_skip(w); + ret = parse_mb_skip(w); + if (ret < 0) + return ret; cbp_index = decode012(&s->gb); if (s->qscale <= 10) { int map[3] = { 0, 2, 1 }; @@ -360,6 +370,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) w->hshift = 0; return 0; } + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_mb_non_intra_vlc[w->cbp_table_index].table, MB_NON_INTRA_VLC_BITS, 3); @@ -370,6 +382,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) cbp = code & 0x3f; } else { s->mb_intra = 1; + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_msmp4_mb_i_vlc.table, MB_INTRA_VLC_BITS, 2); if (code < 0) { av_log(s->avctx, AV_LOG_ERROR, diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index 40e0bef0da..7b59d10a43 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c @@ -48,8 +48,8 @@ static void wmv2_idct_row(short * b) a4 = W0 * b[0] - W0 * b[4]; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[0] = (a0 + a2 + a1 + a5 + (1 << 7)) >> 8; @@ -78,8 +78,8 @@ static void wmv2_idct_col(short * b) a4 = (W0 * b[8 * 0] - W0 * b[8 * 4] ) >> 3; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[8 * 0] = (a0 + a2 + a1 + a5 + (1 << 13)) >> 14; diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 99aee3cd1c..4e5f3ba69a 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -52,7 +52,7 @@ static inline int wnv1_get_code(WNV1Context *w, int base_value) if (v == 15) return ff_reverse[get_bits(&w->gb, 8 - w->shift)]; else - return base_value + ((v - 7) << w->shift); + return base_value + ((v - 7U) << w->shift); } static int decode_frame(AVCodecContext *avctx, @@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; - if (buf_size <= 8) { + if (buf_size < 8 + avctx->height * (avctx->width/2)/8) { av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/x86/cavsdsp.c b/libavcodec/x86/cavsdsp.c index d155fb20bc..c366942b97 100644 --- a/libavcodec/x86/cavsdsp.c +++ b/libavcodec/x86/cavsdsp.c @@ -142,9 +142,7 @@ static void cavs_idct8_add_mmx(uint8_t *dst, int16_t *block, int stride) DECLARE_ALIGNED(8, int16_t, b2)[64]; for(i=0; i<2; i++){ - DECLARE_ALIGNED(8, uint64_t, tmp); - - cavs_idct8_1d(block+4*i, ff_pw_4.a); + cavs_idct8_1d(block + 4 * i, ff_pw_4.a); __asm__ volatile( "psraw $3, %%mm7 \n\t" @@ -155,20 +153,20 @@ static void cavs_idct8_add_mmx(uint8_t *dst, int16_t *block, int stride) "psraw $3, %%mm2 \n\t" "psraw $3, %%mm1 \n\t" "psraw $3, %%mm0 \n\t" - "movq %%mm7, %0 \n\t" + "movq %%mm7, (%0) \n\t" TRANSPOSE4( %%mm0, %%mm2, %%mm4, %%mm6, %%mm7 ) - "movq %%mm0, 8(%1) \n\t" - "movq %%mm6, 24(%1) \n\t" - "movq %%mm7, 40(%1) \n\t" - "movq %%mm4, 56(%1) \n\t" - "movq %0, %%mm7 \n\t" + "movq %%mm0, 8(%0) \n\t" + "movq %%mm6, 24(%0) \n\t" + "movq %%mm7, 40(%0) \n\t" + "movq %%mm4, 56(%0) \n\t" + "movq (%0), %%mm7 \n\t" TRANSPOSE4( %%mm7, %%mm5, %%mm3, %%mm1, %%mm0 ) - "movq %%mm7, (%1) \n\t" - "movq %%mm1, 16(%1) \n\t" - "movq %%mm0, 32(%1) \n\t" - "movq %%mm3, 48(%1) \n\t" - : "=m"(tmp) - : "r"(b2+32*i) + "movq %%mm7, (%0) \n\t" + "movq %%mm1, 16(%0) \n\t" + "movq %%mm0, 32(%0) \n\t" + "movq %%mm3, 48(%0) \n\t" + : + : "r"(b2 + 32 * i) : "memory" ); } diff --git a/libavcodec/x86/h264_weight.asm b/libavcodec/x86/h264_weight.asm index b4fb9db309..1e1219ddde 100644 --- a/libavcodec/x86/h264_weight.asm +++ b/libavcodec/x86/h264_weight.asm @@ -135,8 +135,11 @@ WEIGHT_FUNC_HALF_MM 8, 8 add off_regd, 1 or off_regd, 1 add r4, 1 + cmp r6d, 128 + je .nonnormal cmp r5, 128 jne .normal +.nonnormal sar r5, 1 sar r6, 1 sar off_regd, 1 diff --git a/libavcodec/x86/mathops.h b/libavcodec/x86/mathops.h index 1cca05d658..6298f5ed19 100644 --- a/libavcodec/x86/mathops.h +++ b/libavcodec/x86/mathops.h @@ -23,6 +23,7 @@ #define AVCODEC_X86_MATHOPS_H #include "config.h" + #include "libavutil/common.h" #include "libavutil/x86/asm.h" @@ -100,6 +101,7 @@ __asm__ volatile(\ : "r" (y), "r" (b), "r" (d)\ ); #endif /* HAVE_6REGS */ + #endif /* HAVE_I686 */ #define MASK_ABS(mask, level) \ diff --git a/libavcodec/x86/mlpdsp.c b/libavcodec/x86/mlpdsp.c index f090fd79b4..a6da229228 100644 --- a/libavcodec/x86/mlpdsp.c +++ b/libavcodec/x86/mlpdsp.c @@ -132,8 +132,8 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, FIRMUL (ff_mlp_firorder_6, 0x14 ) FIRMUL (ff_mlp_firorder_5, 0x10 ) FIRMUL (ff_mlp_firorder_4, 0x0c ) - FIRMULREG(ff_mlp_firorder_3, 0x08,10) - FIRMULREG(ff_mlp_firorder_2, 0x04, 9) + FIRMUL (ff_mlp_firorder_3, 0x08 ) + FIRMUL (ff_mlp_firorder_2, 0x04 ) FIRMULREG(ff_mlp_firorder_1, 0x00, 8) LABEL_MANGLE(ff_mlp_firorder_0)":\n\t" "jmp *%6 \n\t" @@ -162,8 +162,6 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, : /* 4*/"r"((x86_reg)mask), /* 5*/"r"(firjump), /* 6*/"r"(iirjump) , /* 7*/"c"(filter_shift) , /* 8*/"r"((int64_t)coeff[0]) - , /* 9*/"r"((int64_t)coeff[1]) - , /*10*/"r"((int64_t)coeff[2]) : "rax", "rdx", "rsi" #else /* ARCH_X86_32 */ /* 3*/"+m"(blocksize) diff --git a/libavcodec/x86/mpegvideodsp.c b/libavcodec/x86/mpegvideodsp.c index 941a8e2e4c..5dcfd76a61 100644 --- a/libavcodec/x86/mpegvideodsp.c +++ b/libavcodec/x86/mpegvideodsp.c @@ -53,8 +53,9 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src, const int dyh = (dyy - (1 << (16 + shift))) * (h - 1); const int dxh = dxy * (h - 1); const int dyw = dyx * (w - 1); - int need_emu = (unsigned) ix >= width - w || - (unsigned) iy >= height - h; + int need_emu = (unsigned) ix >= width - w || width < w || + (unsigned) iy >= height - h || height< h + ; if ( // non-constant fullpel offset (3% of blocks) ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) | diff --git a/libavcodec/x86/pixblockdsp_init.c b/libavcodec/x86/pixblockdsp_init.c index 4d06a44c6d..b9027dee54 100644 --- a/libavcodec/x86/pixblockdsp_init.c +++ b/libavcodec/x86/pixblockdsp_init.c @@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c, if (EXTERNAL_MMX(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_mmx; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_mmx; } if (EXTERNAL_SSE2(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_sse2; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_sse2; } } diff --git a/libavcodec/x86/sbrdsp.asm b/libavcodec/x86/sbrdsp.asm index 6f2e4f48d9..f7f7fe9a14 100644 --- a/libavcodec/x86/sbrdsp.asm +++ b/libavcodec/x86/sbrdsp.asm @@ -381,6 +381,7 @@ apply_noise_main: %else %define count m_maxq %endif + movsxdifnidn noiseq, noised dec noiseq shl count, 2 %ifdef PIC diff --git a/libavcodec/x86/videodsp.asm b/libavcodec/x86/videodsp.asm index 1ac02574d6..0685b03c2b 100644 --- a/libavcodec/x86/videodsp.asm +++ b/libavcodec/x86/videodsp.asm @@ -184,10 +184,10 @@ hvar_fn mov valb, [srcq+%2-1] %elif (%2-%%off) == 2 mov valw, [srcq+%2-2] -%elifidn %1, body - mov vald, [srcq+%2-3] %else - movd mm %+ %%mmx_idx, [srcq+%2-3] + mov valb, [srcq+%2-1] + ror vald, 16 + mov valw, [srcq+%2-3] %endif %endif ; (%2-%%off) >= 1 %endmacro ; READ_NUM_BYTES @@ -240,15 +240,13 @@ hvar_fn mov [dstq+%2-1], valb %elif (%2-%%off) == 2 mov [dstq+%2-2], valw -%elifidn %1, body - mov [dstq+%2-3], valw - shr vald, 16 - mov [dstq+%2-1], valb %else - movd vald, mm %+ %%mmx_idx mov [dstq+%2-3], valw - shr vald, 16 + ror vald, 16 mov [dstq+%2-1], valb +%ifnidn %1, body + ror vald, 16 +%endif %endif %endif ; (%2-%%off) >= 1 %endmacro ; WRITE_NUM_BYTES diff --git a/libavcodec/x86/vp9lpf.asm b/libavcodec/x86/vp9lpf.asm index cb57a25333..416f08f090 100644 --- a/libavcodec/x86/vp9lpf.asm +++ b/libavcodec/x86/vp9lpf.asm @@ -20,10 +20,10 @@ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ;****************************************************************************** -%if ARCH_X86_64 - %include "libavutil/x86/x86util.asm" +%if ARCH_X86_64 + SECTION_RODATA cextern pb_3 diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 968464c65b..cc33597d87 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -130,7 +130,10 @@ static int xan_huffman_decode(uint8_t *dest, int dest_len, return ret; while (val != 0x16) { - unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + unsigned idx; + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; + idx = val - 0x17 + get_bits1(&gb) * byte; if (idx >= 2 * byte) return AVERROR_INVALIDDATA; val = src[idx]; @@ -262,7 +265,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, AVFrame *frame, prevframe_index = (y + motion_y) * stride + x + motion_x; prevframe_x = x + motion_x; - if (prev_palette_plane == palette_plane && FFABS(curframe_index - prevframe_index) < pixel_count) { + if (prev_palette_plane == palette_plane && FFABS(motion_x + width*motion_y) < pixel_count) { avpriv_request_sample(s->avctx, "Overlapping copy\n"); return ; } diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index 174d74ed81..94a68e2bb4 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c @@ -59,7 +59,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, int has_alpha = avctx->codec_tag == MKTAG('D','X','S','A'); // check that at least header fits - if (buf_size < 27 + 7 * 2 + 4 * 3) { + if (buf_size < 27 + 7 * 2 + 4 * (3 + has_alpha)) { av_log(avctx, AV_LOG_ERROR, "coded frame size %d too small\n", buf_size); return -1; } @@ -106,9 +106,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, // read palette for (i = 0; i < sub->rects[0]->nb_colors; i++) ((uint32_t*)sub->rects[0]->pict.data[1])[i] = bytestream_get_be24(&buf); - // make all except background (first entry) non-transparent - for (i = 0; i < sub->rects[0]->nb_colors; i++) - ((uint32_t*)sub->rects[0]->pict.data[1])[i] |= (has_alpha ? *buf++ : (i ? 0xff : 0)) << 24; + + if (!has_alpha) { + // make all except background (first entry) non-transparent + for (i = 1; i < sub->rects[0]->nb_colors; i++) + ((uint32_t *)sub->rects[0]->pict.data[1])[i] |= 0xff000000; + } else { + for (i = 0; i < sub->rects[0]->nb_colors; i++) + ((uint32_t *)sub->rects[0]->pict.data[1])[i] |= *buf++ << 24; + } // process RLE-compressed data init_get_bits(&gb, buf, (buf_end - buf) * 8); diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 62dfdace16..a06054fbd4 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { + if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } @@ -157,9 +157,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, case XWD_GRAY_SCALE: if (bpp != 1 && bpp != 8) return AVERROR_INVALIDDATA; - if (pixdepth == 1) { + if (bpp == 1 && pixdepth == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOWHITE; - } else if (pixdepth == 8) { + } else if (bpp == 8 && pixdepth == 8) { avctx->pix_fmt = AV_PIX_FMT_GRAY8; } break; diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index c16d912117..ed526b4d0a 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -410,11 +410,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int hi_ver, lo_ver, ret; /* parse header */ + if (len < 1) + return AVERROR_INVALIDDATA; c->flags = buf[0]; buf++; len--; if (c->flags & ZMBV_KEYFRAME) { void *decode_intra = NULL; c->decode_intra= NULL; + + if (len < 6) + return AVERROR_INVALIDDATA; hi_ver = buf[0]; lo_ver = buf[1]; c->comp = buf[2]; @@ -534,6 +539,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } else { frame->key_frame = 0; frame->pict_type = AV_PICTURE_TYPE_P; + if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * ((c->height + c->bh - 1) / c->bh)) + return AVERROR_INVALIDDATA; if (c->decomp_len) c->decode_xor(c); } diff --git a/libavdevice/Makefile b/libavdevice/Makefile index db301e7112..d700d9a7ec 100644 --- a/libavdevice/Makefile +++ b/libavdevice/Makefile @@ -34,7 +34,7 @@ OBJS-$(CONFIG_OPENGL_OUTDEV) += opengl_enc.o OBJS-$(CONFIG_OSS_INDEV) += oss_audio.o oss_audio_dec.o OBJS-$(CONFIG_OSS_OUTDEV) += oss_audio.o oss_audio_enc.o OBJS-$(CONFIG_PULSE_INDEV) += pulse_audio_dec.o \ - pulse_audio_common.o + pulse_audio_common.o timefilter.o OBJS-$(CONFIG_PULSE_OUTDEV) += pulse_audio_enc.o \ pulse_audio_common.o OBJS-$(CONFIG_QTKIT_INDEV) += qtkit.o diff --git a/libavdevice/avdevice.c b/libavdevice/avdevice.c index 6a75bd79d7..a80eb457ea 100644 --- a/libavdevice/avdevice.c +++ b/libavdevice/avdevice.c @@ -23,6 +23,9 @@ #include "avdevice.h" #include "config.h" +#include "libavutil/ffversion.h" +const char av_device_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + #define E AV_OPT_FLAG_ENCODING_PARAM #define D AV_OPT_FLAG_DECODING_PARAM #define A AV_OPT_FLAG_AUDIO_PARAM @@ -131,9 +134,9 @@ int avdevice_app_to_dev_control_message(struct AVFormatContext *s, enum AVAppToD int avdevice_dev_to_app_control_message(struct AVFormatContext *s, enum AVDevToAppMessageType type, void *data, size_t data_size) { - if (!s->control_message_cb) + if (!av_format_get_control_message_cb(s)) return AVERROR(ENOSYS); - return s->control_message_cb(s, type, data, data_size); + return av_format_get_control_message_cb(s)(s, type, data, data_size); } int avdevice_capabilities_create(AVDeviceCapabilitiesQuery **caps, AVFormatContext *s, diff --git a/libavdevice/lavfi.c b/libavdevice/lavfi.c index 1398ece508..f6c92bcac2 100644 --- a/libavdevice/lavfi.c +++ b/libavdevice/lavfi.c @@ -339,7 +339,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt) continue; } else if (ret < 0) return ret; - d = av_rescale_q(frame->pts, tb, AV_TIME_BASE_Q); + d = av_rescale_q_rnd(frame->pts, tb, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX); av_dlog(avctx, "sink_idx:%d time:%f\n", i, d); av_frame_unref(frame); diff --git a/libavdevice/libavdevice.v b/libavdevice/libavdevice.v index 663af85ba8..de7278c193 100644 --- a/libavdevice/libavdevice.v +++ b/libavdevice/libavdevice.v @@ -1,4 +1,4 @@ LIBAVDEVICE_$MAJOR { - global: avdevice_*; + global: avdevice_*; av_*; local: *; }; diff --git a/libavdevice/oss_audio.c b/libavdevice/oss_audio.c index 951acbcc36..4eb6a50702 100644 --- a/libavdevice/oss_audio.c +++ b/libavdevice/oss_audio.c @@ -49,6 +49,7 @@ int ff_oss_audio_open(AVFormatContext *s1, int is_output, int audio_fd; int tmp, err; char *flip = getenv("AUDIO_FLIP_LEFT"); + char errbuff[128]; if (is_output) audio_fd = avpriv_open(audio_device, O_WRONLY); @@ -74,14 +75,15 @@ int ff_oss_audio_open(AVFormatContext *s1, int is_output, #define CHECK_IOCTL_ERROR(event) \ if (err < 0) { \ - av_log(s1, AV_LOG_ERROR, #event ": %s\n", strerror(errno)); \ + av_strerror(AVERROR(errno), errbuff, sizeof(errbuff)); \ + av_log(s1, AV_LOG_ERROR, #event ": %s\n", errbuff); \ goto fail; \ } /* select format : favour native format * We don't CHECK_IOCTL_ERROR here because even if failed OSS still may be * usable. If OSS is not usable the SNDCTL_DSP_SETFMTS later is going to - * fail anyway. `err =` kept to eliminate compiler warning. */ + * fail anyway. */ err = ioctl(audio_fd, SNDCTL_DSP_GETFMTS, &tmp); if (err < 0) { av_log(s1, AV_LOG_WARNING, "SNDCTL_DSP_GETFMTS: %s\n", strerror(errno)); diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index cf7a92cdd4..8bfe3de253 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -873,9 +873,6 @@ static int v4l2_read_header(AVFormatContext *ctx) avpriv_set_pts_info(st, 64, 1, 1000000); /* 64 bits pts in us */ - if ((res = v4l2_set_parameters(ctx)) < 0) - goto fail; - if (s->pixel_format) { AVCodec *codec = avcodec_find_decoder_by_name(s->pixel_format); @@ -926,6 +923,9 @@ static int v4l2_read_header(AVFormatContext *ctx) s->frame_format = desired_format; + if ((res = v4l2_set_parameters(ctx)) < 0) + goto fail; + st->codec->pix_fmt = avpriv_fmt_v4l2ff(desired_format, codec_id); s->frame_size = avpicture_get_size(st->codec->pix_fmt, s->width, s->height); diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c index d8a6651fce..fddf1fe0e1 100644 --- a/libavfilter/af_amix.c +++ b/libavfilter/af_amix.c @@ -276,6 +276,9 @@ static int output_frame(AVFilterLink *outlink, int nb_samples) calculate_scales(s, nb_samples); + if (nb_samples == 0) + return 0; + out_buf = ff_get_audio_buffer(outlink, nb_samples); if (!out_buf) return AVERROR(ENOMEM); @@ -496,6 +499,8 @@ static av_cold int init(AVFilterContext *ctx) snprintf(name, sizeof(name), "input%d", i); pad.type = AVMEDIA_TYPE_AUDIO; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.filter_frame = filter_frame; ff_insert_inpad(ctx, i, &pad); diff --git a/libavfilter/af_aresample.c b/libavfilter/af_aresample.c index 5f34321fe8..f010c2767e 100644 --- a/libavfilter/af_aresample.c +++ b/libavfilter/af_aresample.c @@ -86,15 +86,24 @@ static int query_formats(AVFilterContext *ctx) AVFilterLink *inlink = ctx->inputs[0]; AVFilterLink *outlink = ctx->outputs[0]; - AVFilterFormats *in_formats = ff_all_formats(AVMEDIA_TYPE_AUDIO); - AVFilterFormats *out_formats; - AVFilterFormats *in_samplerates = ff_all_samplerates(); - AVFilterFormats *out_samplerates; - AVFilterChannelLayouts *in_layouts = ff_all_channel_counts(); - AVFilterChannelLayouts *out_layouts; + AVFilterFormats *in_formats, *out_formats; + AVFilterFormats *in_samplerates, *out_samplerates; + AVFilterChannelLayouts *in_layouts, *out_layouts; + + in_formats = ff_all_formats(AVMEDIA_TYPE_AUDIO); + if (!in_formats) + return AVERROR(ENOMEM); ff_formats_ref (in_formats, &inlink->out_formats); + + in_samplerates = ff_all_samplerates(); + if (!in_samplerates) + return AVERROR(ENOMEM); ff_formats_ref (in_samplerates, &inlink->out_samplerates); + + in_layouts = ff_all_channel_counts(); + if (!in_layouts) + return AVERROR(ENOMEM); ff_channel_layouts_ref(in_layouts, &inlink->out_channel_layouts); if(out_rate > 0) { diff --git a/libavfilter/af_asyncts.c b/libavfilter/af_asyncts.c index 5f8e1f61cc..4be093b194 100644 --- a/libavfilter/af_asyncts.c +++ b/libavfilter/af_asyncts.c @@ -205,7 +205,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *buf) delta = pts - s->pts - get_delay(s); out_size = avresample_available(s->avr); - if (labs(delta) > s->min_delta || + if (llabs(delta) > s->min_delta || (s->first_frame && delta && s->first_pts != AV_NOPTS_VALUE)) { av_log(ctx, AV_LOG_VERBOSE, "Discontinuity - %"PRId64" samples.\n", delta); out_size = av_clipl_int32((int64_t)out_size + delta); diff --git a/libavfilter/af_join.c b/libavfilter/af_join.c index 560c5c82dc..afcc34ec43 100644 --- a/libavfilter/af_join.c +++ b/libavfilter/af_join.c @@ -214,6 +214,8 @@ static av_cold int join_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "input%d", i); pad.type = AVMEDIA_TYPE_AUDIO; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.filter_frame = filter_frame; pad.needs_fifo = 1; diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 4ba77a7366..bea8d1b356 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -109,7 +109,7 @@ static av_cold int init(AVFilterContext *ctx) if (!pan->args) { av_log(ctx, AV_LOG_ERROR, "pan filter needs a channel layout and a set " - "of channels definitions as parameter\n"); + "of channel definitions as parameter\n"); return AVERROR(EINVAL); } if (!args) @@ -274,7 +274,7 @@ static int config_props(AVFilterLink *link) if (link->channels > MAX_CHANNELS || pan->nb_output_channels > MAX_CHANNELS) { av_log(ctx, AV_LOG_ERROR, - "af_pan support a maximum of %d channels. " + "af_pan supports a maximum of %d channels. " "Feel free to ask for a higher limit.\n", MAX_CHANNELS); return AVERROR_PATCHWELCOME; } diff --git a/libavfilter/af_resample.c b/libavfilter/af_resample.c index 03467a747b..d65d4bc64a 100644 --- a/libavfilter/af_resample.c +++ b/libavfilter/af_resample.c @@ -41,6 +41,7 @@ typedef struct ResampleContext { AVDictionary *options; int64_t next_pts; + int64_t next_in_pts; /* set by filter_frame() to signal an output frame to request_frame() */ int got_output; @@ -134,11 +135,14 @@ static int config_output(AVFilterLink *outlink) return AVERROR(ENOMEM); if (s->options) { + int ret; AVDictionaryEntry *e = NULL; while ((e = av_dict_get(s->options, "", e, AV_DICT_IGNORE_SUFFIX))) av_log(ctx, AV_LOG_VERBOSE, "lavr option: %s=%s\n", e->key, e->value); - av_opt_set_dict(s->avr, &s->options); + ret = av_opt_set_dict(s->avr, &s->options); + if (ret < 0) + return ret; } av_opt_set_int(s->avr, "in_channel_layout", inlink ->channel_layout, 0); @@ -153,6 +157,7 @@ static int config_output(AVFilterLink *outlink) outlink->time_base = (AVRational){ 1, outlink->sample_rate }; s->next_pts = AV_NOPTS_VALUE; + s->next_in_pts = AV_NOPTS_VALUE; av_get_channel_layout_string(buf1, sizeof(buf1), -1, inlink ->channel_layout); @@ -254,7 +259,12 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } out->sample_rate = outlink->sample_rate; - if (in->pts != AV_NOPTS_VALUE) { + /* Only convert in->pts if there is a discontinuous jump. + This ensures that out->pts tracks the number of samples actually + output by the resampler in the absence of such a jump. + Otherwise, the rounding in av_rescale_q() and av_rescale() + causes off-by-1 errors. */ + if (in->pts != AV_NOPTS_VALUE && in->pts != s->next_in_pts) { out->pts = av_rescale_q(in->pts, inlink->time_base, outlink->time_base) - av_rescale(delay, outlink->sample_rate, @@ -263,6 +273,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) out->pts = s->next_pts; s->next_pts = out->pts + out->nb_samples; + s->next_in_pts = in->pts + in->nb_samples; ret = ff_filter_frame(outlink, out); s->got_output = 1; diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index 7b114676aa..18c9ae8617 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -37,6 +37,9 @@ #include "formats.h" #include "internal.h" +#include "libavutil/ffversion.h" +const char av_filter_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + static int ff_filter_frame_framed(AVFilterLink *link, AVFrame *frame); void ff_tlog_ref(void *ctx, AVFrame *ref, int end) @@ -227,6 +230,11 @@ int avfilter_config_links(AVFilterContext *filter) AVFilterLink *inlink; if (!link) continue; + if (!link->src || !link->dst) { + av_log(filter, AV_LOG_ERROR, + "Not all input and output are properly linked (%d).\n", i); + return AVERROR(EINVAL); + } inlink = link->src->nb_inputs ? link->src->inputs[0] : NULL; link->current_pts = AV_NOPTS_VALUE; diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 9178939f77..d01cc5a7f5 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -817,6 +817,8 @@ static void swap_samplerates_on_filter(AVFilterContext *filter) for (j = 0; j < outlink->in_samplerates->nb_formats; j++) { int diff = abs(sample_rate - outlink->in_samplerates->formats[j]); + av_assert0(diff < INT_MAX); // This would lead to the use of uninitialized best_diff but is only possible with invalid sample rates + if (diff < best_diff) { best_diff = diff; best_idx = j; diff --git a/libavfilter/deshake.h b/libavfilter/deshake.h index 62e81c3eaf..becd6c248b 100644 --- a/libavfilter/deshake.h +++ b/libavfilter/deshake.h @@ -48,7 +48,7 @@ typedef struct { } MotionVector; typedef struct { - MotionVector vector; ///< Motion vector + MotionVector vec; ///< Motion vector double angle; ///< Angle of rotation double zoom; ///< Zoom percentage } Transform; diff --git a/libavfilter/formats.c b/libavfilter/formats.c index 816042987d..71caf169f8 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -72,7 +72,7 @@ do { for (j = 0; j < b->nb; j++) \ if (a->fmts[i] == b->fmts[j]) { \ if(k >= FFMIN(a->nb, b->nb)){ \ - av_log(NULL, AV_LOG_ERROR, "Duplicate formats in avfilter_merge_formats() detected\n"); \ + av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __FUNCTION__); \ av_free(ret->fmts); \ av_free(ret); \ return NULL; \ diff --git a/libavfilter/split.c b/libavfilter/split.c index 6abd5ee2e0..7353810677 100644 --- a/libavfilter/split.c +++ b/libavfilter/split.c @@ -52,6 +52,8 @@ static av_cold int split_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "output%d", i); pad.type = ctx->filter->inputs[0].type; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); ff_insert_outpad(ctx, i, &pad); } diff --git a/libavfilter/src_movie.c b/libavfilter/src_movie.c index 0b97b827e4..6df52f75cc 100644 --- a/libavfilter/src_movie.c +++ b/libavfilter/src_movie.c @@ -240,7 +240,7 @@ static av_cold int movie_common_init(AVFilterContext *ctx) timestamp = movie->seek_point; // add the stream start time, should it exist if (movie->format_ctx->start_time != AV_NOPTS_VALUE) { - if (timestamp > INT64_MAX - movie->format_ctx->start_time) { + if (timestamp > 0 && movie->format_ctx->start_time > INT64_MAX - timestamp) { av_log(ctx, AV_LOG_ERROR, "%s: seek value overflow with start_time:%"PRId64" seek_point:%"PRId64"\n", movie->file_name, movie->format_ctx->start_time, movie->seek_point); @@ -289,6 +289,8 @@ static av_cold int movie_common_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "out%d", i); pad.type = movie->st[i].st->codec->codec_type; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.config_props = movie_config_output_props; pad.request_frame = movie_request_frame; ff_insert_outpad(ctx, i, &pad); diff --git a/libavfilter/vf_blackframe.c b/libavfilter/vf_blackframe.c index 1be9fcca9d..65b9c01b66 100644 --- a/libavfilter/vf_blackframe.c +++ b/libavfilter/vf_blackframe.c @@ -102,8 +102,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) #define OFFSET(x) offsetof(BlackFrameContext, x) #define FLAGS AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_FILTERING_PARAM static const AVOption blackframe_options[] = { - { "amount", "Percentage of the pixels that have to be below the threshold " - "for the frame to be considered black.", OFFSET(bamount), AV_OPT_TYPE_INT, { .i64 = 98 }, 0, 100, FLAGS }, + { "amount", "percentage of the pixels that have to be below the threshold " + "for the frame to be considered black", OFFSET(bamount), AV_OPT_TYPE_INT, { .i64 = 98 }, 0, 100, FLAGS }, { "threshold", "threshold below which a pixel value is considered black", OFFSET(bthresh), AV_OPT_TYPE_INT, { .i64 = 32 }, 0, 255, FLAGS }, { "thresh", "threshold below which a pixel value is considered black", diff --git a/libavfilter/vf_dctdnoiz.c b/libavfilter/vf_dctdnoiz.c index a9017b1f1c..7246b01d0b 100644 --- a/libavfilter/vf_dctdnoiz.c +++ b/libavfilter/vf_dctdnoiz.c @@ -534,7 +534,7 @@ static int config_input(AVFilterLink *inlink) /* each slice will need to (pre & re)process the top and bottom block of * the previous one in in addition to its processing area. This is because * each pixel is averaged by all the surrounding blocks */ - slice_h = (int)ceilf(s->pr_height / s->nb_threads) + (s->bsize - 1) * 2; + slice_h = (int)ceilf(s->pr_height / (float)s->nb_threads) + (s->bsize - 1) * 2; for (i = 0; i < s->nb_threads; i++) { s->slices[i] = av_malloc_array(linesize, slice_h * sizeof(*s->slices[i])); if (!s->slices[i]) diff --git a/libavfilter/vf_deshake.c b/libavfilter/vf_deshake.c index ccc263b5ce..b5d5457c5e 100644 --- a/libavfilter/vf_deshake.c +++ b/libavfilter/vf_deshake.c @@ -294,8 +294,8 @@ static void find_motion(DeshakeContext *deshake, uint8_t *src1, uint8_t *src2, for (x = 0; x < deshake->rx * 2 + 1; x++) { //av_log(NULL, AV_LOG_ERROR, "%5d ", deshake->counts[x][y]); if (deshake->counts[x][y] > count_max_value) { - t->vector.x = x - deshake->rx; - t->vector.y = y - deshake->ry; + t->vec.x = x - deshake->rx; + t->vec.y = y - deshake->ry; count_max_value = deshake->counts[x][y]; } } @@ -304,12 +304,12 @@ static void find_motion(DeshakeContext *deshake, uint8_t *src1, uint8_t *src2, p_x = (center_x - width / 2.0); p_y = (center_y - height / 2.0); - t->vector.x += (cos(t->angle)-1)*p_x - sin(t->angle)*p_y; - t->vector.y += sin(t->angle)*p_x + (cos(t->angle)-1)*p_y; + t->vec.x += (cos(t->angle)-1)*p_x - sin(t->angle)*p_y; + t->vec.y += sin(t->angle)*p_x + (cos(t->angle)-1)*p_y; // Clamp max shift & rotation? - t->vector.x = av_clipf(t->vector.x, -deshake->rx * 2, deshake->rx * 2); - t->vector.y = av_clipf(t->vector.y, -deshake->ry * 2, deshake->ry * 2); + t->vec.x = av_clipf(t->vec.x, -deshake->rx * 2, deshake->rx * 2); + t->vec.y = av_clipf(t->vec.y, -deshake->ry * 2, deshake->ry * 2); t->angle = av_clipf(t->angle, -0.1, 0.1); //av_log(NULL, AV_LOG_ERROR, "%d x %d\n", avg->x, avg->y); @@ -407,8 +407,8 @@ static int config_props(AVFilterLink *link) DeshakeContext *deshake = link->dst->priv; deshake->ref = NULL; - deshake->last.vector.x = 0; - deshake->last.vector.y = 0; + deshake->last.vec.x = 0; + deshake->last.vec.y = 0; deshake->last.angle = 0; deshake->last.zoom = 0; @@ -476,57 +476,57 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) // Copy transform so we can output it later to compare to the smoothed value - orig.vector.x = t.vector.x; - orig.vector.y = t.vector.y; + orig.vec.x = t.vec.x; + orig.vec.y = t.vec.y; orig.angle = t.angle; orig.zoom = t.zoom; // Generate a one-sided moving exponential average - deshake->avg.vector.x = alpha * t.vector.x + (1.0 - alpha) * deshake->avg.vector.x; - deshake->avg.vector.y = alpha * t.vector.y + (1.0 - alpha) * deshake->avg.vector.y; + deshake->avg.vec.x = alpha * t.vec.x + (1.0 - alpha) * deshake->avg.vec.x; + deshake->avg.vec.y = alpha * t.vec.y + (1.0 - alpha) * deshake->avg.vec.y; deshake->avg.angle = alpha * t.angle + (1.0 - alpha) * deshake->avg.angle; deshake->avg.zoom = alpha * t.zoom + (1.0 - alpha) * deshake->avg.zoom; // Remove the average from the current motion to detect the motion that // is not on purpose, just as jitter from bumping the camera - t.vector.x -= deshake->avg.vector.x; - t.vector.y -= deshake->avg.vector.y; + t.vec.x -= deshake->avg.vec.x; + t.vec.y -= deshake->avg.vec.y; t.angle -= deshake->avg.angle; t.zoom -= deshake->avg.zoom; // Invert the motion to undo it - t.vector.x *= -1; - t.vector.y *= -1; + t.vec.x *= -1; + t.vec.y *= -1; t.angle *= -1; // Write statistics to file if (deshake->fp) { - snprintf(tmp, 256, "%f, %f, %f, %f, %f, %f, %f, %f, %f, %f, %f, %f\n", orig.vector.x, deshake->avg.vector.x, t.vector.x, orig.vector.y, deshake->avg.vector.y, t.vector.y, orig.angle, deshake->avg.angle, t.angle, orig.zoom, deshake->avg.zoom, t.zoom); + snprintf(tmp, 256, "%f, %f, %f, %f, %f, %f, %f, %f, %f, %f, %f, %f\n", orig.vec.x, deshake->avg.vec.x, t.vec.x, orig.vec.y, deshake->avg.vec.y, t.vec.y, orig.angle, deshake->avg.angle, t.angle, orig.zoom, deshake->avg.zoom, t.zoom); fwrite(tmp, sizeof(char), strlen(tmp), deshake->fp); } // Turn relative current frame motion into absolute by adding it to the // last absolute motion - t.vector.x += deshake->last.vector.x; - t.vector.y += deshake->last.vector.y; + t.vec.x += deshake->last.vec.x; + t.vec.y += deshake->last.vec.y; t.angle += deshake->last.angle; t.zoom += deshake->last.zoom; // Shrink motion by 10% to keep things centered in the camera frame - t.vector.x *= 0.9; - t.vector.y *= 0.9; + t.vec.x *= 0.9; + t.vec.y *= 0.9; t.angle *= 0.9; // Store the last absolute motion information - deshake->last.vector.x = t.vector.x; - deshake->last.vector.y = t.vector.y; + deshake->last.vec.x = t.vec.x; + deshake->last.vec.y = t.vec.y; deshake->last.angle = t.angle; deshake->last.zoom = t.zoom; // Generate a luma transformation matrix - avfilter_get_matrix(t.vector.x, t.vector.y, t.angle, 1.0 + t.zoom / 100.0, matrix_y); + avfilter_get_matrix(t.vec.x, t.vec.y, t.angle, 1.0 + t.zoom / 100.0, matrix_y); // Generate a chroma transformation matrix - avfilter_get_matrix(t.vector.x / (link->w / CHROMA_WIDTH(link)), t.vector.y / (link->h / CHROMA_HEIGHT(link)), t.angle, 1.0 + t.zoom / 100.0, matrix_uv); + avfilter_get_matrix(t.vec.x / (link->w / CHROMA_WIDTH(link)), t.vec.y / (link->h / CHROMA_HEIGHT(link)), t.angle, 1.0 + t.zoom / 100.0, matrix_uv); // Transform the luma and chroma planes ret = deshake->transform(link->dst, link->w, link->h, CHROMA_WIDTH(link), CHROMA_HEIGHT(link), matrix_y, matrix_uv, INTERPOLATE_BILINEAR, deshake->edge, in, out); diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index 4fbb6c08d6..b41a195184 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -485,7 +485,7 @@ static int load_textfile(AVFilterContext *ctx) return err; } - if (!(tmp = av_realloc(s->text, textbuf_size + 1))) { + if (textbuf_size > SIZE_MAX - 1 || !(tmp = av_realloc(s->text, textbuf_size + 1))) { av_file_unmap(textbuf, textbuf_size); return AVERROR(ENOMEM); } @@ -716,6 +716,8 @@ static av_cold void uninit(AVFilterContext *ctx) #if FF_API_DRAWTEXT_OLD_TIMELINE av_expr_free(s->draw_pexpr); s->x_pexpr = s->y_pexpr = s->draw_pexpr = NULL; +#else + s->x_pexpr = s->y_pexpr = NULL; #endif av_freep(&s->positions); s->nb_positions = 0; @@ -1208,7 +1210,9 @@ static int draw_text(AVFilterContext *ctx, AVFrame *frame, dummy.code = code; glyph = av_tree_find(s->glyphs, &dummy, glyph_cmp, NULL); if (!glyph) { - load_glyph(ctx, &glyph, code); + ret = load_glyph(ctx, &glyph, code); + if (ret < 0) + return ret; } y_min = FFMIN(glyph->bbox.yMin, y_min); diff --git a/libavfilter/vf_fade.c b/libavfilter/vf_fade.c index 80ce75dcda..a7597cdff0 100644 --- a/libavfilter/vf_fade.c +++ b/libavfilter/vf_fade.c @@ -138,7 +138,9 @@ static int config_props(AVFilterLink *inlink) s->hsub = pixdesc->log2_chroma_w; s->vsub = pixdesc->log2_chroma_h; - s->bpp = av_get_bits_per_pixel(pixdesc) >> 3; + s->bpp = pixdesc->flags & AV_PIX_FMT_FLAG_PLANAR ? + 1 : + av_get_bits_per_pixel(pixdesc) >> 3; s->alpha &= !!(pixdesc->flags & AV_PIX_FMT_FLAG_ALPHA); s->is_packed_rgb = ff_fill_rgba_map(s->rgba_map, inlink->format) >= 0; diff --git a/libavfilter/vf_format.c b/libavfilter/vf_format.c index 13b41e4663..96cb7fd077 100644 --- a/libavfilter/vf_format.c +++ b/libavfilter/vf_format.c @@ -60,8 +60,10 @@ static av_cold int init(AVFilterContext *ctx) int i; int ret; - if (!s->pix_fmts) + if (!s->pix_fmts) { + av_log(ctx, AV_LOG_ERROR, "Empty output format string.\n"); return AVERROR(EINVAL); + } /* count the formats */ cur = s->pix_fmts; diff --git a/libavfilter/vf_framepack.c b/libavfilter/vf_framepack.c index 8a7d4e8f32..f5215fed9d 100644 --- a/libavfilter/vf_framepack.c +++ b/libavfilter/vf_framepack.c @@ -82,6 +82,7 @@ static int config_output(AVFilterLink *outlink) int width = ctx->inputs[LEFT]->w; int height = ctx->inputs[LEFT]->h; AVRational time_base = ctx->inputs[LEFT]->time_base; + AVRational frame_rate = ctx->inputs[LEFT]->frame_rate; // check size and fps match on the other input if (width != ctx->inputs[RIGHT]->w || @@ -93,11 +94,18 @@ static int config_output(AVFilterLink *outlink) return AVERROR_INVALIDDATA; } else if (av_cmp_q(time_base, ctx->inputs[RIGHT]->time_base) != 0) { av_log(ctx, AV_LOG_ERROR, - "Left and right framerates differ (%d/%d vs %d/%d).\n", + "Left and right time bases differ (%d/%d vs %d/%d).\n", time_base.num, time_base.den, ctx->inputs[RIGHT]->time_base.num, ctx->inputs[RIGHT]->time_base.den); return AVERROR_INVALIDDATA; + } else if (av_cmp_q(frame_rate, ctx->inputs[RIGHT]->frame_rate) != 0) { + av_log(ctx, AV_LOG_ERROR, + "Left and right framerates differ (%d/%d vs %d/%d).\n", + frame_rate.num, frame_rate.den, + ctx->inputs[RIGHT]->frame_rate.num, + ctx->inputs[RIGHT]->frame_rate.den); + return AVERROR_INVALIDDATA; } s->pix_desc = av_pix_fmt_desc_get(outlink->format); @@ -108,6 +116,8 @@ static int config_output(AVFilterLink *outlink) switch (s->format) { case AV_STEREO3D_FRAMESEQUENCE: time_base.den *= 2; + frame_rate.num *= 2; + s->double_pts = AV_NOPTS_VALUE; break; case AV_STEREO3D_COLUMNS: @@ -126,6 +136,7 @@ static int config_output(AVFilterLink *outlink) outlink->w = width; outlink->h = height; outlink->time_base = time_base; + outlink->frame_rate= frame_rate; return 0; } diff --git a/libavfilter/vf_lut.c b/libavfilter/vf_lut.c index fff5a2ba31..0b7a2cac02 100644 --- a/libavfilter/vf_lut.c +++ b/libavfilter/vf_lut.c @@ -161,15 +161,32 @@ static double compute_gammaval(void *opaque, double gamma) return pow((val-minval)/(maxval-minval), gamma) * (maxval-minval)+minval; } +/** + * Compute Rec.709 gama correction of value val + */ +static double compute_gammaval709(void *opaque, double gamma) +{ + LutContext *s = opaque; + double val = s->var_values[VAR_CLIPVAL]; + double minval = s->var_values[VAR_MINVAL]; + double maxval = s->var_values[VAR_MAXVAL]; + double level = (val - minval) / (maxval - minval); + level = level < 0.018 ? 4.5 * level + : 1.099 * pow(level, 1.0 / gamma) - 0.099; + return level * (maxval - minval) + minval; +} + static double (* const funcs1[])(void *, double) = { (void *)clip, (void *)compute_gammaval, + (void *)compute_gammaval709, NULL }; static const char * const funcs1_names[] = { "clip", "gammaval", + "gammaval709", NULL }; diff --git a/libavfilter/vf_mpdecimate.c b/libavfilter/vf_mpdecimate.c index 3ed96024c3..94c9e0bd9d 100644 --- a/libavfilter/vf_mpdecimate.c +++ b/libavfilter/vf_mpdecimate.c @@ -120,10 +120,13 @@ static int decimate_frame(AVFilterContext *ctx, cur->data[plane], cur->linesize[plane], ref->data[plane], ref->linesize[plane], FF_CEIL_RSHIFT(ref->width, hsub), - FF_CEIL_RSHIFT(ref->height, vsub))) + FF_CEIL_RSHIFT(ref->height, vsub))) { + emms_c(); return 0; + } } + emms_c(); return 1; } diff --git a/libavfilter/vf_sab.c b/libavfilter/vf_sab.c index aa38b533fe..b8af27cdcd 100644 --- a/libavfilter/vf_sab.c +++ b/libavfilter/vf_sab.c @@ -220,6 +220,19 @@ static int config_props(AVFilterLink *inlink) #define NB_PLANES 4 +static inline int mirror(int x, int w) +{ + if (!w) + return 0; + + while ((unsigned)x > (unsigned)w) { + x = -x; + if (x < 0) + x += 2 * w; + } + return x; +} + static void blur(uint8_t *dst, const int dst_linesize, const uint8_t *src, const int src_linesize, const int w, const int h, FilterParam *fp) @@ -253,8 +266,7 @@ static void blur(uint8_t *dst, const int dst_linesize, for (dy = 0; dy < radius*2 + 1; dy++) { int dx; int iy = y+dy - radius; - if (iy < 0) iy = -iy; - else if (iy >= h) iy = h+h-iy-1; + iy = mirror(iy, h-1); for (dx = 0; dx < radius*2 + 1; dx++) { const int ix = x+dx - radius; @@ -265,13 +277,11 @@ static void blur(uint8_t *dst, const int dst_linesize, for (dy = 0; dy < radius*2+1; dy++) { int dx; int iy = y+dy - radius; - if (iy < 0) iy = -iy; - else if (iy >= h) iy = h+h-iy-1; + iy = mirror(iy, h-1); for (dx = 0; dx < radius*2 + 1; dx++) { int ix = x+dx - radius; - if (ix < 0) ix = -ix; - else if (ix >= w) ix = w+w-ix-1; + ix = mirror(ix, w-1); UPDATE_FACTOR; } } diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 506254f500..64b88c2357 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -557,10 +557,10 @@ static const AVOption scale_options[] = { { "mpeg", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = AVCOL_RANGE_MPEG}, 0, 0, FLAGS, "range" }, { "tv", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = AVCOL_RANGE_MPEG}, 0, 0, FLAGS, "range" }, { "pc", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = AVCOL_RANGE_JPEG}, 0, 0, FLAGS, "range" }, - { "in_v_chr_pos", "input vertical chroma position in luma grid/256" , OFFSET(in_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1}, -1, 512, FLAGS }, - { "in_h_chr_pos", "input horizontal chroma position in luma grid/256", OFFSET(in_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1}, -1, 512, FLAGS }, - { "out_v_chr_pos", "output vertical chroma position in luma grid/256" , OFFSET(out_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1}, -1, 512, FLAGS }, - { "out_h_chr_pos", "output horizontal chroma position in luma grid/256", OFFSET(out_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1}, -1, 512, FLAGS }, + { "in_v_chr_pos", "input vertical chroma position in luma grid/256" , OFFSET(in_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513}, -513, 512, FLAGS }, + { "in_h_chr_pos", "input horizontal chroma position in luma grid/256", OFFSET(in_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513}, -513, 512, FLAGS }, + { "out_v_chr_pos", "output vertical chroma position in luma grid/256" , OFFSET(out_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513}, -513, 512, FLAGS }, + { "out_h_chr_pos", "output horizontal chroma position in luma grid/256", OFFSET(out_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513}, -513, 512, FLAGS }, { "force_original_aspect_ratio", "decrease or increase w/h if necessary to keep the original AR", OFFSET(force_original_aspect_ratio), AV_OPT_TYPE_INT, { .i64 = 0}, 0, 2, FLAGS, "force_oar" }, { "disable", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = 0 }, 0, 0, FLAGS, "force_oar" }, { "decrease", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = 1 }, 0, 0, FLAGS, "force_oar" }, diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c index 8201c2d44a..aa3bc83090 100644 --- a/libavfilter/vf_showinfo.c +++ b/libavfilter/vf_showinfo.c @@ -86,9 +86,9 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) int i, plane, vsub = desc->log2_chroma_h; for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) { - int64_t linesize = av_image_get_linesize(frame->format, frame->width, plane); uint8_t *data = frame->data[plane]; int h = plane == 1 || plane == 2 ? FF_CEIL_RSHIFT(inlink->h, vsub) : inlink->h; + int linesize = av_image_get_linesize(frame->format, frame->width, plane); if (linesize < 0) return linesize; diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index d9b165cfeb..6ae5fce815 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -152,7 +152,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int hsub = plane == 1 || plane == 2 ? trans->hsub : 0; int vsub = plane == 1 || plane == 2 ? trans->vsub : 0; int pixstep = trans->pixsteps[plane]; - int inh = in->height >> vsub; + int inh = FF_CEIL_RSHIFT(in->height, vsub); int outw = FF_CEIL_RSHIFT(out->width, hsub); int outh = FF_CEIL_RSHIFT(out->height, vsub); int start = (outh * jobnr ) / nb_jobs; diff --git a/libavfilter/x86/vf_hqdn3d.asm b/libavfilter/x86/vf_hqdn3d.asm index 961127e670..e3b1bdca53 100644 --- a/libavfilter/x86/vf_hqdn3d.asm +++ b/libavfilter/x86/vf_hqdn3d.asm @@ -27,8 +27,8 @@ SECTION .text %if lut_bits != 8 sar %1q, 8-lut_bits %endif - movsx %1d, word [%3q+%1q*2] - add %1d, %2d + movsx %1q, word [%3q+%1q*2] + add %1q, %2q %endmacro %macro LOAD 3 ; dstreg, x, bitdepth diff --git a/libavformat/act.c b/libavformat/act.c index 3f223d57b6..faa693ccb9 100644 --- a/libavformat/act.c +++ b/libavformat/act.c @@ -75,7 +75,7 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 16); size=avio_rl32(pb); - ff_get_wav_header(pb, st->codec, size); + ff_get_wav_header(s, pb, st->codec, size); /* 8000Hz (Fine-rec) file format has 10 bytes long diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c index ddaa201179..e7107ac579 100644 --- a/libavformat/adxdec.c +++ b/libavformat/adxdec.c @@ -40,6 +40,11 @@ static int adx_read_packet(AVFormatContext *s, AVPacket *pkt) AVCodecContext *avctx = s->streams[0]->codec; int ret, size; + if (avctx->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + size = BLOCK_SIZE * avctx->channels; pkt->pos = avio_tell(s->pb); @@ -83,8 +88,14 @@ static int adx_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid extradata size.\n"); return AVERROR_INVALIDDATA; } + avctx->channels = AV_RB8(avctx->extradata + 7); avctx->sample_rate = AV_RB32(avctx->extradata + 8); + if (avctx->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + st->codec->codec_type = AVMEDIA_TYPE_AUDIO; st->codec->codec_id = s->iformat->raw_codec_id; diff --git a/libavformat/allformats.c b/libavformat/allformats.c index 8f70c4b12a..0ca0e98f30 100644 --- a/libavformat/allformats.c +++ b/libavformat/allformats.c @@ -54,7 +54,6 @@ void av_register_all(void) if (initialized) return; - initialized = 1; avcodec_register_all(); @@ -381,4 +380,6 @@ void av_register_all(void) REGISTER_PROTOCOL(LIBRTMPTE, librtmpte); REGISTER_PROTOCOL(LIBSSH, libssh); REGISTER_PROTOCOL(LIBSMBCLIENT, libsmbclient); + + initialized = 1; } diff --git a/libavformat/apetag.c b/libavformat/apetag.c index 7d2f0b3222..c8d1bdca5a 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -55,8 +55,10 @@ static int ape_tag_read_field(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key); return -1; } - if (size >= UINT_MAX) - return -1; + if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + av_log(s, AV_LOG_ERROR, "APE tag size too large.