From 04361427e65a687469a3bb0859971292d2dc11e4 Mon Sep 17 00:00:00 2001 From: Andrew Stone Date: Mon, 18 Aug 2014 17:28:23 -0400 Subject: [PATCH 0001/1352] Revert "lavf: eliminate ff_get_audio_frame_size()" This reverts commit 30e50c50274f88f0f5ae829f401cd3c7f5266719. The original commit broke the ability to stream AAC over HTTP/Icecast. It looks like avformat_find_stream_info() gets stuck in an infinite loop, never hitting AVFormatContext.max_analyze_duration since duration is never set for any of the packets. Example stream: http://listen.classicrocklounge.com:8000/aac64 Signed-off-by: Anton Khirnov --- libavformat/internal.h | 2 ++ libavformat/utils.c | 23 ++++++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/libavformat/internal.h b/libavformat/internal.h index 9921ce11e0..2824436286 100644 --- a/libavformat/internal.h +++ b/libavformat/internal.h @@ -326,6 +326,8 @@ int ff_interleave_packet_per_dts(AVFormatContext *s, AVPacket *out, void ff_compute_frame_duration(int *pnum, int *pden, AVStream *st, AVCodecParserContext *pc, AVPacket *pkt); +int ff_get_audio_frame_size(AVCodecContext *enc, int size, int mux); + unsigned int ff_codec_get_tag(const AVCodecTag *tags, enum AVCodecID id); enum AVCodecID ff_codec_get_id(const AVCodecTag *tags, unsigned int tag); diff --git a/libavformat/utils.c b/libavformat/utils.c index 4cc246d9ee..973ab94d6f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -453,6 +453,27 @@ int ff_read_packet(AVFormatContext *s, AVPacket *pkt) /**********************************************************/ +/** + * Get the number of samples of an audio frame. Return -1 on error. + */ +int ff_get_audio_frame_size(AVCodecContext *enc, int size, int mux) +{ + int frame_size; + + /* give frame_size priority if demuxing */ + if (!mux && enc->frame_size > 1) + return enc->frame_size; + + if ((frame_size = av_get_audio_frame_duration(enc, size)) > 0) + return frame_size; + + /* Fall back on using frame_size if muxing. */ + if (enc->frame_size > 1) + return enc->frame_size; + + return -1; +} + /** * Return the frame duration in seconds. Return 0 if not available. */ @@ -488,7 +509,7 @@ void ff_compute_frame_duration(int *pnum, int *pden, AVStream *st, } break; case AVMEDIA_TYPE_AUDIO: - frame_size = av_get_audio_frame_duration(st->codec, pkt->size); + frame_size = ff_get_audio_frame_size(st->codec, pkt->size, 0); if (frame_size <= 0 || st->codec->sample_rate <= 0) break; *pnum = frame_size; From 7dfccac20c0c539e139bd9f75101f72ed4f2736c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Wed, 20 Aug 2014 05:40:53 +0000 Subject: [PATCH 0002/1352] electronicarts: do not fail on zero-sized chunks At least one FATE sample contains such chunks and happens to work simply by accident (due to find_stream_info() swallowing the error). CC: libav-stable@libav.org (cherry picked from commit 4d6c5152849e23a4cc0f6a6ac2880c01ebcd301b) Signed-off-by: Anton Khirnov --- libavformat/electronicarts.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 879ed9732d..adcd45a6f2 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c 
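Review bot: The doc comment restored with ff_get_audio_frame_size() in hunk @@ -453 only states the return value and leaves `size` and `mux` undocumented, although `mux` decides which source of the frame size wins. I would add `@param size packet size in bytes, forwarded to av_get_audio_frame_duration()` and `@param mux non-zero when muxing; when zero, enc->frame_size takes priority`. Because the revert is motivated by a hang in avformat_find_stream_info(), a why-comment at the call site in hunk @@ -488 would help stop the fallback from being removed again, for example `/* keep the frame_size fallback so packets get a duration (see revert of 30e50c5) */`. ff_compute_frame_duration() starts and ends outside that hunk.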
@@ -522,7 +522,7 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) while (!packet_read) { chunk_type = avio_rl32(pb); chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); - if (chunk_size <= 8) + if (chunk_size < 8) return AVERROR_INVALIDDATA; chunk_size -= 8; @@ -547,6 +547,9 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 8); chunk_size -= 12; } + if (!chunk_size) + continue; + ret = av_get_packet(pb, pkt, chunk_size); if (ret < 0) return ret; @@ -607,6 +610,9 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) goto get_video_packet; case mTCD_TAG: + if (chunk_size < 8) + return AVERROR_INVALIDDATA; + avio_skip(pb, 8); // skip ea DCT header chunk_size -= 8; goto get_video_packet; @@ -617,6 +623,9 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) key = AV_PKT_FLAG_KEY; case MV0F_TAG: get_video_packet: + if (!chunk_size) + continue; + ret = av_get_packet(pb, pkt, chunk_size); if (ret < 0) return ret; From e8f2823f06513d3d1177b8ba7c853d63194e5d8a Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 20 Aug 2014 09:56:26 -0700 Subject: [PATCH 0003/1352] vsrc_movie: Adjust a silly typo from b977b287f61fea48ecd6251d54a26334213b7ec6 (cherry picked from commit 11cd727fbd603197cb1e49654fce3352d56f8fd8) Signed-off-by: Diego Biurrun --- libavfilter/vsrc_movie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vsrc_movie.c b/libavfilter/vsrc_movie.c index 1ee0f168f0..0e5df327d8 100644 --- a/libavfilter/vsrc_movie.c +++ b/libavfilter/vsrc_movie.c 
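Review bot: In hunk @@ -547 the context line `chunk_size -= 12;` has no visible lower-bound check, and with this commit a chunk can reach it with as little as 0 bytes left after the 8-byte header. A remainder below 12 then wraps or goes negative, depending on the type of `chunk_size`, which is declared outside the hunk. The new `if (!chunk_size) continue;` does not catch that, so av_get_packet() is called with the bogus size. Unless a guard sits just above the hunk, add one in the style of the mTCD_TAG check this commit introduces: `if (chunk_size < 12) return AVERROR_INVALIDDATA;` before the subtraction. ea_read_packet() starts and ends outside these hunks.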
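Review bot: In hunk @@ -617 the new `continue` under `get_video_packet:` is reached after `key = AV_PKT_FLAG_KEY;` has been assigned for the tags that fall through from above. If `key` is declared outside the `while (!packet_read)` loop (its declaration is not in the hunk), an empty key-frame chunk would leave the flag set, and the next non-empty video packet would be marked as a key frame. Consider resetting it on this path: `if (!chunk_size) { key = 0; continue; }`.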
@@ -226,7 +226,7 @@ static int movie_get_frame(AVFilterLink *outlink) "movie_get_frame(): file:'%s' pts:%"PRId64" time:%f aspect:%d/%d\n", movie->file_name, movie->frame->pts, (double)movie->frame->pts * - av_q2d(movie->format_ctx->streams[movie->stream_index]), + av_q2d(movie->format_ctx->streams[movie->stream_index]->time_base), movie->frame->sample_aspect_ratio.num, movie->frame->sample_aspect_ratio.den); // We got it. Free the packet since we are returning From d04fb118684f7d57474ee52da9c03cfee7a442b5 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 20 Aug 2014 09:35:08 -0700 Subject: [PATCH 0004/1352] error_resilience: Drop asserts from guess_mv() The asserts check struct members that are not referenced in guess_mv() and one of them fails to compile. (cherry picked from commit 7cb66ebc0be48489785f7166c9d15eac594b0763) Signed-off-by: Diego Biurrun --- libavcodec/error_resilience.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index b41474ad48..33b0360092 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -430,8 +430,6 @@ static void guess_mv(ERContext *s) if (fixed[mb_xy] == MV_FROZEN) continue; - assert(!IS_INTRA(s->cur_pic.mb_type[mb_xy])); - assert(s->last_pic && s->last_pic.f->data[0]); j = 0; if (mb_x > 0 && fixed[mb_xy - 1] == MV_FROZEN) From d2bad216f775da9c17a79c41ffd3df501b403100 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 20 Aug 2014 09:48:54 -0700 Subject: [PATCH 0005/1352] mpeg12enc: Add missing #include for PICT_FRAME (cherry picked from commit 8fc6a70c2167b645b7a37d0cbc0e276e7b787cc9) Signed-off-by: Diego Biurrun --- libavcodec/mpeg12enc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index c4089c9582..3376f1075f 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c 
@@ -37,6 +37,7 @@ #include "mathops.h" #include "mpeg12.h" #include "mpeg12data.h" +#include "mpegutils.h" #include "mpegvideo.h" From 63795fe5b967b93bd476aedfd6a9260b99355525 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 20 Aug 2014 09:54:50 -0700 Subject: [PATCH 0006/1352] setpts: Add missing inttypes.h #include for PRId64 Also convert a debug av_log() to av_dlog(). (cherry picked from commit 593aaee953f8b07c141ff115e67bae85ef0350c7) Signed-off-by: Diego Biurrun --- libavfilter/setpts.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/libavfilter/setpts.c b/libavfilter/setpts.c index ff0016d04c..fa7a0be0a9 100644 --- a/libavfilter/setpts.c +++ b/libavfilter/setpts.c @@ -24,6 +24,8 @@ * video presentation timestamp (PTS) modification filter */ +#include + #include "libavutil/eval.h" #include "libavutil/internal.h" #include "libavutil/mathematics.h" @@ -141,15 +143,12 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) d = av_expr_eval(setpts->expr, setpts->var_values, NULL); frame->pts = D2TS(d); -#ifdef DEBUG - av_log(inlink->dst, AV_LOG_DEBUG, - "n:%"PRId64" interlaced:%d pts:%"PRId64" t:%f -> pts:%"PRId64" t:%f\n", - (int64_t)setpts->var_values[VAR_N], - (int)setpts->var_values[VAR_INTERLACED], - in_pts, in_pts * av_q2d(inlink->time_base), - frame->pts, frame->pts * av_q2d(inlink->time_base)); -#endif - + av_dlog(inlink->dst, + "n:%"PRId64" interlaced:%d pts:%"PRId64" t:%f -> pts:%"PRId64" t:%f\n", + (int64_t)setpts->var_values[VAR_N], + (int)setpts->var_values[VAR_INTERLACED], + in_pts, in_pts * av_q2d(inlink->time_base), + frame->pts, frame->pts * av_q2d(inlink->time_base)); if (inlink->type == AVMEDIA_TYPE_VIDEO) { setpts->var_values[VAR_N] += 1.0; From 0263750a0db723760d61bcaafc6964a371adcdfc Mon Sep 17 00:00:00 2001 
From: Diego Biurrun Date: Mon, 25 Aug 2014 17:26:15 +0200 Subject: [PATCH 0007/1352] vfwcap: Add fallback define for HWND_MESSAGE Some obsolete versions of the MinGW32 runtime (<4.0.0) lack the definition. (cherry picked from commit ab56fabe6294524e99815451ad01e4ff50c6d734) Signed-off-by: Diego Biurrun --- libavdevice/vfwcap.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavdevice/vfwcap.c b/libavdevice/vfwcap.c index c067be3f83..b47de1b282 100644 --- a/libavdevice/vfwcap.c +++ b/libavdevice/vfwcap.c @@ -27,6 +27,11 @@ #include #include +/* Some obsolete versions of MinGW32 before 4.0.0 lack this. */ +#ifndef HWND_MESSAGE +#define HWND_MESSAGE ((HWND) -3) +#endif + struct vfw_ctx { const AVClass *class; HWND hwnd; From 8c91414803e4cd26dcb27e6147424d09d19cd72a Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 24 Aug 2014 19:34:13 +0200 Subject: [PATCH 0008/1352] vc1: Fix the skip condition As written in the comment above, skip must be added only if a start code is found. --- libavcodec/vc1_parser.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_parser.c b/libavcodec/vc1_parser.c index 43ca0ede87..a6532820d1 100644 --- a/libavcodec/vc1_parser.c +++ b/libavcodec/vc1_parser.c @@ -123,6 +123,7 @@ static int vc1_parse(AVCodecParserContext *s, uint8_t *unesc_buffer = vpc->unesc_buffer; size_t unesc_index = vpc->unesc_index; VC1ParseSearchState search_state = vpc->search_state; + int start_code_found; int next = END_NOT_FOUND; int i = vpc->bytes_to_skip; @@ -133,8 +134,8 @@ static int vc1_parse(AVCodecParserContext *s, next = 0; } while (i < buf_size) { - int start_code_found = 0; uint8_t b; + start_code_found = 0; while (i < buf_size && unesc_index < UNESCAPED_THRESHOLD) { b = buf[i++]; unesc_buffer[unesc_index++] = b; 
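Review bot: In the vc1_parser.c change, `start_code_found` is now declared at function scope without an initializer (hunk @@ -123) and is assigned only inside `while (i < buf_size)` (hunk @@ -133). The new test `if (next < 0 && start_code_found)` in hunk @@ -232 reads it after the loop. If the loop body never runs, for instance when `i` is already at or beyond `buf_size` on entry, that read is of an indeterminate value. Declaring it as `int start_code_found = 0;` closes the gap; PATCH 0012 further down this page makes exactly that change. vc1_parse() starts and ends outside these hunks.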
@@ -232,7 +233,7 @@ static int vc1_parse(AVCodecParserContext *s, * the start code we've already seen, or cause extra bytes to be * inserted at the start of the unescaped buffer. */ vpc->bytes_to_skip = 4; - if (next < 0) + if (next < 0 && start_code_found) vpc->bytes_to_skip += next; *poutbuf = buf; From c2d6cc2971b365bf3e90b5b57a6ba3fe0e19061f Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 25 Aug 2014 21:21:57 +0000 Subject: [PATCH 0009/1352] mpegenc: limit the maximum muxrate It is written to the file as a 22-bit value. CC: libav-stable@libav.org (cherry picked from commit 75bbaf2493a71ee66eaabe3c21fadd84d07888de) Signed-off-by: Anton Khirnov --- libavformat/mpegenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index 1ba7647e80..88590b305b 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -1157,7 +1157,7 @@ static int mpeg_mux_end(AVFormatContext *ctx) #define OFFSET(x) offsetof(MpegMuxContext, x) #define E AV_OPT_FLAG_ENCODING_PARAM static const AVOption options[] = { - { "muxrate", NULL, OFFSET(mux_rate), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, INT_MAX, E }, + { "muxrate", NULL, OFFSET(mux_rate), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, (1 << 22) - 1, E }, { "preload", "Initial demux-decode delay in microseconds.", OFFSET(preload), AV_OPT_TYPE_INT, { .i64 = 500000 }, 0, INT_MAX, E }, { NULL }, }; From 7c4685507498025d11bb48b3f54301a99fcf8582 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 25 Aug 2014 21:24:35 +0000 Subject: [PATCH 0010/1352] avconv: fix the muxrate values for -target The mpegenc private option values are in 50-byte units. CC: libav-stable@libav.org (cherry picked from commit 1688eef25385089026aba55da1885f70a57815ab) Signed-off-by: Anton Khirnov --- avconv_opt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/avconv_opt.c b/avconv_opt.c index f070b99b1c..33ac290b19 100644 --- a/avconv_opt.c +++ b/avconv_opt.c 
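Review bot: In the mpegenc.c hunk the `muxrate` entry keeps a NULL help string, so neither the unit nor the reason for the new `(1 << 22) - 1` ceiling is visible to users or to the next reader of the table. A short description such as `"mux rate, in units of 50 bytes/s (stored as a 22-bit field)"` would document both. The unit is taken from the commit message of the following avconv patch and should be confirmed against the muxer code. A named constant for the limit would also make the link to the on-disk field width explicit.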
@@ -1803,7 +1803,7 @@ static int opt_target(void *optctx, const char *opt, const char *arg) parse_option(o, "ac", "2", options); opt_default(NULL, "packetsize", "2324"); - opt_default(NULL, "muxrate", "1411200"); // 2352 * 75 * 8; + opt_default(NULL, "muxrate", "3528"); // 2352 * 75 / 50; /* We have to offset the PTS, so that it is consistent with the SCR. SCR starts at 36000, but the first two packs contain only padding @@ -1849,7 +1849,7 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "bufsize", "1835008"); // 224*1024*8; opt_default(NULL, "packetsize", "2048"); // from www.mpucoder.com: DVD sectors contain 2048 bytes of data, this is also the size of one pack. - opt_default(NULL, "muxrate", "10080000"); // from mplex project: data_rate = 1260000. mux_rate = data_rate * 8 + opt_default(NULL, "muxrate", "25200"); // from mplex project: data_rate = 1260000. mux_rate = data_rate / 50 opt_default(NULL, "b:a", "448000"); parse_option(o, "ar", "48000", options); From e2a89f7f0f8fe1c769c83d33efa717cc7b2edc57 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 26 Aug 2014 06:26:35 +0000 Subject: [PATCH 0011/1352] avconv: fix parsing the AVOptions for -target CC: libav-stable@libav.org (cherry picked from commit f5245a9c6206878b892adf3ccbccc9311c202af5) Signed-off-by: Anton Khirnov --- avconv_opt.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/avconv_opt.c b/avconv_opt.c index 33ac290b19..2d0691252a 100644 --- a/avconv_opt.c +++ b/avconv_opt.c @@ -1870,6 +1870,10 @@ static int opt_target(void *optctx, const char *opt, const char *arg) av_log(NULL, AV_LOG_ERROR, "Unknown target: %s\n", arg); return AVERROR(EINVAL); } + + av_dict_copy(&o->g->codec_opts, codec_opts, 0); + av_dict_copy(&o->g->format_opts, format_opts, 0); + return 0; } From ee099059e71efe44a877af6111b74878dac618ce Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Wed, 27 Aug 2014 02:50:58 +0200 Subject: [PATCH 0012/1352] vc1: Initialize start_code_found to 0 --- libavcodec/vc1_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_parser.c b/libavcodec/vc1_parser.c index a6532820d1..7d8d016be9 100644 --- a/libavcodec/vc1_parser.c +++ b/libavcodec/vc1_parser.c @@ -123,7 +123,7 @@ static int vc1_parse(AVCodecParserContext *s, uint8_t *unesc_buffer = vpc->unesc_buffer; size_t unesc_index = vpc->unesc_index; VC1ParseSearchState search_state = vpc->search_state; - int start_code_found; + int start_code_found = 0; int next = END_NOT_FOUND; int i = vpc->bytes_to_skip; From e62f08ca8d6e558956ff3094085338cb4dd6afd8 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 23 Aug 2014 19:03:21 +0200 Subject: [PATCH 0013/1352] pulse: Add a wallclock option to be compatible with other other captures alsa and x11grab use av_gettime() to report timestamps. Have it on by default. Bug-Id: 647 (cherry picked from commit 424b929b5cb9ca4094099f25179829260d4b0fa3) (cherry picked from commit 404731bd20e1df5880e6fe381e975ba48afc75b2) Signed-off-by: Luca Barbato --- libavdevice/pulse.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavdevice/pulse.c b/libavdevice/pulse.c index a8e710d279..2136ee3fa4 100644 --- a/libavdevice/pulse.c +++ b/libavdevice/pulse.c @@ -31,6 +31,7 @@ #include "libavformat/avformat.h" #include "libavformat/internal.h" +#include "libavutil/time.h" #include "libavutil/opt.h" #define DEFAULT_CODEC_ID AV_NE(AV_CODEC_ID_PCM_S16BE, AV_CODEC_ID_PCM_S16LE) @@ -47,6 +48,7 @@ typedef struct PulseData { pa_simple *s; int64_t pts; int64_t frame_duration; + int wallclock; } PulseData; static pa_sample_format_t codec_id_to_pulse_format(int codec_id) { @@ -141,6 +143,8 @@ static int pulse_read_packet(AVFormatContext *s, AVPacket *pkt) if (pd->pts == AV_NOPTS_VALUE) { pd->pts = -latency; + if (pd->wallclock) + pd->pts += av_gettime(); } pkt->pts = pd->pts; 
@@ -168,6 +172,7 @@ static const AVOption options[] = { { "channels", "number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = 2}, 1, INT_MAX, D }, { "frame_size", "number of bytes per frame", OFFSET(frame_size), AV_OPT_TYPE_INT, {.i64 = 1024}, 1, INT_MAX, D }, { "fragment_size", "buffering size, affects latency and cpu usage", OFFSET(fragment_size), AV_OPT_TYPE_INT, {.i64 = -1}, -1, INT_MAX, D }, + { "wallclock", "set the initial pts using the current time", OFFSET(wallclock), AV_OPT_TYPE_INT, {.i64 = 1}, -1, 1, D }, { NULL }, }; From 1f52f82a55a544838f5e49e639488c1f15de8a42 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 18 May 2014 10:52:41 +0200 Subject: [PATCH 0014/1352] doc/APIchanges: fill in missing hashes and dates --- doc/APIchanges | 58 +++++++++++++++++++++++++------------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 6d1f0614fa..14ec297f16 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
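Review bot: The `wallclock` option is used as a boolean (`if (pd->wallclock)` in hunk @@ -141) but is registered with the range `-1, 1`, so `-1` is accepted and behaves exactly like `1`. Unless -1 is meant as an "auto" value handled somewhere outside these hunks, the lower bound should be 0: `{.i64 = 1}, 0, 1, D`. The help string could also say that the option is on by default, since that changes the timestamps existing users get.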
@@ -13,107 +13,107 @@ libavutil: 2014-08-09 API changes, most recent first: -2014-08-xx - xxxxxxx - lavu 54.03.0 - mem.h +2014-08-13 - 8ddc326 - lavu 54.03.0 - mem.h Add av_strndup(). -2014-xx-xx - xxxxxxx - lavu 54.02.0 - opt.h +2014-08-13 - a8c104a - lavu 54.02.0 - opt.h Add av_opt_get_dict_val/set_dict_val with AV_OPT_TYPE_DICT to support dictionary types being set as options. -2014-xx-xx - xxxxxxx - lavf 56.01.0 - avformat.h +2014-08-13 - afbd4b8 - lavf 56.01.0 - avformat.h Add AVFormatContext.event_flags and AVStream.event_flags for signaling to the user when events happen in the file/stream. -2014-04-xx - xxxxxxx - lavr 2.1.0 - avresample.h +2014-08-10 - fb1ddcd - lavr 2.1.0 - avresample.h Add avresample_convert_frame() and avresample_config(). -2014-04-xx - xxxxxxx - lavu 54.1.0 - error.h +2014-08-10 - fb1ddcd - lavu 54.1.0 - error.h Add AVERROR_INPUT_CHANGED and AVERROR_OUTPUT_CHANGED. -2014-08-xx - xxxxxxx - lavc 55.57.4 - avcodec.h +2014-08-08 - d35b94f - lavc 55.57.4 - avcodec.h Deprecate FF_IDCT_XVIDMMX define and xvidmmx idct option. Replaced by FF_IDCT_XVID and xvid respectively. -2014-08-xx - xxxxxxx - lsws 2.1.3 - swscale.h +2014-08-07 - bb78903 - lsws 2.1.3 - swscale.h sws_getCachedContext is not going to be removed in the future. -2014-08-xx - xxxxxxx - lavc 55.57.3 - avcodec.h +2014-08-07 - ad1ee5f - lavc 55.57.3 - avcodec.h reordered_opaque is not going to be removed in the future. -2014-08-xx - xxxxxxx - lavu 53.22.0 - pixfmt.h +2014-08-04 - e9abafc - lavu 53.22.0 - pixfmt.h Add AV_PIX_FMT_YA16 pixel format for 16 bit packed gray with alpha. -2014-08-xx - xxxxxxx - lavu 53.21.1 - avstring.h +2014-08-04 - e96c3b8 - lavu 53.21.1 - avstring.h Rename AV_PIX_FMT_Y400A to AV_PIX_FMT_YA8 to better identify the format. An alias pixel format and color space name are provided for compatibility. -2014-08-xx - xxxxxxx - lavu 53.21.0 - pixdesc.h +2014-08-04 - d2962e9 - lavu 53.21.0 - pixdesc.h Support name aliases for pixel formats. 
-2014-08-xx - xxxxxxx - lavc 55.57.2 - avcodec.h -2014-08-xx - xxxxxxx - lavu 53.20.0 - frame.h +2014-08-03 - 1ef9e83 - lavc 55.57.2 - avcodec.h +2014-08-03 - 1ef9e83 - lavu 53.20.0 - frame.h Deprecate AVCodecContext.dtg_active_format and use side-data instead. -2014-08-xx - xxxxxxx - lavc 55.57.1 - avcodec.h +2014-08-03 - 9f17685 - lavc 55.57.1 - avcodec.h Deprecate unused FF_IDCT_IPP define and ipp avcodec option. Deprecate unused FF_DEBUG_PTS define and pts avcodec option. Deprecate unused FF_CODER_TYPE_DEFLATE define and deflate avcodec option. Deprecate unused FF_DCT_INT define and int avcodec option. Deprecate unused avcodec option scenechange_factor. -2014-07-xx - xxxxxxx - lavu 53.19.0 - avstring.h +2014-07-29 - 69e7336 - lavu 53.19.0 - avstring.h Make name matching function from lavf public as av_match_name(). -2014-xx-xx - xxxxxxx - lavc 55.57.0 - avcodec.h +2014-07-28 - c5fca01 - lavc 55.57.0 - avcodec.h Add AV_CODEC_PROP_REORDER to mark codecs supporting frame reordering. -2014-07-xx - xxxxxxx - lavu 53.18.0 - display.h +2014-07-09 - a54f03b - lavu 53.18.0 - display.h Add av_display_matrix_flip() to flip the transformation matrix. -2014-07-xx - xxxxxxx - lavc 55.56.0 - dv_profile.h +2014-07-09 - f6ee61f - lavc 55.56.0 - dv_profile.h Add a public API for DV profile handling. -2014-06-xx - xxxxxxx - lavu 53.17.0 - imgutils.h +2014-06-20 - 9e500ef - lavu 53.17.0 - imgutils.h Add av_image_check_sar(). -2014-06-xx - xxxxxxx - lavc 55.55.0 - avcodec.h +2014-06-20 - 874390e - lavc 55.55.0 - avcodec.h Add av_packet_rescale_ts() to simplify timestamp conversion. -2014-xx-xx - xxxxxxx - lavf 55.20.0 - avformat.h +2014-06-18 - 194be1f - lavf 55.20.0 - avformat.h The proper way for providing a hint about the desired timebase to the muxers is now setting AVStream.time_base, instead of AVStream.codec.time_base as was done previously. The old method is now deprecated. 
-2014-04-xx - xxxxxxx - lavc 55.54.0 - avcodec.h +2014-06-01 - 0957b27 - lavc 55.54.0 - avcodec.h Add AVCodecContext.side_data_only_packets to allow encoders to output packets with only side data. This option may become mandatory in the future, so all users are recommended to update their code and enable this option. -2014-xx-xx - xxxxxxx - lavu 53.16.0 - frame.h, pixfmt.h +2014-06-01 - 8c02adc - lavu 53.16.0 - frame.h, pixfmt.h Move all color-related enums (AVColorPrimaries, AVColorSpace, AVColorRange, AVColorTransferCharacteristic, and AVChromaLocation) inside lavu. Add AVFrame fields for them on the next lavu major bump. -2014-04-xx - xxxxxxx - lavr 1.3.0 - avresample.h +2014-05-28 - b2d4565 - lavr 1.3.0 - avresample.h Add avresample_max_output_samples -2014-05-24 - xxxxxxx - lavf 55.19.0 - avformat.h +2014-05-28 - 6d21259 - lavf 55.19.0 - avformat.h Add strict_std_compliance and related AVOptions to support experimental muxing. -2014-05-19 - xxxxxxx - lavf 55.18.0 - avformat.h +2014-05-20 - c23c96b - lavf 55.18.0 - avformat.h Add av_stream_get_side_data() to access stream-level side data in the same way as av_packet_get_side_data(). -2014-05-xx - xxxxxxx - lavu 53.15.0 - frame.h, display.h +2014-05-19 - bddd8cb - lavu 53.15.0 - frame.h, display.h Add AV_FRAME_DATA_DISPLAYMATRIX for exporting frame-level spatial rendering on video frames for proper display. -2014-05-xx - xxxxxxx - lavc 55.53.0 - avcodec.h +2014-05-19 - bddd8cb - lavc 55.53.0 - avcodec.h Add AV_PKT_DATA_DISPLAYMATRIX for exporting packet-level spatial rendering on video frames for proper display. -2014-05-xx - xxxxxxx - lavf 55.17.1 - avformat.h +2014-05-19 - a312f71 - lavf 55.17.1 - avformat.h Deprecate AVStream.pts and the AVFrac struct, which was its only use case. Those fields were poorly defined and not meant to be public, so there is no replacement for them. From 5694831e0693ad70581a766d1f0ebefbbae8bc2f Mon Sep 17 00:00:00 2001 
From: Vittorio Giovara Date: Wed, 23 Jul 2014 09:49:24 +0100 Subject: [PATCH 0015/1352] matroska: list supported extensions --- libavformat/matroskadec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 42204a4acf..431fe57348 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2601,6 +2601,7 @@ static int matroska_read_close(AVFormatContext *s) AVInputFormat ff_matroska_demuxer = { .name = "matroska,webm", .long_name = NULL_IF_CONFIG_SMALL("Matroska / WebM"), + .extensions = "mkv,mk3d,mka,mks", .priv_data_size = sizeof(MatroskaDemuxContext), .read_probe = matroska_probe, .read_header = matroska_read_header, From 110841c3ab1d617107f4fb229fcd33d5ca357bbe Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 23 Jul 2014 09:21:28 +0100 Subject: [PATCH 0016/1352] avcodec: add stream-level stereo3d side data --- doc/APIchanges | 3 +++ libavcodec/avcodec.h | 6 ++++++ libavcodec/utils.c | 9 ++++++++ libavcodec/version.h | 2 +- libavformat/dump.c | 50 ++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 69 insertions(+), 1 deletion(-) diff --git a/doc/APIchanges b/doc/APIchanges index 14ec297f16..7134e786aa 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -13,6 +13,9 @@ libavutil: 2014-08-09 API changes, most recent first: +2014-08-28 - 9301486 - lavc 56.1.0 - avcodec.h + Add AV_PKT_DATA_STEREO3D to export container-level stereo3d information. + 2014-08-13 - 8ddc326 - lavu 54.03.0 - mem.h Add av_strndup(). diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 93aad35d33..14440fe3c1 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h 
@@ -911,6 +911,12 @@ enum AVPacketSideDataType { * See libavutil/display.h for a detailed description of the data. */ AV_PKT_DATA_DISPLAYMATRIX, + + /* + * This side data should be associated with a video stream and contains + * Stereoscopic 3D information in form of the AVStereo3D struct. + */ + AV_PKT_DATA_STEREO3D, }; typedef struct AVPacketSideData { diff --git a/libavcodec/utils.c b/libavcodec/utils.c index afc0396375..c5fa50d06b 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -596,6 +596,15 @@ int ff_decode_frame_props(AVCodecContext *avctx, AVFrame *frame) memcpy(frame_sd->data, packet_sd, size); } + /* copy the stereo3d format to the output frame */ + packet_sd = av_packet_get_side_data(pkt, AV_PKT_DATA_STEREO3D, &size); + if (packet_sd) { + frame_sd = av_frame_new_side_data(frame, AV_FRAME_DATA_STEREO3D, size); + if (!frame_sd) + return AVERROR(ENOMEM); + + memcpy(frame_sd->data, packet_sd, size); + } return 0; } diff --git a/libavcodec/version.h b/libavcodec/version.h index b42b9704ad..8cc2fb0317 100644 --- a/libavcodec/version.h +++ b/libavcodec/version.h @@ -29,7 +29,7 @@ #include "libavutil/version.h" #define LIBAVCODEC_VERSION_MAJOR 56 -#define LIBAVCODEC_VERSION_MINOR 0 +#define LIBAVCODEC_VERSION_MINOR 1 #define LIBAVCODEC_VERSION_MICRO 0 #define LIBAVCODEC_VERSION_INT AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \ diff --git a/libavformat/dump.c b/libavformat/dump.c index cdf2da1ca8..58ed6547a0 100644 --- a/libavformat/dump.c +++ b/libavformat/dump.c @@ -27,6 +27,7 @@ #include "libavutil/log.h" #include "libavutil/mathematics.h" #include "libavutil/replaygain.h" +#include "libavutil/stereo3d.h" #include "avformat.h" 
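Review bot: In the utils.c hunk @@ -596 the stereo3d side data is copied into the frame with whatever `size` the packet carries; nothing checks it against `sizeof(AVStereo3D)`. dump_stereo3d() in this same commit rejects undersized blobs before casting, but other readers of AV_FRAME_DATA_STEREO3D may cast `frame_sd->data` directly, so a short blob supplied by a demuxer or API user could be read past its end. Consider skipping the copy when the blob is too small, e.g. `if (packet_sd && size >= (int)sizeof(AVStereo3D)) {`. This needs the AVStereo3D definition in scope, and the file's includes are not part of the hunk. ff_decode_frame_props() starts outside the hunk.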
@@ -229,6 +230,51 @@ static void dump_replaygain(void *ctx, AVPacketSideData *sd) print_peak(ctx, "album peak", rg->album_peak); } +static void dump_stereo3d(void *ctx, AVPacketSideData *sd) +{ + AVStereo3D *stereo; + + if (sd->size < sizeof(*stereo)) { + av_log(ctx, AV_LOG_INFO, "invalid data"); + return; + } + + stereo = (AVStereo3D *)sd->data; + + switch (stereo->type) { + case AV_STEREO3D_2D: + av_log(ctx, AV_LOG_INFO, "2D"); + break; + case AV_STEREO3D_SIDEBYSIDE: + av_log(ctx, AV_LOG_INFO, "side by side"); + break; + case AV_STEREO3D_TOPBOTTOM: + av_log(ctx, AV_LOG_INFO, "top and bottom"); + break; + case AV_STEREO3D_FRAMESEQUENCE: + av_log(ctx, AV_LOG_INFO, "frame alternate"); + break; + case AV_STEREO3D_CHECKERBOARD: + av_log(ctx, AV_LOG_INFO, "checkerboard"); + break; + case AV_STEREO3D_LINES: + av_log(ctx, AV_LOG_INFO, "interleaved lines"); + break; + case AV_STEREO3D_COLUMNS: + av_log(ctx, AV_LOG_INFO, "interleaved columns"); + break; + case AV_STEREO3D_SIDEBYSIDE_QUINCUNX: + av_log(ctx, AV_LOG_INFO, "side by side (quincunx subsampling)"); + break; + default: + av_log(ctx, AV_LOG_WARNING, "unknown"); + break; + } + + if (stereo->flags & AV_STEREO3D_FLAG_INVERT) + av_log(ctx, AV_LOG_INFO, " (inverted)"); +} + static void dump_sidedata(void *ctx, AVStream *st, const char *indent) { int i; @@ -262,6 +308,10 @@ static void dump_sidedata(void *ctx, AVStream *st, const char *indent) av_log(ctx, AV_LOG_INFO, "displaymatrix: rotation of %.2f degrees", av_display_rotation_get((int32_t *)sd.data)); break; + case AV_PKT_DATA_STEREO3D: + av_log(ctx, AV_LOG_INFO, "stereo3d: "); + dump_stereo3d(ctx, &sd); + break; default: av_log(ctx, AV_LOG_WARNING, "unknown side data type %d (%d bytes)", sd.type, sd.size); From 152e09fde7f6dd5ea92575c3a8e61129148c8478 Mon Sep 17 00:00:00 2001 
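Review bot: In dump_stereo3d() the guard `sd->size < sizeof(*stereo)` compares a signed `size` (it is printed with `%d` in the `default:` branch of dump_sidedata() below) against a `size_t`. A negative size is therefore converted to a large unsigned value and passes as valid. Writing the check as `if (sd->size < 0 || (size_t)sd->size < sizeof(*stereo))` keeps it meaningful for any input. The "invalid data" message could also be logged at AV_LOG_WARNING, matching the `unknown` case in the same function.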
From: Vittorio Giovara Date: Tue, 12 Aug 2014 22:28:49 +0100 Subject: [PATCH 0017/1352] matroskadec: parse stereo mode on decoding Convert the Matroska stereo format to the Stereo3D format, and add a Stereo3D side data to the stream. Bump the doctype version supported. Bug-Id: 728 / https://bugs.debian.org/757185 --- Changelog | 1 + libavformat/matroska.c | 64 +++++++++++++++++++++++++++++++++++++++ libavformat/matroska.h | 3 ++ libavformat/matroskadec.c | 12 ++++++-- 4 files changed, 78 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index ea9d721732..da12f599e3 100644 --- a/Changelog +++ b/Changelog @@ -31,6 +31,7 @@ version : - Icecast protocol - request icecast metadata by default - support for using metadata in stream specifiers in avtools +- matroska 3d support version 10: diff --git a/libavformat/matroska.c b/libavformat/matroska.c index 9628abcda1..237f26f49c 100644 --- a/libavformat/matroska.c +++ b/libavformat/matroska.c @@ -19,6 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/stereo3d.h" + #include "matroska.h" const CodecTags ff_mkv_codec_tags[]={ 
@@ -103,3 +105,65 @@ const AVMetadataConv ff_mkv_metadata_conv[] = { { "PART_NUMBER" , "track" }, { 0 } }; + +int ff_mkv_stereo3d_conv(AVStream *st, MatroskaVideoStereoModeType stereo_mode) +{ + AVPacketSideData *sd, *tmp; + AVStereo3D *stereo; + + stereo = av_stereo3d_alloc(); + if (!stereo) + return AVERROR(ENOMEM); + + tmp = av_realloc_array(st->side_data, st->nb_side_data + 1, sizeof(*tmp)); + if (!tmp) { + av_freep(&stereo); + return AVERROR(ENOMEM); + } + st->side_data = tmp; + st->nb_side_data++; + + sd = &st->side_data[st->nb_side_data - 1]; + sd->type = AV_PKT_DATA_STEREO3D; + sd->data = (uint8_t *)stereo; + sd->size = sizeof(*stereo); + + // note: the missing breaks are intentional + switch (stereo_mode) { + case MATROSKA_VIDEO_STEREOMODE_TYPE_MONO: + stereo->type = AV_STEREO3D_2D; + break; + case MATROSKA_VIDEO_STEREOMODE_TYPE_RIGHT_LEFT: + stereo->flags |= AV_STEREO3D_FLAG_INVERT; + case MATROSKA_VIDEO_STEREOMODE_TYPE_LEFT_RIGHT: + stereo->type = AV_STEREO3D_SIDEBYSIDE; + break; + case MATROSKA_VIDEO_STEREOMODE_TYPE_BOTTOM_TOP: + stereo->flags |= AV_STEREO3D_FLAG_INVERT; + case MATROSKA_VIDEO_STEREOMODE_TYPE_TOP_BOTTOM: + stereo->type = AV_STEREO3D_TOPBOTTOM; + break; + case MATROSKA_VIDEO_STEREOMODE_TYPE_CHECKERBOARD_RL: + stereo->flags |= AV_STEREO3D_FLAG_INVERT; + case MATROSKA_VIDEO_STEREOMODE_TYPE_CHECKERBOARD_LR: + stereo->type = AV_STEREO3D_CHECKERBOARD; + break; + case MATROSKA_VIDEO_STEREOMODE_TYPE_ROW_INTERLEAVED_RL: + stereo->flags |= AV_STEREO3D_FLAG_INVERT; + case MATROSKA_VIDEO_STEREOMODE_TYPE_ROW_INTERLEAVED_LR: + stereo->type = AV_STEREO3D_LINES; + break; + case MATROSKA_VIDEO_STEREOMODE_TYPE_COL_INTERLEAVED_RL: + stereo->flags |= AV_STEREO3D_FLAG_INVERT; + case MATROSKA_VIDEO_STEREOMODE_TYPE_COL_INTERLEAVED_LR: + stereo->type = AV_STEREO3D_COLUMNS; + break; + case MATROSKA_VIDEO_STEREOMODE_TYPE_BOTH_EYES_BLOCK_RL: + stereo->flags |= AV_STEREO3D_FLAG_INVERT; + case MATROSKA_VIDEO_STEREOMODE_TYPE_BOTH_EYES_BLOCK_LR: + stereo->type = 
AV_STEREO3D_FRAMESEQUENCE; + break; + } + + return 0; +} diff --git a/libavformat/matroska.h b/libavformat/matroska.h index 667f92a720..d8f4f8ebec 100644 --- a/libavformat/matroska.h +++ b/libavformat/matroska.h @@ -237,6 +237,7 @@ typedef enum { MATROSKA_VIDEO_STEREOMODE_TYPE_ANAGLYPH_GREEN_MAG = 12, MATROSKA_VIDEO_STEREOMODE_TYPE_BOTH_EYES_BLOCK_LR = 13, MATROSKA_VIDEO_STEREOMODE_TYPE_BOTH_EYES_BLOCK_RL = 14, + MATROSKA_VIDEO_STEREOMODE_TYPE_NB, } MatroskaVideoStereoModeType; /* @@ -255,4 +256,6 @@ extern const CodecTags ff_mkv_codec_tags[]; extern const CodecMime ff_mkv_mime_tags[]; extern const AVMetadataConv ff_mkv_metadata_conv[]; +int ff_mkv_stereo3d_conv(AVStream *st, MatroskaVideoStereoModeType stereo_mode); + #endif /* AVFORMAT_MATROSKA_H */ diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 431fe57348..59fc34b142 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -123,6 +123,7 @@ typedef struct { uint64_t pixel_width; uint64_t pixel_height; uint64_t fourcc; + uint64_t stereo_mode; } MatroskaTrackVideo; typedef struct { @@ -319,7 +320,7 @@ static EbmlSyntax matroska_track_video[] = { { MATROSKA_ID_VIDEOPIXELCROPR, EBML_NONE }, { MATROSKA_ID_VIDEODISPLAYUNIT, EBML_NONE }, { MATROSKA_ID_VIDEOFLAGINTERLACED, EBML_NONE }, - { MATROSKA_ID_VIDEOSTEREOMODE, EBML_NONE }, + { MATROSKA_ID_VIDEOSTEREOMODE, EBML_UINT, 0, offsetof(MatroskaTrackVideo, stereo_mode), { .u = MATROSKA_VIDEO_STEREOMODE_TYPE_NB } }, { MATROSKA_ID_VIDEOASPECTRATIO, EBML_NONE }, { 0 } }; 
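Review bot: ff_mkv_stereo3d_conv() appends the side-data entry to the stream before it looks at `stereo_mode`, and the switch has no `default:`. Any value not listed leaves a new entry whose `type` is whatever av_stereo3d_alloc() initialised it to (presumably 0, i.e. 2D), and the function still returns 0. Correctness therefore depends on every caller filtering first, which the matroskadec.c hunk @@ -1786 does with the bare literals `10` and `12`. I would validate at the top of the function before allocating, e.g. `if (stereo_mode >= MATROSKA_VIDEO_STEREOMODE_TYPE_NB) return AVERROR(EINVAL);`, and handle the two anaglyph modes there by their enum names so callers can drop the magic numbers. The `|=` on `stereo->flags` and the intentional fall-throughs also deserve a `/* fall through */` marker per case, since the single comment above the switch is easy to miss.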
@@ -1786,6 +1787,13 @@ static int matroska_parse_tracks(AVFormatContext *s) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, 1000000000, track->default_duration, 30000); } + // add stream level stereo3d side data if it is a supported format + if (track->video.stereo_mode < MATROSKA_VIDEO_STEREOMODE_TYPE_NB && + track->video.stereo_mode != 10 && track->video.stereo_mode != 12) { + int ret = ff_mkv_stereo3d_conv(st, track->video.stereo_mode); + if (ret < 0) + return ret; + } } else if (track->type == MATROSKA_TRACK_TYPE_AUDIO) { st->codec->codec_type = AVMEDIA_TYPE_AUDIO; st->codec->sample_rate = track->audio.out_samplerate; @@ -1821,7 +1829,7 @@ static int matroska_read_header(AVFormatContext *s) ebml.version > EBML_VERSION || ebml.max_size > sizeof(uint64_t) || ebml.id_length > sizeof(uint32_t) || - ebml.doctype_version > 2) { + ebml.doctype_version > 3) { av_log(matroska->ctx, AV_LOG_ERROR, "EBML header using unsupported features\n" "(EBML version %"PRIu64", doctype %s, doc version %"PRIu64")\n", From 5b740d1eaa63ebc9d210f0c348daa66fcd50a275 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Tue, 5 Aug 2014 11:16:17 +0100 Subject: [PATCH 0018/1352] matroskaenc: convert avstream stereo3d side data during encoding Write the StereoMode Embl to bitstream. --- libavformat/matroskaenc.c | 94 +++++++++++++++++++++++++++++++-------- 1 file changed, 76 insertions(+), 18 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index cc4e71a4fb..225f6a6730 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -43,6 +43,7 @@ #include "libavutil/opt.h" #include "libavutil/random_seed.h" #include "libavutil/samplefmt.h" +#include "libavutil/stereo3d.h" #include "libavcodec/xiph.h" #include "libavcodec/mpeg4audio.h" 
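Review bot: The added condition in matroska_parse_tracks() excludes the unsupported modes with the bare literals `10` and `12`, which hides what is being rejected and will go stale silently if the enum is ever renumbered. matroska.h in this same patch names 12 as `MATROSKA_VIDEO_STEREOMODE_TYPE_ANAGLYPH_GREEN_MAG`, and presumably has a matching enumerator for 10, so the test can be written with those names. The same literals appear in the metadata branch of mkv_write_stereo_mode() in the matroskaenc.c patch further down. It is worth keeping the range test ahead of the call as it is now, because `stereo_mode` is a uint64_t read from the file and is narrowed to the enum parameter only after the comparison. The enclosing function starts and ends outside this hunk.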
@@ -624,25 +625,78 @@ static int mkv_write_codecprivate(AVFormatContext *s, AVIOContext *pb, return ret; } -static void mkv_write_stereo_mode(AVIOContext *pb, uint8_t stereo_fmt, - int mode) +static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, + AVStream *st, int mode) { - int valid_fmt = 0; + int i; + AVDictionaryEntry *tag; + MatroskaVideoStereoModeType format = MATROSKA_VIDEO_STEREOMODE_TYPE_NB; - switch (mode) { - case MODE_WEBM: - if (stereo_fmt <= MATROSKA_VIDEO_STEREOMODE_TYPE_TOP_BOTTOM || - stereo_fmt == MATROSKA_VIDEO_STEREOMODE_TYPE_RIGHT_LEFT) - valid_fmt = 1; - break; - case MODE_MATROSKAv2: - if (stereo_fmt <= MATROSKA_VIDEO_STEREOMODE_TYPE_BOTH_EYES_BLOCK_RL) - valid_fmt = 1; - break; + // convert metadata into proper side data and add it to the stream + if ((tag = av_dict_get(s->metadata, "stereo_mode", NULL, 0))) { + int stereo_mode = atoi(tag->value); + if (stereo_mode < MATROSKA_VIDEO_STEREOMODE_TYPE_NB && + stereo_mode != 10 && stereo_mode != 12) { + int ret = ff_mkv_stereo3d_conv(st, stereo_mode); + if (ret < 0) + return ret; + } } - if (valid_fmt) - put_ebml_uint (pb, MATROSKA_ID_VIDEOSTEREOMODE, stereo_fmt); + for (i = 0; i < st->nb_side_data; i++) { + AVPacketSideData sd = st->side_data[i]; + if (sd.type == AV_PKT_DATA_STEREO3D) { + AVStereo3D *stereo = (AVStereo3D *)sd.data; + + switch (stereo->type) { + case AV_STEREO3D_2D: + format = MATROSKA_VIDEO_STEREOMODE_TYPE_MONO; + break; + case AV_STEREO3D_SIDEBYSIDE: + format = (stereo->flags & AV_STEREO3D_FLAG_INVERT) + ? 
MATROSKA_VIDEO_STEREOMODE_TYPE_RIGHT_LEFT + : MATROSKA_VIDEO_STEREOMODE_TYPE_LEFT_RIGHT; + break; + case AV_STEREO3D_TOPBOTTOM: + format = MATROSKA_VIDEO_STEREOMODE_TYPE_TOP_BOTTOM; + if (stereo->flags & AV_STEREO3D_FLAG_INVERT) + format--; + break; + case AV_STEREO3D_CHECKERBOARD: + format = MATROSKA_VIDEO_STEREOMODE_TYPE_CHECKERBOARD_LR; + if (stereo->flags & AV_STEREO3D_FLAG_INVERT) + format--; + break; + case AV_STEREO3D_LINES: + format = MATROSKA_VIDEO_STEREOMODE_TYPE_ROW_INTERLEAVED_LR; + if (stereo->flags & AV_STEREO3D_FLAG_INVERT) + format--; + break; + case AV_STEREO3D_COLUMNS: + format = MATROSKA_VIDEO_STEREOMODE_TYPE_COL_INTERLEAVED_LR; + if (stereo->flags & AV_STEREO3D_FLAG_INVERT) + format--; + break; + case AV_STEREO3D_FRAMESEQUENCE: + format = MATROSKA_VIDEO_STEREOMODE_TYPE_BOTH_EYES_BLOCK_LR; + if (stereo->flags & AV_STEREO3D_FLAG_INVERT) + format++; + break; + } + + break; + } + } + + if (mode == MODE_WEBM && + (format > MATROSKA_VIDEO_STEREOMODE_TYPE_TOP_BOTTOM && + format != MATROSKA_VIDEO_STEREOMODE_TYPE_RIGHT_LEFT)) + format = MATROSKA_VIDEO_STEREOMODE_TYPE_NB; + + if (format < MATROSKA_VIDEO_STEREOMODE_TYPE_NB) + put_ebml_uint(pb, MATROSKA_ID_VIDEOSTEREOMODE, format); + + return 0; } static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv, 
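Review bot: The metadata branch at the top of mkv_write_stereo_mode() has no lower bound: `atoi(tag->value)` gives a signed int, so a negative "stereo_mode" tag passes `stereo_mode < MATROSKA_VIDEO_STEREOMODE_TYPE_NB` and is handed to ff_mkv_stereo3d_conv(). There the switch matches nothing, and a default-initialised entry is still attached, which the loop below then appears to turn into a StereoMode element. Adding `stereo_mode >= 0 &&` to the condition closes this, and parsing with strtol() plus an end-pointer check would also stop non-numeric text from being taken as mode 0. Separately, the loop casts `sd.data` to `AVStereo3D *` without looking at `sd.size`; a guard such as `if (sd.size < sizeof(*stereo)) continue;` before the switch would keep a short side-data buffer from being read past its end.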
@@ -743,9 +797,13 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv, // XXX: interlace flag? put_ebml_uint (pb, MATROSKA_ID_VIDEOPIXELWIDTH , codec->width); put_ebml_uint (pb, MATROSKA_ID_VIDEOPIXELHEIGHT, codec->height); - if ((tag = av_dict_get(s->metadata, "stereo_mode", NULL, 0))) { - mkv_write_stereo_mode(pb, atoi(tag->value), mkv->mode); - } + + // check both side data and metadata for stereo information, + // write the result to the bitstream if any is found + ret = mkv_write_stereo_mode(s, pb, st, mkv->mode); + if (ret < 0) + return ret; + if (st->sample_aspect_ratio.num) { int d_width = codec->width*av_q2d(st->sample_aspect_ratio); put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYWIDTH , d_width); From 4cde8bae49275edb2815b98cc3404238bb5799dd Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 27 Aug 2014 13:14:20 +0200 Subject: [PATCH 0019/1352] license: Mention that vf_interlace is GPL, not LGPL (cherry picked from commit 9e8bbe7d4d1dcd5fec491dbfbb98ed2038a7bed5) Signed-off-by: Diego Biurrun --- LICENSE | 1 + 1 file changed, 1 insertion(+) diff --git a/LICENSE b/LICENSE index fb2917830c..701e6e1d6c 100644 --- a/LICENSE +++ b/LICENSE @@ -21,6 +21,7 @@ Specifically, the GPL parts of Libav are - vf_cropdetect.c - vf_delogo.c - vf_hqdn3d.c + - vf_interlace.c Should you, for whatever reason, prefer to use version 3 of the (L)GPL, then the configure parameter --enable-version3 will activate this licensing option From b5d4f49e3cb1a13642542f08c8c54791c3d54dfb Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 30 Aug 2014 11:51:28 -0400 Subject: [PATCH 0020/1352] Prepare for 11_beta2 Release --- RELEASE | 1 + 1 file changed, 1 insertion(+) diff --git a/RELEASE b/RELEASE index 929c0bdb7a..d826aee365 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1,2 @@ 11_beta1 +11_beta2 From 480633c6c2e1434c981cc887c6d54d502e24d6d7 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 1 Sep 2014 00:48:50 +0100 Subject: [PATCH 0021/1352] avcodec: fix missing doxygen comment marker --- libavcodec/avcodec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 14440fe3c1..253e45ad05 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -912,7 +912,7 @@ enum AVPacketSideDataType { */ AV_PKT_DATA_DISPLAYMATRIX, - /* + /** * This side data should be associated with a video stream and contains * Stereoscopic 3D information in form of the AVStereo3D struct. */ From 9d3e69ae3013027b1d4d79edf2ed5db00e4d5462 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 18 Aug 2014 18:04:47 +0000 Subject: [PATCH 0022/1352] Add release notes for 11. (cherry picked from commit 12f0388f9cb32016ac0dacaeca631b088b29bb96) Signed-off-by: Diego Biurrun --- doc/RELEASE_NOTES | 109 +++++++++++++++++++++------------------------- 1 file changed, 50 insertions(+), 59 deletions(-) diff --git a/doc/RELEASE_NOTES b/doc/RELEASE_NOTES index 478bc1d20e..bda4789aff 100644 --- a/doc/RELEASE_NOTES +++ b/doc/RELEASE_NOTES 
@@ -1,51 +1,50 @@ Release Notes ============= -* 10 "Eks" +* 11 "One Louder" General notes ------------- -One of the main features of this release is the addition of reference-counted -data buffers to Libav and their use in various structures. Specifically, the -data buffers used by AVPacket and AVFrame can now be reference counted, which -should allow to significantly simplify many use cases. In addition, -reference-counted AVFrames can now be used in libavfilter, avoiding the need -for a separate libavfilter-specific frame structure. Frames can now be passed -straight from the decoders into filters or from filters to encoders. +With this release we are trying to answer the numerous calls from our users for +shorter development cycles. From now on we will aim for approximately two major +releases per year. -These additions made it necessary to bump the major versions of libavcodec, -libavformat, libavdevice, libavfilter, and libavutil, which was accompanied by -dropping some old deprecated APIs. These libraries are thus not ABI- or API- -compatible with the previous release. All the other libraries (libavresample -and libswscale) should be both ABI- and API-compatible. +Libav 11 is API-, but not ABI-compatible with the previous major release. This +means that the code using our libraries needs to be rebuilt, but no source +changes should be required. Note however, that a number of old APIs remain +deprecated and will be dropped in the near future. All users are strongly +encouraged to update their code as soon as possible. The doc/APIchanges file in +the Libav source tree and the migration guide on the wiki should help with +migration to the new APIs. If those are not sufficient, do not hesitate to +contact us on IRC or through the user mailing list. -Another major point is the inclusion of the HEVC (AKA H.265, the successor of -H.264) decoder in the main codebase. 
It was started in 2012 as a Libav Google -Summer of Code project by Guillaume Martres and subsequently completed with -the assistance of the OpenHEVC project and several Libav developers. +One specific API issue in libavformat deserves mentioning here. When using +libavcodec for decoding or encoding and libavformat for demuxing or muxing, +the standard practice was to use the stream codec context (AVStream.codec) for +actual decoding or encoding. There are multiple problems with this pattern +(the main one is that the decoder/demuxer or encoder/muxer are not necessarily +synchronized and may overwrite each other's state), so it is now strongly +discouraged and will likely be deprecated in the future. Users should instead +allocate a separate decoding or encoding context and populate it from the +demuxing codec context (or the reverse for encoding) with the +avcodec_copy_context() function. -As usual, this release also contains support for other new formats, many smaller -new features and countless bug fixes. We can highlight a native VP9 decoder, -with encoding provided through libvpx, native decoders for WebP, JPEG 2000, and -AIC, as well as improved WavPack support with encoding through libwavpack, -support for more AAC flavors (LD - low delay, ELD - enhanced low delay), slice -multithreading in libavfilter, or muxing chapters in ASF. Furthermore a few new -filters have been introduced, namely compand, to change audio dynamics, framepack, -to create stereoscopic videos, asetpts, to set audio pts, and interlace, to convert -progressive video to interlaced. Finally there is more fine-grained detection of -host and target libc, which should allow better portability to various cross -compilation scenarios. +The main highlights of this release include native Opus, VP7, OpenEXR, and On2 +AVC decoders, HEVC encoding through libx265, new APIs for exporting ReplayGain +and display transformation metadata and countless bug fixes. 
A large effort was +also expended on internal cleanups which are not very visible to our users, +but should make the codebase cleaner, safer and easier to maintain and extend. +One point worth mentioning is refactoring the large monolithic framework for +architecture-specific codec optimizations into small blocks, which reduces the +size of configurations that selectively enable or disable certain codecs. -See the Changelog file for a fuller list of significant changes. - -Please note that our policy on bug reports has not changed. We still only accept -bug reports against HEAD of the Libav trunk repository. If you are experiencing -issues with any formally released version of Libav, please try a current version -of the development code to check if the issue still exists. If it does, make -your report against the development code following the usual bug reporting -guidelines. +The avserver streaming tool, which has not been maintained for many years and +was mostly broken, was removed from the tree. It was decided that it is a +significant maintenance burden and that we do our users no service by pretending +to support it, while we in fact do not. +See the Changelog file for a more extensive list of significant changes. API changes ----------- 
@@ -54,31 +53,23 @@ A number of additional APIs have been introduced and some existing functions have been deprecated and are scheduled for removal in the next release. Significant API changes include: -[libavutil] -+ added the reference-counted buffers API (buffers.h) -+ moved the AVFrame struct to libavutil and added a new API for working with - reference-counted AVFrames (frame.h) - [libavcodec] -+ added an API for working with reference-counted AVPackets (av_packet_*) -+- converted VDPAU to the hwaccel framework; the old way of using VDPAU is no - longer supported -- old audio encoding and decoding APIs removed -- old video encoding API removed -- deprecated enum CodecID removed (enum AVCodecID should be used instead) -- deprecated audio resampling API removed (libavresample should be used - instead) ++ Added the avcodec_copy_context() function that must from now on be used for + freeing codec contexts. ++- Added a new VDA hardware acceleration API, since the old one was broken and + not fixable in a compatible way. Deprecated the old VDA API. -[libavfilter] -+- replaced AVFilterBufferRef with AVFrame; AVFilterBufferRef and everything - related to it still exists, but is deprecated -+ converted all filters to use the AVOptions system for configuration, it is - now possible to query the supported options, their values and set them - directly with av_opt_* -+ added a slice multithreading framework -+- merged avfiltergraph.h to avfilter.h, using AVFilterGraph is now explicitly - mandatory (it was implicitly required even before); added new API for - allocating and initializing filters +[libavformat] ++ Added support for exporting stream-global (as opposed to per-packet) side + data. This feature is now used by some demuxers to export ReplayGain or + display transformation matrix (aka rotation) or stereoscopic 3D mode. ++ Added an API for live metadata updates through event flags. ++- Changed the way to provide a hint about the desired timebase to muxers. 
+ Previously it was done by setting AVStream.codec.time_base. Now callers + should set AVStream.time_base. + +[libavresample] ++ Added an API for working with AVFrames. Please see the file doc/APIchanges for details along with similar programmer-centric information. From 07b0ccf5116c3b2ce1ccfed4c8c593641a815fd6 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 3 Sep 2014 00:43:29 +0200 Subject: [PATCH 0023/1352] Mark 11 release in the changelog Also fix some typos in the entries for the 11 release. (cherry picked from commit d9792b773516a560ecb99694b8ee745a50027fac) Signed-off-by: Diego Biurrun --- Changelog | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Changelog b/Changelog index da12f599e3..73e837891b 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 11: - libx265 encoder - shuffleplanes filter - replaygain data export @@ -9,7 +9,7 @@ version : - BRender PIX image decoder - Amazing Studio PAF playback support - XBM decoder -- bmp standalone parser +- BMP standalone parser - OpenEXR image decoder - support encoding and decoding 4-channel SGI images - support decoding 16-bit RLE SGI images @@ -26,12 +26,12 @@ version : - support for decoding through DXVA2 in avconv - libbs2b-based stereo-to-binaural audio filter - native Opus decoder -- display matrix export and rotation api +- display matrix export and rotation API - drop avserver, it was unmaintained for years and largely broken - Icecast protocol -- request icecast metadata by default +- request Icecast metadata by default - support for using metadata in stream specifiers in avtools -- matroska 3d support +- Matroska 3D support version 10: From 7d8ebb877408e03beb9dd6b99a51291b17d9a969 Mon Sep 17 00:00:00 2001 
From: Sean McGovern Date: Fri, 5 Sep 2014 01:04:21 -0400 Subject: [PATCH 0024/1352] Fix RELEASE identification This was accidentally left over in b5d4f49e3cb1a13642542f08c8c54791c3d54dfb --- RELEASE | 1 - 1 file changed, 1 deletion(-) diff --git a/RELEASE b/RELEASE index d826aee365..27383c37cb 100644 --- a/RELEASE +++ b/RELEASE @@ -1,2 +1 @@ -11_beta1 11_beta2 From 4f2d4b98fc9877f8618c1524570b230e51e8d474 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 10 Sep 2014 18:38:15 +0200 Subject: [PATCH 0025/1352] doc: Fix syntax and logical errors in avconv stream combination example Bug-Id: 661 CC: libav-stable@libav.org (cherry picked from commit 775a0b04f0cf8102fe322b2ee03fe1a0633dea04) Signed-off-by: Diego Biurrun --- doc/avconv.texi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/avconv.texi b/doc/avconv.texi index 11561768e1..37733bc2a9 100644 --- a/doc/avconv.texi +++ b/doc/avconv.texi @@ -1129,11 +1129,11 @@ only formats accepting a normal integer are suitable. You can put many streams of the same type in the output: @example -avconv -i test1.avi -i test2.avi -map 0.3 -map 0.2 -map 0.1 -map 0.0 -c copy test12.nut +avconv -i test1.avi -i test2.avi -map 1:1 -map 1:0 -map 0:1 -map 0:0 -c copy -y test12.nut @end example -The resulting output file @file{test12.avi} will contain first four streams from -the input file in reverse order. +The resulting output file @file{test12.nut} will contain the first four streams +from the input files in reverse order. @item To force CBR video output: From f851477889ae48e2f17073cf7486e1d5561b7ae4 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sat, 13 Sep 2014 11:14:46 -0700 Subject: [PATCH 0026/1352] Prepare for 11 release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 27383c37cb..b4de394767 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -11_beta2 +11 From 55b1a1e9c16d2250e3a8f5fdd54872b0e67c2b10 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 14 Sep 2014 15:37:11 +0200 Subject: [PATCH 0027/1352] update for 2.4 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index c6266be9e6..6b4950e3de 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.3.git +2.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 8697e6c551..96a8743274 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 2.4 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 66ac5b96e80a073b6d5451fb6caa4e073d6348ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Sep 2014 12:54:01 +0200 Subject: [PATCH 0028/1352] MAINTAINERS: Add 2.4 to maintained releases, drop 2.3 2.2 is used by 4 distributions, 2.3 by none, thus continuing maintaining 2.2 makes more sense than 2.3 see: https://trac.ffmpeg.org/wiki/Downstreams Signed-off-by: Michael Niedermayer (cherry picked from commit da2186be81b5cb2d24da5671e25affbb8f09920d) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index c863e41028..062ff39088 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -534,7 +534,7 @@ x86 Michael Niedermayer Releases ======== -2.3 Michael Niedermayer +2.4 Michael Niedermayer 2.2 Michael Niedermayer 1.2 Michael Niedermayer From c16e80ee3d1c554fc5d9454cfe96e615e6d00e15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Aug 2014 00:27:14 +0200 Subject: [PATCH 0029/1352] doc/examples: remove unneeded NULL checks dst_file cannot be NULL Signed-off-by: Michael Niedermayer (cherry picked from commit 68bca03951b36755f46d75a5bcfcbba95ced21c4) 
Signed-off-by: Michael Niedermayer --- doc/examples/resampling_audio.c | 3 +-- doc/examples/scaling_video.c | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/doc/examples/resampling_audio.c b/doc/examples/resampling_audio.c index 8a43b09039..f35e7e1779 100644 --- a/doc/examples/resampling_audio.c +++ b/doc/examples/resampling_audio.c @@ -199,8 +199,7 @@ int main(int argc, char **argv) fmt, dst_ch_layout, dst_nb_channels, dst_rate, dst_filename); end: - if (dst_file) - fclose(dst_file); + fclose(dst_file); if (src_data) av_freep(&src_data[0]); diff --git a/doc/examples/scaling_video.c b/doc/examples/scaling_video.c index fcb98b7489..587f3abe4f 100644 --- a/doc/examples/scaling_video.c +++ b/doc/examples/scaling_video.c @@ -132,8 +132,7 @@ int main(int argc, char **argv) av_get_pix_fmt_name(dst_pix_fmt), dst_w, dst_h, dst_filename); end: - if (dst_file) - fclose(dst_file); + fclose(dst_file); av_freep(&src_data[0]); av_freep(&dst_data[0]); sws_freeContext(sws_ctx); From 703bd3164736cca9ec27bc809de3743878b680eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Sep 2014 16:47:26 +0200 Subject: [PATCH 0030/1352] Changelog: add 2.4 Signed-off-by: Michael Niedermayer (cherry picked from commit 808db3e68778b77e020aab1b838d32e63a38ae63) Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index 480a2986c9..68ae1d7e10 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,8 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version : + +version 2.4: - Icecast protocol - ported lenscorrection filter from frei0r filter - large optimizations in dctdnoiz to make it usable From ace90ee26550dc08b7ec48cd1675862f1b0ef8d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Sep 2014 17:09:38 +0200 Subject: [PATCH 0031/1352] avcodec/mjpegenc: the AMV encoder doesnt support yuv422 Fixes Ticket3883 
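Review bot: With the guard removed, `fclose(dst_file);` at the `end:` label in resampling_audio.c is defined only if every jump to `end` happens after a successful fopen(), because fclose(NULL) is undefined behaviour. The fopen() call and the gotos are outside the hunk, so the commit message's claim cannot be checked from here. Since example code is routinely copied into other programs, a comment above the call would record the invariant, for instance `/* dst_file is always open here: fopen() failure never reaches end: */`. The scaling_video.c hunk makes the identical change and would take the same comment. If dst_file is the output stream, as the name suggests, checking the fclose() return value would also surface write errors that are otherwise lost.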
Signed-off-by: Michael Niedermayer (cherry picked from commit b227be34db76541db0269a769dad90c20793353f) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegenc.c b/libavcodec/mjpegenc.c index 6fbc3b48f8..72c56d20b3 100644 --- a/libavcodec/mjpegenc.c +++ b/libavcodec/mjpegenc.c @@ -241,7 +241,7 @@ AVCodec ff_amv_encoder = { .encode2 = amv_encode_picture, .close = ff_mpv_encode_end, .pix_fmts = (const enum AVPixelFormat[]){ - AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_YUVJ422P, AV_PIX_FMT_NONE + AV_PIX_FMT_YUVJ420P, AV_PIX_FMT_NONE }, }; #endif From 8ac3b2cdb751716a8de1dfa0209a0f5c786a4b9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Sep 2014 11:34:50 +0200 Subject: [PATCH 0032/1352] RELEASE_NOTES: add H.261 & HEVC RTP support Suggested-by: Thomas Volkert Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 5499cfd54d..9d0d7e4cd7 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -53,6 +53,8 @@ • API for live metadata updates through event flags. • UTF-16 support in text subtitles formats. • The ASS muxer now reorders the Dialogue events properly. + • support for H.261 RTP payload format (RFC 4587) + • HEVC/H.265 RTP payload format (draft v6) depacketizer ┌────────────────────────────┐ │ libavfilter │ From cc73b4f574b6c99066a0482bdfc20e6da1f400a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Sep 2014 18:04:51 +0200 Subject: [PATCH 0033/1352] tools/crypto_bench: fix build when AV_READ_TIME is unavailable Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 4a99134f1a71994a0dc4542a0d6bee8e36146b60) Signed-off-by: Michael Niedermayer --- tools/crypto_bench.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/crypto_bench.c b/tools/crypto_bench.c index 96820ae428..0f62068905 100644 --- a/tools/crypto_bench.c 
+++ b/tools/crypto_bench.c @@ -33,6 +33,10 @@ #include "libavutil/intreadwrite.h" #include "libavutil/timer.h" +#ifndef AV_READ_TIME +#define AV_READ_TIME(x) 0 +#endif + #if HAVE_UNISTD_H #include /* for getopt */ #endif From b45ab61b24a8f2aeafdd4451491b1b30b7875ee5 Mon Sep 17 00:00:00 2001 From: Katerina Barone-Adesi Date: Tue, 16 Sep 2014 01:40:24 +0200 Subject: [PATCH 0034/1352] apetag: Fix APE tag size check The size variable is (correctly) unsigned, but is passed to several functions which take signed parameters, such as avio_read, sometimes after having numbers added to it. So ensure that size remains within the bounds that these functions can handle. (cherry picked from commit c5560e72d0bb69f8a1ac9536570398f84388f396) Signed-off-by: Diego Biurrun --- libavformat/apetag.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index 22884ef6e0..bd8d0ed485 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -57,8 +57,10 @@ static int ape_tag_read_field(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key); return -1; } - if (size >= UINT_MAX) - return -1; + if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + av_log(s, AV_LOG_ERROR, "APE tag size too large.\n"); + return AVERROR_INVALIDDATA; + } if (flags & APE_TAG_FLAG_IS_BINARY) { uint8_t filename[1024]; enum AVCodecID id; From 9eb442cca23bb8d33b3e6d37b8c0e3afff04c37a Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Wed, 17 Sep 2014 07:08:57 -0700 Subject: [PATCH 0035/1352] Update default FATE URL for release/11 --- tests/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/Makefile b/tests/Makefile index 5fad2911fe..eab1eca6f6 100644 --- a/tests/Makefile +++ b/tests/Makefile 
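Review bot: The new bound in ape_tag_read_field() only keeps `size` within what a signed int can carry. A field length read from the file can still be just under 2 GiB and pass it, so whatever allocation or read follows is sized by input data. The code that consumes `size` lies outside the hunk, so this is inferred, but where the input length is known it would be worth rejecting a field larger than the input can supply, e.g. `if (avio_size(s->pb) > 0 && size > avio_size(s->pb)) return AVERROR_INVALIDDATA;`. A smaller point: the invalid-key path just above still does `return -1;` while the new path returns AVERROR_INVALIDDATA, and using `return AVERROR_INVALIDDATA;` there as well would give callers one consistent error for malformed tags.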
@@ -128,7 +128,7 @@ $(FATE_AVCONV) $(FATE_SAMPLES_AVCONV): avconv$(EXESUF) ifdef SAMPLES FATE += $(FATE_SAMPLES) fate-rsync: - rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES) + rsync -vaLW rsync://fate-suite.libav.org/fate-suite-11/ $(SAMPLES) else fate-rsync: @echo "use 'make fate-rsync SAMPLES=/path/to/samples' to sync the fate suite" From d694ab846cf194862d5a0aa70217849b248c26ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Sep 2014 23:36:53 +0200 Subject: [PATCH 0036/1352] avcodec/x86/vp9lpf: Always include x86util.asm Fixes executable stack Signed-off-by: Michael Niedermayer (cherry picked from commit 41d82b85ab0ee8bb2931c1f783e30c38c2fb5206) Signed-off-by: Michael Niedermayer --- libavcodec/x86/vp9lpf.asm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/vp9lpf.asm b/libavcodec/x86/vp9lpf.asm index cb57a25333..416f08f090 100644 --- a/libavcodec/x86/vp9lpf.asm +++ b/libavcodec/x86/vp9lpf.asm @@ -20,10 +20,10 @@ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ;****************************************************************************** -%if ARCH_X86_64 - %include "libavutil/x86/x86util.asm" +%if ARCH_X86_64 + SECTION_RODATA cextern pb_3 From dc4e34a2f05917deae2c6e68783dba089da5eb8d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 18 Sep 2014 00:08:05 +0200 Subject: [PATCH 0037/1352] vf_deshake: rename Transform.vector to Transform.vec to avoid compiler confusion The token 'vector' is a keyword in the Vector/SIMD Multimedia Extension data types and thus should not be used as a variable name. This fixes building on powerpc/ppc64el. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 739f179dd6a21f3fcbd3d23d3d14cde9bb587ead) 
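Review bot: Nothing in vp9lpf.asm records why `%include "libavutil/x86/x86util.asm"` now has to sit above `%if ARCH_X86_64`. A later tidy-up could therefore move it back inside the conditional and reintroduce the executable-stack marking the commit message describes. A comment on the include would guard against that, for example `; keep outside %if ARCH_X86_64: must be included even when the rest of the file is compiled out, otherwise the object is marked as needing an executable stack`. The mechanism is not visible in this hunk; presumably the included macros emit the non-executable-stack section note, which is worth confirming before settling the wording.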
Signed-off-by: Michael Niedermayer --- libavfilter/deshake.h | 2 +- libavfilter/vf_deshake.c | 50 ++++++++++++++++++++-------------------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/libavfilter/deshake.h b/libavfilter/deshake.h index 62e81c3eaf..becd6c248b 100644 --- a/libavfilter/deshake.h +++ b/libavfilter/deshake.h @@ -48,7 +48,7 @@ typedef struct { } MotionVector; typedef struct { - MotionVector vector; ///< Motion vector + MotionVector vec; ///< Motion vector double angle; ///< Angle of rotation double zoom; ///< Zoom percentage } Transform; diff --git a/libavfilter/vf_deshake.c b/libavfilter/vf_deshake.c index ccc263b5ce..b5d5457c5e 100644 --- a/libavfilter/vf_deshake.c +++ b/libavfilter/vf_deshake.c @@ -294,8 +294,8 @@ static void find_motion(DeshakeContext *deshake, uint8_t *src1, uint8_t *src2, for (x = 0; x < deshake->rx * 2 + 1; x++) { //av_log(NULL, AV_LOG_ERROR, "%5d ", deshake->counts[x][y]); if (deshake->counts[x][y] > count_max_value) { - t->vector.x = x - deshake->rx; - t->vector.y = y - deshake->ry; + t->vec.x = x - deshake->rx; + t->vec.y = y - deshake->ry; count_max_value = deshake->counts[x][y]; } } @@ -304,12 +304,12 @@ static void find_motion(DeshakeContext *deshake, uint8_t *src1, uint8_t *src2, p_x = (center_x - width / 2.0); p_y = (center_y - height / 2.0); - t->vector.x += (cos(t->angle)-1)*p_x - sin(t->angle)*p_y; - t->vector.y += sin(t->angle)*p_x + (cos(t->angle)-1)*p_y; + t->vec.x += (cos(t->angle)-1)*p_x - sin(t->angle)*p_y; + t->vec.y += sin(t->angle)*p_x + (cos(t->angle)-1)*p_y; // Clamp max shift & rotation? - t->vector.x = av_clipf(t->vector.x, -deshake->rx * 2, deshake->rx * 2); - t->vector.y = av_clipf(t->vector.y, -deshake->ry * 2, deshake->ry * 2); + t->vec.x = av_clipf(t->vec.x, -deshake->rx * 2, deshake->rx * 2); + t->vec.y = av_clipf(t->vec.y, -deshake->ry * 2, deshake->ry * 2); t->angle = av_clipf(t->angle, -0.1, 0.1); //av_log(NULL, AV_LOG_ERROR, "%d x %d\n", avg->x, avg->y); 
@@ -407,8 +407,8 @@ static int config_props(AVFilterLink *link) DeshakeContext *deshake = link->dst->priv; deshake->ref = NULL; - deshake->last.vector.x = 0; - deshake->last.vector.y = 0; + deshake->last.vec.x = 0; + deshake->last.vec.y = 0; deshake->last.angle = 0; deshake->last.zoom = 0; 
@@ -476,57 +476,57 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) // Copy transform so we can output it later to compare to the smoothed value - orig.vector.x = t.vector.x; - orig.vector.y = t.vector.y; + orig.vec.x = t.vec.x; + orig.vec.y = t.vec.y; orig.angle = t.angle; orig.zoom = t.zoom; // Generate a one-sided moving exponential average - deshake->avg.vector.x = alpha * t.vector.x + (1.0 - alpha) * deshake->avg.vector.x; - deshake->avg.vector.y = alpha * t.vector.y + (1.0 - alpha) * deshake->avg.vector.y; + deshake->avg.vec.x = alpha * t.vec.x + (1.0 - alpha) * deshake->avg.vec.x; + deshake->avg.vec.y = alpha * t.vec.y + (1.0 - alpha) * deshake->avg.vec.y; deshake->avg.angle = alpha * t.angle + (1.0 - alpha) * deshake->avg.angle; deshake->avg.zoom = alpha * t.zoom + (1.0 - alpha) * deshake->avg.zoom; // Remove the average from the current motion to detect the motion that // is not on purpose, just as jitter from bumping the camera - t.vector.x -= deshake->avg.vector.x; - t.vector.y -= deshake->avg.vector.y; + t.vec.x -= deshake->avg.vec.x; + t.vec.y -= deshake->avg.vec.y; t.angle -= deshake->avg.angle; t.zoom -= deshake->avg.zoom; // Invert the motion to undo it - t.vector.x *= -1; - t.vector.y *= -1; + t.vec.x *= -1; + t.vec.y *= -1; t.angle *= -1; // Write statistics to file if (deshake->fp) { - snprintf(tmp, 256, "%f, %f, %f, %f, %f, %f, %f, %f, %f, %f, %f, %f\n", orig.vector.x, deshake->avg.vector.x, t.vector.x, orig.vector.y, deshake->avg.vector.y, t.vector.y, orig.angle, deshake->avg.angle, t.angle, orig.zoom, deshake->avg.zoom, t.zoom); + snprintf(tmp, 256, "%f, %f, %f, %f, %f, %f, %f, %f, %f, %f, %f, %f\n", orig.vec.x, deshake->avg.vec.x, t.vec.x, orig.vec.y, deshake->avg.vec.y, t.vec.y, orig.angle, deshake->avg.angle, t.angle, orig.zoom, deshake->avg.zoom, t.zoom); fwrite(tmp, sizeof(char), strlen(tmp), deshake->fp); } // Turn relative current frame motion into absolute by adding it to the // last absolute motion - t.vector.x += 
deshake->last.vector.x; - t.vector.y += deshake->last.vector.y; + t.vec.x += deshake->last.vec.x; + t.vec.y += deshake->last.vec.y; t.angle += deshake->last.angle; t.zoom += deshake->last.zoom; // Shrink motion by 10% to keep things centered in the camera frame - t.vector.x *= 0.9; - t.vector.y *= 0.9; + t.vec.x *= 0.9; + t.vec.y *= 0.9; t.angle *= 0.9; // Store the last absolute motion information - deshake->last.vector.x = t.vector.x; - deshake->last.vector.y = t.vector.y; + deshake->last.vec.x = t.vec.x; + deshake->last.vec.y = t.vec.y; deshake->last.angle = t.angle; deshake->last.zoom = t.zoom; // Generate a luma transformation matrix - avfilter_get_matrix(t.vector.x, t.vector.y, t.angle, 1.0 + t.zoom / 100.0, matrix_y); + avfilter_get_matrix(t.vec.x, t.vec.y, t.angle, 1.0 + t.zoom / 100.0, matrix_y); // Generate a chroma transformation matrix - avfilter_get_matrix(t.vector.x / (link->w / CHROMA_WIDTH(link)), t.vector.y / (link->h / CHROMA_HEIGHT(link)), t.angle, 1.0 + t.zoom / 100.0, matrix_uv); + avfilter_get_matrix(t.vec.x / (link->w / CHROMA_WIDTH(link)), t.vec.y / (link->h / CHROMA_HEIGHT(link)), t.angle, 1.0 + t.zoom / 100.0, matrix_uv); // Transform the luma and chroma planes ret = deshake->transform(link->dst, link->w, link->h, CHROMA_WIDTH(link), CHROMA_HEIGHT(link), matrix_y, matrix_uv, INTERPOLATE_BILINEAR, deshake->edge, in, out); From b7f27199513752999d07fae76876fd50a4862d81 Mon Sep 17 00:00:00 2001 From: Pascal Massimino Date: Tue, 16 Sep 2014 17:01:07 +0200 Subject: [PATCH 0038/1352] libavcodec/webp: treat out-of-bound palette index as translucent black See https://code.google.com/p/webp/issues/detail?id=206 for a description of the problem/fix. 
Signed-off-by: Michael Niedermayer This patch makes the decoder follow the recommendation of the spec. There is some disagreement (see "[FFmpeg-devel] [PATCH]: libavcodec/webp") about what would be best to be written in the spec, so in case the spec is changed again, this potentially would need to be amended or reverted (cherry picked from commit 4fd21d58a72c38ab63c3a4483b420db260fa7b8d) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index c737f5492d..66c2d57c84 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1028,7 +1028,7 @@ static int apply_color_indexing_transform(WebPContext *s) ImageContext *img; ImageContext *pal; int i, x, y; - uint8_t *p, *pi; + uint8_t *p; img = &s->image[IMAGE_ROLE_ARGB]; pal = &s->image[IMAGE_ROLE_COLOR_INDEXING]; @@ -1066,11 +1066,11 @@ static int apply_color_indexing_transform(WebPContext *s) p = GET_PIXEL(img->frame, x, y); i = p[2]; if (i >= pal->frame->width) { - av_log(s->avctx, AV_LOG_ERROR, "invalid palette index %d\n", i); - return AVERROR_INVALIDDATA; + AV_WB32(p, 0xFF000000); + } else { + const uint8_t *pi = GET_PIXEL(pal->frame, i, 0); + AV_COPY32(p, pi); } - pi = GET_PIXEL(pal->frame, i, 0); - AV_COPY32(p, pi); } } From 3b57d7769a76a243ddfbb8190bf8d2c93ceba4fd Mon Sep 17 00:00:00 2001 From: Gianluigi Tiesi Date: Fri, 19 Sep 2014 04:49:36 +0200 Subject: [PATCH 0039/1352] avcodec/libilbc: support for latest git of libilbc in the latest git commits of libilbc developers removed WebRtc_xxx typedefs This commit uses int types instead, it's safe to apply also for previous versions since WebRtc_Word16 was always a typedef of int16_t and WebRtc_UWord16 a typedef of uint16_t Reviewed-by: Timothy Gu Signed-off-by: Michael Niedermayer (cherry picked from commit 59af5383c18c8cf3fe2a4b5cc1ebf2f3300bdfe5) 
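Review bot: The fallback `AV_WB32(p, 0xFF000000);` in the second webp.c hunk appears to store opaque black, not the translucent black the commit subject promises. AV_WB32 writes the most significant byte first, so `p[0]` becomes 0xFF; if byte 0 is alpha, as the ARGB image role and the index read from `p[2]` suggest, the pixel is fully opaque. If a zero alpha is what the spec recommendation means, the line would be `AV_WB32(p, 0x00000000);`. The bounds check on `i` is kept, so the palette read stays in range, but the error log is removed with nothing in its place; a debug-level `av_log` would keep malformed files diagnosable. The body of apply_color_indexing_transform starts and ends outside the hunk.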
Signed-off-by: Michael Niedermayer --- libavcodec/libilbc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/libilbc.c b/libavcodec/libilbc.c index 898fe83b1c..9fdd3c83f5 100644 --- a/libavcodec/libilbc.c +++ b/libavcodec/libilbc.c @@ -96,8 +96,7 @@ static int ilbc_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; - WebRtcIlbcfix_DecodeImpl((WebRtc_Word16*) frame->data[0], - (const WebRtc_UWord16*) buf, &s->decoder, 1); + WebRtcIlbcfix_DecodeImpl((int16_t *) frame->data[0], (const uint16_t *) buf, &s->decoder, 1); *got_frame_ptr = 1; @@ -170,7 +169,7 @@ static int ilbc_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if ((ret = ff_alloc_packet2(avctx, avpkt, 50)) < 0) return ret; - WebRtcIlbcfix_EncodeImpl((WebRtc_UWord16*) avpkt->data, (const WebRtc_Word16*) frame->data[0], &s->encoder); + WebRtcIlbcfix_EncodeImpl((uint16_t *) avpkt->data, (const int16_t *) frame->data[0], &s->encoder); avpkt->size = s->encoder.no_of_bytes; *got_packet_ptr = 1; From d38943829649f50e11c4c1e2b0e0bf749c17013c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Sep 2014 12:12:50 +0200 Subject: [PATCH 0040/1352] swscale: Allow chroma samples to be above and to the left of luma samples Found-by: Kierank Signed-off-by: Michael Niedermayer (cherry picked from commit 61af6bebb457c8d9bb00baaccd65a39632437bcd) Signed-off-by: Michael Niedermayer --- libswscale/options.c | 8 ++++---- libswscale/utils.c | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libswscale/options.c b/libswscale/options.c index 5433d55b9b..4d49c3e8cc 100644 --- a/libswscale/options.c +++ b/libswscale/options.c 
@@ -64,10 +64,10 @@ static const AVOption swscale_options[] = { { "param0", "scaler param 0", OFFSET(param[0]), AV_OPT_TYPE_DOUBLE, { .dbl = SWS_PARAM_DEFAULT }, INT_MIN, INT_MAX, VE }, { "param1", "scaler param 1", OFFSET(param[1]), AV_OPT_TYPE_DOUBLE, { .dbl = SWS_PARAM_DEFAULT }, INT_MIN, INT_MAX, VE }, - { "src_v_chr_pos", "source vertical chroma position in luma grid/256" , OFFSET(src_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1 }, -1, 512, VE }, - { "src_h_chr_pos", "source horizontal chroma position in luma grid/256", OFFSET(src_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1 }, -1, 512, VE }, - { "dst_v_chr_pos", "destination vertical chroma position in luma grid/256" , OFFSET(dst_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1 }, -1, 512, VE }, - { "dst_h_chr_pos", "destination horizontal chroma position in luma grid/256", OFFSET(dst_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1 }, -1, 512, VE }, + { "src_v_chr_pos", "source vertical chroma position in luma grid/256" , OFFSET(src_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513 }, -513, 512, VE }, + { "src_h_chr_pos", "source horizontal chroma position in luma grid/256", OFFSET(src_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513 }, -513, 512, VE }, + { "dst_v_chr_pos", "destination vertical chroma position in luma grid/256" , OFFSET(dst_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513 }, -513, 512, VE }, + { "dst_h_chr_pos", "destination horizontal chroma position in luma grid/256", OFFSET(dst_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513 }, -513, 512, VE }, { "sws_dither", "set dithering algorithm", OFFSET(dither), AV_OPT_TYPE_INT, { .i64 = SWS_DITHER_AUTO }, 0, NB_SWS_DITHER, VE, "sws_dither" }, { "auto", "leave choice to sws", 0, AV_OPT_TYPE_CONST, { .i64 = SWS_DITHER_AUTO }, INT_MIN, INT_MAX, VE, "sws_dither" }, diff --git a/libswscale/utils.c b/libswscale/utils.c index 06fd358d94..56157001f0 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
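Review bot: The help strings of the four `*_chr_pos` options do not say that the new default `-513` means "not specified", so a user reading the option table cannot tell it apart from a real position now that negative values are accepted. The description could carry it, for example `"source vertical chroma position in luma grid/256 (-513 = unspecified)"`. The same applies to the four `in_*`/`out_*_chr_pos` entries in the vf_scale.c hunk of the following commit. The literal `-513` is now repeated across two option tables and get_local_pos(), so a shared named constant would keep them in step; the tables themselves start and end outside the hunks.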
@@ -266,7 +266,7 @@ static double getSplineCoeff(double a, double b, double c, double d, static av_cold int get_local_pos(SwsContext *s, int chr_subsample, int pos, int dir) { - if (pos < 0) { + if (pos == -1 || pos <= -513) { pos = (128 << chr_subsample) - 128; } pos += 128; // relative to ideal left edge From bb5c0ac922efcccf51e3681c53cdd2896d68d786 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Sep 2014 12:12:50 +0200 Subject: [PATCH 0041/1352] avfilter/vf_scale: Allow chroma samples to be above and to the left of luma samples Found-by: Kierank Signed-off-by: Michael Niedermayer (cherry picked from commit e927682e1b258501f3ddecef85801282267277c7) Conflicts: libavfilter/version.h --- libavfilter/vf_scale.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 506254f500..64b88c2357 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c 
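Review bot: The condition `pos == -1 || pos <= -513` still maps `-1` to the default position although the option range now admits it as an ordinary value, so a caller asking for a chroma offset of exactly -1/256 silently gets the centred default. If that is kept for compatibility with the old sentinel, it deserves a comment at the test, for example `/* -1 is the legacy "unset" value, -513 the current one; both select the default siting */`. The rest of get_local_pos lies outside the hunk.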
@@ -557,10 +557,10 @@ static const AVOption scale_options[] = { { "mpeg", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = AVCOL_RANGE_MPEG}, 0, 0, FLAGS, "range" }, { "tv", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = AVCOL_RANGE_MPEG}, 0, 0, FLAGS, "range" }, { "pc", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = AVCOL_RANGE_JPEG}, 0, 0, FLAGS, "range" }, - { "in_v_chr_pos", "input vertical chroma position in luma grid/256" , OFFSET(in_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1}, -1, 512, FLAGS }, - { "in_h_chr_pos", "input horizontal chroma position in luma grid/256", OFFSET(in_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1}, -1, 512, FLAGS }, - { "out_v_chr_pos", "output vertical chroma position in luma grid/256" , OFFSET(out_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1}, -1, 512, FLAGS }, - { "out_h_chr_pos", "output horizontal chroma position in luma grid/256", OFFSET(out_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -1}, -1, 512, FLAGS }, + { "in_v_chr_pos", "input vertical chroma position in luma grid/256" , OFFSET(in_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513}, -513, 512, FLAGS }, + { "in_h_chr_pos", "input horizontal chroma position in luma grid/256", OFFSET(in_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513}, -513, 512, FLAGS }, + { "out_v_chr_pos", "output vertical chroma position in luma grid/256" , OFFSET(out_v_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513}, -513, 512, FLAGS }, + { "out_h_chr_pos", "output horizontal chroma position in luma grid/256", OFFSET(out_h_chr_pos), AV_OPT_TYPE_INT, { .i64 = -513}, -513, 512, FLAGS }, { "force_original_aspect_ratio", "decrease or increase w/h if necessary to keep the original AR", OFFSET(force_original_aspect_ratio), AV_OPT_TYPE_INT, { .i64 = 0}, 0, 2, FLAGS, "force_oar" }, { "disable", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = 0 }, 0, 0, FLAGS, "force_oar" }, { "decrease", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = 1 }, 0, 0, FLAGS, "force_oar" }, From e1ce4f805f31aecec83fc7c7ecaab623f3b6327f Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 21 Sep 2014 23:23:48 +0200 Subject: [PATCH 0042/1352] update for 2.4.1 Signed-off-by: Michael Niedermayer --- Changelog | 9 +++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 68ae1d7e10..2e21a718f8 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,15 @@ releases are sorted from youngest to oldest. version : +version 2.4.1: +- swsscale: Allow chroma samples to be above and to the left of luma samples +- avcodec/libilbc: support for latest git of libilbc +- avcodec/webp: treat out-of-bound palette index as translucent black +- vf_deshake: rename Transform.vector to Transform.vec to avoid compiler confusion +- apetag: Fix APE tag size check +- tools/crypto_bench: fix build when AV_READ_TIME is unavailable + + version 2.4: - Icecast protocol - ported lenscorrection filter from frei0r filter diff --git a/RELEASE b/RELEASE index 6b4950e3de..005119baaa 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4 +2.4.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 96a8743274..ff09b92c37 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4 +PROJECT_NUMBER = 2.4.1 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 09c848855a7bf11a9ab4a69971cced260b17817d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Thu, 25 Sep 2014 11:59:57 +0300 Subject: [PATCH 0043/1352] h264: Always invoke the get_format() callback Signed-off-by: Luca Barbato --- libavcodec/h264_slice.c | 51 +++++++++++++++++++++++++---------------- 1 file changed, 31 insertions(+), 20 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 83d3426353..1ee7a3dfff 100644 
--- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -975,45 +975,54 @@ static int clone_slice(H264Context *dst, H264Context *src) static enum AVPixelFormat get_pixel_format(H264Context *h) { + enum AVPixelFormat pix_fmts[2]; + const enum AVPixelFormat *choices = pix_fmts; + + pix_fmts[1] = AV_PIX_FMT_NONE; + switch (h->sps.bit_depth_luma) { case 9: if (CHROMA444(h)) { if (h->avctx->colorspace == AVCOL_SPC_RGB) { - return AV_PIX_FMT_GBRP9; + pix_fmts[0] = AV_PIX_FMT_GBRP9; } else - return AV_PIX_FMT_YUV444P9; + pix_fmts[0] = AV_PIX_FMT_YUV444P9; } else if (CHROMA422(h)) - return AV_PIX_FMT_YUV422P9; + pix_fmts[0] = AV_PIX_FMT_YUV422P9; else - return AV_PIX_FMT_YUV420P9; + pix_fmts[0] = AV_PIX_FMT_YUV420P9; break; case 10: if (CHROMA444(h)) { if (h->avctx->colorspace == AVCOL_SPC_RGB) { - return AV_PIX_FMT_GBRP10; + pix_fmts[0] = AV_PIX_FMT_GBRP10; } else - return AV_PIX_FMT_YUV444P10; + pix_fmts[0] = AV_PIX_FMT_YUV444P10; } else if (CHROMA422(h)) - return AV_PIX_FMT_YUV422P10; + pix_fmts[0] = AV_PIX_FMT_YUV422P10; else - return AV_PIX_FMT_YUV420P10; + pix_fmts[0] = AV_PIX_FMT_YUV420P10; break; case 8: if (CHROMA444(h)) { - if (h->avctx->colorspace == AVCOL_SPC_RGB) { - return AV_PIX_FMT_GBRP; - } else - return h->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ444P - : AV_PIX_FMT_YUV444P; + if (h->avctx->colorspace == AVCOL_SPC_RGB) + pix_fmts[0] = AV_PIX_FMT_GBRP; + else if (h->avctx->color_range == AVCOL_RANGE_JPEG) + pix_fmts[0] = AV_PIX_FMT_YUVJ444P; + else + pix_fmts[0] = AV_PIX_FMT_YUV444P; } else if (CHROMA422(h)) { - return h->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ422P - : AV_PIX_FMT_YUV422P; + if (h->avctx->color_range == AVCOL_RANGE_JPEG) + pix_fmts[0] = AV_PIX_FMT_YUVJ422P; + else + pix_fmts[0] = AV_PIX_FMT_YUV422P; } else { - return ff_get_format(h->avctx, h->avctx->codec->pix_fmts ? - h->avctx->codec->pix_fmts : - h->avctx->color_range == AVCOL_RANGE_JPEG ? 
- h264_hwaccel_pixfmt_list_jpeg_420 : - h264_hwaccel_pixfmt_list_420); + if (h->avctx->codec->pix_fmts) + choices = h->avctx->codec->pix_fmts; + else if (h->avctx->color_range == AVCOL_RANGE_JPEG) + choices = h264_hwaccel_pixfmt_list_jpeg_420; + else + choices = h264_hwaccel_pixfmt_list_420; } break; default: @@ -1021,6 +1030,8 @@ static enum AVPixelFormat get_pixel_format(H264Context *h) "Unsupported bit depth %d\n", h->sps.bit_depth_luma); return AVERROR_INVALIDDATA; } + + return ff_get_format(h->avctx, choices); } /* export coded and cropped frame dimensions to AVCodecContext */ From ce0972ecddef3eee3c03e393108e5728821e3e37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Thu, 25 Sep 2014 11:59:58 +0300 Subject: [PATCH 0044/1352] mpeg12: Always invoke the get_format() callback Signed-off-by: Luca Barbato --- libavcodec/mpeg12dec.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index e3bd1675a8..93e3900ce3 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1181,10 +1181,21 @@ static const enum AVPixelFormat mpeg12_hwaccel_pixfmt_list_420[] = { AV_PIX_FMT_NONE }; +static const enum AVPixelFormat mpeg12_pixfmt_list_422[] = { + AV_PIX_FMT_YUV422P, + AV_PIX_FMT_NONE +}; + +static const enum AVPixelFormat mpeg12_pixfmt_list_444[] = { + AV_PIX_FMT_YUV444P, + AV_PIX_FMT_NONE +}; + static enum AVPixelFormat mpeg_get_pixelformat(AVCodecContext *avctx) { Mpeg1Context *s1 = avctx->priv_data; MpegEncContext *s = &s1->mpeg_enc_ctx; + const enum AVPixelFormat *pix_fmts; #if FF_API_XVMC FF_DISABLE_DEPRECATION_WARNINGS 
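Review bot: In get_pixel_format() only `pix_fmts[1]` is initialised up front, so `pix_fmts[0]` stays indeterminate on the 8-bit 4:2:0 path, where `choices` is redirected to another list. Nothing visible reads it there, but a later edit that forgets to redirect `choices` would pass an uninitialised format to `ff_get_format()`. Initialising at the declaration removes that trap: `enum AVPixelFormat pix_fmts[2] = { AV_PIX_FMT_NONE, AV_PIX_FMT_NONE };`. Since every path now ends in `ff_get_format(h->avctx, choices)`, a short comment above the function should say that the result comes from the application callback and may be `AV_PIX_FMT_NONE`; how the caller handles that is not visible in these hunks.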
@@ -1194,11 +1205,13 @@ FF_ENABLE_DEPRECATION_WARNINGS #endif /* FF_API_XVMC */ if (s->chroma_format < 2) - return ff_get_format(avctx, mpeg12_hwaccel_pixfmt_list_420); + pix_fmts = mpeg12_hwaccel_pixfmt_list_420; else if (s->chroma_format == 2) - return AV_PIX_FMT_YUV422P; + pix_fmts = mpeg12_pixfmt_list_422; else - return AV_PIX_FMT_YUV444P; + pix_fmts = mpeg12_pixfmt_list_444; + + return ff_get_format(avctx, pix_fmts); } /* Call this function when we know all parameters. From 570cefb02b4f149c4263677e1a3eea216ee0ec8c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 17 Sep 2014 19:51:40 +0200 Subject: [PATCH 0045/1352] hevc: Initialize mergecand_list to 0 Unbreak cf6090dc6252f2b276aa4133e3d73a89f4c6046c. CC: libav-stable@libav.org Sample-Id: hevc-conformance-LTRPSPS_A_Qualcomm_1 --- libavcodec/hevc_mvs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc_mvs.c b/libavcodec/hevc_mvs.c index cc5a16ce72..a611b762f1 100644 --- a/libavcodec/hevc_mvs.c +++ b/libavcodec/hevc_mvs.c @@ -556,6 +556,8 @@ void ff_hevc_luma_mv_merge_mode(HEVCContext *s, int x0, int y0, int nPbW, int nPbH2 = nPbH; HEVCLocalContext *lc = &s->HEVClc; + memset(mergecand_list, 0, MRG_MAX_NUM_CANDS * sizeof(*mergecand_list)); + if (s->pps->log2_parallel_merge_level > 2 && nCS == 8) { singleMCLFlag = 1; x0 = lc->cu.x; From ff24824a721576195c3b4a711e3ee2af900de795 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Sep 2014 00:46:50 +0100 Subject: [PATCH 0046/1352] h264: reset ret to avoid propagating minor failures Unbreak 772d150a6e82542c06b0c251e73dd299d98d1027. CC: libav-stable@libav.org Bug-Id: 750 / 905753 Signed-off-by: Vittorio Giovara --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1fd5e506cd..562b1023e3 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1679,6 +1679,7 @@ again: goto end; } + ret = 0; end: /* clean up */ if (h->cur_pic_ptr && !h->droppable) { 
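Review bot: The `memset(mergecand_list, 0, ...)` added in hevc_mvs.c has no comment saying why the list must be zeroed, so it reads like a redundant initialisation that a later cleanup could remove. Judging by the commit message, some entries are presumably read before the candidate derivation fills them. A line such as `/* candidates not filled below are still read; they must not hold stack garbage */` would record that, adjusted to the actual reader. If `mergecand_list` is an array in this scope (its declaration is outside the hunk), `sizeof(mergecand_list)` would tie the length to the declaration instead of repeating `MRG_MAX_NUM_CANDS`.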
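Review bot: The bare `ret = 0;` placed just before the `end:` label in h264.c discards whatever error code `ret` holds on the fall-through path, and nothing at the site says which failures are meant to be ignored. A comment such as `/* non-fatal per-NAL errors must not fail the whole call; fatal ones jump to end with ret set */` would make the intent reviewable, presumably matching the "minor failures" of the commit message. It would also help to log the discarded value at debug level before clearing it, so damaged input stays traceable. The surrounding function starts and ends outside the hunk.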
From 31baa6f199ed581cf06ab47363c631270fdc0cd5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Sep 2014 09:11:38 +0200 Subject: [PATCH 0047/1352] Changelog: fix sws typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: Clément Bœsch Signed-off-by: Michael Niedermayer --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 2e21a718f8..7512496c03 100644 --- a/Changelog +++ b/Changelog @@ -4,7 +4,7 @@ releases are sorted from youngest to oldest. version : version 2.4.1: -- swsscale: Allow chroma samples to be above and to the left of luma samples +- swscale: Allow chroma samples to be above and to the left of luma samples - avcodec/libilbc: support for latest git of libilbc - avcodec/webp: treat out-of-bound palette index as translucent black - vf_deshake: rename Transform.vector to Transform.vec to avoid compiler confusion From 0cda7baa8b22d7ca42437487bbfab76719b807da Mon Sep 17 00:00:00 2001 
From: Bernd Kuhls Date: Tue, 23 Sep 2014 20:10:03 +0200 Subject: [PATCH 0048/1352] Fix compile error on arm4/arm5 platform Since these commits http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=adf8227cf4e7b4fccb2ad88e1e09b6dc00dd00ed http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=db7f1c7c5a1d37e7f4da64a79a97bea1c4b6e9f8 compilation on arm4/arm5 fails: libavcodec/libavcodec.so: undefined reference to `ff_startcode_find_candidate_armv6' Because libavcodec/arm/Makefile contains ARMV6-OBJS-$(CONFIG_STARTCODE) += arm/startcode_armv6.o function ff_startcode_find_candidate_armv6 is not included for older ARM archs. The bug was found during automatic buildroot builds: http://autobuild.buildroot.net/results/ec7/ec71e4f16ee9106747dff5f15999cbd17903e76f//build-end.log Quote from configure summary: ARCH arm (armv4t) big-endian no runtime cpu detection yes ARMv5TE enabled no ARMv6 enabled no ARMv6T2 enabled no http://autobuild.buildroot.net/results/be7/be72eb182eaccf0064a32c9dfc2ac1c0d6555506/build-end.log ARCH arm (armv5te) big-endian no runtime cpu detection yes ARMv5TE enabled yes ARMv6 enabled no ARMv6T2 enabled no This patch provides the necessary #if clauses as discussed with Michael: https://ffmpeg.org/pipermail/ffmpeg-devel/2014-September/163329.html Signed-off-by: Bernd Kuhls Signed-off-by: Michael Niedermayer (cherry picked from commit 6b733be755529f2472472d9ed1b2eef3b6398828) Signed-off-by: Michael Niedermayer --- libavcodec/arm/h264dsp_init_arm.c | 2 ++ libavcodec/arm/vc1dsp_init_arm.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/libavcodec/arm/h264dsp_init_arm.c b/libavcodec/arm/h264dsp_init_arm.c index f7aee1faa9..88dfd7580b 100644 --- a/libavcodec/arm/h264dsp_init_arm.c +++ b/libavcodec/arm/h264dsp_init_arm.c 
@@ -107,8 +107,10 @@ av_cold void ff_h264dsp_init_arm(H264DSPContext *c, const int bit_depth, { int cpu_flags = av_get_cpu_flags(); +#if HAVE_ARMV6 if (have_setend(cpu_flags)) c->startcode_find_candidate = ff_startcode_find_candidate_armv6; +#endif if (have_neon(cpu_flags)) h264dsp_init_neon(c, bit_depth, chroma_format_idc); } diff --git a/libavcodec/arm/vc1dsp_init_arm.c b/libavcodec/arm/vc1dsp_init_arm.c index 9dae22c822..5f2c759048 100644 --- a/libavcodec/arm/vc1dsp_init_arm.c +++ b/libavcodec/arm/vc1dsp_init_arm.c @@ -28,8 +28,10 @@ av_cold void ff_vc1dsp_init_arm(VC1DSPContext *dsp) { int cpu_flags = av_get_cpu_flags(); +#if HAVE_ARMV6 if (have_setend(cpu_flags)) dsp->startcode_find_candidate = ff_startcode_find_candidate_armv6; +#endif if (have_neon(cpu_flags)) ff_vc1dsp_init_neon(dsp); } From a88a57cd2442333ca54108f816d0e8018e495ac8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Sep 2014 15:55:24 +0200 Subject: [PATCH 0049/1352] avcodec/asvenc: fix AAN scaling Signed-off-by: Michael Niedermayer (cherry picked from commit b0f7de3e7c735cf6e222006ecbbd3e11b5f90a21) Signed-off-by: Michael Niedermayer --- libavcodec/asvenc.c | 11 ++++++++-- tests/ref/seek/vsynth2-asv1 | 40 +++++++++++++++++------------------ tests/ref/seek/vsynth2-asv2 | 40 +++++++++++++++++------------------ tests/ref/vsynth/vsynth1-asv1 | 8 +++---- tests/ref/vsynth/vsynth1-asv2 | 8 +++---- tests/ref/vsynth/vsynth2-asv1 | 8 +++---- tests/ref/vsynth/vsynth2-asv2 | 8 +++---- tests/ref/vsynth/vsynth3-asv1 | 8 +++---- tests/ref/vsynth/vsynth3-asv2 | 8 +++---- 9 files changed, 73 insertions(+), 66 deletions(-) diff --git a/libavcodec/asvenc.c b/libavcodec/asvenc.c index bbf4494866..3ad2c31591 100644 --- a/libavcodec/asvenc.c +++ b/libavcodec/asvenc.c @@ -26,8 +26,10 @@ #include "libavutil/attributes.h" #include "libavutil/mem.h" +#include "aandcttab.h" #include "asv.h" #include "avcodec.h" +#include "dct.h" #include "fdctdsp.h" #include "internal.h" #include "mathops.h" 
@@ -331,8 +333,13 @@ static av_cold int encode_init(AVCodecContext *avctx) ((uint32_t *) avctx->extradata)[1] = av_le2ne32(AV_RL32("ASUS")); for (i = 0; i < 64; i++) { - int q = 32 * scale * ff_mpeg1_default_intra_matrix[i]; - a->q_intra_matrix[i] = ((a->inv_qscale << 16) + q / 2) / q; + if (a->fdsp.fdct == ff_fdct_ifast) { + int q = 32LL * scale * ff_mpeg1_default_intra_matrix[i] * ff_aanscales[i]; + a->q_intra_matrix[i] = (((int64_t)a->inv_qscale << 30) + q / 2) / q; + } else { + int q = 32 * scale * ff_mpeg1_default_intra_matrix[i]; + a->q_intra_matrix[i] = ((a->inv_qscale << 16) + q / 2) / q; + } } return 0; diff --git a/tests/ref/seek/vsynth2-asv1 b/tests/ref/seek/vsynth2-asv1 index 5873bb17b7..e2556a7459 100644 --- a/tests/ref/seek/vsynth2-asv1 +++ b/tests/ref/seek/vsynth2-asv1 
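Review bot: In the `ff_fdct_ifast` branch of encode_init() the product is computed in 64 bits because of the `32LL` factor, but it is then stored in `int q`, so any value above INT_MAX is truncated before it is used as the divisor. Whether that can happen depends on `scale`, which is set outside the hunk. Declaring the variable with the width of the arithmetic removes the question: `int64_t q = 32LL * scale * ff_mpeg1_default_intra_matrix[i] * ff_aanscales[i];`. The shift constants `30` and `16` in the two branches would benefit from a one-line comment tying the extra 14 bits to the fixed-point scale of `ff_aanscales`, if that is indeed where they come from.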
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12152 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12152 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 776840 size: 18256 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 643344 size: 15064 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 305352 size: 16180 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 255232 size: 13312 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 595448 size: 17980 +ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 493584 size: 14796 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 135516 size: 14868 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 114852 size: 12356 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 404100 size: 16856 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 336180 size: 13824 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12152 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 813396 size: 18296 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 673504 size: 15104 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 704136 size: 18140 +ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 583312 size: 14956 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.640000 
pts: 0.640000 pos: 241764 size: 15736 +ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos: 202872 size: 12944 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12152 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 813396 size: 18296 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 673504 size: 15104 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 524488 size: 17548 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 435128 size: 14488 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 77020 size: 14496 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 65864 size: 12144 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12152 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 813396 size: 18296 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 673504 size: 15104 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 337808 size: 16388 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 281884 size: 13412 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 631584 size: 18188 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 523324 size: 14972 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 180212 size: 15168 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 152056 size: 12540 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-asv2 b/tests/ref/seek/vsynth2-asv2 index 7d37b7ac06..cd99c45ac7 100644 --- a/tests/ref/seek/vsynth2-asv2 
+++ b/tests/ref/seek/vsynth2-asv2 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12072 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12072 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 736152 size: 17340 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 630028 size: 14892 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 289708 size: 15300 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 248836 size: 13024 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 564140 size: 17016 +ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 482700 size: 14532 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 128564 size: 14052 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 111600 size: 12016 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 383244 size: 15896 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 328252 size: 13532 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12072 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 770852 size: 17400 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 659848 size: 14928 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 667016 size: 17172 +ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 570784 size: 14712 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.640000 
pts: 0.640000 pos: 229388 size: 14956 +ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos: 197536 size: 12724 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12072 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 770852 size: 17400 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 659848 size: 14928 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 496932 size: 16564 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 425316 size: 14116 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 73176 size: 13664 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 64104 size: 11780 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 12072 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 770852 size: 17400 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 659848 size: 14928 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 320444 size: 15592 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 274964 size: 13176 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 598288 size: 17180 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 511944 size: 14668 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 171012 size: 14392 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 147820 size: 12240 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/vsynth/vsynth1-asv1 b/tests/ref/vsynth/vsynth1-asv1 index b450f0eacf..445197ac7e 100644 --- a/tests/ref/vsynth/vsynth1-asv1 
+++ b/tests/ref/vsynth/vsynth1-asv1 @@ -1,4 +1,4 @@ -992195272b94d8779b6216030b85ae18 *tests/data/fate/vsynth1-asv1.avi -1489644 tests/data/fate/vsynth1-asv1.avi -2dfc5dfc2c1cbbc2543257cd3d2df6af *tests/data/fate/vsynth1-asv1.out.rawvideo -stddev: 20.00 PSNR: 22.11 MAXDIFF: 158 bytes: 7603200/ 7603200 +f446db5dfd6bcc14378bca9406e39adb *tests/data/fate/vsynth1-asv1.avi +1298616 tests/data/fate/vsynth1-asv1.avi +a4f95c58e8b9258da52b9d09153b1078 *tests/data/fate/vsynth1-asv1.out.rawvideo +stddev: 11.89 PSNR: 26.62 MAXDIFF: 132 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth1-asv2 b/tests/ref/vsynth/vsynth1-asv2 index 7bc1a0d530..225712e4ed 100644 --- a/tests/ref/vsynth/vsynth1-asv2 +++ b/tests/ref/vsynth/vsynth1-asv2 @@ -1,4 +1,4 @@ -1e589b4dd70c4a8a7dbf4a466bab31ae *tests/data/fate/vsynth1-asv2.avi -1456044 tests/data/fate/vsynth1-asv2.avi -d451be09793cd0f35b6d91fc36e2571a *tests/data/fate/vsynth1-asv2.out.rawvideo -stddev: 18.82 PSNR: 22.63 MAXDIFF: 131 bytes: 7603200/ 7603200 +06b7b65686a1eb03d43f25e179c03872 *tests/data/fate/vsynth1-asv2.avi +1434408 tests/data/fate/vsynth1-asv2.avi +cb1f5560005800e889bfbb36cdc9fc40 *tests/data/fate/vsynth1-asv2.out.rawvideo +stddev: 8.36 PSNR: 29.68 MAXDIFF: 58 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-asv1 b/tests/ref/vsynth/vsynth2-asv1 index 01fd2bf05e..78118887a7 100644 --- a/tests/ref/vsynth/vsynth2-asv1 +++ b/tests/ref/vsynth/vsynth2-asv1 @@ -1,4 +1,4 @@ -9218843465c3396e9b078e63ce7ba17e *tests/data/fate/vsynth2-asv1.avi -832500 tests/data/fate/vsynth2-asv1.avi -c96ff7fd17c52f99ddb7922a4cb9168f *tests/data/fate/vsynth2-asv1.out.rawvideo -stddev: 10.47 PSNR: 27.73 MAXDIFF: 98 bytes: 7603200/ 7603200 +bffe7188b4b5c3ff76c75561d0bebd77 *tests/data/fate/vsynth2-asv1.avi +689416 tests/data/fate/vsynth2-asv1.avi +a7cdefad200f48ab308c746461a8792e *tests/data/fate/vsynth2-asv1.out.rawvideo +stddev: 5.07 PSNR: 34.03 MAXDIFF: 70 bytes: 7603200/ 7603200 
diff --git a/tests/ref/vsynth/vsynth2-asv2 b/tests/ref/vsynth/vsynth2-asv2 index c66f056107..617a77fb8d 100644 --- a/tests/ref/vsynth/vsynth2-asv2 +++ b/tests/ref/vsynth/vsynth2-asv2 @@ -1,4 +1,4 @@ -065323f9873c367dd1e371fa47657ae4 *tests/data/fate/vsynth2-asv2.avi -789060 tests/data/fate/vsynth2-asv2.avi -74a78015b64b2cf8cb9da2e44f508a69 *tests/data/fate/vsynth2-asv2.out.rawvideo -stddev: 10.28 PSNR: 27.89 MAXDIFF: 95 bytes: 7603200/ 7603200 +f8c3b9899bbd9545757fac0c7ecf4e34 *tests/data/fate/vsynth2-asv2.avi +675584 tests/data/fate/vsynth2-asv2.avi +5990db66c7ac0bbe2f98ec2770c1bf3b *tests/data/fate/vsynth2-asv2.out.rawvideo +stddev: 4.57 PSNR: 34.93 MAXDIFF: 47 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth3-asv1 b/tests/ref/vsynth/vsynth3-asv1 index fd5f82dc69..8486b040f8 100644 --- a/tests/ref/vsynth/vsynth3-asv1 +++ b/tests/ref/vsynth/vsynth3-asv1 @@ -1,4 +1,4 @@ -43c51aa52666de02dfa49fd1c10a558f *tests/data/fate/vsynth3-asv1.avi -36664 tests/data/fate/vsynth3-asv1.avi -fd156079afc2753dde7d6a8418b2a25a *tests/data/fate/vsynth3-asv1.out.rawvideo -stddev: 21.25 PSNR: 21.58 MAXDIFF: 122 bytes: 86700/ 86700 +642c88813798d857d236f21bb36d8783 *tests/data/fate/vsynth3-asv1.avi +34700 tests/data/fate/vsynth3-asv1.avi +3c8636e22a96267451684f42d7a6f608 *tests/data/fate/vsynth3-asv1.out.rawvideo +stddev: 13.16 PSNR: 25.74 MAXDIFF: 112 bytes: 86700/ 86700 diff --git a/tests/ref/vsynth/vsynth3-asv2 b/tests/ref/vsynth/vsynth3-asv2 index 360bb07203..2a5d23bb96 100644 --- a/tests/ref/vsynth/vsynth3-asv2 +++ b/tests/ref/vsynth/vsynth3-asv2 
@@ -1,4 +1,4 @@ -8958facfc4853267ece3b7868df80229 *tests/data/fate/vsynth3-asv2.avi -35620 tests/data/fate/vsynth3-asv2.avi -ff711d6341966f03ee32b73ae22493ed *tests/data/fate/vsynth3-asv2.out.rawvideo -stddev: 19.98 PSNR: 22.12 MAXDIFF: 113 bytes: 86700/ 86700 +45f865e3d1cac1ef59ae4689f41dead5 *tests/data/fate/vsynth3-asv2.avi +36204 tests/data/fate/vsynth3-asv2.avi +5469c0735b7c9279e5e8e3439fc6acab *tests/data/fate/vsynth3-asv2.out.rawvideo +stddev: 9.07 PSNR: 28.97 MAXDIFF: 51 bytes: 86700/ 86700 From ff6d440d107d2e5183be55292a33937ca98f9a06 Mon Sep 17 00:00:00 2001 From: Pascal Massimino Date: Mon, 22 Sep 2014 14:48:57 -0700 Subject: [PATCH 0050/1352] avcodec/webp: fix default palette color 0xff000000 -> 0x00000000 Signed-off-by: Michael Niedermayer (cherry picked from commit e5b3112996c3da45aa03b39c5ade375d40d4407d) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 66c2d57c84..274708df79 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1066,7 +1066,7 @@ static int apply_color_indexing_transform(WebPContext *s) p = GET_PIXEL(img->frame, x, y); i = p[2]; if (i >= pal->frame->width) { - AV_WB32(p, 0xFF000000); + AV_WB32(p, 0x00000000); } else { const uint8_t *pi = GET_PIXEL(pal->frame, i, 0); AV_COPY32(p, pi); From 7a02b9cb2d033cc6b507dc35ed7a09dbdf6ec573 Mon Sep 17 00:00:00 2001 From: Benoit Fouet Date: Tue, 23 Sep 2014 10:07:10 +0200 Subject: [PATCH 0051/1352] avformat/riffenc: Filter out "BottomUp" in ff_put_bmp_header() Fixes Ticket1304 Commit message and extradata size bugfix by commiter Signed-off-by: Michael Niedermayer (cherry picked from commit 6843b9dc78bc966bb30121828ef4f6b6755cf877) Signed-off-by: Michael Niedermayer --- libavformat/riffenc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/riffenc.c b/libavformat/riffenc.c index ef4d399030..2eb2ae1d0e 100644 --- a/libavformat/riffenc.c 
+++ b/libavformat/riffenc.c @@ -209,11 +209,15 @@ int ff_put_wav_header(AVIOContext *pb, AVCodecContext *enc, int flags) void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, const AVCodecTag *tags, int for_asf, int ignore_extradata) { + int keep_height = enc->extradata_size >= 9 && + !memcmp(enc->extradata + enc->extradata_size - 9, "BottomUp", 9); + int extradata_size = enc->extradata_size - 9*keep_height; + /* size */ - avio_wl32(pb, 40 + (ignore_extradata ? 0 : enc->extradata_size)); + avio_wl32(pb, 40 + (ignore_extradata ? 0 :extradata_size)); avio_wl32(pb, enc->width); //We always store RGB TopDown - avio_wl32(pb, enc->codec_tag ? enc->height : -enc->height); + avio_wl32(pb, enc->codec_tag || keep_height ? enc->height : -enc->height); /* planes */ avio_wl16(pb, 1); /* depth */ @@ -227,9 +231,9 @@ void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, avio_wl32(pb, 0); if (!ignore_extradata) { - avio_write(pb, enc->extradata, enc->extradata_size); + avio_write(pb, enc->extradata, extradata_size); - if (!for_asf && enc->extradata_size & 1) + if (!for_asf && extradata_size & 1) avio_w8(pb, 0); } } From b8d34604ff166175f1921ac2ade5cd77ddb54e09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Sep 2014 23:38:29 +0200 Subject: [PATCH 0052/1352] tests/fate-run.sh: Cat .err file in case of error with V>0 This may make fate failures where only the console output is available easier to analyze Suggested-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 00d3bb1a074b60fd9687679e4147f56d81886b05) Signed-off-by: Michael Niedermayer --- tests/fate-run.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/fate-run.sh b/tests/fate-run.sh index 7fe7e7495e..b994abab27 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh 
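Review bot: In ff_put_bmp_header() (libavformat/riffenc.c) the literal `9` appears three times and must stay equal to the size of `"BottomUp"` including its terminator; nothing ties the number to the string. Deriving it from the string removes that coupling, e.g. `static const char tag[] = "BottomUp";` with `sizeof(tag)` in the length test, the `memcmp` and the subtraction. The height line would also read more safely with explicit parentheses, `avio_wl32(pb, (enc->codec_tag || keep_height) ? enc->height : -enc->height);`. `keep_height` is evaluated even when `ignore_extradata` is set, so the sign of the height then depends on bytes that are not written; if that is intended, a one-line comment should say so.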
@@ -248,6 +248,7 @@ if test $err = 0; then rm -f $outfile $errfile $cmpfile $cleanfiles elif test $gen = "no"; then echo "Test $test failed. Look at $errfile for details." + test "${V:-0}" -gt 0 && cat $errfile else echo "Updating reference failed, possibly no output file was generated." fi From 9d79848f841d7a89950c66225411cb3ee7b428fb Mon Sep 17 00:00:00 2001 From: Philip DeCamp Date: Wed, 24 Sep 2014 16:15:18 -0400 Subject: [PATCH 0053/1352] libavutil/opt: fix av_opt_set_channel_layout() to access correct memory address Signed-off-by: Philip DeCamp Signed-off-by: Michael Niedermayer (cherry picked from commit 857fc0a71f1b52fbba3281ba64b5a35195458622) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index ca4edb827e..ee72a96471 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -627,7 +627,7 @@ int av_opt_set_channel_layout(void *obj, const char *name, int64_t cl, int searc "The value set by option '%s' is not a channel layout.\n", o->name); return AVERROR(EINVAL); } - *(int *)(((int64_t *)target_obj) + o->offset) = cl; + *(int64_t *)(((uint8_t *)target_obj) + o->offset) = cl; return 0; } From 16c3d6d3927ef4b8e8f5fb58d5fef064957edce2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Sep 2014 15:12:27 +0200 Subject: [PATCH 0054/1352] avformat/img2dec: fix error code at EOF for pipes Signed-off-by: Michael Niedermayer (cherry picked from commit 1dbdcb4a8c76df70ab41e3dacbfe01d59ed4091e) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index a21429f6ae..ad778123f7 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c 
@@ -422,7 +422,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } else { f[0] = s1->pb; if (avio_feof(f[0])) - return AVERROR(EIO); + return AVERROR_EOF; if (s->frame_size > 0) { size[0] = s->frame_size; } else if (!s1->streams[0]->parser) { From 76a5cf1f80a23316b02ab52f9459159b8efec84a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Sep 2014 16:17:08 +0200 Subject: [PATCH 0055/1352] avformat/img2dec: pass error code and signal EOF Found-by: Daemon404 Signed-off-by: Michael Niedermayer (cherry picked from commit 2497914a1846c1dbcfb853ea834da0038f0e22f5) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index ad778123f7..bb941268d6 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -463,7 +463,13 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) { av_free_packet(pkt); - return AVERROR(EIO); /* signal EOF */ + if (ret[0] < 0) { + return ret[0]; + } else if (ret[1] < 0) { + return ret[1]; + } else if (ret[2] < 0) + return ret[2]; + return AVERROR_EOF; } else { s->img_count++; s->img_number++; From 1d109974880907d5c543c7e78f208c1c2534b6bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Sep 2014 17:06:33 +0200 Subject: [PATCH 0056/1352] avformat/img2dec: initialize pkt->pos for image pipes Signed-off-by: Michael Niedermayer (cherry picked from commit 6d35aba167a2333367298fced3724b16261dcdf9) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 3 +++ tests/ref/fate/exif-image-tiff | 2 +- tests/ref/fate/exif-image-webp | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index bb941268d6..c88db69782 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c 
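Review bot: The error propagation added to ff_img_read_packet() (hunk at -463 in libavformat/img2dec.c) repeats the same test three times and mixes braced and unbraced branches, which makes the fall-through to `return AVERROR_EOF;` easy to misread. A loop states the same rule once: `for (i = 0; i < 3; i++) if (ret[i] < 0) return ret[i];` followed by `return AVERROR_EOF;`. `i` appears as a loop index in the same function in the context of the next patch, so it should already be in scope here. The function body starts and ends outside the hunk.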
@@ -450,6 +450,9 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) pkt->pts = s->pts; } + if (s->is_pipe) + pkt->pos = avio_tell(f[0]); + pkt->size = 0; for (i = 0; i < 3; i++) { if (f[i]) { diff --git a/tests/ref/fate/exif-image-tiff b/tests/ref/fate/exif-image-tiff index 515e3f186d..2b10529a08 100644 --- a/tests/ref/fate/exif-image-tiff +++ b/tests/ref/fate/exif-image-tiff @@ -9,7 +9,7 @@ best_effort_timestamp=0 best_effort_timestamp_time=0.000000 pkt_duration=1 pkt_duration_time=0.040000 -pkt_pos=N/A +pkt_pos=0 pkt_size=67604 width=200 height=112 diff --git a/tests/ref/fate/exif-image-webp b/tests/ref/fate/exif-image-webp index d83feb2b59..88e3c82923 100644 --- a/tests/ref/fate/exif-image-webp +++ b/tests/ref/fate/exif-image-webp @@ -9,7 +9,7 @@ best_effort_timestamp=0 best_effort_timestamp_time=0.000000 pkt_duration=1 pkt_duration_time=0.040000 -pkt_pos=N/A +pkt_pos=0 pkt_size=39276 width=400 height=225 From e1fd837888ce134e9b1af338345f32c7a414d8c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Sep 2014 17:07:04 +0200 Subject: [PATCH 0057/1352] avformat/img2dec: enable generic seeking for image pipes Signed-off-by: Michael Niedermayer (cherry picked from commit ce6e46be72292a748f37af50bfd5001dc5daa0e7) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index c88db69782..70bef9d405 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -703,6 +703,7 @@ AVInputFormat ff_image_ ## imgname ## _pipe_demuxer = {\ .read_header = ff_img_read_header,\ .read_packet = ff_img_read_packet,\ .priv_class = & imgname ## _class,\ + .flags = AVFMT_GENERIC_INDEX, \ .raw_codec_id = codecid,\ }; From da5e52010ce8b29e5ec7815477b49a2f3c0ba3df Mon Sep 17 00:00:00 2001 From: lvqcl Date: Sat, 27 Sep 2014 13:21:31 +0200 Subject: [PATCH 0058/1352] avutil/x86/cpu: fix cpuid sub-leaf selection 
Signed-off-by: Michael Niedermayer (cherry picked from commit e58fc44649d07d523fcd17aa10d9eb0d3a5ef3f4) Signed-off-by: Michael Niedermayer --- libavutil/x86/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c index 8ad478400c..2b62e92479 100644 --- a/libavutil/x86/cpu.c +++ b/libavutil/x86/cpu.c @@ -45,7 +45,7 @@ "cpuid \n\t" \ "xchg %%"REG_b", %%"REG_S \ : "=a" (eax), "=S" (ebx), "=c" (ecx), "=d" (edx) \ - : "0" (index)) + : "0" (index), "2"(0)) #define xgetbv(index, eax, edx) \ __asm__ (".byte 0x0f, 0x01, 0xd0" : "=a"(eax), "=d"(edx) : "c" (index)) From a9b9751bc88ac6dc38b99f6370dfecb2bfa6c008 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Sep 2014 20:34:44 +0200 Subject: [PATCH 0059/1352] avcodec/ac3enc_template: fix out of array read Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d85ebea3f3b68ebccfe308fa839fc30fa634e4de) Signed-off-by: Michael Niedermayer --- libavcodec/ac3enc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3enc_template.c b/libavcodec/ac3enc_template.c index 29e2381c9d..f1f81da290 100644 --- a/libavcodec/ac3enc_template.c +++ b/libavcodec/ac3enc_template.c @@ -263,7 +263,7 @@ static void apply_channel_coupling(AC3EncodeContext *s) energy_cpl = energy[blk][CPL_CH][bnd]; energy_ch = energy[blk][ch][bnd]; blk1 = blk+1; - while (!s->blocks[blk1].new_cpl_coords[ch] && blk1 < s->num_blocks) { + while (blk1 < s->num_blocks && !s->blocks[blk1].new_cpl_coords[ch]) { if (s->blocks[blk1].cpl_in_use) { energy_cpl += energy[blk1][CPL_CH][bnd]; energy_ch += energy[blk1][ch][bnd]; From 6099d1ca0e60cc77936108f88a24a9b6c2b024b8 Mon Sep 17 00:00:00 2001 
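Review bot: The `"2"(0)` input added to the cpuid macro (libavutil/x86/cpu.c) has no comment explaining why it is there, and it looks redundant to anyone who does not know that operand 2 is the `"=c" (ecx)` output. The constraint clears ECX before the instruction runs, which per the commit subject is what selects the sub-leaf. A comment above the macro such as `/* ECX = 0: select sub-leaf 0 explicitly instead of using whatever the register held */` would stop the constraint from being dropped in a later cleanup. The macro definition starts above the hunk.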
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sun, 21 Sep 2014 09:58:10 +0100 Subject: [PATCH 0060/1352] configure: add noexecstack to linker options if supported. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Reimar Döffinger (cherry picked from commit b7082d953fda93f7841ffffe7d15a6c3cd15bdee) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index b39b6d3198..618dfab2e8 100755 --- a/configure +++ b/configure @@ -4608,6 +4608,7 @@ fi check_code cc arm_neon.h "int16x8_t test = vdupq_n_s16(0)" && enable intrinsics_neon check_ldflags -Wl,--as-needed +check_ldflags -Wl,-z,noexecstack if check_func dlopen; then ldl= From 1d987a34d8b509e5de358805f34d46f873555370 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Sep 2014 22:27:33 +0200 Subject: [PATCH 0061/1352] avformat/hlsenc: export inner muxer timebase Fixes "Non-monotonous DTS in output stream 0:0" Fies Ticket 3797 Signed-off-by: Michael Niedermayer (cherry picked from commit b1a0fccd023d9261274a92ec9482da03c4aa82fa) Conflicts: libavformat/hlsenc.c Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 11f1e5be42..cc142fa474 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -22,6 +22,7 @@ #include #include +#include "libavutil/avassert.h" #include "libavutil/mathematics.h" #include "libavutil/parseutils.h" #include "libavutil/avstring.h" 
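Review bot: The new `check_ldflags -Wl,-z,noexecstack` line in configure has no comment saying what it protects. With GNU ld this option marks the linked output as not needing an executable stack, whatever the individual objects request. An object that previously caused an executable stack, for example assembly without a stack note, is therefore overridden silently rather than reported. A comment such as `# mark the stack non-executable even if some object lacks a .note.GNU-stack section` would record the intent. The result can be confirmed on a built library by checking that the GNU_STACK program header has no execute flag.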
@@ -251,6 +252,12 @@ static int hls_write_header(AVFormatContext *s) if ((ret = avformat_write_header(hls->avf, NULL)) < 0) goto fail; + av_assert0(s->nb_streams == hls->avf->nb_streams); + for (i = 0; i < s->nb_streams; i++) { + AVStream *inner_st = hls->avf->streams[i]; + AVStream *outter_st = s->streams[i]; + avpriv_set_pts_info(outter_st, inner_st->pts_wrap_bits, inner_st->time_base.num, inner_st->time_base.den); + } fail: if (ret) { From b29f9897e329c70b430e3b527c82a2ddd2d08d88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Oct 2014 23:17:21 +0200 Subject: [PATCH 0062/1352] avcodec/jpeglsdec: Check run value more completely in ls_decode_line() previously it could have been by 1 too large Fixes out of array access Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8c1e3.jls Fixes: asan_heap-oob_12240f5_1_asan_heap-oob_12240f5_448_t8nde0.jls Fixes: asan_heap-oob_12240fa_1_asan_heap-oob_12240fa_448_t16e3.jls Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 06e7d58410a17dc72c30ee7f3145fcacc425f4f2) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index fb3762dad0..bb8c264ae0 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -269,6 +269,11 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, x += stride; } + if (x >= w) { + av_log(NULL, AV_LOG_ERROR, "run overflow\n"); + return; + } + /* decode run termination value */ Rb = R(last, x); RItype = (FFABS(Ra - Rb) <= state->near) ? 1 : 0; From 6f5c5051096a842d49b8ae3b10462a6098d4b890 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 3 Oct 2014 01:50:27 +0200 Subject: [PATCH 0063/1352] avcodec/mjpegdec: check bits per pixel for changes similar to dimensions Fixes out of array accesses Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5c378d6a6df8243f06c87962b873bd563e58cd39) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 4d17c5ff31..89666729ca 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -244,7 +244,7 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, pix_fmt_id, ret; + int len, nb_components, i, width, height, bits, pix_fmt_id, ret; int h_count[MAX_COMPONENTS]; int v_count[MAX_COMPONENTS]; @@ -254,11 +254,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); s->avctx->bits_per_raw_sample = - s->bits = get_bits(&s->gb, 8); + bits = get_bits(&s->gb, 8); if (s->pegasus_rct) - s->bits = 9; - if (s->bits == 9 && !s->pegasus_rct) + bits = 9; + if (bits == 9 && !s->pegasus_rct) s->rct = 1; // FIXME ugly if(s->lossless && s->avctx->lowres){ @@ -291,7 +291,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) return AVERROR_INVALIDDATA; } } - if (s->ls && !(s->bits <= 8 || nb_components == 1)) { + if (s->ls && !(bits <= 8 || nb_components == 1)) { avpriv_report_missing_feature(s->avctx, "JPEG-LS that is not <= 8 " "bits/component or 16-bit gray"); 
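Review bot: In ff_mjpeg_decode_sof() (hunk at -254 in libavcodec/mjpegdec.c) the precision byte read into `bits` is compared with `s->bits` later but is not range-checked anywhere in the visible hunks. Any value from 0 to 255 can therefore reach `s->bits` once the reallocation branch runs. If no check exists further down, one right after the read would close that, `if (bits < 1 || bits > 16) return AVERROR_INVALIDDATA;`. The same statement still assigns the raw stream value to `s->avctx->bits_per_raw_sample` before the `pegasus_rct` override to 9, so the two fields can disagree; whether that is intended should be stated in a comment. The existing `/* XXX: verify len field validity */` marker above it is also still open.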
@@ -337,11 +337,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* if different size, realloc/alloc picture */ if ( width != s->width || height != s->height + || bits != s->bits || memcmp(s->h_count, h_count, sizeof(h_count)) || memcmp(s->v_count, v_count, sizeof(v_count))) { s->width = width; s->height = height; + s->bits = bits; memcpy(s->h_count, h_count, sizeof(h_count)); memcpy(s->v_count, v_count, sizeof(v_count)); s->interlaced = 0; From f7c0f8355e5d3a2a5749676d32aec6ea437da984 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 04:30:58 +0200 Subject: [PATCH 0064/1352] avcodec/utils: Add case for jv to avcodec_align_dimensions2() Fixes out of array accesses Fixes: asan_heap-oob_12304aa_8_asan_heap-oob_4da4f3_300_intro.jv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 105654e376a736d243aef4a1d121abebce912e6b) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 397819297d..07874c238f 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -387,6 +387,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_JV) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || From 853a27e345f40d034bc8f66b519973b958183300 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 12:32:21 +0200 Subject: [PATCH 0065/1352] avcodec/h263dec: Fix decoding messenger.h263 Fixes http://samples.mplayerhq.hu/V-codecs/h263/h263-raw/messenger.h263 Fixes regression since b239f3f6 Found-by: Josh Allmann Signed-off-by: Michael Niedermayer (cherry picked from commit d225b0f7aaa65eafccc87165130e1c4bab71708b) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
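Review bot: The JV case added to avcodec_align_dimensions2() (libavcodec/utils.c) sets both alignments to 8 without saying why. The commit message only says it fixes out-of-array accesses. A comment on the new block, e.g. `/* JV writes whole 8x8 blocks, so the buffer must cover the padded size */` (the block size should be confirmed against the decoder), would explain the value and keep it in step with the decoder if that changes. The enclosing `case` label is outside the hunk.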
diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index b39a63bfa9..e5870faa29 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -336,6 +336,14 @@ static int decode_slice(MpegEncContext *s) s->padding_bug_score += 32; } + if (s->codec_id == AV_CODEC_ID_H263 && + (s->workaround_bugs & FF_BUG_AUTODETECT) && + get_bits_left(&s->gb) >= 64 && + AV_RB64(s->gb.buffer_end - 8) == 0xCDCDCDCDFC7F0000) { + + s->padding_bug_score += 32; + } + if (s->workaround_bugs & FF_BUG_AUTODETECT) { if (s->padding_bug_score > -2 && !s->data_partitioning) s->workaround_bugs |= FF_BUG_NO_PADDING; From 03d30d4c2c4d622ffd8b5603e6c41a7ca1151245 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 14:45:04 +0200 Subject: [PATCH 0066/1352] avcodec/mmvideo: Bounds check 2nd line of HHV Intra blocks Fixes out of array access Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e) Signed-off-by: Michael Niedermayer --- libavcodec/mmvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 026d4630ae..9ff6393aec 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -109,7 +109,7 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) if (color) { memset(s->frame->data[0] + y*s->frame->linesize[0] + x, color, run_length); - if (half_vert) + if (half_vert && y + half_vert < s->avctx->height) memset(s->frame->data[0] + (y+1)*s->frame->linesize[0] + x, color, run_length); } x+= run_length; From f6476944e1a70e1639ad45791cf94972e66ae5bb Mon Sep 17 00:00:00 2001 
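Review bot: The constant `0xCDCDCDCDFC7F0000` in the new decode_slice() check (libavcodec/h263dec.c) is unexplained. A reader cannot tell that it is a trailer pattern tied to one sample rather than part of the bitstream syntax. A named constant or a comment would record that, e.g. `/* trailing bytes found in messenger.h263; treat as a sign of missing padding */`. It is also worth saying in the comment that the `get_bits_left(&s->gb) >= 64` test is what keeps `s->gb.buffer_end - 8` inside the buffer, so the two conditions are not reordered or separated later. The function body starts and ends outside the hunk.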
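Review bot: In mm_decode_intra() (libavcodec/mmvideo.c) the new bound tests `y + half_vert` while the guarded memset writes row `y+1`. The two agree only if `half_vert` is always 0 or 1, which the hunk does not show. Writing the test against the row actually written removes that assumption: `if (half_vert && y + 1 < s->avctx->height)`. The horizontal extent `x + run_length` is not checked in the visible lines; presumably that happens above the hunk.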
From: Michael Niedermayer Date: Fri, 3 Oct 2014 16:08:32 +0200 Subject: [PATCH 0067/1352] avcodec/tiff: more completely check bpp/bppcount Fixes pixel format selection Fixes out of array accesses Fixes: asan_heap-oob_1766029_6_asan_heap-oob_20aa045_332_cov_1823216757_m2-d1d366d7965db766c19a66c7a2ccbb6b.tif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 0352639d2f..4cb6668efb 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -812,13 +812,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->height = value; break; case TIFF_BPP: - s->bppcount = count; - if (count > 4) { + if (count > 4U) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", - s->bpp, count); + value, count); return AVERROR_INVALIDDATA; } + s->bppcount = count; if (count == 1) s->bpp = value; else { @@ -836,6 +836,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->bpp = -1; } } + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } break; case TIFF_SAMPLES_PER_PIXEL: if (count != 1) { From 4b4ed88e892007626fb969611ef926d30ccc8b46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:54:21 +0200 Subject: [PATCH 0068/1352] avcodec/pngdec: Calculate MPNG bytewidth more defensively Signed-off-by: Michael Niedermayer (cherry picked from commit e830902934a29df05c7af65aef2a480b15f572c4) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index da91aab7cb..2cd6796b92 100644 
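Review bot: On the new `s->bpp > 64U` rejection path in tiff_decode_tag() (libavcodec/tiff.c) `s->bpp` is reset to 0 but `s->bppcount` keeps the `count` assigned earlier in the same case. The context is then left with a component count and no depth if a caller carries on after the error. Resetting both keeps the state consistent, `s->bpp = 0; s->bppcount = 0;` (hedged: whether later code reads `bppcount` after a failure is not visible here). The `4U` and `64U` comparisons rely on unsigned conversion to reject negative values as well, assuming `count` and `s->bpp` are signed as the `%d` format suggests. A short comment such as `/* unsigned compare also rejects negative values */` would keep the suffix from being removed as noise.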
--- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -860,10 +860,11 @@ exit_loop: int i, j; uint8_t *pd = p->data[0]; uint8_t *pd_last = s->last_picture.f->data[0]; + int ls = FFMIN(av_image_get_linesize(p->format, s->width, 0), s->width * s->bpp); ff_thread_await_progress(&s->last_picture, INT_MAX, 0); for (j = 0; j < s->height; j++) { - for (i = 0; i < s->width * s->bpp; i++) + for (i = 0; i < ls; i++) pd[i] += pd_last[i]; pd += s->image_linesize; pd_last += s->image_linesize; From d9bef14e41a49b3ea2be407d02f0fe8d4c4a92eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 17:35:58 +0200 Subject: [PATCH 0069/1352] avcodec/pngdec: Check bits per pixel before setting monoblack pixel format Fixes out of array accesses Fixes: asan_heap-oob_14dbfcf_4_asan_heap-oob_1ce5767_179_add_method_small.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 2cd6796b92..835d962180 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -650,7 +650,7 @@ static int decode_frame(AVCodecContext *avctx, } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) && s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (s->bit_depth == 1) { + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOBLACK; } else if (s->bit_depth == 8 && s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { From 71f0a3c4adcf86303ed53696a70bb7398ae63c69 Mon Sep 17 00:00:00 2001 
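Review bot: The new `ls` in the MPNG branch of libavcodec/pngdec.c (hunk at -860) takes `FFMIN()` of `av_image_get_linesize()` and `s->width * s->bpp`, but `av_image_get_linesize()` returns a negative error code on failure. In that case `ls` is negative, the inner loop runs zero times, and the frame is returned without the delta applied and without any diagnostic. Checking the result before the loop and taking the function's error path would make that visible; the cleanup label to use is outside the hunk. A comment on the declaration, e.g. `/* never add more bytes per row than the frame buffer holds */`, would also state what the clamp protects.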
From: Michael Niedermayer Date: Fri, 3 Oct 2014 19:33:01 +0200 Subject: [PATCH 0070/1352] avcodec/cinepak: fix integer underflow Fixes out of array access Fixes: asan_heap-oob_4da0ba_6_asan_heap-oob_4da0ba_241_cvid_crash.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e7e5114c506957f40aafd794e06de1a7e341e9d5) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 4746289b76..f651c489bf 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -135,7 +135,7 @@ static int cinepak_decode_vectors (CinepakContext *s, cvid_strip *strip, const uint8_t *eod = (data + size); uint32_t flag, mask; uint8_t *cb0, *cb1, *cb2, *cb3; - unsigned int x, y; + int x, y; char *ip0, *ip1, *ip2, *ip3; flag = 0; From 7f90eef87ac84c617b102b689eb68e7cb140167b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 20:15:52 +0200 Subject: [PATCH 0071/1352] avcodec/gifdec: factorize interleave end handling out also change it to a loop Fixes out of array access Fixes: asan_heap-oob_ca5410_8_asan_heap-oob_ca5410_97_ID_LSD_Size_Less_Then_Data_Inter_3.gif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f1457864be8fb9653643519dea1c6492f1dde57) Signed-off-by: Michael Niedermayer --- libavcodec/gifdec.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index dee48f56af..90de38b2e5 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c 
@@ -271,26 +271,21 @@ static int gif_read_image(GifState *s, AVFrame *frame) case 1: y1 += 8; ptr += linesize * 8; - if (y1 >= height) { - y1 = pass ? 2 : 4; - ptr = ptr1 + linesize * y1; - pass++; - } break; case 2: y1 += 4; ptr += linesize * 4; - if (y1 >= height) { - y1 = 1; - ptr = ptr1 + linesize; - pass++; - } break; case 3: y1 += 2; ptr += linesize * 2; break; } + while (y1 >= height) { + y1 = 4 >> pass; + ptr = ptr1 + linesize * y1; + pass++; + } } else { ptr += linesize; } From b89f279cd6244b207ad9142ec4f8c757a909b77c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 21:08:52 +0200 Subject: [PATCH 0072/1352] avcodec/qpeg: fix off by 1 error in MV bounds check Fixes out of array access Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dd3bfe3cc1ca26d0fff3a3baf61a40207032143f) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 94cb5bd0b6..d61bceafd7 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -163,7 +163,7 @@ static void av_noinline qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, /* check motion vector */ if ((me_x + filled < 0) || (me_x + me_w + filled > width) || - (height - me_y - me_h < 0) || (height - me_y > orig_height) || + (height - me_y - me_h < 0) || (height - me_y >= orig_height) || (filled + me_w > width) || (height - me_h < 0)) av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", me_x, me_y, me_w, me_h, filled, height); From c0c24bc9b32419c7883a344c74a6779374a3c16a Mon Sep 17 00:00:00 2001 
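Review bot: The new `while (y1 >= height)` loop in `gif_read_image` terminates only because `4 >> pass` reaches 0 at `pass == 3`, which in turn requires `height > 0`. If `height` can be 0 here (its validation is outside the hunk), the loop keeps incrementing `pass` until `4 >> pass` shifts by the width of `int` or more, which is undefined behaviour. Bounding the loop, for example `while (y1 >= height && pass < 4) {`, makes termination independent of that outside check. A short comment giving the interlace start rows 4, 2, 1 would also explain the shift.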
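Review bot: The motion-vector check in `qpeg_decode_inter` now mixes `>` for the right edge with `>=` for `orig_height`, and nothing says why the two bounds differ, which is how the off-by-one got in. A comment on the condition, e.g. `/* height counts down from orig_height - 1, so height - me_y == orig_height is already one row past the frame */`, would help if that matches how `height` is initialised outside the hunk. The message is also logged with `av_log(NULL, ...)`, which drops the decoder context from the log line. What happens to the block after the log call is not visible here.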
From: Michael Niedermayer Date: Fri, 3 Oct 2014 22:50:45 +0200 Subject: [PATCH 0073/1352] avcodec/smc: fix off by 1 error Fixes out of array access Fixes: asan_heap-oob_1685bf0_5_asan_heap-oob_1f35116_430_smc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c727401aa9d62335e89d118a5b4e202edf39d905) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 4bfa4a8622..01271b308c 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -70,7 +70,7 @@ typedef struct SmcContext { row_ptr += stride * 4; \ } \ total_blocks--; \ - if (total_blocks < 0) \ + if (total_blocks < 0 + !!n_blocks) \ { \ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ return; \ From 506368f563b80a1b3663d31194171b00fdbf4bed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 00:13:26 +0200 Subject: [PATCH 0074/1352] avcodec/svq3: Dont memcpy AVFrame This avoids out of array accesses Fixes: asan_heap-uaf_21f42e4_9_asan_heap-uaf_21f42e4_278_gl2.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 075a165d2715837d125a9cc714fb430ccf6c9d6b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 97233b19d6..9459329058 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1176,7 +1176,7 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, h->cur_pic_ptr = s->cur_pic; av_frame_unref(&h->cur_pic.f); - h->cur_pic = *s->cur_pic; + memcpy(&h->cur_pic.tf, &s->cur_pic->tf, sizeof(h->cur_pic) - offsetof(H264Picture, tf)); ret = av_frame_ref(&h->cur_pic.f, &s->cur_pic->f); if (ret < 0) return ret; From a16558e12204e5ae4597d5d384bbfca293fe74cb Mon Sep 17 00:00:00 2001 
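Review bot: The condition `total_blocks < 0 + !!n_blocks` in the block-advance macro of libavcodec/smc.c is hard to read and depends on a variable `n_blocks` that the macro picks up from whatever scope expands it. Writing it as `if (total_blocks < !!n_blocks)` with a comment like `/* blocks are still pending, so the counter must stay above zero */` states the intent. The log text still says the counter "just went negative", which is no longer true when the check fires at `total_blocks == 0`. The macro begins before this hunk, so its other uses of `n_blocks` are not visible.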
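Review bot: The `memcpy` in `svq3_decode_frame` depends on struct layout: it copies from `tf` to the end of `h->cur_pic`, so it is only correct while the embedded `f` is the sole member placed before `tf` in `H264Picture`. Nothing enforces that, and a new field added ahead of `tf` would silently be left stale. A comment at the call, e.g. `/* copy everything except the AVFrame f, which is re-referenced below; relies on f being the only member before tf */`, would document the assumption. The copy is also shallow, so any pointers in the copied tail are shared with `*s->cur_pic`; whether that is safe depends on code outside the hunk.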
From: Thomas Volkert Date: Sat, 4 Oct 2014 00:17:01 +0200 Subject: [PATCH 0075/1352] sdp: add support for H.261 Signed-off-by: Michael Niedermayer (cherry picked from commit 1c4c78ee4073b2387681d916a167b758369b9216) Conflicts: libavformat/version.h --- libavformat/sdp.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 8c831f3607..bc27eae872 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -414,6 +414,19 @@ static char *sdp_write_media_attributes(char *buff, int size, AVCodecContext *c, payload_type, mode, config ? config : ""); break; } + case AV_CODEC_ID_H261: + { + const char *pic_fmt = NULL; + /* only QCIF and CIF are specified as supported in RFC 4587 */ + if (c->width == 176 && c->height == 144) + pic_fmt = "QCIF=1"; + if (c->width == 352 && c->height == 288) + pic_fmt = "CIF=1"; + av_strlcatf(buff, size, "a=rtpmap:%d H261/90000\r\n", payload_type); + if (pic_fmt) + av_strlcatf(buff, size, "a=fmtp:%d %s\r\n", payload_type, pic_fmt); + break; + } case AV_CODEC_ID_H263: case AV_CODEC_ID_H263P: /* a=framesize is required by 3GPP TS 26.234 (PSS). It From eefc3ca7bed6c389e2c78c4244ee2a41d25b8963 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 03:12:34 +0200 Subject: [PATCH 0076/1352] avcodec/vorbisdec: Fix off by 1 error in ptns_to_read Fixes read of uninitialized memory Fixes: asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8c50704ebf1777bee76772c4835d9760b3721057) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 87d1bbb97a..354ab0e466 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
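Review bot: For any resolution other than 176x144 or 352x288, the new `AV_CODEC_ID_H261` case in `sdp_write_media_attributes` still writes the `a=rtpmap` line and silently omits `a=fmtp`, although the comment above says only QCIF and CIF are specified. A warning on that path would tell the user the SDP describes a stream receivers may not accept, e.g. `av_log(c, AV_LOG_WARNING, "H.261 RTP payload only specifies QCIF and CIF\n");` when `pic_fmt` stays NULL. The two size tests are mutually exclusive, so the second reads better as `else if`.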
@@ -1314,7 +1314,9 @@ static av_always_inline int setup_classifs(vorbis_context *vc, vorbis_residue *vr, uint8_t *do_not_decode, unsigned ch_used, - int partition_count) + int partition_count, + int ptns_to_read + ) { int p, j, i; unsigned c_p_c = vc->codebooks[vr->classbook].dimensions; @@ -1336,7 +1338,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc, for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { temp2 = (((uint64_t)temp) * inverse_class) >> 32; - if (i < vr->ptns_to_read) + if (i < ptns_to_read) vr->classifs[p + i] = temp - temp2 * vr->classifications; temp = temp2; } @@ -1344,13 +1346,13 @@ static av_always_inline int setup_classifs(vorbis_context *vc, for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { temp2 = temp / vr->classifications; - if (i < vr->ptns_to_read) + if (i < ptns_to_read) vr->classifs[p + i] = temp - temp2 * vr->classifications; temp = temp2; } } } - p += vr->ptns_to_read; + p += ptns_to_read; } return 0; } @@ -1404,7 +1406,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error if (!pass) { int ret; - if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count)) < 0) + if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count, ptns_to_read)) < 0) return ret; } for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) { From 32dbd1f3428b7d071e5d05c19b79c56e59bacdbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 04:29:40 +0200 Subject: [PATCH 0077/1352] avformat/mpegts: Check desc_len / get8() return code Fixes out of array read Fixes: signal_sigsegv_844d59_10_signal_sigsegv_a17bb7_366_mpegts_mpeg2video_mp2_dvbsub_topfield.rec Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c3d7f00ee3e09801f56f25db8b5961f25e842bd2) 
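Review bot: `setup_classifs` now bounds its writes to `vr->classifs[p + i]` and advances `p` with the caller's `ptns_to_read` instead of `vr->ptns_to_read`, so it is only safe while the passed value never exceeds the one `vr->classifs` was allocated for. That invariant is not stated or checked in any of the four hunks. A comment on the new parameter, e.g. `/* partitions to read for this call; must be <= vr->ptns_to_read */`, or an assertion at the top of the function would record it. The parameter name also shadows the struct field it replaces, and the closing `)` left on its own line is unlike the rest of the signature.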
Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 2252b44949..a6b966b779 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1994,7 +1994,7 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len break; desc_len = get8(&p, desc_list_end); desc_end = p + desc_len; - if (desc_end > desc_list_end) + if (desc_len < 0 || desc_end > desc_list_end) break; av_dlog(ts->stream, "tag: 0x%02x len=%d\n", From 32e8922faf2e86d6db1900eb6ab9a0ad0c1542d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 05:14:08 +0200 Subject: [PATCH 0078/1352] avformat/mpegts: use a padded buffer in read_sl_header() Fixes overread Fixes: asan_heap-oob_84f75d_8_asan_heap-oob_a2a00a_341_mbc.ts Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 27f6da292118850ca7900de64d06b56e0ebb5070) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index a6b966b779..88082692b1 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -858,8 +858,12 @@ static int read_sl_header(PESContext *pes, SLConfigDescr *sl, int padding_flag = 0, padding_bits = 0, inst_bitrate_flag = 0; int dts_flag = -1, cts_flag = -1; int64_t dts = AV_NOPTS_VALUE, cts = AV_NOPTS_VALUE; + uint8_t buf_padded[128 + FF_INPUT_BUFFER_PADDING_SIZE]; + int buf_padded_size = FFMIN(buf_size, sizeof(buf_padded) - FF_INPUT_BUFFER_PADDING_SIZE); - init_get_bits(&gb, buf, buf_size * 8); + memcpy(buf_padded, buf, buf_padded_size); + + init_get_bits(&gb, buf_padded, buf_padded_size * 8); if (sl->use_au_start) au_start_flag = get_bits1(&gb); From 67991f3a3e5a5cfca9e049a6af0ad8b7325e55b7 Mon Sep 17 00:00:00 2001 
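Review bot: In the `sdt_cb` hunk, `desc_end = p + desc_len` is still computed before `desc_len` is validated, so the pointer is formed from a negative or oversized length and only then compared. Forming a pointer beyond one past the end of the section buffer is undefined behaviour, even though it is never dereferenced. Checking the length against the remaining space first avoids that: `if (desc_len < 0 || desc_len > desc_list_end - p) break;` followed by `desc_end = p + desc_len;`. The loop this sits in starts and ends outside the hunk.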
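Review bot: In the `read_sl_header` hunk, the padding bytes of `buf_padded` are never initialised, so any overread by the bit reader now returns stale stack contents instead of running off the caller's buffer. Zeroing the tail, e.g. `memset(buf_padded + buf_padded_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);`, makes it deterministic. `FFMIN(buf_size, sizeof(buf_padded) - ...)` also mixes `int` with `size_t`, so a negative `buf_size` would convert to a large unsigned value and select the full 128 bytes for the `memcpy`; whether `buf_size` can be negative is decided outside the hunk. Headers longer than 128 bytes are silently truncated, which deserves a comment.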
From: Michael Niedermayer Date: Sat, 4 Oct 2014 14:51:46 +0200 Subject: [PATCH 0079/1352] avcodec/h264: Check mode before considering mixed mode intra prediction Fixes out of array read Fixes: asan_heap-oob_e476fc_2_asan_heap-oob_1333ec6_61_CAMACI3_Sony_C.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9734a7a1de3043f012ad0f1ef11027d9488067e6) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 69fb047d5a..c4f4b052ff 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -215,18 +215,18 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma) if ((h->left_samples_available & 0x8080) != 0x8080) { mode = left[mode]; - if (is_chroma && (h->left_samples_available & 0x8080)) { - // mad cow disease mode, aka MBAFF + constrained_intra_pred - mode = ALZHEIMER_DC_L0T_PRED8x8 + - (!(h->left_samples_available & 0x8000)) + - 2 * (mode == DC_128_PRED8x8); - } if (mode < 0) { av_log(h->avctx, AV_LOG_ERROR, "left block unavailable for requested intra mode at %d %d\n", h->mb_x, h->mb_y); return AVERROR_INVALIDDATA; } + if (is_chroma && (h->left_samples_available & 0x8080)) { + // mad cow disease mode, aka MBAFF + constrained_intra_pred + mode = ALZHEIMER_DC_L0T_PRED8x8 + + (!(h->left_samples_available & 0x8000)) + + 2 * (mode == DC_128_PRED8x8); + } } return mode; From 1d99adc95317d0e671d479a7643c706408736552 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 16:17:32 +0200 Subject: [PATCH 0080/1352] avcodec/hevc: fix chroma transform_add size Fixes accessing misaligned address Fixes: signal_sigsegv_1feb99c_10_signal_sigsegv_2d1d35c_79_cov_691940146_EXT_A_ericsson_3.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit df8394c693d3c1e13b7ebf6af01c5e55321cf952) 
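Review bot: The reordering in `ff_h264_check_intra_pred_mode` is correct only because the `mode < 0` test now runs before the MBAFF override, and nothing in the code says that order is required. A comment above the moved block, e.g. `/* must come after the mode < 0 check: the override below would replace an invalid mode with a valid-looking one */`, would keep a later refactor from swapping them back. The lookup `left[mode]` relies on a range check of `mode` that is outside the hunk.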
Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 5fc7324862..309b3854e9 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -981,7 +981,7 @@ static int hls_transform_unit(HEVCContext *s, int x0, int y0, for (i = 0; i < (size * size); i++) { coeffs[i] = ((lc->tu.res_scale_val * coeffs_y[i]) >> 3); } - s->hevcdsp.transform_add[log2_trafo_size-2](dst, coeffs, stride); + s->hevcdsp.transform_add[log2_trafo_size_c-2](dst, coeffs, stride); } } @@ -1010,7 +1010,7 @@ static int hls_transform_unit(HEVCContext *s, int x0, int y0, for (i = 0; i < (size * size); i++) { coeffs[i] = ((lc->tu.res_scale_val * coeffs_y[i]) >> 3); } - s->hevcdsp.transform_add[log2_trafo_size-2](dst, coeffs, stride); + s->hevcdsp.transform_add[log2_trafo_size_c-2](dst, coeffs, stride); } } } else if (blk_idx == 3) { From 84d26ab6eb07e22ad6ffcd8109ca1d1a0cd57bce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 22:15:07 +0200 Subject: [PATCH 0081/1352] avcodec/on2avc: Check number of channels Fixes out of array access Fixes: asan_heap-oob_4da4f3_7_asan_heap-oob_4da4f3_173_Xmen_avc_500.vp6 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 550f3e9df3410b3dd975e590042c0d83e20a8da3) Signed-off-by: Michael Niedermayer --- libavcodec/on2avc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index ab6048b63e..e5e7cc3879 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c 
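Review bot: Neither hunk in `hls_transform_unit` shows a lower bound on the new table index `log2_trafo_size_c-2`. With subsampled chroma, `log2_trafo_size_c` is presumably smaller than `log2_trafo_size`, so the index could go negative unless a guard above these lines excludes the smallest transform size. If that guard exists, a comment such as `/* log2_trafo_size_c >= 2 here, see the condition above */` would make the bound visible; otherwise an explicit check is needed. The same applies to both call sites.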
@@ -908,6 +908,11 @@ static av_cold int on2avc_decode_init(AVCodecContext *avctx) On2AVCContext *c = avctx->priv_data; int i; + if (avctx->channels > 2U) { + avpriv_request_sample(avctx, "Decoding more than 2 channels"); + return AVERROR_PATCHWELCOME; + } + c->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; avctx->channel_layout = (avctx->channels == 2) ? AV_CH_LAYOUT_STEREO From 09256527be47cc2b39d84aadfc74b8e51125f6a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Oct 2014 00:33:48 +0200 Subject: [PATCH 0082/1352] Update for 2.4.2 Signed-off-by: Michael Niedermayer --- Changelog | 37 +++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 39 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 7512496c03..8a6826a99c 100644 --- a/Changelog +++ b/Changelog 
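Review bot: The check `avctx->channels > 2U` in `on2avc_decode_init` rejects negative values only through the implicit unsigned conversion, and it still lets `channels == 0` through to the layout selection below. A negative or zero count is invalid input rather than a missing feature, so it would read better as a separate test returning `AVERROR(EINVAL)`, leaving `AVERROR_PATCHWELCOME` for counts above 2. If the unsigned comparison is kept, it needs a comment, e.g. `/* unsigned compare also rejects negative channel counts */`. Whether zero channels is harmful later in the decoder is not visible from this hunk.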
@@ -3,6 +3,43 @@ releases are sorted from youngest to oldest. version : +version 2.4.2: +- avcodec/on2avc: Check number of channels +- avcodec/hevc: fix chroma transform_add size +- avcodec/h264: Check mode before considering mixed mode intra prediction +- avformat/mpegts: use a padded buffer in read_sl_header() +- avformat/mpegts: Check desc_len / get8() return code +- avcodec/vorbisdec: Fix off by 1 error in ptns_to_read +- sdp: add support for H.261 +- avcodec/svq3: Do not memcpy AVFrame +- avcodec/smc: fix off by 1 error +- avcodec/qpeg: fix off by 1 error in MV bounds check +- avcodec/gifdec: factorize interleave end handling out +- avcodec/cinepak: fix integer underflow +- avcodec/pngdec: Check bits per pixel before setting monoblack pixel format +- avcodec/pngdec: Calculate MPNG bytewidth more defensively +- avcodec/tiff: more completely check bpp/bppcount +- avcodec/mmvideo: Bounds check 2nd line of HHV Intra blocks +- avcodec/h263dec: Fix decoding messenger.h263 +- avcodec/utils: Add case for jv to avcodec_align_dimensions2() +- avcodec/mjpegdec: check bits per pixel for changes similar to dimensions +- avcodec/jpeglsdec: Check run value more completely in ls_decode_line() +- avformat/hlsenc: export inner muxer timebase +- configure: add noexecstack to linker options if supported. 
+- avcodec/ac3enc_template: fix out of array read +- avutil/x86/cpu: fix cpuid sub-leaf selection +- avformat/img2dec: enable generic seeking for image pipes +- avformat/img2dec: initialize pkt->pos for image pipes +- avformat/img2dec: pass error code and signal EOF +- avformat/img2dec: fix error code at EOF for pipes +- libavutil/opt: fix av_opt_set_channel_layout() to access correct memory address +- tests/fate-run.sh: Cat .err file in case of error with V>0 +- avformat/riffenc: Filter out "BottomUp" in ff_put_bmp_header() +- avcodec/webp: fix default palette color 0xff000000 -> 0x00000000 +- avcodec/asvenc: fix AAN scaling +- Fix compile error on arm4/arm5 platform + + version 2.4.1: - swscale: Allow chroma samples to be above and to the left of luma samples - avcodec/libilbc: support for latest git of libilbc diff --git a/RELEASE b/RELEASE index 005119baaa..8e8299dcc0 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.1 +2.4.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index ff09b92c37..897859a981 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.1 +PROJECT_NUMBER = 2.4.2 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From b02e4faa3ef9384c7d6a307e518e6446b045fb98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Oct 2014 01:49:25 +0200 Subject: [PATCH 0083/1352] avformat/img2dec: Support -loop with pipes Fixes Ticket3976 Signed-off-by: Michael Niedermayer (cherry picked from commit 684508ba15ca15d5d43f67bbed483ce5b6617f10) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 70bef9d405..ee484f6029 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c 
@@ -421,6 +421,8 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) infer_size(&codec->width, &codec->height, size[0]); } else { f[0] = s1->pb; + if (avio_feof(f[0]) && s->loop && s->is_pipe) + avio_seek(f[0], 0, SEEK_SET); if (avio_feof(f[0])) return AVERROR_EOF; if (s->frame_size > 0) { @@ -457,6 +459,12 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) for (i = 0; i < 3; i++) { if (f[i]) { ret[i] = avio_read(f[i], pkt->data + pkt->size, size[i]); + if (s->loop && s->is_pipe && ret[i] == AVERROR_EOF) { + if (avio_seek(f[i], 0, SEEK_SET) >= 0) { + pkt->pos = 0; + ret[i] = avio_read(f[i], pkt->data + pkt->size, size[i]); + } + } if (!s->is_pipe) avio_close(f[i]); if (ret[i] > 0) From d61454e7c1de48f6a9059ca98f55e6beb52a618c Mon Sep 17 00:00:00 2001 From: Alexander Strasser Date: Sun, 5 Oct 2014 03:42:32 +0200 Subject: [PATCH 0084/1352] avformat/img2dec: Attempt to detect non-escaped glob patterns too (-pattern_type glob) Fixes ticket #3948 Based-on-patch-by: Michael Niedermayer Signed-off-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit e079d43af86c38a0c0efb9bc6058e1316e6a18f4) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index ee484f6029..2969b51e32 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -162,6 +162,8 @@ static int img_read_probe(AVProbeData *p) return AVPROBE_SCORE_MAX; else if (is_glob(p->filename)) return AVPROBE_SCORE_MAX; + else if (p->filename[strcspn(p->filename, "*?{")]) // probably PT_GLOB + return AVPROBE_SCORE_EXTENSION + 2; // score chosen to be a tad above the image pipes else if (p->buf_size == 0) return 0; else if (av_match_ext(p->filename, "raw") || av_match_ext(p->filename, "gif")) From de31f857077a52714f3a2f2e92ac037d42d37769 Mon Sep 17 00:00:00 2001 
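Review bot: The two hunks in `ff_img_read_packet` handle the rewind inconsistently: the first ignores the result of `avio_seek(f[0], 0, SEEK_SET)`, while the retry in the second checks `>= 0`. Pipes are commonly not seekable, so failure is the expected case, and the first site only works because the following `avio_feof()` test presumably still reports EOF afterwards. Checking the return value there too, and returning `AVERROR_EOF` on failure, would make that explicit. In the second hunk `pkt->pos = 0` is set inside the per-plane loop, which is harmless but reads as if it applied to one plane only.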
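Review bot: The new probe branch in `img_read_probe` treats any `*`, `?` or `{` in the filename as a likely glob, but `?` is also the query-string separator in URLs and all three are legal in ordinary file names. Such inputs now score `AVPROBE_SCORE_EXTENSION + 2` for the image2 demuxer whatever their content, which can change which demuxer opens an untrusted URL. If the enclosing condition (outside the hunk) does not already restrict this to local paths, the heuristic should skip names that carry a protocol prefix. The `+ 2` would read better as a named constant next to the pipe demuxers' score.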
From: Anton Khirnov Date: Mon, 29 Sep 2014 16:16:50 +0000 Subject: [PATCH 0085/1352] hevc_mvs: initialize the temporal MV in case of missing ref The caller expects the MV to always be initialized. --- libavcodec/hevc_mvs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_mvs.c b/libavcodec/hevc_mvs.c index a611b762f1..8b172a268d 100644 --- a/libavcodec/hevc_mvs.c +++ b/libavcodec/hevc_mvs.c @@ -257,8 +257,10 @@ static int temporal_luma_motion_vector(HEVCContext *s, int x0, int y0, HEVCFrame *ref = s->ref->collocated_ref; - if (!ref) + if (!ref) { + memset(mvLXCol, 0, sizeof(*mvLXCol)); return 0; + } tab_mvf = ref->tab_mvf; colPic = ref->poc; From 0b41eeac45fb7f7ad6d3f4fc846b00d108824b0b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 29 Sep 2014 16:25:14 +0000 Subject: [PATCH 0086/1352] hevc_mvs: make sure to always initialize the temporal MV fully The spec requires this. Fixes uninitialized reads on some samples. Remove now unnecessary initialization of the whole merge candidate list. --- libavcodec/hevc_mvs.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/libavcodec/hevc_mvs.c b/libavcodec/hevc_mvs.c index 8b172a268d..721eb3af41 100644 --- a/libavcodec/hevc_mvs.c +++ b/libavcodec/hevc_mvs.c 
@@ -481,14 +481,10 @@ static void derive_spatial_merge_candidates(HEVCContext *s, int x0, int y0, mergecandlist[nb_merge_cand].is_intra = 0; mergecandlist[nb_merge_cand].pred_flag[0] = available_l0; mergecandlist[nb_merge_cand].pred_flag[1] = available_l1; - if (available_l0) { - mergecandlist[nb_merge_cand].mv[0] = mv_l0_col; - mergecandlist[nb_merge_cand].ref_idx[0] = 0; - } - if (available_l1) { - mergecandlist[nb_merge_cand].mv[1] = mv_l1_col; - mergecandlist[nb_merge_cand].ref_idx[1] = 0; - } + AV_ZERO16(mergecandlist[nb_merge_cand].ref_idx); + mergecandlist[nb_merge_cand].mv[0] = mv_l0_col; + mergecandlist[nb_merge_cand].mv[1] = mv_l1_col; + if (merge_idx == nb_merge_cand) return; nb_merge_cand++; @@ -558,8 +554,6 @@ void ff_hevc_luma_mv_merge_mode(HEVCContext *s, int x0, int y0, int nPbW, int nPbH2 = nPbH; HEVCLocalContext *lc = &s->HEVClc; - memset(mergecand_list, 0, MRG_MAX_NUM_CANDS * sizeof(*mergecand_list)); - if (s->pps->log2_parallel_merge_level > 2 && nCS == 8) { singleMCLFlag = 1; x0 = lc->cu.x; From e443165c323406d01da7e7930f042d265d01fb35 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Mon, 13 Oct 2014 15:42:28 +0100 Subject: [PATCH 0087/1352] imc: fix order of operations in coefficients read Reported-by: Ruoyu --- libavcodec/imc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index 41ca8c8ec8..500f56408d 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c 
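Review bot: With the whole-list `memset` removed from `ff_hevc_luma_mv_merge_mode`, the first hunk copies `mv_l0_col` and `mv_l1_col` into the candidate even when `available_l0` or `available_l1` is 0. That is only defined if `temporal_luma_motion_vector` writes its output on every return path; the only one visible is the `!ref` path in the preceding patch. `AV_ZERO16(...ref_idx)` also assumes `ref_idx` is exactly two bytes, which nothing here checks. A comment like `/* ref_idx is int8_t[2]; mv_lX_col is always written by temporal_luma_motion_vector() */` would record both assumptions, once confirmed against the struct and that function. Other writers of `mergecand_list` should be checked for fields that relied on the removed zeroing.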
@@ -873,14 +873,14 @@ static int imc_decode_block(AVCodecContext *avctx, IMCContext *q, int ch) flag = get_bits1(&q->gb); if (stream_format_code & 0x1) - imc_decode_level_coefficients_raw(q, chctx->levlCoeffBuf, - chctx->flcoeffs1, chctx->flcoeffs2); - else if (stream_format_code & 0x1) imc_read_level_coeffs_raw(q, stream_format_code, chctx->levlCoeffBuf); else imc_read_level_coeffs(q, stream_format_code, chctx->levlCoeffBuf); - if (stream_format_code & 0x4) + if (stream_format_code & 0x1) + imc_decode_level_coefficients_raw(q, chctx->levlCoeffBuf, + chctx->flcoeffs1, chctx->flcoeffs2); + else if (stream_format_code & 0x4) imc_decode_level_coefficients(q, chctx->levlCoeffBuf, chctx->flcoeffs1, chctx->flcoeffs2); else From ca8c62d187fdca13979379fb2ab172ed662aa2f8 Mon Sep 17 00:00:00 2001 From: "Timothy B. Terriberry" Date: Mon, 13 Oct 2014 17:46:00 -0700 Subject: [PATCH 0088/1352] resample: Avoid off-by-1 errors in PTS calcs. The rounding used in the PTS calculations in filter_frame() does not actually match the number of samples output by the resampler. This leads to off-by-1 errors in the timestamps indicating gaps and underruns, even when the input timestamps are all contiguous. Bug-Id: 753 Signed-off-by: Anton Khirnov (cherry picked from commit 6cbbf0592f4f3940aac7f687850d1b726a2ea836) Signed-off-by: Anton Khirnov --- libavfilter/af_resample.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_resample.c b/libavfilter/af_resample.c index bc8fd8a731..a59e6f8fd1 100644 --- a/libavfilter/af_resample.c +++ b/libavfilter/af_resample.c @@ -42,6 +42,7 @@ typedef struct ResampleContext { AVDictionary *options; int64_t next_pts; + int64_t next_in_pts; /* set by filter_frame() to signal an output frame to request_frame() */ int got_output; 
@@ -154,6 +155,7 @@ static int config_output(AVFilterLink *outlink) outlink->time_base = (AVRational){ 1, outlink->sample_rate }; s->next_pts = AV_NOPTS_VALUE; + s->next_in_pts = AV_NOPTS_VALUE; av_get_channel_layout_string(buf1, sizeof(buf1), -1, inlink ->channel_layout); @@ -255,7 +257,12 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } out->sample_rate = outlink->sample_rate; - if (in->pts != AV_NOPTS_VALUE) { + /* Only convert in->pts if there is a discontinuous jump. + This ensures that out->pts tracks the number of samples actually + output by the resampler in the absence of such a jump. + Otherwise, the rounding in av_rescale_q() and av_rescale() + causes off-by-1 errors. */ + if (in->pts != AV_NOPTS_VALUE && in->pts != s->next_in_pts) { out->pts = av_rescale_q(in->pts, inlink->time_base, outlink->time_base) - av_rescale(delay, outlink->sample_rate, @@ -264,6 +271,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) out->pts = s->next_pts; s->next_pts = out->pts + out->nb_samples; + s->next_in_pts = in->pts + in->nb_samples; ret = ff_filter_frame(outlink, out); s->got_output = 1; From 81b38caf21fc7e568ec0a874b9921c3c75cd460c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Oct 2014 01:08:20 +0200 Subject: [PATCH 0089/1352] swresample/swresample: fix sample drop loop end condition Fixes Ticket3985 Signed-off-by: Michael Niedermayer (cherry picked from commit f9fefa499f0af48f47ea73c8ce0b25df0976c315) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 32bbee3340..c325513efa 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -663,6 +663,8 @@ int swr_convert(struct SwrContext *s, uint8_t *out_arg[SWR_CH_MAX], int out_coun in_count = 0; if(ret>0) { s->drop_output -= ret; + if (!s->drop_output && !out_arg) + return 0; continue; } 
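Review bot: The continuity test `in->pts != s->next_in_pts` in `filter_frame` works only when input timestamps are counted in samples, because `next_in_pts` is computed as `in->pts + in->nb_samples` with no use of `inlink->time_base`. With any other input time base the two values never match except by coincidence, so the code falls back to rescaling every frame and the off-by-one returns unnoticed. Converting the sample count first, e.g. `in->pts + av_rescale_q(in->nb_samples, (AVRational){ 1, inlink->sample_rate }, inlink->time_base)`, keeps the test meaningful. The update of `next_in_pts` also runs when `in->pts` is `AV_NOPTS_VALUE`; a guard or comment would show that this is intended.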
From f3d34cff76819fe2514323bf7da6c446b0ce81ce Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Thu, 9 Oct 2014 23:27:38 +0200 Subject: [PATCH 0090/1352] utvideoenc: properly set slice height/last line Mimic decoder and obey sampling. Does not affect fate tests for utvideo. Fixes ticket #3949. Signed-off-by: Michael Niedermayer (cherry picked from commit cb530dda7d76790b08ee3b7f67e251f3ce48c359) Signed-off-by: Michael Niedermayer --- libavcodec/utvideoenc.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index cbd34d01fd..355fdb1b8d 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c @@ -389,7 +389,7 @@ static int write_huff_codes(uint8_t *src, uint8_t *dst, int dst_size, } static int encode_plane(AVCodecContext *avctx, uint8_t *src, - uint8_t *dst, int stride, + uint8_t *dst, int stride, int plane_no, int width, int height, PutByteContext *pb) { UtvideoContext *c = avctx->priv_data; @@ -399,6 +399,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, HuffEntry he[256]; uint32_t offset = 0, slice_len = 0; + const int cmask = ~(!plane_no && avctx->pix_fmt == AV_PIX_FMT_YUV420P); int i, sstart, send = 0; int symbol; int ret; @@ -408,7 +409,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, case PRED_NONE: for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; av_image_copy_plane(dst + sstart * width, width, src + sstart * stride, stride, width, send - sstart); @@ -417,7 +418,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, case PRED_LEFT: for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; left_predict(src + sstart * stride, dst + sstart * width, stride, width, send - sstart); } 
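Review bot: The slice-end expression `height * (i + 1) / c->slices & cmask` in `encode_plane` depends on `&` binding more loosely than `/`, and `cmask` is defined by a dense one-liner with no explanation. Parentheses and a comment would make both readable: `send = (height * (i + 1) / c->slices) & cmask;` and `/* luma of 4:2:0: keep slice ends on even rows so chroma slices line up */`. The same expression appears in all four slice loops of this patch (PRED_NONE, PRED_LEFT, PRED_MEDIAN and the Huffman pass). For the last slice the mask gives `height & ~1`, so an odd luma height would leave the final row unencoded unless odd heights are rejected outside these hunks.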
@@ -425,7 +426,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, case PRED_MEDIAN: for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; median_predict(c, src + sstart * stride, dst + sstart * width, stride, width, send - sstart); } @@ -489,7 +490,7 @@ static int encode_plane(AVCodecContext *avctx, uint8_t *src, send = 0; for (i = 0; i < c->slices; i++) { sstart = send; - send = height * (i + 1) / c->slices; + send = height * (i + 1) / c->slices & cmask; /* * Write the huffman codes to a buffer, @@ -571,7 +572,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_RGBA: for (i = 0; i < c->planes; i++) { ret = encode_plane(avctx, c->slice_buffer[i] + 2 * c->slice_stride, - c->slice_buffer[i], c->slice_stride, + c->slice_buffer[i], c->slice_stride, i, width, height, &pb); if (ret) { @@ -583,7 +584,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_YUV422P: for (i = 0; i < c->planes; i++) { ret = encode_plane(avctx, pic->data[i], c->slice_buffer[0], - pic->linesize[i], width >> !!i, height, &pb); + pic->linesize[i], i, width >> !!i, height, &pb); if (ret) { av_log(avctx, AV_LOG_ERROR, "Error encoding plane %d.\n", i); @@ -594,7 +595,7 @@ static int utvideo_encode_frame(AVCodecContext *avctx, AVPacket *pkt, case AV_PIX_FMT_YUV420P: for (i = 0; i < c->planes; i++) { ret = encode_plane(avctx, pic->data[i], c->slice_buffer[0], - pic->linesize[i], width >> !!i, height >> !!i, + pic->linesize[i], i, width >> !!i, height >> !!i, &pb); if (ret) { From 71af22097d33b9133265977a113bc732bf42ede5 Mon Sep 17 00:00:00 2001 From: Karl Kiniger Date: Sat, 11 Oct 2014 22:34:11 +0200 Subject: [PATCH 0091/1352] vf_drawtext: add missing clear of pointers after av_expr_free() Fixes segfault when using sendcmd with drawtext. Since LIBAVFILTER_VERSION_MAJOR 5 FF_API_DRAWTEXT_OLD_TIMELINE evaluates to 0. 
Signed-off-by: Karl Kiniger Signed-off-by: Michael Niedermayer (cherry picked from commit 903156aa8a352a5df34cd1e34c21b2193a447d5e) Signed-off-by: Michael Niedermayer --- libavfilter/vf_drawtext.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index 4fbb6c08d6..5b725d69b0 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -716,6 +716,8 @@ static av_cold void uninit(AVFilterContext *ctx) #if FF_API_DRAWTEXT_OLD_TIMELINE av_expr_free(s->draw_pexpr); s->x_pexpr = s->y_pexpr = s->draw_pexpr = NULL; +#else + s->x_pexpr = s->y_pexpr = NULL; #endif av_freep(&s->positions); s->nb_positions = 0; From 5a1efc7b8585da037d8c603cf6d1c38d5b9a4cf9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Oct 2014 20:26:27 +0200 Subject: [PATCH 0092/1352] postproc/postprocess: fix quant store for fq mode Signed-off-by: Michael Niedermayer (cherry picked from commit 941aaa39e8cd78ba4d16dfcec767290aec9a0136) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 2 +- tests/ref/fate/filter-pp3 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 01ec0f9867..ab12e59086 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -1004,7 +1004,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if((pict_type&7)!=3){ if (QPStride >= 0){ int i; - const int count= mbHeight * QPStride; + const int count= mbHeight * FFMAX(QPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; } diff --git a/tests/ref/fate/filter-pp3 b/tests/ref/fate/filter-pp3 index 00d4595f37..c2f2b4cb16 100644 --- a/tests/ref/fate/filter-pp3 +++ b/tests/ref/fate/filter-pp3 @@ -1 +1 @@ -pp3 f38fdc2dfa4c8d889918efe6d7a7ac3a +pp3 ef0f10f1859af2f75717e8c9d64ee38a From bf7ee2524b8db7207035309b36cafa9f1a48d5b0 Mon Sep 17 00:00:00 2001 
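Review bot: Clearing `x_pexpr` and `y_pexpr` in `uninit` of vf_drawtext is now duplicated in both arms of `#if FF_API_DRAWTEXT_OLD_TIMELINE`, which is how the non-legacy build came to miss it. Moving `s->x_pexpr = s->y_pexpr = NULL;` above the `#if` and keeping only the `draw_pexpr` free and reset inside it removes the `#else` and the chance of the two arms diverging again. The matching `av_expr_free()` calls are above the hunk, so this assumes they are unconditional.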
From: Michael Niedermayer Date: Mon, 13 Oct 2014 16:02:42 +0200 Subject: [PATCH 0093/1352] postproc: fix qp count Found-by: ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit 0b7e5d0d75e7d8762dd04d35f8c0821736164372) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index ab12e59086..670908ca9f 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -979,7 +979,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if(pict_type & PP_PICT_TYPE_QP2){ int i; - const int count= mbHeight * absQPStride; + const int count= FFMAX(mbHeight * absQPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->stdQPTable)[i] = (((const uint32_t*)QP_store)[i]>>1) & 0x7F7F7F7F; } @@ -1004,7 +1004,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], if((pict_type&7)!=3){ if (QPStride >= 0){ int i; - const int count= mbHeight * FFMAX(QPStride, mbWidth); + const int count= FFMAX(mbHeight * QPStride, mbWidth); for(i=0; i<(count>>2); i++){ ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; } From 2185103bcdd24c674d1e9648edd701a6a7a6fe60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Oct 2014 01:36:04 +0200 Subject: [PATCH 0094/1352] avformat/mxfdec: Fix termination of mxf_data_essence_container_uls Fixes: asan_static-oob_87d116_10_201.mxf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e3b28f10bb9b6750c97ee282a7e656d60d6d9e34) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 7a4633feb6..1dcdae0a08 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
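Review bot: Both `count` computations in `pp_postprocess` now use `FFMAX(..., mbWidth)`, so the copy loops read at least `mbWidth` bytes from `QP_store` even when the stride-derived size is smaller. Neither hunk shows that the caller's buffer or the `stdQPTable`/`nonBQPTable` destinations hold that many entries. If the intent is to cover a zero QP stride (one row shared by all macroblock rows), a comment such as `/* QPStride may be 0: still copy one full row of mbWidth entries */` would say so and state the precondition on `QP_store`. The loops copy `count>>2` 32-bit words through a cast pointer, so the up-to-three trailing bytes must be handled by code outside the hunks.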
@@ -988,7 +988,7 @@ static const MXFCodecUL mxf_sound_essence_container_uls[] = { static const MXFCodecUL mxf_data_essence_container_uls[] = { { { 0x06,0x0e,0x2b,0x34,0x04,0x01,0x01,0x09,0x0d,0x01,0x03,0x01,0x02,0x0e,0x00,0x00 }, 16, 0 }, - { { 0x06,0x0e,0x2b,0x34,0x04,0x01,0x01,0x09,0x0d,0x01,0x03,0x01,0x02,0x0e,0x00,0x00 }, 16, AV_CODEC_ID_NONE }, + { { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, 0, AV_CODEC_ID_NONE }, }; static const char* const mxf_data_essence_descriptor[] = { From e4d921dc71cdf4d813c3e64bb7ade8536b17971c Mon Sep 17 00:00:00 2001 From: Lukasz Marek Date: Mon, 20 Oct 2014 12:12:20 +0200 Subject: [PATCH 0095/1352] lavd: export all symbols with av_ prefix Signed-off-by: Lukasz Marek (cherry picked from commit e493814d6191c6dd2900296df546b5f5c7e4452d) Signed-off-by: Michael Niedermayer --- libavdevice/libavdevice.v | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/libavdevice.v b/libavdevice/libavdevice.v index 663af85ba8..de7278c193 100644 --- a/libavdevice/libavdevice.v +++ b/libavdevice/libavdevice.v @@ -1,4 +1,4 @@ LIBAVDEVICE_$MAJOR { - global: avdevice_*; + global: avdevice_*; av_*; local: *; }; From 30a0622a5dbf2753553deddbfbf2410f7d7799e6 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Sun, 12 Oct 2014 21:10:54 +0200 Subject: [PATCH 0096/1352] avcodec/tiffenc: properly compute packet size The bytes per row is a better indication of it. Helps resolving ticket #3874 by fixing ffmpeg's encoder and transforming the issue in a issue with non-compliant decoders. ffmpeg's one is ok, but unfortunately, many others aren't handling correctly unusual chroma samplings. Signed-off-by: Michael Niedermayer (cherry picked from commit 0e8bfd3c934768f9812dd20d71fa4709de54186d) Signed-off-by: Michael Niedermayer --- libavcodec/tiffenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
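Review bot: The new last entry of mxf_data_essence_container_uls is an all-zero UL with matching length 0, but nothing marks it as the table terminator, and this commit shows that a missing terminator ends in an out-of-bounds read. Add a comment on it, for example `/* terminator: keep this all-zero entry last */`, worded to match whatever the lookup code (outside this hunk) actually tests. The first entry also spells its codec id as a bare `0` while the terminator uses `AV_CODEC_ID_NONE`; using the enumerator in both places would make the mapping explicit.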
diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index 5a61f1aefa..138d214c2f 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c @@ -305,7 +305,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, strips = (s->height - 1) / s->rps + 1; - packet_size = avctx->height * ((avctx->width * s->bpp + 7) >> 3) * 2 + + bytes_per_row = (((s->width - 1) / s->subsampling[0] + 1) * s->bpp * + s->subsampling[0] * s->subsampling[1] + 7) >> 3; + packet_size = avctx->height * bytes_per_row * 2 + avctx->height * 4 + FF_MIN_BUFFER_SIZE; if ((ret = ff_alloc_packet2(avctx, pkt, packet_size)) < 0) @@ -333,8 +335,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, goto fail; } - bytes_per_row = (((s->width - 1) / s->subsampling[0] + 1) * s->bpp * - s->subsampling[0] * s->subsampling[1] + 7) >> 3; if (is_yuv) { av_fast_padded_malloc(&s->yuv_line, &s->yuv_line_size, bytes_per_row); if (s->yuv_line == NULL) { From 045670a6f7e46d2ab84df0214282bbb07e0eef9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 14:03:09 +0100 Subject: [PATCH 0097/1352] avcodec/hevc_ps: Check default display window bitstream and skip if invalid Fixes Ticket4035 Signed-off-by: Michael Niedermayer (cherry picked from commit 852aaead1fc294bcb63a1f9e384e781f6e51ded6) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index c17ca04350..4e1c56163d 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
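Review bot: In encode_frame (libavcodec/tiffenc.c), `packet_size = avctx->height * bytes_per_row * 2 + avctx->height * 4 + FF_MIN_BUFFER_SIZE` is evaluated in int as far as the hunk shows, so a large enough frame can overflow before ff_alloc_packet2() sees the value. Compute the size in 64 bits and reject it first, e.g. `if ((int64_t)avctx->height * bytes_per_row * 2 + avctx->height * 4LL + FF_MIN_BUFFER_SIZE > INT_MAX) return AVERROR(EINVAL);`. bytes_per_row is now derived from `s->width` and `s->subsampling[]` at this earlier point; the code that sets those fields is outside the hunk, so confirm they are already initialised here, since a zero `s->subsampling[0]` would divide by zero.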
@@ -525,7 +525,11 @@ static void decode_vui(HEVCContext *s, HEVCSPS *sps) vui->field_seq_flag = get_bits1(gb); vui->frame_field_info_present_flag = get_bits1(gb); - vui->default_display_window_flag = get_bits1(gb); + if (get_bits_left(gb) >= 68 && show_bits_long(gb, 21) == 0x100000) { + vui->default_display_window_flag = 0; + av_log(s->avctx, AV_LOG_WARNING, "Invalid default display window\n"); + } else + vui->default_display_window_flag = get_bits1(gb); // Backup context in case an alternate header is detected memcpy(&backup, gb, sizeof(backup)); From ca47574e16ca6988ad7eda56d65e1d7b4fc35878 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 20:48:58 +0100 Subject: [PATCH 0098/1352] avcodec/sgidec: fix linesize for 16bit Fixes: asan_heap-oob_22b30d4_39_038.sgi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3b20ed85489a14cb5028c873d06960dbc5eef88a) Signed-off-by: Michael Niedermayer --- libavcodec/sgidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index 6f51ec3531..8338863637 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -145,7 +145,7 @@ static int read_rle_sgi(uint8_t *out_buf, SgiState *s) for (z = 0; z < s->depth; z++) { dest_row = out_buf; for (y = 0; y < s->height; y++) { - linesize = s->width * s->depth * s->bytes_per_channel; + linesize = s->width * s->depth; dest_row -= s->linesize; start_offset = bytestream2_get_be32(&g_table); bytestream2_seek(&s->g, start_offset, SEEK_SET); From 73c6520c096b017e0a464718fee683abae4c5d2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 20:48:58 +0100 Subject: [PATCH 0099/1352] avcodec/sgidec: fix count check Fixes: asan_heap-oob_22b30d4_39_038.sgi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a050cf0c451bdf1c1bd512c4fce6b6f8a5e85102) 
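Review bot: The new test in decode_vui, `get_bits_left(gb) >= 68 && show_bits_long(gb, 21) == 0x100000`, uses two unexplained constants and only peeks at the bitstream, so in the invalid branch the flag bit is never consumed while the else branch consumes it with get_bits1(). If leaving the bit unread is intended, say so in a comment such as `/* flag set but followed by 20 zero bits: treat the window as absent and do not consume the bit */` and note where 68 comes from. If it is not intended, the branch needs a `skip_bits1(gb);`. The `else` also hangs off a braced `if` without braces of its own, which is easy to misread next to the memcpy that follows.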
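Review bot: In read_rle_sgi, the local `linesize` is now `s->width * s->depth`, with the bytes-per-channel factor removed, while the very next line steps `dest_row` by `s->linesize`. Two quantities with different units share one name, and the heap out-of-bounds access this commit fixes appears to come from exactly that kind of mix-up. Rename the local or document it, e.g. `/* output samples per row, not bytes */`. How the value is consumed lies outside the hunk, so check the wording against the row-expansion calls.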
Signed-off-by: Michael Niedermayer --- libavcodec/sgidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c index 8338863637..3ddbf77bc8 100644 --- a/libavcodec/sgidec.c +++ b/libavcodec/sgidec.c @@ -98,7 +98,7 @@ static int expand_rle_row16(SgiState *s, uint16_t *out_buf, break; /* Check for buffer overflow. */ - if (pixelstride * (count - 1) >= len) { + if (out_end - out_buf <= pixelstride * (count - 1)) { av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n"); return AVERROR_INVALIDDATA; } From 8cba067fe52a717bdd2d3ed16c5c06bce54fa7a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 01:23:40 +0100 Subject: [PATCH 0100/1352] avcodec/diracdec: Use 64bit in calculation of codeblock coordinates Fixes integer overflow Fixes out of array read Fixes: asan_heap-oob_107866c_42_041.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 526886e6069636a918c8c04db17e864e3d8151c1) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index c03f45c928..0511f1c391 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -612,10 +612,10 @@ static av_always_inline void decode_subband_internal(DiracContext *s, SubBand *b top = 0; for (cb_y = 0; cb_y < cb_height; cb_y++) { - bottom = (b->height * (cb_y+1)) / cb_height; + bottom = (b->height * (cb_y+1LL)) / cb_height; left = 0; for (cb_x = 0; cb_x < cb_width; cb_x++) { - right = (b->width * (cb_x+1)) / cb_width; + right = (b->width * (cb_x+1LL)) / cb_width; codeblock(s, b, &gb, &c, left, right, top, bottom, blockcnt_one, is_arith); left = right; } From 8e95ddbe82c4bb50e117e791b1b45edfd1b764dd Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 28 Oct 2014 01:23:40 +0100 Subject: [PATCH 0101/1352] avcodec/diracdec: Tighter checks on CODEBLOCKS_X/Y Fixes very long but finite loop Fixes: asan_heap-oob_107866c_42_041.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5145d22b88b9835db81c4d286b931a78e08ab76a) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 0511f1c391..aa8e2b0db9 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1004,8 +1004,8 @@ static int dirac_unpack_idwt_params(DiracContext *s) /* Codeblock parameters (core syntax only) */ if (get_bits1(gb)) { for (i = 0; i <= s->wavelet_depth; i++) { - CHECKEDREAD(s->codeblock[i].width , tmp < 1, "codeblock width invalid\n") - CHECKEDREAD(s->codeblock[i].height, tmp < 1, "codeblock height invalid\n") + CHECKEDREAD(s->codeblock[i].width , tmp < 1 || tmp > (s->avctx->width >>s->wavelet_depth-i), "codeblock width invalid\n") + CHECKEDREAD(s->codeblock[i].height, tmp < 1 || tmp > (s->avctx->height>>s->wavelet_depth-i), "codeblock height invalid\n") } CHECKEDREAD(s->codeblock_mode, tmp > 1, "unknown codeblock mode\n") From 3f3e5f8f60ef2ed221b17bc72c989921dba6d9a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 02:14:41 +0100 Subject: [PATCH 0102/1352] avcodec/dirac_arith: fix integer overflow Fixes: asan_heap-oob_1078676_9_008.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 39680caceebfc6abf09b17032048752c014e57a8) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_arith.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dirac_arith.h b/libavcodec/dirac_arith.h index 089c71a698..a1fa96b5bc 100644 --- a/libavcodec/dirac_arith.h +++ b/libavcodec/dirac_arith.h 
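Review bot: In dirac_unpack_idwt_params, the new bounds `tmp > (s->avctx->width >>s->wavelet_depth-i)` rely on `-` binding tighter than `>>`. That yields the intended `width >> (wavelet_depth - i)`, but it reads as the opposite and triggers -Wparentheses. Write `tmp > (s->avctx->width >> (s->wavelet_depth - i))` and the same for height. The shift count is only defined if wavelet_depth has been range-checked, which happens outside this hunk. For small frames the right-hand side can reach 0, which rejects every codeblock size at that level.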
@@ -171,6 +171,10 @@ static inline int dirac_get_arith_uint(DiracArith *c, int follow_ctx, int data_c { int ret = 1; while (!dirac_get_arith_bit(c, follow_ctx)) { + if (ret >= 0x40000000) { + av_log(NULL, AV_LOG_ERROR, "dirac_get_arith_uint overflow\n"); + return -1; + } ret <<= 1; ret += dirac_get_arith_bit(c, data_ctx); follow_ctx = ff_dirac_next_ctx[follow_ctx]; From c7b7e0790c7bf2c799a4f07ae9f54f36c910323d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Oct 2014 15:26:42 +0100 Subject: [PATCH 0103/1352] avcodec/dxa: check dimensions Fixes out of array access Fixes: asan_heap-oob_11222fb_21_020.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e70312dfc22c4e54d5716f28f28db8f99c74cc90) Signed-off-by: Michael Niedermayer --- libavcodec/dxa.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c index 0f64b5e619..c8e3f71399 100644 --- a/libavcodec/dxa.c +++ b/libavcodec/dxa.c @@ -329,6 +329,11 @@ static av_cold int decode_init(AVCodecContext *avctx) { DxaDecContext * const c = avctx->priv_data; + if (avctx->width%4 || avctx->height%4) { + avpriv_request_sample(avctx, "dimensions are not a multiple of 4"); + return AVERROR_INVALIDDATA; + } + c->prev = av_frame_alloc(); if (!c->prev) return AVERROR(ENOMEM); From 66fcf1fa404ea4b32ed02f6cd9ca1b057ae4fc6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Oct 2014 00:57:07 +0100 Subject: [PATCH 0104/1352] avcodec/dnxhddec: treat pix_fmt like width/height Fixes out of array accesses Fixes: asan_heap-oob_22c9a39_16_015.mxf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f3c0e0bf6f53df0977f3878d4f5cec99dff8de9e) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) 
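Review bot: dirac_get_arith_uint now returns -1 once `ret >= 0x40000000`, but the commit touches only this header, so callers that treat the result as a non-negative magnitude presumably still use it unchecked. Document the error value in the function comment and audit the callers, or saturate instead of returning a negative number. The `av_log(NULL, AV_LOG_ERROR, ...)` sits inside an inline bit-decoding loop with no logging context, and one crafted stream can trigger it repeatedly. Consider dropping the message or passing a context in.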
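Review bot: decode_init in libavcodec/dxa.c pairs `avpriv_request_sample()` with `return AVERROR_INVALIDDATA;`, which sends mixed signals: the first asks users to submit the file as an unsupported feature, the second reports it as corrupt. The cook.c check in this same series returns `AVERROR_PATCHWELCOME` after avpriv_request_sample(). Use that here, or keep AVERROR_INVALIDDATA and report the condition with av_log() instead.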
diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 787c6c5ec4..06800746d1 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -38,6 +38,7 @@ typedef struct DNXHDContext { BlockDSPContext bdsp; int64_t cid; ///< compression id unsigned int width, height; + enum AVPixelFormat pix_fmt; unsigned int mb_width, mb_height; uint32_t mb_scan_index[68]; /* max for 1080p */ int cur_field; ///< current interlaced field @@ -141,7 +142,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, ctx->is_444 = 0; if (buf[0x4] == 0x2) { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV444P10; + ctx->pix_fmt = AV_PIX_FMT_YUV444P10; ctx->avctx->bits_per_raw_sample = 10; if (ctx->bit_depth != 10) { ff_blockdsp_init(&ctx->bdsp, ctx->avctx); @@ -151,7 +152,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, } ctx->is_444 = 1; } else if (buf[0x21] & 0x40) { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P10; + ctx->pix_fmt = AV_PIX_FMT_YUV422P10; ctx->avctx->bits_per_raw_sample = 10; if (ctx->bit_depth != 10) { ff_blockdsp_init(&ctx->bdsp, ctx->avctx); @@ -160,7 +161,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, AVFrame *frame, ctx->decode_dct_block = dnxhd_decode_dct_block_10; } } else { - ctx->avctx->pix_fmt = AV_PIX_FMT_YUV422P; + ctx->pix_fmt = AV_PIX_FMT_YUV422P; ctx->avctx->bits_per_raw_sample = 8; if (ctx->bit_depth != 8) { ff_blockdsp_init(&ctx->bdsp, ctx->avctx); @@ -446,7 +447,13 @@ decode_coding_unit: avctx->width, avctx->height, ctx->width, ctx->height); first_field = 1; } + if (avctx->pix_fmt != AV_PIX_FMT_NONE && avctx->pix_fmt != ctx->pix_fmt) { + av_log(avctx, AV_LOG_WARNING, "pix_fmt changed: %s -> %s\n", + av_get_pix_fmt_name(avctx->pix_fmt), av_get_pix_fmt_name(ctx->pix_fmt)); + first_field = 1; + } + avctx->pix_fmt = ctx->pix_fmt; ret = ff_set_dimensions(avctx, ctx->width, ctx->height); if (ret < 0) return ret; From 24d725f455742378048e6a7e41dd21ec8df893e2 Mon Sep 17 00:00:00 2001 
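Review bot: In the decode_coding_unit hunk of dnxhddec.c, the results of `av_get_pix_fmt_name()` go straight into `%s`. That function returns NULL for a value it does not know, and `avctx->pix_fmt` is only compared against AV_PIX_FMT_NONE before the call. Guard the arguments, e.g. `av_x_if_null(av_get_pix_fmt_name(avctx->pix_fmt), "unknown")`, or print the numeric value. `avctx->pix_fmt = ctx->pix_fmt;` is also assigned before `ff_set_dimensions()` can fail, so on that error path the context keeps the new format with the old dimensions; setting it after the call succeeds would keep the two consistent.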
From: Michael Niedermayer Date: Wed, 29 Oct 2014 14:15:29 +0100 Subject: [PATCH 0105/1352] avcodec/utils: Align dimensions by at least their chroma sub-sampling factors. Fixes: out of array accesses Fixes: asan_heap-oob_112c6b3_13_012.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit df74811cd53e45fcbbd3b77a1c42416816687c5c) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 07874c238f..4931444583 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -279,6 +279,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int i; int w_align = 1; int h_align = 1; + AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(s->pix_fmt); + + if (desc) { + w_align = 1 << desc->log2_chroma_w; + h_align = 1 << desc->log2_chroma_h; + } switch (s->pix_fmt) { case AV_PIX_FMT_YUV420P: @@ -406,8 +412,6 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } break; default: - w_align = 1; - h_align = 1; break; } From 1f636a697f6bfe45e97d072fdd27021df8ea61d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2014 01:19:17 +0100 Subject: [PATCH 0106/1352] avcodec/g2meet: check tile dimensions to avoid integer overflow Fixes out of array access Fixes: asan_heap-oob_12a55d3_30_029.wmv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 32e666c354e4a3160d8cf1d303cb51990b095c87) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 1004e1921e..d0cb88cb56 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c 
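Review bot: In avcodec_align_dimensions2, `AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(s->pix_fmt);` discards the const qualifier of the returned descriptor; declare it `const AVPixFmtDescriptor *desc`. The chroma-derived `w_align`/`h_align` are only a starting value, because any `case` in the switch that assigns a fixed alignment replaces them rather than taking the maximum. The "at least" in the commit title therefore holds only where those fixed values are not smaller. The switch body is outside the hunk; if any case can assign less than `1 << desc->log2_chroma_w`, use `FFMAX()` there.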
@@ -736,8 +736,10 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, } c->tile_width = bytestream2_get_be32(&bc); c->tile_height = bytestream2_get_be32(&bc); - if (!c->tile_width || !c->tile_height || - ((c->tile_width | c->tile_height) & 0xF)) { + if (c->tile_width <= 0 || c->tile_height <= 0 || + ((c->tile_width | c->tile_height) & 0xF) || + c->tile_width * 4LL * c->tile_height >= INT_MAX + ) { av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions %dx%d\n", c->tile_width, c->tile_height); From 35bc67503e802289d69938953ec7a328dd0eab6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2014 16:53:09 +0100 Subject: [PATCH 0107/1352] avcodec/cook: check that the subpacket sizes fit in block_align Fixes out of array read Fixes: asan_heap-oob_fb5c50_19_018.rmvb Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 10e32618acce9c3fc64c061eb7907e8a8d2749ae) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index eb2654e0d5..0cc01d05c9 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1215,8 +1215,8 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->num_subpackets++; s++; - if (s > MAX_SUBPACKETS) { - avpriv_request_sample(avctx, "subpackets > %d", MAX_SUBPACKETS); + if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) { + avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); return AVERROR_PATCHWELCOME; } } From 63523485f4d312f9d98eb30dfa633a9f75671b7e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2014 18:16:25 +0100 Subject: [PATCH 0108/1352] avcodec/svq1dec: zero terminate embedded message before printing Fixes out of array access Fixes: asan_stack-oob_49b1e5_10_009.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
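Review bot: The new guard in g2m_decode_frame, `c->tile_width * 4LL * c->tile_height >= INT_MAX`, does not say which allocation or stride computation it protects, and that code is outside the hunk. Add a comment naming the expression it bounds, e.g. `/* keeps the tile buffer size computed below within int range */`, worded after the real expression. That way the factor 4 gets updated together with it if the buffer layout changes.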
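Review bot: In cook_decode_init the limit is now `FFMIN(MAX_SUBPACKETS, avctx->block_align)`, which compares the subpacket count `s` with block_align, while the commit title speaks of subpacket sizes fitting in block_align. If the sizes are what must fit, their sum should be checked directly. When block_align is the limit that trips, the stream is inconsistent rather than unsupported, so `avpriv_request_sample()` with `AVERROR_PATCHWELCOME` is the wrong report; return `AVERROR_INVALIDDATA` for that case. The loop that increments `s` starts outside the hunk.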
Signed-off-by: Michael Niedermayer (cherry picked from commit e91ba2efa949470e9157b652535d207a101f91e0) Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 121ebc43e9..052b61839e 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -499,7 +499,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, HpelDSPContext *hdsp, return result; } -static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) +static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257]) { uint8_t seed; int i; @@ -511,6 +511,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) out[i] = get_bits(bitbuf, 8) ^ seed; seed = string_table[out[i] ^ seed]; } + out[i] = 0; } static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) @@ -553,12 +554,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) } if ((s->frame_code ^ 0x10) >= 0x50) { - uint8_t msg[256]; + uint8_t msg[257]; svq1_parse_string(bitbuf, msg); av_log(avctx, AV_LOG_INFO, - "embedded message:\n%s\n", (char *)msg); + "embedded message:\n%s\n", ((char *)msg) + 1); } skip_bits(bitbuf, 2); From 04aa2ffbcf706605499ebdffff1ab063e782d9f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Nov 2014 13:39:52 +0100 Subject: [PATCH 0109/1352] Update for 2.4.3 Signed-off-by: Michael Niedermayer --- Changelog | 26 ++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 28 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 8a6826a99c..1002a0fbd6 100644 --- a/Changelog +++ b/Changelog 
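Review bot: svq1_decode_frame_header still prints the embedded message with `%s` straight from the bitstream, so a file can place control characters or terminal escape sequences in the log. The new terminator fixes the over-read but not that. Replace non-printable bytes before logging, or emit the message only at a debug level. The `uint8_t out[257]` parameter is an ordinary pointer to the compiler, so the size is documentation only. A comment on svq1_parse_string stating what the first byte holds (presumably the length, given the `+ 1` at the call site) would make that offset understandable.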
@@ -3,6 +3,32 @@ releases are sorted from youngest to oldest. version : +version 2.4.3: +- avcodec/svq1dec: zero terminate embedded message before printing +- avcodec/cook: check that the subpacket sizes fit in block_align +- avcodec/g2meet: check tile dimensions to avoid integer overflow +- avcodec/utils: Align dimensions by at least their chroma sub-sampling factors. +- avcodec/dnxhddec: treat pix_fmt like width/height +- avcodec/dxa: check dimensions +- avcodec/dirac_arith: fix integer overflow +- avcodec/diracdec: Tighter checks on CODEBLOCKS_X/Y +- avcodec/diracdec: Use 64bit in calculation of codeblock coordinates +- avcodec/sgidec: fix count check +- avcodec/sgidec: fix linesize for 16bit +- avcodec/hevc_ps: Check default display window bitstream and skip if invalid +- avcodec/tiffenc: properly compute packet size +- lavd: export all symbols with av_ prefix +- avformat/mxfdec: Fix termination of mxf_data_essence_container_uls +- postproc: fix qp count +- postproc/postprocess: fix quant store for fq mode +- vf_drawtext: add missing clear of pointers after av_expr_free() +- utvideoenc: properly set slice height/last line +- swresample: fix sample drop loop end condition +- resample: Avoid off-by-1 errors in PTS calcs. +- imc: fix order of operations in coefficients read +- hevc_mvs: make sure to always initialize the temporal MV fully +- hevc_mvs: initialize the temporal MV in case of missing reference + version 2.4.2: - avcodec/on2avc: Check number of channels - avcodec/hevc: fix chroma transform_add size diff --git a/RELEASE b/RELEASE index 8e8299dcc0..35cee72dcb 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.2 +2.4.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 897859a981..e15895122e 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.2 +PROJECT_NUMBER = 2.4.3 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 857e391697287a97a810114fba0de52179e6c623 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 2 Oct 2014 09:41:57 +0200 Subject: [PATCH 0110/1352] Stop demuxing wtv on eof. Fixes ticket #3991. Fixes ticket #3995. Fixes ticket #3997. Reviewed-by: Peter Ross Reviewed-by: Paul B Mahol (cherry picked from commit 6efe4137ce39fef35e3e7f274160958acdac7581) --- libavformat/wtvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 4cb3295464..9cedae1f8e 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -789,6 +789,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p len = avio_rl32(pb); if (len < 32) { int ret; + if (avio_feof(pb)) + return AVERROR_EOF; av_log(s, AV_LOG_WARNING, "encountered broken chunk\n"); if ((ret = recover(wtv, avio_tell(pb) - 20)) < 0) return ret; From 39518589e73ed08f6afad7dc0d7ced1bcfbdaf92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Oct 2014 21:43:17 +0200 Subject: [PATCH 0111/1352] avformat/options_table: add FF_COMPLIANCE_UNOFFICIAL Fixes ticket 3959 Signed-off-by: Michael Niedermayer (cherry picked from commit c02ea58c5f0a77f20c8046041edb974bb4376f4c) --- libavformat/options_table.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/options_table.h b/libavformat/options_table.h index eb4115cd7b..71024be195 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h 
@@ -93,6 +93,7 @@ static const AVOption avformat_options[] = { {"strict", "how strictly to follow the standards", OFFSET(strict_std_compliance), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, D|E, "strict"}, {"strict", "strictly conform to all the things in the spec no matter what the consequences", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_STRICT }, INT_MIN, INT_MAX, D|E, "strict"}, {"normal", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_NORMAL }, INT_MIN, INT_MAX, D|E, "strict"}, +{"unofficial", "allow unofficial extensions", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_UNOFFICIAL }, INT_MIN, INT_MAX, D|E, "strict"}, {"experimental", "allow non-standardized experimental variants", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_EXPERIMENTAL }, INT_MIN, INT_MAX, D|E, "strict"}, {"max_ts_probe", "maximum number of packets to read while waiting for the first timestamp", OFFSET(max_ts_probe), AV_OPT_TYPE_INT, { .i64 = 50 }, 0, INT_MAX, D }, {NULL}, From a8a6cdfcd7b64964513292da9317645a8a510191 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Oct 2014 20:23:40 +0200 Subject: [PATCH 0112/1352] avformat/matroskadec: do not trust the default duration to be the real 1/timebase if its less than 5fps Fixes Ticket3980 Signed-off-by: Michael Niedermayer (cherry picked from commit be695ee389724d713e1b8a61ef899fe1795193ce) --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index b8ddf67b79..e3cd1e4ecc 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1920,7 +1920,8 @@ static int matroska_parse_tracks(AVFormatContext *s) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, 1000000000, track->default_duration, 30000); #if FF_API_R_FRAME_RATE - if (st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L) + if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L + && st->avg_frame_rate.num > st->avg_frame_rate.den * 5L) st->r_frame_rate = st->avg_frame_rate; #endif } From 25fc3deed8001ecb60f6e0780d049adb01742e75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 1 Nov 2014 13:01:38 +0100 Subject: [PATCH 0113/1352] mpeg4vdpau: Fix priv data size. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Reimar Döffinger (cherry picked from commit 46353759cb3c90ad8eb4af6526c236513d477296) --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 22812926c8..bc9264f5a4 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2793,7 +2793,7 @@ AVCodec ff_mpeg4_vdpau_decoder = { .long_name = NULL_IF_CONFIG_SMALL("MPEG-4 part 2 (VDPAU)"), .type = AVMEDIA_TYPE_VIDEO, .id = AV_CODEC_ID_MPEG4, - .priv_data_size = sizeof(MpegEncContext), + .priv_data_size = sizeof(Mpeg4DecContext), .init = decode_init, .close = ff_h263_decode_end, .decode = ff_h263_decode_frame, From 70f6d553d98e6f40f36ac1a85698e079629f7d0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 04:22:42 +0100 Subject: [PATCH 0114/1352] Move get_avc_nalsize() and find_start_code() to h264.h This allows sharing them with the h264 parser 
Signed-off-by: Michael Niedermayer (cherry picked from commit 4898440f6bd19152373969159fff057b532c6374) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 37 ------------------------------------- libavcodec/h264.h | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 37 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index c4f4b052ff..12713de56b 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1330,43 +1330,6 @@ int ff_set_ref_count(H264Context *h) static const uint8_t start_code[] = { 0x00, 0x00, 0x01 }; -static int find_start_code(const uint8_t *buf, int buf_size, - int buf_index, int next_avc) -{ - // start code prefix search - for (; buf_index + 3 < next_avc; buf_index++) - // This should always succeed in the first iteration. - if (buf[buf_index] == 0 && - buf[buf_index + 1] == 0 && - buf[buf_index + 2] == 1) - break; - - buf_index += 3; - - if (buf_index >= buf_size) - return buf_size; - - return buf_index; -} - -static int get_avc_nalsize(H264Context *h, const uint8_t *buf, - int buf_size, int *buf_index) -{ - int i, nalsize = 0; - - if (*buf_index >= buf_size - h->nal_length_size) - return -1; - - for (i = 0; i < h->nal_length_size; i++) - nalsize = (nalsize << 8) | buf[(*buf_index)++]; - if (nalsize <= 0 || nalsize > buf_size - *buf_index) { - av_log(h->avctx, AV_LOG_ERROR, - "AVC: nal size %d\n", nalsize); - return -1; - } - return nalsize; -} - static int get_bit_length(H264Context *h, const uint8_t *buf, const uint8_t *ptr, int dst_length, int i, int next_avc) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 5ec4f0c255..d0d818c45f 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h 
@@ -1092,6 +1092,43 @@ static av_always_inline int get_dct8x8_allowed(H264Context *h) 0x0001000100010001ULL)); } +static inline int find_start_code(const uint8_t *buf, int buf_size, + int buf_index, int next_avc) +{ + // start code prefix search + for (; buf_index + 3 < next_avc; buf_index++) + // This should always succeed in the first iteration. + if (buf[buf_index] == 0 && + buf[buf_index + 1] == 0 && + buf[buf_index + 2] == 1) + break; + + buf_index += 3; + + if (buf_index >= buf_size) + return buf_size; + + return buf_index; +} + +static inline int get_avc_nalsize(H264Context *h, const uint8_t *buf, + int buf_size, int *buf_index) +{ + int i, nalsize = 0; + + if (*buf_index >= buf_size - h->nal_length_size) + return -1; + + for (i = 0; i < h->nal_length_size; i++) + nalsize = ((unsigned)nalsize << 8) | buf[(*buf_index)++]; + if (nalsize <= 0 || nalsize > buf_size - *buf_index) { + av_log(h->avctx, AV_LOG_ERROR, + "AVC: nal size %d\n", nalsize); + return -1; + } + return nalsize; +} + int ff_h264_field_end(H264Context *h, int in_setup); int ff_h264_ref_picture(H264Context *h, H264Picture *dst, H264Picture *src); From 5405ba7b635b23e565a308172771441ac76d1362 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 04:24:20 +0100 Subject: [PATCH 0115/1352] avcodec/h264: simplify find_start_code() this also uses avpriv_find_start_code(), though no speed change is expected as the area searched is generally small Signed-off-by: Michael Niedermayer (cherry picked from commit 3b678da5e386c138316954e867d595f946666051) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index d0d818c45f..b94f06b6d1 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h 
@@ -36,6 +36,7 @@ #include "h264dsp.h" #include "h264pred.h" #include "h264qpel.h" +#include "internal.h" // for avpriv_find_start_code() #include "me_cmp.h" #include "mpegutils.h" #include "parser.h" @@ -1095,20 +1096,11 @@ static av_always_inline int get_dct8x8_allowed(H264Context *h) static inline int find_start_code(const uint8_t *buf, int buf_size, int buf_index, int next_avc) { - // start code prefix search - for (; buf_index + 3 < next_avc; buf_index++) - // This should always succeed in the first iteration. - if (buf[buf_index] == 0 && - buf[buf_index + 1] == 0 && - buf[buf_index + 2] == 1) - break; + uint32_t state = -1; - buf_index += 3; + buf_index = avpriv_find_start_code(buf + buf_index, buf + next_avc + 1, &state) - buf - 1; - if (buf_index >= buf_size) - return buf_size; - - return buf_index; + return FFMIN(buf_index, buf_size); } static inline int get_avc_nalsize(H264Context *h, const uint8_t *buf, From 9a641b909cb8132aeba0e112e5514b5e6f7b343d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Oct 2014 04:30:11 +0100 Subject: [PATCH 0116/1352] avcodec/h264_parser: rewrite the parse_nal_units() loop logic based on h264.c Fixes Ticket4011 Signed-off-by: Michael Niedermayer (cherry picked from commit 69a9a90d2ef795162074be24e3ad2182a8676af2) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parser.c | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 36cf980c8e..14d709cd1e 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c 
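Review bot: The simplified find_start_code in h264.h passes `buf + next_avc + 1` as the end pointer to avpriv_find_start_code(). When next_avc equals buf_size, which is how the parser in this series initialises it for non-AVC input, that pointer lies beyond the one-past-the-end position of the buffer. This is only safe if every caller's buffer carries the usual input padding, which the header does not state. Add a comment such as `/* scans one byte beyond next_avc; relies on the input buffer padding */`, or clamp the end pointer to the buffer. `uint32_t state = -1;` would also read more clearly as `~0U`.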
@@ -202,10 +202,10 @@ static int scan_mmco_reset(AVCodecParserContext *s) */ static inline int parse_nal_units(AVCodecParserContext *s, AVCodecContext *avctx, - const uint8_t *buf, int buf_size) + const uint8_t * const buf, int buf_size) { H264Context *h = s->priv_data; - const uint8_t *buf_end = buf + buf_size; + int buf_index, next_avc; unsigned int pps_id; unsigned int slice_type; int state = -1, got_reset = 0; @@ -225,26 +225,26 @@ static inline int parse_nal_units(AVCodecParserContext *s, if (!buf_size) return 0; + buf_index = 0; + next_avc = h->is_avc ? 0 : buf_size; for (;;) { int src_length, dst_length, consumed, nalsize = 0; - if (h->is_avc) { - int i; - if (h->nal_length_size >= buf_end - buf) break; - nalsize = 0; - for (i = 0; i < h->nal_length_size; i++) - nalsize = (nalsize << 8) | *buf++; - if (nalsize <= 0 || nalsize > buf_end - buf) { - av_log(h->avctx, AV_LOG_ERROR, "AVC: nal size %d\n", nalsize); + + if (buf_index >= next_avc) { + nalsize = get_avc_nalsize(h, buf, buf_size, &buf_index); + if (nalsize < 0) break; - } - src_length = nalsize; + next_avc = buf_index + nalsize; } else { - buf = avpriv_find_start_code(buf, buf_end, &state); - if (buf >= buf_end) - break; - --buf; - src_length = buf_end - buf; + buf_index = find_start_code(buf, buf_size, buf_index, next_avc); + if (buf_index >= buf_size) + break; + if (buf_index >= next_avc) + continue; } + src_length = next_avc - buf_index; + + state = buf[buf_index]; switch (state & 0x1f) { case NAL_SLICE: case NAL_IDR_SLICE: @@ -261,10 +261,13 @@ static inline int parse_nal_units(AVCodecParserContext *s, } break; } - ptr = ff_h264_decode_nal(h, buf, &dst_length, &consumed, src_length); + ptr = ff_h264_decode_nal(h, buf + buf_index, &dst_length, + &consumed, src_length); if (!ptr || dst_length < 0) break; + buf_index += consumed; + init_get_bits(&h->gb, ptr, 8 * dst_length); switch (h->nal_unit_type) { case NAL_SPS: 
@@ -439,7 +442,6 @@ static inline int parse_nal_units(AVCodecParserContext *s, return 0; /* no need to evaluate the rest */ } - buf += h->is_avc ? nalsize : consumed; } if (q264) return 0; From 043f32606046b1470218511ded151edfa7a126ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Nov 2014 01:55:40 +0100 Subject: [PATCH 0117/1352] avcodec/h264_slice: Clear table pointers to avoid stale pointers Might fix Ticket3889 Signed-off-by: Michael Niedermayer (cherry picked from commit 547fce95858ef83f8c25ae347e3ae3b8ba437fd9) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index ffb7de5237..c46cc2453c 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -585,6 +585,17 @@ int ff_h264_update_thread_context(AVCodecContext *dst, h->mb_type_pool = NULL; h->ref_index_pool = NULL; h->motion_val_pool = NULL; + h->intra4x4_pred_mode= NULL; + h->non_zero_count = NULL; + h->slice_table_base = NULL; + h->slice_table = NULL; + h->cbp_table = NULL; + h->chroma_pred_mode_table = NULL; + memset(h->mvd_table, 0, sizeof(h->mvd_table)); + h->direct_table = NULL; + h->list_counts = NULL; + h->mb2b_xy = NULL; + h->mb2br_xy = NULL; for (i = 0; i < 2; i++) { h->rbsp_buffer[i] = NULL; h->rbsp_buffer_size[i] = 0; From cd57d608a4125a996671e7d013767120cb60513d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Nov 2014 01:21:59 +0100 Subject: [PATCH 0118/1352] avcodec/mpeg12dec: do not trust AVCodecContext input dimensions Fixes initial wtv dimensions Fixes Ticket4070 Signed-off-by: Michael Niedermayer (cherry picked from commit 77f1199e8fd9a289ad64eb2bb5bd4deeda8bccb8) --- libavcodec/mpeg12dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 95cc1a8693..d5e1fb6662 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c 
@@ -1120,6 +1120,10 @@ static av_cold int mpeg_decode_init(AVCodecContext *avctx) MpegEncContext *s2 = &s->mpeg_enc_ctx; ff_mpv_decode_defaults(s2); + + if ( avctx->codec_tag != AV_RL32("VCR2") + && avctx->codec_tag != AV_RL32("BW10")) + avctx->coded_width = avctx->coded_height = 0; // do not trust dimensions from input ff_mpv_decode_init(s2, avctx); s->mpeg_enc_ctx.avctx = avctx; From f9ca1fecb0fdd427634cfeed4389e7f2a184ef7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Nov 2014 20:19:04 +0100 Subject: [PATCH 0119/1352] ffmpeg_opt: store canvas size in decoder context Fixes canvas size Fixes Ticket4074 Signed-off-by: Michael Niedermayer (cherry picked from commit 66b9e60af0b82ee8bd63d84011127dca4ea1e23f) --- ffmpeg_opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 05ab652f1a..0c7b35a269 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -702,7 +702,7 @@ static void add_input_streams(OptionsContext *o, AVFormatContext *ic) MATCH_PER_STREAM_OPT(fix_sub_duration, i, ist->fix_sub_duration, ic, st); MATCH_PER_STREAM_OPT(canvas_sizes, str, canvas_size, ic, st); if (canvas_size && - av_parse_video_size(&dec->width, &dec->height, canvas_size) < 0) { + av_parse_video_size(&ist->dec_ctx->width, &ist->dec_ctx->height, canvas_size) < 0) { av_log(NULL, AV_LOG_FATAL, "Invalid canvas size: %s.\n", canvas_size); exit_program(1); } From a5cc8775cf1d276189a22a244f3e487782a36fd4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Sep 2014 03:57:00 +0200 Subject: [PATCH 0120/1352] avcodec/h264_sei: ff_h264_decode_sei: dont try to parse trailing zeroes reduces noise for tserrors.ts Signed-off-by: Michael Niedermayer (cherry picked from commit 688a40b4ed7d2e07d3f96c2feecf785a4866e60c) --- libavcodec/h264_sei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c index aa889b8bba..8e1697a31e 100644 --- a/libavcodec/h264_sei.c 
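Review bot: The two codec tags exempted from the reset in mpeg_decode_init(), `VCR2` and `BW10`, have no explanation, so a reader cannot tell why caller-supplied dimensions are kept for them and zeroed for everything else. A comment above the condition would make the trust decision auditable, for example `/* VCR2 and BW10 keep the container's coded size because <reason from the author> */`. The existing `// do not trust dimensions from input` remark would be easier to find on its own line above the `if`.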
+++ b/libavcodec/h264_sei.c @@ -281,7 +281,7 @@ static int decode_display_orientation(H264Context *h) int ff_h264_decode_sei(H264Context *h) { - while (get_bits_left(&h->gb) > 16) { + while (get_bits_left(&h->gb) > 16 && show_bits(&h->gb, 16)) { int type = 0; unsigned size = 0; unsigned next; From 9798dc8061c99875fa225b96884b2db1c0ee165a Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 5 Nov 2014 01:35:48 +0100 Subject: [PATCH 0121/1352] Use -fno-optimize-sibling-calls on parisc also for gcc 4.9. Fixes fate on hppa. Found-by: Andreas Cadhalpun. (cherry picked from commit f2ffaae9ac93e221a0e1e11ea3581422323abd2f) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 618dfab2e8..3974b94c14 100755 --- a/configure +++ b/configure @@ -4500,7 +4500,7 @@ elif enabled parisc; then if enabled gcc; then case $($cc -dumpversion) in - 4.[3-8].*) check_cflags -fno-optimize-sibling-calls ;; + 4.[3-9].*) check_cflags -fno-optimize-sibling-calls ;; esac fi From c7b64a904ae3f90f3994a4abd599bbc76ca540be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Nov 2014 00:04:51 +0100 Subject: [PATCH 0122/1352] avcodec/mpegaudio_parser: fix off by 1 error in bitrate calculation Fixes Ticket3918 Signed-off-by: Michael Niedermayer (cherry picked from commit 817663897e59f45f60016fa9d3d16e325b803967) --- libavcodec/mpegaudio_parser.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index 3d9e94688a..79dbf635b4 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c 
@@ -73,20 +73,21 @@ static int mpegaudio_parse(AVCodecParserContext *s1, if (i > 4) s->header_count = -2; } else { + int header_threshold = avctx->codec_id != AV_CODEC_ID_NONE && avctx->codec_id != codec_id; if((state&SAME_HEADER_MASK) != (s->header&SAME_HEADER_MASK) && s->header) s->header_count= -3; s->header= state; s->header_count++; s->frame_size = ret-4; - if (s->header_count > 0 + (avctx->codec_id != AV_CODEC_ID_NONE && avctx->codec_id != codec_id)) { + if (s->header_count > header_threshold) { avctx->sample_rate= sr; avctx->channels = channels; s1->duration = frame_size; avctx->codec_id = codec_id; if (s->no_bitrate || !avctx->bit_rate) { s->no_bitrate = 1; - avctx->bit_rate += (bit_rate - avctx->bit_rate) / s->header_count; + avctx->bit_rate += (bit_rate - avctx->bit_rate) / (s->header_count - header_threshold); } } break; From 2be7d565bb2af0e5041378e74227520790f50257 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 8 Nov 2014 10:48:37 +0100 Subject: [PATCH 0123/1352] Remove fminf() emulation. The emulation is unused and causes compilation trouble on systems where fminf() is defined in but missing from libm. This should fix compilation on Debian powerpcspe. (cherry picked from commit 4436a8f44dedc83767b3d9da9beb85d1fae2ca30) --- configure | 2 -- libavutil/libm.h | 10 ---------- 2 files changed, 12 deletions(-) diff --git a/configure b/configure index 3974b94c14..af02064036 100755 --- a/configure +++ b/configure @@ -1668,7 +1668,6 @@ MATH_FUNCS=" exp2 exp2f expf - fminf isinf isnan ldexpf @@ -4782,7 +4781,6 @@ disabled crystalhd || check_lib libcrystalhd/libcrystalhd_if.h DtsCrystalHDVersi atan2f_args=2 ldexpf_args=2 powf_args=2 -fminf_args=2 for func in $MATH_FUNCS; do eval check_mathfunc $func \${${func}_args:-1} diff --git a/libavutil/libm.h b/libavutil/libm.h index 28d5df871b..6c17b287b4 100644 --- a/libavutil/libm.h +++ b/libavutil/libm.h 
@@ -82,16 +82,6 @@ static av_always_inline float cbrtf(float x) #define exp2f(x) ((float)exp2(x)) #endif /* HAVE_EXP2F */ -#if !HAVE_FMINF -#undef fminf -static av_always_inline av_const float fminf(float x, float y) -{ - //Note, the NaN special case is needed for C spec compliance, it should be - //optimized away if the users compiler is configured to assume no NaN - return x > y ? y : (x == x ? x : y); -} -#endif - #if !HAVE_ISINF static av_always_inline av_const int isinf(float x) { From 56e11cbe323747ed07ea9ce7823876ea2a9221f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Nov 2014 12:43:50 +0100 Subject: [PATCH 0124/1352] Revert "v4l2: setting device parameters early" This reverts commit b1ad9312331759679a9c956233716a67ae681d89. Fixes Ticket #3517 Requested-by: Giorgio Vazzana Merged-by: Michael Niedermayer (cherry picked from commit 6f21fb793238ab6a790b94b86084148d99373ddf) Conflicts: libavdevice/v4l2.c --- libavdevice/v4l2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index cf7a92cdd4..8bfe3de253 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -873,9 +873,6 @@ static int v4l2_read_header(AVFormatContext *ctx) avpriv_set_pts_info(st, 64, 1, 1000000); /* 64 bits pts in us */ - if ((res = v4l2_set_parameters(ctx)) < 0) - goto fail; - if (s->pixel_format) { AVCodec *codec = avcodec_find_decoder_by_name(s->pixel_format); @@ -926,6 +923,9 @@ static int v4l2_read_header(AVFormatContext *ctx) s->frame_format = desired_format; + if ((res = v4l2_set_parameters(ctx)) < 0) + goto fail; + st->codec->pix_fmt = avpriv_fmt_v4l2ff(desired_format, codec_id); s->frame_size = avpicture_get_size(st->codec->pix_fmt, s->width, s->height); From 3e0802e42b07e4c9262240aa2caf208eebac70a2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Wed, 12 Nov 2014 09:53:01 +0100 Subject: [PATCH 0125/1352] configure: Hack to treat x32 as x86_64. Allows shared compilation on x32 with --disable-asm. (cherry picked from commit 5e8e2f3861dfbc4864490401c5209fbc24df3c29) --- configure | 3 +++ 1 file changed, 3 insertions(+) diff --git a/configure b/configure index af02064036..83983cc7c1 100755 --- a/configure +++ b/configure @@ -3933,6 +3933,9 @@ case "$arch" in ;; x86) check_64bit x86_32 x86_64 'sizeof(void *) > 4' + # Treat x32 as x64 for now. Note it also needs spic=$shared + test "$subarch" = "x86_32" && check_cpp_condition stddef.h 'defined(__x86_64__)' && + subarch=x86_64 if test "$subarch" = "x86_64"; then spic=$shared fi From 12700b0219521a5f20c8ba47b3ad7857ea9e0554 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 14 Nov 2014 20:20:50 +0100 Subject: [PATCH 0126/1352] mp3enc: fix a triggerable assert We have to check against the number of bytes actually needed, not the theoretical maximum size. --- libavformat/mp3enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c index 476d7f71cb..1eaa585eeb 100644 --- a/libavformat/mp3enc.c +++ b/libavformat/mp3enc.c @@ -196,7 +196,7 @@ static void mp3_write_xing(AVFormatContext *s) avpriv_mpegaudio_decode_header(&mpah, header); - av_assert0(mpah.frame_size >= XING_MAX_SIZE); + av_assert0(mpah.frame_size >= bytes_needed); ffio_fill(s->pb, 0, xing_offset); mp3->xing_offset = avio_tell(s->pb); From cc9c74ea877392a8ee44724a9c588802225503c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Nov 2014 02:49:12 +0100 Subject: [PATCH 0127/1352] avformat/segment: export inner muxer timebase Fixes "Non-monotonous DTS in output stream 0:0" Fixes Ticket4020 Signed-off-by: Michael Niedermayer (cherry picked from commit ce80f9fee97160049687bbbef4eb31a68166c3ee) --- libavformat/segment.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
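Review bot: `av_assert0(mpah.frame_size >= bytes_needed);` in mp3_write_xing() still aborts the whole process when the comparison fails, and the commit title itself calls the previous form triggerable. If any combination of stream parameters reaching the muxer can still make frame_size smaller than bytes_needed, skipping the Xing header is safer than an assert in library code, for example `if (mpah.frame_size < bytes_needed) return;` preceded by a warning via av_log(). Whether that state remains reachable after this change cannot be told from the hunk, and the function body continues outside it.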
diff --git a/libavformat/segment.c b/libavformat/segment.c index f35bbef8dc..eb1cfee4f3 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -567,6 +567,7 @@ static int seg_write_header(AVFormatContext *s) AVFormatContext *oc = NULL; AVDictionary *options = NULL; int ret; + int i; seg->segment_count = 0; if (!seg->write_header_trailer) @@ -672,6 +673,13 @@ static int seg_write_header(AVFormatContext *s) } seg->segment_frame_count = 0; + av_assert0(s->nb_streams == oc->nb_streams); + for (i = 0; i < s->nb_streams; i++) { + AVStream *inner_st = oc->streams[i]; + AVStream *outer_st = s->streams[i]; + avpriv_set_pts_info(outer_st, inner_st->pts_wrap_bits, inner_st->time_base.num, inner_st->time_base.den); + } + if (oc->avoid_negative_ts > 0 && s->avoid_negative_ts < 0) s->avoid_negative_ts = 1; From e5f5df37c8e1972fb5ac3262600dcf3a009242bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Nov 2014 00:09:36 +0100 Subject: [PATCH 0128/1352] avformat/dtsdec: dts_probe: check reserved bit, check lfe, check sr_code similarity Fixes misdetection of s16le Fixes Ticket4109 Signed-off-by: Michael Niedermayer (cherry picked from commit 0dba982bb4f711447fcbb62d381d24f820c35084) --- libavformat/dtsdec.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/libavformat/dtsdec.c b/libavformat/dtsdec.c index f6a939a1d8..d054f43537 100644 --- a/libavformat/dtsdec.c +++ b/libavformat/dtsdec.c @@ -34,7 +34,7 @@ static int dts_probe(AVProbeData *p) { const uint8_t *buf, *bufp; uint32_t state = -1; - int markers[4] = {0}; + int markers[4*16] = {0}; int sum, max, i; int64_t diff = 0; uint8_t hdr[12 + FF_INPUT_BUFFER_PADDING_SIZE] = { 0 }; @@ -43,6 +43,7 @@ static int dts_probe(AVProbeData *p) for(; buf < (p->buf+p->buf_size)-2; buf+=2) { int marker, sample_blocks, sample_rate, sr_code, framesize; + int lfe; GetBitContext gb; bufp = buf; 
@@ -89,13 +90,27 @@ static int dts_probe(AVProbeData *p) if (sample_rate == 0) continue; + get_bits(&gb, 5); + if (get_bits(&gb, 1)) + continue; + + skip_bits_long(&gb, 9); + lfe = get_bits(&gb, 2); + if (lfe > 2) + continue; + + marker += 4* sr_code; + markers[marker] ++; } - sum = markers[0] + markers[1] + markers[2] + markers[3]; - max = 0; - for (i=1; i<4; i++) + + sum = max = 0; + for (i=0; i 3 && p->buf_size / markers[max] < 32*1024 && markers[max] * 4 > sum * 3 && diff / p->buf_size > 200) From 633a2a082fc1b1b50a70992a181ff48db7acdab4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Oct 2014 02:05:54 +0200 Subject: [PATCH 0129/1352] swscale: support internal scaler cascades Fixes Ticket3170 Signed-off-by: Michael Niedermayer (cherry picked from commit fba894615d694584057adb0ddb4d609486cad807) Conflicts: libswscale/version.h --- libswscale/swscale.c | 13 +++++++++ libswscale/swscale_internal.h | 10 +++++++ libswscale/utils.c | 54 ++++++++++++++++++++++++++++------- 3 files changed, 66 insertions(+), 11 deletions(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 59ead121d9..43b8740f9c 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -27,6 +27,7 @@ #include "libavutil/avutil.h" #include "libavutil/bswap.h" #include "libavutil/cpu.h" +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "libavutil/mathematics.h" #include "libavutil/pixdesc.h" 
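Review bot: `markers[marker] ++;` after `marker += 4* sr_code;` in dts_probe() stays inside the `markers[4*16]` array declared in the first hunk only while marker is 0..3 and sr_code is below 16. Both values are assigned outside this hunk, so the bound cannot be checked here. Since the probe runs on arbitrary input, a comment at the increment should state the invariant, for example `/* marker is 0..3 and sr_code is a 4-bit field, so the index is < FF_ARRAY_ELEMS(markers) */`. The summing loop should take its limit from `FF_ARRAY_ELEMS(markers)` rather than a literal. That loop is not fully legible on this page, so it is not reviewed here.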
@@ -899,6 +900,18 @@ int attribute_align_arg sws_scale(struct SwsContext *c, av_log(c, AV_LOG_ERROR, "One of the input parameters to sws_scale() is NULL, please check the calling code\n"); return 0; } + if (c->cascaded_context[0] && srcSliceY == 0 && srcSliceH == c->cascaded_context[0]->srcH) { + ret = sws_scale(c->cascaded_context[0], + srcSlice, srcStride, srcSliceY, srcSliceH, + c->cascaded_tmp, c->cascaded_tmpStride); + if (ret < 0) + return ret; + ret = sws_scale(c->cascaded_context[1], + (const uint8_t * const * )c->cascaded_tmp, c->cascaded_tmpStride, 0, c->cascaded_context[0]->dstH, + dst, dstStride); + return ret; + } + memcpy(src2, srcSlice, sizeof(src2)); memcpy(dst2, dst, sizeof(dst2)); diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 335e1f8d7e..f6932943b8 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -61,6 +61,8 @@ # define APCK_SIZE 16 #endif +#define RETCODE_USE_CASCADE -12345 + struct SwsContext; typedef enum SwsDither { @@ -301,6 +303,14 @@ typedef struct SwsContext { int sliceDir; ///< Direction that slices are fed to the scaler (1 = top-to-bottom, -1 = bottom-to-top). double param[2]; ///< Input parameters for scaling algorithms that need them. + /* The cascaded_* fields allow spliting a scaler task into multiple + * sequential steps, this is for example used to limit the maximum + * downscaling factor that needs to be supported in one scaler. + */ + struct SwsContext *cascaded_context[2]; + int cascaded_tmpStride[4]; + uint8_t *cascaded_tmp[4]; + uint32_t pal_yuv[256]; uint32_t pal_rgb[256]; diff --git a/libswscale/utils.c b/libswscale/utils.c index 56157001f0..01e056aef4 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -42,6 +42,7 @@ #include "libavutil/avutil.h" #include "libavutil/bswap.h" #include "libavutil/cpu.h" +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "libavutil/mathematics.h" #include "libavutil/opt.h" 
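Review bot: The new block in sws_scale() takes the cascade only when `srcSliceY == 0 && srcSliceH == c->cascaded_context[0]->srcH`; any other slice on a cascaded context falls through to the ordinary scaling path. In this same patch sws_init_context() sets up the cascade from its `fail:` label, which sits after `c->swscale = ff_getSwsFunc(c);`, so the outer context appears to reach that path without its own scaler function or complete filters. Sliced calls on a cascaded context should be rejected explicitly right after the block, for example `if (c->cascaded_context[0]) return AVERROR(EINVAL);` together with an error log. The rest of sws_scale() is outside the hunk.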
@@ -582,8 +583,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, goto fail; if (filterSize >= MAX_FILTER_SIZE * 16 / ((flags & SWS_ACCURATE_RND) ? APCK_SIZE : 16)) { - av_log(NULL, AV_LOG_ERROR, "sws: filterSize %d is too large, try less extreme scaling or set --sws-max-filter-size and recompile\n", - FF_CEIL_RSHIFT((filterSize+1) * ((flags & SWS_ACCURATE_RND) ? APCK_SIZE : 16), 4)); + ret = RETCODE_USE_CASCADE; goto fail; } *outFilterSize = filterSize; @@ -675,7 +675,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, fail: if(ret < 0) - av_log(NULL, AV_LOG_ERROR, "sws: initFilter failed\n"); + av_log(NULL, ret == RETCODE_USE_CASCADE ? AV_LOG_DEBUG : AV_LOG_ERROR, "sws: initFilter failed\n"); av_free(filter); av_free(filter2); return ret; @@ -970,6 +970,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, enum AVPixelFormat dstFormat = c->dstFormat; const AVPixFmtDescriptor *desc_src; const AVPixFmtDescriptor *desc_dst; + int ret = 0; cpu_flags = av_get_cpu_flags(); flags = c->flags; 
@@ -1295,23 +1296,23 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, const int filterAlign = X86_MMX(cpu_flags) ? 4 : PPC_ALTIVEC(cpu_flags) ? 8 : 1; - if (initFilter(&c->hLumFilter, &c->hLumFilterPos, + if ((ret = initFilter(&c->hLumFilter, &c->hLumFilterPos, &c->hLumFilterSize, c->lumXInc, srcW, dstW, filterAlign, 1 << 14, (flags & SWS_BICUBLIN) ? (flags | SWS_BICUBIC) : flags, cpu_flags, srcFilter->lumH, dstFilter->lumH, c->param, get_local_pos(c, 0, 0, 0), - get_local_pos(c, 0, 0, 0)) < 0) + get_local_pos(c, 0, 0, 0))) < 0) goto fail; - if (initFilter(&c->hChrFilter, &c->hChrFilterPos, + if ((ret = initFilter(&c->hChrFilter, &c->hChrFilterPos, &c->hChrFilterSize, c->chrXInc, c->chrSrcW, c->chrDstW, filterAlign, 1 << 14, (flags & SWS_BICUBLIN) ? (flags | SWS_BILINEAR) : flags, cpu_flags, srcFilter->chrH, dstFilter->chrH, c->param, get_local_pos(c, c->chrSrcHSubSample, c->src_h_chr_pos, 0), - get_local_pos(c, c->chrDstHSubSample, c->dst_h_chr_pos, 0)) < 0) + get_local_pos(c, c->chrDstHSubSample, c->dst_h_chr_pos, 0))) < 0) goto fail; } } // initialize horizontal stuff 
@@ -1321,22 +1322,22 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, const int filterAlign = X86_MMX(cpu_flags) ? 2 : PPC_ALTIVEC(cpu_flags) ? 8 : 1; - if (initFilter(&c->vLumFilter, &c->vLumFilterPos, &c->vLumFilterSize, + if ((ret = initFilter(&c->vLumFilter, &c->vLumFilterPos, &c->vLumFilterSize, c->lumYInc, srcH, dstH, filterAlign, (1 << 12), (flags & SWS_BICUBLIN) ? (flags | SWS_BICUBIC) : flags, cpu_flags, srcFilter->lumV, dstFilter->lumV, c->param, get_local_pos(c, 0, 0, 1), - get_local_pos(c, 0, 0, 1)) < 0) + get_local_pos(c, 0, 0, 1))) < 0) goto fail; - if (initFilter(&c->vChrFilter, &c->vChrFilterPos, &c->vChrFilterSize, + if ((ret = initFilter(&c->vChrFilter, &c->vChrFilterPos, &c->vChrFilterSize, c->chrYInc, c->chrSrcH, c->chrDstH, filterAlign, (1 << 12), (flags & SWS_BICUBLIN) ? (flags | SWS_BILINEAR) : flags, cpu_flags, srcFilter->chrV, dstFilter->chrV, c->param, get_local_pos(c, c->chrSrcVSubSample, c->src_v_chr_pos, 1), - get_local_pos(c, c->chrDstVSubSample, c->dst_v_chr_pos, 1)) < 0) + get_local_pos(c, c->chrDstVSubSample, c->dst_v_chr_pos, 1))) < 0) goto fail; 
@@ -1490,6 +1491,32 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, c->swscale = ff_getSwsFunc(c); return 0; fail: // FIXME replace things by appropriate error codes + if (ret == RETCODE_USE_CASCADE) { + int tmpW = sqrt(srcW * (int64_t)dstW); + int tmpH = sqrt(srcH * (int64_t)dstH); + enum AVPixelFormat tmpFormat = AV_PIX_FMT_YUV420P; + + if (srcW*(int64_t)srcH <= 4LL*dstW*dstH) + return AVERROR(EINVAL); + + ret = av_image_alloc(c->cascaded_tmp, c->cascaded_tmpStride, + tmpW, tmpH, tmpFormat, 64); + if (ret < 0) + return ret; + + c->cascaded_context[0] = sws_getContext(srcW, srcH, srcFormat, + tmpW, tmpH, tmpFormat, + flags, srcFilter, NULL, c->param); + if (!c->cascaded_context[0]) + return -1; + + c->cascaded_context[1] = sws_getContext(tmpW, tmpH, tmpFormat, + dstW, dstH, dstFormat, + flags, NULL, dstFilter, c->param); + if (!c->cascaded_context[1]) + return -1; + return 0; + } return -1; } @@ -1901,6 +1928,11 @@ void sws_freeContext(SwsContext *c) av_freep(&c->yuvTable); av_freep(&c->formatConvBuffer); + sws_freeContext(c->cascaded_context[0]); + sws_freeContext(c->cascaded_context[1]); + memset(c->cascaded_context, 0, sizeof(c->cascaded_context)); + av_freep(&c->cascaded_tmp[0]); + av_free(c); } From 222236317bf4554bc49e7750ea35556bf902940e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Nov 2014 23:53:08 +0100 Subject: [PATCH 0130/1352] swscale/utils: support bayer input + scaling, and bayer input + any supported output Fixes Ticket4053 Signed-off-by: Michael Niedermayer (cherry picked from commit 2f6bb86f85886a7fb36e8a10e4dd8cc3a1849377) --- libswscale/utils.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 01e056aef4..0c8a83aa81 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
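Review bot: When the cascade is refused at `if (srcW*(int64_t)srcH <= 4LL*dstW*dstH) return AVERROR(EINVAL);`, nothing is reported at error level. The same patch removes the "filterSize %d is too large" message from initFilter() and lowers "initFilter failed" to AV_LOG_DEBUG for RETCODE_USE_CASCADE, so the caller gets a bare EINVAL with no reason. An error log before that return would keep the failure diagnosable, for example `av_log(c, AV_LOG_ERROR, "filter size too large and scaling ratio too small for a cascade\n");`. The two `return -1;` statements after sws_getContext() would also read better as AVERROR codes, which the `// FIXME replace things by appropriate error codes` comment on the label already asks for.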
@@ -1228,6 +1228,31 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, } } + if (isBayer(srcFormat)) { + if (!unscaled || + (dstFormat != AV_PIX_FMT_RGB24 && dstFormat != AV_PIX_FMT_YUV420P)) { + enum AVPixelFormat tmpFormat = AV_PIX_FMT_RGB24; + + ret = av_image_alloc(c->cascaded_tmp, c->cascaded_tmpStride, + srcW, srcH, tmpFormat, 64); + if (ret < 0) + return ret; + + c->cascaded_context[0] = sws_getContext(srcW, srcH, srcFormat, + srcW, srcH, tmpFormat, + flags, srcFilter, NULL, c->param); + if (!c->cascaded_context[0]) + return -1; + + c->cascaded_context[1] = sws_getContext(srcW, srcH, tmpFormat, + dstW, dstH, dstFormat, + flags, NULL, dstFilter, c->param); + if (!c->cascaded_context[1]) + return -1; + return 0; + } + } + #define USE_MMAP (HAVE_MMAP && HAVE_MPROTECT && defined MAP_ANONYMOUS) /* precalculate horizontal scaler filter coefficients */ From e386241d54a0cc39b4513a4cfc250630c1d560ba Mon Sep 17 00:00:00 2001 From: Peter Ross Date: Sun, 9 Nov 2014 12:05:41 +1100 Subject: [PATCH 0131/1352] cinedec: report white balance gain coefficients using metadata Signed-off-by: Michael Niedermayer (cherry picked from commit 2093c1dc51ee1c08cb558759a1c59e6d1e3358a0) --- libavformat/cinedec.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index 9eed006e53..0583ce020a 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -27,6 +27,7 @@ #include "libavutil/intreadwrite.h" #include "libavcodec/bmp.h" +#include "libavutil/intfloat.h" #include "avformat.h" #include "internal.h" 
@@ -78,6 +79,16 @@ static int set_metadata_int(AVDictionary **dict, const char *key, int value, int return 0; } +static int set_metadata_float(AVDictionary **dict, const char *key, float value, int allow_zero) +{ + if (value != 0 || allow_zero) { + char tmp[64]; + snprintf(tmp, sizeof(tmp), "%f", value); + return av_dict_set(dict, key, tmp, 0); + } + return 0; +} + static int cine_read_header(AVFormatContext *avctx) { AVIOContext *pb = avctx->pb; @@ -177,7 +188,10 @@ static int cine_read_header(AVFormatContext *avctx) set_metadata_int(&st->metadata, "contrast", avio_rl32(pb), 1); set_metadata_int(&st->metadata, "gamma", avio_rl32(pb), 1); - avio_skip(pb, 72); // Reserved1 .. WBView + avio_skip(pb, 12 + 16); // Reserved1 .. AutoExpRect + set_metadata_float(&st->metadata, "wbgain[0].r", av_int2float(avio_rl32(pb)), 1); + set_metadata_float(&st->metadata, "wbgain[0].b", av_int2float(avio_rl32(pb)), 1); + avio_skip(pb, 36); // WBGain[1].. WBView st->codec->bits_per_coded_sample = avio_rl32(pb); From 057ee35924187979ae41f8c3f84fe16659a68656 Mon Sep 17 00:00:00 2001 From: Peter Ross Date: Fri, 14 Nov 2014 09:14:24 +1100 Subject: [PATCH 0132/1352] avfilter/vf_lut: gammaval709() See http://www.itu.int/rec/R-REC-BT.709 Item 1.2, overall opto-electronic transfer characteristics at source Signed-off-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit b186b7131e160d7e3ea8ef4c52745b56ddcb287b) --- libavfilter/vf_lut.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/libavfilter/vf_lut.c b/libavfilter/vf_lut.c index fff5a2ba31..0b7a2cac02 100644 --- a/libavfilter/vf_lut.c +++ b/libavfilter/vf_lut.c 
@@ -161,15 +161,32 @@ static double compute_gammaval(void *opaque, double gamma) return pow((val-minval)/(maxval-minval), gamma) * (maxval-minval)+minval; } +/** + * Compute Rec.709 gama correction of value val + */ +static double compute_gammaval709(void *opaque, double gamma) +{ + LutContext *s = opaque; + double val = s->var_values[VAR_CLIPVAL]; + double minval = s->var_values[VAR_MINVAL]; + double maxval = s->var_values[VAR_MAXVAL]; + double level = (val - minval) / (maxval - minval); + level = level < 0.018 ? 4.5 * level + : 1.099 * pow(level, 1.0 / gamma) - 0.099; + return level * (maxval - minval) + minval; +} + static double (* const funcs1[])(void *, double) = { (void *)clip, (void *)compute_gammaval, + (void *)compute_gammaval709, NULL }; static const char * const funcs1_names[] = { "clip", "gammaval", + "gammaval709", NULL }; From 944570906b7433846352cbb14730e96e94d232ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Nov 2014 03:08:20 +0100 Subject: [PATCH 0133/1352] avformat/avidec: fix handling dv in avi Fixes Ticket4086 Signed-off-by: Michael Niedermayer (cherry picked from commit f0ae0354d3f04c369257c2a28557524d28c5df15) --- libavformat/avidec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 5b260e2542..a73bf98474 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1141,7 +1141,7 @@ start_sync: goto start_sync; } - n = avi->dv_demux ? 0 : get_stream_idx(d); + n = get_stream_idx(d); if (!((i - avi->last_pkt_pos) & 1) && get_stream_idx(d + 1) < s->nb_streams) @@ -1153,6 +1153,9 @@ start_sync: goto start_sync; } + if (avi->dv_demux && n != 0) + continue; + // parse ##dc/##wb if (n < s->nb_streams) { AVStream *st; From 46a17d886b8559723c40b9f5cdf0e0c6b1c95180 Mon Sep 17 00:00:00 2001 
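Review bot: The doc comment on compute_gammaval709() misspells "gamma" and does not mention that the argument is applied as `pow(level, 1.0 / gamma)`, the inverse of compute_gammaval() just above, which uses `pow(..., gamma)`. A user switching between `gammaval` and `gammaval709` would get opposite curves for the same number. Suggested wording: `/** Compute the Rec.709 gamma correction of value val; the exponent applied is 1.0 / gamma. */`. A `gamma` of 0 makes that exponent infinite, and no check is visible in the hunk, so the valid range is worth documenting too.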
From: Anton Khirnov Date: Sun, 23 Nov 2014 21:25:05 +0100 Subject: [PATCH 0134/1352] lavu: add wrappers for the pthreads mutex API Also add no-op fallbacks when threading is disabled. This helps keeping the code clean if Libav is compiled for targets without threading. Since we assume that no threads of any kind are used in such configurations, doing nothing is ok by definition. Based on a patch by wm4 . (cherry picked from commit 2443e522f0059176ff8717c9c753eb6fe7e7bbf1) Signed-off-by: Anton Khirnov --- libavutil/thread.h | 53 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 libavutil/thread.h diff --git a/libavutil/thread.h b/libavutil/thread.h new file mode 100644 index 0000000000..07e3d4ac45 --- /dev/null +++ b/libavutil/thread.h 
@@ -0,0 +1,53 @@ +/* + * This file is part of Libav. + * + * Libav is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * Libav is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with Libav; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +// This header should only be used to simplify code where +// threading is optional, not as a generic threading abstraction. + +#ifndef AVUTIL_THREAD_H +#define AVUTIL_THREAD_H + +#include "config.h" + +#if HAVE_PTHREADS || HAVE_W32THREADS + +#if HAVE_PTHREADS +#include +#else +#include +#endif + +#define AVMutex pthread_mutex_t + +#define ff_mutex_init pthread_mutex_init +#define ff_mutex_lock pthread_mutex_lock +#define ff_mutex_unlock pthread_mutex_unlock +#define ff_mutex_destroy pthread_mutex_destroy + +#else + +#define AVMutex char + +#define ff_mutex_init(mutex, attr) (0) +#define ff_mutex_lock(mutex) (0) +#define ff_mutex_unlock(mutex) (0) +#define ff_mutex_destroy(mutex) (0) + +#endif + +#endif /* AVUTIL_THREAD_H */ From 517ce1d09b5e6b72afc2ef9490b5f8ca42fa6a65 Mon Sep 17 00:00:00 2001 
From: wm4 Date: Fri, 14 Nov 2014 13:34:50 +0100 Subject: [PATCH 0135/1352] lavu: fix memory leaks by using a mutex instead of atomics The buffer pool has to atomically add and remove entries from the linked list of available buffers. This was done by removing the entire list with a CAS operation, working on it, and then setting it back again (using a retry-loop in case another thread was doing the same thing). This could effectively cause memory leaks: while a thread was working on the buffer list, other threads would allocate new buffers, increasing the pool's total size. There was no real leak, but since these extra buffers were not needed, but not free'd either (except when the buffer pool was destroyed), this had the same effects as a real leak. For some reason, growth was exponential, and could easily kill the process due to OOM in real-world uses. Fix this by using a mutex to protect the list operations. The fancy way atomics remove the whole list to work on it is not needed anymore, which also avoids the situation which was causing the leak. Signed-off-by: Anton Khirnov (cherry picked from commit fbd6c97f9ca858140df16dd07200ea0d4bdc1a83) Signed-off-by: Anton Khirnov --- libavutil/buffer.c | 79 ++++++++++++------------------------- libavutil/buffer_internal.h | 6 ++- 2 files changed, 29 insertions(+), 56 deletions(-) diff --git a/libavutil/buffer.c b/libavutil/buffer.c index 2b38081e1d..1bc4a93f38 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -23,6 +23,7 @@ #include "buffer_internal.h" #include "common.h" #include "mem.h" +#include "thread.h" AVBufferRef *av_buffer_create(uint8_t *data, int size, void (*free)(void *opaque, uint8_t *data), @@ -199,6 +200,8 @@ AVBufferPool *av_buffer_pool_init(int size, AVBufferRef* (*alloc)(int size)) if (!pool) return NULL; + ff_mutex_init(&pool->mutex, NULL); + pool->size = size; pool->alloc = alloc ? alloc : av_buffer_alloc; 
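Review bot: The result of `ff_mutex_init(&pool->mutex, NULL);` in av_buffer_pool_init() is ignored, so if the underlying mutex initialisation fails the pool is returned with a mutex that every later lock and unlock would use uninitialised. The call should be checked and the pool released on failure, for example `if (ff_mutex_init(&pool->mutex, NULL)) { av_freep(&pool); return NULL; }`. In the later hunk of this patch av_buffer_pool_get() calls pool_alloc_buffer() while holding the same mutex, which serialises allocation across threads. A comment there should say whether that is intended.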
@@ -220,6 +223,7 @@ static void buffer_pool_free(AVBufferPool *pool) buf->free(buf->opaque, buf->data); av_freep(&buf); } + ff_mutex_destroy(&pool->mutex); av_freep(&pool); } @@ -236,47 +240,16 @@ void av_buffer_pool_uninit(AVBufferPool **ppool) buffer_pool_free(pool); } -/* remove the whole buffer list from the pool and return it */ -static BufferPoolEntry *get_pool(AVBufferPool *pool) -{ - BufferPoolEntry *cur = NULL, *last = NULL; - - do { - FFSWAP(BufferPoolEntry*, cur, last); - cur = avpriv_atomic_ptr_cas((void * volatile *)&pool->pool, last, NULL); - if (!cur) - return NULL; - } while (cur != last); - - return cur; -} - -static void add_to_pool(BufferPoolEntry *buf) -{ - AVBufferPool *pool; - BufferPoolEntry *cur, *end = buf; - - if (!buf) - return; - pool = buf->pool; - - while (end->next) - end = end->next; - - while ((cur = avpriv_atomic_ptr_cas((void * volatile *)&pool->pool, NULL, buf))) { - /* pool is not empty, retrieve it and append it to our list */ - cur = get_pool(pool); - end->next = cur; - while (end->next) - end = end->next; - } -} - static void pool_release_buffer(void *opaque, uint8_t *data) { BufferPoolEntry *buf = opaque; AVBufferPool *pool = buf->pool; - add_to_pool(buf); + + ff_mutex_lock(&pool->mutex); + buf->next = pool->pool; + pool->pool = buf; + ff_mutex_unlock(&pool->mutex); + if (!avpriv_atomic_int_add_and_fetch(&pool->refcount, -1)) buffer_pool_free(pool); } @@ -306,8 +279,6 @@ static AVBufferRef *pool_alloc_buffer(AVBufferPool *pool) ret->buffer->opaque = buf; ret->buffer->free = pool_release_buffer; - avpriv_atomic_int_add_and_fetch(&pool->refcount, 1); - return ret; } 
@@ -316,22 +287,22 @@ AVBufferRef *av_buffer_pool_get(AVBufferPool *pool) AVBufferRef *ret; BufferPoolEntry *buf; - /* check whether the pool is empty */ - buf = get_pool(pool); - if (!buf) - return pool_alloc_buffer(pool); - - /* keep the first entry, return the rest of the list to the pool */ - add_to_pool(buf->next); - buf->next = NULL; - - ret = av_buffer_create(buf->data, pool->size, pool_release_buffer, - buf, 0); - if (!ret) { - add_to_pool(buf); - return NULL; + ff_mutex_lock(&pool->mutex); + buf = pool->pool; + if (buf) { + ret = av_buffer_create(buf->data, pool->size, pool_release_buffer, + buf, 0); + if (ret) { + pool->pool = buf->next; + buf->next = NULL; + } + } else { + ret = pool_alloc_buffer(pool); } - avpriv_atomic_int_add_and_fetch(&pool->refcount, 1); + ff_mutex_unlock(&pool->mutex); + + if (ret) + avpriv_atomic_int_add_and_fetch(&pool->refcount, 1); return ret; } diff --git a/libavutil/buffer_internal.h b/libavutil/buffer_internal.h index cce83c3cd1..1032a543e5 100644 --- a/libavutil/buffer_internal.h +++ b/libavutil/buffer_internal.h @@ -22,6 +22,7 @@ #include #include "buffer.h" +#include "thread.h" /** * The buffer is always treated as read-only. @@ -68,11 +69,12 @@ typedef struct BufferPoolEntry { void (*free)(void *opaque, uint8_t *data); AVBufferPool *pool; - struct BufferPoolEntry * volatile next; + struct BufferPoolEntry *next; } BufferPoolEntry; struct AVBufferPool { - BufferPoolEntry * volatile pool; + AVMutex mutex; + BufferPoolEntry *pool; /* * This is used to track when the pool is to be freed. From ca78ee73db9e059f501706ba6108e23902e84933 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 24 Nov 2014 11:16:46 +0100 Subject: [PATCH 0136/1352] opusdec: make sure all substreams have the same number of coded samples Fixes invalid writes with invalid multichannel streams. CC:libav-stable@libav.org (cherry picked from commit 1973079417e8701b52ba810a72cb6c7c6f7f9a56) 
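Review bot: In av_buffer_pool_get the `else` branch calls `pool_alloc_buffer(pool)` while `pool->mutex` is still held, so the caller-supplied alloc callback runs under the pool lock. That serialises every allocation behind the free-list lock, and a callback that releases a buffer of the same pool would re-enter pool_release_buffer and block on the mutex it already holds. The free list is not touched on that path, so the branch could move below the unlock: keep only the `if (buf)` part between lock and unlock and run `if (!buf) ret = pool_alloc_buffer(pool);` after `ff_mutex_unlock(&pool->mutex);`. Most of pool_alloc_buffer is outside the visible hunks, so confirm it reads no list state first; if the lock has to stay, a comment stating that alloc callbacks must not call back into the pool would document the constraint.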
Signed-off-by: Anton Khirnov --- libavcodec/opusdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index bf3a54b16b..771922e973 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -500,6 +500,12 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, av_log(avctx, AV_LOG_ERROR, "Error parsing the packet header.\n"); return ret; } + if (coded_samples != s->packet.frame_count * s->packet.frame_duration) { + av_log(avctx, AV_LOG_ERROR, + "Mismatching coded sample count in substream %d.\n", i); + return AVERROR_INVALIDDATA; + } + s->silk_samplerate = get_silk_samplerate(s->packet.config); } From f783259fdb37e288643fe54ac162d723b1bec548 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Nov 2014 01:01:17 +0100 Subject: [PATCH 0137/1352] avutil/buffer: use the old atomics based code for the release branch the old code worked fine for a long time and was not affected by the bug the new code fixes and the new is not widely tested yet. This can be reverted once the code received more testing in master Signed-off-by: Michael Niedermayer --- libavutil/buffer.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/buffer.c b/libavutil/buffer.c index 0f9f1a2992..4e2a94bfe8 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -25,7 +25,8 @@ #include "mem.h" #include "thread.h" -#define USE_ATOMICS !(HAVE_PTHREADS || HAVE_W32THREADS) +//#define USE_ATOMICS !(HAVE_PTHREADS || HAVE_W32THREADS) +#define USE_ATOMICS 1 // can be changed to the above once it received more testing in master AVBufferRef *av_buffer_create(uint8_t *data, int size, void (*free)(void *opaque, uint8_t *data), From 0e216ed40789e382eb6725d1cd0941927bfd1400 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 28 Nov 2014 01:17:56 +0100 Subject: [PATCH 0138/1352] avutil/buffer_internal: leave the buffer pool entries volatile Theres no reason to remove the volatile keyword in a release branch Signed-off-by: Michael Niedermayer --- libavutil/buffer_internal.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/buffer_internal.h b/libavutil/buffer_internal.h index e6530485d3..befeb684ae 100644 --- a/libavutil/buffer_internal.h +++ b/libavutil/buffer_internal.h @@ -69,12 +69,12 @@ typedef struct BufferPoolEntry { void (*free)(void *opaque, uint8_t *data); AVBufferPool *pool; - struct BufferPoolEntry *next; + struct BufferPoolEntry * volatile next; } BufferPoolEntry; struct AVBufferPool { AVMutex mutex; - BufferPoolEntry *pool; + BufferPoolEntry * volatile pool; /* * This is used to track when the pool is to be freed. From 9984d492dc51249c3f656d50b90c36e7540002f2 Mon Sep 17 00:00:00 2001 From: Michael Stypa Date: Fri, 28 Nov 2014 15:54:50 +0100 Subject: [PATCH 0139/1352] fix Makefile objects for pulseaudio support Signed-off-by: Michael Niedermayer (cherry picked from commit cb58c771ade66afcc623250e1c7ac8191381d991) Signed-off-by: Michael Niedermayer --- libavdevice/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/Makefile b/libavdevice/Makefile index db301e7112..d700d9a7ec 100644 --- a/libavdevice/Makefile +++ b/libavdevice/Makefile @@ -34,7 +34,7 @@ OBJS-$(CONFIG_OPENGL_OUTDEV) += opengl_enc.o OBJS-$(CONFIG_OSS_INDEV) += oss_audio.o oss_audio_dec.o OBJS-$(CONFIG_OSS_OUTDEV) += oss_audio.o oss_audio_enc.o OBJS-$(CONFIG_PULSE_INDEV) += pulse_audio_dec.o \ - pulse_audio_common.o + pulse_audio_common.o timefilter.o OBJS-$(CONFIG_PULSE_OUTDEV) += pulse_audio_enc.o \ pulse_audio_common.o OBJS-$(CONFIG_QTKIT_INDEV) += qtkit.o From 89b52d25b4b847f58bab32901064803f79ac68df Mon Sep 17 00:00:00 2001 
From: Dave Yeo Date: Fri, 28 Nov 2014 23:34:20 -0800 Subject: [PATCH 0140/1352] libavutil/thread.h: Support OS/2 threads Signed-off-by: Michael Niedermayer (cherry picked from commit 090a7801a8817c1fbc6db0ed39070bf82255d8f2) Signed-off-by: Michael Niedermayer --- libavutil/thread.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavutil/thread.h b/libavutil/thread.h index 62e1340ceb..a004fba3c8 100644 --- a/libavutil/thread.h +++ b/libavutil/thread.h @@ -24,10 +24,12 @@ #include "config.h" -#if HAVE_PTHREADS || HAVE_W32THREADS +#if HAVE_PTHREADS || HAVE_W32THREADS || HAVE_OS2THREADS #if HAVE_PTHREADS #include +#elif HAVE_OS2THREADS +#include "compat/os2threads.h" #else #include #endif From d48e0aed3c17284f4db71f644bcb5a5646c1cbe8 Mon Sep 17 00:00:00 2001 From: Dave Yeo Date: Fri, 28 Nov 2014 23:36:06 -0800 Subject: [PATCH 0141/1352] libavutil/threads.h: correct an include to be local Signed-off-by: Michael Niedermayer (cherry picked from commit 32eadfe453c32788ea57968e6e80f673f434739d) Signed-off-by: Michael Niedermayer --- libavutil/thread.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/thread.h b/libavutil/thread.h index a004fba3c8..973366182e 100644 --- a/libavutil/thread.h +++ b/libavutil/thread.h @@ -31,7 +31,7 @@ #elif HAVE_OS2THREADS #include "compat/os2threads.h" #else -#include +#include "compat/w32pthreads.h" #endif #define AVMutex pthread_mutex_t From 2719ba9ee35f2dd1243e67ae85889bcdbc4afe7b Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Thu, 30 Oct 2014 00:27:04 +0100 Subject: [PATCH 0142/1352] lavc/utils: Make pix_fmt desc pointer const. Fixes an "initialization discards qualifiers from pointer target type" warning. (cherry picked from commit f05855414ed4cce97c06ba2a31f4987af47e6d4e) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 4931444583..ca6fe2d8e4 100644 
--- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -279,7 +279,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int i; int w_align = 1; int h_align = 1; - AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(s->pix_fmt); + AVPixFmtDescriptor const *desc = av_pix_fmt_desc_get(s->pix_fmt); if (desc) { w_align = 1 << desc->log2_chroma_w; From f7e9fcda2df158171727d3a5691e22e312f35fdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Nov 2014 13:20:24 +0100 Subject: [PATCH 0143/1352] avcodec/options_table fix min of audio channels and sample rate Found-by: Lukasz Marek Signed-off-by: Michael Niedermayer (cherry picked from commit 206c98f303e833c9e94427c9e3f9867f85265f78) Signed-off-by: Michael Niedermayer --- libavcodec/options_table.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/options_table.h b/libavcodec/options_table.h index ad3d52ecdf..5e79f8204f 100644 --- a/libavcodec/options_table.h +++ b/libavcodec/options_table.h 
@@ -105,8 +105,8 @@ static const AVOption avcodec_options[] = { {"extradata_size", NULL, OFFSET(extradata_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, {"time_base", NULL, OFFSET(time_base), AV_OPT_TYPE_RATIONAL, {.dbl = 0}, INT_MIN, INT_MAX}, {"g", "set the group of picture (GOP) size", OFFSET(gop_size), AV_OPT_TYPE_INT, {.i64 = 12 }, INT_MIN, INT_MAX, V|E}, -{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E}, -{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|D|E}, +{"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, +{"ac", "set number of audio channels", OFFSET(channels), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, {"cutoff", "set cutoff bandwidth", OFFSET(cutoff), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E}, {"frame_size", NULL, OFFSET(frame_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, A|E}, {"frame_number", NULL, OFFSET(frame_number), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, From 11dfd1fa20fae31531a3c085cdcc00089dbcaa5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Nov 2014 19:44:20 +0100 Subject: [PATCH 0144/1352] avcodec/utvideodec: fix assumtation that slice_height >= 1 Fixes out of array read Fixes: asan_heap-oob_2573085_3783_utvideo_rgba_median.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7656c4c6e66f8a787d384f027ad824cc1677fda1) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index afd56ea1bd..05c943f808 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c 
@@ -224,7 +224,7 @@ static void restore_median(uint8_t *src, int step, int stride, A = bsrc[i]; } bsrc += stride; - if (slice_height == 1) + if (slice_height <= 1) continue; // second line - first element has top prediction, the rest uses median C = bsrc[-stride]; @@ -284,7 +284,7 @@ static void restore_median_il(uint8_t *src, int step, int stride, A = bsrc[stride + i]; } bsrc += stride2; - if (slice_height == 1) + if (slice_height <= 1) continue; // second line - first element has top prediction, the rest uses median C = bsrc[-stride2]; From cfda2a677c25f407fe4a93213e977e4a0106b3ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Nov 2014 23:07:50 +0100 Subject: [PATCH 0145/1352] avcodec/wmaprodec: Fix integer overflow in sfb_offsets initialization Fixes out of array read Fixes: asan_heap-oob_2aec5b0_1828_classical_22_16_2_16000_v3c_0_exclusive_0_29.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5dcb99033df16eccc4dbbc4a099ad64457f9f090) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index f45e1fcdbc..56d6d32831 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -422,6 +422,9 @@ static av_cold int decode_init(AVCodecContext *avctx) offset &= ~3; if (offset > s->sfb_offsets[i][band - 1]) s->sfb_offsets[i][band++] = offset; + + if (offset >= subframe_len) + break; } s->sfb_offsets[i][band - 1] = subframe_len; s->num_sfb[i] = band - 1; From cf8b91a28e9308d49ebc2a107f4a77ac28aeecbc Mon Sep 17 00:00:00 2001 From: Lukasz Marek Date: Tue, 11 Nov 2014 21:17:58 +0100 Subject: [PATCH 0146/1352] lavu/opt: fix av_opt_get function Signed-off-by: Lukasz Marek (cherry picked from commit 173d51c982f1ecaa8d28cd0d8611164be0c9d36d) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
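Review bot: The `slice_height <= 1` test in restore_median sits after the first-line pass (the loop ending in `A = bsrc[i];` and the `bsrc += stride;` that follows), so a slice of height 0 still has one row processed before the `continue`. That row is not part of the slice. Rejecting an empty slice before any row is touched, `if (!slice_height) continue;` placed right after slice_height is computed, would cover it. The computation is outside the hunk, so this is inferred from the visible lines. The same applies to the second hunk, in restore_median_il, where the first pass covers two rows (`bsrc[stride + i]`, `bsrc += stride2`).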
diff --git a/libavutil/opt.c b/libavutil/opt.c index ee72a96471..e9ed765781 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -725,6 +725,10 @@ int av_opt_get(void *obj, const char *name, int search_flags, uint8_t **out_val) return AVERROR(EINVAL); if (!(*out_val = av_malloc(len*2 + 1))) return AVERROR(ENOMEM); + if (!len) { + *out_val[0] = '\0'; + return 0; + } bin = *(uint8_t**)dst; for (i = 0; i < len; i++) snprintf(*out_val + i*2, 3, "%02X", bin[i]); @@ -740,12 +744,14 @@ int av_opt_get(void *obj, const char *name, int search_flags, uint8_t **out_val) break; case AV_OPT_TYPE_DURATION: i64 = *(int64_t *)dst; - ret = snprintf(buf, sizeof(buf), "%"PRIi64"d:%02d:%02d.%06d", + ret = snprintf(buf, sizeof(buf), "%"PRIi64":%02d:%02d.%06d", i64 / 3600000000, (int)((i64 / 60000000) % 60), (int)((i64 / 1000000) % 60), (int)(i64 % 1000000)); break; case AV_OPT_TYPE_COLOR: - ret = snprintf(buf, sizeof(buf), "0x%02x%02x%02x%02x", ((int *)dst)[0], ((int *)dst)[1], ((int *)dst)[2], ((int *)dst)[3]); + ret = snprintf(buf, sizeof(buf), "0x%02x%02x%02x%02x", + (int)((uint8_t *)dst)[0], (int)((uint8_t *)dst)[1], + (int)((uint8_t *)dst)[2], (int)((uint8_t *)dst)[3]); break; case AV_OPT_TYPE_CHANNEL_LAYOUT: i64 = *(int64_t *)dst; From a3fdc0b35bd78b7f89e8bd76cd7b4e912392d530 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Nov 2014 17:30:44 +0100 Subject: [PATCH 0147/1352] avcodec/mpeg4video_parser: fix spurious extradata parse warnings Signed-off-by: Michael Niedermayer (cherry picked from commit 7d37e45f6bac198bc986aeb987afe219edbbd45a) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4video_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4video_parser.c b/libavcodec/mpeg4video_parser.c index b7718f62d9..aa5e87a544 100644 --- a/libavcodec/mpeg4video_parser.c +++ b/libavcodec/mpeg4video_parser.c 
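Review bot: `*out_val[0] = '\0';` in the new zero-length branch parses as `*(out_val[0])`, which gives the intended byte only because the index is 0. Writing it as `(*out_val)[0] = '\0';` matches the `*out_val + i*2` expression used a few lines below and does not depend on that coincidence. av_opt_get starts and ends outside the hunk.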
@@ -88,7 +88,7 @@ static int mpeg4_decode_header(AVCodecParserContext *s1, AVCodecContext *avctx, if (avctx->extradata_size && pc->first_picture) { init_get_bits(gb, avctx->extradata, avctx->extradata_size * 8); ret = ff_mpeg4_decode_picture_header(dec_ctx, gb); - if (ret < 0) + if (ret < -1) av_log(avctx, AV_LOG_WARNING, "Failed to parse extradata\n"); } From 3bb48296ef0f54fad7d73c93a36e676ba391b037 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Nov 2014 04:02:56 +0100 Subject: [PATCH 0148/1352] avformat/hlsenc: Free context after hls_append_segment Fixes reading uninitialized memory Signed-off-by: Michael Niedermayer (cherry picked from commit 530eb6acf8ee867bf00728bf7efaf505da107e17) Conflicts: libavformat/hlsenc.c --- libavformat/hlsenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index cc142fa474..3fceb088f9 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -329,9 +329,10 @@ static int hls_write_trailer(struct AVFormatContext *s) av_write_trailer(oc); avio_closep(&oc->pb); - avformat_free_context(oc); av_free(hls->basename); hls_append_segment(hls, hls->duration); + avformat_free_context(oc); + hls->avf = NULL; hls_window(s, 1); hls_free_segments(hls); From 2abc6e930ba13af44a846438d63c9d06c0e285dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Nov 2014 11:52:17 +0100 Subject: [PATCH 0149/1352] doc/APIchanges: Fix some wrong versions Signed-off-by: Michael Niedermayer (cherry picked from commit 4eae568a0712b8b59cb74b3882963f938c26eab4) Conflicts: doc/APIchanges --- doc/APIchanges | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 8a280297e8..7dd110149f 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
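Review bot: `if (ret < -1)` gives the return value -1 of ff_mpeg4_decode_picture_header a special meaning that nothing in the hunk states, so the next reader cannot tell whether the warning was narrowed deliberately or by a typo. A one-line comment above the test naming the condition that yields -1 (presumably a non-fatal "no picture header in extradata" result, to be confirmed against that function) would settle it; comparing against a named constant would be better still. mpeg4_decode_header continues outside the hunk.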
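Review bot: The hlsenc hunk clears `hls->avf` after freeing the context, but `av_free(hls->basename);` on the line above still leaves a dangling pointer while `hls` goes on to be used by hls_append_segment, hls_window and hls_free_segments. Using `av_freep(&hls->basename);` would give it the same treatment as `hls->avf = NULL;`. Whether any of those callees reads basename is not visible here, so this is a hardening point rather than a confirmed defect.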
@@ -214,10 +214,10 @@ API changes, most recent first: 2014-05-11 - 14aef38 / 66e6c8a - lavu 52.83.100 / 53.14.0 - pixfmt.h Add AV_PIX_FMT_VDA for new-style VDA acceleration. -2014-05-xx - xxxxxxx - lavu 52.82.0 - fifo.h +2014-05-xx - xxxxxxx - lavu 52.82.100 - fifo.h Add av_fifo_freep() function. -2014-05-02 - ba52fb11 - lavu 52.81.0 - opt.h +2014-05-02 - ba52fb11 - lavu 52.81.100 - opt.h Add av_opt_set_dict2() function. 2014-05-01 - e77b985 / a2941c8 - lavc 55.60.103 / 55.50.3 - avcodec.h From af0a95ee033b61113a7059ac66e2f5776c90330c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Nov 2014 00:43:45 +0100 Subject: [PATCH 0150/1352] swscale/x86/rgb2rgb_template: handle the first 2 lines with C in rgb24toyv12_*() This avoids out of array accesses Should fix Ticket3451 Signed-off-by: Michael Niedermayer (cherry picked from commit 4388e78a0f022c8572996f9ab568a39b5f716f9d) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 3899d0a842..7796d384bb 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1634,6 +1634,16 @@ static inline void RENAME(rgb24toyv12)(const uint8_t *src, uint8_t *ydst, uint8_ #define BGR2V_IDX "16*4+16*34" int y; const x86_reg chromWidth= width>>1; + + if (height > 2) { + ff_rgb24toyv12_c(src, ydst, udst, vdst, width, 2, lumStride, chromStride, srcStride, rgb2yuv); + src += 2*srcStride; + ydst += 2*lumStride; + udst += chromStride; + vdst += chromStride; + height -= 2; + } + for (y=0; y Date: Tue, 25 Nov 2014 01:14:38 +0100 Subject: [PATCH 0151/1352] avcodec/mjpegdec: Check for pixfmtid 0x42111100 || 0x24111100 with more than 8 bits These cases are not supported yet Fixes assertion failure Fixes: signal_sigabrt_7ffff6ac7bb9_1_cov_1553101927_00.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
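Review bot: The C fallback added to rgb24toyv12 runs only when `height > 2`, so an image of one or two rows still goes entirely through the assembly loop. If the out-of-array access comes from how that loop treats its first rows, as the commit title suggests, those inputs are not covered. Nothing in the hunk says why exactly two rows are peeled off; a short comment above the block giving the reason would help. Either routing `height <= 2` to ff_rgb24toyv12_c as well or stating why the assembly path is safe for it would make the guard reviewable. The function body continues outside the hunk.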
Signed-off-by: Michael Niedermayer (cherry picked from commit 0bf416f2628137e5389050fa323c329692dd4ba6) Conflicts: libavcodec/mjpegdec.c --- libavcodec/mjpegdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 89666729ca..2cf55fd877 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -514,6 +514,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) else s->avctx->pix_fmt = AV_PIX_FMT_YUV420P16; s->avctx->color_range = s->cs_itu601 ? AVCOL_RANGE_MPEG : AVCOL_RANGE_JPEG; if (pix_fmt_id == 0x42111100) { + if (s->bits > 8) + goto unk_pixfmt; s->upscale_h = 6; s->chroma_height = (s->height + 1) / 2; } From 8524009161b0430ba961a4e6fcd8125a695edd7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Nov 2014 13:53:06 +0100 Subject: [PATCH 0152/1352] avcodec/mjpegdec: Fix context fields becoming inconsistent Fixes out of array access Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0eecf40935b22644e6cd74c586057237ecfd6844) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 2cf55fd877..5fdf9be221 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1596,6 +1596,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } if (id == AV_RB32("LJIF")) { + int rgb = s->rgb; + int pegasus_rct = s->pegasus_rct; if (s->avctx->debug & FF_DEBUG_PICT_INFO) av_log(s->avctx, AV_LOG_INFO, "Pegasus lossless jpeg header found\n"); 
@@ -1605,17 +1607,27 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) skip_bits(&s->gb, 16); /* unknown always 0? */ switch (i=get_bits(&s->gb, 8)) { case 1: - s->rgb = 1; - s->pegasus_rct = 0; + rgb = 1; + pegasus_rct = 0; break; case 2: - s->rgb = 1; - s->pegasus_rct = 1; + rgb = 1; + pegasus_rct = 1; break; default: av_log(s->avctx, AV_LOG_ERROR, "unknown colorspace %d\n", i); } + len -= 9; + if (s->got_picture) + if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { + av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); + goto out; + } + + s->rgb = rgb; + s->pegasus_rct = pegasus_rct; + goto out; } if (id == AV_RL32("colr") && len > 0) { From 991a2034796b18012f65b53e6bb8ce521c881a36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Nov 2014 14:45:30 +0100 Subject: [PATCH 0153/1352] avcodec/utils: Check that the data is complete in avpriv_bprint_to_extradata() Fixes out of array read Fixes: asan_heap-oob_4d2250_814_cov_2745172097_JACOsub_capability_tester.jss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5d95db3f5d8e2093e9e19d0c46e86f54ed2a5d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index ca6fe2d8e4..4e95ab039a 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3610,6 +3610,11 @@ int avpriv_bprint_to_extradata(AVCodecContext *avctx, struct AVBPrint *buf) ret = av_bprint_finalize(buf, &str); if (ret < 0) return ret; + if (!av_bprint_is_complete(buf)) { + av_free(str); + return AVERROR(ENOMEM); + } + avctx->extradata = str; /* Note: the string is NUL terminated (so extradata can be read as a * string), but the ending character is not accounted in the size (in From a654f483cd64aa739da5dfaa1b4ca0acb9f478f7 Mon Sep 17 00:00:00 2001 
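Review bot: The mismatch guard is written as `if (s->got_picture)` with an unbraced nested `if` as its body, which is easy to break when a statement is later added between the two. A single condition reads more safely: `if (s->got_picture && (rgb != s->rgb || pegasus_rct != s->pegasus_rct)) {`. The `default:` case only logs "unknown colorspace" and then reaches the same assignments, which is harmless because the locals still hold the previous values, but a comment saying so would keep that from looking like an oversight. mjpeg_decode_app starts and ends outside the hunk.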
From: Michael Niedermayer Date: Wed, 26 Nov 2014 03:29:03 +0100 Subject: [PATCH 0154/1352] avcodec/flacdec: Call ff_flacdsp_init() unconditionally Fixes out of array access Fixes: signal_sigsegv_324b135_3398_cov_246853371_short.flac Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e5c01ccdf5a9a330d4c51a9b9ea721fd8f1fb70b) Conflicts: libavcodec/flacdec.c --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index c9dbc14726..a48b177828 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -473,10 +473,10 @@ static int decode_frame(FLACContext *s) ret = allocate_buffers(s); if (ret < 0) return ret; - ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps); s->got_streaminfo = 1; dump_headers(s->avctx, (FLACStreaminfo *)s); } + ff_flacdsp_init(&s->dsp, s->avctx->sample_fmt, s->bps); // dump_headers(s->avctx, (FLACStreaminfo *)s); From f2595a6c38eeed80cd228c5db142873c95f6b4d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 15:45:47 +0100 Subject: [PATCH 0155/1352] avcodec/pngdec: Check IHDR/IDAT order Fixes out of array access Fixes: asan_heap-oob_20a6c26_2690_cov_3434532168_mail.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79ceaf827be0b070675d4cd0a55c3386542defd8) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 835d962180..fa7b71355a 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c 
@@ -582,6 +582,12 @@ static int decode_frame(AVCodecContext *avctx, case MKTAG('I', 'H', 'D', 'R'): if (length != 13) goto fail; + + if (s->state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "IHDR after IDAT\n"); + goto fail; + } + s->width = bytestream2_get_be32(&s->gb); s->height = bytestream2_get_be32(&s->gb); if (av_image_check_size(s->width, s->height, 0, avctx)) { From 12e064d6c2ae66bd501872ab4fc2033588419f85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Nov 2014 18:56:39 +0100 Subject: [PATCH 0156/1352] avcodec/rawdec: Check the return code of avpicture_get_size() Fixes out of array access Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1d3a3b9f8907625b361420d48fe05716859620ff) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 28792a1688..647dfa9a0a 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -172,6 +172,9 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, context->frame_size = avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height); } + if (context->frame_size < 0) + return context->frame_size; + need_copy = !avpkt->buf || context->is_2_4_bpp || context->is_yuv2 || context->is_lt_16bpp; frame->pict_type = AV_PICTURE_TYPE_I; From 2ba17ac96c72273f0848cbaf6d73697a68f25277 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Nov 2014 02:31:46 +0100 Subject: [PATCH 0157/1352] avcodec/hevc_ps: Check return code from pps_range_extensions() Fixes out of array read Fixes: asan_heap-oob_177e222_885_cov_1532528832_MERGE_D_TI_3.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9f9440bd8122cc8798139c9370db0873a24ae14b) 
Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 4e1c56163d..0d6ede2384 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1375,7 +1375,8 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) int pps_range_extensions_flag = get_bits1(gb); /* int pps_extension_7bits = */ get_bits(gb, 7); if (sps->ptl.general_ptl.profile_idc == FF_PROFILE_HEVC_REXT && pps_range_extensions_flag) { - pps_range_extensions(s, pps, sps); + if ((ret = pps_range_extensions(s, pps, sps)) < 0) + goto err; } } From 18dba3d80d5b741f145e448c242cdfa2ee7f3511 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Nov 2014 19:27:05 +0100 Subject: [PATCH 0158/1352] avcodec/mjpegdec: Fix integer overflow in shift Fixes: signal_sigabrt_7ffff6ac7bb9_2683_cov_4120310995_m_ijpg.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 970a8f1c256f08d2f6414d573a54f2fa035c8e7a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5fdf9be221..686ece9668 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -244,7 +244,8 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, bits, pix_fmt_id, ret; + int len, nb_components, i, width, height, bits, ret; + unsigned pix_fmt_id; int h_count[MAX_COMPONENTS]; int v_count[MAX_COMPONENTS]; 
@@ -378,7 +379,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) else if (!s->lossless) s->rgb = 0; /* XXX: not complete test ! */ - pix_fmt_id = (s->h_count[0] << 28) | (s->v_count[0] << 24) | + pix_fmt_id = ((unsigned)s->h_count[0] << 28) | (s->v_count[0] << 24) | (s->h_count[1] << 20) | (s->v_count[1] << 16) | (s->h_count[2] << 12) | (s->v_count[2] << 8) | (s->h_count[3] << 4) | s->v_count[3]; From 4b8f3c5bf34e517f8a50c5b5152985b8ef725c6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Nov 2014 03:46:56 +0100 Subject: [PATCH 0159/1352] avcodec/hevc_ps: Check num_long_term_ref_pics_sps Fixes out of array access Fixes: signal_sigsegv_35bd0f0_1182_cov_791726764_STRUCT_B_Samsung_4.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ea38e5a6b75706477898eb1e6582d667dbb9946c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 0d6ede2384..d79740a949 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -951,6 +951,11 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) sps->long_term_ref_pics_present_flag = get_bits1(gb); if (sps->long_term_ref_pics_present_flag) { sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + if (sps->num_long_term_ref_pics_sps > 31U) { + av_log(0, AV_LOG_ERROR, "num_long_term_ref_pics_sps %d is out of range.\n", + sps->num_long_term_ref_pics_sps); + goto err; + } for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb); From 5c2d8bbffa218b4d0c7e09d2ecbb2a0a02f665b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Nov 2014 21:59:47 +0100 Subject: [PATCH 0160/1352] update for 2.4.4 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
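Review bot: The new range check in ff_hevc_decode_nal_sps logs through `av_log(0, ...)`, so the message carries no codec context and bypasses per-context log handling; `av_log(s->avctx, AV_LOG_ERROR, ...)` would match the other decoder checks on this page. The limit `31U` is a bare literal guarding the loop that indexes `lt_ref_pic_poc_lsb_sps[i]` and `used_by_curr_pic_lt_sps_flag[i]`; a named constant or a comment giving the source of the limit would keep it tied to those arrays, whose declarations are outside the hunk. The value is compared as unsigned but printed with `%d`.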
diff --git a/RELEASE b/RELEASE index 35cee72dcb..79a614418f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.3 +2.4.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index e15895122e..e8638e36c7 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.3 +PROJECT_NUMBER = 2.4.4 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 6f580e87350c817ac3176a9e75d158bf3faad4e3 Mon Sep 17 00:00:00 2001 From: Kieran Kunhya Date: Sun, 9 Nov 2014 20:39:35 +0100 Subject: [PATCH 0161/1352] swscale: fix yuv2yuvX_8 assembly on x86 use_mmx_vfilter check/fix by commiter Signed-off-by: Michael Niedermayer (cherry picked from commit b546023b9319cbaefb638a2eeac56bdbf53d6f8b) Signed-off-by: Michael Niedermayer --- libswscale/x86/swscale.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index c4c0e28e53..7c51979bb2 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c @@ -425,7 +425,7 @@ switch(c->dstBpc){ \ case 16: do_16_case; break; \ case 10: if (!isBE(c->dstFormat)) vscalefn = ff_yuv2planeX_10_ ## opt; break; \ case 9: if (!isBE(c->dstFormat)) vscalefn = ff_yuv2planeX_9_ ## opt; break; \ - default: if (condition_8bit) /*vscalefn = ff_yuv2planeX_8_ ## opt;*/ break; \ + case 8: if ((condition_8bit) && !c->use_mmx_vfilter) vscalefn = ff_yuv2planeX_8_ ## opt; break; \ } #define ASSIGN_VSCALE_FUNC(vscalefn, opt1, opt2, opt2chk) \ switch(c->dstBpc){ \ From 06336ce760257ae2dbe350cd568a3eb45f48147f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Nov 2014 12:37:59 +0100 Subject: [PATCH 0162/1352] avformat: replace some odd 30-60 rates by higher less odd ones in get_std_framerate() Fixes Ticket4012 
Signed-off-by: Michael Niedermayer (cherry picked from commit 367c9d33d6dd1e8a85b63e14464e7e08ee1315cc) Conflicts: libavformat/version.h Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 2 +- libavformat/utils.c | 12 +++++++++--- tests/ref/fate/cdxl-bitline-ham6 | 2 +- tests/ref/fate/cdxl-ham8 | 2 +- tests/ref/fate/cdxl-pal8 | 2 +- tests/ref/fate/vcr2 | 2 +- 6 files changed, 14 insertions(+), 8 deletions(-) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index b915148ad7..ebf04f6393 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -916,7 +916,7 @@ typedef struct AVStream { /** * Stream information used internally by av_find_stream_info() */ -#define MAX_STD_TIMEBASES (60*12+6) +#define MAX_STD_TIMEBASES (30*12+7+6) struct { int64_t last_dts; int64_t duration_gcd; diff --git a/libavformat/utils.c b/libavformat/utils.c index e899e4d071..d9ffaed0b9 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2743,10 +2743,16 @@ static void compute_chapters_end(AVFormatContext *s) static int get_std_framerate(int i) { - if (i < 60 * 12) + if (i < 30*12) return (i + 1) * 1001; - else - return ((const int[]) { 24, 30, 60, 12, 15, 48 })[i - 60 * 12] * 1000 * 12; + i -= 30*12; + + if (i < 7) + return ((const int[]) { 40, 48, 50, 60, 80, 120, 240})[i] * 1001 * 12; + + i -= 7; + + return ((const int[]) { 24, 30, 60, 12, 15, 48 })[i] * 1000 * 12; } /* Is the time base unreliable? diff --git a/tests/ref/fate/cdxl-bitline-ham6 b/tests/ref/fate/cdxl-bitline-ham6 index 8060f06024..9ba7404b71 100644 --- a/tests/ref/fate/cdxl-bitline-ham6 +++ b/tests/ref/fate/cdxl-bitline-ham6 @@ -1,4 +1,4 @@ -#tb 0: 12/601 +#tb 0: 1/50 0, 0, 0, 1, 63180, 0xcda82c16 0, 1, 1, 1, 63180, 0xa6097bf9 0, 2, 2, 1, 63180, 0x4c2fb091 diff --git a/tests/ref/fate/cdxl-ham8 b/tests/ref/fate/cdxl-ham8 index 269f1f30cf..1eebea37c7 100644 --- a/tests/ref/fate/cdxl-ham8 +++ b/tests/ref/fate/cdxl-ham8 
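Review bot: get_std_framerate now indexes two anonymous arrays of 7 and 6 entries with no bound on `i` inside the function. The only thing keeping the index in range is that callers stop at MAX_STD_TIMEBASES, which repeats the same `7+6` by hand in avformat.h. If one of the three places is edited without the others, the last lookup reads past the compound literal. Turning the two tables into named `static const int` arrays and deriving both the `i < 7` test and the macro's terms from their element counts would tie them together. At minimum a comment on MAX_STD_TIMEBASES should say that it must equal `30*12` plus the lengths of the two tables in get_std_framerate.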
@@ -1,2 +1,2 @@ -#tb 0: 3/158 +#tb 0: 12/281 0, 0, 0, 1, 67584, 0xce0cade5 diff --git a/tests/ref/fate/cdxl-pal8 b/tests/ref/fate/cdxl-pal8 index 82d4d634c7..b2fb04518e 100644 --- a/tests/ref/fate/cdxl-pal8 +++ b/tests/ref/fate/cdxl-pal8 @@ -1,4 +1,4 @@ -#tb 0: 12/601 +#tb 0: 1/50 0, 0, 0, 1, 67584, 0x5eae629b 0, 1, 1, 1, 67584, 0x32591227 0, 2, 2, 1, 67584, 0x4e4424c7 diff --git a/tests/ref/fate/vcr2 b/tests/ref/fate/vcr2 index 521e55fd04..f7e1540b33 100644 --- a/tests/ref/fate/vcr2 +++ b/tests/ref/fate/vcr2 @@ -1,4 +1,4 @@ -#tb 0: 16701/250000 +#tb 0: 1001/15000 0, 0, 0, 1, 38016, 0x50e93e0d 0, 1, 1, 1, 38016, 0x6ac8627d 0, 2, 2, 1, 38016, 0x6f38661e From 883f3e18ddcc64129f25f43d73a82313a5031f78 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 30 Nov 2014 23:47:36 +0100 Subject: [PATCH 0163/1352] doc: correct license template for t2h.pm Signed-off-by: Michael Niedermayer (cherry picked from commit 928322c15f985eb965f0379fbd971d06143763aa) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index 75dc0d304a..a92707190a 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm @@ -14,9 +14,9 @@ # FFmpeg is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. +# General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public +# You should have received a copy of the GNU General Public # License along with FFmpeg; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA From dd2394754d8cee3717b3e198c83cc382674cf126 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Dec 2014 02:11:00 +0100 Subject: [PATCH 0164/1352] Changelog: update for 2.4.4 
Signed-off-by: Michael Niedermayer --- Changelog | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/Changelog b/Changelog index 1002a0fbd6..28fe41f777 100644 --- a/Changelog +++ b/Changelog 
@@ -3,6 +3,43 @@ releases are sorted from youngest to oldest. version : +version 2.4.4: +- avformat: replace some odd 30-60 rates by higher less odd ones in get_std_framerate() +- swscale: fix yuv2yuvX_8 assembly on x86 +- avcodec/hevc_ps: Check num_long_term_ref_pics_sps +- avcodec/mjpegdec: Fix integer overflow in shift +- avcodec/hevc_ps: Check return code from pps_range_extensions() +- avcodec/rawdec: Check the return code of avpicture_get_size() +- avcodec/pngdec: Check IHDR/IDAT order +- avcodec/flacdec: Call ff_flacdsp_init() unconditionally +- avcodec/utils: Check that the data is complete in avpriv_bprint_to_extradata() +- avcodec/mjpegdec: Fix context fields becoming inconsistent +- avcodec/mjpegdec: Check for pixfmtid 0x42111100 || 0x24111100 with more than 8 bits +- swscale/x86/rgb2rgb_template: handle the first 2 lines with C in rgb24toyv12_*() +- doc/APIchanges: Fix some wrong versions +- avformat/hlsenc: Free context after hls_append_segment +- avcodec/mpeg4video_parser: fix spurious extradata parse warnings +- lavu/opt: fix av_opt_get function +- avcodec/wmaprodec: Fix integer overflow in sfb_offsets initialization +- avcodec/utvideodec: fix assumtation that slice_height >= 1 +- avcodec/options_table fix min of audio channels and sample rate +- libavutil/thread.h: Support OS/2 threads +- fix Makefile objects for pulseaudio support +- opusdec: make sure all substreams have the same number of coded samples +- lavu: add wrappers for the pthreads mutex API +- avformat/avidec: fix handling dv in avi +- avfilter/vf_lut: gammaval709() +- cinedec: report white balance gain coefficients using metadata +- swscale/utils: support bayer input + scaling, and bayer input + any supported output +- swscale: support internal scaler cascades +- avformat/dtsdec: dts_probe: check reserved bit, check lfe, check sr_code similarity +- avformat/segment: export inner muxer timebase +- Remove fminf() emulation, fix build issues +- avcodec/mpegaudio_parser: fix off by 1 error 
in bitrate calculation +- Use -fno-optimize-sibling-calls on parisc also for gcc 4.9. +- ffmpeg_opt: store canvas size in decoder context +- avcodec/mpeg12dec: do not trust AVCodecContext input dimensions + version 2.4.3: - avcodec/svq1dec: zero terminate embedded message before printing - avcodec/cook: check that the subpacket sizes fit in block_align From ce99ef48ea025e90351079964d63be815374f089 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 28 Nov 2014 09:52:50 -0500 Subject: [PATCH 0165/1352] Treat all '*.pnm' files as non-text file This convinces the pre-receive hook to not consider all *.pnm files as text files to reduce the patch sizes and avoids triggering whitespace checks, Contains a correction by Janne Grunau (cherry picked from commit 0f257e29c5520b215e573e7e3abde8e5a4743309) Signed-off-by: Reinhard Tartler --- .gitattributes | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000000..a900528e47 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.pnm -diff -text From b31a3c6f2670d4def5aa8bd3479da9c771ab09e2 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 27 Nov 2014 18:21:03 +0100 Subject: [PATCH 0166/1352] Replace lena.pnm The new reference.pnm is a freely licensed replacement. The photo has been taken by Reinhard Tartler on August 28 2014, and is licensed under the expat license as stated at http://www.jclark.com/xml/copying.txt (cherry picked from commit 8895bf7b78650c0c21c88cec0484e138ec511a4b) 
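Review bot: The new `.gitattributes` rule `*.pnm -diff -text` leaves the merge attribute unspecified, so a conflicting change to a `.pnm` fixture may still be handed to the textual three-way merge driver; the built-in macro sets all three attributes, `*.pnm binary`. These files now skip the hook's whitespace checks and show no content in diffs, so a comment in the file would tell the next maintainer why the rule exists, e.g. `# binary PNM test fixtures: excluded from text diff/merge and whitespace checks`.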
Signed-off-by: Reinhard Tartler --- tests/Makefile | 2 +- tests/lena.pnm | 109 ---- tests/ref/seek/vsynth2-asv1 | 40 +- tests/ref/seek/vsynth2-asv2 | 40 +- tests/ref/seek/vsynth2-ffv1 | 40 +- tests/ref/seek/vsynth2-flashsv | 40 +- tests/ref/seek/vsynth2-flv | 40 +- tests/ref/seek/vsynth2-h261 | 40 +- tests/ref/seek/vsynth2-h263 | 40 +- tests/ref/seek/vsynth2-h263p | 40 +- tests/ref/seek/vsynth2-huffyuv | 40 +- tests/ref/seek/vsynth2-jpegls | 40 +- tests/ref/seek/vsynth2-ljpeg | 40 +- tests/ref/seek/vsynth2-mjpeg | 40 +- tests/ref/seek/vsynth2-mpeg1 | 40 +- tests/ref/seek/vsynth2-mpeg1b | 40 +- tests/ref/seek/vsynth2-mpeg2-422 | 40 +- tests/ref/seek/vsynth2-mpeg2-idct-int | 40 +- tests/ref/seek/vsynth2-mpeg2-ilace | 40 +- tests/ref/seek/vsynth2-mpeg2-ivlc-qprd | 40 +- tests/ref/seek/vsynth2-mpeg2-thread | 40 +- tests/ref/seek/vsynth2-mpeg2-thread-ivlc | 40 +- tests/ref/seek/vsynth2-mpeg4 | 48 +- tests/ref/seek/vsynth2-mpeg4-adap | 40 +- tests/ref/seek/vsynth2-mpeg4-adv | 40 +- tests/ref/seek/vsynth2-mpeg4-error | 40 +- tests/ref/seek/vsynth2-mpeg4-nr | 40 +- tests/ref/seek/vsynth2-mpeg4-qpel | 40 +- tests/ref/seek/vsynth2-mpeg4-qprd | 40 +- tests/ref/seek/vsynth2-mpeg4-rc | 40 +- tests/ref/seek/vsynth2-mpeg4-thread | 40 +- tests/ref/seek/vsynth2-msmpeg4 | 40 +- tests/ref/seek/vsynth2-msmpeg4v2 | 40 +- tests/ref/seek/vsynth2-roqvideo | 2 +- tests/ref/seek/vsynth2-rv10 | 55 +- tests/ref/seek/vsynth2-rv20 | 54 +- tests/ref/seek/vsynth2-svq1 | 48 +- tests/ref/seek/vsynth2-wmv1 | 40 +- tests/ref/seek/vsynth2-wmv2 | 40 +- tests/ref/vsynth/vsynth2-asv1 | 8 +- tests/ref/vsynth/vsynth2-asv2 | 8 +- tests/ref/vsynth/vsynth2-cljr | 6 +- tests/ref/vsynth/vsynth2-dnxhd-1080i | 6 +- tests/ref/vsynth/vsynth2-dnxhd-720p | 6 +- tests/ref/vsynth/vsynth2-dnxhd-720p-10bit | 6 +- tests/ref/vsynth/vsynth2-dnxhd-720p-rd | 6 +- tests/ref/vsynth/vsynth2-dv | 6 +- tests/ref/vsynth/vsynth2-dv-411 | 6 +- tests/ref/vsynth/vsynth2-dv-50 | 6 +- tests/ref/vsynth/vsynth2-ffv1 | 6 +- 
tests/ref/vsynth/vsynth2-ffvhuff | 6 +- tests/ref/vsynth/vsynth2-flashsv | 8 +- tests/ref/vsynth/vsynth2-flv | 8 +- tests/ref/vsynth/vsynth2-h261 | 8 +- tests/ref/vsynth/vsynth2-h263 | 8 +- tests/ref/vsynth/vsynth2-h263-obmc | 8 +- tests/ref/vsynth/vsynth2-h263p | 8 +- tests/ref/vsynth/vsynth2-huffyuv | 6 +- tests/ref/vsynth/vsynth2-jpegls | 8 +- tests/ref/vsynth/vsynth2-ljpeg | 6 +- tests/ref/vsynth/vsynth2-mjpeg | 8 +- tests/ref/vsynth/vsynth2-mpeg1 | 8 +- tests/ref/vsynth/vsynth2-mpeg1b | 8 +- tests/ref/vsynth/vsynth2-mpeg2 | 8 +- tests/ref/vsynth/vsynth2-mpeg2-422 | 8 +- tests/ref/vsynth/vsynth2-mpeg2-idct-int | 8 +- tests/ref/vsynth/vsynth2-mpeg2-ilace | 8 +- tests/ref/vsynth/vsynth2-mpeg2-ivlc-qprd | 8 +- tests/ref/vsynth/vsynth2-mpeg2-thread | 8 +- tests/ref/vsynth/vsynth2-mpeg2-thread-ivlc | 8 +- tests/ref/vsynth/vsynth2-mpeg4 | 8 +- tests/ref/vsynth/vsynth2-mpeg4-adap | 8 +- tests/ref/vsynth/vsynth2-mpeg4-adv | 8 +- tests/ref/vsynth/vsynth2-mpeg4-error | 8 +- tests/ref/vsynth/vsynth2-mpeg4-nr | 8 +- tests/ref/vsynth/vsynth2-mpeg4-qpel | 8 +- tests/ref/vsynth/vsynth2-mpeg4-qprd | 8 +- tests/ref/vsynth/vsynth2-mpeg4-rc | 8 +- tests/ref/vsynth/vsynth2-mpeg4-thread | 8 +- tests/ref/vsynth/vsynth2-msmpeg4 | 8 +- tests/ref/vsynth/vsynth2-msmpeg4v2 | 8 +- tests/ref/vsynth/vsynth2-prores | 8 +- tests/ref/vsynth/vsynth2-qtrle | 8 +- tests/ref/vsynth/vsynth2-rgb | 6 +- tests/ref/vsynth/vsynth2-roqvideo | 8 +- tests/ref/vsynth/vsynth2-rv10 | 8 +- tests/ref/vsynth/vsynth2-rv20 | 8 +- tests/ref/vsynth/vsynth2-svq1 | 8 +- tests/ref/vsynth/vsynth2-v210 | 6 +- tests/ref/vsynth/vsynth2-wmv1 | 8 +- tests/ref/vsynth/vsynth2-wmv2 | 8 +- tests/ref/vsynth/vsynth2-yuv | 4 +- tests/reference.pnm | 696 +++++++++++++++++++++ 93 files changed, 1636 insertions(+), 1050 deletions(-) delete mode 100644 tests/lena.pnm create mode 100644 tests/reference.pnm diff --git a/tests/Makefile b/tests/Makefile index eab1eca6f6..2f9f1c9ad9 100644 --- a/tests/Makefile +++ b/tests/Makefile 
@@ -17,7 +17,7 @@ tests/data/vsynth1.yuv: tests/videogen$(HOSTEXESUF) | tests/data $(M)$< $@ tests/data/vsynth2.yuv: tests/rotozoom$(HOSTEXESUF) | tests/data - $(M)$< $(SRC_PATH)/tests/lena.pnm $@ + $(M)$< $(SRC_PATH)/tests/reference.pnm $@ tests/data/asynth% tests/data/vsynth%.yuv tests/vsynth%/00.pgm: TAG = GEN diff --git a/tests/lena.pnm b/tests/lena.pnm deleted file mode 100644 index 700508c86c..0000000000 --- a/tests/lena.pnm +++ /dev/null 
@@ -1,109 +0,0 @@ -P6 -# CREATOR: The GIMP's PNM Filter Version 1.0 -256 256 -255 -}߈v|{|rބu݄nފv߂kބj܄pg݂tށsjrvrrwzyvxvtwfvvZaP_@T>\=YEXGXJZIZJ\NWJVLVOZLXLXNXLVNZNZJSJTOVSYTZXZTXZY^Z[\`\^\\Zf_b^ebabbbkhffd`b]b``^g_d^d`a^hahjb^ebfagfebe`ddfbgdhef`d^ffjffefbjfgbidibichjheghknhlffe_ddf^e]cbcbjhibdadddbb\e`hbf`g`jdd\fd``jjplgcd_bbe`d`fgb^b`e``eiebcc^b`cbccabadbbbd^^bcba\`[dZ`ZaX_T[PXHVLPV\`]lbqlzlt܄pވnފrڎv݂nzg~jڀjlހn܀rނr݀pކxނn߀hހj~j߀eހlf}f݂jށh܀eބh܄m܆n݂jކq݈q݄p܂h؄nn﹅ȐΖОԣԜԟȐ⪀rjM\HXPZOZX\Z\Za^`acX\^^ZZ^bdh[c\aZ[[^ZZZ^^^]`_^`c`b^_^]V\`c`bbh``[[bba`[]V\V\VZ\b{v撀zrd}߈v|{|rބu݄nފv߂kބj܄pg݂tށsjrvrrwzyvxvtwfvvZaP_@T>\=YEXGXJZIZJ\NWJVLVOZLXLXNXLVNZNZJSJTOVSYTZXZTXZY^Z[\`\^\\Zf_b^ebabbbkhffd`b]b``^g_d^d`a^hahjb^ebfagfebe`ddfbgdhef`d^ffjffefbjfgbidibichjheghknhlffe_ddf^e]cbcbjhibdadddbb\e`hbf`g`jdd\fd``jjplgcd_bbe`d`fgb^b`e``eiebcc^b`cbccabadbbbd^^bcba\`[dZ`ZaX_T[PXHVLPV\`]lbqlzlt܄pވnފrڎv݂nzg~jڀjlހn܀rނr݀pކxނn߀hހj~j߀eހlf}f݂jށh܀eބh܄m܆n݂jކq݈q݄p܂h؄nn﹅ȐΖОԣԜԟȐ⪀rjM\HXPZOZX\Z\Za^`acX\^^ZZ^bdh[c\aZ[[^ZZZ^^^]`_^`c`b^_^]V\`c`bbh``[[bba`[]V\V\VZ\b{v撀zrd|yvxvvno߄m߆p߀hhބog݀tނn߂lށntqryzyvvuowhomX_O^AW>YT@TKZLYFSFQEPIVFRGSJVHOFNITGOKVLRORVXTXWY\\_Z\V^ZZUZX_\b\a[ec`\b_cba^`abbf`d_c]c`b]c`b\c\fgfdfbf`b^ebe`d^a[f^b^abcdc_c^fcfddaedfdc^b`dhkndfmjbbgbb`d``Zc`jfiebbe`^Xd\d^gdd^h`b`e`a]fbd^ffedd`a\_\`c`^fh^]b`a`a__^bea\abcabaab`^bd_\^^^`[]Z^\fW^T[RZLTKXEPUX\^e`lgvn{nہrۆpވt߈tބmނo~g}go|gހn܀ni݂n߂lfi߁fe~cih݀j߀f}deނg݂i܂l݄m܄rނk݂jiہhxʐКқԞ֞ҕÉߞsd_HXJWP]V]V[[]TW[^Z]ZZ`^Z^`a\^^b_d]^^\a[___[`_^]]\\^\Z^^[`^^``]b\[bd`\_`[\[]`cb`VZET~,KfEiprntrklknjiށn~m~hl~ijmrrwsrnpldtfjaWZNX=R:Q8N:O@RDTDRDPHSFPDNLWGRKRHRGOHNHRJTLUPYOXQYVZUWZ]YW]]^Y^]]Xa^]]`^_[d]c_b`b^d_d`a^b]b^d^b\b^f_bac`fagbfah^had^b_gbhadbb`kheddafbdba`efcad`bf`_`bdbb^gfba`\^\`]fbgdhced^V_[b\e_dcb^a]c`b[b_b\cad^fbec`\a^b``\bb]]b]`^`]\\^`^^]^baa__\`[b`[[^]]]_^\^Y_YaTXPXQSLUHTJUSY]^ffqlxp{n܂qބtߊu߅r߂n݂pހj~jރkl߂ijބm߁ijkge߁jg߀jj}eށj߂jރj܂l܁l݁nہm܁l܁kځh~mމn쮀Œ̙КӞӛԙ͒~ЄlU[LYNUS\SZXZZ]\^Z_Z\]^[^]a\a\]X[Z`\^^^`^[X_^Z\_[\_^Z]\]^`\`c```]`_a]bbbd_^_\NT/Id@\B\Alnizkoklknnki~hhlbhjjno
qsonhm}eo^f]\[KT;O8Q8Ppnje߄nhljmjgjgހjiippqrvrnnmof~hr^bVX\NW>RW>X[9_@llshjihkkmipmlppronqppsjuod{jreje^aQ\@S8M9L?P@MDMCNBNFPGRLTIWFPHTJTFODNJSDLKSNRQWUZSWY_XXY\WZ^[\\YV`]`\^``[a_^\a\d\dbc_c]fdd`fca^b_daa]b`c``[aadbfbd_d_f`c_b^b^dac\b\ca^[bcjidbb^dbcbabaadbdagea`dfbe`bfbgbf`_]_^b]d]gagfigjfgddcfbdafcd`b_gffb`^a^\[a`cdcbde_Z`^^b_``\bbcaadab\Z__aa^dbg^dZ`VZTYS\P[NXNXHVFXQ^[gfgolxq~u܂utrxvwooqrummqjmjonphkdj݁l~l~jl}jـpln~izexf߉jŊΕӠԞ֟֝̓ЅlNXISM\NVTZV^TZX_Z\\Z_`\`_[``\]]`^`bb]^__^^b^bd^]b`fbg^gdiaZ[>Lu$CZ`;jonlljmkll~nnnnoqtoprnopklod|fqbhb^^V\BR=O9N=J>JBPFPFOOWIRFNKQHPIQCODLKPELEKFROXOVRUQPUUVVWVZY\YZW\V\\\X_^a[`^a`a[cb`__]ef_[c`b`dab`dcbZabc`d\a`a]c`d`c^`ZaZc``_babad_cbaaeec``]`]_\ecfgbba`acbbb`jfbbe`c`cabb^\`Zb`a]caedghkmooefdeb^fdb_b`bafc`Za`]_b[_``]```\\]Z[```^^\`^``_^_\_^^Z^`\`]h\delV\PXT\LZJXNYFTOYV^ecokztzn܁s߄pvyvvpotxrnrpolnporfsjރp}k~n~lj܀jځol}o|k}l{kyetɒϚӠ֠ؤӘƌwjbLTR[NUT[PWX^X\X\Z\\``aZ^[]\_`eZ^^`aehjababb_feedhgiglf\]?Nx#D[AR@ZFXFX@\CZB]?aAql~ilminmrlnmjimtnttnlppljrh{hwhhe`dOZ@R8N;N?OAKALDNGPQXDMFODNELHNGNHNELIPGNHPLQPTNQUUSVZYWXWVZXZV\W\\`\_]`[c^b[`Yc_`\ccc_c``\`bb[`^b``Zc_dbb]b]c]dba^cf`]c]`[b_^Zc^_Zb^ec^^b^d`\X_[b`^]]]`\b^a^``\[b^c]b^``c`^\`\_Ybbfdbbedfdffbbc`bca`b`dbb`b]e`aaa_`[dd[Y\_]\\]^Z`^^Z`Z\]^\Z\\Za_`\]]\`[`[bY]X`RVQZPZS\JWJZO[P[`djixpzv܀x݄tyvwxnrmpstnkoqgmjjhmhl~jۀl|kۀj}j~l|i{k~k~lvevf܄j|É̒қԞ՞עҗf֌iTWJSPUPZRVV[Y\VXV\UX\\_][^\]WZ\`Z\adbcfidhddedgdhild\[>OnA_IV@XEZA\ 
LZ?]>\>bMW=Xc9pomjhnlhoojruotrtrpshkoqhnlcsZgZXRJNW=V:ZCXA[BW;^?^f'Ljqpmmkpiqnqnvrwrtrrljnrtknmfs^gXXUKP=K:N4Kb=eslnkmlnprtrqurqropkjmmllilg~er[fVVPHM>K6L;M;KBPBR@MIRGPHPHQJQFMFNISEKCMBMCMEOLTOWOURRSVSUXXWT[ZZV]Y\\[Z\Y`]__^]][`]_]_X`^ZZ]\YZ^`a_ceb^^`^\ZX``bd`ba``^^e`e``^^`_^]`acgda``^`][[XZYWUXY[\XZX[XVX[Z[\^^^b`XV[ZWWYWYX]\[X_^abaf_aefbcbfejgffjaa^\bd`_`abaa_\`][^^]\]Z]`]\]\\X[]`]]]^]_``d]^[_W^W^RYT^P[P[RZJXLYQ^VaYcbfhkqnwq}t}t߁utކvtuބvqo߄nkmnnnim݅pnppl߁on߃mހpmr߁p~op~p~pxjzjtctcves˗ҠרګۦڥΘ賆vfLUJSNXPWQTVYVX\]^^ZX[\^adhbbdbhg]\?Pu>Z9W;V=Z=Z@a"LaBfFdCf;iAdeVYC^D`FdDdCe>d@d?^>d=cAa<^;vnogrjqpsurrosojfkenkjrolng}gq]i]XQFK6F0C3G8J?NBNCPDJGMKTCKGNFNDLGPHNHQGPBNEPKRNSQTSUSUSXZ\VXVXVYW]^^]Y\]\\_Z[W]\_]^^\Y\ZVV]]`c`^^_`_ab^^ab^ZZY`^`b_a^]`c`b_a`c`^\\^\bc\[]]\[Z[[YZZZZ\]YZTT\^XYVVXX[XZZTSVTTXVVTWZ[Y[\^\Z\\`b]`_dbhbeehacab``^^^^^_^`^a```^Z\^a`_\Z]_^\[^Z\]X_`[X[\]\]bY^ZcV\UXV_WaWdU`NVJXHYKYR`]fchhkpnwszszq~o݀u܀u݄tv߅xކs߂o܆tjohpp߂lmo~j~kjroloރsnn~m~lzkzjzlyiwfufqbparbp˔Ԟ٪ڪ۬ܩҙ΃hJRDOOXPVPTRYUZW`Y[_dacdfheW[>Nn@YY?V=\Cb"Od'Pe#Kj%Ld$GdDb>d@b>_?^<`Cwpnpjpqvtuvopoikfkjlnmqjhlg}fp[bVUPAJ:I0F2G\>Z@^@d@fAdAa>b<`@`_9Z>\>mpopkppsyrxjlhfcfejnrhoojklzfp\gXYUEM7K1H4I:NHw"A^>VY>]A_BaHg"If&KdCb@_DaD`B]?^<^:]>\;pklllrquuvmheghbeigdmhnlnln|fubbWVSDM=L/E3F=M=NAMCPDQENEOGREQBNHRHOFLFPFOFPHPLRIRPTU\RVVVVXVXXY\Z^[ZY\Y][[Z\X\Y^`ZY\[Z[\^^\^b]]`bbl[^^^\_[]ZX_bc`^^`_^_bc\_ab[Z^`Z_[YbbbbZZ^ZXYZY[\_\[\Z^X[Z^Xcdqhrȇuzņy~v~jpkr[`X^WVWVXW[XXZWZ^^\_Z_[_X\^a^^^`^`^c]`^aaebc`d\\]]]^\``cb^[U^Z]Z]`]^\^Z^]\Y_S\T^Q\R\VaPXJTJZLYP\T`^chglknfvqtiwpzr}s|v|n݀uނtނrރq߁oހl߀mm܁ql߂pjjkii~hoi}hzlzgzjwjujqdwhqerctbrcsbp_rd{dxŌΘ֤ڨکܪ٣̐}hZFRJTKSPXU\RZ^bb`X\@Nv@[>X?W=X@X>\A_AdCa 
FeFg"IgFaEa@dAb>^9^<`;_>]OCLFQFNHSKTLUGNFRGQFMENFPHNGNPWNURYQYUTXUWXZYVXZXZVYU[Z[Y\Z]\[\\`^c[\ZX]a^]a\\\[^`b^b`b]]Z]\]\^lj_a``bbdm]`\`]_YY_`[[^\hf_eY\\`Z\bn_fzpuus{xńʝϔΠԜΡКѨԤͤɠu}[]VYRTTTVVVZXZ\aZZZ_Z]\^Y]_b]abfbf`hac_d_cY_[]]a\\ZZYZ__\^[ZZ]Y_YYV\T_R[Q\S[R^LVKTHTNYUaU_`egdklqnsmuptoulxr{uzrہx݀tހo݃r߁lނp~j~mn}oހlހnigli|h~i|i|hyhvfxfvhwlvdvjrctgudpavdsdqaqbpȒӜצ۪ܪ۩ԜĈזtRWW_OXSZU]Y^_aVV8Jq B\:V?ZBZAY]=\<^?\X:W>Z:`@`Ae!Ga@f$Id$Jb"Gd"FbE^>[:Z:\;a<^;`<`=qrnntqsuqhbt]t\p^n\qcv`jomnlqqlnihscgXZVFL:G2H6F9I:G>N?LBRFPERIQDNDMENGPHPHOENFKJOMNNVOTQVTVY]WVXZVRWT\YZT`_ZT\X\Y[Z_\\Z[\\[eg`b_`__^`^b^^ac\\]aY^]`^]_`a\f_]\\\^\\YZXZ\[fivw{ɂ}ƃǃʐҠ̘͐͘ϞզԭѨͣҦҩЧѦң֯۶ڴسϥĔpz]fU[NWWYUXZ[Y[X^^b`ddjah_e^b`c\_^^Z^ZY\_\Z\[[^\^XYVWT_VZS[W`SXMWOZMWLYJ\KVP\V\_ffamlrltjsjsjumuqvlzmzr{nހsnހq߀n~nl߀p߀mk|h~o|g~gizf|hzhvfubwgudrdqgsbpfpfpapbp^pfn^n_pbve߄nƑК֧ڪܭئɎvc[PXX\]]XX=Lq>[;S:UZ?^?bDcCcBfCdBdEbA`EZ>X9Z:^8a8]7_=^;tlkrmpplmhx`r\lWiZm]kYw^glhoplosih|dr\fWWREM8G2E3F6KX>V>X=[>Z>`@dDfDbCb>d@`>`@\@\@[>^<`9b:\8Z9]8hoisrornhesXlY`R^ReZl]u^gjimnplkpejrZjZVPFL6F.C6I5J:KXAXD\D`@`DbCcFdEd 
Eb@b>d@^>W?X>\FbHb=`:_?^9\9`M@LAMDO@LDLFOERBNFPIRIQFOISMTTZOQTVSRUVWVYVUT\\XZ\]WWZXYU[YZY`^YZ[ZZZ^^Z\_`]\`c\^\[XZYXXZ]]^`bneoppyjw`kdvtxˀv~zx~|~v{zxzzłȂx~ǂɁȆƐʇΒ͓̕ӠҤԨѢҦϢҩ՞ҪԯקӫڵݴشۺỦ޶̞jrPYPUT\X`]g[b`i`h^f\bZ_Zb\`\^Y`Z^VZX^XZUXS[RWNVQZR\NUR]JSO[HVQ^NVY_^_jipondshvmukritmuowoyqwq}x{v|u|m|q}iylvjzgxhwevcubxcwft`thrarbtcp`peqck`ndm`kXpbo]pbp`o^o^pbl^l`f֮̕ڮܬ߮ݩ̓yMR~#CXU=W;Z?Z@_CdBgCe?cEcAb@cAaBZ@Z?`F`B`B]:\>Z9Z;_<`:ompozmmlzbrXdTVKSORNdZvh~lgllilllnnh}`vdh[VPCL4F*B/F2EAX>M@O>M>LANBKFS@ICMDL?L@JJSJPFOJROTNSQRTWTTTTVTXXX\VWZ\ZXZ\XUW\XT]X]^\Y^\^^Z\\_]^]^[ZZZX]U]alZkkx~~~rzfmXeYdixhrnspxrvx|rwqwvzȂ}ɄxzȁʆȍLjʔΘ̙ϔ͖ҤҜϗѨ֧ϜҬ٨ӫڸخֲܺݶܼܶ޼༦๥ֵ~T_NVV_[dV_Y`^e\dV\V[Xc[`Y^X]Z\X\W\TZRXR\QWNWMXOULVMYGTFTIWMZOVR\]`fdmlrkvnulultjsmsmtpvpzwwuxs|p}r}n|nzhugwftbxhxfsbr_veteuducqdp^rfpcpbpen`pfl\m`l^l`oao^o`sbmal\q\sĐϟתܭޱ߮ڠ񼈩HP\>RAV@U?XAZAZ?X>bAeDf>d@bBd@eBdD_C^D[@^>aD`>]=\A]?\:_:b9rmxnvpjfzfiZXPJJEJOL`Xrb|dimpkommkjjgt[k\[PDM6H3G.G5M;N7J=LCSFPGTALAKAJDMALDKEMFQISHRKSJUMSLQTZSTUURUXZZ\UTW[TXWU\_YWZZVU\[[^ZX]`Z[]^^\[^UXX\TZelߛyс}|v{owbibi\c\i_ndllwlvnsfmkpjrzxqwutȁ|{ʅˀ~Ȅˆ͓Ґϒ͞ћʔ̘ҢԤҫգӞ״ܮ֬ظܱܰڷߺ⺡ݴۻ侦ݺǝguR_XcPXS[R\WZX_YZV^X^X^V\V]X^X]V]T[PTPXPVQWNXL\LWKUDREQKXOXRW`hedpiritnvnultirjqjwjwmvnsmvr}q|rzk|n~rzltdqctdqepbrbr`uetcvgqbr`pbqepbpgo`l`pap_n_o_pfrco`rdo_m^k^}dőҠبݰޣ򾀑.CM 
8P>R=W?V@\@Z=\>dBhCc@bBbBdE`=]?Z=\B_@g#I_@^BW<^B`?_6d=f:rrpvqjhx`p]^OKM@J@JUPdXug~fdtlmjmlmoi~hvaf[XSFO6J,D0F2J8L6H:L=L=N@N@N?KANAMBIFMCLCLFOELJQLVNXPVQVTVPRTYWYZ^XZTSXXVUZZXVYZZVXX[\[YZYZ\XZXXY\XXwb``daemqllgjcj^jbh\g[j\h`rgnnzlpnvfrerhpwhtrxy|~}ʈȄň̎Ж͎͎Иɓ͠МЦ֬ѝҲײլֱۯ֥ײݸڮױܼ޹ݸ޼޺հXfNZNXPXV]T\SZT[[`V]W[UXU_WYV[UZTZOWMSPZKWJYLWFSGU@JKWKUT^^`hflbqhwjvntmthslsjtnwrvowrunvn{uxkyl}o}qwhuirbn`nbrasbsbvftcqasgp`rbufpepcodpbpbo^p_sbqathqfl_oapfsfsОتްԐ|_Z8P>Q=T>W>Z?\@_?bBfBeDdAdCeA`<[Z>`@d!Db?]<\=X;\9`;b:hAf=mvsrvddw^iXQKBF3C9ERNbVsbfhnhmljnnmn}hv\fZWOCI4G+B-C2F0E4G:I?N?L@O=JCNAKDJCMBLFSFTFNHSHNMVFKOVRYQRTWS[VYSRUVRUZ[WZ[]Z\XWW[^_Z\ZZWY[^WUXYV\g_rNMV[_d\d_c`eX]]g\e\f`n^cblmsnvlpipdohpptsxprpwtw|~~t|˅˄~ΒɅĉ̖͍ӧӛКզٮٱֲڰ֥ԯڲ۲۵ڶްڭڸ໦ຨܸڻܾ⾪۷ÖcmLXNXNWNXT\YdT]U\SXTYS[SXTZS]TYQ\NVOVMXP_GTLXFSFTFRLZS\_affnhtivjyoujtgsjsjqitnrjtnsnuptnun|k|qyixopdpbnando`o^pbqavfp`oaqdscrdpeo`k`pbn^l_pauerfsetjrdpcqen`yk|ʕצ߲Օp)AL :Q>Q 9U=X>YB^@dCgGfCcBdBhBb@[:Yc9\8pxrmkixbq``WJI:J+B>FQOe\ta~eknkljqjknhzbrYf[VNFN2E-F)C.G4H8M>N;L:G>L@K>K@MCOBQEPDOENHTBNGMFRDNNTNVPSQURXVVQTPSTX`cZ[XX\[Z[Z^ZYVVZXZZZ[XXQWXZ}o\:TNY\cZb`iX[^eX``j[e\eWbbijpflkoegfpjrlvnukos{nwxrtzƆŃăȌˉҥԞЛΣԤԦְخգشڴ٨ر۸ޮתص๠ݶܺ޿޼໭ڻڼںݺԮt{N[FTIVOZU`PWNSRYRXR[TZRXT\PYLVOYJULYLZKXHQFRAQFVNZW^_ajfmgtlwlxnylxltfuqrmsptlqlrmpmpiupunxp{k{nrbphlbn`nanep`sdtbtepdoarfodqapeo`pbohoaqesgtep`tdugrfufteshmҞۥҖxBHT=N>Q>T@T@V<\Bb?gCf Fd@f EgAhC`BX>Y=]?cBbA^@X:Z?[>`;d>k?d>T2I2rwwrj}ftddVTRV@U>V<[=\=dAa>d@cBfBgA`AZ@\A]@`BdA_AV=Z@[>\=bBi"Cg!DW9F3D3~pokhx^lYZTFN.>*C0F?LRNc\p\yagljrniqnmk{`lXfXVQEK/D(C(B2J8L4G;R@RFWHVGYHXBPGRCOAQEPDRIUDRKVJTITNRRXTYJPMQSVSXUXUZVZUYUVUZX[XX\[[\YXWZZ\XYZVpgNRMURZKVV]W_V]V_ZaZ^_h\e\g\edmlpnqksenkujsovoriracktt{krjt{yżЊ͒ӗԚӤآњҭإϠөۯ֣Ԧظ޶ܱ۸ߺ߱۵޾ᾥວݻݾ޻ܼúóˡYgCUBPHSHQJSJRMTPWRXNXPYNXNZMVK^IVJULXIYANFTJXR\Z]ihnfwnzrznzjyn|qyrwnrlmijllkjhklgdlhoiwkylvhthpbpbp_reofsft`tipao`piqbpfpdoesircrgtepesdtgtjtjwiujzn}p{nu}iV=X]>`n(Jp,ObAI 
-3?0R9ztlefr\cWTS;H.D(A3EBJQSbXp[|hjnpttrnlgj{boZg\TPBI-B,B(@1E6J:K>P?ODVDUARL^DTCN>MBN@MEQ?NEOGRKULXKRPXNXTZTZRUQYTWRTXYUXTTUVWWTXZZXXYXUVV[SWppdWMUQ[SVVXRWPWMVSaU\Vb^d\gbi^b`ijm^agnmpjrljmonmeoenrznr|yrp{~|w͍ΆΖӘБԣՙӜ֭ذڪը״߸ܱڶݹܵ۵߻ย๩ܻݿ߻ںٹ·õĭΥbo>MBN>JBNDNIRLWR[KRPWLXJXHWJVL^PVIUETBRFVIXS\^ejjqnvh}n|k|m~pylzotlsjmfhdfdficfb_baiepixpymvirbobp`peqetguisdq_pepdp`oeobrfqfshrcsgrdvfqbvhxjyixjwjnllo\2C_AU?ZBVAV=Z@[?a?`=b@f>e>f@f;b>[ZEV@Z>bEbCq)Ls.QfBT;D6K;E]xrnlxdl^VSDH1B-D*B4FBOVXdYn\hhlnqssmoiixar\bWVUCK,B*D*@2G6H:M@P=MBTAODRGSCQGSBRDQBQBODPERHRHRMVKTQYPWPVPZNTPUSWVUVZTVUVVUX[X\ZZXYYVWWW[f`~PQMXSWPSOUMVKWPWS]V]Y[ahfk[a`ghe_d]bgjlpjlopnpjwkouxmspplswzqx{˃z|ȍʇɖϐΎП׬ؠ֨װܨڭ۳ݹݴ۲ܺ߶ݵ޼෢޼ܼۺ޻߼ܾܾ޶ڴݾƺҲ~tSbV=VdAgBdF\GZAYD]BfDh$Gr+Ng"EV:J5O;:Survpl~fq\`TLN5G9M2J,D4HCNUSdXq]{bhiojpnrkif|ct`bUVR@I,D*D*D1F4F3I@R?LGY@M>P@R@MDRCRCODOERDOFNHPJQLTOTMTNSSRT\QTQVRVZ[UVSVXZSXX\VXSVWX\\YXTZwpmUNUQPNSIPJSIPP]QVX`Y]T\]aX_cibe\a_cfllneihrchnnqupqprjllxszekxzz||~zǀ|͑˂~˚Ԥԙզ٭تکٳܲڨڱ۸ᴜ۰ܷ߸ສ޸ݻ༧޸ֶػڸӬѰҽξ`h5H;MDQMZIRKWLWHPDTHTGUIVFXFXBYEVK\S^bdnmsm{p~nmnn~s{n|sxlodd`\_V^PZTXT\`_edpiulxkufpdrdsgrbxgvjtdn^nepcp`pdpcrlrgrdqfreukqerhuiwixj{hoowhKPk@XAU@V?W=WbDc?fBc@h@fY=^AeCe DfG]BXC\A\@`Dh!Fr2Sh$HS;JTGXK\O`_clhukwl{np~lp|nzk{l|rrigbX^PXDNJVIVTZ]^kjoiwnxntir`rhrcrdtesdpfn`rhpcrepdodqfqepdobtgrbvlwkwlzn~qn|gVVz'HXCU@X>X@V 8[AX<`@`>d@h@c=c<`8[:Z<]N?P@O?NFRER@NERFRDQCOETJPLVMVLSNUQXRWPVPUV[X\[\X_VW\bVZ\ZX^TTTWZ\Z]gb[VQRKRHPMXKTNWO[T]^^RXRXX_]c^d\c\d]b^bemdlcj[bjldolrhlqojiishlrv΂ll|xπ}ˊΌ~ӟء֠ڰ޲ܩئ۶۫اٲݸްݴ۸๦޲ٯٱتӰԿ̾ھ|1H4K>MCRGTDQHVCTFTFWBSDTDV@VDXN\Q^`cgbslwi}n~l}kk}n|n}q|orfg`ZYJP?J;M;MIXU^cakmtpxlujsdoapbo`tcrdpbpdncqdodqhuiqgtirerdrfsbshwhthzlnzk_Z.JZ>VET=X?X<\>^>`>c?f Da>e@f>b@]AX=Z=cBjBhC\AVAXBX=^B`Go-R|:[t5XdHW=o)KXhxzۃuwvhtcdVQP@K.F0H4H4G0H5HCNTUd\q`|bfkknqrjtpkz`m[aZOP>K0F+C+F2F6I;L>R>LNFSBQESESDPBSFVDSBV=UBVKZP\`djhrluhzjm{i~l|mzn|ozrsklj_`NW8J1H2J6MJX[_hinjtkvpserfobreufr`pboaofrjpbndpfqhvjrgshshsiulvivitpmcT?U 
8Z8Z8[;b>c>d@d@d@f=b>`@Wi?`BU?ZBYB\AcFi(Or-Ts0Tn+P`?p&JSdpr~wهvߋu|dybm^ZQEO5J.D4K4I5H6J8HDOTTbVq_|dfnllpnnomdz_n[`TMQML5J+E,F2H6H8J?N@N?QBP@NBOCT@PL[HWDRFSANHUBOJRNVOWQTTXQTQXRZVYSVX[TXWVW]VVZ[VY]XYY[\aXPRHPMTIQKRLTOTX`V`V`T`]b\cVZZbZc]bT^^]Xbal`gfggnjmlnroipvvcfprklqvrsjnz|vẁҋφՙכלܯ߮ܩڬ޵ລݰٲڴܦԤΜϤѲĿʹ˽ɾɿɼ̺ŻʵдBT2F7LP>MDR@O@QDV@QAU?R>TKZPY]defnjxlpm|k{mzn~p|pxpqjle_\NW:J%C"A(D@RTZcehirlvjujtkn`rfvetirgpdqdrhn`ndrfthobpdqfsjtjxivmylnviLPmCU=U9T :V 7[:]@b?d@f@fBc>f@c@`W=_@d>iBbAZ=W@\?^B`Bg"Mq1Wv6[l)Pg%Jz1RNcmrx}t~uՆyvar^aRLL7G.B6L5H:L9J1D;NBLTVdXo[{hnhplrrnnmdzbn[bUTRFM6J-E2L3G:L8L:LOCU@TASF[@R?T:O@TIXPX[_fcokzn~p~mzm|k|l}o|qzsqklfbdQW7M~=q@x=4ILWX\fhlmumvmvgriocofresindmdtloephpgrhpfnbodpfnepfxo~l|mc`%@[:R 9U8X 6Y :Z:^=eBgCgChCdBgCaBY@T ;\Bd?hBa>\@Y@\B_Cf1Vh2Zm'Rr6Zp1Xn*Rx2TLcls|xЁwzuzs}rq^fVTP>J2I2E7K8I8G4C2D7KEOTVe[sc{bpnloqlqqkey_o\bXROCM5I,F(C2G3G:O;N@P;Q>M?RFTFRFSHUFUEOCTDOESKSKTLTKSOVPVSURUT[QWVXW\VVVXXXXXYYXX\^`\RROXJQJOLXHPPUS]NVPXU^Z\Y_UZQX`gTXV`U_U`W\cg^bgj^glpkmorjidjqsfjnptxmrrrtvzwt}w҆~|דؔՓأީ١֡ڳۦҕϔʕմʸȼƺ¼ŴʼžȻȿķɼǺɹμƺ˹ӻ2G0H0F9NRASGTPZZ\gdqnzn~q|l~m~k{l|pxnytvkljafV[@R"Dh=p>$@;LQX\ahgpiuozotjpfpfpdthqgogpbqfpgqirdshn_reqfqfui{q}jl_5FbAT8V?Y>Z;Z<`@dBjBgDdBfAf@`@\AU@Y>h Dj"Bd?\=X?YB^Aa#Je&Oh)Sl-Vt8az/Z~3YPiiuzx́~ЂzwsrqulfR^NFJ7G2H6H8J6G:G7E6H4EEMQR`Zq_ybfronnplnlbycnZ`UPLDN2G(B,E4J;NP@SDVGUCNHVFPDNERCPCRHQIRJPJRLTPUPSSUTXPTTXWVZ`ZZXZQTZ\WZXY^YXUJQNXGNKQOXKWQ[RYMZ[`\aRWX_T_Z[W\QZQ^Z`^d[\djc`X_fjkovsgfnptrlmrnqquxvtrs|xzz|}yvρ|Ԍӆѐ٤ܪڝ٥۬ס̄~ƍϦݹȺȼ˶ĵļ¼ȾʸȴȿǽǺµȸżǹƹ[k/E1I6F8M7M>NCU?R@Rb@jBfB]AY>[@\?`=d$Lh%Nm+Vt4_u0\:`Khfwvx|zЁxӃwqnnl΂zZNQN=H1I6I8L?N8J:M5G9J6G>LTS^Xr`{ghrpotnlngdz`lZ^SRR@H6I,G+F8L8LY;\>ah>hAd>gBfA_>Z>X?a?n Bm$E]=Z@]D^D_@^Ab"Gh*Xl.Yv7b:_Jgatt|yw~{Ёx|xon΀wԋRPDH2F2F7H>N>L:I8H:H2D4HAMQQc^q\xbffnsqsunlj|dn``TOM@H3G+F1J4OaC_AaBfLi&Tr5b~8bPnbwv}~|zw|sqr{qԋ|ؐ{CK9I3F5N6G:L:K;K9L6F1D8J=IPTbYnZw`ijvpsurnul~in^e`RRLT2F)E4I5K;OO,B.B0B2F:G4K:NDQRZ]^hboixk}s~m}q~ryl{p~rynwnphdaY_c9UBWFg G3MBTIU\\bbmhtntnufrbnbndmbmfmeoirlqjrhsjxjylzltiNPq>Z?Q -9V 
8W;W=`BfDjEj"DfAe@dBb;^P:G;N9L4H4GDPOS^UmZyhfhmprtrllkydj[^VTSDL7K*C+B+E9L;Q@P?RBRCRBQDU@OCN@OBODOAOFPFRJOJQJSMUOZRVTYSUSVNQT[VWXXV]WY_ae^QVNTLVQWTZPVOWLTRXQWT[V^T\OVYcXc\dX`WdZbYaeifhbhjn`flrtrkotrfmnsurjjvmnnsrnlinrrpm|zxtvwӍٖԊ|ppo~̥߲໱幦ķ߹ƺɼȾ᾵⺬Ļܾ۴ڿฦøʺŶིྶ޼úú¸ʻ4F-F)A0F3H3H:LBOOZ\^icolwkp~p|lt~l|nzr}vztqldaVX>M&Af:X=X@`f?]d>qCjC`@W@[BbB`CcD`Ie"Jh$Rl(S;_[nrzzz{z΀|΀vvx|zӌ}ՔՐ}ד:N4H7JU:W 9f9~;4JFVV]a`gethtgterfn_lblbqgpgndqitlulxm{kj`8Ib5T 8T 8T9Y<\<^^?\D\=fFbCc I`Lb!Nm$R{9^Rinxwxy|xv΁yzxxzщ~א~֑֓ؑ~T:V`Af@j Bh@i@h=fBeDa<[@_AgAjBf H\>\>c"Gb@cBaD`I]Hb Nv3\Vnlxywxw|zwxxxz΅~Ӑ}֔֔גՎ}4J8H:LPBNUYaZo`uanopruvrpojzepbbXRTBMQ>MFUIVBL@MBPBOEMDQDQELIPLSJQNVPVRXTWVZXYVYRXPU\_݊uSTHMBPEPEPEPNRRXV[RXKTSUOXTXU^PVR\X_VbX``_hkadfrrrijuvwunorvljnpvwqynturflmrlrlmhhmrrlknemjs|њܦᶡඦ࿴࿰ྰ߯߸ܸ۱޶ܸڴຮອ޴ݶžƷᾶƱɾ߽ƲʿȾƺȼʾøŸʻ̾ʾȼξؼξVjv:~"@)A4H>KNVZYd`ngyozl~p|ozm}pzr|o~uwnnkdcTZBN-Hj<\8[9X6X5b 5v6+E>JWZ][fcnfritendk_k`jbjatjrhtlznygc\(F^;V^i>h@f@eBh"DcA^@[?dAh Fc<\;V:^?`Bc?h$IZB]H\Mp(TNjlx{||xvxyqusv~xҊ֔֔ՓՒԐ~6K4J:K>PN@N=K:L:N;LGSQWc\lZvbmnpprtshrj{fp_f`RSDO6L,G,F/F5K:NKZ7[ 7f5~>2FDNUS`Zh`obvirak^j\k`lbrerhwpzmma>Ib:X>X`;iAj>hAgBi!EhAdC`@Z?^>gBfD`CY>^@dAfB`>_AVA_Kj%R?acwy}΁}{|rtnvpsҌ}ҏԒՑ~Ք֓~֑L9J7I:J9J7L4FCPSX`Wnbzempoosqttro|ipccbRSEP^;\>^9\7[ -6^ 4m5"=8FIOVU`Xj`qbpbj[j\h[n`qdtjwlvkRTt=Vh^BcBiDcBZA^DaCjBiF`@X@R=`IPM`<_:`:\ 5\ 5] 5l5$>:GHNVXvyҐ֣֟Њi`nd܄}zjwfcZ'D[=YAW;[@Z;`Bb@h?j$Ig?f=iEhDdB_C^Bd>fDeE\?\BbBhBi!Cb>X=P 9T@r*SUtt|}~}~x{pwprzuшӌ}Ռ֑|ԏԎ|ԎՎ|Ռ|O=J=O:M:L0F4G>PMPd_pdxchnmrossovt}ir`c\SVFT4N.J+G2L6L7K>N>N:L>Ka:_:[7\6X 5Z -0g7+DUkɠҺĴԠܯ÷┌md8Hb?V>UZC]@^>fBh@g@gBdBg!Fi"Jf I^DcCf@b@^>ZAaDhEgAd?`=Y@T@h"LIjn|~|zvvptpxvv̄~ԌԌyՎ~Ԏӌ}֊zԊzԊ~֌{MOT_Znaygjonspsoqtrzcpde`\\KV8L,I-H0H2E:JL@LBNCP@PBPBQ>NEVGXN\ITKSIPLSJROWNTNTLPKTFV_^őwYW>RGTHVERGRHRMXNXPXPXLSJUGVNZX^T_[_\a_cfaafhlfhejnnvspolkjedklpljqn`cP[`j\bVePcuԑێݫ޲ൢߤ⬔ڣ߫ݳݳܹ١ו֗د߲ߵⷦ⺰ྲ޺⻬۸⼮㼯Ƹ»¼Ŀ·޼ܽƹ¶õǼȿȻ²̿̾ӻCZy>2HAQWXf`ndvpyjyj{j|n|q|m}nxm|tokcaZ_BP0Jp?acBi!DfAgBe?hBeDf$HbB^@fDdE^?_?^Ad@h 
Eb@\LMP\Tnhwhjptrquvwrmzeo]dXSSCQ9N$B(F.G2H7J6K8I;MOLDWBSDRHRDPHRGTLTLTNULTOTJPBPBXۓȒcPV>PHXERBRJTJVLVRVTXKVNVPXMXR\X\S\P_aeajclhhnrkngidkssjiZ^fnjhopkf[^Ub\fW]Sc\nzٛڡؙ୕㺪ᰜۨښ؝آޱ޸ܪҞרܴ୙߲ܲݺส໰޵Ἡ߽ຮ༫ݼ޺÷ļܽ޼ٹؼǽǾóȽ޽øȼʾʿx@*C?NRVcaliwnzm{l~l~n~l~n~q|r{spncbVZIT/Jn>\?\<\L@L?Np#NQmtπ}}wytwtx~ӈ~Ր֑ԒՌ}эҊ~ԋ~ӊzӈ{Ԍ|ԉx6I:O8I:L=M=LN=J;M9K1F`@^>^>b@c@bAX>[AcBh DfAfD[@ZAj$ODej|Ӏy||uzvx||ІՋ~ԍ֎ՎӊՎ|ԋҌҋ~Ҍ|҈{҉{:L:K;K;J;GQ?L8G;K5F?JOP\XiXvefrputrpqpm~gpcbYQQ=I2E&D'C(B,C3G;LAL:J@M@MBPBMDRBP@M@LCQ@MEOHPISDNFNLPOSNUNWGSBXӈ|͗xuaKRER?QBTDPLVDOJVRVX`KTPUNZV\TZP``i]bffhgXZVbdaPZN]dhigkighccad]YQUMZP`{}؎ِަݦޢݛؑՋאך۴ۡԕצܥ۩ܚ٨ܪܳ۶ޭ۷߳޸ڭᵦ޺޺޹۲ܲ֬׮ݼᾸĻĻᾱ޻۾޾ǼȾļĽǼQf.FHJ\Xjfnlz~u~qjo~n{nzoxnohccUY=K|=]5N8I 4IZ@\@dBf>fC_DZBdL8\cxwЀ~~~wzqv{|ІԊ֋֎~֋~Ս~Ս~ӌ~Ӊzӊ~ӊ~҉{Ԋ|ӈz>R:M=LM@PBODOBP@JDN?JBN@MDN@NDNEPGPJSHOKQPUU[V_FQGXƌzo]HT=PBSFVGSFRHOLUOSVYFNLW[`JRVb^_ccfkaaXc`jY_Pc\gcghkhb`^\fc`RTPWLXI`ȂەܜښߧޟؔڐؓԒ՗ڦ֏Ւڦᯜܫۤלٚߵ޲߹ذݬ۰ܬݶ۬ⶡڻ޴ئ׫޽޺亨έ῱޻๧ἰ¶¹޼·޿ܾ÷źȿƾ˾6LCN[Viatjtrnmoo~orzplfc^NRe@b@cA`<`L;K=LI>L?K=L6H@LKR]YiXv`flsqrurnsj{dqdbYTTEM0F'@)B,D0F5H;N>N@LCP@M@MCLENBLDMBLDJDKEPELHPKTOWLPNRNTQ]HYOXkocAM:L@MFSDSJTJUPXPU@L@PW[MZX^\_af^`b`[bZ_OYVe^fjmrp^`TZ`afbU[PXLXVi~ڌܚޟܧژ؍֎אՖܣږԒڥܧޞܤܦئأڮ৕޼ܮ޹خܪݧڮ߷٩ڢ֣۲⿶㿵๲⹨޼ὰ۴ݮ⻪ø´޾¶úļĻŻǼŻƶŸüſɿμevBKYUhaul|lm~joj~lh}otcojZZHJ:Gg6J8F>o>aҼ޺ʐʢϽ˻̾̾ɸŶƽńMcKDP@ZAZB^Ab@b?fBbB`<`=`;b<\>V9]Ab?c>iAbB]EYCgH@dj}ЂԂ~zzxxx{~|ш׌֊|؇zֈyԇ|Ԋ{Պ}ՈzӉ~҆|ԉxъ~Ҋz׊yN>M>N@OCOCREMAL@L@JDPISHSGPIOJQJRMSOUPTFR@R[YМq|aHT:MGTDRHWMWGSHR>QGUNUU\Y`X`\_]`T]^fY`N`Zk_c`ghgdf]gbfjd`dRWGTYeԋފڋܜٔ֓֊ۣ҄ٛ׌ؗݦߧުٟۡۛݪ߲߰ڪާױ۩ݴۮ۴ڦڠٝխ޸ݳḨ⾵ུയඦῴᾮܺݲᾮ¶¸߽࿵³ľ࿰޿ڹؾľƼǾŸȾ̶htXXcXtfyh}h~ilhj~lxeschbRQBI-D]:]#Jfʸ̴۴ȖΰооλλǹݻŸķȺĂK`JDR@\C\D`GdDdC`8\:\9]:d@`;[@]A_>eBfBd>Y[F|*R\t|ф|z~t|~шԌ׉׉|֌~և|ԋ|ӈ~ҋ҈yԊ~ч|ԇxԇ}ӊ~։y>M@N>L@KBO@JDNAK@L?K>K=J@LNRZXnct`jnnxqwpllpgvefYSWFO4G0F+E0F4J8I>O?LBODNALDPBPALCNDNBL@LEMIPFPHMMSMRMPPRMPJRBUrhΞg`VKS@NGR@LJTGSEN8QJXTbVZNYY\abTXZb\]R^_j^dR]\fhgdlrtnngh`aKRDTajxyۅwܛےڎڈzԊԉؘ֞؇zԇؖ૜ݦकޣ٣՞۪ܪ߲ۨެثڤدݦ۲ڣ֘Қڤ޸ޭ߱ݶ们⾶⼰޻ܵന߼༬޼ݶ⿫÷ܼݳ޺֧նھۺ´ĻĹƻȼžȻɈbYp\zd{b|ag~dj}fwbugaWPP5D~&FIgҿ⾣Ԫ΢̽˼ʻƶºķĶ˿D]HBPB[C]EbHf"EfEa<_;`:`8]6Z8\=`>gBfK@LEPAL?I?GI9GBJJO`[jXufgpxprxqwptcxhh[RRCN3F+E.E.D5G=K?
L?NCNCP?JGNEPBMDPJOEOAJDMHPKSKRLRLRRTOTPVFR>Wyʐz`\TIV=L>L@PDOCR@RKWO]VZMR[^ORTYa]R[HXZaW`Ze_g`bgnceZb]``_HT`]J@HHK\TjZxihtrqstnsplivdhcVTCJ2F*B0E0G5I5F>O=K@LBNBOBLBNCMHRHNCNALAHDMOVJMLPOPLMPRQTETCVꬖʔ~q[SOOT@M=K>OENGTLQNZIQKVPVAJLY][NWIY^b\fXe_d]d_c[^R]Y``^MZF]fq|w؂z܌َvtyoӃxyэ֒|ԍޠܞژݘܚܨګܤݲؠ؝ڟأڬؤۧڦדϏע۪ۦܤݴ۲ڰا޲ݴധ޺߻ݲᾰùܼ༮޷Ԟ˒ҩݶ޼¹ƺºùúھؼľ¸}nv^fd|`yfybxbo[e]^dsάӻརմ׳մ;ͽʹŶĴƻ¸ŷǻȽͼf$DOET_>^;^?eBb>h>f>_

G@Q;IALNO\Tk\vdglrrpwmtnkjydi`VTIK2F)A,E/C6J4H`>ZL@MALANFPEMEN@LELDMAN@JDKDNHMHLJOMPKOGQJGXAN_<\=\>\:b>g=e>`@]>hA.UYtz~ҁҀ{{wx}և׋،~֊Ո~Պ~Ԉ|ՈwԈ~҅z҈}ӈ|ЇzЈ}҆z҅yσ{ԅy҄xCRFOBN?HBL@LCPBLFTQNVIR@TR^X^T`Y^RZJXW`\aS_R`Uesvyrwv{ov|suuvvԁ҈diy~ՉڐٍՁژۦڠם֒ؓהԒُܪۦ߰٦׉҃֙ܬܡ۝١ښ୘ܪܠۤؤؚݦج؞ۦ߸ອߴߪ߰ئИ֬۳޸ڲڲحׯ۸ڵغڼڻݶݸ۶ڴۼؾؼյֲպԴع»ź݄yz]zbxfxk؏ܲʼͶᶜٳڵ٪طʼξʸǺŹ´Ĺĸƺ¶ƺȻ̿οܼv|KCRJX"I^H^E`AbAa@b>\:\I@KGJNK_WlZ{hnqsmvrt}xvj{giZXPBL2G.F.D3I;OJCGPM]Vm]zflnmrpswu~rp{fn^UQFL6D+D.C3F?O@P8EI?K>LDN>LAKBLDNFLJPFLBK9O`Ad#EdD]@Y;Z8`>d>a?dIk$Pq$P1\Imf{{}~~x{wzy|τ҉֌}،~؍~׊֊֊֊҇ӆ~ӈӆ|Ԋ|҆zцyԆx҆|҅{̆}҈z҆}FUAMBPBNDP:L@MBNDPAIDKBLHMQR^Tl^yaglrmxvrmrri{gkZROIO5G,B+@0B4D8F=L:H=JJBL@LAMCM@I@LDMIODNBHAL8NFRͩǏx|x_zc\W]XLUVRKTDPFVCRJVKPJRPVRQOTX_bdV_]d``P_F[hruw|wwwsqnnpnxv|rad_jpsxtuv|ԀӁy֔|{}yօ֍ْםؑڞܥ؞ԃҀ֎ܪܠؓܜ۞ژڗۤڜܠ؛֘הڗۨܦݨؤإڨܩܪܫܭ֤֦ڱٲڸԯڲضٳزܪګبכԤ֫֯հԤҮӪԭΤʚȜΪҪ׵±俨߰ޭ޽ສ޸öʻ̼ȷ³⽫³࿰߿߾·÷ƸøŷƸຮ۱ܸúɽʿξظ›L>O =X>[<_@]:cAb>[>\;Y<`Ab=f=gDdFbEn%R:c[vt}~}|wzvz~~҇Չ؎׍Ռ֊Պֈ~Ԇӈӆԇ}ӉԆ{шч|҆ц~҆}҅{҇{ӅzFWAO>NCPDQAN>H@M>J=I@L?GENQN\Vn`xchssmssyrzqnydhZURIN3E'@)C.E6F8H=LAL?I@M=JAK@M>KALBN@M>I@JCLBJEMINFNBHFR6NLQУʼnqn|cqcj^`Z\UVTNQRXGRHXGRGVMUKV>NQWTWTZ\cY\VaN[`nqsvrz|ytlphlwwԋ_ahouvzyzy~|ՊsupnՆ}z~،ٜڞܚםԍֆ{ևԅڟܡڏݘܜܖܙޜܦڛڐܢ۞ڜ؟֖؜ڔڢՠٟޮ۰٪أئ֨מצٮخ۸մԮڰزةتաלԠԜը֭֭ԩСϠѢɖʐǙԱòêݬץӦۺ༰ݼŹʼ̸ǸIJ۸ܼ޿߻޾࿳ø¸ŻĹƸ٨נܲ߾ƼȽʽպ^fKCR 
;Z=[<]=^Db>dD\BX=Y=]JBN?LBJBN@K?LCK?J@KFNDNCMHNDJBM7NTXԭwts\zch_jbQSjbTSMNCNHPCPP[FRHZJ\SXYdT\PTP`L`ckrxjlwyzulqnpvwрwY^Zfpr|t|yyvԂ~ԆztgkprprԇՍ؏ܥٙؔ֋pt֊ݤޠޠܚՍی{ޟܜܚޢݧٛۖܠڞכؙ׏טڗܛ٧ݦۦۣڞ֨ܬ٪ןڨخٵڶײר٢٦ة֮Ӣԛӣ֘֫թըϖ̠Ɋő͢ݿ®޳՞գ޹޺ྲĹǸǶƸƶ²ܼܺ޿߿ྴ÷úƼ÷ƶƹץҖҕۥڵƺĶƸѺɴo,HQ@Tc$L_&LV;`>a;eDhDcDY@ZA3\cy|~ԃz|v|z|Ѓъ֌׊|֌׍~։׋֌׋~֌Պԇ}ӈԊ~ԋxӉԉ|Ӊ|Ԉ}҆}ԊzՌ{ԆzGBNCJ>IDJ>H?LFODJGNIODN@I7P\T׫€zjzoper`aX]VZSHNHQJVDOETIYRXGV[b\YGRAWHXlsxuhjtpurkjsurpЀrT_\hnlyvtrzvՁՁ|opktxz~xy،zцՇ~ٜ҂}Ԋۙߚݡڜ۔۔Տݐݞڞܜޜߢژ،ւ֔٣֕֍ܖ۠ڜܠҐ֜ץ٢ܪگحڟګڱد׫ץ؟נئؤ٭ק֘ԡ՘Ԧԟ̐ƎǖۻĮṞ֪׫ٶܳߺƶƵö±±޽ݼ޾߿߽´ĸźĹƹŶܰԔъӌ؛ݸජް伮ʼήƕTU@Z@]>`@_?^;]AZ?\>_;`9_=`C_H_Hn!LJjn}~}y|v|҈Ԍ֌~֏֏ٍ֋ֈ׊ԌԋՆyԈ|ԇ|Ӊ|Ԉ~ӈ{҇|Շ{ӌ{҈{ӈ}Ԇ}Ԇz@LAJAJBQ>NAN>L@M=I@K>I?HGPNO`Xo`zbnlouvzxtvxi|jjZXWFP2H.F*E3I9H>N?L?L@L?MHSBNBO@L?KBJ@JAN>HCNBLDMAJEKBIAM5QVTԮ~ulghwar^mXj]Z[QTPOIP2FBSMSDPUZXYRXHTFXdjtsspmnfdnvmnԀtrrP^Xfrpvu{xz|zwӂ|vx|{ry|ׅԊrxns֒΃tp}ڑߞݞۓُڐښٕ۔ג؊ܖڠٖڋ؎ה֐Ӎڍؘ؜ؘՏҍГՠ֙؜ؤ؟ۮܮڪ֡קקסآ֞Ֆ٧ר֧إҖԚЉК̒ȓԪ®ڧ٬۷ݴݺ¸Ķ°²༮޸ܺݹܽݽ༰߿޽õ¸ŸƻȾ²՛ҋ͈Ћ֤أ΀z؞ḭĮϸLWQ@T@]"J]C`A`@aB`A^@W=\8`<^9Z<^Cn&Vz0\:_cyy|}zxwzy|Ђ҈~֋׋،،Պ׋|؊Ԉԏԉ}ԇ~ӌш}ӌ~ш~Ҋ{Ԉ|ӌҌӆ|Ӈt҉Նx@JBN>JESK?LBLBNNSa\oalhlruvpsvylkz`k\[VGO6J0F.D.F6H>P>O>PERDP@N@NBL@L@KAL@K@K@LEOBJBLHP@KBL?M7V`WԬp{fmd|jpYogdZg]\VNS@NBR\;\Bb Oy.Z8dXrt|{|}vzvỳ҈ҋԋ׌Ԍ֊ք}֋׊֋֊ӉҊ҈{҉҈҈Ҋԉ|҉Ҍ|ԇ|҆yԈ}Ԉ@L@K;J>H>L:LL>I?L@NBOQRbZrb{cfpruwtsrvojzcl\XRHP8H)D/H.F5JJBMAJ>H@IAHDHAJENAI@I>M4Pl\̜|lqgheobj\pfm_XUFNFS@M8NHQLSHPEO@TmrtqmjioifeglnppqoP\Zjjnllllxt׀}tssrlotrԁvp~x~֊օ{yjp}{ۖւو܏ډ݊ܘٌۖڒؖܒؓ؋ֆ؂|ߠٌؔݑٗՍ~ϋѕԓ֙֕ؔ۟ܞוؗԓء۬أמ֓ԙ՝ԞӑӚԕգҚŎŃΔٱު֥٭ڪ޲ȼĴòݹܯڸݺܶڵݺ໲޾µøȾȽǺǵ⽭̇ˈюأإkjnqӋ۠ߴѴv}Pc<\>_Fl#R~1\Ijo}z|{z{vzz}Є׉ԌՎՌҏЎև~ԌՇ}ӈҊ|Ԋ~ҌՋ҆~ІԈz҇y҈}Ӎҋ}ԊyІ{ϊ~҇~JBK@L=J>I>L@J?LDPSX`[n^|dilrvrytvxqm|dr`YTFN6H*D,F0H8L>M=LBOBPBQAN@KBN;G>LAJ@MANAJBJFQ@IAK@J?H8K2NziΞjxko_rf{^m`fYpf[RJOGTCTJUJPLWETEYdlrqpqkjjiY`intuaaZhXe`iqqwuqrrptortnqvqryqjgr|x؄ׂ~ցos{zz܊ّ҇{ׂz؇܌ݣے؆ي؆؊ّڐ֎ۆݘٖvqықӍ֊֔׌ۖ֗ڔڜڔٌؚؔۘכՖ֜ӒؘԜΐҔˌΐΐȐب㼦ⱑښ՞ܯܰ޾ȸŲ¯ܺܶٹܸܺ۸ܷܺݼྴ³µ߿¸ĸøļȼɻ˺ɸ՘ˆҒڢנpnw}ʆؙܟ㶤ҼBTN 
K@M?L=J>L>L>KLM@K@L@KK]EU:^$KaBeBdB^E_Jk+X8bdt}Ҁ}|uxvyЀщӉԌՌՋԈъ҆~ӄ|ӈԈ~Ԉ|ҋ҉}ш҇}ҋ}Љ|ц}ъyω|҆|ч|щ~χ}҉ӈx=K?JBRBPANL>LIBNAM>I:D2G0I찆Ŏyz|ppj~_dTyco]f^LNHPK@M@NBPAPAM>P>J@JBMDLHRHNTT`Xm^zcirttvrvtpml|fqca]DK5E*C'?.F4H;L>OAQM>LJ>JCL@I@K>H@HWXf{ⶬؼ̬T?KbBl)LcDbFcNj!Q2\`v}ւ~xxyzz|Ђ~ӈ~Ӌ،~׊Ԋ~ԈՉ~ӈԆ{Ԇ}҆|Ѕ~шԈ~ԅ{ч~ӆ{҇yшzӆuш}ЉzχzЈ~Ѕ|φ~цz΅}DQ>NBO@NJ?LAMNBPASANBPBPCLDNHPSVd[q^{_fossrsstnsnppa]THL6D+@$?+@9K8L=JBNAL?LBPAKDN?I>JDJ@K?KJ:D>JdOzăْۏԌw_TSZ~Wx`sшڈӆǎzV~pkx^pw5pf Omʆvxؤ㳚঎؏ؖۦⶡƴ²⸥ජຨܹܹڶ۸ڷٹڻܺܽ·øĹŸ¶ĺĸĺķȺοоܮҕ̇|h`;H3Jf>h D_G^Kh N3\_vz}|}zx|wyт~Ӌҍӈ}ԉՊ҈~Ռ|ԇ|҇Ԉшшчц~ш~ц|Ї}фzЈ|цzшzЇ~υyΆ}І}Є|͂zΈ|΃zDNBP>MDQDQ@O?MBMBP>NAJCHJPTQdXpZ{bklvuqpvnvplfp^\RHN4D'>,E0D0D8HLAQ@O=M@LAN>KAKBK=KBP@J@L@F=H>F\;`<]9Y9Y:c?iCbA[B\In%RLjp~}~~|x{v||ӆԋ֏ԌՋԈՌ~Չ~ԌԊ|Ԇ|х|ӈч~Јх|ц~І~Ј~Є{ЄxЃ|φ΅|τ{Ά}Ѕz̓xЈxρw@NDPBMBQ@NJV@PCRFSGPFLHOOQYVf\q^~fhktvqvtvutfio[\VHQ7J*E$?,C2F6H=K>MIFQFM=M?LFS>J@JAM?I?K?E@Fh@^?TD^HK@M?NBNBPBL?JBOFP=H=J?L?JBJJH\"Vnٖ֮}ϒذ߼侭彨㻪⸦Ὥ޸޸߸޼Ἢݹܺڴضٻܺ޻߾´ྰྮ⽭ǺƸŹƽƻǺڪvdXTDM>L@O9J:G9H@PBWXd̃ݧ跤̳ìv/BY$IR=X=[Aa?a@\@\?V@a@h@g@aAX@O@bJIfox~z}vwsx|{ӈԌԎӎӍӌԋԊ~Ԋӌҋ~ԊъЇцωҁ|̃|υΆφ~Ї~·}͆}̈́{̄|΅{І|φ|҆z҃v?PEPEQHQFPAODPAPDN@KHOIOJNVRf\r^~`fpprrtvtuqllrc^RKQ0F&B)A1F4H8N=N@P>LCRAM>JG=E5C,IZNΟɖz~jeeVPLbT^Qc^UWT`R]NZU]dgFRRcQ^_kjnhmhmfjhkfhU`^ddjfljqeodkjq`hdpnrrrlvntdtIoZvo|n|`RvZyhzQhJxfj^8m|1i~BtD}>ph^9qv6kr4ke#Xh"`RXk,Xi+bj,hm0dr5hWKRCN?K -:RQONNQ`۪ϊ}xЏ޼ðı仪໮޵޺ܶ޶߷޹ܹ߻ݹٶڸ۹ܼܺ޾߾޾ུ߸⿱ɻķǸɼྤЕ{\VEN;J;IKSDQBr*SXnwz{xx{w~x~҃ԍ֑ԋҌԎԋ~֊ӌՌ~Ԍ҉҈Ӊ~ъωχІ~΅ͅυ~΃~Ї~Ά{υ}ψ{І}υ|΂xςx΅xфyCPDNERHPFNBKBL=JAMJRHNFKLLWOcTr`|`nlrttvqpsslip^`XGN4F.D(B2G3FLDQ>J?MDKBJBJ?IDMAL@M@KBP?IBKfn1h\!MVDM>C 9B -:HD{Dlͤܠurv|͚ݬ⼬潤⾭ẫ⻬ߺ߹ݷܺݸݶ߻໩ݸݹڸطܹܶܺ߾ݺܼ÷ŵ°ƹʺʷéƋrMNBO9L9L9J7JbAb@c@_=^?[>_Dd=j?eCX@PBXE?dj|}|{xzv|΀~Ӊ׎ؑ֎׎ӋԌԏԋԌԋҌΊъчч~ΈψшЈχ΄~Ѓ{Ї}І|χ~΄{΅~υ|΄|΄{уzBRDSFRGRFQDP?K>I@MFPDNFLMPXTeYp`~ggltspqqrvongoW_ZGN3F)C,B0H/D:GIDR>J@J=H>GNBR=N>O9L9I>MHWVg^ooy҆簤뾣ħtmZ7V>W<\<\>_BcAa>`=^<]AX8b>f=j AbEXDUJl&SSnt~}x|zu|y~Єӎ׏֏Վ؎ӎ҇ԋӌԌҋҌъҌ҈ъ·҈ІІЅ|τ}Ά}І~τxʅ~̆~΅|̈́|χ̅~΅~JTIRGQFNHQBN>JAK?LDNFLHNJJWQdTs`zbitnrrrstorlgp^aXFM6F1F,E,F4E9J=H;K=J>M?I@J>JBJ@LDPAL;H@HBNBI;Fuj"T:lAvOXx0ev<{v=xXRlAer@tF >C 
-<@@d,fn֮Ԇv[ffuԢ⹠幜۪߮٬حڶݸܵ۳ܵ޷٫ױ۷ܶٴ۶سٻڸںܼۻܻ߾ܿ޿ིԫxpcx@V>LAP:L[<_>`>eEd?fA^:^K=IAL?JBJ>I@KDPBMBLAJ@LDL?NTJ^aoksЂ|܉|ߋz旁柎ꬔÓ|m#>T FBKBKBI>G:E-E8K‘Ƙ|m}cmj\ZڀuheyehnHYEVVb_knrfhhnjkenO`Wh\hbo^h]e`ffn`hZi_hjqgjkmjlirhz>dhfvMo>lv,`fRg!XJLzl'SdL_LbL\DfQ]L;uj]Z~v2`]FX F`N[Fyl,eI|LzXFJEHB|WqAHHg/Y~ܞrlfoɆݳⷢ㵞ޯة֦ةٱٱڱڰٲٱڱٯڮٯسܴ۸ڲ۶ضܺܺܺྰ޽޺zFXB_XvVvuxly`ohomjzztwv|z蛄馒Ƒ~g6T>X<^<^=_IRNI?[f3g|H|<\Hk=`UqNkjxЀ݊urxwx|蕂Ⓜ蚋쪔Ĥԣj!cAf Cj Db?dAe>_:aA]=a>d;j?a9Wi4vF @QJXKoƋڐsdfhq̒ޭ廤⼨ܮ٪֦֤ԩ֮ح׫ըҧԪԧ֨׭֬ٯڱ޶޸ܴ޶ܺݻ߼ἢ̤IGdJ@K@L?KBM@K>K=I>JBMAL@GCHDLEKFP@I9E/IFKƟǍċtp袄rߌumU^\ATZc\c`finkmceXbRb_l[d^gafZhZhbl\gU`holpjlhp[sJlb6l|˙zm_fcnє߸ಢ亥߹֦֮ѤبتԪ٬֪֩ԦԧӨҞӨױ״۴ݲ۱ܳݸݺ޹ٸjf;fDMf?jy,RwkTpdRrt̆ډ}{|v|ꚁ漣٩v)BR9V?Y;^=^c?e?c?c?d?`<[7_>`=g>d@]E^IdKA`juy}yytxvz҂|֐ؒגؕ֓ԑ֔וՑԑՎՐӐԑӎӎΌҌҊщΆ̈Ήϊω~Έ|ψ̈Ά̆ʄ͈̈́{ͅ|ɂFPJRGSITHUDQDPBNBOALDMFGFIOO]Qn\zchnrqszqurusnr`e^KP6H&B$@,F0H:M8H;J>L?N;H=I>L>LCLCL=L>J>H@K>K>KELEKFNDHDN>H9L6Nv[ز͗|l~堄k_]8HNYdddl[f`bfmR_CVbo`k]fbfVbYfUf[fWeckflnqlsjtHf-NFb6_x,X{:ft8kn+^y3i?|p1el*^f S^Lm'VN^CQ -bR~>vx;bx4b^DbGbJh$RN~t*bCyNo1gP Go>xxQLEHiƓ{sZeftИḦ罧严᳡ݴدԪӦԩ֩ӥ֫ԩѥҡңӤѦФ֯ششܹڶ߳ඥܶשfY.ElEf?FbWn8aLd}[xm\{gz{{yxy임꽖rXo&:U6S 5X7]:a:a=f?d@d@hDf Dc Ba?_@\=`8b=e;b?Z@_Jp(QPlpzwxx|pvyzֈ}ؔؔוՑח֐֑ב֓ՒՐӐԐҐяԊьЉъЋΊ͉ҊϊЉ~І̊Έ~Έ̇|˄͈ˁ}̄{˂~NZKTKUKZIUHRITBNALALENAIDJPQ]Vm[zbmpqvwsuxmuhjp_bYMN4F(C&C/H5H6I:L>L>M;I?KHF3HBM춄ԯ„Ɠ짆mzx~e_BT^agjdkbh^f[dN\Tg\e^f`l\lYhWj[jZm\lltcl]fUeNd@bt'Vm"Pv"S{4dq6dm(Z?q|;ko0`e&Xb PTD\IRaC\Fi"N4X^orvnupvlt~|׏֓ؕٔՔההԕԑԍԐԑՒӏӏԐԌӍЋҋϊ҉Ћ·΋ϊ~Έ~Έ͉·̅΃x̅˃ẑ|΄}HSJTJWNXMVIRGRES@LAI>H>HCIPN^Sm^{dlpvtyquusqliub`XJM4G+D(B0H5G0F8JMAPAO@K@L>J=I>J?NI@LALEOFMHOHLHNCKDJ;H2JaPƔХƎ禉{쨂{g`cf`aagdldoZgRbTf\fbgflal`oZq\rUl]xjxarSpSsTrXrKlHnf=c=jBfAk 
Dg=\dD_Gj$Qt(SHdhroxlsjtptцؖחْڔՒ֒Ԑ~Ԑ֏ӎՎ֏֐ԑՐ֎ԍӍҐҌьюЌЋъЌ~ЉЉΊ~̈~ˈˆΆ|̄}~˂|N\MRLVKUEOFRHREOCLCP>H>H@ELL\SjZzhjttxzxvvrrohs`bXMQ3H)C(B.F/B5H:JOBN?L?I>LBNAN?M>J>NBLDODLGLJPFLHLFMDN?I8L5RߕlҦĒ彩~}o=Fyb^[VZaibp[gViXe_hdq]wng_aV\^b~a}^oUgB[=XP2]4TbRtLrSw`vzf~dkǀ܉v]*>Z:X?X:X;^i@h?fh>f@^=]=`?^8b>e>dD`Hi$O4XWjpunsfrdpv|Ҏוؖח֕ӒԐԎՑ~ԑԎ֐ؐגՑՎӑӎЌЍЍϊЈЋϏюЌ~Јщ̉͊˅̉Ά~˅}ˇ΄~KVJTLVKWFRHTEQCN?NDM>GKz>z>}p%cXw8sk)lRP_l]`ʝ˞ްⰜܮݯ۴հجԩӧҦӧѥԧҢҠҢҢԟҬլլѪլڪ殤骠ꯨ봪빮깬殢⠓qrHU:N7^Y>Z>]<[8f>j>f>j!Fh@eAf@f>k?b<\;Z:b=`:fM;E:HJM]Yl[zgnoxtvvxvwpmhvbf[LN5F&A$?+F2E4F8H9I;L>L=J?N@LJ?IBL@M>K?L@KEPEPHQJRLPPTJPKOEKBJ8K6Q詄زxhu^\[Y`S_V]IYL_Yeajcq^nOeRbI`]rbr`p\sbvj~XqFop%Yp%V|/dr&X0a0`9gFt|;km.Zd"PdLXJVGj$X|7jAni"Tf Rn(Sp2^[?^>aB^@` EaCi"Lf$N^FbJ|Auj)Zn,dyAt}ALz^ĚƏҢ۪ܦؤ֬ذԬԤѝҞҟѥҞўӡҤӢҢѡѤϥҦڪ䲬豪갦걨촩봭ﶯO밡㌄^b;J7Ox-Xn,Ha:[~8bAavqp}֊qnXX)F[ :Z =X;ZAY>]>a>f9g=h>j@h>j@i Bj@h A^9Z9[;`=b=g>bA^Cf Ly/VOgjqowfshsmtΈ֖֙Ԕ՗ԕԔՐԔӑԏԓ֒֐ԏ~ӎӍӒҐҐҎҍѐӎЏόΊ~ЋЋ|щω͈}΋̈́~Ά{̄zʁ}ɅHTMVLVGSFRHPDPCLBP@K>JL>N?L>L:H>J@N@K@MBLBPDMHPGNJRPVMVJQHOBI;N5PzљҤribXb^d^jJ^DXRh`p^k]lWjSjQefnfnbo[qFgH`gs\sDjw*So,Zo*]dPi!Un!Vz1dAp~7gq*\g!VZFXO`Pp-bl$Zx4k?v>rh#NZB]@^<]=^>_C_C\>Z=T=R@l-ar*ZFtz;nm/nzK]l~ԡڥ֞եըիҢΞΛ͖ҦѠϠҢԣӡҠϢϤ̚Ϥᰨ궩밨격찪쵬촪ﶩ蜎njFO6K-LkOr0JNo@ct'Rf}nx}ɀhmQS(BYV;Z=^jAl DjCg@jBe?a=^:Z8Z6`_@`Hp'S=_drqtlpandotw͈֔וԔ՘Ք֓ՒјѐԒґԒԓӒՐԎԐԐҐҎӐӎԐҎЋъ~Ј}ЉЊψЈ|·~͆|ω{̂{ʃ΄zIVJRHUHOHWFPFRBNBKBM=I7F;JIMXSj[vchouwtwxvxtnmtcbXNM4G(B&@0G,D1FK@OCKDNHPDNMTQSNTKQLOKJDL:N2NߖӮΖȚz`X\Z]Zc\dTdRk\g\eTaTjRg`plphjaf\h\mHeOgSc?Z5X.Wt,dh#PcL[K^Ln+Z{4gx.dq(^y4hp)\d!U^Jw4m^Ot8pTM~k$UW:[=^BZ>]>^B^HZ@T`>T;X :X:]=bI@I?K:E7FN8KBQ>N@P?NDREPANAN?M?Lqa QXHu3d^Kd$YRg|:kV<\@]>^BZ@V9XBSHb4Z~5\lnutwHRl@\>X<\^=d;d;j Af@k!Ej>iAl#DiBd>_<`A[9\:b_>ZAbJ=`aqrvpvkpfntvȇьӐӑ֔֓֒Ր}ԓӑՓ|Ӎҏ|֐~Ԑԑԏ~֓ԒԐ~ӏԐӎАЍыҍҊҊюҋ҈}Њш}χ͇̂zzˀ}KVLVESKXJVJSGQFSBLBN;F;G8HEM[[hbu`mtvwvwvvxqnltf`VMQ2F*D*E'B4H7N=PNANCQ@N@OCR@K?MAL@MBLFPFQHPMRRVSVPYNSLOJRjl$Yv2bBs^ NVJu4icRUKv=wbil'Z^G[@Y?Y=V;P :N 6L?h!Mc|ZtKo?bج٧ۧجڲڳװԨЗʒ͎̙̔ϟӫҤ˗Ljϒޛ磙詜ꮡ촬춨O﹬칭ッ︨犂ZZ;J2JtA]>YBn!F9\y.W\rxʂy.IeA^E]B^>]>_;e;j?l?k!DlEj 
Gp,Mm#Hl&Hc@^<]9_:`;f:c;Y<[Hk!LIdjrvuqsfpkp|}͆̅І|ҐՔ֔֓Փ֕֔ӒґЎҎӎԏҏԏԐ֐ԒҎҍЌԋҎҊЉЊъщЊьш~·҆zЇw΄~HXJVKULZJVEPFTCPANAK?H;H:HJOZZi^wfiv|twy{ywypntce[OP;I-H&@*B1E5F@VN@NCPAQBRDPCR@R@L>LBNBPEQHUFNJRJSLSNTNWNPJRKN@M8Tr]ֳљ͔XNDNFMKSRXP[S^TeJ[Ra]c\iZgOYelVcRf\n\n<^V@Z@hJ}=llI]@ZB[>X>\HXFd$R~9jx.ho%Xz9fr.bWIq:gh VQ B\RyCvwIBxExdQN -8N:I -8H ?^Flz}zFfJkĂٝk۰֣٪ٴܶ޸بқϔʑ΍̓НҨԪҞяێ敍蘍ꦝꨝ鰢춧첢춨ﺫꔊmjAL7JzBT=ZC^<:Xx)TGfϐuy&Fa@[>X@]:^>`?d:ji@jAn%Fl"Dm#DkB^8^;]:]8b7d?_=\DbJ|2T\muvutnqjpzyɂ|ʆzɁzȂx͆ΊҐ~ՑԕՕԔԔӒҐҒ}ӏҎՎԌԒ֒Ւԏԍэҋ~ҋϊЉҋ~э~΋Љ~ϋ~Έ͈Јz΄xЄ{~zDQHVIUFRHRDODRBNENER@K7F=HIP[Xi]xhpxtwvsxxwwvj{nc\PY/E1F5GO?NBNBNAK@NEOBP@OBOAOBPENEPEMKQIRLTSXTXMPLRJQDL>ROTȜўԜsFMKRKQKWLVU\R[VdXg`i\aaibgBXRgOdPcG_C\7V[A^D7b@i]>XY:b@_=b\=ZEj!PB\iuxvqpjqptǂ·~˅~ʂyʁȳ{ǃ}͆ω~ъҏԒЎҏӐՐ|֎~ӍҎӎ~Ԑ~ԐՓӐԌэььΌшЉЊъ~Ћ~Ҍ{ψ~ψzЇ}Єy΃|yEPHTFTIUHTGSFQEQ@KDP@N:INBODQCOCPDRDRAMENDPCRBUDNCO?MGRmuRUPURUNTPRLQIM>O>Q쬁֫ӜށjPZLPSXS[OZPXFUL`hjbdXdT^T_7W0Q9\0T}$L/Q3VkJ_GDo{1^Xk!P_Aj"N\A\E\Bl)Ts/`h"Qg#Wm(^{S 8M 8K 5E5O>Zi֎xSaSgΉ߬۔ڏՎvĖԜ۴ԤըқћМ̖͕ϜզҊ{z㈁䎄昊蝍覛ꨜ첦첥춧켯LöôƷdzǴ﬚{V[n?j"EeAfCh?hDl Do)Jl%Dl @b>^9]>_g=c@W>\Fr(PVhu{ztnpdp{v̈ЎΆʆȃ|̈́~Ƃ~Ɂ~Ȃ̄΅~χ΋ю}ЌЌ|Ԑ~ҏӌӎӏ~ӒҐӒҌЍЍԌяшЋщЈ~щ|҈|Ї{х{І|ς|΂||BQITITCNHTGSDNDLDNAN>LNg҉yajQeЃݢܚؔؑӔ{̦ҩ׶׳֦ЗИҜΜҝЛӅ|yzቆ䍇撇嘑蟕꬞ꦚĴĸõǺŴɸ꓊bdAJ,Dr?V@T:] :jE}+\C`ҕÃ7Y`HdDZ>`Af>h=fBi BkEl"Jl"Fp(In'HiAaAZ<\8bJ:I;HJPYVj`tfksvzxzyuuwpktbd]QX?S,I*F.F2F6Hc>Z9]:`:f;j=[=WAaFCalqyvtxhjzxωҕϐΌ͉z̈~̆Ʌ}ɆȃȅȀzȁzɁ|ʆȂ|Ʉ˄}˄y˄|ψЌь{ҎҏЍЍяЍϊ҉͊ψ|Љ{ψ~Іzυ|υ~υz΂yЁ|tFRHTISFREQ>NBLBNBLAP:H9KBNHMXQh[tbjvvuvyvvwwrnu`h^TZ>T1P-L3O4N7O?RATETCRCQCPFPAQDPBNBN@N@LDPDNHQPSPWNVRYPWTVRVUZQVRTRVKTGZ|bܮTSSTOSFQV\\\\a_hV_hr^pU^DXB]!IkD`Ij$PeGPx?zw3cF~:C~r2^D6E ;{5Uǀxi`Wjsޫᖇ࢔ި٦١֥ϓԚ۰޾ڸҚјњ̐΍|z{z⃁䆂搆哉撈蜓꥙묠첧﹨ﻭòŸƵƺȶȹŴyqHP4F!@`:J 8S ;YAz0Wu&T‰Г€AXl H`F^DbDl FeAhBl$Hl 
En#Fq$Iq(Hl%DfA]<^=]=b:dV>YDt*T\pvwxuprkn}}ҏ֔ԔӏЌΊ}͈z̄|ǃ|ȃ|Ƃ|Ȃ}~}|ƀ|Ƃ{ƃyƁz~{|yƂ}Ȃ}ʄ|ωΌЍΌΌΉΈψ|Ί~Έ}φ|φ}̈́|χ~΄|˂{~wҀy}tHRJSHSHRDP>NAOEP?J=KP?PR(IdMaNq/`^aAX@`EC_l{{zutnrqs˄{єՔҒ~ғђϒϐ͊}ɉlj~Ȇ|ʈ{DžȄ~Ȅ|ń}Ã}€z~}~€}z|z~{Ƅʄ~Ɇʇ͊Ί΄~Ά}ʃ|ˆ{ͅ{͆z̅z̈Ѓzуzс{}zEQITFQFRESCRALCQ=JQ>P@RBPESBOESCOFOFTFTFRFQBPEPGQIR^\MTUZPVUXUXUYWZYZTZPUQWT\}`vZRTXER_cb`fk`nbrhyexM_6Qm@bI`Ra!PJzw6gV ?T?ZDWDbHHrk NVD]Fz`@bBhDgDh&Hj$IhBg!Dk#DmCg@c@^?]<`X;XBiHNhtw{ttrnp{{΍֖ԖВҒђҎ|А̎~̏Ώˌ̉ˇˇ̆|ˇ~ɇ~ǂ{{}~~xz~~}~~ǀ~~ẑ|̈́{̓|̆̂|˅{͂z͆υ{ЂwЂwрw}tCPGRFPBPEPDRBN>MBK@LOETDRCOBRFSERJSESBSDRDQBRFRIUIRQ[SXQWNPPTRRPQQSSQORRS\Yc_[Mq]MPTTUYa_kuftic_Sp8ZpE`Gr.cXBS ?xExh"SVBj-aZA^HU =bFz2d`J{:kz2^\B[=bG]FWAv8hbEx4d^GYEVEf YIz`OH 8F\Ε֘FZm!Ep$I]>cCh"Gi Al"Cl"Dn&Jl%Hk)Ii"Eb>`?`@b@e@f@`_dwxrtooppw}yВԔґҐҐѐϒЎΏЖӔя~ААΎ̌Ά{ˈ}ʉ|ń}}~}y{ă}}|~~{~|~|zt|xx~yʅʁzʅ|Ά|ψ{τ|ЂxπxрvCMGTBOIUFNDOEN=I@JDR=N7G;KEOYYh\vjpx{|zx{svuqjudf\NP;L,G,H0H4K6K=RARFVBRETCSHUFTHVGRFQBPBRFSIRGRKRNTRXRTSVPVPYNSLRLVKTPTn\VH8HMPTVFLcbYddze_g^|Ib.RZBl2`o)\M @L aHXBVFi SJ~FphI[>W9fMZB\AFxS@f Or/ddPaT[Geh&TG5F6M=Deo{T`Taʍܞچ|ۊ׊Ԏ֛۰ر׭خΣЧԨҔДч~ᆅ⌌ↆᅆ⋍䌊璏薐薎阒Ꚏꠔ꜔죘뭠촧´ŵƶȼȸtpHQ9H&D^?P 9R>Z@|.U2UɋכZiw&LgF_>aDjBfDhFh"Gn(Ip(Hn%Fh F]>]:b?b\?XDdNNikyxwqpnrsp΃{ԑ֑~ԒӎҎҎΎ΍ΐ~ϑҔӓґӓҔύ~Ί|·͉~Ȇ„|zy}~|}}~z}~zyy{yzzx}z|z}zʄ̇~Ɂ{ˁ|Ёx́xπyDRHQEOENCS@PCL=J?LBN>L6F:IDMYYibzqqx|z|xz~{urmtbb[KN;M.K(E.G6M5Nnk0TR>RGH XCt*O.V|ٞdv~,Pk&JeFi$Kp*Nh"Fm&Ji!Fl'Jn(Ik&Hf@]@_BbBa>e@aV>Z@dL[Ig(Mp2[S >\FU`LY>|FvWF]VRLaErx_a;Swݫܑ~ݘܠؙԍԊ֝۱׳ֱزҪөѤ|kTZ`iqwxy~ᆉ⋍⍉損敕癒Ꙓ꜔ꞔ뜏ꛑ뜐좔죕쮞봤ﳡﶦ︦ŲȸƸ|NV,F}Bc9U :R:V?kGw"Px٣q{+N{,LdHn,Nm*Ne Ef Hk$Eo%Ho*GjCb>^>bBa@d?f!E^?TBe K@dbsrwrslqnsȀ|ҌҐ~ӑҐґҏ~ґЍ~ЍΏБzђҒӒӘҕґґώϊ̋~ˌ}Ȉ~Æ|ƒy}~}{||~|{}y{{|{{y}wyz|{~yxwr|w{x}vGRCOFRDO@MBN@L@M>LAM=J;I8HEPUTjfqfox|y||zzvvqqvddYNR:L.L*H0K6P8NRERCPDPBQBNGTHQJRLSQTPPTWTRSZUTSWR\Ն㮉քdbPb:n6t:(=ZnjdcmV]LURV9TdJm.lu;g|KxL -=NHb"Xcv8iP :Y@`Dk"Pp&OdDaDeJZ;V ;X@]A^DaHf'N_GT Bh.`O^Kg&Zw7id$YQCQ>\h}nDY]lݰݓܢܪԗЄ~ҁ՛۳ڶܹܴ׳̟PJ*>:PJ^Q`_lhsjpru݀⍌哒藒뜕렕띒ꙑ階똌뚍졑쪞봢촦ﶤﺥðôðꛉvqDL@p=aH 9D[}qLZN^Ԝࠆߖݡ߮޴Ҏ΅Ίبܳܺ޺ڸʐHPBWK^KZEW@NBV6I?UK_Vfmrۂ㐊蚓ꢘ뜔뚍ꚑ욒ꕊ뚉죒쨗겣몜밞®㒁vnRX3Jx@j:a8X 6S;V 
?iD{.^JeݪƀLedIhCv,Qj$Ii"HiEm'Hr-Jm%De=_>]>b?dCb@fGXBZFx/WWqptvxpvgpz{Њ|Ր~Ս|э}ӌ|Њ}ЋxҌ~э{ϋz΋|Ό{όz̊~Ў~Ґϐю~ђґ~͊zˆzʇ~͌|̉{ʊ~ljlj{LJ~…~ă†Ā~|z}{|zyx{wzw|xx|szrrBOFRETBREPCQES@LBLAOT =gELkufRX+H-M+NhSj*c{Bm^RCQJb#^D~pq6`M7W?RdGX=V@XAr,\HdKt$@$>4HFXjo݂斋ꘐ陊靕陎疉ꗌ웏쪛겣쫟뭠ꭔߏrmX]JXJs~QU ;)ACUpr㊀摆瑇鍇蒊阍뜎쩜䘁vgUTEN4K1M8SFXBV?L1Dt:f;W=U>^?p%S~_?d@h"GdD^DfLFbp|tvluhrtt΄|֏|׎|֎|ԋ~ԋ|ъ|щ|Њϋ|ЊzΊ|ψvψ|̈~΋~̌~͌Ό΍|΍}͈|̊ˈyˆ~Ɉ|ˉ}Ȉ|ʋzȈʈ~ˊʋljŇĄ||~{x|u}rytzntBMBRGPCSJVKVFQFPBL@JAP5H8JBMTWbYwh{msyxs|x|zzxlxeh\QR:N,I1N1M8N:PBQ>QARJXGSBQDQBPCOAP:IBO?IGRDMDMJRGNJPOUO[fi{vtojne}jVemE:Vp0SJBPvcqbo1Q6R7Ty"IhMp-bMt7p]R\Uv@wM^Qh3ZhV@TDV@p)XcHSBWGn1`Kxk#OV8T 6X8X:Z?_"Qm7VYYDh*UL7G6>V΄vb`lxܫޗܗܤݲ߾ٳЌ·ԟڵܽ֬^YRW\c]`kkijjqH\vt|uuZbaa?P?P8J2H/I2KGYhn㊄抆猆ꍆ鐈얋죘뢒ꡐ{tTV8M=TJbI\UiVcdjLNCJ4Bv=o=Y;T?[G:J6E4CCMVXg\v`ptxz}wywz~to|il`TY;L,H)G2K4J8M>PASDSDRDQBQERANEOBO>KFPAKAJCNDKJNGQKULUTZxnށuހyzpvllؠnq|~lzFdbU`jf=Rp(Il"D[Kk$_{7o`x0hp&fp0hXn1fK@ZH[e%TVEYD}=n\BP=RCh(VR}t-[T:U 6Z 5`>\:V:Z?` Fr4fN -8J:f!B~y[`Zfڦݠܖޡ߲⺪ྭ٦ғӖڮΞJLBHJNFPHMOPPNKQ[Cw,Xv,PњΊ_jB[ab?d>b@f?a@_Af J3Ybvswrugmkm̀zԋ|ԍ|Պ~Չ~Ԉ{Ԇyӊz҆|҈zшx҈v·χxЇxχ{ΉzΈ|όxЌ}ьzϊwΉẅÿ|̆wˆ{ˆzʆ~Ƅ~ȈȊ~̌͋ɊɌņĂ~ƃƅ}~vzu}u~oy@TFRERHWFRDSBMAMDNsdT|7vv3j[g&XG>RCsR=R ?[L{AkP~YBV`>d@^?U=eJIbpwwzquhovv΅zՎ~ՍzՌ~ՊzҊy҅zЇ}ц{ӊzӉvӇwІyЄyЄyЇ|Ј|ЈzΊzЉwΊzΊxІzˆy΅v̅zʆẍ}ʊ{dž̉|ȉɈ͉ȉȆł€}~|~}zv~w{r~@NHRDNDQAPDQ@MDN>HAO8E8G0E>IVTf^uh|jrwtwvyx|ztnxdhZRS;J3L*D*B2F3I9J=K@ODNBLDMBJAJBLL?HBLL9w3QˇYclv޳ݗݝޣⳣ߾۲ڮ۪߼Åo+<*B&< c@^@d>fCYBR NDNBN>ODQ@QLHQBM@H>J>J@L>K@L;I5H4NF^łؚLjz^l_vfvf{p~r|rzwfrB\lFKXfk`eZb\ddiklrxxu덆᠋[Z(BjDd@eCk>~(F|(Do=hzL=LANJ@N:H;K:H8I6D,B+E5HPTbWrc~fswxtrv~tvnhxbe\RT8J(C&C(B2F6J:J:J?J=J>HBNL;H>J9G8G0H.Nτ~tZQnbravelladox^o-Mz-Sm@X@J DLEU^l'X^IYd)SXOxT:T=TCm4_VGty:pgOZ6U -5J ;H -:H]͂zHWΌ㲙ݖܢުྰ߻޳ܼȐ{*@)B!>u7g9f;i7k:h:i;]=hCtJFfXpt$E[ 7Z 6a:*GXXbdYbZ\bjejnouw}zꊄµŭ篖PVj=aD\C^Lp!K2dWvk~?Vk<^ 5f8m>p?n>c7h:a=V;^@{.WpFȆ١`rAYt'Jo Hv.Ps-Km"Eg@a<^<`>b[E_G;Yjsxvvuor{{Ί|ՎyԈzҌ{Љ}҆x҇z҄wτyЃvςzцyЂyτvЃuщЃzσyЈzЊ|Ά|΄|Άzυz΅ÿ́tΈ~Ά|̄|Ʌ{Dž|‚|ŃĄƅ€~~||||z|y|u}u{vzw|t|t|qx>MEPBQKAN?K?K?M=HCLRIXNp>pVzk#VVF{Izs9aJ 
BNHv6l_F}YDpVHP>WG`FT>XHWF{Onx[AZ?bBW>b)Ls7abHT -:K=a@xw]`\n೥ܘޚަۤٯĸ࿳໧Ț7E4D*B|9g8a 7k?2IvAs"BpDT 8d@0W8T֮Ѩ~+Ns=;Z(GOTXbR[V[`gejnrpl~{銃Ǻ̵èoc|AbB`CZF\Jx*Nx[sȏfv*Id9b7j8n9jAd;d;_\@WBl"OPfryztttpq{ӊ|ԋzՉ|ӈzӉzшyщw΂wЇz҅|уtτzЂtЃxυzΆ~ЄwЄwΆ~ςx΄yІuΆ|ˆ~͆v̈́v̄xˆ|̈́{Ƀzł}Ɓ|Ă}ƅ‚}|yzyyxvztzw{pvt|t|q{s|pxDNBNAO?P?L@O=N;K6K4E2E,B'@8IPQf^r`krrxxyvxwnxbdZRP:L(C)A0E2E;JBP>L@KBJBL@M>LBNELBK?L9H9D4G!F[]ࡔݦ{ިׂvptlxjxikm[h{h8Rc@dALE^TFzDr\FXGo2hp0Yd"XPKYRx:nd|;s[~>o^KUBV@U>V=ZCSEk1SYe"M`DT 9X>Z=^E\=U7YAVFR@^Rr(gNfvmEW֤㬒ܖݢݬٯྲ·լFNAM6F"?s;g8k:#BIY1P|/N>`lEt(HCeo(PҮ潾ܰn~&HLU@T@IRXLVT^Zcdkghjp{v쏊лвۘ>K(HgDz0NbCdCx+O?dTrԛ|9Jv>a8gb:`>a>a;`=Z>Y@]I}0R^pvvttssstτzԌ҉~Ӊx҇{Ԉ|ԉyΆ̈́|͂x҂vтvσxЅvσyЀv҂sтyЄyςv͂w΂xτ|πv΅{̄z̄w˄~̄zȀ{Ɓz~~|ā|{~~}z|y}z~v|s{ovrxoxovlxo{vzANAQGT=LCP>J?MK+B*C1G2F>KANAKDLCKBLFNDNGNEP@LFP@Lj(N^{@Zlڥ҇ɀ͒צܺ¶ܼױZ^GWR^HV8L2H{\8aTCSAO BXKx^i$Fc=\:Z>dCNdryytuttyvъyҌ|ъ{Јx҆yІ{Έ|̂wυv̀x΅z̓v̈́{΄|΃wρyЄw΀yЅxЅx΁x̓zςyτxςv̂w΄uȀz}xĀzx}y{{~zx|swt|txr|mtozltrwy}{ȊД؞@NFQCPBN@LBN@N9J;J:K2F*C$@6FLS`Yub~nryvzx{~~zoxfdZRP>M0G1H4I8I>JCLEMGNJPHOIPHNEL?F3<)R@M?TJs4nK|;tq5nh(aZKl0jv7nyQ8N :J 8RLD\wxBVڨՂzܟڨ޷߼ܿۻԪZVR_VaR\VdhmjocjTf6R2N@TQgezaZuΧḺ忽ļ析mpso\gNW_cPVNXU[[d[d_hin~똒һ⮞P\m9n;n6o=c>Y<`C_Br,Lu+RdLcvڣ8\>`>^;Vl&G`>`>_>];^=k>f>\>Z?n(MZfuxssqrtt˃Ҏ~Љzщz҇wЇzцv΄|΅w΄v˂wЂx΂ẅ́zΐ̅|ʃsυx̃|υx·{·wʅz̓y΃z΁xʂẑsɀw{ǀx|w|yyyyzxwwvyxqvqxnvlwtz~{Ň|ʏԖ؞ۢોDQEPFPANBNBN@M8L8K:J6G)@&A2GPQcYsblsu|uy|~vq{jg[WT@N4I5J3D8IOCPDuB_LByw6mr2lt8xjgk(db|>rh"Ke$VR=[>T -4V 8]A^@^Ag GdB`A^=^#C\>R6J 7K tb>Z8dC8Vgtxwsunr{ẍЌχ|ΆyҊx͆x̓t΅ȳv̓x~z̃z΃vΆ|όΓ̃zхw΂xЄzΆzˆ{́ỹẁv̀vɀw~t~y|vyv|xzxyzt{vyxxstqxnttx}}ƍ{Г֘ۤݧ઄䮇粌JVIQDRDRITFN>K9H8J1F0D-D$>2DMPb\sbmtwz{y|{wp{hk\UR@M2F1F7HIFPGQNRLROYKS^PXY\8\ 8*PJfƅ͂wyrΊۥifb CY RTNVP{G|PPW}Erl/Y|Gx_MJ @MC[NXUJ|H}v6pl,kv8xYvGR~~Bwn1ar9hSAY@S:UU˕ଛړ۟ݮ޹öݿҮLNDNP\_i^hdmcnjqnuospvkq\hcr[fGXRd>Q[lgpfinldk~ؑۗܛލnqW`V_VbZhXb\d\fkqzz闒氪ޘ֎΀p~vdp]gnrprJT4F&>\>`?\KDLDNEKLRKVKOFPXJhciA+Kbvlyڍnjjc~}S`j&Vn-`e QZF\RaRf^n,d`\V}IyRFRDTJ]IR`$ZwCtJTSn2nY][sDVrZCR<\AW?ZBX;\<_@^>[9_C`>V5T 4J -5H 
`@^>_?Z9h@hA]?dB8S]mtxrrmqvw˄|эԌ{ω~Άyυ{Іyτt΄{ʆ{΃xƄȁxs͂w˄y˂ŷvͅzȀzˀx˃v̅|˂{ʂzʀy~x{v|tzvxrxztsrssxttq{rwz}Ɉ~ϒ֞~ܥુ⬇泆沆糈汆汌籈DRHRGPCNCQBP;L9L1E5G0D)B%>+@JNaXrdlp{|xx||x|hjZWPCJ.D.E2D9F>KCMFLKQPSJPFPJWypapprdtŠ^k8Xp,Sy4^Gmv2^_JW>PAWLONh5g{lXsK~Kd"W^ TO FxCsg'bn2eXj,lh6lNPlnk|d*NP>\H^JV<]AaBZ:`B`@]>_D^>X8N -6D4S>foqkFT˂֙ڕڣڨݻò׶NM0BANPY\dbmgurzoxs|tzx~qulpppwwkrjqhk_jcnjrkxjxx~܁|vzw}YhVf`jbk\dZcVc_nxꊏ龴ޜڈ}oxdp^jcp\i^iQa>K4K>L@J=I/?|8y8_ 6`8c>[jtrsmnhpyu΋|э҉zω|̈́yφz̓zτzˀx̓ẃxȅʃy˄|̄x̀ŝx̂vȂ|Ʉvʂ{ɂ|ɂvȃzɀuxxzv~xyyvuxyvwsstwptpy~}Ύ~֚ܦ஄氄洂贅鵇泆贇賅氄粂CQGTDPCT@O>O9I5I2E6F.C%A:.CFJ^Wqfrwz~yx|z}n~jm^ZSAJ,D,B4Htm-]h#RX<\<[<]>\:\;cB\?\;XhFs*Fn$N`PRkԎաp2T}2Rp$DeBg@`F[@_;o(A`;V;c@I_puqrnplm~{щ~шxЊz·~˂zχ~Їy˃|ˀx̀z˃y̆ẑw΀vˁzʁyǁxʂvɂyɁx̂xɃ|Ȅ|~z{x~u{tyvxvztz|ttrsrtmxtz‚ӗۦᮈ䲅趈귃뵆궆洆泉貇賅籄鲇DRBP@NG.D/B6G8FX;Y9[;ZJ @Z@ope^FS~ޡޥܫߵóŮhX&>:GHRLVTYblbllsv|z||}℈䅈儂ㄈ⁅y|ށ|ރᇈ⎐㑔ጎ␖ᆊ݄kt]kckjrchXbZhYbYjqx劌訪ĺ⮧⤡ߎ߄x|qw`l^f^hVZPZR^PYJS8G<|=c9h:f>p"Dv,Jn&N\MNiӍקw7]~6Sr(Jb>f=ZAK_Zqd}hv|뜀||~ws}fkZYP@I4E*A2D9G=G@KHNLTLPKPKTJXVf]w^zOpRiEfy-bz?{KQr1_\H_NUJ^MzBzq+fJ[a~@u\Wq5iRf#TI ?ND^Tb[w@q|Aw\ \W Vran,dt@zyAxn9_QBX@_B\>]AZ?Y:Z@\D^HZHUGNFPEEVzkETXf֜ޠެ߲⾬ʰo!>.B?LMSQ\V^^dfsiruxw{~懇厌懆勉甊䔑⌋䊈⌊㌌䖓◓㔏㑐⌌䒏⊊ፈ||jrflopkpch\d[aZfYgov厎騪ǻ䱧ᥝߘމ܁|xyjsdl^hY`RbRaL[HUg:h>h>s#Dx&DkEXFFdюޤ3Yv/Jp"FbXJ@QFZKe&_Jdz@{l2nl4jwDvdHbff$Rh&Mh!G`D^B^@]AX=X;ZDWFXHRDNGeDxs_ZJZˋܟਕߴสĚw=&B5EFRLSV]W`Zbhsgqprx~}}慄摎懆捉蔌蘑䔏䏍掌吐攎甏㑎掓䔓ⓐ⎎yvlthontfn`bYd\fY`U^fr倅訨汪चߏ܃zztxkndhbh]fW_VcS[NUz-HoCW F?`ҎܥLj<]r&Fm A[6jB[A\:d=_<[(?>JYVncoo|zwzx~uoilZTP@H0C,B3E;J;G>F>KCTHXQq\nx}Éy^~Vvz?ki)Yd!Rf%Tl-`e Ux;nMu6n_WA{XbFu[HL?R@O:ZJUN_T{DtNX\M~>x|\n.X\}Hc9P3TR}HR\Xpbjo|xy|z||{n~ikZYU@L,C*@1B7G7H?NDcNthȄzppup|:V^!Sb'Zv=ph)X` Rh&Yi&Zh$Wm&Z~GB|x;s^z@zfnIth*VWGYHT?P?XASEUKd*Yr3ot8l_kkl6\NARJx2VuhuPc4UWFYE[>X?VBWDSBSFNF_ J}zbaP`|ܨட߷ǬGL]8<.Bl Bt$Ds"C0Hd>YG|-RЊۜ̍\sm"AcCY8k>\;bH/C,A0B6G9LETatht\bQ^XkdaeLx6hk$\m)a|:nv7hg#Ug'Yb Rf']j)b|?xu[D<\otnuP_v*N\DTAY>Y@V@V@SBNDRIM`zpT]\dӝޢⴢ຤̲zhO9g9<:JDLQVUXV\Y`^`_gfnpxoryv~~胂挈鏊蔌ꖍ꜔ꜘ隒階雔蘐皏盏꜒薌玆懄|~|uxqsnslrgl^a^d[dXb`iw晙䢙ޓތ߇ႂwykrep`kZhZjZdX[RW@M|?v@^Ao?nCu'F3Nd?VDy*NΆԔ̄sl=`8Z 
4`6^7e:bmH|>uAt~?rr1]s)ZiN_Vp-gHW_ \r6nkvbk)Xi1]n1f\I_HZ@Y@XDXCXB[HXIWEr.Rv:ncC6IXR;XCN=J @j&J}|efTdɀⲥᰟ߰࿧¡XK ;K 8M]tjP]\fڰⰘ⶧ݴr9FM>Z@l>'BPZnjspqnxvЈ{Ґӌ{Έzχu˃y·{̅|̅yˆ~͂zʀxv́xȂxƁz~|~zȁw}yǀv~u}zzv~w{{x{xxutrqmphnŀy؜{츄칀칄칆꺊뻋쿔ŜĞŠĢ2J2J,F*C(B*E'D(C'E$@}>w?u:%C:D\Woj~lx{v{{x||xzo~hk\\XAJ,A.D2D8L9JETFRFPGNMSMVP`*Z=|dnav/c{"B8Nb8Z -=jEĂٜv}̍?ZT:X -6Z:t*Dd>]>b@*FadtktnppʈՙӓӌyωzΈ|χy·zˉ|̃xʄ}ˁx̂xǂyǀw~z}||z{Ā}|v}w~vyu|xywzwxutwopnpkotuԑ{⪂괂ﺂ캀칃캃칇ęŜƜƛƞŢ-G,H.L,G/H.H.I(G~%D&Cx>t:q:">:F[[ro|ltx|xyx|zxuw|dlZZS?M*B,I3J>THi?NCNFOJQJSK`M{JyX|w1f;oUGzs-_]Nzc%Y^&\e&^d&bXWqBtv|CvU\Pf'RgO]J`Dj$MYBXAY@V=ZBWC\#FPvX;^5o =R>\=CZZv>aPQ֗xyx2QO>H 8J9N 7Y=DPreJRZa֤ౣ微ʶƫXBJ :UBlCr:#D8IFRNUUXX^Y^]c_agkghnptvtwzxzv䀀戂猄ꐍꗏ閎Ꙏ뚌ꗒ萈ꒆꐃ猄{|xtsqkngnhjijbdZYVaVY\c`lruよꜝᥠލކ||uxzmtfp_l^iZ]V\DN&Bp>X=e@ixؚw˄Vl^ER 9V:n$@eD[@h>8Nihsjqnop̈́~՚ԕ҈x҈{Їz͇y͆}̄y̆x͂xˆ}ʀtyɀ|~{~zx{}z|w{tyv|x{x|x{yxxspptmpoṗxޢ鰆ﻃﺂﶁ}츅캈켍ėƛǞƝƞŞĞß-H/J-L,J*H.L1O'G~(H|'Hv Bo>l= =>KYVpj~mot|y{z|xxnnxdm]YP?L,B'C.LJbi@S>NGTF\TyqwLfn*XdU>sqTs2dgJqZOZQzHl,fq0p_ aYzPqh(Z`!Nd"Pb"RcGl(QXBWDTYET >^"Hr5LhCkAn<`@vKHcr`d)GQUҌv|}`?J;P:R =^;jia_LXnt⿵㾳IJʳCJI 9M <^>{%Ds='B5FAOJSPVX^[`[`_`bdjngortxzxx~~}{悀狄쎅ꘊ딍떎ꕌ閌鎉钉錆芁z|txtkibhcgbehj`dX^X[T[Y^ckjsည霝ļ㪧݄݇~sxszhrfm`h^h\dTZ@N AdBX@h@jDnA|*D:NY6T:a `BXBj_B_lѓs~Ƅgxn(HK -7b>e@^=X>w*JYaujrkpo|uяzԎzԎxՎ}҈vҊyψz̈wΆz̆|΄{˄zȂ|ǀ}Ƃ|~yx~x~|}xzuzw}wxuvuzwuwvxsuknpr΋u{|z~|z뼃Ɩǜˠ̡ˢɠƘ–š0J1L/K0N5P/N1P(Hz"Fy#FsBlQwPTwƆrSxdf{&XbTz,ealBjSz>ie#Z`"`\ Zt@{Heq6u|TqYou>lrd#Pd$Rd)P`Ff NV=P 8M8H 7V>jH=NZg:K&@b@7[Hwq⣘ߥWdYD7FjpkBC4@4S:iiibXddhݯƮģZ4K -6P 8N -6i!A0Hx:!;1DDNFNOYX_Zb]`[c]`djdjlqrxwz|~{v~憃}熀掇捈萄ꎂ萈莄舁w{tvvihdd^d_dad[cY]TZSZVZX`jm~蘒ﴮźۂ{߄|zzttpvmtbo]j^fZ\HR/Iq@T@Y@`Av"Cs'G-GS 8T>O:n FfP|*EQY>PwB2`Fi^rFU؞᪚nr^.B?KHLNV\`T\Z_\bbddidmjmrvpqzzvw}|}|~|挄艁猄刀芁抁|yvpohfb`^c]d]`[bV\SYRXTZXcfly~挍쪨ۉއ~|{zsrrwhpen_k\aTWFP-I^AV@`G_qF>x~Fc!Yt:xzBr3phOp4t~ZzCfx4prJrg*\NU?TA`El4d>b6R8S*Qw~a`SX+G9Bh_JW^:W4dDN 5K9R 8S[l^Wbcl޵ƮĤ][K 7PL~ATcCw(Gx'D+A/Dd:Q4Y ;9T͍̆||xx8UV;\>R9Z~d0TPN?SA[FU>^FdF\ET?Y =e"F7as&H/TG\wtHO3Fy HOiC_aEP5W;]@F2ZQ>UB`A]@v"C}*E.G~(>jK 
-;Q>hu|fmP\Pf|wʈ|xn%JS 8O 6Z8W6W@u*BK]%<&=0C:FKQORTZY]YZX\_b`egghnnqmnoqxsxvuuzv{z}~~x~|~~惀|{vsmlmlSYFRQY_egielgmhn`gX]Y_bllp芊Ȼӿߕtsuqvwtwlrdj^f]cW^N]&CY@V@Z?aB\A{%B.H+E+Bf;T3[ ;r>v~͓ʅ̄}\mg=R;K 9XHJSPWX^SZ]bY^\b`cachllnmpmpppwvwtxu|~{zyz允~~|vorwpoV]DMR[chjkejjjkjjmZ\QXWXlo熀Իζۏtqwuuxnripdi\eY`X]BPfDRX<_?a?u$A{)G~+D~&Be:Z 6^=f?mxҔͅ}~bln$CS:H 8ZPASDXTuXtPv6gq&Zf&[C|N\M}8ll-cXNh(f~Ten.eXXUTbCp3q`ZvPsbSD`EZBY@g=4PN -9L_pГΒxzdpt$FUvv3uh5]~ZGXGZDu-Tj"@4NN 4M;N8D=HJLPQSTRTWYZ\ZX^afhdhfjlplnwsqrvxxu{xyuz|}z~{z{₀yssrljblPY^^bXWQ6t6%9>BCERRTWVZbd芇ﻭ}zvxuvttnrho^h\`Z^APe?T?WBT@ZGcFi>}%C0Dt>(De8f8\ :X -VB|,Jdg~o|nyjvӌ|ҋ|Ήz͇|̇|̈{̄yȁwȂxȂ{̀v̀vɂxȀzȂx}w{z~z‚|~t|tzr{s}tyxyxrpptkp}tܙ~鯁~~ﻀƕǘǗřƞǜȞˠʡʤ̧̤˧ͩ˦ɥȩ0J0I/G-G.F.G1G)B#>"?$>y:{;/DNVbatl~tvv門|z~y|}{q~hn`]dFT.G%A.E5E:J>MBMDSMdQy?h1\6gz0dBxH{pIwv1hVHLM\ml&`j2f|@Z'\vH}Q~BjO`%S\KTDW?y5Nt$Du(Da?L -7J 8L #@7ISZhhyoruzꕁ|z}{ukk[[W@H.F&B2I9Kf=f3c{6g>pw1gCnv1bj'`M Jq@{wPi$`uF||G\ZxJ}`yG|a~vl,dj*YF -8K 8^>aAYge`f>LAHO@TbjFR :f Hf@j Ha Fl%F6Z^dqtЄz؎ߙߦyr)BP -8W :Zij܋tHVX6? 
9E @WN^@h\LH :<\:\PiOfYpqNR[^\`fnϭȰf$^e&J`6b6[6^Hw-J`mEY.@:GHPJOPSRXVZV[YU^eZ\_ebgdjlnnomntrptqsvutt}~ux{x}|~|yyvxvtplnfj`kUYX[YZ^^``QXQ^fxՅܝ嫤欞晎⋅܁{{uynvhpbkcfX\/L\@XCZEVEVE`CdDnF9L2N|(B*Df8k9`7V ->qHŃҘls{~G]^Dl$B`fxi{pwh{oҊzҋzΊzцtφzΆz̄{ɃwɃwˁvȀyˀvƂzƂ{ȁzɀyƁyv||x{|sys{wzt|xtqponnztڔ{讀~}ÐĖʛɟȝȞɠȟȜʠΣͦͩˣ̠ͣȡɥȥ˭,F3H.D,B&>0C.D*E#B&B)B+B5MBR\aop|tyvzwxvz~z{{vfp`[TBJ1F'A1F5I:I?M?PK]RfQcRyjNRDj$X?sv4bn']`U\ VfHo` O`Uu:os2pn4m{G|QV|BlB~[yiRCN9fD^BZf،n|f]:@ -:E 9uJql#Gr&Et*Sz3VD[PhZrˡmbNRDUZeŋв[ZN>R?S:^:c@g$DbDf;b:Z9Z<{2KaoBQ-C:FHNMQPVTWTUVZYXZbXZ^d`dadhjklnommosqrtvrqz|zx|{zzzy䂁}x}}~|zxtvnplqaj`lagkm{xtyoz㊌벩踭赥嫟旑⌇{|yxtxpvhnej_bLXdBXDX>ZFVETCdGh Hp$F?N.E4J%@n9t$@^:\ >hAv}әjtu}CYlE.Ill{oyk|p̀pьxЉz·x͈z͈|˄źw̃w˄yȂzƂ{ʀvĀ{|Ƃxƃzy~vĀvŀu|v~y~wzxxtvrsrrqpm}rޛz벀}~ŔǛʜȚǜɢȟțɟʡ̢ˤ̦̤ϥʥʣʧˬ̮.H4K.H.E4K0F0H+A)B&E$?,F;RHZ^err~vxz{tx{z~~~|tjpe`ZDO1H,F1I5G:K\A^Dz1O`qGZ0F>KHQLVTXT[UXXZSVYZ]b`bbhfihllmljlopslposwuyz{z}|僂~}|}z|yvvvvtqtklimnp|z服䞙}}琋괤鶪賦䮡暎}|uzptkpblbl^e9SZH[IXBXET@WIaFr&Jo EFSz&A:O{$@oivԙkru~>S(KATrmzlxewi΄qҌxшv͆y̆|̇z̈z˂w̄z̈́ýxȀuzwĀxƀzŁ|x|w}u|xƀv|y|v|uztxypnpppnΆv|~~~~Ɣʛʝʜʠƛƚɞʞʞ̞̤̥̦̦ͤͥͪήͲ3A0F(@*C.E.D*F)?&@~;~=)?@TJX`iqs{tvxxvxv|}uvks``ZFN0D*D/H8N>O@PDVJ`eyWpz,`]Pj&]~Bzo*dB\lj.Z]RTOZSl,`q3hf+ep9pQy?tXe{D}S~wY{Yn-ap*Y5a:]F];\n'Sl(Pj&LG>TL{;dtn~͔ҢҫHPDR9WhlӬ˯l.EVDZF_!N`"JbHd$Jh%Iq'Hj"HfA`B\Gw0OZlM`8L@NITPXW^V\W_[^\^]`]`ahgkglikhgfilnkrnrsvyxyzzzz|{z~z倀{~~zxyv{zxxurutpppo|w荈겤紨⏎瘍괦跮账籦䗎v~qwswjvgkflU`fBYEWHVGYHXFYFk*Kt&Mt%D@Pw&B1F{"Cp >u#DgD\?ZDVeҘw~x~>U8RW^vl|juh|nЂtҌ|φzΉ~͇zˇzʃvʂyƂ{ʂẑvāvȂxȀzȂzƁz{w~y~xƀy{x~v~uwrvqxsrsnmqpҊww﵀}|ƒʛʜ˚ȚȘƗǘțɜʠʞˢ̤Ψ̧Ϩ̨α̮ͭ*B.B&@+B(B'@+C*B!={8=(B8ON^dlrv~t{y|yt}w~~{zrjq^]WDL3H*B0F2F6JZ@g HMCp*XĉƄ͕Сհw=M?P@XjnԻv9@U9Y=[>]>b:dw;d6V 8X ;=>'B=QN\bjpt|vxvwxux|yztlr\`YFJ1E&?*?4G5IU;Z=j>]=Zʇ~}mt>TVfc^ve{gva~lЉxцwΆv̈zʇ|Ȅ~ɂxʁuǁxɀvz~zǀwŃyā|xzt|vvxt~w}x}z~vzpxqwlrqlnsmؒvxz~ŒȖ̞˜ʛɛǗɝɜʞɝ˞Ȟʠ˦ͭΪ̪ͨΪ̪̱ΰ+B(B(@(B%?!<%<&@"@}"A$?.F4JJY]hpq|vxsxwvt}~yzzsktd\TCH.F%>.D4J0MB^m\vJbapNznUr"Z>yUlx;kTGbRd,Wp5li+_c(Wm.f]L}Brn,[h.bo.kq/d^c#`n3q]lbbdFeʊt8aFV 7p#Dz+Te?n?fC`:l;c8n 
@~,Cz(EdL_HZQe1EGTJPPVTZV[[`YY\aZ^^`ehagfjlldhfikkcdjhhjikppssstqqrqtq|xrpxvrvvuxx~}~y~䎈馜Ǻ´槝攐쯥긬箛䔌z|ntqvkwktek?XYDYBXCZDXAZAYEbFs&Lj$I4I4J*E/Fr8y%Bq=e=Z9S ?@]ƀzĈjs=Vcjj_uewbzn΁wΉx̄xΊ|ʇ|̂yʇ|̅x̆uxɀvɄ~~xƀ|āzŀz}x~y}v~y}vw~y}vxnzptpprmlmowmڗxv}ƑȔ̜ʗʙəțʜʡʞȜʝɜʣ̪Эϭ̨ͬͪίͭα*D&C&A$B$@%?%?%A>z <&>+E7LG\\jmt|yyzv{u}z}임}ypltc^SGI,A#>-D1M;VghH^FVdrHvk V5on<{-F~,Fp?c:\ 7h:O`DSLb0DXDb&JYFXDXAe"En$Gx)H1I2L%?.Fs >v"?v!~7UwzˊknE_`gmasbwd}qΆrΊyΆvІu͈xΈẑv̆xɀyswwÀ{~zł}~z~yȀx}x}x~|}x|y|u{pxtuprmorljzpޘvxđȔ˚˚˚ɚʘʘ˞˞ʜɘȚʞΧΩЭΫϭΫήέϯΰ,B| @{ > <#?)D'B$D!B~ >#A&@5MDW]lnt~z߃x{xy||{~|{vis`^VJO*D%B(G/OZsnCZASHV]t>mp&Yr*_]HYHy_Lc"T_Nn5fc&X_&Xn9rh,b{Fxw:p~@st5kh.do6kp7m|Ftz@~YWh,dlcrp0[@@IB}0V`rs˖ȕ۳ظ˝>HJUCW^gƤx?KPDO@R?3F:Pd@a@Z8l>e=l=x(E8Nr"@b6`PL^5J8FEPJPOSVZY\ZZ][[[\_ggcafjffhjheekcdehihlnlhefjlnlhjglonroprkroqzzxzztt꓁虇쳘뛎苋ꈈ暏⒐fn_ldslsjqDYZHVAV>[Ea&LXBZA_BbAu)Hz)H4K8P~&B0F-Fx">(>e7T -5X>n)Lw|ГdjPcieqau_x`zh΄sϊwЈv͈{̇z̅yʂw̄zʄ{Ƃy}xƀwƃzȅwĀ}ĀwƀxĀzys}v}x}y|uzsypwrwqtrnkkp{lޜx|ŠŒʜΞ˜̙ɚɘ˞ˠ̠˞ʡʟ˦ͦͬҰЭϯάͪϬΪά(Ex?x>{:~"@#=&C$A$B~= ?,C2IFW`lpq~{xz}{}~z~{whueZRCK-E&H*LB\sIc:M>SJ]l?ifO[L_#WZad"Mb$T^ Qf*[f$XZSd+cg(dq;kTAuJ~z>wu-D|,Fx"?`@b :l}(Bg9T 5Y v=tGHSMYS]Z`Y\Y[VWXQQOOPOPMKMLNHRRVWXf`ba>D3@DMNS>LFUadrtovJ\]CVDXA[@dDXB\BZ>fAf@3JlB2F,D*@8K{%>k8z&@p=U 5\ 8cDhv͍Yjjsodzgxa|ivnφxΈvΉv̈zʂūz˅xǂxȂvǃzǀw~zƃv€{Ă|€yƂvz{}w~y|u|r{r|uzuusrqknhh͂ut|Ŏȕ̟΢˟̢̠̝̞ʛȚ̠ʞˡͤͨЬЪЮѰЯϭϮϯЭҭpAp>s>vAv"?}#A&@=}>=%A.F:SK\blvw~|yx~|}~~{uvmo_ZRDM-K&Omg~:T0L:Te~yl0`bQo)\|kA] 5d9b8h:r @q ?|+D3Jc 3Z 6f8H\(FER3H*@*=0<6>:@:B@HHL>F;D8C4A/=4B?HGOLRRXER?T6TDXWfQ^\blpuxinv$FW@UDY>`BeCZ>Z@bBfAt*Gz*Jm C8L*B0E6Hz">e 50Az)D[8]@^DZlʍhtvzoa|hxb|j}qЊẏy͒̆vʅw˅uʆwʄwʃvȃ{xĀ{ŀu‚|{}x~yÁw~z}w{x|s~y|u{sxutpnmjlkh҄qx|Ɛ˜Τ̜̞͠͠˜ʛɛʜˡ̢̠̦ͧάάϭүӭЮЮѰЮάl@l?p>q?v?|>&A~!A~= B$@8O:UL]`jvv~uxy~z~{z|{qlnb[ZBU/T\rBW.J2LLhrm_z~,\bKu2ch#O[HR?d&Rh-Zc,Wl5ff$Yj0bh*j^ bwHvkLHKOTDv;yL}|I~e'\j3n]"\>nh{mkb`bf伶̾ӬLRES8Q\hΩ~oSAXA`s >]=bLv>y?} =|>|=z"B,E>UAZQeeosr}sxvz~}}{|zqlqgVbC`g|B\,E.LU=`:p"Br 
<^9a;j?r"Ao!BpBr"@2Hm?^@e>CYz)F6J6L1H7I@JMQOOSUYUTRTWXXZ\ZZ_aabffghposnqnonnnfdZZVWVXU[RbNWKVSZZi_pZpmw{儜脡듬젵뤱잫w_{bvrstvnnpo__mAV?XCVBb@fB[AXAZAgAh Dy%CjBw&C:L-E.G5K}(Gh>z*@6O_=_<\BB[ʌw|}ys`ׁqwdǹrыtʉyˈw̄wʃwʆ{ʇzɄwɆzʃx̄{ŁxÀwÁy~v~vx€vÀw|xz~vzy~vzvvrvunogimf׋v~ŒΞΞУΠ̟̠͠Ρ͠˞ΠͣΧϩЪѩЮЭѯЬϬΪΪΩϨͤj>iBp@r@u@z!A#B"@z={?*F8L@VK\alsq}vvt~zz{y}vzzpwWrh|EZ)D,E0NKhuVtOhJl9fm)\f"PSk(U_ LN>XKSHvBzp*^b!S~JV\xXed+cd(d{IW]Dzk:t!Bt">~+Ht@]g?X`<]D>\ː|uxbׁrxdрr̃s̊z̊z̉{Ίwƅyɉ|ʅx̄w̅vʆ{ȄxƃxńwÃzăwĀvƒxy~x}zzv|v~vzwzvqnoqfnoj؎t|˚ΞУΝΞΠ̜Ξ͡ΤͥΧϧΥϭШЬѬЫШϩϦΤͤͤ͟ʜhCkAl>ry>z<| =w/J:O@UHX^hrp}t߇xw{z}}{z}|鐀␔|lpB[$B$B+K:[`xIfIbDkw,V|2ks2`zp*WTp@r At#B},Dx(D`U=Vh?d\F>^ɋɄzw~hֆyzaрrˁr͊v̋w΋x̊xʊžzʈyȇzʅxȄwȆxɈyĂwÄ{ăzƅyĀx|w~t~yz|wzw~vztvtrnklhkmlےx첄ď̚ҤПУΜΠˢΠ΢΢ШЦϨϦЦѬѨШϦϤ˟˞͡ɚəɘȗm Dg?l>n>v:x9v9v:s:w<,G8L?SDT\cpp~vvxy}}}|}|욈瑊匉nxNW'D>$F/QRtɁRlC`Oi=dfOl&ZU~ff KZFZHRJd/`Lg"WAl8mt6u]b` \q9nzF_%_xNwjTS~LZPĄwtJ]˸pwSatkr躓ihZHYKZG[F`Ed!Fg CbBZ>^f@b@f>t)BlAn"By*Fw(Ec>cC}6Q.J9K0Hz!=*D6IBLHRKOLPMMMRQTTVZZXY_dZa_ffghijhlopmmliecb`f^[WVTWVZXZYZVYT`^pbxbykidzbzcx`vfzt|vt|xlnfh4KXBXBVCSAZCdA^@`>]>h>f8r"AdDWe_ʈΉ~t~n؆x{f͂tˆỷzʊw͉xˈxȅxȆxʉ{Ɇy̆wʅxɇxƄzĆxāzĂwĆ{āz€x}y{|~y~{|t}uvtrrnndnnjܒwʔРңѤРϟΠ͠ΠШѩШҬЩѩүӬѨΡ̞̟ʛșȔǔƒƖǔe>d:j:m9l:sv-H0L3F2Hy"@,D-A;HBJDLDILOOTRYTUX\XXabadbdddfkfjhlijkfmjddbd^__`YZ[`XYQTQWQZXZZc]hdv]g\jWfVbdsuvxwsrttjjDMx#DTx:FVi;d@`G;_Ȇώ}m׀p؆tj̈́sʉvˊvȋz̈u͉xȇzɆzˉ|ˋÿwȅyDžzDŽwńxą{ÃxzĂvzx~x~y|xywvszrttqmlmcoliݕ{ʔҦӨҢѢΞФϡТϦҬӫӮҪҨѧТΠʙȘȖƔƗŖǗȖƖƚf&Lcw;3FAM8L=NV]jfvoށtux}~}}|~|oqf[T@K)D"H$NTnĀFiC\LbNil"NcUo&Y~TyQ =^HSHRKPj1^XP\!Vx=~FΜvo1n|RqVlw=tg,bb$czPrMvo|?kx_~zUoŏ½܂px쥏ئ{v*KXNXJ\H\ L` LdDhAj!Ca@Z?`Bg!B`?_@`Bq!Cp$DhBt(Bn"@t(Bx&Ek?a@o$C3P|,C6Ls >|(D'@1AR^?]>hBeDn"Ccf>k@h;h8j8f6k;z"@O>NV^hbrn|rt|{{{{~{{wpqd[YBL*ED'PXru@^F`Rj{7]\L^Ty2ct=bXAXFOJ\'XI~g&X\TNPa&dfȞGg5nbnGq*Cc@V>UBT?Z>aBcDdCl+Im$Cd @e>j>i>k>GW3K.I8Hh>f=iUBX@`B`BhBg Bj#D`?f;d8g=j:Fw%Dk8fGt,N„ԓ~o؊y|o|nˋyɅx͊xʋ|ʉwʈ|ƇzȆzɊzɈ{ʈʄż|ȇ}Ƈ|Ć|z|||x~{|v}zzvxwsqklgjbigjۗvҡ֪֪֥ңѣѤԪԬҪӨҩФϢ̠˞˜̡̡̠˞͡ˢͦͣΣ̡̣bBb@d\@h Da=c@c@\@aChAm"Cl@p 
@t#Aq$@h<`a9d@n>LX5J-D7J7E/C(A.D6F|'Bf^=d>c@c>a>b@rC;KFPHTFSJS^edbqhwjpx|z|}{wqsb^VDO1J"D&L;Z\QtNl3`v.\s-]Kt>ev8b`JVELDNHr:fx;lQH`Pf"^Z[}WyZT_Sr}\^Nv;wp:tsBupPvEhkr:dYJiӖȱjh$G\IUGZI[J`!J^ H]G`De?l Dm Dd?W@`Aj"@_@f\<`;j Bi>nt&Ai=b;l>v$Dn ?{,Bh=q;+@:!80>gAo?S_7L0F>Q1F-G&@.F8N{(Ep>mKp H„֚ևzڐuiʆxʆyʐy̋|ɌzɊ~ɌĊȈ~NJÅƄdž~…}ņ}Ċƈ|‚y|Ä|~z}v{w|yzxwvrrlpek`limޢĕӧ׬է֦ԣУТТХ΢΢Π΢ΤΤϤ΢Σϧ̥ʟʚʝɘȜțƖƚ^:`;b:a`Ft>6HJTJSDRLV^_d`ne|tqv{yꚀzy}zxora[UCJ.FB*H7RLhHlJi8fw/Zu5a;aGmr2\`"OXJNFMFu@mx6gPIZNf"Vj)j~PvqQuB}Yd]thm_Tn9vl6nyR~Ldpr7bKxPvuйt:RXJf FUDZB[E\A\CZC_;i$Eo'Fn<`AX]<`l=n;r ?lAf.A";r67-=2>:B@HBIJNRVVW`d`cacbffjfkinormtnptxxx䅄၂愄叉蔌葉玅萌准䊈߈}~v|||un/IX>kAw$CTAUAXDTBbHb!Dm$FhAo%Ca;q$Bo!@b:l;x AO\8P3I@V:M'C'?.D3Hv$B~&GkEr$L…ԕֈt؏tiƂtLJx͑|̌xɎzȆ|ʌ~Ň|ȉŇ|Ć{Ȅ{Ć~Ń}Ȉ|Çzˆ~Å{‡}|~|||}z|v{yxxuvttlphp`jprଋ˞֧جת֦ҢѢСΡϤΠϣЦҨШФϣΞ͠˜ʞˠɜȜȞȜǜƜÔ_:]>]>`>_>]@]A\@t @;LIQJRGTGR\^hdnexox{꜂v|w|}xtqs_\TCL+GB,H4QNfGhKiw&Rj)So*]h#R\m0YZLa OUIOHrf@Y>`=`?f;kk?rt%?t"Ah9-D,Ao6p46&:0>jAy$FVb?P2LDW6G(B0G.C*Bv$@.JbBlI‰יֆ~֋ykȄ~ʇxˎ~ʌ|ȌzNJzƅă~ƆĆ~Ä|„}~Ä|Æ{Ɔ{{„z{}|x}z{zzy{xvtssqpnphj_mwv紏̟צٮקԢϚΜΠΟϤΦҦѧѤҥϢΠ˝əɚǘǚƙǜǘŞƚĖ^=^_E`>n>_;^k @m?n>l:k?k@p$Blz(B,Arv%D^FWK^!JVJXJ_ J^Gn$Cr(Ef:`=j!l=x#AT_=R5OGZ2G*D9H0F.Hv&@/Kp"HjHÆٜ؈|֏xoƀwɉxʋxʋɌ~Ȋ{Ljz‚z~Ć}Ć}~…{|}{|z|{zxxxzyvtqqnqckcnx긎Сک۰֥ҞΙ͙ΛΝФТѥҨѦѧΟ̘ʙƖŖȖŕĒÓÔꪂ^B\>`D`C[B\AY@[>mA.E:LBPGRPXabiang|ntxz|뚀zz|||tnr`^X@K*F D(H4NG^PbcG^GbLYRe.Z_~eAx(C_@`B`Ai$FaA[@d@]:b>k Bn!Bhd=lAn#Ep =t'Df@r#?~+D+Bh0A>HJLRVSZTZ\a`ibfcmkkrtqvvtv|vy䂂≄扈捍撍璑揋匈玊䎋⋇݀rzyvml@IY;[i@iL/GCT.F)@6J/D0Gx"@3LjFgHȆ֖؇w׏|tŁyĄuĆzȊyŇ|ň}…‚}ĄŅ~†~ƒ|†~|z~}~y|z||ywxwxvxtrvnqjkbldkɊzҢۭۮզО̘͛ϜОСңҨҩЦΡ˝ɚƙƓǙÔÒホ쵄|z؇egOa?\?]=\=[j<]4^YKd&Sl(Vd"Rp.\h,ZSHUKUQJPRsP_Vs9ro5q{D|WKfa}^sx4cyAfMeIdZ"LRKT"LTJZJ\J\H\JYHd Jr&Hw+H~,HcAWBc>v(D]@^Dd CgBe D[@b@bA`?f?l!@j Bn%Ck%Dh>nBn!Co#DgBo"D.F+By"AjhAjA^@_=c>[h@o"An BjCq(Fs&Er(FiDl D~+G+D,E|!>u>q>n:x<{7"; :":&<0@;I@KMXTbZa\cdjjnnwwzxytz~|㇆䉆劄Ⴢ{zzx|x|zpuppkh^S0BX@ZB_FXJ\"MZLX$N`#Na!L]Jn,Jl!DcCiBbBaR=S8M/F=P:N7I&@6Lo Kt)Oȏאֈ~΂xrohffflkrlvnuwzwz|{~~„ˆ„~~~}|y~~||}|yxuxvwsunqdp`kouިǗԤ٩֦ӣϞ̙ΜΝΝϟΞΠ˟̛ȘȚǓ’t~hUL0?i8^Y@[>`A]>ZV>];q 
B-DBPAOANTVe_pc߀rry|~|x|z~tln_TPe<{-D_?`A\A_?hA^?`?d>]>c=dBf@n!Aq%Bo"Cp$Dr%Ds%Bo!Bh=p!@&A6G-D~"=z@~#?/J.M6O5O>[H^H`LcKbQcUl\lXh_jdtdzuu~|z၇⋍⊊~}|p|hriplbVU4KYF\F[L\#NY'OY(SY La%M^"L^Go,Nj$Ff Dd@a@_@d=r$D,HN`BV^@`=`A^>X>Vgv4]aKj$Pj(Rf#Pm*S\H`JTFSETHNOb0`|njt8dy9kf&b`!]~HswzC|n6toot>x{~Tq2[Nmah0YNBM@RDVBZGZDlC0H4Hu(GTc?_=e@`?g?m$Cj#Ei?o!Al!Am Ag=j<'=,A-B0E1H?NLZOZQ`\gajbkenptpvjminlnpznruyuz܇܃މބ}߄~މߏޏᕎߔ۔ו՚؝Ïav{A_e.MW#HY'PZ(NZ#NY$L[!H^"N^Gl#Dh"Fe D`>^BaA`=t%D|*FLZHY8MFV:T2L8N:N0I}(B,H{+S~5WЖׇtՈmhX[bbRXV^ZX`faebbfionhlntsttuwxvu~xÁ|~~y}z}|yxx|xvsvqpmphp`i_kƉ{꼏ϝէ՞ϙ˒̖̘˘̜ʚʚʖȔǑǓ笆~хoZQ/@e;X;T:O:R<`eCf DfBfA\=W=T:RsvfhNu8fj.d[Ob%XwFswAZqv>|Rwx@xb"Tu6`f1aGCNFSFUE`Dn@.H8Ks @T>T=o*Fy(B^@]@`>^>cCh?\>a>b>\d Dg An"BjfS@P:Z>e8w"=.F*Di>i"Dl$Fd!Ed@^?Z>U:V 8l=z!=/A/F/EKQcblb{mvz{~||욁~{rzjklj۫ܰBH}0Ru&Pc K[xj*PL?MDNFw8^Bhp,VdNl)Rn)R` M`Q~Dmd!Q] M[LXPp4jkmZx~|Fv^&UNK]#]WfxPwD|ReT|iFzd P_vÓa0`MKSFVFbEs#G-G:KmBXDXBt.Hx-I]C]CbF]B_@fB`@_=`>_>_@bBbBjBo#CkAl?r#Ce?d;f@m>-C2G:JFSQXV^`f_d^gY^_c`abcfeedglihjomppqvuvtzy|zwwyvvtutxtzwہۈߔ⟌⨖絡跥캤쾨༬kn?aX,QW(PYH^HeEc E^BVBXB^DdEv.N1LGUJa2K;PAZ3M0L:O6N1H/Mw,U>[יրn΀ybcZb]ecdZbV\YaR]\bX`V`YcZ`Yd\b\gahdihljpmpprpwtvuysvuxrsorktfr`mdn؞ēϚҝ͘Ɛȑǐǖ˜ʚɚəȗÎ굌⦋ה|rjDLoB\BS:W;a>k @})D1G4H/Hx,Hu*Jp(Hm%IhCfA`CV@W@f>{#?)A%=,BBLWXf^thsx}|z||}wwt~v~߭Ӓu4Hx$H8[f"T|<_xVDLELCLDn*VDjv*TdLg&Ri'S^NeT|Ej~njrSmwp7w`*fq9tPwkh1jwJzF|Ffp~Dn}@lt8vIijT"MODVFf Es)P,H:LhEWCXDj%Fy/NfH\Fb D\CZ?cCh"G`B`>bCbDfD`@eAm#Fm&FjBl Ce@i Af2G7K:KJ\T^[`]`_dZa[`]c`gfjbcejhlknilgmnsqqvtvwsrrtqqtuqxrtvu{ތ♋⟌㪘洞纤躣鼤꾨«⿭ȪusDg[,NV!G]G[H` HUCTCZCdFp(G>WIWOb5P=SgCr B+C0G8M5J3INdBZ5L{,Ft%Dj>f>_@a?q>}$>{$>t<~"<4FNR`Xtjtwzx{|wxy|玅䌎贞ٌrEP#Dx$I~0^t+VWaMBJ>J@K ->\ H;dy.YW@d%N_H^J`P~GkNys*[l)Zf%Sb$YUQm8fxa|Axmfotwl3du>}s^>i DaA_@bB_Ad=aB`>l"?l#Bk Cp@hChAf>k:*C8N=KLVP[YZX^\_Z]Z^ZbZ_^cbhdkjlhnijklknpnrsqpkjrpllpprrro{xހzᖉ⢍㬕洞湣黢꾦뾤뾥쿨迪ϲ|u@\Z 
BR?Z>O:N>P;`=p!D=U8LPb/J:T8O/K.K=P4K~&E~3Pr#JQbٚ~ltmfilkqmljqlniedfdbh^c\`U`VbPYP[OWOWLWL[Q[UaX\[hX`X`[b\d\i\e]jXcUfagۡ˖̒ŊËďǖɘʚʛəʚț봊䧄ړvfX=Fqt"B*E1G8H7L5J?NkzcvRdCW5M}.Gv$Dj@jAz"@x:tlKENLdq`s8ja)UtAiM|luFqo7vxF~Px?xb^Y[PfŖTn|7hvB^o8cVAgBmB)D5K`@RBVCx-C1L_?^BbA\>\@Z`>a@]?^?a?dGl$Hp&Ci Bs BkBj?g>f:~(D5Jm>z&Ax&B~(D*B8J4G4J9LGTTnc~n{z~}zz蔂砏|ttg^YBT,PMw`lЩw(DT?M>L>L=O=VARFr-WPwItG7L=[Nm&W`Drw2ew8exCrJ @J C^"Tbxg|JzCvv:pWp^#ZUVLTLgf^Yaf}Cj~:ct/e|De|e"MiChB'D/I`?T?U=y+C~-Ca>`@a@Z@\BY>iBg Bd@_B[A\?bBh BfAm$Dl"B{0Ip!Bl@g=b0F?JHPPURXXYY]Y\V\\d[`_e]dhkfgdddihjjllninouknkmomrnvvxuށ}~ߕ⠊䫐毗粖洜跚鶜껝뾦¬ëƯȱWvR#CHh;(D>HTRncqt{wzy||~zrrtb\]C[Ddgw}ƊW?RCNAQAQ?TDR?WNi(VQuHpE 9Hf!IdDj'Ib!F`B]B`BgBdCi Eq%H|,Hz(Fo BjBc@r B4KDVHRNWNUQZY_X\[_]d`d^`_haffgehkhjjnkjllmmnjjmnrrppvt}yބyᗇ㝉䧎宕尖沚篖粖距긟깛콤ᆪƬȲɮ׿~\-PJ:VPӍsȒȎƌƐʙ̠ɚǘȖŕzܒjhY8GgP9Mzv}yshvWjL\@U@N3F{#@d8e4(@>HRRncq{zyxw{z|{wlrfZ^du^uzzH]RFP?QBRQ?ODv;rUYDsSIGDXUUvu0`y7hHra%PXKQHi,`N|u2cd"XzJy^y~Kpd(]k2iq6xh2fff_HohtYLboy|ZN^ MLpm,UeD|&EnCYBS?W@1G~.Gd?cF_BbD^BXC\CfFh&Gh,L_A^C^BcAhDi"Do"E|,H4Jn"DfBbAo B6JBUHURXQXRXVZY\\b[`^dZaahdhhkiknplnlnkmhhjndemrstttxvށyއ~ᚋ㠋䦒䫔粚氕殙豙踜鶠鵜뻤쾤ᄂ£©ĬƮȰ˳ʱm:ZQAfBeBx1MK\u(J}2N4Ny(F0G9L'D,GlDs%M{ֆzwjqt~yt|w~|~uzvxtvuuvtvtwsvrvorjmgobjel_fZeR_T]TbHV@TOYXZk`eYSNDR+IFTږwʖʕȕɔΞΞ̛ɚȕđ窀؄eUQ|$>_7a:u$B0E6L0F1I3H:O;L?P@NAM7I2G7Nxt}ylw\lK[EU7H}&@f8e9z=L9N 8H -r%Fi%Hx%Gw$A5Hy%Df?hDmA9L?SLYRTRZTYT[[a\a[`Z\ajaddiiknqpommlmnmddfkfgoqrmvlxރy~ᔃ☉䣑䨒宓嫖殐沘貖鲖鴗븛ᄂħƬƮȰʶ̮t@^\>WAl$DBTp"Ft(Dy,Ht"B~(A4J(C(DfAr#Jąnunuŏxȁz}v~x~z}v|wxyyzwxxwuxqutvopopkpincf_h`iZbWeSaGWOV\YjTk\XPBN2N^Z~đʘ̘˘̛ΙΜ˘ȕƕᅬݛr\Wz$>\@Z9t!B;K:H7F0F0G1H;M?OCRDQ>L8K2D8Nnv|m|`hP^;K(@j=^ 7w @=IYVnjtz}y{|uv{vnnkj{Ƹԕ=]@Z1Yd"RTBP>V>P7T?P@VCk)Ta!Jc%J|;`VvLlu1\n.[v8hc!Vb([k0fx@|fTu^HTHo2bym-X^"Vf.ba$[]"\r>rNr8P9NP[PSQWWZ^`Z\Z^TXZbgkikgkdfiknllllnlmffhljmljtnzv߁{{ᎀᑆ㖆⠋䢍婒娓檒谓殑貔級긜캞츝ħīȰɱʳ̵δŭDdT?j D:NjBo!?t%Bn C.D/H+By#D_?t#F̄ցuvqtoʃxxƂx}y~x|v{tzy|xz||zvvsususurrlnkogmhoclal`k_kR`X\bVkXjUXQDQL>N8L8K2I9NDQFRJUCP?N:L6H@Ol~t~|nz`jHV.Fl 
@\8y#Bl;p!@-Dx"D/H},LYE4N֔ufwrwr~xł{Ƃs€xx}vxr~zzszx{xy{vvwxuwvvsvrxnrmplpitjqdlcj``dYjViUdPTP_Sy‘̛ΙК͜ΚΜΝȒxՉeXSwAf@~(D>P=Lb8| ;@LWZnerxz~{{z}ypnphހzᵪAhHTfjJ=M>S@T;ZA[CX?^Ao2Xl%Ko+R]D]BZ!LXDZKw:h}>lf(P_ IS@PBQCp5^^"NPFZ SuBoVb&[VLh*`d)\p6nk/ltBt^FzQ8L>N=O?RHTPYTYMTHTCR=N@QGUJYm*L~:\\rp}puP^u!@`9v=;GVXsjq{z}~}{~|ytkrhڇ~Xx{/Qf AL=Q>V@Q;T>]@UA^Dr3\\@e#HeHTCUBQC\KJxK}d!Mk-W\KKCQFr<_v8gLDNKf1cTGvYQ^$Tl2jo3fh,fn5s|QYy>vknp|nEodq%Ux|\OeL\;r#@{*Dz$E>PQUSVEPrr%Ch=[AJ[דq`vm~vŀvÀtr~uu~w|u}zxtxv|vxz||wvyyutttrvqtrvmqlujtilinhfmZsXqUhS`S؄f﹄əѠКΜКΘ͛ʚĎ讀ւdXP1J{(H4MANCQ:M=N@NBUFVPXQYRXLSDT@O:PAQHXKYZ9HXYphry~|~|{|홀wjvtw͚_p2Tk"LO>O=R>R>T;\AUCutt;f}Cy_"Zh-bw:ps6ni4ih2f[D|iZ[bxy[r[Ie*J:pL>N 8M:Q>{,Bn$Fm Ar%Ff?eB_@V@aCcCl$Fo$Ea"HbH]@Z:q#>x(B|$B@LUXRTEJ|!:`:q$B6GL_GTMZ[acbcd^a^`cfeffmlikklkgckkhfjmnlllrnpnxrzszruxy||䓂㚄㚈㞇椊柊襎箎謎걖겓ìưǵ̶̺ѿ׺պR?REVBRFWOZU\W\LV@P@P@RBTL\J^L\P 8\?z9[Zqs{fm1I[ 6n<7LXXvlt|~|}|훀|{zsfsgt`ܞWy@`v8]K;M\>V>]A_Gt3Ts+J`B`Be(L^9p>t<$@DNTVUTJK%>` 7j=0JH[TZUUY[acedadch]`dhegfiljlfmllhmhjjllmkmlvtxs|u}vv}z~y~┃㔃㘄䙈䟉䢋禐媌諐걕겖춖ªưůʶ͸ϼֶ\b@kk̂vmbwq}tĂ{Āt}t}u}v|ruÀv{txr|xwtxuyyvuvvuxtuuyqspsltnolsgeealZoXvXv[w[uЛӡΜϛН͘˕ȓ~۔rTN.D.H6L=N@Q:NFTFUDSJUTYRZJTBPNBRGUJWM`J_N 5V8fGBakot6P[4d72FV[ulry~욀||저{ytjxfdbY\ēJYw0MG yw@sQWLj2lq=r\z>vosXzRz_"UD Cd&UzyY@MEF?P~/I`>b=_=Z=bB^Cq(Gx/L\BcF_C^:n?s=2HLURUSRDJ"<^ 8d@4NK^PTRT][bb^\aeahcgb`dbgcjemkigkhlhmimlprrlrqvnuqyq}ru{z}㒄☄⛆䟌堊觏䤎欐糘鲑뵘츙ªìůŰ˸˸ͺ׻ʴE]X>b8j9a7nP9N@TGRKZOWRWSXFRBP:N8L=LJYIWJ\H\LeJ5K 4^Bx6Ymov8NU -4\ 3,@[Xrdr}{yx{x~{vkxfdZP\̓z2R^CLAVDT@R<[!N^!Jj&O]EU?WBZGVBT>TA[Go,Wm~BrQCf'Pz8^^EN 9M P90Et!>w!>2GaAb@\BXA^D^ Gr)Ep"E\A_?_A_:li=:PFRTWRT\Y``XX^`fecb__`^gfdflklfmjlhlflhtsuqyvxtunztu~txy{␁㔅㗆♇䜊䢎壐复媒讔箘괕캠캜ᄂîƱȴȵ˸νҿ־طÕ[8\9f8^ 3a7R -zq҈mgxmʃrȂw~r|p}pr|q{s~s|xywzwxwyxusstsvxustssrunpjnhkhg_ahfxh܊quxɗМҠҚЛΖ̖ƌlgP:H5L9NBP@R8OBQHUKWQXTWNVDN=O8K;M?NJXKYLaJbL`L 6M<[Dq-Tayrtt(BP 4\9.@WTtfnvꞀzz{|zti{fc[KdUbsTAM@YFUAR=ZCf(N_D^AYAYDUBUGYESCUK|iFtv:nYJr5mf-\H}Fx\R~J}r9pvC{s6qT~^KRCz8meRȨ̵T:I ;B ;N 
<.DnBw&BAT\?c>[@[>`@b@q&Ai!B[A]@c#FfBp@~(DANNNJL>GDH0Ag7o;MBP=PANGUIRMTSXOTJQCT=N>N?OEOLWJWF]K`NbH -6R@XBl(RYt£¤ipo+HN :]92DWWtesx||{}zvuk|hhae~_phjPHWLZHRDUE`&N`"IXE_EXBX@VCZH[BRKXRWx8cNAQ>}8\j(NN 9bKaMUA`(P\K[Eb%SVIu;mf&\{H}E~R~J|xE|n4kwB{r:uV|wx>qK?_J^P~ƳJ?K=KDTA8Jv&Fu$CCU_EgA\D^HaAcDt(FfEYi;r=1HFLHK?HHNPS0@f:l>>OCRPV[[aa_[]^\`cdhbgdhdidfbf`hajdkemgollipntnplsoyr~stx߃xz{᐀⏀▇▂❌⚎㡐嫓媓媒殕籖궛뻠ᆭíǰŲ̺ʸ̻Ͻ׷Z -4\ 4S.\ -3O6.E{lׄrqn~vȂsȂtƄuƄu|r~pȀt~r{t|r|x|rutyvtststttrtrnpnjlmgiffd^of܎qȓМӢҟҞћ͖ȌojR@J8M>M?LP;M>PDTGRM[HVCZNbPdI2L -5V@j,WVoģkpt-HL5[ -4+@XUr_qu|zz}{x}ylyhg^ؔepz?]NEa GR?Q@a#Od%QZDX:`BU>T>[F\DUBRIa%Zsuv2XL>O=l+Mm(OR:Hr Bz'C5I`p*Hf(K[B\F@JGPZZST6FgK;I:KDNJWMVRVUXUWHS?N@S:MARJSIRJXH\I_SgQeI1K3O -7bJRmmqv0JQ2^7)>TTrblv{x|{x|zthzcf]؎^jn9ZN?bJTC]Gh)O^DWAV@Z?XBT<_IM 9L @NIyJpju.ZNCQBYDa$LT>r4\cJYJZJ[$PTCXKWHZLt3ji0bw=vQc~H{l6ik4n`%fSnjm|_j)hd Tv;`sJ=H c=d?b>bBg?bG^$J_De>t"@"<5GFNNQWZWVSR8He 8w"B?NJUOP]\`d`caa`]gddec`hdedfed_eeebfcfdlfsqrjrmtnrjwo{r|t}v߂xw}{㐁☇✈垌䠎䤎歕存汗귞긠Įűɲȷȶͼ;־յfpP 6N5U3P5LXwdvn{qpƂuǀtātxt~tp|p|v|qtqzrwrtntrqnrporlnkpmolnkl`bjb}̜Ϡ̚ēċɔНԠԞҟϘʍjsXJIJ=L>M?ODNGPSVTWTXTZES=P:N>NERNXMXL[J`HZMbH^G0I 2L6^DJl{ţŸrvx1KP0\ 6&?VWr\pv{{}{~xzwqdyah\}uHdR>PAdH\Id"N]BZAV:WNAR=` H\Dr-S^AbJS=ZJVCa"QWHTHl,\b)Wj4ju@opZ^ R^![a&eXzB|Ll~I~k¡w|\GK?d>,Dk?x(Cr"Dj Bg@j"Di@`?c>h@b@^DdGhAu?0EGTRSXZY\ZWTR:Hg9~,GXAYBO@MEd&X_ZFgIlbINAM?QD[Fj)Pp,TU9b HO 8O=VEh*T`"PP>k/^d&V]&\`$[dgg(df.htEcz{zDqrx5hlqz_jQ@V>n"@}(Da?r!Bm!As'DeBf!Bl!Bd@h"DdN>RFQNZL\L\MaPfK_J\:RH.J4M -:\CDctƨ¡xyBTU 4\ -4#;QRp_lvy{|~|x~nj}ijfbbCdbOh%Rj&RZEXGS>X>X@Z<[>Y@VDRH^Ld|Fj^LNz~Bdg.XTEPCSF\!Kv4]k&LR8`GRn$Bb?f Bf?a?l$Ad@b@bAoA(B-FDKWSZX[ZXZTTLO&>g:

MKTXVXV\]`_b[ebgdj`f^gdh^gcf_hejgjdjhhcnlphpjrlpjvpxnvm~r~uw߅|~⌁⌀⑄㚌䝋㡌㤐妑䮘沚浘踣뺦뽩ƱĴƴǷʺɻ̼οտвYhA1H5a:lgl]zjytȊ|r|r~r~v~s~t|t{rxuxvxtyrzvuswrrsrrqqmmjmfgfe`ab`֌rΞզҞ͒ȓɑϞԢԥѝΗNjz_iTNPIMHOBN@J?J@KGPRRXTMRIUCR=NY@WWGZLi*Zn2[j.PQHYJb~O@PBRJXLZL]J^JZCV@T9R5RH3F0L4W?w@bt¤z|Uac:^2 =NPodnv|뜀痂~|ߔ}◂{u|rkifykk(UXFYJTCVDW@X>W@`HZFWHm3\Fp]EUFTGbMAi~bVCWHTDc*Pd"Kf(QXCU>VFTC]Jj1ZXFZQi+V}Bpe%VTFUJZXm:njpd~lU~}>hs:_zQpsbxvRz>nGfo&Hf Cj Bk F}0L9Pm>e@hAi>d;`N;K>NHVMYI[PcEZJZBZY6RF/D2J:U>v9^j}ä~~U]]7[ 0#T<`B]DXBe*Ma#GUA]HZKYHBk}?dv2W^HRD_#Lc&OWC`$J^EYHZEZHZGd*S^R^P|Bk}@qYJTHF BQNi5nffrqpFlJuM -7O :i0Kp1XX:h#A?QG[Rpol\s_Y{>Vj@n @c>c;k>a;e>o>(B4I@NOQ\ZWY[\]bXVHM%FtA?PHTTZ[V]^c`d`a`abfeicljjehbidgcdac_b\c]f_jeheohnemfnjwrzsym~y~v}x߄y߇{߆~⌀⒂┇㐈ᡍ㨎䩔存氚泠鸦軨꼫ò±Ĵƶʷ˼νͿѿҺ̯=WF:*Dh]tg|s{sĀrĊ|~s~v|r{x~t}twsxowrxsxryrzrxtsrtsmnjnghgehdgdnb|ēϘњȎÉčʓҞզҢˆjyY]TTPXVKNJPBLCM?KDNJNPSNRDL>OWD[AXJ 4H2G6R>n1UdxåĢS`c8\9"@NQk]ky{yy{럀||ztkzfwum~Fjd"ObFXG[DW@] FX>ZA^BY>U@YBVD] Jc#LXEXFw7\r5^j)PbFYGg*S[HUC`$Gc"H[BY>S@Q@d&R^ RXHOtt8fLWTCXFY=RAYA[B]I5H2I -8R?f%L_u¤äUbf<_4%BLPl`nwz|v|z}xqozboqsEhbH[A[@d"LZ=V@W=X>\HZCUBYH^"Le(PZFTFc Nq2Yj.Uc!KYD^"L\FXGXGg+Nh-TX@S;N=T>g%SOD\NPvr9kMJX$Pv@k,dt@zLh[dlQntf\E];TvR7g>b;H?]@w,HfCYDp1Ja"Ht$G?M]fo&Hh>b;`<_>o@*A5FLbWxg|uvĂw‚s{zw|tzv~tzsxoxrzrwqytwuxtxuvrrroonokllmlgeXobsȒ͐NJÉ̗ԢԠϕĈx܆b\NWVTQRSOUHNDN>J:GEPEMIP?L6J8Lf$K[sYdf<^:'FLQk`htszyy|xzytsxey|vKkgHbEZAdHU=WBS@V@^HUAVFd$Pq/Vg)PVCXKXGj*Wd(Lf(Ng&M^ LR?UDTD]HuyTPs@q|Bu?kL|}Jvg`X}IzZtHy[>Y|T9d=Pp&Bpu)Dh@m ?a?|-@r&D^@^;[9b:z$A2C6FBNJOVV[Z\^bd_]TV/DjB:LLZRX_^`a`^gghfhfhefdlelflhngmdhffcdZfdc^gdhbjbh_mbndpfpmsnvrxo}u~wހxyއދ}Ꮑ⑂ߚ➊䦎䨑孒䵝财跥黪켭꾭´òŵƴȺʿͼͿξжo EBLfZxixv…|yt}w|p|t|v~vzr{t{vxtzvzxxqwutrsqnmmppprnlel]l`چdxÌΚ֤Ԟňm|XWSTRQTNRJNLVDM@M>JDLJPb LUl_jm$Cd<#BHNj^iuxyxz{|zyrgtfۀ}z`ufEo&PV>`FQ>R>P 
;VG]HUIu7b@ek'L^CTBTDZIh*Sb#Md$Kb#G[F^JZFVJSGd)O`PO^>d>i#C_?]<^8j:$=3G8HHNJRW]VV^_^`]\NS#CnD:NIVUW`]c`bajgkhifjigikejgkfkghbiiecfbgfedfbkeg\f`iblblgtotlupuowqttuރz~ߍ~⏀ߐ⛆⥍䦐䭔氚涢浢漪꽬齭³ƴŲȸɼ̼ʾ̾̽Ϻ̮VjGOj]zf|txmxz|x~t}w~t}yzus~w|u|t{uzvytzvvuvtrrnprlnmpeo`m\sZ܇`nrvxÍϝ֢ҚʋirUTRPRLOLOFODKN:M 9[FJf}dlx0Jj>)DFNi_|du}zz~|{}|qkxhvvڇWmkF>d\BZAL>NBN@_Im&R~=ey:]c!CX>TAPDTGb(Tk(Qf*S^FYFVHh&R_$LZ#PRJZ$It8hRBbLXG`(\e.\m2[b%Wd$Zs:bRLLIIpȊb|d^L~i.gd+ddfn_zFp}N <[Dn AeD\Dh Bj Ap"B`>b@`>c>_>Z8a:p >1B5D;ELPPTVX[^\ZZXVWDNnC~,JBTLX\^^]ffgfhfkijghfmiqpifg`gbf^gaf^hdc`ibfae`e]f\jdldnhpjupvp{uzs}r|txx݆z|~ጀ⒁ᘄ☄➊㢎䬒䫖洠泠纩黨輮óķĵʸɼ˺̽˻̿λΰ̌LNpcxftjherpwnwrzu{u~zw‚t~xz|x|t|w{v|vywwtusopsqrmtpthtfr\t_t\ZގbfzƎњآЗɊ}`iVRPMNKQEMDM>L9LALHT@N>M1G.H9NGTT\LXHVGY?S;TASF[H\BZH[H^8OR:M 7M 9J -9WB~Ddunu~:Pn?&CFLi\h{tz}z{~xpnxfpr܎Zrs&MBb^JXCO?OD^ Nw8^{;^h$K[HSBSBTARDVHj-Zd Om-X^I\I`$Nk)Tm,Uc)RWIPCk,W`$N\HQJd*VR^GUD]Mc$RZm4fOMS IoBdq?obhep8d\R]TxK|gvfN:^@k@^=T,D>HFPORTVVW^^YXY\TZ3Gh?4JBQU\]\adedfeginjmhjkleqmmhldhajfieh_hdc^fdd\daf_d[mepjlkpkslsiwnxl|s}t}s߁uބ{ބvߋ|߉zߐߖញ⨍㩏䬔谝紤踦黨輮꾱±ŷƸɺ̿ʼ̼ʼ̼̿ϸ䶫WXw^xae`Z[cfffijnjpksnxs~t~wyw}wx~u~v|y{uzttrztsnxoxnykvft\q^iRsZلdxȐ֢ןғƉq\aRPPNPJO>HBP9LR>V@TEXF]DYNb@R0JN:M 6L -5NAR@zA`xlr;Pn>&>BJfY{btvzvww{x~xs{jfeچzats'K?`b I[CUBUC\C`E_CWEWEXEV@ZHTF\ Jd"Nk+Xj+P_ LYIh,Ue#P_Ic"Ld!La!Ij*N]APCLDk6]}Fq\FPEYNl0c`Bzi/bUKWKVKWNtHr}X[K\Rn0lrBso_$JYX;r!>e!C`>]JLPOTPRXX^`YYXVIM}@lD=REQZZ_Xdbbbghhggfjfkhidpksnlfhhhdkbldlahbfcdagckbfalhmfllphsowqwmxpys{o|r߁u݂w݅{݇~ߊ|Ⓚᝈ⢉⦐㨐䰜洠帤踦轪꿭ĶȸȺȼɻ̽;̾̾Ϻʷspv^iXORDQTZOUY^\_fjgfnlqtxuzv|s{zx|y}z|tyuvswp|u~ŕo}hwft^tdk\viֆk췄̖٣֞ϐÆg|Z[NNLMPHNDPag*PRCYE\@c#I]AS@OAP?wBjb J`IUJXNx@uigi0^o6jZHX HLFSO`zm[P\"RJ~Gxr4^wVuO 9a=j>e>R7]8h*?6DFKKNPTRRUX\^Y[XX9LiIx&FH:J6IN 5L 2M -8M :WB|<]k|Ŧqt:Or$@(@?Ge\|frzxzx{~zywm~bf]bdVn~4V>^p(PT>N?SA]Fa"IYDYGXCTBTC]Ja&Qe&Lb&Pj(SVIWLd,Ur5Xl+PVDT@SVLf1Tob<^8^9^@^6T 4X 
6]7i=u&C~(C,@>HNOORSSSTZX]]ZTPO&@c>/IANZ\fdd`b[cdfdhfkfkfnjlfnlmjpnlhjfjcnggdhbd\hfhbcbgbicjbkfrkrhulxpum{p|q~r|txވx݉|ߊz|ߒ~ᘂ㡈⧎䰗䯜沢綢带龯ŵƷȷɼ;˽ϿԺ亩ZV6F2D'?6C,=8E7GDNDRFPOUR\^_adbfjjnnpqprutyw~{Ăw΂oчtщkz`tXiQiTnW~bzŐҜءҒƂrXbSQMFJ=I1G0F5J>LDM>K.F(B2H:NN[IXDTDVFZCT>XBWN`ObEZEZ>T6Mt%@j @L 4L7J 2L -6Y@o,Pf}¤§z|G[n!?~ ?>GaUvensv~y|}||ukck^`ePn4Z;^{3[N>N@ZAj%LZ@WAT@RDVGXHj(Qj*RVDd+Tb&PUKWJg(Oh&Jr.V]EXCXAT>R8]DQ>ZFYBWHa,ii0aXNNpm;p[Lj0\l0hVCe#L`!N\Jd%Ubr/ZJtbd CX;bYNHVNcBTBVCWCYAVBXD\PbOcF]EY8Pz-FlO>`FdAV@V@VBUCTFZHo0V\HSHl,V^MQJXNk,Vj(Mj)OaF`DY?R@WF\B_G\FSF_'LnErFDpBlZ|E|hjx>ua&Vf(Sj(br2az8fv2fElZBf#Br4KbB`=d9]6R 5b@]:W8Z>\=W;W9]5i @q;0C1DN2I5J3I2H6J/E1D5D2E4D:H>KCOETIXP]\ffjrl~pЊpӊl|b͂hч]Ё`|_ۍjЛ֤ԘȅvXdNJKM9H.C,E:NIYJ]K]BTAXFV@T?SGVLbRgI`H^AW}0Lt*Cg=l:O:J7G 6F1L 9g"Ol|Ƨȧblu">&@>H]Wvdptzv{z||{{pck^?Pb}:`Bcx3ZK bFX;RAV@R?RB\Km.Vi'OTFUGo0U\KRGXHi(Ri(On,Sc!Lh(ObFP=U@[D\D`K\JZCZHF ARHxF{v:v[a_] Rn5hK^[j%Do#>U?XMBNDS>N6I6H:L0F*A,Av&By(Ax+Dz)Ay,Cv.Fx.Fz.FAPNV``l^r^|fԌgݜpݖf؃^ՄcuÎҝ֝ЕxduWSJ:B.B;};'?2F8F2G3F.H3IFVN\JX

TBVEW>T>TDWLbNdD[F[?V~2Hm!>k=k@W9R7P -4R5R :f"KhvžǪȪjtv&?|$>`:[t-WN?\G\AS=V>S=R@YGv6`b!G` LTCTFr4]\LSH[Ln+Tf"Km-Tf'Qf'QaG[ET=d LVA^"K^!HVDN@OFXMQFzJLgqoSgIxBpSuFt`FO| <2J6I2F,D0H:ODSQcP_FYAT=S=S?V@T@THZLbObI^DW7Rs$?n ?i:h;`<^;b;hAhCp(Lftȫɬģkpy+E}'A@K`[whsxxzxzx}z~pfWY9Ti~6Xp&LeKL>\ IT@R=XBS@[Hf$Lh&KXEb$OYDUDe*P[IQD_$Lo0Tc"Je%Mb#Kc"L\De$Jb"HXBP>R@^$Ib"KVG[HUENBUNxG|V}[v\Fz}Axp0^Sxt5bT;R:^P>R8P=R>TBXJZPhLbH[dHR?TEYDf$OdFWAYCWCc#LW>SEZHh&TTBh(Ti+Qc%Mc"Nc Ic"Lb"NZD]ER=SAN aP8J2F~1Ht N:L6N9RB]^rŸˮϲʪrv@R-C@I\Pteruzxw||y~vp|bL]D[pFfj"LZBWB]DVF^Jq2Zh%IY@VBT?XDa!I[IUHYFd$N^Il,V^ Kb'Mj(Sd&Pf(Nd LVBUESBS?YBR=T:f"P[Bv6`c JVBPDMFq9fnq|RX>qRh_R?W?c?W:X\8^:p<0D.D@NVU`^]Se`e_c[c^f_mhgejhhcjghajdjficohlfplngojldpfmdh]g_iai`hbh`ici^jbj`i^kdpfrhtjrfxjn݁s߃v݀xރyz|~◃㘁䚉䤑㤎䫘峢赦繩缮辭õźɽǹɼ˿̿ϿӶڮ=M>OJTJSP]PXRXPXLVFSFV>P=P8O~.Fq"Ai D^8X!:q>p>z#@*D/F0D,H+I6ODVN_VfJZ:Q6N9R8O8O8M>UNbXmVkJ`@W8Q|2Jx,Gp%Dj>l!ABRDV?P?QE\I`dwʬ̰Ȭ|yIW4ICO\Vvdrux|{wy|}urzfU_LbezCct,TQ>SAXBd#J`Ca DYBW@XBZA[DXB\DWE[G]H`%Li)OZFh+Um,Xi*Te&Lf$MR@UDR@P>ZG^GL>b"Gn+Uh*Rd K\KVHXLf,^p:ea~t|D~G{j_X?^@[.A.@>GLMRPTSRPWQOK%;[ 7Z=v%D9JPQ]V^U^Zg_d[dbd`halaleidg`hakhhciehgpjlelhmgnhmfngj`h_janfh^f^e\iai\mbjag_kcpkpjugsixl|p~oނt߀tzވzxⓀⓂ♅䞊㥎定氞洤纪纪羰³ĶƵŷȻȽ˾̾̿ϾѶDZLX8NCROWT\PXRWPVMUFRGV=NAR9P2J|1Kq&Ah"@]y#B&@0F&?'?)B3MCTNaSaL\>T:N6N1J5N8N@VG^Ui]pNdK_@V6Q5Pz)Fn#?k!@s'D:PBP?PCXK`Vjn~Ūɰʮ¢Ta0DDNXQtcqxy|zz|~vpnzcL^Nh`s@`u*SXB[GX=XCX?ZB[DX?VAX?]Ja%L` HXFWEV@XAZDYGi-Tm.X^!JZIf&Od)STBVBRDVBh&Na#NP=e$Lj,Ud&P\Mb"Rm/^b$Np0\j.\m8]Zxfaf3O[A\@_AYAT9IJP\W\Y]Z_[b\f]feb[hbhhjfhfjahelgjchehfngnflikflcohpih]kamfhbg^edd]jdiamdndkdibmcsfrgrgzi|p{n|q߂tކyފ|ފz~xߒ㘅✌⨐䧕䫚沢洣湧迭龴¶ĹƻǺǻ˾̾Ƕ˼ϼβtx3DBPJTR\SYRWSZOUKUDSGUCR8L9M5Jx,Bt'Bf>`:^@jE:Lւbzyxu~zi{T@Cx;j_GT?YDYDX@ZD[@ZCX@ZCb%JbIWGZGYEUCTDc%Pd%Le'QVJVHp4\|>fVBZHVFL@g&Q|@j`LTDf%Js5f\LXLs>gu;raQw@svApOqU>T>\@T;V8U=N=R 7[:`5n9,@,@3BBJFOQPWROKDHv9S 
-7Wk>u"A)B*A"?~$B3K?QJYL]L`BX>R6L2L/H6L6O@YLbUj\qPgE`H\=U4Nx.Jm$Cp"Dt0Lu.Kx-J>PL\Xh\mdvtƨǫŧ\d6GFPZWsgtr蚀xzz~vzs߂i6RbvUn;_ZBQB`HRAXGW@\FXAaJbJVB]Df$J_FS@VDTFUF`'Su5bj/Zj1]TD^!Ox>d|Ad[FSAZHKAf(Y~Ei|>g^L]LzBmZH`&\a0X}Jyf'`v>olld&Pp1]p@XJud?Z@U?T>W;\HHNONXUZX^Z^X`\a[e`h^d^j`j`ibh_jcjchbiejdkgldnikbjblgngohoelbldkdmdhajjk_ifndh^h`fZl`pfphreujwjvh~qr~uވzx|}│ᒄ➐㦖㭚䱣䲧座漮迲´Ƹƺǻʼ̼ʻμж侬CR:KCRJUKQPXPTPXLVHVFQMXDTFS;P8O8J2J3J6I3NGU|l贂ǔ̖Ȓzi|TbQBJ*Du"@n;n@v&E.F,B)B|"B/F8OFXQbO_MZ?U2M2M.J2L4M>VNbTh[nRhMeBZHZ=R~4Mt*Hr&Et,Gq*Jm Ak">?WJ[Zn^o^oj{ũħ^iN?YCTB`"N]Cd&NT?f&N_IWC^Db%Hg'NWEQ=SCTFb'P}8duAnk6`SJe&UvAf~Djr4\N@R@VG] I|Cnk,Sj,V_#Te+MwAu[ Jj+\`!Rw:nl0iT~Mzv4jTAwAhn'OU>Q;SPrLGRVPrdmwz||}졀|xkn>XIfTny2TN@N>XCTD]"KX@b!JZBk'O`FT@XG]Fq2\b&OSAXFVDl.Yv0^yLuv7cTHb$Tu@jLt~Aj`LRA]JV@Fli)TQ>WJ]%Ohb%Vd&Y^Rq:it9u|Axaq5d\Ih.Vj.YRQHUxf樄{ց^HJ4G4K~.F|(Fw!A,D.E2H.D*D.H:QK^TcWjN\CU:L2Hx(Fu(Gz&B4MBWF\VhYlVgQgMaH]>Vy.Gl"Bq&Bz,Hx-Ht,Gh!BZ6o'C~9PDZF[Ke\tuǫȪdn>IENXQp`߂nwv||xzvlmP`7XD`n(OQ@TAU>YE] I[H_GT>m+Vf"JZBZHX@vTHc&ZsHa`b#QY Td(_uBxWd_\E^Fd+SS;P8U9Y>T=ZAX8[8^8f3i8i8e8^>S7W9[>j!D,F;OBPDNHLNSTUUT]^XTXXZV^Z_Ya\^Zcagafehaebjfg^jajcfbfdkhmflhldngpdpjtrphsftlsmnhlhnfphodjehbldpfnbnflbodphrgtfxlynzr~suބw߇{}ፀⓃᖆ➊❉⡓⤔䬘䮜䳦䵥漯龰ķȾļ̹̾ήܮ9G;H@OFOJULVOXSZR\LWR\PZMZFZJYM^P\P`NXGUGTc\ۏupޚnyZJJ8N8N:K0I,D0F/D2J/F*E/J8PFZRa[jMYAQ9L2J~5Pz(Ct'F|-F;OM`Qf^mZo\nPgNcFZ7Mr(Dp&Fr,Fw*Ft(Fj!CgAW:f >p*HU>X?YE\J^Jk'Pg K\I\H\F|GsVEVDZHWId!Nd#PzNxk*XMG`$SE_YTj'TV"QTL^LUz`(VLHSEb$Wat7fn2f_!Ut>pb^rzFt`L`&NR]?\8^5[2U 5T6^j @u1L;TA\Jggxæ¦lqRWKTXSkZlxzꝀ~|은trddr!Ev5ZT@XFRCV@\)M\ATAZDb"Lh*Tb!L` Pd"O`K}Mub LVBYFZKd*Wn,Y~Nvc MOCZL|@vT_Zj0]PGKBt[F\FR=YAb Kk*Te%Qb%Qb"N_Mn:Zq5fTDQBVHc M{BdzCkXFPGSGvQ@RHVFRHT>O:M5I2G6J7PBVPeJ^H[8L6N6M2H{*Fw,Fv&F;TJ^XlZmbwfxYjTfNbCZ|/Kv+Fo$Ck @l"Do"?gAb 
U?T:W=]9h9l3t58*:5B:FBHOLNNOKPONNTSXVYWZX^\ZX^\][^U\V\W_W]W[Y`Xgbb\d`hhfZd^daf]f_jeibgbh`kenfjhnflemhripjskpipisjtlpkqlwqrfpfodrerincphtlvkvhxhvj|rzp}sހruޅzߊ{⎀ᑄ╆♊ᢐ㠒⣔⫝̸ᮛⰣ乨巪绮¶ȸʻɻǹ̸̽ͱװ3H0D=LCSITMWQZU]Y`Xb[d]e^h_d]a`^XVTUVVQTNRITKTHTFPDRGUNRNXIRBO:L2H3J8O@TF\JZ7N6L~2G}+B0C.C}2L|.H2K@TN`\l`lap`sTfTeFZ6Ox+El Bj @n>f>e:d:b8f6^=b BdBbAj(Jj)Nn-SYpжµóֹ_fT[ZXn\lr{|~pS^z,QdDh%N^C_JV@\ I[DUBVE_Hc%Pf%N\Jb Md$Mf(TXIoAao3cP@VH]Ka|@mTLUNTLzAp^hYR}w}GxZ"PPEqGoVzOyr/^H?J>v0`zC_hVNPEr3e}Jubl.dR>b$MP?T;ZAV@\>c8k8q0!60?9A?ICGNOMJPKRPNKQPSRWU[VZUZY\X^X_WZTa\\S^TaX^X^Zd\`Yf_c[e\dZh`fZg`i`iag]f\mdj`lclfmdqkphpinirqrkulqlskqhulrhrlrdncripfwlrfthvhxgxjwkzpznpޅvޅzߌ{~㑀ᓃᖆ᠔⤏ঐ⪚⭞஠䵦溯罯迱ķƺɺȽǼ̼͵îKZ|.G;KBVDOQYR\RYXbVb[f`fafaf`^YZUUVUVVUXQTQVJTJRDTFRQVTVQUHR@N:N6N=RDVI`I\AZ:L~,Dz*A|,D~.G~)>~6N4N;NPd\haqs^nZoPeEY?Uy1Hn)Gh$Ah @i>h"@f>f;fd"@bA_@h"Eg%Jo.Wav۾óij°޾ΩpoRZZVjZnpx{~~|ylpOlx'Pc KVCbFf&NZAZDQBYB`#PbHfKb"Ld"Nj(Qi-UZL\&IzGvL@TGb'Tuz8bVEWOVH~Etbo'_w8h}jb#LOBRFy@hT_"J`#SI @j'Ou/^XsFxOBq0dn1c[yJum6po4\T=P:V 7S6_6l6s2!70;7><@EGGGMHPNQJTLTNRNSMWSXS]UZVXP^YZRXV^X^Z`YcZ`Y^Y^XaZaTd[aXhah`h`f]dah`fZjghciekdjahgogqjlepnrkrstitkpjtfxopjvpsjrexqvltntitkznxjyl|q~kzp}mvtx|ᙋࠐ⤓ᡎᩜ⬜ᮟ䴦漬溬龲õĶȻȻʽͺ͹ʱox{.J8H>JGUGPHTT]TbT`Zbbibfae``ZY[YVQTTUVRTOUJPLTNVVYWXVVRYLTAR@Q=TDZF\H^K_>V6J~.C}-F.I}0F}/H0I=SM^Wdbndubp\pVjJ`BU4Lr)Fh#Cd>h">k%Cf:h;i2HY<`=`@`>d&GcHk*Pbz̤۽³ijòݼӰwPW\\m`jrvxx|{~|~snndo3VcJYE\D`DXD_KPA_"Jb-Sf&PfMd Pi"Nn)Um+Tf"RTFzJpb PVLg-Wrs2^[JVJ\NQ|eeR}4qUvs4dPBSJh*W\g,ac&Pe"TZA:dn.TNucTi)[p,`TGV_ZDL 6N 2X 1c3u4#;.<5=9?DIHJGGNKJJPNTOSPVQRPVOZU`Y\U\X]VYR[V]Va^`X_Xb\`[^R_Y_Vd\aZd[f^f_b[g_mfj^hdh`kdg^lblhplnjnisnoeqiulritkthqkvjwmthujxmsjsltftgwlzlyn~s|s{pzoz{yߑᚆ⠊ឈ࢒䨖⭜௝䲡䶨亭羰ĶķȺȺʼʻ˹αʓ}/J{4L>LHRR[MYP\NZVc\b^cad]`\^][[WXVUVUVOQOURSQSWY[V_XXWOQGR?P@UDXNbF]BZ@Y[=b?`@d"EaEj'P\rΦڼñ޻ղ~R\ZXnbkuvwx|{|xߓxYbNbv-QbF^DWAX>ZAc 
JUH^H`#LdLk%Rh"Nr*Vz6\z5]r2\[Jd$Ms0`\OsDn\q,XcJ[Nj"WFq`TB~?ut0dzd[KRIk/b_XXJe&Pf&Tr0T}9BFHDEGFPQPNOLWTUQUPWTXQXO_W]VZW\X^T`[`UbX]Z`Xb\bY\T^Th_d[jdf`eXc]`Xf`jhjbgemkkfgdicngnjpdrgtjrgsjkirfshqjrhrfzpwnxitgxlvhrfuhxozj{l~l}or~rwv}~|݊ᒂᖇᣒ㩗㬝ᮝ㲞浨幧缱辱·ƷƸʽʺʺͲڲ:N4Ie>g=p&By(C5H?J^:c D^Fc&OOmˢڻ޾ݿڸҮyNX\Xn_߄ntw{적|좀}vޑwJWA^j"Gf$NdHR@P<_Bh%LP?g*V[Hh)Rn(Rg#Pp-Vs*Tx5Zx6b\JbMp0fj.^oHpbLg!T` QiRLubP@w8fv3fu4B1?7@?FGHHIMJQNSRPPTTXSXSWU\SZRZXZX^[]T]T]T^X_T\U\XaZ`Z^X^VcXa\e[e[i`f_^WdZc[d\hhh_hdlfjcnhrgrfpfphrjrjkfrlsjtosmrgwlxluhtlvhyoymtgxj{pwkyortpsy|ᎀ~ߓᘊ⤕⪕⯟䱠崦帨帬翰꿰ĶƼǻʼηĮVl>Z?PDSHN@JBMJVW`W_Y`X[^_e_g\`V[V\WZTXTZWb[h[kXdY]UTRIR>NBQ>O:P7Q{4Q4R6SBY>X@T:Q:P4MDUK^Zkgpn|ktgu]kH^:Qv/Hg >a<_6`:`8c;j?u+F4J@RFRANR9^>`=\=` C[>`HHfęڼ޾ܾܾغѬzqS^`\l\mnx을z|잀{JWFdh&Nj%LY>Q>P:d"Gi*PH8g(RV@r0Yr2[k"Mq*Vm&Nt-Xx4^f%ObS|@t|;hr4Y`Fq.`VBd RGm^THi(Tt4`p+d|Fkns2l\!Nx|EhN=YFSJZDo*Xy:`e-Se"PTD_L}Lso.a`FLzz7NRz8/D1A2>:D8@@DDFHKJJLNQRSRWTVQXQZPXQZTbZa[ZW]T\T\V]W\T`\b^b\d]`T^X^W`Ye^ibe_e]`Xc\d\b^fdhfhdnhihhbojndrlnfpfnnmcrkrhqhrjrhvjxiypwlvhxlxqyixl{ozt{prtxtt~ጂߌߐᔊ☌⦔᪘ᬘ峢䳤䷤䶨溰辰´Źļʻ˵ȷnRIhEZDRBPHTHRPWRZPYbff^j]h\c\`V\X]T[T`\j^l[kZfZXPRSBKZ@]AXBZv,N~8PBVGTDNHQ \ No newline at end of file diff --git a/tests/ref/seek/vsynth2-asv1 b/tests/ref/seek/vsynth2-asv1 index 5873bb17b7..b3cca3b0c7 100644 --- a/tests/ref/seek/vsynth2-asv1 +++ b/tests/ref/seek/vsynth2-asv1 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 17484 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 17484 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 776840 size: 18256 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 939696 size: 22704 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 305352 size: 16180 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 364636 size: 19476 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 595448 size: 17980 +ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 717284 size: 21768 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 135516 size: 14868 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 160544 size: 17672 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 404100 size: 16856 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 484496 size: 20396 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 17484 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 813396 size: 18296 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 985140 size: 22640 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 704136 size: 18140 +ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 849824 size: 22364 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.640000 
pts: 0.640000 pos: 241764 size: 15736 +ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos: 288188 size: 18920 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 17484 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 813396 size: 18296 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 985140 size: 22640 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 524488 size: 17548 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 631032 size: 21416 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 77020 size: 14496 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 90952 size: 17244 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 14316 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 17484 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 813396 size: 18296 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 985140 size: 22640 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 337808 size: 16388 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 403836 size: 20024 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 631584 size: 18188 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 761056 size: 22012 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 180212 size: 15168 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 214224 size: 18228 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-asv2 b/tests/ref/seek/vsynth2-asv2 index 7d37b7ac06..906c2358e4 100644 --- a/tests/ref/seek/vsynth2-asv2 
+++ b/tests/ref/seek/vsynth2-asv2 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 16584 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 16584 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 736152 size: 17340 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 891064 size: 21664 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 289708 size: 15300 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 343044 size: 18440 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 564140 size: 17016 +ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 678500 size: 20848 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 128564 size: 14052 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 151024 size: 16584 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 383244 size: 15896 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 456544 size: 19448 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 16584 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 770852 size: 17400 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 934400 size: 21624 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 667016 size: 17172 +ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 805248 size: 21364 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.640000 
pts: 0.640000 pos: 229388 size: 14956 +ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos: 271044 size: 17784 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 16584 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 770852 size: 17400 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 934400 size: 21624 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 496932 size: 16564 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 596008 size: 20456 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 73176 size: 13664 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 85924 size: 16152 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 13732 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5656 size: 16584 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 770852 size: 17400 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 934400 size: 21624 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 320444 size: 15592 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 380220 size: 18948 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 598288 size: 17180 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 720420 size: 21060 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 171012 size: 14392 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 201408 size: 17128 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-ffv1 b/tests/ref/seek/vsynth2-ffv1 index 715a27227c..153becbae1 100644 --- a/tests/ref/seek/vsynth2-ffv1 
+++ b/tests/ref/seek/vsynth2-ffv1 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71679 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71768 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71679 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71768 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos:2498334 size: 75937 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos:2589296 size: 81788 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:1630830 size: 72682 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:1666112 size: 77204 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos:2498334 size: 75937 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos:2589296 size: 81788 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 801262 size: 69457 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 808352 size: 70696 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:1630830 size: 72682 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:1666112 size: 77204 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71679 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71768 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:3392418 size: 77461 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:3550788 size: 83738 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:3392418 size: 77461 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:3550788 size: 83738 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 
pts: 0.480000 pos: 801262 size: 69457 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 808352 size: 70696 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71679 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71768 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:3392418 size: 77461 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:3550788 size: 83738 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos:2498334 size: 75937 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos:2589296 size: 81788 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71679 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71768 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71679 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5688 size: 71768 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:3392418 size: 77461 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:3550788 size: 83738 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:1630830 size: 72682 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos:1666112 size: 77204 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos:2498334 size: 75937 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos:2589296 size: 81788 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 801262 size: 69457 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 808352 size: 70696 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-flashsv b/tests/ref/seek/vsynth2-flashsv index 5c3dfbdfc5..82acde81d6 100644 --- a/tests/ref/seek/vsynth2-flashsv 
+++ b/tests/ref/seek/vsynth2-flashsv 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size:240757 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size:219405 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size:240757 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size:219405 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos:11605742 size:254053 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos:10902646 size:244577 ret: 0 st: 0 flags:0 ts: 0.788000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:4820497 size:245503 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:4458610 size:230521 ret:-1 st: 0 flags:1 ts:-0.317000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos:8811891 size:253041 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos:8234830 size:240794 ret: 0 st: 0 flags:0 ts: 0.365000 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: 0.400000 pos:2387432 size:241101 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: 0.400000 pos:2201083 size:221959 ret:-1 st: 0 flags:1 ts:-0.741000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos:6302814 size:248927 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos:5853907 size:235507 ret: 0 st: 0 flags:0 ts:-0.058000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size:240757 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size:219405 ret: 0 st: 0 flags:1 ts: 2.836000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:12114692 size:254237 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:11391906 size:244616 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.760000 pts: 1.760000 pos:10843556 size:253913 +ret: 0 st: 0 flags:1 dts: 1.760000 pts: 1.760000 pos:10170977 size:243403 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.600000 
pts: 0.600000 pos:3598785 size:243372 +ret: 0 st: 0 flags:1 dts: 0.600000 pts: 0.600000 pos:3319311 size:226082 ret: 0 st: 0 flags:0 ts:-0.482000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size:240757 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size:219405 ret: 0 st: 0 flags:1 ts: 2.413000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:12114692 size:254237 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:11391906 size:244616 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos:8053696 size:252195 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos:7515896 size:239079 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos:1187801 size:238567 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos:1098674 size:220236 ret: 0 st: 0 flags:0 ts:-0.905000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size:240757 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size:219405 ret: 0 st: 0 flags:1 ts: 1.989000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:12114692 size:254237 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:11391906 size:244616 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.920000 pts: 0.920000 pos:5559218 size:247341 +ret: 0 st: 0 flags:1 dts: 0.920000 pts: 0.920000 pos:5152576 size:233102 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.672000 ret: 0 st: 0 flags:1 ts: 1.566000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos:9572227 size:254219 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos:8958199 size:241837 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:2870233 size:242377 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:2645880 size:223865 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-flv b/tests/ref/seek/vsynth2-flv index 9542a3154d..ba2efdd1c9 100644 --- a/tests/ref/seek/vsynth2-flv 
+++ b/tests/ref/seek/vsynth2-flv 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 10380 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 12771 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 10380 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 12771 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83220 size: 12295 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108745 size: 16158 ret: 0 st: 0 flags:0 ts: 0.788000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 52565 size: 11127 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 67792 size: 14392 ret:-1 st: 0 flags:1 ts:-0.317000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83220 size: 12295 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108745 size: 16158 ret: 0 st: 0 flags:0 ts: 0.365000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 25940 size: 10089 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 32529 size: 12708 ret:-1 st: 0 flags:1 ts:-0.741000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 52565 size: 11127 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 67792 size: 14392 ret: 0 st: 0 flags:0 ts:-0.058000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 10380 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 12771 ret: 0 st: 0 flags:1 ts: 2.836000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 117138 size: 12730 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 155318 size: 17185 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 117138 size: 12730 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 155318 size: 17185 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 
pos: 25940 size: 10089 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 32529 size: 12708 ret: 0 st: 0 flags:0 ts:-0.482000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 10380 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 12771 ret: 0 st: 0 flags:1 ts: 2.413000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 117138 size: 12730 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 155318 size: 17185 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83220 size: 12295 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108745 size: 16158 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 10380 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 12771 ret: 0 st: 0 flags:0 ts:-0.905000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 10380 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 179 size: 12771 ret: 0 st: 0 flags:1 ts: 1.989000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 117138 size: 12730 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 155318 size: 17185 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 52565 size: 11127 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 67792 size: 14392 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.672000 ret: 0 st: 0 flags:1 ts: 1.566000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83220 size: 12295 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108745 size: 16158 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 25940 size: 10089 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 32529 size: 12708 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-h261 b/tests/ref/seek/vsynth2-h261 index 1789adc408..4aa0c43cc9 100644 --- a/tests/ref/seek/vsynth2-h261 +++ b/tests/ref/seek/vsynth2-h261 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9645 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11732 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9645 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11732 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 126502 size: 11377 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 168350 size: 14793 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 82060 size: 10322 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 106950 size: 13195 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 126502 size: 11377 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 168350 size: 14793 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 44666 size: 9404 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 55568 size: 11639 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 82060 size: 10322 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 106950 size: 13195 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9645 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11732 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 175870 size: 11707 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 237672 size: 15734 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 175870 size: 11707 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 237672 size: 15734 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 
0.480000 pos: 44666 size: 9404 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 55568 size: 11639 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9645 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11732 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 175870 size: 11707 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 237672 size: 15734 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 126502 size: 11377 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 168350 size: 14793 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9645 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11732 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9645 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11732 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 175870 size: 11707 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 237672 size: 15734 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 82060 size: 10322 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 106950 size: 13195 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 126502 size: 11377 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 168350 size: 14793 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 44666 size: 9404 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 55568 size: 11639 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-h263 b/tests/ref/seek/vsynth2-h263 index b92074fa0c..3e0c9245dd 100644 --- a/tests/ref/seek/vsynth2-h263 +++ b/tests/ref/seek/vsynth2-h263 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10381 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12772 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10381 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12772 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 103702 size: 12296 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 139428 size: 16159 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 66792 size: 11128 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 88646 size: 14393 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 103702 size: 12296 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 139428 size: 16159 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 36438 size: 10090 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 45784 size: 12709 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 66792 size: 11128 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 88646 size: 14393 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10381 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12772 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 144546 size: 12731 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 195658 size: 17186 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 144546 size: 12731 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 195658 size: 17186 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 
0.480000 pos: 36438 size: 10090 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 45784 size: 12709 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10381 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12772 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 144546 size: 12731 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 195658 size: 17186 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 103702 size: 12296 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 139428 size: 16159 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10381 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12772 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10381 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12772 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 144546 size: 12731 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 195658 size: 17186 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 66792 size: 11128 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 88646 size: 14393 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 103702 size: 12296 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 139428 size: 16159 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 36438 size: 10090 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 45784 size: 12709 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-h263p b/tests/ref/seek/vsynth2-h263p index 9d842a665c..673f412d49 100644 --- a/tests/ref/seek/vsynth2-h263p 
+++ b/tests/ref/seek/vsynth2-h263p 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 36208 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 43985 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 36208 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 43985 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 569926 size: 45151 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 733908 size: 56338 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 355976 size: 40907 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 448856 size: 50481 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 569926 size: 45151 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 733908 size: 56338 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 171042 size: 36515 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 210394 size: 43217 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 355976 size: 40907 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 448856 size: 50481 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 36208 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 43985 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 804366 size: 46411 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:1051592 size: 59232 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 804366 size: 46411 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:1051592 size: 59232 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 
pts: 0.480000 pos: 171042 size: 36515 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 210394 size: 43217 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 36208 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 43985 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 804366 size: 46411 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:1051592 size: 59232 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 569926 size: 45151 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 733908 size: 56338 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 36208 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 43985 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 36208 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 43985 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 804366 size: 46411 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos:1051592 size: 59232 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 355976 size: 40907 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 448856 size: 50481 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 569926 size: 45151 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 733908 size: 56338 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 171042 size: 36515 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 210394 size: 43217 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-huffyuv b/tests/ref/seek/vsynth2-huffyuv index 69a37f559b..a3e176b9ca 100644 --- a/tests/ref/seek/vsynth2-huffyuv 
+++ b/tests/ref/seek/vsynth2-huffyuv 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5724 size:129760 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5724 size:120468 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5724 size:129760 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5724 size:120468 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos:6069172 size:128520 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos:6010684 size:136724 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:2579612 size:129192 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:2445132 size:126464 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos:4778228 size:129424 +ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos:4658492 size:133884 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos:1160248 size:128504 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos:1085808 size:121284 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos:3355284 size:129424 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos:3211900 size:129428 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5724 size:129760 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5724 size:120468 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:6326124 size:128288 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:6284380 size:137136 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos:5553996 size:129016 +ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos:5466432 size:135664 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.640000 
pts: 0.640000 pos:2062492 size:129204 +ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos:1944388 size:124456 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5724 size:129760 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5724 size:120468 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:6326124 size:128288 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:6284380 size:137136 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos:4260860 size:129280 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos:4126904 size:132312 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 646908 size:128204 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 604036 size:120044 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5724 size:129760 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5724 size:120468 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:6326124 size:128288 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:6284380 size:137136 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos:2838068 size:129268 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos:2698592 size:127564 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos:5037024 size:129284 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos:4926660 size:134484 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:1546172 size:128860 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:1451012 size:122720 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-jpegls b/tests/ref/seek/vsynth2-jpegls index 3c0da21283..1b27a3654a 100644 --- a/tests/ref/seek/vsynth2-jpegls 
+++ b/tests/ref/seek/vsynth2-jpegls 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size:164074 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size:154766 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size:164074 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size:154766 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos:7804118 size:176295 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos:7767024 size:181048 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:3172780 size:164643 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:3057326 size:163405 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos:6052974 size:174097 +ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos:5971676 size:177984 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos:1402344 size:157283 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos:1334822 size:150568 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos:4170248 size:168401 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos:4056260 size:170347 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size:164074 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size:154766 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:8157016 size:176793 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:8129364 size:181472 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos:7101754 size:175326 +ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos:7045426 size:180307 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.640000 
pts: 0.640000 pos:2519260 size:162522 +ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos:2414840 size:159022 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size:164074 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size:154766 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:8157016 size:176793 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:8129364 size:181472 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos:5360818 size:172183 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos:5265990 size:175400 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 779834 size:154579 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 742066 size:147109 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size:164074 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size:154766 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:8157016 size:176793 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:8129364 size:181472 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos:3502828 size:166017 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos:3385508 size:165810 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos:6401452 size:174815 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos:6328220 size:178473 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:1876416 size:159659 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:1789916 size:154383 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-ljpeg b/tests/ref/seek/vsynth2-ljpeg index 92264c9c4e..47f64c6dda 100644 --- a/tests/ref/seek/vsynth2-ljpeg 
+++ b/tests/ref/seek/vsynth2-ljpeg 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 96069 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 86580 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 96069 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 86580 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos:4481864 size: 94870 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos:4406068 size:102731 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:1902318 size: 95465 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos:1761620 size: 92236 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos:3527724 size: 95724 +ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos:3394414 size: 99800 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 854944 size: 94635 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 778564 size: 87118 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos:2475566 size: 95649 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos:2323284 size: 95279 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 96069 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 86580 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:4671498 size: 94595 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:4611786 size:103108 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos:4101338 size: 95353 +ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos:3997920 size:101607 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.640000 
pts: 0.640000 pos:1520284 size: 95410 +ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos:1397770 size: 90251 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 96069 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 86580 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:4671498 size: 94595 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:4611786 size:103108 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos:3145114 size: 95587 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos:2999316 size: 98183 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 477226 size: 94261 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 433426 size: 85897 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 96069 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 86580 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:4671498 size: 94595 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos:4611786 size:103108 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos:2093302 size: 95528 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos:1946636 size: 93348 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos:3719126 size: 95615 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos:3594390 size:100410 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:1139238 size: 95032 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos:1041206 size: 88501 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mjpeg b/tests/ref/seek/vsynth2-mjpeg index 59db09a53f..6072ddfb97 100644 --- a/tests/ref/seek/vsynth2-mjpeg 
+++ b/tests/ref/seek/vsynth2-mjpeg 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12096 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14531 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12096 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14531 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 627854 size: 14811 +ret: 0 st: 0 flags:1 dts: 1.880000 pts: 1.880000 pos: 771990 size: 19172 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 247488 size: 12959 +ret: 0 st: 0 flags:1 dts: 0.800000 pts: 0.800000 pos: 294112 size: 15816 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 480758 size: 14528 +ret: 0 st: 0 flags:1 dts: 1.480000 pts: 1.480000 pos: 584836 size: 18250 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 111000 size: 11927 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 0.360000 pos: 130062 size: 14140 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 326672 size: 13489 +ret: 0 st: 0 flags:1 dts: 1.040000 pts: 1.040000 pos: 391598 size: 16843 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12096 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14531 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 657522 size: 14881 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 810344 size: 19135 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 568652 size: 14746 +ret: 0 st: 0 flags:1 dts: 1.720000 pts: 1.720000 pos: 696224 size: 18821 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.640000 
pts: 0.640000 pos: 196416 size: 12719 +ret: 0 st: 0 flags:1 dts: 0.640000 pts: 0.640000 pos: 232462 size: 15159 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12096 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14531 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 657522 size: 14881 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 810344 size: 19135 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 423482 size: 14119 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: 1.320000 pos: 512664 size: 17924 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 63860 size: 11714 +ret: 0 st: 0 flags:1 dts: 0.200000 pts: 0.200000 pos: 74366 size: 13812 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 12096 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14531 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 657522 size: 14881 +ret: 0 st: 0 flags:1 dts: 1.960000 pts: 1.960000 pos: 810344 size: 19135 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 273508 size: 13131 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: 0.880000 pos: 325950 size: 16219 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 509926 size: 14597 +ret: 0 st: 0 flags:1 dts: 1.560000 pts: 1.560000 pos: 621546 size: 18498 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 146958 size: 12168 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 173092 size: 14609 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg1 b/tests/ref/seek/vsynth2-mpeg1 index a85055a270..52eef058ae 100644 --- a/tests/ref/seek/vsynth2-mpeg1 
+++ b/tests/ref/seek/vsynth2-mpeg1 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 0 size: 9779 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 0 size: 11963 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9779 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11963 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 124245 size: 11796 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 168537 size: 15165 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 76694 size: 10792 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 103348 size: 13767 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 124245 size: 11796 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 168537 size: 15165 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 37721 size: 9873 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 48976 size: 12270 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 76694 size: 10792 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 103348 size: 13767 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9779 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11963 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 177089 size: 12057 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 240894 size: 16003 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 177089 size: 12057 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 240894 size: 16003 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 37721 size: 9873 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS 
pos: 48976 size: 12270 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9779 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11963 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 177089 size: 12057 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 240894 size: 16003 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 124245 size: 11796 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 168537 size: 15165 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9779 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11963 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9779 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11963 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 177089 size: 12057 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 240894 size: 16003 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 76694 size: 10792 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 103348 size: 13767 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 124245 size: 11796 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 168537 size: 15165 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 37721 size: 9873 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 48976 size: 12270 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg1b b/tests/ref/seek/vsynth2-mpeg1b index 3b0b084a74..6e3af809f3 100644 --- a/tests/ref/seek/vsynth2-mpeg1b +++ b/tests/ref/seek/vsynth2-mpeg1b 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 0 size: 11817 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 0 size: 14617 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11817 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 14617 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.800000 pts: NOPTS pos: 194420 size: 14837 +ret: 0 st: 0 flags:1 dts: 1.800000 pts: NOPTS pos: 255467 size: 19667 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.840000 pts: NOPTS pos: 80757 size: 13267 +ret: 0 st: 0 flags:1 dts: 0.840000 pts: NOPTS pos: 101700 size: 16809 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: NOPTS pos: 133899 size: 14470 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: NOPTS pos: 172617 size: 18608 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: NOPTS pos: 34797 size: 12009 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: NOPTS pos: 43550 size: 14859 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.840000 pts: NOPTS pos: 80757 size: 13267 +ret: 0 st: 0 flags:1 dts: 0.840000 pts: NOPTS pos: 101700 size: 16809 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11817 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 14617 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.800000 pts: NOPTS pos: 194420 size: 14837 +ret: 0 st: 0 flags:1 dts: 1.800000 pts: NOPTS pos: 255467 size: 19667 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.800000 pts: NOPTS pos: 194420 size: 14837 +ret: 0 st: 0 flags:1 dts: 1.800000 pts: NOPTS pos: 255467 size: 19667 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.360000 pts: NOPTS pos: 34797 size: 12009 +ret: 0 st: 0 flags:1 dts: 0.360000 pts: 
NOPTS pos: 43550 size: 14859 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11817 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 14617 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.800000 pts: NOPTS pos: 194420 size: 14837 +ret: 0 st: 0 flags:1 dts: 1.800000 pts: NOPTS pos: 255467 size: 19667 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: NOPTS pos: 133899 size: 14470 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: NOPTS pos: 172617 size: 18608 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11817 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 14617 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11817 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 14617 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.800000 pts: NOPTS pos: 194420 size: 14837 +ret: 0 st: 0 flags:1 dts: 1.800000 pts: NOPTS pos: 255467 size: 19667 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: NOPTS pos: 133899 size: 14470 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: NOPTS pos: 172617 size: 18608 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.320000 pts: NOPTS pos: 133899 size: 14470 +ret: 0 st: 0 flags:1 dts: 1.320000 pts: NOPTS pos: 172617 size: 18608 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.840000 pts: NOPTS pos: 80757 size: 13267 +ret: 0 st: 0 flags:1 dts: 0.840000 pts: NOPTS pos: 101700 size: 16809 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg2-422 b/tests/ref/seek/vsynth2-mpeg2-422 index f07a93cb88..d2a79baa06 100644 --- a/tests/ref/seek/vsynth2-mpeg2-422 +++ b/tests/ref/seek/vsynth2-mpeg2-422 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17509 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 19047 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17509 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 19047 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 325187 size: 19948 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 349153 size: 20638 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 200760 size: 22587 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 231235 size: 21776 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 265500 size: 21341 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 291308 size: 22619 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 104466 size: 28996 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 128388 size: 34098 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 200760 size: 22587 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 231235 size: 21776 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17509 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 19047 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 325187 size: 19948 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 349153 size: 20638 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 325187 size: 19948 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 349153 size: 20638 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 104466 size: 28996 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: 
NOPTS pos: 128388 size: 34098 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17509 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 19047 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 325187 size: 19948 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 349153 size: 20638 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 265500 size: 21341 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 291308 size: 22619 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17509 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 19047 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17509 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 19047 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 325187 size: 19948 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 349153 size: 20638 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 200760 size: 22587 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 231235 size: 21776 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 265500 size: 21341 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 291308 size: 22619 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 200760 size: 22587 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 231235 size: 21776 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg2-idct-int b/tests/ref/seek/vsynth2-mpeg2-idct-int index 8086c9c36a..0b369e2498 100644 --- a/tests/ref/seek/vsynth2-mpeg2-idct-int +++ b/tests/ref/seek/vsynth2-mpeg2-idct-int 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9923 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12092 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9923 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12092 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 127961 size: 11930 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 172048 size: 15287 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 79127 size: 10921 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 105687 size: 13892 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 127961 size: 11930 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 172048 size: 15287 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 39004 size: 9997 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 50238 size: 12392 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 79127 size: 10921 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 105687 size: 13892 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9923 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12092 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 182186 size: 12195 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 245946 size: 16133 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 182186 size: 12195 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 245946 size: 16133 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 39004 size: 9997 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 
50238 size: 12392 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9923 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12092 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 182186 size: 12195 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 245946 size: 16133 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 127961 size: 11930 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 172048 size: 15287 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9923 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12092 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9923 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12092 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 182186 size: 12195 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 245946 size: 16133 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 79127 size: 10921 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 105687 size: 13892 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 127961 size: 11930 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 172048 size: 15287 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 39004 size: 9997 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 50238 size: 12392 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg2-ilace b/tests/ref/seek/vsynth2-mpeg2-ilace index 824f8ada95..590d10d3a9 100644 --- a/tests/ref/seek/vsynth2-mpeg2-ilace +++ b/tests/ref/seek/vsynth2-mpeg2-ilace 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 132643 size: 11982 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 177672 size: 15343 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 82176 size: 10977 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 109003 size: 13947 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 132643 size: 11982 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 177672 size: 15343 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 40558 size: 10057 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 51717 size: 12445 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 82176 size: 10977 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 109003 size: 13947 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 188477 size: 12244 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 253343 size: 16183 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 188477 size: 12244 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 253343 size: 16183 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 40558 size: 10057 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 
51717 size: 12445 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 188477 size: 12244 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 253343 size: 16183 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 132643 size: 11982 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 177672 size: 15343 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 188477 size: 12244 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: NOPTS pos: 253343 size: 16183 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 82176 size: 10977 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: NOPTS pos: 109003 size: 13947 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 132643 size: 11982 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: NOPTS pos: 177672 size: 15343 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 40558 size: 10057 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: NOPTS pos: 51717 size: 12445 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg2-ivlc-qprd b/tests/ref/seek/vsynth2-mpeg2-ivlc-qprd index a65dee8ddd..9b6174f2db 100644 --- a/tests/ref/seek/vsynth2-mpeg2-ivlc-qprd +++ b/tests/ref/seek/vsynth2-mpeg2-ivlc-qprd 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 16251 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17896 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 16251 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17896 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 227553 size: 12737 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 253840 size: 12176 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 164191 size: 13933 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 192257 size: 13312 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 196718 size: 13170 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 223884 size: 13628 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 98760 size: 29177 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 119729 size: 33112 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 164191 size: 13933 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 192257 size: 13312 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 16251 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17896 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 227553 size: 12737 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 253840 size: 12176 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 227553 size: 12737 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 253840 size: 12176 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 98760 size: 29177 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS 
pos: 119729 size: 33112 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 16251 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17896 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 227553 size: 12737 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 253840 size: 12176 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 196718 size: 13170 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 223884 size: 13628 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 16251 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17896 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 16251 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 17896 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 227553 size: 12737 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 253840 size: 12176 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 164191 size: 13933 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 192257 size: 13312 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 196718 size: 13170 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 223884 size: 13628 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 164191 size: 13933 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 192257 size: 13312 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg2-thread b/tests/ref/seek/vsynth2-mpeg2-thread index d66fd875f5..644513bf8c 100644 --- a/tests/ref/seek/vsynth2-mpeg2-thread +++ b/tests/ref/seek/vsynth2-mpeg2-thread 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 158273 size: 12244 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 201811 size: 16183 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 67814 size: 10977 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 83616 size: 13947 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 110366 size: 11982 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 138764 size: 15343 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 30759 size: 10057 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 37634 size: 12445 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 67814 size: 10977 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 83616 size: 13947 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 158273 size: 12244 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 201811 size: 16183 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 158273 size: 12244 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 201811 size: 16183 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 30759 size: 10057 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 
37634 size: 12445 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 158273 size: 12244 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 201811 size: 16183 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 110366 size: 11982 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 138764 size: 15343 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9973 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 12146 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 158273 size: 12244 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 201811 size: 16183 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 67814 size: 10977 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 83616 size: 13947 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 110366 size: 11982 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 138764 size: 15343 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 67814 size: 10977 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 83616 size: 13947 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg2-thread-ivlc b/tests/ref/seek/vsynth2-mpeg2-thread-ivlc index 6f6ff7af61..a799f0a782 100644 --- a/tests/ref/seek/vsynth2-mpeg2-thread-ivlc +++ b/tests/ref/seek/vsynth2-mpeg2-thread-ivlc 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9966 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11855 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9966 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11855 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 157726 size: 11942 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 199749 size: 15473 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 67747 size: 10803 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 82883 size: 13398 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 110116 size: 11709 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 137402 size: 14693 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 30756 size: 9992 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 37332 size: 12068 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 67747 size: 10803 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 82883 size: 13398 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9966 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11855 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 157726 size: 11942 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 199749 size: 15473 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 157726 size: 11942 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 199749 size: 15473 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 30756 size: 9992 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 
37332 size: 12068 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9966 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11855 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 157726 size: 11942 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 199749 size: 15473 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 110116 size: 11709 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 137402 size: 14693 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9966 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11855 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 9966 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 0 size: 11855 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 157726 size: 11942 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 199749 size: 15473 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 67747 size: 10803 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 82883 size: 13398 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 110116 size: 11709 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 137402 size: 14693 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 67747 size: 10803 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 82883 size: 13398 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg4 b/tests/ref/seek/vsynth2-mpeg4 index 0600ed0273..36ba46c06c 100644 --- a/tests/ref/seek/vsynth2-mpeg4 +++ b/tests/ref/seek/vsynth2-mpeg4 
@@ -1,50 +1,50 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 8719 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 10965 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 8719 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 10965 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 75140 size: 10776 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98347 size: 14396 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 47228 size: 9634 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 60954 size: 12631 ret: 0 st: 0 flags:1 ts:-0.320000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 8719 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 10965 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 75140 size: 10776 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98347 size: 14396 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 23271 size: 8524 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29166 size: 10862 ret: 0 st: 0 flags:1 ts:-0.760000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 8719 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 10965 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 47228 size: 9634 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 60954 size: 12631 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 8719 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 10965 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 106167 size: 11182 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 141019 size: 15358 
ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 106167 size: 11182 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 141019 size: 15358 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 23271 size: 8524 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29166 size: 10862 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 8719 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 10965 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 106167 size: 11182 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 141019 size: 15358 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 75140 size: 10776 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98347 size: 14396 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 8719 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 10965 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 8719 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 10965 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 106167 size: 11182 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 141019 size: 15358 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 47228 size: 9634 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 60954 size: 12631 ret: 0 st:-1 flags:1 ts:-0.222493 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 8719 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 10965 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 75140 size: 10776 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98347 size: 14396 ret: 0 
st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 23271 size: 8524 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29166 size: 10862 ret: 0 st:-1 flags:1 ts:-0.645825 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 8719 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 44 size: 10965 diff --git a/tests/ref/seek/vsynth2-mpeg4-adap b/tests/ref/seek/vsynth2-mpeg4-adap index 87b80ccb46..152d020ff3 100644 --- a/tests/ref/seek/vsynth2-mpeg4-adap +++ b/tests/ref/seek/vsynth2-mpeg4-adap 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6855 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6951 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6855 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6951 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 174444 size: 16883 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 189122 size: 18125 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 98216 size: 17063 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 114966 size: 16429 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 135586 size: 17525 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 151228 size: 18225 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 59442 size: 17261 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 73890 size: 20238 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 98216 size: 17063 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 114966 size: 16429 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6855 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6951 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 174444 size: 16883 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 189122 size: 18125 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 174444 size: 16883 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 189122 size: 18125 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 59442 size: 17261 +ret: 0 st: 0 flags:1 dts: 0.400000 
pts: NOPTS pos: 73890 size: 20238 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6855 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6951 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 174444 size: 16883 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 189122 size: 18125 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 135586 size: 17525 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 151228 size: 18225 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6855 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6951 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6855 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 6951 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 174444 size: 16883 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 189122 size: 18125 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 98216 size: 17063 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 114966 size: 16429 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 135586 size: 17525 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 151228 size: 18225 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 98216 size: 17063 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 114966 size: 16429 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg4-adv b/tests/ref/seek/vsynth2-mpeg4-adv index 676586440a..06d88ae796 100644 --- a/tests/ref/seek/vsynth2-mpeg4-adv +++ b/tests/ref/seek/vsynth2-mpeg4-adv 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8653 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10951 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8653 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10951 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 91718 size: 11013 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 118586 size: 14495 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 59492 size: 9815 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 75418 size: 12802 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 91718 size: 11013 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 118586 size: 14495 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 31932 size: 8753 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 38714 size: 11015 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 59492 size: 9815 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 75418 size: 12802 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8653 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10951 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 127612 size: 11279 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 168206 size: 15537 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 127612 size: 11279 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 168206 size: 15537 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 
pos: 31932 size: 8753 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 38714 size: 11015 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8653 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10951 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 127612 size: 11279 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 168206 size: 15537 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 91718 size: 11013 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 118586 size: 14495 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8653 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10951 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8653 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10951 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 127612 size: 11279 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 168206 size: 15537 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 59492 size: 9815 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 75418 size: 12802 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 91718 size: 11013 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 118586 size: 14495 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 31932 size: 8753 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 38714 size: 11015 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg4-error b/tests/ref/seek/vsynth2-mpeg4-error index 322bcabdb3..45550476b1 100644 --- a/tests/ref/seek/vsynth2-mpeg4-error 
+++ b/tests/ref/seek/vsynth2-mpeg4-error 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9564 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14897 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9564 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14897 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 113130 size: 12795 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 158910 size: 19939 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 71648 size: 11680 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 100670 size: 17313 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 113130 size: 12795 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 158910 size: 19939 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 36770 size: 10310 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 50630 size: 14739 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 71648 size: 11680 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 100670 size: 17313 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9564 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14897 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 159358 size: 13895 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 226622 size: 19001 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 159358 size: 13895 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 226622 size: 19001 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 
0.480000 pos: 36770 size: 10310 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 50630 size: 14739 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9564 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14897 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 159358 size: 13895 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 226622 size: 19001 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 113130 size: 12795 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 158910 size: 19939 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9564 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14897 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9564 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 14897 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 159358 size: 13895 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 226622 size: 19001 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 71648 size: 11680 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 100670 size: 17313 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 113130 size: 12795 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 158910 size: 19939 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 36770 size: 10310 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 50630 size: 14739 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg4-nr b/tests/ref/seek/vsynth2-mpeg4-nr index 5273ae1862..e0abfe8544 100644 --- a/tests/ref/seek/vsynth2-mpeg4-nr 
+++ b/tests/ref/seek/vsynth2-mpeg4-nr 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10673 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 13402 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10673 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 13402 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 100628 size: 12464 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 130650 size: 16609 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 65468 size: 11181 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 83222 size: 14678 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 100628 size: 12464 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 130650 size: 16609 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35300 size: 9987 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 42834 size: 12656 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 65468 size: 11181 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 83222 size: 14678 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10673 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 13402 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139412 size: 12911 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 184792 size: 17684 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139412 size: 12911 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 184792 size: 17684 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 
0.480000 pos: 35300 size: 9987 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 42834 size: 12656 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10673 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 13402 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139412 size: 12911 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 184792 size: 17684 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 100628 size: 12464 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 130650 size: 16609 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10673 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 13402 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10673 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 13402 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139412 size: 12911 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 184792 size: 17684 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 65468 size: 11181 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 83222 size: 14678 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 100628 size: 12464 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 130650 size: 16609 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35300 size: 9987 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 42834 size: 12656 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg4-qpel b/tests/ref/seek/vsynth2-mpeg4-qpel index 195fb3001d..6f23d126ab 100644 --- a/tests/ref/seek/vsynth2-mpeg4-qpel 
+++ b/tests/ref/seek/vsynth2-mpeg4-qpel 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 11942 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15135 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 11942 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15135 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 141518 size: 15562 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 180366 size: 21181 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 64104 size: 13382 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 79512 size: 17332 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 100356 size: 15057 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 126396 size: 19941 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 32806 size: 11813 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 39736 size: 14805 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 64104 size: 13382 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 79512 size: 17332 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 11942 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15135 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 141518 size: 15562 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 180366 size: 21181 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 141518 size: 15562 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 180366 size: 21181 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 32806 size: 11813 +ret: 0 st: 0 flags:1 dts: 
0.400000 pts: NOPTS pos: 39736 size: 14805 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 11942 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15135 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 141518 size: 15562 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 180366 size: 21181 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 100356 size: 15057 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 126396 size: 19941 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 11942 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15135 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 11942 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15135 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 141518 size: 15562 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 180366 size: 21181 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 64104 size: 13382 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 79512 size: 17332 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 100356 size: 15057 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 126396 size: 19941 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 64104 size: 13382 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 79512 size: 17332 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg4-qprd b/tests/ref/seek/vsynth2-mpeg4-qprd index 4c3c7f501e..675e993a9b 100644 --- a/tests/ref/seek/vsynth2-mpeg4-qprd +++ b/tests/ref/seek/vsynth2-mpeg4-qprd 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14873 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 16904 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14873 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 16904 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 211020 size: 14638 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 228068 size: 15339 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 150654 size: 14502 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 169864 size: 14172 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 180770 size: 14371 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 198340 size: 15560 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 93024 size: 29366 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 111330 size: 29024 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 150654 size: 14502 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 169864 size: 14172 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14873 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 16904 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 211020 size: 14638 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 228068 size: 15339 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 211020 size: 14638 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 228068 size: 15339 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 93024 size: 29366 +ret: 0 st: 0 flags:1 dts: 
0.400000 pts: NOPTS pos: 111330 size: 29024 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14873 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 16904 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 211020 size: 14638 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 228068 size: 15339 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 180770 size: 14371 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 198340 size: 15560 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14873 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 16904 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14873 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 16904 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 211020 size: 14638 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 228068 size: 15339 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 150654 size: 14502 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 169864 size: 14172 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 180770 size: 14371 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 198340 size: 15560 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 150654 size: 14502 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 169864 size: 14172 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg4-rc b/tests/ref/seek/vsynth2-mpeg4-rc index 5c96c78cdc..21aca4c8ae 100644 --- a/tests/ref/seek/vsynth2-mpeg4-rc +++ b/tests/ref/seek/vsynth2-mpeg4-rc 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15766 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 20139 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15766 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 20139 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 207956 size: 13826 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 236670 size: 14086 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 153800 size: 13382 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 185808 size: 12662 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 180948 size: 13326 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 210456 size: 14427 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 94582 size: 32807 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 114894 size: 39545 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 153800 size: 13382 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 185808 size: 12662 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15766 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 20139 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 207956 size: 13826 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 236670 size: 14086 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 207956 size: 13826 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 236670 size: 14086 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 94582 size: 32807 +ret: 0 st: 0 flags:1 dts: 
0.400000 pts: NOPTS pos: 114894 size: 39545 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15766 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 20139 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 207956 size: 13826 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 236670 size: 14086 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 180948 size: 13326 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 210456 size: 14427 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15766 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 20139 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 15766 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 20139 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 207956 size: 13826 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 236670 size: 14086 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 153800 size: 13382 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 185808 size: 12662 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 180948 size: 13326 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 210456 size: 14427 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 153800 size: 13382 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 185808 size: 12662 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-mpeg4-thread b/tests/ref/seek/vsynth2-mpeg4-thread index 8c4f663184..2b0f0d310c 100644 --- a/tests/ref/seek/vsynth2-mpeg4-thread +++ b/tests/ref/seek/vsynth2-mpeg4-thread 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14874 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 18099 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14874 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 18099 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 228210 size: 16324 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 247612 size: 15696 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 162150 size: 16475 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 186128 size: 14685 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 195320 size: 16136 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 215778 size: 16807 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 97832 size: 33332 +ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 117134 size: 37486 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 162150 size: 16475 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 186128 size: 14685 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14874 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 18099 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 228210 size: 16324 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 247612 size: 15696 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 228210 size: 16324 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 247612 size: 15696 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.400000 pts: NOPTS pos: 97832 size: 33332 +ret: 0 st: 0 flags:1 dts: 
0.400000 pts: NOPTS pos: 117134 size: 37486 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14874 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 18099 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 228210 size: 16324 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 247612 size: 15696 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 195320 size: 16136 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 215778 size: 16807 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14874 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 18099 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 14874 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: NOPTS pos: 5648 size: 18099 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 228210 size: 16324 +ret: 0 st: 0 flags:1 dts: 1.840000 pts: NOPTS pos: 247612 size: 15696 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 162150 size: 16475 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 186128 size: 14685 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 195320 size: 16136 +ret: 0 st: 0 flags:1 dts: 1.360000 pts: NOPTS pos: 215778 size: 16807 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 162150 size: 16475 +ret: 0 st: 0 flags:1 dts: 0.880000 pts: NOPTS pos: 186128 size: 14685 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-msmpeg4 b/tests/ref/seek/vsynth2-msmpeg4 index 323f96a959..c2a708166a 100644 --- a/tests/ref/seek/vsynth2-msmpeg4 +++ b/tests/ref/seek/vsynth2-msmpeg4 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8637 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10925 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8637 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10925 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 82508 size: 10783 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 107648 size: 14494 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 53846 size: 9624 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 68772 size: 12670 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 82508 size: 10783 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 107648 size: 14494 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29388 size: 8502 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35828 size: 10859 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 53846 size: 9624 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 68772 size: 12670 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8637 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10925 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 114264 size: 11180 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 152100 size: 15457 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 114264 size: 11180 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 152100 size: 15457 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 
pos: 29388 size: 8502 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35828 size: 10859 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8637 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10925 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 114264 size: 11180 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 152100 size: 15457 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 82508 size: 10783 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 107648 size: 14494 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8637 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10925 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8637 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 10925 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 114264 size: 11180 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 152100 size: 15457 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 53846 size: 9624 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 68772 size: 12670 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 82508 size: 10783 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 107648 size: 14494 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29388 size: 8502 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35828 size: 10859 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-msmpeg4v2 b/tests/ref/seek/vsynth2-msmpeg4v2 index 177898ebac..bf992fdc3a 100644 --- a/tests/ref/seek/vsynth2-msmpeg4v2 
+++ b/tests/ref/seek/vsynth2-msmpeg4v2 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9003 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11321 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9003 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11321 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83870 size: 11165 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108682 size: 14845 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 54778 size: 10010 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 69622 size: 13068 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83870 size: 11165 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108682 size: 14845 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29770 size: 8869 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 36266 size: 11274 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 54778 size: 10010 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 69622 size: 13068 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9003 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11321 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 116100 size: 11578 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 153222 size: 15792 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 116100 size: 11578 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 153222 size: 15792 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 
pos: 29770 size: 8869 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 36266 size: 11274 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9003 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11321 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 116100 size: 11578 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 153222 size: 15792 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83870 size: 11165 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108682 size: 14845 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9003 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11321 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 9003 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11321 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 116100 size: 11578 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 153222 size: 15792 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 54778 size: 10010 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 69622 size: 13068 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83870 size: 11165 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108682 size: 14845 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29770 size: 8869 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 36266 size: 11274 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-roqvideo b/tests/ref/seek/vsynth2-roqvideo index d003a37404..6ed78b54ed 100644 --- a/tests/ref/seek/vsynth2-roqvideo 
+++ b/tests/ref/seek/vsynth2-roqvideo @@ -1,4 +1,4 @@ -ret: 0 st: 0 flags:0 dts: 0.000000 pts: 0.000000 pos: 24 size: 26082 +ret: 0 st: 0 flags:0 dts: 0.000000 pts: 0.000000 pos: 24 size: 25810 ret:-1 st:-1 flags:0 ts:-1.000000 ret:-1 st:-1 flags:1 ts: 1.894167 ret:-1 st: 0 flags:0 ts: 0.800000 diff --git a/tests/ref/seek/vsynth2-rv10 b/tests/ref/seek/vsynth2-rv10 index 123b03c1cc..e31a7f9f10 100644 --- a/tests/ref/seek/vsynth2-rv10 +++ b/tests/ref/seek/vsynth2-rv10 
@@ -1,53 +1,52 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 10388 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 12779 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 10388 -ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98608 size: 12303 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 12779 +ret:-1 st:-1 flags:1 ts: 1.894167 ret: 0 st: 0 flags:0 ts: 0.788000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 61592 size: 11135 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 83441 size: 14400 ret: 0 st: 0 flags:1 ts:-0.317000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 10388 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 12779 ret: 0 st:-1 flags:0 ts: 2.576668 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139556 size: 12738 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 190667 size: 17194 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98608 size: 12303 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 134324 size: 16167 ret: 0 st: 0 flags:0 ts: 0.365000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 31132 size: 10097 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 40479 size: 12716 ret: 0 st: 0 flags:1 ts:-0.741000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 10388 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 12779 ret: 0 st:-1 flags:0 ts: 2.153336 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139556 size: 12738 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 190667 size: 17194 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 61592 size: 11135 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 83441 size: 14400 ret: 0 st: 0 flags:0 ts:-0.058000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 
pos: 239 size: 10388 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 12779 ret: 0 st: 0 flags:1 ts: 2.836000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139556 size: 12738 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 190667 size: 17194 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139556 size: 12738 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 190667 size: 17194 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 31132 size: 10097 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 40479 size: 12716 ret: 0 st: 0 flags:0 ts:-0.482000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 10388 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 12779 ret: 0 st: 0 flags:1 ts: 2.413000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139556 size: 12738 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 190667 size: 17194 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98608 size: 12303 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 134324 size: 16167 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 10388 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 12779 ret: 0 st: 0 flags:0 ts:-0.905000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 10388 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 12779 ret: 0 st: 0 flags:1 ts: 1.989000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139556 size: 12738 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 190667 size: 17194 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 61592 size: 11135 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 83441 size: 14400 ret: 0 st:-1 flags:1 ts:-0.222493 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 10388 +ret: 
0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 12779 ret: 0 st: 0 flags:0 ts: 2.672000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139556 size: 12738 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 190667 size: 17194 ret: 0 st: 0 flags:1 ts: 1.566000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98608 size: 12303 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 134324 size: 16167 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 31132 size: 10097 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 40479 size: 12716 ret: 0 st:-1 flags:1 ts:-0.645825 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 10388 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 12779 diff --git a/tests/ref/seek/vsynth2-rv20 b/tests/ref/seek/vsynth2-rv20 index f2b24e300e..0a69c7165e 100644 --- a/tests/ref/seek/vsynth2-rv20 +++ b/tests/ref/seek/vsynth2-rv20 
@@ -1,53 +1,53 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 9361 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 11720 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 9361 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 11720 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98158 size: 11344 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 134767 size: 14896 ret: 0 st: 0 flags:0 ts: 0.788000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 61133 size: 10166 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 83421 size: 13120 ret: 0 st: 0 flags:1 ts:-0.317000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 9361 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 11720 ret: 0 st:-1 flags:0 ts: 2.576668 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139145 size: 11803 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 191423 size: 15859 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98158 size: 11344 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 134767 size: 14896 ret: 0 st: 0 flags:0 ts: 0.365000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 30753 size: 9101 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 40479 size: 11414 ret: 0 st: 0 flags:1 ts:-0.741000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 9361 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 11720 ret: 0 st:-1 flags:0 ts: 2.153336 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139145 size: 11803 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 191423 size: 15859 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 61133 size: 10166 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 83421 size: 13120 ret: 0 st: 0 flags:0 ts:-0.058000 -ret: 0 st: 0 
flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 9361 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 11720 ret: 0 st: 0 flags:1 ts: 2.836000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139145 size: 11803 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 191423 size: 15859 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139145 size: 11803 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 191423 size: 15859 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 30753 size: 9101 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 40479 size: 11414 ret: 0 st: 0 flags:0 ts:-0.482000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 9361 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 11720 ret: 0 st: 0 flags:1 ts: 2.413000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139145 size: 11803 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 191423 size: 15859 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98158 size: 11344 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 134767 size: 14896 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 9361 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 11720 ret: 0 st: 0 flags:0 ts:-0.905000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 9361 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 11720 ret: 0 st: 0 flags:1 ts: 1.989000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139145 size: 11803 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 191423 size: 15859 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 61133 size: 10166 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 83421 size: 13120 ret: 0 st:-1 flags:1 ts:-0.222493 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 
0.000000 pos: 239 size: 9361 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 11720 ret: 0 st: 0 flags:0 ts: 2.672000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 139145 size: 11803 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 191423 size: 15859 ret: 0 st: 0 flags:1 ts: 1.566000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 98158 size: 11344 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 134767 size: 14896 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 30753 size: 9101 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 40479 size: 11414 ret: 0 st:-1 flags:1 ts:-0.645825 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 9361 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 239 size: 11720 diff --git a/tests/ref/seek/vsynth2-svq1 b/tests/ref/seek/vsynth2-svq1 index 17bb99e618..5b90ec8049 100644 --- a/tests/ref/seek/vsynth2-svq1 +++ b/tests/ref/seek/vsynth2-svq1 
@@ -1,50 +1,50 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 22300 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 25188 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 22300 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 25188 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 517568 size: 25636 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 630104 size: 31344 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 326556 size: 23552 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 392428 size: 28568 ret: 0 st: 0 flags:1 ts:-0.320000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 22300 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 25188 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 517568 size: 25636 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 630104 size: 31344 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 157040 size: 21896 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 185116 size: 25544 ret: 0 st: 0 flags:1 ts:-0.760000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 22300 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 25188 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 326556 size: 23552 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 392428 size: 28568 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 22300 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 25188 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 722804 size: 25888 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 
886184 size: 32128 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 722804 size: 25888 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 886184 size: 32128 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 157040 size: 21896 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 185116 size: 25544 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 22300 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 25188 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 722804 size: 25888 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 886184 size: 32128 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 517568 size: 25636 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 630104 size: 31344 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 22300 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 25188 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 22300 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 25188 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 722804 size: 25888 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 886184 size: 32128 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 326556 size: 23552 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 392428 size: 28568 ret: 0 st:-1 flags:1 ts:-0.222493 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 22300 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 25188 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 517568 size: 25636 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 
pos: 630104 size: 31344 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 157040 size: 21896 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 185116 size: 25544 ret: 0 st:-1 flags:1 ts:-0.645825 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 22300 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 36 size: 25188 diff --git a/tests/ref/seek/vsynth2-wmv1 b/tests/ref/seek/vsynth2-wmv1 index 85465b37a5..47b79b80ee 100644 --- a/tests/ref/seek/vsynth2-wmv1 +++ b/tests/ref/seek/vsynth2-wmv1 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8990 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11126 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8990 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11126 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83742 size: 11099 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108444 size: 14988 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 54758 size: 9931 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 69132 size: 13137 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83742 size: 11099 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108444 size: 14988 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29794 size: 8796 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35874 size: 11167 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 54758 size: 9931 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 69132 size: 13137 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8990 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11126 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 115812 size: 11487 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 153546 size: 15956 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 115812 size: 11487 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 153546 size: 15956 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 
pos: 29794 size: 8796 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35874 size: 11167 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8990 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11126 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 115812 size: 11487 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 153546 size: 15956 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83742 size: 11099 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108444 size: 14988 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8990 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11126 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 8990 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5648 size: 11126 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 115812 size: 11487 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 153546 size: 15956 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 54758 size: 9931 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 69132 size: 13137 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83742 size: 11099 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 108444 size: 14988 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29794 size: 8796 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35874 size: 11167 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/seek/vsynth2-wmv2 b/tests/ref/seek/vsynth2-wmv2 index 53680d0f7e..3ba67649e1 100644 --- a/tests/ref/seek/vsynth2-wmv2 +++ b/tests/ref/seek/vsynth2-wmv2 
@@ -1,46 +1,46 @@ -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 8917 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 11264 ret: 0 st:-1 flags:0 ts:-1.000000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 8917 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 11264 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83764 size: 11170 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 109154 size: 15153 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 54534 size: 9989 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 69348 size: 13297 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83764 size: 11170 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 109154 size: 15153 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29588 size: 8839 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35954 size: 11342 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 54534 size: 9989 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 69348 size: 13297 ret: 0 st: 0 flags:0 ts:-0.040000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 8917 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 11264 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 116062 size: 11554 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 154736 size: 16130 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 116062 size: 11554 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 154736 size: 16130 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 
pos: 29588 size: 8839 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35954 size: 11342 ret: 0 st: 0 flags:0 ts:-0.480000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 8917 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 11264 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 116062 size: 11554 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 154736 size: 16130 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83764 size: 11170 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 109154 size: 15153 ret: 0 st:-1 flags:1 ts: 0.200839 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 8917 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 11264 ret: 0 st: 0 flags:0 ts:-0.920000 -ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 8917 +ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 11264 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 116062 size: 11554 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 154736 size: 16130 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 54534 size: 9989 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 69348 size: 13297 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 83764 size: 11170 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 109154 size: 15153 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 29588 size: 8839 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 35954 size: 11342 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/vsynth/vsynth2-asv1 b/tests/ref/vsynth/vsynth2-asv1 index 282435b06b..de8892fcc1 100644 --- a/tests/ref/vsynth/vsynth2-asv1 +++ b/tests/ref/vsynth/vsynth2-asv1 
@@ -1,4 +1,4 @@ -ae8d79e0e421138a9a67a148a42c26c5 *tests/data/fate/vsynth2-asv1.avi -832500 tests/data/fate/vsynth2-asv1.avi -c96ff7fd17c52f99ddb7922a4cb9168f *tests/data/fate/vsynth2-asv1.out.rawvideo -stddev: 10.47 PSNR: 27.73 MAXDIFF: 98 bytes: 7603200/ 7603200 +50f5bba0ab3f7ebe687619368b20d29a *tests/data/fate/vsynth2-asv1.avi +1008588 tests/data/fate/vsynth2-asv1.avi +bd8e5390a51f062d3ec9545fc93e7ca2 *tests/data/fate/vsynth2-asv1.out.rawvideo +stddev: 12.39 PSNR: 26.26 MAXDIFF: 110 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-asv2 b/tests/ref/vsynth/vsynth2-asv2 index 89428628f7..b7a8f1345d 100644 --- a/tests/ref/vsynth/vsynth2-asv2 +++ b/tests/ref/vsynth/vsynth2-asv2 @@ -1,4 +1,4 @@ -ccf6762758395eee9a29ef7a4ef3cd58 *tests/data/fate/vsynth2-asv2.avi -789060 tests/data/fate/vsynth2-asv2.avi -74a78015b64b2cf8cb9da2e44f508a69 *tests/data/fate/vsynth2-asv2.out.rawvideo -stddev: 10.28 PSNR: 27.89 MAXDIFF: 95 bytes: 7603200/ 7603200 +fc746339bb82e299d14049ea8c7e9a4e *tests/data/fate/vsynth2-asv2.avi +956832 tests/data/fate/vsynth2-asv2.avi +4b3fe82b31221ac2b0f292760017668f *tests/data/fate/vsynth2-asv2.out.rawvideo +stddev: 12.19 PSNR: 26.41 MAXDIFF: 111 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-cljr b/tests/ref/vsynth/vsynth2-cljr index 39c74c3fd3..b372fa43d7 100644 --- a/tests/ref/vsynth/vsynth2-cljr +++ b/tests/ref/vsynth/vsynth2-cljr @@ -1,4 +1,4 @@ -5745ff1d80a6f454ae448dcf0bce50e0 *tests/data/fate/vsynth2-cljr.avi +624a1bcef30a52b39f616d73ded8bb30 *tests/data/fate/vsynth2-cljr.avi 5075648 tests/data/fate/vsynth2-cljr.avi -cfe7802bf34aafed7df5dcaa5126ef23 *tests/data/fate/vsynth2-cljr.out.rawvideo -stddev: 3.69 PSNR: 36.78 MAXDIFF: 22 bytes: 7603200/ 7603200 +273b2f8fb471602a683049f91f7c4cbb *tests/data/fate/vsynth2-cljr.out.rawvideo +stddev: 3.69 PSNR: 36.79 MAXDIFF: 36 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-dnxhd-1080i b/tests/ref/vsynth/vsynth2-dnxhd-1080i index 35db6d2789..4a4424b6ab 100644 
--- a/tests/ref/vsynth/vsynth2-dnxhd-1080i +++ b/tests/ref/vsynth/vsynth2-dnxhd-1080i @@ -1,4 +1,4 @@ -c456f2a7ac9435ea5bfea86bc69c1c41 *tests/data/fate/vsynth2-dnxhd-1080i.mov +1bc9fe8d89bae57ed54ae4d5b5262209 *tests/data/fate/vsynth2-dnxhd-1080i.mov 3031875 tests/data/fate/vsynth2-dnxhd-1080i.mov -42262a2325441b38b3b3c8a42d888e7d *tests/data/fate/vsynth2-dnxhd-1080i.out.rawvideo -stddev: 1.31 PSNR: 45.77 MAXDIFF: 23 bytes: 7603200/ 760320 +da7f9fbf6034c3a99a1467e77dd62f6b *tests/data/fate/vsynth2-dnxhd-1080i.out.rawvideo +stddev: 1.53 PSNR: 44.43 MAXDIFF: 31 bytes: 7603200/ 760320 diff --git a/tests/ref/vsynth/vsynth2-dnxhd-720p b/tests/ref/vsynth/vsynth2-dnxhd-720p index afc6fde333..a6e3ae0c33 100644 --- a/tests/ref/vsynth/vsynth2-dnxhd-720p +++ b/tests/ref/vsynth/vsynth2-dnxhd-720p @@ -1,4 +1,4 @@ -58e07cc6ae0a2d36787044d0e82708a6 *tests/data/fate/vsynth2-dnxhd-720p.dnxhd +71c7491a41545882b36f07ee98021b4b *tests/data/fate/vsynth2-dnxhd-720p.dnxhd 2293760 tests/data/fate/vsynth2-dnxhd-720p.dnxhd -ab601eaafef74d80d3d20b780dddd836 *tests/data/fate/vsynth2-dnxhd-720p.out.rawvideo -stddev: 1.36 PSNR: 45.45 MAXDIFF: 127 bytes: 7603200/ 760320 +adef978dc9c9e4f10dc7c30418af62af *tests/data/fate/vsynth2-dnxhd-720p.out.rawvideo +stddev: 6.69 PSNR: 31.62 MAXDIFF: 171 bytes: 7603200/ 760320 diff --git a/tests/ref/vsynth/vsynth2-dnxhd-720p-10bit b/tests/ref/vsynth/vsynth2-dnxhd-720p-10bit index f087c133b1..749d5f0d28 100644 --- a/tests/ref/vsynth/vsynth2-dnxhd-720p-10bit +++ b/tests/ref/vsynth/vsynth2-dnxhd-720p-10bit 
@@ -1,4 +1,4 @@ -4b57da2c0c1280469ff3579f7151c227 *tests/data/fate/vsynth2-dnxhd-720p-10bit.dnxhd +4798978f178cdb91203cda27e76ce75e *tests/data/fate/vsynth2-dnxhd-720p-10bit.dnxhd 2293760 tests/data/fate/vsynth2-dnxhd-720p-10bit.dnxhd -31a6aa8b8702e85fa3b48e73f035c4e4 *tests/data/fate/vsynth2-dnxhd-720p-10bit.out.rawvideo -stddev: 1.35 PSNR: 45.46 MAXDIFF: 23 bytes: 7603200/ 760320 +7ce1b7e73432498b530c6aa970566757 *tests/data/fate/vsynth2-dnxhd-720p-10bit.out.rawvideo +stddev: 1.56 PSNR: 44.24 MAXDIFF: 31 bytes: 7603200/ 760320 diff --git a/tests/ref/vsynth/vsynth2-dnxhd-720p-rd b/tests/ref/vsynth/vsynth2-dnxhd-720p-rd index c1b8f9630d..d9500e33cd 100644 --- a/tests/ref/vsynth/vsynth2-dnxhd-720p-rd +++ b/tests/ref/vsynth/vsynth2-dnxhd-720p-rd @@ -1,4 +1,4 @@ -092ffb7b8cf3c11556bb05dbb8b476ac *tests/data/fate/vsynth2-dnxhd-720p-rd.dnxhd +819a7714098e098981bf08253ef2e490 *tests/data/fate/vsynth2-dnxhd-720p-rd.dnxhd 2293760 tests/data/fate/vsynth2-dnxhd-720p-rd.dnxhd -33547ca318acff9448cba719cb99296d *tests/data/fate/vsynth2-dnxhd-720p-rd.out.rawvideo -stddev: 1.32 PSNR: 45.66 MAXDIFF: 22 bytes: 7603200/ 760320 +a05c35b99e5e74a9c8b3a9c66da01775 *tests/data/fate/vsynth2-dnxhd-720p-rd.out.rawvideo +stddev: 1.53 PSNR: 44.39 MAXDIFF: 31 bytes: 7603200/ 760320 diff --git a/tests/ref/vsynth/vsynth2-dv b/tests/ref/vsynth/vsynth2-dv index 2aac5ff815..fd1f3c6778 100644 --- a/tests/ref/vsynth/vsynth2-dv +++ b/tests/ref/vsynth/vsynth2-dv @@ -1,4 +1,4 @@ -bfa766f89bfeabc0ae1044f3954bed52 *tests/data/fate/vsynth2-dv.dv +dbea9acebf1bd2e3a827ab37777ff4bf *tests/data/fate/vsynth2-dv.dv 7200000 tests/data/fate/vsynth2-dv.dv -7ec62bd3350a6848364669e6e1e4b9cc *tests/data/fate/vsynth2-dv.out.rawvideo -stddev: 1.71 PSNR: 43.47 MAXDIFF: 33 bytes: 7603200/ 7603200 +be0a13c96af0065541aa7b3f6a1d688f *tests/data/fate/vsynth2-dv.out.rawvideo +stddev: 1.99 PSNR: 42.11 MAXDIFF: 38 bytes: 7603200/ 7603200 
diff --git a/tests/ref/vsynth/vsynth2-dv-411 b/tests/ref/vsynth/vsynth2-dv-411 index 00ecace283..608ee665eb 100644 --- a/tests/ref/vsynth/vsynth2-dv-411 +++ b/tests/ref/vsynth/vsynth2-dv-411 @@ -1,4 +1,4 @@ -00a9d8683ac6826af41bcf7223fb0389 *tests/data/fate/vsynth2-dv-411.dv +1bf5ee0be63310b567fe01235c6b81d7 *tests/data/fate/vsynth2-dv-411.dv 7200000 tests/data/fate/vsynth2-dv-411.dv -3cd4b85065d67bfb7fbab3bea4039711 *tests/data/fate/vsynth2-dv-411.out.rawvideo -stddev: 2.89 PSNR: 38.91 MAXDIFF: 45 bytes: 7603200/ 7603200 +653619342dbecd1e1314fa1eed0488fa *tests/data/fate/vsynth2-dv-411.out.rawvideo +stddev: 3.48 PSNR: 37.28 MAXDIFF: 56 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-dv-50 b/tests/ref/vsynth/vsynth2-dv-50 index e7e5dc1245..0ba19befc4 100644 --- a/tests/ref/vsynth/vsynth2-dv-50 +++ b/tests/ref/vsynth/vsynth2-dv-50 @@ -1,4 +1,4 @@ -61e31c79e8949b25c849753a0785b0d7 *tests/data/fate/vsynth2-dv-50.dv +ef9ec02d39b706ce491c027567ffb41a *tests/data/fate/vsynth2-dv-50.dv 14400000 tests/data/fate/vsynth2-dv-50.dv -af3f2dd5ab62c1a1d98b07d4aeb6852f *tests/data/fate/vsynth2-dv-50.out.rawvideo -stddev: 0.82 PSNR: 49.82 MAXDIFF: 12 bytes: 7603200/ 7603200 +8ba68c2a400fd4974a8489dcecd3d82c *tests/data/fate/vsynth2-dv-50.out.rawvideo +stddev: 0.88 PSNR: 49.21 MAXDIFF: 17 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-ffv1 b/tests/ref/vsynth/vsynth2-ffv1 index 8263b01afd..4dc2169443 100644 --- a/tests/ref/vsynth/vsynth2-ffv1 +++ b/tests/ref/vsynth/vsynth2-ffv1 @@ -1,4 +1,4 @@ -9d8486fc8a260204d8ee3212d95915b5 *tests/data/fate/vsynth2-ffv1.avi -3546258 tests/data/fate/vsynth2-ffv1.avi -dde5895817ad9d219f79a52d0bdfb001 *tests/data/fate/vsynth2-ffv1.out.rawvideo +4af788aeb692573717fe205f3ba20a33 *tests/data/fate/vsynth2-ffv1.avi +3716494 tests/data/fate/vsynth2-ffv1.avi +36d7ca943916e1743cefa609eba0205c *tests/data/fate/vsynth2-ffv1.out.rawvideo stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 7603200/ 7603200 
diff --git a/tests/ref/vsynth/vsynth2-ffvhuff b/tests/ref/vsynth/vsynth2-ffvhuff index 8daed2bd8a..40c29bbb76 100644 --- a/tests/ref/vsynth/vsynth2-ffvhuff +++ b/tests/ref/vsynth/vsynth2-ffvhuff @@ -1,4 +1,4 @@ -f6a213ef136012a3d189d09468d80dd3 *tests/data/fate/vsynth2-ffvhuff.avi -4988044 tests/data/fate/vsynth2-ffvhuff.avi -dde5895817ad9d219f79a52d0bdfb001 *tests/data/fate/vsynth2-ffvhuff.out.rawvideo +9884966783a0d092b45462ea586df2f8 *tests/data/fate/vsynth2-ffvhuff.avi +4951180 tests/data/fate/vsynth2-ffvhuff.avi +36d7ca943916e1743cefa609eba0205c *tests/data/fate/vsynth2-ffvhuff.out.rawvideo stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-flashsv b/tests/ref/vsynth/vsynth2-flashsv index b05e746f8c..de7446bb5e 100644 --- a/tests/ref/vsynth/vsynth2-flashsv +++ b/tests/ref/vsynth/vsynth2-flashsv @@ -1,4 +1,4 @@ -cd771e2b159450e63e38e26b872e548e *tests/data/fate/vsynth2-flashsv.flv -12368933 tests/data/fate/vsynth2-flashsv.flv -592b3321994e26a990deb3a0a1415de9 *tests/data/fate/vsynth2-flashsv.out.rawvideo -stddev: 0.65 PSNR: 51.84 MAXDIFF: 14 bytes: 7603200/ 7603200 +52701f9112732b42aa425129265ef499 *tests/data/fate/vsynth2-flashsv.flv +11636526 tests/data/fate/vsynth2-flashsv.flv +eed2322f11b95fc7abe5356306f00d97 *tests/data/fate/vsynth2-flashsv.out.rawvideo +stddev: 1.21 PSNR: 46.42 MAXDIFF: 20 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-flv b/tests/ref/vsynth/vsynth2-flv index 3047fb714e..818b1110b9 100644 --- a/tests/ref/vsynth/vsynth2-flv +++ b/tests/ref/vsynth/vsynth2-flv 
@@ -1,4 +1,4 @@ -747633a169bbfe4622c6c1a7990deafd *tests/data/fate/vsynth2-flv.flv -131340 tests/data/fate/vsynth2-flv.flv -8999c8264fb0941561f64c4a736e9d88 *tests/data/fate/vsynth2-flv.out.rawvideo -stddev: 5.33 PSNR: 33.59 MAXDIFF: 80 bytes: 7603200/ 7603200 +1be21ea941eb8b5ef5ecde9cac40ada0 *tests/data/fate/vsynth2-flv.flv +174657 tests/data/fate/vsynth2-flv.flv +c6e9b6c165558d052541309e48b5f551 *tests/data/fate/vsynth2-flv.out.rawvideo +stddev: 6.02 PSNR: 32.53 MAXDIFF: 83 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-h261 b/tests/ref/vsynth/vsynth2-h261 index 71ea191c7c..2c3d99b3ae 100644 --- a/tests/ref/vsynth/vsynth2-h261 +++ b/tests/ref/vsynth/vsynth2-h261 @@ -1,4 +1,4 @@ -921e06dffd04667d336449c7cd1c6589 *tests/data/fate/vsynth2-h261.avi -191074 tests/data/fate/vsynth2-h261.avi -db7ceff174823b98834faa2320ca89ac *tests/data/fate/vsynth2-h261.out.rawvideo -stddev: 6.37 PSNR: 32.03 MAXDIFF: 77 bytes: 7603200/ 7603200 +b5187bd5be8b422ff220f297de90fbcb *tests/data/fate/vsynth2-h261.avi +257928 tests/data/fate/vsynth2-h261.avi +1a9bb0d52bd24cb62162c5e3c2aed317 *tests/data/fate/vsynth2-h261.out.rawvideo +stddev: 7.21 PSNR: 30.97 MAXDIFF: 96 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-h263 b/tests/ref/vsynth/vsynth2-h263 index b2ce3706c5..ce63aab7e7 100644 --- a/tests/ref/vsynth/vsynth2-h263 +++ b/tests/ref/vsynth/vsynth2-h263 @@ -1,4 +1,4 @@ -329c0318b8727d66946ec729c6e960fc *tests/data/fate/vsynth2-h263.avi -160094 tests/data/fate/vsynth2-h263.avi -61213b91b359697ebcefb9e0a53ac54a *tests/data/fate/vsynth2-h263.out.rawvideo -stddev: 5.43 PSNR: 33.42 MAXDIFF: 77 bytes: 7603200/ 7603200 +350cf3bdc9b0ddbac5648d3343f6311f *tests/data/fate/vsynth2-h263.avi +216468 tests/data/fate/vsynth2-h263.avi +4d9c35b109b48f49a62d2a9208e3f0e7 *tests/data/fate/vsynth2-h263.out.rawvideo +stddev: 6.12 PSNR: 32.39 MAXDIFF: 83 bytes: 7603200/ 7603200 
diff --git a/tests/ref/vsynth/vsynth2-h263-obmc b/tests/ref/vsynth/vsynth2-h263-obmc index 67fd2fddfd..40ab3f5f68 100644 --- a/tests/ref/vsynth/vsynth2-h263-obmc +++ b/tests/ref/vsynth/vsynth2-h263-obmc @@ -1,4 +1,4 @@ -3abbe86e18ef9d407cc3817dd31ebeba *tests/data/fate/vsynth2-h263-obmc.avi -154716 tests/data/fate/vsynth2-h263-obmc.avi -6f326547cf1cbd95a8c0a5ddce9eb71a *tests/data/fate/vsynth2-h263-obmc.out.rawvideo -stddev: 5.39 PSNR: 33.49 MAXDIFF: 82 bytes: 7603200/ 7603200 +c42dc221b17353b814c72202eb2d9e54 *tests/data/fate/vsynth2-h263-obmc.avi +208520 tests/data/fate/vsynth2-h263-obmc.avi +cec8aa66f5ee1c8569f40b572c1ea100 *tests/data/fate/vsynth2-h263-obmc.out.rawvideo +stddev: 6.10 PSNR: 32.41 MAXDIFF: 90 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-h263p b/tests/ref/vsynth/vsynth2-h263p index 826dcd15ce..5a72e729d1 100644 --- a/tests/ref/vsynth/vsynth2-h263p +++ b/tests/ref/vsynth/vsynth2-h263p @@ -1,4 +1,4 @@ -865ca965ab4fdfe225db7de3d23b4ad8 *tests/data/fate/vsynth2-h263p.avi -868006 tests/data/fate/vsynth2-h263p.avi -4b0ee791f280029dc03c528f76f195d4 *tests/data/fate/vsynth2-h263p.out.rawvideo -stddev: 1.91 PSNR: 42.50 MAXDIFF: 19 bytes: 7603200/ 7603200 +a0527f9eab97e5e6543a5feb901283d0 *tests/data/fate/vsynth2-h263p.avi +1134962 tests/data/fate/vsynth2-h263p.avi +66e8c0bd40918f970e62b6cdd7df79a5 *tests/data/fate/vsynth2-h263p.out.rawvideo +stddev: 2.01 PSNR: 42.04 MAXDIFF: 21 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-huffyuv b/tests/ref/vsynth/vsynth2-huffyuv index 7d062dd3cc..0d4f1f92e0 100644 --- a/tests/ref/vsynth/vsynth2-huffyuv +++ b/tests/ref/vsynth/vsynth2-huffyuv 
@@ -1,4 +1,4 @@ -30d509aca4a7298cf7667581a5e37671 *tests/data/fate/vsynth2-huffyuv.avi -6455220 tests/data/fate/vsynth2-huffyuv.avi -dde5895817ad9d219f79a52d0bdfb001 *tests/data/fate/vsynth2-huffyuv.out.rawvideo +37c68caa7a0bd66a7511e6439c1ada49 *tests/data/fate/vsynth2-huffyuv.avi +6422324 tests/data/fate/vsynth2-huffyuv.avi +36d7ca943916e1743cefa609eba0205c *tests/data/fate/vsynth2-huffyuv.out.rawvideo stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-jpegls b/tests/ref/vsynth/vsynth2-jpegls index 75ad4030db..fba01fe610 100644 --- a/tests/ref/vsynth/vsynth2-jpegls +++ b/tests/ref/vsynth/vsynth2-jpegls @@ -1,4 +1,4 @@ -f34315ed0e30cf4d94dd21ff1d4cea1b *tests/data/fate/vsynth2-jpegls.avi -8334618 tests/data/fate/vsynth2-jpegls.avi -592b3321994e26a990deb3a0a1415de9 *tests/data/fate/vsynth2-jpegls.out.rawvideo -stddev: 0.65 PSNR: 51.84 MAXDIFF: 14 bytes: 7603200/ 7603200 +d5901351df4887fd45c6e5da9bdaffcf *tests/data/fate/vsynth2-jpegls.avi +8311644 tests/data/fate/vsynth2-jpegls.avi +eed2322f11b95fc7abe5356306f00d97 *tests/data/fate/vsynth2-jpegls.out.rawvideo +stddev: 1.21 PSNR: 46.42 MAXDIFF: 20 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-ljpeg b/tests/ref/vsynth/vsynth2-ljpeg index a7b8a2d245..fe78d715e8 100644 --- a/tests/ref/vsynth/vsynth2-ljpeg +++ b/tests/ref/vsynth/vsynth2-ljpeg @@ -1,4 +1,4 @@ -5d603cecd59db0f255a53bda837a6bae *tests/data/fate/vsynth2-ljpeg.avi -4766902 tests/data/fate/vsynth2-ljpeg.avi -dde5895817ad9d219f79a52d0bdfb001 *tests/data/fate/vsynth2-ljpeg.out.rawvideo +5198a8578e3a4a82a622eaf91ac13548 *tests/data/fate/vsynth2-ljpeg.avi +4715702 tests/data/fate/vsynth2-ljpeg.avi +36d7ca943916e1743cefa609eba0205c *tests/data/fate/vsynth2-ljpeg.out.rawvideo stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mjpeg b/tests/ref/vsynth/vsynth2-mjpeg index 981d01bd50..4fc585893d 100644 --- a/tests/ref/vsynth/vsynth2-mjpeg 
+++ b/tests/ref/vsynth/vsynth2-mjpeg @@ -1,4 +1,4 @@ -ba05f4fad7f34a96c77964e8cdf9d5c0 *tests/data/fate/vsynth2-mjpeg.avi -673212 tests/data/fate/vsynth2-mjpeg.avi -a96a4e15ffcb13e44360df642d049496 *tests/data/fate/vsynth2-mjpeg.out.rawvideo -stddev: 4.32 PSNR: 35.40 MAXDIFF: 49 bytes: 7603200/ 7603200 +972d25dee3c6fe965304fa34e2f75f8a *tests/data/fate/vsynth2-mjpeg.avi +830288 tests/data/fate/vsynth2-mjpeg.avi +5f979b021284f8b2868f558f6cc593fe *tests/data/fate/vsynth2-mjpeg.out.rawvideo +stddev: 4.87 PSNR: 34.37 MAXDIFF: 55 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg1 b/tests/ref/vsynth/vsynth2-mpeg1 index a9759732fc..eebc514546 100644 --- a/tests/ref/vsynth/vsynth2-mpeg1 +++ b/tests/ref/vsynth/vsynth2-mpeg1 @@ -1,4 +1,4 @@ -73ca6f1deab02d1d67a0e8495c026a9e *tests/data/fate/vsynth2-mpeg1.mpeg1video -192783 tests/data/fate/vsynth2-mpeg1.mpeg1video -56147e94b12f08df7213e610e177823d *tests/data/fate/vsynth2-mpeg1.out.rawvideo -stddev: 4.95 PSNR: 34.22 MAXDIFF: 57 bytes: 7603200/ 7603200 +9daec4f4e4b6fb8960c3509c84eae0c7 *tests/data/fate/vsynth2-mpeg1.mpeg1video +262171 tests/data/fate/vsynth2-mpeg1.mpeg1video +33916bea6d2bc5db93aaf38ee706ba46 *tests/data/fate/vsynth2-mpeg1.out.rawvideo +stddev: 5.54 PSNR: 33.26 MAXDIFF: 77 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg1b b/tests/ref/vsynth/vsynth2-mpeg1b index 4b92ac570a..4aab85ecce 100644 --- a/tests/ref/vsynth/vsynth2-mpeg1b +++ b/tests/ref/vsynth/vsynth2-mpeg1b 
@@ -1,4 +1,4 @@ -e026a2fef80c9679776d2b5c8be09338 *tests/data/fate/vsynth2-mpeg1b.mpeg1video -225198 tests/data/fate/vsynth2-mpeg1b.mpeg1video -1150495f4bd487486ee53326c42d0bb8 *tests/data/fate/vsynth2-mpeg1b.out.rawvideo -stddev: 4.10 PSNR: 35.86 MAXDIFF: 59 bytes: 7603200/ 7603200 +30d6d3f9b7b4234e74d3ed22c012ab31 *tests/data/fate/vsynth2-mpeg1b.mpeg1video +298135 tests/data/fate/vsynth2-mpeg1b.mpeg1video +bbac65e2e1fd7e14d83f50072e188852 *tests/data/fate/vsynth2-mpeg1b.out.rawvideo +stddev: 4.60 PSNR: 34.87 MAXDIFF: 77 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg2 b/tests/ref/vsynth/vsynth2-mpeg2 index c346fc4e68..7f441cb1f7 100644 --- a/tests/ref/vsynth/vsynth2-mpeg2 +++ b/tests/ref/vsynth/vsynth2-mpeg2 @@ -1,4 +1,4 @@ -bc0dfd0449235fc82c4e08e639c60738 *tests/data/fate/vsynth2-mpeg2.mpeg2video -198727 tests/data/fate/vsynth2-mpeg2.mpeg2video -b7cae8a1f751b821cddcbe4d5dbc518c *tests/data/fate/vsynth2-mpeg2.out.rawvideo -stddev: 4.96 PSNR: 34.20 MAXDIFF: 59 bytes: 7603200/ 7603200 +48d5feed5d7866457216577a75b60d59 *tests/data/fate/vsynth2-mpeg2.mpeg2video +268229 tests/data/fate/vsynth2-mpeg2.mpeg2video +5887392ff0a05babc480e9f29a1797a3 *tests/data/fate/vsynth2-mpeg2.out.rawvideo +stddev: 5.55 PSNR: 33.23 MAXDIFF: 77 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg2-422 b/tests/ref/vsynth/vsynth2-mpeg2-422 index d898c6fba6..ea30134fe8 100644 --- a/tests/ref/vsynth/vsynth2-mpeg2-422 +++ b/tests/ref/vsynth/vsynth2-mpeg2-422 
@@ -1,4 +1,4 @@ -15424b60d15080836cf868657968cb3d *tests/data/fate/vsynth2-mpeg2-422.mpeg2video -356161 tests/data/fate/vsynth2-mpeg2-422.mpeg2video -9fbde6cc707068edf15de2050adb8da7 *tests/data/fate/vsynth2-mpeg2-422.out.rawvideo -stddev: 3.16 PSNR: 38.13 MAXDIFF: 49 bytes: 7603200/ 7603200 +392cd150d65892060374ef0ca98b53c3 *tests/data/fate/vsynth2-mpeg2-422.mpeg2video +379371 tests/data/fate/vsynth2-mpeg2-422.mpeg2video +fa9fda9c92a455b39ae7e516b7de6919 *tests/data/fate/vsynth2-mpeg2-422.out.rawvideo +stddev: 4.16 PSNR: 35.73 MAXDIFF: 70 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg2-idct-int b/tests/ref/vsynth/vsynth2-mpeg2-idct-int index bb8c1c6df6..fe1ed8d3b0 100644 --- a/tests/ref/vsynth/vsynth2-mpeg2-idct-int +++ b/tests/ref/vsynth/vsynth2-mpeg2-idct-int @@ -1,4 +1,4 @@ -46aa32897fe88df6db156731332e3667 *tests/data/fate/vsynth2-mpeg2-idct-int.mpeg2video -198101 tests/data/fate/vsynth2-mpeg2-idct-int.mpeg2video -92794e70e4a19a494f10efe353d9895d *tests/data/fate/vsynth2-mpeg2-idct-int.out.rawvideo -stddev: 4.97 PSNR: 34.19 MAXDIFF: 58 bytes: 7603200/ 7603200 +4fa4ce9e167fb1816522126d36acfd3c *tests/data/fate/vsynth2-mpeg2-idct-int.mpeg2video +267430 tests/data/fate/vsynth2-mpeg2-idct-int.mpeg2video +b750f48d58f157da94613fe92012e7a5 *tests/data/fate/vsynth2-mpeg2-idct-int.out.rawvideo +stddev: 5.56 PSNR: 33.22 MAXDIFF: 77 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg2-ilace b/tests/ref/vsynth/vsynth2-mpeg2-ilace index 4492c8d891..565caf3d02 100644 --- a/tests/ref/vsynth/vsynth2-mpeg2-ilace +++ b/tests/ref/vsynth/vsynth2-mpeg2-ilace 
@@ -1,4 +1,4 @@ -f2f0aa5808066cc6b4e79c78b2fd2223 *tests/data/fate/vsynth2-mpeg2-ilace.mpeg2video -204639 tests/data/fate/vsynth2-mpeg2-ilace.mpeg2video -ea5057b60146c06d40449cdfc686bf13 *tests/data/fate/vsynth2-mpeg2-ilace.out.rawvideo -stddev: 4.98 PSNR: 34.18 MAXDIFF: 65 bytes: 7603200/ 7603200 +be3bd3d5393320419e82afaaea6c6fb6 *tests/data/fate/vsynth2-mpeg2-ilace.mpeg2video +275014 tests/data/fate/vsynth2-mpeg2-ilace.mpeg2video +fe069b1be5c6aa5808c0840008485912 *tests/data/fate/vsynth2-mpeg2-ilace.out.rawvideo +stddev: 5.57 PSNR: 33.20 MAXDIFF: 77 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg2-ivlc-qprd b/tests/ref/vsynth/vsynth2-mpeg2-ivlc-qprd index 1b1554f94c..58feb93943 100644 --- a/tests/ref/vsynth/vsynth2-mpeg2-ivlc-qprd +++ b/tests/ref/vsynth/vsynth2-mpeg2-ivlc-qprd @@ -1,4 +1,4 @@ -d5513b33636854d4956078d6f40f9758 *tests/data/fate/vsynth2-mpeg2-ivlc-qprd.mpeg2video -244761 tests/data/fate/vsynth2-mpeg2-ivlc-qprd.mpeg2video -e38edc0ae8e422bcd9346b15da41a438 *tests/data/fate/vsynth2-mpeg2-ivlc-qprd.out.rawvideo -stddev: 4.15 PSNR: 35.76 MAXDIFF: 74 bytes: 7603200/ 7603200 +5e938746a4b50f496db6faa10cbe98d6 *tests/data/fate/vsynth2-mpeg2-ivlc-qprd.mpeg2video +269774 tests/data/fate/vsynth2-mpeg2-ivlc-qprd.mpeg2video +91316e6e990ee20b4a8de33f9e6adc56 *tests/data/fate/vsynth2-mpeg2-ivlc-qprd.out.rawvideo +stddev: 5.54 PSNR: 33.25 MAXDIFF: 94 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg2-thread b/tests/ref/vsynth/vsynth2-mpeg2-thread index 7293a33ccd..9c44e9f2cd 100644 --- a/tests/ref/vsynth/vsynth2-mpeg2-thread +++ b/tests/ref/vsynth/vsynth2-mpeg2-thread 
@@ -1,4 +1,4 @@ -33dc9ed754788b68d27e694b20f29fe9 *tests/data/fate/vsynth2-mpeg2-thread.mpeg2video -179710 tests/data/fate/vsynth2-mpeg2-thread.mpeg2video -8c6a7ed2eb73bd18fd2bb9829464100d *tests/data/fate/vsynth2-mpeg2-thread.out.rawvideo -stddev: 4.72 PSNR: 34.65 MAXDIFF: 72 bytes: 7603200/ 7603200 +722c04a6a442e0ae716e879dff4b6639 *tests/data/fate/vsynth2-mpeg2-thread.mpeg2video +230678 tests/data/fate/vsynth2-mpeg2-thread.mpeg2video +f35531461e7b31bfba66802954329f2e *tests/data/fate/vsynth2-mpeg2-thread.out.rawvideo +stddev: 5.31 PSNR: 33.62 MAXDIFF: 73 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg2-thread-ivlc b/tests/ref/vsynth/vsynth2-mpeg2-thread-ivlc index 2cacf32463..6e6763ee18 100644 --- a/tests/ref/vsynth/vsynth2-mpeg2-thread-ivlc +++ b/tests/ref/vsynth/vsynth2-mpeg2-thread-ivlc @@ -1,4 +1,4 @@ -31b7429e67bbeec0bb9b86d8f2e596de *tests/data/fate/vsynth2-mpeg2-thread-ivlc.mpeg2video -178861 tests/data/fate/vsynth2-mpeg2-thread-ivlc.mpeg2video -8c6a7ed2eb73bd18fd2bb9829464100d *tests/data/fate/vsynth2-mpeg2-thread-ivlc.out.rawvideo -stddev: 4.72 PSNR: 34.65 MAXDIFF: 72 bytes: 7603200/ 7603200 +32abf166f7a6fdb8e4b46795a60761cc *tests/data/fate/vsynth2-mpeg2-thread-ivlc.mpeg2video +227906 tests/data/fate/vsynth2-mpeg2-thread-ivlc.mpeg2video +f35531461e7b31bfba66802954329f2e *tests/data/fate/vsynth2-mpeg2-thread-ivlc.out.rawvideo +stddev: 5.31 PSNR: 33.62 MAXDIFF: 73 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg4 b/tests/ref/vsynth/vsynth2-mpeg4 index a654c13819..1aa75a8cb0 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4 +++ b/tests/ref/vsynth/vsynth2-mpeg4 
@@ -1,4 +1,4 @@ -0282105e98166fac06f7ba9e857cfbfe *tests/data/fate/vsynth2-mpeg4.mp4 -119833 tests/data/fate/vsynth2-mpeg4.mp4 -90a3577850239083a9042bef33c50e85 *tests/data/fate/vsynth2-mpeg4.out.rawvideo -stddev: 5.34 PSNR: 33.57 MAXDIFF: 83 bytes: 7603200/ 7603200 +f60260ca447624a19ad8307abad7a431 *tests/data/fate/vsynth2-mpeg4.mp4 +159432 tests/data/fate/vsynth2-mpeg4.mp4 +871fda3853f4766669ad875923920bd5 *tests/data/fate/vsynth2-mpeg4.out.rawvideo +stddev: 6.02 PSNR: 32.53 MAXDIFF: 89 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg4-adap b/tests/ref/vsynth/vsynth2-mpeg4-adap index fb4c206414..4cfbf4936f 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4-adap +++ b/tests/ref/vsynth/vsynth2-mpeg4-adap @@ -1,4 +1,4 @@ -76c8962b06b7a0d748bd7eb3f6fc0e18 *tests/data/fate/vsynth2-mpeg4-adap.avi -198498 tests/data/fate/vsynth2-mpeg4-adap.avi -4affb83f6adc94f31024b4f9e0168945 *tests/data/fate/vsynth2-mpeg4-adap.out.rawvideo -stddev: 3.75 PSNR: 36.65 MAXDIFF: 71 bytes: 7603200/ 7603200 +00b903b1de8c943b344d493312cea9e7 *tests/data/fate/vsynth2-mpeg4-adap.avi +214026 tests/data/fate/vsynth2-mpeg4-adap.avi +a004e972aebc9baf8c84965226115526 *tests/data/fate/vsynth2-mpeg4-adap.out.rawvideo +stddev: 4.87 PSNR: 34.37 MAXDIFF: 86 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg4-adv b/tests/ref/vsynth/vsynth2-mpeg4-adv index b3bf2646ea..4ae4a84eb7 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4-adv +++ b/tests/ref/vsynth/vsynth2-mpeg4-adv 
@@ -1,4 +1,4 @@ -1875ae5a45936c08778c4430a22e87eb *tests/data/fate/vsynth2-mpeg4-adv.avi -141534 tests/data/fate/vsynth2-mpeg4-adv.avi -3f3a21e9db85a9c0f7022f557a5374c1 *tests/data/fate/vsynth2-mpeg4-adv.out.rawvideo -stddev: 4.94 PSNR: 34.25 MAXDIFF: 69 bytes: 7603200/ 7603200 +e18d6c882c22ac06bffffeb8ef0c1899 *tests/data/fate/vsynth2-mpeg4-adv.avi +187242 tests/data/fate/vsynth2-mpeg4-adv.avi +505bdffb9b051dc2123d07a4ae183faf *tests/data/fate/vsynth2-mpeg4-adv.out.rawvideo +stddev: 5.51 PSNR: 33.30 MAXDIFF: 80 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg4-error b/tests/ref/vsynth/vsynth2-mpeg4-error index 35dd03db6e..fd908aa293 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4-error +++ b/tests/ref/vsynth/vsynth2-mpeg4-error @@ -1,4 +1,4 @@ -d3025e5f784efeb2ab9b84f8924eda19 *tests/data/fate/vsynth2-mpeg4-error.avi -176576 tests/data/fate/vsynth2-mpeg4-error.avi -96baa9e4c24c837a3ba5abd8dd2cdd30 *tests/data/fate/vsynth2-mpeg4-error.out.rawvideo -stddev: 8.98 PSNR: 29.06 MAXDIFF: 184 bytes: 7603200/ 7603200 +054264098fa7da0a04d154a7e76ae0e5 *tests/data/fate/vsynth2-mpeg4-error.avi +248248 tests/data/fate/vsynth2-mpeg4-error.avi +d341895eb9a76a2236f0eac8b4e331c3 *tests/data/fate/vsynth2-mpeg4-error.out.rawvideo +stddev: 6.52 PSNR: 31.83 MAXDIFF: 209 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg4-nr b/tests/ref/vsynth/vsynth2-mpeg4-nr index 7fdce67eeb..63e6c43760 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4-nr +++ b/tests/ref/vsynth/vsynth2-mpeg4-nr 
@@ -1,4 +1,4 @@ -75725f3c2a08efa145a2692a20373a21 *tests/data/fate/vsynth2-mpeg4-nr.avi -155032 tests/data/fate/vsynth2-mpeg4-nr.avi -f7fc191308679f709405e62271f5c65f *tests/data/fate/vsynth2-mpeg4-nr.out.rawvideo -stddev: 4.73 PSNR: 34.63 MAXDIFF: 64 bytes: 7603200/ 7603200 +cf978cf6801e09440877c04cd09bee3b *tests/data/fate/vsynth2-mpeg4-nr.avi +205964 tests/data/fate/vsynth2-mpeg4-nr.avi +2968ea4618c7fe646fb3e142cea0b8ee *tests/data/fate/vsynth2-mpeg4-nr.out.rawvideo +stddev: 5.32 PSNR: 33.61 MAXDIFF: 78 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg4-qpel b/tests/ref/vsynth/vsynth2-mpeg4-qpel index cab264afaf..18860d5153 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4-qpel +++ b/tests/ref/vsynth/vsynth2-mpeg4-qpel @@ -1,4 +1,4 @@ -c45101c6c3b681f5d420a938c0689a37 *tests/data/fate/vsynth2-mpeg4-qpel.avi -163676 tests/data/fate/vsynth2-mpeg4-qpel.avi -26dc7c78955fa678fbf150e236eb5627 *tests/data/fate/vsynth2-mpeg4-qpel.out.rawvideo -stddev: 3.97 PSNR: 36.14 MAXDIFF: 54 bytes: 7603200/ 7603200 +41eaa93241ac0eeda43326d063191c05 *tests/data/fate/vsynth2-mpeg4-qpel.avi +209952 tests/data/fate/vsynth2-mpeg4-qpel.avi +597bcb0df5f17cbbac0c1e9fcfeadc0b *tests/data/fate/vsynth2-mpeg4-qpel.out.rawvideo +stddev: 4.42 PSNR: 35.22 MAXDIFF: 56 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg4-qprd b/tests/ref/vsynth/vsynth2-mpeg4-qprd index 1779dd77a7..6971ca4303 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4-qprd +++ b/tests/ref/vsynth/vsynth2-mpeg4-qprd 
@@ -1,4 +1,4 @@ -81afd85c3ab00b685588e1b61cc3e4b3 *tests/data/fate/vsynth2-mpeg4-qprd.avi -231446 tests/data/fate/vsynth2-mpeg4-qprd.avi -de8a883865e2dff7a51f66da6c48df48 *tests/data/fate/vsynth2-mpeg4-qprd.out.rawvideo -stddev: 3.71 PSNR: 36.72 MAXDIFF: 61 bytes: 7603200/ 7603200 +a8b93de39254468708ebf2744ff8239e *tests/data/fate/vsynth2-mpeg4-qprd.avi +248702 tests/data/fate/vsynth2-mpeg4-qprd.avi +baa8d0d57a7fb5e393642cb20efed2c2 *tests/data/fate/vsynth2-mpeg4-qprd.out.rawvideo +stddev: 4.85 PSNR: 34.40 MAXDIFF: 85 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg4-rc b/tests/ref/vsynth/vsynth2-mpeg4-rc index 74e7962048..7ead7f624e 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4-rc +++ b/tests/ref/vsynth/vsynth2-mpeg4-rc @@ -1,4 +1,4 @@ -e3621649079539ec118e8581c54bc2ef *tests/data/fate/vsynth2-mpeg4-rc.avi -226320 tests/data/fate/vsynth2-mpeg4-rc.avi -2b34e606af895b62a250de98749a19b0 *tests/data/fate/vsynth2-mpeg4-rc.out.rawvideo -stddev: 4.23 PSNR: 35.60 MAXDIFF: 85 bytes: 7603200/ 7603200 +0e2fdca5f87e09c33c638aadd11cadfd *tests/data/fate/vsynth2-mpeg4-rc.avi +254748 tests/data/fate/vsynth2-mpeg4-rc.avi +4cf9c72a43a42af3eedef8483a33abef *tests/data/fate/vsynth2-mpeg4-rc.out.rawvideo +stddev: 5.57 PSNR: 33.20 MAXDIFF: 116 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-mpeg4-thread b/tests/ref/vsynth/vsynth2-mpeg4-thread index 61478a0604..902d2a858b 100644 --- a/tests/ref/vsynth/vsynth2-mpeg4-thread +++ b/tests/ref/vsynth/vsynth2-mpeg4-thread 
@@ -1,4 +1,4 @@ -69b716c9f99c5acb86a744521c32cf72 *tests/data/fate/vsynth2-mpeg4-thread.avi -250128 tests/data/fate/vsynth2-mpeg4-thread.avi -5355deb8c7609a3f1ff2173aab1dee70 *tests/data/fate/vsynth2-mpeg4-thread.out.rawvideo -stddev: 3.69 PSNR: 36.78 MAXDIFF: 65 bytes: 7603200/ 7603200 +8dfa6ee464e24417797af572398befdb *tests/data/fate/vsynth2-mpeg4-thread.avi +268392 tests/data/fate/vsynth2-mpeg4-thread.avi +75042fdb02de159446ab599cb7fe6bb9 *tests/data/fate/vsynth2-mpeg4-thread.out.rawvideo +stddev: 4.89 PSNR: 34.34 MAXDIFF: 86 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-msmpeg4 b/tests/ref/vsynth/vsynth2-msmpeg4 index a7cc94e771..162e420ecc 100644 --- a/tests/ref/vsynth/vsynth2-msmpeg4 +++ b/tests/ref/vsynth/vsynth2-msmpeg4 @@ -1,4 +1,4 @@ -f602d25096c83f166bdab01fa07a34c1 *tests/data/fate/vsynth2-msmpeg4.avi -127668 tests/data/fate/vsynth2-msmpeg4.avi -0e1c6e25c71c6a8fa8e506e3d97ca4c9 *tests/data/fate/vsynth2-msmpeg4.out.rawvideo -stddev: 5.33 PSNR: 33.59 MAXDIFF: 78 bytes: 7603200/ 7603200 +5c1986c0a11537a6fe8d42c56bd0794e *tests/data/fate/vsynth2-msmpeg4.avi +170436 tests/data/fate/vsynth2-msmpeg4.avi +ce58683e7a261aedd4958de6cdbcffd9 *tests/data/fate/vsynth2-msmpeg4.out.rawvideo +stddev: 6.02 PSNR: 32.53 MAXDIFF: 89 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-msmpeg4v2 b/tests/ref/vsynth/vsynth2-msmpeg4v2 index 542dfe5851..aee7782f6b 100644 --- a/tests/ref/vsynth/vsynth2-msmpeg4v2 +++ b/tests/ref/vsynth/vsynth2-msmpeg4v2 
@@ -1,4 +1,4 @@ -43d6ca9b63993b4603d4f08fa6aaeab3 *tests/data/fate/vsynth2-msmpeg4v2.avi -129906 tests/data/fate/vsynth2-msmpeg4v2.avi -8920194f8bf8f9cdd6c65b3df9e1a292 *tests/data/fate/vsynth2-msmpeg4v2.out.rawvideo -stddev: 5.33 PSNR: 33.59 MAXDIFF: 80 bytes: 7603200/ 7603200 +84a9d7579bbaac6b48b5c319d22a8f55 *tests/data/fate/vsynth2-msmpeg4v2.avi +171910 tests/data/fate/vsynth2-msmpeg4v2.avi +0213600e1a77c1f28708233cb5a790ac *tests/data/fate/vsynth2-msmpeg4v2.out.rawvideo +stddev: 6.02 PSNR: 32.53 MAXDIFF: 83 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-prores b/tests/ref/vsynth/vsynth2-prores index 9d56b95831..248b7ce643 100644 --- a/tests/ref/vsynth/vsynth2-prores +++ b/tests/ref/vsynth/vsynth2-prores @@ -1,4 +1,4 @@ -7d167fee27e8c34968bbecec282f927a *tests/data/fate/vsynth2-prores.mov -3884722 tests/data/fate/vsynth2-prores.mov -ca2f6c1162635dedfa468c90f1fdc0ef *tests/data/fate/vsynth2-prores.out.rawvideo -stddev: 0.92 PSNR: 48.77 MAXDIFF: 10 bytes: 7603200/ 7603200 +b7e8f1fc9cba6db205a89b16ca7ae1da *tests/data/fate/vsynth2-prores.mov +3868288 tests/data/fate/vsynth2-prores.mov +549787c514c9172f1f698e9282f009f2 *tests/data/fate/vsynth2-prores.out.rawvideo +stddev: 1.17 PSNR: 46.72 MAXDIFF: 14 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-qtrle b/tests/ref/vsynth/vsynth2-qtrle index ac2b557f14..b55bc5bb2a 100644 --- a/tests/ref/vsynth/vsynth2-qtrle +++ b/tests/ref/vsynth/vsynth2-qtrle @@ -1,4 +1,4 @@ -fe3db3dd385b8e5dc43cccc17b50f7f0 *tests/data/fate/vsynth2-qtrle.mov -14798419 tests/data/fate/vsynth2-qtrle.mov -b2418e0e3a9a8619b31219cbcf24dc82 *tests/data/fate/vsynth2-qtrle.out.rawvideo -stddev: 1.26 PSNR: 46.06 MAXDIFF: 13 bytes: 7603200/ 7603200 +3ad59e9e4586a67328d0642dea77782e *tests/data/fate/vsynth2-qtrle.mov +14036000 tests/data/fate/vsynth2-qtrle.mov +abbfc86dbfdac158525addbf48cbb15f *tests/data/fate/vsynth2-qtrle.out.rawvideo +stddev: 1.54 PSNR: 44.34 MAXDIFF: 17 bytes: 7603200/ 7603200 
diff --git a/tests/ref/vsynth/vsynth2-rgb b/tests/ref/vsynth/vsynth2-rgb index 5c9a98e3f6..b50d064a75 100644 --- a/tests/ref/vsynth/vsynth2-rgb +++ b/tests/ref/vsynth/vsynth2-rgb @@ -1,4 +1,4 @@ -01199075994e44f282fbb6a8e3ccc668 *tests/data/fate/vsynth2-rgb.avi +f218f8f0e6bdaf486b8a20ebf8363944 *tests/data/fate/vsynth2-rgb.avi 15213248 tests/data/fate/vsynth2-rgb.avi -b2418e0e3a9a8619b31219cbcf24dc82 *tests/data/fate/vsynth2-rgb.out.rawvideo -stddev: 1.26 PSNR: 46.06 MAXDIFF: 13 bytes: 7603200/ 7603200 +abbfc86dbfdac158525addbf48cbb15f *tests/data/fate/vsynth2-rgb.out.rawvideo +stddev: 1.54 PSNR: 44.34 MAXDIFF: 17 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-roqvideo b/tests/ref/vsynth/vsynth2-roqvideo index d4c075a89d..3343765e55 100644 --- a/tests/ref/vsynth/vsynth2-roqvideo +++ b/tests/ref/vsynth/vsynth2-roqvideo @@ -1,4 +1,4 @@ -b46f899b2363065c60f3782ba1f8b7bd *tests/data/fate/vsynth2-roqvideo.roq -92786 tests/data/fate/vsynth2-roqvideo.roq -e69fca960dd0911e9b8d589c13e11dc1 *tests/data/fate/vsynth2-roqvideo.out.rawvideo -stddev: 3.81 PSNR: 36.49 MAXDIFF: 54 bytes: 7603200/ 760320 +217bc0f8cc28558f88a6c8e1aba56ebd *tests/data/fate/vsynth2-roqvideo.roq +91575 tests/data/fate/vsynth2-roqvideo.roq +64385eb8f2c5a15a44f23c914b7d007f *tests/data/fate/vsynth2-roqvideo.out.rawvideo +stddev: 4.82 PSNR: 34.45 MAXDIFF: 71 bytes: 7603200/ 760320 diff --git a/tests/ref/vsynth/vsynth2-rv10 b/tests/ref/vsynth/vsynth2-rv10 index 7afe4fca40..e1fd75d811 100644 --- a/tests/ref/vsynth/vsynth2-rv10 +++ b/tests/ref/vsynth/vsynth2-rv10 
@@ -1,4 +1,4 @@ -b1467b0e8d8cad730e36d1e8ab49d573 *tests/data/fate/vsynth2-rv10.rm -154310 tests/data/fate/vsynth2-rv10.rm -61213b91b359697ebcefb9e0a53ac54a *tests/data/fate/vsynth2-rv10.out.rawvideo -stddev: 5.43 PSNR: 33.42 MAXDIFF: 77 bytes: 7603200/ 7603200 +3b46a4ecefe76e021bb81cc8cbd09fdc *tests/data/fate/vsynth2-rv10.rm +210685 tests/data/fate/vsynth2-rv10.rm +4d9c35b109b48f49a62d2a9208e3f0e7 *tests/data/fate/vsynth2-rv10.out.rawvideo +stddev: 6.12 PSNR: 32.39 MAXDIFF: 83 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-rv20 b/tests/ref/vsynth/vsynth2-rv20 index a3440fa0cb..38c0c8b633 100644 --- a/tests/ref/vsynth/vsynth2-rv20 +++ b/tests/ref/vsynth/vsynth2-rv20 @@ -1,4 +1,4 @@ -96acb098850b9bf309f89e48b08fe96f *tests/data/fate/vsynth2-rv20.rm -153302 tests/data/fate/vsynth2-rv20.rm -46f314e70d9bac2e7d82cfc230534977 *tests/data/fate/vsynth2-rv20.out.rawvideo -stddev: 5.48 PSNR: 33.35 MAXDIFF: 81 bytes: 7603200/ 7603200 +1bfdb1840495e6c2876ddab73d1c98b6 *tests/data/fate/vsynth2-rv20.rm +210666 tests/data/fate/vsynth2-rv20.rm +d32edd26c6a04dceb75b19cf837b9d95 *tests/data/fate/vsynth2-rv20.out.rawvideo +stddev: 6.19 PSNR: 32.28 MAXDIFF: 81 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-svq1 b/tests/ref/vsynth/vsynth2-svq1 index e2af545e59..9d8dcead95 100644 --- a/tests/ref/vsynth/vsynth2-svq1 +++ b/tests/ref/vsynth/vsynth2-svq1 @@ -1,4 +1,4 @@ -c15de1e0b0439981dc94b927b1933889 *tests/data/fate/vsynth2-svq1.mov -766851 tests/data/fate/vsynth2-svq1.mov -aa03471dac3f49455a33a2b19fda1098 *tests/data/fate/vsynth2-svq1.out.rawvideo -stddev: 3.23 PSNR: 37.93 MAXDIFF: 61 bytes: 7603200/ 7603200 +9118e474af8b119c6c44e828a8dfaa8d *tests/data/fate/vsynth2-svq1.mov +940439 tests/data/fate/vsynth2-svq1.mov +a8cd3b833cd7f570ddbf1e6b3eb125b6 *tests/data/fate/vsynth2-svq1.out.rawvideo +stddev: 3.71 PSNR: 36.72 MAXDIFF: 210 bytes: 7603200/ 7603200 
diff --git a/tests/ref/vsynth/vsynth2-v210 b/tests/ref/vsynth/vsynth2-v210 index eb80b3424d..5e934de41b 100644 --- a/tests/ref/vsynth/vsynth2-v210 +++ b/tests/ref/vsynth/vsynth2-v210 @@ -1,4 +1,4 @@ -ddc80f41b9e92c26adbe09567a4c7a1d *tests/data/fate/vsynth2-v210.avi +87bb634932b3f5cacd4d08142798db17 *tests/data/fate/vsynth2-v210.avi 14752448 tests/data/fate/vsynth2-v210.avi -a627fb50c8276200fd71383977d87ca3 *tests/data/fate/vsynth2-v210.out.rawvideo -stddev: 0.34 PSNR: 57.43 MAXDIFF: 6 bytes: 7603200/ 7603200 +8bb1c449e1a2a94fd0d98841c04246bb *tests/data/fate/vsynth2-v210.out.rawvideo +stddev: 0.39 PSNR: 56.17 MAXDIFF: 9 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-wmv1 b/tests/ref/vsynth/vsynth2-wmv1 index 188b5184d4..1e20493c62 100644 --- a/tests/ref/vsynth/vsynth2-wmv1 +++ b/tests/ref/vsynth/vsynth2-wmv1 @@ -1,4 +1,4 @@ -73f3b72208ed1e61be60f1412dbf35e2 *tests/data/fate/vsynth2-wmv1.avi -129518 tests/data/fate/vsynth2-wmv1.avi -81eee429b665254d19a06607463c0b5e *tests/data/fate/vsynth2-wmv1.out.rawvideo -stddev: 5.33 PSNR: 33.60 MAXDIFF: 77 bytes: 7603200/ 7603200 +54e3a0432da62f1a11543a1df4aa05eb *tests/data/fate/vsynth2-wmv1.avi +172394 tests/data/fate/vsynth2-wmv1.avi +73fbdc771422e590afe213d1242943a2 *tests/data/fate/vsynth2-wmv1.out.rawvideo +stddev: 6.01 PSNR: 32.54 MAXDIFF: 88 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-wmv2 b/tests/ref/vsynth/vsynth2-wmv2 index 25c0deec07..6cc0642465 100644 --- a/tests/ref/vsynth/vsynth2-wmv2 +++ b/tests/ref/vsynth/vsynth2-wmv2 
@@ -1,4 +1,4 @@
-c7db61ce6fc07e8fb9a7204992c2e4c4 *tests/data/fate/vsynth2-wmv2.avi
-129848 tests/data/fate/vsynth2-wmv2.avi
-288bdf1b411b814a067ceb00ac6b9d16 *tests/data/fate/vsynth2-wmv2.out.rawvideo
-stddev: 5.33 PSNR: 33.59 MAXDIFF: 77 bytes: 7603200/ 7603200
+2e22f5024860163d1e11a125b283f261 *tests/data/fate/vsynth2-wmv2.avi
+173824 tests/data/fate/vsynth2-wmv2.avi
+65c4485e592d7fc48b55ba3b6051ddff *tests/data/fate/vsynth2-wmv2.out.rawvideo
+stddev: 6.02 PSNR: 32.54 MAXDIFF: 88 bytes: 7603200/ 7603200
diff --git a/tests/ref/vsynth/vsynth2-yuv b/tests/ref/vsynth/vsynth2-yuv
index d79e98677c..335660a78f 100644
--- a/tests/ref/vsynth/vsynth2-yuv
+++ b/tests/ref/vsynth/vsynth2-yuv
@@ -1,4 +1,4 @@
-d08219372af7a764c1afbc99a1002fe0 *tests/data/fate/vsynth2-yuv.avi
+57fa20652deda0945e57251bf261399a *tests/data/fate/vsynth2-yuv.avi
 7610048 tests/data/fate/vsynth2-yuv.avi
-dde5895817ad9d219f79a52d0bdfb001 *tests/data/fate/vsynth2-yuv.out.rawvideo
+36d7ca943916e1743cefa609eba0205c *tests/data/fate/vsynth2-yuv.out.rawvideo
 stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 7603200/ 7603200
diff --git a/tests/reference.pnm b/tests/reference.pnm
new file mode 100644
index 0000000000..e81bd7c2ef
--- /dev/null
+++ b/tests/reference.pnm
@@ -0,0 +1,696 @@ +P6 +# CREATOR: GIMP PNM Filter Version 1.1 +256 256 +255 +ҸܼὟ澟庞輟齟䷛麝縘跘崒淒縗齇ޯ鵐££ĥǫȬɭȭˮ˭˭ˬ̮ͭΰϰгαͭͲѵͲͯ˫ʪȨ˪ˮɩǥǦƤĢĢţţġàŸ辛羛澙翛众彙⼘ỗ俛àģŤᾚ߼⿝ĢǥǥŤǧƥǥȦɧͫϭ˩ȣǢȤʣɠššƢƣƣŸáŠɤʥɢ˥ȟȞʡϧΨ˥ƠȢƝ̣ϨѫҭΩѫӬٲعӵ̦պkh8P"JHKEDz?w;|B}E!Y3~iCtVy\oMtcH[M8A9,"    + + + + + +   + + +  +     +   +        +      + +    + +  yϧ佢ᷙ缞澜幛庙蹘涔蹗黙巐缕͚᳆뷐¤èèƩƪǩȪͮίͮͮϰϯϰгҲή̬ϰήͭάͬ˩ɧɧɦɧɧǦäâŦä¢龜辜优会㻘伙鿠忝⾜ὛţŢǤƢƦƦȥ̪Ϊά̪ȥǤɥɥȡǠǢàŠġšĠšȣȣɤɣȣȟɢ̦ͥ˥ĚĜǠɠͦҬЪϪ̦Ҭײ޿ղұˣ׻onAT*JLO#HD~D|?wAzN,|\5}fDwlNt_A_Q6?9%$     + + + + + + + + + + + + + + + + + +   + + +    +  +    + +  + + + +  + + + + +    +   +  + \D.dK1}^Ffǟ~Ϥ߳ᶗ߳ⵖ渕幙给꽗默軖ϛ乍빓Ħǫɭɭɭ̱̬ͬϯήίдϲѳѳв̮̭ΰͮ˭ˬ̪ȥǥƢŦƣšĠžŸž漝㽜仗⻗依忝俛㿝Ἓᾜ ƢŸġâƥǦ˩ʧ˨ͫɣɤ̨ʥɠʣžƟŝŝĝğÛƢƣȟŚƞǠǡ̤̣ǟژěȟˣΧͧΦΧЪӮ۹߾޼ڷӰѬ̤ؾžquG]2S Q$Q#L$H&}C~D{E"|Q0vX4o];bU4J?$3(   + + + + + +  + + + + + +  + + +           +  +     +   +      +    bJ5iK8gO9gKv]ouԧթۮݱ幔底缘躙꺕Т乒깑캘츚¥æĨãȦʨɧ˨̬Ϯϯͭаѳίίϰг̯αΰ˭ȩʫˬȧȩĢàĥŤž侞⼘㾛庛⼛⼜侞ἚນỚ༙⿜šğĠǣǤ˨˩ȤɥȦǥʤˣȢǤşǠƝĜƝɣɡȡȠÚěǟɢʠǙÙտĘǛˡˢ̣ˣɟˢͤӰֱձԯѭϩʥٿǡq{Ld6]+V+Q)I"H%~D|CO2R6vR3N?%80  +  + + +  + + + + + +   + + +       +   +    + + +   +  +  +    +  + iQ:gN5qXvW<^F,7,  +    + + + + + + + + + + + + + + + + + +        +         + + + +    +   +           kX@yaCzXyhCrOxܴݶӪܲ余归㹔ḕޭ֣תۮ 츛츖ãžƦɨ˩̪ͮίϰͮϰϱѳΰ̭ϭίͰͭͮˬ˫̫˫ɨťģƦ¡伜⽛㽜߹߹ݺ޸὚ཛŸŸ ĠǣĠŢǤǣšǣƜȣƟǢȥɤȢȢȤşƞɡʡʢǠØĘƙțɜÖվÚŝȠʠǠŜŜȢɣ˥ˣ̥Ψ̦˦ØѰhtHa0V)M"EH$U1hAmIw_CTH'*!  +    + + + + + + + + +         + + +                 +  +     +  +       ĪīԾϮίҽӻӺɫ¡ͬཝحР{Ѧ֬滛켠뻞쾣콢칟츛츜최붚컘ġĠǧƦȨʪɪʫ˫ʬίΰαͯϱήϱвαΰϯ̭̭˫ɨɩȨŤ¢ã從俚⼜ߺݹ޶໖⿙⿚žġġťȥĠġġšȠǣȤ˥ɢǤĠŜƞŞɣ̨ɢĝĘƞśǚƙտֽşŜśŝĚĜ›ĝȡǡȟȡȟˤǞѲ_tF\-R)HH Q(iC_ZmMUL/&!   
+ +   + + +        +  + + +   + + +                     + + # )&4/A=0ʲҷӹΰĨȫȩ㿡ժȦã¤๙ȞxǝyҦ縞黝껝뻞켟뼞콡뻞뺝컟컟춛뵗춝쵝쵕추뵖츚칙캖켜ĥȪƨǧɩǨȪɪǨȩʭ˭̮ʬͮ˯ΰͮί̫ͯ˩ʩɧȦɧȦģŠğ俜໖߹ܷỖᾙབྷ߼ᾙ࿛ġĠƢƤţƤĢġġǢƢǣŠǟƢŝÛǠȟ˥ɧȠƟÛĜŜǚ•پؽÚĝĝĜÞپœšŞĚƜěȠˡƚϱZb:U2N)K$M)a@}Tcgz[VO/'# +   + +                  +    + + + + +              !#!0.'@>/OL;]\PolYox²ӮյƩŧٿؾٷ޺ΦЧΦү̪ձ۷ǠznȘu䳘麦黠꺟鹢꺠鸜깜麛뺟鸜鶙츙췙괘궙뵚괘봖괖뵗봔鲓굔鷔뺙뺝áǥƤƤáŤãťŦƧŧǨŦƦâǧȧʪ̭ʪɨŤʩŦ˩ǦǥƤŤƣŢá¡ཚ῜ຘ⾝߼߼޻߼߾៹šǥţĠŢġƢĠÞšĝÜÙɢȢ˧ɣǟŗƙŚ×•սÚĚÚؽœ—ÝĚÜƜڿŧw}NZ)zH~L'N&\;sPgmqe^U4-+  + + +                +         +  +  + + +  + + + + + + + + + +        +    $&%*)63<9!PL:]XEmkTxsesyʱѿǦħ׺ɪţťھָնӱӮظȨ~ǩĤ{qnŔsӣգݪݭ௜ᬘᲡⱘಜ䴜௒ఔⳘ㲙㱓泔嬎寐箏诐鱔譍篑篒곕괗鶕뻘Ƥåũţ濡弚鿡连¢ĥĤãĤŤŤğġġ⾙⿚߼὘߼ݺܹ޽ݽ࿛áĢţĤßšĞġŞŠŸÜơȡɣʦȢšŜĜÙֿֿ׾̙šœտսվ›ؿ•պki>|R&uEyK(Y9jO[k{vjg]::1 +      +    +  +         +  +      + + + + + + +  + + + + +  +      ! ""/+?:*ED8QK2XVBkhTxrYerʻ벚ŦȨ̬ԹʭǩƩؿٻԵѭѯͬǩzsoǑtɑqgu~}Ñ|Ė|ș|ȗ|ə~̜ɘx͚ӛқ{ܥߨ৆㪌⨊㪊䬑䮔毓贘콠£ä輚缛辜輛纙迟迣ƫŸ廛ݲᴙ೗ۮܰگݱܯۯܱܲݲߵ໗Ἓ俞忙⿗⿚߼㿚ᾙབྷ߼߻ۺܻۼܼܻ߼޾ܾßœۿĞƠɣǠƞĜٖ׿־ջѹӼӼٿڿ׿տԼֺۿԽٿ›־βbj>vP%yR(b?mJ_j|rtiFE:     +                   +   + + +   + + + + + + + + + +   + + + +  +    *'75$;9)KG0RM8\YElfNys]~lɿɷν澢ĢǧίαʭɬħֽѲʩɥzȦzϫȪrÞx̐juЏkc@&cE2oN5uS?}YH}]H~^I`LeSgOnSlNoXmPsWvZi͔Ԝ~֛}֜۞~ڡ|۠ܡޤ~䩋贘麘꼞㲓嵔㲑䴕涘嵖鿟溕߰ݬ֥ۨӤҟ̙{ΚΘϚϝПϝѠӢ֨٬گڰڲ۱ڳܴ۶ܸڷݸܷڷ׵׵׶ش״ֵغعڸطָԵԵѲշҳӴѲٺŢپּӼԹиηȲé®Ʈ̱ѸպһҺҹպӼ׾ԽսؽؼպʮnoC|b8fBqOUh{svZUL-.' (! +"& +'#" !   +                   + +  + + + + +  + + + +    + )&/+:7"DC0LG5XTC\[IjiXyrb{muwıȱҾὟäͰͮǦɫȣۿԵΰϭ԰~׬}ͩ|Ǣr׭s׆قŠJ8  *.!/ 2#?-T8$mE3yA,y>&A3E0T>lXkΏv̍qˏrΒtϒtԗ|ҔwҖuכ{ইݨ٧أۥ٧ܪڧ૑ᮎⳍݬئפϛyʖtƑqÏpŽoj‹kčmÌlŏmÍjƑoƑoɓnʖq̙zɘp˝~˝~˟}͡}ˤȨЧͥѩΨϫʨͪϨϨɣȡʥƥ¡¢~{~x{uu}ǩʬͲū{}~rmwv}ŮɳȲʳ϶ежӼеиѸƯp~PxMzO]gu{wzXujIqfHwjI}rZ}r_xpTkcFdZ?RL1C@#61*'    +   +  +      +    +     "#*)!,,!31"?;%IB,NM3]YBjbHulS}gk{ȾdzȳйáäŤáţپѴġͨş׸аЮҬ}ܭڡtqˆE:   + +  +  9)X:(i8"n3p1y3!A.bN~dˋx͎xΎtʌtˎs̍t͎s̎pΒsАuӗ{іxГuәљ}ә}՜՝؟֟֞И{ϖxƎrÌpdccdeˆjkhecgfijjlonmuuqtsptu}vpmjbafbc~`|X|Z~]Z~[\ozsqroqrtlc`^gkvƭǯǮéwjkqqx|ŷ;ŨѼѻ̷ͷտ¤ħƬ˷ow[i`JTN8A8.)   
+  + +   (%2.10 92 MG2TRA][NkjYusX|cxy}ŻкĢâààšЭճʥԸͯίשxr͑inJB#  +   A4 _G;nN?k<(r4$v4%=,`NdɉrɌrȋpʋrɊqȊpȊoňlNJnˏsȋnɉlɊǒr̍pΏȕrϒtғzГzГyѕzˍtƈohedegijefa]``_a`bfcioijbdbe}^fx]xZu[tXlRnThGgI{eHzcC~hLzgIzeFzeF~mL~jJrQ}_`ejfehf]}XxRzU|X_gorwwuu||z{}zywwyʻѿȨϯѲؽڼܿʭntTf_FA< (&   % 6.JC1bY>mcHxnTiu}îǰкĢġˬѳүѯЬȟᾆw翄ݚuk_R*! I:2qULx]GvNi[?j\?pbDr`BsfJ{nP~rSvVzW~]\c`]^{YzXyWyX]`jovosnnnnpty{x}{Ѯ߾۽ܽٺۻٹֵ׷Բմָڿٿͳpey\oO~_ư ǥç弜ڤۖtRZ:ZIwӅkd֥}BbEh3#     MA5zfYxfhUxJ9l3 p4%K>jWjÃll„mme~fih}ef}e|`z_gkjnhnilg|cz_uYv]x`vZx^w_t_sYmRpVtZqVvZvYsWrVqSpVjPjFhDydFt`Al_@eX7dV8`S4_Q6dU:_P6`R6aS7bT8dW;eW;eV:fX;i]=n_Co`FmaBseHveExiJ{mO~qSsTzZ^Zce_Z}\xXwRxU`cjluwtpnmorvwww~zϼؾ޿ܾܽܽ޿ڻڻٺ׷ٹں޿ؼѳ̱³ö˿ֽ欘˞ÏrjiJRANEG1\DF3gvLiլⴄ]C}4* +   PB3ziY{noavK7g2 i0 E5bJ{djf|a|c{cxazcx_|du\u]v[v\w]{`z`|cz^y`w]y]u\t\rWnTrZpWjQiOjNkOeIeHjOgMhIhGhMjMiJfJdHz_Er\?n^?cU6cV6`Q6_R6`S8bS9aR:aS:bT:bT;aS9dU=fXhY>jZ@p]Cp^Cp^DpbGseIwiJxhG|pQrQrNuRZ^gaa_|[sNtQwV}[hjlotonjkrsoolvIJȦӻպzzirh]WC+K@B5M:T=K<㺆NW9qRiǎ㺖VB5.  +I<-vfWqpe{Q=b2a,yA0\FnYzcycy_xau_r]t`u`q^p]q]q]mYo\oYv]pZqZoZqaq[r[kXjUiVcLcFbHcGbGcGbF`D`EbF`?a@y[;tZ8yb?t^?q_Bo\?fU8cR3cQ6bR7`Q5`Q5bR;eTn\?mZ?dS7dU9iX;gT:iVnZCo[Bq_Eq\Cn\AsaDubHufGweI{mP|kM~pSrUtTvVxTyV]^]^\}XyUzQ}SZ\bc`^cd`c\`]_^yɤSJMCE9>2A39'4(9%>+C/}_V@= I/R9\ܤpF8%    + F7/o_Mspo_sR9cD4h9.wH:^OnYlWoWoYnZl\l\jVhUkZkYkWhQjVdOiUgShReNbIbJdL_G_F\CyW>z[CxYAwXApR:oT8pT9mR6nS8kQ6mS7nT:oW=mX>m\BlY=o\Bm\@kZjWs_Er`Es`Fq]BvbGv`B{hJzgJ|gEjFlMnKqPtRwRyWyV|Y\~Z_^ZY~Y}ZXUWZ^^^[XYXZZYTYЬ[-k3i.l,o1 113 -) :'*.=V5㵃P>. +     + E80zgYyxhnYsSCqP7zT?dSo[p\p^o]kVjXl]hTiWhWjVgRiRhReKdJcKdLbLcM]F~_F|_H|_Iz]Hz]Hx_GpT@qWBoU=pS=mS;nT9tY?rW=oT:sZ@t\Aw]Ev]Cy_FxaGwbFw`DxaBwcGv`GzeKv^G|bK~eM}eN}gN~fLeLhO~fMiOiPnTrYqUsSwWrRtUyWyTzV|W|X{ZXVYX]Y_W\Z_\]`\]_\[YX\YX[nŝZ,h2#h+o.o0!v-|/|**35/3E*{Sˣ^[? 
+   +  @6)q`Qv}ploW_GgPzgh~huduarbp^kXo\kVgRjVjVhQhReOdKeIbJaKaKeL{_DbJ}`LxaJz`Ix^Fz`Jy]Fy]FuZA{^E{^EaIy]DfLeL~cJjRiQkPlTmOlPjKnTnToVsYsYqYu`r]sZw`u]xbw]z`|cy^|_{^{^yZ~^^~]~\^\[[[_bbaf_]`_``b^^`^^[\\aY\_ʵӱ_/!d- g,l-j-m(p(t&'.107*oexsX     + 80"iYEk~su~ezfzku~upzfuhp`t_p\r`m_kWq_o_oZhQhRiOkOiUiTmWjWkTpZmVpVnWoYoYjRnXmXqZqYqWrZvbv_uVvay`zdz^|[{e}d{a{]~bce~g}_eadb_^_i~a\be~]~\`aebcdchdfefecfbaccenqqkkiaba_d|Šܿݾ[.!]- i-k+n*n't*w(&++0D={h㳈t"  +    8)o^Ir{z~¥ç}zvtvo}i{gzdub{f{iv`xeva}g{ijzd|f|dzdxag{dig~dihh}cfijk~`elhejidfjcdbdffjeg[~b~]bhcjumilgpklgehjghkmwwíƲyyzwpkzÝپܼݽܻڹ۹ݽZ+`, i,l-l,n%t(|().-1 @/fDt豭B:I0"L4&S8$N8"SC5WE:\K:r_MmǪɬƫĪƬ͵ռҷֹѵγٻԶӴضЫ˨{y|yx|q}wtxonollklproqlnipnlqnknkkmnkjtyvrz}y|rmu|}}~z}uw«­DzşͩɢˤǟӾκϼʴл͹Ǟݻݻ۹ضں׼ھY-],g1!h)k)r'w+}))-*4$A7k]㵁佾{k~joqu|˲׺ðįŸɴʺ˶ҽҿѻҿҾѼϼսйŴݸҬʞėɧͰ̮̬ʭ˫ƢƦzxyzu~|xwtxz}|©ê©Ŭɱ̷ӼδϻкϹ˶ŰŮŮ˯ʵ˴йӼáĠпѾѽмҽġšȡʨϪյ׹۾۽طٹ׵׶ղԲӲЯέԳݺٵ׷׶׸Ե׹ܿY-g:'d-g'o)p#x*}&'*+4$=3VVmº栕ཪ߿߿ıǶɹȸ̼ҿིѪƜzvṷèȲƮݰؾԸѶҷ̯˯ʰ˲̲Ŭɯͱж̰ɮǮʱ̳εϷѹҼӼտԽ©ǭɬ˭ͱ̰иӷԾӽи̰ʪɯɳ˱ϴеԼּֽپջԵӳֶӳҰֳհѲүҰұЮշػټݿڼܿټںڻٻڿ׽ٽݽػ׸նշָغ۾W+k8(d.h)d#q&|+'#%*.3(G@`Ux宝ۼxdt]iQmWp[zǬˬҼӽԾлк͵Ͷ̵˴̳Ǯ˴ɰʳ˲ɳǰ˸ɴɳ˵Ͷ̵ζϷѻкҼԾֿվؿٽܾٻظԴάƤϿƟ˧Ъմڽپ۽ؼپؿپڿݿۿ^0!g3"j2 f&es({*#""&(3#5!D2I;Z屳ﱯ}kRhVcRkWhRkWzcūӼѾѾҾҿлҽӾܾ۽ھػѰоwolm~ɸğͱټٿھܾڼ۽ؽٿ׽c4$i9'r:%m1u2 z,("!!&//8(8?(k>կ坌멕ϻҲzccLcMfOfOdIkTzaӺտստԾҽҾһӽԾվӳ͹r_qGygBvdAr_8mFUsѾ˫ٺڼڼپڿڿc;,wE0}E%?%<%/("&#(/27"4<,qM^ߟ|͹ĢmWcKdJbMeRdQkWkɬսֿԽҾҼҼҼԾܿٻƣ~{WpOoL~kIua-?00'&(,1++45C.[C㼆ڹiMyİ~dQcL_D]FeRhSt[tλѵ׿տӽؾǦvuPnMkLlLyd>mX2fS.dQ.dQ1xhGnϾҳܿeBeJgME8F5/*(+(,*/46B*Z;㹇ۺgOږ{ԾܶnfNaH_EcKdNkQw¬Ͷؾʪ]}gHyfCub:ta*5 42224"23>(A'^AǗ߶dEؒnvkRlQfMkPtVsɱҹŨ̴|_xXnGjGxfߥDڝ7֝5ݫN\sĄЛҞ֦ܴγʩxVd@U6>%8%155"4"04"8 =,D/J/oji\Gϕpӳy\rVpVnVs[z`нջҹĦϺ©u^zNwCqD|NђM>Gf͔ܽܽ۹ڸسНɆ~wuu\Nߟ;ޙ2ޟ7ݚ5ؘ4ҏ%ё(ԛ4آDڨP۩Qݮ[ܭ\pȆО۱æwwUB%;*='76430516;!A/lVoMqV]G̎oлvaw^sXtYvZnͱսɯǯ̺Ȳm[ĐXK8+Ն'ZӧӻέʥǤ˧Ҩթѣōt{xq|kQߟ@KGܜ6ٔ-ՌʇЏ#ӕ-ѕ/ך6֚2՛5Ә)В'ٝ8ީYqɇ٧˲ȥaI*6$B07!85!5316 59='VFZFeS^H̒oƵu{e{ey^uZ~gªͰâͭzTFڈ/|s +˃$߯aϚطۻŧ¯ҽ̠Ԩў…oojk~uMPXT@ې%֎Ή˄ˈ̍#ё)ғ'ԕ-ӓ*ʉБ)כ;՚7җ<ۤUiŌϞۻѮxZ:t< ?)8 67%56!13537 I2P@XIcKƍh׷{j~f{b}bz]lðA.{h 
adɃ۳]ɘԱؽϰǴrzlOqa:{jE}]c~нÓwnߺjٱ^zxY^YߴMMߢ;ݟ3ۚ/֑%я"ʋ͎!А%Ϗ'ԗ0ї0ٞ=ڗ9Ј$~u+}+}$Ɗ6̓Gرt۪ǫȧz~O3G-H-7453352 6$7 :L=XS_GŌdʴyez_w\zbeп湃ߍ,ۈ$n^Ub{ޟ<`ڽɟھԺʳϾjtfGcS1`N)]M&bU,qb5n=LZͪk~trnݳ_߻i߸fҥJܰQܴVZ_UODڞ4ד&Ԕ(Ғ'ؘ-֗1ӗ2ݫLcמBn gmpqqm qǑIŽХݷӶҲt]yN-I)}>:762752-9'VEVMaK†cnrYoYmRzdoԵ֗Oӂw iVfz؎%ܑ)ܑ3١ZХj˳ÝӸαԹ̪ĤlZxW{iDrPxfDp]3j_3eV&iWo\&s6ծjrߺggi۵dҪYحT߶Wemk\UޱGݨB՟3ҕ'Ќ"Ԏ$ҏ&ҕ.avڭQupy|ul o qrw&ȓFܮgʐڮ۽®¡vrUP1|E$:!;#53022*8'SEXQZFa϶ӸwcoVmVt]{csʺඏy6zw nt +|׏*ޒ7օ#z"z)Ā8{7FpӳиԶڹϲȤΫɦ˺zgb\\]|SZYV{RuJ|HBMov޸n޶gܷcߺfߺhز]ݶ^Zdj߻b۶S޴Q۱NܭG֣;ҝ9З3Ȋ"ҍ'ђ,ej֨G"ƅ$ʐ2Ƈ&ukffgm +t}ɓ:ڨSګZyō֥ϹѰuX[:~L.y7"~351/33-/K=UQ\KwUʱҹ||iydzf{g}hxгΔ]q$̈́Ѐzyv~yrvjen+v7q.`ʳոٻЯ׳ѯĢͫǷ³q^_ed^^lr{{yzgܪdsur޸jܷf޹fݸg߼hjܶ]޹\i߽cׯSܵY`߹]޵TשFըDҡ>ď/ԠA٨G^ײTСCƓ7Ŕ>ϠGΜBÇ#ocgchon {%͓:̓C̗7ԣHoէԵ̨kI`?U4r= }<#|7}5.}+/%4F-M@e[{g⻞ǜinjlu{epƱߺףTם>ۥDآCԖ9ω(oh +i h h`` \` cj y,ˍ>ŎӴɢƥĠɪ˪տw|Nb]zQWSVuG~Oehw{ŶоƢͰֽҰolgܷ^lh޼dd`ܵZܰVܧEԙ8Ɉ&|pvzОA֫JխU߾fkܶ^ձ_۸gٶeˣKș?ɚBѤOРKŌ/ufedghjmsĐ,,ɖAٳxԧѸƟϸǭêǫθ϶հqNuXa?\9N1F+?":9!43@/XKibԀn߻ܶr~innms|f٬lԜD٣BۧEۨEӖ1|}rgd ^_bdim#w"́"כBȈӳѿuszkuLwLzMzN|NSPUsANyʺɺǠͧմ׺ծ޷o޲]eܴ[߸_g߽e߹^VM߰LKާBݣ>ٙ:˄!p srr%ǝC߿iuxwղbطhęD:˝GϣNТM˓:xo +ffgfht x{!&Ő5őAݸzٽ̰ϲǫwĤ}ƨжλҽ߽u}`xTmCY7I)I'D C<7D0_Ztf؇q޹ͽ~sojmone޻ʓAȌ,˕2̘6Lj$Lj$͋&ʂ"m fed +^flrz!zԉ&ٟJʼn̡мudxNtFXY|GtDwCxF~NMT^e[xĕѤձܼ޾ɛӦU٭Ycaba]`TNߦ@ߥ;>ݢ;۠9ғ1smo qo(k}yp׳]ճeɡN?ǜMФSϢOʐ6m_^fjlp v | $2ȚRֵ֫ʡԼ̵ťŦ|y¥zжɥٶԽһũ~b~ZzV`=T.O*P%O#^:aCU4q^zύtܷΟvqpjnk{dgɯڰڳiˡT3"" Ƌ)͊+}rkdfovy}#΀̀ю0ԧd˥lIp?h5}K]LvAsW_`۲p͈DžƊ֦̓׬ڮܵ۲ٵڻ״ճԱѲɪȩĥhǕEܬTa][\WWNH?=ߤ=ܣ7ަ>֘5{lfk kl +-۴`tpڵ`ֳ^ȢTDAɞRϤRƌ.|pdafhkr v {"-Î=ݾԲʨͷʳȮǬǫԹӵԸ͵̰ԯfzRwUiG^=Y4b=X.xUw[~]܏q嘊Ж׳佱Ívljkin~g~gpԸ޲ܮث֡آٟܧݩީߨ՝ƃ̩X7‰,ɍ2ό. vsqxxх&̀{rpyҏ=ۚT{9i)GadvDq;yDw?ShͮpضlˁΆхӌ͈̊ϐѕћ͗ϼxz©vmeZo1ibzi6ۤDޟ;ߟ;ڛ5ۘ3ݚ5ޞ:BB@ߢ6Cݤ6ޤ=ޡ<ӏ&w +tquol vΜKݴl۶eӫ]ɠUěNGǞS͡Pɕ5ymfadjmq t #}%,1ҮqҳаέơԾɩվиཛྷqqNiLfDfDg?mK^8xZ͈m՝{檍Ϛֵʗslmjk~i~gz_ߴל͏Ä~ؿ}һq־uux|{̉˄ψΊψь֔ڛݥܔuʪSɤL8ǐ2lj*Ʉ)ǀ%}"{!̄&ӊ+̂yq lm +puiu2Q]Nv?t>v;VzΉԍфπ̃ΆҊχ̅Ί֘כˏβzδzۿ~Ĉʦ]2 В+ܕ,ސ*ڒ)א$֌ ۍ$֋$ݞ;B9ܠ3ؙ1ݠ3ޥ9ܝ9ٕ/ˀ}x~|o +ptʜK֮dԬcѧ]BJǝQͥV˝Mym ^]fip v x ! 
{ z%|)Чk۽ۿѻǩͨjtUkIjGi@rOpK`ڦ߲潙巐ř{ɧܵsqlljhi|efκگȑѺx˭`©Yƫ[ƩXͮ_̱]Ҹd׻hؼh׼lmily}}~Є́ЅӎבؐՍٕwơN*~$ŀ#Ȃ)̃(Ɂ#ˁ$f_fhf RQt,TJu;t6u<Ğ_ȀԉՋӊ~Ӎ֐ܕږ֐ӍҒԙҘғ֘ӕҏ֏҉чӈӆ߲V1ݓ&ޕ+ߔ.ݗ-ߚ-ړ(׋֎"ߝ?8986ؘ0~{*~"~vvmwƚGȞE/B̦[ѨZ͞Nz%e \WZam t u o)-'{x$})v&3ڶԾͶ͵Ұ}f|ZqOqLvJbpʘvʕz‹pnŸ䶡qrnniii}ew[wҲўªbM8=;47=ĥ7ƥ8ǧ;Ȫ8ǧ(ͨ0ɣ+ʥ&ȥ'̦)˨/ֹH׃ͳAΰ;ټLپXmjvx~ςτхݖَ˫bu!nz ǀ$wpa^^XGECDS v,Ww)ߤVsyo{ӈ׌۔ۓאԌ΄ט؜ؙؚ֗ڞ՘ҐψՍ؎x\W?2#ݓ*׎$ڒ%ݗ,ؑ&א$ؑ$ޝ/ߠ/B<ޤ7ڞ5١;ї3)͛;˟HʝE691} x{ ,3ĚPϦ]ѩ]9fj]^f `hspn v(*wvxv#y)@ھҸζͳ׼ȧ~qwOmIvU~a_cjkhw͘tiklkke}_~[¬ݿ߼ι}J)%%+-($!  + + +_ϴBɣ(ɤ+ӵE״ETy|~z΂ܛ֛?N +b†=߳_nqvَ҆ݓߖޒܖ׏φ̂Ԏ٘חύ͌ӏъыאבے׎vdZA80-ݕ,ޕ-֏$Ջ#τ̃ЇӉԌ(ޠ3ۣ7ɖ0ǖ4ҧI;͠=ɣDǠF&.:82&x"-ǟQͤ\ǚE|'ihZVad i +jki +l!~%s"ge jr&ƚ^ֿͣռѺ͵Ʃڼͮ¢py`rQoKsR{Z|`ea{^k滤Ȏqlinlmf}\p̭ݴ̳|D, + + +ĝϬ&pniruӑҴuxTvM{M s-z+dO=>AB=;}8u/DːAcwπԊ֌ِ׌׍ڐޘٓՎړݝڕ̄вhzȃ˃Њٖږܕ׎rdQ?9/ڐ ؉Ԇԅ~Ԉτ΃щ҉!ڛ.׫CճMܽ]ݾd3$-05<4}$6@1z'=̝S-neV +PMUa ekd ag +{'y"aZ d`z;ϸ԰ֻֿԾϸȪĪϰƥitTtWuZwVyZ~d{_|euԽآƍ}‡srˆrÊspgbaεϫڹϺ}G4 }xrn{ÔĘ Pͩ+ѭ1ָKk΃ۢÉgG R._5}LU O=68>=8x2i.e)k'Â6iч׍ړ؎τЁ҉Չ׎۔ܕޘݘݘ֏|ЊЈӌ֏ڒݖݔՈ|\NHB3ܔ%цст΀̀ӃЇό٥<۶R]޼ZΪQ3z$|'.JаaE/3@5~+mĔD.o^TMNOP[ d]ZWr%o!Y +W_dHϼɥѯӽӼԾ׿ԾһϲˬƫݽӲˮxvYvYqUsTxY{]}azbt點˓z̔{ƎwČw‹pƎxmebĩɢ߽ǜ[vBΧڱT-"} ~|~ęę|st|~–ĖǛțǚ ʢԲCuڛӸ`B +A P(X4{MK:78}8}9s1g)]%XWYݯb҇֏؎ӆ}uрՍ׎ޘޘܕܕّٔՌԍӌ׎ڒړ؍؉ԁgVXQܓ ډՇӉтЂЃ͂̀֋ۥ>hں[ҮQÝ;95p~1746FHw$w&77tq*jT RK}ILNU[Z V[jeUT\m,›jζǷ¤ç˴ϷϷӺؾ׿׿ֿӻѶ̲̯˭ȭֺƥi|`x]qXu\gfemѴïנΔ{ɎzǎsƎtǐsɑyh}Zt¡ѱոػٿپڽܭاѢ忎q9wHyCɖ@' vwzx{ɟɘƙÝ ƘǛ̞ ˞ +ʟǜ ̥$nԕeS0@F!R,jE|K>|89z6q3d*Y$S PK{Gۧ]z΁Ռ֋Ӊ}ovԉړّ؏ؑ׎҉чՇҋ~Ӆْx׉ׄqZbDׂ{ +ӆ֌!ч̀΃x ֤̆@޽aϳWãG27,}+E6C@Jͭ],b04w\ oTLM|GyE}ENWW ~LMQ d[T[d&Lßåʺñïij˺ĦٿѷӸռս׿ԼӻԽϷͯɩƦڽԷӵ|g_}\{bkjdiҿͻ赡њʓ|ʒ~ʒ{ɑzȑypuU~\˪абӶӵնӶֹӶ۽׮pf\ޤZݞWЊKZuKWʙ7srss{×Ú×–Ц ˡ̥řȘʛ̡ҥ Ѣ ӤѡդקԢɝҭ1ԋȌj-S-C >E$Q+f:r:r4s7g.^+OJIDDi; כQgrЀԅ׋ْ҈xՌؑڔՍٓؐ׏Ս׎ԇ{ًٍNkstng[Ӑ { ؈ّ+և| ҅Ё˃̌#՚2ԬLέQ3-9(;MظjŠHί_RĢWU},q:œI:ob IzDwCvBxEzGxFTM~K|IR +XWYaq5Ը͸˻̼ɫеӾվϳҵҵԵּҷӴҰ̨ǦƤڽҴ׸mkiotmio޸ӽ«ݤϘʐ{ȍyɑ}ȑ{tuWlEaʳɩͯήҴӵԷԷҴҴԷۿۡkZPHJޖJ̈́:_O +G۰Anmu|ÖÖҨΣ +Ɠ“ŖŕɘʙȗƗʝƗƛư̈̄Ԥ֤צ٨ܫܮ ݸ9zԗW^vK k@_8J)U1T/e4f4`-RIJED=AK_̄;ޢSdnՍՍ҉֌΅̀֍ؐ׏ڕۓڏ؇،ܔ|ڊ,օ&IM\ge6ۍ"۔)Ԇ!֋ Ԍ ϋљ2΢AծSͫOB {&.CSLCڻnŤXJ=v#6:5>8l|Hu?o;r?uAuByF|N +{J +yG}JWXW]f(¨{ìůƷϿŨŧͱ̱Ͱ˭ΰͯϮίΰʧǡŠ 
ۿڽԸԵҳҲây|ěž~z}vuݵԺ굞җ͒zΐ|ȎxƋrozbjBoIvѻʧ˭аѳӵԷҴҵѴҴֿΧܐMLC=ޘ=ڒ;|-^V >ŁguuƘșƚɚ˛͜˛ɛ˛˛əΜ̛ʛȚđ˖Л͜Ԥߵ[یڴgʗJǍDКPרZƐKF:bvIk>[*LLGA>CBHr3J bq'u+҇CۡSirzчՈ׏ٓՈ׉~~؈ڐۏqڃ#k +g +sPfcB52ݙ+ՇՉ*ԡ9ѬL:ġFģN($$7 PG>=C<96{-z+B>{(|*7qRq9m7p8n:m:rCwHqBvDJ +RSRb+bǨӼ˾̿¤ξȶȷŴ͸ƴ˭ʭʫ̭ɩغؼٻַַٻոԵ˨ŝ̩ʥğ~Ğw׭Ҷͳߩϕ|ɐtʐ{Ǎul|`pPjB{[̨ϭҰԵӴոҵԷӶҵֹÑ،Bޕ=ݖ:ݕ<ْ8ӊ.romˌH3yėŘ̝Ν͞ɜĘ}ϡ ӠОϟϝџĔƖϢ߾UoݕЊgqqsǀ|vӋ֎ȂٳfÕI~4Sh4J<ACM#_4o8x3;@D >R p$Ռ=ޝNakjmZ]hwֈ،҄Y܆$re +^ؖ0I]DA>B7ENc۾`7ţE?>5-.QH;L=:;?{,u(8?|'y(3x R j5i4k4e2l;p@qAk;qA{G KR$yLmϻ˲ԾӹԼȮ{vnräĥɨȩģټָշնӵԶַغھغִʥΪԱѲϭϮɧ|ժƦѻ뾝ӛ{̓zȎvǍuhgnIlKYťѰӰѲշָ׺Է׺ҵӵԶ׻澊֍D؎:ْ9Ԍ3א7Ս3΅+ˁ)~*֐Fڬx¢,ĚȔΟ̟ңҦΠĘ{oƗНѠџҡПר ̛ΜțĖ ,ԽfԆӌʂ{}אّݗٕޚەݙݙ׌Ԋ֊bLJ@J K DF"V2oA p?t;K~:l.l+z2HZn*v.g{/ҋ?~1mԌ?X`ܱR_Kԁr ]e͇߯ITDELLHKP߹SӰP9?@ȡG630J9HT9Q<:y#|,7@y)t$u,y+Va/Y+c2_0h8n<c4g7q> +wDnAU«ÚǛȧδ̳з̼sdb`ֿ׿ƧģǥؾپֺպֻپڿŸŸĠš۽ġִܿǡ{֫Ʈ͵׾ͷݨЙ}̑wɎv…l|YsPqKyUyͫݿۻۻڼ۽ٽ׺ԸӶԷֵپ庋т@ӈ5Ӊ0ԉ2Ԍ1Պ1Ӈ/΂)ˀ.ՑB٥ڑսfή4Ϊ˥ѥҦ΢ɚŖq×ϟӤҢѡ +եӨϩ"ϭ9ػSiՊ֍Љӊܕגܗޘݗߞߜߝޛܖܖߙڐ΁n؟UP?DI'[5m>j3v?w@ Z"W _(y52G PCBQLAPj#ώ0ڛ:׉yp ṽاAPVWRG֝/=EسU̫OɫT<̧QɧTѳ^æWMAHO67ĥTN0{,3;61|*q!1ZZ*V&W)Z)b0c5a0^0^2K&H+zK˷ĔŝɩʬˬʹѸҺʮvdzZǧȦǣȦȣǢşßßǢʦ̨Ϭ˨ͩԲѬ˨αͲȮğث͸ѽ૏љz͑vˊuiuRrHyRyãٽػػӵԵӵմڿ٩p;х/Ӈ*Ӈ,Ջ/Ӌ+ԉ/΄%̀+Ռ:՞ٔӌkHھHַ6ί;'(5+ϰ5ֶ0ObuׄݒՕpduאܓޛޗޛޙّٓڔӆi9T*??I&\3i2g2f.Y UUV `"i(u0w-v,v,u,x,4FQZvDߕ.؇~рӏ*؞=MWZLۤ:؝2ՠ8բ=ҫJήUͭQD@ͮ\ϳaƧUD=BM$\+^)a&WX TUWV]"l)i%f"k%k'n'u-;EϘ9ޛ9܊'لnhm sv ӑ+U]צ<Ι.ʗ2ҤCʤH@A<8R˭\αcQRͰc¥QOMP@B=@9572B>_K<C >B!D!6.139D)|e8Ÿàǩǩ̳ͷϸҽֿϾrؾۿؽٿٿ۾ۿؽսӻдԿɭĬ껡箏ͤ{޷{ɊjcqӰھ˔[y7Ԉ9ӊ+ш*Ԋ)҉+Ӊ-΄%х)҈0Ŋ߷ߴ߶ܯ߱ܧܥު߭U +ݯڥ֢ЖјȈ~پzҳc֪Rן8FuхۓޙݕޖߘۑՄUkW'<9:AL!['j1d+SOMPTZ_!c!g&g%h%h!h!v/B\҃}r tjfcei|U߰MΞ7ɘ8ѨJǢK>NGFعrٻnӴbHMɪ[[JKLCH>KBJM0~0t%X8)'--,-132;"=&X:YʷœƧǨ˱̱ʹϺѼֿֿеIJwܿٽչϳʭƧʰ繣ꤍƣƣ鮑ҨˬڸNJQ{6҆3ԋ+ԋ-҉)ӈ(Ї$φ$Ѓ%υ.q߲ߵܳݳۮڮة՛ҘіҘA:ϗ˓ɏƇćٺx׶kҲdϭ`̟LҚ9'JօߛݚߞߚݖݖޖۓuՖHQ ?664=Db/vA +h3X&NMMWZ!]!c"f%f#f#h%i%j(y0\؉xmh]_c_fn |p 9ϪOşFãL;;UԶnBEˬ]ʩ]H@OQMç]§`ɪeML?E==9xP/"%-,17: ?'I'U*tD `kιŤŤʭζηҹһپǯ¬vռѷ˯ɰ«챠ij黧ǯʲն׻׼ѳͰԺܿȋQz0҈/ч*Ԋ-ԋ-ӈ+҅$σӄ%Չ.bܯ޸ܴܷٯ٫שץӝϘїϒ=wdɋƋ†Çۼ}ںwԱhЭd͠SϘ>ٚ2ݖ!Uߛ֏ܜܚߜߜӌِِڎԈ[t#9@48:L$[.yBD 
+i5X%PNKOTZa#h&f#g%i'e#g){7ޜEޕ&wid\]\ZZ\epy̥I̭P?׹gC-FåYFLEMAOORRɬdKMJC{+6;:>wL.*((+/3H*Q+c;l9ENPIŮ;ϻžŨȯͶζѺ˭ʶƳñԻ͵͹ȴĮ챘쯖İ̱Ҷϵʱ̵ֶи̱ҶڿƅA*ц.х)ф'Є!ф%ς!τӅ"х(SҠ޶ܲݵܲ٬ڭ׫רاѢϚΑ͔=}s܂!ʊĀݽ~նsسlѫ^ʤVȚHΗD\ޜ#݆ܙٖٕߛߠޘؑ֎ّۏۑЄDVt/L#R)^-p9}E SZKe.W&QLMORW^ b#d#e%h'd b$E ٕ5׋#{ ofb_[[[\g 6@2˧NmsHHRĨR̯Z/Cͮbȫ\JMTIJAA7x*D}/3|1mF +)-/49!B#S-o;}BIPQRT b#bij˸ɷο¥ƪȭֿͯչԽʹɫγҸҹư쵛魗穙奕䢋⨐̷ϵĥ̳컥뻞ŦҷؿپڿڿۼͅL}0-̀%σ'υ#΅Ӈ&҄"тЄ(ܖAʇڪޱܳٯجתԧԤԢӤϚΕɖIwqh1ܾyظuյqӫeЪ`΢WƘIӡQz= hדݘݗߙڎ{ԓMGEQQAL<@=BF99t+Z8=%B&M)[/m7s;DFKNPRQTW f!iŴɷͽ̸мнɯٿ꾨˴ç⩎赘赘߫ߧݦգܭéѸw|ʪ崜̯ԸԹҸҶӹѷҸ׼ؿ׽x=z1}/'ш*֊-҆$Ԉ'Չ(Ӈ*҆)׋0Yϖةڪשרר֨ѝОϙΗɑ˖Ntohmߕ/߶kԵoԲhҫaˣYʝSƔ@ӠHwa||}iޜݗޘߙڑ`tDMX Y WV V ]YMh1W%V"W[#WV]"c$g%d"e$d$a"\N g]jghorgcad{ʝ7ЯT)Bΰ_NC2TZѴjϮa;78:;0ƩZDGFT@IA;Ft+K*Y3uC I I E~AEGMLLPRSSRz;¬zǷǶʶɹĬٿ׾ɱ̮ۿ׻ѳҵԻͶϯηơw|èԢʲ϶δδͳζϴѸ׹Էq/}3Պ6ԉ,Ԍ,؍,َ.׌*؎(ԉ&֋)ֆ(O#S%U$Z&\&["^$f(k+k*h(d%] `#=c\[ggpfhccnͅ$Σ@H-ãM>x#8CŦ]G]C:8CKåT6¤\PDHM4D2}/Bk!A#U/qCQOCADJKPORQORT\Xƹ̽Ǫ׽ֿվƬѾξʼĥվȫ۾ӳΥ“|||Տऋ뽠뼣ǰɵ̷ξѾαx:у2֌2ُ.ّ.ܒ+ے+ޒ-ܑ,ߑ1َ.Ո,ى0׌:ݧeǍϑΘΜ͚Ϝ̖˕˕˔ǐ]sigmsj~ܩ4˦SɠVŘD̑7Fvߑ܎uuwn}y٘ړߘܗӆ̑6N|9W=kˀyز`œ?aGBm8YOP"GS ]$i)o.q/p.o(h&c%n-d \^e]v jjdfr̅ ϡDJ5ǥPB}-8@¥^UOťYSL89GHAJ6DL7n=r'[1Q,O,N(O+S,yHUTROQQPSSVWWW dƗ̴ҼиҼҺӹ㹟㿥Ʈŭǰ侥๢มඡ丞踠䲙䯛٦ۮ޾✑qw[tkQwwvyʷȫ⾘t5π1Ѕ/ф*х&ЄЅ Є!ӃЁ~yxhX +^q.Á=ņDӡ_ϟW۬iڳp߷{v~Mvmiihkllmх8qԆJjhlloopoHgunpqsgmoGӒ6̀́~уЁ~~vqrnhbܯLpRM_lw'2r"Mo<Y'IK P#z@XUSRRRU]]eЈ#ޯPIPLL6EZPBBIH£V8/9BAK=q%}06u)u%0]W/M,N,Q,P-m?W]URQSRUTQVZTU ZCˣ ӽλθѻкѼ׭ยฝพ㹣⷟߲۲֮Ҧ͠Ȝ{Öv_ϏuDzޥni}ʫǸʹܵv4҄3҇2҇)ч&ӆ(΃!΁ }Ё|wspn] +X gx3y3w-~46Ć>ǍBÎ@̒B +nheeejnpgvֈTsrfdfmlkjt|+kkomouj[FBjz̀~y|zxmnefXح?դ7gc d mmk^ +_XREAq;y>VRRPOJS]]^}ߧKEFGX@@[S£[IƧVĤUKFAP83D3s!t"z){):mk?J(J+K*K)l;O\`ZVTVUWXUVXWUXaŝfԼӻͲζͷ͵ʹâӱɬΩʢǧÞ~}pq~az`iI`Dynպ䩛|f׭̬ʷʴگt3Ђ2Є*І(҉)Ӈ(Ѕ σ"τӄӄ҃ҁ|vp^S[ eo'q'w&x(v(tswtlhebdhjndu"N}ucdfoggyxQoghgj^ެGؕ0L|z{zvxyumpb\L߱>ب8#lk mmgede\ _ a `][ULOMPT[ab fϔ64Eɯ`pӹpCO>XP̱dҶmʨ[JSJ;DF3z.8={&r#ZV.I*J(P*k<LWYY\YXVXZ[]YZ[Zf +ku+ϸտɰ̵̵Ѻηtuw|ìsvWgM\;V=jS䴈罦ڮ庡Ƴįרwq.}*σ/Ӊ.׌/׋,֌'Պ)ԇ&ӄԅсӄՅҁ|yuk] XSW Yegmknzofkegfelrjr)Uޟ%^bglicqtx \bdeZLިAך5rurؓzzzvrgg[[޵F۰=צ1ԟ7mnpnke fegbc ca 
]QKLOLVZe^[ю477ΰ\׼iwUZVXMV_5DKG@EZ@4@:-l~QT-S+d4zEVY[[\[[ZZ_[^]\]^hprr"Qƞʞvltsżžī̶̳}a\=X:T6mTzѼӟjm'|0ӈ3Ӌ/ӌ+Ԋ$ԋ$Ԉ'ЃρρՆ"Շ#҂Ѐπ{#wmfaRMONLOTsjgedefdi{jm5cV[lqkioq .d[Y߲V۬Eؤ=Qosvzyw}reZSLO߶HMڻUԠ3|opojnkf e e d ab_QLOHKTZ\\b$>>ƥV̰dдkSPͰl[gx,?GɨZ˭aU@GKFA54~'Xb8Y1sAY^\_]]]`]X_[[\[^]hqvw"t"r%έsֹ̬Ƚ˱˲ػmeFgD^߷˚cl)|0Ѕ.Є+҈*υ&φ#΂ ΁΀Շ"ֈ$׋'ۍ(ݍ-Ն&ӂ!҂!т!΀zqpph c\[Xnikgcdbcds}hsVWbjifom.MޭH۪FݩCآ;bltztsuigZHߴD۱AݰAש8۶Eҡ5l +l klnoli hea`a\HNMOTQTWa {B4LģVMFJQ[V95K:KSHPA53y-y(b d9rAVb\]]_b___^]]_^^`]m suvvx!t";Đ˱³ĭǫ̽й˶ƭԹϭָֻ̧͒bw5{-(̀(Ѕ,̓$ц&ԉ(ч ЄԈ֋&ڋ(؊&܎+ڌ)ڌ+ً*׈&؈&؍1և&т!{ztoqrppmhjifcbei{gvZS\eihjsq +٦9ئ@ן9֞2ekgppxre][X߷HܰAܯ=٩4?Ԥ1Λ-Ŋ$iak j j lkj k j j g +g aEEHMP^WO]|"00JHH@DSŦX̮^NA:t7PAJ6zUo\yLzE|GPaca]`_\]^aa_^^][_jtvwwxwrpàZŠѼظöȼǺ̳̼ڿɉWw34Ӈ3Ԋ2Ѕ+ӊ+Ԋ-Є%ԇ(҇$֋&ڐ.܎,׈&ڌ'ً'ً'ۍ)؊&ً(؉&Շ"т!҃#~|vwuxvzihgeebehoot{glMR`echmq}١*Ԡ7ԛ.Ԝ.fdimomhcdXYP߶M٬=ة7ӥ2ԧ9Θ&˕(ƌ&oq lnl +qqsrponli Q@DHHPQP]{ /9?Jȫ[D|+XոrF4:@/x(3I=_GwSpwNRT`cedbefcddb`dad]^`or uswyy{"vpy,ѻʱִֿyͿϾؿąM{9φ3ӈ0Ӊ0ӈ/Ӊ-̓%Є$ς"҅%Ӈ&ф#Ӆ%Ն$ԅ!؉$؊&؉&ً'׉&Ԅ ҂Շ%Ԅև$҃ԃ |{ }}u`efeaebcf} y +oPOYefclol}و ֖ϖ*В#Y]aedc`[`WQݴF٨<ة;ӡ2գ6ͥ:̠6Ƒ'ċ#rp ppnqptqsomqmaAA<DJLOWy.=9KFCATS:/32@C@Hr%9!fCwRxJ^addfggfegaeaa`adgZir tw|zx| zxuoOǩнʹȺư⿽}Cw5Ѓ4х0Ї.ч-҇+ˁ ́!͂΂ Є%ц"Ӆ&ӄ$Ё ԅ#ֆ"َ)և$Ն$Ն"Շ"֊$ӈ$Ն#ԅ Ն ԇу} {igbedb^^VW]}]IPckadhiqgo ȆPNYZ[UXUUQNLݴM`orsq޾b߸Xɏ5od nlqpsr n lnmoj] A9:@JGPf+I55;ABƣTQGL69<ɧ^B?AFFBܩD_wruxxwxwwuwvsiН9u n o q +q l k k h +h +Ox5n+q.w4=DMl:H̪ZMģVɩXHHáRIF0c +xKjBh?Qdcjkhkmjhijieegnsromwtu zq +vzxtuwxxy#v!w$q!Ü\и津݆ypfmbi^VHaPPAPBQ@PB_RdJn]xdmʝӷضt8w5{1΂3̀*́/̀.́)~'΂*ρ%Є,ф)ς%ς$ρ$Ђ$ӂ!ֆ(Ӈ'Ԉ-Ѕ!цՊ*Ԋ#҆#ф$́Ѕч Ѓρ}y{ubad`aa^RKNNQIJNYcabig]dY_`pْ!ޞ,ߝ*ߞ,3ۡ5ڡ3ޣ<[gprttz|z{uwvuwvdܸVեDu vq qpnm mEp0d+^&c)s6y:@W w!DšPEáQF:@H/2d b?c=N_gfhjigkifgfihcgiw x {x w +x v +u yt wywzxw{vzx#u sx1ָa\`X\V\PUI]IUFP9N8M9E2A-H0I5RAK2E.M;J8wXԷְr7z;6Ђ1ф0σ.Ԇ5Є/ф/ρ-҅/҃.Ӆ.ӄ,Ђ)҆,Ѓ(҃,Ђ/Є#Ԉ'Є$ӆ,҆%ӈ"҇'ς ΂́΄Ђρ΀ ρ Ѓ ~dabba_ZNNLLPMCERTcbdcdddYVX| ד۔(ڗ#ؕ&ܗ,ؔ(Hdlswty}}~zzxytma޽]S͐$r}pn pk X Dl+Y)LAb/9E[{&SƢMB9{%u}"k ih@uE\n hlknm jjkkiedefdeis +~~~}|z{w xzyyxxvzyx 
too'd橚`bZW^V_TXFS=P=K:N8K8I6I0B(D(B*D,>*?+D1J1M/M.L-ŁY٫tȦQЍIщ?ы?ъ>͆6Ή9Ή=͇;͈>͈:Ї?ՋAӐJ՜YhU׈@҄0҃*ӆ*ӆ1،2Ӈ(҅%σ σ̀ρ~ЁЁ҄҃ф{^e]\]_SIJKNKD@FMRW^odb`ZNT_rՄ ӈЇЅؚ/Yhk֣u}z{z}{{u|{x{x]ݾYٷNٰ@Vd՛7yyrijOt0K24])@Pf™G7y#dt?|FZ4i=yEWjjnm m r s +o nmkghehjihfky ~w yz{zussvxywwpi$j)ɠƹYUTPc]]TaP_LO;O>L:G/J3E0B+>#B(F/I5D5A(?,F7O4G(C%G$Y:ݠpz߭uޮs}㼁‰őʖϢѤժԤԢ~_XމPۍLօ=Ԇ,҅+Ӈ+ф%΀!ς#Ѓ#ӆ&҅$ӄӃρσ҇ӇԆw]_[]_[KIMLOG<ECGNXxa[e[QRO^cu} Yihqś}}zytxyuցߊia޼T۱DݵLҠ8ˀ{vm ih^ KZ'<0Cs=Y %z"c pAY+P%j;Qfj p g d|lo +q okjijgjjmkjlkx }}{}xywur q p xttnll \L䷤v됆oo^]`X[N^O`OW?Q7P9O0K/H,L0H(K)L.G#I0J.E*B)P9O6J+C&?{Mޮw٫tܭt߱{߶ẃ㼅ŚʠЫԱ԰Ӭ踊ލ][ߋT^WۊKҀ6т.ф*σ(҇+ф)֊,Ԉ'ٍ1ٌ+׌%҅ԉ، ֊ڍًjW\^`^LHIHQQF?>CFLddcb`PPOUUXkڗ3^dnszٚҌ}yxxtqrqtҁto^Y޹OٯJΗ1́ʀ~|woga`Uy=X$;/Q(R}JW/\2l>Udid[U[:nmjkkjhikkkllejv|}w{{yvuron oigedf gb +`] WYtopeed`SRUKSCXEO8T/|CΊR|?i9N(K)D&?M(1790-37%11P,y޲zްzܮwݳẈ߸Ἄ໏ǟͩӱϭɟޓfbb__[[ފQ;΁/͂*ф+ӆ0Պ.֌/؋.َ.׌,׎-֌&Ո ؎#ؑ!ّ"؂VW]_]ZJKKLPM?@>>BIVj\eZHMMTU_Najr|~ρ۠ґ|vxvrssqr|jd߿Z߼WڳMխEМ3Њ#΄΄#̀rlif +`^_Pj7A#9E J&i7VbgdZWV`̄ܡ4MLpmr kkjgljggkdjhkq r +r niikjifhibg babc` Z` XVxHb/yrefd\TM@I>UCB*J3U8ܠbϜVy9t5ōJw!ⴄخwڮy۱}޵ḋ住็ỏ従ßţɣƣǤߨ܉ae݆a_eleލYߐ\܊U}8Ђ+Ԋ2׌4֌1Ӌ,Ӌ,ؐ,Ս*؏*ڒ*ۓ*ؐ&ڑ#ؒ"؉]RN[^SNFEDI>699;<?I`eWQHIJZ0Vipstvwsttttqonkkli߽]a۴PׯJկJѨDΝ4ϊ"ъ$Ї"ˁ!vq l jjpm j k k i j nw{x ӎԕ%Ň{Âݬ;L[kuŚ2kmlmifdfgcbaggea‡%m _`]\^ZXT\YYTWU[W XW YUt;ݾۿ絠rjyclXXLL;G(A ЌUТdէdЧ_֫^ѣWs1.r>V@ӡbMp A7 ԋdܮz٪wڮ{ܲെ⺌⽒™˜˦̪˪ήƣՐu݄d܂^߆cdpsi؅SބRb܎Vw0҄3ԋ:Ԋ2ӊ+؏1ݕ7ؐ0׎-ޘ5ܗ.ܔ)ؓ ܔ$ږ"v ROT^[QGFGIB15;88;?IVWWLFEWJaiqptvtsprhkj߾h޽g߽eg߿f޽^ڴPڴQذLذKҩDЦBϘ0Ҋ#ψ̄͂xytt vuxtstvzŁǀЈښ*MNF֨6ܪ5߬)M8L.F#CޙdΝWʠZΥ\Ш]ѦYΠP̚LUx4ALyCwÈE^0MX*E& +% 1|}ڭs~۱|”ě”Ơɥ̩ϬҳΫ麝ډo|Y߆f܆dkssObIUQOJFvM]inqsvuwn߽i޼fݾfi߾gdbٺ[ڵRٲMְH֭KөEөEլGФCƆɁ}zwx|xvvwr puuxхב#ԓ!MߴMJݳCOݴCOTVX^roӯKadm i ~Î)ʝ9޵Sbxqqrip{֮Oߩ@ڗ0jUYWUTUVVTRUSRRSM M +o7fƙtѳͱƭˬÛ{`C.;"9< ?$: 9 75;lHyOe8d&K!o2˟SǜN̟G5ǐ?H}8–?٩VWWZ$U"Mf;ɋYzܭtګr㷂幆ŗŘ—śɠʢȦͭ˨ͩͩĠ秋volr~kJ[;rInq܉div{|cܙBݕ7ޖ9ߗ4ޗ/3ߚ/ݗ,ܗ$SKPVVPHFFD8/.>8337<MYXKG1H`iilklol޻fݻegj߼bۺ^ܹ\۶YسVذL׭HӬFѧIХCҥ@ѪE˝>}!uwvtsnnq 
kkiheatޕ-؜6ީ?߲KGKQLJ޶LUU\WeoplϞ7ݠ=ާi=|~zݲw⺁㼆ÑƚřشƢɩ˫Эǧ䪊݋lۂg݀djlkދbh݊fތfk܋_ք]؂YzRuEێRޘTߛVޛDޘ876552ޘ&+ׅNLQVOJGEA;6*3=FDT\fniZH1IYgjlmgdiܺdط^ڵZ۸_۷YشU״XٴY۳R׬IХAЦB͡?͡<Ҥ@ЪLÙ?wru o +qmmkhceggfЂݗ.J]Q޵QNXQJ޲BHMS޷NSimnrdްGELNZ`nqkolnfZhjkpy XTTVUWUUX Y SSUUUTRd+dȼܽ췙ꥃ栃ֈm@'789S0`֐m{{\,*)257 u;m5Y`3pFb2y*:AÚAȗEifiz@ fh#Y!ުsŠōx{忇߸~~⻃ἉȚˡɤʩ̫Ƨ؍t܁jzbychnk܃e܃a܆cފf݈hۇg܋cԃ_}X|RoHi@؇T}DݔLQG69>6)׊\ONRSLHDILQ\dhjph``^beo0NVZ_߽a߻`޹^۴Yٴ[ص\شZկPׯVӮUײVױTֱTҪHҦDΟ:Р;ț5˝8ϣDƝ;;n n +ln jihcdgcdeЅ"ޝ7M^]Z]`YKGGܱ?ܭ=ޯ>QafnsrpܶQۮGۯJQ_cqpcllk]WcjkşC[ WVUVSRQQRQRS +QQ P +NPf5r籜}斅랃o\B7#2->#jBn̞轍㵊ӏlX72-4- j2j5k5Y,dYn:xx))5<1-h1eYp8y>ڨj߲q߰v}羆⻃ݺ|ݴz޹ݷȚͩˬѰճ䲐ێsby`{ceol܃d݆g߇fމi܈ky܋lڈh؇e}Tes>v:`ڑ;ߖ1ޗ1ە.ِ(׏ۆ oh_]X`Zfhidcegefdb[QRSZ]h#ߠ0FݰOٰSخPٰWٰVײYسZرV֯TذXԬRԪOժNҧE΢@ˠ?˝:ʜ7Ƙ2ϣCΪS@5i decg cc`cb^aφLctnhgT_TTKܭ<ݱBߴCBU``miojܶV֩EܱT߷Q\bjnonkb޶RܵR]ڳPbݹcfWYSVTUSQU U SP IM UY%_+_ֹϼ{qe\c_`_td[EA15 4;`?ٜh亏嵊幑yVc:`:P0) +r1f4e4[*[1uKDƣIܱLXkorvv޺^ԧ?ק@ѡ8Ѡ;͢;ݱM_~UQPRVS Zdp0v9MbiȬŜҴؾîkbca^WONC;@->%4"4E*L$c9֋_٘oٟuᴊܯ{ZuPiFcBfAK k.[,T.V/a9yU gv}"0,my|119|5l$ΚbВ_Ҍ_ЄSNzIvHlJ̈́]~߸—ŞʧʬãğơÛ軓榌ݒqۇiۀcx\~\ڄ`ތfrߎrۈkۋkvԂ^hC[7M+{Hp6yDՋKv"y|yz{΍/bbaZWTTT]`^__`^\Z\SDDDEGYZcڀי*ї0Ѡ;ΠDТDϢ?͢AѣNңFѤG̞@˞>ɚ>ŕ5’.ď-ē3ˠĮPЭY>0ec c f d +f babd~DWUWfffjed߷Rۯ>ڭ:զ4֤1Ԧ0ئ6ߴF۳GQSo]ܸQuѭQ޴V`tmkjḅC͜4˜2Ο7ժIׯLڰK٭JYɤNGUũnɳ}ō˛Ϡ۬rka`VLMA?5L6@)>&13W1W.V7dBǂV٤r庋Αa}TvVjOeCf@a@hGC])S0[=mI;ru}[kni n,:u)̟aҬnէmԘhԑa҉UMyKm?lGhCnHٓk踎㼐žĢĝݲ}YԂ]l݈gڃguۊiڇcފoۇjنgهhՄbىcmIY7J(d4j2e1s5m%q%u)t%rpƋ{Ya[VTMKIT`_Z`Z^VVRNDBAADQVRe ҇Γ7ɗ9Ǘ7Ǘ;ʛ?ɗ>ʛAŖ<Ș=‘5ē:Ŕ721:ɥṰTѳ_A7e eif f f fg fs4UӤ?^k_ZbhngҨDե;ث<׬:ګ=Ӣ.ק6ڪ:ثA޶O^nlq؀kҩF߹V߿_ܷTݵSҫBխGܵQim߷OԩE׭J֬HQٵUަ۠ldWMRH`YYJH2>(612D'Y.b?֔m䲄㹎渏xOyU]sToQd:dBgEfJZ7ER*C֯]5!}Z |VoITUMؽʔ̘đҢmԗfא_׎[ԈUсRvFrIlF]7R0uQ䯃ܲํžŤ幘井єovZw_y]{_z]b؃f؂iكgՁeوj҃fՅjuVV9D(Q.d8d-f0d#eedefݩPkQDŽ1oX C;>=FNVTNVTT[RKDBDAISPJW~Nj7ō8Ő8ő;Đ6Ƒ8Ï63Ê2*)+9ŧYָiռoδjJbc hfkhigj ߡ?]ڮNfkqխNbYbb`VS۱Cժ9ة8ګ9ڬ@Λ(~ 
ר?gbr||yʧEرHѦ=˚4ԧEӨDծG޼]i_ɘ/ѡ:ԫF޸[۳Mהڽjfr_ͅn_]Y^Pe[[FM5>%8#4"/0>&fB㩁䲌繎̋msWuZەxىrՁcyVpGiFiItOxLz@;{)<ʟH.ŞDǞK-~,ٱrŕݰ˚ݼḆїlԎ]֌\׎^ԅ[҅W΃VwVX9S4T8jQ㭅޴忘ඎ޲ܮܮ՚yrRtXy]y]z]}a{b}b|cԀgՅoՇqՇhR7?*N.]4d7`3c2c*cbdĉHٵѧɜֿնtӪcϗXВOыB{,iWP@ACAMUK>Hi~&&-,0}$z#z xqSӕڜ̭gؾtɋءPgeigd hj̔7Տ*_qeamqfdݹWedjTٯGخ=ݱ@Λ&֧5ܮ>Ȕ#ĊߵI_ggw~ֳW Ő)Ɣ1ң@֫MذNְLԬNխJŘ0լBXܹTxݪň׵i_io^Y|ܹgYledMR5H0D.;!5!/.4<"yUݦ{䰉䰄蹔ˈdjMkQdՀf~^؆^vLqSrMvPqK{Jd*Sa2ȢI3{%fx/ǑXɚ̚ɚǛԛn҉^Ӊ[҈ZՊ`цYЃXyVc'<(:&6".-.+K/ڜw~௅ޫ~⫆xZnSu\Մe~`քcԂ\]fKuRvPkAj@o@TN Qr*ofVXKբةʝē̟Ԛiш\ӈ^҈[Պ_πSmClKmF6V>mL^AQ4~إ}բxکݲ޶⼚ທףs]t[jOnZpSw]hRnZqdjQoTmS23B(iDQ/S2S$Z(d%b!o.ď׽׼ֻ׼չپؾջǙĘɝˡʚԤӠ֦ޱ߳ݳ̘Ӿʮw]O^)V:ĚϵmȃբשԤ׭߶șE@dafg`linnllfa]X޴GܳB޶Fܰ=٭7Ν'ڦ/ӥ3Ҧ5ԩ;“&ǚ*athЭHӫFׯHԦEԫHլHөF۱MӨEݻ^eǝ8ė<šCŚ>ҨMflmlgcarՊo[A';+:#;*4%.1 (0"5%鰐٣|اyˤě㮊xZeJmQۇkx[y\x^vUmIsOmDj@mDa4c:V(PK M UPG ݪtПѣ̠ǗЎf҆^҅\҅Y֋]ˀXd>uMnH;I-\DfM^MYGܑo՝sګݱߴ߷ݺ޺ԢwYhPkUkPeQfN`JkVbFfGgN9$,8!U;L1K%ER)c%g(e(‹ؽӸԹԸԸдӶֺչֻ׽Ô׾׼׿Вďǐɖ˛͙ΜРҥثܮءʰolj‡դ̯֨mڝ,Ⲃݨݨß潑աtڤvܦvЎkjPxZvVpNpRpStTxNh>b;X3Y(`+Z+LQ'OKJ˝Ȝ⺑ޯ؛pˈZшUӏi㼒٩ыeՖiآuЋj;F&mGcAT:D+=$<&ۯڰ۱ٲڶթѡfT;R:N:Q=XEP>P0>/ܝ٫ݲի׬٬əuŎqcPO8K0U@L7U@M5T>N:L4q"19$/XHZ1f6m:˧u׸Ӵϱά|Юί~ѵбϰϲαͭ~ήϲϴ~δҹӹҷϵееӹмѻԽս׽ջּ׽׾׽ÑÐđǏȑǐÎɯuN͙ɓҢĵ.Hgn`qzyurslݷ]ioaXcYݳFLJ޵Cڭ;Cݰ7CQPR\`djo3)‘(Ѡ6جEOVSZ`mnisup޹bb߹W]߰Ӳۤٓzچo<,7'7-#,%-+cN籍x`|[켑ⳆߥޝyԕjՐezZ_[yW}`wYttPlF|[Y2B87O.K#]2a>˦٫}͙izRڢҟyզʫدsG{S`6Q3X>nLnDa7cCր\zTgK^DbKeMؘ{Ӥ٫Ӥ֧ʛzmpL;L-Q7F8H5I9N8D1K3rc aqB%xT_@Q,U'Z0gԳѰ̫{Ϯ~έϮ̯̮~ͯίΰ̮ͯˬγԻˬxˮ}Ȭz˰~ϴѶϴӸжϵӹѶֻҷӹּ׽ؿٿ׿ؿؿƑսkJǐԿËϠͧ.ҕ5Yisvx|{nkprspinaaaٯJN޵DHܯ=޲Aة4ڮ9ݵBLM۲F޸QZirڼ_{ʛ*Ӥ7ש;کDݰI߳LݳK޸QUkprwd߾]mf`^ܪ΄iEݨ㳐ޛn\O69"M2/#(+)﹖罒ߗulIbKdWkNՀZtޕrҋdь_̈́ZXuSuS}`؁dـdւdփ`rGyPh;_6D!<%:!M+_8c7쿒ׯΙlƆ`Ʌbک֩Ģ߻ˇ_O(`DeBR4P5pG܇[`3S1Z@jLmLlIkq\\B΍uӤѡϜ|ȕxnycrYC.J77(7070]Gzcr``Jx2Tc +q +y (4%R3jPdmpoݺYbbb`aԟənJǖw͇o寓ydfWcOB*;!1$)"m^븎ߕyaJT:`EdLeGkNcCwUzQ̀V΁^^vVZԂ`]ےr̀XyV\|[Ԁ`iDt}wQ;:;ڞuѡr˓g~X֝~ğˣǤګ0C-X?d@V5mK܁R[P&M+N+qTT3~\w[cE4$B8g˜|ɗzős~coYvWK;1-,!2(eOo]WD%cO8&a +ry} } w G/|U̥ʦ~ǥxɧxȥy̦ẉzÖo\”kŠv›r 
vxro§wǫxƪy̱ʮ|˯yβ˰ϲͲϵϲϲееӸҶԾֺٿֻֽе{ǫmѸ}̱xbF]Ʃkihmmjn)0ŏ-ܡ>_surw~yryvs߻bծZgn޷Q`bd^SOE޵>ߴ@֪5˜ʟ/˚*լIg`d޼^ɢ?͞/Р3ϟ0͚%ѝ#դ0ѡ)Ԡ+ک6޳I]޺]fdmjbhc\ȇбdƐjڔ{gPבxo^jZQDM=<&2"$"ﲘ⢃`KVCTA[D_FgMlT`GfOR?lSӁbхaxv鮋墁魆媅⪇嵕ݟ{͆_zؠrښrߝwX9=kDڡ|ΝpȐjnP孈ʨɤӮc. M4dB_:{Tc8K I R0XW;;)M44<)-'1&UDƒrˡtdoPfOJ82)@9_O5-r`] j svyu 4(sPˤßwr^eAK%889<<D%]@rTrĤwpoħxĦvūyƭ|Ƭ{Ȭy˯~˰˰~ϱαгеѶӶչԹԷԸԹպӷѴˮxXFT¤iPYbeNq!&ѕ2KhqitzЄςwu{ڲTʛ:өMrtjaddaLܴ=ߴ>٬5Т-է4w +WlׯCݵO^_cۻWЭEʝ3$͜0Ξ.Ο+Ϟ+Ӣ,֨4դ-ԣ,֥6ڭBS߼Yikwmgi^[~˙lN`D՘}xe]D`rVfVRFG:?/.]H稍hUTIO>QEYF\EeOaNXEXCL9F2x^؈j]u~Y`Aw[׆fَmٝwڝzڠzীߥ|ܢwޥ}ݠ{⦀٠yߩӝumR)B1^NYIx^Y;?#('T:qLc:K$I#EL({TM*P:B0:J54)/!TGf[gXĐrmsXQ8B/XG2"w{XK9)c nvws*(]IÛwl\>:"0+5,& " '(*29c?_vwovũ{©}ũ~ɭ˭˰ˮˬ~ϲΰгѲԵշѴԷѶӵԵϳ~ˮvNFZVI\XXElʗ>Ȅ%Ll|~׌ӈՍ~sqp3’5lsqolfmaԩ7ݳBܳBը1ש4ϟ-XYٱIڷOYZ]ԳQϬL$Ö+Р2Ϟ-ѣ0ب:ګ<ب8ب9ة:گ?߶O\ggntsjV[ňСyXiEmN⧗o^aEu_hUgYWDRGH2*4%塂kPXJQEN?K:Q=ZCbM]GXAT>H0?-K7cFnRcG]A[C\HcLaDyTזr֛qੀީުڠy۟zҗrΐqюl!) J7cJB&G28ԁTV)N'P)M%X,nCL#ZA?+=$@-3!(D5aZw xbi{aO1Q@})r tr t vVIL?b f qqr(&VHqX20%#7#Q5,! "(" +&$'+7iDlejfx{}Ū{Ũzƪ{ͬ}ˬ{ϯ|έ}ԳЯ{Ѱ|ԵӲϯ{ұ~Ю{ϮyǩqL>>{:f-zJSHM@Н8k +Aw֋ՊЄπٶc۶]ذZ3ܶ[qtuhjia[ڮ=HF۫7ҡ+ڮ;ɜ-զ7PVZYݾUϭGƣCĠ>Š:—.Ǚ,ӣ4ԥ5ޱC٪;ڭ;٩8۬;ګ;HQ`hlwrlXYعz͏f=O&R)_<ڦzdmV~meTdU[N[MVBcNքrYJP@K7H5L8P>ZAZB[DW@J7B.6 >0H-U:ZCZDR:O=RmjvcXB<,m o i hm s y{}:6]Y] ` mom|#!*'#L4Q?(#& (! # ! (2K(`ifktvqm¥vȨt̪wέ{Ϯ~ѯЭzЮ{ϭzͬxάyϮyЯ{̬xãkH8t)aG.;'A,D-},ʡ<բ1l +ߨGqсՈԉ΁҆҆́ЀoزXfrssgfc]_MQNܰ<ר1F֩3ե4ר8߳DݴHSXٺRʧ>ɥCնWe)ț2Ο0ե9ڬ<ݰ?޲@٨5ݮ>ܮ=ۮ=ܵKXbimj߼`\SչphP4f@pD yQ/^ԕqz[qX~ibR^P\MZKH5xhhWL@K>I6H5QD[H]F\I^IWEJ9F.6&='U=X>S:S@N7N8L4]H҄k؟z᳎ޮୈ㯍岌䰌洐ؠ~(>1?/9090628/."(  ݔrb7T)T*_4b4vP[1F!20,$~$<1`V v;2rlNP/Xg +e l f + m +sv81?7j\gmpts% "/!3% $!!"   +(.I)heholqmoĥqȩyˬ|Я~Ϯ~ϭ|άzͩzͪv˪v˫sΫvƨtcA7s+eI +8'9+Z@ h˦H׫Bޯ@}SqрԄӉЂӇІ͂~ΩUׯVrxwiffbXVJKOG޵EڲBƓ(Η%ק8ٮ>޳K޷HUٸTյWټ_bqŞ4Ŗ/͟6΢4ӧ<֨:ب;ۮ=ܯ>۱AڰA۳DS]_fߺX޶UݷRߺP׺s^C U3R3 Q2 M2 WٞxuTqV_IbReZWOQ<@*?7TIM:C1D3L7K8\MhPgNWB[EUCI:>):)U@VFPgbDW_hdcjl m +x0*M:oT +Xnrpvw2"#"" $n)2 ! 
!&%+ X4cgfVnlol̤wȤwϫ{ΧvϩuʣoƢsƤsǥsɨpɦnåp^|8z-h ?-0)`$ʠ?ܳNۯF٫:Б/Bl~҃Ӊ֊Ӌ҅{~ҬWԪOrrxfڰKҤFTJNKKڰCKݳBԦ4 ש5Ҥ4۱?޶HYغUaedvԱPȝ5Ѧ;թDש;ګ<ج<֧8ڬ=٪?ݲIR_e]W߸N޵LN׋hLxO$uJk<j<_1mڧ~~\fI>.=+C6I9M7(;4I9J8@/D2KASD\NcPfUUDXGXGF<0;1WE7-/@0D5K=MAYTULYTRNUU]RPDTKRDPBUBT?SAS=PKN޴EܱBӤ1Ѥ6ٮE֫;ح=۲D߷H[_a`cj|̩Gǜ4Ң5Ԩ=ڰC۫A׫Aگ?ت;ݲFQXQYV߷SݴRޭBڨ:Ę;ΰs޻vzNuKe7^)^-^'m?xI]6kB{YhO;-4,I9( )4#A5SGQLROUPPSLKJMECFAQLREUEXDVAWDQ=Q=N9S:N;O=S>QAQ@]JgOۏnܓsr[^AlLmKmN`{뽎洊ʁe7*=/=-@-=/J/I'M(W*Q,T,=-|u a [ Q L +K +J +:722+l@m0bzTmwQ{T}U}T[s5v3]Ke^ g"T [ \ +b +d +i msv}}-G!ҡxгئf_F}|+ z% +r%X7[W,/..240.5/ . - 7=K(MYDp*k!bBdh :ҬQسV[ڱAթ<Ҥ8ŀޤ=ݳUg޽ftхЃԆЀπ|z{tձVٵXfdSRLNOL΢4ŔĔ ׭>۲=۱?F۰=HS`gdlvs+ϡ7իFٰD׭@ӣ6ٮ<Ԩ6E߶IRNUݳH۱DٯDܧ9զ;Ę?Ƨeߠ\d7h?h9wBv@sEm8ƁOZ&N%Id?pNP=?1?5(%"H4THQGVPJGNHNNHDIGDF<:NLXNZNZJWJVIXDT@XCSAVAT?T?U?XCYB^JbJaHhMnNvTnKeG_ClCn崈٤xءu<&=29.@.A2VE5;-+G;XMQKOKMHPMNONJFA=:64<@VUXMYNYL^T^O]LXHZJVEQ>XCVB_J^H]G`IdNfFkLgGc=_9U3O/P2tTΈ`ƂRɂ\4%7(=-=)Q9_8N'X:Z9G=4*v +a O + M +K C? ;976@|O_ ~UyTk[vSyW{X|Wu#}Y~Z"i*_W +S +VS +JR V [ ` d jv; b"\^d/T&zGyC +zF +xE GNKG!]4qLҀbWBjV[HJ5M?tfWSMIMJQPLMJKGHDK<@;>LMUNQKXN]RYO^MWDXI\HT?ZF[EVA^L_HbKeNfKjMaC_?U2K)I(E)@R-|UחlZ>1D,C,D-K4O.J$[=J0B%9."r Z L JB A@>;::e3UY}[yWiwUvTxVyXtRhp#yUi1WR R S I >KNP +Z \ o5[}Xl#tSwVuStRqOqP rQvV _wA k'hnjV= ] )&(352-  & ($% !!'1K +8Ɨ>ʛ7˚5ʓ,ɗ'˝-ɗ)Ē(˗*xޛ8aou}}vo~}uwreeܵQ̚*ը?:`UveiaVVOLMHFDGKKHEHBKRXPQRSTSOTXSWOZQVGXIYLYJ^IYFYF[GfQgMbOeR_D`F]GU9J*@#=?%P-Ӆa{\_?.=0[A\EZGU>J+P0F,B%>'7/#t \LM +B>A@<? 
IxD T~W0ivUuTwVxVtRyVwSoqOi:WS UP +]($; A@G + K + TX%}]wOxV SmMjOjLlNiJlNlNsU zZa"mBm+^U> W} '*+1.+& "'+& %$ " "( +,]&ʜMə>̚7͞9ʘ3Ŕ+Ǚ/Ȗ)t xLsy~҃{qyuvxmdYS۱KTWQNR[^Y߻Q׭Bե7Ө9С3ڬ;گ=G߷GOPM߾RSѪ?,Ҥ:Ҧ;ٯAڳBHKQUFHܯB٦7ӓ$ʤQǪ^OxT⤐oqI}KQ#_/W#`+`.i5˒g䳊䷇ҌjoRjNmWޚxd]P('37XO^Ka[TSIHDG@DILGINNOQVXLITQQOPMWOXPUMVHUETDRBWGXHVE]K^JcO^K^IV>P8J1@'=%05<(A)N:A5C8[C^G^N[DQ8I-<":= Q3C0-(*(/(6*w!NAAUS[a, ~NWvR=pNuTsRpNnLsRsPzWtQnIh@X)Q QN VU+9 :<B ]-\jJlJxX |bsSiNfIfHdEdHfGnPyV }[x\xUU&Q2 Kv "1%*.,*.++.( %# $!#&/ΘXʛEɘ;̝=ϛ7Ɣ&ē&ʛ.ə.q j օ&R_w{yx|}vb^^XPRQNOR߸OSZXR޷N׮HҦ;̛*ե5ש8ܲAJROٲA߸L۶EZ^Ȝ6Μ+ש:׬<ݳEK޴EHBDH۩:֟0э Α-̫`ʮi>|]妍oc7k8 +n>m=rAwD~FFԨz۱㾖͋kW=R7T9mVr`LA++ I@vfUMNIDBAC<;EF9=ILQPRQSOPKOKQNVLNE;/D:NGOATA]LWCYH[K]IZEZEU@K7E/="3.B&7@%}  "?5RCWF^N^FTAR;F/X@;+#{}t q TK Q bs1(m,l4{N }WxTpOuTsRsRoNpPoOrRwWwWrNfDT,JPK O`*#V-$+ 7 8[4]k'rTsUv[hMeJdH_CbGbF`EcDsT +z\oPtYuXG%4 Hk| #(.:#7"G/-)%' /$ & IșHș?ŕ4Ő*ʟ7̠:Ǘ0n +\Xk ׍*PkovrdkcSRV߹M޵KܲF޵IL޴KڭDدFݵKVZߺSUݵKگAƖ&ѣ4֧7ڰ?OXܴEӨ2Ш1ݸK\dݹSē%О1ڬ<߳AIEAݭ=ب9٤6ן4Е)x ϢHĬcêdnVԠrЏ`Ɉ]zLc4NQ w=V-{Q߱⽚ݧN5cQkTiQ@+6,@:817-&PGVKMDC?><:9810-16KMLKMMJDKAI@9+4%/%) F4I@K9T=T>WH[KZFXCRĪ__ZQ7϶_ŏXӖfӓcі`טbښdє^āTnKiElH}diRTFjSQEA1[MD0<4SHTAfS^JhSXFF>;3807*/+&)18QNSDF8PCB0D0B3%.60E+H9!v +v 2.B;I^B^B_D`EiMmQtVtS pQK#Rbt{   #%3 A%ݣ㿨౐L-'!xV{%y"*#0$qyOc<"t ERXih˜8ɐ*͘5ҡ:ڱJ߷R޴OݲEΠ7$!$֬NڮOթCΡ8Ϥ5С3֦9ج?ح>ٮ<Ԩ7ʠ-Ч:^`kbݽYΠ6ՠ2՞/Ӛ.Ў Ԉ х̄~qÉ2ƦZ_©eTK7ͲɴyHm8p=}FS%_-f3}LȆWZ:T3U;K2bE>+1$2!IDF:I=>/;7M:J:D6S>dS]O9/5,8-C11&I:SGQDVFA29,RAE5.!%$ !>0J=M:S?RBM=B1:/2*! !3!9,4!0!-%y |{j + 81M=]K&}wrf ]cihj +s@ wSrPrQvSvUnOrQkMiLgGhHjMjNçOwX +aC D? GG Y(%KR'!E## Q8Y<\@_EjOkQgPeIbF`E]A\A_D^CaFeInPtW pSmM +dBN\mw{ {  (,=%L3F+#  + }t8 x*9@ne]-ɛDʟG>y|Ҋ,ݔ'NZeڭLƓ-z"Ɠ,Ȕ-˛/ש@Ӣ2ǔ(opxr{|*/Ǜ4΢<Ӧ=̟0ש7Ң/ը9ت5޴BܶCڵE޻T[ec_Ҡ5ɉɁwmfoen3Lǯgïlh\FTEջνwI*O*i=`2 h9l9 k:m9 }<I1L5:(P@u\fPK=:4HT@>0:,,$')!(.$'0$C:E>VINCE>8,--B.*!&3'&%&'!1.7-v +?8P>v#~yqh akks$i!nBtQrNoNuRoNoOnNhIeHdHeHgLhN1u&K3> 7 6 += T#Q"K?@/C,R8X>]BcIkNmRcJ`F]B\A^B]AaE_DcFkLmRiMlN +dD_9Q`gpnx +  # ),! 
#  xb#w,EjZ:T:$u-ɡJɠLϨQسb&p$ׅ.JפFϢB׫KըDɟCƘ5Ɠ*ɗ-ӥ=ѣ:دEc~Nllt(',$#&ѡ6ة9̜*̟,Ӥ/ث7߶J߷K޹JP`hۺXbfQT]cp +r  7N\cR6$k[2¯}P0M'K)U*T(NrAvDD$E'3%3%@5\KH4E5`M@06*, 2@7A7?48+:5;,;-A6O:S>F<,+0)_GWA9,-(-#1&*$F:?)&&54C@F>@7>8)(+<($#!9*<0!$90MAE46-*#uo ~!~zvqk x4"g\ nArMpMrPqPrQlNmOhKeIbGcIfLgLGmR J470 +3 +9C X+P ?1 0 <#O:S;Y@bFhMjQaI]E^CZ@]B^C`E_EeJeIgLmQoR kM`;X0K T_ioxw}! +# )'# +# +"!R*Te2QZť]KQK̫UϦT?Bj Vci%Տ(Ԇ#ݗ9O۱R^f_[Zf]Ǟ=zQ3k !%*&# Ț1ѣ3֤4Ԥ0Ԧ4ѡ0ڭ?߶LRVceho _[dlq%/7Rb]U;E0vM˷rOk@X-S+K FER(Q4Q9D'=%9/9+4+9/A5D/?,4%2O4ZJF9:0G:>37&;#K5A01)NB-;., *'(#2/p^I.4.;/B8D96/)"F9[I3$' ;-&!"SAaT%( "!~yqlnu%B.f) +j@lCpLmLnNqPtTjJfIcFbD`FiMnRd`G B/303 +: @ @ +@rM$`>. 6G0R8X?[B\CZB^D\D]B]A\@]C_DbF`EaFbGhLpY pYaD^9N%@LUajry!#0X.{PӛjềЗ՗ޡߤԊ؊یٍ؊}Ђъֻo=sW +tQ lҪOg֟BԜ=٪L߷Zܺ]jeglڱRײWjܽjv˪X7(*-~!&'ɜ1Ԫ<ب9ڪ:۱@ܴFٱEڱH߷OUaisάNgcr }$&,KOX[{AV5R5bŵʹaΓfNJ`Ç^ŌbŌ^c>O*X4K1I6>-8&QHQD>4I5:.3#1#/!\JnZYLE4?.M?F69*A,]HRD@1<)6!,&/#6)7%6(B32$+ )$'#ZNQ=69'*2*A7?=512(O>/82;1:*}}|!"(eW! #$%"-"|omg f G*r7 h?oFmGkHpM}a{+pNfHdGaE`DhL{`{_T?>,0((. 1 / :mN*fK':/9#F/N5Q:T=T<V<ZB^B[?Z?^B^BaFbGbFcHfKiNsWfKaAT1<= EQ [fj-g>Ȕe㹄͕ԙ۟ݢߥŕDĖL;D֪_ẋ~+qJtMGՃxurhcpgڷeomv{q׵dճ_նdۺfݻdۺbΥ<Ҥ=ת;߷LKݵL޷O޸NPY]nvh*s||'(@MS[fMC#P5T:{Lzȥ];c8kEwSˆ\ȋ^lC]DR3^CVFG6K?D6G3KB`SX>902(*$0(XGE88.4$F4<0C5C5P>hY[L@2D70!$ 8.A25)4-/)*/'3,0)2-A7."4 6&1 !#78B>>3*!4,84~ }t t =7 %"#$#$##$(%*)-11)!~!zmmL6r7lFlGkFnKpNy,q*jOfMgIaF`JbKqY ~c K5=-1!!"# 7X6nJpMQ/@$2"4&<+G5G3H5N9U?ZAW>ZA]A\D`EbF`E^DaFiNnR +pSbCW7C/ +5EG {@&ƜtΞۥߤݦ̎ÄήqW|Bb*WZbUv5ϫmՑӺmwwFhܾq؋zyˁԮ_ҨVhsz߿qvuttnlٴSӨC޵LP߷LXXWX[ZkyٽgϳVnsv,GKXYJL2F.I2_KuF~t{ԻϻpN._=b>~R/k=F#X9eLO;SA@0A/Q<^MD7iYwfdT^P;1/$90TDA1<11'1&;.>2;16/;+G5H9@6?6*!%#-#@/?1NBD:1&80A<0,,$*"& (+*%$}6.MF.",! 
|~xu ~'$$|"!)!$#!$"$'#'%2+& #( w"u%C(o1mElGlHlJoNy\r5gMfLdG_HbHeOzb`LK68(* !2\;c&l$j#h#o$xX qR ^EK5=(C-K6J5P;S=V>W?W>ZBY@^CZ@hOcGhMiNoS gJT8J(" 'xO0Ϫ֥۫ԡđөrOn2EËMŒK~g[&M̯vٳvҘߤݿg2v*FۻqݗՉɢJ͟SϪ^ww{ztpqm޼c۲QدFڲFݵKQTV[[hovxmts+1EGFXu^'6!8'E0eSsEwooyz|վl@"qI#tP.rE%tE"K.`KmO[ID.:'6#G2cPB0sX\D[KS>G85,++:-N@F84%5%9*:/-'5,SBaKJ58/.++"%!=)G57/(4&:/,#,#, 8-)%!*$!>;IB?::7&#)#*)!'#~#twz4&ty~~{"+'/# ! "!'"*('/-""|z0?"l1lDmHlHmJlMһeIdGaF_HdNdNl%T@F27&) +>% +iH}Z_ +a d?Esc }\c +kPW:J5E0J8K6O:T=T;U=X>]E`GaFcHfIgKcHdLX9K)H- uNǘpck=S%OR(d9ď_Ӭrʼn͑җޢҋ„Ă֐ޚܚޜ֑Ћʄڱdu҈ߘՌpϪSҫ^x،ی~߿xvu}{{{xkb߼a[ܴM߶M޳MݵHڰH߸PS]ov}ЂzɮV~(O§VNL@V@.&1 6&hQ$qEsH{KjvxzѸŅcDU2W0^7R4eNWClQă`M9@);)A,G5<)I3cKUC[JUC9*;0H:?.?0D4C2C4;)8$-3&3(5$.+!/'1.2)'1'6%)&0B0E=4.1,A4[P*#7)4$NFWN?2?6%'!/%.%) %!|**|#wu!!ssy{| &"(* ###!!#")')6+-)## }x}$>+h5 f@hDpKoOkNjN _B`G\CcKeMs[N87*0%%<) _G uW ~[f~]gr"{)KÎ8˛KˤUЪXԮ[׽knvײf;Wb@X<x^#׺qzy|srrf߻_ڲQ۴L۱KڰJӤ6׬?߸Q߿Z`jvЁӉtpĤSֽrѺuNOQu73!/!7#0"jY)p[0iNi8TqwyʌeFH#H&iIp]aHhTkZ_IX?N<[?A*M6H8D1RDpcjHH9E8@381:*2)>-+1.!:8722-2(,('"'!*&+","+"724+1*81.&4$UD]NkZ=3:/&&|4-<,,#!|zxvvz}$otz{|!!" # "! !""77,&}%"!"!sA)e4fAiFiFiLoQ͝YiK_D[BYAaIbH]GJ57),#$O< iP zXa 1ʣb +ee v srj bb^qPS8@/@/G3J4O<X?]DdN bFeJbG^DL.dFq?iÒک֛ԲvǦjn2j1i,c"o,eЗOˆ?o(WO ^^UL N g&w2{2ԥQipӃ҄u֯gB>|-QY2, hOϋІ|wvr޿gj۹[կJٮHײGڴMҨ=Х8حCY]kyЀчulʫ[ռpռuERNWC0 7%8$?,lZ*P=YAsX(yJ_ivw|˾ȣrMjFjH]BbLjSdYbRYLn\[J{hmSn\PATE_JaQwaXH<07+80.$2(XR]K>+?.3#<-C6B7RAQ8.J?UB0%0*2&-$'"'%,!.#-%+!4*(1).%2'Q;<%(~% y|}&(|}" } vu|/+)-mx|z~~|:;55}~ ~ ~$)!x!x._)hBhFjHmLoS~^~afJ`F]EY@X@_IU?B.4"&&\D +oQa +~^ +fлu(d beuskgcbaoON7>.>.E1L7P;W@V@ZBZAY@j+ӹzєާΘϰuPq?`(UUKr<LUOĞjEq(w4x1=HŘRӮpܺ{džāݼ{ҭk?5{).֠Rۯ`o~ޕߙߙڕянxN~;ˊߚܖ́xpilۺ_خNФ>ѪBܱQҨFҨBڲL߻X]mv΁҈τɀ̰hҽw͵qFQ|i0;#=%@*6E+eQ!XFaM#pAzLV`c`pcGS1ZANCYOscN8QBYEcQnVuecTu\ʈuiXud_MVFC4829.B30)2'L/3&D83 &3)gP?03(2$3*)&$# ,$, ()*..%,#5-3)-~{! 
{|vxy{uurtq|.1" v|y~~~|87.*y}~ $&!$ y!0!a, aA gCgFmOqU oS +fKbH\BYAV>S<U>F4>,0,fMrW}^a +_bjm ecelfldbb~[wWF4:.?-D2B/K:L6Q;`FfӕۛÅ_SMqAY/Y6X1R)MQj2QҭsʒۤԍڷfԧW͚M?74Ԯ_Ўߚ֍qjjܺa޶U 3ΤFҭLլKݹW]t{́ӊщǀγj̳mǬgJER= B-K1J.M0YCaO!fU&iY*wi7WVXYajϐcFL0E.dNhYjUQDQ@G=QEXNsej\mb_LlcQFODTM\N]L;1F9E5=6>3B4C59'?->0=,cOO83!0#'7+E4;-F2A0F74&#%E33).$)-%.!5-,&1+"y{! tqqrtrstutu:/"~~!}~#"+)y!~$%|%!$&%#'z/^*d? +c>gDiLjLjKaEaCY?T=T=S=K8=06&'4'eI rQxV`_}]bdgbbbaecedeemV?/8(;,;*?/@,eKҹ֗ޤ¥eP(;88D^-V0RͩxȎؒ}ܹmشnʦZԯ[͆ڏڔq۹_կNѭI*{&׮Pܹ\ݾ[bt{Ѕ҉ӌzZƬjVEaJ4 :&<#;$A)]L aO"hV)o_1q\*xKY~TW]gpϗoTF'@)B0\FbHO4ULTKG==3>;SPODtiJA`WRL@;^LٙJ4fRpRx[ŋpÉn6 "*(+''%# "'$xuokils|+"qtqtuy[ML=-$*("""!1(%'2-4+,),#+!+*"!# }"-$}#{"&)!/#1%2"1"<#p1_7a<cCkM gLgH`AX<[BT9W?R8:)-   <, eInQyY__bfefhlk +cc_bdigm|"H0'6#Nܥ˖čӝݙϊټwʥ\ٹqۙ׌xrsrqrlpujr}̂ҏ͈ԹlB{2K6@,nRc+sR\6J1q`.]Mk[-nZ)ra0yh7|ORXWjyϼoI=MDLB80=7A5J::)9,kh^Y`c[Y_]ii1.ϒxmaOjad_͠rZJ:F2]J[DX@dE[D3N9K1eGzvnlRBw*#+'L:|cÎrϚwԙueCJ6@;-+~|~ xz ptlitoz(%y*$spprv/)n^N7,21)'&#))0+900,.'?.F(B/^f#_ |NoLxa+_QiW'nZ'uc6rc5vK{PVWh˺s@6<;1.60KCEF={+#kg b![,]:[<gK oR]@Y=N5J0=&/%   #V<kErPtRzY`agh +j +hִɹl,\abbi ilwWDכݦńڳqجh{ٲpҤb̠aڰwٲr͡`ƊWv?Cׯo޻zۻt{|}~߾x޻yخkծmدfz΀qΣTCl!Zy$ΘMڲbݹiΞIϒA{-1ΠNݷkẅ́޾mpǣWy-NxV~` FƩ[rnݿiv}wұXo~ʀΈϊ˃Ȯar+`CxVi"ae$`!yVyZ#fU$kY)o^.ra3tc3{i?|RT\e̗:1<1;2/0F4K9cTOQJua̞|z`y*rjrxvnhnz(&t#qv' s$m!hloq w&$t'YKgYWJB83(.,~%,!90<.F3E>M?A7D/J5jTt\o\^K3+&&w 8-:'u,!r#dr'|:)q4Z/R4Z;eG^?Y9R9C*9"-$   B4 fDpLtQzT~[bdg gg"Q͆g`_gh e +da ΎԖă޳qp۩f֤`רdw΍۠ޥ͚͖͐ɊܰvǓTf)ȓP‡ғؘܙܴ̂mҥ\č@50+9ǖRˣXͥYˠVԨ^w޼pƖ|8^@ +;$N6Ivsux԰[ͧRعb}ˀ˄ЋӍ̂зjjH +_o(\]f(o0eTi[,l[*p]/s`3uc6wfB5B2R=t%qjgkmi]]d!g$"a [^[P P RUt-+RJaYbWʈ{R?Ʉo߮P7w`mPċliu.n&X e^ [Z_r3+qfQ:?/|,(NArUU;6"gnqxuqlolmn s$}1,z2/C7z3.p!v" x##{.'TG@2>-0&p"m!h{.&y0%y6*{7#H7O77(~0'u-;)iRgRw5)g"|+$x$z*#}1)5+0(}1$j|6(J3Q2oC!L+W9 W6U4K.@&1,&#  + :+\>hDoJyOyT^acdccecdba^hduWѶhٛ|МVˎJ֣`͙U~sܾj޿otݿmrq}̂̂τ҉|ؽpjncZ}M +\"y?\JcY+k[)p_1p^1t`5xh>qFVWo̤`RH>>4JCHBHAUJx"-%on!6/mq%'e`i"8;p*,b "_n-+WNQ T\p,+IAWPnfcKcKv^m]ʘyčqĎpF4k$b"m,)>8m.-b^Wc }<4@+t&jQCD+F/jOls w" x suo},#7,}-0y)(p#s" 
s)"D:;7x'+(?:>15)}-h ` +_daq)!l%n.!z7%_KZJ>):'H3z3 5(E1l'g!l"4)w-egd\[fo-$s0!c,P! +T-S,F'7 ,)%   +L6 +a=mItJuP}Y[]^^e +j haabb^yWLƋӗTă?Á;آ]ڭf?QY Gҭs͒ϙԝҙ٤ݣٚԖNJ׺yέiϧ`˛S΢YɒHf!Sv4їQۯexגۘʃ̃{ρpkwʁ˃Ɂ̂ˁ΃І}s=m"x*m"i'{=q4ZIl\,r_/m[.p_/ra4tf7yj8Vb˖RG<39/XBJ>D?UNH84(;0NEGK@7KpUB>+;)}6(n#{.<.90r't%{/$s+!j#_e!Z +S `_RKFC?.'&%     8& ]8a;oDtKzQ~W[__^e +a~[]~\}\~_x"Ր̏?d&x2ΐGɒK:^u-׭qҞܙܕܕщ͢[˜`رnwٳl͢SΜQ͟Ty׋ܖߙܘՎՏֳͅ_۷gˀ{~~шˀؽmåWZk!di"u1u9aSm\-mZ*pa3r`3uc8q_2yd8|Re˄1*4+5&F3=0=0GAM?_HZCSBlazhr_r5-j &x14t/*E8t4-WZ\ XWN H +J ]90=1K@F0=/E1p_bUv:*i+c#ad^f#`^XZ`s1%K=`QbRzhlZaJs2!\ mtpv#519440/*-&}+*z*&2)7->78,3%s!m"\[U +Q U ^b Zg$l("{7/ZGLx6(\RZk o w&6.PHJ9H<[HM:5.4,3!r`^V O O SXa]e$$f&!\#a$s5&h%i!j$_bdbaiw)&|+*z%$~,)x(&{*,z+&q($t+*s//k&#e`e!`#XE 9 +.$ + +   ! $ %J-G)N/U5d=lDkDtMvQwRxUwSvSvPuQk Ҕޠx<`5 b+= PȓإךݦءՓ׼wFz9w2|3}5čBجcАߝݛۙؓՈ3T,n!ɤQۼirtt|}̓{p#{Lf&m/tc&iX'n]1o]0td9rb6p`9yfA{jKhϚKBC;<0H;G@?;OCYG."il' t3+\Q U!HDn',f!#h%'h#']WY!T< NNE E W gN;H?;7fo!dp.)p.*d"l,'m2(n2'o3)s36v76EFrnj74n//PFUGL>G:B8q1(L +L P k')y*${(#95ZMI9O?cVI=6/}/#s&~2-d_WS ]MD`g(]c m-)x<3t7,|;5l("j' ebch i _S +Yx(,1.0/-)+)*'m# z1-l))p+&e\VWTQKD8 +5>$$ +'& * +  E,qYFuS;a7J"B(K+Y6c>f@hEkFmKkHoKoLpLlGгmߥ護THSd-߿ܛғӕώ޻sѭbœGʗS|ݠݜڗՍеhjJ X7pK5Ӭ]޽m|wuǁ̅˫`jm*o7iW lZ+hY,u^3m^4wd9ve>{i?i׿ͦaSA7J;YSojYJ?'5%{#rd[SS W}C>j+,X\"XSSZ Y" NLSK `Tc4!E5aSw lk!o.(x7/j)"v91s9-d*t8,k.*x;2a\xjm52v77C@~?8{5*=1p+%f%!O K + +K +\?4?4?;QJ5+YH_NH>9*z.:%q)"fa\`m.%l,%b% YTh.!~E;@6~:2v/-m##dbebk#k!!dNM^4/8:?;;3w%#[[ Zo(#k#k'%h&"^WRPC = + = +E7 +- / 61 / +_C2^MQHs:*h,V# EI%P-V1Y7[:_>_;aAcChI`C~C՗讘o2c-Qڠٗ߾zҫbɖLդ]ǂؗߝߟڙוɀ7Y8Q1aA\3ְcuؾvֽtyҵkw+s.o4jV$iW&l^/p]3tc9vd9tPwԺ͠OEQDC?TR\PMA{!s q^R RSRp/*m1*YOLOMTZWXVW]R hS@F7`VJ9r$a h$r5*NFu51q3'o2)e)!i,#l-(m5,MESEl4&OFy=6<8|<6r4)[M L + +N + +ZB5bZ<2<CC==z*&]S N + Xcq')p,&t3+j$]MG? @ @8 +6 4 +;;@P,c2l0%j/!h.b-G=D"I&K,P2T6V7X8Y8Y8[A ӹ~ߩڽ׹}vϩ`Jɡ^yڔޛܜۙדЉԺnnQ;%F-H-W9?޺oz{ʰhy4s.q4lY%iX'n_1sa6te<27/-dS + L CL ^q,&t,(k%a#SF +? 
C< 8 +7 5=83 L \+i3$k7%g3 d/X% 62??#E*E)G+J.K.L.k8ީߗޕߙ۔ٔԌܕ֍̓tܮh٧`ׯi۶qݷyܵsԨeܰkąי֖ܣˎݸ~ܵrǁ}ƀהܛޛݘЎ˪fz-Qٖ̃ۚۛ҉u<<%A(7%6(cCƢ]ھr|Ɉ̲or,~f#j0jW"kY'oa2sc6wg@e׽׼ּ[]OZV`DG3)M9|c~fzav_cMb%_#!SYj21WWK NMLKMY!o3'u1%fL S r5#fSF>JAu-j :0_HMAF=ICs6&k/*y81{?2N=H=i'%l+(N?p=4?;q40`"H F F +K f C;ZRA:404.4.E:8&8-da^`\]]^f'%m,*h'$s3*~E7^!\]]`z1-p'k'k#ZB += + +> + +> + H b0.=5741/r"W N I C=M_a$UWTH QQT"\*!W(=8 + <n@6c3 ]*e2c/b.`+W&B-7<>">"A&C'C%ȭvިώ޺wϨdӻ̮uҠY٫`٤Zڪ`ت[ԢT̛OƐK͗TӣZث`ϢWKF=ƍF˘PԤ_Π[͟YǕUÏNNOHDs0B̟\̞ZɐKňD>…@ÊEnjG˛VӰs̉ޤڙʁġUDҳi֑؏ԍzTS6<%2#-4_(ϭh۾u~~U,HN[)"wHAm5!u(nQa!C3UO.(43v,'o+$o)$gp*#H;~3+C6I<[LM>h1#g,%t75C4VJ@7\QD>f+)N F + +D +H N j""1*0*/(3+>44.3/1!A6dT [][[Y[_Xc&!k-#n0(]aU \m##j akr-"K +? +> < ; C f#"}.+550)0075gR O?96> H V VYc&F7O?{J;q@.])L +DJe1)Y%M`-c-e.h/h/g/Q(7++-02L2Ϣ߮ӖvўVѠX~<^{?Lիeǂ̉ˉ{޽tܽw޽|}эؘٖ۟ٚۛݝߣߤΒصzѪiܼ~Ύؚ՘΍ִs–Vz;VJTcBΪlϊޚݜܙȂT R̈́Ԍ̃˴kxW[9T2S3J.I*o-ˮjʲubCp6sa,l\-iW&n`1pa4sc:÷Ի׾ֽtfrh\PPI<.aKŠlocdnZh'`e)"_$"MQQNMK HKa/)WHT@m-S U{9->5656281ku0(?3l$!q.+y4.~7,u3,y;1bKk8'e'!v:4QOUOHHMJNGD<]SK I +LRw..1./-,(80703+72{+ s*{5+d!_!YZYVYWYa#d&"n1)dbadfchr+[@ = +; +? += +F b$|0-6572-,83w&&o \A:677? HFUg%u7,p5*[ UF C C +B= +E [)j/%i-o3$o3$q6's;'m8'Q"7+% t^;զߣתcӣ^ܳvƉϑҗל΋̃ԍ֑֓Ԏ~ՒܘܡғɫkǧmKe&]$>үhҒ۞ߠޠߤؘ˲iSv̄yt/^8Y5T2T6Q2W6tWqQfLP7q9r]'lZ+m[*m]/ra5|pLƦּ׼ؾ\Mr`uoVMC5H3O8_F^D{A-[VYVUSRMI J +HF R yL=lUYHF Ep7*RGD<;822z,!}5"PA?5~4'x2%;3x3&c LDW@f, e)"pcNCr.-|<=E?D@l*)M +RT URd63><8100/';3.+2*2&~1!t+z4(e#cg%c%!^[UU]j*,q3-GBB;u'"l gn!q+d#F @ @ ? A ? ? d#%|/2}/04/72203215~.4_F > +:8< <9<D I E +B +D +I I C +G L `#_(l."i)n,!o,s1"s1 u/$m/`&Y$D 3fרުԕݫg֙W̖Sy֛ٜńܫfΏI̅B~:ǀ;ΓKգY:k#ą=ŐHΥ`zٜܟˊֺ{βtӮj׶qăŀю֖ݝؔφ˫[BԶj}`?&56"="B(I-E,M1P2V: v?s[$iZ(kZ&n`0tb6{nFѲջؾ׽ɰIB^TcWKCM;L7*t&^ JPRP Ua%"ZS= +C +T +H C tD0eN_KY%L +c&A/8)TI>41+v*?0UH8-A0M=n-#h+%y=/KAx:.n-*D:s2!t5(|B5L=P@A1aI L QN ^z-"4-@7TA1*1+)$>=3-2$D*p%k%!j&'KEp-(n11b QPQm6,KHy54~64|*'nmhhTH A C +D +A C ? +Eq/*w)"y)"s't0#4/383666//p"#R F @ +< +;:89< ;? 
> +B KUY_h!h"cgj l&t(x1'}6*s*t+"n$h%f/ոץٖxЕMʊCסZˋϓoΖR{4p0ƀ>͓TϕUϕRϟ[ץbÎFy7v0{1v/m'p+DԠ]xܝߣ۟͐~ЭbЬaήaѨ\̥YȤQC{1ؼsλwaG ?#30-+*/3V?u>q_(jY'jX$n^/wf9zVӸֽ׿ʣC:C8N8C:=19)|+n#j'S +Xb'WP TWVS^%h*d*c2&VEF-\!K +k-&;.3+:0C??8B1o q)!|;-l-l+r5)n."u;+t5)o.'v43x85E<{>1H?SKmaPAl"W K I +M_u%#8-NJfU^K@7@78,=8<3P=P?|.%<5QOq0(k($aP QP O^d!bknlf U M +C A F H G HNSZ w31}5.w*%v*%K>?E G B CJ +M _f$i$c_ ` fgj!r%w0":-@0S@L7R3Z;եxmnݴlxnاi֨pӥe}=w6a'm/֥iϑߪޡ؝ٜ۠؛ʆҳtĕW@{=x:̟^޽|ӏޡڜϊӷmƠSڭ`Ы_Ӵgp"V Cxg&f:_6K'91+(+P?f4l[(iW'lZ*o`/ub7fֻ־ʞP7<1M<`N6#7,9'e!OX W a"VWVYR ^ Xl+a$[XI O i)z1#4%91<1TQFF>9t)]$n1$g$m-v7)s5$p1%s1(h&#i('h%%i''{;2:/y5:;<>7L@`PG3fSF+7/973-+($8.o'`^SR[ZQ +Z[]f:/=0>//$~.#y+k"m(jebl!!l#q)#k!mq$v(v&>6/'306:55.///53)-('pjmx"#{"|'&}(#/$8/0))'|%{%^ Vg!d hhkip 5#|3QJ7|>&<(u1L1\2c7j< o: l; +Z2M4 +ta5uc3tb4r_4sb5ue7wd9¨ؼֽˑM6E2d u%|/"q!t#jd h!{20n(n!o#|21s**v.)>8WEeP\GI8<+4$J6MGS@A2<6<0D5@7C66/948/YLdUaN_QQ?L۳wΓޣלƉŜ]F˚Z׭kŅߤܗ˂{~?T: +Q.`3e8h5 `7 b>V7 t_1qa/uc7p^2tc5wf;zi=е־̈?#y4%q/%n!x( mb]U J>1m&|2%w0%}5+|8.{/.<:jVoVgOcJA/@+YEiaL><(@6K?9/@6<1>5;3:)~)w$x#{"*~*iTI L + L LL + +I<{@0[ +f!WA6/<6[JUCA25*0%[IUHK=>1HENDK;?6?:=9:64278725.2/:3@;;:03).*%(")'/,>6B:A8D7+,53;0:1z0)t**m""m!!hnnu# }&51ZJUE4#3-/)3+,+-'-%,%-)-".(0.45-)0&<2=2C2;.9+7&{5x@B$n& n&u)x.{1o*i* c*V,޽ϖܢӑqїRT@Qԣd՘ˎѱwɛ[ƖTͣ`ʊٛϏʄƯkcLB&d;d;g= gAnBhFj5q`/td5tb5tc5td7xLѱռ׾|2j!i$j l[B 3 /R(L>k(u.t,$=6J;60A:bLoWcSTBR@`IeSH>=3A8ZMB3<3C<>4WKK:@7C>9)0'|$/"r +`O K W\YYz;0z4,v("x-#Q;5)6.dMƂefN<-5"+%*%/+/*214/<1NBRLB65698:8++,$3:B=C7UKOFZP\U~5,z* o&b"b!]#l&:.0(1(~/&x)"v(!v+'o"o%emq$~*3+aKqX_EQB<4/#-)1'1)0',#0&2(0&(#5.@0C2E6L:S=9$6 8!i+}I(K$L%|E$T.W+V*^3k7x@ճxʔ١ՒڡZz9I:c!֩nߪ֙Ɍֹyӱm޽vˆ֗ܡܚٚώʋ€o2=!S0W1W0T/^: kQtCqa4td5r_5ve7rb6dִּieX P D ,& *9\.G;w2*t,#w06+J8G6LDG:H7G:D>J@`N[JI6E6J?G5?,F;A7?3SD_JE90,)%+%1+)5#u'm}-&4/JA^PG@<6D8E6A-<29,H9^M\G[IG.=+.,1$1(*"=9^Sia<,<4[Tn_I@PIje[W;3?:f$YL= 764446Qr&#v"t$#v$#lq#q#t&hgky%1 `C}\yYfHF54(4)1%4(2'+-!-!'71E7I3J8K7D4e([ +[c`$d:yL!]0[/e3f3rDrAl4l1ΫoćٞޢWfI4bsԒƂӬdHbʉ֔ΊʍГFC-N5Z=W8X9Q7kV)n=we2r`4r`3n]/vc8yֻپջw0c 9 *+4=C <E 
Y#v@2F1G;^M^MPBI/<)<(@,kWugUDP;_Lm[[KD6B9r-)U?632226 6 2:>@ H +Vk#(ba# {31okof_ k y',P@wY~]|\rV\J7'7(6*1"/"-&+!&D?D3D1{+d L JUVV\% U( +X(a1g6f2m7f3g2^'pRdҔݦzs*?1eqޡdž>H FϋښґɆБ̎`N9gXwd%^HL2W< qZ/vd7r`2ra4tb6tc5vc9ּּؿSD88R'V- S( S.O,K' ^8 vXyanVjN?5ohRB:)B4I9@7@/L:ZCcNbP]O`HN>H>RAWCT>?5VGTF8-8'8)5,4-8*5*3*,*%%(&>1F>MBA4?-B2G:\M\HL9K9Q9M5Q9P8@4PAD;=5XFMB4$WAD7y* l]I E B ;8878 858 +5 7 D D +I N ZX1Rq.!x**q#o"giq p A0qS]~]wVsXR:9(5)4'3*1%-!6+A5?$s+X GIIWU`!Z(L^1f3h4e3n8l7k3a)d.Kٵuȇ؞ߦחʐI=~+Tݳlݡ eWٿyҏ۝ߡڙΏʈΏ͎^;:.#<,R;H8@659#P=\@M4UCP==.6/'$~"tY +^c]` _[N QOC ; ;8 < ; 9 88 +; +@ C F G Uc3 +" :{4)z. t&t'u)m n!}-@&R6N3O5eJcG?)4&2&3)0&8+>3q.@8:9;=FOSHT+P\#_)k8j/h/k1l,k0{<ʩd|ѓڠݢߺvNx&5EܞޡѓϏDŽҹtԸsғݟߞؗ΍ʉ̏ΐL1!A(X2X0[/bCta3p_2ta6ud8q`2q_2s`5jӴؽ׿S) X1Y.c6f8e:h9wI(S2^>wzQ7Z=`?eQ?:;3G<[JYBQ>P?E6@27#8'>2F6F3?3=&>(B.I5S=nU~gmQ@%7.?(H24(A68,7'PC6)7-D:I;1-6&9%6#:5?,A.H3<*~-1<&D/9/+$1)@1 H +]aY Y U WL C ;> ? ? = ; >@ B? @ @ H +g%{/,@ $ +% ? `(;19,7)x(x'z(|*~,~),<(C-;,:.9,:*@4G25'A156615:L#V)e=mFpGwL|Q_*l3j/j2i.o1o/Rӱmϑ֛ٛFn'q(_ńٙ׾{AšYʆݞݝߟߠݞؔӐˋ͌̎ʎ{H-/>(C&H,aG{i8we6sa3sb3r`4sa0p_2vi>ȼؾi;[2U.N)R)M*]6oE#sE$Z:^c>sBE"I2G8G:H;D-1$4'4%6)E38$<)ZJ^TQ?`NN7L8E0K3R>L6W@ZCx.l1 S=J8F1VGJ?dRYED;:2K?ZGjQgObIH=q"^\XVU` l%y,0}%u$2 0 >IPRXSH @ +B B A ? ? RYOFI +[ k*x2"p+>% +))5u4&J2>3A-RBUDYB[HS?D73'3(C92+Y3Q C.9\<Ɩ|{zalNaLXJbPL7@,6(x,"a \ XXUP TY\ +^ f!r(v: +  " ) 0I +Ze"^RVNNrA.}E3v9%n7'm2%j'k&s)@(e- + *< ?E+h/e-y6 9!:5;+70;#>&7 U;V9|? _+ MF??L$X- a3 ^1 \1`9 b9d: pHqHoJwQyPpG nHuN}T}UyR|V{V|>ԳxȎ޿pE MR ɑآƈߵuݩlҗ\HFp3t0u5x5x5{9ÆDGEJČJƒPϗTʗSΧaѱjă͈՗ޣܢߡߡޡݡҕͯk˩aǀ֖ܞ۝ښ۝ؘח֔ҐёΎɇˊɎ̷mS )+218%eR'pa/o_4r`3ue7xhU4 S1 S2 U2S/V.e:|B-='8"H1G0]GH1L5G5~-$@+M6PR>>5?8K?@1|#2 $ >S9@yL.wTrVO2K4z1!l$g i dY W TX[ [ [ [XY[ W\ +t)A   ' +% ,'5I Zg'z4%t,#k#s,dD^GM8TF>&|0#5*?/w:%> 28C$ c0I! +49OS& ^-n1r4s3B%y9j0r9!`1U' Z. 
d5^1`6f9j;k=o@o=rBq?sCzHyL yLzLY}SxO{Q{R{Q}U}V|VsJ +{W_‚ϭhZ4U&R؜՞|ɌQƈPҖ[סg٧p٧nԨrͤfΤgҭlάkϯtԮnֱqشtԯnЧdϢdțXǚbőYy8m+u6q0x1FͥdܿyʆՓܡߠߠޢߢߢޠ۝ՖёЊԔԕؗז֙֘ԓԓҐБʋȆljņeP; /8; : =&p]3m_.m\1sb4uc5td8tc8vc:ua7WдV6U6T2L*P1K,Q0 _;^8X6 W5V3V4X6Y7W3b7`2\%W d-t8z9$:"9 0"4"6%3)|, },w r"~0@&V>B)Z . )JY"[$ 9:FFCBLP +W[ XTRd f_ ajo*j+ ^^\Xp*M ( D Q\+P$ +<<LR NQc%{6)=/B*[BR5B-D.E(?-?.m)NP& I"D$? 9?"A&E$-*/2:F#@E M$L$N' +V,S) Z1b7o?!n@uH#wJ&wGr@rAyJ!~N$P"S(O"Q O!X"e%h(f&g*X\][[XvO u2ͩg˪fg9 +vD׹٘xؗX~Cђ\ѣߧޤٜۡ؝ϖĄմvˣcƜ[LAr2v.;NЪk}юڜܝ۝ޞܟ۝ݠؙז՗ЎɆӑ֙ҎԔӑΌ͋Ƅ€‚ҿzC0%*>"B$@&N6vc=m^.l]0yg:wf8wh/8\- b,Y%LLN@647<@? FS[ f k#jm z/<G'v,u#p q"0&R/ R" ^#a&a)]'^(Y%W" T Y [!We(n/:{9;I&I C{>{?H!K!~Eh7a3 U/ R. H&?0@' 8<#B(I, I- H- K/ K+ K+ M/ Q1 Y5_7mDpD tH#xI&yL$wHzH}Q'U(U%V$~PT X"a%e&i)j-q5o6q2j+j,h)c$\ZKâaf-IΏݥВjϐHՔOuݦܟ֛ϔȉԶrŠ\vh9{j?}kGxи׿U9Z<U7S5N1 +V6O1 O4 S4 X5 [8W6 U3 +U2 \9[2W2T/Y2]5c9e:a5f5g3d'yA&p;i&m'b Z \ t$t(D7N 54_3uB wD&v@"n6s6h-^$MEGKLMN Ta&o+y/z-z*;&R3_@;&"*z%MR|?v9t5o0 k1 f- h/ i/ i2\)[%^+i4`(g. f. k4zFP ~P#X+X,R$R$M#K Gv@sAnBe<[9W3 +W3 L- +G,G+H-I0 +E*G-H.I.M2T4T5 T8 X6Z7kCmGzO)tL$wO#{Q{P }R"UZ&`#i-i*d#k.l1p8j)q2r3r2n-l.b%f(^bϲsϒڠԘwґۚiՎCْJu۠ߤߥٛԕʊѸuɪfU}7n'?ʟ_ؾwΌ؟؛חטՕҒвlǞVāВΑˊŃνyͺ}rAV@ 2#4K.V2 N0 _Gp_1k]-o_1sa5tb4wg;zj;wOϴֽ׿kJaC Y< +V: U4Y;Q2 T6 Z5 +lBcCU:R0 S1 W5T1U5U7S0 T1b7c5d9g7_,Z'^.^,j1g+g(b# k">2F9Z#69Ap<|F$K(L(K A~>x9r:n6h2 f/ _( Z_$ V ]!d$ h*h+ k-p/q0q0f% d%a# f$e"a&x9BF!EBCIEGDq4 b+[*_+f2b1f6 e6 b4 W,^3d6 +l<}GKLP&MK {I}L |GvBoAoDpG#lE d;a5X6Z4 [5 Q6O3U7Y7 U8 O5S:P2 [;Z8a=c=iCnF{S Y'^#a)f-k1j,k*l1j.i*n,s3l*p.t2n-e Yu;_ջˎמݧˎΚT٧]ّ̃}ܪWΈ4d΋߰ةڸ}خpȞ_˜]ɠ^ʦhѷu}̎֘ޡߣܟ؟ԗ΍϶wSs6e%u1LѴqʊӓՕԕؖ<_ŌŅԿ|ҿ~ϼ{ɵylZsVm5@'9"O/W7Z@iR#jZ*iZ+l[.q`/we5vh4XƣӵԺֽֽ׿Ή\!Y`&a'ZvJpJ^<Z8 oG!gF[>Z8a@U5N.N5Q6[9\<h?j?k@l@_5 X,[.V) +a/ a.e/m4s4|='\'7 7 ;I j:h9yF%G%~C~D}EF{<}:?A}>Aq2f- a&_%_&V U$JLT$QMQ!`(]$]'g0 p6}BKKNMMMQR G~DzCw@o< m;c3b5\1X.Y,]2 \0Y2U1]5`9mAuF{K$T,V(N~N#X.S*~M!Q!}O~Q%vJmFnIoKf>b@T4V8_?Y8R3 +X8 `>^>fCpJsLnHtMb1^*d+d)d,a(a)e+p3m,g$k*k+h'f#d'CΫlҘؠ߬ՙχzdۜHˀ)֔?{ߣ֜̋۫kȉLÚpխQ|5q.x4s8 {> 
Pe'v:Iȝ]ڳpʈՖۜߣޣߣݡ۟ٞ؛ȊҴv\o.Yc#I‚юՕ֘ЎVHrκ|Ѻvȳqdzptaj.vZ&s;:$V5\6_>kNva-m['hY'm]+sa0ve6ylAmҰֹ׽ּؿ˕e$Z`#_!h(c%b(e0^(Z&~V#xR"hB[9 U5_BkI gC[9 `=b:h@oEtIrGp@m?j?i8h6e1c1Z( O;6BGT.j@i>l@vD"sD`5c6zEO#G!DCF~@|@|AH C|>w9f-^+N!S$U%R%X) X*P"OW+X-].e3p9 EOOQRU!TT#LNN~H|HvCg7b3`.[6 Q/N,I+T/Z3`8 +j=k9c;b; +qAuHX'SV'U'[(Y'}PW$Z*Z'S#xNoImFuMc? `@cBbA_?kIlIlGfDdB nIoHqKxQY#yR{Ua*l0g*f&k*h'g&e%^b"PұvȈѓנݧݛߺfʊ;x$k |"اSگfף]ʖLą>o1f&YSPÐ|< u4 +f.Z+X%_%c#`#i(w3CWr4GȤ\ݿЍڛܞޤݦާߥߣܠݡܡܡ۠؟֟ӒȇеtDmA lADĉӛҖɈ͸sH=aɳ{İohXzES7 y`0\GD+fAmEiEqQ#q[,iU#m[*n\(rb/uf8zkGԹպռԻտȺLG{;e+e%c&a&f+i,l.q u> ~INPOTMJ~HJ|HK{Ek=_9W0V/Z2]6f= n>f: [1V+W/`7 a;]4lB|K|LX#[-_,[*X(U!QY#Y(U#wLvMvKnIgB dA b@_= gEuSjHkGnIsOsLlB sL W[Z]j)j)g&e#f&h'k1\ϱpĄΐء۠ߠrLj6iV \ [ +`a[ \ex<ƑRթkֲvҮx̦u˦pĠh\UTyAo:c%VN@ B~39O e?Ыg׼uБ֖ۣٛ۟ܠ۠۞ٜڞؚ؛ԗΎώ̵qumCf@f>d9 a7 Y1\6 ]4 +a6 c7 _4 Z2 Z3 +X-]-r? ~DGPS!W&U!RW UVW!U WY*Jv@d8X,W/Q*E$DGL'IG!M%Q%Y1b4b5f8sA +~IOX"V ROSNsD sFi=h> +j: h; ]2Z.[0[0]6 +^5a8 d; d;i< m@wJTSVUX U!T U!S R!W#xJtJqHkC qJtOyR|UvRySqI gC oNwRxSxS ~X[Zab$e'd"|X|[PӴvƒ͏Ֆ۞ޜuȍ +nFrHj=nC}RwLpGoHrItKmFmFi@a: X3 W4 +Y3 W2U0L+B%M.\4 +h;e4 +l=vFv@ r={Bw@MR V%\)d-h2f5g8`+WSTTIr9p=p> +k=^3c8b5b8i; +c3Z-_3k: q?yGOROVUOKyGvBvEyHxFsCj; `4i=i> h9e9a6b6a:mClA mElC mC vIzNzQT\&_'^+Y%Z"\WX{PU^#\$^&XvNwQ~Z%yUvR[!Z^!a&^$^'YwO[7pP\̮lń͏ՙݧߥܝw͗Si#HAT +y2əSִr}ьڜߪߩܦަڢՙВLjӺxǩcUFn*UWf%|5KĠ[ҲtÅӛӛ՝ԚҘјϒˌȈniƳxbLcéobi8zZ$x>|h4E9 )!0!G1 gBi> lA|Od3u_-oX)mX)iV&n\+p^0vd7rH˩Թ׻׾׾׿ȡUѫe׵m׺vչt׹pҲjյoնkӴmֵnЭgͪdѮkȠ\Q{8x/q+p)n+q,v1q,k'e#_Y~SV ~OoEjBk@sIhA nEvJrKrHlFmFnEe@`A[8Q2U4M0J.K+K,L.P/V4U1P,T1g<l@uFvI{O!K~JOT%Y&W#Z$W U [)\,W!TTRO~G{@ +|FyEu? wAzEwBq<n:s>{GzE|GK|GzGuCuCuDwDtCsDsCtByH}KzIxHvCq@j@ +qDmElDg?f< h?oGrIuMvNV V#X$_+c,h1d%`"f/i-l6o6h/i/h0l3f/d*c&b c#a!Z|XzW{TnGW8sS[дr~ВԞڡҐɗMo,U>Q ŖM}Ֆݥݨާݦڠםכ͒ƈζuRhF ~?G Rk1^ɑЕієϏΑˊƅą‰κ˶|ȴzP}\`)VVg.dE nZ(E3 +! !5"=%A)O2 N1\;kJmV#gT&jX+gY(n\-r`3vg:dϲջּּ׾ռΩ`ЭcӴo׸uݾzٻxնnϮjέgմnԵqήgϭgѭhѭgЪ`ͥYЧ\Ϧ_ÙOA{1z6s0s0n$n)k-f%c"e&b"^TUsMcB b;kCzS uOqJtL{T'oN#iFgFeDb? 
d?b?Q2K3F.I/G-B'K0P1T3X4 Q.R0b7 f; d; +^4 e: l?}JHKW"RPV#UZ"X \ [#X#OIIFyA yAt=q:u<vA yD yE r? m< q?sAr@p?sCyH}LP~MQQOQ#^0V"QyLpC h; +c7i>oGpHrJqIxMtKvI}O}TWg(r4vAt;r7w;s8o1u9v5w8p3n.o/k*g%a XxQzUpKfF +[<a'VԷoˊБۺsy6O BBBĀݤݦݦݥڟ۠מ՜җȊRN`(K X#^-n<̵~̏ʍ̎ʉņȈłѾлκ~įsXqMc<wAKxVL7<.- ' &0$>';$:";";"G0V?mS#iW)iW*jX)kY+q_2zjp@tEzGyGxGzGSV!Z%X!STUPyGyJxJvInBpEsFn?j@uJyN|TYe$i-g(l.n2r6i)n2w7zZΦgӓܤޥߨߪߨݦߦޢ۠۟ڝٞ؜؜ҔіѶwi'V$6/@e.ưuƋnjƌÄĈν{λ|̴wɮoĪimY`+lJp1r9K7/!;,3&:%S9 ^DW8 +N4F,C(A(H. +U>hS%iV(iW*jX+p]0r`3td9uԴռջּؿٿ׿ؿ׿ʡbɟZȠ[ѰiέiϬhǣ[Ȧ^˥\ʤ_̩eśṾX̦^˩]ѫ`ѫ\ΥZϩ]ծgְi֮cϧ]ְkկfլaխ]ӭ_ɡ]ÚYSAm.i#f d#c"j'p,h&e$_YY ]"`'[#\%Y#wP vLtOtP}T$uLgA bChDiB jFiEiCnHqLhBkDmHc@Q0I,L,V2`9 a: Z4 V,_4\6 d>xNW'[)\.])]$VY[!WVPKJwAp?k=o>p@m< i8f; d9 n@wEr?o?n>sEtE xH}L}K~KJOKNUSO~K|KtC tH +vKzN}S}S]#`&a#\\"`#b%c*h'o0q3t5q1r7o6n0p6o5p4i*g-o9`*~Ue*VƧg˭kz:Av4An1Ը{՝ٟܟݤݤߪޤޤߨߩߪިީީߩݦݧܤܥܦء֝ל֛֚֝Җ͐„KU+2 %9j7ƲzԿӿԿҽ~͸zɲvȰpìnj_bOy?|]&yc*J=)+8%=)X;lCwR%uS)lKcDZ?Z?[AdK&iT'kW+kX-lY0n]4rb7te=չպֽ׾ռֽؿֽ°GIJSROÞXßTƟVMOKLʢ[ϩbɤXϧ^ԭfϩ`ծfҮeѮfO?̝OȟVˢS׫]uߺr۹pԬdΣ^ȜSMO}=k"k l!h"j'o(j)s8e*f+m1l.U#zPX {U}V]!~SfCg@kFoJnLlFnJoIlFjDjHZ; S7P4L1V3W5Y4 S1X4S1Q,M-N-W3 +]9oB|KTSX!["Y UY%[!Z!RNMJzItGnAh:d:a5h8f9e9 +`4 g:i< f: j? j> j= +n>n? 
xINRU!RVXTUSYRSSSXYY~YX ]'_$h1g2j0m4i3h.k/n6o5p9l0j1r6s9a(|T!]+HXl)l4b%{=m,ٿҙ՝ԙ٢٥١ڥݩܧިݦݨާީݧܣݦܥۤڣܤۣۤ٣ؠؠןӖәҙҗΑȌĈ^`?0#;!yHDZxϸη}ͺ˷DZwůtjd__\K~Bu8nRD0!-!B+_=rK|R'{T0sN oK!eEkLkS'kS-hQ&fT)jV,j[.m]1qa5wg?ƻԶ׼ּֽֽֽëDOD>>>KK—MŜURSRVXģZá\ѭjѬcԯbѬaѬ`Ъ`ƟSȝNŚOˣUϥWը\ի]Ч\ҧ^Ӫaѩ_Ҫ`ѭaԬeɡYI8z2{3t,i b%d&o6r5m4j1d*g+a%}V}VWxUpJzRV+yS%vOwOqLfDiHhH[: W;_< aAaA_=T8 +T5U9 +X7 V3U3Q0M-K,K*V4 +`8 +i= sF|J|K~H{KSQRRS"S#P R!~NxJ#vJ!nCl=c4 ]2[3]1b8_9 _6 ^6 b: b8 a6b7oBsBuG}KMOTUWYY!YZ#VP~PRxKxIwITX]&^!`%b&f*f,d*d(k4j0i-o1x8l0h1|T{Ql0WV)Ha0q2ʱ{Ċ̗ΕЛӟԞס֣٦٥ڦ٦ۤ٢ڢڢڢؠڢלם֞ם՝֝ӗҖΒϒ͑ːɌƈҾk~^&> 4[EYǰvîxƯzưxmol^XONNyEn/eP7)*=%L.^>gCkM!kN"lKjL!kPnU+iT+dS'bR$gV)gV+o^2qa6~nJƪպ׽ֿ׿ֽ־Řp7t:FDt8o.i&s0s,>`àaTTVPLOSĝUˤ^ѪaӯcЩ`ΥXϧZϦYϦYժ[ɟQƜQʞT̢Yͤ[ȟUʢW͢UΤUҨ[ѥ[ΥXЧ^̤Y˥ZSI>y8u7r1p,m-f&\^`%Z[!Z!U{S~V {SwOgDlKiJ[< _CpLuNvR['vX#nMdD _>b; \6\:X6 T3O-J,Q-J-Q0c8 c:d6h<j: oAoBuGtFzMxN~R O!P"R%O!Q%~LuEl@j=e: a8 ]3_5 Z1Y2^4Y0[3W/T-Y1`5b5f7 +m@ }MKR"Z'\"[TQ~LyJvGqB vF}RVX |TY!\&[$Y \#d.e(i-k-l,m.l0d&vNfC ^==7O&j2pͲ}Ϸ}ňȊʎϕҜҝ՟ԝ֟՝נן՞ؠ՛ԙӘѕҗϓєΑ͏͐ϖʎȌɎćк|ìtTi,r] {D]prl`^Y^RDz@q9n7t](M:0!)#.!4$8&E0I3S9 Q=T=S<W>\CfO#eQ%hT)cP%fW*fV*p]5rb:wR˯շּ־׾׿Žf0seCfAa>gC_?Z8 Q.G-F,H1P1R1S1W4U0[6 ^6 Z3Z1d<i?l@tGxJ{N$}O$Q$xIxGxHwIvFtCqBk< b6Y-P+M*I(E"E%K)K'N*Q,W1 +\4 f;tHRSPNQPR~PT!R S"U$}T!U VZ%}SWZ$\$b.b+f-d+h2`+|XdCW7 8(8eOQ\£nũḻrӴvÄʔ̓ʎЕИҙіҖїіѕіДДΒΑɍ͐LJɍNjăĆҽϻθ}Ůuh]V[^e`^RKJxCq?l/zb%rUZ?C-'# 8![; lH jDmB [9[8U4R5P7Q:B'A'@(G-V>`M!aO#gX-jZ.hX.jZ1qc=dͲշսֽ׿ؿ׿W6 eGwV'iGOYŸYɣ[ǟYØQŜSɟS̤XΦXѩYΧUӫXӫZЧ]ΥXΣP̠LʡPƛIŗEĜIɢQƝLƝOĝPMRɡ\ͬdʩgƢYVJNBs-p*l)f%g&o&v/y0n&g)c!Y^A aD jE uQ|X!{Y$uV pRjHdAeBeCa?c@cAgEpHkD`>Y; +U9 Q2J.Q0Q0L,P0R1Q-R0U4 +Z3 +Y3 +Y3 ^5 c;i>j>mBqEvFuG}LzGzLwIwGnAf>`7 \7M+H&G'E$@$A%@&F+A(J/U8P/Q/d>iAoF{P&yO|R!R!V!VY#~X W!|S!{R!{OT{RzPR V]%Z%~W$|V#yU!oJM/*$>+u\+v ^; +]; +_?^< X7Q3N.Q.S0T1X3 +X0W0V0 X. 
`7 `6 g=lAf; tGpDrFpBuGvGvHpAl@h= `8 [7 V0T-@$>#9$4"7"4$5#5!7";'B-N3 O4Z<kDvJsIS"U"~V#|U!}T'zMxNtMtKtKuNW vOqKtOpLsNeEG,(%@%X: pN b2v?FWebåiƭq͵ӹzջ{ņɔĆNJʊNjŅƅ҂Ҿҿм|͸w˶xdzuŮkǫpmjjcYXYMEzDrEĜYĝVͧ]ͧ^ʟTɜRÛRMȞQʡSʣTϨYЧTͥRШWӬ`ϩ\ˢUЩ[Ъ^׵kѫbɟTЩ`ЩaШašSSÙP̠Vӧ\Х]ϧ^˟UěPHF>|7w2r-o)q.n({6|8v1o-i(e!f%\vOyWWW~X"|RxPsJvLqFpC pGjDlCsNwR pJgAhCb: [8 U1Q0Q.O.S0T0 \6 \5 ]5 [2`5 +a6 a7 +e<pCqCl?lBk@h; h=d9b7_7Z1 M*F,D)>'5- /"0"1$0"2&;(B,G-K.Y5 `: gDkGrKnEpJrJsKsKqJySsMqHlCoFqJmKiAR1F.D)C'I+I/]? wTi5u:AQWiƩtǭsɱtе~ѶҺ}ҹ~Ծ~ѽԾԼ}һ˷|̶{ȱwɯtƭtçjic`TYQNDD{Fw?p:g0~^lO[BA+,"-E1 R8 mOyWg-r6g4W\b e f!egf"k-h*l-p4{E{h:eS'dR$dV'jV+k\0tc;thHջռֽ׾׾׿rM0mJ&pI$eAc<U8 L0K1 +H/Z>bI"gJqX,pQ$uQV'\%`#n6|?}Bu7t5r3}X>[=oT%rPzW%f/l;m4i,n4{BGESD=u0}8HQRJJNMKMƞSȢYȦ^ϭb̪_Դjܼrմkɤ\ʥ[ɢVʣ[̣\ȡVÙOʡWҪbϧ[ҥ\޷nrծfϦaҦXϠY̞UΡXУYԠSРYɚSHA}1y0j$iii!i)h)h-h*k*j)WyP{R{R\+_/c0f1i2a%^#\$a,`,g3a,UuKd< +f= +b>`:_9 +[7 [5[4X0V/Y2W1T/S,T0T2S/V/ W0 X2 _7e9c9b7b7a8b5e9g<a7Q2 Q/ P3O0 I+ +E*H, K- K-M0 K.K/L-M/F*M/V4 Z7_>\:a=fAmE!sG|R+yP+vL"wO'rL"mG lGd@]<M.H+K+U0]: oNf)r6{=}?MQ\aY`XV\QVPQHzGw@x:m3h6a*|^&vX!jO^C S5@'5*,3#=(K0I.K.W<cA +c= jCrKrK](f/^][T[\T{JN RW^&i0kSbS$bT$eU(fW)jZ-l`:znKɤԸռԼ־u_T8Q4T5P5N4 J2 O5X?bHX=W<^AhIuT*]3l:n?~KKPD>LWUNLIPKHHLHGŞQɣYϧ^ӮcȨaʧaѫcɤ^Ȥ\ƞUʣZǠWǞV×NǛPϥZի^ի`Х\ΦYҨ]ʡXLȚPȕH̞MϢR֯`ݸiװaΤZЦ[̣ZI6z4p+i*g'g%n'k#_]!^'ZVyQX_&\#XWX#\'a/^)['U vKvJlBb;^7Z5X5 W5_<Y3`9 ]7 Y5 U2S0O/K+L+I&M*L,T/T0 T/ a6a:c:c;iAhAe<d;b<b9a=a>]9\:Z9Q2 R3U3 T6O2 H,H.I,L1T4P0 +P0 S2 ^;b?hCrH!oIqK$oIqHrIqIpFnEa9]3P*P+J*P0[: fDsR a&k1rAt@yAtk5f1d-z\(u\)iPjM^?S5L0E)=&;$:E+K/]=c? +`= bCjFb:a8a=fB a< +`<c= a;dAmIqNwK rHtK RURyK|M +N Ua'k4nW"bQ#_Q cU&hW,i\2l_8xUɤҶӹ׾Ȥ~q~qWvfHucIkFb;f?|^6xR0oM2dEc?^?T6O3Q1Q6O7I0 I1 I3 J1 N5 ^AfF kJ|W%h0qAr9x8}@~ANJKOWTMÙPȞTGFHM™QMŚUǟZͤ_ʨbà\SJTĜV™URHėNŗNŘIȝTЧZӫbҪ_ҫg̠W”GĔDѥ^խbӪZׯc޹htrߵdѨVŝQėRE7w2v5l)m'r3m*j(b"[Z!Y X[&T!rFo@ oEzOvIrHuLxNsKrJsImEoDj> d: b;b;_9 ^9Y6 W4S1 O-J, H)G*K- N,L*M+W3 \6\5b:a<`6c;b=c=gAkI'oK)kDkI$gDeFd@a=\:S1 P1 N.U8R4 O1 P2 E*I-M1S3 T4Y7]:`=iFlDjEoGpHqHoFlFe>]7 P/K,L*L-K.V:Z;_@Z? 
aEfHiMbF`GX<T: P5F-A)?%47259F.Y< +fG rRxQU_!ZVSuI +vLiD nD lE c=`;^6`8a;`:_7f<nBtFxIxK +vI}O {M zMZf1gOaQ#^NfU#fX)iZ1h[5gͱչԽ׾ʹ˰ëƼpwRpQjMpTnQeFuT4qQ5kH(b@b>\>V:L5 F0 +H4D,G3K7D. D1 +Q7cFrV(~Y-e1l9l=k6z@JKPUŜSˤ\ȡWśP™QšWRLEQTNšSVŸZOSQMOHEOƟQΡVФ[Ψ]Φ^ҨfѨbШ^Ԫ`Ӫ_ЧZ΢UϢSٱcܵiٰagikhӫV׬YڴoְkĚR?z4r6m%l'n*j+e'`[[QqG nE uLvJvIX%[$c-_(a)`*_'UtKnDa9 f?d=b>W6 Q2 T4 O1J+M/ V4 V3 R. +O-S0 W3 W3 V2 T0U0 U2 N+ Y5`;hEqJ%mGqI%qI(uO+tN)nGjE nD#kD%b?a=\>T7M/I, +M0K/ K/ N/ +L/ P2 W6Z6 \;Z8a>dBkGnGoH!pGpDpFe;^8U/T1R0H)J)H)D)>#A'>#<$9657#3=$<C&L-O+P/]> lI|RW]$Z#YZ\ZXZVQN O +xN +mIvGg:g<j?h>i>qDtGyL uHvJyL +lClB ySt]*cP^MdR!_Q&hX,jZ0m^5rγҷ־ϸϸθͷγ̵͵ƾ~kq^|gK}iGx\5wY;wZ6jHiE Y=U:R;H1G3C1F1F1B- B0 A+S9_Cx[2pM{O\*i+p3x6LIPQLÙVUX—VKSPMDMLMÜTVPPQNOŝVƝUȠXШ_ԩ]ѧbϥ`̣XΦZҩ]ө\ѥWϢMөUݻlܸn۰_׫Wߴ_jgg۷jyvsܷpѨf—PVHHu.n)g*h&f%_%^!W!WWX{SxOoKpIuKrIzRtLtJyR%}V$]'xSeA^9 Y6 V6Y4P0X8 W2 +V2 S0Y6 ^:Z6V2 +S. T0N*L( N+T3_:[8]8a<lI(jB!lI$pG#nG#nI$oI!nHhCa@^<\8X6T3 S2 +J.Q2 N/O0Q1S2 Q0V6 Z6 ]7 `<b>d<g=h>d:h=jAh< e<j@e?`; Y4 Z6 +T/S1Q.L,H(I,P0P/V3R1W3a9 +f? c:e; oEvJ~N|MPXVYXY[XZZW[\YYR |LyJtK wL }O S R}K{KvFl> +a8nGiS aOcR&_P aR$`P#hX+l^5ҵԺսͳδͲͲεδεθйϻ̵Ĭĸtt]{gLv^9u^;v]\:b?jGyU&~W!`"g(o5v7{:EI[×^NKLHGLOF:CDKQMÙVÛTOVɞU΢ỤUͣWѥWΥXХT΢Q͡OʝHʜIΣSԪ]ٱ_֬Z۱^iڰaհ`ܶellsˁzy߼qְjհk԰gӪaΥ]Gt/p0o2j(g!`"_ _"SsNmGe=h? d? +b> kHsNyQwPyT!sM mGiCa;^7 Y7Y8 [:W4 T2 T1T2 +Y5U1 V2 +Y5 X3S/ J+K,R0P/Q2U4R0T1S2Y8bAa@jG"iFhEcBbAa=dA^:^<\:\:T1 P/K*J,K)T2 Y2\5 [4 +Z1 \5]5Z3 +_6Y0^6`6 d7 b8 `6 d;f;e;e=f<d9e;b8 `8 a9 a8 a8 a8`8a8 h=c8c:k@rGzKxJOQRQUWY_\]ZYVVY\^][^dm(gd[{P iB `9gFiP_M]LeR&_P!cS%m]1rb=ҹվվտζкϸйͼ͵лйкκйϺкм˶ŮĹvx`}qUua>nV5iW8bR6XB&]B%^DT<M2 K0 I1 F1 F2 H3 D. G.P5 T9 `BhHX"^)j.m7m5}FSJJQMKLVP<<@AB@IQMLPÚRǞWǞWɠTʠSȟRˢWˡQ̠QΣWϢQԩ\׫]֪YժZ֯cիZЪXѥQ׮]կ\ܷcrxyoݸoܷoty}xլgȝY `?hEb< kBoJuQ"}V&^+xRlFlHpN pNb@T5 J/O0T0[8\9W5W4S4L0N.N/Q3I.L1H- D( A* +B( +H, O3P4V5]<aA!`CdBiE`?[:bAfAdBS2 K*L,L*R*U1U1 T0 +T,Q. +S, U- +U, S. 
+R+R,O+V0Q,S1 X2Y7 `9_:a<`5 c5 d7 f8a3 +e7e8 c7 d8 a5_3]3a6j@o@ +o@xE +vB{G LN O T ]Z``YVR VY[^bfl"t)t)n(h aW}SpMdOaQ#`O"aO"dT(eV,h[-ugBջԾռҾѼλμϻн̺ι϶ϼλйηϺ˱˳ìqz_sbEiO6iO*cK*fI-Y=\< V5P1M1 I. I0A- D/K4P4O3hE}_,b1^,a({EKONHJUYRKIMMF{88>DCDGORƝVǞU™NLŝQɟOȠQʣTɠNШW֬_ҩY֮^׬X׮]ѪXհ_׳aֲ]ڵhٵeٵhܸnܸo߼rwwwwzyݹvԮpĞZ?A?}<}:u,f$Z#RW#[#}VnGjEkDmGvN}PyOoJlIsOxSvQfER8 O3Y9 b>`=V4T3 T4K/J,M.L/L0J.I. H, F+ @& A(<#<& @( D+ J/ U8V7Y9\:\9d@gD!_>c@mF`;Y6X0 R,S.W3S. P,O*S. V1 Y1 V0 N+I)I)E(I+F%H,N/ +Q0 O-T. +X1 ]2 _5]4a6 d7 +d7 f: e9`5f; +e9f;j=j<h9j;n@rAsDsCzITU\ZYVTXU Y]\glm$m'q*p&if'g&]%gS%]N!\N"^R$aQ$fX/i[.}pNԻ׿ѻкӿϷѸηͶδѹѺҹйϻҼѺζɳŻs}g{lRp[AkO6mM8jG-c?!Z7_D#T2N2M5G,C-S4 [:a@iHtJ!]1d7n9uBxEr?r6>FKQTXR~>{6=AE?8>:FPKHIKJNIDÚKϢUФVөXԫXֲaٶhݾpu߽sزiձeԯgױkٴmܺp߾vw߾wu{t޸yٳoЩ_ɡZ̥_ěRSD9z@r7p3r2e$UxOsOrMtKqHf? +]= hEnExQ{U#W$sQrQoImH kD iAgCf? V7L0K0M.H, F* +I.H/ H- B+ B(A):%<';%?'?%E, E+ F+ +N1N0W7X7jCtJ!wN%mDe=b:Z4V0 U,U- +X/ +[2\5_4\1 X1 U. S/Q-J)E%G%E(E)G(H(D$H)K+L*S-X1[1]4c; +^3d: d8e8g8h9k;j9j9l;n;o<n=p={IM RQ XX \\`fgk"l jhi"h!g#f%b"^#bS![M [O%[P&^O#cS(hV.|Z̶ӼտռԿһϹϹккѽϻѻѼѻϺӾѺѹζ̷ín~kTv`KrXa=oK"yT$Y(["b$k,l'q-x=ROTTQTPLCDMKNM>=?DIHKGOJN̦Zկ^ֲaӲfΪ_ͧbճlմkֶk״kձkѭdհgڵkٶlװhزe۷k۵iزlڶnٱkЩ`ԮcشhְmΧdǞVęYĝ]SIR@aY]&YVvStQsKpIwOX!`$a%[SxJnEqJrIqJ%Y7K. Q3Y8`@U6 L/D. 
I/ H0I1I/ G/ ?&>);%:%?%?&D+ +B)B&D* C) P1 a>a<e>d=e?f?_<_5[5Y3Y/ X0 ^3b6e8b6c7`6 ]2 W,T+K)I+H)H*I'G(C'H&J%J&M*O+P*R,U/[3b7_4f6f6i9k:j:k;l;l<i7uB{FN S S ]]`cg"i l#o%r(kff!f!e%d$Z ^MWMZM&ZN$cV1bV,lZ2qˮպԼ׾ӽԾӽӽѺϹйҺѻϹѺѻθιпѻ͸Ǵns\hM{`GgN,qU6aFP4 L2J4J3H*Q4P8N7 \<gCwS|UU `*i)s:u5z@KOVQJNORQPG:5v+v%>AEEFFKFŝQϩYֳ`ѫ`ɣ^ͧaƟXϭdײk׶n׵iӰeЫ`հdԪaѨ_ΥW˟VƚRěQϥbЧbЧ^ձfݹmsڶkխbϦ_̤bʟ^ɜWĖNG?t2w.u:l._%TTY`a`"\XyNpIsJlF iFY9T5 U3a=gBnGnJ!cCW:N4 Q6P5 N5L0 C,?'>'='A+ +D- F- B*?(;!?&qAwE~LP R VW\\d!ai!n)p(l%h#i*g%d&e&vT^NZN#[N(\O)`S.cV5j^<δӹռҸԾտտԾӾһѻкйѹ϶ҽѻпѼҾ͹ѻϹη˵ùbnKrZ7sZ=jT5`D'_B&\B$P6L4M0 P1L3Q;b?kHpGzR&](f,l8{BIMQNZ[VPMA}3s'q%s&v+w/:ADNHFIœM̩\ЯdִlմlճjҮdѭc׵mֵpԱjӬgӫgҪcͦ^ɟYOOśUˢYШ^ԩ_֬^۲hشiܶh߶nݷrԩiǛUĕQǗQ’LGțQǜTG>|6p,j"c[ Y]XZ!yQuNnHgD_>R4P3W; dBoLvQwT$jIeE`>eCbBhEX7P1 Q3 +K/J/ G.G.E+ B*:"58#;#<#<#?&>"C&G(N- R1V1W1U/W0V0 Y3X0 +X0 V1 \7`:j;sA"o?h:m<sAh9]0 \/]0 Y/Y-Y,[0[0\1`1a2]._0b3i7i7j8p@tD +l;n>sCxH |J PTYXZX_`eg"d b^`"d'e-uY#YLVKZN#]Q(_S+_R/i]9ѻҺҺӾӽӾվտԾӽѻҼκѺҼмϼϺӽҽԾӽѺͳkzaoOvd=w[7iM'gO#\DI5K4R7 Y?]AaBpN${U"a-\*c3h3l:~EGOQQLJJCG?}9t1p0}:CMLǥYHH›QPʥ\ЬbӬeѬeϩ^زjӱiЬbˣ^ţ\ɤ[̥aÛSTTOƝTȟVˢXҥ]ͥ]͡Uѧ]ӧaխhׯkѩbȟUǜR–QėOϣYש^ԧZңUϠR͞T’G?;x7v4u0q.g&c$WwNqKaA aB aB +gDnGqKuOrMtLqKrKsLsLtM vP$pJlG`<P3Q6L1C)@'C* :"9"7#6 8#<&8">%B(C'M+L, M- L+ M-Q. Q- N. H*F)M/ X3a7c:b8j<sD!rCj<l<p@sAj< f7h7j:d3d5`0]/d2g4j8g5i7p>p@l<g6l<qAwFNTWWZZ^]ac]USP["^'hQ#[M!ZN$]P*[O(cU/dX2rgDкҹԼӽҼӽӽվԾѽмҼҼкҼտԾҽӻӼԼѹӻкƪĺ{mqMt`>fR7cJ-]G W?K8P=M8U:fM(tV-pO%qN wM]&g.p8{=y>x9@CDGGI=~={5;;BIIUVSTRSǣ`ʥ\ɢVȣWʥYŜPORşWʟWɠYǟ[śWśUOŘOřOĖM™N™NŚOШ_ԪaѧYˣVΥ[ˠUȡS͢UԨ`Ӧ\Ӧ]٬aةYب[֥VΟKҝRӡZΛNʕJŕL=?z9g!]VZYSwPyM|R~U{QyOtIuJvLuNvNoIlEjHgEiL!hM$gL$_BY=[@F.:&6";(8$8#9#<%C&D(B(@%@&H+J, G)F)F(I)K* Q- T. Y2X0 ]4b5c7n;uByEvFq?q= o9 i8l= i9i6k9l: i9k8g4h8h7k9k9n=pBtE +uG}O}RSY\VZ]`c#\RzMtMqS#gO!\J\Q']J&ZO&ZM(aT/ulIѻѺҺѼԾҼԾԾӼԾϹӾҼлԾӻӻҺԽӺѸҹԻҺʳtoNsc>gZ9gT&hR([DX>]<E5 +V9W:b?qHyS$^']!e-n.v5y7|8=AA@{4::<;BFXSKTX\PQUPMIIIIǙPƝZƙTřRNKJKCAǘJˠRΟRʝOΣTҦXХTѥWԨZԨ[ӥ]Ԧ^է]զ[֨Zڭaڭ_߱bܮeګ^بVبY֧XԣVǘGEA?%<%;%8"9 =%?%?%B(C'E)H*P- R0 R. Q,U. X4 a4 q9t>t=vAu=v<u>uCs? r8wA uA vB s>s>m=i9f5m;p@q? 
i<g= oG qHoFwOvNtLtNyQ[^XvL +tItOiP#bN"[IXJ"^Q-_R-]R'e[2bæ϶изҹտӾӽҼҼվһӻսҺԽԽһսԼиӻԸҹҺ̲ǰs~]qDxa>oU.ZI%ZAY@Y;]=dAkGqNyU](_)r8p0y7t3x5|=>>}:~7{4>IMIGKPNDQOOMFFA}9@K?ILIGHFGØEʜMɜPʞTϤWХZΣV̝L͟RΠXΟVҤ\ӥ\̞U̝PϡR٬`ܱ^g޴fݱ^ڭ`שYӣQԥRϟKʛJțJəJȚPDFHx3o,b#S|QWV}WsMa<e@ fFhLwX"^.a.]-Z(~\'jKaGX>]CY?O5P:O8F-@*C, +A*?) @*=#=&8 <$=$@'B'G+I,L+H(G'J)P- V.U. a5b5 i8 n9l5o< t?r;wB {GyBzD +}HvE zHxGwEtD j<e;e= mFiA +kBlFjDiA hA h@ qFtNnH_;`?^E`N$ZK#YO#WJ"ZM(^Q+\P(cW/nʹϹѹϵйҽҽҼӾӽտҺӽӽҽӽԿԽһδγǻ}brW}b@mY6gM)aD^@gMgM!\=hFqO[$^&f0j2h1v9?=z9x6~>AKFAB@~6~;y7?ALKE>~:~ĘJƜSʠYˢXΣVɜJʟLƙI˜JΟTΠM˜LɚIȘG̝NΠMҥQԦSФQΡMУPҥSѤPҡN˘Hœ@ĔA”EǚLǚNŘPJABfClHpN!cJaEeK^CR6 L4 N5 +O4P4L3 E+>&>%>%>%9<";:< C$K%N&N)Q)X-V*[0 `3 e5d6 g9 pA{IxCOR!V#S!Y&X X ^$^f/a+|T"nKnMlIc; T6K1P7 UDXHWK [N)]P-^P+`T,g]7ɪϸиѸѹѼкѹӻվԽԿҹԻֽ׽Ӻ־־ֽѸʭȾpyYyjGqY1mP&cM ]C^= d?nM%[+\'h/p9s5y8~>H~?~@=:~8y6u/p-u3v8{=~;AAAA=>GKFFJDA=7558=>DDƖJ͞U͛KƖE’EC::BǛLəJƗGĔGC:7;ɛHÔB8>38:=7BÔLǚTǙSGB=:3~5v4t1o,l'p-n(n,l)f(b \ |TxQuLvQrMkLhImLiIfGjJkJa@W;W; X<F.?'>&A(B(;#<"78<"@#A$D$F%F'K)J)L)N,Q/P.X7 _5`5 h=uGwIO"T$S!Y"a(h/k2j0c+b.[&X#pKjE`AX@WFTHXL#ZM&\O)\O,bU/xmN̰иηγҹзҼкҼտռֿ־վֿռ־ֽռԺѷȮr`tLmY1eO*bP$`HiJlJoLV'`.m3n/n0w<B@;A=y7x8s2v7w8z={>{>x=x9@BDD<;6EH?54}6w0z2}4{3>BIėLED;/32?DĔGǗKB66?ŖCŕDÓCA?6y/}-9ÔIțP͠[ʛSŗIȘNϟ[əGʚFșIʚQŕHAB4x/v.r(r+o,l'j%`VxRsMnMlJiElHzS"xTuOkHsNvPbCO7 R7 Z<R5 P4 P8 C/ +:(@(B(E+H*H*G*G)M,L-I*G*I(J*K(O+O*X2b9h= h?qE{LX#W!_(c0b.a-`+X!~M|NqI`HTCUJWJ"ZO$ZM(^R-`R,xXÿ̳εκклѻϺҼӽտտտռ׾־տսԼԼֽӹӵϵĬkxTp_5jV.gP(eEdDxR|RR!]*`&h,n4q5|?}@{;DGw;w;n3t8r6s:u<|B{Bx:w5u.r)~8;867~58:|9x3}8:6A=@8y,66;=DC==?=Ŕ@ƕCǗIÓAŗI•CC46@ƙK˞T͞U͞R͞SƕJΝNѡOש_ש`٬^ۭ`ٮZЦW˞N5/6=6|1x2m!j&c!e,^&~X!{S|R|S|UW%X UzUqKqK"hFhFoNdB`CR;R8 S7 S8N4 H*I+H-G*H+H+E'E&I'A$E'G%O.Y5\6[8 [7b; hBnFqKwOwPyO!S |P{L{R vT!fMUFWJ$VI"YK&YL'\P*_R-l¨͵϶ѻзкϹѻлӽԾԾӽӾӿԿֿֿ׿־ؿֿ־վӻҽʱūúmyQxc6jY-jN d?iEtMyOY$]'d.k4o3zC}CEC|Ay>v:u9w8z:w7v7u4q+n+u/z2{.|49:=CAv-|6w0o#t,w.853>AA=@@DĔDÓCƗFəHȗCĖHƘJʞPǜNęMD>9<”EĔI˛KҤU֩[ҥS׫XثWТPҤUت^ܰ_گ`֬YϞJɗAœ>ǖEɘG̛LʙMœH;4z2u3r,m.f#[WZ!\&[XSV#qIpJmHmJjElLwW#rRgGZ8 Y8 \@R8V9P2L4 E*B%D(K+N.H)N.O0P1M-R0T3U3 X5 Y7 b> [: 
a=b=gClIoQ#mT&fM"YHXK#XG\J'[N*_S5dY4nʰ̲ͳ̶ϷѹӽӽԿտտҿԾԿտӾԼԿʲƨƼx]wh=cO$cJgGiEpH|Q Xb,g/o;zH{Ez@s9t:t:v:w:w>AHB|:w4t.q.n+n)u0{-5:DHGÓG“C“DțMȚI̞N˝MʝIǚLƛLřIƙGǚHHDD>?A<˚KӤTتVߵ_߷^۰_ϢNѤPӤRԥRԤPѡN͞K̝G˙FΞKӥQРNӤQӣOԧUУUʛLAJ;q.f!i'h)c ^XZyPuMqKnNqM['i0d/xU"aDgLnT&wY2nP&bES8 +L.F.L4X:O0K-F(F+F(G,J.K-O/N-R1P/S2U3Y8 Z8 `?dJ`N"aN#XGRBSEXL)YN+^S3gZ:ũδ̴ιҼӽԾӾԾѼҿҿҿѾҽҿԿԾԾӽӼӾԹέɬŻ}]ndɘFӤS׬Wݳ`ۮ_٭Y֩V֩VکXѣOΚDȖA;Ŕ@ĔA͜HѣPԧSڭ[ٯ^ح]۱cٮ^׭\ԩ]ͣYțRŗNHFGB9o)p1g.o6x@|Cw<|HIvAk:y['pQtPvUf2j2i4b0~Y*sM'hB^>[<V9S2Q2S1\8Y8 +U5N0O4S6U: +X=aI`L VH"UH!WI&XL*ZO1_T6znQ˱˳ͷ̶ԾԿҽӾӿսӻѺзɯ˲ҽֿйƬs[vRya;w]4sS'W)_/b-c+j2u=x>y;x9v:u8w7u6v9u8r1r6s5w7v9v8BG<;:<>:@”JțRʝMɝK@Bu6w8v6t9y9z:{>|=}9|8;ABCFFHE>=0AKϧ[Ҩ\ʡT˜P–KÖFDCÓC@B>‘B@>ƗAțKѢQթVתSתV٭[ٯYܱ\۰^ڰ\תT׫YԦTѤQըXԨVӨX֪]֬_֫^֬bѩ_Ҫ_֭dիdҪbШ`ͥ^̤Zͣ[Чcͥ]ϧb̤_ǙWF@{3t,j+g$dr5~FDBr.f*}WwQrJoHkE jD dCoHTxSrM\< P5O3U;U=V>bK]IQEPBVF!VJ&YL,\P3qĨʮδͶϹӾӾӽӾӿӼֿԾζ̵ստҹ׽Իѷʮ§ueVxGt=o8p:f.k3q8u:x>~Cz<}?v7y=xCDA;935;IʡVԨZˣUɢUƜP–IE“JƙKǚLƖJÖHB“C“BÓB@?̛LҥN֧WѦUԧVѥ]ӧVث[ح\٭XجWثWڭZ֫W׭Zح^ح]֭^֭aҪ]ѧ\̟TФVϦ^ͤ[ʡWʡWʠWϧ^խdխbծeӫ`Ҧ_ʜTH??{2{:y3x6{7|m9n:u@|Hw;|C{C}C~C{?w8z:|={9|JțPƜOɡVǞSěQ—KE•GǗKǙMǙOĕJ×JCA>@A=H•HGĖK•EǘH͞R֩[گ[ۯ_٭XۯZگ[޴cܳcٲbڳhխbΤZˢWɠQШ\Υ]ˢZɠUȞTʟUͥ[Ӭd֮eӫbѧ\ө`Υ\̟SśQĘNI<=7:{3p'n#k-k,_~UzSzSXW~VwPnKb?fEfEdEZFgO ZGL=PE$SF%VK(YL-laCμ˲ͷθѼѿӿԿӾԹҿӻֽվսֿ׿׿ּҶɮǽzlY|NzF|DJ~HFEE~AFBx7y9y;|8~8:w6p&j'[[ 
tTrRsR%tT&pV&WFI;QDRE#[N.\N.zoS˱ͷͷѼԽҾҾӾҿտǵ~׿ջеɮʺ¯v[UWxAw<~Dx?s7r4x@z;|;{=|;|<{:}=~A@?HFKG><@>;989@BDH–I˜NÙNB@A=8CAC@ŕG̟VʠTǜỌYͦXͦYȠUɦ[ѩ]ӫdЩfΨaѩ^ʡRɟSͤZͤWΥXˡUˢT̤ṾVѨ[Ѫ^ѩZѩ[Ѩ[լ`խbҫa֮aױbر_ծ^̥SϤSɝMȟTƞXěQSKK~7r0p6k9j:g1pZ(WGMCPCWK'SG&\M.}gĻ̴ϹθлҾҿԿԻ¼qøԾٿؼѸɩƷk\~Ms~={>A}>}>{;|=~=>~;@HGGÖLGCCDH˜HØMÙN™OÛOŚMIŜRɠQǝVŚU˜PʡWʤ\ͤ`̢^ɟYȞUɡYˢWͤVˢXɠRȟSǝRɠRΥWϧ]Ѩ\ΥVΩZΧYΩ[Ϩ]ԫbԫ[خbױ_֯]ի]ӨZӧ\Ҩ\̤WϨdΨcƠ`ĚZIQTN{Jq[+SFNEPCSH#UJ+]P4~fĻζϹкҾԾ̴vç׿ֽֽ־ּӼͳģķtcQzHyE{@}A|AC~Bw:xs=sEBC?CAAHIMMNQěWÜTÛROMšP›QŚQśPęN›NHJEK×MHƚOÖIŘIŘNǛOʜNȟPȞOˢW̤VΥXͤVӭbկjױnֶrմpͧaȣ_ʣcĠa]x=kW$VJTJ"SG!UH"`T6l_HεкϹѺѾտmӼؾؾ׾Էϰƨŷ|fXMPLMDDx=y5w9u6p.s1v2~;z6}:{8~;~;~;;?ECF7>8>COšVLNPĞWÞUPQIQKšOFNĝUÚRNJ™O˜KD™KĚNLØKDIÕIŚMƚPŚQƜNȟSЩeЫfέkΪf̥`ʣ`ɥešcYzFkS#ZN#\P)XK%[O&_S.ynQεϷиѼӿӿҼտԿӾyjؿԺαˮʽqd^KG{Aw9m/m2k-l/m/v8x6}=}:;}:>|>C<;>JKIDCA~=DMMLEQUŸ\USUSß[àXƢZ̨b˨dʦ`ʧ_̩bɢ[ŝRÜQORPH@@GENOZĢj£kXj3jVhS"gU,hW,fY/o\;~īз϶кҼվԾԿӾӾԾտ|kwȶԼӸȪßƻqZMzCzJ|H{@z?y=y?wJNKGHPVWWVŸ^]QLBORœXPLPTedfgOsa+jZ(m\/l[-m\1xi=vũζкϷӻԿտѽԿӽԿӿ|kѽֽϹŪǽvp_`SNNNONPVXTPI|?}>>GPRPPW[VTUTVQHGPYVLIIP[a]\Jo`.hY*m\1p_3sc:xPαѸѸϸӻӾԿԿҾŠ|eӾѷʯɼzynih[UVZ_`XPNQRJQTW\XYVSTNOKKKMLLBGQ]c_WyAp`0k]-k\0m^2vg>oæϵҹҺӺһԼսӾӽԾտԾѽҾԿӿҿēqɾҽֿҷѸƪæɿƹñvwlnea_Z\YVTTVWYVRRONJONNI=>?ENV[TRq8o^+l^.qb4ue{r βѷзҸӺԾԾӽտӾҿҿӿεؿսжɰ¥;¶|ndjf_\TRXSLKQTWQKM~DJMR^YQi9o_-pe7reChĺѶѹӸԹӻҼտտԾԾн϶׾չҺδŦɺwof]YZVUOPYTOPIK~KSY[~Nwf7o_4rf>z]ɯҹҹԺӻԽԼԿԾտտԿҼӾѾӿѿҺֿռҹҹεäͼĵò}qeYWXNPL}I|J~NUL~MqIwe9rf=zVĭѸҹѼһӾҼտӾӽԿҾѼҿҾ \ No newline at end of file From 60ccc1a748bf3d26201411479146d0798e1ecff9 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Mon, 1 Dec 2014 21:39:01 -0500 Subject: [PATCH 0167/1352] Update changelog for v11.1 --- Changelog | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/Changelog b/Changelog index 73e837891b..b9d8dd0f27 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,25 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 11.1: + +- Replace lena.pnm (debian#771126) +- Treat all '*.pnm' files as non-text file +- opusdec: make sure all substreams have the same number of coded samples +- lavu: fix memory leaks by using a mutex instead of atomics +- lavu: add wrappers for the pthreads mutex API +- mp3enc: fix a triggerable assert +- resample: Avoid off-by-1 errors in PTS calcs. (libav#753) +- imc: fix order of operations in coefficients read +- hevc_mvs: make sure to always initialize the temporal MV fully +- hevc_mvs: initialize the temporal MV in case of missing ref +- h264: reset ret to avoid propagating minor failures (libav#750 / lp#905753) +- hevc: Initialize mergecand_list to 0 +- mpeg12: Always invoke the get_format() callback +- h264: Always invoke the get_format() callback +- Update default FATE URL for release/11 +- apetag: Fix APE tag size check + version 11: - libx265 encoder - shuffleplanes filter From 1cc6fef0671c5522c952671ee06bf973135a22c4 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Mon, 1 Dec 2014 21:39:37 -0500 Subject: [PATCH 0168/1352] Prepare for 11.1 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index b4de394767..ef32e3201b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -11 +11.1 From 93df243a59e4c0152b50c4da97a6bbe13d1ee357 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Dec 2014 13:23:24 +0100 Subject: [PATCH 0169/1352] avcodec/motion_est: use 2x8x8 for interlaced qpel Fixes out of array read Fixes Ticket4121 Signed-off-by: Michael Niedermayer (cherry picked from commit b50e003e1cb6a215df44ffa3354603bf600b4aa3) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 81ee2bd6b3..aae215f1d2 100644 
--- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -193,7 +193,13 @@ static av_always_inline int cmp_inline(MpegEncContext *s, const int x, const int int uvdxy; /* no, it might not be used uninitialized */ if(dxy){ if(qpel){ - c->qpel_put[size][dxy](c->temp, ref[0] + x + y*stride, stride); //FIXME prototype (add h) + if (h << size == 16) { + c->qpel_put[size][dxy](c->temp, ref[0] + x + y*stride, stride); //FIXME prototype (add h) + } else if (size == 0 && h == 8) { + c->qpel_put[1][dxy](c->temp , ref[0] + x + y*stride , stride); + c->qpel_put[1][dxy](c->temp + 8, ref[0] + x + y*stride + 8, stride); + } else + av_assert2(0); if(chroma){ int cx= hx/2; int cy= hy/2; From 89dbef73296645b849371fa916b5656442406801 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Mon, 20 Oct 2014 00:09:55 -0400 Subject: [PATCH 0170/1352] v4l2: Make use of the VIDIOC_ENUM_FRAMESIZES ioctl on OpenBSD Make use of the V4L2 VIDIOC_ENUM_FRAMESIZES ioctl on OpenBSD. Signed-off-by: Michael Niedermayer (cherry picked from commit 04a4fb81b3d1a92f52b5404738da8971c018946f) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 83983cc7c1..c93876a7ed 100755 --- a/configure +++ b/configure @@ -4944,6 +4944,7 @@ check_header linux/videodev2.h check_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_safe struct_v4l2_frmivalenum_discrete check_header sys/videoio.h +check_code cc sys/videoio.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_safe struct_v4l2_frmivalenum_discrete check_func_headers "windows.h vfw.h" capCreateCaptureWindow "$vfwcap_indev_extralibs" # check that WM_CAP_DRIVER_CONNECT is defined to the proper value From 864c0c50eb0e7a112b20007459b0cb94b61cb8d3 Mon Sep 17 00:00:00 2001 
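Review bot: The new `else av_assert2(0);` arm in the qpel branch is the only handling for a (size, h) pair that matches neither case, and av_assert2 is compiled in only at the higher assert levels, so in a normal build that path would leave `c->temp` unwritten and the code after it would presumably compare against stale buffer contents. If such a combination cannot occur, a comment next to the assert should say why; if it can, the arm should fill the block or bail out rather than rely on the assert. The arm is also the only unbraced one in the chain; `} else { av_assert2(0); }` keeps it consistent with the two branches above it. cmp_inline starts before and continues after the hunk.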
From: Julien Ramseier Date: Sun, 14 Dec 2014 02:00:04 +0100 Subject: [PATCH 0171/1352] avconv: Use the mpeg12 private option scan_offset Introduced in aed790070486b1b01b48106310d9d0ca1730e459 Bug-Id: debian/773055 CC: libav-stable@libav.org Signed-off-by: Luca Barbato Signed-off-by: Anton Khirnov (cherry picked from commit fd665f7f48fa7db89eb9a93ac33919f6adc40f9d) Signed-off-by: Anton Khirnov --- avconv_opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avconv_opt.c b/avconv_opt.c index 2d0691252a..6d43bc1609 100644 --- a/avconv_opt.c +++ b/avconv_opt.c @@ -1825,7 +1825,7 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "maxrate", "2516000"); opt_default(NULL, "minrate", "0"); // 1145000; opt_default(NULL, "bufsize", "1835008"); // 224*1024*8; - opt_default(NULL, "flags", "+scan_offset"); + opt_default(NULL, "scan_offset", "1"); opt_default(NULL, "b:a", "224000"); From 8815ddc29fa43049413c032638bd39945c15fd01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Dec 2014 04:32:23 +0100 Subject: [PATCH 0172/1352] configure: create the tests directory like the doc directory This fixes an issue where the tests directory is not created for out of tree builds before its needed Tested-by: Dave Yeo Signed-off-by: Michael Niedermayer (cherry picked from commit e631872f13b6be0583603d45a11e53319754bc8d) Signed-off-by: Michael Niedermayer --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index c93876a7ed..2104232881 100755 --- a/configure +++ b/configure @@ -5628,6 +5628,7 @@ enabled getenv || echo "#define getenv(x) NULL" >> $TMPH mkdir -p doc +mkdir -p tests echo "@c auto-generated by configure" > doc/config.texi print_config ARCH_ "$config_files" $ARCH_LIST From da52c0ebc641acd652254d14fc93751d46d6a129 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 16 Dec 2014 15:01:05 +0100 Subject: [PATCH 0173/1352] avformat/hdsenc: Use av_freep() avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 16d763fa45b95783c6770edc559769d9a83d6a10) Signed-off-by: Michael Niedermayer --- libavformat/hdsenc.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/hdsenc.c b/libavformat/hdsenc.c index 1f77785f95..7530aa9150 100644 --- a/libavformat/hdsenc.c +++ b/libavformat/hdsenc.c @@ -145,15 +145,15 @@ static void hds_free(AVFormatContext *s) if (os->ctx && os->ctx_inited) av_write_trailer(os->ctx); if (os->ctx && os->ctx->pb) - av_free(os->ctx->pb); + av_freep(&os->ctx->pb); if (os->ctx) avformat_free_context(os->ctx); - av_free(os->metadata); + av_freep(&os->metadata); for (j = 0; j < os->nb_extra_packets; j++) - av_free(os->extra_packets[j]); + av_freep(&os->extra_packets[j]); for (j = 0; j < os->nb_fragments; j++) - av_free(os->fragments[j]); - av_free(os->fragments); + av_freep(&os->fragments[j]); + av_freep(&os->fragments); } av_freep(&c->streams); } @@ -506,7 +506,7 @@ static int hds_flush(AVFormatContext *s, OutputStream *os, int final, if (remove > 0) { for (i = 0; i < remove; i++) { unlink(os->fragments[i]->file); - av_free(os->fragments[i]); + av_freep(&os->fragments[i]); } os->nb_fragments -= remove; memmove(os->fragments, os->fragments + remove, From a4ffcf024e99fa4d8410883c1d1d9946e423bf0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 15:03:32 +0100 Subject: [PATCH 0174/1352] avformat/flvdec: Use av_freep() avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 91ea466551c148bd897706a1b6a168e783761a06) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 12d25b20ae..4b014cec67 100644 
--- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -623,7 +623,7 @@ static int flv_read_close(AVFormatContext *s) static int flv_get_extradata(AVFormatContext *s, AVStream *st, int size) { - av_free(st->codec->extradata); + av_freep(&st->codec->extradata); if (ff_get_extradata(st->codec, s->pb, size) < 0) return AVERROR(ENOMEM); return 0; From 195e8ecacc8b81b71e86d283ce7742bbdc230826 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 16:24:55 +0100 Subject: [PATCH 0175/1352] avcodec/vmdvideo: Check len before using it in method 3 Fixes out of array access Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd) Signed-off-by: Michael Niedermayer --- libavcodec/vmdvideo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vmdvideo.c b/libavcodec/vmdvideo.c index fa0fbe32d4..a2ba1c959b 100644 --- a/libavcodec/vmdvideo.c +++ b/libavcodec/vmdvideo.c @@ -339,6 +339,9 @@ static int vmd_decode(VmdVideoContext *s, AVFrame *frame) ofs += slen; bytestream2_skip(&gb, len); } else { + if (ofs + len > frame_width || + bytestream2_get_bytes_left(&gb) < len) + return AVERROR_INVALIDDATA; bytestream2_get_buffer(&gb, &dp[ofs], len); ofs += len; } From 64fdce7802632801d36f9d3973a065e0e011c154 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 20:45:31 +0100 Subject: [PATCH 0176/1352] avcodec/utvideodec: Fix handling of slice_height=0 Fixes out of array accesses Fixes: asan_heap-oob_25bcd7e_3783_cov_3553517262_utvideo_rgba_median.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3881606240953b9275a247a1c98a567f3c44890f) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 05c943f808..abf550b081 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -214,6 +214,8 @@ static void restore_median(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride; // first line - left neighbour prediction @@ -269,6 +271,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride; From 65d426bddd0b9210788bf9be7af21b80b30d422a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 21:14:40 +0100 Subject: [PATCH 0177/1352] avformat/mov: check atom nesting depth Fixes call stack overflow Fixes: case1_call_stack_overflow.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit caa7a3914f499f74b3ee346f26d598ebdc0ec210) Conflicts: libavformat/isom.h --- libavformat/isom.h | 1 + libavformat/mov.c | 13 ++++++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index 979e967d14..6fb0c4d41b 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -171,6 +171,7 @@ typedef struct MOVContext { int *bitrates; ///< bitrates read before streams creation int bitrates_count; int moov_retry; + int atom_depth; } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); diff --git a/libavformat/mov.c b/libavformat/mov.c index ae48c02287..06037174b5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -3172,6 +3172,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVAtom a; int i; + if (c->atom_depth > 10) { + av_log(c->fc, AV_LOG_ERROR, "Atoms too deeply nested\n"); + return AVERROR_INVALIDDATA; + } + c->atom_depth ++; + if (atom.size < 0) atom.size = INT64_MAX; while (total_size + 8 <= atom.size && !avio_feof(pb)) { @@ -3201,6 +3207,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) { av_log(c->fc, AV_LOG_ERROR, "Broken file, trak/mdat not at top-level\n"); avio_skip(pb, -8); + c->atom_depth --; return 0; } } @@ -3237,13 +3244,16 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) int64_t start_pos = avio_tell(pb); int64_t left; int err = parse(c, pb, a); - if (err < 0) + if (err < 0) { + c->atom_depth --; return err; + } if (c->found_moov && c->found_mdat && ((!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) || start_pos + a.size == avio_size(pb))) { if (!pb->seekable || c->fc->flags & AVFMT_FLAG_IGNIDX) c->next_root_atom = start_pos + a.size; + c->atom_depth --; return 0; } left = a.size - avio_tell(pb) + start_pos; @@ -3263,6 +3273,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (total_size < atom.size && atom.size < 0x7ffff) avio_skip(pb, atom.size - total_size); + c->atom_depth --; return 0; } From ea5b4c682caeb8beb2617a031211a89fbb1ad01a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 21:29:27 +0100 Subject: [PATCH 0178/1352] avformat/mov: fix integer overflow of size Fixes: case1_call_stack_overflow.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 06037174b5..7806ef564e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
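Review bot: The depth counter added to mov_read_default is balanced by hand, with a `c->atom_depth --;` placed before each return touched here (the increment in this hunk, then the hunks at -3201, -3237 and -3263), so any return path not visible in these hunks, or added later, would leave the counter raised and eventually trip the `> 10` limit on well-formed input. Moving the existing body into a new static helper and pairing the counter in one place is harder to get wrong: `c->atom_depth++; ret = helper(c, pb, atom); c->atom_depth--; return ret;`. The limit would also read better as a named constant with a comment on why that depth is enough, for example `#define MOV_MAX_ATOM_DEPTH 10`. The function body is only partly visible in these hunks.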
@@ -1453,7 +1453,7 @@ static void mov_parse_stsd_audio(MOVContext *c, AVIOContext *pb, static void mov_parse_stsd_subtitle(MOVContext *c, AVIOContext *pb, AVStream *st, MOVStreamContext *sc, - int size) + int64_t size) { // ttxt stsd contains display flags, justification, background // color, fonts, and default styles, so fake an atom to read it @@ -1518,10 +1518,10 @@ static int mov_rewrite_dvd_sub_extradata(AVStream *st) static int mov_parse_stsd_data(MOVContext *c, AVIOContext *pb, AVStream *st, MOVStreamContext *sc, - int size) + int64_t size) { if (st->codec->codec_tag == MKTAG('t','m','c','d')) { - if (ff_get_extradata(st->codec, pb, size) < 0) + if ((int)size != size || ff_get_extradata(st->codec, pb, size) < 0) return AVERROR(ENOMEM); if (size > 16) { MOVStreamContext *tmcd_ctx = st->priv_data; From dce726f0914fa34523420e34faf2ef696ddcea1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Dec 2014 22:21:21 +0100 Subject: [PATCH 0179/1352] swscale: increase yuv2rgb table headroom Fixes out of array access Fixes: case2_bad_read_yuv2rgbx32.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index f6932943b8..bfd24c95a5 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -39,7 +39,7 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long -#define YUVRGB_TABLE_HEADROOM 128 +#define YUVRGB_TABLE_HEADROOM 256 #define MAX_FILTER_SIZE SWS_MAX_FILTER_SIZE From da811dfc93a9e3d5f9669acd3dd5f1703b8cb21e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 01:31:48 +0100 Subject: [PATCH 0180/1352] avcodec/h264: make the first field of H264Context an AVClass Fixes use of freed memory Fixes: asan_heap-uaf_3660f67_757_cov_1257014655_Hi422FR1_SONY_A.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
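Review bot: In mov_parse_stsd_data the new guard `(int)size != size` rejects only values that do not fit an int, so a negative `size` still reaches ff_get_extradata(), and an oversized atom is reported as AVERROR(ENOMEM) although it is a malformed-input condition. An explicit range test states the intent and avoids the implementation-defined narrowing cast: `if (size < 0 || size > INT_MAX) return AVERROR_INVALIDDATA;` ahead of the ff_get_extradata() call. Whether ff_get_extradata() itself rejects negative sizes cannot be seen from here. mov_parse_stsd_subtitle gets the same `int64_t size` parameter in the first hunk, but its body is outside the hunk, so any narrowing there should be checked as well.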
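Review bot: Raising `YUVRGB_TABLE_HEADROOM` from 128 to 256 comes without the bound it is meant to satisfy, so nothing in the header tells a reader whether 256 covers the worst-case table index or only the reported sample. A comment on the define stating the largest index excursion the lookup code can produce, and for which inputs, would make the next change checkable, for example `/* headroom on each side of the yuv2rgb tables; must be >= <derived maximum excursion> */`. If that excursion depends on caller-supplied colourspace coefficients (not visible here), the lookup side should clip the index rather than rely on headroom alone.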
Signed-off-by: Michael Niedermayer (cherry picked from commit f3b5b139ad853b6f69c6a0b036815a60e7b3f261) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index b94f06b6d1..cb7e6f9246 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -338,6 +338,7 @@ typedef struct H264Picture { * H264Context */ typedef struct H264Context { + AVClass *av_class; AVCodecContext *avctx; MECmpContext mecc; VideoDSPContext vdsp; From cd51f41791395d76a015851295a88d06069117c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 03:14:21 +0100 Subject: [PATCH 0181/1352] avcodec/indeo3: use signed variables to avoid underflow Fixes out of array read Fixes: signal_sigsegv_1b0a4da_1865_cov_2167818389_computer_anger.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3305acdc92fa37869f160a11a87741c8a0de0454) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index d38765ea40..cafed5172b 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -94,7 +94,7 @@ typedef struct Indeo3DecodeContext { int16_t width, height; uint32_t frame_num; ///< current frame number (zero-based) - uint32_t data_size; ///< size of the frame data in bytes + int data_size; ///< size of the frame data in bytes uint16_t frame_flags; ///< frame properties uint8_t cb_offset; ///< needed for selecting VQ tables uint8_t buf_sel; ///< active frame buffer: 0 - primary, 1 -secondary 
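Review bot: The new `AVClass *av_class;` member in H264Context only does its job while it stays the first field of the struct, and nothing in the struct says so. A one-line comment such as `///< must remain the first member: logging code reads an AVClass pointer at offset 0 of the context` would stop a later reorder from reintroducing the problem. The pointer is conventionally declared `const AVClass *av_class;`, as in AVCodecContext, and the hunk does not show where it is assigned, so it is worth confirming that a NULL value is acceptable on every path that passes the H264Context as a logging context.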
@@ -899,7 +899,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, GetByteContext gb; const uint8_t *bs_hdr; uint32_t frame_num, word2, check_sum, data_size; - uint32_t y_offset, u_offset, v_offset, starts[3], ends[3]; + int y_offset, u_offset, v_offset; + uint32_t starts[3], ends[3]; uint16_t height, width; int i, j; From bd62554ad243a94ee483c48adac29297d16f9fa2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 15:33:05 +0100 Subject: [PATCH 0182/1352] avcodec/dcadec: Check that the added xch channel isnt already there Fixes null pointer dereference Fixes: signal_sigsegv_369609d_623_cov_2008234281_ES_6.1_16bit.dts Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7d593495e42e92693cc8f3ce9b42cf3edcea377a) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index 82d96d281c..7d798b00fb 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -2359,6 +2359,10 @@ FF_ENABLE_DEPRECATION_WARNINGS #else if (s->xch_present && !s->xch_disable) { #endif + if (avctx->channel_layout & AV_CH_BACK_CENTER) { + avpriv_request_sample(avctx, "XCh with Back center channel"); + return AVERROR_INVALIDDATA; + } avctx->channel_layout |= AV_CH_BACK_CENTER; if (s->lfe) { avctx->channel_layout |= AV_CH_LOW_FREQUENCY; From de882ec2b15f02eed000f1ee357ab81344b18684 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 19:42:57 +0100 Subject: [PATCH 0183/1352] avcodec/hevc: clear filter_slice_edges() on allocation This avoids use of uninitialized memory Fixes: asan_static-oob_17aa046_582_cov_212287884_DBLK_G_VIXS_1.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8aa8d12554868c32436750f881954193087219c8) 
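Review bot: In decode_frame_headers the local `data_size` stays `uint32_t` while `ctx->data_size`, which presumably receives it, became `int` in the first hunk of this patch, so a header value above INT_MAX would turn negative on assignment. Making the sign handling explicit where the value is stored would be clearer, e.g. `if (data_size > INT_MAX) return AVERROR_INVALIDDATA;` before the assignment, which is outside the hunk. The split declaration would also benefit from a comment such as `/* signed on purpose: header offsets with the top bit set must compare as negative */` on the `int y_offset, u_offset, v_offset;` line, since the reason for mixing `int` and `uint32_t` here is not obvious from the code.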
Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 309b3854e9..2acc192b9e 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -108,7 +108,7 @@ static int pic_arrays_init(HEVCContext *s, const HEVCSPS *sps) if (!s->tab_ipm || !s->cbf_luma || !s->is_pcm) goto fail; - s->filter_slice_edges = av_malloc(ctb_count); + s->filter_slice_edges = av_mallocz(ctb_count); s->tab_slice_address = av_malloc_array(pic_size_in_ctb, sizeof(*s->tab_slice_address)); s->qp_y_tab = av_malloc_array(pic_size_in_ctb, From a9c77e5c227bc8c23778def2f7180b987d4da5c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Dec 2014 21:27:37 +0100 Subject: [PATCH 0184/1352] avcodec/h264: Clear delayed_pic on deallocation Fixes use of freed memory Fixes: case5_av_frame_copy_props.mp4 Found-by: Michal Zalewski Signed-off-by: Michael Niedermayer (cherry picked from commit e8714f6f93d1a32f4e4655209960afcf4c185214) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 12713de56b..7914c46074 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -391,6 +391,7 @@ void ff_h264_free_tables(H264Context *h, int free_rbsp) if (free_rbsp && h->DPB) { for (i = 0; i < H264_MAX_PICTURE_COUNT; i++) ff_h264_unref_picture(h, &h->DPB[i]); + memset(h->delayed_pic, 0, sizeof(h->delayed_pic)); av_freep(&h->DPB); } else if (h->DPB) { for (i = 0; i < H264_MAX_PICTURE_COUNT; i++) From b6dc16bd95375e99a0a887496eb22071ff0001f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 02:09:23 +0100 Subject: [PATCH 0185/1352] avcodec/hevc_ps: Check diff_cu_qp_delta_depth Fixes undefined behavior Fixes: asan_static-oob_17aa046_582_cov_1577759978_DBLK_G_VIXS_1.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
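Review bot: Only `filter_slice_edges` is switched to av_mallocz() in pic_arrays_init; the two allocations visible right below it, `tab_slice_address` and `qp_y_tab`, still come from av_malloc_array() and start out uninitialised. If a damaged stream can make the decoder read an entry of either table before the slice that writes it has been decoded (the readers are outside the hunk), the same uninitialised read remains there. Either zero them as well, e.g. `av_mallocz_array(pic_size_in_ctb, sizeof(*s->tab_slice_address))`, or add a comment stating why they are always written before use.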
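Review bot: The added `memset(h->delayed_pic, 0, sizeof(h->delayed_pic));` in ff_h264_free_tables has no comment explaining why a table that is not itself freed is cleared in the branch that frees `h->DPB`. Judging by the commit subject its entries point into the DPB array; if so, a note such as `/* delayed_pic[] entries point into DPB, which is freed below */` documents the dependency. Any other member that keeps pointers into DPB (none are visible in this hunk) would need the same treatment in this branch, and the function continues outside the hunk.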
Signed-off-by: Michael Niedermayer (cherry picked from commit 3281fa892599d71b4dc298a426af8296419cd90e) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index d79740a949..0cd2269409 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1257,6 +1257,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) if (pps->cu_qp_delta_enabled_flag) pps->diff_cu_qp_delta_depth = get_ue_golomb_long(gb); + if (pps->diff_cu_qp_delta_depth < 0 || + pps->diff_cu_qp_delta_depth > sps->log2_diff_max_min_coding_block_size) { + av_log(s->avctx, AV_LOG_ERROR, "diff_cu_qp_delta_depth %d is invalid\n", + pps->diff_cu_qp_delta_depth); + ret = AVERROR_INVALIDDATA; + goto err; + } + pps->cb_qp_offset = get_se_golomb(gb); if (pps->cb_qp_offset < -12 || pps->cb_qp_offset > 12) { av_log(s->avctx, AV_LOG_ERROR, "pps_cb_qp_offset out of range: %d\n", From bb97f243baa05aff35c1a1bbc6921b95a0378f5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 03:16:39 +0100 Subject: [PATCH 0186/1352] avcodec/h264: Check *log2_weight_denom Fixes undefined behavior Fixes: signal_sigsegv_14768d2_2248_cov_3629497219_h264_h264___pi_20070614T182942.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 61296d41e2de3b41304339e4631dd44c2e15f805) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 7914c46074..ba5bb407cc 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -991,6 +991,16 @@ int ff_pred_weight_table(H264Context *h) h->luma_log2_weight_denom = get_ue_golomb(&h->gb); if (h->sps.chroma_format_idc) h->chroma_log2_weight_denom = get_ue_golomb(&h->gb); + + if (h->luma_log2_weight_denom > 7U) { + av_log(h->avctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", h->luma_log2_weight_denom); + h->luma_log2_weight_denom = 0; + } + if (h->chroma_log2_weight_denom > 7U) { + av_log(h->avctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", h->chroma_log2_weight_denom); + h->chroma_log2_weight_denom = 0; + } + luma_def = 1 << h->luma_log2_weight_denom; chroma_def = 1 << h->chroma_log2_weight_denom; From e2324b5b371c613faed33be52b6908da540557d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Dec 2014 18:57:27 +0100 Subject: [PATCH 0187/1352] avcodec/indeo3: ensure offsets are non negative Signed-off-by: Michael Niedermayer (cherry picked from commit 368642361f3a589d7b0c23ea327d988edb434e3f) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index cafed5172b..9fde0fdf6c 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -982,7 +982,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, ctx->y_data_size = ends[0] - starts[0]; ctx->v_data_size = ends[1] - starts[1]; ctx->u_data_size = ends[2] - starts[2]; - if (FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || + if (FFMIN3(y_offset, v_offset, u_offset) < 0 || + FFMAX3(y_offset, v_offset, u_offset) >= ctx->data_size - 16 || FFMIN3(y_offset, v_offset, u_offset) < gb.buffer - bs_hdr + 16 || FFMIN3(ctx->y_data_size, ctx->v_data_size, ctx->u_data_size) <= 0) { av_log(avctx, AV_LOG_ERROR, "One of the y/u/v offsets is invalid\n"); From 396195c50591a655c6c444925e813ae6a45cb3cc Mon Sep 17 00:00:00 2001 
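Review bot: In ff_pred_weight_table an out-of-range denominator is logged at AV_LOG_ERROR and then replaced by 0, after which parsing carries on, so a corrupt slice header yields a weight table built from a substituted value instead of a reported failure. Returning `AVERROR_INVALIDDATA` from both new branches would make the failure visible to the caller, provided the callers (outside the hunk) handle it. Separately, `chroma_log2_weight_denom` is read from the bitstream only when `h->sps.chroma_format_idc` is set, so for monochrome streams the new check tests whatever value the field already held; assigning `h->chroma_log2_weight_denom = 0;` in that case, or moving the check inside the `if`, avoids that.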
From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 0188/1352] jvdec: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 8. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer See: 105654e376a736d243aef4a1d121abebce912e6b These should be redundant, but are backported for saftey anyway (cherry picked from commit e012cb8dea7969c7b3927dbf846ef2742cd4a7ab) Signed-off-by: Michael Niedermayer --- libavcodec/jvdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 47e8edcae6..9c4a8d4ca3 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -43,6 +43,13 @@ static av_cold int decode_init(AVCodecContext *avctx) { JvContext *s = avctx->priv_data; + if (!avctx->width || !avctx->height || + (avctx->width & 7) || (avctx->height & 7)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From 9bafd6a8f6a013c5f45141f596574a9a3fbfb561 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 0189/1352] mmvideo: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 2. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer See: 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e These should be redundant, but are backported for saftey anyway (cherry picked from commit b0273232d8fffdc8a977ccdad460b8071a0e353c) Signed-off-by: Michael Niedermayer --- libavcodec/mmvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index 9ff6393aec..51d455964d 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c 
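Review bot: The dimension test added to decode_init accepts negative sizes, because `!avctx->width` and `(avctx->width & 7)` both let a value such as -8 through; the same pattern is used in mm_decode_init in the mmvideo patch that follows. If the generic open path already rejects non-positive dimensions (not visible here) this is harmless, but since the check is added as an extra guard it may as well be complete: `if (avctx->width <= 0 || avctx->height <= 0 || (avctx->width & 7) || (avctx->height & 7)) {`. The check also runs only at init, so a later size change would bypass it; whether this decoder can see one is outside the hunk.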
@@ -61,6 +61,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (!avctx->width || !avctx->height || + (avctx->width & 1) || (avctx->height & 1)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From 3ea49fc5081d63277ecbc12ed440af4b02ddfdf9 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 4 Oct 2014 12:40:35 +0200 Subject: [PATCH 0190/1352] vc1: Do not assume seek happens after decoding If a seek is requested before the decoding start there is no current picture. CC: libav-stable@libav.org (cherry picked from commit 3e348ecfc6ab1830e43288a9e12e8f0a000afbcb) Signed-off-by: Luca Barbato --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 8ad4f0f7de..4c9ff036c3 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5503,7 +5503,7 @@ static void vc1_sprite_flush(AVCodecContext *avctx) Since we can't enforce it, clear to black the missing sprite. This is wrong but it looks better than doing nothing. */ - if (f->data[0]) + if (f && f->data[0]) for (plane = 0; plane < (s->flags&CODEC_FLAG_GRAY ? 1 : 3); plane++) for (i = 0; i < v->sprite_height>>!!plane; i++) memset(f->data[plane] + i * f->linesize[plane], From f30a89e15f9ffa77fd2484d6ae73067f319133b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sat, 20 Dec 2014 00:17:43 +0100 Subject: [PATCH 0191/1352] avformat/rsd: make tag_buf string larger av_get_codec_tag_string() uses more that 1 char for unprintable characters. (cherry picked from commit edbbb11488e1fce9b9703535936d2e1731e2e318) --- libavformat/rsd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index bb2f3bc7a2..1eff5de7e6 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c 
@@ -70,7 +70,7 @@ static int rsd_read_header(AVFormatContext *s) codec->codec_tag = avio_rl32(pb); codec->codec_id = ff_codec_get_id(rsd_tags, codec->codec_tag); if (!codec->codec_id) { - char tag_buf[5]; + char tag_buf[32]; av_get_codec_tag_string(tag_buf, sizeof(tag_buf), codec->codec_tag); for (i=0; i < FF_ARRAY_ELEMS(rsd_unsupported_tags); i++) { From c4e18917d4f7cf9ff27895330e43289f2ac00e89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 19:05:56 +0100 Subject: [PATCH 0192/1352] avformat/aviobuf: Fix infinite loop in ff_get_line() Fixes ticket4152 Signed-off-by: Michael Niedermayer (cherry picked from commit eac5c7b8377f3f0e8262ab44e5ccb2c7ed060cdd) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 9795ba46df..b1752cd234 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -674,7 +674,7 @@ int ff_get_line(AVIOContext *s, char *buf, int maxlen) if (c && i < maxlen-1) buf[i++] = c; } while (c != '\n' && c != '\r' && c); - if (c == '\r' && avio_r8(s) != '\n') + if (c == '\r' && avio_r8(s) != '\n' && !avio_feof(s)) avio_skip(s, -1); buf[i] = 0; From 117dcc209796eaec36da0fdeb82ae05c22de5c61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:01:18 +0100 Subject: [PATCH 0193/1352] avformat/rmdec: Check codec_data_size Fixes infinite loop Fixes Ticket4154 Signed-off-by: Michael Niedermayer (cherry picked from commit a6f730730b82645a9d31aad0968487cb77d6946c) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 5d9c9b5b4f..d7f7b93df8 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -312,6 +312,9 @@ ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, int64_t codec_pos; int ret; + if (codec_data_size < 0) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); From f36b3c5df97da465757563b7e14c90a9f9e7537e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 20:21:56 +0100 Subject: [PATCH 0194/1352] swscale/x86/rgb2rgb_template: fix crash with tiny size and nv12 output Fixes Ticket4151 Signed-off-by: Michael Niedermayer (cherry picked from commit 8524558858b7e14bc50afa10233e0194f591ab9d) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 7796d384bb..e71c7ebfe3 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,6 +1887,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; + if (width >= 16) #if COMPILE_TEMPLATE_SSE2 __asm__( "xor %%"REG_a", %%"REG_a" \n\t" From 82db2f2ac8c3aaf731e50f584646798edf73f378 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Dec 2014 03:06:43 +0100 Subject: [PATCH 0195/1352] ffmpeg: drop usage of coded_frame It causes all kinds of problems and there is no code in the muxers that reads this field Signed-off-by: Michael Niedermayer (cherry picked from commit 242f1152bf906a4a3164a9a8e40bd52723bd5afe) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index ee8039cce8..ffcb9dd92e 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
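Review bot: The new `if (width >= 16)` in interleaveBytes has no braces and sits directly above `#if COMPILE_TEMPLATE_SSE2`, so the statement it guards is whichever one the preprocessor leaves in place, and the `#else` arm of that conditional is outside the hunk. If any variant emits more than one statement there, the guard attaches only to the first of them, and it could just as easily swallow a tail loop that must still run for narrow rows. Bracing the block makes the intent independent of the build configuration: `if (width >= 16) {` before the `#if` and a matching `}` after the `#endif`. A short comment stating the minimum row width the asm needs (presumably one 16-byte iteration) would also help.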
@@ -978,10 +978,8 @@ static void do_video_out(AVFormatContext *s, /* raw pictures are written as AVPicture structure to avoid any copies. We support temporarily the older method. */ - mux_enc->coded_frame->interlaced_frame = in_picture->interlaced_frame; - mux_enc->coded_frame->top_field_first = in_picture->top_field_first; - if (mux_enc->coded_frame->interlaced_frame) - mux_enc->field_order = mux_enc->coded_frame->top_field_first ? AV_FIELD_TB:AV_FIELD_BT; + if (in_picture->interlaced_frame) + mux_enc->field_order = in_picture->top_field_first ? AV_FIELD_TB:AV_FIELD_BT; else mux_enc->field_order = AV_FIELD_PROGRESSIVE; pkt.data = (uint8_t *)in_picture; From fd72ff6f31f9626e1e871079cf4f2259b26f1a27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Dec 2014 18:58:38 +0100 Subject: [PATCH 0196/1352] doc/examples/transcoding: check encoder before using it Fixes null pointer exception Found-by: stoupeace Signed-off-by: Michael Niedermayer (cherry picked from commit bde27e1e617dfeb3c026f530f48a77f5ed8aa2ea) Signed-off-by: Michael Niedermayer --- doc/examples/transcoding.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/examples/transcoding.c b/doc/examples/transcoding.c index a8f4210e6e..d7c4a84de9 100644 --- a/doc/examples/transcoding.c +++ b/doc/examples/transcoding.c @@ -116,6 +116,10 @@ static int open_output_file(const char *filename) || dec_ctx->codec_type == AVMEDIA_TYPE_AUDIO) { /* in this example, we choose transcoding to same codec */ encoder = avcodec_find_encoder(dec_ctx->codec_id); + if (!encoder) { + av_log(NULL, AV_LOG_FATAL, "Neccessary encoder not found\n"); + return AVERROR_INVALIDDATA; + } /* In this example, we transcode to same properties (picture size, * sample rate etc.). These properties can be changed for output From 95c298b125022779bef5ec261c3118028fff4750 Mon Sep 17 00:00:00 2001 
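Review bot: The new failure path in open_output_file() returns `AVERROR_INVALIDDATA`, which tells the caller the input was corrupt when the actual cause is that no encoder is available for the codec. `return AVERROR_ENCODER_NOT_FOUND;` describes the condition. The log string is also misspelled and does not say which codec was missing; `av_log(NULL, AV_LOG_FATAL, "Necessary encoder not found for %s\n", avcodec_get_name(dec_ctx->codec_id));` would fix both. As this file is example code that users copy, the error reporting is worth getting right.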
From: wm4 Date: Sat, 6 Dec 2014 16:53:30 +0100 Subject: [PATCH 0197/1352] avformat/matroskadec: fix handling of recursive SeekHead elements When matroska_execute_seekhead() is called, it goes through the list of seekhead entries and attempts to read elements not read yet. When doing this, the parser can find further SeekHead elements, and will extend the matroska->seekhead list. This can lead to a (practically) infinite loop with certain broken files. (Maybe it can happen even with valid files. The demuxer doesn't seem to check correctly whether an element has already been read.) Fix this by ignoring elements that were added to the seekhead field during executing seekhead entries. This does not fix the possible situation when multiple SeekHead elements after the file header (i.e. occur after the "before_pos" file position) point to the same elements. These elements will probably be parsed multiple times, likely leading to bugs. Fixes ticket #4162. Signed-off-by: Michael Niedermayer (cherry picked from commit 6551acab6877addae815decd02aeca33ba4990c8) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index e3cd1e4ecc..26717dfbb3 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1412,13 +1412,17 @@ static void matroska_execute_seekhead(MatroskaDemuxContext *matroska) EbmlList *seekhead_list = &matroska->seekhead; int64_t before_pos = avio_tell(matroska->ctx->pb); int i; + int nb_elem; // we should not do any seeking in the streaming case if (!matroska->ctx->pb->seekable || (matroska->ctx->flags & AVFMT_FLAG_IGNIDX)) return; - for (i = 0; i < seekhead_list->nb_elem; i++) { + // do not read entries that are added while parsing seekhead entries + nb_elem = seekhead_list->nb_elem; + + for (i = 0; i < nb_elem; i++) { MatroskaSeekhead *seekhead = seekhead_list->elem; if (seekhead[i].pos <= before_pos) continue; 
From 787e4d12daf53bd389fc455d5981502b7c9a5256 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Dec 2014 13:30:51 +0100 Subject: [PATCH 0198/1352] avformat/flvdec: fix potential use of uninitialized variables Signed-off-by: Michael Niedermayer (cherry picked from commit 0fadbd3623cf9132832f48810c0edb93aa63f51b) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 4b014cec67..9e0ee2f551 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -459,11 +459,11 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, } if (key) { + acodec = astream ? astream->codec : NULL; + vcodec = vstream ? vstream->codec : NULL; + // stream info doesn't live any deeper than the first object if (depth == 1) { - acodec = astream ? astream->codec : NULL; - vcodec = vstream ? vstream->codec : NULL; - if (amf_type == AMF_DATA_TYPE_NUMBER || amf_type == AMF_DATA_TYPE_BOOL) { if (!strcmp(key, "duration")) From 3b332ef33cecc71b74c6d12b1d0000a3733b788d Mon Sep 17 00:00:00 2001 From: Rob Sykes Date: Sat, 13 Dec 2014 21:12:56 +0100 Subject: [PATCH 0199/1352] swresample/soxr_resample: fix error handling Fixes CID1257659 Signed-off-by: Michael Niedermayer (cherry picked from commit 4b6f2253741f3023928e61ae5105ccd4b1c515fb) Signed-off-by: Michael Niedermayer --- libswresample/soxr_resample.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libswresample/soxr_resample.c b/libswresample/soxr_resample.c index 064451df45..9e87f2fc4b 100644 --- a/libswresample/soxr_resample.c +++ b/libswresample/soxr_resample.c 
@@ -76,8 +76,12 @@ static int process( AudioData *src, int src_size, int *consumed){ size_t idone, odone; soxr_error_t error = soxr_set_error((soxr_t)c, soxr_set_num_channels((soxr_t)c, src->ch_count)); - error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, - &idone, dst->ch, (size_t)dst_size, &odone); + if (!error) + error = soxr_process((soxr_t)c, src->ch, (size_t)src_size, + &idone, dst->ch, (size_t)dst_size, &odone); + else + idone = 0; + *consumed = (int)idone; return error? -1 : odone; } From 0d277be45ae9bfbf4fb51408c3f3ef5b42296d66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Dec 2014 17:26:11 +0100 Subject: [PATCH 0200/1352] avformat/aviobuf: Check that avio_seek() target is non negative Fixes out of array access Suggested-by: Andrew Scherkus Signed-off-by: Michael Niedermayer (cherry picked from commit ed86dbd05d61363dc1c0d33f3267e2177c985fdd) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index b1752cd234..d39b0c12eb 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -221,6 +221,9 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) return offset1; offset += offset1; } + if (offset < 0) + return AVERROR(EINVAL); + offset1 = offset - pos; if (!s->must_flush && (!s->direct || !s->seek) && offset1 >= 0 && offset1 <= buffer_size) { From 0fb2b616142e42a3384cafc4281dfa196c7b4be6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Dec 2014 19:46:31 +0100 Subject: [PATCH 0201/1352] avformat/utils: Do not update programs streams from program-less streams in update_wrap_reference() Fixes Ticket3686 Signed-off-by: Michael Niedermayer (cherry picked from commit a29524bf2e197dd8d582445de0fe17f03b79f79d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index d9ffaed0b9..b657b9e8b5 100644 
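Review bot: The `offset < 0` check added to avio_seek() runs after `offset += offset1;`, so for a relative seek a large caller-supplied offset overflows the signed 64-bit addition before the test is reached. Signed overflow is undefined behaviour, not a guaranteed wrap to a negative value, so the compiler may drop or reorder the new test. Rejecting the case before the addition, e.g. `if (offset > INT64_MAX - offset1) return AVERROR(EINVAL);` in the branch that adds offset1, closes that path. This assumes offset1 is the non-negative current position at that point, which the hunk does not show; the function starts and ends outside the hunk.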
--- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -568,6 +568,8 @@ static int update_wrap_reference(AVFormatContext *s, AVStream *st, int stream_in int default_stream_index = av_find_default_stream_index(s); if (s->streams[default_stream_index]->pts_wrap_reference == AV_NOPTS_VALUE) { for (i = 0; i < s->nb_streams; i++) { + if (av_find_program_from_stream(s, NULL, i)) + continue; s->streams[i]->pts_wrap_reference = pts_wrap_reference; s->streams[i]->pts_wrap_behavior = pts_wrap_behavior; } From 14d6ea0c459ca22b818977859d2476783fcc7d1a Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 15 Dec 2014 04:32:58 +0100 Subject: [PATCH 0202/1352] lavu/frame: fix malloc error path in av_frame_copy_props() The error path frees all side data, but forgets to reset the side data count. This can blow up later in av_frame_unref() and free_side_data(). Signed-off-by: Michael Niedermayer (cherry picked from commit a400edbb6d00c0211de38e4f1b4f593681db91d8) Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/frame.c b/libavutil/frame.c index 4ee06306ce..5c9aa2914c 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -503,6 +503,7 @@ int av_frame_copy_props(AVFrame *dst, const AVFrame *src) free_side_data(&dst->side_data[i]); } av_freep(&dst->side_data); + dst->nb_side_data = 0; return AVERROR(ENOMEM); } memcpy(sd_dst->data, sd_src->data, sd_src->size); From 820f41e1a1b4fc2ad74bdb4a598c29d3427af1a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Dec 2014 18:04:40 +0100 Subject: [PATCH 0203/1352] Add FFMPEG_VERSION into the binary libs This simplifies identifying from which revision a binary of a lib came from Signed-off-by: Michael Niedermayer (cherry picked from commit 649c158e8c94ac0cff7f03e97d6ea8bbf71b7f02) 
Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ libavdevice/avdevice.c | 3 +++ libavfilter/avfilter.c | 3 +++ libavformat/utils.c | 3 +++ libavutil/utils.c | 3 +++ libpostproc/postprocess.c | 3 +++ libswresample/swresample.c | 3 +++ 7 files changed, 21 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 4e95ab039a..0888beb062 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -66,6 +66,9 @@ #include "compat/os2threads.h" #endif +#include "libavutil/ffversion.h" +const char av_codec_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + #if HAVE_PTHREADS || HAVE_W32THREADS || HAVE_OS2THREADS static int default_lockmgr_cb(void **arg, enum AVLockOp op) { diff --git a/libavdevice/avdevice.c b/libavdevice/avdevice.c index 6a75bd79d7..c391931ac2 100644 --- a/libavdevice/avdevice.c +++ b/libavdevice/avdevice.c @@ -23,6 +23,9 @@ #include "avdevice.h" #include "config.h" +#include "libavutil/ffversion.h" +const char av_device_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + #define E AV_OPT_FLAG_ENCODING_PARAM #define D AV_OPT_FLAG_DECODING_PARAM #define A AV_OPT_FLAG_AUDIO_PARAM diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index 7b114676aa..8628445ed0 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -37,6 +37,9 @@ #include "formats.h" #include "internal.h" +#include "libavutil/ffversion.h" +const char av_filter_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + static int ff_filter_frame_framed(AVFilterLink *link, AVFrame *frame); void ff_tlog_ref(void *ctx, AVFrame *ref, int end) diff --git a/libavformat/utils.c b/libavformat/utils.c index b657b9e8b5..6ff4570f5c 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -53,6 +53,9 @@ #include "riff.h" #include "url.h" +#include "libavutil/ffversion.h" +const char av_format_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + /** * @file * various utility functions for use within FFmpeg 
diff --git a/libavutil/utils.c b/libavutil/utils.c index aafd3b909e..da8b5ae2d3 100644 --- a/libavutil/utils.c +++ b/libavutil/utils.c @@ -27,6 +27,9 @@ * various utility functions */ +#include "libavutil/ffversion.h" +const char av_util_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned avutil_version(void) { static int checks_done; diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 670908ca9f..a42b0794a5 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -89,6 +89,9 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks #include "postprocess_internal.h" #include "libavutil/avstring.h" +#include "libavutil/ffversion.h" +const char postproc_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned postproc_version(void) { av_assert0(LIBPOSTPROC_VERSION_MICRO >= 100); diff --git a/libswresample/swresample.c b/libswresample/swresample.c index c325513efa..991aa13204 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -28,6 +28,9 @@ #define ALIGN 32 +#include "libavutil/ffversion.h" +const char swr_ffversion[] = "FFmpeg version " FFMPEG_VERSION; + unsigned swresample_version(void) { av_assert0(LIBSWRESAMPLE_VERSION_MICRO >= 100); From 5d1d143a4eb482033d8e3d3e65469b7e16dedad9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Dec 2014 02:51:59 +0100 Subject: [PATCH 0204/1352] Update for FFmpeg 2.4.5 Signed-off-by: Michael Niedermayer --- Changelog | 33 +++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 35 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 28fe41f777..3aa4ef52b9 100644 --- a/Changelog +++ b/Changelog 
@@ -3,6 +3,39 @@ releases are sorted from youngest to oldest. version : +version 2.4.5: +- lavu/frame: fix malloc error path in av_frame_copy_props() +- avformat/utils: Do not update programs streams from program-less streams in update_wrap_reference() +- avformat/aviobuf: Check that avio_seek() target is non negative +- swresample/soxr_resample: fix error handling +- avformat/flvdec: fix potential use of uninitialized variables +- avformat/matroskadec: fix handling of recursive SeekHead elements +- doc/examples/transcoding: check encoder before using it +- swscale/x86/rgb2rgb_template: fix crash with tiny size and nv12 output +- avformat/rmdec: Check codec_data_size +- avformat/aviobuf: Fix infinite loop in ff_get_line() +- vc1: Do not assume seek happens after decoding +- mmvideo: check frame dimensions +- jvdec: check frame dimensions +- avcodec/indeo3: ensure offsets are non negative +- avcodec/h264: Check *log2_weight_denom +- avcodec/hevc_ps: Check diff_cu_qp_delta_depth +- avcodec/h264: Clear delayed_pic on deallocation +- avcodec/hevc: clear filter_slice_edges() on allocation +- avcodec/dcadec: Check that the added xch channel isnt already there +- avcodec/indeo3: use signed variables to avoid underflow +- swscale: increase yuv2rgb table headroom +- avformat/mov: fix integer overflow of size +- avformat/mov: check atom nesting depth +- avcodec/utvideodec: Fix handling of slice_height=0 +- avcodec/vmdvideo: Check len before using it in method 3 +- avformat/flvdec: Use av_freep() avoid leaving stale pointers in memory +- avformat/hdsenc: Use av_freep() avoid leaving stale pointers in memory +- configure: create the tests directory like the doc directory +- v4l2: Make use of the VIDIOC_ENUM_FRAMESIZES ioctl on OpenBSD +- avcodec/motion_est: use 2x8x8 for interlaced qpel +- Treat all '*.pnm' files as non-text file + version 2.4.4: - avformat: replace some odd 30-60 rates by higher less odd ones in get_std_framerate() - swscale: fix yuv2yuvX_8 assembly on x86 
diff --git a/RELEASE b/RELEASE index 79a614418f..59aa62c1fa 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.4 +2.4.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index e8638e36c7..0b229d5e00 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.4 +PROJECT_NUMBER = 2.4.5 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 4afe2684d8f50b28ce6743c7ee999f3157c9857f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Dec 2014 04:09:01 +0100 Subject: [PATCH 0205/1352] Makefile: add dependencies which require ffversion.h Without this ffversion.h could sometimes be built too late Signed-off-by: Michael Niedermayer (cherry picked from commit 4ae87554f3c8bc54db572873f5049427a7e6cb31) Signed-off-by: Michael Niedermayer --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 57f6a91c47..3058ba0d75 100644 --- a/Makefile +++ b/Makefile @@ -111,7 +111,7 @@ endef $(foreach P,$(PROGS),$(eval $(call DOPROG,$(P:$(PROGSSUF)$(EXESUF)=)))) -ffprobe.o cmdutils.o : libavutil/ffversion.h +ffprobe.o cmdutils.o libavcodec/utils.o libavformat/utils.o libavdevice/avdevice.o libavfilter/avfilter.o libavutil/utils.o libpostproc/postprocess.o libswresample/swresample.o libswscale/utils.o : libavutil/ffversion.h $(PROGS): %$(PROGSSUF)$(EXESUF): %$(PROGSSUF)_g$(EXESUF) $(CP) $< $@ From 577f1feb3fd1e51fd14af7ce6d79d468faa3b929 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 12 Aug 2014 14:39:10 +0000 Subject: [PATCH 0206/1352] mov: avoid a memleak when multiple stss boxes are present CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 64f7575fbd64e5b65d5c644347408588c776f1fe) 
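Review bot: After `av_freep(&sc->keyframes);` in mov_read_stss() the old entry count is left in place, so if the following `av_malloc()` fails the stream context holds a NULL table together with a non-zero count. Adding `sc->keyframe_count = 0;` right after the free keeps pointer and count consistent on the ENOMEM return, and on any later early return while the table is being filled. I am assuming the count is only rewritten further down in the function, which is outside the hunk.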
Signed-off-by: Anton Khirnov --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3734689fd1..9077b7d042 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1702,6 +1702,7 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) } if (entries >= UINT_MAX / sizeof(int)) return AVERROR_INVALIDDATA; + av_freep(&sc->keyframes); sc->keyframes = av_malloc(entries * sizeof(int)); if (!sc->keyframes) return AVERROR(ENOMEM); From aa7a19b41774ce5f8a4e43f3692a4f9d90aa5c92 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Dec 2014 20:52:13 +0100 Subject: [PATCH 0207/1352] mjpegdec: check for pixel format changes Fixes possible invalid memory access. Based on code by Michael Niedermayer CC: libav-stable@libav.org Bug-ID: CVE-2014-8541 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 809c3023b699c54c90511913d3b6140dd2436550) Signed-off-by: Anton Khirnov --- libavcodec/mjpegdec.c | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d9a73d8426..9118df6ee6 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -220,18 +220,20 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, pix_fmt_id, ret; + int h_count[MAX_COMPONENTS] = { 0 }; + int v_count[MAX_COMPONENTS] = { 0 }; + int len, nb_components, i, width, height, bits, pix_fmt_id, ret; /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->bits = get_bits(&s->gb, 8); + bits = get_bits(&s->gb, 8); if (s->pegasus_rct) - s->bits = 9; - if (s->bits == 9 && !s->pegasus_rct) + bits = 9; + if (bits == 9 && !s->pegasus_rct) s->rct = 1; // FIXME ugly - if (s->bits != 8 && !s->lossless) { + if (bits != 8 && !s->lossless) { av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n"); return -1; } @@ -258,7 +260,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) return AVERROR_INVALIDDATA; } } - if (s->ls && !(s->bits <= 8 || nb_components == 1)) { + if (s->ls && !(bits <= 8 || nb_components == 1)) { avpriv_report_missing_feature(s->avctx, "JPEG-LS that is not <= 8 " "bits/component or 16-bit gray"); 
@@ -270,25 +272,25 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) for (i = 0; i < nb_components; i++) { /* component id */ s->component_id[i] = get_bits(&s->gb, 8) - 1; - s->h_count[i] = get_bits(&s->gb, 4); - s->v_count[i] = get_bits(&s->gb, 4); + h_count[i] = get_bits(&s->gb, 4); + v_count[i] = get_bits(&s->gb, 4); /* compute hmax and vmax (only used in interleaved case) */ - if (s->h_count[i] > s->h_max) - s->h_max = s->h_count[i]; - if (s->v_count[i] > s->v_max) - s->v_max = s->v_count[i]; + if (h_count[i] > s->h_max) + s->h_max = h_count[i]; + if (v_count[i] > s->v_max) + s->v_max = v_count[i]; s->quant_index[i] = get_bits(&s->gb, 8); if (s->quant_index[i] >= 4) return AVERROR_INVALIDDATA; - if (!s->h_count[i] || !s->v_count[i]) { + if (!h_count[i] || !v_count[i]) { av_log(s->avctx, AV_LOG_ERROR, "Invalid sampling factor in component %d %d:%d\n", - i, s->h_count[i], s->v_count[i]); + i, h_count[i], v_count[i]); return AVERROR_INVALIDDATA; } av_log(s->avctx, AV_LOG_DEBUG, "component %d %d:%d id: %d quant:%d\n", - i, s->h_count[i], s->v_count[i], + i, h_count[i], v_count[i], s->component_id[i], s->quant_index[i]); } @@ -301,10 +303,14 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) s->rgb = 1; /* if different size, realloc/alloc picture */ - /* XXX: also check h_count and v_count */ - if (width != s->width || height != s->height) { + if (width != s->width || height != s->height || bits != s->bits || + memcmp(s->h_count, h_count, sizeof(h_count)) || + memcmp(s->v_count, v_count, sizeof(v_count))) { s->width = width; s->height = height; + s->bits = bits; + memcpy(s->h_count, h_count, sizeof(h_count)); + memcpy(s->v_count, v_count, sizeof(v_count)); s->interlaced = 0; /* test interlaced mode */ From 55788572ea7b89cdd77bab1cf4bf06d14ead34f5 Mon Sep 17 00:00:00 2001 
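Review bot: In the component loop of ff_mjpeg_decode_sof() the sampling factors are now parsed into locals, but `s->h_max`, `s->v_max`, `s->component_id[i]` and `s->quant_index[i]` are still written to the context before the `quant_index[i] >= 4` and zero-factor checks can return. A rejected SOF therefore leaves maxima and quantiser indices from the bad header next to the `s->h_count`/`s->v_count` of the previous accepted one. Tracking the maxima in locals as well, `if (h_count[i] > h_max) h_max = h_count[i];`, and storing them where `s->bits = bits;` is assigned would make the update all-or-nothing. How h_max and v_max are initialised before the loop is not visible in these hunks, so that part needs checking against the full function.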
From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 0208/1352] jvdec: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 8. CC: libav-stable@libav.org Bug-ID: CVE-2014-8542 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 88626e5af8d006e67189bf10b96b982502a7e8ad) Signed-off-by: Anton Khirnov --- libavcodec/jvdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index bb347e045a..2a7aa10254 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -43,6 +43,13 @@ static av_cold int decode_init(AVCodecContext *avctx) { JvContext *s = avctx->priv_data; + if (!avctx->width || !avctx->height || + (avctx->width & 7) || (avctx->height & 7)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From 69a930b988ff4f88ae27e4fc24ff6ed116840b5e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 14 Dec 2014 21:01:59 +0100 Subject: [PATCH 0209/1352] mmvideo: check frame dimensions The frame size must be set by the caller and each dimension must be a multiple of 2. CC: libav-stable@libav.org Bug-ID: CVE-2014-8543 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit 17ba719d9ba30c970f65747f42d5fbb1e447ca28) Signed-off-by: Anton Khirnov --- libavcodec/mmvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index d80c832a31..25124a3edf 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c 
@@ -61,6 +61,13 @@ static av_cold int mm_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (!avctx->width || !avctx->height || + (avctx->width & 1) || (avctx->height & 1)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From eac49477aa95cf727d87d2741ee8e60be59d394b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 20:15:52 +0200 Subject: [PATCH 0210/1352] gifdec: refactor interleave end handling Fixes invalid writes with very small image heights. CC: libav-stable@libav.org Bug-ID: CVE-2014-8547 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 0b39ac6f54505a538c21fe49a626de94c518c903) Signed-off-by: Anton Khirnov --- libavcodec/gifdec.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index cdb7f23fd4..df5ab78aba 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -125,26 +125,21 @@ static int gif_read_image(GifState *s, AVFrame *frame) case 1: y1 += 8; ptr += linesize * 8; - if (y1 >= height) { - y1 = pass ? 2 : 4; - ptr = ptr1 + linesize * y1; - pass++; - } break; case 2: y1 += 4; ptr += linesize * 4; - if (y1 >= height) { - y1 = 1; - ptr = ptr1 + linesize; - pass++; - } break; case 3: y1 += 2; ptr += linesize * 2; break; } + while (y1 >= height) { + y1 = 4 >> pass; + ptr = ptr1 + linesize * y1; + pass++; + } } else { ptr += linesize; } From 58dc526ebf722d33bf09275c1241674e0e6b9ef1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Oct 2014 22:50:45 +0200 Subject: [PATCH 0211/1352] smc: fix the bounds check Fixes invalid writes when there are more blocks in a run than total remaining blocks. CC: libav-stable@libav.org Bug-ID: CVE-2014-8548 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
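Review bot: The new `while (y1 >= height)` loop in gif_read_image() terminates only because `4 >> pass` eventually yields 0, which assumes height is at least 1. With a height of 0 it would keep incrementing pass until the shift count exceeds the width of int. Whether a zero height is rejected earlier is not visible from this hunk, as the function starts and ends outside it. I would record the invariant next to the loop, `/* start rows of the remaining interlace passes: 4, 2, 1; relies on height > 0 */`, or bound it explicitly with `while (y1 >= height && pass < 4) {`.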
Signed-off-by: Anton Khirnov (cherry picked from commit d423dd72be451462c6fb1cbbe313bed0194001ab) Signed-off-by: Anton Khirnov --- libavcodec/smc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 46903ab2af..c6541da843 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -70,7 +70,7 @@ typedef struct SmcContext { row_ptr += stride * 4; \ } \ total_blocks--; \ - if (total_blocks < 0) \ + if (total_blocks < !!n_blocks) \ { \ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ return; \ From 48952116352ab03565cc14805e0f1d63cf0318fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Oct 2014 22:15:07 +0200 Subject: [PATCH 0212/1352] on2avc: check number of channels Fixes invalid memory access. CC: libav-stable@libav.org Bug-ID: CVE-2014-8549 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit cee4490b521fd0d02476d46aa2598af24fb8d686) Signed-off-by: Anton Khirnov --- libavcodec/on2avc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 60f451c68f..1c4b3c9ea9 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -918,6 +918,10 @@ static av_cold int on2avc_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "0x500 version should be mono\n"); return AVERROR_INVALIDDATA; } + if (avctx->channels > 2) { + av_log(avctx, AV_LOG_ERROR, "Only 1 or 2 channels are supported.\n"); + return AVERROR(EINVAL); + } if (avctx->channels == 2) av_log(avctx, AV_LOG_WARNING, "Stereo mode support is not good, patch is welcome\n"); From a058cbcfdf490aab3aa12b45511c7315ed1bd35b Mon Sep 17 00:00:00 2001 
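Review bot: `if (total_blocks < !!n_blocks)` in the smc block-advance macro now also fires when the counter reaches exactly zero while the current run still has blocks left, yet the message printed under it still says the counter "just went negative". The macro also reads an `n_blocks` variable from every expansion site without saying so. A comment above the test, `/* stop when no blocks remain but the current run (n_blocks) still wants more */`, together with a log line that matches the condition, would make this bounds check readable. The macro begins outside the hunk.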
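Review bot: The check added to on2avc_decode_init() rejects only `avctx->channels > 2`, although its message says that only 1 or 2 channels are supported; a channel count of zero or below still passes. Unless that is already excluded before this point, which the hunk does not show, `if (avctx->channels < 1 || avctx->channels > 2) {` would match the message and give the rest of the decoder a fully validated value.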
From: Michael Niedermayer Date: Wed, 26 Nov 2014 18:16:15 +0100 Subject: [PATCH 0213/1352] avformat/mov: Fix memleaks for duplicate STCO/CO64/STSC atoms Also see [FFmpeg-devel] [PATCH] avformat/mov: strengthen some table allocations which contains more fixes but is unfinished Fixes: signal_sigabrt_7ffff6ac7bb9_3484_cov_1830000177_starfox2.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1b5d11240692025f036e945bc37968735679320a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7806ef564e..2ccb030bd4 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1177,6 +1177,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (entries >= UINT_MAX/sizeof(int64_t)) return AVERROR_INVALIDDATA; + if (sc->chunk_offsets) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STCO atom\n"); + av_free(sc->chunk_offsets); + sc->chunk_count = 0; sc->chunk_offsets = av_malloc(entries * sizeof(int64_t)); if (!sc->chunk_offsets) return AVERROR(ENOMEM); @@ -1768,6 +1772,10 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; if (entries >= UINT_MAX / sizeof(*sc->stsc_data)) return AVERROR_INVALIDDATA; + if (sc->stsc_data) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STSC atom\n"); + av_free(sc->stsc_data); + sc->stsc_count = 0; sc->stsc_data = av_malloc(entries * sizeof(*sc->stsc_data)); if (!sc->stsc_data) return AVERROR(ENOMEM); From 47e4a1ac6d1c0ed32f28ed6922ce9a08965f4473 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 10 Nov 2014 18:21:28 +0100 Subject: [PATCH 0214/1352] avformat/mov: strengthen some table allocations (cherry picked from commit 5ab882d7283f57560c889919c35f2688253b1d9c) 
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 48 ++++++++++++++++++++++++++--------------------- 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2ccb030bd4..397e8dfa09 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1174,14 +1174,12 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= UINT_MAX/sizeof(int64_t)) - return AVERROR_INVALIDDATA; if (sc->chunk_offsets) av_log(c->fc, AV_LOG_WARNING, "Duplicate STCO atom\n"); av_free(sc->chunk_offsets); sc->chunk_count = 0; - sc->chunk_offsets = av_malloc(entries * sizeof(int64_t)); + sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); if (!sc->chunk_offsets) return AVERROR(ENOMEM); sc->chunk_count = entries; @@ -1770,13 +1768,11 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= UINT_MAX / sizeof(*sc->stsc_data)) - return AVERROR_INVALIDDATA; if (sc->stsc_data) av_log(c->fc, AV_LOG_WARNING, "Duplicate STSC atom\n"); av_free(sc->stsc_data); sc->stsc_count = 0; - sc->stsc_data = av_malloc(entries * sizeof(*sc->stsc_data)); + sc->stsc_data = av_malloc_array(entries, sizeof(*sc->stsc_data)); if (!sc->stsc_data) return AVERROR(ENOMEM); @@ -1808,9 +1804,11 @@ static int mov_read_stps(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb32(pb); // version + flags entries = avio_rb32(pb); - if (entries >= UINT_MAX / sizeof(*sc->stps_data)) - return AVERROR_INVALIDDATA; - sc->stps_data = av_malloc(entries * sizeof(*sc->stps_data)); + if (sc->stps_data) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STPS atom\n"); + av_free(sc->stps_data); + sc->stps_count = 0; + sc->stps_data = av_malloc_array(entries, sizeof(*sc->stps_data)); if (!sc->stps_data) return AVERROR(ENOMEM); 
@@ -1852,9 +1850,11 @@ static int mov_read_stss(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->need_parsing = AVSTREAM_PARSE_HEADERS; return 0; } - if (entries >= UINT_MAX / sizeof(int)) - return AVERROR_INVALIDDATA; - sc->keyframes = av_malloc(entries * sizeof(int)); + if (sc->keyframes) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STSS atom\n"); + av_free(sc->keyframes); + sc->keyframe_count = 0; + sc->keyframes = av_malloc_array(entries, sizeof(*sc->keyframes)); if (!sc->keyframes) return AVERROR(ENOMEM); @@ -1913,9 +1913,13 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) / field_size) + if (entries >= (UINT_MAX - 4) / field_size) return AVERROR_INVALIDDATA; - sc->sample_sizes = av_malloc(entries * sizeof(int)); + if (sc->sample_sizes) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STSZ atom\n"); + av_free(sc->sample_sizes); + sc->sample_count = 0; + sc->sample_sizes = av_malloc_array(entries, sizeof(*sc->sample_sizes)); if (!sc->sample_sizes) return AVERROR(ENOMEM); @@ -1969,11 +1973,11 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dlog(c->fc, "track[%i].stts.entries = %i\n", c->fc->nb_streams-1, entries); - if (entries >= UINT_MAX / sizeof(*sc->stts_data)) - return -1; - + if (sc->stts_data) + av_log(c->fc, AV_LOG_WARNING, "Duplicate STTS atom\n"); av_free(sc->stts_data); - sc->stts_data = av_malloc(entries * sizeof(*sc->stts_data)); + sc->stts_count = 0; + sc->stts_data = av_malloc_array(entries, sizeof(*sc->stts_data)); if (!sc->stts_data) return AVERROR(ENOMEM); 
@@ -2112,9 +2116,11 @@ static int mov_read_sbgp(MOVContext *c, AVIOContext *pb, MOVAtom atom) entries = avio_rb32(pb); if (!entries) return 0; - if (entries >= UINT_MAX / sizeof(*sc->rap_group)) - return AVERROR_INVALIDDATA; - sc->rap_group = av_malloc(entries * sizeof(*sc->rap_group)); + if (sc->rap_group) + av_log(c->fc, AV_LOG_WARNING, "Duplicate SBGP atom\n"); + av_free(sc->rap_group); + sc->rap_group_count = 0; + sc->rap_group = av_malloc_array(entries, sizeof(*sc->rap_group)); if (!sc->rap_group) return AVERROR(ENOMEM); From 883795fb0face00a07349fbd32f4775431a9f30d Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 25 Dec 2014 22:46:39 +0100 Subject: [PATCH 0215/1352] h264: restore a block mistakenly removed in e10fd08a CC: libav-stable@libav.org Bug-ID: 781 (cherry picked from commit 60d4c6ff76467d4d8f55c1cc61ab6c618e8ea2f3) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 562b1023e3..4bc0a03c24 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1454,6 +1454,8 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size, buf_index = find_start_code(buf, buf_size, buf_index, next_avc); if (buf_index >= buf_size) break; + if (buf_index >= next_avc) + continue; } hx = h->thread_context[context_count]; From 0775653b4c4736e593040a81123c8c284714e0ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Dec 2014 12:38:20 +0100 Subject: [PATCH 0216/1352] avformat/segment: Use av_freep() avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 68fa549230af35179df2a2af2bdb84ee6c825bed) Signed-off-by: Michael Niedermayer --- libavformat/segment.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index eb1cfee4f3..da9193a02a 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c 
@@ -340,7 +340,7 @@ static int segment_end(AVFormatContext *s, int write_trailer, int is_last) if (seg->list_size && seg->segment_count >= seg->list_size) { entry = seg->segment_list_entries; seg->segment_list_entries = seg->segment_list_entries->next; - av_free(entry->filename); + av_freep(&entry->filename); av_freep(&entry); } @@ -498,10 +498,10 @@ static int open_null_ctx(AVIOContext **ctx) return 0; } -static void close_null_ctx(AVIOContext *pb) +static void close_null_ctxp(AVIOContext **pb) { - av_free(pb->buffer); - av_free(pb); + av_freep(&(*pb)->buffer); + av_freep(pb); } static int select_reference_stream(AVFormatContext *s) @@ -684,7 +684,7 @@ static int seg_write_header(AVFormatContext *s) s->avoid_negative_ts = 1; if (!seg->write_header_trailer) { - close_null_ctx(oc->pb); + close_null_ctxp(&oc->pb); if ((ret = avio_open2(&oc->pb, oc->filename, AVIO_FLAG_WRITE, &s->interrupt_callback, NULL)) < 0) goto fail; @@ -821,7 +821,7 @@ static int seg_write_trailer(struct AVFormatContext *s) goto fail; open_null_ctx(&oc->pb); ret = av_write_trailer(oc); - close_null_ctx(oc->pb); + close_null_ctxp(&oc->pb); } else { ret = segment_end(s, 1, 1); } @@ -837,7 +837,7 @@ fail: cur = seg->segment_list_entries; while (cur) { next = cur->next; - av_free(cur->filename); + av_freep(&cur->filename); av_free(cur); cur = next; } From 6ac156864ca5055b9971ef0a8e7a35d2eecbb46f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Dec 2014 21:41:46 +0100 Subject: [PATCH 0217/1352] avformat/cdxl: Fix integer overflow of image_size Signed-off-by: Michael Niedermayer (cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128) Signed-off-by: Michael Niedermayer --- libavformat/cdxl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index e3e379aef7..6d8e750b83 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c 
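Review bot: The new `close_null_ctxp()` dereferences `*pb` with no NULL check, and in the seg_write_trailer hunk the return value of `open_null_ctx(&oc->pb)` is still ignored before `close_null_ctxp(&oc->pb)` runs. What open_null_ctx leaves in `*ctx` on failure is outside the hunk, so this is a NULL or stale-pointer dereference only if it can fail without setting it. A guard such as `if (!*pb) return;` at the top of the helper, together with checking the open_null_ctx result at the call site, would close that gap.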
@@ -127,6 +127,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); + if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + return AVERROR_INVALIDDATA; image_size = FFALIGN(width, 16) * height * cdxl->header[19] / 8; video_size = palette_size + image_size; From d9ec3070d18dc3779516080d6a1fcea037fe183f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jan 2015 18:07:24 +0100 Subject: [PATCH 0218/1352] avformat/flvdec: do not inject dts=0 metadata packets which failed to be parsed into a new data stream Such data streams (which then contain no other packets except the faulty one) confuse some user applications, like VLC Works around vlcticket 12389 Signed-off-by: Michael Niedermayer (cherry picked from commit 322f0f5960a743cac47252d90a0f1ea7a025feff) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 9e0ee2f551..c7f1e71c5a 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -558,13 +558,13 @@ static int flv_read_metabody(AVFormatContext *s, int64_t next_pos) type = avio_r8(ioc); if (type != AMF_DATA_TYPE_STRING || amf_get_string(ioc, buffer, sizeof(buffer)) < 0) - return -1; + return 2; if (!strcmp(buffer, "onTextData")) return 1; if (strcmp(buffer, "onMetaData") && strcmp(buffer, "onCuePoint")) - return -1; + return 2; // find the streams now so that amf_parse_object doesn't need to do // the lookup every time it is called. 
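Review bot: The added guard in cdxl_read_packet multiplies by `cdxl->header[19]`, so when that byte is 0 the product is 0 and the check passes, yet the next line still evaluates `FFALIGN(width, 16) * height` in the operands' own type first. If `width` and `height` promote to `int` (their declarations are outside the hunk), two 16-bit values can exceed INT_MAX there, which is signed overflow before the multiplication by zero. Computing the size once in 64 bits and reusing it removes both the duplicated expression and the gap: `uint64_t bits = FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19];`, then `if (bits > INT_MAX) return AVERROR_INVALIDDATA;` and `image_size = bits / 8;`.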
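Review bot: flv_read_metabody now returns a bare `2` on the two early-exit paths, next to the existing `1` for onTextData, and nothing in the hunk states what the values mean. The caller in flv_read_packet (next hunk) depends on the distinction through `<= 0`, which now also sends negative error returns to `skip`. I would document the contract above the function, for example `/* <0: parse error, 0: consumed as metadata, 1: onTextData, 2: not a recognised metadata body */`, or introduce named constants for 1 and 2. The meaning of 0 and of the negative values is inferred from the two hunks only, since the rest of both functions is outside them.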
@@ -822,7 +822,7 @@ static int flv_read_packet(AVFormatContext *s, AVPacket *pkt) stream_type=FLV_STREAM_TYPE_DATA; if (size > 13 + 1 + 4 && dts == 0) { // Header-type metadata stuff meta_pos = avio_tell(s->pb); - if (flv_read_metabody(s, next) == 0) { + if (flv_read_metabody(s, next) <= 0) { goto skip; } avio_seek(s->pb, meta_pos, SEEK_SET); From 54e3aff10e2d3c7fc2d2823b658c7e66bc82661d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jan 2015 18:15:16 +0100 Subject: [PATCH 0219/1352] avformat/flvdec: Increase string array size Fixes parsing httphostheader of Scarlatti\,\ Pieter-Jan\ Belder\ -\ Sonata\ K113\ in\ A\ major\ -\ Alle.flv Signed-off-by: Michael Niedermayer (cherry picked from commit eb767a276bfdb9a0493bdb0b38203638230b7ccb) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index c7f1e71c5a..cfe657d289 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -390,7 +390,7 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, FLVContext *flv = s->priv_data; AVIOContext *ioc; AMFDataType amf_type; - char str_val[256]; + char str_val[1024]; double num_val; num_val = 0; From efdd30df06973d51131add3afbffab6841476c85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jan 2015 01:03:26 +0100 Subject: [PATCH 0220/1352] avfilter/vf_sab: fix filtering tiny images Fixes out of array reads Signed-off-by: Michael Niedermayer (cherry picked from commit 9bff052b51f27f6cce04e8d7d8b405c710d7ad67) Signed-off-by: Michael Niedermayer --- libavfilter/vf_sab.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/libavfilter/vf_sab.c b/libavfilter/vf_sab.c index aa38b533fe..b8af27cdcd 100644 --- a/libavfilter/vf_sab.c +++ b/libavfilter/vf_sab.c 
@@ -220,6 +220,19 @@ static int config_props(AVFilterLink *inlink) #define NB_PLANES 4 +static inline int mirror(int x, int w) +{ + if (!w) + return 0; + + while ((unsigned)x > (unsigned)w) { + x = -x; + if (x < 0) + x += 2 * w; + } + return x; +} + static void blur(uint8_t *dst, const int dst_linesize, const uint8_t *src, const int src_linesize, const int w, const int h, FilterParam *fp) @@ -253,8 +266,7 @@ static void blur(uint8_t *dst, const int dst_linesize, for (dy = 0; dy < radius*2 + 1; dy++) { int dx; int iy = y+dy - radius; - if (iy < 0) iy = -iy; - else if (iy >= h) iy = h+h-iy-1; + iy = mirror(iy, h-1); for (dx = 0; dx < radius*2 + 1; dx++) { const int ix = x+dx - radius; @@ -265,13 +277,11 @@ static void blur(uint8_t *dst, const int dst_linesize, for (dy = 0; dy < radius*2+1; dy++) { int dx; int iy = y+dy - radius; - if (iy < 0) iy = -iy; - else if (iy >= h) iy = h+h-iy-1; + iy = mirror(iy, h-1); for (dx = 0; dx < radius*2 + 1; dx++) { int ix = x+dx - radius; - if (ix < 0) ix = -ix; - else if (ix >= w) ix = w+w-ix-1; + ix = mirror(ix, w-1); UPDATE_FACTOR; } } From e2e145db89913e86e9b8573b1b90f001c46dee5e Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 5 Jan 2015 04:45:26 +0100 Subject: [PATCH 0221/1352] avcodec/dvdsubdec: fix out of bounds accesses The code blindly trusted buffer offsets read from the file in the RLE decoder. Explicitly check the offset. Also error out on other RLE decoding errors. Signed-off-by: Michael Niedermayer (cherry picked from commit c9151de7c42553bb145be608df8513c1287f1f24) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 7355c03ec2..5e225566b7 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c 
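Review bot: `mirror(int x, int w)` takes the largest valid index rather than a width, since every caller passes `h-1` or `w-1`, but the parameter is named `w` and the helper carries no comment. With a zero-sized dimension the callers pass -1, `(unsigned)w` becomes UINT_MAX, the loop never runs and a negative `x` is returned unchanged; whether a zero-wide or zero-high plane can reach blur() is not visible in these hunks. I would rename the parameter to something like `max`, add `/* reflect x into [0, max]; max is the last valid index */`, and widen the degenerate case to `if (w <= 0) return 0;`.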
@@ -105,6 +105,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, int x, y, len, color; uint8_t *d; + if (start >= buf_size) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); @@ -356,10 +359,12 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, sub_header->rects[0] = av_mallocz(sizeof(AVSubtitleRect)); sub_header->num_rects = 1; sub_header->rects[0]->pict.data[0] = bitmap; - decode_rle(bitmap, w * 2, w, (h + 1) / 2, - buf, offset1, buf_size, is_8bit); - decode_rle(bitmap + w, w * 2, w, h / 2, - buf, offset2, buf_size, is_8bit); + if (decode_rle(bitmap, w * 2, w, (h + 1) / 2, + buf, offset1, buf_size, is_8bit) < 0) + goto fail; + if (decode_rle(bitmap + w, w * 2, w, h / 2, + buf, offset2, buf_size, is_8bit) < 0) + goto fail; sub_header->rects[0]->pict.data[1] = av_mallocz(AVPALETTE_SIZE); if (is_8bit) { if (!yuv_palette) From 134ff88c6a80672a108c607d8df459f401560d3c Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 5 Jan 2015 16:19:09 -0800 Subject: [PATCH 0222/1352] mov: Avoid overflow with mov_metadata_raw() The code previously added 1 to len without checking its size, resulting in an overflow which can corrupt value[-1] -- which may be used to store unaligned ptr information for certain allocators. Found-by: Paul Mehta Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index dfd4bce0b7..f78680a0e9 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -210,6 +210,9 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + // Check for overflow. + if (len >= INT_MAX) + return AVERROR(EINVAL); char *value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); From 0787163cf369f114862bc7402b8410ff32bdef37 Mon Sep 17 00:00:00 2001 
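Review bot: In the decode_dvd_subtitles hunk the result of `av_mallocz(sizeof(AVSubtitleRect))` is dereferenced two lines later (`sub_header->rects[0]->pict.data[0] = bitmap;`) without a NULL check, directly before the newly checked decode_rle() calls; the `av_mallocz(AVPALETTE_SIZE)` assigned to `pict.data[1]` after them is unchecked in the visible lines as well. Since this patch already routes decode errors to `fail`, the allocation can use the same path: `if (!sub_header->rects[0]) goto fail;`. What the `fail` label frees is outside the hunk, so ownership of `bitmap` on that path should be confirmed. The new `start >= buf_size` test in decode_rle also lets a negative `start` through if that parameter is a signed int; its declaration is cut off by the hunk.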
From: Michael Niedermayer Date: Tue, 6 Jan 2015 04:29:10 +0100 Subject: [PATCH 0223/1352] avformat/mov: fix integer overflow in mov_read_udta_string() Found-by: Paul Mehta Signed-off-by: Michael Niedermayer (cherry picked from commit 3859868c75313e318ebc5d0d33baada62d45dd75) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f78680a0e9..98eb5ccbd6 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -358,7 +358,7 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!key) return 0; - if (atom.size < 0) + if (atom.size < 0 || str_size >= INT_MAX/2) return AVERROR_INVALIDDATA; str_size = FFMIN3(sizeof(str)-1, str_size, atom.size); From 54b76eb5951502d24618c335d0bb275f70d31f3c Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 5 Jan 2015 16:34:17 -0800 Subject: [PATCH 0224/1352] mov: Fix negative size calculation in mov_read_default(). The previous code assumed if an atom was marked with a 64-bit size extension, it actually had that data available. The new code verfies there's enough data in the atom for this to be done. Failure to verify causes total_size > atom.size which will result in negative size calculations later on. Found-by: Paul Mehta Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 3ebd76a9c57558e284e94da367dd23b435e6a6d0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 98eb5ccbd6..8ffe32bf22 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3231,7 +3231,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) } } total_size += 8; - if (a.size == 1) { /* 64 bit extended size */ + if (a.size == 1 && total_size + 8 <= atom.size) { /* 64 bit extended size */ a.size = avio_rb64(pb) - 8; total_size += 8; } 
From 20a4cf0d09701fb0c623ba42399facf867fb1146 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 6 Jan 2015 09:42:59 +0000 Subject: [PATCH 0225/1352] lavfi: check av_strdup() return value Signed-off-by: Paul B Mahol (cherry picked from commit 145a84717b62e086cdb5f26649ad9f1b51ef38d0) Signed-off-by: Michael Niedermayer --- libavfilter/af_amix.c | 2 ++ libavfilter/af_join.c | 2 ++ libavfilter/split.c | 2 ++ libavfilter/src_movie.c | 2 ++ 4 files changed, 8 insertions(+) diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c index d8a6651fce..afd7f7eace 100644 --- a/libavfilter/af_amix.c +++ b/libavfilter/af_amix.c @@ -496,6 +496,8 @@ static av_cold int init(AVFilterContext *ctx) snprintf(name, sizeof(name), "input%d", i); pad.type = AVMEDIA_TYPE_AUDIO; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.filter_frame = filter_frame; ff_insert_inpad(ctx, i, &pad); diff --git a/libavfilter/af_join.c b/libavfilter/af_join.c index 560c5c82dc..afcc34ec43 100644 --- a/libavfilter/af_join.c +++ b/libavfilter/af_join.c @@ -214,6 +214,8 @@ static av_cold int join_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "input%d", i); pad.type = AVMEDIA_TYPE_AUDIO; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.filter_frame = filter_frame; pad.needs_fifo = 1; diff --git a/libavfilter/split.c b/libavfilter/split.c index 6abd5ee2e0..7353810677 100644 --- a/libavfilter/split.c +++ b/libavfilter/split.c @@ -52,6 +52,8 @@ static av_cold int split_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "output%d", i); pad.type = ctx->filter->inputs[0].type; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); ff_insert_outpad(ctx, i, &pad); } diff --git a/libavfilter/src_movie.c b/libavfilter/src_movie.c index 0b97b827e4..908c03e1d3 100644 --- a/libavfilter/src_movie.c +++ b/libavfilter/src_movie.c 
@@ -289,6 +289,8 @@ static av_cold int movie_common_init(AVFilterContext *ctx) snprintf(name, sizeof(name), "out%d", i); pad.type = movie->st[i].st->codec->codec_type; pad.name = av_strdup(name); + if (!pad.name) + return AVERROR(ENOMEM); pad.config_props = movie_config_output_props; pad.request_frame = movie_request_frame; ff_insert_outpad(ctx, i, &pad); From 63007901446f13ab3b04a66fee856c4f58c08778 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 12:48:38 +0100 Subject: [PATCH 0226/1352] avformat/matroskadec: Use av_freep() to avoid leaving stale pointers in memory Signed-off-by: Michael Niedermayer (cherry picked from commit 6e70e4aca50696040cc9256ec96e5c31d9641432) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 26717dfbb3..beb1aefb17 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1078,7 +1078,7 @@ static void ebml_free(EbmlSyntax *syntax, void *data) for (j = 0; j < list->nb_elem; j++, ptr += syntax[i].list_elem_size) ebml_free(syntax[i].def.n, ptr); - av_free(list->elem); + av_freep(&list->elem); } else ebml_free(syntax[i].def.n, data_off); default: @@ -2132,7 +2132,7 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska, { if (matroska->num_packets > 0) { memcpy(pkt, matroska->packets[0], sizeof(AVPacket)); - av_free(matroska->packets[0]); + av_freep(&matroska->packets[0]); if (matroska->num_packets > 1) { void *newpackets; memmove(&matroska->packets[0], &matroska->packets[1], @@ -2163,7 +2163,7 @@ static void matroska_clear_queue(MatroskaDemuxContext *matroska) int n; for (n = 0; n < matroska->num_packets; n++) { av_free_packet(matroska->packets[n]); - av_free(matroska->packets[n]); + av_freep(&matroska->packets[n]); } av_freep(&matroska->packets); matroska->num_packets = 0; 
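Review bot: In ebml_free, `av_freep(&list->elem)` now clears the pointer, but the visible branch closes right after it and leaves `list->nb_elem` at its old value. A later walk over that list would then index from a NULL base instead of freed memory, which is easier to diagnose but still invalid. Adding `list->nb_elem = 0;` directly after the `av_freep()` keeps pointer and count consistent, the way matroska_clear_queue pairs `av_freep(&matroska->packets)` with `matroska->num_packets = 0`. The rest of ebml_free is outside the hunk, so a reset elsewhere cannot be ruled out.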
@@ -2995,7 +2995,7 @@ static int matroska_read_close(AVFormatContext *s) for (n = 0; n < matroska->tracks.nb_elem; n++) if (tracks[n].type == MATROSKA_TRACK_TYPE_AUDIO) - av_free(tracks[n].audio.buf); + av_freep(&tracks[n].audio.buf); ebml_free(matroska_cluster, &matroska->current_cluster); ebml_free(matroska_segment, matroska); From 45069582897c0b59ec7c2ffd0f933b9fc3c2926e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 12:53:53 +0100 Subject: [PATCH 0227/1352] avformat/utils: Clear pointer in ff_alloc_extradata() to avoid leaving a stale pointer in memory Signed-off-by: Michael Niedermayer (cherry picked from commit bbfca8e84b0e69abba523d665536c0135fc1c00e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 6ff4570f5c..b1f7909ae0 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2792,6 +2792,7 @@ int ff_alloc_extradata(AVCodecContext *avctx, int size) int ret; if (size < 0 || size >= INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) { + avctx->extradata = NULL; avctx->extradata_size = 0; return AVERROR(EINVAL); } From fe457ce4d16966d7f7d3cc87d2398325aa1a80e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jan 2015 13:12:22 +0100 Subject: [PATCH 0228/1352] cmdutils: Use 64bit for file size/offset related variable in cmdutils_read_file() Signed-off-by: Michael Niedermayer (cherry picked from commit 369b4cd4120bf67aa5187b6bc72574970a24ca22) Signed-off-by: Michael Niedermayer --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 1143ea10d1..82e69ec06b 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -1857,7 +1857,7 @@ int read_yesno(void) int cmdutils_read_file(const char *filename, char **bufptr, size_t *size) { - int ret; + int64_t ret; FILE *f = av_fopen_utf8(filename, "rb"); if (!f) { From 86f4ac93659f4da9c26e55971fde0ced89432a21 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 6 Jan 2015 19:51:38 +0100 Subject: [PATCH 0229/1352] avformat/mov: Fix mixed declaration and statement warning Signed-off-by: Michael Niedermayer (cherry picked from commit db27f50e0658e91758e8a17fdcf390e6bc93c1d2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 8ffe32bf22..12fa707c7b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -210,10 +210,11 @@ static int mov_read_covr(MOVContext *c, AVIOContext *pb, int type, int len) static int mov_metadata_raw(MOVContext *c, AVIOContext *pb, unsigned len, const char *key) { + char *value; // Check for overflow. if (len >= INT_MAX) return AVERROR(EINVAL); - char *value = av_malloc(len + 1); + value = av_malloc(len + 1); if (!value) return AVERROR(ENOMEM); avio_read(pb, value, len); From 51e880fed97faae571a872cf51a6960e9f172094 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 3 Jan 2015 01:40:02 -0300 Subject: [PATCH 0230/1352] configure: bump year Happy new year! (cherry picked from commit b8db25a3338b67186837c49580fe538d63dd73c7) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 2104232881..2f363547f2 100755 --- a/configure +++ b/configure @@ -5600,7 +5600,7 @@ cat > $TMPH < Date: Wed, 7 Jan 2015 23:57:50 +0100 Subject: [PATCH 0231/1352] avcodec/dvdsubdec: error on bitmaps with size 0 Attemtping to decode them could lead to invalid writes with some fuzzed samples. Signed-off-by: Michael Niedermayer (cherry picked from commit bcaa9099b3648b47060e1724a97dc98b63c83702) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 5e225566b7..28027c233e 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c 
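Review bot: The return value of `avio_read(pb, value, len)` in mov_metadata_raw is ignored, so on a truncated file the unread tail of `value` keeps whatever `av_malloc()` handed back, as that allocator does not zero memory. How `value` is used afterwards is outside the hunk, but if it ends up stored as metadata, uninitialised heap bytes would be exposed to the caller. Checking the read closes this: `if (avio_read(pb, value, len) != len) { av_free(value); return AVERROR_INVALIDDATA; }`.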
@@ -108,6 +108,9 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, if (start >= buf_size) return -1; + if (w <= 0 || h <= 0) + return -1; + bit_len = (buf_size - start) * 8; init_get_bits(&gb, buf + start, bit_len); From 3b4e9dddcff61eaf01a9a5b63c1abcc4102a313a Mon Sep 17 00:00:00 2001 From: wm4 Date: Thu, 8 Jan 2015 17:19:17 +0100 Subject: [PATCH 0232/1352] avcodec/dvdsubdec: fix accessing dangling pointers dvdsub_decode() can call append_to_cached_buf() 2 times, the second time with ctx->buf as argument. If the second append_to_cached_buf() reallocs ctx->buf, the argument will be a pointer to the previous, freed block. This can cause invalid reads at least with some fuzzed files - and possibly with valid files. Since packets can apparently not be larger than 64K (even if packets are combined), just use a fixed size buffer. It will be allocated as part of the DVDSubContext, and although some memory is "wasted", it's relatively minimal by modern standards and should be acceptable. Signed-off-by: Michael Niedermayer (cherry picked from commit 816577716bc6170bccfea3b9e865618b69a4b426) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 28027c233e..54dd2c4f90 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -37,7 +37,7 @@ typedef struct DVDSubContext int has_palette; uint8_t colormap[4]; uint8_t alpha[256]; - uint8_t *buf; + uint8_t buf[0x10000]; int buf_size; #ifdef DEBUG int sub_id; 
@@ -506,15 +506,11 @@ static int append_to_cached_buf(AVCodecContext *avctx, { DVDSubContext *ctx = avctx->priv_data; - if (ctx->buf_size > 0xffff - buf_size) { + if (ctx->buf_size >= sizeof(ctx->buf) - buf_size) { av_log(avctx, AV_LOG_WARNING, "Attempt to reconstruct " "too large SPU packets aborted.\n"); - av_freep(&ctx->buf); return AVERROR_INVALIDDATA; } - ctx->buf = av_realloc(ctx->buf, ctx->buf_size + buf_size); - if (!ctx->buf) - return AVERROR(ENOMEM); memcpy(ctx->buf + ctx->buf_size, buf, buf_size); ctx->buf_size += buf_size; return 0; @@ -530,7 +526,7 @@ static int dvdsub_decode(AVCodecContext *avctx, AVSubtitle *sub = data; int is_menu; - if (ctx->buf) { + if (ctx->buf_size) { int ret = append_to_cached_buf(avctx, buf, buf_size); if (ret < 0) { *data_size = 0; @@ -569,7 +565,6 @@ static int dvdsub_decode(AVCodecContext *avctx, } #endif - av_freep(&ctx->buf); ctx->buf_size = 0; *data_size = 1; return buf_size; @@ -651,7 +646,6 @@ static av_cold int dvdsub_init(AVCodecContext *avctx) static av_cold int dvdsub_close(AVCodecContext *avctx) { DVDSubContext *ctx = avctx->priv_data; - av_freep(&ctx->buf); ctx->buf_size = 0; return 0; } From 07c9df792cd4ee1c13243ea5c27d0a64b13e9d80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jan 2015 23:02:30 +0100 Subject: [PATCH 0233/1352] ffmpeg: Clear error message array at init. This avoids printing uninitialized bytes if no error message is set Signed-off-by: Michael Niedermayer (cherry picked from commit 6d1a2efb8ac399a003ea7d3b6f8c641d192567ee) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index ffcb9dd92e..3868b017ad 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2461,7 +2461,7 @@ static int transcode_init(void) AVFormatContext *oc; OutputStream *ost; InputStream *ist; - char error[1024]; + char error[1024] = {0}; int want_sdp = 1; for (i = 0; i < nb_filtergraphs; i++) { 
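Review bot: The rewritten bound in append_to_cached_buf, `ctx->buf_size >= sizeof(ctx->buf) - buf_size`, is evaluated in `size_t`, so a `buf_size` larger than 0x10000 makes the right-hand side wrap to a huge value, the test is false, and the following `memcpy()` writes past the fixed `buf[0x10000]` inside DVDSubContext. The removed line did the subtraction in signed int, where an oversized `buf_size` made the limit negative and the packet was rejected. Keeping the untrusted length alone on the left avoids the wrap: `if (buf_size < 0 || buf_size >= sizeof(ctx->buf) - ctx->buf_size)`. This relies on `ctx->buf_size` never exceeding `sizeof(ctx->buf)`, which holds as long as this function is the only place that grows it. The parameter's type is cut off by the hunk; I am assuming `int`.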
From 1b3332659a77c8167b1d4328a88ff4ae2498147e Mon Sep 17 00:00:00 2001 From: wm4 Date: Fri, 9 Jan 2015 02:13:36 +0100 Subject: [PATCH 0234/1352] vp9: fix parser return values in error case The parser must always set the out_size and out_data pointers. The API seems to require it, and the common code in parser.c also relies on it. Signed-off-by: Michael Niedermayer (cherry picked from commit b88e80589bd11ef935a5e9dab53d4edb00de16e4) Signed-off-by: Michael Niedermayer --- libavcodec/vp9_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c index af033c25e6..922f36f381 100644 --- a/libavcodec/vp9_parser.c +++ b/libavcodec/vp9_parser.c @@ -77,6 +77,8 @@ static int parse(AVCodecParserContext *ctx, idx += a; \ if (sz > size) { \ s->n_frames = 0; \ + *out_size = 0; \ + *out_data = data; \ av_log(avctx, AV_LOG_ERROR, \ "Superframe packet size too big: %u > %d\n", \ sz, size); \ From 0b0293ceafd68f3e7b75e3a42ccc6091a94d2178 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jan 2015 03:43:54 +0100 Subject: [PATCH 0235/1352] avformat/movenc: workaround bug in "PathScale EKOPath(tm) Compiler Suite Version 4.0.12.1" Signed-off-by: Michael Niedermayer (cherry picked from commit 7824dc5150c0ea44ffa7cd4d57803f9a9697e7d7) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 021fe784e4..c1af01b72b 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -2190,7 +2190,8 @@ static int mov_write_mvhd_tag(AVIOContext *pb, MOVMuxContext *mov) } version = max_track_len < UINT32_MAX ? 0 : 1; - (version == 1) ? avio_wb32(pb, 120) : avio_wb32(pb, 108); /* size */ + avio_wb32(pb, version == 1 ? 120 : 108); /* size */ + ffio_wfourcc(pb, "mvhd"); avio_w8(pb, version); avio_wb24(pb, 0); /* flags */ From 9cc1d21e76b5ec08a9581d17a75b289c36197544 Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Fri, 9 Jan 2015 17:50:27 +0100 Subject: [PATCH 0236/1352] doc/examples: fix lib math dep for decoding_encoding It uses at least sin(). Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit f97f2a3527eac2cf60ba86206d1bae9a970a7e71) Signed-off-by: Michael Niedermayer --- doc/examples/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/examples/Makefile b/doc/examples/Makefile index 07251fe3c2..9f03f04b57 100644 --- a/doc/examples/Makefile +++ b/doc/examples/Makefile @@ -29,6 +29,7 @@ OBJS=$(addsuffix .o,$(EXAMPLES)) # the following examples make explicit use of the math library avcodec: LDLIBS += -lm +decoding_encoding: LDLIBS += -lm muxing: LDLIBS += -lm resampling_audio: LDLIBS += -lm From 932caa50a5dec7f2a69da8a417ccae84d19ae5e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 3 Jan 2015 21:27:21 +0200 Subject: [PATCH 0237/1352] libavformat: Check for malloc failures in avformat_new_stream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 9f810a9b374e0ff8e2a19fd8a7347afe2933e229) Signed-off-by: Luca Barbato --- libavformat/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 973ab94d6f..73e3039421 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2535,6 +2535,11 @@ AVStream *avformat_new_stream(AVFormatContext *s, const AVCodec *c) } st->codec = avcodec_alloc_context3(c); + if (!st->codec) { + av_free(st->info); + av_free(st); + return NULL; + } if (s->iformat) { /* no default bitrate if decoding */ st->codec->bit_rate = 0; From 61335ab33e594d47b84fde7367ee10dc66fc3465 Mon Sep 17 00:00:00 2001 
From: Vittorio Giovara Date: Thu, 18 Dec 2014 20:26:57 +0100 Subject: [PATCH 0238/1352] opt: check memory allocation CC: libav-stable@libav.org Bug-Id: CID 1257771 (cherry picked from commit 07a0c0f0005072d115ace61e60f46be68582cc3a) Signed-off-by: Luca Barbato --- libavutil/opt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavutil/opt.c b/libavutil/opt.c index 28adef6877..059c525c39 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -119,6 +119,8 @@ static int set_string_binary(void *obj, const AVOption *o, const char *val, uint len /= 2; ptr = bin = av_malloc(len); + if (!ptr) + return AVERROR(ENOMEM); while (*val) { int a = hexchar2int(*val++); int b = hexchar2int(*val++); From 3280b86c85f5a88397fce0230d1878fee79fbb93 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 17 Dec 2014 16:02:07 +0100 Subject: [PATCH 0239/1352] swscale: check memory allocations CC: libav-stable@libav.org Bug-Id: CID 1257779 (cherry picked from commit 1dd797e3c9f179f957316a0becbec048b42df8aa) Signed-off-by: Luca Barbato --- libswscale/yuv2rgb.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 480fbe3999..a4f7a1178e 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -736,9 +736,13 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], av_free(c->yuvTable); +#define ALLOC_YUV_TABLE(x) \ + c->yuvTable = av_malloc(x); \ + if (!c->yuvTable) \ + return AVERROR(ENOMEM); switch (bpp) { case 1: - c->yuvTable = av_malloc(1024); + ALLOC_YUV_TABLE(1024); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 110; i++) { @@ -753,7 +757,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 3 : 0; gbase = 1; bbase = isRgb ? 0 : 3; - c->yuvTable = av_malloc(1024 * 3); + ALLOC_YUV_TABLE(1024 * 3); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 110; i++) { 
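Review bot: `ALLOC_YUV_TABLE(x)` in ff_yuv2rgb_c_init_tables expands to two statements, one of them a hidden `return AVERROR(ENOMEM)`, without the usual `do { ... } while (0)` wrapper. It works at the current call sites because each use is a full statement directly under a `case` label, but it would misbehave under an unbraced `if`, and the early return is invisible where the macro is used. I would write the body as `do { c->yuvTable = av_malloc(x); if (!c->yuvTable) return AVERROR(ENOMEM); } while (0)` and `#undef` it after the switch if that is not already done outside the hunk. The uses in the following hunks of this file are affected the same way.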
@@ -772,7 +776,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 5 : 0; gbase = isRgb ? 2 : 3; bbase = isRgb ? 0 : 6; - c->yuvTable = av_malloc(1024 * 3); + ALLOC_YUV_TABLE(1024 * 3); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 38; i++) { @@ -791,7 +795,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 8 : 0; gbase = 4; bbase = isRgb ? 0 : 8; - c->yuvTable = av_malloc(1024 * 3 * 2); + ALLOC_YUV_TABLE(1024 * 3 * 2); y_table16 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -814,7 +818,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? bpp - 5 : 0; gbase = 5; bbase = isRgb ? 0 : (bpp - 5); - c->yuvTable = av_malloc(1024 * 3 * 2); + ALLOC_YUV_TABLE(1024 * 3 * 2); y_table16 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -834,7 +838,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], break; case 24: case 48: - c->yuvTable = av_malloc(1024); + ALLOC_YUV_TABLE(1024); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -855,7 +859,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], needAlpha = CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat); if (!needAlpha) abase = (base + 24) & 31; - c->yuvTable = av_malloc(1024 * 3 * 4); + ALLOC_YUV_TABLE(1024 * 3 * 4); y_table32 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { From f6c82b34a320f105af266997f5951cbe7dfc8a05 Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Mon, 5 Jan 2015 10:40:41 +0100 Subject: [PATCH 0240/1352] segment: Fix the failure paths A failure in segment_end() or segment_start() would lead to freeing a dangling pointer and in general further calls to seg_write_packet() or to seg_write_trailer() would have the same faulty behaviour. CC: libav-stable@libav.org Reported-By: luodalongde@gmail.com (cherry picked from commit b3f04657368a32a9903406395f865e230b1de348) Signed-off-by: Luca Barbato --- libavformat/segment.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/libavformat/segment.c b/libavformat/segment.c index 9c757e4359..61ec93fdde 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -183,6 +183,13 @@ static void close_null_ctx(AVIOContext *pb) av_free(pb); } +static void seg_free_context(SegmentContext *seg) +{ + avio_closep(&seg->pb); + avformat_free_context(seg->avf); + seg->avf = NULL; +} + static int seg_write_header(AVFormatContext *s) { SegmentContext *seg = s->priv_data; @@ -264,12 +271,9 @@ static int seg_write_header(AVFormatContext *s) } fail: - if (ret) { - if (seg->list) - avio_close(seg->pb); - if (seg->avf) - avformat_free_context(seg->avf); - } + if (ret < 0) + seg_free_context(seg); + return ret; } @@ -281,6 +285,9 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt) int64_t end_pts = seg->recording_time * seg->number; int ret, can_split = 1; + if (!oc) + return AVERROR(EINVAL); + if (seg->has_video) { can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO && pkt->flags & AV_PKT_FLAG_KEY; @@ -321,11 +328,8 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt) ret = ff_write_chained(oc, pkt->stream_index, pkt, s); fail: - if (ret < 0) { - if (seg->list) - avio_close(seg->pb); - avformat_free_context(oc); - } + if (ret < 0) + seg_free_context(seg); return ret; } 
@@ -334,7 +338,11 @@ static int seg_write_trailer(struct AVFormatContext *s) { SegmentContext *seg = s->priv_data; AVFormatContext *oc = seg->avf; - int ret; + int ret = 0; + + if (!oc) + goto fail; + if (!seg->write_header_trailer) { if ((ret = segment_end(oc, 0)) < 0) goto fail; From bfe18be88a66da25b60a091de6011197dcb231fd Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 1 Jan 2015 17:56:56 +0100 Subject: [PATCH 0241/1352] mpeg4audio: check the init_get_bits() return value Fixes possible invalid reads. CC:libav-stable@libav.org (cherry picked from commit 7e4e010b80e76862e83afbd41c25d50e72f0b44c) Signed-off-by: Luca Barbato --- libavcodec/mpeg4audio.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4audio.c b/libavcodec/mpeg4audio.c index 0fb9b96c80..2363cb637d 100644 --- a/libavcodec/mpeg4audio.c +++ b/libavcodec/mpeg4audio.c @@ -80,9 +80,11 @@ int avpriv_mpeg4audio_get_config(MPEG4AudioConfig *c, const uint8_t *buf, int bit_size, int sync_extension) { GetBitContext gb; - int specific_config_bitindex; + int specific_config_bitindex, ret; - init_get_bits(&gb, buf, bit_size); + ret = init_get_bits(&gb, buf, bit_size); + if (ret < 0) + return ret; c->object_type = get_object_type(&gb); c->sample_rate = get_sample_rate(&gb, &c->sampling_index); c->chan_config = get_bits(&gb, 4); From 3d0752d82f8eaa326cff306ae50b0186a5b4d304 Mon Sep 17 00:00:00 2001 From: Alexandre Colucci Date: Wed, 7 Jan 2015 12:18:08 +0100 Subject: [PATCH 0242/1352] xsub: Support DXSA subtitles These have a DXSA tag and contain alpha in addition to color values for palette. Signed-off-by: Jean-Baptiste Kempf Signed-off-by: Luca Barbato (cherry picked from commit 5a1addd7c1d8ff218ed4b84f4f02fdb83980094c) Signed-off-by: Luca Barbato --- libavcodec/xsubdec.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index 3d85973de6..d01b410829 100644 --- a/libavcodec/xsubdec.c 
+++ b/libavcodec/xsubdec.c @@ -56,11 +56,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, int w, h, x, y, i; int64_t packet_time = 0; GetBitContext gb; + int has_alpha = avctx->codec_tag == MKTAG('D','X','S','A'); memset(sub, 0, sizeof(*sub)); // check that at least header fits - if (buf_size < 27 + 7 * 2 + 4 * 3) { + if (buf_size < 27 + 7 * 2 + 4 * (3 + has_alpha)) { av_log(avctx, AV_LOG_ERROR, "coded frame too small\n"); return -1; } @@ -107,9 +108,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, // read palette for (i = 0; i < sub->rects[0]->nb_colors; i++) ((uint32_t*)sub->rects[0]->pict.data[1])[i] = bytestream_get_be24(&buf); - // make all except background (first entry) non-transparent - for (i = 1; i < sub->rects[0]->nb_colors; i++) - ((uint32_t*)sub->rects[0]->pict.data[1])[i] |= 0xff000000; + + if (!has_alpha) { + // make all except background (first entry) non-transparent + for (i = 1; i < sub->rects[0]->nb_colors; i++) + ((uint32_t *)sub->rects[0]->pict.data[1])[i] |= 0xff000000; + } else { + for (i = 0; i < sub->rects[0]->nb_colors; i++) + ((uint32_t *)sub->rects[0]->pict.data[1])[i] |= *buf++ << 24; + } // process RLE-compressed data init_get_bits(&gb, buf, (buf_end - buf) * 8); From 76e9a17f3392e752193015765e9216c2f0716b96 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 17 Dec 2014 15:19:43 +0100 Subject: [PATCH 0243/1352] lavfi: always check av_expr_parse_and_eval() return value CC: libav-stable@libav.org Bug-Id: CID 703624 (cherry picked from commit 63be97ec403023fb664798432acedaf6e6922527) Signed-off-by: Luca Barbato --- libavfilter/vf_pad.c | 14 ++++++++------ libavfilter/vf_scale.c | 7 ++++--- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/libavfilter/vf_pad.c b/libavfilter/vf_pad.c index 634af4c941..bacb5051e1 100644 --- a/libavfilter/vf_pad.c +++ b/libavfilter/vf_pad.c 
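Review bot: In the new DXSA branch of decode_frame, `*buf++ << 24` shifts a byte that has been promoted to int, so any alpha value of 0x80 or above shifts into the sign bit, which is undefined behaviour. This is the same pattern patch 0265 fixes in swscale. Cast before shifting: `((uint32_t *)sub->rects[0]->pict.data[1])[i] |= (unsigned)*buf++ << 24;`. The declaration of buf is outside the hunk, so this assumes it is a byte pointer, as the bytestream_get_be24(&buf) call suggests.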
@@ -158,9 +158,10 @@ static int config_input(AVFilterLink *inlink) var_values[VAR_VSUB] = 1<vsub; /* evaluate width and height */ - av_expr_parse_and_eval(&res, (expr = s->w_expr), - var_names, var_values, - NULL, NULL, NULL, NULL, NULL, 0, ctx); + if ((ret = av_expr_parse_and_eval(&res, (expr = s->w_expr), + var_names, var_values, + NULL, NULL, NULL, NULL, NULL, 0, ctx)) < 0) + goto eval_fail; s->w = var_values[VAR_OUT_W] = var_values[VAR_OW] = res; if ((ret = av_expr_parse_and_eval(&res, (expr = s->h_expr), var_names, var_values, @@ -175,9 +176,10 @@ static int config_input(AVFilterLink *inlink) s->w = var_values[VAR_OUT_W] = var_values[VAR_OW] = res; /* evaluate x and y */ - av_expr_parse_and_eval(&res, (expr = s->x_expr), - var_names, var_values, - NULL, NULL, NULL, NULL, NULL, 0, ctx); + if ((ret = av_expr_parse_and_eval(&res, (expr = s->x_expr), + var_names, var_values, + NULL, NULL, NULL, NULL, NULL, 0, ctx)) < 0) + goto eval_fail; s->x = var_values[VAR_X] = res; if ((ret = av_expr_parse_and_eval(&res, (expr = s->y_expr), var_names, var_values, diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 73ea9d23e0..2b9e7e839b 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -177,9 +177,10 @@ static int config_props(AVFilterLink *outlink) var_values[VAR_VSUB] = 1 << desc->log2_chroma_h; /* evaluate width and height */ - av_expr_parse_and_eval(&res, (expr = scale->w_expr), - var_names, var_values, - NULL, NULL, NULL, NULL, NULL, 0, ctx); + if ((ret = av_expr_parse_and_eval(&res, (expr = scale->w_expr), + var_names, var_values, + NULL, NULL, NULL, NULL, NULL, 0, ctx)) < 0) + goto fail; scale->w = var_values[VAR_OUT_W] = var_values[VAR_OW] = res; if ((ret = av_expr_parse_and_eval(&res, (expr = scale->h_expr), var_names, var_values, From 1411f073fdceeff1f39dbaa035c3c0275f69095f Mon Sep 17 00:00:00 2001 
From: Vittorio Giovara Date: Wed, 17 Dec 2014 14:53:43 +0100 Subject: [PATCH 0244/1352] aacenc: correctly check returned value CC: libav-stable@libav.org (cherry picked from commit 971099ff5a85377579eb5b8d3620e283957f097e) Signed-off-by: Luca Barbato --- libavcodec/aacenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 55aa2f1a2f..a7d144c1c4 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -750,10 +750,10 @@ static av_cold int aac_encode_init(AVCodecContext *avctx) s->chan_map = aac_chan_configs[s->channels-1]; - if (ret = dsp_init(avctx, s)) + if ((ret = dsp_init(avctx, s)) < 0) goto fail; - if (ret = alloc_buffers(avctx, s)) + if ((ret = alloc_buffers(avctx, s)) < 0) goto fail; avctx->extradata_size = 5; @@ -765,7 +765,8 @@ static av_cold int aac_encode_init(AVCodecContext *avctx) lengths[1] = ff_aac_num_swb_128[i]; for (i = 0; i < s->chan_map[0]; i++) grouping[i] = s->chan_map[i + 1] == TYPE_CPE; - if (ret = ff_psy_init(&s->psy, avctx, 2, sizes, lengths, s->chan_map[0], grouping)) + if ((ret = ff_psy_init(&s->psy, avctx, 2, sizes, lengths, + s->chan_map[0], grouping)) < 0) goto fail; s->psypp = ff_psy_preprocess_init(avctx); s->coder = &ff_aac_coders[2]; From cbfdbba58e1460bd0791911ad84a6c76b5500a0e Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Tue, 16 Dec 2014 10:43:48 +0100 Subject: [PATCH 0245/1352] cmdutils: check file access functions return values CC: libav-stable@libav.org Bug-Id: CID 703706 (cherry picked from commit 38129c26c51b933d7db423f904ba0cd6a88ca1ed) Signed-off-by: Luca Barbato --- cmdutils.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/cmdutils.c b/cmdutils.c index 202b288a60..a7b00604d3 100644 --- a/cmdutils.c +++ b/cmdutils.c 
@@ -1395,14 +1395,31 @@ int cmdutils_read_file(const char *filename, char **bufptr, size_t *size) strerror(errno)); return AVERROR(errno); } - fseek(f, 0, SEEK_END); - *size = ftell(f); - fseek(f, 0, SEEK_SET); + + ret = fseek(f, 0, SEEK_END); + if (ret == -1) { + ret = AVERROR(errno); + goto out; + } + + ret = ftell(f); + if (ret < 0) { + ret = AVERROR(errno); + goto out; + } + *size = ret; + + ret = fseek(f, 0, SEEK_SET); + if (ret == -1) { + ret = AVERROR(errno); + goto out; + } + *bufptr = av_malloc(*size + 1); if (!*bufptr) { av_log(NULL, AV_LOG_ERROR, "Could not allocate file buffer\n"); - fclose(f); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto out; } ret = fread(*bufptr, 1, *size, f); if (ret < *size) { @@ -1418,6 +1435,7 @@ int cmdutils_read_file(const char *filename, char **bufptr, size_t *size) (*bufptr)[(*size)++] = '\0'; } +out: fclose(f); return ret; } From 21683549edf436024cc3efbc4f8d1d55221c5336 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Aug 2014 02:50:41 +0200 Subject: [PATCH 0246/1352] h261dec: Fix context initialization sequence MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ff_mpv_common_init sets s->context_initialized. This fixes decoding of h261 in the cases where the demuxer hasn't already set the frame size. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 3bb465245fed6069512e6821000391beae8a6066) Signed-off-by: Luca Barbato --- libavcodec/h261dec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/h261dec.c b/libavcodec/h261dec.c index eefb5d33f4..39c1a32672 100644 --- a/libavcodec/h261dec.c +++ b/libavcodec/h261dec.c @@ -600,11 +600,10 @@ retry: s->parse_context = pc; } - if (!s->context_initialized) + if (!s->context_initialized) { if ((ret = ff_mpv_common_init(s)) < 0) return ret; - if (!s->context_initialized) { ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; 
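Review bot: In cmdutils_read_file, `ret = ftell(f)` stores a long in ret, whose declaration is outside the hunk; if ret is an int, the offset of a file of 2 GiB or more is narrowed before the `ret < 0` test. A value that narrows to a negative number takes the error branch with an errno that ftell() did not set, so `AVERROR(errno)` may be 0 and the function can return success without allocating *bufptr. Keep the offset in its own variable, `long pos = ftell(f);`, test `pos < 0`, and assign `*size = pos;` only afterwards. The fseek() and ftell() failure paths also return without the av_log() line that the allocation failure has.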
From cbf31d5f15774b3ffd1e2009159dc7154a767b09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 17 Dec 2014 13:50:06 +0200 Subject: [PATCH 0247/1352] rtpdec_h263_rfc2190: Clear the stored bits if discarding buffered data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If we throw away the buffered incomplete frame, make sure to also throw away the buffered bits of an incomplete byte at the same time. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit df07c07b3de0a5e8890078944de1eb5cb8372ef8) Signed-off-by: Luca Barbato --- libavformat/rtpdec_h263_rfc2190.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/rtpdec_h263_rfc2190.c b/libavformat/rtpdec_h263_rfc2190.c index 116db75065..d507ef7ef3 100644 --- a/libavformat/rtpdec_h263_rfc2190.c +++ b/libavformat/rtpdec_h263_rfc2190.c @@ -83,6 +83,7 @@ static int h263_handle_packet(AVFormatContext *ctx, PayloadContext *data, avio_close_dyn_buf(data->buf, &p); av_free(p); data->buf = NULL; + data->endbyte_bits = 0; } if (len < 4) { From 9bd4561d74a46dd6557140e286228e09e380674c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 10 Dec 2014 02:44:20 +0100 Subject: [PATCH 0248/1352] tiff: Check the check_size() return value and forward it Also use the same type for add_entry and check_size. Bug-Id: CID 700699 CC: libav-stable@libav.org Signed-off-by: Luca Barbato Signed-off-by: Vittorio Giovara --- libavcodec/tiffenc.c | 63 ++++++++++++++++++++++++++++---------------- 1 file changed, 40 insertions(+), 23 deletions(-) diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index 93c151e167..5d410b19e9 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c 
@@ -112,8 +112,8 @@ static void tnput(uint8_t **p, int n, const uint8_t *val, enum TiffTypes type, * @param count The number of values * @param ptr_val Pointer to values */ -static void add_entry(TiffEncoderContext *s, enum TiffTags tag, - enum TiffTypes type, int count, const void *ptr_val) +static int add_entry(TiffEncoderContext *s, enum TiffTags tag, + enum TiffTypes type, int count, const void *ptr_val) { uint8_t *entries_ptr = s->entries + 12 * s->num_entries; @@ -127,19 +127,22 @@ static void add_entry(TiffEncoderContext *s, enum TiffTags tag, tnput(&entries_ptr, count, ptr_val, type, 0); } else { bytestream_put_le32(&entries_ptr, *s->buf - s->buf_start); - check_size(s, count * type_sizes2[type]); + if (check_size(s, count * type_sizes2[type])) + return AVERROR_INVALIDDATA; tnput(s->buf, count, ptr_val, type, 0); } s->num_entries++; + return 0; } -static void add_entry1(TiffEncoderContext *s, - enum TiffTags tag, enum TiffTypes type, int val) +static int add_entry1(TiffEncoderContext *s, + enum TiffTags tag, enum TiffTypes type, int val) { uint16_t w = val; uint32_t dw = val; - add_entry(s, tag, type, 1, type == TIFF_SHORT ? (void *)&w : (void *)&dw); + return add_entry(s, tag, type, 1, + type == TIFF_SHORT ? (void *)&w : (void *)&dw); } /** @@ -200,6 +203,20 @@ static void pack_yuv(TiffEncoderContext *s, const AVFrame *p, } } +#define ADD_ENTRY(s, tag, type, count, ptr_val) \ + do { \ + ret = add_entry(s, tag, type, count, ptr_val); \ + if (ret < 0) \ + goto fail; \ + } while(0); + +#define ADD_ENTRY1(s, tag, type, val) \ + do { \ + ret = add_entry1(s, tag, type, val); \ + if (ret < 0) \ + goto fail; \ + } while(0); + static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *pict, int *got_packet) { 
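Review bot: The ADD_ENTRY and ADD_ENTRY1 macros end in `} while(0);`, and that trailing semicolon defeats the do/while(0) idiom: `if (x) ADD_ENTRY(...); else ...` would no longer compile, and every call site already expands to an extra empty statement. Drop it so the definitions end `} while (0)`. Both macros also assign `ret` and jump to `fail` in the caller, which deserves a one-line comment above them, e.g. `/* Uses ret and the fail label of the enclosing function. */`. In add_entry the value check_size() returns is replaced by AVERROR_INVALIDDATA rather than forwarded as the subject line says; check_size() is not visible here, so that may be intended.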
@@ -405,28 +422,28 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, s->num_entries = 0; - add_entry1(s, TIFF_SUBFILE, TIFF_LONG, 0); - add_entry1(s, TIFF_WIDTH, TIFF_LONG, s->width); - add_entry1(s, TIFF_HEIGHT, TIFF_LONG, s->height); + ADD_ENTRY1(s, TIFF_SUBFILE, TIFF_LONG, 0); + ADD_ENTRY1(s, TIFF_WIDTH, TIFF_LONG, s->width); + ADD_ENTRY1(s, TIFF_HEIGHT, TIFF_LONG, s->height); if (s->bpp_tab_size) - add_entry(s, TIFF_BPP, TIFF_SHORT, s->bpp_tab_size, bpp_tab); + ADD_ENTRY(s, TIFF_BPP, TIFF_SHORT, s->bpp_tab_size, bpp_tab); - add_entry1(s, TIFF_COMPR, TIFF_SHORT, s->compr); - add_entry1(s, TIFF_PHOTOMETRIC, TIFF_SHORT, s->photometric_interpretation); - add_entry(s, TIFF_STRIP_OFFS, TIFF_LONG, strips, strip_offsets); + ADD_ENTRY1(s, TIFF_COMPR, TIFF_SHORT, s->compr); + ADD_ENTRY1(s, TIFF_PHOTOMETRIC, TIFF_SHORT, s->photometric_interpretation); + ADD_ENTRY(s, TIFF_STRIP_OFFS, TIFF_LONG, strips, strip_offsets); if (s->bpp_tab_size) - add_entry1(s, TIFF_SAMPLES_PER_PIXEL, TIFF_SHORT, s->bpp_tab_size); + ADD_ENTRY1(s, TIFF_SAMPLES_PER_PIXEL, TIFF_SHORT, s->bpp_tab_size); - add_entry1(s, TIFF_ROWSPERSTRIP, TIFF_LONG, s->rps); - add_entry(s, TIFF_STRIP_SIZE, TIFF_LONG, strips, strip_sizes); - add_entry(s, TIFF_XRES, TIFF_RATIONAL, 1, res); - add_entry(s, TIFF_YRES, TIFF_RATIONAL, 1, res); - add_entry1(s, TIFF_RES_UNIT, TIFF_SHORT, 2); + ADD_ENTRY1(s, TIFF_ROWSPERSTRIP, TIFF_LONG, s->rps); + ADD_ENTRY(s, TIFF_STRIP_SIZE, TIFF_LONG, strips, strip_sizes); + ADD_ENTRY(s, TIFF_XRES, TIFF_RATIONAL, 1, res); + ADD_ENTRY(s, TIFF_YRES, TIFF_RATIONAL, 1, res); + ADD_ENTRY1(s, TIFF_RES_UNIT, TIFF_SHORT, 2); if (!(avctx->flags & CODEC_FLAG_BITEXACT)) - add_entry(s, TIFF_SOFTWARE_NAME, TIFF_STRING, + ADD_ENTRY(s, TIFF_SOFTWARE_NAME, TIFF_STRING, strlen(LIBAVCODEC_IDENT) + 1, LIBAVCODEC_IDENT); if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { 
@@ -437,13 +454,13 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, pal[i + 256] = ((rgb >> 8) & 0xff) * 257; pal[i + 512] = (rgb & 0xff) * 257; } - add_entry(s, TIFF_PAL, TIFF_SHORT, 256 * 3, pal); + ADD_ENTRY(s, TIFF_PAL, TIFF_SHORT, 256 * 3, pal); } if (is_yuv) { /** according to CCIR Recommendation 601.1 */ uint32_t refbw[12] = { 15, 1, 235, 1, 128, 1, 240, 1, 128, 1, 240, 1 }; - add_entry(s, TIFF_YCBCR_SUBSAMPLING, TIFF_SHORT, 2, s->subsampling); - add_entry(s, TIFF_REFERENCE_BW, TIFF_RATIONAL, 6, refbw); + ADD_ENTRY(s, TIFF_YCBCR_SUBSAMPLING, TIFF_SHORT, 2, s->subsampling); + ADD_ENTRY(s, TIFF_REFERENCE_BW, TIFF_RATIONAL, 6, refbw); } // write offset to dir bytestream_put_le32(&offset, ptr - pkt->data); From 23fe589e19487bc9a40b77dae9509068da5b14b8 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 10 Dec 2014 01:43:50 +0100 Subject: [PATCH 0249/1352] prores: Evaluate all the quantizers Prevent an uninitialized data access. CC: libav-stable@libav.org Bug-Id: CID 703824 / CID 703825 Signed-off-by: Vittorio Giovara Signed-off-by: Luca Barbato --- libavcodec/proresenc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/proresenc.c b/libavcodec/proresenc.c index 3a82c2c893..f61aa60a20 100644 --- a/libavcodec/proresenc.c +++ b/libavcodec/proresenc.c @@ -820,10 +820,9 @@ static int find_slice_quant(AVCodecContext *avctx, const AVFrame *pic, if (ctx->alpha_bits) bits += estimate_alpha_plane(ctx, &error, src, linesize[3], mbs_per_slice, q, td->blocks[3]); - if (bits > 65000 * 8) { + if (bits > 65000 * 8) error = SCORE_LIMIT; - break; - } + slice_bits[q] = bits; slice_score[q] = error; } From 20d6ae4626a42fbc6e7b9c0040bdd64397b23e11 Mon Sep 17 00:00:00 2001 
From: Vittorio Giovara Date: Wed, 10 Dec 2014 01:41:44 +0000 Subject: [PATCH 0250/1352] hevc: always clip luma_log2_weight_denom Its value shall be between 0 and 7 according to the specifications. CC: libav-stable@libav.org Bug-Id: CID 1257502 --- libavcodec/hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index ef41ddfe7b..4e237a76c2 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -251,7 +251,7 @@ static void pred_weight_table(HEVCContext *s, GetBitContext *gb) uint8_t luma_weight_l1_flag[16]; uint8_t chroma_weight_l1_flag[16]; - s->sh.luma_log2_weight_denom = get_ue_golomb_long(gb); + s->sh.luma_log2_weight_denom = av_clip_c(get_ue_golomb_long(gb), 0, 7); if (s->sps->chroma_format_idc != 0) { int delta = get_se_golomb(gb); s->sh.chroma_log2_weight_denom = av_clip_c(s->sh.luma_log2_weight_denom + delta, 0, 7); From 20f9cf744a9a82ac4b269cb4317a5d59a8553baf Mon Sep 17 00:00:00 2001 From: Thiago Santos Date: Sun, 14 Dec 2014 22:59:27 +0200 Subject: [PATCH 0251/1352] vaapi: wrap codec specific functions in appropiate #ifs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix linking when only a subset of vaapi decoders is enabled. Bug-Id: 760 CC: libav-stable@libav.org Signed-off-by: Rémi Denis-Courmont Signed-off-by: Luca Barbato --- libavcodec/vaapi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vaapi.c b/libavcodec/vaapi.c index b2dc41d7fe..fcc6243899 100644 --- a/libavcodec/vaapi.c +++ b/libavcodec/vaapi.c @@ -194,6 +194,9 @@ void ff_vaapi_common_end_frame(AVCodecContext *avctx) vactx->slice_params_alloc = 0; } +#if CONFIG_H263_VAAPI_HWACCEL || CONFIG_MPEG1_VAAPI_HWACCEL || \ + CONFIG_MPEG2_VAAPI_HWACCEL || CONFIG_MPEG4_VAAPI_HWACCEL || \ + CONFIG_VC1_VAAPI_HWACCEL || CONFIG_WMV3_VAAPI_HWACCEL int ff_vaapi_mpeg_end_frame(AVCodecContext *avctx) { struct vaapi_context * const vactx = avctx->hwaccel_context; 
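Review bot: In pred_weight_table, clipping `luma_log2_weight_denom` keeps the field in range but hides that the bitstream was out of spec, so a malformed slice header decodes silently with a different denominator. The function returns void in this hunk, so it cannot reject the slice here. A diagnostic when the parsed value exceeds 7 would at least make such input visible, for example by reading the value into a local and logging before the clip. The rest of the function lies outside the hunk.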
@@ -215,5 +218,6 @@ finish: ff_vaapi_common_end_frame(avctx); return ret; } +#endif /* @} */ From 1fd55ec507f6f47b4d9fddf8e79a0df4540ef6e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Dec 2014 11:40:30 +0100 Subject: [PATCH 0252/1352] svq1dec: Unbreak the scratch buffer allocation The input packets are always assumed to be padded and the av_fast_ family of function takes a pointer to a pointer. Thanks to Nicolas Dufresne for a similar patch. Introduced in 7b588bb691644e1b3c168b99accf74248a24e3cf. Bug-Id: 766 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer Signed-off-by: Luca Barbato --- libavcodec/svq1dec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 14ff41cc18..789a0132fb 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -637,8 +637,9 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated, - buf_size); + av_fast_padded_malloc(&s->pkt_swapped, + &s->pkt_swapped_allocated, + buf_size); if (!s->pkt_swapped) return AVERROR(ENOMEM); From bbb86717b303a3e4c0809d3cc6fb55580766a17e Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 5 Dec 2014 02:15:09 +0000 Subject: [PATCH 0253/1352] vf_frei0r: do not increment string if it reached the end Bug-Id: 778 CC: libav-stable@libav.org --- libavfilter/vf_frei0r.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_frei0r.c b/libavfilter/vf_frei0r.c index 771443d02e..0122b8d905 100644 --- a/libavfilter/vf_frei0r.c +++ b/libavfilter/vf_frei0r.c @@ -149,7 +149,8 @@ static int set_params(AVFilterContext *ctx, const char *params) if (*params) { if (!(param = av_get_token(¶ms, "|"))) return AVERROR(ENOMEM); - params++; /* skip ':' */ + if (*params) + params++; /* skip ':' */ ret = set_param(ctx, info, i, param); av_free(param); if (ret < 0) 
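Review bot: In set_params (vf_frei0r.c), the comment on the guarded increment still reads `/* skip ':' */` although the token is split on "|" in the av_get_token() call just above. Update it to say what is skipped and why the guard exists, e.g. `/* skip the '|' separator unless the token ended the string */`.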
From 4baee1124b905cbd75240530e081c8ffa68fddbe Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 6 Dec 2014 12:32:25 +0100 Subject: [PATCH 0254/1352] mp3: Tweak the probe scores Having more than 10 consecutive frames decoded as mp3 should be considered a clear signal that the sample is mp3 and not mpegps. Reported-By: Florian Iragne CC: libav-stable@libav.org --- libavformat/mp3dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 14d8254f4c..ce734b76b9 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -80,7 +80,10 @@ static int mp3_read_probe(AVProbeData *p) } // keep this in sync with ac3 probe, both need to avoid // issues with MPEG-files! - if (first_frames >= 4) return AVPROBE_SCORE_EXTENSION + 1; + if (first_frames >= 10) + return AVPROBE_SCORE_EXTENSION + 5; + if (first_frames >= 4) + return AVPROBE_SCORE_EXTENSION + 1; if (max_frames) { int pes = 0, i; From da35008c314eae5a10a8c070f5185b7694c0a37e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 5 Dec 2014 15:31:20 +0100 Subject: [PATCH 0255/1352] latm: Do not give a score for a single instance Bug-Id: 773 CC: libav-stable@libav.org --- libavformat/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index 09fdbc327f..65cb6bb00f 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -155,7 +155,7 @@ static int latm_read_probe(AVProbeData *p) return AVPROBE_SCORE_EXTENSION; else if (max_frames >= 3) return AVPROBE_SCORE_EXTENSION / 2; - else if (max_frames >= 1) + else if (max_frames > 1) return 1; else return 0; From 036f5c5420e4529f05fa5180f5fa28ca2c5c4065 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 4 Dec 2014 12:00:01 +0100 Subject: [PATCH 0256/1352] rm: Use the correct codec_data_size signedness The function takes a size and not an offset. CC: libav-stable@libav.org Sample-Id: rm_deadlock.rm 
Signed-off-by: Luca Barbato --- libavformat/rdt.c | 2 +- libavformat/rm.h | 2 +- libavformat/rmdec.c | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/rdt.c b/libavformat/rdt.c index 304f4cf210..cc30694756 100644 --- a/libavformat/rdt.c +++ b/libavformat/rdt.c @@ -132,7 +132,7 @@ static int rdt_load_mdpr (PayloadContext *rdt, AVStream *st, int rule_nr) { AVIOContext pb; - int size; + unsigned int size; uint32_t tag; /** diff --git a/libavformat/rm.h b/libavformat/rm.h index a06ea01a5a..3aa17732f1 100644 --- a/libavformat/rm.h +++ b/libavformat/rm.h @@ -50,7 +50,7 @@ extern AVInputFormat ff_rdt_demuxer; */ int ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, AVStream *st, RMStream *rst, - int codec_data_size); + unsigned int codec_data_size); /** * Parse one rm-stream packet from the input bytestream. diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 79a07566de..848d0316c6 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -282,9 +282,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, return 0; } -int -ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, - AVStream *st, RMStream *rst, int codec_data_size) +int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, + AVStream *st, RMStream *rst, + unsigned int codec_data_size) { unsigned int v; int size; From b31bb39bdd7b5a53e0d282acc0f0f62b32b17acc Mon Sep 17 00:00:00 2001 From: Michael Lynch Date: Tue, 14 Oct 2014 16:30:39 -0400 Subject: [PATCH 0257/1352] rtsp: Check a memory allocation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CC: libav-stable@libav.org Signed-off-by: Martin Storsjö --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 23d7da1b1b..4e79bc12d6 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c 
@@ -1146,6 +1146,8 @@ start: if (content_length > 0) { /* leave some room for a trailing '\0' (useful for simple parsing) */ content = av_malloc(content_length + 1); + if (!content) + return AVERROR(ENOMEM); ffurl_read_complete(rt->rtsp_hd, content, content_length); content[content_length] = '\0'; } From bb823e26b1cbb91b475c10772cdfd867d4809a65 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 15 Oct 2014 02:35:55 +0200 Subject: [PATCH 0258/1352] avformat: Make avformat_free_context handle NULL Work as the other free()-like functions. Bug-Id: CID 1087081 CC: libav-stable@libav.org --- libavformat/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 73e3039421..94431e1923 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2447,6 +2447,9 @@ void avformat_free_context(AVFormatContext *s) int i, j; AVStream *st; + if (!s) + return; + av_opt_free(s); if (s->iformat && s->iformat->priv_class && s->priv_data) av_opt_free(s->priv_data); From 4d48691622149ba5998de08a0acec85d1f4ed46a Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 15 Oct 2014 02:43:30 +0200 Subject: [PATCH 0259/1352] cmdutils: Use the correct guard The OptionDef arrays are terminated with a { NULL } element not NULL. CC: libav-stable@libav.org Bug-Id: CID 703769 --- cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index a7b00604d3..3415c0fe69 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -414,7 +414,7 @@ int locate_option(int argc, char **argv, const OptionDef *options, (po->name && !strcmp(optname, po->name))) return i; - if (!po || po->flags & HAS_ARG) + if (!po->name || po->flags & HAS_ARG) i++; } return 0; From 608e8d8dd754199b657b439f9e722e0b45f84461 Mon Sep 17 00:00:00 2001 
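Review bot: In the rtsp.c hunk, the result of `ffurl_read_complete(rt->rtsp_hd, content, content_length)` is still ignored, so after a short read or an error the buffer is NUL-terminated at content_length and handed on with its tail uninitialised. content_length is presumably taken from the peer's reply, which would make this reachable from the network side. Check the count next to the new allocation check, e.g. `if (ffurl_read_complete(rt->rtsp_hd, content, content_length) != content_length) { av_free(content); return AVERROR(EIO); }`. The enclosing function starts and ends outside the hunk, so whether other state needs unwinding on these early returns is not visible.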
From: Luca Barbato Date: Fri, 17 Oct 2014 10:07:10 +0100 Subject: [PATCH 0260/1352] vf_drawtext: Do not leak the mmapped textfile And validate its size while at it. CC: libav-stable@libav.org Bug-Id: CID 1244189 --- libavfilter/vf_drawtext.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index 892104dade..d954fdf2cd 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -398,8 +398,11 @@ static av_cold int init(AVFilterContext *ctx) return err; } - if (!(s->text = av_malloc(textbuf_size+1))) + if (textbuf_size > SIZE_MAX - 1 || + !(s->text = av_malloc(textbuf_size + 1))) { + av_file_unmap(textbuf, textbuf_size); return AVERROR(ENOMEM); + } memcpy(s->text, textbuf, textbuf_size); s->text[textbuf_size] = 0; av_file_unmap(textbuf, textbuf_size); From 2496dbd68b29bd36fbf4753a46163d33f6dae70e Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 17 Oct 2014 10:07:09 +0100 Subject: [PATCH 0261/1352] vf_showinfo: Forward the av_image_get_linesize error CC: libav-stable@libav.org Bug-Id: CID 1087086 --- libavfilter/vf_showinfo.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c index cc9ec1c1d0..ede1765d1e 100644 --- a/libavfilter/vf_showinfo.c +++ b/libavfilter/vf_showinfo.c @@ -78,9 +78,11 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) int i, plane, vsub = desc->log2_chroma_h; for (plane = 0; frame->data[plane] && plane < 4; plane++) { - size_t linesize = av_image_get_linesize(frame->format, frame->width, plane); uint8_t *data = frame->data[plane]; int h = plane == 1 || plane == 2 ? inlink->h >> vsub : inlink->h; + int linesize = av_image_get_linesize(frame->format, frame->width, plane); + if (linesize < 0) + return linesize; for (i = 0; i < h; i++) { plane_checksum[plane] = av_adler32_update(plane_checksum[plane], data, linesize); 
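Review bot: In filter_frame (vf_showinfo.c), the new `return linesize;` leaves the function without releasing `frame`. If this callback owns the frame it is handed, which the part of the function outside the hunk would have to confirm, the error path leaks it. Adding `av_frame_free(&frame);` before the return would close that.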
From daef7feb09a0dde2265d56f77de8ae03f9612d47 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 17 Oct 2014 10:07:11 +0100 Subject: [PATCH 0262/1352] af_resample: check av_opt_set_dict return value CC: libav-stable@libav.org Bug-Id: CID 1087076 --- libavfilter/af_resample.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_resample.c b/libavfilter/af_resample.c index a59e6f8fd1..fbe61056e3 100644 --- a/libavfilter/af_resample.c +++ b/libavfilter/af_resample.c @@ -136,11 +136,14 @@ static int config_output(AVFilterLink *outlink) return AVERROR(ENOMEM); if (s->options) { + int ret; AVDictionaryEntry *e = NULL; while ((e = av_dict_get(s->options, "", e, AV_DICT_IGNORE_SUFFIX))) av_log(ctx, AV_LOG_VERBOSE, "lavr option: %s=%s\n", e->key, e->value); - av_opt_set_dict(s->avr, &s->options); + ret = av_opt_set_dict(s->avr, &s->options); + if (ret < 0) + return ret; } av_opt_set_int(s->avr, "in_channel_layout", inlink ->channel_layout, 0); From c246b0b4c3a3b02a714e99423cf23d59f8f81409 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 15 Oct 2014 17:32:57 +0100 Subject: [PATCH 0263/1352] avresample: Make sure the even check does not overflow CC: libav-stable@libav.org Bug-Id: CID 732225 --- libavresample/audio_mix_matrix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavresample/audio_mix_matrix.c b/libavresample/audio_mix_matrix.c index 487869b5fd..5182ae1bf9 100644 --- a/libavresample/audio_mix_matrix.c +++ b/libavresample/audio_mix_matrix.c @@ -60,7 +60,7 @@ static av_always_inline int even(uint64_t layout) { - return (!layout || (layout & (layout - 1))); + return (!layout || !!(layout & (layout - 1))); } static int sane_layout(uint64_t layout) From 51f76e4e932ebdce8ccf6cf0797651d632cfc3e2 Mon Sep 17 00:00:00 2001 
From: Timothy Gu Date: Wed, 15 Oct 2014 17:32:54 +0100 Subject: [PATCH 0264/1352] oss_audio: use a macro to simplify ioctl() error checking Also add a note about SNDCTL_DSP_GETFMTS which may fail even if OSS is available. CC: libav-stable@libav.org Bug-Id: CID 1238992 Signed-off-by: Vittorio Giovara --- libavdevice/oss_audio.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/libavdevice/oss_audio.c b/libavdevice/oss_audio.c index ad52d78188..4feb937134 100644 --- a/libavdevice/oss_audio.c +++ b/libavdevice/oss_audio.c @@ -48,6 +48,7 @@ int ff_oss_audio_open(AVFormatContext *s1, int is_output, int audio_fd; int tmp, err; char *flip = getenv("AUDIO_FLIP_LEFT"); + char errbuff[128]; if (is_output) audio_fd = avpriv_open(audio_device, O_WRONLY); @@ -68,8 +69,18 @@ int ff_oss_audio_open(AVFormatContext *s1, int is_output, s->frame_size = OSS_AUDIO_BLOCK_SIZE; - /* select format : favour native format */ - err = ioctl(audio_fd, SNDCTL_DSP_GETFMTS, &tmp); +#define CHECK_IOCTL_ERROR(event) \ + if (err < 0) { \ + av_strerror(AVERROR(errno), errbuff, sizeof(errbuff)); \ + av_log(s1, AV_LOG_ERROR, #event ": %s\n", errbuff); \ + goto fail; \ + } + + /* select format : favour native format + * We don't CHECK_IOCTL_ERROR here because even if failed OSS still may be + * usable. If OSS is not usable the SNDCTL_DSP_SETFMTS later is going to + * fail anyway. */ + (void) ioctl(audio_fd, SNDCTL_DSP_GETFMTS, &tmp); #if HAVE_BIGENDIAN if (tmp & AFMT_S16_BE) { 
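Review bot: In ff_oss_audio_open, `tmp` is tested with `tmp & AFMT_S16_BE` right after the SNDCTL_DSP_GETFMTS ioctl whose failure is now deliberately ignored. It is declared as `int tmp, err;` without an initialiser and no assignment is visible in these hunks, so on failure the format choice may depend on an indeterminate value. Setting `tmp = 0;` before the call makes the failure case deterministic. The lines between the first two hunks are not shown, so an earlier assignment cannot be ruled out.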
@@ -102,24 +113,15 @@ int ff_oss_audio_open(AVFormatContext *s1, int is_output, return AVERROR(EIO); } err=ioctl(audio_fd, SNDCTL_DSP_SETFMT, &tmp); - if (err < 0) { - av_log(s1, AV_LOG_ERROR, "SNDCTL_DSP_SETFMT: %s\n", strerror(errno)); - goto fail; - } + CHECK_IOCTL_ERROR(SNDCTL_DSP_SETFMTS) tmp = (s->channels == 2); err = ioctl(audio_fd, SNDCTL_DSP_STEREO, &tmp); - if (err < 0) { - av_log(s1, AV_LOG_ERROR, "SNDCTL_DSP_STEREO: %s\n", strerror(errno)); - goto fail; - } + CHECK_IOCTL_ERROR(SNDCTL_DSP_STEREO) tmp = s->sample_rate; err = ioctl(audio_fd, SNDCTL_DSP_SPEED, &tmp); - if (err < 0) { - av_log(s1, AV_LOG_ERROR, "SNDCTL_DSP_SPEED: %s\n", strerror(errno)); - goto fail; - } + CHECK_IOCTL_ERROR(SNDCTL_DSP_SPEED) s->sample_rate = tmp; /* store real sample rate */ s->fd = audio_fd; @@ -127,6 +129,7 @@ int ff_oss_audio_open(AVFormatContext *s1, int is_output, fail: close(audio_fd); return AVERROR(EIO); +#undef CHECK_IOCTL_ERROR } int ff_oss_audio_close(OSSAudioData *s) From 27487944eff721ef8e310db1a2a52329d9377f71 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 17 Oct 2014 14:31:35 +0100 Subject: [PATCH 0265/1352] swscale: fix sign extensions in yuv planar conversion Casting the left-most byte to unsigned avoids an undefined result of the shift by 24 if bit 7 is set. yuvPlanartouyvy_c and yuvPlanartoyuy2_c are affected. CC: libav-stable@libav.org Bug-Id: CID 732281 / CID 732282 --- libswscale/rgb2rgb_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index 65ea5dda8c..693c7f2d0e 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c 
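Review bot: The first use of the macro passes `SNDCTL_DSP_SETFMTS`, but the ioctl on the line above it is `SNDCTL_DSP_SETFMT`; because the macro stringifies its argument, the log line now names a request that was not issued. Use `CHECK_IOCTL_ERROR(SNDCTL_DSP_SETFMT)`. The macro body is a bare `if` block and the call sites carry no semicolon; wrapping the body in `do { ... } while (0)` would let it be used like an ordinary statement.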
@@ -376,9 +376,9 @@ static inline void yuvPlanartoyuy2_c(const uint8_t *ysrc, const uint8_t *usrc, const uint8_t *yc = ysrc, *uc = usrc, *vc = vsrc; for (i = 0; i < chromWidth; i += 2) { uint64_t k = yc[0] + (uc[0] << 8) + - (yc[1] << 16) + (vc[0] << 24); + (yc[1] << 16) + ((unsigned) vc[0] << 24); uint64_t l = yc[2] + (uc[1] << 8) + - (yc[3] << 16) + (vc[1] << 24); + (yc[3] << 16) + ((unsigned) vc[1] << 24); *ldst++ = k + (l << 32); yc += 4; uc += 2; @@ -440,9 +440,9 @@ static inline void yuvPlanartouyvy_c(const uint8_t *ysrc, const uint8_t *usrc, const uint8_t *yc = ysrc, *uc = usrc, *vc = vsrc; for (i = 0; i < chromWidth; i += 2) { uint64_t k = uc[0] + (yc[0] << 8) + - (vc[0] << 16) + (yc[1] << 24); + (vc[0] << 16) + ((unsigned) yc[1] << 24); uint64_t l = uc[1] + (yc[2] << 8) + - (vc[1] << 16) + (yc[3] << 24); + (vc[1] << 16) + ((unsigned) yc[3] << 24); *ldst++ = k + (l << 32); yc += 4; uc += 2; From 5aceced0a0d235d485e88fda502019b221dbf3d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Oct 2014 01:12:12 +0100 Subject: [PATCH 0266/1352] avio: fix sizeof argument CC: libav-stable@libav.org Bug-Id: CID 732284 --- libavformat/avio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index 7f6449c087..f68994cef1 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -361,7 +361,7 @@ int ffurl_get_multi_file_handle(URLContext *h, int **handles, int *numhandles) if (!h->prot->url_get_multi_file_handle) { if (!h->prot->url_get_file_handle) return AVERROR(ENOSYS); - *handles = av_malloc(sizeof(*handles)); + *handles = av_malloc(sizeof(**handles)); if (!*handles) return AVERROR(ENOMEM); *numhandles = 1; From 6cf27b550d66963b89b5917568b85c4b49fb18ba Mon Sep 17 00:00:00 2001 
From: Vittorio Giovara Date: Sat, 18 Oct 2014 01:12:13 +0100 Subject: [PATCH 0267/1352] aviobuf: check context before using it Avoid a possible null pointer dereference. CC: libav-stable@libav.org Bug-Id: CID 1135769 --- libavformat/aviobuf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index cc79146225..6923b78ea1 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -965,7 +965,7 @@ int ffio_open_dyn_packet_buf(AVIOContext **s, int max_packet_size) int avio_close_dyn_buf(AVIOContext *s, uint8_t **pbuffer) { - DynBuffer *d = s->opaque; + DynBuffer *d; int size; static const char padbuf[FF_INPUT_BUFFER_PADDING_SIZE] = {0}; int padding = 0; @@ -983,6 +983,7 @@ int avio_close_dyn_buf(AVIOContext *s, uint8_t **pbuffer) avio_flush(s); + d = s->opaque; *pbuffer = d->buffer; size = d->size; av_free(d); From d1ad85fc020653be5ad25ed1d3d5091e89fee782 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Sat, 18 Oct 2014 16:10:35 +0100 Subject: [PATCH 0268/1352] vf_format: check input validity CC: libav-stable@libav.org --- libavfilter/vf_format.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_format.c b/libavfilter/vf_format.c index d37f870537..914089deab 100644 --- a/libavfilter/vf_format.c +++ b/libavfilter/vf_format.c @@ -59,6 +59,11 @@ static av_cold int init(AVFilterContext *ctx) int nb_formats = 1; int i; + if (!s->pix_fmts) { + av_log(ctx, AV_LOG_ERROR, "Empty output format string.\n"); + return AVERROR(EINVAL); + } + /* count the formats */ cur = s->pix_fmts; while ((cur = strchr(cur, '|'))) { From 4cd0041d38664adcb6f4b3038e277631b85d5dc8 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Mon, 20 Oct 2014 14:11:17 +0100 Subject: [PATCH 0269/1352] rmdec: check av_new_packet return value CC: libav-stable@libav.org Bug-Id: CID 733714 --- libavformat/rmdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
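Review bot: The new guard in `init()` of vf_format.c rejects only a NULL `s->pix_fmts`, while the message it logs says "Empty output format string". An empty but non-NULL string still reaches the `strchr(cur, '|')` counting loop with `nb_formats = 1`. If an empty option value is possible here, `if (!s->pix_fmts || !*s->pix_fmts)` would make the check match the message. How the later parsing treats an empty name is outside this hunk.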
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 848d0316c6..dae1235420 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -816,7 +816,9 @@ ff_rm_retrieve_cache (AVFormatContext *s, AVIOContext *pb, ast->deint_id == DEINT_ID_VBRS) av_get_packet(pb, pkt, ast->sub_packet_lengths[ast->sub_packet_cnt - rm->audio_pkt_cnt]); else { - av_new_packet(pkt, st->codec->block_align); + int ret = av_new_packet(pkt, st->codec->block_align); + if (ret < 0) + return ret; memcpy(pkt->data, ast->pkt.data + st->codec->block_align * //FIXME avoid this (ast->sub_packet_h * ast->audio_framesize / st->codec->block_align - rm->audio_pkt_cnt), st->codec->block_align); From 1551602b423755c4ed98c5b7b2c2d6504416726e Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Mon, 20 Oct 2014 14:11:19 +0100 Subject: [PATCH 0270/1352] nutdec: check av_new_packet return value CC: libav-stable@libav.org Bug-Id: CID 733713 --- libavformat/nutdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 6c95d5507b..36ca754fa1 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -822,7 +822,7 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) { AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; - int size, stream_id, discard; + int size, stream_id, discard, ret; int64_t pts, last_IP_pts; StreamContext *stc; uint8_t header_idx; @@ -847,7 +847,9 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) return 1; } - av_new_packet(pkt, size + nut->header_len[header_idx]); + ret = av_new_packet(pkt, size + nut->header_len[header_idx]); + if (ret < 0) + return ret; memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME avio_read(bc, pkt->data + nut->header_len[header_idx], size); From 556a5090f2b0a20fd9998e1a327875f5b0c8d1d5 Mon Sep 17 00:00:00 2001 
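Review bot: The other branch of this `if` in `ff_rm_retrieve_cache()` still discards the result of `av_get_packet(pb, pkt, ...)`, so a failed or short read goes unreported while the `av_new_packet()` failure next to it is now caught. Declaring `ret` before the `if` and using `ret = av_get_packet(...); if (ret < 0) return ret;` would treat both branches the same way. The `memcpy()` offset that follows divides by `st->codec->block_align`; whether that field is validated as non-zero is decided outside this hunk, as is the rest of the function.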
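Review bot: In `decode_frame()` of nutdec.c, the `avio_read(bc, pkt->data + nut->header_len[header_idx], size);` call right after the new check still ignores its return value. On truncated input, part of the freshly allocated packet payload can stay unwritten and be passed on as frame data. Now that `ret` exists, assigning `ret = avio_read(...)` and treating `ret != size` as an error (after freeing the packet) would close that gap. The sum `size + nut->header_len[header_idx]` is computed in `int`, and the bounds on `size` are established outside this hunk.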
From: Anton Khirnov Date: Sat, 18 Oct 2014 16:25:16 +0200 Subject: [PATCH 0271/1352] mp3dec: fix reading the Xing tag The quality scale field is only supposed to be present if the fourth bit is set. In practice, lame always sets it, but other tools might not. CC:libav-stable@libav.org --- libavformat/mp3dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index ce734b76b9..bf12fdb2c5 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -36,6 +36,7 @@ #define XING_FLAG_FRAMES 0x01 #define XING_FLAG_SIZE 0x02 #define XING_FLAG_TOC 0x04 +#define XING_FLAC_QSCALE 0x08 #define XING_TOC_COUNT 100 @@ -168,7 +169,8 @@ static void mp3_parse_info_tag(AVFormatContext *s, AVStream *st, st->time_base)); /* VBR quality */ - avio_rb32(s->pb); + if (v & XING_FLAC_QSCALE) + avio_rb32(s->pb); /* Encoder short version string */ memset(version, 0, sizeof(version)); From a7e79f6a43bdc7e3b164dd78b060f0d5575a0cf0 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Mon, 20 Oct 2014 14:11:13 +0100 Subject: [PATCH 0272/1352] avfilter: check filter link validity Remove now redundant check. CC: libav-stable@libav.org Bug-Id: CID 700371 --- libavfilter/avfilter.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavfilter/avfilter.c b/libavfilter/avfilter.c index c9617dc2ff..40989731cf 100644 --- a/libavfilter/avfilter.c +++ b/libavfilter/avfilter.c @@ -152,6 +152,11 @@ int avfilter_config_links(AVFilterContext *filter) AVFilterLink *link = filter->inputs[i]; if (!link) continue; + if (!link->src || !link->dst) { + av_log(filter, AV_LOG_ERROR, + "Not all input and output are properly linked (%d).\n", i); + return AVERROR(EINVAL); + } switch (link->init_state) { case AVLINK_INIT: 
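Review bot: The new constant in mp3dec.c is named `XING_FLAC_QSCALE`, while its neighbours are `XING_FLAG_FRAMES`, `XING_FLAG_SIZE` and `XING_FLAG_TOC`; this looks like a typo for `XING_FLAG_QSCALE`. Both the `#define` and its use in `if (v & XING_FLAC_QSCALE)` in the second hunk would change together. A short comment on the define, such as `/* quality indicator field present */`, would record why the 32-bit read is conditional.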
@@ -181,7 +186,7 @@ int avfilter_config_links(AVFilterContext *filter) } if (link->time_base.num == 0 && link->time_base.den == 0) - link->time_base = link->src && link->src->nb_inputs ? + link->time_base = link->src->nb_inputs ? link->src->inputs[0]->time_base : AV_TIME_BASE_Q; if (link->type == AVMEDIA_TYPE_VIDEO) { From 7c710c38f6481b892e01d3c1e4781ad160b2935e Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Mon, 20 Oct 2014 14:11:14 +0100 Subject: [PATCH 0273/1352] audiointerleave: check av_new_packet return value CC: libav-stable@libav.org Bug-Id: CID 1087078 --- libavformat/audiointerleave.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/audiointerleave.c b/libavformat/audiointerleave.c index e49c77fe0b..ba78d4e988 100644 --- a/libavformat/audiointerleave.c +++ b/libavformat/audiointerleave.c @@ -75,12 +75,14 @@ static int interleave_new_audio_packet(AVFormatContext *s, AVPacket *pkt, { AVStream *st = s->streams[stream_index]; AudioInterleaveContext *aic = st->priv_data; - + int ret; int size = FFMIN(av_fifo_size(aic->fifo), *aic->samples * aic->sample_size); if (!size || (!flush && size == av_fifo_size(aic->fifo))) return 0; - av_new_packet(pkt, size); + ret = av_new_packet(pkt, size); + if (ret < 0) + return ret; av_fifo_generic_read(aic->fifo, pkt->data, size, NULL); pkt->dts = pkt->pts = aic->dts; From b9b689550e7531b1a2cc893d2af623e37f266936 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Mon, 20 Oct 2014 14:11:15 +0100 Subject: [PATCH 0274/1352] img2dec: check av_new_packet return value CC: libav-stable@libav.org Bug-Id: CID 1087077 --- libavformat/img2dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 9acb6f6927..f7f0a11e6a 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c 
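Review bot: Dropping the `link->src &&` guard is covered by the check added in the first hunk, but the expression still dereferences `link->src->inputs[0]` with no check of its own. The loop in the first hunk skips NULL entries with `if (!link) continue;`, which suggests unlinked inputs are tolerated, so the source filter's first input may be NULL here unless something outside this hunk rules that out. If it is not guaranteed, `link->src->nb_inputs && link->src->inputs[0] ? link->src->inputs[0]->time_base : AV_TIME_BASE_Q` keeps the fallback.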
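Review bot: `interleave_new_audio_packet()` could previously signal "nothing to emit" only with `return 0;`, and it can now also return a negative error from `av_new_packet()`. Its callers are not part of this hunk; any caller that tests the result only for non-zero would take the failure for a produced packet and go on to use an unallocated `pkt`. The call sites should test for `< 0` explicitly. A comment above the function listing the possible outcomes (negative error, 0 for no packet, and the success value returned at the end of the function, which is outside this hunk) would make the contract visible.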
@@ -221,7 +221,7 @@ static int img_read_packet(AVFormatContext *s1, AVPacket *pkt) { VideoDemuxData *s = s1->priv_data; char filename[1024]; - int i; + int i, res; int size[3] = { 0 }, ret[3] = { 0 }; AVIOContext *f[3] = { NULL }; AVCodecContext *codec = s1->streams[0]->codec; @@ -262,7 +262,9 @@ static int img_read_packet(AVFormatContext *s1, AVPacket *pkt) size[0] = 4096; } - av_new_packet(pkt, size[0] + size[1] + size[2]); + res = av_new_packet(pkt, size[0] + size[1] + size[2]); + if (res < 0) + return res; pkt->stream_index = 0; pkt->flags |= AV_PKT_FLAG_KEY; From 19fc283dbb53a5f7d6658fd4edcfa59b99369b58 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 20 Oct 2014 00:48:49 +0200 Subject: [PATCH 0275/1352] lavf: replace rename() with ff_rename() The new function wraps errno so that its value is correctly reported when other functions overwrite it (eg. in case of logging). CC: libav-stable@libav.org Bug-Id: CID 1135748 Signed-off-by: Vittorio Giovara --- libavformat/hdsenc.c | 10 +++++----- libavformat/internal.h | 14 ++++++++++++++ libavformat/smoothstreamingenc.c | 11 +++++++---- 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/libavformat/hdsenc.c b/libavformat/hdsenc.c index 6217c1f51f..3a0f36d8c2 100644 --- a/libavformat/hdsenc.c +++ b/libavformat/hdsenc.c @@ -204,8 +204,7 @@ static int write_manifest(AVFormatContext *s, int final) avio_printf(out, "\n"); avio_flush(out); avio_close(out); - rename(temp_filename, filename); - return 0; + return ff_rename(temp_filename, filename); } static void update_size(AVIOContext *out, int64_t pos) @@ -286,8 +285,7 @@ static int write_abst(AVFormatContext *s, OutputStream *os, int final) update_size(out, afrt_pos); update_size(out, 0); avio_close(out); - rename(temp_filename, filename); - return 0; + return ff_rename(temp_filename, filename); } static int init_file(AVFormatContext *s, OutputStream *os, int64_t start_ts) 
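Review bot: The early `return res;` added after `av_new_packet()` leaves `img_read_packet()` without releasing anything held in `f[]`. The first hunk shows `AVIOContext *f[3] = { NULL };`, and the code between the two hunks is not visible; if those contexts are opened before the allocation, this path leaks them. Closing every non-NULL `f[i]` before returning would cover it. The packet size is the `int` sum `size[0] + size[1] + size[2]`, so it is also worth confirming that the individual sizes are bounded before they are added.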
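Review bot: `write_manifest()` in hdsenc.c now reports a failed rename, but the `avio_flush(out); avio_close(out);` calls just before it remain unchecked. If writing the temporary file failed, it is still renamed over the previous manifest, and the function returns 0 when the rename itself succeeds. Checking the result of `avio_close()` (or `out->error` before closing) and skipping the rename on failure would keep the last good file in place. The same sequence appears in `write_abst()` in the next hunk and in `write_manifest()` of smoothstreamingenc.c.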
@@ -477,7 +475,9 @@ static int hds_flush(AVFormatContext *s, OutputStream *os, int final, snprintf(target_filename, sizeof(target_filename), "%s/stream%dSeg1-Frag%d", s->filename, index, os->fragment_index); - rename(os->temp_filename, target_filename); + ret = ff_rename(os->temp_filename, target_filename); + if (ret < 0) + return ret; add_fragment(os, target_filename, os->frag_start_ts, end_ts - os->frag_start_ts); if (!final) { diff --git a/libavformat/internal.h b/libavformat/internal.h index 2824436286..8a9a88fbc6 100644 --- a/libavformat/internal.h +++ b/libavformat/internal.h @@ -353,4 +353,18 @@ enum AVCodecID ff_get_pcm_codec_id(int bps, int flt, int be, int sflags); */ int ff_generate_avci_extradata(AVStream *st); +/** + * Wrap errno on rename() error. + * + * @param oldpath source path + * @param newpath destination path + * @return 0 or AVERROR on failure + */ +static inline int ff_rename(const char *oldpath, const char *newpath) +{ + if (rename(oldpath, newpath) == -1) + return AVERROR(errno); + return 0; +} + #endif /* AVFORMAT_INTERNAL_H */ diff --git a/libavformat/smoothstreamingenc.c b/libavformat/smoothstreamingenc.c index 457472dc83..137d8fdbbe 100644 --- a/libavformat/smoothstreamingenc.c +++ b/libavformat/smoothstreamingenc.c @@ -34,6 +34,7 @@ #include "libavutil/opt.h" #include "libavutil/avstring.h" +#include "libavutil/file.h" #include "libavutil/mathematics.h" #include "libavutil/intreadwrite.h" @@ -282,8 +283,7 @@ static int write_manifest(AVFormatContext *s, int final) avio_printf(out, "\n"); avio_flush(out); avio_close(out); - rename(temp_filename, filename); - return 0; + return ff_rename(temp_filename, filename); } static int ism_write_header(AVFormatContext *s) 
@@ -533,8 +533,11 @@ static int ism_flush(AVFormatContext *s, int final) snprintf(header_filename, sizeof(header_filename), "%s/FragmentInfo(%s=%"PRIu64")", os->dirname, os->stream_type_tag, start_ts); snprintf(target_filename, sizeof(target_filename), "%s/Fragments(%s=%"PRIu64")", os->dirname, os->stream_type_tag, start_ts); copy_moof(s, filename, header_filename, moof_size); - rename(filename, target_filename); - add_fragment(os, target_filename, header_filename, start_ts, duration, start_pos, size); + ret = ff_rename(filename, target_filename); + if (ret < 0) + break; + add_fragment(os, target_filename, header_filename, start_ts, duration, + os->cur_start_pos, size); } if (c->window_size || (final && c->remove_at_exit)) { From 8a982092cc3436c25d68ec15b27277c176ce0061 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 24 Oct 2014 00:05:57 +0100 Subject: [PATCH 0276/1352] mxfdec: add missing break CC: libav-stable@libav.org Bug-Id: CID 732232 --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 879e73e8eb..9aedd477f4 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1571,6 +1571,7 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) } /* Turn field height into frame height. */ st->codec->height *= 2; + break; default: av_log(mxf->fc, AV_LOG_INFO, "Unknown frame layout type: %d\n", From 26ba78adacd8469fca97c8c833e2e6364b13b7c8 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Mon, 20 Oct 2014 14:11:25 +0100 Subject: [PATCH 0277/1352] mov: fix assigment check CC: libav-stable@libav.org Bug-Id: CID 1197050 --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9077b7d042..d14dc7c745 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
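Review bot: Besides the rename change, this hunk in `ism_flush()` replaces the `start_pos` argument of `add_fragment()` with `os->cur_start_pos`, which the commit message does not mention. The two are assigned outside the hunk, so it is not possible to tell from here whether they hold the same value at this point; if the change is intentional it belongs in the description or in a separate commit. On the new `break`, the file that `copy_moof()` wrote to `header_filename` is left behind. Whether `ret` is returned after the loop is also not visible here.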
@@ -3092,7 +3092,7 @@ static int mov_read_header(AVFormatContext *s) MOVStreamContext *sc = st->priv_data; if (st->codec->codec_type == AVMEDIA_TYPE_SUBTITLE) { - if (st->codec->width <= 0 && st->codec->width <= 0) { + if (st->codec->width <= 0 || st->codec->height <= 0) { st->codec->width = sc->width; st->codec->height = sc->height; } From bae05e5326703dad3bfe0ed5b31ba73ee9254515 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 22 Oct 2014 14:36:32 +0100 Subject: [PATCH 0278/1352] matroskaenc: write correct Display{Width, Height} in stereo encoding should be the raw amount of pixels (for example 3840x1080 for full HD side by side) and the DisplayWidth/Height in pixels should be the amount of pixels for one plane (1920x1080 for that full HD stream)." So, move the aspect ratio check in the mkv_write_stereo_mode() function and always write the embl when stereo format and/or aspect ration is set. Also add a few comments to that function. CC: libav-stable@libav.org Found-by: Asan Usipov --- libavformat/matroskaenc.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 225f6a6730..b39d1b2fda 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -629,6 +629,9 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, AVStream *st, int mode) { int i; + int display_width, display_height; + int h_width = 1, h_height = 1; + AVCodecContext *codec = st->codec; AVDictionaryEntry *tag; MatroskaVideoStereoModeType format = MATROSKA_VIDEO_STEREOMODE_TYPE_NB; @@ -643,6 +646,7 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, } } + // iterate to find the stereo3d side data for (i = 0; i < st->nb_side_data; i++) { AVPacketSideData sd = st->side_data[i]; if (sd.type == AV_PKT_DATA_STEREO3D) { 
@@ -656,11 +660,13 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, format = (stereo->flags & AV_STEREO3D_FLAG_INVERT) ? MATROSKA_VIDEO_STEREOMODE_TYPE_RIGHT_LEFT : MATROSKA_VIDEO_STEREOMODE_TYPE_LEFT_RIGHT; + h_width = 2; break; case AV_STEREO3D_TOPBOTTOM: format = MATROSKA_VIDEO_STEREOMODE_TYPE_TOP_BOTTOM; if (stereo->flags & AV_STEREO3D_FLAG_INVERT) format--; + h_height = 2; break; case AV_STEREO3D_CHECKERBOARD: format = MATROSKA_VIDEO_STEREOMODE_TYPE_CHECKERBOARD_LR; @@ -671,11 +677,13 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, format = MATROSKA_VIDEO_STEREOMODE_TYPE_ROW_INTERLEAVED_LR; if (stereo->flags & AV_STEREO3D_FLAG_INVERT) format--; + h_height = 2; break; case AV_STEREO3D_COLUMNS: format = MATROSKA_VIDEO_STEREOMODE_TYPE_COL_INTERLEAVED_LR; if (stereo->flags & AV_STEREO3D_FLAG_INVERT) format--; + h_width = 2; break; case AV_STEREO3D_FRAMESEQUENCE: format = MATROSKA_VIDEO_STEREOMODE_TYPE_BOTH_EYES_BLOCK_LR; 
@@ -688,14 +696,30 @@ static int mkv_write_stereo_mode(AVFormatContext *s, AVIOContext *pb, } } + // if webm, do not write unsupported modes if (mode == MODE_WEBM && (format > MATROSKA_VIDEO_STEREOMODE_TYPE_TOP_BOTTOM && format != MATROSKA_VIDEO_STEREOMODE_TYPE_RIGHT_LEFT)) format = MATROSKA_VIDEO_STEREOMODE_TYPE_NB; + // write StereoMode if format is valid if (format < MATROSKA_VIDEO_STEREOMODE_TYPE_NB) put_ebml_uint(pb, MATROSKA_ID_VIDEOSTEREOMODE, format); + // write DisplayWidth and DisplayHeight, they contain the size of + // a single source view and/or the display aspect ratio + display_width = codec->width / h_width; + display_height = codec->height / h_height; + if (st->sample_aspect_ratio.num) { + display_width *= av_q2d(st->sample_aspect_ratio); + put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYUNIT, 3); // DAR + } + if (st->sample_aspect_ratio.num || + format < MATROSKA_VIDEO_STEREOMODE_TYPE_NB) { + put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYWIDTH, display_width); + put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYHEIGHT, display_height); + } + return 0; } @@ -804,12 +828,6 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv, if (ret < 0) return ret; - if (st->sample_aspect_ratio.num) { - int d_width = codec->width*av_q2d(st->sample_aspect_ratio); - put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYWIDTH , d_width); - put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYHEIGHT, codec->height); - put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYUNIT, 3); - } end_ebml_master(pb, subinfo); break; From 242fc6394fecb403bcbd0f652920f2647d0b08ae Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 24 Oct 2014 13:15:36 +0100 Subject: [PATCH 0279/1352] mtv: improve header check and avoid division by zero CC: libav-stable@libav.org Bug-Id: CID 732203 / CID 732204 --- libavformat/mtv.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mtv.c b/libavformat/mtv.c index 5a7f0477ff..7ad7618434 100644 --- a/libavformat/mtv.c +++ b/libavformat/mtv.c 
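Review bot: `display_width *= av_q2d(st->sample_aspect_ratio);` is guarded only by `st->sample_aspect_ratio.num` being non-zero. A zero `den` makes the product infinite, and converting that back to `int` is undefined; a negative ratio yields a negative width that is then written with `put_ebml_uint()`. Testing `st->sample_aspect_ratio.num > 0 && st->sample_aspect_ratio.den > 0` in both conditions would avoid this. Whether the muxer validates the ratio before `mkv_write_stereo_mode()` is called is not visible in this hunk.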
@@ -96,14 +96,17 @@ static int mtv_read_header(AVFormatContext *s) /* Calculate width and height if missing from header */ - if(!mtv->img_width) + if (!mtv->img_width && mtv->img_height > 0 && mtv->img_bpp >= 8) mtv->img_width=mtv->img_segment_size / (mtv->img_bpp>>3) / mtv->img_height; - if(!mtv->img_height) + if (!mtv->img_height && mtv->img_width > 0 && mtv->img_bpp >= 8) mtv->img_height=mtv->img_segment_size / (mtv->img_bpp>>3) / mtv->img_width; + if (!mtv->img_width || !mtv->img_height) + return AVERROR_INVALIDDATA; + avio_skip(pb, 4); audio_subsegments = avio_rl16(pb); From 34e7f70f9f493f340daab80eba4f12d005ec3e63 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 24 Oct 2014 13:15:40 +0100 Subject: [PATCH 0280/1352] assdec: check av_new_packet return value CC: libav-stable@libav.org Bug-Id: CID 703626 --- libavformat/assdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/assdec.c b/libavformat/assdec.c index 7bd3d173ac..08c1222264 100644 --- a/libavformat/assdec.c +++ b/libavformat/assdec.c @@ -151,6 +151,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) { ASSContext *ass = s->priv_data; uint8_t *p, *end; + int ret; if (ass->event_index >= ass->event_count) return AVERROR(EIO); @@ -158,7 +159,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) p = ass->event[ass->event_index]; end = strchr(p, '\n'); - av_new_packet(pkt, end ? end - p + 1 : strlen(p)); + ret = av_new_packet(pkt, end ? end - p + 1 : strlen(p)); + if (ret < 0) + return ret; pkt->flags |= AV_PKT_FLAG_KEY; pkt->pos = p - ass->event_buffer + s->streams[0]->codec->extradata_size; pkt->pts = pkt->dts = get_pts(p); From 2a75c0b1ca16b5480497de0d4c79ef122406a0b5 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 30 Oct 2014 00:52:04 +0000 Subject: [PATCH 0281/1352] aacsbr: change order of operation to prevent out of array read CC: libav-stable@libav.org Bug-Id: CID 732250 --- libavcodec/aacsbr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 4d2ac6cbd2..dbfb167781 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -549,7 +549,8 @@ static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) k = sbr->n_master; } while (sb != sbr->kx[1] + sbr->m[1]); - if (sbr->patch_num_subbands[sbr->num_patches-1] < 3 && sbr->num_patches > 1) + if (sbr->num_patches > 1 && + sbr->patch_num_subbands[sbr->num_patches - 1] < 3) sbr->num_patches--; return 0; From 4edbb0955e043d698dcc1b5073b6e714f9cc7960 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Sun, 9 Nov 2014 08:48:35 +0100 Subject: [PATCH 0282/1352] png_parser: fix size of chunk_lenght Fixes the comparison against constant value 0x7fffffff. CC: libav-stable@libav.org Bug-Id: CID 1198260 --- libavcodec/png_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/png_parser.c b/libavcodec/png_parser.c index d07f288c4b..c66caf31a3 100644 --- a/libavcodec/png_parser.c +++ b/libavcodec/png_parser.c @@ -36,7 +36,7 @@ typedef struct PNGParseContext { ParseContext pc; int chunk_pos; ///< position inside current chunk - int chunk_length; ///< length of the current chunk + uint32_t chunk_length; ///< length of the current chunk int remaining_size; ///< remaining size of the current chunk } PNGParseContext; From e7ee74485b436c34591177c18c8643764a55d516 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 24 Nov 2014 01:04:39 +0100 Subject: [PATCH 0283/1352] hnm4: Use av_image_check_size As done for all the other codecs not calling it indirectly. CC: libav-stable@libav.org Bug-Id: CID 1135770 / CID 1135771 --- libavcodec/hnm4video.c | 6 ++++++ 1 file changed, 6 insertions(+) 
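Review bot: In `PNGParseContext` only `chunk_length` becomes `uint32_t`; `chunk_pos` and `remaining_size` next to it stay `int`. Any expression outside this hunk that compares one of them with a value derived from `chunk_length` is now evaluated as unsigned, so a negative `chunk_pos` or `remaining_size` would compare as a very large number. Those uses are not visible here and should be re-read with the new type in mind. A comment on the field such as `///< length of the current chunk, as read from the 32-bit big-endian header field` would also record why it is unsigned.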
diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c index b200e89a6a..4220202e15 100644 --- a/libavcodec/hnm4video.c +++ b/libavcodec/hnm4video.c @@ -22,6 +22,7 @@ #include +#include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" #include "libavutil/mem.h" @@ -406,6 +407,7 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data, static av_cold int hnm_decode_init(AVCodecContext *avctx) { Hnm4VideoContext *hnm = avctx->priv_data; + int ret; if (avctx->extradata_size < 1) { av_log(avctx, AV_LOG_ERROR, @@ -413,6 +415,10 @@ static av_cold int hnm_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + if (ret < 0) + return ret; + hnm->version = avctx->extradata[0]; avctx->pix_fmt = AV_PIX_FMT_PAL8; hnm->width = avctx->width; From 12e1a7013a53ad957c4ff11a3aebc0763024d24b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Nov 2014 11:13:10 +0100 Subject: [PATCH 0284/1352] roqaudio: Always use the frame buffer on flush Prevent NULL dereference. CC: libav-stable@libav.org Bug-Id: CID 703669 Signed-off-by: Vittorio Giovara (cherry picked from commit 55b59fab880a9fcdd30f97c5170af282087ac4f7) Signed-off-by: Luca Barbato --- libavcodec/roqaudioenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/roqaudioenc.c b/libavcodec/roqaudioenc.c index f97d5d6e0c..402eb78be5 100644 --- a/libavcodec/roqaudioenc.c +++ b/libavcodec/roqaudioenc.c 
@@ -147,15 +147,16 @@ static int roq_dpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, context->input_frames++; return 0; } - in = context->frame_buffer; } + if (context->input_frames < 8) + in = context->frame_buffer; if (stereo) { context->lastSample[0] &= 0xFF00; context->lastSample[1] &= 0xFF00; } - if (context->input_frames == 7 || !in) + if (context->input_frames == 7) data_size = avctx->channels * context->buffered_samples; else data_size = avctx->channels * avctx->frame_size; From b82170336f90d06c645d8252ddeccfc92c2f9ccb Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Sun, 9 Nov 2014 08:48:43 +0100 Subject: [PATCH 0285/1352] tiffenc: initialize return value 'ret' can only be used without initialization if s->height <= 0, which can only happen if avctx->height <= 0, which is validated elsewhere. Doesn't hurt to still initialize it though. CC: libav-stable@libav.org Bug-Id: CID 732296 (cherry picked from commit 0562887a984388fdc7a9b71c9374ff9c756fb4f1) Signed-off-by: Luca Barbato --- libavcodec/tiffenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index 5d410b19e9..6c2cde92e2 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c @@ -231,7 +231,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, int bytes_per_row; uint32_t res[2] = { 72, 1 }; // image resolution (72/1) uint16_t bpp_tab[] = { 8, 8, 8, 8 }; - int ret; + int ret = 0; int is_yuv = 0; uint8_t *yuv_line = NULL; int shift_h, shift_v; From 484e015dc8b9983297e9269b406c65084daf4528 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 23 Nov 2014 16:09:05 +0100 Subject: [PATCH 0286/1352] cook: Make sure there is enough extradata At least 8 bytes are needed (Mono audio). Bug-Id: CID 741418 CC: libav-stable@libav.org (cherry picked from commit 299d8ab104fb350254eb2e6d9ecdce892a2a55b1) Signed-off-by: Luca Barbato --- libavcodec/cook.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
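Review bot: With `|| !in` removed from the `data_size` test, a call that reaches this point with fewer than seven frames buffered takes the `else` branch and uses `avctx->channels * avctx->frame_size` rather than `avctx->channels * context->buffered_samples`. In that case `in` now points at `context->frame_buffer`, so the size no longer follows the number of samples actually buffered. Whether a flush can arrive in that state depends on the start of `roq_dpcm_encode_frame()`, which is outside this hunk. If it can, the size should be taken from `buffered_samples` whenever the data comes from `frame_buffer`; if it cannot, a comment stating that invariant would help.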
diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 056c7d90f6..8c2fab7a27 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1051,7 +1051,7 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->avctx = avctx; /* Take care of the codec specific extradata. */ - if (extradata_size <= 0) { + if (extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Necessary extradata missing!\n"); return AVERROR_INVALIDDATA; } From fbc20c3b85be169389b6c9f8806a311d3dea91ea Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 21 Nov 2014 12:57:40 +0000 Subject: [PATCH 0287/1352] aacdec: avoid an out-of-bounds write Also move the check in the case it is actually used. CC: libav-stable@libav.org Bug-Id: CID 1087090 (cherry picked from commit b99ca863506f0630514921b740b78364de67a3ff) Signed-off-by: Luca Barbato --- libavcodec/aacdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 4bdf52fc66..2258aed0ae 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -143,8 +143,6 @@ static av_cold int che_configure(AACContext *ac, enum ChannelPosition che_pos, int type, int id, int *channels) { - if (*channels >= MAX_CHANNELS) - return AVERROR_INVALIDDATA; if (che_pos) { if (!ac->che[type][id]) { if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement)))) @@ -152,6 +150,8 @@ static av_cold int che_configure(AACContext *ac, ff_aac_sbr_ctx_init(ac, &ac->che[type][id]->sbr); } if (type != TYPE_CCE) { + if (*channels >= MAX_CHANNELS - 2) + return AVERROR_INVALIDDATA; ac->output_element[(*channels)++] = &ac->che[type][id]->ch[0]; if (type == TYPE_CPE || (type == TYPE_SCE && ac->oc[1].m4ac.ps == 1)) { From cce99f72d1b49d3dfee859136eeff3db32553750 Mon Sep 17 00:00:00 2001 
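Review bot: The relocated bound `if (*channels >= MAX_CHANNELS - 2)` in `che_configure()` is applied to every non-CCE element, although the lines below it store one `output_element` entry unconditionally and guard a further step with `type == TYPE_CPE || (type == TYPE_SCE && ac->oc[1].m4ac.ps == 1)`. That keeps the visible write in range, but it also rejects `*channels == MAX_CHANNELS - 2`, where two entries would still fit, and rejects single-channel elements while a free slot remains. If the stricter limit is intended, a comment saying so would help; otherwise the subtraction could depend on whether the second entry will be stored. The body of that second branch is outside this hunk.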
From: Vittorio Giovara Date: Fri, 21 Nov 2014 12:57:42 +0000 Subject: [PATCH 0288/1352] mpegenc: prevent a NULL pointer dereference CC: libav-stable@libav.org Bug-Id: CID 29261 (cherry picked from commit 065923b0781b06a2604f69f4e2c2407b7750a854) Signed-off-by: Luca Barbato --- libavformat/mpegenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index 88590b305b..8a62c54c32 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -1052,7 +1052,7 @@ retry: es_size -= stream->premux_packet->unwritten_size; stream->premux_packet = stream->premux_packet->next; } - if (es_size) + if (stream->premux_packet && es_size) stream->premux_packet->unwritten_size -= es_size; if (remove_decoded_packets(ctx, s->last_scr) < 0) From e9aeaa6441f6fd18fc951d9737887dcf8a9584c0 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 12 Nov 2014 19:10:44 +0100 Subject: [PATCH 0289/1352] qdm2: avoid integer overflow CC: libav-stable@libav.org Bug-Id: CID 700555 (cherry picked from commit 1f80742f49a9a4e846c9f099387881abc87150b2) Signed-off-by: Luca Barbato --- libavcodec/qdm2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 94bda9169a..4718b34942 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -730,7 +730,7 @@ static void fill_coding_method_array(sb_int8_array tone_level_idx, for (j = 0; j < 64; j++) acc += tone_level_idx_temp[ch][sb][j]; - multres = 0x66666667 * (acc * 10); + multres = 0x66666667LL * (acc * 10); esp_40 = (multres >> 32) / 8 + ((multres & 0xffffffff) >> 31); for (ch = 0; ch < nb_channels; ch++) for (sb = 0; sb < 30; sb++) From 5891fd017aa7bed4c423b8511090cf8641a0afa4 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 9 Nov 2014 08:48:47 +0100 Subject: [PATCH 0290/1352] dvdsubdec: Do not leak on failure path CC: libav-stable@libav.org Bug-Id: CID 1198262 (cherry picked from commit d466d82faaf6e0e57a3a4be5e38e3902ef251ac3) 
Signed-off-by: Luca Barbato --- libavcodec/dvdsubdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 5d6db41d35..15abac0738 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -503,6 +503,7 @@ static av_cold int dvdsub_init(AVCodecContext *avctx) { DVDSubContext *ctx = avctx->priv_data; char *data, *cur; + int ret = 0; if (!avctx->extradata || !avctx->extradata_size) return 0; @@ -527,16 +528,18 @@ static av_cold int dvdsub_init(AVCodecContext *avctx) } else if (!strncmp("size:", cur, 5)) { int w, h; if (sscanf(cur + 5, "%dx%d", &w, &h) == 2) { - int ret = ff_set_dimensions(avctx, w, h); + ret = ff_set_dimensions(avctx, w, h); if (ret < 0) - return ret; + goto fail; } } cur += strcspn(cur, "\n\r"); cur += strspn(cur, "\n\r"); } + +fail: av_free(data); - return 0; + return ret; } AVCodec ff_dvdsub_decoder = { From 4d11e4b47db6387077682595d53e9a17b50511cb Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 21 Nov 2014 11:56:59 +0000 Subject: [PATCH 0291/1352] libtwolame: prevent a NULL pointer dereference CC: libav-stable@libav.org Bug-Id: CID 1250330 / CID 1250335 (cherry picked from commit a42d5c861fea8d18d997c6ba3f4a1d8aa95a288b) Signed-off-by: Luca Barbato --- libavcodec/libtwolame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libtwolame.c b/libavcodec/libtwolame.c index def5feeb9d..7f7b2f7590 100644 --- a/libavcodec/libtwolame.c +++ b/libavcodec/libtwolame.c @@ -148,8 +148,8 @@ static int twolame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if (ret < 0) // twolame error return AVERROR_UNKNOWN; - avpkt->duration = ff_samples_to_time_base(avctx, frame->nb_samples); if (frame) { + avpkt->duration = ff_samples_to_time_base(avctx, frame->nb_samples); if (frame->pts != AV_NOPTS_VALUE) avpkt->pts = frame->pts - ff_samples_to_time_base(avctx, avctx->delay); } else { 
From 32701252af65014bb68194bb61d67ec1882ae75d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 17 Nov 2014 00:22:21 +0100 Subject: [PATCH 0292/1352] xwma: Do not leak on failure path CC: libav-stable@libav.org Bug-Id: CID 1087092 (cherry picked from commit fd9badd3cb3b60f5c54dcea35523e1ecca2f67a6) Signed-off-by: Luca Barbato --- libavformat/xwma.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 45d74de0dd..af916ad169 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -44,7 +44,7 @@ static int xwma_probe(AVProbeData *p) static int xwma_read_header(AVFormatContext *s) { int64_t size; - int ret; + int ret = 0; uint32_t dpds_table_size = 0; uint32_t *dpds_table = 0; unsigned int tag; @@ -130,8 +130,10 @@ static int xwma_read_header(AVFormatContext *s) /* parse the remaining RIFF chunks */ for (;;) { - if (pb->eof_reached) - return -1; + if (pb->eof_reached) { + ret = AVERROR_INVALIDDATA; + goto fail; + } /* read next chunk tag */ tag = avio_rl32(pb); size = avio_rl32(pb); @@ -152,7 +154,8 @@ static int xwma_read_header(AVFormatContext *s) /* Error out if there is more than one dpds chunk. */ if (dpds_table) { av_log(s, AV_LOG_ERROR, "two dpds chunks present\n"); - return -1; + ret = AVERROR_INVALIDDATA; + goto fail; } /* Compute the number of entries in the dpds chunk. */ @@ -184,8 +187,10 @@ static int xwma_read_header(AVFormatContext *s) } /* Determine overall data length */ - if (size < 0) - return -1; + if (size < 0) { + ret = AVERROR_INVALIDDATA; + goto fail; + } if (!size) { xwma->data_end = INT64_MAX; } else @@ -204,7 +209,8 @@ static int xwma_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid bits_per_coded_sample %d for %d channels\n", st->codec->bits_per_coded_sample, st->codec->channels); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->duration = total_decoded_bytes / bytes_per_sample; 
@@ -239,9 +245,10 @@ static int xwma_read_header(AVFormatContext *s) st->duration = (size<<3) * st->codec->sample_rate / st->codec->bit_rate; } +fail: av_free(dpds_table); - return 0; + return ret; } static int xwma_read_packet(AVFormatContext *s, AVPacket *pkt) From 527617485914004dc8b772056322ea5ae74c800d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 21 Nov 2014 14:23:02 +0200 Subject: [PATCH 0293/1352] lavc: Move the libtwolame encoder registration to the list for external libraries This makes sure the default behaviour of using the internal encoder stays the same regardless if libtwolame is enabled or not (as for any external library). This fixes fate-lavf-mpg if libav is built with libtwolame enabled. CC: libav-stable@libav.org Signed-off-by: Vittorio Giovara (cherry picked from commit aa8b39d999589154f79300de9038994d0093cd34) Signed-off-by: Luca Barbato --- libavcodec/allcodecs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/allcodecs.c b/libavcodec/allcodecs.c index bd74e0ba37..6a71b2cdc0 100644 --- a/libavcodec/allcodecs.c +++ b/libavcodec/allcodecs.c @@ -240,7 +240,6 @@ void avcodec_register_all(void) REGISTER_DECODER(SVQ3, svq3); REGISTER_ENCDEC (TARGA, targa); REGISTER_DECODER(THEORA, theora); - REGISTER_ENCODER(LIBTWOLAME, libtwolame); REGISTER_DECODER(THP, thp); REGISTER_DECODER(TIERTEXSEQVIDEO, tiertexseqvideo); REGISTER_ENCDEC (TIFF, tiff); @@ -448,6 +447,7 @@ void avcodec_register_all(void) REGISTER_ENCDEC (LIBSCHROEDINGER, libschroedinger); REGISTER_ENCDEC (LIBSPEEX, libspeex); REGISTER_ENCODER(LIBTHEORA, libtheora); + REGISTER_ENCODER(LIBTWOLAME, libtwolame); REGISTER_ENCODER(LIBVO_AACENC, libvo_aacenc); REGISTER_ENCODER(LIBVO_AMRWBENC, libvo_amrwbenc); REGISTER_ENCODER(LIBVORBIS, libvorbis); From 93bf4a74de99300fdc0deb83f672bf12e6f1c262 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 18 Nov 2014 13:52:26 +0200 Subject: [PATCH 0294/1352] configure: Fix enabling memalign_hack automatically MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit simd_align_16 is a configure item that can be enabled or disabled, it's not a variable containing a list of other configure items as need_memalign previously. This was broken in eba2233b5. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 7813e6752bdab38a5686c301e869ee71d97bce69) Signed-off-by: Luca Barbato --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index c073f30b11..ee57ed945b 100755 --- a/configure +++ b/configure @@ -4469,7 +4469,7 @@ enabled_all dxva2 CoTaskMemFree && enable dxva2_lib ! enabled_any memalign posix_memalign aligned_malloc && - enabled $simd_align_16 && enable memalign_hack + enabled simd_align_16 && enable memalign_hack map 'enabled $v && intrinsics=${v#intrinsics_}' $INTRINSICS_LIST From 61fdbf7ff64c0ae1bdd6a8d573092dc6924c1dba Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Mon, 17 Nov 2014 00:22:27 +0100 Subject: [PATCH 0295/1352] lavc: fix bitshifts amount bigger than the type CC: libav-stable@libav.org Bug-Id: CID 1194387 / CID 1194389 / CID 1194393 / CID 1206638 (cherry picked from commit 85dc006b1a829726dd5e3a9b0fcc6a1dbfe6dffa) Signed-off-by: Luca Barbato --- libavcodec/cavs.c | 5 +++-- libavcodec/cavsdec.c | 4 ++-- libavcodec/dnxhdenc.c | 2 +- libavcodec/internal.h | 2 ++ libavcodec/vp8.c | 4 ++-- 5 files changed, 10 insertions(+), 7 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 2be50a7c4a..788fcada21 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -30,6 +30,7 @@ #include "golomb.h" #include "h264chroma.h" #include "idctdsp.h" +#include "internal.h" #include "mathops.h" #include "qpeldsp.h" #include "cavs.h" 
@@ -529,8 +530,8 @@ static inline void scale_mv(AVSContext *h, int *d_x, int *d_y, { int den = h->scale_den[src->ref]; - *d_x = (src->x * distp * den + 256 + (src->x >> 31)) >> 9; - *d_y = (src->y * distp * den + 256 + (src->y >> 31)) >> 9; + *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9; + *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9; } static inline void mv_pred_median(AVSContext *h, diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index fbbd04803a..a091eeb393 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -473,7 +473,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; int den = h->direct_den[col_mv->ref]; - int m = col_mv->x >> 31; + int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; pmv_bw->dist = h->dist[0]; @@ -482,7 +482,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, /* scale the co-located motion vector according to its temporal span */ pmv_fw->x = (((den + (den * col_mv->x * pmv_fw->dist ^ m) - m - 1) >> 14) ^ m) - m; pmv_bw->x = m - (((den + (den * col_mv->x * pmv_bw->dist ^ m) - m - 1) >> 14) ^ m); - m = col_mv->y >> 31; + m = FF_SIGNBIT(col_mv->y); pmv_fw->y = (((den + (den * col_mv->y * pmv_fw->dist ^ m) - m - 1) >> 14) ^ m) - m; pmv_bw->y = m - (((den + (den * col_mv->y * pmv_bw->dist ^ m) - m - 1) >> 14) ^ m); } diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index 42945107dd..6896fc1843 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -108,7 +108,7 @@ static int dnxhd_10bit_dct_quantize(MpegEncContext *ctx, int16_t *block, for (i = 1; i < 64; ++i) { int j = scantable[i]; - int sign = block[j] >> 31; + int sign = FF_SIGNBIT(block[j]); int level = (block[j] ^ sign) - sign; level = level * qmat[j] >> DNX10BIT_QMAT_SHIFT; block[j] = (level ^ sign) - sign; diff --git a/libavcodec/internal.h b/libavcodec/internal.h index 3b2ae40ca4..a68d6134e3 100644 
--- a/libavcodec/internal.h +++ b/libavcodec/internal.h @@ -35,6 +35,8 @@ #define FF_SANE_NB_CHANNELS 63U +#define FF_SIGNBIT(x) (x >> CHAR_BIT * sizeof(x) - 1) + typedef struct FramePool { /** * Pools for each data plane. For audio all the planes have the same size, diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 5426555793..ce9d3cfba4 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -1882,8 +1882,8 @@ void inter_predict(VP8Context *s, VP8ThreadData *td, uint8_t *dst[3], mb->bmv[2 * y * 4 + 2 * x + 1].y + mb->bmv[(2 * y + 1) * 4 + 2 * x ].y + mb->bmv[(2 * y + 1) * 4 + 2 * x + 1].y; - uvmv.x = (uvmv.x + 2 + (uvmv.x >> (INT_BIT - 1))) >> 2; - uvmv.y = (uvmv.y + 2 + (uvmv.y >> (INT_BIT - 1))) >> 2; + uvmv.x = (uvmv.x + 2 + FF_SIGNBIT(uvmv.x)) >> 2; + uvmv.y = (uvmv.y + 2 + FF_SIGNBIT(uvmv.y)) >> 2; if (s->profile == 3) { uvmv.x &= ~7; uvmv.y &= ~7; From 29e720da76ca353dbda9f881562902b41c355b77 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Mon, 17 Nov 2014 00:22:22 +0100 Subject: [PATCH 0296/1352] librtmp: append the correct field to the string Also prevent a NULL pointer dereference. CC: libav-stable@libav.org Bug-Id: CID 1250329 / CID 1250331 (cherry picked from commit a28468d0daf4be14761c16a3ddd33266b2380123) Signed-off-by: Luca Barbato --- libavformat/librtmp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/librtmp.c b/libavformat/librtmp.c index 74e2c49572..fac3a35196 100644 --- a/libavformat/librtmp.c +++ b/libavformat/librtmp.c @@ -169,7 +169,7 @@ static int rtmp_open(URLContext *s, const char *uri, int flags) } if (ctx->swfurl) { av_strlcat(filename, " swfUrl=", len); - av_strlcat(filename, ctx->pageurl, len); + av_strlcat(filename, ctx->swfurl, len); } if (ctx->flashver) { av_strlcat(filename, " flashVer=", len); From dd195c2c587f44dbc4be7f059ed182f7d83e6cb4 Mon Sep 17 00:00:00 2001 
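Review bot: The new `FF_SIGNBIT(x)` macro in libavcodec/internal.h expands its argument unparenthesized, so an argument built from a lower-precedence operator (`a & b`, `c ? a : b`) would be shifted incorrectly. I would write it as `#define FF_SIGNBIT(x) ((x) >> (CHAR_BIT * sizeof(x) - 1))`. The call sites in the cavs.c, cavsdec.c, dnxhdenc.c and vp8.c hunks all pass plain lvalues, so they are not affected today. The macro also relies on `CHAR_BIT` from `<limits.h>`, and this hunk does not show whether internal.h includes it. A one-line comment saying that the result is 0 or -1 and depends on arithmetic right shift of negative values (implementation-defined in C) would help the next reader.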
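Review bot: In the `rtmp_open` hunk the corrected line still appends `ctx->swfurl` verbatim into the space-delimited `filename` string, as the neighbouring `" flashVer="` lines do for their fields. If any of these option values can come from untrusted input, a value containing a space would presumably be read by librtmp as additional `key=value` options. I would validate or escape the values before `av_strlcat`, or at least add a comment such as `/* option values are concatenated unescaped; callers must not pass untrusted strings */`. `av_strlcat` also truncates silently when `len` is too small, and `len` is computed outside this hunk, so it is worth confirming that it accounts for every appended field. The same hunk appears again in the later "avformat/librtmp: fix swfurl" patch.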
From: Michael Niedermayer Date: Wed, 12 Nov 2014 11:13:01 +0100 Subject: [PATCH 0297/1352] on2avc: Fix out of array access CC: libav-stable@libav.org Bug-Id: CID 1206648 (cherry picked from commit 2fa6d21124bd2fc0b186290f5313179263bfcfb7) Signed-off-by: Luca Barbato --- libavcodec/on2avc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 1c4b3c9ea9..c00339f7b0 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -172,7 +172,7 @@ static int on2avc_decode_band_scales(On2AVCContext *c, GetBitContext *gb) } else { scale += get_vlc2(gb, c->scale_diff.table, 9, 3) - 60; } - if (scale < 0 || scale > 128) { + if (scale < 0 || scale > 127) { av_log(c->avctx, AV_LOG_ERROR, "Invalid scale value %d\n", scale); return AVERROR_INVALIDDATA; From 21aeae9c679657a1537d0d9127eff280bafc901a Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 12 Nov 2014 11:13:07 +0100 Subject: [PATCH 0298/1352] svq1enc: check ff_get_buffer return value CC: libav-stable@libav.org Bug-Id: CID 747723 (cherry picked from commit 59846452af762f6af5ced4399e8dcd709ca50fcd) Signed-off-by: Luca Barbato --- libavcodec/svq1enc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 361c465569..d70bba3b9d 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -580,8 +580,12 @@ static int svq1_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } if (!s->current_picture->data[0]) { - ff_get_buffer(avctx, s->current_picture, 0); - ff_get_buffer(avctx, s->last_picture, 0); + ret = ff_get_buffer(avctx, s->current_picture, 0); + if (ret < 0) + return ret; + ret = ff_get_buffer(avctx, s->last_picture, 0); + if (ret < 0) + return ret; s->scratchbuf = av_malloc(s->current_picture->linesize[0] * 16 * 2); } From 39e07ac9fcaf3d412f9a33f427072e8ded032d24 Mon Sep 17 00:00:00 2001 
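Review bot: In the `svq1_encode_frame` hunk the `av_malloc()` for `s->scratchbuf` on the line right after the new checks is still unchecked; I would add `if (!s->scratchbuf) return AVERROR(ENOMEM);`. The new early returns also leave partial state: if the second `ff_get_buffer()` fails, `s->current_picture->data[0]` is already set, so the `if (!s->current_picture->data[0])` guard will not run again and `last_picture` and `scratchbuf` stay unallocated. If the encoder can be called again after an error (not visible from this hunk), releasing the first buffer before returning, e.g. `av_frame_unref(s->current_picture);`, keeps the guard meaningful. The function body continues outside the hunk.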
From: Vittorio Giovara Date: Wed, 12 Nov 2014 11:13:06 +0100 Subject: [PATCH 0299/1352] ansi: check ff_set_dimensions return value CC: libav-stable@libav.org Bug-Id: CID 1135737 (cherry picked from commit 994ab1804b8bf532f44876927b07b51f1f63247f) Signed-off-by: Luca Barbato --- libavcodec/ansi.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 95b5be4678..556bfe4461 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -88,9 +88,11 @@ static av_cold int decode_init(AVCodecContext *avctx) s->fg = DEFAULT_FG_COLOR; s->bg = DEFAULT_BG_COLOR; - if (!avctx->width || !avctx->height) - ff_set_dimensions(avctx, 80 << 3, 25 << 4); - + if (!avctx->width || !avctx->height) { + int ret = ff_set_dimensions(avctx, 80 << 3, 25 << 4); + if (ret < 0) + return ret; + } return 0; } From 9e0a38d32b36fac7fd73bdb93e820ae0b9e03616 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 12 Nov 2014 11:13:05 +0100 Subject: [PATCH 0300/1352] avs: check ff_set_dimensions return value CC: libav-stable@libav.org Bug-Id: CID 1135738 (cherry picked from commit c7384664ba0cbb12d882effafbc6d321ae706cff) Signed-off-by: Luca Barbato --- libavcodec/avs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 53e3320424..eb2da66928 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -165,9 +165,8 @@ static av_cold int avs_decode_init(AVCodecContext * avctx) return AVERROR(ENOMEM); avctx->pix_fmt = AV_PIX_FMT_PAL8; - ff_set_dimensions(avctx, 318, 198); - return 0; + return ff_set_dimensions(avctx, 318, 198); } static av_cold int avs_decode_end(AVCodecContext *avctx) From 796bd81835ebcb69d40bc87b33f13924a5937a1b Mon Sep 17 00:00:00 2001 
From: Vittorio Giovara Date: Wed, 12 Nov 2014 11:13:04 +0100 Subject: [PATCH 0301/1352] g2meet: check ff_set_dimensions return value CC: libav-stable@libav.org Bug-Id: CID 1135739 (cherry picked from commit 2b5c1efa1465d8646f8be525cace7a21404e40ad) Signed-off-by: Luca Barbato --- libavcodec/g2meet.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index c405f38e42..33934f1bf7 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -719,8 +719,11 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto header_fail; } - if (c->width != avctx->width || c->height != avctx->height) - ff_set_dimensions(avctx, c->width, c->height); + if (c->width != avctx->width || c->height != avctx->height) { + ret = ff_set_dimensions(avctx, c->width, c->height); + if (ret < 0) + return ret; + } c->compression = bytestream2_get_be32(&bc); if (c->compression != 2 && c->compression != 3) { av_log(avctx, AV_LOG_ERROR, From 3aba00b1b331461611d32cfd56ebe8334f6d1b93 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 12 Nov 2014 11:13:02 +0100 Subject: [PATCH 0302/1352] indeo3: check ff_set_dimensions return value CC: libav-stable@libav.org Bug-Id: CID 1135740 (cherry picked from commit c6d7c201dfa80502cb6cefbee7dc9160cedb5187) Signed-off-by: Luca Barbato --- libavcodec/indeo3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index a9c02b2889..f74ac42ded 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -944,7 +944,8 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx, free_frame_buffers(ctx); if ((res = allocate_frame_buffers(ctx, avctx)) < 0) return res; - ff_set_dimensions(avctx, width, height); + if ((res = ff_set_dimensions(avctx, width, height)) < 0) + return res; } y_offset = bytestream2_get_le32(&gb); 
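Review bot: In the `g2m_decode_frame` hunk the new failure path uses `return ret;`, while the check immediately above it in the same hunk sets `ret` and does `goto header_fail;`. Whatever `header_fail` resets or releases (the label is outside the hunk) is therefore skipped when `ff_set_dimensions()` fails. For consistency with the surrounding header-parsing errors I would write `if (ret < 0) goto header_fail;`.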
From 3f09d4f6d43468dbc9307bb937516a32287008dc Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Tue, 11 Nov 2014 17:40:04 +0100 Subject: [PATCH 0303/1352] ffv1: fix out-of-bounds read CC: libav-stable@libav.org Bug-Id: CID 1047234 (cherry picked from commit 6abe7edabb7d57e82d7ea6312d30cf05d2192c5b) Signed-off-by: Luca Barbato --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 179453db5e..93630b42e8 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -71,7 +71,7 @@ static void find_best_state(uint8_t best_state[256][256], best_len[k] = len; best_state[i][k] = j; } - for (m = 0; m < 256; m++) + for (m = 1; m < 256; m++) if (occ[m]) { newocc[one_state[m]] += occ[m] * p; newocc[256 - one_state[256 - m]] += occ[m] * (1 - p); From 88411b87b4bb3c5820ec232f26ba4a284c11a7f9 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Tue, 11 Nov 2014 13:27:02 +0100 Subject: [PATCH 0304/1352] display: fix order of operands CC: libav-stable@libav.org Bug-Id: CID 1238828 / CID 1238832 (cherry picked from commit b1b1a7370e141c912e3d0bbaa668dcee05c3ad67) Signed-off-by: Luca Barbato --- libavcodec/h264.c | 2 +- libavcodec/hevc.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 4bc0a03c24..208aa929b4 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -837,7 +837,7 @@ static void decode_postinit(H264Context *h, int setup_finished) av_display_rotation_set((int32_t *)rotation->data, angle); av_display_matrix_flip((int32_t *)rotation->data, - h->sei_vflip, h->sei_hflip); + h->sei_hflip, h->sei_vflip); } // FIXME do something with unavailable reference frames diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 4e237a76c2..21d437cf4f 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
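Review bot: The changed loop bound in `find_best_state` (`for (m = 1; m < 256; m++)`) has no comment explaining why index 0 is skipped, which makes it easy to "fix" back later. I would add `/* start at 1: one_state[256 - m] would read one_state[256] for m == 0 */` above the loop, assuming `one_state` has 256 entries (its declaration is outside the hunk). It is also worth confirming that `occ[0]` is always zero here, since its contribution to `newocc` is now dropped without notice.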
@@ -2434,7 +2434,7 @@ static int set_side_data(HEVCContext *s) av_display_rotation_set((int32_t *)rotation->data, angle); av_display_matrix_flip((int32_t *)rotation->data, - s->sei_vflip, s->sei_hflip); + s->sei_hflip, s->sei_vflip); } return 0; From 431f57f0467244686ae63a3d06a8cf51f60090ed Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Tue, 11 Nov 2014 13:26:55 +0100 Subject: [PATCH 0305/1352] libopusenc: prevent an out-of-bounds read by returning early CC: libav-stable@libav.org Bug-Id: CID 1244188 (cherry picked from commit 8dd0a2c5cf40a8a49faae985adc11750b6429132) Signed-off-by: Luca Barbato --- libavcodec/libopusenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 9af8bcda7e..8f754668c9 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -163,10 +163,11 @@ static int av_cold libopus_encode_init(AVCodecContext *avctx) /* FIXME: Opus can handle up to 255 channels. However, the mapping for * anything greater than 8 is undefined. */ - if (avctx->channels > 8) - av_log(avctx, AV_LOG_WARNING, + if (avctx->channels > 8) { + av_log(avctx, AV_LOG_ERROR, "Channel layout undefined for %d channels.\n", avctx->channels); - + return AVERROR_PATCHWELCOME; + } if (!avctx->bit_rate) { /* Sane default copied from opusenc */ avctx->bit_rate = 64000 * opus->stream_count + From ff77fa754bf2d6e7231d2e050babefa9a13d1fec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Nov 2014 13:27:00 +0100 Subject: [PATCH 0306/1352] vp7: fix checking vp7_feature_value_size() CC: libav-stable@libav.org Bug-Id: CID 1197061 (cherry picked from commit 29234f56818135faf2f1868ab324c073abd28fbd) Signed-off-by: Luca Barbato --- libavcodec/vp8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index ce9d3cfba4..63c0ce7dfd 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c 
@@ -529,7 +529,7 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->feature_index_prob[i][j] = vp8_rac_get(c) ? vp8_rac_get_uint(c, 8) : 255; - if (vp7_feature_value_size[i]) + if (vp7_feature_value_size[s->profile][i]) for (j = 0; j < 4; j++) s->feature_value[i][j] = vp8_rac_get(c) ? vp8_rac_get_uint(c, vp7_feature_value_size[s->profile][i]) : 0; From 5f6f2412211609e46d3f3573f4ac4e136534f1d4 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 13 Jan 2015 00:33:23 +0100 Subject: [PATCH 0307/1352] doc: Update the Changelog for release 11.2 --- Changelog | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/Changelog b/Changelog index b9d8dd0f27..60c662670c 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,29 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 11.2: + +- h264: restore a block mistakenly removed in e10fd08a (libav #781) +- on2avc: check number of channels (CVE-2014-8549) +- smc: fix the bounds check (CVE-2014-8548) +- gifdec: refactor interleave end handling (CVE-2014-8547) +- mmvideo: check frame dimensions (CVE-2014-8543) +- jvdec: check frame dimensions (CVE-2014-8542) +- mjpegdec: check for pixel format changes (CVE-2014-8541) +- mov: avoid a memleak when multiple stss boxes are present +- vc1: Do not assume seek happens after decoding +- avconv: Use the mpeg12 private option scan_offset (debian/773055) +- xsub: Support DXSA subtitles +- mp3dec: fix reading the Xing tag +- matroskaenc: write correct Display{Width, Height} in stereo encoding +- configure: Fix enabling memalign_hack automatically +- mp3enc: fix a triggerable assert +- latm: Do not give a score for a single instance +- mp3: Tweak the probe scores +- matroskaenc: write correct Display{Width, Height} in stereo encoding +- configure: Fix enabling memalign_hack automatically +- coverity: Fix most of the reported warnings and issues + version 11.1: - Replace lena.pnm (debian#771126) From 1fd7fb9036fcfb1620068014d8a52112067d2d59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Jan 2015 17:14:46 +0100 Subject: [PATCH 0308/1352] Update for 2.4.6 Signed-off-by: Michael Niedermayer --- Changelog | 25 +++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 3aa4ef52b9..d74254e1c6 100644 --- a/Changelog +++ b/Changelog 
@@ -3,6 +3,31 @@ releases are sorted from youngest to oldest. version : + +version 2.4.6: +- doc/examples: fix lib math dep for decoding_encoding +- avformat/movenc: workaround bug in "PathScale EKOPath(tm) Compiler Suite Version 4.0.12.1" +- vp9: fix parser return values in error case +- ffmpeg: Clear error message array at init. +- avcodec/dvdsubdec: fix accessing dangling pointers +- avcodec/dvdsubdec: error on bitmaps with size 0 +- avformat/mov: Fix mixed declaration and statement warning +- cmdutils: Use 64bit for file size/offset related variable in cmdutils_read_file() +- avformat/utils: Clear pointer in ff_alloc_extradata() to avoid leaving a stale pointer in memory +- avformat/matroskadec: Use av_freep() to avoid leaving stale pointers in memory +- lavfi: check av_strdup() return value +- mov: Fix negative size calculation in mov_read_default(). +- avformat/mov: fix integer overflow in mov_read_udta_string() +- mov: Avoid overflow with mov_metadata_raw() +- avcodec/dvdsubdec: fix out of bounds accesses +- avfilter/vf_sab: fix filtering tiny images +- avformat/flvdec: Increase string array size +- avformat/flvdec: do not inject dts=0 metadata packets which failed to be parsed into a new data stream +- avformat/cdxl: Fix integer overflow of image_size +- avformat/segment: Use av_freep() avoid leaving stale pointers in memory +- avformat/mov: Fix memleaks for duplicate STCO/CO64/STSC atoms +- mov: avoid a memleak when multiple stss boxes are presen + version 2.4.5: - lavu/frame: fix malloc error path in av_frame_copy_props() - avformat/utils: Do not update programs streams from program-less streams in update_wrap_reference() diff --git a/RELEASE b/RELEASE index 59aa62c1fa..7bf4b6a8ae 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.5 +2.4.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0b229d5e00..05257ca3bd 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.5 +PROJECT_NUMBER = 2.4.6 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 4039f11ed82d84009b5146f0a563f33ced33e4db Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 14 Jan 2015 18:05:57 +0100 Subject: [PATCH 0309/1352] Prepare for 11.2 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index ef32e3201b..26d6dad929 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -11.1 +11.2 From b96163f055ee44484ca4a06382221c2abb1e0914 Mon Sep 17 00:00:00 2001 From: wm4 Date: Fri, 12 Dec 2014 22:22:55 +0100 Subject: [PATCH 0310/1352] avformat/utils: check for malloc failure Signed-off-by: Michael Niedermayer (cherry picked from commit a66893ac949864352b36b39e48c4cd72bbd81e54) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index b1f7909ae0..b399ccd53d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3610,6 +3610,11 @@ AVStream *avformat_new_stream(AVFormatContext *s, const AVCodec *c) st->info->last_dts = AV_NOPTS_VALUE; st->codec = avcodec_alloc_context3(c); + if (!st->codec) { + av_free(st->info); + av_free(st); + return NULL; + } if (s->iformat) { /* no default bitrate if decoding */ st->codec->bit_rate = 0; From 705e0e05131fc64df76631947136571eafea8bfb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Dec 2014 22:33:09 +0100 Subject: [PATCH 0311/1352] avformat/mpeg: do not count PES packets inside PES packets during probing Fixes: misdetection of test2.mp3 Signed-off-by: Michael Niedermayer (cherry picked from commit e15b29bb18bee8b65fab5a3c873540e01fd20afe) 
Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index b153727ac6..c2ec1e21e4 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -70,20 +70,23 @@ static int mpegps_probe(AVProbeData *p) int i; int sys = 0, pspack = 0, priv1 = 0, vid = 0; int audio = 0, invalid = 0, score = 0; + int endpes = 0; for (i = 0; i < p->buf_size; i++) { code = (code << 8) + p->buf[i]; if ((code & 0xffffff00) == 0x100) { int len = p->buf[i + 1] << 8 | p->buf[i + 2]; - int pes = check_pes(p->buf + i, p->buf + p->buf_size); + int pes = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size); int pack = check_pack_header(p->buf + i); if (code == SYSTEM_HEADER_START_CODE) sys++; else if (code == PACK_START_CODE && pack) pspack++; - else if ((code & 0xf0) == VIDEO_ID && pes) + else if ((code & 0xf0) == VIDEO_ID && pes) { + endpes = i + len; vid++; + } // skip pes payload to avoid start code emulation for private // and audio streams else if ((code & 0xe0) == AUDIO_ID && pes) {audio++; i+=len;} From aded1110a32e7a14569d9128992c43fee18a2ed8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Dec 2014 00:17:30 +0100 Subject: [PATCH 0312/1352] avformat/rmdec: rm_read_extradata: add error message for oversized extradata Signed-off-by: Michael Niedermayer (cherry picked from commit 50f9de59a08f4bbacda298377339318e3eb87b8e) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 314c141727..d281228f0d 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -86,8 +86,10 @@ static void get_str8(AVIOContext *pb, char *buf, int buf_size) static int rm_read_extradata(AVIOContext *pb, AVCodecContext *avctx, unsigned size) { - if (size >= 1<<24) + if (size >= 1<<24) { + av_log(avctx, AV_LOG_ERROR, "extradata size %u too large\n", size); return -1; + } if (ff_get_extradata(avctx, pb, size) < 0) return AVERROR(ENOMEM); return 0; From 564d943b2755a00df6857a86eb57101609f4b5a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Dec 2014 00:18:29 +0100 Subject: [PATCH 0313/1352] avformat/rmdec: Check for overflow in ff_rm_read_mdpr_codecdata() Signed-off-by: Michael Niedermayer (cherry picked from commit 03abf55f252945c70f4a79eaf4d609cee4d98710) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index d281228f0d..59bbef685a 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -414,7 +414,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, skip: /* skip codec info */ size = avio_tell(pb) - codec_pos; - avio_skip(pb, codec_data_size - size); + if (codec_data_size >= size) { + avio_skip(pb, codec_data_size - size); + } else { + av_log(s, AV_LOG_WARNING, "codec_data_size %u < size %d\n", codec_data_size, size); + } return 0; } From 375c1050bf74f28afb83f5190b73425d6ea0775d Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 13 Oct 2014 12:22:41 +0000 Subject: [PATCH 0314/1352] libavcodec/libtwolame: fix null pointer dereference Signed-off-by: Paul B Mahol (cherry picked from commit a586b3d9b1df9099c18d3e15c9b261f6612ad2ac) Signed-off-by: Michael Niedermayer --- libavcodec/libtwolame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libtwolame.c b/libavcodec/libtwolame.c index e26454bb84..098196b0c1 100644 --- a/libavcodec/libtwolame.c +++ b/libavcodec/libtwolame.c 
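Review bot: In the `ff_rm_read_mdpr_codecdata` hunk the new `else` branch only logs a warning and then falls through to `return 0`, although at that point the parser has already consumed more bytes than `codec_data_size` declared. For a demuxer reading untrusted files I would treat that as malformed input and add `return AVERROR_INVALIDDATA;` after the `av_log()`, or, if leniency is intended, say so in a comment. The format string prints `codec_data_size` with `%u` and `size` with `%d`, which suggests the comparison `codec_data_size >= size` mixes unsigned and signed operands; the declarations are outside the hunk, so please confirm that a negative `size` cannot pass the check through conversion. The function body starts and ends outside the hunk.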
@@ -152,8 +152,8 @@ static int twolame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if (ret < 0) // twolame error return AVERROR_UNKNOWN; - avpkt->duration = ff_samples_to_time_base(avctx, frame->nb_samples); if (frame) { + avpkt->duration = ff_samples_to_time_base(avctx, frame->nb_samples); if (frame->pts != AV_NOPTS_VALUE) avpkt->pts = frame->pts - ff_samples_to_time_base(avctx, avctx->delay); } else { From e82140b09b0f6ab7b64899bec12221dc582f1b95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Nov 2014 12:36:23 +0100 Subject: [PATCH 0315/1352] avformat/librtmp: fix swfurl Found-by: JULIAN GARDNER Signed-off-by: Michael Niedermayer (cherry picked from commit d1970929b5f8b873aac171586343c9d8142897ad) Signed-off-by: Michael Niedermayer --- libavformat/librtmp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/librtmp.c b/libavformat/librtmp.c index c57699cc9e..67939b912e 100644 --- a/libavformat/librtmp.c +++ b/libavformat/librtmp.c @@ -169,7 +169,7 @@ static int rtmp_open(URLContext *s, const char *uri, int flags) } if (ctx->swfurl) { av_strlcat(filename, " swfUrl=", len); - av_strlcat(filename, ctx->pageurl, len); + av_strlcat(filename, ctx->swfurl, len); } if (ctx->flashver) { av_strlcat(filename, " flashVer=", len); From 891de4b27a07b808839b9e873b6a886248c8fd6b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 13 Sep 2014 00:26:21 +0200 Subject: [PATCH 0316/1352] log: Unbreak no-tty support on 256color terminals --- libavutil/log.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/log.c b/libavutil/log.c index 5a8f293f20..d38e40bfda 100644 --- a/libavutil/log.c +++ b/libavutil/log.c 
@@ -75,7 +75,8 @@ static void check_color_terminal(void) char *term = getenv("TERM"); use_color = !getenv("NO_COLOR") && !getenv("AV_LOG_FORCE_NOCOLOR") && (getenv("TERM") && isatty(2) || getenv("AV_LOG_FORCE_COLOR")); - use_color += term && strstr(term, "256color"); + if (use_color) + use_color += term && strstr(term, "256color"); #else use_color = getenv("AV_LOG_FORCE_COLOR") && !getenv("NO_COLOR") && !getenv("AV_LOG_FORCE_NOCOLOR"); From 532c96a2158c04f265d750d54f2f103b8d9fe0ef Mon Sep 17 00:00:00 2001 From: Xiaohan Wang Date: Thu, 6 Nov 2014 12:59:54 -0800 Subject: [PATCH 0317/1352] matroskadec: Fix read-after-free in matroska_read_seek() In matroska_read_seek(), |tracks| is assigned at the begining of the function. However, functions like matroska_parse_cues() could reallocate the tracks and invalidate |tracks|. This assigns |tracks| only before using it, so that it will not get invalidated elsewhere. Bug-Id: chromium/427266 --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 59fc34b142..f3844582e2 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2532,7 +2532,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { MatroskaDemuxContext *matroska = s->priv_data; - MatroskaTrack *tracks = matroska->tracks.elem; + MatroskaTrack *tracks = NULL; AVStream *st = s->streams[stream_index]; int i, index, index_sub, index_min; @@ -2562,6 +2562,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, return 0; index_min = index; + tracks = matroska->tracks.elem; for (i = 0; i < matroska->tracks.nb_elem; i++) { tracks[i].audio.pkt_cnt = 0; tracks[i].audio.sub_packet_cnt = 0; From 2c1d5f43cfaa6191690f0682d829bf54614a1b11 Mon Sep 17 00:00:00 2001 
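Review bot: The deferred assignment `tracks = matroska->tracks.elem;` in `matroska_read_seek` carries no comment, so the reason for the ordering exists only in the commit message and could be undone by a later cleanup. I would add `/* fetch after cue parsing: matroska_parse_cues() may reallocate tracks.elem */` directly above the assignment. Declaring `tracks` at its first use instead of initialising it to `NULL` at the top would make a stale read impossible to reintroduce, if the file's style allows mixed declarations. The function body continues outside both hunks.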
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 8 Feb 2015 14:27:51 +0100 Subject: [PATCH 0318/1352] avfilter/dctdnoiz: fix slice_h computation ceilf() can only work if the reminder of the division is not 0. This fixes memory errors with for instance: ffmpeg -f lavfi -i testsrc=s=800x500 -threads 3 -vf dctdnoiz -frames:v 1 -f null - (cherry picked from commit eb7efaa9244720c5f2051d76d76faeec864eca7a) --- libavfilter/vf_dctdnoiz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_dctdnoiz.c b/libavfilter/vf_dctdnoiz.c index a9017b1f1c..7246b01d0b 100644 --- a/libavfilter/vf_dctdnoiz.c +++ b/libavfilter/vf_dctdnoiz.c @@ -534,7 +534,7 @@ static int config_input(AVFilterLink *inlink) /* each slice will need to (pre & re)process the top and bottom block of * the previous one in in addition to its processing area. This is because * each pixel is averaged by all the surrounding blocks */ - slice_h = (int)ceilf(s->pr_height / s->nb_threads) + (s->bsize - 1) * 2; + slice_h = (int)ceilf(s->pr_height / (float)s->nb_threads) + (s->bsize - 1) * 2; for (i = 0; i < s->nb_threads; i++) { s->slices[i] = av_malloc_array(linesize, slice_h * sizeof(*s->slices[i])); if (!s->slices[i]) From 0a878d0c941c44a8243c7e223f65e5ae4cf3a6b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Jan 2015 13:09:21 +0100 Subject: [PATCH 0319/1352] doc/APIchanges: Fill in some more missing hash values Signed-off-by: Michael Niedermayer (cherry picked from commit bbdd940f36662d4b6156464b1bda5131fc382465) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 7dd110149f..bba06fbb0d 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
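Review bot: The `slice_h` computation in `config_input` now does the ceiling division in floating point and then sizes the per-thread buffers passed to `av_malloc_array()` from the result. An integer ceiling avoids the float round trip and any precision question: `slice_h = (s->pr_height + s->nb_threads - 1) / s->nb_threads + (s->bsize - 1) * 2;`, assuming both fields are plain ints as the original integer division implies. A one-line comment that `slice_h` must cover the largest slice plus the overlap rows would document why rounding down caused the memory errors described in the commit message.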
@@ -148,7 +148,7 @@ API changes, most recent first: Increase FF_INPUT_BUFFER_PADDING_SIZE to 32 due to some corner cases needing it -2014-06-10 - xxxxxxx - lavf 55.43.100 - avformat.h +2014-06-10 - 5482780 - lavf 55.43.100 - avformat.h New field int64_t max_analyze_duration2 instead of deprecated int max_analyze_duration. @@ -172,7 +172,7 @@ API changes, most recent first: Add strict_std_compliance and related AVOptions to support experimental muxing. -2014-05-26 - xxxxxxx - lavu 52.87.100 - threadmessage.h +2014-05-26 - 55cc60c - lavu 52.87.100 - threadmessage.h Add thread message queue API. 2014-05-26 - c37d179 - lavf 55.41.100 - avformat.h @@ -182,7 +182,7 @@ API changes, most recent first: Add av_stream_get_side_data() to access stream-level side data in the same way as av_packet_get_side_data(). -2014-05-xx - xxxxxxx - lavu 52.86.100 - fifo.h +2014-05-xx - 7336e39 - lavu 52.86.100 - fifo.h Add av_fifo_alloc_array() function. 2014-05-19 - ef1d4ee / bddd8cb - lavu 52.85.100 / 53.15.0 - frame.h, display.h From 2029acb6679b073aa4d72824a27fb96ea0cda43f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Jan 2015 12:27:36 +0100 Subject: [PATCH 0320/1352] doc/APIchanges: Add av_find_best_pix_fmt_of_2() and av_get_pix_fmt_loss() also add deprecation note for avcodec_get_pix_fmt_loss(), avcodec_find_best_pix_fmt_of_2() Found-by: wm4 Signed-off-by: Michael Niedermayer (cherry picked from commit f7a1c5e4d2294a8970ede7f6deb2fe0a64e202a5) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/APIchanges b/doc/APIchanges index bba06fbb0d..37ad708212 100644 --- a/doc/APIchanges +++ b/doc/APIchanges 
@@ -236,6 +236,10 @@ API changes, most recent first: Deprecate CODEC_FLAG_INPUT_PRESERVED. Its functionality is replaced by passing reference-counted frames to encoders. +2014-04-30 - 617e866 - lavu 52.81.100 - pixdesc.h + Add av_find_best_pix_fmt_of_2(), av_get_pix_fmt_loss() + Deprecate avcodec_get_pix_fmt_loss(), avcodec_find_best_pix_fmt_of_2() + 2014-04-29 - 1bf6396 - lavc 55.60.100 - avcodec.h Add AVCodecDescriptor.mime_types field. From 5080ab26d3045bffc443b69e14d0cfb775a99122 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Jan 2015 14:24:08 +0100 Subject: [PATCH 0321/1352] doc/APIchanges: fill in and correct some values Signed-off-by: Michael Niedermayer (cherry picked from commit 0d64982828aee5f3495a71050e4930fa2898ca15) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 37ad708212..1ac68ece46 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -214,7 +214,7 @@ API changes, most recent first: 2014-05-11 - 14aef38 / 66e6c8a - lavu 52.83.100 / 53.14.0 - pixfmt.h Add AV_PIX_FMT_VDA for new-style VDA acceleration. -2014-05-xx - xxxxxxx - lavu 52.82.100 - fifo.h +2014-05-07 - 351f611 - lavu 52.82.100 - fifo.h Add av_fifo_freep() function. 2014-05-02 - ba52fb11 - lavu 52.81.100 - opt.h @@ -243,7 +243,7 @@ API changes, most recent first: 2014-04-29 - 1bf6396 - lavc 55.60.100 - avcodec.h Add AVCodecDescriptor.mime_types field. -2014-04-29 - xxxxxxx - lavu 52.80.0 - hash.h +2014-04-29 - b804eb4 - lavu 52.80.100 - hash.h Add av_hash_final_bin(), av_hash_final_hex() and av_hash_final_b64(). 2014-03-07 - 8b2a130 - lavc 55.50.0 / 55.53.100 - dxva2.h 
@@ -255,7 +255,7 @@ API changes, most recent first: 2014-04-17 - a8d01a7 / 0983d48 - lavu 53.12.0 / 52.77.100 - crc.h Add AV_CRC_16_ANSI_LE crc variant. -2014-04-XX - xxxxxxx - lavf xx.xx.1xx - avformat.h +2014-04-15 - ef818d8 - lavf 55.37.101 - avformat.h Add av_format_inject_global_side_data() 2014-04-12 - 4f698be - lavu 52.76.100 - log.h From 05a8114c7190b4efacf29f468e747d47c19ef650 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Jan 2015 15:09:21 +0100 Subject: [PATCH 0322/1352] doc/APIchanges: fill in more missing hash values and dates all values before 2.5 seem to be filled in now Signed-off-by: Michael Niedermayer (cherry picked from commit 8c8ee17e8d2800144116ec52f26a435a06b49420) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 1ac68ece46..2f1795e9ee 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -182,7 +182,7 @@ API changes, most recent first: Add av_stream_get_side_data() to access stream-level side data in the same way as av_packet_get_side_data(). -2014-05-xx - 7336e39 - lavu 52.86.100 - fifo.h +2014-05-20 - 7336e39 - lavu 52.86.100 - fifo.h Add av_fifo_alloc_array() function. 2014-05-19 - ef1d4ee / bddd8cb - lavu 52.85.100 / 53.15.0 - frame.h, display.h @@ -335,7 +335,7 @@ API changes, most recent first: 2014-02-19 - f4c8d00 / 6bb8720 - lavu 52.64.101 / 53.3.1 - opt.h Deprecate unused AV_OPT_FLAG_METADATA. -2014-02-xx - xxxxxxx - lavd 55.10.100 - avdevice.h +2014-02-16 - 81c3f81 - lavd 55.10.100 - avdevice.h Add avdevice_list_devices() and avdevice_free_list_devices() 2014-02-16 - db3c970 - lavf 55.33.100 - avio.h 
@@ -376,7 +376,7 @@ API changes, most recent first: 2014-01-19 - 1a193c4 - lavf 55.25.100 - avformat.h Add avformat_get_mov_video_tags() and avformat_get_mov_audio_tags(). -2014-01-19 - xxxxxxx - lavu 52.63.100 - rational.h +2014-01-19 - 3532dd5 - lavu 52.63.100 - rational.h Add av_make_q() function. 2014-01-05 - 4cf4da9 / 5b4797a - lavu 52.62.100 / 53.2.0 - frame.h From 01b5e61845b8098c386814c1b354bdd1a50547ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:19:25 +0100 Subject: [PATCH 0323/1352] avformat/utils: Fix number suffixes in tb_unreliable() Signed-off-by: Michael Niedermayer (cherry picked from commit 4b15bba2aec93776bfdc69a1bca42a4795a7d191) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index b399ccd53d..f1610d6798 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2768,8 +2768,8 @@ static int get_std_framerate(int i) * And there are "variable" fps files this needs to detect as well. */ static int tb_unreliable(AVCodecContext *c) { - if (c->time_base.den >= 101L * c->time_base.num || - c->time_base.den < 5L * c->time_base.num || + if (c->time_base.den >= 101LL * c->time_base.num || + c->time_base.den < 5LL * c->time_base.num || // c->codec_tag == AV_RL32("DIVX") || // c->codec_tag == AV_RL32("XVID") || c->codec_tag == AV_RL32("mp4v") || From 1ecce1c6a7522089421d71cc34d61043f8a89059 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:27:00 +0100 Subject: [PATCH 0324/1352] swresample/dither: Cleanup number suffixes The <<31 case needs LL Signed-off-by: Michael Niedermayer (cherry picked from commit c77cc2c1766666cdb5f14daee0f75e397bf7a194) Signed-off-by: Michael Niedermayer --- libswresample/dither.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswresample/dither.c b/libswresample/dither.c index b8b592a7ce..8121f11c2f 100644 
--- a/libswresample/dither.c +++ b/libswresample/dither.c @@ -84,14 +84,14 @@ int swri_dither_init(SwrContext *s, enum AVSampleFormat out_fmt, enum AVSampleFo in_fmt = av_get_packed_sample_fmt( in_fmt); if(in_fmt == AV_SAMPLE_FMT_FLT || in_fmt == AV_SAMPLE_FMT_DBL){ - if(out_fmt == AV_SAMPLE_FMT_S32) scale = 1.0/(1L<<31); - if(out_fmt == AV_SAMPLE_FMT_S16) scale = 1.0/(1L<<15); - if(out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1.0/(1L<< 7); + if(out_fmt == AV_SAMPLE_FMT_S32) scale = 1.0/(1LL<<31); + if(out_fmt == AV_SAMPLE_FMT_S16) scale = 1.0/(1LL<<15); + if(out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1.0/(1LL<< 7); } if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S32 && (s->dither.output_sample_bits&31)) scale = 1; - if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S16) scale = 1L<<16; - if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1L<<24; - if(in_fmt == AV_SAMPLE_FMT_S16 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1L<<8; + if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_S16) scale = 1<<16; + if(in_fmt == AV_SAMPLE_FMT_S32 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1<<24; + if(in_fmt == AV_SAMPLE_FMT_S16 && out_fmt == AV_SAMPLE_FMT_U8 ) scale = 1<<8; scale *= s->dither.scale; From 096fd2698ae976dae38f7942356db4938bececdf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:29:20 +0100 Subject: [PATCH 0325/1352] avcodec/dxtory: Use LL instead of L number suffix This is probably unneeded and normal int would be fine, but its safer to use LL and this isnt speed relevant Signed-off-by: Michael Niedermayer (cherry picked from commit b4ad2853c50d055e9ba8c29f2e1c83b292f29d7a) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 1a59ae7a04..5e32107756 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c 
@@ -65,7 +65,7 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *Y3, *Y4, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 9L / 8) { + if (src_size < avctx->width * avctx->height * 9LL / 8) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } @@ -108,7 +108,7 @@ static int dxtory_decode_v1_420(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3L / 2) { + if (src_size < avctx->width * avctx->height * 3LL / 2) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } @@ -145,7 +145,7 @@ static int dxtory_decode_v1_444(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3L) { + if (src_size < avctx->width * avctx->height * 3LL) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } From 1497f355c7eaee08123870049c697f623f85d5e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:34:52 +0100 Subject: [PATCH 0326/1352] avformat/matroskadec: Fix number suffixes Signed-off-by: Michael Niedermayer (cherry picked from commit fc3cdb00d084222a107e61e7168903bf3d3d0b47) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2d5aa62532..047abe1f0d 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
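Review bot: In the size check of dxtory_decode_v1_410(), `avctx->width * avctx->height` is still multiplied in `int` before the `9LL` factor widens the expression, because `*` associates left to right. The same holds for the `3LL / 2` check in dxtory_decode_v1_420() and the `3LL` check in dxtory_decode_v1_444(). If the dimensions are not already bounded elsewhere (not visible in these hunks), that first product can overflow before it is compared with src_size, which is the check guarding the reads that follow. Widening the first operand closes the gap: `if (src_size < avctx->width * (int64_t)avctx->height * 9 / 8) {`, and likewise for the other two checks.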
@@ -1924,8 +1924,8 @@ static int matroska_parse_tracks(AVFormatContext *s) av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, 1000000000, track->default_duration, 30000); #if FF_API_R_FRAME_RATE - if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000L - && st->avg_frame_rate.num > st->avg_frame_rate.den * 5L) + if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL + && st->avg_frame_rate.num > st->avg_frame_rate.den * 5LL) st->r_frame_rate = st->avg_frame_rate; #endif } From 84e5b314f354ce733bb6a06d404a6b9f13447d4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:36:13 +0100 Subject: [PATCH 0327/1352] avformat/smacker: Fix number suffix Signed-off-by: Michael Niedermayer (cherry picked from commit 465f3705b1ef832fd6904750d018f81f9044f3ab) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 284cdc196a..5dcf4adafe 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -321,7 +321,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) int err; size = avio_rl32(s->pb) - 4; - if (!size || size + 4L > frame_size) { + if (!size || size + 4LL > frame_size) { av_log(s, AV_LOG_ERROR, "Invalid audio part size\n"); return AVERROR_INVALIDDATA; } From b8546aee84319617587e5b093e06cc50cc5a016d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:36:36 +0100 Subject: [PATCH 0328/1352] avformat/omadec: fix number suffix Signed-off-by: Michael Niedermayer (cherry picked from commit f1f7f5903ab49b84789af5341492afbaba808a70) Signed-off-by: Michael Niedermayer --- libavformat/omadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 9f3d3aa860..42954130bc 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c 
@@ -174,7 +174,7 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size, taglen = AV_RB32(&enc_header[pos + 32]); datalen = AV_RB32(&enc_header[pos + 36]) >> 4; - pos += 44L + taglen; + pos += 44LL + taglen; if (pos + (((uint64_t)datalen) << 4) > size) return -1; From 8a16b27de9c3642715fd0834924dec3870b83a14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:39:22 +0100 Subject: [PATCH 0329/1352] avcodec/h264_cabac: use int instead of long for mbb_xy The mb address fits in int Signed-off-by: Michael Niedermayer (cherry picked from commit 592ba6ec106206f97133c9345313010c76361e12) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index c2e183d76b..d4ed266972 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1281,7 +1281,7 @@ void ff_h264_init_cabac_states(H264Context *h) { } static int decode_cabac_field_decoding_flag(H264Context *h) { - const long mbb_xy = h->mb_xy - 2L*h->mb_stride; + const int mbb_xy = h->mb_xy - 2*h->mb_stride; unsigned long ctx = 0; From a31fdcef55e4e53da8a15805f79feb9cdf0b2fc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Feb 2015 19:40:13 +0100 Subject: [PATCH 0330/1352] avcodec/mpegvideo_enc: Fix number suffixes in rc_buffer_size calculation Signed-off-by: Michael Niedermayer (cherry picked from commit 4531e2c489d279bfc90d54ca26ed898c5b265a7f) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 40f82777c1..61d75313a6 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
@@ -389,18 +389,18 @@ av_cold int ff_mpv_encode_init(AVCodecContext *avctx) switch(avctx->codec_id) { case AV_CODEC_ID_MPEG1VIDEO: case AV_CODEC_ID_MPEG2VIDEO: - avctx->rc_buffer_size = FFMAX(avctx->rc_max_rate, 15000000) * 112L / 15000000 * 16384; + avctx->rc_buffer_size = FFMAX(avctx->rc_max_rate, 15000000) * 112LL / 15000000 * 16384; break; case AV_CODEC_ID_MPEG4: case AV_CODEC_ID_MSMPEG4V1: case AV_CODEC_ID_MSMPEG4V2: case AV_CODEC_ID_MSMPEG4V3: if (avctx->rc_max_rate >= 15000000) { - avctx->rc_buffer_size = 320 + (avctx->rc_max_rate - 15000000L) * (760-320) / (38400000 - 15000000); + avctx->rc_buffer_size = 320 + (avctx->rc_max_rate - 15000000LL) * (760-320) / (38400000 - 15000000); } else if(avctx->rc_max_rate >= 2000000) { - avctx->rc_buffer_size = 80 + (avctx->rc_max_rate - 2000000L) * (320- 80) / (15000000 - 2000000); + avctx->rc_buffer_size = 80 + (avctx->rc_max_rate - 2000000LL) * (320- 80) / (15000000 - 2000000); } else if(avctx->rc_max_rate >= 384000) { - avctx->rc_buffer_size = 40 + (avctx->rc_max_rate - 384000L) * ( 80- 40) / ( 2000000 - 384000); + avctx->rc_buffer_size = 40 + (avctx->rc_max_rate - 384000LL) * ( 80- 40) / ( 2000000 - 384000); } else avctx->rc_buffer_size = 40; avctx->rc_buffer_size *= 16384; From e2e835f017d6d21fe0e042b1700ff095fc8c4941 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 14:41:10 +0100 Subject: [PATCH 0331/1352] avformat/tta: fix crash with corrupted files av_add_index_entry() can fail, for example because the parameters are invalid, or because memory allocation fails. Check this; it can actually happen with corrupted files. The second hunk is just for robustness. Just in case functions like ff_reduce_index() remove entries. (Not sure if this can actually happen.) Fixes ticket #4294. Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6a0cd529a35190d9374b0b26504e71857cd67b83) 
Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index 7174fd5438..d3b3fb0471 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -118,8 +118,10 @@ static int tta_read_header(AVFormatContext *s) ffio_init_checksum(s->pb, tta_check_crc, UINT32_MAX); for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); - av_add_index_entry(st, framepos, i * c->frame_size, size, 0, - AVINDEX_KEYFRAME); + int r; + if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + AVINDEX_KEYFRAME)) < 0) + return r; framepos += size; } crc = ffio_get_checksum(s->pb) ^ UINT32_MAX; @@ -153,6 +155,11 @@ static int tta_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->currentframe >= c->totalframes) return AVERROR_EOF; + if (st->nb_index_entries < c->totalframes) { + av_log(s, AV_LOG_ERROR, "Index entry disappeared\n"); + return AVERROR_INVALIDDATA; + } + size = st->index_entries[c->currentframe].size; ret = av_get_packet(s->pb, pkt, size); From 2515de3b1534ac92762e39d914fcad557860d3d8 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:12 +0100 Subject: [PATCH 0332/1352] avformat/mpc8: fix hang with fuzzed file This can lead to an endless loop by seeking back a few bytes after each attempted chunk read. Assuming negative sizes are always invalid, this is easy to fix. Other code in this demuxer treats negative sizes as invalid as well. Fixes ticket #4262. Signed-off-by: Michael Niedermayer (cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index a15dc25a69..722d0ee05f 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c 
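Review bot: The guard added to tta_read_packet() tests `st->nb_index_entries < c->totalframes`, but the read that follows indexes `st->index_entries` with `c->currentframe`. Bounding the index that is actually used states the invariant directly: `if (c->currentframe >= st->nb_index_entries) {`. This assumes currentframe is never negative, which the hunk does not show. A one-line comment naming what may shrink the index (the commit message mentions ff_reduce_index() as a possibility) would tell the next reader why the check exists.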
@@ -223,6 +223,10 @@ static int mpc8_read_header(AVFormatContext *s) while(!avio_feof(pb)){ pos = avio_tell(pb); mpc8_get_chunk_header(pb, &tag, &size); + if (size < 0) { + av_log(s, AV_LOG_ERROR, "Invalid chunk length\n"); + return AVERROR_INVALIDDATA; + } if(tag == TAG_STREAMHDR) break; mpc8_handle_chunk(s, tag, pos, size); From 600c6ebc7d0409f244c8b6e7b424f9c3d60ca493 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 3 Feb 2015 19:04:11 +0100 Subject: [PATCH 0333/1352] avformat/mpc8: fix broken pointer math MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This could overflow and crash at least on 32 bit systems. Reviewed-by: Reimar Döffinger Signed-off-by: Michael Niedermayer (cherry picked from commit b737a2c52857b214be246ff615c6293730033cfa) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 722d0ee05f..6524c7e489 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p) size = bs_get_v(&bs); if (size < 2) return 0; - if (bs + size - 2 >= bs_end) + if (size >= bs_end - bs + 2) return AVPROBE_SCORE_EXTENSION - 1; // seems to be valid MPC but no header yet if (header_found) { if (size < 11 || size > 28) From ee8e48d38677225afc8903f7640ea1f48913cd47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 14:47:41 +0100 Subject: [PATCH 0334/1352] avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior Signed-off-by: Michael Niedermayer (cherry picked from commit 05e161952954acf247e0fd1fdef00559675c4d4d) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 6524c7e489..684a0eeae0 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c 
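Review bot: The rewritten bound in mpc8_probe() avoids forming `bs + size`, but nothing on the line says why it is phrased as a length comparison, so it is easy to turn back into pointer arithmetic later. Above `if (size >= bs_end - bs + 2)`, add `/* compare against the bytes remaining; bs + size can wrap when size is large */`. The function body continues outside the hunk.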
@@ -57,7 +57,7 @@ typedef struct { static inline int64_t bs_get_v(const uint8_t **bs) { - int64_t v = 0; + uint64_t v = 0; int br = 0; int c; @@ -108,7 +108,7 @@ static int mpc8_probe(AVProbeData *p) static inline int64_t gb_get_v(GetBitContext *gb) { - int64_t v = 0; + uint64_t v = 0; int bits = 0; while(get_bits1(gb) && bits < 64-7){ v <<= 7; From 3531ff8db31926c115ac771b3d5232261b1530f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:13:18 +0100 Subject: [PATCH 0335/1352] avcodec/mjpegdec: Check escape sequence validity Fixes assertion failure Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit afa92907f3c6a0c3bdad766ec8d938ee17ee1c9e) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 95a066f3d6..e8bbf6080a 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1877,6 +1877,10 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s, put_bits(&pb, 8, x); if (x == 0xFF) { x = src[b++]; + if (x & 0x80) { + av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n"); + x &= 0x7f; + } put_bits(&pb, 7, x); bit_count--; } From 08822122987f563b72dff77b019ae3f98b0acebb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 20:48:30 +0100 Subject: [PATCH 0336/1352] avcodec/mjpegdec: Check number of components for JPEG-LS Fixes out of array accesses Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fabbfaa095660982cc0bc63242c459561fa37037) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index e8bbf6080a..a7479ae7e1 100644 
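Review bot: The `av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n")` added in ff_mjpeg_find_marker() runs once per offending byte, so a damaged or hostile input can fill the log with identical lines. This assumes it sits inside the unescaping loop, whose header is outside the hunk. Logging once per call, by setting a flag where the bad byte is seen and reporting after the loop, keeps the diagnostic without the flood. A comment above `x &= 0x7f;` would also help, for example `/* only 7 bits follow 0xFF; drop a stray high bit so put_bits(&pb, 7, x) gets a value in range */`.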
--- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -536,9 +536,12 @@ unk_pixfmt: } if (s->ls) { s->upscale_h = s->upscale_v = 0; - if (s->nb_components > 1) + if (s->nb_components == 3) { s->avctx->pix_fmt = AV_PIX_FMT_RGB24; - else if (s->palette_index && s->bits <= 8) + } else if (s->nb_components != 1) { + av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components); + return AVERROR_PATCHWELCOME; + } else if (s->palette_index && s->bits <= 8) s->avctx->pix_fmt = AV_PIX_FMT_PAL8; else if (s->bits <= 8) s->avctx->pix_fmt = AV_PIX_FMT_GRAY8; From 8413ddcd39ee16e885f49ecf781eaea3d63ec934 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Feb 2015 22:30:08 +0100 Subject: [PATCH 0337/1352] avcodec/mpegvideo_motion: Fix gmc chroma dimensions Fixes integer overflow and out of array read Fixes: asan_heap-oob_1fb2f9b_3780_cov_3984375136_usf.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit fd52d2d3d1ee41822a9801dffd41c0e1a2db32a8) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_motion.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index e7a585dd5f..e320511947 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -178,7 +178,7 @@ static void gmc_motion(MpegEncContext *s, s->sprite_delta[0][0], s->sprite_delta[0][1], s->sprite_delta[1][0], s->sprite_delta[1][1], a + 1, (1 << (2 * a + 1)) - s->no_rounding, - s->h_edge_pos >> 1, s->v_edge_pos >> 1); + (s->h_edge_pos + 1) >> 1, (s->v_edge_pos + 1) >> 1); ptr = ref_picture[2]; s->mdsp.gmc(dest_cr, ptr, uvlinesize, 8, 
@@ -186,7 +186,7 @@ static void gmc_motion(MpegEncContext *s, s->sprite_delta[0][0], s->sprite_delta[0][1], s->sprite_delta[1][0], s->sprite_delta[1][1], a + 1, (1 << (2 * a + 1)) - s->no_rounding, - s->h_edge_pos >> 1, s->v_edge_pos >> 1); + (s->h_edge_pos + 1) >> 1, (s->v_edge_pos + 1) >> 1); } static inline int hpel_motion(MpegEncContext *s, From 076b98c9b74c98db89177700d48793fc2ce521c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Feb 2015 00:12:08 +0100 Subject: [PATCH 0338/1352] swscale/utils: Limit filter shifting so as not to read from prior the array Fixes out of array read Fixes: asan_heap-oob_1fb2f9b_3780_cov_3984375136_usf.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 692b22626ec9a9585f667c124a186b1a9796e432) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 0c8a83aa81..858c5c29f8 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -622,14 +622,15 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, } if ((*filterPos)[i] + filterSize > srcW) { - int shift = (*filterPos)[i] + filterSize - srcW; + int shift = (*filterPos)[i] + FFMIN(filterSize - srcW, 0); + // move filter coefficients right to compensate for filterPos for (j = filterSize - 2; j >= 0; j--) { int right = FFMIN(j + shift, filterSize - 1); filter[i * filterSize + right] += filter[i * filterSize + j]; filter[i * filterSize + j] = 0; } - (*filterPos)[i]= srcW - filterSize; + (*filterPos)[i]-= shift; } } From 0c125519ecc41e7102829b03046643f195c7df53 Mon Sep 17 00:00:00 2001 
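Review bot: In initFilter() of libswscale/utils.c, the new `shift` evaluates to 0 when filterSize exceeds srcW and `(*filterPos)[i]` is 0. The unchanged loop below then computes `right == j`, so `filter[i * filterSize + right] += ...` followed by `filter[i * filterSize + j] = 0` clears every coefficient but the last instead of moving them. Whether filterPos can be 0 on this path depends on code outside the hunk, so this needs confirming. If it can, the move loop should at least be skipped for a zero shift, e.g. by wrapping it in `if (shift > 0) { ... }`. Taps that still land at or beyond srcW in that case would need separate handling.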
From: Michael Niedermayer Date: Thu, 5 Feb 2015 03:45:21 +0100 Subject: [PATCH 0339/1352] avformat/thp: Check av_get_packet() for failure not only for partial output Fixes null pointer dereference Fixes: signal_sigsegv_db2c1f_3108_cov_163322880_pikmin2_opening1_partial.thp Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f2579dbb4b31e6ae731e7f5555680528ef3020ab) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 714cec6cd3..91fa90f942 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -184,6 +184,8 @@ static int thp_read_packet(AVFormatContext *s, pkt->stream_index = thp->video_stream_index; } else { ret = av_get_packet(pb, pkt, thp->audiosize); + if (ret < 0) + return ret; if (ret != thp->audiosize) { av_free_packet(pkt); return AVERROR(EIO); From 3e46e3a33c84bf29e366b56fbe80bf58ba204eb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 04:11:56 +0100 Subject: [PATCH 0340/1352] avcodec/h264_ps: More completely check the bit depths Fixes out of array read Fixes: asan_static-oob_30328b6_719_cov_3325483287_H264_artifacts_motion.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 69aa79365c1e8e1cb597d33e77bf1062c2ef47d4) Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 20136704d4..7c303d6ad4 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c 
@@ -391,7 +391,8 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) "Different chroma and luma bit depth"); goto fail; } - if (sps->bit_depth_luma > 14U || sps->bit_depth_chroma > 14U) { + if (sps->bit_depth_luma < 8 || sps->bit_depth_luma > 14 || + sps->bit_depth_chroma < 8 || sps->bit_depth_chroma > 14) { av_log(h->avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n", sps->bit_depth_luma, sps->bit_depth_chroma); goto fail; From 724c79276ab270992c3c36d60ec0e3ccf2f8e6df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 15:01:17 +0100 Subject: [PATCH 0341/1352] avcodec/h264: Be more strict on rejecting pps_id changes Fixes race condition Signed-off-by: Michael Niedermayer (cherry picked from commit 31cc9c04ca386dce289864021982da62190982ab) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index e5073089d9..438c43f613 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1515,8 +1515,8 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size, continue; again: - if ( !(avctx->active_thread_type & FF_THREAD_FRAME) - || nals_needed >= nal_index) + if ( (!(avctx->active_thread_type & FF_THREAD_FRAME) || nals_needed >= nal_index) + && !h->current_slice) h->au_pps_id = -1; /* Ignore per frame NAL unit type during extradata * parsing. Decoding slices is not possible in codec init From 9dc8f4482985e30bda3518d0e11d9045a350d720 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 15:09:54 +0100 Subject: [PATCH 0342/1352] avcodec/h264: Be more strict on rejecting pps/sps changes Fixes race condition Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 6fafc62b0bd0e206deb77a7aabbf3a370ad80789) 
Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index c46cc2453c..b1709f9bba 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1305,6 +1305,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) int must_reinit; int needs_reinit = 0; int field_pic_flag, bottom_field_flag; + int first_slice = h == h0 && !h0->current_slice; + PPS *pps; h->qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; h->qpel_avg = h->h264qpel.avg_h264_qpel_pixels_tab; @@ -1378,18 +1380,27 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) h0->au_pps_id, pps_id); return AVERROR_INVALIDDATA; } - h->pps = *h0->pps_buffers[pps_id]; - if (!h0->sps_buffers[h->pps.sps_id]) { + pps = h0->pps_buffers[pps_id]; + + if (!h0->sps_buffers[pps->sps_id]) { av_log(h->avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id); return AVERROR_INVALIDDATA; } + if (first_slice) + h->pps = *h0->pps_buffers[pps_id]; - if (h->pps.sps_id != h->sps.sps_id || - h->pps.sps_id != h->current_sps_id || - h0->sps_buffers[h->pps.sps_id]->new) { + if (pps->sps_id != h->sps.sps_id || + pps->sps_id != h->current_sps_id || + h0->sps_buffers[pps->sps_id]->new) { + + if (!first_slice) { + av_log(h->avctx, AV_LOG_ERROR, + "SPS changed in the middle of the frame\n"); + return AVERROR_INVALIDDATA; + } h->sps = *h0->sps_buffers[h->pps.sps_id]; From 1cc419eae8a1e2572037a19b406f37bb103340cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 22:14:15 +0100 Subject: [PATCH 0343/1352] avutil/opt: Fix types used to access AV_OPT_TYPE_PIXEL_FMT Signed-off-by: Michael Niedermayer (cherry picked from commit a0640e63463e6428b80422c89e1bfc96147ecfc6) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
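Review bot: The "non-existing SPS" message in ff_h264_decode_slice_header() still prints `h->pps.sps_id`, but after this change `h->pps` is no longer updated before the check. The log therefore shows the id from the previously active PPS rather than the one that failed the lookup. It should print the value that was tested: `"non-existing SPS %u referenced\n", pps->sps_id);`. The `if (first_slice)` assignment that follows could reuse the local as well, `h->pps = *pps;`, which keeps the buffer lookup in one place. The function continues outside the hunk.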
diff --git a/libavutil/opt.c b/libavutil/opt.c index 7f8a0c4267..a5e1d68f97 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -75,7 +75,7 @@ static int read_number(const AVOption *o, void *dst, double *num, int *den, int6 { switch (o->type) { case AV_OPT_TYPE_FLAGS: *intnum = *(unsigned int*)dst;return 0; - case AV_OPT_TYPE_PIXEL_FMT: + case AV_OPT_TYPE_PIXEL_FMT: *intnum = *(enum AVPixelFormat *)dst;return 0; case AV_OPT_TYPE_SAMPLE_FMT: case AV_OPT_TYPE_INT: *intnum = *(int *)dst;return 0; case AV_OPT_TYPE_CHANNEL_LAYOUT: @@ -110,8 +110,8 @@ static int write_number(void *obj, const AVOption *o, void *dst, double num, int } switch (o->type) { + case AV_OPT_TYPE_PIXEL_FMT: *(enum AVPixelFormat *)dst = llrint(num/den) * intnum; break; case AV_OPT_TYPE_FLAGS: - case AV_OPT_TYPE_PIXEL_FMT: case AV_OPT_TYPE_SAMPLE_FMT: case AV_OPT_TYPE_INT: *(int *)dst= llrint(num/den)*intnum; break; case AV_OPT_TYPE_DURATION: From b250375e77a587a072108bb036ffc4d553bc8c3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Feb 2015 22:16:08 +0100 Subject: [PATCH 0344/1352] avutil/opt: Fix type used to access AV_OPT_TYPE_SAMPLE_FMT Signed-off-by: Michael Niedermayer (cherry picked from commit 1750b45cdf7498d0a05bea29cafcb26aa576d595) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index a5e1d68f97..8a378040e7 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -76,7 +76,7 @@ static int read_number(const AVOption *o, void *dst, double *num, int *den, int6 switch (o->type) { case AV_OPT_TYPE_FLAGS: *intnum = *(unsigned int*)dst;return 0; case AV_OPT_TYPE_PIXEL_FMT: *intnum = *(enum AVPixelFormat *)dst;return 0; - case AV_OPT_TYPE_SAMPLE_FMT: + case AV_OPT_TYPE_SAMPLE_FMT:*intnum = *(enum AVSampleFormat*)dst;return 0; case AV_OPT_TYPE_INT: *intnum = *(int *)dst;return 0; case AV_OPT_TYPE_CHANNEL_LAYOUT: case AV_OPT_TYPE_DURATION: 
@@ -111,8 +111,8 @@ static int write_number(void *obj, const AVOption *o, void *dst, double num, int switch (o->type) { case AV_OPT_TYPE_PIXEL_FMT: *(enum AVPixelFormat *)dst = llrint(num/den) * intnum; break; + case AV_OPT_TYPE_SAMPLE_FMT:*(enum AVSampleFormat*)dst = llrint(num/den) * intnum; break; case AV_OPT_TYPE_FLAGS: - case AV_OPT_TYPE_SAMPLE_FMT: case AV_OPT_TYPE_INT: *(int *)dst= llrint(num/den)*intnum; break; case AV_OPT_TYPE_DURATION: case AV_OPT_TYPE_CHANNEL_LAYOUT: From 7b213e88b5e6d39a2c8a8340c746b70d1019e89c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Feb 2015 02:06:20 +0100 Subject: [PATCH 0345/1352] avcodec/h264_slice: Do not change frame_num after the first slice Fixes potential race condition Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f906982c9411f3062e3ce68013309b37c213c4dd) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index b1709f9bba..2ed62c9423 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1306,6 +1306,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) int needs_reinit = 0; int field_pic_flag, bottom_field_flag; int first_slice = h == h0 && !h0->current_slice; + int frame_num; PPS *pps; h->qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; 
@@ -1515,7 +1516,15 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) h264_init_dequant_tables(h); } - h->frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num); + frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num); + if (!first_slice) { + if (h0->frame_num != frame_num) { + av_log(h->avctx, AV_LOG_ERROR, "Frame num change from %d to %d\n", + h0->frame_num, frame_num); + return AVERROR_INVALIDDATA; + } + } + h->frame_num = frame_num; h->mb_mbaff = 0; h->mb_aff_frame = 0; From 2073ab266eef2c01bd750f20d1177db4ca71ea63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Feb 2015 02:22:44 +0100 Subject: [PATCH 0346/1352] avcodec/h264_slice: Check picture structure before setting the related fields This might fix a hypothetical race condition Signed-off-by: Michael Niedermayer (cherry picked from commit f111831ed61103f9fa8fdda41473a23da016bdaa) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 2ed62c9423..113bcc31ec 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1306,7 +1306,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) int needs_reinit = 0; int field_pic_flag, bottom_field_flag; int first_slice = h == h0 && !h0->current_slice; - int frame_num; + int frame_num, picture_structure, droppable; PPS *pps; h->qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; 
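Review bot: The added frame_num check in ff_h264_decode_slice_header nests two conditions that read more clearly as a single guard, `if (!first_slice && h0->frame_num != frame_num) {`. Because first_slice is also false for every context with h != h0, the comparison against h0->frame_num deserves a short comment stating that h0 holds the frame_num accepted for the current picture; that reading is inferred from the first_slice definition in the earlier hunk. The function body continues outside the hunk.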
@@ -1524,39 +1524,35 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) return AVERROR_INVALIDDATA; } } - h->frame_num = frame_num; h->mb_mbaff = 0; h->mb_aff_frame = 0; last_pic_structure = h0->picture_structure; last_pic_droppable = h0->droppable; - h->droppable = h->nal_ref_idc == 0; + droppable = h->nal_ref_idc == 0; if (h->sps.frame_mbs_only_flag) { - h->picture_structure = PICT_FRAME; + picture_structure = PICT_FRAME; } else { if (!h->sps.direct_8x8_inference_flag && slice_type == AV_PICTURE_TYPE_B) { av_log(h->avctx, AV_LOG_ERROR, "This stream was generated by a broken encoder, invalid 8x8 inference\n"); return -1; } field_pic_flag = get_bits1(&h->gb); + if (field_pic_flag) { bottom_field_flag = get_bits1(&h->gb); - h->picture_structure = PICT_TOP_FIELD + bottom_field_flag; + picture_structure = PICT_TOP_FIELD + bottom_field_flag; } else { - h->picture_structure = PICT_FRAME; + picture_structure = PICT_FRAME; h->mb_aff_frame = h->sps.mb_aff; } } - h->mb_field_decoding_flag = h->picture_structure != PICT_FRAME; - - if (h0->current_slice != 0) { - if (last_pic_structure != h->picture_structure || - last_pic_droppable != h->droppable) { + if (h0->current_slice) { + if (last_pic_structure != picture_structure || + last_pic_droppable != droppable) { av_log(h->avctx, AV_LOG_ERROR, "Changing field mode (%d -> %d) between slices is not allowed\n", last_pic_structure, h->picture_structure); - h->picture_structure = last_pic_structure; - h->droppable = last_pic_droppable; return AVERROR_INVALIDDATA; } else if (!h0->cur_pic_ptr) { av_log(h->avctx, AV_LOG_ERROR, 
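Review bot: The "Changing field mode (%d -> %d)" message in ff_h264_decode_slice_header still passes `h->picture_structure`, which this change no longer assigns before the check, so the second number is the old context value rather than the rejected one; pass the local instead: `last_pic_structure, picture_structure);`. The same hunk still writes `h->mb_mbaff` and `h->mb_aff_frame` before the mismatch is rejected, so those fields are modified even when the slice is refused. If the intent is to leave the context untouched on error, they need the same local-then-commit treatment as picture_structure and droppable. The function body continues outside the hunk.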
@@ -1564,7 +1560,14 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) h0->current_slice + 1); return AVERROR_INVALIDDATA; } - } else { + } + + h->picture_structure = picture_structure; + h->droppable = droppable; + h->frame_num = frame_num; + h->mb_field_decoding_flag = picture_structure != PICT_FRAME; + + if (h0->current_slice == 0) { /* Shorten frame num gaps so we don't have to allocate reference * frames just to throw them away */ if (h->frame_num != h->prev_frame_num) { From 4d5beea7a1820289e211345db06ba185d51772d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Feb 2015 03:34:48 +0100 Subject: [PATCH 0347/1352] avcodec/h264_slice: ignore SAR changes in slices after the first Fixes race condition and null pointer dereference Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 38d5241b7f36c1571a88517a0650caade16dd5f4) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 113bcc31ec..641ec23af4 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -1431,13 +1431,15 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) || 16*h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) != h->avctx->coded_height || h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma || h->cur_chroma_format_idc != h->sps.chroma_format_idc - || av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio) || h->mb_width != h->sps.mb_width || h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) )); if (non_j_pixfmt(h0->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h0, 0))) must_reinit = 1; + if (first_slice && av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio)) + must_reinit = 1; + h->mb_width = h->sps.mb_width; h->mb_height = h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag); h->mb_num = h->mb_width * h->mb_height; From 6005f375aab60d620badc2726d1f43dcca9f94cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Feb 2015 03:45:14 +0100 Subject: [PATCH 0348/1352] avcodec/h264_slice: assert that reinit does not occur after the first slice Signed-off-by: Michael Niedermayer (cherry picked from commit 2fd9ce92af43e6dcbc8ed7c26c00b052de48ccad) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 641ec23af4..8b4511ce47 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1480,6 +1480,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) return AVERROR_INVALIDDATA; } + av_assert1(first_slice); + ff_h264_flush_change(h); if ((ret = get_pixel_format(h, 1)) < 0) From ca98c016cd44d1eef61c02f46f40ef5674d3cc31 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sat, 31 Jan 2015 10:01:37 +0100 Subject: [PATCH 0349/1352] lavc/aarch64: Do not use the neon horizontal chroma loop filter for H.264 4:2:2. (cherry picked from commit 4faea46bd906b3897018736208123aa36c3f45d5) 
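Review bot: The new `if (first_slice && av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio))` test in ff_h264_decode_slice_header has no comment explaining why a SAR difference is deliberately ignored on later slices, which reads like an oversight to anyone who has not seen the commit message. Suggested comment above it: `/* SAR is compared on the first slice only: a reinit triggered by a later slice would change state that other slices of this picture are using */`. The wording is inferred from the commit description, and the expression the removed line belonged to begins outside the hunk.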
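Review bot: `av_assert1(first_slice)` ahead of ff_h264_flush_change() in ff_h264_decode_slice_header is compiled in only when the build's assert level is above zero, so in a default build it does not stop a reinit on a later slice. If that path can be reached from bitstream data, a runtime check is the safer form: `if (!first_slice) return AVERROR_INVALIDDATA;`, with a log line like the neighbouring errors. If the earlier checks make it unreachable, a comment next to the assert naming those checks would say so. The surrounding block begins outside the hunk.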
Signed-off-by: Michael Niedermayer --- libavcodec/aarch64/h264dsp_init_aarch64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aarch64/h264dsp_init_aarch64.c b/libavcodec/aarch64/h264dsp_init_aarch64.c index ed5e4bdd9b..e0f378f5ab 100644 --- a/libavcodec/aarch64/h264dsp_init_aarch64.c +++ b/libavcodec/aarch64/h264dsp_init_aarch64.c @@ -78,6 +78,7 @@ av_cold void ff_h264dsp_init_aarch64(H264DSPContext *c, const int bit_depth, c->h264_v_loop_filter_luma = ff_h264_v_loop_filter_luma_neon; c->h264_h_loop_filter_luma = ff_h264_h_loop_filter_luma_neon; c->h264_v_loop_filter_chroma = ff_h264_v_loop_filter_chroma_neon; + if (chroma_format_idc <= 1) c->h264_h_loop_filter_chroma = ff_h264_h_loop_filter_chroma_neon; c->weight_h264_pixels_tab[0] = ff_weight_h264_pixels_16_neon; From 492818d724d910d3b5933c5f762b5151f764bbea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Feb 2015 03:33:53 +0100 Subject: [PATCH 0350/1352] avcodec/mjpegdec: Skip blocks which are outside the visible area Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash.avi Found-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 08509c8f86626815a3e9e68d600d1aacbb8df4bf) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a7479ae7e1..04018741f4 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
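Review bot: The added `if (chroma_format_idc <= 1)` in ff_h264dsp_init_aarch64 guards a single assignment without braces or a comment, so the next line added below it can silently fall outside the condition. Bracing the assignment and adding `/* the NEON horizontal chroma loop filter is not used for 4:2:2 (chroma_format_idc 2) */` records the reason given in the commit title. For other values the pointer keeps whatever it held before this function ran, presumably the generic implementation set by the caller; that is not visible in the hunk.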
@@ -1226,13 +1226,18 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - ptr = data[c] + block_offset; + if ( 8*(h * mb_x + x) < s->width + && 8*(v * mb_y + y) < s->height) { + ptr = data[c] + block_offset; + } else + ptr = NULL; if (!s->progressive) { - if (copy_mb) - mjpeg_copy_block(s, ptr, reference_data[c] + block_offset, - linesize[c], s->avctx->lowres); + if (copy_mb) { + if (ptr) + mjpeg_copy_block(s, ptr, reference_data[c] + block_offset, + linesize[c], s->avctx->lowres); - else { + } else { s->bdsp.clear_block(s->block); if (decode_block(s, s->block, i, s->dc_index[i], s->ac_index[i], @@ -1241,9 +1246,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, "error y=%d x=%d\n", mb_y, mb_x); return AVERROR_INVALIDDATA; } - s->idsp.idct_put(ptr, linesize[c], s->block); - if (s->bits & 7) - shift_output(s, ptr, linesize[c]); + if (ptr) { + s->idsp.idct_put(ptr, linesize[c], s->block); + if (s->bits & 7) + shift_output(s, ptr, linesize[c]); + } } } else { int block_idx = s->block_stride[c] * (v * mb_y + y) + From 1a263f0dd96a7acae8a5d9290cd158b03dfaca82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Feb 2015 16:35:29 +0100 Subject: [PATCH 0351/1352] avcodec/arm/videodsp_armv5te: Fix linking failure with "g++ -shared -D__STDC_CONSTANT_MACROS -o test.so ... libavcodec.a" Tested-by: Andreas Haupt Signed-off-by: Michael Niedermayer (cherry picked from commit cab6302534962331753fb69c674df86a458b098d) Signed-off-by: Michael Niedermayer --- libavcodec/arm/videodsp_armv5te.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/arm/videodsp_armv5te.S b/libavcodec/arm/videodsp_armv5te.S index 55bcce5cb6..aff1161ada 100644 --- a/libavcodec/arm/videodsp_armv5te.S +++ b/libavcodec/arm/videodsp_armv5te.S 
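Review bot: In mjpeg_decode_scan the new visibility test sets `ptr = NULL` for blocks that start outside s->width x s->height, but nothing says that such blocks are still entropy-decoded on purpose and that only the writes through ptr are skipped (both hunks of this patch). A comment at the test would make that explicit: `/* blocks outside the visible area are still decoded to keep the bitstream position; only the output write is skipped */`. The test covers the block's top-left corner only, so a block that starts inside the picture and extends past its edge still writes a full block; that relies on the plane being allocated with padding to a block multiple, which is not visible here. The `{ ... } else ptr = NULL;` form would also read better with braces on both arms.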
@@ -23,9 +23,10 @@ #include "libavutil/arm/asm.S" function ff_prefetch_arm, export=1 +1: subs r2, r2, #1 pld [r0] add r0, r0, r1 - bne X(ff_prefetch_arm) + bne 1b bx lr endfunc From d705125b949bc49889f52ea8ea4a036a7d8d2e2b Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 13 Jan 2015 14:47:47 +0100 Subject: [PATCH 0352/1352] qpeg: avoid pointless invalid memcpy() If refdata was NULL, the memcpy() ended up copying the same memory block onto itself, which is not only pointless, but also undefined behavior. Signed-off-by: Michael Niedermayer (cherry picked from commit 921706691a87c3ea5f5b92afd9b423e5f8c6e9d9) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index d61bceafd7..71f322b828 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -120,12 +120,13 @@ static void av_noinline qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, int filled = 0; int orig_height; - if(!refdata) - refdata= dst; - - /* copy prev frame */ - for(i = 0; i < height; i++) - memcpy(dst + (i * stride), refdata + (i * stride), width); + if (refdata) { + /* copy prev frame */ + for (i = 0; i < height; i++) + memcpy(dst + (i * stride), refdata + (i * stride), width); + } else { + refdata = dst; + } orig_height = height; height--; From 43924a8e992fdc6cf882b711f758a442c2eec6a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Jan 2015 18:51:33 +0100 Subject: [PATCH 0353/1352] avcodec/hevc: Fix handling of skipped_bytes() reallocation failures Fixes CID1260704 Signed-off-by: Michael Niedermayer (cherry picked from commit e172f5e53ae4dbbcdcf81c9a3b962dc9f5a8a98d) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index fa9854d737..4551bd445c 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
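Review bot: In qpeg_decode_inter the new else arm sets `refdata = dst` without saying what that means for the rest of the function: with no previous frame, dst is not initialised from a reference, and any later read through refdata reads the frame currently being written. A comment would record the intent, for example `/* no reference frame: later reads via refdata fall back to the current output buffer */`. Whether dst holds defined data at that point depends on the caller, which is outside the hunk, as is the rest of the function body.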
@@ -2888,17 +2888,30 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length) if (s->nals_allocated < s->nb_nals + 1) { int new_size = s->nals_allocated + 1; - HEVCNAL *tmp = av_realloc_array(s->nals, new_size, sizeof(*tmp)); + void *tmp = av_realloc_array(s->nals, new_size, sizeof(*s->nals)); + ret = AVERROR(ENOMEM); if (!tmp) { - ret = AVERROR(ENOMEM); goto fail; } s->nals = tmp; memset(s->nals + s->nals_allocated, 0, - (new_size - s->nals_allocated) * sizeof(*tmp)); - av_reallocp_array(&s->skipped_bytes_nal, new_size, sizeof(*s->skipped_bytes_nal)); - av_reallocp_array(&s->skipped_bytes_pos_size_nal, new_size, sizeof(*s->skipped_bytes_pos_size_nal)); - av_reallocp_array(&s->skipped_bytes_pos_nal, new_size, sizeof(*s->skipped_bytes_pos_nal)); + (new_size - s->nals_allocated) * sizeof(*s->nals)); + + tmp = av_realloc_array(s->skipped_bytes_nal, new_size, sizeof(*s->skipped_bytes_nal)); + if (!tmp) + goto fail; + s->skipped_bytes_nal = tmp; + + tmp = av_realloc_array(s->skipped_bytes_pos_size_nal, new_size, sizeof(*s->skipped_bytes_pos_size_nal)); + if (!tmp) + goto fail; + s->skipped_bytes_pos_size_nal = tmp; + + tmp = av_realloc_array(s->skipped_bytes_pos_nal, new_size, sizeof(*s->skipped_bytes_pos_nal)); + if (!tmp) + goto fail; + s->skipped_bytes_pos_nal = tmp; + s->skipped_bytes_pos_size_nal[s->nals_allocated] = 1024; // initial buffer size s->skipped_bytes_pos_nal[s->nals_allocated] = av_malloc_array(s->skipped_bytes_pos_size_nal[s->nals_allocated], sizeof(*s->skipped_bytes_pos)); s->nals_allocated = new_size; From 416501da1aa7818530d758edea9e129797bb07c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Jan 2015 02:10:35 +0100 Subject: [PATCH 0354/1352] avdevice: Use av_format_get_control_message_cb() This is required as the location of this field could change and is specified in libavformat not avdevice Signed-off-by: Michael Niedermayer (cherry picked from commit ba97cf2c4562b60fbef89103b61516891e31845e) 
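Review bot: decode_nal_units now checks the three av_realloc_array() calls, but the `av_malloc_array()` result stored in `s->skipped_bytes_pos_nal[s->nals_allocated]` at the end of the hunk is still unchecked while its size entry is set to 1024, so a failed allocation leaves a NULL buffer with a non-zero recorded size. The same treatment fits there: `if (!s->skipped_bytes_pos_nal[s->nals_allocated]) goto fail;` placed before `s->nals_allocated = new_size;`. `ret = AVERROR(ENOMEM)` is now also set unconditionally and stays set on the success path, so it relies on later code, outside the hunk, assigning ret again before it is returned.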
Signed-off-by: Michael Niedermayer --- libavdevice/avdevice.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavdevice/avdevice.c b/libavdevice/avdevice.c index c391931ac2..a80eb457ea 100644 --- a/libavdevice/avdevice.c +++ b/libavdevice/avdevice.c @@ -134,9 +134,9 @@ int avdevice_app_to_dev_control_message(struct AVFormatContext *s, enum AVAppToD int avdevice_dev_to_app_control_message(struct AVFormatContext *s, enum AVDevToAppMessageType type, void *data, size_t data_size) { - if (!s->control_message_cb) + if (!av_format_get_control_message_cb(s)) return AVERROR(ENOSYS); - return s->control_message_cb(s, type, data, data_size); + return av_format_get_control_message_cb(s)(s, type, data, data_size); } int avdevice_capabilities_create(AVDeviceCapabilitiesQuery **caps, AVFormatContext *s, From 74c7273b5d5c39c6fb12adbab3e98d71c96df5ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Jan 2015 21:36:26 +0100 Subject: [PATCH 0355/1352] avfilter/vf_framepack: Check and update frame_rate The frame_rate update was missing leaving the output frame rate wrong. Signed-off-by: Michael Niedermayer (cherry picked from commit a46a23d30fea9c8a5570e07ec4d9c9b4eaa6eb4f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_framepack.c | 13 +++++++++++- tests/ref/fate/filter-framepack-frameseq | 26 ++++++++++++------------ 2 files changed, 25 insertions(+), 14 deletions(-) diff --git a/libavfilter/vf_framepack.c b/libavfilter/vf_framepack.c index 8a7d4e8f32..f5215fed9d 100644 --- a/libavfilter/vf_framepack.c +++ b/libavfilter/vf_framepack.c @@ -82,6 +82,7 @@ static int config_output(AVFilterLink *outlink) int width = ctx->inputs[LEFT]->w; int height = ctx->inputs[LEFT]->h; AVRational time_base = ctx->inputs[LEFT]->time_base; + AVRational frame_rate = ctx->inputs[LEFT]->frame_rate; // check size and fps match on the other input if (width != ctx->inputs[RIGHT]->w || 
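Review bot: avdevice_dev_to_app_control_message calls av_format_get_control_message_cb(s) twice, once for the NULL test and once for the call, so the pointer that is tested is not necessarily the one that is invoked. Reading it once into a local is clearer: `av_format_control_message cb = av_format_get_control_message_cb(s);`, then `if (!cb) return AVERROR(ENOSYS);` and `return cb(s, type, data, data_size);`.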
@@ -93,11 +94,18 @@ static int config_output(AVFilterLink *outlink) return AVERROR_INVALIDDATA; } else if (av_cmp_q(time_base, ctx->inputs[RIGHT]->time_base) != 0) { av_log(ctx, AV_LOG_ERROR, - "Left and right framerates differ (%d/%d vs %d/%d).\n", + "Left and right time bases differ (%d/%d vs %d/%d).\n", time_base.num, time_base.den, ctx->inputs[RIGHT]->time_base.num, ctx->inputs[RIGHT]->time_base.den); return AVERROR_INVALIDDATA; + } else if (av_cmp_q(frame_rate, ctx->inputs[RIGHT]->frame_rate) != 0) { + av_log(ctx, AV_LOG_ERROR, + "Left and right framerates differ (%d/%d vs %d/%d).\n", + frame_rate.num, frame_rate.den, + ctx->inputs[RIGHT]->frame_rate.num, + ctx->inputs[RIGHT]->frame_rate.den); + return AVERROR_INVALIDDATA; } s->pix_desc = av_pix_fmt_desc_get(outlink->format); @@ -108,6 +116,8 @@ static int config_output(AVFilterLink *outlink) switch (s->format) { case AV_STEREO3D_FRAMESEQUENCE: time_base.den *= 2; + frame_rate.num *= 2; + s->double_pts = AV_NOPTS_VALUE; break; case AV_STEREO3D_COLUMNS: @@ -126,6 +136,7 @@ static int config_output(AVFilterLink *outlink) outlink->w = width; outlink->h = height; outlink->time_base = time_base; + outlink->frame_rate= frame_rate; return 0; } diff --git a/tests/ref/fate/filter-framepack-frameseq b/tests/ref/fate/filter-framepack-frameseq index c3d2a15e8e..83c08a0324 100644 --- a/tests/ref/fate/filter-framepack-frameseq +++ b/tests/ref/fate/filter-framepack-frameseq 
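Review bot: The new frame-rate comparison in config_output treats any non-zero av_cmp_q() result as a mismatch, and av_cmp_q() returns INT_MIN when an operand is 0/0, so inputs that leave frame_rate unset would be rejected with a "framerates differ" error even when they agree. If such inputs can reach this filter, keep the result in a local and test `cmp != 0 && cmp != INT_MIN`, or skip the comparison when either rate is unknown. In the AV_STEREO3D_FRAMESEQUENCE case, `frame_rate.num *= 2` doubles an int with no overflow check, the same as the existing `time_base.den *= 2`. The function starts outside these hunks.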
@@ -1,16 +1,16 @@ -#tb 0: 1/25 +#tb 0: 1/50 0, 0, 0, 1, 152064, 0x05b789ef 0, 1, 1, 1, 152064, 0x05b789ef 0, 2, 2, 1, 152064, 0x4bb46551 -0, 3, 3, 1, 152064, 0x9dddf64a -0, 4, 4, 1, 152064, 0x2a8380b0 -0, 5, 5, 1, 152064, 0x4de3b652 -0, 6, 6, 1, 152064, 0xedb5a8e6 -0, 7, 7, 1, 152064, 0xe20f7c23 -0, 8, 8, 1, 152064, 0x5ab58bac -0, 9, 9, 1, 152064, 0x1f1b8026 -0, 10, 10, 1, 152064, 0x91373915 -0, 11, 11, 1, 152064, 0x02344760 -0, 12, 12, 1, 152064, 0x30f5fcd5 -0, 13, 13, 1, 152064, 0xc711ad61 -0, 14, 14, 1, 152064, 0x24eca223 +0, 3, 3, 1, 152064, 0x4bb46551 +0, 4, 4, 1, 152064, 0x9dddf64a +0, 5, 5, 1, 152064, 0x9dddf64a +0, 6, 6, 1, 152064, 0x2a8380b0 +0, 7, 7, 1, 152064, 0x2a8380b0 +0, 8, 8, 1, 152064, 0x4de3b652 +0, 9, 9, 1, 152064, 0x4de3b652 +0, 10, 10, 1, 152064, 0xedb5a8e6 +0, 11, 11, 1, 152064, 0xedb5a8e6 +0, 12, 12, 1, 152064, 0xe20f7c23 +0, 13, 13, 1, 152064, 0xe20f7c23 +0, 14, 14, 1, 152064, 0x5ab58bac From cb7d72ed1814b41d42d2d293ca7c16bcdd1137c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jan 2015 01:56:03 +0100 Subject: [PATCH 0356/1352] avcodec/flac_parser: fix handling EOF if no headers are found Fixes assertion failure Fixes Ticket4269 Signed-off-by: Michael Niedermayer (cherry picked from commit c4d85fc23c100f7a27d9bad710eb153214868e27) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index a031dbfc62..7faf1389ea 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -697,7 +697,7 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, handle_error: *poutbuf = NULL; *poutbuf_size = 0; - return read_end - buf; + return buf_size ? read_end - buf : 0; } static av_cold int flac_parse_init(AVCodecParserContext *c) From d66d5d61881f7cd4f511f67186387539de5e9475 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 13 Feb 2015 21:18:42 +0100 Subject: [PATCH 0357/1352] Update for 2.4.7 Signed-off-by: Michael Niedermayer --- Changelog | 26 ++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 28 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index d74254e1c6..2371d9da5f 100644 --- a/Changelog +++ b/Changelog 
@@ -3,6 +3,32 @@ releases are sorted from youngest to oldest. version : +version 2.4.7: +- avcodec/flac_parser: fix handling EOF if no headers are found +- avfilter/vf_framepack: Check and update frame_rate +- avcodec/hevc: Fix handling of skipped_bytes() reallocation failures +- qpeg: avoid pointless invalid memcpy() +- avcodec/arm/videodsp_armv5te: Fix linking failure with "g++ -shared -D__STDC_CONSTANT_MACROS -o test.so ... libavcodec.a" +- avcodec/mjpegdec: Skip blocks which are outside the visible area +- lavc/aarch64: Do not use the neon horizontal chroma loop filter for H.264 4:2:2. (cherry picked from commit 4faea46bd906b3897018736208123aa36c3f45d5) +- avcodec/h264_slice: assert that reinit does not occur after the first slice +- avcodec/h264_slice: ignore SAR changes in slices after the first +- avcodec/h264_slice: Check picture structure before setting the related fields +- avcodec/h264_slice: Do not change frame_num after the first slice +- avutil/opt: Fix type used to access AV_OPT_TYPE_SAMPLE_FMT +- avutil/opt: Fix types used to access AV_OPT_TYPE_PIXEL_FMT +- avcodec/h264: Be more strict on rejecting pps/sps changes +- avcodec/h264: Be more strict on rejecting pps_id changes +- avcodec/h264_ps: More completely check the bit depths +- avformat/thp: Check av_get_packet() for failure not only for partial output +- swscale/utils: Limit filter shifting so as not to read from prior the array +- avcodec/mpegvideo_motion: Fix gmc chroma dimensions +- avcodec/mjpegdec: Check number of components for JPEG-LS +- avcodec/mjpegdec: Check escape sequence validity +- avformat/mpc8: Use uint64_t in *_get_v() to avoid undefined behavior +- avformat/mpc8: fix broken pointer math +- avformat/mpc8: fix hang with fuzzed file +- avformat/tta: fix crash with corrupted files version 2.4.6: - doc/examples: fix lib math dep for decoding_encoding diff --git a/RELEASE b/RELEASE index 7bf4b6a8ae..e30309f735 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.6 +2.4.7 
diff --git a/doc/Doxyfile b/doc/Doxyfile index 05257ca3bd..c81c7991fe 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.6 +PROJECT_NUMBER = 2.4.7 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From a78b7c504a7b5e0a40507f281d70a0e153071f51 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 31 Dec 2014 02:15:08 -0300 Subject: [PATCH 0358/1352] x86/swr: add missing alignment check to pack_6ch functions Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 5f14f9e9849579b3418aebfde8a162d9c172d0ea) --- libswresample/x86/audio_convert.asm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libswresample/x86/audio_convert.asm b/libswresample/x86/audio_convert.asm index b6e9e5d79d..eead735bdf 100644 --- a/libswresample/x86/audio_convert.asm +++ b/libswresample/x86/audio_convert.asm @@ -221,6 +221,8 @@ cglobal pack_6ch_%2_to_%1_%3, 2,8,7, dst, src, src1, src2, src3, src4, src5, len jne pack_6ch_%2_to_%1_u_int %+ SUFFIX test srcq, mmsize-1 jne pack_6ch_%2_to_%1_u_int %+ SUFFIX + test src1q, mmsize-1 + jne pack_6ch_%2_to_%1_u_int %+ SUFFIX test src2q, mmsize-1 jne pack_6ch_%2_to_%1_u_int %+ SUFFIX test src3q, mmsize-1 From 3c63503792147a996997023694a3b45f27ab3f78 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 12 Jan 2015 13:48:52 -0300 Subject: [PATCH 0359/1352] avutil/opencl: don't include config.h It's not an installed header. Tested-by: Thilo Borgmann Tested-by: Wei Gao Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 3aaff803489af21011b8cf03847e17b29643c922) --- configure | 2 -- libavutil/opencl.h | 7 +++---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/configure b/configure index 2f363547f2..f2ba6afcd5 100755 
--- a/configure +++ b/configure @@ -1620,7 +1620,6 @@ HEADERS_LIST=" asm_types_h cdio_paranoia_h cdio_paranoia_paranoia_h - CL_cl_h dev_bktr_ioctl_bt848_h dev_bktr_ioctl_meteor_h dev_ic_bt8xx_h @@ -4710,7 +4709,6 @@ check_func_headers glob.h glob enabled xlib && check_func_headers "X11/Xlib.h X11/extensions/Xvlib.h" XvGetPortAttribute -lXv -lX11 -lXext -check_header cl/cl.h check_header direct.h check_header dlfcn.h check_header dxva.h diff --git a/libavutil/opencl.h b/libavutil/opencl.h index 9e6dc55ee8..8c1dfeb037 100644 --- a/libavutil/opencl.h +++ b/libavutil/opencl.h @@ -32,11 +32,10 @@ #ifndef LIBAVUTIL_OPENCL_H #define LIBAVUTIL_OPENCL_H -#include "config.h" -#if HAVE_CL_CL_H -#include -#else +#ifdef __APPLE__ #include +#else +#include #endif #include #include "dict.h" From dbda57469456f03ed7ba921b97744751d0ccee39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 16 Feb 2015 17:23:34 +0100 Subject: [PATCH 0360/1352] avcodec/gif: fix off by one in column offsetting finding (cherry picked from commit f9240ec01abb097263fe578d2b6fb076bb7b9263) --- libavcodec/gif.c | 4 ++-- tests/ref/fate/gifenc-bgr8 | 10 +++++----- tests/ref/fate/gifenc-rgb8 | 10 +++++----- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/gif.c b/libavcodec/gif.c index 27d054e512..def1b83e9d 100644 --- a/libavcodec/gif.c +++ b/libavcodec/gif.c @@ -105,7 +105,7 @@ static int gif_image_write_image(AVCodecContext *avctx, /* skip common columns */ while (x_start < x_end) { int same_column = 1; - for (y = y_start; y < y_end; y++) { + for (y = y_start; y <= y_end; y++) { if (ref[y*ref_linesize + x_start] != buf[y*linesize + x_start]) { same_column = 0; break; @@ -117,7 +117,7 @@ static int gif_image_write_image(AVCodecContext *avctx, } while (x_end > x_start) { int same_column = 1; - for (y = y_start; y < y_end; y++) { + for (y = y_start; y <= y_end; y++) { if (ref[y*ref_linesize + x_end] != buf[y*linesize + x_end]) { same_column = 0; break; 
diff --git a/tests/ref/fate/gifenc-bgr8 b/tests/ref/fate/gifenc-bgr8 index 9f4a593f4d..f3b7772785 100644 --- a/tests/ref/fate/gifenc-bgr8 +++ b/tests/ref/fate/gifenc-bgr8 @@ -35,15 +35,15 @@ 0, 33, 33, 1, 4295, 0xf71b0b38, S=1, 1024, 0xf351799f 0, 34, 34, 1, 2044, 0x5adcb93b, S=1, 1024, 0xf351799f 0, 35, 35, 1, 3212, 0xcf79eeed, S=1, 1024, 0xf351799f -0, 36, 36, 1, 2281, 0x68464d30, S=1, 1024, 0xf351799f +0, 36, 36, 1, 2292, 0xb4386334, S=1, 1024, 0xf351799f 0, 37, 37, 1, 3633, 0x0010992f, S=1, 1024, 0xf351799f 0, 38, 38, 1, 3552, 0x23697490, S=1, 1024, 0xf351799f 0, 39, 39, 1, 3690, 0x62afdbb8, S=1, 1024, 0xf351799f -0, 40, 40, 1, 1558, 0x7a13e53b, S=1, 1024, 0xf351799f -0, 41, 41, 1, 940, 0xb1b6cba2, S=1, 1024, 0xf351799f +0, 40, 40, 1, 1559, 0x5baef54a, S=1, 1024, 0xf351799f +0, 41, 41, 1, 954, 0xca75ca79, S=1, 1024, 0xf351799f 0, 42, 42, 1, 273, 0x3687799b, S=1, 1024, 0xf351799f 0, 43, 43, 1, 930, 0x29f3b0c4, S=1, 1024, 0xf351799f -0, 44, 44, 1, 271, 0xe7af807c, S=1, 1024, 0xf351799f +0, 44, 44, 1, 271, 0x305e8094, S=1, 1024, 0xf351799f 0, 45, 45, 1, 196, 0xf5ab51ee, S=1, 1024, 0xf351799f 0, 46, 46, 1, 4299, 0x67ec0d55, S=1, 1024, 0xf351799f 0, 47, 47, 1, 4895, 0xb394406c, S=1, 1024, 0xf351799f @@ -56,7 +56,7 @@ 0, 54, 54, 1, 5179, 0x860fc6a1, S=1, 1024, 0xf351799f 0, 55, 55, 1, 5046, 0xce9183d3, S=1, 1024, 0xf351799f 0, 56, 56, 1, 5140, 0xa6d7b9af, S=1, 1024, 0xf351799f -0, 57, 57, 1, 4289, 0xb415f717, S=1, 1024, 0xf351799f +0, 57, 57, 1, 4301, 0x03b6ef3f, S=1, 1024, 0xf351799f 0, 58, 58, 1, 5079, 0xa8d59e01, S=1, 1024, 0xf351799f 0, 59, 59, 1, 5284, 0xea34e3b3, S=1, 1024, 0xf351799f 0, 60, 60, 1, 5426, 0x556a15cd, S=1, 1024, 0xf351799f diff --git a/tests/ref/fate/gifenc-rgb8 b/tests/ref/fate/gifenc-rgb8 index a894173225..d1a990d07e 100644 --- a/tests/ref/fate/gifenc-rgb8 +++ b/tests/ref/fate/gifenc-rgb8 
@@ -35,15 +35,15 @@ 0, 33, 33, 1, 4295, 0xc1850a80, S=1, 1024, 0xcfc8799f 0, 34, 34, 1, 2044, 0x0440c072, S=1, 1024, 0xcfc8799f 0, 35, 35, 1, 3212, 0xe91af08f, S=1, 1024, 0xcfc8799f -0, 36, 36, 1, 2281, 0x6a414aa1, S=1, 1024, 0xcfc8799f +0, 36, 36, 1, 2292, 0x6765633e, S=1, 1024, 0xcfc8799f 0, 37, 37, 1, 3633, 0xac779aa3, S=1, 1024, 0xcfc8799f 0, 38, 38, 1, 3552, 0xed2c75b2, S=1, 1024, 0xcfc8799f 0, 39, 39, 1, 3690, 0x2020dd0d, S=1, 1024, 0xcfc8799f -0, 40, 40, 1, 1558, 0x2c14e4b2, S=1, 1024, 0xcfc8799f -0, 41, 41, 1, 940, 0x4927cd90, S=1, 1024, 0xcfc8799f +0, 40, 40, 1, 1559, 0x596ef330, S=1, 1024, 0xcfc8799f +0, 41, 41, 1, 954, 0xac12c9c5, S=1, 1024, 0xcfc8799f 0, 42, 42, 1, 273, 0x138c7831, S=1, 1024, 0xcfc8799f 0, 43, 43, 1, 930, 0xf1c3ae3f, S=1, 1024, 0xcfc8799f -0, 44, 44, 1, 271, 0x6d338044, S=1, 1024, 0xcfc8799f +0, 44, 44, 1, 271, 0x921a80af, S=1, 1024, 0xcfc8799f 0, 45, 45, 1, 196, 0xa5de5322, S=1, 1024, 0xcfc8799f 0, 46, 46, 1, 4299, 0x5bac0d86, S=1, 1024, 0xcfc8799f 0, 47, 47, 1, 4895, 0xc43639a6, S=1, 1024, 0xcfc8799f @@ -56,7 +56,7 @@ 0, 54, 54, 1, 5179, 0x97aac3a1, S=1, 1024, 0xcfc8799f 0, 55, 55, 1, 5046, 0x836a80cd, S=1, 1024, 0xcfc8799f 0, 56, 56, 1, 5140, 0xa725c1e7, S=1, 1024, 0xcfc8799f -0, 57, 57, 1, 4289, 0x7b3afbc0, S=1, 1024, 0xcfc8799f +0, 57, 57, 1, 4301, 0x0203f239, S=1, 1024, 0xcfc8799f 0, 58, 58, 1, 5079, 0xb2e7a2de, S=1, 1024, 0xcfc8799f 0, 59, 59, 1, 5284, 0xb757dfe1, S=1, 1024, 0xcfc8799f 0, 60, 60, 1, 5426, 0xf9f11e57, S=1, 1024, 0xcfc8799f From 1dbfaa34e615606cb3f1a3ecabb117e354459edc Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 12 Feb 2015 12:26:58 +0100 Subject: [PATCH 0361/1352] h264: only ref cur_pic in update_thread_context if it is initialized It may be empty if the previous thread's decode call did not contain a valid frame. (cherry picked from commit 0dea4c77ccf5956561bb8991311b3d834bb5fa40) Signed-off-by: Anton Khirnov --- libavcodec/h264_slice.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 1ee7a3dfff..e47a4484e6 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -589,8 +589,11 @@ int ff_h264_update_thread_context(AVCodecContext *dst, h->cur_pic_ptr = REBASE_PICTURE(h1->cur_pic_ptr, h, h1); ff_h264_unref_picture(h, &h->cur_pic); - if ((ret = ff_h264_ref_picture(h, &h->cur_pic, &h1->cur_pic)) < 0) - return ret; + if (h1->cur_pic.f.buf[0]) { + ret = ff_h264_ref_picture(h, &h->cur_pic, &h1->cur_pic); + if (ret < 0) + return ret; + } h->workaround_bugs = h1->workaround_bugs; h->low_delay = h1->low_delay; From 06d433366c02ab81a1aaad33d32934b4180d354b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Aug 2013 03:01:19 +0200 Subject: [PATCH 0362/1352] h264: Do not share rbsp_buffer across threads Signed-off-by: Luca Barbato CC: libav-stable@libav.org (cherry picked from commit 61928b68dc28e080b8c8191afe5541123c682bbd) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 208aa929b4..6dca22b94e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -686,6 +686,10 @@ static int decode_init_thread_copy(AVCodecContext *avctx) memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); + h->rbsp_buffer[0] = NULL; + h->rbsp_buffer[1] = NULL; + h->rbsp_buffer_size[0] = 0; + h->rbsp_buffer_size[1] = 0; h->context_initialized = 0; return 0; From 2686dab45eec54f99866413153aa0b36381e48be Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 12 Feb 2015 13:06:49 +0100 Subject: [PATCH 0363/1352] h264: initialize H264Context.avctx in init_thread_copy This prevents using a wrong (first thread's) AVCodecContext if decoding a frame in the first pass over all threads fails. (cherry picked from commit a06b0b1295c51d100101e0ca0434e199ad6de6b5) Signed-off-by: Anton Khirnov --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) 
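Review bot: In ff_h264_update_thread_context, `h->cur_pic_ptr` is still rebased from h1 unconditionally, but `h->cur_pic` now stays unreferenced whenever `h1->cur_pic.f.buf[0]` is NULL, so the two fields can disagree after this call. Any later code that takes a non-NULL cur_pic_ptr to mean cur_pic holds buffers would then work on an empty picture; whether such code exists lies outside the hunk. A comment on the new branch, e.g. `/* h1 holds no frame if its decode call produced none; leave cur_pic empty */`, would record the intended state.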
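Review bot: The four assignments that reset rbsp_buffer and rbsp_buffer_size in decode_init_thread_copy say nothing about why the reset is needed, and they break from the memset style of the two lines just above. Assuming both members are arrays in H264Context, `memset(h->rbsp_buffer, 0, sizeof(h->rbsp_buffer));` and `memset(h->rbsp_buffer_size, 0, sizeof(h->rbsp_buffer_size));` would stay correct if the array length changes. A comment such as `/* buffers are per-thread; do not inherit the first thread's pointers */` would explain the reset, since the copy that makes them shared is outside the hunk.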
diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 6dca22b94e..e9236e9184 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -686,6 +686,7 @@ static int decode_init_thread_copy(AVCodecContext *avctx) memset(h->sps_buffers, 0, sizeof(h->sps_buffers)); memset(h->pps_buffers, 0, sizeof(h->pps_buffers)); + h->avctx = avctx; h->rbsp_buffer[0] = NULL; h->rbsp_buffer[1] = NULL; h->rbsp_buffer_size[0] = 0; From 2d1309c3528f89bfafe1298badf39fe7a1be0542 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Sun, 22 Feb 2015 17:46:49 +0000 Subject: [PATCH 0364/1352] hevc_deblock: Fix compilation with nasm CC: libav-stable@libav.org Bug-Id: 795 Signed-off-by: Vittorio Giovara --- libavcodec/x86/hevc_deblock.asm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/hevc_deblock.asm b/libavcodec/x86/hevc_deblock.asm index 45b8703251..1e895f0aa5 100644 --- a/libavcodec/x86/hevc_deblock.asm +++ b/libavcodec/x86/hevc_deblock.asm @@ -356,7 +356,7 @@ ALIGN 16 %if %1 > 8 shl betaq, %1 - 8 %endif - movd m13, betaq + movd m13, betad SPLATW m13, m13, 0 ;end beta calculations @@ -620,7 +620,7 @@ ALIGN 16 paddw m15, m2; p1' ;beta calculations - movd m10, betaq + movd m10, betad SPLATW m10, m10, 0 movd m13, r7d; 1dp0 + 1dp3 From 07db7a0dd8239e255c08800162eb45b82c2c49fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Jan 2013 04:20:24 +0100 Subject: [PATCH 0365/1352] h264_cabac: Break infinite loops MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes out of array reads and/or infinite loops. 30 is the maximum number of bits that can be read into coeff_abs below. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Martin Storsjö --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index f1ab97a144..cce6450b0f 100644 --- a/libavcodec/h264_cabac.c 
+++ b/libavcodec/h264_cabac.c @@ -1711,7 +1711,7 @@ decode_cabac_residual_internal(H264Context *h, int16_t *block, \ if( coeff_abs >= 15 ) { \ int j = 0; \ - while( get_cabac_bypass( CC ) ) { \ + while (get_cabac_bypass(CC) && j < 30) { \ j++; \ } \ \ From 4cd54b2f976738682cdf8a38a1719b8bba1a018c Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Tue, 6 Jan 2015 16:47:18 +0100 Subject: [PATCH 0366/1352] img2dec: correctly use the parsed value from -start_number Previously the image sequence was always starting from the minimum number rather than the requested one. CC: libav-stable@libav.org --- libavformat/img2dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index f7f0a11e6a..b73554e096 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -194,7 +194,7 @@ static int img_read_header(AVFormatContext *s1) return AVERROR(ENOENT); s->img_first = first_index; s->img_last = last_index; - s->img_number = first_index; + s->img_number = s->start_number != 1 ? s->start_number : first_index; /* compute duration */ st->start_time = 0; st->duration = last_index - first_index + 1; From e10028431d5cd90db7b2a4b0d16721bb1a6d75e3 Mon Sep 17 00:00:00 2001 From: Mark McGough Date: Sun, 12 Oct 2014 18:24:07 +0800 Subject: [PATCH 0367/1352] icecast: Do not use chunked post Icecast uses HTTP 1.0 while Libav uses HTTP 1.1 and enables by default chunked post. Icecast actually forwards the HTTP chunk headers to the listener as part of the media stream (without the chunk encoding HTTP headers) causing the players to lose sync. Disabling the option is enough to feed icecast properly. (cherry picked from commit 76c70e33d2244a688832f03b53862eb5d9ad3b01) Signed-off-by: Luca Barbato --- libavformat/icecast.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/icecast.c b/libavformat/icecast.c index b671d8ced9..155396fcc4 100644 --- a/libavformat/icecast.c +++ b/libavformat/icecast.c 
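Review bot: The cap `j < 30` in the bypass loop of decode_cabac_residual_internal is an unexplained magic number, and reaching it is handled silently. The commit message gives the reason, so it belongs next to the code: `/* coeff_abs below can take at most 30 bits; stop on malformed input */`, ideally with a named constant. When the cap is hit the input is already invalid, yet decoding continues with a clamped value and no error or log; whether that is acceptable depends on the rest of the macro, which continues outside the hunk.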
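Review bot: In img_read_header the test `s->start_number != 1` uses the value 1 as "option not given", so an explicit request to start at 1 still falls back to `first_index`. The new start value is also not checked against `first_index`/`last_index`, and the context line `st->duration = last_index - first_index + 1;` still counts from first_index, so the reported duration can exceed the frames actually read. Something like `st->duration = last_index - s->img_number + 1;` after a range check would keep the two consistent, unless the range search above the hunk already honours start_number.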
@@ -126,6 +126,7 @@ static int icecast_open(URLContext *h, const char *uri, int flags) av_dict_set(&opt_dict, "method", s->legacy_icecast ? "SOURCE" : "PUT", 0); av_dict_set(&opt_dict, "auth_type", "basic", 0); av_dict_set(&opt_dict, "headers", headers, 0); + av_dict_set(&opt_dict, "chunked_post", "0", 0); if (NOT_EMPTY(s->content_type)) av_dict_set(&opt_dict, "content_type", s->content_type, 0); if (NOT_EMPTY(s->user_agent)) From cf3523c6e7dde33a513e003639d5a8c0b7f3a49d Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 25 Feb 2015 15:29:15 +0100 Subject: [PATCH 0368/1352] prores: Extend the padding check to 16bit Some files produced by the official encoder have up to 16bit of padding instead of the expected padding to the byte. Use a self-explanatory macro instead of a simple number. CC: libav-stable@libav.org (cherry picked from commit dbc1163b203b175d246b7454c32ac176f84006d1) Signed-off-by: Luca Barbato --- libavcodec/proresdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/proresdec.c b/libavcodec/proresdec.c index 03f63d9dce..da5feffd28 100644 --- a/libavcodec/proresdec.c +++ b/libavcodec/proresdec.c @@ -365,6 +365,7 @@ static inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, } } +#define MAX_PADDING 16 /** * Decode AC coefficients for all blocks in a slice. @@ -389,7 +390,7 @@ static inline int decode_ac_coeffs(GetBitContext *gb, int16_t *out, lev_cb_index = ff_prores_lev_to_cb_index[FFMIN(level, 9)]; bits_left = get_bits_left(gb); - if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) + if (bits_left <= 0 || (bits_left <= MAX_PADDING && !show_bits(gb, bits_left))) return 0; run = decode_vlc_codeword(gb, ff_prores_ac_codebook[run_cb_index]); 
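Review bot: `MAX_PADDING` is defined with no comment and no unit, and it sits directly above the doc comment of decode_ac_coeffs, where it reads like part of that function's documentation. A one-line comment, e.g. `/* maximum number of trailing zero bits accepted as slice padding */`, placed with the file's other defines, would make both checks in decode_ac_coeffs (this hunk and the next) self-explanatory. The wider limit also means up to 16 remaining zero bits are now treated as end-of-data instead of being decoded; the commit message says this is intended for files from the official encoder.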
@@ -397,7 +398,7 @@ static inline int decode_ac_coeffs(GetBitContext *gb, int16_t *out, return AVERROR_INVALIDDATA; bits_left = get_bits_left(gb); - if (bits_left <= 0 || (bits_left <= 8 && !show_bits(gb, bits_left))) + if (bits_left <= 0 || (bits_left <= MAX_PADDING && !show_bits(gb, bits_left))) return AVERROR_INVALIDDATA; level = decode_vlc_codeword(gb, ff_prores_ac_codebook[lev_cb_index]) + 1; From 7071b8192d26c51c751ec8f8e0bc809d7377c95f Mon Sep 17 00:00:00 2001 From: Srikanth G Date: Wed, 4 Mar 2015 18:48:54 -0600 Subject: [PATCH 0369/1352] avutil/opencl: is_compiled flag not being cleared in av_opencl_uninit When OpenCL kernels are compiled, is_compiled flag is being set for each kernel. But, in opencl uninit, this flag is not being cleared. This causes an error when an OpenCL kernel is tried on different OpenCL devices on same platform. Here is the patch with a fix Reviewed-by; Wei Gao Signed-off-by: Michael Niedermayer (cherry picked from commit 0f2359b86926ed33da4bd64ca76d84d03d5ad380) --- libavutil/opencl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavutil/opencl.c b/libavutil/opencl.c index 0b4f83b910..f80cde7001 100644 --- a/libavutil/opencl.c +++ b/libavutil/opencl.c @@ -633,6 +633,9 @@ void av_opencl_uninit(void) } opencl_ctx.context = NULL; } + for (i = 0; i < opencl_ctx.kernel_code_count; i++) { + opencl_ctx.kernel_code[i].is_compiled = 0; + } free_device_list(&opencl_ctx.device_list); end: if (opencl_ctx.init_count <= 0) From 7c1fe31617699ddefe6b0f39f16e7c3d79e998e2 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Mar 2015 11:06:15 -0400 Subject: [PATCH 0370/1352] Prepare for 11.3 Release --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index 26d6dad929..8bb4222390 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -11.2 +11.3 From fc3c1156e361202ab97ad63ffb4dacc416906d33 Mon Sep 17 00:00:00 2001 
From: Reinhard Tartler Date: Sun, 8 Mar 2015 11:12:14 -0400 Subject: [PATCH 0371/1352] doc: Update changelog for v11.3 --- Changelog | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Changelog b/Changelog index 60c662670c..9e325fd73f 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,19 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 11.3: + +- prores: Extend the padding check to 16bit +- icecast: Do not use chunked post, allows feeding to icecast properly +- img2dec: correctly use the parsed value from -start_number +- h264_cabac: Break infinite loops +- hevc_deblock: Fix compilation with nasm (libav #795) +- h264: initialize H264Context.avctx in init_thread_copy +- h264: Do not share rbsp_buffer across threads +- h264: only ref cur_pic in update_thread_context if it is initialized +- matroskadec: Fix read-after-free in matroska_read_seek() (chromium #427266) +- log: Unbreak no-tty support on 256color terminals + version 11.2: - h264: restore a block mistakenly removed in e10fd08a (libav #781) From 450b02307cb631f501793b52b98b610c3a54378b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 5 Mar 2015 23:38:00 +0200 Subject: [PATCH 0372/1352] arm: Suppress tags about used cpu arch and extensions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When all the codepaths using manually set .arch/.fpu code is behind runtime detection, the elf attributes should be suppressed. This allows tools to know that the final built binary doesn't strictly require these extensions. Signed-off-by: Martin Storsjö (cherry picked from commit dcae2e32f7d8a1ca5fb8c1e4aa81313be854dd73 and b77e335e441040a40fc6156b8e4a134745d10233) Signed-off-by: Martin Storsjö --- configure | 6 ++++++ libavutil/arm/asm.S | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/configure b/configure index ee57ed945b..d3e545f369 100755 
--- a/configure +++ b/configure @@ -1477,6 +1477,7 @@ SYSTEM_FUNCS=" TOOLCHAIN_FEATURES=" as_dn_directive as_func + as_object_arch asm_mod_q attribute_may_alias attribute_packed @@ -3868,6 +3869,11 @@ EOF check_as < Date: Tue, 3 Mar 2015 11:05:15 +0100 Subject: [PATCH 0373/1352] vorbis: Check the vlc value in setup_classifs The valid returned values are always at most 11bit. Remove the previous check that assumed larger values plausible and use a signed integer to check get_vlc2 return values. CC: libav-stable@libav.org (cherry picked from commit 0025f7408a0fab2cab4a950064e4784a67463994) Signed-off-by: Luca Barbato --- libavcodec/vorbisdec.c | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index d7fec98c6e..1ce9e26417 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1308,7 +1308,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc, int p, j, i; unsigned c_p_c = vc->codebooks[vr->classbook].dimensions; unsigned inverse_class = ff_inverse[vr->classifications]; - unsigned temp, temp2; + int temp, temp2; for (p = 0, j = 0; j < ch_used; ++j) { if (!do_not_decode[j]) { temp = get_vlc2(&vc->gb, vc->codebooks[vr->classbook].vlc.table, 
@@ -1316,22 +1316,18 @@ static av_always_inline int setup_classifs(vorbis_context *vc, av_dlog(NULL, "Classword: %u\n", temp); - if (temp <= 65536) { - for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { - temp2 = (((uint64_t)temp) * inverse_class) >> 32; + if (temp < 0) { + av_log(vc->avctx, AV_LOG_ERROR, + "Invalid vlc code decoding %d channel.", j); + return AVERROR_INVALIDDATA; + } - if (i < vr->ptns_to_read) - vr->classifs[p + i] = temp - temp2 * vr->classifications; - temp = temp2; - } - } else { - for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { - temp2 = temp / vr->classifications; + for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { + temp2 = (((uint64_t)temp) * inverse_class) >> 32; - if (i < vr->ptns_to_read) - vr->classifs[p + i] = temp - temp2 * vr->classifications; - temp = temp2; - } + if (i < vr->ptns_to_read) + vr->classifs[p + i] = temp - temp2 * vr->classifications; + temp = temp2; } } p += vr->ptns_to_read; @@ -1381,7 +1377,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, voffset = vr->begin; for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error if (!pass) { - setup_classifs(vc, vr, do_not_decode, ch_used, partition_count); + int ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count); + if (ret < 0) + return ret; } for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) { for (j_times_ptns_to_read = 0, j = 0; j < ch_used; ++j) { From f3dafb63d05896aacf84caf0e4c81c216476d60e Mon Sep 17 00:00:00 2001 
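Review bot: In setup_classifs, `temp` is now an `int`, but the context line `av_dlog(NULL, "Classword: %u\n", temp);` still prints it with `%u` and runs before the new `temp < 0` check, so a failed get_vlc2() is logged as a huge unsigned value. Using `%d` and moving the debug line below the check would fix that. The new error string `"Invalid vlc code decoding %d channel."` also lacks a trailing `\n`, so the next log message will be appended to the same line.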
From: Vittorio Giovara Date: Fri, 27 Feb 2015 19:00:25 +0000 Subject: [PATCH 0374/1352] aic: Fix decoding files with odd dimensions Normally the aic decoder finds the proper slice combination (multiple of some number less than 32) but in case of odd width, it resorts to the default values, which were actually swapped. The number of slices is modified to account for such odd width cases. CC: libav-stable@libav.org (cherry picked from commit e878ec0d47cd6228c367b2f3128b76d7523f7255) Signed-off-by: Luca Barbato --- libavcodec/aic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index dac9d8b7fd..5687dbeb00 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -434,8 +434,8 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) ctx->mb_width = FFALIGN(avctx->width, 16) >> 4; ctx->mb_height = FFALIGN(avctx->height, 16) >> 4; - ctx->num_x_slices = 16; - ctx->slice_width = ctx->mb_width / 16; + ctx->num_x_slices = (ctx->mb_width + 15) >> 4; + ctx->slice_width = 16; for (i = 1; i < 32; i++) { if (!(ctx->mb_width % i) && (ctx->mb_width / i < 32)) { ctx->slice_width = ctx->mb_width / i; From 77eb3d9a60a9c2bb6d87c960ac186af242bbcc9e Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 7 Mar 2015 22:06:59 +0100 Subject: [PATCH 0375/1352] tiff: Check that there is no aliasing in pixel format selection Fixes possible issues with unexpected bpp/bppcount values. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Bug-Id: CVE-2014-8544 (cherry picked from commit ae5e1f3d663a8c9a532d89e588cbc61f171c9186) Signed-off-by: Luca Barbato --- libavcodec/tiff.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 3b2fc7d900..4732e67abf 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
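Review bot: With the new defaults in aic_decode_init, `num_x_slices * slice_width` is `((mb_width + 15) >> 4) * 16`, which exceeds `mb_width` whenever mb_width is not a multiple of 16, so the last slice in a row is partial. The slice decoding loop therefore has to clamp the final slice to the remaining macroblocks; that code is outside the hunk and should be checked against this case. A comment on the defaults, e.g. `/* fallback: 16-MB slices, last one may be narrower */`, would make the assumption explicit.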
@@ -248,6 +248,14 @@ static int init_image(TiffContext *s, AVFrame *frame) { int ret; + // make sure there is no aliasing in the following switch + if (s->bpp >= 100 || s->bppcount >= 10) { + av_log(s->avctx, AV_LOG_ERROR, + "Unsupported image parameters: bpp=%d, bppcount=%d\n", + s->bpp, s->bppcount); + return AVERROR_INVALIDDATA; + } + switch (s->bpp * 10 + s->bppcount) { case 11: s->avctx->pix_fmt = AV_PIX_FMT_MONOBLACK; From 4070e02dfcf8c7d871b4a41d8b591ec0c130c70a Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Sun, 22 Feb 2015 19:49:52 +0000 Subject: [PATCH 0376/1352] configure: Properly fail when libcdio/cdparanoia is not found --- configure | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure b/configure index d3e545f369..33a7a85cfa 100755 --- a/configure +++ b/configure @@ -4248,7 +4248,8 @@ enabled_any sndio_indev sndio_outdev && check_lib2 sndio.h sio_open -lsndio if enabled libcdio; then check_lib2 "cdio/cdda.h cdio/paranoia.h" cdio_cddap_open -lcdio_paranoia -lcdio_cdda -lcdio || - check_lib2 "cdio/paranoia/cdda.h cdio/paranoia/paranoia.h" cdio_cddap_open -lcdio_paranoia -lcdio_cdda -lcdio + check_lib2 "cdio/paranoia/cdda.h cdio/paranoia/paranoia.h" cdio_cddap_open -lcdio_paranoia -lcdio_cdda -lcdio || + die "ERROR: No usable libcdio/cdparanoia found" fi check_lib X11/Xlib.h XOpenDisplay -lX11 && enable xlib From 2c63081b48d98f3a0d0bed7b0ec3c0347b99144c Mon Sep 17 00:00:00 2001 From: Federico Tomassetti Date: Wed, 18 Feb 2015 12:11:43 +0000 Subject: [PATCH 0377/1352] mdec: check for out of bounds read Bug-Id: CID 1257501 CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavcodec/mdec.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 6b70e37e76..2a779c1176 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c 
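Review bot: The new guard in init_image rejects only large values (`s->bpp >= 100 || s->bppcount >= 10`), so if either field is a signed type a negative value can still alias another case of `s->bpp * 10 + s->bppcount`. Their declarations are not visible in the hunk; if they are signed, the test should also reject values below zero, and if they are unsigned the `%d` conversions in the new log call should be `%u`. A word in the comment on why 100 and 10 were chosen (the switch key packs bppcount into one decimal digit) would also help.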
@@ -86,7 +86,12 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) if (level == 127) { break; } else if (level != 0) { - i += run; + i += run; + if (i > 63) { + av_log(a->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); + return AVERROR_INVALIDDATA; + } j = scantable[i]; level = (level * qscale * quant_matrix[j]) >> 3; level = (level ^ SHOW_SBITS(re, &a->gb, 1)) - SHOW_SBITS(re, &a->gb, 1); @@ -96,8 +101,13 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) run = SHOW_UBITS(re, &a->gb, 6)+1; LAST_SKIP_BITS(re, &a->gb, 6); UPDATE_CACHE(re, &a->gb); level = SHOW_SBITS(re, &a->gb, 10); SKIP_BITS(re, &a->gb, 10); - i += run; - j = scantable[i]; + i += run; + if (i > 63) { + av_log(a->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); + return AVERROR_INVALIDDATA; + } + j = scantable[i]; if (level < 0) { level = -level; level = (level * qscale * quant_matrix[j]) >> 3; @@ -108,10 +118,6 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) level = (level - 1) | 1; } } - if (i > 63) { - av_log(a->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y); - return AVERROR_INVALIDDATA; - } block[j] = level; } From e818da77240146b36d6669b1c4e0565239dc55d3 Mon Sep 17 00:00:00 2001 From: Federico Tomassetti Date: Wed, 18 Feb 2015 12:11:44 +0000 Subject: [PATCH 0378/1352] eamad: check for out of bounds read Bug-Id: CID 1257500 CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavcodec/eamad.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index ceccfe4052..28b933aa47 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c 
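Review bot: The `i > 63` check in mdec_decode_block_intra is now duplicated in both branches with nothing to say why it must sit directly before `j = scantable[i]`. Its previous position, after the branches, let the table be indexed before `i` was validated. A comment at the first copy, e.g. `/* validate before indexing scantable: run is decoded from the input */`, would keep a later cleanup from merging the checks back below the table read. The literal 63 could also be tied to the table size instead of being repeated.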
@@ -145,6 +145,11 @@ static inline void decode_block_intra(MadContext *s, int16_t * block) break; } else if (level != 0) { i += run; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); + return; + } j = scantable[i]; level = (level*quant_matrix[j]) >> 4; level = (level-1)|1; @@ -159,6 +164,11 @@ static inline void decode_block_intra(MadContext *s, int16_t * block) run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6); i += run; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, + "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); + return; + } j = scantable[i]; if (level < 0) { level = -level; @@ -170,10 +180,6 @@ static inline void decode_block_intra(MadContext *s, int16_t * block) level = (level-1)|1; } } - if (i > 63) { - av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y); - return; - } block[j] = level; } From 8aee35acb1b40e51a4fc8d7f7c561088e25d6d2e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 3 Mar 2015 21:31:15 +0100 Subject: [PATCH 0379/1352] rv10: check size of s->mb_width * s->mb_height If it doesn't fit into 12 bits it triggers an assertion. Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo.h | 2 +- libavcodec/mpegvideo_enc.c | 7 +++++-- libavcodec/rv10enc.c | 8 +++++++- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 6df828837a..c69751edfb 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -816,7 +816,7 @@ extern const uint8_t ff_aic_dc_scale_table[32]; extern const uint8_t ff_h263_chroma_qscale_table[32]; /* rv10.c */ -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); int ff_rv_decode_dc(MpegEncContext *s, int n); void ff_rv20_encode_picture_header(MpegEncContext *s, int picture_number); 
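Review bot: decode_block_intra in eamad.c is declared `static inline void`, so both new `i > 63` paths can only log and `return;`, and the caller cannot tell a damaged block from a good one. Decoding then carries on with a partially filled block and whatever bitstream position was reached. The same fix in mdec.c returns `AVERROR_INVALIDDATA`; making this function return `int` and having the caller stop on a negative value would give the same behaviour here. The caller is outside the hunks.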
diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 380eff67da..bbb44223cc 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -3412,8 +3412,11 @@ static int encode_picture(MpegEncContext *s, int picture_number) ff_msmpeg4_encode_picture_header(s, picture_number); else if (CONFIG_MPEG4_ENCODER && s->h263_pred) ff_mpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) - ff_rv10_encode_picture_header(s, picture_number); + else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { + ret = ff_rv10_encode_picture_header(s, picture_number); + if (ret < 0) + return ret; + } else if (CONFIG_RV20_ENCODER && s->codec_id == AV_CODEC_ID_RV20) ff_rv20_encode_picture_header(s, picture_number); else if (CONFIG_FLV_ENCODER && s->codec_id == AV_CODEC_ID_FLV1) diff --git a/libavcodec/rv10enc.c b/libavcodec/rv10enc.c index ca760524a8..2eca9c3c88 100644 --- a/libavcodec/rv10enc.c +++ b/libavcodec/rv10enc.c @@ -28,7 +28,7 @@ #include "mpegvideo.h" #include "put_bits.h" -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) { int full_frame= 0; @@ -48,12 +48,18 @@ void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) /* if multiple packets per frame are sent, the position at which to display the macroblocks is coded here */ if(!full_frame){ + if (s->mb_width * s->mb_height >= (1U << 12)) { + avpriv_report_missing_feature(s->avctx, "Encoding frames with %d (>= 4096) macroblocks", + s->mb_width * s->mb_height); + return AVERROR(ENOSYS); + } put_bits(&s->pb, 6, 0); /* mb_x */ put_bits(&s->pb, 6, 0); /* mb_y */ put_bits(&s->pb, 12, s->mb_width * s->mb_height); } put_bits(&s->pb, 3, 0); /* ignored */ + return 0; } FF_MPV_GENERIC_CLASS(rv10) From 905172d75c9cfd93c757b09fa4b8afa0e926a13c Mon Sep 17 00:00:00 2001 
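Review bot: The macroblock-count limit in ff_rv10_encode_picture_header is tested on every picture, and only after earlier header bits have been written to `s->pb`, although `mb_width * mb_height` is fixed by the frame dimensions. Rejecting such dimensions once at encoder initialisation would fail earlier and leave no partial header behind; the init code is not visible here, so this is a suggestion to verify. The same applies to the second copy of this change further down the page (PATCH 0384). A comment tying `1U << 12` to the 12-bit `put_bits` field below would explain the constant.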
From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 20:47:57 +0100 Subject: [PATCH 0380/1352] webp: validate the distance prefix code According to the WebP Lossless Bitstream Specification the highest allowed value for a prefix code is 39. If prefix_code is too large, the calculated extra_bits has an invalid value and triggers an assertion in get_bits. Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov --- libavcodec/webp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index b98fa4dea4..58f7810793 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -688,6 +688,11 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); + if (prefix_code > 39) { + av_log(s->avctx, AV_LOG_ERROR, + "distance prefix code too large: %d\n", prefix_code); + return AVERROR_INVALIDDATA; + } if (prefix_code < 4) { distance = prefix_code + 1; } else { From 2ef2f60b4f0308d1c871091c9c1a9641d14ec585 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 16:52:26 +0100 Subject: [PATCH 0381/1352] rmenc: limit packet size The chunk size is limited to UINT16_MAX (written by avio_wb16), so make sure that the packet size is not too large. Such large frames need to be split into slices smaller than 64 kB, but that is currently supported neither by the rv10/rv20 encoders nor the rm muxer. Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov --- libavformat/rmenc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c index 9ff9f318a5..adaae5d32b 100644 --- a/libavformat/rmenc.c +++ b/libavformat/rmenc.c 
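Review bot: The upper bound `prefix_code > 39` in decode_entropy_coded_image is a bare literal, and the check does not cover a negative result. If huff_reader_get_symbol() can return a negative value on error (its contract is not visible here), that value passes this test and takes the `prefix_code < 4` branch. A named constant for the distance alphabet size plus `prefix_code < 0 ||` in the condition would cover both. The identical hunk in PATCH 0385 further down has the same gap.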
@@ -44,6 +44,10 @@ typedef struct { /* in ms */ #define BUFFER_DURATION 0 +/* the header needs at most 7 + 4 + 12 B */ +#define MAX_HEADER_SIZE (7 + 4 + 12) +/* UINT16_MAX is the maximal chunk size */ +#define MAX_PACKET_SIZE (UINT16_MAX - MAX_HEADER_SIZE) static void put_str(AVIOContext *s, const char *tag) @@ -389,6 +393,10 @@ static int rm_write_video(AVFormatContext *s, const uint8_t *buf, int size, int /* Well, I spent some time finding the meaning of these bits. I am not sure I understood everything, but it works !! */ #if 1 + if (size > MAX_PACKET_SIZE) { + avpriv_report_missing_feature(s, "Muxing packets larger than 64 kB"); + return AVERROR(ENOSYS); + } write_packet_header(s, stream, size + 7 + (size >= 0x4000)*4, key_frame); /* bit 7: '1' if final packet of a frame converted in several packets */ avio_w8(pb, 0x81); From a73b2c288e3dace6e054a5b48640978be1d5df84 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 01:06:57 +0100 Subject: [PATCH 0382/1352] adxdec: set avctx->channels in adx_read_header It is used in adx_read_packet, which currently depends on the decoder/parser setting this value between reading the file header and demuxing the first packet. Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov --- libavformat/adxdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c index fc83ff263b..9d3ebe398b 100644 --- a/libavformat/adxdec.c +++ b/libavformat/adxdec.c @@ -89,8 +89,14 @@ static int adx_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid extradata size.\n"); return AVERROR_INVALIDDATA; } + avctx->channels = AV_RB8(avctx->extradata + 7); avctx->sample_rate = AV_RB32(avctx->extradata + 8); + if (avctx->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + st->codec->codec_type = AVMEDIA_TYPE_AUDIO; st->codec->codec_id = s->iformat->raw_codec_id; 
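Review bot: The `size > MAX_PACKET_SIZE` limit is enforced only in rm_write_video, while the 16-bit chunk length it protects is written by write_packet_header, which other callers may reach too. If the audio path also calls write_packet_header (not visible here), it needs the same limit, or the check could move into write_packet_header itself. `size` is an `int` and negative values are not rejected either. The variant of this fix in PATCH 0386 further down spells the limit as `0xFFFF - 7 - 4 - 12` inline and has the same scope.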
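Review bot: adx_read_header now validates `avctx->channels`, but `avctx->sample_rate = AV_RB32(avctx->extradata + 8);` on the next line is taken from the file with no check in this hunk. A 32-bit value stored into an int can be zero or negative, and the function continues outside the hunk, so a later check may exist; if not, `if (avctx->sample_rate <= 0) return AVERROR_INVALIDDATA;` belongs next to the channel check. Since AV_RB8 cannot yield a negative value, the `<= 0` test is effectively `== 0`, and no upper bound on the channel count is enforced here.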
From 3a417a86b330b7c1acf9db4f729be7d619caaded Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Mar 2015 17:36:14 +0000 Subject: [PATCH 0383/1352] utvideodec: Handle slice_height being zero Fixes out of array accesses. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Bug-Id: CVE-2014-9604 Signed-off-by: Vittorio Giovara Signed-off-by: Luca Barbato (cherry picked from commit 0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d) --- libavcodec/utvideodec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 7d75c59336..bb8c7aac1e 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -213,6 +213,8 @@ static void restore_median(uint8_t *src, int step, int stride, slice_start = ((slice * height) / slices) & cmask; slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; + if (!slice_height) + continue; bsrc = src + slice_start * stride; @@ -269,6 +271,8 @@ static void restore_median_il(uint8_t *src, int step, int stride, slice_height = ((((slice + 1) * height) / slices) & cmask) - slice_start; slice_height >>= 1; + if (!slice_height) + continue; bsrc = src + slice_start * stride; From d08db138e2109725ba2963f152b0a2b1fffded1b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 20:27:26 +0100 Subject: [PATCH 0384/1352] avcodec/rv10: check size of s->mb_width * s->mb_height If it doesn't fit into 12 bits it triggers an assertion. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 2578a546183da09d49d5bba8ab5e982dece1dede) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.h | 2 +- libavcodec/mpegvideo_enc.c | 7 +++++-- libavcodec/rv10enc.c | 7 ++++++- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 87fe87ff99..63ce8e77c7 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h 
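Review bot: The new `if (!slice_height) continue;` in restore_median and restore_median_il has no comment saying when a slice can be empty or what the skip protects. From the visible arithmetic, slice_height becomes zero when the masked bounds of consecutive slices coincide, that is, when there are more slices than usable rows. A comment such as `/* empty slice (more slices than rows): nothing to restore */` would document it. If other restore or decode helpers in this file derive slice bounds the same way, they need the same guard; they are outside these hunks.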
@@ -851,7 +851,7 @@ extern const uint8_t ff_aic_dc_scale_table[32]; extern const uint8_t ff_h263_chroma_qscale_table[32]; /* rv10.c */ -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number); int ff_rv_decode_dc(MpegEncContext *s, int n); void ff_rv20_encode_picture_header(MpegEncContext *s, int picture_number); diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 61d75313a6..6b17855da6 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -3657,8 +3657,11 @@ static int encode_picture(MpegEncContext *s, int picture_number) ff_msmpeg4_encode_picture_header(s, picture_number); else if (CONFIG_MPEG4_ENCODER && s->h263_pred) ff_mpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) - ff_rv10_encode_picture_header(s, picture_number); + else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { + ret = ff_rv10_encode_picture_header(s, picture_number); + if (ret < 0) + return ret; + } else if (CONFIG_RV20_ENCODER && s->codec_id == AV_CODEC_ID_RV20) ff_rv20_encode_picture_header(s, picture_number); else if (CONFIG_FLV_ENCODER && s->codec_id == AV_CODEC_ID_FLV1) diff --git a/libavcodec/rv10enc.c b/libavcodec/rv10enc.c index 25411322a6..37efe6cca4 100644 --- a/libavcodec/rv10enc.c +++ b/libavcodec/rv10enc.c @@ -28,7 +28,7 @@ #include "mpegvideo.h" #include "put_bits.h" -void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) +int ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) { int full_frame= 0; 
@@ -48,12 +48,17 @@ void ff_rv10_encode_picture_header(MpegEncContext *s, int picture_number) /* if multiple packets per frame are sent, the position at which to display the macroblocks is coded here */ if(!full_frame){ + if (s->mb_width * s->mb_height >= (1U << 12)) { + avpriv_report_missing_feature(s, "Encoding frames with 4096 or more macroblocks"); + return AVERROR(ENOSYS); + } put_bits(&s->pb, 6, 0); /* mb_x */ put_bits(&s->pb, 6, 0); /* mb_y */ put_bits(&s->pb, 12, s->mb_width * s->mb_height); } put_bits(&s->pb, 3, 0); /* ignored */ + return 0; } FF_MPV_GENERIC_CLASS(rv10) From 897a51f47b38ed3391d49590788e45fb6ba5c310 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 20:47:57 +0100 Subject: [PATCH 0385/1352] avcodec/webp: validate the distance prefix code According to the WebP Lossless Bitstream Specification the highest allowed value for a prefix code is 39. If prefix_code is too large, the calculated extra_bits has an invalid value and triggers an assertion in get_bits. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 5de2dab12b951b2fe121eb18503accfc91cd1565) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 274708df79..31c5bd9ca8 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -694,6 +694,11 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); + if (prefix_code > 39) { + av_log(s->avctx, AV_LOG_ERROR, + "distance prefix code too large: %d\n", prefix_code); + return AVERROR_INVALIDDATA; + } if (prefix_code < 4) { distance = prefix_code + 1; } else { From 73ca672fb6e6661a5e1b5d1ec3ad06bfbe144fd4 Mon Sep 17 00:00:00 2001 
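Review bot: The macroblock-count test in ff_rv10_encode_picture_header() depends only on `s->mb_width * s->mb_height`, yet it runs while a picture header is being written, so an unsupported frame size is accepted when the encoder is opened and fails on the first frame. If those dimensions are fixed once the encoder is initialised (not visible in this hunk), rejecting them during init would fail before any output is produced. The log text would also be easier to act on with the actual value, e.g. `"Encoding frames with %d (>= 4096) macroblocks", s->mb_width * s->mb_height`. The function starts above the hunk, so whether header bits have already been put into `s->pb` before this return cannot be seen here.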
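Review bot: The bound in `if (prefix_code > 39)` in decode_entropy_coded_image() is a bare literal whose origin is only given in the commit message. A comment at the check keeps that reference with the code, e.g. `/* WebP lossless spec: distance prefix codes are 0..39 */`, or the literal could be replaced by a named constant if the file already has one for the distance alphabet size. Only the upper bound is tested; if `prefix_code` is a signed type and huff_reader_get_symbol() can return a negative value (neither is visible here), the lower bound needs the same treatment. The function body continues outside the hunk.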
From: Andreas Cadhalpun Date: Mon, 2 Mar 2015 15:46:44 +0100 Subject: [PATCH 0386/1352] avformat/rm: limit packet size The chunk size is limited to 0xFFFF (written by avio_wb16), so make sure that the packet size is not too large. Such large frames need to be split into slices smaller than 64 kB, but that is currently supported neither by the rv10/rv20 encoders nor the rm muxer. Signed-off-by: Andreas Cadhalpun See Ticket244 Signed-off-by: Michael Niedermayer (cherry picked from commit 08728f400b8367dc8c983036cb2eff3a2891322b) Signed-off-by: Michael Niedermayer --- libavformat/rmenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/rmenc.c b/libavformat/rmenc.c index 2e50ed338c..27b5d8264d 100644 --- a/libavformat/rmenc.c +++ b/libavformat/rmenc.c @@ -394,6 +394,11 @@ static int rm_write_video(AVFormatContext *s, const uint8_t *buf, int size, int /* Well, I spent some time finding the meaning of these bits. I am not sure I understood everything, but it works !! */ #if 1 + /* 0xFFFF is the maximal chunk size; header needs at most 7 + 4 + 12 B */ + if (size > 0xFFFF - 7 - 4 - 12) { + av_log(s, AV_LOG_ERROR, "large packet size %d not supported\n", size); + return AVERROR_PATCHWELCOME; + } write_packet_header(s, stream, size + 7 + (size >= 0x4000)*4, key_frame); /* bit 7: '1' if final packet of a frame converted in several packets */ avio_w8(pb, 0x81); From 72f83ad277ca93b29c0a76504735e88ab7d7e647 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 01:06:57 +0100 Subject: [PATCH 0387/1352] avformat/adxdec: set avctx->channels in adx_read_header It is used in adx_read_packet, which currently depends on the decoder/parser setting this value between reading the file header and demuxing the first packet. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 64ea4a0598e7ca61b95cf6c93fd409151a448001) 
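Review bot: The 16-bit chunk-size limit is enforced only in rm_write_video(), although the comment describes it as a property of the chunk header written by write_packet_header(). If the audio path also passes a caller-supplied size to write_packet_header() without a bound (that code is not in this hunk), it would need the same guard; placing the check inside write_packet_header() itself, or in a small shared helper, would cover every caller. The message could also state the limit, e.g. `"packet size %d exceeds the maximum of %d\n"`, so the failure is self-explanatory. The function body continues outside the hunk.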
Signed-off-by: Michael Niedermayer --- libavformat/adxdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c index ddaa201179..e57d0516dc 100644 --- a/libavformat/adxdec.c +++ b/libavformat/adxdec.c @@ -83,8 +83,14 @@ static int adx_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid extradata size.\n"); return AVERROR_INVALIDDATA; } + avctx->channels = AV_RB8(avctx->extradata + 7); avctx->sample_rate = AV_RB32(avctx->extradata + 8); + if (avctx->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + st->codec->codec_type = AVMEDIA_TYPE_AUDIO; st->codec->codec_id = s->iformat->raw_codec_id; From 00abc0080d2f5f179f18534713659ce79b22e647 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 8 Mar 2015 21:51:11 -0400 Subject: [PATCH 0388/1352] doc: More changelog updates for v11.3 --- Changelog | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Changelog b/Changelog index 9e325fd73f..6b8cabcb1a 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,18 @@ releases are sorted from youngest to oldest. version 11.3: +- utvideodec: Handle slice_height being zero (CVE-2014-9604) +- adxdec: set avctx->channels in adx_read_header +- rmenc: limit packet size +- webp: validate the distance prefix code +- rv10: check size of s->mb_width * s->mb_height +- eamad: check for out of bounds read (CID/1257500) +- mdec: check for out of bounds read (CID/1257501) +- configure: Properly fail when libcdio/cdparanoia is not found +- tiff: Check that there is no aliasing in pixel format selection (CVE-2014-8544) +- aic: Fix decoding files with odd dimensions +- vorbis: Check the vlc value in setup_classifs +- arm: Suppress tags about used cpu arch and extensions - prores: Extend the padding check to 16bit - icecast: Do not use chunked post, allows feeding to icecast properly - img2dec: correctly use the parsed value from -start_number 
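Review bot: In adx_read_header() the channel count is now validated, but `avctx->sample_rate = AV_RB32(avctx->extradata + 8);` on the next line comes from the same header and no range check on it is visible in this hunk. A 32-bit value stored into an int can come out zero or negative, so a matching `if (avctx->sample_rate <= 0) return AVERROR_INVALIDDATA;` belongs next to the channels test unless it already exists further down. Since AV_RB8() yields 0..255, `avctx->channels <= 0` can only ever mean zero here; if the consumers support fewer channels than 255, an upper bound would be the more useful half of the check. The function starts and ends outside the hunk.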
From 491c4bbb38adb8614acbe17726508267f65939cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Mar 2015 09:59:27 +0100 Subject: [PATCH 0389/1352] Revert "avutil/opencl: is_compiled flag not being cleared in av_opencl_uninit" Fixed build with opencl enabled Found-by: WJ Liu This reverts commit 0f2359b86926ed33da4bd64ca76d84d03d5ad380. (cherry picked from commit ebd59d271c24601e08c3569681b129cd27bf4070) --- libavutil/opencl.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavutil/opencl.c b/libavutil/opencl.c index f80cde7001..0b4f83b910 100644 --- a/libavutil/opencl.c +++ b/libavutil/opencl.c @@ -633,9 +633,6 @@ void av_opencl_uninit(void) } opencl_ctx.context = NULL; } - for (i = 0; i < opencl_ctx.kernel_code_count; i++) { - opencl_ctx.kernel_code[i].is_compiled = 0; - } free_device_list(&opencl_ctx.device_list); end: if (opencl_ctx.init_count <= 0) From a219add4e8e2d3192d99d6c6efe97ec7c429c5ad Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 20 Mar 2015 21:28:34 +0100 Subject: [PATCH 0390/1352] hevc: make the crop sizes unsigned (cherry picked from commit c929659bdd7d2d5848ea52e685a3164c7b901bb0) Signed-off-by: Anton Khirnov --- libavcodec/hevc.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 93c5125665..aa84cdcde5 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -284,10 +284,10 @@ typedef struct RefPicListTab { } RefPicListTab; typedef struct HEVCWindow { - int left_offset; - int right_offset; - int top_offset; - int bottom_offset; + unsigned int left_offset; + unsigned int right_offset; + unsigned int top_offset; + unsigned int bottom_offset; } HEVCWindow; typedef struct VUI { From a529f6648ed450f7e846a0e704a0a3260aaa4b62 Mon Sep 17 00:00:00 2001 
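Review bot: Making the four HEVCWindow offsets `unsigned int` changes the arithmetic at every place they are used, and none of those places is in this hunk: a subtraction such as a width minus the summed offsets is now evaluated as unsigned, and a `< 0` or `<= 0` test on that result stops working. The commit message gives no reason for the change, so a comment on the struct would help, e.g. `/* unsigned: offsets are never negative; validate sums against the picture size before subtracting */`. It would be worth confirming that each use site compares before subtracting instead of testing the sign of the difference.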
From: Anton Khirnov Date: Fri, 20 Mar 2015 21:30:29 +0100 Subject: [PATCH 0391/1352] hevc: zero the correct variables on invalid crop parameters It's the output_window that is applied to the output frame, not pic_conf_win (cherry picked from commit 5127c00b971b674f72609369b39a9c0f7c36977d) Signed-off-by: Anton Khirnov --- libavcodec/hevc_ps.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index bc18990f1c..db658bed2d 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -883,10 +883,10 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) } av_log(s->avctx, AV_LOG_WARNING, "Displaying the whole video surface.\n"); - sps->pic_conf_win.left_offset = - sps->pic_conf_win.right_offset = - sps->pic_conf_win.top_offset = - sps->pic_conf_win.bottom_offset = 0; + sps->output_window.left_offset = + sps->output_window.right_offset = + sps->output_window.top_offset = + sps->output_window.bottom_offset = 0; sps->output_width = sps->width; sps->output_height = sps->height; } From 9cef65434e5e5ffbd4a856ce7ae9c067dec039b7 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 20 Mar 2015 21:49:23 +0100 Subject: [PATCH 0392/1352] h264_ps: properly check cropping parameters against overflow CC: libav-stable@libav.org (cherry picked from commit d8a45d2d49f54fde042b195f9d5859251252493d) Signed-off-by: Anton Khirnov --- libavcodec/h264_ps.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index b439fa8e4a..ad284da5f9 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c 
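Review bot: After this change the fallback path in ff_hevc_decode_nal_sps() no longer clears `sps->pic_conf_win`, so the offsets that were just rejected stay in the SPS while only `output_window` is reset. If any later code reads pic_conf_win (not visible in this hunk), it works with values already judged invalid. Clearing both is cheap and removes the question: add `memset(&sps->pic_conf_win, 0, sizeof(sps->pic_conf_win));` next to the output_window reset. The function starts and ends outside the hunk.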
@@ -439,10 +439,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) #endif sps->crop = get_bits1(&h->gb); if (sps->crop) { - int crop_left = get_ue_golomb(&h->gb); - int crop_right = get_ue_golomb(&h->gb); - int crop_top = get_ue_golomb(&h->gb); - int crop_bottom = get_ue_golomb(&h->gb); + unsigned int crop_left = get_ue_golomb(&h->gb); + unsigned int crop_right = get_ue_golomb(&h->gb); + unsigned int crop_top = get_ue_golomb(&h->gb); + unsigned int crop_bottom = get_ue_golomb(&h->gb); if (h->avctx->flags2 & CODEC_FLAG2_IGNORE_CROP) { av_log(h->avctx, AV_LOG_DEBUG, "discarding sps cropping, original " @@ -469,6 +469,18 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) crop_left); } + if (INT_MAX / step_x <= crop_left || + INT_MAX / step_x - crop_left <= crop_right || + 16 * sps->mb_width <= step_x * (crop_left + crop_right) || + INT_MAX / step_y <= crop_top || + INT_MAX / step_y - crop_top <= crop_bottom || + 16 * sps->mb_height <= step_y * (crop_top + crop_bottom)) { + av_log(h->avctx, AV_LOG_WARNING, "Invalid crop parameters\n"); + if (h->avctx->err_recognition & AV_EF_EXPLODE) + goto fail; + crop_left = crop_right = crop_top = crop_bottom = 0; + } + sps->crop_left = crop_left * step_x; sps->crop_right = crop_right * step_x; sps->crop_top = crop_top * step_y; From b7c8a1fbbd0b6ac0b096ef0402dee440ff27ecb7 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 5 Mar 2015 22:48:28 +0100 Subject: [PATCH 0393/1352] webp: ensure that each transform is only used once According to the WebP Lossless Bitstream Specification "each transform is allowed to be used only once". If a transform is more than once this can lead to memory corruption. Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov (cherry picked from commit 30e6abd1a8cc4fd5daf2e23ad2e768862c39e975) Signed-off-by: Anton Khirnov --- libavcodec/webp.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
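Review bot: `crop_left` and the other three crop values in ff_h264_decode_seq_parameter_set() are now unsigned, but the av_log() call whose last argument appears as context at the top of the second hunk (`crop_left);`) still receives it; if that format string uses `%d` it should become `%u`, and the same applies to any other logging of these values outside the hunks. The six-clause overflow test is correct only because the clauses are evaluated in order, each one making the next subtraction or multiplication safe, and that deserves a one-line comment such as `/* each test guarantees the next expression cannot wrap; keep the order */`. Logging the rejected values in the "Invalid crop parameters" warning would also make reports from the field easier to triage.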
diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 58f7810793..62f35f7480 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1081,7 +1081,7 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, unsigned int data_size, int is_alpha_chunk) { WebPContext *s = avctx->priv_data; - int w, h, ret, i; + int w, h, ret, i, used; if (!is_alpha_chunk) { s->lossless = 1; @@ -1131,9 +1131,17 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, /* parse transformations */ s->nb_transforms = 0; s->reduced_width = 0; + used = 0; while (get_bits1(&s->gb)) { enum TransformType transform = get_bits(&s->gb, 2); s->transforms[s->nb_transforms++] = transform; + if (used & (1 << transform)) { + av_log(avctx, AV_LOG_ERROR, "Transform %d used more than once\n", + transform); + ret = AVERROR_INVALIDDATA; + goto free_and_return; + } + used |= (1 << transform); switch (transform) { case PREDICTOR_TRANSFORM: ret = parse_transform_predictor(s); From f3b8cd748168efc37ba44b292bcbfd9500bbd853 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sat, 21 Mar 2015 17:12:48 -0300 Subject: [PATCH 0394/1352] vp9: make above buffer pointer 32-byte aligned. Fixes ticket #4383 Signed-off-by: James Almer (cherry picked from commit 1fd1f58bd6a58f2067a8d6b4919e1a0f34eb1f22) --- libavcodec/vp9.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 31725e6f84..2239bd61d7 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -2495,7 +2495,7 @@ static void intra_recon(AVCodecContext *ctx, ptrdiff_t y_off, ptrdiff_t uv_off) for (x = 0; x < end_x; x += uvstep1d, ptr += 4 * uvstep1d, ptr_r += 4 * uvstep1d, n += step) { int mode = b->uvmode; - uint8_t *a = &a_buf[16]; + uint8_t *a = &a_buf[32]; int eob = b->skip ? 0 : b->uvtx > TX_8X8 ? AV_RN16A(&s->uveob[p][n]) : s->uveob[p][n]; mode = check_intra_mode(s, mode, &a, ptr_r, From 7bce99216f744f76bf9e8cb449cd11a5e301ef68 Mon Sep 17 00:00:00 2001 
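Review bot: In the transform loop of vp8_lossless_decode_frame() the entry is stored with `s->transforms[s->nb_transforms++] = transform;` before the new `used` test rejects a duplicate. The type is a 2-bit field, so a fifth entry is always a duplicate; if `s->transforms` has four elements (its declaration is outside the hunk), that store lands one element past the end before the error path is taken. Moving the store below `used |= (1 << transform);` makes the duplicate check bound the index as well, and leaves `nb_transforms` untouched on the error path.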
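Review bot: Only the offset changes in intra_recon(): `&a_buf[32]` starts 16 bytes further into `a_buf` than `&a_buf[16]` did, so the space available after `a` shrinks by 16 bytes unless the declaration, which is outside this hunk, was sized with that in mind. The 32-byte alignment the commit title promises also holds only if `a_buf` itself is declared 32-byte aligned. A comment at the use, e.g. `/* offset 32 keeps a[] 32-byte aligned; a_buf must be 32-aligned and leave room for the longest edge after it */`, would tie the literal to those two requirements, and the luma loop (not shown) should use the same offset.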
From: Michael Niedermayer Date: Thu, 27 Nov 2014 15:03:35 +0100 Subject: [PATCH 0395/1352] avcodec/hevc_ps: More complete window reset Fixes out of array read Fixes: signal_sigsegv_35bcf26_471_cov_2806540268_CAINIT_A_SHARP_4.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 57e5812198aada016e9ba4149123c541f8c8a7ec) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 0cd2269409..11e6eb6132 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1030,10 +1030,8 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) } av_log(s->avctx, AV_LOG_WARNING, "Displaying the whole video surface.\n"); - sps->pic_conf_win.left_offset = - sps->pic_conf_win.right_offset = - sps->pic_conf_win.top_offset = - sps->pic_conf_win.bottom_offset = 0; + memset(&sps->pic_conf_win, 0, sizeof(sps->pic_conf_win)); + memset(&sps->output_window, 0, sizeof(sps->output_window)); sps->output_width = sps->width; sps->output_height = sps->height; } From 53fa0d370cbbf7605687a2d3c669f7f015136931 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 5 Mar 2015 22:48:28 +0100 Subject: [PATCH 0396/1352] webp: ensure that each transform is only used once According to the WebP Lossless Bitstream Specification "each transform is allowed to be used only once". If a transform is more than once this can lead to memory corruption. Signed-off-by: Michael Niedermayer (cherry picked from commit c089e720c1b753790c746a13053636d7facf6bf0) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 31c5bd9ca8..c92539fd93 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c 
@@ -1087,7 +1087,7 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, unsigned int data_size, int is_alpha_chunk) { WebPContext *s = avctx->priv_data; - int w, h, ret, i; + int w, h, ret, i, used; if (!is_alpha_chunk) { s->lossless = 1; @@ -1137,8 +1137,16 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, /* parse transformations */ s->nb_transforms = 0; s->reduced_width = 0; + used = 0; while (get_bits1(&s->gb)) { enum TransformType transform = get_bits(&s->gb, 2); + if (used & (1 << transform)) { + av_log(avctx, AV_LOG_ERROR, "Transform %d used more than once\n", + transform); + ret = AVERROR_INVALIDDATA; + goto free_and_return; + } + used |= (1 << transform); s->transforms[s->nb_transforms++] = transform; switch (transform) { case PREDICTOR_TRANSFORM: From 1ee7f2d77e36c59cf79ea2bea2a29b7fd744f9b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:13:06 +0100 Subject: [PATCH 0397/1352] avformat/idcin: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit d1923d15a3544cbb94563a59e7169291db76b312) Signed-off-by: Michael Niedermayer --- libavformat/idcin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/idcin.c b/libavformat/idcin.c index d7a46a17fd..4e455bfcee 100644 --- a/libavformat/idcin.c +++ b/libavformat/idcin.c @@ -359,7 +359,7 @@ static int idcin_read_seek(AVFormatContext *s, int stream_index, IdcinDemuxContext *idcin = s->priv_data; if (idcin->first_pkt_pos > 0) { - int ret = avio_seek(s->pb, idcin->first_pkt_pos, SEEK_SET); + int64_t ret = avio_seek(s->pb, idcin->first_pkt_pos, SEEK_SET); if (ret < 0) return ret; ff_update_cur_dts(s, s->streams[idcin->video_stream_index], 0); From 2046275aaffaa6c47b14e52f028e814044d9e148 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:14:56 +0100 Subject: [PATCH 0398/1352] avformat/gxf: Use 64bit for res to avoid overflow 
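Review bot: The `used` bitmask in vp8_lossless_decode_frame() is also what keeps `s->nb_transforms` bounded, since the 2-bit type field allows only four distinct values, but nothing in the loop says so. A comment above the test would protect that property against later reordering, e.g. `/* each transform type may appear once; this also caps nb_transforms at 4 */`. The size of `s->transforms` is declared outside the hunk, so it is worth confirming it really is four elements.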
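Review bot: `ret` in idcin_read_seek() is now int64_t, but `return ret;` still passes it out through a function declared `static int`, so the value is narrowed implicitly. That is harmless as long as the negative results of avio_seek() are error codes that fit in an int, which appears to be the intent, but it should be visible in the code: `return (int)ret;` with a short comment, or `return ret < 0 ? (int)ret : 0;` where only the error matters. The same pattern is visible in the following hunks for recover() in wtvdec.c (`return ret;`) and oma_read_seek() in omadec.c (`return err;`), and presumably applies to the gxf.c, mvdec.c and vqf.c changes, whose return statements are outside their hunks.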
Signed-off-by: Michael Niedermayer (cherry picked from commit 12987f89007ee82b9d3a6090085dfaef8461ab8b) Signed-off-by: Michael Niedermayer --- libavformat/gxf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 6c624f00a8..d9b629d7de 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -560,7 +560,7 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) { } static int gxf_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { - int res = 0; + int64_t res = 0; uint64_t pos; uint64_t maxlen = 100 * 1024 * 1024; AVStream *st = s->streams[0]; From 81ee3385ee14840bd049b265d7c64fc92d530dff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:41:35 +0100 Subject: [PATCH 0399/1352] avformat/mvdec: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 26c0cc154e06cb0064b3a3da49447ac44d82444f) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 6e7c3ffd11..186b581f89 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -394,7 +394,7 @@ static int mv_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVStream *st = avctx->streams[mv->stream_index]; const AVIndexEntry *index; int frame = mv->frame[mv->stream_index]; - int ret; + int64_t ret; uint64_t pos; if (frame < st->nb_index_entries) { From 8f65bedbaff42b046061b1874a4980f4d65b589e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 20:57:31 +0100 Subject: [PATCH 0400/1352] avformat/wtvdec: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit d44e0d8b930732a4a247b4884d75cf62b4ad3664) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 9cedae1f8e..a7334fc9d4 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -760,7 +760,7 @@ static int recover(WtvContext *wtv, uint64_t broken_pos) int i; for (i = 0; i < wtv->nb_index_entries; i++) { if (wtv->index_entries[i].pos > broken_pos) { - int ret = avio_seek(pb, wtv->index_entries[i].pos, SEEK_SET); + int64_t ret = avio_seek(pb, wtv->index_entries[i].pos, SEEK_SET); if (ret < 0) return ret; wtv->pts = wtv->index_entries[i].timestamp; From 5169df2122f68d856ee06a8e2ae4f17a62f3c9b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 21:00:57 +0100 Subject: [PATCH 0401/1352] avformat/vqf: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit cb08687180683a755d0fe9d425280d0e4d1e6db2) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 15e8246432..a8a639d8dc 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -261,7 +261,7 @@ static int vqf_read_seek(AVFormatContext *s, { VqfContext *c = s->priv_data; AVStream *st; - int ret; + int64_t ret; int64_t pos; st = s->streams[stream_index]; From 093e3f4d5b90004657520b0e95ecb645bcd6643c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Feb 2015 21:01:54 +0100 Subject: [PATCH 0402/1352] avformat/omadec: Use 64bit for ret to avoid overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 0f55bc29d41585d110b126cb4ed4b395fd46d7ac) Signed-off-by: Michael Niedermayer --- libavformat/omadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 42954130bc..7cf1e1a4b2 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c 
@@ -464,7 +464,7 @@ static int oma_read_seek(struct AVFormatContext *s, int stream_index, int64_t timestamp, int flags) { OMAContext *oc = s->priv_data; - int err = ff_pcm_read_seek(s, stream_index, timestamp, flags); + int64_t err = ff_pcm_read_seek(s, stream_index, timestamp, flags); if (!oc->encrypted) return err; From 88c06ca25149f141c7e0f07616ccd0b3f1704c8f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Feb 2015 16:25:29 +0100 Subject: [PATCH 0403/1352] avcodec/x86/mlpdsp_init: Simplify mlp_filter_channel_x86() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on patch by Francisco Blas Izquierdo Riera Commit message partly taken from carl fixes a compilation error in mlpdsp_init.c with -fstack-check and some gcc compilers (I reproduced the issue with gcc 4.7.3) by simplifying the code. See also https://bugs.gentoo.org/show_bug.cgi?id=471756 $ make libavcodec/x86/mlpdsp_init.o libavcodec/x86/mlpdsp_init.c: In function ‘mlp_filter_channel_x86’: libavcodec/x86/mlpdsp_init.c:142:5: error: can’t find a register in class ‘GENERAL_REGS’ while reloading ‘asm’ libavcodec/x86/mlpdsp_init.c:142:5: error: ‘asm’ operand has impossible constraints 4551 -> 4509 dezicycles Reviewed-by: Ramiro Polla Signed-off-by: Michael Niedermayer (cherry picked from commit 03f39fbb2a558153a3c464edec1378d637a755fe) Signed-off-by: Michael Niedermayer --- libavcodec/x86/mlpdsp.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/x86/mlpdsp.c b/libavcodec/x86/mlpdsp.c index f090fd79b4..a6da229228 100644 --- a/libavcodec/x86/mlpdsp.c +++ b/libavcodec/x86/mlpdsp.c 
@@ -132,8 +132,8 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, FIRMUL (ff_mlp_firorder_6, 0x14 ) FIRMUL (ff_mlp_firorder_5, 0x10 ) FIRMUL (ff_mlp_firorder_4, 0x0c ) - FIRMULREG(ff_mlp_firorder_3, 0x08,10) - FIRMULREG(ff_mlp_firorder_2, 0x04, 9) + FIRMUL (ff_mlp_firorder_3, 0x08 ) + FIRMUL (ff_mlp_firorder_2, 0x04 ) FIRMULREG(ff_mlp_firorder_1, 0x00, 8) LABEL_MANGLE(ff_mlp_firorder_0)":\n\t" "jmp *%6 \n\t" @@ -162,8 +162,6 @@ static void mlp_filter_channel_x86(int32_t *state, const int32_t *coeff, : /* 4*/"r"((x86_reg)mask), /* 5*/"r"(firjump), /* 6*/"r"(iirjump) , /* 7*/"c"(filter_shift) , /* 8*/"r"((int64_t)coeff[0]) - , /* 9*/"r"((int64_t)coeff[1]) - , /*10*/"r"((int64_t)coeff[2]) : "rax", "rdx", "rsi" #else /* ARCH_X86_32 */ /* 3*/"+m"(blocksize) From 3167bba15ec3c7b23b73bd8f2500bd951f0ec005 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:43:30 +0100 Subject: [PATCH 0404/1352] avcodec/a64multienc: use av_frame_ref instead of copying the frame This fixes freeing the frame buffer twice on cleanup leading to a crash. Signed-off-by: Michael Niedermayer (cherry picked from commit 39e4ed7c1d8d840be47f6d604704d47a59a9ae5d) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index fc00d3fc62..60644a2644 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -317,7 +317,9 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } else { /* fill up mc_meta_charset with data until lifetime exceeds */ if (c->mc_frame_counter < c->mc_lifetime) { - *p = *pict; + ret = av_frame_ref(p, pict); + if (ret < 0) + return ret; p->pict_type = AV_PICTURE_TYPE_I; p->key_frame = 1; to_meta_with_crop(avctx, p, meta + 32000 * c->mc_frame_counter); From acfe143736d8428918579002c47b84a5d87f03ac Mon Sep 17 00:00:00 2001 
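Review bot: `av_frame_ref(p, pict)` in a64multi_encode_frame() is called on the same destination frame for every input picture, and no `av_frame_unref(p)` is visible in the hunk. av_frame_ref() expects a destination that is freshly allocated or has been unreferenced, so calling it repeatedly on a frame that still holds the previous reference leaks that reference. Adding `av_frame_unref(p);` immediately before the call, or once to_meta_with_crop() has consumed the data, closes that gap. Where `p` is obtained is outside the hunk, so this assumes it is a long-lived frame reused across calls.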
From: Michael Niedermayer Date: Mon, 23 Feb 2015 01:21:30 +0100 Subject: [PATCH 0405/1352] avcodec/a64multienc: don't set incorrect packet size This fixes invalid reads of the packet buffer in av_dup_packet Based on patch by Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d96142e9af92ded84f2580620c571ab96c4bb657) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 60644a2644..889e8eb670 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -336,8 +336,8 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, req_size = 0; /* any frames to encode? */ if (c->mc_lifetime) { - req_size = charset_size + c->mc_lifetime*(screen_size + colram_size); - if ((ret = ff_alloc_packet2(avctx, pkt, req_size)) < 0) + int alloc_size = charset_size + c->mc_lifetime*(screen_size + colram_size); + if ((ret = ff_alloc_packet2(avctx, pkt, alloc_size)) < 0) return ret; buf = pkt->data; @@ -353,6 +353,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, /* advance pointers */ buf += charset_size; + req_size += charset_size; } /* write x frames to buf */ From 584d90b277d8005a611fb919a1cae2cbb3f23b6f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:47:50 +0100 Subject: [PATCH 0406/1352] avcodec/a64multienc: initialize mc_meta_charset to zero This fixes the use of uninitialized values in avpriv_do_elbg. Signed-off-by: Michael Niedermayer (cherry picked from commit ab759f8f4a3f7178361e32ab719e6bc49d8afecb) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 889e8eb670..9f3bc0d64d 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c 
@@ -220,7 +220,7 @@ static av_cold int a64multi_encode_init(AVCodecContext *avctx) a64_palette[mc_colors[a]][2] * 0.11; } - if (!(c->mc_meta_charset = av_malloc_array(c->mc_lifetime, 32000 * sizeof(int))) || + if (!(c->mc_meta_charset = av_mallocz_array(c->mc_lifetime, 32000 * sizeof(int))) || !(c->mc_best_cb = av_malloc(CHARSET_CHARS * 32 * sizeof(int))) || !(c->mc_charmap = av_mallocz_array(c->mc_lifetime, 1000 * sizeof(int))) || !(c->mc_colram = av_mallocz(CHARSET_CHARS * sizeof(uint8_t))) || From 37941c03b73d39fbc18e9476a09d859a9fdfd904 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 22 Feb 2015 20:48:38 +0100 Subject: [PATCH 0407/1352] avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop Averaging over 2 pixels doesn't work correctly for the last pixel, because the rest of the buffer is not initialized. Signed-off-by: Michael Niedermayer (cherry picked from commit 87513d654546a99f8ddb045ca4fa5d33778a617e) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 9f3bc0d64d..d54b37e222 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -78,9 +78,13 @@ static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest) for (y = blocky; y < blocky + 8 && y < C64YRES; y++) { for (x = blockx; x < blockx + 8 && x < C64XRES; x += 2) { if(x < width && y < height) { - /* build average over 2 pixels */ - luma = (src[(x + 0 + y * p->linesize[0])] + - src[(x + 1 + y * p->linesize[0])]) / 2; + if (x + 1 < width) { + /* build average over 2 pixels */ + luma = (src[(x + 0 + y * p->linesize[0])] + + src[(x + 1 + y * p->linesize[0])]) / 2; + } else { + luma = src[(x + y * p->linesize[0])]; + } /* write blocks as linear data now so they are suitable for elbg */ dest[0] = luma; } From 35a79bdf7df718de107d75b73c7c588d2e9647fe Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 23 Feb 2015 00:55:13 +0100 Subject: [PATCH 0408/1352] avcodec/a64multienc: simplify frame handling code This also fixes a memleak Signed-off-by: Michael Niedermayer (cherry picked from commit 4da351ff0cff460db2110cf22f2e3eded8733a58) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 23 ++++------------------- 1 file changed, 4 insertions(+), 19 deletions(-) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index d54b37e222..34e5b2dc99 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -65,7 +65,7 @@ static const int mc_colors[5]={0x0,0xb,0xc,0xf,0x1}; //static const int mc_colors[5]={0x0,0x8,0xa,0xf,0x7}; //static const int mc_colors[5]={0x0,0x9,0x8,0xa,0x3}; -static void to_meta_with_crop(AVCodecContext *avctx, AVFrame *p, int *dest) +static void to_meta_with_crop(AVCodecContext *avctx, const AVFrame *p, int *dest) { int blockx, blocky, x, y; int luma = 0; @@ -190,7 +190,6 @@ static void render_charset(AVCodecContext *avctx, uint8_t *charset, static av_cold int a64multi_close_encoder(AVCodecContext *avctx) { A64Context *c = avctx->priv_data; - av_frame_free(&avctx->coded_frame); av_freep(&c->mc_meta_charset); av_freep(&c->mc_best_cb); av_freep(&c->mc_charset); @@ -242,14 +241,6 @@ static av_cold int a64multi_encode_init(AVCodecContext *avctx) AV_WB32(avctx->extradata, c->mc_lifetime); AV_WB32(avctx->extradata + 16, INTERLACED); - avctx->coded_frame = av_frame_alloc(); - if (!avctx->coded_frame) { - a64multi_close_encoder(avctx); - return AVERROR(ENOMEM); - } - - avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I; - avctx->coded_frame->key_frame = 1; if (!avctx->codec_tag) avctx->codec_tag = AV_RL32("a64m"); 
@@ -274,10 +265,9 @@ static void a64_compress_colram(unsigned char *buf, int *charmap, uint8_t *colra } static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, - const AVFrame *pict, int *got_packet) + const AVFrame *p, int *got_packet) { A64Context *c = avctx->priv_data; - AVFrame *const p = avctx->coded_frame; int frame; int x, y; @@ -308,7 +298,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } /* no data, means end encoding asap */ - if (!pict) { + if (!p) { /* all done, end encoding */ if (!c->mc_lifetime) return 0; /* no more frames in queue, prepare to flush remaining frames */ @@ -321,15 +311,10 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } else { /* fill up mc_meta_charset with data until lifetime exceeds */ if (c->mc_frame_counter < c->mc_lifetime) { - ret = av_frame_ref(p, pict); - if (ret < 0) - return ret; - p->pict_type = AV_PICTURE_TYPE_I; - p->key_frame = 1; to_meta_with_crop(avctx, p, meta + 32000 * c->mc_frame_counter); c->mc_frame_counter++; if (c->next_pts == AV_NOPTS_VALUE) - c->next_pts = pict->pts; + c->next_pts = p->pts; /* lifetime is not reached so wait for next frame first */ return 0; } From 9dc686815554d98e9c1070183187d0df8337fa0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Feb 2015 01:58:11 +0100 Subject: [PATCH 0409/1352] avcodec/a64multienc: Assert that the Packet size does not grow Signed-off-by: Michael Niedermayer (cherry picked from commit 29bbc1be488ea4fc591d3e0ef12f0fc7c8812afb) Signed-off-by: Michael Niedermayer --- libavcodec/a64multienc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/a64multienc.c b/libavcodec/a64multienc.c index 34e5b2dc99..0d926672f6 100644 --- a/libavcodec/a64multienc.c +++ b/libavcodec/a64multienc.c @@ -28,6 +28,7 @@ #include "a64tables.h" #include "elbg.h" #include "internal.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/intreadwrite.h" 
@@ -379,6 +380,7 @@ static int a64multi_encode_frame(AVCodecContext *avctx, AVPacket *pkt, pkt->pts = pkt->dts = c->next_pts; c->next_pts = AV_NOPTS_VALUE; + av_assert0(pkt->size >= req_size); pkt->size = req_size; pkt->flags |= AV_PKT_FLAG_KEY; *got_packet = !!req_size; From 2dde6d5d367e853a085abb595cf6fbd26bda5fc8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Feb 2015 00:32:39 +0100 Subject: [PATCH 0410/1352] swscale/utils: More carefully merge and clear coefficients outside the input Fixes out of array read Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1895d414aaacece3b57d7bf19502305e9a064fae) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 858c5c29f8..ff82deea31 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -623,14 +623,24 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, if ((*filterPos)[i] + filterSize > srcW) { int shift = (*filterPos)[i] + FFMIN(filterSize - srcW, 0); + int64_t acc = 0; - // move filter coefficients right to compensate for filterPos - for (j = filterSize - 2; j >= 0; j--) { - int right = FFMIN(j + shift, filterSize - 1); - filter[i * filterSize + right] += filter[i * filterSize + j]; - filter[i * filterSize + j] = 0; + for (j = filterSize - 1; j >= 0; j--) { + if ((*filterPos)[i] + j >= srcW) { + acc += filter[i * filterSize + j]; + filter[i * filterSize + j] = 0; + } } + for (j = filterSize - 1; j >= 0; j--) { + if (j < shift) { + filter[i * filterSize + j] = 0; + } else { + filter[i * filterSize + j] = filter[i * filterSize + j - shift]; + } + } + (*filterPos)[i]-= shift; + filter[i * filterSize + srcW - 1 - (*filterPos)[i]] += acc; } } 
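Review bot: In a64multi_encode_frame (libavcodec/a64multienc.c), the added `av_assert0(pkt->size >= req_size);` sits next to the final pts and flags assignments, so it appears to run after the payload has been written and can only report an overrun after the fact. A comment would make the intent explicit, for example `/* req_size must never exceed the size the packet was allocated with */`. If the allocation and the writes, which are outside this hunk, allow the comparison earlier, checking before the first write would turn the tripwire into a guard. The function body starts and ends outside the hunk.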
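Review bot: In initFilter (libswscale/utils.c), the new copy loop reads `filter[i * filterSize + j - shift]`, which stays inside row i only while `shift` is non-negative, and nothing in the hunk establishes that. When `filterSize > srcW` the `FFMIN` term is 0 and `shift` equals `(*filterPos)[i]`, whose sign is decided by code outside the hunk; a negative value would skip the `j < shift` branch and read to the right of `j`. Since this block exists to stop an out-of-array read, I would state the invariant where `shift` is computed, `av_assert0(shift >= 0);` (libavutil/avassert.h is needed if the file does not already include it), or add a comment naming the earlier code that guarantees it.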
From 49543062280ccf2e961b01784d8bbbcf09e1197c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Feb 2015 03:12:22 +0100 Subject: [PATCH 0411/1352] avcodec/snowdec: Fix ref value check Fixes integer overflow and out of array read. Fixes: signal_sigsegv_24169e6_3445_cov_3778346427_snow_chroma_bug.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f4cbf940212079a34753c7f4d6c6b5a43586d30) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 327157b0d2..c5fa20339a 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -152,7 +152,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int l = left->color[0]; int cb= left->color[1]; int cr= left->color[2]; - int ref = 0; + unsigned ref = 0; int ref_context= av_log2(2*left->ref) + av_log2(2*top->ref); int mx_context= av_log2(2*FFABS(left->mx - top->mx)) + 0*av_log2(2*FFABS(tr->mx - top->mx)); int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); From ba59d9212869577ae9ca11f890d06ac08952736c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Feb 2015 20:49:07 +0100 Subject: [PATCH 0412/1352] avcodec/h264: Only reinit quant tables if a new PPS is allowed Fixes null pointer dereference Fixes: signal_sigsegv_3042097_3007_cov_1741463594_non_monotone_timestamps1.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c23a0e77dd492d6c794f89dbff3a438c95745e70) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 0d48064838..d3d5a92eb0 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
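Review bot: In decode_q_branch (libavcodec/snowdec.c), the whole fix is the type change to `unsigned ref = 0;`, but the value check it repairs is outside the hunk, so nothing at the declaration says the signedness is load-bearing. A comment on the declaration would keep a later cleanup from reverting it, for example `/* unsigned: a negative or wrapped decoded value must fail the ref range check below */`. The neighbouring `ref_context`, `mx_context` and `my_context` remain `int`, so without the comment the declaration simply looks inconsistent.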
@@ -1518,7 +1518,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) } } - if (h == h0 && h->dequant_coeff_pps != pps_id) { + if (first_slice && h->dequant_coeff_pps != pps_id) { h->dequant_coeff_pps = pps_id; h264_init_dequant_tables(h); } From ca663f79e95fb03431dadb198ae1b97fe1f667e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Feb 2015 12:29:10 +0100 Subject: [PATCH 0413/1352] avcodec/zmbv: Check len before reading in decode_frame() Fixes out of array read Fixes: asan_heap-oob_4d4eb0_3994_cov_3169972261_zmbv_15bit.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1f5c7781e63d6519192ada59c1e36bcecc92791d) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index c16d912117..82ae169ef4 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -410,11 +410,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int hi_ver, lo_ver, ret; /* parse header */ + if (len < 1) + return AVERROR_INVALIDDATA; c->flags = buf[0]; buf++; len--; if (c->flags & ZMBV_KEYFRAME) { void *decode_intra = NULL; c->decode_intra= NULL; + + if (len < 6) + return AVERROR_INVALIDDATA; hi_ver = buf[0]; lo_ver = buf[1]; c->comp = buf[2]; From e8a44b8387e3924f361a218e5be0c86bc476214d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Feb 2015 15:51:28 +0100 Subject: [PATCH 0414/1352] avcodec/hevc_ps: Sanity checks for some log2_* values log2 values which imply numeric overflow are not supported Signed-off-by: Michael Niedermayer (cherry picked from commit 205b2ba3d677330e023aac2f4bd3f624039256b9) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 11e6eb6132..3309377455 100644 --- a/libavcodec/hevc_ps.c 
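Review bot: In ff_h264_decode_slice_header (libavcodec/h264_slice.c), the new condition `first_slice && h->dequant_coeff_pps != pps_id` depends on `first_slice`, which is computed outside the hunk, and the reason for replacing `h == h0` exists only in the commit message. A one-line comment would tie the test to its intent, for example `/* dequant tables are rebuilt only where a new PPS is allowed, i.e. on the first slice */`. On later slices with a different `pps_id` this leaves `h->dequant_coeff_pps` unchanged, so it is worth confirming that such a slice is rejected before it reaches this point.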
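Review bot: In decode_frame (libavcodec/zmbv.c), the keyframe guard `if (len < 6)` uses a bare constant whose correctness depends on how many header bytes are read, and the hunk shows only `buf[0]` to `buf[2]` before it ends. Tying the number to the reads makes the bound reviewable: a comment such as `/* keyframe header is 6 bytes, all read below */`, or one named constant used for both this check and the later pointer advance. The check is placed after `len--`, which is correct for a header that follows the flags byte, and the comment should say so.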
+++ b/libavcodec/hevc_ps.c @@ -895,11 +895,30 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) sps->log2_max_trafo_size = log2_diff_max_min_transform_block_size + sps->log2_min_tb_size; - if (sps->log2_min_tb_size >= sps->log2_min_cb_size) { + if (sps->log2_min_cb_size < 3 || sps->log2_min_cb_size > 30) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_min_cb_size", sps->log2_min_cb_size); + ret = AVERROR_INVALIDDATA; + goto err; + } + + if (sps->log2_diff_max_min_coding_block_size > 30) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_diff_max_min_coding_block_size", sps->log2_diff_max_min_coding_block_size); + ret = AVERROR_INVALIDDATA; + goto err; + } + + if (sps->log2_min_tb_size >= sps->log2_min_cb_size || sps->log2_min_tb_size < 2) { av_log(s->avctx, AV_LOG_ERROR, "Invalid value for log2_min_tb_size"); ret = AVERROR_INVALIDDATA; goto err; } + + if (log2_diff_max_min_transform_block_size < 0 || log2_diff_max_min_transform_block_size > 30) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid value %d for log2_diff_max_min_transform_block_size", log2_diff_max_min_transform_block_size); + ret = AVERROR_INVALIDDATA; + goto err; + } + sps->max_transform_hierarchy_depth_inter = get_ue_golomb_long(gb); sps->max_transform_hierarchy_depth_intra = get_ue_golomb_long(gb); From 198aa9fabde1d6e13accdcc49f792b33b94986ca Mon Sep 17 00:00:00 2001 From: James Cowgill Date: Thu, 26 Feb 2015 13:42:52 +0000 Subject: [PATCH 0415/1352] mips/acelp_filters: fix incorrect register constraint Change register constraint on the v variable from = to +. This was causing GCC to think that the v variable was never read and therefore not initialize it. This fixes about 20 fate failures on mips64el. Signed-off-by: James Cowgill Signed-off-by: Michael Niedermayer (cherry picked from commit b9de1303a6414174ab2f3bccefa801bfabcf0f88) Signed-off-by: Michael Niedermayer --- libavcodec/mips/acelp_filters_mips.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
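Review bot: In ff_hevc_decode_nal_sps (libavcodec/hevc_ps.c), the new checks cap each log2 term at 30 but not the sums built from them: `sps->log2_max_trafo_size`, computed in the context line at the top of the hunk, can still reach 59, and `log2_min_cb_size` plus `log2_diff_max_min_coding_block_size` can reach 60. If either sum is later used as a shift count on a 32-bit value (not visible here), the overflow this commit targets remains reachable, so the sum should be bounded as well, for example by also rejecting `sps->log2_max_trafo_size > 30`. The three new `av_log` format strings also lack a trailing `\n`, so the messages will run into the next log line.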
diff --git a/libavcodec/mips/acelp_filters_mips.c b/libavcodec/mips/acelp_filters_mips.c index c8d980aa00..ffc0fe6250 100644 --- a/libavcodec/mips/acelp_filters_mips.c +++ b/libavcodec/mips/acelp_filters_mips.c @@ -89,7 +89,7 @@ static void ff_acelp_interpolatef_mips(float *out, const float *in, "addu %[p_filter_coeffs_m], %[p_filter_coeffs_m], %[prec] \n\t" "madd.s %[v],%[v],%[in_val_m], %[fc_val_m] \n\t" - : [v] "=&f" (v),[p_in_p] "+r" (p_in_p), [p_in_m] "+r" (p_in_m), + : [v] "+&f" (v),[p_in_p] "+r" (p_in_p), [p_in_m] "+r" (p_in_m), [p_filter_coeffs_p] "+r" (p_filter_coeffs_p), [in_val_p] "=&f" (in_val_p), [in_val_m] "=&f" (in_val_m), [fc_val_p] "=&f" (fc_val_p), [fc_val_m] "=&f" (fc_val_m), From bcbae2d95fc5e5df6116200f7a249ebb4805e415 Mon Sep 17 00:00:00 2001 From: Dyami Caliri Date: Thu, 26 Feb 2015 10:17:01 -0800 Subject: [PATCH 0416/1352] Fix buffer_size argument to init_put_bits() in multiple encoders. Several encoders were multiplying the buffer size by 8, in order to get a bit size. However, the buffer_size argument is for the byte size of the buffer. We had experienced crashes encoding prores (Anatoliy) at size 4096x4096. (cherry picked from commit 50833c9f7b4e1922197a8955669f8ab3589c8cef) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- libavcodec/adpcmenc.c | 4 ++-- libavcodec/faxcompr.c | 2 +- libavcodec/flashsv2enc.c | 2 +- libavcodec/flashsvenc.c | 2 +- libavcodec/nellymoserenc.c | 2 +- libavcodec/proresenc_anatoliy.c | 2 +- libavcodec/proresenc_kostya.c | 2 +- libavcodec/s302menc.c | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index b3bd9c8610..94d54eb87f 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c 
@@ -165,7 +165,7 @@ static void put_audio_specific_config(AVCodecContext *avctx) PutBitContext pb; AACEncContext *s = avctx->priv_data; - init_put_bits(&pb, avctx->extradata, avctx->extradata_size*8); + init_put_bits(&pb, avctx->extradata, avctx->extradata_size); put_bits(&pb, 5, 2); //object type - AAC-LC put_bits(&pb, 4, s->samplerate_index); //sample rate index put_bits(&pb, 4, s->channels); diff --git a/libavcodec/adpcmenc.c b/libavcodec/adpcmenc.c index ea6cc23e97..7692db4d67 100644 --- a/libavcodec/adpcmenc.c +++ b/libavcodec/adpcmenc.c @@ -541,7 +541,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, case AV_CODEC_ID_ADPCM_IMA_QT: { PutBitContext pb; - init_put_bits(&pb, dst, pkt_size * 8); + init_put_bits(&pb, dst, pkt_size); for (ch = 0; ch < avctx->channels; ch++) { ADPCMChannelStatus *status = &c->status[ch]; @@ -571,7 +571,7 @@ static int adpcm_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, case AV_CODEC_ID_ADPCM_SWF: { PutBitContext pb; - init_put_bits(&pb, dst, pkt_size * 8); + init_put_bits(&pb, dst, pkt_size); n = frame->nb_samples - 1; diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 155f78da66..ba7096d3b1 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -251,7 +251,7 @@ static void put_line(uint8_t *dst, int size, int width, const int *runs) PutBitContext pb; int run, mode = ~0, pix_left = width, run_idx = 0; - init_put_bits(&pb, dst, size * 8); + init_put_bits(&pb, dst, size); while (pix_left > 0) { run = runs[run_idx++]; mode = ~mode; diff --git a/libavcodec/flashsv2enc.c b/libavcodec/flashsv2enc.c index 9735a13331..b6c9453f42 100644 --- a/libavcodec/flashsv2enc.c +++ b/libavcodec/flashsv2enc.c @@ -287,7 +287,7 @@ static int write_header(FlashSV2Context * s, uint8_t * buf, int buf_size) if (buf_size < 5) return -1; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, (s->block_width >> 4) - 1); put_bits(&pb, 12, s->image_width); 
diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c index 7ad15f118f..6d406e9fa6 100644 --- a/libavcodec/flashsvenc.c +++ b/libavcodec/flashsvenc.c @@ -151,7 +151,7 @@ static int encode_bitstream(FlashSVContext *s, const AVFrame *p, uint8_t *buf, int buf_pos, res; int pred_blocks = 0; - init_put_bits(&pb, buf, buf_size * 8); + init_put_bits(&pb, buf, buf_size); put_bits(&pb, 4, block_width / 16 - 1); put_bits(&pb, 12, s->image_width); diff --git a/libavcodec/nellymoserenc.c b/libavcodec/nellymoserenc.c index 98e33f0e2e..e879d57459 100644 --- a/libavcodec/nellymoserenc.c +++ b/libavcodec/nellymoserenc.c @@ -303,7 +303,7 @@ static void encode_block(NellyMoserEncodeContext *s, unsigned char *output, int apply_mdct(s); - init_put_bits(&pb, output, output_size * 8); + init_put_bits(&pb, output, output_size); i = 0; for (band = 0; band < NELLY_BANDS; band++) { diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index f471f4987e..801d58ed7b 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -304,7 +304,7 @@ static int encode_slice_plane(AVCodecContext *avctx, int mb_count, } blocks_per_slice = mb_count << (2 - chroma); - init_put_bits(&pb, buf, buf_size << 3); + init_put_bits(&pb, buf, buf_size); encode_dc_coeffs(&pb, blocks, blocks_per_slice, qmat); encode_ac_coeffs(avctx, &pb, blocks, blocks_per_slice, qmat); diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index c9cb063ae8..2ad7f748f9 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -1057,7 +1057,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, slice_hdr = pkt->data + (slice_hdr - start); tmp = pkt->data + (tmp - start); } - init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8); + init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf))); ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice); if (ret < 0) 
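Review bot: In encode_frame (libavcodec/proresenc_kostya.c), the edited call keeps a leftover pair of parentheses, `init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)));`, and passes what is presumably a pointer difference as the size argument. Writing it as `init_put_bits(&pb, buf, pkt_size - (buf - orig_buf));` with a comment `/* bytes left in the packet, not bits */` reads cleaner and records the unit at the one call in this commit where the size is computed rather than passed through. The same bits-versus-bytes mistake was fixed in eight other files here, so the unit is worth stating where it is least obvious.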
diff --git a/libavcodec/s302menc.c b/libavcodec/s302menc.c index 540ac29dab..e738f09d19 100644 --- a/libavcodec/s302menc.c +++ b/libavcodec/s302menc.c @@ -82,7 +82,7 @@ static int s302m_encode2_frame(AVCodecContext *avctx, AVPacket *avpkt, return ret; o = avpkt->data; - init_put_bits(&pb, o, buf_size * 8); + init_put_bits(&pb, o, buf_size); put_bits(&pb, 16, buf_size - AES3_HEADER_LEN); put_bits(&pb, 2, (avctx->channels - 2) >> 1); // number of channels put_bits(&pb, 8, 0); // channel ID From f33a2ea2eea70e805dd97659751284becccf9c3d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 25 Feb 2015 22:55:44 +0100 Subject: [PATCH 0417/1352] avformat/adxdec: check avctx->channels for invalid values This avoids a null pointer dereference of pkt->data. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 7faa40af982960608b117e20fec999b48011e5e0) Signed-off-by: Michael Niedermayer --- libavformat/adxdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/adxdec.c b/libavformat/adxdec.c index e57d0516dc..e7107ac579 100644 --- a/libavformat/adxdec.c +++ b/libavformat/adxdec.c @@ -40,6 +40,11 @@ static int adx_read_packet(AVFormatContext *s, AVPacket *pkt) AVCodecContext *avctx = s->streams[0]->codec; int ret, size; + if (avctx->channels <= 0) { + av_log(s, AV_LOG_ERROR, "invalid number of channels %d\n", avctx->channels); + return AVERROR_INVALIDDATA; + } + size = BLOCK_SIZE * avctx->channels; pkt->pos = avio_tell(s->pb); From 6fbd897caba6e4e9378c99030e9ce13652d785a6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 21:38:50 +0100 Subject: [PATCH 0418/1352] avformat/bit: check that pkt->size is 10 in write_packet Ohter packet sizes are not supported by this muxer. This avoids a null pointer dereference of pkt->data. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit eeda2c3de8a8484d9e7d1e47ac836bec850b31fc) 
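Review bot: In adx_read_packet (libavformat/adxdec.c), the new guard rejects `avctx->channels <= 0` but leaves the upper end open, and the next line computes `size = BLOCK_SIZE * avctx->channels` in `int`. If `channels` can be large when it arrives here (where it is set is outside the hunk), the product can overflow before it is used as a packet size. Bounding it in the same test closes that: `if (avctx->channels <= 0 || avctx->channels > INT_MAX / BLOCK_SIZE) {`.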
Signed-off-by: Michael Niedermayer --- libavformat/bit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/bit.c b/libavformat/bit.c index 7b807b9bc1..5d05da0f81 100644 --- a/libavformat/bit.c +++ b/libavformat/bit.c @@ -133,6 +133,9 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) GetBitContext gb; int i; + if (pkt->size != 10) + return AVERROR(EINVAL); + avio_wl16(pb, SYNC_WORD); avio_wl16(pb, 8 * 10); From 2ec6a7a1e048dab6dd9ef9e4d569e1419eed5e79 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 26 Feb 2015 21:42:02 +0100 Subject: [PATCH 0419/1352] avformat/bit: only accept the g729 codec and 1 channel Other codecs/channel numbers are not supported by this muxer. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d0b8640f75ff7569c98d6fdb03d83451104e088c) Signed-off-by: Michael Niedermayer --- libavformat/bit.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/bit.c b/libavformat/bit.c index 5d05da0f81..138d2feadb 100644 --- a/libavformat/bit.c +++ b/libavformat/bit.c @@ -119,8 +119,12 @@ static int write_header(AVFormatContext *s) { AVCodecContext *enc = s->streams[0]->codec; - enc->codec_id = AV_CODEC_ID_G729; - enc->channels = 1; + if ((enc->codec_id != AV_CODEC_ID_G729) || enc->channels != 1) { + av_log(s, AV_LOG_ERROR, + "only codec g729 with 1 channel is supported by this format\n"); + return AVERROR(EINVAL); + } + enc->bits_per_coded_sample = 16; enc->block_align = (enc->bits_per_coded_sample * enc->channels) >> 3; From eceea69567acc0d8f9368c300d9d52a3b1199512 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Feb 2015 03:12:23 +0100 Subject: [PATCH 0420/1352] swscale/utils: clear formatConvBuffer on allocation Fixes use of uninitialized memory Fixes: asan_heap-oob_35ca682_1474_cov_3230122439_aletrek_tga_16bit.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
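Review bot: In write_packet (libavformat/bit.c), the new `if (pkt->size != 10)` returns `AVERROR(EINVAL)` without logging, so a caller sees a bare error with no hint that the packet size was the cause. The literal 10 is also repeated in `avio_wl16(pb, 8 * 10);` two lines below, which invites the two drifting apart. I would log before returning, `av_log(s, AV_LOG_ERROR, "unsupported packet size %d\n", pkt->size);`, and use one named constant for the frame size in both places.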
Signed-off-by: Michael Niedermayer (cherry picked from commit 007498fc1a639ecee2cda1892cbcff66c7c8c951) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index ff82deea31..98a9e4d380 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1188,7 +1188,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, c->chrDstW = FF_CEIL_RSHIFT(dstW, c->chrDstHSubSample); c->chrDstH = FF_CEIL_RSHIFT(dstH, c->chrDstVSubSample); - FF_ALLOC_OR_GOTO(c, c->formatConvBuffer, FFALIGN(srcW*2+78, 16) * 2, fail); + FF_ALLOCZ_OR_GOTO(c, c->formatConvBuffer, FFALIGN(srcW*2+78, 16) * 2, fail); c->srcBpc = 1 + desc_src->comp[0].depth_minus1; if (c->srcBpc < 8) From d42540499c51182175880dd83be1040bcb108609 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Feb 2015 21:57:11 +0100 Subject: [PATCH 0421/1352] avutil/imgutils: correctly check for negative SAR components These could trigger assert failures previously Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 5705dc527687fd84d94c934169b6bd753459744f) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 00b203182b..26321cef8e 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -245,7 +245,7 @@ int av_image_check_sar(unsigned int w, unsigned int h, AVRational sar) { int64_t scaled_dim; - if (!sar.den) + if (sar.den <= 0 || sar.num < 0) return AVERROR(EINVAL); if (!sar.num || sar.num == sar.den) From ddffbf720a84807270b4b3f9fc9f310335b41e2d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 28 Feb 2015 20:11:36 +0100 Subject: [PATCH 0422/1352] avcodec/utils: use correct printf specifier in ff_set_sar Signed-off-by: Andreas Cadhalpun 
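Review bot: In sws_init_context (libswscale/utils.c), switching to `FF_ALLOCZ_OR_GOTO` makes reads of unwritten parts of `formatConvBuffer` deterministic, but the hunk does not say which reader goes past the written region or why `srcW*2+78` is the right size. Zeroing also hides such reads from memory checkers afterwards, so the reasoning should live next to the allocation, for example `/* zeroed: readers may touch bytes beyond what the converter wrote */`. If reading past the written region is not intended, the reader should be bounded as well; that code is outside this hunk.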
Signed-off-by: Michael Niedermayer (cherry picked from commit 732c3ebffaff5005367d7f947fa903f3b6e92f68) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 0888beb062..9d1a15c7b4 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -246,7 +246,7 @@ int ff_set_sar(AVCodecContext *avctx, AVRational sar) int ret = av_image_check_sar(avctx->width, avctx->height, sar); if (ret < 0) { - av_log(avctx, AV_LOG_WARNING, "ignoring invalid SAR: %u/%u\n", + av_log(avctx, AV_LOG_WARNING, "ignoring invalid SAR: %d/%d\n", sar.num, sar.den); avctx->sample_aspect_ratio = (AVRational){ 0, 1 }; return ret; From a80b38d7d24863a8275d73cc4e041761ce5257cc Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 28 Feb 2015 20:58:31 +0100 Subject: [PATCH 0423/1352] avformat/flvenc: check that the codec_tag fits in the available bits flags is later written with avio_w8 and if it doesn't fit in one byte it triggers an av_assert2. Signed-off-by: Michael Niedermayer (cherry picked from commit e8565d21c276ab9ac5ce785549420321fbd0b093) Signed-off-by: Michael Niedermayer --- libavformat/flvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index febc5e5b30..857f3fbb9e 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -489,7 +489,7 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) avio_w8(pb, FLV_TAG_TYPE_VIDEO); flags = enc->codec_tag; - if (flags == 0) { + if (flags <= 0 || flags > 15) { av_log(s, AV_LOG_ERROR, "Video codec '%s' is not compatible with FLV\n", avcodec_get_name(enc->codec_id)); From 2a6f0c7e077eee6d834a58a5193e374bbfe18285 Mon Sep 17 00:00:00 2001 From: Steve Lhomme Date: Tue, 3 Mar 2015 12:06:40 +0100 Subject: [PATCH 0424/1352] fix VP9 packet decoder returning 0 instead of the used data size See https://trac.videolan.org/vlc/ticket/14022#comment:6 
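Review bot: In flv_write_packet (libavformat/flvenc.c), the widened test `flags <= 0 || flags > 15` reuses the message `Video codec '%s' is not compatible with FLV`, which is misleading when the codec is fine and only a caller-supplied `codec_tag` is out of range. The bound 15 is unexplained in the code; per the commit message it exists because the value must fit the byte later written with `avio_w8`. I would add a comment such as `/* the codec tag must fit the bits reserved for it in the flags byte */` and include the rejected tag value in the log line. The function body continues outside the hunk.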
Signed-off-by: Michael Niedermayer (cherry picked from commit 4851db80a4f80ddade1d50d2ec741375c763f001) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 2239bd61d7..c8653d048d 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -3747,7 +3747,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, if ((res = av_frame_ref(frame, s->refs[ref].f)) < 0) return res; *got_frame = 1; - return 0; + return pkt->size; } data += res; size -= res; @@ -3957,7 +3957,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, *got_frame = 1; } - return 0; + return pkt->size; } static void vp9_decode_flush(AVCodecContext *ctx) From 99de009e97d079dede1eb7a11525c69ddc44ed1e Mon Sep 17 00:00:00 2001 From: Stefano Sabatini Date: Thu, 5 Mar 2015 12:05:17 +0100 Subject: [PATCH 0425/1352] doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds s->listen_timeout is passed to ff_listen_bind(), which accepts a timeout value expressed in milliseconds. The unit was incorrectly set in 1b4da43ce02452843a1e9bb976da1a39e18a945c. (cherry picked from commit 6db20926c32ea297418f1f819585007c6b7b6160) Signed-off-by: Michael Niedermayer --- doc/protocols.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/protocols.texi b/doc/protocols.texi index dc2fdb14fd..702f1573b0 100644 --- a/doc/protocols.texi +++ b/doc/protocols.texi @@ -1081,8 +1081,8 @@ Set raise error timeout, expressed in microseconds. This option is only relevant in read mode: if no data arrived in more than this time interval, raise error. -@item listen_timeout=@var{microseconds} -Set listen timeout, expressed in microseconds. +@item listen_timeout=@var{milliseconds} +Set listen timeout, expressed in milliseconds. @end table The following example shows how to setup a listening TCP connection 
From 54d40b7c459e1d87cea813eb34f14558f537e515 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 6 Mar 2015 21:07:54 -0500 Subject: [PATCH 0426/1352] vp9: fix segmentation map retention with threading enabled. Fixes ticket 4359. Signed-off-by: Michael Niedermayer (cherry picked from commit efff3854f05d171f5ad3e4f4206533b255a6d267) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index c8653d048d..8861cc09bb 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -278,7 +278,8 @@ static int vp9_alloc_frame(AVCodecContext *ctx, VP9Frame *f) // retain segmentation map if it doesn't update if (s->segmentation.enabled && !s->segmentation.update_map && - !s->intraonly && !s->keyframe && !s->errorres) { + !s->intraonly && !s->keyframe && !s->errorres && + ctx->active_thread_type != FF_THREAD_FRAME) { memcpy(f->segmentation_map, s->frames[LAST_FRAME].segmentation_map, sz); } @@ -1350,9 +1351,18 @@ static void decode_mode(AVCodecContext *ctx) if (!s->last_uses_2pass) ff_thread_await_progress(&s->frames[LAST_FRAME].tf, row >> 3, 0); - for (y = 0; y < h4; y++) + for (y = 0; y < h4; y++) { + int idx_base = (y + row) * 8 * s->sb_cols + col; for (x = 0; x < w4; x++) - pred = FFMIN(pred, refsegmap[(y + row) * 8 * s->sb_cols + x + col]); + pred = FFMIN(pred, refsegmap[idx_base + x]); + if (!s->segmentation.update_map && ctx->active_thread_type == FF_THREAD_FRAME) { + // FIXME maybe retain reference to previous frame as + // segmap reference instead of copying the whole map + // into a new buffer + memcpy(&s->frames[CUR_FRAME].segmentation_map[idx_base], + &refsegmap[idx_base], w4); + } + } av_assert1(pred < 8); b->seg_id = pred; } else { From 9821cf9e6e6e509f4fba95eddd048b0f78ce372d Mon Sep 17 00:00:00 2001 
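Review bot: In decode_mode (libavcodec/vp9.c), the added test `!s->segmentation.update_map && ctx->active_thread_type == FF_THREAD_FRAME` is loop-invariant but evaluated on every row, and the complementary thread-type test in vp9_alloc_frame (first hunk of this patch) is spelled out separately, so the two can drift apart. Computing the condition once before the `for (y = 0; ...)` loop into a named local, and commenting at both sites that they are two halves of one decision, would make the pairing visible. The `memcpy` length `w4` matches the range the inner loop already reads from `refsegmap`, so the copy does not widen the accessed region. Both functions start and end outside their hunks.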
From: Michael Niedermayer Date: Sat, 7 Mar 2015 14:30:34 +0100 Subject: [PATCH 0427/1352] avcodec/utils: Align YUV411 by as much as the other YUV variants Fixes out of array accesses Fixes: ffmpeg_mjpeg_crash2.avi Found-by: Thomas Lindroth Tested-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit e3201c38d53d2b8b24d0bc95d726b2cb1752dc12) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 9d1a15c7b4..737bf43ce6 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -374,7 +374,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_YUVJ411P: case AV_PIX_FMT_UYYVYY411: w_align = 32; - h_align = 8; + h_align = 16 * 2; break; case AV_PIX_FMT_YUV410P: if (s->codec_id == AV_CODEC_ID_SVQ1) { From ee820d05127343a14f056b1ca0aec5f9f7db6a38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Mar 2015 15:11:39 +0100 Subject: [PATCH 0428/1352] avcodec/opusdec: Clear out pointers per packet This is safer than to assume that all error pathes cleared them and nothing will use uncleared pointers. Signed-off-by: Michael Niedermayer (cherry picked from commit 1ae092587fc196da5098dea346d7ece81ec35153) Signed-off-by: Michael Niedermayer --- libavcodec/opusdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index 3ce519d1dc..bd27ec592f 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -452,6 +452,12 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, int decoded_samples = 0; int i, ret; + for (i = 0; i < c->nb_streams; i++) { + OpusStreamContext *s = &c->streams[i]; + s->out[0] = + s->out[1] = NULL; + } + /* decode the header of the first sub-packet to find out the sample count */ if (buf) { OpusPacket *pkt = &c->streams[0].packet; From 7470003e80d757de308cb2b11f44acdacc4f67fe Mon Sep 17 00:00:00 2001 
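Review bot: In avcodec_align_dimensions2 (libavcodec/utils.c), `h_align = 16 * 2;` replaces `8` without a comment, so the reason the YUV411 formats need the larger value is recorded only in the commit message. A trailing comment keeps it with the code, for example `h_align = 16 * 2; /* same vertical alignment as the other YUV variants; 8 led to out-of-array accesses */`. The switch statement starts and ends outside the hunk.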
From: Michael Niedermayer Date: Sat, 7 Mar 2015 15:34:19 +0100 Subject: [PATCH 0429/1352] avcodec/opusdec: Fix delayed sample value Fixes out of array access Fixes: ffmpeg_opus_crash1.ogg This solution is likely not optimal in terms of error concealment but its simple and fixes the out of array access. Found-by: Thomas Lindroth Tested-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 6c583e9048fe9db2ed4d7bbc75f4f1d76e82761a) Signed-off-by: Michael Niedermayer --- libavcodec/opusdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index bd27ec592f..bbf76308e8 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -451,11 +451,13 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, int coded_samples = 0; int decoded_samples = 0; int i, ret; + int delayed_samples = 0; for (i = 0; i < c->nb_streams; i++) { OpusStreamContext *s = &c->streams[i]; s->out[0] = s->out[1] = NULL; + delayed_samples = FFMAX(delayed_samples, s->delayed_samples); } /* decode the header of the first sub-packet to find out the sample count */ @@ -470,7 +472,7 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, c->streams[0].silk_samplerate = get_silk_samplerate(pkt->config); } - frame->nb_samples = coded_samples + c->streams[0].delayed_samples; + frame->nb_samples = coded_samples + delayed_samples; /* no input or buffered data => nothing to do */ if (!frame->nb_samples) { From 23666f0e229e28cfa1909c766d653a5ad023579a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 7 Mar 2015 19:36:07 +0100 Subject: [PATCH 0430/1352] doc: avoid the incorrect phrase 'allow to' Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 10fd7ff814f2a35b5b49a9c3b0d426ead6c7e83f) 
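Review bot: In opus_decode_packet (libavcodec/opusdec.c), `frame->nb_samples` is now sized from the largest `delayed_samples` of any stream, but a stream whose own `delayed_samples` is smaller will produce fewer samples than the frame holds, and how the rest of its channels is filled is not visible in these hunks. It is worth confirming that this tail is zeroed or otherwise defined, so that stale buffer contents are never returned as audio. A comment at the loop, for example `/* size the frame for the stream with the most buffered samples */`, would also record why the maximum is taken rather than the first stream's value. The function continues outside both hunks.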
Signed-off-by: Michael Niedermayer --- doc/faq.texi | 2 +- doc/ffserver.texi | 2 +- doc/filters.texi | 2 +- doc/formats.texi | 4 ++-- doc/indevs.texi | 2 +- doc/utils.texi | 4 ++-- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/faq.texi b/doc/faq.texi index fdcb46d334..54b61fc9ea 100644 --- a/doc/faq.texi +++ b/doc/faq.texi @@ -298,7 +298,7 @@ FFmpeg has a @url{http://ffmpeg.org/ffmpeg-protocols.html#concat, @code{concat}} protocol designed specifically for that, with examples in the documentation. -A few multimedia containers (MPEG-1, MPEG-2 PS, DV) allow to concatenate +A few multimedia containers (MPEG-1, MPEG-2 PS, DV) allow one to concatenate video by merely concatenating the files containing them. Hence you may concatenate your multimedia files by first transcoding them to diff --git a/doc/ffserver.texi b/doc/ffserver.texi index 77273d22e1..58debab381 100644 --- a/doc/ffserver.texi +++ b/doc/ffserver.texi @@ -71,7 +71,7 @@ the HTTP server (configured through the @option{HTTPPort} option), and configuration file. Each feed is associated to a file which is stored on disk. This stored -file is used to allow to send pre-recorded data to a player as fast as +file is used to send pre-recorded data to a player as fast as possible when new content is added in real-time to the stream. A "live-stream" or "stream" is a resource published by diff --git a/doc/filters.texi b/doc/filters.texi index bb486eac36..97714a08a9 100644 --- a/doc/filters.texi +++ b/doc/filters.texi 
@@ -3389,7 +3389,7 @@ Set number overlapping pixels for each block. Since the filter can be slow, you may want to reduce this value, at the cost of a less effective filter and the risk of various artefacts. -If the overlapping value doesn't allow to process the whole input width or +If the overlapping value doesn't permit processing the whole input width or height, a warning will be displayed and according borders won't be denoised. Default value is @var{blocksize}-1, which is the best possible setting. diff --git a/doc/formats.texi b/doc/formats.texi index 027510eb6d..910ffd2374 100644 --- a/doc/formats.texi +++ b/doc/formats.texi @@ -23,7 +23,7 @@ Reduce buffering. @item probesize @var{integer} (@emph{input}) Set probing size in bytes, i.e. the size of the data to analyze to get -stream information. A higher value will allow to detect more +stream information. A higher value will enable detecting more information in case it is dispersed into the stream, but will increase latency. Must be an integer not lesser than 32. It is 5000000 by default. @@ -63,7 +63,7 @@ Default is 0. @item analyzeduration @var{integer} (@emph{input}) Specify how many microseconds are analyzed to probe the input. A -higher value will allow to detect more accurate information, but will +higher value will enable detecting more accurate information, but will increase latency. It defaults to 5,000,000 microseconds = 5 seconds. @item cryptokey @var{hexadecimal string} (@emph{input}) diff --git a/doc/indevs.texi b/doc/indevs.texi index ce409b93fb..47bc620fbc 100644 --- a/doc/indevs.texi +++ b/doc/indevs.texi @@ -1,7 +1,7 @@ @chapter Input Devices @c man begin INPUT DEVICES -Input devices are configured elements in FFmpeg which allow to access +Input devices are configured elements in FFmpeg which enable accessing the data coming from a multimedia device attached to your system. When you configure your FFmpeg build, all the supported input devices 
diff --git a/doc/utils.texi b/doc/utils.texi index b0455af00c..79bf2a22ac 100644 --- a/doc/utils.texi +++ b/doc/utils.texi @@ -844,7 +844,7 @@ Return 1.0 if @var{x} is +/-INFINITY, 0.0 otherwise. Return 1.0 if @var{x} is NAN, 0.0 otherwise. @item ld(var) -Allow to load the value of the internal variable with number +Load the value of the internal variable with number @var{var}, which was previously stored with st(@var{var}, @var{expr}). The function returns the loaded value. @@ -912,7 +912,7 @@ Compute the square root of @var{expr}. This is equivalent to Compute expression @code{1/(1 + exp(4*x))}. @item st(var, expr) -Allow to store the value of the expression @var{expr} in an internal +Store the value of the expression @var{expr} in an internal variable. @var{var} specifies the number of the variable where to store the value, and it is a value ranging from 0 to 9. The function returns the value stored in the internal variable. From 6a671797d769201e79cd1e8fb666c2a67e34a6dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Mar 2015 23:27:43 +0100 Subject: [PATCH 0431/1352] avcodec/tiff: move bpp check to after "end:" This ensures that all current and future code-pathes get bpp checked Signed-off-by: Michael Niedermayer (cherry picked from commit d5e9fc782150d4596c72440a0aa02b7f4f1254b1) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index eb2a9630da..9434794185 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -844,13 +844,6 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->bpp = -1; } } - if (s->bpp > 64U) { - av_log(s->avctx, AV_LOG_ERROR, - "This format is not supported (bpp=%d, %d components)\n", - s->bpp, count); - s->bpp = 0; - return AVERROR_INVALIDDATA; - } break; case TIFF_SAMPLES_PER_PIXEL: if (count != 1) { 
@@ -1163,6 +1156,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) } } end: + if (s->bpp > 64U) { + av_log(s->avctx, AV_LOG_ERROR, + "This format is not supported (bpp=%d, %d components)\n", + s->bpp, count); + s->bpp = 0; + return AVERROR_INVALIDDATA; + } bytestream2_seek(&s->gb, start, SEEK_SET); return 0; } From d81150929d35efc423b488e548d4dc881cde5dbd Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 8 Mar 2015 23:31:48 +0100 Subject: [PATCH 0432/1352] ffmdec: fix infinite loop at EOF If EOF is reached, while skipping bytes, avio_tell(pb) won't change anymore, resulting in an infinite loop. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6fa98822eba501a4898fdec5b75acd3026201005) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 448762b026..cbbac78526 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -354,7 +354,7 @@ static int ffm2_read_header(AVFormatContext *s) } /* get until end of block reached */ - while ((avio_tell(pb) % ffm->packet_size) != 0) + while ((avio_tell(pb) % ffm->packet_size) != 0 && !pb->eof_reached) avio_r8(pb); /* init packet demux */ @@ -481,7 +481,7 @@ static int ffm_read_header(AVFormatContext *s) } /* get until end of block reached */ - while ((avio_tell(pb) % ffm->packet_size) != 0) + while ((avio_tell(pb) % ffm->packet_size) != 0 && !pb->eof_reached) avio_r8(pb); /* init packet demux */ From 443fc852034b7d2971db6810c2a84f04e9da9a3f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 8 Mar 2015 23:12:59 +0100 Subject: [PATCH 0433/1352] ffmdec: make sure the time base is valid A negative time base can trigger assertions. Signed-off-by: Andreas Cadhalpun 
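Review bot: After the move to `end:`, the log line still prints `count` as the number of components, but here `count` presumably belongs to whichever tag was just decoded rather than to the bits-per-sample tag, so the message can mislead whoever triages a rejected file. Either drop the component count from this message or state in a comment that it is the current tag's count. The `s->bpp > 64U` test also relies on the unsigned conversion to reject the `s->bpp = -1` assigned earlier in the function; a comment like `/* unsigned compare also rejects negative bpp */` would make that explicit. tiff_decode_tag starts outside this hunk.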
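Review bot: Both padding loops, here in ffm2_read_header and in the ffm_read_header hunk that follows, now stop at EOF but then fall through to `/* init packet demux */` as if the block boundary had been reached. A truncated header is therefore accepted unless something later rejects it; consider failing right after the loop with `if (pb->eof_reached) goto fail;` and an explicit error code. The modulo also assumes `ffm->packet_size` is non-zero, which is not checked in the visible lines. Both function bodies extend outside the hunks.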
Signed-off-by: Michael Niedermayer (cherry picked from commit 4c91d81be23ffacfa3897b2bcfa77445bb0c2f89) Conflicts: libavformat/ffmdec.c --- libavformat/ffmdec.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index cbbac78526..9e5b562709 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -299,6 +299,12 @@ static int ffm2_read_header(AVFormatContext *s) case MKBETAG('S', 'T', 'V', 'I'): codec->time_base.num = avio_rb32(pb); codec->time_base.den = avio_rb32(pb); + if (codec->time_base.num <= 0 || codec->time_base.den <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n", + codec->time_base.num, codec->time_base.den); + ret = AVERROR_INVALIDDATA; + goto fail; + } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); @@ -423,6 +429,11 @@ static int ffm_read_header(AVFormatContext *s) case AVMEDIA_TYPE_VIDEO: codec->time_base.num = avio_rb32(pb); codec->time_base.den = avio_rb32(pb); + if (codec->time_base.num <= 0 || codec->time_base.den <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n", + codec->time_base.num, codec->time_base.den); + goto fail; + } codec->width = avio_rb16(pb); codec->height = avio_rb16(pb); codec->gop_size = avio_rb16(pb); From 820b84d0658a695b697342b9f8ee11581ce50d55 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 14:59:44 +0100 Subject: [PATCH 0434/1352] ffmdec: limit the backward seek to the last resync position If resyncing leads to the same position as previously, it will again lead to a resync attempt, resulting in an infinite loop. Thus don't seek back beyond the last syncpoint. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6b8263b03ab3d16d70525ae1893cb106be7852f1) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
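Review bot: The ffm_read_header hunk jumps to `fail` without setting an error code, while the identical check in ffm2_read_header assigns `ret = AVERROR_INVALIDDATA` first. If `fail` in ffm_read_header returns a fixed value this is harmless, but the two checks would be safer against later refactoring with an explicit error code in both, or with the validation factored into one helper. Only the video branch validates the time base in the visible lines; whether other stream types read one is outside these hunks.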
diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 9e5b562709..5c40539c83 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -79,6 +79,7 @@ static int ffm_read_data(AVFormatContext *s, FFMContext *ffm = s->priv_data; AVIOContext *pb = s->pb; int len, fill_size, size1, frame_offset, id; + int64_t last_pos = -1; size1 = size; while (size > 0) { @@ -98,9 +99,11 @@ static int ffm_read_data(AVFormatContext *s, avio_seek(pb, tell, SEEK_SET); } id = avio_rb16(pb); /* PACKET_ID */ - if (id != PACKET_ID) + if (id != PACKET_ID) { if (ffm_resync(s, id) < 0) return -1; + last_pos = avio_tell(pb); + } fill_size = avio_rb16(pb); ffm->dts = avio_rb64(pb); frame_offset = avio_rb16(pb); @@ -114,7 +117,9 @@ static int ffm_read_data(AVFormatContext *s, if (!frame_offset) { /* This packet has no frame headers in it */ if (avio_tell(pb) >= ffm->packet_size * 3LL) { - avio_seek(pb, -ffm->packet_size * 2LL, SEEK_CUR); + int64_t seekback = FFMIN(ffm->packet_size * 2LL, avio_tell(pb) - last_pos); + seekback = FFMAX(seekback, 0); + avio_seek(pb, -seekback, SEEK_CUR); goto retry_read; } /* This is bad, we cannot find a valid frame header */ From 770094752528841e44789e559560c97bf4fdf316 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Mar 2015 03:42:00 +0100 Subject: [PATCH 0435/1352] avcodec/options_table: remove extradata_size from the AVOptions table allowing access to the size but not the extradata itself is not useful and could lead to potential problems if writing happens through this field Reviewed-by: Andreas Cadhalpun Reviewed-by: Lukasz Marek Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 1f4088b28540080ce1d42345c5614be3e1a6a197) Signed-off-by: Michael Niedermayer --- libavcodec/options_table.h | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/options_table.h b/libavcodec/options_table.h index 5e79f8204f..790e676d02 100644 --- a/libavcodec/options_table.h +++ b/libavcodec/options_table.h 
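Review bot: `last_pos` starts at -1 and is only assigned after a resync, so without a resync `avio_tell(pb) - last_pos` is the position plus one and the `FFMIN` falls back to two packets; none of this is stated in the code. A comment on the declaration such as `/* position right after the last resync, -1 if none; bounds the backward seek */` would make the sentinel and the clamp readable. `last_pos` is a local, so the bound does not appear to survive across calls to ffm_read_data; it is worth confirming that a resync from an earlier call cannot be re-entered. The function body extends outside these hunks.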
@@ -102,7 +102,6 @@ static const AVOption avcodec_options[] = { {"hex", "hex motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_HEX }, INT_MIN, INT_MAX, V|E, "me_method" }, {"umh", "umh motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_UMH }, INT_MIN, INT_MAX, V|E, "me_method" }, {"iter", "iter motion estimation", 0, AV_OPT_TYPE_CONST, {.i64 = ME_ITER }, INT_MIN, INT_MAX, V|E, "me_method" }, -{"extradata_size", NULL, OFFSET(extradata_size), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX}, {"time_base", NULL, OFFSET(time_base), AV_OPT_TYPE_RATIONAL, {.dbl = 0}, INT_MIN, INT_MAX}, {"g", "set the group of picture (GOP) size", OFFSET(gop_size), AV_OPT_TYPE_INT, {.i64 = 12 }, INT_MIN, INT_MAX, V|E}, {"ar", "set audio sampling rate (in Hz)", OFFSET(sample_rate), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, 0, INT_MAX, A|D|E}, From 7b3d8ae32d2909c6e2149ae874b565392fd183b2 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 19:24:09 +0100 Subject: [PATCH 0436/1352] roqvideoenc: set enc->avctx in roq_encode_init So far it is only set in roq_encode_frame, but it is used in roq_encode_end to free the coded_frame. This currently segfaults if roq_encode_frame is not called between roq_encode_init and roq_encode_end. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit cf82c426fadf90105e1fb9d5ecd267cc3aa2b288) Signed-off-by: Michael Niedermayer --- libavcodec/roqvideoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/roqvideoenc.c b/libavcodec/roqvideoenc.c index 1c5970f68b..7fbbb85419 100644 --- a/libavcodec/roqvideoenc.c +++ b/libavcodec/roqvideoenc.c @@ -966,6 +966,8 @@ static av_cold int roq_encode_init(AVCodecContext *avctx) av_lfg_init(&enc->randctx, 1); + enc->avctx = avctx; + enc->framesSinceKeyframe = 0; if ((avctx->width & 0xf) || (avctx->height & 0xf)) { av_log(avctx, AV_LOG_ERROR, "Dimensions must be divisible by 16\n"); 
From de2f46c59dade95fe45b7b99fb4c0619943ef3ad Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 19:31:39 +0100 Subject: [PATCH 0437/1352] asfenc: fix leaking asf->index_ptr on error Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 2c8cff2be4a044c66e4904efa156dafd0d332d25) Signed-off-by: Michael Niedermayer --- libavformat/asfenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index cccbf858c7..ece840eba6 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c @@ -664,6 +664,7 @@ static int asf_write_header(AVFormatContext *s) * It is needed to use asf as a streamable format. */ if (asf_write_header1(s, 0, DATA_HEADER_SIZE) < 0) { //av_free(asf); + av_freep(&asf->index_ptr); return -1; } From 8639c37d2b5480e2fd28ea9699c85a20c6ff33f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Mar 2015 20:21:14 +0100 Subject: [PATCH 0438/1352] avcodec/012v: Check dimensions more completely Fixes division by 0 Found-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit d3b25383daffac154846daeb4e4fb46569e728db) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index c2b6a35041..7526e8fcba 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -45,8 +45,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, const uint8_t *line_end, *src = avpkt->data; int stride = avctx->width * 8 / 3; - if (width == 1) { - av_log(avctx, AV_LOG_ERROR, "Width 1 not supported.\n"); + if (width <= 1 || avctx->height <= 0) { + av_log(avctx, AV_LOG_ERROR, "Dimensions %dx%d not supported.\n", width, avctx->height); return AVERROR_INVALIDDATA; } From f11afe6bc654bb7a0c3c8f153680a7bba300d251 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 10 Mar 2015 19:18:34 +0100 Subject: [PATCH 0439/1352] avcodec/012v: redesign main loop Fixes out of array accesses Fixes: ffmpeg_012v_crash.ts Found-by: Thomas Lindroth Reviewed-by: Thomas Lindroth Signed-off-by: Michael Niedermayer (cherry picked from commit 48df30d36c3ca360c407d84f96749888d1fbe853) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 82 ++++++++++++++++++++++------------------------- 1 file changed, 39 insertions(+), 43 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index 7526e8fcba..b87551e0a5 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -38,7 +38,7 @@ static av_cold int zero12v_decode_init(AVCodecContext *avctx) static int zero12v_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket *avpkt) { - int line = 0, ret; + int line, ret; const int width = avctx->width; AVFrame *pic = data; uint16_t *y, *u, *v; 
@@ -67,45 +67,45 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, pic->pict_type = AV_PICTURE_TYPE_I; pic->key_frame = 1; - y = (uint16_t *)pic->data[0]; - u = (uint16_t *)pic->data[1]; - v = (uint16_t *)pic->data[2]; line_end = avpkt->data + stride; + for (line = 0; line < avctx->height; line++) { + uint16_t y_temp[6] = {0x8000, 0x8000, 0x8000, 0x8000, 0x8000, 0x8000}; + uint16_t u_temp[3] = {0x8000, 0x8000, 0x8000}; + uint16_t v_temp[3] = {0x8000, 0x8000, 0x8000}; + int x; + y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); + u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); + v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); - while (line++ < avctx->height) { - while (1) { - uint32_t t = AV_RL32(src); + for (x = 0; x < width; x += 6) { + uint32_t t; + + if (width - x < 6 || line_end - src < 16) { + y = y_temp; + u = u_temp; + v = v_temp; + } + + if (line_end - src < 4) + break; + + t = AV_RL32(src); src += 4; *u++ = t << 6 & 0xFFC0; *y++ = t >> 4 & 0xFFC0; *v++ = t >> 14 & 0xFFC0; - if (src >= line_end - 1) { - *y = 0x80; - src++; - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; *y++ = t << 6 & 0xFFC0; *u++ = t >> 4 & 0xFFC0; *y++ = t >> 14 & 0xFFC0; - if (src >= line_end - 2) { - if (!(width & 1)) { - *y = 0x80; - src += 2; - } - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; 
@@ -113,15 +113,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, *y++ = t >> 4 & 0xFFC0; *u++ = t >> 14 & 0xFFC0; - if (src >= line_end - 1) { - *y = 0x80; - src++; - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (line_end - src < 4) break; - } t = AV_RL32(src); src += 4; @@ -129,18 +122,21 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, *v++ = t >> 4 & 0xFFC0; *y++ = t >> 14 & 0xFFC0; - if (src >= line_end - 2) { - if (width & 1) { - *y = 0x80; - src += 2; - } - line_end += stride; - y = (uint16_t *)(pic->data[0] + line * pic->linesize[0]); - u = (uint16_t *)(pic->data[1] + line * pic->linesize[1]); - v = (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + if (width - x < 6) break; - } } + + if (x < width) { + y = x + (uint16_t *)(pic->data[0] + line * pic->linesize[0]); + u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); + v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); + memcpy(y, y_temp, sizeof(*y) * (width - x)); + memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); + memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + } + + line_end += stride; + src = line_end - stride; } *got_frame = 1; From f45f3f99a4d92099c710f9547abfd33da4af1d40 Mon Sep 17 00:00:00 2001 
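Review bot: The chroma copies in the tail block compute their length as `sizeof(*u) * (width - x + 1) / 2`, which multiplies before dividing and so yields `width - x + 1` bytes instead of `(width - x + 1) / 2` samples. When the remainder `width - x` is even this is an odd byte count, one byte more than intended, so half of the following chroma sample is overwritten. Parenthesising the division fixes it: `memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2));` and the same for `v`. zero12v_decode_frame starts outside this hunk.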
From: Andreas Cadhalpun Date: Fri, 13 Mar 2015 22:28:42 +0100 Subject: [PATCH 0440/1352] ac3dec_fixed: always use the USE_FIXED=1 variant of the AC3DecodeContext The AC3DecodeContext has a float (USE_FIXED=0) and an integer (USE_FIXED=1) variant, both of which can be present in the same binary. This is not only very confusing, but it also breaks horribly, when one variant is used by code expecting the other. This currently happens, because eac3dec.c is only compiled for the float variant, but also used from ac3dec_fixed.c, which uses the integer variant. The result is memory corruption, leading to crashes. So compile eac3dec.c once for each variant and adapt it, so that it works with the integer variant. A loss of precission and scaling bug has been fixed by the committer Signed-off-by: Michael Niedermayer (cherry picked from commit 7b05b5093ea67a3397b0c37cf398bab471e1ce2b) Signed-off-by: Michael Niedermayer --- libavcodec/Makefile | 2 +- libavcodec/ac3dec.h | 6 +++--- libavcodec/ac3dec_fixed.c | 1 + libavcodec/ac3dec_float.c | 1 + libavcodec/eac3dec.c | 13 ++++++++----- 5 files changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index eda2f8b284..07658f86b6 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -206,7 +206,7 @@ OBJS-$(CONFIG_DVVIDEO_DECODER) += dvdec.o dv.o dvdata.o OBJS-$(CONFIG_DVVIDEO_ENCODER) += dvenc.o dv.o dvdata.o OBJS-$(CONFIG_DXA_DECODER) += dxa.o OBJS-$(CONFIG_DXTORY_DECODER) += dxtory.o -OBJS-$(CONFIG_EAC3_DECODER) += eac3dec.o eac3_data.o +OBJS-$(CONFIG_EAC3_DECODER) += eac3_data.o OBJS-$(CONFIG_EAC3_ENCODER) += eac3enc.o eac3_data.o OBJS-$(CONFIG_EACMV_DECODER) += eacmv.o OBJS-$(CONFIG_EAMAD_DECODER) += eamad.o eaidct.o mpeg12.o \ diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index a213bc0870..c5a348ab16 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h 
@@ -243,19 +243,19 @@ typedef struct AC3DecodeContext { * Parse the E-AC-3 frame header. * This parses both the bit stream info and audio frame header. */ -int ff_eac3_parse_header(AC3DecodeContext *s); +static int ff_eac3_parse_header(AC3DecodeContext *s); /** * Decode mantissas in a single channel for the entire frame. * This is used when AHT mode is enabled. */ -void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch); +static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch); /** * Apply spectral extension to each channel by copying lower frequency * coefficients to higher frequency bins and applying side information to * approximate the original high frequency signal. */ -void ff_eac3_apply_spectral_extension(AC3DecodeContext *s); +static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s); #endif /* AVCODEC_AC3DEC_H */ diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index cb3b251589..b4beee6dd7 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -164,6 +164,7 @@ static void ac3_downmix_c_fixed16(int16_t **samples, int16_t (*matrix)[2], } } +#include "eac3dec.c" #include "ac3dec.c" static const AVOption options[] = { diff --git a/libavcodec/ac3dec_float.c b/libavcodec/ac3dec_float.c index e7fc5cbed1..d74a0df68d 100644 --- a/libavcodec/ac3dec_float.c +++ b/libavcodec/ac3dec_float.c @@ -28,6 +28,7 @@ * Upmix delay samples from stereo to original channel layout. */ #include "ac3dec.h" +#include "eac3dec.c" #include "ac3dec.c" static const AVOption options[] = { diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 8e931fddeb..cd2eec8d00 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c 
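Review bot: Declaring the three `ff_eac3_*` prototypes `static` in ac3dec.h means every file that includes this header must also pull in the definitions from eac3dec.c, or it will get declared-but-not-defined warnings. In the visible hunks that coupling is met only by the `#include "eac3dec.c"` lines added to ac3dec_fixed.c and ac3dec_float.c. A comment above the prototypes, for example `/* defined in eac3dec.c, which is #included once per USE_FIXED variant */`, would explain the linkage. The `ff_` prefix also no longer matches file-local functions, which is worth a follow-up rename if the project reserves it for shared symbols.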
@@ -63,7 +63,7 @@ typedef enum { #define EAC3_SR_CODE_REDUCED 3 -void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) +static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) { int bin, bnd, ch, i; uint8_t wrapflag[SPX_MAX_BANDS]={1,0,}, num_copy_sections, copy_sizes[SPX_MAX_BANDS]; @@ -101,7 +101,7 @@ void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) for (i = 0; i < num_copy_sections; i++) { memcpy(&s->transform_coeffs[ch][bin], &s->transform_coeffs[ch][s->spx_dst_start_freq], - copy_sizes[i]*sizeof(float)); + copy_sizes[i]*sizeof(INTFLOAT)); bin += copy_sizes[i]; } @@ -124,7 +124,7 @@ void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) bin = s->spx_src_start_freq - 2; for (bnd = 0; bnd < s->num_spx_bands; bnd++) { if (wrapflag[bnd]) { - float *coeffs = &s->transform_coeffs[ch][bin]; + INTFLOAT *coeffs = &s->transform_coeffs[ch][bin]; coeffs[0] *= atten_tab[0]; coeffs[1] *= atten_tab[1]; coeffs[2] *= atten_tab[2]; @@ -142,6 +142,9 @@ void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) for (bnd = 0; bnd < s->num_spx_bands; bnd++) { float nscale = s->spx_noise_blend[ch][bnd] * rms_energy[bnd] * (1.0f / INT32_MIN); float sscale = s->spx_signal_blend[ch][bnd]; +#if USE_FIXED + nscale *= 1.0 / (1<<23); +#endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); s->transform_coeffs[ch][bin] *= sscale; @@ -195,7 +198,7 @@ static void idct6(int pre_mant[6]) pre_mant[5] = even0 - odd0; } -void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) +static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) { int bin, blk, gs; int end_bap, gaq_mode; @@ -288,7 +291,7 @@ void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) } } -int ff_eac3_parse_header(AC3DecodeContext *s) +static int ff_eac3_parse_header(AC3DecodeContext *s) { int i, blk, ch; int ac3_exponent_strategy, parse_aht_info, parse_spx_atten_data; 
From 40dab450503125f22a82cebf03453b2bdd65d748 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Sat, 14 Mar 2015 11:48:57 +0000 Subject: [PATCH 0441/1352] ac3_fixed: fix out-of-bound read Should also improve decoding, but actually doesn't... Signed-off-by: Michael Niedermayer (cherry picked from commit b0834400608b3980c06bf6d2cf747116e60d10c7) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 969e37ffb8..80b93946f6 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -872,7 +872,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) start_subband += start_subband - 7; end_subband = get_bits(gbc, 3) + 5; #if USE_FIXED - s->spx_dst_end_freq = end_freq_inv_tab[end_subband]; + s->spx_dst_end_freq = end_freq_inv_tab[end_subband-5]; #endif if (end_subband > 7) end_subband += end_subband - 7; From 691f9dee0060458e5d3c36346af8c41cf9e74500 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Sat, 14 Mar 2015 11:48:58 +0000 Subject: [PATCH 0442/1352] ac3_fixed: fix computation of spx_noise_blend It was set to 1 instead of sqrt(3) Signed-off-by: Michael Niedermayer (cherry picked from commit c4bf3833f4663fd484441907f73c5bc4700021a4) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 80b93946f6..a0cdb5af69 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -939,7 +939,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) nblend = 0; sblend = 0x800000; } else if (nratio > 0x7fffff) { - nblend = 0x800000; + nblend = 14529495; // sqrt(3) in FP.23 sblend = 0; } else { nblend = fixed_sqrt(nratio, 23); From b9b56ded7dd4987fc3395bc58320c42493c41a62 Mon Sep 17 00:00:00 2001 
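Review bot: The index `end_subband-5` silently undoes the `+ 5` applied on the previous line, so the two constants have to be kept in sync by hand. Reading the 3-bit field into a local and indexing with that, or at least adding a comment such as `/* table is indexed by the raw 3-bit field (0..7) */`, would make the bound obvious to the next reader. The size of `end_freq_inv_tab` is not visible in this hunk and should be confirmed to cover all eight values. decode_audio_block extends outside the hunk.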
From: Christophe Gisquet Date: Sat, 14 Mar 2015 11:48:59 +0000 Subject: [PATCH 0443/1352] eac3dec: fix scaling This is the remaining error, the output on the SPX samples, respectively csi_miami_stereo_128_spx.eac3 and csi_miami_5.1_256_spx.eac3, goes from: stddev: 8.71 PSNR: 77.52 MAXDIFF: 235 stddev:24270.51 PSNR: 22.17 MAXDIFF:47166 to: stddev: 0.12 PSNR:114.12 MAXDIFF: 1 stddev: 0.12 PSNR:114.73 MAXDIFF: 1 Signed-off-by: Michael Niedermayer (cherry picked from commit 0c3339f4bd7aceebfd74deb437ba2e5c04ef3d0e) Signed-off-by: Michael Niedermayer --- libavcodec/eac3dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index cd2eec8d00..ef815afb55 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -143,7 +143,9 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) float nscale = s->spx_noise_blend[ch][bnd] * rms_energy[bnd] * (1.0f / INT32_MIN); float sscale = s->spx_signal_blend[ch][bnd]; #if USE_FIXED + // spx_noise_blend and spx_signal_blend are both FP.23 nscale *= 1.0 / (1<<23); + sscale *= 1.0 / (1<<23); #endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); From e168db3eaef0ee19af3bc5ce748b8d423e1d6135 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Mar 2015 21:23:32 +0100 Subject: [PATCH 0444/1352] avformat/mov: Use sizeof(filename) instead of a literal number Signed-off-by: Michael Niedermayer (cherry picked from commit 21a53dd08dce7cc5b3fdf9c4826b4b74d8300ea0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c8b3f75eac..ab09665002 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -2392,9 +2392,9 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, filename[src_path - src] = 0; for (i = 1; i < ref->nlvl_from; i++) - av_strlcat(filename, "../", 1024); + av_strlcat(filename, "../", sizeof(filename)); - av_strlcat(filename, ref->path + l + 1, 1024); + av_strlcat(filename, ref->path + l + 1, sizeof(filename)); if (!avio_open2(pb, filename, AVIO_FLAG_READ, int_cb, NULL)) return 0; From e0975c31f1888d2b1b8ff21ec8c6c56fe1da9cdb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Mar 2015 21:24:54 +0100 Subject: [PATCH 0445/1352] avformat/mov: Check for string truncation in mov_open_dref() Signed-off-by: Michael Niedermayer (cherry picked from commit 8003816e1619e77d8de051883264aa090e0d78cc) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ab09665002..7746cc197c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2366,7 +2366,7 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, /* try relative path, we do not try the absolute because it can leak information about our system to an attacker */ if (ref->nlvl_to > 0 && ref->nlvl_from > 0) { - char filename[1024]; + char filename[1025]; const char *src_path; int i, l; @@ -2396,6 +2396,8 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, av_strlcat(filename, ref->path + l + 1, sizeof(filename)); + if (strlen(filename) + 1 == sizeof(filename)) + return AVERROR(ENOENT); if (!avio_open2(pb, filename, AVIO_FLAG_READ, int_cb, NULL)) return 0; } From 17e6d249b702b8b6aa3452c3deef5e2042fc0f23 Mon Sep 17 00:00:00 2001 
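Review bot: The truncation test `strlen(filename) + 1 == sizeof(filename)` only works together with the buffer growing to 1025, and neither line says so. `av_strlcat()` returns the length it tried to create, so comparing that return value with `sizeof(filename)` on each call would detect truncation directly and would not need the spare byte. If the current form stays, the declaration needs a comment such as `/* one spare byte: a completely full buffer is treated as truncated */`. The first part of `filename` is filled before these hunks, outside the visible lines.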
From: Michael Niedermayer Date: Sat, 14 Mar 2015 21:32:35 +0100 Subject: [PATCH 0446/1352] avformat/mov: Disallow ".." in dref unless use_absolute_path is set as this kind of allows to circumvent it to some extend. We also could add a separate parameter or value to choose this Found-by: ramiro Signed-off-by: Michael Niedermayer (cherry picked from commit 1e4d0498df6621143da1a550006ddc3526ad51cb) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7746cc197c..6b20a57d07 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2395,6 +2395,9 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, av_strlcat(filename, "../", sizeof(filename)); av_strlcat(filename, ref->path + l + 1, sizeof(filename)); + if (!use_absolute_path) + if(strstr(ref->path + l + 1, "..") || ref->nlvl_from > 1) + return AVERROR(ENOENT); if (strlen(filename) + 1 == sizeof(filename)) return AVERROR(ENOENT); From 760c384f7db44e7d7ecc01a834fd57c33fca360d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Mar 2015 23:28:39 +0100 Subject: [PATCH 0447/1352] avcodec/dnxhddec: Check that the frame is interlaced before using cur_field Fixes Ticket4227 Signed-off-by: Michael Niedermayer (cherry picked from commit 2c660e34cf3c2b77cd2bef6f292920334dfd9192) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 06800746d1..a8cf0800aa 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c 
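Review bot: The `..` rejection is written as two nested unbraced `if`s placed after the path has already been assembled, which is easy to misread and easy to break when a line is added. A single guard reads more clearly: `if (!use_absolute_path && (strstr(ref->path + l + 1, "..") || ref->nlvl_from > 1)) return AVERROR(ENOENT);`, and as far as the visible lines show it could sit ahead of the `av_strlcat()` calls. The `strstr` test rejects any name containing two consecutive dots, not only a `..` path component; that errs on the safe side, but a comment should say it is intentional. mov_open_dref starts outside the hunk.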
@@ -363,7 +363,7 @@ static int dnxhd_decode_macroblock(DNXHDContext *ctx, AVFrame *frame, dest_u = frame->data[1] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1 + ctx->is_444)); dest_v = frame->data[2] + ((y * dct_linesize_chroma) << 4) + (x << (3 + shift1 + ctx->is_444)); - if (ctx->cur_field) { + if (frame->interlaced_frame && ctx->cur_field) { dest_y += frame->linesize[0]; dest_u += frame->linesize[1]; dest_v += frame->linesize[2]; From 2049d95f2feec2d7306429867f9ae388de839dbf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Mar 2015 12:54:16 +0100 Subject: [PATCH 0448/1352] avcodec/hevc_ps: Check cropping parameters more correctly Signed-off-by: Michael Niedermayer (cherry picked from commit 06c70d45373dedc600f28e345685b130b60203c1) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 3309377455..d7e78b1b77 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1040,7 +1040,8 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) (sps->output_window.left_offset + sps->output_window.right_offset); sps->output_height = sps->height - (sps->output_window.top_offset + sps->output_window.bottom_offset); - if (sps->output_width <= 0 || sps->output_height <= 0) { + if (sps->width <= sps->output_window.left_offset + (int64_t)sps->output_window.right_offset || + sps->height <= sps->output_window.top_offset + (int64_t)sps->output_window.bottom_offset) { av_log(s->avctx, AV_LOG_WARNING, "Invalid visible frame dimensions: %dx%d.\n", sps->output_width, sps->output_height); if (s->avctx->err_recognition & AV_EF_EXPLODE) { From 539172c85b13796fe5ce2a7482f436b6e9b33cf6 Mon Sep 17 00:00:00 2001 
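Review bot: In the hevc_ps.c hunk the new condition avoids overflow with the `(int64_t)` cast, but the context lines just above still compute `sps->output_width` and `sps->output_height` from the same offset sums in their native type. A wrapped value can therefore still be stored and is then printed by the warning. Computing each sum once in 64-bit and deriving both the check and the stored dimensions from it would keep them consistent. The types of the `output_window` offsets are not visible here, so whether the earlier sum wraps or is undefined needs confirming; ff_hevc_decode_nal_sps extends outside the hunk.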
From: Michael Niedermayer Date: Tue, 24 Mar 2015 15:50:12 +0100 Subject: [PATCH 0449/1352] avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer Fixes out of array access Fixes: da14e86d8462be6493eab16bc2d40f88/asan_heap-oob_204cfd2_528_cov_340150052_COMPRESS.BMP Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f7e1367f58263593e6cee3c282f7277d7ee9d553) Signed-off-by: Michael Niedermayer --- libavcodec/msrledec.c | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index 4d3da5ba17..deb6f86523 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -37,16 +37,14 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, unsigned char extra_byte, odd_pixel; unsigned char stream_byte; unsigned int pixel_ptr = 0; - int row_dec = pic->linesize[0]; - int row_ptr = (avctx->height - 1) * row_dec; - int frame_size = row_dec * avctx->height; + int line = avctx->height - 1; int i; - while (row_ptr >= 0) { + while (line >= 0 && pixel_ptr <= avctx->width) { if (bytestream2_get_bytes_left(gb) <= 0) { av_log(avctx, AV_LOG_ERROR, - "MS RLE: bytestream overrun, %d rows left\n", - row_ptr); + "MS RLE: bytestream overrun, %dx%d left\n", + avctx->width - pixel_ptr, line); return AVERROR_INVALIDDATA; } rle_code = stream_byte = bytestream2_get_byteu(gb); @@ -55,7 +53,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, stream_byte = bytestream2_get_byte(gb); if (stream_byte == 0) { /* line is done, goto the next one */ - row_ptr -= row_dec; + line--; pixel_ptr = 0; } else if (stream_byte == 1) { /* decode is done */ 
@@ -65,13 +63,12 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, stream_byte = bytestream2_get_byte(gb); pixel_ptr += stream_byte; stream_byte = bytestream2_get_byte(gb); - row_ptr -= stream_byte * row_dec; } else { // copy pixels from encoded stream odd_pixel = stream_byte & 1; rle_code = (stream_byte + 1) / 2; extra_byte = rle_code & 0x01; - if (row_ptr + pixel_ptr + stream_byte > frame_size || + if (pixel_ptr + 2*rle_code - odd_pixel > avctx->width || bytestream2_get_bytes_left(gb) < rle_code) { av_log(avctx, AV_LOG_ERROR, "MS RLE: frame/stream ptr just went out of bounds (copy)\n"); @@ -82,13 +79,13 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, if (pixel_ptr >= avctx->width) break; stream_byte = bytestream2_get_byteu(gb); - pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4; pixel_ptr++; if (i + 1 == rle_code && odd_pixel) break; if (pixel_ptr >= avctx->width) break; - pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F; pixel_ptr++; } @@ -98,7 +95,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, } } else { // decode a run of data - if (row_ptr + pixel_ptr + stream_byte > frame_size) { + if (pixel_ptr + rle_code > avctx->width + 1) { av_log(avctx, AV_LOG_ERROR, "MS RLE: frame ptr just went out of bounds (run)\n"); return AVERROR_INVALIDDATA; @@ -108,9 +105,9 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, if (pixel_ptr >= avctx->width) break; if ((i & 1) == 0) - pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4; else - pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F; + pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F; pixel_ptr++; } } From e74ad9035f3eed5fdf951e5c62116ba39184971b Mon Sep 17 00:00:00 2001 
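Review bot: The skip-code branch (`stream_byte == 2`) still reads the second delta byte, but nothing replaces the removed `row_ptr -= stream_byte * row_dec;`. The vertical delta is therefore consumed and discarded, and the pixels that follow are written to the current line. If that is not intended, `line -= stream_byte;` after the second `bytestream2_get_byte(gb)` restores the move, and the `line >= 0` loop test from the first hunk should then stop a delta that runs past the top row. If dropping it is deliberate, say so in place, e.g. `/* vertical delta is read but intentionally ignored */`. The branch belongs to msrle_decode_pal4, whose start and end are outside this hunk.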
From: James Almer Date: Thu, 26 Mar 2015 02:11:55 -0300 Subject: [PATCH 0450/1352] avutil/cpu: add missing check for mmxext to av_force_cpu_flags Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 1f5d1eed78fad63f1c80a3766d3dc2421b99104d) --- libavutil/cpu.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/cpu.c b/libavutil/cpu.c index 53c12273ef..1617464980 100644 --- a/libavutil/cpu.c +++ b/libavutil/cpu.c @@ -49,6 +49,7 @@ static int flags, checked; void av_force_cpu_flags(int arg){ if ( (arg & ( AV_CPU_FLAG_3DNOW | AV_CPU_FLAG_3DNOWEXT | + AV_CPU_FLAG_MMXEXT | AV_CPU_FLAG_SSE | AV_CPU_FLAG_SSE2 | AV_CPU_FLAG_SSE2SLOW | From 2c8c55195da97ee45fb0daf6d68c22b942e14ade Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Mar 2015 01:28:28 +0200 Subject: [PATCH 0451/1352] Update for 2.4.8 Signed-off-by: Michael Niedermayer --- Changelog | 39 +++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 41 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 2371d9da5f..43639aec66 100644 --- a/Changelog +++ b/Changelog 
@@ -3,6 +3,45 @@ releases are sorted from youngest to oldest. version : +version 2.4.8: +- avutil/cpu: add missing check for mmxext to av_force_cpu_flags +- avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer +- avcodec/hevc_ps: Check cropping parameters more correctly +- avcodec/dnxhddec: Check that the frame is interlaced before using cur_field +- avformat/mov: Disallow ".." in dref unless use_absolute_path is set +- avformat/mov: Check for string truncation in mov_open_dref() +- ac3_fixed: fix out-of-bound read +- avcodec/012v: redesign main loop +- avcodec/012v: Check dimensions more completely +- asfenc: fix leaking asf->index_ptr on error +- avcodec/options_table: remove extradata_size from the AVOptions table +- ffmdec: limit the backward seek to the last resync position +- ffmdec: make sure the time base is valid +- ffmdec: fix infinite loop at EOF +- avcodec/tiff: move bpp check to after "end:" +- avcodec/opusdec: Fix delayed sample value +- avcodec/utils: Align YUV411 by as much as the other YUV variants +- vp9: fix segmentation map retention with threading enabled. +- doc/protocols/tcp: fix units of listen_timeout option value, from microseconds to milliseconds +- fix VP9 packet decoder returning 0 instead of the used data size +- avformat/bit: only accept the g729 codec and 1 channel +- avformat/adxdec: check avctx->channels for invalid values +- Fix buffer_size argument to init_put_bits() in multiple encoders. 
+- mips/acelp_filters: fix incorrect register constraint +- avcodec/hevc_ps: Sanity checks for some log2_* values +- avcodec/zmbv: Check len before reading in decode_frame() +- avcodec/snowdec: Fix ref value check +- swscale/utils: More carefully merge and clear coefficients outside the input +- avcodec/a64multienc: fix use of uninitialized values in to_meta_with_crop +- avcodec/a64multienc: don't set incorrect packet size +- webp: ensure that each transform is only used once +- avcodec/hevc_ps: More complete window reset +- vp9: make above buffer pointer 32-byte aligned. +- avformat/rm: limit packet size +- avcodec/webp: validate the distance prefix code +- avcodec/gif: fix off by one in column offsetting finding + + version 2.4.7: - avcodec/flac_parser: fix handling EOF if no headers are found - avfilter/vf_framepack: Check and update frame_rate diff --git a/RELEASE b/RELEASE index e30309f735..f041bc6dba 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.7 +2.4.8 diff --git a/doc/Doxyfile b/doc/Doxyfile index c81c7991fe..3f942b57ee 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.7 +PROJECT_NUMBER = 2.4.8 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 420aa06a2487469259a04f9be66fd15535372796 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 2 Apr 2015 06:09:05 +0200 Subject: [PATCH 0452/1352] avconv: do not overwrite the stream codec context for streamcopy Since we are not doing encoding, there is no point in ever touching the separate encoding context. Always use the stream codec context. Fixes writing attachments. CC:libav-devel@libav.org (cherry picked from commit 3892bdab9b652eb003ab95e167f1765e0b0ea035) 
Signed-off-by: Anton Khirnov Conflicts: avconv.c --- avconv.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/avconv.c b/avconv.c index 634101a452..66148c04b7 100644 --- a/avconv.c +++ b/avconv.c @@ -318,7 +318,7 @@ static void update_sample_fmt(AVCodecContext *dec, AVCodec *dec_codec, static void write_frame(AVFormatContext *s, AVPacket *pkt, OutputStream *ost) { AVBitStreamFilterContext *bsfc = ost->bitstream_filters; - AVCodecContext *avctx = ost->enc_ctx; + AVCodecContext *avctx = ost->encoding_needed ? ost->enc_ctx : ost->st->codec; int ret; /* @@ -1703,7 +1703,7 @@ static int transcode_init(void) if (ost->attachment_filename) continue; - enc_ctx = ost->enc_ctx; + enc_ctx = ost->stream_copy ? ost->st->codec : ost->enc_ctx; if (ist) { dec_ctx = ist->dec_ctx; @@ -1962,18 +1962,19 @@ static int transcode_init(void) if (ost->enc_ctx->bit_rate && ost->enc_ctx->bit_rate < 1000) av_log(NULL, AV_LOG_WARNING, "The bitrate parameter is set too low." "It takes bits/s as argument, not kbits/s\n"); + + ret = avcodec_copy_context(ost->st->codec, ost->enc_ctx); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, + "Error initializing the output stream codec context.\n"); + exit_program(1); + } + + ost->st->time_base = ost->enc_ctx->time_base; } else { av_opt_set_dict(ost->enc_ctx, &ost->encoder_opts); + ost->st->time_base = ost->st->codec->time_base; } - - ret = avcodec_copy_context(ost->st->codec, ost->enc_ctx); - if (ret < 0) { - av_log(NULL, AV_LOG_FATAL, - "Error initializing the output stream codec context.\n"); - exit_program(1); - } - - ost->st->time_base = ost->enc_ctx->time_base; } /* init input streams */ From 17b27a7cbe26c790a5ef2967c04a7f5e2add8b93 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Apr 2015 23:44:38 +0200 Subject: [PATCH 0453/1352] ffmpeg: Fix extradata allocation Signed-off-by: Michael Niedermayer (cherry picked from commit 4d02dfbde475d249916eb19c360e890059aa6aa5) 
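Review bot: write_frame selects the context with `ost->encoding_needed ? ost->enc_ctx : ost->st->codec`, while transcode_init selects it with `ost->stream_copy ? ost->st->codec : ost->enc_ctx`. The two sites agree only while every output stream has exactly one of those flags set. Using the same predicate in both places, or a small static helper that returns the context for an OutputStream, would stop them drifting apart; at minimum each site should carry a comment naming the other. Both functions extend beyond the hunks shown.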
Signed-off-by: Michael Niedermayer --- ffmpeg.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 3868b017ad..ab0093edf0 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2560,11 +2560,13 @@ static int transcode_init(void) enc_ctx->rc_max_rate = dec_ctx->rc_max_rate; enc_ctx->rc_buffer_size = dec_ctx->rc_buffer_size; enc_ctx->field_order = dec_ctx->field_order; - enc_ctx->extradata = av_mallocz(extra_size); - if (!enc_ctx->extradata) { - return AVERROR(ENOMEM); + if (dec_ctx->extradata_size) { + enc_ctx->extradata = av_mallocz(extra_size); + if (!enc_ctx->extradata) { + return AVERROR(ENOMEM); + } + memcpy(enc_ctx->extradata, dec_ctx->extradata, dec_ctx->extradata_size); } - memcpy(enc_ctx->extradata, dec_ctx->extradata, dec_ctx->extradata_size); enc_ctx->extradata_size= dec_ctx->extradata_size; enc_ctx->bits_per_coded_sample = dec_ctx->bits_per_coded_sample; From 5598d62a0703063ce510f756c890670d4a914c1e Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 10 Apr 2015 20:51:11 -0300 Subject: [PATCH 0454/1352] doc: add missing x86 cpuflags to fftools documentation Signed-off-by: James Almer (cherry picked from commit 410c93cfd5ab509d8c9f907f88ae09a87fb743e6) --- doc/fftools-common-opts.texi | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi index 7b6afba59f..1dc18dff29 100644 --- a/doc/fftools-common-opts.texi +++ b/doc/fftools-common-opts.texi @@ -234,10 +234,14 @@ Possible flags for this option are: @item sse4.1 @item sse4.2 @item avx +@item avx2 @item xop +@item fma3 @item fma4 @item 3dnow @item 3dnowext +@item bmi1 +@item bmi2 @item cmov @end table @item ARM From 4b817e2fff3a37afa1a207fd5f2b744f7c0bd919 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 10 Apr 2015 20:51:35 -0300 Subject: [PATCH 0455/1352] doc: add missing arm cpuflags to fftools documentation 
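Review bot: The new guard `if (dec_ctx->extradata_size)` in the ffmpeg.c hunk is also true for a negative size, which would reach `memcpy` with a length converted to a very large `size_t`. It also does not check that `dec_ctx->extradata` is non-NULL. `if (dec_ctx->extradata_size > 0 && dec_ctx->extradata) {` covers both cases. The following context line copies `extradata_size` unconditionally, so when the copy is skipped the encoder-side size should be set to 0 to keep pointer and size consistent. `extra_size` is computed above the hunk and its bounds check is not visible here.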
Signed-off-by: James Almer (cherry picked from commit 666ec9bd097201eaacb9c04da526cb2710cb9cab) --- doc/fftools-common-opts.texi | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi index 1dc18dff29..5b40e0fd4f 100644 --- a/doc/fftools-common-opts.texi +++ b/doc/fftools-common-opts.texi @@ -252,6 +252,7 @@ Possible flags for this option are: @item vfp @item vfpv3 @item neon +@item setend @end table @item PowerPC @table @samp From 3a5b4afd911f596651f9ba67188ab01c8aea7bbf Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 10 Apr 2015 20:52:29 -0300 Subject: [PATCH 0456/1352] doc: add aarch64 cpuflags to fftools documentation Signed-off-by: James Almer (cherry picked from commit 9fc45681e0c4736e4475966a70402d22c76a2965) --- doc/fftools-common-opts.texi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi index 5b40e0fd4f..2a1651bfee 100644 --- a/doc/fftools-common-opts.texi +++ b/doc/fftools-common-opts.texi @@ -254,6 +254,12 @@ Possible flags for this option are: @item neon @item setend @end table +@item AArch64 +@table @samp +@item armv8 +@item vfp +@item neon +@end table @item PowerPC @table @samp @item altivec From 3e1c9da38b849ce2982b516004370081fdd89ed0 Mon Sep 17 00:00:00 2001 From: Thomas Guillem Date: Fri, 10 Apr 2015 19:04:51 +0200 Subject: [PATCH 0457/1352] matroskadec: fix crash when parsing invalid mkv CC: libav-stable@libav.org Signed-off-by: Anton Khirnov (cherry picked from commit b8d7f3186e86234f6255f5e8ee9e98573b4d9a6e) Signed-off-by: Anton Khirnov --- libavformat/matroskadec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f3844582e2..67df4b349f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1825,8 +1825,12 @@ static int matroska_read_header(AVFormatContext *s) matroska->ctx = s; /* First read the EBML header. */ - if (ebml_parse(matroska, ebml_syntax, &ebml) || - ebml.version > EBML_VERSION || + if (ebml_parse(matroska, ebml_syntax, &ebml) || !ebml.doctype) { + av_log(matroska->ctx, AV_LOG_ERROR, "EBML header parsing failed\n"); + ebml_free(ebml_syntax, &ebml); + return AVERROR_INVALIDDATA; + } + if (ebml.version > EBML_VERSION || ebml.max_size > sizeof(uint64_t) || ebml.id_length > sizeof(uint32_t) || ebml.doctype_version > 3) { From 0014b243733d4860cc01c2f7e7943f4c171fae9c Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 12 Apr 2015 08:28:42 -0700 Subject: [PATCH 0458/1352] fate: Include branch information in the payload header The server is properly equiped not to choke on that now. Signed-off-by: Michael Niedermayer (cherry picked from commit 7ad27f1221562b037178d1fb605510ba349f04cc) Signed-off-by: Michael Niedermayer --- tests/fate.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/fate.sh b/tests/fate.sh index 5a78018b42..b55d87efc0 100755 --- a/tests/fate.sh +++ b/tests/fate.sh @@ -83,8 +83,7 @@ clean(){ report(){ date=$(date -u +%Y%m%d%H%M%S) - echo "fate:0:${date}:${slot}:${version}:$1:$2:${comment}" >report -# echo "fate:1:${date}:${slot}:${version}:$1:$2:${branch}:${comment}" >report + echo "fate:1:${date}:${slot}:${version}:$1:$2:${branch}:${comment}" >report cat ${build}/config.fate >>report cat ${build}/tests/data/fate/*.rep >>report || for i in ${build}/tests/data/fate/*.rep ; do cat "$i" >>report ; done test -n "$fate_recv" && $tar report *.log | gzip | $fate_recv From 8c832e3cc05c4590054cf49630b2f026eec4c734 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Apr 2015 23:59:53 +0200 Subject: [PATCH 0459/1352] avformat/img2dec: do not rewind custom io buffers Fixes double free with some applications Fixes vlc ticket14121 
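Review bot: The new failure branch in matroska_read_header returns `AVERROR_INVALIDDATA` for every non-zero result of `ebml_parse`. If the parser returns AVERROR codes, an I/O or allocation failure is then reported to the caller as invalid data. Storing the result, `res = ebml_parse(matroska, ebml_syntax, &ebml);`, and ending the branch with `return res < 0 ? res : AVERROR_INVALIDDATA;` preserves it while still rejecting a header without a doctype. The function begins and ends outside the hunk, so whether a suitable local already exists is not visible.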
Signed-off-by: Michael Niedermayer (cherry picked from commit e6e8cc8ce9c2a398fbb51254a5067f4bd3c4fa8a) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 6f10369b8a..1509f19426 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -339,7 +339,10 @@ int ff_img_read_header(AVFormatContext *s1) break; } } - ffio_rewind_with_probe_data(s1->pb, &probe_buffer, probe_buffer_size); + if (s1->flags & AVFMT_FLAG_CUSTOM_IO) { + avio_seek(s1->pb, 0, SEEK_SET); + } else + ffio_rewind_with_probe_data(s1->pb, &probe_buffer, probe_buffer_size); } if (st->codec->codec_id == AV_CODEC_ID_NONE) st->codec->codec_id = ff_guess_image2_codec(s->path); From 81e4b6f11a01afe459b616511f7d18a8c1464b29 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Apr 2015 22:22:31 +0200 Subject: [PATCH 0460/1352] avformat/utils: Ensure that AVFMT_FLAG_CUSTOM_IO is set before use Signed-off-by: Michael Niedermayer (cherry picked from commit ba631b791435c395361e2026fc7419b341e57813) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index f1610d6798..ac68a132c5 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -399,6 +399,9 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, if (options) av_dict_copy(&tmp, *options, 0); + if (s->pb) // must be before any goto fail + s->flags |= AVFMT_FLAG_CUSTOM_IO; + if ((ret = av_opt_set_dict(s, &tmp)) < 0) goto fail; From d7071efae4a285dd3bd40d21aee00f13d044b339 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Apr 2015 04:20:51 +0200 Subject: [PATCH 0461/1352] avformat/utils: avoid discarded streams in av_find_default_stream_index() Fixes Ticket2010 Signed-off-by: Michael Niedermayer (cherry picked from commit ff6841c6bb2d35f8d461419e45d59be7542d03fe) 
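Review bot: In the custom-I/O branch of the img2dec.c hunk, `probe_buffer` is neither handed to `ffio_rewind_with_probe_data` nor released. If it was heap-allocated above the hunk (the allocation is not visible), it leaks on every such open; `av_freep(&probe_buffer);` after the seek would fix that. The result of `avio_seek(s1->pb, 0, SEEK_SET)` is also ignored. A caller-supplied AVIOContext need not be seekable, in which case reading silently continues after the probed bytes; checking for `< 0` and returning the error would surface it. The `if` arm is braced and the `else` arm is not, which is easy to misread. ff_img_read_header extends outside the hunk.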
Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index ac68a132c5..0b20b0901f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1544,6 +1544,9 @@ int av_find_default_stream_index(AVFormatContext *s) score += 50; } + if (st->discard != AVDISCARD_ALL) + score += 200; + if (score > best_score) { best_score = score; best_stream = i; From 27993da8e789707f1f35bab1adac5f988dd31033 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Apr 2015 00:40:21 +0200 Subject: [PATCH 0462/1352] avcodec/h264: Fix race between slices where one overwrites data from the next Fixes non deterministic crash in ticket4408/fuzz2.264 Likely fixes other samples as well Signed-off-by: Michael Niedermayer (cherry picked from commit 43b434210e597d484aef57c4139c3126d22b7e2b) Conflicts: libavcodec/h264.h libavcodec/h264_slice.c (cherry picked from commit dbbc42858e87cdd04e6c3b7694f8b394d4bfcdc6) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 1 + libavcodec/h264_slice.c | 43 ++++++++++++++++++++++++++++++++++++----- 2 files changed, 39 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index cb7e6f9246..ec0b023267 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -539,6 +539,7 @@ typedef struct H264Context { int mb_x, mb_y; int resync_mb_x; int resync_mb_y; + int mb_index_end; int mb_skip_run; int mb_height, mb_width; int mb_stride; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d3d5a92eb0..b7103f14be 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -2447,8 +2447,17 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) for (;;) { // START_TIMER - int ret = ff_h264_decode_mb_cabac(h); - int eos; + int ret, eos; + + if (h->mb_x + h->mb_y * h->mb_width >= h->mb_index_end) { + av_log(h->avctx, AV_LOG_ERROR, "Slice overlaps next at %d\n", + h->mb_index_end); + er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x, + h->mb_y, ER_MB_ERROR); + return AVERROR_INVALIDDATA; + } + + ret = ff_h264_decode_mb_cabac(h); // STOP_TIMER("decode_mb_cabac") if (ret >= 0) @@ -2510,7 +2519,17 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) } } else { for (;;) { - int ret = ff_h264_decode_mb_cavlc(h); + int ret; + + if (h->mb_x + h->mb_y * h->mb_width >= h->mb_index_end) { + av_log(h->avctx, AV_LOG_ERROR, "Slice overlaps next at %d\n", + h->mb_index_end); + er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x, + h->mb_y, ER_MB_ERROR); + return AVERROR_INVALIDDATA; + } + + ret = ff_h264_decode_mb_cavlc(h); if (ret >= 0) ff_h264_hl_decode_mb(h); 
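Review bot: The overlap guard is pasted identically into the CABAC loop in this hunk and the CAVLC loop in the `@@ -2510` hunk, so any later change to the bound or to the error-resilience call has to be made twice. A static helper called from both loops keeps them in step. It also gives one place to document `mb_index_end`, which ff_h264_execute_decode_slices appears to set to the macroblock index where the next queued slice starts. decode_slice begins and ends outside both hunks.

```c
/* Return 0 while the current macroblock lies before mb_index_end,
 * otherwise mark the slice as damaged and return an error. */
static int check_slice_bound(H264Context *h)
{
    if (h->mb_x + h->mb_y * h->mb_width < h->mb_index_end)
        return 0;

    av_log(h->avctx, AV_LOG_ERROR, "Slice overlaps next at %d\n",
           h->mb_index_end);
    er_add_slice(h, h->resync_mb_x, h->resync_mb_y, h->mb_x,
                 h->mb_y, ER_MB_ERROR);
    return AVERROR_INVALIDDATA;
}

// … unchanged: loop setup in decode_slice …
        if ((ret = check_slice_bound(h)) < 0)
            return ret;
        ret = ff_h264_decode_mb_cabac(h);
// … unchanged: rest of the CABAC loop; the CAVLC loop gets the same two lines …
```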
@@ -2598,19 +2617,33 @@ int ff_h264_execute_decode_slices(H264Context *h, unsigned context_count) av_assert0(h->mb_y < h->mb_height); + h->mb_index_end = INT_MAX; + if (h->avctx->hwaccel || h->avctx->codec->capabilities & CODEC_CAP_HWACCEL_VDPAU) return 0; if (context_count == 1) { return decode_slice(avctx, &h); } else { + int j, mb_index; av_assert0(context_count > 0); - for (i = 1; i < context_count; i++) { + for (i = 0; i < context_count; i++) { + int mb_index_end = h->mb_width * h->mb_height; hx = h->thread_context[i]; - if (CONFIG_ERROR_RESILIENCE) { + mb_index = hx->resync_mb_x + hx->resync_mb_y * h->mb_width; + if (CONFIG_ERROR_RESILIENCE && i) { hx->er.error_count = 0; } hx->x264_build = h->x264_build; + for (j = 0; j < context_count; j++) { + H264Context *sl2 = h->thread_context[j]; + int mb_index2 = sl2->resync_mb_x + sl2->resync_mb_y * h->mb_width; + + if (i==j || mb_index > mb_index2) + continue; + mb_index_end = FFMIN(mb_index_end, mb_index2); + } + hx->mb_index_end = mb_index_end; } avctx->execute(avctx, decode_slice, h->thread_context, From 7493c54ad075920721c2b80a9b0d86cf02f41f4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Apr 2015 02:47:36 +0200 Subject: [PATCH 0463/1352] avcodec/h264: finish previous slices before switching to single thread mode Fixes null pointer dereference Fixes Ticket4438 Signed-off-by: Michael Niedermayer (cherry picked from commit c4b2017ba66e1623da9f527704c61c86a6e74844) Conflicts: libavcodec/h264.c (cherry picked from commit 09cc7aee3f4d1bd1d7107d38520f782c62c14036) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 7b5c5063b8..704c0898fb 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
@@ -1730,6 +1730,12 @@ again: av_log(h->avctx, AV_LOG_ERROR, "decode_slice_header error\n"); h->ref_count[0] = h->ref_count[1] = h->list_count = 0; } else if (err == SLICE_SINGLETHREAD) { + if (context_count > 1) { + ret = ff_h264_execute_decode_slices(h, context_count - 1); + if (ret < 0 && (h->avctx->err_recognition & AV_EF_EXPLODE)) + goto end; + context_count = 0; + } /* Slice could not be decoded in parallel mode, copy down * NAL unit stuff to context 0 and restart. Note that * rbsp_buffer is not transferred, but since we no longer From 155e0e9fd964683969f2a905626ba975c5cddf1a Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Sun, 9 Nov 2014 21:37:18 -0800 Subject: [PATCH 0464/1352] tests: Fix test name for pixfmts tests(cherry picked from commit e1ee0521a698809ed216e9e5c11bd2bbb466ed04) Signed-off-by: Michael Niedermayer --- tests/fate-run.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/fate-run.sh b/tests/fate-run.sh index b994abab27..c466e06b0d 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh @@ -197,12 +197,14 @@ pixfmts(){ $showfiltfmts $filter | awk -F '[ \r]' '/^INPUT/{ fmt=substr($3, 5); print fmt }' | sort >$in_fmts pix_fmts=$(comm -12 $scale_exclude_fmts $in_fmts) + outertest=$test for pix_fmt in $pix_fmts; do test=$pix_fmt video_filter "${prefilter_chain}format=$pix_fmt,$filter=$filter_args" -pix_fmt $pix_fmt done rm $in_fmts $scale_in_fmts $scale_out_fmts $scale_exclude_fmts + test=$outertest } mkdir -p "$outdir" From e617d6f98844082404a031859b4faf05c3a91bab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Apr 2015 12:29:47 +0200 Subject: [PATCH 0465/1352] avcodec/h264_slice: Dont reset mb_aff_frame per slice Fixes null pointer dereference Fixes Ticket4440 
Signed-off-by: Michael Niedermayer (cherry picked from commit 386601286fed2dff5e1955bc21a0256f6f35ab19) Conflicts: libavcodec/h264_slice.c (cherry picked from commit ce6d38e9ed0842870f3cd5414937bb6d1f2417d9) --- libavcodec/h264_slice.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index b7103f14be..38273e34c7 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1310,6 +1310,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) int field_pic_flag, bottom_field_flag; int first_slice = h == h0 && !h0->current_slice; int frame_num, picture_structure, droppable; + int mb_aff_frame, last_mb_aff_frame; PPS *pps; h->qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; @@ -1533,7 +1534,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) } h->mb_mbaff = 0; - h->mb_aff_frame = 0; + mb_aff_frame = 0; + last_mb_aff_frame = h0->mb_aff_frame; last_pic_structure = h0->picture_structure; last_pic_droppable = h0->droppable; droppable = h->nal_ref_idc == 0; @@ -1551,12 +1553,13 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) picture_structure = PICT_TOP_FIELD + bottom_field_flag; } else { picture_structure = PICT_FRAME; - h->mb_aff_frame = h->sps.mb_aff; + mb_aff_frame = h->sps.mb_aff; } } if (h0->current_slice) { if (last_pic_structure != picture_structure || - last_pic_droppable != droppable) { + last_pic_droppable != droppable || + last_mb_aff_frame != mb_aff_frame) { av_log(h->avctx, AV_LOG_ERROR, "Changing field mode (%d -> %d) between slices is not allowed\n", last_pic_structure, h->picture_structure); @@ -1572,6 +1575,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) h->picture_structure = picture_structure; h->droppable = droppable; h->frame_num = frame_num; + h->mb_aff_frame = mb_aff_frame; h->mb_field_decoding_flag = picture_structure != PICT_FRAME; if (h0->current_slice == 0) { 
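Review bot: The slice-consistency test in the `@@ -1551` hunk now also fails on `last_mb_aff_frame != mb_aff_frame`, but the message still reads "Changing field mode (%d -> %d)" and prints only picture-structure values. An MBAFF mismatch is therefore logged as a field-mode change, possibly with two equal numbers. The second argument is `h->picture_structure`, which is assigned only in the later `@@ -1572` hunk and so still holds the earlier value here, not the freshly parsed `picture_structure`. Passing `last_pic_structure, picture_structure` and adding the `last_mb_aff_frame`/`mb_aff_frame` pair to the format string would make the log match the check. ff_h264_decode_slice_header extends outside these hunks.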
From 4191e01e9906a88f4686ee2e20928538da3d4b96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Apr 2015 13:38:55 +0200 Subject: [PATCH 0466/1352] avcodec/h264: reset the counts in the correct context Fixes null pointer dereference Signed-off-by: Michael Niedermayer (cherry picked from commit 8f8d632220100bfde26587b27da73901b05cb774) --- libavcodec/h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 704c0898fb..28217475dc 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1728,7 +1728,7 @@ again: if (err < 0 || err == SLICE_SKIPED) { if (err < 0) av_log(h->avctx, AV_LOG_ERROR, "decode_slice_header error\n"); - h->ref_count[0] = h->ref_count[1] = h->list_count = 0; + hx->ref_count[0] = hx->ref_count[1] = hx->list_count = 0; } else if (err == SLICE_SINGLETHREAD) { if (context_count > 1) { ret = ff_h264_execute_decode_slices(h, context_count - 1); From 2adcdf50844a541ccec0da0474adf28cddc51ff3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Apr 2015 00:04:44 +0200 Subject: [PATCH 0467/1352] avcodec/aacdec: Fix storing state before PCE decode Fixes Ticket4460 Signed-off-by: Michael Niedermayer (cherry picked from commit e88b3852aefaa39b2170ef185ad03dda18732821) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 10c509be82..7d802e8517 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -425,7 +425,7 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) * Save current output configuration if and only if it has been locked. */ static void push_output_configuration(AACContext *ac) { - if (ac->oc[1].status == OC_LOCKED) { + if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) { ac->oc[0] = ac->oc[1]; } ac->oc[1].status = OC_NONE; From 9c4b09c4bdfa6dde530b9cae13bc9d76698228d1 Mon Sep 17 00:00:00 2001 
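Review bot: The doc comment kept above push_output_configuration in the aacdec.c hunk still says the configuration is saved "if and only if it has been locked", which the added `|| ac->oc[0].status == OC_NONE` makes untrue. It should read along the lines of `Save current output configuration if it has been locked, or if the saved slot oc[0] is still OC_NONE.` so that a later reader does not restore the old condition on the strength of the comment.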
From: Michael Niedermayer Date: Thu, 9 Apr 2015 13:50:07 +0200 Subject: [PATCH 0468/1352] avcodec/h264: Be more tolerant to changing pps id between slices Fixes Ticket4446 Signed-off-by: Michael Niedermayer (cherry picked from commit 98d0c4236c7542c87f012228d3bc88aea67bddc2) Conflicts: libavcodec/h264.c (cherry picked from commit 0cd0fa9d0baabd2dc0442ed8b53ba65282733b61) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 28217475dc..4fde3441f1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1516,9 +1516,6 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size, continue; again: - if ( (!(avctx->active_thread_type & FF_THREAD_FRAME) || nals_needed >= nal_index) - && !h->current_slice) - h->au_pps_id = -1; /* Ignore per frame NAL unit type during extradata * parsing. Decoding slices is not possible in codec init * with frame-mt */ @@ -1564,6 +1561,10 @@ again: hx->inter_gb_ptr = &hx->gb; hx->data_partitioning = 0; + if ( nals_needed >= nal_index + || (!(avctx->active_thread_type & FF_THREAD_FRAME) && !context_count)) + h->au_pps_id = -1; + if ((err = ff_h264_decode_slice_header(hx, h))) break; From cf80856cbc790c8dc1b743bd5bdd1093a08467ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Apr 2015 22:18:35 +0200 Subject: [PATCH 0469/1352] avcodec/h264_ps: Move truncation check from VUI to SPS This more completely checks for truncation Signed-off-by: Michael Niedermayer (cherry picked from commit 32e06c485be94a4967bff87022cbb065d3cbfd0d) Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 641e72dc58..d969aa1e3e 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c 
@@ -261,12 +261,6 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps) } } - if (get_bits_left(&h->gb) < 0) { - av_log(h->avctx, AV_LOG_ERROR, - "Overread VUI by %d bits\n", -get_bits_left(&h->gb)); - return AVERROR_INVALIDDATA; - } - return 0; } @@ -543,6 +537,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) goto fail; } + if (get_bits_left(&h->gb) < 0) { + av_log(h->avctx, AV_LOG_ERROR, + "Overread %s by %d bits\n", sps->vui_parameters_present_flag ? "VUI" : "SPS", -get_bits_left(&h->gb)); + goto fail; + } + if (!sps->sar.den) sps->sar.den = 1; From fd90005b4619b5f2731a5ec83af8c60a6bb1a5eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Apr 2015 18:35:07 +0200 Subject: [PATCH 0470/1352] avcodec/h264: Do not fail with randomly truncated VUIs Fixes Ticket4445 Tested-by: Vittorio Giovara Signed-off-by: Michael Niedermayer (cherry picked from commit bc48c88918f767e0dffcd138ae8e5c3052e8a92f) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 9 +++++++-- libavcodec/h264.h | 2 +- libavcodec/h264_parser.c | 2 +- libavcodec/h264_ps.c | 7 ++++--- 4 files changed, 13 insertions(+), 7 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 4fde3441f1..47570154cd 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1686,7 +1686,9 @@ again: break; case NAL_SPS: init_get_bits(&h->gb, ptr, bit_length); - if (ff_h264_decode_seq_parameter_set(h) < 0 && (h->is_avc ? nalsize : 1)) { + if (ff_h264_decode_seq_parameter_set(h, 0) >= 0) + break; + if (h->is_avc ? nalsize : 1) { av_log(h->avctx, AV_LOG_DEBUG, "SPS decoding failure, trying again with the complete NAL\n"); if (h->is_avc) @@ -1695,8 +1697,11 @@ again: break; init_get_bits(&h->gb, &buf[buf_index + 1 - consumed], 8*(next_avc - buf_index + consumed - 1)); - ff_h264_decode_seq_parameter_set(h); + if (ff_h264_decode_seq_parameter_set(h, 0) >= 0) + break; } + init_get_bits(&h->gb, ptr, bit_length); + ff_h264_decode_seq_parameter_set(h, 1); break; case NAL_PPS: 
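Review bot: In the NAL_SPS case of the h264.c hunks, the final fallback calls `ff_h264_decode_seq_parameter_set(h, 1)` and drops its result, so a parameter set that still fails after up to three attempts is not reported at this level. With `ignore_truncation` set, any field parsed after the bit reader is exhausted does not come from the input. A comment at the call should say the lenient pass is a last resort, e.g. `/* last resort: accept an SPS whose tail is truncated */`. The `init_get_bits` call added before it also ignores its return value. The enclosing switch in decode_nal_units starts and ends outside the hunks.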
diff --git a/libavcodec/h264.h b/libavcodec/h264.h index ec0b023267..2c975934a2 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -779,7 +779,7 @@ int ff_h264_decode_sei(H264Context *h); /** * Decode SPS */ -int ff_h264_decode_seq_parameter_set(H264Context *h); +int ff_h264_decode_seq_parameter_set(H264Context *h, int ignore_truncation); /** * compute profile from sps diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 14d709cd1e..d57bf5f60b 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -271,7 +271,7 @@ static inline int parse_nal_units(AVCodecParserContext *s, init_get_bits(&h->gb, ptr, 8 * dst_length); switch (h->nal_unit_type) { case NAL_SPS: - ff_h264_decode_seq_parameter_set(h); + ff_h264_decode_seq_parameter_set(h, 0); break; case NAL_PPS: ff_h264_decode_picture_parameter_set(h, h->gb.size_in_bits); diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index d969aa1e3e..0e8be36413 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -317,7 +317,7 @@ static void decode_scaling_matrices(H264Context *h, SPS *sps, } } -int ff_h264_decode_seq_parameter_set(H264Context *h) +int ff_h264_decode_seq_parameter_set(H264Context *h, int ignore_truncation) { int profile_idc, level_idc, constraint_set_flags = 0; unsigned int sps_id; @@ -538,9 +538,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h) } if (get_bits_left(&h->gb) < 0) { - av_log(h->avctx, AV_LOG_ERROR, + av_log(h->avctx, ignore_truncation ? AV_LOG_WARNING : AV_LOG_ERROR, "Overread %s by %d bits\n", sps->vui_parameters_present_flag ? "VUI" : "SPS", -get_bits_left(&h->gb)); - goto fail; + if (!ignore_truncation) + goto fail; } if (!sps->sar.den) From 72ddcb2459faac7fe41d7c563356f860ef2d0396 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Apr 2015 19:43:08 +0200 Subject: [PATCH 0471/1352] swresample: Allow reinitialization without ever setting channel counts 
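Review bot: The `/** Decode SPS */` comment on the prototype in h264.h does not describe the new `ignore_truncation` argument. It should become a short Doxygen block stating two things: a non-zero `ignore_truncation` downgrades a bitstream overread from an error to a warning and lets the parameter set be accepted, and callers treat a negative return as failure. The call in h264_parser.c passes 0 and has no lenient retry, so for a truncated SPS the parser and the decoder may end up with different parameter sets. If that is intended, note it at the parser call.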
Signed-off-by: Michael Niedermayer (cherry picked from commit d7b9cb2f7a51351586791e65fa22e6536ee58c9f) Signed-off-by: Michael Niedermayer --- libswresample/options.c | 12 ++++++------ libswresample/swresample.c | 4 ++++ libswresample/swresample_internal.h | 4 ++++ 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/libswresample/options.c b/libswresample/options.c index 01cdb1e141..e970d3bac8 100644 --- a/libswresample/options.c +++ b/libswresample/options.c 
@@ -35,12 +35,12 @@ #define PARAM AV_OPT_FLAG_AUDIO_PARAM static const AVOption options[]={ -{"ich" , "set input channel count" , OFFSET( in.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"in_channel_count" , "set input channel count" , OFFSET( in.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"och" , "set output channel count" , OFFSET(out.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"out_channel_count" , "set output channel count" , OFFSET(out.ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"uch" , "set used channel count" , OFFSET(used_ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, -{"used_channel_count" , "set used channel count" , OFFSET(used_ch_count ), AV_OPT_TYPE_INT , {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"ich" , "set input channel count" , OFFSET(user_in_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"in_channel_count" , "set input channel count" , OFFSET(user_in_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"och" , "set output channel count" , OFFSET(user_out_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"out_channel_count" , "set output channel count" , OFFSET(user_out_ch_count ), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"uch" , "set used channel count" , OFFSET(user_used_ch_count), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, +{"used_channel_count" , "set used channel count" , OFFSET(user_used_ch_count), AV_OPT_TYPE_INT, {.i64=0 }, 0 , SWR_CH_MAX, PARAM}, {"isr" , "set input sample rate" , OFFSET( in_sample_rate), AV_OPT_TYPE_INT , {.i64=0 }, 0 , INT_MAX , PARAM}, {"in_sample_rate" , "set input sample rate" , OFFSET( in_sample_rate), AV_OPT_TYPE_INT , {.i64=0 }, 0 , INT_MAX , PARAM}, {"osr" , "set output sample rate" , OFFSET(out_sample_rate), AV_OPT_TYPE_INT , {.i64=0 }, 0 , INT_MAX , PARAM}, 
diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 991aa13204..e552626783 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -164,6 +164,10 @@ av_cold int swr_init(struct SwrContext *s){ return AVERROR(EINVAL); } + s->out.ch_count = s-> user_out_ch_count; + s-> in.ch_count = s-> user_in_ch_count; + s->used_ch_count = s->user_used_ch_count; + if(av_get_channel_layout_nb_channels(s-> in_ch_layout) > SWR_CH_MAX) { av_log(s, AV_LOG_WARNING, "Input channel layout 0x%"PRIx64" is invalid or unsupported.\n", s-> in_ch_layout); s->in_ch_layout = 0; diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index 3761843e3b..b892fea379 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -90,6 +90,10 @@ struct SwrContext { int used_ch_count; ///< number of used input channels (mapped channel count if channel_map, otherwise in.ch_count) enum SwrEngine engine; + int user_in_ch_count; ///< User set input channel count + int user_out_ch_count; ///< User set output channel count + int user_used_ch_count; ///< User set used channel count + struct DitherContext dither; int filter_size; /**< length of each FIR filter in the resampling filterbank relative to the cutoff frequency */ From 6a87a152e8340778a1320603e88566ea5be54ee3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Apr 2015 20:50:53 +0200 Subject: [PATCH 0472/1352] swresample: Allow reinitialization without ever setting channel layouts (cherry picked from commit 80a28c7509a11114e1aea5b208d56c6646d69c07) Signed-off-by: Michael Niedermayer --- libswresample/options.c | 8 ++++---- libswresample/rematrix.c | 4 ++-- libswresample/swresample.c | 7 +++++-- libswresample/swresample_internal.h | 2 ++ 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/libswresample/options.c b/libswresample/options.c index e970d3bac8..de84672834 100644 --- a/libswresample/options.c 
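Review bot: The three new `user_*_ch_count` members in struct SwrContext are documented only as "User set …", which does not tell a reader how they relate to `in.ch_count`, `out.ch_count` and `used_ch_count`. The options table now writes the `user_*` fields, and swr_init() overwrites the working fields from them on every call. Anything that assigns the working fields directly before swr_init() therefore loses its value, so the comments should state the relationship, e.g. `///< User set input channel count, copied to in.ch_count by swr_init()`.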
+++ b/libswresample/options.c 
@@ -51,10 +51,10 @@ static const AVOption options[]={ {"out_sample_fmt" , "set output sample format" , OFFSET(out_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"tsf" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"internal_sample_fmt" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"icl" , "set input channel layout" , OFFSET( in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, -{"in_channel_layout" , "set input channel layout" , OFFSET( in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, -{"ocl" , "set output channel layout" , OFFSET(out_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, -{"out_channel_layout" , "set output channel layout" , OFFSET(out_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"icl" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"in_channel_layout" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"ocl" , "set output channel layout" , OFFSET(user_out_ch_layout), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, +{"out_channel_layout" , "set output channel layout" , OFFSET(user_out_ch_layout), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, {"clev" , "set center mix level" , OFFSET(clev ), AV_OPT_TYPE_FLOAT, {.dbl=C_30DB }, -32 , 32 , PARAM}, {"center_mix_level" , "set center mix level" , OFFSET(clev ), AV_OPT_TYPE_FLOAT, {.dbl=C_30DB }, -32 , 32 , PARAM}, {"slev" , "set surround mix level" , OFFSET(slev ), 
AV_OPT_TYPE_FLOAT, {.dbl=C_30DB }, -32 , 32 , PARAM}, diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 6552a2fea2..2238f0aae3 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -65,8 +65,8 @@ int swr_set_matrix(struct SwrContext *s, const double *matrix, int stride) if (!s || s->in_convert) // s needs to be allocated but not initialized return AVERROR(EINVAL); memset(s->matrix, 0, sizeof(s->matrix)); - nb_in = av_get_channel_layout_nb_channels(s->in_ch_layout); - nb_out = av_get_channel_layout_nb_channels(s->out_ch_layout); + nb_in = av_get_channel_layout_nb_channels(s->user_in_ch_layout); + nb_out = av_get_channel_layout_nb_channels(s->user_out_ch_layout); for (out = 0; out < nb_out; out++) { for (in = 0; in < nb_in; in++) s->matrix[out][in] = matrix[in]; diff --git a/libswresample/swresample.c b/libswresample/swresample.c index e552626783..17082f1352 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -86,10 +86,10 @@ struct SwrContext *swr_alloc_set_opts(struct SwrContext *s, if (av_opt_set_int(s, "tsf", AV_SAMPLE_FMT_NONE, 0) < 0) goto fail; - if (av_opt_set_int(s, "ich", av_get_channel_layout_nb_channels(s-> in_ch_layout), 0) < 0) + if (av_opt_set_int(s, "ich", av_get_channel_layout_nb_channels(s-> user_in_ch_layout), 0) < 0) goto fail; - if (av_opt_set_int(s, "och", av_get_channel_layout_nb_channels(s->out_ch_layout), 0) < 0) + if (av_opt_set_int(s, "och", av_get_channel_layout_nb_channels(s->user_out_ch_layout), 0) < 0) goto fail; av_opt_set_int(s, "uch", 0, 0); @@ -168,6 +168,9 @@ av_cold int swr_init(struct SwrContext *s){ s-> in.ch_count = s-> user_in_ch_count; s->used_ch_count = s->user_used_ch_count; + s-> in_ch_layout = s-> user_in_ch_layout; + s->out_ch_layout = s->user_out_ch_layout; + if(av_get_channel_layout_nb_channels(s-> in_ch_layout) > SWR_CH_MAX) { av_log(s, AV_LOG_WARNING, "Input channel layout 0x%"PRIx64" is invalid or unsupported.\n", s-> in_ch_layout); s->in_ch_layout = 0; 
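Review bot: In swr_set_matrix, `nb_in` and `nb_out` now come from `user_in_ch_layout` and `user_out_ch_layout`, which nothing has bounded at this point. The only SWR_CH_MAX check visible in this patch sits in swr_init(), and this function is required to run before it (`s needs to be allocated but not initialized`). The declaration of `s->matrix` is not shown; if it is dimensioned by SWR_CH_MAX, a layout with more bits set makes `s->matrix[out][in] = matrix[in]` write outside the array. I would add `if (nb_in > SWR_CH_MAX || nb_out > SWR_CH_MAX) return AVERROR(EINVAL);` before the loops. The function continues past the end of the hunk.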
diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index b892fea379..1bc6837926 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -93,6 +93,8 @@ struct SwrContext { int user_in_ch_count; ///< User set input channel count int user_out_ch_count; ///< User set output channel count int user_used_ch_count; ///< User set used channel count + int64_t user_in_ch_layout; ///< User set input channel layout + int64_t user_out_ch_layout; ///< User set output channel layout struct DitherContext dither; From 115961acc15c5d11b4b4b58a906580dd176da2f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Apr 2015 21:08:09 +0200 Subject: [PATCH 0473/1352] swresample: Check channel layouts and channels against each other and print human readable error messages Signed-off-by: Michael Niedermayer (cherry picked from commit 3c77bb5f23b2e149495c814759beab7eedeede6c) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 17082f1352..4685a8909d 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -152,6 +152,7 @@ av_cold void swr_close(SwrContext *s){ av_cold int swr_init(struct SwrContext *s){ int ret; + char l1[1024], l2[1024]; clear_context(s); 
@@ -278,10 +279,18 @@ av_cold int swr_init(struct SwrContext *s){ return -1; } + av_get_channel_layout_string(l1, sizeof(l1), s-> in.ch_count, s-> in_ch_layout); + av_get_channel_layout_string(l2, sizeof(l2), s->out.ch_count, s->out_ch_layout); + if (s->out_ch_layout && s->out.ch_count != av_get_channel_layout_nb_channels(s->out_ch_layout)) { + av_log(s, AV_LOG_ERROR, "Output channel layout %s mismatches specified channel count %d\n", l2, s->out.ch_count); + return AVERROR(EINVAL); + } + if (s->in_ch_layout && s->used_ch_count != av_get_channel_layout_nb_channels(s->in_ch_layout)) { + av_log(s, AV_LOG_ERROR, "Input channel layout %s mismatches specified channel count %d\n", l1, s->used_ch_count); + return AVERROR(EINVAL); + } + if ((!s->out_ch_layout || !s->in_ch_layout) && s->used_ch_count != s->out.ch_count && !s->rematrix_custom) { - char l1[1024], l2[1024]; - av_get_channel_layout_string(l1, sizeof(l1), s-> in.ch_count, s-> in_ch_layout); - av_get_channel_layout_string(l2, sizeof(l2), s->out.ch_count, s->out_ch_layout); av_log(s, AV_LOG_ERROR, "Rematrix is needed between %s and %s " "but there is not enough information to do it\n", l1, l2); return -1; From 164ababc623884c862d01e98824c19f91919f0be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Apr 2015 22:08:52 +0200 Subject: [PATCH 0474/1352] swresample/swresample-test: Randomly wipe out channel counts Signed-off-by: Michael Niedermayer (cherry picked from commit ff50b1b13be965c93a9a7169edb62631a928e308) Signed-off-by: Michael Niedermayer --- libswresample/swresample-test.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswresample/swresample-test.c b/libswresample/swresample-test.c index c0162cd646..694880648a 100644 --- a/libswresample/swresample-test.c +++ b/libswresample/swresample-test.c 
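Review bot: The input-side check compares `s->used_ch_count` with the layout, but the string `l1` printed next to it was built from `s->in.ch_count`, so when the two counts differ the message shows a layout/count pair that is not the one that was compared. Naming the value actually tested would avoid the confusion, e.g. `"Input channel layout %s mismatches specified used channel count %d\n"`. The two new failures return `AVERROR(EINVAL)` while the unchanged rematrix error directly below still returns `-1`; one convention for all three would help callers that inspect the code. swr_init() starts and ends outside the hunk.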
@@ -314,6 +314,11 @@ int main(int argc, char **argv){ fprintf(stderr, "Failed to init backw_ctx\n"); return 1; } + if (uint_rand(rand_seed) % 3 == 0) + av_opt_set_int(forw_ctx, "ich", 0, 0); + if (uint_rand(rand_seed) % 3 == 0) + av_opt_set_int(forw_ctx, "och", 0, 0); + if(swr_init( forw_ctx) < 0) fprintf(stderr, "swr_init(->) failed\n"); if(swr_init(backw_ctx) < 0) From 65b257b21c7f4398458fe17af3c99e8a0d717a0c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 14:49:08 +0200 Subject: [PATCH 0475/1352] msrledec: use signed pixel_ptr in msrle_decode_pal4 This fixes segmentation faults, when pic->linesize[0] is negative. In that case 'line * pic->linesize[0] + pixel_ptr' is treated as unsigned and wraps around. This reverts commit 7d78a964. The problem was introduced in commit f7e1367f, which should obsolete that commit. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ae6fd7300b4e9f81d3b5ba201096ffe7cccf26fb) Signed-off-by: Michael Niedermayer --- libavcodec/msrledec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index deb6f86523..200221a0ee 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -36,7 +36,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, unsigned char rle_code; unsigned char extra_byte, odd_pixel; unsigned char stream_byte; - unsigned int pixel_ptr = 0; + int pixel_ptr = 0; int line = avctx->height - 1; int i; From d2ff2c9dd32426b59ffbc4b6ebe2d8fb22979ef7 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 16:58:32 +0200 Subject: [PATCH 0476/1352] aacdec: consistently use avctx for logging in decode_eld_specific_config ac may be NULL and then accessing ac->avctx results in a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 5b75689b987e4c4dd4f34d5c8be389547e9cc701) 
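Review bot: The declaration `int pixel_ptr = 0;` in msrle_decode_pal4 gives no hint that the signedness is load-bearing, and the commit message shows this line has already been flipped back and forth. A comment on the declaration would stop the next cleanup from reintroducing the wrap-around, e.g. `/* must stay signed: added to line * pic->linesize[0], which can be negative */`. The bounds checks on `pixel_ptr` further down are outside this hunk; any of them that relied on unsigned wrap to reject large values should be re-read against the signed type.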
Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 7d802e8517..e92f1a1d9c 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -881,7 +881,7 @@ static int decode_eld_specific_config(AACContext *ac, AVCodecContext *avctx, if (len == 15 + 255) len += get_bits(gb, 16); if (get_bits_left(gb) < len * 8 + 4) { - av_log(ac->avctx, AV_LOG_ERROR, overread_err); + av_log(avctx, AV_LOG_ERROR, overread_err); return AVERROR_INVALIDDATA; } skip_bits_long(gb, 8 * len); From cfbfe6cd4d5aa52a8fbdb750f9fe1cfa637ccc12 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 19:12:02 +0200 Subject: [PATCH 0477/1352] aasc: return correct buffer size from aasc_decode_frame Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 0be54ad280cf114c02306b7063147e8379f8ed1e) Signed-off-by: Michael Niedermayer --- libavcodec/aasc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 65ef782688..469fc5eef6 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -137,7 +137,7 @@ static int aasc_decode_frame(AVCodecContext *avctx, return ret; /* report that the buffer was completely consumed */ - return buf_size; + return avpkt->size; } static av_cold int aasc_decode_end(AVCodecContext *avctx) From 6458ee5af8f994f2f8e42a3a4a2f407b978103f4 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 20:04:54 +0200 Subject: [PATCH 0478/1352] aacpsy: avoid psy_band->threshold becoming NaN If band->thr is 0.0f, the division is undefined, making norm_fac not a number or infinity, which causes psy_band->threshold to become NaN. This is passed on to other variables until it finally reaches sce->sf_idx and is converted to an integer (-2147483648). This causes a segmentation fault when it is used as array index. 
Signed-off-by: Andreas Cadhalpun Reviewed-by: Claudio Freire Signed-off-by: Michael Niedermayer (cherry picked from commit e224aa41917454e7b5c23d9f2541425743ce595a) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index 9eeb836523..cee4bf2921 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -727,7 +727,10 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, if (active_lines > 0.0f) band->thr = calc_reduced_thr_3gpp(band, coeffs[g].min_snr, reduction); pe += calc_pe_3gpp(band); - band->norm_fac = band->active_lines / band->thr; + if (band->thr > 0.0f) + band->norm_fac = band->active_lines / band->thr; + else + band->norm_fac = 0.0f; norm_fac += band->norm_fac; } } From 6b1c8797f4640ac3ce7b10118d8eab74612171a2 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 21:25:26 +0200 Subject: [PATCH 0479/1352] ac3: validate end in ff_ac3_bit_alloc_calc_mask This fixes an invalid read if end is 0: band_end = ff_ac3_bin_to_band_tab[end-1] + 1; Depending on what is before the array, this can cause stack smashing, when band_end becomes too large. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit bc4fee7f2a51635fa3c0f61d1e5164da1efeded3) Signed-off-by: Michael Niedermayer --- libavcodec/ac3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ac3.c b/libavcodec/ac3.c index 29e132f5d1..8d39bbe83b 100644 --- a/libavcodec/ac3.c +++ b/libavcodec/ac3.c @@ -131,6 +131,9 @@ int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, int band_start, band_end, begin, end1; int lowcomp, fastleak, slowleak; + if (end <= 0) + return AVERROR_INVALIDDATA; + /* excitation function */ band_start = ff_ac3_bin_to_band_tab[start]; band_end = ff_ac3_bin_to_band_tab[end-1] + 1; From b28fab2ebe39f04b26167474ff887559fddd3a9c Mon Sep 17 00:00:00 2001 
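Review bot: The guard keeps each `band->norm_fac` finite, but the accumulated `norm_fac` can now be exactly 0 when every band takes the else branch, and the hunk does not show how that sum is used afterwards. If psy_3gpp_analyze_channel divides by `norm_fac` later on (outside this hunk), the same inf/NaN reaches `psy_band->threshold` by another route. That use would want the same test, along the lines of `norm_fac = norm_fac > 0.0f ? 1.0f / norm_fac : 0.0f;`.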
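Review bot: `if (end <= 0)` closes only the `end-1` underflow: `start` indexes `ff_ac3_bin_to_band_tab` on the very next line without a check, and neither index is compared with the table's length. The parameter types and the table size are not visible in this hunk, so callers may already guarantee this. Since the function now has an error path, it could reject the whole invalid range in one place, e.g. `if (start < 0 || end <= 0 || end > FF_ARRAY_ELEMS(ff_ac3_bin_to_band_tab)) return AVERROR_INVALIDDATA;`, assuming the table is declared with its size. Callers have to test the return value for the new error to have any effect; none are shown here.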
From: Michael Niedermayer Date: Fri, 17 Apr 2015 11:58:41 +0200 Subject: [PATCH 0480/1352] avcodec/atrac3plusdsp: fix on stack alignment Fixes fate failure on ARM (cherry picked from commit 38f67260684aec8a02d87ab4056b1a1fbf964c03) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3plusdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/atrac3plusdsp.c b/libavcodec/atrac3plusdsp.c index 3522af1e5a..3c68f74d25 100644 --- a/libavcodec/atrac3plusdsp.c +++ b/libavcodec/atrac3plusdsp.c @@ -599,8 +599,8 @@ void ff_atrac3p_ipqf(FFTContext *dct_ctx, Atrac3pIPQFChannelCtx *hist, const float *in, float *out) { int i, s, sb, t, pos_now, pos_next; - DECLARE_ALIGNED(32, float, idct_in)[ATRAC3P_SUBBANDS]; - DECLARE_ALIGNED(32, float, idct_out)[ATRAC3P_SUBBANDS]; + LOCAL_ALIGNED(32, float, idct_in, [ATRAC3P_SUBBANDS]); + LOCAL_ALIGNED(32, float, idct_out, [ATRAC3P_SUBBANDS]); memset(out, 0, ATRAC3P_FRAME_SAMPLES * sizeof(*out)); From 1a8b4158c574e95c6a2311c5f2955e76aedba1f9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 18 Apr 2015 18:31:36 +0200 Subject: [PATCH 0481/1352] alsdec: ensure channel reordering is reversible If the same idx is used for more than one i, at least one entry in sconf->chan_pos remains uninitialized. This can cause segmentation faults. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ef16501aebed43e34a3721336e8bee732eca2877) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index cfece44285..e5397951d0 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
@@ -357,11 +357,15 @@ static av_cold int read_specific_config(ALSDecContext *ctx) ctx->cs_switch = 1; + for (i = 0; i < avctx->channels; i++) { + sconf->chan_pos[i] = -1; + } + for (i = 0; i < avctx->channels; i++) { int idx; idx = get_bits(&gb, chan_pos_bits); - if (idx >= avctx->channels) { + if (idx >= avctx->channels || sconf->chan_pos[idx] != -1) { av_log(avctx, AV_LOG_WARNING, "Invalid channel reordering.\n"); ctx->cs_switch = 0; break; From 4c20249c86e1c0cc9aea2261758f477820b1456b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Apr 2015 20:50:23 +0200 Subject: [PATCH 0482/1352] avcodec/alsdec: Use av_mallocz_array() for chan_data to ensure the arrays never contain random data Signed-off-by: Michael Niedermayer (cherry picked from commit 7e104647a3556fc61a139483cee1cb7dfa2dc5bd) Conflicts: libavcodec/alsdec.c --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e5397951d0..8a8bff15e9 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1731,9 +1731,9 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate and assign channel data buffer for mcc mode if (sconf->mc_coding) { - ctx->chan_data_buffer = av_malloc(sizeof(*ctx->chan_data_buffer) * + ctx->chan_data_buffer = av_mallocz(sizeof(*ctx->chan_data_buffer) * num_buffers * num_buffers); - ctx->chan_data = av_malloc(sizeof(*ctx->chan_data) * + ctx->chan_data = av_mallocz(sizeof(*ctx->chan_data) * num_buffers); ctx->reverted_channels = av_malloc(sizeof(*ctx->reverted_channels) * num_buffers); From 3bd7aa46601ada27c8051b7dd0cef168ff4a2206 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 18 Apr 2015 20:09:28 +0200 Subject: [PATCH 0483/1352] alsdec: validate time diff index If begin is smaller than t, the subtraction 'begin -= t' wraps around, because begin is unsigned. The same applies for end < t. This causes segmentation faults. Signed-off-by: Andreas Cadhalpun 
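Review bot: The subject names av_mallocz_array(), but the new lines in decode_init call `av_mallocz()` with the size still multiplied by hand, so `sizeof(*ctx->chan_data_buffer) * num_buffers * num_buffers` can wrap before the allocator sees it and yield a zeroed buffer that is too small. The array form lets the allocator check the multiplication: `ctx->chan_data_buffer = av_mallocz_array(num_buffers * num_buffers, sizeof(*ctx->chan_data_buffer));` and likewise for `chan_data`. The type and upper bound of `num_buffers` are not visible here, so the inner product may need its own check. `reverted_channels` stays on av_malloc(); whether it is fully written before it is read cannot be told from this hunk.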
Signed-off-by: Michael Niedermayer (cherry picked from commit faf9fe2c224ea81a98afd53e2f0be0a2e13aeca9) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 8a8bff15e9..0a6be7bf90 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1290,8 +1290,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (ch[dep].time_diff_sign) { t = -t; + if (t > 0 && begin < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t); + return AVERROR_INVALIDDATA; + } begin -= t; } else { + if (t > 0 && end < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t); + return AVERROR_INVALIDDATA; + } end -= t; } From 3fd66f7f4589dbc31d144454546506a0bb939647 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Mar 2015 04:37:42 +0200 Subject: [PATCH 0484/1352] avutil/pca: Check for av_malloc* failures Signed-off-by: Michael Niedermayer (cherry picked from commit dadc43eee4d9036aa532665a04720238cc15e922) Signed-off-by: Michael Niedermayer --- libavutil/pca.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavutil/pca.c b/libavutil/pca.c index 26d5bbb157..86cb37ea28 100644 --- a/libavutil/pca.c +++ b/libavutil/pca.c @@ -41,12 +41,20 @@ PCA *ff_pca_init(int n){ return NULL; pca= av_mallocz(sizeof(*pca)); + if (!pca) + return NULL; + pca->n= n; pca->z = av_malloc_array(n, sizeof(*pca->z)); pca->count=0; pca->covariance= av_calloc(n*n, sizeof(double)); pca->mean= av_calloc(n, sizeof(double)); + if (!pca->z || !pca->covariance || !pca->mean) { + ff_pca_free(pca); + return NULL; + } + return pca; } From 07a7f384217df47442178280ac7172c4fcbf0ccb Mon Sep 17 00:00:00 2001 From: Rainer Hochecker Date: Tue, 31 Mar 2015 08:27:01 +0200 Subject: [PATCH 0485/1352] h264: avoid unnecessary calls to get_format 
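Review bot: In ff_pca_init, `av_calloc(n*n, sizeof(double))` multiplies in `int` before the allocator's own overflow check sees the operands, so a large `n` overflows (undefined for signed int) and can give a covariance buffer smaller than n×n. The condition guarding the `return NULL;` at the top of the hunk is not visible, so `n` may already be bounded there; if it is not, `if (n <= 0 || n > INT_MAX / n) return NULL;` before the allocations closes it. The new cleanup path also depends on ff_pca_free() accepting a PCA whose members are partly NULL, which is worth a one-line comment at the call.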
Signed-off-by: Michael Niedermayer (cherry picked from commit 2197b4018920e5cd7ac465de007b675565687b23) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 38273e34c7..3a7ea4d0e3 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1438,7 +1438,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) || h->mb_width != h->sps.mb_width || h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) )); - if (non_j_pixfmt(h0->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h0, 0))) + if (h0->avctx->pix_fmt == AV_PIX_FMT_NONE + || (non_j_pixfmt(h0->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h0, 0)))) must_reinit = 1; if (first_slice && av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio)) From 7572cf7fdcc998b8fd1fdadc1ba3ff90349b6978 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Apr 2015 19:28:33 +0200 Subject: [PATCH 0486/1352] avcodec/h264: Fail for invalid mixed IDR / non IDR frames in slice threading mode Fixes Ticket4408 Signed-off-by: Michael Niedermayer (cherry picked from commit fc58d5c43b4c7396fc69081eb0dfe5b6a21cb10d) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 47570154cd..5f29267eeb 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1551,8 +1551,14 @@ again: ret = -1; goto end; } - if(!idr_cleared) + if(!idr_cleared) { + if (h->current_slice && (avctx->active_thread_type & FF_THREAD_SLICE)) { + av_log(h, AV_LOG_ERROR, "invalid mixed IDR / non IDR frames cannot be decoded in slice multithreading mode\n"); + ret = AVERROR_INVALIDDATA; + goto end; + } idr(h); // FIXME ensure we don't lose some frames if there is reordering + } idr_cleared = 1; h->has_recovery_point = 1; case NAL_SLICE: 
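Review bot: The new error is logged with `av_log(h, ...)`, while the other H.264 messages in this series pass `h->avctx` as the log context (h264_ps.c, h264_refs.c). av_log() reads an AVClass pointer from the start of the object it is given, and the layout of H264Context is not visible here, so `av_log(h->avctx, AV_LOG_ERROR, ...)` is the form that is certainly valid and keeps the log prefix consistent. The enclosing function starts and ends outside the hunk.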
From 1deebf3b225d4f0ae5e15ec4414b343355e68157 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Apr 2015 18:08:23 +0200 Subject: [PATCH 0487/1352] avcodec/h264_refs: Do not set reference to things which dont exist Fixes deadlock Fixes Ticket4428 Fixes Ticket4429 Signed-off-by: Michael Niedermayer (cherry picked from commit 429de043202286a2b5bcc082cc02de860b734db2) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 12da9210be..045f1846d3 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -707,7 +707,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count) */ if (h->short_ref_count && h->short_ref[0] == h->cur_pic_ptr) { /* Just mark the second field valid */ - h->cur_pic_ptr->reference = PICT_FRAME; + h->cur_pic_ptr->reference |= h->picture_structure; } else if (h->cur_pic_ptr->long_ref) { av_log(h->avctx, AV_LOG_ERROR, "illegal short term reference " "assignment for second field " From 8b9cfdc9270a4ef708e4729716020edd2fb42ae9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 21 Apr 2015 19:25:50 +0200 Subject: [PATCH 0488/1352] alsdec: check sample pointer range in revert_channel_correlation Also change the type of begin, end and smp to ptrdiff_t to make the comparison well-defined. Signed-off-by: Andreas Cadhalpun Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit afc7748d1f6abc4b3b1cc957b0fa6941837db3d0) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 0a6be7bf90..9ee33bf2e6 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
@@ -1246,6 +1246,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, ALSChannelData *ch = cd[c]; unsigned int dep = 0; unsigned int channels = ctx->avctx->channels; + unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order; if (reverted[c]) return 0; @@ -1276,9 +1277,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, bd->raw_samples = ctx->raw_samples[c] + offset; for (dep = 0; !ch[dep].stop_flag; dep++) { - unsigned int smp; - unsigned int begin = 1; - unsigned int end = bd->block_length - 1; + ptrdiff_t smp; + ptrdiff_t begin = 1; + ptrdiff_t end = bd->block_length - 1; int64_t y; int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset; @@ -1290,19 +1291,28 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, if (ch[dep].time_diff_sign) { t = -t; - if (t > 0 && begin < t) { - av_log(ctx->avctx, AV_LOG_ERROR, "begin %u smaller than time diff index %d.\n", begin, t); + if (begin < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "begin %td smaller than time diff index %d.\n", begin, t); return AVERROR_INVALIDDATA; } begin -= t; } else { - if (t > 0 && end < t) { - av_log(ctx->avctx, AV_LOG_ERROR, "end %u smaller than time diff index %d.\n", end, t); + if (end < t) { + av_log(ctx->avctx, AV_LOG_ERROR, "end %td smaller than time diff index %d.\n", end, t); return AVERROR_INVALIDDATA; } end -= t; } + if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master || + FFMAX(end + 1, end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1, end + 1 + t), + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1 ]) + 
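Review bot: The upper bound `ctx->raw_buffer + channels * channel_size` is rebuilt here from `frame_length + max_order` in unsigned arithmetic rather than taken from the allocation. The check is therefore only as good as its agreement with the code that sized `raw_buffer`, which is not part of this patch, and the product can wrap for large values. Recording the element count next to `raw_buffer` when it is allocated and comparing against that would remove both doubts. The same test is repeated in the `@@ -1315` hunk and could live in one small static helper that takes `master` and the first and last offsets. The `%p` arguments derived from `master` are `int32_t *` and should be cast to `(void *)`.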
@@ -1315,6 +1325,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, bd->raw_samples[smp] += y >> 7; } } else { + + if (begin - 1 < ctx->raw_buffer - master || + end + 1 > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + begin - 1, master + end + 1, + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1]) + From f7a6a6d5917475a2df43751a9e147e09dfcc43a6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 16:32:42 +0200 Subject: [PATCH 0489/1352] mpeg4videodec: only allow a positive length Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit b3408ae4c64cb674b1d5f0f30171759113ce722a) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index bc9264f5a4..227ba27372 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -189,14 +189,14 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int x = 0, y = 0; length = get_vlc2(gb, sprite_trajectory.table, SPRITE_TRAJ_VLC_BITS, 3); - if (length) + if (length > 0) x = get_xbits(gb, length); if (!(ctx->divx_version == 500 && ctx->divx_build == 413)) skip_bits1(gb); /* marker bit */ length = get_vlc2(gb, sprite_trajectory.table, SPRITE_TRAJ_VLC_BITS, 3); - if (length) + if (length > 0) y = get_xbits(gb, length); skip_bits1(gb); /* marker bit */ From 9a9379ff7fc32e8e259d8c090cd8ccf08b27b09d Mon Sep 17 00:00:00 2001 
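Review bot: With `if (length > 0)` a negative `length` now falls through with `x` or `y` left at 0, so a trajectory code that failed to decode cannot be told apart from a legitimate zero offset. If `get_vlc2()` can return a negative value for an invalid code here, as the commit title suggests, rejecting it keeps a damaged header from being used: `if (length < 0) return AVERROR_INVALIDDATA;` before each `get_xbits()` test. mpeg4_decode_sprite_trajectory starts and ends outside the hunk, so whether its callers act on the return value is not visible.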
From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 17:08:51 +0200 Subject: [PATCH 0490/1352] bink: check vst->index_entries before using it This fixes a NULL pointer dereference if vst->duration is 0. The problem was introduced in commit 0588acaf. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 86d00ede4f9acb02690a0615490173648e1d933c) Signed-off-by: Michael Niedermayer --- libavformat/bink.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/bink.c b/libavformat/bink.c index 395c8d9aa8..350c64f7bb 100644 --- a/libavformat/bink.c +++ b/libavformat/bink.c @@ -194,7 +194,10 @@ static int read_header(AVFormatContext *s) return ret; } - avio_seek(pb, vst->index_entries[0].pos, SEEK_SET); + if (vst->index_entries) + avio_seek(pb, vst->index_entries[0].pos, SEEK_SET); + else + avio_skip(pb, 4); bink->current_track = -1; return 0; From ee3d4e2b098121baa7a5795b9f977cb0e7f3facd Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 22 Apr 2015 14:59:56 +0100 Subject: [PATCH 0491/1352] lavf: Reset global flag on deinit Signed-off-by: Michael Niedermayer (cherry picked from commit 32da94fa7f73ac749e0a1e2f20499fad2f6f57fe) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 0b20b0901f..d93f43452e 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4066,6 +4066,7 @@ int avformat_network_deinit(void) #if CONFIG_NETWORK ff_network_close(); ff_tls_deinit(); + ff_network_inited_globally = 0; #endif return 0; } From b16a6c67099852f5c1485b70611a7803acd9a782 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 16:03:41 +0200 Subject: [PATCH 0492/1352] alsdec: only adapt order for positive max_order For max_order = 0 the clipping range is invalid. (amin = 2, amax = 1) Signed-off-by: Andreas Cadhalpun 
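Review bot: The new `else` branch calls `avio_skip(pb, 4)` without saying which four bytes are skipped when there are no index entries, so the constant cannot be checked against the format from this hunk. A comment at the call would fix that, for example `/* no index entries: skip the 4-byte <FIELD NAME> that follows */` with the real field name filled in. Neither `avio_seek()` nor `avio_skip()` has its result checked before `return 0;`, so a file that ends here still reports a successful header read. read_header starts outside the hunk.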
Signed-off-by: Michael Niedermayer (cherry picked from commit 58d605ee9b3277289278dc40e022311f8e083833) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 9ee33bf2e6..a55354b7fd 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -682,7 +682,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (!sconf->rlslms) { - if (sconf->adapt_order) { + if (sconf->adapt_order && sconf->max_order) { int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); From dfe37f2be202a0db5b1b06552ea2aaf33eb70628 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 24 Apr 2015 00:01:43 +0200 Subject: [PATCH 0493/1352] alac: reject rice_limit 0 if compression is used If rice_limit is 0, k can be 0 in decode_scalar, which calls show_bits(gb, k). Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 4b657a1b1eedcf38bcf36e89a2f4be6f76b5ce09) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index aec7bb4e4e..f5a5b86145 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -316,6 +316,11 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, int lpc_quant[2]; int rice_history_mult[2]; + if (!alac->rice_limit) { + avpriv_request_sample(alac->avctx, "Compression with rice limit 0"); + return AVERROR(ENOSYS); + } + decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); From f6dd6b4fd28fbd3250d61956ab2c3de6cfaa13a7 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 23 Apr 2015 04:27:56 +0200 Subject: [PATCH 0494/1352] tests/fate-run: do not attempt to parse tiny_psnrs output if it failed This avoids confusing syntax errors with awk later Likely fixes awk errors at: http://buildd.debian-ports.org/status/fetch.php?pkg=ffmpeg&arch=sparc64&ver=7%3A2.6.2-1&stamp=1428928967 Reviewed-by: Timothy Gu Thanks-to: Andreas Cadhalpun for the link Signed-off-by: Michael Niedermayer (cherry picked from commit c0d847e457c1ef72843a63853f1135d52b74131e) Signed-off-by: Michael Niedermayer --- tests/fate-run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate-run.sh b/tests/fate-run.sh index c466e06b0d..6e3373a3ae 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh @@ -42,7 +42,7 @@ compare(){ } do_tiny_psnr(){ - psnr=$(tests/tiny_psnr "$1" "$2" $cmp_unit $cmp_shift 0) + psnr=$(tests/tiny_psnr "$1" "$2" $cmp_unit $cmp_shift 0) || return 1 val=$(expr "$psnr" : ".*$3: *\([0-9.]*\)") size1=$(expr "$psnr" : '.*bytes: *\([0-9]*\)') size2=$(expr "$psnr" : '.*bytes:[ 0-9]*/ *\([0-9]*\)') From 73af011c7929c892bd7a3e5613c488751b13948e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Apr 2015 17:10:18 +0200 Subject: [PATCH 0495/1352] Update for FFmpeg 2.4.9 release Signed-off-by: Michael Niedermayer --- Changelog | 38 +++++++++++++++++++++++++++++++++++++- RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 39 insertions(+), 3 deletions(-) diff --git a/Changelog b/Changelog index 43639aec66..e82ae69c13 100644 --- a/Changelog +++ b/Changelog 
@@ -1,7 +1,43 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 2.4.9: +- alac: reject rice_limit 0 if compression is used +- lavf: Reset global flag on deinit +- bink: check vst->index_entries before using it +- mpeg4videodec: only allow a positive length +- alsdec: check sample pointer range in revert_channel_correlation +- avcodec/h264_refs: Do not set reference to things which dont exist +- avcodec/h264: Fail for invalid mixed IDR / non IDR frames in slice threading mode +- h264: avoid unnecessary calls to get_format +- avutil/pca: Check for av_malloc* failures +- alsdec: validate time diff index +- avcodec/alsdec: Use av_mallocz_array() for chan_data to ensure the arrays never contain random data +- alsdec: ensure channel reordering is reversible +- avcodec/atrac3plusdsp: fix on stack alignment +- ac3: validate end in ff_ac3_bit_alloc_calc_mask +- aacpsy: avoid psy_band->threshold becoming NaN +- aasc: return correct buffer size from aasc_decode_frame +- aacdec: consistently use avctx for logging in decode_eld_specific_config +- msrledec: use signed pixel_ptr in msrle_decode_pal4 +- swresample/swresample-test: Randomly wipe out channel counts +- swresample: Check channel layouts and channels against each other and print human readable error messages +- swresample: Allow reinitialization without ever setting channel layouts +- swresample: Allow reinitialization without ever setting channel counts +- avcodec/h264: Do not fail with randomly truncated VUIs +- avcodec/h264_ps: Move truncation check from VUI to SPS +- avcodec/h264: Be more tolerant to changing pps id between slices +- avcodec/aacdec: Fix storing state before PCE decode +- avcodec/h264: reset the counts in the correct context +- avcodec/h264_slice: Dont reset mb_aff_frame per slice +- tests: Fix test name for pixfmts tests +- avcodec/h264: finish previous slices before switching to single thread mode +- 
avcodec/h264: Fix race between slices where one overwrites data from the next +- avformat/utils: avoid discarded streams in av_find_default_stream_index() +- avformat/utils: Ensure that AVFMT_FLAG_CUSTOM_IO is set before use +- avformat/img2dec: do not rewind custom io buffers +- fate: Include branch information in the payload header + version 2.4.8: - avutil/cpu: add missing check for mmxext to av_force_cpu_flags diff --git a/RELEASE b/RELEASE index f041bc6dba..3f5987a5cb 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.8 +2.4.9 diff --git a/doc/Doxyfile b/doc/Doxyfile index 3f942b57ee..af2b79faec 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.8 +PROJECT_NUMBER = 2.4.9 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From de7b74d2544d2cb5ff85db20a9853116ea72ed47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Apr 2015 17:47:03 +0200 Subject: [PATCH 0496/1352] Changelog, fix typos Signed-off-by: Michael Niedermayer --- Changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index e82ae69c13..4b1edd2190 100644 --- a/Changelog +++ b/Changelog @@ -7,7 +7,7 @@ version 2.4.9: - bink: check vst->index_entries before using it - mpeg4videodec: only allow a positive length - alsdec: check sample pointer range in revert_channel_correlation -- avcodec/h264_refs: Do not set reference to things which dont exist +- avcodec/h264_refs: Do not set reference to things which do not exist - avcodec/h264: Fail for invalid mixed IDR / non IDR frames in slice threading mode - h264: avoid unnecessary calls to get_format - avutil/pca: Check for av_malloc* failures 
@@ -29,7 +29,7 @@ version 2.4.9: - avcodec/h264: Be more tolerant to changing pps id between slices - avcodec/aacdec: Fix storing state before PCE decode - avcodec/h264: reset the counts in the correct context -- avcodec/h264_slice: Dont reset mb_aff_frame per slice +- avcodec/h264_slice: Do not reset mb_aff_frame per slice - tests: Fix test name for pixfmts tests - avcodec/h264: finish previous slices before switching to single thread mode - avcodec/h264: Fix race between slices where one overwrites data from the next From 0d3a7dd26490156b607541dd2e1faeaa0fc61a88 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 16 Apr 2015 19:12:02 +0200 Subject: [PATCH 0497/1352] aasc: return correct buffer size from aasc_decode_frame CC: libav-stable@libav.org Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov (cherry picked from commit 8fc8024ea56e814cd257d5fe27b21a865080782f) Signed-off-by: Anton Khirnov --- libavcodec/aasc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 468e39440a..1e457ce962 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -97,7 +97,7 @@ static int aasc_decode_frame(AVCodecContext *avctx, return ret; /* report that the buffer was completely consumed */ - return buf_size; + return avpkt->size; } static av_cold int aasc_decode_end(AVCodecContext *avctx) From 97010c74cbff177b58daf9a092b4e37a7da26f85 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 18 Apr 2015 20:29:13 +0200 Subject: [PATCH 0498/1352] alsdec: limit avctx->bits_per_raw_sample to 32 avctx->bits_per_raw_sample is used in get_sbits_long, which only supports up to 32 bits. CC: libav-stable@libav.org Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov (cherry picked from commit e191aaca44b986816695e3b7ecfae64697fd6631) Signed-off-by: Anton Khirnov --- libavcodec/alsdec.c | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index b1965a8b87..0a47305700 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1641,6 +1641,12 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->sample_fmt = sconf->resolution > 1 ? AV_SAMPLE_FMT_S32 : AV_SAMPLE_FMT_S16; avctx->bits_per_raw_sample = (sconf->resolution + 1) * 8; + if (avctx->bits_per_raw_sample > 32) { + av_log(avctx, AV_LOG_ERROR, "Bits per raw sample %d larger than 32.\n", + avctx->bits_per_raw_sample); + ret = AVERROR_INVALIDDATA; + goto fail; + } } // set maximum Rice parameter for progressive decoding based on resolution From 7b66cf5ce7fdb8b3fa13459aab3f4d6ab559f1ea Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 21 Apr 2015 18:43:55 +0200 Subject: [PATCH 0499/1352] aacpsy: correct calculation of minath in psy_3gpp_init The minimum of the ath(x, ATH_ADD) function depends on ATH_ADD. This patch uses the first order approximation to determine it. For ATH_ADD = 4 this results in the value at 3407.06812 (-5.24241638) not the one at 3410 (-5.24237967). CC: libav-stabl@libav.org Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov (cherry picked from commit 110f7f35fb615b97d983b1c6c6a714fddd28bcbe) Signed-off-by: Anton Khirnov --- libavcodec/aacpsy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index 66cf6d5f40..ee465a6c45 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -307,7 +307,7 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) { ctx->bitres.size = 6144 - pctx->frame_bits; ctx->bitres.size -= ctx->bitres.size % 8; pctx->fill_level = ctx->bitres.size; - minath = ath(3410, ATH_ADD); + minath = ath(3410 - 0.733 * ATH_ADD, ATH_ADD); for (j = 0; j < 2; j++) { AacPsyCoeffs *coeffs = pctx->psy_coef[j]; const uint8_t *band_sizes = ctx->bands[j]; From 41a89cba6086de2bd24f9ec7e21200fa162505e9 Mon Sep 17 00:00:00 2001 
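Review bot: `ath(3410 - 0.733 * ATH_ADD, ATH_ADD)` introduces two unexplained constants, and their derivation (a first-order approximation of where `ath()` has its minimum as a function of `ATH_ADD`) exists only in the commit message. A comment above the assignment would keep it with the code, for example `/* position of the ath() minimum, first-order approximation in ATH_ADD */`. psy_3gpp_init continues outside the hunk.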
From: Andreas Cadhalpun Date: Tue, 21 Apr 2015 19:28:30 +0200 Subject: [PATCH 0500/1352] alsdec: check sample pointer range in revert_channel_correlation Also change the type of begin, end and smp to ptrdiff_t to make the comparison well-defined. CC: libav-stable@libav.org Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov (cherry picked from commit 94bb1ce882a12b6d7a1fa32715a68121b39ee838) Signed-off-by: Anton Khirnov --- libavcodec/alsdec.c | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 0a47305700..44857e6714 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1223,6 +1223,7 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, ALSChannelData *ch = cd[c]; unsigned int dep = 0; unsigned int channels = ctx->avctx->channels; + unsigned int channel_size = ctx->sconf.frame_length + ctx->sconf.max_order; if (reverted[c]) return 0; @@ -1254,9 +1255,9 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, dep = 0; while (!ch[dep].stop_flag) { - unsigned int smp; - unsigned int begin = 1; - unsigned int end = bd->block_length - 1; + ptrdiff_t smp; + ptrdiff_t begin = 1; + ptrdiff_t end = bd->block_length - 1; int64_t y; int32_t *master = ctx->raw_samples[ch[dep].master_channel] + offset; 
@@ -1270,6 +1271,15 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, end -= t; } + if (FFMIN(begin - 1, begin - 1 + t) < ctx->raw_buffer - master || + FFMAX(end + 1, end + 1 + t) > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + FFMIN(begin - 1, begin - 1 + t), master + FFMAX(end + 1, end + 1 + t), + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1 ]) + @@ -1282,6 +1292,16 @@ static int revert_channel_correlation(ALSDecContext *ctx, ALSBlockData *bd, bd->raw_samples[smp] += y >> 7; } } else { + + if (begin - 1 < ctx->raw_buffer - master || + end + 1 > ctx->raw_buffer + channels * channel_size - master) { + av_log(ctx->avctx, AV_LOG_ERROR, + "sample pointer range [%p, %p] not contained in raw_buffer [%p, %p].\n", + master + begin - 1, master + end + 1, + ctx->raw_buffer, ctx->raw_buffer + channels * channel_size); + return AVERROR_INVALIDDATA; + } + for (smp = begin; smp < end; smp++) { y = (1 << 6) + MUL64(ch[dep].weighting[0], master[smp - 1]) + From 378ee3bad5b99e8f90864af9bc851590e0f64825 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 16:03:41 +0200 Subject: [PATCH 0501/1352] alsdec: only adapt order for positive max_order For max_order = 0 the clipping range is invalid. (amin = 2, amax = 1) CC: libav-stable@libav.org Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov (cherry picked from commit 60f1cc4a1ffcbf24acbb543988ceeaec76b70818) Signed-off-by: Anton Khirnov --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 44857e6714..997c16233c 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
@@ -663,7 +663,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (!sconf->rlslms) { - if (sconf->adapt_order) { + if (sconf->adapt_order && sconf->max_order) { int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); From 8b86c2ed2eb29dce137b26e66a9bddd50f72817f Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 2 May 2015 09:09:52 +0200 Subject: [PATCH 0502/1352] Revert "lavfi: always check av_expr_parse_and_eval() return value" This reverts commit 63be97ec403023fb664798432acedaf6e6922527. All those calls were unchecked on purpose, as explained in the comments in the code. (cherry picked from commit 3735b5c616770429572f86aabdaec39c6ebb8818) Signed-off-by: Anton Khirnov --- libavfilter/vf_pad.c | 14 ++++++-------- libavfilter/vf_scale.c | 7 +++---- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/libavfilter/vf_pad.c b/libavfilter/vf_pad.c index bacb5051e1..634af4c941 100644 --- a/libavfilter/vf_pad.c +++ b/libavfilter/vf_pad.c @@ -158,10 +158,9 @@ static int config_input(AVFilterLink *inlink) var_values[VAR_VSUB] = 1<vsub; /* evaluate width and height */ - if ((ret = av_expr_parse_and_eval(&res, (expr = s->w_expr), - var_names, var_values, - NULL, NULL, NULL, NULL, NULL, 0, ctx)) < 0) - goto eval_fail; + av_expr_parse_and_eval(&res, (expr = s->w_expr), + var_names, var_values, + NULL, NULL, NULL, NULL, NULL, 0, ctx); s->w = var_values[VAR_OUT_W] = var_values[VAR_OW] = res; if ((ret = av_expr_parse_and_eval(&res, (expr = s->h_expr), var_names, var_values, 
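Review bot: After this revert the first `av_expr_parse_and_eval()` call for `w_expr` is unchecked and `res` is still assigned to `s->w` on the following line, yet nothing at the call site marks the missing check as deliberate; the comment the commit message refers to is not within the hunk. Since the reverted cleanup added these checks by mistake once already, marking the call itself would help, for example `/* return value ignored on purpose: w is evaluated again below */`, worded to match the existing explanation. If `res` can be NaN or unset after a failed evaluation, the conversion to the `int` field `s->w` should be covered by that comment as well. The same applies to the `x_expr` call in the second vf_pad.c hunk and to `scale->w_expr` in vf_scale.c.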
@@ -176,10 +175,9 @@ static int config_input(AVFilterLink *inlink) s->w = var_values[VAR_OUT_W] = var_values[VAR_OW] = res; /* evaluate x and y */ - if ((ret = av_expr_parse_and_eval(&res, (expr = s->x_expr), - var_names, var_values, - NULL, NULL, NULL, NULL, NULL, 0, ctx)) < 0) - goto eval_fail; + av_expr_parse_and_eval(&res, (expr = s->x_expr), + var_names, var_values, + NULL, NULL, NULL, NULL, NULL, 0, ctx); s->x = var_values[VAR_X] = res; if ((ret = av_expr_parse_and_eval(&res, (expr = s->y_expr), var_names, var_values, diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 2b9e7e839b..73ea9d23e0 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -177,10 +177,9 @@ static int config_props(AVFilterLink *outlink) var_values[VAR_VSUB] = 1 << desc->log2_chroma_h; /* evaluate width and height */ - if ((ret = av_expr_parse_and_eval(&res, (expr = scale->w_expr), - var_names, var_values, - NULL, NULL, NULL, NULL, NULL, 0, ctx)) < 0) - goto fail; + av_expr_parse_and_eval(&res, (expr = scale->w_expr), + var_names, var_values, + NULL, NULL, NULL, NULL, NULL, 0, ctx); scale->w = var_values[VAR_OUT_W] = var_values[VAR_OW] = res; if ((ret = av_expr_parse_and_eval(&res, (expr = scale->h_expr), var_names, var_values, From 1cb470934a26a6e73c61a2cc36f0d5063bdced29 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 18 Apr 2015 20:29:13 +0200 Subject: [PATCH 0503/1352] alsdec: limit avctx->bits_per_raw_sample to 32 avctx->bits_per_raw_sample is used in get_sbits_long, which only supports up to 32 bits. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 4c2b88678b436f59132386d9be2fc143e3ee480d) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index a55354b7fd..7a13a4c393 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
@@ -1697,6 +1697,12 @@ static av_cold int decode_init(AVCodecContext *avctx) avctx->sample_fmt = sconf->resolution > 1 ? AV_SAMPLE_FMT_S32 : AV_SAMPLE_FMT_S16; avctx->bits_per_raw_sample = (sconf->resolution + 1) * 8; + if (avctx->bits_per_raw_sample > 32) { + av_log(avctx, AV_LOG_ERROR, "Bits per raw sample %d larger than 32.\n", + avctx->bits_per_raw_sample); + ret = AVERROR_INVALIDDATA; + goto fail; + } } // set maximum Rice parameter for progressive decoding based on resolution From 07256a7a6ec8a6a5bf6190cd85f3d60141376279 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 19 Jan 2015 22:56:59 +0100 Subject: [PATCH 0504/1352] tests: drop bc dependency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We already have a dependency on awk and bc is sometimes not found in the base system. Signed-off-by: Martin Storsjö (cherry picked from commit a982c5d74fbc7ff5bd2f2f73af61ae48e9b1bcc6) Signed-off-by: Timothy Gu Conflicts: doc/platform.texi --- doc/platform.texi | 4 +--- tests/fate-run.sh | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/doc/platform.texi b/doc/platform.texi index ca76492753..fa91ce2b6c 100644 --- a/doc/platform.texi +++ b/doc/platform.texi @@ -135,8 +135,6 @@ You will need the following prerequisites: (if using MSVC 2012 or earlier) @item @uref{http://www.mingw.org/, MSYS} @item @uref{http://yasm.tortall.net/, YASM} -@item @uref{http://gnuwin32.sourceforge.net/packages/bc.htm, bc for Windows} if -you want to run @uref{fate.html, FATE}. @end itemize To set up a proper environment in MSYS, you need to run @code{msys.bat} from @@ -283,7 +281,7 @@ binutils, gcc4-core, make, git, mingw-runtime, texinfo In order to run FATE you will also need the following "Utils" packages: @example -bc, diffutils +diffutils @end example If you want to build FFmpeg with additional libraries, download Cygwin 
diff --git a/tests/fate-run.sh b/tests/fate-run.sh index 6e3373a3ae..e3b1b5efba 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh @@ -38,7 +38,7 @@ target_path(){ # $1=value1, $2=value2, $3=threshold # prints 0 if absolute difference between value1 and value2 is <= threshold compare(){ - echo "scale=2; v = $1 - $2; if (v < 0) v = -v; if (v > $3) r = 1; r" | bc + awk "BEGIN { v = $1 - $2; printf ((v < 0 ? -v : v) > $3) }" } do_tiny_psnr(){ From 09764c9909bf1e0816bbf32f9f249b594a2d647b Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 25 Feb 2015 15:07:18 +0100 Subject: [PATCH 0505/1352] lavfi/fade: Do not overread input buffer. (cherry picked from commit ab3ff19f08b7a83e320c39ab066f289c242b8030) --- libavfilter/vf_fade.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_fade.c b/libavfilter/vf_fade.c index 80ce75dcda..a7597cdff0 100644 --- a/libavfilter/vf_fade.c +++ b/libavfilter/vf_fade.c @@ -138,7 +138,9 @@ static int config_props(AVFilterLink *inlink) s->hsub = pixdesc->log2_chroma_w; s->vsub = pixdesc->log2_chroma_h; - s->bpp = av_get_bits_per_pixel(pixdesc) >> 3; + s->bpp = pixdesc->flags & AV_PIX_FMT_FLAG_PLANAR ? + 1 : + av_get_bits_per_pixel(pixdesc) >> 3; s->alpha &= !!(pixdesc->flags & AV_PIX_FMT_FLAG_ALPHA); s->is_packed_rgb = ff_fill_rgba_map(s->rgba_map, inlink->format) >= 0; From 7244cefd6e6ba7258cb022dfd7a284099d88a3e8 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Sun, 8 Mar 2015 21:08:16 +0000 Subject: [PATCH 0506/1352] libvpx: Fix mixed use of av_malloc() and av_reallocp() This buffer is resized when vpx_codec_get_cx_data() returns a VPX_CODEC_STATS_PKT packet. CC: libav-stable@libav.org Signed-off-by: Vittorio Giovara --- libavcodec/libvpxenc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 2c438951c6..03238851d5 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c 
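Review bot: The new `compare()` pastes `$1`, `$2` and `$3` into the text of the awk program, so any value that is not a plain number (for instance an empty string, or stray characters from tool output) is parsed as awk source rather than data, and the comparison result is then used as the `printf` format. Passing the values as variables keeps them data: `awk -v a="$1" -v b="$2" -v t="$3" 'BEGIN { v = a - b; print ((v < 0 ? -v : v) > t) }'`. `print` ends the output with a newline, as the removed `bc` pipeline did.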
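Review bot: The planar branch hard-codes `s->bpp` to `1`, which is correct only while every planar format this filter accepts has 8-bit components; a planar format with wider samples would be under-stepped, just as the old `av_get_bits_per_pixel(pixdesc) >> 3` over-stepped. The accepted format list is outside the hunk, so this may already hold. If it does, a comment stating the assumption would keep it from breaking silently when formats are added, for example `/* planar formats accepted here use one byte per component */`. config_props continues outside the hunk.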
@@ -291,7 +291,7 @@ static av_cold int vpx_init(AVCodecContext *avctx, if (enccfg.g_pass == VPX_RC_FIRST_PASS) enccfg.g_lag_in_frames = 0; else if (enccfg.g_pass == VPX_RC_LAST_PASS) { - int decode_size; + int decode_size, ret; if (!avctx->stats_in) { av_log(avctx, AV_LOG_ERROR, "No stats file for second pass\n"); @@ -299,12 +299,12 @@ static av_cold int vpx_init(AVCodecContext *avctx, } ctx->twopass_stats.sz = strlen(avctx->stats_in) * 3 / 4; - ctx->twopass_stats.buf = av_malloc(ctx->twopass_stats.sz); - if (!ctx->twopass_stats.buf) { + ret = av_reallocp(&ctx->twopass_stats.buf, ctx->twopass_stats.sz); + if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Stat buffer alloc (%zu bytes) failed\n", ctx->twopass_stats.sz); - return AVERROR(ENOMEM); + return ret; } decode_size = av_base64_decode(ctx->twopass_stats.buf, avctx->stats_in, ctx->twopass_stats.sz); From 78a3a4580c5a547af4ae8682c662ea3a4699a599 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Mon, 9 Mar 2015 23:02:00 +0000 Subject: [PATCH 0507/1352] mp3: Properly use AVCodecContext API Rather than having an unitialized context on the stack, allocate it with defaults and free it when unneeded. CC: libav-stable@libav.org --- libavformat/mp3dec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index bf12fdb2c5..cba67783f9 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -31,6 +31,7 @@ #include "id3v1.h" #include "replaygain.h" +#include "libavcodec/avcodec.h" #include "libavcodec/mpegaudiodecheader.h" #define XING_FLAG_FRAMES 0x01 @@ -55,7 +56,10 @@ static int mp3_read_probe(AVProbeData *p) int fsize, frames, sample_rate; uint32_t header; uint8_t *buf, *buf0, *buf2, *end; - AVCodecContext avctx; + AVCodecContext *avctx = avcodec_alloc_context3(NULL); + + if (!avctx) + return AVERROR(ENOMEM); buf0 = p->buf; end = p->buf + p->buf_size - sizeof(uint32_t); 
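Review bot: `ctx->twopass_stats.sz` is `strlen(avctx->stats_in) * 3 / 4`, which is 0 for a `stats_in` shorter than two characters, and the existing `!avctx->stats_in` test rejects only a NULL pointer. `av_reallocp()` frees the block and returns 0 when the size is zero (worth confirming for this branch), so the new `ret < 0` test would pass with `ctx->twopass_stats.buf` left NULL and that pointer is then handed to `av_base64_decode()` at the end of the hunk. Rejecting the empty case right after the size is computed avoids this: `if (!ctx->twopass_stats.sz) return AVERROR(EINVAL);`. vpx_init continues outside the hunk.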
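Review bot: `mp3_read_probe()` now returns `AVERROR(ENOMEM)` when `avcodec_alloc_context3(NULL)` fails, but a probe callback's return value is a score (see the `first_frames >= 10` scoring after the free in the last hunk of this file), so a negative errno is outside that contract. `return 0;` reports "not recognised" without relying on how callers treat negative scores. The context is freed once, after the scan loops; the loop bodies are only partly visible here, so any `return` between the allocation and `avcodec_free_context(&avctx)` would leak it.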
@@ -70,7 +74,9 @@ static int mp3_read_probe(AVProbeData *p) for(frames = 0; buf2 < end; frames++) { header = AV_RB32(buf2); - fsize = avpriv_mpa_decode_header(&avctx, header, &sample_rate, &sample_rate, &sample_rate, &sample_rate); + fsize = avpriv_mpa_decode_header(avctx, header, &sample_rate, + &sample_rate, &sample_rate, + &sample_rate); if(fsize < 0) break; buf2 += fsize; @@ -79,6 +85,7 @@ static int mp3_read_probe(AVProbeData *p) if(buf == buf0) first_frames= frames; } + avcodec_free_context(&avctx); // keep this in sync with ac3 probe, both need to avoid // issues with MPEG-files! if (first_frames >= 10) From 9f6c36d961d27283808310e3ca1d8390b55fce9b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 9 Mar 2015 19:24:09 +0100 Subject: [PATCH 0508/1352] roqvideoenc: set enc->avctx in roq_encode_init So far it is only set in roq_encode_frame, but it is used in roq_encode_end to free the coded_frame. This currently segfaults if roq_encode_frame is not called between roq_encode_init and roq_encode_end. CC:libav-stable@libav.org Signed-off-by: Andreas Cadhalpun Signed-off-by: Anton Khirnov --- libavcodec/roqvideoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/roqvideoenc.c b/libavcodec/roqvideoenc.c index af0089fb7f..871371be96 100644 --- a/libavcodec/roqvideoenc.c +++ b/libavcodec/roqvideoenc.c @@ -959,6 +959,8 @@ static av_cold int roq_encode_init(AVCodecContext *avctx) av_lfg_init(&enc->randctx, 1); + enc->avctx = avctx; + enc->framesSinceKeyframe = 0; if ((avctx->width & 0xf) || (avctx->height & 0xf)) { av_log(avctx, AV_LOG_ERROR, "Dimensions must be divisible by 16\n"); From 2af720fe5f0418612a8fc26b0147a0e10414fcbe Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Mon, 16 Mar 2015 11:26:48 +0100 Subject: [PATCH 0509/1352] x86: Put COPY3_IF_LT under HAVE_6REGS It uses 6 registers, unbreaks building on hardened x86 system. Bug-Id: gentoo/541930 CC: libav-stable@libav.org --- libavcodec/x86/mathops.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/x86/mathops.h b/libavcodec/x86/mathops.h index a62094ee97..2c04d9d1bd 100644 --- a/libavcodec/x86/mathops.h +++ b/libavcodec/x86/mathops.h @@ -23,7 +23,9 @@ #define AVCODEC_X86_MATHOPS_H #include "config.h" + #include "libavutil/common.h" +#include "libavutil/x86/asm.h" #if HAVE_INLINE_ASM @@ -88,6 +90,7 @@ static inline av_const int mid_pred(int a, int b, int c) return i; } +#if HAVE_6REGS #define COPY3_IF_LT(x, y, a, b, c, d)\ __asm__ volatile(\ "cmpl %0, %3 \n\t"\ @@ -97,6 +100,8 @@ __asm__ volatile(\ : "+&r" (x), "+&r" (a), "+r" (c)\ : "r" (y), "r" (b), "r" (d)\ ); +#endif /* HAVE_6REGS */ + #endif /* HAVE_I686 */ #define MASK_ABS(mask, level) \ From 8ae4d4e117626313e0b7df746e82de84d00d160a Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Fri, 13 Mar 2015 19:45:14 +0000 Subject: [PATCH 0510/1352] mov: Fix little endian audio detection Set this field to TRUE if the audio component is to operate on little-endian data, and FALSE otherwise. However TRUE and FALSE are not defined. Since this flag is just a boolean, interpret all values except for 0 as little endian. Sample-Id: 64bit_FLOAT_Little_Endian.mov --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d14dc7c745..60d171deb5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -864,7 +864,7 @@ static int mov_read_enda(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; st = c->fc->streams[c->fc->nb_streams-1]; - little_endian = avio_rb16(pb); + little_endian = !!avio_rb16(pb); av_dlog(c->fc, "enda %d\n", little_endian); if (little_endian == 1) { switch (st->codec->codec_id) { 
From 4415d0f3bbaeb287327ef101ae98d727a69d9af1 Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Sat, 11 Apr 2015 00:54:10 +0300 Subject: [PATCH 0511/1352] rtpenc_jpeg: Handle case of picture dimensions not dividing by 8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes the calculation of the number of needed blocks to make sure that ALL pixels are represented by the result. Signed-off-by: Martin Storsjö --- libavformat/rtpenc_jpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpenc_jpeg.c b/libavformat/rtpenc_jpeg.c index 9d0915b04b..b8c880aadf 100644 --- a/libavformat/rtpenc_jpeg.c +++ b/libavformat/rtpenc_jpeg.c @@ -40,8 +40,8 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) s->timestamp = s->cur_timestamp; /* convert video pixel dimensions from pixels to blocks */ - w = s1->streams[0]->codec->width >> 3; - h = s1->streams[0]->codec->height >> 3; + w = (s1->streams[0]->codec->width + 7) >> 3; + h = (s1->streams[0]->codec->height + 7) >> 3; /* get the pixel format type or fail */ if (s1->streams[0]->codec->pix_fmt == AV_PIX_FMT_YUVJ422P || From f77c9d71615e17414aacbb1720693b800a5a32d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 24 Apr 2015 12:38:09 +0300 Subject: [PATCH 0512/1352] rtsp: Make sure we don't write too many transport entries into a fixed-size array MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CC: libav-stable@libav.org Signed-off-by: Martin Storsjö --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 4e79bc12d6..3d040d308d 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -927,6 +927,8 @@ static void rtsp_parse_transport(RTSPMessageHeader *reply, const char *p) p++; reply->nb_transports++; + if (reply->nb_transports >= RTSP_MAX_TRANSPORTS) + break; } } 
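Review bot: Rounding up with `(width + 7) >> 3` means the block count reaches 256 at 2041 pixels instead of 2048. If `w` and `h` are later written into the one-byte width and height fields of the RTP/JPEG header (RFC 2435; the write is outside this hunk), such a value would be truncated to 0. A bound check next to the conversion would make the limit explicit, for example `if (w > 255 || h > 255)` followed by a log message and return. ff_rtp_send_jpeg continues outside the hunk.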
From 844201e35fe575710be8218d45828df49b77f205 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?John=20H=C3=B6gberg?= Date: Tue, 28 Apr 2015 10:20:33 +0200 Subject: [PATCH 0513/1352] mpegts: Update the PSI/SI table only if the version change If a PAT is finished while a PMT section filter is opened but not yet finished, the PMT section filter is closed and all the received data is discarded. This is usually not an issue but some multiplexers (With very quick PAT/PMT repetition settings) consistently emit a PMT section start, then a PAT, and then the rest of the PMT, causing the aforementioned behavior to result in no PMT being finished. In the most pathologic situation the stream information are lost and the probe fallback miscategorizes subtitles as mp3 audio. Avoid the issue through eliminating redundant PSI/SI table updates by checking their version field, which is required by the standard to be incremented on every change no matter how minor. CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavformat/mpegts.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index dced5370e4..57efabdb4c 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -73,6 +73,7 @@ typedef void SetServiceCallback (void *opaque, int ret); typedef struct MpegTSSectionFilter { int section_index; int section_h_size; + int last_ver; uint8_t *section_buf; unsigned int check_crc : 1; unsigned int end_of_section_reached : 1; @@ -354,6 +355,8 @@ static MpegTSFilter *mpegts_open_section_filter(MpegTSContext *ts, sec->opaque = opaque; sec->section_buf = av_malloc(MAX_SECTION_SIZE); sec->check_crc = check_crc; + sec->last_ver = -1; + if (!sec->section_buf) { av_free(filter); return NULL; 
@@ -1234,6 +1237,7 @@ static void m4sl_cb(MpegTSFilter *filter, const uint8_t *section, int section_len) { MpegTSContext *ts = filter->u.section_filter.opaque; + MpegTSSectionFilter *tssf = &filter->u.section_filter; SectionHeader h; const uint8_t *p, *p_end; AVIOContext pb; @@ -1248,6 +1252,9 @@ static void m4sl_cb(MpegTSFilter *filter, const uint8_t *section, return; if (h.tid != M4OD_TID) return; + if (h.version == tssf->last_ver) + return; + tssf->last_ver = h.version; mp4_read_od(s, p, (unsigned) (p_end - p), mp4_descr, &mp4_descr_count, MAX_MP4_DESCR_COUNT); @@ -1433,6 +1440,7 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, AVStream *st, int stream_type static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len) { MpegTSContext *ts = filter->u.section_filter.opaque; + MpegTSSectionFilter *tssf = &filter->u.section_filter; SectionHeader h1, *h = &h1; PESContext *pes; AVStream *st; @@ -1452,6 +1460,9 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len p = section; if (parse_section_header(h, &p, p_end) < 0) return; + if (h->version == tssf->last_ver) + return; + tssf->last_ver = h->version; av_dlog(ts->stream, "sid=0x%x sec_num=%d/%d\n", h->id, h->sec_num, h->last_sec_num); @@ -1583,6 +1594,7 @@ out: static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len) { MpegTSContext *ts = filter->u.section_filter.opaque; + MpegTSSectionFilter *tssf = &filter->u.section_filter; SectionHeader h1, *h = &h1; const uint8_t *p, *p_end; int sid, pmt_pid; @@ -1596,6 +1608,9 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len return; if (h->tid != PAT_TID) return; + if (h->version == tssf->last_ver) + return; + tssf->last_ver = h->version; clear_programs(ts); for (;;) { 
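Review bot: `tssf->last_ver = h.version;` in m4sl_cb records the version before the section body has been parsed, so a section rejected further down is still remembered and a later well-formed copy with the same version is dropped by the new early return. The same ordering appears in the pmt_cb, pat_cb and sdt_cb hunks. sdt_cb shows it most directly, where `onid = get16(&p, p_end); if (onid < 0) return;` follows the assignment. I would store the version only once the callback has parsed the section successfully, or reset `last_ver` to -1 on each error return. The callback bodies continue outside these hunks, so the right place for the store has to be checked against the full functions.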
@@ -1626,6 +1641,7 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len) { MpegTSContext *ts = filter->u.section_filter.opaque; + MpegTSSectionFilter *tssf = &filter->u.section_filter; SectionHeader h1, *h = &h1; const uint8_t *p, *p_end, *desc_list_end, *desc_end; int onid, val, sid, desc_list_len, desc_tag, desc_len, service_type; @@ -1640,6 +1656,10 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len return; if (h->tid != SDT_TID) return; + if (h->version == tssf->last_ver) + return; + tssf->last_ver = h->version; + onid = get16(&p, p_end); if (onid < 0) return; From 744d813bcf527481f2217428fa08bfee8642935b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 28 Apr 2015 01:55:10 +0200 Subject: [PATCH 0514/1352] avresample: Reallocate the internal buffer to the correct size Fixes the corner case in which the internal buffer size is larger than input buffer provided and resizing it before moving the left over samples would make it write to now unallocated memory. Bug-Id: 825 CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavresample/resample.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavresample/resample.c b/libavresample/resample.c index 4553b2c6eb..679e9e9ef4 100644 --- a/libavresample/resample.c +++ b/libavresample/resample.c @@ -432,7 +432,9 @@ int ff_audio_resample(ResampleContext *c, AudioData *dst, AudioData *src) int bps = av_get_bytes_per_sample(c->avr->internal_sample_fmt); int i; - ret = ff_audio_data_realloc(c->buffer, in_samples + c->padding_size); + ret = ff_audio_data_realloc(c->buffer, + FFMAX(in_samples, in_leftover) + + c->padding_size); if (ret < 0) { av_log(c->avr, AV_LOG_ERROR, "Error reallocating resampling buffer\n"); return AVERROR(ENOMEM); From 386e80610de282c92ad5897683ccaf2675766ac5 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 1 May 2015 23:55:42 +0100 Subject: [PATCH 0515/1352] mux: Do not leave stale side data pointers in ff_interleave_add_packet() Signed-off-by: Michael Niedermayer Signed-off-by: Vittorio Giovara --- libavformat/mux.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mux.c b/libavformat/mux.c index df4f57a7f3..d4492d129f 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -400,6 +400,8 @@ FF_DISABLE_DEPRECATION_WARNINGS FF_ENABLE_DEPRECATION_WARNINGS #endif pkt->buf = NULL; + pkt->side_data = NULL; + pkt->side_data_elems = 0; // Duplicate the packet if it uses non-allocated memory if ((ret = av_dup_packet(&this_pktl->pkt)) < 0) { av_free(this_pktl); From ac1660509ecfbeca7b63eb5ab8360011180e705b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 29 Apr 2015 20:39:22 +0200 Subject: [PATCH 0516/1352] ape: Support _0000 files with nblock smaller than 64 The decode_array_0000 assumed that 64 is the minimal block size while it is not. CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 344c85bff0..131c6f32d7 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -614,12 +614,12 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, int ksummax, ksummin; rice->ksum = 0; - for (i = 0; i < 5; i++) { + for (i = 0; i < FFMIN(blockstodecode, 5); i++) { out[i] = get_rice_ook(&ctx->gb, 10); rice->ksum += out[i]; } rice->k = av_log2(rice->ksum / 10) + 1; - for (; i < 64; i++) { + for (; i < FFMIN(blockstodecode, 64); i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); rice->ksum += out[i]; rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1; From cb5324200ccdc693dd5b28dcd7d4b722fad83ea2 Mon Sep 17 00:00:00 2001 
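Review bot: `rice->k = av_log2(rice->ksum / 10) + 1;` in decode_array_0000 is computed from values read out of the bitstream and is then passed to `get_rice_ook(&ctx->gb, rice->k)` in the second loop with no upper bound in this hunk. If get_rice_ook reads `k` bits in a single bit-reader call (its body is not shown), a large `ksum` from a damaged file would request more bits than the reader supports. The other version of this function further down the page (patch 0531) has `if (rice->k >= 24) return;` between the two loops, and I would add the same guard here. The second loop's body and the rest of the function lie outside the hunk.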
From: Andreas Cadhalpun Date: Fri, 24 Apr 2015 00:01:43 +0200 Subject: [PATCH 0517/1352] alac: Reject rice_limit 0 if compression is used If in compression mode rice_limit = 0 leads to call `show_bits(gb, k)` in `decode_scalar` with k = 0. Request a sample in case it is valid and it should be accepted. Signed-off-by: Luca Barbato CC: libav-stable@libav.org --- libavcodec/alac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 5272f8416c..5c792c4e6a 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -307,6 +307,12 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, int lpc_quant[2]; int rice_history_mult[2]; + if (!alac->rice_limit) { + avpriv_request_sample(alac->avctx, + "Compression with rice limit 0"); + return AVERROR(ENOSYS); + } + decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); From 21b21aed797b5e636adcf2df811f96a95f208930 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 20:57:59 +0200 Subject: [PATCH 0518/1352] nut: Check chapter creation in decode_info_header This fixes a segmentation fault when accessing the metadata. Signed-off-by: Luca Barbato CC: libav-stable@libav.org --- libavformat/nutdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 36ca754fa1..116c3d4e13 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -482,6 +482,10 @@ static int decode_info_header(NUTContext *nut) nut->time_base[chapter_start % nut->time_base_count], start, start + chapter_len, NULL); + if (!chapter) { + av_log(s, AV_LOG_ERROR, "Could not create chapter.\n"); + return AVERROR(ENOMEM); + } metadata = &chapter->metadata; } else if (stream_id_plus1) { st = s->streams[stream_id_plus1 - 1]; From a55a70644872027fdf76a75edf12a09c9008880f Mon Sep 17 00:00:00 2001 
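Review bot: The new rejection in decode_element returns `AVERROR(ENOSYS)` right after `avpriv_request_sample()`, which reports a missing system facility rather than an unsupported input. The usual pairing for a requested sample is `return AVERROR_PATCHWELCOME;`, so callers and users see that the stream is valid but not handled. A short comment such as `/* rice_limit 0 would make decode_scalar read 0 bits */` would also keep the reason next to the check. The function body continues outside the hunk.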
From: Andreas Cadhalpun Date: Wed, 6 May 2015 02:26:57 +0200 Subject: [PATCH 0519/1352] avi: Validate sample_size And either error out or set it to 0 if it is negative. CC: libav-stable@libav.org Signed-off-by: Luca Barbato --- libavformat/avidec.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index c24a6c495d..54c4814060 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -569,6 +569,23 @@ static int avi_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "unknown stream type %X\n", tag1); goto fail; } + + if (ast->sample_size < 0) { + if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, + "Invalid sample_size %d at stream %d\n", + ast->sample_size, + stream_index); + goto fail; + } + av_log(s, AV_LOG_WARNING, + "Invalid sample_size %d at stream %d " + "setting it to 0\n", + ast->sample_size, + stream_index); + ast->sample_size = 0; + } + if (ast->sample_size == 0) st->duration = st->nb_frames; ast->frame_offset = ast->cum_len; From 0f50c53cfb959162f2bccc1a2c2e066d35723595 Mon Sep 17 00:00:00 2001 From: wm4 Date: Fri, 8 May 2015 17:01:50 +0200 Subject: [PATCH 0520/1352] png: Set the color range as full range The format uses full range for the gray formats. CC: libav-stable@libav.org --- libavcodec/pngdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index fa7f7cc0a6..2790bf432b 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -645,6 +645,8 @@ static av_cold int png_dec_init(AVCodecContext *avctx) { PNGDecContext *s = avctx->priv_data; + avctx->color_range = AVCOL_RANGE_JPEG; + s->prev = av_frame_alloc(); if (!s->prev) return AVERROR(ENOMEM); From 1f64b018cbec018fa66a4a20f79958d9707913de Mon Sep 17 00:00:00 2001 
From: Luca Barbato Date: Wed, 29 Apr 2015 21:29:49 +0200 Subject: [PATCH 0521/1352] nut: Make sure to clean up on read_header failure Based on Andreas Cadhalpun work. CC: libav-stable@libav.org --- libavformat/nutdec.c | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 116c3d4e13..d669733f12 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -682,6 +682,20 @@ fail: return ret; } +static int nut_read_close(AVFormatContext *s) +{ + NUTContext *nut = s->priv_data; + int i; + + av_freep(&nut->time_base); + av_freep(&nut->stream); + ff_nut_free_sp(nut); + for (i = 1; i < nut->header_count; i++) + av_freep(&nut->header[i]); + + return 0; +} + static int nut_read_header(AVFormatContext *s) { NUTContext *nut = s->priv_data; @@ -697,7 +711,7 @@ static int nut_read_header(AVFormatContext *s) pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); - return AVERROR_INVALIDDATA; + goto fail; } } while (decode_main_header(nut) < 0); @@ -707,7 +721,7 @@ static int nut_read_header(AVFormatContext *s) pos = find_startcode(bc, STREAM_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "Not all stream headers found.\n"); - return AVERROR_INVALIDDATA; + goto fail; } if (decode_stream_header(nut) >= 0) initialized_stream_count++; @@ -721,7 +735,7 @@ static int nut_read_header(AVFormatContext *s) if (startcode == 0) { av_log(s, AV_LOG_ERROR, "EOF before video frames\n"); - return AVERROR_INVALIDDATA; + goto fail; } else if (startcode == SYNCPOINT_STARTCODE) { nut->next_startcode = startcode; break; @@ -744,6 +758,11 @@ static int nut_read_header(AVFormatContext *s) ff_metadata_conv_ctx(s, NULL, ff_nut_metadata_conv); return 0; + +fail: + nut_read_close(s); + + return AVERROR_INVALIDDATA; } static int decode_frame_header(NUTContext *nut, int64_t *pts, int *stream_id, 
@@ -1018,20 +1037,6 @@ static int read_seek(AVFormatContext *s, int stream_index, return 0; } -static int nut_read_close(AVFormatContext *s) -{ - NUTContext *nut = s->priv_data; - int i; - - av_freep(&nut->time_base); - av_freep(&nut->stream); - ff_nut_free_sp(nut); - for (i = 1; i < nut->header_count; i++) - av_freep(&nut->header[i]); - - return 0; -} - AVInputFormat ff_nut_demuxer = { .name = "nut", .long_name = NULL_IF_CONFIG_SMALL("NUT"), From 5549f693d2181b3211427f65e48eaa2f4fc5a402 Mon Sep 17 00:00:00 2001 From: Shiina Hideaki Date: Thu, 7 May 2015 01:46:55 +0100 Subject: [PATCH 0522/1352] mjpegenc: Fix JFIF header byte ordering The header had a wrong version description. Bug-Id: 808 Signed-off-by: Shiina Hideaki Signed-off-by: Vittorio Giovara --- libavcodec/mjpegenc_common.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index adb335e5e1..9373e4a467 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c @@ -96,7 +96,10 @@ static void jpeg_put_comments(AVCodecContext *avctx, PutBitContext *p) put_marker(p, APP0); put_bits(p, 16, 16); avpriv_put_string(p, "JFIF", 1); /* this puts the trailing zero-byte too */ - put_bits(p, 16, 0x0201); /* v 1.02 */ + /* The most significant byte is used for major revisions, the least + * significant byte for minor revisions. Version 1.02 is the current + * released revision. */ + put_bits(p, 16, 0x0102); put_bits(p, 8, 0); /* units type: 0 - aspect ratio */ put_bits(p, 16, avctx->sample_aspect_ratio.num); put_bits(p, 16, avctx->sample_aspect_ratio.den); From b37bfbfbe53917820d1f97312fa0b2e8c7a15217 Mon Sep 17 00:00:00 2001 From: Mikulas Patocka Date: Mon, 15 Sep 2014 05:11:21 -0700 Subject: [PATCH 0523/1352] configure: Disable i686 for i586 and lower CPUs --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 33a7a85cfa..dd97ddf7db 100755 --- a/configure +++ b/configure 
@@ -3282,6 +3282,7 @@ elif enabled x86; then case $cpu in i[345]86|pentium) cpuflags="-march=$cpu" + disable i686 disable mmx ;; # targets that do NOT support nopl and conditional mov (cmov) From a7dedd8ea53394cb7dc532aa8f2598c02327aa68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Feb 2015 19:59:44 +0100 Subject: [PATCH 0524/1352] avformat/mp3dec: properly allocate dummy AVCodecContext Fixes (harmless) use of uninitialized variable Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit 6ad42b3e15478284321dd285acaf189a16590854) Conflicts: libavformat/mp3dec.c --- libavformat/mp3dec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index ea9f2c35aa..7ad6845e5c 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -61,7 +61,7 @@ static int mp3_read_probe(AVProbeData *p) int fsize, frames, sample_rate; uint32_t header; const uint8_t *buf, *buf0, *buf2, *end; - AVCodecContext avctx; + AVCodecContext *avctx = avcodec_alloc_context3(NULL); buf0 = p->buf; end = p->buf + p->buf_size - sizeof(uint32_t); @@ -78,7 +78,7 @@ static int mp3_read_probe(AVProbeData *p) for(frames = 0; buf2 < end; frames++) { header = AV_RB32(buf2); - fsize = avpriv_mpa_decode_header(&avctx, header, &sample_rate, &sample_rate, &sample_rate, &sample_rate); + fsize = avpriv_mpa_decode_header(avctx, header, &sample_rate, &sample_rate, &sample_rate, &sample_rate); if(fsize < 0) break; buf2 += fsize; @@ -87,6 +87,7 @@ static int mp3_read_probe(AVProbeData *p) if(buf == buf0) first_frames= frames; } + avcodec_free_context(&avctx); // keep this in sync with ac3 probe, both need to avoid // issues with MPEG-files! if (first_frames>=4) return AVPROBE_SCORE_EXTENSION + 1; From 86be9cda97d2577165127c3b7075aa6a038995ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Feb 2015 20:11:19 +0100 Subject: [PATCH 0525/1352] avformat/mp3dec: Check for avcodec_alloc_context3() failure 
Signed-off-by: Michael Niedermayer (cherry picked from commit b851bc20c6931c084710e69f7eec30d8c1bdb68e) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 7ad6845e5c..b3a78d0d8a 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -63,6 +63,9 @@ static int mp3_read_probe(AVProbeData *p) const uint8_t *buf, *buf0, *buf2, *end; AVCodecContext *avctx = avcodec_alloc_context3(NULL); + if (!avctx) + return 0; + buf0 = p->buf; end = p->buf + p->buf_size - sizeof(uint32_t); while(buf0 < end && !*buf0) From 74b856e58bd91a626f2212e323f7e9bb27846966 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Apr 2015 05:00:51 +0200 Subject: [PATCH 0526/1352] avformat/mpegts: reset last_version on seeking Signed-off-by: Michael Niedermayer (cherry picked from commit 639781492684fcad05da52e7700bcbf6086599ea) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 3fe6aa460c..3aa616a54a 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2293,6 +2293,8 @@ static int handle_packets(MpegTSContext *ts, int64_t nb_packets) av_buffer_unref(&pes->buffer); pes->data_index = 0; pes->state = MPEGTS_SKIP; /* skip until pes header */ + } else if (ts->pids[i]->type == MPEGTS_SECTION) { + ts->pids[i]->u.section_filter.last_ver = -1; } ts->pids[i]->last_cc = -1; ts->pids[i]->last_pcr = -1; From 52242a387b36fc05bf5fa65c4905927543b43ba7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Apr 2015 06:26:18 +0200 Subject: [PATCH 0527/1352] avformat/mpegts: Also parse the FMC descriptor if the codec has not been identified yet Fixes Detecting AAC with such descriptor if the parts needed for detection are later in the stream Signed-off-by: Michael Niedermayer (cherry picked from commit 14e9a20083c9c17c9431754bf13e458293c1ead4) 
Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 3aa616a54a..455615ff2b 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1555,7 +1555,9 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, AVStream *st, int stream_type case 0x1F: /* FMC descriptor */ get16(pp, desc_end); if (mp4_descr_count > 0 && - (st->codec->codec_id == AV_CODEC_ID_AAC_LATM || st->request_probe > 0) && + (st->codec->codec_id == AV_CODEC_ID_AAC_LATM || + (st->request_probe == 0 && st->codec->codec_id == AV_CODEC_ID_NONE) || + st->request_probe > 0) && mp4_descr->dec_config_descr_len && mp4_descr->es_id == pid) { AVIOContext pb; ffio_init_context(&pb, mp4_descr->dec_config_descr, From 3d296c0ec1d517260a658f02b5404def689918ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Apr 2015 22:24:09 +0200 Subject: [PATCH 0528/1352] avformat/mpegts: Factorize version checking code out Signed-off-by: Michael Niedermayer (cherry picked from commit 4e8d01f20ce82b49f47c704a461c5d30866affaf) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 455615ff2b..62ecd64559 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -568,6 +568,16 @@ typedef struct SectionHeader { uint8_t last_sec_num; } SectionHeader; +static int skip_identical(const SectionHeader *h, MpegTSSectionFilter *tssf) +{ + if (h->version == tssf->last_ver) + return 1; + + tssf->last_ver = h->version; + + return 0; +} + static inline int get8(const uint8_t **pp, const uint8_t *p_end) { const uint8_t *p; 
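Review bot: skip_identical() reads like a pure predicate but also stores `h->version` into `tssf->last_ver` whenever it returns 0, and the helper is added without a comment. Every caller now depends on that side effect, so I would document it above the definition, e.g. `/* Return 1 if the section repeats the last accepted version; otherwise remember the new version and return 0. */`.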
@@ -1455,9 +1465,8 @@ static void m4sl_cb(MpegTSFilter *filter, const uint8_t *section, return; if (h.tid != M4OD_TID) return; - if (h.version == tssf->last_ver) + if (skip_identical(&h, tssf)) return; - tssf->last_ver = h.version; mp4_read_od(s, p, (unsigned) (p_end - p), mp4_descr, &mp4_descr_count, MAX_MP4_DESCR_COUNT); @@ -1749,9 +1758,8 @@ static void pmt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len p = section; if (parse_section_header(h, &p, p_end) < 0) return; - if (h->version == tssf->last_ver) + if (skip_identical(h, tssf)) return; - tssf->last_ver = h->version; av_dlog(ts->stream, "sid=0x%x sec_num=%d/%d\n", h->id, h->sec_num, h->last_sec_num); @@ -1917,9 +1925,8 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len if (ts->skip_changes) return; - if (h->version == tssf->last_ver) + if (skip_identical(h, tssf)) return; - tssf->last_ver = h->version; ts->stream->ts_id = h->id; clear_programs(ts); @@ -1990,9 +1997,8 @@ static void sdt_cb(MpegTSFilter *filter, const uint8_t *section, int section_len return; if (ts->skip_changes) return; - if (h->version == tssf->last_ver) + if (skip_identical(h, tssf)) return; - tssf->last_ver = h->version; onid = get16(&p, p_end); if (onid < 0) From 5b1befb074cfcb0590f0f4d1cc352630d0609336 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 May 2015 02:13:26 +0200 Subject: [PATCH 0529/1352] avformat/mpegts: reset last_ver on corrupted packets Signed-off-by: Michael Niedermayer (cherry picked from commit 4b6be54bed27eb7fc8f005505ff38e71b3c86cec) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 62ecd64559..8f035006ab 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c 
@@ -416,8 +416,11 @@ static void write_section_data(MpegTSContext *ts, MpegTSFilter *tss1, }else crc_valid = 2; } - if (crc_valid) + if (crc_valid) { tss->section_cb(tss1, tss->section_buf, tss->section_h_size); + if (crc_valid != 1) + tss->last_ver = -1; + } } } From 8f3787d068c14ac2988a098de21118d122504498 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 May 2015 02:14:14 +0200 Subject: [PATCH 0530/1352] avformat/mpegts: Detect changes in packet through CRC instead of just the 5bit version Signed-off-by: Michael Niedermayer (cherry picked from commit e0153145f6f8f3aa813652980862bafc8fd9b5c9) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 8f035006ab..af5db08a45 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -76,6 +76,8 @@ typedef struct MpegTSSectionFilter { int section_index; int section_h_size; int last_ver; + unsigned crc; + unsigned last_crc; uint8_t *section_buf; unsigned int check_crc : 1; unsigned int end_of_section_reached : 1; @@ -409,6 +411,9 @@ static void write_section_data(MpegTSContext *ts, MpegTSFilter *tss1, if (tss->check_crc) { crc_valid = !av_crc(av_crc_get_table(AV_CRC_32_IEEE), -1, tss->section_buf, tss->section_h_size); + if (tss->section_h_size >= 4) + tss->crc = AV_RB32(tss->section_buf + tss->section_h_size - 4); + if (crc_valid) { ts->crc_validity[ tss1->pid ] = 100; }else if (ts->crc_validity[ tss1->pid ] > -10) { @@ -573,10 +578,11 @@ typedef struct SectionHeader { static int skip_identical(const SectionHeader *h, MpegTSSectionFilter *tssf) { - if (h->version == tssf->last_ver) + if (h->version == tssf->last_ver && tssf->last_crc == tssf->crc) return 1; tssf->last_ver = h->version; + tssf->last_crc = tssf->crc; return 0; } From 4e4708ad8093151b2b79276b7c2950a4462108b4 Mon Sep 17 00:00:00 2001 
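Review bot: `if (crc_valid != 1) tss->last_ver = -1;` in write_section_data relies on the bare values 1 and 2 of `crc_valid`, and nothing in the hunk explains why the version is forgotten in the second case. From the visible context, 2 is assigned on an `else` path where the section is still handed to the callback, presumably without a matching CRC. A comment would make that explicit, e.g. `/* section was accepted without a verified CRC: do not let it suppress the next copy */`. The assignment of `crc_valid` sits partly outside the hunk, so the wording should be checked against the full block.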
From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 11:13:43 +0200 Subject: [PATCH 0531/1352] apedec: prevent out of array writes in decode_array_0000 s->decoded_buffer is allocated with a min_size of: 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer) Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8) to s->decoded[1]) and passed as out buffer to decode_array_0000. In this function 64 elements of the out buffer are written unconditionally and outside the array if blockstodecode is too small. This causes memory corruption, leading to segmentation faults or other crashes. Thus change decode_array_0000 to write at most blockstodecode elements of the out buffer. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 699341d647f7af785fb8ceed67604467b0b9ab12) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 383b7fe669..860721484a 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -601,14 +601,14 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, int ksummax, ksummin; rice->ksum = 0; - for (i = 0; i < 5; i++) { + for (i = 0; i < FFMIN(blockstodecode, 5); i++) { out[i] = get_rice_ook(&ctx->gb, 10); rice->ksum += out[i]; } rice->k = av_log2(rice->ksum / 10) + 1; if (rice->k >= 24) return; - for (; i < 64; i++) { + for (; i < FFMIN(blockstodecode, 64); i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); rice->ksum += out[i]; rice->k = av_log2(rice->ksum / ((i + 1) * 2)) + 1; From 63afe5b9140bacdf587cff0cd9427ab03fa76b72 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 20:57:59 +0200 Subject: [PATCH 0532/1352] nutdec: check chapter creation in decode_info_header This fixes a segmentation fault when accessing the metadata. 
Signed-off-by: Michael Niedermayer (cherry picked from commit 3ff1af2b0db7132d5717be6395227a94c8abab07) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 11e7e43a79..7ae722b74c 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -505,6 +505,10 @@ static int decode_info_header(NUTContext *nut) nut->time_base[chapter_start % nut->time_base_count], start, start + chapter_len, NULL); + if (!chapter) { + av_log(s, AV_LOG_ERROR, "could not create chapter\n"); + return AVERROR(ENOMEM); + } metadata = &chapter->metadata; } else if (stream_id_plus1) { st = s->streams[stream_id_plus1 - 1]; From df0003030a979d7790180b3aa7e265e6f2b2fb1c Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 May 2015 23:01:45 +0200 Subject: [PATCH 0533/1352] avidec: avoid infinite loop due to negative ast->sample_size If max in clean_index is set to a negative ast->sample_size, the following loop never ends: while (max < 1024) max += max; Thus set ast->sample_size to 0 if it would otherwise be negative. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ca234639ac49a0dc073ac1f10977979acdb94f97) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index a73bf98474..d6dea6e9bf 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -685,6 +685,7 @@ static int avi_read_header(AVFormatContext *s) default: av_log(s, AV_LOG_INFO, "unknown stream type %X\n", tag1); } + ast->sample_size = FFMAX(ast->sample_size, 0); if (ast->sample_size == 0) { st->duration = st->nb_frames; if (st->duration > 0 && avi->io_fsize > 0 && avi->riff_end > avi->io_fsize) { From 9f4979b24c9a455b1ef16ee97dfeb21e4cfde1ba Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 4 May 2015 23:42:24 +0200 Subject: [PATCH 0534/1352] avformat/avidec: print a warning for negative sample_size Signed-off-by: Michael Niedermayer (cherry picked from commit c7369f3a4bd21ea64571c1b0c4fcbf39f8daf68c) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index d6dea6e9bf..8c638de7b5 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -685,6 +685,8 @@ static int avi_read_header(AVFormatContext *s) default: av_log(s, AV_LOG_INFO, "unknown stream type %X\n", tag1); } + if (ast->sample_size < 0) + av_log(s, AV_LOG_WARNING, "sample size %d is invalid\n", ast->sample_size); ast->sample_size = FFMAX(ast->sample_size, 0); if (ast->sample_size == 0) { st->duration = st->nb_frames; From 91aa6d8a8b9b18ca9bf5f83ccbc6abb302403a0b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 20:58:21 +0200 Subject: [PATCH 0535/1352] nutdec: fix memleaks on error in nut_read_header Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 361702660d2c37a63b7d6381d39e1e1de8405260) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index f8c3fecfb8..5c705ac5a1 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -744,12 +744,14 @@ fail: return ret; } +static int nut_read_close(AVFormatContext *s); + static int nut_read_header(AVFormatContext *s) { NUTContext *nut = s->priv_data; AVIOContext *bc = s->pb; int64_t pos; - int initialized_stream_count; + int initialized_stream_count, ret = 0; nut->avf = s; 
@@ -759,7 +761,8 @@ static int nut_read_header(AVFormatContext *s) pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto end; } } while (decode_main_header(nut) < 0); @@ -769,7 +772,8 @@ static int nut_read_header(AVFormatContext *s) pos = find_startcode(bc, STREAM_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "Not all stream headers found.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto end; } if (decode_stream_header(nut) >= 0) initialized_stream_count++; @@ -783,7 +787,8 @@ static int nut_read_header(AVFormatContext *s) if (startcode == 0) { av_log(s, AV_LOG_ERROR, "EOF before video frames\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto end; } else if (startcode == SYNCPOINT_STARTCODE) { nut->next_startcode = startcode; break; @@ -805,7 +810,10 @@ static int nut_read_header(AVFormatContext *s) ff_metadata_conv_ctx(s, NULL, ff_nut_metadata_conv); - return 0; +end: + if (ret < 0) + nut_read_close(s); + return FFMIN(ret, 0); } static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int is_meta, int64_t maxpos) From 4dc0fbb13c33b4e5bdb766652f4daf900ccc952f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 May 2015 12:38:35 +0200 Subject: [PATCH 0536/1352] x86: cavs: Remove an unneeded scratch buffer Simplifies the code and makes it build on certain compilers running out of registers on x86. CC: libav-stable@libav.org Reported-By: mudler (cherry picked from commit e4610300de6869bd6b3b00e76cfeabb6d7653dcd) Signed-off-by: Luca Barbato --- libavcodec/x86/cavsdsp.c | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/libavcodec/x86/cavsdsp.c b/libavcodec/x86/cavsdsp.c index b323a105f2..39eec4b3ee 100644 --- a/libavcodec/x86/cavsdsp.c +++ b/libavcodec/x86/cavsdsp.c 
@@ -142,9 +142,7 @@ static void cavs_idct8_add_mmx(uint8_t *dst, int16_t *block, int stride) DECLARE_ALIGNED(8, int16_t, b2)[64]; for(i=0; i<2; i++){ - DECLARE_ALIGNED(8, uint64_t, tmp); - - cavs_idct8_1d(block+4*i, ff_pw_4.a); + cavs_idct8_1d(block + 4 * i, ff_pw_4.a); __asm__ volatile( "psraw $3, %%mm7 \n\t" @@ -155,20 +153,20 @@ static void cavs_idct8_add_mmx(uint8_t *dst, int16_t *block, int stride) "psraw $3, %%mm2 \n\t" "psraw $3, %%mm1 \n\t" "psraw $3, %%mm0 \n\t" - "movq %%mm7, %0 \n\t" + "movq %%mm7, (%0) \n\t" TRANSPOSE4( %%mm0, %%mm2, %%mm4, %%mm6, %%mm7 ) - "movq %%mm0, 8(%1) \n\t" - "movq %%mm6, 24(%1) \n\t" - "movq %%mm7, 40(%1) \n\t" - "movq %%mm4, 56(%1) \n\t" - "movq %0, %%mm7 \n\t" + "movq %%mm0, 8(%0) \n\t" + "movq %%mm6, 24(%0) \n\t" + "movq %%mm7, 40(%0) \n\t" + "movq %%mm4, 56(%0) \n\t" + "movq (%0), %%mm7 \n\t" TRANSPOSE4( %%mm7, %%mm5, %%mm3, %%mm1, %%mm0 ) - "movq %%mm7, (%1) \n\t" - "movq %%mm1, 16(%1) \n\t" - "movq %%mm0, 32(%1) \n\t" - "movq %%mm3, 48(%1) \n\t" - : "=m"(tmp) - : "r"(b2+32*i) + "movq %%mm7, (%0) \n\t" + "movq %%mm1, 16(%0) \n\t" + "movq %%mm0, 32(%0) \n\t" + "movq %%mm3, 48(%0) \n\t" + : + : "r"(b2 + 32 * i) : "memory" ); } From e4e64f2fea0a0a1ba8eb89f0f6fa1930ff1ec389 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Mar 2015 14:28:11 +0100 Subject: [PATCH 0537/1352] avcodec/x86/cavsdsp: remove unneeded tmp This is faster and simpler as well Signed-off-by: Michael Niedermayer (cherry picked from commit d79f7bf0d63a81ee66026ee92a6946a7303d04bd) Conflicts: libavcodec/x86/cavsdsp.c --- libavcodec/x86/cavsdsp.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavcodec/x86/cavsdsp.c b/libavcodec/x86/cavsdsp.c index d155fb20bc..6199a33209 100644 --- a/libavcodec/x86/cavsdsp.c +++ b/libavcodec/x86/cavsdsp.c 
@@ -142,8 +142,6 @@ static void cavs_idct8_add_mmx(uint8_t *dst, int16_t *block, int stride) DECLARE_ALIGNED(8, int16_t, b2)[64]; for(i=0; i<2; i++){ - DECLARE_ALIGNED(8, uint64_t, tmp); - cavs_idct8_1d(block+4*i, ff_pw_4.a); __asm__ volatile( @@ -155,19 +153,19 @@ static void cavs_idct8_add_mmx(uint8_t *dst, int16_t *block, int stride) "psraw $3, %%mm2 \n\t" "psraw $3, %%mm1 \n\t" "psraw $3, %%mm0 \n\t" - "movq %%mm7, %0 \n\t" + "movq %%mm7, (%0) \n\t" TRANSPOSE4( %%mm0, %%mm2, %%mm4, %%mm6, %%mm7 ) - "movq %%mm0, 8(%1) \n\t" - "movq %%mm6, 24(%1) \n\t" - "movq %%mm7, 40(%1) \n\t" - "movq %%mm4, 56(%1) \n\t" - "movq %0, %%mm7 \n\t" + "movq %%mm0, 8(%0) \n\t" + "movq %%mm6, 24(%0) \n\t" + "movq %%mm7, 40(%0) \n\t" + "movq %%mm4, 56(%0) \n\t" + "movq (%0), %%mm7 \n\t" TRANSPOSE4( %%mm7, %%mm5, %%mm3, %%mm1, %%mm0 ) - "movq %%mm7, (%1) \n\t" - "movq %%mm1, 16(%1) \n\t" - "movq %%mm0, 32(%1) \n\t" - "movq %%mm3, 48(%1) \n\t" - : "=m"(tmp) + "movq %%mm7, (%0) \n\t" + "movq %%mm1, 16(%0) \n\t" + "movq %%mm0, 32(%0) \n\t" + "movq %%mm3, 48(%0) \n\t" + : : "r"(b2+32*i) : "memory" ); From 70642090960c35dcd6da941c869bdf55d4f3bb00 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 25 May 2015 21:53:26 +0200 Subject: [PATCH 0538/1352] msrle: Use FFABS to determine the frame size in msrle_decode_pal4 As done in msrle_decode_8_16_24_32. Bug-Id: CVE-2015-3395 CC: libav-stable@libav.org --- libavcodec/msrledec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c index af2a2478b1..370d9bdfce 100644 --- a/libavcodec/msrledec.c +++ b/libavcodec/msrledec.c @@ -39,7 +39,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic, unsigned int pixel_ptr = 0; int row_dec = pic->linesize[0]; int row_ptr = (avctx->height - 1) * row_dec; - int frame_size = row_dec * avctx->height; + int frame_size = FFABS(row_dec) * avctx->height; int i; while (row_ptr >= 0) { 
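Review bot: In msrle_decode_pal4() (patch 0538) only `frame_size` takes the absolute value; `row_ptr` on the line above is still computed as `(avctx->height - 1) * row_dec`, so with a negative linesize and more than one row it starts negative and the `while (row_ptr >= 0)` loop at the end of the hunk never runs. If pictures with negative linesize are meant to be decoded here, the row arithmetic needs the same treatment; if not, an explicit comment or early return would make that clear. `FFABS(row_dec) * avctx->height` is also an int product, which relies on the picture dimensions having been validated elsewhere. The rest of the function is outside the hunk.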
From 3b69f245dbe6e2016659a45c4bfe284f6c5ac57e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 25 May 2015 22:30:10 +0200 Subject: [PATCH 0539/1352] h264: Make sure reinit failures mark the context as not initialized Bug-Id: CVE-2015-3417 CC: libav-stable@libav.org --- libavcodec/h264_slice.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index e47a4484e6..c2c3e9ff1e 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1319,6 +1319,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) } if (h->context_initialized && needs_reinit) { + h->context_initialized = 0; if (h != h0) { av_log(h->avctx, AV_LOG_ERROR, "changing width %d -> %d / height %d -> %d on " From 0069d4597bda5723fbcae410784bbfa4750df706 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 24 May 2015 10:36:42 +0200 Subject: [PATCH 0540/1352] Update changelog for v11.4 --- Changelog | 36 ++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 6b8cabcb1a..9fc1556bbb 100644 --- a/Changelog +++ b/Changelog 
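Review bot: In ff_h264_decode_slice_header() the flag is cleared at the top of the `needs_reinit` branch, but nothing explains that the clearing is deliberate and has to precede every early return below it. A comment such as `/* cleared first so that any failure below leaves the context marked as not initialized */` would protect the line from being moved. The first failure path shown is the `h != h0` case, where `h` is not the main context; whether `h0->context_initialized` also needs resetting there, and where the flag is set again after a successful reinit, cannot be seen from this hunk.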
@@ -1,6 +1,42 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 11.4: + + - h264: Make sure reinit failures mark the context as not initialized (CVE-2015-3417) + - msrle: Use FFABS to determine the frame size in msrle_decode_pal4 (CVE-2015-3395) + - cavs: Remove an unneeded scratch buffer + - configure: Disable i686 for i586 and lower CPUs (debian/783082) + - mjpegenc: Fix JFIF header byte ordering (bug/808) + - nut: Make sure to clean up on read_header failure + - png: Set the color range as full range + - avi: Validate sample_size + - nut: Check chapter creation in decode_info_header + - alac: Reject rice_limit 0 if compression is used + - ape: Support _0000 files with nblock smaller than 64 + - mux: Do not leave stale side data pointers in ff_interleave_add_packet() + - avresample: Reallocate the internal buffer to the correct size (bug/825) + - mpegts: Update the PSI/SI table only if the version change + - rtsp: Make sure we don't write too many transport entries into a fixed-size array + - rtpenc_jpeg: Handle case of picture dimensions not dividing by 8 + - mov: Fix little endian audio detection + - x86: Put COPY3_IF_LT under HAVE_6REGS (gentoo/541930) + - roqvideoenc: set enc->avctx in roq_encode_init + - mp3: Properly use AVCodecContext API + - libvpx: Fix mixed use of av_malloc() and av_reallocp() + - Revert "lavfi: always check av_expr_parse_and_eval() return value" + - alsdec: only adapt order for positive max_order + - alsdec: check sample pointer range in revert_channel_correlation + - aacpsy: correct calculation of minath in psy_3gpp_init + - alsdec: limit avctx->bits_per_raw_sample to 32 + - aasc: return correct buffer size from aasc_decode_frame + - matroskadec: fix crash when parsing invalid mkv + - avconv: do not overwrite the stream codec context for streamcopy + - webp: ensure that each transform is only used once + - h264_ps: properly check cropping parameters 
against overflow + - hevc: zero the correct variables on invalid crop parameters + - hevc: make the crop sizes unsigned + version 11.3: - utvideodec: Handle slice_height being zero (CVE-2014-9604) diff --git a/RELEASE b/RELEASE index 8bb4222390..1c7134df6c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -11.3 +11.4 From 179d850ded0f69961fbd86445da466817a7f602e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 May 2015 17:13:15 +0200 Subject: [PATCH 0541/1352] avformat/nutdec: Return error on EOF from get_str() Signed-off-by: Michael Niedermayer (cherry picked from commit 6bbb2f8f4da67af374d62403742482cc5962aa21) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 6b3e94bac7..b52d7d26c6 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -52,6 +52,8 @@ static int get_str(AVIOContext *bc, char *string, unsigned int maxlen) if (maxlen) string[FFMIN(len, maxlen - 1)] = 0; + if (bc->eof_reached) + return AVERROR_EOF; if (maxlen == len) return -1; else From b45f67b05acdbb3d5b71eb30e6cbe7fa6841334e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 May 2015 17:32:48 +0200 Subject: [PATCH 0542/1352] avformat/nutdec: Fix recovery when immedeately after seeking a failure happens Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit b3496b4a33e806b7afdcbbf6f468b0332b676d7c) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index b52d7d26c6..94dd11976a 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
@@ -1219,6 +1219,7 @@ static int read_seek(AVFormatContext *s, int stream_index, av_log(NULL, AV_LOG_DEBUG, "SEEKTO: %"PRId64"\n", pos2); pos = find_startcode(s->pb, SYNCPOINT_STARTCODE, pos2); avio_seek(s->pb, pos, SEEK_SET); + nut->last_syncpoint_pos = pos; av_log(NULL, AV_LOG_DEBUG, "SP: %"PRId64"\n", pos); if (pos2 > pos || pos2 + 15 < pos) av_log(NULL, AV_LOG_ERROR, "no syncpoint at backptr pos\n"); From 236452f83e5d4de2187a3a71e91807a7a5bbf496 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 May 2015 00:23:05 +0200 Subject: [PATCH 0543/1352] avformat/nutdec: Check X in 2nd branch of index reading Prevents read of uninitialized variable Based on patch by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ebb0ca3d70465ab6d369a66b2ef43bb059705db8) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 94dd11976a..488ae1683d 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -703,6 +703,10 @@ static int find_and_decode_index(NUTContext *nut) has_keyframe[n++] = flag; has_keyframe[n++] = !flag; } else { + if (x <= 1) { + av_log(s, AV_LOG_ERROR, "index: x %"PRIu64" is invalid\n", x); + goto fail; + } while (x != 1) { if (n >= syncpoint_count + 1) { av_log(s, AV_LOG_ERROR, "index overflow B\n"); From 936a5dd2c5c9141bcc02c4bd6749e26f1e4454b2 Mon Sep 17 00:00:00 2001 
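Review bot: In read_seek() (patch 0542) the result of find_startcode() is stored into `nut->last_syncpoint_pos` without a check, although nut_read_header() treats a negative return from the same function as "not found" (`if (pos < 0 + 1)`). On that path a negative `pos` is also handed to avio_seek(), and the only reaction visible in the hunk is the "no syncpoint at backptr pos" log line. Consider guarding the assignment, e.g. `if (pos >= 0) nut->last_syncpoint_pos = pos;`, or returning an error before the seek. The rest of read_seek() lies outside the hunk.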
From: Andreas Cadhalpun Date: Wed, 20 May 2015 00:06:05 +0200 Subject: [PATCH 0544/1352] nutdec: fix infinite resync loops nut->last_syncpoint_pos doesn't necessarily change between resync attempts, so find_any_startcode can return the same startcode again. Thus remember where the last resync happened and don't try to resync before that. This can't be done locally in nut_read_packet, because this wouldn't prevent infinite resync loops, where after the resync a packet is returned and while reading a following packet the resync happens again. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 37e679881d364b6da817d829d35869d657218ab3) Signed-off-by: Michael Niedermayer --- libavformat/nut.h | 1 + libavformat/nutdec.c | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/nut.h b/libavformat/nut.h index 943081caf6..0c678a51b9 100644 --- a/libavformat/nut.h +++ b/libavformat/nut.h @@ -102,6 +102,7 @@ typedef struct NUTContext { unsigned int max_distance; unsigned int time_base_count; int64_t last_syncpoint_pos; + int64_t last_resync_pos; int header_count; AVRational *time_base; struct AVTreeNode *syncpoints; diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 488ae1683d..3fdbd72c1c 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1129,7 +1129,8 @@ static int nut_read_packet(AVFormatContext *s, AVPacket *pkt) default: resync: av_log(s, AV_LOG_DEBUG, "syncing from %"PRId64"\n", pos); - tmp = find_any_startcode(bc, nut->last_syncpoint_pos + 1); + tmp = find_any_startcode(bc, FFMAX(nut->last_syncpoint_pos, nut->last_resync_pos) + 1); + nut->last_resync_pos = avio_tell(bc); if (tmp == 0) return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "sync\n"); @@ -1230,6 +1231,8 @@ static int read_seek(AVFormatContext *s, int stream_index, for (i = 0; i < s->nb_streams; i++) nut->stream[i].skip_until_key_frame = 1; + nut->last_resync_pos = 0; + return 0; } 
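Review bot: The new `last_resync_pos` field in NUTContext (nut.h) is added without a comment, while its meaning is subtle: nut_read_packet() sets it to avio_tell(bc) after each resync scan and read_seek() resets it to 0. I would document it at the declaration, e.g. `int64_t last_resync_pos; /* read position after the last resync scan, 0 after a seek */`. Its initial value is never assigned in these hunks, so the code presumably relies on the context being zero-allocated; worth confirming.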
From b947ff898596558c64e4b72657860ed2b57f58fd Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 20 May 2015 00:31:24 +0200 Subject: [PATCH 0545/1352] nutdec: stop skipping bytes at EOF This can unnecessarily waste a lot of time. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit fa7dec8cb00d2d0dd96ff9863ccda38428610a21) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 3fdbd72c1c..59d88db6d0 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -47,6 +47,8 @@ static int get_str(AVIOContext *bc, char *string, unsigned int maxlen) while (len > maxlen) { avio_r8(bc); len--; + if (bc->eof_reached) + len = maxlen; } if (maxlen) @@ -213,8 +215,11 @@ static int skip_reserved(AVIOContext *bc, int64_t pos) avio_seek(bc, pos, SEEK_CUR); return AVERROR_INVALIDDATA; } else { - while (pos--) + while (pos--) { + if (bc->eof_reached) + return AVERROR_INVALIDDATA; avio_r8(bc); + } return 0; } } @@ -293,8 +298,13 @@ static int decode_main_header(NUTContext *nut) if (tmp_fields > 7) tmp_head_idx = ffio_read_varlen(bc); - while (tmp_fields-- > 8) + while (tmp_fields-- > 8) { + if (bc->eof_reached) { + av_log(s, AV_LOG_ERROR, "reached EOF while decoding main header\n"); + return AVERROR_INVALIDDATA; + } ffio_read_varlen(bc); + } if (count == 0 || i + count > 256) { av_log(s, AV_LOG_ERROR, "illegal count %d at %d\n", count, i); 
@@ -995,8 +1005,13 @@ static int decode_frame_header(NUTContext *nut, int64_t *pts, int *stream_id, *header_idx = ffio_read_varlen(bc); if (flags & FLAG_RESERVED) reserved_count = ffio_read_varlen(bc); - for (i = 0; i < reserved_count; i++) + for (i = 0; i < reserved_count; i++) { + if (bc->eof_reached) { + av_log(s, AV_LOG_ERROR, "reached EOF while decoding frame header\n"); + return AVERROR_INVALIDDATA; + } ffio_read_varlen(bc); + } if (*header_idx >= (unsigned)nut->header_count) { av_log(s, AV_LOG_ERROR, "header_idx invalid\n"); From 9f99f29f23778efe04c4abdeb3f593162f0d3a0a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 20 May 2015 00:34:42 +0200 Subject: [PATCH 0546/1352] nutdec: abort if EOF is reached in decode_info_header/read_sm_data These loops can take a lot of time if count is very large. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit bb23a15df507440deb0dcf25099d321d0f73dc28) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 59d88db6d0..d56c4a5287 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -492,7 +492,7 @@ static int decode_info_header(NUTContext *nut) AVIOContext *bc = s->pb; uint64_t tmp, chapter_start, chapter_len; unsigned int stream_id_plus1, count; - int chapter_id, i; + int chapter_id, i, ret; int64_t value, end; char name[256], str_value[1024], type_str[256]; const char *type; @@ -534,7 +534,11 @@ static int decode_info_header(NUTContext *nut) } for (i = 0; i < count; i++) { - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while decoding info header\n"); + return ret; + } value = get_s(bc); if (value == -1) { type = "UTF-8"; 
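Review bot: In decode_info_header() (patch 0546) only the get_str() call that fills `name` is checked. The function also declares `str_value` and `type_str`; if those are filled by further get_str() calls later in the loop, which is outside this hunk, they need the same `if (ret < 0)` test, otherwise values from a truncated read can still be used before the next checked call notices the EOF. The same question applies to the read_sm_data() hunk of this patch.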
@@ -855,14 +859,18 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int int sample_rate = 0; int width = 0; int height = 0; - int i; + int i, ret; for (i=0; i= maxpos) return AVERROR_INVALIDDATA; - get_str(bc, name, sizeof(name)); + ret = get_str(bc, name, sizeof(name)); + if (ret < 0) { + av_log(s, AV_LOG_ERROR, "get_str failed while reading sm data\n"); + return ret; + } value = get_s(bc); if (value == -1) { From a39a2978d5a58faac38d0e6cce824d924b3dcd92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 May 2015 12:03:38 +0200 Subject: [PATCH 0547/1352] avformat/wavdec: Increase probe_packets limit Fixes DTS detection of b2429e5ba9.dts Signed-off-by: Michael Niedermayer (cherry picked from commit 9f5769437aaab30a359cde254f39d9a28b1ce657) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 9c4e2dfa14..763e2e4926 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -114,7 +114,7 @@ static void handle_stream_probing(AVStream *st) { if (st->codec->codec_id == AV_CODEC_ID_PCM_S16LE) { st->request_probe = AVPROBE_SCORE_EXTENSION; - st->probe_packets = FFMIN(st->probe_packets, 14); + st->probe_packets = FFMIN(st->probe_packets, 20); } } From 6d3f0fe24d20cf1453b67d8a01d22fd7444a36ef Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Sat, 23 May 2015 14:07:14 +0200 Subject: [PATCH 0548/1352] avformat/wavdec: Increase dts packet threshold to fix more misdetections Signed-off-by: Michael Niedermayer (cherry picked from commit 40a3e1e9c54997e4dfc7802b5a758b68ceb64982) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 763e2e4926..66fd7664f7 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c 
@@ -114,7 +114,7 @@ static void handle_stream_probing(AVStream *st) { if (st->codec->codec_id == AV_CODEC_ID_PCM_S16LE) { st->request_probe = AVPROBE_SCORE_EXTENSION; - st->probe_packets = FFMIN(st->probe_packets, 20); + st->probe_packets = FFMIN(st->probe_packets, 32); } } From e03fa4b88daf97eec4d37b665a753fbee6760546 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 04:53:09 +0200 Subject: [PATCH 0549/1352] avcodec/put_bits: Update size_in_bits in set_put_bits_buffer_size() Signed-off-by: Michael Niedermayer (cherry picked from commit e4c2ec879b1121c02279cd60a54643da0d249e40) Signed-off-by: Michael Niedermayer --- libavcodec/put_bits.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 8081fb9ea5..fff08f675d 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -235,6 +235,7 @@ static inline void skip_put_bits(PutBitContext *s, int n) static inline void set_put_bits_buffer_size(PutBitContext *s, int size) { s->buf_end = s->buf + size; + s->size_in_bits = 8*size; } #endif /* AVCODEC_PUT_BITS_H */ From b56de5859e60f5b5c41c37923221d2da04b3e3be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 04:54:41 +0200 Subject: [PATCH 0550/1352] avcodec/mpegvideo_enc: Update the buffer size as more slices are merged Signed-off-by: Michael Niedermayer (cherry picked from commit 561d3a57aaa95c7e8e65e96b36dd069100603650) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 6b17855da6..8e56730a45 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
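Review bot: In set_put_bits_buffer_size() (put_bits.h, patch 0549) `8*size` is an int multiplication, so a `size` above INT_MAX/8 overflows the product before it is stored. The caller added in patch 0550 clamps its argument to `INT_MAX/8-32`, but the helper itself accepts any int. An assertion in the helper would make the contract explicit: `av_assert0(size <= INT_MAX/8 - 32);`.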
@@ -3684,6 +3684,8 @@ static int encode_picture(MpegEncContext *s, int picture_number) } s->avctx->execute(s->avctx, encode_thread, &s->thread_context[0], NULL, context_count, sizeof(void*)); for(i=1; ipb.buf_end == s->thread_context[i]->pb.buf) + set_put_bits_buffer_size(&s->pb, FFMIN(s->thread_context[i]->pb.buf_end - s->pb.buf, INT_MAX/8-32)); merge_context_after_encode(s, s->thread_context[i]); } emms_c(); From 5b5002279d5dc85c90c302c540a5cdd53ac31f64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 03:45:38 +0200 Subject: [PATCH 0551/1352] avcodec/put_bits: Assert that there is enough space left in skip_put_bytes() Signed-off-by: Michael Niedermayer (cherry picked from commit 8f5ffed183e099128a732a00976f69fdc641d093) Signed-off-by: Michael Niedermayer --- libavcodec/put_bits.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index fff08f675d..c07f19595a 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -212,6 +212,7 @@ static inline void skip_put_bytes(PutBitContext *s, int n) { av_assert2((put_bits_count(s) & 7) == 0); av_assert2(s->bit_left == 32); + av_assert0(n <= s->buf_end - s->buf_ptr); s->buf_ptr += n; } From 796cc5a5eb58c0dc307813ebfda453636685dad2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 03:48:45 +0200 Subject: [PATCH 0552/1352] avcodec/bitstream: Assert that there is enough space left in avpriv_copy_bits() Signed-off-by: Michael Niedermayer (cherry picked from commit 291ad5cc9cf815eb110b062487980fab2d107936) Signed-off-by: Michael Niedermayer --- libavcodec/bitstream.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index d041643eff..2e102df71b 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c 
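Review bot: In skip_put_bytes() (patch 0551) the new assertion bounds `n` only from above; `n` is a signed int, so a negative value passes the check and `s->buf_ptr += n` moves the write pointer backwards. If negative skips are never intended, fold that into the same assertion: `av_assert0(n >= 0 && n <= s->buf_end - s->buf_ptr);`.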
@@ -69,6 +69,8 @@ void avpriv_copy_bits(PutBitContext *pb, const uint8_t *src, int length) if (length == 0) return; + av_assert0(length <= put_bits_left(pb)); + if (CONFIG_SMALL || words < 16 || put_bits_count(pb) & 7) { for (i = 0; i < words; i++) put_bits(pb, 16, AV_RB16(src + 2 * i)); From 8c8a9a20cf225165605ec812263b47f4997923e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 12:13:53 +0200 Subject: [PATCH 0553/1352] ffmpeg_opt: Set the video VBV parameters only for the video stream from -target Signed-off-by: Michael Niedermayer (cherry picked from commit 2ce6e419113f8276f417a9a8b50122c5467d9bc5) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 239a030031..855a08af40 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2224,9 +2224,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "g", norm == PAL ? "15" : "18"); opt_default(NULL, "b:v", "1150000"); - opt_default(NULL, "maxrate", "1150000"); - opt_default(NULL, "minrate", "1150000"); - opt_default(NULL, "bufsize", "327680"); // 40*1024*8; + opt_default(NULL, "maxrate:v", "1150000"); + opt_default(NULL, "minrate:v", "1150000"); + opt_default(NULL, "bufsize:v", "327680"); // 40*1024*8; opt_default(NULL, "b:a", "224000"); parse_option(o, "ar", "44100", options); @@ -2253,9 +2253,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "g", norm == PAL ? "15" : "18"); opt_default(NULL, "b:v", "2040000"); - opt_default(NULL, "maxrate", "2516000"); - opt_default(NULL, "minrate", "0"); // 1145000; - opt_default(NULL, "bufsize", "1835008"); // 224*1024*8; + opt_default(NULL, "maxrate:v", "2516000"); + opt_default(NULL, "minrate:v", "0"); // 1145000; + opt_default(NULL, "bufsize:v", "1835008"); // 224*1024*8; opt_default(NULL, "scan_offset", "1"); opt_default(NULL, "b:a", "224000"); 
@@ -2275,9 +2275,9 @@ static int opt_target(void *optctx, const char *opt, const char *arg) opt_default(NULL, "g", norm == PAL ? "15" : "18"); opt_default(NULL, "b:v", "6000000"); - opt_default(NULL, "maxrate", "9000000"); - opt_default(NULL, "minrate", "0"); // 1500000; - opt_default(NULL, "bufsize", "1835008"); // 224*1024*8; + opt_default(NULL, "maxrate:v", "9000000"); + opt_default(NULL, "minrate:v", "0"); // 1500000; + opt_default(NULL, "bufsize:v", "1835008"); // 224*1024*8; opt_default(NULL, "packetsize", "2048"); // from www.mpucoder.com: DVD sectors contain 2048 bytes of data, this is also the size of one pack. opt_default(NULL, "muxrate", "10080000"); // from mplex project: data_rate = 1260000. mux_rate = data_rate * 8 From f61ebd555dcbf120372bf94392513d1f3e65b1e8 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 6 May 2015 15:34:53 +0200 Subject: [PATCH 0554/1352] diracdec: check that block length is valid In init_planes p->xblen and p->yblen are set to: p->xblen = s->plane[0].xblen >> s->chroma_x_shift; p->yblen = s->plane[0].yblen >> s->chroma_y_shift; These are later used as block_w and block_h arguments of s->vdsp.emulated_edge_mc. If one of them is 0 it triggers an av_assert2 in emulated_edge_mc: av_assert2(start_x < end_x && block_w > 0); av_assert2(start_y < end_y && block_h > 0); Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 75fc81c8318505aa7946e05a9bee08d47241fc66) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index aa8e2b0db9..5f3cc9eeb5 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
@@ -896,6 +896,14 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) /*[DIRAC_STD] 11.2.4 motion_data_dimensions() Calculated in function dirac_unpack_block_motion_data */ + if (s->plane[0].xblen % (1 << s->chroma_x_shift) != 0 || + s->plane[0].yblen % (1 << s->chroma_y_shift) != 0 || + !s->plane[0].xblen || !s->plane[0].yblen) { + av_log(s->avctx, AV_LOG_ERROR, + "invalid x/y block length (%d/%d) for x/y chroma shift (%d/%d)\n", + s->plane[0].xblen, s->plane[0].yblen, s->chroma_x_shift, s->chroma_y_shift); + return AVERROR_INVALIDDATA; + } if (!s->plane[0].xbsep || !s->plane[0].ybsep || s->plane[0].xbsep < s->plane[0].xblen/2 || s->plane[0].ybsep < s->plane[0].yblen/2) { av_log(s->avctx, AV_LOG_ERROR, "Block separation too small\n"); return -1; From 17fd68e9d71ca53b78b1d55dcd0d3fe814b355c9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 22 Apr 2015 15:23:24 +0200 Subject: [PATCH 0555/1352] aacsbr: break infinite loop in sbr_hf_calc_npatches Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 584cc1ade10a3297ef9c107ef3a2081c04024156) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 45dd92fe0a..2a03b3236c 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -514,7 +514,7 @@ static int sbr_make_f_master(AACContext *ac, SpectralBandReplication *sbr, /// High Frequency Generation - Patch Construction (14496-3 sp04 p216 fig. 4.46) static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) { - int i, k, sb = 0; + int i, k, last_k = -1, last_msb = -1, sb = 0; int msb = sbr->k[0]; int usb = sbr->kx[1]; int goal_sb = ((1000 << 11) + (sbr->sample_rate >> 1)) / sbr->sample_rate; 
@@ -528,6 +528,12 @@ static int sbr_hf_calc_npatches(AACContext *ac, SpectralBandReplication *sbr) do { int odd = 0; + if (k == last_k && msb == last_msb) { + av_log(ac->avctx, AV_LOG_ERROR, "patch construction failed\n"); + return AVERROR_INVALIDDATA; + } + last_k = k; + last_msb = msb; for (i = k; i == k || sb > (sbr->k[0] - 1 + msb - odd); i--) { sb = sbr->f_master[i]; odd = (sb + sbr->k[0]) & 1; From e75393c65943e3c9b5b637be2bb7552db4c78ca0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2015 16:06:50 +0200 Subject: [PATCH 0556/1352] libavutil/mem: use size_t for the length in av_strdup() the string length is not constrained to INT_MAX Signed-off-by: Michael Niedermayer (cherry picked from commit 4950bd4ebedbb6289734234bb2a719820f565c41) Signed-off-by: Michael Niedermayer --- libavutil/mem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mem.c b/libavutil/mem.c index 35a82e8a2d..9dc1ac7a49 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -259,7 +259,7 @@ char *av_strdup(const char *s) { char *ptr = NULL; if (s) { - int len = strlen(s) + 1; + size_t len = strlen(s) + 1; ptr = av_realloc(NULL, len); if (ptr) memcpy(ptr, s, len); From 618c7a91eefe1b54635118e38390ba8432f25d11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2015 16:09:07 +0200 Subject: [PATCH 0557/1352] avutil/dict: Use size_t for appending strings the string length is not constrained to INT_MAX Signed-off-by: Michael Niedermayer (cherry picked from commit 4c128ea1629116fc4936edc5f96bbd18f3ef1647) Conflicts: libavutil/dict.c --- libavutil/dict.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/dict.c b/libavutil/dict.c index 475e906350..76fa0032ee 100644 --- a/libavutil/dict.c +++ b/libavutil/dict.c 
@@ -102,7 +102,7 @@ int av_dict_set(AVDictionary **pm, const char *key, const char *value, if (flags & AV_DICT_DONT_STRDUP_VAL) { m->elems[m->count].value = (char*)(intptr_t)value; } else if (oldval && flags & AV_DICT_APPEND) { - int len = strlen(oldval) + strlen(value) + 1; + size_t len = strlen(oldval) + strlen(value) + 1; char *newval = av_mallocz(len); if (!newval) goto err_out; From 27a0dab9140f569efc06c05cbe5a7b6bb9d8ef6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 15:23:51 +0200 Subject: [PATCH 0558/1352] avformat/vorbiscomment: Check entry length in ff_vorbiscomment_write() Signed-off-by: Michael Niedermayer (cherry picked from commit eca38864a6ce5053e463b8d3fc22b22bc9a49578) Signed-off-by: Michael Niedermayer --- libavformat/vorbiscomment.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/vorbiscomment.c b/libavformat/vorbiscomment.c index cc9b6620ef..e953d83d65 100644 --- a/libavformat/vorbiscomment.c +++ b/libavformat/vorbiscomment.c @@ -61,8 +61,10 @@ int ff_vorbiscomment_write(uint8_t **p, AVDictionary **m, AVDictionaryEntry *tag = NULL; bytestream_put_le32(p, count); while ((tag = av_dict_get(*m, "", tag, AV_DICT_IGNORE_SUFFIX))) { - unsigned int len1 = strlen(tag->key); - unsigned int len2 = strlen(tag->value); + int64_t len1 = strlen(tag->key); + int64_t len2 = strlen(tag->value); + if (len1+1+len2 > UINT32_MAX) + return AVERROR(EINVAL); bytestream_put_le32(p, len1+1+len2); bytestream_put_buffer(p, tag->key, len1); bytestream_put_byte(p, '='); From 8c6bbc6728d8ddb57c059a2a5bb011a346706c6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 20:01:15 +0200 Subject: [PATCH 0559/1352] avutil/avstring: Use size_t in av_strlcatf() Signed-off-by: Michael Niedermayer (cherry picked from commit ae4eea8be45a0b212fd57ceaac1f11089ab81d98) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
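Review bot: In ff_vorbiscomment_write() (patch 0558) the new `len1+1+len2 > UINT32_MAX` test protects only the 32-bit length field; the function receives no destination size, so the writes through `p` are bounded solely by what the caller allocated. That allocation comes from ff_vorbiscomment_length(), whose return type is not visible here; if it is narrower than the `int64_t` used in this hunk, a long tag could still make the computed size wrap before the buffer is allocated. By the time the new `return AVERROR(EINVAL)` is reached the count and any earlier entries have already been written, so callers must discard the buffer on error. The function body continues outside the hunk.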
diff --git a/libavutil/avstring.c b/libavutil/avstring.c index fd010e407c..3243aaa590 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -100,7 +100,7 @@ size_t av_strlcat(char *dst, const char *src, size_t size) size_t av_strlcatf(char *dst, size_t size, const char *fmt, ...) { - int len = strlen(dst); + size_t len = strlen(dst); va_list vl; va_start(vl, fmt); From 2c50cc497dd7d91e5ae763e3fcbd8e7892f1e5ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 03:50:01 +0200 Subject: [PATCH 0560/1352] avformat/url: Use size_t for len from strlen() Signed-off-by: Michael Niedermayer (cherry picked from commit 95efc651294b3cf3e5ec4b3ed36e79d7261545ff) Signed-off-by: Michael Niedermayer --- libavformat/url.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/url.c b/libavformat/url.c index acfb0cf2f0..5dd28a253d 100644 --- a/libavformat/url.c +++ b/libavformat/url.c @@ -68,7 +68,7 @@ int ff_url_join(char *str, int size, const char *proto, av_strlcatf(str, size, ":%d", port); if (fmt) { va_list vl; - int len = strlen(str); + size_t len = strlen(str); va_start(vl, fmt); vsnprintf(str + len, size > len ? size - len : 0, fmt, vl); From 81941153aba04465ee3be5e43afbc2d917882036 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2015 15:38:40 +0200 Subject: [PATCH 0561/1352] avformat/subtitles: Use size_t for len MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit string length could theoretically be larger than int Reviewed-by: Clément Bœsch Signed-off-by: Michael Niedermayer (cherry picked from commit a633928d47057426a9c328da594407d1c7da8a5c) Signed-off-by: Michael Niedermayer --- libavformat/subtitles.c | 4 ++-- libavformat/subtitles.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 95faca6e48..517907d832 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c 
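Review bot: In ff_url_join() (patch 0560) `len` is now size_t while the `size` parameter is still int, so `size > len` and `size - len` in the vsnprintf() call on the following line are evaluated as unsigned. With the old int `len` a zero or negative `size` selected the 0 branch; after this change a negative `size` converts to a huge value and passes a very large bound to vsnprintf(). Callers may never pass a negative size, but the expression can be made independent of that: `size > 0 && (size_t)size > len ? size - len : 0`.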
@@ -106,7 +106,7 @@ int ff_text_peek_r8(FFTextReader *r) } AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, - const uint8_t *event, int len, int merge) + const uint8_t *event, size_t len, int merge) { AVPacket *subs, *sub; @@ -300,7 +300,7 @@ int ff_smil_extract_next_text_chunk(FFTextReader *tr, AVBPrint *buf, char *c) const char *ff_smil_get_attr_ptr(const char *s, const char *attr) { int in_quotes = 0; - const int len = strlen(attr); + const size_t len = strlen(attr); while (*s) { while (*s) { diff --git a/libavformat/subtitles.h b/libavformat/subtitles.h index 903c24d9df..d400496f9f 100644 --- a/libavformat/subtitles.h +++ b/libavformat/subtitles.h @@ -114,7 +114,7 @@ typedef struct { * previous one instead of adding a new entry, 0 otherwise */ AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, - const uint8_t *event, int len, int merge); + const uint8_t *event, size_t len, int merge); /** * Set missing durations and sort subtitles by PTS, and then byte position. From 02fe112c7c00283bcd4f4edbfe4a09d3cf60def1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 15:30:32 +0200 Subject: [PATCH 0562/1352] avformat/flacenc: Check length in flac_write_block_comment() Signed-off-by: Michael Niedermayer (cherry picked from commit 40a7700b82aec0036622f8673ce64e070a520891) Signed-off-by: Michael Niedermayer --- libavformat/flacenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c index b3695a27ba..83fc4c21f4 100644 --- a/libavformat/flacenc.c +++ b/libavformat/flacenc.c 
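Review bot: Widening `len` to size_t in ff_subtitles_queue_insert() (subtitles.c and subtitles.h) removes the truncation at the call boundary but moves the range question into the body, which is outside the hunk. If `len` is passed on to a packet API that takes an int size, it should be range-checked first, e.g. `if (len > INT_MAX) return NULL;`, otherwise the narrowing just happens one call later.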
@@ -50,12 +50,14 @@ static int flac_write_block_comment(AVIOContext *pb, AVDictionary **m, int last_block, int bitexact) { const char *vendor = bitexact ? "ffmpeg" : LIBAVFORMAT_IDENT; - unsigned int len; + int64_t len; uint8_t *p, *p0; ff_metadata_conv(m, ff_vorbiscomment_metadata_conv, NULL); len = ff_vorbiscomment_length(*m, vendor); + if (len >= ((1<<24) - 4)) + return AVERROR(EINVAL); p0 = av_malloc(len+4); if (!p0) return AVERROR(ENOMEM); From 9193fd9ddfa44b282a9d18fdd3f934176254f0b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 15:34:28 +0200 Subject: [PATCH 0563/1352] avformat/oggenc: Check ff_vorbiscomment_length in ogg_write_vorbiscomment() Signed-off-by: Michael Niedermayer (cherry picked from commit 0db5b2b9f8a96298eeba7988d43c4eb44220fab3) Signed-off-by: Michael Niedermayer --- libavformat/oggenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/oggenc.c b/libavformat/oggenc.c index 4a54126f8f..bfa9a25edc 100644 --- a/libavformat/oggenc.c +++ b/libavformat/oggenc.c @@ -279,16 +279,18 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, return 0; } -static uint8_t *ogg_write_vorbiscomment(int offset, int bitexact, +static uint8_t *ogg_write_vorbiscomment(int64_t offset, int bitexact, int *header_len, AVDictionary **m, int framing_bit) { const char *vendor = bitexact ? "ffmpeg" : LIBAVFORMAT_IDENT; - int size; + int64_t size; uint8_t *p, *p0; ff_metadata_conv(m, ff_vorbiscomment_metadata_conv, NULL); size = offset + ff_vorbiscomment_length(*m, vendor) + framing_bit; + if (size > INT_MAX) + return NULL; p = av_mallocz(size); if (!p) return NULL; From c0ca9773a7024911fd50d6e3d66cbfa68a95ecc5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2015 15:37:38 +0200 Subject: [PATCH 0564/1352] avformat/matroskaenc: Check ff_vorbiscomment_length in put_flac_codecpriv() Its currently guaranteed to be smaller but its safer to check anyway 
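Review bot: The bound `(1<<24) - 4` added to `flac_write_block_comment` is unexplained, and the same literal reappears in the matroskaenc `put_flac_codecpriv` check later in this series. A one-line comment tying it to the size field it protects (presumably the 24-bit block length written further down, outside this hunk), or a shared named constant, would let a reader verify the limit. The check also has no lower bound, so a negative result from `ff_vorbiscomment_length` would still reach `av_malloc(len+4)`; whether that can happen is not visible here, since its return type is outside the hunk.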
Signed-off-by: Michael Niedermayer (cherry picked from commit 66f26b3e8ec075298e7ba329a55893d085bafe96) Signed-off-by: Michael Niedermayer --- libavformat/matroskaenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index e6230f95c7..395df0f413 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -543,12 +543,15 @@ static int put_flac_codecpriv(AVFormatContext *s, "Lavf" : LIBAVFORMAT_IDENT; AVDictionary *dict = NULL; uint8_t buf[32], *data, *p; - int len; + int64_t len; snprintf(buf, sizeof(buf), "0x%"PRIx64, codec->channel_layout); av_dict_set(&dict, "WAVEFORMATEXTENSIBLE_CHANNEL_MASK", buf, 0); len = ff_vorbiscomment_length(dict, vendor); + if (len >= ((1<<24) - 4)) + return AVERROR(EINVAL); + data = av_malloc(len + 4); if (!data) { av_dict_free(&dict); From bec4b3c856e1399de3046ec2a0e0cef642188b6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 03:59:30 +0200 Subject: [PATCH 0565/1352] tools/graph2dot: use larger data types than int for array/string sizes Signed-off-by: Michael Niedermayer (cherry picked from commit acf4925f444636a828534ab47d0f86c21a7a9b4e) Signed-off-by: Michael Niedermayer --- tools/graph2dot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/graph2dot.c b/tools/graph2dot.c index 964322d080..868c62f0d8 100644 --- a/tools/graph2dot.c +++ b/tools/graph2dot.c @@ -153,7 +153,7 @@ int main(int argc, char **argv) /* read from infile and put it in a buffer */ { - unsigned int count = 0; + int64_t count = 0; struct line *line, *last_line, *first_line; char *p; last_line = first_line = av_malloc(sizeof(struct line)); @@ -169,7 +169,7 @@ int main(int argc, char **argv) graph_string = av_malloc(count + 1); p = graph_string; for (line = first_line; line->next; line = line->next) { - unsigned int l = strlen(line->data); + size_t l = strlen(line->data); memcpy(p, line->data, l); p += l; } 
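Review bot: The new early return in `put_flac_codecpriv` leaks `dict`. `av_dict_set(&dict, ...)` has already populated it two lines earlier, and the `av_malloc` failure path directly below frees it with `av_dict_free(&dict)` before returning. The length check should do the same: `if (len >= ((1<<24) - 4)) { av_dict_free(&dict); return AVERROR(EINVAL); }`. The function continues outside the hunk.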
From 18e83992f20e31d71b0bf87f2deb4e95e3abc333 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 18:03:55 +0200 Subject: [PATCH 0566/1352] avformat/rtpdec_xiph: Check upper bound on len in xiph_handle_packet() Larger packets are not supported and would cause problems later Signed-off-by: Michael Niedermayer (cherry picked from commit aa5169935e160551fb1c290d1397da2f04325817) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_xiph.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_xiph.c b/libavformat/rtpdec_xiph.c index dc34f9e224..da9a1e2c22 100644 --- a/libavformat/rtpdec_xiph.c +++ b/libavformat/rtpdec_xiph.c @@ -112,7 +112,7 @@ static int xiph_handle_packet(AVFormatContext *ctx, PayloadContext *data, return data->split_pkts > 0; } - if (len < 6) { + if (len < 6 || len > INT_MAX/2) { av_log(ctx, AV_LOG_ERROR, "Invalid %d byte packet\n", len); return AVERROR_INVALIDDATA; } From fbd9ab5967f6163d6e31c40934f86164b7b0f88c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 17:55:40 +0200 Subject: [PATCH 0567/1352] avformat/rtpenc_jpeg: Check remaining buffer size for SOS Fixes CID1238818 Signed-off-by: Michael Niedermayer (cherry picked from commit 81198a68370e88f7d02f16de58db36713c2a50b6) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_jpeg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/rtpenc_jpeg.c b/libavformat/rtpenc_jpeg.c index c4f7b5e7d2..be7ba6190f 100644 --- a/libavformat/rtpenc_jpeg.c +++ b/libavformat/rtpenc_jpeg.c @@ -84,6 +84,11 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) } else if (buf[i + 1] == SOS) { /* SOS is last marker in the header */ i += AV_RB16(&buf[i + 2]) + 2; + if (i > size) { + av_log(s1, AV_LOG_ERROR, + "Insufficient data. Aborted!\n"); + return; + } break; } } From 7c4e3ddda17929516325c3816eb259cc4c70ebe1 Mon Sep 17 00:00:00 2001 
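Review bot: In `ff_rtp_send_jpeg`, the added `i > size` test runs only after `AV_RB16(&buf[i + 2])` has already read the two bytes at `i + 2` and `i + 3`, so it guards the later use of `i` but not the read of the SOS length itself. Whether that read is in bounds depends on the loop condition, which is outside the hunk. If the loop only guarantees `i < size`, a truncated header needs a guard such as `if (i + 4 > size)` before the `AV_RB16`. Because the function is `void`, the caller cannot tell that the frame was dropped; the log line is the only signal.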
From: Michael Niedermayer Date: Tue, 12 May 2015 18:20:23 +0200 Subject: [PATCH 0568/1352] avformat/nutdec: Fix use of uinitialized value Fixes CID1041175 Signed-off-by: Michael Niedermayer (cherry picked from commit 56abf35151c635caa3eb04bbb90454bae5463a09) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index d56c4a5287..6fff2bb132 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -540,6 +540,8 @@ static int decode_info_header(NUTContext *nut) return ret; } value = get_s(bc); + str_value[0] = 0; + if (value == -1) { type = "UTF-8"; get_str(bc, str_value, sizeof(str_value)); From 3bd85e1f834dff4a12afea3d9debc4f42148b825 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 18:32:12 +0200 Subject: [PATCH 0569/1352] avformat/matroskadec: Cleanup error handling for bz2 & zlib Fixes CID703652 Signed-off-by: Michael Niedermayer (cherry picked from commit 171af59d58fc67d82dce8ff7ed11fa671108baa5) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 83f3046026..699c272fc0 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1216,15 +1216,13 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, newpktdata = av_realloc(pkt_data, pkt_size); if (!newpktdata) { inflateEnd(&zstream); + result = AVERROR(ENOMEM); goto failed; } pkt_data = newpktdata; zstream.avail_out = pkt_size - zstream.total_out; zstream.next_out = pkt_data + zstream.total_out; - if (pkt_data) { - result = inflate(&zstream, Z_NO_FLUSH); - } else - result = Z_MEM_ERROR; + result = inflate(&zstream, Z_NO_FLUSH); } while (result == Z_OK && pkt_size < 10000000); pkt_size = zstream.total_out; inflateEnd(&zstream); 
@@ -1251,15 +1249,13 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, newpktdata = av_realloc(pkt_data, pkt_size); if (!newpktdata) { BZ2_bzDecompressEnd(&bzstream); + result = AVERROR(ENOMEM); goto failed; } pkt_data = newpktdata; bzstream.avail_out = pkt_size - bzstream.total_out_lo32; bzstream.next_out = pkt_data + bzstream.total_out_lo32; - if (pkt_data) { - result = BZ2_bzDecompress(&bzstream); - } else - result = BZ_MEM_ERROR; + result = BZ2_bzDecompress(&bzstream); } while (result == BZ_OK && pkt_size < 10000000); pkt_size = bzstream.total_out_lo32; BZ2_bzDecompressEnd(&bzstream); From ce3bb011197dfa6d3b8d8a65b7cc6a8f079e82ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 19:09:06 +0200 Subject: [PATCH 0570/1352] avformat/hevc: Check cpb_cnt_minus1 Fixes CID1239014 Signed-off-by: Michael Niedermayer (cherry picked from commit 2cddc0b19a20dd061dbf199bf88005b37c540d2f) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 45b00c45bc..8ef3c1f986 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -189,7 +189,7 @@ static void skip_sub_layer_hrd_parameters(GetBitContext *gb, } } -static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, +static int skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, unsigned int max_sub_layers_minus1) { unsigned int i; @@ -246,8 +246,11 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, else low_delay_hrd_flag = get_bits1(gb); - if (!low_delay_hrd_flag) + if (!low_delay_hrd_flag) { cpb_cnt_minus1 = get_ue_golomb_long(gb); + if (cpb_cnt_minus1 > 31) + return AVERROR_INVALIDDATA; + } if (nal_hrd_parameters_present_flag) skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1, 
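Review bot: `skip_hrd_parameters` in libavformat/hevc.c now returns `AVERROR_INVALIDDATA` when `cpb_cnt_minus1 > 31`, but no call site is changed in this commit. The three hunks shown account for all 7 insertions and 2 deletions in the diffstat, so the error appears to be discarded and parsing would continue with the bit reader at an arbitrary position. Each caller should propagate it, along the lines of `ret = skip_hrd_parameters(gb, ...); if (ret < 0) return ret;`. The call sites are outside the visible hunks, so this needs confirming there.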
@@ -257,6 +260,8 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag, skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1, sub_pic_hrd_params_present_flag); } + + return 0; } static void skip_timing_info(GetBitContext *gb) From f30ab69b38324d156f0511c2c59a4f0d232c2b88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 19:28:15 +0200 Subject: [PATCH 0571/1352] avformat/hevc: Check num_negative_pics and num_positive_pics Fixes CID1238994 Signed-off-by: Michael Niedermayer (cherry picked from commit b62b3292d8e25d3240e462c1b1cd8ac69195c46b) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 8ef3c1f986..c92e9eb118 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -462,6 +462,9 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx, unsigned int num_negative_pics = get_ue_golomb_long(gb); unsigned int num_positive_pics = get_ue_golomb_long(gb); + if ((num_positive_pics + (uint64_t)num_negative_pics) * 2 > get_bits_left(gb)) + return AVERROR_INVALIDDATA; + num_delta_pocs[rps_idx] = num_negative_pics + num_positive_pics; for (i = 0; i < num_negative_pics; i++) { From de648a11d8688ff4b0d02cf7e78bea870a5ea903 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 12 May 2015 20:27:21 +0200 Subject: [PATCH 0572/1352] aacdec: don't return frames without data Since commit 676a395a aac->frame->data is not necessarily allocated at the end of aac_decode_frame_int if avctx->channels is 0. In this case a bogus frame without any data, but non-zero nb_samples is returned. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit ec38a1ba404b8cb8d71ccee2b8dcd6f3fcbde273) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index e92f1a1d9c..4a8c2431b1 100644 
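Review bot: In `parse_rps`, the new bound compares a `uint64_t` expression with `get_bits_left(gb)`, which returns a signed `int`. If the reader has already run past the end of the buffer, the negative result is converted to a very large unsigned value and the check passes. Testing the sign first closes that gap: `int left = get_bits_left(gb);` followed by `if (left < 0 || (num_positive_pics + (uint64_t)num_negative_pics) * 2 > left)`. The 32-bit sum stored in `num_delta_pocs[rps_idx]` on the next line cannot wrap only once this check has held.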
--- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -3021,6 +3021,12 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, AV_WL32(side, 2*AV_RL32(side)); } + if (!ac->frame->data[0] && samples) { + av_log(avctx, AV_LOG_ERROR, "no frame data found\n"); + err = AVERROR_INVALIDDATA; + goto fail; + } + *got_frame_ptr = !!samples; if (samples) { ac->frame->nb_samples = samples; From 96de4bbf38c29e35c7175fc2d23fc9aa1bec8952 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 00:41:38 +0200 Subject: [PATCH 0573/1352] avcodec/vqavideo: Check chunk size Fixes CID1239154 Signed-off-by: Michael Niedermayer (cherry picked from commit 8a62b80ce6c8e87e7937f9a5d68f83882c1c8da2) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 4dcebd4849..bf55571fe9 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -231,6 +231,12 @@ static int decode_format80(VqaContext *s, int src_size, unsigned char color; int i; + if (src_size < 0 || src_size > bytestream2_get_bytes_left(&s->gb)) { + av_log(s->avctx, AV_LOG_ERROR, "Chunk size %d is out of range\n", + src_size); + return AVERROR_INVALIDDATA; + } + start = bytestream2_tell(&s->gb); while (bytestream2_tell(&s->gb) - start < src_size) { opcode = bytestream2_get_byte(&s->gb); From 959423e8d7afec74aad92d3927b6ce6006b7b82e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 01:31:15 +0200 Subject: [PATCH 0574/1352] avcodec/hevc_sei: Check num_sps_ids_minus1 value Fixes CID1271794 Signed-off-by: Michael Niedermayer (cherry picked from commit 93b0ee21a2f534f6d3b812686f3acde110e94f18) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 5bb5c9010a..13ebcd3ede 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c 
@@ -126,6 +126,11 @@ static int active_parameter_sets(HEVCContext *s) get_bits(gb, 1); // num_sps_ids_minus1 num_sps_ids_minus1 = get_ue_golomb_long(gb); // num_sps_ids_minus1 + if (num_sps_ids_minus1 < 0 || num_sps_ids_minus1 > 15) { + av_log(s->avctx, AV_LOG_ERROR, "num_sps_ids_minus1 %d invalid\n", num_sps_ids_minus1); + return AVERROR_INVALIDDATA; + } + active_seq_parameter_set_id = get_ue_golomb_long(gb); if (active_seq_parameter_set_id >= MAX_SPS_COUNT) { av_log(s->avctx, AV_LOG_ERROR, "active_parameter_set_id %d invalid\n", active_seq_parameter_set_id); From 7bda5b378d0a1d4988993e70ea390fc200e2ab06 Mon Sep 17 00:00:00 2001 From: Nick Lewycky Date: Tue, 12 May 2015 18:07:57 -0700 Subject: [PATCH 0575/1352] libswscale/x86/hscale_fast_bilinear_simd.c: Include BX in the clobber list on x86_64, because it isn't implicitly included when PIC is on. Signed-off-by: Michael Niedermayer (cherry picked from commit 48e9f68384a2af257b9ca7633bf14f0c2748edc6) Signed-off-by: Michael Niedermayer --- libswscale/x86/hscale_fast_bilinear_simd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/x86/hscale_fast_bilinear_simd.c b/libswscale/x86/hscale_fast_bilinear_simd.c index 103793d27a..7887b6b651 100644 --- a/libswscale/x86/hscale_fast_bilinear_simd.c +++ b/libswscale/x86/hscale_fast_bilinear_simd.c @@ -277,7 +277,7 @@ void ff_hyscale_fast_mmxext(SwsContext *c, int16_t *dst, ,"m"(retsave) #endif : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D -#if !defined(PIC) +#if ARCH_X86_64 || !defined(PIC) ,"%"REG_b #endif ); @@ -361,7 +361,7 @@ void ff_hcscale_fast_mmxext(SwsContext *c, int16_t *dst1, int16_t *dst2, ,"m"(retsave) #endif : "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D -#if !defined(PIC) +#if ARCH_X86_64 || !defined(PIC) ,"%"REG_b #endif ); From f1b0d65237532d603efc6a8a10aa1b1e6e75f3a3 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 13 May 2015 13:13:07 +0200 Subject: [PATCH 0576/1352] avcodec/hevc: Check offset_len Fixes CID1239099 part 1 Signed-off-by: Michael Niedermayer (cherry picked from commit 3e9d5e16ad9799f6b6faae4f21120d23146b84c9) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 4551bd445c..8c6b1b55f7 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -679,6 +679,13 @@ static int hls_slice_header(HEVCContext *s) int offset_len = get_ue_golomb_long(gb) + 1; int segments = offset_len >> 4; int rest = (offset_len & 15); + + if (offset_len < 1 || offset_len > 32) { + sh->num_entry_point_offsets = 0; + av_log(s->avctx, AV_LOG_ERROR, "offset_len %d is invalid\n", offset_len); + return AVERROR_INVALIDDATA; + } + av_freep(&sh->entry_point_offset); av_freep(&sh->offset); av_freep(&sh->size); From 57b7a009c00705d3d36d01a2ad7d51d760fccf17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 13:21:52 +0200 Subject: [PATCH 0577/1352] avcodec/hevc: Check num_entry_point_offsets Fixes CID1239099 part 2 Signed-off-by: Michael Niedermayer (cherry picked from commit 1c6ae98d4a9ff9ea607df87908393eda4ebdf4e8) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 8c6b1b55f7..cf61a06ba3 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
@@ -674,7 +674,14 @@ static int hls_slice_header(HEVCContext *s) sh->num_entry_point_offsets = 0; if (s->pps->tiles_enabled_flag || s->pps->entropy_coding_sync_enabled_flag) { - sh->num_entry_point_offsets = get_ue_golomb_long(gb); + unsigned num_entry_point_offsets = get_ue_golomb_long(gb); + // It would be possible to bound this tighter but this here is simpler + if (sh->num_entry_point_offsets > get_bits_left(gb)) { + av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets); + return AVERROR_INVALIDDATA; + } + + sh->num_entry_point_offsets = num_entry_point_offsets; if (sh->num_entry_point_offsets > 0) { int offset_len = get_ue_golomb_long(gb) + 1; int segments = offset_len >> 4; From 65b47dddcf3511a13dabefd05a09190183d89548 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 13:35:37 +0200 Subject: [PATCH 0578/1352] avcodec/hevc_ps: More completely check vps_num_layer_sets Fixes CID1239052 part1 Signed-off-by: Michael Niedermayer (cherry picked from commit 16c95b107365cdbfcde1945370b59fc7e17e0309) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index d7e78b1b77..45b92e14fb 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -424,7 +424,8 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) vps->vps_max_layer_id = get_bits(gb, 6); vps->vps_num_layer_sets = get_ue_golomb_long(gb) + 1; - if ((vps->vps_num_layer_sets - 1LL) * (vps->vps_max_layer_id + 1LL) > get_bits_left(gb)) { + if (vps->vps_num_layer_sets < 1 || vps->vps_num_layer_sets > 1024 || + (vps->vps_num_layer_sets - 1LL) * (vps->vps_max_layer_id + 1LL) > get_bits_left(gb)) { av_log(s->avctx, AV_LOG_ERROR, "too many layer_id_included_flags\n"); goto err; } From 73ea11d721ad59a631b09ff968838f85f7883ed1 Mon Sep 17 00:00:00 2001 
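Review bot: The range check added to `hls_slice_header` tests `sh->num_entry_point_offsets`, which was set to 0 a few lines above, instead of the freshly parsed local `num_entry_point_offsets`. The parsed count is therefore never validated before it is stored. The condition should read `if (num_entry_point_offsets > get_bits_left(gb)) {`. Because the local is `unsigned`, the comparison is done in unsigned arithmetic, so a negative `get_bits_left()` is better rejected separately, and the log format should be `%u` rather than `%d`.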
From: Michael Niedermayer Date: Wed, 13 May 2015 13:35:57 +0200 Subject: [PATCH 0579/1352] avcodec/hevc_ps: Check vps_num_hrd_parameters Fix CID1239052 part2 Signed-off-by: Michael Niedermayer (cherry picked from commit b195aa5d529040f43ab3acf0079cecbeb111bd57) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 45b92e14fb..8fe9a0c216 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -442,6 +442,11 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) if (vps->vps_poc_proportional_to_timing_flag) vps->vps_num_ticks_poc_diff_one = get_ue_golomb_long(gb) + 1; vps->vps_num_hrd_parameters = get_ue_golomb_long(gb); + if (vps->vps_num_hrd_parameters > (unsigned)vps->vps_num_layer_sets) { + av_log(s->avctx, AV_LOG_ERROR, + "vps_num_hrd_parameters %d is invalid\n", vps->vps_num_hrd_parameters); + goto err; + } for (i = 0; i < vps->vps_num_hrd_parameters; i++) { int common_inf_present = 1; From 6d7a0c37b1e6112565578b171d16cb1433c39ad1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 13:53:33 +0200 Subject: [PATCH 0580/1352] avcodec/hevc_ps: Explicitly check num_tile_* for negative values This fixes nothing but maybe helps coverity which does not see that this is failing later Signed-off-by: Michael Niedermayer (cherry picked from commit 65e5032955cb5022f0f39160aa3839f0799456bd) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 8fe9a0c216..8d80e19692 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
@@ -1315,14 +1315,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) if (pps->tiles_enabled_flag) { pps->num_tile_columns = get_ue_golomb_long(gb) + 1; pps->num_tile_rows = get_ue_golomb_long(gb) + 1; - if (pps->num_tile_columns == 0 || + if (pps->num_tile_columns <= 0 || pps->num_tile_columns >= sps->width) { av_log(s->avctx, AV_LOG_ERROR, "num_tile_columns_minus1 out of range: %d\n", pps->num_tile_columns - 1); ret = AVERROR_INVALIDDATA; goto err; } - if (pps->num_tile_rows == 0 || + if (pps->num_tile_rows <= 0 || pps->num_tile_rows >= sps->height) { av_log(s->avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of range: %d\n", pps->num_tile_rows - 1); From 5766f99f71c972a0d2f36103eeb2795822819068 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 15:15:55 +0200 Subject: [PATCH 0581/1352] avcodec/jpeg2000dec: fix boolean operator Fixes CID1271791 #7-6 Signed-off-by: Michael Niedermayer (cherry picked from commit f8f155a18ac454e7ff3312e0e0c3a70eb4359143) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index d6204bbfc7..eb299c5140 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1606,7 +1606,7 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) int cn = bytestream2_get_be16(&s->g); int av_unused typ = bytestream2_get_be16(&s->g); int asoc = bytestream2_get_be16(&s->g); - if (cn < 4 || asoc < 4) + if (cn < 4 && asoc < 4) s->cdef[cn] = asoc; } } From 748194b58bff5ab195fe7c3c4cf9dc0e55c8efcd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2015 18:36:19 +0200 Subject: [PATCH 0582/1352] avcodec/mjpegdec: fix len computation in ff_mjpeg_decode_dqt() Signed-off-by: Michael Niedermayer (cherry picked from commit 81cf9108563510dee24f73b2c5d94a7bd07ff747) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 04018741f4..c2a92fae36 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -182,7 +182,7 @@ int ff_mjpeg_decode_dqt(MJpegDecodeContext *s) s->quant_matrixes[index][s->scantable.permutated[8]]) >> 1; av_log(s->avctx, AV_LOG_DEBUG, "qscale[%d]: %d\n", index, s->qscale[index]); - len -= 65; + len -= 1 + 64 * (1+pr); } return 0; } From a99169ea4a635dd2d21cdbf390b4f260d5d7195f Mon Sep 17 00:00:00 2001 From: Rainer Hochecker Date: Wed, 13 May 2015 18:31:27 +0200 Subject: [PATCH 0583/1352] swr: fix alignment issue caused by 8ch sse functions Fix crash when doing 8 ch conversion from apps compiled with MSVS Thanks to Ronald for giving this hint: https://ffmpeg.org/pipermail/ffmpeg-devel/2015-May/173049.html Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit adb7372f7495927a226edf9b8e1d0ac9453985ea) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 4685a8909d..9dd8135d8c 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -23,6 +23,7 @@ #include "audioconvert.h" #include "libavutil/avassert.h" #include "libavutil/channel_layout.h" +#include "libavutil/internal.h" #include @@ -658,8 +659,8 @@ int swr_is_initialized(struct SwrContext *s) { return !!s->in_buffer.ch_count; } -int swr_convert(struct SwrContext *s, uint8_t *out_arg[SWR_CH_MAX], int out_count, - const uint8_t *in_arg [SWR_CH_MAX], int in_count){ +int attribute_align_arg swr_convert(struct SwrContext *s, uint8_t *out_arg[SWR_CH_MAX], int out_count, + const uint8_t *in_arg [SWR_CH_MAX], int in_count){ AudioData * in= &s->in; AudioData *out= &s->out; From 85558c3da46a2e65747c957aa1f3125269ab85b2 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 14 May 2015 00:09:56 +0200 Subject: [PATCH 0584/1352] avcodec/mpeg4audio: add some padding/alignment to MAX_PCE_SIZE This avoids potential accesses over the end Signed-off-by: Michael Niedermayer (cherry picked from commit 93cfa7d1692c25cff045f99ba1af2c9e5772c45e) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4audio.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4audio.h b/libavcodec/mpeg4audio.h index 0f410455f5..a1f3ffc59b 100644 --- a/libavcodec/mpeg4audio.h +++ b/libavcodec/mpeg4audio.h @@ -101,7 +101,7 @@ enum AudioObjectType { AOT_USAC, ///< N Unified Speech and Audio Coding }; -#define MAX_PCE_SIZE 304 /// Date: Thu, 14 May 2015 01:01:35 +0200 Subject: [PATCH 0585/1352] avcodec/on2avc: Check run more carefully Fixes CID1239106 Signed-off-by: Michael Niedermayer (cherry picked from commit 22f15f5735389e992ec9aed43b0680e75746b3a1) Signed-off-by: Michael Niedermayer --- libavcodec/on2avc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 2ad88d106e..c864e14bc8 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -119,12 +119,12 @@ static int on2avc_decode_band_types(On2AVCContext *c, GetBitContext *gb) run_len = 1; do { run = get_bits(gb, bits_per_sect); + if (run > num_bands - band - run_len) { + av_log(c->avctx, AV_LOG_ERROR, "Invalid band type run\n"); + return AVERROR_INVALIDDATA; + } run_len += run; } while (run == esc_val); - if (band + run_len > num_bands) { - av_log(c->avctx, AV_LOG_ERROR, "Invalid band type run\n"); - return AVERROR_INVALIDDATA; - } for (i = band; i < band + run_len; i++) { c->band_type[i] = band_type; c->band_run_end[i] = band + run_len; From 62e4fe09ed0bece519e845df11e380ead0d6a295 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 May 2015 17:54:40 +0200 Subject: [PATCH 0586/1352] avcodec/cavsdec: Check esc_code 
Signed-off-by: Michael Niedermayer (cherry picked from commit 139e1c8009df7729a53eaaae7036ca01071aced5) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index f2ff10b536..a05e5c5b97 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -563,6 +563,11 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, return AVERROR_INVALIDDATA; } esc_code = get_ue_code(gb, esc_golomb_order); + if (esc_code < 0 || esc_code > 32767) { + av_log(h->avctx, AV_LOG_ERROR, "esc_code invalid\n"); + return AVERROR_INVALIDDATA; + } + level = esc_code + (run > r->max_run ? 1 : r->level_add[run]); while (level > r->inc_limit) r++; From fea9ed39e670736c492deac42785a451e0d6282e Mon Sep 17 00:00:00 2001 From: wm4 Date: Thu, 14 May 2015 18:27:31 +0200 Subject: [PATCH 0587/1352] hevc: make avcodec_decode_video2() fail if get_format() fails Personally, I need the decoder to back out if get_format() returns no usable pixel format. This didn't work because the error code was not propagated down the call chain. This in turn happened because the variable declaration removed in this patch shadowed the variable, whose value is returned at the end of the function. Consequently, failures of decode_nal_unit() were ignored in this place. Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit cc5e4bb48476a89cc8ce0c41bc2bd2e8fda9b37c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index cf61a06ba3..8c5581f2af 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2961,7 +2961,6 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length) /* parse the NAL units */ for (i = 0; i < s->nb_nals; i++) { - int ret; s->skipped_bytes = s->skipped_bytes_nal[i]; s->skipped_bytes_pos = s->skipped_bytes_pos_nal[i]; 
From c55a6bac6c3c976a2861faaa96634cdf2176f44c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 May 2015 20:49:25 +0200 Subject: [PATCH 0588/1352] avcodec/dcadec: Check nchans Fixes CID1239110 Signed-off-by: Michael Niedermayer (cherry picked from commit a6a45774d045007f8262cd7c614804390e53122e) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index 7d798b00fb..7cdf4b4beb 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -583,6 +583,14 @@ static int dca_parse_audio_coding_header(DCAContext *s, int base_channel, } nchans = get_bits(&s->gb, 3) + 1; + if (xxch && nchans >= 3) { + av_log(s->avctx, AV_LOG_ERROR, "nchans %d is too large\n", nchans); + return AVERROR_INVALIDDATA; + } else if (nchans + base_channel > DCA_PRIM_CHANNELS_MAX) { + av_log(s->avctx, AV_LOG_ERROR, "channel sum %d + %d is too large\n", nchans, base_channel); + return AVERROR_INVALIDDATA; + } + s->total_channels = nchans + base_channel; s->prim_channels = s->total_channels; From 6e7f434ad29ec432106a80ccb8b41ca598998ff1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 May 2015 21:29:19 +0200 Subject: [PATCH 0589/1352] avcodec/dcadec: Check subsubframes Fixes: CID1239152 Signed-off-by: Michael Niedermayer (cherry picked from commit a9bf628bfdad142763880a3d1ccb6058040dda57) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index 7cdf4b4beb..a32b17b9b6 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c 
@@ -857,6 +857,10 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index) if (!base_channel) { s->subsubframes[s->current_subframe] = get_bits(&s->gb, 2) + 1; + if (block_index + s->subsubframes[s->current_subframe] > s->sample_blocks/8) { + s->subsubframes[s->current_subframe] = 1; + return AVERROR_INVALIDDATA; + } s->partial_samples[s->current_subframe] = get_bits(&s->gb, 3); } From 91767369a79af0be8dbb67d572756e125bfd94d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 May 2015 13:07:00 +0200 Subject: [PATCH 0590/1352] ffmpeg_opt: Fix -timestamp parsing Signed-off-by: Michael Niedermayer (cherry picked from commit 107e4da47644fe615ea821d6a19682d73789aca7) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 855a08af40..d84a4ea506 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2801,7 +2801,7 @@ const OptionDef options[] = { { "itsscale", HAS_ARG | OPT_DOUBLE | OPT_SPEC | OPT_EXPERT | OPT_INPUT, { .off = OFFSET(ts_scale) }, "set the input ts scale", "scale" }, - { "timestamp", HAS_ARG | OPT_PERFILE, { .func_arg = opt_recording_timestamp }, + { "timestamp", HAS_ARG | OPT_PERFILE | OPT_OUTPUT, { .func_arg = opt_recording_timestamp }, "set the recording timestamp ('now' to set the current time)", "time" }, { "metadata", HAS_ARG | OPT_STRING | OPT_SPEC | OPT_OUTPUT, { .off = OFFSET(metadata) }, "add metadata", "string=string" }, From b628942eefe420af4f657d0bb8b87faed861b450 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 15:23:32 +0200 Subject: [PATCH 0591/1352] avcodec/proresdec2: Reset slice_count on deallocation Signed-off-by: Michael Niedermayer (cherry picked from commit c4c6aea397f62421bf8ef0449b2b465a53e4ab4d) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 1 + 1 file changed, 1 insertion(+) 
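Review bot: The new subsubframes bound in dca_subframe_header returns AVERROR_INVALIDDATA without logging anything, unlike the nchans check added to the same file in the previous patch. A rejected stream is then hard to diagnose from the log. I would add `av_log(s->avctx, AV_LOG_ERROR, "subsubframes %d too large\n", s->subsubframes[s->current_subframe]);` before the value is reset to 1. The function body starts and ends outside this hunk.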
diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 4d04a0ad85..a1d497f049 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -183,6 +183,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons if (ctx->slice_count != slice_count || !ctx->slices) { av_freep(&ctx->slices); + ctx->slice_count = 0; ctx->slices = av_mallocz_array(slice_count, sizeof(*ctx->slices)); if (!ctx->slices) return AVERROR(ENOMEM); From deefa1580a563166e77d3a5832862b05a10944b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 16:58:51 +0200 Subject: [PATCH 0592/1352] avcodec/shorten: Fix code depending on signed overflow behavior Signed-off-by: Michael Niedermayer (cherry picked from commit 2d15588124ab1d4c0612cab66f02a716f1509211) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 5c4bf816b9..4e63274b39 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -129,8 +129,7 @@ static int allocate_buffers(ShortenContext *s) av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); return AVERROR_INVALIDDATA; } - if (s->blocksize + s->nwrap >= UINT_MAX / sizeof(int32_t) || - s->blocksize + s->nwrap <= (unsigned)s->nwrap) { + if (s->blocksize + (uint64_t)s->nwrap >= UINT_MAX / sizeof(int32_t)) { av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n"); return AVERROR_INVALIDDATA; From 49664f160e079659fc22e96820f43648f751a10f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 16:48:31 +0200 Subject: [PATCH 0593/1352] avcodec/shorten: Check skip_bytes() Fixes CID1210526 Signed-off-by: Michael Niedermayer (cherry picked from commit d201becfc0d89c6a5dfe44e96f1044fbc2aadb70) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4e63274b39..7eb3ac4080 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -369,6 +369,11 @@ static int read_header(ShortenContext *s) s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); + if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { + av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < skip_bytes; i++) skip_bits(&s->gb, 8); } From 078ae8cbb7a2bebc851919c1f3056557d3631413 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 17:02:28 +0200 Subject: [PATCH 0594/1352] avcodec/shorten: More complete pred_order check Fixes CID1239055 Signed-off-by: Michael Niedermayer (cherry picked from commit 294469416d8193a28710d802bb0c46e5fa09fad7) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 7eb3ac4080..587c22a2b9 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -277,7 +277,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, if (command == FN_QLPC) { /* read/validate prediction order */ pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE); - if (pred_order > s->nwrap) { + if ((unsigned)pred_order > s->nwrap) { av_log(s->avctx, AV_LOG_ERROR, "invalid pred_order %d\n", pred_order); return AVERROR(EINVAL); From 7969c0c6f1560f9e0f440ab79a381fc166c2a455 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 17:21:10 +0200 Subject: [PATCH 0595/1352] avcodec/smvjpegdec: check avcodec_decode_video2() return code Fixes CID1271810 Signed-off-by: Michael Niedermayer (cherry picked from commit cdd25f9a3df3905543a5546cf6076d2eaf895736) Signed-off-by: Michael Niedermayer --- libavcodec/smvjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) 
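Review bot: The added guard in read_header, `(unsigned)skip_bytes > get_bits_left(&s->gb)/8`, compares an unsigned value with an int, so a negative get_bits_left() result is converted to a very large unsigned number and the check passes. Whether the reader can already be past the end at this point is not visible in the hunk, but making the sign explicit costs nothing: `int left = get_bits_left(&s->gb);` followed by `if (left < 0 || (unsigned)skip_bytes > left / 8) {`. The num_entry_point_offsets check corrected in the hevc.c hunk of patch 0601 compares an unsigned with get_bits_left() in the same way and would benefit from the same treatment.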
diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c index 69327cd798..88912ca212 100644 --- a/libavcodec/smvjpegdec.c +++ b/libavcodec/smvjpegdec.c @@ -137,6 +137,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz if (!cur_frame) { av_frame_unref(mjpeg_data); ret = avcodec_decode_video2(s->avctx, mjpeg_data, &s->mjpeg_data_size, avpkt); + if (ret < 0) { + s->mjpeg_data_size = 0; + return ret; + } } else if (!s->mjpeg_data_size) return AVERROR(EINVAL); From 41cb92151224e33adf0c791ba50b5f9ff5ea63e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 17:26:25 +0200 Subject: [PATCH 0596/1352] avcodec/sonic: check memory allocations Signed-off-by: Michael Niedermayer (cherry picked from commit c131a9fead5bf63215b6e1172b3c5c183cf90b85) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index a5e573a7aa..81fe1ef5c8 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -497,12 +497,15 @@ static int predictor_calc_error(int *k, int *state, int order, int error) // copes better with quantization, and calculates the // actual whitened result as it goes. -static void modified_levinson_durbin(int *window, int window_entries, +static int modified_levinson_durbin(int *window, int window_entries, int *out, int out_entries, int channels, int *tap_quant) { int i; int *state = av_calloc(window_entries, sizeof(*state)); + if (!state) + return AVERROR(ENOMEM); + memcpy(state, window, 4* window_entries); for (i = 0; i < out_entries; i++) @@ -567,6 +570,7 @@ static void modified_levinson_durbin(int *window, int window_entries, } av_free(state); + return 0; } static inline int code_samplerate(int samplerate) 
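Review bot: Right after the new NULL check in modified_levinson_durbin, the context line `memcpy(state, window, 4* window_entries);` sizes the copy with a literal 4 and int arithmetic, while the allocation above goes through av_calloc with `sizeof(*state)`. Tying the two together keeps the copy length and the allocation size from drifting apart: `memcpy(state, window, window_entries * sizeof(*state));`. This line is unchanged by the commit, but it is the first use of the buffer whose allocation is now checked.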
@@ -627,6 +631,9 @@ static av_cold int sonic_encode_init(AVCodecContext *avctx) // generate taps s->tap_quant = av_calloc(s->num_taps, sizeof(*s->tap_quant)); + if (!s->tap_quant) + return AVERROR(ENOMEM); + for (i = 0; i < s->num_taps; i++) s->tap_quant[i] = ff_sqrt(i+1); @@ -656,7 +663,7 @@ static av_cold int sonic_encode_init(AVCodecContext *avctx) s->window_size = ((2*s->tail_size)+s->frame_size); s->window = av_calloc(s->window_size, sizeof(*s->window)); - if (!s->window) + if (!s->window || !s->int_samples) return AVERROR(ENOMEM); avctx->extradata = av_mallocz(16); @@ -769,8 +776,11 @@ static int sonic_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, s->tail[i] = s->int_samples[s->frame_size - s->tail_size + i]; // generate taps - modified_levinson_durbin(s->window, s->window_size, + ret = modified_levinson_durbin(s->window, s->window_size, s->predictor_k, s->num_taps, s->channels, s->tap_quant); + if (ret < 0) + return ret; + if ((ret = intlist_write(&c, state, s->predictor_k, s->num_taps, 0)) < 0) return ret; @@ -913,6 +923,9 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) // generate taps s->tap_quant = av_calloc(s->num_taps, sizeof(*s->tap_quant)); + if (!s->tap_quant) + return AVERROR(ENOMEM); + for (i = 0; i < s->num_taps; i++) s->tap_quant[i] = ff_sqrt(i+1); @@ -932,6 +945,8 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) return AVERROR(ENOMEM); } s->int_samples = av_calloc(s->frame_size, sizeof(*s->int_samples)); + if (!s->int_samples) + return AVERROR(ENOMEM); avctx->sample_fmt = AV_SAMPLE_FMT_S16; return 0; From a593e8190f90555baa0e1f466b7ad60537bbe92b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 17:31:58 +0200 Subject: [PATCH 0597/1352] avcodec/sonic: More completely check sample_rate_index and channels Fixes CID1271783 Signed-off-by: Michael Niedermayer (cherry picked from commit ade8a46154cb45c88b1cb5c616eaa6320c941187) 
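Review bot: The new early returns in sonic_encode_init (`if (!s->tap_quant)`, `if (!s->window || !s->int_samples)`) and in sonic_decode_init (`if (!s->tap_quant)`, `if (!s->int_samples)`) leave without releasing buffers that were allocated earlier in the same function. In the combined test, for example, one of window and int_samples may have succeeded when the other failed. Unless the codec's close callback is guaranteed to run after a failed init, which is not visible from these hunks, those buffers leak. I would route each failure through the existing close function, or through a common fail label that frees tap_quant, window and int_samples, before returning AVERROR(ENOMEM). Both function bodies extend beyond the hunks shown.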
Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 81fe1ef5c8..3db77f30a3 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -883,13 +883,19 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) if (s->version >= 1) { + int sample_rate_index; s->channels = get_bits(&gb, 2); - s->samplerate = samplerate_table[get_bits(&gb, 4)]; + sample_rate_index = get_bits(&gb, 4); + if (sample_rate_index >= FF_ARRAY_ELEMS(samplerate_table)) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample_rate_index %d\n", sample_rate_index); + return AVERROR_INVALIDDATA; + } + s->samplerate = samplerate_table[sample_rate_index]; av_log(avctx, AV_LOG_INFO, "Sonicv2 chans: %d samprate: %d\n", s->channels, s->samplerate); } - if (s->channels > MAX_CHANNELS) + if (s->channels > MAX_CHANNELS || s->channels < 1) { av_log(avctx, AV_LOG_ERROR, "Only mono and stereo streams are supported by now\n"); return AVERROR_INVALIDDATA; From 0719b1849c9f495a6a51c12b22106f5424693487 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 18:04:12 +0200 Subject: [PATCH 0598/1352] avcodec/dcadec: Check scale table index Fixes CID1297594 part 1 Signed-off-by: Michael Niedermayer (cherry picked from commit 0f3e6959bfa67d12cd5a173b86eb15abd7d9e4d5) Conflicts: libavcodec/dcadec.c --- libavcodec/dcadec.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index a32b17b9b6..cf412465d2 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c 
@@ -1865,23 +1865,34 @@ static int dca_xbr_parse_frame(DCAContext *s) for(i = 0; i < n_xbr_ch[chset]; i++) { const uint32_t *scale_table; int nbits; + int scale_table_size; if (s->scalefactor_huffman[chan_base+i] == 6) { scale_table = scale_factor_quant7; + scale_table_size = FF_ARRAY_ELEMS(scale_factor_quant7); } else { scale_table = scale_factor_quant6; + scale_table_size = FF_ARRAY_ELEMS(scale_factor_quant6); } nbits = anctemp[i]; for(j = 0; j < active_bands[chset][i]; j++) { if(abits_high[i][j] > 0) { - scale_table_high[i][j][0] = - scale_table[get_bits(&s->gb, nbits)]; + int index = get_bits(&s->gb, nbits); + if (index >= scale_table_size) { + av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index); + return AVERROR_INVALIDDATA; + } + scale_table_high[i][j][0] = scale_table[index]; if(xbr_tmode && s->transition_mode[i][j]) { - scale_table_high[i][j][1] = - scale_table[get_bits(&s->gb, nbits)]; + int index = get_bits(&s->gb, nbits); + if (index >= scale_table_size) { + av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index); + return AVERROR_INVALIDDATA; + } + scale_table_high[i][j][1] = scale_table[index]; } } } From 55ee305beba3ab749ecea9f1b86df6a903cc98de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 18:29:40 +0200 Subject: [PATCH 0599/1352] avcodec/dcadec: Check active_bands Fixes CID1297594 part2 Signed-off-by: Michael Niedermayer (cherry picked from commit fc624ec9ba7e5c4e8d905ac10f605a43d123f95a) Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index cf412465d2..6f74b146cb 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c 
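Review bot: The second `int index = get_bits(&s->gb, nbits);` inside the `if(xbr_tmode && s->transition_mode[i][j])` block shadows the `int index` declared a few lines above in the enclosing block. Shadowing of this kind is what hid the error code in the hevc.c fix earlier in this series, so it is worth avoiding here. Reusing the outer variable is enough: `index = get_bits(&s->gb, nbits);`. The read, range check and log are also duplicated verbatim for the two table slots and could be folded into one small static helper. dca_xbr_parse_frame's body continues outside the hunk.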
@@ -1822,8 +1822,13 @@ static int dca_xbr_parse_frame(DCAContext *s) for(i = 0; i < num_chsets; i++) { n_xbr_ch[i] = get_bits(&s->gb, 3) + 1; k = get_bits(&s->gb, 2) + 5; - for(j = 0; j < n_xbr_ch[i]; j++) + for(j = 0; j < n_xbr_ch[i]; j++) { active_bands[i][j] = get_bits(&s->gb, k) + 1; + if (active_bands[i][j] > DCA_SUBBANDS) { + av_log(s->avctx, AV_LOG_ERROR, "too many active subbands (%d)\n", active_bands[i][j]); + return AVERROR_INVALIDDATA; + } + } } /* skip to the end of the header */ From eac07625f94c2db613eeccece02b64350bcfbe44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 22:02:12 +0200 Subject: [PATCH 0600/1352] avcodec/libtheoraenc: Check for av_malloc failure Fixes CID1257799 Signed-off-by: Michael Niedermayer (cherry picked from commit c64b2d480b4a35d4face9928b4265a0fda3f3dd9) Signed-off-by: Michael Niedermayer --- libavcodec/libtheoraenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/libtheoraenc.c b/libavcodec/libtheoraenc.c index 4c90822439..36d48fbbb3 100644 --- a/libavcodec/libtheoraenc.c +++ b/libavcodec/libtheoraenc.c @@ -108,6 +108,8 @@ static int get_stats(AVCodecContext *avctx, int eos) // libtheora generates a summary header at the end memcpy(h->stats, buf, bytes); avctx->stats_out = av_malloc(b64_size); + if (!avctx->stats_out) + return AVERROR(ENOMEM); av_base64_encode(avctx->stats_out, b64_size, h->stats, h->stats_offset); } return 0; From b60895a13b329ff428af7e2e273613bf6a417fea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 May 2015 22:12:08 +0200 Subject: [PATCH 0601/1352] avcodec/hevc: Fix typo in num_entry_point_offsets check Signed-off-by: Michael Niedermayer (cherry picked from commit 3051e7fa712dfe2136f19b7157211453895f2a3c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 8c5581f2af..81495eb6e1 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
@@ -676,7 +676,7 @@ static int hls_slice_header(HEVCContext *s) if (s->pps->tiles_enabled_flag || s->pps->entropy_coding_sync_enabled_flag) { unsigned num_entry_point_offsets = get_ue_golomb_long(gb); // It would be possible to bound this tighter but this here is simpler - if (sh->num_entry_point_offsets > get_bits_left(gb)) { + if (num_entry_point_offsets > get_bits_left(gb)) { av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets); return AVERROR_INVALIDDATA; } From f073ed665107a2955201ada99e1b35c2e592b4f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 May 2015 13:50:38 +0200 Subject: [PATCH 0602/1352] avformat/mov: Print reason of loci parsing failure Signed-off-by: Michael Niedermayer (cherry picked from commit 9e4f0cfc8ff4ab635ea12bdbd8d85d8bb1ba25f9) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6b20a57d07..64135deb0a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -230,8 +230,10 @@ static int mov_metadata_loci(MOVContext *c, AVIOContext *pb, unsigned len) double longitude, latitude; const char *key = "location"; - if (len < 4 + 2 + 1 + 1 + 4 + 4 + 4) + if (len < 4 + 2 + 1 + 1 + 4 + 4 + 4) { + av_log(c->fc, AV_LOG_ERROR, "loci too short\n"); return AVERROR_INVALIDDATA; + } avio_skip(pb, 4); // version+flags langcode = avio_rb16(pb); 
@@ -239,13 +241,17 @@ static int mov_metadata_loci(MOVContext *c, AVIOContext *pb, unsigned len) len -= 6; len -= avio_get_str(pb, len, buf, sizeof(buf)); // place name - if (len < 1) + if (len < 1) { + av_log(c->fc, AV_LOG_ERROR, "place name too long\n"); return AVERROR_INVALIDDATA; + } avio_skip(pb, 1); // role len -= 1; - if (len < 14) + if (len < 14) { + av_log(c->fc, AV_LOG_ERROR, "no space for coordinates left (%d)\n", len); return AVERROR_INVALIDDATA; + } longitude = ((int32_t) avio_rb32(pb)) / (float) (1 << 16); latitude = ((int32_t) avio_rb32(pb)) / (float) (1 << 16); From 9ce3e804ffae7267716d130dd3e5b3be4a12534f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 May 2015 13:51:18 +0200 Subject: [PATCH 0603/1352] avformat/mov: Fix parsing short loci Fixes Ticket4557 Signed-off-by: Michael Niedermayer (cherry picked from commit 50393bce31a5618f5125aaaf97bb69886fc4261d) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 64135deb0a..aacb6b3ac7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -248,7 +248,7 @@ static int mov_metadata_loci(MOVContext *c, AVIOContext *pb, unsigned len) avio_skip(pb, 1); // role len -= 1; - if (len < 14) { + if (len < 12) { av_log(c->fc, AV_LOG_ERROR, "no space for coordinates left (%d)\n", len); return AVERROR_INVALIDDATA; } From 666295ebabc46127b70deb16bba4496a873e83bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 May 2015 19:07:17 +0200 Subject: [PATCH 0604/1352] avcodec/golomb: get_ur_golomb_jpegls: Fix reading huge k values Signed-off-by: Michael Niedermayer (cherry picked from commit c720b9ce9850710e74a103d9626869e397a89faa) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 81d8aeef9e..a65c17e326 100644 --- a/libavcodec/golomb.h 
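Review bot: The new message `"no space for coordinates left (%d)\n"` prints `len` with `%d`, but the hunk header shows mov_metadata_loci takes `unsigned len`. The specifier should match the argument type: `av_log(c->fc, AV_LOG_ERROR, "no space for coordinates left (%u)\n", len);`. Because len is unsigned, `len < 1` above can only mean len is 0, so the "place name too long" branch fires exactly when the string consumed every remaining byte.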
+++ b/libavcodec/golomb.h @@ -346,8 +346,16 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, if (i < limit - 1) { if (k) { - buf = SHOW_UBITS(re, gb, k); - LAST_SKIP_BITS(re, gb, k); + if (k > MIN_CACHE_BITS - 1) { + buf = SHOW_UBITS(re, gb, 16) << (k-16); + LAST_SKIP_BITS(re, gb, 16); + UPDATE_CACHE(re, gb); + buf |= SHOW_UBITS(re, gb, k-16); + LAST_SKIP_BITS(re, gb, k-16); + } else { + buf = SHOW_UBITS(re, gb, k); + LAST_SKIP_BITS(re, gb, k); + } } else { buf = 0; } From d818b8338c238f4b8dea7a4a13dd1e9b427d249e Mon Sep 17 00:00:00 2001 From: Dave Yeo Date: Tue, 5 May 2015 21:07:59 -0700 Subject: [PATCH 0605/1352] OS/2:Makedef.cmd cleanup Remove PROTMODE as it doesn't make sense for DLLs. Also fixes a warning with the OpenWatcom linker Export symbols as names rather then ordinals for better compatibility for minor releases. Signed-off-by: Michael Niedermayer --- configure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/configure b/configure index b09bfa1874..51432db3ba 100755 --- a/configure +++ b/configure @@ -4123,11 +4123,10 @@ case $target_os in SLIBNAME_WITH_VERSION='$(SLIBPREF)$(NAME)-$(LIBVERSION)$(SLIBSUF)' SLIBNAME_WITH_MAJOR='$(SLIBPREF)$(shell echo $(NAME) | cut -c1-6)$(LIBMAJOR)$(SLIBSUF)' SLIB_CREATE_DEF_CMD='echo LIBRARY $(SLIBNAME_WITH_MAJOR) INITINSTANCE TERMINSTANCE > $(SUBDIR)$(NAME).def; \ - echo PROTMODE >> $(SUBDIR)$(NAME).def; \ echo CODE PRELOAD MOVEABLE DISCARDABLE >> $(SUBDIR)$(NAME).def; \ echo DATA PRELOAD MOVEABLE MULTIPLE NONSHARED >> $(SUBDIR)$(NAME).def; \ echo EXPORTS >> $(SUBDIR)$(NAME).def; \ - emxexp -o $(OBJS) >> $(SUBDIR)$(NAME).def' + emxexp $(OBJS) >> $(SUBDIR)$(NAME).def' SLIB_EXTRA_CMD='emximp -o $(SUBDIR)$(LIBPREF)$(NAME)_dll.a $(SUBDIR)$(NAME).def; \ emximp -o $(SUBDIR)$(LIBPREF)$(NAME)_dll.lib $(SUBDIR)$(NAME).def;' SLIB_INSTALL_EXTRA_LIB='$(LIBPREF)$(NAME)_dll.a $(LIBPREF)$(NAME)_dll.lib' From 427cf443ab1f905056399cbe19aa46107e275f98 Mon Sep 17 00:00:00 2001 
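Review bot: The new large-k branch in get_ur_golomb_jpegls has no upper bound on k, yet `SHOW_UBITS(re, gb, 16) << (k-16)` and the following `SHOW_UBITS(re, gb, k-16)` are only well defined while k-16 fits in the cache and the shift stays below the width of buf. Callers presumably keep k small, but that is not visible here, and k can come from the bitstream in some decoders. I would state the contract at the top of the function with `av_assert2(k <= 31);`, or reject larger values before the read. A short comment explaining why the split is at 16 bits would also help. The function body starts and ends outside this hunk.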
From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 00:30:51 +0200 Subject: [PATCH 0606/1352] apedec: set s->samples only when init_frame_decoder succeeded Otherwise range_start_decoding is not necessarily run and thus ctx->rc.range still 0 in range_dec_normalize leading to an infinite loop. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 464c49155ce7ffc88ed39eb2511e7a75565c24be) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 860721484a..577d0aa260 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1476,13 +1476,13 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, nblocks); return AVERROR_INVALIDDATA; } - s->samples = nblocks; /* Initialize the frame decoder */ if (init_frame_decoder(s) < 0) { av_log(avctx, AV_LOG_ERROR, "Error reading frame header\n"); return AVERROR_INVALIDDATA; } + s->samples = nblocks; } if (!s->data) { From 5260ba3e16a23a2b8a0ff161cfb9a57cdf91992f Mon Sep 17 00:00:00 2001 From: Maneesh Gupta Date: Tue, 28 Apr 2015 13:08:31 +0530 Subject: [PATCH 0607/1352] OpenCL: Avoid potential buffer overflow in cmdutils_opencl.c The opt_opencl_bench function copied the device name using strcpy without checking if the source string was larger. This patch fixes this by replacing the strcpy with av_strlcpy, with the string copy size capped to the destination buffer size. Signed-off-by: Maneesh Gupta Signed-off-by: Michael Niedermayer (cherry picked from commit cf234552b83a9503ff96572de2658b921b8842eb) Signed-off-by: Michael Niedermayer --- cmdutils_opencl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cmdutils_opencl.c b/cmdutils_opencl.c index 3dfd156195..61478e27af 100644 --- a/cmdutils_opencl.c +++ b/cmdutils_opencl.c 
@@ -22,6 +22,7 @@ #include "libavutil/time.h" #include "libavutil/log.h" #include "libavutil/opencl.h" +#include "libavutil/avstring.h" #include "cmdutils.h" typedef struct { @@ -238,7 +239,8 @@ int opt_opencl_bench(void *optctx, const char *opt, const char *arg) devices[count].platform_idx = i; devices[count].device_idx = j; devices[count].runtime = score; - strcpy(devices[count].device_name, device_node->device_name); + av_strlcpy(devices[count].device_name, device_node->device_name, + sizeof(devices[count].device_name)); count++; } } From 723d2b0c5b6b8e433fc1d8ed001e571107578079 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Apr 2015 14:29:47 +0200 Subject: [PATCH 0608/1352] ffmpeg: remove incorrect network deinit Signed-off-by: Michael Niedermayer (cherry picked from commit e2877bdf3862325c2982c3237d9bf28f1bbf793f) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 1 - 1 file changed, 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 83c51aa675..44e03e77db 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -352,7 +352,6 @@ void term_init(void) signal(SIGQUIT, sigterm_handler); /* Quit (POSIX). */ } #endif - avformat_network_deinit(); signal(SIGINT , sigterm_handler); /* Interrupt (ANSI). */ signal(SIGTERM, sigterm_handler); /* Termination (ANSI). */ From e0ef1b8c0b21122850458d1c2c229d8bd852a74d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 20:31:56 +0200 Subject: [PATCH 0609/1352] nutdec: check for negative frame rate in decode_info_header A negative frame rate triggers an av_assert2 in av_rescale_rnd. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 6621105877ce0d65724a8ab60b3a50160adbe65d) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 6fff2bb132..def89849f5 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
@@ -575,7 +575,8 @@ static int decode_info_header(NUTContext *nut) if (stream_id_plus1 && !strcmp(name, "r_frame_rate")) { sscanf(str_value, "%d/%d", &st->r_frame_rate.num, &st->r_frame_rate.den); - if (st->r_frame_rate.num >= 1000LL*st->r_frame_rate.den) + if (st->r_frame_rate.num >= 1000LL*st->r_frame_rate.den || + st->r_frame_rate.num < 0 || st->r_frame_rate.num < 0) st->r_frame_rate.num = st->r_frame_rate.den = 0; continue; } From 35a0d4801f26a3f695ac5bd75f90ebea735ef86b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 28 Apr 2015 22:37:19 +0200 Subject: [PATCH 0610/1352] nutdec: fix illegal count check in decode_main_header The existing check has two problems: 1) i + count can overflow, so that the check '< 256' returns true. 2) In the (i == 'N') case occurs a j-- so that the loop runs once more. This can trigger the assertion 'nut->header_len[0] == 0' or cause segmentation faults or infinite hangs. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 7c24ca1bda2d4df1dc9b2b982941be532d60da21) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index def89849f5..8d2b145d8d 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -306,7 +306,7 @@ static int decode_main_header(NUTContext *nut) ffio_read_varlen(bc); } - if (count == 0 || i + count > 256) { + if (count <= 0 || count > 256 - (i <= 'N') - i) { av_log(s, AV_LOG_ERROR, "illegal count %d at %d\n", count, i); return AVERROR_INVALIDDATA; } From 3126d6ee02ccdde1beb66ea9e65af5b392117ca6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 May 2015 15:54:21 +0200 Subject: [PATCH 0611/1352] avcodec/wavpack: Check L/R values before use to avoid harmless integer overflow and undefined behavior in fate Signed-off-by: Michael Niedermayer (cherry picked from commit 042260cde4ecf716438c5fc92d15ad5f037ee2e1) 
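Review bot: The added clause in decode_info_header tests `st->r_frame_rate.num < 0` twice, so the second operand is dead code and was presumably meant to test the denominator. A non-positive den is still rejected today, but only indirectly, through `num >= 1000LL*den` together with the num test, which is easy to break in a later edit. I would write the intent out: `st->r_frame_rate.num < 0 || st->r_frame_rate.den <= 0)`. The sscanf() result on the context line above is also unchecked, so a value with fewer than two fields leaves num and den at whatever they held before.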
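Review bot: The rewritten bound in decode_main_header, `count > 256 - (i <= 'N') - i`, is correct as far as the commit message explains it, but the `(i <= 'N')` term is unreadable without that message. A one-line comment above the check would keep the reasoning with the code, for example `/* ranges that start at or before 'N' consume one extra slot, since the fill loop skips 'N' */`. The fill loop itself is outside this hunk, so the wording should be confirmed against it.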
Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 1ad3901600..b51a21cc9d 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -472,6 +472,14 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, s->decorr[i].samplesB[0] = L; } } + + if (type == AV_SAMPLE_FMT_S16P) { + if (FFABS(L) + FFABS(R) > (1<<19)) { + av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); + return AVERROR_INVALIDDATA; + } + } + pos = (pos + 1) & 7; if (s->joint) L += (R -= (L >> 1)); From 25b56dfa5c067440830f4d3e2bef23e75d0a4c80 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 May 2015 23:07:20 +0200 Subject: [PATCH 0612/1352] matroskadec: use uint64_t instead of int for index_scale index_scale is set to matroska->time_scale of type uint64_t. When index_scale is int, the assignment can overflow and e.g. result in index_scale = 0. This causes a floating point exception due to the division by index_scale. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit eb9fb508b0e09d85d234fe694333b2005e1d7a7e) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 699c272fc0..c06bc2e6be 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1441,7 +1441,7 @@ static void matroska_add_index_entries(MatroskaDemuxContext *matroska) { EbmlList *index_list; MatroskaIndex *index; - int index_scale = 1; + uint64_t index_scale = 1; int i, j; index_list = &matroska->index; From 43bfe0ada57f585f79b06215d6e0e9976e6e59c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 May 2015 13:37:26 +0200 Subject: [PATCH 0613/1352] avcodec/ffv1dec: Check chroma shift parameters 
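Review bot: The new range check in wv_unpack_stereo, `FFABS(L) + FFABS(R) > (1<<19)`, can itself overflow. If L and R are plain int, as the `%d` in the log line suggests, then FFABS of the most negative value and the sum of two large magnitudes both overflow signed int, which is the undefined behaviour this commit sets out to avoid. Widening before taking the absolute value removes it: `if (FFABS((int64_t)L) + FFABS((int64_t)R) > (1<<19)) {`. The check is also limited to AV_SAMPLE_FMT_S16P, and a comment saying why other sample formats are exempt would help. The function body extends beyond the hunk.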
Signed-off-by: Michael Niedermayer (cherry picked from commit d43cd6b08ed555c303478e3133717fbb2236be6e) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index c408f16106..376546f44c 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -546,6 +546,12 @@ static int read_extra_header(FFV1Context *f) f->num_h_slices = 1 + get_symbol(c, state, 0); f->num_v_slices = 1 + get_symbol(c, state, 0); + if (f->chroma_h_shift > 4U || f->chroma_v_shift > 4U) { + av_log(f->avctx, AV_LOG_ERROR, "chroma shift parameters %d %d are invalid\n", + f->chroma_h_shift, f->chroma_v_shift); + return AVERROR_INVALIDDATA; + } + if (f->num_h_slices > (unsigned)f->width || !f->num_h_slices || f->num_v_slices > (unsigned)f->height || !f->num_v_slices ) { @@ -651,6 +657,12 @@ static int read_header(FFV1Context *f) } } + if (chroma_h_shift > 4U || chroma_v_shift > 4U) { + av_log(f->avctx, AV_LOG_ERROR, "chroma shift parameters %d %d are invalid\n", + chroma_h_shift, chroma_v_shift); + return AVERROR_INVALIDDATA; + } + f->colorspace = colorspace; f->avctx->bits_per_raw_sample = bits_per_raw_sample; f->chroma_planes = chroma_planes; From 84cc40cbe154ecc7ad460b879d39ad9df62957a6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 May 2015 23:55:20 +0200 Subject: [PATCH 0614/1352] matroskadec: check s->streams[k] before using it This fixes a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit e54540655f229d06667dc7fa7005f2a20e101e80) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index c06bc2e6be..7618284d8c 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -1942,7 +1942,7 @@ static int matroska_parse_tracks(AVFormatContext *s) snprintf(buf, sizeof(buf), "%s_%d", ff_matroska_video_stereo_plane[planes[j].type], i); for (k=0; k < matroska->tracks.nb_elem; k++) - if (planes[j].uid == tracks[k].uid) { + if (planes[j].uid == tracks[k].uid && s->streams[k]) { av_dict_set(&s->streams[k]->metadata, "stereo_mode", buf, 0); break; From f9f1c50b41bfd42b14c11fcbf43ecc1303da3a86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 May 2015 15:47:54 +0200 Subject: [PATCH 0615/1352] avformat/matroskadec: Use tracks[k]->stream instead of s->streams[k] The later is not correct Signed-off-by: Michael Niedermayer (cherry picked from commit 5d309d309108684f742bbf5fc2393f1c519cda72) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 7618284d8c..21b000252c 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1942,8 +1942,8 @@ static int matroska_parse_tracks(AVFormatContext *s) snprintf(buf, sizeof(buf), "%s_%d", ff_matroska_video_stereo_plane[planes[j].type], i); for (k=0; k < matroska->tracks.nb_elem; k++) - if (planes[j].uid == tracks[k].uid && s->streams[k]) { - av_dict_set(&s->streams[k]->metadata, + if (planes[j].uid == tracks[k].uid && tracks[k].stream) { + av_dict_set(&tracks[k].stream->metadata, "stereo_mode", buf, 0); break; } From 10429a5284cd820c0a641622749b07dbc02d703f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 5 May 2015 21:33:08 +0200 Subject: [PATCH 0616/1352] diracdec: prevent overflow in data_unit_size check buf_idx + data_unit_size can overflow, causing the '> buf_size' check to wrongly fail. This causes a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 984f50deb2d48f6844d65e10991b996a6d29e87c) 
Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 5f3cc9eeb5..a6b52e0016 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1939,8 +1939,8 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, break; data_unit_size = AV_RB32(buf+buf_idx+5); - if (buf_idx + data_unit_size > buf_size || !data_unit_size) { - if(buf_idx + data_unit_size > buf_size) + if (data_unit_size > buf_size - buf_idx || !data_unit_size) { + if(data_unit_size > buf_size - buf_idx) av_log(s->avctx, AV_LOG_ERROR, "Data unit with size %d is larger than input buffer, discarding\n", data_unit_size); From 68c11b665458bf43d5f751131c43c6e402e5e02f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 5 May 2015 22:10:44 +0200 Subject: [PATCH 0617/1352] diracdec: avoid overflow of bytes*8 in decode_lowdelay If bytes is large enough, bytes*8 can overflow and become negative. In that case 'bufsize -= bytes*8' causes bufsize to increase instead of decrease. This leads to a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 9e66b39aa87eb653a6e5d15f70b792ccbf719de7) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index a6b52e0016..533f37b460 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -799,7 +799,10 @@ static void decode_lowdelay(DiracContext *s) slice_num++; buf += bytes; - bufsize -= bytes*8; + if (bufsize/8 >= bytes) + bufsize -= bytes*8; + else + bufsize = 0; } avctx->execute(avctx, decode_lowdelay_slice, slices, NULL, slice_num, From c646ee3da747337adfb865e703efeb6269ec541d Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Tue, 5 May 2015 23:51:48 +0200 Subject: [PATCH 0618/1352] diracdec: check if reference could not be allocated s->ref_pics[i] is later used as ref argument of interpolate_refplane, where it is dereferenced. If it is NULL, it causes a segmentation fault. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit d93181ef3eacdb862d93448f31c97765a523d1db) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 533f37b460..1bfe6be0a4 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1747,6 +1747,12 @@ static int dirac_decode_picture_header(DiracContext *s) get_buffer_with_edge(s->avctx, s->ref_pics[i]->avframe, AV_GET_BUFFER_FLAG_REF); break; } + + if (!s->ref_pics[i]) { + av_log(s->avctx, AV_LOG_ERROR, "Reference could not be allocated\n"); + return -1; + } + } /* retire the reference frames that are not used anymore */ From c6f343d7c4360d85a701b8397bd9855541bc8af6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Jun 2015 01:12:40 +0200 Subject: [PATCH 0619/1352] Update for 2.4.10 Signed-off-by: Michael Niedermayer --- Changelog | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 105 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 4b1edd2190..183fff9ef7 100644 --- a/Changelog +++ b/Changelog 
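Review bot: The new failure path in dirac_decode_picture_header ends with `return -1;`, whereas the other checks added in this series return an AVERROR code. The log text says the reference could not be allocated, so `return AVERROR(ENOMEM);` would give callers a meaningful error; if the NULL can also result from a missing reference rather than an allocation failure, AVERROR_INVALIDDATA may fit better. The blank line left before the closing brace of the loop can be dropped as well.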
@@ -1,6 +1,109 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.4.10: +- diracdec: check if reference could not be allocated +- diracdec: avoid overflow of bytes*8 in decode_lowdelay +- diracdec: prevent overflow in data_unit_size check +- avformat/matroskadec: Use tracks[k]->stream instead of s->streams[k] +- matroskadec: check s->streams[k] before using it +- avcodec/ffv1dec: Check chroma shift parameters +- matroskadec: use uint64_t instead of int for index_scale +- avcodec/wavpack: Check L/R values before use to avoid harmless integer overflow and undefined behavior in fate +- nutdec: fix illegal count check in decode_main_header +- nutdec: check for negative frame rate in decode_info_header +- ffmpeg: remove incorrect network deinit +- OpenCL: Avoid potential buffer overflow in cmdutils_opencl.c +- apedec: set s->samples only when init_frame_decoder succeeded +- OS/2:Makedef.cmd cleanup +- avcodec/golomb: get_ur_golomb_jpegls: Fix reading huge k values +- avformat/mov: Fix parsing short loci +- avformat/mov: Print reason of loci parsing failure +- avcodec/hevc: Fix typo in num_entry_point_offsets check +- avcodec/libtheoraenc: Check for av_malloc failure +- avcodec/dcadec: Check active_bands +- avcodec/dcadec: Check scale table index +- avcodec/sonic: More completely check sample_rate_index and channels +- avcodec/sonic: check memory allocations +- avcodec/smvjpegdec: check avcodec_decode_video2() return code +- avcodec/shorten: More complete pred_order check +- avcodec/shorten: Check skip_bytes() +- png: Set the color range as full range +- mpegts: Update the PSI/SI table only if the version change +- rtsp: Make sure we don't write too many transport entries into a fixed-size array +- rtpenc_jpeg: Handle case of picture dimensions not dividing by 8 +- libvpx: Fix mixed use of av_malloc() and av_reallocp() +- aacpsy: correct calculation of minath in psy_3gpp_init +- 
avcodec/shorten: Fix code depending on signed overflow behavior +- avcodec/proresdec2: Reset slice_count on deallocation +- ffmpeg_opt: Fix -timestamp parsing +- avcodec/dcadec: Check subsubframes +- avcodec/dcadec: Check nchans +- hevc: make avcodec_decode_video2() fail if get_format() fails +- avcodec/cavsdec: Check esc_code +- avcodec/on2avc: Check run more carefully +- avcodec/mpeg4audio: add some padding/alignment to MAX_PCE_SIZE +- swr: fix alignment issue caused by 8ch sse functions +- avcodec/mjpegdec: fix len computation in ff_mjpeg_decode_dqt() +- avcodec/jpeg2000dec: fix boolean operator +- avcodec/hevc_ps: Explicitly check num_tile_* for negative values +- avcodec/hevc_ps: Check vps_num_hrd_parameters +- avcodec/hevc_ps: More completely check vps_num_layer_sets +- avcodec/hevc: Check num_entry_point_offsets +- avcodec/hevc: Check offset_len +- libswscale/x86/hscale_fast_bilinear_simd.c: Include BX in the clobber list on x86_64, because it isn't implicitly included when PIC is on. 
+- avcodec/hevc_sei: Check num_sps_ids_minus1 value +- avcodec/vqavideo: Check chunk size +- aacdec: don't return frames without data +- avformat/hevc: Check num_negative_pics and num_positive_pics +- avformat/hevc: Check cpb_cnt_minus1 +- avformat/matroskadec: Cleanup error handling for bz2 & zlib +- avformat/nutdec: Fix use of uinitialized value +- avformat/rtpenc_jpeg: Check remaining buffer size for SOS +- avformat/rtpdec_xiph: Check upper bound on len in xiph_handle_packet() +- tools/graph2dot: use larger data types than int for array/string sizes +- avformat/matroskaenc: Check ff_vorbiscomment_length in put_flac_codecpriv() +- avformat/oggenc: Check ff_vorbiscomment_length in ogg_write_vorbiscomment() +- avformat/flacenc: Check length in flac_write_block_comment() +- avformat/subtitles: Use size_t for len +- avformat/url: Use size_t for len from strlen() +- avutil/avstring: Use size_t in av_strlcatf() +- avformat/vorbiscomment: Check entry length in ff_vorbiscomment_write() +- avutil/dict: Use size_t for appending strings +- libavutil/mem: use size_t for the length in av_strdup() +- aacsbr: break infinite loop in sbr_hf_calc_npatches +- diracdec: check that block length is valid +- ffmpeg_opt: Set the video VBV parameters only for the video stream from -target +- avcodec/bitstream: Assert that there is enough space left in avpriv_copy_bits() +- avcodec/put_bits: Assert that there is enough space left in skip_put_bytes() +- avcodec/mpegvideo_enc: Update the buffer size as more slices are merged +- avcodec/put_bits: Update size_in_bits in set_put_bits_buffer_size() +- avformat/wavdec: Increase dts packet threshold to fix more misdetections +- avformat/wavdec: Increase probe_packets limit +- nutdec: abort if EOF is reached in decode_info_header/read_sm_data +- nutdec: stop skipping bytes at EOF +- nutdec: fix infinite resync loops +- avformat/nutdec: Check X in 2nd branch of index reading +- avformat/nutdec: Fix recovery when immedeately after seeking a failure 
happens +- avformat/nutdec: Return error on EOF from get_str() +- avcodec/x86/cavsdsp: remove unneeded tmp +- nutdec: fix memleaks on error in nut_read_header +- avformat/avidec: print a warning for negative sample_size +- avidec: avoid infinite loop due to negative ast->sample_size +- nutdec: check chapter creation in decode_info_header +- apedec: prevent out of array writes in decode_array_0000 +- avformat/mpegts: Detect changes in packet through CRC instead of just the 5bit version +- avformat/mpegts: reset last_ver on corrupted packets +- avformat/mpegts: Factorize version checking code out +- avformat/mpegts: Also parse the FMC descriptor if the codec has not been identified yet +- avformat/mpegts: reset last_version on seeking +- avformat/mp3dec: Check for avcodec_alloc_context3() failure +- avformat/mp3dec: properly allocate dummy AVCodecContext +- lavfi/fade: Do not overread input buffer. +- tests: drop bc dependency +- alsdec: limit avctx->bits_per_raw_sample to 32 + + version 2.4.9: - alac: reject rice_limit 0 if compression is used - lavf: Reset global flag on deinit diff --git a/RELEASE b/RELEASE index 3f5987a5cb..b0f6bf0cd2 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.9 +2.4.10 diff --git a/doc/Doxyfile b/doc/Doxyfile index af2b79faec..2b998d7ccc 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.9 +PROJECT_NUMBER = 2.4.10 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From bf6ba4a0328167802236e5e4727342a0c2f225f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jun 2015 00:48:29 +0200 Subject: [PATCH 0620/1352] swresample: Check the return value of resampler->init() 
Signed-off-by: Michael Niedermayer (cherry picked from commit 02915602d9313aa4b108342a3081244b9d2422bf) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 9dd8135d8c..ba0ef49d11 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -255,6 +255,10 @@ av_cold int swr_init(struct SwrContext *s){ if (s->out_sample_rate!=s->in_sample_rate || (s->flags & SWR_FLAG_RESAMPLE)){ s->resample = s->resampler->init(s->resample, s->out_sample_rate, s->in_sample_rate, s->filter_size, s->phase_shift, s->linear_interp, s->cutoff, s->int_sample_fmt, s->filter_type, s->kaiser_beta, s->precision, s->cheby); + if (!s->resample) { + av_log(s, AV_LOG_ERROR, "Failed to initilaize resampler\n"); + return AVERROR(ENOMEM); + } }else s->resampler->free(&s->resample); if( s->int_sample_fmt != AV_SAMPLE_FMT_S16P From 1047c286fa20c79dde8ddd7577a3b87cc1effdb7 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 1 Jun 2015 00:51:30 +0200 Subject: [PATCH 0621/1352] libopenjpegenc: add NULL check for img before accessing it If opj_image_create fails to allocate an image it returns NULL, which causes a segmentation fault at 'img->x0 = 0'. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1577526b47439f33a999339efdec5d624b70e1da) Signed-off-by: Michael Niedermayer --- libavcodec/libopenjpegenc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/libopenjpegenc.c b/libavcodec/libopenjpegenc.c index 66633f4ad2..458cf7c2c1 100644 --- a/libavcodec/libopenjpegenc.c +++ b/libavcodec/libopenjpegenc.c @@ -164,6 +164,9 @@ static opj_image_t *mj2_create_image(AVCodecContext *avctx, opj_cparameters_t *p img = opj_image_create(numcomps, cmptparm, color_space); + if (!img) + return NULL; + // x0, y0 is the top left corner of the image // x1, y1 is the width, height of the reference grid img->x0 = 0; 
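Review bot: The added log string in swr_init is misspelled: `"Failed to initilaize resampler\n"` should read `"Failed to initialize resampler\n"`, which matters to anyone searching logs for it. The early `return AVERROR(ENOMEM);` also leaves in place whatever swr_init set up before this point, and it assumes allocation failure is the only reason init() returns NULL. Neither can be confirmed from the hunk, since swr_init starts and ends outside it.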
From 65d61a4bbbb95ca91019e9cb0e1cd3291538e0fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 May 2015 04:31:30 +0200 Subject: [PATCH 0622/1352] avfilter/x86/vf_hqdn3d: Fix register types Fixes Ticket4301 Signed-off-by: Michael Niedermayer (cherry picked from commit 52fc3e372f8ed4de5735abed1f7f7569fe37b023) --- libavfilter/x86/vf_hqdn3d.asm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/x86/vf_hqdn3d.asm b/libavfilter/x86/vf_hqdn3d.asm index 961127e670..e3b1bdca53 100644 --- a/libavfilter/x86/vf_hqdn3d.asm +++ b/libavfilter/x86/vf_hqdn3d.asm @@ -27,8 +27,8 @@ SECTION .text %if lut_bits != 8 sar %1q, 8-lut_bits %endif - movsx %1d, word [%3q+%1q*2] - add %1d, %2d + movsx %1q, word [%3q+%1q*2] + add %1q, %2q %endmacro %macro LOAD 3 ; dstreg, x, bitdepth From 57d094e3e399c317df082562f57c6369fc60b3f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 May 2015 01:26:55 +0200 Subject: [PATCH 0623/1352] avformat/mov: Mark avio context of decompressed atoms as seekable Fixes Ticket4329 Signed-off-by: Michael Niedermayer (cherry picked from commit 8ce564ea280b61d21eebf8a2fd741f792ce81638) --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index aacb6b3ac7..7fafd5a1c5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2987,6 +2987,7 @@ static int mov_read_cmov(MOVContext *c, AVIOContext *pb, MOVAtom atom) goto free_and_return; if (ffio_init_context(&ctx, moov_data, moov_len, 0, NULL, NULL, NULL, NULL) != 0) goto free_and_return; + ctx.seekable = AVIO_SEEKABLE_NORMAL; atom.type = MKTAG('m','o','o','v'); atom.size = moov_len; ret = mov_read_default(c, &ctx, atom); From bd28de1b4df5022a88ac0df95c241145d4bb3292 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jun 2015 18:03:21 +0200 Subject: [PATCH 0624/1352] avcodec/hevc_ps: Only discard overread VPS if a previous is available Fixes Ticket4621 
Signed-off-by: Michael Niedermayer (cherry picked from commit 57078e4d255a06246fef27846073f5ffb312b5dc) --- libavcodec/hevc_ps.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 8d80e19692..5f5bad224f 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -461,7 +461,8 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) if (get_bits_left(gb) < 0) { av_log(s->avctx, AV_LOG_ERROR, "Overread VPS by %d bits\n", -get_bits_left(gb)); - goto err; + if (s->vps_list[vps_id]) + goto err; } av_buffer_unref(&s->vps_list[vps_id]); From ff02eeafd8b36d15a4b1331a41899a17cc5f94e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2015 05:11:09 +0200 Subject: [PATCH 0625/1352] avcodec/x86/h264_weight: handle weight1=128 Fix ticket4596 Signed-off-by: Michael Niedermayer (cherry picked from commit e1009665759d4a3938dd2dd07b7e84d8bc9c5290) --- libavcodec/x86/h264_weight.asm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/x86/h264_weight.asm b/libavcodec/x86/h264_weight.asm index b4fb9db309..1e1219ddde 100644 --- a/libavcodec/x86/h264_weight.asm +++ b/libavcodec/x86/h264_weight.asm @@ -135,8 +135,11 @@ WEIGHT_FUNC_HALF_MM 8, 8 add off_regd, 1 or off_regd, 1 add r4, 1 + cmp r6d, 128 + je .nonnormal cmp r5, 128 jne .normal +.nonnormal sar r5, 1 sar r6, 1 sar off_regd, 1 From 1a4cb3b29cdaa30b19a95e776fdd668dc0b66664 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 6 Jun 2015 15:56:06 +0000 Subject: [PATCH 0626/1352] avcodec/exr: fix crash caused by merge Various header informations need to be reset when decoding next frame. Regression since: 95582b5c Fixes ticket #4597. Signed-off-by: Paul B Mahol (cherry picked from commit a03b69478b7f1c0c31e53acb0cf392917c0f967a) --- libavcodec/exr.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 62e8521adc..ff2d7b062c 100644 --- a/libavcodec/exr.c 
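Review bot: When no earlier VPS exists for `vps_id`, the overread branch in ff_hevc_decode_nal_vps now falls through, and a VPS whose fields were read past the end of the NAL is stored in `s->vps_list[vps_id]`. The message is still emitted at AV_LOG_ERROR although decoding continues, and nothing records why the tolerant path is acceptable. I would add a comment above the inner test, `/* keep a truncated VPS only when there is nothing better to fall back on */`, and use AV_LOG_WARNING on the path that does not jump to `err`. Every field parsed before this point has to be range-checked already for this to be safe; those checks are outside the hunk.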
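Review bot: The new label is written as `.nonnormal` with no trailing colon. NASM-family assemblers accept that but can warn about a label alone on a line, and a mistyped instruction name would be taken as a label in the same way; `.nonnormal:` removes the ambiguity. The two comparisons also use different operand forms, `cmp r6d, 128` against `cmp r5, 128`. If both weights are 32-bit values that is worth making consistent, though the register setup is outside the hunk.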
+++ b/libavcodec/exr.c @@ -1011,6 +1011,22 @@ static int decode_header(EXRContext *s) int current_channel_offset = 0; int magic_number, version, flags, i; + s->xmin = ~0; + s->xmax = ~0; + s->ymin = ~0; + s->ymax = ~0; + s->xdelta = ~0; + s->ydelta = ~0; + s->channel_offsets[0] = -1; + s->channel_offsets[1] = -1; + s->channel_offsets[2] = -1; + s->channel_offsets[3] = -1; + s->pixel_type = EXR_UNKNOWN; + s->compression = EXR_UNKN; + s->nb_channels = 0; + s->w = 0; + s->h = 0; + if (bytestream2_get_bytes_left(&s->gb) < 10) { av_log(s->avctx, AV_LOG_ERROR, "Header too short to parse.\n"); return AVERROR_INVALIDDATA; @@ -1351,21 +1367,6 @@ static av_cold int decode_init(AVCodecContext *avctx) float one_gamma = 1.0f / s->gamma; s->avctx = avctx; - s->xmin = ~0; - s->xmax = ~0; - s->ymin = ~0; - s->ymax = ~0; - s->xdelta = ~0; - s->ydelta = ~0; - s->channel_offsets[0] = -1; - s->channel_offsets[1] = -1; - s->channel_offsets[2] = -1; - s->channel_offsets[3] = -1; - s->pixel_type = EXR_UNKNOWN; - s->compression = EXR_UNKN; - s->nb_channels = 0; - s->w = 0; - s->h = 0; if ( one_gamma > 0.9999f && one_gamma < 1.0001f ) { for ( i = 0; i < 65536; ++i ) { From d9655621b3dc24ce04523f37ca6ab14b31f17245 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jul 2015 02:43:02 +0200 Subject: [PATCH 0627/1352] avformat/swfdec: Do not error out on pixel format changes Instead print an error and continue Fixes Ticket4702 Signed-off-by: Michael Niedermayer (cherry picked from commit 6a1204a1a46674084b1e6b92562f81aaab7aac69) --- libavformat/swfdec.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index 528bc236f2..b2c652eb9c 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c 
@@ -390,10 +390,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt) } if (st->codec->pix_fmt != AV_PIX_FMT_NONE && st->codec->pix_fmt != pix_fmt) { av_log(s, AV_LOG_ERROR, "pixel format change unsupported\n"); - res = AVERROR_PATCHWELCOME; - goto bitmap_end; - } - st->codec->pix_fmt = pix_fmt; + }else + st->codec->pix_fmt = pix_fmt; if (linesize * height > pkt->size) { res = AVERROR_INVALIDDATA; From 02477323b92aacdabe0a2d129eeb0c15fbd1ec9e Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 8 Jun 2015 14:45:12 +0200 Subject: [PATCH 0628/1352] aac_parser: add required padding for GetBitContext buffer Fixes stack buffer overflow errors detected by address sanitizer in various fate tests. CC: libav-stable@libav.org --- libavcodec/aac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aac_parser.c b/libavcodec/aac_parser.c index fdaa5f8144..acb05d4de1 100644 --- a/libavcodec/aac_parser.c +++ b/libavcodec/aac_parser.c @@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info, int size; union { uint64_t u64; - uint8_t u8[8]; + uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE]; } tmp; tmp.u64 = av_be2ne64(state); From a9f108bd78e842a47ade2f7c8b22a1764d01d4e6 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 8 Jun 2015 14:48:26 +0200 Subject: [PATCH 0629/1352] ac3_parser: add required padding for GetBitContext buffer Fixes stack buffer overflow errors detected by address sanitizer in various fate tests. CC: libav-stable@libav.org --- libavcodec/ac3_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index 5ea09f8fcd..69d88c1a76 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c 
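Review bot: After this change a bitmap whose format differs from `st->codec->pix_fmt` is no longer rejected in swf_read_packet; only the assignment is skipped, so the packet built below carries data laid out for the new `pix_fmt` while the stream still advertises the old one. A consumer that sizes its reads from the advertised format could misinterpret the payload. Skipping the tag without failing the demuxer (if `bitmap_end` can be reached with `res` left at success) would keep the no-error behaviour without emitting a mismatched packet. The context check `linesize * height > pkt->size` is also an unguarded multiplication of values that appear to come from the file; their types and earlier bounds are outside the hunk.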
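Review bot: Enlarging `u8` in aac_sync gives the bit reader room to over-read, but the extra FF_INPUT_BUFFER_PADDING_SIZE bytes are never written: `tmp.u64 = av_be2ne64(state);` fills only the first eight bytes, so any read into the padding sees indeterminate stack contents. Zeroing it makes parsing deterministic, e.g. `memset(tmp.u8 + 8, 0, FF_INPUT_BUFFER_PADDING_SIZE);` after the assignment. The ac3_parser.c hunk in the next patch initialises the union through `u64` only (`tmp = { av_be2ne64(state) }`). The enlarged `buf16` in the imc.c hunk may have the same gap if only IMC_BLOCK_SIZE bytes are filled; that code is not visible here.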
@@ -150,7 +150,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info, int err; union { uint64_t u64; - uint8_t u8[8]; + uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE]; } tmp = { av_be2ne64(state) }; AC3HeaderInfo hdr; GetBitContext gbc; From aa3ec219e1a5cc0e96ddec6ea83312ec780448f5 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 8 Jun 2015 14:48:54 +0200 Subject: [PATCH 0630/1352] imc: add required padding for GetBitContext buffer Fixes stack buffer overflow errors detected by address sanitizer in fate-imc. CC: libav-stable@libav.org --- libavcodec/imc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index 500f56408d..26fbcd4195 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -997,7 +997,7 @@ static int imc_decode_frame(AVCodecContext *avctx, void *data, IMCContext *q = avctx->priv_data; - LOCAL_ALIGNED_16(uint16_t, buf16, [IMC_BLOCK_SIZE / 2]); + LOCAL_ALIGNED_16(uint16_t, buf16, [(IMC_BLOCK_SIZE + FF_INPUT_BUFFER_PADDING_SIZE) / 2]); if (buf_size < IMC_BLOCK_SIZE * avctx->channels) { av_log(avctx, AV_LOG_ERROR, "frame too small!\n"); From 859ce02c9815b492da627d3098548b4f69bbc80e Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 26 Jun 2015 15:57:16 +0200 Subject: [PATCH 0631/1352] h263: Always check both dimensions CC: libav-stable@libav.org Found-By: ago@gentoo.org --- libavcodec/ituh263dec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index dc3de30bb0..dd705c70d7 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -30,6 +30,7 @@ #include #include "libavutil/attributes.h" +#include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/mathematics.h" #include "avcodec.h" 
@@ -866,7 +867,7 @@ end: /* most is hardcoded. should extend to handle all h263 streams */ int ff_h263_decode_picture_header(MpegEncContext *s) { - int format, width, height, i; + int format, width, height, i, ret; uint32_t startcode; align_get_bits(&s->gb); @@ -917,8 +918,6 @@ int ff_h263_decode_picture_header(MpegEncContext *s) /* H.263v1 */ width = ff_h263_format[format][0]; height = ff_h263_format[format][1]; - if (!width) - return -1; s->pict_type = AV_PICTURE_TYPE_I + get_bits1(&s->gb); @@ -1071,6 +1070,9 @@ int ff_h263_decode_picture_header(MpegEncContext *s) s->qscale = get_bits(&s->gb, 5); } + if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0) + return ret; + s->mb_width = (s->width + 15) / 16; s->mb_height = (s->height + 15) / 16; s->mb_num = s->mb_width * s->mb_height; From dfc147d24feb2c4269748feb36bfbdda68aca773 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jul 2015 15:54:38 +0200 Subject: [PATCH 0632/1352] MAINTAINERS: Remove myself as leader Signed-off-by: Michael Niedermayer (cherry picked from commit f2c58931e629343f7d68258cc2b2d62c5f501ba5) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 - 1 file changed, 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 062ff39088..e558f28161 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -14,7 +14,6 @@ patches and related discussions. Project Leader ============== -Michael Niedermayer final design decisions From c49b88b93bca53c04f18d78c27dbf1dc6daea909 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 27 Jul 2015 11:13:53 +0200 Subject: [PATCH 0633/1352] opusdec: properly handle mismatching configurations in multichannel streams The substreams can have different resampling delays, so an additional level of buffering is needed to synchronize them. Bug-Id: 876 --- libavcodec/opus.h | 10 +++++ libavcodec/opusdec.c | 103 +++++++++++++++++++++++++++++++++++++------ 2 files changed, 99 insertions(+), 14 deletions(-) 
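Review bot: With `if (!width) return -1;` removed from the H.263v1 branch of ff_h263_decode_picture_header, a format whose table width is 0 now continues through the rest of the header and is only rejected by `av_image_check_size(s->width, s->height, 0, s)` about 150 lines later. Most of the code between the second and third hunk is not shown, so it is worth confirming that nothing there divides by or indexes with the dimensions before the check. A short comment at the new call, `/* single check for every path that sets s->width / s->height */`, would record why the early test could go.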
diff --git a/libavcodec/opus.h b/libavcodec/opus.h index c2fac063bc..accb998943 100644 --- a/libavcodec/opus.h +++ b/libavcodec/opus.h @@ -164,6 +164,16 @@ typedef struct ChannelMap { typedef struct OpusContext { OpusStreamContext *streams; + + /* current output buffers for each streams */ + float **out; + int *out_size; + /* Buffers for synchronizing the streams when they have different + * resampling delays */ + AVAudioFifo **sync_buffers; + /* number of decoded samples for each stream */ + int *decoded_samples; + int nb_streams; int nb_stereo_streams; diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index 771922e973..80a80b4e52 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -367,12 +367,17 @@ static int opus_decode_frame(OpusStreamContext *s, const uint8_t *data, int size static int opus_decode_subpacket(OpusStreamContext *s, const uint8_t *buf, int buf_size, + float **out, int out_size, int nb_samples) { int output_samples = 0; int flush_needed = 0; int i, j, ret; + s->out[0] = out[0]; + s->out[1] = out[1]; + s->out_size = out_size; + /* check if we need to flush the resampler */ if (avresample_is_open(s->avr)) { if (buf) { @@ -450,9 +455,16 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; int coded_samples = 0; - int decoded_samples = 0; + int decoded_samples = INT_MAX; + int delayed_samples = 0; int i, ret; + /* calculate the number of delayed samples */ + for (i = 0; i < c->nb_streams; i++) { + delayed_samples = FFMAX(delayed_samples, + c->streams[i].delayed_samples + av_audio_fifo_size(c->sync_buffers[i])); + } + /* decode the header of the first sub-packet to find out the sample count */ if (buf) { OpusPacket *pkt = &c->streams[0].packet; 
@@ -465,7 +477,7 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, c->streams[0].silk_samplerate = get_silk_samplerate(pkt->config); } - frame->nb_samples = coded_samples + c->streams[0].delayed_samples; + frame->nb_samples = coded_samples + delayed_samples; /* no input or buffered data => nothing to do */ if (!frame->nb_samples) { @@ -481,14 +493,43 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, } frame->nb_samples = 0; + memset(c->out, 0, c->nb_streams * 2 * sizeof(*c->out)); for (i = 0; i < avctx->channels; i++) { ChannelMap *map = &c->channel_maps[i]; if (!map->copy) - c->streams[map->stream_idx].out[map->channel_idx] = (float*)frame->extended_data[i]; + c->out[2 * map->stream_idx + map->channel_idx] = (float*)frame->extended_data[i]; } - for (i = 0; i < c->nb_streams; i++) - c->streams[i].out_size = frame->linesize[0]; + /* read the data from the sync buffers */ + for (i = 0; i < c->nb_streams; i++) { + float **out = c->out + 2 * i; + int sync_size = av_audio_fifo_size(c->sync_buffers[i]); + + float sync_dummy[32]; + int out_dummy = (!out[0]) | ((!out[1]) << 1); + + if (!out[0]) + out[0] = sync_dummy; + if (!out[1]) + out[1] = sync_dummy; + if (out_dummy && sync_size > FF_ARRAY_ELEMS(sync_dummy)) + return AVERROR_BUG; + + ret = av_audio_fifo_read(c->sync_buffers[i], (void**)out, sync_size); + if (ret < 0) + return ret; + + if (out_dummy & 1) + out[0] = NULL; + else + out[0] += ret; + if (out_dummy & 2) + out[1] = NULL; + else + out[1] += ret; + + c->out_size[i] = frame->linesize[0] - ret * sizeof(float); + } /* decode each sub-packet */ for (i = 0; i < c->nb_streams; i++) { 
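Review bot: `float sync_dummy[32]` in opus_decode_packet is tied by a bare literal to the `32` passed to av_audio_fifo_alloc() in the opus_decode_init hunk, and the `sync_size > FF_ARRAY_ELEMS(sync_dummy)` test returns AVERROR_BUG when the two disagree. A shared named constant used in both places would make that dependency explicit. If the FIFO can grow beyond its initial size on write, the AVERROR_BUG path becomes reachable from stream contents rather than from a programming error, and draining in chunks of the dummy size would be the safer form. The function continues outside the hunk.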
@@ -509,20 +550,31 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, s->silk_samplerate = get_silk_samplerate(s->packet.config); } - ret = opus_decode_subpacket(&c->streams[i], buf, - s->packet.data_size, coded_samples); + ret = opus_decode_subpacket(&c->streams[i], buf, s->packet.data_size, + c->out + 2 * i, c->out_size[i], coded_samples); if (ret < 0) return ret; - if (decoded_samples && ret != decoded_samples) { - av_log(avctx, AV_LOG_ERROR, "Different numbers of decoded samples " - "in a multi-channel stream\n"); - return AVERROR_INVALIDDATA; - } - decoded_samples = ret; + c->decoded_samples[i] = ret; + decoded_samples = FFMIN(decoded_samples, ret); + buf += s->packet.packet_size; buf_size -= s->packet.packet_size; } + /* buffer the extra samples */ + for (i = 0; i < c->nb_streams; i++) { + int buffer_samples = c->decoded_samples[i] - decoded_samples; + if (buffer_samples) { + float *buf[2] = { c->out[2 * i + 0] ? c->out[2 * i + 0] : (float*)frame->extended_data[0], + c->out[2 * i + 1] ? c->out[2 * i + 1] : (float*)frame->extended_data[0] }; + buf[0] += buffer_samples; + buf[1] += buffer_samples; + ret = av_audio_fifo_write(c->sync_buffers[i], (void**)buf, buffer_samples); + if (ret < 0) + return ret; + } + } + for (i = 0; i < avctx->channels; i++) { ChannelMap *map = &c->channel_maps[i]; @@ -563,6 +615,8 @@ static av_cold void opus_decode_flush(AVCodecContext *ctx) av_audio_fifo_drain(s->celt_delay, av_audio_fifo_size(s->celt_delay)); avresample_close(s->avr); + av_audio_fifo_drain(c->sync_buffers[i], av_audio_fifo_size(c->sync_buffers[i])); + ff_silk_flush(s->silk); ff_celt_flush(s->celt); } 
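Review bot: In the "buffer the extra samples" loop the source pointers are advanced by the wrong count: `buf[0] += buffer_samples; buf[1] += buffer_samples;` skips `buffer_samples` samples, but the surplus of stream i begins after the `decoded_samples` samples that go out in this frame. As written the FIFO receives samples from the wrong offset, and once `buffer_samples` is more than half of `c->decoded_samples[i]` the write reads beyond what that stream decoded. The two lines should be `buf[0] += decoded_samples; buf[1] += decoded_samples;`.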
@@ -587,6 +641,16 @@ static av_cold int opus_decode_close(AVCodecContext *avctx) } av_freep(&c->streams); + + if (c->sync_buffers) { + for (i = 0; i < c->nb_streams; i++) + av_audio_fifo_free(c->sync_buffers[i]); + } + av_freep(&c->sync_buffers); + av_freep(&c->decoded_samples); + av_freep(&c->out); + av_freep(&c->out_size); + c->nb_streams = 0; av_freep(&c->channel_maps); @@ -611,7 +675,11 @@ static av_cold int opus_decode_init(AVCodecContext *avctx) /* allocate and init each independent decoder */ c->streams = av_mallocz_array(c->nb_streams, sizeof(*c->streams)); - if (!c->streams) { + c->out = av_mallocz_array(c->nb_streams, 2 * sizeof(*c->out)); + c->out_size = av_mallocz_array(c->nb_streams, sizeof(*c->out_size)); + c->sync_buffers = av_mallocz_array(c->nb_streams, sizeof(*c->sync_buffers)); + c->decoded_samples = av_mallocz_array(c->nb_streams, sizeof(*c->decoded_samples)); + if (!c->streams || !c->sync_buffers || !c->decoded_samples || !c->out || !c->out_size) { c->nb_streams = 0; ret = AVERROR(ENOMEM); goto fail; @@ -658,6 +726,13 @@ static av_cold int opus_decode_init(AVCodecContext *avctx) ret = AVERROR(ENOMEM); goto fail; } + + c->sync_buffers[i] = av_audio_fifo_alloc(avctx->sample_fmt, + s->output_channels, 32); + if (!c->sync_buffers[i]) { + ret = AVERROR(ENOMEM); + goto fail; + } } return 0; From 35ab85884b66c04ca7b9758effab7ec6e3bd3016 Mon Sep 17 00:00:00 2001 From: Ganesh Ajjanagadde Date: Tue, 2 Jun 2015 23:17:48 -0400 Subject: [PATCH 0634/1352] swresample/dither: check memory allocation check memory allocation in swri_get_dither() Signed-off-by: Michael Niedermayer (cherry picked from commit 196b885a5f0aa3ca022c1fa99509f47341239784) Signed-off-by: Michael Niedermayer --- libswresample/dither.c | 6 +++++- libswresample/swresample.c | 3 ++- libswresample/swresample_internal.h | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/libswresample/dither.c b/libswresample/dither.c index 8121f11c2f..23e7e12ede 100644 
--- a/libswresample/dither.c +++ b/libswresample/dither.c @@ -23,12 +23,15 @@ #include "noise_shaping_data.c" -void swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt) { +int swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt) { double scale = s->dither.noise_scale; #define TMP_EXTRA 2 double *tmp = av_malloc_array(len + TMP_EXTRA, sizeof(double)); int i; + if (!tmp) + return AVERROR(ENOMEM); + for(i=0; idither.noise.ch_count; ch++) - swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, 12345678913579<dither.noise.fmt); + if((ret=swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, 12345678913579<dither.noise.fmt))<0) + return ret; av_assert0(s->dither.noise.ch_count == preout->ch_count); if(s->dither.noise_pos + out_count > s->dither.noise.count) diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index 1bc6837926..fcc63a676c 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -191,7 +191,7 @@ void swri_rematrix_free(SwrContext *s); int swri_rematrix(SwrContext *s, AudioData *out, AudioData *in, int len, int mustcopy); void swri_rematrix_init_x86(struct SwrContext *s); -void swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt); +int swri_get_dither(SwrContext *s, void *dst, int len, unsigned seed, enum AVSampleFormat noise_fmt); int swri_dither_init(SwrContext *s, enum AVSampleFormat out_fmt, enum AVSampleFormat in_fmt); void swri_audio_convert_init_aarch64(struct AudioConvert *ac, From 39430866566a087919a31641fa24ecfdd4d7719a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jun 2015 21:35:02 +0200 Subject: [PATCH 0635/1352] avformat/mxfenc: Accept MXF D-10 with 49.999840 Mbit/sec This is the maximum rate possible based on the frame size limit of MXF D-10 Previous version reviewed by tim nicholson 
Signed-off-by: Michael Niedermayer (cherry picked from commit d7a762553c6f6c422adb6632354bcc4ff577b701) Signed-off-by: Michael Niedermayer --- libavformat/mxfenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 6a6b7c2079..3c0283b502 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1730,9 +1730,10 @@ static int mxf_write_header(AVFormatContext *s) return ret; sc->video_bit_rate = st->codec->bit_rate ? st->codec->bit_rate : st->codec->rc_max_rate; if (s->oformat == &ff_mxf_d10_muxer) { - if (sc->video_bit_rate == 50000000) { - if (mxf->time_base.den == 25) sc->index = 3; - else sc->index = 5; + if ((sc->video_bit_rate == 50000000) && (mxf->time_base.den == 25)) { + sc->index = 3; + } else if ((sc->video_bit_rate == 49999840 || sc->video_bit_rate == 50000000) && (mxf->time_base.den != 25)) { + sc->index = 5; } else if (sc->video_bit_rate == 40000000) { if (mxf->time_base.den == 25) sc->index = 7; else sc->index = 9; From 8498cf60b209f3038efb8cd88bc6fdfd74bd1666 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jun 2015 22:39:27 +0200 Subject: [PATCH 0636/1352] Revert "avformat/rtpenc: check av_packet_get_side_data() return, fix null ptr dereference" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was simply wrong Found-by: Martin Storsjö This reverts commit 5d8e4f6da03c0342157e6ac7fab1a8ac3a87a8b0. (cherry picked from commit 3e34b7498f14c04baadde1700a6f73a7e9e86fa6) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/libavformat/rtpenc.c b/libavformat/rtpenc.c index 9c587d2dc5..8c5ce9763e 100644 --- a/libavformat/rtpenc.c +++ b/libavformat/rtpenc.c 
@@ -566,10 +566,6 @@ static int rtp_write_packet(AVFormatContext *s1, AVPacket *pkt) const uint8_t *mb_info = av_packet_get_side_data(pkt, AV_PKT_DATA_H263_MB_INFO, &mb_info_size); - if (!mb_info) { - av_log(s1, AV_LOG_ERROR, "failed to allocate side data\n"); - return AVERROR(ENOMEM); - } ff_rtp_send_h263_rfc2190(s1, pkt->data, size, mb_info, mb_info_size); break; } From df2258f18d1819719f6085427d4fee37a1bf5334 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jun 2015 03:47:55 +0200 Subject: [PATCH 0637/1352] swresample/swresample: Cleanup on init failure. This avoids leaks if the user doest call swr_close() after a failed init Found-by: James Almer Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit c3f87f7545d42520921bc448b9fbd7324c574e49) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 01bf8dbaee..7aa080472c 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -267,7 +267,8 @@ av_cold int swr_init(struct SwrContext *s){ && s->int_sample_fmt != AV_SAMPLE_FMT_DBLP && s->resample){ av_log(s, AV_LOG_ERROR, "Resampling only supported with internal s16/s32/flt/dbl\n"); - return -1; + ret = AVERROR(EINVAL); + goto fail; } #define RSC 1 //FIXME finetune 
@@ -281,24 +282,28 @@ av_cold int swr_init(struct SwrContext *s){ if(!s-> in.ch_count){ av_assert0(!s->in_ch_layout); av_log(s, AV_LOG_ERROR, "Input channel count and layout are unset\n"); - return -1; + ret = AVERROR(EINVAL); + goto fail; } av_get_channel_layout_string(l1, sizeof(l1), s-> in.ch_count, s-> in_ch_layout); av_get_channel_layout_string(l2, sizeof(l2), s->out.ch_count, s->out_ch_layout); if (s->out_ch_layout && s->out.ch_count != av_get_channel_layout_nb_channels(s->out_ch_layout)) { av_log(s, AV_LOG_ERROR, "Output channel layout %s mismatches specified channel count %d\n", l2, s->out.ch_count); - return AVERROR(EINVAL); + ret = AVERROR(EINVAL); + goto fail; } if (s->in_ch_layout && s->used_ch_count != av_get_channel_layout_nb_channels(s->in_ch_layout)) { av_log(s, AV_LOG_ERROR, "Input channel layout %s mismatches specified channel count %d\n", l1, s->used_ch_count); - return AVERROR(EINVAL); + ret = AVERROR(EINVAL); + goto fail; } if ((!s->out_ch_layout || !s->in_ch_layout) && s->used_ch_count != s->out.ch_count && !s->rematrix_custom) { av_log(s, AV_LOG_ERROR, "Rematrix is needed between %s and %s " "but there is not enough information to do it\n", l1, l2); - return -1; + ret = AVERROR(EINVAL); + goto fail; } av_assert0(s->used_ch_count); @@ -320,8 +325,10 @@ av_assert0(s->out.ch_count); s->out_convert= swri_audio_convert_alloc(s->out_sample_fmt, s->int_sample_fmt, s->out.ch_count, NULL, 0); - if (!s->in_convert || !s->out_convert) - return AVERROR(ENOMEM); + if (!s->in_convert || !s->out_convert) { + ret = AVERROR(ENOMEM); + goto fail; + } s->postin= s->in; s->preout= s->out; 
@@ -348,12 +355,19 @@ av_assert0(s->out.ch_count); } if ((ret = swri_dither_init(s, s->out_sample_fmt, s->int_sample_fmt)) < 0) - return ret; + goto fail; - if(s->rematrix || s->dither.method) - return swri_rematrix_init(s); + if(s->rematrix || s->dither.method) { + ret = swri_rematrix_init(s); + if (ret < 0) + goto fail; + } return 0; +fail: + swr_close(s); + return ret; + } int swri_realloc_audio(AudioData *a, int count){ From 0081afeaa7413333a512950cb2f61105405f0bf6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jun 2015 22:47:24 +0200 Subject: [PATCH 0638/1352] avcodec/atrac3plusdec: consume only as many bytes as available Signed-off-by: Michael Niedermayer (cherry picked from commit 6b6ae7c3ead5dee786a4aea929820076a7c82da4) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3plusdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3plusdec.c b/libavcodec/atrac3plusdec.c index 3a6b3cfa2e..b18592da0a 100644 --- a/libavcodec/atrac3plusdec.c +++ b/libavcodec/atrac3plusdec.c @@ -381,7 +381,7 @@ static int atrac3p_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; - return avctx->block_align; + return FFMIN(avctx->block_align, avpkt->size); } AVCodec ff_atrac3p_decoder = { From 4121c1db15e121d85a9ed44372948701bbcea78a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jun 2015 22:59:34 +0200 Subject: [PATCH 0639/1352] avcodec/alsdec: Check for overread Signed-off-by: Michael Niedermayer (cherry picked from commit c2657633187e325a439e3297fd9ccd0522ab2e39) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 7a13a4c393..1855f53921 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c 
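Review bot: The new `fail:` path in swr_init() closes the context with `swr_close(s)`, and the same patch turns several `return -1;` into `AVERROR(EINVAL)` (hunks at -267 and -281), but neither caller-visible change is documented anywhere in the patch. I would add a comment above the label, `/* free everything allocated so far; callers need not call swr_close() after a failed init */`, and state the close-on-failure behaviour and the AVERROR return codes in the public documentation of swr_init(). The function starts before this hunk, so whether any earlier `return` still bypasses `fail:` cannot be checked from here.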
@@ -1493,6 +1493,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) // TODO: read_diff_float_data + if (get_bits_left(gb) < 0) { + av_log(ctx->avctx, AV_LOG_ERROR, "Overread %d\n", -get_bits_left(gb)); + return AVERROR_INVALIDDATA; + } + return 0; } From 5709ac5c42a7d566d9373e7084be04d4962338b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jun 2015 22:34:12 +0200 Subject: [PATCH 0640/1352] avcodec/adpcm: Check for overreads See: vlc ticket 14649 Reported-by: carl Signed-off-by: Michael Niedermayer (cherry picked from commit 3c803ed9cb23e5a8d76b6c31d8a8c71cac27e769) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 2f95a6ff45..f7ca208993 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -574,6 +574,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, case AV_CODEC_ID_ADPCM_IMA_DK4: if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); + if (buf_size < 4 * ch) + return AVERROR_INVALIDDATA; nb_samples = 1 + (buf_size - 4 * ch) * 2 / ch; break; case AV_CODEC_ID_ADPCM_IMA_RAD: @@ -587,13 +589,15 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, int bsamples = ff_adpcm_ima_block_samples[avctx->bits_per_coded_sample - 2]; if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); + if (buf_size < 4 * ch) + return AVERROR_INVALIDDATA; nb_samples = 1 + (buf_size - 4 * ch) / (bsize * ch) * bsamples; break; } case AV_CODEC_ID_ADPCM_MS: if (avctx->block_align > 0) buf_size = FFMIN(buf_size, avctx->block_align); - nb_samples = 2 + (buf_size - 7 * ch) * 2 / ch; + nb_samples = (buf_size - 6 * ch) * 2 / ch; break; case AV_CODEC_ID_ADPCM_SBPRO_2: case AV_CODEC_ID_ADPCM_SBPRO_3: 
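Review bot: The AV_CODEC_ID_ADPCM_MS case in get_nb_samples() gets a new formula, `nb_samples = (buf_size - 6 * ch) * 2 / ch;`, but not the lower-bound check this patch adds to the two IMA cases above it, so a packet shorter than `6 * ch` bytes produces a negative sample count. Unless the caller is known to reject `nb_samples <= 0` (not visible in this hunk), add `if (buf_size < 6 * ch) return AVERROR_INVALIDDATA;` before the computation so all three cases fail the same way. A short comment saying which block-header bytes the `6 * ch` stands for would let a reader check the arithmetic. get_nb_samples() starts and ends outside the hunk.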
@@ -606,6 +610,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, case AV_CODEC_ID_ADPCM_SBPRO_4: samples_per_byte = 2; break; } if (!s->status[0].step_index) { + if (buf_size < ch) + return AVERROR_INVALIDDATA; nb_samples++; buf_size -= ch; } @@ -1524,6 +1530,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, *got_frame_ptr = 1; + if (avpkt->size < bytestream2_tell(&gb)) { + av_log(avctx, AV_LOG_ERROR, "Overread of %d < %d\n", avpkt->size, bytestream2_tell(&gb)); + return avpkt->size; + } + return bytestream2_tell(&gb); } From 8fc8b3eebe95aa0c810b6ceacf41d54b785d0589 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jun 2015 14:55:10 +0200 Subject: [PATCH 0641/1352] avformat/ffmdec: Check ffio_set_buf_size() return value Signed-off-by: Michael Niedermayer (cherry picked from commit dc55477a64cefebf8dcc611f026be71382814ae2) Signed-off-by: Michael Niedermayer --- libavformat/ffmdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 5c40539c83..2753f2c2d3 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -95,7 +95,9 @@ static int ffm_read_data(AVFormatContext *s, retry_read: if (pb->buffer_size != ffm->packet_size) { int64_t tell = avio_tell(pb); - ffio_set_buf_size(pb, ffm->packet_size); + int ret = ffio_set_buf_size(pb, ffm->packet_size); + if (ret < 0) + return ret; avio_seek(pb, tell, SEEK_SET); } id = avio_rb16(pb); /* PACKET_ID */ From 84cf7418618ff452c32d94b678650b5a94658a79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2015 00:37:26 +0200 Subject: [PATCH 0642/1352] avcodec/jpeg2000dec: Check that coords match before applying ICT This avoid potential out of array accesses Signed-off-by: Michael Niedermayer (cherry picked from commit 12ba1b2b4d5592c0e27b0fcc83db929e8d6a8eee) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
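Review bot: The overread check added at the end of adpcm_decode_frame() logs at AV_LOG_ERROR but then returns `avpkt->size`, which is a success value, and `*got_frame_ptr = 1` is already set on the context line above, so a frame decoded from reads past the packet end is still handed to the caller. If keeping the frame is deliberate, say so with a comment such as `/* keep the frame for damaged input, but never report more bytes consumed than the packet holds */`. Otherwise return `AVERROR_INVALIDDATA`, at least when `avctx->err_recognition & AV_EF_EXPLODE` is set. The message text `"Overread of %d < %d\n"` would also read better as packet size versus bytes consumed. The function body starts outside the hunk.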
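Review bot: In ffm_read_data() the result of `ffio_set_buf_size()` is now checked, but the `avio_seek(pb, tell, SEEK_SET)` on the next line is still ignored, so after the buffer has been replaced a failed seek leaves the reader at an unknown position before `avio_rb16(pb)` parses the packet id. I would propagate it the same way: `int64_t pos = avio_seek(pb, tell, SEEK_SET);` followed by `if (pos < 0) return (int)pos;`. The rest of ffm_read_data() is outside the hunk.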
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index eb299c5140..30e069e76f 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1162,11 +1162,16 @@ static void mct_decode(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) int32_t *src[3], i0, i1, i2; float *srcf[3], i0f, i1f, i2f; - for (i = 1; i < 3; i++) + for (i = 1; i < 3; i++) { if (tile->codsty[0].transform != tile->codsty[i].transform) { av_log(s->avctx, AV_LOG_ERROR, "Transforms mismatch, MCT not supported\n"); return; } + if (memcmp(tile->comp[0].coord, tile->comp[i].coord, sizeof(tile->comp[0].coord))) { + av_log(s->avctx, AV_LOG_ERROR, "Coords mismatch, MCT not supported\n"); + return; + } + } for (i = 0; i < 3; i++) if (tile->codsty[0].transform == FF_DWT97) From d7682421528f76cd0b64fbe649f9501e61e5ec59 Mon Sep 17 00:00:00 2001 From: Simon Thelen Date: Tue, 9 Jun 2015 04:55:57 +0200 Subject: [PATCH 0643/1352] libavutil/channel_layout: Correctly return layout when channel specification ends with a trailing 'c'. Return layout when FF_API_GET_CHANNEL_LAYOUT_COMPAT is set even if the layout itself is not in the deprecated style. Signed-off-by: Simon Thelen Signed-off-by: Michael Niedermayer (cherry picked from commit 83307a32eb0c9f0843f655c44bb65e3e999153f8) Signed-off-by: Michael Niedermayer --- libavutil/channel_layout.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c index 4c0677f794..cd5cf426d4 100644 --- a/libavutil/channel_layout.c +++ b/libavutil/channel_layout.c @@ -138,8 +138,8 @@ static uint64_t get_channel_layout_single(const char *name, int name_len) "switch to the syntax '%.*sc' otherwise it will be interpreted as a " "channel layout number in a later version\n", name_len, name, name_len, name); - return layout; } + return layout; } } else { #endif From 402f832984637d75284a28f5cd1e8d46b10eed9b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 10 Jun 2015 00:47:43 +0200 Subject: [PATCH 0644/1352] avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet() Signed-off-by: Michael Niedermayer (cherry picked from commit 913685f55208efd78bfc34d82b261bd449e69774) Signed-off-by: Michael Niedermayer --- libavdevice/lavfi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/lavfi.c b/libavdevice/lavfi.c index 1398ece508..f6c92bcac2 100644 --- a/libavdevice/lavfi.c +++ b/libavdevice/lavfi.c @@ -339,7 +339,7 @@ static int lavfi_read_packet(AVFormatContext *avctx, AVPacket *pkt) continue; } else if (ret < 0) return ret; - d = av_rescale_q(frame->pts, tb, AV_TIME_BASE_Q); + d = av_rescale_q_rnd(frame->pts, tb, AV_TIME_BASE_Q, AV_ROUND_NEAR_INF|AV_ROUND_PASS_MINMAX); av_dlog(avctx, "sink_idx:%d time:%f\n", i, d); av_frame_unref(frame); From 6ff5c4cd49ec33472cd132dc57ae53e1f1d396d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jun 2015 11:37:48 +0200 Subject: [PATCH 0645/1352] avcodec/h264_slice: Use AVFrame diemensions for grayscale handling The AVFrame values are closer to the AVFrame bitmap changed instead of the AVCodecContext values, so this should be more robust Signed-off-by: Michael Niedermayer (cherry picked from commit aef0e0f009802f1a5e21eb6465498632071e4475) Conflicts: libavcodec/h264_slice.c --- libavcodec/h264_slice.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 8f8660d61b..d63e6143eb 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -278,11 +278,11 @@ static int alloc_picture(H264Context *h, H264Picture *pic) av_pix_fmt_get_chroma_sub_sample(pic->f.format, &h_chroma_shift, &v_chroma_shift); - for(i=0; iavctx->height, v_chroma_shift); i++) { + for(i=0; if.height, v_chroma_shift); i++) { memset(pic->f.data[1] + pic->f.linesize[1]*i, - 0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift)); + 0x80, FF_CEIL_RSHIFT(pic->f.width, h_chroma_shift)); memset(pic->f.data[2] + pic->f.linesize[2]*i, - 0x80, FF_CEIL_RSHIFT(h->avctx->width, h_chroma_shift)); + 0x80, FF_CEIL_RSHIFT(pic->f.width, h_chroma_shift)); } } From 670832e2a2736080324164d8b96e548e5aee3073 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 10 Jun 2015 00:12:38 +0200 Subject: [PATCH 0646/1352] takdec: ensure chan2 is a valid channel index If chan2 is not smaller than the number of channels, it can cause segmentation faults due to dereferencing a NULL pointer. Signed-off-by: Andreas Cadhalpun Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 05c57ba2f42324da2fdc93d83d65bb68dd637613) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 5810a01c24..614385803d 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -799,6 +799,12 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->mcdparams[i].present) { s->mcdparams[i].index = get_bits(gb, 2); s->mcdparams[i].chan2 = get_bits(gb, 4); + if (s->mcdparams[i].chan2 >= avctx->channels) { + av_log(avctx, AV_LOG_ERROR, + "invalid channel 2 (%d) for %d channel(s)\n", + s->mcdparams[i].chan2, avctx->channels); + return AVERROR_INVALIDDATA; + } if (s->mcdparams[i].index == 1) { if ((nbit == s->mcdparams[i].chan2) || (ch_mask & 1 << s->mcdparams[i].chan2)) From d54ca4167c48a1a48167eed7a062a85360723f2b Mon Sep 17 00:00:00 2001 
From: Deliang Fu Date: Wed, 10 Jun 2015 12:30:46 +0800 Subject: [PATCH 0647/1352] avformat: Fix bug in parse_rps for HEVC. Make the logic in libavformat/hevc.c parse_rps align with libavcodec/hevc_ps.c ff_hevc_decode_short_term_rps Signed-off-by: Michael Niedermayer (cherry picked from commit 6e1f8780c833ef55815111d4771b95ff78567cdb) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index c92e9eb118..32192badca 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -449,7 +449,7 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx, * * NumDeltaPocs[RefRpsIdx]: num_delta_pocs[rps_idx - 1] */ - for (i = 0; i < num_delta_pocs[rps_idx - 1]; i++) { + for (i = 0; i <= num_delta_pocs[rps_idx - 1]; i++) { uint8_t use_delta_flag = 0; uint8_t used_by_curr_pic_flag = get_bits1(gb); if (!used_by_curr_pic_flag) From 22349b9f7d4ff813a08b50fa79113cf1e36f4936 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Jun 2015 15:36:20 +0200 Subject: [PATCH 0648/1352] ffmpeg_opt: Check for localtime() failure Found-by: Daemon404 Signed-off-by: Michael Niedermayer (cherry picked from commit 8e91d9652ea5048d9014e7636e12c6ed4732d7b7) Signed-off-by: Michael Niedermayer --- ffmpeg_opt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index d84a4ea506..7218d9133e 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2321,6 +2321,9 @@ static int opt_vstats(void *optctx, const char *opt, const char *arg) time_t today2 = time(NULL); struct tm *today = localtime(&today2); + if (!today) + return AVERROR(errno); + snprintf(filename, sizeof(filename), "vstats_%02d%02d%02d.log", today->tm_hour, today->tm_min, today->tm_sec); return opt_vstats_file(NULL, opt, filename); From cd83ff5d4c7036e1f95aecac502e9b7e66a77c81 Mon Sep 17 00:00:00 2001 
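Review bot: `return AVERROR(errno);` in opt_vstats() relies on localtime() setting errno, which ISO C does not require. If errno is 0 at that point the expression evaluates to 0, so the failure is reported to the option parser as success and no vstats file is set up. Use a code that cannot be zero, for example `return AVERROR(errno ? errno : EINVAL);`, and consider logging the failure since this is a command-line option handler.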
From: Andreas Cadhalpun Date: Sat, 23 May 2015 23:32:12 +0200 Subject: [PATCH 0649/1352] mov: abort on EOF in ff_mov_read_chan Otherwise the loop can take a lot of time if num_descr is very large. Signed-off-by: Andreas Cadhalpun (cherry picked from commit a5718863da99b54b6c853d45c84871c4a96a57c0) Signed-off-by: Michael Niedermayer --- libavformat/mov_chan.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c index 3b91ed7054..b63310b270 100644 --- a/libavformat/mov_chan.c +++ b/libavformat/mov_chan.c @@ -566,6 +566,11 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st, label_mask = 0; for (i = 0; i < num_descr; i++) { uint32_t label; + if (pb->eof_reached) { + av_log(s, AV_LOG_ERROR, + "reached EOF while reading channel layout\n"); + return AVERROR_INVALIDDATA; + } label = avio_rb32(pb); // mChannelLabel avio_rb32(pb); // mChannelFlags avio_rl32(pb); // mCoordinates[0] From 18aef7c075606a3661f84af13d4f84a41707566b Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 30 May 2015 16:18:48 +0200 Subject: [PATCH 0650/1352] libopenjpegdec: check existence of image component data libopenjpeg can return images with components without data. This fixes segmentation faults. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 3ef5702926c495232ffe685303ba8661bdff1149) Signed-off-by: Michael Niedermayer --- libavcodec/libopenjpegdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/libopenjpegdec.c b/libavcodec/libopenjpegdec.c index 0cf46e613d..33c570fd8a 100644 --- a/libavcodec/libopenjpegdec.c +++ b/libavcodec/libopenjpegdec.c 
@@ -356,6 +356,15 @@ static int libopenjpeg_decode_frame(AVCodecContext *avctx, goto done; } + for (i = 0; i < image->numcomps; i++) { + if (!image->comps[i].data) { + av_log(avctx, AV_LOG_ERROR, + "Image component %d contains no data.\n", i); + ret = AVERROR_INVALIDDATA; + goto done; + } + } + desc = av_pix_fmt_desc_get(avctx->pix_fmt); pixel_size = desc->comp[0].step_minus1 + 1; ispacked = libopenjpeg_ispacked(avctx->pix_fmt); From 8c8406462bb523e576c794b9d200bb939467b1c0 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 4 Jun 2015 23:07:44 +0200 Subject: [PATCH 0651/1352] arm: only enable setend on ARMv6 Without this check it causes SIGILL crashes on ARMv5. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5bf84a584e9ce681b439a5747671e2809a019c83) Signed-off-by: Michael Niedermayer --- libavutil/arm/cpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/arm/cpu.c b/libavutil/arm/cpu.c index f1683e8d76..02def0b470 100644 --- a/libavutil/arm/cpu.c +++ b/libavutil/arm/cpu.c @@ -128,7 +128,7 @@ int ff_get_cpu_flags_arm(void) trickle down. */ if (flags & (AV_CPU_FLAG_VFPV3 | AV_CPU_FLAG_NEON)) flags |= AV_CPU_FLAG_ARMV6T2; - else + else if (flags & (AV_CPU_FLAG_ARMV6T2 | AV_CPU_FLAG_ARMV6)) /* Some functions use the 'setend' instruction which is deprecated on ARMv8 * and serializing on some ARMv7 cores. This ensures such functions * are only enabled on ARMv6. */ From 9da5ba1f57a4185d97edac743b42215319307b8c Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Sun, 7 Jun 2015 18:50:43 +0200 Subject: [PATCH 0652/1352] vp9: change type of tile_size from unsigned to int64_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise the check 'tile_size < size' treats a negative size as unsigned, causing the check to pass. This subsequently leads to segmentation faults. This was originally fixed as part of Libav commit 72ca83, so the original author is one of the following developers: Anton Khirnov Diego Biurrun Luca Barbato Martin Storsjö Reviewed-by: Ronald S. Bultje Signed-off-by: Andreas Cadhalpun (cherry picked from commit b18eac7ff22332c9344769af15f7b245dd13cc64) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 8861cc09bb..3be17c000f 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -3841,7 +3841,7 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, tile_row, s->tiling.log2_tile_rows, s->sb_rows); if (s->pass != 2) { for (tile_col = 0; tile_col < s->tiling.tile_cols; tile_col++) { - unsigned tile_size; + int64_t tile_size; if (tile_col == s->tiling.tile_cols - 1 && tile_row == s->tiling.tile_rows - 1) { From 13a9a0c1a492d344a8f36dd4ef3f3957b010963b Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Mon, 8 Jun 2015 22:38:29 +0200 Subject: [PATCH 0653/1352] vp8: change mv_{min,max}.{x,y} type to int If one of the dimensions is larger than 8176, s->mb_width or s->mb_height is larger than 511, leading to an int16_t overflow of s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax. Changing the type to int avoids the overflow and has no negative effect, because s->mv_max is only used in clamp_mv for clipping. Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't increase the absolute value. The input to av_clip is an int16_t, and thus the output fits into int16_t as well. For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range before use. Reviewed-by: Ronald S. Bultje Signed-off-by: Andreas Cadhalpun (cherry picked from commit 6fdbaa2b7fb56623ab2163f861952bc1408c39b3) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 ++++-- libavcodec/vp8.h | 9 +++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index e79c35dca4..45a57586fc 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -750,8 +750,10 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si static av_always_inline void clamp_mv(VP8Context *s, VP56mv *dst, const VP56mv *src) { - dst->x = av_clip(src->x, s->mv_min.x, s->mv_max.x); - dst->y = av_clip(src->y, s->mv_min.y, s->mv_max.y); + dst->x = av_clip(src->x, av_clip(s->mv_min.x, INT16_MIN, INT16_MAX), + av_clip(s->mv_max.x, INT16_MIN, INT16_MAX)); + dst->y = av_clip(src->y, av_clip(s->mv_min.y, INT16_MIN, INT16_MAX), + av_clip(s->mv_max.y, INT16_MIN, INT16_MAX)); } /** diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h index 83729c8b92..4ed8931d21 100644 --- a/libavcodec/vp8.h +++ b/libavcodec/vp8.h 
@@ -134,6 +134,11 @@ typedef struct VP8Frame { AVBufferRef *seg_map; } VP8Frame; +typedef struct VP8intmv { + int x; + int y; +} VP8intmv; + #define MAX_THREADS 8 typedef struct VP8Context { VP8ThreadData *thread_data; @@ -152,8 +157,8 @@ typedef struct VP8Context { uint8_t deblock_filter; uint8_t mbskip_enabled; uint8_t profile; - VP56mv mv_min; - VP56mv mv_max; + VP8intmv mv_min; + VP8intmv mv_max; int8_t sign_bias[4]; ///< one state [0, 1] per ref frame type int ref_count[3]; From c5dd6fefd41eec9c6dc62a4947aaa4ef7a1491a9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 9 Jun 2015 22:41:24 +0200 Subject: [PATCH 0654/1352] sonic: set avctx->channels in sonic_decode_init Otherwise it can be 0 in sonic_decode_frame, causing SIGFPE crashes. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 58995f647b5fa2e1efa33ae4f8b8a76a81ec99df) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 3db77f30a3..c5076f9d8e 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -900,6 +900,7 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Only mono and stereo streams are supported by now\n"); return AVERROR_INVALIDDATA; } + avctx->channels = s->channels; s->lossless = get_bits1(&gb); if (!s->lossless) From 5302adb32367c95b765c82122b1d922d0df93b52 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 14 Jun 2015 12:40:18 +0200 Subject: [PATCH 0655/1352] h264: er: Copy from the previous reference only if compatible Also use the frame pixel format instead of the one from the codec context, which is more robust. Signed-off-by: Luca Barbato Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit fdc64a104410f5fcc7f35b62287b0ae502b7061a) Conflicts: libavcodec/h264_slice.c 
Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d63e6143eb..ade642fa61 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1690,12 +1690,15 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) * vectors. Given we are concealing a lost frame, this probably * is not noticeable by comparison, but it should be fixed. */ if (h->short_ref_count) { - if (prev) { + if (prev && + h->short_ref[0]->f.width == prev->f.width && + h->short_ref[0]->f.height == prev->f.height && + h->short_ref[0]->f.format == prev->f.format) { av_image_copy(h->short_ref[0]->f.data, h->short_ref[0]->f.linesize, (const uint8_t **)prev->f.data, prev->f.linesize, - h->avctx->pix_fmt, + prev->f.format, h->mb_width * 16, h->mb_height * 16); h->short_ref[0]->poc = prev->poc + 2; From 9d0aa058c997db60de84d2e05b08dabead9cb6e0 Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 17 Jun 2015 00:21:02 +0200 Subject: [PATCH 0656/1352] avio: fix potential crashes when combining ffio_ensure_seekback + crc Calling ffio_ensure_seekback() if ffio_init_checksum() has been called on the same context can lead to out of bounds memory accesses and crashes. The reason is that ffio_ensure_seekback() does not update checksum_ptr after reallocating the buffer, resulting in a dangling pointer. This effectively fixes potential crashes when opening mp3 files. Signed-off-by: Michael Niedermayer (cherry picked from commit dc87758775e2ce8be84e4fe598e12416e83d2845) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 30db4a66dc..74686d1d15 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c 
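Review bot: The new guard in ff_h264_decode_slice_header() compares `f.width`, `f.height` and `f.format` of the two frames, but the copy extent passed to av_image_copy() is still `h->mb_width * 16, h->mb_height * 16`, taken from the decoder context rather than from either frame that was just validated. The pixel format argument was moved to `prev->f.format` for robustness, and the same reasoning would apply to the size, e.g. `prev->f.width, prev->f.height`. If the macroblock-aligned extent is intended (to include padding), a comment stating why both buffers are guaranteed to be at least that large would make the bound checkable. Whether the context dimensions can diverge from the frames here is not visible in the hunk, and the function extends well outside it.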
@@ -783,6 +783,7 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) int max_buffer_size = s->max_packet_size ? s->max_packet_size : IO_BUFFER_SIZE; int filled = s->buf_end - s->buffer; + ptrdiff_t checksum_ptr_offset = s->checksum_ptr ? s->checksum_ptr - s->buffer : -1; buf_size += s->buf_ptr - s->buffer + max_buffer_size; @@ -800,6 +801,8 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) s->buf_end = buffer + (s->buf_end - s->buffer); s->buffer = buffer; s->buffer_size = buf_size; + if (checksum_ptr_offset >= 0) + s->checksum_ptr = s->buffer + checksum_ptr_offset; return 0; } From 7de7d81ee55adbe77650f61831fa8b0c3e4159fa Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 18 Jun 2015 20:15:12 +0200 Subject: [PATCH 0657/1352] postproc: fix unaligned access QP_store is only 8-bit-aligned, so accessing it as uint32_t causes SIGBUS crashes on sparc. The AV_RN32/AV_WN32 macros only do unaligned access in the HAVE_FAST_UNALIGNED case. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 590743101dc934043f34013f1c9bb9fb261355b0) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index a42b0794a5..c1deb71ec9 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -76,6 +76,7 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks #include "config.h" #include "libavutil/avutil.h" #include "libavutil/avassert.h" +#include "libavutil/intreadwrite.h" #include #include #include 
@@ -1009,7 +1010,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], int i; const int count= FFMAX(mbHeight * QPStride, mbWidth); for(i=0; i<(count>>2); i++){ - ((uint32_t*)c->nonBQPTable)[i] = ((const uint32_t*)QP_store)[i] & 0x3F3F3F3F; + AV_WN32(c->nonBQPTable + (i<<2), AV_RN32(QP_store + (i<<2)) & 0x3F3F3F3F); } for(i<<=2; inonBQPTable[i] = QP_store[i] & 0x3F; From e588252a429ca60408813191350891680e848dfd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jun 2015 16:46:06 +0200 Subject: [PATCH 0658/1352] avcodec/dpxenc: implement write16/32 as functions Fixes undefined behavior and segfault Signed-off-by: Michael Niedermayer (cherry picked from commit 8edc17b639c4ac47913c467107ffb43c67c64890) Signed-off-by: Michael Niedermayer --- libavcodec/dpxenc.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/libavcodec/dpxenc.c b/libavcodec/dpxenc.c index aca745bb58..76aa0cc473 100644 --- a/libavcodec/dpxenc.c +++ b/libavcodec/dpxenc.c @@ -75,17 +75,20 @@ static av_cold int encode_init(AVCodecContext *avctx) return 0; } -#define write16(p, value) \ -do { \ - if (s->big_endian) AV_WB16(p, value); \ - else AV_WL16(p, value); \ -} while(0) +static av_always_inline void write16_internal(int big_endian, void *p, int value) +{ + if (big_endian) AV_WB16(p, value); + else AV_WL16(p, value); +} -#define write32(p, value) \ -do { \ - if (s->big_endian) AV_WB32(p, value); \ - else AV_WL32(p, value); \ -} while(0) +static av_always_inline void write32_internal(int big_endian, void *p, int value) +{ + if (big_endian) AV_WB32(p, value); + else AV_WL32(p, value); +} + +#define write16(p, value) write16_internal(s->big_endian, p, value) +#define write32(p, value) write32_internal(s->big_endian, p, value) static void encode_rgb48_10bit(AVCodecContext *avctx, const AVPicture *pic, uint8_t *dst) { From 933ae708c5fca9e65dde3abf8927e10498bdee55 Mon Sep 17 00:00:00 2001 
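Review bot: `write16_internal()` and `write32_internal()` in dpxenc.c take the stored value as `int`, although they write fixed-width 16- and 32-bit fields through AV_WB16/AV_WL16 and AV_WB32/AV_WL32. A 32-bit header or pixel word above INT_MAX would go through an implementation-defined conversion before the store. Declaring the parameter as `uint32_t value` (and `unsigned value` for the 16-bit helper) states the width the helpers actually write and avoids that conversion. The callers are outside the hunk, so whether such values occur today cannot be confirmed from here. Bracing the `if`/`else` bodies would also match the usual style for new functions.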
From: Andreas Cadhalpun Date: Mon, 15 Jun 2015 21:06:51 +0200 Subject: [PATCH 0659/1352] matroskadec: validate audio channels and bitdepth In the TTA extradata re-construction the values are written with avio_wl16 and if they don't fit into uint16_t, this triggers an av_assert2 in avio_w8. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 92e79a2f7bf2f8bb0cb2d1a3e4d76737557071c4) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 21b000252c..d14ad2de51 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1797,6 +1797,18 @@ static int matroska_parse_tracks(AVFormatContext *s) NULL, NULL, NULL, NULL); avio_write(&b, "TTA1", 4); avio_wl16(&b, 1); + if (track->audio.channels > UINT16_MAX || + track->audio.bitdepth > UINT16_MAX) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Too large audio channel number %"PRIu64 + " or bitdepth %"PRIu64". Skipping track.\n", + track->audio.channels, track->audio.bitdepth); + av_freep(&extradata); + if (matroska->ctx->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + continue; + } avio_wl16(&b, track->audio.channels); avio_wl16(&b, track->audio.bitdepth); if (track->audio.out_samplerate < 0 || track->audio.out_samplerate > INT_MAX) From b3745ce8c26138cf5d1239a822335a9dbd2fb45d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 15 Jun 2015 20:59:22 +0200 Subject: [PATCH 0660/1352] matroskadec: check audio sample rate And default to 8000 if it is invalid. An invalid sample rate can trigger av_assert2 in av_rescale_rnd. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5b76c82fd7a5f4f36bb901b8c43d7f7319599599) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index d14ad2de51..09f7e66ca2 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1602,6 +1602,14 @@ static int matroska_parse_tracks(AVFormatContext *s) if (!track->codec_id) continue; + if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX || + isnan(track->audio.samplerate)) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Invalid sample rate %f, defaulting to 8000 instead.\n", + track->audio.samplerate); + track->audio.samplerate = 8000; + } + if (track->type == MATROSKA_TRACK_TYPE_VIDEO) { if (!track->default_duration && track->video.frame_rate > 0) track->default_duration = 1000000000 / track->video.frame_rate; From 00772989041ad9283f1e2cdcce0a2acc838f7ada Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2015 18:27:27 +0200 Subject: [PATCH 0661/1352] swr: Remember previously set int_sample_format from user Signed-off-by: Michael Niedermayer (cherry picked from commit d4325b2fea9e2f4f4a17d0b929f12425e9c39964) Signed-off-by: Michael Niedermayer --- libswresample/options.c | 4 ++-- libswresample/swresample.c | 2 ++ libswresample/swresample_internal.h | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/libswresample/options.c b/libswresample/options.c index de84672834..1bc1a70510 100644 --- a/libswresample/options.c +++ b/libswresample/options.c 
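Review bot: The sample-rate validation in matroska_parse_tracks() rejects negative, NaN and over-INT_MAX values but lets an explicit `0` through, because the first comparison is `track->audio.samplerate < 0`. The commit message gives av_rescale_rnd asserts as the motivation, and a zero rate used as a divisor or time-base denominator later would be just as invalid. Whether it reaches such a use is not visible in this hunk. If zero is not a legitimate stored value, tighten the test to `track->audio.samplerate <= 0 || track->audio.samplerate > INT_MAX || isnan(track->audio.samplerate)`. Otherwise add a comment saying where a zero rate is handled.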
@@ -49,8 +49,8 @@ static const AVOption options[]={ {"in_sample_fmt" , "set input sample format" , OFFSET( in_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"osf" , "set output sample format" , OFFSET(out_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"out_sample_fmt" , "set output sample format" , OFFSET(out_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"tsf" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, -{"internal_sample_fmt" , "set internal sample format" , OFFSET(int_sample_fmt ), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, +{"tsf" , "set internal sample format" , OFFSET(user_int_sample_fmt), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, +{"internal_sample_fmt" , "set internal sample format" , OFFSET(user_int_sample_fmt), AV_OPT_TYPE_SAMPLE_FMT , {.i64=AV_SAMPLE_FMT_NONE}, -1 , INT_MAX, PARAM}, {"icl" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, {"in_channel_layout" , "set input channel layout" , OFFSET(user_in_ch_layout ), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, {"ocl" , "set output channel layout" , OFFSET(user_out_ch_layout), AV_OPT_TYPE_CHANNEL_LAYOUT, {.i64=0 }, 0 , INT64_MAX , PARAM, "channel_layout"}, diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 7aa080472c..3e23912d35 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c 
@@ -173,6 +173,8 @@ av_cold int swr_init(struct SwrContext *s){ s-> in_ch_layout = s-> user_in_ch_layout; s->out_ch_layout = s->user_out_ch_layout; + s->int_sample_fmt= s->user_int_sample_fmt; + if(av_get_channel_layout_nb_channels(s-> in_ch_layout) > SWR_CH_MAX) { av_log(s, AV_LOG_WARNING, "Input channel layout 0x%"PRIx64" is invalid or unsupported.\n", s-> in_ch_layout); s->in_ch_layout = 0; diff --git a/libswresample/swresample_internal.h b/libswresample/swresample_internal.h index fcc63a676c..f55bd9df6d 100644 --- a/libswresample/swresample_internal.h +++ b/libswresample/swresample_internal.h @@ -95,6 +95,7 @@ struct SwrContext { int user_used_ch_count; ///< User set used channel count int64_t user_in_ch_layout; ///< User set input channel layout int64_t user_out_ch_layout; ///< User set output channel layout + enum AVSampleFormat user_int_sample_fmt; ///< User set internal sample format struct DitherContext dither; From 60a3bd625f4d643c8e8d7ef9dc4b6e7a6c5ecf35 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2015 22:23:22 +0200 Subject: [PATCH 0662/1352] swscale/rgb2rgb_template: Disable shuffle_bytes_2103_c on big endian The function is specific to little endian Signed-off-by: Michael Niedermayer (cherry picked from commit 4df3cf90bf7a54793e90304bd1b6c7599673f36a) Signed-off-by: Michael Niedermayer --- libswscale/rgb2rgb_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index f9a98a8701..70294aec97 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -929,7 +929,9 @@ static av_cold void rgb2rgb_init_c(void) rgb24to15 = rgb24to15_c; rgb24to16 = rgb24to16_c; rgb24tobgr24 = rgb24tobgr24_c; +#if !HAVE_BIGENDIAN shuffle_bytes_2103 = shuffle_bytes_2103_c; +#endif rgb32tobgr16 = rgb32tobgr16_c; rgb32tobgr15 = rgb32tobgr15_c; yv12toyuy2 = yv12toyuy2_c; From 2f1bff16900067e5c477f725fe9280721e8ab755 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 23 Jun 2015 04:36:02 +0200 Subject: [PATCH 0663/1352] swscale/rgb2rgb_template: Implement shuffle_bytes_0321_c and fix shuffle_bytes_2103_c on BE Signed-off-by: Michael Niedermayer (cherry picked from commit abb833c5681b84d7025c083e2191140eaa30dca7) Signed-off-by: Michael Niedermayer --- libswscale/rgb2rgb.c | 2 +- libswscale/rgb2rgb.h | 2 +- libswscale/rgb2rgb_template.c | 20 +++++++++++++++++++- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/libswscale/rgb2rgb.c b/libswscale/rgb2rgb.c index 5b1fcf73ca..340174fd65 100644 --- a/libswscale/rgb2rgb.c +++ b/libswscale/rgb2rgb.c @@ -51,6 +51,7 @@ void (*rgb16to15)(const uint8_t *src, uint8_t *dst, int src_size); void (*rgb15to16)(const uint8_t *src, uint8_t *dst, int src_size); void (*rgb15to32)(const uint8_t *src, uint8_t *dst, int src_size); +void (*shuffle_bytes_0321)(const uint8_t *src, uint8_t *dst, int src_size); void (*shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, int src_size); void (*yv12toyuy2)(const uint8_t *ysrc, const uint8_t *usrc, @@ -333,7 +334,6 @@ void shuffle_bytes_ ## a ## b ## c ## d(const uint8_t *src, \ } \ } -DEFINE_SHUFFLE_BYTES(0, 3, 2, 1) DEFINE_SHUFFLE_BYTES(1, 2, 3, 0) DEFINE_SHUFFLE_BYTES(3, 0, 1, 2) DEFINE_SHUFFLE_BYTES(3, 2, 1, 0) diff --git a/libswscale/rgb2rgb.h b/libswscale/rgb2rgb.h index 5df5dea420..8faebe6a43 100644 --- a/libswscale/rgb2rgb.h +++ b/libswscale/rgb2rgb.h @@ -50,6 +50,7 @@ extern void (*rgb24to15)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*rgb32tobgr16)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*rgb32tobgr15)(const uint8_t *src, uint8_t *dst, int src_size); +extern void (*shuffle_bytes_0321)(const uint8_t *src, uint8_t *dst, int src_size); extern void (*shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, int src_size); void rgb64tobgr48_nobswap(const uint8_t *src, uint8_t *dst, int src_size); 
@@ -71,7 +72,6 @@ void rgb15tobgr15(const uint8_t *src, uint8_t *dst, int src_size); void rgb12tobgr12(const uint8_t *src, uint8_t *dst, int src_size); void rgb12to15(const uint8_t *src, uint8_t *dst, int src_size); -void shuffle_bytes_0321(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_1230(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_3012(const uint8_t *src, uint8_t *dst, int src_size); void shuffle_bytes_3210(const uint8_t *src, uint8_t *dst, int src_size); diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index 70294aec97..5b446debfa 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -328,6 +328,20 @@ static inline void shuffle_bytes_2103_c(const uint8_t *src, uint8_t *dst, } } +static inline void shuffle_bytes_0321_c(const uint8_t *src, uint8_t *dst, + int src_size) +{ + int idx = 15 - src_size; + const uint8_t *s = src - idx; + uint8_t *d = dst - idx; + + for (; idx < 15; idx += 4) { + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0x00ff00ff; + v &= 0xff00ff00; + *(uint32_t *)&d[idx] = (v >> 16) + g + (v << 16); + } +} + static inline void rgb24tobgr24_c(const uint8_t *src, uint8_t *dst, int src_size) { unsigned i; @@ -929,7 +943,11 @@ static av_cold void rgb2rgb_init_c(void) rgb24to15 = rgb24to15_c; rgb24to16 = rgb24to16_c; rgb24tobgr24 = rgb24tobgr24_c; -#if !HAVE_BIGENDIAN +#if HAVE_BIGENDIAN + shuffle_bytes_0321 = shuffle_bytes_2103_c; + shuffle_bytes_2103 = shuffle_bytes_0321_c; +#else + shuffle_bytes_0321 = shuffle_bytes_0321_c; shuffle_bytes_2103 = shuffle_bytes_2103_c; #endif rgb32tobgr16 = rgb32tobgr16_c; From bada03d7463424d1c8b3921c3fdf75af4639ed7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2015 05:09:11 +0200 Subject: [PATCH 0664/1352] swscale/rgb2rgb_template: Fix signedness of v in shuffle_bytes_2103_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 7604358018229f345dfdf88b16c8930a67984435) 
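Review bot: In the new shuffle_bytes_0321_c in libswscale/rgb2rgb_template.c the loop always loads and stores a full 32-bit word, so when `src_size` is not a multiple of 4 the last iteration reads and writes up to 3 bytes past `src + src_size` and `dst + src_size`. Nothing in the hunk states or checks that precondition; put it in a comment above the function and check it in debug builds, e.g. `av_assert2(!(src_size & 3));`. The `*(const uint32_t *)&s[idx]` access also assumes both buffers are suitably aligned for 32-bit access, which belongs in the same comment. The neighbouring shuffle_bytes_2103_c uses the same loop shape, so the same precondition applies there.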
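Review bot: The big-endian branch added to rgb2rgb_init_c assigns `shuffle_bytes_0321 = shuffle_bytes_2103_c` and `shuffle_bytes_2103 = shuffle_bytes_0321_c`, which reads like a copy-paste slip unless the reason is written down. A comment on the `#if HAVE_BIGENDIAN` branch would prevent a well-meant "fix" later, e.g. `/* the _c helpers shuffle inside a native 32-bit load, so their byte order is mirrored on big endian */`. rgb2rgb_init_c continues outside the hunk.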
Signed-off-by: Michael Niedermayer --- libswscale/rgb2rgb_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index 5b446debfa..1cc28cdd13 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -322,7 +322,7 @@ static inline void shuffle_bytes_2103_c(const uint8_t *src, uint8_t *dst, uint8_t *d = dst - idx; for (; idx < 15; idx += 4) { - register int v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; v &= 0xff00ff; *(uint32_t *)&d[idx] = (v >> 16) + g + (v << 16); } From d50d11c56cd409ce4cdf38ea3298c8e2b220aec9 Mon Sep 17 00:00:00 2001 From: Sebastien Zwickert Date: Sat, 20 Jun 2015 13:19:29 +0200 Subject: [PATCH 0665/1352] vda: unlock the pixel buffer base address. The pixel buffer base address is never unlocked this causes a bug with some pixel format types that are produced natively by the hardware decoder: the first buffer was always used. Unlock the pixel buffer base address fixes the issue. (cherry picked from commit c06fdacc3dc706e70d953917fea845532d3703ca) Signed-off-by: Michael Niedermayer --- ffmpeg_vda.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg_vda.c b/ffmpeg_vda.c index b9f0975f55..fded39e79b 100644 --- a/ffmpeg_vda.c +++ b/ffmpeg_vda.c @@ -77,6 +77,8 @@ static int vda_retrieve_data(AVCodecContext *s, AVFrame *frame) frame->width, frame->height); ret = av_frame_copy_props(vda->tmp_frame, frame); + CVPixelBufferUnlockBaseAddress(pixbuf, kCVPixelBufferLock_ReadOnly); + if (ret < 0) return ret; From 1795bef7c736c2ab2442174a71191a78d6995b58 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 23 Jun 2015 01:14:16 -0300 Subject: [PATCH 0666/1352] swscale/x86/rgb2rgb_template: add missing xmm clobbers Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 910eeab48026060b5f7780b2560445c069eb4d6b) 
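Review bot: The added `CVPixelBufferUnlockBaseAddress(pixbuf, kCVPixelBufferLock_ReadOnly);` in vda_retrieve_data only runs on the path that reaches `av_frame_copy_props`, so any `return` between the matching lock call and this line would still leave the pixel buffer locked. The lock call and the statements between it and the copy are above the hunk, so this needs checking there. If such early returns exist, route them through a single exit that unlocks before returning. The unlock's own return value is ignored; a comment saying that is deliberate would be enough.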
Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index e71c7ebfe3..fd04923dae 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1905,7 +1905,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui "cmp %3, %%"REG_a" \n\t" " jb 1b \n\t" ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) - : "memory", "%"REG_a"" + : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); #else __asm__( From 286e14667fe4ac58e4951c29fe6e2a83f4c96913 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 23 Jun 2015 01:15:07 -0300 Subject: [PATCH 0667/1352] swscale/x86/rgb2rgb_template: fix signedness of v in shuffle_bytes_2103_{mmx,mmxext} Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit e22edbfd413242dda720dc5191fc00a51c24d74c) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index fd04923dae..e9b131e033 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1090,7 +1090,7 @@ static inline void RENAME(shuffle_bytes_2103)(const uint8_t *src, uint8_t *dst, : "r" (s), "r" (d), "m" (mask32b), "m" (mask32r), "m" (mmx_one) : "memory"); for (; idx<15; idx+=4) { - register int v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; + register unsigned v = *(const uint32_t *)&s[idx], g = v & 0xff00ff00; v &= 0xff00ff; *(uint32_t *)&d[idx] = (v>>16) + g + (v<<16); } From 925adad3e07421daddc73148af87d91550a2c6b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jun 2015 13:27:39 +0200 Subject: [PATCH 0668/1352] ffmpeg: Do not use the data/size of a bitstream filter after failure Found-by: Rodger Combs 
Signed-off-by: Michael Niedermayer (cherry picked from commit 8f0f678f090d9939b0014ba85641e2cb83d39cb8) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ffmpeg.c b/ffmpeg.c index 44e03e77db..a83ed73e84 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -645,6 +645,7 @@ static void write_frame(AVFormatContext *s, AVPacket *pkt, OutputStream *ost) if (!new_pkt.buf) exit_program(1); } else if (a < 0) { + new_pkt = *pkt; av_log(NULL, AV_LOG_ERROR, "Failed to open bitstream filter %s for stream %d with codec %s", bsfc->filter->name, pkt->stream_index, avctx->codec ? avctx->codec->name : "copy"); From a47bc9a05601138d8ccb529432e4c77d0f404430 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2015 13:51:43 +0200 Subject: [PATCH 0669/1352] swscale/swscale_unscaled: Fix rounding difference with RGBA output between little and big endian Fixes fate/dds-rgb16 on big endian Signed-off-by: Michael Niedermayer (cherry picked from commit f6ab967eae497733f6adc12b30075980fd6eea98) Conflicts: tests/ref/fate/dds-rgb16 --- libswscale/swscale_unscaled.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index da457dfbdb..d3d0cf30b2 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -1242,6 +1242,11 @@ static rgbConvFn findRgbConvFn(SwsContext *c) if ((dstFormat == AV_PIX_FMT_RGB32_1 || dstFormat == AV_PIX_FMT_BGR32_1) && !isRGBA32(srcFormat) && ALT32_CORR<0) return NULL; + // Maintain symmetry between endianness + if (c->flags & SWS_BITEXACT) + if ((dstFormat == AV_PIX_FMT_RGB32 || dstFormat == AV_PIX_FMT_BGR32 ) && !isRGBA32(srcFormat) && ALT32_CORR>0) + return NULL; + return conv; } From 2789d15114cf78dff2806357d3b3a5ff51bbd735 Mon Sep 17 00:00:00 2001 
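Review bot: The new `new_pkt = *pkt;` in the `a < 0` branch of write_frame in ffmpeg.c has no comment, and without one it looks like a redundant copy that a later cleanup could remove. Add the reason next to it, e.g. `/* the filter failed: its output data/size must not be used, fall back to the unfiltered packet */`. The code that consumes `new_pkt` after this branch is outside the hunk; it is worth confirming there that nothing frees `pkt` on the assumption that `new_pkt` owns a separate buffer.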
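Review bot: The check added to findRgbConvFn in libswscale/swscale_unscaled.c nests one unbraced `if` inside another, which makes it easy to attach a later `else` or statement to the wrong condition. Fold the flag test into the condition, `if ((c->flags & SWS_BITEXACT) && (dstFormat == AV_PIX_FMT_RGB32 || dstFormat == AV_PIX_FMT_BGR32) && !isRGBA32(srcFormat) && ALT32_CORR > 0)`, or brace the outer `if`. The comment `// Maintain symmetry between endianness` could also say that the conversion is refused only when SWS_BITEXACT is set.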
From: Andreas Cadhalpun Date: Sun, 28 Jun 2015 12:40:12 +0200 Subject: [PATCH 0670/1352] wmavoice: limit wmavoice_decode_packet return value to packet size Claiming to have decoded more bytes than the packet size is wrong. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index c2737abd47..1c9958891f 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1982,7 +1982,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, *got_frame_ptr) { cnt += s->spillover_nbits; s->skip_bits_next = cnt & 7; - return cnt >> 3; + res = cnt >> 3; + if (res > avpkt->size) { + av_log(ctx, AV_LOG_ERROR, + "Trying to skip %d bytes in packet of size %d\n", + res, avpkt->size); + return AVERROR_INVALIDDATA; + } + return res; } else skip_bits_long (gb, s->spillover_nbits - cnt + get_bits_count(gb)); // resync @@ -2001,7 +2008,14 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data, } else if (*got_frame_ptr) { int cnt = get_bits_count(gb); s->skip_bits_next = cnt & 7; - return cnt >> 3; + res = cnt >> 3; + if (res > avpkt->size) { + av_log(ctx, AV_LOG_ERROR, + "Trying to skip %d bytes in packet of size %d\n", + res, avpkt->size); + return AVERROR_INVALIDDATA; + } + return res; } else if ((s->sframe_cache_size = pos) > 0) { /* rewind bit reader to start of last (incomplete) superframe... */ init_get_bits(gb, avpkt->data, size << 3); From e35c5348900a371c467816a9189031192f08865a Mon Sep 17 00:00:00 2001 
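Review bot: The new bound in wmavoice_decode_packet compares `res` with `avpkt->size`, but the context line `init_get_bits(gb, avpkt->data, size << 3)` shows the bit reader covering `size` bytes, a local whose derivation is above the hunk. If `size` can be smaller than `avpkt->size`, the tighter test `if (res > size)` is the one that matches what was actually read; please confirm against the start of the function. The same block is added twice, in the spillover branch and in the `*got_frame_ptr` branch of the second hunk, so a small static helper that takes `cnt` and returns either the byte count or `AVERROR_INVALIDDATA` would keep the two copies from drifting apart.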
From: Michael Niedermayer Date: Mon, 29 Jun 2015 21:08:05 +0200 Subject: [PATCH 0671/1352] avcodec/pngdec: Only allow one IHDR chunk Multiple IHDR chunks are forbidden in PNG Fixes inconsistency and out of array accesses Fixes: asan_heap-oob_4d5c5a_1738_cov_2638287726_c-m2-8f2b481b7fd9bd745e620b7c01a18df2.png Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 47f4e2d8960ca756ca153ab8e3e93d80449b8c91) Conflicts: libavcodec/pngdec.c --- libavcodec/pngdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index c2f417e169..8c22da0d78 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -588,6 +588,11 @@ static int decode_frame(AVCodecContext *avctx, goto fail; } + if (s->state & PNG_IHDR) { + av_log(avctx, AV_LOG_ERROR, "Multiple IHDR\n"); + goto fail; + } + s->width = bytestream2_get_be32(&s->gb); s->height = bytestream2_get_be32(&s->gb); if (av_image_check_size(s->width, s->height, 0, avctx)) { From 3dfadef52216a858ca75a28cc6dfa9620a203c4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2015 16:01:15 +0200 Subject: [PATCH 0672/1352] avfilter/vf_transpose: Fix rounding error Fixes out of array access Fixes: asan_heap-oob_7f875d_3482_cov_1818465256_ssudec.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0083c16605aa5997534e87e68f97ef85a8c3b7b8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_transpose.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index d9b165cfeb..6ae5fce815 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c 
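Review bot: The duplicate-IHDR test added to decode_frame in libavcodec/pngdec.c depends on `PNG_IHDR` being cleared from `s->state` before each frame is parsed; that reset is not visible in this hunk, and if it were missing the second frame of a stream would be rejected as "Multiple IHDR". Please confirm the reset above the hunk. A comment on the check would also record why it matters, e.g. `/* a second IHDR would overwrite width/height that earlier chunks were already parsed against */`. What the `fail` label returns is below the hunk; it should be an invalid-data error so callers can tell a malformed file from an internal failure.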
@@ -152,7 +152,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int hsub = plane == 1 || plane == 2 ? trans->hsub : 0; int vsub = plane == 1 || plane == 2 ? trans->vsub : 0; int pixstep = trans->pixsteps[plane]; - int inh = in->height >> vsub; + int inh = FF_CEIL_RSHIFT(in->height, vsub); int outw = FF_CEIL_RSHIFT(out->width, hsub); int outh = FF_CEIL_RSHIFT(out->height, vsub); int start = (outh * jobnr ) / nb_jobs; From c6e16ec711c2644d236aa06e677e8efacd2cf33c Mon Sep 17 00:00:00 2001 From: James Zern Date: Mon, 29 Jun 2015 23:03:14 -0700 Subject: [PATCH 0673/1352] vp9/update_prob: prevent out of bounds table read the max value of the lookup in expanded form is: (((1 << 7) - 1) << 1) - 65 + 1 + 64 = 254 add one entry of padding to inv_map_table[] to prevent out of bounds access with non-conforming / fuzzed bitstreams Signed-off-by: James Zern Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit e91f860ea74e11e9178500fe8794c47f57dbf48c) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 3be17c000f..8327134d37 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -409,7 +409,7 @@ static av_always_inline int inv_recenter_nonneg(int v, int m) // differential forward probability updates static int update_prob(VP56RangeCoder *c, int p) { - static const int inv_map_table[254] = { + static const int inv_map_table[255] = { 7, 20, 33, 46, 59, 72, 85, 98, 111, 124, 137, 150, 163, 176, 189, 202, 215, 228, 241, 254, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 22, 23, 24, 
@@ -428,7 +428,7 @@ static int update_prob(VP56RangeCoder *c, int p) 207, 208, 209, 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, - 252, 253, + 252, 253, 253, }; int d; @@ -458,6 +458,7 @@ static int update_prob(VP56RangeCoder *c, int p) if (d >= 65) d = (d << 1) - 65 + vp8_rac_get(c); d += 64; + av_assert2(d < FF_ARRAY_ELEMS(inv_map_table)); } return p <= 128 ? 1 + inv_recenter_nonneg(inv_map_table[d], p - 1) : From 47a5cde6ac03476a4eec08e2cc56cf633bc7582b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2015 19:37:12 +0200 Subject: [PATCH 0674/1352] avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h Fixes out of array access Fixes: asan_heap-oob_4d5bb0_682_cov_3124593265_Fraunhofer__a_driving_force_in_innovation__small.mp4 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 330863c9f19a23c500ba7901a23f1cc377b353bb) Conflicts: libavcodec/h264_slice.c --- libavcodec/h264_slice.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index ade642fa61..3b50114dc5 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1699,8 +1699,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) (const uint8_t **)prev->f.data, prev->f.linesize, prev->f.format, - h->mb_width * 16, - h->mb_height * 16); + prev->f.width, + prev->f.height); h->short_ref[0]->poc = prev->poc + 2; } h->short_ref[0]->frame_num = h->prev_frame_num; From 514d0e29c8cd27fbc55ae1feb0f246c623608558 Mon Sep 17 00:00:00 2001 
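Review bot: The `av_assert2(d < FF_ARRAY_ELEMS(inv_map_table));` added in update_prob is, as far as I know, compiled out unless the build uses assert level 2 or higher, so in ordinary builds the only protection is the extra table entry. That makes the padding load-bearing, and it deserves a comment on the new last element, e.g. `252, 253, 253, /* padding: index 254 is reachable only from non-conforming streams */`. The literal `255` in the declaration could carry a short note giving the maximum index worked out in the commit message, so the size is not trimmed back later.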
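Review bot: Taking the copy size from `prev->f.width` and `prev->f.height` in ff_h264_decode_slice_header bounds the read from `prev`, but the destination of the copy is above the hunk and its dimensions are not compared with those of `prev` here. Judging by the following `h->short_ref[0]->poc = prev->poc + 2;`, the destination is presumably `h->short_ref[0]`; if that frame can be smaller than `prev`, for example after a resolution change, the write side can still overrun. Consider guarding the copy with a check that width, height and format of the two frames match, and skipping the copy otherwise.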
From: Michael Niedermayer Date: Wed, 1 Jul 2015 02:05:43 +0200 Subject: [PATCH 0675/1352] avcodec/aacsbr: check that the element type matches before applying SBR Fixes out of array access Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79a98294da6cd85f8c86b34764c5e0c43b09eea3) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 8 ++++++++ libavcodec/sbr.h | 1 + 2 files changed, 9 insertions(+) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 2a03b3236c..783783c8f5 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1018,6 +1018,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr, { unsigned int cnt = get_bits_count(gb); + sbr->id_aac = id_aac; + if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) { if (read_sbr_single_channel_element(ac, sbr, gb)) { sbr_turnoff(sbr); @@ -1688,6 +1690,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac, int nch = (id_aac == TYPE_CPE) ? 2 : 1; int err; + if (id_aac != sbr->id_aac) { + av_log(ac->avctx, AV_LOG_ERROR, + "element type mismatch %d != %d\n", id_aac, sbr->id_aac); + sbr_turnoff(sbr); + } + if (!sbr->kx_and_m_pushed) { sbr->kx[0] = sbr->kx[1]; sbr->m[0] = sbr->m[1]; diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h index e28fccda09..ff00acba0d 100644 --- a/libavcodec/sbr.h +++ b/libavcodec/sbr.h @@ -137,6 +137,7 @@ typedef struct AACSBRContext { struct SpectralBandReplication { int sample_rate; int start; + int id_aac; int reset; SpectrumParameters spectrum_params; int bs_amp_res_header; From 7fdc2ba3d46e6f5e8cd0634f1bd4d84fee8e078c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2015 02:08:25 +0200 Subject: [PATCH 0676/1352] avcodec/aacsbr: Assert that bs_num_env is positive Signed-off-by: Michael Niedermayer (cherry picked from commit 2e13a45b1a9a69456631e582bbb06954d169eb55) 
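Review bot: After the mismatch check added to ff_sbr_apply calls `sbr_turnoff(sbr)`, the function carries on, and `nch` has already been computed from the caller's `id_aac` on the line above. A channel-pair call can therefore proceed with two channels over state that read_sbr_data filled for a single-channel element; whether sbr_turnoff leaves every per-channel field safe for that is outside this hunk and needs confirming. Separately, `sbr->id_aac` is only written in read_sbr_data, so before the first SBR payload it holds whatever the context was initialised to; if that is 0 and 0 is a valid element type, the comparison passes without any data having been read. Initialising the field to an invalid value where the SBR context is set up would close that gap.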
Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 783783c8f5..9d12cb868f 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1719,6 +1719,7 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac, sbr->c.sbr_hf_inverse_filter(&sbr->dsp, sbr->alpha0, sbr->alpha1, (const float (*)[40][2]) sbr->X_low, sbr->k[0]); sbr_chirp(sbr, &sbr->data[ch]); + av_assert0(sbr->data[ch].bs_num_env > 0); sbr_hf_gen(ac, sbr, sbr->X_high, (const float (*)[40][2]) sbr->X_low, (const float (*)[2]) sbr->alpha0, From 7ecaa736e781c4a4c6dd25601927dafde423c5d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Jul 2015 20:00:15 +0200 Subject: [PATCH 0677/1352] avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2() the later is not optimal when the buffer size is well known at allocation time This avoids a memcpy() Overall 2.5% speedup with a random 1920x1080 video Signed-off-by: Michael Niedermayer (cherry picked from commit 47496eb97cff8130991313d1b7292613620d8592) Signed-off-by: Michael Niedermayer --- libavcodec/rawenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawenc.c b/libavcodec/rawenc.c index c579230013..9bcf5c4cc6 100644 --- a/libavcodec/rawenc.c +++ b/libavcodec/rawenc.c @@ -51,7 +51,7 @@ static int raw_encode(AVCodecContext *avctx, AVPacket *pkt, if (ret < 0) return ret; - if ((ret = ff_alloc_packet2(avctx, pkt, ret)) < 0) + if ((ret = ff_alloc_packet(pkt, ret)) < 0) return ret; if ((ret = avpicture_layout((const AVPicture *)frame, avctx->pix_fmt, avctx->width, avctx->height, pkt->data, pkt->size)) < 0) From 9e52f6b98672eb38699d81870fb2c4c0d148726e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 3 Jul 2015 00:01:56 +0200 Subject: [PATCH 0678/1352] wmalosslessdec: avoid reading 0 bits with get_bits Reviewed-by: Michael Niedermayer 
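Review bot: `av_assert0(sbr->data[ch].bs_num_env > 0);` in ff_sbr_apply aborts the whole process when it fires, and as far as I know av_assert0 stays enabled in release builds. If `bs_num_env` can be 0 or negative for any bitstream, this trades a memory-safety problem for a denial of service in every application that decodes untrusted AAC. Where the value is set is outside the hunk; if it is derived from stream data, validate it where it is parsed and disable SBR for the element (for instance via `sbr_turnoff`) instead, keeping the assert only as documentation of an invariant that is already enforced.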
Signed-off-by: Andreas Cadhalpun (cherry picked from commit f9020d514e9ed5043496a710b36daba1ab182e97) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 8e2ac5ffc6..75fc84bc7e 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -487,7 +487,7 @@ static int decode_cdlms(WmallDecodeCtx *s) if ((1 << cbits) < s->cdlms[c][i].scaling + 1) cbits++; - s->cdlms[c][i].bitsend = get_bits(&s->gb, cbits) + 2; + s->cdlms[c][i].bitsend = (cbits ? get_bits(&s->gb, cbits) : 0) + 2; shift_l = 32 - s->cdlms[c][i].bitsend; shift_r = 32 - s->cdlms[c][i].scaling - 2; for (j = 0; j < s->cdlms[c][i].coefsend; j++) From 9463930faf9f7aeb7242de0697def18342bd9374 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 3 Jul 2015 00:02:44 +0200 Subject: [PATCH 0679/1352] wmalosslessdec: reset frame->nb_samples on packet loss Otherwise a frame with non-zero nb_samples but without any data can be returned. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 42e7a5b3c704985c2c18970cc94a837b413df9d9) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 75fc84bc7e..05d660e6d4 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1029,6 +1029,7 @@ static int decode_frame(WmallDecodeCtx *s) if ((ret = ff_get_buffer(s->avctx, s->frame, 0)) < 0) { /* return an error if no frame could be decoded at all */ s->packet_loss = 1; + s->frame->nb_samples = 0; return ret; } for (i = 0; i < s->num_channels; i++) { From 3fb241210af6000ec16aed5e1b445a6b12a367a7 Mon Sep 17 00:00:00 2001 
From: Chris Watkins Date: Tue, 7 Jul 2015 10:23:44 -0700 Subject: [PATCH 0680/1352] oggparsedirac: check return value of init_get_bits If init_get_bits fails the GetBitContext is invalid and must not be used. Check the return value in dirac_header and propogate the error. Signed-off-by: Michael Niedermayer (cherry picked from commit 4f5c2e651a95b950f6a3fb36f2342cbc32515f17) Signed-off-by: Michael Niedermayer --- libavformat/oggparsedirac.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavformat/oggparsedirac.c b/libavformat/oggparsedirac.c index 73bc495aa8..26d42f302f 100644 --- a/libavformat/oggparsedirac.c +++ b/libavformat/oggparsedirac.c @@ -31,14 +31,19 @@ static int dirac_header(AVFormatContext *s, int idx) AVStream *st = s->streams[idx]; dirac_source_params source; GetBitContext gb; + int ret; // already parsed the header if (st->codec->codec_id == AV_CODEC_ID_DIRAC) return 0; - init_get_bits(&gb, os->buf + os->pstart + 13, (os->psize - 13) * 8); - if (avpriv_dirac_parse_sequence_header(st->codec, &gb, &source) < 0) - return -1; + ret = init_get_bits8(&gb, os->buf + os->pstart + 13, (os->psize - 13)); + if (ret < 0) + return ret; + + ret = avpriv_dirac_parse_sequence_header(st->codec, &gb, &source); + if (ret < 0) + return ret; st->codec->codec_type = AVMEDIA_TYPE_VIDEO; st->codec->codec_id = AV_CODEC_ID_DIRAC; From c58b0d981ea7537507c79c29f5d4337d616da377 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jul 2015 22:16:15 +0200 Subject: [PATCH 0681/1352] avcodec/mpegvideo: Clear pointers in ff_mpv_common_init() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This ensures that no stale pointers leak through on any path Fixes: signal_sigsegv_c3097a_991_xtrem_e2_m64q15_a32sxx.3gp Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b160fc290cf49b516c5b6ee0730fd9da7fc623b1) 
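Review bot: In dirac_header the pointer `os->buf + os->pstart + 13` and the length `os->psize - 13` are formed before anything checks that the packet holds at least 13 bytes. The new code relies on init_get_bits8 rejecting a negative size, which I believe it does, but the intent is clearer and the pointer arithmetic stays in bounds with an explicit guard ahead of the call: `if (os->psize < 13) return AVERROR_INVALIDDATA;`. The parentheses around `(os->psize - 13)` are left over from the old `* 8` expression and can go.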
Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 82 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 78 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index f043bbdace..bea62d9b88 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
@@ -1285,6 +1285,82 @@ fail: return AVERROR(ENOMEM); } +static void clear_context(MpegEncContext *s) +{ + int i, j, k; + + memset(&s->next_picture, 0, sizeof(s->next_picture)); + memset(&s->last_picture, 0, sizeof(s->last_picture)); + memset(&s->current_picture, 0, sizeof(s->current_picture)); + memset(&s->new_picture, 0, sizeof(s->new_picture)); + + memset(s->thread_context, 0, sizeof(s->thread_context)); + + s->me.map = NULL; + s->me.score_map = NULL; + s->dct_error_sum = NULL; + s->block = NULL; + s->blocks = NULL; + memset(s->pblocks, 0, sizeof(s->pblocks)); + s->ac_val_base = NULL; + s->ac_val[0] = + s->ac_val[1] = + s->ac_val[2] =NULL; + s->edge_emu_buffer = NULL; + s->me.scratchpad = NULL; + s->me.temp = + s->rd_scratchpad = + s->b_scratchpad = + s->obmc_scratchpad = NULL; + + s->parse_context.buffer = NULL; + s->parse_context.buffer_size = 0; + s->bitstream_buffer = NULL; + s->allocated_bitstream_buffer_size = 0; + s->picture = NULL; + s->mb_type = NULL; + s->p_mv_table_base = NULL; + s->b_forw_mv_table_base = NULL; + s->b_back_mv_table_base = NULL; + s->b_bidir_forw_mv_table_base = NULL; + s->b_bidir_back_mv_table_base = NULL; + s->b_direct_mv_table_base = NULL; + s->p_mv_table = NULL; + s->b_forw_mv_table = NULL; + s->b_back_mv_table = NULL; + s->b_bidir_forw_mv_table = NULL; + s->b_bidir_back_mv_table = NULL; + s->b_direct_mv_table = NULL; + for (i = 0; i < 2; i++) { + for (j = 0; j < 2; j++) { + for (k = 0; k < 2; k++) { + s->b_field_mv_table_base[i][j][k] = NULL; + s->b_field_mv_table[i][j][k] = NULL; + } + s->b_field_select_table[i][j] = NULL; + s->p_field_mv_table_base[i][j] = NULL; + s->p_field_mv_table[i][j] = NULL; + } + s->p_field_select_table[i] = NULL; + } + + s->dc_val_base = NULL; + s->coded_block_base = NULL; + s->mbintra_table = NULL; + s->cbp_table = NULL; + s->pred_dir_table = NULL; + + s->mbskip_table = NULL; + + s->er.error_status_table = NULL; + s->er.er_temp_buffer = NULL; + s->mb_index2xy = NULL; + s->lambda_table = NULL; + + 
s->cplx_tab = NULL; + s->bits_tab = NULL; +} + /** * init common structure for both encoder and decoder. * this assumes that some variables like width/height are already set @@ -1296,6 +1372,8 @@ av_cold int ff_mpv_common_init(MpegEncContext *s) s->avctx->active_thread_type & FF_THREAD_SLICE) ? s->avctx->thread_count : 1; + clear_context(s); + if (s->encoding && s->avctx->slices) nb_slices = s->avctx->slices; @@ -1343,10 +1421,6 @@ av_cold int ff_mpv_common_init(MpegEncContext *s) if (!s->picture[i].f) goto fail; } - memset(&s->next_picture, 0, sizeof(s->next_picture)); - memset(&s->last_picture, 0, sizeof(s->last_picture)); - memset(&s->current_picture, 0, sizeof(s->current_picture)); - memset(&s->new_picture, 0, sizeof(s->new_picture)); s->next_picture.f = av_frame_alloc(); if (!s->next_picture.f) goto fail; From cbc5d2bf30d0d8f70ab1e350badfef079288a6b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jul 2015 02:01:17 +0200 Subject: [PATCH 0682/1352] avcodec/utils: use a minimum 32pixel width in avcodec_align_dimensions2() for H.264 Fixes Assertion failure Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 7ef6656b1e5bfbc7499013d3b38b093b6b2f31ec) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 737bf43ce6..12cf577343 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -424,10 +424,12 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); - if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) + if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) { // some of the optimized chroma MC reads one line too much // which is also done in mpeg decoders with lowres > 0 *height += 2; + *width = FFMAX(*width, 32); + } for (i = 0; i < 4; i++) linesize_align[i] = STRIDE_ALIGN; 
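Review bot: clear_context() in libavcodec/mpegvideo.c carries no comment stating the invariant it maintains, and it resets every pointer member by hand, so a pointer added to MpegEncContext later and released on the `fail` path will be missed without any compiler diagnostic. I would put `/* Reset every pointer and buffer size that the cleanup path frees; keep in sync with MpegEncContext. */` above the function. Because the fields are overwritten with NULL rather than freed, calling ff_mpv_common_init() on a context that still owns buffers would leak them. Whether any caller does that is not visible in these hunks, so the precondition belongs in the doc comment of ff_mpv_common_init() as well.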
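Review bot: In avcodec_align_dimensions2() (libavcodec/utils.c) the added `*width = FFMAX(*width, 32);` sits under a comment that explains only the two extra lines of height, and it also runs when `s->lowres` is set although the commit title names H.264 only. If the minimum is meant for H.264 alone it wants its own condition, `if (s->codec_id == AV_CODEC_ID_H264) *width = FFMAX(*width, 32);`. If lowres is intended too, a one-line comment naming the code that needs at least 32 pixels of width would record that. The function starts outside the hunk.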
From a23a6bf06b996d85b9c9ae31518cddfdba33a712 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 10 Jul 2015 09:31:24 +0200 Subject: [PATCH 0683/1352] bytestream2: set the reader to the end when reading more than available This prevents possible infinite loops with the calling code along the lines of while (bytestream2_get_bytes_left()) { ... }, where the reader does not advance. CC: libav-stable@libav.org (cherry picked from commit 86eee85daddb682fa072c2e2657c90a514b855e3) Signed-off-by: Michael Niedermayer --- libavcodec/bytestream.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index c2cb601806..7c05ea6cf5 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -71,8 +71,10 @@ static av_always_inline type bytestream2_get_ ## name ## u(GetByteContext *g) \ } \ static av_always_inline type bytestream2_get_ ## name(GetByteContext *g) \ { \ - if (g->buffer_end - g->buffer < bytes) \ + if (g->buffer_end - g->buffer < bytes) { \ + g->buffer = g->buffer_end; \ return 0; \ + } \ return bytestream2_get_ ## name ## u(g); \ } \ static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g) \ From 41fba53525f70827764716d55ba66585d604523e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jul 2015 15:46:10 +0200 Subject: [PATCH 0684/1352] avcodec/alac: Clear pointers in allocate_buffers() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 06a4edb39ad8a9883175f9bd428334a2_signal_sigsegv_7ffff713351a_706_mov__alac__ALAC_6ch.mov Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f7068bf277a37479aecde2832208d820682b35e6) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 604774addb..f018101992 100644 --- a/libavcodec/alac.c 
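Review bot: The checked reader bytestream2_get_ ## name() in libavcodec/bytestream.h now has a side effect on the short-read path that the macro does not document: it moves `g->buffer` to `g->buffer_end` and still returns 0, which a caller cannot tell apart from a zero stored in the stream. I would add `/* short read: consume the remainder so loops on bytes left terminate; returns 0 */` above the new branch (as a block comment, since the line sits inside a macro with continuations). Callers that need to distinguish truncation have to compare the bytes left before the call. The macro body begins and ends outside the hunk.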
+++ b/libavcodec/alac.c @@ -534,6 +534,12 @@ static int allocate_buffers(ALACContext *alac) int ch; int buf_size = alac->max_samples_per_frame * sizeof(int32_t); + for (ch = 0; ch < 2; ch++) { + alac->predict_error_buffer[ch] = NULL; + alac->output_samples_buffer[ch] = NULL; + alac->extra_bits_buffer[ch] = NULL; + } + for (ch = 0; ch < FFMIN(alac->channels, 2); ch++) { FF_ALLOC_OR_GOTO(alac->avctx, alac->predict_error_buffer[ch], buf_size, buf_alloc_fail); From f78573466d447546d26fc959f2a94a1d10c9e425 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jul 2015 16:05:21 +0200 Subject: [PATCH 0685/1352] avcodec/sanm: Reset sizes in destroy_buffers() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes crash in 1288a2fe8e9ae6b00ca40e089d08ca65_signal_sigsegv_7ffff71426a7_354_accident.san with allocation limit 65536 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 9e5ec5400e..2547abb840 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -457,6 +457,7 @@ static void destroy_buffers(SANMVideoContext *ctx) ctx->frm0_size = ctx->frm1_size = ctx->frm2_size = 0; + init_sizes(ctx, 0, 0); } static av_cold int init_buffers(SANMVideoContext *ctx) From bd5cf1dd8f9e52ecf2398904204e502a956d8fc0 Mon Sep 17 00:00:00 2001 
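Review bot: The new clearing loop in allocate_buffers() (libavcodec/alac.c) hard-codes `2` as the number of per-channel slots, a second copy of the constant already used in `FFMIN(alac->channels, 2)` below it. Assuming the three members are fixed-size arrays in ALACContext, `for (ch = 0; ch < FF_ARRAY_ELEMS(alac->predict_error_buffer); ch++)` ties the bound to the declaration, so a change of array size cannot leave a slot uncleared. A short comment such as `/* clear all slots first so the failure path never frees a stale pointer */` would also record why the loop is there. The function continues outside the hunk.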
From: Michael Niedermayer Date: Mon, 13 Jul 2015 21:19:04 +0200 Subject: [PATCH 0686/1352] avcodec/pthread_frame: check avctx on deallocation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereferences Fixes: af1a5a33e67e479f439239097bd0d4fd_signal_sigsegv_7ffff713351a_152_Dolby_Rain_Logo.pmp with memlimit of 8388608 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5d346feafa817c4fbc30f7ed0b93b2dad6cef15b) Signed-off-by: Michael Niedermayer --- libavcodec/pthread_frame.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index 1db46fcf96..fb4b5b8166 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -573,7 +573,7 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) pthread_join(p->thread, NULL); p->thread_init=0; - if (codec->close) + if (codec->close && p->avctx) codec->close(p->avctx); avctx->codec = NULL; @@ -593,12 +593,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) av_packet_unref(&p->avpkt); av_freep(&p->released_buffers); - if (i) { + if (i && p->avctx) { av_freep(&p->avctx->priv_data); av_freep(&p->avctx->slice_offset); } - av_freep(&p->avctx->internal); + if (p->avctx) + av_freep(&p->avctx->internal); av_freep(&p->avctx); } From cf27b297ca0b60c41afa0e43ce046be56a0ed872 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jul 2015 23:33:18 +0200 Subject: [PATCH 0687/1352] ffmpeg: Fix cleanup with ost = NULL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 09e670595acbdafb226974b08dab66e3_signal_sigabrt_7ffff70eccc9_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 1048576 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
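Review bot: In ff_frame_thread_free() (libavcodec/pthread_frame.c) the second hunk tests `p->avctx` twice within a few lines, and the first hunk tests it once more, so a future access to `p->avctx` in this loop can easily end up outside any guard. Grouping the dereferences of the second hunk under one `if (p->avctx)` keeps the NULL case in a single place. The final `av_freep(&p->avctx)` can stay unconditional. The loop body starts outside both hunks, so other uses of `p->avctx` earlier in the iteration are not visible here.

```c
        /* ... unchanged: av_packet_unref / released_buffers ... */
        if (p->avctx) {
            if (i) {
                av_freep(&p->avctx->priv_data);
                av_freep(&p->avctx->slice_offset);
            }
            av_freep(&p->avctx->internal);
        }
        av_freep(&p->avctx);
```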
Signed-off-by: Michael Niedermayer (cherry picked from commit 503ec7139f887bf8ed8d57da07ce93c4e88447a6) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index a83ed73e84..d165eee200 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -466,7 +466,12 @@ static void ffmpeg_cleanup(int ret) } for (i = 0; i < nb_output_streams; i++) { OutputStream *ost = output_streams[i]; - AVBitStreamFilterContext *bsfc = ost->bitstream_filters; + AVBitStreamFilterContext *bsfc; + + if (!ost) + continue; + + bsfc = ost->bitstream_filters; while (bsfc) { AVBitStreamFilterContext *next = bsfc->next; av_bitstream_filter_close(bsfc); From 634605f79e361b06215f83724e2c67e192519c0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Jul 2015 14:14:16 +0200 Subject: [PATCH 0688/1352] avformat/mov: Fix deallocation when MOVStreamContext failed to allocate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 260813283176b57b3c9974fe284eebc3_signal_sigsegv_7ffff713351a_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 262144 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 15629129dde771446a005282ee33c4ea1199e696) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7fafd5a1c5..cabba3755c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3517,6 +3517,9 @@ static int mov_read_close(AVFormatContext *s) AVStream *st = s->streams[i]; MOVStreamContext *sc = st->priv_data; + if (!sc) + continue; + av_freep(&sc->ctts_data); for (j = 0; j < sc->drefs_count; j++) { av_freep(&sc->drefs[j].path); From 7a7ec3ccd9b63e898bb9bafe31ff2475c47cd210 Mon Sep 17 00:00:00 2001 
From: Zhang Rui Date: Tue, 14 Jul 2015 14:47:26 +0800 Subject: [PATCH 0689/1352] avutil/fifo: Fix the case where func() returns less bytes than requested in av_fifo_generic_write() Signed-off-by: Michael Niedermayer (cherry picked from commit fcbea93cf8777bbef2a393d26942b5d3c70a448d) Signed-off-by: Michael Niedermayer --- libavutil/fifo.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/fifo.c b/libavutil/fifo.c index 77391ee7f2..7cb212eb0e 100644 --- a/libavutil/fifo.c +++ b/libavutil/fifo.c @@ -129,7 +129,8 @@ int av_fifo_generic_write(AVFifoBuffer *f, void *src, int size, do { int len = FFMIN(f->end - wptr, size); if (func) { - if (func(src, wptr, len) <= 0) + len = func(src, wptr, len); + if (len <= 0) break; } else { memcpy(wptr, src, len); From 3bc20fe48c5e374d92948e39a09d28332c339e0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jul 2015 19:20:19 +0200 Subject: [PATCH 0690/1352] swscale/utils: Clear pix buffers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes use of uninitialized memory Fixes: a96874b9466b6edc660a519c7ad47977_signal_sigsegv_7ffff713351a_744_nc_sample.avi with memlimit 2147483648 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a5d44d5c220e12ca0cb7a4eceb0f74759cb13111) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 98a9e4d380..84c58ca5f5 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
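Review bot: In av_fifo_generic_write() (libavutil/fifo.c) the value returned by the caller-supplied `func` now replaces `len` without being compared against the amount that was requested. The rest of the loop is outside the hunk, but if it advances the write position and decrements `size` by `len`, a callback that reports more than it was asked for would push the FIFO state past `f->end`. Keeping the request and rejecting an oversized result closes that: `int ret = func(src, wptr, len);` `if (ret <= 0 || ret > len) break;` `len = ret;`.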
@@ -1421,9 +1421,9 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, /* Allocate pixbufs (we use dynamic allocation because otherwise we would * need to allocate several megabytes to handle all possible cases) */ - FF_ALLOC_OR_GOTO(c, c->lumPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); - FF_ALLOC_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); - FF_ALLOC_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->lumPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); + FF_ALLOCZ_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail); if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) FF_ALLOCZ_OR_GOTO(c, c->alpPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail); /* Note we need at least one pixel more at the end because of the MMX code From e3bacdbaaddaa818a41cc27baabd136d08faa3a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jul 2015 11:52:33 +0200 Subject: [PATCH 0691/1352] avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: b4b47bc2b3fb7ca710bfffe5aa969e37_signal_sigabrt_7ffff70eccc9_744_nc_sample2.avi with memlimit of 4194304 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f1a38264f20382731cf2cc75fdd98f4c9a84a626) Signed-off-by: Michael Niedermayer --- libavcodec/pthread_frame.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index fb4b5b8166..93bc6871d4 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c 
@@ -671,6 +671,7 @@ int ff_frame_thread_init(AVCodecContext *avctx) copy->internal = av_malloc(sizeof(AVCodecInternal)); if (!copy->internal) { + copy->priv_data = NULL; err = AVERROR(ENOMEM); goto error; } From 649f09c4cfe916912b115092e4551aedd5fe304e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Jul 2015 20:27:25 +0200 Subject: [PATCH 0692/1352] avfilter/af_aresample: Check ff_all_* for allocation failures MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signal_sigabrt_7ffff70eccc9_498_divx502.avi with memlimit 1572864 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 2ea8a480832acad3095783bcb11d5f290bec56cf) Signed-off-by: Michael Niedermayer --- libavfilter/af_aresample.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/libavfilter/af_aresample.c b/libavfilter/af_aresample.c index 5f34321fe8..f010c2767e 100644 --- a/libavfilter/af_aresample.c +++ b/libavfilter/af_aresample.c 
@@ -86,15 +86,24 @@ static int query_formats(AVFilterContext *ctx) AVFilterLink *inlink = ctx->inputs[0]; AVFilterLink *outlink = ctx->outputs[0]; - AVFilterFormats *in_formats = ff_all_formats(AVMEDIA_TYPE_AUDIO); - AVFilterFormats *out_formats; - AVFilterFormats *in_samplerates = ff_all_samplerates(); - AVFilterFormats *out_samplerates; - AVFilterChannelLayouts *in_layouts = ff_all_channel_counts(); - AVFilterChannelLayouts *out_layouts; + AVFilterFormats *in_formats, *out_formats; + AVFilterFormats *in_samplerates, *out_samplerates; + AVFilterChannelLayouts *in_layouts, *out_layouts; + + in_formats = ff_all_formats(AVMEDIA_TYPE_AUDIO); + if (!in_formats) + return AVERROR(ENOMEM); ff_formats_ref (in_formats, &inlink->out_formats); + + in_samplerates = ff_all_samplerates(); + if (!in_samplerates) + return AVERROR(ENOMEM); ff_formats_ref (in_samplerates, &inlink->out_samplerates); + + in_layouts = ff_all_channel_counts(); + if (!in_layouts) + return AVERROR(ENOMEM); ff_channel_layouts_ref(in_layouts, &inlink->out_channel_layouts); if(out_rate > 0) { From 24f1698758f0bd2ed5968cde35ce96ad58ba4c8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 11:24:45 +0200 Subject: [PATCH 0693/1352] avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoids leaving stale pointers Fixes: signal_sigabrt_7ffff70eccc9_819_sabtriple.rm with memlimit 536870912 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index a232ab2593..6e86ebd35e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c 
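Review bot: The early `return AVERROR(ENOMEM)` statements added to query_formats() (libavfilter/af_aresample.c) leave the function after earlier lists have already been attached with ff_formats_ref(), and nothing in the hunk says who releases those on the error path. Presumably the link owns them from that point; a comment like `/* lists already referenced by inlink are released together with the link */` would make that explicit, if it is indeed the case. The out_formats, out_samplerates and out_layouts variables declared here are assigned after the end of the hunk, so it cannot be confirmed from the visible lines that they receive the same NULL check.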
@@ -1534,7 +1534,14 @@ int ff_rv34_decode_init_thread_copy(AVCodecContext *avctx) if (avctx->internal->is_copy) { r->tmp_b_block_base = NULL; + r->cbp_chroma = NULL; + r->cbp_luma = NULL; + r->deblock_coefs = NULL; + r->intra_types_hist = NULL; + r->mb_type = NULL; + ff_mpv_idct_init(&r->s); + if ((err = ff_mpv_common_init(&r->s)) < 0) return err; if ((err = rv34_decoder_alloc(r)) < 0) { From 7ae349a324f1fc2ec1a7fe280c423e4c4d035bca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 17:55:19 +0200 Subject: [PATCH 0694/1352] avcodec/diracdec: Check for hpel_base allocation failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereference Fixes: signal_sigsegv_b02a96_280_RL_420p_ffdirac.drc with memlimit of 67108864 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1c5b712c0a643a039d6f34269b4102de313a050a) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 1bfe6be0a4..6b93d8632b 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1561,7 +1561,7 @@ static void select_dsp_funcs(DiracContext *s, int width, int height, int xblen, } } -static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, int width, int height) +static int interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, int width, int height) { /* chroma allocates an edge of 8 when subsampled which for 4:2:2 means an h edge of 16 and v edge of 8 
@@ -1573,11 +1573,14 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in /* no need for hpel if we only have fpel vectors */ if (!s->mv_precision) - return; + return 0; for (i = 1; i < 4; i++) { if (!ref->hpel_base[plane][i]) ref->hpel_base[plane][i] = av_malloc((height+2*edge) * ref->avframe->linesize[plane] + 32); + if (!ref->hpel_base[plane][i]) { + return AVERROR(ENOMEM); + } /* we need to be 16-byte aligned even for chroma */ ref->hpel[plane][i] = ref->hpel_base[plane][i] + edge*ref->avframe->linesize[plane] + 16; } @@ -1591,6 +1594,8 @@ static void interpolate_refplane(DiracContext *s, DiracFrame *ref, int plane, in s->mpvencdsp.draw_edges(ref->hpel[plane][3], ref->avframe->linesize[plane], width, height, edge, edge, EDGE_TOP | EDGE_BOTTOM); } ref->interpolated[plane] = 1; + + return 0; } /** @@ -1640,8 +1645,11 @@ static int dirac_decode_frame_internal(DiracContext *s) select_dsp_funcs(s, p->width, p->height, p->xblen, p->yblen); - for (i = 0; i < s->num_refs; i++) - interpolate_refplane(s, s->ref_pics[i], comp, p->width, p->height); + for (i = 0; i < s->num_refs; i++) { + int ret = interpolate_refplane(s, s->ref_pics[i], comp, p->width, p->height); + if (ret < 0) + return ret; + } memset(s->mctmp, 0, 4*p->yoffset*p->stride); From 8fe79605fdcec35f2b277126f5de2d0338468a90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 19:02:26 +0200 Subject: [PATCH 0695/1352] avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signal_sigsegv_d5de23_967_vp80_00_comprehensive_010.ivf with memlimit 524288 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a84f0e8d8f293df3c535f9b893730a835bed6520) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 3 +++ 1 file changed, 3 insertions(+) 
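Review bot: In interpolate_refplane() (libavcodec/diracdec.c) the new failure test repeats the condition `!ref->hpel_base[plane][i]` directly after the allocation that is guarded by the same condition, and it braces a single `return` where the statement above uses no braces. Nesting the check inside the allocating branch reads more directly: `if (!ref->hpel_base[plane][i]) { ref->hpel_base[plane][i] = av_malloc(...); if (!ref->hpel_base[plane][i]) return AVERROR(ENOMEM); }`, with the size expression unchanged. The function now returns a status but has no doc comment; `/** @return 0 on success, AVERROR(ENOMEM) if a half-pel plane cannot be allocated */` would cover it. Buffers allocated for earlier values of `i` stay in `ref` after a failure, and their release happens outside these hunks.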
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 45a57586fc..57d1eb10b8 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2675,6 +2675,9 @@ av_cold int ff_vp8_decode_free(AVCodecContext *avctx) VP8Context *s = avctx->priv_data; int i; + if (!s) + return 0; + vp8_decode_flush_impl(avctx, 1); for (i = 0; i < FF_ARRAY_ELEMS(s->frames); i++) av_frame_free(&s->frames[i].tf.f); From d2b0aae5e1b298075c7e840828b67a4236669f78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2015 19:18:24 +0200 Subject: [PATCH 0696/1352] avcodec/vp8: Check buffer size in vp8_decode_frame_header() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit avoids null pointer dereference Fixes: signal_sigsegv_d5de40_964_vp80-00-comprehensive-010.ivf with memlimit of 1048576 Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 599d746e07319dc792ed2e511b666fe482f1ff88) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 57d1eb10b8..9017ab8c5d 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -633,6 +633,11 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si int width = s->avctx->width; int height = s->avctx->height; + if (buf_size < 3) { + av_log(s->avctx, AV_LOG_ERROR, "Insufficent data (%d) for header\n", buf_size); + return AVERROR_INVALIDDATA; + } + s->keyframe = !(buf[0] & 1); s->profile = (buf[0]>>1) & 7; s->invisible = !(buf[0] & 0x10); From 2d582d142c185fbf7bc9240903423c9bbac7784f Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 29 Jul 2015 22:11:18 +0200 Subject: [PATCH 0697/1352] rawdec: fix mjpeg probing There can be other headers than "Content-Type:" (in this case, a "Content-Length:" header was following), so checking for a trailing newline is wrong. 
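Review bot: The log string in the new size check of vp8_decode_frame_header() (libavcodec/vp8.c) misspells the word as `Insufficent`; it should read `"Insufficient data (%d) for header\n"`, which matters to anyone searching logs for the message. The check guarantees three bytes, which covers the `buf[0]` reads visible in the hunk. The function continues outside the hunk, so whether later reads for key frames are protected by a further length check cannot be confirmed from here. A comment such as `/* the frame tag is 3 bytes */` next to the constant would explain the `3`.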
Signed-off-by: Michael Niedermayer (cherry picked from commit bf51fcd304d5594a4d8eed2bedf0ef0f68fa65f8) Signed-off-by: Michael Niedermayer --- libavformat/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index ca9b2829d6..19bdfc3afd 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -186,7 +186,7 @@ static int mjpeg_probe(AVProbeData *p) } if (nb_invalid*4 + 1 < nb_frames) { - static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n\r\n"; + static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n"; int i; for (i=0; ibuf_size - sizeof(ct_jpeg), 100); i++) From 43956940ea20b8f51ec6d34ced42c63f853072bb Mon Sep 17 00:00:00 2001 From: wm4 Date: Wed, 29 Jul 2015 22:33:44 +0200 Subject: [PATCH 0698/1352] rawdec: fix mjpeg probing buffer size check Signed-off-by: Michael Niedermayer (cherry picked from commit 4c6beaed9210f01290e5a5a4e377f93f145172cc) Signed-off-by: Michael Niedermayer --- libavformat/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rawdec.c b/libavformat/rawdec.c index 19bdfc3afd..b747bbd014 100644 --- a/libavformat/rawdec.c +++ b/libavformat/rawdec.c @@ -189,7 +189,7 @@ static int mjpeg_probe(AVProbeData *p) static const char ct_jpeg[] = "\r\nContent-Type: image/jpeg\r\n"; int i; - for (i=0; ibuf_size - sizeof(ct_jpeg), 100); i++) + for (i=0; ibuf_size - (int)sizeof(ct_jpeg), 100); i++) if (!memcmp(p->buf + i, ct_jpeg, sizeof(ct_jpeg) - 1)) return AVPROBE_SCORE_EXTENSION; From 33629ff60fb301c954718ce91a42b01a262406c8 Mon Sep 17 00:00:00 2001 From: Emanuel Czirai Date: Mon, 3 Aug 2015 00:58:46 +0200 Subject: [PATCH 0699/1352] libavcodec/aacdec_template: Use init_get_bits8() in aac_decode_frame() related to ticket4749 
Signed-off-by: Michael Niedermayer (cherry picked from commit 7ab1c57a64b629455805d7fa74a8a20c689fc1f6) Conflicts: libavcodec/aacdec_template.c (cherry picked from commit dabb6dd98af52a22a922bca4a9196acf68b084dd) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 4a8c2431b1..5f5e5f96c1 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -3096,7 +3096,7 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data, if (INT_MAX / 8 <= buf_size) return AVERROR_INVALIDDATA; - if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0) + if ((err = init_get_bits8(&gb, buf, buf_size)) < 0) return err; switch (ac->oc[1].m4ac.object_type) { From 595af5a036f45870217b936323a71fa71b341d53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Aug 2015 03:11:15 +0200 Subject: [PATCH 0700/1352] avcodec/dcaenc: clear bitstream end This avoids leaving uninitialized bits in the output Signed-off-by: Michael Niedermayer (cherry picked from commit e322b7061f873e8fd33b9e518caa19b87616a528) Signed-off-by: Michael Niedermayer --- libavcodec/dcaenc.c | 4 ++++ tests/fate/acodec.mak | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dcaenc.c b/libavcodec/dcaenc.c index 905cdc9ade..182494a208 100644 --- a/libavcodec/dcaenc.c +++ b/libavcodec/dcaenc.c @@ -939,6 +939,10 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *avpkt, for (i = 0; i < SUBFRAMES; i++) put_subframe(c, i); + + for (i = put_bits_count(&c->pb); i < 8*c->frame_size; i++) + put_bits(&c->pb, 1, 0); + flush_put_bits(&c->pb); avpkt->pts = frame->pts; diff --git a/tests/fate/acodec.mak b/tests/fate/acodec.mak index 325bbd9e32..37fc688730 100644 --- a/tests/fate/acodec.mak +++ b/tests/fate/acodec.mak 
@@ -103,7 +103,7 @@ fate-acodec-dca: tests/data/asynth-44100-2.wav fate-acodec-dca: SRC = tests/data/asynth-44100-2.wav fate-acodec-dca: CMD = md5 -i $(TARGET_PATH)/$(SRC) -c:a dca -strict -2 -f dts -flags +bitexact fate-acodec-dca: CMP = oneline -fate-acodec-dca: REF = fe28cef432ed88de4ee01b87537fd2bd +fate-acodec-dca: REF = c54ca9a13711755ef90fa143a9b38386 FATE_ACODEC-$(call ENCDEC, DCA, WAV) += fate-acodec-dca2 fate-acodec-dca2: CMD = enc_dec_pcm dts wav s16le $(SRC) -c:a dca -strict -2 -flags +bitexact From eac75d405b979b42fd5dc7f910f2561534b14e8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2015 14:54:36 +0200 Subject: [PATCH 0701/1352] avcodec/svq1enc: Check dimensions Fixes assertion failure Signed-off-by: Michael Niedermayer (cherry picked from commit 88fe45e0fe379d7ea86c8ac1e1e8cf2c3f62389f) Signed-off-by: Michael Niedermayer --- libavcodec/svq1enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 850630f288..2d7f7703df 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -514,6 +514,11 @@ static av_cold int svq1_encode_init(AVCodecContext *avctx) SVQ1EncContext *const s = avctx->priv_data; int ret; + if (avctx->width >= 4096 || avctx->height >= 4096) { + av_log(avctx, AV_LOG_ERROR, "Dimensions too large, maximum is 4095x4095\n"); + return AVERROR(EINVAL); + } + ff_hpeldsp_init(&s->hdsp, avctx->flags); ff_me_cmp_init(&s->mecc, avctx); ff_mpegvideoencdsp_init(&s->m.mpvencdsp, avctx); From ac3358d73ad2874f733eef3e6a5ad819cd0d9d3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2015 15:21:04 +0200 Subject: [PATCH 0702/1352] avcodec/flashsvenc: Correct max dimension in error message Signed-off-by: Michael Niedermayer (cherry picked from commit b1f59bb6606721ef5eeade4ada541630d51510fe) Signed-off-by: Michael Niedermayer --- libavcodec/flashsvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/flashsvenc.c b/libavcodec/flashsvenc.c index 6d406e9fa6..2b6a25e96b 100644 --- a/libavcodec/flashsvenc.c +++ b/libavcodec/flashsvenc.c @@ -111,7 +111,7 @@ static av_cold int flashsv_encode_init(AVCodecContext *avctx) if (avctx->width > 4095 || avctx->height > 4095) { av_log(avctx, AV_LOG_ERROR, - "Input dimensions too large, input must be max 4096x4096 !\n"); + "Input dimensions too large, input must be max 4095x4095 !\n"); return AVERROR_INVALIDDATA; } From cbaa9ef0d601856c467a771e600af1aadb1d0f00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Aug 2015 03:35:10 +0200 Subject: [PATCH 0703/1352] avformat/mux: Update sidedata in ff_write_chained() Fixes Ticket4777 Signed-off-by: Michael Niedermayer (cherry picked from commit db91e0edb63afc682ae709f73e3732a4c832944d) Signed-off-by: Michael Niedermayer --- libavformat/mux.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mux.c b/libavformat/mux.c index 55add43ebb..c337377393 100644 --- a/libavformat/mux.c +++ b/libavformat/mux.c @@ -991,6 +991,8 @@ int ff_write_chained(AVFormatContext *dst, int dst_stream, AVPacket *pkt, if (interleave) ret = av_interleaved_write_frame(dst, &local_pkt); else ret = av_write_frame(dst, &local_pkt); pkt->buf = local_pkt.buf; + pkt->side_data = local_pkt.side_data; + pkt->side_data_elems = local_pkt.side_data_elems; pkt->destruct = local_pkt.destruct; return ret; } From 98f167202262bd6cce85a1845915023a4b2e2b49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Aug 2015 15:06:19 +0200 Subject: [PATCH 0704/1352] Update for 2.4.11 Signed-off-by: Michael Niedermayer --- Changelog | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 83 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 183fff9ef7..bc7ac97da7 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,87 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.4.11: +- avformat/mux: Update sidedata in ff_write_chained() +- avcodec/flashsvenc: Correct max dimension in error message +- avcodec/svq1enc: Check dimensions +- avcodec/dcaenc: clear bitstream end +- libavcodec/aacdec_template: Use init_get_bits8() in aac_decode_frame() +- rawdec: fix mjpeg probing buffer size check +- rawdec: fix mjpeg probing +- avcodec/vp8: Check buffer size in vp8_decode_frame_header() +- avcodec/vp8: Fix null pointer dereference in ff_vp8_decode_free() +- avcodec/diracdec: Check for hpel_base allocation failure +- avcodec/rv34: Clear pointers in ff_rv34_decode_init_thread_copy() +- avfilter/af_aresample: Check ff_all_* for allocation failures +- avcodec/pthread_frame: clear priv_data, avoid stale pointer in error case +- swscale/utils: Clear pix buffers +- avutil/fifo: Fix the case where func() returns less bytes than requested in av_fifo_generic_write() +- avformat/mov: Fix deallocation when MOVStreamContext failed to allocate +- ffmpeg: Fix cleanup with ost = NULL +- avcodec/pthread_frame: check avctx on deallocation +- avcodec/sanm: Reset sizes in destroy_buffers() +- avcodec/alac: Clear pointers in allocate_buffers() +- bytestream2: set the reader to the end when reading more than available +- avcodec/utils: use a minimum 32pixel width in avcodec_align_dimensions2() for H.264 +- avcodec/mpegvideo: Clear pointers in ff_mpv_common_init() +- oggparsedirac: check return value of init_get_bits +- wmalosslessdec: reset frame->nb_samples on packet loss +- wmalosslessdec: avoid reading 0 bits with get_bits +- avcodec/rawenc: Use ff_alloc_packet() instead of ff_alloc_packet2() +- avcodec/aacsbr: Assert that bs_num_env is positive +- avcodec/aacsbr: check that the element type matches before applying SBR +- avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h +- vp9/update_prob: prevent 
out of bounds table read +- avfilter/vf_transpose: Fix rounding error +- avcodec/pngdec: Only allow one IHDR chunk +- wmavoice: limit wmavoice_decode_packet return value to packet size +- swscale/swscale_unscaled: Fix rounding difference with RGBA output between little and big endian +- ffmpeg: Do not use the data/size of a bitstream filter after failure +- swscale/x86/rgb2rgb_template: fix signedness of v in shuffle_bytes_2103_{mmx,mmxext} +- swscale/x86/rgb2rgb_template: add missing xmm clobbers +- vda: unlock the pixel buffer base address. +- swscale/rgb2rgb_template: Fix signedness of v in shuffle_bytes_2103_c() +- swscale/rgb2rgb_template: Implement shuffle_bytes_0321_c and fix shuffle_bytes_2103_c on BE +- swscale/rgb2rgb_template: Disable shuffle_bytes_2103_c on big endian +- swr: Remember previously set int_sample_format from user +- matroskadec: check audio sample rate +- matroskadec: validate audio channels and bitdepth +- avcodec/dpxenc: implement write16/32 as functions +- postproc: fix unaligned access +- avio: fix potential crashes when combining ffio_ensure_seekback + crc +- h264: er: Copy from the previous reference only if compatible +- sonic: set avctx->channels in sonic_decode_init +- vp8: change mv_{min,max}.{x,y} type to int +- vp9: change type of tile_size from unsigned to int64_t +- arm: only enable setend on ARMv6 +- libopenjpegdec: check existence of image component data +- mov: abort on EOF in ff_mov_read_chan +- ffmpeg_opt: Check for localtime() failure +- avformat: Fix bug in parse_rps for HEVC. +- takdec: ensure chan2 is a valid channel index +- avcodec/h264_slice: Use AVFrame diemensions for grayscale handling +- avdevice/lavfi: do not rescale AV_NOPTS_VALUE in lavfi_read_packet() +- libavutil/channel_layout: Correctly return layout when channel specification ends with a trailing 'c'. 
+- avcodec/jpeg2000dec: Check that coords match before applying ICT +- avformat/ffmdec: Check ffio_set_buf_size() return value +- avcodec/adpcm: Check for overreads +- avcodec/alsdec: Check for overread +- avcodec/atrac3plusdec: consume only as many bytes as available +- swresample/swresample: Cleanup on init failure. +- Revert "avformat/rtpenc: check av_packet_get_side_data() return, fix null ptr dereference" +- avformat/mxfenc: Accept MXF D-10 with 49.999840 Mbit/sec +- swresample/dither: check memory allocation +- opusdec: properly handle mismatching configurations in multichannel streams +- MAINTAINERS: Remove myself as leader +- h263: Always check both dimensions +- avformat/swfdec: Do not error out on pixel format changes +- avcodec/exr: fix crash caused by merge +- avcodec/x86/h264_weight: handle weight1=128 +- avcodec/hevc_ps: Only discard overread VPS if a previous is available +- avformat/mov: Mark avio context of decompressed atoms as seekable +_ avfilter/x86/vf_hqdn3d: Fix register types + version 2.4.10: - diracdec: check if reference could not be allocated - diracdec: avoid overflow of bytes*8 in decode_lowdelay diff --git a/RELEASE b/RELEASE index b0f6bf0cd2..11e3212692 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.10 +2.4.11 diff --git a/doc/Doxyfile b/doc/Doxyfile index 2b998d7ccc..13ebdc1adb 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.10 +PROJECT_NUMBER = 2.4.11 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From b15311eb6f979fa2c14b72db9a05710503e4e6f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:02:05 +0200 Subject: [PATCH 0705/1352] ffmpeg: check avpicture_fill() return value 
Signed-off-by: Michael Niedermayer (cherry picked from commit 15ff3f3fdfc788c0e4e584badd7ec300abfbd716) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index d165eee200..714a45e7e5 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1710,7 +1710,11 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { /* store AVPicture in AVPacket, as expected by the output format */ - avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); + int ret = avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, "avpicture_fill failed\n"); + exit_program(1); + } opkt.data = (uint8_t *)&pict; opkt.size = sizeof(AVPicture); opkt.flags |= AV_PKT_FLAG_KEY; From 1c058d94b9ea7f9cfe418495c74204c6962a6d65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:16:31 +0200 Subject: [PATCH 0706/1352] ffmpeg: Check for RAWVIDEO and do not relay only on AVFMT_RAWPICTURE The null muxer has AVFMT_RAWPICTURE set but can be fed with non-raw material related to Ticket4778 Signed-off-by: Michael Niedermayer (cherry picked from commit c8890941d63df786bb7a8cab92677416499bb7c3) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 714a45e7e5..db8ada6b94 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
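Review bot: The new check in do_streamcopy() rejects only a negative return from avpicture_fill(), and the positive result is never compared with the packet size. As far as I know, avpicture_fill() returns the number of bytes the picture layout needs. If `opkt.size` can be smaller than that for the given pix_fmt, width and height, the plane pointers in `pict` would reach past the packet data. I would use `if (ret < 0 || ret > opkt.size) {` before `opkt.size` is overwritten with `sizeof(AVPicture)`. The log line could also carry the error code instead of the fixed text. The function starts and ends outside the hunk.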
@@ -1708,7 +1708,9 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p } av_copy_packet_side_data(&opkt, pkt); - if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { + if (ost->st->codec->codec_type == AVMEDIA_TYPE_VIDEO && + ost->st->codec->codec_id == AV_CODEC_ID_RAWVIDEO && + (of->ctx->oformat->flags & AVFMT_RAWPICTURE)) { /* store AVPicture in AVPacket, as expected by the output format */ int ret = avpicture_fill(&pict, opkt.data, ost->st->codec->pix_fmt, ost->st->codec->width, ost->st->codec->height); if (ret < 0) { From 5b41bb29d73eaff18f7fd8e7efe78ec82578f5d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 02:49:21 +0200 Subject: [PATCH 0707/1352] avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check Fixes Ticket4778 Signed-off-by: Michael Niedermayer (cherry picked from commit 2bb54b82b5094fd906aa28c0443be08c95662a31) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c index 739ff95cfd..c4f10f97e8 100644 --- a/libavcodec/h264_mp4toannexb_bsf.c +++ b/libavcodec/h264_mp4toannexb_bsf.c @@ -173,7 +173,7 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc, buf += ctx->length_size; unit_type = *buf & 0x1f; - if (buf + nal_size > buf_end || nal_size < 0) + if (nal_size > buf_end - buf || nal_size < 0) goto fail; if (unit_type == 7 || unit_type == 8) From 3faf444010121374637c23109a0582fdb9e536bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 03:02:55 +0200 Subject: [PATCH 0708/1352] ffmpeg: Check av_parser_change() for failure No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit ac0ba6f233698f02ebb75b03242e94333dbe13d4) 
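Review bot: In h264_mp4toannexb_filter(), `unit_type = *buf & 0x1f;` still runs before the reordered bounds check, directly after `buf += ctx->length_size;`. If the length field ends exactly at `buf_end`, that read is one byte past the buffer, and the new check lets it through when `nal_size` is 0; whether an earlier check outside the hunk rules this out is not visible. I would put `if (nal_size < 0 || nal_size > buf_end - buf) goto fail;` first and read `unit_type` only afterwards, and only when `nal_size` is non-zero.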
Signed-off-by: Michael Niedermayer --- ffmpeg.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index db8ada6b94..30f0be7090 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -1694,10 +1694,15 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG2VIDEO && ost->enc_ctx->codec_id != AV_CODEC_ID_VC1 ) { - if (av_parser_change(ost->parser, ost->st->codec, + int ret = av_parser_change(ost->parser, ost->st->codec, &opkt.data, &opkt.size, pkt->data, pkt->size, - pkt->flags & AV_PKT_FLAG_KEY)) { + pkt->flags & AV_PKT_FLAG_KEY); + if (ret < 0) { + av_log(NULL, AV_LOG_FATAL, "av_parser_change failed\n"); + exit_program(1); + } + if (ret) { opkt.buf = av_buffer_create(opkt.data, opkt.size, av_buffer_default_free, NULL, 0); if (!opkt.buf) exit_program(1); From e0bd87de8fa35d9a7bd94603fe1a22637143da72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Aug 2015 03:04:41 +0200 Subject: [PATCH 0709/1352] ffmpeg: Use correct codec_id for av_parser_change() check No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit 45f3d4e63e7807ff3d281f269625ed83f11e4cdc) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 30f0be7090..3efa7ff579 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
@@ -1687,12 +1687,11 @@ static void do_streamcopy(InputStream *ist, OutputStream *ost, const AVPacket *p opkt.duration = av_rescale_q(pkt->duration, ist->st->time_base, ost->st->time_base); opkt.flags = pkt->flags; - // FIXME remove the following 2 lines they shall be replaced by the bitstream filters - if ( ost->enc_ctx->codec_id != AV_CODEC_ID_H264 - && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG1VIDEO - && ost->enc_ctx->codec_id != AV_CODEC_ID_MPEG2VIDEO - && ost->enc_ctx->codec_id != AV_CODEC_ID_VC1 + if ( ost->st->codec->codec_id != AV_CODEC_ID_H264 + && ost->st->codec->codec_id != AV_CODEC_ID_MPEG1VIDEO + && ost->st->codec->codec_id != AV_CODEC_ID_MPEG2VIDEO + && ost->st->codec->codec_id != AV_CODEC_ID_VC1 ) { int ret = av_parser_change(ost->parser, ost->st->codec, &opkt.data, &opkt.size, From cc39b2be236f00c07a31cbc05cb24133260d348f Mon Sep 17 00:00:00 2001 From: Arthur Grant Date: Mon, 24 Aug 2015 12:19:03 +0200 Subject: [PATCH 0710/1352] avformat/hevc: Fix parsing errors Signed-off-by: Michael Niedermayer (cherry picked from commit 781efd07415cdf6f676cca5b22147e5d6be0a4c4) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 32192badca..9932d92298 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -565,7 +565,8 @@ static int hvcc_parse_sps(GetBitContext *gb, } if (get_bits1(gb)) { // long_term_ref_pics_present_flag - for (i = 0; i < get_ue_golomb_long(gb); i++) { // num_long_term_ref_pics_sps + unsigned num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + for (i = 0; i < num_long_term_ref_pics_sps; i++) { // num_long_term_ref_pics_sps int len = FFMIN(log2_max_pic_order_cnt_lsb_minus4 + 4, 16); skip_bits (gb, len); // lt_ref_pic_poc_lsb_sps[i] skip_bits1(gb); // used_by_curr_pic_lt_sps_flag[i] 
@@ -616,11 +617,12 @@ static int hvcc_parse_pps(GetBitContext *gb, get_se_golomb_long(gb); // pps_cr_qp_offset /* + * pps_slice_chroma_qp_offsets_present_flag u(1) * weighted_pred_flag u(1) * weighted_bipred_flag u(1) * transquant_bypass_enabled_flag u(1) */ - skip_bits(gb, 3); + skip_bits(gb, 4); tiles_enabled_flag = get_bits1(gb); entropy_coding_sync_enabled_flag = get_bits1(gb); From b06958917cca35a0dc7ac1da4d8e681cdea811ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Aug 2015 13:04:38 +0200 Subject: [PATCH 0711/1352] avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops Signed-off-by: Michael Niedermayer (cherry picked from commit ee155c18a2c50b339ba5f6f223fbb6dc343fd471) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 9932d92298..f403e1c522 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -566,6 +566,8 @@ static int hvcc_parse_sps(GetBitContext *gb, if (get_bits1(gb)) { // long_term_ref_pics_present_flag unsigned num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + if (num_long_term_ref_pics_sps > 31U) + return AVERROR_INVALIDDATA; for (i = 0; i < num_long_term_ref_pics_sps; i++) { // num_long_term_ref_pics_sps int len = FFMIN(log2_max_pic_order_cnt_lsb_minus4 + 4, 16); skip_bits (gb, len); // lt_ref_pic_poc_lsb_sps[i] From 0045969e411bcf946b2393e7bcb42032cb71a9a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Aug 2015 02:40:41 +0200 Subject: [PATCH 0712/1352] Update Changelog Signed-off-by: Michael Niedermayer --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog b/Changelog index bc7ac97da7..9914409829 100644 --- a/Changelog +++ b/Changelog 
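Review bot: The bound in `if (num_long_term_ref_pics_sps > 31U)` in hvcc_parse_sps() is a bare number with no comment saying where it comes from. If it is meant to mirror the HEVC syntax limit, I believe the specification allows 0 to 32 inclusive, in which case 31 would reject a valid stream; please check this against the spec. Either way, a named constant with a short comment giving the source of the limit would make the check auditable. The loop body that consumes the value continues outside the hunk.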
@@ -2,6 +2,13 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 2.4.11: +- avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops +- avformat/hevc: Fix parsing errors +- ffmpeg: Use correct codec_id for av_parser_change() check +- ffmpeg: Check av_parser_change() for failure +- avcodec/h264_mp4toannexb_bsf: Reorder operations in nal_size check +- ffmpeg: Check for RAWVIDEO and do not relay only on AVFMT_RAWPICTURE +- ffmpeg: check avpicture_fill() return value - avformat/mux: Update sidedata in ff_write_chained() - avcodec/flashsvenc: Correct max dimension in error message - avcodec/svq1enc: Check dimensions From 30f45124778c2479e0a295df817b49edf7a571cf Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 20 Sep 2015 23:20:43 -0300 Subject: [PATCH 0713/1352] doc: mention libavcodec can decode Opus natively Signed-off-by: James Almer (cherry picked from commit fd9ac48dc8aebcbd601af34336234d5102b36e21) --- doc/general.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/general.texi b/doc/general.texi index 8d7555d10f..5ca100b67f 100644 --- a/doc/general.texi +++ b/doc/general.texi @@ -935,8 +935,8 @@ following image formats are supported: @item Musepack SV8 @tab @tab X @item Nellymoser Asao @tab X @tab X @item On2 AVC (Audio for Video Codec) @tab @tab X -@item Opus @tab E @tab E - @tab supported through external library libopus +@item Opus @tab E @tab X + @tab encoding supported through external library libopus @item PCM A-law @tab X @tab X @item PCM mu-law @tab X @tab X @item PCM signed 8-bit planar @tab X @tab X From f5ce1a7626913a596d555983c5a03880b178cb30 Mon Sep 17 00:00:00 2001 
From: wm4 Date: Wed, 30 Sep 2015 14:53:35 +0200 Subject: [PATCH 0714/1352] avcodec/mp3: fix skipping zeros Commits 43bc5cf9 and c5371f77 add code for skipping initial zeros in mp3 packets. This code forgot to report to the user that data was skipped at all. Since audio codecs allow partial packet decoding, the user application has to rely on the return value. It will remove the data reported as consumed by the decoder, and feed it to the decoder again. This resulted in the mp3 frame after the zero region to be decoded over and over again, until the zero region was finally skipped by the application. Fix this by including the amount of skipped bytes to the number of consumed bytes returned by the decode call. Fixes trac ticket #4890. (cherry picked from commit cb1da9fb8d71bb611a7b0028914c97afc3f5711d) --- libavcodec/mpegaudiodec_template.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index c4c03d9106..f3a335c52a 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -1642,9 +1642,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, uint32_t header; int ret; + int skipped = 0; while(buf_size && !*buf){ buf++; buf_size--; + skipped++; } if (buf_size < HEADER_SIZE) @@ -1699,7 +1701,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, return ret; } s->frame_size = 0; - return buf_size; + return buf_size + skipped; } static void mp_flush(MPADecodeContext *ctx) From 13b34510b6bc50ccabffe7e6b0d570942d89ec58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Przemys=C5=82aw=20Sobala?= Date: Tue, 29 Sep 2015 15:25:07 +0200 Subject: [PATCH 0715/1352] lavf/img2dec: Fix memory leak Fixes #4886 
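Review bot: Only the final `return buf_size + skipped;` in decode_frame() accounts for the leading zero bytes, and the code between the two hunks is not visible. Any other path there that returns a consumed-byte count needs the same adjustment, otherwise the caller will re-feed the skipped region as the commit message describes. A short comment at the return, such as `/* include the zero bytes skipped above in the consumed count */`, would keep later edits from dropping it.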
Signed-off-by: Michael Niedermayer (cherry picked from commit 01dd7e025c246d9001f1a30f4a5d8fa2936d1a5e) --- libavformat/img2dec.c | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 1509f19426..308062c7ad 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -440,14 +440,17 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } res = av_new_packet(pkt, size[0] + size[1] + size[2]); - if (res < 0) - return res; + if (res < 0) { + goto fail; + } pkt->stream_index = 0; pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; - if (stat(filename, &img_stat)) - return AVERROR(EIO); + if (stat(filename, &img_stat)) { + res = AVERROR(EIO); + goto fail; + } pkt->pts = (int64_t)img_stat.st_mtime; #if HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC if (s->ts_from_file == 2) @@ -481,18 +484,29 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) { av_free_packet(pkt); if (ret[0] < 0) { - return ret[0]; + res = ret[0]; } else if (ret[1] < 0) { - return ret[1]; - } else if (ret[2] < 0) - return ret[2]; - return AVERROR_EOF; + res = ret[1]; + } else if (ret[2] < 0) { + res = ret[2]; + } else { + res = AVERROR_EOF; + } + goto fail; } else { s->img_count++; s->img_number++; s->pts++; return 0; } + +fail: + if (!s->is_pipe) { + for (i = 0; i < 3; i++) { + avio_closep(&f[i]); + } + } + return res; } static int img_read_close(struct AVFormatContext* s1) From 6e629b0b66c71d50af72ad591548f1a26dd075e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2015 23:49:30 +0200 Subject: [PATCH 0716/1352] avcodec/ffv1: seperate slice_count from max_slice_count Fix segfault with too large slice_count Fixes Ticket4879 
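Review bot: The stat() failure path in ff_img_read_packet() now jumps to `fail` while the packet from av_new_packet() is still allocated. The `fail` label only closes `f[i]`, so `pkt` leaks on that path. The read-failure branch further down already calls `av_free_packet(pkt);` before its `goto fail`; the stat branch should do the same before `res = AVERROR(EIO);`. The function starts outside the hunks.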
Signed-off-by: Michael Niedermayer (cherry picked from commit aa6c43f3fdec8a7518534b9dab20c9eb4be11568) Conflicts: libavcodec/ffv1enc.c libavcodec/ffv1.c --- libavcodec/ffv1.c | 14 +++++++------- libavcodec/ffv1.h | 1 + libavcodec/ffv1dec.c | 8 +++++--- libavcodec/ffv1enc.c | 4 +++- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index ab58a6074f..6073bc4461 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -101,7 +101,7 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) av_cold int ffv1_init_slices_state(FFV1Context *f) { int i, ret; - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = f->slice_context[i]; if ((ret = ffv1_init_slice_state(f, fs)) < 0) return AVERROR(ENOMEM); @@ -113,10 +113,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f) { int i; - f->slice_count = f->num_h_slices * f->num_v_slices; - av_assert0(f->slice_count > 0); + f->max_slice_count = f->num_h_slices * f->num_v_slices; + av_assert0(f->max_slice_count > 0); - for (i = 0; i < f->slice_count; i++) { + for (i = 0; i < f->max_slice_count; i++) { FFV1Context *fs = av_mallocz(sizeof(*fs)); int sx = i % f->num_h_slices; int sy = i / f->num_h_slices; @@ -201,7 +201,7 @@ av_cold int ffv1_close(AVCodecContext *avctx) ff_thread_release_buffer(avctx, &s->last_picture); av_frame_free(&s->last_picture.f); - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *fs = s->slice_context[j]; for (i = 0; i < s->plane_count; i++) { PlaneContext *p = &fs->plane[i]; 
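Review bot: In ffv1_init_slice_contexts(), `f->max_slice_count = f->num_h_slices * f->num_v_slices;` is only asserted to be positive before it becomes the loop bound here and in ffv1_close(), where `s->slice_context[j]` is indexed up to it. The ffv1.h hunk shows `slice_context[MAX_SLICES]`, and the decoder check in read_header() bounds `slice_count` but not `max_slice_count` against MAX_SLICES. Unless the callers that set num_h_slices and num_v_slices already guarantee the product fits (not visible here), I would return an error when it does not, e.g. `if (f->max_slice_count <= 0 || f->max_slice_count > MAX_SLICES) return AVERROR(EINVAL);`, instead of asserting.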
@@ -215,14 +215,14 @@ av_cold int ffv1_close(AVCodecContext *avctx) av_freep(&avctx->stats_out); for (j = 0; j < s->quant_table_count; j++) { av_freep(&s->initial_states[j]); - for (i = 0; i < s->slice_count; i++) { + for (i = 0; i < s->max_slice_count; i++) { FFV1Context *sf = s->slice_context[i]; av_freep(&sf->rc_stat2[j]); } av_freep(&s->rc_stat2[j]); } - for (i = 0; i < s->slice_count; i++) + for (i = 0; i < s->max_slice_count; i++) av_freep(&s->slice_context[i]); return 0; diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h index 5081397f54..cc354c385e 100644 --- a/libavcodec/ffv1.h +++ b/libavcodec/ffv1.h @@ -117,6 +117,7 @@ typedef struct FFV1Context { struct FFV1Context *slice_context[MAX_SLICES]; int slice_count; + int max_slice_count; int num_v_slices; int num_h_slices; int slice_width; diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 376546f44c..760d74faf7 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -770,6 +770,7 @@ static int read_header(FFV1Context *f) av_log(f->avctx, AV_LOG_ERROR, "read_quant_table error\n"); return AVERROR_INVALIDDATA; } + f->slice_count = f->max_slice_count; } else if (f->version < 3) { f->slice_count = get_symbol(c, state, 0); } else { @@ -784,8 +785,8 @@ static int read_header(FFV1Context *f) p -= size + trailer; } } - if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0) { - av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid\n", f->slice_count); + if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0 || f->slice_count > f->max_slice_count) { + av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid (max=%d)\n", f->slice_count, f->max_slice_count); return AVERROR_INVALIDDATA; } @@ -1008,6 +1009,7 @@ static int init_thread_copy(AVCodecContext *avctx) f->picture.f = NULL; f->last_picture.f = NULL; f->sample_buffer = NULL; + f->max_slice_count = 0; f->slice_count = 0; for (i = 0; i < f->quant_table_count; i++) { 
@@ -1078,7 +1080,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) av_assert0(!fdst->sample_buffer); } - av_assert1(fdst->slice_count == fsrc->slice_count); + av_assert1(fdst->max_slice_count == fsrc->max_slice_count); ff_thread_release_buffer(dst, &fdst->picture); diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index cf2a13dc6b..25b70d673e 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -961,6 +961,7 @@ slices_ok: if ((ret = ffv1_init_slice_contexts(s)) < 0) return ret; + s->slice_count = s->max_slice_count; if ((ret = ffv1_init_slices_state(s)) < 0) return ret; @@ -970,7 +971,7 @@ slices_ok: if (!avctx->stats_out) return AVERROR(ENOMEM); for (i = 0; i < s->quant_table_count; i++) - for (j = 0; j < s->slice_count; j++) { + for (j = 0; j < s->max_slice_count; j++) { FFV1Context *sf = s->slice_context[j]; av_assert0(!sf->rc_stat2[i]); sf->rc_stat2[i] = av_mallocz(s->context_count[i] * @@ -1194,6 +1195,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, for (i = 0; i < f->quant_table_count; i++) memset(f->rc_stat2[i], 0, f->context_count[i] * sizeof(*f->rc_stat2[i])); + av_assert0(f->slice_count == f->max_slice_count); for (j = 0; j < f->slice_count; j++) { FFV1Context *fs = f->slice_context[j]; for (i = 0; i < 256; i++) { From f085ce32656381f8924e2f2f485669a46ed3209d Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 20 Sep 2015 12:39:14 +0200 Subject: [PATCH 0717/1352] hevc: fix wpp threading deadlock. Fixes ticket 4258. (cherry picked from commit 74e4948235bc8f8946eeca20525258bbf383f75d) --- libavcodec/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 81495eb6e1..e5b4bb1048 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
@@ -2368,6 +2368,8 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int if (more_data < 0) { s->tab_slice_address[ctb_addr_rs] = -1; + avpriv_atomic_int_set(&s1->wpp_err, 1); + ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP); return more_data; } From 4edb236c49722bed5bdc72346c81c7224881106d Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Sat, 12 Sep 2015 21:50:24 +0200 Subject: [PATCH 0718/1352] hevc: properly handle no_rasl_output_flag when removing pictures from the DPB Fixes ticket #4185. Reviewed-By: Mickael Raulet Signed-off-by: Hendrik Leppkes (cherry picked from commit 0118158efa8e45761f9f65a3bb74f33907bd2aec) --- libavcodec/hevc.c | 5 +++++ libavcodec/hevc.h | 1 + libavcodec/hevc_refs.c | 2 +- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index e5b4bb1048..fbfcb95e30 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -769,6 +769,8 @@ static int hls_slice_header(HEVCContext *s) s->HEVClc->tu.cu_qp_offset_cb = 0; s->HEVClc->tu.cu_qp_offset_cr = 0; + s->no_rasl_output_flag = IS_IDR(s) || IS_BLA(s) || (s->nal_unit_type == NAL_CRA_NUT && s->last_eos); + return 0; } @@ -3310,6 +3312,7 @@ static int hevc_update_thread_context(AVCodecContext *dst, s->pocTid0 = s0->pocTid0; s->max_ra = s0->max_ra; s->eos = s0->eos; + s->no_rasl_output_flag = s0->no_rasl_output_flag; s->is_nalff = s0->is_nalff; s->nal_length_size = s0->nal_length_size; @@ -3404,6 +3407,7 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx) s->enable_parallel_tiles = 0; s->picture_struct = 0; + s->eos = 1; if(avctx->active_thread_type & FF_THREAD_SLICE) s->threads_number = avctx->thread_count; @@ -3445,6 +3449,7 @@ static void hevc_decode_flush(AVCodecContext *avctx) HEVCContext *s = avctx->priv_data; ff_hevc_flush_dpb(s); s->max_ra = INT_MAX; + s->eos = 1; } #define OFFSET(x) offsetof(HEVCContext, x) 
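Review bot: The error path in hls_decode_entry_wpp() now sets `wpp_err` and reports progress for a row that failed, with no comment explaining why. Presumably this lets rows waiting on this one wake up, see the flag and stop, but the waiting side is outside the hunk. I would add `/* unblock rows waiting on this one; they check wpp_err and bail out */` above the two new lines. The argument list `ctb_row ,thread` also has its space on the wrong side of the comma.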
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 92b0423751..7efafe11e2 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -844,6 +844,7 @@ typedef struct HEVCContext { int bs_height; int is_decoded; + int no_rasl_output_flag; HEVCPredContext hpc; HEVCDSPContext hevcdsp; diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index b3a97871d5..dc35d3591a 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -158,7 +158,7 @@ int ff_hevc_output_frame(HEVCContext *s, AVFrame *out, int flush) int min_poc = INT_MAX; int i, min_idx, ret; - if (s->sh.no_output_of_prior_pics_flag == 1) { + if (s->sh.no_output_of_prior_pics_flag == 1 && s->no_rasl_output_flag == 1) { for (i = 0; i < FF_ARRAY_ELEMS(s->DPB); i++) { HEVCFrame *frame = &s->DPB[i]; if (!(frame->flags & HEVC_FRAME_FLAG_BUMPING) && frame->poc != s->poc && From 6b4a22b5e9b37d8631d1e5af13ec687fa842622a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Sep 2015 04:01:27 +0200 Subject: [PATCH 0719/1352] avformat/avidec: Workaround broken initial frame Fixes Ticket4851 Signed-off-by: Michael Niedermayer (cherry picked from commit 3e2ef00394b8079e93835d47c993868229f07502) --- libavformat/avidec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index eec748f9d0..7387217ce9 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1544,7 +1544,8 @@ static int avi_read_idx1(AVFormatContext *s, int size) ast = st->priv_data; if (first_packet && first_packet_pos) { - data_offset = first_packet_pos - pos; + if (avi->movi_list + 4 != pos || pos + 500 > first_packet_pos) + data_offset = first_packet_pos - pos; first_packet = 0; } pos += data_offset; From 18f36c70ec7a61140f92fdaf637e09cdcd2f4c8b Mon Sep 17 00:00:00 2001 
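Review bot: The new condition in avi_read_idx1(), `avi->movi_list + 4 != pos || pos + 500 > first_packet_pos`, uses the constants 4 and 500 without explanation. This is a heuristic on untrusted index data that decides whether `data_offset` is applied to every later entry, so the file layout it is meant to detect should be written down next to it. I would add a comment naming the workaround and its ticket, and give 500 a named constant. The function starts and ends outside the hunk.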
From: Michael Niedermayer Date: Thu, 27 Aug 2015 04:08:42 +0200 Subject: [PATCH 0720/1352] avformat/oggenc: Check segments_count for headers too Fixes infinite loop and segfault in ogg_buffer_data() Fixes Ticket4806 Signed-off-by: Michael Niedermayer (cherry picked from commit 81a8701eb52d2b6469ae16ef442ce425388141b7) --- libavformat/oggenc.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/oggenc.c b/libavformat/oggenc.c index bfa9a25edc..e87cbba231 100644 --- a/libavformat/oggenc.c +++ b/libavformat/oggenc.c @@ -257,7 +257,7 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, if (i == total_segments) page->granule = granule; - if (!header) { + { AVStream *st = s->streams[page->stream_index]; int64_t start = av_rescale_q(page->start_granule, st->time_base, @@ -265,10 +265,13 @@ static int ogg_buffer_data(AVFormatContext *s, AVStream *st, int64_t next = av_rescale_q(page->granule, st->time_base, AV_TIME_BASE_Q); - if (page->segments_count == 255 || - (ogg->pref_size > 0 && page->size >= ogg->pref_size) || - (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + if (page->segments_count == 255) { ogg_buffer_page(s, oggstream); + } else if (!header) { + if ((ogg->pref_size > 0 && page->size >= ogg->pref_size) || + (ogg->pref_duration > 0 && next - start >= ogg->pref_duration)) { + ogg_buffer_page(s, oggstream); + } } } } From d3af86c867c709dadaf4caa472b9d5c3d6b9a841 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Fri, 23 Oct 2015 11:11:53 -0400 Subject: [PATCH 0721/1352] videodsp: don't overread edges in vfix3 emu_edge. Fixes trac ticket 3226. Also see Andreas' analysis in https://bugs.debian.org/801745, which was very helpful. (cherry picked from commit 52f84d82bdf1851ecfcc412c1719e5f6f3396209) --- libavcodec/x86/videodsp.asm | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) 
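Review bot: With `if (!header)` removed in ogg_buffer_data(), a bare `{ ... }` block is left that computes `start` and `next` with av_rescale_q() for header pages too, although only the `else if (!header)` branch reads them. Moving the two declarations into that branch would drop the bare block and make it clear that the `segments_count == 255` flush is the only part that applies to headers. The inner `AVStream *st` also shadows the function's `st` parameter. A comment on the 255 test stating that a page cannot hold more segments would document why it must run for headers as well.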
diff --git a/libavcodec/x86/videodsp.asm b/libavcodec/x86/videodsp.asm index 1ac02574d6..77189fa6ef 100644 --- a/libavcodec/x86/videodsp.asm +++ b/libavcodec/x86/videodsp.asm @@ -185,8 +185,12 @@ hvar_fn %elif (%2-%%off) == 2 mov valw, [srcq+%2-2] %elifidn %1, body - mov vald, [srcq+%2-3] -%else + mov valb, [srcq+%2-1] + sal vald, 16 + mov valw, [srcq+%2-3] +%elifidn %1, bottom + movd mm %+ %%mmx_idx, [srcq+%2-4] +%else ; top movd mm %+ %%mmx_idx, [srcq+%2-3] %endif %endif ; (%2-%%off) >= 1 @@ -242,12 +246,15 @@ hvar_fn mov [dstq+%2-2], valw %elifidn %1, body mov [dstq+%2-3], valw - shr vald, 16 + sar vald, 16 mov [dstq+%2-1], valb %else movd vald, mm %+ %%mmx_idx +%ifidn %1, bottom + sar vald, 8 +%endif mov [dstq+%2-3], valw - shr vald, 16 + sar vald, 16 mov [dstq+%2-1], valb %endif %endif ; (%2-%%off) >= 1 From f3e33608a5d65bec0cb303641e066681b69f3131 Mon Sep 17 00:00:00 2001 From: wm4 Date: Sat, 10 Jan 2015 18:00:08 +0100 Subject: [PATCH 0722/1352] vp9: avoid infinite loop with broken files With a certain fuzzed file, the parser will always return 0 consumed bytes, which makes calling code call the parser infinitely. Return the full packet size on error instead. (Here it would be nice if parsers could return errors at all.) Additionally, _if_ there's some data left, return that too, which might help with somewhat broken but still somehow playable files. Fixes ticket #4242. Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 09b4ad15681be197fff8c57ce7c988a4718d6e03) Signed-off-by: Andreas Cadhalpun --- libavcodec/vp9_parser.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c index 922f36f381..b188785456 100644 --- a/libavcodec/vp9_parser.c +++ b/libavcodec/vp9_parser.c @@ -43,6 +43,7 @@ static int parse(AVCodecParserContext *ctx, const uint8_t *data, int size) { VP9ParseContext *s = ctx->priv_data; + int full_size = size; int marker; if (size <= 0) { 
@@ -77,12 +78,12 @@ static int parse(AVCodecParserContext *ctx, idx += a; \ if (sz > size) { \ s->n_frames = 0; \ - *out_size = 0; \ + *out_size = size; \ *out_data = data; \ av_log(avctx, AV_LOG_ERROR, \ "Superframe packet size too big: %u > %d\n", \ sz, size); \ - return size; \ + return full_size; \ } \ if (first) { \ first = 0; \ From d837407ae0bcdfe676713c16871daadddc99649f Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Tue, 21 Apr 2015 20:54:51 -0400 Subject: [PATCH 0723/1352] vp9: add support for resolution changes in inter frames. Signed-off-by: Michael Niedermayer (cherry picked from commit e8b4f6d6befc5062db74916ea8a4d830e83022a8) Signed-off-by: Andreas Cadhalpun --- libavcodec/vp9.c | 316 ++++++++++++++++++----------------- libavcodec/vp9_mc_template.c | 171 +++++++++++++++++++ libavcodec/vp9_parser.c | 5 +- libavcodec/vp9dsp.c | 205 +++++++++++++++++++++-- libavcodec/vp9dsp.h | 9 + 5 files changed, 535 insertions(+), 171 deletions(-) create mode 100644 libavcodec/vp9_mc_template.c diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 8327134d37..dd75e9e79d 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -239,7 +239,7 @@ typedef struct VP9Context { // whole-frame cache uint8_t *intra_pred_data[3]; struct VP9Filter *lflvl; - DECLARE_ALIGNED(32, uint8_t, edge_emu_buffer)[71*80]; + DECLARE_ALIGNED(32, uint8_t, edge_emu_buffer)[135*144]; // block reconstruction intermediates int block_alloc_using_2pass; @@ -248,6 +248,8 @@ typedef struct VP9Context { struct { int x, y; } min_mv, max_mv; DECLARE_ALIGNED(32, uint8_t, tmp_y)[64*64]; DECLARE_ALIGNED(32, uint8_t, tmp_uv)[2][32*32]; + uint16_t mvscale[3][2]; + uint8_t mvstep[3][2]; } VP9Context; static const uint8_t bwh_tab[2][N_BS_SIZES][2] = { 
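Review bot: The error branch of the superframe macro now returns `full_size` while `*out_size` is set to the remaining `size`, and nothing in the code explains why the two differ. A comment beside `return full_size;` such as `/* consume the whole packet so the caller is not handed the same bytes again; the unparsed tail is still exposed as output */` would record the intent that is currently only in the commit message. The macro and parse() both extend beyond the two hunks shown.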
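Review bot: The new `edge_emu_buffer` size `135*144` is a bare literal whose safety depends on code elsewhere in this patch. mc_luma_scaled and mc_chroma_scaled hard-code the stride `144` and copy `refbh_m1 + 8` rows, which stays within 135 rows only while the block dimension is at most 64 and the step at most 32, that is, while decode_frame_header keeps rejecting references more than twice the frame size. I would name the row count and the stride once (an enum next to the struct would do) and note the dependency in a comment beside the field, so that a later change to the scaling limits cannot silently undersize the buffer. `mvscale` and `mvstep` would also benefit from a one-line comment giving their fixed-point format.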
@@ -582,6 +584,26 @@ static int decode_frame_header(AVCodecContext *ctx, s->varcompref[1] = 2; } } + + for (i = 0; i < 3; i++) { + AVFrame *ref = s->refs[s->refidx[i]].f; + int refw = ref->width, refh = ref->height; + + if (refw == w && refh == h) { + s->mvscale[i][0] = s->mvscale[i][1] = 0; + } else { + if (w * 2 < refw || h * 2 < refh || w > 16 * refw || h > 16 * refh) { + av_log(ctx, AV_LOG_ERROR, + "Invalid ref frame dimensions %dx%d for frame size %dx%d\n", + refw, refh, w, h); + return AVERROR_INVALIDDATA; + } + s->mvscale[i][0] = (refw << 14) / w; + s->mvscale[i][1] = (refh << 14) / h; + s->mvstep[i][0] = 16 * s->mvscale[i][0] >> 14; + s->mvstep[i][1] = 16 * s->mvscale[i][1] >> 14; + } + } } } s->refreshctx = s->errorres ? 0 : get_bits1(&s->gb); 
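Review bot: `s->mvscale[i][0] = s->mvscale[i][1] = 0` uses zero as a "reference has the same size" marker that inter_recon tests later, but the loop does not say so and leaves `mvstep[i]` at whatever an earlier frame stored. A comment above the loop such as `/* mvscale: 0 = unscaled, otherwise ref/frame size ratio in 14-bit fixed point; mvstep: source step per output pixel in 1/16 pel */` would document both. `refw` and `refh` are read from the reference AVFrame without an explicit check that the frame holds data; a never-decoded reference appears to be rejected only because a zero width fails the `w > 16 * refw` test, which is worth stating or checking directly. decode_frame_header continues outside the hunk.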
@@ -2524,12 +2546,118 @@ static void intra_recon(AVCodecContext *ctx, ptrdiff_t y_off, ptrdiff_t uv_off) } } -static av_always_inline void mc_luma_dir(VP9Context *s, vp9_mc_func (*mc)[2], - uint8_t *dst, ptrdiff_t dst_stride, - const uint8_t *ref, ptrdiff_t ref_stride, - ThreadFrame *ref_frame, - ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, - int bw, int bh, int w, int h) +static av_always_inline void mc_luma_scaled(VP9Context *s, vp9_scaled_mc_func smc, + uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *ref, ptrdiff_t ref_stride, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h, + const uint16_t *scale, const uint8_t *step) +{ +#define scale_mv(n, dim) (((int64_t)n * scale[dim]) >> 14) + // BUG libvpx seems to scale the two components separately. This introduces + // rounding errors but we have to reproduce them to be exactly compatible + // with the output from libvpx... + int mx = scale_mv(mv->x * 2, 0) + scale_mv(x * 16, 0); + int my = scale_mv(mv->y * 2, 1) + scale_mv(y * 16, 1); + int refbw_m1, refbh_m1; + int th; + + y = my >> 4; + x = mx >> 4; + ref += y * ref_stride + x; + mx &= 15; + my &= 15; + refbw_m1 = ((bw - 1) * step[0] + mx) >> 4; + refbh_m1 = ((bh - 1) * step[1] + my) >> 4; + // FIXME bilinear filter only needs 0/1 pixels, not 3/4 + // we use +7 because the last 7 pixels of each sbrow can be changed in + // the longest loopfilter of the next sbrow + th = (y + refbh_m1 + 4 + 7) >> 6; + ff_thread_await_progress(ref_frame, FFMAX(th, 0), 0); + if (x < 3 || y < 3 || x + 4 >= w - refbw_m1 || y + 4 >= h - refbh_m1) { + s->vdsp.emulated_edge_mc(s->edge_emu_buffer, + ref - 3 * ref_stride - 3, + 144, ref_stride, + refbw_m1 + 8, refbh_m1 + 8, + x - 3, y - 3, w, h); + ref = s->edge_emu_buffer + 3 * 144 + 3; + ref_stride = 144; + } + smc(dst, dst_stride, ref, ref_stride, bh, mx, my, step[0], step[1]); +} + +static av_always_inline void mc_chroma_scaled(VP9Context *s, vp9_scaled_mc_func smc, + uint8_t 
*dst_u, uint8_t *dst_v, + ptrdiff_t dst_stride, + const uint8_t *ref_u, ptrdiff_t src_stride_u, + const uint8_t *ref_v, ptrdiff_t src_stride_v, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h, + const uint16_t *scale, const uint8_t *step) +{ + // BUG https://code.google.com/p/webm/issues/detail?id=820 + int mx = scale_mv(mv->x, 0) + (scale_mv(x * 16, 0) & ~15) + (scale_mv(x * 32, 0) & 15); + int my = scale_mv(mv->y, 1) + (scale_mv(y * 16, 1) & ~15) + (scale_mv(y * 32, 1) & 15); +#undef scale_mv + int refbw_m1, refbh_m1; + int th; + + y = my >> 4; + x = mx >> 4; + ref_u += y * src_stride_u + x; + ref_v += y * src_stride_v + x; + mx &= 15; + my &= 15; + refbw_m1 = ((bw - 1) * step[0] + mx) >> 4; + refbh_m1 = ((bh - 1) * step[1] + my) >> 4; + // FIXME bilinear filter only needs 0/1 pixels, not 3/4 + // we use +7 because the last 7 pixels of each sbrow can be changed in + // the longest loopfilter of the next sbrow + th = (y + refbh_m1 + 4 + 7) >> 5; + ff_thread_await_progress(ref_frame, FFMAX(th, 0), 0); + if (x < 3 || y < 3 || x + 4 >= w - refbw_m1 || y + 4 >= h - refbh_m1) { + s->vdsp.emulated_edge_mc(s->edge_emu_buffer, + ref_u - 3 * src_stride_u - 3, + 144, src_stride_u, + refbw_m1 + 8, refbh_m1 + 8, + x - 3, y - 3, w, h); + ref_u = s->edge_emu_buffer + 3 * 144 + 3; + smc(dst_u, dst_stride, ref_u, 144, bh, mx, my, step[0], step[1]); + + s->vdsp.emulated_edge_mc(s->edge_emu_buffer, + ref_v - 3 * src_stride_v - 3, + 144, src_stride_v, + refbw_m1 + 8, refbh_m1 + 8, + x - 3, y - 3, w, h); + ref_v = s->edge_emu_buffer + 3 * 144 + 3; + smc(dst_v, dst_stride, ref_v, 144, bh, mx, my, step[0], step[1]); + } else { + smc(dst_u, dst_stride, ref_u, src_stride_u, bh, mx, my, step[0], step[1]); + smc(dst_v, dst_stride, ref_v, src_stride_v, bh, mx, my, step[0], step[1]); + } +} + +#define FN(x) x##_scaled +#define mc_luma_dir(s, mc, dst, dst_ls, src, src_ls, tref, row, col, mv, bw, bh, w, h, i) \ + mc_luma_scaled(s, 
s->dsp.s##mc, dst, dst_ls, src, src_ls, tref, row, col, \ + mv, bw, bh, w, h, s->mvscale[b->ref[i]], s->mvstep[b->ref[i]]) +#define mc_chroma_dir(s, mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h, i) \ + mc_chroma_scaled(s, s->dsp.s##mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h, s->mvscale[b->ref[i]], s->mvstep[b->ref[i]]) +#include "vp9_mc_template.c" +#undef mc_luma_dir +#undef mc_chroma_dir +#undef FN + +static av_always_inline void mc_luma_unscaled(VP9Context *s, vp9_mc_func (*mc)[2], + uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *ref, ptrdiff_t ref_stride, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h) { int mx = mv->x, my = mv->y, th; @@ -2556,14 +2684,14 @@ static av_always_inline void mc_luma_dir(VP9Context *s, vp9_mc_func (*mc)[2], mc[!!mx][!!my](dst, dst_stride, ref, ref_stride, bh, mx << 1, my << 1); } -static av_always_inline void mc_chroma_dir(VP9Context *s, vp9_mc_func (*mc)[2], - uint8_t *dst_u, uint8_t *dst_v, - ptrdiff_t dst_stride, - const uint8_t *ref_u, ptrdiff_t src_stride_u, - const uint8_t *ref_v, ptrdiff_t src_stride_v, - ThreadFrame *ref_frame, - ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, - int bw, int bh, int w, int h) +static av_always_inline void mc_chroma_unscaled(VP9Context *s, vp9_mc_func (*mc)[2], + uint8_t *dst_u, uint8_t *dst_v, + ptrdiff_t dst_stride, + const uint8_t *ref_u, ptrdiff_t src_stride_u, + const uint8_t *ref_v, ptrdiff_t src_stride_v, + ThreadFrame *ref_frame, + ptrdiff_t y, ptrdiff_t x, const VP56mv *mv, + int bw, int bh, int w, int h) { int mx = mv->x, my = mv->y, th; 
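Review bot: `scale_mv` is defined inside mc_luma_scaled, undefined inside mc_chroma_scaled, and does not parenthesize its argument. With `scale_mv(mv->x * 2, 0)` the cast binds to `mv->x` alone and the result is right only through operator precedence; `#define scale_mv(n, dim) (((int64_t)(n) * scale[dim]) >> 14)` placed above both functions, with the `#undef` after them, is safer for the next call site. The two "BUG" comments explain that libvpx rounding is being reproduced on purpose, which is good; the literal `144` passed to `emulated_edge_mc` and used as `ref_stride` has no such explanation and should refer to the `edge_emu_buffer` stride.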
@@ -2601,156 +2729,32 @@ static av_always_inline void mc_chroma_dir(VP9Context *s, vp9_mc_func (*mc)[2], } } +#define FN(x) x +#define mc_luma_dir(s, mc, dst, dst_ls, src, src_ls, tref, row, col, mv, bw, bh, w, h, i) \ + mc_luma_unscaled(s, s->dsp.mc, dst, dst_ls, src, src_ls, tref, row, col, \ + mv, bw, bh, w, h) +#define mc_chroma_dir(s, mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h, i) \ + mc_chroma_unscaled(s, s->dsp.mc, dstu, dstv, dst_ls, srcu, srcu_ls, srcv, srcv_ls, tref, \ + row, col, mv, bw, bh, w, h) +#include "vp9_mc_template.c" +#undef mc_luma_dir_dir +#undef mc_chroma_dir_dir +#undef FN + static void inter_recon(AVCodecContext *ctx) { - static const uint8_t bwlog_tab[2][N_BS_SIZES] = { - { 0, 0, 1, 1, 1, 2, 2, 2, 3, 3, 3, 4, 4 }, - { 1, 1, 2, 2, 2, 3, 3, 3, 4, 4, 4, 4, 4 }, - }; VP9Context *s = ctx->priv_data; VP9Block *b = s->b; int row = s->row, col = s->col; - ThreadFrame *tref1 = &s->refs[s->refidx[b->ref[0]]], *tref2; - AVFrame *ref1 = tref1->f, *ref2; - int w1 = ref1->width, h1 = ref1->height, w2, h2; - ptrdiff_t ls_y = s->y_stride, ls_uv = s->uv_stride; - if (b->comp) { - tref2 = &s->refs[s->refidx[b->ref[1]]]; - ref2 = tref2->f; - w2 = ref2->width; - h2 = ref2->height; - } - - // y inter pred - if (b->bs > BS_8x8) { - if (b->bs == BS_8x4) { - mc_luma_dir(s, s->dsp.mc[3][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0], 8, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[3][b->filter][0], - s->dst[0] + 4 * ls_y, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - (row << 3) + 4, col << 3, &b->mv[2][0], 8, 4, w1, h1); - - if (b->comp) { - mc_luma_dir(s, s->dsp.mc[3][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], 8, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[3][b->filter][1], - s->dst[0] + 4 * ls_y, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - (row << 3) + 4, col << 3, &b->mv[2][1], 8, 4, 
w2, h2); - } - } else if (b->bs == BS_4x8) { - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0], 4, 8, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0] + 4, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, (col << 3) + 4, &b->mv[1][0], 4, 8, w1, h1); - - if (b->comp) { - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], 4, 8, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0] + 4, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, (col << 3) + 4, &b->mv[1][1], 4, 8, w2, h2); - } - } else { - av_assert2(b->bs == BS_4x4); - - // FIXME if two horizontally adjacent blocks have the same MV, - // do a w8 instead of a w4 call - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0], 4, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], s->dst[0] + 4, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, (col << 3) + 4, &b->mv[1][0], 4, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], - s->dst[0] + 4 * ls_y, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - (row << 3) + 4, col << 3, &b->mv[2][0], 4, 4, w1, h1); - mc_luma_dir(s, s->dsp.mc[4][b->filter][0], - s->dst[0] + 4 * ls_y + 4, ls_y, - ref1->data[0], ref1->linesize[0], tref1, - (row << 3) + 4, (col << 3) + 4, &b->mv[3][0], 4, 4, w1, h1); - - if (b->comp) { - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], 4, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], s->dst[0] + 4, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, (col << 3) + 4, &b->mv[1][1], 4, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], - s->dst[0] + 4 * ls_y, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - 
(row << 3) + 4, col << 3, &b->mv[2][1], 4, 4, w2, h2); - mc_luma_dir(s, s->dsp.mc[4][b->filter][1], - s->dst[0] + 4 * ls_y + 4, ls_y, - ref2->data[0], ref2->linesize[0], tref2, - (row << 3) + 4, (col << 3) + 4, &b->mv[3][1], 4, 4, w2, h2); - } - } + if (s->mvscale[b->ref[0]][0] || (b->comp && s->mvscale[b->ref[1]][0])) { + inter_pred_scaled(ctx); } else { - int bwl = bwlog_tab[0][b->bs]; - int bw = bwh_tab[0][b->bs][0] * 4, bh = bwh_tab[0][b->bs][1] * 4; - - mc_luma_dir(s, s->dsp.mc[bwl][b->filter][0], s->dst[0], ls_y, - ref1->data[0], ref1->linesize[0], tref1, - row << 3, col << 3, &b->mv[0][0],bw, bh, w1, h1); - - if (b->comp) - mc_luma_dir(s, s->dsp.mc[bwl][b->filter][1], s->dst[0], ls_y, - ref2->data[0], ref2->linesize[0], tref2, - row << 3, col << 3, &b->mv[0][1], bw, bh, w2, h2); + inter_pred(ctx); } - - // uv inter pred - { - int bwl = bwlog_tab[1][b->bs]; - int bw = bwh_tab[1][b->bs][0] * 4, bh = bwh_tab[1][b->bs][1] * 4; - VP56mv mvuv; - - w1 = (w1 + 1) >> 1; - h1 = (h1 + 1) >> 1; - if (b->comp) { - w2 = (w2 + 1) >> 1; - h2 = (h2 + 1) >> 1; - } - if (b->bs > BS_8x8) { - mvuv.x = ROUNDED_DIV(b->mv[0][0].x + b->mv[1][0].x + b->mv[2][0].x + b->mv[3][0].x, 4); - mvuv.y = ROUNDED_DIV(b->mv[0][0].y + b->mv[1][0].y + b->mv[2][0].y + b->mv[3][0].y, 4); - } else { - mvuv = b->mv[0][0]; - } - - mc_chroma_dir(s, s->dsp.mc[bwl][b->filter][0], - s->dst[1], s->dst[2], ls_uv, - ref1->data[1], ref1->linesize[1], - ref1->data[2], ref1->linesize[2], tref1, - row << 2, col << 2, &mvuv, bw, bh, w1, h1); - - if (b->comp) { - if (b->bs > BS_8x8) { - mvuv.x = ROUNDED_DIV(b->mv[0][1].x + b->mv[1][1].x + b->mv[2][1].x + b->mv[3][1].x, 4); - mvuv.y = ROUNDED_DIV(b->mv[0][1].y + b->mv[1][1].y + b->mv[2][1].y + b->mv[3][1].y, 4); - } else { - mvuv = b->mv[0][1]; - } - mc_chroma_dir(s, s->dsp.mc[bwl][b->filter][1], - s->dst[1], s->dst[2], ls_uv, - ref2->data[1], ref2->linesize[1], - ref2->data[2], ref2->linesize[2], tref2, - row << 2, col << 2, &mvuv, bw, bh, w2, h2); - } - } - if 
(!b->skip) { - /* mostly copied intra_reconn() */ + /* mostly copied intra_recon() */ int w4 = bwh_tab[1][b->bs][0] << 1, step1d = 1 << b->tx, n; int h4 = bwh_tab[1][b->bs][1] << 1, x, y, step = 1 << (b->tx * 2); diff --git a/libavcodec/vp9_mc_template.c b/libavcodec/vp9_mc_template.c new file mode 100644 index 0000000000..c6ae432e26 --- /dev/null +++ b/libavcodec/vp9_mc_template.c 
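Review bot: `#undef mc_luma_dir_dir` and `#undef mc_chroma_dir_dir` after the second `#include "vp9_mc_template.c"` name macros that were never defined, so `mc_luma_dir` and `mc_chroma_dir` stay defined for the rest of vp9.c. The scaled instantiation earlier in the patch uses the intended names; these two lines should read `#undef mc_luma_dir` and `#undef mc_chroma_dir`. Nothing visible here breaks because of it, but a later use of either name would silently expand to the unscaled call. inter_recon also picks the scaled path by testing only `mvscale[...][0]`, which relies on decode_frame_header always setting both components together.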
@@ -0,0 +1,171 @@ +/* + * VP9 compatible video decoder + * + * Copyright (C) 2013 Ronald S. Bultje + * Copyright (C) 2013 Clément Bœsch + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +static void FN(inter_pred)(AVCodecContext *ctx) +{ + static const uint8_t bwlog_tab[2][N_BS_SIZES] = { + { 0, 0, 1, 1, 1, 2, 2, 2, 3, 3, 3, 4, 4 }, + { 1, 1, 2, 2, 2, 3, 3, 3, 4, 4, 4, 4, 4 }, + }; + VP9Context *s = ctx->priv_data; + VP9Block *b = s->b; + int row = s->row, col = s->col; + ThreadFrame *tref1 = &s->refs[s->refidx[b->ref[0]]], *tref2; + AVFrame *ref1 = tref1->f, *ref2; + int w1 = ref1->width, h1 = ref1->height, w2, h2; + ptrdiff_t ls_y = s->y_stride, ls_uv = s->uv_stride; + + if (b->comp) { + tref2 = &s->refs[s->refidx[b->ref[1]]]; + ref2 = tref2->f; + w2 = ref2->width; + h2 = ref2->height; + } + + // y inter pred + if (b->bs > BS_8x8) { + if (b->bs == BS_8x4) { + mc_luma_dir(s, mc[3][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0], 8, 4, w1, h1, 0); + mc_luma_dir(s, mc[3][b->filter][0], + s->dst[0] + 4 * ls_y, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + (row << 3) + 4, col << 3, &b->mv[2][0], 8, 4, w1, h1, 0); + + if (b->comp) { + mc_luma_dir(s, mc[3][b->filter][1], s->dst[0], ls_y, 
+ ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], 8, 4, w2, h2, 1); + mc_luma_dir(s, mc[3][b->filter][1], + s->dst[0] + 4 * ls_y, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + (row << 3) + 4, col << 3, &b->mv[2][1], 8, 4, w2, h2, 1); + } + } else if (b->bs == BS_4x8) { + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0], 4, 8, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0] + 4, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, (col << 3) + 4, &b->mv[1][0], 4, 8, w1, h1, 0); + + if (b->comp) { + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0], ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], 4, 8, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0] + 4, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, (col << 3) + 4, &b->mv[1][1], 4, 8, w2, h2, 1); + } + } else { + av_assert2(b->bs == BS_4x4); + + // FIXME if two horizontally adjacent blocks have the same MV, + // do a w8 instead of a w4 call + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0], 4, 4, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], s->dst[0] + 4, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, (col << 3) + 4, &b->mv[1][0], 4, 4, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], + s->dst[0] + 4 * ls_y, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + (row << 3) + 4, col << 3, &b->mv[2][0], 4, 4, w1, h1, 0); + mc_luma_dir(s, mc[4][b->filter][0], + s->dst[0] + 4 * ls_y + 4, ls_y, + ref1->data[0], ref1->linesize[0], tref1, + (row << 3) + 4, (col << 3) + 4, &b->mv[3][0], 4, 4, w1, h1, 0); + + if (b->comp) { + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0], ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], 4, 4, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], s->dst[0] + 4, ls_y, + 
ref2->data[0], ref2->linesize[0], tref2, + row << 3, (col << 3) + 4, &b->mv[1][1], 4, 4, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], + s->dst[0] + 4 * ls_y, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + (row << 3) + 4, col << 3, &b->mv[2][1], 4, 4, w2, h2, 1); + mc_luma_dir(s, mc[4][b->filter][1], + s->dst[0] + 4 * ls_y + 4, ls_y, + ref2->data[0], ref2->linesize[0], tref2, + (row << 3) + 4, (col << 3) + 4, &b->mv[3][1], 4, 4, w2, h2, 1); + } + } + } else { + int bwl = bwlog_tab[0][b->bs]; + int bw = bwh_tab[0][b->bs][0] * 4, bh = bwh_tab[0][b->bs][1] * 4; + + mc_luma_dir(s, mc[bwl][b->filter][0], s->dst[0], ls_y, + ref1->data[0], ref1->linesize[0], tref1, + row << 3, col << 3, &b->mv[0][0],bw, bh, w1, h1, 0); + + if (b->comp) + mc_luma_dir(s, mc[bwl][b->filter][1], s->dst[0], ls_y, + ref2->data[0], ref2->linesize[0], tref2, + row << 3, col << 3, &b->mv[0][1], bw, bh, w2, h2, 1); + } + + // uv inter pred + { + int bwl = bwlog_tab[1][b->bs]; + int bw = bwh_tab[1][b->bs][0] * 4, bh = bwh_tab[1][b->bs][1] * 4; + VP56mv mvuv; + + w1 = (w1 + 1) >> 1; + h1 = (h1 + 1) >> 1; + if (b->comp) { + w2 = (w2 + 1) >> 1; + h2 = (h2 + 1) >> 1; + } + if (b->bs > BS_8x8) { + mvuv.x = ROUNDED_DIV(b->mv[0][0].x + b->mv[1][0].x + b->mv[2][0].x + b->mv[3][0].x, 4); + mvuv.y = ROUNDED_DIV(b->mv[0][0].y + b->mv[1][0].y + b->mv[2][0].y + b->mv[3][0].y, 4); + } else { + mvuv = b->mv[0][0]; + } + + mc_chroma_dir(s, mc[bwl][b->filter][0], + s->dst[1], s->dst[2], ls_uv, + ref1->data[1], ref1->linesize[1], + ref1->data[2], ref1->linesize[2], tref1, + row << 2, col << 2, &mvuv, bw, bh, w1, h1, 0); + + if (b->comp) { + if (b->bs > BS_8x8) { + mvuv.x = ROUNDED_DIV(b->mv[0][1].x + b->mv[1][1].x + b->mv[2][1].x + b->mv[3][1].x, 4); + mvuv.y = ROUNDED_DIV(b->mv[0][1].y + b->mv[1][1].y + b->mv[2][1].y + b->mv[3][1].y, 4); + } else { + mvuv = b->mv[0][1]; + } + mc_chroma_dir(s, mc[bwl][b->filter][1], + s->dst[1], s->dst[2], ls_uv, + ref2->data[1], ref2->linesize[1], + ref2->data[2], 
ref2->linesize[2], tref2, + row << 2, col << 2, &mvuv, bw, bh, w2, h2, 1); + } + } +} diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c index b188785456..8e55d2593e 100644 --- a/libavcodec/vp9_parser.c +++ b/libavcodec/vp9_parser.c @@ -1,5 +1,8 @@ /* - * Copyright (C) 2008 Michael Niedermayer + * VP9 compatible video decoder + * + * Copyright (C) 2013 Ronald S. Bultje + * Copyright (C) 2013 Clément Bœsch * * This file is part of FFmpeg. * diff --git a/libavcodec/vp9dsp.c b/libavcodec/vp9dsp.c index 6356adde32..95b7eb5c71 100644 --- a/libavcodec/vp9dsp.c +++ b/libavcodec/vp9dsp.c @@ -1707,8 +1707,9 @@ copy_avg_fn(4) #undef fpel_fn #undef copy_avg_fn -static const int8_t vp9_subpel_filters[3][15][8] = { +static const int16_t vp9_subpel_filters[3][16][8] = { [FILTER_8TAP_REGULAR] = { + { 0, 0, 0, 128, 0, 0, 0, 0 }, { 0, 1, -5, 126, 8, -3, 1, 0 }, { -1, 3, -10, 122, 18, -6, 2, 0 }, { -1, 4, -13, 118, 27, -9, 3, -1 }, @@ -1725,6 +1726,7 @@ static const int8_t vp9_subpel_filters[3][15][8] = { { 0, 2, -6, 18, 122, -10, 3, -1 }, { 0, 1, -3, 8, 126, -5, 1, 0 }, }, [FILTER_8TAP_SHARP] = { + { 0, 0, 0, 128, 0, 0, 0, 0 }, { -1, 3, -7, 127, 8, -3, 1, 0 }, { -2, 5, -13, 125, 17, -6, 3, -1 }, { -3, 7, -17, 121, 27, -10, 5, -2 }, @@ -1741,6 +1743,7 @@ static const int8_t vp9_subpel_filters[3][15][8] = { { -1, 3, -6, 17, 125, -13, 5, -2 }, { 0, 1, -3, 8, 127, -7, 3, -1 }, }, [FILTER_8TAP_SMOOTH] = { + { 0, 0, 0, 128, 0, 0, 0, 0 }, { -3, -1, 32, 64, 38, 1, -3, 0 }, { -2, -2, 29, 63, 41, 2, -3, 0 }, { -2, -2, 26, 63, 43, 4, -4, 0 }, @@ -1772,7 +1775,7 @@ static const int8_t vp9_subpel_filters[3][15][8] = { static av_always_inline void do_8tap_1d_c(uint8_t *dst, ptrdiff_t dst_stride, const uint8_t *src, ptrdiff_t src_stride, int w, int h, ptrdiff_t ds, - const int8_t *filter, int avg) + const int16_t *filter, int avg) { do { int x; 
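Review bot: vp9_mc_template.c is only usable through `#include` with `FN`, `mc_luma_dir` and `mc_chroma_dir` already defined, yet the file opens with the plain licence block and says nothing about that contract. I would add a short comment after the licence listing the three macros the includer must provide, and a guard such as `#ifndef FN` / `#error "define FN, mc_luma_dir and mc_chroma_dir before including vp9_mc_template.c"` / `#endif`. In `FN(inter_pred)`, `tref2`, `ref2`, `w2` and `h2` are assigned only under `b->comp`; every use visible here is under the same condition, so this is correct as written, but a comment at the declaration would make that pairing explicit.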
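Review bot: The change of `vp9_subpel_filters` from `int8_t [3][15][8]` to `int16_t [3][16][8]` is not explained anywhere in the code. The element type has to widen because the new full-pel row `{ 0, 0, 0, 128, 0, 0, 0, 0 }` holds 128, which does not fit in `int8_t`, and the row exists so that the scaled path can index the table with a sub-pel phase of 0; a comment on the table saying both would stop someone narrowing it again. The later vp9dsp.c hunks that replace `[dir_m - 1]`, `[mx - 1]` and `[my - 1]` with unbiased indices depend on that extra row and must land together with it. Any other code that reads this table with the old layout would need the same update; none is visible in this patch.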
@@ -1792,7 +1795,7 @@ static av_always_inline void do_8tap_1d_c(uint8_t *dst, ptrdiff_t dst_stride, #define filter_8tap_1d_fn(opn, opa, dir, ds) \ static av_noinline void opn##_8tap_1d_##dir##_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ - int w, int h, const int8_t *filter) \ + int w, int h, const int16_t *filter) \ { \ do_8tap_1d_c(dst, dst_stride, src, src_stride, w, h, ds, filter, opa); \ } @@ -1806,8 +1809,8 @@ filter_8tap_1d_fn(avg, 1, h, 1) static av_always_inline void do_8tap_2d_c(uint8_t *dst, ptrdiff_t dst_stride, const uint8_t *src, ptrdiff_t src_stride, - int w, int h, const int8_t *filterx, - const int8_t *filtery, int avg) + int w, int h, const int16_t *filterx, + const int16_t *filtery, int avg) { int tmp_h = h + 7; uint8_t tmp[64 * 71], *tmp_ptr = tmp; @@ -1842,8 +1845,8 @@ static av_always_inline void do_8tap_2d_c(uint8_t *dst, ptrdiff_t dst_stride, #define filter_8tap_2d_fn(opn, opa) \ static av_noinline void opn##_8tap_2d_hv_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ - int w, int h, const int8_t *filterx, \ - const int8_t *filtery) \ + int w, int h, const int16_t *filterx, \ + const int16_t *filtery) \ { \ do_8tap_2d_c(dst, dst_stride, src, src_stride, w, h, filterx, filtery, opa); \ } @@ -1853,15 +1856,13 @@ filter_8tap_2d_fn(avg, 1) #undef filter_8tap_2d_fn -#undef FILTER_8TAP - #define filter_fn_1d(sz, dir, dir_m, type, type_idx, avg) \ static void avg##_8tap_##type##_##sz##dir##_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ int h, int mx, int my) \ { \ avg##_8tap_1d_##dir##_c(dst, dst_stride, src, src_stride, sz, h, \ - vp9_subpel_filters[type_idx][dir_m - 1]); \ + vp9_subpel_filters[type_idx][dir_m]); \ } #define filter_fn_2d(sz, type, type_idx, avg) \ 
@@ -1870,8 +1871,8 @@ static void avg##_8tap_##type##_##sz##hv_c(uint8_t *dst, ptrdiff_t dst_stride, \ int h, int mx, int my) \ { \ avg##_8tap_2d_hv_c(dst, dst_stride, src, src_stride, sz, h, \ - vp9_subpel_filters[type_idx][mx - 1], \ - vp9_subpel_filters[type_idx][my - 1]); \ + vp9_subpel_filters[type_idx][mx], \ + vp9_subpel_filters[type_idx][my]); \ } #define FILTER_BILIN(src, x, mxy, stride) \ @@ -1957,8 +1958,6 @@ bilin_2d_fn(avg, 1) #undef bilin_2d_fn -#undef FILTER_BILIN - #define bilinf_fn_1d(sz, dir, dir_m, avg) \ static void avg##_bilin_##sz##dir##_c(uint8_t *dst, ptrdiff_t dst_stride, \ const uint8_t *src, ptrdiff_t src_stride, \ 
@@ -2053,12 +2052,190 @@ static av_cold void vp9dsp_mc_init(VP9DSPContext *dsp) #undef init_subpel3 } +static av_always_inline void do_scaled_8tap_c(uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *src, ptrdiff_t src_stride, + int w, int h, int mx, int my, + int dx, int dy, int avg, + const int16_t (*filters)[8]) +{ + int tmp_h = (((h - 1) * dy + my) >> 4) + 8; + uint8_t tmp[64 * 135], *tmp_ptr = tmp; + + src -= src_stride * 3; + do { + int x; + int imx = mx, ioff = 0; + + for (x = 0; x < w; x++) { + tmp_ptr[x] = FILTER_8TAP(src, ioff, filters[imx], 1); + imx += dx; + ioff += imx >> 4; + imx &= 0xf; + } + + tmp_ptr += 64; + src += src_stride; + } while (--tmp_h); + + tmp_ptr = tmp + 64 * 3; + do { + int x; + const int16_t *filter = filters[my]; + + for (x = 0; x < w; x++) + if (avg) { + dst[x] = (dst[x] + FILTER_8TAP(tmp_ptr, x, filter, 64) + 1) >> 1; + } else { + dst[x] = FILTER_8TAP(tmp_ptr, x, filter, 64); + } + + my += dy; + tmp_ptr += (my >> 4) * 64; + my &= 0xf; + dst += dst_stride; + } while (--h); +} + +#define scaled_filter_8tap_fn(opn, opa) \ +static av_noinline void opn##_scaled_8tap_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int w, int h, int mx, int my, int dx, int dy, \ + const int16_t (*filters)[8]) \ +{ \ + do_scaled_8tap_c(dst, dst_stride, src, src_stride, w, h, mx, my, dx, dy, \ + opa, filters); \ +} + +scaled_filter_8tap_fn(put, 0) +scaled_filter_8tap_fn(avg, 1) + +#undef scaled_filter_8tap_fn + +#undef FILTER_8TAP + +#define scaled_filter_fn(sz, type, type_idx, avg) \ +static void avg##_scaled_##type##_##sz##_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int h, int mx, int my, int dx, int dy) \ +{ \ + avg##_scaled_8tap_c(dst, dst_stride, src, src_stride, sz, h, mx, my, dx, dy, \ + vp9_subpel_filters[type_idx]); \ +} + +static av_always_inline void do_scaled_bilin_c(uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *src, ptrdiff_t src_stride, + int w, int 
h, int mx, int my, + int dx, int dy, int avg) +{ + uint8_t tmp[64 * 129], *tmp_ptr = tmp; + int tmp_h = (((h - 1) * dy + my) >> 4) + 2; + + do { + int x; + int imx = mx, ioff = 0; + + for (x = 0; x < w; x++) { + tmp_ptr[x] = FILTER_BILIN(src, ioff, imx, 1); + imx += dx; + ioff += imx >> 4; + imx &= 0xf; + } + + tmp_ptr += 64; + src += src_stride; + } while (--tmp_h); + + tmp_ptr = tmp; + do { + int x; + + for (x = 0; x < w; x++) + if (avg) { + dst[x] = (dst[x] + FILTER_BILIN(tmp_ptr, x, my, 64) + 1) >> 1; + } else { + dst[x] = FILTER_BILIN(tmp_ptr, x, my, 64); + } + + my += dy; + tmp_ptr += (my >> 4) * 64; + my &= 0xf; + dst += dst_stride; + } while (--h); +} + +#define scaled_bilin_fn(opn, opa) \ +static av_noinline void opn##_scaled_bilin_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int w, int h, int mx, int my, int dx, int dy) \ +{ \ + do_scaled_bilin_c(dst, dst_stride, src, src_stride, w, h, mx, my, dx, dy, opa); \ +} + +scaled_bilin_fn(put, 0) +scaled_bilin_fn(avg, 1) + +#undef scaled_bilin_fn + +#undef FILTER_BILIN + +#define scaled_bilinf_fn(sz, avg) \ +static void avg##_scaled_bilin_##sz##_c(uint8_t *dst, ptrdiff_t dst_stride, \ + const uint8_t *src, ptrdiff_t src_stride, \ + int h, int mx, int my, int dx, int dy) \ +{ \ + avg##_scaled_bilin_c(dst, dst_stride, src, src_stride, sz, h, mx, my, dx, dy); \ +} + +#define scaled_filter_fns(sz, avg) \ +scaled_filter_fn(sz, regular, FILTER_8TAP_REGULAR, avg) \ +scaled_filter_fn(sz, smooth, FILTER_8TAP_SMOOTH, avg) \ +scaled_filter_fn(sz, sharp, FILTER_8TAP_SHARP, avg) \ +scaled_bilinf_fn(sz, avg) + +#define scaled_filter_fn_set(avg) \ +scaled_filter_fns(64, avg) \ +scaled_filter_fns(32, avg) \ +scaled_filter_fns(16, avg) \ +scaled_filter_fns(8, avg) \ +scaled_filter_fns(4, avg) + +scaled_filter_fn_set(put) +scaled_filter_fn_set(avg) + +#undef scaled_filter_fns +#undef scaled_filter_fn_set +#undef scaled_filter_fn +#undef scaled_bilinf_fn + +static av_cold void 
vp9dsp_scaled_mc_init(VP9DSPContext *dsp) +{ +#define init_scaled(idx1, idx2, sz, type) \ + dsp->smc[idx1][FILTER_8TAP_SMOOTH ][idx2] = type##_scaled_smooth_##sz##_c; \ + dsp->smc[idx1][FILTER_8TAP_REGULAR][idx2] = type##_scaled_regular_##sz##_c; \ + dsp->smc[idx1][FILTER_8TAP_SHARP ][idx2] = type##_scaled_sharp_##sz##_c; \ + dsp->smc[idx1][FILTER_BILINEAR ][idx2] = type##_scaled_bilin_##sz##_c + +#define init_scaled_put_avg(idx, sz) \ + init_scaled(idx, 0, sz, put); \ + init_scaled(idx, 1, sz, avg) + + init_scaled_put_avg(0, 64); + init_scaled_put_avg(1, 32); + init_scaled_put_avg(2, 16); + init_scaled_put_avg(3, 8); + init_scaled_put_avg(4, 4); + +#undef init_scaled_put_avg +#undef init_scaled +} + av_cold void ff_vp9dsp_init(VP9DSPContext *dsp) { vp9dsp_intrapred_init(dsp); vp9dsp_itxfm_init(dsp); vp9dsp_loopfilter_init(dsp); vp9dsp_mc_init(dsp); + vp9dsp_scaled_mc_init(dsp); if (ARCH_X86) ff_vp9dsp_init_x86(dsp); } diff --git a/libavcodec/vp9dsp.h b/libavcodec/vp9dsp.h index db0a92e210..33dfc09acd 100644 --- a/libavcodec/vp9dsp.h +++ b/libavcodec/vp9dsp.h @@ -32,6 +32,9 @@ typedef void (*vp9_mc_func)(uint8_t *dst, ptrdiff_t dst_stride, const uint8_t *ref, ptrdiff_t ref_stride, int h, int mx, int my); +typedef void (*vp9_scaled_mc_func)(uint8_t *dst, ptrdiff_t dst_stride, + const uint8_t *ref, ptrdiff_t ref_stride, + int h, int mx, int my, int dx, int dy); typedef struct VP9DSPContext { /* @@ -109,6 +112,12 @@ typedef struct VP9DSPContext { * dst/stride are aligned by hsize */ vp9_mc_func mc[5][4][2][2][2]; + + /* + * for scalable MC, first 3 dimensions identical to above, the other two + * don't exist since it changes per stepsize. + */ + vp9_scaled_mc_func smc[5][4][2]; } VP9DSPContext; void ff_vp9dsp_init(VP9DSPContext *dsp); From 045121959e20db1e66da9e3934fa70cd20f5a4f2 Mon Sep 17 00:00:00 2001 
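Review bot: `uint8_t tmp[64 * 135]` in do_scaled_8tap_c and `tmp[64 * 129]` in do_scaled_bilin_c are filled for `tmp_h` rows, and `tmp_h` is computed from the caller-supplied `h`, `dy` and `my` with no bound inside either function. The sizes hold for `h <= 64`, `my <= 15` and `dy <= 32` (134 and 128 rows), and `dy` comes from the stream-derived `mvstep` that is limited far away in decode_frame_header in vp9.c. I would state that precondition in a comment above each buffer and, if the assert macro used in vp9_mc_template.c is available in this file, add `av_assert2(tmp_h <= 135);` and `av_assert2(tmp_h <= 129);` before the first loops. The horizontal pass has the same dependency on `dx` for how far `ioff` walks along the source row.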
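Review bot: The `vp9_scaled_mc_func` typedef adds `dx` and `dy` without saying what unit they are in. Going by the C implementations in this patch they are the source advance per output pixel in 1/16 pixel units, with `mx` and `my` as the starting 1/16 pixel phase; a comment on the typedef saying so, together with the largest step the functions are written for, would give other implementations a contract to follow. The comment on `smc` could also name the three dimensions it keeps (block size, filter type, put/avg) instead of referring to "above".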
From: Andreas Cadhalpun Date: Mon, 4 May 2015 21:07:52 +0200 Subject: [PATCH 0724/1352] avidec: check for valid bit_rate range If bit_rate is negative, it can trigger an av_assert2 in av_rescale_rnd. Since av_rescale returns int64_t, but st->codec_bit_rate is int, it can also overflow into a negative value. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 0eec40b713eee84e2aec8af35ccce059817cad2a) Signed-off-by: Andreas Cadhalpun --- libavformat/avidec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 7387217ce9..417fb74398 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -447,6 +447,7 @@ static int calculate_bitrate(AVFormatContext *s) int64_t len = 0; AVStream *st = s->streams[i]; int64_t duration; + int64_t bitrate; for (j = 0; j < st->nb_index_entries; j++) len += st->index_entries[j].size; @@ -454,7 +455,10 @@ static int calculate_bitrate(AVFormatContext *s) if (st->nb_index_entries < 2 || st->codec->bit_rate > 0) continue; duration = st->index_entries[j-1].timestamp - st->index_entries[0].timestamp; - st->codec->bit_rate = av_rescale(8*len, st->time_base.den, duration * st->time_base.num); + bitrate = av_rescale(8*len, st->time_base.den, duration * st->time_base.num); + if (bitrate <= INT_MAX && bitrate > 0) { + st->codec->bit_rate = bitrate; + } } return 1; } From 46a7fe2417df341edce3ebf3e0ef05dca043619b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jun 2015 00:59:16 +0200 Subject: [PATCH 0725/1352] avcodec/s302m: Only set the sample rate when some data is output This way ffplay chooses the mp2 stream for Ticket3890 Signed-off-by: Michael Niedermayer (cherry picked from commit 802cca5905abe1fe8392e85a812462b959889aaa) Signed-off-by: Andreas Cadhalpun --- libavcodec/s302m.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
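Review bot: `duration` is still passed to `av_rescale()` as part of the divisor without a check that it is positive. It is the difference of two index timestamps taken from the file, so it can be zero or negative; the new range test discards the result afterwards, but the helper is still called with a non-positive third argument, and the product `duration * st->time_base.num` is not checked for overflow either. Adding `if (duration <= 0) continue;` right after `duration` is computed would keep the bad value out of the helper altogether. calculate_bitrate continues outside these hunks.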
diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index 7639a0f1c9..2ce1038330 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -79,7 +79,6 @@ static int s302m_parse_frame_header(AVCodecContext *avctx, const uint8_t *buf, case 8: avctx->channel_layout = AV_CH_LAYOUT_5POINT1_BACK | AV_CH_LAYOUT_STEREO_DOWNMIX; } - avctx->sample_rate = 48000; avctx->bit_rate = 48000 * avctx->channels * (avctx->bits_per_raw_sample + 4) + 32 * (48000 / (buf_size * 8 / (avctx->channels * @@ -146,6 +145,8 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, } } + avctx->sample_rate = 48000; + *got_frame_ptr = 1; return avpkt->size; From 6e288d527428af7851a173e8cc6e0e30bf9359ca Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 25 Jun 2015 22:47:38 +0200 Subject: [PATCH 0726/1352] vc1dec: use get_bits_long and limit the read bits to 32 get_bits should not be used with more than 25 bits. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1f1e0a2971b2a01f275bb5088c2e36166514be64) Signed-off-by: Andreas Cadhalpun --- libavcodec/vc1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index a25c3d955c..0790bd6ecf 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -5669,7 +5669,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) count = avctx->extradata_size*8 - get_bits_count(&gb); if (count > 0) { av_log(avctx, AV_LOG_INFO, "Extra data: %i bits left, value: %X\n", - count, get_bits(&gb, count)); + count, get_bits_long(&gb, FFMIN(count, 32))); } else if (count < 0) { av_log(avctx, AV_LOG_INFO, "Read %i bits in overflow\n", -count); } From 554dffb35f7902b9b607aa9c541ec4ea1a142102 Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Fri, 26 Jun 2015 00:27:54 +0200 Subject: [PATCH 0727/1352] mpegaudiodec: copy AVFloatDSPContext from first context to all contexts This fixes a segfault when decoding multi-channel MP3onMP4 files. This is similar to commit cb72230d for MPADSPContext. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 151dbe4579601a81662b4b366d0e10df3c00027a) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpegaudiodec_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index f3a335c52a..2708c1a2ae 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -1880,6 +1880,7 @@ static av_cold int decode_init_mp3on4(AVCodecContext * avctx) s->mp3decctx[i]->adu_mode = 1; s->mp3decctx[i]->avctx = avctx; s->mp3decctx[i]->mpadsp = s->mp3decctx[0]->mpadsp; + s->mp3decctx[i]->fdsp = s->mp3decctx[0]->fdsp; } return 0; From 7bd9ae4afb248ba7b8a5cc772f5931c15808ae0f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 26 Jun 2015 19:31:03 +0200 Subject: [PATCH 0728/1352] s302m: fix arithmetic exception If nb_samples is zero, the bit_rate calculation results in a division by zero. Since ff_get_buffer fails if frame->nb_samples is zero, this can be fixed by moving the bit_rate calculation after that function call. That also makes it possible to reuse the already calculated frame->nb_samples value. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 04dfbc9441beed93984568c1547f1ed588122627) Signed-off-by: Andreas Cadhalpun --- libavcodec/s302m.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index 2ce1038330..61c0fe8f96 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c 
@@ -79,10 +79,6 @@ static int s302m_parse_frame_header(AVCodecContext *avctx, const uint8_t *buf, case 8: avctx->channel_layout = AV_CH_LAYOUT_5POINT1_BACK | AV_CH_LAYOUT_STEREO_DOWNMIX; } - avctx->bit_rate = 48000 * avctx->channels * (avctx->bits_per_raw_sample + 4) + - 32 * (48000 / (buf_size * 8 / - (avctx->channels * - (avctx->bits_per_raw_sample + 4)))); return frame_size; } @@ -108,6 +104,8 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; + avctx->bit_rate = 48000 * avctx->channels * (avctx->bits_per_raw_sample + 4) + + 32 * 48000 / frame->nb_samples; buf_size = (frame->nb_samples * avctx->channels / 2) * block_size; if (avctx->bits_per_raw_sample == 24) { From 5999a89190e4f3530e10efb9a92c6a87eae21fa2 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 27 Jun 2015 17:50:56 +0200 Subject: [PATCH 0729/1352] nutdec: check maxpos in read_sm_data before returning success Otherwise sm_size can be larger than size, which results in a negative packet size. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 6b9fdf7f4f07926557048070cc2af3cfd0e3fe50) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 8d2b145d8d..76fd8cc554 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -963,6 +963,9 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int AV_WL32(dst+4, skip_end); } + if (avio_tell(bc) >= maxpos) + return AVERROR_INVALIDDATA; + return 0; } From 4410505b42601ed836816fc7c9f2b113bb0d1219 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 27 Jun 2015 20:16:12 +0200 Subject: [PATCH 0730/1352] wavpack: use get_bits_long to read up to 32 bits get_bits should not be used for more than 25 bits. Reviewed-by: Michael Niedermayer 
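Review bot: The division `32 * 48000 / frame->nb_samples` in s302m_decode_frame() is safe only because the ff_get_buffer() call above it fails for a zero nb_samples, and that reason is recorded in the commit message but not in the code. A one-line comment at the assignment would keep a later reordering from bringing the division by zero back: `/* ff_get_buffer() has rejected nb_samples == 0, so the division below is safe */`. The function body continues outside the hunk.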
Signed-off-by: Andreas Cadhalpun (cherry picked from commit f9883a669c3df05a5c453428e080298c6511a17e) Signed-off-by: Andreas Cadhalpun --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index b51a21cc9d..d91b66cf2a 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -155,7 +155,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (t >= 2) { if (get_bits_left(gb) < t - 1) goto error; - t = get_bits(gb, t - 1) | (1 << (t - 1)); + t = get_bits_long(gb, t - 1) | (1 << (t - 1)); } else { if (get_bits_left(gb) < 0) goto error; @@ -186,7 +186,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, } else { if (get_bits_left(gb) < t2 - 1) goto error; - t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } } From 31ae0693d885f4ecf4ef750055f86467bfc5fa1d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 28 Jun 2015 11:21:54 +0200 Subject: [PATCH 0731/1352] huffyuvdec: validate image size Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9a345802edf7f430b3335f486aecdd8552f8367b) Signed-off-by: Andreas Cadhalpun --- libavcodec/huffyuvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 3b2b0f7f59..2746595d5b 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -37,6 +37,7 @@ #include "huffyuv.h" #include "huffyuvdsp.h" #include "thread.h" +#include "libavutil/imgutils.h" #include "libavutil/pixdesc.h" #define classic_shift_luma_table_size 42 @@ -277,6 +278,10 @@ static av_cold int decode_init(AVCodecContext *avctx) HYuvContext *s = avctx->priv_data; int ret; + ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + if (ret < 0) + return ret; + ff_huffyuvdsp_init(&s->hdsp); memset(s->vlc, 0, 4 * sizeof(VLC)); 
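Review bot: In both wv_get_value() hunks the expressions `1 << (t - 1)` and `1 << (t2 - 1)` remain signed shifts whose count is limited only by get_bits_left(), so a count of 31 or more is undefined behaviour, and get_bits_long() is meant for at most 32 bits. `t` and `t2` are read outside the hunks, so their maximum cannot be confirmed from here. If the bitstream can produce larger values, the guards should bound them as well, e.g. `if (t > 31 || get_bits_left(gb) < t - 1) goto error;` and the same for `t2`. The exact limit should follow what the format allows.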
From 910df0f871dd077d0060f113c6492c25af7f313f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 2 Jul 2015 23:05:05 +0200 Subject: [PATCH 0732/1352] wavpack: limit extra_bits to 32 and use get_bits_long More than 32 bits can't be stored in an integer and get_bits should not be used with more than 25 bits. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit d0eff8857ceff2601f85037c930cbe61a88b611e) Signed-off-by: Andreas Cadhalpun --- libavcodec/wavpack.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index d91b66cf2a..554367b32f 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -271,7 +271,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, if (s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits) { - S |= get_bits(&s->gb_extra_bits, s->extra_bits); + S |= get_bits_long(&s->gb_extra_bits, s->extra_bits); *crc = *crc * 9 + (S & 0xffff) * 3 + ((unsigned)S >> 16); } } @@ -835,7 +835,11 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0]) { + if (val[0] > 32) { + av_log(avctx, AV_LOG_ERROR, + "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); + continue; + } else if (val[0]) { s->extra_bits = val[0]; } else if (val[1]) { s->shift = val[1]; From 6f024dfd539e4c88c1574bb2cea8a4c52ce02369 Mon Sep 17 00:00:00 2001 
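Review bot: The new range check in wavpack_decode_block() covers only `val[0]`, while the next branch stores `val[1]` into `s->shift` with no bound. A shift count of 32 or more taken from the file would be undefined wherever it is applied; that use is outside the hunk. A matching test, `if (val[1] > 31)`, with the same log-and-continue handling, would close the gap. `extra_bits == 32` is also still accepted, which get_bits_long() can read, but any shift of `S` by `s->extra_bits` before the `|=` in wv_get_value_integer() should be confirmed to be defined for that value.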
From: Andreas Cadhalpun Date: Thu, 9 Jul 2015 19:50:34 +0200 Subject: [PATCH 0733/1352] snow: remove an obsolete av_assert2 It asserts that the frame linesize is larger than 37, but it can be smaller and decoding such frames works. Before commit cc884a35 src_stride > 7*MB_SIZE was necessary, because the blocks were interleaved in the tmp buffer and the last block was added with an offset of 6*MB_SIZE. It was changed for src_stride <= 7*MB_SIZE to write the blocks sequentially, hence the larger tmp_step. After that the assert was only necessary to make sure that the buffer remained large enough. Since commit bd2b6b33 s->scratchbuf is used as tmp buffer. As part of commit 86e107a7 the minimal scratchbuf size was increased to 256*7*MB_SIZE, which is enough for any src_stride <= 7*MB_SIZE. Also add a comment explaining the tmp_step calculation. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 3526a120f92929cb0a4009e403ee2f141030c487) Signed-off-by: Andreas Cadhalpun --- libavcodec/snow.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index b6a8bf4d7f..46df46c5c8 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -296,6 +296,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer BlockNode *lb= lt+b_stride; BlockNode *rb= lb+1; uint8_t *block[4]; + // When src_stride is large enough, it is possible to interleave the blocks. + // Otherwise the blocks are written sequentially in the tmp buffer. int tmp_step= src_stride >= 7*MB_SIZE ? MB_SIZE : MB_SIZE*src_stride; uint8_t *tmp = s->scratchbuf; uint8_t *ptmp; @@ -339,8 +341,6 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer if(b_w<=0 || b_h<=0) return; - av_assert2(src_stride > 2*MB_SIZE + 5); - if(!sliced && offset_dst) dst += src_x + src_y*dst_stride; dst8+= src_x + src_y*src_stride; From ba944121e281e9e13ed8a32f28207355e878d47e Mon Sep 17 00:00:00 2001 
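Review bot: The comment added above `tmp_step` in add_yblock() explains the two layouts but not the invariant that replaced the removed assert. According to the commit message, the sequential layout is safe because the minimum scratchbuf size is 256*7*MB_SIZE, and nothing in the code now states or checks that. I would extend the comment with one line such as `// The sequential layout relies on s->scratchbuf holding at least 256*7*MB_SIZE bytes.` so a future change to the scratch buffer size is checked against this use. The function starts and ends outside the hunk.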
From: Andreas Cadhalpun Date: Fri, 10 Jul 2015 21:50:50 +0200 Subject: [PATCH 0734/1352] imc: use correct position for flcoeffs2 calculation flcoeffs2[pos] should be the log2 of flcoeffs1[pos]. flcoeffs1[0] can be 0 here, thus flcoeffs2[pos] gets set to -inf, causing problems further down. This seems to have been copied from imc_decode_level_coefficients in commit 4eb4bb3 without updating the position. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 75fd5ce4c1c0b2d96d71c74b650cefaaef519d27) Signed-off-by: Andreas Cadhalpun --- libavcodec/imc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/imc.c b/libavcodec/imc.c index 5122f558c4..00076c9a87 100644 --- a/libavcodec/imc.c +++ b/libavcodec/imc.c @@ -420,7 +420,7 @@ static void imc_decode_level_coefficients_raw(IMCContext *q, int *levlCoeffBuf, pos = q->coef0_pos; flcoeffs1[pos] = 20000.0 / pow (2, levlCoeffBuf[0] * 0.18945); // 0.18945 = log2(10) * 0.05703125 - flcoeffs2[pos] = log2f(flcoeffs1[0]); + flcoeffs2[pos] = log2f(flcoeffs1[pos]); tmp = flcoeffs1[pos]; tmp2 = flcoeffs2[pos]; From 68c0d66d4d40c57923723222c0da7bb1a949d5c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Jul 2015 15:21:15 +0200 Subject: [PATCH 0735/1352] Merge commit 'd80811c94e068085aab797f9ba35790529126f85' * commit 'd80811c94e068085aab797f9ba35790529126f85': riff: Use the correct logging context Conflicts: libavformat/asfdec_o.c libavformat/avidec.c libavformat/dxa.c libavformat/matroskadec.c libavformat/mov.c libavformat/riff.h libavformat/riffdec.c libavformat/wavdec.c libavformat/wtvdec.c libavformat/xwma.c Merged-by: Michael Niedermayer (cherry picked from commit ba77fb61f741d9ab3bd12935527556055b2ffb2e) 
Signed-off-by: Andreas Cadhalpun --- libavformat/act.c | 2 +- libavformat/asfdec.c | 2 +- libavformat/avidec.c | 2 +- libavformat/dxa.c | 2 +- libavformat/matroskadec.c | 2 +- libavformat/mlvdec.c | 2 +- libavformat/mov.c | 2 +- libavformat/riff.h | 2 +- libavformat/riffdec.c | 5 +++-- libavformat/wavdec.c | 4 ++-- libavformat/wtvdec.c | 2 +- libavformat/xwma.c | 2 +- 12 files changed, 15 insertions(+), 14 deletions(-) diff --git a/libavformat/act.c b/libavformat/act.c index 3f223d57b6..faa693ccb9 100644 --- a/libavformat/act.c +++ b/libavformat/act.c @@ -75,7 +75,7 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 16); size=avio_rl32(pb); - ff_get_wav_header(pb, st->codec, size); + ff_get_wav_header(s, pb, st->codec, size); /* 8000Hz (Fine-rec) file format has 10 bytes long diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index 7f7bb4d5d4..c93395c9a5 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -423,7 +423,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) st->codec->codec_type = type; if (type == AVMEDIA_TYPE_AUDIO) { - int ret = ff_get_wav_header(pb, st->codec, type_specific_size); + int ret = ff_get_wav_header(s, pb, st->codec, type_specific_size); if (ret < 0) return ret; if (is_dvr_ms_audio) { diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 417fb74398..dd50c2d6e6 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -811,7 +811,7 @@ static int avi_read_header(AVFormatContext *s) // avio_skip(pb, size - 5 * 4); break; case AVMEDIA_TYPE_AUDIO: - ret = ff_get_wav_header(pb, st->codec, size); + ret = ff_get_wav_header(s, pb, st->codec, size); if (ret < 0) return ret; ast->dshow_block_align = st->codec->block_align; diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 6ad1c9ffac..9ddfbc3212 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c 
@@ -106,7 +106,7 @@ static int dxa_read_header(AVFormatContext *s) ast = avformat_new_stream(s, NULL); if (!ast) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, ast->codec, fsize); + ret = ff_get_wav_header(s, pb, ast->codec, fsize); if (ret < 0) return ret; if (ast->codec->sample_rate > 0) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 09f7e66ca2..2d64dc079f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1714,7 +1714,7 @@ static int matroska_parse_tracks(AVFormatContext *s) ffio_init_context(&b, track->codec_priv.data, track->codec_priv.size, 0, NULL, NULL, NULL, NULL); - ret = ff_get_wav_header(&b, st->codec, track->codec_priv.size); + ret = ff_get_wav_header(s, &b, st->codec, track->codec_priv.size); if (ret < 0) return ret; codec_id = st->codec->codec_id; diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 1855ea46ce..564e113c55 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -142,7 +142,7 @@ static int scan_file(AVFormatContext *avctx, AVStream *vst, AVStream *ast, int f vst->codec->codec_tag = MKTAG('B', 'I', 'T', 16); size -= 164; } else if (ast && type == MKTAG('W', 'A', 'V', 'I') && size >= 16) { - ret = ff_get_wav_header(pb, ast->codec, 16); + ret = ff_get_wav_header(avctx, pb, ast->codec, 16); if (ret < 0) return ret; size -= 16; diff --git a/libavformat/mov.c b/libavformat/mov.c index cabba3755c..39730810e4 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -696,7 +696,7 @@ static int mov_read_wfex(MOVContext *c, AVIOContext *pb, MOVAtom atom) return 0; st = c->fc->streams[c->fc->nb_streams-1]; - if (ff_get_wav_header(pb, st->codec, atom.size) < 0) { + if (ff_get_wav_header(c->fc, pb, st->codec, atom.size) < 0) { av_log(c->fc, AV_LOG_WARNING, "get_wav_header failed\n"); } diff --git a/libavformat/riff.h b/libavformat/riff.h index 88a77b07c8..e045bb84e8 100644 --- a/libavformat/riff.h +++ b/libavformat/riff.h 
@@ -62,7 +62,7 @@ void ff_put_bmp_header(AVIOContext *pb, AVCodecContext *enc, const AVCodecTag *t int ff_put_wav_header(AVIOContext *pb, AVCodecContext *enc, int flags); enum AVCodecID ff_wav_codec_get_id(unsigned int tag, int bps); -int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size); +int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, AVCodecContext *codec, int size); extern const AVCodecTag ff_codec_bmp_tags[]; // exposed through avformat_get_riff_video_tags() extern const AVCodecTag ff_codec_wav_tags[]; diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 09fee9d603..3462b42eb4 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -80,7 +80,8 @@ static void parse_waveformatex(AVIOContext *pb, AVCodecContext *c) } } -int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) +int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, + AVCodecContext *codec, int size) { int id; @@ -122,7 +123,7 @@ int ff_get_wav_header(AVIOContext *pb, AVCodecContext *codec, int size) avio_skip(pb, size); } if (codec->sample_rate <= 0) { - av_log(NULL, AV_LOG_ERROR, + av_log(s, AV_LOG_ERROR, "Invalid sample rate: %d\n", codec->sample_rate); return AVERROR_INVALIDDATA; } diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 66fd7664f7..cf824d834e 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -128,7 +128,7 @@ static int wav_parse_fmt_tag(AVFormatContext *s, int64_t size, AVStream **st) if (!*st) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, (*st)->codec, size); + ret = ff_get_wav_header(s, pb, (*st)->codec, size); if (ret < 0) return ret; handle_stream_probing(*st); 
@@ -662,7 +662,7 @@ static int w64_read_header(AVFormatContext *s) if (!memcmp(guid, ff_w64_guid_fmt, 16)) { /* subtract chunk header size - normal wav file doesn't count it */ - ret = ff_get_wav_header(pb, st->codec, size - 24); + ret = ff_get_wav_header(s, pb, st->codec, size - 24); if (ret < 0) return ret; avio_skip(pb, FFALIGN(size, INT64_C(8)) - size); diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index a7334fc9d4..a887f583c7 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -663,7 +663,7 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid, if (!st) return NULL; if (!ff_guidcmp(formattype, ff_format_waveformatex)) { - int ret = ff_get_wav_header(pb, st->codec, size); + int ret = ff_get_wav_header(s, pb, st->codec, size); if (ret < 0) return NULL; } else { diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 5d29d0b99e..dec1c3ea53 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -75,7 +75,7 @@ static int xwma_read_header(AVFormatContext *s) if (!st) return AVERROR(ENOMEM); - ret = ff_get_wav_header(pb, st->codec, size); + ret = ff_get_wav_header(s, pb, st->codec, size); if (ret < 0) return ret; st->need_parsing = AVSTREAM_PARSE_NONE; From 16cbc7a9303f6f876997c096306c9184222e64b3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 11 Jul 2015 00:09:46 +0200 Subject: [PATCH 0736/1352] riffdec: prevent negative bit rate Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 189420cb561929e05f5cc4224cdca83740a24a32) Signed-off-by: Andreas Cadhalpun --- libavformat/riffdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 3462b42eb4..3d4d5d09a2 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c 
@@ -91,6 +91,14 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, codec->sample_rate = avio_rl32(pb); codec->bit_rate = avio_rl32(pb) * 8; codec->block_align = avio_rl16(pb); + if (codec->bit_rate < 0) { + av_log(s, AV_LOG_WARNING, + "Invalid bit rate: %d\n", codec->bit_rate); + if (s->error_recognition & AV_EF_EXPLODE) + return AVERROR_INVALIDDATA; + else + codec->bit_rate = 0; + } if (size == 14) { /* We're dealing with plain vanilla WAVEFORMAT */ codec->bits_per_coded_sample = 8; } else From 5ed5acb91070272dc4a5e2ae16eccb2f71311913 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Oct 2015 01:18:22 +0100 Subject: [PATCH 0737/1352] avcodec/opusdec: Fix extra samples read index Fixes crash Fixes Ticket4969 part 1 Signed-off-by: Michael Niedermayer (cherry picked from commit 07225fa74f2cdb29d6d85fd33675539bfdfe9ea5) Signed-off-by: Andreas Cadhalpun --- libavcodec/opusdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index 9ef26c4930..7acc7cf3bd 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -569,8 +569,8 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, if (buffer_samples) { float *buf[2] = { c->out[2 * i + 0] ? c->out[2 * i + 0] : (float*)frame->extended_data[0], c->out[2 * i + 1] ? c->out[2 * i + 1] : (float*)frame->extended_data[0] }; - buf[0] += buffer_samples; - buf[1] += buffer_samples; + buf[0] += decoded_samples; + buf[1] += decoded_samples; ret = av_audio_fifo_write(c->sync_buffers[i], (void**)buf, buffer_samples); if (ret < 0) return ret; From 458b1fda34153510cdc9d4fee95f718aec665e9c Mon Sep 17 00:00:00 2001 From: Kieran Kunhya Date: Mon, 26 Oct 2015 23:09:44 +0000 Subject: [PATCH 0738/1352] opusdec: Don't run vector_fmul_scalar on zero length arrays Fixes crashes on fuzzed files Fixes Ticket4969 part2 Signed-off-by: Michael Niedermayer (cherry picked from commit b3e5f15b95f04a35821f63f6fd89ddd60f666a59) 
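Review bot: The sign test added in ff_get_wav_header() runs after `avio_rl32(pb) * 8` has already been computed in 32 bits, so a large byte-rate field can wrap to a small positive value and pass as a valid bit rate. Doing the multiplication in 64 bits and range-checking before the assignment catches both the negative and the wrapped case: `int64_t bitrate = avio_rl32(pb) * 8LL;` followed by `if (bitrate > INT_MAX) { /* warn, or fail under AV_EF_EXPLODE */ }`. The function starts and ends outside the hunk.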
Signed-off-by: Andreas Cadhalpun --- libavcodec/opusdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c index 7acc7cf3bd..c22a2db6c2 100644 --- a/libavcodec/opusdec.c +++ b/libavcodec/opusdec.c @@ -589,7 +589,7 @@ static int opus_decode_packet(AVCodecContext *avctx, void *data, memset(frame->extended_data[i], 0, frame->linesize[0]); } - if (c->gain_i) { + if (c->gain_i && decoded_samples > 0) { c->fdsp.vector_fmul_scalar((float*)frame->extended_data[i], (float*)frame->extended_data[i], c->gain, FFALIGN(decoded_samples, 8)); From 2ccab79595ae6a7653e503c82d5efc98a10f2be9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 00:56:04 +0100 Subject: [PATCH 0739/1352] avcodec/mpeg12dec: Do not call show_bits() with invalid bits Fixes assertion failure Fixes: 63e50545709a6440d3d59f6426d58db9/signal_sigabrt_7ffff6ae7cc9_8189_3272a3010fd98ddf947c662bbde1ac13.ts Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 973c3dba27d0b1a88c70f6661b6a90d2f2e50665) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index d5e1fb6662..5fb4739cca 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1907,7 +1907,7 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y, (left && show_bits(&s->gb, FFMIN(left, 23)) && !is_d10) || ((avctx->err_recognition & (AV_EF_BITSTREAM | AV_EF_AGGRESSIVE)) && left > 8)) { av_log(avctx, AV_LOG_ERROR, "end mismatch left=%d %0X\n", - left, show_bits(&s->gb, FFMIN(left, 23))); + left, left>0 ? show_bits(&s->gb, FFMIN(left, 23)) : 0); return -1; } else goto eos; From 79e477823f7fc42912b21991e11fbf4f8966464d Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Fri, 6 Nov 2015 21:04:34 +0100 Subject: [PATCH 0740/1352] jvdec: avoid unsigned overflow in comparison The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size is 3, the right side overflows leading to a wrong result of the comparison and subsequently a heap buffer overflow. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit db374790c75fa4ef947abcb5019fcf21d0b2de85) Signed-off-by: Andreas Cadhalpun --- libavformat/jvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c index 21eb14d265..9053c61cf2 100644 --- a/libavformat/jvdec.c +++ b/libavformat/jvdec.c @@ -54,7 +54,7 @@ typedef struct { static int read_probe(AVProbeData *pd) { - if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <= pd->buf_size - 4 && + if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <= pd->buf_size && !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC))) return AVPROBE_SCORE_MAX; return 0; From 372ded7f69a500993329a364f2975150e842c31e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2015 20:05:27 +0100 Subject: [PATCH 0741/1352] avcodec/takdec: Use memove, avoid undefined memcpy() use Fixes: e214333cbd94c91228e624ff39329ce6/asan_generic_4a5159_6412_96cda2530e80607210ab41ccae3d456d.tak Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7cea3430a56fb0ff6ef60f08620fd3875e7bfeb6) Signed-off-by: Andreas Cadhalpun --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 614385803d..0e29c6283e 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -656,7 +656,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) *p1++ = v; } - memcpy(s->residues, &s->residues[tmp], 2 * filter_order); + memmove(s->residues, &s->residues[tmp], 2 * filter_order); } emms_c(); 
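Review bot: In read_probe() the length test `strlen(MAGIC) + 4 <= pd->buf_size` is evaluated only after `pd->buf[0]` and `pd->buf[1]` have been read, so the function still depends on the caller supplying at least two readable bytes. Moving the size test to the front makes the probe self-contained: `if (strlen(MAGIC) + 4 <= pd->buf_size && pd->buf[0] == 'J' && pd->buf[1] == 'V' &&`. The comparison also mixes size_t with `buf_size`, whose type is not visible in the hunk; if it is a signed int, a negative value would convert to a large unsigned one and pass the test.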
From aa464dc0417d89ff0e1c012f13093548a2d47b39 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 10 Nov 2015 22:14:39 +0100 Subject: [PATCH 0742/1352] dvdsubdec: validate offset2 similar to offset1 If it is negative, it causes segmentation faults in decode_rle. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f621749d1181987b3f815c6766ea66d6c5d55198) Signed-off-by: Andreas Cadhalpun --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index ae0f4ff10d..9272e2c012 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -343,7 +343,7 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, } } the_end: - if (offset1 >= 0) { + if (offset1 >= 0 && offset2 >= 0) { int w, h; uint8_t *bitmap; From ae1156ef2aa36b1b0e61787a52f5e06487bb1056 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 14 Nov 2015 22:46:46 +0100 Subject: [PATCH 0743/1352] mpegvideo: clear overread in clear_context Otherwise the h263p decoder can try to copy overread bytes, even though buffer is NULL. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 6a69a175e7b5c5393528ed0f5753e41573fa0df2) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpegvideo.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index bea62d9b88..645d757fbd 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1315,6 +1315,7 @@ static void clear_context(MpegEncContext *s) s->parse_context.buffer = NULL; s->parse_context.buffer_size = 0; + s->parse_context.overread = 0; s->bitstream_buffer = NULL; s->allocated_bitstream_buffer_size = 0; s->picture = NULL; From db13758b88384feb3f430d936a391af452f68313 Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Thu, 26 Nov 2015 01:15:28 +0100 Subject: [PATCH 0744/1352] avcodec: avoid division by zero in avcodec_string Actually time_base should not be 0/0, but the proper fix is part of commit 7ea1b34, which can't be backported, as it changes API. Signed-off-by: Andreas Cadhalpun --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 12cf577343..0901e75d85 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -2970,6 +2970,8 @@ void avcodec_string(char *buf, int buf_size, AVCodecContext *enc, int encode) } if (av_log_get_level() >= AV_LOG_DEBUG) { int g = av_gcd(enc->time_base.num, enc->time_base.den); + if (!g) + g = 1; snprintf(buf + strlen(buf), buf_size - strlen(buf), ", %d/%d", enc->time_base.num / g, enc->time_base.den / g); From a38a41df39896fb48393f7a51df90c7bcdd785e3 Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Tue, 1 Dec 2015 21:15:53 +0200 Subject: [PATCH 0745/1352] doc/filters/drawtext: fix centering example Signed-off-by: Andrey Utkin Signed-off-by: Lou Logan (cherry picked from commit 648b26acc5e25ab40c43fddc54b50e9f0b13ebd8) Signed-off-by: Timothy Gu --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 97714a08a9..4b597f8ed3 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -4146,7 +4146,7 @@ within the parameter list. @item Show the text at the center of the video frame: @example -drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h-line_h)/2" +drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h)/2" @end example @item From ab79e3d1a5f9b2d677273d15970a719b8be039bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Aug 2015 12:44:31 +0200 Subject: [PATCH 0746/1352] avcodec/libopusenc: Fix infinite loop on flushing after 0 input 
Signed-off-by: Michael Niedermayer (cherry picked from commit 6701c92fa4269872856c70c3170a9b3291b46247) Signed-off-by: Michael Niedermayer --- libavcodec/libopusenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 9a1952a625..dadd7f01e8 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -324,7 +324,7 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, } else audio = frame->data[0]; } else { - if (!opus->afq.remaining_samples) + if (!opus->afq.remaining_samples || (!opus->afq.frame_alloc && !opus->afq.frame_count)) return 0; audio = opus->samples; memset(audio, 0, opus->opts.packet_size * sample_size); From 6f08086992c3fad68fbaca03b0ca2a42f0ad0d67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Sep 2015 04:57:22 +0200 Subject: [PATCH 0747/1352] avcodec/truemotion1: Check for even width Fixes out of array access Fixes: 87196d8bbc633629fc9dd851fce73e70/asan_heap-oob_26f6853_862_cov_585961513_sonic3dblast_intro-partial.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 63fb5a6aefb4223334001fd2c0d82a5e22e3b528) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 660ecf5413..b2de889c46 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -402,6 +402,10 @@ static int truemotion1_decode_header(TrueMotion1Context *s) new_pix_fmt = AV_PIX_FMT_RGB555; // RGB565 is supported as well s->w >>= width_shift; + if (s->w & 1) { + avpriv_request_sample(s->avctx, "Frame with odd width"); + return AVERROR_PATCHWELCOME; + } if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { From e5c9396a029322b1a43e24b6dbe1cb2ec76bf0f1 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 3 Sep 2015 02:49:44 +0200 Subject: [PATCH 0748/1352] avformat/dump: Fix integer overflow in aspect ratio calculation Fixes: unknown_unknown_19e_414_cov_764838672_bellhamlam.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d1bdaf3fb2c45020f72a378bb64eab1bf136581c) Signed-off-by: Michael Niedermayer --- libavformat/dump.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dump.c b/libavformat/dump.c index 3a7adbe014..c4434b3e0b 100644 --- a/libavformat/dump.c +++ b/libavformat/dump.c @@ -363,8 +363,8 @@ static void dump_stream_format(AVFormatContext *ic, int i, av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)) { AVRational display_aspect_ratio; av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den, - st->codec->width * st->sample_aspect_ratio.num, - st->codec->height * st->sample_aspect_ratio.den, + st->codec->width * (int64_t)st->sample_aspect_ratio.num, + st->codec->height * (int64_t)st->sample_aspect_ratio.den, 1024 * 1024); av_log(NULL, AV_LOG_INFO, ", SAR %d:%d DAR %d:%d", st->sample_aspect_ratio.num, st->sample_aspect_ratio.den, From 7ffe708297e900889f6979eee292b766b1f1872a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 02:00:05 +0200 Subject: [PATCH 0749/1352] avutil/common: Document FFABS() corner case Signed-off-by: Michael Niedermayer (cherry picked from commit 733511fb53fedd3adaaeabc5db9d0b29e71ea1d3) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavutil/common.h b/libavutil/common.h index c82a3a6240..a48959d82a 100644 --- a/libavutil/common.h +++ b/libavutil/common.h 
@@ -58,6 +58,12 @@ : ((a) + (1<<(b)) - 1) >> (b)) #define FFUDIV(a,b) (((a)>0 ?(a):(a)-(b)+1) / (b)) #define FFUMOD(a,b) ((a)-(b)*FFUDIV(a,b)) + +/** + * Absolute value, Note, INT_MIN / INT64_MIN result in undefined behavior as they + * are not representable as absolute values of their type. This is the same + * as with *abs() + */ #define FFABS(a) ((a) >= 0 ? (a) : (-(a))) #define FFSIGN(a) ((a) > 0 ? 1 : -1) From c09fe0346d9456a47717ebbd48bee1e62cab6818 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 02:17:24 +0200 Subject: [PATCH 0750/1352] avutil/common: Add FFNABS() This macro avoids the undefined corner case with the *_MIN values Previous version Reviewed-by: Ganesh Ajjanagadde Signed-off-by: Michael Niedermayer (cherry picked from commit d6cd614dac579850076ae312c29c4188f8659e46) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavutil/common.h b/libavutil/common.h index a48959d82a..526f5c6e51 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -63,10 +63,19 @@ * Absolute value, Note, INT_MIN / INT64_MIN result in undefined behavior as they * are not representable as absolute values of their type. This is the same * as with *abs() + * @see FFNABS() */ #define FFABS(a) ((a) >= 0 ? (a) : (-(a))) #define FFSIGN(a) ((a) > 0 ? 1 : -1) +/** + * Negative Absolute value. + * this works for all integers of all types. + * As with many macros, this evaluates its argument twice, it thus must not have + * a sideeffect, that is FFNABS(x++) has undefined behavior. + */ +#define FFNABS(a) ((a) <= 0 ? (a) : (-(a))) + #define FFMAX(a,b) ((a) > (b) ? (a) : (b)) #define FFMAX3(a,b,c) FFMAX(FFMAX(a,b),c) #define FFMIN(a,b) ((a) > (b) ? (b) : (a)) From 79b16c6e5e2f29b48a562f3829800909b8d398d6 Mon Sep 17 00:00:00 2001 
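Review bot: In the FFNABS() comment added to libavutil/common.h, the statement that `FFNABS(x++)` has undefined behavior is stronger than what the macro does: the conditional operator sequences its first operand before the selected one, so the argument is simply evaluated twice with a well-defined but surprising result. I would reword it to `As with many macros, this evaluates its argument twice, so it must not have side effects; FFNABS(x++) increments x twice.`, which also fixes the `sideeffect` typo. "works for all integers of all types" should be narrowed to signed types, since for an unsigned argument `-(a)` wraps and the result is not a negated magnitude.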
From: Michael Niedermayer Date: Thu, 3 Sep 2015 09:20:23 +0200 Subject: [PATCH 0751/1352] avformat/mov: Fix integer overflow in FFABS Fixes: unknown_unknown_19e_414_cov_764838672_bellhamlam.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 053e80f6eaf8d87521fe58ea96886b6ee0bbe59d) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 39730810e4..6f46dbbcf8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2083,7 +2083,7 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dlog(c->fc, "count=%d, duration=%d\n", count, duration); - if (FFABS(duration) > (1<<28) && i+2fc, AV_LOG_WARNING, "CTTS invalid\n"); av_freep(&sc->ctts_data); sc->ctts_count = 0; From f66787d3452c993ed0285cbb44369a558c733703 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Sep 2015 09:22:31 +0200 Subject: [PATCH 0752/1352] swresample/swresample: Fix integer overflow in seed calculation Fixes CID1322333 Signed-off-by: Michael Niedermayer (cherry picked from commit 32f53958b8f6ed4c3c2a7447c1e47d012796fae2) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 3e23912d35..e9bc659e08 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c 
@@ -638,7 +638,7 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co return ret; if(ret) for(ch=0; chdither.noise.ch_count; ch++) - if((ret=swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, 12345678913579<dither.noise.fmt))<0) + if((ret=swri_get_dither(s, s->dither.noise.ch[ch], s->dither.noise.count, (12345678913579ULL*ch + 3141592) % 2718281828U, s->dither.noise.fmt))<0) return ret; av_assert0(s->dither.noise.ch_count == preout->ch_count); From ec35bb729cdd36a757f6180fc3c69b76404e773a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 01:18:13 +0200 Subject: [PATCH 0753/1352] avcodec/tta: Check init_get_bits8() for failure Fixes: CID1322319 Signed-off-by: Michael Niedermayer (cherry picked from commit f1593e4ca564cdb7f3194a9eee1dea16df41142d) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 5fdbac8d44..1c4316b421 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -123,6 +123,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) TTAContext *s = avctx->priv_data; GetBitContext gb; int total_frames; + int ret; s->avctx = avctx; @@ -131,7 +132,10 @@ static av_cold int tta_decode_init(AVCodecContext * avctx) return AVERROR_INVALIDDATA; s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE); - init_get_bits8(&gb, avctx->extradata, avctx->extradata_size); + ret = init_get_bits8(&gb, avctx->extradata, avctx->extradata_size); + if (ret < 0) + return ret; + if (show_bits_long(&gb, 32) == AV_RL32("TTA1")) { /* signature */ skip_bits_long(&gb, 32); From 45c30d84b6c57b529687096bd7043c6999bd2d14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 01:18:13 +0200 Subject: [PATCH 0754/1352] avcodec/svq1dec: Check init_get_bits8() for failure Fixes: CID1322313 Signed-off-by: Michael Niedermayer (cherry picked from commit a51d4246d8ac96acee735e7e5dedb9d9ef27a594) 
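Review bot: The new seed expression in swr_convert_internal(), `(12345678913579ULL*ch + 3141592) % 2718281828U`, introduces three unexplained constants, and its result can be as large as 2718281827, which is above INT_MAX. The prototype of swri_get_dither() is not visible here; if its seed parameter is a signed int, the conversion of the larger values is implementation-defined, so the parameter type is worth confirming. A short comment such as `/* per-channel seed, computed in unsigned 64-bit so the multiply cannot overflow */` would record the intent. The function body continues outside the hunk.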
Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 2f9ea16630..1212522a69 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -617,9 +617,12 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data, uint8_t *current; int result, i, x, y, width, height; svq1_pmv *pmv; + int ret; /* initialize bit buffer */ - init_get_bits8(&s->gb, buf, buf_size); + ret = init_get_bits8(&s->gb, buf, buf_size); + if (ret < 0) + return ret; /* decode frame header */ s->frame_code = get_bits(&s->gb, 22); From 47b6ea314df6df4021690a98616d3fa73e07d0df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 12:10:02 +0200 Subject: [PATCH 0755/1352] avcodec/g2meet: Fix potential overflow in tile dimensions check Fixes CID1322351 Signed-off-by: Michael Niedermayer (cherry picked from commit 71ec8e1ed6cf4947e204e3e4b5929a44c054f5fb) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index d0cb88cb56..302dc9dfdc 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -738,7 +738,7 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, c->tile_height = bytestream2_get_be32(&bc); if (c->tile_width <= 0 || c->tile_height <= 0 || ((c->tile_width | c->tile_height) & 0xF) || - c->tile_width * 4LL * c->tile_height >= INT_MAX + c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 ) { av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions %dx%d\n", From 873ee14b560fa43a25b6ac88b23f9784eda53eeb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Sep 2015 12:11:46 +0200 Subject: [PATCH 0756/1352] avcodec/g2meet: Also clear tile dimensions on header_fail Signed-off-by: Michael Niedermayer (cherry picked from commit fb0466699575724923aeddc4490302180dfdf4af) 
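Review bot: In the svq1dec.c hunk, svq1_decode_frame() already declares a status variable on the context line `int result, i, x, y, width, height;`, so the added `int ret;` gives the function two error-code variables for the same job. Reusing the existing one keeps it consistent: `result = init_get_bits8(&s->gb, buf, buf_size);` followed by `if (result < 0) return result;`. The rest of the function is outside the hunk, so how `result` is used later should be checked before merging the two.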
Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 302dc9dfdc..16f46e2125 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -869,6 +869,8 @@ header_fail: c->height = 0; c->tiles_x = c->tiles_y = 0; + c->tile_width = + c->tile_height = 0; return ret; } From 3ea20e60dc5d6362dba02c4fb19e44e4943046ad Mon Sep 17 00:00:00 2001 From: Ganesh Ajjanagadde Date: Sat, 5 Sep 2015 20:42:02 -0700 Subject: [PATCH 0757/1352] avfilter/af_asyncts: use llabs for int64_t long may not be 64 bit on all platforms; so labs on int64_t is unsafe. This fixes a warning reported in: http://fate.ffmpeg.org/log.cgi?time=20150905071512&log=compile&slot=i386-darwin-clang-polly-3.7 Signed-off-by: Ganesh Ajjanagadde Signed-off-by: Michael Niedermayer (cherry picked from commit d74123d03eb1047b844bc39fbde26f199c72cbcb) Signed-off-by: Michael Niedermayer --- libavfilter/af_asyncts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_asyncts.c b/libavfilter/af_asyncts.c index 5f8e1f61cc..4be093b194 100644 --- a/libavfilter/af_asyncts.c +++ b/libavfilter/af_asyncts.c @@ -205,7 +205,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *buf) delta = pts - s->pts - get_delay(s); out_size = avresample_available(s->avr); - if (labs(delta) > s->min_delta || + if (llabs(delta) > s->min_delta || (s->first_frame && delta && s->first_pts != AV_NOPTS_VALUE)) { av_log(ctx, AV_LOG_VERBOSE, "Discontinuity - %"PRId64" samples.\n", delta); out_size = av_clipl_int32((int64_t)out_size + delta); From 7cdd319b01cfacc5ab07744ee3422a46b6f2c754 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Sep 2015 13:28:51 +0200 Subject: [PATCH 0758/1352] avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG Signed-off-by: Michael Niedermayer (cherry picked from commit 055e56e9f76da3298f1b59bf5ea46f570e844600) 
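Review bot: In the af_asyncts.c hunk, `llabs(delta)` is still undefined when `delta` equals INT64_MIN, and `delta` is derived from frame timestamps on the line above (`pts - s->pts - get_delay(s)`). FFNABS(), added to libavutil/common.h earlier in this series, avoids that corner case: `if (FFNABS(delta) < -s->min_delta ||`. That form assumes `s->min_delta` is a signed, non-negative value; its declaration is outside the hunk and should be confirmed first. The subtraction that produces `delta` can itself overflow for extreme timestamps, which this change does not address.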
Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index c2a92fae36..4a7862520c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -946,7 +946,14 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p skip_bits(&s->gb, 16); /* skip RSTn */ } } - if (s->nb_components == 4) { + if (s->rct && s->nb_components == 4) { + for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + ptr[4*mb_x + 2] = buffer[mb_x][0] - ((buffer[mb_x][1] + buffer[mb_x][2] - 0x200) >> 2); + ptr[4*mb_x + 1] = buffer[mb_x][1] + ptr[4*mb_x + 2]; + ptr[4*mb_x + 3] = buffer[mb_x][2] + ptr[4*mb_x + 2]; + ptr[4*mb_x + 0] = buffer[mb_x][3]; + } + } else if (s->nb_components == 4) { for(i=0; icomp_index[i]; if (s->bits <= 8) { From c6769b6d56bea1548a1c0167fdc322991bd46e50 Mon Sep 17 00:00:00 2001 From: Simon Thelen Date: Fri, 11 Sep 2015 21:49:07 +0200 Subject: [PATCH 0759/1352] lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream. Not requiring this can end up producing hilariously broken files together with -c:s copy (e.g. a webvtt file containing binary subtitle data). Signed-off-by: Simon Thelen Signed-off-by: Michael Niedermayer (cherry picked from commit b84232694ef0c6897e82b52326c9ea4027c69ec4) Signed-off-by: Michael Niedermayer --- libavformat/webvttenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/webvttenc.c b/libavformat/webvttenc.c index b93993d55c..c386538718 100644 --- a/libavformat/webvttenc.c +++ b/libavformat/webvttenc.c 
@@ -46,8 +46,14 @@ static void webvtt_write_time(AVIOContext *pb, int64_t millisec) static int webvtt_write_header(AVFormatContext *ctx) { AVStream *s = ctx->streams[0]; + AVCodecContext *avctx = ctx->streams[0]->codec; AVIOContext *pb = ctx->pb; + if (ctx->nb_streams != 1 || avctx->codec_id != AV_CODEC_ID_WEBVTT) { + av_log(ctx, AV_LOG_ERROR, "Exactly one WebVTT stream is needed.\n"); + return AVERROR(EINVAL); + } + avpriv_set_pts_info(s, 64, 1, 1000); avio_printf(pb, "WEBVTT\n"); From b5b29b22c0f8b49db045edb33254291486cb0db7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Sep 2015 14:26:14 +0200 Subject: [PATCH 0760/1352] avcodec/rangecoder: Check e Fixes hang.nut Found-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b2955b6c5aed11026ec5c7164462899a10cdb937) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- libavcodec/snow.h | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 760d74faf7..26ed2eeddc 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -47,8 +47,11 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state, else { int i, e, a; e = 0; - while (get_rac(c, state + 1 + FFMIN(e, 9))) // 1..10 + while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; + } a = 1; for (i = e - 1; i >= 0; i--) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index 46df46c5c8..d2fcc7c375 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -555,6 +555,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){ e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; } a= 1; From ac19d8eb3ac797eb8826909c6f16f47df349e070 Mon Sep 17 00:00:00 2001 
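Review bot: In webvtt_write_header(), the added initializer `AVCodecContext *avctx = ctx->streams[0]->codec;` dereferences the first stream before the new `ctx->nb_streams != 1` test runs, so the test cannot protect against an empty stream list. Unless the generic muxer setup already guarantees at least one stream (not visible here), do the lookup inside the short-circuited condition instead: `if (ctx->nb_streams != 1 || ctx->streams[0]->codec->codec_id != AV_CODEC_ID_WEBVTT) {`. The existing `AVStream *s = ctx->streams[0];` has the same ordering problem and would be better assigned after the check.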
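Review bot: The added `return AVERROR_INVALIDDATA;` in get_symbol_inline() (ffv1dec.c) reports the failure in-band: the function returns the decoded symbol as an int, so with signed decoding a caller may not be able to tell the error code from a legitimate negative symbol. The same applies to the identical change to get_symbol() in snow.h. Callers that cast the result to unsigned before a range check will reject it, but callers reading signed values are outside these hunks and should be audited. At minimum I would document the contract above both functions, e.g. `/* Returns AVERROR_INVALIDDATA if the exponent exceeds 31 bits; callers must range-check the result. */`.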
From: Michael Niedermayer Date: Sat, 26 Sep 2015 13:09:59 +0200 Subject: [PATCH 0761/1352] avcodec/ffv1dec: Explicitly check read_quant_table() return value Forwards the error code, avoids potential integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit 10bbf6cf622f8a954c6cc694ca07c24f989c99af) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 26ed2eeddc..475b1adf1f 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -503,7 +503,10 @@ static int read_quant_tables(RangeCoder *c, int context_count = 1; for (i = 0; i < 5; i++) { - context_count *= read_quant_table(c, quant_table[i], context_count); + int ret = read_quant_table(c, quant_table[i], context_count); + if (ret < 0) + return ret; + context_count *= ret; if (context_count > 32768U) { return AVERROR_INVALIDDATA; } From a2a93b0a8f5d77e244cbdbac2724855b217c29e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2015 13:20:59 +0200 Subject: [PATCH 0762/1352] avcodec/ffv1dec: Fix off by 1 error in quant_table_count check Fixes: invalid_read.nut Found-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2d221d9e069e6269cb41f3678f2734800171d87b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 475b1adf1f..0ca58f4eb6 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -306,7 +306,7 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0); - if (idx > (unsigned)f->quant_table_count) { + if (idx >= (unsigned)f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n"); return -1; } 
From 71fc26403f14ea34978b5efe4dd828248167ab09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Sep 2015 13:08:48 +0200 Subject: [PATCH 0763/1352] avcodec/x86/sbrdsp: Fix using uninitialized upper 32bit of noise Fixes crash Fixes: flicker-1.scout3d21443372922.28.m4a Found-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 1b82b934a166e60f64e966eaa97512ba9dcb615b) Signed-off-by: Michael Niedermayer --- libavcodec/x86/sbrdsp.asm | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/x86/sbrdsp.asm b/libavcodec/x86/sbrdsp.asm index 6f2e4f48d9..f7f7fe9a14 100644 --- a/libavcodec/x86/sbrdsp.asm +++ b/libavcodec/x86/sbrdsp.asm @@ -381,6 +381,7 @@ apply_noise_main: %else %define count m_maxq %endif + movsxdifnidn noiseq, noised dec noiseq shl count, 2 %ifdef PIC From eaf03fa8304c7a9ace12f203811641efd64c0c0f Mon Sep 17 00:00:00 2001 From: Andrey Utkin Date: Thu, 1 Oct 2015 13:56:31 +0300 Subject: [PATCH 0764/1352] avformat/httpauth: Add space after commas in HTTP/RTSP auth header This fixes access to Grandstream cameras, which return 401 to ffmpeg otherwise. VLC sends Authorization: header with spaces between parameters, and it is known to work with Grandstream devices and broad range of other HTTP and RTSP servers, so author considers switching to such behaviour safe. Just for record - RFC 2617 (HTTP Auth) does not specify the need in spaces, so this is not a bug of FFmpeg. Signed-off-by: Michael Niedermayer (cherry picked from commit fdb32838723effb4560a345013387ea37b85ff20) Signed-off-by: Michael Niedermayer --- libavformat/httpauth.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavformat/httpauth.c b/libavformat/httpauth.c index dbe3eff48f..18cf36bcfe 100644 --- a/libavformat/httpauth.c +++ b/libavformat/httpauth.c 
@@ -220,21 +220,21 @@ static char *make_digest_auth(HTTPAuthState *state, const char *username, /* TODO: Escape the quoted strings properly. */ av_strlcatf(authstr, len, "username=\"%s\"", username); - av_strlcatf(authstr, len, ",realm=\"%s\"", state->realm); - av_strlcatf(authstr, len, ",nonce=\"%s\"", digest->nonce); - av_strlcatf(authstr, len, ",uri=\"%s\"", uri); - av_strlcatf(authstr, len, ",response=\"%s\"", response); + av_strlcatf(authstr, len, ", realm=\"%s\"", state->realm); + av_strlcatf(authstr, len, ", nonce=\"%s\"", digest->nonce); + av_strlcatf(authstr, len, ", uri=\"%s\"", uri); + av_strlcatf(authstr, len, ", response=\"%s\"", response); // we are violating the RFC and use "" because all others seem to do that too. if (digest->algorithm[0]) - av_strlcatf(authstr, len, ",algorithm=\"%s\"", digest->algorithm); + av_strlcatf(authstr, len, ", algorithm=\"%s\"", digest->algorithm); if (digest->opaque[0]) - av_strlcatf(authstr, len, ",opaque=\"%s\"", digest->opaque); + av_strlcatf(authstr, len, ", opaque=\"%s\"", digest->opaque); if (digest->qop[0]) { - av_strlcatf(authstr, len, ",qop=\"%s\"", digest->qop); - av_strlcatf(authstr, len, ",cnonce=\"%s\"", cnonce); - av_strlcatf(authstr, len, ",nc=%s", nc); + av_strlcatf(authstr, len, ", qop=\"%s\"", digest->qop); + av_strlcatf(authstr, len, ", cnonce=\"%s\"", cnonce); + av_strlcatf(authstr, len, ", nc=%s", nc); } av_strlcatf(authstr, len, "\r\n"); From a3753ba10df1911c971aa01ec80b12f3f4b46ae4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2015 20:15:48 +0200 Subject: [PATCH 0765/1352] avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons Fixes Ticket4931 Signed-off-by: Michael Niedermayer (cherry picked from commit 4c2d4e8700cd3db59bc11ab196c0002215cf601f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) 
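Review bot: Every parameter rewritten in make_digest_auth() still formats its value into a quoted string without escaping, as the `TODO: Escape the quoted strings properly.` context line admits. `state->realm`, `digest->nonce` and `digest->opaque` presumably originate from the server's challenge, and `username` and `uri` from the caller; a `"` or a CR/LF in any of them would alter the structure of the Authorization header being built. Since this commit touches all of these lines, it is a natural place to route the values through a small helper that backslash-escapes `"` and `\` and rejects control characters. The function starts and ends outside the hunk, so validation at parse time cannot be ruled out from here.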
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 0ca58f4eb6..ebdafd1f8c 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -409,6 +409,7 @@ static int decode_slice(AVCodecContext *c, void *arg) if (ffv1_init_slice_state(f, fs) < 0) return AVERROR(ENOMEM); if (decode_slice_header(f, fs) < 0) { + fs->slice_x = fs->slice_y = fs->slice_height = fs->slice_width = 0; fs->slice_damaged = 1; return AVERROR_INVALIDDATA; } From f0db50a57f7b0f730f217db3d1bb359696d345f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2015 22:25:20 +0200 Subject: [PATCH 0766/1352] avcodec/ffv1dec: update progress in case of broken pointer chains Fixes deadlock Fixes Ticket4932 Signed-off-by: Michael Niedermayer (cherry picked from commit 5063a18f5635008b2a45ada1f8c1e21e20450029) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index ebdafd1f8c..5d06594657 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -935,6 +935,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac else v = buf_p - c->bytestream_start; if (buf_p - c->bytestream_start < v) { av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n"); + ff_thread_report_progress(&f->picture, INT_MAX, 0); return AVERROR_INVALIDDATA; } buf_p -= v; From 99dd039d743db91b8d001eb4521c7ce392c195ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2015 02:13:42 +0200 Subject: [PATCH 0767/1352] avcodec/ffv1: Initialize vlc_state on allocation This ensures that they are always set to valid values Fixes Ticket4939 Signed-off-by: Michael Niedermayer (cherry picked from commit a878dfa4f57d068eb69fb6614f7a4a20f769ee7b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index 6073bc4461..89c4e61d17 100644 
--- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -66,7 +66,7 @@ av_cold int ffv1_common_init(AVCodecContext *avctx) av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) { - int j; + int j, i; fs->plane_count = f->plane_count; fs->transparency = f->transparency; @@ -80,10 +80,15 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs) if (!p->state) return AVERROR(ENOMEM); } else { - if (!p->vlc_state) - p->vlc_state = av_malloc_array(p->context_count, sizeof(VlcState)); - if (!p->vlc_state) - return AVERROR(ENOMEM); + if (!p->vlc_state) { + p->vlc_state = av_mallocz_array(p->context_count, sizeof(VlcState)); + if (!p->vlc_state) + return AVERROR(ENOMEM); + for (i = 0; i < p->context_count; i++) { + p->vlc_state[i].error_sum = 4; + p->vlc_state[i].count = 1; + } + } } } From 1bb7529ac2eda7d3b7ffffeb20ec477d4440b944 Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Thu, 29 Oct 2015 09:11:37 +0100 Subject: [PATCH 0768/1352] avutil/file_open: avoid file handle inheritance on Windows Avoids inheritance of file handles on Windows systems similar to the O_CLOEXEC/FD_CLOEXEC flag on Linux. Fixes file lock issues in Windows applications when a child process is started with handle inheritance enabled (standard input/output redirection) while a FFmpeg transcoding is running in the parent process. Links relevant to the subject: https://msdn.microsoft.com/en-us/library/w7sa2b22.aspx Describes the _wsopen() function and the O_NOINHERIT flag. File handles opened by _wsopen() are inheritable by default. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx Describes handle inheritance when creating new processes. Handle inheritance must be enabled (bInheritHandles = TRUE) e.g. when you want to pass handles for stdin/stdout via lpStartupInfo. Signed-off-by: Tobias Rapp Signed-off-by: Michael Niedermayer (cherry picked from commit 474665346616e446ecd1407002fdf5f88201bf72) 
Signed-off-by: Michael Niedermayer --- libavutil/file_open.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavutil/file_open.c b/libavutil/file_open.c index f3164ebe68..619dc571f7 100644 --- a/libavutil/file_open.c +++ b/libavutil/file_open.c @@ -82,6 +82,9 @@ int avpriv_open(const char *filename, int flags, ...) #ifdef O_CLOEXEC flags |= O_CLOEXEC; #endif +#ifdef O_NOINHERIT + flags |= O_NOINHERIT; +#endif fd = open(filename, flags, mode); #if HAVE_FCNTL From 2f89546333b53e626d710cde357f0d13ea450474 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2015 18:08:52 +0100 Subject: [PATCH 0769/1352] avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg Fixes out of array access Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d24888ef19ba38b787b11d1ee091a3d94920c76a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 4a7862520c..5cea6a61e1 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1044,7 +1044,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, dc = mjpeg_decode_dc(s, s->dc_index[i]); if(dc == 0xFFFFF) return -1; - if(bits<=8){ + if ( h * mb_x + x >= s->width + || v * mb_y + y >= s->height) { + // Nothing to do + } else if (bits<=8) { ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap if(y==0 && toprow){ if(x==0 && leftcol){ 
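Review bot: The new guard in ljpeg_decode_yuv_scan() compares the component position `h * mb_x + x` and `v * mb_y + y` against the frame dimensions `s->width` and `s->height`, while the write goes to `s->picture_ptr->data[c]`. If a component's plane can be smaller than the frame (subsampled chroma), the frame-sized bound would not be tight for that plane, so it is worth confirming against how the planes are allocated. The same condition with an empty `// Nothing to do` branch is repeated in the hunk at -1112; a small static predicate would keep the two copies in sync. A comment such as `/* DC is still decoded above to keep the bitstream position in step */` would explain why the sample is skipped rather than treated as an error. The function continues outside both hunks.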
@@ -1112,7 +1115,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, dc = mjpeg_decode_dc(s, s->dc_index[i]); if(dc == 0xFFFFF) return -1; - if(bits<=8){ + if ( h * mb_x + x >= s->width + || v * mb_y + y >= s->height) { + // Nothing to do + } else if (bits<=8) { ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap From 5d9bee34f9ae5fae996defda0fd9ccd1ca2b1f9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2015 21:27:04 +0100 Subject: [PATCH 0770/1352] avcodec/mjpegdec: Reinitialize IDCT on BPP changes Fixes misaligned access Fixes: dc9262a469f6f315f74c087a7b3a7f35/signal_sigsegv_2e95bcd_9_9c0f9f4a9ba82aa9b3ab2b91ce4d5277.jpg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cc35f6f4768ffe57cc4fcfa56ecb89aee409e3d5) Conflicts: libavcodec/mjpegdec.c (cherry picked from commit f82c4777ee7a319fe2aa36f413a61943313b4abc) --- libavcodec/mjpegdec.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5cea6a61e1..59cbd25a6e 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -96,6 +96,15 @@ static void parse_avid(MJpegDecodeContext *s, uint8_t *buf, int len) av_log(s->avctx, AV_LOG_INFO, "AVID: len:%d %d\n", len, len > 14 ? buf[12] : -1); } +static void init_idct(AVCodecContext *avctx) +{ + MJpegDecodeContext *s = avctx->priv_data; + + ff_idctdsp_init(&s->idsp, avctx); + ff_init_scantable(s->idsp.idct_permutation, &s->scantable, + ff_zigzag_direct); +} + av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx) { MJpegDecodeContext *s = avctx->priv_data; 
@@ -110,9 +119,7 @@ av_cold int ff_mjpeg_decode_init(AVCodecContext *avctx) s->avctx = avctx; ff_blockdsp_init(&s->bdsp, avctx); ff_hpeldsp_init(&s->hdsp, avctx->flags); - ff_idctdsp_init(&s->idsp, avctx); - ff_init_scantable(s->idsp.idct_permutation, &s->scantable, - ff_zigzag_direct); + init_idct(avctx); s->buffer_size = 0; s->buffer = NULL; s->start_code = -1; @@ -254,9 +261,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->avctx->bits_per_raw_sample = bits = get_bits(&s->gb, 8); + if (s->avctx->bits_per_raw_sample != bits) { + av_log(s->avctx, AV_LOG_INFO, "Changeing bps to %d\n", bits); + s->avctx->bits_per_raw_sample = bits; + init_idct(s->avctx); + } if (s->pegasus_rct) bits = 9; if (bits == 9 && !s->pegasus_rct) From fe191124a9cabdd77b22f1a157583f8c7b4b34c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 00:36:59 +0100 Subject: [PATCH 0771/1352] avcodec/ffv1dec: Check for 0 quant tables Fixes assertion failure Fixes: 07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 5d06594657..72afa253db 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -567,7 +567,7 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) return AVERROR_INVALIDDATA; for (i = 0; i < f->quant_table_count; i++) { From 51ac1ce9668f6918593b0a937b9b98713f29e2e4 Mon Sep 17 00:00:00 2001 
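Review bot: In ff_mjpeg_decode_sof(), `init_idct()` is now called with a `bits` value taken straight from the bitstream, before the range checks that follow (`if (bits == 9 && !s->pegasus_rct)` and whatever comes after the hunk). If the header is later rejected, `bits_per_raw_sample` keeps the unsupported depth and the IDCT has already been re-initialised for it; moving the block below the validation would avoid that. The log string also has a typo and should read `"Changing bps to %d\n"`. Because the message is triggered by input data, `AV_LOG_DEBUG` may be a better level than `AV_LOG_INFO`.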
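Review bot: In read_extra_header(), `f->quant_table_count` is assigned from the bitstream before it is validated, so when the extended check returns AVERROR_INVALIDDATA the context keeps the rejected value (zero, or something above MAX_QUANT_TABLES). Whether anything reads the field after a failed header is not visible in this hunk, but storing only validated values removes the question: `unsigned n = get_symbol(c, state, 0);`, `if (!n || n > MAX_QUANT_TABLES) return AVERROR_INVALIDDATA;`, `f->quant_table_count = n;`. The unsigned local also rejects a negative return from get_symbol().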
From: Michael Niedermayer Date: Thu, 5 Nov 2015 19:24:33 +0100 Subject: [PATCH 0772/1352] libavutil/channel_layout: Check strtol*() for failure Fixes assertion failure Fixes: 4f5814bb15d2dda6fc18ef9791b13816/signal_sigabrt_7ffff6ae7cc9_65_7209d160d168b76f311be6cd64a548eb.wv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c9bfd6a8c35a2102e730aca12f6e09d1627f76b3) Conflicts: libavutil/channel_layout.c --- libavutil/channel_layout.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c index cd5cf426d4..45249c4367 100644 --- a/libavutil/channel_layout.c +++ b/libavutil/channel_layout.c @@ -125,6 +125,8 @@ static uint64_t get_channel_layout_single(const char *name, int name_len) strlen(channel_names[i].name) == name_len && !memcmp(channel_names[i].name, name, name_len)) return (int64_t)1 << i; + + errno = 0; i = strtol(name, &end, 10); #if FF_API_GET_CHANNEL_LAYOUT_COMPAT @@ -143,14 +145,15 @@ static uint64_t get_channel_layout_single(const char *name, int name_len) } } else { #endif - if ((end + 1 - name == name_len && *end == 'c')) + if (!errno && (end + 1 - name == name_len && *end == 'c')) return av_get_default_channel_layout(i); #if FF_API_GET_CHANNEL_LAYOUT_COMPAT } #endif + errno = 0; layout = strtoll(name, &end, 0); - if (end - name == name_len) + if (!errno && end - name == name_len) return FFMAX(layout, 0); return 0; } From a3ff74c872ab7fe1e7a9ad32b2622d4aa18aea50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 02:11:01 +0100 Subject: [PATCH 0773/1352] avformat/xmv: factor return check out of if/else Signed-off-by: Michael Niedermayer (cherry picked from commit 9b6fac11da470274d4b93d46ef66527aa1824179) Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) 
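Review bot: In get_channel_layout_single(), the added `errno` test only catches values outside the range of long; the result is then stored in `i`, which appears to be an int (its declaration is outside the hunk). On platforms with a 64-bit long, a value above INT_MAX would be truncated without setting errno before reaching `av_get_default_channel_layout(i)`. Parsing into a long and range-checking it closes that gap: `long n = strtol(name, &end, 10);` and `if (!errno && n >= 0 && n <= INT_MAX && end + 1 - name == name_len && *end == 'c')`. The hunks do not show the includes, so also confirm that `<errno.h>` is pulled in for this file.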
diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 6eac4d21e8..cee2c806de 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -547,16 +547,14 @@ static int xmv_read_packet(AVFormatContext *s, /* Fetch a video frame */ result = xmv_fetch_video_packet(s, pkt); - if (result) - return result; - } else { /* Fetch an audio frame */ result = xmv_fetch_audio_packet(s, pkt, xmv->current_stream - 1); - if (result) - return result; } + if (result) + return result; + /* Increase our counters */ if (++xmv->current_stream >= xmv->stream_count) { From 76950e5247334dee45bdc73af7a2f134fea4da02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 02:13:36 +0100 Subject: [PATCH 0774/1352] avformat/xmv: Discard remainder of packet on error Fixes infinite loop Fixes: 9c48ae2680c5f23bca3d20ff0f325fd8/asan_generic_4c254d_1374_993f1e5967dd6f844b8d72f978ce2a6c.pss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 79c4a338e4b2bf0bc6f81c9f455994f673a92f78) Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index cee2c806de..1410bff8ee 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -552,8 +552,11 @@ static int xmv_read_packet(AVFormatContext *s, result = xmv_fetch_audio_packet(s, pkt, xmv->current_stream - 1); } - if (result) + if (result) { + xmv->current_stream = 0; + xmv->video.current_frame = xmv->video.frame_count; return result; + } /* Increase our counters */ From 7ce70e6914bf78759669a005e644d2d9013b925e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 21:58:42 +0100 Subject: [PATCH 0775/1352] avcodec/dirac_parser: Fix undefined memcpy() use Fixes: 9d375e415486edd1a0c826f2307d89a4/asan_generic_4a5159_1577_faa333e83dacdd9e4dd322380aeed537.iss Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Michael Niedermayer (cherry picked from commit daefd8ab2f2aeb90cd53cb75445faffdc7a3cc79) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 4119e3b660..654f0b4c97 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -123,7 +123,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, DiracParseContext *pc = s->priv_data; if (pc->overread_index) { - memcpy(pc->buffer, pc->buffer + pc->overread_index, + memmove(pc->buffer, pc->buffer + pc->overread_index, pc->index - pc->overread_index); pc->index -= pc->overread_index; pc->overread_index = 0; From c15f5068ca830ff35787aa3943bc14da474deece Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Nov 2015 22:24:23 +0100 Subject: [PATCH 0776/1352] avcodec/microdvddec: Check for string end in 'P' case Fixes out of array read Fixes: a9502b60f4cecc19475382aee255f73c/asan_heap-oob_1e87fba_2548_a8ad47f6dde36644fe9cdc444d4632d0.sub Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c719cd6cf79ec21d974b81ba874580f4b8e9eb90) Signed-off-by: Michael Niedermayer --- libavcodec/microdvddec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/microdvddec.c b/libavcodec/microdvddec.c index f3c640f932..3780fe28b5 100644 --- a/libavcodec/microdvddec.c +++ b/libavcodec/microdvddec.c @@ -148,6 +148,8 @@ static char *microdvd_load_tags(struct microdvd_tag *tags, char *s) /* Position */ case 'P': + if (!*s) + break; tag.persistent = MICRODVD_PERSISTENT_ON; tag.data1 = (*s++ == '1'); if (*s != '}') From d73a8ae70f15d4c9145c20db709f4b06b0a8e835 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 7 Nov 2015 02:16:11 +0100 Subject: [PATCH 0777/1352] avcodec/jpeg2000dec: Clip all tile coordinates Fixes out of array access Fixes: b877a6b788a25c70e8b1d014f8628549/asan_heap-oob_1da2c3f_2324_5a1b329b0b3c4bb6b1d775660ac56717.r3d Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 43492ff3ab68a343c1264801baa1d5a02de10167) Conflicts: libavcodec/jpeg2000dec.c --- libavcodec/jpeg2000dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 30e069e76f..eac3661a17 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -684,10 +684,10 @@ static int init_tile(Jpeg2000DecoderContext *s, int tileno) Jpeg2000QuantStyle *qntsty = tile->qntsty + compno; int ret; // global bandno - comp->coord_o[0][0] = FFMAX(tilex * s->tile_width + s->tile_offset_x, s->image_offset_x); - comp->coord_o[0][1] = FFMIN((tilex + 1) * s->tile_width + s->tile_offset_x, s->width); - comp->coord_o[1][0] = FFMAX(tiley * s->tile_height + s->tile_offset_y, s->image_offset_y); - comp->coord_o[1][1] = FFMIN((tiley + 1) * s->tile_height + s->tile_offset_y, s->height); + comp->coord_o[0][0] = av_clip(tilex * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[0][1] = av_clip((tilex + 1) * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[1][0] = av_clip(tiley * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); + comp->coord_o[1][1] = av_clip((tiley + 1) * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); comp->coord[0][0] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][0], s->reduction_factor); comp->coord[0][1] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][1], s->reduction_factor); From ac302efb9151addfc9d45495d56592ba6fd384b2 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 14 Nov 2015 00:51:56 +0100 Subject: [PATCH 0778/1352] avcodec/jpeg2000dec: Check for duplicate SIZ marker Fixes: 0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 44a7f17d0b20e6f8d836b2957e3e357b639f19a2) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index eac3661a17..83154c729b 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1403,6 +1403,7 @@ static void jpeg2000_dec_cleanup(Jpeg2000DecoderContext *s) memset(s->codsty, 0, sizeof(s->codsty)); memset(s->qntsty, 0, sizeof(s->qntsty)); s->numXtiles = s->numYtiles = 0; + s->ncomponents = 0; } static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s) @@ -1457,6 +1458,10 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s) switch (marker) { case JPEG2000_SIZ: + if (s->ncomponents) { + av_log(s->avctx, AV_LOG_ERROR, "Duplicate SIZ\n"); + return AVERROR_INVALIDDATA; + } ret = get_siz(s); if (!s->tile) s->numXtiles = s->numYtiles = 0; From 00dc345a83b882e3e86b76d37c11d8ad1257609b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 01:35:08 +0100 Subject: [PATCH 0779/1352] avcodec/utils: Better check for channels in av_get_audio_frame_duration() Fixes integer overflow Fixes: 0c2625f236ced104d402b4a03c0d65c7/asan_generic_274e1ce_5990_9314e7a67c26aecf011b178ade9f217c.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4e16ad2868a1819de6680fc355a8eb20164adaea) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 0901e75d85..d249507c5f 100644 
--- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3263,7 +3263,7 @@ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) return frame_bytes * 8 / bps; } - if (ch > 0) { + if (ch > 0 && ch < INT_MAX/16) { /* calc from frame_bytes and channels */ switch (id) { case AV_CODEC_ID_ADPCM_AFC: From f68ff799eb00ec7f38e983c7fbe60c7ff948e401 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 02:36:22 +0100 Subject: [PATCH 0780/1352] avcodec/ivi: Check image dimensions Fixes integer overflow Fixes: 1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit df91aa034b82b77a3c4e01791f4a2b2ff6c82066) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 379508123f..80b0676287 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -30,6 +30,7 @@ #define BITSTREAM_READER_LE #include "libavutil/attributes.h" +#include "libavutil/imgutils.h" #include "libavutil/timer.h" #include "avcodec.h" #include "get_bits.h" @@ -310,7 +311,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg, ivi_free_buffers(planes); - if (cfg->pic_width < 1 || cfg->pic_height < 1 || + if (av_image_check_size(cfg->pic_width, cfg->pic_height, 0, NULL) < 0 || cfg->luma_bands < 1 || cfg->chroma_bands < 1) return AVERROR_INVALIDDATA; From 52d332b044eb5f10a1346fa77964ae331a0ff7d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 13:34:02 +0100 Subject: [PATCH 0781/1352] avcodec/flashsv: Check size before updating it Fixes out of array read Fixes: 3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
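Review bot: In `av_get_audio_frame_duration()` (libavcodec/utils.c) the new bound `ch < INT_MAX/16` is an unexplained magic number: nothing in the hunk says which multiplication in the `switch (id)` below it is meant to cover. The switch body lies outside the hunk, so it cannot be confirmed from here that 16 is the largest per-channel factor, nor that `frame_bytes` cannot push a product past `INT_MAX` on its own. A comment such as `/* largest per-channel multiplier in the cases below is 16 */` would tie the limit to the code it protects, if that is indeed the reason.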
Signed-off-by: Michael Niedermayer (cherry picked from commit 17705f5d4f57c15f9b9bb9cfcbbb4621fed2fc70) Signed-off-by: Michael Niedermayer --- libavcodec/flashsv.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index 8791a2d750..f777f24e19 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -413,6 +413,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } if (has_diff) { + if (size < 3) { + av_log(avctx, AV_LOG_ERROR, "size too small for diff\n"); + return AVERROR_INVALIDDATA; + } if (!s->keyframe) { av_log(avctx, AV_LOG_ERROR, "Inter frame without keyframe\n"); @@ -440,6 +444,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, int row = get_bits(&gb, 8); av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n", i, j, col, row); + if (size < 3) { + av_log(avctx, AV_LOG_ERROR, "size too small for zlibprime_curr\n"); + return AVERROR_INVALIDDATA; + } size -= 2; avpriv_request_sample(avctx, "zlibprime_curr"); return AVERROR_PATCHWELCOME; From 99e080ec38eec8e8e0ca3b404d86c4526ed57d74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 14:29:02 +0100 Subject: [PATCH 0782/1352] avcodec/dpx: Move need_align to act per line Fixes out of array read Fixes: 61cf123c081ee2bb774d307c75bdb99e/asan_heap-oob_1224f76_5546_bee833ffae73f752b489b9eeaac52db7.dpx Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c8aaae8e0f1519bc99bd717ea3067c9cfdb68def) Signed-off-by: Michael Niedermayer --- libavcodec/dpx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index 5d8c4f3341..02aa779300 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c 
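Review bot: In the second flashsv.c hunk of `flashsv_decode_frame()` the new `size < 3` test sits after `int row = get_bits(&gb, 8);` (and presumably after the matching `col` read just above the context), so the bytes are consumed before the remaining size is validated. Validation should precede the reads, i.e. the `if (size < 3) { ... return AVERROR_INVALIDDATA; }` block belongs above the `get_bits()` calls. As placed, the branch returns `AVERROR_PATCHWELCOME` right after `size -= 2`, so the check only changes which error code comes back. The function body continues outside both hunks.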
@@ -334,11 +334,11 @@ static int decode_frame(AVCodecContext *avctx, // For 12 bit, ignore alpha if (elements == 4) buf += 2; - // Jump to next aligned position - buf += need_align; } for (i = 0; i < 3; i++) ptr[i] += p->linesize[i]; + // Jump to next aligned position + buf += need_align; } break; case 16: From 3879202d68ce327416806f650f3d8bf63a4cd83a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2015 21:11:52 +0100 Subject: [PATCH 0783/1352] avcodec/error_resilience: avoid accessing previous or next frames tables beyond height The height of tables can be rounded up for MBAFF but this does not imply that is also true for the previous frames Fixes out of array reads Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a105f52855d08e4ab1ed7306da8e32fc90d6d647) Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 2ba4a68a98..1210eb0b48 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c 
@@ -377,14 +377,19 @@ static void guess_mv(ERContext *s) #define MV_UNCHANGED 1 const int mb_stride = s->mb_stride; const int mb_width = s->mb_width; - const int mb_height = s->mb_height; + int mb_height = s->mb_height; int i, depth, num_avail; int mb_x, mb_y, mot_step, mot_stride; + if (s->last_pic.f && s->last_pic.f->data[0]) + mb_height = FFMIN(mb_height, (s->last_pic.f->height+15)>>4); + if (s->next_pic.f && s->next_pic.f->data[0]) + mb_height = FFMIN(mb_height, (s->next_pic.f->height+15)>>4); + set_mv_strides(s, &mot_step, &mot_stride); num_avail = 0; - for (i = 0; i < s->mb_num; i++) { + for (i = 0; i < mb_width * mb_height; i++) { const int mb_xy = s->mb_index2xy[i]; int f = 0; int error = s->error_status_table[mb_xy]; @@ -409,7 +414,7 @@ static void guess_mv(ERContext *s) if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) || num_avail <= mb_width / 2) { - for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; int mv_dir = (s->last_pic.f && s->last_pic.f->data[0]) ? MV_DIR_FORWARD : MV_DIR_BACKWARD; @@ -438,7 +443,7 @@ static void guess_mv(ERContext *s) int score_sum = 0; changed = 0; - for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; int mv_predictor[8][2] = { { 0 } }; @@ -671,7 +676,7 @@ skip_last_mv: if (none_left) return; - for (i = 0; i < s->mb_num; i++) { + for (i = 0; i < mb_width * mb_height; i++) { int mb_xy = s->mb_index2xy[i]; if (fixed[mb_xy]) fixed[mb_xy] = MV_FROZEN; From 0814b140b1d7d6d324cb76b863b9cbc8f62abd58 Mon Sep 17 00:00:00 2001 
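Review bot: In `guess_mv()` the clamp of `mb_height` to the previous and next pictures carries no comment, and the function now mixes the clamped local with unclamped context fields. The two scan loops were changed to `mb_width * mb_height` and the row loops to `mb_height`, but the inner loops in the same hunks still read `s->mb_width`, and any remaining `s->mb_height` or `s->mb_num` use between the hunks would bypass the clamp; that part is not visible here. A comment above the two `FFMIN` lines, e.g. `/* reference frames may be shorter than the rounded-up table height; never index rows they do not have */`, together with using the locals consistently, would make the invariant checkable.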
From: Michael Niedermayer Date: Sun, 15 Nov 2015 00:25:11 +0100 Subject: [PATCH 0784/1352] avcodec/dxtory: Fix input size check in dxtory_decode_v1_420() Fixes out of array read Fixes: c50c4aa6cefda71b19a31ea12302980c/asan_heap-oob_12be5fd_7011_33ebd015a74976215934add72b9c8352.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9caa9414ccf2dcf8aee2695377dee830a5024c82) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 5e32107756..b89a45ff63 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -108,7 +108,7 @@ static int dxtory_decode_v1_420(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 3LL / 2) { + if (src_size < FFALIGN(avctx->width, 2) * FFALIGN(avctx->height, 2) * 3LL / 2) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } From 6ba69f60ecb6693074bc7abcad67851a17e36c44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 00:25:11 +0100 Subject: [PATCH 0785/1352] avcodec/dxtory: Fix input size check in dxtory_decode_v1_410() Fixes potential out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 76b6f4b7d91901929177cc61d9810dcca0bb40c1) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index b89a45ff63..a103eaa064 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c 
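Review bot: In `dxtory_decode_v1_420()` the size expression `FFALIGN(avctx->width, 2) * FFALIGN(avctx->height, 2) * 3LL / 2` still multiplies the two aligned dimensions as `int` and widens only at `* 3LL`, so the 64-bit arithmetic does not cover the width-by-height product. Widening the first operand keeps the whole expression in 64 bits: `if (src_size < FFALIGN(avctx->width, 2) * (int64_t)FFALIGN(avctx->height, 2) * 3 / 2) {`. The same pattern is in the `dxtory_decode_v1_410()` hunk of the following patch (`... * 9LL / 8`). Whether the `int` product can actually overflow depends on the dimension limits enforced outside these hunks.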
@@ -65,7 +65,7 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, AVFrame *pic, uint8_t *Y1, *Y2, *Y3, *Y4, *U, *V; int ret; - if (src_size < avctx->width * avctx->height * 9LL / 8) { + if (src_size < FFALIGN(avctx->width, 4) * FFALIGN(avctx->height, 4) * 9LL / 8) { av_log(avctx, AV_LOG_ERROR, "packet too small\n"); return AVERROR_INVALIDDATA; } From 9356635e761a17a76f11c4adcfdd504d1e031a2d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 01:22:31 +0100 Subject: [PATCH 0786/1352] avcodec/takdec: Skip last p2 sample (which is unused) Fixes out of array read Fixes: cb3f38b08b4541523974667c7d1eee9e/asan_heap-oob_2659e18_9838_021fd5cd635bf76cede6398cd9ecbcdd.tak Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 08b520636e96ba6888b669b9b3f4c414631ea1d2) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 0e29c6283e..0b1484958e 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -632,7 +632,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) for (; length2 > 0; length2 -= tmp) { tmp = FFMIN(length2, x); - for (i = 0; i < tmp; i++) + for (i = 0; i < tmp - (tmp == length2); i++) s->residues[filter_order + i] = *p2++ >> dshift; for (i = 0; i < tmp; i++) { From 3449b47dc548fdc91ee46c6e3de04ad8b6b3d045 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 14:52:08 +0100 Subject: [PATCH 0787/1352] avcodec/smacker: Check that the data size is a multiple of a sample vector Fixes out of array access Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4a9af07a49295e014b059c1ab624c40345af5892) 
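Review bot: In `decorrelate()` (libavcodec/takdec.c) the new loop bound `tmp - (tmp == length2)` is only correct if the last `p2` sample is never consumed by the loop that follows, and the code gives no hint of that. The commit message says the sample is unused, but the line itself reads like an off-by-one; a comment above the loop, e.g. `/* the final p2 sample of the last block is not used below, do not read it */`, would keep a later reader from "fixing" it back. The second loop still runs to `tmp`, so on the last block `s->residues[filter_order + tmp - 1]` keeps whatever value it held before; that looks intended but is worth stating. The function body extends beyond the hunk.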
Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 518bdad3ec..bdabe7fecb 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -667,6 +667,10 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, /* get output buffer */ frame->nb_samples = unp_size / (avctx->channels * (bits + 1)); + if (unp_size % (avctx->channels * (bits + 1))) { + av_log(avctx, AV_LOG_ERROR, "unp_size %d is odd\n", unp_size); + return AVERROR(EINVAL); + } if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; samples = (int16_t *)frame->data[0]; From dccb80dd50eedc4a5d95b56dd30144ee9e576d88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 18:18:40 +0100 Subject: [PATCH 0788/1352] avcodec/wmaprodec: Check for overread in decode_packet() Fixes assertion failure Fixes: 0256e92df2df7e933b43a2c70e4c8040/signal_sigabrt_7ffff6ae7cc9_1358_999ac18684788221490757582ce9af84.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7ad698e24e6b9dde57c4e01c145bcddfe9d6e4a3) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 56d6d32831..f32e4c2931 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1619,6 +1619,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, s->packet_done = 1; } + if (remaining_bits(s, gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb)); + s->packet_loss = 1; + } + if (s->packet_done && !s->packet_loss && remaining_bits(s, gb) > 0) { /** save the rest of the data so that it can be decoded From aa780a52717eda9476fcda4a6c68e781974ad7c2 Mon Sep 17 00:00:00 2001 
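Review bot: In `smka_decode_frame()` the new rejection logs `"unp_size %d is odd"` and returns `AVERROR(EINVAL)`, but the test is `unp_size % (avctx->channels * (bits + 1))`, which checks for a multiple of the sample vector, and the cause is malformed input rather than a bad caller argument. The other input checks on this page return `AVERROR_INVALIDDATA`; that would fit here too, with a message like `"unp_size %d is not a multiple of the sample vector size\n"`. The test also runs after `frame->nb_samples` has been computed with the same divisor, so placing it first would keep validation ahead of use. The function continues outside the hunk.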
From: Michael Niedermayer Date: Sun, 15 Nov 2015 20:03:39 +0100 Subject: [PATCH 0789/1352] avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component() Signed-off-by: Michael Niedermayer (cherry picked from commit 016fd413f9168816924f21c0c1ffb578f7226221) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index ede1a791c8..6b60e3de68 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -28,6 +28,7 @@ #include "libavutil/attributes.h" #include "libavutil/avassert.h" #include "libavutil/common.h" +#include "libavutil/imgutils.h" #include "libavutil/mem.h" #include "avcodec.h" #include "jpeg2000.h" @@ -210,7 +211,10 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, codsty->nreslevels2decode - 1, codsty->transform)) return ret; - // component size comp->coord is uint16_t so ir cannot overflow + + if (av_image_check_size(comp->coord[0][1] - comp->coord[0][0], + comp->coord[1][1] - comp->coord[1][0], 0, avctx)) + return AVERROR_INVALIDDATA; csize = (comp->coord[0][1] - comp->coord[0][0]) * (comp->coord[1][1] - comp->coord[1][0]); From 9aa4b9c2a3427c5c7893143d319e5cbe3fdd57e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 20:49:17 +0100 Subject: [PATCH 0790/1352] avcodec/jpeg2000: Check comp coords to be within the supported size Fixes assertion failure Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi This fix is choosen to be simple to backport, better solution for master is planed Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a1a8cbcb35ef2759a66b4f0875785e4b3f277057) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index 6b60e3de68..4312f8187b 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -217,6 +217,11 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, return AVERROR_INVALIDDATA; csize = (comp->coord[0][1] - comp->coord[0][0]) * (comp->coord[1][1] - comp->coord[1][0]); + if (comp->coord[0][1] > 32768 || + comp->coord[1][1] > 32768) { + av_log(avctx, AV_LOG_ERROR, "component size too large\n"); + return AVERROR_PATCHWELCOME; + } if (codsty->transform == FF_DWT97) { comp->i_data = NULL; From 50870dd3de5c69f90a95ca7f5d8eeaffe1b675ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Nov 2015 21:12:50 +0100 Subject: [PATCH 0791/1352] avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range Fixes potential integer overflows Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi This fix is choosen to be simple to backport, better solution for master is planed Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 6ef819c40bcc2175edba7ce9e20c3036c01b36b9) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 83154c729b..ab34df0187 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -250,6 +250,10 @@ static int get_siz(Jpeg2000DecoderContext *s) avpriv_request_sample(s->avctx, "Support for image offsets"); return AVERROR_PATCHWELCOME; } + if (s->width > 32768U || s->height > 32768U) { + avpriv_request_sample(s->avctx, "Large Dimensions"); + return AVERROR_PATCHWELCOME; + } if (ncomponents <= 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of components: %d\n", From f1058efc8160affedc90abd75245d6d96d9aa0e9 Mon Sep 17 00:00:00 2001 
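Review bot: In `ff_jpeg2000_init_component()` the new `comp->coord[0][1] > 32768 || comp->coord[1][1] > 32768` test is placed after `csize` has already been computed from those coordinates; moving it above the `csize = ...` statement would reject oversized components before any arithmetic uses them. The literal 32768 is also repeated in the `get_siz()` hunk of the next patch (`s->width > 32768U || s->height > 32768U`), so the two limits can drift apart. A shared constant in jpeg2000.h would keep them in step, for example `#define JPEG2000_MAX_DIMENSION 32768` (name constructed for illustration). Both functions extend beyond their hunks.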
From: Michael Niedermayer Date: Sun, 15 Nov 2015 21:17:05 +0100 Subject: [PATCH 0792/1352] avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions Signed-off-by: Michael Niedermayer (cherry picked from commit 65d3359fb366ea265a8468d76a111cb7352f0b55) Conflicts: libavcodec/jpeg2000dec.c --- libavcodec/jpeg2000dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index ab34df0187..ee4f1955ea 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -688,10 +688,10 @@ static int init_tile(Jpeg2000DecoderContext *s, int tileno) Jpeg2000QuantStyle *qntsty = tile->qntsty + compno; int ret; // global bandno - comp->coord_o[0][0] = av_clip(tilex * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); - comp->coord_o[0][1] = av_clip((tilex + 1) * s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); - comp->coord_o[1][0] = av_clip(tiley * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); - comp->coord_o[1][1] = av_clip((tiley + 1) * s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); + comp->coord_o[0][0] = av_clip(tilex * (int64_t)s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[0][1] = av_clip((tilex + 1) * (int64_t)s->tile_width + s->tile_offset_x, s->image_offset_x, s->width); + comp->coord_o[1][0] = av_clip(tiley * (int64_t)s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); + comp->coord_o[1][1] = av_clip((tiley + 1) * (int64_t)s->tile_height + s->tile_offset_y, s->image_offset_y, s->height); comp->coord[0][0] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][0], s->reduction_factor); comp->coord[0][1] = ff_jpeg2000_ceildivpow2(comp->coord_o[0][1], s->reduction_factor); From 3cef69c576c584e9f7ce7183c58276a5c4c9a859 Mon Sep 17 00:00:00 2001 
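Review bot: In `init_tile()` the `(int64_t)` casts make the tile products 64-bit, but the result is passed straight to `av_clip()`, whose parameters are `int`, so the value is narrowed before it is clipped. A product above `INT_MAX` would first be converted to an unrelated `int` and could land inside `[s->image_offset_x, s->width]`. `av_clip64()` clips in 64 bits and the clipped result then fits `coord_o`: `comp->coord_o[0][0] = av_clip64(tilex * (int64_t)s->tile_width + s->tile_offset_x, s->image_offset_x, s->width);`, likewise for the other three assignments. Whether such values are reachable depends on the tile-size validation in `get_siz()`, which is outside this hunk.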
From: Michael Niedermayer Date: Sun, 15 Nov 2015 23:41:14 +0100 Subject: [PATCH 0793/1352] avformat/utils: Do not init parser if probing is unfinished Fixes assertion failure Fixes: 136f8b8d47af7892306625e597dee655/signal_sigabrt_7ffff6ae7cc9_8941_ab11bea57c84796418f481f873dc31ba.dvr_ms Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1ef336e912a7a3a13a9933825a56c421f891e44b) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index d93f43452e..4ce97cca92 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2998,7 +2998,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) st->codec->time_base = st->time_base; } // only for the split stuff - if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE)) { + if (!st->parser && !(ic->flags & AVFMT_FLAG_NOPARSE) && st->request_probe <= 0) { st->parser = av_parser_init(st->codec->codec_id); if (st->parser) { if (st->need_parsing == AVSTREAM_PARSE_HEADERS) { From 75fa9c0b39f1eb3fe12c940dadd0b09d74b38042 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Nov 2015 18:19:01 +0100 Subject: [PATCH 0794/1352] avformat/matroskadec: Check subtitle stream before dereferencing Unrecognized streams are not allocated Fixes: flicker-1.color1.vp91447030769.08.webm Found-by: Chris Cunningham Signed-off-by: Michael Niedermayer (cherry picked from commit a5034b324cad4c29d47ef285a30b0705e6eb0384) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2d64dc079f..9917b04876 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -2967,6 +2967,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, tracks[i].audio.buf_timecode = AV_NOPTS_VALUE; tracks[i].end_timecode = 0; if (tracks[i].type == MATROSKA_TRACK_TYPE_SUBTITLE && + tracks[i].stream && tracks[i].stream->discard != AVDISCARD_ALL) { index_sub = av_index_search_timestamp( tracks[i].stream, st->index_entries[index].timestamp, From 65d6748d9e42a868825901473bd228e32faf32ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Nov 2015 21:42:02 +0200 Subject: [PATCH 0795/1352] rtmpcrypt: Do the xtea decryption in little endian mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The XTEA algorithm operates on 32 bit numbers, not on byte sequences. The XTEA implementation in libavutil is written assuming big endian numbers, while the rtmpe signature encryption assumes little endian. This fixes rtmpe communication with rtmpe servers that use signature type 8 (XTEA), e.g. crunchyroll. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit e7728319b92dbb4fb949155e33de7ff5358ddff3) Signed-off-by: Michael Niedermayer --- libavformat/rtmpcrypt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/rtmpcrypt.c b/libavformat/rtmpcrypt.c index 2312527d37..fb46449a67 100644 --- a/libavformat/rtmpcrypt.c +++ b/libavformat/rtmpcrypt.c @@ -184,9 +184,14 @@ int ff_rtmpe_compute_secret_key(URLContext *h, const uint8_t *serverdata, static void rtmpe8_sig(const uint8_t *in, uint8_t *out, int key_id) { struct AVXTEA ctx; + uint8_t tmpbuf[8]; av_xtea_init(&ctx, rtmpe8_keys[key_id]); - av_xtea_crypt(&ctx, out, in, 1, NULL, 0); + AV_WB32(tmpbuf, AV_RL32(in)); + AV_WB32(tmpbuf + 4, AV_RL32(in + 4)); + av_xtea_crypt(&ctx, tmpbuf, tmpbuf, 1, NULL, 0); + AV_WL32(out, AV_RB32(tmpbuf)); + AV_WL32(out + 4, AV_RB32(tmpbuf + 4)); } static void rtmpe9_sig(const uint8_t *in, uint8_t *out, int key_id) 
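Review bot: `rtmpe8_sig()` in rtmpcrypt.c now byte-swaps both 32-bit words before and after `av_xtea_crypt()`, and the reason is given only in the commit message. A short comment above the `AV_WB32`/`AV_RL32` pairs would keep the conversion from being removed as redundant, e.g. `/* av_xtea_crypt() treats the block as big-endian words, RTMPE type 8 as little-endian */`. Separately, `key_id` indexes `rtmpe8_keys[]` with no range check in this function; the caller is not part of the hunk, so it is worth confirming that it bounds the value.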
From ee5ba259d12d60c4e67fb0d92b46bd4b16d79eac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 30 Sep 2015 13:10:48 +0200 Subject: [PATCH 0796/1352] avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup The variable is not a constant and can lead to race conditions Fixes: repro.webm (not reproducable with FFmpeg alone) Found-by: Dale Curtis Tested-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit dabea74d0e82ea80cd344f630497cafcb3ef872c) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 9017ab8c5d..b27e5623b5 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -164,7 +164,7 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) s->mb_height = (s->avctx->coded_height + 15) / 16; s->mb_layout = is_vp7 || avctx->active_thread_type == FF_THREAD_SLICE && - FFMIN(s->num_coeff_partitions, avctx->thread_count) > 1; + avctx->thread_count > 1; if (!s->mb_layout) { // Frame threading and one thread s->macroblocks_base = av_mallocz((s->mb_width + s->mb_height * 2 + 1) * sizeof(*s->macroblocks)); From e9ec9be1467972be0a8baa3167cf1f70f1a8c097 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Nov 2015 22:12:37 +0100 Subject: [PATCH 0797/1352] avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized Fixes out of array access Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4ea4d2f438c9a7eba37980c9a87be4b34943e4d5) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 3b50114dc5..f8b152048f 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -1211,6 +1211,7 @@ static int h264_slice_header_init(H264Context *h, int reinit) nb_slices = max_slices; } h->slice_context_count = nb_slices; + h->max_contexts = FFMIN(h->max_contexts, nb_slices); if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) { ret = ff_h264_context_init(h); From e8054a9595fe4b4ffa094be192547a98ad85ae2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 12:11:29 +0100 Subject: [PATCH 0798/1352] avcodec/cabac_functions: Fix "left shift of negative value -31767" Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit a1f6b05f5228979dab0e149deca7a30d22e98af5) Signed-off-by: Michael Niedermayer --- libavcodec/cabac_functions.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 15dba29f8e..4e132535e1 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -74,7 +74,8 @@ static inline void renorm_cabac_decoder_once(CABACContext *c){ #ifndef get_cabac_inline static void refill2(CABACContext *c){ - int i, x; + int i; + unsigned x; x= c->low ^ (c->low-1); i= 7 - ff_h264_norm_shift[x>>(CABAC_BITS-1)]; From 20de3b007bbdcbcced873aa7a5a38ef61a6d00a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 13:37:50 +0100 Subject: [PATCH 0799/1352] avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) 
Signed-off-by: Michael Niedermayer (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8) Conflicts: libavcodec/cabac.h Conflicts: libavcodec/h264_cabac.c libavcodec/h264_slice.c --- libavcodec/cabac.c | 5 ++++- libavcodec/cabac.h | 2 +- libavcodec/cabac_functions.h | 3 ++- libavcodec/h264_cabac.c | 5 ++++- libavcodec/h264_slice.c | 5 ++++- 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index 81a75dd52a..48f70ca30e 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c @@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){ * * @param buf_size size of buf in bits */ -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ c->bytestream_start= c->bytestream= buf; c->bytestream_end= buf + buf_size; @@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ #endif c->low+= ((*c->bytestream++)<<2) + 2; c->range= 0x1FE; + if ((c->range<<(CABAC_BITS+1)) < c->low) + return AVERROR_INVALIDDATA; + return 0; } void ff_init_cabac_states(void) diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h index f9eafed105..857211c9d9 100644 --- a/libavcodec/cabac.h +++ b/libavcodec/cabac.h @@ -56,7 +56,7 @@ typedef struct CABACContext{ }CABACContext; void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size); -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); void ff_init_cabac_states(void); #endif /* AVCODEC_CABAC_H */ diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 4e132535e1..2d1d2a6b89 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h 
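Review bot: `ff_init_cabac_decoder()` in cabac.c now returns an error code, but its doc comment still ends at `@param buf_size` and does not describe the return value, and nothing forces callers to look at it. Adding `@return 0 on success, AVERROR_INVALIDDATA if the initial decoder state is inconsistent` documents the contract. This patch updates `skip_bytes()`, h264_cabac.c and h264_slice.c; any caller outside the patch keeps compiling and silently ignores the result, so marking the prototype in cabac.h with `av_warn_unused_result` would surface them. The existing comment also says `buf_size` is in bits while the code computes `buf + buf_size` as a byte pointer, which suggests bytes.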
@@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) { #endif if ((int) (c->bytestream_end - ptr) < n) return NULL; - ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n); + if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0) + return NULL; return ptr; } diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 1a004a56b0..09995d8200 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1999,6 +1999,7 @@ decode_intra_mb: const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3; const uint8_t *ptr; + int ret; // We assume these blocks are very rare so we do not optimize it. // FIXME The two following lines get the bitstream position in the cabac @@ -2015,7 +2016,9 @@ decode_intra_mb: h->intra_pcm_ptr = ptr; ptr += mb_size; - ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr); + ret = ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr); + if (ret < 0) + return ret; // All blocks are present h->cbp_table[mb_xy] = 0xf7ef; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index f8b152048f..0389094c4e 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -2445,13 +2445,16 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) } if (h->pps.cabac) { + int ret; /* realign */ align_get_bits(&h->gb); /* init cabac */ - ff_init_cabac_decoder(&h->cabac, + ret = ff_init_cabac_decoder(&h->cabac, h->gb.buffer + get_bits_count(&h->gb) / 8, (get_bits_left(&h->gb) + 7) / 8); + if (ret < 0) + return ret; ff_h264_init_cabac_states(h); From 961a1f73e39250e91b2f73a5a32b49a292b539ff Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 27 Nov 2015 18:30:05 +0100 Subject: [PATCH 0800/1352] avcodec/hevc: Check entry_point_offsets Fixes out of array read Fixes: 007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index fbfcb95e30..960573fc25 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2409,7 +2409,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) HEVCLocalContext *lc = s->HEVClc; int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); - int offset; + int64_t offset; int startheader, cmpt = 0; int i, j, res = 0; @@ -2450,6 +2450,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) } if (s->sh.num_entry_point_offsets != 0) { offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] - cmpt; + if (length < offset) { + av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is corrupted\n"); + res = AVERROR_INVALIDDATA; + goto error; + } s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset; s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset; @@ -2476,6 +2481,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) for (i = 0; i <= s->sh.num_entry_point_offsets; i++) res += ret[i]; +error: av_free(ret); av_free(arg); return res; From c44ee37cbd05af48523f7099803924dee757709c Mon Sep 17 00:00:00 2001 
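Review bot: The new guard in `hls_slice_data_wpp` (libavcodec/hevc.c, second hunk) rejects only `length < offset`, so a negative `offset` still passes and makes `length - offset` larger than `length` when it is stored in `s->sh.size[...]`. `offset` is accumulated from `entry_point_offset[...] - cmpt`, and `entry_point_offset` is still declared `int *` at this point in the series, so a negative sum looks reachable from stream data. I would write the test as `if (offset < 0 || length < offset) {`. The bound is applied to the last entry only; the loop that fills the earlier `size`/`offset` entries lies outside the hunk, so I cannot tell whether those are checked.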
From: Michael Niedermayer Date: Fri, 27 Nov 2015 20:52:39 +0100 Subject: [PATCH 0801/1352] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() Fixes out of array access Fixes: 01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 75422280fbcdfbe9dc56bde5525b4d8b280f1bc5) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index ceceda36dc..015a4fec27 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -555,6 +555,9 @@ int ff_dwt_encode(DWTContext *s, void *t) int ff_dwt_decode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch (s->type) { case FF_DWT97: dwt_decode97_float(s, t); From b6932f64343815e988e1f977f0bd099271cb6478 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 21:02:13 +0100 Subject: [PATCH 0802/1352] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() Signed-off-by: Michael Niedermayer (cherry picked from commit feb3f39614b88c113211a98dda1bc2fe5c3c6957) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 015a4fec27..925adea13b 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -540,6 +540,9 @@ int ff_jpeg2000_dwt_init(DWTContext *s, uint16_t border[2][2], int ff_dwt_encode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch(s->type){ case FF_DWT97: dwt_encode97_float(s, t); break; From 453542f14d3c93b24541f25f073fde72d1b42907 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 27 Nov 2015 22:45:46 +0100 Subject: [PATCH 0803/1352] avcodec/hevc_cabac: Fix multiple integer overflows Fixes: 04ec80eefa77aecd7a49a442cc02baea/asan_heap-oob_19544fa_3303_1905796cd9d8e15f86d664332caabc00.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d5028f61e44b7607b6a547f218f7d85217490a5b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 2b3d8c09a3..54b17945af 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -883,11 +883,13 @@ static av_always_inline int mvd_decode(HEVCContext *s) int k = 1; while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { - ret += 1 << k; + ret += 1U << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return 0; + } while (k--) ret += get_cabac_bypass(&s->HEVClc->cc) << k; return get_cabac_bypass_sign(&s->HEVClc->cc, -ret); @@ -1025,8 +1027,10 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; - if (prefix == CABAC_MAX_BIN) + if (prefix == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); + return 0; + } if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); From 02764f12a67129ec89c3de5a0b7b2edf1236bee2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 23:33:03 +0100 Subject: [PATCH 0804/1352] avcodec/hevc: allocate entries unconditionally Fixes out of array access Fixes: 08664a2a7921ef48172f26495c7455be/asan_heap-oob_23036c6_3301_523388ef84285a0270caf67a43247b59.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
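Review bot: In `mvd_decode` and `coeff_abs_level_remaining_decode` (libavcodec/hevc_cabac.c) the added `return 0;` makes a prefix overrun indistinguishable from a legitimately decoded value of 0, because both functions return the decoded value rather than a status. The caller therefore continues on a stream already known to be malformed, and the only trace is the log text `CABAC_MAX_BIN : %d`, which does not say what went wrong. I would add a comment at both returns such as `/* prefix overran CABAC_MAX_BIN: stream is corrupt, 0 is only a placeholder */` and reword the message to name the syntax element. Propagating a real error would need a signature change outside these hunks, and both function bodies continue beyond them.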
Signed-off-by: Michael Niedermayer (cherry picked from commit d85aa76115214183e7e3b7d65e950da61474959a) Signed-off-by: Michael Niedermayer Conflicts: libavcodec/hevc.c --- libavcodec/hevc.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 960573fc25..5c530b71f3 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2413,11 +2413,9 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) int startheader, cmpt = 0; int i, j, res = 0; + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { - ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); - - for (i = 1; i < s->threads_number; i++) { s->sList[i] = av_malloc(sizeof(HEVCContext)); memcpy(s->sList[i], s, sizeof(HEVCContext)); From af3e5bdd0d3277bc555cc8026c169d46e1d08ef2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 00:23:54 +0100 Subject: [PATCH 0805/1352] avcodec/vp3: Clear context on reinitialization failure Fixes null pointer dereference Fixes: 1536b9b096a8f95b742bae9d3d761cc6/signal_sigsegv_294aaed_2039_8d1797aeb823ea43858d0fa45c9eb899.ogv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 6105b7219a90438deae71b0dc5a034c71ee30fc0) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 4a72d0dbbd..c9bc859d8a 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c 
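Review bot: `ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);` in `hls_slice_data_wpp` (libavcodec/hevc.c) now runs on every call and its return value is discarded, so a failure inside it would go unnoticed before the entries are used. The context lines show the same pattern for `s->sList[i] = av_malloc(sizeof(HEVCContext));`, whose result is passed straight to `memcpy` without a NULL test. I would capture the result, `res = ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);` followed by `if (res < 0) goto error;`, assuming the helper reports failure through its return value, and add a NULL check before the `memcpy`. It is also worth confirming that repeated calls release the previous allocation; the helper is not part of this diff.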
@@ -2010,17 +2010,19 @@ static int vp3_decode_frame(AVCodecContext *avctx, vp3_decode_end(avctx); ret = theora_decode_header(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); + } return ret; } else if (type == 2) { ret = theora_decode_tables(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); + } return ret; } From 733510fb65833f3d614804aae6ba0d15fc4d65a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 17:26:05 +0100 Subject: [PATCH 0806/1352] avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() Fixes integer overflow Fixes: 3a45b2ae02f2cf12b7bd99543cdcdae5/asan_heap-oob_1dff502_8022_899f75e1e81046ebd7b6c2394a1419f4.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4f03bebc79f76df3a3e5bb9e1bc32baabfb7797c) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index d249507c5f..71308abee9 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -2960,8 +2960,8 @@ void avcodec_string(char *buf, int buf_size, AVCodecContext *enc, int encode) enc->width, enc->height); if (enc->sample_aspect_ratio.num) { av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den, - enc->width * enc->sample_aspect_ratio.num, - enc->height * enc->sample_aspect_ratio.den, + enc->width * (int64_t)enc->sample_aspect_ratio.num, + enc->height * (int64_t)enc->sample_aspect_ratio.den, 1024 * 1024); snprintf(buf + strlen(buf), buf_size - strlen(buf), " [SAR %d:%d DAR %d:%d]", From 95bdbfe85159b0b6f576ae23e2b758a169ea409a Mon Sep 17 00:00:00 2001 
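Review bot: In `vp3_decode_frame` (libavcodec/vp3.c) the failure branch calls `vp3_decode_end(avctx)` on a context that, in the first branch, was already torn down by the `vp3_decode_end(avctx);` call just above, and that may be half-initialised when `vp3_decode_init` itself is what failed. That is safe only if `vp3_decode_end` is idempotent and tolerates partially set-up state, which the hunk does not show. I would state the requirement where it is relied on, e.g. `/* leave the context fully cleared; vp3_decode_end() must be safe to call repeatedly */`. The two branches now contain the same four-line sequence, so a small static helper taking `ret` would keep them from drifting apart.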
From: Michael Niedermayer Date: Sat, 28 Nov 2015 20:08:46 +0100 Subject: [PATCH 0807/1352] avcodec/utils: Clear dimensions in ff_get_buffer() on failure Fixes out of array access Fixes: 482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit abee0a1c60612e8638640a8a3738fffb65e16dbf) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 71308abee9..fc03e4901d 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1038,8 +1038,10 @@ end: int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags) { int ret = get_buffer_internal(avctx, frame, flags); - if (ret < 0) + if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + frame->width = frame->height = 0; + } return ret; } From a3ec4b307b4f688643b46aefb4b50584236a04d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:40:32 +0100 Subject: [PATCH 0808/1352] avformat/dump: Fix integer overflow in av_dump_format() Fixes part of mozilla bug 1229167 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 8e7f4520226d2d9ad6a58ad6c32d1455a8b244b2) Signed-off-by: Michael Niedermayer --- libavformat/dump.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dump.c b/libavformat/dump.c index c4434b3e0b..4a88e0743c 100644 --- a/libavformat/dump.c +++ b/libavformat/dump.c @@ -430,7 +430,7 @@ void av_dump_format(AVFormatContext *ic, int index, av_log(NULL, AV_LOG_INFO, " Duration: "); if (ic->duration != AV_NOPTS_VALUE) { int hours, mins, secs, us; - int64_t duration = ic->duration + 5000; + int64_t duration = ic->duration + (ic->duration <= INT64_MAX - 5000 ? 5000 : 0); secs = duration / AV_TIME_BASE; us = duration % AV_TIME_BASE; mins = secs / 60; 
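Review bot: In `av_dump_format` (libavformat/dump.c) the line after the fixed addition still narrows the result: `secs = duration / AV_TIME_BASE;` stores a 64-bit quotient in `secs`, which the context declares as `int hours, mins, secs, us;`. For a duration close to `INT64_MAX`, which is the input this patch defends against, the quotient does not fit in `int` and the printed time is wrong. Declaring `int64_t secs` would close that, with the format specifiers further down adjusted to match; those lines are outside the hunk.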
From 5cc411022e49edad09aa3eb5faef14a2a51492f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:41:43 +0100 Subject: [PATCH 0809/1352] avutil/integer: Fix av_mod_i() with negative dividend Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9cb18855d29c96a5d9d2f5ad30448cae3a2ddf) Signed-off-by: Michael Niedermayer --- libavutil/integer.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavutil/integer.c b/libavutil/integer.c index 5bcde0dc6e..6d6855fa1b 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c @@ -29,6 +29,8 @@ #include "integer.h" #include "avassert.h" +static const AVInteger zero_i; + AVInteger av_add_i(AVInteger a, AVInteger b){ int i, carry=0; @@ -111,6 +113,12 @@ AVInteger av_mod_i(AVInteger *quot, AVInteger a, AVInteger b){ AVInteger quot_temp; if(!quot) quot = "_temp; + if ((int16_t)a.v[AV_INTEGER_SIZE-1] < 0) { + a = av_mod_i(quot, av_sub_i(zero_i, a), b); + *quot = av_sub_i(zero_i, *quot); + return av_sub_i(zero_i, a); + } + av_assert2((int16_t)a.v[AV_INTEGER_SIZE-1] >= 0 && (int16_t)b.v[AV_INTEGER_SIZE-1] >= 0); av_assert2(av_log2_i(b)>=0); From 53ddc450c80f082c41732e2fd87346e19ae7f48d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:44:23 +0100 Subject: [PATCH 0810/1352] avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd The code expects actual positive numbers and gives completely wrong results if INT64_MIN is treated as positive Instead clip it into the valid range that is add 1 and treat it as negative Signed-off-by: Michael Niedermayer (cherry picked from commit 25e37f5ea92d4201976a59ae306ce848d257a7e6) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 126cffc3f0..b1ffd652de 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c 
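Review bot: The negative-dividend branch added to `av_mod_i` (libavutil/integer.c, second hunk) recurses on `av_sub_i(zero_i, a)`, and for the most negative representable AVInteger that negation yields the same value again, so the top word stays negative and the recursion does not terminate. Whether callers can produce that value is not visible here, but a guard before the recursive call would keep the function total. The divisor `b` is still covered only by `av_assert2`, so a negative `b` is unchecked in builds where that assertion is compiled out. A comment on the new branch stating the convention it implements (the remainder takes the sign of the dividend and the quotient is negated) would help the next reader.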
@@ -76,8 +76,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) rnd -= AV_ROUND_PASS_MINMAX; } - if (a < 0 && a != INT64_MIN) - return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd >> 1) & 1)); + if (a < 0) + return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; From c3f268b01c8948476c1eb37203adce8c18a80b9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Nov 2015 23:44:40 +0100 Subject: [PATCH 0811/1352] avcodec/mpeg4videodec: Check available data before reading custom matrix Fixes: out of array read Fixes: 76c515fc3779d1b838667c61ea13ce92/asan_heap-oob_1fc0d07_8913_794a4629a264ebdb25b58d3a94ed1785.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 891dc8f87536ac2ec695c70d081345224524ad99) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 227ba27372..e6b89fdb54 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1873,6 +1873,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; @@ -1896,6 +1900,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; From 516525a1031b303fdb4b179dc870e83a10927504 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 30 Nov 2015 03:32:36 +0100 Subject: [PATCH 0812/1352] avcodec/vp3: always set pix_fmt in theora_decode_header() Fixes assertion failure Fixes: d0bb0662da342ec65f8f2a081222e6b9/signal_sigabrt_7ffff6ae7cc9_5471_82964f0a9ac2f4d3d59390c15473f6f7.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a814f1d364ba912adf61adef158168c5f7604e93) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index c9bc859d8a..70552f4b20 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2299,7 +2299,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) return AVERROR_INVALIDDATA; } skip_bits(gb, 3); /* reserved */ - } + } else + avctx->pix_fmt = AV_PIX_FMT_YUV420P; // align_get_bits(gb); From ce15d773d4f7a3f224342b5eb9ccad93c71421e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Dec 2015 21:16:27 +0100 Subject: [PATCH 0813/1352] avcodec/apedec: Check length in long_filter_high_3800() Fixes out of array read Fixes: 0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 577d0aa260..7893bc320f 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -905,6 +905,9 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int i, j; int32_t dotprod, sign; + if (order >= length) + return; + memset(coeffs, 0, order * sizeof(*coeffs)); for (i = 0; i < order; i++) delay[i] = buffer[i]; From f91e71cc68fb1e82de0d1b2e5b437af880f3254b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 1 Dec 2015 13:32:31 +0100 Subject: [PATCH 0814/1352] avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows Fixes integer overflow Fixes: mozilla bug 1229167 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit f03c2ceec174877e03bb302f5971fbe9ffbe4856) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index b1ffd652de..4d8467b8c8 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -77,7 +77,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) } if (a < 0) - return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); + return -(uint64_t)av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; @@ -87,8 +87,13 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) if (b <= INT_MAX && c <= INT_MAX) { if (a <= INT_MAX) return (a * b + r) / c; - else - return a / c * b + (a % c * b + r) / c; + else { + int64_t ad = a / c; + int64_t a2 = (a % c * b + r) / c; + if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b) + return INT64_MIN; + return ad * b + a2; + } } else { #if 1 uint64_t a0 = a & 0xFFFFFFFF; @@ -112,6 +117,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) t1++; } } + if (t1 > INT64_MAX) + return INT64_MIN; return t1; } #else From 4ecdd45d24103fc4073687c75a537b77b55b2bf9 Mon Sep 17 00:00:00 2001 
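Review bot: The new overflow test in `av_rescale_rnd` (libavutil/mathematics.c, second hunk) divides by `b`: `ad > (INT64_MAX - a2) / b` is evaluated whenever `ad >= INT32_MAX`, and nothing in the hunk excludes `b == 0`. Unless zero is rejected earlier in the function, outside the hunk, a call with a large `a`, a small `c` and `b == 0` divides by zero. Adding the operand to the condition avoids it: `if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b)`. The function's doc comment should also say that `INT64_MIN` is now returned on overflow, since callers may otherwise use it as a timestamp.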
From: Michael Niedermayer Date: Thu, 3 Dec 2015 03:14:11 +0100 Subject: [PATCH 0815/1352] avutil/timecode: Fix fps check The fps variable is explicitly set to -1 in case of some errors, the check must thus be signed or the code setting it needs to use 0 as error code the type of the field could be changed as well but its in an installed header Fixes: integer overflow Fixes: 9982cc157b1ea90429435640a989122f/asan_generic_3ad004a_3799_22cf198d9cd09928e2d9ad250474fa58.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b46dcd5209a77254345ae098b83a872634c5591b) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 1dfd040868..bf463ed515 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -151,7 +151,7 @@ static int check_fps(int fps) static int check_timecode(void *log_ctx, AVTimecode *tc) { - if (tc->fps <= 0) { + if ((int)tc->fps <= 0) { av_log(log_ctx, AV_LOG_ERROR, "Timecode frame rate must be specified\n"); return AVERROR(EINVAL); } From ec94195b80d9927ebb169f9cebacd7c8834a587b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Sat, 28 Nov 2015 08:27:39 +0200 Subject: [PATCH 0816/1352] mpegencts: Fix overflow in cbr mode period calculations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ts->mux_rate is int (signed 32-bit) type. The period calculations will start to overflow when mux_rate > 5mbps. This fixes overflows by converting first to 64-bit type. Fixes #5044. Signed-off-by: Timo Teräs Signed-off-by: Michael Niedermayer (cherry picked from commit 64f7db554ee83846f207e82a08946a6a5a6acfe2) Signed-off-by: Michael Niedermayer --- libavformat/mpegtsenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
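Review bot: The cast in `check_timecode` (libavutil/timecode.c), `if ((int)tc->fps <= 0) {`, reads like a no-op or a mistake to anyone who has not seen the commit message. I would put the reason next to it: `/* fps is unsigned in the installed header but is set to -1 on error, so compare as signed */`. Values above `INT_MAX` also become negative under this cast and are rejected, which is presumably intended but worth stating in the same comment.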
diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 0184d87149..f58b3d36a1 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -738,11 +738,11 @@ static int mpegts_write_header(AVFormatContext *s) ts_st = pcr_st->priv_data; if (ts->mux_rate > 1) { - service->pcr_packet_period = (ts->mux_rate * ts->pcr_period) / + service->pcr_packet_period = (int64_t)ts->mux_rate * ts->pcr_period / (TS_PACKET_SIZE * 8 * 1000); - ts->sdt_packet_period = (ts->mux_rate * SDT_RETRANS_TIME) / + ts->sdt_packet_period = (int64_t)ts->mux_rate * SDT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); - ts->pat_packet_period = (ts->mux_rate * PAT_RETRANS_TIME) / + ts->pat_packet_period = (int64_t)ts->mux_rate * PAT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); if (ts->copyts < 1) From 1aa415ffb152b339997debf489b77878360eed9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 12:47:20 +0100 Subject: [PATCH 0817/1352] avcodec/vp3: Fix "runtime error: left shift of negative value" Fixes: 5c6129154b356b80bcab86f9e3ee5d29/signal_sigabrt_7ffff6ae7cc9_7322_d26ac6d7cb6567db1b8be0159b387d0b.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 18268f761bffb37552f59f87542fef3d5c80618c) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 70552f4b20..553681bade 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -206,8 +206,8 @@ typedef struct Vp3DecodeContext { int16_t *dct_tokens[3][64]; int16_t *dct_tokens_base; #define TOKEN_EOB(eob_run) ((eob_run) << 2) -#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) << 9) + ((zero_run) << 2) + 1) -#define TOKEN_COEFF(coeff) (((coeff) << 2) + 2) +#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) * 512) + ((zero_run) << 2) + 1) +#define TOKEN_COEFF(coeff) (((coeff) * 4) + 2) /** * number of blocks that contain DCT coefficients at 
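Review bot: The `TOKEN_ZERO_RUN` and `TOKEN_COEFF` macros in libavcodec/vp3.c now multiply by 512 and 4 where the neighbouring `TOKEN_EOB` still shifts, and nothing in the file explains the difference. Without a comment the multiplications invite a later cleanup back to `<<`, which would reintroduce the undefined left shift of a negative `coeff`. I would add one line above the macros: `/* coeff may be negative: multiply instead of shifting, since left-shifting a negative value is undefined */`.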
From 0819598b008ebf6940a3638f15a96516d99f0099 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:06:16 +0100 Subject: [PATCH 0818/1352] avformat/smacker: fix integer overflow with pts_inc Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 5dcf4adafe..de8bbdb07a 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s) smk->height = avio_rl32(pb); smk->frames = avio_rl32(pb); smk->pts_inc = (int32_t)avio_rl32(pb); + if (smk->pts_inc > INT_MAX / 100) { + av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc); + return AVERROR_INVALIDDATA; + } + smk->flags = avio_rl32(pb); if(smk->flags & SMACKER_FLAG_RING_FRAME) smk->frames++; From f19d3fe8e95101f3e06a790d9a274b3e4f73f5b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:11:23 +0100 Subject: [PATCH 0819/1352] avcodec/wmaprodec: Fix overflow of cutoff Fixes: 129ca3e28d73af7b1e24a9d4118e7a2d/signal_sigabrt_7ffff6ae7cc9_836_762b310fc3ef6087bd7771e5d8e90b9b.asf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0c56f8303e676556ea09bfac73d881c6c9057259) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index f32e4c2931..8e026ba7c4 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c 
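Review bot: The new range check in `smacker_read_header` (libavformat/smacker.c) bounds `smk->pts_inc` only from above, while the line before it, `smk->pts_inc = (int32_t)avio_rl32(pb);`, lets the file supply any negative value including `INT_MIN`. If the code after the hunk negates or scales a negative `pts_inc`, which I cannot see from here, `INT_MIN` overflows in the same way this patch is meant to prevent. Extending the condition covers it: `if (smk->pts_inc > INT_MAX / 100 || smk->pts_inc == INT_MIN) {`.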
@@ -473,7 +473,7 @@ static av_cold int decode_init(AVCodecContext *avctx) /** calculate subwoofer cutoff values */ for (i = 0; i < num_possible_block_sizes; i++) { int block_size = s->samples_per_frame >> i; - int cutoff = (440*block_size + 3 * (s->avctx->sample_rate >> 1) - 1) + int cutoff = (440*block_size + 3LL * (s->avctx->sample_rate >> 1) - 1) / s->avctx->sample_rate; s->subwoofer_cutoffs[i] = av_clip(cutoff, 4, block_size); } From ae434647409daec6cc7ec27b385b0592640690f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:48:06 +0100 Subject: [PATCH 0820/1352] avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows Fixes: 549d5aab1480d10f2a775ed90b0342f1/signal_sigabrt_7ffff6ae7cc9_5643_96bbb0cfe3e28be1dadfce1075016345.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 66e05f6ff5e5c105bdd7bf3a49234ddac1b592c5) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 8e026ba7c4..4351e3fedf 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -296,6 +296,12 @@ static av_cold int decode_init(AVCodecContext *avctx) s->decode_flags = AV_RL16(edata_ptr+14); channel_mask = AV_RL32(edata_ptr+2); s->bits_per_sample = AV_RL16(edata_ptr); + + if (s->bits_per_sample > 32 || s->bits_per_sample < 1) { + avpriv_request_sample(avctx, "bits per sample is %d", s->bits_per_sample); + return AVERROR_PATCHWELCOME; + } + /** dump the extradata */ for (i = 0; i < avctx->extradata_size; i++) av_dlog(avctx, "[%x] ", avctx->extradata[i]); From 142f8308a121051c6e2d3531ea4892018ba67ef3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:11:54 +0100 Subject: [PATCH 0821/1352] avcodec/dirac_parser: Fix potential overflows in pointer checks 
Signed-off-by: Michael Niedermayer (cherry picked from commit 79798f7c57b098c78e0bbc6becd64b9888b013d1) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 654f0b4c97..a481b266b3 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -100,10 +100,12 @@ typedef struct DiracParseUnit { static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, int offset) { - uint8_t *start = pc->buffer + offset; - uint8_t *end = pc->buffer + pc->index; - if (start < pc->buffer || (start + 13 > end)) + int8_t *start; + + if (offset < 0 || pc->index - 13 < offset) return 0; + + start = pc->buffer + offset; pu->pu_type = start[4]; pu->next_pu_offset = AV_RB32(start + 5); From e5a2128ead24ccafaee1e0bcbe02257f1e123629 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:14:36 +0100 Subject: [PATCH 0822/1352] avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset Signed-off-by: Michael Niedermayer (cherry picked from commit c7d6ec947c053699950af90f695413a5640b3872) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index a481b266b3..8d93669292 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -114,6 +114,15 @@ static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, if (pu->pu_type == 0x10 && pu->next_pu_offset == 0) pu->next_pu_offset = 13; + if (pu->next_pu_offset && pu->next_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "next_pu_offset %d is invalid\n", pu->next_pu_offset); + return 0; + } + if (pu->prev_pu_offset && pu->prev_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "prev_pu_offset %d is invalid\n", pu->prev_pu_offset); + return 0; + } + return 1; } 
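Review bot: In `unpack_parse_unit` (libavcodec/dirac_parser.c, first patch on this line) the rewritten declaration is `int8_t *start;` where the removed line had `uint8_t *start`, which looks like a typo. With a signed element type, `pu->pu_type = start[4];` sign-extends any parse code of 0x80 or above, so later comparisons against such codes can fail depending on the type of `pu_type`, which is not shown. `start = pc->buffer + offset;` then also assigns between pointer types of different signedness. I would declare it as `const uint8_t *start;`, and add a short comment that the 13 in `pc->index - 13 < offset` is presumably the size of the parse-unit header read below.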
From 9459490c2ae927e341354c311639f016d01731a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:15:38 +0100 Subject: [PATCH 0823/1352] avcodec/dirac_parser: Check that there is a previous PU before accessing it Fixes out of array read Fixes: 99d142c47e6ba3510a74b872a1a2ae72/asan_heap-oob_11b36f4_3811_0f5c69e7609a88a580135678de1df844.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a08681f1e614152184615e2bcd71c3d63835f810) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 8d93669292..0c684643a9 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -197,7 +197,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, } /* Get the picture number to set the pts and dts*/ - if (parse_timing_info) { + if (parse_timing_info && pu1.prev_pu_offset >= 13) { uint8_t *cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset; int pts = AV_RB32(cur_pu + 13); From bafd5c3c80a4a9ee8f5c0e67320c6e0bf3869101 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 22:08:59 +0100 Subject: [PATCH 0824/1352] avcodec/hevc: Fix integer overflow of entry_point_offset Fixes out of array read Fixes: d41d8cd98f00b204e9800998ecf8427e/signal_sigsegv_321165b_7641_077dfcd8cbc80b1c0b470c8554cd6ffb.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 214085852491448631dcecb008b5d172c11b8892) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 4 ++-- libavcodec/hevc.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 5c530b71f3..85a0db8f58 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
@@ -696,7 +696,7 @@ static int hls_slice_header(HEVCContext *s) av_freep(&sh->entry_point_offset); av_freep(&sh->offset); av_freep(&sh->size); - sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); + sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned)); sh->offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); sh->size = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); if (!sh->entry_point_offset || !sh->offset || !sh->size) { @@ -2410,7 +2410,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int64_t offset; - int startheader, cmpt = 0; + int64_t startheader, cmpt = 0; int i, j, res = 0; ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 7efafe11e2..c71ab55000 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -607,7 +607,7 @@ typedef struct SliceHeader { unsigned int max_num_merge_cand; ///< 5 - 5_minus_max_num_merge_cand - int *entry_point_offset; + unsigned *entry_point_offset; int * offset; int * size; int num_entry_point_offsets; From c02a9f1c6e8c72f0e7cf2d039a06caa66fc668c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 21:44:05 +0100 Subject: [PATCH 0825/1352] swscale/utils: Fix for runtime error: left shift of negative value -1 Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 325b59368dae3c3f2f5cc39873002b4cf133ccbc) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 84c58ca5f5..66d28317af 100644 
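Review bot: The element size in `av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned))` is still spelled as a type name, which is why this allocation had to be edited together with the declaration in hevc.h. Writing `sizeof(*sh->entry_point_offset)`, and likewise `sizeof(*sh->offset)` and `sizeof(*sh->size)` on the two following lines, ties each allocation to the pointer's declared type, so a later type change cannot leave a buffer undersized. `hls_slice_header()` continues outside the hunk.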
--- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -391,7 +391,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x10000LL)>>7); for (i = 0; i < dstW; i++) { - int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 17); + int xx = (xDstInSrc - (filterSize - 2) * (1LL<<16)) / (1 << 17); int j; (*filterPos)[i] = xx; for (j = 0; j < filterSize; j++) { From c676db730e36e07e7f86b590ca14fb1745584891 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 21:38:12 +0100 Subject: [PATCH 0826/1352] avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int Fixes: b293a6479bb4b5286cff24d356bfd955/asan_generic_225c3c9_7819_cc526b657450c6cdef1371b526499626.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4f2419888ba49245761f4ab343679c38e7880cfe) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 36f1f8265a..3c39e7ac63 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -33,7 +33,7 @@ #include "libavutil/imgutils.h" #include "libavutil/opt.h" -#define RGBA(r,g,b,a) (((a) << 24) | ((r) << 16) | ((g) << 8) | (b)) +#define RGBA(r,g,b,a) (((unsigned)(a) << 24) | ((r) << 16) | ((g) << 8) | (b)) #define MAX_EPOCH_PALETTES 8 // Max 8 allowed per PGS epoch #define MAX_EPOCH_OBJECTS 64 // Max 64 allowed per PGS epoch #define MAX_OBJECT_REFS 2 // Max objects per display set From 311de799a81ed67b62805f9d72684a5405563c93 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 4 Dec 2015 16:23:24 +0100 Subject: [PATCH 0827/1352] avcodec/jpeg2000dec: Check bpno in decode_cblk() Fixes: undefined shift Fixes: c409ef86f892335a0a164b5871174d5a/asan_heap-oob_1dff564_2159_162b7234616deab02b544410455eb07b.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a85b02dcf70f62a6a433a607143f1f78fa5648bb) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index ee4f1955ea..67f88d9bc3 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1079,6 +1079,10 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty, ff_mqc_initdec(&t1->mqc, cblk->data); while (passno--) { + if (bpno < 0) { + av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n"); + return AVERROR_INVALIDDATA; + } switch(pass_t) { case 0: decode_sigpass(t1, width, height, bpno + 1, bandpos, From 9ee155c745b528122a5709b52d4a25fff7aea698 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Dec 2015 22:59:56 +0100 Subject: [PATCH 0828/1352] avcodec/vp3: ensure header is parsed successfully before tables Fixes assertion failure Fixes: 266ee543812e934f7b4a72923a2701d4/signal_sigabrt_7ffff6ae7cc9_7322_85218d61759d461bdf7387180e8000c9.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 26379d4fddc17cac853ef297ff327b58c44edbad) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 553681bade..b3aaf4e22d 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c 
@@ -131,7 +131,7 @@ static const uint8_t hilbert_offset[16][2] = { typedef struct Vp3DecodeContext { AVCodecContext *avctx; - int theora, theora_tables; + int theora, theora_tables, theora_header; int version; int width, height; int chroma_x_shift, chroma_y_shift; @@ -2240,6 +2240,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); @@ -2323,6 +2324,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) avctx->color_trc = AVCOL_TRC_BT709; } + s->theora_header = 1; return 0; } @@ -2331,6 +2333,9 @@ static int theora_decode_tables(AVCodecContext *avctx, GetBitContext *gb) Vp3DecodeContext *s = avctx->priv_data; int i, n, matrices, inter, plane; + if (!s->theora_header) + return AVERROR_INVALIDDATA; + if (s->theora >= 0x030200) { n = get_bits(gb, 3); /* loop filter limit values table */ From 70720f3e4d9e50e2d0f6d5aed8c9b576e60f802c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 13:42:05 +0100 Subject: [PATCH 0829/1352] avcodec/hevc: Check max ctb addresses for WPP Fixes out of array read Fixes: 2f95ddd996db8a6281d2e18c184595a7/asan_heap-oob_192fe91_3330_58e4441181e30a66c19f743dcb392347.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dad354f38ddc9bfc834bc21358a1d0ad41532ca0) Signed-off-by: Michael Niedermayer Conflicts: libavcodec/hevc.c Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 85a0db8f58..d29343b306 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
@@ -2413,6 +2413,15 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) int64_t startheader, cmpt = 0; int i, j, res = 0; + if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * s->sps->ctb_width >= s->sps->ctb_width * s->sps->ctb_height) { + av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d %d)\n", + s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets, + s->sps->ctb_width, s->sps->ctb_height + ); + res = AVERROR_INVALIDDATA; + goto error; + } + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { From 6c83283c3a009a0cd2bf52328f2bb65d286e72ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 01:25:50 +0100 Subject: [PATCH 0830/1352] avcodec/ffv1dec: Print an error if the quant table count is invalid Signed-off-by: Michael Niedermayer (cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 72afa253db..70d1185883 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -567,8 +567,10 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { + av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); return AVERROR_INVALIDDATA; + } for (i = 0; i < f->quant_table_count; i++) { f->context_count[i] = read_quant_tables(c, f->quant_tables[i]); From 3a1aaec9bbcc915f3098448ef2fd81b6b3422c56 Mon Sep 17 00:00:00 2001 
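Review bot: The new bound at the top of `hls_slice_data_wpp()` computes `s->sh.num_entry_point_offsets * s->sps->ctb_width` in plain `int`. `num_entry_point_offsets` is an `int` field of `SliceHeader` and presumably comes from the bitstream, so unless an earlier check caps it the product, or its sum with `slice_ctb_addr_rs`, can overflow before the comparison and let a bad value through. Doing the arithmetic in 64 bits removes the doubt: `if (s->sh.slice_ctb_addr_rs + (int64_t)s->sh.num_entry_point_offsets * s->sps->ctb_width >= (int64_t)s->sps->ctb_width * s->sps->ctb_height) {`. The types of `ctb_width` and `ctb_height` are not visible here and the function continues outside the hunk.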
From: Michael Niedermayer Date: Sat, 14 Nov 2015 13:21:58 +0100 Subject: [PATCH 0831/1352] avcodec/ffv1dec: Clear quant_table_count if its invalid Fixes deallocation of corrupted pointer Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi No releases affected Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 70d1185883..a34c509acf 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -569,6 +569,7 @@ static int read_extra_header(FFV1Context *f) f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); + f->quant_table_count = 0; return AVERROR_INVALIDDATA; } From 9f0e36b1011619121fd646b58ea778fb2553b320 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Dec 2015 12:59:30 +0100 Subject: [PATCH 0832/1352] update for 2.4.12 Signed-off-by: Michael Niedermayer --- Changelog | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 124 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 9914409829..39653b7667 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,128 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.4.12: +- avcodec/ffv1dec: Clear quant_table_count if its invalid +- avcodec/ffv1dec: Print an error if the quant table count is invalid +- avcodec/hevc: Check max ctb addresses for WPP +- avcodec/vp3: ensure header is parsed successfully before tables +- avcodec/jpeg2000dec: Check bpno in decode_cblk() +- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int +- swscale/utils: Fix for runtime error: left shift of negative value -1 +- avcodec/hevc: Fix integer overflow of entry_point_offset +- avcodec/dirac_parser: Check that there is a previous PU before accessing it +- avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset +- avcodec/dirac_parser: Fix potential overflows in pointer checks +- avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows +- avcodec/wmaprodec: Fix overflow of cutoff +- avformat/smacker: fix integer overflow with pts_inc +- avcodec/vp3: Fix "runtime error: left shift of negative value" +- mpegencts: Fix overflow in cbr mode period calculations +- avutil/timecode: Fix fps check +- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows +- avcodec/apedec: Check length in long_filter_high_3800() +- avcodec/vp3: always set pix_fmt in theora_decode_header() +- avcodec/mpeg4videodec: Check available data before reading custom matrix +- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd +- avutil/integer: Fix av_mod_i() with negative dividend +- avformat/dump: Fix integer overflow in av_dump_format() +- avcodec/utils: Clear dimensions in ff_get_buffer() on failure +- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() +- avcodec/vp3: Clear context on reinitialization failure +- avcodec/hevc: allocate entries 
unconditionally +- avcodec/hevc_cabac: Fix multiple integer overflows +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() +- avcodec/hevc: Check entry_point_offsets +- avcodec/cabac: Check initial cabac decoder state +- avcodec/cabac_functions: Fix "left shift of negative value -31767" +- avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized +- avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup +- rtmpcrypt: Do the xtea decryption in little endian mode +- avformat/matroskadec: Check subtitle stream before dereferencing +- avformat/utils: Do not init parser if probing is unfinished +- avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions +- avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range +- avcodec/jpeg2000: Check comp coords to be within the supported size +- avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component() +- avcodec/wmaprodec: Check for overread in decode_packet() +- avcodec/smacker: Check that the data size is a multiple of a sample vector +- avcodec/takdec: Skip last p2 sample (which is unused) +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_410() +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_420() +- avcodec/error_resilience: avoid accessing previous or next frames tables beyond height +- avcodec/dpx: Move need_align to act per line +- avcodec/flashsv: Check size before updating it +- avcodec/ivi: Check image dimensions +- avcodec/utils: Better check for channels in av_get_audio_frame_duration() +- avcodec/jpeg2000dec: Check for duplicate SIZ marker +- avcodec/jpeg2000dec: Clip all tile coordinates +- avcodec/microdvddec: Check for string end in 'P' case +- avcodec/dirac_parser: Fix undefined memcpy() use +- avformat/xmv: Discard remainder of packet on error +- avformat/xmv: factor return check out of if/else +- 
libavutil/channel_layout: Check strtol*() for failure +- avcodec/ffv1dec: Check for 0 quant tables +- avcodec/mjpegdec: Reinitialize IDCT on BPP changes +- avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it +- avutil/file_open: avoid file handle inheritance on Windows +- avcodec/ffv1: Initialize vlc_state on allocation +- avcodec/ffv1dec: update progress in case of broken pointer chains +- avcodec/ffv1dec: Clear slice coordinates if they are invalid or slice header decoding fails for other reasons +- avformat/httpauth: Add space after commas in HTTP/RTSP auth header +- avcodec/x86/sbrdsp: Fix using uninitialized upper 32bit of noise +- avcodec/ffv1dec: Fix off by 1 error in quant_table_count check +- avcodec/ffv1dec: Explicitly check read_quant_table() return value +- avcodec/rangecoder: Check e +- lavf/webvttenc: Require webvtt file to contain exactly one WebVTT stream. +- avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG +- avfilter/af_asyncts: use llabs for int64_t +- avcodec/g2meet: Also clear tile dimensions on header_fail +- avcodec/g2meet: Fix potential overflow in tile dimensions check +- avcodec/svq1dec: Check init_get_bits8() for failure +- avcodec/tta: Check init_get_bits8() for failure +- swresample/swresample: Fix integer overflow in seed calculation +- avformat/mov: Fix integer overflow in FFABS +- avutil/common: Add FFNABS() +- avutil/common: Document FFABS() corner case +- avformat/dump: Fix integer overflow in aspect ratio calculation +- avcodec/truemotion1: Check for even width +- avcodec/libopusenc: Fix infinite loop on flushing after 0 input +- doc/filters/drawtext: fix centering example +- avcodec: avoid division by zero in avcodec_string +- mpegvideo: clear overread in clear_context +- dvdsubdec: validate offset2 similar to offset1 +- avcodec/takdec: Use memove, avoid undefined memcpy() use +- jvdec: avoid unsigned overflow in comparison +- avcodec/mpeg12dec: Do not call show_bits() with invalid bits +- opusdec: Don't run 
vector_fmul_scalar on zero length arrays +- avcodec/opusdec: Fix extra samples read index +- riffdec: prevent negative bit rate +- Merge commit 'd80811c94e068085aab797f9ba35790529126f85' +- imc: use correct position for flcoeffs2 calculation +- snow: remove an obsolete av_assert2 +- wavpack: limit extra_bits to 32 and use get_bits_long +- huffyuvdec: validate image size +- wavpack: use get_bits_long to read up to 32 bits +- nutdec: check maxpos in read_sm_data before returning success +- s302m: fix arithmetic exception +- mpegaudiodec: copy AVFloatDSPContext from first context to all contexts +- vc1dec: use get_bits_long and limit the read bits to 32 +- avcodec/s302m: Only set the sample rate when some data is output +- avidec: check for valid bit_rate range +- vp9: add support for resolution changes in inter frames. +- vp9: avoid infinite loop with broken files +- videodsp: don't overread edges in vfix3 emu_edge. +- avformat/oggenc: Check segments_count for headers too +- avformat/avidec: Workaround broken initial frame +- hevc: properly handle no_rasl_output_flag when removing pictures from the DPB +- hevc: fix wpp threading deadlock. +- avcodec/ffv1: seperate slice_count from max_slice_count +- lavf/img2dec: Fix memory leak +- avcodec/mp3: fix skipping zeros +- doc: mention libavcodec can decode Opus natively + + version 2.4.11: - avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops - avformat/hevc: Fix parsing errors diff --git a/RELEASE b/RELEASE index 11e3212692..cf95c0186a 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.11 +2.4.12 diff --git a/doc/Doxyfile b/doc/Doxyfile index 13ebdc1adb..74e2732679 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.11 +PROJECT_NUMBER = 2.4.12 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From 073fcfe35800d0ad400dd1668727e3741e2a6a34 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 2 Dec 2015 21:52:23 +0100 Subject: [PATCH 0833/1352] mjpegdec: consider chroma subsampling in size check If the chroma components are subsampled, smaller buffers are allocated for them. In that case the maximal block_offset for the chroma components is not as large as for the luma component. This fixes out of bounds writes causing segmentation faults or memory corruption. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 59cbd25a6e..c98476674a 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1197,7 +1197,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, int mb_bitmask_size, const AVFrame *reference) { - int i, mb_x, mb_y; + int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width, chroma_height; uint8_t *data[MAX_COMPONENTS]; const uint8_t *reference_data[MAX_COMPONENTS]; int linesize[MAX_COMPONENTS]; 
@@ -1214,6 +1214,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, s->restart_count = 0; + av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift, + &chroma_v_shift); + chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift); + chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift); + for (i = 0; i < nb_components; i++) { int c = s->comp_index[i]; data[c] = s->picture_ptr->data[c]; @@ -1250,8 +1255,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - if ( 8*(h * mb_x + x) < s->width - && 8*(v * mb_y + y) < s->height) { + if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ? chroma_width : s->width) + && 8*(v * mb_y + y) < ((c == 1) || (c == 2) ? chroma_height : s->height)) { ptr = data[c] + block_offset; } else ptr = NULL; From ab70292fd0c35d1c308f6cdbb810746edf644233 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 17:39:38 +0100 Subject: [PATCH 0834/1352] avutil/mathematics: Fix division by 0 Fixes: CID1341571 Signed-off-by: Michael Niedermayer (cherry picked from commit bc8b1e694cc395fdf5e2917377ef11263c937d85) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 4d8467b8c8..78a87d8457 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -90,7 +90,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) else { int64_t ad = a / c; int64_t a2 = (a % c * b + r) / c; - if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b) + if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b) return INT64_MIN; return ad * b + a2; } From 5e4ec87720a64cd969120af60e82cbd55454ab8e Mon Sep 17 00:00:00 2001 
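Review bot: The return value of `av_pix_fmt_get_chroma_sub_sample()` is ignored in `mjpeg_decode_scan()`, and the previous hunk declares `chroma_h_shift` and `chroma_v_shift` without initializers. That function returns an error and leaves both outputs unwritten when the pixel format has no descriptor, so `chroma_width` and `chroma_height` would then be derived from indeterminate values and used in the new bounds test that decides whether `ptr` is non-NULL. Checking the result and returning an error on failure, or initializing both shifts to 0, closes that gap. The repeated `(c == 1) || (c == 2) ? … : …` in the last hunk would also be easier to read as a flag computed once per component, for example `const int is_chroma = c == 1 || c == 2;`.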
From: Rainer Hochecker Date: Sun, 15 Nov 2015 13:58:50 +0100 Subject: [PATCH 0835/1352] avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec Fixes a mpegts file with hevc that fails estimating duration. Increasing number of retries fixes the issue. Signed-off-by: Michael Niedermayer (cherry picked from commit 2d8c2f1a28073d451c7db31291c333cb15ca3d0b) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 4ce97cca92..f26cfb34a7 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2319,7 +2319,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) } #define DURATION_MAX_READ_SIZE 250000LL -#define DURATION_MAX_RETRY 4 +#define DURATION_MAX_RETRY 6 /* only usable for MPEG-PS streams */ static void estimate_timings_from_pts(AVFormatContext *ic, int64_t old_offset) From bfebe3defed4336de69964b693521abc8d1f43c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:06:04 +0100 Subject: [PATCH 0836/1352] swscale/x86/rgb2rgb_template: Do not crash on misaligend stride Fixes Ticket5013 Signed-off-by: Michael Niedermayer (cherry picked from commit 80bfce35ccd11458e97f68f417fc094c5347070c) --- libswscale/x86/rgb2rgb_template.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index e9b131e033..03153fd573 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,8 +1887,10 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16) + if (width >= 16 #if COMPILE_TEMPLATE_SSE2 + && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" 
@@ -1908,6 +1910,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); #else + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" From 3440a9ba4f37eeac98ed5322f9c5c3e9e7afd447 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:50:20 +0100 Subject: [PATCH 0837/1352] swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* This also as a sideeffect fixes the non aligned case Signed-off-by: Michael Niedermayer (cherry picked from commit a066ff89bcbae6033c2ffda9271cad84f6c1b807) --- libswscale/x86/rgb2rgb_template.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 03153fd573..6f218ddbb7 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,10 +1887,9 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16 + if (width >= 16) { #if COMPILE_TEMPLATE_SSE2 - && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) - ) + if (!((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15)) { __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1909,8 +1908,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); -#else - ) + } else +#endif __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1936,7 +1935,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", "%"REG_a ); -#endif + + } for (w= (width&(~15)); w < width; w++) { dest[2*w+0] = src1[w]; dest[2*w+1] = src2[w]; 
From 7f33fef2a28dbc63ee98b0a217acabf760c5b7cd Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 4 Dec 2015 18:13:07 +0100 Subject: [PATCH 0838/1352] aaccoder: prevent crash of anmr coder If minq is negative, the range of sf_idx can be larger than SCALE_MAX_DIFF allows, causing assertion failures later in encode_scale_factors. Reviewed-by: Claudio Freire Signed-off-by: Andreas Cadhalpun (cherry picked from commit 7a4652dd5da0502ff21c183b5ca7d76b1cfd6c51) Signed-off-by: Andreas Cadhalpun --- libavcodec/aaccoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index 5bf6a9c155..4b915da2c1 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -691,7 +691,7 @@ static void search_for_quantizers_anmr(AVCodecContext *avctx, AACEncContext *s, } while (idx) { sce->sf_idx[bandaddr[idx]] = minq + q0; - minq = paths[idx][minq].prev; + minq = FFMAX(paths[idx][minq].prev, 0); idx--; } //set the same quantizers inside window groups From 6fc3f6f43b24b98a768acc28f03fec37ef1a79e3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 14 Dec 2015 22:11:55 +0100 Subject: [PATCH 0839/1352] ffm: reject invalid codec_id and codec_type A negative codec_id cannot be handled by the found_decoder API of AVStream->info: if the codec_id is not recognized, found_decoder is set to -codec_id, which has to be '<0' according to the API documentation. This can cause NULL pointer dereferencing in try_decode_frame. Also make sure the codec_type matches the expected one for codec_id. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ecf63b7cc24b9fd3e6d604313325dd1ada4db662) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 2753f2c2d3..ee3e1d6ea4 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c 
@@ -243,6 +243,7 @@ static int ffm2_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int ret; ffm->packet_size = avio_rb32(pb); @@ -289,7 +290,20 @@ static int ffm2_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); @@ -389,6 +403,7 @@ static int ffm_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int i, nb_streams; uint32_t tag; @@ -426,7 +441,20 @@ static int ffm_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); /* codec_type */ + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); From 7a26ea7a7e67cff8c1f3367e4f505f1c650ca0f5 Mon Sep 17 00:00:00 2001 
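Review bot: The same validation of `codec_id` against `avcodec_descriptor_get()` and of `codec_type` against `codec_desc->type` is added verbatim to both `ffm2_read_header()` (second hunk) and `ffm_read_header()` (fourth hunk). Two copies of an input check tend to drift apart, and a later fix applied to only one reader would leave the other accepting the bad header. A small `static` helper that takes the `AVFormatContext` and the `AVCodecContext`, performs both comparisons, resets the fields and returns an error would let each reader do `if (helper(s, codec) < 0) goto fail;` after reading the two fields. Both functions start and end outside their hunks, so what `fail` releases cannot be confirmed from here.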
From: Andreas Cadhalpun Date: Tue, 15 Dec 2015 22:00:31 +0100 Subject: [PATCH 0840/1352] opus_silk: fix typo causing overflow in silk_stabilize_lsf Due to this typo max_center can be too large, causing nlsf to be set to too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to overflow to a negative value, which is not allowed for nlsf and can cause an out of bounds read in silk_lsf2lpc. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f61d44b74aaae1d306d8a0d38b7b3d4292c89ced) Signed-off-by: Andreas Cadhalpun --- libavcodec/opus_silk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 7a89479fb9..4c64cdfce6 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ /* upper extent */ for (i = order; i > k; i--) - max_center -= min_delta[k]; + max_center -= min_delta[i]; max_center -= min_delta[k] >> 1; /* move apart */ From 465dd4bc941e96abc00e60e35947673d64d34907 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 15 Dec 2015 23:43:03 +0100 Subject: [PATCH 0841/1352] sonic: make sure num_taps * channels is not larger than frame_size If that is the case, the loop setting predictor_state in sonic_decode_frame causes out of bounds reads of int_samples, which has only frame_size number of elements. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9637c2531f7eb040ad1c3cb46cb40a63dfc77b80) Signed-off-by: Andreas Cadhalpun --- libavcodec/sonic.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index c5076f9d8e..ab947c47b0 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c 
@@ -925,6 +925,13 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) s->frame_size = s->channels*s->block_align*s->downsampling; // avctx->frame_size = s->block_align; + if (s->num_taps * s->channels > s->frame_size) { + av_log(avctx, AV_LOG_ERROR, + "number of taps times channels (%d * %d) larger than frame size %d\n", + s->num_taps, s->channels, s->frame_size); + return AVERROR_INVALIDDATA; + } + av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d block: %d frame: %d downsamp: %d\n", s->version, s->minor_version, s->lossless, s->decorrelation, s->num_taps, s->block_align, s->frame_size, s->downsampling); From e32095807b86480dfa5395972f7734990e27c146 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 16 Dec 2015 16:48:19 +0100 Subject: [PATCH 0842/1352] on2avc: limit number of bits to 30 in get_egolomb More don't fit into the integer output. Also use get_bits_long, since get_bits only supports reading up to 25 bits, while get_bits_long supports the full integer range. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8) Signed-off-by: Andreas Cadhalpun --- libavcodec/on2avc.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index c864e14bc8..c4e45afe79 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb) { int v = 4; - while (get_bits1(gb)) v++; + while (get_bits1(gb)) { + v++; + if (v > 30) { + av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n"); + v = 30; + break; + } + } - return (1 << v) + get_bits(gb, v); + return (1 << v) + get_bits_long(gb, v); } static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst, From e7b09eaefa5d117c79e23d7c70732249af383b2a Mon Sep 17 00:00:00 2001 
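Review bot: In get_egolomb the new clamp logs with a NULL context and then returns a value as if the code were valid, so a stream with long runs of 1-bits produces one warning per code and decoding continues on data already known to be bad. Since the function only receives `gb`, the caller appears to be the right place to reject the frame, or the message could be dropped to a lower level so hostile input cannot flood the log. The reason for the limit also deserves a comment at the clamp, for example `/* cap v at 30 so (1 << v) + get_bits_long(gb, v) still fits in an int */`.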
From: Andreas Cadhalpun Date: Sun, 13 Dec 2015 23:17:09 +0100 Subject: [PATCH 0843/1352] exr: fix out of bounds read in get_code This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb) Signed-off-by: Andreas Cadhalpun --- libavcodec/exr.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index ff2d7b062c..eb3283848d 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -460,7 +460,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, lc += 8; \ } -#define get_code(po, rlc, c, lc, gb, out, oe) \ +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \ { \ if (po == rlc) { \ if (lc < 8) \ @@ -469,7 +469,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, \ cs = c >> lc; \ \ - if (out + cs > oe) \ + if (out + cs > oe || out == outb) \ return AVERROR_INVALIDDATA; \ \ s = out[-1]; \ @@ -502,7 +502,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { int j; @@ -519,7 +519,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if ((hcode[pl.p[j]] >> 6) == ((c >> (lc - l)) & ((1LL << l) - 1))) { lc -= l; - get_code(pl.p[j], rlc, c, lc, gb, out, oe); + get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); break; } } @@ -540,7 +540,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { return AVERROR_INVALIDDATA; } From 2306964b3a0336e24d1c9d04bd54aaecf2d198d7 Mon Sep 17 00:00:00 2001 
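Review bot: The guard in get_code (hunk at -469) still forms `out + cs` before comparing it with `oe`, and creating a pointer more than one past the end of the output buffer is undefined behaviour, so a large `cs` can defeat the check. Comparing lengths avoids this: `if (cs > oe - out || out == outb)`. The declaration of `cs` is outside the hunk, so the exact types should be confirmed. If it is signed, a negative value needs rejecting as well. The macro body continues past the hunk.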
From: Andreas Cadhalpun Date: Fri, 18 Dec 2015 15:18:47 +0100 Subject: [PATCH 0844/1352] nutdec: only copy the header if it exists Fixes ubsan runtime error: null pointer passed as argument 2, which is declared to never be null Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 76fd8cc554..eec64235ef 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1082,7 +1082,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) ret = av_new_packet(pkt, size + nut->header_len[header_idx]); if (ret < 0) return ret; - memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); + if (nut->header[header_idx]) + memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; From dcecc180a6ad9e05f2b1f5802ec04c95a4cc6a8d Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 18 Dec 2015 19:28:51 +0100 Subject: [PATCH 0845/1352] xwddec: prevent overflow of lsize * avctx->height This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae) Signed-off-by: Andreas Cadhalpun --- libavcodec/xwddec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 62dfdace16..18b1f93d2e 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c 
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { + if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } From bbe1c9839bb96f0a3988a3fdbb56283faf7f36fb Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 12:02:56 +0100 Subject: [PATCH 0846/1352] nutdec: reject negative value_len in read_sm_data If it is negative, it can cause the byte position to move backwards in avio_skip, which in turn makes sm_size negative and thus size larger than the size of the packet buffer, causing invalid writes in avio_read. Also fix potential overflow of avio_tell(bc) + value_len. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index eec64235ef..df371dacb0 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -885,7 +885,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int get_str(bc, type_str, sizeof(type_str)); value_len = ffio_read_varlen(bc); - if (avio_tell(bc) + value_len >= maxpos) + if (value_len < 0 || value_len >= maxpos - avio_tell(bc)) return AVERROR_INVALIDDATA; if (!strcmp(name, "Palette")) { dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len); From f0eea9cc3a112f69991ffba79d6ca224d9eb60f5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 23:44:53 +0100 Subject: [PATCH 0847/1352] mlvdec: check that index_entries exist This fixes NULL pointer dereferencing. Reviewed-by: Michael Niedermayer 
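Review bot: In the xwd_decode_frame size check the cast widens only `avctx->height * lsize`, so `ncolors * XWD_CMAP_SIZE` is still multiplied in the narrower type before being added. That is safe only if `ncolors` is bounded earlier in the function, which is outside this hunk. Widening both terms makes the check self-contained: `(uint64_t)ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize`.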
Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9fcfe4a3cdf9a5af0c37758b178965b7b99582d4) Signed-off-by: Andreas Cadhalpun --- libavformat/mlvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 564e113c55..98373bd496 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -363,6 +363,11 @@ static int read_header(AVFormatContext *avctx) if (ast) ast->duration = ast->nb_index_entries; + if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { + av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); + return AVERROR_INVALIDDATA; + } + if (vst && ast) avio_seek(pb, FFMIN(vst->index_entries[0].pos, ast->index_entries[0].pos), SEEK_SET); else if (vst) From b0a8095f2bf0bc03c5d4dfccaba845de6fd5bb4f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 23:45:06 +0100 Subject: [PATCH 0848/1352] rawdec: only exempt BIT0 with need_copy from buffer sanity check Otherwise the too small buffer is directly used in the frame, causing segmentation faults, when trying to use the frame. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 699e68371ec7e381e5cc48e3d96e29c669261af7) Signed-off-by: Andreas Cadhalpun --- libavcodec/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 647dfa9a0a..568553923b 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c 
@@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, buf += buf_size - context->frame_size; len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0); - if (buf_size < len && (avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)) { + if (buf_size < len && ((avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0) || !need_copy)) { av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len); av_buffer_unref(&frame->buf[0]); return AVERROR(EINVAL); From 1317c63b4b1d96c554f88a92a6b770341c529a66 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 16 Dec 2015 20:52:39 +0100 Subject: [PATCH 0849/1352] nuv: sanitize negative fps rate Signed-off-by: Andreas Cadhalpun (cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce) Signed-off-by: Andreas Cadhalpun --- libavformat/nuv.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index e7f0eeae8e..f1bc93e2f8 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -171,6 +171,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0.9999 && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); + if (fps < 0.0f) { + if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); + return AVERROR_INVALIDDATA; + } else { + av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); + fps = 0.0f; + } + } // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); From fbfb2814b28d24c275c5809a7f6f6e33efe7b7dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2015 23:21:33 +0100 Subject: [PATCH 0850/1352] avcodec/mpeg4videodec: also for empty partitioned slices Fixes assertion failure Fixes: id_acf3e47f864e1ee4c7b86c0653e0ff31e5bde56e.m4v Found-by: Andreas Cadhalpun 
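Review bot: The new test in nuv_header, `if (fps < 0.0f)`, does not catch NaN, because every ordered comparison with NaN is false, and it does not catch +infinity either. `fps` comes straight from `av_int2double(avio_rl64(pb))`, so both values can be supplied by the file. Writing the condition as `if (!(fps >= 0.0f)) {` rejects NaN with no new include, and an upper bound or `isfinite()` check would cover infinity. How `fps` is converted later in the function is outside the hunk, so the effect of a non-finite value there should be checked.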
Signed-off-by: Michael Niedermayer (cherry picked from commit 70f13abb4f9a376ddc0d2c566739bc3c6a0c47e7) Signed-off-by: Andreas Cadhalpun --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index e6b89fdb54..9acb163796 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -881,7 +881,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx) const int part_a_end = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END | ER_MV_END) : ER_MV_END; mb_num = mpeg4_decode_partition_a(ctx); - if (mb_num < 0) { + if (mb_num <= 0) { ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, part_a_error); return -1; From 030fed62f4cf51a0e1baf060cc246b43fa684908 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 8 Jan 2016 12:08:56 -0300 Subject: [PATCH 0851/1352] x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse Reviewed-by: Christophe Gisquet Signed-off-by: James Almer (cherry picked from commit dc79824deb6ac0ce236589c618744b33629201cd) --- libavutil/x86/float_dsp.asm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/x86/float_dsp.asm b/libavutil/x86/float_dsp.asm index ec3d22b230..c4484a28e6 100644 --- a/libavutil/x86/float_dsp.asm +++ b/libavutil/x86/float_dsp.asm @@ -332,10 +332,10 @@ VECTOR_FMUL_REVERSE ; float scalarproduct_float_sse(const float *v1, const float *v2, int len) INIT_XMM sse cglobal scalarproduct_float, 3,3,2, v1, v2, offset + shl offsetd, 2 + add v1q, offsetq + add v2q, offsetq neg offsetq - shl offsetq, 2 - sub v1q, offsetq - sub v2q, offsetq xorps xmm0, xmm0 .loop: movaps xmm1, [v1q+offsetq] From 2b2943e1ef804d120e8aa58424d0c13ac1515c8b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Fri, 6 Mar 2015 20:39:45 +0100 Subject: [PATCH 0852/1352] avcodec/samidec: make sure to properly restore parsing context after a tag (cherry picked from commit 70082a1e533deed6688938232e6e66abbd62b0fa) Signed-off-by: Andreas Cadhalpun --- libavcodec/samidec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/samidec.c b/libavcodec/samidec.c index 39ac6082bc..14dbc5b33e 100644 --- a/libavcodec/samidec.c +++ b/libavcodec/samidec.c @@ -91,6 +91,7 @@ static int sami_paragraph_to_ass(AVCodecContext *avctx, const char *src) break; if (*p == '>') p++; + continue; } if (!av_isspace(*p)) av_bprint_chars(dst, *p, 1); From a2667c60ecc3f1f037d996dc2ce8422dbef2e57b Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 1 Nov 2015 17:02:26 +0100 Subject: [PATCH 0853/1352] avformat/ipmovie: put video decoding_map_size into packet and use it in decoder The size of decoding map can differ from one calculated internally, producing artifacts while decoding video. Signed-off-by: Paul B Mahol (cherry picked from commit c293ef258cbb2c058e23651a26edf46e3bc05050) Signed-off-by: Andreas Cadhalpun --- libavcodec/interplayvideo.c | 14 +++++++++----- libavformat/ipmovie.c | 7 ++++--- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 96c0cd1397..f9e74b0a85 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -38,6 +38,7 @@ #include #include +#include "libavutil/intreadwrite.h" #include "avcodec.h" #include "bytestream.h" #include "hpeldsp.h" @@ -949,7 +950,7 @@ static void ipvideo_decode_opcodes(IpvideoContext *s, AVFrame *frame) } } if (bytestream2_get_bytes_left(&s->stream_ptr) > 1) { - av_log(s->avctx, AV_LOG_ERROR, + av_log(s->avctx, AV_LOG_DEBUG, "decode finished with %d bytes left over\n", bytestream2_get_bytes_left(&s->stream_ptr)); } 
@@ -987,12 +988,15 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret; + if (buf_size < 2) + return AVERROR_INVALIDDATA; + /* decoding map contains 4 bits of information per 8x8 block */ - s->decoding_map_size = avctx->width * avctx->height / (8 * 8 * 2); + s->decoding_map_size = AV_RL16(avpkt->data); /* compressed buffer needs to be large enough to at least hold an entire * decoding map */ - if (buf_size < s->decoding_map_size) + if (buf_size < s->decoding_map_size + 2) return buf_size; if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { @@ -1000,8 +1004,8 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, av_frame_unref(s->second_last_frame); } - s->decoding_map = buf; - bytestream2_init(&s->stream_ptr, buf + s->decoding_map_size, + s->decoding_map = buf + 2; + bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size, buf_size - s->decoding_map_size); if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index 01e70e858f..0112009d9b 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -156,7 +156,7 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, /* send both the decode map and the video data together */ - if (av_new_packet(pkt, s->decode_map_chunk_size + s->video_chunk_size)) + if (av_new_packet(pkt, 2 + s->decode_map_chunk_size + s->video_chunk_size)) return CHUNK_NOMEM; if (s->has_palette) { @@ -178,7 +178,8 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, avio_seek(pb, s->decode_map_chunk_offset, SEEK_SET); s->decode_map_chunk_offset = 0; - if (avio_read(pb, pkt->data, s->decode_map_chunk_size) != + AV_WL16(pkt->data, s->decode_map_chunk_size); + if (avio_read(pb, pkt->data + 2, s->decode_map_chunk_size) != s->decode_map_chunk_size) { av_free_packet(pkt); return CHUNK_EOF; 
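Review bot: In ipvideo_decode_frame (hunk at -1000) the start pointer passed to `bytestream2_init` is advanced by the new 2-byte size prefix, but the length is still `buf_size - s->decoding_map_size`, so the reader is told it has two more bytes than the packet holds. The length should drop the prefix as well: `buf_size - 2 - s->decoding_map_size`. The preceding hunk's check, `buf_size < s->decoding_map_size + 2`, already guarantees that this value is non-negative.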
@@ -187,7 +188,7 @@ static int load_ipmovie_packet(IPMVEContext *s, AVIOContext *pb, avio_seek(pb, s->video_chunk_offset, SEEK_SET); s->video_chunk_offset = 0; - if (avio_read(pb, pkt->data + s->decode_map_chunk_size, + if (avio_read(pb, pkt->data + 2 + s->decode_map_chunk_size, s->video_chunk_size) != s->video_chunk_size) { av_free_packet(pkt); return CHUNK_EOF; From 46fcc2ba55df8ac2475d6977e8e220fcd5e5f169 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 31 Dec 2015 16:55:43 +0100 Subject: [PATCH 0854/1352] mjpegdec: extend check for incompatible values of s->rgb and s->ls This can happen if s->ls changes from 0 to 1, but picture allocation is skipped due to s->interlaced. In that case ff_jpegls_decode_picture could be called even though the s->picture_ptr frame has the wrong pixel format and thus a wrong linesize, which results in a too small zero buffer being allocated. This fixes an out-of-bounds read in ls_decode_line. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 7ea2db6eafa0a8a9497aab20be2cfc8742a59072) Signed-off-by: Andreas Cadhalpun --- libavcodec/mjpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index c98476674a..f6f1fae682 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -584,7 +584,8 @@ unk_pixfmt: av_log(s->avctx, AV_LOG_DEBUG, "decode_sof0: error, len(%d) mismatch\n", len); } - if (s->rgb && !s->lossless && !s->ls) { + if ((s->rgb && !s->lossless && !s->ls) || + (!s->rgb && s->ls && s->nb_components > 1)) { av_log(s->avctx, AV_LOG_ERROR, "Unsupported coding and pixel format combination\n"); return AVERROR_PATCHWELCOME; } From 33ad09205a9f41b0ab7ec6cc628ee08e40d906be Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Sat, 2 Jan 2016 16:27:02 +0100 Subject: [PATCH 0855/1352] ffmdec: reset packet_end in case of failure This fixes segmentation faults caused by passing a packet_ptr of NULL to memcpy. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 40eb2531b279abe008012c5c2c292552d3e62449) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index ee3e1d6ea4..9a7d3a2e71 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -110,9 +110,10 @@ static int ffm_read_data(AVFormatContext *s, ffm->dts = avio_rb64(pb); frame_offset = avio_rb16(pb); avio_read(pb, ffm->packet, ffm->packet_size - FFM_HEADER_SIZE); - ffm->packet_end = ffm->packet + (ffm->packet_size - FFM_HEADER_SIZE - fill_size); - if (ffm->packet_end < ffm->packet || frame_offset < 0) + if (ffm->packet_size < FFM_HEADER_SIZE + fill_size || frame_offset < 0) { return -1; + } + ffm->packet_end = ffm->packet + (ffm->packet_size - FFM_HEADER_SIZE - fill_size); /* if first packet or resynchronization packet, we must handle it specifically */ if (ffm->first_packet || (frame_offset & 0x8000)) { @@ -128,8 +129,10 @@ static int ffm_read_data(AVFormatContext *s, return 0; } ffm->first_packet = 0; - if ((frame_offset & 0x7fff) < FFM_HEADER_SIZE) + if ((frame_offset & 0x7fff) < FFM_HEADER_SIZE) { + ffm->packet_end = ffm->packet_ptr; return -1; + } ffm->packet_ptr = ffm->packet + (frame_offset & 0x7fff) - FFM_HEADER_SIZE; if (!header) break; From 7b6f04850610cbf6ef3a282423a89098ae02a57e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 Jan 2016 19:20:54 +0100 Subject: [PATCH 0856/1352] vorbisdec: reject channel mapping with less than two channels It causes the angle channel number to equal the magnitude channel number, which makes the stream undecodable according to the specification. Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun (cherry picked from commit b4b13848dec5420fa5dd9e1a7d4dfae5de1932d5) Signed-off-by: Andreas Cadhalpun --- libavcodec/vorbisdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 984b658253..e28972c6cc 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -783,6 +783,11 @@ static int vorbis_parse_setup_hdr_mappings(vorbis_context *vc) if (get_bits1(gb)) { mapping_setup->coupling_steps = get_bits(gb, 8) + 1; + if (vc->audio_channels < 2) { + av_log(vc->avctx, AV_LOG_ERROR, + "Square polar channel mapping with less than two channels is not compliant with the Vorbis I specification.\n"); + return AVERROR_INVALIDDATA; + } mapping_setup->magnitude = av_mallocz(mapping_setup->coupling_steps * sizeof(*mapping_setup->magnitude)); mapping_setup->angle = av_mallocz(mapping_setup->coupling_steps * From bc4332b3fc493aeca9d885ebcd658ae1d417f246 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 3 Jan 2016 19:11:24 +0100 Subject: [PATCH 0857/1352] vorbisdec: reject rangebits 0 with non-0 partitions This causes non-unique elements in floor_setup->data.t1.list, which makes the stream undecodable according to the specification. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit e7a7b3135a4e5ba4bd2e144444d95a7563f53e9b) Signed-off-by: Andreas Cadhalpun --- libavcodec/vorbisdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index e28972c6cc..0ef4701c1e 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
@@ -567,6 +567,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) return AVERROR(ENOMEM); rangebits = get_bits(gb, 4); + if (!rangebits && floor_setup->data.t1.partitions) { + av_log(vc->avctx, AV_LOG_ERROR, + "A rangebits value of 0 is not compliant with the Vorbis I specification.\n"); + return AVERROR_INVALIDDATA; + } rangemax = (1 << rangebits); if (rangemax > vc->blocksize[1] / 2) { av_log(vc->avctx, AV_LOG_ERROR, From d5b1ea8c7aba51ab2e73a582d32d2f0dd33934a9 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 Jan 2016 12:57:38 +0100 Subject: [PATCH 0858/1352] brstm: make sure an ADPC chunk was read for adpcm_thp This fixes NULL pointer dereferencing. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit d7d37c479fa71639650751648275615e979beb33) Signed-off-by: Andreas Cadhalpun --- libavformat/brstm.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/brstm.c b/libavformat/brstm.c index 19a4a2a96b..9228fa7488 100644 --- a/libavformat/brstm.c +++ b/libavformat/brstm.c @@ -260,6 +260,11 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) if (codec->codec_id == AV_CODEC_ID_ADPCM_THP) { uint8_t *dst; + if (!b->adpc) { + av_log(s, AV_LOG_ERROR, "adpcm_thp requires ADPC chunk, but none was found.\n"); + return AVERROR_INVALIDDATA; + } + if (av_new_packet(pkt, 8 + (32 + 4) * codec->channels + size) < 0) return AVERROR(ENOMEM); dst = pkt->data; From ab13ba2ae83246d8fe498461b23a40374df5e552 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 Jan 2016 12:53:20 +0100 Subject: [PATCH 0859/1352] brstm: also allocate b->table in read_packet This fixes NULL pointer dereferencing if the codec is forced to adpcm_thp even though a different one was detected. Reviewed-by: Paul B Mahol Signed-off-by: Andreas Cadhalpun (cherry picked from commit bcf4ee26a0a1ed349ec7489925540401002b87cc) Signed-off-by: Andreas Cadhalpun --- libavformat/brstm.c | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/libavformat/brstm.c b/libavformat/brstm.c index 9228fa7488..aba3770ee6 100644 --- a/libavformat/brstm.c +++ b/libavformat/brstm.c @@ -263,6 +263,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) if (!b->adpc) { av_log(s, AV_LOG_ERROR, "adpcm_thp requires ADPC chunk, but none was found.\n"); return AVERROR_INVALIDDATA; + if (!b->table) { + b->table = av_mallocz(32 * codec->channels); + if (!b->table) + return AVERROR(ENOMEM); } if (av_new_packet(pkt, 8 + (32 + 4) * codec->channels + size) < 0) From 368a1803ff840c187f396ad014fce30190a3ffe3 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Mon, 4 Jan 2016 13:44:16 +0100 Subject: [PATCH 0860/1352] brstm: fix missing closing brace Signed-off-by: Andreas Cadhalpun (cherry picked from commit 1cb2331eca0dbde1bc63bc715a0e98771dda8b80) Signed-off-by: Andreas Cadhalpun --- libavformat/brstm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/brstm.c b/libavformat/brstm.c index aba3770ee6..6afae73b2f 100644 --- a/libavformat/brstm.c +++ b/libavformat/brstm.c @@ -263,6 +263,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) if (!b->adpc) { av_log(s, AV_LOG_ERROR, "adpcm_thp requires ADPC chunk, but none was found.\n"); return AVERROR_INVALIDDATA; + } if (!b->table) { b->table = av_mallocz(32 * codec->channels); if (!b->table) From 859a348e44d7f9f67c948a21aa3c5856de392ac5 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 13 Jan 2016 00:52:58 +0100 Subject: [PATCH 0861/1352] dca: fix misaligned access in avpriv_dca_convert_bitstream src and dst are only 8-bit-aligned, so accessing them as uint16_t causes SIGBUS crashes on architectures like sparc. This fixes ubsan runtime error: load of misaligned address for type 'const uint16_t', which requires 2 byte alignment Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 44ac13eed49593f4f8efdb72ab0d5b48e05aa305) 
Signed-off-by: Andreas Cadhalpun --- libavcodec/dca.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index f9529760fc..45e6156919 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -41,8 +41,6 @@ int avpriv_dca_convert_bitstream(const uint8_t *src, int src_size, uint8_t *dst, { uint32_t mrk; int i, tmp; - const uint16_t *ssrc = (const uint16_t *) src; - uint16_t *sdst = (uint16_t *) dst; PutBitContext pb; if ((unsigned) src_size > (unsigned) max_size) @@ -54,8 +52,11 @@ int avpriv_dca_convert_bitstream(const uint8_t *src, int src_size, uint8_t *dst, memcpy(dst, src, src_size); return src_size; case DCA_MARKER_RAW_LE: - for (i = 0; i < (src_size + 1) >> 1; i++) - *sdst++ = av_bswap16(*ssrc++); + for (i = 0; i < (src_size + 1) >> 1; i++) { + AV_WB16(dst, AV_RL16(src)); + src += 2; + dst += 2; + } return src_size; case DCA_MARKER_14B_BE: case DCA_MARKER_14B_LE: From a2966c7d1f1411ab341baae9533a6bc8e83c678a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Aug 2015 03:08:10 +0200 Subject: [PATCH 0862/1352] swscale/swscale-test: Fix slice height in random reference data creation. Found-by: Pedro Arthur Signed-off-by: Michael Niedermayer --- libswscale/swscale-test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale-test.c b/libswscale/swscale-test.c index 661ff5b7b2..b79bb2373a 100644 --- a/libswscale/swscale-test.c +++ b/libswscale/swscale-test.c @@ -399,7 +399,7 @@ bad_option: for (y = 0; y < H; y++) for (x = 0; x < W * 4; x++) rgb_data[ x + y * 4 * W] = av_lfg_get(&rand); - sws_scale(sws, rgb_src, rgb_stride, 0, H, src, stride); + sws_scale(sws, rgb_src, rgb_stride, 0, H / 12, src, stride); sws_freeContext(sws); av_free(rgb_data); From fc0f08f9fb5ef5d21f0790a71152a614c4fe7d72 Mon Sep 17 00:00:00 2001 
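Review bot: The rewritten DCA_MARKER_RAW_LE loop keeps the bound `(src_size + 1) >> 1`, so for an odd `src_size` the last iteration reads `src[src_size]` and writes `dst[src_size]`, one byte past the length checked against `max_size` at the top of the function. When `src_size == max_size` that write lands outside the destination, unless callers guarantee padding, which cannot be seen from this hunk. Either loop with `for (i = 0; i < src_size >> 1; i++)` and handle a trailing odd byte separately, or state the padding requirement in the function's doc comment.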
From: Michael Niedermayer Date: Sun, 13 Dec 2015 16:13:22 +0100 Subject: [PATCH 0863/1352] avformat/mxfenc: Do not crash if there is no packet in the first stream Fixes: Ticket4914 Signed-off-by: Michael Niedermayer (cherry picked from commit b51e7554e74cbf007a1cab83c7bed3ad9fa2793a) Signed-off-by: Michael Niedermayer --- libavformat/mxfenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 3c0283b502..7ffd6b65f7 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -2007,6 +2007,10 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket *pkt) } mxf->edit_units_count++; } else if (!mxf->edit_unit_byte_count && st->index == 1) { + if (!mxf->edit_units_count) { + av_log(s, AV_LOG_ERROR, "No packets in first stream\n"); + return AVERROR_PATCHWELCOME; + } mxf->index_entries[mxf->edit_units_count-1].slice_offset = mxf->body_offset - mxf->index_entries[mxf->edit_units_count-1].offset; } From 8132ed4a4377db8bd94a77e7227d3acd771e3487 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Dec 2015 18:56:13 +0100 Subject: [PATCH 0864/1352] avfilter/vf_mpdecimate: Add missing emms_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 997de2e8107cc4256e50611463d609b18fe9619f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_mpdecimate.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_mpdecimate.c b/libavfilter/vf_mpdecimate.c index 3ed96024c3..94c9e0bd9d 100644 --- a/libavfilter/vf_mpdecimate.c +++ b/libavfilter/vf_mpdecimate.c @@ -120,10 +120,13 @@ static int decimate_frame(AVFilterContext *ctx, cur->data[plane], cur->linesize[plane], ref->data[plane], ref->linesize[plane], FF_CEIL_RSHIFT(ref->width, hsub), - FF_CEIL_RSHIFT(ref->height, vsub))) + FF_CEIL_RSHIFT(ref->height, vsub))) { + emms_c(); return 0; + } } + emms_c(); return 1; } From ffda227636a31ff0689ee9057dc0c904df5d3333 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 19 Dec 2015 21:59:42 +0100 Subject: [PATCH 0865/1352] avcodec/h264_refs: Fix long_idx check Fixes out of array read Fixes mozilla bug 1233606 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit b92b4775a0d07cacfdd2b4be6511f3cb362c977b) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 045f1846d3..d0a902c06e 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -283,7 +283,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h) long_idx = pic_num_extract(h, pic_id, &pic_structure); - if (long_idx > 31) { + if (long_idx > 31U) { av_log(h->avctx, AV_LOG_ERROR, "long_term_pic_idx overflow\n"); return AVERROR_INVALIDDATA; From 41289bc85322a668dc4405c90b125ef2c2d5eb76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Dec 2015 21:46:15 +0100 Subject: [PATCH 0866/1352] swscale/utils: Fix intermediate format for cascaded alpha downscaling Fixes Ticket4926 Signed-off-by: Michael Niedermayer (cherry picked from commit b83d8be6bff7d645469a623aee0b380541da15cf) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 66d28317af..64958044ab 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1532,6 +1532,9 @@ fail: // FIXME replace things by appropriate error codes int tmpH = sqrt(srcH * (int64_t)dstH); enum AVPixelFormat tmpFormat = AV_PIX_FMT_YUV420P; + if (isALPHA(srcFormat)) + tmpFormat = AV_PIX_FMT_YUVA420P; + if (srcW*(int64_t)srcH <= 4LL*dstW*dstH) return AVERROR(EINVAL); From 0affd64b1c217215ee31405c7115833326701e49 Mon Sep 17 00:00:00 2001 
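Review bot: The h264_refs fix relies on the `U` suffix alone to turn a negative `long_idx` into a large unsigned value, which a reader or a later cleanup can easily mistake for a cosmetic change. If `long_idx` is a signed int, as the fix implies (its declaration is outside the hunk), the intent is clearer written out as `if (long_idx < 0 || long_idx > 31) {`. Alternatively keep the unsigned compare and add `/* unsigned compare also rejects negative long_idx */`.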
From: Michael Niedermayer Date: Fri, 1 Jan 2016 02:41:06 +0100 Subject: [PATCH 0867/1352] avcodec/put_bits: Always check buffer end before writing This causes a overall slowdown of 0.1 % (tested with mpeg4 single thread encoding of matrixbench at QP=3) Signed-off-by: Michael Niedermayer (cherry picked from commit cccb0ffccc3723acc7aab3a859b24743596dd9c0) Conflicts: libavcodec/put_bits.h --- libavcodec/put_bits.h | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index c07f19595a..03e3a04c55 100644 --- a/libavcodec/put_bits.h +++ b/libavcodec/put_bits.h @@ -146,9 +146,13 @@ static inline void put_bits(PutBitContext *s, int n, unsigned int value) #ifdef BITSTREAM_WRITER_LE bit_buf |= value << (32 - bit_left); if (n >= bit_left) { - av_assert2(s->buf_ptr+3buf_end); - AV_WL32(s->buf_ptr, bit_buf); - s->buf_ptr += 4; + if (3 < s->buf_end - s->buf_ptr) { + AV_WL32(s->buf_ptr, bit_buf); + s->buf_ptr += 4; + } else { + av_log(NULL, AV_LOG_ERROR, "Internal error, put_bits buffer too small\n"); + av_assert2(0); + } bit_buf = (bit_left == 32) ? 0 : value >> bit_left; bit_left += 32; } @@ -160,9 +164,13 @@ static inline void put_bits(PutBitContext *s, int n, unsigned int value) } else { bit_buf <<= bit_left; bit_buf |= value >> (n - bit_left); - av_assert2(s->buf_ptr+3buf_end); - AV_WB32(s->buf_ptr, bit_buf); - s->buf_ptr += 4; + if (3 < s->buf_end - s->buf_ptr) { + AV_WB32(s->buf_ptr, bit_buf); + s->buf_ptr += 4; + } else { + av_log(NULL, AV_LOG_ERROR, "Internal error, put_bits buffer too small\n"); + av_assert2(0); + } bit_left += 32 - n; bit_buf = value; } From 7ea0e525edc11fa87ed7ada15f0188b18f3da4a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Jan 2016 23:22:25 +0100 Subject: [PATCH 0868/1352] swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions Fixes Ticket4960 
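Review bot: In both new else branches of put_bits the 32-bit word is discarded and the only traces are a log line with a NULL context and `av_assert2(0)`, which is compiled out unless the assert level is raised. The writer then carries on with bits missing, so the caller gets a silently corrupt bitstream and has no status to check. The doc comment of put_bits should at least state the contract, for example `/* On overflow the pending word is dropped; callers must size the buffer for the worst case. */`. A per-call `av_log` in this inline hot path can also repeat for every overflowing write.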
Signed-off-by: Michael Niedermayer (cherry picked from commit 1edf129cbc897447a289ca8b045853df5df1bab3) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 64958044ab..09310b4a9f 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1056,6 +1056,12 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, srcW, srcH, dstW, dstH); return AVERROR(EINVAL); } + if (flags & SWS_FAST_BILINEAR) { + if (srcW < 8 || dstW < 8) { + flags ^= SWS_FAST_BILINEAR | SWS_BILINEAR; + c->flags = flags; + } + } if (!dstFilter) dstFilter = &dummyFilter; From 8158fb129e159d594d85ed8ef58ac609088e19cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jan 2016 01:06:18 +0100 Subject: [PATCH 0869/1352] avcodec/h264_slice: Fix integer overflow in implicit weight computation Fixes mozilla bug 1230423 Signed-off-by: Michael Niedermayer (cherry picked from commit 7cc01c25727a96eaaa0c177234b626e47c8ea491) Conflicts: libavcodec/h264_slice.c Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 0389094c4e..e0a25b762e 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -927,7 +927,7 @@ static void implicit_weight_table(H264Context *h, int field) cur_poc = h->cur_pic_ptr->field_poc[h->picture_structure - 1]; } if (h->ref_count[0] == 1 && h->ref_count[1] == 1 && !FRAME_MBAFF(h) && - h->ref_list[0][0].poc + h->ref_list[1][0].poc == 2 * cur_poc) { + h->ref_list[0][0].poc + (int64_t)h->ref_list[1][0].poc == 2 * cur_poc) { h->use_weight = 0; h->use_weight_chroma = 0; return; 
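Review bot: In sws_init_context the fallback uses `flags ^= SWS_FAST_BILINEAR | SWS_BILINEAR;`, which toggles both bits instead of setting a known state. If a caller passes both flags together, the XOR clears both and no scaler is selected. Whether that combination is rejected earlier is outside the hunk. Stating the result directly avoids the dependency: `flags = (flags & ~SWS_FAST_BILINEAR) | SWS_BILINEAR;`.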
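Review bot: In implicit_weight_table (hunk at -927) only the left side of the comparison is widened, so `2 * cur_poc` on the right is still evaluated in the narrower type and can overflow for the same large POC values this commit targets. The declaration of `cur_poc` is outside the hunk, but if it is an int the right side needs the same treatment: `h->ref_list[0][0].poc + (int64_t)h->ref_list[1][0].poc == 2 * (int64_t)cur_poc`. The POC arithmetic inside the loop of the following hunk continues outside what is shown and may need the same check.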
@@ -948,7 +948,7 @@ static void implicit_weight_table(H264Context *h, int field) h->chroma_log2_weight_denom = 5; for (ref0 = ref_start; ref0 < ref_count0; ref0++) { - int poc0 = h->ref_list[0][ref0].poc; + int64_t poc0 = h->ref_list[0][ref0].poc; for (ref1 = ref_start; ref1 < ref_count1; ref1++) { int w = 32; if (!h->ref_list[0][ref0].long_ref && !h->ref_list[1][ref1].long_ref) { From 593dea80f28e2be96d149f11118f8591c421b68c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jan 2016 14:41:04 +0100 Subject: [PATCH 0870/1352] avcodec/motion_est: Fix mv_penalty table size Fixes out of array read Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 5b4da8a38a5ed211df9504c85ce401c30af86b97) Conflicts: libavcodec/motion_est.h --- libavcodec/ituh263enc.c | 6 +++--- libavcodec/motion_est.c | 16 ++++++++-------- libavcodec/mpeg12enc.c | 6 +++--- libavcodec/mpegvideo.h | 3 ++- libavcodec/mpegvideo_enc.c | 2 +- libavcodec/snowenc.c | 2 +- 6 files changed, 18 insertions(+), 17 deletions(-) diff --git a/libavcodec/ituh263enc.c b/libavcodec/ituh263enc.c index 43ad08026f..7a91dc0e86 100644 --- a/libavcodec/ituh263enc.c +++ b/libavcodec/ituh263enc.c @@ -43,7 +43,7 @@ /** * Table of number of bits a motion vector component needs. */ -static uint8_t mv_penalty[MAX_FCODE+1][MAX_MV*2+1]; +static uint8_t mv_penalty[MAX_FCODE+1][MAX_DMV*2+1]; /** * Minimal fcode that a motion vector component would need. @@ -676,7 +676,7 @@ static av_cold void init_mv_penalty_and_fcode(MpegEncContext *s) int mv; for(f_code=1; f_code<=MAX_FCODE; f_code++){ - for(mv=-MAX_MV; mv<=MAX_MV; mv++){ + for(mv=-MAX_DMV; mv<=MAX_DMV; mv++){ int len; if(mv==0) len= ff_mvtab[0][1]; @@ -697,7 +697,7 @@ static av_cold void init_mv_penalty_and_fcode(MpegEncContext *s) } } - mv_penalty[f_code][mv+MAX_MV]= len; + mv_penalty[f_code][mv+MAX_DMV]= len; } } diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index aae215f1d2..f45ef3e011 100644 
--- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -906,7 +906,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s, c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); c->sub_penalty_factor= get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_sub_cmp); c->mb_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->mb_cmp); - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; get_limits(s, 16*mb_x, 16*mb_y); c->skip=0; @@ -1102,7 +1102,7 @@ int ff_pre_estimate_p_frame_motion(MpegEncContext * s, av_assert0(s->quarter_sample==0 || s->quarter_sample==1); c->pre_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_pre_cmp); - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; get_limits(s, 16*mb_x, 16*mb_y); c->skip=0; @@ -1151,7 +1151,7 @@ static int estimate_motion_b(MpegEncContext *s, int mb_x, int mb_y, const int shift= 1+s->quarter_sample; const int mot_stride = s->mb_stride; const int mot_xy = mb_y*mot_stride + mb_x; - uint8_t * const mv_penalty= c->mv_penalty[f_code] + MAX_MV; + uint8_t * const mv_penalty= c->mv_penalty[f_code] + MAX_DMV; int mv_scale; c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); @@ -1225,8 +1225,8 @@ static inline int check_bidir_mv(MpegEncContext * s, //FIXME better f_code prediction (max mv & distance) //FIXME pointers MotionEstContext * const c= &s->me; - uint8_t * const mv_penalty_f= c->mv_penalty[s->f_code] + MAX_MV; // f_code of the prev frame - uint8_t * const mv_penalty_b= c->mv_penalty[s->b_code] + MAX_MV; // f_code of the prev frame + uint8_t * const mv_penalty_f= c->mv_penalty[s->f_code] + MAX_DMV; // f_code of the prev frame + uint8_t * const mv_penalty_b= c->mv_penalty[s->b_code] + MAX_DMV; // f_code of the prev frame int stride= c->stride; uint8_t *dest_y = c->scratchpad; uint8_t *ptr; 
@@ -1439,7 +1439,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y) int mx, my, xmin, xmax, ymin, ymax; int16_t (*mv_table)[2]= s->b_direct_mv_table; - c->current_mv_penalty= c->mv_penalty[1] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[1] + MAX_DMV; ymin= xmin=(-32)>>shift; ymax= xmax= 31>>shift; @@ -1575,11 +1575,11 @@ void ff_estimate_b_frame_motion(MpegEncContext * s, if(s->flags & CODEC_FLAG_INTERLACED_ME){ //FIXME mb type penalty c->skip=0; - c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->f_code] + MAX_DMV; fimin= interlaced_search(s, 0, s->b_field_mv_table[0], s->b_field_select_table[0], s->b_forw_mv_table[xy][0], s->b_forw_mv_table[xy][1], 0); - c->current_mv_penalty= c->mv_penalty[s->b_code] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->b_code] + MAX_DMV; bimin= interlaced_search(s, 2, s->b_field_mv_table[1], s->b_field_select_table[1], s->b_back_mv_table[xy][0], s->b_back_mv_table[xy][1], 0); diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 827812ef55..b94af1436d 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -52,7 +52,7 @@ static const uint8_t svcd_scan_offset_placeholder[] = { 0x81, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, }; -static uint8_t mv_penalty[MAX_FCODE + 1][MAX_MV * 2 + 1]; +static uint8_t mv_penalty[MAX_FCODE + 1][MAX_DMV * 2 + 1]; static uint8_t fcode_tab[MAX_MV * 2 + 1]; static uint8_t uni_mpeg1_ac_vlc_len[64 * 64 * 2]; @@ -1050,7 +1050,7 @@ av_cold void ff_mpeg1_encode_init(MpegEncContext *s) } for (f_code = 1; f_code <= MAX_FCODE; f_code++) - for (mv = -MAX_MV; mv <= MAX_MV; mv++) { + for (mv = -MAX_DMV; mv <= MAX_DMV; mv++) { int len; if (mv == 0) { @@ -1073,7 +1073,7 @@ av_cold void ff_mpeg1_encode_init(MpegEncContext *s) 2 + bit_size; } - mv_penalty[f_code][mv + MAX_MV] = len; + mv_penalty[f_code][mv + MAX_DMV] = len; } diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 63ce8e77c7..6c3757cb94 100644 
--- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -64,6 +64,7 @@ enum OutputFormat { #define MAX_FCODE 7 #define MAX_MV 4096 +#define MAX_DMV (2*MAX_MV) #define MAX_THREADS 32 #define MAX_PICTURE_COUNT 36 @@ -196,7 +197,7 @@ typedef struct MotionEstContext{ op_pixels_func (*hpel_avg)[4]; qpel_mc_func (*qpel_put)[16]; qpel_mc_func (*qpel_avg)[16]; - uint8_t (*mv_penalty)[MAX_MV*2+1]; ///< amount of bits needed to encode a MV + uint8_t (*mv_penalty)[MAX_DMV*2+1]; ///< amount of bits needed to encode a MV uint8_t *current_mv_penalty; int (*sub_motion_search)(struct MpegEncContext * s, int *mx_ptr, int *my_ptr, int dmin, diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 8e56730a45..9bec400c61 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -70,7 +70,7 @@ static int sse_mb(MpegEncContext *s); static void denoise_dct_c(MpegEncContext *s, int16_t *block); static int dct_quantize_trellis_c(MpegEncContext *s, int16_t *block, int n, int qscale, int *overflow); -static uint8_t default_mv_penalty[MAX_FCODE + 1][MAX_MV * 2 + 1]; +static uint8_t default_mv_penalty[MAX_FCODE + 1][MAX_DMV * 2 + 1]; static uint8_t default_fcode_tab[MAX_MV * 2 + 1]; const AVOption ff_mpv_generic_options[] = { diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index eaeafa987d..738b3c693a 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -285,7 +285,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ c->penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_cmp); c->sub_penalty_factor= get_penalty_factor(s->lambda, s->lambda2, c->avctx->me_sub_cmp); c->mb_penalty_factor = get_penalty_factor(s->lambda, s->lambda2, c->avctx->mb_cmp); - c->current_mv_penalty= c->mv_penalty[s->m.f_code=1] + MAX_MV; + c->current_mv_penalty= c->mv_penalty[s->m.f_code=1] + MAX_DMV; c->xmin = - x*block_w - 16+3; c->ymin = - y*block_w - 16+3; 
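Review bot: `#define MAX_DMV (2*MAX_MV)` in mpegvideo.h has no comment saying why the penalty tables need twice the `MAX_MV` range, and every lookup site now depends on adding the matching `+ MAX_DMV` centre offset. A comment such as `/* range of a motion vector difference; mv_penalty is indexed by this, not by the vector itself */` would record that, if that is indeed the reason. The commit message only says the table size was wrong. `fcode_tab` in mpeg12enc.c and `default_fcode_tab` in mpegvideo_enc.c stay at `MAX_MV * 2 + 1`, which appears deliberate but is worth stating next to the define as well.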
From 5fe8dad4671e80f4dbc275df997b4d27a3d6f2cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Jan 2016 00:22:56 +0100 Subject: [PATCH 0871/1352] avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range Fixes out of array read Fixes: test_case-mdc.264 (b47be15a120979f5a1a945c938cbef33) Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 13f266b50cc7554028d22480b7e4383968e64a63) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 9bec400c61..9e53b5c080 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -316,6 +316,7 @@ av_cold int ff_mpv_encode_init(AVCodecContext *avctx) break; } + avctx->bits_per_raw_sample = av_clip(avctx->bits_per_raw_sample, 0, 8); s->bit_rate = avctx->bit_rate; s->width = avctx->width; s->height = avctx->height; From dd285715308f55051b423f35d14c17baebc4b14b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Jan 2016 10:49:23 +0100 Subject: [PATCH 0872/1352] avformat: Add integer fps from 31 to 60 to get_std_framerate() Fixes Ticket 5106 Signed-off-by: Michael Niedermayer (cherry picked from commit 2039b3e7511ef183dae206575114e15b6d99c134) Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 2 +- libavformat/utils.c | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index ebf04f6393..6d28965a3c 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -916,7 +916,7 @@ typedef struct AVStream { /** * Stream information used internally by av_find_stream_info() */ -#define MAX_STD_TIMEBASES (30*12+7+6) +#define MAX_STD_TIMEBASES (30*12+30+3+6) struct { int64_t last_dts; int64_t duration_gcd; diff --git a/libavformat/utils.c b/libavformat/utils.c index f26cfb34a7..cf4d0d6f7d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
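Review bot: `avctx->bits_per_raw_sample = av_clip(avctx->bits_per_raw_sample, 0, 8);` overwrites a caller-supplied field without any message, so a caller that asked for more than 8 bits silently gets a different configuration. A short comment naming what the value later indexes would explain the bound of 8; the commit message mentions an out-of-array read, but the reading code is outside this hunk. An `av_log(avctx, AV_LOG_WARNING, ...)` when the value is changed would make the adjustment visible. `ff_mpv_encode_init()` continues on both sides of the hunk.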
@@ -2758,10 +2758,14 @@ static int get_std_framerate(int i) return (i + 1) * 1001; i -= 30*12; - if (i < 7) - return ((const int[]) { 40, 48, 50, 60, 80, 120, 240})[i] * 1001 * 12; + if (i < 30) + return (i + 31) * 1001 * 12; + i -= 30; - i -= 7; + if (i < 3) + return ((const int[]) { 80, 120, 240})[i] * 1001 * 12; + + i -= 3; return ((const int[]) { 24, 30, 60, 12, 15, 48 })[i] * 1000 * 12; } From f6a503c4438d98ddf52b32c0e980ccf420205cca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jan 2016 12:19:48 +0100 Subject: [PATCH 0873/1352] avcodec/mss2: Check for repeat overflow Fixes: mss2_left_shift.wmv Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit e273dade78943e22b71d0ddb67cd0d737fc26edf) Signed-off-by: Michael Niedermayer --- libavcodec/mss2.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index 4d53f8ab8f..ea448dabc5 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -209,8 +209,13 @@ static int decode_555(GetByteContext *gB, uint16_t *dst, int stride, last_symbol = b << 8 | bytestream2_get_byte(gB); else if (b > 129) { repeat = 0; - while (b-- > 130) + while (b-- > 130) { + if (repeat >= (INT_MAX >> 8) - 1) { + av_log(NULL, AV_LOG_ERROR, "repeat overflow\n"); + return AVERROR_INVALIDDATA; + } repeat = (repeat << 8) + bytestream2_get_byte(gB) + 1; + } if (last_symbol == -2) { int skip = FFMIN((unsigned)repeat, dst + w - p); repeat -= skip; From 5c0d8a8387772bc9309e75a8974105031359330d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jan 2016 15:52:09 +0100 Subject: [PATCH 0874/1352] avcodec/mjpegdec: Fix negative shift Fixes: mjpeg_left_shift.avi Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit d86d7b2486cd5c31db8e820d8a89554abf19567e) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
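Review bot: The segment sizes 30, 3 and 6 in `get_std_framerate()` now have to match `MAX_STD_TIMEBASES (30*12+30+3+6)` in avformat.h by hand, and the final compound-literal lookup has no bound on `i`. A mismatch between the two files therefore becomes an out-of-range read. A comment above the function such as `/* index layout must match MAX_STD_TIMEBASES: 30*12 | 30 | 3 | 6 */` would tie them together, and an assertion on `i < 6` before the last `return` would catch drift. The start of the function is outside the hunk.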
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index f6f1fae682..8e3a98a7d9 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -950,7 +950,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return -1; left[i] = buffer[mb_x][i] = - mask & (pred + (dc << point_transform)); + mask & (pred + (dc * (1 << point_transform))); } if (s->restart_interval && !--s->restart_count) { From d8cb5887c1cab236a36ddb4949610b67e16f57ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jan 2016 17:43:56 +0100 Subject: [PATCH 0875/1352] avcodec/dvdec: Fix "left shift of negative value -254" Fixes: dvdec_left_shift.avi Found-by: Piotr Bandurski Signed-off-by: Michael Niedermayer (cherry picked from commit 93ac72a98dff592ffc174cfb36a8975dfbf145ae) Signed-off-by: Michael Niedermayer --- libavcodec/dvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdec.c b/libavcodec/dvdec.c index 7de7e5b4ce..ccf326923d 100644 --- a/libavcodec/dvdec.c +++ b/libavcodec/dvdec.c @@ -221,7 +221,7 @@ static int dv_decode_video_segment(AVCodecContext *avctx, void *arg) dct_mode * 22 * 64 + (quant + ff_dv_quant_offset[class1]) * 64]; } - dc = dc << 2; + dc = dc * 4; /* convert to unsigned because 128 is not added in the * standard IDCT */ dc += 1024; From 60bc36193ee858e444ed659ef694cbf585f04b10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Jan 2016 18:32:32 +0100 Subject: [PATCH 0876/1352] avcodec/wavpackenc: Headers are per channel Fixes: 1b8b83a53bfa751f01b1daa65a4758db/signal_sigabrt_7ffff6ae7cb7_7488_403f71d1a2565b598d01b6cb110fac8f.aiff Fixes: assertion failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 26757b0279b4b93c6066c2151d4d3dbd2ec266bf) Conflicts: libavcodec/wavpackenc.c Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
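Review bot: Nothing in the code says why `dc * (1 << point_transform)` in `ljpeg_decode_rgb_scan()` and `dc = dc * 4;` in the dvdec.c hunk are multiplications rather than shifts, so a later cleanup could turn them back into `<<`. A short comment at each site would keep the fix in place, for example `/* multiply, not shift: dc may be negative and left-shifting a negative value is undefined */`. The multiplication can still overflow `int` if `dc` and `point_transform` are both large. Their ranges are set outside these hunks, so that is worth confirming.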
diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 63971c6755..ecc4a2eea2 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -2882,7 +2882,7 @@ static int wavpack_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } buf_size = s->block_samples * avctx->channels * 8 - + 200 /* for headers */; + + 200 * avctx->channels /* for headers */; if ((ret = ff_alloc_packet2(avctx, avpkt, buf_size)) < 0) return ret; buf = avpkt->data; From 250e5cb71df4ea8189ce1441a2274f9886adfbfc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Jan 2016 18:58:08 +0100 Subject: [PATCH 0877/1352] avcodec/wavpackenc: Check the number of channels They are stored in a byte, thus more than 255 is not possible Signed-off-by: Michael Niedermayer (cherry picked from commit 59c915a403af32c4ff5126625b0cc7e38f4beff9) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index ecc4a2eea2..2d98e53b95 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -128,6 +128,11 @@ static av_cold int wavpack_encode_init(AVCodecContext *avctx) s->avctx = avctx; + if (avctx->channels > 255) { + av_log(avctx, AV_LOG_ERROR, "Too many channels\n", avctx->channels); + return AVERROR(EINVAL); + } + if (!avctx->frame_size) { int block_samples; if (!(avctx->sample_rate & 1)) From 78f9c7dd14bec61fd0c33ddd4e2f6775c2045cad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2016 03:03:01 +0100 Subject: [PATCH 0878/1352] avcodec/mpeg4video: Check time_incr Fixes assertion failure Fixes out of memory access Fixes: test_casex.ivf Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 7c97946d6131b31340954a3f603b6bf92590a9a5) 
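Review bot: `buf_size = s->block_samples * avctx->channels * 8 + 200 * avctx->channels` in `wavpack_encode_frame()` is computed in `int`, and nothing in the hunk bounds the product before it is passed to `ff_alloc_packet2()`. The following patch in the series caps `channels` at 255, but the range of `block_samples` is set outside the hunk. If it can be large, computing the size in `int64_t` and rejecting values above `INT_MAX` before the allocation would avoid an undersized buffer. The trailing comment `/* for headers */` could also become `/* 200 bytes of headers per channel */` now that the term scales.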
Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4video.h | 2 +- libavcodec/mpeg4videoenc.c | 10 +++++++++- libavcodec/mpegvideo_enc.c | 8 +++++--- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4video.h b/libavcodec/mpeg4video.h index e83692cc87..fa92e999bd 100644 --- a/libavcodec/mpeg4video.h +++ b/libavcodec/mpeg4video.h @@ -137,7 +137,7 @@ void ff_mpeg4_encode_mb(MpegEncContext *s, void ff_mpeg4_pred_ac(MpegEncContext *s, int16_t *block, int n, int dir); void ff_set_mpeg4_time(MpegEncContext *s); -void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number); +int ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number); int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb); void ff_mpeg4_encode_video_packet_header(MpegEncContext *s); diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 5751432a31..c47b6e8410 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -1086,7 +1086,7 @@ static void mpeg4_encode_vol_header(MpegEncContext *s, } /* write mpeg4 VOP header */ -void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) +int ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) { int time_incr; int time_div, time_mod; @@ -1112,6 +1112,12 @@ void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) time_mod = FFUMOD(s->time, s->avctx->time_base.den); time_incr = time_div - s->last_time_base; av_assert0(time_incr >= 0); + + // This limits the frame duration to max 1 hour + if (time_incr > 3600) { + av_log(s->avctx, AV_LOG_ERROR, "time_incr %d too large\n", time_incr); + return AVERROR(EINVAL); + } while (time_incr--) put_bits(&s->pb, 1, 1); 
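Review bot: The new range check in `ff_mpeg4_encode_picture_header()` sits after `av_assert0(time_incr >= 0);`, so a value that is out of range on the low side still aborts the process while one on the high side returns `AVERROR(EINVAL)`. If a negative `time_incr` can result from caller-supplied timestamps (the computation of `s->time` is outside the hunk), handling both in the same branch would be more consistent: `if (time_incr < 0 || time_incr > 3600) {`. The literal 3600 would read better as a named constant next to the existing comment.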
@@ -1137,6 +1143,8 @@ void ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number) put_bits(&s->pb, 3, s->f_code); /* fcode_for */ if (s->pict_type == AV_PICTURE_TYPE_B) put_bits(&s->pb, 3, s->b_code); /* fcode_back */ + + return 0; } static av_cold void init_uni_dc_tab(void) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 9e53b5c080..b77dc9c239 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -3656,9 +3656,11 @@ static int encode_picture(MpegEncContext *s, int picture_number) ff_wmv2_encode_picture_header(s, picture_number); else if (CONFIG_MSMPEG4_ENCODER && s->msmpeg4_version) ff_msmpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_MPEG4_ENCODER && s->h263_pred) - ff_mpeg4_encode_picture_header(s, picture_number); - else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { + else if (CONFIG_MPEG4_ENCODER && s->h263_pred) { + ret = ff_mpeg4_encode_picture_header(s, picture_number); + if (ret < 0) + return ret; + } else if (CONFIG_RV10_ENCODER && s->codec_id == AV_CODEC_ID_RV10) { ret = ff_rv10_encode_picture_header(s, picture_number); if (ret < 0) return ret; From 937f3058fa231cecd301fb1012e27807fd44f54b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2016 18:49:20 +0100 Subject: [PATCH 0879/1352] avformat/asfenc: Check pts Fixes integer overflow Fixes: 0063df8be3aaa30dd6d76f59c8f818c8/signal_sigsegv_7b7b59_3634_bf418b6822bbfa68734411d96b667be3.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7c0b84d89911b2035161f5ef51aafbfcc84aa9e2) Signed-off-by: Michael Niedermayer --- libavformat/asfenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index ece840eba6..6d8bfcf9e4 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c 
@@ -929,6 +929,11 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts; av_assert0(pts != AV_NOPTS_VALUE); + if ( pts < - PREROLL_TIME + || pts > (INT_MAX-3)/10000LL * ASF_INDEXED_INTERVAL - PREROLL_TIME) { + av_log(s, AV_LOG_ERROR, "input pts %"PRId64" is invalid\n", pts); + return AVERROR(EINVAL); + } pts *= 10000; asf->duration = FFMAX(asf->duration, pts + pkt->duration * 10000); From 66aeb5467eeeeab310a98332817a908ca68f42c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Jan 2016 02:31:59 +0100 Subject: [PATCH 0880/1352] avformat/aviobuf: Fix end check in put_str16() Fixes out of array read Fixes: 03c406ec9530e594a074ce2979f8a1f0/asan_heap-oob_7dec26_4664_37c52495b2870a2eaac65f53958e76c1.flac Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 115fb6d03ef6310732b42258d8c3cd1839cfb74b) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 74686d1d15..7da89d716a 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -356,6 +356,8 @@ int avio_put_str16le(AVIOContext *s, const char *str) invalid: av_log(s, AV_LOG_ERROR, "Invaid UTF8 sequence in avio_put_str16le\n"); err = AVERROR(EINVAL); + if (!*(q-1)) + break; } avio_wl16(s, 0); if (err) From 70b35708b91541052a9e776c6af7a024a2e39d29 Mon Sep 17 00:00:00 2001 From: Maxim Andreev Date: Wed, 13 Jan 2016 11:51:12 +0300 Subject: [PATCH 0881/1352] avformat/hls: forbid all protocols except http(s) & file Signed-off-by: Michael Niedermayer (cherry picked from commit 7145e80b4f78cff5ed5fee04d4c4d53daaa0e077) Conflicts: libavformat/hls.c --- libavformat/hls.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 0c86461f0f..c66f85b980 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
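Review bot: The added range check in `asf_write_packet()` bounds `pts` only, while the context line just below it still evaluates `pts + pkt->duration * 10000` with an unchecked `pkt->duration`. A packet with a very large duration could overflow that expression even though its pts passed the check. The type of `duration` is not visible here, so this needs confirming against the AVPacket definition. The bound `(INT_MAX-3)/10000LL * ASF_INDEXED_INTERVAL - PREROLL_TIME` also deserves a comment saying which later computation it protects.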
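Review bot: `if (!*(q-1)) break;` in the `invalid:` path of `avio_put_str16le()` is not self-explanatory. It appears to rely on the UTF-8 decoding step above (outside the hunk) having possibly consumed the terminating NUL. A comment such as `/* the decoder may already have consumed the terminating NUL; stop instead of reading past the string */` would document that. The test also assumes `q` has advanced at least one byte from `str` whenever the label is reached, which should be confirmed against the loop head.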
@@ -927,6 +927,12 @@ static int open_input(HLSContext *c, struct playlist *pls) seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { + const char *proto_name = avio_find_protocol_name(seg->url); + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { + ret = AVERROR_INVALIDDATA; + goto cleanup; + } + ret = ffurl_open(&pls->input, seg->url, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts); @@ -934,6 +940,11 @@ static int open_input(HLSContext *c, struct playlist *pls) char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { URLContext *uc; + const char *proto_name = avio_find_protocol_name(seg->key); + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { + ret = AVERROR_INVALIDDATA; + goto cleanup; + } if (ffurl_open(&uc, seg->key, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts2) == 0) { if (ffurl_read_complete(uc, pls->key, sizeof(pls->key)) From ed44b57935f68c70a6b8606c49c54277bbd91eac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2016 12:36:41 +0100 Subject: [PATCH 0882/1352] swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out Signed-off-by: Michael Niedermayer (cherry picked from commit 5e5f82a28737fba4402259617500911cc37e3674) Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 1 + libswscale/yuv2rgb.c | 89 ++++++++++++++++++----------------- 2 files changed, 46 insertions(+), 44 deletions(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index bfd24c95a5..f348d8a9e1 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -40,6 +40,7 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long #define YUVRGB_TABLE_HEADROOM 256 +#define YUVRGB_TABLE_LUMA_HEADROOM 0 #define MAX_FILTER_SIZE SWS_MAX_FILTER_SIZE diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 24b02665ae..86de94cfe7 100644 --- a/libswscale/yuv2rgb.c 
+++ b/libswscale/yuv2rgb.c @@ -720,7 +720,8 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], uint16_t *y_table16; uint32_t *y_table32; int i, base, rbase, gbase, bbase, av_uninit(abase), needAlpha; - const int yoffs = fullRange ? 384 : 326; + const int yoffs = (fullRange ? 384 : 326) + YUVRGB_TABLE_LUMA_HEADROOM; + const int table_plane_size = 1024 + 2*YUVRGB_TABLE_LUMA_HEADROOM; int64_t crv = inv_table[0]; int64_t cbu = inv_table[1]; @@ -777,10 +778,10 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], return AVERROR(ENOMEM); switch (bpp) { case 1: - ALLOC_YUV_TABLE(1024); + ALLOC_YUV_TABLE(table_plane_size); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 110; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 110; i++) { y_table[i + 110] = av_clip_uint8((yb + 0x8000) >> 16) >> 7; yb += cy; } 
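Review bot: The start value `-(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy` is now repeated verbatim in every `case` of the switch (here and in the hunks at -792, -853 and -895), which makes it easy for one copy to drift. Assuming `cy` and `oy` are not modified inside the switch, computing it once next to `table_plane_size`, e.g. as a local `yb_start`, and assigning `yb = yb_start;` per case would keep the cases in step. The loop bounds `table_plane_size - 110` and `table_plane_size - 38`, together with the fixed offsets 110, 37 and 16, could use a comment explaining how they relate to the plane size. `ff_yuv2rgb_c_init_tables()` extends beyond the hunks.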
@@ -792,60 +793,60 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? 3 : 0; gbase = 1; bbase = isRgb ? 0 : 3; - ALLOC_YUV_TABLE(1024 * 3); + ALLOC_YUV_TABLE(table_plane_size * 3); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 110; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 110; i++) { int yval = av_clip_uint8((yb + 0x8000) >> 16); y_table[i + 110] = (yval >> 7) << rbase; - y_table[i + 37 + 1024] = ((yval + 43) / 85) << gbase; - y_table[i + 110 + 2048] = (yval >> 7) << bbase; + y_table[i + 37 + table_plane_size] = ((yval + 43) / 85) << gbase; + y_table[i + 110 + 2*table_plane_size] = (yval >> 7) << bbase; yb += cy; } fill_table(c->table_rV, 1, crv, y_table + yoffs); - fill_table(c->table_gU, 1, cgu, y_table + yoffs + 1024); - fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2048); + fill_table(c->table_gU, 1, cgu, y_table + yoffs + table_plane_size); + fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 1, cgv); break; case 8: rbase = isRgb ? 5 : 0; gbase = isRgb ? 2 : 3; bbase = isRgb ? 
0 : 6; - ALLOC_YUV_TABLE(1024 * 3); + ALLOC_YUV_TABLE(table_plane_size * 3); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024 - 38; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size - 38; i++) { int yval = av_clip_uint8((yb + 0x8000) >> 16); y_table[i + 16] = ((yval + 18) / 36) << rbase; - y_table[i + 16 + 1024] = ((yval + 18) / 36) << gbase; - y_table[i + 37 + 2048] = ((yval + 43) / 85) << bbase; + y_table[i + 16 + table_plane_size] = ((yval + 18) / 36) << gbase; + y_table[i + 37 + 2*table_plane_size] = ((yval + 43) / 85) << bbase; yb += cy; } fill_table(c->table_rV, 1, crv, y_table + yoffs); - fill_table(c->table_gU, 1, cgu, y_table + yoffs + 1024); - fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2048); + fill_table(c->table_gU, 1, cgu, y_table + yoffs + table_plane_size); + fill_table(c->table_bU, 1, cbu, y_table + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 1, cgv); break; case 12: rbase = isRgb ? 8 : 0; gbase = 4; bbase = isRgb ? 
0 : 8; - ALLOC_YUV_TABLE(1024 * 3 * 2); + ALLOC_YUV_TABLE(table_plane_size * 3 * 2); y_table16 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { uint8_t yval = av_clip_uint8((yb + 0x8000) >> 16); y_table16[i] = (yval >> 4) << rbase; - y_table16[i + 1024] = (yval >> 4) << gbase; - y_table16[i + 2048] = (yval >> 4) << bbase; + y_table16[i + table_plane_size] = (yval >> 4) << gbase; + y_table16[i + 2*table_plane_size] = (yval >> 4) << bbase; yb += cy; } if (isNotNe) - for (i = 0; i < 1024 * 3; i++) + for (i = 0; i < table_plane_size * 3; i++) y_table16[i] = av_bswap16(y_table16[i]); fill_table(c->table_rV, 2, crv, y_table16 + yoffs); - fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + 1024); - fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2048); + fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + table_plane_size); + fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 2, cgv); break; case 15: 
@@ -853,30 +854,30 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], rbase = isRgb ? bpp - 5 : 0; gbase = 5; bbase = isRgb ? 0 : (bpp - 5); - ALLOC_YUV_TABLE(1024 * 3 * 2); + ALLOC_YUV_TABLE(table_plane_size * 3 * 2); y_table16 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { uint8_t yval = av_clip_uint8((yb + 0x8000) >> 16); y_table16[i] = (yval >> 3) << rbase; - y_table16[i + 1024] = (yval >> (18 - bpp)) << gbase; - y_table16[i + 2048] = (yval >> 3) << bbase; + y_table16[i + table_plane_size] = (yval >> (18 - bpp)) << gbase; + y_table16[i + 2*table_plane_size] = (yval >> 3) << bbase; yb += cy; } if (isNotNe) - for (i = 0; i < 1024 * 3; i++) + for (i = 0; i < table_plane_size * 3; i++) y_table16[i] = av_bswap16(y_table16[i]); fill_table(c->table_rV, 2, crv, y_table16 + yoffs); - fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + 1024); - fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2048); + fill_table(c->table_gU, 2, cgu, y_table16 + yoffs + table_plane_size); + fill_table(c->table_bU, 2, cbu, y_table16 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 2, cgv); break; case 24: case 48: - ALLOC_YUV_TABLE(1024); + ALLOC_YUV_TABLE(table_plane_size); y_table = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { y_table[i] = av_clip_uint8((yb + 0x8000) >> 16); yb += cy; } 
@@ -895,20 +896,20 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], needAlpha = CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat); if (!needAlpha) abase = (base + 24) & 31; - ALLOC_YUV_TABLE(1024 * 3 * 4); + ALLOC_YUV_TABLE(table_plane_size * 3 * 4); y_table32 = c->yuvTable; - yb = -(384 << 16) - oy; - for (i = 0; i < 1024; i++) { + yb = -(384 << 16) - YUVRGB_TABLE_LUMA_HEADROOM*cy - oy; + for (i = 0; i < table_plane_size; i++) { unsigned yval = av_clip_uint8((yb + 0x8000) >> 16); y_table32[i] = (yval << rbase) + (needAlpha ? 0 : (255u << abase)); - y_table32[i + 1024] = yval << gbase; - y_table32[i + 2048] = yval << bbase; + y_table32[i + table_plane_size] = yval << gbase; + y_table32[i + 2*table_plane_size] = yval << bbase; yb += cy; } fill_table(c->table_rV, 4, crv, y_table32 + yoffs); - fill_table(c->table_gU, 4, cgu, y_table32 + yoffs + 1024); - fill_table(c->table_bU, 4, cbu, y_table32 + yoffs + 2048); + fill_table(c->table_gU, 4, cgu, y_table32 + yoffs + table_plane_size); + fill_table(c->table_bU, 4, cbu, y_table32 + yoffs + 2*table_plane_size); fill_gv_table(c->table_gV, 4, cgv); break; default: From 38369313b959cf02d865a1d4e5983b0df30ff54b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2016 03:05:11 +0100 Subject: [PATCH 0883/1352] swscale/yuv2rgb: Increase YUV2RGB table headroom This makes SWS more robust Fixes: 07650a772d98aa63b0fed6370dc89037/asan_heap-oob_27ddeaf_2657_2c81ff264dee5d9712cb3251fb9c3bbb.264 Fixes: out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 8f3a9a8c278acf886f70a1d743bc07b6f9c7b51a) Signed-off-by: Michael Niedermayer --- libswscale/swscale_internal.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index f348d8a9e1..baea85010e 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h 
@@ -39,8 +39,8 @@ #define STR(s) AV_TOSTRING(s) // AV_STRINGIFY is too long -#define YUVRGB_TABLE_HEADROOM 256 -#define YUVRGB_TABLE_LUMA_HEADROOM 0 +#define YUVRGB_TABLE_HEADROOM 512 +#define YUVRGB_TABLE_LUMA_HEADROOM 512 #define MAX_FILTER_SIZE SWS_MAX_FILTER_SIZE From 990abbd1c6123e39c8115b19967ba16bc69262b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Jan 2016 13:29:38 +0100 Subject: [PATCH 0884/1352] avformat/hls: More strict url checks No case is known where these are needed Signed-off-by: Michael Niedermayer (cherry picked from commit 6ba42b6482c725a59eb468391544dc0c75b8c6f0) Conflicts: libavformat/hls.c Signed-off-by: Michael Niedermayer Conflicts: libavformat/hls.c --- libavformat/hls.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index c66f85b980..63ab9511d9 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -900,6 +900,20 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, pls->is_id3_timestamped = (pls->id3_mpegts_timestamp != AV_NOPTS_VALUE); } + +static int check_url(const char *url) { + const char *proto_name = avio_find_protocol_name(url); + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) + return AVERROR_INVALIDDATA; + + if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') + return 0; + else if (strcmp(proto_name, "file") || !strcmp(url, "file,")) + return AVERROR_INVALIDDATA; + + return 0; +} + static int open_input(HLSContext *c, struct playlist *pls) { AVDictionary *opts = NULL; 
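Review bot: Nothing next to the new values of `YUVRGB_TABLE_HEADROOM` and `YUVRGB_TABLE_LUMA_HEADROOM` records which index range 512 entries must cover, so the next out-of-range input can only be handled by guessing a bigger number. A comment above the defines stating the worst-case offset the lookup code can form would make the value checkable, for instance `/* entries of padding on each side of the table; must be >= the largest offset the per-pixel lookup can form */`. If the index depends on caller-controlled colourspace coefficients, bounding those at configuration time is the more durable guard. That code is outside this hunk.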
@@ -927,11 +941,9 @@ static int open_input(HLSContext *c, struct playlist *pls) seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { - const char *proto_name = avio_find_protocol_name(seg->url); - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { - ret = AVERROR_INVALIDDATA; + ret = check_url(seg->url); + if (ret < 0) goto cleanup; - } ret = ffurl_open(&pls->input, seg->url, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts); @@ -940,11 +952,10 @@ static int open_input(HLSContext *c, struct playlist *pls) char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { URLContext *uc; - const char *proto_name = avio_find_protocol_name(seg->key); - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) { - ret = AVERROR_INVALIDDATA; + ret = check_url(seg->key); + if (ret < 0) goto cleanup; - } + if (ffurl_open(&uc, seg->key, AVIO_FLAG_READ, &pls->parent->interrupt_callback, &opts2) == 0) { if (ffurl_read_complete(uc, pls->key, sizeof(pls->key)) From c0df58b0e5ecee6a5f91236a689395c1a8368461 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Jan 2016 15:29:22 +0100 Subject: [PATCH 0885/1352] avformat/hls: Even stricter URL checks This fixes a null pointer dereference at least Signed-off-by: Michael Niedermayer (cherry picked from commit cfda1bea4c18ec1edbc11ecc465f788b02851488) Conflicts: libavformat/hls.c --- libavformat/hls.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 63ab9511d9..6c6a0029df 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
@@ -903,12 +903,16 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, static int check_url(const char *url) { const char *proto_name = avio_find_protocol_name(url); + + if (!proto_name) + return AVERROR_INVALIDDATA; + if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) return AVERROR_INVALIDDATA; if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') return 0; - else if (strcmp(proto_name, "file") || !strcmp(url, "file,")) + else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5)) return AVERROR_INVALIDDATA; return 0; From 2a2205b05184bc89ebcf26ff7f0ed47646a4f650 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 2 Jan 2016 16:28:31 -0300 Subject: [PATCH 0886/1352] configure: bump copyright year to 2016 Signed-off-by: James Almer (cherry picked from commit 78129978f02f27d76ecaf2cd1a7bf7a47253fdab) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 51432db3ba..c35f67c685 100755 --- a/configure +++ b/configure @@ -5603,7 +5603,7 @@ cat > $TMPH < Date: Wed, 13 Jan 2016 19:26:40 -0300 Subject: [PATCH 0887/1352] avcodec/wavpackenc: print channel count in av_log call Fixes a warning with -Wformat-extra-args (cherry picked from commit 17e7fdf61a04f52c499e2d06eab2cf2d22343aa9) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 2d98e53b95..4bfeadb2e6 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -129,7 +129,7 @@ static av_cold int wavpack_encode_init(AVCodecContext *avctx) s->avctx = avctx; if (avctx->channels > 255) { - av_log(avctx, AV_LOG_ERROR, "Too many channels\n", avctx->channels); + av_log(avctx, AV_LOG_ERROR, "Invalid channel count: %d\n", avctx->channels); return AVERROR(EINVAL); } 
From e4b2c75c2a69861794fa65b0d33a583dbca2b061 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 00:55:44 +0100 Subject: [PATCH 0888/1352] swscale/swscale_unscaled: Fix odd height inputs for bayer_to_rgb24_wrapper() Fixes: 372d2df1f04b49e25f109f07f90b1505/asan_heap-oob_2835d2e_8501_99e0114d7ba3a6db885d0b4684d200c1.cine Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ad3b6fa7d83db7de951ed891649af93a47e74be5) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index d3d0cf30b2..9e24623140 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -1058,6 +1058,8 @@ static int bayer_to_rgb24_wrapper(SwsContext *c, const uint8_t* src[], int srcSt default: return 0; } + av_assert0(srcSliceH > 1); + copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); srcPtr += 2 * srcStride[0]; dstPtr += 2 * dstStride[0]; @@ -1068,7 +1070,10 @@ static int bayer_to_rgb24_wrapper(SwsContext *c, const uint8_t* src[], int srcSt dstPtr += 2 * dstStride[0]; } - copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); + if (i + 1 == srcSliceH) { + copy(srcPtr, -srcStride[0], dstPtr, -dstStride[0], c->srcW); + } else if (i < srcSliceH) + copy(srcPtr, srcStride[0], dstPtr, dstStride[0], c->srcW); return srcSliceH; } From af384c87035423c8f465a171ac73645e76821c94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 00:55:44 +0100 Subject: [PATCH 0889/1352] swscale/swscale_unscaled: Fix odd height inputs for bayer_to_yv12_wrapper() Fixes: 372d2df1f04b49e25f109f07f90b1505/asan_heap-oob_2835d2e_8501_99e0114d7ba3a6db885d0b4684d200c1.cine Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
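Review bot: `av_assert0(srcSliceH > 1)` in bayer_to_rgb24_wrapper aborts the process if a one-row slice ever reaches this function. In a library that converts frames from untrusted files, a recoverable error is preferable to a crash. Unless every caller is guaranteed to reject that case first, return early in the style of the existing `default:` branch, e.g. `if (srcSliceH < 2) return 0;`, and add a comment saying why a Bayer slice needs at least two rows. The same assert is added to bayer_to_yv12_wrapper in the next patch. Both function bodies start outside their hunks.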
Signed-off-by: Michael Niedermayer (cherry picked from commit 757248ea3cd917a7755cb15f817a9b1f15578718) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 9e24623140..60f8c619b3 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -1109,6 +1109,8 @@ static int bayer_to_yv12_wrapper(SwsContext *c, const uint8_t* src[], int srcStr default: return 0; } + av_assert0(srcSliceH > 1); + copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); srcPtr += 2 * srcStride[0]; dstY += 2 * dstStride[0]; @@ -1123,7 +1125,10 @@ static int bayer_to_yv12_wrapper(SwsContext *c, const uint8_t* src[], int srcStr dstV += dstStride[1]; } - copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); + if (i + 1 == srcSliceH) { + copy(srcPtr, -srcStride[0], dstY, dstU, dstV, -dstStride[0], c->srcW, c->input_rgb2yuv_table); + } else if (i < srcSliceH) + copy(srcPtr, srcStride[0], dstY, dstU, dstV, dstStride[0], c->srcW, c->input_rgb2yuv_table); return srcSliceH; } From f8728dc834170928e89c2a98ebdc23466fd8e57b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 12:33:50 +0100 Subject: [PATCH 0890/1352] swscale/x86/rgb2rgb_template: Fix planar2x() for short width Fixes: 451b3e0cf956c0bd2f27ed753ac24050/asan_heap-oob_2873c01_3231_7ed10a9464d15f0d57277f5917c566a8.AVI Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit c8a9aaab2695e0f9921db946a3b9f14bea880167) Signed-off-by: Michael Niedermayer --- libswscale/x86/rgb2rgb_template.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 6f218ddbb7..73af74e6aa 100644 --- a/libswscale/x86/rgb2rgb_template.c 
+++ b/libswscale/x86/rgb2rgb_template.c @@ -1434,7 +1434,9 @@ static inline void RENAME(planar2x)(const uint8_t *src, uint8_t *dst, int srcWid dst+= dstStride; for (y=1; y> 2; + dst[dstStride] = (src[0] + 3 * src[srcStride]) >> 2; + } for (x=mmxSize-1; x>2; From 5d40272ba8fcae15d39422c8ceeae6112735300f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 18:57:01 +0100 Subject: [PATCH 0891/1352] swscale/swscale: Add some sanity checks for srcSlice* parameters Signed-off-by: Michael Niedermayer (cherry picked from commit 321e85e1769ca1fc1567025ae264760790ee7fc9) Conflicts: libswscale/swscale.c Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 43b8740f9c..87fd63a8ce 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -895,11 +895,19 @@ int attribute_align_arg sws_scale(struct SwsContext *c, const uint8_t *src2[4]; uint8_t *dst2[4]; uint8_t *rgb0_tmp = NULL; + int macro_height = isBayer(c->srcFormat) ? 2 : (1 << c->chrSrcVSubSample); if (!srcStride || !dstStride || !dst || !srcSlice) { av_log(c, AV_LOG_ERROR, "One of the input parameters to sws_scale() is NULL, please check the calling code\n"); return 0; } + + if ((srcSliceY & (macro_height-1)) || + ((srcSliceH& (macro_height-1)) && srcSliceY + srcSliceH != c->srcH) || + srcSliceY + srcSliceH > c->srcH) { + av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); + return AVERROR(EINVAL); + } if (c->cascaded_context[0] && srcSliceY == 0 && srcSliceH == c->cascaded_context[0]->srcH) { ret = sws_scale(c->cascaded_context[0], srcSlice, srcStride, srcSliceY, srcSliceH, From 7142ddcf92c695cce2530761331844adca1300a2 Mon Sep 17 00:00:00 2001 
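Review bot: The new slice validation in sws_scale() does not reject negative values. A negative even `srcSliceY` passes the `& (macro_height-1)` test, and it also passes `srcSliceY + srcSliceH > c->srcH` as long as the sum stays within the image. Adding `srcSliceY < 0 || srcSliceH < 0 ||` at the front of the condition closes that gap. Writing the last test as `srcSliceH > c->srcH - srcSliceY` avoids the signed addition, which can overflow for large caller-supplied values. The rest of sws_scale() lies outside the hunk, so any later checks on these parameters are not visible here.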
From: Michael Niedermayer Date: Mon, 18 Jan 2016 03:31:25 +0100 Subject: [PATCH 0892/1352] avcodec/tiff: Check subsample & rps values more completely Fixes out of array access Fixes: 83aedfb29af669c4d6e10f1bfad974d2/asan_heap-oob_1ab42fe_4984_9f6ec14462f8d8a00ea24b320572a963.tif Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 89f464e9c229006e16f6bb5403c5529fdd0a9edd) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 9434794185..a337dc0ff0 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1005,8 +1005,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) av_log(s->avctx, AV_LOG_ERROR, "subsample count invalid\n"); return AVERROR_INVALIDDATA; } - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { s->subsampling[i] = ff_tget(&s->gb, type, s->le); + if (s->subsampling[i] <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]); + return AVERROR_INVALIDDATA; + } + } break; case TIFF_T4OPTIONS: if (s->compr == TIFF_G3) @@ -1254,7 +1259,7 @@ static int decode_frame(AVCodecContext *avctx, avpkt->size - s->strippos); } - if (s->rps <= 0) { + if (s->rps <= 0 || s->rps % s->subsampling[1]) { av_log(avctx, AV_LOG_ERROR, "rps %d invalid\n", s->rps); return AVERROR_INVALIDDATA; } From c88fa43a3adfba0df0b2f323137f2e9aaf6e8ca9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Jan 2016 17:13:55 +0100 Subject: [PATCH 0893/1352] avcodec/put_bits: Assert buf_ptr in flush_put_bits() Signed-off-by: Michael Niedermayer (cherry picked from commit 3ef5de0f19774e2c3dd9b08ba2e8ab7241a4862a) Signed-off-by: Michael Niedermayer --- libavcodec/put_bits.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/put_bits.h b/libavcodec/put_bits.h index 03e3a04c55..392b90a5e0 100644 --- a/libavcodec/put_bits.h 
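Review bot: In the subsampling loop of tiff_decode_tag, the value is written to `s->subsampling[i]` before it is validated, so on the `AVERROR_INVALIDDATA` return the context still holds the rejected value. The second hunk then divides by that field in `s->rps % s->subsampling[1]`, which is safe only if the field can never be zero. That holds when the tag is present and valid, but the initial value when the tag is absent is set outside these hunks and should be confirmed to be positive. Reading into a local, checking it, and only then assigning to `s->subsampling[i]` keeps the context free of unvalidated values. A comment at the `rps` check should state the invariant that `subsampling[1] >= 1`.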
+++ b/libavcodec/put_bits.h @@ -88,7 +88,7 @@ static inline void flush_put_bits(PutBitContext *s) s->bit_buf <<= s->bit_left; #endif while (s->bit_left < 32) { - /* XXX: should test end of buffer */ + av_assert0(s->buf_ptr < s->buf_end); #ifdef BITSTREAM_WRITER_LE *s->buf_ptr++ = s->bit_buf; s->bit_buf >>= 8; From 49ae02d36f25963e8ef9ea1fba82a7e1c9914563 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Jan 2016 19:20:03 +0100 Subject: [PATCH 0894/1352] avcodec/gif: Fix lzw buffer size Fixes out of array access Fixes: aaa479088e6fb40b04837b3119f47b04/asan_heap-oob_e38c68_8576_9d653078b2470700e2834636f12ff557.tga Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 03d83ba34b2070878909eae18dfac0f519503777) Signed-off-by: Michael Niedermayer --- libavcodec/gif.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/gif.c b/libavcodec/gif.c index def1b83e9d..b56d58c4df 100644 --- a/libavcodec/gif.c +++ b/libavcodec/gif.c @@ -43,6 +43,7 @@ typedef struct { const AVClass *class; LZWState *lzw; uint8_t *buf; + int buf_size; AVFrame *last_frame; int flags; uint32_t palette[AVPALETTE_COUNT]; ///< local reference palette for !pal8 @@ -168,7 +169,7 @@ static int gif_image_write_image(AVCodecContext *avctx, bytestream_put_byte(bytestream, 0x08); - ff_lzw_encode_init(s->lzw, s->buf, 2 * width * height, + ff_lzw_encode_init(s->lzw, s->buf, s->buf_size, 12, FF_LZW_GIF, put_bits); ptr = buf + y_start*linesize + x_start; @@ -224,7 +225,8 @@ static av_cold int gif_encode_init(AVCodecContext *avctx) avctx->coded_frame->key_frame = 1; s->lzw = av_mallocz(ff_lzw_encode_state_size); - s->buf = av_malloc(avctx->width*avctx->height*2); + s->buf_size = avctx->width*avctx->height*2 + 1000; + s->buf = av_malloc(s->buf_size); s->tmpl = av_malloc(avctx->width); if (!s->tmpl || !s->buf || !s->lzw) return AVERROR(ENOMEM); 
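Review bot: In gif_encode_init, `s->buf_size = avctx->width*avctx->height*2 + 1000;` is evaluated in `int`, and this hunk does not bound the product before it is used as the allocation size and later as the LZW buffer limit. Dimensions are presumably validated earlier, but that is not visible here. A local guard costs little: `int64_t sz = (int64_t)avctx->width * avctx->height * 2 + 1000; if (sz > INT_MAX) return AVERROR(EINVAL);`. The `1000` also needs a comment saying what worst-case LZW overhead it is meant to cover, since it is the whole of the fix.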
@@ -283,6 +285,7 @@ static int gif_encode_close(AVCodecContext *avctx) av_freep(&s->lzw); av_freep(&s->buf); + s->buf_size = 0; av_frame_free(&s->last_frame); av_freep(&s->tmpl); return 0; From a9a6e4e9c1f6d87cece9448fc9a495ac9b62e720 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2016 15:39:11 +0100 Subject: [PATCH 0895/1352] avcodec/ass_split: Fix null pointer dereference in ff_ass_style_get() Fixes: 55d71971da50365d542ed14b65565fe1/signal_sigsegv_4765a4_8499_f146af090a94f591d6254515c7700ef5.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 158f0545d81b2aca1c936490f80d13988616910e) Signed-off-by: Michael Niedermayer --- libavcodec/ass_split.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ass_split.c b/libavcodec/ass_split.c index 413e9c8d06..04eebe3ede 100644 --- a/libavcodec/ass_split.c +++ b/libavcodec/ass_split.c @@ -470,7 +470,7 @@ ASSStyle *ff_ass_style_get(ASSSplitContext *ctx, const char *style) if (!style || !*style) style = "Default"; for (i=0; istyles_count; i++) - if (!strcmp(ass->styles[i].name, style)) + if (ass->styles[i].name && !strcmp(ass->styles[i].name, style)) return ass->styles + i; return NULL; } From 5af593290488514812527ad2ea3818dae4d41646 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 09:43:54 +0100 Subject: [PATCH 0896/1352] avformat/avio: Limit url option parsing to the documented cases This feature is not know much or used much AFAIK, and it might be helpfull in exploits. No specific case is known where it can be used in an exploit though subsequent commits depend on this commit though Signed-off-by: Michael Niedermayer (cherry picked from commit 984d58a3440d513f66344b5332f6b589c0a6bbc6) Signed-off-by: Michael Niedermayer --- libavformat/avio.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/libavformat/avio.c b/libavformat/avio.c index 326bb0aa78..78d15cc40d 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -155,9 +155,16 @@ static int url_alloc_for_protocol(URLContext **puc, struct URLProtocol *up, char sep= *++p; char *key, *val; p++; + + if (strcmp(up->name, "subfile")) + ret = AVERROR(EINVAL); + while(ret >= 0 && (key= strchr(p, sep)) && ppriv_data, p, key+1, 0); + if (strcmp(p, "start") && strcmp(p, "end")) { + ret = AVERROR_OPTION_NOT_FOUND; + } else + ret= av_opt_set(uc->priv_data, p, key+1, 0); if (ret == AVERROR_OPTION_NOT_FOUND) av_log(uc, AV_LOG_ERROR, "Key '%s' not found.\n", p); *val= *key= sep; @@ -222,7 +229,7 @@ static struct URLProtocol *url_find_protocol(const char *filename) size_t proto_len = strspn(filename, URL_SCHEME_CHARS); if (filename[proto_len] != ':' && - (filename[proto_len] != ',' || !strchr(filename + proto_len + 1, ':')) || + (strncmp(filename, "subfile,", 8) || !strchr(filename + proto_len + 1, ':')) || is_dos_path(filename)) strcpy(proto_str, "file"); else From 0732e7b0eab4bbb7af3861fb1630aff3bcdd6082 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2016 00:36:51 +0100 Subject: [PATCH 0897/1352] avcodec/mpeg12enc: Move high resolution thread check to before initializing threads Cleaner solution is welcome! Signed-off-by: Michael Niedermayer (cherry picked from commit a53fbda9dc92273054a103db7539d2bb6e9632b2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12enc.c | 3 --- libavcodec/pthread_slice.c | 6 ++++++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index b94af1436d..0e2f2a9318 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -144,9 +144,6 @@ static av_cold int encode_init(AVCodecContext *avctx) { MpegEncContext *s = avctx->priv_data; - if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO && avctx->height > 2800) - avctx->thread_count = 1; - if (ff_mpv_encode_init(avctx) < 0) return -1; 
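Review bot: In url_find_protocol, `strncmp(filename, "subfile,", 8)` hard-codes both the protocol name and a hand-counted length, which can silently drift apart if the literal is ever edited. `!av_strstart(filename, "subfile,", NULL)` expresses the same prefix test without the length, provided avstring.h is already included in this file. A comment on the condition should say that comma-separated inline options are accepted for subfile only. Otherwise the link to the `strcmp(up->name, "subfile")` restriction in url_alloc_for_protocol is easy to miss. The enclosing function starts outside the hunk.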
diff --git a/libavcodec/pthread_slice.c b/libavcodec/pthread_slice.c index fea989fc4c..4fcbcb175a 100644 --- a/libavcodec/pthread_slice.c +++ b/libavcodec/pthread_slice.c @@ -181,6 +181,12 @@ int ff_slice_thread_init(AVCodecContext *avctx) w32thread_init(); #endif + // We cannot do this in the encoder init as the threads are created before + if (av_codec_is_encoder(avctx->codec) && + avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO && + avctx->height > 2800) + thread_count = avctx->thread_count = 1; + if (!thread_count) { int nb_cpus = av_cpu_count(); if (avctx->height) From 9e44ea7c0f3984252dc9f8484e81d9d01168a5a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2016 02:38:05 +0100 Subject: [PATCH 0898/1352] avcodec/wmaenc: Check ff_wma_init() for failure Fixes null pointer dereference Fixes: c4faf8280ba366bf00a79d425f2910a8/signal_sigsegv_1f96477_5177_1448ba7e4125faceb966f44ceb69abfa.qcp Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 19e456d48c90a1e3ceeb9e6241383384cc73dfdf) Signed-off-by: Michael Niedermayer --- libavcodec/wmaenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c index dfa4ad9484..18e3706db7 100644 --- a/libavcodec/wmaenc.c +++ b/libavcodec/wmaenc.c @@ -32,6 +32,7 @@ static av_cold int encode_init(AVCodecContext *avctx) WMACodecContext *s = avctx->priv_data; int i, flags1, flags2, block_align; uint8_t *extradata; + int ret; s->avctx = avctx; @@ -78,7 +79,8 @@ static av_cold int encode_init(AVCodecContext *avctx) if (avctx->channels == 2) s->ms_stereo = 1; - ff_wma_init(avctx, flags2); + if ((ret = ff_wma_init(avctx, flags2)) < 0) + return ret; /* init MDCT */ for (i = 0; i < s->nb_block_sizes; i++) From 76de78a9dbefede31c1ee24076fae1ae95883e62 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 20 Jan 2016 21:01:08 +0100 Subject: [PATCH 0899/1352] avformat/avformat: Replace some references to filenames by urls Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 41e07390e04cf369d84f0cc7ff5858c273290770) Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 6d28965a3c..4362afda20 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -88,10 +88,10 @@ * cleanup. * * @section lavf_decoding_open Opening a media file - * The minimum information required to open a file is its URL or filename, which + * The minimum information required to open a file is its URL, which * is passed to avformat_open_input(), as in the following code: * @code - * const char *url = "in.mp3"; + * const char *url = "file:in.mp3"; * AVFormatContext *s = NULL; * int ret = avformat_open_input(&s, url, NULL, NULL); * if (ret < 0) @@ -1938,7 +1938,7 @@ AVInputFormat *av_probe_input_format3(AVProbeData *pd, int is_opened, int *score * * @param pb the bytestream to probe * @param fmt the input format is put here - * @param filename the filename of the stream + * @param url the url of the stream * @param logctx the log context * @param offset the offset within the bytestream to probe from * @param max_probe_size the maximum probe buffer size (zero for default) 
@@ -1947,14 +1947,14 @@ AVInputFormat *av_probe_input_format3(AVProbeData *pd, int is_opened, int *score * AVERROR code otherwise */ int av_probe_input_buffer2(AVIOContext *pb, AVInputFormat **fmt, - const char *filename, void *logctx, + const char *url, void *logctx, unsigned int offset, unsigned int max_probe_size); /** * Like av_probe_input_buffer2() but returns 0 on success */ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, - const char *filename, void *logctx, + const char *url, void *logctx, unsigned int offset, unsigned int max_probe_size); /** @@ -1965,7 +1965,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, * May be a pointer to NULL, in which case an AVFormatContext is allocated by this * function and written into ps. * Note that a user-supplied AVFormatContext will be freed on failure. - * @param filename Name of the stream to open. + * @param url URL of the stream to open. * @param fmt If non-NULL, this parameter forces a specific input format. * Otherwise the format is autodetected. * @param options A dictionary filled with AVFormatContext and demuxer-private options. @@ -1976,7 +1976,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, * * @note If you want to use custom IO, preallocate the format context and set its pb field. */ -int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputFormat *fmt, AVDictionary **options); +int avformat_open_input(AVFormatContext **ps, const char *url, AVInputFormat *fmt, AVDictionary **options); attribute_deprecated int av_demuxer_open(AVFormatContext *ic); From fa9873cce8c581b248af07d2dbfe9e9d98d9657b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 21 Jan 2016 21:01:47 +0100 Subject: [PATCH 0900/1352] avcodec/mjpegdec: Check for end for both bytes in unescaping Fixes assertion failure Fixes: c40c779601b77dc6e19aaea0b04b9751/signal_sigabrt_7ffff6ae7cb7_5769_b94f6ec70caecb2d3d76b4771b109ac1.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 509c9e74e548139285f30ed8dcc9baf1d64359fa) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 8e3a98a7d9..55313525c0 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1915,7 +1915,7 @@ int ff_mjpeg_find_marker(MJpegDecodeContext *s, while (b < t) { uint8_t x = src[b++]; put_bits(&pb, 8, x); - if (x == 0xFF) { + if (x == 0xFF && b < t) { x = src[b++]; if (x & 0x80) { av_log(s->avctx, AV_LOG_WARNING, "Invalid escape sequence\n"); From 4f52c0a619ed587b2fb26a1e854b38264a7fdd5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 16:49:43 +0100 Subject: [PATCH 0901/1352] doc/demuxers: Document enable_drefs and use_absolute_path Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 9a8034b8bc1d1cd7a8889dc385d41744be47b159) Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index e5823227af..448fe036e3 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi 
@@ -339,6 +339,23 @@ ffmpeg -framerate 10 -pattern_type glob -i "*.png" out.mkv @end example @end itemize +@section mov/mp4/3gp/Quicktme + +Quicktime / MP4 demuxer. + +This demuxer accepts the following options: +@table @option +@item enable_drefs +Enable loading of external tracks, disabled by default. +Enabling this can theoretically leak information in some use cases. + +@item use_absolute_path +Allows loading of external tracks via absolute paths, disabled by default. +Enabling this poses a security risk. It should only be enabled if the source +is known to be non malicious. + +@end table + @section mpegts MPEG-2 transport stream demuxer. From 53f5efcae11764e1232e0bb91cf53129ad8da2d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2016 11:10:27 +0100 Subject: [PATCH 0902/1352] avformat/concat: Check protocol prefix Reviewed-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 8e32d014322eada1812af268d7ea9d53169d279c) Signed-off-by: Michael Niedermayer --- libavformat/concat.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/concat.c b/libavformat/concat.c index 3bbc83dfef..a1ab772193 100644 --- a/libavformat/concat.c +++ b/libavformat/concat.c @@ -64,7 +64,10 @@ static av_cold int concat_open(URLContext *h, const char *uri, int flags) struct concat_data *data = h->priv_data; struct concat_nodes *nodes; - av_strstart(uri, "concat:", &uri); + if (!av_strstart(uri, "concat:", &uri)) { + av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); + return AVERROR(EINVAL); + } for (i = 0, len = 1; uri[i]; i++) if (uri[i] == *AV_CAT_SEPARATOR) From 106e0fff2e885db845f8d47d53e2f5c1152c1dab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Jan 2016 00:35:46 +0100 Subject: [PATCH 0903/1352] avformat: Document urls a bit Spell-checked-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit 3130556c0eb09f3da3c9de6473a97937a4648d62) 
Signed-off-by: Michael Niedermayer --- libavformat/avformat.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/avformat.h b/libavformat/avformat.h index 4362afda20..c6fd395724 100644 --- a/libavformat/avformat.h +++ b/libavformat/avformat.h @@ -78,6 +78,18 @@ * if its AVClass is non-NULL, and the protocols layer. See the discussion on * nesting in @ref avoptions documentation to learn how to access those. * + * @section urls + * URL strings in libavformat are made of a scheme/protocol, a ':', and a + * scheme specific string. URLs without a scheme and ':' used for local files + * are supported but deprecated. "file:" should be used for local files. + * + * It is important that the scheme string is not taken from untrusted + * sources without checks. + * + * Note that some schemes/protocols are quite powerful, allowing access to + * both local and remote files, parts of them, concatenations of them, local + * audio and video devices and so on. + * * @defgroup lavf_decoding Demuxing * @{ * Demuxers read a media file and split it into chunks of data (@em packets). A From ac8a265be81a58698c9f4641807ab8b6eb721b93 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 24 Jan 2016 20:47:49 +0100 Subject: [PATCH 0904/1352] avcodec/flacenc: fix calculation of bits required in case of custom sample rate Sample rate of 11025 takes 16 bits but previous code would pick only 8. Fixes assertion failure. Reviewed-by: Rostislav Pehlivanov Signed-off-by: Paul B Mahol (cherry picked from commit 3e7d6849120d61bb354376d52786c26f20e20835) Signed-off-by: Michael Niedermayer --- libavcodec/flacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c index 3b72888966..6ad6fd2f81 100644 --- a/libavcodec/flacenc.c +++ b/libavcodec/flacenc.c 
@@ -916,7 +916,7 @@ static int count_frame_header(FlacEncodeContext *s) count += 16; /* explicit sample rate */ - count += ((s->sr_code[0] == 12) + (s->sr_code[0] > 12)) * 8; + count += ((s->sr_code[0] == 12) + (s->sr_code[0] > 12) * 2) * 8; /* frame header CRC-8 */ count += 8; From 9a1433683cf30ddb163ded30bdb1c59759a8f07f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Jan 2016 03:42:46 +0100 Subject: [PATCH 0905/1352] avutil/opt: check for and handle errors in av_opt_set_dict2() Previously errors could result in random entries to be lost. Signed-off-by: Michael Niedermayer (cherry picked from commit f3ace85d8869c3dddd2d28d064002d0d912e3624) Signed-off-by: Michael Niedermayer --- libavutil/opt.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavutil/opt.c b/libavutil/opt.c index 8a378040e7..cd948af23b 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -1468,10 +1468,11 @@ int av_opt_set_dict2(void *obj, AVDictionary **options, int search_flags) while ((t = av_dict_get(*options, "", t, AV_DICT_IGNORE_SUFFIX))) { ret = av_opt_set(obj, t->key, t->value, search_flags); if (ret == AVERROR_OPTION_NOT_FOUND) - av_dict_set(&tmp, t->key, t->value, 0); - else if (ret < 0) { + ret = av_dict_set(&tmp, t->key, t->value, 0); + if (ret < 0) { av_log(obj, AV_LOG_ERROR, "Error setting option %s to value %s.\n", t->key, t->value); - break; + av_dict_free(&tmp); + return ret; } ret = 0; } From a944744f197a747251ace1bb7eb58eee0341ca10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jan 2016 17:13:10 +0100 Subject: [PATCH 0906/1352] avcodec/jpeg2000dec: More completely check cdef Fixes out of array access Fixes: j2k-poc.bin Found-by: Lucas Leong Signed-off-by: Michael Niedermayer (cherry picked from commit 0aada30510d809bccfd539a90ea37b61188f2cb4) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) 
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 67f88d9bc3..c80d6f7f3b 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1292,11 +1292,15 @@ static int jpeg2000_decode_tile(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile, if (tile->codsty[0].mct) mct_decode(s, tile); - if (s->cdef[0] < 0) { - for (x = 0; x < s->ncomponents; x++) - s->cdef[x] = x + 1; - if ((s->ncomponents & 1) == 0) - s->cdef[s->ncomponents-1] = 0; + for (x = 0; x < s->ncomponents; x++) { + if (s->cdef[x] < 0) { + for (x = 0; x < s->ncomponents; x++) { + s->cdef[x] = x + 1; + } + if ((s->ncomponents & 1) == 0) + s->cdef[s->ncomponents-1] = 0; + break; + } } if (s->precision <= 8) { From a49d870aac6c5c483c637c3fed11301bd42430fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2016 00:45:17 +0100 Subject: [PATCH 0907/1352] MAINTAINERS: remove unmaintained releases Signed-off-by: Michael Niedermayer --- MAINTAINERS | 4 ---- 1 file changed, 4 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index e558f28161..d21675b02f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -533,10 +533,6 @@ x86 Michael Niedermayer Releases ======== -2.4 Michael Niedermayer -2.2 Michael Niedermayer -1.2 Michael Niedermayer - If you want to maintain an older release, please contact us From 8380f62155d9aceffed919ba41aa0447efa77204 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Fri, 15 Jan 2016 17:03:49 +0000 Subject: [PATCH 0908/1352] mov: Add an option to toggle dref opening This feature is mostly only used by NLE software, and is both of dubious value being enabled by default, and a possible security risk. Signed-off-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit 712d962a6a29b1099cd872cfb07867175a93ac4c) Conflicts: libavformat/isom.h libavformat/mov.c libavformat/version.h 
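Review bot: The rewritten cdef fallback in jpeg2000_decode_tile uses `x` as the index of both the outer scan and the inner refill loop, so it is correct only because of the `break` that follows. Dropping or moving that `break` would silently change the iteration. Doing the scan first and the refill afterwards, or giving the inner loop its own index, removes that dependency. A comment should state that any negative entry resets the whole mapping to the default. The hunk rejects only negative entries, and whether values above `s->ncomponents` are bounded where cdef is parsed cannot be seen from here.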
Signed-off-by: Michael Niedermayer --- libavformat/isom.h | 1 + libavformat/mov.c | 24 +++++++++++++++++++----- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index 6fb0c4d41b..42b87c6494 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -172,6 +172,7 @@ typedef struct MOVContext { int bitrates_count; int moov_retry; int atom_depth; + int enable_drefs; } MOVContext; int ff_mp4_read_descr_len(AVIOContext *pb); diff --git a/libavformat/mov.c b/libavformat/mov.c index 6f46dbbcf8..3246d0a49b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2465,13 +2465,23 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (sc->dref_id-1 < sc->drefs_count && sc->drefs[sc->dref_id-1].path) { MOVDref *dref = &sc->drefs[sc->dref_id - 1]; - if (mov_open_dref(&sc->pb, c->fc->filename, dref, &c->fc->interrupt_callback, - c->use_absolute_path, c->fc) < 0) - av_log(c->fc, AV_LOG_ERROR, - "stream %d, error opening alias: path='%s', dir='%s', " - "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d\n", + if (c->enable_drefs) { + if (mov_open_dref(&sc->pb, c->fc->filename, dref, &c->fc->interrupt_callback, + c->use_absolute_path, c->fc) < 0) + av_log(c->fc, AV_LOG_ERROR, + "stream %d, error opening alias: path='%s', dir='%s', " + "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d\n", + st->index, dref->path, dref->dir, dref->filename, + dref->volume, dref->nlvl_from, dref->nlvl_to); + } else { + av_log(c->fc, AV_LOG_WARNING, + "Skipped opening external track: " + "stream %d, alias: path='%s', dir='%s', " + "filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d." + "Set enable_drefs to allow this.\n", st->index, dref->path, dref->dir, dref->filename, dref->volume, dref->nlvl_from, dref->nlvl_to); + } } else { sc->pb = c->fc->pb; sc->pb_is_copied = 1; 
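Review bot: The new warning in mov_read_trak joins two adjacent string literals with no space between them, so the message reads `nlvl_to=%d.Set enable_drefs to allow this.`. The first literal should end with a space: `"filename='%s', volume='%s', nlvl_from=%d, nlvl_to=%d. "`. The `if (c->enable_drefs)` branch needs a comment saying that external references come from the file being parsed and are therefore untrusted, which is why the default is off. The function body extends beyond the hunk on both sides.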
@@ -3904,6 +3914,8 @@ static int mov_read_seek(AVFormatContext *s, int stream_index, int64_t sample_ti return 0; } +#define OFFSET(x) offsetof(MOVContext, x) +#define FLAGS AV_OPT_FLAG_VIDEO_PARAM | AV_OPT_FLAG_DECODING_PARAM static const AVOption options[] = { {"use_absolute_path", "allow using absolute path when opening alias, this is a possible security issue", @@ -3911,6 +3923,8 @@ static const AVOption options[] = { 0, 1, AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_DECODING_PARAM}, {"ignore_editlist", "", offsetof(MOVContext, ignore_editlist), FF_OPT_TYPE_INT, {.i64 = 0}, 0, 1, AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_DECODING_PARAM}, + { "enable_drefs", "Enable external track support.", OFFSET(enable_drefs), AV_OPT_TYPE_INT, + {.i64 = 0}, 0, 1, FLAGS }, {NULL} }; From 3709c43887c85d89d1e6c54c5cb16e2c4de16866 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Feb 2016 02:28:30 +0100 Subject: [PATCH 0909/1352] Update for 2.4.13 Signed-off-by: Michael Niedermayer --- Changelog | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 77 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 39653b7667..47cf3eaa18 100644 --- a/Changelog +++ b/Changelog 
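Review bot: `FLAGS` is defined as an unparenthesised `|` expression, so any later use next to a tighter-binding operator would parse differently from what the name suggests. It should read `#define FLAGS (AV_OPT_FLAG_VIDEO_PARAM | AV_OPT_FLAG_DECODING_PARAM)`. The new `enable_drefs` entry also uses `AV_OPT_TYPE_INT`, `OFFSET()` and `FLAGS` while the two neighbouring entries keep `FF_OPT_TYPE_INT`, `offsetof(MOVContext, ...)` and the spelled-out flags. One style across the table would be easier to audit. The help text "Enable external track support." could state the risk the way `use_absolute_path` does, since the option makes the demuxer open paths named inside the input file.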
@@ -1,6 +1,81 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.4.13: +- mov: Add an option to toggle dref opening +- MAINTAINERS: remove unmaintained releases +- avcodec/jpeg2000dec: More completely check cdef +- avutil/opt: check for and handle errors in av_opt_set_dict2() +- avcodec/flacenc: fix calculation of bits required in case of custom sample rate +- avformat: Document urls a bit +- avformat/concat: Check protocol prefix +- doc/demuxers: Document enable_drefs and use_absolute_path +- avcodec/mjpegdec: Check for end for both bytes in unescaping +- avformat/avformat: Replace some references to filenames by urls +- avcodec/wmaenc: Check ff_wma_init() for failure +- avcodec/mpeg12enc: Move high resolution thread check to before initializing threads +- avformat/avio: Limit url option parsing to the documented cases +- avcodec/ass_split: Fix null pointer dereference in ff_ass_style_get() +- avcodec/gif: Fix lzw buffer size +- avcodec/put_bits: Assert buf_ptr in flush_put_bits() +- avcodec/tiff: Check subsample & rps values more completely +- swscale/swscale: Add some sanity checks for srcSlice* parameters +- swscale/x86/rgb2rgb_template: Fix planar2x() for short width +- swscale/swscale_unscaled: Fix odd height inputs for bayer_to_yv12_wrapper() +- swscale/swscale_unscaled: Fix odd height inputs for bayer_to_rgb24_wrapper() +- avcodec/wavpackenc: print channel count in av_log call +- configure: bump copyright year to 2016 +- avformat/hls: Even stricter URL checks +- avformat/hls: More strict url checks +- swscale/yuv2rgb: Increase YUV2RGB table headroom +- swscale/yuv2rgb: Factor YUVRGB_TABLE_LUMA_HEADROOM out +- avformat/hls: forbid all protocols except http(s) & file +- avformat/aviobuf: Fix end check in put_str16() +- avformat/asfenc: Check pts +- avcodec/mpeg4video: Check time_incr +- avcodec/wavpackenc: Check the number of channels +- avcodec/wavpackenc: Headers are per 
channel +- avcodec/dvdec: Fix "left shift of negative value -254" +- avcodec/mjpegdec: Fix negative shift +- avcodec/mss2: Check for repeat overflow +- avformat: Add integer fps from 31 to 60 to get_std_framerate() +- avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range +- avcodec/motion_est: Fix mv_penalty table size +- avcodec/h264_slice: Fix integer overflow in implicit weight computation +- swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions +- avcodec/put_bits: Always check buffer end before writing +- swscale/utils: Fix intermediate format for cascaded alpha downscaling +- avcodec/h264_refs: Fix long_idx check +- avfilter/vf_mpdecimate: Add missing emms_c() +- avformat/mxfenc: Do not crash if there is no packet in the first stream +- swscale/swscale-test: Fix slice height in random reference data creation. +- dca: fix misaligned access in avpriv_dca_convert_bitstream +- brstm: fix missing closing brace +- brstm: also allocate b->table in read_packet +- brstm: make sure an ADPC chunk was read for adpcm_thp +- vorbisdec: reject rangebits 0 with non-0 partitions +- vorbisdec: reject channel mapping with less than two channels +- ffmdec: reset packet_end in case of failure +- mjpegdec: extend check for incompatible values of s->rgb and s->ls +- avformat/ipmovie: put video decoding_map_size into packet and use it in decoder +- avcodec/samidec: make sure to properly restore parsing context after a tag +- x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse +- avcodec/mpeg4videodec: also for empty partitioned slices +- nuv: sanitize negative fps rate +- rawdec: only exempt BIT0 with need_copy from buffer sanity check +- mlvdec: check that index_entries exist +- nutdec: reject negative value_len in read_sm_data +- xwddec: prevent overflow of lsize * avctx->height +- nutdec: only copy the header if it exists +- exr: fix out of bounds read in get_code +- on2avc: limit number of bits to 30 in get_egolomb +- 
sonic: make sure num_taps * channels is not larger than frame_size +- opus_silk: fix typo causing overflow in silk_stabilize_lsf +- ffm: reject invalid codec_id and codec_type +- aaccoder: prevent crash of anmr coder +- swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* +- swscale/x86/rgb2rgb_template: Do not crash on misaligend stride + version 2.4.12: - avcodec/ffv1dec: Clear quant_table_count if its invalid - avcodec/ffv1dec: Print an error if the quant table count is invalid diff --git a/RELEASE b/RELEASE index cf95c0186a..b40e924755 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.4.12 +2.4.13 diff --git a/doc/Doxyfile b/doc/Doxyfile index 74e2732679..aaa4426e4a 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.4.12 +PROJECT_NUMBER = 2.4.13 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 From fcbbe360821d6664211df4d36ed0ad513e14d1dd Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 2 Mar 2016 11:20:07 +0100 Subject: [PATCH 0910/1352] doc/utils: fix typo for min() description Signed-off-by: Paul B Mahol (cherry picked from commit bdf474bcff29f5b40fe14f6fa1dbe10e69c73ab7) Signed-off-by: Timothy Gu --- doc/utils.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/utils.texi b/doc/utils.texi index 79bf2a22ac..00d6c31c11 100644 --- a/doc/utils.texi +++ b/doc/utils.texi @@ -861,7 +861,7 @@ Return 1 if @var{x} is lesser than or equal to @var{y}, 0 otherwise. Return the maximum between @var{x} and @var{y}. @item min(x, y) -Return the maximum between @var{x} and @var{y}. +Return the minimum between @var{x} and @var{y}. @item mod(x, y) Compute the remainder of division of @var{x} by @var{y}. 
From 3b6fe94289b816e75b8e7b32d6994410a55e9cf8 Mon Sep 17 00:00:00 2001 From: KO Myung-Hun Date: Mon, 15 Feb 2016 13:16:23 +0900 Subject: [PATCH 0911/1352] MAINTAINERS: add myself as an OS/2 maintainer Signed-off-by: Michael Niedermayer (cherry picked from commit 346ec917646c18fc9e26bddf04bfa8f8f1e2e18f) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index d21675b02f..008e232c7f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -528,6 +528,7 @@ Windows ICL Matthew Oliver ADI/Blackfin DSP Marc Hoffman Sparc Roman Shaposhnik x86 Michael Niedermayer +OS/2 KO Myung-Hun Releases From 765d6e1eee119b62a5d997903141ec2630f481ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Feb 2016 04:15:29 +0100 Subject: [PATCH 0912/1352] swscale/x86/output: Move code into yuv2planeX_mainloop Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit d07f6e5f1c36be675e0900edba3e40a32f05f0f4) Signed-off-by: Michael Niedermayer --- libswscale/x86/output.asm | 141 +++++++++++++++++++------------------- 1 file changed, 72 insertions(+), 69 deletions(-) diff --git a/libswscale/x86/output.asm b/libswscale/x86/output.asm index 9ea4af9535..9570969cea 100644 --- a/libswscale/x86/output.asm +++ b/libswscale/x86/output.asm 
@@ -54,75 +54,7 @@ SECTION .text ; int32_t if $output_size is 16. $filter is 12-bits. $filterSize is a multiple ; of 2. $offset is either 0 or 3. $dither holds 8 values. ;----------------------------------------------------------------------------- - -%macro yuv2planeX_fn 3 - -%if ARCH_X86_32 -%define cntr_reg fltsizeq -%define movsx mov -%else -%define cntr_reg r7 -%define movsx movsxd -%endif - -cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset -%if %1 == 8 || %1 == 9 || %1 == 10 - pxor m6, m6 -%endif ; %1 == 8/9/10 - -%if %1 == 8 -%if ARCH_X86_32 -%assign pad 0x2c - (stack_offset & 15) - SUB rsp, pad -%define m_dith m7 -%else ; x86-64 -%define m_dith m9 -%endif ; x86-32 - - ; create registers holding dither - movq m_dith, [ditherq] ; dither - test offsetd, offsetd - jz .no_rot -%if mmsize == 16 - punpcklqdq m_dith, m_dith -%endif ; mmsize == 16 - PALIGNR m_dith, m_dith, 3, m0 -.no_rot: -%if mmsize == 16 - punpcklbw m_dith, m6 -%if ARCH_X86_64 - punpcklwd m8, m_dith, m6 - pslld m8, 12 -%else ; x86-32 - punpcklwd m5, m_dith, m6 - pslld m5, 12 -%endif ; x86-32/64 - punpckhwd m_dith, m6 - pslld m_dith, 12 -%if ARCH_X86_32 - mova [rsp+ 0], m5 - mova [rsp+16], m_dith -%endif -%else ; mmsize == 8 - punpcklbw m5, m_dith, m6 - punpckhbw m_dith, m6 - punpcklwd m4, m5, m6 - punpckhwd m5, m6 - punpcklwd m3, m_dith, m6 - punpckhwd m_dith, m6 - pslld m4, 12 - pslld m5, 12 - pslld m3, 12 - pslld m_dith, 12 - mova [rsp+ 0], m4 - mova [rsp+ 8], m5 - mova [rsp+16], m3 - mova [rsp+24], m_dith -%endif ; mmsize == 8/16 -%endif ; %1 == 8 - - xor r5, r5 - +%macro yuv2planeX_mainloop 1 .pixelloop: %assign %%i 0 ; the rep here is for the 8bit output mmx case, where dither covers 
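Review bot: After this move the banner comment that documents the yuv2planeX arguments ("$filter is 12-bits. $filterSize is a multiple of 2 ...") sits directly above `%macro yuv2planeX_mainloop 1` instead of above `yuv2planeX_fn`, which is the code it describes. The new macro also has no comment of its own, although it depends on state set up by its caller: the `cntr_reg` and `movsx` defines, the dither registers or stack slots, and `r5` cleared to zero. I would keep the banner with `yuv2planeX_fn` and add a short header such as `; inner pixel/filter loops; expects cntr_reg, movsx, dither state and r5 == 0 set up by yuv2planeX_fn` to the helper.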
@@ -233,6 +165,77 @@ cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset %assign %%i %%i+2 %endrep jg .pixelloop +%endmacro + +%macro yuv2planeX_fn 3 + +%if ARCH_X86_32 +%define cntr_reg fltsizeq +%define movsx mov +%else +%define cntr_reg r7 +%define movsx movsxd +%endif + +cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset +%if %1 == 8 || %1 == 9 || %1 == 10 + pxor m6, m6 +%endif ; %1 == 8/9/10 + +%if %1 == 8 +%if ARCH_X86_32 +%assign pad 0x2c - (stack_offset & 15) + SUB rsp, pad +%define m_dith m7 +%else ; x86-64 +%define m_dith m9 +%endif ; x86-32 + + ; create registers holding dither + movq m_dith, [ditherq] ; dither + test offsetd, offsetd + jz .no_rot +%if mmsize == 16 + punpcklqdq m_dith, m_dith +%endif ; mmsize == 16 + PALIGNR m_dith, m_dith, 3, m0 +.no_rot: +%if mmsize == 16 + punpcklbw m_dith, m6 +%if ARCH_X86_64 + punpcklwd m8, m_dith, m6 + pslld m8, 12 +%else ; x86-32 + punpcklwd m5, m_dith, m6 + pslld m5, 12 +%endif ; x86-32/64 + punpckhwd m_dith, m6 + pslld m_dith, 12 +%if ARCH_X86_32 + mova [rsp+ 0], m5 + mova [rsp+16], m_dith +%endif +%else ; mmsize == 8 + punpcklbw m5, m_dith, m6 + punpckhbw m_dith, m6 + punpcklwd m4, m5, m6 + punpckhwd m5, m6 + punpcklwd m3, m_dith, m6 + punpckhwd m_dith, m6 + pslld m4, 12 + pslld m5, 12 + pslld m3, 12 + pslld m_dith, 12 + mova [rsp+ 0], m4 + mova [rsp+ 8], m5 + mova [rsp+16], m3 + mova [rsp+24], m_dith +%endif ; mmsize == 8/16 +%endif ; %1 == 8 + + xor r5, r5 + +yuv2planeX_mainloop %1 %if %1 == 8 %if ARCH_X86_32 From 5df4b6cf05846230683fcd3833fc2e06a710e712 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Feb 2016 00:14:56 +0100 Subject: [PATCH 0913/1352] swscale/x86/output: Fix yuv2planeX_16* with unaligned destination Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit f6492a2ea8df80be0ed9591aee4019cef0e36e99) 
Signed-off-by: Michael Niedermayer --- libswscale/x86/output.asm | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/libswscale/x86/output.asm b/libswscale/x86/output.asm index 9570969cea..133817cb71 100644 --- a/libswscale/x86/output.asm +++ b/libswscale/x86/output.asm @@ -54,8 +54,8 @@ SECTION .text ; int32_t if $output_size is 16. $filter is 12-bits. $filterSize is a multiple ; of 2. $offset is either 0 or 3. $dither holds 8 values. ;----------------------------------------------------------------------------- -%macro yuv2planeX_mainloop 1 -.pixelloop: +%macro yuv2planeX_mainloop 2 +.pixelloop_%2: %assign %%i 0 ; the rep here is for the 8bit output mmx case, where dither covers ; 8 pixels but we can only handle 2 pixels per register, and thus 4 @@ -82,7 +82,7 @@ SECTION .text mova m2, m1 %endif ; %1 == 8/9/10/16 movsx cntr_reg, fltsizem -.filterloop_ %+ %%i: +.filterloop_%2_ %+ %%i: ; input pixels mov r6, [srcq+gprsize*cntr_reg-2*gprsize] %if %1 == 16 @@ -129,7 +129,7 @@ SECTION .text %endif ; %1 == 8/9/10/16 sub cntr_reg, 2 - jg .filterloop_ %+ %%i + jg .filterloop_%2_ %+ %%i %if %1 == 16 psrad m2, 31 - %1 @@ -156,7 +156,7 @@ SECTION .text %endif ; mmxext/sse2/sse4/avx pminsw m2, [yuv2yuvX_%1_upper] %endif ; %1 == 9/10/16 - mova [dstq+r5*2], m2 + mov%2 [dstq+r5*2], m2 %endif ; %1 == 8/9/10/16 add r5, mmsize/2 @@ -164,7 +164,7 @@ SECTION .text %assign %%i %%i+2 %endrep - jg .pixelloop + jg .pixelloop_%2 %endmacro %macro yuv2planeX_fn 3 @@ -235,7 +235,16 @@ cglobal yuv2planeX_%1, %3, 8, %2, filter, fltsize, src, dst, w, dither, offset xor r5, r5 -yuv2planeX_mainloop %1 +%if mmsize == 8 || %1 == 8 + yuv2planeX_mainloop %1, a +%else ; mmsize == 16 + test dstq, 15 + jnz .unaligned + yuv2planeX_mainloop %1, a + REP_RET +.unaligned: + yuv2planeX_mainloop %1, u +%endif ; mmsize == 8/16 %if %1 == 8 %if ARCH_X86_32 From 758b15404755af97a7c538010561f84d9a02095c Mon Sep 17 00:00:00 2001 
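Review bot: The aligned branch in the last hunk returns early with `REP_RET`, bypassing everything that follows the macro invocation in `yuv2planeX_fn`. That is safe only because this branch is assembled when `%1 != 8`, while the stack adjustment shown in the trailing context is under `%if %1 == 8`. Nothing in the code states that invariant, so an epilogue added later for the 9/10/16-bit variants would be skipped on the aligned path. A comment such as `; early return is fine: no epilogue for %1 != 8` next to `REP_RET` would document it. A line above `test dstq, 15` should say that the `a`/`u` suffix selects `mova`/`movu` for the store to `dstq`.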
From: Michael Niedermayer Date: Mon, 22 Feb 2016 03:31:34 +0100 Subject: [PATCH 0914/1352] avutil/pixdesc: Make get_color_type() aware of CIE XYZ formats Signed-off-by: Michael Niedermayer (cherry picked from commit 1ec7a703806049265991723a8826bd61555edef4) Signed-off-by: Michael Niedermayer --- libavutil/pixdesc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c index 154392af20..13f69fa56f 100644 --- a/libavutil/pixdesc.c +++ b/libavutil/pixdesc.c @@ -2116,6 +2116,7 @@ enum AVPixelFormat av_pix_fmt_swap_endianness(enum AVPixelFormat pix_fmt) #define FF_COLOR_GRAY 1 /**< gray color space */ #define FF_COLOR_YUV 2 /**< YUV color space. 16 <= Y <= 235, 16 <= U, V <= 240 */ #define FF_COLOR_YUV_JPEG 3 /**< YUV color space. 0 <= Y <= 255, 0 <= U, V <= 255 */ +#define FF_COLOR_XYZ 4 #define pixdesc_has_alpha(pixdesc) \ ((pixdesc)->nb_components == 2 || (pixdesc)->nb_components == 4 || (pixdesc)->flags & AV_PIX_FMT_FLAG_PAL) @@ -2131,6 +2132,9 @@ static int get_color_type(const AVPixFmtDescriptor *desc) { if(desc->name && !strncmp(desc->name, "yuvj", 4)) return FF_COLOR_YUV_JPEG; + if(desc->name && !strncmp(desc->name, "xyz", 3)) + return FF_COLOR_XYZ; + if(desc->flags & AV_PIX_FMT_FLAG_RGB) return FF_COLOR_RGB; From 459baf97ea6e5045f93424fbda54c9ef06ce2fe9 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 23 Feb 2016 15:50:28 +0100 Subject: [PATCH 0915/1352] postproc: fix unaligned access Based on 59074310 by Andreas Cadhalpun. Fixes ticket #5259. (cherry picked from commit 2aa21eec1adcb3737be59f0eab7081c5a790faa9) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index c1deb71ec9..0376725af7 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c 
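Review bot: `FF_COLOR_XYZ` is the only constant in this group added without the trailing Doxygen comment its neighbours carry; it should read `#define FF_COLOR_XYZ 4 /**< CIE XYZ color space */`. The classification in get_color_type is a name-prefix match (`strncmp(desc->name, "xyz", 3)`), placed before the `AV_PIX_FMT_FLAG_RGB` test, so any descriptor whose name begins with "xyz" is typed as XYZ regardless of its flags. A one-line comment stating that the ordering is deliberate would help. The rest of get_color_type and the callers that compare color types are outside the hunk, so I could not check how they treat the new value.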
@@ -985,7 +985,7 @@ void pp_postprocess(const uint8_t * src[3], const int srcStride[3], int i; const int count= FFMAX(mbHeight * absQPStride, mbWidth); for(i=0; i<(count>>2); i++){ - ((uint32_t*)c->stdQPTable)[i] = (((const uint32_t*)QP_store)[i]>>1) & 0x7F7F7F7F; + AV_WN32(c->stdQPTable + (i<<2), AV_RN32(QP_store + (i<<2)) >> 1 & 0x7F7F7F7F); } for(i<<=2; istdQPTable[i] = QP_store[i]>>1; From 2cbec6adcf71b2abc852e7c4fa4cef4003424441 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Feb 2016 23:14:03 +0100 Subject: [PATCH 0916/1352] swscale/input: Fix GBRAP16 input Fixes part of Ticket5264 Signed-off-by: Michael Niedermayer (cherry picked from commit df36257a53561a51af969a6ea6319dd2579509b9) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libswscale/input.c b/libswscale/input.c index 6716f0dcec..18a0fe628f 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -808,6 +808,19 @@ static av_always_inline void planar_rgb16_to_y(uint8_t *_dst, const uint8_t *_sr } } +static av_always_inline void planar_rgb16_to_a(uint8_t *_dst, const uint8_t *_src[4], + int width, int bpc, int is_be, int32_t *rgb2yuv) +{ + int i; + const uint16_t **src = (const uint16_t **)_src; + uint16_t *dst = (uint16_t *)_dst; + int shift = bpc < 16 ? bpc : 14; + + for (i = 0; i < width; i++) { + dst[i] = rdpx(src[3] + i) << (14 - shift); + } +} + static av_always_inline void planar_rgb16_to_uv(uint8_t *_dstU, uint8_t *_dstV, const uint8_t *_src[4], int width, int bpc, int is_be, int32_t *rgb2yuv) 
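Review bot: The replacement line in pp_postprocess drops the parentheses the old expression had around the shift and now reads `AV_RN32(QP_store + (i<<2)) >> 1 & 0x7F7F7F7F`. It still evaluates as intended because `>>` binds tighter than `&`, but the reader has to recall the precedence table. Writing it as `AV_WN32(c->stdQPTable + (i<<2), (AV_RN32(QP_store + (i<<2)) >> 1) & 0x7F7F7F7F);` keeps the intent explicit. The loop still assumes both tables hold at least `count` bytes; their allocation is outside the hunk.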
@@ -836,6 +849,11 @@ static void planar_rgb##nbits##endian_name##_to_y(uint8_t *dst, const uint8_t *s { \ planar_rgb16_to_y(dst, src, w, nbits, endian, rgb2yuv); \ } \ +static void planar_rgb##nbits##endian_name##_to_a(uint8_t *dst, const uint8_t *src[4], \ + int w, int32_t *rgb2yuv) \ +{ \ + planar_rgb16_to_a(dst, src, w, nbits, endian, rgb2yuv); \ +} \ static void planar_rgb##nbits##endian_name##_to_uv(uint8_t *dstU, uint8_t *dstV, \ const uint8_t *src[4], int w, int32_t *rgb2yuv) \ { \ @@ -1158,6 +1176,7 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) c->readLumPlanar = planar_rgb14le_to_y; break; case AV_PIX_FMT_GBRAP16LE: + c->readAlpPlanar = planar_rgb16le_to_a; case AV_PIX_FMT_GBRP16LE: c->readLumPlanar = planar_rgb16le_to_y; break; @@ -1174,6 +1193,7 @@ av_cold void ff_sws_init_input_funcs(SwsContext *c) c->readLumPlanar = planar_rgb14be_to_y; break; case AV_PIX_FMT_GBRAP16BE: + c->readAlpPlanar = planar_rgb16be_to_a; case AV_PIX_FMT_GBRP16BE: c->readLumPlanar = planar_rgb16be_to_y; break; From e08ffaa46bcb9366527fdbc7ba24c372348adab6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Feb 2016 23:48:11 +0100 Subject: [PATCH 0917/1352] swscale/utils: Fix chrSrcHSubSample for GBRAP16 Fixes part of Ticket5264 Signed-off-by: Michael Niedermayer (cherry picked from commit 67e5bd0c501f7568fc8d93284d0f7eb40663ab06) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index 09310b4a9f..89c5d95c12 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c 
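Review bot: In ff_sws_init_input_funcs the new `case AV_PIX_FMT_GBRAP16LE:` and `case AV_PIX_FMT_GBRAP16BE:` labels set `c->readAlpPlanar` and then fall into the GBRP16 case without a marker. That reads like a missing `break`; adding `/* fall through */` after each assignment makes the intent clear and keeps fallthrough warnings quiet. The macro hunk also generates a static `planar_rgb##nbits##endian_name##_to_a` for every bit depth the macro is expanded with, while the visible hunks reference only the 16-bit LE and BE variants. The others would then be unused static functions, unless they are referenced outside these hunks.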
@@ -1184,6 +1184,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, srcFormat != AV_PIX_FMT_GBRP12BE && srcFormat != AV_PIX_FMT_GBRP12LE && srcFormat != AV_PIX_FMT_GBRP14BE && srcFormat != AV_PIX_FMT_GBRP14LE && srcFormat != AV_PIX_FMT_GBRP16BE && srcFormat != AV_PIX_FMT_GBRP16LE && + srcFormat != AV_PIX_FMT_GBRAP16BE && srcFormat != AV_PIX_FMT_GBRAP16LE && ((dstW >> c->chrDstHSubSample) <= (srcW >> 1) || (flags & SWS_FAST_BILINEAR))) c->chrSrcHSubSample = 1; From 212acaee63065b1f4f9973895d0a4c0817eb9e76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Feb 2016 15:48:28 +0100 Subject: [PATCH 0918/1352] avcodec/avpacket: clear priv in av_init_packet() This should fix leaving uninitialized pointers in priv which can confuse user applications. See: https://github.com/golang/go/issues/14426 Only or release branches Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer --- libavcodec/avpacket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index a87e8e3ead..b6a1600747 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -59,6 +59,7 @@ void av_init_packet(AVPacket *pkt) #if FF_API_DESTRUCT_PACKET FF_DISABLE_DEPRECATION_WARNINGS pkt->destruct = NULL; + pkt->priv = NULL; FF_ENABLE_DEPRECATION_WARNINGS #endif pkt->buf = NULL; From 79d9680c7b00d78dbdaab2ada89fa38fd9a539c7 Mon Sep 17 00:00:00 2001 
From: Boris Nagels Date: Sun, 6 Mar 2016 16:31:36 +0100 Subject: [PATCH 0919/1352] avformat/rtpenc: Fix integer overflow in NTP_TO_RTP_FORMAT RTCP synchronization packet was broken since commit in ffmpeg version > 2.8.3 (commit: e04b039b1528f4c7df5c2b93865651bfea168a19) Since this commit (2e814d0329aded98c811d0502839618f08642685) "rtpenc: Simplify code by introducing a macro for rescaling NTP timestamps", NTP_TO_RTP_FORMAT uses av_rescale_rnd() function to add the data to the packet. This causes an overflow in the av_rescale_rnd() function and it will return INT64_MIN. Causing the NTP stamp in the RTCP packet to have an invalid value. Github: Closes #182 Reverting commit '2e814d0329aded98c811d0502839618f08642685' solves the problem. (cherry picked from commit 1109ed7973c7fd1e7001898adc4976590d862122) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rtpenc.c b/libavformat/rtpenc.c index 8c5ce9763e..c64e8ce936 100644 --- a/libavformat/rtpenc.c +++ b/libavformat/rtpenc.c @@ -282,7 +282,8 @@ static void rtcp_send_sr(AVFormatContext *s1, int64_t ntp_time, int bye) avio_w8(s1->pb, RTCP_SR); avio_wb16(s1->pb, 6); /* length in words - 1 */ avio_wb32(s1->pb, s->ssrc); - avio_wb64(s1->pb, NTP_TO_RTP_FORMAT(ntp_time)); + avio_wb32(s1->pb, ntp_time / 1000000); + avio_wb32(s1->pb, ((ntp_time % 1000000) << 32) / 1000000); avio_wb32(s1->pb, rtp_ts); avio_wb32(s1->pb, s->packet_count); avio_wb32(s1->pb, s->octet_count); From 0edcb9e710e38b1fd604733008db1690aa286a98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jan 2016 22:13:14 +0100 Subject: [PATCH 0920/1352] avformat/concatdec: set safe mode to enabled instead of auto This is safer, as a selected demuxer could still mean that it was auto-detected by a user application Reviewed-previously-by: Nicolas George Reviewed-previously-by: Andreas Cadhalpun 
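Review bot: The fraction word in rtcp_send_sr is computed as `((ntp_time % 1000000) << 32) / 1000000` on a signed 64-bit value, so a negative `ntp_time` gives a negative remainder and the left shift is undefined. If `ntp_time` is always non-negative at this point (not established in the hunk), doing the shift on an unsigned value makes that explicit: `avio_wb32(s1->pb, ((uint64_t)(ntp_time % 1000000) << 32) / 1000000);`. The literal 1000000 now appears three times; a comment saying that `ntp_time` is in microseconds and that the two writes are the NTP seconds and 32-bit fraction fields would help. `NTP_TO_RTP_FORMAT` is no longer used by this call, and whether other users of the overflowing macro remain is outside the hunk.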
Signed-off-by: Michael Niedermayer (cherry picked from commit 689211d5727231c3fe92762d224dbadebdbf4e30) Conflicts: libavformat/concatdec.c --- doc/demuxers.texi | 6 ++++-- libavformat/concatdec.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 448fe036e3..101b0fc95f 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -78,7 +78,7 @@ All subsequent file-related directives apply to that file. @item @code{ffconcat version 1.0} Identify the script type and version. It also sets the @option{safe} option -to 1 if it was to its default -1. +to 1 if it was -1. To make FFmpeg recognize the format automatically, this directive must appears exactly as is (no extra space or byte-order-mark) on the very first @@ -125,7 +125,9 @@ component. If set to 0, any file name is accepted. -The default is -1, it is equivalent to 1 if the format was automatically +The default is 1. + +-1 is equivalent to 1 if the format was automatically probed and 0 otherwise. @item auto_convert diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 9e9857958d..a749515021 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -604,7 +604,7 @@ static int concat_seek(AVFormatContext *avf, int stream, static const AVOption options[] = { { "safe", "enable safe mode", - OFFSET(safe), AV_OPT_TYPE_INT, {.i64 = -1}, -1, 1, DEC }, + OFFSET(safe), AV_OPT_TYPE_INT, {.i64 = 1}, -1, 1, DEC }, { "auto_convert", "automatically convert bitstream format", OFFSET(auto_convert), AV_OPT_TYPE_INT, {.i64 = 0}, 0, 1, DEC }, { NULL } From 21844b7efb5eff75de5a05bafb042bd2b88222dd Mon Sep 17 00:00:00 2001 
From: Martin Cracauer Date: Tue, 1 Dec 2015 17:59:36 -0500 Subject: [PATCH 0921/1352] avutil/channel_layout: AV_CH_LAYOUT_6POINT1_BACK not reachable in parsing Trying to make heads and tails out of DTS 6.1 I can across this typo. I also noticed that this wiki page is incorrect or misleading, the channel order for 6.1 given does not match the source code. At the least it should be clarified that the layout given does not apply to DTS. https://trac.ffmpeg.org/wiki/AudioChannelManipulation Signed-off-by: Michael Niedermayer (cherry picked from commit 73d1398f0c4ce2de16790f46e05a79242137d153) Signed-off-by: Michael Niedermayer --- libavutil/channel_layout.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/channel_layout.c b/libavutil/channel_layout.c index 45249c4367..7aceb81971 100644 --- a/libavutil/channel_layout.c +++ b/libavutil/channel_layout.c @@ -94,7 +94,7 @@ static const struct { { "6.0(front)", 6, AV_CH_LAYOUT_6POINT0_FRONT }, { "hexagonal", 6, AV_CH_LAYOUT_HEXAGONAL }, { "6.1", 7, AV_CH_LAYOUT_6POINT1 }, - { "6.1", 7, AV_CH_LAYOUT_6POINT1_BACK }, + { "6.1(back)", 7, AV_CH_LAYOUT_6POINT1_BACK }, { "6.1(front)", 7, AV_CH_LAYOUT_6POINT1_FRONT }, { "7.0", 7, AV_CH_LAYOUT_7POINT0 }, { "7.0(front)", 7, AV_CH_LAYOUT_7POINT0_FRONT }, From e79f2c899bb2edb7faa636641743762c79906206 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 15:18:53 +0100 Subject: [PATCH 0922/1352] avutil/random_seed: Add the runtime in cycles of the main loop to the entropy pool This should theoretically improve the randomness slightly Signed-off-by: Michael Niedermayer (cherry picked from commit 2540d884f3fd7cfac503e048112098967be2569a) Signed-off-by: Michael Niedermayer --- libavutil/random_seed.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index 8aa8c3879b..5af8e9e524 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c 
@@ -97,8 +97,13 @@ static uint32_t get_generic_seed(void) last_t = t; } - if(TEST) + if(TEST) { buffer[0] = buffer[1] = 0; + } else { +#ifdef AV_READ_TIME + buffer[111] += AV_READ_TIME(); +#endif + } av_sha_init(sha, 160); av_sha_update(sha, (const uint8_t *)buffer, sizeof(buffer)); From e6a282a4bbdb56da4672b45606f6c2646ed34d8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Przemys=C5=82aw=20Sobala?= Date: Fri, 18 Sep 2015 15:40:58 +0200 Subject: [PATCH 0923/1352] avcodec/imgconvert: Support non-planar colorspaces while padding Signed-off-by: Michael Niedermayer (cherry picked from commit 0d097a869c38850c9ac09bccef60a229470f489b) Signed-off-by: Michael Niedermayer --- libavcodec/imgconvert.c | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 158bc739a1..c6e52b381a 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c 
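Review bot: `buffer[111] += AV_READ_TIME();` in get_generic_seed writes to a hard-coded slot with no explanation of why 111 was chosen. The declaration of `buffer` is outside the hunk, so its bound cannot be checked from here. A comment on the line, for example `/* arbitrary slot below the array size; += preserves the samples already stored there */`, or a named index would make the assumption reviewable. The value returned by `AV_READ_TIME()` is presumably wider than the array element and is truncated silently. On builds where `AV_READ_TIME` is not defined the `else` branch is empty, so the change adds no entropy there.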
@@ -236,9 +236,41 @@ int av_picture_pad(AVPicture *dst, const AVPicture *src, int height, int width, int x_shift; int yheight; int i, y; + int max_step[4]; - if (pix_fmt < 0 || pix_fmt >= AV_PIX_FMT_NB || - !is_yuv_planar(desc)) return -1; + if (pix_fmt < 0 || pix_fmt >= AV_PIX_FMT_NB) + return -1; + + if (!is_yuv_planar(desc)) { + if (src) + return -1; //TODO: Not yet implemented + + av_image_fill_max_pixsteps(max_step, NULL, desc); + + if (padtop || padleft) { + memset(dst->data[0], color[0], + dst->linesize[0] * padtop + (padleft * max_step[0])); + } + + if (padleft || padright) { + optr = dst->data[0] + dst->linesize[0] * padtop + + (dst->linesize[0] - (padright * max_step[0])); + yheight = height - 1 - (padtop + padbottom); + for (y = 0; y < yheight; y++) { + memset(optr, color[0], (padleft + padright) * max_step[0]); + optr += dst->linesize[0]; + } + } + + if (padbottom || padright) { + optr = dst->data[0] + dst->linesize[0] * (height - padbottom) - + (padright * max_step[0]); + memset(optr, color[0], dst->linesize[0] * padbottom + + (padright * max_step[0])); + } + + return 0; + } for (i = 0; i < 3; i++) { x_shift = i ? desc->log2_chroma_w : 0; @@ -284,6 +316,7 @@ int av_picture_pad(AVPicture *dst, const AVPicture *src, int height, int width, (padbottom >> y_shift) + (padright >> x_shift)); } } + return 0; } From 75ffdae4d3e6f2fe65181b4ed70e230520086806 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Feb 2016 19:58:18 -0500 Subject: [PATCH 0924/1352] indeo2data: K&R formatting cosmetics Signed-off-by: Vittorio Giovara Signed-off-by: Diego Biurrun (cherry picked from commit d4066a702407352a0648af882c34ea81a404fa2b) (cherry picked from commit 522ab0b9a92962edda7156a91a494a1e2b8a7f64) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2data.h | 208 ++++++++++++++++++++-------------------- 1 file changed, 104 insertions(+), 104 deletions(-) diff --git a/libavcodec/indeo2data.h b/libavcodec/indeo2data.h index 0d6d82f22c..8fd664c6ab 100644 
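Review bot: The new non-planar branch of av_picture_pad computes memset offsets and lengths directly from `padtop`, `padbottom`, `padleft`, `padright` and `height` without checking them. A negative pad, or pads larger than the picture, gives a pointer before `dst->data[0]` or a length that becomes huge once converted to `size_t`. Unless every caller already validates these (not visible here), the branch should start with `if (padtop < 0 || padbottom < 0 || padleft < 0 || padright < 0 || padtop + padbottom > height || padleft + padright > width) return -1;`. The branch fills every byte with `color[0]` only, so `color[1]` and `color[2]` are ignored for packed formats; that limitation belongs in a comment next to the existing `//TODO`. The function body begins before and continues after the hunk.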
--- a/libavcodec/indeo2data.h +++ b/libavcodec/indeo2data.h 
@@ -27,115 +27,115 @@ #define IR2_CODES 143 static const uint16_t ir2_codes[IR2_CODES][2] = { #ifdef BITSTREAM_READER_LE -{0x0000, 3}, {0x0004, 3}, {0x0006, 3}, {0x0001, 5}, -{0x0009, 5}, {0x0019, 5}, {0x000D, 5}, {0x001D, 5}, -{0x0023, 6}, {0x0013, 6}, {0x0033, 6}, {0x000B, 6}, -{0x002B, 6}, {0x001B, 6}, {0x0007, 8}, {0x0087, 8}, -{0x0027, 8}, {0x00A7, 8}, {0x0067, 8}, {0x00E7, 8}, -{0x0097, 8}, {0x0057, 8}, {0x0037, 8}, {0x00B7, 8}, -{0x00F7, 8}, {0x000F, 9}, {0x008F, 9}, {0x018F, 9}, -{0x014F, 9}, {0x00CF, 9}, {0x002F, 9}, {0x012F, 9}, -{0x01AF, 9}, {0x006F, 9}, {0x00EF, 9}, {0x01EF, 9}, -{0x001F, 10}, {0x021F, 10}, {0x011F, 10}, {0x031F, 10}, -{0x009F, 10}, {0x029F, 10}, {0x019F, 10}, {0x039F, 10}, -{0x005F, 10}, {0x025F, 10}, {0x015F, 10}, {0x035F, 10}, -{0x00DF, 10}, {0x02DF, 10}, {0x01DF, 10}, {0x03DF, 10}, -{0x003F, 13}, {0x103F, 13}, {0x083F, 13}, {0x183F, 13}, -{0x043F, 13}, {0x143F, 13}, {0x0C3F, 13}, {0x1C3F, 13}, -{0x023F, 13}, {0x123F, 13}, {0x0A3F, 13}, {0x1A3F, 13}, -{0x063F, 13}, {0x163F, 13}, {0x0E3F, 13}, {0x1E3F, 13}, -{0x013F, 13}, {0x113F, 13}, {0x093F, 13}, {0x193F, 13}, -{0x053F, 13}, {0x153F, 13}, {0x0D3F, 13}, {0x1D3F, 13}, -{0x033F, 13}, {0x133F, 13}, {0x0B3F, 13}, {0x1B3F, 13}, -{0x073F, 13}, {0x173F, 13}, {0x0F3F, 13}, {0x1F3F, 13}, -{0x00BF, 13}, {0x10BF, 13}, {0x08BF, 13}, {0x18BF, 13}, -{0x04BF, 13}, {0x14BF, 13}, {0x0CBF, 13}, {0x1CBF, 13}, -{0x02BF, 13}, {0x12BF, 13}, {0x0ABF, 13}, {0x1ABF, 13}, -{0x06BF, 13}, {0x16BF, 13}, {0x0EBF, 13}, {0x1EBF, 13}, -{0x01BF, 13}, {0x11BF, 13}, {0x09BF, 13}, {0x19BF, 13}, -{0x05BF, 13}, {0x15BF, 13}, {0x0DBF, 13}, {0x1DBF, 13}, -{0x03BF, 13}, {0x13BF, 13}, {0x0BBF, 13}, {0x1BBF, 13}, -{0x07BF, 13}, {0x17BF, 13}, {0x0FBF, 13}, {0x1FBF, 13}, -{0x007F, 14}, {0x207F, 14}, {0x107F, 14}, {0x307F, 14}, -{0x087F, 14}, {0x287F, 14}, {0x187F, 14}, {0x387F, 14}, -{0x047F, 14}, {0x247F, 14}, {0x147F, 14}, {0x0002, 3}, -{0x0011, 5}, {0x0005, 5}, {0x0015, 5}, {0x0003, 6}, -{0x003B, 6}, {0x0047, 8}, {0x00C7, 
8}, {0x0017, 8}, -{0x00D7, 8}, {0x0077, 8}, {0x010F, 9}, {0x004F, 9}, -{0x01CF, 9}, {0x00AF, 9}, {0x016F, 9}, + { 0x0000, 3 }, { 0x0004, 3 }, { 0x0006, 3 }, { 0x0001, 5 }, + { 0x0009, 5 }, { 0x0019, 5 }, { 0x000D, 5 }, { 0x001D, 5 }, + { 0x0023, 6 }, { 0x0013, 6 }, { 0x0033, 6 }, { 0x000B, 6 }, + { 0x002B, 6 }, { 0x001B, 6 }, { 0x0007, 8 }, { 0x0087, 8 }, + { 0x0027, 8 }, { 0x00A7, 8 }, { 0x0067, 8 }, { 0x00E7, 8 }, + { 0x0097, 8 }, { 0x0057, 8 }, { 0x0037, 8 }, { 0x00B7, 8 }, + { 0x00F7, 8 }, { 0x000F, 9 }, { 0x008F, 9 }, { 0x018F, 9 }, + { 0x014F, 9 }, { 0x00CF, 9 }, { 0x002F, 9 }, { 0x012F, 9 }, + { 0x01AF, 9 }, { 0x006F, 9 }, { 0x00EF, 9 }, { 0x01EF, 9 }, + { 0x001F, 10 }, { 0x021F, 10 }, { 0x011F, 10 }, { 0x031F, 10 }, + { 0x009F, 10 }, { 0x029F, 10 }, { 0x019F, 10 }, { 0x039F, 10 }, + { 0x005F, 10 }, { 0x025F, 10 }, { 0x015F, 10 }, { 0x035F, 10 }, + { 0x00DF, 10 }, { 0x02DF, 10 }, { 0x01DF, 10 }, { 0x03DF, 10 }, + { 0x003F, 13 }, { 0x103F, 13 }, { 0x083F, 13 }, { 0x183F, 13 }, + { 0x043F, 13 }, { 0x143F, 13 }, { 0x0C3F, 13 }, { 0x1C3F, 13 }, + { 0x023F, 13 }, { 0x123F, 13 }, { 0x0A3F, 13 }, { 0x1A3F, 13 }, + { 0x063F, 13 }, { 0x163F, 13 }, { 0x0E3F, 13 }, { 0x1E3F, 13 }, + { 0x013F, 13 }, { 0x113F, 13 }, { 0x093F, 13 }, { 0x193F, 13 }, + { 0x053F, 13 }, { 0x153F, 13 }, { 0x0D3F, 13 }, { 0x1D3F, 13 }, + { 0x033F, 13 }, { 0x133F, 13 }, { 0x0B3F, 13 }, { 0x1B3F, 13 }, + { 0x073F, 13 }, { 0x173F, 13 }, { 0x0F3F, 13 }, { 0x1F3F, 13 }, + { 0x00BF, 13 }, { 0x10BF, 13 }, { 0x08BF, 13 }, { 0x18BF, 13 }, + { 0x04BF, 13 }, { 0x14BF, 13 }, { 0x0CBF, 13 }, { 0x1CBF, 13 }, + { 0x02BF, 13 }, { 0x12BF, 13 }, { 0x0ABF, 13 }, { 0x1ABF, 13 }, + { 0x06BF, 13 }, { 0x16BF, 13 }, { 0x0EBF, 13 }, { 0x1EBF, 13 }, + { 0x01BF, 13 }, { 0x11BF, 13 }, { 0x09BF, 13 }, { 0x19BF, 13 }, + { 0x05BF, 13 }, { 0x15BF, 13 }, { 0x0DBF, 13 }, { 0x1DBF, 13 }, + { 0x03BF, 13 }, { 0x13BF, 13 }, { 0x0BBF, 13 }, { 0x1BBF, 13 }, + { 0x07BF, 13 }, { 0x17BF, 13 }, { 0x0FBF, 13 }, { 0x1FBF, 13 }, + { 0x007F, 
14 }, { 0x207F, 14 }, { 0x107F, 14 }, { 0x307F, 14 }, + { 0x087F, 14 }, { 0x287F, 14 }, { 0x187F, 14 }, { 0x387F, 14 }, + { 0x047F, 14 }, { 0x247F, 14 }, { 0x147F, 14 }, { 0x0002, 3 }, + { 0x0011, 5 }, { 0x0005, 5 }, { 0x0015, 5 }, { 0x0003, 6 }, + { 0x003B, 6 }, { 0x0047, 8 }, { 0x00C7, 8 }, { 0x0017, 8 }, + { 0x00D7, 8 }, { 0x0077, 8 }, { 0x010F, 9 }, { 0x004F, 9 }, + { 0x01CF, 9 }, { 0x00AF, 9 }, { 0x016F, 9 }, #else - {0x0000, 3}, {0x0001, 3}, {0x0003, 3}, {0x0010, 5}, - {0x0012, 5}, {0x0013, 5}, {0x0016, 5}, {0x0017, 5}, - {0x0031, 6}, {0x0032, 6}, {0x0033, 6}, {0x0034, 6}, - {0x0035, 6}, {0x0036, 6}, {0x00E0, 8}, {0x00E1, 8}, - {0x00E4, 8}, {0x00E5, 8}, {0x00E6, 8}, {0x00E7, 8}, - {0x00E9, 8}, {0x00EA, 8}, {0x00EC, 8}, {0x00ED, 8}, - {0x00EF, 8}, {0x01E0, 9}, {0x01E2, 9}, {0x01E3, 9}, - {0x01E5, 9}, {0x01E6, 9}, {0x01E8, 9}, {0x01E9, 9}, - {0x01EB, 9}, {0x01EC, 9}, {0x01EE, 9}, {0x01EF, 9}, - {0x03E0, 10}, {0x03E1, 10}, {0x03E2, 10}, {0x03E3, 10}, - {0x03E4, 10}, {0x03E5, 10}, {0x03E6, 10}, {0x03E7, 10}, - {0x03E8, 10}, {0x03E9, 10}, {0x03EA, 10}, {0x03EB, 10}, - {0x03EC, 10}, {0x03ED, 10}, {0x03EE, 10}, {0x03EF, 10}, - {0x1F80, 13}, {0x1F81, 13}, {0x1F82, 13}, {0x1F83, 13}, - {0x1F84, 13}, {0x1F85, 13}, {0x1F86, 13}, {0x1F87, 13}, - {0x1F88, 13}, {0x1F89, 13}, {0x1F8A, 13}, {0x1F8B, 13}, - {0x1F8C, 13}, {0x1F8D, 13}, {0x1F8E, 13}, {0x1F8F, 13}, - {0x1F90, 13}, {0x1F91, 13}, {0x1F92, 13}, {0x1F93, 13}, - {0x1F94, 13}, {0x1F95, 13}, {0x1F96, 13}, {0x1F97, 13}, - {0x1F98, 13}, {0x1F99, 13}, {0x1F9A, 13}, {0x1F9B, 13}, - {0x1F9C, 13}, {0x1F9D, 13}, {0x1F9E, 13}, {0x1F9F, 13}, - {0x1FA0, 13}, {0x1FA1, 13}, {0x1FA2, 13}, {0x1FA3, 13}, - {0x1FA4, 13}, {0x1FA5, 13}, {0x1FA6, 13}, {0x1FA7, 13}, - {0x1FA8, 13}, {0x1FA9, 13}, {0x1FAA, 13}, {0x1FAB, 13}, - {0x1FAC, 13}, {0x1FAD, 13}, {0x1FAE, 13}, {0x1FAF, 13}, - {0x1FB0, 13}, {0x1FB1, 13}, {0x1FB2, 13}, {0x1FB3, 13}, - {0x1FB4, 13}, {0x1FB5, 13}, {0x1FB6, 13}, {0x1FB7, 13}, - {0x1FB8, 13}, {0x1FB9, 13}, {0x1FBA, 13}, 
{0x1FBB, 13}, - {0x1FBC, 13}, {0x1FBD, 13}, {0x1FBE, 13}, {0x1FBF, 13}, - {0x3F80, 14}, {0x3F81, 14}, {0x3F82, 14}, {0x3F83, 14}, - {0x3F84, 14}, {0x3F85, 14}, {0x3F86, 14}, {0x3F87, 14}, - {0x3F88, 14}, {0x3F89, 14}, {0x3F8A, 14}, {0x0002, 3}, - {0x0011, 5}, {0x0014, 5}, {0x0015, 5}, {0x0030, 6}, - {0x0037, 6}, {0x00E2, 8}, {0x00E3, 8}, {0x00E8, 8}, - {0x00EB, 8}, {0x00EE, 8}, {0x01E1, 9}, {0x01E4, 9}, - {0x01E7, 9}, {0x01EA, 9}, {0x01ED, 9} + { 0x0000, 3 }, { 0x0001, 3 }, { 0x0003, 3 }, { 0x0010, 5 }, + { 0x0012, 5 }, { 0x0013, 5 }, { 0x0016, 5 }, { 0x0017, 5 }, + { 0x0031, 6 }, { 0x0032, 6 }, { 0x0033, 6 }, { 0x0034, 6 }, + { 0x0035, 6 }, { 0x0036, 6 }, { 0x00E0, 8 }, { 0x00E1, 8 }, + { 0x00E4, 8 }, { 0x00E5, 8 }, { 0x00E6, 8 }, { 0x00E7, 8 }, + { 0x00E9, 8 }, { 0x00EA, 8 }, { 0x00EC, 8 }, { 0x00ED, 8 }, + { 0x00EF, 8 }, { 0x01E0, 9 }, { 0x01E2, 9 }, { 0x01E3, 9 }, + { 0x01E5, 9 }, { 0x01E6, 9 }, { 0x01E8, 9 }, { 0x01E9, 9 }, + { 0x01EB, 9 }, { 0x01EC, 9 }, { 0x01EE, 9 }, { 0x01EF, 9 }, + { 0x03E0, 10 }, { 0x03E1, 10 }, { 0x03E2, 10 }, { 0x03E3, 10 }, + { 0x03E4, 10 }, { 0x03E5, 10 }, { 0x03E6, 10 }, { 0x03E7, 10 }, + { 0x03E8, 10 }, { 0x03E9, 10 }, { 0x03EA, 10 }, { 0x03EB, 10 }, + { 0x03EC, 10 }, { 0x03ED, 10 }, { 0x03EE, 10 }, { 0x03EF, 10 }, + { 0x1F80, 13 }, { 0x1F81, 13 }, { 0x1F82, 13 }, { 0x1F83, 13 }, + { 0x1F84, 13 }, { 0x1F85, 13 }, { 0x1F86, 13 }, { 0x1F87, 13 }, + { 0x1F88, 13 }, { 0x1F89, 13 }, { 0x1F8A, 13 }, { 0x1F8B, 13 }, + { 0x1F8C, 13 }, { 0x1F8D, 13 }, { 0x1F8E, 13 }, { 0x1F8F, 13 }, + { 0x1F90, 13 }, { 0x1F91, 13 }, { 0x1F92, 13 }, { 0x1F93, 13 }, + { 0x1F94, 13 }, { 0x1F95, 13 }, { 0x1F96, 13 }, { 0x1F97, 13 }, + { 0x1F98, 13 }, { 0x1F99, 13 }, { 0x1F9A, 13 }, { 0x1F9B, 13 }, + { 0x1F9C, 13 }, { 0x1F9D, 13 }, { 0x1F9E, 13 }, { 0x1F9F, 13 }, + { 0x1FA0, 13 }, { 0x1FA1, 13 }, { 0x1FA2, 13 }, { 0x1FA3, 13 }, + { 0x1FA4, 13 }, { 0x1FA5, 13 }, { 0x1FA6, 13 }, { 0x1FA7, 13 }, + { 0x1FA8, 13 }, { 0x1FA9, 13 }, { 0x1FAA, 13 }, { 0x1FAB, 13 }, + { 
0x1FAC, 13 }, { 0x1FAD, 13 }, { 0x1FAE, 13 }, { 0x1FAF, 13 }, + { 0x1FB0, 13 }, { 0x1FB1, 13 }, { 0x1FB2, 13 }, { 0x1FB3, 13 }, + { 0x1FB4, 13 }, { 0x1FB5, 13 }, { 0x1FB6, 13 }, { 0x1FB7, 13 }, + { 0x1FB8, 13 }, { 0x1FB9, 13 }, { 0x1FBA, 13 }, { 0x1FBB, 13 }, + { 0x1FBC, 13 }, { 0x1FBD, 13 }, { 0x1FBE, 13 }, { 0x1FBF, 13 }, + { 0x3F80, 14 }, { 0x3F81, 14 }, { 0x3F82, 14 }, { 0x3F83, 14 }, + { 0x3F84, 14 }, { 0x3F85, 14 }, { 0x3F86, 14 }, { 0x3F87, 14 }, + { 0x3F88, 14 }, { 0x3F89, 14 }, { 0x3F8A, 14 }, { 0x0002, 3 }, + { 0x0011, 5 }, { 0x0014, 5 }, { 0x0015, 5 }, { 0x0030, 6 }, + { 0x0037, 6 }, { 0x00E2, 8 }, { 0x00E3, 8 }, { 0x00E8, 8 }, + { 0x00EB, 8 }, { 0x00EE, 8 }, { 0x01E1, 9 }, { 0x01E4, 9 }, + { 0x01E7, 9 }, { 0x01EA, 9 }, { 0x01ED, 9 }, #endif }; static const uint8_t ir2_luma_table[256] = { - 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, - 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, - 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, - 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, - 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, - 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, - 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, - 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, - 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, - 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, - 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, - 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, - 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, - 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, - 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, - 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, - 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, - 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, - 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, - 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, - 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, - 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, - 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, - 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 
0xBA, 0x7C, - 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, - 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, - 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, - 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, - 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, - 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, - 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, - 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80 + 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, + 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, + 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, + 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, + 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, + 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, + 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, + 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, + 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, + 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, + 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, + 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, + 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, + 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, + 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, + 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, + 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, + 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, + 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, + 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, + 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, + 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, + 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, + 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, + 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, + 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, + 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, + 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, + 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, + 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, + 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, + 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 
0x80, 0x80, }; #endif /* AVCODEC_INDEO2DATA_H */ From 8a58f56ad0a0e52325f4481e429c989886524077 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 22 Feb 2016 19:58:19 -0500 Subject: [PATCH 0925/1352] indeo2: Fix banding artefacts Rename luma table to delta table and change how it is used. CC: libav-stable@libav.org Signed-off-by: Vittorio Giovara Signed-off-by: Diego Biurrun (cherry picked from commit f8c34f4b8d62afad3f63cf3d9617d73735bef8c1) (cherry picked from commit 73f3c8f73edf0a69502233b2c50fa9e7104f99ec) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 15 ++-- libavcodec/indeo2data.h | 162 ++++++++++++++++++++++++++++++++-------- 2 files changed, 138 insertions(+), 39 deletions(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index cccac44bf3..dd6853b898 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -148,6 +148,7 @@ static int ir2_decode_frame(AVCodecContext *avctx, AVFrame *picture = data; AVFrame * const p = s->picture; int start, ret; + int ltab, ctab; if ((ret = ff_reget_buffer(avctx, p)) < 0) return ret; 
@@ -169,34 +170,36 @@ static int ir2_decode_frame(AVCodecContext *avctx, init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); + ltab = buf[0x22] & 3; + ctab = buf[0x22] >> 2; if (s->decode_delta) { /* intraframe */ if ((ret = ir2_decode_plane(s, avctx->width, avctx->height, p->data[0], p->linesize[0], - ir2_luma_table)) < 0) + ir2_delta_table[ltab])) < 0) return ret; /* swapped U and V */ if ((ret = ir2_decode_plane(s, avctx->width >> 2, avctx->height >> 2, p->data[2], p->linesize[2], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; if ((ret = ir2_decode_plane(s, avctx->width >> 2, avctx->height >> 2, p->data[1], p->linesize[1], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; } else { /* interframe */ if ((ret = ir2_decode_plane_inter(s, avctx->width, avctx->height, p->data[0], p->linesize[0], - ir2_luma_table)) < 0) + ir2_delta_table[ltab])) < 0) return ret; /* swapped U and V */ if ((ret = ir2_decode_plane_inter(s, avctx->width >> 2, avctx->height >> 2, p->data[2], p->linesize[2], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; if ((ret = ir2_decode_plane_inter(s, avctx->width >> 2, avctx->height >> 2, p->data[1], p->linesize[1], - ir2_luma_table)) < 0) + ir2_delta_table[ctab])) < 0) return ret; } diff --git a/libavcodec/indeo2data.h b/libavcodec/indeo2data.h index 8fd664c6ab..e05c91ff58 100644 --- a/libavcodec/indeo2data.h +++ b/libavcodec/indeo2data.h 
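Review bot: `ctab = buf[0x22] >> 2` can be as large as 63 if `buf` is a byte buffer, yet it indexes `ir2_delta_table`, which this same commit declares as `[4][256]`, so a malformed frame header makes the chroma calls read past the end of the table. Only `ltab` is masked to two bits. Reject the frame before either plane is decoded: `if (ctab > 3) { av_log(avctx, AV_LOG_ERROR, "ctab %d is invalid\n", ctab); return AVERROR_INVALIDDATA; }`. Whether `buf_size` is known to exceed 0x22 at this point is decided outside the hunk, since ir2_decode_frame() starts before it and continues after it.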
@@ -103,39 +103,135 @@ static const uint16_t ir2_codes[IR2_CODES][2] = { #endif }; -static const uint8_t ir2_luma_table[256] = { - 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, - 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, - 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, - 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, - 0x77, 0x89, 0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, - 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, - 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, - 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, - 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, - 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, - 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, - 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, - 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, - 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, - 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, - 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, - 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, - 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, - 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, - 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, - 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, - 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, - 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, - 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, - 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, - 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, - 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, - 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, - 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, - 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, - 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, - 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80, +static const uint8_t ir2_delta_table[4][256] = { + { 0x80, 0x80, 0x84, 0x84, 0x7C, 0x7C, 0x7F, 0x85, + 0x81, 0x7B, 0x85, 0x7F, 0x7B, 0x81, 0x8C, 0x8C, + 0x74, 0x74, 0x83, 0x8D, 0x7D, 0x73, 0x8D, 0x83, + 0x73, 0x7D, 0x77, 0x89, 0x89, 0x77, 0x89, 0x77, + 0x77, 0x89, 
0x8C, 0x95, 0x74, 0x6B, 0x95, 0x8C, + 0x6B, 0x74, 0x7C, 0x90, 0x84, 0x70, 0x90, 0x7C, + 0x70, 0x84, 0x96, 0x96, 0x6A, 0x6A, 0x82, 0x98, + 0x7E, 0x68, 0x98, 0x82, 0x68, 0x7E, 0x97, 0xA2, + 0x69, 0x5E, 0xA2, 0x97, 0x5E, 0x69, 0xA2, 0xA2, + 0x5E, 0x5E, 0x8B, 0xA3, 0x75, 0x5D, 0xA3, 0x8B, + 0x5D, 0x75, 0x71, 0x95, 0x8F, 0x6B, 0x95, 0x71, + 0x6B, 0x8F, 0x78, 0x9D, 0x88, 0x63, 0x9D, 0x78, + 0x63, 0x88, 0x7F, 0xA7, 0x81, 0x59, 0xA7, 0x7F, + 0x59, 0x81, 0xA4, 0xB1, 0x5C, 0x4F, 0xB1, 0xA4, + 0x4F, 0x5C, 0x96, 0xB1, 0x6A, 0x4F, 0xB1, 0x96, + 0x4F, 0x6A, 0xB2, 0xB2, 0x4E, 0x4E, 0x65, 0x9B, + 0x9B, 0x65, 0x9B, 0x65, 0x65, 0x9B, 0x89, 0xB4, + 0x77, 0x4C, 0xB4, 0x89, 0x4C, 0x77, 0x6A, 0xA3, + 0x96, 0x5D, 0xA3, 0x6A, 0x5D, 0x96, 0x73, 0xAC, + 0x8D, 0x54, 0xAC, 0x73, 0x54, 0x8D, 0xB4, 0xC3, + 0x4C, 0x3D, 0xC3, 0xB4, 0x3D, 0x4C, 0xA4, 0xC3, + 0x5C, 0x3D, 0xC3, 0xA4, 0x3D, 0x5C, 0xC4, 0xC4, + 0x3C, 0x3C, 0x96, 0xC6, 0x6A, 0x3A, 0xC6, 0x96, + 0x3A, 0x6A, 0x7C, 0xBA, 0x84, 0x46, 0xBA, 0x7C, + 0x46, 0x84, 0x5B, 0xAB, 0xA5, 0x55, 0xAB, 0x5B, + 0x55, 0xA5, 0x63, 0xB4, 0x9D, 0x4C, 0xB4, 0x63, + 0x4C, 0x9D, 0x86, 0xCA, 0x7A, 0x36, 0xCA, 0x86, + 0x36, 0x7A, 0xB6, 0xD7, 0x4A, 0x29, 0xD7, 0xB6, + 0x29, 0x4A, 0xC8, 0xD7, 0x38, 0x29, 0xD7, 0xC8, + 0x29, 0x38, 0xA4, 0xD8, 0x5C, 0x28, 0xD8, 0xA4, + 0x28, 0x5C, 0x6C, 0xC1, 0x94, 0x3F, 0xC1, 0x6C, + 0x3F, 0x94, 0xD9, 0xD9, 0x27, 0x27, 0x80, 0x80, }, + { 0x80, 0x80, 0x85, 0x85, 0x7B, 0x7B, 0x7E, 0x87, + 0x82, 0x79, 0x87, 0x7E, 0x79, 0x82, 0x8F, 0x8F, + 0x71, 0x71, 0x84, 0x8F, 0x7C, 0x71, 0x8F, 0x84, + 0x71, 0x7C, 0x75, 0x8B, 0x8B, 0x75, 0x8B, 0x75, + 0x75, 0x8B, 0x8E, 0x9A, 0x72, 0x66, 0x9A, 0x8E, + 0x66, 0x72, 0x7B, 0x93, 0x85, 0x6D, 0x93, 0x7B, + 0x6D, 0x85, 0x9B, 0x9B, 0x65, 0x65, 0x82, 0x9D, + 0x7E, 0x63, 0x9D, 0x82, 0x63, 0x7E, 0x9B, 0xA8, + 0x65, 0x58, 0xA8, 0x9B, 0x58, 0x65, 0xA9, 0xA9, + 0x57, 0x57, 0x8D, 0xAA, 0x73, 0x56, 0xAA, 0x8D, + 0x56, 0x73, 0x6E, 0x99, 0x92, 0x67, 0x99, 0x6E, + 0x67, 0x92, 0x76, 0xA2, 0x8A, 0x5E, 0xA2, 0x76, + 0x5E, 
0x8A, 0x7F, 0xAF, 0x81, 0x51, 0xAF, 0x7F, + 0x51, 0x81, 0xAB, 0xBA, 0x55, 0x46, 0xBA, 0xAB, + 0x46, 0x55, 0x9A, 0xBB, 0x66, 0x45, 0xBB, 0x9A, + 0x45, 0x66, 0xBB, 0xBB, 0x45, 0x45, 0x60, 0xA0, + 0xA0, 0x60, 0xA0, 0x60, 0x60, 0xA0, 0x8B, 0xBE, + 0x75, 0x42, 0xBE, 0x8B, 0x42, 0x75, 0x66, 0xAA, + 0x9A, 0x56, 0xAA, 0x66, 0x56, 0x9A, 0x70, 0xB5, + 0x90, 0x4B, 0xB5, 0x70, 0x4B, 0x90, 0xBE, 0xCF, + 0x42, 0x31, 0xCF, 0xBE, 0x31, 0x42, 0xAB, 0xD0, + 0x55, 0x30, 0xD0, 0xAB, 0x30, 0x55, 0xD1, 0xD1, + 0x2F, 0x2F, 0x9A, 0xD3, 0x66, 0x2D, 0xD3, 0x9A, + 0x2D, 0x66, 0x7B, 0xC5, 0x85, 0x3B, 0xC5, 0x7B, + 0x3B, 0x85, 0x54, 0xB4, 0xAC, 0x4C, 0xB4, 0x54, + 0x4C, 0xAC, 0x5E, 0xBE, 0xA2, 0x42, 0xBE, 0x5E, + 0x42, 0xA2, 0x87, 0xD8, 0x79, 0x28, 0xD8, 0x87, + 0x28, 0x79, 0xC0, 0xE8, 0x40, 0x18, 0xE8, 0xC0, + 0x18, 0x40, 0xD5, 0xE8, 0x2B, 0x18, 0xE8, 0xD5, + 0x18, 0x2B, 0xAB, 0xE9, 0x55, 0x17, 0xE9, 0xAB, + 0x17, 0x55, 0x68, 0xCD, 0x98, 0x33, 0xCD, 0x68, + 0x33, 0x98, 0xEA, 0xEA, 0x16, 0x16, 0x80, 0x80, }, + { 0x80, 0x80, 0x86, 0x86, 0x7A, 0x7A, 0x7E, 0x88, + 0x82, 0x78, 0x88, 0x7E, 0x78, 0x82, 0x92, 0x92, + 0x6E, 0x6E, 0x85, 0x92, 0x7B, 0x6E, 0x92, 0x85, + 0x6E, 0x7B, 0x73, 0x8D, 0x8D, 0x73, 0x8D, 0x73, + 0x73, 0x8D, 0x91, 0x9E, 0x6F, 0x62, 0x9E, 0x91, + 0x62, 0x6F, 0x79, 0x97, 0x87, 0x69, 0x97, 0x79, + 0x69, 0x87, 0xA0, 0xA0, 0x60, 0x60, 0x83, 0xA2, + 0x7D, 0x5E, 0xA2, 0x83, 0x5E, 0x7D, 0xA0, 0xB0, + 0x60, 0x50, 0xB0, 0xA0, 0x50, 0x60, 0xB1, 0xB1, + 0x4F, 0x4F, 0x8F, 0xB2, 0x71, 0x4E, 0xB2, 0x8F, + 0x4E, 0x71, 0x6B, 0x9E, 0x95, 0x62, 0x9E, 0x6B, + 0x62, 0x95, 0x74, 0xA9, 0x8C, 0x57, 0xA9, 0x74, + 0x57, 0x8C, 0x7F, 0xB8, 0x81, 0x48, 0xB8, 0x7F, + 0x48, 0x81, 0xB4, 0xC5, 0x4C, 0x3B, 0xC5, 0xB4, + 0x3B, 0x4C, 0x9F, 0xC6, 0x61, 0x3A, 0xC6, 0x9F, + 0x3A, 0x61, 0xC6, 0xC6, 0x3A, 0x3A, 0x59, 0xA7, + 0xA7, 0x59, 0xA7, 0x59, 0x59, 0xA7, 0x8D, 0xCA, + 0x73, 0x36, 0xCA, 0x8D, 0x36, 0x73, 0x61, 0xB2, + 0x9F, 0x4E, 0xB2, 0x61, 0x4E, 0x9F, 0x6D, 0xBF, + 0x93, 0x41, 0xBF, 0x6D, 0x41, 0x93, 0xCA, 0xDF, + 
0x36, 0x21, 0xDF, 0xCA, 0x21, 0x36, 0xB3, 0xDF, + 0x4D, 0x21, 0xDF, 0xB3, 0x21, 0x4D, 0xE1, 0xE1, + 0x1F, 0x1F, 0x9F, 0xE3, 0x61, 0x1D, 0xE3, 0x9F, + 0x1D, 0x61, 0x7A, 0xD3, 0x86, 0x2D, 0xD3, 0x7A, + 0x2D, 0x86, 0x4C, 0xBE, 0xB4, 0x42, 0xBE, 0x4C, + 0x42, 0xB4, 0x57, 0xCA, 0xA9, 0x36, 0xCA, 0x57, + 0x36, 0xA9, 0x88, 0xE9, 0x78, 0x17, 0xE9, 0x88, + 0x17, 0x78, 0xCC, 0xFB, 0x34, 0x05, 0xFB, 0xCC, + 0x05, 0x34, 0xE6, 0xFB, 0x1A, 0x05, 0xFB, 0xE6, + 0x05, 0x1A, 0xB4, 0xFD, 0x4C, 0x03, 0xFD, 0xB4, + 0x03, 0x4C, 0x63, 0xDC, 0x9D, 0x24, 0xDC, 0x63, + 0x24, 0x9D, 0xFE, 0xFE, 0x02, 0x02, 0x80, 0x80, }, + { 0x80, 0x80, 0x87, 0x87, 0x79, 0x79, 0x7E, 0x89, + 0x82, 0x77, 0x89, 0x7E, 0x77, 0x82, 0x95, 0x95, + 0x6B, 0x6B, 0x86, 0x96, 0x7A, 0x6A, 0x96, 0x86, + 0x6A, 0x7A, 0x70, 0x90, 0x90, 0x70, 0x90, 0x70, + 0x70, 0x90, 0x94, 0xA4, 0x6C, 0x5C, 0xA4, 0x94, + 0x5C, 0x6C, 0x78, 0x9B, 0x88, 0x65, 0x9B, 0x78, + 0x65, 0x88, 0xA6, 0xA6, 0x5A, 0x5A, 0x83, 0xA9, + 0x7D, 0x57, 0xA9, 0x83, 0x57, 0x7D, 0xA6, 0xB9, + 0x5A, 0x47, 0xB9, 0xA6, 0x47, 0x5A, 0xBA, 0xBA, + 0x46, 0x46, 0x92, 0xBC, 0x6E, 0x44, 0xBC, 0x92, + 0x44, 0x6E, 0x67, 0xA3, 0x99, 0x5D, 0xA3, 0x67, + 0x5D, 0x99, 0x72, 0xB0, 0x8E, 0x50, 0xB0, 0x72, + 0x50, 0x8E, 0x7F, 0xC3, 0x81, 0x3D, 0xC3, 0x7F, + 0x3D, 0x81, 0xBE, 0xD2, 0x42, 0x2E, 0xD2, 0xBE, + 0x2E, 0x42, 0xA5, 0xD4, 0x5B, 0x2C, 0xD4, 0xA5, + 0x2C, 0x5B, 0xD4, 0xD4, 0x2C, 0x2C, 0x52, 0xAE, + 0xAE, 0x52, 0xAE, 0x52, 0x52, 0xAE, 0x8F, 0xD8, + 0x71, 0x28, 0xD8, 0x8F, 0x28, 0x71, 0x5B, 0xBB, + 0xA5, 0x45, 0xBB, 0x5B, 0x45, 0xA5, 0x69, 0xCB, + 0x97, 0x35, 0xCB, 0x69, 0x35, 0x97, 0xD8, 0xF0, + 0x28, 0x10, 0xF0, 0xD8, 0x10, 0x28, 0xBD, 0xF1, + 0x43, 0x0F, 0xF1, 0xBD, 0x0F, 0x43, 0xF3, 0xF3, + 0x0D, 0x0D, 0xA5, 0xF6, 0x5B, 0x0A, 0xF6, 0xA5, + 0x0A, 0x5B, 0x78, 0xE2, 0x88, 0x1E, 0xE2, 0x78, + 0x1E, 0x88, 0x42, 0xC9, 0xBE, 0x37, 0xC9, 0x42, + 0x37, 0xBE, 0x4F, 0xD8, 0xB1, 0x28, 0xD8, 0x4F, + 0x28, 0xB1, 0x8A, 0xFD, 0x76, 0x03, 0xFD, 0x8A, + 0x03, 0x76, 0xDB, 0xFF, 0x25, 0x01, 0xFF, 
0xDB, + 0x01, 0x25, 0xF9, 0xFF, 0x07, 0x01, 0xFF, 0xF9, + 0x01, 0x07, 0xBE, 0xFF, 0x42, 0x01, 0xFF, 0xBE, + 0x01, 0x42, 0x5E, 0xED, 0xA2, 0x13, 0xED, 0x5E, + 0x13, 0xA2, 0xFF, 0xFF, 0x01, 0x01, 0x80, 0x80, }, }; #endif /* AVCODEC_INDEO2DATA_H */ From fb3b1bf5d6ae1540fb3126a4759ddf361d0df158 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Mar 2016 19:40:32 +0100 Subject: [PATCH 0926/1352] avcodec/resample: Remove disabled and faulty code Fixes Ticket5345 Signed-off-by: Michael Niedermayer (cherry picked from commit 50ef7361cb5f78c94da2323f3bae86c6bbd618c8) Signed-off-by: Michael Niedermayer --- libavcodec/resample.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/resample.c b/libavcodec/resample.c index c45aa16cd1..ec311c7bfb 100644 --- a/libavcodec/resample.c +++ b/libavcodec/resample.c @@ -290,12 +290,6 @@ int audio_resample(ReSampleContext *s, short *output, short *input, int nb_sampl short *output_bak = NULL; int lenout; - if (s->input_channels == s->output_channels && s->ratio == 1.0 && 0) { - /* nothing to do */ - memcpy(output, input, nb_samples * s->input_channels * sizeof(short)); - return nb_samples; - } - if (s->sample_fmt[0] != AV_SAMPLE_FMT_S16) { int istride[1] = { s->sample_size[0] }; int ostride[1] = { 2 }; From 18254765391fd4f94eeb18e6544cef415a7b0a5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Mar 2016 15:41:30 +0100 Subject: [PATCH 0927/1352] avcodec/mjpegenc_common: Store approximate aspect if exact cannot be stored Fixes Ticket5244 Signed-off-by: Michael Niedermayer (cherry picked from commit 068026b0f7845e0f1850094d974f60d181480d64) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegenc_common.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 491c4c4efd..c0854613a0 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c 
@@ -117,6 +117,16 @@ static void jpeg_put_comments(AVCodecContext *avctx, PutBitContext *p) uint8_t *ptr; if (avctx->sample_aspect_ratio.num > 0 && avctx->sample_aspect_ratio.den > 0) { + AVRational sar = avctx->sample_aspect_ratio; + + if (sar.num > 65535 || sar.den > 65535) { + if (!av_reduce(&sar.num, &sar.den, avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 65535)) + av_log(avctx, AV_LOG_WARNING, + "Cannot store exact aspect ratio %d:%d\n", + avctx->sample_aspect_ratio.num, + avctx->sample_aspect_ratio.den); + } + /* JFIF header */ put_marker(p, APP0); put_bits(p, 16, 16); @@ -126,8 +136,8 @@ static void jpeg_put_comments(AVCodecContext *avctx, PutBitContext *p) * released revision. */ put_bits(p, 16, 0x0102); put_bits(p, 8, 0); /* units type: 0 - aspect ratio */ - put_bits(p, 16, avctx->sample_aspect_ratio.num); - put_bits(p, 16, avctx->sample_aspect_ratio.den); + put_bits(p, 16, sar.num); + put_bits(p, 16, sar.den); put_bits(p, 8, 0); /* thumbnail width */ put_bits(p, 8, 0); /* thumbnail height */ } From 7f3a3c2010e499e9cfc489156f993688f16e295d Mon Sep 17 00:00:00 2001 
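Review bot: After `av_reduce(..., 65535)` nothing checks that `sar.num` and `sar.den` are still non-zero. For a very lopsided ratio the reduction can, as far as I can tell, collapse one side to 0, which the `put_bits(p, 16, sar.num)` / `put_bits(p, 16, sar.den)` lines of the second hunk would then write into the JFIF density fields. A guard such as `if (sar.num <= 0 || sar.den <= 0) sar = (AVRational){ 1, 1 };` would keep the header valid. The warning also prints only the ratio that could not be stored; adding the reduced `sar.num`:`sar.den` to the message would tell the reader what was written instead. jpeg_put_comments() continues outside both hunks.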
From: Ico Doornekamp Date: Thu, 24 Mar 2016 14:31:38 +0100 Subject: [PATCH 0928/1352] avformat/rtpdec_jpeg: fix low contrast image on low quality setting Original mail and my own followup on ffmpeg-user earlier today: I have a device sending out a MJPEG/RTP stream on a low quality setting. Decoding and displaying the video with libavformat results in a washed out, low contrast, greyish image. Playing the same stream with VLC results in proper color representation. Screenshots for comparison: http://zevv.nl/div/libav/shot-ffplay.jpg http://zevv.nl/div/libav/shot-vlc.jpg A pcap capture of a few seconds of video and SDP file for playing the stream are available at http://zevv.nl/div/libav/mjpeg.pcap http://zevv.nl/div/libav/mjpeg.sdp I believe the problem might be in the calculation of the quantization tables in the function create_default_qtables(), the attached patch solves the issue for me. The problem is that the argument 'q' is of the type uint8_t. According to the JPEG standard, if 1 <= q <= 50, the scale factor 'S' should be 5000 / Q. Because the create_default_qtables() reuses the variable 'q' to store the result of this calculation, for small values of q < 19, q wil subsequently overflow and give wrong results in the calculated quantization tables. The patch below uses a new variable 'S' (same name as in RFC2435) with the proper range to store the result of the division. Signed-off-by: Michael Niedermayer (cherry picked from commit e3e6a2cff4af9542455d416faec4584d5e823d5d) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_jpeg.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/rtpdec_jpeg.c b/libavformat/rtpdec_jpeg.c index ccd80ad7e8..cefc00a370 100644 --- a/libavformat/rtpdec_jpeg.c +++ b/libavformat/rtpdec_jpeg.c 
@@ -207,16 +207,17 @@ static void create_default_qtables(uint8_t *qtables, uint8_t q) { int factor = q; int i; + uint16_t S; factor = av_clip(q, 1, 99); if (q < 50) - q = 5000 / factor; + S = 5000 / factor; else - q = 200 - factor * 2; + S = 200 - factor * 2; for (i = 0; i < 128; i++) { - int val = (default_quantizers[i] * q + 50) / 100; + int val = (default_quantizers[i] * S + 50) / 100; /* Limit the quantizers to 1 <= q <= 255. */ val = av_clip(val, 1, 255); From 3dbc54573ad0040600df6c2c5ac295202fb4ebeb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Mar 2016 20:55:30 +0100 Subject: [PATCH 0929/1352] avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set Reviewed-by: maintainer Signed-off-by: Michael Niedermayer (cherry picked from commit 0cd9ff4e3aa23318a855c21d60b1c9035b2b99d2) Signed-off-by: Michael Niedermayer --- libavcodec/libutvideodec.cpp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/libutvideodec.cpp b/libavcodec/libutvideodec.cpp index 60dbd15fa8..346f43f24a 100644 --- a/libavcodec/libutvideodec.cpp +++ b/libavcodec/libutvideodec.cpp @@ -162,9 +162,19 @@ static int utvideo_decode_frame(AVCodecContext *avctx, void *data, pic->data[0] = utv->buffer + utv->buf_size + pic->linesize[0]; break; } + pic->width = w; + pic->height = h; + pic->format = avctx->pix_fmt; + + if (avctx->refcounted_frames) { + int ret = av_frame_ref((AVFrame*)data, pic); + if (ret < 0) + return ret; + } else { + av_frame_move_ref((AVFrame*)data, pic); + } *got_frame = 1; - av_frame_move_ref((AVFrame*)data, pic); return avpkt->size; } From 87d7160a9aed889d59c20fa52700cc432d8c6df9 Mon Sep 17 00:00:00 2001 From: Aaron Boxer Date: Thu, 31 Mar 2016 16:02:14 -0400 Subject: [PATCH 0930/1352] avcodec/j2kenc: Add attribution to OpenJPEG project: http://ghostscript.com/~tor/gs-browse/gs/openjpeg/libopenjpeg/t1.c 
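Review bot: The new `S` in create_default_qtables() has no comment saying why it exists, and the reason is easy to undo by accident: `5000 / factor` reaches 5000 and does not fit the `uint8_t` parameter `q`. I would add `/* scale factor S from RFC 2435; up to 5000, so it must not be stored back into the 8-bit q */` above the declaration. The branch also still tests the unclipped `q` while the arithmetic uses the clipped `factor`; the two agree today because the clip bounds do not cross 50, but `if (factor < 50)` would make that obvious.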
Signed-off-by: Michael Niedermayer (cherry picked from commit b6b4b0a65e02495edf9d7e5b23bef99a92921147) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index ddb0b686cb..60e211e7e3 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c 
@@ -17,8 +17,46 @@ * You should have received a copy of the GNU Lesser General Public * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + * ********************************************************************************************************************** + * + * + * + * This source code incorporates work covered by the following copyright and + * permission notice: + * + * Copyright (c) 2002-2007, Communications and Remote Sensing Laboratory, Universite catholique de Louvain (UCL), Belgium + * Copyright (c) 2002-2007, Professor Benoit Macq + * Copyright (c) 2001-2003, David Janssens + * Copyright (c) 2002-2003, Yannick Verschueren + * Copyright (c) 2003-2007, Francois-Olivier Devaux and Antonin Descampe + * Copyright (c) 2005, Herve Drolon, FreeImage Team + * Copyright (c) 2007, Callum Lerwick + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS `AS IS' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. */ + /** * JPEG2000 image encoder * @file From e706f8045c8f99749ef41e056723fd130ce6abfb Mon Sep 17 00:00:00 2001 From: Marios Titas Date: Sat, 2 Apr 2016 21:11:44 +0300 Subject: [PATCH 0931/1352] avfilter/src_movie: fix how we check for overflows with seek_point Currently, if the movie source filter is used and a seek_point is specified on a file that has a negative start time, ffmpeg will fail. An easy way to reproduce this is as follows: $ ffmpeg -vsync passthrough -filter_complex 'color=d=10,setpts=PTS-1/TB' test.mp4 $ ffmpeg -filter_complex 'movie=filename=test.mp4:seek_point=2' -f null - The problem is caused by checking for int64_t overflow the wrong way. In general, to check whether a + b overflows, it is not enough to do: a > INT64_MAX - b because b might be negative; the correct way is: b > 0 && > a > INT64_MAX - b Signed-off-by: Michael Niedermayer (cherry picked from commit c1f9734f977f59bc0034096afbe8e43e40d93a5d) Signed-off-by: Michael Niedermayer --- libavfilter/src_movie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/src_movie.c b/libavfilter/src_movie.c index 908c03e1d3..6df52f75cc 100644 --- a/libavfilter/src_movie.c +++ b/libavfilter/src_movie.c 
@@ -240,7 +240,7 @@ static av_cold int movie_common_init(AVFilterContext *ctx) timestamp = movie->seek_point; // add the stream start time, should it exist if (movie->format_ctx->start_time != AV_NOPTS_VALUE) { - if (timestamp > INT64_MAX - movie->format_ctx->start_time) { + if (timestamp > 0 && movie->format_ctx->start_time > INT64_MAX - timestamp) { av_log(ctx, AV_LOG_ERROR, "%s: seek value overflow with start_time:%"PRId64" seek_point:%"PRId64"\n", movie->file_name, movie->format_ctx->start_time, movie->seek_point); From 97ebe5978eb0e496fdd74b5171d07e21dce25be1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Apr 2016 15:10:31 +0200 Subject: [PATCH 0932/1352] avcodec/bmp_parser: Ensure remaining_size is not too small in startcode packet crossing corner case Fixes Ticket 5438 Signed-off-by: Michael Niedermayer (cherry picked from commit 8e26bdd59bf559d00c7e60c53fff292de10139ff) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index c9493dc32d..7ab32a0b00 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -63,7 +63,7 @@ restart: continue; } bpc->pc.frame_start_found++; - bpc->remaining_size = bpc->fsize + i - 17; + bpc->remaining_size = bpc->fsize + FFMAX(i - 17, 0); if (bpc->pc.index + i > 17) { next = i - 17; From 8f937fdf04e46525e43951975a92a9e5f0171bab Mon Sep 17 00:00:00 2001 From: Ivan Date: Tue, 12 Apr 2016 16:32:04 -0400 Subject: [PATCH 0933/1352] avcodec/h264: Fix for H.264 configuration parsing Sometimes video fails to decode if H.264 configuration changes mid stream. The reason is that configuration parser assumes that nal_ref_idc is equal to 11b while actually some codecs but 01b there. The H.264 spec is somewhat vague about this but it looks like it allows any non-zero nal_ref_idc for sps/pps. 
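Review bot: The rewritten guard in movie_common_init only covers the positive direction: with `timestamp` and `start_time` both negative, the addition that presumably follows can still wrap below INT64_MIN. Whether `seek_point` can be negative is not visible in this hunk. If the option range allows it, add the mirror test, `|| (timestamp < 0 && movie->format_ctx->start_time < INT64_MIN - timestamp)`. The function body starts and ends outside the hunk.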
Signed-off-by: Michael Niedermayer (cherry picked from commit 3a727606c474d3d0b9efa3c900294a84bdb5e331) Signed-off-by: Michael Niedermayer --- libavcodec/h264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 5f29267eeb..3fe9e6d905 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1821,7 +1821,7 @@ static int is_extra(const uint8_t *buf, int buf_size) const uint8_t *p= buf+6; while(cnt--){ int nalsize= AV_RB16(p) + 2; - if(nalsize > buf_size - (p-buf) || p[2]!=0x67) + if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 7) return 0; p += nalsize; } @@ -1830,7 +1830,7 @@ static int is_extra(const uint8_t *buf, int buf_size) return 0; while(cnt--){ int nalsize= AV_RB16(p) + 2; - if(nalsize > buf_size - (p-buf) || p[2]!=0x68) + if(nalsize > buf_size - (p-buf) || (p[2] & 0x9F) != 8) return 0; p += nalsize; } From eacf7923d44a8da101e5f59414419a8db26b1394 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Apr 2016 22:38:26 +0200 Subject: [PATCH 0934/1352] avcodec/avpacket: Fix off by 5 error Fixes out of array read Fixes: mozilla bug 1266129 Found-by: Tyson Smith Tested-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 9f36ea57ae6eefb42432220feab0350494f4144c) Conflicts: libavcodec/avpacket.c --- libavcodec/avpacket.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index b6a1600747..76d014da31 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -389,10 +389,12 @@ int av_packet_split_side_data(AVPacket *pkt){ p = pkt->data + pkt->size - 8 - 5; for (i=1; ; i++){ size = AV_RB32(p); - if (size>INT_MAX || p - pkt->data < size) + if (size>INT_MAX - 5 || p - pkt->data < size) return 0; if (p[4]&128) break; + if (p - pkt->data < size + 5) + return 0; p-= size+5; } 
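Review bot: In is_extra the new test `(p[2] & 0x9F) != 7` still reads `p[2]` when the entry is zero-length (`nalsize == 2`), where that byte lies past the entry and possibly past `buf_size`. `AV_RB16(p)` is also read before anything checks that two bytes remain. Whether this stays in bounds depends on padding behind the buffer, which the hunk does not show; `if (buf_size - (p - buf) < 3) return 0;` at the top of the loop would remove that dependency. The PPS loop in the second hunk has the same shape. Separately, the `0x9F` mask also accepts `nal_ref_idc == 0`, while the commit message speaks of any non-zero value, so a comment such as `/* forbidden_zero_bit + nal_unit_type, nal_ref_idc ignored */` would record the intent.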
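Review bot: The two bounds tests in the first loop of av_packet_split_side_data differ by five bytes and nothing in the code says why. The first, `p - pkt->data < size`, is sufficient for the last entry walked; the added `p - pkt->data < size + 5` applies only when the walk steps back over another entry. A comment on the added test, e.g. `/* not the last entry: the previous entry's 5-byte size/type trailer must fit too */`, would keep the tests from being merged or reordered later. This matters because the second hunk's `av_assert0` aborts rather than returns, and so relies on this loop having validated the whole chain.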
@@ -403,7 +405,7 @@ int av_packet_split_side_data(AVPacket *pkt){ p= pkt->data + pkt->size - 8 - 5; for (i=0; ; i++){ size= AV_RB32(p); - av_assert0(size<=INT_MAX && p - pkt->data >= size); + av_assert0(size<=INT_MAX - 5 && p - pkt->data >= size); pkt->side_data[i].data = av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE); pkt->side_data[i].size = size; pkt->side_data[i].type = p[4]&127; From 01704ae0d54d64cc10e26c944aeb8f3bf9dddc01 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 12 Apr 2016 10:51:30 +0200 Subject: [PATCH 0935/1352] avcodec/apedec: fix decoding of stereo files with one channel full of silence Signed-off-by: Paul B Mahol (cherry picked from commit 9149e9c0baaec122bc3da925d6068dffa60b5427) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7893bc320f..4b11b1b4bc 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1387,7 +1387,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count) int32_t *decoded0 = ctx->decoded[0]; int32_t *decoded1 = ctx->decoded[1]; - if (ctx->frameflags & APE_FRAMECODE_STEREO_SILENCE) { + if ((ctx->frameflags & APE_FRAMECODE_STEREO_SILENCE) == APE_FRAMECODE_STEREO_SILENCE) { /* We are pure silence, so we're done. */ av_log(ctx->avctx, AV_LOG_DEBUG, "pure silence stereo\n"); return; From 76060ae4e99b0cc46b178168c9844812ffdacf43 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 20 Apr 2016 22:45:05 +0200 Subject: [PATCH 0936/1352] avcodec/takdec: add code that got somehow lost in process of REing Signed-off-by: Paul B Mahol (cherry picked from commit 38797a8033d061ade58b30b8ac86da222fe42a84) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 0b1484958e..2b72e8476c 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
@@ -224,6 +224,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) int a3 = coeffs[2]; int a4 = a3 + a1; int a5 = a4 + a2; + coeffs[2] = a5; coeffs += 3; for (i = 0; i < length - 3; i++) { a3 += *coeffs; From f2c6a5d0bd25fd59f37f6ae8c65e45c89aeafea7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Apr 2016 12:30:20 +0200 Subject: [PATCH 0937/1352] avfilter/vf_drawtext: Check return code of load_glyph() Fixes segfault Fixes Ticket5347 Signed-off-by: Michael Niedermayer (cherry picked from commit 2e67a99fbc6b99315925de40fc6fa7161576be10) Signed-off-by: Michael Niedermayer --- libavfilter/vf_drawtext.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index 4e35ca2fb6..b41a195184 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -1210,7 +1210,9 @@ static int draw_text(AVFilterContext *ctx, AVFrame *frame, dummy.code = code; glyph = av_tree_find(s->glyphs, &dummy, glyph_cmp, NULL); if (!glyph) { - load_glyph(ctx, &glyph, code); + ret = load_glyph(ctx, &glyph, code); + if (ret < 0) + return ret; } y_min = FFMIN(glyph->bbox.yMin, y_min); From 5539aca10cc663156c9feadd278d0601c58d2bd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Apr 2016 04:08:21 +0200 Subject: [PATCH 0938/1352] avcodec/ac3dec: Reset SPX when switching from EAC3 to AC3 Fixes Ticket5319 Signed-off-by: Michael Niedermayer (cherry picked from commit 9ac154d1facd4756db6918f866dccf3e3ffb698c) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index a0cdb5af69..cb946fc681 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c 
@@ -902,11 +902,13 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) ff_eac3_default_spx_band_struct, &s->num_spx_bands, s->spx_band_sizes); - } else { - for (ch = 1; ch <= fbw_channels; ch++) { - s->channel_uses_spx[ch] = 0; - s->first_spx_coords[ch] = 1; - } + } + } + if (!s->eac3 || !s->spx_in_use) { + s->spx_in_use = 0; + for (ch = 1; ch <= fbw_channels; ch++) { + s->channel_uses_spx[ch] = 0; + s->first_spx_coords[ch] = 1; } } From d445a2e7d8930077ca4da60c4a830457430358e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Sun, 24 Apr 2016 17:30:56 +0300 Subject: [PATCH 0939/1352] pgssubdec: fix subpicture output colorspace and range Functionality used before didn't widen the values from limited to full range. Additionally, now the decoder uses BT.709 where it should be used according to the video resolution. Default for not yet set colorimetry is BT.709 due to most observed HDMV content being HD. BT.709 coefficients were gathered from the first two parts of BT.709 to BT.2020 conversion guide in ARIB STD-B62 (Pt. 1, Chapter 6.2.2). They were additionally confirmed by manually calculating values. Fixes #4637 (cherry picked from commit 9779b6262471d553c1ed811ff7312564e39d8adf) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 10 ++++++++-- libavutil/colorspace.h | 10 ++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 3c39e7ac63..6603cc2927 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c 
@@ -354,8 +354,14 @@ static int parse_palette_segment(AVCodecContext *avctx, cb = bytestream_get_byte(&buf); alpha = bytestream_get_byte(&buf); - YUV_TO_RGB1(cb, cr); - YUV_TO_RGB2(r, g, b, y); + /* Default to BT.709 colorimetry. In case of <= 576 height use BT.601 */ + if (avctx->height <= 0 || avctx->height > 576) { + YUV_TO_RGB1_CCIR_BT709(cb, cr); + } else { + YUV_TO_RGB1_CCIR(cb, cr); + } + + YUV_TO_RGB2_CCIR(r, g, b, y); av_dlog(avctx, "Color %d := (%d,%d,%d,%d)\n", color_id, r, g, b, alpha); diff --git a/libavutil/colorspace.h b/libavutil/colorspace.h index f438159811..dbb0ce8b8e 100644 --- a/libavutil/colorspace.h +++ b/libavutil/colorspace.h @@ -41,6 +41,16 @@ b_add = FIX(1.77200*255.0/224.0) * cb + ONE_HALF;\ } +#define YUV_TO_RGB1_CCIR_BT709(cb1, cr1)\ +{\ + cb = (cb1) - 128;\ + cr = (cr1) - 128;\ + r_add = FIX(1.5747*255.0/224.0) * cr + ONE_HALF;\ + g_add = - FIX(0.1873*255.0/224.0) * cb - FIX(0.4682*255.0/224.0) * cr + \ + ONE_HALF;\ + b_add = FIX(1.8556*255.0/224.0) * cb + ONE_HALF;\ +} + #define YUV_TO_RGB2_CCIR(r, g, b, y1)\ {\ y = ((y1) - 16) * FIX(255.0/219.0);\ From ecf215990cf8b7d298762802dea1de7f333ab50f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Apr 2016 19:17:19 +0200 Subject: [PATCH 0940/1352] avcodec/ttaenc: Reallocate packet if its too small Fixes assertion failure Fixes Ticket5394 Signed-off-by: Michael Niedermayer (cherry picked from commit 005c61c6b8982f977e415aa69d2d2b42e6b7f3f2) Conflicts: libavcodec/ttaenc.c --- libavcodec/ttaenc.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c index ccd41a90c9..37624a9c62 100644 --- a/libavcodec/ttaenc.c +++ b/libavcodec/ttaenc.c 
@@ -114,9 +114,12 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, { TTAEncContext *s = avctx->priv_data; PutBitContext pb; - int ret, i, out_bytes, cur_chan = 0, res = 0, samples = 0; + int ret, i, out_bytes, cur_chan, res, samples; + int64_t pkt_size = frame->nb_samples * 2LL * avctx->channels * s->bps; - if ((ret = ff_alloc_packet2(avctx, avpkt, frame->nb_samples * 2 * avctx->channels * s->bps)) < 0) +pkt_alloc: + cur_chan = 0, res = 0, samples = 0; + if ((ret = ff_alloc_packet2(avctx, avpkt, pkt_size)) < 0) return ret; init_put_bits(&pb, avpkt->data, avpkt->size); @@ -174,6 +177,14 @@ static int tta_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, rice->k1++; unary = 1 + (outval >> k); + if (unary + 100LL > put_bits_left(&pb)) { + if (pkt_size < INT_MAX/2) { + pkt_size *= 2; + av_packet_unref(avpkt); + goto pkt_alloc; + } else + return AVERROR(ENOMEM); + } do { if (unary > 31) { put_bits(&pb, 31, 0x7FFFFFFF); From ea84fbbf5ea1f3dee634a06d65c3f65fc181940d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 May 2016 22:00:55 +0200 Subject: [PATCH 0941/1352] avformat/options_table: Add missing identifier for very strict compliance Fixes Ticket5443 Signed-off-by: Michael Niedermayer (cherry picked from commit 11db7eee9b001d6992c34b65ee7b0d64f6f5c758) Signed-off-by: Michael Niedermayer --- libavformat/options_table.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/options_table.h b/libavformat/options_table.h index 71024be195..f58e4bc399 100644 --- a/libavformat/options_table.h +++ b/libavformat/options_table.h 
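Review bot: The `100LL` slack in `unary + 100LL > put_bits_left(&pb)` is a bare magic number; it presumably covers the bits written after the unary run, but nothing says which ones or why 100 is enough. A named constant or a comment such as `/* unary run plus worst-case k-bit remainder and frame trailer */` (wording to be confirmed by the author) would let the bound be checked. The backward `goto pkt_alloc` re-encodes the frame from scratch, which is only correct if all per-channel state is re-initialised between the label and this point. That code is outside both hunks and should be confirmed. The comma expression `cur_chan = 0, res = 0, samples = 0;` would read better as three statements.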
@@ -91,6 +91,7 @@ static const AVOption avformat_options[] = { {"max_interleave_delta", "maximum buffering duration for interleaving", OFFSET(max_interleave_delta), AV_OPT_TYPE_INT64, { .i64 = 10000000 }, 0, INT64_MAX, E }, {"f_strict", "how strictly to follow the standards (deprecated; use strict, save via avconv)", OFFSET(strict_std_compliance), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, D|E, "strict"}, {"strict", "how strictly to follow the standards", OFFSET(strict_std_compliance), AV_OPT_TYPE_INT, {.i64 = DEFAULT }, INT_MIN, INT_MAX, D|E, "strict"}, +{"very", "strictly conform to a older more strict version of the spec or reference software", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_VERY_STRICT }, INT_MIN, INT_MAX, D|E, "strict"}, {"strict", "strictly conform to all the things in the spec no matter what the consequences", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_STRICT }, INT_MIN, INT_MAX, D|E, "strict"}, {"normal", NULL, 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_NORMAL }, INT_MIN, INT_MAX, D|E, "strict"}, {"unofficial", "allow unofficial extensions", 0, AV_OPT_TYPE_CONST, {.i64 = FF_COMPLIANCE_UNOFFICIAL }, INT_MIN, INT_MAX, D|E, "strict"}, From 2bb39e8af830d1f8b9473752e67c0e6aed358411 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 May 2016 23:12:58 +0200 Subject: [PATCH 0942/1352] avformat/oggparseopus: Check that granule pos is within the supported range Larger values would imply file durations of astronomic proportions and cause overflows Fixes integer overflow Fixes: usan_int64_overflow Found-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 8efaee3710baa87af40556a622bf2d96a27c6425) Signed-off-by: Michael Niedermayer --- libavformat/oggparseopus.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/oggparseopus.c b/libavformat/oggparseopus.c index c8b02fab4d..584fff4538 100644 --- a/libavformat/oggparseopus.c +++ b/libavformat/oggparseopus.c 
@@ -117,6 +117,10 @@ static int opus_packet(AVFormatContext *avf, int idx) if (!os->psize) return AVERROR_INVALIDDATA; + if (os->granule > INT64_MAX - UINT32_MAX) { + av_log(avf, AV_LOG_ERROR, "Unsupported huge granule pos %"PRId64 "\n", os->granule); + return AVERROR_INVALIDDATA; + } if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & OGG_FLAG_EOS)) { int seg, d; From 3079f85dfb9188a0964c1a84c28d2658e1b497c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 May 2016 00:00:52 +0200 Subject: [PATCH 0943/1352] avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id() Fixes undefined shift Fixes: usan_shift Found-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit ea791c080dd5494b3bee0c618a3f52e371b5f320) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index cf4d0d6f7d..28227ff3d1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2650,6 +2650,9 @@ enum AVCodecID ff_codec_get_id(const AVCodecTag *tags, unsigned int tag) enum AVCodecID ff_get_pcm_codec_id(int bps, int flt, int be, int sflags) { + if (bps > 64U) + return AV_CODEC_ID_NONE; + if (flt) { switch (bps) { case 32: From da88b6d118afe10aa96fe8ba22fd210145cf5765 Mon Sep 17 00:00:00 2001 From: Chris Cunningham Date: Mon, 9 May 2016 15:27:29 -0700 Subject: [PATCH 0944/1352] libavformat/oggdec: Free stream private when header parsing fails. Leaking this private structure opens up the possibility that it may be re-used when parsing later packets in the stream. This is problematic if the later packets are not the same codec type (e.g. private allocated during Vorbis parsing, but later packets are Opus and the private is assumed to be the oggopus_private type in opus_header()). Signed-off-by: Michael Niedermayer (cherry picked from commit 542f725964e52201000ec34e2f23229cf534ad3a) 
Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 8f146e49fe..2ef09b13bb 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -677,6 +677,7 @@ static int ogg_read_header(AVFormatContext *s) if (ogg->streams[i].header < 0) { av_log(s, AV_LOG_ERROR, "Header parsing failed for stream %d\n", i); ogg->streams[i].codec = NULL; + av_freep(&ogg->streams[i].private); } else if (os->codec && os->nb_header < os->codec->nb_header) { av_log(s, AV_LOG_WARNING, "Headers mismatch for stream %d: " From 8d257c3680a9b1060ab1834df2ce498266f658eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 May 2016 12:49:06 +0200 Subject: [PATCH 0945/1352] ffmpeg: Check that r_frame_rate is set before attempting to use it Avoids unexpected occurance and dependency on NaN behavior and divisions by 0 Testcase: fate-lavf-fate-avi_cram Signed-off-by: Michael Niedermayer (cherry picked from commit 6085d6b2aeef28671614f625601a23cfc922d282) Signed-off-by: Michael Niedermayer --- ffmpeg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ffmpeg.c b/ffmpeg.c index 3efa7ff579..e676414f4b 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2592,7 +2592,8 @@ static int transcode_init(void) * overhead */ if(!strcmp(oc->oformat->name, "avi")) { - if ( copy_tb<0 && av_q2d(ist->st->r_frame_rate) >= av_q2d(ist->st->avg_frame_rate) + if ( copy_tb<0 && ist->st->r_frame_rate.num + && av_q2d(ist->st->r_frame_rate) >= av_q2d(ist->st->avg_frame_rate) && 0.5/av_q2d(ist->st->r_frame_rate) > av_q2d(ist->st->time_base) && 0.5/av_q2d(ist->st->r_frame_rate) > av_q2d(dec_ctx->time_base) && av_q2d(ist->st->time_base) < 1.0/500 && av_q2d(dec_ctx->time_base) < 1.0/500 From 6d560d4a0b8d57ab4e7ac2cee183d7a1bfa67428 Mon Sep 17 00:00:00 2001 
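Review bot: The added `av_freep(&ogg->streams[i].private);` in ogg_read_header carries the security-relevant reasoning only in the commit message. Without a comment, a later cleanup could drop it as redundant next to `codec = NULL`. A comment such as `/* drop codec-private state so a later packet of a different codec cannot reinterpret it */` would record that. It would also be worth confirming that every other path which resets or replaces `codec` for a stream frees `private` in the same way; those paths are not visible in this hunk.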
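Review bot: The added `ist->st->r_frame_rate.num` test in transcode_init guards the `0.5/av_q2d(ist->st->r_frame_rate)` divisions, but `av_q2d(ist->st->avg_frame_rate)` on the same added line is still evaluated unchecked. An unset `avg_frame_rate` therefore leaves the condition dependent on NaN comparison behaviour, which the commit message says it wants to avoid. Only `.num` is tested, so a rational with a zero denominator would still reach the division. Consider `&& ist->st->r_frame_rate.num && ist->st->r_frame_rate.den && ist->st->avg_frame_rate.den`. The condition continues past the end of the hunk.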
From: Michael Niedermayer Date: Mon, 16 May 2016 13:43:02 +0200 Subject: [PATCH 0946/1352] avformat/utils: Do not compute the bitrate from duration == 0 Fixes division by 0 in fate-acodec-ra144 Signed-off-by: Michael Niedermayer (cherry picked from commit 635b2ec5f20d6cdef1adf4907ca28f8f09abcecc) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 28227ff3d1..9d996fed4e 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2244,7 +2244,7 @@ static void update_stream_timings(AVFormatContext *ic) if (duration != INT64_MIN && duration > 0 && ic->duration == AV_NOPTS_VALUE) { ic->duration = duration; } - if (ic->pb && (filesize = avio_size(ic->pb)) > 0 && ic->duration != AV_NOPTS_VALUE) { + if (ic->pb && (filesize = avio_size(ic->pb)) > 0 && ic->duration > 0) { /* compute the bitrate */ double bitrate = (double) filesize * 8.0 * AV_TIME_BASE / (double) ic->duration; From 695dc70aeb97fec00cff87f472f9dfb3c3a1d15f Mon Sep 17 00:00:00 2001 From: Chris Cunningham Date: Tue, 17 May 2016 11:28:32 -0700 Subject: [PATCH 0947/1352] avformat/utils: Check negative bps before shifting in ff_get_pcm_codec_id() Fixes: undefined shift. Signed-off-by: Michael Niedermayer (cherry picked from commit 2875745d354ab0ebc4af1ebaca5c5a8d26ccdc03) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 9d996fed4e..78caf79275 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2650,7 +2650,7 @@ enum AVCodecID ff_codec_get_id(const AVCodecTag *tags, unsigned int tag) enum AVCodecID ff_get_pcm_codec_id(int bps, int flt, int be, int sflags) { - if (bps > 64U) + if (bps <= 0 || bps > 64) return AV_CODEC_ID_NONE; if (flt) { From 0a4b2bdb13b4d41b8a3683e6c08ab9241ec8e8bf Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 18 May 2016 20:40:08 +0200 Subject: [PATCH 0948/1352] doc/developer.texi: Add a code of conduct See: [FFmpeg-devel] [Vote] Code of Conduct Signed-off-by: Michael Niedermayer (cherry picked from commit 89e9393022373bf97d528e6e9f2601ad0b3d0fc1) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index 8b1f150ee6..889464ba74 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -399,6 +399,35 @@ finding a new maintainer and also don't forget updating the @file{MAINTAINERS} f We think our rules are not too hard. If you have comments, contact us. +@section Code of conduct + +Be friendly and respectful towards others and third parties. +Treat others the way you yourself want to be treated. + +Be considerate. Not everyone shares the same viewpoint and priorities as you do. +Different opinions and interpretations help the project. +Looking at issues from a different perspective assists development. + +Do not assume malice for things that can be attributed to incompetence. Even if +it is malice, it's rarely good to start with that as initial assumption. + +Stay friendly even if someone acts contrarily. Everyone has a bad day +once in a while. +If you yourself have a bad day or are angry then try to take a break and reply +once you are calm and without anger if you have to. + +Try to help other team members and cooperate if you can. + +The goal of software development is to create technical excellence, not for any +individual to be better and "win" against the others. Large software projects +are only possible and successful through teamwork. + +If someone struggles do not put them down. Give them a helping hand +instead and point them in the right direction. + +Finally, keep in mind the immortal words of Bill and Ted, +"Be excellent to each other." + @anchor{Submitting patches} @section Submitting patches 
From 3659cad6e582dae1257e2d615453240e6b69b856 Mon Sep 17 00:00:00 2001 From: Thomas Guilbert Date: Fri, 27 May 2016 15:50:25 -0700 Subject: [PATCH 0949/1352] avformat/oggparseopus: Fix Undefined behavior in oggparseopus.c and libavformat/utils.c Fixes: usan_granule_overflow constant type fix by commiter Signed-off-by: Michael Niedermayer (cherry picked from commit 1a82d2cf8fb6a7e854e7548dfcf73c3d046b34ac) Signed-off-by: Michael Niedermayer --- libavformat/oggparseopus.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparseopus.c b/libavformat/oggparseopus.c index 584fff4538..8bb2a41366 100644 --- a/libavformat/oggparseopus.c +++ b/libavformat/oggparseopus.c @@ -117,7 +117,7 @@ static int opus_packet(AVFormatContext *avf, int idx) if (!os->psize) return AVERROR_INVALIDDATA; - if (os->granule > INT64_MAX - UINT32_MAX) { + if (os->granule > (1LL << 62)) { av_log(avf, AV_LOG_ERROR, "Unsupported huge granule pos %"PRId64 "\n", os->granule); return AVERROR_INVALIDDATA; } From 35613a49cccf1cbb778cd3fcd3154dbe82c26b7b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 31 May 2016 22:01:13 +0200 Subject: [PATCH 0950/1352] avcodec/bmp_parser: Fix state Fixes Ticket5598 Signed-off-by: Michael Niedermayer (cherry picked from commit d0388bd32e1c84a9ef87ba6c448c7fffb6a9f259) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index 7ab32a0b00..b06e3e84ef 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -67,6 +67,8 @@ restart: if (bpc->pc.index + i > 17) { next = i - 17; + state = 0; + break; } else goto restart; } else if (bpc->pc.frame_start_found) From 0f0173554e67bc66273e6d7958766aed1375a006 Mon Sep 17 00:00:00 2001 
From: Vivekanand Date: Thu, 7 Apr 2016 16:16:23 +0530 Subject: [PATCH 0951/1352] avformat/allformats: Making av_register_all() thread-safe. When multiple threads tries to call av_register_all(), the first thread sets initialized to 1 and do the register process. At the same time, other thread might also call av_register_all(), which returns immediately because initialized is set to 1 (even when it has not completed registering codecs). We can avoid this problem if we set initialised to 1 while exiting from function. Github: Closes #196 (cherry picked from commit b092ee701f4d0ef2b8a4171cd38101d1ee9a1034) Conflicts: libavformat/allformats.c --- libavformat/allformats.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/allformats.c b/libavformat/allformats.c index 8f70c4b12a..0ca0e98f30 100644 --- a/libavformat/allformats.c +++ b/libavformat/allformats.c @@ -54,7 +54,6 @@ void av_register_all(void) if (initialized) return; - initialized = 1; avcodec_register_all(); @@ -381,4 +380,6 @@ void av_register_all(void) REGISTER_PROTOCOL(LIBRTMPTE, librtmpte); REGISTER_PROTOCOL(LIBSSH, libssh); REGISTER_PROTOCOL(LIBSMBCLIENT, libsmbclient); + + initialized = 1; } From 0fb30a9744dd48f066762b4cba1aa5fc9bbd394a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Apr 2016 20:49:13 +0200 Subject: [PATCH 0952/1352] avfilter/af_amix: dont fail if there are no samples in output_frame() Fixes Ticket5326 Signed-off-by: Michael Niedermayer (cherry picked from commit abc957e896beb3ce33c5691b9b3701993a381852) Signed-off-by: Michael Niedermayer --- libavfilter/af_amix.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c index afd7f7eace..fddf1fe0e1 100644 --- a/libavfilter/af_amix.c +++ b/libavfilter/af_amix.c 
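Review bot: Moving `initialized = 1;` to the end of av_register_all does not make the function thread-safe. It closes the early-return window, but `initialized` is still a plain variable read and written without synchronisation. Two threads that both see it as 0 will now run the whole registration sequence concurrently, so correctness depends on every `REGISTER_*` call and `avcodec_register_all()` tolerating concurrent and repeated invocation. A one-time initialisation primitive (for example `pthread_once` where available) would give the guarantee the subject line claims. Otherwise the code needs a comment stating that the register functions are required to be idempotent and race-safe.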
@@ -276,6 +276,9 @@ static int output_frame(AVFilterLink *outlink, int nb_samples) calculate_scales(s, nb_samples); + if (nb_samples == 0) + return 0; + out_buf = ff_get_audio_buffer(outlink, nb_samples); if (!out_buf) return AVERROR(ENOMEM); From ede92da7a660b2176323824655f37bcadd932311 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jun 2016 14:01:43 +0200 Subject: [PATCH 0953/1352] avcodec/bmp_parser: Fix frame_start_found in cross frame cases Fixes part of ticket 5598 Signed-off-by: Michael Niedermayer (cherry picked from commit bfe945ac3a0c328371dc4b4cc3409b7da5784cb8) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index b06e3e84ef..c9fe153de1 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -91,7 +91,10 @@ flush: if (ff_combine_frame(&bpc->pc, next, &buf, &buf_size) < 0) return buf_size; - bpc->pc.frame_start_found = 0; + if (next != END_NOT_FOUND && next < 0) + bpc->pc.frame_start_found = FFMAX(bpc->pc.frame_start_found - i - 1, 0); + else + bpc->pc.frame_start_found = 0; *poutbuf = buf; *poutbuf_size = buf_size; From 987360e76961496d58857d3815f3dfaa1afe9fa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jun 2016 14:27:20 +0200 Subject: [PATCH 0954/1352] avcodec/bmp_parser: Fix remaining size Fixes part of ticket 5598 Signed-off-by: Michael Niedermayer (cherry picked from commit 250b620d296adba7bd3a3104a9c30e820fb0bc36) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index c9fe153de1..8111ada6f2 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c 
@@ -63,7 +63,7 @@ restart: continue; } bpc->pc.frame_start_found++; - bpc->remaining_size = bpc->fsize + FFMAX(i - 17, 0); + bpc->remaining_size = bpc->fsize + i - 17; if (bpc->pc.index + i > 17) { next = i - 17; From c3d08784fd6324db75f9237f08b1efd401400017 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jun 2016 14:30:40 +0200 Subject: [PATCH 0955/1352] avcodec/bmp_parser: reset state Fixes part of ticket 5598 Signed-off-by: Michael Niedermayer (cherry picked from commit 37005e65eb17b1480d9e1755eeba3f50ee3b9555) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index 8111ada6f2..d2a04ef69b 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -69,8 +69,10 @@ restart: next = i - 17; state = 0; break; - } else + } else { + bpc->pc.state64 = 0; goto restart; + } } else if (bpc->pc.frame_start_found) bpc->pc.frame_start_found++; } From 95eaa6af1d182dfd3d84f4e34aac5bfb0c5e669c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jun 2016 14:32:48 +0200 Subject: [PATCH 0956/1352] avcodec/bmp_parser: Check fsize Signed-off-by: Michael Niedermayer (cherry picked from commit 43a4276c6964a2ec57e08c3c622bb94d35c0441f) Signed-off-by: Michael Niedermayer --- libavcodec/bmp_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c index d2a04ef69b..cd65f02a2e 100644 --- a/libavcodec/bmp_parser.c +++ b/libavcodec/bmp_parser.c @@ -53,7 +53,8 @@ restart: if (bpc->pc.frame_start_found == 0) { if ((state >> 48) == (('B' << 8) | 'M')) { bpc->fsize = av_bswap32(state >> 16); - bpc->pc.frame_start_found = 1; + if (bpc->fsize > 17) + bpc->pc.frame_start_found = 1; } } else if (bpc->pc.frame_start_found == 2+4+4) { // unsigned hsize = av_bswap32(state>>32); From df12a24235ab80906f98548a7d73a5526fd1a866 Mon Sep 17 00:00:00 2001 
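Review bot: The added `if (bpc->fsize > 17)` rejects only undersized values. `fsize` comes straight from the stream via `av_bswap32(state >> 16)` and nothing bounds it from above. It then feeds `bpc->remaining_size = bpc->fsize + i - 17` (the hunk from patch 0954 on this page), so depending on the field types, which are not visible here, a value near the top of the range could wrap or be stored as negative. An explicit upper bound, or a comment stating why none is needed, would make this checkable. The literal 17 is used in several places and would be clearer as a named constant.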
From: Michael Niedermayer Date: Mon, 6 Jun 2016 21:43:01 +0200 Subject: [PATCH 0957/1352] avformat/mpegts: Do not trust BSSD descriptor, it is sometimes not an S302M stream Signed-off-by: Michael Niedermayer (cherry picked from commit a5eb70ad9569c62158b4b2d18f2143db791f7d27) Conflicts: libavformat/mpegts.c --- libavformat/mpegts.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index af5db08a45..c1ef22cc38 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1722,8 +1722,11 @@ int ff_parse_mpeg2_descriptor(AVFormatContext *fc, AVStream *st, int stream_type case 0x05: /* registration descriptor */ st->codec->codec_tag = bytestream_get_le32(pp); av_dlog(fc, "reg_desc=%.4s\n", (char *)&st->codec->codec_tag); - if (st->codec->codec_id == AV_CODEC_ID_NONE) + if (st->codec->codec_id == AV_CODEC_ID_NONE) { mpegts_find_stream_type(st, st->codec->codec_tag, REGD_types); + if (st->codec->codec_tag == MKTAG('B', 'S', 'S', 'D')) + st->request_probe = 50; + } break; case 0x52: /* stream identifier descriptor */ st->stream_identifier = 1 + get8(pp, desc_end); From ff2df4056cff29ac8b20b9b6a7533347d5d9f0bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Jun 2016 03:48:09 +0200 Subject: [PATCH 0958/1352] avcodec/utils: check skip_samples signedness Fixes Ticket5528 Signed-off-by: Michael Niedermayer (cherry picked from commit 153ab83bd37cbbcc79d8303cc6efbf81089b8123) Conflicts: libavcodec/utils.c --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index fc03e4901d..528c13be0f 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -2467,7 +2467,7 @@ int attribute_align_arg avcodec_decode_audio4(AVCodecContext *avctx, avctx->internal->skip_samples); discard_padding = AV_RL32(side + 4); } - if (avctx->internal->skip_samples && *got_frame_ptr) { + if (avctx->internal->skip_samples > 0 && *got_frame_ptr) { if(frame->nb_samples <= avctx->internal->skip_samples){ *got_frame_ptr = 0; avctx->internal->skip_samples -= frame->nb_samples; From ec704dc779be65d73c36e17c7984f807b80c8599 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jun 2016 15:38:26 +0200 Subject: [PATCH 0959/1352] avcodec/mpegvideo: Do not clear the parse context during init It is allocated before, this cannot work Fixes Ticket5613 Signed-off-by: Michael Niedermayer (cherry picked from commit 24f513619680b5bef40b02db6ca07a8a009c2ece) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index 645d757fbd..743e7a2117 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1313,9 +1313,7 @@ static void clear_context(MpegEncContext *s) s->b_scratchpad = s->obmc_scratchpad = NULL; - s->parse_context.buffer = NULL; - s->parse_context.buffer_size = 0; - s->parse_context.overread = 0; + s->bitstream_buffer = NULL; s->allocated_bitstream_buffer_size = 0; s->picture = NULL; From a21a9f9d0bed21d3c812a98e08c22537920583bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Jun 2016 14:28:24 +0200 Subject: [PATCH 0960/1352] avcodec/mpc8: Correct end truncation Fixes Ticket5478 Signed-off-by: Michael Niedermayer (cherry picked from commit b21f674876badefc68e4deecdb4a1d46de10b67c) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 29c65f9ef5..af15f66952 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c 
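Review bot: Changing the test to `avctx->internal->skip_samples > 0` in avcodec_decode_audio4 makes a negative count harmless here, but the value is still stored as-is, so any other reader of `skip_samples` sees it. The context suggests it is filled from packet side data (the neighbouring `discard_padding = AV_RL32(side + 4);`), where a 32-bit value with the top bit set would become negative if the field is a signed int. That assignment lies outside the hunk; if it is as described, validating there would be more robust, for example clamping to 0 and logging a warning. The function body extends beyond the hunk.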
@@ -415,10 +415,14 @@ static int mpc8_decode_frame(AVCodecContext * avctx, void *data, c->cur_frame++; c->last_bits_used = get_bits_count(gb); - if(get_bits_left(gb) < 8) // we have only padding left - c->last_bits_used = buf_size << 3; if(c->cur_frame >= c->frames) c->cur_frame = 0; + if(c->cur_frame == 0 && get_bits_left(gb) < 8) {// we have only padding left + c->last_bits_used = buf_size << 3; + } else if (get_bits_left(gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -get_bits_left(gb)); + c->last_bits_used = buf_size << 3; + } *got_frame_ptr = 1; From a36a7d3b4387aacffbb14a43f5166d39c5f48ad0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Apr 2016 17:26:56 +0200 Subject: [PATCH 0961/1352] avformat/format: Fix registering a format more than once and related races Signed-off-by: Michael Niedermayer (cherry picked from commit 4cc896ea5f06f8b1ebcde6d876d9c5b59ef9a016) Signed-off-by: Michael Niedermayer --- libavformat/format.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/libavformat/format.c b/libavformat/format.c index 1026c8f7a7..b53d367d98 100644 --- a/libavformat/format.c +++ b/libavformat/format.c 
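Review bot: In the new `else if (get_bits_left(gb) < 0)` branch of `mpc8_decode_frame` the overread is logged at error level, yet execution falls through to `*got_frame_ptr = 1`. A frame decoded partly from bits past the end of the packet is therefore still handed to the caller. If that is a deliberate best-effort choice, a comment should say so; otherwise returning `AVERROR_INVALIDDATA` from that branch would be the stricter option. `buf_size << 3` in both branches is a signed shift that overflows for a very large `buf_size`, and whether the caller bounds the packet size is not visible in this hunk. The function continues outside the hunk.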
@@ -62,20 +62,24 @@ void av_register_input_format(AVInputFormat *format) { AVInputFormat **p = last_iformat; - format->next = NULL; - while(*p || avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) + // Note, format could be added after the first 2 checks but that implies that *p is no longer NULL + while(p != &format->next && !format->next && avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) p = &(*p)->next; - last_iformat = &format->next; + + if (!format->next) + last_iformat = &format->next; } void av_register_output_format(AVOutputFormat *format) { AVOutputFormat **p = last_oformat; - format->next = NULL; - while(*p || avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) + // Note, format could be added after the first 2 checks but that implies that *p is no longer NULL + while(p != &format->next && !format->next && avpriv_atomic_ptr_cas((void * volatile *)p, NULL, format)) p = &(*p)->next; - last_oformat = &format->next; + + if (!format->next) + last_oformat = &format->next; } int av_match_ext(const char *filename, const char *extensions) From d7ab6e93a688688ad27c03ba3ba15711e59036dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jun 2016 23:49:36 +0200 Subject: [PATCH 0962/1352] avformat/mov: Check sample size Fixes integer overflow Fixes: poc.mp4 Found-by: ajax secure Signed-off-by: Michael Niedermayer (cherry picked from commit 8a3221cc67a516dfc1700bdae3566ec52c7ee823) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3246d0a49b..29641b45b5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
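Review bot: With `format->next = NULL;` removed, `av_register_input_format` and `av_register_output_format` now treat a non-NULL `format->next` as meaning the format is already registered. A format struct whose `next` field was never zeroed (heap-allocated or reused storage) is therefore silently left out of the list. That precondition should be documented at both functions, e.g. `/* format->next must be NULL on first registration; a non-NULL value is taken to mean the format is already in the list */`. `format->next` and `last_iformat`/`last_oformat` are also read and written with plain accesses while other threads may be updating the list through `avpriv_atomic_ptr_cas`. The remaining race on the tail pointer deserves a sentence in the same comment.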
@@ -2250,7 +2250,12 @@ static void mov_build_index(MOVContext *mov, AVStream *st) sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { - AVIndexEntry *e = &st->index_entries[st->nb_index_entries++]; + AVIndexEntry *e; + if (sample_size > 0x3FFFFFFF) { + av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", sample_size); + return; + } + e = &st->index_entries[st->nb_index_entries++]; e->pos = current_offset; e->timestamp = current_dts; e->size = sample_size; @@ -2348,6 +2353,10 @@ static void mov_build_index(MOVContext *mov, AVStream *st) av_log(mov->fc, AV_LOG_ERROR, "wrong chunk count %d\n", total); return; } + if (size > 0x3FFFFFFF) { + av_log(mov->fc, AV_LOG_ERROR, "Sample size %u is too large\n", size); + return; + } e = &st->index_entries[st->nb_index_entries++]; e->pos = current_offset; e->timestamp = current_dts; From 08ab94e6a638543a163f7a0ef04d8894ac7e3c81 Mon Sep 17 00:00:00 2001 From: Sasi Inguva Date: Thu, 21 Jul 2016 18:52:41 -0700 Subject: [PATCH 0963/1352] libx264: Increase x264 opts character limit to 4096 Signed-off-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit 282477bf4534439ecb06f14d46446a4f1ab82284) Signed-off-by: Michael Niedermayer --- libavcodec/libx264.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index 8830f592cc..fa3aea9375 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -640,8 +640,8 @@ static av_cold int X264_init(AVCodecContext *avctx) if(x4->x264opts){ const char *p= x4->x264opts; while(p){ - char param[256]={0}, val[256]={0}; - if(sscanf(p, "%255[^:=]=%255[^:]", param, val) == 1){ + char param[4096]={0}, val[4096]={0}; + if(sscanf(p, "%4095[^:=]=%4095[^:]", param, val) == 1){ OPT_STR(param, "1"); }else OPT_STR(param, val); 
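Review bot: The limit `0x3FFFFFFF` is written as a bare literal in both new checks in `mov_build_index` (this hunk and the one at -2348), and nothing says which later computation it protects. A named constant with a one-line comment, used in both places, would keep the two checks from drifting apart. Because the function is `void`, the early `return` leaves `st->index_entries` partly filled and the caller gets no error. If that is acceptable it should be stated in a comment; otherwise the entries added so far could be discarded before returning. The function body extends beyond both hunks.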
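Review bot: `param` and `val` in `X264_init` are now two 4096-byte arrays declared and zero-filled inside the `while(p)` loop, so 8 KiB of stack is cleared for every option parsed. Declaring them once before the loop and resetting them with `param[0] = val[0] = 0;` at the top of each iteration would avoid that. The `%4095` widths in the `sscanf` format have to be kept in step with the array size by hand, which a shared constant or a comment would make explicit. An option longer than the limit is still truncated silently before it reaches `OPT_STR`; the code that advances `p` is outside the hunk, so how the remainder is treated is not visible here.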
From b0453449fd2bd25398b1a5d73e2c23b7e287f836 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Sat, 23 Jul 2016 21:43:06 +0200 Subject: [PATCH 0964/1352] libavutil/opt: Small bugfix in example. Fix const corectness and zero init the struct. This example code would actually crash when initializing string. Signed-off-by: Michael Niedermayer (cherry picked from commit 69630f4d304a4e35d90957d6a170744af87cbf93) Signed-off-by: Michael Niedermayer --- libavutil/opt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/opt.h b/libavutil/opt.h index 4905ee30c0..59bdd6498a 100644 --- a/libavutil/opt.h +++ b/libavutil/opt.h @@ -57,7 +57,7 @@ * The following example illustrates an AVOptions-enabled struct: * @code * typedef struct test_struct { - * AVClass *class; + * const AVClass *class; * int int_opt; * char *str_opt; * uint8_t *bin_opt; @@ -95,7 +95,7 @@ * @code * test_struct *alloc_test_struct(void) * { - * test_struct *ret = av_malloc(sizeof(*ret)); + * test_struct *ret = av_mallocz(sizeof(*ret)); * ret->class = &test_class; * av_opt_set_defaults(ret); * return ret; From 94fb2fba763e6261c3c57f03002a0742226aee29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Sat, 23 Jul 2016 23:47:39 +0200 Subject: [PATCH 0965/1352] libavformat/rtpdec_asf: zero initialize the AVIOContext struct This fixes crash in avformat_open_input() when accessing protocol_whitelist field. Signed-off-by: Michael Niedermayer (cherry picked from commit e947b75b1c76ef6793209c2c445b8c224a28717a) Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_asf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 8e196545de..1b0ae8ab29 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c 
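Review bot: The corrected `alloc_test_struct()` example still dereferences the result of `av_mallocz()` without a NULL check, so `ret->class = &test_class;` crashes when the allocation fails. Because this snippet is the reference that applications copy, adding `if (!ret) return NULL;` after the allocation line in the doc comment would be worthwhile.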
@@ -97,7 +97,7 @@ int ff_wms_parse_sdp_a_line(AVFormatContext *s, const char *p) { int ret = 0; if (av_strstart(p, "pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,", &p)) { - AVIOContext pb; + AVIOContext pb = { 0 }; RTSPState *rt = s->priv_data; AVDictionary *opts = NULL; int len = strlen(p) * 6 / 8; From 68d22a7caaa8ffd4b103932fa8954af047dc9207 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Aug 2016 13:34:40 +0200 Subject: [PATCH 0966/1352] avformat/oggdec: Fix integer overflow with invalid pts If negative pts are possible for some codecs in ogg then the code needs to be changed to use signed values. Found-by: Thomas Guilbert Fixes: clusterfuzz_usan-2016-08-02 Signed-off-by: Michael Niedermayer (cherry picked from commit c5cc3b08e56fc95665977544486bd9f06e4b7a72) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/oggdec.h b/libavformat/oggdec.h index 7dc7716036..c52604f644 100644 --- a/libavformat/oggdec.h +++ b/libavformat/oggdec.h @@ -161,6 +161,11 @@ ogg_gptopts (AVFormatContext * s, int i, uint64_t gp, int64_t *dts) if (dts) *dts = pts; } + if (pts > INT64_MAX && pts != AV_NOPTS_VALUE) { + // The return type is unsigned, we thus cannot return negative pts + av_log(s, AV_LOG_ERROR, "invalid pts %"PRId64"\n", pts); + pts = AV_NOPTS_VALUE; + } return pts; } From 9a3d09e2c935dc8dd22abc27f313a68d43ef2bbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Aug 2016 16:27:31 +0200 Subject: [PATCH 0967/1352] avcodec/raw: Fix decoding of ilacetest.mov Signed-off-by: Michael Niedermayer (cherry picked from commit bbec14de3126dbc4e1ec2b32ed714dab173386aa) Signed-off-by: Michael Niedermayer --- libavcodec/raw.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/raw.c b/libavcodec/raw.c index 62ad338b9f..f8637c9ac6 100644 --- a/libavcodec/raw.c +++ b/libavcodec/raw.c 
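Review bot: In `ogg_gptopts` the new range check runs after the context line `*dts = pts;`, so on the path shown an out-of-range value has already been stored through `dts` by the time the return value is replaced with `AV_NOPTS_VALUE`. Resetting the output inside the new block with `if (dts) *dts = AV_NOPTS_VALUE;`, or moving the check ahead of the stores, would keep the two results consistent. The message prints `pts` with `PRId64` although the added comment says the value is unsigned; `PRIu64` would match. The start of the function is outside the hunk, so other branches that set `*dts` are not visible.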
@@ -31,6 +31,7 @@ const PixelFormatTag ff_raw_pix_fmt_tags[] = { { AV_PIX_FMT_YUV420P, MKTAG('I', '4', '2', '0') }, /* Planar formats */ { AV_PIX_FMT_YUV420P, MKTAG('I', 'Y', 'U', 'V') }, + { AV_PIX_FMT_YUV420P, MKTAG('y', 'v', '1', '2') }, { AV_PIX_FMT_YUV420P, MKTAG('Y', 'V', '1', '2') }, { AV_PIX_FMT_YUV410P, MKTAG('Y', 'U', 'V', '9') }, { AV_PIX_FMT_YUV410P, MKTAG('Y', 'V', 'U', '9') }, From aa54f0926273a7142195e01ec01fa99f1c903613 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 8 Aug 2016 15:27:41 +0200 Subject: [PATCH 0968/1352] cmdutils: remove the current working directory from the DLL search path on win32 Reviewed-by: Matt Oliver Signed-off-by: Michael Niedermayer (cherry picked from commit 3bf142c77337814458ed8e036796934032d9837f) Signed-off-by: Michael Niedermayer --- cmdutils.c | 9 +++++++++ cmdutils.h | 5 +++++ ffmpeg.c | 2 ++ ffplay.c | 2 ++ ffprobe.c | 2 ++ ffserver.c | 2 ++ 6 files changed, 22 insertions(+) diff --git a/cmdutils.c b/cmdutils.c index 612810a374..01bc82ce98 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -111,6 +111,15 @@ static void log_callback_report(void *ptr, int level, const char *fmt, va_list v } } +void init_dynload(void) +{ +#ifdef _WIN32 + /* Calling SetDllDirectory with the empty string (but not NULL) removes the + * current working directory from the DLL search path as a security pre-caution. */ + SetDllDirectory(""); +#endif +} + static void (*program_exit)(int ret); void register_exit(void (*cb)(int ret)) diff --git a/cmdutils.h b/cmdutils.h index 76d11a598c..3bd778b94b 100644 --- a/cmdutils.h +++ b/cmdutils.h @@ -61,6 +61,11 @@ void register_exit(void (*cb)(int ret)); */ void exit_program(int ret) av_noreturn; +/** + * Initialize dynamic library loading + */ +void init_dynload(void); + /** * Initialize the cmdutils option system, in particular * allocate the *_opts contexts. diff --git a/ffmpeg.c b/ffmpeg.c index e676414f4b..efd890355e 100644 --- a/ffmpeg.c +++ b/ffmpeg.c 
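Review bot: `init_dynload()` in cmdutils.c ignores the return value of `SetDllDirectory("")`, so if the call fails the current working directory stays in the DLL search path and nothing reports it. Checking the result would make the hardening verifiable: `if (!SetDllDirectory("")) av_log(NULL, AV_LOG_WARNING, "SetDllDirectory failed\n");`. The call only affects libraries loaded after it runs, so the comment here and the one-line description added in cmdutils.h should state that it has to be called before anything else in `main()`. "pre-caution" in the new comment should read "precaution".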
@@ -3822,6 +3822,8 @@ int main(int argc, char **argv) int ret; int64_t ti; + init_dynload(); + register_exit(ffmpeg_cleanup); setvbuf(stderr,NULL,_IONBF,0); /* win32 runtime needs this */ diff --git a/ffplay.c b/ffplay.c index 833b5b12cf..be7bd2e93b 100644 --- a/ffplay.c +++ b/ffplay.c @@ -3659,6 +3659,8 @@ int main(int argc, char **argv) VideoState *is; char dummy_videodriver[] = "SDL_VIDEODRIVER=dummy"; + init_dynload(); + av_log_set_flags(AV_LOG_SKIP_REPEATED); parse_loglevel(argc, argv, options); diff --git a/ffprobe.c b/ffprobe.c index 9bb0f0f10c..fecbbce5d8 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -2962,6 +2962,8 @@ int main(int argc, char **argv) char *w_name = NULL, *w_args = NULL; int ret, i; + init_dynload(); + av_log_set_flags(AV_LOG_SKIP_REPEATED); register_exit(ffprobe_cleanup); diff --git a/ffserver.c b/ffserver.c index 24e400504c..ff33b2f263 100644 --- a/ffserver.c +++ b/ffserver.c @@ -4724,6 +4724,8 @@ int main(int argc, char **argv) struct sigaction sigact = { { 0 } }; int ret = 0; + init_dynload(); + config_filename = av_strdup("/etc/ffserver.conf"); parse_loglevel(argc, argv, options); From 46ecb01f62e5944b46f1df23be714dc3e920649a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Aug 2016 10:28:22 +0200 Subject: [PATCH 0969/1352] avformat/swfdec: Fix inflate() error code check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes infinite loop Fixes endless.poc Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit a453bbb68f3eec202673728988bba3bc76071761) Signed-off-by: Michael Niedermayer --- libavformat/swfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c index b2c652eb9c..db683ac59b 100644 --- a/libavformat/swfdec.c +++ b/libavformat/swfdec.c 
@@ -90,10 +90,10 @@ retry: z->avail_out = buf_size; ret = inflate(z, Z_NO_FLUSH); - if (ret < 0) - return AVERROR(EINVAL); if (ret == Z_STREAM_END) return AVERROR_EOF; + if (ret != Z_OK) + return AVERROR(EINVAL); if (buf_size - z->avail_out == 0) goto retry; From 4d94486e7ee898c0f7631e6ec44dd9f4e37892f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Aug 2016 13:07:14 +0200 Subject: [PATCH 0970/1352] avcodec/indeo2: check ctab Fixes out of array access Fixes: 6b73fa392ac808f02e95a4e0a5770026/asan_static-oob_1b15f9a_1969_e7778535e5f27225fe0d6ded14721430.AVI Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 9ffe44c5c75c485b4cbb12751e228f18da219df3) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index dd6853b898..1e71be5429 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -172,6 +172,12 @@ static int ir2_decode_frame(AVCodecContext *avctx, ltab = buf[0x22] & 3; ctab = buf[0x22] >> 2; + + if (ctab > 3) { + av_log(avctx, AV_LOG_ERROR, "ctab %d is invalid\n", ctab); + return AVERROR_INVALIDDATA; + } + if (s->decode_delta) { /* intraframe */ if ((ret = ir2_decode_plane(s, avctx->width, avctx->height, p->data[0], p->linesize[0], From d28e753895cad82f44f91941b340fec4f0a92e3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Aug 2016 19:21:07 +0200 Subject: [PATCH 0971/1352] avcodec/diracdec: Check numx/y Fixes division by 0 Fixes: 60261c4469ba3e11059890fb2832a515/asan_generic_135e694_2790_beb94eaa0aeb7d11c0437375a8964a99.drc Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a31e08fa1aa5c5f0518b8af850f28eb945268e66) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 7 +++++++ 1 file changed, 7 insertions(+) 
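Review bot: When `inflate()` returns `Z_STREAM_END` the code returns `AVERROR_EOF` at once without looking at `buf_size - z->avail_out`, so any bytes produced by that final call appear to be dropped. Reporting EOF only when nothing was produced, `if (ret == Z_STREAM_END && buf_size == z->avail_out) return AVERROR_EOF;`, together with `if (ret != Z_OK && ret != Z_STREAM_END) return AVERROR(EINVAL);`, would let the tail of the stream reach the caller. Corrupt input is reported as `AVERROR(EINVAL)`, whereas other decoders on this page use `AVERROR_INVALIDDATA` for bad stream data. The function begins before the `retry:` label outside the hunk, so this is based on the visible lines only.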
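Review bot: The limit in `if (ctab > 3)` is a bare literal that must match the number of entries in the table `ctab` selects, and that table is declared outside this hunk. Writing the bound with `FF_ARRAY_ELEMS()` on that table, or adding a comment that names it, would keep the check tied to the data it protects. The context lines read `buf[0x22]` directly; a length check on the packet covering that offset is not visible here and should be confirmed. `ir2_decode_frame` starts and ends outside the hunk.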
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 6b93d8632b..eaaf9f7720 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1028,6 +1028,13 @@ static int dirac_unpack_idwt_params(DiracContext *s) /*[DIRAC_STD] 11.3.4 Slice coding Parameters (low delay syntax only). slice_parameters() */ s->lowdelay.num_x = svq3_get_ue_golomb(gb); s->lowdelay.num_y = svq3_get_ue_golomb(gb); + if (s->lowdelay.num_x * s->lowdelay.num_y == 0 || + s->lowdelay.num_x * (uint64_t)s->lowdelay.num_y > INT_MAX) { + av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); + s->lowdelay.num_x = s->lowdelay.num_y = 0; + return AVERROR_INVALIDDATA; + } + s->lowdelay.bytes.num = svq3_get_ue_golomb(gb); s->lowdelay.bytes.den = svq3_get_ue_golomb(gb); From ea1d555e5dd8d3ee6f1f538e3c19f984b3494545 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Aug 2016 20:30:34 +0200 Subject: [PATCH 0972/1352] libavcodec/wmalosslessdec: Check the remaining bits Fixes assertion failure Fixes: 24ebfda03228b5cc1ef792608cfba458/signal_sigabrt_7ffff6ae7c37_6473_3fa8a111dbc752b1a7c411c5ab79aaa4.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 67318187fbba382d887f9581dde48a50842f1bea) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 05d660e6d4..2cd3a0282e 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1277,6 +1277,11 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, } } + if (remaining_bits(s, gb) < 0) { + av_log(avctx, AV_LOG_ERROR, "Overread %d\n", -remaining_bits(s, gb)); + s->packet_loss = 1; + } + if (s->packet_done && !s->packet_loss && remaining_bits(s, gb) > 0) { /* save the rest of the data so that it can be decoded From afcede09b658f00182cc42a491a279b516ec5358 Mon Sep 17 00:00:00 2001 
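Review bot: The zero test `s->lowdelay.num_x * s->lowdelay.num_y == 0` multiplies the two bitstream values in their declared type, before the widened comparison on the next line, so the product can wrap (or overflow, if the fields are signed; their type is not visible here). Testing the operands separately avoids the multiplication: `if (!s->lowdelay.num_x || !s->lowdelay.num_y ||`. `s->lowdelay.bytes.den`, read two lines later from the same bitstream, gets no zero check in this hunk. If it is later used as a divisor, that should be confirmed as well. `dirac_unpack_idwt_params` continues outside the hunk.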
From: James Almer Date: Mon, 22 Aug 2016 19:24:31 -0300 Subject: [PATCH 0973/1352] cmdutils: check for SetDllDirectory() availability It's only available on Windows XP or newer. Should fix compilation with mingw32 using the default OS target. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer --- cmdutils.c | 2 +- configure | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/cmdutils.c b/cmdutils.c index 01bc82ce98..06c696b7f7 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -113,7 +113,7 @@ static void log_callback_report(void *ptr, int level, const char *fmt, va_list v void init_dynload(void) { -#ifdef _WIN32 +#if HAVE_SETDLLDIRECTORY /* Calling SetDllDirectory with the empty string (but not NULL) removes the * current working directory from the DLL search path as a security pre-caution. */ SetDllDirectory(""); diff --git a/configure b/configure index c35f67c685..3559ea1506 100755 --- a/configure +++ b/configure @@ -1728,6 +1728,7 @@ SYSTEM_FUNCS=" pthread_cancel sched_getaffinity SetConsoleTextAttribute + SetDllDirectory setmode setrlimit Sleep @@ -4708,6 +4709,7 @@ check_func_headers windows.h GetSystemTimeAsFileTime check_func_headers windows.h MapViewOfFile check_func_headers windows.h PeekNamedPipe check_func_headers windows.h SetConsoleTextAttribute +check_func_headers windows.h SetDllDirectory check_func_headers windows.h Sleep check_func_headers windows.h VirtualAlloc check_func_headers glob.h glob From f1b8807dae25700322fa8638a20fe41209423b87 Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Mon, 29 Aug 2016 15:25:58 +0200 Subject: [PATCH 0974/1352] cmdutils: fix implicit declaration of SetDllDirectory function Pre-processor check changed by commiter. Signed-off-by: James Almer (cherry picked from commit c32ce247a026eda99b3ea5ad46c6bbc5c5907e1a) Signed-off-by: Michael Niedermayer --- cmdutils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmdutils.c b/cmdutils.c index 06c696b7f7..c31cb96a60 100644 --- a/cmdutils.c 
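Review bot: Switching the guard in `init_dynload()` to `#if HAVE_SETDLLDIRECTORY` means that on a Windows target where configure does not find the function, the search-path hardening is compiled out without any trace. A short comment at the guard, e.g. `/* not available on pre-XP targets: the current directory then remains in the DLL search path */`, would make that trade-off visible to packagers. Using `#if` rather than `#ifdef` also relies on configure always defining the macro to 0 or 1, which the two configure hunks suggest but do not show.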
+++ b/cmdutils.c @@ -58,6 +58,9 @@ #include #include #endif +#if HAVE_SETDLLDIRECTORY +#include +#endif static int init_report(const char *env); From 1c5515181334c3da779fb8afcd4940ea2b092b27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Sep 2016 12:19:29 +0200 Subject: [PATCH 0975/1352] avformat/avidec: Fix infinite loop in avi_read_nikon() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 360/test.poc Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit e4e4a9cad7f21593d4bcb1f2404ea0d373c36c43) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index dd50c2d6e6..93c4dfbab7 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -340,14 +340,14 @@ static void avi_metadata_creation_time(AVDictionary **metadata, char *date) static void avi_read_nikon(AVFormatContext *s, uint64_t end) { - while (avio_tell(s->pb) < end) { + while (avio_tell(s->pb) < end && !avio_feof(s->pb)) { uint32_t tag = avio_rl32(s->pb); uint32_t size = avio_rl32(s->pb); switch (tag) { case MKTAG('n', 'c', 't', 'g'): /* Nikon Tags */ { uint64_t tag_end = avio_tell(s->pb) + size; - while (avio_tell(s->pb) < tag_end) { + while (avio_tell(s->pb) < tag_end && !avio_feof(s->pb)) { uint16_t tag = avio_rl16(s->pb); uint16_t size = avio_rl16(s->pb); const char *name = NULL; From 463c85969315fc7d42f547199d0ebff31e458550 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Sep 2016 20:25:24 +0200 Subject: [PATCH 0976/1352] swscale/swscale_unscaled: Fix packed_16bpc_bswap() with slices Signed-off-by: Michael Niedermayer (cherry picked from commit 47bc1bdafb0950ccf128eaa491d8fd7cc0978813) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 1 + 1 file changed, 1 insertion(+) 
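Review bot: In `avi_read_nikon` the inner bound `tag_end = avio_tell(s->pb) + size` is taken from the file and never compared with the outer `end`. The inner loop can therefore keep parsing past the chunk it belongs to, and the added `avio_feof()` tests stop it only at end of file. Clamping the bound where it is computed would confine the loop to the enclosing chunk: `uint64_t tag_end = FFMIN(avio_tell(s->pb) + size, end);`. The rest of the function is outside the hunk, so any later seek to `tag_end` should be checked against the same clamp.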
diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 60f8c619b3..9831488ca3 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -352,6 +352,7 @@ static int packed_16bpc_bswap(SwsContext *c, const uint8_t *src[], int min_stride = FFMIN(FFABS(srcstr), FFABS(dststr)); if(!dstPtr || !srcPtr) continue; + dstPtr += (srcSliceY >> c->chrDstVSubSample) * dststr; for (i = 0; i < (srcSliceH >> c->chrDstVSubSample); i++) { for (j = 0; j < min_stride; j++) { dstPtr[j] = av_bswap16(srcPtr[j]); From f9786014336690302027b02d23d10e84015006aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Sep 2016 12:15:24 +0200 Subject: [PATCH 0977/1352] swscale/swscale_unscaled: Try to fix Rgb16ToPlanarRgb16Wrapper() with slices Signed-off-by: Michael Niedermayer (cherry picked from commit e57d99dd4e0d8fe2992da0d65b563580e35ce728) Signed-off-by: Michael Niedermayer --- libswscale/swscale_unscaled.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 9831488ca3..41d6b2b2f3 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -558,6 +558,8 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const uint8_t *src[], int bpc = dst_format->comp[0].depth_minus1 + 1; int alpha = src_format->flags & AV_PIX_FMT_FLAG_ALPHA; int swap = 0; + int i; + if ( HAVE_BIGENDIAN && !(src_format->flags & AV_PIX_FMT_FLAG_BE) || !HAVE_BIGENDIAN && src_format->flags & AV_PIX_FMT_FLAG_BE) swap++; @@ -571,6 +573,12 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const uint8_t *src[], src_format->name, dst_format->name); return srcSliceH; } + + for(i=0; i<4; i++) { + dst2013[i] += stride2013[i] * srcSliceY / 2; + dst1023[i] += stride1023[i] * srcSliceY / 2; + } + switch (c->srcFormat) { case AV_PIX_FMT_RGB48LE: case AV_PIX_FMT_RGB48BE: From f58794261e56a485dcf98b349fdc8ade4f9f4225 Mon Sep 17 00:00:00 2001 
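Review bot: The new loop in `Rgb16ToPlanarRgb16Wrapper` offsets all four entries of `dst2013` and `dst1023` unconditionally, which includes any plane pointer that is NULL (an absent alpha plane, for instance), and arithmetic on a null pointer is undefined. Guarding each entry, as in `if (dst2013[i]) dst2013[i] += stride2013[i] * srcSliceY / 2;`, would avoid that. Whether a NULL entry can occur depends on declarations outside the hunk. The `/ 2` presumably converts a byte stride into 16-bit elements and deserves a comment saying so.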
From: Michael Niedermayer Date: Mon, 12 Sep 2016 13:13:42 +0200 Subject: [PATCH 0978/1352] avcodec/avpacket: clear side_data_elems MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereference Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 5e1bf9d8c0d2cdbbf17b06a5dfdf87a635b3203b) Signed-off-by: Michael Niedermayer --- libavcodec/avpacket.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 76d014da31..6aae811361 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -196,6 +196,7 @@ static int copy_packet_data(AVPacket *pkt, const AVPacket *src, int dup) { pkt->data = NULL; pkt->side_data = NULL; + pkt->side_data_elems = 0; if (pkt->buf) { AVBufferRef *ref = av_buffer_ref(src->buf); if (!ref) @@ -210,9 +211,11 @@ FF_DISABLE_DEPRECATION_WARNINGS pkt->destruct = dummy_destruct_packet; FF_ENABLE_DEPRECATION_WARNINGS #endif - if (pkt->side_data_elems && dup) + if (src->side_data_elems && dup) { pkt->side_data = src->side_data; - if (pkt->side_data_elems && !dup) { + pkt->side_data_elems = src->side_data_elems; + } + if (src->side_data_elems && !dup) { return av_copy_packet_side_data(pkt, src); } return 0; From 9243dbb5599ed9e4796c0534cc2f77268fc27c8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Sep 2016 13:06:53 +0200 Subject: [PATCH 0979/1352] avcodec/g726: Add missing ADDB output mask MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 1.poc Fixes out of array read Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit a5af1240fce845f645440364c1335e0f8e44ee6c) Signed-off-by: Michael Niedermayer --- libavcodec/g726.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g726.c b/libavcodec/g726.c index b0331d8643..259e5a8f23 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c 
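Review bot: In the `dup` branch of `copy_packet_data` the new code copies `src->side_data` by pointer and now also `side_data_elems`, so after the call both packets refer to the same side-data array. Nothing at this site says which packet owns it. A comment such as `/* dup: side data is shared with src, not copied; only one of the two packets may free it */` would make the contract explicit, once confirmed against the callers, which are outside the hunk. The non-dup branch hands off to `av_copy_packet_side_data()`, which presumably makes an independent copy.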
@@ -207,7 +207,7 @@ static int16_t g726_decode(G726Context* c, int I) if (I_sig) /* get the sign */ dq = -dq; - re_signal = c->se + dq; + re_signal = (int16_t)(c->se + dq); /* Update second order predictor coefficient A2 and A1 */ pk0 = (c->sez + dq) ? sgn(c->sez + dq) : 0; From d4585d44c450af6f2e66c242ff11eeb3645ad3d8 Mon Sep 17 00:00:00 2001 From: Xinzheng Zhang Date: Wed, 14 Sep 2016 16:13:45 +0800 Subject: [PATCH 0980/1352] avformat/utils: fix timebase error in avformat_seek_file() When there is only one stream and stream_index has not specified, The ts has been transferd by the timebase of stream0 without modifying the stream_index In this condation it cause seek failure. Signed-off-by: Michael Niedermayer (cherry picked from commit ecc04b4f2f29ac676e6c1d1ebf20ec45f5385f1e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 78caf79275..0b84711b7f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2123,6 +2123,7 @@ int avformat_seek_file(AVFormatContext *s, int stream_index, int64_t min_ts, max_ts = av_rescale_rnd(max_ts, time_base.den, time_base.num * (int64_t)AV_TIME_BASE, AV_ROUND_DOWN | AV_ROUND_PASS_MINMAX); + stream_index = 0; } ret = s->iformat->read_seek2(s, stream_index, min_ts, From 6438fb13406d2c0cc6023fa9d2ca8942e9ebd682 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Sep 2016 15:25:38 +0200 Subject: [PATCH 0981/1352] avcodec/cavsdsp: use av_clip_uint8() for idct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes out of array read Fixes: 1.swf Found-by: 连一汉 Tested-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 0e318f110bcd6bb8e7de9127f2747272e60f48d7) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdsp.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) 
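Review bot: The `(int16_t)` cast on `c->se + dq` relies on an out-of-range `int` being wrapped on conversion, which is implementation-defined in C, and the line gives no hint that wrapping rather than clamping is intended. A comment such as `/* ADDB: keep only the low 16 bits of the sum */` would tie it to the commit's description. The sum `c->sez + dq` two lines later is used unmasked, and this hunk does not show whether it needs the same treatment. `g726_decode` continues outside the hunk.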
diff --git a/libavcodec/cavsdsp.c b/libavcodec/cavsdsp.c index 91f6d7350b..df9490ad8f 100644 --- a/libavcodec/cavsdsp.c +++ b/libavcodec/cavsdsp.c @@ -188,7 +188,6 @@ static void cavs_filter_ch_c(uint8_t *d, int stride, int alpha, int beta, int tc static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) { int i; int16_t (*src)[8] = (int16_t(*)[8])block; - const uint8_t *cm = ff_crop_tab + MAX_NEG_CROP; src[0][0] += 8; @@ -243,14 +242,14 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, int stride) { const int b2 = a5 - a7; const int b3 = a4 - a6; - dst[i + 0*stride] = cm[ dst[i + 0*stride] + ((b0 + b4) >> 7)]; - dst[i + 1*stride] = cm[ dst[i + 1*stride] + ((b1 + b5) >> 7)]; - dst[i + 2*stride] = cm[ dst[i + 2*stride] + ((b2 + b6) >> 7)]; - dst[i + 3*stride] = cm[ dst[i + 3*stride] + ((b3 + b7) >> 7)]; - dst[i + 4*stride] = cm[ dst[i + 4*stride] + ((b3 - b7) >> 7)]; - dst[i + 5*stride] = cm[ dst[i + 5*stride] + ((b2 - b6) >> 7)]; - dst[i + 6*stride] = cm[ dst[i + 6*stride] + ((b1 - b5) >> 7)]; - dst[i + 7*stride] = cm[ dst[i + 7*stride] + ((b0 - b4) >> 7)]; + dst[i + 0*stride] = av_clip_uint8( dst[i + 0*stride] + ((b0 + b4) >> 7)); + dst[i + 1*stride] = av_clip_uint8( dst[i + 1*stride] + ((b1 + b5) >> 7)); + dst[i + 2*stride] = av_clip_uint8( dst[i + 2*stride] + ((b2 + b6) >> 7)); + dst[i + 3*stride] = av_clip_uint8( dst[i + 3*stride] + ((b3 + b7) >> 7)); + dst[i + 4*stride] = av_clip_uint8( dst[i + 4*stride] + ((b3 - b7) >> 7)); + dst[i + 5*stride] = av_clip_uint8( dst[i + 5*stride] + ((b2 - b6) >> 7)); + dst[i + 6*stride] = av_clip_uint8( dst[i + 6*stride] + ((b1 - b5) >> 7)); + dst[i + 7*stride] = av_clip_uint8( dst[i + 7*stride] + ((b0 - b4) >> 7)); } } From a672688086ba51f51ccf6e580a076244778268a1 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 26 Sep 2016 20:25:59 +0200 Subject: [PATCH 0982/1352] avcodec/ansi: Check dimensions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 1.avi Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 69449da436169e7facaa6d1f3bcbc41cf6ce2754) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 92981cc62e..93e431e487 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -94,6 +94,9 @@ static av_cold int decode_init(AVCodecContext *avctx) int ret = ff_set_dimensions(avctx, 80 << 3, 25 << 4); if (ret < 0) return ret; + } else if (avctx->width % FONT_WIDTH || avctx->height % s->font_height) { + av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); + return AVERROR(EINVAL); } return 0; } From b490cf4350abfec4746d6e033d533e0a15cfa93c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2016 15:47:12 +0200 Subject: [PATCH 0983/1352] avformat/avidec: Remove ancient assert MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This assert can with crafted files fail, a warning is already printed for this case. Fixes assertion failure Fixes:1/assert.avi Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 14bac7e00d72eac687612d9b125e585011a56d4f) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 93c4dfbab7..5e9c1e3ed9 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
@@ -1805,7 +1805,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, continue; // av_assert1(st2->codec->block_align); - av_assert0(fabs(av_q2d(st2->time_base) - ast2->scale / (double)ast2->rate) < av_q2d(st2->time_base) * 0.00000001); index = av_index_search_timestamp(st2, av_rescale_q(timestamp, st->time_base, From 45f5e17aa43a4cebed77d8e9781447ad29a0ed61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Sep 2016 16:14:08 +0200 Subject: [PATCH 0984/1352] avformat/avidec: Check nb_streams in read_gab2_sub() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes null pointer dereference Fixes: 1/null_point.avi Found-by: 连一汉 Signed-off-by: Michael Niedermayer (cherry picked from commit 2679ad4773aa356e7c3da5c68bc81f02a194617f) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 5e9c1e3ed9..98d0267eea 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1057,6 +1057,8 @@ static int read_gab2_sub(AVStream *st, AVPacket *pkt) ast->sub_ctx->pb = pb; if (!avformat_open_input(&ast->sub_ctx, "", sub_demuxer, NULL)) { + if (ast->sub_ctx->nb_streams != 1) + goto error; ff_read_packet(ast->sub_ctx, &ast->sub_pkt); *st->codec = *ast->sub_ctx->streams[0]->codec; ast->sub_ctx->streams[0]->codec->extradata = NULL; From c277b24173eb78a9ba6b36cf28e985e247b48d12 Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sat, 16 Jan 2016 14:44:28 -0500 Subject: [PATCH 0985/1352] videodsp: fix 1-byte overread in top/bottom READ_NUM_BYTES iterations. This can overread (either before start or beyond end) of the buffer in Nx1 (i.e. height=1) images. Fixes mozilla bug 1240080. (cherry picked from commit 0f88b3f82fafd536979993aeaafcb11a22266dbd) Signed-off-by: Michael Niedermayer --- libavcodec/x86/videodsp.asm | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) 
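Review bot: The new `goto error` in `read_gab2_sub` is taken after `avformat_open_input()` has succeeded and after `ast->sub_ctx->pb = pb` was assigned, while the `error` label itself is outside this hunk. It should be confirmed that the label closes the context that was just opened and does not leave `ast->sub_ctx->pb` pointing at a buffer it frees. Otherwise a file whose embedded subtitle has a stream count other than one trades the null dereference for a leak or a dangling pointer. The return value of `ff_read_packet()` on the following context line is also ignored.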
diff --git a/libavcodec/x86/videodsp.asm b/libavcodec/x86/videodsp.asm index 77189fa6ef..0685b03c2b 100644 --- a/libavcodec/x86/videodsp.asm +++ b/libavcodec/x86/videodsp.asm @@ -184,14 +184,10 @@ hvar_fn mov valb, [srcq+%2-1] %elif (%2-%%off) == 2 mov valw, [srcq+%2-2] -%elifidn %1, body +%else mov valb, [srcq+%2-1] - sal vald, 16 + ror vald, 16 mov valw, [srcq+%2-3] -%elifidn %1, bottom - movd mm %+ %%mmx_idx, [srcq+%2-4] -%else ; top - movd mm %+ %%mmx_idx, [srcq+%2-3] %endif %endif ; (%2-%%off) >= 1 %endmacro ; READ_NUM_BYTES @@ -244,18 +240,13 @@ hvar_fn mov [dstq+%2-1], valb %elif (%2-%%off) == 2 mov [dstq+%2-2], valw -%elifidn %1, body - mov [dstq+%2-3], valw - sar vald, 16 - mov [dstq+%2-1], valb %else - movd vald, mm %+ %%mmx_idx -%ifidn %1, bottom - sar vald, 8 -%endif mov [dstq+%2-3], valw - sar vald, 16 + ror vald, 16 mov [dstq+%2-1], valb +%ifnidn %1, body + ror vald, 16 +%endif %endif %endif ; (%2-%%off) >= 1 %endmacro ; WRITE_NUM_BYTES From 67a1940707f7a8b2dcfdcbd120bb45420e40f997 Mon Sep 17 00:00:00 2001 From: Moritz Barsnick Date: Sun, 9 Oct 2016 12:57:00 +0200 Subject: [PATCH 0986/1352] lavfi: fix typos Signed-off-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit f4e4bde1f4cff99d4ec59ed361ff9228b2050e6b) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 4 ++-- libavfilter/vf_blackframe.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 4ba77a7366..bea8d1b356 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -109,7 +109,7 @@ static av_cold int init(AVFilterContext *ctx) if (!pan->args) { av_log(ctx, AV_LOG_ERROR, "pan filter needs a channel layout and a set " - "of channels definitions as parameter\n"); + "of channel definitions as parameter\n"); return AVERROR(EINVAL); } if (!args) 
@@ -274,7 +274,7 @@ static int config_props(AVFilterLink *link) if (link->channels > MAX_CHANNELS || pan->nb_output_channels > MAX_CHANNELS) { av_log(ctx, AV_LOG_ERROR, - "af_pan support a maximum of %d channels. " + "af_pan supports a maximum of %d channels. " "Feel free to ask for a higher limit.\n", MAX_CHANNELS); return AVERROR_PATCHWELCOME; } diff --git a/libavfilter/vf_blackframe.c b/libavfilter/vf_blackframe.c index 1be9fcca9d..65b9c01b66 100644 --- a/libavfilter/vf_blackframe.c +++ b/libavfilter/vf_blackframe.c @@ -102,8 +102,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) #define OFFSET(x) offsetof(BlackFrameContext, x) #define FLAGS AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_FILTERING_PARAM static const AVOption blackframe_options[] = { - { "amount", "Percentage of the pixels that have to be below the threshold " - "for the frame to be considered black.", OFFSET(bamount), AV_OPT_TYPE_INT, { .i64 = 98 }, 0, 100, FLAGS }, + { "amount", "percentage of the pixels that have to be below the threshold " + "for the frame to be considered black", OFFSET(bamount), AV_OPT_TYPE_INT, { .i64 = 98 }, 0, 100, FLAGS }, { "threshold", "threshold below which a pixel value is considered black", OFFSET(bthresh), AV_OPT_TYPE_INT, { .i64 = 32 }, 0, 255, FLAGS }, { "thresh", "threshold below which a pixel value is considered black", From 8a25a72770c48ab10a5b27e7c09ba7fa4884d406 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Oct 2016 13:40:18 +0200 Subject: [PATCH 0987/1352] avcodec/utils: Clear MMX state before returning from avcodec_default_execute*() Signed-off-by: Michael Niedermayer (cherry picked from commit 4f96f9d1118e073d346d16be157fa5075434e7f2) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 528c13be0f..6ce75ce984 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -1116,6 +1116,7 @@ int avcodec_default_execute(AVCodecContext *c, int (*func)(AVCodecContext *c2, v if (ret) ret[i] = r; } + emms_c(); return 0; } @@ -1128,6 +1129,7 @@ int avcodec_default_execute2(AVCodecContext *c, int (*func)(AVCodecContext *c2, if (ret) ret[i] = r; } + emms_c(); return 0; } From 0ccaf52fda2184cd5c01c78961f6026c361b2a60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Oct 2016 03:51:17 +0200 Subject: [PATCH 0988/1352] avcodec/interplayvideo: Check side data size before use Fixes out of array read Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer (cherry picked from commit 85d23e5cbc9ad6835eef870a5b4247de78febe56) Signed-off-by: Michael Niedermayer --- libavcodec/interplayvideo.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index f9e74b0a85..760108500b 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -1012,10 +1012,13 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, return ret; if (!s->is_16bpp) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } From e44f0fa93945ec996eac33b5ff502a3bca100fba Mon Sep 17 00:00:00 2001 
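Review bot: The palette size check added in `ipvideo_decode_frame` is repeated almost line for line in the following patches for 8bps, cinepak, idcinvideo, kmvc, msrle, qtrle, qpeg, msvideo1 and tscc, which makes it easy for one copy to drift from the others. A single internal helper that fetches the side data, validates its size against `AVPALETTE_SIZE`, copies it and reports whether a palette was applied would keep this bounds check in one place; the sketch below uses a constructed name. The enclosing function starts and ends outside the hunk.

```c
/* constructed helper name; where it lives (an internal header) is the project's choice */
static inline int copy_packet_palette(void *dst, AVPacket *pkt, void *logctx)
{
    int size;
    const uint8_t *pal = av_packet_get_side_data(pkt, AV_PKT_DATA_PALETTE, &size);

    if (pal && size == AVPALETTE_SIZE) {
        memcpy(dst, pal, AVPALETTE_SIZE);
        return 1;
    }
    if (pal)
        av_log(logctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size);
    return 0;
}

/* … unchanged: buffer setup in ipvideo_decode_frame … */
    if (!s->is_16bpp && copy_packet_palette(s->pal, avpkt, avctx))
        frame->palette_has_changed = 1;
```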
From: "Ronald S. Bultje" Date: Fri, 14 Oct 2016 13:01:27 -0400 Subject: [PATCH 0989/1352] vp9: change order of operations in adapt_prob(). This is intended to workaround bug "665 Integer Divide Instruction May Cause Unpredictable Behavior" on some early AMD CPUs, which causes a div-by-zero in this codepath, such as reported in Mozilla bug #1293996. Note that this isn't guaranteed to fix the bug, since a compiler is free to reorder instructions that don't depend on each other. However, it appears to fix the bug in Firefox, and a similar patch was applied to libvpx also (see Chrome bug #599899). (cherry picked from commit be885da3427c5d9a6fa68229d16318afffe67193) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index dd75e9e79d..cf9768e46c 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -3477,11 +3477,10 @@ static av_always_inline void adapt_prob(uint8_t *p, unsigned ct0, unsigned ct1, if (!ct) return; + update_factor = FASTDIV(update_factor * FFMIN(ct, max_count), max_count); p1 = *p; - p2 = ((ct0 << 8) + (ct >> 1)) / ct; + p2 = ((((int64_t) ct0) << 8) + (ct >> 1)) / ct; p2 = av_clip(p2, 1, 255); - ct = FFMIN(ct, max_count); - update_factor = FASTDIV(update_factor * ct, max_count); // (p1 * (256 - update_factor) + p2 * update_factor + 128) >> 8 *p = p1 + (((p2 - p1) * update_factor + 128) >> 8); From 1869ba95f6d745cc69595aab83af9be8d2f2ce9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Oct 2016 16:29:57 +0200 Subject: [PATCH 0990/1352] avcodec/dvdsubdec: Fix buf_size check Fixes out of array access Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer (cherry picked from commit 25ab1a65f3acb5ec67b53fb7a2463a7368f1ad16) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
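Review bot: Nothing in `adapt_prob()` records that the statement order is now deliberate, so a later cleanup could move the `update_factor` computation back below the division, or drop the `(int64_t)` cast, without noticing what it undoes. A comment above the moved line, for example `/* keep before the division and keep the dividend 64-bit: best-effort workaround for AMD erratum 665, see commit message */`, would preserve the reason given in the description; the cast is presumably part of the same workaround. As the description itself says, the compiler may still reorder independent statements, so the comment should call the workaround best-effort. The function's start and end are outside the hunk.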
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 9272e2c012..9e793d73b2 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -506,7 +506,8 @@ static int append_to_cached_buf(AVCodecContext *avctx, { DVDSubContext *ctx = avctx->priv_data; - if (ctx->buf_size >= sizeof(ctx->buf) - buf_size) { + av_assert0(buf_size >= 0 && ctx->buf_size <= sizeof(ctx->buf)); + if (buf_size >= sizeof(ctx->buf) - ctx->buf_size) { av_log(avctx, AV_LOG_WARNING, "Attempt to reconstruct " "too large SPU packets aborted.\n"); return AVERROR_INVALIDDATA; From acd2c3842c7f79d4b6561b095f377968f4772d6d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Oct 2016 00:11:52 +0200 Subject: [PATCH 0991/1352] avcodec/dvdsubdec: Fix off by 1 error Fixes out of array read Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer (cherry picked from commit c92f55847a3d9cd12db60bfcd0831ff7f089c37c) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 9e793d73b2..8d631cf731 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -182,7 +182,7 @@ static void guess_palette(DVDSubContext* ctx, for(i = 0; i < 4; i++) { if (alpha[i] != 0) { if (!color_used[colormap[i]]) { - level = level_map[nb_opaque_colors][j]; + level = level_map[nb_opaque_colors - 1][j]; r = (((subtitle_color >> 16) & 0xff) * level) >> 8; g = (((subtitle_color >> 8) & 0xff) * level) >> 8; b = (((subtitle_color >> 0) & 0xff) * level) >> 8; From 53f8e8388ee3382a43e306a177a0124a8fcd7efc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 13:44:52 +0100 Subject: [PATCH 0992/1352] avcodec/8bps: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 042faa847feea820451c474af0034fd3de9cff82) 
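Review bot: `av_assert0(buf_size >= 0 && ctx->buf_size <= sizeof(ctx->buf));` aborts the process when it fails, and `buf_size` appears to describe the packet being appended (the caller is outside the hunk), so a malformed input could terminate the host application instead of being rejected. If either condition can be influenced by input, fail on the same path as the size check below it: `if (buf_size < 0 || ctx->buf_size > sizeof(ctx->buf)) return AVERROR_INVALIDDATA;`. If both are true invariants, a short comment saying so next to the assert would help. The rewritten comparison `buf_size >= sizeof(ctx->buf) - ctx->buf_size` depends on that guard, because it mixes a presumably signed `buf_size` with a `size_t` expression.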
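Review bot: The new index `nb_opaque_colors - 1` is valid only when `nb_opaque_colors` is at least 1 and no larger than the first dimension of `level_map`, and neither the counter's computation nor the table's declaration is visible in the hunk. A comment on the line, e.g. `/* nb_opaque_colors is in 1..N here; level_map rows are indexed from 0 */` with N taken from the declaration, would document the invariant this fix relies on. If the zero case is not excluded earlier in `guess_palette()`, an early return before the loop is needed as well.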
Signed-off-by: Michael Niedermayer --- libavcodec/8bps.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index e00bdfc808..960b15fc0b 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -120,12 +120,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, } if (avctx->bits_per_coded_sample <= 8) { + int size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, - NULL); - if (pal) { + &size); + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(c->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } memcpy (frame->data[1], c->pal, AVPALETTE_SIZE); From f43f34cd68d5b85680a8cca7e15a7b8d4872630c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 13:47:38 +0100 Subject: [PATCH 0993/1352] avcodec/cinepak: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 121be310607879841d19a34d9f16d4fe9ba7f18c) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index f651c489bf..4a9d0b44c5 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -443,10 +443,13 @@ static int cinepak_decode_frame(AVCodecContext *avctx, return ret; if (s->palette_video) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); - if (pal) { + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } From 054c4b71a49a57d99650eb942b787de55a714ca4 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 0994/1352] avcodec/idcinvideo: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit a2b8dde65947bfabf42269e124ef83ecf9c5974a) Signed-off-by: Michael Niedermayer --- libavcodec/idcinvideo.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/idcinvideo.c b/libavcodec/idcinvideo.c index 7765376cbf..3e674168cd 100644 --- a/libavcodec/idcinvideo.c +++ b/libavcodec/idcinvideo.c @@ -215,7 +215,8 @@ static int idcin_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; IdcinContext *s = avctx->priv_data; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); AVFrame *frame = data; int ret; @@ -228,9 +229,11 @@ static int idcin_decode_frame(AVCodecContext *avctx, if (idcin_decode_vlcs(s, frame)) return AVERROR_INVALIDDATA; - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } /* make the palette available on the way out */ memcpy(frame->data[1], s->pal, AVPALETTE_SIZE); From e9042e9ff1f02d51aa1a096add7be77da5220b88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 0995/1352] avcodec/kmvc: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 2d99101d0964f754822fb4af121c4abc69047dba) Signed-off-by: Michael Niedermayer --- libavcodec/kmvc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/kmvc.c b/libavcodec/kmvc.c index f879c353e7..5053a27385 100644 --- a/libavcodec/kmvc.c +++ b/libavcodec/kmvc.c 
@@ -268,7 +268,8 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, int i, ret; int header; int blocksize; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); bytestream2_init(&ctx->g, avpkt->data, avpkt->size); @@ -303,9 +304,11 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame, } } - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(ctx->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } if (ctx->setpal) { From 71f8f6dcc960d31c7aebd958e5367c8bd68ac0f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 0996/1352] avcodec/msrle: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit a6330119a099840c5279697cf80cb768df97a90a) Signed-off-by: Michael Niedermayer --- libavcodec/msrle.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index 260ad807ea..291ca36a91 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -99,11 +99,14 @@ static int msrle_decode_frame(AVCodecContext *avctx, return ret; if (avctx->bits_per_coded_sample > 1 && avctx->bits_per_coded_sample <= 8) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } /* make the palette available */ memcpy(s->frame->data[1], s->pal, AVPALETTE_SIZE); 
From 3d46ce10b6e664d52e4d6894e09afbce0da04269 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 0997/1352] avcodec/qtrle: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 7d196f2a5a48faf25fd904b33b1fd239daae9840) Signed-off-by: Michael Niedermayer --- libavcodec/qtrle.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index b367643782..0c2dd944f3 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -485,11 +485,14 @@ static int qtrle_decode_frame(AVCodecContext *avctx, } if(has_palette) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { s->frame->palette_has_changed = 1; memcpy(s->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } /* make the palette available on the way out */ From 63cd1b05ede13c9e83ca765dee16bc656135cd48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 0998/1352] avcodec/qpeg: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 16793504dfba44e738655807db3274301b9bc690) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 71f322b828..3d083ae76c 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c 
@@ -260,7 +260,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame * const ref = a->ref; uint8_t* outdata; int delta, ret; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int pal_size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); if (avpkt->size < 0x86) { av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); @@ -287,9 +288,11 @@ static int decode_frame(AVCodecContext *avctx, } /* make the palette available on the way out */ - if (pal) { + if (pal && pal_size == AVPALETTE_SIZE) { p->palette_has_changed = 1; memcpy(a->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); } memcpy(p->data[1], a->pal, AVPALETTE_SIZE); From e86c933544a222457d8c042a03011f8761665434 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 0999/1352] avcodec/msvideo1: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 161ccdaa06d1d109e8f77d2535bda11ce02720f5) Signed-off-by: Michael Niedermayer --- libavcodec/msvideo1.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index 88397beb00..80d183dad1 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -306,11 +306,14 @@ static int msvideo1_decode_frame(AVCodecContext *avctx, return ret; if (s->mode_8bit) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { memcpy(s->pal, pal, AVPALETTE_SIZE); s->frame->palette_has_changed = 1; + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } } From c9c3f1bc38413d2512eb5967f4b7a1e39fceb931 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 1000/1352] avcodec/rawdec: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 5f0bc0215a0f7099a2bcba5dced2e045e70fee61) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 568553923b..dd56680129 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -271,8 +271,13 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, } if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { + int pal_size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, - NULL); + &pal_size); + if (pal_size != AVPALETTE_SIZE) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", pal_size); + pal = NULL; + } if (pal) { av_buffer_unref(&context->palette); From 934c315c2090317d7e8b51b7f63a53e65a90278c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Oct 2016 15:12:12 +0100 Subject: [PATCH 1001/1352] avcodec/tscc: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 979bca513424879ed0c653cb1b55fc4156a89576) Signed-off-by: Michael Niedermayer --- libavcodec/tscc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/tscc.c b/libavcodec/tscc.c index 628a6b3c36..1283ef6c57 100644 --- a/libavcodec/tscc.c +++ b/libavcodec/tscc.c 
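Review bot: `pal_size` is tested before `pal`, so the new `if (pal_size != AVPALETTE_SIZE)` also runs for packets that carry no palette side data at all. In that case `pal` is NULL and `pal_size` holds whatever `av_packet_get_side_data()` leaves in it on a miss (its implementation is not shown here; if it does not write the size, this reads an uninitialised `int`), and the decoder logs a palette error for every ordinary packet. Guard on the pointer first, as the sibling decoders in this series do: `if (pal && pal_size != AVPALETTE_SIZE) {`. `raw_decode` continues outside the hunk.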
@@ -99,11 +99,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, /* make the palette available on the way out */ if (c->avctx->pix_fmt == AV_PIX_FMT_PAL8) { - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); + int size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - if (pal) { + if (pal && size == AVPALETTE_SIZE) { frame->palette_has_changed = 1; memcpy(c->pal, pal, AVPALETTE_SIZE); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, "Palette size %d is wrong\n", size); } memcpy(frame->data[1], c->pal, AVPALETTE_SIZE); } From 24195619f6e8400938ce391da6ea150f84f3ca00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Nov 2016 19:24:49 +0100 Subject: [PATCH 1002/1352] avcodec/sunrast: Fix input buffer pointer check Fixes: out of array read Fixes: poc.dat Found-by: Bingchang, Liu @VARAS of IIE Tested-by: bc L Signed-off-by: Michael Niedermayer (cherry picked from commit 37138338ff602803d174b13fecd363a083bc2f9a) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index d9918f48b9..c6e50e53e1 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -168,7 +168,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } } else { for (y = 0; y < h; y++) { - if (buf_end - buf < len) + if (buf_end - buf < alen) break; memcpy(ptr, buf, len); ptr += stride; From 32c51deb3c4aaa29e38f50b2d99f9289ef77ea48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 18:05:33 +0100 Subject: [PATCH 1003/1352] avcodec/ituh263dec: Avoid spending a long time in slice sync Fixes: 177/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_FLV1_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2baf36caed98cfdc7f6a2086fbf26f1a172f16cf) 
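Review bot: In the `sunrast_decode_frame` hunk the bounds check now uses `alen` while the `memcpy` on the next line still copies `len` bytes, and nothing explains the difference. A comment such as `/* rows are padded to alen bytes in the input; require the whole padded row before copying len */` would keep the two from being unified again by mistake; this assumes `buf` advances by `alen` per row, which happens outside the hunk. The `break` also ends decoding silently on truncated input, so an `av_log` warning at that point would make short files diagnosable.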
Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 412301078c..89fc989a8a 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -163,6 +163,7 @@ static int h263_decode_gob_header(MpegEncContext *s) /* We have a GBSC probably with GSTUFF */ skip_bits(&s->gb, 16); /* Drop the zeros */ left= get_bits_left(&s->gb); + left = FFMIN(left, 32); //MN: we must check the bits left or we might end in a infinite loop (or segfault) for(;left>13; left--){ if(get_bits1(&s->gb)) break; /* Seek the '1' bit */ From 238a17fd54ca404ef722b3b8ab3ae9f8d214ac2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 22:50:35 +0100 Subject: [PATCH 1004/1352] avcodec/rv40: Test remaining space in loop of get_dimension() Fixes infinite loop Fixes: 178/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_RV40_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1546d487cf12da37d90a080813f8d57ac33036bf) Signed-off-by: Michael Niedermayer --- libavcodec/rv40.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index 043fd724a9..6a6cf5b023 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -109,6 +109,8 @@ static int get_dimension(GetBitContext *gb, const int *dim) val = dim[get_bits1(gb) - val]; if(!val){ do{ + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; t = get_bits(gb, 8); val += t << 2; }while(t == 0xFF); From 8e7f5ecfcae761166be2b77349453d51e318c59e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2016 20:06:42 +0100 Subject: [PATCH 1005/1352] avformat/mpeg: Adjust vid probe threshold to correct mis-detection Fixes: _ij.mp3 Signed-off-by: Michael Niedermayer (cherry picked from commit 4e5049a2303ae7fe74216a83206239e4de42c965) 
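Review bot: The cap `left = FFMIN(left, 32);` in `h263_decode_gob_header` introduces an unexplained constant. State in a comment what bounds the scan, e.g. `/* limit the search for the '1' bit; a longer run of zeros is not valid GSTUFF */` if that is the reasoning, or give the value a name. The existing `//MN:` comment directly below still describes checking the bits left as the only protection, so the two should be reconciled. The function continues outside the hunk.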
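Review bot: `get_dimension()` now returns `AVERROR_INVALIDDATA` through the same `int` that otherwise carries a width or height, and its callers are outside the hunk. Each call site needs to test the result for a negative value before using it as a dimension, e.g. `if (w < 0) return w;` (variable name constructed), otherwise the error code is passed on as a size. If the callers already validate dimensions later, a comment on `get_dimension()` documenting the negative return would still be worth adding.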
Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index c2ec1e21e4..22fded6f52 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -110,7 +110,7 @@ static int mpegps_probe(AVProbeData *p) : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg if ((!!vid ^ !!audio) && (audio > 4 || vid > 1) && !sys && !pspack && p->buf_size > 2048 && vid + audio > invalid) /* PES stream */ - return (audio > 12 || vid > 3 + 2 * invalid) ? AVPROBE_SCORE_EXTENSION + 2 + return (audio > 12 || vid > 6 + 2 * invalid) ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 02-Penguin.flac has sys:0 priv1:0 pspack:0 vid:0 audio:1 From 5497fa83f915b7194d409ce073f90f2ad36d21ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Nov 2016 02:58:34 +0100 Subject: [PATCH 1006/1352] avformat/idroqdec: Check chunk_size for being too large Signed-off-by: Michael Niedermayer (cherry picked from commit 744a0b5206634e5de04d5c31f08cc3640faf800d) Signed-off-by: Michael Niedermayer --- libavformat/idroqdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/idroqdec.c b/libavformat/idroqdec.c index 76bb3924b1..d733953a04 100644 --- a/libavformat/idroqdec.c +++ b/libavformat/idroqdec.c @@ -157,6 +157,9 @@ static int roq_read_packet(AVFormatContext *s, chunk_size = AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size; + if (chunk_size > INT_MAX) + return AVERROR_INVALIDDATA; + /* rewind */ avio_seek(pb, codebook_offset, SEEK_SET); From 364f7ad5b0de79d33b2b4c159ae8e3d3b3f26096 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Nov 2016 15:29:52 +0100 Subject: [PATCH 1007/1352] avcodec/flac_parser: Update nb_headers_buffered Fixes infinite loop Fixes: fuzz.flac Found-by: Frank Liberato Reviewed-by: Frank Liberato Signed-off-by: Michael Niedermayer (cherry picked from commit 2475858889cde6221677473b663df6f985add33d) 
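Review bot: The new `chunk_size > INT_MAX` test in `roq_read_packet` runs after the sum `AV_RL32(&preamble[2]) + RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size` has already been stored, so if `chunk_size` is a 32-bit unsigned (its declaration is outside the hunk) a large header value can wrap to a small one and pass the check. Comparing a 64-bit sum before the assignment closes that gap: `if (AV_RL32(&preamble[2]) + (int64_t)RoQ_CHUNK_PREAMBLE_SIZE * 2 + codebook_size > INT_MAX) return AVERROR_INVALIDDATA;`. The function starts and ends outside the hunk.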
Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 7faf1389ea..33efda53ca 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -579,10 +579,12 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, temp = curr->next; av_freep(&curr->link_penalty); av_free(curr); + fpc->nb_headers_buffered--; } fpc->headers = fpc->best_header->next; av_freep(&fpc->best_header->link_penalty); av_freep(&fpc->best_header); + fpc->nb_headers_buffered--; } /* Find and score new headers. */ From 1a383992ee2b9679bb8b0ef0f44c7471da636980 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 03:02:41 +0100 Subject: [PATCH 1008/1352] avformat/utils: Check start/end before computing duration in update_stream_timings() Fixes undefined behavior Fixes: 637428.ogg Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 90da187f1d334422477886a19eca3c1da29c59a7) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 0b84711b7f..c713d62804 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2235,11 +2235,14 @@ static void update_stream_timings(AVFormatContext *ic) if (ic->nb_programs) { for (i = 0; i < ic->nb_programs; i++) { p = ic->programs[i]; - if (p->start_time != AV_NOPTS_VALUE && p->end_time > p->start_time) + if (p->start_time != AV_NOPTS_VALUE && + p->end_time > p->start_time && + p->end_time - (uint64_t)p->start_time <= INT64_MAX) duration = FFMAX(duration, p->end_time - p->start_time); } - } else + } else if (end_time >= start_time && end_time - (uint64_t)start_time <= INT64_MAX) { duration = FFMAX(duration, end_time - start_time); + } } } if (duration != INT64_MIN && duration > 0 && ic->duration == AV_NOPTS_VALUE) { 
From aef73c36764402c376d83762220946d59cbc0f5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 03:40:55 +0100 Subject: [PATCH 1009/1352] avformat/oggparsespeex: Check frames_per_packet and packet_size The speex specification does not seem to restrict these values, thus the limits where choosen so as to avoid multiplicative overflow Fixes undefined behavior Fixes: 635422.ogg Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e) Signed-off-by: Michael Niedermayer --- libavformat/oggparsespeex.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/oggparsespeex.c b/libavformat/oggparsespeex.c index 9b5c65f453..55bf72b221 100644 --- a/libavformat/oggparsespeex.c +++ b/libavformat/oggparsespeex.c @@ -74,6 +74,13 @@ static int speex_header(AVFormatContext *s, int idx) { spxp->packet_size = AV_RL32(p + 56); frames_per_packet = AV_RL32(p + 64); + if (spxp->packet_size < 0 || + frames_per_packet < 0 || + spxp->packet_size * (int64_t)frames_per_packet > INT32_MAX / 256) { + av_log(s, AV_LOG_ERROR, "invalid packet_size, frames_per_packet %d %d\n", spxp->packet_size, frames_per_packet); + spxp->packet_size = 0; + return AVERROR_INVALIDDATA; + } if (frames_per_packet) spxp->packet_size *= frames_per_packet; From 483204b5c42e7e34845c0f500bcba656d3cd268a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 16:43:10 +0100 Subject: [PATCH 1010/1352] avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c Fixes: left shift of negative value Fixes: 668346-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit acc163c6ab52d2235767852262c64c7f6b273d1c) Signed-off-by: Michael Niedermayer --- libavcodec/flacdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdsp_template.c b/libavcodec/flacdsp_template.c index 62c0a15ff6..776c78da71 100644 
--- a/libavcodec/flacdsp_template.c +++ b/libavcodec/flacdsp_template.c @@ -56,7 +56,7 @@ static void FUNC(flac_decorrelate_indep_c)(uint8_t **out, int32_t **in, for (j = 0; j < len; j++) for (i = 0; i < channels; i++) - S(samples, i, j) = in[i][j] << shift; + S(samples, i, j) = (int)((unsigned)in[i][j] << shift); } static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in, From a9479bbc5711de0d33675b614372e9d3647e1aa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 17:05:43 +0100 Subject: [PATCH 1011/1352] avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed() Fixes undefined behavior Fixes: 640912-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 83a75bf6c31b3c0ce2ca7e1426d1f2e3df634239) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index a48b177828..da4d770aba 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -261,7 +261,8 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, int pred_order, int bps) { const int blocksize = s->blocksize; - int av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d), i; + unsigned av_uninit(a), av_uninit(b), av_uninit(c), av_uninit(d); + int i; int ret; /* warm up samples */ From 2e7800778c8aadb3362797caca4b6daa8c6bf3a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Dec 2016 23:44:56 +0100 Subject: [PATCH 1012/1352] avcodec/get_bits: Fix get_sbits_long(0) Fixes undefined behavior Fixes: 640889-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit c72fa432349881d5a445cd110abf698cc94d490d) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index b9dec4fe35..8a40aeeae7 100644 --- a/libavcodec/get_bits.h 
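Review bot: Only `flac_decorrelate_indep_c` receives the unsigned cast, while the sibling decorrelation functions are not shown (`flac_decorrelate_ls_c` starts right after the hunk). If they also apply `<< shift` to signed samples, they have the same undefined behaviour for negative values and need the same `(int)((unsigned)x << shift)` form. A small macro or inline for the shift, used by every variant, would keep them consistent.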
+++ b/libavcodec/get_bits.h @@ -374,6 +374,10 @@ static inline uint64_t get_bits64(GetBitContext *s, int n) */ static inline int get_sbits_long(GetBitContext *s, int n) { + // sign_extend(x, 0) is undefined + if (!n) + return 0; + return sign_extend(get_bits_long(s, n), n); } From ac0cdddc783ea49a1680c8f1a37bc037dfe46ff0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Dec 2016 00:11:17 +0100 Subject: [PATCH 1013/1352] avcodec/flacdec: Fix undefined shift in decode_subframe() Fixes undefined behavior Fixes: 639961-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1f5630af51f24d79053b6bef5b8b3ba93d637306) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index da4d770aba..969fa8e1ac 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -406,7 +406,7 @@ static inline int decode_subframe(FLACContext *s, int channel) if (wasted) { int i; for (i = 0; i < s->blocksize; i++) - decoded[i] <<= wasted; + decoded[i] = (unsigned)decoded[i] << wasted; } return 0; From cdea949fcf1471afa2da0b4806c3ba8ee9c16694 Mon Sep 17 00:00:00 2001 From: Timothy Gu Date: Mon, 5 Dec 2016 10:04:57 -0800 Subject: [PATCH 1014/1352] zmqsend: Initialize ret to 0 Fixes CID1396857. (cherry picked from commit d903b4e3ad4a81b3dd79f12c2f3b9cb16e511173) Signed-off-by: Michael Niedermayer --- tools/zmqsend.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/zmqsend.c b/tools/zmqsend.c index d47bf216b4..6148bd623c 100644 --- a/tools/zmqsend.c +++ b/tools/zmqsend.c @@ -53,7 +53,7 @@ int main(int argc, char **argv) { AVBPrint src; char c, *src_buf, *recv_buf; - int recv_buf_size, ret; + int recv_buf_size, ret = 0; void *zmq_ctx, *socket; const char *bind_address = "tcp://localhost:5555"; const char *infilename = NULL; From 4c5ebe4b014a208b8c8f52d61c4fb42b98d60e67 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 5 Dec 2016 11:14:51 +0100 Subject: [PATCH 1015/1352] avformat/rtmppkt: Check for packet size mismatches Fixes out of array access Found-by: Paul Cher Reviewed-by: Paul Cher Signed-off-by: Michael Niedermayer (cherry picked from commit 7d57ca4d9a75562fa32e40766211de150f8b3ee7) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 92172dc366..3a82900f10 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -235,6 +235,14 @@ static int rtmp_packet_read_one_chunk(URLContext *h, RTMPPacket *p, if (hdr != RTMP_PS_TWELVEBYTES) timestamp += prev_pkt[channel_id].timestamp; + if (prev_pkt[channel_id].read && size != prev_pkt[channel_id].size) { + av_log(NULL, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n", + size, + prev_pkt[channel_id].size); + ff_rtmp_packet_destroy(&prev_pkt[channel_id]); + prev_pkt[channel_id].read = 0; + } + if (!prev_pkt[channel_id].read) { if ((ret = ff_rtmp_packet_create(p, channel_id, type, timestamp, size)) < 0) From 19239c983e27a8dc902187cb8b95258939143c13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Dec 2016 12:54:21 +0100 Subject: [PATCH 1016/1352] Avoid using the term "file" and prefer "url" in some docs and comments This should make it less ambigous that these are URLs Signed-off-by: Michael Niedermayer (cherry picked from commit a5f27a9c3aa973c543bd8bbf2a78363700bbc03e) Signed-off-by: Michael Niedermayer --- doc/ffmpeg.texi | 18 +++++++++--------- doc/ffplay.texi | 6 +++--- doc/ffprobe.texi | 10 +++++----- ffmpeg_opt.c | 4 ++-- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index 4fc76820e1..862bd472c9 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi 
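Review bot: The new mismatch error in `rtmp_packet_read_one_chunk` is logged with `av_log(NULL, ...)` although the function receives the connection as `URLContext *h`, so the message cannot be attributed to a stream or filtered per context. Use `av_log(h, AV_LOG_ERROR, "RTMP packet size mismatch %d != %d\n", size, prev_pkt[channel_id].size);`. Because `size` is supplied by the peer, consider a lower log level or some rate limiting so a misbehaving peer cannot flood the log. The function continues outside the hunk.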
@@ -11,7 +11,7 @@ @chapter Synopsis -ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_file}@} ... @{[@var{output_file_options}] @file{output_file}@} ... +ffmpeg [@var{global_options}] @{[@var{input_file_options}] -i @file{input_url}@} ... @{[@var{output_file_options}] @file{output_url}@} ... @chapter Description @c man begin DESCRIPTION @@ -23,10 +23,10 @@ rates and resize video on the fly with a high quality polyphase filter. @command{ffmpeg} reads from an arbitrary number of input "files" (which can be regular files, pipes, network streams, grabbing devices, etc.), specified by the @code{-i} option, and writes to an arbitrary number of output "files", which are -specified by a plain output filename. Anything found on the command line which -cannot be interpreted as an option is considered to be an output filename. +specified by a plain output url. Anything found on the command line which +cannot be interpreted as an option is considered to be an output url. -Each input or output file can, in principle, contain any number of streams of +Each input or output url can, in principle, contain any number of streams of different types (video/audio/subtitle/attachment/data). The allowed number and/or types of streams may be limited by the container format. Selecting which streams from which inputs will go into which output is either done automatically @@ -242,8 +242,8 @@ Force input or output file format. The format is normally auto detected for inpu files and guessed from the file extension for output files, so this option is not needed in most cases. -@item -i @var{filename} (@emph{input}) -input file name +@item -i @var{url} (@emph{input}) +input file url @item -y (@emph{global}) Overwrite output files without asking. 
@@ -276,7 +276,7 @@ libx264, and the 138th audio, which will be encoded with libvorbis. When used as an input option (before @code{-i}), limit the @var{duration} of data read from the input file. -When used as an output option (before an output filename), stop writing the +When used as an output option (before an output url), stop writing the output after its duration reaches @var{duration}. @var{duration} may be a number in seconds, or in @code{hh:mm:ss[.xxx]} form. @@ -301,7 +301,7 @@ extra segment between the seek point and @var{position} will be decoded and discarded. When doing stream copy or when @option{-noaccurate_seek} is used, it will be preserved. -When used as an output option (before an output filename), decodes but discards +When used as an output option (before an output url), decodes but discards input until the timestamps reach @var{position}. @var{position} may be either in seconds or in @code{hh:mm:ss[.xxx]} form. @@ -1057,7 +1057,7 @@ may be reassigned to a different value. For example, to set the stream 0 PID to 33 and the stream 1 PID to 36 for an output mpegts file: @example -ffmpeg -i infile -streamid 0:33 -streamid 1:36 out.ts +ffmpeg -i inurl -streamid 0:33 -streamid 1:36 out.ts @end example @item -bsf[:@var{stream_specifier}] @var{bitstream_filters} (@emph{output,per-stream}) diff --git a/doc/ffplay.texi b/doc/ffplay.texi index 203085c16d..9b86c6bfc1 100644 --- a/doc/ffplay.texi +++ b/doc/ffplay.texi @@ -11,7 +11,7 @@ @chapter Synopsis -ffplay [@var{options}] [@file{input_file}] +ffplay [@var{options}] [@file{input_url}] @chapter Description @c man begin DESCRIPTION @@ -93,8 +93,8 @@ the input audio. Use the option "-filters" to show all the available filters (including sources and sinks). -@item -i @var{input_file} -Read @var{input_file}. +@item -i @var{input_url} +Read @var{input_url}. @end table @section Advanced options diff --git a/doc/ffprobe.texi b/doc/ffprobe.texi index 0a39ed4ca5..fdbb6b1985 100644 --- a/doc/ffprobe.texi 
+++ b/doc/ffprobe.texi @@ -11,7 +11,7 @@ @chapter Synopsis -ffprobe [@var{options}] [@file{input_file}] +ffprobe [@var{options}] [@file{input_url}] @chapter Description @c man begin DESCRIPTION @@ -23,8 +23,8 @@ For example it can be used to check the format of the container used by a multimedia stream and the format and type of each media stream contained in it. -If a filename is specified in input, ffprobe will try to open and -probe the file content. If the file cannot be opened or recognized as +If a url is specified in input, ffprobe will try to open and +probe the url content. If the url cannot be opened or recognized as a multimedia file, a positive exit code is returned. ffprobe may be employed both as a standalone application or in @@ -325,8 +325,8 @@ equivalent of setting both @option{-show_program_version} and Force bitexact output, useful to produce output which is not dependent on the specific build. -@item -i @var{input_file} -Read @var{input_file}. +@item -i @var{input_url} +Read @var{input_url}. @end table @c man end diff --git a/ffmpeg_opt.c b/ffmpeg_opt.c index 7218d9133e..2629cfd9d9 100644 --- a/ffmpeg_opt.c +++ b/ffmpeg_opt.c @@ -2651,8 +2651,8 @@ enum OptGroup { }; static const OptionGroupDef groups[] = { - [GROUP_OUTFILE] = { "output file", NULL, OPT_OUTPUT }, - [GROUP_INFILE] = { "input file", "i", OPT_INPUT }, + [GROUP_OUTFILE] = { "output url", NULL, OPT_OUTPUT }, + [GROUP_INFILE] = { "input url", "i", OPT_INPUT }, }; static int open_files(OptionGroupList *l, const char *inout, From a07cf6423ec30be54493d46ad541c8f91fe1c13e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Dec 2016 17:27:45 +0100 Subject: [PATCH 1017/1352] ffserver: Check chunk size Fixes out of array access Fixes: poc_ffserver.py Found-by: Paul Cher Signed-off-by: Michael Niedermayer (cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156) Signed-off-by: Michael Niedermayer --- ffserver.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/ffserver.c b/ffserver.c index ff33b2f263..e376dae5f1 100644 --- a/ffserver.c +++ b/ffserver.c @@ -2704,8 +2704,10 @@ static int http_receive_data(HTTPContext *c) } else if (c->buffer_ptr - c->buffer >= 2 && !memcmp(c->buffer_ptr - 1, "\r\n", 2)) { c->chunk_size = strtol(c->buffer, 0, 16); - if (c->chunk_size == 0) // end of stream + if (c->chunk_size <= 0) { // end of stream or invalid chunk size + c->chunk_size = 0; goto fail; + } c->buffer_ptr = c->buffer; break; } else if (++loop_run > 10) { @@ -2728,6 +2730,7 @@ static int http_receive_data(HTTPContext *c) /* end of connection : close it */ goto fail; else { + av_assert0(len <= c->chunk_size); c->chunk_size -= len; c->buffer_ptr += len; c->data_count += len; From 844ce50f9f61a4aa3b42f22fa7273a08d20de536 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Dec 2016 00:19:19 +0100 Subject: [PATCH 1018/1352] avcodec/ffv1enc: Fix size of first slice Signed-off-by: Michael Niedermayer (cherry picked from commit cff1c0edaa797eca96663d9b83e4b8c1b609ff19) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 25b70d673e..924999d4e5 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -1178,7 +1178,6 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, FFV1Context *f = avctx->priv_data; RangeCoder *const c = &f->slice_context[0]->c; AVFrame *const p = f->picture.f; - int used_count = 0; uint8_t keystate = 128; uint8_t *buf_p; int i, ret; 
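Review bot: In the first http_receive_data() hunk the result of `strtol(c->buffer, 0, 16)` is still assigned straight to `c->chunk_size`, so the added `<= 0` test sees the value only after any narrowing and without an `ERANGE` or "no digits parsed" check. The type of `chunk_size` is not visible here; if it is `int`, a large `long` from the peer is truncated before the comparison. Parsing into a `long` and rejecting empty, out-of-range and oversized values before the assignment closes that gap, as sketched below with `INT_MAX` standing in for whatever limit matches the field's real type. The function body extends beyond the hunk.

```c
        } else if (c->buffer_ptr - c->buffer >= 2 &&
                   !memcmp(c->buffer_ptr - 1, "\r\n", 2)) {
            char *end;
            long chunk;

            errno = 0;
            chunk = strtol(c->buffer, &end, 16);
            /* 0 ends the stream; no digits, overflow or a negative size is invalid */
            if (end == c->buffer || errno == ERANGE ||
                chunk <= 0 || chunk > INT_MAX) {
                c->chunk_size = 0;
                goto fail;
            }
            c->chunk_size = chunk;
            /* … unchanged: buffer_ptr reset and break … */
```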
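Review bot: `av_assert0(len <= c->chunk_size)` in the second http_receive_data() hunk turns a broken invariant on a network-facing path into an abort of the whole server process. How `len` is bounded is not visible in the hunk; if the bound can ever be violated by what a client sends, a single connection could take the service down. Failing only the affected connection, `if (len > c->chunk_size) goto fail;`, gives the same protection against the out-of-array access without that side effect. If the assert is kept as a pure sanity check, a comment naming the line that guarantees the bound would make that clear.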
@@ -1263,11 +1262,17 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, } } - for (i = 1; i < f->slice_count; i++) { + for (i = 0; i < f->slice_count; i++) { FFV1Context *fs = f->slice_context[i]; - uint8_t *start = pkt->data + (pkt->size - used_count) * (int64_t)i / f->slice_count; + uint8_t *start = pkt->data + pkt->size * (int64_t)i / f->slice_count; int len = pkt->size / f->slice_count; - ff_init_range_encoder(&fs->c, start, len); + if (i) { + ff_init_range_encoder(&fs->c, start, len); + } else { + av_assert0(fs->c.bytestream_end >= fs->c.bytestream_start + len); + av_assert0(fs->c.bytestream < fs->c.bytestream_start + len); + fs->c.bytestream_end = fs->c.bytestream_start + len; + } } avctx->execute(avctx, encode_slice, &f->slice_context[0], NULL, f->slice_count, sizeof(void *)); From 28def574c03c5dbdce43ab129cbf617544e223e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Dec 2016 17:01:14 +0100 Subject: [PATCH 1019/1352] avformat/oggdec: Skip streams in duration correction that did not had their duration set. Fixes: part of 670190.ogg Fixes integer overflow Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit ee2a6f5df8c6a151c3e3826872f1b0a07401c62a) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 2ef09b13bb..b1caf98f29 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -619,6 +619,8 @@ static int ogg_get_length(AVFormatContext *s) int64_t pts; if (i < 0) continue; pts = ogg_calc_pts(s, i, NULL); + if (s->streams[i]->duration == AV_NOPTS_VALUE) + continue; if (pts != AV_NOPTS_VALUE && s->streams[i]->start_time == AV_NOPTS_VALUE && !ogg->streams[i].got_start) { s->streams[i]->duration -= pts; ogg->streams[i].got_start= 1; From 702d697c2b05c61dc29ad8fb596f1e477f9d0139 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 9 Dec 2016 17:01:14 +0100 Subject: [PATCH 1020/1352] avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory() Fixes: part of 670190.ogg Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 8258e363851434ad5662c19d036fddb3e3f27683) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 9acb163796..8b6bc54c66 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -312,13 +312,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + beta + rho - min_ab)) + + s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + beta + rho - min_ab)) + + s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + (-r * sprite_ref[0][1] + virtual_ref[1][1]) * 
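Review bot: Rewriting `x << n` as `x * (1 << n)` in mpeg4_decode_sprite_trajectory() removes the left shift of a negative operand, but `1 << n` is itself undefined when `n` is negative or not smaller than the width of `int`, and the multiplication can still overflow a signed type. Neither hunk shows a bound on `alpha + beta + rho - min_ab`, nor on `shift_y = 16 - ctx->sprite_shift[0]` and `shift_c` in the hunk at -365, all of which presumably derive from bitstream values. Unless they are range-checked outside the hunks, a guard before the loop such as `if (shift_y < 0 || shift_c < 0) return AVERROR_INVALIDDATA;`, with a matching check on the exponent used for `sprite_offset`, would make the fix complete. A comment stating the permitted range of these shift counts would also help; the function starts and ends outside both hunks.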
@@ -365,10 +365,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] <<= shift_y; - s->sprite_offset[1][i] <<= shift_c; - s->sprite_delta[0][i] <<= shift_y; - s->sprite_delta[1][i] <<= shift_y; + s->sprite_offset[0][i] *= 1 << shift_y; + s->sprite_offset[1][i] *= 1 << shift_c; + s->sprite_delta[0][i] *= 1 << shift_y; + s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; } s->real_sprite_warping_points = ctx->num_sprite_warping_points; From 4c854138bd2fd3e9deaabc19253024094d0eed5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Dec 2016 03:59:03 +0100 Subject: [PATCH 1021/1352] avutil/random_seed: Improve get_generic_seed() with higher precission clock() Tested-by: Thomas Turner Signed-off-by: Michael Niedermayer (cherry picked from commit da73d95bad4736c5e0a6b4b1a811f4dd4525bb4c) Signed-off-by: Michael Niedermayer --- libavutil/random_seed.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index 5af8e9e524..bbc4596581 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c @@ -67,6 +67,7 @@ static uint32_t get_generic_seed(void) uint8_t tmp[120]; struct AVSHA *sha = (void*)tmp; clock_t last_t = 0; + clock_t last_td = 0; static uint64_t i = 0; static uint32_t buffer[512] = { 0 }; unsigned char digest[20]; 
@@ -86,11 +87,12 @@ static uint32_t get_generic_seed(void) for (;;) { clock_t t = clock(); - - if (last_t == t) { - buffer[i & 511]++; + if (last_t + 2*last_td + 1 >= t) { + last_td = t - last_t; + buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U); } else { - buffer[++i & 511] += (t - last_t) % 3294638521U; + last_td = t - last_t; + buffer[++i & 511] += last_td % 3294638521U; if (last_i && i - last_i > 4 || i - last_i > 64 || TEST && i - last_i > 8) break; } From 3490a9f8c89dea78e240014932ab12a47d1afb3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Dec 2016 14:26:41 +0100 Subject: [PATCH 1022/1352] avutil/random_seed: Reduce the time needed on systems with very low precission clock() This should fix issues on BSD CLOCKS_PER_SEC is 128 on BSD while SUSv2 requires it to be a million Signed-off-by: Michael Niedermayer (cherry picked from commit c4152fc42e480c41efb7f761b1bbe5f0bc43d5bc) Signed-off-by: Michael Niedermayer --- libavutil/random_seed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/random_seed.c b/libavutil/random_seed.c index bbc4596581..67000e4a1f 100644 --- a/libavutil/random_seed.c +++ b/libavutil/random_seed.c @@ -87,7 +87,7 @@ static uint32_t get_generic_seed(void) for (;;) { clock_t t = clock(); - if (last_t + 2*last_td + 1 >= t) { + if (last_t + 2*last_td + (CLOCKS_PER_SEC > 1000) >= t) { last_td = t - last_t; buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U); } else { From 14e5d6a009ea7927a8615b6e253a27ca248708ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Dec 2016 03:08:33 +0100 Subject: [PATCH 1023/1352] avcodec/mjpegdec: Check for rgb before flipping Fixes assertion failure due to unsupported case Fixes: 356/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
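Review bot: The new update `buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U);` in get_generic_seed() introduces two unexplained constants, and a reader can easily take the extra arithmetic for added randomness. The multiplier and increment are the well-known Numerical Recipes LCG pair; that step only stirs the slot deterministically, and the only fresh input is `last_td`, the clock() delta. I would add a comment saying so, e.g. `/* LCG step: mixes the slot, entropy comes only from last_td */`. The threshold `last_t + 2*last_td + 1 >= t` deserves a short comment as well, saying what the doubled delta is meant to filter out. Whether callers use this fallback for anything secret is not visible here, so the function's doc comment should state that its output quality depends on clock() resolution.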
Signed-off-by: Michael Niedermayer (cherry picked from commit 25d9643f1172ae6a210c671195ba3135895abaf3) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 55313525c0..83e26335ab 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -2199,7 +2199,7 @@ the_end: } } } - if (s->flipped) { + if (s->flipped && !s->rgb) { int j; avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift); for (index=0; index<4; index++) { From 62244f37d116af28949787d160f80f5210083e55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Jan 2017 01:25:27 +0100 Subject: [PATCH 1024/1352] avcodec/pngdec: Fix off by 1 size in decode_zbuf() Fixes out of array access Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e371f031b942d73e02c090170975561fabd5c264) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 8c22da0d78..986cde3719 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -421,13 +421,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data, av_bprint_init(bp, 0, -1); while (zstream.avail_in > 0) { - av_bprint_get_buffer(bp, 1, &buf, &buf_size); - if (!buf_size) { + av_bprint_get_buffer(bp, 2, &buf, &buf_size); + if (buf_size < 2) { ret = AVERROR(ENOMEM); goto fail; } zstream.next_out = buf; - zstream.avail_out = buf_size; + zstream.avail_out = buf_size - 1; ret = inflate(&zstream, Z_PARTIAL_FLUSH); if (ret != Z_OK && ret != Z_STREAM_END) { ret = AVERROR_EXTERNAL; From 4445b614fa8104e25a5da647337a586c6a6ea6e3 Mon Sep 17 00:00:00 2001 
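Review bot: decode_zbuf() still inflates into a print buffer set up with `av_bprint_init(bp, 0, -1)`, i.e. with no size limit, so the loop patched here keeps growing the output for as long as the compressed chunk yields data and a very small input can expand into a very large allocation. The off-by-one fix itself looks right, but a cap inside the loop, e.g. `if (bp->len > MAX_ZBUF_OUT) { ret = AVERROR_INVALIDDATA; goto fail; }` with `MAX_ZBUF_OUT` as a placeholder for a limit the project picks, would bound memory use on hostile files. A comment on `zstream.avail_out = buf_size - 1;` should say which byte is being held back (presumably the terminating NUL that AVBPrint maintains). The function continues outside the hunk.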
From: Michael Niedermayer Date: Tue, 24 Jan 2017 16:13:05 +0100 Subject: [PATCH 1025/1352] avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() Fixes timeout Fixes: 445/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer Fixes: 456/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_JPEGLS_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 755933cb5cd17decd1838d3d64e07d4157de5638) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 83e26335ab..a5dc2c9d94 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1027,6 +1027,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, for (mb_y = 0; mb_y < s->mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream end in yuv_scan\n"); + return AVERROR_INVALIDDATA; + } if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; From 8106a84204431368c4b9482849811177625ebc2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2017 22:21:25 +0100 Subject: [PATCH 1026/1352] avcodec/vp56: Check for the bitstream end, pass error codes on Fixes timeout Fixes: 446/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_VP6_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6a2427558a718be0c1fffacffd935f630a7a8d) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 8 +++++++- libavcodec/vp56.c | 14 ++++++++++---- libavcodec/vp56.h | 2 +- libavcodec/vp6.c | 17 ++++++++++++----- 4 files changed, 30 insertions(+), 11 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 1923d6335c..5a5cbab9a8 100644 --- a/libavcodec/vp5.c 
+++ b/libavcodec/vp5.c @@ -171,7 +171,7 @@ static int vp5_parse_coeff_models(VP56Context *s) return 0; } -static void vp5_parse_coeff(VP56Context *s) +static int vp5_parse_coeff(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -181,6 +181,11 @@ static void vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end >= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ @@ -246,6 +251,7 @@ static void vp5_parse_coeff(VP56Context *s) s->coeff_ctx[ff_vp56_b6to4[b]][i] = 5; s->above_blocks[s->above_block_idx[b]].not_null_dc = s->coeff_ctx[ff_vp56_b6to4[b]][0]; } + return 0; } static void vp5_default_models_init(VP56Context *s) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index ba39b56436..b0ad94425a 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -381,12 +381,13 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src, } } -static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) { AVFrame *frame_current, *frame_ref; VP56mb mb_type; VP56Frame ref_frame; int b, ab, b_max, plane, off; + int ret; if (s->frames[VP56_FRAME_CURRENT]->key_frame) mb_type = VP56_MB_INTRA; @@ -394,14 +395,16 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) mb_type = vp56_decode_mv(s, row, col); ref_frame = ff_vp56_reference_frame[mb_type]; - s->parse_coeff(s); + ret = s->parse_coeff(s); + if (ret < 0) + return ret; vp56_add_predictors_dc(s, ref_frame); frame_current = s->frames[VP56_FRAME_CURRENT]; frame_ref = s->frames[ref_frame]; if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return; + return 0; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; 
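Review bot: The end-of-stream test added at the top of vp5_parse_coeff(), `if (c->end >= c->buffer && c->bits >= 0)`, reads as inverted. Going by the field names, `end` marks the end of the input and `buffer` the current read position, so `end >= buffer` would hold while data remains rather than once it is used up. The VP56RangeCoder definition is not part of this diff, so this is inferred from the names; if they mean what they suggest, the intended condition is `c->end <= c->buffer && c->bits >= 0`. vp6_parse_coeff() in libavcodec/vp6.c receives the identical condition and needs the same look. A one-line comment on what `bits >= 0` signifies for the range coder would make the check reviewable without opening vp56.h.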
@@ -451,6 +454,7 @@ static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) s->block_coeff[4][0] = 0; s->block_coeff[5][0] = 0; } + return 0; } static int vp56_size_changed(VP56Context *s) @@ -652,7 +656,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_colmb_width; mb_col++) { - vp56_decode_mb(s, mb_row, mb_col, is_alpha); + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) + return ret; for (y=0; y<4; y++) { s->above_block_idx[y] += 2; diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 56c30919b7..34d48228fd 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -74,7 +74,7 @@ typedef void (*VP56ParseVectorAdjustment)(VP56Context *s, typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, int offset1, int offset2, int stride, VP56mv mv, int mask, int select, int luma); -typedef void (*VP56ParseCoeff)(VP56Context *s); +typedef int (*VP56ParseCoeff)(VP56Context *s); typedef void (*VP56DefaultModelsInit)(VP56Context *s); typedef void (*VP56ParseVectorModels)(VP56Context *s); typedef int (*VP56ParseCoeffModels)(VP56Context *s); diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index a18b8ff523..1d5682b50a 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -40,8 +40,8 @@ #define VP6_MAX_HUFF_SIZE 12 -static void vp6_parse_coeff(VP56Context *s); -static void vp6_parse_coeff_huffman(VP56Context *s); +static int vp6_parse_coeff(VP56Context *s); +static int vp6_parse_coeff_huffman(VP56Context *s); static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { @@ -380,7 +380,7 @@ static unsigned vp6_get_nb_null(VP56Context *s) return val; } -static void vp6_parse_coeff_huffman(VP56Context *s) +static int vp6_parse_coeff_huffman(VP56Context *s) { VP56Model *model = s->modelp; uint8_t *permute = s->idct_scantable; 
@@ -402,7 +402,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) break; } else { if (get_bits_left(&s->gb) <= 0) - return; + return AVERROR_INVALIDDATA; coeff = get_vlc2(&s->gb, vlc_coeff->table, FF_HUFFMAN_BITS, 3); if (coeff == 0) { if (coeff_idx) { @@ -437,9 +437,10 @@ static void vp6_parse_coeff_huffman(VP56Context *s) vlc_coeff = &s->ract_vlc[pt][ct][cg]; } } + return 0; } -static void vp6_parse_coeff(VP56Context *s) +static int vp6_parse_coeff(VP56Context *s) { VP56RangeCoder *c = s->ccp; VP56Model *model = s->modelp; @@ -449,6 +450,11 @@ static void vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ + if (c->end >= c->buffer && c->bits >= 0) { + av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); + return AVERROR_INVALIDDATA; + } + for (b=0; b<6; b++) { int ct = 1; /* code type */ int run = 1; @@ -512,6 +518,7 @@ static void vp6_parse_coeff(VP56Context *s) s->left_block[ff_vp56_b6to4[b]].not_null_dc = s->above_blocks[s->above_block_idx[b]].not_null_dc = !!s->block_coeff[b][0]; } + return 0; } static int vp6_block_variance(uint8_t *src, int stride) From 53c6a8d6efe2904f0aefbf5a866cc701dfc3fd96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Jan 2017 00:20:19 +0100 Subject: [PATCH 1027/1352] avcodec/utils: correct align value for interplay Fixes out of array access Fixes: 452/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2080bc33717955a0e4268e738acf8c1eeddbf8cb) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 6ce75ce984..01438cabf1 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c 
@@ -387,6 +387,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } + if (s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { + w_align = 8; + h_align = 8; + } break; case AV_PIX_FMT_PAL8: case AV_PIX_FMT_BGR8: @@ -396,7 +400,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 4; h_align = 4; } - if (s->codec_id == AV_CODEC_ID_JV) { + if (s->codec_id == AV_CODEC_ID_JV || + s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { w_align = 8; h_align = 8; } From 9b2591bc2d2ae8cb92b9b463e864892712843b14 Mon Sep 17 00:00:00 2001 From: Frank Liberato Date: Tue, 24 Jan 2017 10:58:17 -0800 Subject: [PATCH 1028/1352] avformat/flacdec: Check avio_read result when reading flac block header. Return AVERROR_INVALIDDATA if all four bytes aren't present. Signed-off-by: Michael Niedermayer (cherry picked from commit 95bde49982a82bc10470c0adab5969ffe635d064) Signed-off-by: Michael Niedermayer --- libavformat/flacdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index c291393954..b1a8d5a6cd 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -50,7 +50,8 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { - avio_read(s->pb, header, 4); + if (avio_read(s->pb, header, 4) != 4) + return AVERROR(AVERROR_INVALIDDATA); flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { From 7a529a25b1adb19817442b93255ee57ff0f0610b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Feb 2017 01:32:37 +0100 Subject: [PATCH 1029/1352] avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() Fixes timeout Fixes: 496/clusterfuzz-testcase-5805083497332736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
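Review bot: The new error path in flac_read_header() returns `AVERROR(AVERROR_INVALIDDATA)`, which wraps an already-negative error code in the errno-to-error macro. Where `AVERROR(e)` is defined as `-(e)` the result is positive, so callers testing `ret < 0` will not treat the short read as a failure and parsing continues on a header that was never filled. It should be `return AVERROR_INVALIDDATA;`. Since `avio_read()` can also return a negative error of its own, storing its result and returning it when negative would preserve the real cause of an I/O failure. The loop body continues outside the hunk.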
Signed-off-by: Michael Niedermayer (cherry picked from commit 3782656631fa8262528c07794acf7e9c2aab000d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a5dc2c9d94..9e6b55d1d0 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1351,6 +1351,10 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, int block_idx = mb_y * s->block_stride[c]; int16_t (*block)[64] = &s->blocks[c][block_idx]; uint8_t *last_nnz = &s->last_nnz[c][block_idx]; + if (get_bits_left(&s->gb) <= 0) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream truncated in mjpeg_decode_scan_progressive_ac\n"); + return AVERROR_INVALIDDATA; + } for (mb_x = 0; mb_x < s->mb_width; mb_x++, block++, last_nnz++) { int ret; if (s->restart_interval && !s->restart_count) From cc73108b94bc1e63eda33602920e0c5003f1c0cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Feb 2017 02:45:02 +0100 Subject: [PATCH 1030/1352] avcodec/interplayvideo: Move parameter change check up Fixes out of array read Fixes: 544/clusterfuzz-testcase-5936536407244800.f8bd9b24_8ba77916_70c2c7be_3df6a2ea_96cd9f14 Signed-off-by: Michael Niedermayer (cherry picked from commit b1e2192007d7026049237c9ab11e05ae71bf4f42) Signed-off-by: Michael Niedermayer --- libavcodec/interplayvideo.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 760108500b..d1294a8679 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -988,6 +988,11 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret; + if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { + av_frame_unref(s->last_frame); + av_frame_unref(s->second_last_frame); + } + if (buf_size < 2) return AVERROR_INVALIDDATA; 
@@ -999,10 +1004,6 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, if (buf_size < s->decoding_map_size + 2) return buf_size; - if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) { - av_frame_unref(s->last_frame); - av_frame_unref(s->second_last_frame); - } s->decoding_map = buf + 2; bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size, From f0439a39590d657bdc59151a4e1f8fb700a8cf29 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 2 Jan 2017 01:38:03 -0300 Subject: [PATCH 1031/1352] configure: bump year Happy new year! (cherry picked from commit d800d48fc67208819c2a4ae5eb214ca5e3ad7e82) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 3559ea1506..90f130786e 100755 --- a/configure +++ b/configure @@ -5605,7 +5605,7 @@ cat > $TMPH < Date: Fri, 3 Feb 2017 14:42:44 -0800 Subject: [PATCH 1032/1352] lavf/matroskadec: fix is_keyframe for early Blocks Blocks are marked as key frames whenever the "reference" field is zero. This breaks for non-keyframe Blocks with a reference timestamp of zero. The likelihood of reference timestamp being zero is increased by a longstanding bug in muxing that encodes reference timestamp as the absolute time of the referenced frame (rather than relative to the current Block timestamp, as described in MKV spec). Now using INT64_MIN to denote "no reference". Reported to chromium at http://crbug.com/497889 (contains sample) (cherry picked from commit ac25840ee32888f0c13118edeb9404a123cd3a79) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 9917b04876..64a66a53ab 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -81,6 +81,7 @@ typedef const struct EbmlSyntax { int list_elem_size; int data_offset; union { + int64_t i; uint64_t u; double f; const char *s; @@ -582,7 +583,7 @@ static EbmlSyntax matroska_blockgroup[] = { { MATROSKA_ID_SIMPLEBLOCK, EBML_BIN, 0, offsetof(MatroskaBlock, bin) }, { MATROSKA_ID_BLOCKDURATION, EBML_UINT, 0, offsetof(MatroskaBlock, duration) }, { MATROSKA_ID_DISCARDPADDING, EBML_SINT, 0, offsetof(MatroskaBlock, discard_padding) }, - { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference) }, + { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference), { .i = INT64_MIN } }, { MATROSKA_ID_CODECSTATE, EBML_NONE }, { 1, EBML_UINT, 0, offsetof(MatroskaBlock, non_simple), { .u = 1 } }, { 0 } @@ -952,6 +953,9 @@ static int ebml_parse_nest(MatroskaDemuxContext *matroska, EbmlSyntax *syntax, for (i = 0; syntax[i].id; i++) switch (syntax[i].type) { + case EBML_SINT: + *(int64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.i; + break; case EBML_UINT: *(uint64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.u; break; @@ -2862,7 +2866,7 @@ static int matroska_parse_cluster_incremental(MatroskaDemuxContext *matroska) matroska->current_cluster_num_blocks = blocks_list->nb_elem; i = blocks_list->nb_elem - 1; if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; uint8_t* additional = blocks[i].additional.size > 0 ? blocks[i].additional.data : NULL; if (!blocks[i].non_simple) 
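Review bot: `INT64_MIN` now serves as the "no BlockReference present" sentinel in three places, the `matroska_blockgroup` default and the two `is_keyframe` expressions in matroska_parse_cluster_incremental() and matroska_parse_cluster(), with no name or comment linking them. A file-scope constant would keep the three in step; `MATROSKA_NO_BLOCK_REFERENCE` is a suggested name, not one that exists in the file. The accompanying comment should say that a block which explicitly stores that exact value is indistinguishable from one without the element and will be reported as a keyframe. The new `case EBML_SINT` in ebml_parse_nest() also changes how every signed element is initialised; a comment that entries without an initialiser still default to 0 through the zeroed union would confirm that no other field changes behaviour.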
@@ -2900,7 +2904,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) blocks = blocks_list->elem; for (i = 0; i < blocks_list->nb_elem; i++) if (blocks[i].bin.size > 0 && blocks[i].bin.data) { - int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1; + int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1; res = matroska_parse_block(matroska, blocks[i].bin.data, blocks[i].bin.size, blocks[i].bin.pos, cluster.timecode, blocks[i].duration, From cdbaa022f4c814eb074b05dbeaa88d8af5ed6c2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Feb 2017 15:49:09 +0100 Subject: [PATCH 1033/1352] avcodec/pictordec: Fix logic error Fixes: 559/clusterfuzz-testcase-6424225917173760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c2ea3030af7b40a3c4275696fb5c76cdb80950a) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 1bc51bcf24..a60cfcbefc 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -142,7 +142,7 @@ static int decode_frame(AVCodecContext *avctx, if (av_image_check_size(s->width, s->height, 0, avctx) < 0) return -1; - if (s->width != avctx->width && s->height != avctx->height) { + if (s->width != avctx->width || s->height != avctx->height) { ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; From bb7fd512391ef891a85edccd446954b6a7198fd2 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Wed, 14 Dec 2016 15:24:42 -0800 Subject: [PATCH 1034/1352] lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr Core of patch is from paul@paulmehta.com Reference https://crbug.com/643950 
Signed-off-by: Michael Niedermayer Check value reduced as the code does not support larger lengths (cherry picked from commit fd30e4d57fe5841385f845440688505b88c0f4a9) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 29641b45b5..ff01bab0d8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -576,6 +576,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom) title_size = atom.size - 24; if (title_size > 0) { + if (title_size > FFMIN(INT_MAX, SIZE_MAX-1)) + return AVERROR_INVALIDDATA; title_str = av_malloc(title_size + 1); /* Add null terminator */ if (!title_str) return AVERROR(ENOMEM); From 01308b492a0e713eee078514d7b3143650dc5886 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Wed, 14 Dec 2016 15:26:19 -0800 Subject: [PATCH 1035/1352] lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid Core of patch is from paul@paulmehta.com Reference https://crbug.com/643951 Signed-off-by: Michael Niedermayer Check value reduced as the code does not support values beyond INT_MAX Also the check is moved to a more common place and before integer truncation (cherry picked from commit 2d453188c2303da641dafb048dc1806790526dfd) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ff01bab0d8..f5a4ee06f2 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3092,7 +3092,7 @@ static int mov_read_uuid(MOVContext *c, AVIOContext *pb, MOVAtom atom) 0xba, 0x2f, 0x08, 0x00, 0x20, 0x0c, 0x9a, 0x66 }; - if (atom.size < sizeof(uuid) || atom.size == INT64_MAX) + if (atom.size < sizeof(uuid) || atom.size >= FFMIN(INT_MAX, SIZE_MAX)) return AVERROR_INVALIDDATA; ret = avio_read(pb, uuid, sizeof(uuid)); From 9ebbce5113d9d2eb8e323d0c62adf18a4d913712 Mon Sep 17 00:00:00 2001 
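Review bot: In `mov_read_hdlr` the new bound only rejects sizes the types cannot hold, so `av_malloc(title_size + 1)` can still be asked for close to `INT_MAX` bytes on the strength of the atom header alone. If the amount of input actually remaining is known at this point (not visible in the hunk), capping `title_size` against it before allocating would keep a small file from requesting a very large buffer. `FFMIN(INT_MAX, SIZE_MAX-1)` also mixes `int` and `size_t` operands, as does the `mov_read_uuid` hunk. A short comment such as `/* reject sizes that fit neither int nor size_t */` would record the intended comparison in both places.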
From: Michael Niedermayer Date: Mon, 13 Feb 2017 12:47:49 +0100 Subject: [PATCH 1036/1352] avformat/http: Check for truncated buffers in http_connect() Reported-by: SleepProgger Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit 8fa18e042ad2c078f759692f1db5629d16d70595) Signed-off-by: Michael Niedermayer --- libavformat/http.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavformat/http.c b/libavformat/http.c index 018d25c9d7..d3a63de877 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -686,6 +686,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, int len = 0; const char *method; int send_expect_100 = 0; + int ret; /* send http header */ post = h->flags & AVIO_FLAG_WRITE; @@ -776,7 +777,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, if (s->headers) av_strlcpy(headers + len, s->headers, sizeof(headers) - len); - snprintf(s->buffer, sizeof(s->buffer), + ret = snprintf(s->buffer, sizeof(s->buffer), "%s %s HTTP/1.1\r\n" "%s" "%s" @@ -792,6 +793,14 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, av_log(h, AV_LOG_DEBUG, "request: %s\n", s->buffer); + if (strlen(headers) + 1 == sizeof(headers) || + ret >= sizeof(s->buffer)) { + av_log(h, AV_LOG_ERROR, "overlong headers\n"); + err = AVERROR(EINVAL); + goto done; + } + + if ((err = ffurl_write(s->hd, s->buffer, strlen(s->buffer))) < 0) goto done; From 42ff6897cae801ed7feb3ce1712596a1d09eb940 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 15:09:34 +0100 Subject: [PATCH 1037/1352] avcodec/wavpacl: Fix runtime error: left shift of negative value -1 Fixes: 607/clusterfuzz-testcase-5108792465293312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12eebb845a7fe1ced91606547352cbdd93a2726d) 
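Review bot: In `http_connect` the truncation test `ret >= sizeof(s->buffer)` compares an `int` with a `size_t`, so a negative `snprintf` result is rejected only through the implicit conversion to unsigned. Writing it as `ret < 0 || (size_t)ret >= sizeof(s->buffer)` states both cases and avoids a sign-compare warning. The `av_log(h, AV_LOG_DEBUG, "request: %s\n", s->buffer)` line runs before the check, so an overlong request is logged in its truncated form first; moving the check above the log is an option. The function body continues outside these hunks.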
Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 554367b32f..1e3cdc46a7 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -680,7 +680,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE; s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); s->hybrid_maxclip = ((1LL << (orig_bpp - 1)) - 1); - s->hybrid_minclip = ((-1LL << (orig_bpp - 1))); + s->hybrid_minclip = ((-1UL << (orig_bpp - 1))); s->CRC = bytestream2_get_le32(&gb); // parse metadata blocks From ac73d88fbc016db49def3b01250e17a7375b2952 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 18:47:13 +0100 Subject: [PATCH 1038/1352] avcodec/mpeg12dec: Fix runtime error: left shift of negative value Fixes: 608/clusterfuzz-testcase-603978286392934 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 706757d26dd5e606c1745a4bb53fe45f6d6493cf) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 5fb4739cca..62aaec1424 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -917,8 +917,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) s->last_mv[i][0][1]); /* full_pel: only for MPEG-1 */ if (s->full_pel[i]) { - s->mv[i][0][0] <<= 1; - s->mv[i][0][1] <<= 1; + s->mv[i][0][0] *= 2; + s->mv[i][0][1] *= 2; } } } From 04fc0a82448662057d61f266693070fab0db3d22 Mon Sep 17 00:00:00 2001 
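Review bot: `-1UL` in the `hybrid_minclip` line of `wavpack_decode_block` has the width of `unsigned long`, which is 32 bits on some targets, while `hybrid_maxclip` on the line above is computed with `1LL`. Keeping both in the same type, e.g. `s->hybrid_minclip = -(1LL << (orig_bpp - 1));`, avoids the left shift of a negative value without depending on the platform's `long` or on an unsigned-to-signed conversion at the assignment. The field's type and the range of `orig_bpp` are not visible in the hunk, so the permitted shift count should be confirmed as well.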
From: Michael Niedermayer Date: Mon, 20 Feb 2017 12:31:43 +0100 Subject: [PATCH 1039/1352] avcodec/pictordec: Do not read more than nb_planes Fixes undefined behavior Fixes: 622/clusterfuzz-testcase-5745722022428672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01d196a67dc55eb01cf3e06d6338c5d096a29b1c) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index a60cfcbefc..7ae1a81607 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -80,7 +80,7 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run, value <<= bits_per_plane; mask <<= bits_per_plane; if (*plane >= s->nb_planes) - break; + return; } } } @@ -236,7 +236,7 @@ static int decode_frame(AVCodecContext *avctx, } } - if (x < avctx->width) { + if (plane < s->nb_planes && x < avctx->width) { int run = (y + 1) * avctx->width - x; if (bits_per_plane == 8) picmemset_8bpp(s, frame, val, run, &x, &y); From d506777063433b83b470c6642e84c4a0ab70b90e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Feb 2017 19:04:12 +0100 Subject: [PATCH 1040/1352] avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding Fixes: 665/clusterfuzz-testcase-4863789881098240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d81616be332cca99304d0b747c2c8e2d719f349) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 2708c1a2ae..a15bee557c 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c 
@@ -1655,7 +1655,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, header = AV_RB32(buf); if (header>>8 == AV_RB32("TAG")>>8) { av_log(avctx, AV_LOG_DEBUG, "discarding ID3 tag\n"); - return buf_size; + return buf_size + skipped; } if (ff_mpa_check_header(header) < 0) { av_log(avctx, AV_LOG_ERROR, "Header missing\n"); From a560bdeaccd91b3e368342acff4770d874276c4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Feb 2017 21:05:33 +0100 Subject: [PATCH 1041/1352] avcodec/vp56: Fix sign typo Fixes: 664/clusterfuzz-testcase-4917047475568640 The change to fate is due to a truncated last frames which is now detected as damaged. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 513a3494396d0a20233273b3cadcb5ee86485d5c) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 2 +- libavcodec/vp6.c | 2 +- tests/ref/fate/vp5 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 5a5cbab9a8..0c28157ab0 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -181,7 +181,7 @@ static int vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end >= c->buffer && c->bits >= 0) { + if (c->end <= c->buffer && c->bits >= 0) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 1d5682b50a..b3f6a5c3ce 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -450,7 +450,7 @@ static int vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end >= c->buffer && c->bits >= 0) { + if (c->end <= c->buffer && c->bits >= 0) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); return AVERROR_INVALIDDATA; } 
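Review bot: The end-of-input test `c->end <= c->buffer && c->bits >= 0` is now spelled out identically in `vp5_parse_coeff` and `vp6_parse_coeff`, and the fix here is a one-character sign error in exactly that expression. A small `static av_always_inline` predicate next to the range coder in vp56.h, used by both parsers, would keep the copies from diverging again. If the test stays inline, a comment such as `/* no input left and, presumably, a refill is due (bits >= 0) */` would explain the second half of the condition.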
diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 0e601ba811..25bc7aa587 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -245,4 +245,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xedcff050 +0, 246, 246, 1, 233472, 0x8843293b From 789da030ff3a3e86adfc4b3d40c8c1a0559d281e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 02:19:43 +0100 Subject: [PATCH 1042/1352] avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1 Fixes: 669/clusterfuzz-testcase-4847965409640448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6bd79ba59f46a8b3133f28faae53b75540469803) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index bf668bbd4b..429be71a0d 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -295,7 +295,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index, if (subframe == 0 || (subframe == 2 && mode != MODE_6k60)) { if (pitch_index < 116) { *lag_int = (pitch_index + 69) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 68) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 68) * 2; } else { *lag_int = pitch_index - 24; *lag_frac = 0; @@ -305,7 +305,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index, AMRWB_P_DELAY_MIN, AMRWB_P_DELAY_MAX - 15); } else { *lag_int = (pitch_index + 1) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1)) << 1; + *lag_frac = (pitch_index - (*lag_int << 1)) * 2; *lag_int += *base_lag_int; } } From f46482f00c295b499d971dd5928f1990c10881b7 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 25 Feb 2017 12:37:32 +0100 Subject: [PATCH 1043/1352] avcodec/vp56: Implement very basic error concealment This should fix the fate failure due to a truncated last frame. Alternatively the frame could be dropped. Signed-off-by: Michael Niedermayer (cherry picked from commit d34bf886e963445350c4987f7a9ed77bd9c9a5c7) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 81 ++++++++++++++++++++++++++++++++++++++++++++-- tests/ref/fate/vp5 | 2 +- 2 files changed, 79 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index b0ad94425a..6125cd1cd2 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -261,6 +261,25 @@ static VP56mb vp56_decode_mv(VP56Context *s, int row, int col) return s->mb_type; } +static VP56mb vp56_conceal_mv(VP56Context *s, int row, int col) +{ + VP56mv *mv, vect = {0,0}; + int b; + + s->mb_type = VP56_MB_INTER_NOVEC_PF; + s->macroblocks[row * s->mb_width + col].type = s->mb_type; + + mv = &vect; + + s->macroblocks[row*s->mb_width + col].mv = *mv; + + /* same vector for all blocks */ + for (b=0; b<6; b++) + s->mv[b] = *mv; + + return s->mb_type; +} + static void vp56_add_predictors_dc(VP56Context *s, VP56Frame ref_frame) { int idx = s->idct_scantable[0]; 
@@ -457,6 +476,57 @@ static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) return 0; } +static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha) +{ + AVFrame *frame_current, *frame_ref; + VP56mb mb_type; + VP56Frame ref_frame; + int b, ab, b_max, plane, off; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_conceal_mv(s, row, col); + ref_frame = ff_vp56_reference_frame[mb_type]; + + frame_current = s->frames[VP56_FRAME_CURRENT]; + frame_ref = s->frames[ref_frame]; + if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) + return 0; + + ab = 6*is_alpha; + b_max = 6 - 2*is_alpha; + + switch (mb_type) { + case VP56_MB_INTRA: + for (b=0; bvp3dsp.idct_put(frame_current->data[plane] + s->block_offset[b], + s->stride[plane], s->block_coeff[b]); + } + break; + + case VP56_MB_INTER_NOVEC_PF: + case VP56_MB_INTER_NOVEC_GF: + for (b=0; bblock_offset[b]; + s->hdsp.put_pixels_tab[1][0](frame_current->data[plane] + off, + frame_ref->data[plane] + off, + s->stride[plane], 8); + s->vp3dsp.idct_add(frame_current->data[plane] + off, + s->stride[plane], s->block_coeff[b]); + } + break; + } + + if (is_alpha) { + s->block_coeff[4][0] = 0; + s->block_coeff[5][0] = 0; + } + return 0; +} + static int vp56_size_changed(VP56Context *s) { AVCodecContext *avctx = s->avctx; @@ -592,6 +662,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, int block, y, uv; ptrdiff_t stride_y, stride_uv; int res; + int damaged = 0; if (p->key_frame) { p->pict_type = AV_PICTURE_TYPE_I; 
@@ -656,9 +727,13 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_colmb_width; mb_col++) { - int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); - if (ret < 0) - return ret; + if (!damaged) { + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) + damaged = 1; + } + if (damaged) + vp56_conceal_mb(s, mb_row, mb_col, is_alpha); for (y=0; y<4; y++) { s->above_block_idx[y] += 2; diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 25bc7aa587..f044567fd9 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -245,4 +245,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0x8843293b +0, 246, 246, 1, 233472, 0xbf73f1b7 From 570826b6323592fb1b78b1f790165b8cc4e2648b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Mar 2017 03:04:04 +0100 Subject: [PATCH 1044/1352] avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1 Fixes: 764/clusterfuzz-testcase-6273034652483584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a720b854b0d3f0fae2b1eac644dd39e5821cacb1) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 62aaec1424..07efd6afa9 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1046,7 +1046,7 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) cbp = get_vlc2(&s->gb, ff_mb_pat_vlc.table, MB_PAT_VLC_BITS, 1); if (mb_block_count > 6) { - cbp <<= mb_block_count - 6; + cbp *= 1 << mb_block_count - 6; cbp |= get_bits(&s->gb, mb_block_count - 6); s->bdsp.clear_blocks(s->block[6]); } From 6ab9a989087f7350ac5ef4c91d4d4c5d7fd4eb25 Mon Sep 17 00:00:00 2001 
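Review bot: In the macroblock loop of `ff_vp56_decode_mbs`, the error returned by `vp56_decode_mb` is reduced to `damaged = 1` and the result of `vp56_conceal_mb` is ignored. Nothing visible here tells the caller or the log that the rest of the frame was concealed. Logging once when `damaged` is first set, e.g. `av_log(avctx, AV_LOG_WARNING, "damaged frame, concealing remaining macroblocks\n");`, would make truncated or malformed input visible to whoever operates the decoder. The function continues outside the hunk, so a later report may already exist there.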
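Review bot: `cbp *= 1 << mb_block_count - 6;` in `mpeg_decode_mb` relies on `-` binding tighter than `<<`. The result is correct, but the expression reads as if it could mean `(1 << mb_block_count) - 6`, and compilers may flag it under `-Wparentheses`. Writing `cbp *= 1 << (mb_block_count - 6);` matches the `get_bits(&s->gb, mb_block_count - 6)` call on the next line.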
From: Michael Niedermayer Date: Mon, 20 Feb 2017 19:34:54 +0100 Subject: [PATCH 1045/1352] Add CHECK/SUINT code Signed-off-by: Michael Niedermayer (cherry picked from commit 4614bf2caf67a89c2d833b3368f325eab54582bc) (cherry picked from commit e8d4eacc07c61ae24f48451073a2620d8d257d33) Signed-off-by: Michael Niedermayer (cherry picked from commit 3f2a09a43f6fade53227804459e6babb1c7248b3) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/libavutil/internal.h b/libavutil/internal.h index 612b5f26af..1a84bc80f6 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,6 +30,10 @@ # define NDEBUG #endif +#if defined(DEBUG) && !defined(CHECKED) +# define CHECKED +#endif + #include #include #include @@ -252,6 +256,17 @@ void avpriv_request_sample(void *avc, #define SIZE_SPECIFIER "zu" #endif + +// For debuging we use signed operations so overflows can be detected (by ubsan) +// For production we use unsigned so there are no undefined operations +#ifdef CHECKED +#define SUINT int +#define SUINT32 int32_t +#else +#define SUINT unsigned +#define SUINT32 uint32_t +#endif + /** * A wrapper for open() setting O_CLOEXEC. */ From a71b23901c09d094ab2ed2a5bdd8fc61b3c6a1cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Feb 2017 13:11:43 +0100 Subject: [PATCH 1046/1352] avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' Fixes: 664/clusterfuzz-testcase-4917047475568640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b8b7921c55a93049a86cfeb2fda9423d16f8ebe) Signed-off-by: Michael Niedermayer --- libavcodec/vp3dsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c index d8a3e0a354..37997431d3 100644 --- a/libavcodec/vp3dsp.c +++ b/libavcodec/vp3dsp.c 
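Review bot: The comment above `SUINT`/`SUINT32` in internal.h does not say that the type's signedness differs between builds, which matters for every operator whose result depends on it. Code that right-shifts, divides, compares or widens a `SUINT` value behaves differently with `CHECKED` defined unless the value is cast back to `int` first. Suggest extending the comment with that rule, e.g. `// Cast SUINT results back to int before >>, /, %, comparisons or widening.`, and fixing the spelling of "debuging".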
@@ -41,7 +41,7 @@ #define xC6S2 25080 #define xC7S1 12785 -#define M(a, b) (((a) * (b)) >> 16) +#define M(a, b) ((int)((SUINT)(a) * (b)) >> 16) static av_always_inline void idct(uint8_t *dst, int stride, int16_t *input, int type) From 16e1144633d1df84c5bae4b53aaa94efc4a7f2af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 21:07:22 +0100 Subject: [PATCH 1047/1352] avcodec/vp56: Factorize vp56_render_mb() out Signed-off-by: Michael Niedermayer (cherry picked from commit 4c0139463c8f0a6f28e7b193c2a85608a7635bbd) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 77 ++++++++++++++--------------------------------- 1 file changed, 23 insertions(+), 54 deletions(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 6125cd1cd2..8e99b82219 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -400,30 +400,18 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src, } } -static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static av_always_inline void vp56_render_mb(VP56Context *s, int row, int col, int is_alpha, VP56mb mb_type) { - AVFrame *frame_current, *frame_ref; - VP56mb mb_type; - VP56Frame ref_frame; int b, ab, b_max, plane, off; - int ret; - - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - mb_type = VP56_MB_INTRA; - else - mb_type = vp56_decode_mv(s, row, col); - ref_frame = ff_vp56_reference_frame[mb_type]; - - ret = s->parse_coeff(s); - if (ret < 0) - return ret; + AVFrame *frame_current, *frame_ref; + VP56Frame ref_frame = ff_vp56_reference_frame[mb_type]; vp56_add_predictors_dc(s, ref_frame); frame_current = s->frames[VP56_FRAME_CURRENT]; frame_ref = s->frames[ref_frame]; if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return 0; + return; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; 
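Review bot: The new `M(a, b)` in vp3dsp.c depends on the `(int)` cast binding before `>> 16`, so that the shift stays arithmetic. It also depends on the unsigned-to-int conversion of an out-of-range product wrapping, which is implementation-defined. A comment on the macro would record both, e.g. `/* multiply as SUINT to avoid signed overflow; cast back so >> 16 is an arithmetic shift */`.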
@@ -473,57 +461,38 @@ static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) s->block_coeff[4][0] = 0; s->block_coeff[5][0] = 0; } +} + +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + int ret; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_decode_mv(s, row, col); + + ret = s->parse_coeff(s); + if (ret < 0) + return ret; + + vp56_render_mb(s, row, col, is_alpha, mb_type); + return 0; } static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha) { - AVFrame *frame_current, *frame_ref; VP56mb mb_type; - VP56Frame ref_frame; - int b, ab, b_max, plane, off; if (s->frames[VP56_FRAME_CURRENT]->key_frame) mb_type = VP56_MB_INTRA; else mb_type = vp56_conceal_mv(s, row, col); - ref_frame = ff_vp56_reference_frame[mb_type]; - frame_current = s->frames[VP56_FRAME_CURRENT]; - frame_ref = s->frames[ref_frame]; - if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return 0; + vp56_render_mb(s, row, col, is_alpha, mb_type); - ab = 6*is_alpha; - b_max = 6 - 2*is_alpha; - - switch (mb_type) { - case VP56_MB_INTRA: - for (b=0; bvp3dsp.idct_put(frame_current->data[plane] + s->block_offset[b], - s->stride[plane], s->block_coeff[b]); - } - break; - - case VP56_MB_INTER_NOVEC_PF: - case VP56_MB_INTER_NOVEC_GF: - for (b=0; bblock_offset[b]; - s->hdsp.put_pixels_tab[1][0](frame_current->data[plane] + off, - frame_ref->data[plane] + off, - s->stride[plane], 8); - s->vp3dsp.idct_add(frame_current->data[plane] + off, - s->stride[plane], s->block_coeff[b]); - } - break; - } - - if (is_alpha) { - s->block_coeff[4][0] = 0; - s->block_coeff[5][0] = 0; - } return 0; } From 269ef77f2afe466b3bb5cbad609cd92c241c475f Mon Sep 17 00:00:00 2001 
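Review bot: The split is not behaviour-neutral for `vp56_conceal_mb`: the removed body went straight to the block loops, whereas `vp56_render_mb` first calls `vp56_add_predictors_dc(s, ref_frame)` and then handles every macroblock type. On the concealment path that call now runs on whatever `s->block_coeff` holds after the failed `parse_coeff`, which may not be a fully parsed block (the parsers are outside these hunks). Either clear the coefficients before `vp56_conceal_mb` calls `vp56_render_mb`, or say in the commit message that concealment output changes. `vp56_conceal_mb` also always returns 0 now and could be `void`.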
From: Michael Niedermayer Date: Tue, 28 Feb 2017 03:55:02 +0100 Subject: [PATCH 1048/1352] avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() Fixes timeout with 686/clusterfuzz-testcase-5853946876788736 this shortcuts (i.e. speeds up) the error and return-to-user when decoding a truncated frame Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Previous version reviewed by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 7b5ff7d57355dc608f0fd86e3ab32a2fda65e752) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 20 ++++++++++++++------ libavcodec/vp8.h | 2 +- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index b27e5623b5..616ef656ec 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2263,7 +2263,7 @@ static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame, #define update_pos(td, mb_y, mb_x) #endif -static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr, int is_vp7) { VP8Context *s = avctx->priv_data; @@ -2279,6 +2279,10 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void curframe->tf.f->data[1] + 8 * mb_y * s->uvlinesize, curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; + + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; + if (mb_y == 0) prev_td = td; else 
@@ -2382,18 +2386,19 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void update_pos(td, mb_y, mb_x); } } + return 0; } -static void vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); } -static void vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); } static av_always_inline void filter_mb_row(AVCodecContext *avctx, void *tdata, @@ -2476,13 +2481,16 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, VP8ThreadData *next_td = NULL, *prev_td = NULL; VP8Frame *curframe = s->curframe; int mb_y, num_jobs = s->num_jobs; + int ret; td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { if (mb_y >= s->mb_height) break; td->thread_mb_pos = mb_y << 16; - s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + if (ret < 0) + return ret; if (s->deblock_filter) s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h index 4ed8931d21..4f0ad2fcd0 100644 --- a/libavcodec/vp8.h +++ b/libavcodec/vp8.h @@ -279,7 +279,7 @@ typedef struct VP8Context { */ int mb_layout; - void (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); + int (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); void (*filter_mb_row)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); int vp7; 
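Review bot: In `vp78_decode_mb_row_sliced` the new `if (ret < 0) return ret;` leaves the loop before `update_pos(td, mb_y, INT_MAX & 0xFFFF)` is reached for that row. If other slice threads wait on this thread's position (the wait side is outside the hunk), a truncated frame could leave them blocked instead of failing quickly. Publishing a final position before returning, e.g. `update_pos(td, s->mb_height, INT_MAX & 0xFFFF);` ahead of `return ret;`, would release any waiter. This should be confirmed against the threading code.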
From 25e65de35e553d89bc284b892afc06ee8ff8061b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Dec 2016 21:08:48 +0100 Subject: [PATCH 1049/1352] avcodec/vp3: Do not return random positive values but the buf size Signed-off-by: Michael Niedermayer (cherry picked from commit d8094a303ba36344015a44d629bafc6d7094b4ac) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index b3aaf4e22d..d23ed375f6 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2014,16 +2014,18 @@ static int vp3_decode_frame(AVCodecContext *avctx, ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } else if (type == 2) { ret = theora_decode_tables(avctx, &gb); if (ret >= 0) ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } av_log(avctx, AV_LOG_ERROR, From 2a77c0a81ed824cd3c3322779749b6b4d804fb67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Mar 2017 03:02:06 +0100 Subject: [PATCH 1050/1352] avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() Fixes timeout with 700/clusterfuzz-testcase-5660909504561152 Fixes timeout with 702/clusterfuzz-testcase-4553541576294400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ce4f28431623cdde4aa496fd10430f6c7bdef63) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 14 +++++++++++++- libavcodec/vp56.h | 3 +++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 8e99b82219..58759e0a19 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c 
@@ -611,8 +611,12 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } + s->discard_frame = 0; avctx->execute2(avctx, ff_vp56_decode_mbs, 0, 0, (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) + 1); + if (s->discard_frame) + return AVERROR_INVALIDDATA; + if ((res = av_frame_ref(data, p)) < 0) return res; *got_frame = 1; @@ -698,8 +702,13 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, for (mb_col=0; mb_colmb_width; mb_col++) { if (!damaged) { int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); - if (ret < 0) + if (ret < 0) { damaged = 1; + if (!s->have_undamaged_frame) { + s->discard_frame = 1; + return AVERROR_INVALIDDATA; + } + } } if (damaged) vp56_conceal_mb(s, mb_row, mb_col, is_alpha); @@ -716,6 +725,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, } } + if (!damaged) + s->have_undamaged_frame = 1; + next: if (p->key_frame || s->golden_frame) { av_frame_unref(s->frames[VP56_FRAME_GOLDEN]); diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 34d48228fd..e5c5bea963 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -203,6 +203,9 @@ struct vp56_context { VLC runv_vlc[2]; VLC ract_vlc[2][3][6]; unsigned int nb_null[2][2]; /* number of consecutive NULL DC/AC */ + + int have_undamaged_frame; + int discard_frame; }; From 59adb8f662466537ea4d53c2391041e2607bc616 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Mar 2017 00:53:52 +0100 Subject: [PATCH 1051/1352] avcodec/vp8: remove redundant check Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5098a6f6275a57f122cd8f03e7ffbe5dd090b8e0) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 616ef656ec..2fa8697e1f 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c 
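Review bot: `have_undamaged_frame` and `discard_frame` are added to `struct vp56_context` without comments, and their lifetimes differ. `discard_frame` is reset on every call in `ff_vp56_decode_frame`, while `have_undamaged_frame` is only ever set in the visible hunks. Suggest `int have_undamaged_frame; /* set once a frame has decoded without damage */` and `int discard_frame; /* set by ff_vp56_decode_mbs when the current frame must be dropped */`. `ff_vp56_decode_mbs` runs as up to two `execute2` jobs, so it is worth confirming that the `s` it writes `discard_frame` to is the same context that `ff_vp56_decode_frame` tests; the start of that function is outside the hunk.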
@@ -2485,8 +2485,6 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { - if (mb_y >= s->mb_height) - break; td->thread_mb_pos = mb_y << 16; ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); if (ret < 0) From 1a53c8dcfcb2f626769e700ace56e9440d046a8f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Mar 2017 19:09:38 +0100 Subject: [PATCH 1052/1352] avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() Fixes: timeout in 730/clusterfuzz-testcase-5265113739165696 (part 1 of 2) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit 55d7371fe0c44c025eb0e75215e0685870f31874) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 5 ++++- libavcodec/vp56.h | 2 +- libavcodec/vp56rac.c | 5 ++++- libavcodec/vp6.c | 15 +++++++++++---- libavcodec/vp8.c | 21 ++++++++++++++------- libavcodec/vp9.c | 9 +++++++-- 6 files changed, 41 insertions(+), 16 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 0c28157ab0..7aba484f9c 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -39,8 +39,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { VP56RangeCoder *c = &s->c; int rows, cols; + int ret; - ff_vp56_init_range_decoder(&s->c, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->c, buf, buf_size); + if (ret < 0) + return ret; s->frames[VP56_FRAME_CURRENT]->key_frame = !vp56_rac_get(c); vp56_rac_get(c); ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index e5c5bea963..c049399df8 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h 
@@ -224,7 +224,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, */ extern const uint8_t ff_vp56_norm_shift[256]; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) { diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c index 6061b7ee72..e70302bf85 100644 --- a/libavcodec/vp56rac.c +++ b/libavcodec/vp56rac.c @@ -37,11 +37,14 @@ const uint8_t ff_vp56_norm_shift[256]= { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, }; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) { c->high = 255; c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + if (buf_size < 1) + return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); + return 0; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index b3f6a5c3ce..fe1a43bfb5 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -52,6 +52,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) int sub_version; int rows, cols; int res = 0; + int ret; int separated_coeff = buf[0] & 1; s->frames[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80); @@ -93,7 +94,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) s->avctx->coded_width = 16 * cols; s->avctx->coded_height = 16 * rows; } else { - int ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); + ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); if (ret < 0) return ret; 
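Review bot: The new guard in ff_vp56_init_range_decoder rejects only `buf_size < 1`, but the read that follows, `bytestream_get_be24(&c->buffer)`, consumes three bytes, so a one- or two-byte buffer still passes and leaves `c->buffer` beyond `c->end`. Whether that read stays inside allocated memory depends on the callers' input padding, which is not visible in this hunk. If short buffers must stay accepted, say so with a comment such as `/* buf_size 1..2 is allowed: the 24-bit read relies on the input padding */`; otherwise compare against 3. The test also runs after `c->end = buf + buf_size` has been computed, so a negative size (vp6 passes `buf_size-6`) forms an out-of-range pointer before it is rejected; moving the test to the top of the function avoids that.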
@@ -105,7 +106,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) res = VP56_SIZE_CHANGE; } - ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + if (ret < 0) + return ret; vp56_rac_gets(c, 2); parse_filter_info = s->filter_header; @@ -122,7 +125,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += 2; buf_size -= 2; } - ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + if (ret < 0) + return ret; s->golden_frame = vp56_rac_get(c); if (s->filter_header) { @@ -165,7 +170,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); } else { - ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + if (ret < 0) + return ret; s->ccp = &s->cc; } } else { diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 2fa8697e1f..aa29fd6b5e 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -254,6 +254,7 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) { const uint8_t *sizes = buf; int i; + int ret; s->num_coeff_partitions = 1 << vp8_rac_get_uint(&s->c, 2); @@ -267,13 +268,13 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) if (buf_size - size < 0) return -1; - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + if (ret < 0) + return ret; buf += size; buf_size -= size; } - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); - - return 0; + return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); } static void vp7_get_quants(VP8Context *s) 
@@ -507,7 +508,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab)); - ff_vp56_init_range_decoder(c, buf, part1_size); + ret = ff_vp56_init_range_decoder(c, buf, part1_size); + if (ret < 0) + return ret; buf += part1_size; buf_size -= part1_size; @@ -559,7 +562,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->lf_delta.enabled = 0; s->num_coeff_partitions = 1; - ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + if (ret < 0) + return ret; if (!s->macroblocks_base || /* first frame */ width != s->avctx->width || height != s->avctx->height || @@ -688,7 +693,9 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memset(&s->lf_delta, 0, sizeof(s->lf_delta)); } - ff_vp56_init_range_decoder(c, buf, header_size); + ret = ff_vp56_init_range_decoder(c, buf, header_size); + if (ret < 0) + return ret; buf += header_size; buf_size -= header_size; diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index cf9768e46c..0157d7b73c 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -771,7 +771,10 @@ static int decode_frame_header(AVCodecContext *ctx, av_log(ctx, AV_LOG_ERROR, "Invalid compressed header size\n"); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c, data2, size2); + res = ff_vp56_init_range_decoder(&s->c, data2, size2); + if (res < 0) + return res; + if (vp56_rac_get_prob_branchy(&s->c, 128)) { // marker bit av_log(ctx, AV_LOG_ERROR, "Marker bit was set\n"); return AVERROR_INVALIDDATA; 
@@ -3859,7 +3862,9 @@ static int vp9_decode_frame(AVCodecContext *ctx, void *frame, ff_thread_report_progress(&s->frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + res = ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + if (res < 0) + return res; if (vp56_rac_get_prob_branchy(&s->c_b[tile_col], 128)) { // marker bit ff_thread_report_progress(&s->frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; From a9394ee7ecfdbc27191650c3652389b7bb0be013 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Mar 2017 19:09:39 +0100 Subject: [PATCH 1053/1352] avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter() Fixes: timeout in 730/clusterfuzz-testcase-5265113739165696 (part 2 of 2) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: BBB Signed-off-by: Michael Niedermayer (cherry picked from commit 1afd246960202917e244c844c534e9c1e3c323f5) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index aa29fd6b5e..f0fe0000d8 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2318,6 +2318,8 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { if (threadnr != 0) { From baa3d3e7d775d9076644df06d88d5f49da436f4f Mon Sep 17 00:00:00 2001 From: Thomas Guilbert Date: Fri, 10 Mar 2017 00:15:39 +0100 Subject: [PATCH 1054/1352] avcodec/vp8: Fix hang with slice threads Fixes: 447860.webm Reviewed-by: "Ronald S. Bultje" 
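Review bot: The new `return res;` in vp9_decode_frame leaves without calling `ff_thread_report_progress(&s->frames[CUR_FRAME].tf, INT_MAX, 0)`, which both neighbouring error returns in this hunk do before `return AVERROR_INVALIDDATA`. With frame threading, a thread waiting on this frame's progress would presumably not be woken on that path. I would write it as `if (res < 0) { ff_thread_report_progress(&s->frames[CUR_FRAME].tf, INT_MAX, 0); return res; }`. The function body continues outside the hunk.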
Signed-off-by: Michael Niedermayer (cherry picked from commit 9bbc73ae9fdedc8789b2b6be65279e9a0ecd7090) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index f0fe0000d8..cff66f40aa 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2496,8 +2496,10 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { td->thread_mb_pos = mb_y << 16; ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); - if (ret < 0) + if (ret < 0) { + update_pos(td, s->mb_height, INT_MAX & 0xFFFF); return ret; + } if (s->deblock_filter) s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); From 74e8d58f5be818d5137cab5d48b5e1619ee2bc0a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2017 17:55:32 +0100 Subject: [PATCH 1055/1352] avcodec/vp56: Reset have_undamaged_frame on resolution changes Fixes: timeout in 758/clusterfuzz-testcase-4720832028868608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e913f212907048d7009cf2f15551781c69b9985) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 58759e0a19..ec94286445 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -507,6 +507,8 @@ static int vp56_size_changed(VP56Context *s) s->plane_height[0] = s->plane_height[3] = avctx->coded_height; s->plane_height[1] = s->plane_height[2] = avctx->coded_height/2; + s->have_undamaged_frame = 0; + for (i=0; i<4; i++) s->stride[i] = s->flip * s->frames[VP56_FRAME_CURRENT]->linesize[i]; From 4c74a38193144f4a464571471129d12110f7f0f4 Mon Sep 17 00:00:00 2001 
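Review bot: The added `update_pos(td, s->mb_height, INT_MAX & 0xFFFF);` on the error path of vp78_decode_mb_row_sliced has no comment, and nothing in the hunk says why a failing thread advances its position to `s->mb_height`. Going by the commit title, this is what releases the threads waiting on this one, so a one-line comment would keep a later cleanup from removing it: `/* report a position past the last row so waiting threads are not blocked */`. The function starts outside the hunk.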
From: Michael Niedermayer Date: Sun, 12 Mar 2017 03:04:06 +0100 Subject: [PATCH 1056/1352] avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() Fixes: 807/clusterfuzz-testcase-6470061042696192 Fixes null pointer dereference Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 967feea5ebb744dce97ab327d33502b43fca0c7f) Signed-off-by: Michael Niedermayer --- libavcodec/vp6.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index fe1a43bfb5..320fb97804 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -108,7 +108,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6); if (ret < 0) - return ret; + goto fail; vp56_rac_gets(c, 2); parse_filter_info = s->filter_header; @@ -162,9 +162,8 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += coeff_offset; buf_size -= coeff_offset; if (buf_size < 0) { - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - ff_set_dimensions(s->avctx, 0, 0); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; @@ -172,7 +171,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) } else { ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size); if (ret < 0) - return ret; + goto fail; s->ccp = &s->cc; } } else { @@ -180,6 +179,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) } return res; +fail: + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(s->avctx, 0, 0); + return ret; } static void vp6_coeff_order_table_init(VP56Context *s) From 9c050af05f3a7d4117e4ed3efe280bd950820907 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 19 Feb 2017 20:32:48 +0100 Subject: [PATCH 1057/1352] avcodec/eac3dec: Fix runtime error: left shift of negative value Fixes: 610/clusterfuzz-testcase-4831030085156864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 067485b673f6ac4b1207d6fc975d1fd968edc68e) Signed-off-by: Michael Niedermayer --- libavcodec/eac3dec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index ef815afb55..caa5e2eaf5 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -252,7 +252,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) /* Vector Quantization */ int v = get_bits(gbc, bits); for (blk = 0; blk < 6; blk++) { - s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8; + s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8); } } else { /* Gain Adaptive Quantization */ @@ -271,12 +271,12 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) int b; int mbits = bits - (2 - log_gain); mant = get_sbits(gbc, mbits); - mant <<= (23 - (mbits - 1)); + mant = ((unsigned)mant) << (23 - (mbits - 1)); /* remap mantissa value to correct for asymmetric quantization */ if (mant >= 0) b = 1 << (23 - log_gain); else - b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8; + b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8); mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ From 0171371298e2ea37ffcd28e53c2fc9185e673811 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 19 Feb 2017 20:39:13 +0100 Subject: [PATCH 1058/1352] avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 Fixes: 611/clusterfuzz-testcase-5613455820193792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c91bdd4524815125e1f7d8dee22ee7a73173c39a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 9e6b55d1d0..43512bc2ba 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1082,7 +1082,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr += linesize >> 1; pred &= mask; - *ptr= pred + (dc << point_transform); + *ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ From 0d05a80c2b7133aa405bd25c97f92b99ade238e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 21:33:27 +0100 Subject: [PATCH 1059/1352] avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative Fixes: 612/clusterfuzz-testcase-4707817137111040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa2b75263e17651187b1475551a02aa2f4ff65fe) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 8b6bc54c66..bc3fbd9195 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -364,6 +364,12 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g } else { int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; + + if (shift_c < 0 || shift_y < 0) { + avpriv_request_sample(s->avctx, "Too large sprite shift"); + return AVERROR_PATCHWELCOME; + } + for (i = 0; i < 2; i++) { s->sprite_offset[0][i] *= 1 << shift_y; s->sprite_offset[1][i] *= 1 << shift_c; From ad909cafe7e69f52e3ea4f5d575a565de482df9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Feb 2017 22:40:29 +0100 Subject: [PATCH 1060/1352] avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' Fixes: 614/clusterfuzz-testcase-4931860079575040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 258763ad0e1efff82bbe2beb97527d3c19f40932) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 09995d8200..5a807347bd 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1721,7 +1721,7 @@ decode_cabac_residual_internal(H264Context *h, int16_t *block, while( j-- ) { \ coeff_abs += coeff_abs + get_cabac_bypass( CC ); \ } \ - coeff_abs+= 14; \ + coeff_abs+= 14U; \ } \ \ if( is_dc ) { \ From 7d47aad28b8e869908d8f740c27ab444d123176a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Feb 2017 03:05:32 +0100 Subject: [PATCH 1061/1352] avcodec/rv40: Fix runtime error: left shift of negative value Fixes: 630/clusterfuzz-testcase-6608718928019456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 956472a3236cc8eaeba5147c55b51bde6005c898) 
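Review bot: In the h264_cabac.c hunk the `U` suffix in `coeff_abs+= 14U;` is the entire fix, yet without a comment it reads like a typo that a later cleanup could revert. I would add `/* unsigned add: coeff_abs can be INT_MAX on damaged input */ \` on the line above it inside the macro. The wrapped result is still used afterwards; the code that consumes it is outside the hunk, so whether it also needs a range check cannot be judged from here.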
Signed-off-by: Michael Niedermayer --- libavcodec/rv40.c | 2 +- libavcodec/rv40dsp.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index 6a6cf5b023..0b5f3ff92f 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -188,7 +188,7 @@ static int rv40_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t A = ptr[-r->intra_types_stride + 1]; // it won't be used for the last coefficient in a row B = ptr[-r->intra_types_stride]; C = ptr[-1]; - pattern = A + (B << 4) + (C << 8); + pattern = A + B * (1 << 4) + C * (1 << 8); for(k = 0; k < MODE2_PATTERNS_NUM; k++) if(pattern == rv40_aic_table_index[k]) break; diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c index 19b0e93696..95ba0a9259 100644 --- a/libavcodec/rv40dsp.c +++ b/libavcodec/rv40dsp.c @@ -449,7 +449,7 @@ static av_always_inline void rv40_weak_loop_filter(uint8_t *src, if (u > 3 - (filter_p1 && filter_q1)) continue; - t <<= 2; + t *= 1 << 2; if (filter_p1 && filter_q1) t += src[-2*step] - src[1*step]; From 0081ccd8bdb8a72ca0bf982009b876235e9529a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Feb 2017 17:32:56 +0100 Subject: [PATCH 1062/1352] avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 Fixes: 639/clusterfuzz-testcase-5143866241974272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 631f7484918a9e7260377c3cea878be708609e64) Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 89fc989a8a..44a649a53c 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c 
@@ -522,7 +522,7 @@ retry: }else{ level = SHOW_UBITS(re, &s->gb, 5); SKIP_CACHE(re, &s->gb, 5); - level |= SHOW_SBITS(re, &s->gb, 6)<<5; + level |= SHOW_SBITS(re, &s->gb, 6) * (1<<5); SKIP_COUNTER(re, &s->gb, 5 + 6); } } From 4c4efea5c47b289306253ae7c8f450c4381230a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Feb 2017 01:22:24 +0100 Subject: [PATCH 1063/1352] avcodec/mpeg4video: Fix runtime error: left shift of negative value Fixes: 644/clusterfuzz-testcase-4726434209726464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6179dc8aa7e5fc5358b9614306f93f1adadf22a4) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- libavcodec/mpegvideo_motion.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index bc3fbd9195..e2b230e6ad 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -506,7 +506,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) if (ctx->divx_version == 500 && ctx->divx_build == 413) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else - sum = RSHIFT(s->sprite_offset[0][n] << s->quarter_sample, a); + sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); } else { dx = s->sprite_delta[n][0]; dy = s->sprite_delta[n][1]; diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index e320511947..b6f20d9e91 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c 
@@ -47,8 +47,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[0][1]; src_x = s->mb_x * 16 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 16 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -16, s->width); if (src_x == s->width) motion_x = 0; @@ -94,8 +94,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[1][1]; src_x = s->mb_x * 8 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 8 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -8, s->width >> 1); if (src_x == s->width >> 1) motion_x = 0; From 1d26b5c0b02f80ea66106c6b450c5d60c760fd67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Feb 2017 21:57:49 +0100 Subject: [PATCH 1064/1352] avcodec/mpeg4videodec: Check sprite_offset in addition to shifts Fixes: 651/clusterfuzz-testcase-5710668915277824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6871df02d973c9ffc1aa4f6d08fb4b1b63d411be) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index e2b230e6ad..72ced2c4da 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -365,8 +365,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; - if (shift_c < 0 || shift_y < 0) { - avpriv_request_sample(s->avctx, "Too large sprite shift"); + if (shift_c < 0 || shift_y < 0 || + FFABS(s->sprite_offset[0][0]) >= INT_MAX >> shift_y || + FFABS(s->sprite_offset[1][0]) >= INT_MAX >> shift_c || + FFABS(s->sprite_offset[0][1]) >= INT_MAX >> shift_y || + FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); return AVERROR_PATCHWELCOME; } From 939168df1cab391cf7daa436416b1161149e68c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Feb 2017 22:33:16 +0100 Subject: [PATCH 1065/1352] avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows This is not necessarily specific to fuzzed files Fixes: Multiple integer overflows Fixes: 656/clusterfuzz-testcase-6463814516080640 Fixes: 658/clusterfuzz-testcase-6691260146384896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 76ba09d18245a2a41dc5f93a60fd00cdf358cb1f) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 72ced2c4da..5e41da4f98 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
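Review bot: `FFABS()` on the four `s->sprite_offset` values negates a negative operand, so if these are plain `int` (the declaration is outside the hunk) a value of INT_MIN overflows inside the very check that is meant to catch overflow. Widening before taking the absolute value avoids this, e.g. `FFABS((int64_t)s->sprite_offset[0][0]) >= INT_MAX >> shift_y`, and likewise for the other three comparisons. The enclosing function starts and ends outside the hunk.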
@@ -381,6 +381,13 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[0][i] *= 1 << shift_y; s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; + + if (llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w) >= INT_MAX || + llabs(s->sprite_offset[i][0] + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX || + llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX) { + avpriv_request_sample(s->avctx, "Overflow on sprite points"); + return AVERROR_PATCHWELCOME; + } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } From ac994f03011f3bf1003387be3a295829a427b794 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Feb 2017 21:07:24 +0100 Subject: [PATCH 1066/1352] avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 671/clusterfuzz-testcase-4990381827555328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit aff8cf18cb0b1fa4f2e3d163c3da2f25aa6d1906) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 07efd6afa9..1ed1851b89 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1000,8 +1000,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) dmy = get_dmv(s); - s->last_mv[i][0][1] = my << my_shift; - s->last_mv[i][1][1] = my << my_shift; + s->last_mv[i][0][1] = my * (1 << my_shift); + s->last_mv[i][1][1] = my * (1 << my_shift); s->mv[i][0][0] = mx; s->mv[i][0][1] = my; From 8980baa612538c9eba7394f5ff51b24447ea341c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 25 Feb 2017 21:07:25 +0100 Subject: [PATCH 1067/1352] avcodec/eac3dec: Fix runtime error: left shift of negative value -3 Fixes: 672/clusterfuzz-testcase-5595018867769344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 87eb3749708c0eb2978f4812c7be2a4af667fdb7) Signed-off-by: Michael Niedermayer --- libavcodec/eac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index caa5e2eaf5..001a404389 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -280,7 +280,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ - mant <<= 24 - bits; + mant *= (1 << 24 - bits); if (!log_gain) { /* remap mantissa value for no GAQ or Gk=1 */ mant += (ff_eac3_gaq_remap_1[hebap-8] * (int64_t)mant) >> 15; From c9a15db1a97e0efb6905784702b043e3441d6fad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Feb 2017 20:27:59 +0100 Subject: [PATCH 1068/1352] avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 Fixes: 674/clusterfuzz-testcase-6713275880308736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25e93aacc2142f3b57f1e63c67ca46d304f154ef) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 5e41da4f98..9f436d83b2 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
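Review bot: `mant *= (1 << 24 - bits);` in the eac3dec.c hunk drops the parentheses around the shift count. It still parses as `1 << (24 - bits)` because `-` binds tighter than `<<`, but it reads ambiguously and draws a `-Wparentheses` warning from GCC. I would write `mant *= 1 << (24 - bits);`. The mpeg4videodec.c hunk of the following patch has the same pattern in `sprite_ref[0][0] * (1 << alpha + rho)` and `sprite_ref[0][1] * (1 << alpha + rho)`, where the removed lines had the explicit `(alpha + rho)`.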
@@ -280,12 +280,12 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + rho)) + + s->sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][0]) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + rho)) + + s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * From 9061ea27c97e3156c373d235313d27f260aecbac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Feb 2017 20:28:00 +0100 Subject: [PATCH 1069/1352] avcodec/pictordec: Check plane value before doing value/mask computations Fixes integer overflow Fixes: 675/clusterfuzz-testcase-6722971232108544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63e400a8807dca7b0ffa3841df2e31f7419abb8d) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 7ae1a81607..988da37f33 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -77,10 +77,10 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run, if (*y < 0) { *y = s->height - 1; *plane += 1; - value <<= bits_per_plane; - mask <<= bits_per_plane; if (*plane >= s->nb_planes) return; + value <<= bits_per_plane; + mask <<= bits_per_plane; } } } From 0c9dd045f47a6ba967a0d84d0308c72aaa76a38c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 28 Feb 2017 03:13:24 +0100 Subject: [PATCH 1070/1352] avcodec/h264_direct: Fix runtime error: left shift of negative value -14 Fixes: 682/clusterfuzz-testcase-4799120021651456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4bd3f1ce3e68a9348e97ec07a247048ea72ed808) Signed-off-by: Michael Niedermayer --- libavcodec/h264_direct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index 3289fe4700..6b7347b3f8 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -600,7 +600,7 @@ single_col: { const int16_t *mv_col = l1mv[x8 * 3 + y8 * b4_stride]; - int my_col = (mv_col[1] << y_shift) / 2; + int my_col = (mv_col[1] * (1 << y_shift)) / 2; int mx = (scale * mv_col[0] + 128) >> 8; int my = (scale * my_col + 128) >> 8; fill_rectangle(&h->mv_cache[0][scan8[i8 * 4]], 2, 2, 8, From be4f53c1ae28c486f20aa75fd5ee7bb5385dbe80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Mar 2017 16:32:09 +0100 Subject: [PATCH 1071/1352] avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 Fixes: 693/clusterfuzz-testcase-6109776066904064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4b72d5cd6f9341dcafdbc1b9030166aa987b8304) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 43512bc2ba..ff54eb9d59 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -1102,7 +1102,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr16 += linesize >> 1; pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { x = 0; From 78c268d588176bd40de43920623adfac37b1cd72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Mar 2017 03:02:07 +0100 Subject: [PATCH 1072/1352] avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() Also clear the state on errors Fixes integer overflows in 701/clusterfuzz-testcase-6594719951880192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb41956636fc264fe2077b78ef00591d83bbbace) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 9f436d83b2..6a2f4b70d4 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -372,7 +372,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c ) { avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); - return AVERROR_PATCHWELCOME; + goto overflow; } for (i = 0; i < 2; i++) { 
@@ -382,17 +382,23 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; - if (llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w) >= INT_MAX || - llabs(s->sprite_offset[i][0] + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX || - llabs(s->sprite_offset[i][0] + s->sprite_delta[i][0] * (int64_t)w + s->sprite_delta[i][1] * (int64_t)h) >= INT_MAX) { + } + for (i = 0; i < 2; i++) { + if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); - return AVERROR_PATCHWELCOME; + goto overflow; } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } return 0; +overflow: + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + return AVERROR_PATCHWELCOME; } static int decode_new_pred(Mpeg4DecContext *ctx, GetBitContext *gb) { From 1fc71aabc40dd07ec8fe83238454cbee4630bf0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Mar 2017 04:39:04 +0100 Subject: [PATCH 1073/1352] avcodec/adxdec: Fix runtime error: left shift of negative value -1 Fixes: 705/clusterfuzz-testcase-5129572590813184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d23727e0420b9f77f0d4cb28b43819b402f702e5) Signed-off-by: Michael Niedermayer --- libavcodec/adxdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adxdec.c b/libavcodec/adxdec.c index 5115cede6a..3cc2a0a2c3 100644 --- a/libavcodec/adxdec.c +++ b/libavcodec/adxdec.c 
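Review bot: The new `overflow:` exit in mpeg4_decode_sprite_trajectory() (libavcodec/mpeg4videodec.c) zeroes `s->sprite_offset` and `s->sprite_delta` without a comment saying why, and it leaves `ctx->sprite_shift[]`, which the loop just above sets to 16, untouched. A short comment on the label would make the intent reviewable, for example `/* reject the sprite: clear offsets and deltas so no partially validated value is used later */`. Whether `sprite_shift` and `real_sprite_warping_points` also need resetting on this path cannot be judged from the hunk and is worth confirming. The function starts outside the hunk.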
@@ -81,7 +81,7 @@ static int adx_decode(ADXContext *c, int16_t *out, int offset, s2 = prev->s2; for (i = 0; i < BLOCK_SAMPLES; i++) { d = get_sbits(&gb, 4); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = ((d * (1 << COEFF_BITS)) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; s2 = s1; s1 = av_clip_int16(s0); *out++ = s1; From 02d1d31eaa386558d1efff3b4880031da93ae0cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Mar 2017 04:39:06 +0100 Subject: [PATCH 1074/1352] avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value Fixes: 710/clusterfuzz-testcase-5091051431788544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ab998f4c7faf90d0e46b6ead38a1df1f6a31e2eb) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mvpred.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mvpred.h b/libavcodec/h264_mvpred.h index 5f1e9a1ee5..03dc7352fe 100644 --- a/libavcodec/h264_mvpred.h +++ b/libavcodec/h264_mvpred.h @@ -243,7 +243,7 @@ static av_always_inline void pred_8x16_motion(H264Context *const h, if (IS_INTERLACED(type)) { \ refn >>= 1; \ AV_COPY32(mvbuf[idx], mvn); \ - mvbuf[idx][1] <<= 1; \ + mvbuf[idx][1] *= 2; \ mvn = mvbuf[idx]; \ } \ } \ From 5a9faf5f06e82400f25df656c34a115fa47007e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Mar 2017 20:12:20 +0100 Subject: [PATCH 1075/1352] avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' This checks the sprite delta intermediates for overflow Fixes: 716/clusterfuzz-testcase-4890287480504320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fab13bbbcdf92da165f1a6be94fbb8f87fac639a) 
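Review bot: In adx_decode() (libavcodec/adxdec.c) the rewritten line still evaluates `(d * (1 << COEFF_BITS)) * scale + c->coeff[0] * s1 + c->coeff[1] * s2` in plain `int`, so only the shift of a negative `d` is addressed. If `scale` or the coefficients come from the stream without a tighter bound (not visible in this hunk), the product or the sum can still overflow before the `>> COEFF_BITS`. Widening the first operand, `((int64_t)d * (1 << COEFF_BITS)) * scale + ...`, and clipping the 64-bit result to the 16-bit range would remove the dependency on those bounds. The function body continues outside the hunk.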
Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 6a2f4b70d4..7b69729e49 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -386,7 +386,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g for (i = 0; i < 2; i++) { if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX) { + llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX + ) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); goto overflow; } From 1b91b4cf4a64e56216d407dc13ebe5de83772b47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Mar 2017 04:55:15 +0100 Subject: [PATCH 1076/1352] avcodec/wavpack: Fix runtime error: left shift of negative value -2 Fixes: 723/clusterfuzz-testcase-6471394663596032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ba150051322c02e24c004bd5309468886e1e5ab6) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 1e3cdc46a7..51d9d2d619 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
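Review bot: The second bound added in mpeg4_decode_sprite_trajectory() multiplies `s->sprite_delta[i][1]` by `(w+16LL)`, while every other term in this condition pairs `sprite_delta[i][1]` with `(h+16LL)`. If the intent is to bound the vertical contribution, the line should read `llabs(s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||`; as written, a picture that is taller than it is wide is checked against the smaller dimension. If `w` is intended, a comment saying so would keep the line from being "corrected" later.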
@@ -734,13 +734,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } for (i = 0; i < weights; i++) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightA = t << 3; + s->decorr[s->terms - i - 1].weightA = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightA > 0) s->decorr[s->terms - i - 1].weightA += (s->decorr[s->terms - i - 1].weightA + 64) >> 7; if (s->stereo_in) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightB = t << 3; + s->decorr[s->terms - i - 1].weightB = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightB > 0) s->decorr[s->terms - i - 1].weightB += (s->decorr[s->terms - i - 1].weightB + 64) >> 7; From dcf7b700a0cc94d880f5a89335a8919a15274415 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Mar 2017 21:52:36 +0100 Subject: [PATCH 1077/1352] avcodec/wavpack: Fix runtime error: left shift of negative value -5 Fixes: 729/clusterfuzz-testcase-5154831595470848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3016e919d4e1d90da98af19ce2a9d4979506eaf3) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 51d9d2d619..3132fbcaaa 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -267,7 +267,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int bit; if (s->extra_bits) { - S <<= s->extra_bits; + S *= 1 << s->extra_bits; if (s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits) { From 4f951d7b16052665fcd70ea252ccb880176e767b Mon Sep 17 00:00:00 2001 
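Review bot: `S *= 1 << s->extra_bits;` in wv_get_value_integer() (libavcodec/wavpack.c) replaces the shift of a negative `S` with a signed multiplication, which is still undefined when the product does not fit in `int`, and `1 << s->extra_bits` is itself undefined for a count of 31 or more. The hunk does not show how `extra_bits` or `S` are bounded, so this needs checking against the INT32INFO parsing. Doing the scaling in unsigned arithmetic, `S = (unsigned)S << s->extra_bits;`, gives the same bits for in-range values and has no overflow case as long as the count stays below 32. The function continues outside the hunk.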
From: Michael Niedermayer Date: Wed, 8 Mar 2017 21:41:34 +0100 Subject: [PATCH 1078/1352] avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 Fixes: 733/clusterfuzz-testcase-4682158096515072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 800d02abe041deacab5585bf41c1bc2ae5f4b922) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index ff54eb9d59..b72d6805b7 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1141,13 +1141,13 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); pred &= mask; - *ptr = pred + (dc << point_transform); + *ptr = pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap PREDICT(pred, ptr16[-linesize-1], ptr16[-linesize], ptr16[-1], predictor); pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { From 0d67642bcc6e885b22213f5e6384199c52bc247c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Mar 2017 22:25:08 +0100 Subject: [PATCH 1079/1352] avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' Fixes: 736/clusterfuzz-testcase-5580263943831552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e2a4f1a9eb2c1ef3feed4a4f04db7629f2b61084) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 7b69729e49..04e6c22e48 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -384,11 +384,21 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g } for (i = 0; i < 2; i++) { + int64_t sd[2] = { + s->sprite_delta[i][0] - a * (1LL<<16), + s->sprite_delta[i][1] - a * (1LL<<16) + }; + if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX + llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sd[0]) >= INT_MAX || + llabs(sd[1]) >= INT_MAX || + llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX ) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); goto overflow; From 551b01c5d0740d31428d47e6a1921677752099f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Mar 2017 03:55:39 +0100 Subject: [PATCH 1080/1352] avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 Fixes: 763/clusterfuzz-testcase-6007567320875008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44e2105189ac66637f34c764febc349238250b1d) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 429be71a0d..34f6df55b3 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c 
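Review bot: The new `int64_t sd[2]` in mpeg4_decode_sprite_trajectory() is not explained: nothing in the hunk says which later computation uses `sprite_delta[i][k] - a * (1LL<<16)` or why the same `a * (1LL<<16)` is subtracted from both components. A comment above the declaration, such as `/* sd[k] = sprite_delta[i][k] with a * 2^16 removed; bounded in addition to the raw deltas (TODO: name the code that forms this value) */`, would let a reader verify the five added conditions. The condition now holds ten `llabs(...) >= INT_MAX` terms, so a small local macro for that test would also make the list easier to audit.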
@@ -265,7 +265,7 @@ static void decode_pitch_lag_high(int *lag_int, int *lag_frac, int pitch_index, *lag_frac = pitch_index - (*lag_int << 2) + 136; } else if (pitch_index < 440) { *lag_int = (pitch_index + 257 - 376) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) * 2; /* the actual resolution is 1/2 but expressed as 1/4 */ } else { *lag_int = pitch_index - 280; From 2e876cd86a92ce83cf5762e451cf94e0272da149 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Mar 2017 03:04:05 +0100 Subject: [PATCH 1081/1352] avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' Fixes: 768/clusterfuzz-testcase-4807444305805312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a66c6e28b543804f50df1c6083a204219b6b1daa) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 6e86ebd35e..2997285a67 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1627,7 +1627,7 @@ static AVRational update_sar(int old_w, int old_h, AVRational sar, int new_w, in if (!sar.num) sar = (AVRational){1, 1}; - sar = av_mul_q(sar, (AVRational){new_h * old_w, new_w * old_h}); + sar = av_mul_q(sar, av_mul_q((AVRational){new_h, new_w}, (AVRational){old_w, old_h})); return sar; } From 00bebaca773886ed00d618156112895e47706c62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Mar 2017 02:51:15 +0100 Subject: [PATCH 1082/1352] avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 822/clusterfuzz-testcase-4873433189974016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 7cebc5a9ccba0de7bddf7900ae85652ebc66141c) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 3132fbcaaa..38b5150053 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -835,7 +835,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0] > 32) { + if (val[0] > 31) { av_log(avctx, AV_LOG_ERROR, "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); continue; From e695be347efa647f961e8502a21d11a81426cf2a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Mar 2017 20:45:08 +0100 Subject: [PATCH 1083/1352] avcodec/tiff: Check for multiple geo key directories Fixes memleak Fixes: 826/clusterfuzz-testcase-5316921379520512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 108b02e5471c1dae248200db694aba9b7b8555a8) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index a337dc0ff0..0998aa1302 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1036,6 +1036,10 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) ADD_METADATA(count, "ModelTiepointTag", NULL); break; case TIFF_GEO_KEY_DIRECTORY: + if (s->geotag_count) { + avpriv_request_sample(s->avctx, "Multiple geo key directories\n"); + return AVERROR_INVALIDDATA; + } ADD_METADATA(1, "GeoTIFF_Version", NULL); ADD_METADATA(2, "GeoTIFF_Key_Revision", "."); s->geotag_count = ff_tget_short(&s->gb, s->le); From 64b7716802e413fe0c3389c364f689f8b0ed80c9 Mon Sep 17 00:00:00 2001 
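Review bot: The bound in wavpack_decode_block() (libavcodec/wavpack.c) is now `val[0] > 31`, but the message on the following line still prints `(> 32)`, so the log contradicts the check that produced it. Update the string to `"Invalid INT32INFO, extra_bits = %d (> 31)\n"`. The enclosing block continues outside the hunk.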
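Review bot: The message passed to `avpriv_request_sample()` in the new TIFF_GEO_KEY_DIRECTORY check (libavcodec/tiff.c) ends in `\n`, unlike the other `avpriv_request_sample()` calls on this page ("Too large sprite shift or offset", "Overflow on sprite points"). That helper appends its own text after the message, so the embedded newline splits the log entry; use `avpriv_request_sample(s->avctx, "Multiple geo key directories");`. The check relies on `s->geotag_count` alone to detect an earlier directory; whether a previously allocated geotag array can exist while that counter is 0 is not visible here.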
From: Michael Niedermayer Date: Mon, 13 Mar 2017 20:45:09 +0100 Subject: [PATCH 1084/1352] avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 Fixes undefined behavior Fixes: 830/clusterfuzz-testcase-6253175327686656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ebed703f153e979edb2156754c8bdac4d5d6266) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index a15bee557c..9f9e8bfe92 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -252,7 +252,7 @@ static inline int l3_unscale(int value, int exponent) #endif if (e > 31) return 0; - m = (m + (1 << (e - 1))) >> e; + m = (m + ((1U << e)>>1)) >> e; return m; } From 232ced7f4e5fb5b77d87970d8fb146085a48c61e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Mar 2017 02:00:17 +0100 Subject: [PATCH 1085/1352] avcodec/tiff: Check stripsize strippos for overflow Fixes: 861/clusterfuzz-testcase-5688284384591872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d996b56499f00f80b02a41bab3d6b7349e36e9d) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 0998aa1302..45d3e1ded0 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -905,6 +905,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_OFFS: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "strippos %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->strippos = 0; s->stripoff = value; } else 
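Review bot: The new error text in the TIFF_STRIP_OFFS case (libavcodec/tiff.c) says `strippos %u too large`, but the value being rejected is the one stored in `s->stripoff` two lines later, while `s->strippos` is set to 0. Naming the field that is actually assigned, `"stripoff %u too large\n"`, makes the log match the code. Only the `count == 1` branch gets the `INT_MAX` check; the `else` branch continues outside the hunk, so whether multi-strip offsets are bounded elsewhere cannot be seen here.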
@@ -916,6 +921,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_SIZE: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "stripsize %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->stripsizesoff = 0; s->stripsize = value; s->strips = 1; From 6c06cd65a236be9c6e9b109d33192ab796857e74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Mar 2017 11:20:46 +0100 Subject: [PATCH 1086/1352] avcodec/vp56: Check avctx->error_concealment before enabling EC Fixes timeout with 847/clusterfuzz-testcase-5291877358108672 Fixes timeout with 850/clusterfuzz-testcase-5721296509861888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 98da63b3f5f5a277c5c3a16860db9a9f6741e54c) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index ec94286445..32f0082551 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -706,7 +706,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); if (ret < 0) { damaged = 1; - if (!s->have_undamaged_frame) { + if (!s->have_undamaged_frame || !avctx->error_concealment) { s->discard_frame = 1; return AVERROR_INVALIDDATA; } From 78664297df0e94bb38571fc6abc59d2a16af6454 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Mar 2017 01:55:01 +0100 Subject: [PATCH 1087/1352] avcodec/tiff: Check geotag count for being non zero Fixes memleak Fixes: 874/clusterfuzz-testcase-5252796175613952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3182e19c1c29eef60208a67ad8ecad1d9a2d0694) 
Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 45d3e1ded0..4ef509774d 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1057,7 +1057,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->geotag_count = count / 4 - 1; av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n"); } - if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) { + if ( bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4 + || s->geotag_count == 0) { s->geotag_count = 0; return -1; } From eac727a50218fe14a792575e3431bed97b07096f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jan 2017 16:37:56 +0100 Subject: [PATCH 1088/1352] avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit This should make no difference as the value should not be able to be that large but its more correct this way Fixes CID1348138 Signed-off-by: Michael Niedermayer (cherry picked from commit f48b6b8b91d63148ef50d096688ed7226cd6ddf4) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 4ef509774d..c5d5896f9a 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -407,7 +407,7 @@ static int tiff_unpack_lzma(TiffContext *s, AVFrame *p, uint8_t *dst, int stride const uint8_t *src, int size, int width, int lines, int strip_start, int is_yuv) { - uint64_t outlen = width * lines; + uint64_t outlen = width * (uint64_t)lines; int ret, line; uint8_t *buf = av_malloc(outlen); if (!buf) From a0a20e6994da619d368781b3bb5e4db43a673237 Mon Sep 17 00:00:00 2001 
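Review bot: `outlen` in tiff_unpack_lzma() (libavcodec/tiff.c) is now a 64-bit product, but the next line passes it to `av_malloc(outlen)`, whose size parameter is `size_t`; on a 32-bit target a product above `SIZE_MAX` would be truncated and the buffer would be smaller than `outlen` claims. The cast also turns a negative `lines` into a very large unsigned value instead of rejecting it. The commit message assumes the value cannot get that large; a guard before the allocation, `if (width <= 0 || lines <= 0 || outlen > INT_MAX) return AVERROR_INVALIDDATA;`, would make that assumption explicit. The function body continues outside the hunk.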
From: Michael Niedermayer Date: Sat, 21 Jan 2017 01:35:52 +0100 Subject: [PATCH 1089/1352] avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() Fixes CID1397292 Signed-off-by: Michael Niedermayer (cherry picked from commit 5f2b360fc05bbb4f21e1247d1d9af303113d6c25) Signed-off-by: Michael Niedermayer --- libavfilter/avfiltergraph.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 9178939f77..d01cc5a7f5 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -817,6 +817,8 @@ static void swap_samplerates_on_filter(AVFilterContext *filter) for (j = 0; j < outlink->in_samplerates->nb_formats; j++) { int diff = abs(sample_rate - outlink->in_samplerates->formats[j]); + av_assert0(diff < INT_MAX); // This would lead to the use of uninitialized best_diff but is only possible with invalid sample rates + if (diff < best_diff) { best_diff = diff; best_idx = j; From 4b6a747c2afa5985f07090d2fee8ba5b154fc372 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Apr 2017 03:36:17 +0200 Subject: [PATCH 1090/1352] avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' Fixes: 619/clusterfuzz-testcase-5803914534322176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61ee2ca7758672128e30b3e87908b6845e006d71) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 8d631cf731..cdee071e96 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c 
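Review bot: `av_assert0(diff < INT_MAX)` in swap_samplerates_on_filter() (libavfilter/avfiltergraph.c) runs after `abs(sample_rate - outlink->in_samplerates->formats[j])` has already been evaluated in `int`, so for the invalid rates the comment mentions, the subtraction (or `abs()` of the most negative value) is undefined before the assertion can fire. The assertion also aborts the process instead of returning an error; if the sample-rate lists can be influenced by user-supplied filter arguments (not visible here), that abort is reachable from input. Computing the distance in 64 bits, `int64_t diff = llabs((int64_t)sample_rate - outlink->in_samplerates->formats[j]);`, with `best_diff` widened to match, would avoid both. The loop and `best_diff` are declared outside the hunk.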
@@ -186,12 +186,12 @@ static void guess_palette(DVDSubContext* ctx, r = (((subtitle_color >> 16) & 0xff) * level) >> 8; g = (((subtitle_color >> 8) & 0xff) * level) >> 8; b = (((subtitle_color >> 0) & 0xff) * level) >> 8; - rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24); + rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24); color_used[colormap[i]] = (i + 1); j++; } else { rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) | - ((alpha[i] * 17) << 24); + ((alpha[i] * 17U) << 24); } } } From 6918b400c5a99928cabe8c0f782d5983a3806872 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Thu, 20 Apr 2017 13:14:42 +0100 Subject: [PATCH 1091/1352] avformat/webmdashenc: Require the 'adaptation_sets' option to be set This seems to be non-optional, and if the muxer is run without it, strlen() is run on NULL, causing a segfault. Signed-off-by: Michael Niedermayer (cherry picked from commit cbd3a68f3e1c2d1679370301eb5e1a32a2df64fe) Signed-off-by: Michael Niedermayer --- libavformat/webmdashenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 77f6170a26..16fb2db98d 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -215,6 +215,10 @@ static int parse_adaptation_sets(AVFormatContext *s) char *p = w->adaptation_sets; char *q; enum { new_set, parsed_id, parsing_streams } state; + if (!w->adaptation_sets) { + av_log(s, AV_LOG_ERROR, "The 'adaptation_sets' option must be set.\n"); + return AVERROR(EINVAL); + } // syntax id=0,streams=0,1,2 id=1,streams=3,4 and so on state = new_set; while (p < w->adaptation_sets + strlen(w->adaptation_sets)) { From a82e65f0ae55651d0cdefb651c6fd7e7cef96adb Mon Sep 17 00:00:00 2001 
From: Derek Buitenhuis Date: Thu, 20 Apr 2017 16:17:44 +0100 Subject: [PATCH 1092/1352] avformat/webmdashenc: Validate the 'streams' adaptation sets parameter It should not be a value larger than the number of streams we have, or it will cause invalid reads and/or SIGSEGV. Signed-off-by: Michael Niedermayer (cherry picked from commit ec07efa70012845e8642df67a4a773f510a17088) Signed-off-by: Michael Niedermayer --- libavformat/webmdashenc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 16fb2db98d..91b2af354a 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -245,7 +245,11 @@ static int parse_adaptation_sets(AVFormatContext *s) as->streams = av_realloc(as->streams, sizeof(*as->streams) * ++as->nb_streams); if (as->streams == NULL) return -1; as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); - if (as->streams[as->nb_streams - 1] < 0) return -1; + if (as->streams[as->nb_streams - 1] < 0 || + as->streams[as->nb_streams - 1] >= s->nb_streams) { + av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n"); + return AVERROR(EINVAL); + } if (*q == '\0') break; if (*q == ' ') state = new_set; p = ++q; From ad5e264ae358c4c1fed30d538084e8e46c3f4f0a Mon Sep 17 00:00:00 2001 From: Martin Vignali Date: Tue, 25 Apr 2017 22:52:50 +0200 Subject: [PATCH 1093/1352] libavcodec/exr : fix float to uint16 conversion for negative float value Signed-off-by: Michael Niedermayer (cherry picked from commit e46d63745215c04637e7797228bad36bce49d881) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index eb3283848d..4dc975f4d1 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
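Review bot: The new error string in parse_adaptation_sets() (libavformat/webmdashenc.c) misspells the option as `adapation_sets`, while the check added by the previous patch spells it `'adaptation_sets'`; someone searching the log for the option name will miss this message. Use `"Invalid value for 'streams' in adaptation_sets.\n"`. The early return leaves `as->streams` as allocated by the `av_realloc()` just above; whether the caller frees it on this error path is outside the hunk and worth confirming.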
@@ -186,9 +186,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf) * * @return normalized 16-bit unsigned int */ -static inline uint16_t exr_flt2uint(uint32_t v) +static inline uint16_t exr_flt2uint(int32_t v) { - unsigned int exp = v >> 23; + int32_t exp = v >> 23; // "HACK": negative values result in exp< 0, so clipping them to 0 // is also handled by this condition, avoids explicit check for sign bit. if (exp <= 127 + 7 - 24) // we would shift out all bits anyway From d9e4b19269d40f7dee66569c02da576d5fa9243d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 02:27:16 +0200 Subject: [PATCH 1094/1352] avcodec/mdec: Fix runtime error: left shift of negative value -127 Fixes undefined behavior Fixes: 1275/clusterfuzz-testcase-minimized-6718162017976320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ca82975b7a8eaf676a52738ec8e7e36732327cc) Signed-off-by: Michael Niedermayer --- libavcodec/mdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 5fd06f4aa6..979ecc1917 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -74,7 +74,7 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) if (diff >= 0xffff) return AVERROR_INVALIDDATA; a->last_dc[component] += diff; - block[0] = a->last_dc[component] << 3; + block[0] = a->last_dc[component] * (1 << 3); } i = 0; From 737624e06c977d9b50fd9d71e4d888c25d7eb23a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 May 2017 18:46:27 +0200 Subject: [PATCH 1095/1352] avcodec/vp3: Check remaining bits in unpack_dct_coeffs() Decreases the time spend decoding junk. May fix: 1283/clusterfuzz-testcase-minimized-6221126759874560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
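Review bot: `int32_t exp = v >> 23;` in exr_flt2uint() (libavcodec/exr.c) right-shifts a possibly negative signed value, which C leaves implementation-defined, and the function's own "HACK" comment depends on the result being negative. Changing the parameter to `int32_t` also means callers that hold the float bits as `uint32_t` now go through an implementation-defined conversion. An explicit test ahead of the shift, `if (v < 0) return 0; /* negative floats clip to 0 */`, states the intent without relying on either, assuming the branch below returns 0 (it is outside the hunk).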
Signed-off-by: Michael Niedermayer (cherry picked from commit 2f00300b779e7b247c85db0d7daef448225105ff) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index d23ed375f6..8bd23e9c24 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1068,6 +1068,9 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->dct_tokens[0][0] = s->dct_tokens_base; + if (get_bits_left(gb) < 16) + return AVERROR_INVALIDDATA; + /* fetch the DC table indexes */ dc_y_table = get_bits(gb, 4); dc_c_table = get_bits(gb, 4); @@ -1077,6 +1080,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) 0, residual_eob_run); if (residual_eob_run < 0) return residual_eob_run; + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -1099,6 +1104,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->fragment_width[1], s->fragment_height[1]); } + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* fetch the AC table indexes */ ac_y_table = get_bits(gb, 4); ac_c_table = get_bits(gb, 4); From 880a06bd4f88407eb5fc42e973c0a982562ebd7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 May 2017 18:53:52 +0200 Subject: [PATCH 1096/1352] avcodec/indeo2: Check remaining bits in ir2_decode_plane() Fixes: 1290/clusterfuzz-testcase-minimized-5815578902134784 Fixes: timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b29feec9829cfab2523c8d95e35bd69e689ea4af) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 1e71be5429..792b24d903 100644 --- a/libavcodec/indeo2.c 
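Review bot: The three `get_bits_left(gb)` guards added to unpack_dct_coeffs() (libavcodec/vp3.c) use bare thresholds, 16 before the DC table indexes and 8 at the two later points, with nothing saying how they were chosen; the first precedes two 4-bit reads, i.e. 8 bits. A comment on each, for example `/* 2 x 4-bit table indexes plus at least one byte of token data (confirm) */` on the first, would tell a reader whether these are exact requirements or heuristics for cutting short junk input, as the commit message suggests. The function starts and ends outside these hunks.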
+++ b/libavcodec/indeo2.c @@ -78,6 +78,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ @@ -117,6 +119,8 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ From 2fd6441fe4d58416075b4fbc572eb37bbcf6469b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:25 +0200 Subject: [PATCH 1097/1352] avcodec/svq3: Increase offsets to prevent integer overflows Fixes: 1280/clusterfuzz-testcase-minimized-6102353767825408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 382b4fc9b5f3102f59743bf9c8619b31dd8ede1b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 9459329058..3e90450d4a 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -433,8 +433,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, int fx, fy; mx = (mx + 1 >> 1) + dx; my = (my + 1 >> 1) + dy; - fx = (unsigned)(mx + 0x3000) / 3 - 0x1000; - fy = (unsigned)(my + 0x3000) / 3 - 0x1000; + fx = (unsigned)(mx + 0x30000) / 3 - 0x10000; + fy = (unsigned)(my + 0x30000) / 3 - 0x10000; dxy = (mx - 3 * fx) + 4 * (my - 3 * fy); svq3_mc_dir_part(s, x, y, part_width, part_height, 
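Review bot: In svq3_mc_dir() (libavcodec/svq3.c) the cast in `(unsigned)(mx + 0x30000)` is applied after the addition, so `mx + 0x30000` is still a signed sum (assuming `mx` is `int`; its declaration is outside the hunk). The larger bias widens the range of negative `mx` that is handled but leaves overflow possible for `mx` near `INT_MAX` if nothing upstream bounds it. Casting the operand instead, `fx = ((unsigned)mx + 0x30000) / 3 - 0x10000;`, yields the same value for every in-range `mx` and has no undefined case. The same applies to the `fy` line and to the `mx`/`my` lines with `+ 1 + 0x30000` and `+ 3 + 0x60000` in the two following hunks; a named constant for the bias with a one-line comment would also help.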
@@ -442,8 +442,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx += mx; my += my; } else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) { - mx = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000; - my = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000; + mx = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000; + my = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000; dxy = (mx & 1) + 2 * (my & 1); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -451,8 +451,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx *= 3; my *= 3; } else { - mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000; - my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000; + mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000; + my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000; svq3_mc_dir_part(s, x, y, part_width, part_height, mx, my, 0, 0, dir, avg); From 851c9c1cad27f030640a9e9b8651699c50a0a13d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 May 2017 15:24:46 +0200 Subject: [PATCH 1098/1352] avcodec/msvideo1: Check buffer size before re-getting the frame Fixes timeout Fixes: 1306/clusterfuzz-testcase-minimized-6152296217968640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cabfed6895fcc679cd6a6244a12d800e0f3f2d20) Signed-off-by: Michael Niedermayer --- libavcodec/msvideo1.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index 80d183dad1..1a04af22a9 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c 
@@ -302,6 +302,12 @@ static int msvideo1_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; + // Discard frame if its smaller than the minimum frame size + if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From ce396b2afadcc03d64b642b162bb750254e66be5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 May 2017 05:21:51 +0200 Subject: [PATCH 1099/1352] libavcodec/mpeg4videodec: Convert sprite_offset to 64bit This avoids intermediates from overflowing (the final values are checked) Fixes: runtime error: signed integer overflow: -167712 + -2147352576 cannot be represented in type 'int' Fixes: 1298/clusterfuzz-testcase-minimized-5955580877340672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1c3a14073b33f790075f2884ea5c64451a6c876) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 102 ++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 52 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 04e6c22e48..1993e31fa9 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -175,6 +175,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int min_ab, i, w2, h2, w3, h3; int sprite_ref[4][2]; int virtual_ref[2][2]; + int64_t sprite_offset[2][2]; // only true for rectangle shapes const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 }, 
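Review bot: In msvideo1_decode_frame (libavcodec/msvideo1.c), the divisor 512 in `(avctx->width/4) * (avctx->height/4) / 512` is unexplained, so a reader cannot tell whether the bound is exact or a heuristic. Presumably it reflects the densest legal encoding, a two-byte skip code covering on the order of a thousand 4x4 blocks; if that is the reasoning, state it, e.g. `// a 2-byte skip code covers at most ~1023 blocks, so a full frame needs at least blocks/512 bytes`. The check also runs after `s->buf` and `s->size` have been stored; placing it above those two assignments would leave the context untouched when the packet is rejected. The function continues outside the hunk.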
@@ -254,10 +255,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g switch (ctx->num_sprite_warping_points) { case 0: - s->sprite_offset[0][0] = - s->sprite_offset[0][1] = - s->sprite_offset[1][0] = - s->sprite_offset[1][1] = 0; + sprite_offset[0][0] = + sprite_offset[0][1] = + sprite_offset[1][0] = + sprite_offset[1][1] = 0; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = s->sprite_delta[1][0] = 0; @@ -266,11 +267,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 1: // GMC only - s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; - s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; - s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - + sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; + sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; + sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - a * (vop_ref[0][0] / 2); - s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - + sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = 
@@ -280,22 +281,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + + sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][0]) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + + sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * + sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][0] + 1) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * + sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-2 * vop_ref[0][0] + 1) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * 
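Review bot: In mpeg4_decode_sprite_trajectory (libavcodec/mpeg4videodec.c), the `case 2` assignments still evaluate their right-hand sides in `int`: widening the destination to `int64_t sprite_offset` does not widen `sprite_ref[0][0] * (1 << alpha + rho)` or the `-r * sprite_ref[0][0]` terms, so the signed overflow this commit targets may still occur before the conversion. Only the three-point case in the next hunk received `(int64_t)` casts, and even there `16 * w2 * h3` and the `(1 << (alpha + beta + rho - min_ab))` factor are computed in `int`. Casting the first operand of each product, e.g. `(int64_t)sprite_ref[0][0] * (1 << alpha + rho)` and `16LL * w2 * h3`, would make the intermediates match the destination type. The function body starts and ends outside these hunks.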
@@ -312,30 +313,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][0] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][1] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[0][0] = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[0][1] = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[1][0] = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * 
(-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[1][1] = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; @@ -350,10 +343,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[0][1] == 0 && s->sprite_delta[1][0] == 0 && s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { - s->sprite_offset[0][0] >>= ctx->sprite_shift[0]; - s->sprite_offset[0][1] >>= ctx->sprite_shift[0]; - s->sprite_offset[1][0] >>= ctx->sprite_shift[1]; - s->sprite_offset[1][1] >>= ctx->sprite_shift[1]; + sprite_offset[0][0] >>= ctx->sprite_shift[0]; + sprite_offset[0][1] >>= ctx->sprite_shift[0]; + sprite_offset[1][0] >>= ctx->sprite_shift[1]; + sprite_offset[1][1] >>= ctx->sprite_shift[1]; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = 0; s->sprite_delta[1][0] = 0; 
@@ -366,18 +359,18 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_c = 16 - ctx->sprite_shift[1]; if (shift_c < 0 || shift_y < 0 || - FFABS(s->sprite_offset[0][0]) >= INT_MAX >> shift_y || - FFABS(s->sprite_offset[1][0]) >= INT_MAX >> shift_c || - FFABS(s->sprite_offset[0][1]) >= INT_MAX >> shift_y || - FFABS(s->sprite_offset[1][1]) >= INT_MAX >> shift_c + FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y || + FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c || + FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y || + FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c ) { avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); goto overflow; } for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] *= 1 << shift_y; - s->sprite_offset[1][i] *= 1 << shift_c; + sprite_offset[0][i] *= 1 << shift_y; + sprite_offset[1][i] *= 1 << shift_c; s->sprite_delta[0][i] *= 1 << shift_y; s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; 
@@ -389,16 +382,16 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[i][1] - a * (1LL<<16) }; - if (llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX + llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX ) { avpriv_request_sample(s->avctx, "Overflow on sprite points"); goto overflow; @@ -407,6 +400,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->real_sprite_warping_points = ctx->num_sprite_warping_points; } + s->sprite_offset[0][0] = sprite_offset[0][0]; + s->sprite_offset[0][1] = sprite_offset[0][1]; + s->sprite_offset[1][0] = sprite_offset[1][0]; + s->sprite_offset[1][1] = sprite_offset[1][1]; + return 0; overflow: memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); From 89683e3a5f489fc1766f5f477808d7b71abfa4d2 Mon Sep 17 00:00:00 2001 
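Review bot: In mpeg4_decode_sprite_trajectory, the closing `s->sprite_offset[0][0] = sprite_offset[0][0];` stores narrow the 64-bit locals, and only the branch that multiplies by `1 << shift_y` visibly compares them against INT_MAX first. On the path that instead does `sprite_offset[0][0] >>= ctx->sprite_shift[0];` no bound is visible in these hunks, so if `s->sprite_offset` is still `int` (its declaration is not part of this patch) an out-of-range value would be truncated silently. A per-element guard before the copy, e.g. `if (sprite_offset[0][0] > INT_MAX || sprite_offset[0][0] < INT_MIN) goto overflow;`, would make the "final values are checked" statement in the description hold on every path. The function body starts and ends outside these hunks.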
From: Michael Niedermayer Date: Fri, 5 May 2017 02:51:13 +0200 Subject: [PATCH 1100/1352] avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' Fixes: 1080/clusterfuzz-testcase-5353236754071552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce7098b8f2b59c62b5abdb3d74819db75cf67698) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index cdee071e96..13abb9d33a 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -57,7 +57,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t * cb = *ycbcr++; YUV_TO_RGB1_CCIR(cb, cr); YUV_TO_RGB2_CCIR(r, g, b, y); - *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b; + *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b; } } From 3755414d01a39f27abf435a0c943f02b78c62211 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 03:24:40 +0200 Subject: [PATCH 1101/1352] avcodec/cavsdec: Fix undefined behavior from integer overflow Fixes: 1335/clusterfuzz-testcase-minimized-5566961566089216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0e5f7f363555d2befafb1c9e1579dbe0a2fbca7) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index a05e5c5b97..6b9a769a40 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c 
@@ -466,7 +466,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, cavs_vector *col_mv) { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; - int den = h->direct_den[col_mv->ref]; + unsigned den = h->direct_den[col_mv->ref]; int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; From 133705f9e89a69463c2749188aa0d9d7acc26c8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:25 +0200 Subject: [PATCH 1102/1352] avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' Fixes: 943/clusterfuzz-testcase-5114865297391616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a78ae465fda902565ed041d93403e04490b4be0d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index b72d6805b7..8298298f23 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -698,7 +698,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block, int16_t *quant_matrix, int ss, int se, int Al, int *EOBRUN) { - int code, i, j, level, val, run; + int code, i, j, val, run; + unsigned level; if (*EOBRUN) { (*EOBRUN)--; From 2341bd7558e4db51f04586a66fa63944d8382b62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 12:48:12 +0200 Subject: [PATCH 1103/1352] avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so Fixes: out of array access Fixes: 1348/clusterfuzz-testcase-minimized-6195673642827776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce551a3925a1cf9c7824e26a246b99b6773bda4b) 
Signed-off-by: Michael Niedermayer --- libavcodec/tiertexseqv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c index 7c62208dc5..e75f70aee2 100644 --- a/libavcodec/tiertexseqv.c +++ b/libavcodec/tiertexseqv.c @@ -213,10 +213,15 @@ static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int static av_cold int seqvideo_decode_init(AVCodecContext *avctx) { SeqVideoContext *seq = avctx->priv_data; + int ret; seq->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 256, 128); + if (ret < 0) + return ret; + seq->frame = av_frame_alloc(); if (!seq->frame) return AVERROR(ENOMEM); From 90ea514d75ec29188012040e5451ae91da1b4dc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 18:01:25 +0200 Subject: [PATCH 1104/1352] avcodec/wnv1: Fix runtime error: left shift of negative value -1 Fixes: 1338/clusterfuzz-testcase-minimized-6485546354343936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9fac508ca46f93450ec232299dfd15ac70b6f326) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 99aee3cd1c..cbf271afc6 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -52,7 +52,7 @@ static inline int wnv1_get_code(WNV1Context *w, int base_value) if (v == 15) return ff_reverse[get_bits(&w->gb, 8 - w->shift)]; else - return base_value + ((v - 7) << w->shift); + return base_value + ((v - 7U) << w->shift); } static int decode_frame(AVCodecContext *avctx, From 515514feeb86fc6e99a1924704e2cdb635063692 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 5 May 2017 19:26:02 +0200 Subject: [PATCH 1105/1352] avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' Fixes: 1341/clusterfuzz-testcase-minimized-5441502618583040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1002932a3b16d35c46a08455f76462909eebb5aa) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index 13ad57c8c1..498f13f962 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -250,7 +250,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, aligned_width = FFALIGN(c->avctx->width, 16); c->padded_bits = aligned_width - c->avctx->width; - if (c->video_size < aligned_width * avctx->height * c->bpp / 8) + if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; if (!encoding && c->palette_size && c->bpp <= 8) { avctx->pix_fmt = AV_PIX_FMT_PAL8; From e0defd45ac959ebe45c9f9dbee6734968aca952c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 19:28:56 +0200 Subject: [PATCH 1106/1352] avcodec/nellymoser: Fix multiple left shift of negative value -8591 Fixes: 1342/clusterfuzz-testcase-minimized-5490842129137664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0953736b7e97f6e121a0587a95434bf1857a27da) Signed-off-by: Michael Niedermayer --- libavcodec/nellymoser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/nellymoser.c b/libavcodec/nellymoser.c index 0740c75a0f..d6d5b7a910 100644 --- a/libavcodec/nellymoser.c +++ b/libavcodec/nellymoser.c 
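Review bot: In cdxl_decode_frame (libavcodec/cdxl.c), the `(int64_t)` cast sits on the third operand, so `aligned_width * avctx->height` is still multiplied in `int` before the result is widened. Whether that partial product can overflow depends on dimension limits enforced elsewhere, which the hunk does not show; putting the cast on the first operand removes the question: `if (c->video_size < (int64_t)aligned_width * avctx->height * c->bpp / 8)`. The function continues outside the hunk.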
@@ -85,7 +85,7 @@ const int16_t ff_nelly_delta_table[32] = { static inline int signed_shift(int i, int shift) { if (shift > 0) - return i << shift; + return (unsigned)i << shift; return i >> -shift; } @@ -109,7 +109,7 @@ static int headroom(int *la) return 31; } l = 30 - av_log2(FFABS(*la)); - *la <<= l; + *la *= 1< Date: Fri, 5 May 2017 20:42:11 +0200 Subject: [PATCH 1107/1352] avcodec/dfa: Fix off by 1 error Fixes out of array access Fixes: 1345/clusterfuzz-testcase-minimized-6062963045695488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f52fbf4f3ed02a7d872d8a102006f29b4421f360) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index f13291ef28..f859d8312a 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -175,7 +175,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 3) + if (frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); From 766c53f9e5817e1d56b74b51615de6a191832e1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 22:17:59 +0200 Subject: [PATCH 1108/1352] avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' Fixes: 1346/clusterfuzz-testcase-minimized-5776732600664064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a234b5ade3ca6cde805b92b8b6ecacf693460a8c) Signed-off-by: Michael Niedermayer --- libavcodec/mdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 979ecc1917..83fafacc1b 100644 
--- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -112,11 +112,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) j = scantable[i]; if (level < 0) { level = -level; - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; level = -level; } else { - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; } } From 2b3b77e722e9ffdef7dee9d335ece2e6fd4d6703 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 23:00:59 +0200 Subject: [PATCH 1109/1352] avcodec/aacsbr_template: Do not leave bs_num_env invalid Fixes out of array read Fixes: 1349/clusterfuzz-testcase-minimized-5370707196248064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8ad83b793e883b8c6d114f81073a4e40c0308a3) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 9d12cb868f..bcedf26563 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -662,6 +662,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", ch_data->bs_num_env); + ch_data->bs_num_env = 2; return -1; } @@ -717,6 +718,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", ch_data->bs_num_env); + ch_data->bs_num_env = 2; return -1; } From 697187a6f3045dba219dee9a75b8e201af7d6121 Mon Sep 17 00:00:00 2001 
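Review bot: In read_sbr_grid (libavcodec/aacsbr.c), both error paths patch `ch_data->bs_num_env` back to the literal `2` only after the out-of-range value has already been stored in the context. Reading the count into a local, validating it, and assigning to `ch_data->bs_num_env` afterwards would mean the context never holds an invalid count, and would also cover any other early return between the store and the check (none is visible in these hunks, so that part is a precaution). If the reset is kept, a comment such as `/* keep bs_num_env valid for later readers of ch_data */` would explain why the value is rewritten on a failure path. The function body starts and ends outside the hunks.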
From: Michael Niedermayer Date: Sat, 6 May 2017 01:08:54 +0200 Subject: [PATCH 1110/1352] avcodec/snowdec: Check qbias Fixes: signed integer overflow: -1094995529 * 131 cannot be represented in type 'int' Fixes: 1353/clusterfuzz-testcase-minimized-5208180449607680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 523205ce1ed9415183c162998c68f573479e78fe) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index c5fa20339a..e915b7b31c 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -370,6 +370,11 @@ static int decode_header(SnowContext *s){ s->block_max_depth= 0; return AVERROR_INVALIDDATA; } + if (FFABS(s->qbias) > 127) { + av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias); + s->qbias = 0; + return AVERROR_INVALIDDATA; + } return 0; } From a75075fc58f13f0c456f0064aa08182d57409db1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 12:05:17 +0200 Subject: [PATCH 1111/1352] avcodec/mlpdec: Fix runtime error: left shift of negative value -22 Fixes: 1355/clusterfuzz-testcase-minimized-6662205472768000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c535436cbeeab89be64e9f3fd652bc736f2f3245) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index ed6a7fb58c..8497e1be8c 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c 
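Review bot: In decode_header (libavcodec/snowdec.c), `FFABS(s->qbias) > 127` negates the value when it is negative, which is itself a signed overflow if `s->qbias` can reach INT_MIN. How `qbias` is accumulated lies outside the hunk, so this may be unreachable, but a two-sided comparison avoids the negation altogether: `if (s->qbias < -127 || s->qbias > 127) {`. The function starts outside the hunk.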
@@ -261,7 +261,7 @@ static inline int read_huff_channels(MLPDecodeContext *m, GetBitContext *gbp, result = (result << lsb_bits) + get_bits(gbp, lsb_bits); result += cp->sign_huff_offset; - result <<= quant_step_size; + result *= 1 << quant_step_size; m->sample_buffer[pos + s->blockpos][channel] = result; } From 7a37ef34fb07c91525ab783533a62efe036d4d7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 12:10:59 +0200 Subject: [PATCH 1112/1352] avcodec/fic: Fix multiple left shift of negative value -15 Fixes: 1356/clusterfuzz-testcase-minimized-6008489086287872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b20c71409b24460983ba5d9afa0716714f9e0f7d) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 5615e69abc..64719fd500 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -91,8 +91,8 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd const int t7 = t3 - t1; const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd; - const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd; + const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; blk[0 * step] = ( t4 + t9 + tB) >> shift; blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; From b7a69943e8e64cd69bd118b2bda8c16d32d97122 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 6 May 2017 15:17:29 +0200 Subject: [PATCH 1113/1352] avcodec/mimic: Fix runtime error: left shift of negative value -1 Fixes: 1365/clusterfuzz-testcase-minimized-5624158450876416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc2c420b82939a8f30838a6aa08bfd936099d3ce) Signed-off-by: Michael Niedermayer --- libavcodec/mimic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index 24724fa75d..cad2245663 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -263,7 +263,7 @@ static int vlc_decode_block(MimicContext *ctx, int num_coeffs, int qscale) coeff = vlcdec_lookup[num_bits][value]; if (pos < 3) - coeff <<= 4; + coeff *= 16; else /* TODO Use >> 10 instead of / 1001 */ coeff = (coeff * qscale) / 1001; From c767fc96e712b21f39d5d29f347920562f37748b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 16:38:22 +0200 Subject: [PATCH 1114/1352] avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 1368/clusterfuzz-testcase-minimized-4507293276176384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12936a4585bc293c0f88327d6840f49e8e744b62) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index f859d8312a..8336eab407 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c 
@@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; - int v, count, segments; + int v, count; + unsigned segments; unsigned offset; segments = bytestream2_get_le32(gb); From 05a3c8d1fef42c103f8609568e3638f2842d831e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 16:43:52 +0200 Subject: [PATCH 1115/1352] avcodec/webp: Fix null pointer dereference Fixes: 1369/clusterfuzz-testcase-minimized-5048908029886464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9bf4523e40148fdd27064ab570952bd8c4d1016e) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index c92539fd93..7fb71d8f24 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1325,6 +1325,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, pkt.size = data_size; ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); + if (ret < 0) + return ret; if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); From 83a499cb519507d020c675f2414f849695c0d242 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 18:28:09 +0200 Subject: [PATCH 1116/1352] avcodec/shorten: Check k in get_uint() Fixes: undefined shift Fixes: 1371/clusterfuzz-testcase-minimized-5770822591447040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b6a51f59c467ab9f4b73122dc269206fb517425) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
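Review bot: In `vp8_lossy_decode_frame`, the added `ret < 0` check does not cover a call that succeeds without producing a picture. If `ff_vp8_decode_frame` can return a non-negative value with `*got_frame` left at 0 (not visible here), the `s->has_alpha` branch right after it still hands `p` to `vp8_lossy_decode_alpha` with no plane data behind it. A second guard placed after the new check, `if (!*got_frame) return AVERROR_INVALIDDATA;`, would cover that case. The function continues outside the hunk.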
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 587c22a2b9..b01fdbbca3 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -156,8 +156,11 @@ static int allocate_buffers(ShortenContext *s) static inline unsigned int get_uint(ShortenContext *s, int k) { - if (s->version != 0) + if (s->version != 0) { k = get_ur_golomb_shorten(&s->gb, ULONGSIZE); + if (k > 31U) + return AVERROR_INVALIDDATA; + } return get_ur_golomb_shorten(&s->gb, k); } From 1d0d5d323e935c2350aa11dfee95c9828203a1a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 19:07:59 +0200 Subject: [PATCH 1117/1352] avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from Fixes integer overflow Fixes: 1372/clusterfuzz-testcase-minimized-5712192982745088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ef0f392711445e173a56b2c073dedb021ae3783) Signed-off-by: Michael Niedermayer --- libavcodec/mss3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 075685b902..3b97320c6a 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -356,8 +356,9 @@ static int rac_get_model2_sym(RangeCoder *c, Model2 *m) static int rac_get_model_sym(RangeCoder *c, Model *m) { - int prob, prob2, helper, val; + int val; int end, end2; + unsigned prob, prob2, helper; prob = 0; prob2 = c->range; From e334e402fe727c630c2f9eae2b2f7f56d702ca1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 22:24:52 +0200 Subject: [PATCH 1118/1352] avcodec/cdxl: Check format parameter Fixes out of array access Fixes: 1378/clusterfuzz-testcase-minimized-5715088008806400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e1b60aad77c27ed5d4dfc11e5e6a05a38c70489d) 
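Review bot: `get_uint` returns `unsigned int`, so the new `return AVERROR_INVALIDDATA;` reaches callers as a very large positive value, not as a negative error. The callers are outside the hunk; unless each one range-checks the result, a stream with `k > 31` turns into a huge count or length instead of a decode failure. Either document the contract above the function, `/* returns (unsigned)AVERROR_INVALIDDATA if the coded k is out of range; callers must check */`, or move the error into an `int` return and pass the value back through a pointer.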
Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index 498f13f962..1021addb95 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -252,7 +252,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, c->padded_bits = aligned_width - c->avctx->width; if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; - if (!encoding && c->palette_size && c->bpp <= 8) { + if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { if (c->palette_size != (1 << (c->bpp - 1))) From a530ce3b5ccc0917a2db28acfc0e43eb0065df3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 02:46:54 +0200 Subject: [PATCH 1119/1352] avcodec/msmpeg4dec: Correct table depth Fixes undefined shift Fixes: 1381/clusterfuzz-testcase-minimized-5513944540119040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1121d9270783b284a70af317d8785eac7df1b72f) Signed-off-by: Michael Niedermayer --- libavcodec/msmpeg4dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 94ea3c27ba..4a4a5e3e79 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -139,7 +139,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) if(s->msmpeg4_version==2) cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1); else - cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1); + cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2); if(cbp<0 || cbp>3){ av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y); return -1; 
From 47ed6f1c4a87c7c172bd0f24c48dc8e8200e5e4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 03:16:53 +0200 Subject: [PATCH 1120/1352] avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' Fixes: 1382/clusterfuzz-testcase-minimized-6013445293998080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 669419939c1d36be35196859dc73ec9a194157ad) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 3e90450d4a..57368ac4f1 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -166,7 +166,7 @@ static int svq3_decode_end(AVCodecContext *avctx); void ff_svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) { - const int qmul = svq3_dequant_coeff[qp]; + const unsigned qmul = svq3_dequant_coeff[qp]; #define stride 16 int i; int temp[16]; @@ -191,10 +191,10 @@ void ff_svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) const int z2 = 7 * temp[4 * 1 + i] - 17 * temp[4 * 3 + i]; const int z3 = 17 * temp[4 * 1 + i] + 7 * temp[4 * 3 + i]; - output[stride * 0 + offset] = (z0 + z3) * qmul + 0x80000 >> 20; - output[stride * 2 + offset] = (z1 + z2) * qmul + 0x80000 >> 20; - output[stride * 8 + offset] = (z1 - z2) * qmul + 0x80000 >> 20; - output[stride * 10 + offset] = (z0 - z3) * qmul + 0x80000 >> 20; + output[stride * 0 + offset] = (int)((z0 + z3) * qmul + 0x80000) >> 20; + output[stride * 2 + offset] = (int)((z1 + z2) * qmul + 0x80000) >> 20; + output[stride * 8 + offset] = (int)((z1 - z2) * qmul + 0x80000) >> 20; + output[stride * 10 + offset] = (int)((z0 - z3) * qmul + 0x80000) >> 20; } } #undef stride From 7e1589965489b202c79c1b8e3f98ed5888b87904 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 7 May 2017 03:23:09 +0200 Subject: [PATCH 1121/1352] avcodec/ivi_dsp: Fix multiple left shift of negative value -2 Fixes: 1385/clusterfuzz-testcase-minimized-5552882663292928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e88cc94e58e9e4d1293f9f56c973510e30495fd) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 89121ac080..7f7b7ad28d 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -243,7 +243,7 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst, #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\ d1, d2, d3, d4, d5, d6, d7, d8,\ t0, t1, t2, t3, t4, t5, t6, t7, t8) {\ - t1 = (s1) << 1; t5 = (s5) << 1;\ + t1 = (s1) * 2; t5 = (s5) * 2;\ IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\ IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\ IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\ @@ -284,10 +284,10 @@ void ff_ivi_inverse_haar_8x8(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 4); - sp1 = src[ 0] << shift; - sp2 = src[ 8] << shift; - sp3 = src[16] << shift; - sp4 = src[24] << shift; + sp1 = src[ 0] * (1 << shift); + sp2 = src[ 8] * (1 << shift); + sp3 = src[16] * (1 << shift); + sp4 = src[24] * (1 << shift); INV_HAAR8( sp1, sp2, sp3, sp4, src[32], src[40], src[48], src[56], dst[ 0], dst[ 8], dst[16], dst[24], From 7bf97c4039599c724c4189ff131500e9fd2ef10d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 7 May 2017 03:49:06 +0200 Subject: [PATCH 1122/1352] avcodec/targa_y216dec: Fix width type Fixes out of array access Fixes: 1376/clusterfuzz-testcase-minimized-6361794975105024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3e56db892600c2fbe34782c6140f1ee832a2c344) Signed-off-by: Michael Niedermayer --- libavcodec/targa_y216dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/targa_y216dec.c b/libavcodec/targa_y216dec.c index 5f4eeaaad2..15c95ef2db 100644 --- a/libavcodec/targa_y216dec.c +++ b/libavcodec/targa_y216dec.c @@ -35,7 +35,8 @@ static int y216_decode_frame(AVCodecContext *avctx, void *data, { AVFrame *pic = data; const uint16_t *src = (uint16_t *)avpkt->data; - uint16_t *y, *u, *v, aligned_width = FFALIGN(avctx->width, 4); + uint16_t *y, *u, *v; + int aligned_width = FFALIGN(avctx->width, 4); int i, j, ret; if (avpkt->size < 4 * avctx->height * aligned_width) { From 5e072787830aac9e5c6408ffe7f031b0a2dc2c1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 14:12:04 +0200 Subject: [PATCH 1123/1352] avcodec/mss34dsp: Fix multiple signed integer overflow Fixes: 1387/clusterfuzz-testcase-minimized-4802757766676480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 464c4b86ee43b7912e6f23fd3e5ba40381b4c371) Signed-off-by: Michael Niedermayer --- libavcodec/mss34dsp.c | 44 +++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libavcodec/mss34dsp.c b/libavcodec/mss34dsp.c index 0397add17d..4965ac514d 100644 --- a/libavcodec/mss34dsp.c +++ b/libavcodec/mss34dsp.c 
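Review bot: The packet-size check just below the new `int aligned_width` declaration, `4 * avctx->height * aligned_width`, is evaluated in `int`, and now that the width is no longer truncated to 16 bits the product can be larger than before. It stays in range only if the dimension limits enforced outside this hunk bound it. Widening one operand, `if (avpkt->size < 4LL * avctx->height * aligned_width) {`, makes the check independent of those limits and matches the `(int64_t)` casts in the cdxl and eamad size checks in this series. `y216_decode_frame` continues outside the hunk.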
@@ -62,30 +62,30 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma) } #define DCT_TEMPLATE(blk, step, SOP, shift) \ - const int t0 = -39409 * blk[7 * step] - 58980 * blk[1 * step]; \ - const int t1 = 39410 * blk[1 * step] - 58980 * blk[7 * step]; \ - const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \ - const int t3 = 33410 * blk[3 * step] - 167963 * blk[5 * step]; \ - const int t4 = blk[3 * step] + blk[7 * step]; \ - const int t5 = blk[1 * step] + blk[5 * step]; \ - const int t6 = 77062 * t4 + 51491 * t5; \ - const int t7 = 77062 * t5 - 51491 * t4; \ - const int t8 = 35470 * blk[2 * step] - 85623 * blk[6 * step]; \ - const int t9 = 35470 * blk[6 * step] + 85623 * blk[2 * step]; \ - const int tA = SOP(blk[0 * step] - blk[4 * step]); \ - const int tB = SOP(blk[0 * step] + blk[4 * step]); \ + const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \ + const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \ + const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \ + const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \ + const unsigned t4 = blk[3 * step] + blk[7 * step]; \ + const unsigned t5 = blk[1 * step] + blk[5 * step]; \ + const unsigned t6 = 77062U * t4 + 51491U * t5; \ + const unsigned t7 = 77062U * t5 - 51491U * t4; \ + const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \ + const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \ + const unsigned tA = SOP(blk[0 * step] - blk[4 * step]); \ + const unsigned tB = SOP(blk[0 * step] + blk[4 * step]); \ \ - blk[0 * step] = ( t1 + t6 + t9 + tB) >> shift; \ - blk[1 * step] = ( t3 + t7 + t8 + tA) >> shift; \ - blk[2 * step] = ( t2 + t6 - t8 + tA) >> shift; \ - blk[3 * step] = ( t0 + t7 - t9 + tB) >> shift; \ - blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift; \ - blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift; \ - blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift; \ - blk[7 * step] = (-(t1 + t6) + 
t9 + tB) >> shift; \ + blk[0 * step] = (int)( t1 + t6 + t9 + tB) >> shift; \ + blk[1 * step] = (int)( t3 + t7 + t8 + tA) >> shift; \ + blk[2 * step] = (int)( t2 + t6 - t8 + tA) >> shift; \ + blk[3 * step] = (int)( t0 + t7 - t9 + tB) >> shift; \ + blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift; \ + blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift; \ + blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift; \ + blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift; \ -#define SOP_ROW(a) (((a) << 16) + 0x2000) -#define SOP_COL(a) (((a) + 32) << 16) +#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000) +#define SOP_COL(a) (((a) + 32) * (1U << 16)) void ff_mss34_dct_put(uint8_t *dst, int stride, int *block) { From b92defbcaf83c7e515fff9471a720f712f7a3c88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 14:16:33 +0200 Subject: [PATCH 1124/1352] avcodec/ra144: Fix runtime error: left shift of negative value -798 Fixes: 1388/clusterfuzz-testcase-minimized-6680800936329216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78bf446852a7e5e8aa52c7ca9889632e167b665f) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 696a49e7ab..cfe5aea7dc 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1598,7 +1598,7 @@ void ff_eval_coefs(int *coefs, const int *refl) int i, j; for (i=0; i < LPC_ORDER; i++) { - b1[i] = refl[i] << 4; + b1[i] = refl[i] * 16; for (j=0; j < i; j++) b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; From df8880db961e7aff6eb8cdff484b0a9276dcfe06 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 7 May 2017 15:40:07 +0200 Subject: [PATCH 1125/1352] avcodec/g726: Fix runtime error: left shift of negative value -2 Fixes: 1393/clusterfuzz-testcase-minimized-5948366791901184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c04aa148824f4fb7f4b70830ad3ca7a6cba8ab79) Signed-off-by: Michael Niedermayer --- libavcodec/g726.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g726.c b/libavcodec/g726.c index 259e5a8f23..858d70a000 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c @@ -270,7 +270,7 @@ static int16_t g726_decode(G726Context* c, int I) c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]); c->se >>= 1; - return av_clip(re_signal << 2, -0xffff, 0xffff); + return av_clip(re_signal * 4, -0xffff, 0xffff); } static av_cold int g726_reset(G726Context *c) From 851129e0190c38e72946275e6ec35259820c6a71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 15:42:17 +0200 Subject: [PATCH 1126/1352] avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' Fixes: 1394/clusterfuzz-testcase-minimized-6493376885030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ac1c87194a67e6104a3d241a4dd1ca0808784bd) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index abc9027f6c..c3cbeef3d1 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c 
@@ -284,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx, if (avctx->width != width || avctx->height != height) { av_frame_unref(s->last_frame); - if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb)) + if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb)) return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; From 87ee5473c2584542f06259b9277bc5f9dd312a2d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 15:44:51 +0200 Subject: [PATCH 1127/1352] avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' Fixes: 1395/clusterfuzz-testcase-minimized-5330939741732864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a38e9797cb4123d13ba871d166a737786ba04a9b) Signed-off-by: Michael Niedermayer --- libavcodec/s302m.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index 61c0fe8f96..ff33421abe 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -111,10 +111,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, if (avctx->bits_per_raw_sample == 24) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 6; buf_size -= 7) { - *o++ = (ff_reverse[buf[2]] << 24) | + *o++ = ((unsigned)ff_reverse[buf[2]] << 24) | (ff_reverse[buf[1]] << 16) | (ff_reverse[buf[0]] << 8); - *o++ = (ff_reverse[buf[6] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[6] & 0xf0] << 28) | (ff_reverse[buf[5]] << 20) | (ff_reverse[buf[4]] << 12) | (ff_reverse[buf[3] & 0x0f] << 4); 
@@ -123,10 +123,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, } else if (avctx->bits_per_raw_sample == 20) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 5; buf_size -= 6) { - *o++ = (ff_reverse[buf[2] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[2] & 0xf0] << 28) | (ff_reverse[buf[1]] << 20) | (ff_reverse[buf[0]] << 12); - *o++ = (ff_reverse[buf[5] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[5] & 0xf0] << 28) | (ff_reverse[buf[4]] << 20) | (ff_reverse[buf[3]] << 12); buf += 6; From a579264bc9f3014adcc9defae0086594a16d7f00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 May 2017 18:50:49 +0200 Subject: [PATCH 1128/1352] avcodec/xwddec: Check bpp more completely Fixes out of array access Fixes: 1399/clusterfuzz-testcase-minimized-4866094172995584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 441026fcb13ac23aa10edc312bdacb6445a0ad06) Signed-off-by: Michael Niedermayer --- libavcodec/xwddec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 18b1f93d2e..a06054fbd4 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -157,9 +157,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, case XWD_GRAY_SCALE: if (bpp != 1 && bpp != 8) return AVERROR_INVALIDDATA; - if (pixdepth == 1) { + if (bpp == 1 && pixdepth == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOWHITE; - } else if (pixdepth == 8) { + } else if (bpp == 8 && pixdepth == 8) { avctx->pix_fmt = AV_PIX_FMT_GRAY8; } break; From 4515c5ef24c9089949d05310d984867d91e4c566 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 7 May 2017 23:07:42 +0200 Subject: [PATCH 1129/1352] avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' Fixes: 1401/clusterfuzz-testcase-minimized-6526248148795392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b1f66cf5c2e4d29ae06cdf3f12cdd3d808006bd) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index 40e0bef0da..cfa25f08dc 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c @@ -78,8 +78,8 @@ static void wmv2_idct_col(short * b) a4 = (W0 * b[8 * 0] - W0 * b[8 * 4] ) >> 3; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[8 * 0] = (a0 + a2 + a1 + a5 + (1 << 13)) >> 14; From 6aee15ecbcfef7af4bb14fbba3a32462dedb33d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 02:28:07 +0200 Subject: [PATCH 1130/1352] avcodec/ffv1dec: Fix copying planes of paletted formats Signed-off-by: Michael Niedermayer (cherry picked from commit 3a4d387195a5eb3c1700071af8d8150e4f7f6600) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index a34c509acf..e9c9a2dfa3 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
@@ -979,16 +979,23 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac FFV1Context *fs = f->slice_context[i]; int j; if (fs->slice_damaged && f->last_picture.f->data[0]) { + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); const uint8_t *src[4]; uint8_t *dst[4]; ff_thread_await_progress(&f->last_picture, INT_MAX, 0); - for (j = 0; j < 4; j++) { + for (j = 0; j < desc->nb_components; j++) { int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0; int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0; dst[j] = p->data[j] + p->linesize[j] * (fs->slice_y >> sv) + (fs->slice_x >> sh); src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] * (fs->slice_y >> sv) + (fs->slice_x >> sh); + + } + if (desc->flags & AV_PIX_FMT_FLAG_PAL || + desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) { + dst[1] = p->data[1]; + src[1] = f->last_picture.f->data[1]; } av_image_copy(dst, p->linesize, (const uint8_t **)src, f->last_picture.f->linesize, From 7c1be72e2461e3c6db61626df2c71f985ba0990e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 11:46:03 +0200 Subject: [PATCH 1131/1352] avcodec/cdxl: Check format for BGR24 Fixes: out of array access Fixes: 1427/clusterfuzz-testcase-minimized-5020737339392000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e42736b95065c69a7481d0cf55247024f54b660) Signed-off-by: Michael Niedermayer --- libavcodec/cdxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index 1021addb95..7b62ae5fc5 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c 
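Review bot: In the slice-damaged path of `decode_frame`, `desc` is dereferenced without a NULL check, and with the loop now bounded by `desc->nb_components` the unused entries of `dst[4]` and `src[4]` reach `av_image_copy` uninitialized. `av_image_copy` presumably touches only the planes the format describes, but zero-initialising keeps stale stack pointers out of the call: `const uint8_t *src[4] = { NULL };` and `uint8_t *dst[4] = { NULL };`. A NULL check on `desc` before the loop would cover an unexpected `avctx->pix_fmt`. The enclosing function starts and ends outside the hunk.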
@@ -254,7 +254,7 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { + } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) { if (c->palette_size != (1 << (c->bpp - 1))) return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_BGR24; From 429b5210b12a78d092e0cf8695f646170eb3213d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 11:55:27 +0200 Subject: [PATCH 1132/1352] avcodec/cavsdec: Check sym_factor Fixes: runtime error: signed integer overflow: 25984 * 130560 cannot be represented in type 'int' Fixes: 1404/clusterfuzz-testcase-minimized-5000441286885376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 279420b5a63b3f254e4932a4afb91759fb50186a) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 6b9a769a40..f6b2ed45bf 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1032,6 +1032,10 @@ static int decode_pic(AVSContext *h) h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0; if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) { h->sym_factor = h->dist[0] * h->scale_den[1]; + if (FFABS(h->sym_factor) > 32768) { + av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor); + return AVERROR_INVALIDDATA; + } } else { h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0; h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0; From 42ae8705fae2d1c4b8aab8e9bcd76a10161ab6d7 Mon Sep 17 00:00:00 2001 
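Review bot: The limit in `FFABS(h->sym_factor) > 32768` in `decode_pic` is a bare constant with no explanation of what it protects. Judging by the commit message it presumably keeps a later product involving `sym_factor` inside `int`, but that use is outside the hunk, so a reader cannot tell whether 32768 is exact or just conservative. A comment on the check would help, e.g. `/* sym_factor is multiplied with MV components later; bound it so the product fits in int */` (wording to be confirmed against the use site). `decode_pic` starts and ends outside the hunk.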
From: Michael Niedermayer Date: Mon, 8 May 2017 12:07:56 +0200 Subject: [PATCH 1133/1352] avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' Fixes: 1406/clusterfuzz-testcase-minimized-5064865125236736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8824b7370a9fb72f9c699c3751a5ceb56e0cc41d) Signed-off-by: Michael Niedermayer --- libavcodec/vp8dsp.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index e1a91bb8c6..792a856d43 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -95,7 +95,8 @@ static void vp7_luma_dc_wht_dc_c(int16_t block[4][4][16], int16_t dc[16]) static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -104,10 +105,10 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274; d1 = block[i * 4 + 1] * 30274 + block[i * 4 + 3] * 12540; AV_ZERO64(block + i * 4); - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { 
@@ -116,13 +117,13 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; dst[0 * stride + i] = av_clip_uint8(dst[0 * stride + i] + - ((a1 + d1 + 0x20000) >> 18)); + ((int)(a1 + d1 + 0x20000) >> 18)); dst[3 * stride + i] = av_clip_uint8(dst[3 * stride + i] + - ((a1 - d1 + 0x20000) >> 18)); + ((int)(a1 - d1 + 0x20000) >> 18)); dst[1 * stride + i] = av_clip_uint8(dst[1 * stride + i] + - ((b1 + c1 + 0x20000) >> 18)); + ((int)(b1 + c1 + 0x20000) >> 18)); dst[2 * stride + i] = av_clip_uint8(dst[2 * stride + i] + - ((b1 - c1 + 0x20000) >> 18)); + ((int)(b1 - c1 + 0x20000) >> 18)); } } From 493dc7bb12ab0cc503fc81a6a3a86df6a7cee676 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 15:17:31 +0200 Subject: [PATCH 1134/1352] avcodec/dvbsubdec: check region dimensions Fixes: 1408/clusterfuzz-testcase-minimized-6529985844084736 Fixes: integer overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0075d9eced22839fa4f7a6eaa02155803ccae3e6) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index 097597ed91..b56103f899 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -23,6 +23,7 @@ #include "get_bits.h" #include "bytestream.h" #include "libavutil/colorspace.h" +#include "libavutil/imgutils.h" #include "libavutil/opt.h" #define DVBSUB_PAGE_SEGMENT 0x10 @@ -1138,6 +1139,7 @@ static void dvbsub_parse_region_segment(AVCodecContext *avctx, DVBSubObject *object; DVBSubObjectDisplay *display; int fill; + int ret; if (buf_size < 10) return; 
@@ -1164,6 +1166,12 @@ static void dvbsub_parse_region_segment(AVCodecContext *avctx, region->height = AV_RB16(buf); buf += 2; + ret = av_image_check_size(region->width, region->height, 0, avctx); + if (ret < 0) { + region->width= region->height= 0; + return; + } + if (region->width * region->height != region->buf_size) { av_free(region->pbuf); From 5817946f52fa53a60fde0d30833bc64cef1f2cb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 15:46:55 +0200 Subject: [PATCH 1135/1352] avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' Fixes: 1411/clusterfuzz-testcase-minimized-5776085184675840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29692023b2f1e0580a4065f4c9b62bafd89ab337) Signed-off-by: Michael Niedermayer --- libavcodec/bmvvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bmvvideo.c b/libavcodec/bmvvideo.c index 5143b2a76b..0e35b9cf21 100644 --- a/libavcodec/bmvvideo.c +++ b/libavcodec/bmvvideo.c @@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, if (src < source || src >= source_end) return AVERROR_INVALIDDATA; shift += 2; - val |= *src << shift; + val |= (unsigned)*src << shift; if (*src & 0xC) break; } From 61e69cbb618f3d19ec678c87cd244b907d8b8462 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:50:05 +0200 Subject: [PATCH 1136/1352] avcodec/lagarith: Fix runtime error: left shift of negative value -1 Fixes: 1424/clusterfuzz-testcase-minimized-6088327159611392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ddb2dd7edbccc5596d8e3c039133be8444cb1d02) 
Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index a08d7fde1b..0a672f83ca 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -98,7 +98,7 @@ static uint32_t softfloat_mul(uint32_t x, uint64_t mantissa) static uint8_t lag_calc_zero_run(int8_t x) { - return (x << 1) ^ (x >> 7); + return (x * 2) ^ (x >> 7); } static int lag_decode_prob(GetBitContext *gb, uint32_t *value) From cc44663a2c0f25e97ee866a651f3daf6b2efd4d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 00:56:45 +0200 Subject: [PATCH 1137/1352] avcodec/lagarith: Check scale_factor Fixes: 1425/clusterfuzz-testcase-minimized-6295712339853312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed3c9b5b0dd5abb545c48e930e1c32c187b0776a) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 0a672f83ca..5ed0217ea5 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -191,7 +191,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } scale_factor++; - cumulative_target = 1 << scale_factor; + if (scale_factor >= 32U) + return AVERROR_INVALIDDATA; + cumulative_target = 1U << scale_factor; if (scaled_cumul_prob > cumulative_target) { av_log(rac->avctx, AV_LOG_ERROR, From 61fc2a351ccb532c8fbff069ad539721a405ea2b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 10 May 2017 01:26:39 +0200 Subject: [PATCH 1138/1352] avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' Fixes: 1429/clusterfuzz-testcase-minimized-5959951610544128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae6fd1790f48c457a8cedb445dcac73f8f7b7698) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 57368ac4f1..ee4ec46a9d 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
@@ -224,16 +224,16 @@ void ff_svq3_add_idct_c(uint8_t *dst, int16_t *block, } for (i = 0; i < 4; i++) { - const int z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); - const int z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); - const int z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; - const int z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; + const unsigned z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); + const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); + const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; + const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; const int rr = (dc + 0x80000); - dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((z0 + z3) * qmul + rr >> 20)); - dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((z1 + z2) * qmul + rr >> 20)); - dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((z1 - z2) * qmul + rr >> 20)); - dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((z0 - z3) * qmul + rr >> 20)); + dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); + dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); + dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((int)((z1 - z2) * qmul + rr) >> 20)); + dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((int)((z0 - z3) * qmul + rr) >> 20)); } memset(block, 0, 16 * sizeof(int16_t)); From 62210e895b0c887cd9555994e248e22b59588da3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 14:41:23 +0200 Subject: [PATCH 1139/1352] avcodec/cavs: Check updated MV Fixes: runtime error: signed integer overflow: 251 + 2147483647 cannot be represented in type 'int' Fixes: 1438/clusterfuzz-testcase-minimized-4917542646710272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 5871adc90f8c1037535563e33ebeaf032bb4d5d6) Signed-off-by: Michael Niedermayer --- libavcodec/cavs.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 7d7fbed72c..dc81b18367 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -614,8 +614,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC, mv_pred_median(h, mvP, mvA, mvB, mvC); if (mode < MV_PRED_PSKIP) { - mvP->x += get_se_golomb(&h->gb); - mvP->y += get_se_golomb(&h->gb); + int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x; + int my = get_se_golomb(&h->gb) + (unsigned)mvP->y; + + if (mx != (int16_t)mx || my != (int16_t)my) { + av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my); + } else { + mvP->x = mx; + mvP->y = my; + } } set_mvs(mvP, size); } From 889450b2b27f22f7ce7a897fc7e169191643976d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E8=B5=9E?= Date: Wed, 10 May 2017 14:55:34 +0200 Subject: [PATCH 1140/1352] avformat/wavdec: Check chunk_size Fixes integer overflow and out of array access Signed-off-by: Michael Niedermayer (cherry picked from commit 3d232196372f309a75ed074c4cef30578eec1782) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index cf824d834e..a42e463abb 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -699,6 +699,8 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); + if (chunk_size == UINT32_MAX) + return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); if (!value) From cd300c5601ed483b0e225e490520e39957e2d0ea Mon Sep 17 00:00:00 2001 
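Review bot: In ff_cavs_mv the out-of-range branch only logs and then falls through to `set_mvs(mvP, size)` with the unmodified predictor, so a stream with an invalid motion vector keeps decoding and the caller is never told. Because the function returns void, the failure cannot be propagated from here as written; a comment such as `/* invalid MV: keep the median prediction, decoding continues */` would at least make the choice explicit, and an error flag on the context would let the caller drop the picture. Each bad vector also emits one AV_LOG_ERROR line, so a damaged stream can produce a message per block. The function starts outside the hunk.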
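Review bot: The `chunk_size == UINT32_MAX` test in w64_read_header only stops `chunk_size + 1` from wrapping; any smaller value returned by `avio_rl32(pb)` still reaches `av_mallocz(chunk_size + 1)`, so a small file can request an allocation of nearly 4 GiB. Bounding the size against a sane maximum for a metadata value, or against the bytes remaining in the input if that is known, would cover this as well, with `if (chunk_size >= INT_MAX) return AVERROR_INVALIDDATA;` as a minimum. The return value of the `avio_read(pb, chunk_key, 4)` call just above is also ignored, so a truncated file may leave chunk_key partly unset. The function body starts and ends outside the hunk.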
From: Michael Niedermayer Date: Wed, 10 May 2017 19:02:05 +0200 Subject: [PATCH 1141/1352] avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' Fixes: 1443/clusterfuzz-testcase-minimized-4826998612426752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8de60ba2740185c53cabbee6c00ed67a0d530e2) Signed-off-by: Michael Niedermayer --- libavcodec/eatqi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 864291a95c..2c92d5027d 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -93,7 +93,7 @@ static inline void tqi_idct_put(TqiContext *t, AVFrame *frame, int16_t (*block)[ static void tqi_calculate_qtable(MpegEncContext *s, int quant) { - const int qscale = (215 - 2*quant)*5; + const int64_t qscale = (215 - 2*quant)*5; int i; s->intra_matrix[0] = (ff_inv_aanscales[0]*ff_mpeg1_default_intra_matrix[0])>>11; for(i=1; i<64; i++) From 1a1cc484246d6d4ccf6da1461e23308f1ce16c31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 19:09:31 +0200 Subject: [PATCH 1142/1352] avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 Fixes: 1446/clusterfuzz-testcase-minimized-5577409124368384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db5fae32294763677caa4c1417dcba704c7e764e) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index b2de889c46..eadbf3fbbe 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c 
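Review bot: The initializer `(215 - 2*quant)*5` in tqi_calculate_qtable is still evaluated in int, because quant is an int parameter; only the stored result is widened to int64_t. That is enough for the later products that use qscale, but if quant is not range-checked by the caller (not visible here) the initializer itself can overflow. Writing it as `const int64_t qscale = (215 - 2*(int64_t)quant)*5;` makes the whole computation 64-bit. The loop that uses qscale continues outside the hunk.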
@@ -177,10 +177,10 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) int lo, hi; lo = ydt[p1]; - lo += (lo << 5) + (lo << 10); + lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; - hi += (hi << 5) + (hi << 10); - return (lo + (hi << 16)) << 1; + hi += (hi * 32) + (hi * 1024); + return (lo + (hi * (1 << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -188,9 +188,9 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) int r, b, lo; b = cdt[p2]; - r = cdt[p1] << 10; + r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo << 16)) << 1; + return (lo + (lo * (1 << 16))) * 2; } #if HAVE_BIGENDIAN From 3f8882fa5bfd7b8d7f9388f21a08fa983a2322a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 18:37:49 +0200 Subject: [PATCH 1143/1352] avcodec/webp: Always set pix_fmt Fixes: out of array access Fixes: 1434/clusterfuzz-testcase-minimized-6314998085189632 Fixes: 1435/clusterfuzz-testcase-minimized-6483783723253760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: "Ronald S. Bultje" Signed-off-by: Michael Niedermayer (cherry picked from commit 6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 ++ libavcodec/webp.c | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index cff66f40aa..5c71ef2959 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -2536,6 +2536,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, enum AVDiscard skip_thresh; VP8Frame *av_uninit(curframe), *prev_frame; + av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P); + if (is_vp7) ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size); else diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 7fb71d8f24..d418edee49 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c 
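Review bot: Replacing the shifts with multiplications in make_ydt15_entry removes the left shift of a negative value, but `hi * (1 << 16)` and the final `* 2` are still signed int arithmetic, and overflow is undefined once hi exceeds 32767 in magnitude. The same applies to `lo * (1 << 16)` in make_cdt15_entry in the following hunk. Whether the delta tables can hold values that large is not visible here; if the intent is a wrapping bit-pack, doing the arithmetic in unsigned makes it defined, e.g. `return (lo + (hi * (1U << 16))) * 2;`. A one-line comment saying that the multiplications stand in for shifts on possibly negative values would also help the next reader.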
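Review bot: The `av_assert0` on `avctx->pix_fmt` at the top of vp78_decode_frame aborts the whole process when the format is anything other than the two listed. If any caller or API user can reach this function with a different value (the hunk does not show where pix_fmt is set for plain VP7/VP8 decoding), a bad state becomes a crash instead of a decode error. Returning an error keeps the invariant without the abort: `if (avctx->pix_fmt != AV_PIX_FMT_YUVA420P && avctx->pix_fmt != AV_PIX_FMT_YUV420P) return AVERROR_BUG;`. The function body continues outside the hunk.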
@@ -1310,9 +1310,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (!s->initialized) { ff_vp8_decode_init(avctx); s->initialized = 1; - if (s->has_alpha) - avctx->pix_fmt = AV_PIX_FMT_YUVA420P; } + avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P; s->lossless = 0; if (data_size > INT_MAX) { From 542f44aff07a13b0b7325e52352fcb297c16820a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 15:18:50 +0200 Subject: [PATCH 1144/1352] avcodec/dvbsubdec: Check entry_id Fixes: randomly writing over the array end Fixes: 1473/clusterfuzz-testcase-minimized-5768907824562176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a69f2602fea04b7ebae2db16f2581e8ff5ee0cd) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index b56103f899..213a8defec 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -1115,9 +1115,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - if (depth & 0x80) + if (depth & 0x80 && entry_id < 4) clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha); - else if (depth & 0x40) + else if (depth & 0x40 && entry_id < 16) clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha); else if (depth & 0x20) clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha); From 7f386b5487fd32dc8fede109b3a436b411a3a1f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 18:35:24 +0200 Subject: [PATCH 1145/1352] avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers Signed-off-by: Michael Niedermayer (cherry picked from commit e717fa1f0a66825fb10fec7debad768f311ee240) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) 
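Review bot: With the bounds folded into the `if`/`else if` conditions of dvbsub_parse_clut_segment, an entry that has `depth & 0x80` set but `entry_id >= 4` no longer stops at the first branch; it falls through and is stored in `clut16` or `clut256` when those depth bits are also set, and is silently dropped otherwise. If that fall-through is intended, a comment should say so; if not, the range check belongs inside each branch, with a log line for the rejected id. The last branch writes `clut->clut256[entry_id]` without a bound, which is only safe if entry_id is read from a single byte (its declaration is outside the hunk). Parenthesising `(depth & 0x80) && entry_id < 4` would also make the precedence obvious.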
diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 9c710bbb9e..6f2414648e 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -28,6 +28,10 @@ #include "avcodec.h" #include "internal.h" +#define VLC_BITS 7 +#define VLC_DEPTH 2 + + typedef struct CLLCContext { AVCodecContext *avctx; BswapDSPContext bdsp; @@ -73,7 +77,7 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) prefix <<= 1; } - return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1, + return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1, codes, 2, 2, symbols, 1, 1, 0); } @@ -100,7 +104,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, for (i = 0; i < ctx->avctx->width; i++) { /* Always get the alpha component */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[0].table, 7, 2); + GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH); pred[0] += code; dst[0] = pred[0]; @@ -109,21 +113,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, if (dst[0]) { /* Red */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[1].table, 7, 2); + GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH); pred[1] += code; dst[1] = pred[1]; /* Green */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[2].table, 7, 2); + GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH); pred[2] += code; dst[2] = pred[2]; /* Blue */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[3].table, 7, 2); + GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH); pred[3] += code; dst[3] = pred[3]; @@ -165,7 +169,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; dst[0] = pred; 
@@ -194,7 +198,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width >> is_chroma; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; outbuf[i] = pred; From 266033854850712b35f4a0bc5401f7561aff459e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 18:39:33 +0200 Subject: [PATCH 1146/1352] avcodec/cllc: Check num_bits Fixes: runtime error: shift exponent -2 is negative Fixes: 1479/clusterfuzz-testcase-minimized-6638493360979968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2bfd0a97587d26c0c39413a6291ccc66e4a928d0) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 6f2414648e..7929996771 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -54,6 +54,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) num_lens = get_bits(gb, 5); + if (num_lens > VLC_BITS * VLC_DEPTH) { + vlc->table = NULL; + + av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < num_lens; i++) { num_codes = get_bits(gb, 9); num_codes_sum += num_codes; From 7a0aa0b3540b6232b63d652ca62f61e721f1b79e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 19:10:16 +0200 Subject: [PATCH 1147/1352] avcodec/msmpeg4dec: Check for cbpy VLC errors Fixes: runtime error: left shift of negative value -1 Fixes: 1480/clusterfuzz-testcase-minimized-5188321007370240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15e892aad12b23e9b5686cf66ca6fa739c734ead) 
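Review bot: The log text added in read_code_table reads "To long VLCs"; it should be `av_log(ctx->avctx, AV_LOG_ERROR, "Too long VLCs %d\n", num_lens);`. The `vlc->table = NULL;` before the return has no explanation; a short comment such as `/* caller frees the VLC on error, make that a no-op */` would record why it is there, assuming that is the reason (the caller is not in the hunk). The function body continues outside the hunk.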
Signed-off-by: Michael Niedermayer --- libavcodec/msmpeg4dec.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 4a4a5e3e79..8cf2ffb7d1 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -168,12 +168,23 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) s->mv[0][0][1] = my; *mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16; } else { + int v; if(s->msmpeg4_version==2){ s->ac_pred = get_bits1(&s->gb); - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; } else{ s->ac_pred = 0; - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C; } *mb_type_ptr = MB_TYPE_INTRA; From 631f6eddd36479450cdd61900f4a50e41be1fad9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 23:24:23 +0200 Subject: [PATCH 1148/1352] avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 Fixes: 1487/clusterfuzz-testcase-minimized-6288036495097856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6899e6e56065d9365963e02690dc9e2ce7866050) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index eaaf9f7720..c9aa3209a3 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
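Review bot: The VLC read, the `v < 0` check and the `cbp |= v << 2` update are now duplicated verbatim in both arms of the `msmpeg4_version == 2` test in msmpeg4v12_decode_mb. Only the source of ac_pred and the final `cbp ^= 0x3C` differ, so the read and its error check can be written once after ac_pred is selected, which keeps the bit-reading order unchanged and leaves a single place to maintain the check. The rewritten else-branch body is below; the function starts and ends outside the hunk.

```c
    } else {
        int v;
        /* only version 2 reads ac_pred from the bitstream */
        s->ac_pred = s->msmpeg4_version == 2 ? get_bits1(&s->gb) : 0;
        v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
        if (v < 0) {
            av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n");
            return -1;
        }
        cbp |= v << 2;
        if (s->msmpeg4_version != 2 && s->pict_type == AV_PICTURE_TYPE_P)
            cbp ^= 0x3C;
        /* … unchanged: *mb_type_ptr = MB_TYPE_INTRA … */
```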
@@ -1820,9 +1820,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame) if (out) { out->avframe->reference ^= DELAYED_PIC_REF; - *got_frame = 1; if((ret = av_frame_ref(picture, out->avframe)) < 0) return ret; + *got_frame = 1; } return 0; From 8959891e272692c212891fd4d1b0c4ef19124dee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 13:05:46 +0200 Subject: [PATCH 1149/1352] avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' Fixes: 1503/clusterfuzz-testcase-minimized-5369271855087616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df640dbbc949d0f4deefaf43e86b8bd50ae997cc) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index cfa25f08dc..7b59d10a43 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c @@ -48,8 +48,8 @@ static void wmv2_idct_row(short * b) a4 = W0 * b[0] - W0 * b[4]; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[0] = (a0 + a2 + a1 + a5 + (1 << 7)) >> 8; From 091f90c9e59351234a115e2d5a61207426603b28 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 May 2017 13:01:36 +0200 Subject: [PATCH 1150/1352] avcodec/avcodec: Limit the number of side data elements per packet Fixes: 1293/clusterfuzz-testcase-minimized-6054752074858496 See: [FFmpeg-devel] [PATCH] avcodec/avcodec: Limit the number of side data elements per packet Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit d5711cb89121268e8d78ebe8563a68e67a236cbb) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 10 ++++++++++ libavcodec/avpacket.c | 6 +++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index fb1c9ca9ec..f0405b6d02 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1096,6 +1096,16 @@ enum AVPacketSideDataType { * side data includes updated metadata which appeared in the stream. */ AV_PKT_DATA_METADATA_UPDATE, + + /** + * The number of side data elements (in fact a bit more than it). + * This is not part of the public API/ABI in the sense that it may + * change when new side data types are added. + * This must stay the last enum value. + * If its value becomes huge, some code using it + * needs to be updated as it assumes it to be smaller than other limits. + */ + AV_PKT_DATA_NB }; typedef struct AVPacketSideData { diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index 6aae811361..1814c99c71 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -306,11 +306,12 @@ uint8_t *av_packet_new_side_data(AVPacket *pkt, enum AVPacketSideDataType type, { int elems = pkt->side_data_elems; - if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) + if ((unsigned)elems + 1 > AV_PKT_DATA_NB) return NULL; if ((unsigned)size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE) return NULL; + pkt->side_data = av_realloc(pkt->side_data, (elems + 1) * sizeof(*pkt->side_data)); if (!pkt->side_data) @@ -401,6 +402,9 @@ int av_packet_split_side_data(AVPacket *pkt){ p-= size+5; } + if (i > AV_PKT_DATA_NB) + return AVERROR(ERANGE); + pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data)); if (!pkt->side_data) return AVERROR(ENOMEM); From 36337acfc3db85a8bfad63b6e8dfb99f4bef0289 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 10 May 2017 14:50:40 +0200 Subject: [PATCH 1151/1352] avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' Fixes: 1440/clusterfuzz-testcase-minimized-5785716111966208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ccce2248bf56692fc7bd436ca2c9acca772d486a) Signed-off-by: Michael Niedermayer --- libavcodec/vp8dsp.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index 792a856d43..f56c84befe 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -53,7 +53,8 @@ static void name ## _idct_dc_add4y_c(uint8_t *dst, int16_t block[4][16], \ #if CONFIG_VP7_DECODER static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -61,10 +62,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) b1 = (dc[i * 4 + 0] - dc[i * 4 + 2]) * 23170; c1 = dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274; d1 = dc[i * 4 + 1] * 30274 + dc[i * 4 + 3] * 12540; - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { 
@@ -73,10 +74,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; AV_ZERO64(dc + i * 4); - block[0][i][0] = (a1 + d1 + 0x20000) >> 18; - block[3][i][0] = (a1 - d1 + 0x20000) >> 18; - block[1][i][0] = (b1 + c1 + 0x20000) >> 18; - block[2][i][0] = (b1 - c1 + 0x20000) >> 18; + block[0][i][0] = (int)(a1 + d1 + 0x20000) >> 18; + block[3][i][0] = (int)(a1 - d1 + 0x20000) >> 18; + block[1][i][0] = (int)(b1 + c1 + 0x20000) >> 18; + block[2][i][0] = (int)(b1 - c1 + 0x20000) >> 18; } } From aadfb596c53193403bce8d60d83fd5268b5ab509 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 14:39:26 +0200 Subject: [PATCH 1152/1352] avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 Fixes: 1512/clusterfuzz-testcase-minimized-4713846423945216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74dc728a2c2cc353da20cdc09b8cdfbbe14b7be8) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 6 +++--- libavcodec/mlpdsp.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 8497e1be8c..c06095eb8f 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -690,7 +690,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, } for (i = 0; i < order; i++) - fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift; + fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift); if (get_bits1(gbp)) { int state_bits, state_shift; 
@@ -1005,8 +1005,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr) for (i = 0; i < s->blockpos; i++) { uint16_t seed_shr7 = seed >> 7; - m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift; - m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) << s->noise_shift; + m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift); + m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) * (1 << s->noise_shift); seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5); } diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 3ae8c37708..2fc453c1f0 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -113,8 +113,8 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (i = 0; i < blockpos; i++) { for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; - int32_t sample = sample_buffer[i][mat_ch] - << output_shift[mat_ch]; + int32_t sample = sample_buffer[i][mat_ch] * + (1 << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) *data_32++ = sample << 8; From 34e5c8d0cbb70afd34b95ab99083820cd56f1d8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 May 2017 04:12:15 +0200 Subject: [PATCH 1153/1352] avcodec/aacsbr_template: Do not change bs_num_env before its checked Fixes: 1489/clusterfuzz-testcase-minimized-5075102901207040 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87b08ee6d2a3b0880f0a267c5d51dc7f415e81d7) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index bcedf26563..5d18580b6c 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c 
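Review bot: In ff_mlp_pack_output the context line `*data_32++ = sample << 8;` still left-shifts the signed `sample`, which is the same undefined behaviour this change removes two lines above whenever sample is negative. It can be written as `*data_32++ = sample * 256;`, or as `(uint32_t)sample << 8` if wrapping on large magnitudes is wanted. The new `sample_buffer[i][mat_ch] * (1 << output_shift[mat_ch])` is also a signed multiplication, so it can overflow for large samples or shift counts; the bounds on output_shift are not visible in this hunk. The function continues outside the hunk.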
@@ -646,25 +646,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, int abs_bord_trail = 16; int num_rel_lead, num_rel_trail; unsigned bs_num_env_old = ch_data->bs_num_env; + int bs_frame_class, bs_num_env; ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env]; ch_data->bs_amp_res = sbr->bs_amp_res_header; ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old]; - switch (ch_data->bs_frame_class = get_bits(gb, 2)) { + switch (bs_frame_class = get_bits(gb, 2)) { case FIXFIX: - ch_data->bs_num_env = 1 << get_bits(gb, 2); + bs_num_env = 1 << get_bits(gb, 2); + if (bs_num_env > 4) { + av_log(ac->avctx, AV_LOG_ERROR, + "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", + bs_num_env); + return -1; + } + ch_data->bs_num_env = bs_num_env; num_rel_lead = ch_data->bs_num_env - 1; if (ch_data->bs_num_env == 1) ch_data->bs_amp_res = 0; - if (ch_data->bs_num_env > 4) { - av_log(ac->avctx, AV_LOG_ERROR, - "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", - ch_data->bs_num_env); - ch_data->bs_num_env = 2; - return -1; - } ch_data->t_env[0] = 0; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -712,15 +713,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, abs_bord_trail += get_bits(gb, 2); num_rel_lead = get_bits(gb, 2); num_rel_trail = get_bits(gb, 2); - ch_data->bs_num_env = num_rel_lead + num_rel_trail + 1; + bs_num_env = num_rel_lead + num_rel_trail + 1; - if (ch_data->bs_num_env > 5) { + if (bs_num_env > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", - ch_data->bs_num_env); - ch_data->bs_num_env = 2; + bs_num_env); return -1; } + ch_data->bs_num_env = bs_num_env; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; 
@@ -735,6 +736,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env); break; } + ch_data->bs_frame_class = bs_frame_class; if (bs_pointer > ch_data->bs_num_env + 1) { av_log(ac->avctx, AV_LOG_ERROR, From ad90dc21e3674c7fa10343eec0372509f943e747 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 18:27:27 +0200 Subject: [PATCH 1154/1352] avcodec/webp: Add missing input padding Fixes: 1536/clusterfuzz-testcase-minimized-5973925404082176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3508cc3fe643a8adad6a82a60bece3ea3c5dc63) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index d418edee49..d4b73e01ea 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1043,7 +1043,7 @@ static int apply_color_indexing_transform(WebPContext *s) uint8_t *line; int pixel_bits = 8 >> pal->size_reduction; - line = av_malloc(img->frame->linesize[0]); + line = av_malloc(img->frame->linesize[0] + FF_INPUT_BUFFER_PADDING_SIZE); if (!line) return AVERROR(ENOMEM); From 273d58eeaa238e3329fe78e5bf8bf5029f7a4d55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 19:28:01 +0200 Subject: [PATCH 1155/1352] avcodec/ac3dec: Keep track of band structure It is needed in some corner cases that seem not to be forbidden Fixes: out of array index Fixes: 1538/clusterfuzz-testcase-minimized-4696904925446144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9351a156de724edb69ba6e1f05884fe806a13a21) 
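Review bot: The extra FF_INPUT_BUFFER_PADDING_SIZE bytes added to `line` in apply_color_indexing_transform come from av_malloc and are therefore uninitialised. If the padding exists so that a bit reader may read past the end of the row, those reads return indeterminate data unless the tail is cleared; the code after the allocation is outside the hunk, so this may already be handled. If it is not, add `memset(line + img->frame->linesize[0], 0, FF_INPUT_BUFFER_PADDING_SIZE);` after the NULL check.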
Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 27 +++++++++++++++------------ libavcodec/ac3dec.h | 2 ++ 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index cb946fc681..8a5690678d 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -751,30 +751,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s) * @param[in] default_band_struct default band structure table * @param[out] num_bands number of bands (optionally NULL) * @param[out] band_sizes array containing the number of bins in each band (optionally NULL) + * @param[in,out] band_struct current band structure */ static void decode_band_structure(GetBitContext *gbc, int blk, int eac3, int ecpl, int start_subband, int end_subband, const uint8_t *default_band_struct, - int *num_bands, uint8_t *band_sizes) + int *num_bands, uint8_t *band_sizes, + uint8_t *band_struct, int band_struct_size) { int subbnd, bnd, n_subbands, n_bands=0; uint8_t bnd_sz[22]; - uint8_t coded_band_struct[22]; - const uint8_t *band_struct; n_subbands = end_subband - start_subband; + if (!blk) + memcpy(band_struct, default_band_struct, band_struct_size); + + av_assert0(band_struct_size >= start_subband + n_subbands); + + band_struct += start_subband + 1; + /* decode band structure from bitstream or use default */ if (!eac3 || get_bits1(gbc)) { for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) { - coded_band_struct[subbnd] = get_bits1(gbc); + band_struct[subbnd] = get_bits1(gbc); } - band_struct = coded_band_struct; - } else if (!blk) { - band_struct = &default_band_struct[start_subband+1]; - } else { - /* no change in band structure */ - return; } /* calculate number of bands and band sizes based on band structure. 
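Review bot: In decode_band_structure the `memcpy(band_struct, default_band_struct, band_struct_size)` takes its length from the destination, so it reads past the source unless every default table passed in is at least as large as the context array; the table definitions are not part of this patch, so that should be confirmed or the source length passed separately. The `av_assert0(band_struct_size >= start_subband + n_subbands)` turns an out-of-range subband pair into a process abort, which is only acceptable if both values are validated before the call. The doxygen block gained `band_struct` but not its size; add `@param[in] band_struct_size size of band_struct in bytes`. The function body continues outside the hunk.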
@@ -901,7 +902,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) start_subband, end_subband, ff_eac3_default_spx_band_struct, &s->num_spx_bands, - s->spx_band_sizes); + s->spx_band_sizes, + s->spx_band_struct, sizeof(s->spx_band_struct)); } } if (!s->eac3 || !s->spx_in_use) { @@ -1037,7 +1039,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) decode_band_structure(gbc, blk, s->eac3, 0, cpl_start_subband, cpl_end_subband, ff_eac3_default_cpl_band_struct, - &s->num_cpl_bands, s->cpl_band_sizes); + &s->num_cpl_bands, s->cpl_band_sizes, + s->cpl_band_struct, sizeof(s->cpl_band_struct)); } else { /* coupling not in use */ for (ch = 1; ch <= fbw_channels; ch++) { diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index c5a348ab16..123cc2c37c 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h @@ -126,6 +126,7 @@ typedef struct AC3DecodeContext { int phase_flags_in_use; ///< phase flags in use (phsflginu) int phase_flags[AC3_MAX_CPL_BANDS]; ///< phase flags (phsflg) int num_cpl_bands; ///< number of coupling bands (ncplbnd) + uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS]; uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band int firstchincpl; ///< first channel in coupling int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states (firstcplcos) @@ -142,6 +143,7 @@ typedef struct AC3DecodeContext { int spx_dst_start_freq; ///< spx starting frequency bin for copying (copystartmant) ///< the copy region ends at the start of the spx region. int num_spx_bands; ///< number of spx bands (nspxbnds) + uint8_t spx_band_struct[SPX_MAX_BANDS]; uint8_t spx_band_sizes[SPX_MAX_BANDS]; ///< number of bins in each spx band uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states (firstspxcos) INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor (nblendfact) From 72854fcf933ba54be3d50d984dadbcf254b37498 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 13 May 2017 23:13:38 +0200 Subject: [PATCH 1156/1352] avcodec/mlpdec: Check that there is enough data for headers Fixes: out of array access Fixes: 1541/clusterfuzz-testcase-minimized-6403410590957568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e3e51f8c14d22ae11684dcfe58df355f0f9e6401) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index c06095eb8f..e5de2ecfb7 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -1175,6 +1175,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data, substr_header_size += 2; } + if (length < header_size + substr_header_size) { + av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + goto error; + } + if (!(nonrestart_substr ^ m->is_major_sync_unit)) { av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n"); goto error; From f44c9599411f7de4ea8895f4d4d52f548ee38566 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:16:44 +0200 Subject: [PATCH 1157/1352] avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' Fixes: 1556/clusterfuzz-testcase-minimized-5027865978470400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 86b1b0d33dd7459f0d9c352c51ee2e374fd6f7fe) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index ee4ec46a9d..4a1b1ecbce 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
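Review bot: The message added in read_access_unit is misspelled; it should read `av_log(m->avctx, AV_LOG_ERROR, "Insufficient data for headers\n");`. The length test also sits after the loop that accumulates substr_header_size, so if that loop already reads the substream headers from the bit reader (its body is outside the hunk), the check comes after the reads it is meant to guard and would be better placed before them.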
@@ -206,7 +206,7 @@ void ff_svq3_add_idct_c(uint8_t *dst, int16_t *block, int i; if (dc) { - dc = 13 * 13 * (dc == 1 ? 1538 * block[0] + dc = 13 * 13 * (dc == 1 ? 1538U* block[0] : qmul * (block[0] >> 3) / 2); block[0] = 0; } From 6c0078656163764b3996a67b22e302b8065b589e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:21:24 +0200 Subject: [PATCH 1158/1352] avcodec/webp: Fix signedness in prefix_code check Fixes: out of array read Fixes: 1557/clusterfuzz-testcase-minimized-6535013757616128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c5cd1c9d33b4b287f85d42efb1aecfaee31de6c) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index d4b73e01ea..f08e620976 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -694,7 +694,7 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); - if (prefix_code > 39) { + if (prefix_code > 39U) { av_log(s->avctx, AV_LOG_ERROR, "distance prefix code too large: %d\n", prefix_code); return AVERROR_INVALIDDATA; From 20ba86574034c66fbbc934c0d0f8e4c499d38210 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 May 2017 23:24:04 +0200 Subject: [PATCH 1159/1352] avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' Fixes: 1559/clusterfuzz-testcase-minimized-5048096079740928 Fixes: 1560/clusterfuzz-testcase-minimized-6011037813833728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8630b2cd36c57918acfe18302fe77d1ceefbd676) 
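Review bot: In ff_svq3_add_idct_c the `1538U` suffix makes the whole conditional expression unsigned, but the other arm, `qmul * (block[0] >> 3) / 2`, is still multiplied in signed int and only converted afterwards. If `qmul` can be large enough for that arm to overflow (its range is set outside the hunk), the same sanitizer report can recur there. A short comment such as `/* unsigned on purpose: wraps instead of signed-overflow UB */` would stop a later cleanup from dropping the suffix. The spacing `1538U* block[0]` should be `1538U * block[0]`.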
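Review bot: The check `prefix_code > 39U` in decode_entropy_coded_image rejects negative values only through the implicit conversion to unsigned, which is easy to undo by accident; this assumes `prefix_code` is a signed int, as the `%d` in the log call suggests. `if (prefix_code < 0 || prefix_code > 39) {` states the intent and needs no suffix. For a negative value the message "distance prefix code too large" is also misleading, so wording such as "invalid distance prefix code: %d" would fit both cases.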
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index e9c9a2dfa3..2456d6c0d1 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -45,7 +45,8 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state, if (get_rac(c, state + 0)) return 0; else { - int i, e, a; + int i, e; + unsigned a; e = 0; while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; From 04f39ac54258383682d796c97c8dfc6e9b0a1a21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Apr 2017 18:46:48 +0200 Subject: [PATCH 1160/1352] libswscale/tests/swscale: Fix uninitialized variables Signed-off-by: Michael Niedermayer (cherry picked from commit 7796f290653349a4126f2d448d11bb4440b9f257) Signed-off-by: Michael Niedermayer --- libswscale/swscale-test.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale-test.c b/libswscale/swscale-test.c index b79bb2373a..45e25a378c 100644 --- a/libswscale/swscale-test.c +++ b/libswscale/swscale-test.c @@ -298,10 +298,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp, struct Results r; enum AVPixelFormat srcFormat; char srcStr[12]; - int srcW, srcH; + int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; char dstStr[12]; - int dstW, dstH; + int dstW = 0, dstH = 0; int flags; int ret; From 220a2811c90d92967640ab164228bdac58bdcde1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 14:42:45 +0200 Subject: [PATCH 1161/1352] avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' It seems dual mono with a LFE channel is not forbidden Fixes: 1570/clusterfuzz-testcase-minimized-6455337349545984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit c55e637072b694a1db40e21948d218bfa2e744bb) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 8a5690678d..8d59bd7288 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1341,7 +1341,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) for (ch = 1; ch <= s->channels; ch++) { int audio_channel = 0; INTFLOAT gain; - if (s->channel_mode == AC3_CHMODE_DUALMONO) + if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2) audio_channel = 2-ch; if (s->heavy_compression && s->compression_exists[audio_channel]) gain = s->heavy_dynamic_range[audio_channel]; From 10ed53cae769d551716e279640a46dd86294023f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 May 2017 16:47:13 +0200 Subject: [PATCH 1162/1352] avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode Fixes: Integer overflow Fixes: 1572/clusterfuzz-testcase-minimized-4578773729017856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 467677769a2222ff8beab3c4d7826df9b7cbc81b) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 1993e31fa9..c2844d7764 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
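Review bot: The added `ch <= 2` guard in decode_audio_block carries no comment, and for a dual-mono stream with an LFE channel the third channel now silently keeps `audio_channel = 0`, so it reads index 0 of `compression_exists` and `heavy_dynamic_range`. If using the first channel's gain for LFE is intended, say so next to the condition, e.g. `/* dual mono may carry an LFE channel (ch == 3); it uses index 0 */`. The loop body continues outside the hunk.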
@@ -2437,16 +2437,20 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan); } - if (s->pict_type == AV_PICTURE_TYPE_S && - (ctx->vol_sprite_usage == STATIC_SPRITE || - ctx->vol_sprite_usage == GMC_SPRITE)) { - if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) - return AVERROR_INVALIDDATA; - if (ctx->sprite_brightness_change) - av_log(s->avctx, AV_LOG_ERROR, - "sprite_brightness_change not supported\n"); - if (ctx->vol_sprite_usage == STATIC_SPRITE) - av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + if (s->pict_type == AV_PICTURE_TYPE_S) { + if((ctx->vol_sprite_usage == STATIC_SPRITE || + ctx->vol_sprite_usage == GMC_SPRITE)) { + if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) + return AVERROR_INVALIDDATA; + if (ctx->sprite_brightness_change) + av_log(s->avctx, AV_LOG_ERROR, + "sprite_brightness_change not supported\n"); + if (ctx->vol_sprite_usage == STATIC_SPRITE) + av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + } else { + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + } } if (ctx->shape != BIN_ONLY_SHAPE) { From f0dc6925184f9e286680213b0a63eb78210625aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 19:38:46 +0200 Subject: [PATCH 1163/1352] avcodec/cllc: Check prefix Fixes: runtime error: left shift of 1610706944 by 1 places cannot be represented in type 'int' Fixes: 1421/clusterfuzz-testcase-minimized-6239947507892224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62c5949beca2c95d6af5c74985467438d2295a66) Signed-off-by: Michael Niedermayer --- libavcodec/cllc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 7929996771..00b7d444dc 100644 --- a/libavcodec/cllc.c 
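Review bot: The new `else` branch in decode_vop_header clears `sprite_offset` and `sprite_delta` only when the sprite usage is neither STATIC_SPRITE nor GMC_SPRITE; the early `return AVERROR_INVALIDDATA` after a failed `mpeg4_decode_sprite_trajectory()` leaves whatever that call wrote so far in the context. If a later frame can reach motion compensation with that state (not visible here), the failure path should clear both arrays as well. The condition is also written `if((ctx->vol_sprite_usage == ...))`, with a redundant pair of parentheses and no space after `if`, unlike the surrounding lines. The function starts and ends outside the hunk.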
+++ b/libavcodec/cllc.c @@ -80,6 +80,10 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) count++; } + if (prefix > (65535 - 256)/2) { + vlc->table = NULL; + return AVERROR_INVALIDDATA; + } prefix <<= 1; } From 66675990dadad1dc52dee7d3c599cd6c9d645bd6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 14:43:02 +0200 Subject: [PATCH 1164/1352] avcodec/webp: Factor update_canvas_size() out Signed-off-by: Michael Niedermayer (cherry picked from commit c4f63b78b71e07dd2f5d49c032d9c3eef620c0f3) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index f08e620976..79d8ffbca7 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1082,6 +1082,21 @@ static int apply_color_indexing_transform(WebPContext *s) return 0; } +static void update_canvas_size(AVCodecContext *avctx, int w, int h) +{ + WebPContext *s = avctx->priv_data; + if (s->width && s->width != w) { + av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", + s->width, w); + } + s->width = w; + if (s->height && s->height != h) { + av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", + s->height, h); + } + s->height = h; +} + static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, int *got_frame, uint8_t *data_start, unsigned int data_size, int is_alpha_chunk) @@ -1106,16 +1121,8 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, w = get_bits(&s->gb, 14) + 1; h = get_bits(&s->gb, 14) + 1; - if (s->width && s->width != w) { - av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", - s->width, w); - } - s->width = w; - if (s->height && s->height != h) { - av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", - s->width, w); - } - s->height = h; + + update_canvas_size(avctx, w, h); ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) 
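Review bot: The bound `(65535 - 256)/2` in read_code_table is an unexplained magic number, so a reader cannot tell which later use of `prefix` it protects beyond the `prefix <<= 1` that follows. A comment stating where 65535 and 256 come from, or named constants, would let the limit be re-derived if the table layout changes. Setting `vlc->table = NULL` before returning also deserves a word: if the table can already be allocated at this point (the allocation is outside the hunk), this drops the only pointer to it.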
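Review bot: update_canvas_size() is not a pure move of the removed lines: the height warning now prints `s->height, h`, where the old code printed `s->width, w`. That is a fix, but the commit message describes the change only as factoring out, so it deserves a mention there. The helper also overwrites `s->width` and `s->height` after only a warning and has no comment. A one-line description saying that the caller must validate the new size (the lossless caller does so through `ff_set_dimensions()` right after) would make that contract explicit.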
From b418f5cdcfcf2d9f9eaffdf921256d8dd2a9db05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 May 2017 14:43:03 +0200 Subject: [PATCH 1165/1352] avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() Fixes: 1407/clusterfuzz-testcase-minimized-6044604124102656 Fixes: 1420/clusterfuzz-testcase-minimized-6059927359455232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 72810d20b74f05cc4b214d6c277fa6f43160df54) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 79d8ffbca7..29bef3db24 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1333,6 +1333,9 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); if (ret < 0) return ret; + + update_canvas_size(avctx, avctx->width, avctx->height); + if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); From e34362c6eab1352abf1d3975c900b8937ed17784 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 16:08:14 +0200 Subject: [PATCH 1166/1352] avcodec/snowdec: Check width Fixes: out of array read Fixes: 1419/clusterfuzz-testcase-minimized-6108700873850880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78aa93807b3e0674e34d32c0bf6f78d7f5b7927e) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index e915b7b31c..c5ea897aa6 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
@@ -359,6 +359,10 @@ static int decode_header(SnowContext *s){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count); return AVERROR_INVALIDDATA; } + if (s->avctx->width > 65536-4) { + av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width); + return AVERROR_INVALIDDATA; + } s->qlog += get_symbol(&s->c, s->header_state, 1); From a88859aabb6ef24687457d70783303381e72f879 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 May 2017 13:25:34 +0200 Subject: [PATCH 1167/1352] avcodec/flacdec: Return error code instead of 0 for failures Fixes: infinite loop Fixes: 1418/clusterfuzz-testcase-minimized-5934472438480896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f5a68533decdfb4757207e8d7b5af06e1dcd197) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 969fa8e1ac..ad9ee071c5 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -194,12 +194,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { if (buf_end - buf < 4) - return 0; + return AVERROR_INVALIDDATA; flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ - return 0; + return AVERROR_INVALIDDATA; } buf += metadata_size; } while (!metadata_last); From 0c95ae971e69fad701aaa9fc185c6208e303a4f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 14:28:20 +0200 Subject: [PATCH 1168/1352] avcodec/opus_silk: Fix integer overflow and out of array read Fixes: 1362/clusterfuzz-testcase-minimized-6097275002552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
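Review bot: The limit `65536-4` in the added width check of decode_header is a magic number with no indication of which buffer or index type it protects. A comment naming the dependent computation, or a named constant, would make it possible to tell whether `s->avctx->height` needs a matching bound; only the width is checked here. The function continues outside the hunk.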
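Review bot: The comment kept in the second branch of get_metadata_size(), `/* need more data in order to read the complete header */`, still describes a recoverable short read, while the code below it now returns AVERROR_INVALIDDATA. Either the comment or the error code should change so that the two agree. Callers are outside the hunk; any that test the result with `== 0` or `!ret` would now treat the negative value as a valid size and need a `< 0` check.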
Signed-off-by: Michael Niedermayer (cherry picked from commit 4654baff125d937ae0b1037aa5f0bf53c7351658) Signed-off-by: Michael Niedermayer --- libavcodec/opus_silk.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 4c64cdfce6..6207299d11 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -851,8 +851,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ if (nlsf[0] < min_delta[0]) nlsf[0] = min_delta[0]; for (i = 1; i < order; i++) - if (nlsf[i] < nlsf[i - 1] + min_delta[i]) - nlsf[i] = nlsf[i - 1] + min_delta[i]; + nlsf[i] = FFMAX(nlsf[i], FFMIN(nlsf[i - 1] + min_delta[i], 32767)); /* push backwards to increase distance */ if (nlsf[order-1] > 32768 - min_delta[order]) From 4954a78d337c73893938bd60f814e185cfba4f41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 May 2017 13:16:07 +0200 Subject: [PATCH 1169/1352] avcodec/aacps: Fix undefined behavior Fixes: 1337/clusterfuzz-testcase-minimized-5212314171080704 Fixes the existence of a potentially invalid pointer intermediate Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 527f89e05922e840083ac6d49eeb838b1e350dd4) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index 20012f9b31..5e6161364a 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -900,7 +900,7 @@ static void stereo_processing(PSContext *ps, float (*l)[32][2], float (*r)[32][2 h_step[1][3] = (H22[1][e+1][b] - h[1][3]) * width; } ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd]( - l[k] + start + 1, r[k] + start + 1, + l[k] + 1 + start, r[k] + 1 + start, h, h_step, stop - start); } } From 9252b3ca23e3d365fea624df9786c00e1964382d Mon Sep 17 00:00:00 2001 
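Review bot: The reordering to `l[k] + 1 + start` in stereo_processing looks like a no-op to anyone who does not know that `l[k] + start` can be an out-of-range intermediate pointer, presumably when `start` is negative. Without a comment, a later tidy-up can swap the operands back and reintroduce the undefined behaviour. A comment above the call, such as `/* add 1 first: l[k] + start alone may point before the array */`, would protect it.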
From: Michael Niedermayer Date: Mon, 15 May 2017 21:19:06 +0200 Subject: [PATCH 1170/1352] avcodec/tiff: reset sampling[] if its invalid Fixes divission by 0 Fixes: clusterfuzz-testcase-minimized-5592896440893440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f08122fbe039a56ab3c24f74636b4b0efea97d85) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index c5d5896f9a..37d8bcba1b 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1019,6 +1019,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->subsampling[i] = ff_tget(&s->gb, type, s->le); if (s->subsampling[i] <= 0) { av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]); + s->subsampling[i] = 1; return AVERROR_INVALIDDATA; } } From 242b9e3b0b0670e2a620204234139db88f1f8440 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 May 2017 21:21:20 +0200 Subject: [PATCH 1171/1352] avcodec/svq3: Fix runtime error: left shift of negative value -6 Fixes: 1604/clusterfuzz-testcase-minimized-5312060206350336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a6eb006ad47beb6d5e5cc2c99f8185965209ec6b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 4a1b1ecbce..39b063358d 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
@@ -395,8 +395,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, if (mode != PREDICT_MODE) { pred_motion(h, k, part_width >> 2, dir, 1, &mx, &my); } else { - mx = s->next_pic->motion_val[0][b_xy][0] << 1; - my = s->next_pic->motion_val[0][b_xy][1] << 1; + mx = s->next_pic->motion_val[0][b_xy][0] * 2; + my = s->next_pic->motion_val[0][b_xy][1] * 2; if (dir == 0) { mx = mx * h->frame_num_offset / From 7ed5234fe13af397fb7b06b4478172c6a138a0a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 May 2017 03:04:26 +0200 Subject: [PATCH 1172/1352] avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' Fixes: 1616/clusterfuzz-testcase-minimized-5119196578971648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5ea6bc2a166edac37042f2bbc28eb603a0fbeccb) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index eadbf3fbbe..cacf625236 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -180,7 +180,7 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; hi += (hi * 32) + (hi * 1024); - return (lo + (hi * (1 << 16))) * 2; + return (lo + (hi * (1U << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -190,7 +190,7 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) b = cdt[p2]; r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo * (1 << 16))) * 2; + return (lo + (lo * (1U << 16))) * 2; } #if HAVE_BIGENDIAN From 67c4ca66cbe14b2804419cc30b493f757f05ef9a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 17 May 2017 00:44:36 +0200 Subject: [PATCH 1173/1352] avcodec/takdec: Fix runtime error: left shift of negative value -42 Fixes: 1635/clusterfuzz-testcase-minimized-4992749856096256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 99c4c76cfbc4ae56dc8c37f5fab02f88f6b2cb48) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 2b72e8476c..8670b681ad 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -897,7 +897,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] <<= 8; + samples[i] *= 1 << 8; } break; } From cc2144230bb715b2fdfe8c90223c453102430852 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 00:53:32 +0200 Subject: [PATCH 1174/1352] avcodec/mlpdec: Fix runtime error: left shift of negative value -1 Fixes: 1636/clusterfuzz-testcase-minimized-5310494757879808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 552adf1dd3a38fb7a1a6109dd2b517d63290f20e) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index e5de2ecfb7..4b8d93a620 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c 
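Review bot: `samples[i] *= 1 << 8;` in tak_decode_frame removes the shift of a negative value but is still a signed 32-bit multiplication, so it overflows whenever a decoded sample lies outside the 24-bit range. Whether the decoder guarantees that range is not visible in the hunk; if it does not, `samples[i] *= 1U << 8;` performs the arithmetic unsigned and wraps instead. The same applies to `decoded[i] *= 1 << s->sample_shift[chan];` in the takdec hunk of patch 1183 further down.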
@@ -707,7 +707,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, /* TODO: Check validity of state data. */ for (i = 0; i < order; i++) - fp->state[i] = state_bits ? get_sbits(gbp, state_bits) << state_shift : 0; + fp->state[i] = state_bits ? get_sbits(gbp, state_bits) * (1 << state_shift) : 0; } } From 5e496d9694c94d43224790a5b9d3a0f807884a9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 01:12:55 +0200 Subject: [PATCH 1175/1352] avcodec/flicvideo: Check frame_size before decrementing Fixes: runtime error: signed integer overflow: -2147483627 - 22 cannot be represented in type 'int' Fixes: 1637/clusterfuzz-testcase-minimized-5376582493405184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 355e27e24dc88d6ba8f27501a34925d9d937a399) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 5bd5fb60ca..edacfcadd4 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -202,6 +202,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, num_chunks = bytestream2_get_le16(&g2); bytestream2_skip(&g2, 8); /* skip padding */ + if (frame_size < 16) + return AVERROR_INVALIDDATA; + frame_size -= 16; /* iterate through the chunks */ @@ -520,6 +523,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, if (frame_size > buf_size) frame_size = buf_size; + if (frame_size < 16) + return AVERROR_INVALIDDATA; frame_size -= 16; /* iterate through the chunks */ From 4b06d6de8da09fc649ec9d9dba8d0244ae15016a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 17 May 2017 16:45:46 +0200 Subject: [PATCH 1176/1352] avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 1656/clusterfuzz-testcase-minimized-5900404925661184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 94d05ff15985d17aba070eaec82acd21c0da3d86) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 5f5e5f96c1..a7398dbbd2 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -3306,6 +3306,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb) if (ctx->frame_length_type == 0) { int mux_slot_length = 0; do { + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; tmp = get_bits(gb, 8); mux_slot_length += tmp; } while (tmp == 255); @@ -3335,7 +3337,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx, } if (latmctx->audio_mux_version_A == 0) { int mux_slot_length_bytes = read_payload_length_info(latmctx, gb); - if (mux_slot_length_bytes * 8 > get_bits_left(gb)) { + if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) { av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n"); return AVERROR_INVALIDDATA; } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) { From cd5f0c32bab1b4d07372ba48bf910e634029f25d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 01:54:43 +0200 Subject: [PATCH 1177/1352] avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' Fixes: 1657/clusterfuzz-testcase-minimized-4710000079405056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg 
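Review bot: In read_audio_mux_element only the first comparison was widened to `8LL`; the `else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb))` directly below still multiplies and adds in int. It is reached only after the first test has bounded the value by the bits left, so it is safe in practice. Writing it as `mux_slot_length_bytes * 8LL + 256` keeps the two conditions consistent and removes the need to reason about it. A negative return from read_payload_length_info() is now logged as "incomplete frame"; propagating that error code unchanged would be more precise.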
Signed-off-by: Michael Niedermayer (cherry picked from commit 58ac7fb9c395ab91cb321fa4c8c9e127ce8147c3) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 8336eab407..a231af3223 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -250,7 +250,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned skip_lines = -(int16_t)segments; - unsigned delta = -((int16_t)segments * width); + int64_t delta = -((int16_t)segments * (int64_t)width); if (frame_end - frame <= delta || y + lines + skip_lines > height) return AVERROR_INVALIDDATA; frame += delta; From 061e0a99bb4632eb6ee89c560c61ccf71d4f5f33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 02:07:17 +0200 Subject: [PATCH 1178/1352] avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 Fixes: 1658/clusterfuzz-testcase-minimized-4889937130291200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25c81e4b737bcc737b13c9a752cb301a28cb3906) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 4b8d93a620..343f12bf9f 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -765,7 +765,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo if (get_bits1(gbp)) coeff_val = get_sbits(gbp, frac_bits + 2); - s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits); + s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits)); } if (s->noise_type) From b4a082be14773acd82688e754bff248a1033e68c Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 18 May 2017 17:13:18 +0200 Subject: [PATCH 1179/1352] avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' Fixes: 1669/clusterfuzz-testcase-minimized-5287529198649344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a173f484b52ed63292439de5347e49bd78cad0ed) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 64719fd500..5be427e085 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
@@ -85,22 +85,22 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const int t4 = 5793 * (t2 + t0 + 0x800 >> 12); - const int t5 = 5793 * (t3 + t1 + 0x800 >> 12); - const int t6 = t2 - t0; - const int t7 = t3 - t1; - const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; - const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; - const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; - blk[0 * step] = ( t4 + t9 + tB) >> shift; - blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; - blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; - blk[3 * step] = ( t5 - t9 + tB) >> shift; - blk[4 * step] = ( -t5 - t9 + tB) >> shift; - blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift; - blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift; - blk[7 * step] = ( -t4 + t9 + tB) >> shift; + const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); + const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); + const unsigned t6 = t2 - t0; + const unsigned t7 = t3 - t1; + const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; + const unsigned t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; + const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; + blk[0 * step] = (int)( t4 + t9 + tB) >> shift; + blk[1 * step] = (int)( t6 + t7 + t8 + tA) >> shift; + blk[2 * step] = (int)( t6 - t7 - t8 + tA) >> shift; + blk[3 * step] = (int)( t5 - t9 + tB) >> shift; + blk[4 * step] = (int)( -t5 - t9 + tB) >> shift; + blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift; + blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift; + blk[7 * step] = (int)( -t4 + t9 + tB) >> shift; } static void fic_idct_put(uint8_t *dst, int stride, int16_t 
*block) From 711ba5aadb3e60b2512f81618b72e69dcdec507e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 May 2017 17:46:56 +0200 Subject: [PATCH 1180/1352] avcodec/mimic: Use ff_set_dimensions() to set the dimensions Fixes: OOM Fixes: 1671/clusterfuzz-testcase-minimized-4759078033162240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e434840fd4b3c854beec845f950b80bc1bf93b60) Signed-off-by: Michael Niedermayer --- libavcodec/mimic.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index cad2245663..9417f3d2a1 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -390,9 +390,11 @@ static int mimic_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + res = ff_set_dimensions(avctx, width, height); + if (res < 0) + return res; + ctx->avctx = avctx; - avctx->width = width; - avctx->height = height; avctx->pix_fmt = AV_PIX_FMT_YUV420P; for (i = 0; i < 3; i++) { ctx->num_vblocks[i] = FF_CEIL_RSHIFT(height, 3 + !!i); From 2b9ad554be765d6d7fa1489327021842f5d3b760 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 May 2017 01:23:01 +0200 Subject: [PATCH 1181/1352] avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context Fixes: runtime error: index 8 out of bounds for type 'uint8_t [8]' Fixes: 1699/clusterfuzz-testcase-minimized-6327177438035968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 64ea4d102a070b95832ae4a751688f87da7760a2) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 343f12bf9f..618a30fb6d 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c 
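Review bot: In fic_idct the sums inside `t2 + t0 + 0x800 >> 12` and `t3 + t1 + 0x800 >> 12` are still signed, because t1, t2 and t3 stay `const int` (t0 is declared just above the hunk and presumably does too) and the `5793U` only affects the multiplication that follows. With extreme `int16_t` coefficients each term alone can exceed 2^30, so the addition can overflow before any unsigned arithmetic starts. Adding unsigned and converting back for the arithmetic shift avoids that: `const unsigned t4 = 5793U * ((int)((unsigned)t2 + t0 + 0x800) >> 12);`, and the same for t5. The initialisers of t8, t9, tA and tB are likewise evaluated in int before being stored as unsigned.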
@@ -735,6 +735,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); + s->num_primitive_matrices = 0; return AVERROR_INVALIDDATA; } From 7af11d9ea312d3f3609c14bb18318177e8d247e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:42:12 +0200 Subject: [PATCH 1182/1352] avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' Fixes: 1711/clusterfuzz-testcase-minimized-5248503515185152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d04fc94e1021b70e542dc01a48b8398c6fc6325) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 2fc453c1f0..fbafa92d72 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -114,7 +114,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; int32_t sample = sample_buffer[i][mat_ch] * - (1 << output_shift[mat_ch]); + (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) *data_32++ = sample << 8; From 48818f4d9f3ac8a07e346fd556f4de4ad4309c75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 02:46:55 +0200 Subject: [PATCH 1183/1352] avcodec/takdec: Fix runtime error: left shift of negative value -63 Fixes: 1713/clusterfuzz-testcase-minimized-5791887476654080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d66193252b4067144f11211f8f3e1d5a50146235) 
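Review bot: The context line `*data_32++ = sample << 8;` a few lines below the change in ff_mlp_pack_output still left-shifts a signed `int32_t`, which is undefined for negative samples and for values that do not fit after the shift. The same input that overflowed the multiplication can reach it, so it deserves the same treatment: `*data_32++ = sample * 256U;`. The loop body continues outside the hunk, so the 16-bit branch should be checked as well.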
Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 8670b681ad..3a8a9e4aab 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -855,7 +855,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] <<= s->sample_shift[chan]; + decoded[i] *= 1 << s->sample_shift[chan]; } } From 1d8789ceb35c505dccacd6aa51f2bea48a26ed0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 May 2017 00:07:02 +0200 Subject: [PATCH 1184/1352] avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' Fixes: 1630/clusterfuzz-testcase-minimized-6326111917047808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 955db411929a9876d3cd016fbbb9c49b6362feba) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 3a8a9e4aab..260032561e 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -253,11 +253,11 @@ static int decode_segment(TAKDecContext *s, int8_t mode, int32_t *decoded, int l code = xcodes[mode - 1]; for (i = 0; i < len; i++) { - int x = get_bits_long(gb, code.init); + unsigned x = get_bits_long(gb, code.init); if (x >= code.escape && get_bits1(gb)) { x |= 1 << code.init; if (x >= code.aescape) { - int scale = get_unary(gb, 1, 9); + unsigned scale = get_unary(gb, 1, 9); if (scale == 9) { int scale_bits = get_bits(gb, 3); if (scale_bits > 0) { From 535fce7a5dcdc48d5f97a4a0233b5350241bea16 Mon Sep 17 00:00:00 2001 
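Review bot: In the tak_decode_frame hunk, `decoded[i] *= 1 << s->sample_shift[chan];` removes the shift of a negative value but is still a signed multiplication, so a large decoded sample overflows `int` just as the shift did. Making the factor unsigned keeps the arithmetic defined: `decoded[i] *= 1U << s->sample_shift[chan];`. This assumes `decoded` is an `int32_t` array, as in decode_segment further down the page; the range of `sample_shift` is set outside the hunk and should stay below 32.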
From: Michael Niedermayer Date: Sun, 21 May 2017 13:22:16 +0200 Subject: [PATCH 1185/1352] avcodec/vmnc: Check location before use Fixes: runtime error: signed integer overflow: 65535 * 64256 cannot be represented in type 'int' Fixes: 1717/clusterfuzz-testcase-minimized-5491696676634624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec2b76aab44f55be22eb12d86eb0dfd2eff68581) Signed-off-by: Michael Niedermayer --- libavcodec/vmnc.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 46bd52ee26..71b3c1d3e0 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -374,6 +374,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, w = bytestream2_get_be16(gb); h = bytestream2_get_be16(gb); enc = bytestream2_get_be32(gb); + if ((dx + w > c->width) || (dy + h > c->height)) { + av_log(avctx, AV_LOG_ERROR, + "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", + w, h, dx, dy, c->width, c->height); + return AVERROR_INVALIDDATA; + } outptr = c->pic->data[0] + dx * c->bpp2 + dy * c->pic->linesize[0]; size_left = bytestream2_get_bytes_left(gb); switch (enc) { @@ -451,12 +457,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(gb, 2); break; case 0x00000000: // raw rectangle data - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } if (size_left < w * h * c->bpp2) { av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 
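Review bot: Hoisting the rectangle check above `switch (enc)` in the first vmnc hunk makes it apply to every encoding, not only the raw and HexTile cases that carried it before. The second hunk shows at least one other case ending in `bytestream2_skip(gb, 2); break;`, and if any such case uses `dx`/`dy`/`w`/`h` for something other than a rectangle inside the current frame (not visible here), valid streams would now be rejected with "Incorrect frame size". A comment on the check such as `/* outptr below is derived from dx/dy, so validate for all encodings */` would record the intent, and the non-rectangle cases should be confirmed against samples. decode_frame starts and ends outside these hunks.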
@@ -467,12 +467,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, c->pic->linesize[0]); break; case 0x00000005: // HexTile encoded rectangle - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } res = decode_hextile(c, outptr, gb, w, h, c->pic->linesize[0]); if (res < 0) return res; From 33cbc52d6447621c68ca9f0e873a11e732352505 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 May 2017 21:49:54 +0200 Subject: [PATCH 1186/1352] avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' Fixes: 1724/clusterfuzz-testcase-minimized-4842395432648704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 40fa6a2fa2c255293a780a194eecae5df52644a1) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 8298298f23..0694763fb0 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -679,7 +679,7 @@ static int decode_dc_progressive(MJpegDecodeContext *s, int16_t *block, int component, int dc_index, int16_t *quant_matrix, int Al) { - int val; + unsigned val; s->bdsp.clear_block(block); val = mjpeg_decode_dc(s, dc_index); if (val == 0xfffff) { From 4639ab5fe40cb661fef8cf9e8b87b0729ba2c70f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 May 2017 01:19:50 +0200 Subject: [PATCH 1187/1352] avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 Fixes: 1734/clusterfuzz-testcase-minimized-5385630815092736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 8fb00b3e858b7a5aeccfe6bdfc10290c2121c3ec) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 7f7b7ad28d..75a98947fc 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -116,10 +116,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b0_2 = b0_ptr[pitch+indx+1]; tmp1 = tmp0 + b0_1; - p0 = tmp0 << 4; - p1 = tmp1 << 3; - p2 = (tmp0 + tmp2) << 3; - p3 = (tmp1 + tmp2 + b0_2) << 2; + p0 = tmp0 * 16; + p1 = tmp1 * 8; + p2 = (tmp0 + tmp2) * 8; + p3 = (tmp1 + tmp2 + b0_2) * 4; } /* process the HL-band by applying HPF vertically and LPF horizontally */ @@ -132,10 +132,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp2 = tmp1 - tmp0*6 + b1_3; b1_3 = b1_1 - b1_2*6 + b1_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 3; - p1 += (tmp0 + tmp1 + b1_1 + b1_2) << 2; - p2 += tmp2 << 2; - p3 += (tmp2 + b1_3) << 1; + p0 += (tmp0 + tmp1) * 8; + p1 += (tmp0 + tmp1 + b1_1 + b1_2) * 4; + p2 += tmp2 * 4; + p3 += (tmp2 + b1_3) * 2; } /* process the LH-band by applying LPF vertically and HPF horizontally */ @@ -146,10 +146,10 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, tmp0 = b2_1 + b2_2; tmp1 = b2_1 - b2_2*6 + b2_3; - p0 += tmp0 << 3; - p1 += tmp1 << 2; - p2 += (tmp0 + b2_4 + b2_5) << 2; - p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) << 1; + p0 += tmp0 * 8; + p1 += tmp1 * 4; + p2 += (tmp0 + b2_4 + b2_5) * 4; + p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2; } /* process the HH-band by applying HPF both vertically and horizontally */ 
@@ -163,9 +163,9 @@ void ff_ivi_recompose53(const IVIPlaneDesc *plane, uint8_t *dst, b3_9 = b3_3 - b3_6*6 + b3_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 2; - p1 += (tmp0 - tmp1*6 + tmp2) << 1; - p2 += (b3_7 + b3_8) << 1; + p0 += (tmp0 + tmp1) * 4; + p1 += (tmp0 - tmp1*6 + tmp2) * 2; + p2 += (b3_7 + b3_8) * 2; p3 += b3_7 - b3_8*6 + b3_9; } From d06709ee9764821c80cf2cb5b65fc92cd923a18a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 May 2017 22:18:52 +0200 Subject: [PATCH 1188/1352] avcodec/jpeglsdec: Check get_bits_left() before decoding a picture Signed-off-by: Michael Niedermayer (cherry picked from commit 4bc3008d04451cd31818e21703ed7ed96b6ff074) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index bb8c264ae0..7d25953068 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -369,6 +369,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); } + if (get_bits_left(&s->gb) < s->height) { + ret = AVERROR_INVALIDDATA; + goto end; + } if (ilv == 0) { /* separate planes */ if (s->cur_scan > s->nb_components) { ret = AVERROR_INVALIDDATA; From ff4d07b8da3b42e943476cb33f325a2965613c6c Mon Sep 17 00:00:00 2001 From: Max Justicz Date: Wed, 24 May 2017 15:25:50 +0200 Subject: [PATCH 1189/1352] avcodec/sanm: Fix uninitialized reference frames Fixes: poc.snm Signed-off-by: Michael Niedermayer (cherry picked from commit ca616b0f72c65b0ef5f9e1e6125698b15f50a26e) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 2547abb840..17096587b4 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c 
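Review bot: The new guard in ff_jpegls_decode_picture, `get_bits_left(&s->gb) < s->height`, does not explain why the height is the right lower bound, and it fails silently. If the reasoning is that every row costs at least one bit, say so, e.g. `/* each row needs at least one bit; reject truncated input before decoding */`. An av_log() at error level would make the rejection visible like the other failure paths. The `end` label and the rest of the function are outside the hunk.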
@@ -462,11 +462,11 @@ static void destroy_buffers(SANMVideoContext *ctx) static av_cold int init_buffers(SANMVideoContext *ctx) { - av_fast_padded_malloc(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); if (!ctx->version) - av_fast_padded_malloc(&ctx->stored_frame, + av_fast_padded_mallocz(&ctx->stored_frame, &ctx->stored_frame_size, ctx->buf_size); if (!ctx->frm0 || !ctx->frm1 || !ctx->frm2 || From d09e4a9e8bd1df0e318faf1f5dba5ceb2047b5a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 May 2017 19:40:42 +0200 Subject: [PATCH 1190/1352] avcodec/jpeg2000dec: Check tile offsets Fixes: runtime error: signed integer overflow: 4096 - -2147483648 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89325417e7b33f4b08171d9d609c48662d96b2d3) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index c80d6f7f3b..245997a6d4 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -267,6 +267,14 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_PATCHWELCOME; } + if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || + s->image_offset_x < s->tile_offset_x || + s->image_offset_y < s->tile_offset_y) { + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", + s->ncomponents); + return AVERROR_INVALIDDATA; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { 
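Review bot: The av_log() call added in get_siz passes `s->ncomponents` as an argument, but the format string "Tile offsets are invalid\n" has no conversion for it. It is harmless at run time but triggers -Wformat-extra-args and looks like a leftover from the neighbouring message; the call should be `av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n");`. The check also runs before `s->ncomponents = ncomponents;`, so the value passed would have been stale in any case.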
From 6d825e9d5fbfdba196fe0a77a33fb29d38f83c59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 11:11:33 +0200 Subject: [PATCH 1191/1352] avcodec/jpeg2000dec: Fix copy and paste error Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit 5782e0ba8cc30bb08a806cdeda1adfb89a0556b4) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 245997a6d4..13f6bf302d 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -270,8 +270,7 @@ static int get_siz(Jpeg2000DecoderContext *s) if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || s->image_offset_x < s->tile_offset_x || s->image_offset_y < s->tile_offset_y) { - av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n", - s->ncomponents); + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); return AVERROR_INVALIDDATA; } From 61a1eab10e2f0102640f46f552a47a2def90b3a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2017 20:07:49 +0200 Subject: [PATCH 1192/1352] avcodec/smc: Check remaining input Fixes: Timeout Fixes: 1818/clusterfuzz-testcase-minimized-5039166473633792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 356194fcb17375de2472f4cbff6ede48d6a374b2) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 131300a595..304cb34a4e 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -132,6 +132,10 @@ static void smc_decode_stream(SmcContext *s) row_ptr, image_size); return; } + if (bytestream2_get_bytes_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "input too small\n"); + return; + } opcode = bytestream2_get_byte(&s->gb); switch (opcode & 0xF0) { 
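Review bot: The new truncation check in smc_decode_stream can only log and `return;`, because the function is declared `static void`, so the caller cannot tell a truncated packet from a fully decoded one. If the caller (not visible here) outputs the frame regardless, a short packet still yields a partially updated picture. Consider changing the function to return `int` and using `return AVERROR_INVALIDDATA;` here and in the existing early return just above. The rest of the function is outside the hunk.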
From 836a174f6b931ccb1d384ab6bd81a62f97d14d46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Apr 2017 13:49:09 +0200 Subject: [PATCH 1193/1352] avutil/internal: Do not enable CHECKED with DEBUG This avoids potential undefined behavior in debug mode while still allowing developers which want to check for potential additional overflows to do so by manually enabling this. Reviewed-by: wm4 Signed-off-by: Michael Niedermayer (cherry picked from commit a44b3abb4cf922e379fbac55452d0482a8223597) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavutil/internal.h b/libavutil/internal.h index 1a84bc80f6..ff61f2e70b 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,9 +30,8 @@ # define NDEBUG #endif -#if defined(DEBUG) && !defined(CHECKED) -# define CHECKED -#endif +// This can be enabled to allow detection of additional integer overflows with ubsan +//#define CHECKED #include #include From 46f664363cd0b84bec7000fcbdfd6ed96fe9266e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 May 2017 13:07:00 +0200 Subject: [PATCH 1194/1352] avcodec/ra144dec: Fix runtime error: left shift of negative value -17 Fixes: 1830/clusterfuzz-testcase-minimized-5828293733384192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53c0c637d36c1de9ea461a8d863e8703da090894) Signed-off-by: Michael Niedermayer --- libavcodec/ra144dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144dec.c b/libavcodec/ra144dec.c index 29c78229bb..6b4b56d01f 100644 --- a/libavcodec/ra144dec.c +++ b/libavcodec/ra144dec.c 
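Review bot: Leaving `//#define CHECKED` as commented-out code in libavutil/internal.h invites local edits to a shared header. The comment can state how the macro is meant to be enabled instead, e.g. `/* Define CHECKED (e.g. -DCHECKED in CFLAGS) to detect additional integer overflows with ubsan; it is deliberately not tied to DEBUG. */`. That also records the reason for decoupling it from DEBUG, which currently lives only in the commit message.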
@@ -113,7 +113,7 @@ static int ra144_decode_frame(AVCodecContext * avctx, void *data, do_output_subblock(ractx, block_coefs[i], refl_rms[i], &gb); for (j=0; j < BLOCKSIZE; j++) - *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] << 2); + *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2)); } ractx->old_energy = energy; From b1f93365e67418c72ae9c0807d9c54f975088789 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 May 2017 13:17:34 +0200 Subject: [PATCH 1195/1352] avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error Fixes: runtime error: index 12 out of bounds for type 'uint8_t [8]' Fixes: 1832/clusterfuzz-testcase-minimized-6574546079449088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ac8dfcbd89a818b786d05ebc1af70f7bf6aeb86e) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 618a30fb6d..9b5edd2101 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -735,8 +735,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); - s->num_primitive_matrices = 0; - return AVERROR_INVALIDDATA; + goto error; } for (mat = 0; mat < s->num_primitive_matrices; mat++) { @@ -749,12 +748,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Invalid channel %d specified as output from matrix.\n", s->matrix_out_ch[mat]); - return AVERROR_INVALIDDATA; + goto error; } if (frac_bits > 14) { av_log(m->avctx, AV_LOG_ERROR, "Too many fractional bits specified.\n"); - return AVERROR_INVALIDDATA; + goto error; } max_chan = s->max_matrix_channel; 
@@ -776,6 +775,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo } return 0; +error: + s->num_primitive_matrices = 0; + memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch)); + + return AVERROR_INVALIDDATA; } /** Read channel parameters. */ From 8f94a928c5ec051be401ed7ad3e05495b16f2dbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:03:46 +0200 Subject: [PATCH 1196/1352] avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 Fixes: 1839/clusterfuzz-testcase-minimized-6238490993885184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 357f2316a08478a4442e8051978c7b161e10281c) Signed-off-by: Michael Niedermayer --- libavcodec/ivi_dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 75a98947fc..6690770963 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -393,8 +393,8 @@ void ff_ivi_inverse_haar_4x4(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 2); - sp1 = src[0] << shift; - sp2 = src[4] << shift; + sp1 = src[0] * (1 << shift); + sp2 = src[4] * (1 << shift); INV_HAAR4( sp1, sp2, src[8], src[12], dst[0], dst[4], dst[8], dst[12], t0, t1, t2, t3, t4); From 8bffb947707fef98e32cee20673be7a48826d0f6 Mon Sep 17 00:00:00 2001 
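Review bot: The `error:` label added at the end of read_matrix_params resets `num_primitive_matrices` and `matrix_out_ch[]` without saying why, and the reason (stale out-of-range channel indices being used by a later block) is only in the commit message. A short comment would keep the reset from being removed as redundant, e.g. `/* leave no half-parsed matrix state behind: matrix_out_ch[] is used as an index later */`. Other per-matrix fields filled in by the loop are not cleared; that looks safe while the count is zero, but it should be confirmed against the code outside the hunk.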
From: Michael Niedermayer Date: Thu, 25 May 2017 03:21:50 +0200 Subject: [PATCH 1197/1352] avcodec/libfdk-aacdec: Correct buffer_size parameter the timeDataSize argument to aacDecoder_DecodeFrame() seems undocumented and until 2016 04 (203e3f28fbebec7011342017fafc2a0bda0ce530) unused. after that commit libfdk-aacdec interprets it as size in sample units and memsets that on error. FFmpeg as well as others (like GStreamer) did interpret it as size in bytes Fixes: 1442/clusterfuzz-testcase-minimized-4540199973421056 (This requires recent libfdk to reproduce) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca6776a993903dbcfef5ae8a18556c40ecf83e1c) Signed-off-by: Michael Niedermayer --- libavcodec/libfdk-aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libfdk-aacdec.c b/libavcodec/libfdk-aacdec.c index 624d57959c..a1903805ae 100644 --- a/libavcodec/libfdk-aacdec.c +++ b/libavcodec/libfdk-aacdec.c @@ -235,7 +235,7 @@ static int fdk_aac_decode_frame(AVCodecContext *avctx, void *data, return AVERROR(ENOMEM); } - err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) buf, buf_size, 0); + err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) buf, buf_size / sizeof(INT_PCM), 0); if (err == AAC_DEC_NOT_ENOUGH_BITS) { ret = avpkt->size - valid; goto end; From 29f40cc2ac04054b534db798be5e0cb42277fcbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 03:18:02 +0200 Subject: [PATCH 1198/1352] avcodec/wnv1: More strict buffer size check This requires at least 25% of a picture to allocate and decode it Fixes: Timeout Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f50c25124a015a539823077bb302ff0c7ce8963) 
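Review bot: The unit conversion `buf_size / sizeof(INT_PCM)` in fdk_aac_decode_frame has no comment, while the commit message says the parameter is undocumented and was read as a byte count by this and other callers. A one-line comment at the call would stop it being "simplified" back, e.g. `/* timeDataSize is counted in INT_PCM samples, not bytes; the library clears that many samples on error */`. It is also worth confirming that `buf_size` is always a multiple of `sizeof(INT_PCM)` where it is computed, which is outside the hunk.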
Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index cbf271afc6..4e5f3ba69a 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx, int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; - if (buf_size <= 8) { + if (buf_size < 8 + avctx->height * (avctx->width/2)/8) { av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size); return AVERROR_INVALIDDATA; } From 1e7874b0435dd9da87d329fada94a5d343c66638 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 13:52:13 +0200 Subject: [PATCH 1199/1352] avcodec/jpeg2000dec: Check tile offsets more completely Signed-off-by: Michael Niedermayer (cherry picked from commit 9c1812491f7be2730351969f4abd9b99d300d604) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 13f6bf302d..9e422cf675 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -269,7 +269,10 @@ static int get_siz(Jpeg2000DecoderContext *s) if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || s->image_offset_x < s->tile_offset_x || - s->image_offset_y < s->tile_offset_y) { + s->image_offset_y < s->tile_offset_y || + s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x || + s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y + ) { av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); return AVERROR_INVALIDDATA; } From 844cdd2a6ccd349d5996883504e3ff23cdcc1a51 Mon Sep 17 00:00:00 2001 
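Review bot: The new minimum in the wnv1 decode_frame hunk, `8 + avctx->height * (avctx->width/2)/8`, is an unexplained heuristic, and the log line still prints only the packet size. Carrying the commit's rationale into the code would help, e.g. `/* require about 25% of a picture's worth of input before allocating and decoding a frame */`, and the message could also print the required minimum. The product is computed in `int`; that is fine as long as the dimensions were validated when they were set, which is not visible here.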
From: Michael Niedermayer Date: Sun, 28 May 2017 14:00:30 +0200 Subject: [PATCH 1200/1352] avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' Fixes: 1870/clusterfuzz-testcase-minimized-4686788029317120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 781f88bb26534ececc76eaa972f02536ba2f0f55) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h index acdba62a07..eaa8f61c5c 100644 --- a/libavcodec/jpeg2000.h +++ b/libavcodec/jpeg2000.h @@ -211,7 +211,7 @@ static inline int ff_jpeg2000_ceildivpow2(int a, int b) static inline int ff_jpeg2000_ceildiv(int a, int b) { - return (a + b - 1) / b; + return (a + (int64_t)b - 1) / b; } /* TIER-1 routines */ From ea8984650c659ec387a2e154adab7d4d2cdc67db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 17:12:35 +0200 Subject: [PATCH 1201/1352] avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' Fixes: 1871/clusterfuzz-testcase-minimized-5719950331215872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b9c032ebc0ad17ac0ffefb915ff96baf9d79cab1) Signed-off-by: Michael Niedermayer --- libavcodec/snow.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/snow.h b/libavcodec/snow.h index d2fcc7c375..2a5d3a66dd 100644 --- a/libavcodec/snow.h +++ b/libavcodec/snow.h @@ -551,7 +551,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){ if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; 
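Review bot: The sibling helper `ff_jpeg2000_ceildivpow2(int a, int b)`, named in the jpeg2000.h hunk header, is likely to need the same widening, since a rounding add of the form `a + (1 << b) - 1` overflows for the same inputs. Its body is outside the hunk, so this is a request to check it rather than a confirmed defect. In the changed line the 64-bit quotient is narrowed back to `int` on return, which is safe for positive `b`, but `b == 0` still divides by zero and depends on callers validating it.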
From 7735b8e565f16ece7ad46a59a7bb35ad60998c13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2017 18:37:50 +0200 Subject: [PATCH 1202/1352] avcodec/webp: Fixes null pointer dereference Fixes: 1470/clusterfuzz-testcase-minimized-5404421666111488 Fixes: 1472/clusterfuzz-testcase-minimized-5677426430443520 Fixes: 1875/clusterfuzz-testcase-minimized-5536474562822144 Approved-by: BBB Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67020711b7d45afa073ef671f755765035a64373) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 29bef3db24..44be965229 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -1334,6 +1334,9 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (ret < 0) return ret; + if (!*got_frame) + return AVERROR_INVALIDDATA; + update_canvas_size(avctx, avctx->width, avctx->height); if (s->has_alpha) { From 6f7bedb819576f87cbbbf5b54466c0f905eed631 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:38:24 +0200 Subject: [PATCH 1203/1352] avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' Fixes: 1884/clusterfuzz-testcase-minimized-4637425835966464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4c472c52525fcab4c80cdbc98b4625d318c84fcb) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index cfe5aea7dc..0560b3795f 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c 
@@ -1701,7 +1701,7 @@ void ff_subblock_synthesis(RA144Context *ractx, const int16_t *lpc_coefs, if (cba_idx) { cba_idx += BLOCKSIZE/2 - 1; ff_copy_and_dup(ractx->buffer_a, ractx->adapt_cb, cba_idx); - m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * gval) >> 12; + m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12; } else { m[0] = 0; } From ede351d351ab05ebae110f30bd7b8b7ae43e8c02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:44:32 +0200 Subject: [PATCH 1204/1352] avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' Fixes: 1885/clusterfuzz-testcase-minimized-5336328549957632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c845450d2daa0d066045cf94ab51cb496f1b824) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 0560b3795f..85a4217fa8 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1573,7 +1573,7 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = ((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * b) >> 12; + bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) From 160bd70fd45e25eed5a3c309b5169d6710762d17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:54:02 +0200 Subject: [PATCH 1205/1352] avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
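Review bot: In ff_subblock_synthesis the product is now `unsigned`, so the following `>> 12` is a logical shift, whereas the ff_eval_refl change later on this page casts back to `int` before shifting. If the product can ever have its top bit set (a negative `gval` or a wrapped result), `m[0]` differs from what an arithmetic shift would give. For consistency and to keep the old semantics, consider `m[0] = (int)(ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12;`. The types of `gval` and `m[]` are declared outside the hunk.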
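Review bot: In ff_eval_refl only the outer multiplication by `b` was made unsigned; the inner `refl[i+1] * bp2[i-j]` and the subtraction from `bp2[j]` are still evaluated in `int`. `refl` is `int *` per the signature, so if `bp2[]` holds `int` values too (its declaration is outside the hunk), the inner product can overflow on the same kind of input. Treating it the same way would be `bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)) * (unsigned)b) >> 12;`.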
Signed-off-by: Michael Niedermayer (cherry picked from commit c9e884f3d98df85bf7f2cf30d71877b22929fdcb) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 18d7c1e685..dc3441559c 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -271,7 +271,7 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) for (i = 0; i < d; i++) { v = get_bits_long(&ctx->gb, mb); if (v & (1 << (mb - 1))) - ctx->deltas[stream_id][i] = v - (1 << mb); + ctx->deltas[stream_id][i] = v - (1U << mb); else ctx->deltas[stream_id][i] = v; } From d1eea5ac86fd3b7ed548a284bf51a0b53b9fb556 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 May 2017 21:54:02 +0200 Subject: [PATCH 1206/1352] avcodec/truemotion2: Fix passing null pointer to memset() Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c901627918ff7480c1bb6f9cae507ee2c7c933d8) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index dc3441559c..7c38ce1853 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -906,7 +906,8 @@ static int decode_frame(AVCodecContext *avctx, buf_size - offset); if (t < 0) { int j = tm2_stream_order[i]; - memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); + if (l->tok_lens[j]) + memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); return t; } offset += t; From 78bd801c742bd25db7131635bfa604e95047d00d Mon Sep 17 00:00:00 2001 
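Review bot: The condition directly above the changed line in tm2_read_deltas still uses a signed shift, `v & (1 << (mb - 1))`, and `1U << mb` is itself undefined when `mb` is 32. Whether `mb` can be 0 or reach 32 depends on how it is read, which is outside the hunk. An explicit range check where `mb` is parsed, plus `if (v & (1U << (mb - 1)))` here, would make both lines well defined for every accepted value.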
From: Michael Niedermayer Date: Mon, 29 May 2017 13:45:29 +0200 Subject: [PATCH 1207/1352] avcodec/jpeg2000dec: Use ff_set_dimensions() Fixes: OOM Fixes: 1890/clusterfuzz-testcase-minimized-6329019509243904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f3da6fbff864e05e8871dd04222143abdee9e77b) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 9e422cf675..aeec6fe4ef 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -231,6 +231,7 @@ static int get_siz(Jpeg2000DecoderContext *s) uint32_t log2_chroma_wh = 0; const enum AVPixelFormat *possible_fmts = NULL; int possible_fmts_nb = 0; + int ret; if (bytestream2_get_bytes_left(&s->g) < 36) return AVERROR_INVALIDDATA; @@ -326,10 +327,13 @@ static int get_siz(Jpeg2000DecoderContext *s) } /* compute image size with reduction factor */ - s->avctx->width = ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, - s->reduction_factor); - s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, - s->reduction_factor); + ret = ff_set_dimensions(s->avctx, + ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, + s->reduction_factor), + ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, + s->reduction_factor)); + if (ret < 0) + return ret; if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K || s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) { From cc1fd61f6875ffcd7df4a7a7815a2fdf6e63b9cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 May 2017 14:07:33 +0200 Subject: [PATCH 1208/1352] avcodec/ansi: Fix frame memleak Fixes: 1892/clusterfuzz-testcase-minimized-4519341733183488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit e091b9b3c7859030f2896ca2ae96faa3afc694a1) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index 93e431e487..1016082e4a 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -80,10 +80,6 @@ static av_cold int decode_init(AVCodecContext *avctx) AnsiContext *s = avctx->priv_data; avctx->pix_fmt = AV_PIX_FMT_PAL8; - s->frame = av_frame_alloc(); - if (!s->frame) - return AVERROR(ENOMEM); - /* defaults */ s->font = avpriv_vga16_font; s->font_height = 16; @@ -98,6 +94,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); return AVERROR(EINVAL); } + + s->frame = av_frame_alloc(); + if (!s->frame) + return AVERROR(ENOMEM); + return 0; } From 2ba5c6e330e11d55a0633191d51faafd9b20f545 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 03:09:11 +0200 Subject: [PATCH 1209/1352] avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' Fixes: 1894/clusterfuzz-testcase-minimized-4716739789062144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d90c5bf10559554d6f9cd1dfb90767b991b76d5d) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 38b5150053..a5eae7e8ea 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
@@ -548,7 +548,7 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10); else - S = T + ((s->decorr[i].weightA * A + 512) >> 10); + S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); if (A && T) s->decorr[i].weightA -= ((((T ^ A) >> 30) & 2) - 1) * s->decorr[i].delta; s->decorr[i].samplesA[j] = T = S; From 249168eda80b6db421b18053dbbcefae46c9f1f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 03:13:21 +0200 Subject: [PATCH 1210/1352] avcodec/wavpack: Check float_shift Fixes: runtime error: shift exponent 40 is too large for 32-bit type 'unsigned int' Fixes: 1898/clusterfuzz-testcase-minimized-5970744880136192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4020b009d1e88ff10abd25fb768165afa546851d) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index a5eae7e8ea..572b33d232 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -870,6 +870,12 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->float_flag = bytestream2_get_byte(&gb); s->float_shift = bytestream2_get_byte(&gb); s->float_max_exp = bytestream2_get_byte(&gb); + if (s->float_shift > 31) { + av_log(avctx, AV_LOG_ERROR, + "Invalid FLOATINFO, shift = %d (> 31)\n", s->float_shift); + s->float_shift = 0; + continue; + } got_float = 1; bytestream2_skip(&gb, 1); break; From 758cd1b4341f0e29724e3453b1c616abc017920c Mon Sep 17 00:00:00 2001 
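Review bot: In the FLOATINFO case of wavpack_decode_block the new error path leaves through `continue` after three bytes of the chunk have been read, so it bypasses the `bytestream2_skip(&gb, 1)` that the normal path executes. Unless the enclosing loop, which is outside the hunk, repositions the reader for every chunk, the next iteration starts one byte early and treats leftover payload as a chunk header. Either consume the byte before continuing, `bytestream2_skip(&gb, 1); continue;`, or reject the block outright with `return AVERROR_INVALIDDATA;`.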
From: Michael Niedermayer Date: Tue, 30 May 2017 04:03:09 +0200 Subject: [PATCH 1211/1352] avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' Fixes: 1902/clusterfuzz-testcase-minimized-4762451407011840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87bddba43b725d43767f2a387cdea0936ac1b549) Signed-off-by: Michael Niedermayer --- libavcodec/acelp_pitch_delay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/acelp_pitch_delay.c b/libavcodec/acelp_pitch_delay.c index 3ecec01cbe..02a60e4ade 100644 --- a/libavcodec/acelp_pitch_delay.c +++ b/libavcodec/acelp_pitch_delay.c @@ -135,7 +135,7 @@ float ff_amr_set_fixed_gain(float fixed_gain_factor, float fixed_mean_energy, exp2f(M_LOG2_10 * 0.05 * (avpriv_scalarproduct_float_c(pred_table, prediction_error, 4) + energy_mean)) / - sqrtf(fixed_mean_energy); + sqrtf(fixed_mean_energy ? fixed_mean_energy : 1.0); // update quantified prediction error energy history memmove(&prediction_error[0], &prediction_error[1], From a34d0a23923db7b61776635350d43543ca678ca3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 May 2017 21:29:20 +0200 Subject: [PATCH 1212/1352] avformat/avidec: Limit formats in gab2 to srt and ass/ssa This prevents part of one exploit leading to an information leak Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit a5d849b149ca67ced2d271dc84db0bc95a548abb) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 98d0267eea..08f6f67a50 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c 
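Review bot: The new ternary in ff_amr_set_fixed_gain replaces the divisor only when fixed_mean_energy is exactly zero, so a negative, NaN or very small positive value still reaches sqrtf() and can give the same out-of-range gain. `sqrtf(fixed_mean_energy > 0.0f ? fixed_mean_energy : 1.0f)` at least covers the negative and NaN cases; a lower bound for tiny values needs a threshold chosen by the codec authors, and the expected input range should be stated in a comment. The `1.0` literal also promotes the expression to double before sqrtf narrows it again, which `1.0f` avoids. The function body extends outside the hunk.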
@@ -1052,6 +1052,9 @@ static int read_gab2_sub(AVStream *st, AVPacket *pkt) if (!sub_demuxer) goto error; + if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")) + goto error; + if (!(ast->sub_ctx = avformat_alloc_context())) goto error; From c441a8bad509a447f3767fb8899d902d8eb0b3cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 13:21:58 +0200 Subject: [PATCH 1213/1352] avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' Fixes: 1903/clusterfuzz-testcase-minimized-5359318167715840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58f8cd4ac576028ef492a005bd06b1f22c3a6879) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index f6b2ed45bf..74b04c637e 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -616,7 +616,7 @@ static inline int decode_residual_inter(AVSContext *h) /* get quantizer */ if (h->cbp && !h->qp_fixed) - h->qp = (h->qp + get_se_golomb(&h->gb)) & 63; + h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63; for (block = 0; block < 4; block++) if (h->cbp & (1 << block)) decode_residual_block(h, &h->gb, inter_dec, 0, h->qp, From c97a986e4f6988b76fa71a80dc3cddd550d3cfd4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 13:39:45 +0200 Subject: [PATCH 1214/1352] avcodec/pnm: Use ff_set_dimensions() Fixes: OOM Fixes: 1906/clusterfuzz-testcase-minimized-4599315114754048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1c0d1d906d27d3f9e1b058bb065f897f90c1c7c) Signed-off-by: Michael Niedermayer --- libavcodec/pnm.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
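Review bot: The allow-list added to read_gab2_sub fails silently and has no comment explaining why only these two demuxers are accepted. Because this is a security restriction, it should carry its rationale, for example `/* restrict embedded GAB2 subtitles to srt and ass/ssa; other demuxers were part of an information-leak exploit */`, and log a warning before `goto error` so that rejected files can be diagnosed. The start of the function and its error label are outside the hunk.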
diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index 502e550097..314e7d7704 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -24,6 +24,7 @@ #include "libavutil/imgutils.h" #include "avcodec.h" +#include "internal.h" #include "pnm.h" static inline int pnm_space(int c) @@ -61,6 +62,7 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) { char buf1[32], tuple_type[32]; int h, w, depth, maxval; + int ret; pnm_get(s, buf1, sizeof(buf1)); if(buf1[0] != 'P') @@ -110,8 +112,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; s->maxval = maxval; if (depth == 1) { if (maxval == 1) { @@ -150,8 +153,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) if(w <= 0 || h <= 0 || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) { pnm_get(s, buf1, sizeof(buf1)); From 78f780ebedd81cbc50ab1ea6a82dce97d2bf3d05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 15:52:56 +0200 Subject: [PATCH 1215/1352] avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' Fixes: 1908/clusterfuzz-testcase-minimized-5392712477966336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 08cb69e870c1b2fdc3574780a3662b92bfd6ef79) 
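Review bot: Both ff_pnm_decode_header hunks call ff_set_dimensions() right after an `if` that has already run `av_image_check_size(w, h, 0, avctx)`, so the size is validated twice on the success path. As far as I know ff_set_dimensions() performs that check itself, so the explicit call can be dropped from the two conditions and `ret` can carry the error code. If the duplicate is kept deliberately to preserve the AVERROR_INVALIDDATA return value, a short comment saying so would help. The function extends beyond both hunks.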
Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 85a4217fa8..da1af66dab 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1512,7 +1512,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, v[0] = 0; for (i=!skip_first; i<3; i++) - v[i] = (ff_gain_val_tab[n][i] * m[i]) >> ff_gain_exp_tab[n]; + v[i] = (ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n]; if (v[0]) { for (i=0; i < BLOCKSIZE; i++) From 81b798e24dcb975bf2a1af9c5be096bcd986f569 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:02:07 +0200 Subject: [PATCH 1216/1352] avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' Fixes: 1909/clusterfuzz-testcase-minimized-6732072662073344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6726328f7940a76c43b4d97ac37ababf363d042f) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 5f5bad224f..e11df99897 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -683,7 +683,7 @@ static int scaling_list_data(HEVCContext *s, ScalingList *sl, HEVCSPS *sps) ff_hevc_diag_scan8x8_x[i]; scaling_list_delta_coef = get_se_golomb(gb); - next_coef = (next_coef + scaling_list_delta_coef + 256) % 256; + next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256; sl->sl[size_id][matrix_id][pos] = next_coef; } } From 57778a005817fce0d013cde2192b67874be08c05 Mon Sep 17 00:00:00 2001 
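Review bot: In add_wav the product is now unsigned and is shifted while still unsigned, so `>> ff_gain_exp_tab[n]` becomes a logical shift instead of an arithmetic one. That matches the previous result only when the product is non-negative; m is declared `int *` and its value range is not visible in the hunk. If negative values are possible, cast back before shifting, `v[i] = (int)(ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n];`; if they are not, a comment stating that m[i] >= 0 would document why the plain cast is safe.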
From: Michael Niedermayer Date: Wed, 31 May 2017 22:18:23 +0200 Subject: [PATCH 1217/1352] avcodec/cinepak: Check input packet size before frame reallocation Reduces time spend decoding 1917/clusterfuzz-testcase-minimized-5023221273329664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e47057e932ff9a071d52fa1d5d4a956340eb2475) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 4a9d0b44c5..bac8bbfa0e 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -322,9 +322,6 @@ static int cinepak_decode (CinepakContext *s) int y0 = 0; int encoded_buf_size; - if (s->size < 10) - return AVERROR_INVALIDDATA; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -439,6 +436,9 @@ static int cinepak_decode_frame(AVCodecContext *avctx, s->data = buf; s->size = buf_size; + if (s->size < 10) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From 6933b322d89ad81fc9ed091d4ea4327ac0186078 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 May 2017 22:53:02 +0200 Subject: [PATCH 1218/1352] avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' Fixes: 1922/clusterfuzz-testcase-minimized-5561194112876544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a47273c803edfbc43793349b74429ae29b05c003) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 572b33d232..1b537d8b7a 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
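Review bot: After the first hunk cinepak_decode() reads s->data[0], s->data[1] and s->data[8] with no length check of its own, so its safety now depends on the `s->size < 10` test that the second hunk adds to cinepak_decode_frame. That coupling between the two functions should be written down where the reads happen, for example `/* caller guarantees s->size >= 10 */` above the `frame_flags = s->data[0];` line. Without it, a future second caller of cinepak_decode() has nothing telling it the precondition exists.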
@@ -239,7 +239,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, if (get_bits_left(gb) <= 0) goto error; if (get_bits1(gb)) { - add -= (mid - base); + add -= (mid - (unsigned)base); base = mid; } else add = mid - base - 1; From 6e67a3e22c5be4f0d40a9ff806b8c0db5f78b2cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jun 2017 18:48:37 +0200 Subject: [PATCH 1219/1352] avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 1967/clusterfuzz-testcase-minimized-5757031199801344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b3e580b7f436206e84dac89415e057fa9abdab8) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 1b537d8b7a..98102f5661 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -184,7 +184,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, goto error; t += t2; } else { - if (get_bits_left(gb) < t2 - 1) + if (t2 >= 32 || get_bits_left(gb) < t2 - 1) goto error; t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } From 257e6e3ecaf13cfbdd864eaec07b1f72465c9d60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 13:02:51 +0200 Subject: [PATCH 1220/1352] avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 136ce8baa4fc16cf38690cb457f7356c00e00a28) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index b4beee6dd7..57eec3d5b5 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -69,7 +69,7 @@ static void scale_coefs ( int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; - shift = 4 - ((dynrng << 23) >> 28); + shift = 4 - (sign_extend(dynrng, 9) >> 5); if (shift > 0 ) { round = 1 << (shift-1); for (i=0; i Date: Sun, 4 Jun 2017 13:38:02 +0200 Subject: [PATCH 1221/1352] avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit faa5a2181df53b5226f998a20b735798addcd365) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index a27afed56d..ba041c761f 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -267,12 +267,20 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, uint8_t code, *dst, *end; int i, frame, ret; - if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) - return ret; + if (pkt->size < 2) + return AVERROR_INVALIDDATA; bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); + if ((code & 0xF) > 4) { + avpriv_request_sample(avctx, "unknown/invalid code"); + return AVERROR_INVALIDDATA; + } + + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) + return ret; + if (code & 0x20) { // frame is keyframe for (i = 0; i < 4; i++) memset(c->frame[i], 0, c->frame_size); 
@@ -367,8 +375,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, } break; default: - avpriv_request_sample(avctx, "unknown/invalid code"); - return AVERROR_INVALIDDATA; + av_assert0(0); } av_image_copy_plane(c->pic->data[0], c->pic->linesize[0], From c299d7060e9929e013d5a5b29498a72abfb062a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 17:06:27 +0200 Subject: [PATCH 1222/1352] avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' Fixes: 2010/clusterfuzz-testcase-minimized-6209288450080768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29808fff339da3e0f26131f7a6209b853947a54b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index e11df99897..bc29f358a2 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -133,6 +133,12 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, } } + if (k >= FF_ARRAY_ELEMS(rps->used)) { + av_log(s->avctx, AV_LOG_ERROR, + "Invalid num_delta_pocs: %d\n", k); + return AVERROR_INVALIDDATA; + } + rps->num_delta_pocs = k; rps->num_negative_pics = k0; // sort in increasing order (smallest first) From 7e6b64a7d9a2dd64e652b3e42a741b673cda3a26 Mon Sep 17 00:00:00 2001 
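Review bot: Replacing the `default:` error return with `av_assert0(0)` makes the switch depend on the `(code & 0xF) > 4` pre-check listing exactly the values that have a case. Any value that passes the pre-check but is not handled then aborts the process on input data instead of returning an error. Keeping `return AVERROR_INVALIDDATA;` in the default branch costs nothing and fails safely; the sample request can stay with the early check. The switch cases are outside the hunk, so whether every value from 0 to 4 has one cannot be confirmed here.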
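Review bot: The new bound on k in ff_hevc_decode_short_term_rps sits after the loop that fills the rps arrays, so it validates the count only once the entries have been stored. The loop is above the hunk; if it can run more often than FF_ARRAY_ELEMS(rps->used), the out-of-bounds store happens before this test is reached. If the loop bound is what keeps the stores in range, add a comment above the check that states that invariant; otherwise move the test inside the loop, ahead of the store.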
From: Michael Niedermayer Date: Sat, 3 Jun 2017 21:20:04 +0200 Subject: [PATCH 1223/1352] avformat/hls: Check local file extensions This reduces the attack surface of local file-system information leaking. It prevents the existing exploit leading to an information leak. As well as similar hypothetical attacks. Leaks of information from files and symlinks ending in common multimedia extensions are still possible. But files with sensitive information like private keys and passwords generally do not use common multimedia filename extensions. It does not stop leaks via remote addresses in the LAN. The existing exploit depends on a specific decoder as well. It does appear though that the exploit should be possible with any decoder. The problem is that as long as sensitive information gets into the decoder, the output of the decoder becomes sensitive as well. The only obvious solution is to prevent access to sensitive information. Or to disable hls or possibly some of its feature. More complex solutions like checking the path to limit access to only subdirectories of the hls path may work as an alternative. But such solutions are fragile and tricky to implement portably and would not stop every possible attack nor would they work with all valid hls files. Developers have expressed their dislike / objected to disabling hls by default as well as disabling hls with local files. There also where objections against restricting remote url file extensions. This here is a less robust but also lower inconvenience solution. It can be applied stand alone or together with other solutions. limiting the check to local files was suggested by nevcairiel This recommits the security fix without the author name joke which was originally requested by Nicolas. Found-by: Emil Lerner and Pavel Cheremushkin Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021) 
Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 38 ++++++++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 6c6a0029df..17e1079b05 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -164,6 +164,7 @@ struct variant { }; typedef struct HLSContext { + AVClass *class; int n_variants; struct variant **variants; int n_playlists; @@ -179,6 +180,7 @@ typedef struct HLSContext { char *user_agent; ///< holds HTTP user agent set as an AVOption to the HTTP protocol context char *cookies; ///< holds HTTP cookie values set in either the initial response or as an AVOption to the HTTP protocol context char *headers; ///< holds HTTP headers set as an AVOption to the HTTP protocol context + char *allowed_extensions; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -901,13 +903,23 @@ static void intercept_id3(struct playlist *pls, uint8_t *buf, } -static int check_url(const char *url) { +static int check_url(HLSContext *c, const char *url) { const char *proto_name = avio_find_protocol_name(url); if (!proto_name) return AVERROR_INVALIDDATA; - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) + if (av_strstart(proto_name, "file", NULL)) { + if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) { + av_log(c, AV_LOG_ERROR, + "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n" + "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n", + url); + return AVERROR_INVALIDDATA; + } + } else if (av_strstart(proto_name, "http", NULL)) { + ; + } else return AVERROR_INVALIDDATA; if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') 
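Review bot: In check_url the new `strcmp(c->allowed_extensions, "ALL")` dereferences the option string without a NULL check. The default from the options table is non-NULL, but as far as I can tell a string AVOption can become NULL if a caller sets it that way or the default's allocation fails, so NULL should be treated as deny: `if (!c->allowed_extensions || (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions))) {`. The branch is also selected with av_strstart(), which is a prefix match on the protocol name; a comment saying that this is intended would help. check_url continues past the hunk.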
@@ -945,7 +957,7 @@ static int open_input(HLSContext *c, struct playlist *pls) seg->url, seg->url_offset, pls->index); if (seg->key_type == KEY_NONE) { - ret = check_url(seg->url); + ret = check_url(c, seg->url); if (ret < 0) goto cleanup; @@ -956,7 +968,7 @@ static int open_input(HLSContext *c, struct playlist *pls) char iv[33], key[33], url[MAX_URL_SIZE]; if (strcmp(seg->key, pls->key_url)) { URLContext *uc; - ret = check_url(seg->key); + ret = check_url(c, seg->key); if (ret < 0) goto cleanup; @@ -1728,6 +1740,23 @@ static int hls_probe(AVProbeData *p) return 0; } +#define OFFSET(x) offsetof(HLSContext, x) +#define FLAGS AV_OPT_FLAG_DECODING_PARAM +static const AVOption hls_options[] = { + {"allowed_extensions", "List of file extensions that hls is allowed to access", + OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, + {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + INT_MIN, INT_MAX, FLAGS}, + {NULL} +}; + +static const AVClass hls_class = { + .class_name = "hls,applehttp", + .item_name = av_default_item_name, + .option = hls_options, + .version = LIBAVUTIL_VERSION_INT, +}; + AVInputFormat ff_hls_demuxer = { .name = "hls,applehttp", .long_name = NULL_IF_CONFIG_SMALL("Apple HTTP Live Streaming"), @@ -1737,4 +1766,5 @@ AVInputFormat ff_hls_demuxer = { .read_packet = hls_read_packet, .read_close = hls_close, .read_seek = hls_read_seek, + .priv_class = &hls_class, }; From 0d0418adb59261b41e2f850ef2adcc3507931c21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Jun 2017 19:33:56 +0200 Subject: [PATCH 1224/1352] avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' Fixes: 2067/clusterfuzz-testcase-minimized-5578430902960128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6ee86d9254e8fd2158cc9a31d3be96b0809411) 
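Review bot: The help text of the new `allowed_extensions` option does not say that the list is enforced only for the file protocol, or that the literal value ALL disables the check; both facts are visible only in check_url. Suggested wording: `"Comma-separated extensions hls may open via the file protocol; ALL disables the check"`. The INT_MIN/INT_MAX bounds appear to have no meaning for an AV_OPT_TYPE_STRING entry and could be `0, 0` so they do not suggest a range.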
Signed-off-by: Michael Niedermayer --- libavcodec/cavs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index dc81b18367..4934e3ae0d 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -538,8 +538,7 @@ void ff_cavs_inter(AVSContext *h, enum cavs_mb mb_type) static inline void scale_mv(AVSContext *h, int *d_x, int *d_y, cavs_vector *src, int distp) { - int den = h->scale_den[FFMAX(src->ref, 0)]; - + int64_t den = h->scale_den[FFMAX(src->ref, 0)]; *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9; *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9; } From 645c3b900959e8134af82885f644cab8aeaf2f09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Jun 2017 20:39:21 +0200 Subject: [PATCH 1225/1352] avcodec/tiff: Avoid loosing allocated geotag values Fixes memleak Fixes: 2076/clusterfuzz-testcase-minimized-6542640243802112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7cbeab4c1381f95ed0ebf85d7950bee96f66164) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 37d8bcba1b..f1575afe73 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1123,6 +1123,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) bytestream2_seek(&s->gb, pos + s->geotags[i].offset, SEEK_SET); if (bytestream2_get_bytes_left(&s->gb) < s->geotags[i].count) return AVERROR_INVALIDDATA; + if (s->geotags[i].val) + return AVERROR_INVALIDDATA; ap = av_malloc(s->geotags[i].count); if (!ap) { av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n"); From cd6cce23308f07c4e151e86ab2f9f44a3a7d43c6 Mon Sep 17 00:00:00 2001 
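Review bot: Widening only `den` in scale_mv leaves `src->x * distp` and `src->y * distp` evaluated in int first, because `*` associates left to right and the int64_t operand joins last. The types and ranges of src->x and distp are not visible in the hunk; if that partial product can exceed the int range, the overflow is still present. Putting the wide operand first makes the whole product 64-bit: `*d_x = (den * src->x * distp + 256 + FF_SIGNBIT(src->x)) >> 9;`, and likewise for d_y. The result is still narrowed to int on the store, which deserves a comment if the range is known to fit.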
From: Michael Niedermayer Date: Mon, 5 Jun 2017 22:23:15 +0200 Subject: [PATCH 1226/1352] avcodec/mjpegdec: Check that reference frame matches the current frame Fixes: out of array read Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4705edbbb96e193f51c72248f508ae5693702a48) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 0694763fb0..2b8f074f5b 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1400,6 +1400,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask, return -1; } + if (reference) { + if (reference->width != s->picture_ptr->width || + reference->height != s->picture_ptr->height || + reference->format != s->picture_ptr->format) { + av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n"); + return AVERROR_INVALIDDATA; + } + } + av_assert0(s->picture_ptr->data[0]); /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); From 31dd76349accce5b49f8d28c84b93fb2c6471fc2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:01:16 +0200 Subject: [PATCH 1227/1352] avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' Fixes: 2079/clusterfuzz-testcase-minimized-5345861779324928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e4efd41b83e78c7f2ee3e74bee90226110743a8e) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 260032561e..b01f55ca65 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c 
@@ -855,7 +855,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] *= 1 << s->sample_shift[chan]; + decoded[i] *= 1U << s->sample_shift[chan]; } } @@ -897,7 +897,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] *= 1 << 8; + samples[i] *= 1U << 8; } break; } From 1afe127401692b12f5c78d15725b848e719dac64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Jun 2017 16:21:37 +0200 Subject: [PATCH 1228/1352] avcodec/pafvideo: Fix assertion failure Fixes: 2100/clusterfuzz-testcase-minimized-4522961547558912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4360559ee2a6c8c624f24fc7e2a1cf00972ba68) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index ba041c761f..9aedbc0ebe 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -273,7 +273,7 @@ static int paf_video_decode(AVCodecContext *avctx, void *data, bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); - if ((code & 0xF) > 4) { + if ((code & 0xF) > 4 || (code & 0xF) == 3) { avpriv_request_sample(avctx, "unknown/invalid code"); return AVERROR_INVALIDDATA; } From 9d38f5cc2b473f02642a4c21429e88e4023932d6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 8 Jun 2017 13:44:32 +0200 Subject: [PATCH 1229/1352] avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' Fixes: 2113/clusterfuzz-testcase-minimized-6510704959946752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e3ab1a5c12fe3a88f44b734d3f2e25f4769ec47) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 57eec3d5b5..113af66e57 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -65,7 +65,7 @@ static void scale_coefs ( int len) { int i, shift, round; - int16_t mul; + unsigned mul; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; From 07c9709a33e6ca28a9f4a28c7bfc25ec869778bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2017 19:43:25 +0200 Subject: [PATCH 1230/1352] avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' Fixes: 2174/clusterfuzz-testcase-minimized-5739234533048320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90e8317b3b33dcb54ae01e419d85cbbfbd874963) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index edacfcadd4..67465a5bc9 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c 
@@ -275,10 +275,14 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else if ((line_packets & 0xC000) == 0x4000) { av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); @@ -327,6 +331,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, case FLI_LC: /* line compressed */ starting_line = bytestream2_get_le16(&g2); + if (starting_line >= s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr = 0; y_ptr += starting_line * s->frame->linesize[0]; @@ -561,9 +567,13 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else { compressed_lines--; From 32cd8e5a072258a9fae0caa29927275db03febfa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 00:45:20 +0200 Subject: [PATCH 1231/1352] avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' Fixes: 2175/clusterfuzz-testcase-minimized-5809657849315328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 71da0a5c9750e9fd0c9609470f610d32952923eb) 
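Review bot: The new line-skip guards in flic_decode_frame_8BPP and flic_decode_frame_15_16BPP only bound `line_packets` from above, so a value that is still negative after `line_packets = -line_packets` passes the test and moves `y_ptr` backwards. That can happen in the 15/16BPP path if `line_packets` is a 16-bit signed variable holding -32768 (its declaration is outside the hunk, so this needs confirming), and the added `y_ptr > pixel_limit` test does not reject a negative offset either. I would write the guard as `if (line_packets < 0 || line_packets > s->avctx->height)` in both functions. The FLI_LC hunk rejects `starting_line >= s->avctx->height` while the skip checks use `>`, so a comment saying why a skip of exactly `height` lines is acceptable would help. All of these function bodies continue outside the hunks.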
Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index da1af66dab..67f0e84469 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1601,7 +1601,7 @@ void ff_eval_coefs(int *coefs, const int *refl) b1[i] = refl[i] * 16; for (j=0; j < i; j++) - b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; + b1[j] = ((int)(refl[i] * (unsigned)b2[i-j-1]) >> 12) + b2[j]; FFSWAP(int *, b1, b2); } From bae346d1c1ea9711d191953135598c96fed6ae67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jun 2017 01:05:26 +0200 Subject: [PATCH 1232/1352] avcodec/tiff: Fix leak of geotags[].val Fixes: 2176/clusterfuzz-testcase-minimized-5908197216878592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 22a25ab3896cbb8dceebdba4d439e8b2b398ff0e) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index f1575afe73..aaeb143f86 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1097,6 +1097,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (s->geotags[i].count == 0 || s->geotags[i].offset + s->geotags[i].count > count) { av_log(s->avctx, AV_LOG_WARNING, "Invalid GeoTIFF key %d\n", s->geotags[i].key); + } else if (s->geotags[i].val) { + av_log(s->avctx, AV_LOG_WARNING, "Duplicate GeoTIFF key %d\n", s->geotags[i].key); } else { char *ap = doubles2str(&dp[s->geotags[i].offset], s->geotags[i].count, ", "); if (!ap) { From 27c729a21f4255c86f6d28c5c7e67938ba35f656 Mon Sep 17 00:00:00 2001 
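Review bot: In ff_eval_coefs the cast makes the multiply wrap instead of overflowing, but the trailing `+ b2[j]` on the same line is still a signed addition on values produced by the same recurrence, so it may overflow for similar corrupt input (inferred; the range of `b2[]` is not visible here). Doing the add in unsigned as well, `b1[j] = (int)(((int)(refl[i] * (unsigned)b2[i-j-1]) >> 12) + (unsigned)b2[j]);`, would close that case. A comment such as `/* unsigned arithmetic: wraps on corrupt input instead of overflowing */` would record why the casts are there. The function body continues outside the hunk.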
From: Michael Niedermayer Date: Sun, 11 Jun 2017 14:34:54 +0200 Subject: [PATCH 1233/1352] avcodec/snowdec: Fix runtime error: left shift of negative value -1 Fixes: 2197/clusterfuzz-testcase-minimized-6010716676947968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2e44126363bc9e23093ceced5d7bde1ee4bbb338) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index c5ea897aa6..129c4a2f13 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -553,7 +553,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for(; yqsb, yq); for(x=0; x Date: Sun, 11 Jun 2017 20:19:59 +0200 Subject: [PATCH 1234/1352] avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' Fixes: 2181/clusterfuzz-testcase-minimized-6314784322486272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c996374d4d86e0efbef71812448b4c65656bc667) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index 6cb49a1b3e..db482115ab 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -94,7 +94,7 @@ typedef struct Decorr { typedef struct WvChannel { int median[3]; int slow_level, error_limit; - int bitrate_acc, bitrate_delta; + unsigned bitrate_acc, bitrate_delta; } WvChannel; // macros for manipulating median values From 6145b27b71148d532bab1420dd88cada9e98c763 Mon Sep 17 00:00:00 2001 
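Review bot: Switching `bitrate_acc` and `bitrate_delta` to `unsigned` in WvChannel changes every expression that reads these fields, not only the addition that overflowed. Any right shift or ordered comparison on them in the decoder (not shown in this patch) now operates on an unsigned value, so an accumulator that used to go negative would become a large positive number. Those uses are worth checking, and the struct would benefit from a field comment along the lines of `/* unsigned so that accumulation wraps instead of overflowing */`.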
From: Michael Niedermayer Date: Wed, 14 Jun 2017 23:49:23 +0200 Subject: [PATCH 1235/1352] avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case Fixes: runtime error: signed integer overflow: 131072 + 2147352576 cannot be represented in type 'int' Fixes: 2192/clusterfuzz-testcase-minimized-5370387988742144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a87be404ab7e3f47e67e79160dcc9623e36835b) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 40 +++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index c2844d7764..880d2b2b78 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -281,26 +281,26 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][0]) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][0] + 1) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[0][0] = ((int64_t) sprite_ref[0][0] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[0][1] = ((int64_t) sprite_ref[0][1] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[1][0] = (((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[1][1] = (((int64_t)-r * 
sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); From e33febfb86b892d2e1e1aa62e26c3719e0d7553b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Jun 2017 23:55:17 +0200 Subject: [PATCH 1236/1352] avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. Fixes: runtime error: signed integer overflow: -268386304 * 16 cannot be represented in type 'int' Fixes: 2204/clusterfuzz-testcase-minimized-5616756909408256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12245ab1f677074b8ff83e87f76a41aba692ccd6) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 880d2b2b78..78a39d44f0 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
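Review bot: In the `case 2:` block the widening is only partial: in `2 * w2 * r * (int64_t) sprite_ref[0][0]` and its `sprite_ref[0][1]` twin, the product `2 * w2 * r` is still evaluated in `int` before the cast takes effect, because `*` associates left to right. Writing the term as `(int64_t)2 * w2 * r * sprite_ref[0][0]` keeps all of it in 64 bits. The first terms rely on operator precedence in `(1 << alpha + rho)` while the rounding terms write `(1 << (alpha + rho - 1))`, so `(1 << (alpha + rho))` would read consistently. If `sprite_offset` is a 32-bit array (its declaration is outside the hunk), the 64-bit result is narrowed on assignment and should be range-checked before the store.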
@@ -358,14 +358,16 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; - if (shift_c < 0 || shift_y < 0 || - FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y || - FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c || - FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y || - FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c - ) { - avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); - goto overflow; + for (i = 0; i < 2; i++) { + if (shift_c < 0 || shift_y < 0 || + FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || + FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y || + FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); + goto overflow; + } } for (i = 0; i < 2; i++) { From 947961a6dc989d5532753cf187b3b7830acf3e5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:26:01 +0200 Subject: [PATCH 1237/1352] avcodec/hevc_refs: Check nb_refs in add_candidate_ref() Fixes: runtime error: index 16 out of bounds for type 'int [16]' Fixes: 2209/clusterfuzz-testcase-minimized-5012343912136704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1cb4ef526dd1e5f547d0354efb0831d07e967919) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index dc35d3591a..b99d20faed 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -419,7 +419,7 @@ static int add_candidate_ref(HEVCContext *s, RefPicList *list, { HEVCFrame *ref = find_ref_idx(s, poc); - if (ref == s->ref) + if (ref == s->ref || list->nb_refs >= MAX_REFS) return AVERROR_INVALIDDATA; if (!ref) { 
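Review bot: `FFABS()` applied to the minimum value of a signed type overflows if the macro is a plain conditional negate (it is defined elsewhere, so worth confirming), which means the new `FFABS(s->sprite_delta[0][i])` and `FFABS(s->sprite_delta[1][i])` tests can hit the kind of overflow this check is meant to prevent. The `shift_c < 0 || shift_y < 0` test does not depend on `i` and is now evaluated on every iteration; it reads better hoisted above the loop. Both delta rows are compared against `INT_MAX >> shift_y`, whereas the offsets use `shift_y` and `shift_c`, so a comment saying that the deltas are scaled by the luma shift only (if that is the case) would make the asymmetry look intentional. The function body continues outside the hunk.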
From ccc14ccc45ca6d5abe54d049f6178edc3593e7f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Jun 2017 01:28:28 +0200 Subject: [PATCH 1238/1352] avcodec/hevcdec: Check nb_sps Signed-off-by: Michael Niedermayer (cherry picked from commit bc406744620710911de9157eafa3e61d0246566f) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index d29343b306..acdfcdb8f1 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -240,6 +240,8 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) nb_sps = get_ue_golomb_long(gb); nb_sh = get_ue_golomb_long(gb); + if (nb_sps > sps->num_long_term_ref_pics_sps) + return AVERROR_INVALIDDATA; if (nb_sh + (uint64_t)nb_sps > FF_ARRAY_ELEMS(rps->poc)) return AVERROR_INVALIDDATA; From aa97dafd26849c4413df409e713b358e9d57f6dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Jun 2017 02:16:54 +0200 Subject: [PATCH 1239/1352] avcodec/shorten: Sanity check maxnlpc Fixes OOM Fixes: 2131/clusterfuzz-testcase-minimized-4718045157130240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e77ddd31a8e14bcf5eccd6008d866ae90b4b0d4c) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index b01fdbbca3..e00a7f1ec6 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -369,6 +369,10 @@ static int read_header(ShortenContext *s) s->blocksize = blocksize; maxnlpc = get_uint(s, LPCQSIZE); + if (maxnlpc > 1024U) { + av_log(s->avctx, AV_LOG_ERROR, "maxnlpc is: %d\n", maxnlpc); + return AVERROR_INVALIDDATA; + } s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); From 8fa71d7b59df98a454eef247d68ba5e4051c808c Mon Sep 17 00:00:00 2001 
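Review bot: The bound in `if (maxnlpc > 1024U)` in read_header is a bare literal with nothing to say where 1024 comes from; a named constant or a one-line comment on the format limit would make it reviewable. The message `"maxnlpc is: %d\n"` does not say that the value was rejected, and `%d` is only correct if `maxnlpc` is declared `int` (the declaration is outside the hunk, and the `1024U` comparison treats it as unsigned). Something like `av_log(s->avctx, AV_LOG_ERROR, "maxnlpc %d is too large\n", maxnlpc);`, with the specifier matched to the declared type, is easier to triage from a log.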
From: Michael Niedermayer Date: Fri, 16 Jun 2017 19:57:08 +0200 Subject: [PATCH 1240/1352] avcodec/jpeg2000dec: Check nonzerobits more completely Fixes: runtime error: shift exponent 36 is too large for 32-bit type 'int' Fixes: 2239/clusterfuzz-testcase-minimized-5639766592716800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dfb61ea2630029b7aec7911aade769bf1a914eea) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index aeec6fe4ef..6174d6797e 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -785,9 +785,9 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, if (!cblk->npasses) { int v = expn[bandno] + numgbits - 1 - tag_tree_decode(s, prec->zerobits + cblkno, 100); - if (v < 0) { + if (v < 0 || v > 30) { av_log(s->avctx, AV_LOG_ERROR, - "nonzerobits %d invalid\n", v); + "nonzerobits %d invalid or unsupported\n", v); return AVERROR_INVALIDDATA; } cblk->nonzerobits = v; From 6a5ade5608df72b1ab1c1567368dd9f399b6c46a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jun 2017 00:34:08 +0200 Subject: [PATCH 1241/1352] avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() Fixes: runtime error: signed integer overflow: 2147483647 + 6 cannot be represented in type 'int' Fixes: 2263/clusterfuzz-testcase-minimized-4800359627227136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1edbf5e20c75f06d6987bc823e63aa4e649ccddd) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index acdfcdb8f1..6925f3da54 100644 --- a/libavcodec/hevc.c 
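Review bot: The new upper bound `v > 30` in jpeg2000_decode_packet has no explanation next to it. Going by the commit message, the value ends up as a shift exponent on a 32-bit int, so I would add `/* nonzerobits is later used as a shift count on int; keep it below 31 */` above the check. The function body continues outside the hunk.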
+++ b/libavcodec/hevc.c @@ -265,12 +265,16 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) delta_poc_msb_present = get_bits1(gb); if (delta_poc_msb_present) { - int delta = get_ue_golomb_long(gb); + int64_t delta = get_ue_golomb_long(gb); + int64_t poc; if (i && i != nb_sps) delta += prev_delta_msb; - rps->poc[i] += s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + poc = rps->poc[i] + s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + if (poc != (int32_t)poc) + return AVERROR_INVALIDDATA; + rps->poc[i] = poc; prev_delta_msb = delta; } } From f2e970b2bd70472c1821046a0b07639c92a763d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Jun 2017 14:54:19 +0200 Subject: [PATCH 1242/1352] avcodec/hevcpred_template: Fix left shift of negative value Fixes: runtime error: left shift of negative value -1 Fixes: 2250/clusterfuzz-testcase-minimized-5693382112313344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c94326c1fc2fb5719c6f28fe1b95c0c74417998b) Signed-off-by: Michael Niedermayer --- libavcodec/hevcpred_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 81242304dd..4fca10efc4 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -35,7 +35,7 @@ static av_always_inline void FUNC(intra_pred)(HEVCContext *s, int x0, int y0, #define MVF(x, y) \ (s->ref->tab_mvf[(x) + (y) * min_pu_width]) #define MVF_PU(x, y) \ - MVF(PU(x0 + ((x) << hshift)), PU(y0 + ((y) << vshift))) + MVF(PU(x0 + ((x) * (1 << hshift))), PU(y0 + ((y) * (1 << vshift)))) #define IS_INTRA(x, y) \ (MVF_PU(x, y).pred_flag == PF_INTRA) #define MIN_TB_ADDR_ZS(x, y) \ From d811126c617d1f5d5ba1f8c9acc79048e01a6845 Mon Sep 17 00:00:00 2001 
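Review bot: In decode_lt_rps the expression `rps->poc[i] + s->poc - delta * max_poc_lsb - ...` is evaluated left to right, so `rps->poc[i] + s->poc` is still added in `int` before the 64-bit `delta` term widens the rest (assuming both operands are `int`; their declarations are outside the hunk). Starting the expression with a cast, `poc = (int64_t)rps->poc[i] + s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb;`, keeps the whole sum in 64 bits so that the `poc != (int32_t)poc` test sees the true value. `prev_delta_msb = delta;` also stores a 64-bit value into a variable declared outside the hunk; if that variable is an `int`, the accumulated delta is truncated before the next iteration.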
From: Michael Niedermayer Date: Sun, 18 Jun 2017 14:37:19 +0200 Subject: [PATCH 1243/1352] avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output Fixes: runtime error: signed integer overflow: 2147483543 + 128 cannot be represented in type 'int' Fixes: 2234/clusterfuzz-testcase-minimized-6266896041115648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27c20068054d8c6786833234f7b6db19f1e98362) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index b01f55ca65..32241868c7 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -882,7 +882,7 @@ static int tak_decode_frame(AVCodecContext *avctx, void *data, uint8_t *samples = (uint8_t *)frame->extended_data[chan]; int32_t *decoded = s->decoded[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] = decoded[i] + 0x80; + samples[i] = decoded[i] + 0x80U; } break; case AV_SAMPLE_FMT_S16P: From a599754e7e72de2c946a27ce35f646b0359c20b6 Mon Sep 17 00:00:00 2001 From: Anton Mitrofanov Date: Wed, 31 May 2017 02:37:41 +0300 Subject: [PATCH 1244/1352] avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 Use the correct ctxIdxInc calculation for coded_block_flag. Keep old behavior for old versions of x264 for backward compatibility. Signed-off-by: Ronald S. Bultje (cherry picked from commit 840b41b2a643fc8f0617c0370125a19c02c6b586) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 47 +++++++++++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 5a807347bd..78a0908853 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c 
@@ -2311,21 +2311,40 @@ decode_intra_mb: if (CHROMA444(h) && IS_8x8DCT(mb_type)){ int i; uint8_t *nnz_cache = h->non_zero_count_cache; - for (i = 0; i < 2; i++){ - if (h->left_type[LEFT(i)] && !IS_8x8DCT(h->left_type[LEFT(i)])){ - nnz_cache[3+8* 1 + 2*8*i]= - nnz_cache[3+8* 2 + 2*8*i]= - nnz_cache[3+8* 6 + 2*8*i]= - nnz_cache[3+8* 7 + 2*8*i]= - nnz_cache[3+8*11 + 2*8*i]= - nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + if (h->x264_build < 151U) { + for (i = 0; i < 2; i++){ + if (h->left_type[LEFT(i)] && !IS_8x8DCT(h->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + } + } + if (h->top_type && !IS_8x8DCT(h->top_type)){ + uint32_t top_empty = !IS_INTRA(mb_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); + } + } else { + for (i = 0; i < 2; i++){ + if (h->left_type[LEFT(i)] && !IS_8x8DCT(h->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= !IS_INTRA_PCM(h->left_type[LEFT(i)]) ? 0 : 64; + } + } + if (h->top_type && !IS_8x8DCT(h->top_type)){ + uint32_t top_empty = !IS_INTRA_PCM(h->top_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); } - } - if (h->top_type && !IS_8x8DCT(h->top_type)){ - uint32_t top_empty = CABAC(h) && !IS_INTRA(mb_type) ? 0 : 0x40404040; - AV_WN32A(&nnz_cache[4+8* 0], top_empty); - AV_WN32A(&nnz_cache[4+8* 5], top_empty); - AV_WN32A(&nnz_cache[4+8*10], top_empty); } } h->cur_pic.mb_type[mb_xy] = mb_type; From 3716850e283808cded57a09f5e025af642b6af5a Mon Sep 17 00:00:00 2001 
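Review bot: The threshold in `h->x264_build < 151U` is a bare number that this series repeats in hl_decode_mb_predict_luma in h264_mb.c, and the unsigned compare does hidden work. The line removed in h264_mb.c tested `h->x264_build != -1`, so -1 appears to mean "not x264 or unknown", and the `U` suffix is what sends that case to the new branch. I would say so in a comment, for example `/* x264 builds before 151 need the old behaviour; -1 (unknown) compares as large and takes the new path */`, and give 151 a name shared by both files. The two branches here differ only in the value stored, so computing that value per branch and keeping a single copy of the `nnz_cache` stores would stop the duplicated index lists from drifting apart.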
From: Anton Mitrofanov Date: Tue, 13 Jun 2017 23:37:29 +0300 Subject: [PATCH 1245/1352] avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 Signed-off-by: Ronald S. Bultje (cherry picked from commit 06dda70f1e7c69a3b1684af5e6930431c62c527a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_mb.c b/libavcodec/h264_mb.c index 7feae5761c..b5ebba10e0 100644 --- a/libavcodec/h264_mb.c +++ b/libavcodec/h264_mb.c @@ -630,7 +630,7 @@ static av_always_inline void hl_decode_mb_predict_luma(H264Context *h, uint8_t *const ptr = dest_y + block_offset[i]; const int dir = h->intra4x4_pred_mode_cache[scan8[i]]; if (transform_bypass && h->sps.profile_idc == 244 && dir <= 1) { - if (h->x264_build != -1) { + if (h->x264_build < 151U) { h->hpc.pred8x8l_add[dir](ptr, h->mb + (i * 16 + p * 256 << pixel_shift), linesize); } else h->hpc.pred8x8l_filter_add[dir](ptr, h->mb + (i * 16 + p * 256 << pixel_shift), From 3b38db6af045c7297429f14757d39b0542a65311 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Jun 2017 14:08:58 +0200 Subject: [PATCH 1246/1352] avcodec/wavpack: Fix undefined integer negation Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 2291/clusterfuzz-testcase-minimized-5538453481586688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f89747086af741ddc34e2378cde8519b8faee78) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 98102f5661..e2450aac9d 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
@@ -307,8 +307,8 @@ static float wv_get_value_float(WavpackFrameContext *s, uint32_t *crc, int S) S <<= s->float_shift; sign = S < 0; if (sign) - S = -S; - if (S >= 0x1000000) { + S = -(unsigned)S; + if (S >= 0x1000000U) { if (s->got_extra_bits && get_bits1(&s->gb_extra_bits)) S = get_bits(&s->gb_extra_bits, 23); else From 215d1fc21b962168af9334a0eb8e035fbb9df524 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2017 13:52:06 +0200 Subject: [PATCH 1247/1352] avcodec/mpeg4videodec: Fix overflow in virtual_ref computation Fixes: runtime error: signed integer overflow: 262144 * -16120 cannot be represented in type 'int' Fixes: 2292/clusterfuzz-testcase-minimized-6156080415506432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5443c4bdf4828ac5b7b19cf54feb496c2da40079) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 78a39d44f0..29aeb3272d 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
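Review bot: The context line `S <<= s->float_shift;` just above the fixed negation in wv_get_value_float still left-shifts a signed value that can be negative, which is the same kind of undefined behaviour this series removes elsewhere. It could be written the way the takdec change does it, `S *= 1U << s->float_shift;`. After `S = -(unsigned)S;` the comparison `S >= 0x1000000U` depends on `S` being converted to unsigned so that the INT_MIN case lands in the large-value branch, and a short comment saying so would stop someone from dropping the `U` later. The function body continues outside the hunk.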
@@ -240,18 +240,18 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g * from w&h based to w2&h2 based which are of the 2^x form. */ virtual_ref[0][0] = 16 * (vop_ref[0][0] + w2) + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - w2 * (r * sprite_ref[1][0] - 16 * vop_ref[1][0])), w); + (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + w2 * (r * sprite_ref[1][0] - 16LL * vop_ref[1][0])), w); virtual_ref[0][1] = 16 * vop_ref[0][1] + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - w2 * (r * sprite_ref[1][1] - 16 * vop_ref[1][1])), w); + (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + w2 * (r * sprite_ref[1][1] - 16LL * vop_ref[1][1])), w); virtual_ref[1][0] = 16 * vop_ref[0][0] + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - h2 * (r * sprite_ref[2][0] - 16 * vop_ref[2][0])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + h2 * (r * sprite_ref[2][0] - 16LL * vop_ref[2][0])), h); virtual_ref[1][1] = 16 * (vop_ref[0][1] + h2) + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - h2 * (r * sprite_ref[2][1] - 16 * vop_ref[2][1])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + h2 * (r * sprite_ref[2][1] - 16LL * vop_ref[2][1])), h); switch (ctx->num_sprite_warping_points) { case 0: From b085b395ec44b5df6c787bbf3254b71142644e5b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2017 14:38:34 +0200 Subject: [PATCH 1248/1352] avcodec/hevc_filter: Fix invalid shift Fixes: runtime error: left shift of negative value -1 Fixes: 2299/clusterfuzz-testcase-minimized-4843509351710720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7b3d5c3f2e2ff1994762b5e09c05fbc33790b5b) 
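Review bot: The `16LL` only widens the second operand of each subtraction, so `r * sprite_ref[0][0]` and the other `r * sprite_ref[..]` products in these four assignments are still multiplied in the operands' own type before being promoted (`r` is an `int`; the type of `sprite_ref` is not visible here). Casting the first factor, for example `((int64_t)r * sprite_ref[0][0] - 16LL * vop_ref[0][0])`, covers both operands. The 64-bit quotient from ROUNDED_DIV is then added to an `int` term and stored in `virtual_ref[][]`; if that array is 32-bit (declared outside the hunk), the result should be range-checked before the store rather than narrowed implicitly.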
Signed-off-by: Michael Niedermayer --- libavcodec/hevc_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 3aaf3e55f2..a1ccaacb56 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -330,7 +330,7 @@ static int get_pcm(HEVCContext *s, int x, int y) #define TC_CALC(qp, bs) \ tctable[av_clip((qp) + DEFAULT_INTRA_TC_OFFSET * ((bs) - 1) + \ - (tc_offset >> 1 << 1), \ + (tc_offset & -2), \ 0, MAX_QP + DEFAULT_INTRA_TC_OFFSET)] static void deblocking_filter_CTB(HEVCContext *s, int x0, int y0) From f6ffc80bba0670182b4c17db3b98e0467048d866 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Jun 2017 21:21:56 +0200 Subject: [PATCH 1249/1352] avcodec/takdec: Fix integer overflow Fixes: runtime error: signed integer overflow: 512 + 2147483146 cannot be represented in type 'int' Fixes: 2314/clusterfuzz-testcase-minimized-4519333877252096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c2ef4f6b4d52a7b7184c747ffea3576926ea1b1) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 32241868c7..0fedc7864b 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -469,7 +469,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, int v = 1 << (filter_quant - 1); if (filter_order & -16) - v += s->adsp.scalarproduct_int16(&s->residues[i], s->filter, + v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { v += s->residues[i + j + 3] * s->filter[j + 3] + From 7df850abf7450ccf5900cf789eeee5362a7f913e Mon Sep 17 00:00:00 2001 
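Review bot: Only the first accumulation into `v` in decode_subframe is made unsigned. The tail loop that follows in the same hunk, `v += s->residues[i + j + 3] * s->filter[j + 3] + ...`, still adds into the signed `int v`, so the same accumulator can overflow there. Declaring the accumulator unsigned, `unsigned v = 1U << (filter_quant - 1);`, would cover both statements, provided the later uses of `v` (outside the hunk) convert back to signed where they need to. The loop body continues past the end of the hunk.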
From: Michael Niedermayer Date: Fri, 23 Jun 2017 01:58:48 +0200 Subject: [PATCH 1250/1352] avcodec/wavpack: Fix integer overflow Fixes: runtime error: signed integer overflow: 227511904 + 1964113935 cannot be represented in type 'int' Fixes: 2331/clusterfuzz-testcase-minimized-6182185830711296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 24e95f9d4de012f51fdd5767dff0b3142e13ec3a) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e2450aac9d..39aac18f7d 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -219,7 +219,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, INC_MED(1); DEC_MED(2); } else { - base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2); + base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2U); add = GET_MED(2) - 1; INC_MED(0); INC_MED(1); From babc2c20e3dd5c151f91940304b97ba989a6bf25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Jun 2017 13:45:35 +0200 Subject: [PATCH 1251/1352] avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 Fixes: runtime error: shift exponent -1 is negative Fixes: 2338/clusterfuzz-testcase-minimized-5153426541379584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4976a3411f71518d17a57e373b62517f066648fd) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 29aeb3272d..ec4912cffe 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -168,7 +168,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int a = 2 << s->sprite_warping_accuracy; int rho = 3 - s->sprite_warping_accuracy; int r = 16 / a; - int alpha = 0; + int alpha = 1; int beta = 0; int w = s->width; int h = s->height; From 664201aff83c24884e12b52e361db47eeab220da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Jun 2017 00:13:53 +0200 Subject: [PATCH 1252/1352] avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() Fixes: runtime error: signed integer overflow: 2080374785 + 2080374784 cannot be represented in type 'int' Fixes: 2351/clusterfuzz-testcase-minimized-5359403240783872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 73ea2a028e12a7d779834f78dc496c8c4b08361f) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 39aac18f7d..58035b99e1 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -474,7 +474,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, } if (type == AV_SAMPLE_FMT_S16P) { - if (FFABS(L) + FFABS(R) > (1<<19)) { + if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } From 96349da5ec8eda9f0368446e557fe0c8ba0e66b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jul 2017 14:57:20 +0200 Subject: [PATCH 1253/1352] avcodec/apedec: Fix integer overflow Fixes: out of array access Fixes: PoC.ape and others Found-by: Bingchang, Liu@VARAS of IIE Signed-off-by: Michael Niedermayer (cherry picked from commit ba4beaf6149f7241c8bd85fe853318c2f6837ad0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
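Review bot: `int alpha = 1;` in mpeg4_decode_sprite_trajectory() carries no comment explaining the new start value, while `beta` on the next line still starts at 0. The commit message ties the change to a shift exponent of -1 for videos of dimension 1, but the shifts themselves are outside this hunk, so it should be confirmed that a height of 1 cannot produce the same negative exponent through `beta`. Suggested comment on the changed line: `/* start at 1: a width of 1 must not produce a negative shift exponent further down */`.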
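Review bot: In the wv_unpack_stereo() hunk, `FFABS(L)` and `FFABS(R)` are each still evaluated in int before the `(unsigned)` cast widens the sum, so a sample equal to INT_MIN would overflow inside the negation itself. Whether L or R can reach INT_MIN depends on the decoding code above the hunk. If they can, bounding each sample first removes both overflows and the need for the cast: `if (L < -(1<<19) || L > (1<<19) || R < -(1<<19) || R > (1<<19) || FFABS(L) + FFABS(R) > (1<<19)) {`.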
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 4b11b1b4bc..09272b1523 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1419,6 +1419,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, int32_t *sample24; int i, ch, ret; int blockstodecode; + uint64_t decoded_buffer_size; /* this should never be negative, but bad things will happen if it is, so check it just to make sure. */ @@ -1474,7 +1475,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, skip_bits_long(&s->gb, offset); } - if (!nblocks || nblocks > INT_MAX) { + if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) { av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n", nblocks); return AVERROR_INVALIDDATA; @@ -1500,8 +1501,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, blockstodecode = s->samples; /* reallocate decoded sample buffer if needed */ - av_fast_malloc(&s->decoded_buffer, &s->decoded_size, - 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)); + decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer); + av_assert0(decoded_buffer_size <= INT_MAX); + av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); memset(s->decoded_buffer, 0, s->decoded_size); From f58b107aab9ae39fed4c4d807910034cb86d9c7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Jun 2017 20:29:02 +0200 Subject: [PATCH 1254/1352] avcodec/vb: Check vertical GMC component before multiply Fixes: runtime error: signed integer overflow: 8224 * 663584 cannot be represented in type 'int' Fixes: 2393/clusterfuzz-testcase-minimized-6128334993883136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bc6ab72bc7af27189e7b524b97e45c6fcadab5cf) 
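Review bot: `av_assert0(decoded_buffer_size <= INT_MAX)` in ape_decode_frame() aborts the whole process if it ever fires, and it sits on a path sized from file-derived sample counts. The tightened `nblocks` check is presumably meant to make it unreachable, but `blockstodecode` comes from `s->samples`, whose relation to `nblocks` is established outside these hunks. Returning an error keeps any missed case from turning into a crash on crafted input: `if (decoded_buffer_size > INT_MAX) return AVERROR_INVALIDDATA;`. A short comment on the `INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8` bound, naming the factor 2 and the FFALIGN padding, would also make the limit reviewable.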
Signed-off-by: Michael Niedermayer --- libavcodec/vb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vb.c b/libavcodec/vb.c index 3c89a2986e..7bb0515eec 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -205,6 +205,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (flags & VB_HAS_GMC) { i = (int16_t)bytestream2_get_le16(&c->stream); j = (int16_t)bytestream2_get_le16(&c->stream); + if (FFABS(j) > avctx->height) { + av_log(avctx, AV_LOG_ERROR, "GMV out of range\n"); + return AVERROR_INVALIDDATA; + } offset = i + j * avctx->width; } if (flags & VB_HAS_VIDEO) { From db440b6f06ffb81be3eb9971a76d5325284a21a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Jun 2017 13:47:32 +0200 Subject: [PATCH 1255/1352] avcodec/wavpack: Fix invalid shift Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 2377/clusterfuzz-testcase-minimized-6108505935183872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c07af720984acaafaa273369080b458d73975775) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 58035b99e1..fd11580325 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -835,9 +835,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0] > 31) { + if (val[0] > 30) { av_log(avctx, AV_LOG_ERROR, - "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); + "Invalid INT32INFO, extra_bits = %d (> 30)\n", val[0]); continue; } else if (val[0]) { s->extra_bits = val[0]; From b1b795de84c2eba1dc13197d5260014282227537 Mon Sep 17 00:00:00 2001 From: Brice Waegeneire Date: Sat, 22 Jul 2017 00:09:29 +0200 Subject: [PATCH 1256/1352] doc/filters: typo in frei0r 
Signed-off-by: Brice Waegeneire Signed-off-by: Michael Niedermayer (cherry picked from commit 6a6eec485d23b0c47a7cfeb94995db1be91c0e1a) Signed-off-by: Michael Niedermayer --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index 4b597f8ed3..3e7709570b 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -4956,7 +4956,7 @@ It accepts the following parameters: @item filter_name The name of the frei0r effect to load. If the environment variable @env{FREI0R_PATH} is defined, the frei0r effect is searched for in each of the -directories specified by the colon-separated list in @env{FREIOR_PATH}. +directories specified by the colon-separated list in @env{FREI0R_PATH}. Otherwise, the standard frei0r paths are searched, in this order: @file{HOME/.frei0r-1/lib/}, @file{/usr/local/lib/frei0r-1/}, @file{/usr/lib/frei0r-1/}. From 048ac053e62b8571ffc3df93cd154d0cb1565ab9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Jul 2017 03:19:07 +0200 Subject: [PATCH 1257/1352] avformat/oggparsecelt: Do not re-allocate os->private Fixes: double free Fixes: clusterfuzz-testcase-minimized-5080550145785856 Found-by: ClusterFuzz Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 7140761481e4296723a592019a0244ebe6c1a8cf) Signed-off-by: Michael Niedermayer --- libavformat/oggparsecelt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/oggparsecelt.c b/libavformat/oggparsecelt.c index 2c0c511c7b..6880314055 100644 --- a/libavformat/oggparsecelt.c +++ b/libavformat/oggparsecelt.c 
@@ -65,9 +65,14 @@ static int celt_header(AVFormatContext *s, int idx) st->codec->channels = nb_channels; if (sample_rate) avpriv_set_pts_info(st, 64, 1, sample_rate); - priv->extra_headers_left = 1 + extra_headers; - av_free(os->private); + + if (os->private) { + av_free(priv); + priv = os->private; + } os->private = priv; + priv->extra_headers_left = 1 + extra_headers; + AV_WL32(st->codec->extradata + 0, overlap); AV_WL32(st->codec->extradata + 4, version); return 1; From dbf29313ca0cb4f82805e2d0ddaf3737bec5b480 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jul 2017 15:48:37 +0200 Subject: [PATCH 1258/1352] avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 Fixes: runtime error: signed integer overflow: -2147483647 - 2 cannot be represented in type 'int' Fixes: 2702/clusterfuzz-testcase-minimized-4511932591636480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74c1c22d7f0d25f527ed2ebf62493be5ad52c972) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index bc29f358a2..19410e94b8 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1221,6 +1221,7 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) int i, j, x, y, ctb_addr_rs, tile_id; int ret = 0; unsigned int pps_id = 0; + unsigned log2_parallel_merge_level_minus2; AVBufferRef *pps_buf; HEVCPPS *pps = av_mallocz(sizeof(*pps)); 
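Review bot: The new `if (os->private)` branch in celt_header() has no comment saying which allocation is meant to survive a repeated header. As written, the freshly allocated `priv` is freed and the context already attached to the stream is kept, with only `extra_headers_left` refreshed. Suggested comment above the branch: `/* repeated header: keep the private context already attached to the stream, drop the new one */`. The allocation of `priv` is outside the hunk; if it happens unconditionally, checking `os->private` before allocating would avoid the allocate-then-free round trip.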
@@ -1405,13 +1406,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) goto err; } pps->lists_modification_present_flag = get_bits1(gb); - pps->log2_parallel_merge_level = get_ue_golomb_long(gb) + 2; - if (pps->log2_parallel_merge_level > sps->log2_ctb_size) { + log2_parallel_merge_level_minus2 = get_ue_golomb_long(gb); + if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size) { av_log(s->avctx, AV_LOG_ERROR, "log2_parallel_merge_level_minus2 out of range: %d\n", - pps->log2_parallel_merge_level - 2); + log2_parallel_merge_level_minus2); ret = AVERROR_INVALIDDATA; goto err; } + pps->log2_parallel_merge_level = log2_parallel_merge_level_minus2 + 2; pps->slice_header_extension_present_flag = get_bits1(gb); From b7fed5da525a3a63d39ca63ce230562fcd8983a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 13:41:59 +0200 Subject: [PATCH 1259/1352] avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 Fixes: out of array accesses Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV Found-by: JunDong Xie of Ant-financial Light-Year Security Lab Signed-off-by: Michael Niedermayer (cherry picked from commit 08c073434e25cba8c43aae5ed9554fdd594adfb0) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 64 ++++++++++++++++++++++++++++++------------- 1 file changed, 45 insertions(+), 19 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 3a82900f10..a708f46db0 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
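Review bot: The range check now compares `log2_parallel_merge_level_minus2` itself with `sps->log2_ctb_size`, whereas the removed line compared the value plus 2. The accepted range therefore grows by two, and `pps->log2_parallel_merge_level` can end up as large as `log2_ctb_size + 2`. The old limit can be kept without reintroducing the overflow by comparing against the reduced bound, `if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size - 2) {`, assuming `log2_ctb_size` is validated to be at least 2 before this point (that validation is not in the hunk). The log call also passes the now-unsigned value to `%d`; `%u` matches the type.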
@@ -426,49 +426,75 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt) pkt->size = 0; } -int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +static int amf_tag_skip(GetByteContext *gb) { - const uint8_t *base = data; AMFDataType type; unsigned nb = -1; int parse_key = 1; - if (data >= data_end) + if (bytestream2_get_bytes_left(gb) < 1) return -1; - switch ((type = *data++)) { - case AMF_DATA_TYPE_NUMBER: return 9; - case AMF_DATA_TYPE_BOOL: return 2; - case AMF_DATA_TYPE_STRING: return 3 + AV_RB16(data); - case AMF_DATA_TYPE_LONG_STRING: return 5 + AV_RB32(data); - case AMF_DATA_TYPE_NULL: return 1; + + type = bytestream2_get_byte(gb); + switch (type) { + case AMF_DATA_TYPE_NUMBER: + bytestream2_get_be64(gb); + return 0; + case AMF_DATA_TYPE_BOOL: + bytestream2_get_byte(gb); + return 0; + case AMF_DATA_TYPE_STRING: + bytestream2_skip(gb, bytestream2_get_be16(gb)); + return 0; + case AMF_DATA_TYPE_LONG_STRING: + bytestream2_skip(gb, bytestream2_get_be32(gb)); + return 0; + case AMF_DATA_TYPE_NULL: + return 0; case AMF_DATA_TYPE_ARRAY: parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: - nb = bytestream_get_be32(&data); + nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { int t; if (parse_key) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) { - data++; + bytestream2_get_byte(gb); break; } - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; + bytestream2_skip(gb, size); } - t = ff_amf_tag_size(data, data_end); - if (t < 0 || t >= data_end - data) + t = amf_tag_skip(gb); + if (t < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += t; } - return data - base; - case AMF_DATA_TYPE_OBJECT_END: return 1; + return 0; + case AMF_DATA_TYPE_OBJECT_END: return 0; default: return -1; } } +int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +{ + GetByteContext gb; + int ret; 
+ + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + ret = amf_tag_skip(&gb); + if (ret < 0 || bytestream2_get_bytes_left(&gb) <= 0) + return -1; + av_assert0(bytestream2_tell(&gb) >= 0 && bytestream2_tell(&gb) <= data_end - data); + return bytestream2_tell(&gb); +} + int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, const uint8_t *name, uint8_t *dst, int dst_size) { From 52bb9d6d58c2df3044c793871bcbe8fe71002aff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 14:37:26 +0200 Subject: [PATCH 1260/1352] avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 Fixes: out of array accesses Found-by: JunDong Xie of Ant-financial Light-Year Security Lab Signed-off-by: Michael Niedermayer (cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 57 ++++++++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 20 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index a708f46db0..461c9f45d8 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c 
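Review bot: `amf_tag_skip()` calls itself for every element of a nested array or object with no depth limit, so the recursion depth is bounded only by the length of the packet being parsed. A deeply nested AMF payload can therefore drive stack usage as far as the input size allows. A depth argument, incremented on the recursive call and checked at the top, bounds this: `if (depth > AMF_MAX_DEPTH) return -1;`, where `AMF_MAX_DEPTH` is a placeholder name for a new constant. The `bytestream2_get_bytes_left(gb) <= 0` tests that reject a tag ending exactly at the buffer end also deserve a comment, e.g. `/* bytestream2 readers clamp at the end of the buffer, so reaching it is treated as a truncated tag */`.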
@@ -495,53 +495,70 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) return bytestream2_tell(&gb); } -int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, +static int amf_get_field_value2(GetByteContext *gb, const uint8_t *name, uint8_t *dst, int dst_size) { int namelen = strlen(name); int len; - while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) { - len = ff_amf_tag_size(data, data_end); - if (len < 0) - len = data_end - data; - data += len; + while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) { + int ret = amf_tag_skip(gb); + if (ret < 0) + return -1; } - if (data_end - data < 3) + if (bytestream2_get_bytes_left(gb) < 3) return -1; - data++; + bytestream2_get_byte(gb); + for (;;) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) break; - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; - if (size == namelen && !memcmp(data-size, name, namelen)) { - switch (*data++) { + bytestream2_skip(gb, size); + if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) { + switch (bytestream2_get_byte(gb)) { case AMF_DATA_TYPE_NUMBER: - snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data))); + snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb))); break; case AMF_DATA_TYPE_BOOL: - snprintf(dst, dst_size, "%s", *data ? "true" : "false"); + snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? 
"true" : "false"); break; case AMF_DATA_TYPE_STRING: - len = bytestream_get_be16(&data); - av_strlcpy(dst, data, FFMIN(len+1, dst_size)); + len = bytestream2_get_be16(gb); + if (dst_size < 1) + return -1; + if (dst_size < len + 1) + len = dst_size - 1; + bytestream2_get_buffer(gb, dst, len); + dst[len] = 0; break; default: return -1; } return 0; } - len = ff_amf_tag_size(data, data_end); - if (len < 0 || len >= data_end - data) + len = amf_tag_skip(gb); + if (len < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += len; } return -1; } +int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, + const uint8_t *name, uint8_t *dst, int dst_size) +{ + GetByteContext gb; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + return amf_get_field_value2(&gb, name, dst, dst_size); +} + static const char* rtmp_packet_type(int type) { switch (type) { From 046e0524b92bb6933a40e1b24403763739b49495 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jul 2017 23:49:27 +0200 Subject: [PATCH 1261/1352] avcodec/diracdec: Fix integer overflow in divide3() Fixes: runtime error: signed integer overflow: -1073746548 * 21845 cannot be represented in type 'int' Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0220c768c7fc933a76c863ebbb0abdf68a88533) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index c9aa3209a3..23d12ed3f0 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c 
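Review bot: In the `AMF_DATA_TYPE_STRING` case of amf_get_field_value2() the return value of `bytestream2_get_buffer()` is ignored, so when fewer than `len` bytes remain only part of `dst` is written before `dst[len] = 0` terminates it. The caller then reads a string whose tail is whatever `dst` held before the call. The terminator should use the count actually copied, `len = bytestream2_get_buffer(gb, dst, len);` followed by the existing `dst[len] = 0;`, or the function should return -1 on a short copy. The NUMBER and BOOL cases rely on the clamping readers in the same way and return a value built from zeros on truncated input, which may be worth rejecting too.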
@@ -284,7 +284,7 @@ static const int qoffset_inter_tab[MAX_QUANT+1] = { /* magic number division by 3 from schroedinger */ static inline int divide3(int x) { - return ((x+1)*21845 + 10922) >> 16; + return (int)((x+1U)*21845 + 10922) >> 16; } static DiracFrame *remove_frame(DiracFrame *framelist[], int picnum) From 0b02123cc8bb783e7677e6de2f3f2f389f59ca6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jul 2017 03:22:40 +0200 Subject: [PATCH 1262/1352] avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() Fixes: runtime error: signed integer overflow: 9 * 335544320 cannot be represented in type 'int' Fixes: 2739/clusterfuzz-testcase-minimized-6737297955356672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf8ab72ae95bb11f2c281d464594c2f6ba70326b) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index e5e447b0ac..9b19d8ee2d 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -90,7 +90,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((b0 + b2 + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((-b0 + 9*b1 + 9*b3 - b4 + 8) >> 4)) + (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5)) From 298c3bd2f419f16d0990efcf62669c73b85fb0d5 Mon Sep 17 00:00:00 2001 From: Steven Siloti Date: Tue, 18 Jul 2017 11:26:39 -0700 Subject: [PATCH 1263/1352] avformat/utils: fix memory leak in avformat_free_context The pointer to the packet queue is stored in the internal structure so the queue needs to be flushed before internal is freed. Signed-off-by: Steven Siloti Signed-off-by: Michael Niedermayer (cherry picked from commit 949debd1d1df3a96315b3a3083831162845c1188) 
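Review bot: `COMPOSE_DD137iL0`, directly below the patched macro in the dirac_dwt.h hunk, uses the same `-b0 + 9*b1 + 9*b3 - b4` expression and is left in signed arithmetic. If it is fed coefficients of the same range as `COMPOSE_DD97iH0` (its callers are not on this page), it overflows the same way. The matching form would be `(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))`. The outer `b2 + (...)` addition in the patched macro is also still a signed add.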
Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index c713d62804..f6d82d2927 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3554,8 +3554,8 @@ void avformat_free_context(AVFormatContext *s) av_freep(&s->chapters); av_dict_free(&s->metadata); av_freep(&s->streams); - av_freep(&s->internal); flush_packet_queue(s); + av_freep(&s->internal); av_free(s); } From 6fd5fcf8958b128a26f3f5eb786c8abc8e1d51ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Aug 2017 05:01:45 +0200 Subject: [PATCH 1264/1352] avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be represented in type 'int' Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a5380f9c1c460acccb2edaa8609e4a57c0456088) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 9b19d8ee2d..34408a15d6 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
@@ -108,16 +108,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((1817*(b0 + b2) + 2048) >> 12)) + (b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - (( 113*(b0 + b2) + 64) >> 7)) + (b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + (( 217*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((6497*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From 65130aa1c69723ef3c5005dc73d42ffb97bd9473 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Aug 2017 13:32:54 +0200 Subject: [PATCH 1265/1352] avcodec/mpeg4videodec: Clear mcsel before decoding an image Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be represented in type 'int' Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7735ed29741d985e1e670249ca56e7a1ce18b729) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index ec4912cffe..ce91108c7a 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2271,6 +2271,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) int time_incr, time_increment; int64_t pts; + s->mcsel = 0; s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I; /* pict type: I = 0 , P = 1 */ if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay && ctx->vol_control_parameters == 0 && !(s->flags & CODEC_FLAG_LOW_DELAY)) { From 750c704a07f63cb73e3911ec3657d9a8e1aba08b Mon Sep 17 00:00:00 2001 
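Review bot: In the four `COMPOSE_DAUB97*` macros the inner sum `(b0 + b2)` is still evaluated in the arguments' own type before the unsigned constant multiplies it, so with int arguments the addition itself can overflow ahead of the conversion. Converting one operand inside the parentheses closes that gap, e.g. `(b1 - ((int)(1817U*((unsigned)(b0) + (b2)) + 2048) >> 12))`, and likewise for the other three. The first context line of the hunk (`-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128`, whose `#define` is above the hunk) keeps fully signed arithmetic and may need the same review.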
From: Michael Niedermayer Date: Tue, 15 Aug 2017 03:32:43 +0200 Subject: [PATCH 1266/1352] avcodec/diracdec: Check perspective_exp and zrs_exp. Fixes: undefined shift Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int' Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6cab874512070b36267a5a53fd053f90072fa2) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 23d12ed3f0..1ca17094bc 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -957,6 +957,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb); s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb); } + if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) { + return AVERROR_INVALIDDATA; + } + } } From d0842707a51049d328ba7d7fdbfa3d0d870c1feb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Aug 2017 20:32:03 +0200 Subject: [PATCH 1267/1352] avcodec/snowdec: Fix off by 1 error Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]' Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d132683ddd4050d3fe103ca88c73258c3442dc34) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 129c4a2f13..572d51e7a4 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
@@ -330,7 +330,7 @@ static int decode_header(SnowContext *s){ Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps > HTAPS_MAX || htaps==0) + if((unsigned)htaps >= HTAPS_MAX || htaps==0) return AVERROR_INVALIDDATA; p->htaps= htaps; for(i= htaps/2; i; i--){ From 58b7dfde1228a85251e0fe4ee887fec7cb322d42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Aug 2017 18:24:37 +0200 Subject: [PATCH 1268/1352] avcodec/fic: Fixes signed integer overflow Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int' Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 5be427e085..4225a48ddc 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
@@ -81,12 +81,12 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { - const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; - const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; - const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; - const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); - const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); + const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; + const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; + const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; + const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; + const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12); + const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12); const unsigned t6 = t2 - t0; const unsigned t7 = t3 - t1; const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; From c5e55990106b3b0f4fb09778c5a704d1244a8281 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Aug 2017 23:38:58 +0200 Subject: [PATCH 1269/1352] avcodec/me_cmp: Fix crashes on ARM due to misalignment Adds a diff_pixels_unaligned() Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503 Signed-off-by: Michael Niedermayer (cherry picked from commit bc488ec28aec4bc91ba47283c49c9f7f25696eaa) Signed-off-by: Michael Niedermayer --- libavcodec/me_cmp.c | 10 +++++----- libavcodec/pixblockdsp.c | 1 + libavcodec/pixblockdsp.h | 5 +++++ libavcodec/x86/pixblockdsp_init.c | 2 ++ 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c index 1355a23807..ee6327add8 100644 --- a/libavcodec/me_cmp.c +++ b/libavcodec/me_cmp.c 
@@ -553,7 +553,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); return s->mecc.sum_abs_dctelem(temp); } @@ -593,7 +593,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1, int16_t dct[8][8]; int i, sum = 0; - s->pdsp.diff_pixels(dct[0], src1, src2, stride); + s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride); #define SRC(x) dct[i][x] #define DST(x, v) dct[i][x] = v @@ -620,7 +620,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); for (i = 0; i < 64; i++) @@ -639,7 +639,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); s->mb_intra = 0; - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); memcpy(bak, temp, 64 * sizeof(int16_t)); @@ -742,7 +742,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2, av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->block_last_index[0 /* FIXME */] = last = diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c index ebde68b6a4..03422508b1 100644 --- a/libavcodec/pixblockdsp.c +++ b/libavcodec/pixblockdsp.c @@ -55,6 +55,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx) { const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8; + c->diff_pixels_unaligned = c->diff_pixels = diff_pixels_c; switch (avctx->bits_per_raw_sample) { diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h index d4b8590341..ab9ff3e4a6 100644 --- a/libavcodec/pixblockdsp.h +++ b/libavcodec/pixblockdsp.h 
@@ -31,6 +31,11 @@ typedef struct PixblockDSPContext { const uint8_t *s1 /* align 8 */, const uint8_t *s2 /* align 8 */, int stride); + void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */, + const uint8_t *s1, + const uint8_t *s2, + int stride); + } PixblockDSPContext; void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx); diff --git a/libavcodec/x86/pixblockdsp_init.c b/libavcodec/x86/pixblockdsp_init.c index 4d06a44c6d..b9027dee54 100644 --- a/libavcodec/x86/pixblockdsp_init.c +++ b/libavcodec/x86/pixblockdsp_init.c @@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c, if (EXTERNAL_MMX(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_mmx; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_mmx; } if (EXTERNAL_SSE2(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_sse2; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_sse2; } } From ba4b4e48092f7bd5fce78c8e0dfa3818624a519f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Aug 2017 02:15:49 +0200 Subject: [PATCH 1270/1352] avcodec/aacdec_template: Fix running cleanup in decode_ics_info() Fixes: out of array read Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Previous version reviewed-by: Alex Converse Signed-off-by: Michael Niedermayer (cherry picked from commit 6f03ffb47d51368a4bbc87702df8446e4660845d) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index a7398dbbd2..a2a387fb56 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c 
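Review bot: The new `diff_pixels_unaligned` member in pixblockdsp.h has no comment stating its contract, and the x86 init hunk assigns the MMX and SSE2 routines to it as well as to `diff_pixels`. That is only safe if those routines tolerate unaligned `s1`/`s2`, which their implementation (not on this page) has to confirm. Suggested comment on the member: `/* same as diff_pixels, but s1 and s2 may have any alignment */`, plus a one-line remark at the x86 assignments that the loads used there are alignment-agnostic. Other per-architecture init functions are not in this commit, so they presumably keep the C fallback set in ff_pixblockdsp_init() for the new pointer.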
@@ -1206,6 +1206,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, GetBitContext *gb) { int aot = ac->oc[1].m4ac.object_type; + int ret_fail = AVERROR_INVALIDDATA; + if (aot != AOT_ER_AAC_ELD) { if (get_bits1(gb)) { av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n"); @@ -1249,8 +1251,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, ics->swb_offset = ff_swb_offset_512[ac->oc[1].m4ac.sampling_index]; ics->num_swb = ff_aac_num_swb_512[ac->oc[1].m4ac.sampling_index]; ics->tns_max_bands = ff_tns_max_bands_512[ac->oc[1].m4ac.sampling_index]; - if (!ics->num_swb || !ics->swb_offset) - return AVERROR_BUG; + if (!ics->num_swb || !ics->swb_offset) { + ret_fail = AVERROR_BUG; + goto fail; + } } else { ics->swb_offset = ff_swb_offset_1024[ac->oc[1].m4ac.sampling_index]; ics->num_swb = ff_aac_num_swb_1024[ac->oc[1].m4ac.sampling_index]; @@ -1274,7 +1278,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, if (aot == AOT_ER_AAC_LD) { av_log(ac->avctx, AV_LOG_ERROR, "LTP in ER AAC LD not yet implemented.\n"); - return AVERROR_PATCHWELCOME; + ret_fail = AVERROR_PATCHWELCOME; + goto fail; } if ((ics->ltp.present = get_bits(gb, 1))) decode_ltp(&ics->ltp, gb, ics->max_sfb); @@ -1293,7 +1298,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, return 0; fail: ics->max_sfb = 0; - return AVERROR_INVALIDDATA; + return ret_fail; } /** From ec00cc34c3f329612c96019839838a8a66a34dd6 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 1271/1352] avformat/mov: Fix signed integer overflows with total_size Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5) 
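Review bot: The `fail:` label in decode_ics_info is now the single place that resets `ics->max_sfb`, but nothing at the label says that every error exit has to pass through it. The next early `return` added to this function would bring back the stale state that, going by the commit message, led to the out-of-array read. A comment above the label would carry that, for example `/* every error path must end here so that max_sfb is cleared */`. The function body starts and continues outside the visible hunks, so any direct returns remaining there should be checked as well.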
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f5a4ee06f2..fa0471add6 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3233,7 +3233,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0; From 700473ad31975c7c5fa2dcb6255dfa900244ba01 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Sun, 20 Aug 2017 11:56:47 -0700 Subject: [PATCH 1272/1352] avformat/aviobuf: Fix signed integer overflow in avio_seek() Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit eca2a49716ae1f42804dd3545da2f740edf03250) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 7da89d716a..8033041fe6 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -219,6 +219,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; } if (offset < 0) From 6da07b7b6a05c8c78b91d860b1c295ec94f5e1c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Aug 2017 00:18:48 +0200 Subject: [PATCH 1273/1352] avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() Fixes: integer overflow Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
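Review bot: The rewritten loop condition `total_size <= atom.size - 8` in mov_read_default is only overflow-free because `atom.size` is clamped to `INT64_MAX` when negative on the line above, and that dependency is not written down. A one-line comment would keep the two together: `/* atom.size >= 0 here, so atom.size - 8 cannot wrap */`. The function continues past the hunk, so how `total_size` is advanced inside the loop is not visible here.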
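Review bot: The new guard `if (offset > INT64_MAX - offset1)` in avio_seek covers only a non-negative `offset1`; when `offset1` is negative the subtraction `INT64_MAX - offset1` overflows itself, and a negative `offset` added to a negative `offset1` can still wrap downward. Whether `pos` can make `offset1` negative is not visible in the hunk, so this may be unreachable, but the check is cheap to make symmetric: `if ((offset1 >= 0 && offset > INT64_MAX - offset1) || (offset1 < 0 && offset < INT64_MIN - offset1)) return AVERROR(EINVAL);`. The surrounding function starts and ends outside the hunk.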
Signed-off-by: Michael Niedermayer (cherry picked from commit 2b44dcbc44e99daf9515753e9fd4c2e1ea53a2fa) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 19410e94b8..a8608e7463 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -188,6 +188,9 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, prev = 0; for (i = 0; i < rps->num_negative_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + return AVERROR_INVALIDDATA; + } prev -= delta_poc; rps->delta_poc[i] = prev; rps->used[i] = get_bits1(gb); @@ -195,6 +198,9 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, prev = 0; for (i = 0; i < nb_positive_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + return AVERROR_INVALIDDATA; + } prev += delta_poc; rps->delta_poc[rps->num_negative_pics + i] = prev; rps->used[rps->num_negative_pics + i] = get_bits1(gb); From 92a1da1b7d3bee9409f5952559f3579638d0f327 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Aug 2017 17:27:17 +0200 Subject: [PATCH 1274/1352] ffprobe: Fix NULL pointer handling in color parameter printing Signed-off-by: Michael Niedermayer (cherry picked from commit 351e28f9a799d9bbbb33dd10c964dca7219fa13b) Signed-off-by: Michael Niedermayer --- ffprobe.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index fecbbce5d8..bad2f4713b 100644 --- a/ffprobe.c +++ b/ffprobe.c 
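Review bot: The range check `delta_poc < 1 || delta_poc > 32768` is added twice in ff_hevc_decode_short_term_rps, once in the negative-picture loop and once in the positive-picture loop, with the bound as a bare literal in both hunks. A named constant shared by the two sites, or a short comment saying where the limit comes from, would make them auditable together, e.g. `/* delta_poc_sX_minus1 is limited to 2^15 - 1, so delta_poc <= 32768 */`. Both loops sit in a function whose body starts and ends outside the hunks.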
@@ -1682,6 +1682,16 @@ static inline int show_tags(WriterContext *w, AVDictionary *tags, int section_id return ret; } +static void print_color_space(WriterContext *w, enum AVColorSpace color_space) +{ + const char *val = av_get_colorspace_name(color_space); + if (!val || color_space == AVCOL_SPC_UNSPECIFIED) { + print_str_opt("color_space", "unknown"); + } else { + print_str("color_space", val); + } +} + static void show_packet(WriterContext *w, AVFormatContext *fmt_ctx, AVPacket *pkt, int packet_idx) { char val_str[128]; @@ -2101,9 +2111,8 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id print_str ("color_range", dec_ctx->color_range == AVCOL_RANGE_MPEG ? "tv": "pc"); else print_str_opt("color_range", "N/A"); - s = av_get_colorspace_name(dec_ctx->colorspace); - if (s) print_str ("color_space", s); - else print_str_opt("color_space", "unknown"); + print_color_space(w, dec_ctx->colorspace); + if (dec_ctx->timecode_frame_start >= 0) { char tcbuf[AV_TIMECODE_STR_SIZE]; av_timecode_make_mpeg_tc_string(tcbuf, dec_ctx->timecode_frame_start); From 7ba100d3e6e8b1e5d5342feb960a7f081d6e15af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Aug 2017 01:26:58 +0200 Subject: [PATCH 1275/1352] avformat/hls: Fix DoS due to infinite loop Fixes: loop.m3u The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome Found-by: Xiaohei and Wangchu from Alibaba Security Team Previous version reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a) Signed-off-by: Michael Niedermayer --- doc/demuxers.texi | 18 ++++++++++++++++++ libavformat/hls.c | 7 +++++++ 2 files changed, 25 insertions(+) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 101b0fc95f..0ebc862633 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi 
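Review bot: print_color_space reports `unknown` for `AVCOL_SPC_UNSPECIFIED` even when av_get_colorspace_name() returns a name, which is a change in output that the commit message (NULL pointer handling) does not mention. A comment on the helper would record that this is deliberate, e.g. `/* unspecified is reported as unknown regardless of the name table */`. The parameter `w` is not referenced by name in the body; if the print_str macros pick it up implicitly, as their use in show_stream suggests, saying so in the same comment avoids a later unused-parameter cleanup.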
@@ -210,6 +210,24 @@ used to end the output video at the length of the shortest input file, which in this case is @file{input.mp4} as the GIF in this example loops infinitely. +@section hls + +HLS demuxer + +It accepts the following options: + +@table @option +@item live_start_index +segment index to start live streams at (negative values are from the end). + +@item allowed_extensions +',' separated list of file extensions that hls is allowed to access. + +@item max_reload +Maximum number of times a insufficient list is attempted to be reloaded. +Default value is 1000. +@end table + @section image2 Image file demuxer. diff --git a/libavformat/hls.c b/libavformat/hls.c index 17e1079b05..b58d050fca 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -181,6 +181,7 @@ typedef struct HLSContext { char *cookies; ///< holds HTTP cookie values set in either the initial response or as an AVOption to the HTTP protocol context char *headers; ///< holds HTTP headers set as an AVOption to the HTTP protocol context char *allowed_extensions; + int max_reload; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -1042,6 +1043,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size) HLSContext *c = v->parent->priv_data; int ret, i; int just_opened = 0; + int reload_count = 0; restart: if (!v->needed) @@ -1072,6 +1074,9 @@ restart: reload_interval = default_reload_interval(v); reload: + reload_count++; + if (reload_count > c->max_reload) + return AVERROR_EOF; if (!v->finished && av_gettime() - v->last_load_time >= reload_interval) { if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { 
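Review bot: When the reload limit trips at `reload:` in read_data, the function returns `AVERROR_EOF` with no log output, so a stream cut short by `max_reload` looks the same as a normal end of playlist to the caller and in logs. A line before the return, such as `av_log(v->parent, AV_LOG_ERROR, "max_reload (%d) reached, giving up\n", c->max_reload);`, would make the limit visible when it is hit (this assumes `v->parent` is usable as the logging context, as `v->parent->priv_data` suggests). The option-table hunk that follows also allows 0, and because `reload_count` is incremented before the comparison, 0 makes the first pass through `reload:` fail; either raise the minimum to 1 or document what 0 means. read_data begins and continues outside both hunks.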
@@ -1747,6 +1752,8 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {NULL} }; From e7dc286b16ab54342e0b415abb4dc4e0cc22f736 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 12:37:25 +0200 Subject: [PATCH 1276/1352] avformat/asfdec: Fix DoS due to lack of eof check Fixes: loop.asf Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329) Signed-off-by: Michael Niedermayer --- libavformat/asfdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index c93395c9a5..b51862d8a0 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -694,13 +694,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) count = avio_rl32(pb); // markers count avio_rl16(pb); // reserved 2 bytes name_len = avio_rl16(pb); // name length - for (i = 0; i < name_len; i++) - avio_r8(pb); // skip the name + avio_skip(pb, name_len); for (i = 0; i < count; i++) { int64_t pres_time; int name_len; + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 10000; From 983f90ef1819a0d4d3a5685b8a617a18eaecbd4b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 01:15:27 +0200 Subject: [PATCH 1277/1352] avformat/cinedec: Fix DoS due to lack of eof check Fixes: loop.cine Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6) Signed-off-by: Michael Niedermayer --- libavformat/cinedec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index 0583ce020a..22af00771c 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx) /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); - for (i = 0; i < st->duration; i++) + for (i = 0; i < st->duration; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); + } return 0; } From 2ac9bc34978cf77eebaf288741bdfa669e1df195 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= Date: Fri, 25 Aug 2017 01:15:29 +0200 Subject: [PATCH 1278/1352] avformat/rl2: Fix DoS due to lack of eof check Fixes: loop.rl2 Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de) Signed-off-by: Michael Niedermayer --- libavformat/rl2.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rl2.c b/libavformat/rl2.c index d354339ea3..fe3658d88f 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c 
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) } /** read offset and size tables */ - for(i=0; i < frame_count;i++) + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0xFFFF; + } /** build the sample index */ for(i=0;i Date: Fri, 25 Aug 2017 01:15:30 +0200 Subject: [PATCH 1279/1352] avformat/mvdec: Fix DoS due to lack of eof check Fixes: loop.mv Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 186b581f89..609095286d 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -327,6 +327,8 @@ static int mv_read_header(AVFormatContext *avctx) uint32_t pos = avio_rb32(pb); uint32_t asize = avio_rb32(pb); uint32_t vsize = avio_rb32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); From 09a1d15de7942c32d1e17381c6ca8cc41e236afb Mon Sep 17 00:00:00 2001 
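Review bot: The three new `return AVERROR_INVALIDDATA;` statements in the table-reading loops of rl2_read_header leave the function without releasing `chunk_size`, `chunk_offset` and `audio_size`. Those are indexed as arrays here and their allocation is outside the hunk; if they are heap buffers owned by this function, each early return leaks all three on a truncated file. Setting an error code and jumping to a common cleanup that frees them (`ret = AVERROR_INVALIDDATA; goto end;`, with the frees under the label) would cover the three sites. The label name is a placeholder, since the tail of the function is not visible.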
From: Michael Niedermayer Date: Mon, 28 Aug 2017 00:30:33 +0200 Subject: [PATCH 1280/1352] avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be represented in type 'int' Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 732f9764561558a388c05483ed6a722a5c67b05c) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 572d51e7a4..b139e5c5aa 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -115,7 +115,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli v = b->x_coeff[new_index].coeff; x = b->x_coeff[new_index++].x; while(x < w){ - register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT; + register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT; register int u= -(v&1); line[x] = (t^u) - u; From 4fedc4ceabe32bb3bea68ab71cb42f0b6e409586 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 1281/1352] avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829.nsv Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 05dfd539e4..fb36cace0d 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c 
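Review bot: The `(unsigned)qmul` cast in decode_subband_slice_buffered exists only to move the multiply-add into unsigned arithmetic so that it wraps instead of overflowing, and nothing on the line says so. Without a comment the cast reads as noise and is an easy target for a later cleanup that silently restores the undefined behaviour; something like `/* unsigned on purpose: wrap instead of signed overflow */` would do. The same applies to the casts and suffixes added in later hunks of this series: `(unsigned)dirac_get_arith_int(...)` in diracdec.c, `0x80000u` in svq3.c, `+ 1U` in ffv1dec.c and the `(unsigned)` casts in takdec.c.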
@@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); - for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size; + } if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { From f173cdfe669556aa92857adafe60cbe5f2aa1210 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 1282/1352] avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829A.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 1dcdae0a08..855d98b09e 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -762,6 +762,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); + if(segment->nb_index_entries && length < 11) + return AVERROR_INVALIDDATA; if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || @@ -769,6 +771,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg return AVERROR(ENOMEM); for (i = 0; i < segment->nb_index_entries; i++) { + if(avio_feof(pb)) + return AVERROR_INVALIDDATA; segment->temporal_offset_entries[i] = avio_r8(pb); avio_r8(pb); /* KeyFrameOffset */ segment->flag_entries[i] = avio_r8(pb); From a4e85b2e1c8d5b4bf0091157bbdeb0e457fb7b8f Mon Sep 17 00:00:00 2001 
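Review bot: The new check `segment->nb_index_entries && length < 11` in mxf_read_index_entry_array uses 11 as a bare literal. It is presumably the number of bytes the loop body consumes per entry before skipping the remainder, but only the first three single-byte reads are visible in the hunk, so a reader cannot confirm it from here. A comment next to the check, such as `/* minimum bytes read per index entry by the loop below */`, or a named constant used by both the check and the skip, would tie the two together.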
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH 1283/1352] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: 20170829B.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 855d98b09e..2e5056ffe7 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -421,7 +421,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U avpriv_request_sample(pb, "Primer pack item length %d", item_len); return AVERROR_PATCHWELCOME; } - if (item_num > 65536) { + if (item_num > 65536 || item_num < 0) { av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); return AVERROR_INVALIDDATA; } From a17e1abf6e4dbf6a6cb3b81a77582834dcd27071 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Sep 2017 19:56:11 +0200 Subject: [PATCH 1284/1352] avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot be represented in type 'int' Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f71cd44147e7a914f80fcfacca46c9e7b0374362) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 34408a15d6..455fa622a7 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
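Review bot: After `item_num < 0` is added to the range check in mxf_read_primer_pack, the error text on the next line still says `item_num %d is too large`, which is misleading when the value is negative. Rewording the message to `"item_num %d is out of range\n"` keeps the log accurate for both cases. The function starts and ends outside the hunk.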
@@ -108,16 +108,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) + (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) + (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From f8c52dfa1583f0d2c039bad8c9422d2fd190a039 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Sep 2017 00:16:29 +0200 Subject: [PATCH 1285/1352] avformat/asfdec: Fix DoS in asf_build_simple_index() Fixes: Missing EOF check in loop No testcase Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97) Signed-off-by: Michael Niedermayer --- libavformat/asfdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c index b51862d8a0..94892328aa 100644 --- a/libavformat/asfdec.c +++ b/libavformat/asfdec.c @@ -1526,6 +1526,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) int64_t pos = s->data_offset + s->packet_size * (int64_t)pktnum; int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0); + if (avio_feof(s->pb)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + if (pos != last_pos) { av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts); From f5def99f52b63edf66a7938d5ad55de547d05045 Mon Sep 17 00:00:00 2001 
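Review bot: In the rewritten COMPOSE_DAUB97i* macros the cast is written `(unsigned)b2` with the macro argument unparenthesised, so it binds only to the first operand if a caller ever passes an expression such as `x + y`; `b0` and `b1` are unparenthesised as well. Wrapping the arguments keeps the cast on the whole argument, e.g. `((b1) - ((int)(1817*((b0) + (unsigned)(b2)) + 2048) >> 12))`. The COMPOSE_FIDELITYi* macros changed later in this series in the same header use the same `(unsigned)b8`-style casts and would need the same treatment.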
From: Michael Niedermayer Date: Sun, 10 Sep 2017 01:32:50 +0200 Subject: [PATCH 1286/1352] avcodec/diracdec: Fix overflow in DC computation Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be represented in type 'int' Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5995856a4236c27f231210bb08d70688e045192) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 1ca17094bc..872f023332 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1206,7 +1206,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock if (!block->ref) { pred_block_dc(block, stride, x, y); for (i = 0; i < 3; i++) - block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); + block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); return; } From 792aeda9b4f9f7a110671f9fb1c26db913c229d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 01:32:51 +0200 Subject: [PATCH 1287/1352] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels Fixes: runtime error: left shift of negative value -95 Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c225da68cffbea11270a758ff42859194c980863) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 8a843f54d7..f61dbf91e0 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c 
@@ -643,7 +643,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride, ox1 = ox1 * (1 << (BIT_DEPTH - 8)); for (y = 0; y < height; y++) { for (x = 0; x < width; x++) { - dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1)); } src += srcstride; dst += dststride; From 53ff525c50441442ac1262128ded3134b4010503 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2017 21:10:17 +0200 Subject: [PATCH 1288/1352] avcodec/hevc_ps: Fix c?_qp_offset_list size Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]' Fixes:3175/clusterfuzz-testcase-minimized-4736774054084608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit abf3f9fa232409c00b60041464604a91fa5612c0) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index c71ab55000..d7e0d52de7 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -537,8 +537,8 @@ typedef struct HEVCPPS { uint8_t chroma_qp_offset_list_enabled_flag; uint8_t diff_cu_chroma_qp_offset_depth; uint8_t chroma_qp_offset_list_len_minus1; - int8_t cb_qp_offset_list[5]; - int8_t cr_qp_offset_list[5]; + int8_t cb_qp_offset_list[6]; + int8_t cr_qp_offset_list[6]; uint8_t log2_sao_offset_scale_luma; uint8_t log2_sao_offset_scale_chroma; From ace2a2a7e47f87c20850ea62d32a3e0119dc4685 Mon Sep 17 00:00:00 2001 
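Review bot: The arrays `cb_qp_offset_list` and `cr_qp_offset_list` in HEVCPPS grow from 5 to 6 entries as bare literals, while the index bound lives in the parser that reads `chroma_qp_offset_list_len_minus1`, which is not part of this hunk. If the parser accepts any value above 5, the out-of-bounds index reported in the commit message is only moved by one element, so the upper-bound check there should be confirmed. A comment on the fields, e.g. `/* chroma_qp_offset_list_len_minus1 is at most 5, hence 6 entries */`, or a shared constant used by both the declaration and the check, would keep the two in step.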
From: Michael Niedermayer Date: Sun, 17 Sep 2017 02:42:11 +0200 Subject: [PATCH 1289/1352] avcodec/pngdec: Clean up on av_frame_ref() failure Fixes: memleak Fixes: 3203/clusterfuzz-testcase-minimized-4514553595428864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 5480e82d77770e81e897a8c217f3c7f0c13a6de1) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 986cde3719..9b236a245b 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -888,7 +888,7 @@ exit_loop: metadata = NULL; if ((ret = av_frame_ref(data, s->picture.f)) < 0) - return ret; + goto the_end; *got_frame = 1; From eb505747a7aa1deaccc34416e6f4d398de54cb53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Sep 2017 17:03:55 +0200 Subject: [PATCH 1290/1352] avcodec/svq3: Fix overflow in svq3_add_idct_c() Fixes: runtime error: signed integer overflow: 2147392585 + 524288 cannot be represented in type 'int' Fixes: 3348/clusterfuzz-testcase-minimized-4809500517203968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c933c51687db958d8045d25ed87848342e869f6) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 39b063358d..7360cf27fb 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c 
@@ -228,7 +228,7 @@ void ff_svq3_add_idct_c(uint8_t *dst, int16_t *block, const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; - const int rr = (dc + 0x80000); + const int rr = (dc + 0x80000u); dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); From 2ccc30217ace340b3cbbda2b771aa1e05110de30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Sep 2017 17:26:09 +0200 Subject: [PATCH 1291/1352] avcodec/ffv1dec: Fix integer overflow in read_quant_table() Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d00fc952b6c261dd8eb0f7552b9ccf985dbc2b20) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 2456d6c0d1..7e9130aa3b 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -480,7 +480,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale) memset(state, 128, sizeof(state)); for (v = 0; i < 128; v++) { - unsigned len = get_symbol(c, state, 0) + 1; + unsigned len = get_symbol(c, state, 0) + 1U; if (len > 128 - i) return AVERROR_INVALIDDATA; From ff55cf8d5469f9923d2637a46641b68ba31145fd Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 18 Sep 2017 02:53:25 +0200 Subject: [PATCH 1292/1352] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() Fixes: runtime error: signed integer overflow: 161 * 13872281 cannot be represented in type 'int' Fixes: 3295/clusterfuzz-testcase-minimized-4738998142500864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 67da2685e03805230207daab83ab43a390fbb887) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 455fa622a7..3b6b8b171b 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -102,10 +102,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((-8*(b0+b8) + 21*(b1+b7) - 46*(b2+b6) + 161*(b3+b5) + 128) >> 8)) + (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) + (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) From cf05ade8f1a596e6a547b9d82c046d7da540baf7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:26 +0200 Subject: [PATCH 1293/1352] avcodec/takdec: Fix integer overflows in decode_subframe() Fixes: runtime error: signed integer overflow: -1562477869 + -691460395 cannot be represented in type 'int' Fixes: 3196/clusterfuzz-testcase-minimized-4528307146063872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit 3dabb9c69db114b1f30c30e0a2788cffc50bac40) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 0fedc7864b..886ca8a27f 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -472,10 +472,10 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { - v += s->residues[i + j + 3] * s->filter[j + 3] + - s->residues[i + j + 2] * s->filter[j + 2] + - s->residues[i + j + 1] * s->filter[j + 1] + - s->residues[i + j ] * s->filter[j ]; + v += s->residues[i + j + 3] * (unsigned)s->filter[j + 3] + + s->residues[i + j + 2] * (unsigned)s->filter[j + 2] + + s->residues[i + j + 1] * (unsigned)s->filter[j + 1] + + s->residues[i + j ] * (unsigned)s->filter[j ]; } v = (av_clip(v >> filter_quant, -8192, 8191) << dshift) - *decoded; *decoded++ = v; From 48e14c4de099b103311044d406de843cf6df3542 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:28 +0200 Subject: [PATCH 1294/1352] avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift Fixes: runtime error: shift exponent 42 is too large for 32-bit type 'unsigned int' Fixes: 3410/clusterfuzz-testcase-minimized-5313377960198144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f5eaf0b5956e492ee5023929669b1d09aaf6299) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index a1d497f049..91bc5acd23 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c 
@@ -263,6 +263,8 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons \ if (q > switch_bits) { /* exp golomb */ \ bits = exp_order - switch_bits + (q<<1); \ + if (bits > MIN_CACHE_BITS) \ + return AVERROR_INVALIDDATA; \ val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \ ((switch_bits + 1) << rice_order); \ SKIP_BITS(re, gb, bits); \ @@ -282,7 +284,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons static const uint8_t dc_codebook[7] = { 0x04, 0x28, 0x28, 0x4D, 0x4D, 0x70, 0x70}; -static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, +static av_always_inline int decode_dc_coeffs(GetBitContext *gb, int16_t *out, int blocks_per_slice) { int16_t prev_dc; @@ -306,6 +308,7 @@ static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, out[0] = prev_dc; } CLOSE_READER(re, gb); + return 0; } // adaptive codebook switching lut according to previous run/level values @@ -372,7 +375,8 @@ static int decode_slice_luma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; @@ -405,7 +409,8 @@ static int decode_slice_chroma(AVCodecContext *avctx, SliceContext *slice, init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; From f1a272b7b4883ee30f71653ab33f8a6c201803bc Mon Sep 17 00:00:00 2001 
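Review bot: The added `return AVERROR_INVALIDDATA;` sits inside the DECODE_CODEWORD macro in libavcodec/proresdec2.c, so every function that expands the macro gains a hidden exit path and must have an int return type, yet the macro carries no hint of this. The commit adapts decode_dc_coeffs() and its two callers accordingly, but a later user of the macro has nothing to warn them. A comment on the macro definition, for example `/* may return AVERROR_INVALIDDATA from the enclosing function, before CLOSE_READER() */`, would make the control flow visible. The macro definition begins outside the hunk.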
From: Michael Niedermayer Date: Fri, 22 Sep 2017 20:45:27 +0200 Subject: [PATCH 1295/1352] avcodec/takdec: Fix integer overflow in decode_lpc() Fixes: runtime error: signed integer overflow: 16748560 + 2143729712 cannot be represented in type 'int' Fixes: 3202/clusterfuzz-testcase-minimized-4988291642294272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d31f03a0264cac24434c8108daef4ccba6d28f9) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 886ca8a27f..738f1e4a4b 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -192,7 +192,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) int a1 = *coeffs++; for (i = 0; i < length - 1 >> 1; i++) { *coeffs += a1; - coeffs[1] += *coeffs; + coeffs[1] += (unsigned)*coeffs; a1 = coeffs[1]; coeffs += 2; } From 4b4c7935da5366a61df9862563be1ea128d2fbe4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Sep 2017 22:23:26 +0200 Subject: [PATCH 1296/1352] avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized Fixes: OOM Fixes: 2225/clusterfuzz-testcase-minimized-5505632079708160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 64e034da954125ef98fb8f9153f9706cdb8a96fe) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index 4312f8187b..99261a28f4 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c 
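Review bot: In decode_lpc() in libavcodec/takdec.c only `coeffs[1] += (unsigned)*coeffs;` is made wrap-safe, while the context line directly above it, `*coeffs += a1;`, still adds two signed values (`int a1` and an int32_t element) that come from the same coded data. If input can push one sum past INT_MAX it can presumably do the same to the other, so I would change that line to `*coeffs += (unsigned)a1;` in the same commit. The rest of the function is outside the hunk, so additions in its other modes may need the same treatment.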
@@ -252,6 +252,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, // update precincts size: 2^n value reslevel->log2_prec_width = codsty->log2_prec_widths[reslevelno]; reslevel->log2_prec_height = codsty->log2_prec_heights[reslevelno]; + if (!reslevel->log2_prec_width || !reslevel->log2_prec_height) { + return AVERROR_INVALIDDATA; + } /* Number of bands for each resolution level */ if (reslevelno == 0) From 636fa97e8845959a465b5b30d2996ce9805159dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2017 04:18:21 +0200 Subject: [PATCH 1297/1352] avcodec/hevcdsp_template: Fix undefined shift Fixes: runtime error: left shift of negative value -255 Fixes: 3373/clusterfuzz-testcase-minimized-5604083912146944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fbdab6eca7874fbeba6aa79c269f345e4d43f5d4) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index f61dbf91e0..b7aa22e79a 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1536,7 +1536,7 @@ static void FUNC(put_hevc_epel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; From 599ca5438aec5f9402b569544d3384fa08eeefda Mon Sep 17 00:00:00 2001 
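Review bot: The new check in ff_jpeg2000_init_component() (libavcodec/jpeg2000.c) treats a zero `log2_prec_width` or `log2_prec_height` as "never initialized" and returns without logging anything. If an exponent of 0 can also be a legitimately coded value for some resolution level, this rejects a valid stream, so the sentinel should be confirmed against the code that fills `codsty->log2_prec_widths`, which is not part of this patch. The return also happens inside the per-resolution-level loop, and whether the caller frees what earlier iterations set up is not visible here. At minimum I would add an error log line before the return and a comment stating that 0 means the coding style was never parsed.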
From: Michael Niedermayer Date: Mon, 2 Oct 2017 04:18:22 +0200 Subject: [PATCH 1298/1352] avcodec/proresdec2: SKIP_BITS() does not work with len=32 Fixes: invalid shift Fixes: 3482/clusterfuzz-testcase-minimized-5446915875405824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c37138e01a93da2f9dd2cc5d4b77e5a38581d130) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 91bc5acd23..97b0d5f606 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -263,7 +263,7 @@ static int decode_picture_header(AVCodecContext *avctx, const uint8_t *buf, cons \ if (q > switch_bits) { /* exp golomb */ \ bits = exp_order - switch_bits + (q<<1); \ - if (bits > MIN_CACHE_BITS) \ + if (bits > FFMIN(MIN_CACHE_BITS, 31)) \ return AVERROR_INVALIDDATA; \ val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \ ((switch_bits + 1) << rice_order); \ From d006160115d1989ca08a2a96d36044d12795fa1a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2017 18:54:06 +0200 Subject: [PATCH 1299/1352] avcodec/truemotion2: Fix integer overflows in tm2_high_chroma() Fixes: runtime error: signed integer overflow: -1408475220 + -1408475220 cannot be represented in type 'int' Fixes: 3336/clusterfuzz-testcase-minimized-5656839179993088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44874b4f5ec2c605c70393573b9d85540ebc2d81) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 7c38ce1853..9976dcbc75 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c 
@@ -456,7 +456,7 @@ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *de } } -static inline void tm2_high_chroma(int *data, int stride, int *last, int *CD, int *deltas) +static inline void tm2_high_chroma(int *data, int stride, int *last, unsigned *CD, int *deltas) { int i, j; for (j = 0; j < 2; j++) { From f19ac557a57f30e7d8ce78768a6e844cff99a743 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Oct 2017 21:41:54 +0200 Subject: [PATCH 1300/1352] avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta Fixes: runtime error: signed integer overflow: -104713 * 65536 cannot be represented in type 'int' Fixes: 3453/clusterfuzz-testcase-minimized-5555554657239040 Fixes: 3528/clusterfuzz-testcase-minimized-6283628420005888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e38f280fece38e270a6462a02cc034f4116a7912) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 79 +++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 39 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index ce91108c7a..ec889e4422 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -176,6 +176,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int sprite_ref[4][2]; int virtual_ref[2][2]; int64_t sprite_offset[2][2]; + int64_t sprite_delta[2][2]; // only true for rectangle shapes const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 }, 
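Review bot: Changing the parameter to `unsigned *CD` in tm2_high_chroma() (libavcodec/truemotion2.c) fixes the overflow purely through the pointer's type, and the patch touches no call site. If the callers still pass an int array, each call becomes an int*-to-unsigned* conversion that compilers report under -Wpointer-sign; the callers are outside the hunk, so this needs checking. Either the array's declared type should change together with the parameter, or the signature should stay `int *CD` with the cast placed at the addition inside the body. The function body continues past the hunk.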
@@ -259,10 +260,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g sprite_offset[0][1] = sprite_offset[1][0] = sprite_offset[1][1] = 0; - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = ctx->sprite_shift[1] = 0; break; @@ -273,10 +274,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g a * (vop_ref[0][0] / 2); sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = ctx->sprite_shift[1] = 0; break; @@ -301,10 +302,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); - s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); - s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); - s->sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); + sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); + sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); + sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); + sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); ctx->sprite_shift[0] = alpha + rho; ctx->sprite_shift[1] = alpha + rho + 2; 
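Review bot: In the hunk at -301 of mpeg4_decode_sprite_trajectory() the four assignments such as `sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]);` now store into the new int64_t array, but the right-hand side is still evaluated in int, because `sprite_ref` is `int[4][2]` and no operand is widened. The later case in the same function (hunk at -329) adds `(int64_t)` casts for exactly this product, so this case looks missed. I would write `(-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0])` and the same for the other three lines; the type of `r` is declared outside the hunk.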
@@ -329,28 +330,28 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; - s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; - s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; - s->sprite_delta[1][1] = (-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3; + sprite_delta[0][0] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0]) * h3; + sprite_delta[0][1] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[1][0]) * w3; + sprite_delta[1][0] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[0][1]) * h3; + sprite_delta[1][1] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[1][1]) * w3; ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; } /* try to simplify the situation */ - if (s->sprite_delta[0][0] == a << ctx->sprite_shift[0] && - s->sprite_delta[0][1] == 0 && - s->sprite_delta[1][0] == 0 && - s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { + if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && + sprite_delta[0][1] == 0 && + sprite_delta[1][0] == 0 && + sprite_delta[1][1] == a << ctx->sprite_shift[0]) { sprite_offset[0][0] >>= ctx->sprite_shift[0]; sprite_offset[0][1] >>= ctx->sprite_shift[0]; sprite_offset[1][0] >>= ctx->sprite_shift[1]; sprite_offset[1][1] >>= ctx->sprite_shift[1]; - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = 0; - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = 0; + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = 0; ctx->sprite_shift[1] = 0; s->real_sprite_warping_points = 1; 
@@ -362,8 +363,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g if (shift_c < 0 || shift_y < 0 || FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || - FFABS(s->sprite_delta[0][i]) >= INT_MAX >> shift_y || - FFABS(s->sprite_delta[1][i]) >= INT_MAX >> shift_y + FFABS( sprite_delta[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_delta[1][i]) >= INT_MAX >> shift_y ) { avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); goto overflow; 
@@ -373,22 +374,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g for (i = 0; i < 2; i++) { sprite_offset[0][i] *= 1 << shift_y; sprite_offset[1][i] *= 1 << shift_c; - s->sprite_delta[0][i] *= 1 << shift_y; - s->sprite_delta[1][i] *= 1 << shift_y; + sprite_delta[0][i] *= 1 << shift_y; + sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; } for (i = 0; i < 2; i++) { int64_t sd[2] = { - s->sprite_delta[i][0] - a * (1LL<<16), - s->sprite_delta[i][1] - a * (1LL<<16) + sprite_delta[i][0] - a * (1LL<<16), + sprite_delta[i][1] - a * (1LL<<16) }; - if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || - llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + if (llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || @@ -402,10 +403,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->real_sprite_warping_points = ctx->num_sprite_warping_points; } - s->sprite_offset[0][0] = sprite_offset[0][0]; - s->sprite_offset[0][1] = sprite_offset[0][1]; - s->sprite_offset[1][0] = sprite_offset[1][0]; - s->sprite_offset[1][1] = sprite_offset[1][1]; + for (i = 0; i < 4; i++) { + s->sprite_offset[i&1][i>>1] = sprite_offset[i&1][i>>1]; + s->sprite_delta [i&1][i>>1] = sprite_delta [i&1][i>>1]; + } return 0; overflow: 
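Review bot: In the range check of the hunk at -373, `llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX` multiplies the `[i][1]` delta by `w`, whereas the lines above it pair `sprite_delta[i][1]` with `(h+16LL)`; it looks like a copy of the preceding line and probably should read `llabs(sprite_delta[i][1] * (h+16LL)) >= INT_MAX`. The expression is carried over from the old code, but these checks are what justify narrowing the int64_t temporaries back into `s->sprite_delta` in the new copy loop at the end of the function, so it is worth correcting here. A short comment on that copy loop saying the values were range-checked above would help, since the destination field type is declared outside this patch.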
From bf10b862fa1d09d9983c63da4ecae80ebe68c28e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2017 01:46:28 +0200 Subject: [PATCH 1301/1352] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: 3485/clusterfuzz-testcase-minimized-4940429332054016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bdee75a4e750735ab3039f004275ac8479072048) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 3b6b8b171b..8970a8602a 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -84,10 +84,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); // shared stuff for simd optimizations #define COMPOSE_53iL0(b0, b1, b2)\ - (b1 - ((b0 + b2 + 2) >> 2)) + (b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2)) #define COMPOSE_DIRAC53iH0(b0, b1, b2)\ - (b1 + ((b0 + b2 + 1) >> 1)) + (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) From d893253fcd93d11258e98857175e93be7d158708 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2017 11:49:28 +0200 Subject: [PATCH 1302/1352] avcodec/ffv1dec: Fix out of array read in slice counting MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: test-201710.mp4 Found-by: 连一汉 and Zhibin Hu Signed-off-by: Michael Niedermayer (cherry picked from commit c20f4fcb74da2d0432c7b54499bb98f48236b904) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 7e9130aa3b..0b8eef9384 100644 --- a/libavcodec/ffv1dec.c 
+++ b/libavcodec/ffv1dec.c @@ -787,7 +787,7 @@ static int read_header(FFV1Context *f) } else { const uint8_t *p = c->bytestream_end; for (f->slice_count = 0; - f->slice_count < MAX_SLICES && 3 < p - c->bytestream_start; + f->slice_count < MAX_SLICES && 3 + 5*!!f->ec < p - c->bytestream_start; f->slice_count++) { int trailer = 3 + 5*!!f->ec; int size = AV_RB24(p-trailer); From 453da701192a7bb77fd7d85af9e7a5e04dfd19e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Oct 2017 03:06:53 +0200 Subject: [PATCH 1303/1352] avcodec/pafvideo: Check for bitstream end in decode_0() Fixes: Timeout Fixes: 3529/clusterfuzz-testcase-5057068371279872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c85329cd02e9284892bf263ce6133b2fc479792) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 9aedbc0ebe..72287e7b56 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -181,6 +181,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code) dend = c->frame[page] + c->frame_size; offset = (x & 0x7F) * 2; j = bytestream2_get_le16(&c->gb) + offset; + if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16) + return AVERROR_INVALIDDATA; do { offset++; if (dst + 3 * c->width + 4 > dend) @@ -198,7 +200,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code) do { set_src_position(c, &src, &send); if ((src + 3 * c->width + 4 > send) || - (dst + 3 * c->width + 4 > dend)) + (dst + 3 * c->width + 4 > dend) || + bytestream2_get_bytes_left(&c->gb) < 4) return AVERROR_INVALIDDATA; copy_block4(dst, src, c->width, c->width, 4); i++; From 209bd75519a3177c8411c0dc42984cc885be92c9 Mon Sep 17 00:00:00 2001 
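Review bot: The loop condition in read_header() (libavcodec/ffv1dec.c) now spells out `3 + 5*!!f->ec`, while the first statement of the loop body computes the same value again as `int trailer = 3 + 5*!!f->ec;`, so the bound and the read offset can drift apart if only one of them is edited. Declaring `const int trailer = 3 + 5*!!f->ec;` next to `p` and writing the condition as `trailer < p - c->bytestream_start` ties the check to the `AV_RB24(p-trailer)` read it protects. The loop body continues outside the hunk.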
From: Michael Niedermayer Date: Fri, 13 Oct 2017 03:06:54 +0200 Subject: [PATCH 1304/1352] avcodec/snowdec: Check mv_scale Fixes: runtime error: signed integer overflow: 2 * -1094995530 cannot be represented in type 'int' Fixes: 3512/clusterfuzz-testcase-minimized-4812747210489856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 393d6fc7395611a38792e3c271b2be42ac45e672) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index b139e5c5aa..a95a5e398e 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -369,9 +369,10 @@ static int decode_header(SnowContext *s){ s->mv_scale += get_symbol(&s->c, s->header_state, 1); s->qbias += get_symbol(&s->c, s->header_state, 1); s->block_max_depth+= get_symbol(&s->c, s->header_state, 1); - if(s->block_max_depth > 1 || s->block_max_depth < 0){ + if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth); s->block_max_depth= 0; + s->mv_scale = 0; return AVERROR_INVALIDDATA; } if (FFABS(s->qbias) > 127) { From 84b83ecbfd4f42be64e9e125348204647d4afb01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Oct 2017 00:02:56 +0200 Subject: [PATCH 1305/1352] avcodec/jpeglsdec: Check ilv for being a supported value Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe533628b9604e2f8e5179d5c5dd17c3cb764265) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 7d25953068..62c8189c94 100644 
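Review bot: When the new `s->mv_scale > 256U` condition in decode_header() (libavcodec/snowdec.c) is the one that fails, the log still prints `block_max_depth= %d is too large` with the block_max_depth value, which points whoever triages a rejected file at the wrong field. I would give mv_scale its own `if` with a message that names it, e.g. `av_log(s->avctx, AV_LOG_ERROR, "mv_scale %d is too large\n", s->mv_scale);`, and keep the reset and return there. A brief comment that the `256U` comparison also rejects negative values through the unsigned conversion would help as well; the declared type of mv_scale is outside the hunk.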
--- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -422,6 +422,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, avpriv_report_missing_feature(s->avctx, "Sample interleaved images"); ret = AVERROR_PATCHWELCOME; goto end; + } else { /* unknown interleaving */ + avpriv_report_missing_feature(s->avctx, "Unknown interleaved images"); + ret = AVERROR_PATCHWELCOME; + goto end; } if (s->xfrm && s->nb_components == 3) { From c1cd31b182bd187e9bf6f6187d63f79571b6aad9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Oct 2017 00:02:57 +0200 Subject: [PATCH 1306/1352] avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f80224ed19a4c012549fd460d529c7c04e68cf21) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 62c8189c94..dea02ff8e8 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -224,6 +224,9 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, while (x < w) { int err, pred; + if (get_bits_left(&s->gb) <= 0) + return; + /* compute gradients */ Ra = x ? R(dst, x - stride) : R(last, x); Rb = R(last, x); From 80b6f5d1dc7e2f741119b0c545793c0df459a9b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Oct 2017 23:21:40 +0100 Subject: [PATCH 1307/1352] avcodec/xan: Improve overlapping check Fixes: memcpy-param-overlap Fixes: 3612/clusterfuzz-testcase-minimized-6393461273001984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e8fafef1db43ead4eae5a6301ccc300e73aa47da) 
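Review bot: The new `if (get_bits_left(&s->gb) <= 0) return;` in ls_decode_line() (libavcodec/jpeglsdec.c) ends the line silently: the function returns void, so the caller cannot tell a truncated line from a decoded one, and the remaining samples of `dst` keep whatever they held before. That bounds the decode time, but a truncated stream is then presumably still reported as a successfully decoded picture. Consider making ls_decode_line() return int and propagating AVERROR_INVALIDDATA to the caller, or at least document at the early return that the rest of the line is left untouched. The callers and the rest of the function are outside the hunk.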
Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 968464c65b..639b7a1334 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -262,7 +262,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, AVFrame *frame, prevframe_index = (y + motion_y) * stride + x + motion_x; prevframe_x = x + motion_x; - if (prev_palette_plane == palette_plane && FFABS(curframe_index - prevframe_index) < pixel_count) { + if (prev_palette_plane == palette_plane && FFABS(motion_x + width*motion_y) < pixel_count) { avpriv_request_sample(s->avctx, "Overlapping copy\n"); return ; } From 805923f2303e68e3fffdbeba5ddded50f8f4315c Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 12 Apr 2017 01:46:30 +0200 Subject: [PATCH 1308/1352] avformat: Free the internal codec context at the end Avoid a use after free in avformat_find_stream_info. (cherry picked from commit 9e4a5eb51b9f3b2bff0ef08e0074b7fe4893075d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index f6d82d2927..52216e314f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3273,12 +3273,6 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) } av_opt_set(ic, "skip_clear", "0", AV_OPT_SEARCH_CHILDREN); - // close codecs which were opened in try_decode_frame() - for (i = 0; i < ic->nb_streams; i++) { - st = ic->streams[i]; - avcodec_close(st->codec); - } - ff_rfps_calculate(ic); for (i = 0; i < ic->nb_streams; i++) { @@ -3387,6 +3381,7 @@ find_stream_info_err: ic->streams[i]->codec->thread_count = 0; if (st->info) av_freep(&st->info->duration_error); + avcodec_close(st->codec); av_freep(&ic->streams[i]->info); } if (ic->pb) From f5fd06f12671650fe25f1cc16d555cfc3def7c89 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 3 Nov 2017 17:48:29 +0100 Subject: [PATCH 1309/1352] avcodec/xan: Check for bitstream end in xan_huffman_decode() Fixes: Timeout Fixes: 3707/clusterfuzz-testcase-6465922706440192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4b51437dccd62fc5491280db44e3c21b44aeeb3f) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 639b7a1334..cc33597d87 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -130,7 +130,10 @@ static int xan_huffman_decode(uint8_t *dest, int dest_len, return ret; while (val != 0x16) { - unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + unsigned idx; + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; + idx = val - 0x17 + get_bits1(&gb) * byte; if (idx >= 2 * byte) return AVERROR_INVALIDDATA; val = src[idx]; From 50c4028ee53d01ea01b8699fbcb05410ac9aa77a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Nov 2017 01:19:20 +0100 Subject: [PATCH 1310/1352] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() Fixes: runtime error: signed integer overflow: -503316480 + -2013265038 cannot be represented in type 'int' Fixes: 3805/clusterfuzz-testcase-minimized-6578427831255040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e131b8cedb00043dcc97cc05ca04749ec8ff57de) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index abf888ed96..e402c9636b 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c 
@@ -91,10 +91,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){ const int a5 = -block[i+1*8] + block[i+7*8] + block[i+5*8] + (block[i+5*8]>>1); const int a7 = block[i+3*8] + block[i+5*8] + block[i+1*8] + (block[i+1*8]>>1); - const int b1 = (a7>>2) + a1; - const int b3 = a3 + (a5>>2); - const int b5 = (a3>>2) - a5; - const int b7 = a7 - (a1>>2); + const int b1 = (a7>>2) + (unsigned)a1; + const int b3 = (unsigned)a3 + (a5>>2); + const int b5 = (a3>>2) - (unsigned)a5; + const int b7 = (unsigned)a7 - (a1>>2); block[i+0*8] = b0 + b7; block[i+7*8] = b0 - b7; From c02dece8938ece9b7ff794528b982f3e7c152a23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Nov 2017 18:34:09 +0100 Subject: [PATCH 1311/1352] avcodec/cngdec: Fix integer clipping Fixes: runtime error: value -36211.7 is outside the range of representable values of type 'short' Fixes: 2992/clusterfuzz-testcase-6649611793989632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51090133b31bc719ea868db15d3ee38e9dbe90f1) Signed-off-by: Michael Niedermayer --- libavcodec/cngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index 855baaaa8d..194b9088e5 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -146,7 +146,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void *data, return ret; buf_out = (int16_t *)frame->data[0]; for (i = 0; i < avctx->frame_size; i++) - buf_out[i] = p->filter_out[i + p->order]; + buf_out[i] = av_clip_int16(p->filter_out[i + p->order]); memcpy(p->filter_out, p->filter_out + avctx->frame_size, p->order * sizeof(*p->filter_out)); From ccc81f846e324c45e55da1ad03e36b5962f4d6cc Mon Sep 17 00:00:00 2001 
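Review bot: In cng_decode_frame() (libavcodec/cngdec.c) `av_clip_int16()` takes an int argument, so `p->filter_out[i + p->order]` is converted from floating point to int before any clipping happens. That covers the value in the commit message (-36211.7), but if the filter output can ever exceed the int range the conversion itself is still undefined. Clamping in the floating-point domain first, e.g. `buf_out[i] = av_clip_int16(av_clipf(p->filter_out[i + p->order], -32768, 32767));`, closes that case. The element type of filter_out is declared outside the hunk and is inferred here from the sanitizer message.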
From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:05 +0100 Subject: [PATCH 1312/1352] avcodec/snowdec: Fix integer overflow in header parsing Fixes: 3984/clusterfuzz-testcase-minimized-5265759929368576 Fixes: runtime error: signed integer overflow: -1085585801 + -1094995529 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c897a9285846b6a072b9650976afd4f091b7a71f) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index a95a5e398e..ce1d21126f 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -349,7 +349,7 @@ static int decode_header(SnowContext *s){ } } - s->spatial_decomposition_type+= get_symbol(&s->c, s->header_state, 1); + s->spatial_decomposition_type+= (unsigned)get_symbol(&s->c, s->header_state, 1); if(s->spatial_decomposition_type > 1U){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not supported\n", s->spatial_decomposition_type); return AVERROR_INVALIDDATA; @@ -365,10 +365,10 @@ static int decode_header(SnowContext *s){ } - s->qlog += get_symbol(&s->c, s->header_state, 1); - s->mv_scale += get_symbol(&s->c, s->header_state, 1); - s->qbias += get_symbol(&s->c, s->header_state, 1); - s->block_max_depth+= get_symbol(&s->c, s->header_state, 1); + s->qlog += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->mv_scale += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->qbias += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->block_max_depth+= (unsigned)get_symbol(&s->c, s->header_state, 1); if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth); s->block_max_depth= 0; 
From 8b46a951f9f7c1b5cefdf7620cc4d60b0a236a41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:06 +0100 Subject: [PATCH 1313/1352] avcodec/mdct_*: Fix integer overflow in addition in RESCALE() Fixes: runtime error: signed integer overflow: 1219998458 - -1469874012 cannot be represented in type 'int' Fixes: 3443/clusterfuzz-testcase-minimized-5369987105554432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 770c934fa1635f4fadf5db4fc5cc5ad15d82455a) Signed-off-by: Michael Niedermayer --- libavcodec/mdct_fixed.c | 8 ++++---- libavcodec/mdct_template.c | 14 +++++++------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/libavcodec/mdct_fixed.c b/libavcodec/mdct_fixed.c index a32cb00ca0..aabf0c88f8 100644 --- a/libavcodec/mdct_fixed.c +++ b/libavcodec/mdct_fixed.c @@ -39,13 +39,13 @@ void ff_mdct_calcw_c(FFTContext *s, FFTDouble *out, const FFTSample *input) /* pre rotation */ for(i=0;i> 6) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6) #else /* FFT_FIXED_32 */ -# define RSCALE(x) ((x) >> 1) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1) #endif /* FFT_FIXED_32 */ #endif @@ -175,13 +175,13 @@ void ff_mdct_calc_c(FFTContext *s, FFTSample *out, const FFTSample *input) /* pre rotation */ for(i=0;i Date: Mon, 13 Nov 2017 20:47:48 +0100 Subject: [PATCH 1314/1352] avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu Fixes: out of array read Fixes: 3516/attachment-311488.dat Found-by: Insu Yun, Georgia Tech. Tested-by: wuninsu@gmail.com Signed-off-by: Michael Niedermayer (cherry picked from commit 58cf31cee7a456057f337b3102a03206d833d5e8) Signed-off-by: Michael Niedermayer --- libavcodec/x86/mpegvideodsp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/mpegvideodsp.c b/libavcodec/x86/mpegvideodsp.c index 941a8e2e4c..5dcfd76a61 100644 
--- a/libavcodec/x86/mpegvideodsp.c +++ b/libavcodec/x86/mpegvideodsp.c @@ -53,8 +53,9 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src, const int dyh = (dyy - (1 << (16 + shift))) * (h - 1); const int dxh = dxy * (h - 1); const int dyw = dyx * (w - 1); - int need_emu = (unsigned) ix >= width - w || - (unsigned) iy >= height - h; + int need_emu = (unsigned) ix >= width - w || width < w || + (unsigned) iy >= height - h || height< h + ; if ( // non-constant fullpel offset (3% of blocks) ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) | From d2f929357d595dddb2132018a39d6779e7294dc2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Oct 2017 18:04:44 +0200 Subject: [PATCH 1315/1352] avcodec/h264dec: Fix potential array overread add padding before scantable arrays See: 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a Signed-off-by: Michael Niedermayer (cherry picked from commit 380b48fb9fdc7b0c40d67e026f9b3accb12794eb) Signed-off-by: Michael Niedermayer --- libavcodec/h264.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 2c975934a2..bf9f4e12cb 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -521,6 +521,7 @@ typedef struct H264Context { uint8_t *direct_table; uint8_t direct_cache[5 * 8]; + uint8_t scan_padding[16]; uint8_t zigzag_scan[16]; uint8_t zigzag_scan8x8[64]; uint8_t zigzag_scan8x8_cavlc[64]; From a6b1298a42866c4b22a4f36218fcb2182172081f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 21:17:15 +0100 Subject: [PATCH 1316/1352] avcodec/snowdec: Check intra block dc differences. Fixes: Timeout Fixes: 3142/clusterfuzz-testcase-5007853163118592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3b9bbcc6edf2d83fe4857484cfa0839872188c6) 
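Review bot: The new `width < w` and `height < h` guards in gmc_mmx are written after the unsigned comparisons they protect, and the statement ends with `height< h` and a `;` on a line of its own. Assuming `width`, `w`, `height` and `h` are plain ints, `width - w` is converted to unsigned by the comparison, so a negative difference becomes a huge bound and the old test reported that no emulation was needed. Putting the guards first makes that reading order obvious: `int need_emu = width < w || height < h ||` followed by the two original comparisons. A comment such as `/* width - w and height - h wrap when compared as unsigned */` would keep the guards from being removed later as redundant. gmc_mmx starts and ends outside the hunk.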
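Review bot: `scan_padding[16]` only does its job while it sits directly in front of `zigzag_scan`, and nothing at the declaration says so. Judging from the commit title, some reader of the scantables can index before the start of the array; the padding makes that read land in owned memory but it is still an out-of-bounds index on `zigzag_scan`, so the reader itself deserves a follow-up. At minimum add a comment on the field, e.g. `/* guard bytes for reads that start before zigzag_scan; must stay immediately ahead of it */`, so a later reordering of H264Context does not silently remove the protection.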
Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index ce1d21126f..752d39108b 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -158,13 +158,22 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); type= get_rac(&s->c, &s->block_state[1 + left->type + top->type]) ? BLOCK_INTRA : 0; - if(type){ + int ld, cbd, crd; pred_mv(s, &mx, &my, 0, left, top, tr); - l += get_symbol(&s->c, &s->block_state[32], 1); + ld = get_symbol(&s->c, &s->block_state[32], 1); + if (ld < -255 || ld > 255) { + return AVERROR_INVALIDDATA; + } + l += ld; if (s->nb_planes > 2) { - cb+= get_symbol(&s->c, &s->block_state[64], 1); - cr+= get_symbol(&s->c, &s->block_state[96], 1); + cbd = get_symbol(&s->c, &s->block_state[64], 1); + crd = get_symbol(&s->c, &s->block_state[96], 1); + if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) { + return AVERROR_INVALIDDATA; + } + cb += cbd; + cr += crd; } }else{ if(s->ref_frames > 1) From 500925587b8eb38c6a6b1ed8c340a7bf15ab8b0a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 21:17:16 +0100 Subject: [PATCH 1317/1352] avcodec/snowdec: Check for remaining bitstream in decode_blocks() Fixes: Timeout Fixes: 3142/clusterfuzz-testcase-5007853163118592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4527ec2216109867498edc3ac8a17fd879b5d017) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 752d39108b..5f3332459c 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c 
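Review bot: The three new range checks in the `if(type)` branch of decode_q_branch return AVERROR_INVALIDDATA without an av_log call, while the decode_header checks in the same file report what was rejected. A single line such as `av_log(s->avctx, AV_LOG_ERROR, "intra dc difference out of range\n");` before each return keeps rejected streams diagnosable. The limit of 255 also bounds the differences only; `l`, `cb` and `cr` after the addition can still leave the 0..255 range unless they are clipped later, which the hunk does not show. decode_q_branch starts and ends outside the hunk.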
@@ -413,6 +413,8 @@ static int decode_blocks(SnowContext *s){ for(y=0; yc.bytestream >= s->c.bytestream_end) + return AVERROR_INVALIDDATA; if ((res = decode_q_branch(s, 0, x, y)) < 0) return res; } From 56b1146dbbec5d949ee35b88e24abaa4b4ea2145 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Sep 2017 01:28:07 +0200 Subject: [PATCH 1318/1352] avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() Fixes: Timeout Fixes: 3200/clusterfuzz-testcase-5750022136135680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65e0a7c473f23f1833538ffecf53c81fe500b5e4) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dec.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c index d9cbfd15ed..af6c25ded2 100644 --- a/libavcodec/wmv2dec.c +++ b/libavcodec/wmv2dec.c @@ -29,7 +29,7 @@ #include "wmv2.h" -static void parse_mb_skip(Wmv2Context *w) +static int parse_mb_skip(Wmv2Context *w) { int mb_x, mb_y; MpegEncContext *const s = &w->s; @@ -44,6 +44,8 @@ static void parse_mb_skip(Wmv2Context *w) MB_TYPE_16x16 | MB_TYPE_L0; break; case SKIP_TYPE_MPEG: + if (get_bits_left(&s->gb) < s->mb_height * s->mb_width) + return AVERROR_INVALIDDATA; for (mb_y = 0; mb_y < s->mb_height; mb_y++) for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -51,6 +53,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_ROW: for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = 
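Review bot: In the SKIP_TYPE_ROW loop of parse_mb_skip the added `get_bits_left(&s->gb) < 1` test covers only the one-bit row flag. The branch taken when the flag is clear lies outside the hunk; if it reads one bit per macroblock, those reads are not bounded the way the SKIP_TYPE_MPEG case is by its `s->mb_height * s->mb_width` pre-check. The SKIP_TYPE_COL hunk that follows has the same shape. A check at the top of that branch, `if (get_bits_left(&s->gb) < s->mb_width) return AVERROR_INVALIDDATA;` (`s->mb_height` for the column case), would close the gap.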
@@ -64,6 +68,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_COL: for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_y = 0; mb_y < s->mb_height; mb_y++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -76,6 +82,7 @@ static void parse_mb_skip(Wmv2Context *w) } break; } + return 0; } static int decode_ext_header(Wmv2Context *w) @@ -169,9 +176,12 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } } else { int cbp_index; + int ret; w->j_type = 0; - parse_mb_skip(w); + ret = parse_mb_skip(w); + if (ret < 0) + return ret; cbp_index = decode012(&s->gb); if (s->qscale <= 10) { int map[3] = { 0, 2, 1 }; @@ -360,6 +370,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) w->hshift = 0; return 0; } + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_mb_non_intra_vlc[w->cbp_table_index].table, MB_NON_INTRA_VLC_BITS, 3); @@ -370,6 +382,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) cbp = code & 0x3f; } else { s->mb_intra = 1; + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_msmp4_mb_i_vlc.table, MB_INTRA_VLC_BITS, 2); if (code < 0) { av_log(s->avctx, AV_LOG_ERROR, From 216a9a1236c93aed026e4b829bf1998aa343980f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Nov 2017 03:40:07 +0100 Subject: [PATCH 1319/1352] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() Fixes: 4035/clusterfuzz-testcase-minimized-6479308925173760 Fixes: runtime error: signed integer overflow: 9 * 402653183 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 73964680d7bce6d81ddc553a24d73e9a1c9156f9) 
Signed-off-by: Michael Niedermayer
---
 libavcodec/dirac_dwt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 8970a8602a..6992f087f8 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -93,7 +93,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))
 #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
- (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5))
+ (b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))
 #define COMPOSE_HAARiL0(b0, b1)\
 (b0 - ((b1 + 1) >> 1))
From a756841102b7ce681addf701942286b87911c542 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 15 Nov 2017 17:11:12 +0100
Subject: [PATCH 1320/1352] avcodec/zmbv: Check that the buffer is large enough for mvec
Fixes: Timeout
Fixes: 4143/clusterfuzz-testcase-4736864637419520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 2ab9568a2c3349039eec29fb960fe39de354b514)
Signed-off-by: Michael Niedermayer
---
 libavcodec/zmbv.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 82ae169ef4..ed526b4d0a 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -539,6 +539,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
 } else {
 frame->key_frame = 0;
 frame->pict_type = AV_PICTURE_TYPE_P;
+ if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * ((c->height + c->bh - 1) / c->bh))
+ return AVERROR_INVALIDDATA;
 if (c->decomp_len)
 c->decode_xor(c);
 }
From 5fae049904c51fe211b5aefc8651b3a2ca8c2bce Mon Sep 17 00:00:00 2001
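Review bot: The outer `b2 - (...)` in COMPOSE_DD137iL0 is still a signed int subtraction, and `-b0` is still negated as an int before the unsigned arithmetic starts, so both can overflow for extreme coefficients. The COMPOSE_FIDELITYi* and COMPOSE_DAUB97* changes later in this series cast the leading operand as well; the same treatment here would be `((unsigned)(b2) - ((int)(-(unsigned)(b0) + 9U*(b1) + 9U*(b3) - (b4) + 16) >> 5))`. That makes the macro's result unsigned, so the callers (not visible in the hunk) need to store it back into an int as the other macros' callers presumably do.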
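Review bot: With the new size test placed in front of it, `if (c->decomp_len)` in the inter-frame branch can only be false when the computed block count is zero, so an inter frame with an empty payload is now rejected instead of skipped. If that is intended, drop the redundant test or state it in a comment; if empty inter frames are valid "no change" frames, the guard should read `if (c->decomp_len && c->decomp_len < 2LL * ...)`. The expression also divides by `c->bw` and `c->bh`, and the hunk does not show where those are checked for zero. decode_frame starts and ends outside the hunk.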
From: Michael Niedermayer
Date: Wed, 15 Nov 2017 03:38:37 +0100
Subject: [PATCH 1321/1352] avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()
Fixes: runtime error: left shift of negative value -7862264
Fixes: 4074/clusterfuzz-testcase-minimized-4516104123711488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 4f7f70738e8dd77a698a5e28bba552ea7064af21)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mlpdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c
index fbafa92d72..4e3a16c781 100644
--- a/libavcodec/mlpdsp.c
+++ b/libavcodec/mlpdsp.c
@@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
 (1U << output_shift[mat_ch]);
 lossless_check_data ^= (sample & 0xffffff) << mat_ch;
 if (is32)
- *data_32++ = sample << 8;
+ *data_32++ = sample * 256;
 else
 *data_16++ = sample >> 8;
 }
From 8b8016e0073b1c7fc14d05e3cf929d8f114207bb Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 17 Nov 2017 22:01:29 +0100
Subject: [PATCH 1322/1352] avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()
Fixes: runtime error: left shift of negative value -255
Fixes: 4037/clusterfuzz-testcase-minimized-5290998163832832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 7d88586e4728e97349f98e07ff782bb168ab96c3)
Signed-off-by: Michael Niedermayer
---
 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index b7aa22e79a..8672adbd49 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -1457,7 +1457,7 @@ static void FUNC(put_hevc_epel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From 490b7a052ebb54eb2bc12128b83bd1b2dfca6243 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 16:05:30 -0800 Subject: [PATCH 1323/1352] Fix undefined shift on assumed 8-bit input. decode_user_data() attempts to create an integer |build| value with 8 bits of spacing for 3 components. However each component is an int32_t, so shifting each component is undefined for values outside of the 8 bit range. This patch simply clamps input to 8-bits per component and prints out a warning that the values were clamped. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 7010dd98b575d2e39fca947e609b85be7490b269) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index ec889e4422..410dbbfa2f 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -2136,8 +2136,15 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb) e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", &ver, &ver2, &ver3, &build); if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1; - if (e > 1) - build = (ver << 16) + (ver2 << 8) + ver3; + if (e > 1) { + if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) { + av_log(s->avctx, AV_LOG_WARNING, + "Unknown Lavc version string encountered, %d.%d.%d; " + "clamping sub-version values to 8-bits.\n", + ver, ver2, ver3); + } + build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 0xFF); + } } if (e != 4) { if (strcmp(buf, "ffmpeg") == 0) From 8e50cf48663116b9c836de6032cc33d8e884acf6 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 20 Nov 2017 12:07:57 -0800 Subject: [PATCH 1324/1352] Close ogg stream upon error when using AV_EF_EXPLODE. Without this there can be multiple memory leaks for unrecognized ogg streams. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit bce8fc0754c4b31f574a4372c6d7996ed29f7c2a) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index b1caf98f29..4c68b3d4a8 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -685,8 +685,10 @@ static int ogg_read_header(AVFormatContext *s) "Headers mismatch for stream %d: " "expected %d received %d.\n", i, os->codec->nb_header, os->nb_header); - if (s->error_recognition & AV_EF_EXPLODE) + if (s->error_recognition & AV_EF_EXPLODE) { + ogg_read_close(s); return AVERROR_INVALIDDATA; + } } if (os->start_granule != OGG_NOGRANULE_VALUE) os->lastpts = s->streams[i]->start_time = From 554dda998c58a5ee88597185569a066ee0a829f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Nov 2017 03:15:53 +0100 Subject: [PATCH 1325/1352] avcodec/mpeg4videodec: Check also for negative versions in the validity check 
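Review bot: The warning in decode_user_data says the version components are clamped, but `(ver & 0xFF)` masks them: 256 becomes 0, not 255, so a malformed "Lavc" string can alias the `build` number of a genuine old release. Since `build` comes from stream user data, an aliased value could select behaviour meant for a different encoder version, depending on how it is used outside the hunk. Either clamp for real, `build = (av_clip_uint8(ver) << 16) + (av_clip_uint8(ver2) << 8) + av_clip_uint8(ver3);`, or reword the message to say the values are masked. decode_user_data starts and ends outside the hunk.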
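Review bot: `ogg_read_close(s)` is called on this one AV_EF_EXPLODE return in ogg_read_header, inside the per-stream loop. Two things are not visible from the hunk and are worth confirming: that the function's other error returns free the stream state as well, and that ogg_read_close tolerates a second call in case the caller also runs the demuxer's close callback after a failed header read. A comment on the call, e.g. `/* read_header failure: free per-stream buffers here, the caller will not */`, would record which side owns the cleanup.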
Signed-off-by: Michael Niedermayer (cherry picked from commit 0e7865ce4152f8b04cda6a698bbee4fd4a94009d) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 410dbbfa2f..d9d5e27c69 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2137,7 +2137,7 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb) if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1; if (e > 1) { - if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) { + if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) { av_log(s->avctx, AV_LOG_WARNING, "Unknown Lavc version string encountered, %d.%d.%d; " "clamping sub-version values to 8-bits.\n", From e37d3cfe1de27b779d7c88d080613d0a1eb16375 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Nov 2017 03:15:16 +0100 Subject: [PATCH 1326/1352] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* Fixes: runtime error: signed integer overflow: -2143827186 - 7404944 cannot be represented in type 'int' Fixes: 4354/clusterfuzz-testcase-minimized-4671122764201984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b6964f764382742bb052a1ee3b7167cac35332f) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 6992f087f8..cf6e83cb13 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
@@ -102,10 +102,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) + ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) + ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) From 17934af052a487624ad35a0970eeadba579be0c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Nov 2017 20:14:54 +0100 Subject: [PATCH 1327/1352] avcodec/kgv1dec: Check that there is enough input for maximum RLE compression Fixes: Timeout Fixes: 4271/clusterfuzz-testcase-4676667768307712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3aad94bf2b140cfba8ae69d018da05d4948ef37f) Signed-off-by: Michael Niedermayer --- libavcodec/kgv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index b81ba75325..8b51b64c3b 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h = (buf[1] + 1) * 8; buf += 2; + if (avpkt->size < 2 + w*h / 513) + return AVERROR_INVALIDDATA; + if (w != avctx->width || h != avctx->height) { av_freep(&c->frame_buffer); av_freep(&c->last_frame_buffer); From 540b64235a0e014da8e2055db1e77ce72df208bb Mon Sep 17 00:00:00 2001 
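Review bot: In COMPOSE_FIDELITYiL0 and COMPOSE_FIDELITYiH0 the new cast is written `(unsigned)b4`, which binds to the first token of whatever expression is passed as `b4`. The COMPOSE_DAUB97* change later in this series writes `(unsigned)(b1)`; the same form here, `((unsigned)(b4) - ((int)(...) >> 8))`, keeps the overflow fix intact when an argument is a compound expression. The inner `(b0+(unsigned)b8)` terms have the same hygiene gap.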
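Review bot: The constant in `avpkt->size < 2 + w*h / 513` is not explained anywhere in the hunk, so the next reader cannot tell whether the bound is exact or a heuristic. A comment such as `/* smallest valid packet: 2 header bytes plus w*h pixels at the best RLE ratio */`, with the derivation of 513, would fix that. The check also sits after `buf[1]` has been read and `buf += 2`; if no earlier test guarantees `avpkt->size >= 2` (decode_frame starts outside the hunk), the header bytes are read before any length validation and the new check would be better placed ahead of them.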
From: Michael Niedermayer
Date: Mon, 20 Nov 2017 18:45:45 +0100
Subject: [PATCH 1328/1352] avcodec/mlpdsp: Fix signed integer overflow, 2nd try
The outputted bits should match what is used in the lossless check
Fixes: runtime error: signed integer overflow: -538697856 * 256 cannot be represented in type 'int'
Fixes: 4326/clusterfuzz-testcase-minimized-5689449645080576
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 97c00edaa043043c29d985653e7e1687b56dfa23)
Signed-off-by: Michael Niedermayer
---
 libavcodec/mlpdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c
index 4e3a16c781..32a4503b64 100644
--- a/libavcodec/mlpdsp.c
+++ b/libavcodec/mlpdsp.c
@@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
 (1U << output_shift[mat_ch]);
 lossless_check_data ^= (sample & 0xffffff) << mat_ch;
 if (is32)
- *data_32++ = sample * 256;
+ *data_32++ = sample * 256U;
 else
 *data_16++ = sample >> 8;
 }
From 57a9f159e01d729ea16780c9c8c11739cdf4c77a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 30 Nov 2017 21:27:37 +0100
Subject: [PATCH 1329/1352] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()
Fixes: runtime error: left shift of negative value -127
Fixes: 4397/clusterfuzz-testcase-minimized-4779061080489984
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0409d333115e623b5ccdbb364d64ca2a52fd8467)
Signed-off-by: Michael Niedermayer
---
 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 8672adbd49..948d139ce4 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -1405,7 +1405,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From f42e64a21f3b7bb1de93d549ec61987ec25f4982 Mon Sep 17 00:00:00 2001 From: James Zern Date: Mon, 19 Oct 2015 22:44:11 -0700 Subject: [PATCH 1330/1352] libvpxenc: remove some unused ctrl id mappings VP8E_UPD_ENTROPY, VP8E_UPD_REFERENCE, VP8E_USE_REFERENCE were removed from libvpx and the remaining values were never used here Reviewed-by: Michael Niedermayer Signed-off-by: James Zern (cherry picked from commit 6540fe04a3f9a11ba7084a49b3ee5fa2fc5b32ab) Signed-off-by: Michael Niedermayer --- libavcodec/libvpxenc.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 6177133b85..e10d3a407b 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c 
@@ -101,19 +101,11 @@ typedef struct VP8EncoderContext { /** String mappings for enum vp8e_enc_control_id */ static const char *const ctlidstr[] = { - [VP8E_UPD_ENTROPY] = "VP8E_UPD_ENTROPY", - [VP8E_UPD_REFERENCE] = "VP8E_UPD_REFERENCE", - [VP8E_USE_REFERENCE] = "VP8E_USE_REFERENCE", - [VP8E_SET_ROI_MAP] = "VP8E_SET_ROI_MAP", - [VP8E_SET_ACTIVEMAP] = "VP8E_SET_ACTIVEMAP", - [VP8E_SET_SCALEMODE] = "VP8E_SET_SCALEMODE", [VP8E_SET_CPUUSED] = "VP8E_SET_CPUUSED", [VP8E_SET_ENABLEAUTOALTREF] = "VP8E_SET_ENABLEAUTOALTREF", [VP8E_SET_NOISE_SENSITIVITY] = "VP8E_SET_NOISE_SENSITIVITY", - [VP8E_SET_SHARPNESS] = "VP8E_SET_SHARPNESS", [VP8E_SET_STATIC_THRESHOLD] = "VP8E_SET_STATIC_THRESHOLD", [VP8E_SET_TOKEN_PARTITIONS] = "VP8E_SET_TOKEN_PARTITIONS", - [VP8E_GET_LAST_QUANTIZER] = "VP8E_GET_LAST_QUANTIZER", [VP8E_SET_ARNR_MAXFRAMES] = "VP8E_SET_ARNR_MAXFRAMES", [VP8E_SET_ARNR_STRENGTH] = "VP8E_SET_ARNR_STRENGTH", [VP8E_SET_ARNR_TYPE] = "VP8E_SET_ARNR_TYPE", From ad780b0b9162a8e25e2915032078b6ef6ce72701 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Nov 2017 23:42:04 +0100 Subject: [PATCH 1331/1352] avcodec/j2kenc: Fix out of array access in encode_cblk() Fixes: 4427/clusterfuzz-testcase-minimized-5106919271301120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0674087004538599797688785f6ac82358abc23b) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 60e211e7e3..2b0322e88a 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c 
@@ -663,7 +663,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, Jpeg2000T1Context *t1, Jpeg20 cblk->ninclpasses = passno; // TODO: optional flush on each pass - cblk->passes[passno-1].rate = ff_mqc_flush(&t1->mqc); + if (passno) + cblk->passes[passno-1].rate = ff_mqc_flush(&t1->mqc); } /* tier-2 routines: */ From 6ecf356b4939e23e45a524f668447965d5c6229c Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 13:35:56 -0800 Subject: [PATCH 1332/1352] avformat/utils: Prevent undefined shift with wrap_bits > 64. 2LL << (wrap_bits=64 - 1) does not fit in int64_t; change the code to use a uint64_t (2ULL) and add an av_assert2() to ensure wrap_bits <= 64. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 03fbc0daa7e37af024f8b017a28105c32bbe25ca) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 52216e314f..71dde3da52 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1437,13 +1437,14 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; + av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && - (av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2LL << (wrap_bits - 1)) < 0)) { - if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2LL << (wrap_bits - 1))) { + av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { + if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2ULL << (wrap_bits - 1))) { // not B-frame next_pkt->pts = pktl->pkt.dts; } From 17bfddeb399b3fed1ccacd1d9b0d2ca65cee1041 Mon Sep 17 00:00:00 2001 
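Review bot: `av_assert2(wrap_bits <= 64)` in av_read_frame is only compiled in when the build's assert level is 2 or higher, so in ordinary builds nothing bounds `wrap_bits` before `2ULL << (wrap_bits - 1)`. The assertion also leaves out `wrap_bits <= 0`, where the shift count is negative. If `pts_wrap_bits` can be set from demuxed data or by the caller (not visible here), an explicit guard such as `if (wrap_bits < 1 || wrap_bits > 64)` that skips the comparison gives protection that survives release builds. The assert is placed between the `wrap_bits` and `last_dts` declarations, which turns `last_dts` into a declaration after a statement; moving it below `last_dts` avoids that. av_read_frame starts and ends outside the hunk.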
From: Dale Curtis
Date: Wed, 22 Nov 2017 10:58:39 -0800
Subject: [PATCH 1333/1352] avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.
Signed-off-by: Dale Curtis
Signed-off-by: Michael Niedermayer
(cherry picked from commit 9648cc6d7fdbb0a260bed1e3e23300569cff9579)
Signed-off-by: Michael Niedermayer
---
 libavcodec/vorbis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index 86d10407f4..61c395e71e 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -105,7 +105,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num)
 exit_at_level[i] = 0;
 // construct code (append 0s to end) and introduce new exits
 for (j = i + 1 ;j <= bits[p]; ++j)
- exit_at_level[j] = code + (1 << (j - 1));
+ exit_at_level[j] = code + (1u << (j - 1));
 codes[p] = code;
 #ifdef DEBUG
From b40b3ddcfcd114f6e67de6e05c3afd77d5de8406 Mon Sep 17 00:00:00 2001
From: Dale Curtis
Date: Tue, 28 Nov 2017 14:26:55 -0800
Subject: [PATCH 1334/1352] Don't manipulate duration when it's AV_NOPTS_VALUE.
This leads to signed integer overflow.
Signed-off-by: Dale Curtis
Signed-off-by: James Almer
(cherry picked from commit c5fd57f483d2ad8e34551b78509f1e14136f73c0)
Signed-off-by: Michael Niedermayer
---
 libavformat/oggparsevp8.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c
index 5959d32b6a..e3ca775d22 100644
--- a/libavformat/oggparsevp8.c
+++ b/libavformat/oggparsevp8.c
@@ -116,7 +116,7 @@ static int vp8_packet(AVFormatContext *s, int idx)
 os->lastpts = os->lastdts = vp8_gptopts(s, idx, os->granule, NULL) - duration;
 if(s->streams[idx]->start_time == AV_NOPTS_VALUE) {
 s->streams[idx]->start_time = os->lastpts;
- if (s->streams[idx]->duration)
+ if (s->streams[idx]->duration && s->streams[idx]->duration != AV_NOPTS_VALUE)
 s->streams[idx]->duration -= s->streams[idx]->start_time;
 }
 }
From c479098b630879d7b3081e9b354bdd66a140e5d8 Mon Sep 17 00:00:00 2001
From: Dale Curtis
Date: Thu, 30 Nov 2017 12:20:36 -0800
Subject: [PATCH 1335/1352] avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.
Didn't notice this one when 9648cc6d was landed.
Signed-off-by: Dale Curtis
Signed-off-by: Michael Niedermayer
(cherry picked from commit 95bacb521af8cd28f146f045437c9f75717a493a)
Signed-off-by: Michael Niedermayer
---
 libavcodec/vorbis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index 61c395e71e..80d5198c62 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -73,7 +73,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num)
 if (bits[p] > 32)
 return AVERROR_INVALIDDATA;
 for (i = 0; i < bits[p]; ++i)
- exit_at_level[i+1] = 1 << i;
+ exit_at_level[i+1] = 1u << i;
 #ifdef DEBUG
 av_log(NULL, AV_LOG_INFO, " %u. of %u code len %d code %d - ", p, num, bits[p], codes[p]);
From f9ae19faf4a1b3373cee205797d6bec61934e389 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 2 Dec 2017 21:48:04 +0100
Subject: [PATCH 1336/1352] avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*
Fixes: 4478/clusterfuzz-testcase-minimized-4752113767809024
Fixes: runtime error: signed integer overflow: -2147483626 + -319489 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 5e9a13a5a33bf7566591216e335f2529612100bb)
Signed-off-by: Michael Niedermayer
---
 libavcodec/dirac_dwt.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index cf6e83cb13..7189818d05 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -108,16 +108,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) + ((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) + ((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) + ((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) + ((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From a4f65c998e0737201fff4419b4b5c4f798c424fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Dec 2017 15:32:54 +0100 Subject: [PATCH 1337/1352] avcodec/amrwbdec: Fix division by 0 in voice_factor() The added value matches "Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code (3GPP TS 26.304 version 14.0.0 Release 14) Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code" Fixes: runtime error: division by zero Fixes: 4415/clusterfuzz-testcase-minimized-4677752314658816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d0817d56b66797118880358ea7d7a2acfdca429) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 34f6df55b3..38dd99d6b4 100644 --- a/libavcodec/amrwbdec.c 
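Review bot: The four COMPOSE_DAUB97i* macros in libavcodec/dirac_dwt.h now evaluate to `unsigned` instead of `int`, because `(unsigned)(b1)` is the left operand of the outer `-`/`+`. That is harmless when the result is stored straight into a signed element, but any caller that compares, divides or right-shifts the macro result would silently switch to unsigned semantics; the call sites are outside this hunk. Casting the whole expression back keeps the wrap-around arithmetic and the old result type, e.g. `(int)((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))`. The `b0` and `(unsigned)b2` operands are also unparenthesised, so `(unsigned)(b2)` would be safer against expression arguments.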
+++ b/libavcodec/amrwbdec.c @@ -614,7 +614,7 @@ static float voice_factor(float *p_vector, float p_gain, AMRWB_SFR_SIZE) * f_gain * f_gain; - return (p_ener - f_ener) / (p_ener + f_ener); + return (p_ener - f_ener) / (p_ener + f_ener + 0.01); } /** From 6ca07f581236ea048fab177d078f240b2f80f1f4 Mon Sep 17 00:00:00 2001 From: Jun Zhao Date: Mon, 4 Dec 2017 12:50:34 +0800 Subject: [PATCH 1338/1352] avfilter/formats: fix wrong function name in error message Use perdefined micro __FUNCTION__ rather than hard coding function name to fix wrong function name in error message. Signed-off-by: Jun Zhao Signed-off-by: Michael Niedermayer (cherry picked from commit 4280948702bc256e21c375790b889c735d233b0d) Signed-off-by: Michael Niedermayer --- libavfilter/formats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index 816042987d..71caf169f8 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -72,7 +72,7 @@ do { for (j = 0; j < b->nb; j++) \ if (a->fmts[i] == b->fmts[j]) { \ if(k >= FFMIN(a->nb, b->nb)){ \ - av_log(NULL, AV_LOG_ERROR, "Duplicate formats in avfilter_merge_formats() detected\n"); \ + av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __FUNCTION__); \ av_free(ret->fmts); \ av_free(ret); \ return NULL; \ From 49703a39f394296ca44f8003f03d9eea3eff34d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 13:06:30 +0100 Subject: [PATCH 1339/1352] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() Fixes: runtime error: left shift of negative value -3 Fixes: 4524/clusterfuzz-testcase-minimized-6055590120914944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 439fbb9c8b2a90e97c44c7c57245e01ca84c865d) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
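Review bot: In voice_factor() (libavcodec/amrwbdec.c) the added `0.01` is a double literal, so the denominator and the division are now carried out in double and narrowed on return; if single precision is intended, `0.01f` keeps the expression in float. The constant also shifts the result for every input, not only the zero-energy case, so a short comment naming the reference the commit message cites would explain why it is there: `/* + 0.01 as in the 3GPP TS 26.304 reference code; avoids 0/0 */`. The function starts outside the hunk, so the declared types of p_ener and f_ener are not visible.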
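Review bot: `__FUNCTION__` in the duplicate-formats message (libavfilter/formats.c) is a compiler extension; the standard C99 spelling is `__func__`, which gives the same string: `av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __func__);`. Because the line sits inside a multi-line macro, the name printed is that of whichever function expands the macro, which is the intent of the change. The macro definition begins and ends outside the hunk.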
diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 948d139ce4..9bea9a6875 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1101,7 +1101,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; From a3df874b5a88c782dddba4880a8d52b4b9730949 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 17:50:12 +0100 Subject: [PATCH 1340/1352] avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 13ebcd3ede..570534bd44 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -154,11 +154,15 @@ static int decode_nal_sei_message(HEVCContext *s) av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n"); while (byte == 0xFF) { + if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_type += byte; } byte = 0xFF; while (byte == 0xFF) { + if (get_bits_left(gb) < 8 + 8LL*payload_size) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_size += byte; } From 2ce4f01d5962d2f66b879f4186321cee8d23c281 Mon Sep 17 00:00:00 2001 
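Review bot: The rounding term `(ox0 + ox1 + 1) * (1 << log2Wd)` in put_hevc_qpel_bi_w_hv() (libavcodec/hevcdsp_template.c) is loop-invariant but is recomputed for every pixel, and the same expression is patched separately in the put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_v() hunks of PATCH 1345. Computing it once before the loops, `const int rnd = (ox0 + ox1 + 1) * (1 << log2Wd);`, and using `rnd` inside av_clip_pixel() would keep the shift-free form in one place per function and make a missed variant easier to spot. The outer `>> (log2Wd + 1)` still right-shifts a sum that can be negative, which is implementation-defined rather than undefined; a short comment saying that an arithmetic shift is assumed would document it. The function's declarations are outside the hunk.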
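Review bot: In decode_nal_sei_message() (libavcodec/hevc_sei.c) the second loop tests `get_bits_left(gb) < 8 + 8LL*payload_size` before the next byte is added, so the final payload_size is never compared with what is left in the bitstream inside this hunk. A last byte below 0xFF can still push payload_size past the remaining data; unless the code after the loop (outside the hunk) checks it, a line such as `if (get_bits_left(gb) < 8LL * payload_size) return AVERROR_INVALIDDATA;` after the loop would close that. The payload_size loop also has no explicit `INT_MAX - 255` test like the payload_type loop; it is bounded only indirectly through get_bits_left(), which deserves a one-line comment.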
From: Michael Niedermayer Date: Fri, 15 Dec 2017 18:17:13 +0100 Subject: [PATCH 1341/1352] avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() Fixes: signed integer overflow: 2147483647 + 1073741824 cannot be represented in type 'int' Fixes: 4555/clusterfuzz-testcase-minimized-4505532481142784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ee143558d55b590774dba69cff5a16eda089a4d) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 54b17945af..60cc5d0d5a 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -685,8 +685,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return AVERROR_INVALIDDATA; + } while (k--) suffix_val += get_cabac_bypass(&s->HEVClc->cc) << k; From d758323bfaecf27cbd57fd7a442fc29bde9289c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2017 03:06:14 +0100 Subject: [PATCH 1342/1352] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 33554433 cannot be represented in type 'int' Fixes: 4563/clusterfuzz-testcase-minimized-5438979567517696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4d70fbeec8cbab072b3a9b9f760b8deaaef240f2) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 7189818d05..acefd3b3d3 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h 
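Review bot: ff_hevc_cu_qp_delta_abs() (libavcodec/hevc_cabac.c) now returns AVERROR_INVALIDDATA through the same int that carries the decoded magnitude, so the error is only effective if every caller tests the result for `< 0` before using it as a QP delta. The callers are outside this hunk; if one does not check, the negative code would be consumed as data. A doc comment on the function, e.g. `/* Returns the absolute QP delta, or a negative AVERROR code on a malformed prefix. */`, would make the new contract explicit. The `suffix_val += 1 << k` line in the context is still a signed shift-and-add whose bound depends on CABAC_MAX_BIN, which is defined elsewhere.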
@@ -90,10 +90,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) + (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)) + (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ (b0 - ((b1 + 1) >> 1)) From 52b7672ef65407ea32b6f17262712ddb894acd73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2017 03:12:03 +0100 Subject: [PATCH 1343/1352] avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) Fixes: runtime error: left shift of negative value -180 Fixes: 4626/clusterfuzz-testcase-minimized-5647837887987712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9ab5ef9c1ee852c80c859c9e07efe8730b57ed) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 9bea9a6875..da21f9216a 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -152,7 +152,7 @@ static void FUNC(transform_skip)(int16_t *_coeffs, int16_t log2_size) } else { for (y = 0; y < size; y++) { for (x = 0; x < size; x++) { - *coeffs = *coeffs << -shift; + *coeffs = *(uint16_t*)coeffs << -shift; coeffs++; } } From 5d18394d089cbdf04c04484c9bdac21334a00aa4 Mon Sep 17 00:00:00 2001 
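Review bot: In COMPOSE_DD97iH0 and COMPOSE_DD137iL0 (libavcodec/dirac_dwt.h) the inner sum still starts with `-b0`, which is negated in the argument's own type before it meets the `9U*b1` term; for an int argument equal to INT_MIN that negation is itself a signed overflow. Reordering so the unsigned term comes first keeps the whole sum in unsigned arithmetic: `(int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 + 8) >> 4)))`, and likewise with `+ 16) >> 5` for COMPOSE_DD137iL0. The macro arguments are also used unparenthesised (`9U*b1`, `- b4`), so expression arguments would bind wrongly; the call sites are outside the hunk.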
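Review bot: `*(uint16_t*)coeffs << -shift` in libavcodec/hevcdsp_template.c gets its unsigned operand by casting the pointer; casting the value, `*coeffs = (uint16_t)*coeffs << -shift;`, yields the same bits and avoids the pointer cast. Either way the uint16_t operand is promoted to int before the shift, so the fix holds only while `-shift` stays small enough that the shifted value fits in int; the computation of shift is outside the hunk. The hunk header names transform_skip while the commit title names FUNC(dequant), and the enclosing function's start is not visible, so a comment at the shift stating why the operand is made unsigned would help the next reader.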
From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:43 +0100 Subject: [PATCH 1344/1352] avcodec/flacdec: avoid undefined shift Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 4688/clusterfuzz-testcase-minimized-6572210748653568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 560daf88913b0de59a4d845bcd19254b406388dd) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index ad9ee071c5..efd017fb52 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -403,7 +403,7 @@ static inline int decode_subframe(FLACContext *s, int channel) return AVERROR_INVALIDDATA; } - if (wasted) { + if (wasted && wasted < 32) { int i; for (i = 0; i < s->blocksize; i++) decoded[i] = (unsigned)decoded[i] << wasted; From c745358efed4c7c85e829ab754553b2fc45bb5fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:45 +0100 Subject: [PATCH 1345/1352] avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() Fixes: left shift of negative value -1 Fixes: 4690/clusterfuzz-testcase-minimized-6117482428366848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d135f3c514ac1723256c8e0f5cdd466fe98a2578) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index da21f9216a..96ba2af9d6 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c 
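Review bot: In decode_subframe() (libavcodec/flacdec.c) a `wasted` value of 32 or more now skips the shift and decoding continues with unshifted samples, so a malformed subframe header produces output instead of an error. Rejecting the value where it is parsed would be more consistent with the `return AVERROR_INVALIDDATA` just above, e.g. `if (wasted >= 32) return AVERROR_INVALIDDATA;`. The parsing of `wasted` is outside the hunk, so whether a legitimate stream can reach 32 here should be confirmed before choosing between the two.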
@@ -965,7 +965,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -1020,7 +1020,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From b9a8b4f279df661c02c68f4f4c6370cb1244862c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:44 +0100 Subject: [PATCH 1346/1352] avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() Fixes: signed integer overflow: 2 * 1629495328 cannot be represented in type 'int' Fixes: 4716/clusterfuzz-testcase-minimized-5835915940331520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d23f7a0969bf76ad6dcdc2c4a5cd3ae884745a8) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index efd017fb52..407933e80c 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c 
@@ -280,7 +280,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, if (pred_order > 2) c = b - decoded[pred_order-2] + decoded[pred_order-3]; if (pred_order > 3) - d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - decoded[pred_order-4]; + d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4]; switch (pred_order) { case 0: From d304d7e794d0fcb9eb8995cba5d48f78d592e4f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Dec 2017 03:00:19 +0100 Subject: [PATCH 1347/1352] avcodec/exr: Check buf_size more completely Fixes: Out of heap array read Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 903be5e4f66268273dc6e3c42a7fdeaab32066ef) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 4dc975f4d1..694e18757f 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -847,7 +847,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, line_offset = AV_RL64(s->gb.buffer + jobnr * 8); // Check if the buffer has the required bytes needed from the offset - if (line_offset > buf_size - 8) + if (buf_size < 8 || line_offset > buf_size - 8) return AVERROR_INVALIDDATA; src = buf + line_offset + 8; @@ -856,7 +856,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, return AVERROR_INVALIDDATA; data_size = AV_RL32(src - 4); - if (data_size <= 0 || data_size > buf_size) + if (data_size <= 0 || data_size > buf_size - line_offset - 8) return AVERROR_INVALIDDATA; s->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); From f391eec032bad23de45345874f4fb7a5ef2f4cf4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2017 23:23:33 +0100 Subject: [PATCH 1348/1352] Update for 2.4.14 
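Review bot: In decode_subframe_fixed() (libavcodec/flacdec.c) `2U*decoded[pred_order-3]` makes only the multiplication and what follows it unsigned; the expression is evaluated left to right, so `c - decoded[pred_order-2]` is still computed in the operands' own type first. If `c` is declared int (the declaration is outside the hunk), that subtraction and the unchanged `c = b - decoded[pred_order-2] + decoded[pred_order-3];` line above it can overflow in the same way on crafted sample values. Casting the first operand covers the full expression: `d = (unsigned)c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4];`.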
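Review bot: The new bound `data_size > buf_size - line_offset - 8` in decode_block() (libavcodec/exr.c, hunk at -856) is only safe because the earlier hunk guarantees `line_offset <= buf_size - 8`, and it mixes buf_size and data_size with line_offset, which is read with AV_RL64; none of the declarations are visible in the hunk. A comment at the check would keep that dependency from being broken by a later edit: `/* line_offset <= buf_size - 8 was verified above, so the remaining size cannot wrap */`. decode_block() starts and ends outside both hunks.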
Signed-off-by: Michael Niedermayer --- Changelog | 440 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 442 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 47cf3eaa18..c839d0f85d 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,446 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.4.14: +- avcodec/exr: Check buf_size more completely +- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() +- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() +- avcodec/flacdec: avoid undefined shift +- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() +- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() +- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() +- avfilter/formats: fix wrong function name in error message +- avcodec/amrwbdec: Fix division by 0 in voice_factor() +- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* +- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. +- Don't manipulate duration when it's AV_NOPTS_VALUE. +- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. +- avformat/utils: Prevent undefined shift with wrap_bits > 64. +- avcodec/j2kenc: Fix out of array access in encode_cblk() +- libvpxenc: remove some unused ctrl id mappings +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() +- avcodec/mlpdsp: Fix signed integer overflow, 2nd try +- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* +- avcodec/mpeg4videodec: Check also for negative versions in the validity check +- Close ogg stream upon error when using AV_EF_EXPLODE. +- Fix undefined shift on assumed 8-bit input. 
+- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() +- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output() +- avcodec/zmbv: Check that the buffer is large enough for mvec +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() +- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() +- avcodec/snowdec: Check for remaining bitstream in decode_blocks() +- avcodec/snowdec: Check intra block dc differences. +- avcodec/h264dec: Fix potential array overread +- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu +- avcodec/mdct_*: Fix integer overflow in addition in RESCALE() +- avcodec/snowdec: Fix integer overflow in header parsing +- avcodec/cngdec: Fix integer clipping +- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() +- avcodec/xan: Check for bitstream end in xan_huffman_decode() +- avformat: Free the internal codec context at the end +- avcodec/xan: Improve overlapping check +- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() +- avcodec/jpeglsdec: Check ilv for being a supported value +- avcodec/snowdec: Check mv_scale +- avcodec/pafvideo: Check for bitstream end in decode_0() +- avcodec/ffv1dec: Fix out of array read in slice counting +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0() +- avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta +- avcodec/truemotion2: Fix integer overflows in tm2_high_chroma() +- avcodec/proresdec2: SKIP_BITS() does not work with len=32 +- avcodec/hevcdsp_template: Fix undefined shift +- avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized +- avcodec/takdec: Fix integer overflow in decode_lpc() +- avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift +- avcodec/takdec: Fix integer overflows in decode_subframe() +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() +- avcodec/ffv1dec: Fix integer overflow in read_quant_table() +- avcodec/svq3: 
Fix overflow in svq3_add_idct_c() +- avcodec/pngdec: Clean up on av_frame_ref() failure +- avcodec/hevc_ps: Fix c?_qp_offset_list size +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels +- avcodec/diracdec: Fix overflow in DC computation +- avformat/asfdec: Fix DoS in asf_build_simple_index() +- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting +- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() +- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() +- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. +- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() +- avformat/mvdec: Fix DoS due to lack of eof check +- avformat/rl2: Fix DoS due to lack of eof check +- avformat/cinedec: Fix DoS due to lack of eof check +- avformat/asfdec: Fix DoS due to lack of eof check +- avformat/hls: Fix DoS due to infinite loop +- ffprobe: Fix NULL pointer handling in color parameter printing +- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() +- avformat/aviobuf: Fix signed integer overflow in avio_seek() +- avformat/mov: Fix signed integer overflows with total_size +- avcodec/aacdec_template: Fix running cleanup in decode_ics_info() +- avcodec/me_cmp: Fix crashes on ARM due to misalignment +- avcodec/fic: Fixes signed integer overflow +- avcodec/snowdec: Fix off by 1 error +- avcodec/diracdec: Check perspective_exp and zrs_exp. 
+- avcodec/mpeg4videodec: Clear mcsel before decoding an image +- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* +- avformat/utils: fix memory leak in avformat_free_context +- avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() +- avcodec/diracdec: Fix integer overflow in divide3() +- avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 +- avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 +- avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 +- avformat/oggparsecelt: Do not re-allocate os->private +- doc/filters: typo in frei0r +- avcodec/wavpack: Fix invalid shift +- avcodec/vb: Check vertical GMC component before multiply +- avcodec/apedec: Fix integer overflow +- avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() +- avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 +- avcodec/wavpack: Fix integer overflow +- avcodec/takdec: Fix integer overflow +- avcodec/hevc_filter: Fix invalid shift +- avcodec/mpeg4videodec: Fix overflow in virtual_ref computation +- avcodec/wavpack: Fix undefined integer negation +- avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 +- avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 +- avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output +- avcodec/hevcpred_template: Fix left shift of negative value +- avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() +- avcodec/jpeg2000dec: Check nonzerobits more completely +- avcodec/shorten: Sanity check maxnlpc +- avcodec/hevcdec: Check nb_sps +- avcodec/hevc_refs: Check nb_refs in add_candidate_ref() +- avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. 
+- avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case +- avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' +- avcodec/snowdec: Fix runtime error: left shift of negative value -1 +- avcodec/tiff: Fix leak of geotags[].val +- avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' +- avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' +- avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' +- avcodec/pafvideo: Fix assertion failure +- avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' +- avcodec/mjpegdec: Check that reference frame matches the current frame +- avcodec/tiff: Avoid loosing allocated geotag values +- avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' +- avformat/hls: Check local file extensions +- avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' +- avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() +- avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' +- avcodec/cinepak: Check input packet size before frame reallocation +- avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' +- avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' +- avcodec/pnm: Use ff_set_dimensions() +- avcodec/cavsdec: Fix runtime 
error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' +- avformat/avidec: Limit formats in gab2 to srt and ass/ssa +- avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' +- avcodec/wavpack: Check float_shift +- avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' +- avcodec/ansi: Fix frame memleak +- avcodec/jpeg2000dec: Use ff_set_dimensions() +- avcodec/truemotion2: Fix passing null pointer to memset() +- avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' +- avcodec/webp: Fixes null pointer dereference +- avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' +- avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' +- avcodec/jpeg2000dec: Check tile offsets more completely +- avcodec/wnv1: More strict buffer size check +- avcodec/libfdk-aacdec: Correct buffer_size parameter +- avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 +- avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error +- avcodec/ra144dec: Fix runtime error: left shift of negative value -17 +- avutil/internal: Do not enable CHECKED with DEBUG +- avcodec/smc: Check remaining input +- avcodec/jpeg2000dec: Fix copy and paste error +- avcodec/jpeg2000dec: Check tile offsets +- avcodec/sanm: Fix uninitialized reference frames +- avcodec/jpeglsdec: Check get_bits_left() before decoding a picture +- avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 +- avcodec/mjpegdec: Fix runtime 
error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' +- avcodec/vmnc: Check location before use +- avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' +- avcodec/takdec: Fix runtime error: left shift of negative value -63 +- avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' +- avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context +- avcodec/mimic: Use ff_set_dimensions() to set the dimensions +- avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' +- avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 +- avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' +- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' +- avcodec/flicvideo: Check frame_size before decrementing +- avcodec/mlpdec: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix runtime error: left shift of negative value -42 +- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' +- avcodec/svq3: Fix runtime error: left shift of negative value -6 +- avcodec/tiff: reset sampling[] if its invalid +- avcodec/aacps: Fix undefined behavior +- avcodec/opus_silk: Fix integer overflow and out of array read +- avcodec/flacdec: Return error code instead of 0 for failures +- avcodec/snowdec: Check width +- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() +- avcodec/webp: Factor update_canvas_size() out +- avcodec/cllc: Check prefix +- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode +- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' +- 
libswscale/tests/swscale: Fix uninitialized variables +- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' +- avcodec/webp: Fix signedness in prefix_code check +- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' +- avcodec/mlpdec: Check that there is enough data for headers +- avcodec/ac3dec: Keep track of band structure +- avcodec/webp: Add missing input padding +- avcodec/aacsbr_template: Do not change bs_num_env before its checked +- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 +- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' +- avcodec/avcodec: Limit the number of side data elements per packet +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' +- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 +- avcodec/msmpeg4dec: Check for cbpy VLC errors +- avcodec/cllc: Check num_bits +- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers +- avcodec/dvbsubdec: Check entry_id +- avcodec/webp: Always set pix_fmt +- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 +- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' +- avformat/wavdec: Check chunk_size +- avcodec/cavs: Check updated MV +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' +- avcodec/lagarith: Check scale_factor +- avcodec/lagarith: Fix runtime error: left shift of negative value -1 +- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' +- avcodec/dvbsubdec: check region dimensions +- avcodec/vp8dsp: Fixes: runtime error: 
signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' +- avcodec/cavsdec: Check sym_factor +- avcodec/cdxl: Check format for BGR24 +- avcodec/ffv1dec: Fix copying planes of paletted formats +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' +- avcodec/xwddec: Check bpp more completely +- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' +- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' +- avcodec/g726: Fix runtime error: left shift of negative value -2 +- avcodec/ra144: Fix runtime error: left shift of negative value -798 +- avcodec/mss34dsp: Fix multiple signed integer overflow +- avcodec/targa_y216dec: Fix width type +- avcodec/ivi_dsp: Fix multiple left shift of negative value -2 +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' +- avcodec/msmpeg4dec: Correct table depth +- avcodec/cdxl: Check format parameter +- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from +- avcodec/shorten: Check k in get_uint() +- avcodec/webp: Fix null pointer dereference +- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' +- avcodec/mimic: Fix runtime error: left shift of negative value -1 +- avcodec/fic: Fix multiple left shift of negative value -15 +- avcodec/mlpdec: Fix runtime error: left shift of negative value -22 +- avcodec/snowdec: Check qbias +- avcodec/aacsbr_template: Do not leave bs_num_env invalid +- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' +- avcodec/dfa: Fix off by 1 error +- avcodec/nellymoser: Fix multiple left shift of negative value -8591 +- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' +- avcodec/wnv1: Fix runtime error: 
left shift of negative value -1 +- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' +- avcodec/cavsdec: Fix undefined behavior from integer overflow +- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' +- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit +- avcodec/msvideo1: Check buffer size before re-getting the frame +- avcodec/svq3: Increase offsets to prevent integer overflows +- avcodec/indeo2: Check remaining bits in ir2_decode_plane() +- avcodec/vp3: Check remaining bits in unpack_dct_coeffs() +- avcodec/mdec: Fix runtime error: left shift of negative value -127 +- libavcodec/exr : fix float to uint16 conversion for negative float value +- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter +- avformat/webmdashenc: Require the 'adaptation_sets' option to be set +- avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' +- avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() +- avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit +- avcodec/tiff: Check geotag count for being non zero +- avcodec/vp56: Check avctx->error_concealment before enabling EC +- avcodec/tiff: Check stripsize strippos for overflow +- avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 +- avcodec/tiff: Check for multiple geo key directories +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' +- avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 
cannot be represented in type 'int' +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 +- avcodec/wavpack: Fix runtime error: left shift of negative value -5 +- avcodec/wavpack: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' +- avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value +- avcodec/adxdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 +- avcodec/h264_direct: Fix runtime error: left shift of negative value -14 +- avcodec/pictordec: Check plane value before doing value/mask computations +- avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 +- avcodec/eac3dec: Fix runtime error: left shift of negative value -3 +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows +- avcodec/mpeg4videodec: Check sprite_offset in addition to shifts +- avcodec/mpeg4video: Fix runtime error: left shift of negative value +- avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 +- avcodec/rv40: Fix runtime error: left shift of negative value +- avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' +- avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 +- avcodec/eac3dec: Fix runtime error: left shift of negative value +- avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() +- avcodec/vp56: Reset have_undamaged_frame on resolution changes +- avcodec/vp8: Fix hang with slice threads +- avcodec/vp8: Check for the bitstream end 
per MB in decode_mb_row_no_filter() +- avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() +- avcodec/vp8: remove redundant check +- avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() +- avcodec/vp3: Do not return random positive values but the buf size +- avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() +- avcodec/vp56: Factorize vp56_render_mb() out +- avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' +- Add CHECK/SUINT code +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1 +- avcodec/vp56: Implement very basic error concealment +- avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1 +- avcodec/vp56: Fix sign typo +- avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding +- avcodec/pictordec: Do not read more than nb_planes +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value +- avcodec/wavpacl: Fix runtime error: left shift of negative value -1 +- avformat/http: Check for truncated buffers in http_connect() +- lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid +- lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr +- avcodec/pictordec: Fix logic error +- lavf/matroskadec: fix is_keyframe for early Blocks +- configure: bump year +- avcodec/interplayvideo: Move parameter change check up +- avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() +- avformat/flacdec: Check avio_read result when reading flac block header. 
+- avcodec/utils: correct align value for interplay +- avcodec/vp56: Check for the bitstream end, pass error codes on +- avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() +- avcodec/pngdec: Fix off by 1 size in decode_zbuf() +- avcodec/mjpegdec: Check for rgb before flipping +- avutil/random_seed: Reduce the time needed on systems with very low precission clock() +- avutil/random_seed: Improve get_generic_seed() with higher precission clock() +- avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory() +- avformat/oggdec: Skip streams in duration correction that did not had their duration set. +- avcodec/ffv1enc: Fix size of first slice +- ffserver: Check chunk size +- Avoid using the term "file" and prefer "url" in some docs and comments +- avformat/rtmppkt: Check for packet size mismatches +- zmqsend: Initialize ret to 0 +- avcodec/flacdec: Fix undefined shift in decode_subframe() +- avcodec/get_bits: Fix get_sbits_long(0) +- avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed() +- avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c +- avformat/oggparsespeex: Check frames_per_packet and packet_size +- avformat/utils: Check start/end before computing duration in update_stream_timings() +- avcodec/flac_parser: Update nb_headers_buffered +- avformat/idroqdec: Check chunk_size for being too large +- avformat/mpeg: Adjust vid probe threshold to correct mis-detection +- avcodec/rv40: Test remaining space in loop of get_dimension() +- avcodec/ituh263dec: Avoid spending a long time in slice sync +- avcodec/sunrast: Fix input buffer pointer check +- avcodec/tscc: Check side data size before use +- avcodec/rawdec: Check side data size before use +- avcodec/msvideo1: Check side data size before use +- avcodec/qpeg: Check side data size before use +- avcodec/qtrle: Check side data size before use +- avcodec/msrle: Check side data size before use +- avcodec/kmvc: Check side data size before use 
+- avcodec/idcinvideo: Check side data size before use +- avcodec/cinepak: Check side data size before use +- avcodec/8bps: Check side data size before use +- avcodec/dvdsubdec: Fix off by 1 error +- avcodec/dvdsubdec: Fix buf_size check +- vp9: change order of operations in adapt_prob(). +- avcodec/interplayvideo: Check side data size before use +- avcodec/utils: Clear MMX state before returning from avcodec_default_execute*() +- lavfi: fix typos +- videodsp: fix 1-byte overread in top/bottom READ_NUM_BYTES iterations. +- avformat/avidec: Check nb_streams in read_gab2_sub() +- avformat/avidec: Remove ancient assert +- avcodec/ansi: Check dimensions +- avcodec/cavsdsp: use av_clip_uint8() for idct +- avformat/utils: fix timebase error in avformat_seek_file() +- avcodec/g726: Add missing ADDB output mask +- avcodec/avpacket: clear side_data_elems +- swscale/swscale_unscaled: Try to fix Rgb16ToPlanarRgb16Wrapper() with slices +- swscale/swscale_unscaled: Fix packed_16bpc_bswap() with slices +- avformat/avidec: Fix infinite loop in avi_read_nikon() +- cmdutils: fix implicit declaration of SetDllDirectory function +- cmdutils: check for SetDllDirectory() availability +- libavcodec/wmalosslessdec: Check the remaining bits +- avcodec/diracdec: Check numx/y +- avcodec/indeo2: check ctab +- avformat/swfdec: Fix inflate() error code check +- cmdutils: remove the current working directory from the DLL search path on win32 +- avcodec/raw: Fix decoding of ilacetest.mov +- avformat/oggdec: Fix integer overflow with invalid pts +- libavformat/rtpdec_asf: zero initialize the AVIOContext struct +- libavutil/opt: Small bugfix in example. 
+- libx264: Increase x264 opts character limit to 4096 +- avformat/mov: Check sample size +- avformat/format: Fix registering a format more than once and related races +- avcodec/mpc8: Correct end truncation +- avcodec/mpegvideo: Do not clear the parse context during init +- avcodec/utils: check skip_samples signedness +- avformat/mpegts: Do not trust BSSD descriptor, it is sometimes not an S302M stream +- avcodec/bmp_parser: Check fsize +- avcodec/bmp_parser: reset state +- avcodec/bmp_parser: Fix remaining size +- avcodec/bmp_parser: Fix frame_start_found in cross frame cases +- avfilter/af_amix: dont fail if there are no samples in output_frame() +- avformat/allformats: Making av_register_all() thread-safe. +- avcodec/bmp_parser: Fix state +- avformat/oggparseopus: Fix Undefined behavior in oggparseopus.c and libavformat/utils.c +- doc/developer.texi: Add a code of conduct +- avformat/utils: Check negative bps before shifting in ff_get_pcm_codec_id() +- avformat/utils: Do not compute the bitrate from duration == 0 +- ffmpeg: Check that r_frame_rate is set before attempting to use it +- libavformat/oggdec: Free stream private when header parsing fails. 
+- avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id() +- avformat/oggparseopus: Check that granule pos is within the supported range +- avformat/options_table: Add missing identifier for very strict compliance +- avcodec/ttaenc: Reallocate packet if its too small +- pgssubdec: fix subpicture output colorspace and range +- avcodec/ac3dec: Reset SPX when switching from EAC3 to AC3 +- avfilter/vf_drawtext: Check return code of load_glyph() +- avcodec/takdec: add code that got somehow lost in process of REing +- avcodec/apedec: fix decoding of stereo files with one channel full of silence +- avcodec/avpacket: Fix off by 5 error +- avcodec/h264: Fix for H.264 configuration parsing +- avcodec/bmp_parser: Ensure remaining_size is not too small in startcode packet crossing corner case +- avfilter/src_movie: fix how we check for overflows with seek_point +- avcodec/j2kenc: Add attribution to OpenJPEG project: +- avcodec/libutvideodec: copy frame so it has reference counters when refcounted_frames is set +- avformat/rtpdec_jpeg: fix low contrast image on low quality setting +- avcodec/mjpegenc_common: Store approximate aspect if exact cannot be stored +- avcodec/resample: Remove disabled and faulty code +- indeo2: Fix banding artefacts +- indeo2data: K&R formatting cosmetics +- avcodec/imgconvert: Support non-planar colorspaces while padding +- avutil/random_seed: Add the runtime in cycles of the main loop to the entropy pool +- avutil/channel_layout: AV_CH_LAYOUT_6POINT1_BACK not reachable in parsing +- avformat/concatdec: set safe mode to enabled instead of auto +- avformat/rtpenc: Fix integer overflow in NTP_TO_RTP_FORMAT +- avcodec/avpacket: clear priv in av_init_packet() +- swscale/utils: Fix chrSrcHSubSample for GBRAP16 +- swscale/input: Fix GBRAP16 input +- postproc: fix unaligned access +- avutil/pixdesc: Make get_color_type() aware of CIE XYZ formats +- swscale/x86/output: Fix yuv2planeX_16* with unaligned destination +- 
swscale/x86/output: Move code into yuv2planeX_mainloop
+- MAINTAINERS: add myself as an OS/2 maintainer
+- doc/utils: fix typo for min() description
+
 version 2.4.13:
 - mov: Add an option to toggle dref opening
 - MAINTAINERS: remove unmaintained releases
diff --git a/RELEASE b/RELEASE
index b40e924755..e5f31291b2 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-2.4.13
+2.4.14
diff --git a/doc/Doxyfile b/doc/Doxyfile
index aaa4426e4a..20edc63867 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
-PROJECT_NUMBER = 2.4.13
+PROJECT_NUMBER = 2.4.14
 # With the PROJECT_LOGO tag one can specify a logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55
From 8d75aa8d79519c21f91a7dd96f330ad30d6625ed Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Tue, 26 Dec 2017 12:32:42 +0100 Subject: [PATCH 1349/1352] x264: Support version 153 It has native simultaneus 8 and 10 bit support. (cherry picked from commit c6558e8840fbb2386bf8742e4d68dd6e067d262e) (cherry picked from commit 96e8400553ae47f8f8df5b66cc268297ba38824c) Signed-off-by: Michael Niedermayer --- libavcodec/libx264.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)
diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index fa3aea9375..7f46abd80b 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -167,7 +167,11 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame,
 x264_picture_init( &x4->pic );
 x4->pic.img.i_csp = x4->params.i_csp;
+#if X264_BUILD >= 153
+ if (x4->params.i_bitdepth > 8)
+#else
 if (x264_bit_depth > 8)
+#endif
 x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH;
 x4->pic.img.i_plane = avfmt2_num_planes(ctx->pix_fmt);
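Review bot: In the X264_frame() hunk the `if` guarding `x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH;` is now selected by the preprocessor while its unbraced body sits after `#endif`, so a later edit that adds a statement to either branch silently changes what the condition controls. Bracing the body, or computing the condition inside the `#if` and keeping one `if` outside it, would make that harder to get wrong. Since this flag tells the encoder that the planes hold 16-bit samples, it must agree with the buffers actually handed over, and a comment such as `/* x264 >= 153: bit depth is a per-encoder parameter set in X264_init(), not a library-wide constant */` would record where the value comes from. The function body continues outside the hunk.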
@@ -393,6 +397,9 @@ static av_cold int X264_init(AVCodecContext *avctx)
 x4->params.p_log_private = avctx;
 x4->params.i_log_level = X264_LOG_DEBUG;
 x4->params.i_csp = convert_pix_fmt(avctx->pix_fmt);
+#if X264_BUILD >= 153
+ x4->params.i_bitdepth = av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth;
+#endif
 OPT_STR("weightp", x4->wpredp);
@@ -731,6 +738,24 @@ static const enum AVPixelFormat pix_fmts_10bit[] = {
 AV_PIX_FMT_NV20,
 AV_PIX_FMT_NONE
 };
+static const enum AVPixelFormat pix_fmts_all[] = {
+ AV_PIX_FMT_YUV420P,
+ AV_PIX_FMT_YUVJ420P,
+ AV_PIX_FMT_YUV422P,
+ AV_PIX_FMT_YUVJ422P,
+ AV_PIX_FMT_YUV444P,
+ AV_PIX_FMT_YUVJ444P,
+ AV_PIX_FMT_NV12,
+ AV_PIX_FMT_NV16,
+#ifdef X264_CSP_NV21
+ AV_PIX_FMT_NV21,
+#endif
+ AV_PIX_FMT_YUV420P10,
+ AV_PIX_FMT_YUV422P10,
+ AV_PIX_FMT_YUV444P10,
+ AV_PIX_FMT_NV20,
+ AV_PIX_FMT_NONE
+};
 static const enum AVPixelFormat pix_fmts_8bit_rgb[] = {
 #ifdef X264_CSP_BGR
 AV_PIX_FMT_BGR24,
@@ -741,12 +766,16 @@ static const enum AVPixelFormat pix_fmts_8bit_rgb[] = {
 static av_cold void X264_init_static(AVCodec *codec)
 {
+#if X264_BUILD < 153
 if (x264_bit_depth == 8)
 codec->pix_fmts = pix_fmts_8bit;
 else if (x264_bit_depth == 9)
 codec->pix_fmts = pix_fmts_9bit;
 else if (x264_bit_depth == 10)
 codec->pix_fmts = pix_fmts_10bit;
+#else
+ codec->pix_fmts = pix_fmts_all;
+#endif
 }
 #define OFFSET(x) offsetof(X264Context, x)
From 935c93c069d3330ebba46ea05785eef3906b1c7c Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 30 Dec 2017 19:38:23 -0300 Subject: [PATCH 1350/1352] changelog: update with previous commit Signed-off-by: James Almer (cherry picked from commit 03292829aa2e7a7db36de490c6cc19a4792ab3cc) Signed-off-by: Michael Niedermayer --- Changelog | 1 + 1 file changed, 1 insertion(+)
diff --git a/Changelog b/Changelog
index c839d0f85d..9d84d8f68c 100644
--- a/Changelog
+++ b/Changelog
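Review bot: In the X264_init() hunk of [PATCH 1349/1352] the result of `av_pix_fmt_desc_get(avctx->pix_fmt)` is dereferenced directly, and that function returns NULL for a pixel format it has no descriptor for. The generic encoder-open path presumably rejects formats that are not in `codec->pix_fmts` before init runs, so this may be unreachable today, but a guard keeps the wrapper safe if that assumption ever changes: `const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt);` followed by `if (!desc) return AVERROR(EINVAL);` before reading `desc->comp[0]`. The same unchecked dereference is kept by the `depth_minus1 + 1` hunk of [PATCH 1352/1352]. X264_init() starts and ends outside the hunk, so whether an early return there needs cleanup cannot be seen from here.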
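Review bot: The new `pix_fmts_all` table in [PATCH 1349/1352] carries no comment on how it differs from the per-depth tables: it lists only 8-bit and 10-bit formats, so builds against x264 >= 153 no longer offer whatever `pix_fmts_9bit` offered, and X264_init_static() advertises it unconditionally. If that is intended, a line above the table would record it, e.g. `/* x264 >= 153: one library handles 8- and 10-bit input; 9-bit is not offered */`. As far as I know x264 can still be configured for a single depth, so it is worth confirming that X264_init() fails cleanly when the library rejects the requested `i_bitdepth`; that path is not visible in this patch.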
@@ -2,6 +2,7 @@ Entries are sorted chronologically from oldest to youngest within each
 release, releases are sorted from youngest to oldest.
 version 2.4.14:
+- x264: Support version 153
 - avcodec/exr: Check buf_size more completely
 - avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()
 - avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w()
From 2633ac3a969f60905eb72080289b5d16f6451726 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Dec 2017 16:45:18 +0100 Subject: [PATCH 1351/1352] avcodec/libx264: remove NV21, its not supported Regression introduced in 8d75aa8d79519c21f91a7dd96f330ad30d6625ed Found-by: jamrial Signed-off-by: Michael Niedermayer --- libavcodec/libx264.c | 3 --- 1 file changed, 3 deletions(-)
diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index 7f46abd80b..72427d3931 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -747,9 +747,6 @@ static const enum AVPixelFormat pix_fmts_all[] = {
 AV_PIX_FMT_YUVJ444P,
 AV_PIX_FMT_NV12,
 AV_PIX_FMT_NV16,
-#ifdef X264_CSP_NV21
- AV_PIX_FMT_NV21,
-#endif
 AV_PIX_FMT_YUV420P10,
 AV_PIX_FMT_YUV422P10,
 AV_PIX_FMT_YUV444P10,
From 1cae2f002d4e76a389f41c207b05e9eb9f8b04d3 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 31 Jan 2018 22:38:50 -0300 Subject: [PATCH 1352/1352] avcodec/libx264: fix usage of AVComponentDescriptor depth field AVComponentDescriptor.depth is not available in release/2.4 This fixes compilation of the libx264 wrapper. Signed-off-by: James Almer --- libavcodec/libx264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index 72427d3931..97fc62f2c4 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -398,7 +398,7 @@ static av_cold int X264_init(AVCodecContext *avctx)
 x4->params.i_log_level = X264_LOG_DEBUG;
 x4->params.i_csp = convert_pix_fmt(avctx->pix_fmt);
 #if X264_BUILD >= 153
- x4->params.i_bitdepth = av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth;
+ x4->params.i_bitdepth = av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth_minus1 + 1;
 #endif
 OPT_STR("weightp", x4->wpredp);