\n"); + return AVERROR_INVALIDDATA; + } if (flags & APE_TAG_FLAG_IS_BINARY) { uint8_t filename[1024]; enum AVCodecID id; diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 7f7bb4d5d4..94892328aa 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -423,7 +423,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) st->codec->codec_type = type; if (type == AVMEDIA_TYPE_AUDIO) { - int ret = ff_get_wav_header(pb, st->codec, type_specific_size); + int ret = ff_get_wav_header(s, pb, st->codec, type_specific_size); if (ret < 0) return ret; if (is_dvr_ms_audio) { @@ -694,13 +694,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) count = avio_rl32(pb); // markers count avio_rl16(pb); // reserved 2 bytes name_len = avio_rl16(pb); // name length - for (i = 0; i < name_len; i++) - avio_r8(pb); // skip the name + avio_skip(pb, name_len); for (i = 0; i < count; i++) { int64_t pres_time; int name_len; + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 10000; @@ -1524,6 +1526,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) int64_t pos = s->data_offset + s->packet_size * (int64_t)pktnum; int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0); + if (avio_feof(s->pb)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + if (pos != last_pos) { av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts); diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index cccbf858c7..6d8bfcf9e4 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c @@ -664,6 +664,7 @@ static int asf_write_header(AVFormatContext *s) * It is needed to use asf as a streamable format. */ if (asf_write_header1(s, 0, DATA_HEADER_SIZE) < 0) { //av_free(asf); + av_freep(&asf->index_ptr); return -1; } @@ -928,6 +929,11 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts; av_assert0(pts != AV_NOPTS_VALUE); + if ( pts < - PREROLL_TIME + || pts > (INT_MAX-3)/10000LL * ASF_INDEXED_INTERVAL - PREROLL_TIME) { + av_log(s, AV_LOG_ERROR, "input pts %"PRId64" is invalid\n", pts); + return AVERROR(EINVAL); + } pts *= 10000; asf->duration = FFMAX(asf->duration, pts + pkt->duration * 10000); diff --git a/libavformat/audiointerleave.c b/libavformat/audiointerleave.c index 80bf768579..b64010ff44 100644 --- a/libavformat/audiointerleave.c +++ b/libavformat/audiointerleave.c @@ -80,13 +80,14 @@ static int interleave_new_audio_packet(AVFormatContext *s, AVPacket *pkt, { AVStream *st = s->streams[stream_index]; AudioInterleaveContext *aic = st->priv_data; - + int ret; int size = FFMIN(av_fifo_size(aic->fifo), *aic->samples * aic->sample_size); if (!size || (!flush && size == av_fifo_size(aic->fifo))) return 0; - if (av_new_packet(pkt, size) < 0) - return AVERROR(ENOMEM); + ret = av_new_packet(pkt, size); + if (ret < 0) + return ret; av_fifo_generic_read(aic->fifo, pkt->data, size, NULL); pkt->dts = pkt->pts = aic->dts; diff --git a/libavformat/avformat.h b/libavformat/avformat.h index b915148ad7..c6fd395724 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -78,6 +78,18 @@ * if its AVClass is non-NULL, and the protocols layer. See the discussion on * nesting in @ref avoptions documentation to learn how to access those. * + * @section urls + * URL strings in libavformat are made of a scheme/protocol, a ':', and a + * scheme specific string. URLs without a scheme and ':' used for local files + * are supported but deprecated. "file:" should be used for local files. + * + * It is important that the scheme string is not taken from untrusted + * sources without checks. + * + * Note that some schemes/protocols are quite powerful, allowing access to + * both local and remote files, parts of them, concatenations of them, local + * audio and video devices and so on. + * * @defgroup lavf_decoding Demuxing * @{ * Demuxers read a media file and split it into chunks of data (@em packets). A @@ -88,10 +100,10 @@ * cleanup. * * @section lavf_decoding_open Opening a media file - * The minimum information required to open a file is its URL or filename, which + * The minimum information required to open a file is its URL, which * is passed to avformat_open_input(), as in the following code: * @code - * const char *url = "in.mp3"; + * const char *url = "file:in.mp3"; * AVFormatContext *s = NULL; * int ret = avformat_open_input(&s, url, NULL, NULL); * if (ret < 0) @@ -916,7 +928,7 @@ typedef struct AVStream { /** * Stream information used internally by av_find_stream_info() */ -#define MAX_STD_TIMEBASES (60*12+6) +#define MAX_STD_TIMEBASES (30*12+30+3+6) struct { int64_t last_dts; int64_t duration_gcd; @@ -1938,7 +1950,7 @@ AVInputFormat *av_probe_input_format3(AVProbeData *pd, int is_opened, int *score * * @param pb the bytestream to probe * @param fmt the input format is put here - * @param filename the filename of the stream + * @param url the url of the stream * @param logctx the log context * @param offset the offset within the bytestream to probe from * @param max_probe_size the maximum probe buffer size (zero for default) @@ -1947,14 +1959,14 @@ AVInputFormat *av_probe_input_format3(AVProbeData *pd, int is_opened, int *score * AVERROR code otherwise */ int av_probe_input_buffer2(AVIOContext *pb, AVInputFormat **fmt, - const char *filename, void *logctx, + const char *url, void *logctx, unsigned int offset, unsigned int max_probe_size); /** * Like av_probe_input_buffer2() but returns 0 on success */ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, - const char *filename, void *logctx, + const char *url, void *logctx, unsigned int offset, unsigned int max_probe_size); /** @@ -1965,7 +1977,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, * May be a pointer to NULL, in which case an AVFormatContext is allocated by this * function and written into ps. * Note that a user-supplied AVFormatContext will be freed on failure. - * @param filename Name of the stream to open. + * @param url URL of the stream to open. * @param fmt If non-NULL, this parameter forces a specific input format. * Otherwise the format is autodetected. * @param options A dictionary filled with AVFormatContext and demuxer-private options. @@ -1976,7 +1988,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, * * @note If you want to use custom IO, preallocate the format context and set its pb field. */ -int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputFormat *fmt, AVDictionary **options); +int avformat_open_input(AVFormatContext **ps, const char *url, AVInputFormat *fmt, AVDictionary **options); attribute_deprecated int av_demuxer_open(AVFormatContext *ic); diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 5b260e2542..08f6f67a50 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -340,14 +340,14 @@ static void avi_metadata_creation_time(AVDictionary **metadata, char *date) static void avi_read_nikon(AVFormatContext *s, uint64_t end) { - while (avio_tell(s->pb) < end) { + while (avio_tell(s->pb) < end && !avio_feof(s->pb)) { uint32_t tag = avio_rl32(s->pb); uint32_t size = avio_rl32(s->pb); switch (tag) { case MKTAG('n', 'c', 't', 'g'): /* Nikon Tags */ { uint64_t tag_end = avio_tell(s->pb) + size; - while (avio_tell(s->pb) < tag_end) { + while (avio_tell(s->pb) < tag_end && !avio_feof(s->pb)) { uint16_t tag = avio_rl16(s->pb); uint16_t size = avio_rl16(s->pb); const char *name = NULL; @@ -447,6 +447,7 @@ static int calculate_bitrate(AVFormatContext *s) int64_t len = 0; AVStream *st = s->streams[i]; int64_t duration; + int64_t bitrate; for (j = 0; j < st->nb_index_entries; j++) len += st->index_entries[j].size; @@ -454,7 +455,10 @@ static int calculate_bitrate(AVFormatContext *s) if (st->nb_index_entries < 2 || st->codec->bit_rate > 0) continue; duration = st->index_entries[j-1].timestamp - st->index_entries[0].timestamp; - st->codec->bit_rate = av_rescale(8*len, st->time_base.den, duration * st->time_base.num); + bitrate = av_rescale(8*len, st->time_base.den, duration * st->time_base.num); + if (bitrate <= INT_MAX && bitrate > 0) { + st->codec->bit_rate = bitrate; + } } return 1; } @@ -685,6 +689,23 @@ static int avi_read_header(AVFormatContext *s) default: av_log(s, AV_LOG_INFO, "unknown stream type %X\n", tag1); } + + if (ast->sample_size < 0) { + if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, + "Invalid sample_size %d at stream %d\n", + ast->sample_size, + stream_index); + goto fail; + } + av_log(s, AV_LOG_WARNING, + "Invalid sample_size %d at stream %d " + "setting it to 0\n", + ast->sample_size, + stream_index); + ast->sample_size = 0; + } + if (ast->sample_size == 0) { st->duration = st->nb_frames; if (st->duration > 0 && avi->io_fsize > 0 && avi->riff_end > avi->io_fsize) { @@ -790,7 +811,7 @@ static int avi_read_header(AVFormatContext *s) // avio_skip(pb, size - 5 * 4); break; case AVMEDIA_TYPE_AUDIO: - ret = ff_get_wav_header(pb, st->codec, size); + ret = ff_get_wav_header(s, pb, st->codec, size); if (ret < 0) return ret; ast->dshow_block_align = st->codec->block_align; @@ -1031,11 +1052,16 @@ static int read_gab2_sub(AVStream *st, AVPacket *pkt) if (!sub_demuxer) goto error; + if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")) + goto error; + if (!(ast->sub_ctx = avformat_alloc_context())) goto error; ast->sub_ctx->pb = pb; if (!avformat_open_input(&ast->sub_ctx, "", sub_demuxer, NULL)) { + if (ast->sub_ctx->nb_streams != 1) + goto error; ff_read_packet(ast->sub_ctx, &ast->sub_pkt); *st->codec = *ast->sub_ctx->streams[0]->codec; ast->sub_ctx->streams[0]->codec->extradata = NULL; @@ -1141,7 +1167,7 @@ start_sync: goto start_sync; } - n = avi->dv_demux ? 0 : get_stream_idx(d); + n = get_stream_idx(d); if (!((i - avi->last_pkt_pos) & 1) && get_stream_idx(d + 1) < s->nb_streams) @@ -1153,6 +1179,9 @@ start_sync: goto start_sync; } + if (avi->dv_demux && n != 0) + continue; + // parse ##dc/##wb if (n < s->nb_streams) { AVStream *st; @@ -1524,7 +1553,8 @@ static int avi_read_idx1(AVFormatContext *s, int size) ast = st->priv_data; if (first_packet && first_packet_pos) { - data_offset = first_packet_pos - pos; + if (avi->movi_list + 4 != pos || pos + 500 > first_packet_pos) + data_offset = first_packet_pos - pos; first_packet = 0; } pos += data_offset; @@ -1780,7 +1810,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, continue; // av_assert1(st2->codec->block_align); - av_assert0(fabs(av_q2d(st2->time_base) - ast2->scale / (double)ast2->rate) < av_q2d(st2->time_base) * 0.00000001); index = av_index_search_timestamp(st2, av_rescale_q(timestamp, st->time_base, diff --git a/libavformat/avio.c b/libavformat/avio.c index 326bb0aa78..78d15cc40d 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -155,9 +155,16 @@ static int url_alloc_for_protocol(URLContext **puc, struct URLProtocol *up, char sep= *++p; char *key, *val; p++; + + if (strcmp(up->name, "subfile")) + ret = AVERROR(EINVAL); + while(ret >= 0 && (key= strchr(p, sep)) && ppriv_data, p, key+1, 0); + if (strcmp(p, "start") && strcmp(p, "end")) { + ret = AVERROR_OPTION_NOT_FOUND; + } else + ret= av_opt_set(uc->priv_data, p, key+1, 0); if (ret == AVERROR_OPTION_NOT_FOUND) av_log(uc, AV_LOG_ERROR, "Key '%s' not found.\n", p); *val= *key= sep; @@ -222,7 +229,7 @@ static struct URLProtocol *url_find_protocol(const char *filename) size_t proto_len = strspn(filename, URL_SCHEME_CHARS); if (filename[proto_len] != ':' && - (filename[proto_len] != ',' || !strchr(filename + proto_len + 1, ':')) || + (strncmp(filename, "subfile,", 8) || !strchr(filename + proto_len + 1, ':')) || is_dos_path(filename)) strcpy(proto_str, "file"); else diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 9795ba46df..8033041fe6 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -219,8 +219,13 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; } + if (offset < 0) + return AVERROR(EINVAL); + offset1 = offset - pos; if (!s->must_flush && (!s->direct || !s->seek) && offset1 >= 0 && offset1 <= buffer_size) { @@ -353,6 +358,8 @@ int avio_put_str16le(AVIOContext *s, const char *str) invalid: av_log(s, AV_LOG_ERROR, "Invaid UTF8 sequence in avio_put_str16le\n"); err = AVERROR(EINVAL); + if (!*(q-1)) + break; } avio_wl16(s, 0); if (err) @@ -674,7 +681,7 @@ int ff_get_line(AVIOContext *s, char *buf, int maxlen) if (c && i < maxlen-1) buf[i++] = c; } while (c != '\n' && c != '\r' && c); - if (c == '\r' && avio_r8(s) != '\n') + if (c == '\r' && avio_r8(s) != '\n' && !avio_feof(s)) avio_skip(s, -1); buf[i] = 0; @@ -780,6 +787,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE; int filled = s->buf_end - s->buffer; + ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1; buf_size += s->buf_ptr - s->buffer + max_buffer_size; @@ -797,6 +805,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) s->buf_end = buffer + (s->buf_end - s->buffer); s->buffer = buffer; s->buffer_size = buf_size; + if (checksum_ptr_offset >= 0) + s->checksum_ptr = s->buffer + checksum_ptr_offset; return 0; } @@ -1095,7 +1105,6 @@ int avio_close_dyn_buf(AVIOContext *s, uint8_t **pbuffer) *pbuffer = NULL; return 0; } - d = s->opaque; /* don't attempt to pad fixed-size packet buffers */ if (!s->max_packet_size) { @@ -1105,6 +1114,7 @@ int avio_close_dyn_buf(AVIOContext *s, uint8_t **pbuffer) avio_flush(s); + d = s->opaque; *pbuffer = d->buffer; size = d->size; av_free(d); diff --git a/libavformat/bink.c b/libavformat/bink.c index 395c8d9aa8..350c64f7bb 100644 --- a/libavformat/bink.c +++ b/libavformat/bink.c @@ -194,7 +194,10 @@ static int read_header(AVFormatContext *s) return ret; } - avio_seek(pb, vst->index_entries[0].pos, SEEK_SET); + if (vst->index_entries) + avio_seek(pb, vst->index_entries[0].pos, SEEK_SET); + else + avio_skip(pb, 4); bink->current_track = -1; return 0; diff --git a/libavformat/bit.c b/libavformat/bit.c index 7b807b9bc1..138d2feadb 100644 --- a/libavformat/bit.c +++ b/libavformat/bit.c @@ -119,8 +119,12 @@ static int write_header(AVFormatContext *s) { AVCodecContext *enc = s->streams[0]->codec; - enc->codec_id = AV_CODEC_ID_G729; - enc->channels = 1; + if ((enc->codec_id != AV_CODEC_ID_G729) || enc->channels != 1) { + av_log(s, AV_LOG_ERROR, + "only codec g729 with 1 channel is supported by this format\n"); + return AVERROR(EINVAL); + } + enc->bits_per_coded_sample = 16; enc->block_align = (enc->bits_per_coded_sample * enc->channels) >> 3; @@ -133,6 +137,9 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) GetBitContext gb; int i; + if (pkt->size != 10) + return AVERROR(EINVAL); + avio_wl16(pb, SYNC_WORD); avio_wl16(pb, 8 * 10); diff --git a/libavformat/brstm.c b/libavformat/brstm.c index 19a4a2a96b..6afae73b2f 100644 --- a/libavformat/brstm.c +++ b/libavformat/brstm.c @@ -260,6 +260,16 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) if (codec->codec_id == AV_CODEC_ID_ADPCM_THP) { uint8_t *dst; + if (!b->adpc) { + av_log(s, AV_LOG_ERROR, "adpcm_thp requires ADPC chunk, but none was found.\n"); + return AVERROR_INVALIDDATA; + } + if (!b->table) { + b->table = av_mallocz(32 * codec->channels); + if (!b->table) + return AVERROR(ENOMEM); + } + if (av_new_packet(pkt, 8 + (32 + 4) * codec->channels + size) < 0) return AVERROR(ENOMEM); dst = pkt->data; diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index e3e379aef7..6d8e750b83 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c @@ -127,6 +127,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); + if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + return AVERROR_INVALIDDATA; image_size = FFALIGN(width, 16) * height * cdxl->header[19] / 8; video_size = palette_size + image_size; diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index 9eed006e53..22af00771c 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -27,6 +27,7 @@ #include "libavutil/intreadwrite.h" #include "libavcodec/bmp.h" +#include "libavutil/intfloat.h" #include "avformat.h" #include "internal.h" @@ -78,6 +79,16 @@ static int set_metadata_int(AVDictionary **dict, const char *key, int value, int return 0; } +static int set_metadata_float(AVDictionary **dict, const char *key, float value, int allow_zero) +{ + if (value != 0 || allow_zero) { + char tmp[64]; + snprintf(tmp, sizeof(tmp), "%f", value); + return av_dict_set(dict, key, tmp, 0); + } + return 0; +} + static int cine_read_header(AVFormatContext *avctx) { AVIOContext *pb = avctx->pb; @@ -177,7 +188,10 @@ static int cine_read_header(AVFormatContext *avctx) set_metadata_int(&st->metadata, "contrast", avio_rl32(pb), 1); set_metadata_int(&st->metadata, "gamma", avio_rl32(pb), 1); - avio_skip(pb, 72); // Reserved1 .. WBView + avio_skip(pb, 12 + 16); // Reserved1 .. AutoExpRect + set_metadata_float(&st->metadata, "wbgain[0].r", av_int2float(avio_rl32(pb)), 1); + set_metadata_float(&st->metadata, "wbgain[0].b", av_int2float(avio_rl32(pb)), 1); + avio_skip(pb, 36); // WBGain[1].. WBView st->codec->bits_per_coded_sample = avio_rl32(pb); @@ -253,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx) /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); - for (i = 0; i < st->duration; i++) + for (i = 0; i < st->duration; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); + } return 0; } diff --git a/libavformat/concat.c b/libavformat/concat.c index 3bbc83dfef..a1ab772193 100644 --- a/libavformat/concat.c +++ b/libavformat/concat.c @@ -64,7 +64,10 @@ static av_cold int concat_open(URLContext *h, const char *uri, int flags) struct concat_data *data = h->priv_data; struct concat_nodes *nodes; - av_strstart(uri, "concat:", &uri); + if (!av_strstart(uri, "concat:", &uri)) { + av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); + return AVERROR(EINVAL); + } for (i = 0, len = 1; uri[i]; i++) if (uri[i] == *AV_CAT_SEPARATOR) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 9e9857958d..a749515021 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -604,7 +604,7 @@ static int concat_seek(AVFormatContext *avf, int stream, static const AVOption options[] = { { "safe", "enable safe mode", - OFFSET(safe), AV_OPT_TYPE_INT, {.i64 = -1}, -1, 1, DEC }, + OFFSET(safe), AV_OPT_TYPE_INT, {.i64 = 1}, -1, 1, DEC }, { "auto_convert", "automatically convert bitstream format", OFFSET(auto_convert), AV_OPT_TYPE_INT, {.i64 = 0}, 0, 1, DEC }, { NULL } diff --git a/libavformat/dtsdec.c b/libavformat/dtsdec.c index f6a939a1d8..d054f43537 100644 --- a/libavformat/dtsdec.c +++ b/libavformat/dtsdec.c @@ -34,7 +34,7 @@ static int dts_probe(AVProbeData *p) { const uint8_t *buf, *bufp; uint32_t state = -1; - int markers[4] = {0}; + int markers[4*16] = {0}; int sum, max, i; int64_t diff = 0; uint8_t hdr[12 + FF_INPUT_BUFFER_PADDING_SIZE] = { 0 }; @@ -43,6 +43,7 @@ static int dts_probe(AVProbeData *p) for(; buf < (p->buf+p->buf_size)-2; buf+=2) { int marker, sample_blocks, sample_rate, sr_code, framesize; + int lfe; GetBitContext gb; bufp = buf; @@ -89,13 +90,27 @@ static int dts_probe(AVProbeData *p) if (sample_rate == 0) continue; + get_bits(&gb, 5); + if (get_bits(&gb, 1)) + continue; + + skip_bits_long(&gb, 9); + lfe = get_bits(&gb, 2); + if (lfe > 2) + continue; + + marker += 4* sr_code; + markers[marker] ++; } - sum = markers[0] + markers[1] + markers[2] + markers[3]; - max = 0; - for (i=1; i<4; i++) + + sum = max = 0; + for (i=0; i 3 && p->buf_size / markers[max] < 32*1024 && markers[max] * 4 > sum * 3 && diff / p->buf_size > 200) diff --git a/libavformat/dump.c b/libavformat/dump.c index 3a7adbe014..4a88e0743c 100644 --- a/libavformat/dump.c +++ b/libavformat/dump.c @@ -363,8 +363,8 @@ static void dump_stream_format(AVFormatContext *ic, int i, av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)) { AVRational display_aspect_ratio; av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den, - st->codec->width * st->sample_aspect_ratio.num, - st->codec->height * st->sample_aspect_ratio.den, + st->codec->width * (int64_t)st->sample_aspect_ratio.num, + st->codec->height * (int64_t)st->sample_aspect_ratio.den, 1024 * 1024); av_log(NULL, AV_LOG_INFO, ", SAR %d:%d DAR %d:%d", st->sample_aspect_ratio.num, st->sample_aspect_ratio.den, @@ -430,7 +430,7 @@ void av_dump_format(AVFormatContext *ic, int index, av_log(NULL, AV_LOG_INFO, " Duration: "); if (ic->duration != AV_NOPTS_VALUE) { int hours, mins, secs, us; - int64_t duration = ic->duration + 5000; + int64_t duration = ic->duration + (ic->duration <= INT64_MAX - 5000 ? 5000 : 0); secs = duration / AV_TIME_BASE; us = duration % AV_TIME_BASE; mins = secs / 60; diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 6ad1c9ffac..9ddfbc3212 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -106,7 +106,7 @@ static int dxa_read_header(AVFormatContext *s) ast = avformat_new_stream(s, NULL); if (!ast) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, ast->codec, fsize); + ret = ff_get_wav_header(s, pb, ast->codec, fsize); if (ret < 0) return ret; if (ast->codec->sample_rate > 0) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 448762b026..9a7d3a2e71 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -79,6 +79,7 @@ static int ffm_read_data(AVFormatContext *s, FFMContext *ffm = s->priv_data; AVIOContext *pb = s->pb; int len, fill_size, size1, frame_offset, id; + int64_t last_pos = -1; size1 = size; while (size > 0) { @@ -94,35 +95,44 @@ static int ffm_read_data(AVFormatContext *s, retry_read: if (pb->buffer_size != ffm->packet_size) { int64_t tell = avio_tell(pb); - ffio_set_buf_size(pb, ffm->packet_size); + int ret = ffio_set_buf_size(pb, ffm->packet_size); + if (ret < 0) + return ret; avio_seek(pb, tell, SEEK_SET); } id = avio_rb16(pb); /* PACKET_ID */ - if (id != PACKET_ID) + if (id != PACKET_ID) { if (ffm_resync(s, id) < 0) return -1; + last_pos = avio_tell(pb); + } fill_size = avio_rb16(pb); ffm->dts = avio_rb64(pb); frame_offset = avio_rb16(pb); avio_read(pb, ffm->packet, ffm->packet_size - FFM_HEADER_SIZE); - ffm->packet_end = ffm->packet + (ffm->packet_size - FFM_HEADER_SIZE - fill_size); - if (ffm->packet_end < ffm->packet || frame_offset < 0) + if (ffm->packet_size < FFM_HEADER_SIZE + fill_size || frame_offset < 0) { return -1; + } + ffm->packet_end = ffm->packet + (ffm->packet_size - FFM_HEADER_SIZE - fill_size); /* if first packet or resynchronization packet, we must handle it specifically */ if (ffm->first_packet || (frame_offset & 0x8000)) { if (!frame_offset) { /* This packet has no frame headers in it */ if (avio_tell(pb) >= ffm->packet_size * 3LL) { - avio_seek(pb, -ffm->packet_size * 2LL, SEEK_CUR); + int64_t seekback = FFMIN(ffm->packet_size * 2LL, avio_tell(pb) - last_pos); + seekback = FFMAX(seekback, 0); + avio_seek(pb, -seekback, SEEK_CUR); goto retry_read; } /* This is bad, we cannot find a valid frame header */ return 0; } ffm->first_packet = 0; - if ((frame_offset & 0x7fff) < FFM_HEADER_SIZE) + if ((frame_offset & 0x7fff) < FFM_HEADER_SIZE) { + ffm->packet_end = ffm->packet_ptr; return -1; + } ffm->packet_ptr = ffm->packet + (frame_offset & 0x7fff) - FFM_HEADER_SIZE; if (!header) break; @@ -236,6 +246,7 @@ static int ffm2_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int ret; ffm->packet_size = avio_rb32(pb); @@ -282,7 +293,20 @@ static int ffm2_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); @@ -299,6 +323,12 @@ static int ffm2_read_header(AVFormatContext *s) case MKBETAG('S', 'T', 'V', 'I'): codec->time_base.num = avio_rb32(pb); codec->time_base.den = avio_rb32(pb); + if (codec->time_base.num <= 0 || codec->time_base.den <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n", + codec->time_base.num, codec->time_base.den); + ret = AVERROR_INVALIDDATA; + goto fail; + } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); @@ -354,7 +384,7 @@ static int ffm2_read_header(AVFormatContext *s) } /* get until end of block reached */ - while ((avio_tell(pb) % ffm->packet_size) != 0) + while ((avio_tell(pb) % ffm->packet_size) != 0 && !pb->eof_reached) avio_r8(pb); /* init packet demux */ @@ -376,6 +406,7 @@ static int ffm_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int i, nb_streams; uint32_t tag; @@ -413,7 +444,20 @@ static int ffm_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); /* codec_type */ + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); @@ -423,6 +467,11 @@ static int ffm_read_header(AVFormatContext *s) case AVMEDIA_TYPE_VIDEO: codec->time_base.num = avio_rb32(pb); codec->time_base.den = avio_rb32(pb); + if (codec->time_base.num <= 0 || codec->time_base.den <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n", + codec->time_base.num, codec->time_base.den); + goto fail; + } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); @@ -481,7 +530,7 @@ static int ffm_read_header(AVFormatContext *s) } /* get until end of block reached */ - while ((avio_tell(pb) % ffm->packet_size) != 0) + while ((avio_tell(pb) % ffm->packet_size) != 0 && !pb->eof_reached) avio_r8(pb); /* init packet demux */ diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index c291393954..b1a8d5a6cd 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -50,7 +50,8 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { - avio_read(s->pb, header, 4); + if (avio_read(s->pb, header, 4) != 4) + return AVERROR(AVERROR_INVALIDDATA); flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c index b3695a27ba..83fc4c21f4 100644 --- a/libavformat/flacenc.c +++ b/libavformat/flacenc.c @@ -50,12 +50,14 @@ static int flac_write_block_comment(AVIOContext *pb, AVDictionary **m, int last_block, int bitexact) { const char *vendor = bitexact ? "ffmpeg" : LIBAVFORMAT_IDENT; - unsigned int len; + int64_t len; uint8_t *p, *p0; ff_metadata_conv(m, ff_vorbiscomment_metadata_conv, NULL); len = ff_vorbiscomment_length(*m, vendor); + if (len >= ((1<<24) - 4)) + return AVERROR(EINVAL); p0 = av_malloc(len+4); if (!p0) return AVERROR(ENOMEM); diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 12d25b20ae..cfe657d289 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -390,7 +390,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, FLVContext *flv = s->priv_data; AVIOContext *ioc; AMFDataType amf_type; - char str_val[256]; + char str_val[1024]; double num_val; num_val = 0; @@ -459,11 +459,11 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, } if (key) { + acodec = astream ? astream->codec : NULL; + vcodec = vstream ? vstream->codec : NULL; + // stream info doesn't live any deeper than the first object if (depth == 1) { - acodec = astream ? astream->codec : NULL; - vcodec = vstream ? vstream->codec : NULL; - if (amf_type == AMF_DATA_TYPE_NUMBER || amf_type == AMF_DATA_TYPE_BOOL) { if (!strcmp(key, "duration")) @@ -558,13 +558,13 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) type = avio_r8(ioc); if (type != AMF_DATA_TYPE_STRING || amf_get_string(ioc, buffer, sizeof(buffer)) < 0) - return -1; + return 2; if (!strcmp(buffer, "onTextData")) return 1; if (strcmp(buffer, "onMetaData") && strcmp(buffer, "onCuePoint")) - return -1; + return 2; // find the streams now so that amf_parse_object doesn't need to do // the lookup every time it is called. @@ -623,7 +623,7 @@ static int flv_read_close(AVFormatContext *s) static int flv_get_extradata(AVFormatContext *s, AVStream *st, int size) { - av_free(st->codec->extradata); + av_freep(&st->codec->extradata); if (ff_get_extradata(st->codec, s->pb, size) < 0) return AVERROR(ENOMEM); return 0; @@ -822,7 +822,7 @@ static int flv_read_packet(AVFormatContext *s, AVPacket *pkt) stream_type=FLV_STREAM_TYPE_DATA; if (size > 13 + 1 + 4 && dts == 0) { // Header-type metadata stuff meta_pos = avio_tell(s->pb); - if (flv_read_metabody(s, next) == 0) { + if (flv_read_metabody(s, next) <= 0) { goto skip; } avio_seek(s->pb, meta_pos, SEEK_SET); diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index febc5e5b30..857f3fbb9e 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -489,7 +489,7 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) avio_w8(pb, FLV_TAG_TYPE_VIDEO); flags = enc->codec_tag; - if (flags == 0) { + if (flags <= 0 || flags > 15) { av_log(s, AV_LOG_ERROR, "Video codec '%s' is not compatible with FLV\n", avcodec_get_name(enc->codec_id)); diff --git a/libavformat/format.c b/libavformat/format.c index 1026c8f7a7..b53d367d98 100644 --- a/libavformat/format.c +++ b/libavformat/format.c @@ -62,20 +62,24 @@ void av_register_input_format(AVInputFormat *format) { AVInputFormat **p = last_iformat; - format->next = NULL; - while(*p || avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) + // Note, format could be added after the first 2 checks but that implies that *p is no longer NULL + while(p != &format->next && !format->next && avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) p = &(*p)->next; - last_iformat = &format->next; + + if (!format->next) + last_iformat = &format->next; } void av_register_output_format(AVOutputFormat *format) { AVOutputFormat **p = last_oformat; - format->next = NULL; - while(*p || avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) + // Note, format could be added after the first 2 checks but that implies that *p is no longer NULL + while(p != &format->next && !format->next && avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) p = &(*p)->next; - last_oformat = &format->next; + + if (!format->next) + last_oformat = &format->next; } int av_match_ext(const char *filename, const char *extensions) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 6c624f00a8..d9b629d7de 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -560,7 +560,7 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { } static int gxf_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { - int res = 0; + int64_t res = 0; uint64_t pos; uint64_t maxlen = 100 * 1024 * 1024; AVStream *st = s->streams[0]; diff --git a/libavformat/hdsenc.c b/libavformat/hdsenc.c index 1f77785f95..9182ca40ee 100644 --- a/libavformat/hdsenc.c +++ b/libavformat/hdsenc.c @@ -145,15 +145,15 @@ static void hds_free(AVFormatContext *s) if (os->ctx && os->ctx_inited) av_write_trailer(os->ctx); if (os->ctx && os->ctx->pb) - av_free(os->ctx->pb); + av_freep(&os->ctx->pb); if (os->ctx) avformat_free_context(os->ctx); - av_free(os->metadata); + av_freep(&os->metadata); for (j = 0; j < os->nb_extra_packets; j++) - av_free(os->extra_packets[j]); + av_freep(&os->extra_packets[j]); for (j = 0; j < os->nb_fragments; j++) - av_free(os->fragments[j]); - av_free(os->fragments); + av_freep(&os->fragments[j]); + av_freep(&os->fragments); } av_freep(&c->streams); } @@ -204,11 +204,7 @@ static int write_manifest(AVFormatContext *s, int final) avio_printf(out, "\n"); avio_flush(out); avio_close(out); - if (rename(temp_filename, filename) == -1) { - av_log(s, AV_LOG_ERROR, "failed to rename file %s to %s\n", temp_filename, filename); - return AVERROR(errno); - } - return 0; + return ff_rename(temp_filename, filename); } static void update_size(AVIOContext *out, int64_t pos) @@ -289,11 +285,7 @@ static int write_abst(AVFormatContext *s, OutputStream *os, int final) update_size(out, afrt_pos); update_size(out, 0); avio_close(out); - if (rename(temp_filename, filename) == -1) { - av_log(s, AV_LOG_ERROR, "failed to rename file %s to %s\n", temp_filename, filename); - return AVERROR(errno); - } - return 0; + return ff_rename(temp_filename, filename); } static int init_file(AVFormatContext *s, OutputStream *os, int64_t start_ts) @@ -487,10 +479,9 @@ static int hds_flush(AVFormatContext *s, OutputStream *os, int final, snprintf(target_filename, sizeof(target_filename), "%s/stream%dSeg1-Frag%d", s->filename, index, os->fragment_index); - if (rename(os->temp_filename, target_filename) == -1) { - av_log(s, AV_LOG_ERROR, "failed to rename file %s to %s\n", os->temp_filename, target_filename); - return AVERROR(errno); - } + ret = ff_rename(os->temp_filename, target_filename); + if (ret < 0) + return ret; add_fragment(os, target_filename, os->frag_start_ts, end_ts - os->frag_start_ts); if (!final) { @@ -506,7 +497,7 @@ static int hds_flush(AVFormatContext *s, OutputStream *os, int final, if (remove > 0) { for (i = 0; i < remove; i++) { unlink(os->fragments[i]->file); - av_free(os->fragments[i]); + av_freep(&os->fragments[i]); } os->nb_fragments -= remove; memmove(os->fragments, os->fragments + remove, diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 45b00c45bc..f403e1c522 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -189,7 +189,7 @@ static void skip_sub_layer_hrd_parameters(GetBitContext *gb, } } -static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, +static int skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, unsigned int max_sub_layers_minus1) { unsigned int i; @@ -246,8 +246,11 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, else low_delay_hrd_flag = get_bits1(gb); - if (!low_delay_hrd_flag) + if (!low_delay_hrd_flag) { cpb_cnt_minus1 = get_ue_golomb_long(gb); + if (cpb_cnt_minus1 > 31) + return AVERROR_INVALIDDATA; + } if (nal_hrd_parameters_present_flag) skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1, @@ -257,6 +260,8 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1, sub_pic_hrd_params_present_flag); } + + return 0; } static void skip_timing_info(GetBitContext *gb) @@ -444,7 +449,7 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx, * * NumDeltaPocs[RefRpsIdx]: num_delta_pocs[rps_idx - 1] */ - for (i = 0; i < num_delta_pocs[rps_idx - 1]; i++) { + for (i = 0; i <= num_delta_pocs[rps_idx - 1]; i++) { uint8_t use_delta_flag = 0; uint8_t used_by_curr_pic_flag = get_bits1(gb); if (!used_by_curr_pic_flag) @@ -457,6 +462,9 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx, unsigned int num_negative_pics = get_ue_golomb_long(gb); unsigned int num_positive_pics = get_ue_golomb_long(gb); + if ((num_positive_pics + (uint64_t)num_negative_pics) * 2 > get_bits_left(gb)) + return AVERROR_INVALIDDATA; + num_delta_pocs[rps_idx] = num_negative_pics + num_positive_pics; for (i = 0; i < num_negative_pics; i++) { @@ -557,7 +565,10 @@ static int hvcc_parse_sps(GetBitContext *gb, } if (get_bits1(gb)) { // long_term_ref_pics_present_flag - for (i = 0; i < get_ue_golomb_long(gb); i++) { // num_long_term_ref_pics_sps + unsigned num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + if (num_long_term_ref_pics_sps > 31U) + return AVERROR_INVALIDDATA; + for (i = 0; i < num_long_term_ref_pics_sps; i++) { // num_long_term_ref_pics_sps int len = FFMIN(log2_max_pic_order_cnt_lsb_minus4 + 4, 16); skip_bits (gb, len); // lt_ref_pic_poc_lsb_sps[i] skip_bits1(gb); // used_by_curr_pic_lt_sps_flag[i] @@ -608,11 +619,12 @@ static int hvcc_parse_pps(GetBitContext *gb, get_se_golomb_long(gb); // pps_cr_qp_offset /* + * pps_slice_chroma_qp_offsets_present_flag u(1) * weighted_pred_flag u(1) * weighted_bipred_flag u(1) * transquant_bypass_enabled_flag u(1) */ - skip_bits(gb, 3); + skip_bits(gb, 4); tiles_enabled_flag = get_bits1(gb); entropy_coding_sync_enabled_flag = get_bits1(gb); diff --git a/libavformat/hls.c b/libavformat/hls.c index 0c86461f0f..b58d050fca 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -164,6 +164,7 @@ struct variant { }; typedef struct HLSContext { + AVClass *class; int n_variants; struct variant **variants; int n_playlists; @@ -179,6 +180,8 @@ typedef struct HLSContext { char *user_agent; ///< holds HTTP user agent set as an AVOption to the HTTP protocol context char *cookies; ///< holds HTTP cookie values set in either the initial response or as an AVOption to the HTTP protocol context char *headers; ///< holds HTTP headers set as an AVOption to the HTTP protocol context + char *allowed_extensions; + int max_reload; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -900,6 +903,34 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, pls->is_id3_timestamped = (pls->id3_mpegts_timestamp != AV_NOPTS_VALUE); } + +static int check_url(HLSContext *c, const char *url) { + const char *proto_name = avio_find_protocol_name(url); + + if (!proto_name) + return AVERROR_INVALIDDATA; + + if (av_strstart(proto_name, "file", NULL)) { + if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) { + av_log(c, AV_LOG_ERROR, + "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n" + "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n", + url); + return AVERROR_INVALIDDATA; + } + } else if (av_strstart(proto_name, "http", NULL)) { + ; + } else + return AVERROR_INVALIDDATA; + + if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') + return 0; + else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5)) + return AVERROR_INVALIDDATA; + + return 0; +} + static int open_input(HLSContext *c, struct playlist *pls) { AVDictionary *opts = NULL; @@ -927,6 +958,10 @@ static int open_input(HLSContext *c, struct playlist *pls) seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { + ret = check_url(c, seg->url); + if (ret < 0) + goto cleanup; + ret = ffurl_open(&pls->input, seg->url, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts); @@ -934,6 +969,10 @@ static int open_input(HLSContext *c, struct playlist *pls) char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { URLContext *uc; + ret = check_url(c, seg->key); + if (ret < 0) + goto cleanup; + if (ffurl_open(&uc, seg->key, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts2) == 0) { if (ffurl_read_complete(uc, pls->key, sizeof(pls->key)) @@ -1004,6 +1043,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size) HLSContext *c = v->parent->priv_data; int ret, i; int just_opened = 0; + int reload_count = 0; restart: if (!v->needed) @@ -1034,6 +1074,9 @@ restart: reload_interval = default_reload_interval(v); reload: + reload_count++; + if (reload_count > c->max_reload) + return AVERROR_EOF; if (!v->finished && av_gettime() - v->last_load_time >= reload_interval) { if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { @@ -1702,6 +1745,25 @@ static int hls_probe(AVProbeData *p) return 0; } +#define OFFSET(x) offsetof(HLSContext, x) +#define FLAGS AV_OPT_FLAG_DECODING_PARAM +static const AVOption hls_options[] = { + {"allowed_extensions", "List of file extensions that hls is allowed to access", + OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, + {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + INT_MIN, INT_MAX, FLAGS}, + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, + {NULL} +}; + +static const AVClass hls_class = { + .class_name = "hls,applehttp", + .item_name = av_default_item_name, + .option = hls_options, + .version = LIBAVUTIL_VERSION_INT, +}; + AVInputFormat ff_hls_demuxer = { .name = "hls,applehttp", .long_name = NULL_IF_CONFIG_SMALL("Apple HTTP Live Streaming"), @@ -1711,4 +1773,5 @@ AVInputFormat ff_hls_demuxer = { .read_packet = hls_read_packet, .read_close = hls_close, .read_seek = hls_read_seek, + .priv_class = &hls_class, }; diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 11f1e5be42..3fceb088f9 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -22,6 +22,7 @@ #include #include +#include "libavutil/avassert.h" #include "libavutil/mathematics.h" #include "libavutil/parseutils.h" #include "libavutil/avstring.h" @@ -251,6 +252,12 @@ static int hls_write_header(AVFormatContext *s) if ((ret = avformat_write_header(hls->avf, NULL)) < 0) goto fail; + av_assert0(s->nb_streams == hls->avf->nb_streams); + for (i = 0; i < s->nb_streams; i++) { + AVStream *inner_st = hls->avf->streams[i]; + AVStream *outter_st = s->streams[i]; + avpriv_set_pts_info(outter_st, inner_st->pts_wrap_bits, inner_st->time_base.num, inner_st->time_base.den); + } fail: if (ret) { @@ -322,9 +329,10 @@ static int hls_write_trailer(struct AVFormatContext *s) av_write_trailer(oc); avio_closep(&oc->pb); - avformat_free_context(oc); av_free(hls->basename); hls_append_segment(hls, hls->duration); + avformat_free_context(oc); + hls->avf = NULL; hls_window(s, 1); hls_free_segments(hls); diff --git a/libavformat/http.c b/libavformat/http.c index 018d25c9d7..d3a63de877 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -686,6 +686,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, int len = 0; const char *method; int send_expect_100 = 0; + int ret; /* send http header */ post = h->flags & AVIO_FLAG_WRITE; @@ -776,7 +777,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, if (s->headers) av_strlcpy(headers + len, s->headers, sizeof(headers) - len); - snprintf(s->buffer, sizeof(s->buffer), + ret = snprintf(s->buffer, sizeof(s->buffer), "%s %s HTTP/1.1\r\n" "%s" "%s" @@ -792,6 +793,14 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, av_log(h, AV_LOG_DEBUG, "request: %s\n", s->buffer); + if (strlen(headers) + 1 == sizeof(headers) || + ret >= sizeof(s->buffer)) { + av_log(h, AV_LOG_ERROR, "overlong headers\n"); + err = AVERROR(EINVAL); + goto done; + } + + if ((err = ffurl_write(s->hd, s->buffer, strlen(s->buffer))) < 0) goto done; diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c index dbe3eff48f..18cf36bcfe 100644 --- a/libavformat/httpauth.c +++ b/libavformat/httpauth.c @@ -220,21 +220,21 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username, /* TODO: Escape the quoted strings properly. */ av_strlcatf(authstr, len, "username=\"%s\"", username); - av_strlcatf(authstr, len, ",realm=\"%s\"", state->realm); - av_strlcatf(authstr, len, ",nonce=\"%s\"", digest->nonce); - av_strlcatf(authstr, len, ",uri=\"%s\"", uri); - av_strlcatf(authstr, len, ",response=\"%s\"", response); + av_strlcatf(authstr, len, ", realm=\"%s\"", state->realm); + av_strlcatf(authstr, len, ", nonce=\"%s\"", digest->nonce); + av_strlcatf(authstr, len, ", uri=\"%s\"", uri); + av_strlcatf(authstr, len, ", response=\"%s\"", response); // we are violating the RFC and use "" because all others seem to do that too. if (digest->algorithm[0]) - av_strlcatf(authstr, len, ",algorithm=\"%s\"", digest->algorithm); + av_strlcatf(authstr, len, ", algorithm=\"%s\"", digest->algorithm); if (digest->opaque[0]) - av_strlcatf(authstr, len, ",opaque=\"%s\"", digest->opaque); + av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque); if (digest->qop[0]) { - av_strlcatf(authstr, len, ",qop=\"%s\"", digest->qop); - av_strlcatf(authstr, len, ",cnonce=\"%s\"", cnonce); - av_strlcatf(authstr, len, ",nc=%s", nc); + av_strlcatf(authstr, len, ", qop=\"%s\"", digest->qop); + av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce); + av_strlcatf(authstr, len, ", nc=%s", nc); } av_strlcatf(authstr, len, "\r\n"); diff --git a/libavformat/icecast.c b/libavformat/icecast.c index 56a2976f06..7d60e44a4a 100644 --- a/libavformat/icecast.c +++ b/libavformat/icecast.c @@ -114,6 +114,7 @@ static int icecast_open(URLContext *h, const char *uri, int flags) av_dict_set(&opt_dict, "method", s->legacy_icecast ? "SOURCE" : "PUT", 0); av_dict_set(&opt_dict, "auth_type", "basic", 0); av_dict_set(&opt_dict, "headers", headers, 0); + av_dict_set(&opt_dict, "chunked_post", "0", 0); if (NOT_EMPTY(s->content_type)) av_dict_set(&opt_dict, "content_type", s->content_type, 0); if (NOT_EMPTY(s->user_agent)) diff --git a/libavformat/idcin.c b/libavformat/idcin.c index d7a46a17fd..4e455bfcee 100644 --- a/libavformat/idcin.c +++ b/libavformat/idcin.c @@ -359,7 +359,7 @@ static int idcin_read_seek(AVFormatContext *s, int stream_index, IdcinDemuxContext *idcin = s->priv_data; if (idcin->first_pkt_pos > 0) { - int ret = avio_seek(s->pb, idcin->first_pkt_pos, SEEK_SET); + int64_t ret = avio_seek(s->pb, idcin->first_pkt_pos, SEEK_SET); if (ret < 0) return ret; ff_update_cur_dts(s, s->streams[idcin->video_stream_index], 0); diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c index 76bb3924b1..d733953a04 100644 --- a/libavformat/idroqdec.c +++ b/libavformat/idroqdec.c @@ -157,6 +157,9 @@ static int roq_read_packet(AVFormatContext *s, chunk_size = AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size; + if (chunk_size > INT_MAX) + return AVERROR_INVALIDDATA; + /* rewind */ avio_seek(pb, codebook_offset, SEEK_SET); diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index a21429f6ae..308062c7ad 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -162,6 +162,8 @@ static int img_read_probe(AVProbeData *p) return AVPROBE_SCORE_MAX; else if (is_glob(p->filename)) return AVPROBE_SCORE_MAX; + else if (p->filename[strcspn(p->filename, "*?{")]) // probably PT_GLOB + return AVPROBE_SCORE_EXTENSION + 2; // score chosen to be a tad above the image pipes else if (p->buf_size == 0) return 0; else if (av_match_ext(p->filename, "raw") || av_match_ext(p->filename, "gif")) @@ -337,7 +339,10 @@ int ff_img_read_header(AVFormatContext *s1) break; } } - ffio_rewind_with_probe_data(s1->pb, &probe_buffer, probe_buffer_size); + if (s1->flags & AVFMT_FLAG_CUSTOM_IO) { + avio_seek(s1->pb, 0, SEEK_SET); + } else + ffio_rewind_with_probe_data(s1->pb, &probe_buffer, probe_buffer_size); } if (st->codec->codec_id == AV_CODEC_ID_NONE) st->codec->codec_id = ff_guess_image2_codec(s->path); @@ -358,7 +363,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) VideoDemuxData *s = s1->priv_data; char filename_bytes[1024]; char *filename = filename_bytes; - int i; + int i, res; int size[3] = { 0 }, ret[3] = { 0 }; AVIOContext *f[3] = { NULL }; AVCodecContext *codec = s1->streams[0]->codec; @@ -421,8 +426,10 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) infer_size(&codec->width, &codec->height, size[0]); } else { f[0] = s1->pb; + if (avio_feof(f[0]) && s->loop && s->is_pipe) + avio_seek(f[0], 0, SEEK_SET); if (avio_feof(f[0])) - return AVERROR(EIO); + return AVERROR_EOF; if (s->frame_size > 0) { size[0] = s->frame_size; } else if (!s1->streams[0]->parser) { @@ -432,14 +439,18 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } } - if (av_new_packet(pkt, size[0] + size[1] + size[2]) < 0) - return AVERROR(ENOMEM); + res = av_new_packet(pkt, size[0] + size[1] + size[2]); + if (res < 0) { + goto fail; + } pkt->stream_index = 0; pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; - if (stat(filename, &img_stat)) - return AVERROR(EIO); + if (stat(filename, &img_stat)) { + res = AVERROR(EIO); + goto fail; + } pkt->pts = (int64_t)img_stat.st_mtime; #if HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC if (s->ts_from_file == 2) @@ -450,10 +461,19 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) pkt->pts = s->pts; } + if (s->is_pipe) + pkt->pos = avio_tell(f[0]); + pkt->size = 0; for (i = 0; i < 3; i++) { if (f[i]) { ret[i] = avio_read(f[i], pkt->data + pkt->size, size[i]); + if (s->loop && s->is_pipe && ret[i] == AVERROR_EOF) { + if (avio_seek(f[i], 0, SEEK_SET) >= 0) { + pkt->pos = 0; + ret[i] = avio_read(f[i], pkt->data + pkt->size, size[i]); + } + } if (!s->is_pipe) avio_close(f[i]); if (ret[i] > 0) @@ -463,13 +483,30 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) { av_free_packet(pkt); - return AVERROR(EIO); /* signal EOF */ + if (ret[0] < 0) { + res = ret[0]; + } else if (ret[1] < 0) { + res = ret[1]; + } else if (ret[2] < 0) { + res = ret[2]; + } else { + res = AVERROR_EOF; + } + goto fail; } else { s->img_count++; s->img_number++; s->pts++; return 0; } + +fail: + if (!s->is_pipe) { + for (i = 0; i < 3; i++) { + avio_closep(&f[i]); + } + } + return res; } static int img_read_close(struct AVFormatContext* s1) @@ -694,6 +731,7 @@ AVInputFormat ff_image_ ## imgname ## _pipe_demuxer = {\ .read_header = ff_img_read_header,\ .read_packet = ff_img_read_packet,\ .priv_class = & imgname ## _class,\ + .flags = AVFMT_GENERIC_INDEX, \ .raw_codec_id = codecid,\ }; diff --git a/libavformat/internal.h b/libavformat/internal.h index 30117069a9..671df094d0 100644 --- a/libavformat/internal.h +++ b/libavformat/internal.h @@ -371,6 +371,20 @@ AVRational ff_choose_timebase(AVFormatContext *s, AVStream *st, int min_precisio */ int ff_generate_avci_extradata(AVStream *st); +/** + * Wrap errno on rename() error. + * + * @param oldpath source path + * @param newpath destination path + * @return 0 or AVERROR on failure + */ +static inline int ff_rename(const char *oldpath, const char *newpath) +{ + if (rename(oldpath, newpath) == -1) + return AVERROR(errno); + return 0; +} + /** * Allocate extradata with additional FF_INPUT_BUFFER_PADDING_SIZE at end * which is always set to 0. diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index 01e70e858f..0112009d9b 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -156,7 +156,7 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, /* send both the decode map and the video data together */ - if (av_new_packet(pkt, s->decode_map_chunk_size + s->video_chunk_size)) + if (av_new_packet(pkt, 2 + s->decode_map_chunk_size + s->video_chunk_size)) return CHUNK_NOMEM; if (s->has_palette) { @@ -178,7 +178,8 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, avio_seek(pb, s->decode_map_chunk_offset, SEEK_SET); s->decode_map_chunk_offset = 0; - if (avio_read(pb, pkt->data, s->decode_map_chunk_size) != + AV_WL16(pkt->data, s->decode_map_chunk_size); + if (avio_read(pb, pkt->data + 2, s->decode_map_chunk_size) != s->decode_map_chunk_size) { av_free_packet(pkt); return CHUNK_EOF; @@ -187,7 +188,7 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, avio_seek(pb, s->video_chunk_offset, SEEK_SET); s->video_chunk_offset = 0; - if (avio_read(pb, pkt->data + s->decode_map_chunk_size, + if (avio_read(pb, pkt->data + 2 + s->decode_map_chunk_size, s->video_chunk_size) != s->video_chunk_size) { av_free_packet(pkt); return CHUNK_EOF; diff --git a/libavformat/isom.h b/libavformat/isom.h index 979e967d14..42b87c6494 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -171,6 +171,8 @@ typedef struct MOVContext { int *bitrates; ///< bitrates read before streams creation int bitrates_count; int moov_retry; + int atom_depth; + int enable_drefs; } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c index 21eb14d265..9053c61cf2 100644 --- a/libavformat/jvdec.c +++ b/libavformat/jvdec.c @@ -54,7 +54,7 @@ typedef struct { static int read_probe(AVProbeData *pd) { - if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 && + if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size && !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC))) return AVPROBE_SCORE_MAX; return 0; diff --git a/libavformat/librtmp.c b/libavformat/librtmp.c index c57699cc9e..67939b912e 100644 --- a/libavformat/librtmp.c +++ b/libavformat/librtmp.c @@ -169,7 +169,7 @@ static int rtmp_open(URLContext *s, const char *uri, int flags) } if (ctx->swfurl) { av_strlcat(filename, " swfUrl=", len); - av_strlcat(filename, ctx->pageurl, len); + av_strlcat(filename, ctx->swfurl, len); } if (ctx->flashver) { av_strlcat(filename, " flashVer=", len); diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index b8ddf67b79..64a66a53ab 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -81,6 +81,7 @@ typedef const struct EbmlSyntax { int list_elem_size; int data_offset; union { + int64_t i; uint64_t u; double f; const char *s; @@ -582,7 +583,7 @@ static EbmlSyntax matroska_blockgroup[] = { { MATROSKA_ID_SIMPLEBLOCK, EBML_BIN, 0, offsetof(MatroskaBlock, bin) }, { MATROSKA_ID_BLOCKDURATION, EBML_UINT, 0, offsetof(MatroskaBlock, duration) }, { MATROSKA_ID_DISCARDPADDING, EBML_SINT, 0, offsetof(MatroskaBlock, discard_padding) }, - { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference) }, + { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference), { .i = INT64_MIN } }, { MATROSKA_ID_CODECSTATE, EBML_NONE }, { 1, EBML_UINT, 0, offsetof(MatroskaBlock, non_simple), { .u = 1 } }, { 0 } @@ -952,6 +953,9 @@ static int ebml_parse_nest(MatroskaDemuxContext *matroska, EbmlSyntax *syntax, for (i = 0; syntax[i].id; i++) switch (syntax[i].type) { + case EBML_SINT: + *(int64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.i; + break; case EBML_UINT: *(uint64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.u; break; @@ -1078,7 +1082,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data) for (j = 0; j < list->nb_elem; j++, ptr += syntax[i].list_elem_size) ebml_free(syntax[i].def.n, ptr); - av_free(list->elem); + av_freep(&list->elem); } else ebml_free(syntax[i].def.n, data_off); default: @@ -1216,15 +1220,13 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, newpktdata = av_realloc(pkt_data, pkt_size); if (!newpktdata) { inflateEnd(&zstream); + result = AVERROR(ENOMEM); goto failed; } pkt_data = newpktdata; zstream.avail_out = pkt_size - zstream.total_out; zstream.next_out = pkt_data + zstream.total_out; - if (pkt_data) { - result = inflate(&zstream, Z_NO_FLUSH); - } else - result = Z_MEM_ERROR; + result = inflate(&zstream, Z_NO_FLUSH); } while (result == Z_OK && pkt_size < 10000000); pkt_size = zstream.total_out; inflateEnd(&zstream); @@ -1251,15 +1253,13 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, newpktdata = av_realloc(pkt_data, pkt_size); if (!newpktdata) { BZ2_bzDecompressEnd(&bzstream); + result = AVERROR(ENOMEM); goto failed; } pkt_data = newpktdata; bzstream.avail_out = pkt_size - bzstream.total_out_lo32; bzstream.next_out = pkt_data + bzstream.total_out_lo32; - if (pkt_data) { - result = BZ2_bzDecompress(&bzstream); - } else - result = BZ_MEM_ERROR; + result = BZ2_bzDecompress(&bzstream); } while (result == BZ_OK && pkt_size < 10000000); pkt_size = bzstream.total_out_lo32; BZ2_bzDecompressEnd(&bzstream); @@ -1412,13 +1412,17 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) EbmlList *seekhead_list = &matroska->seekhead; int64_t before_pos = avio_tell(matroska->ctx->pb); int i; + int nb_elem; // we should not do any seeking in the streaming case if (!matroska->ctx->pb->seekable || (matroska->ctx->flags & AVFMT_FLAG_IGNIDX)) return; - for (i = 0; i < seekhead_list->nb_elem; i++) { + // do not read entries that are added while parsing seekhead entries + nb_elem = seekhead_list->nb_elem; + + for (i = 0; i < nb_elem; i++) { MatroskaSeekhead *seekhead = seekhead_list->elem; if (seekhead[i].pos <= before_pos) continue; @@ -1441,7 +1445,7 @@ static void matroska_add_index_entries(MatroskaDemuxContext *matroska) { EbmlList *index_list; MatroskaIndex *index; - int index_scale = 1; + uint64_t index_scale = 1; int i, j; index_list = &matroska->index; @@ -1602,6 +1606,14 @@ static int matroska_parse_tracks(AVFormatContext *s) if (!track->codec_id) continue; + if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX || + isnan(track->audio.samplerate)) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Invalid sample rate %f, defaulting to 8000 instead.\n", + track->audio.samplerate); + track->audio.samplerate = 8000; + } + if (track->type == MATROSKA_TRACK_TYPE_VIDEO) { if (!track->default_duration && track->video.frame_rate > 0) track->default_duration = 1000000000 / track->video.frame_rate; @@ -1706,7 +1718,7 @@ static int matroska_parse_tracks(AVFormatContext *s) ffio_init_context(&b, track->codec_priv.data, track->codec_priv.size, 0, NULL, NULL, NULL, NULL); - ret = ff_get_wav_header(&b, st->codec, track->codec_priv.size); + ret = ff_get_wav_header(s, &b, st->codec, track->codec_priv.size); if (ret < 0) return ret; codec_id = st->codec->codec_id; @@ -1797,6 +1809,18 @@ static int matroska_parse_tracks(AVFormatContext *s) NULL, NULL, NULL, NULL); avio_write(&b, "TTA1", 4); avio_wl16(&b, 1); + if (track->audio.channels > UINT16_MAX || + track->audio.bitdepth > UINT16_MAX) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Too large audio channel number %"PRIu64 + " or bitdepth %"PRIu64". Skipping track.\n", + track->audio.channels, track->audio.bitdepth); + av_freep(&extradata); + if (matroska->ctx->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + continue; + } avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) @@ -1920,7 +1944,8 @@ static int matroska_parse_tracks(AVFormatContext *s) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, 1000000000, track->default_duration, 30000); #if FF_API_R_FRAME_RATE - if (st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L) + if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL + && st->avg_frame_rate.num > st->avg_frame_rate.den * 5LL) st->r_frame_rate = st->avg_frame_rate; #endif } @@ -1941,8 +1966,8 @@ static int matroska_parse_tracks(AVFormatContext *s) snprintf(buf, sizeof(buf), "%s_%d", ff_matroska_video_stereo_plane[planes[j].type], i); for (k=0; k < matroska->tracks.nb_elem; k++) - if (planes[j].uid == tracks[k].uid) { - av_dict_set(&s->streams[k]->metadata, + if (planes[j].uid == tracks[k].uid && tracks[k].stream) { + av_dict_set(&tracks[k].stream->metadata, "stereo_mode", buf, 0); break; } @@ -2008,12 +2033,15 @@ static int matroska_read_header(AVFormatContext *s) matroska->ctx = s; /* First read the EBML header. */ - if (ebml_parse(matroska, ebml_syntax, &ebml) || - ebml.version > EBML_VERSION || + if (ebml_parse(matroska, ebml_syntax, &ebml) || !ebml.doctype) { + av_log(matroska->ctx, AV_LOG_ERROR, "EBML header parsing failed\n"); + ebml_free(ebml_syntax, &ebml); + return AVERROR_INVALIDDATA; + } + if (ebml.version > EBML_VERSION || ebml.max_size > sizeof(uint64_t) || ebml.id_length > sizeof(uint32_t) || - ebml.doctype_version > 3 || - !ebml.doctype) { + ebml.doctype_version > 3) { av_log(matroska->ctx, AV_LOG_ERROR, "EBML header using unsupported features\n" "(EBML version %"PRIu64", doctype %s, doc version %"PRIu64")\n", @@ -2127,7 +2155,7 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, { if (matroska->num_packets > 0) { memcpy(pkt, matroska->packets[0], sizeof(AVPacket)); - av_free(matroska->packets[0]); + av_freep(&matroska->packets[0]); if (matroska->num_packets > 1) { void *newpackets; memmove(&matroska->packets[0], &matroska->packets[1], @@ -2158,7 +2186,7 @@ static void matroska_clear_queue(MatroskaDemuxContext *matroska) int n; for (n = 0; n < matroska->num_packets; n++) { av_free_packet(matroska->packets[n]); - av_free(matroska->packets[n]); + av_freep(&matroska->packets[n]); } av_freep(&matroska->packets); matroska->num_packets = 0; @@ -2838,7 +2866,7 @@ static int matroska_parse_cluster_incremental(MatroskaDemuxContext *matroska) matroska->current_cluster_num_blocks = blocks_list->nb_elem; i = blocks_list->nb_elem - 1; if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; uint8_t* additional = blocks[i].additional.size > 0 ? blocks[i].additional.data : NULL; if (!blocks[i].non_simple) @@ -2876,7 +2904,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) blocks = blocks_list->elem; for (i = 0; i < blocks_list->nb_elem; i++) if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; res = matroska_parse_block(matroska, blocks[i].bin.data, blocks[i].bin.size, blocks[i].bin.pos, cluster.timecode, blocks[i].duration, @@ -2906,7 +2934,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { MatroskaDemuxContext *matroska = s->priv_data; - MatroskaTrack *tracks = matroska->tracks.elem; + MatroskaTrack *tracks = NULL; AVStream *st = s->streams[stream_index]; int i, index, index_sub, index_min; @@ -2936,12 +2964,14 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, goto err; index_min = index; + tracks = matroska->tracks.elem; for (i = 0; i < matroska->tracks.nb_elem; i++) { tracks[i].audio.pkt_cnt = 0; tracks[i].audio.sub_packet_cnt = 0; tracks[i].audio.buf_timecode = AV_NOPTS_VALUE; tracks[i].end_timecode = 0; if (tracks[i].type == MATROSKA_TRACK_TYPE_SUBTITLE && + tracks[i].stream && tracks[i].stream->discard != AVDISCARD_ALL) { index_sub = av_index_search_timestamp( tracks[i].stream, st->index_entries[index].timestamp, @@ -2990,7 +3020,7 @@ static int matroska_read_close(AVFormatContext *s) for (n = 0; n < matroska->tracks.nb_elem; n++) if (tracks[n].type == MATROSKA_TRACK_TYPE_AUDIO) - av_free(tracks[n].audio.buf); + av_freep(&tracks[n].audio.buf); ebml_free(matroska_cluster, &matroska->current_cluster); ebml_free(matroska_segment, matroska); diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 3fa4babbdb..395df0f413 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -543,12 +543,15 @@ static int put_flac_codecpriv(AVFormatContext *s, "Lavf" : LIBAVFORMAT_IDENT; AVDictionary *dict = NULL; uint8_t buf[32], *data, *p; - int len; + int64_t len; snprintf(buf, sizeof(buf), "0x%"PRIx64, codec->channel_layout); av_dict_set(&dict, "WAVEFORMATEXTENSIBLE_CHANNEL_MASK", buf, 0); len = ff_vorbiscomment_length(dict, vendor); + if (len >= ((1<<24) - 4)) + return AVERROR(EINVAL); + data = av_malloc(len + 4); if (!data) { av_dict_free(&dict); @@ -696,13 +699,15 @@ static int mkv_write_codecprivate(AVFormatContext *s, AVIOContext *pb, static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, - AVStream *st, int mode) + AVStream *st, int mode, int *h_width, int *h_height) { int i; int ret = 0; AVDictionaryEntry *tag; MatroskaVideoStereoModeType format = MATROSKA_VIDEO_STEREOMODE_TYPE_NB; + *h_width = 1; + *h_height = 1; // convert metadata into proper side data and add it to the stream if ((tag = av_dict_get(st->metadata, "stereo_mode", NULL, 0)) || (tag = av_dict_get( s->metadata, "stereo_mode", NULL, 0))) { @@ -722,6 +727,7 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, } } + // iterate to find the stereo3d side data for (i = 0; i < st->nb_side_data; i++) { AVPacketSideData sd = st->side_data[i]; if (sd.type == AV_PKT_DATA_STEREO3D) { @@ -735,11 +741,13 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, format = (stereo->flags & AV_STEREO3D_FLAG_INVERT) ? MATROSKA_VIDEO_STEREOMODE_TYPE_RIGHT_LEFT : MATROSKA_VIDEO_STEREOMODE_TYPE_LEFT_RIGHT; + *h_width = 2; break; case AV_STEREO3D_TOPBOTTOM: format = MATROSKA_VIDEO_STEREOMODE_TYPE_TOP_BOTTOM; if (stereo->flags & AV_STEREO3D_FLAG_INVERT) format--; + *h_height = 2; break; case AV_STEREO3D_CHECKERBOARD: format = MATROSKA_VIDEO_STEREOMODE_TYPE_CHECKERBOARD_LR; @@ -750,11 +758,13 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, format = MATROSKA_VIDEO_STEREOMODE_TYPE_ROW_INTERLEAVED_LR; if (stereo->flags & AV_STEREO3D_FLAG_INVERT) format--; + *h_height = 2; break; case AV_STEREO3D_COLUMNS: format = MATROSKA_VIDEO_STEREOMODE_TYPE_COL_INTERLEAVED_LR; if (stereo->flags & AV_STEREO3D_FLAG_INVERT) format--; + *h_width = 2; break; case AV_STEREO3D_FRAMESEQUENCE: format = MATROSKA_VIDEO_STEREOMODE_TYPE_BOTH_EYES_BLOCK_LR; @@ -762,8 +772,6 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, format++; break; } - ret = stereo->type; - break; } } @@ -771,6 +779,7 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, if (format == MATROSKA_VIDEO_STEREOMODE_TYPE_NB) return ret; + // if webm, do not write unsupported modes if ((mode == MODE_WEBM && format > MATROSKA_VIDEO_STEREOMODE_TYPE_TOP_BOTTOM && format != MATROSKA_VIDEO_STEREOMODE_TYPE_RIGHT_LEFT) @@ -781,6 +790,7 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, return AVERROR(EINVAL); } + // write StereoMode if format is valid put_ebml_uint(pb, MATROSKA_ID_VIDEOSTEREOMODE, format); return ret; @@ -926,27 +936,20 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv, // check both side data and metadata for stereo information, // write the result to the bitstream if any is found - ret = mkv_write_stereo_mode(s, pb, st, mkv->mode); + ret = mkv_write_stereo_mode(s, pb, st, mkv->mode, + &display_width_div, + &display_height_div); if (ret < 0) return ret; - switch (ret) { - case AV_STEREO3D_SIDEBYSIDE: - case AV_STEREO3D_COLUMNS: - display_width_div = 2; - break; - case AV_STEREO3D_TOPBOTTOM: - case AV_STEREO3D_LINES: - display_height_div = 2; - break; - } - if (((tag = av_dict_get(st->metadata, "alpha_mode", NULL, 0)) && atoi(tag->value)) || ((tag = av_dict_get( s->metadata, "alpha_mode", NULL, 0)) && atoi(tag->value)) || (codec->pix_fmt == AV_PIX_FMT_YUVA420P)) { put_ebml_uint(pb, MATROSKA_ID_VIDEOALPHAMODE, 1); } + // write DisplayWidth and DisplayHeight, they contain the size of + // a single source view and/or the display aspect ratio if (st->sample_aspect_ratio.num) { int64_t d_width = av_rescale(codec->width, st->sample_aspect_ratio.num, st->sample_aspect_ratio.den); if (d_width > INT_MAX) { @@ -964,6 +967,7 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv, uint32_t color_space = av_le2ne32(codec->codec_tag); put_ebml_binary(pb, MATROSKA_ID_VIDEOCOLORSPACE, &color_space, sizeof(color_space)); } + end_ebml_master(pb, subinfo); break; diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 1855ea46ce..98373bd496 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -142,7 +142,7 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f vst->codec->codec_tag = MKTAG('B', 'I', 'T', 16); size -= 164; } else if (ast && type == MKTAG('W', 'A', 'V', 'I') && size >= 16) { - ret = ff_get_wav_header(pb, ast->codec, 16); + ret = ff_get_wav_header(avctx, pb, ast->codec, 16); if (ret < 0) return ret; size -= 16; @@ -363,6 +363,11 @@ static int read_header(AVFormatContext *avctx) if (ast) ast->duration = ast->nb_index_entries; + if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { + av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); + return AVERROR_INVALIDDATA; + } + if (vst && ast) avio_seek(pb, FFMIN(vst->index_entries[0].pos, ast->index_entries[0].pos), SEEK_SET); else if (vst) diff --git a/libavformat/mov.c b/libavformat/mov.c index ae48c02287..fa0471add6 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -210,7 +210,11 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { - char *value = av_malloc(len + 1); + char *value; + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); + value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); avio_read(pb, value, len); @@ -226,8 +230,10 @@ static int mov_metadata_loci(MOVContext *c, AVIOContext *pb, unsigned len) double longitude, latitude; const char *key = "location"; - if (len < 4 + 2 + 1 + 1 + 4 + 4 + 4) + if (len < 4 + 2 + 1 + 1 + 4 + 4 + 4) { + av_log(c->fc, AV_LOG_ERROR, "loci too short\n"); return AVERROR_INVALIDDATA; + } avio_skip(pb, 4); // version+flags langcode = avio_rb16(pb); @@ -235,13 +241,17 @@ static int mov_metadata_loci(MOVContext *c, AVIOContext *pb, unsigned len) len -= 6; len -= avio_get_str(pb, len, buf, sizeof(buf)); // place name - if (len < 1) + if (len < 1) { + av_log(c->fc, AV_LOG_ERROR, "place name too long\n"); return AVERROR_INVALIDDATA; + } avio_skip(pb, 1); // role len -= 1; - if (len < 14) + if (len < 12) { + av_log(c->fc, AV_LOG_ERROR, "no space for coordinates left (%d)\n", len); return AVERROR_INVALIDDATA; + } longitude = ((int32_t) avio_rb32(pb)) / (float) (1 << 16); latitude = ((int32_t) avio_rb32(pb)) / (float) (1 << 16); @@ -355,7 +365,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; - if (atom.size < 0) + if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); @@ -566,6 +576,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom) title_size = atom.size - 24; if (title_size > 0) { + if (title_size > FFMIN(INT_MAX, SIZE_MAX-1)) + return AVERROR_INVALIDDATA; title_str = av_malloc(title_size + 1); /* Add null terminator */ if (!title_str) return AVERROR(ENOMEM); @@ -686,7 +698,7 @@ static int mov_read_wfex(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; st = c->fc->streams[c->fc->nb_streams-1]; - if (ff_get_wav_header(pb, st->codec, atom.size) < 0) { + if (ff_get_wav_header(c->fc, pb, st->codec, atom.size) < 0) { av_log(c->fc, AV_LOG_WARNING, "get_wav_header failed\n"); } @@ -1174,10 +1186,12 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= UINT_MAX/sizeof(int64_t)) - return AVERROR_INVALIDDATA; - sc->chunk_offsets = av_malloc(entries * sizeof(int64_t)); + if (sc->chunk_offsets) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STCO atom\n"); + av_free(sc->chunk_offsets); + sc->chunk_count = 0; + sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); if (!sc->chunk_offsets) return AVERROR(ENOMEM); sc->chunk_count = entries; @@ -1453,7 +1467,7 @@ static void mov_parse_stsd_audio(MOVContext *c, AVIOContext *pb, static void mov_parse_stsd_subtitle(MOVContext *c, AVIOContext *pb, AVStream *st, MOVStreamContext *sc, - int size) + int64_t size) { // ttxt stsd contains display flags, justification, background // color, fonts, and default styles, so fake an atom to read it @@ -1518,10 +1532,10 @@ static int mov_rewrite_dvd_sub_extradata(AVStream *st) static int mov_parse_stsd_data(MOVContext *c, AVIOContext *pb, AVStream *st, MOVStreamContext *sc, - int size) + int64_t size) { if (st->codec->codec_tag == MKTAG('t','m','c','d')) { - if (ff_get_extradata(st->codec, pb, size) < 0) + if ((int)size != size || ff_get_extradata(st->codec, pb, size) < 0) return AVERROR(ENOMEM); if (size > 16) { MOVStreamContext *tmcd_ctx = st->priv_data; @@ -1766,9 +1780,11 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= UINT_MAX / sizeof(*sc->stsc_data)) - return AVERROR_INVALIDDATA; - sc->stsc_data = av_malloc(entries * sizeof(*sc->stsc_data)); + if (sc->stsc_data) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STSC atom\n"); + av_free(sc->stsc_data); + sc->stsc_count = 0; + sc->stsc_data = av_malloc_array(entries, sizeof(*sc->stsc_data)); if (!sc->stsc_data) return AVERROR(ENOMEM); @@ -1800,9 +1816,11 @@ static int mov_read_stps(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb32(pb); // version + flags entries = avio_rb32(pb); - if (entries >= UINT_MAX / sizeof(*sc->stps_data)) - return AVERROR_INVALIDDATA; - sc->stps_data = av_malloc(entries * sizeof(*sc->stps_data)); + if (sc->stps_data) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STPS atom\n"); + av_free(sc->stps_data); + sc->stps_count = 0; + sc->stps_data = av_malloc_array(entries, sizeof(*sc->stps_data)); if (!sc->stps_data) return AVERROR(ENOMEM); @@ -1844,9 +1862,13 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->need_parsing = AVSTREAM_PARSE_HEADERS; return 0; } + if (sc->keyframes) + av_log(c->fc, AV_LOG_WARNING, "Duplicated STSS atom\n"); if (entries >= UINT_MAX / sizeof(int)) return AVERROR_INVALIDDATA; - sc->keyframes = av_malloc(entries * sizeof(int)); + av_freep(&sc->keyframes); + sc->keyframe_count = 0; + sc->keyframes = av_malloc_array(entries, sizeof(*sc->keyframes)); if (!sc->keyframes) return AVERROR(ENOMEM); @@ -1905,9 +1927,13 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) / field_size) + if (entries >= (UINT_MAX - 4) / field_size) return AVERROR_INVALIDDATA; - sc->sample_sizes = av_malloc(entries * sizeof(int)); + if (sc->sample_sizes) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STSZ atom\n"); + av_free(sc->sample_sizes); + sc->sample_count = 0; + sc->sample_sizes = av_malloc_array(entries, sizeof(*sc->sample_sizes)); if (!sc->sample_sizes) return AVERROR(ENOMEM); @@ -1961,11 +1987,11 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dlog(c->fc, "track[%i].stts.entries = %i\n", c->fc->nb_streams-1, entries); - if (entries >= UINT_MAX / sizeof(*sc->stts_data)) - return -1; - + if (sc->stts_data) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STTS atom\n"); av_free(sc->stts_data); - sc->stts_data = av_malloc(entries * sizeof(*sc->stts_data)); + sc->stts_count = 0; + sc->stts_data = av_malloc_array(entries, sizeof(*sc->stts_data)); if (!sc->stts_data) return AVERROR(ENOMEM); @@ -2059,7 +2085,7 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dlog(c->fc, "count=%d, duration=%d\n", count, duration); - if (FFABS(duration) > (1<<28) && i+2fc, AV_LOG_WARNING, "CTTS invalid\n"); av_freep(&sc->ctts_data); sc->ctts_count = 0; @@ -2104,9 +2130,11 @@ static int mov_read_sbgp(MOVContext *c, AVIOContext *pb, MOVAtom atom) entries = avio_rb32(pb); if (!entries) return 0; - if (entries >= UINT_MAX / sizeof(*sc->rap_group)) - return AVERROR_INVALIDDATA; - sc->rap_group = av_malloc(entries * sizeof(*sc->rap_group)); + if (sc->rap_group) + av_log(c->fc, AV_LOG_WARNING, "Duplicate SBGP atom\n"); + av_free(sc->rap_group); + sc->rap_group_count = 0; + sc->rap_group = av_malloc_array(entries, sizeof(*sc->rap_group)); if (!sc->rap_group) return AVERROR(ENOMEM); @@ -2224,7 +2252,12 @@ static void mov_build_index(MOVContext *mov, AVStream *st) sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { - AVIndexEntry *e = &st->index_entries[st->nb_index_entries++]; + AVIndexEntry *e; + if (sample_size > 0x3FFFFFFF) { + av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", sample_size); + return; + } + e = &st->index_entries[st->nb_index_entries++]; e->pos = current_offset; e->timestamp = current_dts; e->size = sample_size; @@ -2322,6 +2355,10 @@ static void mov_build_index(MOVContext *mov, AVStream *st) av_log(mov->fc, AV_LOG_ERROR, "wrong chunk count %d\n", total); return; } + if (size > 0x3FFFFFFF) { + av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", size); + return; + } e = &st->index_entries[st->nb_index_entries++]; e->pos = current_offset; e->timestamp = current_dts; @@ -2346,7 +2383,7 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, /* try relative path, we do not try the absolute because it can leak information about our system to an attacker */ if (ref->nlvl_to > 0 && ref->nlvl_from > 0) { - char filename[1024]; + char filename[1025]; const char *src_path; int i, l; @@ -2372,10 +2409,15 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, filename[src_path - src] = 0; for (i = 1; i < ref->nlvl_from; i++) - av_strlcat(filename, "../", 1024); + av_strlcat(filename, "../", sizeof(filename)); - av_strlcat(filename, ref->path + l + 1, 1024); + av_strlcat(filename, ref->path + l + 1, sizeof(filename)); + if (!use_absolute_path) + if(strstr(ref->path + l + 1, "..") || ref->nlvl_from > 1) + return AVERROR(ENOENT); + if (strlen(filename) + 1 == sizeof(filename)) + return AVERROR(ENOENT); if (!avio_open2(pb, filename, AVIO_FLAG_READ, int_cb, NULL)) return 0; } @@ -2434,13 +2476,23 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (sc->dref_id-1 < sc->drefs_count && sc->drefs[sc->dref_id-1].path) { MOVDref *dref = &sc->drefs[sc->dref_id - 1]; - if (mov_open_dref(&sc->pb, c->fc->filename, dref, &c->fc->interrupt_callback, - c->use_absolute_path, c->fc) < 0) - av_log(c->fc, AV_LOG_ERROR, - "stream %d, error opening alias: path='%s', dir='%s', " - "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d\n", + if (c->enable_drefs) { + if (mov_open_dref(&sc->pb, c->fc->filename, dref, &c->fc->interrupt_callback, + c->use_absolute_path, c->fc) < 0) + av_log(c->fc, AV_LOG_ERROR, + "stream %d, error opening alias: path='%s', dir='%s', " + "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d\n", + st->index, dref->path, dref->dir, dref->filename, + dref->volume, dref->nlvl_from, dref->nlvl_to); + } else { + av_log(c->fc, AV_LOG_WARNING, + "Skipped opening external track: " + "stream %d, alias: path='%s', dir='%s', " + "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d." + "Set enable_drefs to allow this.\n", st->index, dref->path, dref->dir, dref->filename, dref->volume, dref->nlvl_from, dref->nlvl_to); + } } else { sc->pb = c->fc->pb; sc->pb_is_copied = 1; @@ -2956,6 +3008,7 @@ static int mov_read_cmov(MOVContext *c, AVIOContext *pb, MOVAtom atom) goto free_and_return; if (ffio_init_context(&ctx, moov_data, moov_len, 0, NULL, NULL, NULL, NULL) != 0) goto free_and_return; + ctx.seekable = AVIO_SEEKABLE_NORMAL; atom.type = MKTAG('m','o','o','v'); atom.size = moov_len; ret = mov_read_default(c, &ctx, atom); @@ -3039,7 +3092,7 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom) 0xba, 0x2f, 0x08, 0x00, 0x20, 0x0c, 0x9a, 0x66 }; - if (atom.size < sizeof(uuid) || atom.size == INT64_MAX) + if (atom.size < sizeof(uuid) || atom.size >= FFMIN(INT_MAX, SIZE_MAX)) return AVERROR_INVALIDDATA; ret = avio_read(pb, uuid, sizeof(uuid)); @@ -3172,9 +3225,15 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVAtom a; int i; + if (c->atom_depth > 10) { + av_log(c->fc, AV_LOG_ERROR, "Atoms too deeply nested\n"); + return AVERROR_INVALIDDATA; + } + c->atom_depth ++; + if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0; @@ -3201,11 +3260,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) { av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n"); avio_skip(pb, -8); + c->atom_depth --; return 0; } } total_size += 8; - if (a.size == 1) { /* 64 bit extended size */ + if (a.size == 1 && total_size + 8 <= atom.size) { /* 64 bit extended size */ a.size = avio_rb64(pb) - 8; total_size += 8; } @@ -3237,13 +3297,16 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) int64_t start_pos = avio_tell(pb); int64_t left; int err = parse(c, pb, a); - if (err < 0) + if (err < 0) { + c->atom_depth --; return err; + } if (c->found_moov && c->found_mdat && ((!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) || start_pos + a.size == avio_size(pb))) { if (!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) c->next_root_atom = start_pos + a.size; + c->atom_depth --; return 0; } left = a.size - avio_tell(pb) + start_pos; @@ -3263,6 +3326,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (total_size < atom.size && atom.size < 0x7ffff) avio_skip(pb, atom.size - total_size); + c->atom_depth --; return 0; } @@ -3474,6 +3538,9 @@ static int mov_read_close(AVFormatContext *s) AVStream *st = s->streams[i]; MOVStreamContext *sc = st->priv_data; + if (!sc) + continue; + av_freep(&sc->ctts_data); for (j = 0; j < sc->drefs_count; j++) { av_freep(&sc->drefs[j].path); @@ -3614,7 +3681,7 @@ static int mov_read_header(AVFormatContext *s) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, sc->time_scale*(int64_t)sc->nb_frames_for_fps, sc->duration_for_fps, INT_MAX); if (st->codec->codec_type == AVMEDIA_TYPE_SUBTITLE) { - if (st->codec->width <= 0 && st->codec->height <= 0) { + if (st->codec->width <= 0 || st->codec->height <= 0) { st->codec->width = sc->width; st->codec->height = sc->height; } @@ -3858,6 +3925,8 @@ static int mov_read_seek(AVFormatContext *s, int stream_index, int64_t sample_ti return 0; } +#define OFFSET(x) offsetof(MOVContext, x) +#define FLAGS AV_OPT_FLAG_VIDEO_PARAM | AV_OPT_FLAG_DECODING_PARAM static const AVOption options[] = { {"use_absolute_path", "allow using absolute path when opening alias, this is a possible security issue", @@ -3865,6 +3934,8 @@ static const AVOption options[] = { 0, 1, AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_DECODING_PARAM}, {"ignore_editlist", "", offsetof(MOVContext, ignore_editlist), FF_OPT_TYPE_INT, {.i64 = 0}, 0, 1, AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_DECODING_PARAM}, + { "enable_drefs", "Enable external track support.", OFFSET(enable_drefs), AV_OPT_TYPE_INT, + {.i64 = 0}, 0, 1, FLAGS }, {NULL} }; diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c index 3b91ed7054..b63310b270 100644 --- a/libavformat/mov_chan.c +++ b/libavformat/mov_chan.c @@ -566,6 +566,11 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st, label_mask = 0; for (i = 0; i < num_descr; i++) { uint32_t label; + if (pb->eof_reached) { + av_log(s, AV_LOG_ERROR, + "reached EOF while reading channel layout\n"); + return AVERROR_INVALIDDATA; + } label = avio_rb32(pb); // mChannelLabel avio_rb32(pb); // mChannelFlags avio_rl32(pb); // mCoordinates[0] diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 021fe784e4..c1af01b72b 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -2190,7 +2190,8 @@ static int mov_write_mvhd_tag(AVIOContext *pb, MOVMuxContext *mov) } version = max_track_len < UINT32_MAX ? 0 : 1; - (version == 1) ? avio_wb32(pb, 120) : avio_wb32(pb, 108); /* size */ + avio_wb32(pb, version == 1 ? 120 : 108); /* size */ + ffio_wfourcc(pb, "mvhd"); avio_w8(pb, version); avio_wb24(pb, 0); /* flags */ diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 4872afc43c..dab0aad228 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -32,11 +32,13 @@ #include "id3v1.h" #include "replaygain.h" +#include "libavcodec/avcodec.h" #include "libavcodec/mpegaudiodecheader.h" #define XING_FLAG_FRAMES 0x01 #define XING_FLAG_SIZE 0x02 #define XING_FLAG_TOC 0x04 +#define XING_FLAC_QSCALE 0x08 #define XING_TOC_COUNT 100 @@ -60,7 +62,10 @@ static int mp3_read_probe(AVProbeData *p) int fsize, frames, sample_rate; uint32_t header; const uint8_t *buf, *buf0, *buf2, *end; - AVCodecContext avctx; + AVCodecContext *avctx = avcodec_alloc_context3(NULL); + + if (!avctx) + return AVERROR(ENOMEM); buf0 = p->buf; end = p->buf + p->buf_size - sizeof(uint32_t); @@ -77,7 +82,8 @@ static int mp3_read_probe(AVProbeData *p) for(frames = 0; buf2 < end; frames++) { header = AV_RB32(buf2); - fsize = avpriv_mpa_decode_header(&avctx, header, &sample_rate, &sample_rate, &sample_rate, &sample_rate); + fsize = avpriv_mpa_decode_header(avctx, header, + &sample_rate, &sample_rate, &sample_rate, &sample_rate); if(fsize < 0) break; buf2 += fsize; @@ -86,6 +92,7 @@ static int mp3_read_probe(AVProbeData *p) if(buf == buf0) first_frames= frames; } + avcodec_free_context(&avctx); // keep this in sync with ac3 probe, both need to avoid // issues with MPEG-files! if (first_frames>=4) return AVPROBE_SCORE_EXTENSION + 1; @@ -168,8 +175,8 @@ static void mp3_parse_info_tag(AVFormatContext *s, AVStream *st, (AVRational){spf, c->sample_rate}, st->time_base)); /* VBR quality */ - if(v & 8) - avio_skip(s->pb, 4); + if (v & XING_FLAC_QSCALE) + avio_rb32(s->pb); /* Encoder short version string */ memset(version, 0, sizeof(version)); diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index a15dc25a69..684a0eeae0 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -57,7 +57,7 @@ typedef struct { static inline int64_t bs_get_v(const uint8_t **bs) { - int64_t v = 0; + uint64_t v = 0; int br = 0; int c; @@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p) size = bs_get_v(&bs); if (size < 2) return 0; - if (bs + size - 2 >= bs_end) + if (size >= bs_end - bs + 2) return AVPROBE_SCORE_EXTENSION - 1; // seems to be valid MPC but no header yet if (header_found) { if (size < 11 || size > 28) @@ -108,7 +108,7 @@ static int mpc8_probe(AVProbeData *p) static inline int64_t gb_get_v(GetBitContext *gb) { - int64_t v = 0; + uint64_t v = 0; int bits = 0; while(get_bits1(gb) && bits < 64-7){ v <<= 7; @@ -223,6 +223,10 @@ static int mpc8_read_header(AVFormatContext *s) while(!avio_feof(pb)){ pos = avio_tell(pb); mpc8_get_chunk_header(pb, &tag, &size); + if (size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid chunk length\n"); + return AVERROR_INVALIDDATA; + } if(tag == TAG_STREAMHDR) break; mpc8_handle_chunk(s, tag, pos, size); diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index b153727ac6..22fded6f52 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -70,20 +70,23 @@ static int mpegps_probe(AVProbeData *p) int i; int sys = 0, pspack = 0, priv1 = 0, vid = 0; int audio = 0, invalid = 0, score = 0; + int endpes = 0; for (i = 0; i < p->buf_size; i++) { code = (code << 8) + p->buf[i]; if ((code & 0xffffff00) == 0x100) { int len = p->buf[i + 1] << 8 | p->buf[i + 2]; - int pes = check_pes(p->buf + i, p->buf + p->buf_size); + int pes = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size); int pack = check_pack_header(p->buf + i); if (code == SYSTEM_HEADER_START_CODE) sys++; else if (code == PACK_START_CODE && pack) pspack++; - else if ((code & 0xf0) == VIDEO_ID && pes) + else if ((code & 0xf0) == VIDEO_ID && pes) { + endpes = i + len; vid++; + } // skip pes payload to avoid start code emulation for private // and audio streams else if ((code & 0xe0) == AUDIO_ID && pes) {audio++; i+=len;} @@ -107,7 +110,7 @@ static int mpegps_probe(AVProbeData *p) : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg if ((!!vid ^ !!audio) && (audio > 4 || vid > 1) && !sys && !pspack && p->buf_size > 2048 && vid + audio > invalid) /* PES stream */ - return (audio > 12 || vid > 3 + 2 * invalid) ? AVPROBE_SCORE_EXTENSION + 2 + return (audio > 12 || vid > 6 + 2 * invalid) ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 02-Penguin.flac has sys:0 priv1:0 pspack:0 vid:0 audio:1 diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 2252b44949..c1ef22cc38 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -75,6 +75,9 @@ typedef void SetServiceCallback (void *opaque, int ret); typedef struct MpegTSSectionFilter { int section_index; int section_h_size; + int last_ver; + unsigned crc; + unsigned last_crc; uint8_t *section_buf; unsigned int check_crc : 1; unsigned int end_of_section_reached : 1; @@ -408,6 +411,9 @@ static void write_section_data(MpegTSContext *ts, MpegTSFilter *tss1, if (tss->check_crc) { crc_valid = !av_crc(av_crc_get_table(AV_CRC_32_IEEE), -1, tss->section_buf, tss->section_h_size); + if (tss->section_h_size >= 4) + tss->crc = AV_RB32(tss->section_buf + tss->section_h_size - 4); + if (crc_valid) { ts->crc_validity[ tss1->pid ] = 100; }else if (ts->crc_validity[ tss1->pid ] > -10) { @@ -415,8 +421,11 @@ static void write_section_data(MpegTSContext *ts, MpegTSFilter *tss1, }else crc_valid = 2; } - if (crc_valid) + if (crc_valid) { tss->section_cb(tss1, tss->section_buf, tss->section_h_size); + if (crc_valid != 1) + tss->last_ver = -1; + } } } @@ -459,6 +468,8 @@ static MpegTSFilter *mpegts_open_section_filter(MpegTSContext *ts, sec->opaque = opaque; sec->section_buf = av_malloc(MAX_SECTION_SIZE); sec->check_crc = check_crc; + sec->last_ver = -1; + if (!sec->section_buf) { av_free(filter); return NULL; @@ -565,6 +576,17 @@ typedef struct SectionHeader { uint8_t last_sec_num; } SectionHeader; +static int skip_identical(const SectionHeader *h, MpegTSSectionFilter *tssf) +{ + if (h->version == tssf->last_ver && tssf->last_crc == tssf->crc) + return 1; + + tssf->last_ver = h->version; + tssf->last_crc = tssf->crc; + + return 0; +} + static inline int get8(const uint8_t **pp, const uint8_t *p_end) { const uint8_t *p; @@ -858,8 +880,12 @@ static int read_sl_header(PESContext *pes, SLConfigDescr *sl, int padding_flag = 0, padding_bits = 0, inst_bitrate_flag = 0; int dts_flag = -1, cts_flag = -1; int64_t dts = AV_NOPTS_VALUE, cts = AV_NOPTS_VALUE; + uint8_t buf_padded[128 + FF_INPUT_BUFFER_PADDING_SIZE]; + int buf_padded_size = FFMIN(buf_size, sizeof(buf_padded) - FF_INPUT_BUFFER_PADDING_SIZE); - init_get_bits(&gb, buf, buf_size * 8); + memcpy(buf_padded, buf, buf_padded_size); + + init_get_bits(&gb, buf_padded, buf_padded_size * 8); if (sl->use_au_start) au_start_flag = get_bits1(&gb); @@ -1433,6 +1459,7 @@ static void m4sl_cb(MpegTSFilter *filter, const uint8_t *section, int section_len) { MpegTSContext *ts = filter->u.section_filter.opaque; + MpegTSSectionFilter *tssf = &filter->u.section_filter; SectionHeader h; const uint8_t *p, *p_end; AVIOContext pb; @@ -1447,6 +1474,8 @@ static void m4sl_cb(MpegTSFilter *filter, const uint8_t *section, return; if (h.tid != M4OD_TID) return; + if (skip_identical(&h, tssf)) + return; mp4_read_od(s, p, (unsigned) (p_end - p), mp4_descr, &mp4_descr_count, MAX_MP4_DESCR_COUNT); @@ -1544,7 +1573,9 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, AVStream *st, int stream_type case 0x1F: /* FMC descriptor */ get16(pp, desc_end); if (mp4_descr_count > 0 && - (st->codec->codec_id == AV_CODEC_ID_AAC_LATM || st->request_probe > 0) && + (st->codec->codec_id == AV_CODEC_ID_AAC_LATM || + (st->request_probe == 0 && st->codec->codec_id == AV_CODEC_ID_NONE) || + st->request_probe > 0) && mp4_descr->dec_config_descr_len && mp4_descr->es_id == pid) { AVIOContext pb; ffio_init_context(&pb, mp4_descr->dec_config_descr, @@ -1691,8 +1722,11 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, AVStream *st, int stream_type case 0x05: /* registration descriptor */ st->codec->codec_tag = bytestream_get_le32(pp); av_dlog(fc, "reg_desc=%.4s\n", (char *)&st->codec->codec_tag); - if (st->codec->codec_id == AV_CODEC_ID_NONE) + if (st->codec->codec_id == AV_CODEC_ID_NONE) { mpegts_find_stream_type(st, st->codec->codec_tag, REGD_types); + if (st->codec->codec_tag == MKTAG('B', 'S', 'S', 'D')) + st->request_probe = 50; + } break; case 0x52: /* stream identifier descriptor */ st->stream_identifier = 1 + get8(pp, desc_end); @@ -1716,6 +1750,7 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, AVStream *st, int stream_type static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len) { MpegTSContext *ts = filter->u.section_filter.opaque; + MpegTSSectionFilter *tssf = &filter->u.section_filter; SectionHeader h1, *h = &h1; PESContext *pes; AVStream *st; @@ -1735,6 +1770,8 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len p = section; if (parse_section_header(h, &p, p_end) < 0) return; + if (skip_identical(h, tssf)) + return; av_dlog(ts->stream, "sid=0x%x sec_num=%d/%d\n", h->id, h->sec_num, h->last_sec_num); @@ -1882,6 +1919,7 @@ out: static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len) { MpegTSContext *ts = filter->u.section_filter.opaque; + MpegTSSectionFilter *tssf = &filter->u.section_filter; SectionHeader h1, *h = &h1; const uint8_t *p, *p_end; int sid, pmt_pid; @@ -1899,6 +1937,8 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len if (ts->skip_changes) return; + if (skip_identical(h, tssf)) + return; ts->stream->ts_id = h->id; clear_programs(ts); @@ -1952,6 +1992,7 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len) { MpegTSContext *ts = filter->u.section_filter.opaque; + MpegTSSectionFilter *tssf = &filter->u.section_filter; SectionHeader h1, *h = &h1; const uint8_t *p, *p_end, *desc_list_end, *desc_end; int onid, val, sid, desc_list_len, desc_tag, desc_len, service_type; @@ -1968,6 +2009,9 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len return; if (ts->skip_changes) return; + if (skip_identical(h, tssf)) + return; + onid = get16(&p, p_end); if (onid < 0) return; @@ -1994,7 +2038,7 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len break; desc_len = get8(&p, desc_list_end); desc_end = p + desc_len; - if (desc_end > desc_list_end) + if (desc_len < 0 || desc_end > desc_list_end) break; av_dlog(ts->stream, "tag: 0x%02x len=%d\n", @@ -2269,6 +2313,8 @@ static int handle_packets(MpegTSContext *ts, int64_t nb_packets) av_buffer_unref(&pes->buffer); pes->data_index = 0; pes->state = MPEGTS_SKIP; /* skip until pes header */ + } else if (ts->pids[i]->type == MPEGTS_SECTION) { + ts->pids[i]->u.section_filter.last_ver = -1; } ts->pids[i]->last_cc = -1; ts->pids[i]->last_pcr = -1; diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 0184d87149..f58b3d36a1 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -738,11 +738,11 @@ static int mpegts_write_header(AVFormatContext *s) ts_st = pcr_st->priv_data; if (ts->mux_rate > 1) { - service->pcr_packet_period = (ts->mux_rate * ts->pcr_period) / + service->pcr_packet_period = (int64_t)ts->mux_rate * ts->pcr_period / (TS_PACKET_SIZE * 8 * 1000); - ts->sdt_packet_period = (ts->mux_rate * SDT_RETRANS_TIME) / + ts->sdt_packet_period = (int64_t)ts->mux_rate * SDT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); - ts->pat_packet_period = (ts->mux_rate * PAT_RETRANS_TIME) / + ts->pat_packet_period = (int64_t)ts->mux_rate * PAT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); if (ts->copyts < 1) diff --git a/libavformat/mtv.c b/libavformat/mtv.c index 1d5f26673a..addad24440 100644 --- a/libavformat/mtv.c +++ b/libavformat/mtv.c @@ -112,7 +112,7 @@ static int mtv_read_header(AVFormatContext *s) mtv->audio_identifier = avio_rl24(pb); mtv->audio_br = avio_rl16(pb); mtv->img_colorfmt = avio_rl24(pb); - mtv->img_bpp = avio_r8(pb)>>3; + mtv->img_bpp = avio_r8(pb); mtv->img_width = avio_rl16(pb); mtv->img_height = avio_rl16(pb); mtv->img_segment_size = avio_rl16(pb); @@ -128,17 +128,17 @@ static int mtv_read_header(AVFormatContext *s) /* Calculate width and height if missing from header */ - if(!mtv->img_width && mtv->img_height) - mtv->img_width=mtv->img_segment_size / (mtv->img_bpp) + if (!mtv->img_width && mtv->img_height > 0 && mtv->img_bpp >= 8) + mtv->img_width=mtv->img_segment_size / (mtv->img_bpp>>3) / mtv->img_height; - if(!mtv->img_height && mtv->img_width) - mtv->img_height=mtv->img_segment_size / (mtv->img_bpp) + if (!mtv->img_height && mtv->img_width > 0 && mtv->img_bpp >= 8) + mtv->img_height=mtv->img_segment_size / (mtv->img_bpp>>3) / mtv->img_width; if(!mtv->img_height || !mtv->img_width || !mtv->img_segment_size){ av_log(s, AV_LOG_ERROR, "width or height or segment_size is invalid and I cannot calculate them from other information\n"); - return AVERROR(EINVAL); + return AVERROR_INVALIDDATA; } avio_skip(pb, 4); diff --git a/libavformat/mux.c b/libavformat/mux.c index 55add43ebb..c337377393 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -991,6 +991,8 @@ int ff_write_chained(AVFormatContext *dst, int dst_stream, AVPacket *pkt, if (interleave) ret = av_interleaved_write_frame(dst, &local_pkt); else ret = av_write_frame(dst, &local_pkt); pkt->buf = local_pkt.buf; + pkt->side_data = local_pkt.side_data; + pkt->side_data_elems = local_pkt.side_data_elems; pkt->destruct = local_pkt.destruct; return ret; } diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 6e7c3ffd11..609095286d 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -327,6 +327,8 @@ static int mv_read_header(AVFormatContext *avctx) uint32_t pos = avio_rb32(pb); uint32_t asize = avio_rb32(pb); uint32_t vsize = avio_rb32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); @@ -394,7 +396,7 @@ static int mv_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVStream *st = avctx->streams[mv->stream_index]; const AVIndexEntry *index; int frame = mv->frame[mv->stream_index]; - int ret; + int64_t ret; uint64_t pos; if (frame < st->nb_index_entries) { diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 7a4633feb6..2e5056ffe7 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -421,7 +421,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U avpriv_request_sample(pb, "Primer pack item length %d", item_len); return AVERROR_PATCHWELCOME; } - if (item_num > 65536) { + if (item_num > 65536 || item_num < 0) { av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); return AVERROR_INVALIDDATA; } @@ -762,6 +762,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); + if(segment->nb_index_entries && length < 11) + return AVERROR_INVALIDDATA; if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || @@ -769,6 +771,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg return AVERROR(ENOMEM); for (i = 0; i < segment->nb_index_entries; i++) { + if(avio_feof(pb)) + return AVERROR_INVALIDDATA; segment->temporal_offset_entries[i] = avio_r8(pb); avio_r8(pb); /* KeyFrameOffset */ segment->flag_entries[i] = avio_r8(pb); @@ -988,7 +992,7 @@ static const MXFCodecUL mxf_sound_essence_container_uls[] = { static const MXFCodecUL mxf_data_essence_container_uls[] = { { { 0x06,0x0e,0x2b,0x34,0x04,0x01,0x01,0x09,0x0d,0x01,0x03,0x01,0x02,0x0e,0x00,0x00 }, 16, 0 }, - { { 0x06,0x0e,0x2b,0x34,0x04,0x01,0x01,0x09,0x0d,0x01,0x03,0x01,0x02,0x0e,0x00,0x00 }, 16, AV_CODEC_ID_NONE }, + { { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, 0, AV_CODEC_ID_NONE }, }; static const char* const mxf_data_essence_descriptor[] = { diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 6a6b7c2079..7ffd6b65f7 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1730,9 +1730,10 @@ static int mxf_write_header(AVFormatContext *s) return ret; sc->video_bit_rate = st->codec->bit_rate ? st->codec->bit_rate : st->codec->rc_max_rate; if (s->oformat == &ff_mxf_d10_muxer) { - if (sc->video_bit_rate == 50000000) { - if (mxf->time_base.den == 25) sc->index = 3; - else sc->index = 5; + if ((sc->video_bit_rate == 50000000) && (mxf->time_base.den == 25)) { + sc->index = 3; + } else if ((sc->video_bit_rate == 49999840 || sc->video_bit_rate == 50000000) && (mxf->time_base.den != 25)) { + sc->index = 5; } else if (sc->video_bit_rate == 40000000) { if (mxf->time_base.den == 25) sc->index = 7; else sc->index = 9; @@ -2006,6 +2007,10 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket *pkt) } mxf->edit_units_count++; } else if (!mxf->edit_unit_byte_count && st->index == 1) { + if (!mxf->edit_units_count) { + av_log(s, AV_LOG_ERROR, "No packets in first stream\n"); + return AVERROR_PATCHWELCOME; + } mxf->index_entries[mxf->edit_units_count-1].slice_offset = mxf->body_offset - mxf->index_entries[mxf->edit_units_count-1].offset; } diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 05dfd539e4..fb36cace0d 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); - for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size; + } if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { diff --git a/libavformat/nut.h b/libavformat/nut.h index 943081caf6..0c678a51b9 100644 --- a/libavformat/nut.h +++ b/libavformat/nut.h @@ -102,6 +102,7 @@ typedef struct NUTContext { unsigned int max_distance; unsigned int time_base_count; int64_t last_syncpoint_pos; + int64_t last_resync_pos; int header_count; AVRational *time_base; struct AVTreeNode *syncpoints; diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 1b00cdb954..df371dacb0 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -47,11 +47,15 @@ static int get_str(AVIOContext *bc, char *string, unsigned int maxlen) while (len > maxlen) { avio_r8(bc); len--; + if (bc->eof_reached) + len = maxlen; } if (maxlen) string[FFMIN(len, maxlen - 1)] = 0; + if (bc->eof_reached) + return AVERROR_EOF; if (maxlen == len) return -1; else @@ -211,8 +215,11 @@ static int skip_reserved(AVIOContext *bc, int64_t pos) avio_seek(bc, pos, SEEK_CUR); return AVERROR_INVALIDDATA; } else { - while (pos--) + while (pos--) { + if (bc->eof_reached) + return AVERROR_INVALIDDATA; avio_r8(bc); + } return 0; } } @@ -291,10 +298,15 @@ static int decode_main_header(NUTContext *nut) if (tmp_fields > 7) tmp_head_idx = ffio_read_varlen(bc); - while (tmp_fields-- > 8) + while (tmp_fields-- > 8) { + if (bc->eof_reached) { + av_log(s, AV_LOG_ERROR, "reached EOF while decoding main header\n"); + return AVERROR_INVALIDDATA; + } ffio_read_varlen(bc); + } - if (count == 0 || i + count > 256) { + if (count <= 0 || count > 256 - (i <= 'N') - i) { av_log(s, AV_LOG_ERROR, "illegal count %d at %d\n", count, i); return AVERROR_INVALIDDATA; } @@ -480,7 +492,7 @@ static int decode_info_header(NUTContext *nut) AVIOContext *bc = s->pb; uint64_t tmp, chapter_start, chapter_len; unsigned int stream_id_plus1, count; - int chapter_id, i; + int chapter_id, i, ret; int64_t value, end; char name[256], str_value[1024], type_str[256]; const char *type; @@ -505,6 +517,10 @@ static int decode_info_header(NUTContext *nut) nut->time_base[chapter_start % nut->time_base_count], start, start + chapter_len, NULL); + if (!chapter) { + av_log(s, AV_LOG_ERROR, "Could not create chapter.\n"); + return AVERROR(ENOMEM); + } metadata = &chapter->metadata; } else if (stream_id_plus1) { st = s->streams[stream_id_plus1 - 1]; @@ -518,8 +534,14 @@ static int decode_info_header(NUTContext *nut) } for (i = 0; i < count; i++) { - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while decoding info header\n"); + return ret; + } value = get_s(bc); + str_value[0] = 0; + if (value == -1) { type = "UTF-8"; get_str(bc, str_value, sizeof(str_value)); @@ -553,7 +575,8 @@ static int decode_info_header(NUTContext *nut) if (stream_id_plus1 && !strcmp(name, "r_frame_rate")) { sscanf(str_value, "%d/%d", &st->r_frame_rate.num, &st->r_frame_rate.den); - if (st->r_frame_rate.num >= 1000LL*st->r_frame_rate.den) + if (st->r_frame_rate.num >= 1000LL*st->r_frame_rate.den || + st->r_frame_rate.num < 0 || st->r_frame_rate.num < 0) st->r_frame_rate.num = st->r_frame_rate.den = 0; continue; } @@ -697,6 +720,10 @@ static int find_and_decode_index(NUTContext *nut) has_keyframe[n++] = flag; has_keyframe[n++] = !flag; } else { + if (x <= 1) { + av_log(s, AV_LOG_ERROR, "index: x %"PRIu64" is invalid\n", x); + goto fail; + } while (x != 1) { if (n >= syncpoint_count + 1) { av_log(s, AV_LOG_ERROR, "index overflow B\n"); @@ -740,12 +767,26 @@ fail: return ret; } +static int nut_read_close(AVFormatContext *s) +{ + NUTContext *nut = s->priv_data; + int i; + + av_freep(&nut->time_base); + av_freep(&nut->stream); + ff_nut_free_sp(nut); + for (i = 1; i < nut->header_count; i++) + av_freep(&nut->header[i]); + + return 0; +} + static int nut_read_header(AVFormatContext *s) { NUTContext *nut = s->priv_data; AVIOContext *bc = s->pb; int64_t pos; - int initialized_stream_count; + int initialized_stream_count, ret = 0; nut->avf = s; @@ -755,7 +796,7 @@ static int nut_read_header(AVFormatContext *s) pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); - return AVERROR_INVALIDDATA; + goto fail; } } while (decode_main_header(nut) < 0); @@ -765,7 +806,7 @@ static int nut_read_header(AVFormatContext *s) pos = find_startcode(bc, STREAM_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "Not all stream headers found.\n"); - return AVERROR_INVALIDDATA; + goto fail; } if (decode_stream_header(nut) >= 0) initialized_stream_count++; @@ -779,7 +820,7 @@ static int nut_read_header(AVFormatContext *s) if (startcode == 0) { av_log(s, AV_LOG_ERROR, "EOF before video frames\n"); - return AVERROR_INVALIDDATA; + goto fail; } else if (startcode == SYNCPOINT_STARTCODE) { nut->next_startcode = startcode; break; @@ -801,7 +842,14 @@ static int nut_read_header(AVFormatContext *s) ff_metadata_conv_ctx(s, NULL, ff_nut_metadata_conv); - return 0; +end: + if (ret < 0) + nut_read_close(s); + return FFMIN(ret, 0); +fail: + nut_read_close(s); + + return AVERROR_INVALIDDATA; } static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int is_meta, int64_t maxpos) @@ -814,14 +862,18 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int int sample_rate = 0; int width = 0; int height = 0; - int i; + int i, ret; for (i=0; i= maxpos) return AVERROR_INVALIDDATA; - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while reading sm data\n"); + return ret; + } value = get_s(bc); if (value == -1) { @@ -833,7 +885,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int get_str(bc, type_str, sizeof(type_str)); value_len = ffio_read_varlen(bc); - if (avio_tell(bc) + value_len >= maxpos) + if (value_len < 0 || value_len >= maxpos - avio_tell(bc)) return AVERROR_INVALIDDATA; if (!strcmp(name, "Palette")) { dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len); @@ -911,6 +963,9 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int AV_WL32(dst+4, skip_end); } + if (avio_tell(bc) >= maxpos) + return AVERROR_INVALIDDATA; + return 0; } @@ -964,8 +1019,13 @@ static int decode_frame_header(NUTContext *nut, int64_t *pts, int *stream_id, *header_idx = ffio_read_varlen(bc); if (flags & FLAG_RESERVED) reserved_count = ffio_read_varlen(bc); - for (i = 0; i < reserved_count; i++) + for (i = 0; i < reserved_count; i++) { + if (bc->eof_reached) { + av_log(s, AV_LOG_ERROR, "reached EOF while decoding frame header\n"); + return AVERROR_INVALIDDATA; + } ffio_read_varlen(bc); + } if (*header_idx >= (unsigned)nut->header_count) { av_log(s, AV_LOG_ERROR, "header_idx invalid\n"); @@ -994,11 +1054,10 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) { AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; - int size, stream_id, discard; + int size, stream_id, discard, ret; int64_t pts, last_IP_pts; StreamContext *stc; uint8_t header_idx; - int ret; size = decode_frame_header(nut, &pts, &stream_id, &header_idx, frame_code); if (size < 0) @@ -1020,9 +1079,11 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) return 1; } - if (av_new_packet(pkt, size + nut->header_len[header_idx]) < 0) - return AVERROR(ENOMEM); - memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); + ret = av_new_packet(pkt, size + nut->header_len[header_idx]); + if (ret < 0) + return ret; + if (nut->header[header_idx]) + memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; @@ -1098,7 +1159,8 @@ static int nut_read_packet(AVFormatContext *s, AVPacket *pkt) default: resync: av_log(s, AV_LOG_DEBUG, "syncing from %"PRId64"\n", pos); - tmp = find_any_startcode(bc, nut->last_syncpoint_pos + 1); + tmp = find_any_startcode(bc, FFMAX(nut->last_syncpoint_pos, nut->last_resync_pos) + 1); + nut->last_resync_pos = avio_tell(bc); if (tmp == 0) return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "sync\n"); @@ -1192,25 +1254,14 @@ static int read_seek(AVFormatContext *s, int stream_index, av_log(NULL, AV_LOG_DEBUG, "SEEKTO: %"PRId64"\n", pos2); pos = find_startcode(s->pb, SYNCPOINT_STARTCODE, pos2); avio_seek(s->pb, pos, SEEK_SET); + nut->last_syncpoint_pos = pos; av_log(NULL, AV_LOG_DEBUG, "SP: %"PRId64"\n", pos); if (pos2 > pos || pos2 + 15 < pos) av_log(NULL, AV_LOG_ERROR, "no syncpoint at backptr pos\n"); for (i = 0; i < s->nb_streams; i++) nut->stream[i].skip_until_key_frame = 1; - return 0; -} - -static int nut_read_close(AVFormatContext *s) -{ - NUTContext *nut = s->priv_data; - int i; - - av_freep(&nut->time_base); - av_freep(&nut->stream); - ff_nut_free_sp(nut); - for (i = 1; i < nut->header_count; i++) - av_freep(&nut->header[i]); + nut->last_resync_pos = 0; return 0; } diff --git a/libavformat/nuv.c b/libavformat/nuv.c index e7f0eeae8e..f1bc93e2f8 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -171,6 +171,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0.9999 && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); + if (fps < 0.0f) { + if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); + return AVERROR_INVALIDDATA; + } else { + av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); + fps = 0.0f; + } + } // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 8f146e49fe..4c68b3d4a8 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -619,6 +619,8 @@ static int ogg_get_length(AVFormatContext *s) int64_t pts; if (i < 0) continue; pts = ogg_calc_pts(s, i, NULL); + if (s->streams[i]->duration == AV_NOPTS_VALUE) + continue; if (pts != AV_NOPTS_VALUE && s->streams[i]->start_time == AV_NOPTS_VALUE && !ogg->streams[i].got_start) { s->streams[i]->duration -= pts; ogg->streams[i].got_start= 1; @@ -677,13 +679,16 @@ static int ogg_read_header(AVFormatContext *s) if (ogg->streams[i].header < 0) { av_log(s, AV_LOG_ERROR, "Header parsing failed for stream %d\n", i); ogg->streams[i].codec = NULL; + av_freep(&ogg->streams[i].private); } else if (os->codec && os->nb_header < os->codec->nb_header) { av_log(s, AV_LOG_WARNING, "Headers mismatch for stream %d: " "expected %d received %d.\n", i, os->codec->nb_header, os->nb_header); - if (s->error_recognition & AV_EF_EXPLODE) + if (s->error_recognition & AV_EF_EXPLODE) { + ogg_read_close(s); return AVERROR_INVALIDDATA; + } } if (os->start_granule != OGG_NOGRANULE_VALUE) os->lastpts = s->streams[i]->start_time = diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index 7dc7716036..c52604f644 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -161,6 +161,11 @@ ogg_gptopts (AVFormatContext * s, int i, uint64_t gp, int64_t *dts) if (dts) *dts = pts; } + if (pts > INT64_MAX && pts != AV_NOPTS_VALUE) { + // The return type is unsigned, we thus cannot return negative pts + av_log(s, AV_LOG_ERROR, "invalid pts %"PRId64"\n", pts); + pts = AV_NOPTS_VALUE; + } return pts; } diff --git a/libavformat/oggenc.c b/libavformat/oggenc.c index 4a54126f8f..e87cbba231 100644 --- a/libavformat/oggenc.c +++ b/libavformat/oggenc.c @@ -257,7 +257,7 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, if (i == total_segments) page->granule = granule; - if (!header) { + { AVStream *st = s->streams[page->stream_index]; int64_t start = av_rescale_q(page->start_granule, st->time_base, @@ -265,10 +265,13 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, int64_t next = av_rescale_q(page->granule, st->time_base, AV_TIME_BASE_Q); - if (page->segments_count == 255 || - (ogg->pref_size > 0 && page->size >= ogg->pref_size) || - (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + if (page->segments_count == 255) { ogg_buffer_page(s, oggstream); + } else if (!header) { + if ((ogg->pref_size > 0 && page->size >= ogg->pref_size) || + (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + ogg_buffer_page(s, oggstream); + } } } } @@ -279,16 +282,18 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, return 0; } -static uint8_t *ogg_write_vorbiscomment(int offset, int bitexact, +static uint8_t *ogg_write_vorbiscomment(int64_t offset, int bitexact, int *header_len, AVDictionary **m, int framing_bit) { const char *vendor = bitexact ? "ffmpeg" : LIBAVFORMAT_IDENT; - int size; + int64_t size; uint8_t *p, *p0; ff_metadata_conv(m, ff_vorbiscomment_metadata_conv, NULL); size = offset + ff_vorbiscomment_length(*m, vendor) + framing_bit; + if (size > INT_MAX) + return NULL; p = av_mallocz(size); if (!p) return NULL; diff --git a/libavformat/oggparsecelt.c b/libavformat/oggparsecelt.c index 2c0c511c7b..6880314055 100644 --- a/libavformat/oggparsecelt.c +++ b/libavformat/oggparsecelt.c @@ -65,9 +65,14 @@ static int celt_header(AVFormatContext *s, int idx) st->codec->channels = nb_channels; if (sample_rate) avpriv_set_pts_info(st, 64, 1, sample_rate); - priv->extra_headers_left = 1 + extra_headers; - av_free(os->private); + + if (os->private) { + av_free(priv); + priv = os->private; + } os->private = priv; + priv->extra_headers_left = 1 + extra_headers; + AV_WL32(st->codec->extradata + 0, overlap); AV_WL32(st->codec->extradata + 4, version); return 1; diff --git a/libavformat/oggparsedirac.c b/libavformat/oggparsedirac.c index 73bc495aa8..26d42f302f 100644 --- a/libavformat/oggparsedirac.c +++ b/libavformat/oggparsedirac.c @@ -31,14 +31,19 @@ static int dirac_header(AVFormatContext *s, int idx) AVStream *st = s->streams[idx]; dirac_source_params source; GetBitContext gb; + int ret; // already parsed the header if (st->codec->codec_id == AV_CODEC_ID_DIRAC) return 0; - init_get_bits(&gb, os->buf + os->pstart + 13, (os->psize - 13) * 8); - if (avpriv_dirac_parse_sequence_header(st->codec, &gb, &source) < 0) - return -1; + ret = init_get_bits8(&gb, os->buf + os->pstart + 13, (os->psize - 13)); + if (ret < 0) + return ret; + + ret = avpriv_dirac_parse_sequence_header(st->codec, &gb, &source); + if (ret < 0) + return ret; st->codec->codec_type = AVMEDIA_TYPE_VIDEO; st->codec->codec_id = AV_CODEC_ID_DIRAC; diff --git a/libavformat/oggparseopus.c b/libavformat/oggparseopus.c index c8b02fab4d..8bb2a41366 100644 --- a/libavformat/oggparseopus.c +++ b/libavformat/oggparseopus.c @@ -117,6 +117,10 @@ static int opus_packet(AVFormatContext *avf, int idx) if (!os->psize) return AVERROR_INVALIDDATA; + if (os->granule > (1LL << 62)) { + av_log(avf, AV_LOG_ERROR, "Unsupported huge granule pos %"PRId64 "\n", os->granule); + return AVERROR_INVALIDDATA; + } if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & OGG_FLAG_EOS)) { int seg, d; diff --git a/libavformat/oggparsespeex.c b/libavformat/oggparsespeex.c index 9b5c65f453..55bf72b221 100644 --- a/libavformat/oggparsespeex.c +++ b/libavformat/oggparsespeex.c @@ -74,6 +74,13 @@ static int speex_header(AVFormatContext *s, int idx) { spxp->packet_size = AV_RL32(p + 56); frames_per_packet = AV_RL32(p + 64); + if (spxp->packet_size < 0 || + frames_per_packet < 0 || + spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) { + av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet); + spxp->packet_size = 0; + return AVERROR_INVALIDDATA; + } if (frames_per_packet) spxp->packet_size *= frames_per_packet; diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c index 5959d32b6a..e3ca775d22 100644 --- a/libavformat/oggparsevp8.c +++ b/libavformat/oggparsevp8.c @@ -116,7 +116,7 @@ static int vp8_packet(AVFormatContext *s, int idx) os->lastpts = os->lastdts = vp8_gptopts(s, idx, os->granule, NULL) - duration; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; - if (s->streams[idx]->duration) + if (s->streams[idx]->duration && s->streams[idx]->duration != AV_NOPTS_VALUE) s->streams[idx]->duration -= s->streams[idx]->start_time; } } diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 9f3d3aa860..7cf1e1a4b2 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -174,7 +174,7 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size, taglen = AV_RB32(&enc_header[pos + 32]); datalen = AV_RB32(&enc_header[pos + 36]) >> 4; - pos += 44L + taglen; + pos += 44LL + taglen; if (pos + (((uint64_t)datalen) << 4) > size) return -1; @@ -464,7 +464,7 @@ static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { OMAContext *oc = s->priv_data; - int err = ff_pcm_read_seek(s, stream_index, timestamp, flags); + int64_t err = ff_pcm_read_seek(s, stream_index, timestamp, flags); if (!oc->encrypted) return err; diff --git a/libavformat/options_table.h b/libavformat/options_table.h index eb4115cd7b..f58e4bc399 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h @@ -91,8 +91,10 @@ static const AVOption avformat_options[] = { {"max_interleave_delta", "maximum buffering duration for interleaving", OFFSET(max_interleave_delta), AV_OPT_TYPE_INT64, { .i64 = 10000000 }, 0, INT64_MAX, E }, {"f_strict", "how strictly to follow the standards (deprecated; use strict, save via avconv)", OFFSET(strict_std_compliance), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, D|E, "strict"}, {"strict", "how strictly to follow the standards", OFFSET(strict_std_compliance), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, D|E, "strict"}, +{"very", "strictly conform to a older more strict version of the spec or reference software", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_VERY_STRICT }, INT_MIN, INT_MAX, D|E, "strict"}, {"strict", "strictly conform to all the things in the spec no matter what the consequences", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_STRICT }, INT_MIN, INT_MAX, D|E, "strict"}, {"normal", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_NORMAL }, INT_MIN, INT_MAX, D|E, "strict"}, +{"unofficial", "allow unofficial extensions", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_UNOFFICIAL }, INT_MIN, INT_MAX, D|E, "strict"}, {"experimental", "allow non-standardized experimental variants", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_EXPERIMENTAL }, INT_MIN, INT_MAX, D|E, "strict"}, {"max_ts_probe", "maximum number of packets to read while waiting for the first timestamp", OFFSET(max_ts_probe), AV_OPT_TYPE_INT, { .i64 = 50 }, 0, INT_MAX, D }, {NULL}, diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index ca9b2829d6..b747bbd014 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -186,10 +186,10 @@ static int mjpeg_probe(AVProbeData *p) } if (nb_invalid*4 + 1 < nb_frames) { - static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n\r\n"; + static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n"; int i; - for (i=0; ibuf_size - sizeof(ct_jpeg), 100); i++) + for (i=0; ibuf_size - (int)sizeof(ct_jpeg), 100); i++) if (!memcmp(p->buf + i, ct_jpeg, sizeof(ct_jpeg) - 1)) return AVPROBE_SCORE_EXTENSION; diff --git a/libavformat/rdt.c b/libavformat/rdt.c index e8dc8f5892..b3c6160b49 100644 --- a/libavformat/rdt.c +++ b/libavformat/rdt.c @@ -132,7 +132,7 @@ static int rdt_load_mdpr (PayloadContext *rdt, AVStream *st, int rule_nr) { AVIOContext pb; - int size; + unsigned int size; uint32_t tag; /** diff --git a/libavformat/riff.h b/libavformat/riff.h index 88a77b07c8..e045bb84e8 100644 --- a/libavformat/riff.h +++ b/libavformat/riff.h @@ -62,7 +62,7 @@ void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, const AVCodecTag *t int ff_put_wav_header(AVIOContext *pb, AVCodecContext *enc, int flags); enum AVCodecID ff_wav_codec_get_id(unsigned int tag, int bps); -int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size); +int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, AVCodecContext *codec, int size); extern const AVCodecTag ff_codec_bmp_tags[]; // exposed through avformat_get_riff_video_tags() extern const AVCodecTag ff_codec_wav_tags[]; diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 09fee9d603..3d4d5d09a2 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -80,7 +80,8 @@ static void parse_waveformatex(AVIOContext *pb, AVCodecContext *c) } } -int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) +int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, + AVCodecContext *codec, int size) { int id; @@ -90,6 +91,14 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) codec->sample_rate = avio_rl32(pb); codec->bit_rate = avio_rl32(pb) * 8; codec->block_align = avio_rl16(pb); + if (codec->bit_rate < 0) { + av_log(s, AV_LOG_WARNING, + "Invalid bit rate: %d\n", codec->bit_rate); + if (s->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + codec->bit_rate = 0; + } if (size == 14) { /* We're dealing with plain vanilla WAVEFORMAT */ codec->bits_per_coded_sample = 8; } else @@ -122,7 +131,7 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) avio_skip(pb, size); } if (codec->sample_rate <= 0) { - av_log(NULL, AV_LOG_ERROR, + av_log(s, AV_LOG_ERROR, "Invalid sample rate: %d\n", codec->sample_rate); return AVERROR_INVALIDDATA; } diff --git a/libavformat/riffenc.c b/libavformat/riffenc.c index ef4d399030..2eb2ae1d0e 100644 --- a/libavformat/riffenc.c +++ b/libavformat/riffenc.c @@ -209,11 +209,15 @@ int ff_put_wav_header(AVIOContext *pb, AVCodecContext *enc, int flags) void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, const AVCodecTag *tags, int for_asf, int ignore_extradata) { + int keep_height = enc->extradata_size >= 9 && + !memcmp(enc->extradata + enc->extradata_size - 9, "BottomUp", 9); + int extradata_size = enc->extradata_size - 9*keep_height; + /* size */ - avio_wl32(pb, 40 + (ignore_extradata ? 0 : enc->extradata_size)); + avio_wl32(pb, 40 + (ignore_extradata ? 0 :extradata_size)); avio_wl32(pb, enc->width); //We always store RGB TopDown - avio_wl32(pb, enc->codec_tag ? enc->height : -enc->height); + avio_wl32(pb, enc->codec_tag || keep_height ? enc->height : -enc->height); /* planes */ avio_wl16(pb, 1); /* depth */ @@ -227,9 +231,9 @@ void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, avio_wl32(pb, 0); if (!ignore_extradata) { - avio_write(pb, enc->extradata, enc->extradata_size); + avio_write(pb, enc->extradata, extradata_size); - if (!for_asf && enc->extradata_size & 1) + if (!for_asf && extradata_size & 1) avio_w8(pb, 0); } } diff --git a/libavformat/rl2.c b/libavformat/rl2.c index d354339ea3..fe3658d88f 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c @@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) } /** read offset and size tables */ - for(i=0; i < frame_count;i++) + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0xFFFF; + } /** build the sample index */ for(i=0;i= 1<<24) + if (size >= 1<<24) { + av_log(avctx, AV_LOG_ERROR, "extradata size %u too large\n", size); return -1; + } if (ff_get_extradata(avctx, pb, size) < 0) return AVERROR(ENOMEM); return 0; @@ -303,15 +305,18 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, return 0; } -int -ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, - AVStream *st, RMStream *rst, int codec_data_size, const uint8_t *mime) +int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, + AVStream *st, RMStream *rst, + unsigned int codec_data_size, const uint8_t *mime) { unsigned int v; int size; int64_t codec_pos; int ret; + if (codec_data_size > INT_MAX) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); @@ -409,7 +414,11 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, skip: /* skip codec info */ size = avio_tell(pb) - codec_pos; - avio_skip(pb, codec_data_size - size); + if (codec_data_size >= size) { + avio_skip(pb, codec_data_size - size); + } else { + av_log(s, AV_LOG_WARNING, "codec_data_size %u < size %d\n", codec_data_size, size); + } return 0; } @@ -918,8 +927,9 @@ ff_rm_retrieve_cache (AVFormatContext *s, AVIOContext *pb, ast->deint_id == DEINT_ID_VBRS) av_get_packet(pb, pkt, ast->sub_packet_lengths[ast->sub_packet_cnt - rm->audio_pkt_cnt]); else { - if(av_new_packet(pkt, st->codec->block_align) < 0) - return AVERROR(ENOMEM); + int ret = av_new_packet(pkt, st->codec->block_align); + if (ret < 0) + return ret; memcpy(pkt->data, ast->pkt.data + st->codec->block_align * //FIXME avoid this (ast->sub_packet_h * ast->audio_framesize / st->codec->block_align - rm->audio_pkt_cnt), st->codec->block_align); diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c index 2e50ed338c..a22b01b4a0 100644 --- a/libavformat/rmenc.c +++ b/libavformat/rmenc.c @@ -44,6 +44,10 @@ typedef struct { /* in ms */ #define BUFFER_DURATION 0 +/* the header needs at most 7 + 4 + 12 B */ +#define MAX_HEADER_SIZE (7 + 4 + 12) +/* UINT16_MAX is the maximal chunk size */ +#define MAX_PACKET_SIZE (UINT16_MAX - MAX_HEADER_SIZE) static void put_str(AVIOContext *s, const char *tag) @@ -394,6 +398,10 @@ static int rm_write_video(AVFormatContext *s, const uint8_t *buf, int size, int /* Well, I spent some time finding the meaning of these bits. I am not sure I understood everything, but it works !! */ #if 1 + if (size > MAX_PACKET_SIZE) { + av_log(s, AV_LOG_ERROR, "Muxing packets larger than 64 kB (%d) is not supported\n", size); + return AVERROR_PATCHWELCOME; + } write_packet_header(s, stream, size + 7 + (size >= 0x4000)*4, key_frame); /* bit 7: '1' if final packet of a frame converted in several packets */ avio_w8(pb, 0x81); diff --git a/libavformat/rsd.c b/libavformat/rsd.c index bb2f3bc7a2..1eff5de7e6 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -70,7 +70,7 @@ static int rsd_read_header(AVFormatContext *s) codec->codec_tag = avio_rl32(pb); codec->codec_id = ff_codec_get_id(rsd_tags, codec->codec_tag); if (!codec->codec_id) { - char tag_buf[5]; + char tag_buf[32]; av_get_codec_tag_string(tag_buf, sizeof(tag_buf), codec->codec_tag); for (i=0; i < FF_ARRAY_ELEMS(rsd_unsupported_tags); i++) { diff --git a/libavformat/rtmpcrypt.c b/libavformat/rtmpcrypt.c index 2312527d37..fb46449a67 100644 --- a/libavformat/rtmpcrypt.c +++ b/libavformat/rtmpcrypt.c @@ -184,9 +184,14 @@ int ff_rtmpe_compute_secret_key(URLContext *h, const uint8_t *serverdata, static void rtmpe8_sig(const uint8_t *in, uint8_t *out, int key_id) { struct AVXTEA ctx; + uint8_t tmpbuf[8]; av_xtea_init(&ctx, rtmpe8_keys[key_id]); - av_xtea_crypt(&ctx, out, in, 1, NULL, 0); + AV_WB32(tmpbuf, AV_RL32(in)); + AV_WB32(tmpbuf + 4, AV_RL32(in + 4)); + av_xtea_crypt(&ctx, tmpbuf, tmpbuf, 1, NULL, 0); + AV_WL32(out, AV_RB32(tmpbuf)); + AV_WL32(out + 4, AV_RB32(tmpbuf + 4)); } static void rtmpe9_sig(const uint8_t *in, uint8_t *out, int key_id) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 92172dc366..461c9f45d8 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -235,6 +235,14 @@ static int rtmp_packet_read_one_chunk(URLContext *h, RTMPPacket *p, if (hdr != RTMP_PS_TWELVEBYTES) timestamp += prev_pkt[channel_id].timestamp; + if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) { + av_log(NULL, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n", + size, + prev_pkt[channel_id].size); + ff_rtmp_packet_destroy(&prev_pkt[channel_id]); + prev_pkt[channel_id].read = 0; + } + if (!prev_pkt[channel_id].read) { if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp, size)) < 0) @@ -418,96 +426,139 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt) pkt->size = 0; } -int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +static int amf_tag_skip(GetByteContext *gb) { - const uint8_t *base = data; AMFDataType type; unsigned nb = -1; int parse_key = 1; - if (data >= data_end) + if (bytestream2_get_bytes_left(gb) < 1) return -1; - switch ((type = *data++)) { - case AMF_DATA_TYPE_NUMBER: return 9; - case AMF_DATA_TYPE_BOOL: return 2; - case AMF_DATA_TYPE_STRING: return 3 + AV_RB16(data); - case AMF_DATA_TYPE_LONG_STRING: return 5 + AV_RB32(data); - case AMF_DATA_TYPE_NULL: return 1; + + type = bytestream2_get_byte(gb); + switch (type) { + case AMF_DATA_TYPE_NUMBER: + bytestream2_get_be64(gb); + return 0; + case AMF_DATA_TYPE_BOOL: + bytestream2_get_byte(gb); + return 0; + case AMF_DATA_TYPE_STRING: + bytestream2_skip(gb, bytestream2_get_be16(gb)); + return 0; + case AMF_DATA_TYPE_LONG_STRING: + bytestream2_skip(gb, bytestream2_get_be32(gb)); + return 0; + case AMF_DATA_TYPE_NULL: + return 0; case AMF_DATA_TYPE_ARRAY: parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: - nb = bytestream_get_be32(&data); + nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { int t; if (parse_key) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) { - data++; + bytestream2_get_byte(gb); break; } - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; + bytestream2_skip(gb, size); } - t = ff_amf_tag_size(data, data_end); - if (t < 0 || t >= data_end - data) + t = amf_tag_skip(gb); + if (t < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += t; } - return data - base; - case AMF_DATA_TYPE_OBJECT_END: return 1; + return 0; + case AMF_DATA_TYPE_OBJECT_END: return 0; default: return -1; } } -int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, +int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +{ + GetByteContext gb; + int ret; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + ret = amf_tag_skip(&gb); + if (ret < 0 || bytestream2_get_bytes_left(&gb) <= 0) + return -1; + av_assert0(bytestream2_tell(&gb) >= 0 && bytestream2_tell(&gb) <= data_end - data); + return bytestream2_tell(&gb); +} + +static int amf_get_field_value2(GetByteContext *gb, const uint8_t *name, uint8_t *dst, int dst_size) { int namelen = strlen(name); int len; - while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) { - len = ff_amf_tag_size(data, data_end); - if (len < 0) - len = data_end - data; - data += len; + while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) { + int ret = amf_tag_skip(gb); + if (ret < 0) + return -1; } - if (data_end - data < 3) + if (bytestream2_get_bytes_left(gb) < 3) return -1; - data++; + bytestream2_get_byte(gb); + for (;;) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) break; - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; - if (size == namelen && !memcmp(data-size, name, namelen)) { - switch (*data++) { + bytestream2_skip(gb, size); + if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) { + switch (bytestream2_get_byte(gb)) { case AMF_DATA_TYPE_NUMBER: - snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data))); + snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb))); break; case AMF_DATA_TYPE_BOOL: - snprintf(dst, dst_size, "%s", *data ? "true" : "false"); + snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? "true" : "false"); break; case AMF_DATA_TYPE_STRING: - len = bytestream_get_be16(&data); - av_strlcpy(dst, data, FFMIN(len+1, dst_size)); + len = bytestream2_get_be16(gb); + if (dst_size < 1) + return -1; + if (dst_size < len + 1) + len = dst_size - 1; + bytestream2_get_buffer(gb, dst, len); + dst[len] = 0; break; default: return -1; } return 0; } - len = ff_amf_tag_size(data, data_end); - if (len < 0 || len >= data_end - data) + len = amf_tag_skip(gb); + if (len < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += len; } return -1; } +int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, + const uint8_t *name, uint8_t *dst, int dst_size) +{ + GetByteContext gb; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + return amf_get_field_value2(&gb, name, dst, dst_size); +} + static const char* rtmp_packet_type(int type) { switch (type) { diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 8e196545de..1b0ae8ab29 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -97,7 +97,7 @@ int ff_wms_parse_sdp_a_line(AVFormatContext *s, const char *p) { int ret = 0; if (av_strstart(p, "pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,", &p)) { - AVIOContext pb; + AVIOContext pb = { 0 }; RTSPState *rt = s->priv_data; AVDictionary *opts = NULL; int len = strlen(p) * 6 / 8; diff --git a/libavformat/rtpdec_h263_rfc2190.c b/libavformat/rtpdec_h263_rfc2190.c index a2279013dc..8a36e5334c 100644 --- a/libavformat/rtpdec_h263_rfc2190.c +++ b/libavformat/rtpdec_h263_rfc2190.c @@ -83,6 +83,7 @@ static int h263_handle_packet(AVFormatContext *ctx, PayloadContext *data, avio_close_dyn_buf(data->buf, &p); av_free(p); data->buf = NULL; + data->endbyte_bits = 0; } if (len < 4) { diff --git a/libavformat/rtpdec_jpeg.c b/libavformat/rtpdec_jpeg.c index ccd80ad7e8..cefc00a370 100644 --- a/libavformat/rtpdec_jpeg.c +++ b/libavformat/rtpdec_jpeg.c @@ -207,16 +207,17 @@ static void create_default_qtables(uint8_t *qtables, uint8_t q) { int factor = q; int i; + uint16_t S; factor = av_clip(q, 1, 99); if (q < 50) - q = 5000 / factor; + S = 5000 / factor; else - q = 200 - factor * 2; + S = 200 - factor * 2; for (i = 0; i < 128; i++) { - int val = (default_quantizers[i] * q + 50) / 100; + int val = (default_quantizers[i] * S + 50) / 100; /* Limit the quantizers to 1 <= q <= 255. */ val = av_clip(val, 1, 255); diff --git a/libavformat/rtpdec_xiph.c b/libavformat/rtpdec_xiph.c index dc34f9e224..da9a1e2c22 100644 --- a/libavformat/rtpdec_xiph.c +++ b/libavformat/rtpdec_xiph.c @@ -112,7 +112,7 @@ static int xiph_handle_packet(AVFormatContext *ctx, PayloadContext *data, return data->split_pkts > 0; } - if (len < 6) { + if (len < 6 || len > INT_MAX/2) { av_log(ctx, AV_LOG_ERROR, "Invalid %d byte packet\n", len); return AVERROR_INVALIDDATA; } diff --git a/libavformat/rtpenc.c b/libavformat/rtpenc.c index 9c587d2dc5..c64e8ce936 100644 --- a/libavformat/rtpenc.c +++ b/libavformat/rtpenc.c @@ -282,7 +282,8 @@ static void rtcp_send_sr(AVFormatContext *s1, int64_t ntp_time, int bye) avio_w8(s1->pb, RTCP_SR); avio_wb16(s1->pb, 6); /* length in words - 1 */ avio_wb32(s1->pb, s->ssrc); - avio_wb64(s1->pb, NTP_TO_RTP_FORMAT(ntp_time)); + avio_wb32(s1->pb, ntp_time / 1000000); + avio_wb32(s1->pb, ((ntp_time % 1000000) << 32) / 1000000); avio_wb32(s1->pb, rtp_ts); avio_wb32(s1->pb, s->packet_count); avio_wb32(s1->pb, s->octet_count); @@ -566,10 +567,6 @@ static int rtp_write_packet(AVFormatContext *s1, AVPacket *pkt) const uint8_t *mb_info = av_packet_get_side_data(pkt, AV_PKT_DATA_H263_MB_INFO, &mb_info_size); - if (!mb_info) { - av_log(s1, AV_LOG_ERROR, "failed to allocate side data\n"); - return AVERROR(ENOMEM); - } ff_rtp_send_h263_rfc2190(s1, pkt->data, size, mb_info, mb_info_size); break; } diff --git a/libavformat/rtpenc_jpeg.c b/libavformat/rtpenc_jpeg.c index c35332953c..be7ba6190f 100644 --- a/libavformat/rtpenc_jpeg.c +++ b/libavformat/rtpenc_jpeg.c @@ -40,8 +40,8 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) s->timestamp = s->cur_timestamp; /* convert video pixel dimensions from pixels to blocks */ - w = s1->streams[0]->codec->width >> 3; - h = s1->streams[0]->codec->height >> 3; + w = (s1->streams[0]->codec->width + 7) >> 3; + h = (s1->streams[0]->codec->height + 7) >> 3; /* get the pixel format type or fail */ if (s1->streams[0]->codec->pix_fmt == AV_PIX_FMT_YUVJ422P || @@ -84,6 +84,11 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) } else if (buf[i + 1] == SOS) { /* SOS is last marker in the header */ i += AV_RB16(&buf[i + 2]) + 2; + if (i > size) { + av_log(s1, AV_LOG_ERROR, + "Insufficient data. Aborted!\n"); + return; + } break; } } diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index ce4763edee..03b9ac9578 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -931,6 +931,8 @@ static void rtsp_parse_transport(RTSPMessageHeader *reply, const char *p) p++; reply->nb_transports++; + if (reply->nb_transports >= RTSP_MAX_TRANSPORTS) + break; } } @@ -1150,6 +1152,8 @@ start: if (content_length > 0) { /* leave some room for a trailing '\0' (useful for simple parsing) */ content = av_malloc(content_length + 1); + if (!content) + return AVERROR(ENOMEM); ffurl_read_complete(rt->rtsp_hd, content, content_length); content[content_length] = '\0'; } diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 8c831f3607..bc27eae872 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -414,6 +414,19 @@ static char *sdp_write_media_attributes(char *buff, int size, AVCodecContext *c, payload_type, mode, config ? config : ""); break; } + case AV_CODEC_ID_H261: + { + const char *pic_fmt = NULL; + /* only QCIF and CIF are specified as supported in RFC 4587 */ + if (c->width == 176 && c->height == 144) + pic_fmt = "QCIF=1"; + if (c->width == 352 && c->height == 288) + pic_fmt = "CIF=1"; + av_strlcatf(buff, size, "a=rtpmap:%d H261/90000\r\n", payload_type); + if (pic_fmt) + av_strlcatf(buff, size, "a=fmtp:%d %s\r\n", payload_type, pic_fmt); + break; + } case AV_CODEC_ID_H263: case AV_CODEC_ID_H263P: /* a=framesize is required by 3GPP TS 26.234 (PSS). It diff --git a/libavformat/segment.c b/libavformat/segment.c index f35bbef8dc..7182b510f2 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -340,7 +340,7 @@ static int segment_end(AVFormatContext *s, int write_trailer, int is_last) if (seg->list_size && seg->segment_count >= seg->list_size) { entry = seg->segment_list_entries; seg->segment_list_entries = seg->segment_list_entries->next; - av_free(entry->filename); + av_freep(&entry->filename); av_freep(&entry); } @@ -498,10 +498,10 @@ static int open_null_ctx(AVIOContext **ctx) return 0; } -static void close_null_ctx(AVIOContext *pb) +static void close_null_ctxp(AVIOContext **pb) { - av_free(pb->buffer); - av_free(pb); + av_freep(&(*pb)->buffer); + av_freep(pb); } static int select_reference_stream(AVFormatContext *s) @@ -561,12 +561,20 @@ static int select_reference_stream(AVFormatContext *s) return 0; } +static void seg_free_context(SegmentContext *seg) +{ + avio_closep(&seg->list_pb); + avformat_free_context(seg->avf); + seg->avf = NULL; +} + static int seg_write_header(AVFormatContext *s) { SegmentContext *seg = s->priv_data; AVFormatContext *oc = NULL; AVDictionary *options = NULL; int ret; + int i; seg->segment_count = 0; if (!seg->write_header_trailer) @@ -672,11 +680,18 @@ static int seg_write_header(AVFormatContext *s) } seg->segment_frame_count = 0; + av_assert0(s->nb_streams == oc->nb_streams); + for (i = 0; i < s->nb_streams; i++) { + AVStream *inner_st = oc->streams[i]; + AVStream *outer_st = s->streams[i]; + avpriv_set_pts_info(outer_st, inner_st->pts_wrap_bits, inner_st->time_base.num, inner_st->time_base.den); + } + if (oc->avoid_negative_ts > 0 && s->avoid_negative_ts < 0) s->avoid_negative_ts = 1; if (!seg->write_header_trailer) { - close_null_ctx(oc->pb); + close_null_ctxp(&oc->pb); if ((ret = avio_open2(&oc->pb, oc->filename, AVIO_FLAG_WRITE, &s->interrupt_callback, NULL)) < 0) goto fail; @@ -684,12 +699,9 @@ static int seg_write_header(AVFormatContext *s) fail: av_dict_free(&options); - if (ret) { - if (seg->list) - avio_close(seg->list_pb); - if (seg->avf) - avformat_free_context(seg->avf); - } + if (ret < 0) + seg_free_context(seg); + return ret; } @@ -704,6 +716,9 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt) int64_t usecs; int64_t wrapped_val; + if (!seg->avf) + return AVERROR(EINVAL); + if (seg->times) { end_pts = seg->segment_count < seg->nb_times ? seg->times[seg->segment_count] : INT64_MAX; @@ -798,6 +813,9 @@ fail: seg->segment_frame_count++; } + if (ret < 0) + seg_free_context(seg); + return ret; } @@ -806,14 +824,17 @@ static int seg_write_trailer(struct AVFormatContext *s) SegmentContext *seg = s->priv_data; AVFormatContext *oc = seg->avf; SegmentListEntry *cur, *next; + int ret = 0; + + if (!oc) + goto fail; - int ret; if (!seg->write_header_trailer) { if ((ret = segment_end(s, 0, 1)) < 0) goto fail; open_null_ctx(&oc->pb); ret = av_write_trailer(oc); - close_null_ctx(oc->pb); + close_null_ctxp(&oc->pb); } else { ret = segment_end(s, 1, 1); } @@ -829,7 +850,7 @@ fail: cur = seg->segment_list_entries; while (cur) { next = cur->next; - av_free(cur->filename); + av_freep(&cur->filename); av_free(cur); cur = next; } diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 284cdc196a..de8bbdb07a 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s) smk->height = avio_rl32(pb); smk->frames = avio_rl32(pb); smk->pts_inc = (int32_t)avio_rl32(pb); + if (smk->pts_inc > INT_MAX / 100) { + av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc); + return AVERROR_INVALIDDATA; + } + smk->flags = avio_rl32(pb); if(smk->flags & SMACKER_FLAG_RING_FRAME) smk->frames++; @@ -321,7 +326,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) int err; size = avio_rl32(s->pb) - 4; - if (!size || size + 4L > frame_size) { + if (!size || size + 4LL > frame_size) { av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); return AVERROR_INVALIDDATA; } diff --git a/libavformat/smoothstreamingenc.c b/libavformat/smoothstreamingenc.c index d2b7c9e924..5c2d730081 100644 --- a/libavformat/smoothstreamingenc.c +++ b/libavformat/smoothstreamingenc.c @@ -34,6 +34,7 @@ #include "libavutil/opt.h" #include "libavutil/avstring.h" +#include "libavutil/file.h" #include "libavutil/mathematics.h" #include "libavutil/intreadwrite.h" @@ -282,8 +283,7 @@ static int write_manifest(AVFormatContext *s, int final) avio_printf(out, "\n"); avio_flush(out); avio_close(out); - rename(temp_filename, filename); - return 0; + return ff_rename(temp_filename, filename); } static int ism_write_header(AVFormatContext *s) @@ -539,8 +539,11 @@ static int ism_flush(AVFormatContext *s, int final) snprintf(header_filename, sizeof(header_filename), "%s/FragmentInfo(%s=%"PRIu64")", os->dirname, os->stream_type_tag, start_ts); snprintf(target_filename, sizeof(target_filename), "%s/Fragments(%s=%"PRIu64")", os->dirname, os->stream_type_tag, start_ts); copy_moof(s, filename, header_filename, moof_size); - rename(filename, target_filename); - add_fragment(os, target_filename, header_filename, start_ts, duration, start_pos, size); + ret = ff_rename(filename, target_filename); + if (ret < 0) + break; + add_fragment(os, target_filename, header_filename, start_ts, duration, + start_pos, size); } if (c->window_size || (final && c->remove_at_exit)) { diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 95faca6e48..517907d832 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -106,7 +106,7 @@ int ff_text_peek_r8(FFTextReader *r) } AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, - const uint8_t *event, int len, int merge) + const uint8_t *event, size_t len, int merge) { AVPacket *subs, *sub; @@ -300,7 +300,7 @@ int ff_smil_extract_next_text_chunk(FFTextReader *tr, AVBPrint *buf, char *c) const char *ff_smil_get_attr_ptr(const char *s, const char *attr) { int in_quotes = 0; - const int len = strlen(attr); + const size_t len = strlen(attr); while (*s) { while (*s) { diff --git a/libavformat/subtitles.h b/libavformat/subtitles.h index 903c24d9df..d400496f9f 100644 --- a/libavformat/subtitles.h +++ b/libavformat/subtitles.h @@ -114,7 +114,7 @@ typedef struct { * previous one instead of adding a new entry, 0 otherwise */ AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, - const uint8_t *event, int len, int merge); + const uint8_t *event, size_t len, int merge); /** * Set missing durations and sort subtitles by PTS, and then byte position. diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 528bc236f2..db683ac59b 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c @@ -90,10 +90,10 @@ retry: z->avail_out = buf_size; ret = inflate(z, Z_NO_FLUSH); - if (ret < 0) - return AVERROR(EINVAL); if (ret == Z_STREAM_END) return AVERROR_EOF; + if (ret != Z_OK) + return AVERROR(EINVAL); if (buf_size - z->avail_out == 0) goto retry; @@ -390,10 +390,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) } if (st->codec->pix_fmt != AV_PIX_FMT_NONE && st->codec->pix_fmt != pix_fmt) { av_log(s, AV_LOG_ERROR, "pixel format change unsupported\n"); - res = AVERROR_PATCHWELCOME; - goto bitmap_end; - } - st->codec->pix_fmt = pix_fmt; + }else + st->codec->pix_fmt = pix_fmt; if (linesize * height > pkt->size) { res = AVERROR_INVALIDDATA; diff --git a/libavformat/thp.c b/libavformat/thp.c index 714cec6cd3..91fa90f942 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -184,6 +184,8 @@ static int thp_read_packet(AVFormatContext *s, pkt->stream_index = thp->video_stream_index; } else { ret = av_get_packet(pb, pkt, thp->audiosize); + if (ret < 0) + return ret; if (ret != thp->audiosize) { av_free_packet(pkt); return AVERROR(EIO); diff --git a/libavformat/tta.c b/libavformat/tta.c index 7174fd5438..d3b3fb0471 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -118,8 +118,10 @@ static int tta_read_header(AVFormatContext *s) ffio_init_checksum(s->pb, tta_check_crc, UINT32_MAX); for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); - av_add_index_entry(st, framepos, i * c->frame_size, size, 0, - AVINDEX_KEYFRAME); + int r; + if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + AVINDEX_KEYFRAME)) < 0) + return r; framepos += size; } crc = ffio_get_checksum(s->pb) ^ UINT32_MAX; @@ -153,6 +155,11 @@ static int tta_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->currentframe >= c->totalframes) return AVERROR_EOF; + if (st->nb_index_entries < c->totalframes) { + av_log(s, AV_LOG_ERROR, "Index entry disappeared\n"); + return AVERROR_INVALIDDATA; + } + size = st->index_entries[c->currentframe].size; ret = av_get_packet(s->pb, pkt, size); diff --git a/libavformat/url.c b/libavformat/url.c index acfb0cf2f0..5dd28a253d 100644 --- a/libavformat/url.c +++ b/libavformat/url.c @@ -68,7 +68,7 @@ int ff_url_join(char *str, int size, const char *proto, av_strlcatf(str, size, ":%d", port); if (fmt) { va_list vl; - int len = strlen(str); + size_t len = strlen(str); va_start(vl, fmt); vsnprintf(str + len, size > len ? size - len : 0, fmt, vl); diff --git a/libavformat/utils.c b/libavformat/utils.c index e899e4d071..71dde3da52 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -53,6 +53,9 @@ #include "riff.h" #include "url.h" +#include "libavutil/ffversion.h" +const char av_format_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + /** * @file * various utility functions for use within FFmpeg @@ -396,6 +399,9 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, if (options) av_dict_copy(&tmp, *options, 0); + if (s->pb) // must be before any goto fail + s->flags |= AVFMT_FLAG_CUSTOM_IO; + if ((ret = av_opt_set_dict(s, &tmp)) < 0) goto fail; @@ -568,6 +574,8 @@ static int update_wrap_reference(AVFormatContext *s, AVStream *st, int stream_in int default_stream_index = av_find_default_stream_index(s); if (s->streams[default_stream_index]->pts_wrap_reference == AV_NOPTS_VALUE) { for (i = 0; i < s->nb_streams; i++) { + if (av_find_program_from_stream(s, NULL, i)) + continue; s->streams[i]->pts_wrap_reference = pts_wrap_reference; s->streams[i]->pts_wrap_behavior = pts_wrap_behavior; } @@ -1429,13 +1437,14 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; + av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && - (av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2LL << (wrap_bits - 1)) < 0)) { - if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2LL << (wrap_bits - 1))) { + av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { + if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2ULL << (wrap_bits - 1))) { // not B-frame next_pkt->pts = pktl->pkt.dts; } @@ -1536,6 +1545,9 @@ int av_find_default_stream_index(AVFormatContext *s) score += 50; } + if (st->discard != AVDISCARD_ALL) + score += 200; + if (score > best_score) { best_score = score; best_stream = i; @@ -2112,6 +2124,7 @@ int avformat_seek_file(AVFormatContext *s, int stream_index, int64_t min_ts, max_ts = av_rescale_rnd(max_ts, time_base.den, time_base.num * (int64_t)AV_TIME_BASE, AV_ROUND_DOWN | AV_ROUND_PASS_MINMAX); + stream_index = 0; } ret = s->iformat->read_seek2(s, stream_index, min_ts, @@ -2223,17 +2236,20 @@ static void update_stream_timings(AVFormatContext *ic) if (ic->nb_programs) { for (i = 0; i < ic->nb_programs; i++) { p = ic->programs[i]; - if (p->start_time != AV_NOPTS_VALUE && p->end_time > p->start_time) + if (p->start_time != AV_NOPTS_VALUE && + p->end_time > p->start_time && + p->end_time - (uint64_t)p->start_time <= INT64_MAX) duration = FFMAX(duration, p->end_time - p->start_time); } - } else + } else if (end_time >= start_time && end_time - (uint64_t)start_time <= INT64_MAX) { duration = FFMAX(duration, end_time - start_time); + } } } if (duration != INT64_MIN && duration > 0 && ic->duration == AV_NOPTS_VALUE) { ic->duration = duration; } - if (ic->pb && (filesize = avio_size(ic->pb)) > 0 && ic->duration != AV_NOPTS_VALUE) { + if (ic->pb && (filesize = avio_size(ic->pb)) > 0 && ic->duration > 0) { /* compute the bitrate */ double bitrate = (double) filesize * 8.0 * AV_TIME_BASE / (double) ic->duration; @@ -2308,7 +2324,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) } #define DURATION_MAX_READ_SIZE 250000LL -#define DURATION_MAX_RETRY 4 +#define DURATION_MAX_RETRY 6 /* only usable for MPEG-PS streams */ static void estimate_timings_from_pts(AVFormatContext *ic, int64_t old_offset) @@ -2639,6 +2655,9 @@ enum AVCodecID ff_codec_get_id(const AVCodecTag *tags, unsigned int tag) enum AVCodecID ff_get_pcm_codec_id(int bps, int flt, int be, int sflags) { + if (bps <= 0 || bps > 64) + return AV_CODEC_ID_NONE; + if (flt) { switch (bps) { case 32: @@ -2743,10 +2762,20 @@ static void compute_chapters_end(AVFormatContext *s) static int get_std_framerate(int i) { - if (i < 60 * 12) + if (i < 30*12) return (i + 1) * 1001; - else - return ((const int[]) { 24, 30, 60, 12, 15, 48 })[i - 60 * 12] * 1000 * 12; + i -= 30*12; + + if (i < 30) + return (i + 31) * 1001 * 12; + i -= 30; + + if (i < 3) + return ((const int[]) { 80, 120, 240})[i] * 1001 * 12; + + i -= 3; + + return ((const int[]) { 24, 30, 60, 12, 15, 48 })[i] * 1000 * 12; } /* Is the time base unreliable? @@ -2757,8 +2786,8 @@ static int get_std_framerate(int i) * And there are "variable" fps files this needs to detect as well. */ static int tb_unreliable(AVCodecContext *c) { - if (c->time_base.den >= 101L * c->time_base.num || - c->time_base.den < 5L * c->time_base.num || + if (c->time_base.den >= 101LL * c->time_base.num || + c->time_base.den < 5LL * c->time_base.num || // c->codec_tag == AV_RL32("DIVX") || // c->codec_tag == AV_RL32("XVID") || c->codec_tag == AV_RL32("mp4v") || @@ -2781,6 +2810,7 @@ int ff_alloc_extradata(AVCodecContext *avctx, int size) int ret; if (size < 0 || size >= INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + avctx->extradata = NULL; avctx->extradata_size = 0; return AVERROR(EINVAL); } @@ -2980,7 +3010,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) st->codec->time_base = st->time_base; } // only for the split stuff - if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE)) { + if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE) && st->request_probe <= 0) { st->parser = av_parser_init(st->codec->codec_id); if (st->parser) { if (st->need_parsing == AVSTREAM_PARSE_HEADERS) { @@ -3244,12 +3274,6 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) } av_opt_set(ic, "skip_clear", "0", AV_OPT_SEARCH_CHILDREN); - // close codecs which were opened in try_decode_frame() - for (i = 0; i < ic->nb_streams; i++) { - st = ic->streams[i]; - avcodec_close(st->codec); - } - ff_rfps_calculate(ic); for (i = 0; i < ic->nb_streams; i++) { @@ -3358,6 +3382,7 @@ find_stream_info_err: ic->streams[i]->codec->thread_count = 0; if (st->info) av_freep(&st->info->duration_error); + avcodec_close(st->codec); av_freep(&ic->streams[i]->info); } if (ic->pb) @@ -3525,8 +3550,8 @@ void avformat_free_context(AVFormatContext *s) av_freep(&s->chapters); av_dict_free(&s->metadata); av_freep(&s->streams); - av_freep(&s->internal); flush_packet_queue(s); + av_freep(&s->internal); av_free(s); } @@ -3598,6 +3623,11 @@ AVStream *avformat_new_stream(AVFormatContext *s, const AVCodec *c) st->info->last_dts = AV_NOPTS_VALUE; st->codec = avcodec_alloc_context3(c); + if (!st->codec) { + av_free(st->info); + av_free(st); + return NULL; + } if (s->iformat) { /* no default bitrate if decoding */ st->codec->bit_rate = 0; @@ -4043,6 +4073,7 @@ int avformat_network_deinit(void) #if CONFIG_NETWORK ff_network_close(); ff_tls_deinit(); + ff_network_inited_globally = 0; #endif return 0; } diff --git a/libavformat/vorbiscomment.c b/libavformat/vorbiscomment.c index cc9b6620ef..e953d83d65 100644 --- a/libavformat/vorbiscomment.c +++ b/libavformat/vorbiscomment.c @@ -61,8 +61,10 @@ int ff_vorbiscomment_write(uint8_t **p, AVDictionary **m, AVDictionaryEntry *tag = NULL; bytestream_put_le32(p, count); while ((tag = av_dict_get(*m, "", tag, AV_DICT_IGNORE_SUFFIX))) { - unsigned int len1 = strlen(tag->key); - unsigned int len2 = strlen(tag->value); + int64_t len1 = strlen(tag->key); + int64_t len2 = strlen(tag->value); + if (len1+1+len2 > UINT32_MAX) + return AVERROR(EINVAL); bytestream_put_le32(p, len1+1+len2); bytestream_put_buffer(p, tag->key, len1); bytestream_put_byte(p, '='); diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 15e8246432..a8a639d8dc 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -261,7 +261,7 @@ static int vqf_read_seek(AVFormatContext *s, { VqfContext *c = s->priv_data; AVStream *st; - int ret; + int64_t ret; int64_t pos; st = s->streams[stream_index]; diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 9c4e2dfa14..a42e463abb 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -114,7 +114,7 @@ static void handle_stream_probing(AVStream *st) { if (st->codec->codec_id == AV_CODEC_ID_PCM_S16LE) { st->request_probe = AVPROBE_SCORE_EXTENSION; - st->probe_packets = FFMIN(st->probe_packets, 14); + st->probe_packets = FFMIN(st->probe_packets, 32); } } @@ -128,7 +128,7 @@ static int wav_parse_fmt_tag(AVFormatContext *s, int64_t size, AVStream **st) if (!*st) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, (*st)->codec, size); + ret = ff_get_wav_header(s, pb, (*st)->codec, size); if (ret < 0) return ret; handle_stream_probing(*st); @@ -662,7 +662,7 @@ static int w64_read_header(AVFormatContext *s) if (!memcmp(guid, ff_w64_guid_fmt, 16)) { /* subtract chunk header size - normal wav file doesn't count it */ - ret = ff_get_wav_header(pb, st->codec, size - 24); + ret = ff_get_wav_header(s, pb, st->codec, size - 24); if (ret < 0) return ret; avio_skip(pb, FFALIGN(size, INT64_C(8)) - size); @@ -699,6 +699,8 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); + if (chunk_size == UINT32_MAX) + return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); if (!value) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 77f6170a26..91b2af354a 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -215,6 +215,10 @@ static int parse_adaptation_sets(AVFormatContext *s) char *p = w->adaptation_sets; char *q; enum { new_set, parsed_id, parsing_streams } state; + if (!w->adaptation_sets) { + av_log(s, AV_LOG_ERROR, "The 'adaptation_sets' option must be set.\n"); + return AVERROR(EINVAL); + } // syntax id=0,streams=0,1,2 id=1,streams=3,4 and so on state = new_set; while (p < w->adaptation_sets + strlen(w->adaptation_sets)) { @@ -241,7 +245,11 @@ static int parse_adaptation_sets(AVFormatContext *s) as->streams = av_realloc(as->streams, sizeof(*as->streams) * ++as->nb_streams); if (as->streams == NULL) return -1; as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); - if (as->streams[as->nb_streams - 1] < 0) return -1; + if (as->streams[as->nb_streams - 1] < 0 || + as->streams[as->nb_streams - 1] >= s->nb_streams) { + av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n"); + return AVERROR(EINVAL); + } if (*q == '\0') break; if (*q == ' ') state = new_set; p = ++q; diff --git a/libavformat/webvttenc.c b/libavformat/webvttenc.c index b93993d55c..c386538718 100644 --- a/libavformat/webvttenc.c +++ b/libavformat/webvttenc.c @@ -46,8 +46,14 @@ static void webvtt_write_time(AVIOContext *pb, int64_t millisec) static int webvtt_write_header(AVFormatContext *ctx) { AVStream *s = ctx->streams[0]; + AVCodecContext *avctx = ctx->streams[0]->codec; AVIOContext *pb = ctx->pb; + if (ctx->nb_streams != 1 || avctx->codec_id != AV_CODEC_ID_WEBVTT) { + av_log(ctx, AV_LOG_ERROR, "Exactly one WebVTT stream is needed.\n"); + return AVERROR(EINVAL); + } + avpriv_set_pts_info(s, 64, 1, 1000); avio_printf(pb, "WEBVTT\n"); diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 4cb3295464..a887f583c7 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -663,7 +663,7 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid, if (!st) return NULL; if (!ff_guidcmp(formattype, ff_format_waveformatex)) { - int ret = ff_get_wav_header(pb, st->codec, size); + int ret = ff_get_wav_header(s, pb, st->codec, size); if (ret < 0) return NULL; } else { @@ -760,7 +760,7 @@ static int recover(WtvContext *wtv, uint64_t broken_pos) int i; for (i = 0; i < wtv->nb_index_entries; i++) { if (wtv->index_entries[i].pos > broken_pos) { - int ret = avio_seek(pb, wtv->index_entries[i].pos, SEEK_SET); + int64_t ret = avio_seek(pb, wtv->index_entries[i].pos, SEEK_SET); if (ret < 0) return ret; wtv->pts = wtv->index_entries[i].timestamp; @@ -789,6 +789,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p len = avio_rl32(pb); if (len < 32) { int ret; + if (avio_feof(pb)) + return AVERROR_EOF; av_log(s, AV_LOG_WARNING, "encountered broken chunk\n"); if ((ret = recover(wtv, avio_tell(pb) - 20)) < 0) return ret; diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 6eac4d21e8..1410bff8ee 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -547,16 +547,17 @@ static int xmv_read_packet(AVFormatContext *s, /* Fetch a video frame */ result = xmv_fetch_video_packet(s, pkt); - if (result) - return result; - } else { /* Fetch an audio frame */ result = xmv_fetch_audio_packet(s, pkt, xmv->current_stream - 1); - if (result) - return result; } + if (result) { + xmv->current_stream = 0; + xmv->video.current_frame = xmv->video.frame_count; + return result; + } + /* Increase our counters */ if (++xmv->current_stream >= xmv->stream_count) { diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 127c097c44..dec1c3ea53 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -44,7 +44,7 @@ static int xwma_probe(AVProbeData *p) static int xwma_read_header(AVFormatContext *s) { int64_t size; - int ret; + int ret = 0; uint32_t dpds_table_size = 0; uint32_t *dpds_table = NULL; unsigned int tag; @@ -75,7 +75,7 @@ static int xwma_read_header(AVFormatContext *s) if (!st) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, st->codec, size); + ret = ff_get_wav_header(s, pb, st->codec, size); if (ret < 0) return ret; st->need_parsing = AVSTREAM_PARSE_NONE; @@ -132,7 +132,7 @@ static int xwma_read_header(AVFormatContext *s) for (;;) { if (pb->eof_reached) { ret = AVERROR_EOF; - goto end; + goto fail; } /* read next chunk tag */ tag = avio_rl32(pb); @@ -155,7 +155,7 @@ static int xwma_read_header(AVFormatContext *s) if (dpds_table) { av_log(s, AV_LOG_ERROR, "two dpds chunks present\n"); ret = AVERROR_INVALIDDATA; - goto end; + goto fail; } /* Compute the number of entries in the dpds chunk. */ @@ -189,7 +189,7 @@ static int xwma_read_header(AVFormatContext *s) /* Determine overall data length */ if (size < 0) { ret = AVERROR_INVALIDDATA; - goto end; + goto fail; } if (!size) { xwma->data_end = INT64_MAX; @@ -210,7 +210,7 @@ static int xwma_read_header(AVFormatContext *s) "Invalid bits_per_coded_sample %d for %d channels\n", st->codec->bits_per_coded_sample, st->codec->channels); ret = AVERROR_INVALIDDATA; - goto end; + goto fail; } st->duration = total_decoded_bytes / bytes_per_sample; @@ -245,7 +245,7 @@ static int xwma_read_header(AVFormatContext *s) st->duration = (size<<3) * st->codec->sample_rate / st->codec->bit_rate; } -end: +fail: av_free(dpds_table); return ret; diff --git a/libavresample/audio_mix_matrix.c b/libavresample/audio_mix_matrix.c index bcbe181a80..5d92351a0e 100644 --- a/libavresample/audio_mix_matrix.c +++ b/libavresample/audio_mix_matrix.c @@ -60,7 +60,7 @@ static av_always_inline int even(uint64_t layout) { - return (!layout || (layout & (layout - 1))); + return (!layout || !!(layout & (layout - 1))); } static int sane_layout(uint64_t layout) diff --git a/libavresample/resample.c b/libavresample/resample.c index bdc74a2e05..a155fbb401 100644 --- a/libavresample/resample.c +++ b/libavresample/resample.c @@ -432,7 +432,9 @@ int ff_audio_resample(ResampleContext *c, AudioData *dst, AudioData *src) int bps = av_get_bytes_per_sample(c->avr->internal_sample_fmt); int i; - ret = ff_audio_data_realloc(c->buffer, in_samples + c->padding_size); + ret = ff_audio_data_realloc(c->buffer, + FFMAX(in_samples, in_leftover) + + c->padding_size); if (ret < 0) { av_log(c->avr, AV_LOG_ERROR, "Error reallocating resampling buffer\n"); return AVERROR(ENOMEM); diff --git a/libavutil/arm/asm.S b/libavutil/arm/asm.S index 35559ce27a..30b3dc2ca5 100644 --- a/libavutil/arm/asm.S +++ b/libavutil/arm/asm.S @@ -49,11 +49,17 @@ #elif HAVE_ARMV5TE .arch armv5te #endif +#if HAVE_AS_OBJECT_ARCH +ELF .object_arch armv4 +#endif #if HAVE_NEON .fpu neon +ELF .eabi_attribute 10, 0 @ suppress Tag_FP_arch +ELF .eabi_attribute 12, 0 @ suppress Tag_Advanced_SIMD_arch #elif HAVE_VFP .fpu vfp +ELF .eabi_attribute 10, 0 @ suppress Tag_FP_arch #endif .syntax unified diff --git a/libavutil/arm/cpu.c b/libavutil/arm/cpu.c index f1683e8d76..02def0b470 100644 --- a/libavutil/arm/cpu.c +++ b/libavutil/arm/cpu.c @@ -128,7 +128,7 @@ int ff_get_cpu_flags_arm(void) trickle down. */ if (flags & (AV_CPU_FLAG_VFPV3 | AV_CPU_FLAG_NEON)) flags |= AV_CPU_FLAG_ARMV6T2; - else + else if (flags & (AV_CPU_FLAG_ARMV6T2 | AV_CPU_FLAG_ARMV6)) /* Some functions use the 'setend' instruction which is deprecated on ARMv8 * and serializing on some ARMv7 cores. This ensures such functions * are only enabled on ARMv6. */ diff --git a/libavutil/avstring.c b/libavutil/avstring.c index fd010e407c..3243aaa590 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -100,7 +100,7 @@ size_t av_strlcat(char *dst, const char *src, size_t size) size_t av_strlcatf(char *dst, size_t size, const char *fmt, ...) { - int len = strlen(dst); + size_t len = strlen(dst); va_list vl; va_start(vl, fmt); diff --git a/libavutil/buffer.c b/libavutil/buffer.c index e9bf54b96c..4e2a94bfe8 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -23,6 +23,10 @@ #include "buffer_internal.h" #include "common.h" #include "mem.h" +#include "thread.h" + +//#define USE_ATOMICS !(HAVE_PTHREADS || HAVE_W32THREADS) +#define USE_ATOMICS 1 // can be changed to the above once it received more testing in master AVBufferRef *av_buffer_create(uint8_t *data, int size, void (*free)(void *opaque, uint8_t *data), @@ -209,6 +213,8 @@ AVBufferPool *av_buffer_pool_init(int size, AVBufferRef* (*alloc)(int size)) if (!pool) return NULL; + ff_mutex_init(&pool->mutex, NULL); + pool->size = size; pool->alloc = alloc ? alloc : av_buffer_alloc; @@ -230,6 +236,7 @@ static void buffer_pool_free(AVBufferPool *pool) buf->free(buf->opaque, buf->data); av_freep(&buf); } + ff_mutex_destroy(&pool->mutex); av_freep(&pool); } @@ -290,7 +297,15 @@ static void pool_release_buffer(void *opaque, uint8_t *data) if(CONFIG_MEMORY_POISONING) memset(buf->data, FF_MEMORY_POISON, pool->size); +#if USE_ATOMICS add_to_pool(buf); +#else + ff_mutex_lock(&pool->mutex); + buf->next = pool->pool; + pool->pool = buf; + ff_mutex_unlock(&pool->mutex); +#endif + if (!avpriv_atomic_int_add_and_fetch(&pool->refcount, -1)) buffer_pool_free(pool); } @@ -320,8 +335,10 @@ static AVBufferRef *pool_alloc_buffer(AVBufferPool *pool) ret->buffer->opaque = buf; ret->buffer->free = pool_release_buffer; +#if USE_ATOMICS avpriv_atomic_int_add_and_fetch(&pool->refcount, 1); avpriv_atomic_int_add_and_fetch(&pool->nb_allocated, 1); +#endif return ret; } @@ -331,6 +348,7 @@ AVBufferRef *av_buffer_pool_get(AVBufferPool *pool) AVBufferRef *ret; BufferPoolEntry *buf; +#if USE_ATOMICS /* check whether the pool is empty */ buf = get_pool(pool); if (!buf && pool->refcount <= pool->nb_allocated) { @@ -352,7 +370,24 @@ AVBufferRef *av_buffer_pool_get(AVBufferPool *pool) add_to_pool(buf); return NULL; } - avpriv_atomic_int_add_and_fetch(&pool->refcount, 1); +#else + ff_mutex_lock(&pool->mutex); + buf = pool->pool; + if (buf) { + ret = av_buffer_create(buf->data, pool->size, pool_release_buffer, + buf, 0); + if (ret) { + pool->pool = buf->next; + buf->next = NULL; + } + } else { + ret = pool_alloc_buffer(pool); + } + ff_mutex_unlock(&pool->mutex); +#endif + + if (ret) + avpriv_atomic_int_add_and_fetch(&pool->refcount, 1); return ret; } diff --git a/libavutil/buffer_internal.h b/libavutil/buffer_internal.h index c29190839e..befeb684ae 100644 --- a/libavutil/buffer_internal.h +++ b/libavutil/buffer_internal.h @@ -22,6 +22,7 @@ #include #include "buffer.h" +#include "thread.h" /** * The buffer is always treated as read-only. @@ -72,6 +73,7 @@ typedef struct BufferPoolEntry { } BufferPoolEntry; struct AVBufferPool { + AVMutex mutex; BufferPoolEntry * volatile pool; /* diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c index 4c0677f794..7aceb81971 100644 --- a/libavutil/channel_layout.c +++ b/libavutil/channel_layout.c @@ -94,7 +94,7 @@ static const struct { { "6.0(front)", 6, AV_CH_LAYOUT_6POINT0_FRONT }, { "hexagonal", 6, AV_CH_LAYOUT_HEXAGONAL }, { "6.1", 7, AV_CH_LAYOUT_6POINT1 }, - { "6.1", 7, AV_CH_LAYOUT_6POINT1_BACK }, + { "6.1(back)", 7, AV_CH_LAYOUT_6POINT1_BACK }, { "6.1(front)", 7, AV_CH_LAYOUT_6POINT1_FRONT }, { "7.0", 7, AV_CH_LAYOUT_7POINT0 }, { "7.0(front)", 7, AV_CH_LAYOUT_7POINT0_FRONT }, @@ -125,6 +125,8 @@ static uint64_t get_channel_layout_single(const char *name, int name_len) strlen(channel_names[i].name) == name_len && !memcmp(channel_names[i].name, name, name_len)) return (int64_t)1 << i; + + errno = 0; i = strtol(name, &end, 10); #if FF_API_GET_CHANNEL_LAYOUT_COMPAT @@ -138,19 +140,20 @@ static uint64_t get_channel_layout_single(const char *name, int name_len) "switch to the syntax '%.*sc' otherwise it will be interpreted as a " "channel layout number in a later version\n", name_len, name, name_len, name); - return layout; } + return layout; } } else { #endif - if ((end + 1 - name == name_len && *end == 'c')) + if (!errno && (end + 1 - name == name_len && *end == 'c')) return av_get_default_channel_layout(i); #if FF_API_GET_CHANNEL_LAYOUT_COMPAT } #endif + errno = 0; layout = strtoll(name, &end, 0); - if (end - name == name_len) + if (!errno && end - name == name_len) return FFMAX(layout, 0); return 0; } diff --git a/libavutil/colorspace.h b/libavutil/colorspace.h index f438159811..dbb0ce8b8e 100644 --- a/libavutil/colorspace.h +++ b/libavutil/colorspace.h @@ -41,6 +41,16 @@ b_add = FIX(1.77200*255.0/224.0) * cb + ONE_HALF;\ } +#define YUV_TO_RGB1_CCIR_BT709(cb1, cr1)\ +{\ + cb = (cb1) - 128;\ + cr = (cr1) - 128;\ + r_add = FIX(1.5747*255.0/224.0) * cr + ONE_HALF;\ + g_add = - FIX(0.1873*255.0/224.0) * cb - FIX(0.4682*255.0/224.0) * cr + \ + ONE_HALF;\ + b_add = FIX(1.8556*255.0/224.0) * cb + ONE_HALF;\ +} + #define YUV_TO_RGB2_CCIR(r, g, b, y1)\ {\ y = ((y1) - 16) * FIX(255.0/219.0);\ diff --git a/libavutil/common.h b/libavutil/common.h index c82a3a6240..526f5c6e51 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -58,9 +58,24 @@ : ((a) + (1<<(b)) - 1) >> (b)) #define FFUDIV(a,b) (((a)>0 ?(a):(a)-(b)+1) / (b)) #define FFUMOD(a,b) ((a)-(b)*FFUDIV(a,b)) + +/** + * Absolute value, Note, INT_MIN / INT64_MIN result in undefined behavior as they + * are not representable as absolute values of their type. This is the same + * as with *abs() + * @see FFNABS() + */ #define FFABS(a) ((a) >= 0 ? (a) : (-(a))) #define FFSIGN(a) ((a) > 0 ? 1 : -1) +/** + * Negative Absolute value. + * this works for all integers of all types. + * As with many macros, this evaluates its argument twice, it thus must not have + * a sideeffect, that is FFNABS(x++) has undefined behavior. + */ +#define FFNABS(a) ((a) <= 0 ? (a) : (-(a))) + #define FFMAX(a,b) ((a) > (b) ? (a) : (b)) #define FFMAX3(a,b,c) FFMAX(FFMAX(a,b),c) #define FFMIN(a,b) ((a) > (b) ? (b) : (a)) diff --git a/libavutil/cpu.c b/libavutil/cpu.c index 53c12273ef..1617464980 100644 --- a/libavutil/cpu.c +++ b/libavutil/cpu.c @@ -49,6 +49,7 @@ static int flags, checked; void av_force_cpu_flags(int arg){ if ( (arg & ( AV_CPU_FLAG_3DNOW | AV_CPU_FLAG_3DNOWEXT | + AV_CPU_FLAG_MMXEXT | AV_CPU_FLAG_SSE | AV_CPU_FLAG_SSE2 | AV_CPU_FLAG_SSE2SLOW | diff --git a/libavutil/dict.c b/libavutil/dict.c index 475e906350..76fa0032ee 100644 --- a/libavutil/dict.c +++ b/libavutil/dict.c @@ -102,7 +102,7 @@ int av_dict_set(AVDictionary **pm, const char *key, const char *value, if (flags & AV_DICT_DONT_STRDUP_VAL) { m->elems[m->count].value = (char*)(intptr_t)value; } else if (oldval && flags & AV_DICT_APPEND) { - int len = strlen(oldval) + strlen(value) + 1; + size_t len = strlen(oldval) + strlen(value) + 1; char *newval = av_mallocz(len); if (!newval) goto err_out; diff --git a/libavutil/fifo.c b/libavutil/fifo.c index 77391ee7f2..7cb212eb0e 100644 --- a/libavutil/fifo.c +++ b/libavutil/fifo.c @@ -129,7 +129,8 @@ int av_fifo_generic_write(AVFifoBuffer *f, void *src, int size, do { int len = FFMIN(f->end - wptr, size); if (func) { - if (func(src, wptr, len) <= 0) + len = func(src, wptr, len); + if (len <= 0) break; } else { memcpy(wptr, src, len); diff --git a/libavutil/file_open.c b/libavutil/file_open.c index f3164ebe68..619dc571f7 100644 --- a/libavutil/file_open.c +++ b/libavutil/file_open.c @@ -82,6 +82,9 @@ int avpriv_open(const char *filename, int flags, ...) #ifdef O_CLOEXEC flags |= O_CLOEXEC; #endif +#ifdef O_NOINHERIT + flags |= O_NOINHERIT; +#endif fd = open(filename, flags, mode); #if HAVE_FCNTL diff --git a/libavutil/frame.c b/libavutil/frame.c index 4ee06306ce..5c9aa2914c 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -503,6 +503,7 @@ int av_frame_copy_props(AVFrame *dst, const AVFrame *src) free_side_data(&dst->side_data[i]); } av_freep(&dst->side_data); + dst->nb_side_data = 0; return AVERROR(ENOMEM); } memcpy(sd_dst->data, sd_src->data, sd_src->size); diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 00b203182b..26321cef8e 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -245,7 +245,7 @@ int av_image_check_sar(unsigned int w, unsigned int h, AVRational sar) { int64_t scaled_dim; - if (!sar.den) + if (sar.den <= 0 || sar.num < 0) return AVERROR(EINVAL); if (!sar.num || sar.num == sar.den) diff --git a/libavutil/integer.c b/libavutil/integer.c index 5bcde0dc6e..6d6855fa1b 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c @@ -29,6 +29,8 @@ #include "integer.h" #include "avassert.h" +static const AVInteger zero_i; + AVInteger av_add_i(AVInteger a, AVInteger b){ int i, carry=0; @@ -111,6 +113,12 @@ AVInteger av_mod_i(AVInteger *quot, AVInteger a, AVInteger b){ AVInteger quot_temp; if(!quot) quot = "_temp; + if ((int16_t)a.v[AV_INTEGER_SIZE-1] < 0) { + a = av_mod_i(quot, av_sub_i(zero_i, a), b); + *quot = av_sub_i(zero_i, *quot); + return av_sub_i(zero_i, a); + } + av_assert2((int16_t)a.v[AV_INTEGER_SIZE-1] >= 0 && (int16_t)b.v[AV_INTEGER_SIZE-1] >= 0); av_assert2(av_log2_i(b)>=0); diff --git a/libavutil/internal.h b/libavutil/internal.h index 612b5f26af..ff61f2e70b 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,6 +30,9 @@ # define NDEBUG #endif +// This can be enabled to allow detection of additional integer overflows with ubsan +//#define CHECKED + #include #include #include @@ -252,6 +255,17 @@ void avpriv_request_sample(void *avc, #define SIZE_SPECIFIER "zu" #endif + +// For debuging we use signed operations so overflows can be detected (by ubsan) +// For production we use unsigned so there are no undefined operations +#ifdef CHECKED +#define SUINT int +#define SUINT32 int32_t +#else +#define SUINT unsigned +#define SUINT32 uint32_t +#endif + /** * A wrapper for open() setting O_CLOEXEC. */ diff --git a/libavutil/libm.h b/libavutil/libm.h index 28d5df871b..6c17b287b4 100644 --- a/libavutil/libm.h +++ b/libavutil/libm.h @@ -82,16 +82,6 @@ static av_always_inline float cbrtf(float x) #define exp2f(x) ((float)exp2(x)) #endif /* HAVE_EXP2F */ -#if !HAVE_FMINF -#undef fminf -static av_always_inline av_const float fminf(float x, float y) -{ - //Note, the NaN special case is needed for C spec compliance, it should be - //optimized away if the users compiler is configured to assume no NaN - return x > y ? y : (x == x ? x : y); -} -#endif - #if !HAVE_ISINF static av_always_inline av_const int isinf(float x) { diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 126cffc3f0..78a87d8457 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -76,8 +76,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) rnd -= AV_ROUND_PASS_MINMAX; } - if (a < 0 && a != INT64_MIN) - return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd >> 1) & 1)); + if (a < 0) + return -(uint64_t)av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; @@ -87,8 +87,13 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) if (b <= INT_MAX && c <= INT_MAX) { if (a <= INT_MAX) return (a * b + r) / c; - else - return a / c * b + (a % c * b + r) / c; + else { + int64_t ad = a / c; + int64_t a2 = (a % c * b + r) / c; + if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b) + return INT64_MIN; + return ad * b + a2; + } } else { #if 1 uint64_t a0 = a & 0xFFFFFFFF; @@ -112,6 +117,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) t1++; } } + if (t1 > INT64_MAX) + return INT64_MIN; return t1; } #else diff --git a/libavutil/mem.c b/libavutil/mem.c index 35a82e8a2d..9dc1ac7a49 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -259,7 +259,7 @@ char *av_strdup(const char *s) { char *ptr = NULL; if (s) { - int len = strlen(s) + 1; + size_t len = strlen(s) + 1; ptr = av_realloc(NULL, len); if (ptr) memcpy(ptr, s, len); diff --git a/libavutil/opencl.h b/libavutil/opencl.h index 9e6dc55ee8..8c1dfeb037 100644 --- a/libavutil/opencl.h +++ b/libavutil/opencl.h @@ -32,11 +32,10 @@ #ifndef LIBAVUTIL_OPENCL_H #define LIBAVUTIL_OPENCL_H -#include "config.h" -#if HAVE_CL_CL_H -#include -#else +#ifdef __APPLE__ #include +#else +#include #endif #include #include "dict.h" diff --git a/libavutil/opt.c b/libavutil/opt.c index ca4edb827e..cd948af23b 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -75,8 +75,8 @@ static int read_number(const AVOption *o, void *dst, double *num, int *den, int6 { switch (o->type) { case AV_OPT_TYPE_FLAGS: *intnum = *(unsigned int*)dst;return 0; - case AV_OPT_TYPE_PIXEL_FMT: - case AV_OPT_TYPE_SAMPLE_FMT: + case AV_OPT_TYPE_PIXEL_FMT: *intnum = *(enum AVPixelFormat *)dst;return 0; + case AV_OPT_TYPE_SAMPLE_FMT:*intnum = *(enum AVSampleFormat*)dst;return 0; case AV_OPT_TYPE_INT: *intnum = *(int *)dst;return 0; case AV_OPT_TYPE_CHANNEL_LAYOUT: case AV_OPT_TYPE_DURATION: @@ -110,9 +110,9 @@ static int write_number(void *obj, const AVOption *o, void *dst, double num, int } switch (o->type) { + case AV_OPT_TYPE_PIXEL_FMT: *(enum AVPixelFormat *)dst = llrint(num/den) * intnum; break; + case AV_OPT_TYPE_SAMPLE_FMT:*(enum AVSampleFormat*)dst = llrint(num/den) * intnum; break; case AV_OPT_TYPE_FLAGS: - case AV_OPT_TYPE_PIXEL_FMT: - case AV_OPT_TYPE_SAMPLE_FMT: case AV_OPT_TYPE_INT: *(int *)dst= llrint(num/den)*intnum; break; case AV_OPT_TYPE_DURATION: case AV_OPT_TYPE_CHANNEL_LAYOUT: @@ -150,6 +150,8 @@ static int set_string_binary(void *obj, const AVOption *o, const char *val, uint len /= 2; ptr = bin = av_malloc(len); + if (!ptr) + return AVERROR(ENOMEM); while (*val) { int a = hexchar2int(*val++); int b = hexchar2int(*val++); @@ -627,7 +629,7 @@ int av_opt_set_channel_layout(void *obj, const char *name, int64_t cl, int searc "The value set by option '%s' is not a channel layout.\n", o->name); return AVERROR(EINVAL); } - *(int *)(((int64_t *)target_obj) + o->offset) = cl; + *(int64_t *)(((uint8_t *)target_obj) + o->offset) = cl; return 0; } @@ -725,6 +727,10 @@ int av_opt_get(void *obj, const char *name, int search_flags, uint8_t **out_val) return AVERROR(EINVAL); if (!(*out_val = av_malloc(len*2 + 1))) return AVERROR(ENOMEM); + if (!len) { + *out_val[0] = '\0'; + return 0; + } bin = *(uint8_t**)dst; for (i = 0; i < len; i++) snprintf(*out_val + i*2, 3, "%02X", bin[i]); @@ -740,12 +746,14 @@ int av_opt_get(void *obj, const char *name, int search_flags, uint8_t **out_val) break; case AV_OPT_TYPE_DURATION: i64 = *(int64_t *)dst; - ret = snprintf(buf, sizeof(buf), "%"PRIi64"d:%02d:%02d.%06d", + ret = snprintf(buf, sizeof(buf), "%"PRIi64":%02d:%02d.%06d", i64 / 3600000000, (int)((i64 / 60000000) % 60), (int)((i64 / 1000000) % 60), (int)(i64 % 1000000)); break; case AV_OPT_TYPE_COLOR: - ret = snprintf(buf, sizeof(buf), "0x%02x%02x%02x%02x", ((int *)dst)[0], ((int *)dst)[1], ((int *)dst)[2], ((int *)dst)[3]); + ret = snprintf(buf, sizeof(buf), "0x%02x%02x%02x%02x", + (int)((uint8_t *)dst)[0], (int)((uint8_t *)dst)[1], + (int)((uint8_t *)dst)[2], (int)((uint8_t *)dst)[3]); break; case AV_OPT_TYPE_CHANNEL_LAYOUT: i64 = *(int64_t *)dst; @@ -1460,10 +1468,11 @@ int av_opt_set_dict2(void *obj, AVDictionary **options, int search_flags) while ((t = av_dict_get(*options, "", t, AV_DICT_IGNORE_SUFFIX))) { ret = av_opt_set(obj, t->key, t->value, search_flags); if (ret == AVERROR_OPTION_NOT_FOUND) - av_dict_set(&tmp, t->key, t->value, 0); - else if (ret < 0) { + ret = av_dict_set(&tmp, t->key, t->value, 0); + if (ret < 0) { av_log(obj, AV_LOG_ERROR, "Error setting option %s to value %s.\n", t->key, t->value); - break; + av_dict_free(&tmp); + return ret; } ret = 0; } diff --git a/libavutil/opt.h b/libavutil/opt.h index 4905ee30c0..59bdd6498a 100644 --- a/libavutil/opt.h +++ b/libavutil/opt.h @@ -57,7 +57,7 @@ * The following example illustrates an AVOptions-enabled struct: * @code * typedef struct test_struct { - * AVClass *class; + * const AVClass *class; * int int_opt; * char *str_opt; * uint8_t *bin_opt; @@ -95,7 +95,7 @@ * @code * test_struct *alloc_test_struct(void) * { - * test_struct *ret = av_malloc(sizeof(*ret)); + * test_struct *ret = av_mallocz(sizeof(*ret)); * ret->class = &test_class; * av_opt_set_defaults(ret); * return ret; diff --git a/libavutil/pca.c b/libavutil/pca.c index 26d5bbb157..86cb37ea28 100644 --- a/libavutil/pca.c +++ b/libavutil/pca.c @@ -41,12 +41,20 @@ PCA *ff_pca_init(int n){ return NULL; pca= av_mallocz(sizeof(*pca)); + if (!pca) + return NULL; + pca->n= n; pca->z = av_malloc_array(n, sizeof(*pca->z)); pca->count=0; pca->covariance= av_calloc(n*n, sizeof(double)); pca->mean= av_calloc(n, sizeof(double)); + if (!pca->z || !pca->covariance || !pca->mean) { + ff_pca_free(pca); + return NULL; + } + return pca; } diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c index 154392af20..13f69fa56f 100644 --- a/libavutil/pixdesc.c +++ b/libavutil/pixdesc.c @@ -2116,6 +2116,7 @@ enum AVPixelFormat av_pix_fmt_swap_endianness(enum AVPixelFormat pix_fmt) #define FF_COLOR_GRAY 1 /**< gray color space */ #define FF_COLOR_YUV 2 /**< YUV color space. 16 <= Y <= 235, 16 <= U, V <= 240 */ #define FF_COLOR_YUV_JPEG 3 /**< YUV color space. 0 <= Y <= 255, 0 <= U, V <= 255 */ +#define FF_COLOR_XYZ 4 #define pixdesc_has_alpha(pixdesc) \ ((pixdesc)->nb_components == 2 || (pixdesc)->nb_components == 4 || (pixdesc)->flags & AV_PIX_FMT_FLAG_PAL) @@ -2131,6 +2132,9 @@ static int get_color_type(const AVPixFmtDescriptor *desc) { if(desc->name && !strncmp(desc->name, "yuvj", 4)) return FF_COLOR_YUV_JPEG; + if(desc->name && !strncmp(desc->name, "xyz", 3)) + return FF_COLOR_XYZ; + if(desc->flags & AV_PIX_FMT_FLAG_RGB) return FF_COLOR_RGB; diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index 8aa8c3879b..67000e4a1f 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c @@ -67,6 +67,7 @@ static uint32_t get_generic_seed(void) uint8_t tmp[120]; struct AVSHA *sha = (void*)tmp; clock_t last_t = 0; + clock_t last_td = 0; static uint64_t i = 0; static uint32_t buffer[512] = { 0 }; unsigned char digest[20]; @@ -86,19 +87,25 @@ static uint32_t get_generic_seed(void) for (;;) { clock_t t = clock(); - - if (last_t == t) { - buffer[i & 511]++; + if (last_t + 2*last_td + (CLOCKS_PER_SEC > 1000) >= t) { + last_td = t - last_t; + buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U); } else { - buffer[++i & 511] += (t - last_t) % 3294638521U; + last_td = t - last_t; + buffer[++i & 511] += last_td % 3294638521U; if (last_i && i - last_i > 4 || i - last_i > 64 || TEST && i - last_i > 8) break; } last_t = t; } - if(TEST) + if(TEST) { buffer[0] = buffer[1] = 0; + } else { +#ifdef AV_READ_TIME + buffer[111] += AV_READ_TIME(); +#endif + } av_sha_init(sha, 160); av_sha_update(sha, (const uint8_t *)buffer, sizeof(buffer)); diff --git a/libavutil/thread.h b/libavutil/thread.h new file mode 100644 index 0000000000..973366182e --- /dev/null +++ b/libavutil/thread.h @@ -0,0 +1,55 @@ +/* + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +// This header should only be used to simplify code where +// threading is optional, not as a generic threading abstraction. + +#ifndef AVUTIL_THREAD_H +#define AVUTIL_THREAD_H + +#include "config.h" + +#if HAVE_PTHREADS || HAVE_W32THREADS || HAVE_OS2THREADS + +#if HAVE_PTHREADS +#include +#elif HAVE_OS2THREADS +#include "compat/os2threads.h" +#else +#include "compat/w32pthreads.h" +#endif + +#define AVMutex pthread_mutex_t + +#define ff_mutex_init pthread_mutex_init +#define ff_mutex_lock pthread_mutex_lock +#define ff_mutex_unlock pthread_mutex_unlock +#define ff_mutex_destroy pthread_mutex_destroy + +#else + +#define AVMutex char + +#define ff_mutex_init(mutex, attr) (0) +#define ff_mutex_lock(mutex) (0) +#define ff_mutex_unlock(mutex) (0) +#define ff_mutex_destroy(mutex) (0) + +#endif + +#endif /* AVUTIL_THREAD_H */ diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 1dfd040868..bf463ed515 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -151,7 +151,7 @@ static int check_fps(int fps) static int check_timecode(void *log_ctx, AVTimecode *tc) { - if (tc->fps <= 0) { + if ((int)tc->fps <= 0) { av_log(log_ctx, AV_LOG_ERROR, "Timecode frame rate must be specified\n"); return AVERROR(EINVAL); } diff --git a/libavutil/utils.c b/libavutil/utils.c index aafd3b909e..da8b5ae2d3 100644 --- a/libavutil/utils.c +++ b/libavutil/utils.c @@ -27,6 +27,9 @@ * various utility functions */ +#include "libavutil/ffversion.h" +const char av_util_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned avutil_version(void) { static int checks_done; diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c index 8ad478400c..2b62e92479 100644 --- a/libavutil/x86/cpu.c +++ b/libavutil/x86/cpu.c @@ -45,7 +45,7 @@ "cpuid \n\t" \ "xchg %%"REG_b", %%"REG_S \ : "=a" (eax), "=S" (ebx), "=c" (ecx), "=d" (edx) \ - : "0" (index)) + : "0" (index), "2"(0)) #define xgetbv(index, eax, edx) \ __asm__ (".byte 0x0f, 0x01, 0xd0" : "=a"(eax), "=d"(edx) : "c" (index)) diff --git a/libavutil/x86/float_dsp.asm b/libavutil/x86/float_dsp.asm index ec3d22b230..c4484a28e6 100644 --- a/libavutil/x86/float_dsp.asm +++ b/libavutil/x86/float_dsp.asm @@ -332,10 +332,10 @@ VECTOR_FMUL_REVERSE ; float scalarproduct_float_sse(const float *v1, const float *v2, int len) INIT_XMM sse cglobal scalarproduct_float, 3,3,2, v1, v2, offset + shl offsetd, 2 + add v1q, offsetq + add v2q, offsetq neg offsetq - shl offsetq, 2 - sub v1q, offsetq - sub v2q, offsetq xorps xmm0, xmm0 .loop: movaps xmm1, [v1q+offsetq] diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 01ec0f9867..0376725af7 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -76,6 +76,7 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks #include "config.h" #include "libavutil/avutil.h" #include "libavutil/avassert.h" +#include "libavutil/intreadwrite.h" #include #include #include @@ -89,6 +90,9 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks #include "postprocess_internal.h" #include "libavutil/avstring.h" +#include "libavutil/ffversion.h" +const char postproc_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned postproc_version(void) { av_assert0(LIBPOSTPROC_VERSION_MICRO >= 100); @@ -979,9 +983,9 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if(pict_type & PP_PICT_TYPE_QP2){ int i; - const int count= mbHeight * absQPStride; + const int count= FFMAX(mbHeight * absQPStride, mbWidth); for(i=0; i<(count>>2); i++){ - ((uint32_t*)c->stdQPTable)[i] = (((const uint32_t*)QP_store)[i]>>1) & 0x7F7F7F7F; + AV_WN32(c->stdQPTable + (i<<2), AV_RN32(QP_store + (i<<2)) >> 1 & 0x7F7F7F7F); } for(i<<=2; istdQPTable[i] = QP_store[i]>>1; @@ -1004,9 +1008,9 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if((pict_type&7)!=3){ if (QPStride >= 0){ int i; - const int count= mbHeight * QPStride; + const int count= FFMAX(mbHeight * QPStride, mbWidth); for(i=0; i<(count>>2); i++){ - ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; + AV_WN32(c->nonBQPTable + (i<<2), AV_RN32(QP_store + (i<<2)) & 0x3F3F3F3F); } for(i<<=2; inonBQPTable[i] = QP_store[i] & 0x3F; diff --git a/libswresample/dither.c b/libswresample/dither.c index b8b592a7ce..23e7e12ede 100644 --- a/libswresample/dither.c +++ b/libswresample/dither.c @@ -23,12 +23,15 @@ #include "noise_shaping_data.c" -void swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt) { +int swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt) { double scale = s->dither.noise_scale; #define TMP_EXTRA 2 double *tmp = av_malloc_array(len + TMP_EXTRA, sizeof(double)); int i; + if (!tmp) + return AVERROR(ENOMEM); + for(i=0; idither.output_sample_bits&31)) scale = 1; - if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S16) scale = 1L<<16; - if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1L<<24; - if(in_fmt == AV_SAMPLE_FMT_S16 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1L<<8; + if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S16) scale = 1<<16; + if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1<<24; + if(in_fmt == AV_SAMPLE_FMT_S16 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1<<8; scale *= s->dither.scale; diff --git a/libswresample/options.c b/libswresample/options.c index 01cdb1e141..1bc1a70510 100644 --- a/libswresample/options.c +++ b/libswresample/options.c @@ -35,12 +35,12 @@ #define PARAM AV_OPT_FLAG_AUDIO_PARAM static const AVOption options[]={ -{"ich" , "set input channel count" , OFFSET( in.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"in_channel_count" , "set input channel count" , OFFSET( in.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"och" , "set output channel count" , OFFSET(out.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"out_channel_count" , "set output channel count" , OFFSET(out.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"uch" , "set used channel count" , OFFSET(used_ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"used_channel_count" , "set used channel count" , OFFSET(used_ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"ich" , "set input channel count" , OFFSET(user_in_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"in_channel_count" , "set input channel count" , OFFSET(user_in_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"och" , "set output channel count" , OFFSET(user_out_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"out_channel_count" , "set output channel count" , OFFSET(user_out_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"uch" , "set used channel count" , OFFSET(user_used_ch_count), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"used_channel_count" , "set used channel count" , OFFSET(user_used_ch_count), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, {"isr" , "set input sample rate" , OFFSET( in_sample_rate), AV_OPT_TYPE_INT , {.i64=0 }, 0 , INT_MAX , PARAM}, {"in_sample_rate" , "set input sample rate" , OFFSET( in_sample_rate), AV_OPT_TYPE_INT , {.i64=0 }, 0 , INT_MAX , PARAM}, {"osr" , "set output sample rate" , OFFSET(out_sample_rate), AV_OPT_TYPE_INT , {.i64=0 }, 0 , INT_MAX , PARAM}, @@ -49,12 +49,12 @@ static const AVOption options[]={ {"in_sample_fmt" , "set input sample format" , OFFSET( in_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"osf" , "set output sample format" , OFFSET(out_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"out_sample_fmt" , "set output sample format" , OFFSET(out_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"tsf" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"internal_sample_fmt" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"icl" , "set input channel layout" , OFFSET( in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, -{"in_channel_layout" , "set input channel layout" , OFFSET( in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, -{"ocl" , "set output channel layout" , OFFSET(out_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, -{"out_channel_layout" , "set output channel layout" , OFFSET(out_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"tsf" , "set internal sample format" , OFFSET(user_int_sample_fmt), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, +{"internal_sample_fmt" , "set internal sample format" , OFFSET(user_int_sample_fmt), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, +{"icl" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"in_channel_layout" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"ocl" , "set output channel layout" , OFFSET(user_out_ch_layout), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"out_channel_layout" , "set output channel layout" , OFFSET(user_out_ch_layout), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, {"clev" , "set center mix level" , OFFSET(clev ), AV_OPT_TYPE_FLOAT, {.dbl=C_30DB }, -32 , 32 , PARAM}, {"center_mix_level" , "set center mix level" , OFFSET(clev ), AV_OPT_TYPE_FLOAT, {.dbl=C_30DB }, -32 , 32 , PARAM}, {"slev" , "set surround mix level" , OFFSET(slev ), AV_OPT_TYPE_FLOAT, {.dbl=C_30DB }, -32 , 32 , PARAM}, diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 6552a2fea2..2238f0aae3 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -65,8 +65,8 @@ int swr_set_matrix(struct SwrContext *s, const double *matrix, int stride) if (!s || s->in_convert) // s needs to be allocated but not initialized return AVERROR(EINVAL); memset(s->matrix, 0, sizeof(s->matrix)); - nb_in = av_get_channel_layout_nb_channels(s->in_ch_layout); - nb_out = av_get_channel_layout_nb_channels(s->out_ch_layout); + nb_in = av_get_channel_layout_nb_channels(s->user_in_ch_layout); + nb_out = av_get_channel_layout_nb_channels(s->user_out_ch_layout); for (out = 0; out < nb_out; out++) { for (in = 0; in < nb_in; in++) s->matrix[out][in] = matrix[in]; diff --git a/libswresample/soxr_resample.c b/libswresample/soxr_resample.c index 064451df45..9e87f2fc4b 100644 --- a/libswresample/soxr_resample.c +++ b/libswresample/soxr_resample.c @@ -76,8 +76,12 @@ static int process( AudioData *src, int src_size, int *consumed){ size_t idone, odone; soxr_error_t error = soxr_set_error((soxr_t)c, soxr_set_num_channels((soxr_t)c, src->ch_count)); - error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, - &idone, dst->ch, (size_t)dst_size, &odone); + if (!error) + error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, + &idone, dst->ch, (size_t)dst_size, &odone); + else + idone = 0; + *consumed = (int)idone; return error? -1 : odone; } diff --git a/libswresample/swresample-test.c b/libswresample/swresample-test.c index c0162cd646..694880648a 100644 --- a/libswresample/swresample-test.c +++ b/libswresample/swresample-test.c @@ -314,6 +314,11 @@ int main(int argc, char **argv){ fprintf(stderr, "Failed to init backw_ctx\n"); return 1; } + if (uint_rand(rand_seed) % 3 == 0) + av_opt_set_int(forw_ctx, "ich", 0, 0); + if (uint_rand(rand_seed) % 3 == 0) + av_opt_set_int(forw_ctx, "och", 0, 0); + if(swr_init( forw_ctx) < 0) fprintf(stderr, "swr_init(->) failed\n"); if(swr_init(backw_ctx) < 0) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 32bbee3340..e9bc659e08 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -23,11 +23,15 @@ #include "audioconvert.h" #include "libavutil/avassert.h" #include "libavutil/channel_layout.h" +#include "libavutil/internal.h" #include #define ALIGN 32 +#include "libavutil/ffversion.h" +const char swr_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned swresample_version(void) { av_assert0(LIBSWRESAMPLE_VERSION_MICRO >= 100); @@ -83,10 +87,10 @@ struct SwrContext *swr_alloc_set_opts(struct SwrContext *s, if (av_opt_set_int(s, "tsf", AV_SAMPLE_FMT_NONE, 0) < 0) goto fail; - if (av_opt_set_int(s, "ich", av_get_channel_layout_nb_channels(s-> in_ch_layout), 0) < 0) + if (av_opt_set_int(s, "ich", av_get_channel_layout_nb_channels(s-> user_in_ch_layout), 0) < 0) goto fail; - if (av_opt_set_int(s, "och", av_get_channel_layout_nb_channels(s->out_ch_layout), 0) < 0) + if (av_opt_set_int(s, "och", av_get_channel_layout_nb_channels(s->user_out_ch_layout), 0) < 0) goto fail; av_opt_set_int(s, "uch", 0, 0); @@ -149,6 +153,7 @@ av_cold void swr_close(SwrContext *s){ av_cold int swr_init(struct SwrContext *s){ int ret; + char l1[1024], l2[1024]; clear_context(s); @@ -161,6 +166,15 @@ av_cold int swr_init(struct SwrContext *s){ return AVERROR(EINVAL); } + s->out.ch_count = s-> user_out_ch_count; + s-> in.ch_count = s-> user_in_ch_count; + s->used_ch_count = s->user_used_ch_count; + + s-> in_ch_layout = s-> user_in_ch_layout; + s->out_ch_layout = s->user_out_ch_layout; + + s->int_sample_fmt= s->user_int_sample_fmt; + if(av_get_channel_layout_nb_channels(s-> in_ch_layout) > SWR_CH_MAX) { av_log(s, AV_LOG_WARNING, "Input channel layout 0x%"PRIx64" is invalid or unsupported.\n", s-> in_ch_layout); s->in_ch_layout = 0; @@ -243,6 +257,10 @@ av_cold int swr_init(struct SwrContext *s){ if (s->out_sample_rate!=s->in_sample_rate || (s->flags & SWR_FLAG_RESAMPLE)){ s->resample = s->resampler->init(s->resample, s->out_sample_rate, s->in_sample_rate, s->filter_size, s->phase_shift, s->linear_interp, s->cutoff, s->int_sample_fmt, s->filter_type, s->kaiser_beta, s->precision, s->cheby); + if (!s->resample) { + av_log(s, AV_LOG_ERROR, "Failed to initilaize resampler\n"); + return AVERROR(ENOMEM); + } }else s->resampler->free(&s->resample); if( s->int_sample_fmt != AV_SAMPLE_FMT_S16P @@ -251,7 +269,8 @@ av_cold int swr_init(struct SwrContext *s){ && s->int_sample_fmt != AV_SAMPLE_FMT_DBLP && s->resample){ av_log(s, AV_LOG_ERROR, "Resampling only supported with internal s16/s32/flt/dbl\n"); - return -1; + ret = AVERROR(EINVAL); + goto fail; } #define RSC 1 //FIXME finetune @@ -265,16 +284,28 @@ av_cold int swr_init(struct SwrContext *s){ if(!s-> in.ch_count){ av_assert0(!s->in_ch_layout); av_log(s, AV_LOG_ERROR, "Input channel count and layout are unset\n"); - return -1; + ret = AVERROR(EINVAL); + goto fail; + } + + av_get_channel_layout_string(l1, sizeof(l1), s-> in.ch_count, s-> in_ch_layout); + av_get_channel_layout_string(l2, sizeof(l2), s->out.ch_count, s->out_ch_layout); + if (s->out_ch_layout && s->out.ch_count != av_get_channel_layout_nb_channels(s->out_ch_layout)) { + av_log(s, AV_LOG_ERROR, "Output channel layout %s mismatches specified channel count %d\n", l2, s->out.ch_count); + ret = AVERROR(EINVAL); + goto fail; + } + if (s->in_ch_layout && s->used_ch_count != av_get_channel_layout_nb_channels(s->in_ch_layout)) { + av_log(s, AV_LOG_ERROR, "Input channel layout %s mismatches specified channel count %d\n", l1, s->used_ch_count); + ret = AVERROR(EINVAL); + goto fail; } if ((!s->out_ch_layout || !s->in_ch_layout) && s->used_ch_count != s->out.ch_count && !s->rematrix_custom) { - char l1[1024], l2[1024]; - av_get_channel_layout_string(l1, sizeof(l1), s-> in.ch_count, s-> in_ch_layout); - av_get_channel_layout_string(l2, sizeof(l2), s->out.ch_count, s->out_ch_layout); av_log(s, AV_LOG_ERROR, "Rematrix is needed between %s and %s " "but there is not enough information to do it\n", l1, l2); - return -1; + ret = AVERROR(EINVAL); + goto fail; } av_assert0(s->used_ch_count); @@ -296,8 +327,10 @@ av_assert0(s->out.ch_count); s->out_convert= swri_audio_convert_alloc(s->out_sample_fmt, s->int_sample_fmt, s->out.ch_count, NULL, 0); - if (!s->in_convert || !s->out_convert) - return AVERROR(ENOMEM); + if (!s->in_convert || !s->out_convert) { + ret = AVERROR(ENOMEM); + goto fail; + } s->postin= s->in; s->preout= s->out; @@ -324,12 +357,19 @@ av_assert0(s->out.ch_count); } if ((ret = swri_dither_init(s, s->out_sample_fmt, s->int_sample_fmt)) < 0) - return ret; + goto fail; - if(s->rematrix || s->dither.method) - return swri_rematrix_init(s); + if(s->rematrix || s->dither.method) { + ret = swri_rematrix_init(s); + if (ret < 0) + goto fail; + } return 0; +fail: + swr_close(s); + return ret; + } int swri_realloc_audio(AudioData *a, int count){ @@ -598,7 +638,8 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co return ret; if(ret) for(ch=0; chdither.noise.ch_count; ch++) - swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, 12345678913579<dither.noise.fmt); + if((ret=swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, (12345678913579ULL*ch + 3141592) % 2718281828U, s->dither.noise.fmt))<0) + return ret; av_assert0(s->dither.noise.ch_count == preout->ch_count); if(s->dither.noise_pos + out_count > s->dither.noise.count) @@ -639,8 +680,8 @@ int swr_is_initialized(struct SwrContext *s) { return !!s->in_buffer.ch_count; } -int swr_convert(struct SwrContext *s, uint8_t *out_arg[SWR_CH_MAX], int out_count, - const uint8_t *in_arg [SWR_CH_MAX], int in_count){ +int attribute_align_arg swr_convert(struct SwrContext *s, uint8_t *out_arg[SWR_CH_MAX], int out_count, + const uint8_t *in_arg [SWR_CH_MAX], int in_count){ AudioData * in= &s->in; AudioData *out= &s->out; @@ -663,6 +704,8 @@ int swr_convert(struct SwrContext *s, uint8_t *out_arg[SWR_CH_MAX], int out_coun in_count = 0; if(ret>0) { s->drop_output -= ret; + if (!s->drop_output && !out_arg) + return 0; continue; } diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index 3761843e3b..f55bd9df6d 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -90,6 +90,13 @@ struct SwrContext { int used_ch_count; ///< number of used input channels (mapped channel count if channel_map, otherwise in.ch_count) enum SwrEngine engine; + int user_in_ch_count; ///< User set input channel count + int user_out_ch_count; ///< User set output channel count + int user_used_ch_count; ///< User set used channel count + int64_t user_in_ch_layout; ///< User set input channel layout + int64_t user_out_ch_layout; ///< User set output channel layout + enum AVSampleFormat user_int_sample_fmt; ///< User set internal sample format + struct DitherContext dither; int filter_size; /**< length of each FIR filter in the resampling filterbank relative to the cutoff frequency */ @@ -185,7 +192,7 @@ void swri_rematrix_free(SwrContext *s); int swri_rematrix(SwrContext *s, AudioData *out, AudioData *in, int len, int mustcopy); void swri_rematrix_init_x86(struct SwrContext *s); -void swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt); +int swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt); int swri_dither_init(SwrContext *s, enum AVSampleFormat out_fmt, enum AVSampleFormat in_fmt); void swri_audio_convert_init_aarch64(struct AudioConvert *ac, diff --git a/libswresample/x86/audio_convert.asm b/libswresample/x86/audio_convert.asm index b6e9e5d79d..eead735bdf 100644 --- a/libswresample/x86/audio_convert.asm +++ b/libswresample/x86/audio_convert.asm @@ -221,6 +221,8 @@ cglobal pack_6ch_%2_to_%1_%3, 2,8,7, dst, src, src1, src2, src3, src4, src5, len jne pack_6ch_%2_to_%1_u_int %+ SUFFIX test srcq, mmsize-1 jne pack_6ch_%2_to_%1_u_int %+ SUFFIX + test src1q, mmsize-1 + jne pack_6ch_%2_to_%1_u_int %+ SUFFIX test src2q, mmsize-1 jne pack_6ch_%2_to_%1_u_int %+ SUFFIX test src3q, mmsize-1 diff --git a/libswscale/input.c b/libswscale/input.c index 6716f0dcec..18a0fe628f 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -808,6 +808,19 @@ static av_always_inline void planar_rgb16_to_y(uint8_t *_dst, const uint8_t *_sr } } +static av_always_inline void planar_rgb16_to_a(uint8_t *_dst, const uint8_t *_src[4], + int width, int bpc, int is_be, int32_t *rgb2yuv) +{ + int i; + const uint16_t **src = (const uint16_t **)_src; + uint16_t *dst = (uint16_t *)_dst; + int shift = bpc < 16 ? bpc : 14; + + for (i = 0; i < width; i++) { + dst[i] = rdpx(src[3] + i) << (14 - shift); + } +} + static av_always_inline void planar_rgb16_to_uv(uint8_t *_dstU, uint8_t *_dstV, const uint8_t *_src[4], int width, int bpc, int is_be, int32_t *rgb2yuv) @@ -836,6 +849,11 @@ static void planar_rgb##nbits##endian_name##_to_y(uint8_t *dst, const uint8_t *s { \ planar_rgb16_to_y(dst, src, w, nbits, endian, rgb2yuv); \ } \ +static void planar_rgb##nbits##endian_name##_to_a(uint8_t *dst, const uint8_t *src[4], \ + int w, int32_t *rgb2yuv) \ +{ \ + planar_rgb16_to_a(dst, src, w, nbits, endian, rgb2yuv); \ +} \ static void planar_rgb##nbits##endian_name##_to_uv(uint8_t *dstU, uint8_t *dstV, \ const uint8_t *src[4], int w, int32_t *rgb2yuv) \ { \ @@ -1158,6 +1176,7 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) c->readLumPlanar = planar_rgb14le_to_y; break; case AV_PIX_FMT_GBRAP16LE: + c->readAlpPlanar = planar_rgb16le_to_a; case AV_PIX_FMT_GBRP16LE: c->readLumPlanar = planar_rgb16le_to_y; break; @@ -1174,6 +1193,7 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) c->readLumPlanar = planar_rgb14be_to_y; break; case AV_PIX_FMT_GBRAP16BE: + c->readAlpPlanar = planar_rgb16be_to_a; case AV_PIX_FMT_GBRP16BE: c->readLumPlanar = planar_rgb16be_to_y; break; diff --git a/libswscale/options.c b/libswscale/options.c index 5433d55b9b..4d49c3e8cc 100644 --- a/libswscale/options.c +++ b/libswscale/options.c @@ -64,10 +64,10 @@ static const AVOption swscale_options[] = { { "param0", "scaler param 0", OFFSET(param[0]), AV_OPT_TYPE_DOUBLE, { .dbl = SWS_PARAM_DEFAULT }, INT_MIN, INT_MAX, VE }, { "param1", "scaler param 1", OFFSET(param[1]), AV_OPT_TYPE_DOUBLE, { .dbl = SWS_PARAM_DEFAULT }, INT_MIN, INT_MAX, VE }, - { "src_v_chr_pos", "source vertical chroma position in luma grid/256" , OFFSET(src_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1 }, -1, 512, VE }, - { "src_h_chr_pos", "source horizontal chroma position in luma grid/256", OFFSET(src_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1 }, -1, 512, VE }, - { "dst_v_chr_pos", "destination vertical chroma position in luma grid/256" , OFFSET(dst_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1 }, -1, 512, VE }, - { "dst_h_chr_pos", "destination horizontal chroma position in luma grid/256", OFFSET(dst_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1 }, -1, 512, VE }, + { "src_v_chr_pos", "source vertical chroma position in luma grid/256" , OFFSET(src_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513 }, -513, 512, VE }, + { "src_h_chr_pos", "source horizontal chroma position in luma grid/256", OFFSET(src_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513 }, -513, 512, VE }, + { "dst_v_chr_pos", "destination vertical chroma position in luma grid/256" , OFFSET(dst_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513 }, -513, 512, VE }, + { "dst_h_chr_pos", "destination horizontal chroma position in luma grid/256", OFFSET(dst_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513 }, -513, 512, VE }, { "sws_dither", "set dithering algorithm", OFFSET(dither), AV_OPT_TYPE_INT, { .i64 = SWS_DITHER_AUTO }, 0, NB_SWS_DITHER, VE, "sws_dither" }, { "auto", "leave choice to sws", 0, AV_OPT_TYPE_CONST, { .i64 = SWS_DITHER_AUTO }, INT_MIN, INT_MAX, VE, "sws_dither" }, diff --git a/libswscale/rgb2rgb.c b/libswscale/rgb2rgb.c index 5b1fcf73ca..340174fd65 100644 --- a/libswscale/rgb2rgb.c +++ b/libswscale/rgb2rgb.c @@ -51,6 +51,7 @@ void (*rgb16to15)(const uint8_t *src, uint8_t *dst, int src_size); void (*rgb15to16)(const uint8_t *src, uint8_t *dst, int src_size); void (*rgb15to32)(const uint8_t *src, uint8_t *dst, int src_size); +void (*shuffle_bytes_0321)(const uint8_t *src, uint8_t *dst, int src_size); void (*shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, int src_size); void (*yv12toyuy2)(const uint8_t *ysrc, const uint8_t *usrc, @@ -333,7 +334,6 @@ void shuffle_bytes_ ## a ## b ## c ## d(const uint8_t *src, \ } \ } -DEFINE_SHUFFLE_BYTES(0, 3, 2, 1) DEFINE_SHUFFLE_BYTES(1, 2, 3, 0) DEFINE_SHUFFLE_BYTES(3, 0, 1, 2) DEFINE_SHUFFLE_BYTES(3, 2, 1, 0) diff --git a/libswscale/rgb2rgb.h b/libswscale/rgb2rgb.h index 5df5dea420..8faebe6a43 100644 --- a/libswscale/rgb2rgb.h +++ b/libswscale/rgb2rgb.h @@ -50,6 +50,7 @@ extern void (*rgb24to15)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*rgb32tobgr16)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*rgb32tobgr15)(const uint8_t *src, uint8_t *dst, int src_size); +extern void (*shuffle_bytes_0321)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, int src_size); void rgb64tobgr48_nobswap(const uint8_t *src, uint8_t *dst, int src_size); @@ -71,7 +72,6 @@ void rgb15tobgr15(const uint8_t *src, uint8_t *dst, int src_size); void rgb12tobgr12(const uint8_t *src, uint8_t *dst, int src_size); void rgb12to15(const uint8_t *src, uint8_t *dst, int src_size); -void shuffle_bytes_0321(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_1230(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_3012(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_3210(const uint8_t *src, uint8_t *dst, int src_size); diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index 121f4ef2e5..1cc28cdd13 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -322,12 +322,26 @@ static inline void shuffle_bytes_2103_c(const uint8_t *src, uint8_t *dst, uint8_t *d = dst - idx; for (; idx < 15; idx += 4) { - register int v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; v &= 0xff00ff; *(uint32_t *)&d[idx] = (v >> 16) + g + (v << 16); } } +static inline void shuffle_bytes_0321_c(const uint8_t *src, uint8_t *dst, + int src_size) +{ + int idx = 15 - src_size; + const uint8_t *s = src - idx; + uint8_t *d = dst - idx; + + for (; idx < 15; idx += 4) { + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0x00ff00ff; + v &= 0xff00ff00; + *(uint32_t *)&d[idx] = (v >> 16) + g + (v << 16); + } +} + static inline void rgb24tobgr24_c(const uint8_t *src, uint8_t *dst, int src_size) { unsigned i; @@ -355,9 +369,9 @@ static inline void yuvPlanartoyuy2_c(const uint8_t *ysrc, const uint8_t *usrc, const uint8_t *yc = ysrc, *uc = usrc, *vc = vsrc; for (i = 0; i < chromWidth; i += 2) { uint64_t k = yc[0] + (uc[0] << 8) + - (yc[1] << 16) + (unsigned)(vc[0] << 24); + (yc[1] << 16) + ((unsigned) vc[0] << 24); uint64_t l = yc[2] + (uc[1] << 8) + - (yc[3] << 16) + (unsigned)(vc[1] << 24); + (yc[3] << 16) + ((unsigned) vc[1] << 24); *ldst++ = k + (l << 32); yc += 4; uc += 2; @@ -419,9 +433,9 @@ static inline void yuvPlanartouyvy_c(const uint8_t *ysrc, const uint8_t *usrc, const uint8_t *yc = ysrc, *uc = usrc, *vc = vsrc; for (i = 0; i < chromWidth; i += 2) { uint64_t k = uc[0] + (yc[0] << 8) + - (vc[0] << 16) + (unsigned)(yc[1] << 24); + (vc[0] << 16) + ((unsigned) yc[1] << 24); uint64_t l = uc[1] + (yc[2] << 8) + - (vc[1] << 16) + (unsigned)(yc[3] << 24); + (vc[1] << 16) + ((unsigned) yc[3] << 24); *ldst++ = k + (l << 32); yc += 4; uc += 2; @@ -929,7 +943,13 @@ static av_cold void rgb2rgb_init_c(void) rgb24to15 = rgb24to15_c; rgb24to16 = rgb24to16_c; rgb24tobgr24 = rgb24tobgr24_c; +#if HAVE_BIGENDIAN + shuffle_bytes_0321 = shuffle_bytes_2103_c; + shuffle_bytes_2103 = shuffle_bytes_0321_c; +#else + shuffle_bytes_0321 = shuffle_bytes_0321_c; shuffle_bytes_2103 = shuffle_bytes_2103_c; +#endif rgb32tobgr16 = rgb32tobgr16_c; rgb32tobgr15 = rgb32tobgr15_c; yv12toyuy2 = yv12toyuy2_c; diff --git a/libswscale/swscale-test.c b/libswscale/swscale-test.c index 661ff5b7b2..45e25a378c 100644 --- a/libswscale/swscale-test.c +++ b/libswscale/swscale-test.c @@ -298,10 +298,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp, struct Results r; enum AVPixelFormat srcFormat; char srcStr[12]; - int srcW, srcH; + int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; char dstStr[12]; - int dstW, dstH; + int dstW = 0, dstH = 0; int flags; int ret; @@ -399,7 +399,7 @@ bad_option: for (y = 0; y < H; y++) for (x = 0; x < W * 4; x++) rgb_data[ x + y * 4 * W] = av_lfg_get(&rand); - sws_scale(sws, rgb_src, rgb_stride, 0, H, src, stride); + sws_scale(sws, rgb_src, rgb_stride, 0, H / 12, src, stride); sws_freeContext(sws); av_free(rgb_data); diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 59ead121d9..87fd63a8ce 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -27,6 +27,7 @@ #include "libavutil/avutil.h" #include "libavutil/bswap.h" #include "libavutil/cpu.h" +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "libavutil/mathematics.h" #include "libavutil/pixdesc.h" @@ -894,11 +895,31 @@ int attribute_align_arg sws_scale(struct SwsContext *c, const uint8_t *src2[4]; uint8_t *dst2[4]; uint8_t *rgb0_tmp = NULL; + int macro_height = isBayer(c->srcFormat) ? 2 : (1 << c->chrSrcVSubSample); if (!srcStride || !dstStride || !dst || !srcSlice) { av_log(c, AV_LOG_ERROR, "One of the input parameters to sws_scale() is NULL, please check the calling code\n"); return 0; } + + if ((srcSliceY & (macro_height-1)) || + ((srcSliceH& (macro_height-1)) && srcSliceY + srcSliceH != c->srcH) || + srcSliceY + srcSliceH > c->srcH) { + av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); + return AVERROR(EINVAL); + } + if (c->cascaded_context[0] && srcSliceY == 0 && srcSliceH == c->cascaded_context[0]->srcH) { + ret = sws_scale(c->cascaded_context[0], + srcSlice, srcStride, srcSliceY, srcSliceH, + c->cascaded_tmp, c->cascaded_tmpStride); + if (ret < 0) + return ret; + ret = sws_scale(c->cascaded_context[1], + (const uint8_t * const * )c->cascaded_tmp, c->cascaded_tmpStride, 0, c->cascaded_context[0]->dstH, + dst, dstStride); + return ret; + } + memcpy(src2, srcSlice, sizeof(src2)); memcpy(dst2, dst, sizeof(dst2)); diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 335e1f8d7e..baea85010e 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -39,7 +39,8 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long -#define YUVRGB_TABLE_HEADROOM 128 +#define YUVRGB_TABLE_HEADROOM 512 +#define YUVRGB_TABLE_LUMA_HEADROOM 512 #define MAX_FILTER_SIZE SWS_MAX_FILTER_SIZE @@ -61,6 +62,8 @@ # define APCK_SIZE 16 #endif +#define RETCODE_USE_CASCADE -12345 + struct SwsContext; typedef enum SwsDither { @@ -301,6 +304,14 @@ typedef struct SwsContext { int sliceDir; ///< Direction that slices are fed to the scaler (1 = top-to-bottom, -1 = bottom-to-top). double param[2]; ///< Input parameters for scaling algorithms that need them. + /* The cascaded_* fields allow spliting a scaler task into multiple + * sequential steps, this is for example used to limit the maximum + * downscaling factor that needs to be supported in one scaler. + */ + struct SwsContext *cascaded_context[2]; + int cascaded_tmpStride[4]; + uint8_t *cascaded_tmp[4]; + uint32_t pal_yuv[256]; uint32_t pal_rgb[256]; diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index da457dfbdb..41d6b2b2f3 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -352,6 +352,7 @@ static int packed_16bpc_bswap(SwsContext *c, const uint8_t *src[], int min_stride = FFMIN(FFABS(srcstr), FFABS(dststr)); if(!dstPtr || !srcPtr) continue; + dstPtr += (srcSliceY >> c->chrDstVSubSample) * dststr; for (i = 0; i < (srcSliceH >> c->chrDstVSubSample); i++) { for (j = 0; j < min_stride; j++) { dstPtr[j] = av_bswap16(srcPtr[j]); @@ -557,6 +558,8 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const uint8_t *src[], int bpc = dst_format->comp[0].depth_minus1 + 1; int alpha = src_format->flags & AV_PIX_FMT_FLAG_ALPHA; int swap = 0; + int i; + if ( HAVE_BIGENDIAN && !(src_format->flags & AV_PIX_FMT_FLAG_BE) || !HAVE_BIGENDIAN && src_format->flags & AV_PIX_FMT_FLAG_BE) swap++; @@ -570,6 +573,12 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const uint8_t *src[], src_format->name, dst_format->name); return srcSliceH; } + + for(i=0; i<4; i++) { + dst2013[i] += stride2013[i] * srcSliceY / 2; + dst1023[i] += stride1023[i] * srcSliceY / 2; + } + switch (c->srcFormat) { case AV_PIX_FMT_RGB48LE: case AV_PIX_FMT_RGB48BE: @@ -1058,6 +1067,8 @@ static int bayer_to_rgb24_wrapper(SwsContext *c, const uint8_t* src[], int srcSt default: return 0; } + av_assert0(srcSliceH > 1); + copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); srcPtr += 2 * srcStride[0]; dstPtr += 2 * dstStride[0]; @@ -1068,7 +1079,10 @@ static int bayer_to_rgb24_wrapper(SwsContext *c, const uint8_t* src[], int srcSt dstPtr += 2 * dstStride[0]; } - copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); + if (i + 1 == srcSliceH) { + copy(srcPtr, -srcStride[0], dstPtr, -dstStride[0], c->srcW); + } else if (i < srcSliceH) + copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); return srcSliceH; } @@ -1104,6 +1118,8 @@ static int bayer_to_yv12_wrapper(SwsContext *c, const uint8_t* src[], int srcStr default: return 0; } + av_assert0(srcSliceH > 1); + copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); srcPtr += 2 * srcStride[0]; dstY += 2 * dstStride[0]; @@ -1118,7 +1134,10 @@ static int bayer_to_yv12_wrapper(SwsContext *c, const uint8_t* src[], int srcStr dstV += dstStride[1]; } - copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); + if (i + 1 == srcSliceH) { + copy(srcPtr, -srcStride[0], dstY, dstU, dstV, -dstStride[0], c->srcW, c->input_rgb2yuv_table); + } else if (i < srcSliceH) + copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); return srcSliceH; } @@ -1242,6 +1261,11 @@ static rgbConvFn findRgbConvFn(SwsContext *c) if ((dstFormat == AV_PIX_FMT_RGB32_1 || dstFormat == AV_PIX_FMT_BGR32_1) && !isRGBA32(srcFormat) && ALT32_CORR<0) return NULL; + // Maintain symmetry between endianness + if (c->flags & SWS_BITEXACT) + if ((dstFormat == AV_PIX_FMT_RGB32 || dstFormat == AV_PIX_FMT_BGR32 ) && !isRGBA32(srcFormat) && ALT32_CORR>0) + return NULL; + return conv; } diff --git a/libswscale/utils.c b/libswscale/utils.c index 06fd358d94..89c5d95c12 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -42,6 +42,7 @@ #include "libavutil/avutil.h" #include "libavutil/bswap.h" #include "libavutil/cpu.h" +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "libavutil/mathematics.h" #include "libavutil/opt.h" @@ -266,7 +267,7 @@ static double getSplineCoeff(double a, double b, double c, double d, static av_cold int get_local_pos(SwsContext *s, int chr_subsample, int pos, int dir) { - if (pos < 0) { + if (pos == -1 || pos <= -513) { pos = (128 << chr_subsample) - 128; } pos += 128; // relative to ideal left edge @@ -390,7 +391,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x10000LL)>>7); for (i = 0; i < dstW; i++) { - int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 17); + int xx = (xDstInSrc - (filterSize - 2) * (1LL<<16)) / (1 << 17); int j; (*filterPos)[i] = xx; for (j = 0; j < filterSize; j++) { @@ -582,8 +583,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, goto fail; if (filterSize >= MAX_FILTER_SIZE * 16 / ((flags & SWS_ACCURATE_RND) ? APCK_SIZE : 16)) { - av_log(NULL, AV_LOG_ERROR, "sws: filterSize %d is too large, try less extreme scaling or set --sws-max-filter-size and recompile\n", - FF_CEIL_RSHIFT((filterSize+1) * ((flags & SWS_ACCURATE_RND) ? APCK_SIZE : 16), 4)); + ret = RETCODE_USE_CASCADE; goto fail; } *outFilterSize = filterSize; @@ -622,14 +622,25 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, } if ((*filterPos)[i] + filterSize > srcW) { - int shift = (*filterPos)[i] + filterSize - srcW; - // move filter coefficients right to compensate for filterPos - for (j = filterSize - 2; j >= 0; j--) { - int right = FFMIN(j + shift, filterSize - 1); - filter[i * filterSize + right] += filter[i * filterSize + j]; - filter[i * filterSize + j] = 0; + int shift = (*filterPos)[i] + FFMIN(filterSize - srcW, 0); + int64_t acc = 0; + + for (j = filterSize - 1; j >= 0; j--) { + if ((*filterPos)[i] + j >= srcW) { + acc += filter[i * filterSize + j]; + filter[i * filterSize + j] = 0; + } } - (*filterPos)[i]= srcW - filterSize; + for (j = filterSize - 1; j >= 0; j--) { + if (j < shift) { + filter[i * filterSize + j] = 0; + } else { + filter[i * filterSize + j] = filter[i * filterSize + j - shift]; + } + } + + (*filterPos)[i]-= shift; + filter[i * filterSize + srcW - 1 - (*filterPos)[i]] += acc; } } @@ -675,7 +686,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, fail: if(ret < 0) - av_log(NULL, AV_LOG_ERROR, "sws: initFilter failed\n"); + av_log(NULL, ret == RETCODE_USE_CASCADE ? AV_LOG_DEBUG : AV_LOG_ERROR, "sws: initFilter failed\n"); av_free(filter); av_free(filter2); return ret; @@ -970,6 +981,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, enum AVPixelFormat dstFormat = c->dstFormat; const AVPixFmtDescriptor *desc_src; const AVPixFmtDescriptor *desc_dst; + int ret = 0; cpu_flags = av_get_cpu_flags(); flags = c->flags; @@ -1044,6 +1056,12 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, srcW, srcH, dstW, dstH); return AVERROR(EINVAL); } + if (flags & SWS_FAST_BILINEAR) { + if (srcW < 8 || dstW < 8) { + flags ^= SWS_FAST_BILINEAR | SWS_BILINEAR; + c->flags = flags; + } + } if (!dstFilter) dstFilter = &dummyFilter; @@ -1166,6 +1184,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, srcFormat != AV_PIX_FMT_GBRP12BE && srcFormat != AV_PIX_FMT_GBRP12LE && srcFormat != AV_PIX_FMT_GBRP14BE && srcFormat != AV_PIX_FMT_GBRP14LE && srcFormat != AV_PIX_FMT_GBRP16BE && srcFormat != AV_PIX_FMT_GBRP16LE && + srcFormat != AV_PIX_FMT_GBRAP16BE && srcFormat != AV_PIX_FMT_GBRAP16LE && ((dstW >> c->chrDstHSubSample) <= (srcW >> 1) || (flags & SWS_FAST_BILINEAR))) c->chrSrcHSubSample = 1; @@ -1176,7 +1195,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, c->chrDstW = FF_CEIL_RSHIFT(dstW, c->chrDstHSubSample); c->chrDstH = FF_CEIL_RSHIFT(dstH, c->chrDstVSubSample); - FF_ALLOC_OR_GOTO(c, c->formatConvBuffer, FFALIGN(srcW*2+78, 16) * 2, fail); + FF_ALLOCZ_OR_GOTO(c, c->formatConvBuffer, FFALIGN(srcW*2+78, 16) * 2, fail); c->srcBpc = 1 + desc_src->comp[0].depth_minus1; if (c->srcBpc < 8) @@ -1227,6 +1246,31 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, } } + if (isBayer(srcFormat)) { + if (!unscaled || + (dstFormat != AV_PIX_FMT_RGB24 && dstFormat != AV_PIX_FMT_YUV420P)) { + enum AVPixelFormat tmpFormat = AV_PIX_FMT_RGB24; + + ret = av_image_alloc(c->cascaded_tmp, c->cascaded_tmpStride, + srcW, srcH, tmpFormat, 64); + if (ret < 0) + return ret; + + c->cascaded_context[0] = sws_getContext(srcW, srcH, srcFormat, + srcW, srcH, tmpFormat, + flags, srcFilter, NULL, c->param); + if (!c->cascaded_context[0]) + return -1; + + c->cascaded_context[1] = sws_getContext(srcW, srcH, tmpFormat, + dstW, dstH, dstFormat, + flags, NULL, dstFilter, c->param); + if (!c->cascaded_context[1]) + return -1; + return 0; + } + } + #define USE_MMAP (HAVE_MMAP && HAVE_MPROTECT && defined MAP_ANONYMOUS) /* precalculate horizontal scaler filter coefficients */ @@ -1295,23 +1339,23 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, const int filterAlign = X86_MMX(cpu_flags) ? 4 : PPC_ALTIVEC(cpu_flags) ? 8 : 1; - if (initFilter(&c->hLumFilter, &c->hLumFilterPos, + if ((ret = initFilter(&c->hLumFilter, &c->hLumFilterPos, &c->hLumFilterSize, c->lumXInc, srcW, dstW, filterAlign, 1 << 14, (flags & SWS_BICUBLIN) ? (flags | SWS_BICUBIC) : flags, cpu_flags, srcFilter->lumH, dstFilter->lumH, c->param, get_local_pos(c, 0, 0, 0), - get_local_pos(c, 0, 0, 0)) < 0) + get_local_pos(c, 0, 0, 0))) < 0) goto fail; - if (initFilter(&c->hChrFilter, &c->hChrFilterPos, + if ((ret = initFilter(&c->hChrFilter, &c->hChrFilterPos, &c->hChrFilterSize, c->chrXInc, c->chrSrcW, c->chrDstW, filterAlign, 1 << 14, (flags & SWS_BICUBLIN) ? (flags | SWS_BILINEAR) : flags, cpu_flags, srcFilter->chrH, dstFilter->chrH, c->param, get_local_pos(c, c->chrSrcHSubSample, c->src_h_chr_pos, 0), - get_local_pos(c, c->chrDstHSubSample, c->dst_h_chr_pos, 0)) < 0) + get_local_pos(c, c->chrDstHSubSample, c->dst_h_chr_pos, 0))) < 0) goto fail; } } // initialize horizontal stuff @@ -1321,22 +1365,22 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, const int filterAlign = X86_MMX(cpu_flags) ? 2 : PPC_ALTIVEC(cpu_flags) ? 8 : 1; - if (initFilter(&c->vLumFilter, &c->vLumFilterPos, &c->vLumFilterSize, + if ((ret = initFilter(&c->vLumFilter, &c->vLumFilterPos, &c->vLumFilterSize, c->lumYInc, srcH, dstH, filterAlign, (1 << 12), (flags & SWS_BICUBLIN) ? (flags | SWS_BICUBIC) : flags, cpu_flags, srcFilter->lumV, dstFilter->lumV, c->param, get_local_pos(c, 0, 0, 1), - get_local_pos(c, 0, 0, 1)) < 0) + get_local_pos(c, 0, 0, 1))) < 0) goto fail; - if (initFilter(&c->vChrFilter, &c->vChrFilterPos, &c->vChrFilterSize, + if ((ret = initFilter(&c->vChrFilter, &c->vChrFilterPos, &c->vChrFilterSize, c->chrYInc, c->chrSrcH, c->chrDstH, filterAlign, (1 << 12), (flags & SWS_BICUBLIN) ? (flags | SWS_BILINEAR) : flags, cpu_flags, srcFilter->chrV, dstFilter->chrV, c->param, get_local_pos(c, c->chrSrcVSubSample, c->src_v_chr_pos, 1), - get_local_pos(c, c->chrDstVSubSample, c->dst_v_chr_pos, 1)) < 0) + get_local_pos(c, c->chrDstVSubSample, c->dst_v_chr_pos, 1))) < 0) goto fail; @@ -1384,9 +1428,9 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, /* Allocate pixbufs (we use dynamic allocation because otherwise we would * need to allocate several megabytes to handle all possible cases) */ - FF_ALLOC_OR_GOTO(c, c->lumPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); - FF_ALLOC_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); - FF_ALLOC_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->lumPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) FF_ALLOCZ_OR_GOTO(c, c->alpPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); /* Note we need at least one pixel more at the end because of the MMX code @@ -1490,6 +1534,35 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, c->swscale = ff_getSwsFunc(c); return 0; fail: // FIXME replace things by appropriate error codes + if (ret == RETCODE_USE_CASCADE) { + int tmpW = sqrt(srcW * (int64_t)dstW); + int tmpH = sqrt(srcH * (int64_t)dstH); + enum AVPixelFormat tmpFormat = AV_PIX_FMT_YUV420P; + + if (isALPHA(srcFormat)) + tmpFormat = AV_PIX_FMT_YUVA420P; + + if (srcW*(int64_t)srcH <= 4LL*dstW*dstH) + return AVERROR(EINVAL); + + ret = av_image_alloc(c->cascaded_tmp, c->cascaded_tmpStride, + tmpW, tmpH, tmpFormat, 64); + if (ret < 0) + return ret; + + c->cascaded_context[0] = sws_getContext(srcW, srcH, srcFormat, + tmpW, tmpH, tmpFormat, + flags, srcFilter, NULL, c->param); + if (!c->cascaded_context[0]) + return -1; + + c->cascaded_context[1] = sws_getContext(tmpW, tmpH, tmpFormat, + dstW, dstH, dstFormat, + flags, NULL, dstFilter, c->param); + if (!c->cascaded_context[1]) + return -1; + return 0; + } return -1; } @@ -1901,6 +1974,11 @@ void sws_freeContext(SwsContext *c) av_freep(&c->yuvTable); av_freep(&c->formatConvBuffer); + sws_freeContext(c->cascaded_context[0]); + sws_freeContext(c->cascaded_context[1]); + memset(c->cascaded_context, 0, sizeof(c->cascaded_context)); + av_freep(&c->cascaded_tmp[0]); + av_free(c); } diff --git a/libswscale/x86/hscale_fast_bilinear_simd.c b/libswscale/x86/hscale_fast_bilinear_simd.c index 103793d27a..7887b6b651 100644 --- a/libswscale/x86/hscale_fast_bilinear_simd.c +++ b/libswscale/x86/hscale_fast_bilinear_simd.c @@ -277,7 +277,7 @@ void ff_hyscale_fast_mmxext(SwsContext *c, int16_t *dst, ,"m"(retsave) #endif : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D -#if !defined(PIC) +#if ARCH_X86_64 || !defined(PIC) ,"%"REG_b #endif ); @@ -361,7 +361,7 @@ void ff_hcscale_fast_mmxext(SwsContext *c, int16_t *dst1, int16_t *dst2, ,"m"(retsave) #endif : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D -#if !defined(PIC) +#if ARCH_X86_64 || !defined(PIC) ,"%"REG_b #endif ); diff --git a/libswscale/x86/output.asm b/libswscale/x86/output.asm index 9ea4af9535..133817cb71 100644 --- a/libswscale/x86/output.asm +++ b/libswscale/x86/output.asm @@ -54,6 +54,118 @@ SECTION .text ; int32_t if $output_size is 16. $filter is 12-bits. $filterSize is a multiple ; of 2. $offset is either 0 or 3. $dither holds 8 values. ;----------------------------------------------------------------------------- +%macro yuv2planeX_mainloop 2 +.pixelloop_%2: +%assign %%i 0 + ; the rep here is for the 8bit output mmx case, where dither covers + ; 8 pixels but we can only handle 2 pixels per register, and thus 4 + ; pixels per iteration. In order to not have to keep track of where + ; we are w.r.t. dithering, we unroll the mmx/8bit loop x2. +%if %1 == 8 +%assign %%repcnt 16/mmsize +%else +%assign %%repcnt 1 +%endif + +%rep %%repcnt + +%if %1 == 8 +%if ARCH_X86_32 + mova m2, [rsp+mmsize*(0+%%i)] + mova m1, [rsp+mmsize*(1+%%i)] +%else ; x86-64 + mova m2, m8 + mova m1, m_dith +%endif ; x86-32/64 +%else ; %1 == 9/10/16 + mova m1, [yuv2yuvX_%1_start] + mova m2, m1 +%endif ; %1 == 8/9/10/16 + movsx cntr_reg, fltsizem +.filterloop_%2_ %+ %%i: + ; input pixels + mov r6, [srcq+gprsize*cntr_reg-2*gprsize] +%if %1 == 16 + mova m3, [r6+r5*4] + mova m5, [r6+r5*4+mmsize] +%else ; %1 == 8/9/10 + mova m3, [r6+r5*2] +%endif ; %1 == 8/9/10/16 + mov r6, [srcq+gprsize*cntr_reg-gprsize] +%if %1 == 16 + mova m4, [r6+r5*4] + mova m6, [r6+r5*4+mmsize] +%else ; %1 == 8/9/10 + mova m4, [r6+r5*2] +%endif ; %1 == 8/9/10/16 + + ; coefficients + movd m0, [filterq+2*cntr_reg-4] ; coeff[0], coeff[1] +%if %1 == 16 + pshuflw m7, m0, 0 ; coeff[0] + pshuflw m0, m0, 0x55 ; coeff[1] + pmovsxwd m7, m7 ; word -> dword + pmovsxwd m0, m0 ; word -> dword + + pmulld m3, m7 + pmulld m5, m7 + pmulld m4, m0 + pmulld m6, m0 + + paddd m2, m3 + paddd m1, m5 + paddd m2, m4 + paddd m1, m6 +%else ; %1 == 10/9/8 + punpcklwd m5, m3, m4 + punpckhwd m3, m4 + SPLATD m0 + + pmaddwd m5, m0 + pmaddwd m3, m0 + + paddd m2, m5 + paddd m1, m3 +%endif ; %1 == 8/9/10/16 + + sub cntr_reg, 2 + jg .filterloop_%2_ %+ %%i + +%if %1 == 16 + psrad m2, 31 - %1 + psrad m1, 31 - %1 +%else ; %1 == 10/9/8 + psrad m2, 27 - %1 + psrad m1, 27 - %1 +%endif ; %1 == 8/9/10/16 + +%if %1 == 8 + packssdw m2, m1 + packuswb m2, m2 + movh [dstq+r5*1], m2 +%else ; %1 == 9/10/16 +%if %1 == 16 + packssdw m2, m1 + paddw m2, [minshort] +%else ; %1 == 9/10 +%if cpuflag(sse4) + packusdw m2, m1 +%else ; mmxext/sse2 + packssdw m2, m1 + pmaxsw m2, m6 +%endif ; mmxext/sse2/sse4/avx + pminsw m2, [yuv2yuvX_%1_upper] +%endif ; %1 == 9/10/16 + mov%2 [dstq+r5*2], m2 +%endif ; %1 == 8/9/10/16 + + add r5, mmsize/2 + sub wd, mmsize/2 + +%assign %%i %%i+2 +%endrep + jg .pixelloop_%2 +%endmacro %macro yuv2planeX_fn 3 @@ -123,116 +235,16 @@ cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset xor r5, r5 -.pixelloop: -%assign %%i 0 - ; the rep here is for the 8bit output mmx case, where dither covers - ; 8 pixels but we can only handle 2 pixels per register, and thus 4 - ; pixels per iteration. In order to not have to keep track of where - ; we are w.r.t. dithering, we unroll the mmx/8bit loop x2. -%if %1 == 8 -%assign %%repcnt 16/mmsize -%else -%assign %%repcnt 1 -%endif - -%rep %%repcnt - -%if %1 == 8 -%if ARCH_X86_32 - mova m2, [rsp+mmsize*(0+%%i)] - mova m1, [rsp+mmsize*(1+%%i)] -%else ; x86-64 - mova m2, m8 - mova m1, m_dith -%endif ; x86-32/64 -%else ; %1 == 9/10/16 - mova m1, [yuv2yuvX_%1_start] - mova m2, m1 -%endif ; %1 == 8/9/10/16 - movsx cntr_reg, fltsizem -.filterloop_ %+ %%i: - ; input pixels - mov r6, [srcq+gprsize*cntr_reg-2*gprsize] -%if %1 == 16 - mova m3, [r6+r5*4] - mova m5, [r6+r5*4+mmsize] -%else ; %1 == 8/9/10 - mova m3, [r6+r5*2] -%endif ; %1 == 8/9/10/16 - mov r6, [srcq+gprsize*cntr_reg-gprsize] -%if %1 == 16 - mova m4, [r6+r5*4] - mova m6, [r6+r5*4+mmsize] -%else ; %1 == 8/9/10 - mova m4, [r6+r5*2] -%endif ; %1 == 8/9/10/16 - - ; coefficients - movd m0, [filterq+2*cntr_reg-4] ; coeff[0], coeff[1] -%if %1 == 16 - pshuflw m7, m0, 0 ; coeff[0] - pshuflw m0, m0, 0x55 ; coeff[1] - pmovsxwd m7, m7 ; word -> dword - pmovsxwd m0, m0 ; word -> dword - - pmulld m3, m7 - pmulld m5, m7 - pmulld m4, m0 - pmulld m6, m0 - - paddd m2, m3 - paddd m1, m5 - paddd m2, m4 - paddd m1, m6 -%else ; %1 == 10/9/8 - punpcklwd m5, m3, m4 - punpckhwd m3, m4 - SPLATD m0 - - pmaddwd m5, m0 - pmaddwd m3, m0 - - paddd m2, m5 - paddd m1, m3 -%endif ; %1 == 8/9/10/16 - - sub cntr_reg, 2 - jg .filterloop_ %+ %%i - -%if %1 == 16 - psrad m2, 31 - %1 - psrad m1, 31 - %1 -%else ; %1 == 10/9/8 - psrad m2, 27 - %1 - psrad m1, 27 - %1 -%endif ; %1 == 8/9/10/16 - -%if %1 == 8 - packssdw m2, m1 - packuswb m2, m2 - movh [dstq+r5*1], m2 -%else ; %1 == 9/10/16 -%if %1 == 16 - packssdw m2, m1 - paddw m2, [minshort] -%else ; %1 == 9/10 -%if cpuflag(sse4) - packusdw m2, m1 -%else ; mmxext/sse2 - packssdw m2, m1 - pmaxsw m2, m6 -%endif ; mmxext/sse2/sse4/avx - pminsw m2, [yuv2yuvX_%1_upper] -%endif ; %1 == 9/10/16 - mova [dstq+r5*2], m2 -%endif ; %1 == 8/9/10/16 - - add r5, mmsize/2 - sub wd, mmsize/2 - -%assign %%i %%i+2 -%endrep - jg .pixelloop +%if mmsize == 8 || %1 == 8 + yuv2planeX_mainloop %1, a +%else ; mmsize == 16 + test dstq, 15 + jnz .unaligned + yuv2planeX_mainloop %1, a + REP_RET +.unaligned: + yuv2planeX_mainloop %1, u +%endif ; mmsize == 8/16 %if %1 == 8 %if ARCH_X86_32 diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 3899d0a842..73af74e6aa 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1090,7 +1090,7 @@ static inline void RENAME(shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, : "r" (s), "r" (d), "m" (mask32b), "m" (mask32r), "m" (mmx_one) : "memory"); for (; idx<15; idx+=4) { - register int v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; v &= 0xff00ff; *(uint32_t *)&d[idx] = (v>>16) + g + (v<<16); } @@ -1434,7 +1434,9 @@ static inline void RENAME(planar2x)(const uint8_t *src, uint8_t *dst, int srcWid dst+= dstStride; for (y=1; y> 2; + dst[dstStride] = (src[0] + 3 * src[srcStride]) >> 2; + } for (x=mmxSize-1; x>2; @@ -1634,6 +1641,16 @@ static inline void RENAME(rgb24toyv12)(const uint8_t *src, uint8_t *ydst, uint8_ #define BGR2V_IDX "16*4+16*34" int y; const x86_reg chromWidth= width>>1; + + if (height > 2) { + ff_rgb24toyv12_c(src, ydst, udst, vdst, width, 2, lumStride, chromStride, srcStride, rgb2yuv); + src += 2*srcStride; + ydst += 2*lumStride; + udst += chromStride; + vdst += chromStride; + height -= 2; + } + for (y=0; y= 16) { #if COMPILE_TEMPLATE_SSE2 + if (!((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15)) { __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1894,9 +1913,10 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui "cmp %3, %%"REG_a" \n\t" " jb 1b \n\t" ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) - : "memory", "%"REG_a"" + : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); -#else + } else +#endif __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1922,7 +1942,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", "%"REG_a ); -#endif + + } for (w= (width&(~15)); w < width; w++) { dest[2*w+0] = src1[w]; dest[2*w+1] = src2[w]; diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index c4c0e28e53..7c51979bb2 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c @@ -425,7 +425,7 @@ switch(c->dstBpc){ \ case 16: do_16_case; break; \ case 10: if (!isBE(c->dstFormat)) vscalefn = ff_yuv2planeX_10_ ## opt; break; \ case 9: if (!isBE(c->dstFormat)) vscalefn = ff_yuv2planeX_9_ ## opt; break; \ - default: if (condition_8bit) /*vscalefn = ff_yuv2planeX_8_ ## opt;*/ break; \ + case 8: if ((condition_8bit) && !c->use_mmx_vfilter) vscalefn = ff_yuv2planeX_8_ ## opt; break; \ } #define ASSIGN_VSCALE_FUNC(vscalefn, opt1, opt2, opt2chk) \ switch(c->dstBpc){ \ diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 8e92e6da3e..86de94cfe7 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -720,7 +720,8 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], uint16_t *y_table16; uint32_t *y_table32; int i, base, rbase, gbase, bbase, av_uninit(abase), needAlpha; - const int yoffs = fullRange ? 384 : 326; + const int yoffs = (fullRange ? 384 : 326) + YUVRGB_TABLE_LUMA_HEADROOM; + const int table_plane_size = 1024 + 2*YUVRGB_TABLE_LUMA_HEADROOM; int64_t crv = inv_table[0]; int64_t cbu = inv_table[1]; @@ -771,12 +772,16 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], av_freep(&c->yuvTable); +#define ALLOC_YUV_TABLE(x) \ + c->yuvTable = av_malloc(x); \ + if (!c->yuvTable) \ + return AVERROR(ENOMEM); switch (bpp) { case 1: - c->yuvTable = av_malloc(1024); + ALLOC_YUV_TABLE(table_plane_size); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 110; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 110; i++) { y_table[i + 110] = av_clip_uint8((yb + 0x8000) >> 16) >> 7; yb += cy; } @@ -788,60 +793,60 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 3 : 0; gbase = 1; bbase = isRgb ? 0 : 3; - c->yuvTable = av_malloc(1024 * 3); + ALLOC_YUV_TABLE(table_plane_size * 3); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 110; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 110; i++) { int yval = av_clip_uint8((yb + 0x8000) >> 16); y_table[i + 110] = (yval >> 7) << rbase; - y_table[i + 37 + 1024] = ((yval + 43) / 85) << gbase; - y_table[i + 110 + 2048] = (yval >> 7) << bbase; + y_table[i + 37 + table_plane_size] = ((yval + 43) / 85) << gbase; + y_table[i + 110 + 2*table_plane_size] = (yval >> 7) << bbase; yb += cy; } fill_table(c->table_rV, 1, crv, y_table + yoffs); - fill_table(c->table_gU, 1, cgu, y_table + yoffs + 1024); - fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2048); + fill_table(c->table_gU, 1, cgu, y_table + yoffs + table_plane_size); + fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 1, cgv); break; case 8: rbase = isRgb ? 5 : 0; gbase = isRgb ? 2 : 3; bbase = isRgb ? 0 : 6; - c->yuvTable = av_malloc(1024 * 3); + ALLOC_YUV_TABLE(table_plane_size * 3); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 38; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 38; i++) { int yval = av_clip_uint8((yb + 0x8000) >> 16); y_table[i + 16] = ((yval + 18) / 36) << rbase; - y_table[i + 16 + 1024] = ((yval + 18) / 36) << gbase; - y_table[i + 37 + 2048] = ((yval + 43) / 85) << bbase; + y_table[i + 16 + table_plane_size] = ((yval + 18) / 36) << gbase; + y_table[i + 37 + 2*table_plane_size] = ((yval + 43) / 85) << bbase; yb += cy; } fill_table(c->table_rV, 1, crv, y_table + yoffs); - fill_table(c->table_gU, 1, cgu, y_table + yoffs + 1024); - fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2048); + fill_table(c->table_gU, 1, cgu, y_table + yoffs + table_plane_size); + fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 1, cgv); break; case 12: rbase = isRgb ? 8 : 0; gbase = 4; bbase = isRgb ? 0 : 8; - c->yuvTable = av_malloc(1024 * 3 * 2); + ALLOC_YUV_TABLE(table_plane_size * 3 * 2); y_table16 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { uint8_t yval = av_clip_uint8((yb + 0x8000) >> 16); y_table16[i] = (yval >> 4) << rbase; - y_table16[i + 1024] = (yval >> 4) << gbase; - y_table16[i + 2048] = (yval >> 4) << bbase; + y_table16[i + table_plane_size] = (yval >> 4) << gbase; + y_table16[i + 2*table_plane_size] = (yval >> 4) << bbase; yb += cy; } if (isNotNe) - for (i = 0; i < 1024 * 3; i++) + for (i = 0; i < table_plane_size * 3; i++) y_table16[i] = av_bswap16(y_table16[i]); fill_table(c->table_rV, 2, crv, y_table16 + yoffs); - fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + 1024); - fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2048); + fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + table_plane_size); + fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 2, cgv); break; case 15: @@ -849,30 +854,30 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? bpp - 5 : 0; gbase = 5; bbase = isRgb ? 0 : (bpp - 5); - c->yuvTable = av_malloc(1024 * 3 * 2); + ALLOC_YUV_TABLE(table_plane_size * 3 * 2); y_table16 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { uint8_t yval = av_clip_uint8((yb + 0x8000) >> 16); y_table16[i] = (yval >> 3) << rbase; - y_table16[i + 1024] = (yval >> (18 - bpp)) << gbase; - y_table16[i + 2048] = (yval >> 3) << bbase; + y_table16[i + table_plane_size] = (yval >> (18 - bpp)) << gbase; + y_table16[i + 2*table_plane_size] = (yval >> 3) << bbase; yb += cy; } if (isNotNe) - for (i = 0; i < 1024 * 3; i++) + for (i = 0; i < table_plane_size * 3; i++) y_table16[i] = av_bswap16(y_table16[i]); fill_table(c->table_rV, 2, crv, y_table16 + yoffs); - fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + 1024); - fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2048); + fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + table_plane_size); + fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 2, cgv); break; case 24: case 48: - c->yuvTable = av_malloc(1024); + ALLOC_YUV_TABLE(table_plane_size); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { y_table[i] = av_clip_uint8((yb + 0x8000) >> 16); yb += cy; } @@ -891,20 +896,20 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], needAlpha = CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat); if (!needAlpha) abase = (base + 24) & 31; - c->yuvTable = av_malloc(1024 * 3 * 4); + ALLOC_YUV_TABLE(table_plane_size * 3 * 4); y_table32 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { unsigned yval = av_clip_uint8((yb + 0x8000) >> 16); y_table32[i] = (yval << rbase) + (needAlpha ? 0 : (255u << abase)); - y_table32[i + 1024] = yval << gbase; - y_table32[i + 2048] = yval << bbase; + y_table32[i + table_plane_size] = yval << gbase; + y_table32[i + 2*table_plane_size] = yval << bbase; yb += cy; } fill_table(c->table_rV, 4, crv, y_table32 + yoffs); - fill_table(c->table_gU, 4, cgu, y_table32 + yoffs + 1024); - fill_table(c->table_bU, 4, cbu, y_table32 + yoffs + 2048); + fill_table(c->table_gU, 4, cgu, y_table32 + yoffs + table_plane_size); + fill_table(c->table_bU, 4, cbu, y_table32 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 4, cgv); break; default: diff --git a/tests/fate-run.sh b/tests/fate-run.sh index 7fe7e7495e..e3b1b5efba 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh @@ -38,11 +38,11 @@ target_path(){ # $1=value1, $2=value2, $3=threshold # prints 0 if absolute difference between value1 and value2 is <= threshold compare(){ - echo "scale=2; v = $1 - $2; if (v < 0) v = -v; if (v > $3) r = 1; r" | bc + awk "BEGIN { v = $1 - $2; printf ((v < 0 ? -v : v) > $3) }" } do_tiny_psnr(){ - psnr=$(tests/tiny_psnr "$1" "$2" $cmp_unit $cmp_shift 0) + psnr=$(tests/tiny_psnr "$1" "$2" $cmp_unit $cmp_shift 0) || return 1 val=$(expr "$psnr" : ".*$3: *\([0-9.]*\)") size1=$(expr "$psnr" : '.*bytes: *\([0-9]*\)') size2=$(expr "$psnr" : '.*bytes:[ 0-9]*/ *\([0-9]*\)') @@ -197,12 +197,14 @@ pixfmts(){ $showfiltfmts $filter | awk -F '[ \r]' '/^INPUT/{ fmt=substr($3, 5); print fmt }' | sort >$in_fmts pix_fmts=$(comm -12 $scale_exclude_fmts $in_fmts) + outertest=$test for pix_fmt in $pix_fmts; do test=$pix_fmt video_filter "${prefilter_chain}format=$pix_fmt,$filter=$filter_args" -pix_fmt $pix_fmt done rm $in_fmts $scale_in_fmts $scale_out_fmts $scale_exclude_fmts + test=$outertest } mkdir -p "$outdir" @@ -248,6 +250,7 @@ if test $err = 0; then rm -f $outfile $errfile $cmpfile $cleanfiles elif test $gen = "no"; then echo "Test $test failed. Look at $errfile for details." + test "${V:-0}" -gt 0 && cat $errfile else echo "Updating reference failed, possibly no output file was generated." fi diff --git a/tests/fate.sh b/tests/fate.sh index 5a78018b42..b55d87efc0 100755 --- a/tests/fate.sh +++ b/tests/fate.sh @@ -83,8 +83,7 @@ clean(){ report(){ date=$(date -u +%Y%m%d%H%M%S) - echo "fate:0:${date}:${slot}:${version}:$1:$2:${comment}" >report -# echo "fate:1:${date}:${slot}:${version}:$1:$2:${branch}:${comment}" >report + echo "fate:1:${date}:${slot}:${version}:$1:$2:${branch}:${comment}" >report cat ${build}/config.fate >>report cat ${build}/tests/data/fate/*.rep >>report || for i in ${build}/tests/data/fate/*.rep ; do cat "$i" >>report ; done test -n "$fate_recv" && $tar report *.log | gzip | $fate_recv diff --git a/tests/fate/acodec.mak b/tests/fate/acodec.mak index 325bbd9e32..37fc688730 100644 --- a/tests/fate/acodec.mak +++ b/tests/fate/acodec.mak @@ -103,7 +103,7 @@ fate-acodec-dca: tests/data/asynth-44100-2.wav fate-acodec-dca: SRC = tests/data/asynth-44100-2.wav fate-acodec-dca: CMD = md5 -i $(TARGET_PATH)/$(SRC) -c:a dca -strict -2 -f dts -flags +bitexact fate-acodec-dca: CMP = oneline -fate-acodec-dca: REF = fe28cef432ed88de4ee01b87537fd2bd +fate-acodec-dca: REF = c54ca9a13711755ef90fa143a9b38386 FATE_ACODEC-$(call ENCDEC, DCA, WAV) += fate-acodec-dca2 fate-acodec-dca2: CMD = enc_dec_pcm dts wav s16le $(SRC) -c:a dca -strict -2 -flags +bitexact diff --git a/tests/ref/fate/cdxl-bitline-ham6 b/tests/ref/fate/cdxl-bitline-ham6 index 8060f06024..9ba7404b71 100644 --- a/tests/ref/fate/cdxl-bitline-ham6 +++ b/tests/ref/fate/cdxl-bitline-ham6 @@ -1,4 +1,4 @@ -#tb 0: 12/601 +#tb 0: 1/50 0, 0, 0, 1, 63180, 0xcda82c16 0, 1, 1, 1, 63180, 0xa6097bf9 0, 2, 2, 1, 63180, 0x4c2fb091 diff --git a/tests/ref/fate/cdxl-ham8 b/tests/ref/fate/cdxl-ham8 index 269f1f30cf..1eebea37c7 100644 --- a/tests/ref/fate/cdxl-ham8 +++ b/tests/ref/fate/cdxl-ham8 @@ -1,2 +1,2 @@ -#tb 0: 3/158 +#tb 0: 12/281 0, 0, 0, 1, 67584, 0xce0cade5 diff --git a/tests/ref/fate/cdxl-pal8 b/tests/ref/fate/cdxl-pal8 index 82d4d634c7..b2fb04518e 100644 --- a/tests/ref/fate/cdxl-pal8 +++ b/tests/ref/fate/cdxl-pal8 @@ -1,4 +1,4 @@ -#tb 0: 12/601 +#tb 0: 1/50 0, 0, 0, 1, 67584, 0x5eae629b 0, 1, 1, 1, 67584, 0x32591227 0, 2, 2, 1, 67584, 0x4e4424c7 diff --git a/tests/ref/fate/exif-image-tiff b/tests/ref/fate/exif-image-tiff index 515e3f186d..2b10529a08 100644 --- a/tests/ref/fate/exif-image-tiff +++ b/tests/ref/fate/exif-image-tiff @@ -9,7 +9,7 @@ best_effort_timestamp=0 best_effort_timestamp_time=0.000000 pkt_duration=1 pkt_duration_time=0.040000 -pkt_pos=N/A +pkt_pos=0 pkt_size=67604 width=200 height=112 diff --git a/tests/ref/fate/exif-image-webp b/tests/ref/fate/exif-image-webp index d83feb2b59..88e3c82923 100644 --- a/tests/ref/fate/exif-image-webp +++ b/tests/ref/fate/exif-image-webp @@ -9,7 +9,7 @@ best_effort_timestamp=0 best_effort_timestamp_time=0.000000 pkt_duration=1 pkt_duration_time=0.040000 -pkt_pos=N/A +pkt_pos=0 pkt_size=39276 width=400 height=225 diff --git a/tests/ref/fate/filter-framepack-frameseq b/tests/ref/fate/filter-framepack-frameseq index c3d2a15e8e..83c08a0324 100644 --- a/tests/ref/fate/filter-framepack-frameseq +++ b/tests/ref/fate/filter-framepack-frameseq @@ -1,16 +1,16 @@ -#tb 0: 1/25 +#tb 0: 1/50 0, 0, 0, 1, 152064, 0x05b789ef 0, 1, 1, 1, 152064, 0x05b789ef 0, 2, 2, 1, 152064, 0x4bb46551 -0, 3, 3, 1, 152064, 0x9dddf64a -0, 4, 4, 1, 152064, 0x2a8380b0 -0, 5, 5, 1, 152064, 0x4de3b652 -0, 6, 6, 1, 152064, 0xedb5a8e6 -0, 7, 7, 1, 152064, 0xe20f7c23 -0, 8, 8, 1, 152064, 0x5ab58bac -0, 9, 9, 1, 152064, 0x1f1b8026 -0, 10, 10, 1, 152064, 0x91373915 -0, 11, 11, 1, 152064, 0x02344760 -0, 12, 12, 1, 152064, 0x30f5fcd5 -0, 13, 13, 1, 152064, 0xc711ad61 -0, 14, 14, 1, 152064, 0x24eca223 +0, 3, 3, 1, 152064, 0x4bb46551 +0, 4, 4, 1, 152064, 0x9dddf64a +0, 5, 5, 1, 152064, 0x9dddf64a +0, 6, 6, 1, 152064, 0x2a8380b0 +0, 7, 7, 1, 152064, 0x2a8380b0 +0, 8, 8, 1, 152064, 0x4de3b652 +0, 9, 9, 1, 152064, 0x4de3b652 +0, 10, 10, 1, 152064, 0xedb5a8e6 +0, 11, 11, 1, 152064, 0xedb5a8e6 +0, 12, 12, 1, 152064, 0xe20f7c23 +0, 13, 13, 1, 152064, 0xe20f7c23 +0, 14, 14, 1, 152064, 0x5ab58bac diff --git a/tests/ref/fate/filter-pp3 b/tests/ref/fate/filter-pp3 index 00d4595f37..c2f2b4cb16 100644 --- a/tests/ref/fate/filter-pp3 +++ b/tests/ref/fate/filter-pp3 @@ -1 +1 @@ -pp3 f38fdc2dfa4c8d889918efe6d7a7ac3a +pp3 ef0f10f1859af2f75717e8c9d64ee38a diff --git a/tests/ref/fate/gifenc-bgr8 b/tests/ref/fate/gifenc-bgr8 index 9f4a593f4d..f3b7772785 100644 --- a/tests/ref/fate/gifenc-bgr8 +++ b/tests/ref/fate/gifenc-bgr8 @@ -35,15 +35,15 @@ 0, 33, 33, 1, 4295, 0xf71b0b38, S=1, 1024, 0xf351799f 0, 34, 34, 1, 2044, 0x5adcb93b, S=1, 1024, 0xf351799f 0, 35, 35, 1, 3212, 0xcf79eeed, S=1, 1024, 0xf351799f -0, 36, 36, 1, 2281, 0x68464d30, S=1, 1024, 0xf351799f +0, 36, 36, 1, 2292, 0xb4386334, S=1, 1024, 0xf351799f 0, 37, 37, 1, 3633, 0x0010992f, S=1, 1024, 0xf351799f 0, 38, 38, 1, 3552, 0x23697490, S=1, 1024, 0xf351799f 0, 39, 39, 1, 3690, 0x62afdbb8, S=1, 1024, 0xf351799f -0, 40, 40, 1, 1558, 0x7a13e53b, S=1, 1024, 0xf351799f -0, 41, 41, 1, 940, 0xb1b6cba2, S=1, 1024, 0xf351799f +0, 40, 40, 1, 1559, 0x5baef54a, S=1, 1024, 0xf351799f +0, 41, 41, 1, 954, 0xca75ca79, S=1, 1024, 0xf351799f 0, 42, 42, 1, 273, 0x3687799b, S=1, 1024, 0xf351799f 0, 43, 43, 1, 930, 0x29f3b0c4, S=1, 1024, 0xf351799f -0, 44, 44, 1, 271, 0xe7af807c, S=1, 1024, 0xf351799f +0, 44, 44, 1, 271, 0x305e8094, S=1, 1024, 0xf351799f 0, 45, 45, 1, 196, 0xf5ab51ee, S=1, 1024, 0xf351799f 0, 46, 46, 1, 4299, 0x67ec0d55, S=1, 1024, 0xf351799f 0, 47, 47, 1, 4895, 0xb394406c, S=1, 1024, 0xf351799f @@ -56,7 +56,7 @@ 0, 54, 54, 1, 5179, 0x860fc6a1, S=1, 1024, 0xf351799f 0, 55, 55, 1, 5046, 0xce9183d3, S=1, 1024, 0xf351799f 0, 56, 56, 1, 5140, 0xa6d7b9af, S=1, 1024, 0xf351799f -0, 57, 57, 1, 4289, 0xb415f717, S=1, 1024, 0xf351799f +0, 57, 57, 1, 4301, 0x03b6ef3f, S=1, 1024, 0xf351799f 0, 58, 58, 1, 5079, 0xa8d59e01, S=1, 1024, 0xf351799f 0, 59, 59, 1, 5284, 0xea34e3b3, S=1, 1024, 0xf351799f 0, 60, 60, 1, 5426, 0x556a15cd, S=1, 1024, 0xf351799f diff --git a/tests/ref/fate/gifenc-rgb8 b/tests/ref/fate/gifenc-rgb8 index a894173225..d1a990d07e 100644 --- a/tests/ref/fate/gifenc-rgb8 +++ b/tests/ref/fate/gifenc-rgb8 @@ -35,15 +35,15 @@ 0, 33, 33, 1, 4295, 0xc1850a80, S=1, 1024, 0xcfc8799f 0, 34, 34, 1, 2044, 0x0440c072, S=1, 1024, 0xcfc8799f 0, 35, 35, 1, 3212, 0xe91af08f, S=1, 1024, 0xcfc8799f -0, 36, 36, 1, 2281, 0x6a414aa1, S=1, 1024, 0xcfc8799f +0, 36, 36, 1, 2292, 0x6765633e, S=1, 1024, 0xcfc8799f 0, 37, 37, 1, 3633, 0xac779aa3, S=1, 1024, 0xcfc8799f 0, 38, 38, 1, 3552, 0xed2c75b2, S=1, 1024, 0xcfc8799f 0, 39, 39, 1, 3690, 0x2020dd0d, S=1, 1024, 0xcfc8799f -0, 40, 40, 1, 1558, 0x2c14e4b2, S=1, 1024, 0xcfc8799f -0, 41, 41, 1, 940, 0x4927cd90, S=1, 1024, 0xcfc8799f +0, 40, 40, 1, 1559, 0x596ef330, S=1, 1024, 0xcfc8799f +0, 41, 41, 1, 954, 0xac12c9c5, S=1, 1024, 0xcfc8799f 0, 42, 42, 1, 273, 0x138c7831, S=1, 1024, 0xcfc8799f 0, 43, 43, 1, 930, 0xf1c3ae3f, S=1, 1024, 0xcfc8799f -0, 44, 44, 1, 271, 0x6d338044, S=1, 1024, 0xcfc8799f +0, 44, 44, 1, 271, 0x921a80af, S=1, 1024, 0xcfc8799f 0, 45, 45, 1, 196, 0xa5de5322, S=1, 1024, 0xcfc8799f 0, 46, 46, 1, 4299, 0x5bac0d86, S=1, 1024, 0xcfc8799f 0, 47, 47, 1, 4895, 0xc43639a6, S=1, 1024, 0xcfc8799f @@ -56,7 +56,7 @@ 0, 54, 54, 1, 5179, 0x97aac3a1, S=1, 1024, 0xcfc8799f 0, 55, 55, 1, 5046, 0x836a80cd, S=1, 1024, 0xcfc8799f 0, 56, 56, 1, 5140, 0xa725c1e7, S=1, 1024, 0xcfc8799f -0, 57, 57, 1, 4289, 0x7b3afbc0, S=1, 1024, 0xcfc8799f +0, 57, 57, 1, 4301, 0x0203f239, S=1, 1024, 0xcfc8799f 0, 58, 58, 1, 5079, 0xb2e7a2de, S=1, 1024, 0xcfc8799f 0, 59, 59, 1, 5284, 0xb757dfe1, S=1, 1024, 0xcfc8799f 0, 60, 60, 1, 5426, 0xf9f11e57, S=1, 1024, 0xcfc8799f diff --git a/tests/ref/fate/png-ya16 b/tests/ref/fate/png-ya16 index 07906c4a70..dffdaf7038 100644 --- a/tests/ref/fate/png-ya16 +++ b/tests/ref/fate/png-ya16 @@ -1,2 +1,2 @@ #tb 0: 1/25 -0, 0, 0, 1, 49152, 0x93ce1cd5 +0, 0, 0, 1, 49152, 0x0801ce78 diff --git a/tests/ref/fate/png-ya8 b/tests/ref/fate/png-ya8 index 3a5c99d9eb..1318af80c6 100644 --- a/tests/ref/fate/png-ya8 +++ b/tests/ref/fate/png-ya8 @@ -1,2 +1,2 @@ #tb 0: 1/25 -0, 0, 0, 1, 49152, 0xed73bf03 +0, 0, 0, 1, 49152, 0x5a1481f8 diff --git a/tests/ref/fate/vcr2 b/tests/ref/fate/vcr2 index 521e55fd04..f7e1540b33 100644 --- a/tests/ref/fate/vcr2 +++ b/tests/ref/fate/vcr2 @@ -1,4 +1,4 @@ -#tb 0: 16701/250000 +#tb 0: 1001/15000 0, 0, 0, 1, 38016, 0x50e93e0d 0, 1, 1, 1, 38016, 0x6ac8627d 0, 2, 2, 1, 38016, 0x6f38661e diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 0e601ba811..f044567fd9 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -245,4 +245,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xedcff050 +0, 246, 246, 1, 233472, 0xbf73f1b7 diff --git a/tests/ref/seek/vsynth2-asv1 b/tests/ref/seek/vsynth2-asv1 index 5873bb17b7..e2556a7459 100644 --- a/tests/ref/seek/vsynth2-asv1 +++ b/tests/ref/seek/vsynth2-asv1 @@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12152 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12152 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 776840 size: 18256 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 643344 size: 15064 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 305352 size: 16180 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 255232 size: 13312 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 595448 size: 17980 +ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 493584 size: 14796 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 135516 size: 14868 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 114852 size: 12356 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 404100 size: 16856 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 336180 size: 13824 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12152 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 813396 size: 18296 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 673504 size: 15104 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 704136 size: 18140 +ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 583312 size: 14956 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos: 241764 size: 15736 +ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos: 202872 size: 12944 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12152 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 813396 size: 18296 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 673504 size: 15104 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 524488 size: 17548 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 435128 size: 14488 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 77020 size: 14496 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 65864 size: 12144 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12152 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 813396 size: 18296 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 673504 size: 15104 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 337808 size: 16388 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 281884 size: 13412 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 631584 size: 18188 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 523324 size: 14972 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 180212 size: 15168 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 152056 size: 12540 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-asv2 b/tests/ref/seek/vsynth2-asv2 index 7d37b7ac06..cd99c45ac7 100644 --- a/tests/ref/seek/vsynth2-asv2 +++ b/tests/ref/seek/vsynth2-asv2 @@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12072 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12072 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 736152 size: 17340 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 630028 size: 14892 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 289708 size: 15300 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 248836 size: 13024 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 564140 size: 17016 +ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 482700 size: 14532 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 128564 size: 14052 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 111600 size: 12016 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 383244 size: 15896 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 328252 size: 13532 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12072 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 770852 size: 17400 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 659848 size: 14928 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 667016 size: 17172 +ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 570784 size: 14712 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos: 229388 size: 14956 +ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos: 197536 size: 12724 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12072 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 770852 size: 17400 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 659848 size: 14928 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 496932 size: 16564 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 425316 size: 14116 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 73176 size: 13664 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 64104 size: 11780 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12072 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 770852 size: 17400 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 659848 size: 14928 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 320444 size: 15592 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 274964 size: 13176 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 598288 size: 17180 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 511944 size: 14668 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 171012 size: 14392 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 147820 size: 12240 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/vsynth/vsynth1-asv1 b/tests/ref/vsynth/vsynth1-asv1 index b450f0eacf..445197ac7e 100644 --- a/tests/ref/vsynth/vsynth1-asv1 +++ b/tests/ref/vsynth/vsynth1-asv1 @@ -1,4 +1,4 @@ -992195272b94d8779b6216030b85ae18 *tests/data/fate/vsynth1-asv1.avi -1489644 tests/data/fate/vsynth1-asv1.avi -2dfc5dfc2c1cbbc2543257cd3d2df6af *tests/data/fate/vsynth1-asv1.out.rawvideo -stddev: 20.00 PSNR: 22.11 MAXDIFF: 158 bytes: 7603200/ 7603200 +f446db5dfd6bcc14378bca9406e39adb *tests/data/fate/vsynth1-asv1.avi +1298616 tests/data/fate/vsynth1-asv1.avi +a4f95c58e8b9258da52b9d09153b1078 *tests/data/fate/vsynth1-asv1.out.rawvideo +stddev: 11.89 PSNR: 26.62 MAXDIFF: 132 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth1-asv2 b/tests/ref/vsynth/vsynth1-asv2 index 7bc1a0d530..225712e4ed 100644 --- a/tests/ref/vsynth/vsynth1-asv2 +++ b/tests/ref/vsynth/vsynth1-asv2 @@ -1,4 +1,4 @@ -1e589b4dd70c4a8a7dbf4a466bab31ae *tests/data/fate/vsynth1-asv2.avi -1456044 tests/data/fate/vsynth1-asv2.avi -d451be09793cd0f35b6d91fc36e2571a *tests/data/fate/vsynth1-asv2.out.rawvideo -stddev: 18.82 PSNR: 22.63 MAXDIFF: 131 bytes: 7603200/ 7603200 +06b7b65686a1eb03d43f25e179c03872 *tests/data/fate/vsynth1-asv2.avi +1434408 tests/data/fate/vsynth1-asv2.avi +cb1f5560005800e889bfbb36cdc9fc40 *tests/data/fate/vsynth1-asv2.out.rawvideo +stddev: 8.36 PSNR: 29.68 MAXDIFF: 58 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-asv1 b/tests/ref/vsynth/vsynth2-asv1 index 01fd2bf05e..78118887a7 100644 --- a/tests/ref/vsynth/vsynth2-asv1 +++ b/tests/ref/vsynth/vsynth2-asv1 @@ -1,4 +1,4 @@ -9218843465c3396e9b078e63ce7ba17e *tests/data/fate/vsynth2-asv1.avi -832500 tests/data/fate/vsynth2-asv1.avi -c96ff7fd17c52f99ddb7922a4cb9168f *tests/data/fate/vsynth2-asv1.out.rawvideo -stddev: 10.47 PSNR: 27.73 MAXDIFF: 98 bytes: 7603200/ 7603200 +bffe7188b4b5c3ff76c75561d0bebd77 *tests/data/fate/vsynth2-asv1.avi +689416 tests/data/fate/vsynth2-asv1.avi +a7cdefad200f48ab308c746461a8792e *tests/data/fate/vsynth2-asv1.out.rawvideo +stddev: 5.07 PSNR: 34.03 MAXDIFF: 70 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-asv2 b/tests/ref/vsynth/vsynth2-asv2 index c66f056107..617a77fb8d 100644 --- a/tests/ref/vsynth/vsynth2-asv2 +++ b/tests/ref/vsynth/vsynth2-asv2 @@ -1,4 +1,4 @@ -065323f9873c367dd1e371fa47657ae4 *tests/data/fate/vsynth2-asv2.avi -789060 tests/data/fate/vsynth2-asv2.avi -74a78015b64b2cf8cb9da2e44f508a69 *tests/data/fate/vsynth2-asv2.out.rawvideo -stddev: 10.28 PSNR: 27.89 MAXDIFF: 95 bytes: 7603200/ 7603200 +f8c3b9899bbd9545757fac0c7ecf4e34 *tests/data/fate/vsynth2-asv2.avi +675584 tests/data/fate/vsynth2-asv2.avi +5990db66c7ac0bbe2f98ec2770c1bf3b *tests/data/fate/vsynth2-asv2.out.rawvideo +stddev: 4.57 PSNR: 34.93 MAXDIFF: 47 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth3-asv1 b/tests/ref/vsynth/vsynth3-asv1 index fd5f82dc69..8486b040f8 100644 --- a/tests/ref/vsynth/vsynth3-asv1 +++ b/tests/ref/vsynth/vsynth3-asv1 @@ -1,4 +1,4 @@ -43c51aa52666de02dfa49fd1c10a558f *tests/data/fate/vsynth3-asv1.avi -36664 tests/data/fate/vsynth3-asv1.avi -fd156079afc2753dde7d6a8418b2a25a *tests/data/fate/vsynth3-asv1.out.rawvideo -stddev: 21.25 PSNR: 21.58 MAXDIFF: 122 bytes: 86700/ 86700 +642c88813798d857d236f21bb36d8783 *tests/data/fate/vsynth3-asv1.avi +34700 tests/data/fate/vsynth3-asv1.avi +3c8636e22a96267451684f42d7a6f608 *tests/data/fate/vsynth3-asv1.out.rawvideo +stddev: 13.16 PSNR: 25.74 MAXDIFF: 112 bytes: 86700/ 86700 diff --git a/tests/ref/vsynth/vsynth3-asv2 b/tests/ref/vsynth/vsynth3-asv2 index 360bb07203..2a5d23bb96 100644 --- a/tests/ref/vsynth/vsynth3-asv2 +++ b/tests/ref/vsynth/vsynth3-asv2 @@ -1,4 +1,4 @@ -8958facfc4853267ece3b7868df80229 *tests/data/fate/vsynth3-asv2.avi -35620 tests/data/fate/vsynth3-asv2.avi -ff711d6341966f03ee32b73ae22493ed *tests/data/fate/vsynth3-asv2.out.rawvideo -stddev: 19.98 PSNR: 22.12 MAXDIFF: 113 bytes: 86700/ 86700 +45f865e3d1cac1ef59ae4689f41dead5 *tests/data/fate/vsynth3-asv2.avi +36204 tests/data/fate/vsynth3-asv2.avi +5469c0735b7c9279e5e8e3439fc6acab *tests/data/fate/vsynth3-asv2.out.rawvideo +stddev: 9.07 PSNR: 28.97 MAXDIFF: 51 bytes: 86700/ 86700 diff --git a/tests/reference.pnm b/tests/reference.pnm new file mode 100644 index 0000000000..e81bd7c2ef --- /dev/null +++ b/tests/reference.pnm @@ -0,0 +1,696 @@ +P6 +# CREATOR: GIMP PNM Filter Version 1.1 +256 256 +255 +ҸܼὟ澟庞輟齟䷛麝縘跘崒淒縗齇ޯ鵐££ĥǫȬɭȭˮ˭˭ˬ̮ͭΰϰгαͭͲѵͲͯ˫ʪȨ˪ˮɩǥǦƤĢĢţţġàŸ辛羛澙翛众彙⼘ỗ俛àģŤᾚ߼⿝ĢǥǥŤǧƥǥȦɧͫϭ˩ȣǢȤʣɠššƢƣƣŸáŠɤʥɢ˥ȟȞʡϧΨ˥ƠȢƝ̣ϨѫҭΩѫӬٲعӵ̦պkh8P"JHKEDz?w;|B}E!Y3~iCtVy\oMtcH[M8A9,"    + + + + + +   + + +  +     +   +        +      + +    + +  yϧ佢ᷙ缞澜幛庙蹘涔蹗黙巐缕͚᳆뷐¤èèƩƪǩȪͮίͮͮϰϯϰгҲή̬ϰήͭάͬ˩ɧɧɦɧɧǦäâŦä¢龜辜优会㻘伙鿠忝⾜ὛţŢǤƢƦƦȥ̪Ϊά̪ȥǤɥɥȡǠǢàŠġšĠšȣȣɤɣȣȟɢ̦ͥ˥ĚĜǠɠͦҬЪϪ̦Ҭײ޿ղұˣ׻onAT*JLO#HD~D|?wAzN,|\5}fDwlNt_A_Q6?9%$     + + + + + + + + + + + + + + + + + +   + + +    +  +    + +  + + + +  + + + + +    +   +  + \D.dK1}^Ffǟ~Ϥ߳ᶗ߳ⵖ渕幙给꽗默軖ϛ乍빓Ħǫɭɭɭ̱̬ͬϯήίдϲѳѳв̮̭ΰͮ˭ˬ̪ȥǥƢŦƣšĠžŸž漝㽜仗⻗依忝俛㿝Ἓᾜ ƢŸġâƥǦ˩ʧ˨ͫɣɤ̨ʥɠʣžƟŝŝĝğÛƢƣȟŚƞǠǡ̤̣ǟژěȟˣΧͧΦΧЪӮ۹߾޼ڷӰѬ̤ؾžquG]2S Q$Q#L$H&}C~D{E"|Q0vX4o];bU4J?$3(   + + + + + +  + + + + + +  + + +           +  +     +   +      +    bJ5iK8gO9gKv]ouԧթۮݱ幔底缘躙꺕Т乒깑캘츚¥æĨãȦʨɧ˨̬Ϯϯͭаѳίίϰг̯αΰ˭ȩʫˬȧȩĢàĥŤž侞⼘㾛庛⼛⼜侞ἚນỚ༙⿜šğĠǣǤ˨˩ȤɥȦǥʤˣȢǤşǠƝĜƝɣɡȡȠÚěǟɢʠǙÙտĘǛˡˢ̣ˣɟˢͤӰֱձԯѭϩʥٿǡq{Ld6]+V+Q)I"H%~D|CO2R6vR3N?%80  +  + + +  + + + + + +   + + +       +   +    + + +   +  +  +    +  + iQ:gN5qXvW<^F,7,  +    + + + + + + + + + + + + + + + + + +        +         + + + +    +   +           kX@yaCzXyhCrOxܴݶӪܲ余归㹔ḕޭ֣תۮ 츛츖ãžƦɨ˩̪ͮίϰͮϰϱѳΰ̭ϭίͰͭͮˬ˫̫˫ɨťģƦ¡伜⽛㽜߹߹ݺ޸὚ཛŸŸ ĠǣĠŢǤǣšǣƜȣƟǢȥɤȢȢȤşƞɡʡʢǠØĘƙțɜÖվÚŝȠʠǠŜŜȢɣ˥ˣ̥Ψ̦˦ØѰhtHa0V)M"EH$U1hAmIw_CTH'*!  +    + + + + + + + + +         + + +                 +  +     +  +       ĪīԾϮίҽӻӺɫ¡ͬཝحР{Ѧ֬滛켠뻞쾣콢칟츛츜최붚컘ġĠǧƦȨʪɪʫ˫ʬίΰαͯϱήϱвαΰϯ̭̭˫ɨɩȨŤ¢ã從俚⼜ߺݹ޶໖⿙⿚žġġťȥĠġġšȠǣȤ˥ɢǤĠŜƞŞɣ̨ɢĝĘƞśǚƙտֽşŜśŝĚĜ›ĝȡǡȟȡȟˤǞѲ_tF\-R)HH Q(iC_ZmMUL/&!   + +   + + +        +  + + +   + + +                     + + # )&4/A=0ʲҷӹΰĨȫȩ㿡ժȦã¤๙ȞxǝyҦ縞黝껝뻞켟뼞콡뻞뺝컟컟춛뵗춝쵝쵕추뵖츚칙캖켜ĥȪƨǧɩǨȪɪǨȩʭ˭̮ʬͮ˯ΰͮί̫ͯ˩ʩɧȦɧȦģŠğ俜໖߹ܷỖᾙབྷ߼ᾙ࿛ġĠƢƤţƤĢġġǢƢǣŠǟƢŝÛǠȟ˥ɧȠƟÛĜŜǚ•پؽÚĝĝĜÞپœšŞĚƜěȠˡƚϱZb:U2N)K$M)a@}Tcgz[VO/'# +   + +                  +    + + + + +              !#!0.'@>/OL;]\PolYox²ӮյƩŧٿؾٷ޺ΦЧΦү̪ձ۷ǠznȘu䳘麦黠꺟鹢꺠鸜깜麛뺟鸜鶙츙췙괘궙뵚괘봖괖뵗봔鲓굔鷔뺙뺝áǥƤƤáŤãťŦƧŧǨŦƦâǧȧʪ̭ʪɨŤʩŦ˩ǦǥƤŤƣŢá¡ཚ῜ຘ⾝߼߼޻߼߾៹šǥţĠŢġƢĠÞšĝÜÙɢȢ˧ɣǟŗƙŚ×•սÚĚÚؽœ—ÝĚÜƜڿŧw}NZ)zH~L'N&\;sPgmqe^U4-+  + + +                +         +  +  + + +  + + + + + + + + + +        +    $&%*)63<9!PL:]XEmkTxsesyʱѿǦħ׺ɪţťھָնӱӮظȨ~ǩĤ{qnŔsӣգݪݭ௜ᬘᲡⱘಜ䴜௒ఔⳘ㲙㱓泔嬎寐箏诐鱔譍篑篒곕괗鶕뻘Ƥåũţ濡弚鿡连¢ĥĤãĤŤŤğġġ⾙⿚߼὘߼ݺܹ޽ݽ࿛áĢţĤßšĞġŞŠŸÜơȡɣʦȢšŜĜÙֿֿ׾̙šœտսվ›ؿ•պki>|R&uEyK(Y9jO[k{vjg]::1 +      +    +  +         +  +      + + + + + + +  + + + + +  +      ! ""/+?:*ED8QK2XVBkhTxrYerʻ벚ŦȨ̬ԹʭǩƩؿٻԵѭѯͬǩzsoǑtɑqgu~}Ñ|Ė|ș|ȗ|ə~̜ɘx͚ӛқ{ܥߨ৆㪌⨊㪊䬑䮔毓贘콠£ä輚缛辜輛纙迟迣ƫŸ廛ݲᴙ೗ۮܰگݱܯۯܱܲݲߵ໗Ἓ俞忙⿗⿚߼㿚ᾙབྷ߼߻ۺܻۼܼܻ߼޾ܾßœۿĞƠɣǠƞĜٖ׿־ջѹӼӼٿڿ׿տԼֺۿԽٿ›־βbj>vP%yR(b?mJ_j|rtiFE:     +                   +   + + +   + + + + + + + + + +   + + + +  +    *'75$;9)KG0RM8\YElfNys]~lɿɷν澢ĢǧίαʭɬħֽѲʩɥzȦzϫȪrÞx̐juЏkc@&cE2oN5uS?}YH}]H~^I`LeSgOnSlNoXmPsWvZi͔Ԝ~֛}֜۞~ڡ|۠ܡޤ~䩋贘麘꼞㲓嵔㲑䴕涘嵖鿟溕߰ݬ֥ۨӤҟ̙{ΚΘϚϝПϝѠӢ֨٬گڰڲ۱ڳܴ۶ܸڷݸܷڷ׵׵׶ش״ֵغعڸطָԵԵѲշҳӴѲٺŢپּӼԹиηȲé®Ʈ̱ѸպһҺҹպӼ׾ԽսؽؼպʮnoC|b8fBqOUh{svZUL-.' (! +"& +'#" !   +                   + +  + + + + +  + + + +    + )&/+:7"DC0LG5XTC\[IjiXyrb{muwıȱҾὟäͰͮǦɫȣۿԵΰϭ԰~׬}ͩ|Ǣr׭s׆قŠJ8  *.!/ 2#?-T8$mE3yA,y>&A3E0T>lXkΏv̍qˏrΒtϒtԗ|ҔwҖuכ{ইݨ٧أۥ٧ܪڧ૑ᮎⳍݬئפϛyʖtƑqÏpŽoj‹kčmÌlŏmÍjƑoƑoɓnʖq̙zɘp˝~˝~˟}͡}ˤȨЧͥѩΨϫʨͪϨϨɣȡʥƥ¡¢~{~x{uu}ǩʬͲū{}~rmwv}ŮɳȲʳ϶ежӼеиѸƯp~PxMzO]gu{wzXujIqfHwjI}rZ}r_xpTkcFdZ?RL1C@#61*'    +   +  +      +    +     "#*)!,,!31"?;%IB,NM3]YBjbHulS}gk{ȾdzȳйáäŤáţپѴġͨş׸аЮҬ}ܭڡtqˆE:   + +  +  9)X:(i8"n3p1y3!A.bN~dˋx͎xΎtʌtˎs̍t͎s̎pΒsАuӗ{іxГuәљ}ә}՜՝؟֟֞И{ϖxƎrÌpdccdeˆjkhecgfijjlonmuuqtsptu}vpmjbafbc~`|X|Z~]Z~[\ozsqroqrtlc`^gkvƭǯǮéwjkqqx|ŷ;ŨѼѻ̷ͷտ¤ħƬ˷ow[i`JTN8A8.)   +  + +   (%2.10 92 MG2TRA][NkjYusX|cxy}ŻкĢâààšЭճʥԸͯίשxr͑inJB#  +   A4 _G;nN?k<(r4$v4%=,`NdɉrɌrȋpʋrɊqȊpȊoňlNJnˏsȋnɉlɊǒr̍pΏȕrϒtғzГzГyѕzˍtƈohedegijefa]``_a`bfcioijbdbe}^fx]xZu[tXlRnThGgI{eHzcC~hLzgIzeFzeF~mL~jJrQ}_`ejfehf]}XxRzU|X_gorwwuu||z{}zywwyʻѿȨϯѲؽڼܿʭntTf_FA< (&   % 6.JC1bY>mcHxnTiu}îǰкĢġˬѳүѯЬȟᾆw翄ݚuk_R*! I:2qULx]GvNi[?j\?pbDr`BsfJ{nP~rSvVzW~]\c`]^{YzXyWyX]`jovosnnnnpty{x}{Ѯ߾۽ܽٺۻٹֵ׷Բմָڿٿͳpey\oO~_ư ǥç弜ڤۖtRZ:ZIwӅkd֥}BbEh3#     MA5zfYxfhUxJ9l3 p4%K>jWjÃll„mme~fih}ef}e|`z_gkjnhnilg|cz_uYv]x`vZx^w_t_sYmRpVtZqVvZvYsWrVqSpVjPjFhDydFt`Al_@eX7dV8`S4_Q6dU:_P6`R6aS7bT8dW;eW;eV:fX;i]=n_Co`FmaBseHveExiJ{mO~qSsTzZ^Zce_Z}\xXwRxU`cjluwtpnmorvwww~zϼؾ޿ܾܽܽ޿ڻڻٺ׷ٹں޿ؼѳ̱³ö˿ֽ欘˞ÏrjiJRANEG1\DF3gvLiլⴄ]C}4* +   PB3ziY{noavK7g2 i0 E5bJ{djf|a|c{cxazcx_|du\u]v[v\w]{`z`|cz^y`w]y]u\t\rWnTrZpWjQiOjNkOeIeHjOgMhIhGhMjMiJfJdHz_Er\?n^?cU6cV6`Q6_R6`S8bS9aR:aS:bT:bT;aS9dU=fXhY>jZ@p]Cp^Cp^DpbGseIwiJxhG|pQrQrNuRZ^gaa_|[sNtQwV}[hjlotonjkrsoolvIJȦӻպzzirh]WC+K@B5M:T=K<㺆NW9qRiǎ㺖VB5.  +I<-vfWqpe{Q=b2a,yA0\FnYzcycy_xau_r]t`u`q^p]q]q]mYo\oYv]pZqZoZqaq[r[kXjUiVcLcFbHcGbGcGbF`D`EbF`?a@y[;tZ8yb?t^?q_Bo\?fU8cR3cQ6bR7`Q5`Q5bR;eTn\?mZ?dS7dU9iX;gT:iVnZCo[Bq_Eq\Cn\AsaDubHufGweI{mP|kM~pSrUtTvVxTyV]^]^\}XyUzQ}SZ\bc`^cd`c\`]_^yɤSJMCE9>2A39'4(9%>+C/}_V@= I/R9\ܤpF8%    + F7/o_Mspo_sR9cD4h9.wH:^OnYlWoWoYnZl\l\jVhUkZkYkWhQjVdOiUgShReNbIbJdL_G_F\CyW>z[CxYAwXApR:oT8pT9mR6nS8kQ6mS7nT:oW=mX>m\BlY=o\Bm\@kZjWs_Er`Es`Fq]BvbGv`B{hJzgJ|gEjFlMnKqPtRwRyWyV|Y\~Z_^ZY~Y}ZXUWZ^^^[XYXZZYTYЬ[-k3i.l,o1 113 -) :'*.=V5㵃P>. +     + E80zgYyxhnYsSCqP7zT?dSo[p\p^o]kVjXl]hTiWhWjVgRiRhReKdJcKdLbLcM]F~_F|_H|_Iz]Hz]Hx_GpT@qWBoU=pS=mS;nT9tY?rW=oT:sZ@t\Aw]Ev]Cy_FxaGwbFw`DxaBwcGv`GzeKv^G|bK~eM}eN}gN~fLeLhO~fMiOiPnTrYqUsSwWrRtUyWyTzV|W|X{ZXVYX]Y_W\Z_\]`\]_\[YX\YX[nŝZ,h2#h+o.o0!v-|/|**35/3E*{Sˣ^[? +   +  @6)q`Qv}ploW_GgPzgh~huduarbp^kXo\kVgRjVjVhQhReOdKeIbJaKaKeL{_DbJ}`LxaJz`Ix^Fz`Jy]Fy]FuZA{^E{^EaIy]DfLeL~cJjRiQkPlTmOlPjKnTnToVsYsYqYu`r]sZw`u]xbw]z`|cy^|_{^{^yZ~^^~]~\^\[[[_bbaf_]`_``b^^`^^[\\aY\_ʵӱ_/!d- g,l-j-m(p(t&'.107*oexsX     + 80"iYEk~su~ezfzku~upzfuhp`t_p\r`m_kWq_o_oZhQhRiOkOiUiTmWjWkTpZmVpVnWoYoYjRnXmXqZqYqWrZvbv_uVvay`zdz^|[{e}d{a{]~bce~g}_eadb_^_i~a\be~]~\`aebcdchdfefecfbaccenqqkkiaba_d|Šܿݾ[.!]- i-k+n*n't*w(&++0D={h㳈t"  +    8)o^Ir{z~¥ç}zvtvo}i{gzdub{f{iv`xeva}g{ijzd|f|dzdxag{dig~dihh}cfijk~`elhejidfjcdbdffjeg[~b~]bhcjumilgpklgehjghkmwwíƲyyzwpkzÝپܼݽܻڹ۹ݽZ+`, i,l-l,n%t(|().-1 @/fDt豭B:I0"L4&S8$N8"SC5WE:\K:r_MmǪɬƫĪƬ͵ռҷֹѵγٻԶӴضЫ˨{y|yx|q}wtxonollklproqlnipnlqnknkkmnkjtyvrz}y|rmu|}}~z}uw«­DzşͩɢˤǟӾκϼʴл͹Ǟݻݻ۹ضں׼ھY-],g1!h)k)r'w+}))-*4$A7k]㵁佾{k~joqu|˲׺ðįŸɴʺ˶ҽҿѻҿҾѼϼսйŴݸҬʞėɧͰ̮̬ʭ˫ƢƦzxyzu~|xwtxz}|©ê©Ŭɱ̷ӼδϻкϹ˶ŰŮŮ˯ʵ˴йӼáĠпѾѽмҽġšȡʨϪյ׹۾۽طٹ׵׶ղԲӲЯέԳݺٵ׷׶׸Ե׹ܿY-g:'d-g'o)p#x*}&'*+4$=3VVmº栕ཪ߿߿ıǶɹȸ̼ҿིѪƜzvṷèȲƮİ°ؾԸѶҷ̯˯ʰ˲̲Ŭɯͱж̰ɮǮʱ̳εϷѹҼӼտԽ©ǭɬ˭ͱ̰иӷԾӽи̰ʪɯɳ˱ϴеԼּֽپջԵӳֶӳҰֳհѲүҰұЮշػټݿڼܿټںڻٻڿ׽ٽݽػ׸նշָغ۾W+k8(d.h)d#q&|+'#%*.3(G@`Ux宝ۼxdt]iQmWp[zǬˬҼӽԾлк͵Ͷ̵˴̳Ǯ˴ɰʳ˲ɳǰ˸ɴɳ˵Ͷ̵ζϷѻкҼԾֿվؿٽܾٻظԴάƤϿƟ˧Ъմڽپ۽ؼپؿپڿݿۿ^0!g3"j2 f&es({*#""&(3#5!D2I;Z屳ﱯ}kRhVcRkWhRkWzcūӼѾѾҾҿлҽӾܾ۽ھػѰоwolm~ɸğͱټٿھܾڼ۽ؽٿ׽c4$i9'r:%m1u2 z,("!!&//8(8?(k>կ坌멕ϻҲzccLcMfOfOdIkTzaӺտստԾҽҾһӽԾվӳ͹r_qGygBvdAr_8mFUsѾ˫ٺڼڼپڿڿc;,wE0}E%?%<%/("&#(/27"4<,qM^ߟ|͹ĢmWcKdJbMeRdQkWkɬսֿԽҾҼҼҼԾܿٻƣ~{WpOoL~kIua-?00'&(,1++45C.[C㼆ڹiMyİ~dQcL_D]FeRhSt[tλѵ׿տӽؾǦvuPnMkLlLyd>mX2fS.dQ.dQ1xhGnϾҳܿeBeJgME8F5/*(+(,*/46B*Z;㹇ۺgOږ{ԾܶnfNaH_EcKdNkQw¬Ͷؾʪ]}gHyfCub:ta*5 42224"23>(A'^AǗ߶dEؒnvkRlQfMkPtVsɱҹŨ̴|_xXnGjGxfߥDڝ7֝5ݫN\sĄЛҞ֦ܴγʩxVd@U6>%8%155"4"04"8 =,D/J/oji\Gϕpӳy\rVpVnVs[z`нջҹĦϺ©u^zNwCqD|NђM>Gf͔ܽܽ۹ڸسНɆ~wuu\Nߟ;ޙ2ޟ7ݚ5ؘ4ҏ%ё(ԛ4آDڨP۩Qݮ[ܭ\pȆО۱æwwUB%;*='76430516;!A/lVoMqV]G̎oлvaw^sXtYvZnͱսɯǯ̺Ȳm[ĐXK8+Ն'ZӧӻέʥǤ˧Ҩթѣōt{xq|kQߟ@KGܜ6ٔ-ՌʇЏ#ӕ-ѕ/ך6֚2՛5Ә)В'ٝ8ީYqɇ٧˲ȥaI*6$B07!85!5316 59='VFZFeS^H̒oƵu{e{ey^uZ~gªͰâͭzTFڈ/|s +˃$߯aϚطۻŧ¯ҽ̠Ԩў…oojk~uMPXT@ې%֎Ή˄ˈ̍#ё)ғ'ԕ-ӓ*ʉБ)כ;՚7җ<ۤUiŌϞۻѮxZ:t< ?)8 67%56!13537 I2P@XIcKƍh׷{j~f{b}bz]lðA.{h adɃ۳]ɘԱؽϰǴrzlOqa:{jE}]c~нÓwnߺjٱ^zxY^YߴMMߢ;ݟ3ۚ/֑%я"ʋ͎!А%Ϗ'ԗ0ї0ٞ=ڗ9Ј$~u+}+}$Ɗ6̓Gرt۪ǫȧz~O3G-H-7453352 6$7 :L=XS_GŌdʴyez_w\zbeп湃ߍ,ۈ$n^Ub{ޟ<`ڽɟھԺʳϾjtfGcS1`N)]M&bU,qb5n=LZͪk~trnݳ_߻i߸fҥJܰQܴVZ_UODڞ4ד&Ԕ(Ғ'ؘ-֗1ӗ2ݫLcמBn gmpqqm qǑIŽХݷӶҲt]yN-I)}>:762752-9'VEVMaK†cnrYoYmRzdoԵ֗Oӂw iVfz؎%ܑ)ܑ3١ZХj˳ÝӸαԹ̪ĤlZxW{iDrPxfDp]3j_3eV&iWo\&s6ծjrߺggi۵dҪYحT߶Wemk\UޱGݨB՟3ҕ'Ќ"Ԏ$ҏ&ҕ.avڭQupy|ul o qrw&ȓFܮgʐڮ۽®¡vrUP1|E$:!;#53022*8'SEXQZFa϶ӸwcoVmVt]{csʺඏy6zw nt +|׏*ޒ7օ#z"z)Ā8{7FpӳиԶڹϲȤΫɦ˺zgb\\]|SZYV{RuJ|HBMov޸n޶gܷcߺfߺhز]ݶ^Zdj߻b۶S޴Q۱NܭG֣;ҝ9З3Ȋ"ҍ'ђ,ej֨G"ƅ$ʐ2Ƈ&ukffgm +t}ɓ:ڨSګZyō֥ϹѰuX[:~L.y7"~351/33-/K=UQ\KwUʱҹ||iydzf{g}hxгΔ]q$̈́Ѐzyv~yrvjen+v7q.`ʳոٻЯ׳ѯĢͫǷ³q^_ed^^lr{{yzgܪdsur޸jܷf޹fݸg߼hjܶ]޹\i߽cׯSܵY`߹]޵TשFըDҡ>ď/ԠA٨G^ײTСCƓ7Ŕ>ϠGΜBÇ#ocgchon {%͓:̓C̗7ԣHoէԵ̨kI`?U4r= }<#|7}5.}+/%4F-M@e[{g⻞ǜinjlu{epƱߺףTם>ۥDآCԖ9ω(oh +i h h`` \` cj y,ˍ>ŎӴɢƥĠɪ˪տw|Nb]zQWSVuG~Oehw{ŶоƢͰֽҰolgܷ^lh޼dd`ܵZܰVܧEԙ8Ɉ&|pvzОA֫JխU߾fkܶ^ձ_۸gٶeˣKș?ɚBѤOРKŌ/ufedghjmsĐ,,ɖAٳxԧѸƟϸǭêǫθ϶հqNuXa?\9N1F+?":9!43@/XKibԀn߻ܶr~innms|f٬lԜD٣BۧEۨEӖ1|}rgd ^_bdim#w"́"כBȈӳѿuszkuLwLzMzN|NSPUsANyʺɺǠͧմ׺ծ޷o޲]eܴ[߸_g߽e߹^VM߰LKާBݣ>ٙ:˄!p srr%ǝC߿iuxwղbطhęD:˝GϣNТM˓:xo +ffgfht x{!&Ő5őAݸzٽ̰ϲǫwĤ}ƨжλҽ߽u}`xTmCY7I)I'D C<7D0_Ztf؇q޹ͽ~sojmone޻ʓAȌ,˕2̘6Lj$Lj$͋&ʂ"m fed +^flrz!zԉ&ٟJʼn̡мudxNtFXY|GtDwCxF~NMT^e[xĕѤձܼ޾ɛӦU٭Ycaba]`TNߦ@ߥ;>ݢ;۠9ғ1smo qo(k}yp׳]ճeɡN?ǜMФSϢOʐ6m_^fjlp v | $2ȚRֵ֫ʡԼ̵ťŦ|y¥zжɥٶԽһũ~b~ZzV`=T.O*P%O#^:aCU4q^zύtܷΟvqpjnk{dgɯڰڳiˡT3"" Ƌ)͊+}rkdfovy}#΀̀ю0ԧd˥lIp?h5}K]LvAsW_`۲p͈DžƊ֦̓׬ڮܵ۲ٵڻ״ճԱѲɪȩĥhǕEܬTa][\WWNH?=ߤ=ܣ7ަ>֘5{lfk kl +-۴`tpڵ`ֳ^ȢTDAɞRϤRƌ.|pdafhkr v {"-Î=ݾԲʨͷʳȮǬǫԹӵԸ͵̰ԯfzRwUiG^=Y4b=X.xUw[~]܏q嘊Ж׳佱Ívljkin~g~gpԸ޲ܮث֡آٟܧݩީߨ՝ƃ̩X7‰,ɍ2ό. vsqxxх&̀{rpyҏ=ۚT{9i)GadvDq;yDw?ShͮpضlˁΆхӌ͈̊ϐѕћ͗ϼxz©vmeZo1ibzi6ۤDޟ;ߟ;ڛ5ۘ3ݚ5ޞ:BB@ߢ6Cݤ6ޤ=ޡ<ӏ&w +tquol vΜKݴl۶eӫ]ɠUěNGǞS͡Pɕ5ymfadjmq t #}%,1ҮqҳаέơԾɩվиཛྷqqNiLfDfDg?mK^8xZ͈m՝{檍Ϛֵʗslmjk~i~gz_ߴל͏Ä~ؿ}һq־uux|{̉˄ψΊψь֔ڛݥܔuʪSɤL8ǐ2lj*Ʉ)ǀ%}"{!̄&ӊ+̂yq lm +puiu2Q]Nv?t>v;VzΉԍфπ̃ΆҊχ̅Ί֘כˏβzδzۿ~Ĉʦ]2 В+ܕ,ސ*ڒ)א$֌ ۍ$֋$ݞ;B9ܠ3ؙ1ݠ3ޥ9ܝ9ٕ/ˀ}x~|o +ptʜK֮dԬcѧ]BJǝQͥV˝Mym ^]fip v x ! { z%|)Чk۽ۿѻǩͨjtUkIjGi@rOpK`ڦ߲潙巐ř{ɧܵsqlljhi|efκگȑѺx˭`©Yƫ[ƩXͮ_̱]Ҹd׻hؼh׼lmily}}~Є́ЅӎבؐՍٕwơN*~$ŀ#Ȃ)̃(Ɂ#ˁ$f_fhf RQt,TJu;t6u<Ğ_ȀԉՋӊ~Ӎ֐ܕږ֐ӍҒԙҘғ֘ӕҏ֏҉чӈӆ߲V1ݓ&ޕ+ߔ.ݗ-ߚ-ړ(׋֎"ߝ?8986ؘ0~{*~"~vvmwƚGȞE/B̦[ѨZ͞Nz%e \WZam t u o)-'{x$})v&3ڶԾͶ͵Ұ}f|ZqOqLvJbpʘvʕz‹pnŸ䶡qrnniii}ew[wҲўªbM8=;47=ĥ7ƥ8ǧ;Ȫ8ǧ(ͨ0ɣ+ʥ&ȥ'̦)˨/ֹH׃ͳAΰ;ټLپXmjvx~ςτхݖَ˫bu!nz ǀ$wpa^^XGECDS v,Ww)ߤVsyo{ӈ׌۔ۓאԌ΄ט؜ؙؚ֗ڞ՘ҐψՍ؎x\W?2#ݓ*׎$ڒ%ݗ,ؑ&א$ؑ$ޝ/ߠ/B<ޤ7ڞ5١;ї3)͛;˟HʝE691} x{ ,3ĚPϦ]ѩ]9fj]^f `hspn v(*wvxv#y)@ھҸζͳ׼ȧ~qwOmIvU~a_cjkhw͘tiklkke}_~[¬ݿ߼ι}J)%%+-($!  + + +_ϴBɣ(ɤ+ӵE״ETy|~z΂ܛ֛?N +b†=߳_nqvَ҆ݓߖޒܖ׏φ̂Ԏ٘חύ͌ӏъыאבے׎vdZA80-ݕ,ޕ-֏$Ջ#τ̃ЇӉԌ(ޠ3ۣ7ɖ0ǖ4ҧI;͠=ɣDǠF&.:82&x"-ǟQͤ\ǚE|'ihZVad i +jki +l!~%s"ge jr&ƚ^ֿͣռѺ͵Ʃڼͮ¢py`rQoKsR{Z|`ea{^k滤Ȏqlinlmf}\p̭ݴ̳|D, + + +ĝϬ&pniruӑҴuxTvM{M s-z+dO=>AB=;}8u/DːAcwπԊ֌ِ׌׍ڐޘٓՎړݝڕ̄вhzȃ˃Њٖږܕ׎rdQ?9/ڐ ؉Ԇԅ~Ԉτ΃щ҉!ڛ.׫CճMܽ]ݾd3$-05<4}$6@1z'=̝S-neV +PMUa ekd ag +{'y"aZ d`z;ϸ԰ֻֿԾϸȪĪϰƥitTtWuZwVyZ~d{_|euԽآƍ}‡srˆrÊspgbaεϫڹϺ}G4 }xrn{ÔĘ Pͩ+ѭ1ָKk΃ۢÉgG R._5}LU O=68>=8x2i.e)k'Â6iч׍ړ؎τЁ҉Չ׎۔ܕޘݘݘ֏|ЊЈӌ֏ڒݖݔՈ|\NHB3ܔ%цст΀̀ӃЇό٥<۶R]޼ZΪQ3z$|'.JаaE/3@5~+mĔD.o^TMNOP[ d]ZWr%o!Y +W_dHϼɥѯӽӼԾ׿ԾһϲˬƫݽӲˮxvYvYqUsTxY{]}azbt點˓z̔{ƎwČw‹pƎxmebĩɢ߽ǜ[vBΧڱT-"} ~|~ęę|st|~–ĖǛțǚ ʢԲCuڛӸ`B +A P(X4{MK:78}8}9s1g)]%XWYݯb҇֏؎ӆ}uрՍ׎ޘޘܕܕّٔՌԍӌ׎ڒړ؍؉ԁgVXQܓ ډՇӉтЂЃ͂̀֋ۥ>hں[ҮQÝ;95p~1746FHw$w&77tq*jT RK}ILNU[Z V[jeUT\m,›jζǷ¤ç˴ϷϷӺؾ׿׿ֿӻѶ̲̯˭ȭֺƥi|`x]qXu\gfemѴïנΔ{ɎzǎsƎtǐsɑyh}Zt¡ѱոػٿپڽܭاѢ忎q9wHyCɖ@' vwzx{ɟɘƙÝ ƘǛ̞ ˞ +ʟǜ ̥$nԕeS0@F!R,jE|K>|89z6q3d*Y$S PK{Gۧ]z΁Ռ֋Ӊ}ovԉړّ؏ؑ׎҉чՇҋ~Ӆْx׉ׄqZbDׂ{ +ӆ֌!ч̀΃x ֤̆@޽aϳWãG27,}+E6C@Jͭ],b04w\ oTLM|GyE}ENWW ~LMQ d[T[d&Lßåʺñïij˺ĦٿѷӸռս׿ԼӻԽϷͯɩƦڽԷӵ|g_}\{bkjdiҿͻ赡њʓ|ʒ~ʒ{ɑzȑypuU~\˪абӶӵնӶֹӶ۽׮pf\ޤZݞWЊKZuKWʙ7srss{×Ú×–Ц ˡ̥řȘʛ̡ҥ Ѣ ӤѡդקԢɝҭ1ԋȌj-S-C >E$Q+f:r:r4s7g.^+OJIDDi; כQgrЀԅ׋ْ҈xՌؑڔՍٓؐ׏Ս׎ԇ{ًٍNkstng[Ӑ { ؈ّ+և| ҅Ё˃̌#՚2ԬLέQ3-9(;MظjŠHί_RĢWU},q:œI:ob IzDwCvBxEzGxFTM~K|IR +XWYaq5Ը͸˻̼ɫеӾվϳҵҵԵּҷӴҰ̨ǦƤڽҴ׸mkiotmio޸ӽ«ݤϘʐ{ȍyɑ}ȑ{tuWlEaʳɩͯήҴӵԷԷҴҴԷۿۡkZPHJޖJ̈́:_O +G۰Anmu|ÖÖҨΣ +Ɠ“ŖŕɘʙȗƗʝƗƛư̈̄Ԥ֤צ٨ܫܮ ݸ9zԗW^vK k@_8J)U1T/e4f4`-RIJED=AK_̄;ޢSdnՍՍ҉֌΅̀֍ؐ׏ڕۓڏ؇،ܔ|ڊ,օ&IM\ge6ۍ"۔)Ԇ!֋ Ԍ ϋљ2΢AծSͫOB {&.CSLCڻnŤXJ=v#6:5>8l|Hu?o;r?uAuByF|N +{J +yG}JWXW]f(¨{ìůƷϿŨŧͱ̱Ͱ˭ΰͯϮίΰʧǡŠ ۿڽԸԵҳҲây|ěž~z}vuݵԺ굞җ͒zΐ|ȎxƋrozbjBoIvѻʧ˭аѳӵԷҴҵѴҴֿΧܐMLC=ޘ=ڒ;|-^V >ŁguuƘșƚɚ˛͜˛ɛ˛˛əΜ̛ʛȚđ˖Л͜Ԥߵ[یڴgʗJǍDКPרZƐKF:bvIk>[*LLGA>CBHr3J bq'u+҇CۡSirzчՈ׏ٓՈ׉~~؈ڐۏqڃ#k +g +sPfcB52ݙ+ՇՉ*ԡ9ѬL:ġFģN($$7 PG>=C<96{-z+B>{(|*7qRq9m7p8n:m:rCwHqBvDJ +RSRb+bǨӼ˾̿¤ξȶȷŴ͸ƴ˭ʭʫ̭ɩغؼٻַַٻոԵ˨ŝ̩ʥğ~Ğw׭Ҷͳߩϕ|ɐtʐ{Ǎul|`pPjB{[̨ϭҰԵӴոҵԷӶҵֹÑ،Bޕ=ݖ:ݕ<ْ8ӊ.romˌH3yėŘ̝Ν͞ɜĘ}ϡ ӠОϟϝџĔƖϢ߾UoݕЊgqqsǀ|vӋ֎ȂٳfÕI~4Sh4J<ACM#_4o8x3;@D >R p$Ռ=ޝNakjmZ]hwֈ،҄Y܆$re +^ؖ0I]DA>B7ENc۾`7ţE?>5-.QH;L=:;?{,u(8?|'y(3x R j5i4k4e2l;p@qAk;qA{G KR$yLmϻ˲ԾӹԼȮ{vnräĥɨȩģټָշնӵԶַغھغִʥΪԱѲϭϮɧ|ժƦѻ뾝ӛ{̓zȎvǍuhgnIlKYťѰӰѲշָ׺Է׺ҵӵԶ׻澊֍D؎:ْ9Ԍ3א7Ս3΅+ˁ)~*֐Fڬx¢,ĚȔΟ̟ңҦΠĘ{oƗНѠџҡПר ̛ΜțĖ ,ԽfԆӌʂ{}אّݗٕޚەݙݙ׌Ԋ֊bLJ@J K DF"V2oA p?t;K~:l.l+z2HZn*v.g{/ҋ?~1mԌ?X`ܱR_Kԁr ]e͇߯ITDELLHKP߹SӰP9?@ȡG630J9HT9Q<:y#|,7@y)t$u,y+Va/Y+c2_0h8n<c4g7q> +wDnAU«ÚǛȧδ̳з̼sdb`ֿ׿ƧģǥؾپֺպֻپڿŸŸĠš۽ġִܿǡ{֫Ʈ͵׾ͷݨЙ}̑wɎv…l|YsPqKyUyͫݿۻۻڼ۽ٽ׺ԸӶԷֵپ庋т@ӈ5Ӊ0ԉ2Ԍ1Պ1Ӈ/΂)ˀ.ՑB٥ڑսfή4Ϊ˥ѥҦ΢ɚŖq×ϟӤҢѡ +եӨϩ"ϭ9ػSiՊ֍Љӊܕגܗޘݗߞߜߝޛܖܖߙڐ΁n؟UP?DI'[5m>j3v?w@ Z"W _(y52G PCBQLAPj#ώ0ڛ:׉yp ṽاAPVWRG֝/=EسU̫OɫT<̧QɧTѳ^æWMAHO67ĥTN0{,3;61|*q!1ZZ*V&W)Z)b0c5a0^0^2K&H+zK˷ĔŝɩʬˬʹѸҺʮvdzZǧȦǣȦȣǢşßßǢʦ̨Ϭ˨ͩԲѬ˨αͲȮğث͸ѽ૏љz͑vˊuiuRrHyRyãٽػػӵԵӵմڿ٩p;х/Ӈ*Ӈ,Ջ/Ӌ+ԉ/΄%̀+Ռ:՞ٔӌkHھHַ6ί;'(5+ϰ5ֶ0ObuׄݒՕpduאܓޛޗޛޙّٓڔӆi9T*??I&\3i2g2f.Y UUV `"i(u0w-v,v,u,x,4FQZvDߕ.؇~рӏ*؞=MWZLۤ:؝2ՠ8բ=ҫJήUͭQD@ͮ\ϳaƧUD=BM$\+^)a&WX TUWV]"l)i%f"k%k'n'u-;EϘ9ޛ9܊'لnhm sv ӑ+U]צ<Ι.ʗ2ҤCʤH@A<8R˭\αcQRͰc¥QOMP@B=@9572B>_K<C >B!D!6.139D)|e8Ÿàǩǩ̳ͷϸҽֿϾrؾۿؽٿٿ۾ۿؽսӻдԿɭĬ껡箏ͤ{޷{ɊjcqӰھ˔[y7Ԉ9ӊ+ш*Ԋ)҉+Ӊ-΄%х)҈0Ŋ߷ߴ߶ܯ߱ܧܥު߭U +ݯڥ֢ЖјȈ~پzҳc֪Rן8FuхۓޙݕޖߘۑՄUkW'<9:AL!['j1d+SOMPTZ_!c!g&g%h%h!h!v/B\҃}r tjfcei|U߰MΞ7ɘ8ѨJǢK>NGFعrٻnӴbHMɪ[[JKLCH>KBJM0~0t%X8)'--,-132;"=&X:YʷœƧǨ˱̱ʹϺѼֿֿеIJwܿٽչϳʭƧʰ繣ꤍƣƣ鮑ҨˬڸNJQ{6҆3ԋ+ԋ-҉)ӈ(Ї$φ$Ѓ%υ.q߲ߵܳݳۮڮة՛ҘіҘA:ϗ˓ɏƇćٺx׶kҲdϭ`̟LҚ9'JօߛݚߞߚݖݖޖۓuՖHQ ?664=Db/vA +h3X&NMMWZ!]!c"f%f#f#h%i%j(y0\؉xmh]_c_fn |p 9ϪOşFãL;;UԶnBEˬ]ʩ]H@OQMç]§`ɪeML?E==9xP/"%-,17: ?'I'U*tD `kιŤŤʭζηҹһپǯ¬vռѷ˯ɰ«챠ij黧ǯʲն׻׼ѳͰԺܿȋQz0҈/ч*Ԋ-ԋ-ӈ+҅$σӄ%Չ.bܯ޸ܴܷٯ٫שץӝϘїϒ=wdɋƋ†Çۼ}ںwԱhЭd͠SϘ>ٚ2ݖ!Uߛ֏ܜܚߜߜӌِِڎԈ[t#9@48:L$[.yBD +i5X%PNKOTZa#h&f#g%i'e#g){7ޜEޕ&wid\]\ZZ\epy̥I̭P?׹gC-FåYFLEMAOORRɬdKMJC{+6;:>wL.*((+/3H*Q+c;l9ENPIŮ;ϻžŨȯͶζѺ˭ʶƳñԻ͵͹ȴĮ챘쯖İ̱Ҷϵʱ̵ֶи̱ҶڿƅA*ц.х)ф'Є!ф%ς!τӅ"х(SҠ޶ܲݵܲ٬ڭ׫רاѢϚΑ͔=}s܂!ʊĀݽ~նsسlѫ^ʤVȚHΗD\ޜ#݆ܙٖٕߛߠޘؑ֎ّۏۑЄDVt/L#R)^-p9}E SZKe.W&QLMORW^ b#d#e%h'd b$E ٕ5׋#{ ofb_[[[\g 6@2˧NmsHHRĨR̯Z/Cͮbȫ\JMTIJAA7x*D}/3|1mF +)-/49!B#S-o;}BIPQRT b#bij˸ɷο¥ƪȭֿͯչԽʹɫγҸҹư쵛魗穙奕䢋⨐̷ϵĥ̳컥뻞ŦҷؿپڿڿۼͅL}0-̀%σ'υ#΅Ӈ&҄"тЄ(ܖAʇڪޱܳٯجתԧԤԢӤϚΕɖIwqh1ܾyظuյqӫeЪ`΢WƘIӡQz= hדݘݗߙڎ{ԓMGEQQAL<@=BF99t+Z8=%B&M)[/m7s;DFKNPRQTW f!iŴɷͽ̸мнɯٿ꾨˴ç⩎赘赘߫ߧݦգܭéѸw|ʪ崜̯ԸԹҸҶӹѷҸ׼ؿ׽x=z1}/'ш*֊-҆$Ԉ'Չ(Ӈ*҆)׋0Yϖةڪשרר֨ѝОϙΗɑ˖Ntohmߕ/߶kԵoԲhҫaˣYʝSƔ@ӠHwa||}iޜݗޘߙڑ`tDMX Y WV V ]YMh1W%V"W[#WV]"c$g%d"e$d$a"\N g]jghorgcad{ʝ7ЯT)Bΰ_NC2TZѴjϮa;78:;0ƩZDGFT@IA;Ft+K*Y3uC I I E~AEGMLLPRSSRz;¬zǷǶʶɹĬٿ׾ɱ̮ۿ׻ѳҵԻͶϯηơw|èԢʲ϶δδͳζϴѸ׹Էq/}3Պ6ԉ,Ԍ,؍,َ.׌*؎(ԉ&֋)ֆ(O#S%U$Z&\&["^$f(k+k*h(d%] `#=c\[ggpfhccnͅ$Σ@H-ãM>x#8CŦ]G]C:8CKåT6¤\PDHM4D2}/Bk!A#U/qCQOCADJKPORQORT\Xƹ̽Ǫ׽ֿվƬѾξʼĥվȫ۾ӳΥ“|||Տऋ뽠뼣ǰɵ̷ξѾαx:у2֌2ُ.ّ.ܒ+ے+ޒ-ܑ,ߑ1َ.Ո,ى0׌:ݧeǍϑΘΜ͚Ϝ̖˕˕˔ǐ]sigmsj~ܩ4˦SɠVŘD̑7Fvߑ܎uuwn}y٘ړߘܗӆ̑6N|9W=kˀyز`œ?aGBm8YOP"GS ]$i)o.q/p.o(h&c%n-d \^e]v jjdfr̅ ϡDJ5ǥPB}-8@¥^UOťYSL89GHAJ6DL7n=r'[1Q,O,N(O+S,yHUTROQQPSSVWWW dƗ̴ҼиҼҺӹ㹟㿥Ʈŭǰ侥๢มඡ丞踠䲙䯛٦ۮ޾✑qw[tkQwwvyʷȫ⾘t5π1Ѕ/ф*х&ЄЅ Є!ӃЁ~yxhX +^q.Á=ņDӡ_ϟW۬iڳp߷{v~Mvmiihkllmх8qԆJjhlloopoHgunpqsgmoGӒ6̀́~уЁ~~vqrnhbܯLpRM_lw'2r"Mo<Y'IK P#z@XUSRRRU]]eЈ#ޯPIPLL6EZPBBIH£V8/9BAK=q%}06u)u%0]W/M,N,Q,P-m?W]URQSRUTQVZTU ZCˣ ӽλθѻкѼ׭ยฝพ㹣⷟߲۲֮Ҧ͠Ȝ{Öv_ϏuDzޥni}ʫǸʹܵv4҄3҇2҇)ч&ӆ(΃!΁ }Ё|wspn] +X gx3y3w-~46Ć>ǍBÎ@̒B +nheeejnpgvֈTsrfdfmlkjt|+kkomouj[FBjz̀~y|zxmnefXح?դ7gc d mmk^ +_XREAq;y>VRRPOJS]]^}ߧKEFGX@@[S£[IƧVĤUKFAP83D3s!t"z){):mk?J(J+K*K)l;O\`ZVTVUWXUVXWUXaŝfԼӻͲζͷ͵ʹâӱɬΩʢǧÞ~}pq~az`iI`Dynպ䩛|f׭̬ʷʴگt3Ђ2Є*І(҉)Ӈ(Ѕ σ"τӄӄ҃ҁ|vp^S[ eo'q'w&x(v(tswtlhebdhjndu"N}ucdfoggyxQoghgj^ެGؕ0L|z{zvxyumpb\L߱>ب8#lk mmgede\ _ a `][ULOMPT[ab fϔ64Eɯ`pӹpCO>XP̱dҶmʨ[JSJ;DF3z.8={&r#ZV.I*J(P*k<LWYY\YXVXZ[]YZ[Zf +ku+ϸտɰ̵̵Ѻηtuw|ìsvWgM\;V=jS䴈罦ڮ庡Ƴįרwq.}*σ/Ӊ.׌/׋,֌'Պ)ԇ&ӄԅсӄՅҁ|yuk] XSW Yegmknzofkegfelrjr)Uޟ%^bglicqtx \bdeZLިAך5rurؓzzzvrgg[[޵F۰=צ1ԟ7mnpnke fegbc ca ]QKLOLVZe^[ю477ΰ\׼iwUZVXMV_5DKG@EZ@4@:-l~QT-S+d4zEVY[[\[[ZZ_[^]\]^hprr"Qƞʞvltsżžī̶̳}a\=X:T6mTzѼӟjm'|0ӈ3Ӌ/ӌ+Ԋ$ԋ$Ԉ'ЃρρՆ"Շ#҂Ѐπ{#wmfaRMONLOTsjgedefdi{jm5cV[lqkioq .d[Y߲V۬Eؤ=Qosvzyw}reZSLO߶HMڻUԠ3|opojnkf e e d ab_QLOHKTZ\\b$>>ƥV̰dдkSPͰl[gx,?GɨZ˭aU@GKFA54~'Xb8Y1sAY^\_]]]`]X_[[\[^]hqvw"t"r%έsֹ̬Ƚ˱˲ػmeFgD^߷˚cl)|0Ѕ.Є+҈*υ&φ#΂ ΁΀Շ"ֈ$׋'ۍ(ݍ-Ն&ӂ!҂!т!΀zqpph c\[Xnikgcdbcds}hsVWbjifom.MޭH۪FݩCآ;bltztsuigZHߴD۱AݰAש8۶Eҡ5l +l klnoli hea`a\HNMOTQTWa {B4LģVMFJQ[V95K:KSHPA53y-y(b d9rAVb\]]_b___^]]_^^`]m suvvx!t";Đ˱³ĭǫ̽й˶ƭԹϭָֻ̧͒bw5{-(̀(Ѕ,̓$ц&ԉ(ч ЄԈ֋&ڋ(؊&܎+ڌ)ڌ+ً*׈&؈&؍1և&т!{ztoqrppmhjifcbei{gvZS\eihjsq +٦9ئ@ן9֞2ekgppxre][X߷HܰAܯ=٩4?Ԥ1Λ-Ŋ$iak j j lkj k j j g +g aEEHMP^WO]|"00JHH@DSŦX̮^NA:t7PAJ6zUo\yLzE|GPaca]`_\]^aa_^^][_jtvwwxwrpàZŠѼظöȼǺ̳̼ڿɉWw34Ӈ3Ԋ2Ѕ+ӊ+Ԋ-Є%ԇ(҇$֋&ڐ.܎,׈&ڌ'ً'ً'ۍ)؊&ً(؉&Շ"т!҃#~|vwuxvzihgeebehoot{glMR`echmq}١*Ԡ7ԛ.Ԝ.fdimomhcdXYP߶M٬=ة7ӥ2ԧ9Θ&˕(ƌ&oq lnl +qqsrponli Q@DHHPQP]{ /9?Jȫ[D|+XոrF4:@/x(3I=_GwSpwNRT`cedbefcddb`dad]^`or uswyy{"vpy,ѻʱִֿyͿϾؿąM{9φ3ӈ0Ӊ0ӈ/Ӊ-̓%Є$ς"҅%Ӈ&ф#Ӆ%Ն$ԅ!؉$؊&؉&ً'׉&Ԅ ҂Շ%Ԅև$҃ԃ |{ }}u`efeaebcf} y +oPOYefclol}و ֖ϖ*В#Y]aedc`[`WQݴF٨<ة;ӡ2գ6ͥ:̠6Ƒ'ċ#rp ppnqptqsomqmaAA<DJLOWy.=9KFCATS:/32@C@Hr%9!fCwRxJ^addfggfegaeaa`adgZir tw|zx| zxuoOǩнʹȺư⿽}Cw5Ѓ4х0Ї.ч-҇+ˁ ́!͂΂ Є%ц"Ӆ&ӄ$Ё ԅ#ֆ"َ)և$Ն$Ն"Շ"֊$ӈ$Ն#ԅ Ն ԇу} {igbedb^^VW]}]IPckadhiqgo ȆPNYZ[UXUUQNLݴM`orsq޾b߸Xɏ5od nlqpsr n lnmoj] A9:@JGPf+I55;ABƣTQGL69<ɧ^B?AFFBܩD_wruxxwxwwuwvsiН9u n o q +q l k k h +h +Ox5n+q.w4=DMl:H̪ZMģVɩXHHáRIF0c +xKjBh?Qdcjkhkmjhijieegnsromwtu zq +vzxtuwxxy#v!w$q!Ü\и津݆ypfmbi^VHaPPAPBQ@PB_RdJn]xdmʝӷضt8w5{1΂3̀*́/̀.́)~'΂*ρ%Є,ф)ς%ς$ρ$Ђ$ӂ!ֆ(Ӈ'Ԉ-Ѕ!цՊ*Ԋ#҆#ф$́Ѕч Ѓρ}y{ubad`aa^RKNNQIJNYcabig]dY_`pْ!ޞ,ߝ*ߞ,3ۡ5ڡ3ޣ<[gprttz|z{uwvuwvdܸVեDu vq qpnm mEp0d+^&c)s6y:@W w!DšPEáQF:@H/2d b?c=N_gfhjigkifgfihcgiw x {x w +x v +u yt wywzxw{vzx#u sx1ָa\`X\V\PUI]IUFP9N8M9E2A-H0I5RAK2E.M;J8wXԷְr7z;6Ђ1ф0σ.Ԇ5Є/ф/ρ-҅/҃.Ӆ.ӄ,Ђ)҆,Ѓ(҃,Ђ/Є#Ԉ'Є$ӆ,҆%ӈ"҇'ς ΂́΄Ђρ΀ ρ Ѓ ~dabba_ZNNLLPMCERTcbdcdddYVX| ד۔(ڗ#ؕ&ܗ,ؔ(Hdlswty}}~zzxytma޽]S͐$r}pn pk X Dl+Y)LAb/9E[{&SƢMB9{%u}"k ih@uE\n hlknm jjkkiedefdeis +~~~}|z{w xzyyxxvzyx too'd橚`bZW^V_TXFS=P=K:N8K8I6I0B(D(B*D,>*?+D1J1M/M.L-ŁY٫tȦQЍIщ?ы?ъ>͆6Ή9Ή=͇;͈>͈:Ї?ՋAӐJ՜YhU׈@҄0҃*ӆ*ӆ1،2Ӈ(҅%σ σ̀ρ~ЁЁ҄҃ф{^e]\]_SIJKNKD@FMRW^odb`ZNT_rՄ ӈЇЅؚ/Yhk֣u}z{z}{{u|{x{x]ݾYٷNٰ@Vd՛7yyrijOt0K24])@Pf™G7y#dt?|FZ4i=yEWjjnm m r s +o nmkghehjihfky ~w yz{zussvxywwpi$j)ɠƹYUTPc]]TaP_LO;O>L:G/J3E0B+>#B(F/I5D5A(?,F7O4G(C%G$Y:ݠpz߭uޮs}㼁‰őʖϢѤժԤԢ~_XމPۍLօ=Ԇ,҅+Ӈ+ф%΀!ς#Ѓ#ӆ&҅$ӄӃρσ҇ӇԆw]_[]_[KIMLOG<ECGNXxa[e[QRO^cu} Yihqś}}zytxyuցߊia޼T۱DݵLҠ8ˀ{vm ih^ KZ'<0Cs=Y %z"c pAY+P%j;Qfj p g d|lo +q okjijgjjmkjlkx }}{}xywur q p xttnll \L䷤v됆oo^]`X[N^O`OW?Q7P9O0K/H,L0H(K)L.G#I0J.E*B)P9O6J+C&?{Mޮw٫tܭt߱{߶ẃ㼅ŚʠЫԱ԰Ӭ踊ލ][ߋT^WۊKҀ6т.ф*σ(҇+ф)֊,Ԉ'ٍ1ٌ+׌%҅ԉ، ֊ڍًjW\^`^LHIHQQF?>CFLddcb`PPOUUXkڗ3^dnszٚҌ}yxxtqrqtҁto^Y޹OٯJΗ1́ʀ~|woga`Uy=X$;/Q(R}JW/\2l>Udid[U[:nmjkkjhikkkllejv|}w{{yvuron oigedf gb +`] WYtopeed`SRUKSCXEO8T/|CΊR|?i9N(K)D&?M(1790-37%11P,y޲zްzܮwݳẈ߸Ἄ໏ǟͩӱϭɟޓfbb__[[ފQ;΁/͂*ф+ӆ0Պ.֌/؋.َ.׌,׎-֌&Ո ؎#ؑ!ّ"؂VW]_]ZJKKLPM?@>>BIVj\eZHMMTU_Najr|~ρ۠ґ|vxvrssqr|jd߿Z߼WڳMխEМ3Њ#΄΄#̀rlif +`^_Pj7A#9E J&i7VbgdZWV`̄ܡ4MLpmr kkjgljggkdjhkq r +r niikjifhibg babc` Z` XVxHb/yrefd\TM@I>UCB*J3U8ܠbϜVy9t5ōJw!ⴄخwڮy۱}޵ḋ住็ỏ従ßţɣƣǤߨ܉ae݆a_eleލYߐ\܊U}8Ђ+Ԋ2׌4֌1Ӌ,Ӌ,ؐ,Ս*؏*ڒ*ۓ*ؐ&ڑ#ؒ"؉]RN[^SNFEDI>699;<?I`eWQHIJZ0Vipstvwsttttqonkkli߽]a۴PׯJկJѨDΝ4ϊ"ъ$Ї"ˁ!vq l jjpm j k k i j nw{x ӎԕ%Ň{Âݬ;L[kuŚ2kmlmifdfgcbaggea‡%m _`]\^ZXT\YYTWU[W XW YUt;ݾۿ絠rjyclXXLL;G(A ЌUТdէdЧ_֫^ѣWs1.r>V@ӡbMp A7 ԋdܮz٪wڮ{ܲെ⺌⽒™˜˦̪˪ήƣՐu݄d܂^߆cdpsi؅SބRb܎Vw0҄3ԋ:Ԋ2ӊ+؏1ݕ7ؐ0׎-ޘ5ܗ.ܔ)ؓ ܔ$ږ"v ROT^[QGFGIB15;88;?IVWWLFEWJaiqptvtsprhkj߾h޽g߽eg߿f޽^ڴPڴQذLذKҩDЦBϘ0Ҋ#ψ̄͂xytt vuxtstvzŁǀЈښ*MNF֨6ܪ5߬)M8L.F#CޙdΝWʠZΥ\Ш]ѦYΠP̚LUx4ALyCwÈE^0MX*E& +% 1|}ڭs~۱|”ě”Ơɥ̩ϬҳΫ麝ډo|Y߆f܆dkssObIUQOJFvM]inqsvuwn߽i޼fݾfi߾gdbٺ[ڵRٲMְH֭KөEөEլGФCƆɁ}zwx|xvvwr puuxхב#ԓ!MߴMJݳCOݴCOTVX^roӯKadm i ~Î)ʝ9޵Sbxqqrip{֮Oߩ@ڗ0jUYWUTUVVTRUSRRSM M +o7fƙtѳͱƭˬÛ{`C.;"9< ?$: 9 75;lHyOe8d&K!o2˟SǜN̟G5ǐ?H}8–?٩VWWZ$U"Mf;ɋYzܭtګr㷂幆ŗؗśɠʢȦͭ˨ͩͩĠ秋volr~kJ[;rInq܉div{|cܙBݕ7ޖ9ߗ4ޗ/3ߚ/ݗ,ܗ$SKPVVPHFFD8/.>8337<MYXKG1H`iilklol޻fݻegj߼bۺ^ܹ\۶YسVذL׭HӬFѧIХCҥ@ѪE˝>}!uwvtsnnq kkiheatޕ-؜6ީ?߲KGKQLJ޶LUU\WeoplϞ7ݠ=ާi=|~zݲw⺁㼆ÑƚřشƢɩ˫Эǧ䪊݋lۂg݀djlkދbh݊fތfk܋_ք]؂YzRuEێRޘTߛVޛDޘ876552ޘ&+ׅNLQVOJGEA;6*3=FDT\fniZH1IYgjlmgdiܺdط^ڵZ۸_۷YشU״XٴY۳R׬IХAЦB͡?͡<Ҥ@ЪLÙ?wru o +qmmkhceggfЂݗ.J]Q޵QNXQJ޲BHMS޷NSimnrdްGELNZ`nqkolnfZhjkpy XTTVUWUUX Y SSUUUTRd+dȼܽ췙ꥃ栃ֈm@'789S0`֐m{{\,*)257 u;m5Y`3pFb2y*:AÚAȗEifiz@ fh#Y!ުsŠōx{忇߸~~⻃ἉȚˡɤʩ̫Ƨ؍t܁jzbychnk܃e܃a܆cފf݈hۇg܋cԃ_}X|RoHi@؇T}DݔLQG69>6)׊\ONRSLHDILQ\dhjph``^beo0NVZ_߽a߻`޹^۴Yٴ[ص\شZկPׯVӮUײVױTֱTҪHҦDΟ:Р;ț5˝8ϣDƝ;;n n +ln jihcdgcdeЅ"ޝ7M^]Z]`YKGGܱ?ܭ=ޯ>QafnsrpܶQۮGۯJQ_cqpcllk]WcjkşC[ WVUVSRQQRQRS +QQ P +NPf5r籜}斅랃o\B7#2->#jBn̞轍㵊ӏlX72-4- j2j5k5Y,dYn:xx))5<1-h1eYp8y>ڨj߲q߰v}羆⻃ݺ|ݴz޹ݷȚͩˬѰճ䲐ێsby`{ceol܃d݆g߇fމi܈ky܋lڈh؇e}Tes>v:`ڑ;ߖ1ޗ1ە.ِ(׏ۆ oh_]X`Zfhidcegefdb[QRSZ]h#ߠ0FݰOٰSخPٰWٰVײYسZرV֯TذXԬRԪOժNҧE΢@ˠ?˝:ʜ7Ƙ2ϣCΪS@5i decg cc`cb^aφLctnhgT_TTKܭ<ݱBߴCBU``miojܶV֩EܱT߷Q\bjnonkb޶RܵR]ڳPbݹcfWYSVTUSQU U SP IM UY%_+_ֹϼ{qe\c_`_td[EA15 4;`?ٜh亏嵊幑yVc:`:P0) +r1f4e4[*[1uKDƣIܱLXkorvv޺^ԧ?ק@ѡ8Ѡ;͢;ݱM_~UQPRVS Zdp0v9MbiȬŜҴؾîkbca^WONC;@->%4"4E*L$c9֋_٘oٟuᴊܯ{ZuPiFcBfAK k.[,T.V/a9yU gv}"0,my|119|5l$ΚbВ_Ҍ_ЄSNzIvHlJ̈́]~߸—ŞʧʬãğơÛ軓榌ݒqۇiۀcx\~\ڄ`ތfrߎrۈkۋkvԂ^hC[7M+{Hp6yDՋKv"y|yz{΍/bbaZWTTT]`^__`^\Z\SDDDEGYZcڀי*ї0Ѡ;ΠDТDϢ?͢AѣNңFѤG̞@˞>ɚ>ŕ5’.ď-ē3ˠĮPЭY>0ec c f d +f babd~DWUWfffjed߷Rۯ>ڭ:զ4֤1Ԧ0ئ6ߴF۳GQSo]ܸQuѭQ޴V`tmkjḅC͜4˜2Ο7ժIׯLڰK٭JYɤNGUũnɳ}ō˛Ϡ۬rka`VLMA?5L6@)>&13W1W.V7dBǂV٤r庋Αa}TvVjOeCf@a@hGC])S0[=mI;ru}[kni n,:u)̟aҬnէmԘhԑa҉UMyKm?lGhCnHٓk踎㼐žĢĝݲ}YԂ]l݈gڃguۊiڇcފoۇjنgهhՄbىcmIY7J(d4j2e1s5m%q%u)t%rpƋ{Ya[VTMKIT`_Z`Z^VVRNDBAADQVRe ҇Γ7ɗ9Ǘ7Ǘ;ʛ?ɗ>ʛAŖ<Ș=‘5ē:Ŕ721:ɥṰTѳ_A7e eif f f fg fs4UӤ?^k_ZbhngҨDե;ث<׬:ګ=Ӣ.ק6ڪ:ثA޶O^nlq؀kҩF߹V߿_ܷTݵSҫBխGܵQim߷OԩE׭J֬HQٵUަ۠ldWMRH`YYJH2>(612D'Y.b?֔m䲄㹎渏xOyU]sToQd:dBgEfJZ7ER*C֯]5!}Z |VoITUMؽʔ̘đҢmԗfא_׎[ԈUсRvFrIlF]7R0uQ䯃ܲํžŤ幘井єovZw_y]{_z]b؃f؂iكgՁeوj҃fՅjuVV9D(Q.d8d-f0d#eedefݩPkQDŽ1oX C;>=FNVTNVTT[RKDBDAISPJW~Nj7ō8Ő8ő;Đ6Ƒ8Ï63Ê2*)+9ŧYָiռoδjJbc hfkhigj ߡ?]ڮNfkqխNbYbb`VS۱Cժ9ة8ګ9ڬ@Λ(~ ר?gbr||yʧEرHѦ=˚4ԧEӨDծG޼]i_ɘ/ѡ:ԫF޸[۳Mהڽjfr_ͅn_]Y^Pe[[FM5>%8#4"/0>&fB㩁䲌繎̋msWuZەxىrՁcyVpGiFiItOxLz@;{)<ʟH.ŞDǞK-~,ٱrŕݰ˚ݼḆїlԎ]֌\׎^ԅ[҅W΃VwVX9S4T8jQ㭅޴忘ඎ޲ܮܮ՚yrRtXy]y]z]}a{b}b|cԀgՅoՇqՇhR7?*N.]4d7`3c2c*cbdĉHٵѧɜֿնtӪcϗXВOыB{,iWP@ACAMUK>Hi~&&-,0}$z#z xqSӕڜ̭gؾtɋءPgeigd hj̔7Տ*_qeamqfdݹWedjTٯGخ=ݱ@Λ&֧5ܮ>Ȕ#ĊߵI_ggw~ֳW Ő)Ɣ1ң@֫MذNְLԬNխJŘ0լBXܹTxݪň׵i_io^Y|ܹgYledMR5H0D.;!5!/.4<"yUݦ{䰉䰄蹔ˈdjMkQdՀf~^؆^vLqSrMvPqK{Jd*Sa2ȢI3{%fx/ǑXɚ̚ɚǛԛn҉^Ӊ[҈ZՊ`цYЃXyVc'<(:&6".-.+K/ڜw~௅ޫ~⫆xZnSu\Մe~`քcԂ\]fKuRvPkAj@o@TN Qr*ofVXKբةʝē̟Ԛiш\ӈ^҈[Պ_πSmClKmF6V>mL^AQ4~إ}բxکݲ޶⼚ທףs]t[jOnZpSw]hRnZqdjQoTmS23B(iDQ/S2S$Z(d%b!o.ď׽׼ֻ׼չپؾջǙĘɝˡʚԤӠ֦ޱ߳ݳ̘Ӿʮw]O^)V:ĚϵmȃբשԤ׭߶șE@dafg`linnllfa]X޴GܳB޶Fܰ=٭7Ν'ڦ/ӥ3Ҧ5ԩ;“&ǚ*athЭHӫFׯHԦEԫHլHөF۱MӨEݻ^eǝ8ė<šCŚ>ҨMflmlgcarՊo[A';+:#;*4%.1 (0"5%鰐٣|اyˤě㮊xZeJmQۇkx[y\x^vUmIsOmDj@mDa4c:V(PK M UPG ݪtПѣ̠ǗЎf҆^҅\҅Y֋]ˀXd>uMnH;I-\DfM^MYGܑo՝sګݱߴ߷ݺ޺ԢwYhPkUkPeQfN`JkVbFfGgN9$,8!U;L1K%ER)c%g(e(‹ؽӸԹԸԸдӶֺչֻ׽Ô׾׼׿Вďǐɖ˛͙ΜРҥثܮءʰolj‡դ̯֨mڝ,Ⲃݨݨß潑աtڤvܦvЎkjPxZvVpNpRpStTxNh>b;X3Y(`+Z+LQ'OKJ˝Ȝ⺑ޯ؛pˈZшUӏi㼒٩ыeՖiآuЋj;F&mGcAT:D+=$<&ۯڰ۱ٲڶթѡfT;R:N:Q=XEP>P0>/ܝ٫ݲի׬٬əuŎqcPO8K0U@L7U@M5T>N:L4q"19$/XHZ1f6m:˧u׸Ӵϱά|Юί~ѵбϰϲαͭ~ήϲϴ~δҹӹҷϵееӹмѻԽս׽ջּ׽׾׽ÑÐđǏȑǐÎɯuN͙ɓҢĵ.Hgn`qzyurslݷ]ioaXcYݳFLJ޵Cڭ;Cݰ7CQPR\`djo3)‘(Ѡ6جEOVSZ`mnisup޹bb߹W]߰Ӳۤٓzچo<,7'7-#,%-+cN籍x`|[켑ⳆߥޝyԕjՐezZ_[yW}`wYttPlF|[Y2B87O.K#]2a>˦٫}͙izRڢҟyզʫدsG{S`6Q3X>nLnDa7cCր\zTgK^DbKeMؘ{Ӥ٫Ӥ֧ʛzmpL;L-Q7F8H5I9N8D1K3rc aqB%xT_@Q,U'Z0gԳѰ̫{Ϯ~έϮ̯̮~ͯίΰ̮ͯˬγԻˬxˮ}Ȭz˰~ϴѶϴӸжϵӹѶֻҷӹּ׽ؿٿ׿ؿؿƑսkJǐԿËϠͧ.ҕ5Yisvx|{nkprspinaaaٯJN޵DHܯ=޲Aة4ڮ9ݵBLM۲F޸QZirڼ_{ʛ*Ӥ7ש;کDݰI߳LݳK޸QUkprwd߾]mf`^ܪ΄iEݨ㳐ޛn\O69"M2/#(+)﹖罒ߗulIbKdWkNՀZtޕrҋdь_̈́ZXuSuS}`؁dـdւdփ`rGyPh;_6D!<%:!M+_8c7쿒ׯΙlƆ`Ʌbک֩Ģ߻ˇ_O(`DeBR4P5pG܇[`3S1Z@jLmLlIkq\\B΍uӤѡϜ|ȕxnycrYC.J77(7070]Gzcr``Jx2Tc +q +y (4%R3jPdmpoݺYbbb`aԟənJǖw͇o寓ydfWcOB*;!1$)"m^븎ߕyaJT:`EdLeGkNcCwUzQ̀V΁^^vVZԂ`]ےr̀XyV\|[Ԁ`iDt}wQ;:;ڞuѡr˓g~X֝~ğˣǤګ0C-X?d@V5mK܁R[P&M+N+qTT3~\w[cE4$B8g˜|ɗzős~coYvWK;1-,!2(eOo]WD%cO8&a +ry} } w G/|U̥ʦ~ǥxɧxȥy̦ẉzÖo\”kŠv›r vxro§wǫxƪy̱ʮ|˯yβ˰ϲͲϵϲϲееӸҶԾֺٿֻֽе{ǫmѸ}̱xbF]Ʃkihmmjn)0ŏ-ܡ>_surw~yryvs߻bծZgn޷Q`bd^SOE޵>ߴ@֪5˜ʟ/˚*լIg`d޼^ɢ?͞/Р3ϟ0͚%ѝ#դ0ѡ)Ԡ+ک6޳I]޺]fdmjbhc\ȇбdƐjڔ{gPבxo^jZQDM=<&2"$"ﲘ⢃`KVCTA[D_FgMlT`GfOR?lSӁbхaxv鮋墁魆媅⪇嵕ݟ{͆_zؠrښrߝwX9=kDڡ|ΝpȐjnP孈ʨɤӮc. M4dB_:{Tc8K I R0XW;;)M44<)-'1&UDƒrˡtdoPfOJ82)@9_O5-r`] j svyu 4(sPˤßwr^eAK%889<<D%]@rTrĤwpoħxĦvūyƭ|Ƭ{Ȭy˯~˰˰~ϱαгеѶӶչԹԷԸԹպӷѴˮxXFT¤iPYbeNq!&ѕ2KhqitzЄςwu{ڲTʛ:өMrtjaddaLܴ=ߴ>٬5Т-է4w +WlׯCݵO^_cۻWЭEʝ3$͜0Ξ.Ο+Ϟ+Ӣ,֨4դ-ԣ,֥6ڭBS߼Yikwmgi^[~˙lN`D՘}xe]D`rVfVRFG:?/.]H稍hUTIO>QEYF\EeOaNXEXCL9F2x^؈j]u~Y`Aw[׆fَmٝwڝzڠzীߥ|ܢwޥ}ݠ{⦀٠yߩӝumR)B1^NYIx^Y;?#('T:qLc:K$I#EL({TM*P:B0:J54)/!TGf[gXĐrmsXQ8B/XG2"w{XK9)c nvws*(]IÛwl\>:"0+5,& " '(*29c?_vwovũ{©}ũ~ɭ˭˰ˮˬ~ϲΰгѲԵշѴԷѶӵԵϳ~ˮvNFZVI\XXElʗ>Ȅ%Ll|~׌ӈՍ~sqp3’5lsqolfmaԩ7ݳBܳBը1ש4ϟ-XYٱIڷOYZ]ԳQϬL$Ö+Р2Ϟ-ѣ0ب:ګ<ب8ب9ة:گ?߶O\ggntsjV[ňСyXiEmN⧗o^aEu_hUgYWDRGH2*4%塂kPXJQEN?K:Q=ZCbM]GXAT>H0?-K7cFnRcG]A[C\HcLaDyTזr֛qੀީުڠy۟zҗrΐqюl!) J7cJB&G28ԁTV)N'P)M%X,nCL#ZA?+=$@-3!(D5aZw xbi{aO1Q@})r tr t vVIL?b f qqr(&VHqX20%#7#Q5,! "(" +&$'+7iDlejfx{}Ū{Ũzƪ{ͬ}ˬ{ϯ|έ}ԳЯ{Ѱ|ԵӲϯ{ұ~Ю{ϮyǩqL>>{:f-zJSHM@Н8k +Aw֋ՊЄπٶc۶]ذZ3ܶ[qtuhjia[ڮ=HF۫7ҡ+ڮ;ɜ-զ7PVZYݾUϭGƣCĠ>Š:—.Ǚ,ӣ4ԥ5ޱC٪;ڭ;٩8۬;ګ;HQ`hlwrlXYعz͏f=O&R)_<ڦzdmV~meTdU[N[MVBcNքrYJP@K7H5L8P>ZAZB[DW@J7B.6 >0H-U:ZCZDR:O=RmjvcXB<,m o i hm s y{}:6]Y] ` mom|#!*'#L4Q?(#& (! # ! (2K(`ifktvqm¥vȨt̪wέ{Ϯ~ѯЭzЮ{ϭzͬxάyϮyЯ{̬xãkH8t)aG.;'A,D-},ʡ<բ1l +ߨGqсՈԉ΁҆҆́ЀoزXfrssgfc]_MQNܰ<ר1F֩3ե4ר8߳DݴHSXٺRʧ>ɥCնWe)ț2Ο0ե9ڬ<ݰ?޲@٨5ݮ>ܮ=ۮ=ܵKXbimj߼`\SչphP4f@pD yQ/^ԕqz[qX~ibR^P\MZKH5xhhWL@K>I6H5QD[H]F\I^IWEJ9F.6&='U=X>S:S@N7N8L4]H҄k؟z᳎ޮୈ㯍岌䰌洐ؠ~(>1?/9090628/."(  ݔrb7T)T*_4b4vP[1F!20,$~$<1`V v;2rlNP/Xg +e l f + m +sv81?7j\gmpts% "/!3% $!!"   +(.I)heholqmoĥqȩyˬ|Я~Ϯ~ϭ|άzͩzͪv˪v˫sΫvƨtcA7s+eI +8'9+Z@ h˦H׫Bޯ@}SqрԄӉЂӇІ͂~ΩUׯVrxwiffbXVJKOG޵EڲBƓ(Η%ק8ٮ>޳K޷HUٸTյWټ_bqŞ4Ŗ/͟6΢4ӧ<֨:ب;ۮ=ܯ>۱AڰA۳DS]_fߺX޶UݷRߺP׺s^C U3R3 Q2 M2 WٞxuTqV_IbReZWOQ<@*?7TIM:C1D3L7K8\MhPgNWB[EUCI:>):)U@VFPgbDW_hdcjl m +x0*M:oT +Xnrpvw2"#"" $n)2 ! !&%+ X4cgfVnlol̤wȤwϫ{ΧvϩuʣoƢsƤsǥsɨpɦnåp^|8z-h ?-0)`$ʠ?ܳNۯF٫:Б/Bl~҃Ӊ֊Ӌ҅{~ҬWԪOrrxfڰKҤFTJNKKڰCKݳBԦ4 ש5Ҥ4۱?޶HYغUaedvԱPȝ5Ѧ;թDש;ګ<ج<֧8ڬ=٪?ݲIR_e]W߸N޵LN׋hLxO$uJk<j<_1mڧ~~\fI>.=+C6I9M7(;4I9J8@/D2KASD\NcPfUUDXGXGF<0;1WE7-/@0D5K=MAYTULYTRNUU]RPDTKRDPBUBT?SAS=PKN޴EܱBӤ1Ѥ6ٮE֫;ح=۲D߷H[_a`cj|̩Gǜ4Ң5Ԩ=ڰC۫A׫Aگ?ت;ݲFQXQYV߷SݴRޭBڨ:Ę;ΰs޻vzNuKe7^)^-^'m?xI]6kB{YhO;-4,I9( )4#A5SGQLROUPPSLKJMECFAQLREUEXDVAWDQ=Q=N9S:N;O=S>QAQ@]JgOۏnܓsr[^AlLmKmN`{뽎洊ʁe7*=/=-@-=/J/I'M(W*Q,T,=-|u a [ Q L +K +J +:722+l@m0bzTmwQ{T}U}T[s5v3]Ke^ g"T [ \ +b +d +i msv}}-G!ҡxгئf_F}|+ z% +r%X7[W,/..240.5/ . - 7=K(MYDp*k!bBdh :ҬQسV[ڱAթ<Ҥ8ŀޤ=ݳUg޽ftхЃԆЀπ|z{tձVٵXfdSRLNOL΢4ŔĔ ׭>۲=۱?F۰=HS`gdlvs+ϡ7իFٰD׭@ӣ6ٮ<Ԩ6E߶IRNUݳH۱DٯDܧ9զ;Ę?Ƨeߠ\d7h?h9wBv@sEm8ƁOZ&N%Id?pNP=?1?5(%"H4THQGVPJGNHNNHDIGDF<:NLXNZNZJWJVIXDT@XCSAVAT?T?U?XCYB^JbJaHhMnNvTnKeG_ClCn崈٤xءu<&=29.@.A2VE5;-+G;XMQKOKMHPMNONJFA=:64<@VUXMYNYL^T^O]LXHZJVEQ>XCVB_J^H]G`IdNfFkLgGc=_9U3O/P2tTΈ`ƂRɂ\4%7(=-=)Q9_8N'X:Z9G=4*v +a O + M +K C? ;976@|O_ ~UyTk[vSyW{X|Wu#}Y~Z"i*_W +S +VS +JR V [ ` d jv; b"\^d/T&zGyC +zF +xE GNKG!]4qLҀbWBjV[HJ5M?tfWSMIMJQPLMJKGHDK<@;>LMUNQKXN]RYO^MWDXI\HT?ZF[EVA^L_HbKeNfKjMaC_?U2K)I(E)@R-|UחlZ>1D,C,D-K4O.J$[=J0B%9."r Z L JB A@>;::e3UY}[yWiwUvTxVyXtRhp#yUi1WR R S I >KNP +Z \ o5[}Xl#tSwVuStRqOqP rQvV _wA k'hnjV= ] )&(352-  & ($% !!'1K +8Ɨ>ʛ7˚5ʓ,ɗ'˝-ɗ)Ē(˗*xޛ8aou}}vo~}uwreeܵQ̚*ը?:`UveiaVVOLMHFDGKKHEHBKRXPQRSTSOTXSWOZQVGXIYLYJ^IYFYF[GfQgMbOeR_D`F]GU9J*@#=?%P-Ӆa{\_?.=0[A\EZGU>J+P0F,B%>'7/#t \LM +B>A@<? IxD T~W0ivUuTwVxVtRyVwSoqOi:WS UP +]($; A@G + K + TX%}]wOxV SmMjOjLlNiJlNlNsU zZa"mBm+^U> W} '*+1.+& "'+& %$ " "( +,]&ʜMə>̚7͞9ʘ3Ŕ+Ǚ/Ȗ)t xLsy~҃{qyuvxmdYS۱KTWQNR[^Y߻Q׭Bե7Ө9С3ڬ;گ=G߷GOPM߾RSѪ?,Ҥ:Ҧ;ٯAڳBHKQUFHܯB٦7ӓ$ʤQǪ^OxT⤐oqI}KQ#_/W#`+`.i5˒g䳊䷇ҌjoRjNmWޚxd]P('37XO^Ka[TSIHDG@DILGINNOQVXLITQQOPMWOXPUMVHUETDRBWGXHVE]K^JcO^K^IV>P8J1@'=%05<(A)N:A5C8[C^G^N[DQ8I-<":= Q3C0-(*(/(6*w!NAAUS[a, ~NWvR=pNuTsRpNnLsRsPzWtQnIh@X)Q QN VU+9 :<B ]-\jJlJxX |bsSiNfIfHdEdHfGnPyV }[x\xUU&Q2 Kv "1%*.,*.++.( %# $!#&/ΘXʛEɘ;̝=ϛ7Ɣ&ē&ʛ.ə.q j օ&R_w{yx|}vb^^XPRQNOR߸OSZXR޷N׮HҦ;̛*ե5ש8ܲAJROٲA߸L۶EZ^Ȝ6Μ+ש:׬<ݳEK޴EHBDH۩:֟0э Α-̫`ʮi>|]妍oc7k8 +n>m=rAwD~FFԨz۱㾖͋kW=R7T9mVr`LA++ I@vfUMNIDBAC<;EF9=ILQPRQSOPKOKQNVLNE;/D:NGOATA]LWCYH[K]IZEZEU@K7E/="3.B&7@%}  "?5RCWF^N^FTAR;F/X@;+#{}t q TK Q bs1(m,l4{N }WxTpOuTsRsRoNpPoOrRwWwWrNfDT,JPK O`*#V-$+ 7 8[4]k'rTsUv[hMeJdH_CbGbF`EcDsT +z\oPtYuXG%4 Hk| #(.:#7"G/-)%' /$ & IșHș?ŕ4Ő*ʟ7̠:Ǘ0n +\Xk ׍*PkovrdkcSRV߹M޵KܲF޵IL޴KڭDدFݵKVZߺSUݵKگAƖ&ѣ4֧7ڰ?OXܴEӨ2Ш1ݸK\dݹSē%О1ڬ<߳AIEAݭ=ب9٤6ן4Е)x ϢHĬcêdnVԠrЏ`Ɉ]zLc4NQ w=V-{Q߱⽚ݧN5cQkTiQ@+6,@:817-&PGVKMDC?><:9810-16KMLKMMJDKAI@9+4%/%) F4I@K9T=T>WH[KZFXCRĪ__ZQ7϶_ŏXӖfӓcі`טbښdє^āTnKiElH}diRTFjSQEA1[MD0<4SHTAfS^JhSXFF>;3807*/+&)18QNSDF8PCB0D0B3%.60E+H9!v +v 2.B;I^B^B_D`EiMmQtVtS pQK#Rbt{   #%3 A%ݣ㿨౐L-'!xV{%y"*#0$qyOc<"t ERXih˜8ɐ*͘5ҡ:ڱJ߷R޴OݲEΠ7$!$֬NڮOթCΡ8Ϥ5С3֦9ج?ح>ٮ<Ԩ7ʠ-Ч:^`kbݽYΠ6ՠ2՞/Ӛ.Ў Ԉ х̄~qÉ2ƦZ_©eTK7ͲɴyHm8p=}FS%_-f3}LȆWZ:T3U;K2bE>+1$2!IDF:I=>/;7M:J:D6S>dS]O9/5,8-C11&I:SGQDVFA29,RAE5.!%$ !>0J=M:S?RBM=B1:/2*! !3!9,4!0!-%y |{j + 81M=]K&}wrf ]cihj +s@ wSrPrQvSvUnOrQkMiLgGhHjMjNçOwX +aC D? GG Y(%KR'!E## Q8Y<\@_EjOkQgPeIbF`E]A\A_D^CaFeInPtW pSmM +dBN\mw{ {  (,=%L3F+#  + }t8 x*9@ne]-ɛDʟG>y|Ҋ,ݔ'NZeڭLƓ-z"Ɠ,Ȕ-˛/ש@Ӣ2ǔ(opxr{|*/Ǜ4΢<Ӧ=̟0ש7Ң/ը9ت5޴BܶCڵE޻T[ec_Ҡ5ɉɁwmfoen3Lǯgïlh\FTEջνwI*O*i=`2 h9l9 k:m9 }<I1L5:(P@u\fPK=:4HT@>0:,,$')!(.$'0$C:E>VINCE>8,--B.*!&3'&%&'!1.7-v +?8P>v#~yqh akks$i!nBtQrNoNuRoNoOnNhIeHdHeHgLhN1u&K3> 7 6 += T#Q"K?@/C,R8X>]BcIkNmRcJ`F]B\A^B]AaE_DcFkLmRiMlN +dD_9Q`gpnx +  # ),! #  xb#w,EjZ:T:$u-ɡJɠLϨQسb&p$ׅ.JפFϢB׫KըDɟCƘ5Ɠ*ɗ-ӥ=ѣ:دEc~Nllt(',$#&ѡ6ة9̜*̟,Ӥ/ث7߶J߷K޹JP`hۺXbfQT]cp +r  7N\cR6$k[2¯}P0M'K)U*T(NrAvDD$E'3%3%@5\KH4E5`M@06*, 2@7A7?48+:5;,;-A6O:S>F<,+0)_GWA9,-(-#1&*$F:?)&&54C@F>@7>8)(+<($#!9*<0!$90MAE46-*#uo ~!~zvqk x4"g\ nArMpMrPqPrQlNmOhKeIbGcIfLgLGmR J470 +3 +9C X+P ?1 0 <#O:S;Y@bFhMjQaI]E^CZ@]B^C`E_EeJeIgLmQoR kM`;X0K T_ioxw}! +# )'# +# +"!R*Te2QZť]KQK̫UϦT?Bj Vci%Տ(Ԇ#ݗ9O۱R^f_[Zf]Ǟ=zQ3k !%*&# Ț1ѣ3֤4Ԥ0Ԧ4ѡ0ڭ?߶LRVceho _[dlq%/7Rb]U;E0vM˷rOk@X-S+K FER(Q4Q9D'=%9/9+4+9/A5D/?,4%2O4ZJF9:0G:>37&;#K5A01)NB-;., *'(#2/p^I.4.;/B8D96/)"F9[I3$' ;-&!"SAaT%( "!~yqlnu%B.f) +j@lCpLmLnNqPtTjJfIcFbD`FiMnRd`G B/303 +: @ @ +@rM$`>. 6G0R8X?[B\CZB^D\D]B]A\@]C_DbF`EaFbGhLpY pYaD^9N%@LUajry!#0X.{PӛjềЗ՗ޡߤԊ؊یٍ؊}Ђъֻo=sW +tQ lҪOg֟BԜ=٪L߷Zܺ]jeglڱRײWjܽjv˪X7(*-~!&'ɜ1Ԫ<ب9ڪ:۱@ܴFٱEڱH߷OUaisάNgcr }$&,KOX[{AV5R5bŵʹaΓfNJ`Ç^ŌbŌ^c>O*X4K1I6>-8&QHQD>4I5:.3#1#/!\JnZYLE4?.M?F69*A,]HRD@1<)6!,&/#6)7%6(B32$+ )$'#ZNQ=69'*2*A7?=512(O>/82;1:*}}|!"(eW! #$%"-"|omg f G*r7 h?oFmGkHpM}a{+pNfHdGaE`DhL{`{_T?>,0((. 1 / :mN*fK':/9#F/N5Q:T=T<V<ZB^B[?Z?^B^BaFbGbFcHfKiNsWfKaAT1<= EQ [fj-g>Ȕe㹄͕ԙ۟ݢߥŕDĖL;D֪_ẋ~+qJtMGՃxurhcpgڷeomv{q׵dճ_նdۺfݻdۺbΥ<Ҥ=ת;߷LKݵL޷O޸NPY]nvh*s||'(@MS[fMC#P5T:{Lzȥ];c8kEwSˆ\ȋ^lC]DR3^CVFG6K?D6G3KB`SX>902(*$0(XGE88.4$F4<0C5C5P>hY[L@2D70!$ 8.A25)4-/)*/'3,0)2-A7."4 6&1 !#78B>>3*!4,84~ }t t =7 %"#$#$##$(%*)-11)!~!zmmL6r7lFlGkFnKpNy,q*jOfMgIaF`JbKqY ~c K5=-1!!"# 7X6nJpMQ/@$2"4&<+G5G3H5N9U?ZAW>ZA]A\D`EbF`E^DaFiNnR +pSbCW7C/ +5EG {@&ƜtΞۥߤݦ̎ÄήqW|Bb*WZbUv5ϫmՑӺmwwFhܾq؋zyˁԮ_ҨVhsz߿qvuttnlٴSӨC޵LP߷LXXWX[ZkyٽgϳVnsv,GKXYJL2F.I2_KuF~t{ԻϻpN._=b>~R/k=F#X9eLO;SA@0A/Q<^MD7iYwfdT^P;1/$90TDA1<11'1&;.>2;16/;+G5H9@6?6*!%#-#@/?1NBD:1&80A<0,,$*"& (+*%$}6.MF.",! |~xu ~'$$|"!)!$#!$"$'#'%2+& #( w"u%C(o1mElGlHlJoNy\r5gMfLdG_HbHeOzb`LK68(* !2\;c&l$j#h#o$xX qR ^EK5=(C-K6J5P;S=V>W?W>ZBY@^CZ@hOcGhMiNoS gJT8J(" 'xO0Ϫ֥۫ԡđөrOn2EËMŒK~g[&M̯vٳvҘߤݿg2v*FۻqݗՉɢJ͟SϪ^ww{ztpqm޼c۲QدFڲFݵKQTV[[hovxmts+1EGFXu^'6!8'E0eSsEwooyz|վl@"qI#tP.rE%tE"K.`KmO[ID.:'6#G2cPB0sX\D[KS>G85,++:-N@F84%5%9*:/-'5,SBaKJ58/.++"%!=)G57/(4&:/,#,#, 8-)%!*$!>;IB?::7&#)#*)!'#~#twz4&ty~~{"+'/# ! "!'"*('/-""|z0?"l1lDmHlHmJlMһeIdGaF_HdNdNl%T@F27&) +>% +iH}Z_ +a d?Esc }\c +kPW:J5E0J8K6O:T=T;U=X>]E`GaFcHfIgKcHdLX9K)H- uNǘpck=S%OR(d9ď_Ӭrʼn͑җޢҋ„Ă֐ޚܚޜ֑Ћʄڱdu҈ߘՌpϪSҫ^x،ی~߿xvu}{{{xkb߼a[ܴM߶M޳MݵHڰH߸PS]ov}ЂzɮV~(O§VNL@V@.&1 6&hQ$qEsH{KjvxzѸŅcDU2W0^7R4eNWClQă`M9@);)A,G5<)I3cKUC[JUC9*;0H:?.?0D4C2C4;)8$-3&3(5$.+!/'1.2)'1'6%)&0B0E=4.1,A4[P*#7)4$NFWN?2?6%'!/%.%) %!|**|#wu!!ssy{| &"(* ###!!#")')6+-)## }x}$>+h5 f@hDpKoOkNjN _B`G\CcKeMs[N87*0%%<) _G uW ~[f~]gr"{)KÎ8˛KˤUЪXԮ[׽knvײf;Wb@X<x^#׺qzy|srrf߻_ڲQ۴L۱KڰJӤ6׬?߸Q߿Z`jvЁӉtpĤSֽrѺuNOQu73!/!7#0"jY)p[0iNi8TqwyʌeFH#H&iIp]aHhTkZ_IX?N<[?A*M6H8D1RDpcjHH9E8@381:*2)>-+1.!:8722-2(,('"'!*&+","+"724+1*81.&4$UD]NkZ=3:/&&|4-<,,#!|zxvvz}$otz{|!!" # "! !""77,&}%"!"!sA)e4fAiFiFiLoQ͝YiK_D[BYAaIbH]GJ57),#$O< iP zXa 1ʣb +ee v srj bb^qPS8@/@/G3J4O<X?]DdN bFeJbG^DL.dFq?iÒک֛ԲvǦjn2j1i,c"o,eЗOˆ?o(WO ^^UL N g&w2{2ԥQipӃ҄u֯gB>|-QY2, hOϋІ|wvr޿gj۹[կJٮHײGڴMҨ=Х8حCY]kyЀчulʫ[ռpռuERNWC0 7%8$?,lZ*P=YAsX(yJ_ivw|˾ȣrMjFjH]BbLjSdYbRYLn\[J{hmSn\PATE_JaQwaXH<07+80.$2(XR]K>+?.3#<-C6B7RAQ8.J?UB0%0*2&-$'"'%,!.#-%+!4*(1).%2'Q;<%(~% y|}&(|}" } vu|/+)-mx|z~~|:;55}~ ~ ~$)!x!x._)hBhFjHmLoS~^~afJ`F]EY@X@_IU?B.4"&&\D +oQa +~^ +fлu(d beuskgcbaoON7>.>.E1L7P;W@V@ZBZAY@j+ӹzєާΘϰuPq?`(UUKr<LUOĞjEq(w4x1=HŘRӮpܺ{džāݼ{ҭk?5{).֠Rۯ`o~ޕߙߙڕянxN~;ˊߚܖ́xpilۺ_خNФ>ѪBܱQҨFҨBڲL߻X]mv΁҈τɀ̰hҽw͵qFQ|i0;#=%@*6E+eQ!XFaM#pAzLV`c`pcGS1ZANCYOscN8QBYEcQnVuecTu\ʈuiXud_MVFC4829.B30)2'L/3&D83 &3)gP?03(2$3*)&$# ,$, ()*..%,#5-3)-~{! {|vxy{uurtq|.1" v|y~~~|87.*y}~ $&!$ y!0!a, aA gCgFmOqU oS +fKbH\BYAV>S<U>F4>,0,fMrW}^a +_bjm ecelfldbb~[wWF4:.?-D2B/K:L6Q;`FfӕۛÅ_SMqAY/Y6X1R)MQj2QҭsʒۤԍڷfԧW͚M?74Ԯ_Ўߚ֍qjjܺa޶U 3ΤFҭLլKݹW]t{́ӊщǀγj̳mǬgJER= B-K1J.M0YCaO!fU&iY*wi7WVXYajϐcFL0E.dNhYjUQDQ@G=QEXNsej\mb_LlcQFODTM\N]L;1F9E5=6>3B4C59'?->0=,cOO83!0#'7+E4;-F2A0F74&#%E33).$)-%.!5-,&1+"y{! tqqrtrstutu:/"~~!}~#"+)y!~$%|%!$&%#'z/^*d? +c>gDiLjLjKaEaCY?T=T=S=K8=06&'4'eI rQxV`_}]bdgbbbaecedeemV?/8(;,;*?/@,eKҹ֗ޤ¥eP(;88D^-V0RͩxȎؒ}ܹmشnʦZԯ[͆ڏڔq۹_կNѭI*{&׮Pܹ\ݾ[bt{Ѕ҉ӌzZƬjVEaJ4 :&<#;$A)]L aO"hV)o_1q\*xKY~TW]gpϗoTF'@)B0\FbHO4ULTKG==3>;SPODtiJA`WRL@;^LٙJ4fRpRx[ŋpÉn6 "*(+''%# "'$xuokils|+"qtqtuy[ML=-$*("""!1(%'2-4+,),#+!+*"!# }"-$}#{"&)!/#1%2"1"<#p1_7a<cCkM gLgH`AX<[BT9W?R8:)-   <, eInQyY__bfefhlk +cc_bdigm|"H0'6#Nܥ˖čӝݙϊټwʥ\ٹqۙ׌xrsrqrlpujr}̂ҏ͈ԹlB{2K6@,nRc+sR\6J1q`.]Mk[-nZ)ra0yh7|ORXWjyϼoI=MDLB80=7A5J::)9,kh^Y`c[Y_]ii1.ϒxmaOjad_͠rZJ:F2]J[DX@dE[D3N9K1eGzvnlRBw*#+'L:|cÎrϚwԙueCJ6@;-+~|~ xz ptlitoz(%y*$spprv/)n^N7,21)'&#))0+900,.'?.F(B/^f#_ |NoLxa+_QiW'nZ'uc6rc5vK{PVWh˺s@6<;1.60KCEF={+#kg b![,]:[<gK oR]@Y=N5J0=&/%   #V<kErPtRzY`agh +j +hִɹl,\abbi ilwWDכݦńڳqجh{ٲpҤb̠aڰwٲr͡`ƊWv?Cׯo޻zۻt{|}~߾x޻yخkծmدfz΀qΣTCl!Zy$ΘMڲbݹiΞIϒA{-1ΠNݷkẅ́޾mpǣWy-NxV~` FƩ[rnݿiv}wұXo~ʀΈϊ˃Ȯar+`CxVi"ae$`!yVyZ#fU$kY)o^.ra3tc3{i?|RT\e̗:1<1;2/0F4K9cTOQJua̞|z`y*rjrxvnhnz(&t#qv' s$m!hloq w&$t'YKgYWJB83(.,~%,!90<.F3E>M?A7D/J5jTt\o\^K3+&&w 8-:'u,!r#dr'|:)q4Z/R4Z;eG^?Y9R9C*9"-$   B4 fDpLtQzT~[bdg gg"Q͆g`_gh e +da ΎԖă޳qp۩f֤`רdw΍۠ޥ͚͖͐ɊܰvǓTf)ȓP‡ғؘܙܴ̂mҥ\č@50+9ǖRˣXͥYˠVԨ^w޼pƖ|8^@ +;$N6Ivsux԰[ͧRعb}ˀ˄ЋӍ̂зjjH +_o(\]f(o0eTi[,l[*p]/s`3uc6wfB5B2R=t%qjgkmi]]d!g$"a [^[P P RUt-+RJaYbWʈ{R?Ʉo߮P7w`mPċliu.n&X e^ [Z_r3+qfQ:?/|,(NArUU;6"gnqxuqlolmn s$}1,z2/C7z3.p!v" x##{.'TG@2>-0&p"m!h{.&y0%y6*{7#H7O77(~0'u-;)iRgRw5)g"|+$x$z*#}1)5+0(}1$j|6(J3Q2oC!L+W9 W6U4K.@&1,&#  + :+\>hDoJyOyT^acdccecdba^hduWѶhٛ|МVˎJ֣`͙U~sܾj޿otݿmrq}̂̂τ҉|ؽpjncZ}M +\"y?\JcY+k[)p_1p^1t`5xh>qFVWo̤`RH>>4JCHBHAUJx"-%on!6/mq%'e`i"8;p*,b "_n-+WNQ T\p,+IAWPnfcKcKv^m]ʘyčqĎpF4k$b"m,)>8m.-b^Wc }<4@+t&jQCD+F/jOls w" x suo},#7,}-0y)(p#s" s)"D:;7x'+(?:>15)}-h ` +_daq)!l%n.!z7%_KZJ>):'H3z3 5(E1l'g!l"4)w-egd\[fo-$s0!c,P! +T-S,F'7 ,)%   +L6 +a=mItJuP}Y[]^^e +j haabb^yWLƋӗTă?Á;آ]ڭf?QY Gҭs͒ϙԝҙ٤ݣٚԖNJ׺yέiϧ`˛S΢YɒHf!Sv4їQۯexגۘʃ̃{ρpkwʁ˃Ɂ̂ˁ΃І}s=m"x*m"i'{=q4ZIl\,r_/m[.p_/ra4tf7yj8Vb˖RG<39/XBJ>D?UNH84(;0NEGK@7KpUB>+;)}6(n#{.<.90r't%{/$s+!j#_e!Z +S `_RKFC?.'&%     8& ]8a;oDtKzQ~W[__^e +a~[]~\}\~_x"Ր̏?d&x2ΐGɒK:^u-׭qҞܙܕܕщ͢[˜`رnwٳl͢SΜQ͟Ty׋ܖߙܘՎՏֳͅ_۷gˀ{~~шˀؽmåWZk!di"u1u9aSm\-mZ*pa3r`3uc8q_2yd8|Re˄1*4+5&F3=0=0GAM?_HZCSBlazhr_r5-j &x14t/*E8t4-WZ\ XWN H +J ]90=1K@F0=/E1p_bUv:*i+c#ad^f#`^XZ`s1%K=`QbRzhlZaJs2!\ mtpv#519440/*-&}+*z*&2)7->78,3%s!m"\[U +Q U ^b Zg$l("{7/ZGLx6(\RZk o w&6.PHJ9H<[HM:5.4,3!r`^V O O SXa]e$$f&!\#a$s5&h%i!j$_bdbaiw)&|+*z%$~,)x(&{*,z+&q($t+*s//k&#e`e!`#XE 9 +.$ + +   ! $ %J-G)N/U5d=lDkDtMvQwRxUwSvSvPuQk Ҕޠx<`5 b+= PȓإךݦءՓ׼wFz9w2|3}5čBجcАߝݛۙؓՈ3T,n!ɤQۼirtt|}̓{p#{Lf&m/tc&iX'n]1o]0td9rb6p`9yfA{jKhϚKBC;<0H;G@?;OCYG."il' t3+\Q U!HDn',f!#h%'h#']WY!T< NNE E W gN;H?;7fo!dp.)p.*d"l,'m2(n2'o3)s36v76EFrnj74n//PFUGL>G:B8q1(L +L P k')y*${(#95ZMI9O?cVI=6/}/#s&~2-d_WS ]MD`g(]c m-)x<3t7,|;5l("j' ebch i _S +Yx(,1.0/-)+)*'m# z1-l))p+&e\VWTQKD8 +5>$$ +'& * +  E,qYFuS;a7J"B(K+Y6c>f@hEkFmKkHoKoLpLlGгmߥ護THSd-߿ܛғӕώ޻sѭbœGʗS|ݠݜڗՍеhjJ X7pK5Ӭ]޽m|wuǁ̅˫`jm*o7iW lZ+hY,u^3m^4wd9ve>{i?i׿ͦaSA7J;YSojYJ?'5%{#rd[SS W}C>j+,X\"XSSZ Y" NLSK `Tc4!E5aSw lk!o.(x7/j)"v91s9-d*t8,k.*x;2a\xjm52v77C@~?8{5*=1p+%f%!O K + +K +\?4?4?;QJ5+YH_NH>9*z.:%q)"fa\`m.%l,%b% YTh.!~E;@6~:2v/-m##dbebk#k!!dNM^4/8:?;;3w%#[[ Zo(#k#k'%h&"^WRPC = + = +E7 +- / 61 / +_C2^MQHs:*h,V# EI%P-V1Y7[:_>_;aAcChI`C~C՗讘o2c-Qڠٗ߾zҫbɖLդ]ǂؗߝߟڙוɀ7Y8Q1aA\3ְcuؾvֽtyҵkw+s.o4jV$iW&l^/p]3tc9vd9tPwԺ͠OEQDC?TR\PMA{!s q^R RSRp/*m1*YOLOMTZWXVW]R hS@F7`VJ9r$a h$r5*NFu51q3'o2)e)!i,#l-(m5,MESEl4&OFy=6<8|<6r4)[M L + +N + +ZB5bZ<2<CC==z*&]S N + Xcq')p,&t3+j$]MG? @ @8 +6 4 +;;@P,c2l0%j/!h.b-G=D"I&K,P2T6V7X8Y8Y8[A ӹ~ߩڽ׹}vϩ`Jɡ^yڔޛܜۙדЉԺnnQ;%F-H-W9?޺oz{ʰhy4s.q4lY%iX'n_1sa6te<27/-dS + L CL ^q,&t,(k%a#SF +? C< 8 +7 5=83 L \+i3$k7%g3 d/X% 62??#E*E)G+J.K.L.k8ީߗޕߙ۔ٔԌܕ֍̓tܮh٧`ׯi۶qݷyܵsԨeܰkąי֖ܣˎݸ~ܵrǁ}ƀהܛޛݘЎ˪fz-Qٖ̃ۚۛ҉u<<%A(7%6(cCƢ]ھr|Ɉ̲or,~f#j0jW"kY'oa2sc6wg@e׽׼ּ[]OZV`DG3)M9|c~fzav_cMb%_#!SYj21WWK NMLKMY!o3'u1%fL S r5#fSF>JAu-j :0_HMAF=ICs6&k/*y81{?2N=H=i'%l+(N?p=4?;q40`"H F F +K f C;ZRA:404.4.E:8&8-da^`\]]^f'%m,*h'$s3*~E7^!\]]`z1-p'k'k#ZB += + +> + +> + H b0.=5741/r"W N I C=M_a$UWTH QQT"\*!W(=8 + <n@6c3 ]*e2c/b.`+W&B-7<>">"A&C'C%ȭvިώ޺wϨdӻ̮uҠY٫`٤Zڪ`ت[ԢT̛OƐK͗TӣZث`ϢWKF=ƍF˘PԤ_Π[͟YǕUÏNNOHDs0B̟\̞ZɐKňD>…@ÊEnjG˛VӰs̉ޤڙʁġUDҳi֑؏ԍzTS6<%2#-4_(ϭh۾u~~U,HN[)"wHAm5!u(nQa!C3UO.(43v,'o+$o)$gp*#H;~3+C6I<[LM>h1#g,%t75C4VJ@7\QD>f+)N F + +D +H N j""1*0*/(3+>44.3/1!A6dT [][[Y[_Xc&!k-#n0(]aU \m##j akr-"K +? +> < ; C f#"}.+550)0075gR O?96> H V VYc&F7O?{J;q@.])L +DJe1)Y%M`-c-e.h/h/g/Q(7++-02L2Ϣ߮ӖvўVѠX~<^{?Lիeǂ̉ˉ{޽tܽw޽|}эؘٖ۟ٚۛݝߣߤΒصzѪiܼ~Ύؚ՘΍ִs–Vz;VJTcBΪlϊޚݜܙȂT R̈́Ԍ̃˴kxW[9T2S3J.I*o-ˮjʲubCp6sa,l\-iW&n`1pa4sc:÷Ի׾ֽtfrh\PPI<.aKŠlocdnZh'`e)"_$"MQQNMK HKa/)WHT@m-S U{9->5656281ku0(?3l$!q.+y4.~7,u3,y;1bKk8'e'!v:4QOUOHHMJNGD<]SK I +LRw..1./-,(80703+72{+ s*{5+d!_!YZYVYWYa#d&"n1)dbadfchr+[@ = +; +? += +F b$|0-6572-,83w&&o \A:677? HFUg%u7,p5*[ UF C C +B= +E [)j/%i-o3$o3$q6's;'m8'Q"7+% t^;զߣתcӣ^ܳvƉϑҗל΋̃ԍ֑֓Ԏ~ՒܘܡғɫkǧmKe&]$>үhҒ۞ߠޠߤؘ˲iSv̄yt/^8Y5T2T6Q2W6tWqQfLP7q9r]'lZ+m[*m]/ra5|pLƦּ׼ؾ\Mr`uoVMC5H3O8_F^D{A-[VYVUSRMI J +HF R yL=lUYHF Ep7*RGD<;822z,!}5"PA?5~4'x2%;3x3&c LDW@f, e)"pcNCr.-|<=E?D@l*)M +RT URd63><8100/';3.+2*2&~1!t+z4(e#cg%c%!^[UU]j*,q3-GBB;u'"l gn!q+d#F @ @ ? A ? ? d#%|/2}/04/72203215~.4_F > +:8< <9<D I E +B +D +I I C +G L `#_(l."i)n,!o,s1"s1 u/$m/`&Y$D 3fרުԕݫg֙W̖Sy֛ٜńܫfΏI̅B~:ǀ;ΓKգY:k#ą=ŐHΥ`zٜܟˊֺ{βtӮj׶qăŀю֖ݝؔφ˫[BԶj}`?&56"="B(I-E,M1P2V: v?s[$iZ(kZ&n`0tb6{nFѲջؾ׽ɰIB^TcWKCM;L7*t&^ JPRP Ua%"ZS= +C +T +H C tD0eN_KY%L +c&A/8)TI>41+v*?0UH8-A0M=n-#h+%y=/KAx:.n-*D:s2!t5(|B5L=P@A1aI L QN ^z-"4-@7TA1*1+)$>=3-2$D*p%k%!j&'KEp-(n11b QPQm6,KHy54~64|*'nmhhTH A C +D +A C ? +Eq/*w)"y)"s't0#4/383666//p"#R F @ +< +;:89< ;? > +B KUY_h!h"cgj l&t(x1'}6*s*t+"n$h%f/ոץٖxЕMʊCסZˋϓoΖR{4p0ƀ>͓TϕUϕRϟ[ץbÎFy7v0{1v/m'p+DԠ]xܝߣ۟͐~ЭbЬaήaѨ\̥YȤQC{1ؼsλwaG ?#30-+*/3V?u>q_(jY'jX$n^/wf9zVӸֽ׿ʣC:C8N8C:=19)|+n#j'S +Xb'WP TWVS^%h*d*c2&VEF-\!K +k-&;.3+:0C??8B1o q)!|;-l-l+r5)n."u;+t5)o.'v43x85E<{>1H?SKmaPAl"W K I +M_u%#8-NJfU^K@7@78,=8<3P=P?|.%<5QOq0(k($aP QP O^d!bknlf U M +C A F H G HNSZ w31}5.w*%v*%K>?E G B CJ +M _f$i$c_ ` fgj!r%w0":-@0S@L7R3Z;եxmnݴlxnاi֨pӥe}=w6a'm/֥iϑߪޡ؝ٜ۠؛ʆҳtĕW@{=x:̟^޽|ӏޡڜϊӷmƠSڭ`Ы_Ӵgp"V Cxg&f:_6K'91+(+P?f4l[(iW'lZ*o`/ub7fֻ־ʞP7<1M<`N6#7,9'e!OX W a"VWVYR ^ Xl+a$[XI O i)z1#4%91<1TQFF>9t)]$n1$g$m-v7)s5$p1%s1(h&#i('h%%i''{;2:/y5:;<>7L@`PG3fSF+7/973-+($8.o'`^SR[ZQ +Z[]f:/=0>//$~.#y+k"m(jebl!!l#q)#k!mq$v(v&>6/'306:55.///53)-('pjmx"#{"|'&}(#/$8/0))'|%{%^ Vg!d hhkip 5#|3QJ7|>&<(u1L1\2c7j< o: l; +Z2M4 +ta5uc3tb4r_4sb5ue7wd9¨ؼֽˑM6E2d u%|/"q!t#jd h!{20n(n!o#|21s**v.)>8WEeP\GI8<+4$J6MGS@A2<6<0D5@7C66/948/YLdUaN_QQ?L۳wΓޣלƉŜ]F˚Z׭kŅߤܗ˂{~?T: +Q.`3e8h5 `7 b>V7 t_1qa/uc7p^2tc5wf;zi=е־̈?#y4%q/%n!x( mb]U J>1m&|2%w0%}5+|8.{/.<:jVoVgOcJA/@+YEiaL><(@6K?9/@6<1>5;3:)~)w$x#{"*~*iTI L + L LL + +I<{@0[ +f!WA6/<6[JUCA25*0%[IUHK=>1HENDK;?6?:=9:64278725.2/:3@;;:03).*%(")'/,>6B:A8D7+,53;0:1z0)t**m""m!!hnnu# }&51ZJUE4#3-/)3+,+-'-%,%-)-".(0.45-)0&<2=2C2;.9+7&{5x@B$n& n&u)x.{1o*i* c*V,޽ϖܢӑqїRT@Qԣd՘ˎѱwɛ[ƖTͣ`ʊٛϏʄƯkcLB&d;d;g= gAnBhFj5q`/td5tb5tc5td7xLѱռ׾|2j!i$j l[B 3 /R(L>k(u.t,$=6J;60A:bLoWcSTBR@`IeSH>=3A8ZMB3<3C<>4WKK:@7C>9)0'|$/"r +`O K W\YYz;0z4,v("x-#Q;5)6.dMƂefN<-5"+%*%/+/*214/<1NBRLB65698:8++,$3:B=C7UKOFZP\U~5,z* o&b"b!]#l&:.0(1(~/&x)"v(!v+'o"o%emq$~*3+aKqX_EQB<4/#-)1'1)0',#0&2(0&(#5.@0C2E6L:S=9$6 8!i+}I(K$L%|E$T.W+V*^3k7x@ճxʔ١ՒڡZz9I:c!֩nߪ֙Ɍֹyӱm޽vˆ֗ܡܚٚώʋ€o2=!S0W1W0T/^: kQtCqa4td5r_5ve7rb6dִּieX P D ,& *9\.G;w2*t,#w06+J8G6LDG:H7G:D>J@`N[JI6E6J?G5?,F;A7?3SD_JE90,)%+%1+)5#u'm}-&4/JA^PG@<6D8E6A-<29,H9^M\G[IG.=+.,1$1(*"=9^Sia<,<4[Tn_I@PIje[W;3?:f$YL= 764446Qr&#v"t$#v$#lq#q#t&hgky%1 `C}\yYfHF54(4)1%4(2'+-!-!'71E7I3J8K7D4e([ +[c`$d:yL!]0[/e3f3rDrAl4l1ΫoćٞޢWfI4bsԒƂӬdHbʉ֔ΊʍГFC-N5Z=W8X9Q7kV)n=we2r`4r`3n]/vc8yֻپջw0c 9 *+4=C <E Y#v@2F1G;^M^MPBI/<)<(@,kWugUDP;_Lm[[KD6B9r-)U?632226 6 2:>@ H +Vk#(ba# {31okof_ k y',P@wY~]|\rV\J7'7(6*1"/"-&+!&D?D3D1{+d L JUVV\% U( +X(a1g6f2m7f3g2^'pRdҔݦzs*?1eqޡdž>H FϋښґɆБ̎`N9gXwd%^HL2W< qZ/vd7r`2ra4tb6tc5vc9ּּؿSD88R'V- S( S.O,K' ^8 vXyanVjN?5ohRB:)B4I9@7@/L:ZCcNbP]O`HN>H>RAWCT>?5VGTF8-8'8)5,4-8*5*3*,*%%(&>1F>MBA4?-B2G:\M\HL9K9Q9M5Q9P8@4PAD;=5XFMB4$WAD7y* l]I E B ;8878 858 +5 7 D D +I N ZX1Rq.!x**q#o"giq p A0qS]~]wVsXR:9(5)4'3*1%-!6+A5?$s+X GIIWU`!Z(L^1f3h4e3n8l7k3a)d.Kٵuȇ؞ߦחʐI=~+Tݳlݡ eWٿyҏ۝ߡڙΏʈΏ͎^;:.#<,R;H8@659#P=\@M4UCP==.6/'$~"tY +^c]` _[N QOC ; ;8 < ; 9 88 +; +@ C F G Uc3 +" :{4)z. t&t'u)m n!}-@&R6N3O5eJcG?)4&2&3)0&8+>3q.@8:9;=FOSHT+P\#_)k8j/h/k1l,k0{<ʩd|ѓڠݢߺvNx&5EܞޡѓϏDŽҹtԸsғݟߞؗ΍ʉ̏ΐL1!A(X2X0[/bCta3p_2ta6ud8q`2q_2s`5jӴؽ׿S) X1Y.c6f8e:h9wI(S2^>wzQ7Z=`?eQ?:;3G<[JYBQ>P?E6@27#8'>2F6F3?3=&>(B.I5S=nU~gmQ@%7.?(H24(A68,7'PC6)7-D:I;1-6&9%6#:5?,A.H3<*~-1<&D/9/+$1)@1 H +]aY Y U WL C ;> ? ? = ; >@ B? @ @ H +g%{/,@ $ +% ? `(;19,7)x(x'z(|*~,~),<(C-;,:.9,:*@4G25'A156615:L#V)e=mFpGwL|Q_*l3j/j2i.o1o/Rӱmϑ֛ٛFn'q(_ńٙ׾{AšYʆݞݝߟߠݞؔӐˋ͌̎ʎ{H-/>(C&H,aG{i8we6sa3sb3r`4sa0p_2vi>ȼؾi;[2U.N)R)M*]6oE#sE$Z:^c>sBE"I2G8G:H;D-1$4'4%6)E38$<)ZJ^TQ?`NN7L8E0K3R>L6W@ZCx.l1 S=J8F1VGJ?dRYED;:2K?ZGjQgObIH=q"^\XVU` l%y,0}%u$2 0 >IPRXSH @ +B B A ? ? RYOFI +[ k*x2"p+>% +))5u4&J2>3A-RBUDYB[HS?D73'3(C92+Y3Q C.9\<Ɩ|{zalNaLXJbPL7@,6(x,"a \ XXUP TY\ +^ f!r(v: +  " ) 0I +Ze"^RVNNrA.}E3v9%n7'm2%j'k&s)@(e- + *< ?E+h/e-y6 9!:5;+70;#>&7 U;V9|? _+ MF??L$X- a3 ^1 \1`9 b9d: pHqHoJwQyPpG nHuN}T}UyR|V{V|>ԳxȎ޿pE MR ɑآƈߵuݩlҗ\HFp3t0u5x5x5{9ÆDGEJČJƒPϗTʗSΧaѱjă͈՗ޣܢߡߡޡݡҕͯk˩aǀ֖ܞ۝ښ۝ؘח֔ҐёΎɇˊɎ̷mS )+218%eR'pa/o_4r`3ue7xhU4 S1 S2 U2S/V.e:|B-='8"H1G0]GH1L5G5~-$@+M6PR>>5?8K?@1|#2 $ >S9@yL.wTrVO2K4z1!l$g i dY W TX[ [ [ [XY[ W\ +t)A   ' +% ,'5I Zg'z4%t,#k#s,dD^GM8TF>&|0#5*?/w:%> 28C$ c0I! +49OS& ^-n1r4s3B%y9j0r9!`1U' Z. d5^1`6f9j;k=o@o=rBq?sCzHyL yLzLY}SxO{Q{R{Q}U}V|VsJ +{W_‚ϭhZ4U&R؜՞|ɌQƈPҖ[סg٧p٧nԨrͤfΤgҭlάkϯtԮnֱqشtԯnЧdϢdțXǚbőYy8m+u6q0x1FͥdܿyʆՓܡߠߠޢߢߢޠ۝ՖёЊԔԕؗז֙֘ԓԓҐБʋȆljņeP; /8; : =&p]3m_.m\1sb4uc5td8tc8vc:ua7WдV6U6T2L*P1K,Q0 _;^8X6 W5V3V4X6Y7W3b7`2\%W d-t8z9$:"9 0"4"6%3)|, },w r"~0@&V>B)Z . )JY"[$ 9:FFCBLP +W[ XTRd f_ ajo*j+ ^^\Xp*M ( D Q\+P$ +<<LR NQc%{6)=/B*[BR5B-D.E(?-?.m)NP& I"D$? 9?"A&E$-*/2:F#@E M$L$N' +V,S) Z1b7o?!n@uH#wJ&wGr@rAyJ!~N$P"S(O"Q O!X"e%h(f&g*X\][[XvO u2ͩg˪fg9 +vD׹٘xؗX~Cђ\ѣߧޤٜۡ؝ϖĄմvˣcƜ[LAr2v.;NЪk}юڜܝ۝ޞܟ۝ݠؙז՗ЎɆӑ֙ҎԔӑΌ͋Ƅ€‚ҿzC0%*>"B$@&N6vc=m^.l]0yg:wf8wh/8\- b,Y%LLN@647<@? FS[ f k#jm z/<G'v,u#p q"0&R/ R" ^#a&a)]'^(Y%W" T Y [!We(n/:{9;I&I C{>{?H!K!~Eh7a3 U/ R. H&?0@' 8<#B(I, I- H- K/ K+ K+ M/ Q1 Y5_7mDpD tH#xI&yL$wHzH}Q'U(U%V$~PT X"a%e&i)j-q5o6q2j+j,h)c$\ZKâaf-IΏݥВjϐHՔOuݦܟ֛ϔȉԶrŠ\vh9{j?}kGxи׿U9Z<U7S5N1 +V6O1 O4 S4 X5 [8W6 U3 +U2 \9[2W2T/Y2]5c9e:a5f5g3d'yA&p;i&m'b Z \ t$t(D7N 54_3uB wD&v@"n6s6h-^$MEGKLMN Ta&o+y/z-z*;&R3_@;&"*z%MR|?v9t5o0 k1 f- h/ i/ i2\)[%^+i4`(g. f. k4zFP ~P#X+X,R$R$M#K Gv@sAnBe<[9W3 +W3 L- +G,G+H-I0 +E*G-H.I.M2T4T5 T8 X6Z7kCmGzO)tL$wO#{Q{P }R"UZ&`#i-i*d#k.l1p8j)q2r3r2n-l.b%f(^bϲsϒڠԘwґۚiՎCْJu۠ߤߥٛԕʊѸuɪfU}7n'?ʟ_ؾwΌ؟؛חטՕҒвlǞVāВΑˊŃνyͺ}rAV@ 2#4K.V2 N0 _Gp_1k]-o_1sa5tb4wg;zj;wOϴֽ׿kJaC Y< +V: U4Y;Q2 T6 Z5 +lBcCU:R0 S1 W5T1U5U7S0 T1b7c5d9g7_,Z'^.^,j1g+g(b# k">2F9Z#69Ap<|F$K(L(K A~>x9r:n6h2 f/ _( Z_$ V ]!d$ h*h+ k-p/q0q0f% d%a# f$e"a&x9BF!EBCIEGDq4 b+[*_+f2b1f6 e6 b4 W,^3d6 +l<}GKLP&MK {I}L |GvBoAoDpG#lE d;a5X6Z4 [5 Q6O3U7Y7 U8 O5S:P2 [;Z8a=c=iCnF{S Y'^#a)f-k1j,k*l1j.i*n,s3l*p.t2n-e Yu;_ջˎמݧˎΚT٧]ّ̃}ܪWΈ4d΋߰ةڸ}خpȞ_˜]ɠ^ʦhѷu}̎֘ޡߣܟ؟ԗ΍϶wSs6e%u1LѴqʊӓՕԕؖ<_ŌŅԿ|ҿ~ϼ{ɵylZsVm5@'9"O/W7Z@iR#jZ*iZ+l[.q`/we5vh4XƣӵԺֽֽ׿Ή\!Y`&a'ZvJpJ^<Z8 oG!gF[>Z8a@U5N.N5Q6[9\<h?j?k@l@_5 X,[.V) +a/ a.e/m4s4|='\'7 7 ;I j:h9yF%G%~C~D}EF{<}:?A}>Aq2f- a&_%_&V U$JLT$QMQ!`(]$]'g0 p6}BKKNMMMQR G~DzCw@o< m;c3b5\1X.Y,]2 \0Y2U1]5`9mAuF{K$T,V(N~N#X.S*~M!Q!}O~Q%vJmFnIoKf>b@T4V8_?Y8R3 +X8 `>^>fCpJsLnHtMb1^*d+d)d,a(a)e+p3m,g$k*k+h'f#d'CΫlҘؠ߬ՙχzdۜHˀ)֔?{ߣ֜̋۫kȉLÚpխQ|5q.x4s8 {> Pe'v:Iȝ]ڳpʈՖۜߣޣߣݡ۟ٞ؛ȊҴv\o.Yc#I‚юՕ֘ЎVHrκ|Ѻvȳqdzptaj.vZ&s;:$V5\6_>kNva-m['hY'm]+sa0ve6ylAmҰֹ׽ּؿ˕e$Z`#_!h(c%b(e0^(Z&~V#xR"hB[9 U5_BkI gC[9 `=b:h@oEtIrGp@m?j?i8h6e1c1Z( O;6BGT.j@i>l@vD"sD`5c6zEO#G!DCF~@|@|AH C|>w9f-^+N!S$U%R%X) X*P"OW+X-].e3p9 EOOQRU!TT#LNN~H|HvCg7b3`.[6 Q/N,I+T/Z3`8 +j=k9c;b; +qAuHX'SV'U'[(Y'}PW$Z*Z'S#xNoImFuMc? `@cBbA_?kIlIlGfDdB nIoHqKxQY#yR{Ua*l0g*f&k*h'g&e%^b"PұvȈѓנݧݛߺfʊ;x$k |"اSگfף]ʖLą>o1f&YSPÐ|< u4 +f.Z+X%_%c#`#i(w3CWr4GȤ\ݿЍڛܞޤݦާߥߣܠݡܡܡ۠؟֟ӒȇеtDmA lADĉӛҖɈ͸sH=aɳ{İohXzES7 y`0\GD+fAmEiEqQ#q[,iU#m[*n\(rb/uf8zkGԹպռԻտȺLG{;e+e%c&a&f+i,l.q u> ~INPOTMJ~HJ|HK{Ek=_9W0V/Z2]6f= n>f: [1V+W/`7 a;]4lB|K|LX#[-_,[*X(U!QY#Y(U#wLvMvKnIgB dA b@_= gEuSjHkGnIsOsLlB sL W[Z]j)j)g&e#f&h'k1\ϱpĄΐء۠ߠrLj6iV \ [ +`a[ \ex<ƑRթkֲvҮx̦u˦pĠh\UTyAo:c%VN@ B~39O e?Ыg׼uБ֖ۣٛ۟ܠ۠۞ٜڞؚ؛ԗΎώ̵qumCf@f>d9 a7 Y1\6 ]4 +a6 c7 _4 Z2 Z3 +X-]-r? ~DGPS!W&U!RW UVW!U WY*Jv@d8X,W/Q*E$DGL'IG!M%Q%Y1b4b5f8sA +~IOX"V ROSNsD sFi=h> +j: h; ]2Z.[0[0]6 +^5a8 d; d;i< m@wJTSVUX U!T U!S R!W#xJtJqHkC qJtOyR|UvRySqI gC oNwRxSxS ~X[Zab$e'd"|X|[PӴvƒ͏Ֆ۞ޜuȍ +nFrHj=nC}RwLpGoHrItKmFmFi@a: X3 W4 +Y3 W2U0L+B%M.\4 +h;e4 +l=vFv@ r={Bw@MR V%\)d-h2f5g8`+WSTTIr9p=p> +k=^3c8b5b8i; +c3Z-_3k: q?yGOROVUOKyGvBvEyHxFsCj; `4i=i> h9e9a6b6a:mClA mElC mC vIzNzQT\&_'^+Y%Z"\WX{PU^#\$^&XvNwQ~Z%yUvR[!Z^!a&^$^'YwO[7pP\̮lń͏ՙݧߥܝw͗Si#HAT +y2əSִr}ьڜߪߩܦަڢՙВLjӺxǩcUFn*UWf%|5KĠ[ҲtÅӛӛ՝ԚҘјϒˌȈniƳxbLcéobi8zZ$x>|h4E9 )!0!G1 gBi> lA|Od3u_-oX)mX)iV&n\+p^0vd7rH˩Թ׻׾׾׿ȡUѫe׵m׺vչt׹pҲjյoնkӴmֵnЭgͪdѮkȠ\Q{8x/q+p)n+q,v1q,k'e#_Y~SV ~OoEjBk@sIhA nEvJrKrHlFmFnEe@`A[8Q2U4M0J.K+K,L.P/V4U1P,T1g<l@uFvI{O!K~JOT%Y&W#Z$W U [)\,W!TTRO~G{@ +|FyEu? wAzEwBq<n:s>{GzE|GK|GzGuCuCuDwDtCsDsCtByH}KzIxHvCq@j@ +qDmElDg?f< h?oGrIuMvNV V#X$_+c,h1d%`"f/i-l6o6h/i/h0l3f/d*c&b c#a!Z|XzW{TnGW8sS[дr~ВԞڡҐɗMo,U>Q ŖM}Ֆݥݨާݦڠםכ͒ƈζuRhF ~?G Rk1^ɑЕієϏΑˊƅą‰κ˶|ȴzP}\`)VVg.dE nZ(E3 +! !5"=%A)O2 N1\;kJmV#gT&jX+gY(n\-r`3vg:dϲջּּ׾ռΩ`ЭcӴo׸uݾzٻxնnϮjέgմnԵqήgϭgѭhѭgЪ`ͥYЧ\Ϧ_ÙOA{1z6s0s0n$n)k-f%c"e&b"^TUsMcB b;kCzS uOqJtL{T'oN#iFgFeDb? d?b?Q2K3F.I/G-B'K0P1T3X4 Q.R0b7 f; d; +^4 e: l?}JHKW"RPV#UZ"X \ [#X#OIIFyA yAt=q:u<vA yD yE r? m< q?sAr@p?sCyH}LP~MQQOQ#^0V"QyLpC h; +c7i>oGpHrJqIxMtKvI}O}TWg(r4vAt;r7w;s8o1u9v5w8p3n.o/k*g%a XxQzUpKfF +[<a'VԷoˊБۺsy6O BBBĀݤݦݦݥڟ۠מ՜җȊRN`(K X#^-n<̵~̏ʍ̎ʉņȈłѾлκ~įsXqMc<wAKxVL7<.- ' &0$>';$:";";"G0V?mS#iW)iW*jX)kY+q_2zjp@tEzGyGxGzGSV!Z%X!STUPyGyJxJvInBpEsFn?j@uJyN|TYe$i-g(l.n2r6i)n2w7zZΦgӓܤޥߨߪߨݦߦޢ۠۟ڝٞ؜؜ҔіѶwi'V$6/@e.ưuƋnjƌÄĈν{λ|̴wɮoĪimY`+lJp1r9K7/!;,3&:%S9 ^DW8 +N4F,C(A(H. +U>hS%iV(iW*jX+p]0r`3td9uԴռջּؿٿ׿ؿ׿ʡbɟZȠ[ѰiέiϬhǣ[Ȧ^˥\ʤ_̩eśṾX̦^˩]ѫ`ѫ\ΥZϩ]ծgְi֮cϧ]ְkկfլaխ]ӭ_ɡ]ÚYSAm.i#f d#c"j'p,h&e$_YY ]"`'[#\%Y#wP vLtOtP}T$uLgA bChDiB jFiEiCnHqLhBkDmHc@Q0I,L,V2`9 a: Z4 V,_4\6 d>xNW'[)\.])]$VY[!WVPKJwAp?k=o>p@m< i8f; d9 n@wEr?o?n>sEtE xH}L}K~KJOKNUSO~K|KtC tH +vKzN}S}S]#`&a#\\"`#b%c*h'o0q3t5q1r7o6n0p6o5p4i*g-o9`*~Ue*VƧg˭kz:Av4An1Ը{՝ٟܟݤݤߪޤޤߨߩߪިީީߩݦݧܤܥܦء֝ל֛֚֝Җ͐„KU+2 %9j7ƲzԿӿԿҽ~͸zɲvȰpìnj_bOy?|]&yc*J=)+8%=)X;lCwR%uS)lKcDZ?Z?[AdK&iT'kW+kX-lY0n]4rb7te=չպֽ׾ռֽؿֽ°GIJSROÞXßTƟVMOKLʢ[ϩbɤXϧ^ԭfϩ`ծfҮeѮfO?̝OȟVˢS׫]uߺr۹pԬdΣ^ȜSMO}=k"k l!h"j'o(j)s8e*f+m1l.U#zPX {U}V]!~SfCg@kFoJnLlFnJoIlFjDjHZ; S7P4L1V3W5Y4 S1X4S1Q,M-N-W3 +]9oB|KTSX!["Y UY%[!Z!RNMJzItGnAh:d:a5h8f9e9 +`4 g:i< f: j? j> j= +n>n? xINRU!RVXTUSYRSSSXYY~YX ]'_$h1g2j0m4i3h.k/n6o5p9l0j1r6s9a(|T!]+HXl)l4b%{=m,ٿҙ՝ԙ٢٥١ڥݩܧިݦݨާީݧܣݦܥۤڣܤۣۤ٣ؠؠןӖәҙҗΑȌĈ^`?0#;!yHDZxϸη}ͺ˷DZwůtjd__\K~Bu8nRD0!-!B+_=rK|R'{T0sN oK!eEkLkS'kS-hQ&fT)jV,j[.m]1qa5wg?ƻԶ׼ּֽֽֽëDOD>>>KK—MŜURSRVXģZá\ѭjѬcԯbѬaѬ`Ъ`ƟSȝNŚOˣUϥWը\ի]Ч\ҧ^Ӫaѩ_Ҫ`ѭaԬeɡYI8z2{3t,i b%d&o6r5m4j1d*g+a%}V}VWxUpJzRV+yS%vOwOqLfDiHhH[: W;_< aAaA_=T8 +T5U9 +X7 V3U3Q0M-K,K*V4 +`8 +i= sF|J|K~H{KSQRRS"S#P R!~NxJ#vJ!nCl=c4 ]2[3]1b8_9 _6 ^6 b: b8 a6b7oBsBuG}KMOTUWYY!YZ#VP~PRxKxIwITX]&^!`%b&f*f,d*d(k4j0i-o1x8l0h1|T{Ql0WV)Ha0q2ʱ{Ċ̗ΕЛӟԞס֣٦٥ڦ٦ۤ٢ڢڢڢؠڢלם֞ם՝֝ӗҖΒϒ͑ːɌƈҾk~^&> 4[EYǰvîxƯzưxmol^XONNyEn/eP7)*=%L.^>gCkM!kN"lKjL!kPnU+iT+dS'bR$gV)gV+o^2qa6~nJƪպ׽ֿ׿ֽ־Řp7t:FDt8o.i&s0s,>`àaTTVPLOSĝUˤ^ѪaӯcЩ`ΥXϧZϦYϦYժ[ɟQƜQʞT̢Yͤ[ȟUʢW͢UΤUҨ[ѥ[ΥXЧ^̤Y˥ZSI>y8u7r1p,m-f&\^`%Z[!Z!U{S~V {SwOgDlKiJ[< _CpLuNvR['vX#nMdD _>b; \6\:X6 T3O-J,Q-J-Q0c8 c:d6h<j: oAoBuGtFzMxN~R O!P"R%O!Q%~LuEl@j=e: a8 ]3_5 Z1Y2^4Y0[3W/T-Y1`5b5f7 +m@ }MKR"Z'\"[TQ~LyJvGqB vF}RVX |TY!\&[$Y \#d.e(i-k-l,m.l0d&vNfC ^==7O&j2pͲ}Ϸ}ňȊʎϕҜҝ՟ԝ֟՝נן՞ؠ՛ԙӘѕҗϓєΑ͏͐ϖʎȌɎćк|ìtTi,r] {D]prl`^Y^RDz@q9n7t](M:0!)#.!4$8&E0I3S9 Q=T=S<W>\CfO#eQ%hT)cP%fW*fV*p]5rb:wR˯շּ־׾׿Žf0seCfAa>gC_?Z8 Q.G-F,H1P1R1S1W4U0[6 ^6 Z3Z1d<i?l@tGxJ{N$}O$Q$xIxGxHwIvFtCqBk< b6Y-P+M*I(E"E%K)K'N*Q,W1 +\4 f;tHRSPNQPR~PT!R S"U$}T!U VZ%}SWZ$\$b.b+f-d+h2`+|XdCW7 8(8eOQ\£nũḻrӴvÄʔ̓ʎЕИҙіҖїіѕіДДΒΑɍ͐LJɍNjăĆҽϻθ}Ůuh]V[^e`^RKJxCq?l/zb%rUZ?C-'# 8![; lH jDmB [9[8U4R5P7Q:B'A'@(G-V>`M!aO#gX-jZ.hX.jZ1qc=dͲշսֽ׿ؿ׿W6 eGwV'iGOYŸYɣ[ǟYØQŜSɟS̤XΦXѩYΧUӫXӫZЧ]ΥXΣP̠LʡPƛIŗEĜIɢQƝLƝOĝPMRɡ\ͬdʩgƢYVJNBs-p*l)f%g&o&v/y0n&g)c!Y^A aD jE uQ|X!{Y$uV pRjHdAeBeCa?c@cAgEpHkD`>Y; +U9 Q2J.Q0Q0L,P0R1Q-R0U4 +Z3 +Y3 +Y3 ^5 c;i>j>mBqEvFuG}LzGzLwIwGnAf>`7 \7M+H&G'E$@$A%@&F+A(J/U8P/Q/d>iAoF{P&yO|R!R!V!VY#~X W!|S!{R!{OT{RzPR V]%Z%~W$|V#yU!oJM/*$>+u\+v ^; +]; +_?^< X7Q3N.Q.S0T1X3 +X0W0V0 X. `7 `6 g=lAf; tGpDrFpBuGvGvHpAl@h= `8 [7 V0T-@$>#9$4"7"4$5#5!7";'B-N3 O4Z<kDvJsIS"U"~V#|U!}T'zMxNtMtKtKuNW vOqKtOpLsNeEG,(%@%X: pN b2v?FWebåiƭq͵ӹzջ{ņɔĆNJʊNjŅƅ҂Ҿҿм|͸w˶xdzuŮkǫpmjjcYXYMEzDrEĜYĝVͧ]ͧ^ʟTɜRÛRMȞQʡSʣTϨYЧTͥRШWӬ`ϩ\ˢUЩ[Ъ^׵kѫbɟTЩ`ЩaШašSSÙP̠Vӧ\Х]ϧ^˟UěPHF>|7w2r-o)q.n({6|8v1o-i(e!f%\vOyWWW~X"|RxPsJvLqFpC pGjDlCsNwR pJgAhCb: [8 U1Q0Q.O.S0T0 \6 \5 ]5 [2`5 +a6 a7 +e<pCqCl?lBk@h; h=d9b7_7Z1 M*F,D)>'5- /"0"1$0"2&;(B,G-K.Y5 `: gDkGrKnEpJrJsKsKqJySsMqHlCoFqJmKiAR1F.D)C'I+I/]? wTi5u:AQWiƩtǭsɱtе~ѶҺ}ҹ~Ծ~ѽԾԼ}һ˷|̶{ȱwɯtƭtçjic`TYQNDD{Fw?p:g0~^lO[BA+,"-E1 R8 mOyWg-r6g4W\b e f!egf"k-h*l-p4{E{h:eS'dR$dV'jV+k\0tc;thHջռֽ׾׾׿rM0mJ&pI$eAc<U8 L0K1 +H/Z>bI"gJqX,pQ$uQV'\%`#n6|?}Bu7t5r3}X>[=oT%rPzW%f/l;m4i,n4{BGESD=u0}8HQRJJNMKMƞSȢYȦ^ϭb̪_Դjܼrմkɤ\ʥ[ɢVʣ[̣\ȡVÙOʡWҪbϧ[ҥ\޷nrծfϦaҦXϠY̞UΡXУYԠSРYɚSHA}1y0j$iii!i)h)h-h*k*j)WyP{R{R\+_/c0f1i2a%^#\$a,`,g3a,UuKd< +f= +b>`:_9 +[7 [5[4X0V/Y2W1T/S,T0T2S/V/ W0 X2 _7e9c9b7b7a8b5e9g<a7Q2 Q/ P3O0 I+ +E*H, K- K-M0 K.K/L-M/F*M/V4 Z7_>\:a=fAmE!sG|R+yP+vL"wO'rL"mG lGd@]<M.H+K+U0]: oNf)r6{=}?MQ\aY`XV\QVPQHzGw@x:m3h6a*|^&vX!jO^C S5@'5*,3#=(K0I.K.W<cA +c= jCrKrK](f/^][T[\T{JN RW^&i0kSbS$bT$eU(fW)jZ-l`:znKɤԸռԼ־u_T8Q4T5P5N4 J2 O5X?bHX=W<^AhIuT*]3l:n?~KKPD>LWUNLIPKHHLHGŞQɣYϧ^ӮcȨaʧaѫcɤ^Ȥ\ƞUʣZǠWǞV×NǛPϥZի^ի`Х\ΦYҨ]ʡXLȚPȕH̞MϢR֯`ݸiװaΤZЦ[̣ZI6z4p+i*g'g%n'k#_]!^'ZVyQX_&\#XWX#\'a/^)['U vKvJlBb;^7Z5X5 W5_<Y3`9 ]7 Y5 U2S0O/K+L+I&M*L,T/T0 T/ a6a:c:c;iAhAe<d;b<b9a=a>]9\:Z9Q2 R3U3 T6O2 H,H.I,L1T4P0 +P0 S2 ^;b?hCrH!oIqK$oIqHrIqIpFnEa9]3P*P+J*P0[: fDsR a&k1rAt@yAtk5f1d-z\(u\)iPjM^?S5L0E)=&;$:E+K/]=c? +`= bCjFb:a8a=fB a< +`<c= a;dAmIqNwK rHtK RURyK|M +N Ua'k4nW"bQ#_Q cU&hW,i\2l_8xUɤҶӹ׾Ȥ~q~qWvfHucIkFb;f?|^6xR0oM2dEc?^?T6O3Q1Q6O7I0 I1 I3 J1 N5 ^AfF kJ|W%h0qAr9x8}@~ANJKOWTMÙPȞTGFHM™QMŚUǟZͤ_ʨbà\SJTĜV™URHėNŗNŘIȝTЧZӫbҪ_ҫg̠W”GĔDѥ^խbӪZׯc޹htrߵdѨVŝQėRE7w2v5l)m'r3m*j(b"[Z!Y X[&T!rFo@ oEzOvIrHuLxNsKrJsImEoDj> d: b;b;_9 ^9Y6 W4S1 O-J, H)G*K- N,L*M+W3 \6\5b:a<`6c;b=c=gAkI'oK)kDkI$gDeFd@a=\:S1 P1 N.U8R4 O1 P2 E*I-M1S3 T4Y7]:`=iFlDjEoGpHqHoFlFe>]7 P/K,L*L-K.V:Z;_@Z? aEfHiMbF`GX<T: P5F-A)?%47259F.Y< +fG rRxQU_!ZVSuI +vLiD nD lE c=`;^6`8a;`:_7f<nBtFxIxK +vI}O {M zMZf1gOaQ#^NfU#fX)iZ1h[5gͱչԽ׾ʹ˰ëƼpwRpQjMpTnQeFuT4qQ5kH(b@b>\>V:L5 F0 +H4D,G3K7D. D1 +Q7cFrV(~Y-e1l9l=k6z@JKPUŜSˤ\ȡWśP™QšWRLEQTNšSVŸZOSQMOHEOƟQΡVФ[Ψ]Φ^ҨfѨbШ^Ԫ`Ӫ_ЧZ΢UϢSٱcܵiٰagikhӫV׬YڴoְkĚR?z4r6m%l'n*j+e'`[[QqG nE uLvJvIX%[$c-_(a)`*_'UtKnDa9 f?d=b>W6 Q2 T4 O1J+M/ V4 V3 R. +O-S0 W3 W3 V2 T0U0 U2 N+ Y5`;hEqJ%mGqI%qI(uO+tN)nGjE nD#kD%b?a=\>T7M/I, +M0K/ K/ N/ +L/ P2 W6Z6 \;Z8a>dBkGnGoH!pGpDpFe;^8U/T1R0H)J)H)D)>#A'>#<$9657#3=$<C&L-O+P/]> lI|RW]$Z#YZ\ZXZVQN O +xN +mIvGg:g<j?h>i>qDtGyL uHvJyL +lClB ySt]*cP^MdR!_Q&hX,jZ0m^5rγҷ־ϸϸθͷγ̵͵ƾ~kq^|gK}iGx\5wY;wZ6jHiE Y=U:R;H1G3C1F1F1B- B0 A+S9_Cx[2pM{O\*i+p3x6LIPQLÙVUX—VKSPMDMLMÜTVPPQNOŝVƝUȠXШ_ԩ]ѧbϥ`̣XΦZҩ]ө\ѥWϢMөUݻlܸn۰_׫Wߴ_jgg۷jyvsܷpѨf—PVHHu.n)g*h&f%_%^!W!WWX{SxOoKpIuKrIzRtLtJyR%}V$]'xSeA^9 Y6 V6Y4P0X8 W2 +V2 S0Y6 ^:Z6V2 +S. T0N*L( N+T3_:[8]8a<lI(jB!lI$pG#nG#nI$oI!nHhCa@^<\8X6T3 S2 +J.Q2 N/O0Q1S2 Q0V6 Z6 ]7 `<b>d<g=h>d:h=jAh< e<j@e?`; Y4 Z6 +T/S1Q.L,H(I,P0P/V3R1W3a9 +f? c:e; oEvJ~N|MPXVYXY[XZZW[\YYR |LyJtK wL }O S R}K{KvFl> +a8nGiS aOcR&_P aR$`P#hX+l^5ҵԺսͳδͲͲεδεθйϻ̵Ĭĸtt]{gLv^9u^;v]\:b?jGyU&~W!`"g(o5v7{:EI[×^NKLHGLOF:CDKQMÙVÛTOVɞU΢ỤUͣWѥWΥXХT΢Q͡OʝHʜIΣSԪ]ٱ_֬Z۱^iڰaհ`ܶellsˁzy߼qְjհk԰gӪaΥ]Gt/p0o2j(g!`"_ _"SsNmGe=h? d? +b> kHsNyQwPyT!sM mGiCa;^7 Y7Y8 [:W4 T2 T1T2 +Y5U1 V2 +Y5 X3S/ J+K,R0P/Q2U4R0T1S2Y8bAa@jG"iFhEcBbAa=dA^:^<\:\:T1 P/K*J,K)T2 Y2\5 [4 +Z1 \5]5Z3 +_6Y0^6`6 d7 b8 `6 d;f;e;e=f<d9e;b8 `8 a9 a8 a8 a8`8a8 h=c8c:k@rGzKxJOQRQUWY_\]ZYVVY\^][^dm(gd[{P iB `9gFiP_M]LeR&_P!cS%m]1rb=ҹվվտζкϸйͼ͵лйкκйϺкм˶ŮĹvx`}qUua>nV5iW8bR6XB&]B%^DT<M2 K0 I1 F1 F2 H3 D. G.P5 T9 `BhHX"^)j.m7m5}FSJJQMKLVP<<@AB@IQMLPÚRǞWǞWɠTʠSȟRˢWˡQ̠QΣWϢQԩ\׫]֪YժZ֯cիZЪXѥQ׮]կ\ܷcrxyoݸoܷoty}xլgȝY `?hEb< kBoJuQ"}V&^+xRlFlHpN pNb@T5 J/O0T0[8\9W5W4S4L0N.N/Q3I.L1H- D( A* +B( +H, O3P4V5]<aA!`CdBiE`?[:bAfAdBS2 K*L,L*R*U1U1 T0 +T,Q. +S, U- +U, S. +R+R,O+V0Q,S1 X2Y7 `9_:a<`5 c5 d7 f8a3 +e7e8 c7 d8 a5_3]3a6j@o@ +o@xE +vB{G LN O T ]Z``YVR VY[^bfl"t)t)n(h aW}SpMdOaQ#`O"aO"dT(eV,h[-ugBջԾռҾѼλμϻн̺ι϶ϼλйηϺ˱˳ìqz_sbEiO6iO*cK*fI-Y=\< V5P1M1 I. I0A- D/K4P4O3hE}_,b1^,a({EKONHJUYRKIMMF{88>DCDGORƝVǞU™NLŝQɟOȠQʣTɠNШW֬_ҩY֮^׬X׮]ѪXհ_׳aֲ]ڵhٵeٵhܸnܸo߼rwwwwzyݹvԮpĞZ?A?}<}:u,f$Z#RW#[#}VnGjEkDmGvN}PyOoJlIsOxSvQfER8 O3Y9 b>`=V4T3 T4K/J,M.L/L0J.I. H, F+ @& A(<#<& @( D+ J/ U8V7Y9\:\9d@gD!_>c@mF`;Y6X0 R,S.W3S. P,O*S. V1 Y1 V0 N+I)I)E(I+F%H,N/ +Q0 O-T. +X1 ]2 _5]4a6 d7 +d7 f: e9`5f; +e9f;j=j<h9j;n@rAsDsCzITU\ZYVTXU Y]\glm$m'q*p&if'g&]%gS%]N!\N"^R$aQ$fX/i[.}pNԻ׿ѻкӿϷѸηͶδѹѺҹйϻҼѺζɳŻs}g{lRp[AkO6mM8jG-c?!Z7_D#T2N2M5G,C-S4 [:a@iHtJ!]1d7n9uBxEr?r6>FKQTXR~>{6=AE?8>:FPKHIKJNIDÚKϢUФVөXԫXֲaٶhݾpu߽sزiձeԯgױkٴmܺp߾vw߾wu{t޸yٳoЩ_ɡZ̥_ěRSD9z@r7p3r2e$UxOsOrMtKqHf? +]= hEnExQ{U#W$sQrQoImH kD iAgCf? V7L0K0M.H, F* +I.H/ H- B+ B(A):%<';%?'?%E, E+ F+ +N1N0W7X7jCtJ!wN%mDe=b:Z4V0 U,U- +X/ +[2\5_4\1 X1 U. S/Q-J)E%G%E(E)G(H(D$H)K+L*S-X1[1]4c; +^3d: d8e8g8h9k;j9j9l;n;o<n=p={IM RQ XX \\`fgk"l jhi"h!g#f%b"^#bS![M [O%[P&^O#cS(hV.|Z̶ӼտռԿһϹϹккѽϻѻѼѻϺӾѺѹζ̷ín~kTv`KrXa=oK"yT$Y(["b$k,l'q-x=ROTTQTPLCDMKNM>=?DIHKGOJN̦Zկ^ֲaӲfΪ_ͧbճlմkֶk״kձkѭdհgڵkٶlװhزe۷k۵iزlڶnٱkЩ`ԮcشhְmΧdǞVęYĝ]SIR@aY]&YVvStQsKpIwOX!`$a%[SxJnEqJrIqJ%Y7K. Q3Y8`@U6 L/D. I/ H0I1I/ G/ ?&>);%:%?%?&D+ +B)B&D* C) P1 a>a<e>d=e?f?_<_5[5Y3Y/ X0 ^3b6e8b6c7`6 ]2 W,T+K)I+H)H*I'G(C'H&J%J&M*O+P*R,U/[3b7_4f6f6i9k:j:k;l;l<i7uB{FN S S ]]`cg"i l#o%r(kff!f!e%d$Z ^MWMZM&ZN$cV1bV,lZ2qˮպԼ׾ӽԾӽӽѺϹйҺѻϹѺѻθιпѻ͸Ǵns\hM{`GgN,qU6aFP4 L2J4J3H*Q4P8N7 \<gCwS|UU `*i)s:u5z@KOVQJNORQPG:5v+v%>AEEFFKFŝQϩYֳ`ѫ`ɣ^ͧaƟXϭdײk׶n׵iӰeЫ`հdԪaѨ_ΥW˟VƚRěQϥbЧbЧ^ձfݹmsڶkխbϦ_̤bʟ^ɜWĖNG?t2w.u:l._%TTY`a`"\XyNpIsJlF iFY9T5 U3a=gBnGnJ!cCW:N4 Q6P5 N5L0 C,?'>'='A+ +D- F- B*?(;!?&qAwE~LP R VW\\d!ai!n)p(l%h#i*g%d&e&vT^NZN#[N(\O)`S.cV5j^<δӹռҸԾտտԾӾһѻкйѹ϶ҽѻпѼҾ͹ѻϹη˵ùbnKrZ7sZ=jT5`D'_B&\B$P6L4M0 P1L3Q;b?kHpGzR&](f,l8{BIMQNZ[VPMA}3s'q%s&v+w/:ADNHFIœM̩\ЯdִlմlճjҮdѭc׵mֵpԱjӬgӫgҪcͦ^ɟYOOśUˢYШ^ԩ_֬^۲hشiܶh߶nݷrԩiǛUĕQǗQ’LGțQǜTG>|6p,j"c[ Y]XZ!yQuNnHgD_>R4P3W; dBoLvQwT$jIeE`>eCbBhEX7P1 Q3 +K/J/ G.G.E+ B*:"58#;#<#<#?&>"C&G(N- R1V1W1U/W0V0 Y3X0 +X0 V1 \7`:j;sA"o?h:m<sAh9]0 \/]0 Y/Y-Y,[0[0\1`1a2]._0b3i7i7j8p@tD +l;n>sCxH |J PTYXZX_`eg"d b^`"d'e-uY#YLVKZN#]Q(_S+_R/i]9ѻҺҺӾӽӾվտԾӽѻҼκѺҼмϼϺӽҽԾӽѺͳkzaoOvd=w[7iM'gO#\DI5K4R7 Y?]AaBpN${U"a-\*c3h3l:~EGOQQLJJCG?}9t1p0}:CMLǥYHH›QPʥ\ЬbӬeѬeϩ^زjӱiЬbˣ^ţ\ɤ[̥aÛSTTOƝTȟVˢXҥ]ͥ]͡Uѧ]ӧaխhׯkѩbȟUǜR–QėOϣYש^ԧZңUϠR͞T’G?;x7v4u0q.g&c$WwNqKaA aB aB +gDnGqKuOrMtLqKrKsLsLtM vP$pJlG`<P3Q6L1C)@'C* :"9"7#6 8#<&8">%B(C'M+L, M- L+ M-Q. Q- N. H*F)M/ X3a7c:b8j<sD!rCj<l<p@sAj< f7h7j:d3d5`0]/d2g4j8g5i7p>p@l<g6l<qAwFNTWWZZ^]ac]USP["^'hQ#[M!ZN$]P*[O(cU/dX2rgDкҹԼӽҼӽӽվԾѽмҼҼкҼտԾҽӻӼԼѹӻкƪĺ{mqMt`>fR7cJ-]G W?K8P=M8U:fM(tV-pO%qN wM]&g.p8{=y>x9@CDGGI=~={5;;BIIUVSTRSǣ`ʥ\ɢVȣWʥYŜPORşWʟWɠYǟ[śWśUOŘOřOĖM™N™NŚOШ_ԪaѧYˣVΥ[ˠUȡS͢UԨ`Ӧ\Ӧ]٬aةYب[֥VΟKҝRӡZΛNʕJŕL=?z9g!]VZYSwPyM|R~U{QyOtIuJvLuNvNoIlEjHgEiL!hM$gL$_BY=[@F.:&6";(8$8#9#<%C&D(B(@%@&H+J, G)F)F(I)K* Q- T. Y2X0 ]4b5c7n;uByEvFq?q= o9 i8l= i9i6k9l: i9k8g4h8h7k9k9n=pBtE +uG}O}RSY\VZ]`c#\RzMtMqS#gO!\J\Q']J&ZO&ZM(aT/ulIѻѺҺѼԾҼԾԾӼԾϹӾҼлԾӻӻҺԽӺѸҹԻҺʳtoNsc>gZ9gT&hR([DX>]<E5 +V9W:b?qHyS$^']!e-n.v5y7|8=AA@{4::<;BFXSKTX\PQUPMIIIIǙPƝZƙTřRNKJKCAǘJˠRΟRʝOΣTҦXХTѥWԨZԨ[ӥ]Ԧ^է]զ[֨Zڭaڭ_߱bܮeګ^بVبY֧XԣVǘGEA?%<%;%8"9 =%?%?%B(C'E)H*P- R0 R. Q,U. X4 a4 q9t>t=vAu=v<u>uCs? r8wA uA vB s>s>m=i9f5m;p@q? i<g= oG qHoFwOvNtLtNyQ[^XvL +tItOiP#bN"[IXJ"^Q-_R-]R'e[2bæ϶изҹտӾӽҼҼվһӻսҺԽԽһսԼиӻԸҹҺ̲ǰs~]qDxa>oU.ZI%ZAY@Y;]=dAkGqNyU](_)r8p0y7t3x5|=>>}:~7{4>IMIGKPNDQOOMFFA}9@K?ILIGHFGØEʜMɜPʞTϤWХZΣV̝L͟RΠXΟVҤ\ӥ\̞U̝PϡR٬`ܱ^g޴fݱ^ڭ`שYӣQԥRϟKʛJțJəJȚPDFHx3o,b#S|QWV}WsMa<e@ fFhLwX"^.a.]-Z(~\'jKaGX>]CY?O5P:O8F-@*C, +A*?) @*=#=&8 <$=$@'B'G+I,L+H(G'J)P- V.U. a5b5 i8 n9l5o< t?r;wB {GyBzD +}HvE zHxGwEtD j<e;e= mFiA +kBlFjDiA hA h@ qFtNnH_;`?^E`N$ZK#YO#WJ"ZM(^Q+\P(cW/nʹϹѹϵйҽҽҼӾӽտҺӽӽҽӽԿԽһδγǻ}brW}b@mY6gM)aD^@gMgM!\=hFqO[$^&f0j2h1v9?=z9x6~>AKFAB@~6~;y7?ALKE>~:~ĘJƜSʠYˢXΣVɜJʟLƙI˜JΟTΠM˜LɚIȘG̝NΠMҥQԦSФQΡMУPҥSѤPҡN˘Hœ@ĔA”EǚLǚNŘPJABfClHpN!cJaEeK^CR6 L4 N5 +O4P4L3 E+>&>%>%>%9<";:< C$K%N&N)Q)X-V*[0 `3 e5d6 g9 pA{IxCOR!V#S!Y&X X ^$^f/a+|T"nKnMlIc; T6K1P7 UDXHWK [N)]P-^P+`T,g]7ɪϸиѸѹѼкѹӻվԽԿҹԻֽ׽Ӻ־־ֽѸʭȾpyYyjGqY1mP&cM ]C^= d?nM%[+\'h/p9s5y8~>H~?~@=:~8y6u/p-u3v8{=~;AAAA=>GKFFJDA=7558=>DDƖJ͞U͛KƖE’EC::BǛLəJƗGĔGC:7;ɛHÔB8>38:=7BÔLǚTǙSGB=:3~5v4t1o,l'p-n(n,l)f(b \ |TxQuLvQrMkLhImLiIfGjJkJa@W;W; X<F.?'>&A(B(;#<"78<"@#A$D$F%F'K)J)L)N,Q/P.X7 _5`5 h=uGwIO"T$S!Y"a(h/k2j0c+b.[&X#pKjE`AX@WFTHXL#ZM&\O)\O,bU/xmN̰иηγҹзҼкҼտռֿ־վֿռ־ֽռԺѷȮr`tLmY1eO*bP$`HiJlJoLV'`.m3n/n0w<B@;A=y7x8s2v7w8z={>{>x=x9@BDD<;6EH?54}6w0z2}4{3>BIėLED;/32?DĔGǗKB66?ŖCŕDÓCA?6y/}-9ÔIțP͠[ʛSŗIȘNϟ[əGʚFșIʚQŕHAB4x/v.r(r+o,l'j%`VxRsMnMlJiElHzS"xTuOkHsNvPbCO7 R7 Z<R5 P4 P8 C/ +:(@(B(E+H*H*G*G)M,L-I*G*I(J*K(O+O*X2b9h= h?qE{LX#W!_(c0b.a-`+X!~M|NqI`HTCUJWJ"ZO$ZM(^R-`R,xXÿ̳εκклѻϺҼӽտտտռ׾־տսԼԼֽӹӵϵĬkxTp_5jV.gP(eEdDxR|RR!]*`&h,n4q5|?}@{;DGw;w;n3t8r6s:u<|B{Bx:w5u.r)~8;867~58:|9x3}8:6A=@8y,66;=DC==?=Ŕ@ƕCǗIÓAŗI•CC46@ƙK˞T͞U͞R͞SƕJΝNѡOש_ש`٬^ۭ`ٮZЦW˞N5/6=6|1x2m!j&c!e,^&~X!{S|R|S|UW%X UzUqKqK"hFhFoNdB`CR;R8 S7 S8N4 H*I+H-G*H+H+E'E&I'A$E'G%O.Y5\6[8 [7b; hBnFqKwOwPyO!S |P{L{R vT!fMUFWJ$VI"YK&YL'\P*_R-l¨͵϶ѻзкϹѻлӽԾԾӽӾӿԿֿֿ׿־ؿֿ־վӻҽʱūúmyQxc6jY-jN d?iEtMyOY$]'d.k4o3zC}CEC|Ay>v:u9w8z:w7v7u4q+n+u/z2{.|49:=CAv-|6w0o#t,w.853>AA=@@DĔDÓCƗFəHȗCĖHƘJʞPǜNęMD>9<”EĔI˛KҤU֩[ҥS׫XثWТPҤUت^ܰ_گ`֬YϞJɗAœ>ǖEɘG̛LʙMœH;4z2u3r,m.f#[WZ!\&[XSV#qIpJmHmJjElLwW#rRgGZ8 Y8 \@R8V9P2L4 E*B%D(K+N.H)N.O0P1M-R0T3U3 X5 Y7 b> [: a=b=gClIoQ#mT&fM"YHXK#XG\J'[N*_S5dY4nʰ̲ͳ̶ϷѹӽӽԿտտҿԾԿտӾԼԿʲƨƼx]wh=cO$cJgGiEpH|Q Xb,g/o;zH{Ez@s9t:t:v:w:w>AHB|:w4t.q.n+n)u0{-5:DHGÓG“C“DțMȚI̞N˝MʝIǚLƛLřIƙGǚHHDD>?A<˚KӤTتVߵ_߷^۰_ϢNѤPӤRԥRԤPѡN͞K̝G˙FΞKӥQРNӤQӣOԧUУUʛLAJ;q.f!i'h)c ^XZyPuMqKnNqM['i0d/xU"aDgLnT&wY2nP&bES8 +L.F.L4X:O0K-F(F+F(G,J.K-O/N-R1P/S2U3Y8 Z8 `?dJ`N"aN#XGRBSEXL)YN+^S3gZ:ũδ̴ιҼӽԾӾԾѼҿҿҿѾҽҿԿԾԾӽӼӾԹέɬŻ}]ndɘFӤS׬Wݳ`ۮ_٭Y֩V֩VکXѣOΚDȖA;Ŕ@ĔA͜HѣPԧSڭ[ٯ^ح]۱cٮ^׭\ԩ]ͣYțRŗNHFGB9o)p1g.o6x@|Cw<|HIvAk:y['pQtPvUf2j2i4b0~Y*sM'hB^>[<V9S2Q2S1\8Y8 +U5N0O4S6U: +X=aI`L VH"UH!WI&XL*ZO1_T6znQ˱˳ͷ̶ԾԿҽӾӿսӻѺзɯ˲ҽֿйƬs[vRya;w]4sS'W)_/b-c+j2u=x>y;x9v:u8w7u6v9u8r1r6s5w7v9v8BG<;:<>:@”JțRʝMɝK@Bu6w8v6t9y9z:{>|=}9|8;ABCFFHE>=0AKϧ[Ҩ\ʡT˜P–KÖFDCÓC@B>‘B@>ƗAțKѢQթVתSתV٭[ٯYܱ\۰^ڰ\תT׫YԦTѤQըXԨVӨX֪]֬_֫^֬bѩ_Ҫ_֭dիdҪbШ`ͥ^̤Zͣ[Чcͥ]ϧb̤_ǙWF@{3t,j+g$dr5~FDBr.f*}WwQrJoHkE jD dCoHTxSrM\< P5O3U;U=V>bK]IQEPBVF!VJ&YL,\P3qĨʮδͶϹӾӾӽӾӿӼֿԾζ̵ստҹ׽Իѷʮ§ueVxGt=o8p:f.k3q8u:x>~Cz<}?v7y=xCDA;935;IʡVԨZˣUɢUƜP–IE“JƙKǚLƖJÖHB“C“BÓB@?̛LҥN֧WѦUԧVѥ]ӧVث[ح\٭XجWثWڭZ֫W׭Zح^ح]֭^֭aҪ]ѧ\̟TФVϦ^ͤ[ʡWʡWʠWϧ^խdխbծeӫ`Ҧ_ʜTH??{2{:y3x6{7|m9n:u@|Hw;|C{C}C~C{?w8z:|={9|JțPƜOɡVǞSěQ—KE•GǗKǙMǙOĕJ×JCA>@A=H•HGĖK•EǘH͞R֩[گ[ۯ_٭XۯZگ[޴cܳcٲbڳhխbΤZˢWɠQШ\Υ]ˢZɠUȞTʟUͥ[Ӭd֮eӫbѧ\ө`Υ\̟SśQĘNI<=7:{3p'n#k-k,_~UzSzSXW~VwPnKb?fEfEdEZFgO ZGL=PE$SF%VK(YL-laCμ˲ͷθѼѿӿԿӾԹҿӻֽվսֿ׿׿ּҶɮǽzlY|NzF|DJ~HFEE~AFBx7y9y;|8~8:w6p&j'[[ tTrRsR%tT&pV&WFI;QDRE#[N.\N.zoS˱ͷͷѼԽҾҾӾҿտǵ~׿ջеɮʺ¯v[UWxAw<~Dx?s7r4x@z;|;{=|;|<{:}=~A@?HFKG><@>;989@BDH–I˜NÙNB@A=8CAC@ŕG̟VʠTǜỌYͦXͦYȠUɦ[ѩ]ӫdЩfΨaѩ^ʡRɟSͤZͤWΥXˡUˢT̤ṾVѨ[Ѫ^ѩZѩ[Ѩ[լ`խbҫa֮aױbر_ծ^̥SϤSɝMȟTƞXěQSKK~7r0p6k9j:g1pZ(WGMCPCWK'SG&\M.}gĻ̴ϹθлҾҿԿԻ¼qøԾٿؼѸɩƷk\~Ms~={>A}>}>{;|=~=>~;@HGGÖLGCCDH˜HØMÙN™OÛOŚMIŜRɠQǝVŚU˜PʡWʤ\ͤ`̢^ɟYȞUɡYˢWͤVˢXɠRȟSǝRɠRΥWϧ]Ѩ\ΥVΩZΧYΩ[Ϩ]ԫbԫ[خbױ_֯]ի]ӨZӧ\Ҩ\̤WϨdΨcƠ`ĚZIQTN{Jq[+SFNEPCSH#UJ+]P4~fĻζϹкҾԾ̴vç׿ֽֽ־ּӼͳģķtcQzHyE{@}A|AC~Bw:xs=sEBC?CAAHIMMNQěWÜTÛROMšP›QŚQśPęN›NHJEK×MHƚOÖIŘIŘNǛOʜNȟPȞOˢW̤VΥXͤVӭbկjױnֶrմpͧaȣ_ʣcĠa]x=kW$VJTJ"SG!UH"`T6l_HεкϹѺѾտmӼؾؾ׾Էϰƨŷ|fXMPLMDDx=y5w9u6p.s1v2~;z6}:{8~;~;~;;?ECF7>8>COšVLNPĞWÞUPQIQKšOFNĝUÚRNJ™O˜KD™KĚNLØKDIÕIŚMƚPŚQƜNȟSЩeЫfέkΪf̥`ʣ`ɥešcYzFkS#ZN#\P)XK%[O&_S.ynQεϷиѼӿӿҼտԿӾyjؿԺαˮʽqd^KG{Aw9m/m2k-l/m/v8x6}=}:;}:>|>C<;>JKIDCA~=DMMLEQUŸ\USUSß[àXƢZ̨b˨dʦ`ʧ_̩bɢ[ŝRÜQORPH@@GENOZĢj£kXj3jVhS"gU,hW,fY/o\;~īз϶кҼվԾԿӾӾԾտ|kwȶԼӸȪßƻqZMzCzJ|H{@z?y=y?wJNKGHPVWWVŸ^]QLBORœXPLPTedfgOsa+jZ(m\/l[-m\1xi=vũζкϷӻԿտѽԿӽԿӿ|kѽֽϹŪǽvp_`SNNNONPVXTPI|?}>>GPRPPW[VTUTVQHGPYVLIIP[a]\Jo`.hY*m\1p_3sc:xPαѸѸϸӻӾԿԿҾŠ|eӾѷʯɼzynih[UVZ_`XPNQRJQTW\XYVSTNOKKKMLLBGQ]c_WyAp`0k]-k\0m^2vg>oæϵҹҺӺһԼսӾӽԾտԾѽҾԿӿҿēqɾҽֿҷѸƪæɿƹñvwlnea_Z\YVTTVWYVRRONJONNI=>?ENV[TRq8o^+l^.qb4ue{r βѷзҸӺԾԾӽտӾҿҿӿεؿսжɰ¥;¶|ndjf_\TRXSLKQTWQKM~DJMR^YQi9o_-pe7reChĺѶѹӸԹӻҼտտԾԾн϶׾չҺδŦɺwof]YZVUOPYTOPIK~KSY[~Nwf7o_4rf>z]ɯҹҹԺӻԽԼԿԾտտԿҼӾѾӿѿҺֿռҹҹεäͼĵò}qeYWXNPL}I|J~NUL~MqIwe9rf=zVĭѸҹѼһӾҼտӾӽԿҾѼҿҾ \ No newline at end of file diff --git a/tools/crypto_bench.c b/tools/crypto_bench.c index 96820ae428..0f62068905 100644 --- a/tools/crypto_bench.c +++ b/tools/crypto_bench.c @@ -33,6 +33,10 @@ #include "libavutil/intreadwrite.h" #include "libavutil/timer.h" +#ifndef AV_READ_TIME +#define AV_READ_TIME(x) 0 +#endif + #if HAVE_UNISTD_H #include /* for getopt */ #endif diff --git a/tools/graph2dot.c b/tools/graph2dot.c index 964322d080..868c62f0d8 100644 --- a/tools/graph2dot.c +++ b/tools/graph2dot.c @@ -153,7 +153,7 @@ int main(int argc, char **argv) /* read from infile and put it in a buffer */ { - unsigned int count = 0; + int64_t count = 0; struct line *line, *last_line, *first_line; char *p; last_line = first_line = av_malloc(sizeof(struct line)); @@ -169,7 +169,7 @@ int main(int argc, char **argv) graph_string = av_malloc(count + 1); p = graph_string; for (line = first_line; line->next; line = line->next) { - unsigned int l = strlen(line->data); + size_t l = strlen(line->data); memcpy(p, line->data, l); p += l; } diff --git a/tools/zmqsend.c b/tools/zmqsend.c index d47bf216b4..6148bd623c 100644 --- a/tools/zmqsend.c +++ b/tools/zmqsend.c @@ -53,7 +53,7 @@ int main(int argc, char **argv) { AVBPrint src; char c, *src_buf, *recv_buf; - int recv_buf_size, ret; + int recv_buf_size, ret = 0; void *zmq_ctx, *socket; const char *bind_address = "tcp://localhost:5555"; const char *infilename = NULL;