From b21d387d6f83c71dd756d670840107473e8bebb0 Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Mon, 13 Jun 2022 16:32:44 +0530 Subject: [PATCH 001/562] ffmpeg: add option -isync This is a per-file input option that adjusts an input's timestamps with reference to another input, so that emitted packet timestamps account for the difference between the start times of the two inputs. Typical use case is to sync two or more live inputs such as from capture devices. Both the target and reference input source timestamps should be based on the same clock source. If either input lacks starting timestamps, then no sync adjustment is made. --- doc/ffmpeg.texi | 15 +++++++++++ fftools/ffmpeg.h | 2 ++ fftools/ffmpeg_opt.c | 59 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index 1a534ff1cc..767df69b7f 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi 
@@ -518,6 +518,21 @@ see @ref{time duration syntax,,the Time duration section in the ffmpeg-utils(1) Like the @code{-ss} option but relative to the "end of file". That is negative values are earlier in the file, 0 is at EOF. +@item -isync @var{input_index} (@emph{input}) +Assign an input as a sync source. + +This will take the difference between the start times of the target and reference inputs and +offset the timestamps of the target file by that difference. The source timestamps of the two +inputs should derive from the same clock source for expected results. If @code{copyts} is set +then @code{start_at_zero} must also be set. If either of the inputs has no starting timestamp +then no sync adjustment is made. + +Acceptable values are those that refer to a valid ffmpeg input index. If the sync reference is +the target index itself or @var{-1}, then no adjustment is made to target timestamps. A sync +reference may not itself be synced to any other input. + +Default value is @var{-1}. + @item -itsoffset @var{offset} (@emph{input}) Set the input time offset. diff --git a/fftools/ffmpeg.h b/fftools/ffmpeg.h index 99d31c346e..391a35cf50 100644 --- a/fftools/ffmpeg.h +++ b/fftools/ffmpeg.h @@ -118,6 +118,7 @@ typedef struct OptionsContext { float readrate; int accurate_seek; int thread_queue_size; + int input_sync_ref; SpecifierOpt *ts_scale; int nb_ts_scale; @@ -410,6 +411,7 @@ typedef struct InputFile { at the moment when looping happens */ AVRational time_base; /* time base of the duration */ int64_t input_ts_offset; + int input_sync_ref; int64_t ts_offset; int64_t last_ts; diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index e08455478f..ac7fe3b27a 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -235,6 +235,7 @@ static void init_options(OptionsContext *o) o->chapters_input_file = INT_MAX; o->accurate_seek = 1; o->thread_queue_size = -1; + o->input_sync_ref = -1; } static int show_hwaccels(void *optctx, const char *opt, const char *arg) 
@@ -287,6 +288,58 @@ static int parse_and_set_vsync(const char *arg, int *vsync_var, int file_idx, in return 0; } +static int apply_sync_offsets(void) +{ + for (int i = 0; i < nb_input_files; i++) { + InputFile *ref, *self = input_files[i]; + int64_t adjustment; + int64_t self_start_time, ref_start_time, self_seek_start, ref_seek_start; + int start_times_set = 1; + + if (self->input_sync_ref == -1 || self->input_sync_ref == i) continue; + if (self->input_sync_ref >= nb_input_files || self->input_sync_ref < -1) { + av_log(NULL, AV_LOG_FATAL, "-isync for input %d references non-existent input %d.\n", i, self->input_sync_ref); + exit_program(1); + } + + if (copy_ts && !start_at_zero) { + av_log(NULL, AV_LOG_FATAL, "Use of -isync requires that start_at_zero be set if copyts is set.\n"); + exit_program(1); + } + + ref = input_files[self->input_sync_ref]; + if (ref->input_sync_ref != -1 && ref->input_sync_ref != self->input_sync_ref) { + av_log(NULL, AV_LOG_ERROR, "-isync for input %d references a resynced input %d. Sync not set.\n", i, self->input_sync_ref); + continue; + } + + if (self->ctx->start_time_realtime != AV_NOPTS_VALUE && ref->ctx->start_time_realtime != AV_NOPTS_VALUE) { + self_start_time = self->ctx->start_time_realtime; + ref_start_time = ref->ctx->start_time_realtime; + } else if (self->ctx->start_time != AV_NOPTS_VALUE && ref->ctx->start_time != AV_NOPTS_VALUE) { + self_start_time = self->ctx->start_time; + ref_start_time = ref->ctx->start_time; + } else { + start_times_set = 0; + } + + if (start_times_set) { + self_seek_start = self->start_time == AV_NOPTS_VALUE ? 0 : self->start_time; + ref_seek_start = ref->start_time == AV_NOPTS_VALUE ? 
0 : ref->start_time; + + adjustment = (self_start_time - ref_start_time) + !copy_ts*(self_seek_start - ref_seek_start) + ref->input_ts_offset; + + self->ts_offset += adjustment; + + av_log(NULL, AV_LOG_INFO, "Adjusted ts offset for Input #%d by %"PRId64" us to sync with Input #%d.\n", i, adjustment, self->input_sync_ref); + } else { + av_log(NULL, AV_LOG_INFO, "Unable to identify start times for Inputs #%d and %d both. No sync adjustment made.\n", i, self->input_sync_ref); + } + } + + return 0; +} + static int opt_filter_threads(void *optctx, const char *opt, const char *arg) { av_free(filter_nbthreads); @@ -1305,6 +1358,7 @@ static int open_input_file(OptionsContext *o, const char *filename) f->ist_index = nb_input_streams - ic->nb_streams; f->start_time = o->start_time; f->recording_time = o->recording_time; + f->input_sync_ref = o->input_sync_ref; f->input_ts_offset = o->input_ts_offset; f->ts_offset = o->input_ts_offset - (copy_ts ? (start_at_zero && ic->start_time != AV_NOPTS_VALUE ? ic->start_time : 0) : timestamp); f->nb_streams = ic->nb_streams; @@ -3489,6 +3543,8 @@ int ffmpeg_parse_options(int argc, char **argv) goto fail; } + apply_sync_offsets(); + /* create the complex filtergraphs */ ret = init_complex_filters(); if (ret < 0) { @@ -3603,6 +3659,9 @@ const OptionDef options[] = { { "accurate_seek", OPT_BOOL | OPT_OFFSET | OPT_EXPERT | OPT_INPUT, { .off = OFFSET(accurate_seek) }, "enable/disable accurate seeking with -ss" }, + { "isync", HAS_ARG | OPT_INT | OPT_OFFSET | + OPT_EXPERT | OPT_INPUT, { .off = OFFSET(input_sync_ref) }, + "Indicate the input index for sync reference", "sync ref" }, { "itsoffset", HAS_ARG | OPT_TIME | OPT_OFFSET | OPT_EXPERT | OPT_INPUT, { .off = OFFSET(input_ts_offset) }, "set the input ts offset", "time_off" }, From e04cb59ecc303f75f336a60bdd19f3684275e5ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Jul 2022 23:12:30 +0200 Subject: [PATCH 002/562] Update for 5.1 
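Review bot: The offset arithmetic in apply_sync_offsets() uses plain signed int64_t, so `(self_start_time - ref_start_time)` and the later `self->ts_offset += adjustment;` can overflow, which is undefined behaviour in C. The operands come from `ctx->start_time` / `ctx->start_time_realtime` and from per-input options, so they are presumably shaped by the input stream and the command line rather than bounded by this code. Consider saturating each step, e.g. `adjustment = av_sat_sub64(self_start_time, ref_start_time);` and `self->ts_offset = av_sat_add64(self->ts_offset, adjustment);`, or rejecting out-of-range differences with an error. Separately, the call added in ffmpeg_parse_options() drops the return value, which is always 0 here; either declare the function `void` or check it like the neighbouring `init_complex_filters()` call.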
Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index 826fe7119d..a75b92f1ed 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.4.git +5.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0891899505..ba0002d5f8 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 5.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 2720715dab70f40025a1d209e746b6c0f188a9d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jul 2022 20:43:20 +0200 Subject: [PATCH 003/562] avcodec/lagarith: Check dst/src in zero run code Fixes: out of array access Fixes: 48799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-4764457825337344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9450f759748d02d1d284d2e4afd741cb0fe0c04a) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 3aeb1c8a99..00e8005222 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -409,6 +409,9 @@ output_zeros: if (zero_run) { zero_run = 0; i += esc_count; + if (i > end - dst || + i >= src_end - src) + return AVERROR_INVALIDDATA; memcpy(dst, src, i); dst += i; l->zeros_rem = lag_calc_zero_run(src[i]); From 83feded4926272904e4abcecaa573e61d457a0db Mon Sep 17 00:00:00 2001 
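Review bot: The two bounds in the added lagarith check are deliberately asymmetric, and nothing in the hunk says why: `i > end - dst` guards the `memcpy()` destination, while `i >= src_end - src` must also cover the `src[i]` read in `lag_calc_zero_run(src[i])`, one byte past the copied run. A short comment would keep a later edit from relaxing the second comparison to `>`, for example `/* src needs i + 1 bytes: src[i] is read after the copy */`. The declarations of `i`, `end` and `src_end` are outside the hunk, so whether `i` can be negative after `i += esc_count` could not be checked from here.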
From: Marton Balint Date: Sun, 10 Jul 2022 20:32:55 +0200 Subject: [PATCH 004/562] avdevice/avdevice: fix return value of avdevice_list_devices() According to API docs avdevice_list_devices(), avdevice_list_input_sources() and avdevice_list_input_sinks() should return the number of autodetected devices on success. This is redundant with AVDeviceInfoList->nb_devices so it was not noticed earlier that none of the underlying device list functions work like that. Let's fix it in generic code to make it in line with the API docs. Fixes ticket #9820. Signed-off-by: Marton Balint (cherry picked from commit 64f04df37942c1b1fc11df0f99ffba7834c33f34) --- libavdevice/avdevice.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavdevice/avdevice.c b/libavdevice/avdevice.c index b4fb272eb6..58996404b3 100644 --- a/libavdevice/avdevice.c +++ b/libavdevice/avdevice.c @@ -75,9 +75,11 @@ int avdevice_list_devices(AVFormatContext *s, AVDeviceInfoList **device_list) ret = s->oformat->get_device_list(s, *device_list); else ret = s->iformat->get_device_list(s, *device_list); - if (ret < 0) + if (ret < 0) { avdevice_free_list_devices(device_list); - return ret; + return ret; + } + return (*device_list)->nb_devices; } static int list_devices_for_context(AVFormatContext *s, AVDictionary *options, From d6a1e5980bbf5993882453e0d833d0afbeeeac4a Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Wed, 6 Jul 2022 01:32:27 +0200 Subject: [PATCH 005/562] avutil/hwcontext_d3d11va: fix texture_infos writes on non-fixed-size pools --- libavutil/hwcontext_d3d11va.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index 904d14bbc8..1bc8b6c82c 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c 
@@ -166,6 +166,17 @@ static AVBufferRef *wrap_texture_buf(AVHWFramesContext *ctx, ID3D11Texture2D *te return NULL; } + if (s->nb_surfaces <= s->nb_surfaces_used) { + frames_hwctx->texture_infos = av_realloc_f(frames_hwctx->texture_infos, + s->nb_surfaces_used + 1, + sizeof(*frames_hwctx->texture_infos)); + if (!frames_hwctx->texture_infos) { + ID3D11Texture2D_Release(tex); + return NULL; + } + s->nb_surfaces = s->nb_surfaces_used + 1; + } + frames_hwctx->texture_infos[s->nb_surfaces_used].texture = tex; frames_hwctx->texture_infos[s->nb_surfaces_used].index = index; s->nb_surfaces_used++; @@ -284,7 +295,7 @@ static int d3d11va_frames_init(AVHWFramesContext *ctx) } } - hwctx->texture_infos = av_calloc(ctx->initial_pool_size, sizeof(*hwctx->texture_infos)); + hwctx->texture_infos = av_realloc_f(NULL, ctx->initial_pool_size, sizeof(*hwctx->texture_infos)); if (!hwctx->texture_infos) return AVERROR(ENOMEM); s->nb_surfaces = ctx->initial_pool_size; From 22878e817700d2b94f5102131d8a256afec9cfb8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Nov 2018 01:36:21 +0100 Subject: [PATCH 006/562] RELEASE_NOTES: Based on the version from 5.0 Name suggested by Leo Izen and Andreas Rheinhardt LTS text suggested by Martijn van Beurden Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 RELEASE_NOTES diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..afc063161f --- /dev/null +++ b/RELEASE_NOTES 
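Review bot: When `av_realloc_f()` fails in the new growth path of wrap_texture_buf(), the old array has already been freed and `frames_hwctx->texture_infos` becomes NULL, but `s->nb_surfaces` and `s->nb_surfaces_used` keep their previous values. If a later call then succeeds, it allocates `nb_surfaces_used + 1` entries and fills only the last one, so the earlier slots hold indeterminate data; any code that walks the array up to `nb_surfaces_used` (not visible in this hunk) would read them. Resetting the bookkeeping in the failure branch, e.g. `s->nb_surfaces = s->nb_surfaces_used = 0;` before `return NULL;`, keeps the counters consistent with the pointer. wrap_texture_buf() starts and ends outside the hunk.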
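Review bot: Replacing `av_calloc()` with `av_realloc_f(NULL, ...)` in d3d11va_frames_init() means the initial `texture_infos` entries are no longer zero-initialised. Slots between `nb_surfaces_used` and `nb_surfaces` now hold indeterminate pointers and indices until wrap_texture_buf() fills them; if anything reads a slot before it is written (the readers are outside this hunk), that is an uninitialised read. If the switch was made only so the block can later be handed to `av_realloc_f()`, adding `memset(hwctx->texture_infos, 0, ctx->initial_pool_size * sizeof(*hwctx->texture_infos));` after the NULL check, or a comment stating that no slot is read before it is written, would preserve the old guarantee.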
@@ -0,0 +1,18 @@ + + ┌────────────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 5.1 "Riemann" LTS │ + └────────────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 5.1 "Riemann" LTS, about 6 + months after the release of FFmpeg 5.0, our first Long Term Support + release. While several past FFmpeg releases have enjoyed long term + support, this is the first release where such an intention is made + clear at release. + + A complete Changelog is available at the root of the project, and the + complete Git history on https://git.ffmpeg.org/gitweb/ffmpeg.git + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask + on the mailing-lists. From cd894807feda1cf23d21b2330989c4d239ecf22b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jul 2022 00:25:45 +0200 Subject: [PATCH 007/562] tools/target_dec_fuzzer: Adjust threshold for MMVIDEO Fixes: Timeout Fixes: 49003/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-5550368423018496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 3592b05c84958e2723cc026e7649df508de1a9c4) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 1587045e02..017c5cf024 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c 
@@ -246,6 +246,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_LOCO: maxpixels /= 1024; break; case AV_CODEC_ID_VORBIS: maxsamples /= 1024; break; case AV_CODEC_ID_LSCR: maxpixels /= 16; break; + case AV_CODEC_ID_MMVIDEO: maxpixels /= 256; break; case AV_CODEC_ID_MOTIONPIXELS:maxpixels /= 256; break; case AV_CODEC_ID_MP4ALS: maxsamples /= 65536; break; case AV_CODEC_ID_MSA1: maxpixels /= 16384; break; From 288ef1939f633da9cebca791215a2a2130ef6f3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jul 2022 01:25:01 +0200 Subject: [PATCH 008/562] avcodec/ffv1dec: consider run increase in minimal golomb frame size Fixes: Timeout Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 15785e044ee1265464bb4f3ed727e2a8074f97b4) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 01ddcaa512..fd8088f16c 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -883,7 +883,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, if (buf_size < avctx->width * avctx->height / (128*8)) return AVERROR_INVALIDDATA; } else { - if (buf_size < avctx->height / 8) + int w = avctx->width; + for (int i = 0; w > (1<height + i + 6)/ 8) return AVERROR_INVALIDDATA; } From 6a7842560450da25fb4184ff11dbb8b8791e8703 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jul 2022 00:20:41 +0200 Subject: [PATCH 009/562] avcodec/ffv1dec: Fix AC_GOLOMB_RICE min size check Found-by: mkver Signed-off-by: Michael Niedermayer (cherry picked from commit f7d510b33ff33d2f5cb096017ee1c00f624cc138) 
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index fd8088f16c..9300297267 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -884,9 +884,13 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, return AVERROR_INVALIDDATA; } else { int w = avctx->width; - for (int i = 0; w > (1< (1<height + i + 6)/ 8) + if (buf_size < (avctx->height + i + 6) / 8 * s) return AVERROR_INVALIDDATA; } From e95f80c8df9dc39592c12940983db794ab315a99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Jul 2022 22:46:45 +0200 Subject: [PATCH 010/562] avcodec/exr: Check x/ysize Fixes: OOM Fixes: 48911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6352002510094336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 614a4d1476c6e3561ebab3977cb43b2b4b6406fd) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 8cd867a32f..c25bae8cd4 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1241,7 +1241,8 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->ysize = FFMIN(s->tile_attr.ySize, s->ydelta - tile_y * s->tile_attr.ySize); td->xsize = FFMIN(s->tile_attr.xSize, s->xdelta - tile_x * s->tile_attr.xSize); - if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX || + av_image_check_size2(td->xsize, td->ysize, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx) < 0) return AVERROR_INVALIDDATA; td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ 
@@ -1265,7 +1266,8 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ td->xsize = s->xdelta; - if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX || + av_image_check_size2(td->xsize, td->ysize, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx) < 0) return AVERROR_INVALIDDATA; td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ From 1c06f776e6ecfc3f17bdd1e29c6add72548c9576 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jul 2022 00:32:18 +0200 Subject: [PATCH 011/562] avformat/asfdec_f: Use 64bit for packet start time Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 49014/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6314973315334144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ed78486fcb065b5b459f14d4b1c3242f6d21ec7) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 7fc174635b..bdbd4271c8 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -104,7 +104,7 @@ typedef struct ASFContext { int ts_is_pts; int packet_multi_size; int packet_time_delta; - int packet_time_start; + int64_t packet_time_start; int64_t packet_pos; int stream_index; From e8a51675ea8abf67fd5768dcfa17869e130cb8a5 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 20 Jul 2022 01:05:20 +0200 Subject: [PATCH 012/562] avformat/mov: Check for EOF in mov_read_iloc() Fixes: Timeout Fixes: 49216/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6563000529584128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 744ad45c44e69e354e924902c4daf0044dcd9955) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 29828ea7e6..a644f9ac62 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7540,6 +7540,8 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (int i = 0; i < item_count; i++) { int item_id = (version < 2) ? avio_rb16(pb) : avio_rb32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; if (version > 0) avio_rb16(pb); // construction_method. avio_rb16(pb); // data_reference_index. From e6584a3f19c0d6a6d4143c8d8a3d4fe9222d32aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Jul 2022 23:54:49 +0200 Subject: [PATCH 013/562] avformat/nutdec: Check get_packetheader() in mainheader Fixes; Timeout Fixes: 48794/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6524604713140224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5de084aa63b79586bc445e6a7fea837688b3941) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 0db3d03f6c..8cc56615ad 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
@@ -200,6 +200,8 @@ static int decode_main_header(NUTContext *nut) int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + if (length == (uint64_t)-1) + return AVERROR_INVALIDDATA; end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); From 5767941df88e75b2c2020e42580abc92478842e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Jun 2022 01:36:29 +0200 Subject: [PATCH 014/562] avformat/flvdec: Check for EOF in index reading Fixes: Timeout Fixes: 47992/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6020443879899136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ceff5d7b74cd9ae6055957979d27d289c70a9e1b) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index c5d3c63bd0..8dba92661b 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -463,6 +463,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m goto invalid; if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) goto invalid; + if (avio_feof(ioc)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { From fa511b03d3a7d02e4c6bd1e17d12eac2d71fd03c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 00:34:08 +0200 Subject: [PATCH 015/562] avcodec/mss4: Check image size with av_image_check_size2() Fixes: Timeout Fixes: 48418/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MTS2_fuzzer-4834851466903552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e145f1dcdcbe19e8f8e98940dab04e9332a8b5b) 
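Review bot: The added test in decode_main_header() rejects only the `(uint64_t)-1` error sentinel; any other oversized `length` still flows into `end = length + avio_tell(bc);` on the next line. If `length` is unsigned 64-bit, as the cast suggests, and `end` is a signed offset (both declarations are outside the hunk), a value above `INT64_MAX - avio_tell(bc)` wraps or turns negative. Consider bounding it in the same guard, e.g. `if (length == (uint64_t)-1 || length > INT64_MAX - avio_tell(bc)) return AVERROR_INVALIDDATA;`, unless get_packetheader() already caps the size. The function body continues beyond the hunk.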
Signed-off-by: Michael Niedermayer --- libavcodec/mss4.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mss4.c b/libavcodec/mss4.c index 9f3c4a593d..43eb1025aa 100644 --- a/libavcodec/mss4.c +++ b/libavcodec/mss4.c @@ -26,6 +26,7 @@ */ #include "libavutil/thread.h" +#include "libavutil/imgutils.h" #include "avcodec.h" #include "bytestream.h" @@ -477,6 +478,9 @@ static int mss4_decode_frame(AVCodecContext *avctx, AVFrame *rframe, width, height); return AVERROR_INVALIDDATA; } + if (av_image_check_size2(width, height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx) < 0) + return AVERROR_INVALIDDATA; + if (quality < 1 || quality > 100) { av_log(avctx, AV_LOG_ERROR, "Invalid quality setting %d\n", quality); return AVERROR_INVALIDDATA; From 6fbd4d22859bbf7b8b1d27a722efd8947688b5ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jul 2022 23:27:59 +0200 Subject: [PATCH 016/562] avcodec/tiff: Check tile_length and tile_width Fixes: Division by 0 Fixes: 49235/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5495613847896064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 76112c2b4167bb3c40503b3334c8b38fd707a8d5) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index bf69b083b3..2d40626ccc 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -965,6 +965,9 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame *frame, int pos_x = 0, pos_y = 0; int ret; + if (s->tile_width <= 0 || s->tile_length <= 0) + return AVERROR_INVALIDDATA; + has_width_leftover = (s->width % s->tile_width != 0); has_height_leftover = (s->height % s->tile_length != 0); From e0723b7e4e22492275d476fcd30d759e1198bc5b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 22 Jul 2022 00:51:32 +0200 Subject: [PATCH 017/562] avcodec/hevc_filter: copy_CTB() only within width&height Fixes: out of array access Fixes: 49271/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5424984922652672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 009ef35d384c3df22d8a8be7416dc9d532e91c52) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_filter.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 7b53c66c3b..1ae561db9e 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -143,11 +143,22 @@ static void copy_CTB(uint8_t *dst, const uint8_t *src, int width, int height, if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) { for (i = 0; i < height; i++) { - for (j = 0; j < width; j+=8) + for (j = 0; j < width - 7; j+=8) AV_COPY64U(dst+j, src+j); dst += stride_dst; src += stride_src; } + if (width&7) { + dst += ((width>>3)<<3) - stride_dst * height; + src += ((width>>3)<<3) - stride_src * height; + width &= 7; + for (i = 0; i < height; i++) { + for (j = 0; j < width; j++) + dst[j] = src[j]; + dst += stride_dst; + src += stride_src; + } + } } else { for (i = 0; i < height; i++) { for (j = 0; j < width; j+=16) From 6d83c5f87651499dbb5d310f7cbd12a25c7d07f9 Mon Sep 17 00:00:00 2001 From: Marvin Scholz Date: Sun, 24 Jul 2022 12:11:49 +0200 Subject: [PATCH 018/562] configure: properly require libx264 if enabled When libx264 can not be found even though it is enabled, it should error out properly instead of silently disabling it. (cherry picked from commit 564d7946de56155d1c42165a8b561fcf5028cbbc) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 9d6457d81b..6e012e44bc 100755 --- a/configure +++ b/configure 
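Review bot: The aligned `else` branch shown at the end of the copy_CTB() hunk still copies in whole 16-byte units with `for (j = 0; j < width; j+=16) AV_COPY128(dst+j, src+j);`, so it rounds `width` up exactly as the unaligned branch did before this fix. If the out-of-array access came from `width` not being a multiple of the copy unit, the same overrun seems possible there whenever `width & 15` is non-zero, unless aligned buffers are guaranteed to carry at least 15 bytes of padding per row; that guarantee is not visible here and is worth stating in a comment or enforcing with the same tail handling. In the new tail code the pointer rewind `dst += ((width>>3)<<3) - stride_dst * height;` is correct but hard to audit; saving the original `dst`/`src` in locals before the first loop would make the tail loop's starting point obvious. copy_CTB() begins and ends outside the hunk.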
@@ -6666,7 +6666,7 @@ enabled libvpx && { enabled libwebp && { enabled libwebp_encoder && require_pkg_config libwebp "libwebp >= 0.2.0" webp/encode.h WebPGetEncoderVersion enabled libwebp_anim_encoder && check_pkg_config libwebp_anim_encoder "libwebpmux >= 0.4.0" webp/mux.h WebPAnimEncoderOptionsInit; } -enabled libx264 && check_pkg_config libx264 x264 "stdint.h x264.h" x264_encoder_encode && +enabled libx264 && require_pkg_config libx264 x264 "stdint.h x264.h" x264_encoder_encode && require_cpp_condition libx264 x264.h "X264_BUILD >= 118" && { [ "$toolchain" != "msvc" ] || require_cpp_condition libx264 x264.h "X264_BUILD >= 158"; } && From 915ef932a3cd4679fa58d6c514992d90e5fa6930 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 29 Jul 2022 18:05:51 -0300 Subject: [PATCH 019/562] avcodec/alac: don't fail if channels aren't set during init() when extradata is valid The decoder is meant to use it as a fallback if the value in extradata is invalid. Regression since d199099be. Signed-off-by: James Almer --- libavcodec/alac.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 9aaf7066b2..4aab82d60b 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -574,13 +574,15 @@ static av_cold int alac_decode_init(AVCodecContext * avctx) avctx->bits_per_raw_sample = alac->sample_size; avctx->sample_rate = alac->sample_rate; - if (alac->channels < 1 || alac->channels > ALAC_MAX_CHANNELS) { + if (alac->channels < 1) { av_log(avctx, AV_LOG_WARNING, "Invalid channel count\n"); + if (avctx->ch_layout.nb_channels < 1) + return AVERROR(EINVAL); alac->channels = avctx->ch_layout.nb_channels; } - if (avctx->ch_layout.nb_channels > ALAC_MAX_CHANNELS || avctx->ch_layout.nb_channels <= 0 ) { + if (alac->channels > ALAC_MAX_CHANNELS) { avpriv_report_missing_feature(avctx, "Channel count %d", - avctx->ch_layout.nb_channels); + alac->channels); return AVERROR_PATCHWELCOME; } av_channel_layout_uninit(&avctx->ch_layout); 
From 80d1b8938eb227f0e9efde91050836b1e9a051a9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 24 Jul 2022 21:34:58 +0200 Subject: [PATCH 020/562] fate/imf: Rename IMF fate-target It conflicts with the name of the test using the testtool in libavformat.mak. Fixes ticket #9841. Reviewed-by: Pierre-Anthony Lemieux Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3b923116e5a348945281b8d827074ac8f897464d) --- tests/fate/imf.mak | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate/imf.mak b/tests/fate/imf.mak index 70a3efdfbd..feb54d1361 100644 --- a/tests/fate/imf.mak +++ b/tests/fate/imf.mak @@ -3,4 +3,4 @@ fate-imf-cpl-with-repeat: CMD = framecrc -f imf -i $(TARGET_SAMPLES)/imf/countdo FATE_SAMPLES_FFMPEG-$(CONFIG_IMF_DEMUXER) += $(FATE_IMF) -fate-imf: $(FATE_IMF) +fate-imfdec: $(FATE_IMF) From 17426f84f617c6422abc73b1176b11ed2e8ba870 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 1 Aug 2022 14:24:51 +0200 Subject: [PATCH 021/562] tests/fate-run: Allow to skip file checksums for lavf_image The output file (even the filesize) of the recently added EXR tests depends on the endianness; therefore checksums of these files must not be part of the ref file. Therefore this commit adds an option (unused for now) to disable these checksums on a per-test basis. In order to avoid having to check twice, the checksum and the filesize info are moved to immediately follow one another; this results into updates to the ref files of all lavf-image tests. 
Signed-off-by: Andreas Rheinhardt (cherry picked from commit 4fb8741c4670965eaf1f78d6122c6bdfdf1f3358) --- tests/fate-run.sh | 7 +++++-- tests/ref/lavf/bmp | 2 +- tests/ref/lavf/dpx | 2 +- tests/ref/lavf/gbrp10le.dpx | 2 +- tests/ref/lavf/gbrp12le.dpx | 2 +- tests/ref/lavf/gbrpf32be.pfm | 2 +- tests/ref/lavf/gbrpf32le.pfm | 2 +- tests/ref/lavf/gray.pam | 2 +- tests/ref/lavf/gray.xwd | 2 +- tests/ref/lavf/gray16be.pam | 2 +- tests/ref/lavf/gray16be.png | 2 +- tests/ref/lavf/grayf32be.pfm | 2 +- tests/ref/lavf/grayf32le.pfm | 2 +- tests/ref/lavf/jpg | 2 +- tests/ref/lavf/monob.pam | 2 +- tests/ref/lavf/monow.xwd | 2 +- tests/ref/lavf/none.gbrapf32le.exr | 2 +- tests/ref/lavf/none.gbrpf32le.exr | 2 +- tests/ref/lavf/none.grayf32le.exr | 2 +- tests/ref/lavf/pam | 2 +- tests/ref/lavf/pcx | 2 +- tests/ref/lavf/pgm | 2 +- tests/ref/lavf/png | 2 +- tests/ref/lavf/ppm | 2 +- tests/ref/lavf/qoi | 2 +- tests/ref/lavf/rgb48be.pam | 2 +- tests/ref/lavf/rgb48be.png | 2 +- tests/ref/lavf/rgb48le.dpx | 2 +- tests/ref/lavf/rgb48le_10.dpx | 2 +- tests/ref/lavf/rgb4_byte.xwd | 2 +- tests/ref/lavf/rgb555be.xwd | 2 +- tests/ref/lavf/rgb565be.xwd | 2 +- tests/ref/lavf/rgb8.xwd | 2 +- tests/ref/lavf/rgba.pam | 2 +- tests/ref/lavf/rgba.xwd | 2 +- tests/ref/lavf/rgba64le.dpx | 2 +- tests/ref/lavf/rle.gbrapf32le.exr | 2 +- tests/ref/lavf/rle.gbrpf32le.exr | 2 +- tests/ref/lavf/rle.grayf32le.exr | 2 +- tests/ref/lavf/sgi | 2 +- tests/ref/lavf/sun | 2 +- tests/ref/lavf/tga | 2 +- tests/ref/lavf/tiff | 2 +- tests/ref/lavf/xbm | 2 +- tests/ref/lavf/xwd | 2 +- tests/ref/lavf/zip1.gbrapf32le.exr | 2 +- tests/ref/lavf/zip1.gbrpf32le.exr | 2 +- tests/ref/lavf/zip1.grayf32le.exr | 2 +- tests/ref/lavf/zip16.gbrapf32le.exr | 2 +- tests/ref/lavf/zip16.gbrpf32le.exr | 2 +- tests/ref/lavf/zip16.grayf32le.exr | 2 +- 51 files changed, 55 insertions(+), 52 deletions(-) diff --git a/tests/fate-run.sh b/tests/fate-run.sh index 525e8e5499..4008bcbc16 100755 --- a/tests/fate-run.sh +++ b/tests/fate-run.sh 
@@ -362,6 +362,7 @@ lavf_container_fate() } lavf_image(){ + no_file_checksums="$3" nb_frames=13 t="${test#lavf-}" outdir="tests/data/images/$t" @@ -374,9 +375,11 @@ lavf_image(){ done fi run_avconv $DEC_OPTS -f image2 -c:v pgmyuv -i $raw_src $1 "$ENC_OPTS -metadata title=lavftest" -vf scale -frames $nb_frames -y -qscale 10 $target_path/$file - do_md5sum ${outdir}/02.$t + if [ -z "$no_file_checksums" ]; then + do_md5sum ${outdir}/02.$t + echo $(wc -c ${outdir}/02.$t) + fi do_avconv_crc $file -auto_conversion_filters $DEC_OPTS $2 -i $target_path/$file $2 - echo $(wc -c ${outdir}/02.$t) } lavf_image2pipe(){ diff --git a/tests/ref/lavf/bmp b/tests/ref/lavf/bmp index af767e552a..c4bc0332ae 100644 --- a/tests/ref/lavf/bmp +++ b/tests/ref/lavf/bmp @@ -1,3 +1,3 @@ 71f4d64a6b3c71f43a4eff526f84841c *tests/data/images/bmp/02.bmp -tests/data/images/bmp/%02d.bmp CRC=0xe6c71946 304182 tests/data/images/bmp/02.bmp +tests/data/images/bmp/%02d.bmp CRC=0xe6c71946 diff --git a/tests/ref/lavf/dpx b/tests/ref/lavf/dpx index 68fe25afcd..736fe39cff 100644 --- a/tests/ref/lavf/dpx +++ b/tests/ref/lavf/dpx @@ -1,3 +1,3 @@ 4c8880d5835ffb5fe37c1ed8c8d404de *tests/data/images/dpx/02.dpx -tests/data/images/dpx/%02d.dpx CRC=0x6da01946 305792 tests/data/images/dpx/02.dpx +tests/data/images/dpx/%02d.dpx CRC=0x6da01946 diff --git a/tests/ref/lavf/gbrp10le.dpx b/tests/ref/lavf/gbrp10le.dpx index b33da34e20..35e34d0859 100644 --- a/tests/ref/lavf/gbrp10le.dpx +++ b/tests/ref/lavf/gbrp10le.dpx @@ -1,3 +1,3 @@ 7ca935d5d5e00c54acbc85565d3039b6 *tests/data/images/gbrp10le.dpx/02.gbrp10le.dpx -tests/data/images/gbrp10le.dpx/%02d.gbrp10le.dpx CRC=0xe6663fba 407168 tests/data/images/gbrp10le.dpx/02.gbrp10le.dpx +tests/data/images/gbrp10le.dpx/%02d.gbrp10le.dpx CRC=0xe6663fba diff --git a/tests/ref/lavf/gbrp12le.dpx b/tests/ref/lavf/gbrp12le.dpx index e2e794ecc6..2758982d5a 100644 --- a/tests/ref/lavf/gbrp12le.dpx +++ b/tests/ref/lavf/gbrp12le.dpx 
@@ -1,3 +1,3 @@ a4cfea1797c928f2eff73573e559675d *tests/data/images/gbrp12le.dpx/02.gbrp12le.dpx -tests/data/images/gbrp12le.dpx/%02d.gbrp12le.dpx CRC=0x1c755633 609920 tests/data/images/gbrp12le.dpx/02.gbrp12le.dpx +tests/data/images/gbrp12le.dpx/%02d.gbrp12le.dpx CRC=0x1c755633 diff --git a/tests/ref/lavf/gbrpf32be.pfm b/tests/ref/lavf/gbrpf32be.pfm index 2cd6354401..ca5e1b1659 100644 --- a/tests/ref/lavf/gbrpf32be.pfm +++ b/tests/ref/lavf/gbrpf32be.pfm @@ -1,3 +1,3 @@ 6d470f8d6018b95b45afafc14b7d161a *tests/data/images/gbrpf32be.pfm/02.gbrpf32be.pfm -tests/data/images/gbrpf32be.pfm/%02d.gbrpf32be.pfm CRC=0x4b73053f 1216532 tests/data/images/gbrpf32be.pfm/02.gbrpf32be.pfm +tests/data/images/gbrpf32be.pfm/%02d.gbrpf32be.pfm CRC=0x4b73053f diff --git a/tests/ref/lavf/gbrpf32le.pfm b/tests/ref/lavf/gbrpf32le.pfm index 3ddd100443..b3947a9fcb 100644 --- a/tests/ref/lavf/gbrpf32le.pfm +++ b/tests/ref/lavf/gbrpf32le.pfm @@ -1,3 +1,3 @@ 892c5a05e1cbb3d2f7761d51e18b9c4c *tests/data/images/gbrpf32le.pfm/02.gbrpf32le.pfm -tests/data/images/gbrpf32le.pfm/%02d.gbrpf32le.pfm CRC=0x95e1053f 1216533 tests/data/images/gbrpf32le.pfm/02.gbrpf32le.pfm +tests/data/images/gbrpf32le.pfm/%02d.gbrpf32le.pfm CRC=0x95e1053f diff --git a/tests/ref/lavf/gray.pam b/tests/ref/lavf/gray.pam index 77af981c42..9283413a1b 100644 --- a/tests/ref/lavf/gray.pam +++ b/tests/ref/lavf/gray.pam @@ -1,3 +1,3 @@ 35cb9e42b2d3181be494f8693af1ddea *tests/data/images/gray.pam/02.gray.pam -tests/data/images/gray.pam/%02d.gray.pam CRC=0x0ff205be 101445 tests/data/images/gray.pam/02.gray.pam +tests/data/images/gray.pam/%02d.gray.pam CRC=0x0ff205be diff --git a/tests/ref/lavf/gray.xwd b/tests/ref/lavf/gray.xwd index 15c80fba34..38b7f245a4 100644 --- a/tests/ref/lavf/gray.xwd +++ b/tests/ref/lavf/gray.xwd 
@@ -1,3 +1,3 @@ 85e9b8b814a1dea71d143aac2e487037 *tests/data/images/gray.xwd/02.gray.xwd -tests/data/images/gray.xwd/%02d.gray.xwd CRC=0x0ff205be 101487 tests/data/images/gray.xwd/02.gray.xwd +tests/data/images/gray.xwd/%02d.gray.xwd CRC=0x0ff205be diff --git a/tests/ref/lavf/gray16be.pam b/tests/ref/lavf/gray16be.pam index 5038384bb8..1182b83db2 100644 --- a/tests/ref/lavf/gray16be.pam +++ b/tests/ref/lavf/gray16be.pam @@ -1,3 +1,3 @@ 740eb42157af9e9eed46b70ba6a6cf4d *tests/data/images/gray16be.pam/02.gray16be.pam -tests/data/images/gray16be.pam/%02d.gray16be.pam CRC=0x893f10ef 202823 tests/data/images/gray16be.pam/02.gray16be.pam +tests/data/images/gray16be.pam/%02d.gray16be.pam CRC=0x893f10ef diff --git a/tests/ref/lavf/gray16be.png b/tests/ref/lavf/gray16be.png index 2f52a8336d..4f4ce179d2 100644 --- a/tests/ref/lavf/gray16be.png +++ b/tests/ref/lavf/gray16be.png @@ -1,3 +1,3 @@ 6cf54c13aa407b77547cf6dfe23ecba3 *tests/data/images/gray16be.png/02.gray16be.png -tests/data/images/gray16be.png/%02d.gray16be.png CRC=0x893f10ef 47365 tests/data/images/gray16be.png/02.gray16be.png +tests/data/images/gray16be.png/%02d.gray16be.png CRC=0x893f10ef diff --git a/tests/ref/lavf/grayf32be.pfm b/tests/ref/lavf/grayf32be.pfm index 05614a0f50..19a2ca85b6 100644 --- a/tests/ref/lavf/grayf32be.pfm +++ b/tests/ref/lavf/grayf32be.pfm @@ -1,3 +1,3 @@ 0f6df0d68d7dd30e67386b1255f443c9 *tests/data/images/grayf32be.pfm/02.grayf32be.pfm -tests/data/images/grayf32be.pfm/%02d.grayf32be.pfm CRC=0xe3fda443 405524 tests/data/images/grayf32be.pfm/02.grayf32be.pfm +tests/data/images/grayf32be.pfm/%02d.grayf32be.pfm CRC=0xe3fda443 diff --git a/tests/ref/lavf/grayf32le.pfm b/tests/ref/lavf/grayf32le.pfm index a419daa650..aba861ec72 100644 --- a/tests/ref/lavf/grayf32le.pfm +++ b/tests/ref/lavf/grayf32le.pfm 
@@ -1,3 +1,3 @@ 145715872a894b1fde0105d8a0106191 *tests/data/images/grayf32le.pfm/02.grayf32le.pfm -tests/data/images/grayf32le.pfm/%02d.grayf32le.pfm CRC=0x5443a443 405525 tests/data/images/grayf32le.pfm/02.grayf32le.pfm +tests/data/images/grayf32le.pfm/%02d.grayf32le.pfm CRC=0x5443a443 diff --git a/tests/ref/lavf/jpg b/tests/ref/lavf/jpg index ecbb22ceba..94cee61ad7 100644 --- a/tests/ref/lavf/jpg +++ b/tests/ref/lavf/jpg @@ -1,3 +1,3 @@ 1e7c6d937f21c045e0b238a83f62f3c5 *tests/data/images/jpg/02.jpg -tests/data/images/jpg/%02d.jpg CRC=0xe3509f33 26037 tests/data/images/jpg/02.jpg +tests/data/images/jpg/%02d.jpg CRC=0xe3509f33 diff --git a/tests/ref/lavf/monob.pam b/tests/ref/lavf/monob.pam index 488907e11f..a81be2caca 100644 --- a/tests/ref/lavf/monob.pam +++ b/tests/ref/lavf/monob.pam @@ -1,3 +1,3 @@ d2f5eb2f959ca3a90c02f1887b6e0c4f *tests/data/images/monob.pam/02.monob.pam -tests/data/images/monob.pam/%02d.monob.pam CRC=0xab19200d 101447 tests/data/images/monob.pam/02.monob.pam +tests/data/images/monob.pam/%02d.monob.pam CRC=0xab19200d diff --git a/tests/ref/lavf/monow.xwd b/tests/ref/lavf/monow.xwd index da09d8b191..10cd05cfcb 100644 --- a/tests/ref/lavf/monow.xwd +++ b/tests/ref/lavf/monow.xwd @@ -1,3 +1,3 @@ 796e2e309ac0844cfb2f4959816508ee *tests/data/images/monow.xwd/02.monow.xwd -tests/data/images/monow.xwd/%02d.monow.xwd CRC=0xc9a20204 12783 tests/data/images/monow.xwd/02.monow.xwd +tests/data/images/monow.xwd/%02d.monow.xwd CRC=0xc9a20204 diff --git a/tests/ref/lavf/none.gbrapf32le.exr b/tests/ref/lavf/none.gbrapf32le.exr index 3250be2ccc..099f36cfcc 100644 --- a/tests/ref/lavf/none.gbrapf32le.exr +++ b/tests/ref/lavf/none.gbrapf32le.exr 
@@ -1,3 +1,3 @@ c586035e67f9ba7f2a3777933b5b22a0 *tests/data/images/none.gbrapf32le.exr/02.none.gbrapf32le.exr -tests/data/images/none.gbrapf32le.exr/%02d.none.gbrapf32le.exr CRC=0x068aca4e 1627003 tests/data/images/none.gbrapf32le.exr/02.none.gbrapf32le.exr +tests/data/images/none.gbrapf32le.exr/%02d.none.gbrapf32le.exr CRC=0x068aca4e diff --git a/tests/ref/lavf/none.gbrpf32le.exr b/tests/ref/lavf/none.gbrpf32le.exr index 41c43e372a..7e0b2bddf6 100644 --- a/tests/ref/lavf/none.gbrpf32le.exr +++ b/tests/ref/lavf/none.gbrpf32le.exr @@ -1,3 +1,3 @@ 10f42423c6585fe5053c5457fba7b235 *tests/data/images/none.gbrpf32le.exr/02.none.gbrpf32le.exr -tests/data/images/none.gbrpf32le.exr/%02d.none.gbrpf32le.exr CRC=0x95e1053f 1221481 tests/data/images/none.gbrpf32le.exr/02.none.gbrpf32le.exr +tests/data/images/none.gbrpf32le.exr/%02d.none.gbrpf32le.exr CRC=0x95e1053f diff --git a/tests/ref/lavf/none.grayf32le.exr b/tests/ref/lavf/none.grayf32le.exr index 19ab9a2d20..4d5fad8ce7 100644 --- a/tests/ref/lavf/none.grayf32le.exr +++ b/tests/ref/lavf/none.grayf32le.exr @@ -1,3 +1,3 @@ 8aa28b10bf2591b7030b78bc29907293 *tests/data/images/none.grayf32le.exr/02.none.grayf32le.exr -tests/data/images/none.grayf32le.exr/%02d.none.grayf32le.exr CRC=0x5443a443 410437 tests/data/images/none.grayf32le.exr/02.none.grayf32le.exr +tests/data/images/none.grayf32le.exr/%02d.none.grayf32le.exr CRC=0x5443a443 diff --git a/tests/ref/lavf/pam b/tests/ref/lavf/pam index 8ac3f2b10e..ec3034d1d8 100644 --- a/tests/ref/lavf/pam +++ b/tests/ref/lavf/pam @@ -1,3 +1,3 @@ 0dce5565222cf0f8b309467f279aecd2 *tests/data/images/pam/02.pam -tests/data/images/pam/%02d.pam CRC=0x6da01946 304191 tests/data/images/pam/02.pam +tests/data/images/pam/%02d.pam CRC=0x6da01946 diff --git a/tests/ref/lavf/pcx b/tests/ref/lavf/pcx index 2767ccf32e..8aa6eb4099 100644 --- a/tests/ref/lavf/pcx +++ b/tests/ref/lavf/pcx 
@@ -1,3 +1,3 @@ c4faf65ecc812ec8412cc26140c13bd5 *tests/data/images/pcx/02.pcx -tests/data/images/pcx/%02d.pcx CRC=0x6da01946 364147 tests/data/images/pcx/02.pcx +tests/data/images/pcx/%02d.pcx CRC=0x6da01946 diff --git a/tests/ref/lavf/pgm b/tests/ref/lavf/pgm index 4100ac95cd..814ecdcf35 100644 --- a/tests/ref/lavf/pgm +++ b/tests/ref/lavf/pgm @@ -1,3 +1,3 @@ cc777c5fc4d116d4c5a996eac8d3133e *tests/data/images/pgm/02.pgm -tests/data/images/pgm/%02d.pgm CRC=0x0ff205be 101391 tests/data/images/pgm/02.pgm +tests/data/images/pgm/%02d.pgm CRC=0x0ff205be diff --git a/tests/ref/lavf/png b/tests/ref/lavf/png index 165513e98a..2385ad1800 100644 --- a/tests/ref/lavf/png +++ b/tests/ref/lavf/png @@ -1,3 +1,3 @@ 2af72da4468e61a37c220b25cb28618a *tests/data/images/png/02.png -tests/data/images/png/%02d.png CRC=0x6da01946 248633 tests/data/images/png/02.png +tests/data/images/png/%02d.png CRC=0x6da01946 diff --git a/tests/ref/lavf/ppm b/tests/ref/lavf/ppm index 04377f12d3..ce12659062 100644 --- a/tests/ref/lavf/ppm +++ b/tests/ref/lavf/ppm @@ -1,3 +1,3 @@ 16d5dadf0b362fc8ba3cb676c5dde985 *tests/data/images/ppm/02.ppm -tests/data/images/ppm/%02d.ppm CRC=0x6da01946 304143 tests/data/images/ppm/02.ppm +tests/data/images/ppm/%02d.ppm CRC=0x6da01946 diff --git a/tests/ref/lavf/qoi b/tests/ref/lavf/qoi index 11cd832b9b..76609ea478 100644 --- a/tests/ref/lavf/qoi +++ b/tests/ref/lavf/qoi @@ -1,3 +1,3 @@ 3887a856d13f6444e213e9e268d58d55 *tests/data/images/qoi/02.qoi -tests/data/images/qoi/%02d.qoi CRC=0x6da01946 307658 tests/data/images/qoi/02.qoi +tests/data/images/qoi/%02d.qoi CRC=0x6da01946 diff --git a/tests/ref/lavf/rgb48be.pam b/tests/ref/lavf/rgb48be.pam index 13e5f77ac0..7ad9f5c686 100644 --- a/tests/ref/lavf/rgb48be.pam +++ b/tests/ref/lavf/rgb48be.pam 
@@ -1,3 +1,3 @@ 032538f0313b4f240b44a5bef115f5bf *tests/data/images/rgb48be.pam/02.rgb48be.pam -tests/data/images/rgb48be.pam/%02d.rgb48be.pam CRC=0x5984c023 608321 tests/data/images/rgb48be.pam/02.rgb48be.pam +tests/data/images/rgb48be.pam/%02d.rgb48be.pam CRC=0x5984c023 diff --git a/tests/ref/lavf/rgb48be.png b/tests/ref/lavf/rgb48be.png index 84f4d46f5c..b893401a8f 100644 --- a/tests/ref/lavf/rgb48be.png +++ b/tests/ref/lavf/rgb48be.png @@ -1,3 +1,3 @@ b4e38244c97debe3f528e7d1adb283ef *tests/data/images/rgb48be.png/02.rgb48be.png -tests/data/images/rgb48be.png/%02d.rgb48be.png CRC=0x5984c023 511900 tests/data/images/rgb48be.png/02.rgb48be.png +tests/data/images/rgb48be.png/%02d.rgb48be.png CRC=0x5984c023 diff --git a/tests/ref/lavf/rgb48le.dpx b/tests/ref/lavf/rgb48le.dpx index 073153898a..b808ff4bdc 100644 --- a/tests/ref/lavf/rgb48le.dpx +++ b/tests/ref/lavf/rgb48le.dpx @@ -1,3 +1,3 @@ 075963c3c08978b6a20555ba09161434 *tests/data/images/rgb48le.dpx/02.rgb48le.dpx -tests/data/images/rgb48le.dpx/%02d.rgb48le.dpx CRC=0xe5b9c023 609920 tests/data/images/rgb48le.dpx/02.rgb48le.dpx +tests/data/images/rgb48le.dpx/%02d.rgb48le.dpx CRC=0xe5b9c023 diff --git a/tests/ref/lavf/rgb48le_10.dpx b/tests/ref/lavf/rgb48le_10.dpx index ce36e5079f..a49d929f7f 100644 --- a/tests/ref/lavf/rgb48le_10.dpx +++ b/tests/ref/lavf/rgb48le_10.dpx @@ -1,3 +1,3 @@ b9f22728f8ff393bf30cf6cbd624fa95 *tests/data/images/rgb48le_10.dpx/02.rgb48le_10.dpx -tests/data/images/rgb48le_10.dpx/%02d.rgb48le_10.dpx CRC=0xf38d5830 407168 tests/data/images/rgb48le_10.dpx/02.rgb48le_10.dpx +tests/data/images/rgb48le_10.dpx/%02d.rgb48le_10.dpx CRC=0xf38d5830 diff --git a/tests/ref/lavf/rgb4_byte.xwd b/tests/ref/lavf/rgb4_byte.xwd index fee4cf7289..17546d153c 100644 --- a/tests/ref/lavf/rgb4_byte.xwd +++ b/tests/ref/lavf/rgb4_byte.xwd 
@@ -1,3 +1,3 @@ fe1af954966a40c2cd35fc27094ff823 *tests/data/images/rgb4_byte.xwd/02.rgb4_byte.xwd -tests/data/images/rgb4_byte.xwd/%02d.rgb4_byte.xwd CRC=0xce042dcc 104559 tests/data/images/rgb4_byte.xwd/02.rgb4_byte.xwd +tests/data/images/rgb4_byte.xwd/%02d.rgb4_byte.xwd CRC=0xce042dcc diff --git a/tests/ref/lavf/rgb555be.xwd b/tests/ref/lavf/rgb555be.xwd index 1f9c579bc4..53b81d5126 100644 --- a/tests/ref/lavf/rgb555be.xwd +++ b/tests/ref/lavf/rgb555be.xwd @@ -1,3 +1,3 @@ 1300938325d5ac12caa09a43bd58f37c *tests/data/images/rgb555be.xwd/02.rgb555be.xwd -tests/data/images/rgb555be.xwd/%02d.rgb555be.xwd CRC=0x14555d6e 202863 tests/data/images/rgb555be.xwd/02.rgb555be.xwd +tests/data/images/rgb555be.xwd/%02d.rgb555be.xwd CRC=0x14555d6e diff --git a/tests/ref/lavf/rgb565be.xwd b/tests/ref/lavf/rgb565be.xwd index 02a5bc28d3..1372fac86a 100644 --- a/tests/ref/lavf/rgb565be.xwd +++ b/tests/ref/lavf/rgb565be.xwd @@ -1,3 +1,3 @@ c0866e9e710fce735423594a93bee604 *tests/data/images/rgb565be.xwd/02.rgb565be.xwd -tests/data/images/rgb565be.xwd/%02d.rgb565be.xwd CRC=0x53209216 202863 tests/data/images/rgb565be.xwd/02.rgb565be.xwd +tests/data/images/rgb565be.xwd/%02d.rgb565be.xwd CRC=0x53209216 diff --git a/tests/ref/lavf/rgb8.xwd b/tests/ref/lavf/rgb8.xwd index 52f4e3eeba..b19763fc74 100644 --- a/tests/ref/lavf/rgb8.xwd +++ b/tests/ref/lavf/rgb8.xwd @@ -1,3 +1,3 @@ c6f3cb7c45f7238474a89d2ad61a1caf *tests/data/images/rgb8.xwd/02.rgb8.xwd -tests/data/images/rgb8.xwd/%02d.rgb8.xwd CRC=0xf217a95e 104559 tests/data/images/rgb8.xwd/02.rgb8.xwd +tests/data/images/rgb8.xwd/%02d.rgb8.xwd CRC=0xf217a95e diff --git a/tests/ref/lavf/rgba.pam b/tests/ref/lavf/rgba.pam index 56e43a4ace..4e3bf8c1a5 100644 --- a/tests/ref/lavf/rgba.pam +++ b/tests/ref/lavf/rgba.pam 
@@ -1,3 +1,3 @@ 2ed31ca8d8de560afb3e0fd7a873cde5 *tests/data/images/rgba.pam/02.rgba.pam -tests/data/images/rgba.pam/%02d.rgba.pam CRC=0xf07d29cd 405573 tests/data/images/rgba.pam/02.rgba.pam +tests/data/images/rgba.pam/%02d.rgba.pam CRC=0xf07d29cd diff --git a/tests/ref/lavf/rgba.xwd b/tests/ref/lavf/rgba.xwd index 95aafdceb8..2d0f568980 100644 --- a/tests/ref/lavf/rgba.xwd +++ b/tests/ref/lavf/rgba.xwd @@ -1,3 +1,3 @@ 1cdb43599c956dc8563f1e09fac5df00 *tests/data/images/rgba.xwd/02.rgba.xwd -tests/data/images/rgba.xwd/%02d.rgba.xwd CRC=0xf07d29cd 405615 tests/data/images/rgba.xwd/02.rgba.xwd +tests/data/images/rgba.xwd/%02d.rgba.xwd CRC=0xf07d29cd diff --git a/tests/ref/lavf/rgba64le.dpx b/tests/ref/lavf/rgba64le.dpx index b4092c9fd8..5ccde8975b 100644 --- a/tests/ref/lavf/rgba64le.dpx +++ b/tests/ref/lavf/rgba64le.dpx @@ -1,3 +1,3 @@ 545603630f30dec2768c8ae8d12eb8ea *tests/data/images/rgba64le.dpx/02.rgba64le.dpx -tests/data/images/rgba64le.dpx/%02d.rgba64le.dpx CRC=0xe72ce131 812672 tests/data/images/rgba64le.dpx/02.rgba64le.dpx +tests/data/images/rgba64le.dpx/%02d.rgba64le.dpx CRC=0xe72ce131 diff --git a/tests/ref/lavf/rle.gbrapf32le.exr b/tests/ref/lavf/rle.gbrapf32le.exr index e8093dacc9..130103ea23 100644 --- a/tests/ref/lavf/rle.gbrapf32le.exr +++ b/tests/ref/lavf/rle.gbrapf32le.exr @@ -1,3 +1,3 @@ 94398a5ce98bb7b1b78b2b807306f6d7 *tests/data/images/rle.gbrapf32le.exr/02.rle.gbrapf32le.exr -tests/data/images/rle.gbrapf32le.exr/%02d.rle.gbrapf32le.exr CRC=0x068aca4e 1436849 tests/data/images/rle.gbrapf32le.exr/02.rle.gbrapf32le.exr +tests/data/images/rle.gbrapf32le.exr/%02d.rle.gbrapf32le.exr CRC=0x068aca4e diff --git a/tests/ref/lavf/rle.gbrpf32le.exr b/tests/ref/lavf/rle.gbrpf32le.exr index beb8bf4a64..f16d710cc0 100644 --- a/tests/ref/lavf/rle.gbrpf32le.exr +++ b/tests/ref/lavf/rle.gbrpf32le.exr 
@@ -1,3 +1,3 @@ fed878e1f4391314c37088085942e572 *tests/data/images/rle.gbrpf32le.exr/02.rle.gbrpf32le.exr -tests/data/images/rle.gbrpf32le.exr/%02d.rle.gbrpf32le.exr CRC=0x95e1053f 1208298 tests/data/images/rle.gbrpf32le.exr/02.rle.gbrpf32le.exr +tests/data/images/rle.gbrpf32le.exr/%02d.rle.gbrpf32le.exr CRC=0x95e1053f diff --git a/tests/ref/lavf/rle.grayf32le.exr b/tests/ref/lavf/rle.grayf32le.exr index 883b1d6446..1ac6dfa773 100644 --- a/tests/ref/lavf/rle.grayf32le.exr +++ b/tests/ref/lavf/rle.grayf32le.exr @@ -1,3 +1,3 @@ 2841f839cb5aa98bb7aded800dda7cc7 *tests/data/images/rle.grayf32le.exr/02.rle.grayf32le.exr -tests/data/images/rle.grayf32le.exr/%02d.rle.grayf32le.exr CRC=0x5443a443 410437 tests/data/images/rle.grayf32le.exr/02.rle.grayf32le.exr +tests/data/images/rle.grayf32le.exr/%02d.rle.grayf32le.exr CRC=0x5443a443 diff --git a/tests/ref/lavf/sgi b/tests/ref/lavf/sgi index 5049278069..ad27b805f0 100644 --- a/tests/ref/lavf/sgi +++ b/tests/ref/lavf/sgi @@ -1,3 +1,3 @@ d446e540a7c18da5fd3cc0e9942cd46f *tests/data/images/sgi/02.sgi -tests/data/images/sgi/%02d.sgi CRC=0x6da01946 307287 tests/data/images/sgi/02.sgi +tests/data/images/sgi/%02d.sgi CRC=0x6da01946 diff --git a/tests/ref/lavf/sun b/tests/ref/lavf/sun index 5dc0011e7e..3aa76e469c 100644 --- a/tests/ref/lavf/sun +++ b/tests/ref/lavf/sun @@ -1,3 +1,3 @@ 07518bcb0841bc677ce6aea8464ea240 *tests/data/images/sun/02.sun -tests/data/images/sun/%02d.sun CRC=0xe6c71946 304123 tests/data/images/sun/02.sun +tests/data/images/sun/%02d.sun CRC=0xe6c71946 diff --git a/tests/ref/lavf/tga b/tests/ref/lavf/tga index c7e33b0437..96c5acd14e 100644 --- a/tests/ref/lavf/tga +++ b/tests/ref/lavf/tga @@ -1,3 +1,3 @@ c0305c53e6d79d4ed9f35f04f671246c *tests/data/images/tga/02.tga -tests/data/images/tga/%02d.tga CRC=0xe6c71946 304172 tests/data/images/tga/02.tga +tests/data/images/tga/%02d.tga CRC=0xe6c71946 diff --git a/tests/ref/lavf/tiff b/tests/ref/lavf/tiff index c708642f94..35655b10a7 100644 --- a/tests/ref/lavf/tiff 
+++ b/tests/ref/lavf/tiff @@ -1,3 +1,3 @@ b3299346a8959553a437e486d8f3bf76 *tests/data/images/tiff/02.tiff -tests/data/images/tiff/%02d.tiff CRC=0x6da01946 307131 tests/data/images/tiff/02.tiff +tests/data/images/tiff/%02d.tiff CRC=0x6da01946 diff --git a/tests/ref/lavf/xbm b/tests/ref/lavf/xbm index e54d6bc226..c2a91f09e4 100644 --- a/tests/ref/lavf/xbm +++ b/tests/ref/lavf/xbm @@ -1,3 +1,3 @@ 83ed197cc88f382d9253365ffef70ec5 *tests/data/images/xbm/02.xbm -tests/data/images/xbm/%02d.xbm CRC=0xc9a20204 76410 tests/data/images/xbm/02.xbm +tests/data/images/xbm/%02d.xbm CRC=0xc9a20204 diff --git a/tests/ref/lavf/xwd b/tests/ref/lavf/xwd index 7a426ed1f7..c51b3a9779 100644 --- a/tests/ref/lavf/xwd +++ b/tests/ref/lavf/xwd @@ -1,3 +1,3 @@ 50baa5560b7d1aa3188b19c1162bf7dc *tests/data/images/xwd/02.xwd -tests/data/images/xwd/%02d.xwd CRC=0x6da01946 304239 tests/data/images/xwd/02.xwd +tests/data/images/xwd/%02d.xwd CRC=0x6da01946 diff --git a/tests/ref/lavf/zip1.gbrapf32le.exr b/tests/ref/lavf/zip1.gbrapf32le.exr index 7b2f21b893..27d6b7b9dd 100644 --- a/tests/ref/lavf/zip1.gbrapf32le.exr +++ b/tests/ref/lavf/zip1.gbrapf32le.exr @@ -1,3 +1,3 @@ 9fca73aac1a2e38969bed55929da48b4 *tests/data/images/zip1.gbrapf32le.exr/02.zip1.gbrapf32le.exr -tests/data/images/zip1.gbrapf32le.exr/%02d.zip1.gbrapf32le.exr CRC=0x068aca4e 902782 tests/data/images/zip1.gbrapf32le.exr/02.zip1.gbrapf32le.exr +tests/data/images/zip1.gbrapf32le.exr/%02d.zip1.gbrapf32le.exr CRC=0x068aca4e diff --git a/tests/ref/lavf/zip1.gbrpf32le.exr b/tests/ref/lavf/zip1.gbrpf32le.exr index a986591146..a85c7866a5 100644 --- a/tests/ref/lavf/zip1.gbrpf32le.exr +++ b/tests/ref/lavf/zip1.gbrpf32le.exr 
@@ -1,3 +1,3 @@ a405ee4328719c53f97d351b5910e82b *tests/data/images/zip1.gbrpf32le.exr/02.zip1.gbrpf32le.exr -tests/data/images/zip1.gbrpf32le.exr/%02d.zip1.gbrpf32le.exr CRC=0x95e1053f 897319 tests/data/images/zip1.gbrpf32le.exr/02.zip1.gbrpf32le.exr +tests/data/images/zip1.gbrpf32le.exr/%02d.zip1.gbrpf32le.exr CRC=0x95e1053f diff --git a/tests/ref/lavf/zip1.grayf32le.exr b/tests/ref/lavf/zip1.grayf32le.exr index b89ceb22df..536deb2dbe 100644 --- a/tests/ref/lavf/zip1.grayf32le.exr +++ b/tests/ref/lavf/zip1.grayf32le.exr @@ -1,3 +1,3 @@ 76fe15b4e0b735a6318ca273ff52fb58 *tests/data/images/zip1.grayf32le.exr/02.zip1.grayf32le.exr -tests/data/images/zip1.grayf32le.exr/%02d.zip1.grayf32le.exr CRC=0x5443a443 91044 tests/data/images/zip1.grayf32le.exr/02.zip1.grayf32le.exr +tests/data/images/zip1.grayf32le.exr/%02d.zip1.grayf32le.exr CRC=0x5443a443 diff --git a/tests/ref/lavf/zip16.gbrapf32le.exr b/tests/ref/lavf/zip16.gbrapf32le.exr index 830ae0fe50..4dd9814e37 100644 --- a/tests/ref/lavf/zip16.gbrapf32le.exr +++ b/tests/ref/lavf/zip16.gbrapf32le.exr @@ -1,3 +1,3 @@ 8beb8db200e658e74fdd4ed4c4ca9214 *tests/data/images/zip16.gbrapf32le.exr/02.zip16.gbrapf32le.exr -tests/data/images/zip16.gbrapf32le.exr/%02d.zip16.gbrapf32le.exr CRC=0x068aca4e 807513 tests/data/images/zip16.gbrapf32le.exr/02.zip16.gbrapf32le.exr +tests/data/images/zip16.gbrapf32le.exr/%02d.zip16.gbrapf32le.exr CRC=0x068aca4e diff --git a/tests/ref/lavf/zip16.gbrpf32le.exr b/tests/ref/lavf/zip16.gbrpf32le.exr index 27fa2a7c5b..7e6f144d93 100644 --- a/tests/ref/lavf/zip16.gbrpf32le.exr +++ b/tests/ref/lavf/zip16.gbrpf32le.exr @@ -1,3 +1,3 @@ 4bc7e2640ea086b7fc31cbcd4fff19f5 *tests/data/images/zip16.gbrpf32le.exr/02.zip16.gbrpf32le.exr -tests/data/images/zip16.gbrpf32le.exr/%02d.zip16.gbrpf32le.exr CRC=0x95e1053f 796693 tests/data/images/zip16.gbrpf32le.exr/02.zip16.gbrpf32le.exr +tests/data/images/zip16.gbrpf32le.exr/%02d.zip16.gbrpf32le.exr CRC=0x95e1053f 
diff --git a/tests/ref/lavf/zip16.grayf32le.exr b/tests/ref/lavf/zip16.grayf32le.exr index 24f82525bd..da74286563 100644 --- a/tests/ref/lavf/zip16.grayf32le.exr +++ b/tests/ref/lavf/zip16.grayf32le.exr @@ -1,3 +1,3 @@ 5d5def6a4f16cef1122280d80c7c527d *tests/data/images/zip16.grayf32le.exr/02.zip16.grayf32le.exr -tests/data/images/zip16.grayf32le.exr/%02d.zip16.grayf32le.exr CRC=0x5443a443 63997 tests/data/images/zip16.grayf32le.exr/02.zip16.grayf32le.exr +tests/data/images/zip16.grayf32le.exr/%02d.zip16.grayf32le.exr CRC=0x5443a443 From aba74d7843dabeb4babb0b86b817d988581ed5fa Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 1 Aug 2022 14:41:38 +0200 Subject: [PATCH 022/562] fate/lavf-image: Disable file checksums for exr tests The generated files are endian-dependent, so no checksums may be part of the ref files. Fixes ticket #9854. Tested-by: Sebastian Ramacher Signed-off-by: Andreas Rheinhardt (cherry picked from commit fe211aebbf2988f7a6588cf9f45277ca74b92763) --- tests/fate/lavf-image.mak | 24 ++++++++++++------------ tests/ref/lavf/none.gbrapf32le.exr | 2 -- tests/ref/lavf/none.gbrpf32le.exr | 2 -- tests/ref/lavf/none.grayf32le.exr | 2 -- tests/ref/lavf/rle.gbrapf32le.exr | 2 -- tests/ref/lavf/rle.gbrpf32le.exr | 2 -- tests/ref/lavf/rle.grayf32le.exr | 2 -- tests/ref/lavf/zip1.gbrapf32le.exr | 2 -- tests/ref/lavf/zip1.gbrpf32le.exr | 2 -- tests/ref/lavf/zip1.grayf32le.exr | 2 -- tests/ref/lavf/zip16.gbrapf32le.exr | 2 -- tests/ref/lavf/zip16.gbrpf32le.exr | 2 -- tests/ref/lavf/zip16.grayf32le.exr | 2 -- 13 files changed, 12 insertions(+), 36 deletions(-) diff --git a/tests/fate/lavf-image.mak b/tests/fate/lavf-image.mak index 38d3689abf..6d61233cfe 100644 --- a/tests/fate/lavf-image.mak +++ b/tests/fate/lavf-image.mak 
@@ -59,18 +59,18 @@ $(FATE_LAVF_IMAGES): CMD = lavf_image $(FATE_LAVF_IMAGES): REF = $(SRC_PATH)/tests/ref/lavf/$(@:fate-lavf-%=%) $(FATE_LAVF_IMAGES): $(VREF) -fate-lavf-none.grayf32le.exr: CMD = lavf_image "-compression none -pix_fmt grayf32le" -fate-lavf-rle.grayf32le.exr: CMD = lavf_image "-compression rle -pix_fmt grayf32le" -fate-lavf-zip1.grayf32le.exr: CMD = lavf_image "-compression zip1 -pix_fmt grayf32le" -fate-lavf-zip16.grayf32le.exr: CMD = lavf_image "-compression zip16 -pix_fmt grayf32le" -fate-lavf-none.gbrpf32le.exr: CMD = lavf_image "-compression none -pix_fmt gbrpf32le" -fate-lavf-rle.gbrpf32le.exr: CMD = lavf_image "-compression rle -pix_fmt gbrpf32le" -fate-lavf-zip1.gbrpf32le.exr: CMD = lavf_image "-compression zip1 -pix_fmt gbrpf32le" -fate-lavf-zip16.gbrpf32le.exr: CMD = lavf_image "-compression zip16 -pix_fmt gbrpf32le" -fate-lavf-none.gbrapf32le.exr: CMD = lavf_image "-compression none -pix_fmt gbrapf32le" -fate-lavf-rle.gbrapf32le.exr: CMD = lavf_image "-compression rle -pix_fmt gbrapf32le" -fate-lavf-zip1.gbrapf32le.exr: CMD = lavf_image "-compression zip1 -pix_fmt gbrapf32le" -fate-lavf-zip16.gbrapf32le.exr: CMD = lavf_image "-compression zip16 -pix_fmt gbrapf32le" +fate-lavf-none.grayf32le.exr: CMD = lavf_image "-compression none -pix_fmt grayf32le" "" "no_file_checksums" +fate-lavf-rle.grayf32le.exr: CMD = lavf_image "-compression rle -pix_fmt grayf32le" "" "no_file_checksums" +fate-lavf-zip1.grayf32le.exr: CMD = lavf_image "-compression zip1 -pix_fmt grayf32le" "" "no_file_checksums" +fate-lavf-zip16.grayf32le.exr: CMD = lavf_image "-compression zip16 -pix_fmt grayf32le" "" "no_file_checksums" +fate-lavf-none.gbrpf32le.exr: CMD = lavf_image "-compression none -pix_fmt gbrpf32le" "" "no_file_checksums" +fate-lavf-rle.gbrpf32le.exr: CMD = lavf_image "-compression rle -pix_fmt gbrpf32le" "" "no_file_checksums" +fate-lavf-zip1.gbrpf32le.exr: CMD = lavf_image "-compression zip1 -pix_fmt gbrpf32le" "" "no_file_checksums" 
+fate-lavf-zip16.gbrpf32le.exr: CMD = lavf_image "-compression zip16 -pix_fmt gbrpf32le" "" "no_file_checksums" +fate-lavf-none.gbrapf32le.exr: CMD = lavf_image "-compression none -pix_fmt gbrapf32le" "" "no_file_checksums" +fate-lavf-rle.gbrapf32le.exr: CMD = lavf_image "-compression rle -pix_fmt gbrapf32le" "" "no_file_checksums" +fate-lavf-zip1.gbrapf32le.exr: CMD = lavf_image "-compression zip1 -pix_fmt gbrapf32le" "" "no_file_checksums" +fate-lavf-zip16.gbrapf32le.exr: CMD = lavf_image "-compression zip16 -pix_fmt gbrapf32le" "" "no_file_checksums" fate-lavf-jpg: CMD = lavf_image "-pix_fmt yuvj420p" fate-lavf-tiff: CMD = lavf_image "-pix_fmt rgb24" fate-lavf-gbrp10le.dpx: CMD = lavf_image "-pix_fmt gbrp10le" "-pix_fmt gbrp10le" diff --git a/tests/ref/lavf/none.gbrapf32le.exr b/tests/ref/lavf/none.gbrapf32le.exr index 099f36cfcc..e365d8d743 100644 --- a/tests/ref/lavf/none.gbrapf32le.exr +++ b/tests/ref/lavf/none.gbrapf32le.exr @@ -1,3 +1 @@ -c586035e67f9ba7f2a3777933b5b22a0 *tests/data/images/none.gbrapf32le.exr/02.none.gbrapf32le.exr -1627003 tests/data/images/none.gbrapf32le.exr/02.none.gbrapf32le.exr tests/data/images/none.gbrapf32le.exr/%02d.none.gbrapf32le.exr CRC=0x068aca4e diff --git a/tests/ref/lavf/none.gbrpf32le.exr b/tests/ref/lavf/none.gbrpf32le.exr index 7e0b2bddf6..996cd26cce 100644 --- a/tests/ref/lavf/none.gbrpf32le.exr +++ b/tests/ref/lavf/none.gbrpf32le.exr @@ -1,3 +1 @@ -10f42423c6585fe5053c5457fba7b235 *tests/data/images/none.gbrpf32le.exr/02.none.gbrpf32le.exr -1221481 tests/data/images/none.gbrpf32le.exr/02.none.gbrpf32le.exr tests/data/images/none.gbrpf32le.exr/%02d.none.gbrpf32le.exr CRC=0x95e1053f diff --git a/tests/ref/lavf/none.grayf32le.exr b/tests/ref/lavf/none.grayf32le.exr index 4d5fad8ce7..9db5bb78ef 100644 --- a/tests/ref/lavf/none.grayf32le.exr +++ b/tests/ref/lavf/none.grayf32le.exr 
@@ -1,3 +1 @@ -8aa28b10bf2591b7030b78bc29907293 *tests/data/images/none.grayf32le.exr/02.none.grayf32le.exr -410437 tests/data/images/none.grayf32le.exr/02.none.grayf32le.exr tests/data/images/none.grayf32le.exr/%02d.none.grayf32le.exr CRC=0x5443a443 diff --git a/tests/ref/lavf/rle.gbrapf32le.exr b/tests/ref/lavf/rle.gbrapf32le.exr index 130103ea23..43db3b6c2a 100644 --- a/tests/ref/lavf/rle.gbrapf32le.exr +++ b/tests/ref/lavf/rle.gbrapf32le.exr @@ -1,3 +1 @@ -94398a5ce98bb7b1b78b2b807306f6d7 *tests/data/images/rle.gbrapf32le.exr/02.rle.gbrapf32le.exr -1436849 tests/data/images/rle.gbrapf32le.exr/02.rle.gbrapf32le.exr tests/data/images/rle.gbrapf32le.exr/%02d.rle.gbrapf32le.exr CRC=0x068aca4e diff --git a/tests/ref/lavf/rle.gbrpf32le.exr b/tests/ref/lavf/rle.gbrpf32le.exr index f16d710cc0..a10051dc2b 100644 --- a/tests/ref/lavf/rle.gbrpf32le.exr +++ b/tests/ref/lavf/rle.gbrpf32le.exr @@ -1,3 +1 @@ -fed878e1f4391314c37088085942e572 *tests/data/images/rle.gbrpf32le.exr/02.rle.gbrpf32le.exr -1208298 tests/data/images/rle.gbrpf32le.exr/02.rle.gbrpf32le.exr tests/data/images/rle.gbrpf32le.exr/%02d.rle.gbrpf32le.exr CRC=0x95e1053f diff --git a/tests/ref/lavf/rle.grayf32le.exr b/tests/ref/lavf/rle.grayf32le.exr index 1ac6dfa773..5f44e01937 100644 --- a/tests/ref/lavf/rle.grayf32le.exr +++ b/tests/ref/lavf/rle.grayf32le.exr @@ -1,3 +1 @@ -2841f839cb5aa98bb7aded800dda7cc7 *tests/data/images/rle.grayf32le.exr/02.rle.grayf32le.exr -410437 tests/data/images/rle.grayf32le.exr/02.rle.grayf32le.exr tests/data/images/rle.grayf32le.exr/%02d.rle.grayf32le.exr CRC=0x5443a443 diff --git a/tests/ref/lavf/zip1.gbrapf32le.exr b/tests/ref/lavf/zip1.gbrapf32le.exr index 27d6b7b9dd..2f17f0122b 100644 --- a/tests/ref/lavf/zip1.gbrapf32le.exr +++ b/tests/ref/lavf/zip1.gbrapf32le.exr 
@@ -1,3 +1 @@ -9fca73aac1a2e38969bed55929da48b4 *tests/data/images/zip1.gbrapf32le.exr/02.zip1.gbrapf32le.exr -902782 tests/data/images/zip1.gbrapf32le.exr/02.zip1.gbrapf32le.exr tests/data/images/zip1.gbrapf32le.exr/%02d.zip1.gbrapf32le.exr CRC=0x068aca4e diff --git a/tests/ref/lavf/zip1.gbrpf32le.exr b/tests/ref/lavf/zip1.gbrpf32le.exr index a85c7866a5..5512aae8d7 100644 --- a/tests/ref/lavf/zip1.gbrpf32le.exr +++ b/tests/ref/lavf/zip1.gbrpf32le.exr @@ -1,3 +1 @@ -a405ee4328719c53f97d351b5910e82b *tests/data/images/zip1.gbrpf32le.exr/02.zip1.gbrpf32le.exr -897319 tests/data/images/zip1.gbrpf32le.exr/02.zip1.gbrpf32le.exr tests/data/images/zip1.gbrpf32le.exr/%02d.zip1.gbrpf32le.exr CRC=0x95e1053f diff --git a/tests/ref/lavf/zip1.grayf32le.exr b/tests/ref/lavf/zip1.grayf32le.exr index 536deb2dbe..c74f2aed4d 100644 --- a/tests/ref/lavf/zip1.grayf32le.exr +++ b/tests/ref/lavf/zip1.grayf32le.exr @@ -1,3 +1 @@ -76fe15b4e0b735a6318ca273ff52fb58 *tests/data/images/zip1.grayf32le.exr/02.zip1.grayf32le.exr -91044 tests/data/images/zip1.grayf32le.exr/02.zip1.grayf32le.exr tests/data/images/zip1.grayf32le.exr/%02d.zip1.grayf32le.exr CRC=0x5443a443 diff --git a/tests/ref/lavf/zip16.gbrapf32le.exr b/tests/ref/lavf/zip16.gbrapf32le.exr index 4dd9814e37..6bfe158398 100644 --- a/tests/ref/lavf/zip16.gbrapf32le.exr +++ b/tests/ref/lavf/zip16.gbrapf32le.exr @@ -1,3 +1 @@ -8beb8db200e658e74fdd4ed4c4ca9214 *tests/data/images/zip16.gbrapf32le.exr/02.zip16.gbrapf32le.exr -807513 tests/data/images/zip16.gbrapf32le.exr/02.zip16.gbrapf32le.exr tests/data/images/zip16.gbrapf32le.exr/%02d.zip16.gbrapf32le.exr CRC=0x068aca4e diff --git a/tests/ref/lavf/zip16.gbrpf32le.exr b/tests/ref/lavf/zip16.gbrpf32le.exr index 7e6f144d93..7eff2c70ea 100644 --- a/tests/ref/lavf/zip16.gbrpf32le.exr +++ b/tests/ref/lavf/zip16.gbrpf32le.exr 
@@ -1,3 +1 @@ -4bc7e2640ea086b7fc31cbcd4fff19f5 *tests/data/images/zip16.gbrpf32le.exr/02.zip16.gbrpf32le.exr -796693 tests/data/images/zip16.gbrpf32le.exr/02.zip16.gbrpf32le.exr tests/data/images/zip16.gbrpf32le.exr/%02d.zip16.gbrpf32le.exr CRC=0x95e1053f diff --git a/tests/ref/lavf/zip16.grayf32le.exr b/tests/ref/lavf/zip16.grayf32le.exr index da74286563..25cb361be7 100644 --- a/tests/ref/lavf/zip16.grayf32le.exr +++ b/tests/ref/lavf/zip16.grayf32le.exr @@ -1,3 +1 @@ -5d5def6a4f16cef1122280d80c7c527d *tests/data/images/zip16.grayf32le.exr/02.zip16.grayf32le.exr -63997 tests/data/images/zip16.grayf32le.exr/02.zip16.grayf32le.exr tests/data/images/zip16.grayf32le.exr/%02d.zip16.grayf32le.exr CRC=0x5443a443 From ffaf6061309b581eed1291d747fa419cab0d7565 Mon Sep 17 00:00:00 2001 From: Stephen Hutchinson Date: Sun, 7 Aug 2022 21:25:31 -0400 Subject: [PATCH 023/562] avformat/avisynth: use ch_layout.nb_channels for channel count Fixes deprecation warning Signed-off-by: James Almer (cherry picked from commit dc9843d82932ba93f616f5e2893fd5c2576468c3) --- libavformat/avisynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avisynth.c b/libavformat/avisynth.c index a97d12b6b6..ec595dab79 100644 --- a/libavformat/avisynth.c +++ b/libavformat/avisynth.c @@ -752,7 +752,7 @@ static int avisynth_create_stream_audio(AVFormatContext *s, AVStream *st) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->sample_rate = avs->vi->audio_samples_per_second; - st->codecpar->channels = avs->vi->nchannels; + st->codecpar->ch_layout.nb_channels = avs->vi->nchannels; st->duration = avs->vi->num_audio_samples; avpriv_set_pts_info(st, 64, 1, avs->vi->audio_samples_per_second); From 1ad802c45c9a57f1937862536955bdc7f8235707 Mon Sep 17 00:00:00 2001 
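Review bot: `avs->vi->nchannels` is copied into `ch_layout.nb_channels` in avisynth_create_stream_audio without a range check, and nothing in the hunk sets the layout's `order`. If the script can report zero or a negative count (not visible here), the stream would carry an invalid layout; a guard such as `if (avs->vi->nchannels <= 0) return AVERROR_INVALIDDATA;` before the assignment would make that case explicit. Presumably `order` stays at AV_CHANNEL_ORDER_UNSPEC from the zero-initialised codecpar, and a short comment saying so would help the next reader. The function starts and ends outside the hunk.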
From: Andreas Rheinhardt Date: Sat, 6 Aug 2022 20:07:02 +0200 Subject: [PATCH 024/562] avcodec/libspeexdec: Fix use of uninitialized value Regression since 97d9a3293854eda84f05c22e2eaefae7406ac969. Fixes Coverity issue #1503072. Signed-off-by: Andreas Rheinhardt (cherry picked from commit eb608fd0b00424eacb4dc85f23227e186289fb48) --- libavcodec/libspeexdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libspeexdec.c b/libavcodec/libspeexdec.c index 8c9e05e51d..bb8e1a7db9 100644 --- a/libavcodec/libspeexdec.c +++ b/libavcodec/libspeexdec.c @@ -43,7 +43,7 @@ static av_cold int libspeex_decode_init(AVCodecContext *avctx) LibSpeexContext *s = avctx->priv_data; const SpeexMode *mode; SpeexHeader *header = NULL; - int spx_mode, channels; + int spx_mode, channels = avctx->ch_layout.nb_channels; if (avctx->extradata && avctx->extradata_size >= 80) { header = speex_packet_to_header(avctx->extradata, From 8479e2fc8bdfc80ed7f376594c3833c01d970030 Mon Sep 17 00:00:00 2001 From: Derek Buitenhuis Date: Wed, 10 Aug 2022 23:17:58 +0100 Subject: [PATCH 025/562] ipfsgateway: Remove default gateway A gateway can see everything, and we should not be shipping a hardcoded default from a third party company; it's a security risk. Signed-off-by: Derek Buitenhuis (cherry picked from commit 412922cc6fa790897ef6bb2be5d6f9a5f030754d) --- libavformat/ipfsgateway.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/libavformat/ipfsgateway.c b/libavformat/ipfsgateway.c index 5a5178c563..907b61b017 100644 --- a/libavformat/ipfsgateway.c +++ b/libavformat/ipfsgateway.c 
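Review bot: The new initialiser in libspeex_decode_init covers only `channels`; `spx_mode`, declared on the same line, still has no initial value, and whether every later path assigns it cannot be seen from this hunk. The default now comes from the caller-supplied `avctx->ch_layout.nb_channels`, which may be 0 when no layout was set, so the range check on `channels` later in the function (outside the hunk) should be confirmed to reject that value. I would also document the intent on the declaration: `/* channels: caller's layout unless the Speex header overrides it */`.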
@@ -240,13 +240,8 @@ static int translate_ipfs_to_http(URLContext *h, const char *uri, int flags, AVD ret = populate_ipfs_gateway(h); if (ret < 1) { - // We fallback on dweb.link (managed by Protocol Labs). - snprintf(c->gateway_buffer, sizeof(c->gateway_buffer), "https://dweb.link"); - - av_log(h, AV_LOG_WARNING, - "IPFS does not appear to be running. " - "You’re now using the public gateway at dweb.link.\n"); - av_log(h, AV_LOG_INFO, + av_log(h, AV_LOG_ERROR, + "IPFS does not appear to be running.\n\n" "Installing IPFS locally is recommended to " "improve performance and reliability, " "and not share all your activity with a single IPFS gateway.\n" @@ -259,6 +254,8 @@ static int translate_ipfs_to_http(URLContext *h, const char *uri, int flags, AVD "3. Define an $IPFS_PATH environment variable " "and point it to the IPFS data path " "- this is typically ~/.ipfs\n"); + ret = AVERROR(EINVAL); + goto err; } } From 4e4cc6e56a899f6b4302e80dbcd6b4462f340905 Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Mon, 15 Aug 2022 23:56:16 +0530 Subject: [PATCH 026/562] ffprobe: restore reporting error code for failed inputs c11fb46731 led to a regression whereby the return code for missing input or input probe is overridden by writer close return code and hence not conveyed in the exit code. --- fftools/ffprobe.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fftools/ffprobe.c b/fftools/ffprobe.c index f156663019..608d9050f7 100644 --- a/fftools/ffprobe.c +++ b/fftools/ffprobe.c @@ -4026,7 +4026,7 @@ int main(int argc, char **argv) WriterContext *wctx; char *buf; char *w_name = NULL, *w_args = NULL; - int ret, i; + int ret, input_ret, i; init_dynload(); @@ -4150,10 +4150,14 @@ int main(int argc, char **argv) show_error(wctx, ret); } + input_ret = ret; + writer_print_section_footer(wctx); ret = writer_close(&wctx); if (ret < 0) av_log(NULL, AV_LOG_ERROR, "Writing output failed: %s\n", av_err2str(ret)); + + ret = FFMIN(ret, input_ret); } end: 
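Review bot: The added `ret = AVERROR(EINVAL);` in translate_ipfs_to_http() replaces whatever populate_ipfs_gateway() returned, and the branch is taken for any `ret < 1`, so a negative error code from that call never reaches the caller. Keeping it is a one-line change: `ret = ret < 0 ? ret : AVERROR(EINVAL);`. Failing closed instead of silently routing requests through a hardcoded third-party gateway is the right default. The function body starts and ends outside both hunks, so the `err` label itself is not visible here.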
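Review bot: `ret = FFMIN(ret, input_ret);` in main() picks the numerically smaller of two AVERROR codes when both the input pass and writer_close() fail, which is an arbitrary winner rather than the input error the commit message says should be reported. Stating the priority directly is easier to read and to reason about: `if (input_ret < 0) ret = input_ret;`. A short comment next to `input_ret = ret;` saying that the probe result must survive the writer close would also help. main() starts and ends outside both hunks.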
From 6ee1996721710a6b15d5664446964d7b835ff3a6 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 21 Aug 2022 17:46:36 -0300 Subject: [PATCH 027/562] swresample/swresample: fill the correct buffer to print the output layout string Signed-off-by: James Almer --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 9b77ef65bf..601e691596 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -385,8 +385,8 @@ av_cold int swr_init(struct SwrContext *s){ goto fail; } + av_channel_layout_describe(&s->out_ch_layout, l2, sizeof(l2)); #if FF_API_OLD_CHANNEL_LAYOUT - av_channel_layout_describe(&s->out_ch_layout, l1, sizeof(l1)); if (s->out_ch_layout.order != AV_CHANNEL_ORDER_UNSPEC && s->out.ch_count != s->out_ch_layout.nb_channels) { av_log(s, AV_LOG_ERROR, "Output channel layout %s mismatches specified channel count %d\n", l2, s->out.ch_count); ret = AVERROR(EINVAL); From 0143b0d964ebdbc6760b182abcf8e4c94695dfa6 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Thu, 18 Aug 2022 21:00:28 +0200 Subject: [PATCH 028/562] configure: enable the av1_frame_split bsf for the av1 decoder The BSF is required to make use of the AV1 decoder, thus configure should also ensure it is built. --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 6e012e44bc..ba5793b2ff 100755 --- a/configure +++ b/configure @@ -2781,7 +2781,7 @@ atrac3al_decoder_select="mdct" atrac3p_decoder_select="mdct sinewin" atrac3pal_decoder_select="mdct sinewin" atrac9_decoder_select="mdct" -av1_decoder_select="cbs_av1" +av1_decoder_select="av1_frame_split_bsf cbs_av1" bink_decoder_select="blockdsp hpeldsp" binkaudio_dct_decoder_select="mdct rdft dct sinewin wma_freqs" binkaudio_rdft_decoder_select="mdct rdft sinewin wma_freqs" From 07286d82f79fe76bf59ec4888dee4bca2022fea1 Mon Sep 17 00:00:00 2001 
From: James Almer Date: Mon, 22 Aug 2022 00:05:02 -0300 Subject: [PATCH 029/562] avcodec/libsvtav1: properly initialize the flush EbBufferHeaderType struct Should fix ticket #9834 Signed-off-by: James Almer (cherry picked from commit fb70e0611bd7b634c1bc08096072f68659cc0a55) --- libavcodec/libsvtav1.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/libavcodec/libsvtav1.c b/libavcodec/libsvtav1.c index d9ebb6aa56..4001cf7f03 100644 --- a/libavcodec/libsvtav1.c +++ b/libavcodec/libsvtav1.c @@ -424,11 +424,8 @@ static int eb_send_frame(AVCodecContext *avctx, const AVFrame *frame) if (svt_enc->eos_flag == EOS_SENT) return 0; - headerPtrLast.n_alloc_len = 0; - headerPtrLast.n_filled_len = 0; - headerPtrLast.n_tick_count = 0; - headerPtrLast.p_app_private = NULL; - headerPtrLast.p_buffer = NULL; + memset(&headerPtrLast, 0, sizeof(headerPtrLast)); + headerPtrLast.pic_type = EB_AV1_INVALID_PICTURE; headerPtrLast.flags = EB_BUFFERFLAG_EOS; svt_av1_enc_send_picture(svt_enc->svt_handle, &headerPtrLast); From f28cb0c1a8d45bf64953da6331ae4645a0c5d75d Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 21 Aug 2022 15:53:10 -0300 Subject: [PATCH 030/562] fftools/ffmpeg_opt: try to propagate the requested output channel layout Don't silently replace it with the default layout for the amount of channels from the requested layout. Should fix ticket #9869 Signed-off-by: James Almer (cherry picked from commit f5a663f2a9d05eddbd50609b45d92d2e39b3f9ed) --- fftools/ffmpeg_opt.c | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index ac7fe3b27a..6e18a4a23e 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c 
@@ -2372,6 +2372,43 @@ static int init_complex_filters(void) return 0; } +static void set_channel_layout(OutputFilter *f, OutputStream *ost) +{ + int i, err; + + if (ost->enc_ctx->ch_layout.order != AV_CHANNEL_ORDER_UNSPEC) { + /* Pass the layout through for all orders but UNSPEC */ + err = av_channel_layout_copy(&f->ch_layout, &ost->enc_ctx->ch_layout); + if (err < 0) + exit_program(1); + return; + } + + /* Requested layout is of order UNSPEC */ + if (!ost->enc->ch_layouts) { + /* Use the default native layout for the requested amount of channels when the + encoder doesn't have a list of supported layouts */ + av_channel_layout_default(&f->ch_layout, ost->enc_ctx->ch_layout.nb_channels); + return; + } + /* Encoder has a list of supported layouts. Pick the first layout in it with the + same amount of channels as the requested layout */ + for (i = 0; ost->enc->ch_layouts[i].nb_channels; i++) { + if (ost->enc->ch_layouts[i].nb_channels == ost->enc_ctx->ch_layout.nb_channels) + break; + } + if (ost->enc->ch_layouts[i].nb_channels) { + /* Use it if one is found */ + err = av_channel_layout_copy(&f->ch_layout, &ost->enc->ch_layouts[i]); + if (err < 0) + exit_program(1); + return; + } + /* If no layout for the amount of channels requested was found, use the default + native layout for it. */ + av_channel_layout_default(&f->ch_layout, ost->enc_ctx->ch_layout.nb_channels); +} + static int open_output_file(OptionsContext *o, const char *filename) { AVFormatContext *oc; @@ -2774,7 +2811,7 @@ loop_end: f->sample_rates = ost->enc->supported_samplerates; } if (ost->enc_ctx->ch_layout.nb_channels) { - av_channel_layout_default(&f->ch_layout, ost->enc_ctx->ch_layout.nb_channels); + set_channel_layout(f, ost); } else if (ost->enc->ch_layouts) { f->ch_layouts = ost->enc->ch_layouts; } From db2d52e1ff74c89ee5b3da3c969e39a7135a17bf Mon Sep 17 00:00:00 2001 
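Review bot: set_channel_layout() calls `exit_program(1)` on both av_channel_layout_copy() failures without logging anything, so the process ends with a non-zero status and no reason given. Before each exit I would add `av_log(NULL, AV_LOG_FATAL, "Failed to copy the output channel layout: %s\n", av_err2str(err));`. The search loop also depends on `ost->enc->ch_layouts` ending with an entry whose `nb_channels` is 0; a one-line comment stating that would make the termination condition reviewable. The two identical `av_channel_layout_default()` fallbacks could share a single exit path at the end of the function.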
From: James Almer Date: Sun, 21 Aug 2022 13:08:04 -0300 Subject: [PATCH 031/562] avcodec/libvpx: fix assembling vp9 packets with alpha channel There's no warranty that vpx_codec_encode() will generate a list with the same amount of packets for both the yuv planes encoder and the alpha plane encoder, so queueing packets based on what the main encoder returns will fail when the amount of packets in both lists differ. Queue all data packets for every vpx_codec_encode() call from both encoders before attempting to assemble output AVPackets out of them. Fixes ticket #9884 Reviewed-by: Vignesh Venkatasubramanian Signed-off-by: James Almer (cherry picked from commit 9c7a8a8546e0bea9a32174cb40cefda5ddc45001) --- libavcodec/libvpxenc.c | 83 ++++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 43 deletions(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 187a9e9a36..5e5247ac7d 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -56,8 +56,6 @@ struct FrameListData { void *buf; /**< compressed data buffer */ size_t sz; /**< length of compressed data */ - void *buf_alpha; - size_t sz_alpha; int64_t pts; /**< time stamp to show frame (in timebase units) */ unsigned long duration; /**< duration to show frame @@ -87,6 +85,7 @@ typedef struct VPxEncoderContext { int have_sse; /**< true if we have pending sse[] */ uint64_t frame_number; struct FrameListData *coded_frame_list; + struct FrameListData *alpha_coded_frame_list; int cpu_used; int sharpness; @@ -311,8 +310,6 @@ static void coded_frame_add(void *list, struct FrameListData *cx_frame) static av_cold void free_coded_frame(struct FrameListData *cx_frame) { av_freep(&cx_frame->buf); - if (cx_frame->buf_alpha) - av_freep(&cx_frame->buf_alpha); av_freep(&cx_frame); } 
@@ -446,6 +443,7 @@ static av_cold int vpx_free(AVCodecContext *avctx) av_freep(&ctx->twopass_stats.buf); av_freep(&avctx->stats_out); free_frame_list(ctx->coded_frame_list); + free_frame_list(ctx->alpha_coded_frame_list); if (ctx->hdr10_plus_fifo) free_hdr10_plus_fifo(&ctx->hdr10_plus_fifo); return 0; @@ -1205,7 +1203,6 @@ static av_cold int vpx_init(AVCodecContext *avctx, static inline void cx_pktcpy(struct FrameListData *dst, const struct vpx_codec_cx_pkt *src, - const struct vpx_codec_cx_pkt *src_alpha, VPxContext *ctx) { dst->pts = src->data.frame.pts; @@ -1229,13 +1226,6 @@ static inline void cx_pktcpy(struct FrameListData *dst, } else { dst->frame_number = -1; /* sanity marker */ } - if (src_alpha) { - dst->buf_alpha = src_alpha->data.frame.buf; - dst->sz_alpha = src_alpha->data.frame.sz; - } else { - dst->buf_alpha = NULL; - dst->sz_alpha = 0; - } } /** @@ -1246,7 +1236,7 @@ static inline void cx_pktcpy(struct FrameListData *dst, * @return a negative AVERROR on error */ static int storeframe(AVCodecContext *avctx, struct FrameListData *cx_frame, - AVPacket *pkt) + struct FrameListData *alpha_cx_frame, AVPacket *pkt) { VPxContext *ctx = avctx->priv_data; int ret = ff_get_encode_buffer(avctx, pkt, cx_frame->sz, 0); @@ -1279,16 +1269,16 @@ static int storeframe(AVCodecContext *avctx, struct FrameListData *cx_frame, avctx->error[i] += cx_frame->sse[i + 1]; cx_frame->have_sse = 0; } - if (cx_frame->sz_alpha > 0) { + if (alpha_cx_frame) { side_data = av_packet_new_side_data(pkt, AV_PKT_DATA_MATROSKA_BLOCKADDITIONAL, - cx_frame->sz_alpha + 8); + alpha_cx_frame->sz + 8); if (!side_data) { av_packet_unref(pkt); return AVERROR(ENOMEM); } AV_WB64(side_data, 1); - memcpy(side_data + 8, cx_frame->buf_alpha, cx_frame->sz_alpha); + memcpy(side_data + 8, alpha_cx_frame->buf, alpha_cx_frame->sz); } if (cx_frame->frame_number != -1) { if (ctx->hdr10_plus_fifo) { 
@@ -1309,40 +1299,37 @@ static int storeframe(AVCodecContext *avctx, struct FrameListData *cx_frame, * @return AVERROR(EINVAL) on output size error * @return AVERROR(ENOMEM) on coded frame queue data allocation error */ -static int queue_frames(AVCodecContext *avctx, AVPacket *pkt_out) +static int queue_frames(AVCodecContext *avctx, struct vpx_codec_ctx *encoder, + struct FrameListData **frame_list, AVPacket *pkt_out) { VPxContext *ctx = avctx->priv_data; const struct vpx_codec_cx_pkt *pkt; - const struct vpx_codec_cx_pkt *pkt_alpha = NULL; const void *iter = NULL; - const void *iter_alpha = NULL; int size = 0; - if (ctx->coded_frame_list) { - struct FrameListData *cx_frame = ctx->coded_frame_list; + if (!ctx->is_alpha && *frame_list) { + struct FrameListData *cx_frame = *frame_list; /* return the leading frame if we've already begun queueing */ - size = storeframe(avctx, cx_frame, pkt_out); + size = storeframe(avctx, cx_frame, NULL, pkt_out); if (size < 0) return size; - ctx->coded_frame_list = cx_frame->next; + *frame_list = cx_frame->next; free_coded_frame(cx_frame); } /* consume all available output from the encoder before returning. buffers are only good through the next vpx_codec call */ - while ((pkt = vpx_codec_get_cx_data(&ctx->encoder, &iter)) && - (!ctx->is_alpha || - (pkt_alpha = vpx_codec_get_cx_data(&ctx->encoder_alpha, &iter_alpha)))) { + while (pkt = vpx_codec_get_cx_data(encoder, &iter)) { switch (pkt->kind) { case VPX_CODEC_CX_FRAME_PKT: - if (!size) { + if (!ctx->is_alpha && !size) { struct FrameListData cx_frame; /* avoid storing the frame when the list is empty and we haven't yet provided a frame for output */ av_assert0(!ctx->coded_frame_list); - cx_pktcpy(&cx_frame, pkt, pkt_alpha, ctx); - size = storeframe(avctx, &cx_frame, pkt_out); + cx_pktcpy(&cx_frame, pkt, ctx); + size = storeframe(avctx, &cx_frame, NULL, pkt_out); if (size < 0) return size; } else { 
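Review bot: `while (pkt = vpx_codec_get_cx_data(encoder, &iter))` in queue_frames() uses a bare assignment as the loop condition, which trips -Wparentheses and reads like a mistyped comparison; the removed line kept the extra parentheses, so the new one should too: `while ((pkt = vpx_codec_get_cx_data(encoder, &iter))) {`. In the same hunk `av_assert0(!ctx->coded_frame_list);` still names the main list although the function now operates on `*frame_list`; it is only reached when `!ctx->is_alpha`, but `av_assert0(!*frame_list);` would state the invariant without relying on that. queue_frames() continues in the hunks that follow.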
@@ -1353,7 +1340,7 @@ static int queue_frames(AVCodecContext *avctx, AVPacket *pkt_out) "Frame queue element alloc failed\n"); return AVERROR(ENOMEM); } - cx_pktcpy(cx_frame, pkt, pkt_alpha, ctx); + cx_pktcpy(cx_frame, pkt, ctx); cx_frame->buf = av_malloc(cx_frame->sz); if (!cx_frame->buf) { @@ -1364,23 +1351,14 @@ static int queue_frames(AVCodecContext *avctx, AVPacket *pkt_out) return AVERROR(ENOMEM); } memcpy(cx_frame->buf, pkt->data.frame.buf, pkt->data.frame.sz); - if (ctx->is_alpha) { - cx_frame->buf_alpha = av_malloc(cx_frame->sz_alpha); - if (!cx_frame->buf_alpha) { - av_log(avctx, AV_LOG_ERROR, - "Data buffer alloc (%"SIZE_SPECIFIER" bytes) failed\n", - cx_frame->sz_alpha); - av_free(cx_frame); - return AVERROR(ENOMEM); - } - memcpy(cx_frame->buf_alpha, pkt_alpha->data.frame.buf, pkt_alpha->data.frame.sz); - } - coded_frame_add(&ctx->coded_frame_list, cx_frame); + coded_frame_add(frame_list, cx_frame); } break; case VPX_CODEC_STATS_PKT: { struct vpx_fixed_buf *stats = &ctx->twopass_stats; int err; + if (!pkt_out) + break; if ((err = av_reallocp(&stats->buf, stats->sz + pkt->data.twopass_stats.sz)) < 0) { @@ -1394,6 +1372,8 @@ static int queue_frames(AVCodecContext *avctx, AVPacket *pkt_out) break; } case VPX_CODEC_PSNR_PKT: + if (!pkt_out) + break; av_assert0(!ctx->have_sse); ctx->sse[0] = pkt->data.psnr.sse[0]; ctx->sse[1] = pkt->data.psnr.sse[1]; 
@@ -1788,7 +1768,24 @@ static int vpx_encode(AVCodecContext *avctx, AVPacket *pkt, } } - coded_size = queue_frames(avctx, pkt); + coded_size = queue_frames(avctx, &ctx->encoder, &ctx->coded_frame_list, pkt); + if (ctx->is_alpha) { + queue_frames(avctx, &ctx->encoder_alpha, &ctx->alpha_coded_frame_list, NULL); + + if (ctx->coded_frame_list && ctx->alpha_coded_frame_list) { + struct FrameListData *cx_frame = ctx->coded_frame_list; + struct FrameListData *alpha_cx_frame = ctx->alpha_coded_frame_list; + av_assert0(!coded_size); + /* return the leading frame if we've already begun queueing */ + coded_size = storeframe(avctx, cx_frame, alpha_cx_frame, pkt); + if (coded_size < 0) + return coded_size; + ctx->coded_frame_list = cx_frame->next; + ctx->alpha_coded_frame_list = alpha_cx_frame->next; + free_coded_frame(cx_frame); + free_coded_frame(alpha_cx_frame); + } + } if (!frame && avctx->flags & AV_CODEC_FLAG_PASS1) { unsigned int b64_size = AV_BASE64_SIZE(ctx->twopass_stats.sz); From bc7df3bc64c04476b816404eb3e9c22997515c06 Mon Sep 17 00:00:00 2001 
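Review bot: In vpx_encode() the result of the second call, `queue_frames(avctx, &ctx->encoder_alpha, &ctx->alpha_coded_frame_list, NULL);`, is discarded, although queue_frames() returns AVERROR(ENOMEM) when a queue element or data buffer cannot be allocated; a dropped alpha packet then leaves the two lists out of step and later frames get paired with the wrong alpha data. The first call has a related problem: if it returns a negative `coded_size` while both lists are non-empty, `av_assert0(!coded_size)` aborts the process instead of returning the error. I would return early on either failure, e.g. `if (coded_size < 0) return coded_size;` before the `if (ctx->is_alpha)` block and `alpha_ret = queue_frames(...); if (alpha_ret < 0) return alpha_ret;` inside it. vpx_encode() starts and ends outside the hunk.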
From: Andreas Rheinhardt Date: Sat, 20 Aug 2022 21:21:40 +0200 Subject: [PATCH 032/562] avcodec/pngdec: Fix APNG_DISPOSE_OP_BACKGROUND APNG works with a single reference frame and an output frame. According to the spec, decoding APNG works by decoding the current IDAT/fdAT chunks (which decodes to a rectangular subregion of the whole image region), followed by either overwriting the region of the output frame with the newly decoded data or by blending the newly decoded data with the data from the reference frame onto the current subregion of the output frame. The remainder of the output frame is just copied from the reference frame. Then the reference frame might be left untouched (APNG_DISPOSE_OP_PREVIOUS), it might be replaced by the output frame (APNG_DISPOSE_OP_NONE) or the rectangular subregion corresponding to the just decoded frame has to be reset to black (APNG_DISPOSE_OP_BACKGROUND). The latter case is not handled correctly by our decoder: It only performs resetting the rectangle in the reference frame when decoding the next frame; and since commit b593abda6c642cb0c3959752dd235c2faf66837f it does not reset the reference frame permanently, but only temporarily (i.e. it only affects decoding the frame after the frame with APNG_DISPOSE_OP_BACKGROUND). This is a problem if the frame after the APNG_DISPOSE_OP_BACKGROUND frame uses APNG_DISPOSE_OP_PREVIOUS, because then the frame after the APNG_DISPOSE_OP_PREVIOUS frame has an incorrect reference frame. (If it is not followed by an APNG_DISPOSE_OP_PREVIOUS frame, the decoder only keeps a reference to the output frame, which is ok.) This commit fixes this by being much closer to the spec than the earlier code: Resetting the background is no longer postponed until the next frame; instead it is applied to the reference frame. Fixes ticket #9602. (For multithreaded decoding it was actually already broken since commit 5663301560d77486c7f7c03c1aa5f542fab23c24.) 
Signed-off-by: Andreas Rheinhardt --- libavcodec/pngdec.c | 98 ++++++++++++++++++++++----------------------- 1 file changed, 48 insertions(+), 50 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 87b0c639e3..5fa9491f9c 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -78,11 +78,8 @@ typedef struct PNGDecContext { enum PNGImageState pic_state; int width, height; int cur_w, cur_h; - int last_w, last_h; int x_offset, y_offset; - int last_x_offset, last_y_offset; uint8_t dispose_op, blend_op; - uint8_t last_dispose_op; int bit_depth; int color_type; int compression_type; @@ -94,8 +91,6 @@ typedef struct PNGDecContext { int has_trns; uint8_t transparent_color_be[6]; - uint8_t *background_buf; - unsigned background_buf_allocated; uint32_t palette[256]; uint8_t *crow_buf; uint8_t *last_row; @@ -725,9 +720,30 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, } ff_thread_release_ext_buffer(avctx, &s->picture); - if ((ret = ff_thread_get_ext_buffer(avctx, &s->picture, - AV_GET_BUFFER_FLAG_REF)) < 0) - return ret; + if (s->dispose_op == APNG_DISPOSE_OP_PREVIOUS) { + /* We only need a buffer for the current picture. */ + ret = ff_thread_get_buffer(avctx, p, 0); + if (ret < 0) + return ret; + } else if (s->dispose_op == APNG_DISPOSE_OP_BACKGROUND) { + /* We need a buffer for the current picture as well as + * a buffer for the reference to retain. */ + ret = ff_thread_get_ext_buffer(avctx, &s->picture, + AV_GET_BUFFER_FLAG_REF); + if (ret < 0) + return ret; + ret = ff_thread_get_buffer(avctx, p, 0); + if (ret < 0) + return ret; + } else { + /* The picture output this time and the reference to retain coincide. */ + if ((ret = ff_thread_get_ext_buffer(avctx, &s->picture, + AV_GET_BUFFER_FLAG_REF)) < 0) + return ret; + ret = av_frame_ref(p, s->picture.f); + if (ret < 0) + return ret; + } p->pict_type = AV_PICTURE_TYPE_I; p->key_frame = 1; 
@@ -985,12 +1001,6 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } - s->last_w = s->cur_w; - s->last_h = s->cur_h; - s->last_x_offset = s->x_offset; - s->last_y_offset = s->y_offset; - s->last_dispose_op = s->dispose_op; - sequence_number = bytestream2_get_be32(gb); cur_w = bytestream2_get_be32(gb); cur_h = bytestream2_get_be32(gb); @@ -1086,23 +1096,6 @@ static int handle_p_frame_apng(AVCodecContext *avctx, PNGDecContext *s, ff_thread_await_progress(&s->last_picture, INT_MAX, 0); - // need to reset a rectangle to background: - if (s->last_dispose_op == APNG_DISPOSE_OP_BACKGROUND) { - av_fast_malloc(&s->background_buf, &s->background_buf_allocated, - src_stride * p->height); - if (!s->background_buf) - return AVERROR(ENOMEM); - - memcpy(s->background_buf, src, src_stride * p->height); - - for (y = s->last_y_offset; y < s->last_y_offset + s->last_h; y++) { - memset(s->background_buf + src_stride * y + - bpp * s->last_x_offset, 0, bpp * s->last_w); - } - - src = s->background_buf; - } - // copy unchanged rectangles from the last frame for (y = 0; y < s->y_offset; y++) memcpy(dst + y * dst_stride, src + y * src_stride, p->width * bpp); @@ -1171,6 +1164,22 @@ static int handle_p_frame_apng(AVCodecContext *avctx, PNGDecContext *s, return 0; } +static void apng_reset_background(PNGDecContext *s, const AVFrame *p) +{ + // need to reset a rectangle to black + av_unused int ret = av_frame_copy(s->picture.f, p); + const int bpp = s->color_type == PNG_COLOR_TYPE_PALETTE ? 4 : s->bpp; + const ptrdiff_t dst_stride = s->picture.f->linesize[0]; + uint8_t *dst = s->picture.f->data[0] + s->y_offset * dst_stride + bpp * s->x_offset; + + av_assert1(ret >= 0); + + for (size_t y = 0; y < s->cur_h; y++) { + memset(dst, 0, bpp * s->cur_w); + dst += dst_stride; + } +} + static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, AVFrame *p, const AVPacket *avpkt) { 
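Review bot: apng_reset_background() checks the result of `av_frame_copy(s->picture.f, p)` only through `av_assert1(ret >= 0)`, which does nothing unless the build raises the assert level, so a failed copy leaves the retained reference frame with stale contents and only the rectangle zeroed. Returning the error is cheap: make the function return `int`, use `if (ret < 0) return ret;`, and let the caller in decode_frame_common() `goto fail` on a negative result. The memset start `s->y_offset * dst_stride + bpp * s->x_offset` and the `cur_w`/`cur_h` extents are trusted here; a comment naming where they are validated against the frame size (presumably decode_fctl_chunk(), which is outside this hunk) would make that dependency explicit. The loop also compares a `size_t` counter with the `int` field `s->cur_h`; an `int y` avoids the mixed-sign comparison.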
@@ -1434,6 +1443,9 @@ exit_loop: goto fail; } } + if (CONFIG_APNG_DECODER && s->dispose_op == APNG_DISPOSE_OP_BACKGROUND) + apng_reset_background(s, p); + ff_thread_report_progress(&s->picture, INT_MAX, 0); return 0; @@ -1456,15 +1468,10 @@ static void clear_frame_metadata(PNGDecContext *s) av_dict_free(&s->frame_metadata); } -static int output_frame(PNGDecContext *s, AVFrame *f, - const AVFrame *src) +static int output_frame(PNGDecContext *s, AVFrame *f) { int ret; - ret = av_frame_ref(f, src); - if (ret < 0) - return ret; - if (s->iccp_data) { AVFrameSideData *sd = av_frame_new_side_data(f, AV_FRAME_DATA_ICC_PROFILE, s->iccp_data_len); if (!sd) { @@ -1515,13 +1522,12 @@ fail: } #if CONFIG_PNG_DECODER -static int decode_frame_png(AVCodecContext *avctx, AVFrame *dst_frame, +static int decode_frame_png(AVCodecContext *avctx, AVFrame *p, int *got_frame, AVPacket *avpkt) { PNGDecContext *const s = avctx->priv_data; const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; - AVFrame *p = s->picture.f; int64_t sig; int ret; @@ -1555,7 +1561,7 @@ static int decode_frame_png(AVCodecContext *avctx, AVFrame *dst_frame, goto the_end; } - ret = output_frame(s, dst_frame, s->picture.f); + ret = output_frame(s, p); if (ret < 0) goto the_end; @@ -1574,12 +1580,11 @@ the_end: #endif #if CONFIG_APNG_DECODER -static int decode_frame_apng(AVCodecContext *avctx, AVFrame *dst_frame, +static int decode_frame_apng(AVCodecContext *avctx, AVFrame *p, int *got_frame, AVPacket *avpkt) { PNGDecContext *const s = avctx->priv_data; int ret; - AVFrame *p = s->picture.f; clear_frame_metadata(s); @@ -1608,7 +1613,7 @@ static int decode_frame_apng(AVCodecContext *avctx, AVFrame *dst_frame, if (!(s->pic_state & (PNG_ALLIMAGE|PNG_IDAT))) return AVERROR_INVALIDDATA; - ret = output_frame(s, dst_frame, s->picture.f); + ret = output_frame(s, p); if (ret < 0) return ret; 
@@ -1646,15 +1651,9 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src) pdst->compression_type = psrc->compression_type; pdst->interlace_type = psrc->interlace_type; pdst->filter_type = psrc->filter_type; - pdst->cur_w = psrc->cur_w; - pdst->cur_h = psrc->cur_h; - pdst->x_offset = psrc->x_offset; - pdst->y_offset = psrc->y_offset; pdst->has_trns = psrc->has_trns; memcpy(pdst->transparent_color_be, psrc->transparent_color_be, sizeof(pdst->transparent_color_be)); - pdst->dispose_op = psrc->dispose_op; - memcpy(pdst->palette, psrc->palette, sizeof(pdst->palette)); pdst->hdr_state |= psrc->hdr_state; @@ -1705,7 +1704,6 @@ static av_cold int png_dec_end(AVCodecContext *avctx) s->last_row_size = 0; av_freep(&s->tmp_row); s->tmp_row_size = 0; - av_freep(&s->background_buf); av_freep(&s->iccp_data); av_dict_free(&s->frame_metadata); From 5d6b733277c68ebe3eeb8bc96a14b59d7e585794 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Aug 2022 21:53:32 +0200 Subject: [PATCH 033/562] MAINTAINERS: Add ED25519 key for signing my commits in the future Signed-off-by: Michael Niedermayer (cherry picked from commit 05225180bea208dfd81efac327e429711a963697) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 274fc89203..499f6ad0d1 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -625,6 +625,7 @@ Leo Izen (thebombzen) B6FD 3CFC 7ACF 83FC 9137 6945 5A71 C331 FD2F A19A Loren Merritt ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE Lynne FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464 Michael Niedermayer 9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB + DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64 Nicolas George 24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93 Niklas Haas (haasn) 1DDB 8076 B14D 5B48 32FC 99D9 EB52 DA9C 02BA 6FB4 Nikolay Aleksandrov 8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1 
From 9eb36ab0a1135327982afb8fa6f23e60cf50906c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Aug 2022 22:47:31 +0200 Subject: [PATCH 034/562] avcodec/mjpegdec: bayer and rct are incompatible Fixes: out of array read Fixes: 49434/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5208501080686592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a44f5a521227adc7be2f78b411f56da1a4d98704) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 32874a5a19..869aee425e 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1092,6 +1092,10 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return AVERROR_INVALIDDATA; if (s->v_max != 1 || s->h_max != 1 || !s->lossless) return AVERROR_INVALIDDATA; + if (s->bayer) { + if (s->rct || s->pegasus_rct) + return AVERROR_INVALIDDATA; + } s->restart_count = s->restart_interval; @@ -1942,6 +1946,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } len -= 9; + if (s->bayer) + goto out; if (s->got_picture) if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); From fdc5e2329a5ba12f10c709dc7737c51819a2fa83 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Mar 2020 00:54:58 +0100 Subject: [PATCH 035/562] avformat/subviewerdec: Make read_ts() more flexible Fixes: signed integer overflow: -1948269928 * 10 cannot be represented in type 'int' Fixes: 49451/clusterfuzz-testcase-minimized-ffmpeg_dem_SUBVIEWER_fuzzer-6344614822412288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 58a8e739ef93f8b42f8139e73227508256929d20) 
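Review bot: Neither bayer check added in libavcodec/mjpegdec.c is explained in the code: nothing in ljpeg_decode_rgb_scan() says why bayer combined with `rct` or `pegasus_rct` has to be rejected, and in mjpeg_decode_app() `if (s->bayer) goto out;` skips the LJIF tag handling without a word. Since the commit message ties the change to an out-of-array read, a comment at the first check such as `/* the bayer path does not handle the rct/pegasus_rct colour transforms */` (wording to be confirmed against the bayer code outside the hunk) would keep a later cleanup from dropping it. The nested `if` can also be a single condition, `if (s->bayer && (s->rct || s->pegasus_rct))`. Both functions extend beyond their hunks.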
Signed-off-by: Michael Niedermayer --- libavformat/subviewerdec.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index e3a950fce3..6ffdc98c39 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -50,26 +50,32 @@ static int subviewer_probe(const AVProbeData *p) return 0; } +static int get_multiplier(int e) { + switch (e) { + case 1 : return 100; + case 2 : return 10; + case 3 : return 1; + default : return -1; + } +} + static int read_ts(const char *s, int64_t *start, int *duration) { int64_t end; int hh1, mm1, ss1, ms1; int hh2, mm2, ss2, ms2; - int multiplier = 1; + int multiplier1, multiplier2; + int ms1p1, ms1p2, ms2p1, ms2p2; - if (sscanf(s, "%u:%u:%u.%2u,%u:%u:%u.%2u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { - multiplier = 10; - } else if (sscanf(s, "%u:%u:%u.%1u,%u:%u:%u.%1u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { - multiplier = 100; - } - if (sscanf(s, "%u:%u:%u.%u,%u:%u:%u.%u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { - ms1 = FFMIN(ms1, 999); - ms2 = FFMIN(ms2, 999); - end = (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier; - *start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier; + if (sscanf(s, "%u:%u:%u.%n%u%n,%u:%u:%u.%n%u%n", + &hh1, &mm1, &ss1, &ms1p1, &ms1, &ms1p2, &hh2, &mm2, &ss2, &ms2p1, &ms2, &ms2p2) == 8) { + multiplier1 = get_multiplier(ms1p2 - ms1p1); + multiplier2 = get_multiplier(ms2p2 - ms2p1); + if (multiplier1 <= 0 ||multiplier2 <= 0) + return -1; + + end = (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier2; + *start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier1; *duration = end - *start; return 0; } From c8ee3f9f6fc515b8fa0a769ed783c65069a91856 Mon Sep 17 00:00:00 2001 
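Review bot: In read_ts() the widths passed to get_multiplier(), `ms1p2 - ms1p1` and `ms2p2 - ms2p1`, count every character `%u` consumed, and `%u` also accepts leading white space and a sign, so a fraction written as ` 5` or `-5` is scaled as if it had two digits and the latter yields a negative millisecond value. Requiring the first character of each fraction to be a digit closes this, because `%u` then consumes digits only: `if (!av_isdigit(s[ms1p1]) || !av_isdigit(s[ms2p1])) return -1;` right after the sscanf() succeeds. The `int` variables are still filled through `%u`, which is a type mismatch carried over from the old code, and `multiplier1 <= 0 ||multiplier2 <= 0` is missing a space. read_ts() continues past the end of the hunk.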
From: Michael Niedermayer Date: Sun, 14 Aug 2022 23:30:22 +0200 Subject: [PATCH 036/562] avcodec/mpegaudiodec_template: use unsigned shift in handle_crc() Fixes: left shift of 192 by 24 places cannot be represented in type 'int' Fixes: 49577/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP1FLOAT_fuzzer-5205996678545408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7086491fa0eca4ad647b5c9fae6d07344cc44ec0) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index a28cac9867..a711154a3c 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -374,7 +374,7 @@ static int handle_crc(MPADecodeContext *s, int sec_len) crc_val = av_crc(crc_tab, crc_val, &buf[6], sec_byte_len); AV_WB32(tmp_buf, - ((buf[6 + sec_byte_len] & (0xFF00 >> sec_rem_bits)) << 24) + + ((buf[6 + sec_byte_len] & (0xFF00U >> sec_rem_bits)) << 24) + ((s->crc << 16) >> sec_rem_bits)); crc_val = av_crc(crc_tab, crc_val, tmp_buf, 3); From 8cf035cd88ac0ca54b1be92cd2fb1e4b7f2992ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Aug 2022 23:39:56 +0200 Subject: [PATCH 037/562] avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel This is somewhat redundant with the is_decoded check. Maybe there is a nicer solution Fixes: Null pointer dereference Fixes: 49584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5297367351427072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b51e1992289383aa9f083c88e153e34b6412c89) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index f222f20706..f8f981e838 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -3516,7 +3516,7 @@ static int hevc_decode_frame(AVCodecContext *avctx, AVFrame *rframe, } } else { /* verify the SEI checksum */ - if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded && + if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded && s->sei.picture_hash.is_md5) { ret = verify_md5(s, s->ref->frame); if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) { From 54971af920f6dcac620024344dd431da58dfd8c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Aug 2022 00:02:37 +0200 Subject: [PATCH 038/562] avcodec/h263dec: Sanity check against minimal I/P frame size Fixes: Timeout Fixes: 49718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4874987894341632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca4ff9c21cb77e024fa4ff5889826a8bee4d0e0a) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 1f9f3e5e95..d411bae220 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -552,6 +552,8 @@ retry: avctx->has_b_frames = !s->low_delay; if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) { + if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; if (ff_mpeg4_workaround_bugs(avctx) == 1) goto retry; if (s->studio_profile != (s->idsp.idct == NULL)) From 59afc50ab4a547ef20320170b7c784fc3b9fb277 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Aug 2022 00:22:41 +0200 Subject: [PATCH 039/562] avformat/avidec: Prevent entity expansion attacks Fixes: Timeout Fixes no testcase, this is the same idea as similar attacks against XML parsers 
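Review bot: The rejection added to the MPEG-4 branch in libavcodec/h263dec.c, `s->mb_num/2 > get_bits_left(&s->gb)`, has neither a comment nor a log message, so input dropped by it returns AVERROR_INVALIDDATA with no hint why, and the divisor 2 reads as a magic number. A comment stating the assumption, for example `/* a non-B frame cannot be coded in fewer than mb_num/2 bits; reject truncated input before per-macroblock work */`, would make the bound reviewable. Whether half a bit per macroblock is the right floor cannot be derived from the hunk, so the commit's timeout test case is the only evidence for it. The enclosing function starts and ends outside the hunk.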
Signed-off-by: Michael Niedermayer (cherry picked from commit f3e823c2aa04d4f5571a5e04c27a244890704c8d) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 937d9e6ffb..910a4e8792 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -82,6 +82,8 @@ typedef struct AVIContext { int stream_index; DVDemuxContext *dv_demux; int odml_depth; + int64_t odml_read; + int64_t odml_max_pos; int use_odml; #define MAX_ODML_DEPTH 1000 int64_t dts_max; @@ -200,7 +202,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) st = s->streams[stream_id]; ast = st->priv_data; - if (index_sub_type) + if (index_sub_type || entries_in_use < 0) return AVERROR_INVALIDDATA; avio_rl32(pb); @@ -221,11 +223,18 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } for (i = 0; i < entries_in_use; i++) { + avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb)); + + // If we read more than there are bytes then we must have been reading something twice + if (avi->odml_read > avi->odml_max_pos) + return AVERROR_INVALIDDATA; + if (index_type) { int64_t pos = avio_rl32(pb) + base - 8; int len = avio_rl32(pb); int key = len >= 0; len &= 0x7FFFFFFF; + avi->odml_read += 8; av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len); @@ -244,6 +253,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) int64_t offset, pos; int duration; int ret; + avi->odml_read += 16; offset = avio_rl64(pb); avio_rl32(pb); /* size */ From 1cd07b178b02614b1f13e8b9f15c13edf3dbdf90 Mon Sep 17 00:00:00 2001 
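Review bot: The two new AVIContext fields `odml_read` and `odml_max_pos` are declared without comments, although the guard added to read_odml_index() depends on exactly what each one counts. Suggested: `int64_t odml_read; /* bytes of index entries parsed so far (not reset in the visible lines) */` and `int64_t odml_max_pos; /* highest file position at which an index entry was read */`. The comparison runs at the top of each iteration, before the entry is read and counted, so rejection happens one entry after the byte count first exceeds the position; that looks acceptable for a limit of this kind. read_odml_index() starts and ends outside the hunks.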
From: Michael Niedermayer Date: Mon, 22 Aug 2022 20:31:32 +0200 Subject: [PATCH 040/562] libavformat/iff: Check for overflow in body_end calculation Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long' Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb46903040e5a5199281f4ad0a1fdaf750ebc37) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index b37600605a..b8e8bffe03 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -501,6 +501,9 @@ static int iff_read_header(AVFormatContext *s) case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); + if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) + return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) { From 550fd2212df136f72b0d7c34190320ff7b9d299c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 21:29:55 +0200 Subject: [PATCH 041/562] avcodec/midivid: Perform lzss_uncompress() before ff_reget_buffer() This would avoid regeting the frame on lzss errors Signed-off-by: Michael Niedermayer (cherry picked from commit 628fb97efb0b6202e56fab89670406261bf86d85) Signed-off-by: Michael Niedermayer --- libavcodec/midivid.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/libavcodec/midivid.c b/libavcodec/midivid.c index a21303ab60..e356fda760 100644 --- a/libavcodec/midivid.c +++ b/libavcodec/midivid.c 
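Review bot: The added overflow test `iff->body_pos + data_size > INT64_MAX` performs the addition before comparing, so it only works if `data_size` is an unsigned 64-bit type (declared outside this hunk), and even then a sum that wraps past 2^64 yields a small value that passes the test. Comparing against the remaining headroom avoids both problems: `if (iff->body_pos < 0 || data_size > INT64_MAX - iff->body_pos)`. If `data_size` is signed instead, the current expression overflows inside the check itself. iff_read_header() continues outside the hunk.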
@@ -203,12 +203,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, bytestream2_skip(gb, 8); uncompressed = bytestream2_get_le32(gb); - if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0) - return ret; - - if (uncompressed) { - ret = decode_mvdv(s, avctx, frame); - } else { + if (!uncompressed) { av_fast_padded_malloc(&s->uncompressed, &s->uncompressed_size, 16LL * (avpkt->size - 12)); if (!s->uncompressed) return AVERROR(ENOMEM); @@ -217,9 +212,13 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, if (ret < 0) return ret; bytestream2_init(gb, s->uncompressed, ret); - ret = decode_mvdv(s, avctx, frame); } + if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0) + return ret; + + ret = decode_mvdv(s, avctx, frame); + if (ret < 0) return ret; key = ret; From 5a2bb107331abc0126f35b08a151bbfb276cf92b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 22:10:09 +0200 Subject: [PATCH 042/562] libavcodec/8bps: Check that line lengths fit within the buffer Fixes: Timeout Fixes: undefined pointer arithmetic Fixes: 50330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EIGHTBPS_fuzzer-5436287485607936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2316d5ec1a95b13ff9a0ce80409fa367a041966d) Signed-off-by: Michael Niedermayer --- libavcodec/8bps.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 95a35159e3..292aa03c6b 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -71,6 +71,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, unsigned char *planemap = c->planemap; int ret; + if (buf_size < planes * height *2) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; From 30bd4831e6213cee64ed950d69d1732194cc6464 Mon Sep 17 00:00:00 2001 
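Review bot: The new size check `buf_size < planes * height *2` in the 8bps decode_frame() does not say what the `2` stands for. From the commit title it appears to be the 16-bit length stored for every line of every plane at the start of the packet; a comment such as `/* the packet begins with a 2-byte length per line per plane */` would make that explicit, to be confirmed against the line-length reads further down, outside the hunk. The spacing is also inconsistent and would read better as `planes * height * 2`.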
From: Michael Niedermayer Date: Tue, 9 Aug 2022 21:49:04 +0200 Subject: [PATCH 043/562] doc/git-howto.texi: Document commit signing Signed-off-by: Michael Niedermayer (cherry picked from commit ced0dc807eb67516b341d68f04ce5a87b02820de) Signed-off-by: Michael Niedermayer --- doc/git-howto.texi | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/doc/git-howto.texi b/doc/git-howto.texi index 874afabbbc..5bb39bb986 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions. git add [-i|-p|-A] @end example -Make sure you have told Git your name and email address +Make sure you have told Git your name, email address and GPG key @example git config --global user.name "My Name" git config --global user.email my@@email.invalid +git config --global user.signingkey ABCDEF0123245 +@end example + +Enable signing all commits or use -S + +@example +git config --global commit.gpgsign true @end example Use @option{--global} to set the global configuration for all your Git checkouts. @@ -423,6 +430,19 @@ git checkout -b svn_23456 $SHA1 where @var{$SHA1} is the commit hash from the @command{git log} output. +@chapter gpg key generation + +If you have no gpg key yet, we recommend that you create a ed25519 based key as it +is small, fast and secure. Especially it results in small signatures in git. + +@example +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com" +@end example + +When generating a key, make sure the email specified matches the email used in git as some sites like +github consider mismatches a reason to declare such commits unverified. After generating a key you +can add it to the MAINTAINER file and upload it to a keyserver. + @chapter Pre-push checklist Once you have a set of commits that you feel are ready for pushing, From 6f53f0d09ea4c9c7f7354f018a87ef840315207d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 28 Jul 2022 14:42:43 +0200 Subject: [PATCH 044/562] avformat/mov: Check count sums in build_open_gop_key_points() Fixes: ffmpeg.md Fixes: Out of array access Fixes: CVE-2022-2566 Found-by: Andy Nguyen Found-by: 3pvd <3pvd@google.com> Reviewed-by: Andy Nguyen Signed-off-by: Michael Niedermayer (cherry picked from commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a644f9ac62..2b1131b911 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3949,8 +3949,11 @@ static int build_open_gop_key_points(AVStream *st) /* Build an unrolled index of the samples */ sc->sample_offsets_count = 0; - for (uint32_t i = 0; i < sc->ctts_count; i++) + for (uint32_t i = 0; i < sc->ctts_count; i++) { + if (sc->ctts_data[i].count > INT_MAX - sc->sample_offsets_count) + return AVERROR(ENOMEM); sc->sample_offsets_count += sc->ctts_data[i].count; + } av_freep(&sc->sample_offsets); sc->sample_offsets = av_calloc(sc->sample_offsets_count, sizeof(*sc->sample_offsets)); if (!sc->sample_offsets) @@ -3969,8 +3972,11 @@ static int build_open_gop_key_points(AVStream *st) /* Build a list of open-GOP key samples */ sc->open_key_samples_count = 0; for (uint32_t i = 0; i < sc->sync_group_count; i++) - if (sc->sync_group[i].index == cra_index) + if (sc->sync_group[i].index == cra_index) { + if (sc->sync_group[i].count > INT_MAX - sc->open_key_samples_count) + return AVERROR(ENOMEM); sc->open_key_samples_count += sc->sync_group[i].count; + } av_freep(&sc->open_key_samples); sc->open_key_samples = av_calloc(sc->open_key_samples_count, sizeof(*sc->open_key_samples)); if (!sc->open_key_samples) 
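Review bot: In the first hunk the early `return AVERROR(ENOMEM)` leaves `sc->sample_offsets_count` holding a partial sum while `sc->sample_offsets` has not yet been freed or reallocated, so count and array can disagree after the error; the same holds for `sc->open_key_samples_count` in the second hunk. Whether any caller reads these fields after a failure is not visible here, but accumulating into a local and assigning the field only after `av_calloc()` succeeds, or resetting the count to 0 before returning, removes the question. The third hunk of this patch returns `AVERROR_PATCHWELCOME` for the same kind of overflow, so the three checks would read more consistently with one error code, `AVERROR_INVALIDDATA` being the usual choice for malformed input.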
@@ -3981,6 +3987,8 @@ static int build_open_gop_key_points(AVStream *st) if (sg->index == cra_index) for (uint32_t j = 0; j < sg->count; j++) sc->open_key_samples[k++] = sample_id; + if (sg->count > INT_MAX - sample_id) + return AVERROR_PATCHWELCOME; sample_id += sg->count; } From 5c0309d2788b946d05f50b2bcdb230c0cf2ae916 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Aug 2022 01:21:38 +0200 Subject: [PATCH 045/562] avformat/asfdec_o: limit recursion depth in asf_read_unknown() The threshold of 5 is arbitrary, both smaller and larger should work fine Fixes: Stack overflow Fixes: 50603/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6049302564175872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f1a368169ef9d945dc4b4764f5c60ba9bbc9134) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 907be6de04..48b7d17322 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -109,6 +109,7 @@ typedef struct ASFContext { int64_t data_offset; int64_t first_packet_offset; // packet offset int64_t unknown_offset; // for top level header objects or subobjects without specified behavior + int in_asf_read_unknown; // ASF file must not contain more than 128 streams according to the specification ASFStream *asf_st[ASF_MAX_STREAMS]; @@ -173,7 +174,7 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) uint64_t size = avio_rl64(pb); int ret; - if (size > INT64_MAX) + if (size > INT64_MAX || asf->in_asf_read_unknown > 5) return AVERROR_INVALIDDATA; if (asf->is_header) 
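Review bot: The recursion limit in asf_read_unknown() is written as a bare `5` in `asf->in_asf_read_unknown > 5`, and the new field's name reads like a flag although it is used as a depth counter. A named constant next to the field, e.g. `#define ASF_MAX_UNKNOWN_DEPTH 5` (the name is only a suggestion), and a comment `// current nesting depth of asf_read_unknown()` on the field would make the limit easy to find and tune, since the commit message says the value is arbitrary. The increment and decrement around detect_unknown_subobject() are in the following hunk and are balanced on the visible paths.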
@@ -182,8 +183,11 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) if (!g->is_subobject) { if (!(ret = strcmp(g->name, "Header Extension"))) avio_skip(pb, 22); // skip reserved fields and Data Size - if ((ret = detect_unknown_subobject(s, asf->unknown_offset, - asf->unknown_size)) < 0) + asf->in_asf_read_unknown ++; + ret = detect_unknown_subobject(s, asf->unknown_offset, + asf->unknown_size); + asf->in_asf_read_unknown --; + if (ret < 0) return ret; } else { if (size < 24) { From 1bad30dbe34f2d100b43e8f773d3fe0b5eb23523 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Aug 2022 18:10:03 +0200 Subject: [PATCH 046/562] Update for 5.1.1 Signed-off-by: Michael Niedermayer --- Changelog | 31 +++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 33 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index d77bba51f6..0b32c1e410 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,37 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 5.1.1: +- avformat/asfdec_o: limit recursion depth in asf_read_unknown() +- avformat/mov: Check count sums in build_open_gop_key_points() +- doc/git-howto.texi: Document commit signing +- libavcodec/8bps: Check that line lengths fit within the buffer +- avcodec/midivid: Perform lzss_uncompress() before ff_reget_buffer() +- libavformat/iff: Check for overflow in body_end calculation +- avformat/avidec: Prevent entity expansion attacks +- avcodec/h263dec: Sanity check against minimal I/P frame size +- avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel +- avcodec/mpegaudiodec_template: use unsigned shift in handle_crc() +- avformat/subviewerdec: Make read_ts() more flexible +- avcodec/mjpegdec: bayer and rct are incompatible +- MAINTAINERS: Add ED25519 key for signing my commits in the future +- avcodec/pngdec: Fix APNG_DISPOSE_OP_BACKGROUND +- avcodec/libvpx: fix assembling vp9 packets with alpha channel +- fftools/ffmpeg_opt: try to propagate the requested output channel layout +- avcodec/libsvtav1: properly initialize the flush EbBufferHeaderType struct +- configure: enable the av1_frame_split bsf for the av1 decoder +- swresample/swresample: fill the correct buffer to print the output layout string +- ffprobe: restore reporting error code for failed inputs +- ipfsgateway: Remove default gateway +- avcodec/libspeexdec: Fix use of uninitialized value +- avformat/avisynth: use ch_layout.nb_channels for channel count +- fate/lavf-image: Disable file checksums for exr tests +- tests/fate-run: Allow to skip file checksums for lavf_image +- fate/imf: Rename IMF fate-target +- avcodec/alac: don't fail if channels aren't set during init() when extradata is valid +- configure: properly require libx264 if enabled + + version 5.1: - add ipfs/ipns protocol support - dialogue enhance audio filter 
diff --git a/RELEASE b/RELEASE index a75b92f1ed..ac14c3dfaa 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -5.1 +5.1.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index ba0002d5f8..4314fcebe6 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 5.1 +PROJECT_NUMBER = 5.1.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 4424a6223b5a81977b9af4aac03c32f69915dab4 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 5 Sep 2022 01:35:19 +0200 Subject: [PATCH 047/562] avutil/tests/.gitignore: Add channel_layout testtool Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit f89949afed7a538db603f32d463fe9547bc439a7) --- libavutil/tests/.gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/tests/.gitignore b/libavutil/tests/.gitignore index 919010e4fc..87895912f5 100644 --- a/libavutil/tests/.gitignore +++ b/libavutil/tests/.gitignore @@ -9,6 +9,7 @@ /bprint /camellia /cast5 +/channel_layout /color_utils /cpu /cpu_init From 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 2 Sep 2022 22:21:27 +0200 Subject: [PATCH 048/562] lavc/pthread_frame: avoid leaving stale hwaccel state in worker threads This state is not refcounted, so make sure it always has a well-defined owner. Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as this commit also solves that issue in a more general way. (cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11) Signed-off-by: Anton Khirnov --- libavcodec/pthread_frame.c | 47 ++++++++++++++++++++++++++++---------- 1 file changed, 35 insertions(+), 12 deletions(-) 
diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index 8faea75a49..80c15b35be 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -147,6 +147,12 @@ typedef struct FrameThreadContext { * Set for the first N packets, where N is the number of threads. * While it is set, ff_thread_en/decode_frame won't return any results. */ + + /* hwaccel state is temporarily stored here in order to transfer its ownership + * to the next decoding thread without the need for extra synchronization */ + const AVHWAccel *stash_hwaccel; + void *stash_hwaccel_context; + void *stash_hwaccel_priv; } FrameThreadContext; #if FF_API_THREAD_SAFE_CALLBACKS @@ -227,9 +233,17 @@ FF_ENABLE_DEPRECATION_WARNINGS ff_thread_finish_setup(avctx); if (p->hwaccel_serializing) { + /* wipe hwaccel state to avoid stale pointers lying around; + * the state was transferred to FrameThreadContext in + * ff_thread_finish_setup(), so nothing is leaked */ + avctx->hwaccel = NULL; + avctx->hwaccel_context = NULL; + avctx->internal->hwaccel_priv_data = NULL; + p->hwaccel_serializing = 0; pthread_mutex_unlock(&p->parent->hwaccel_mutex); } + av_assert0(!avctx->hwaccel); if (p->async_serializing) { p->async_serializing = 0; @@ -293,9 +307,6 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src, dst->color_range = src->color_range; dst->chroma_sample_location = src->chroma_sample_location; - dst->hwaccel = src->hwaccel; - dst->hwaccel_context = src->hwaccel_context; - dst->sample_rate = src->sample_rate; dst->sample_fmt = src->sample_fmt; #if FF_API_OLD_CHANNEL_LAYOUT @@ -308,8 +319,6 @@ FF_ENABLE_DEPRECATION_WARNINGS if (err < 0) return err; - dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data; - if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx || (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) { av_buffer_unref(&dst->hw_frames_ctx); 
@@ -449,6 +458,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx, pthread_mutex_unlock(&p->mutex); return err; } + + /* transfer hwaccel state stashed from previous thread, if any */ + av_assert0(!p->avctx->hwaccel); + FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel); + FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context); + FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); } av_packet_unref(p->avpkt); @@ -654,6 +669,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) { async_lock(p->parent); } + /* save hwaccel state for passing to the next thread; + * this is done here so that this worker thread can wipe its own hwaccel + * state after decoding, without requiring synchronization */ + av_assert0(!p->parent->stash_hwaccel); + p->parent->stash_hwaccel = avctx->hwaccel; + p->parent->stash_hwaccel_context = avctx->hwaccel_context; + p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data; + pthread_mutex_lock(&p->progress_mutex); if(atomic_load(&p->state) == STATE_SETUP_FINISHED){ av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n"); @@ -707,13 +730,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) park_frame_worker_threads(fctx, thread_count); - if (fctx->prev_thread && avctx->internal->hwaccel_priv_data != - fctx->prev_thread->avctx->internal->hwaccel_priv_data) { - if (update_context_from_thread(avctx, fctx->prev_thread->avctx, 1) < 0) { - av_log(avctx, AV_LOG_ERROR, "Failed to update user thread.\n"); - } - } - for (i = 0; i < thread_count; i++) { PerThreadContext *p = &fctx->threads[i]; AVCodecContext *ctx = p->avctx; 
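Review bot: In ff_thread_finish_setup() the new `av_assert0(!p->parent->stash_hwaccel)` and the three stash assignments sit above the existing check that only logs "Multiple ff_thread_finish_setup() calls". A decoder that calls the function twice with a hwaccel attached would therefore either abort on the assert or, if the next thread has already taken the stash, publish the same hwaccel state a second time while this thread still holds it; whether any decoder does so is not visible here. Moving the stash below the state check, or guarding it with `if (atomic_load(&p->state) != STATE_SETUP_FINISHED)`, keeps a repeated call a warning. The function starts and ends outside the hunk.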
@@ -760,6 +776,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) av_freep(&fctx->threads); ff_pthread_free(fctx, thread_ctx_offsets); + /* if we have stashed hwaccel state, move it to the user-facing context, + * so it will be freed in avcodec_close() */ + av_assert0(!avctx->hwaccel); + FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel); + FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context); + FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); + av_freep(&avctx->internal->thread_ctx); } From fcbd9ec24895b53bfa6a206aed29b5b04b68c41b Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 4 Sep 2022 23:43:04 -0300 Subject: [PATCH 049/562] avfilter/vf_scale: overwrite the width and height expressions with the original values Instead of the potentially adjusted ones. Otherwise, if config_props() is called again and if using force_original_aspect_ratio, the already adjusted values could be altered again. Example command line scale=size=1920x1000:force_original_aspect_ratio=decrease:force_divisible_by=2 user value 1920x1000 -> 1920x798 on init_dict() -> 1918x798 on frame change when eval_mode == EVAL_MODE_INIT, which after e645a1ddb9 could be at the very first frame. Signed-off-by: James Almer (cherry picked from commit d9e3cb7e73c77ccddc4d29ed5c1be3920f72c226) --- libavfilter/vf_scale.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 996f7aaa5b..2b12cf283c 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c 
@@ -491,19 +491,19 @@ static int config_props(AVFilterLink *outlink) if ((ret = scale_eval_dimensions(ctx)) < 0) goto fail; - ff_scale_adjust_dimensions(inlink, &scale->w, &scale->h, + outlink->w = scale->w; + outlink->h = scale->h; + + ff_scale_adjust_dimensions(inlink, &outlink->w, &outlink->h, scale->force_original_aspect_ratio, scale->force_divisible_by); - if (scale->w > INT_MAX || - scale->h > INT_MAX || - (scale->h * inlink->w) > INT_MAX || - (scale->w * inlink->h) > INT_MAX) + if (outlink->w > INT_MAX || + outlink->h > INT_MAX || + (outlink->h * inlink->w) > INT_MAX || + (outlink->w * inlink->h) > INT_MAX) av_log(ctx, AV_LOG_ERROR, "Rescaled value for width or height is too big.\n"); - outlink->w = scale->w; - outlink->h = scale->h; - /* TODO: make algorithm configurable */ scale->input_is_pal = desc->flags & AV_PIX_FMT_FLAG_PAL; @@ -718,9 +718,9 @@ static int scale_frame(AVFilterLink *link, AVFrame *in, AVFrame **frame_out) goto scale; if (scale->eval_mode == EVAL_MODE_INIT) { - snprintf(buf, sizeof(buf)-1, "%d", outlink->w); + snprintf(buf, sizeof(buf) - 1, "%d", scale->w); av_opt_set(scale, "w", buf, 0); - snprintf(buf, sizeof(buf)-1, "%d", outlink->h); + snprintf(buf, sizeof(buf) - 1, "%d", scale->h); av_opt_set(scale, "h", buf, 0); ret = scale_parse_expr(ctx, NULL, &scale->w_pexpr, "width", scale->w_expr); From 425ffaec23fbe79f2d8150d0bc5eafb6668e3c5d Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 10 Sep 2022 00:36:34 -0300 Subject: [PATCH 050/562] avformat/riffdec: don't unconditionally overwrite WAVEFORMATEXTENSIBLE layout Do it only if the value conflicts with the previous channels value. Fixes ticket #9912 Signed-off-by: James Almer (cherry picked from commit 60d8c2019f59fcbeb597c900a56c8c4cd9ec8838) --- libavformat/riffdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 3946ecb72f..c1e4a04550 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c 
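Review bot: The rewritten range check in config_props() cannot detect what it tests for: `outlink->w` and `outlink->h` are `int`, so `outlink->w > INT_MAX` is always false, and `outlink->h * inlink->w` is multiplied in `int` and overflows before the comparison. Widening the products, e.g. `(int64_t)outlink->h * inlink->w > INT_MAX`, makes the test meaningful. In the visible lines the branch also only logs and then continues, so following the `av_log()` with `ret = AVERROR(EINVAL); goto fail;` would stop oversized dimensions from being used; the `fail` label is outside the hunk.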
@@ -102,6 +102,8 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, return AVERROR_INVALIDDATA; } + av_channel_layout_uninit(&par->ch_layout); + par->codec_type = AVMEDIA_TYPE_AUDIO; if (!big_endian) { id = avio_rl16(pb); @@ -189,9 +191,12 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, if (par->codec_id == AV_CODEC_ID_ADPCM_G726 && par->sample_rate) par->bits_per_coded_sample = par->bit_rate / par->sample_rate; - av_channel_layout_uninit(&par->ch_layout); - par->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; - par->ch_layout.nb_channels = channels; + /* ignore WAVEFORMATEXTENSIBLE layout if different from channel count */ + if (channels != par->ch_layout.nb_channels) { + av_channel_layout_uninit(&par->ch_layout); + par->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; + par->ch_layout.nb_channels = channels; + } return 0; } From 2d04a18264e6e9b7f548954c5d1c51c3ab01b038 Mon Sep 17 00:00:00 2001 From: James Cowgill Date: Sun, 25 Aug 2019 09:18:00 +0100 Subject: [PATCH 051/562] avcodec/arm/sbcenc: avoid callee preserved vfp registers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When compiling FFmpeg with GCC-9, some very random segfaults were observed in code which had previously called down into the SBC encoder NEON assembly routines. This was caused by these functions clobbering some of the vfp callee saved registers (d8 - d15 aka q4 - q7). GCC was using these registers to save local variables, but after these functions returned, they would contain garbage. Fix by reallocating the registers in the two affected functions in the following way: ff_sbc_analyze_4_neon: q2-q5 => q8-q11, then q1-q4 => q8-q11 ff_sbc_analyze_8_neon: q2-q9 => q8-q15 The reason for using these replacements is to keep closely related sets of registers consecutively numbered which hopefully makes the code more easy to follow. Since this commit only reallocates registers, it should have no performance impact. 
Signed-off-by: James Cowgill Signed-off-by: Martin Storsjö (cherry picked from commit 50a4dff69f6477b06f00eae1cac2a53ae22fe9a5) Signed-off-by: Martin Storsjö --- libavcodec/arm/sbcdsp_neon.S | 198 +++++++++++++++++------------------ 1 file changed, 99 insertions(+), 99 deletions(-) diff --git a/libavcodec/arm/sbcdsp_neon.S b/libavcodec/arm/sbcdsp_neon.S index d83d21d202..914abfb6cc 100644 --- a/libavcodec/arm/sbcdsp_neon.S +++ b/libavcodec/arm/sbcdsp_neon.S 
@@ -38,49 +38,49 @@ function ff_sbc_analyze_4_neon, export=1 /* TODO: merge even and odd cases (or even merge all four calls to this * function) in order to have only aligned reads from 'in' array * and reduce number of load instructions */ - vld1.16 {d4, d5}, [r0, :64]! - vld1.16 {d8, d9}, [r2, :128]! + vld1.16 {d16, d17}, [r0, :64]! + vld1.16 {d20, d21}, [r2, :128]! - vmull.s16 q0, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmull.s16 q1, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! + vmull.s16 q0, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmull.s16 q1, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! - vmlal.s16 q0, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmlal.s16 q1, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmlal.s16 q0, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmlal.s16 q1, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q0, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmlal.s16 q1, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! + vmlal.s16 q0, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmlal.s16 q1, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! - vmlal.s16 q0, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmlal.s16 q1, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmlal.s16 q0, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmlal.s16 q1, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q0, d4, d8 - vmlal.s16 q1, d5, d9 + vmlal.s16 q0, d16, d20 + vmlal.s16 q1, d17, d21 vpadd.s32 d0, d0, d1 vpadd.s32 d1, d2, d3 vrshrn.s32 d0, q0, SBC_PROTO_FIXED_SCALE - vld1.16 {d2, d3, d4, d5}, [r2, :128]! + vld1.16 {d16, d17, d18, d19}, [r2, :128]! 
vdup.i32 d1, d0[1] /* TODO: can be eliminated */ vdup.i32 d0, d0[0] /* TODO: can be eliminated */ - vmull.s16 q3, d2, d0 - vmull.s16 q4, d3, d0 - vmlal.s16 q3, d4, d1 - vmlal.s16 q4, d5, d1 + vmull.s16 q10, d16, d0 + vmull.s16 q11, d17, d0 + vmlal.s16 q10, d18, d1 + vmlal.s16 q11, d19, d1 - vpadd.s32 d0, d6, d7 /* TODO: can be eliminated */ - vpadd.s32 d1, d8, d9 /* TODO: can be eliminated */ + vpadd.s32 d0, d20, d21 /* TODO: can be eliminated */ + vpadd.s32 d1, d22, d23 /* TODO: can be eliminated */ vst1.32 {d0, d1}, [r1, :128] 
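Review bot: The register constraint that this change enforces is not recorded anywhere in the file, so a later edit could bring d8-d15 back without anyone noticing. A comment at the top of ff_sbc_analyze_4_neon, repeated for ff_sbc_analyze_8_neon in the following hunks, would state it, for example `/* d8-d15 (q4-q7) are callee-saved under the ARM procedure call standard; use only q0-q3 and q8-q15 here, or save them with vpush/vpop */`. The existing TODO comments about merging the even and odd cases are a natural place for such an edit to happen, which is why the note belongs next to them.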
@@ -91,57 +91,57 @@ function ff_sbc_analyze_8_neon, export=1 /* TODO: merge even and odd cases (or even merge all four calls to this * function) in order to have only aligned reads from 'in' array * and reduce number of load instructions */ - vld1.16 {d4, d5}, [r0, :64]! - vld1.16 {d8, d9}, [r2, :128]! + vld1.16 {d16, d17}, [r0, :64]! + vld1.16 {d20, d21}, [r2, :128]! - vmull.s16 q6, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmull.s16 q7, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! - vmull.s16 q8, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmull.s16 q9, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmull.s16 q12, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmull.s16 q13, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! + vmull.s16 q14, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmull.s16 q15, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q6, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmlal.s16 q7, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! - vmlal.s16 q8, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmlal.s16 q9, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmlal.s16 q12, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmlal.s16 q13, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! + vmlal.s16 q14, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmlal.s16 q15, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q6, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmlal.s16 q7, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! - vmlal.s16 q8, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmlal.s16 q9, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmlal.s16 q12, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmlal.s16 q13, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! + vmlal.s16 q14, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmlal.s16 q15, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q6, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmlal.s16 q7, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! - vmlal.s16 q8, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmlal.s16 q9, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! 
+ vmlal.s16 q12, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmlal.s16 q13, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! + vmlal.s16 q14, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmlal.s16 q15, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q6, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmlal.s16 q7, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! + vmlal.s16 q12, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmlal.s16 q13, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! - vmlal.s16 q8, d6, d10 - vmlal.s16 q9, d7, d11 + vmlal.s16 q14, d18, d22 + vmlal.s16 q15, d19, d23 - vpadd.s32 d0, d12, d13 - vpadd.s32 d1, d14, d15 - vpadd.s32 d2, d16, d17 - vpadd.s32 d3, d18, d19 + vpadd.s32 d0, d24, d25 + vpadd.s32 d1, d26, d27 + vpadd.s32 d2, d28, d29 + vpadd.s32 d3, d30, d31 vrshr.s32 q0, q0, SBC_PROTO_FIXED_SCALE vrshr.s32 q1, q1, SBC_PROTO_FIXED_SCALE 
@@ -153,38 +153,38 @@ function ff_sbc_analyze_8_neon, export=1 vdup.i32 d1, d0[1] /* TODO: can be eliminated */ vdup.i32 d0, d0[0] /* TODO: can be eliminated */ - vld1.16 {d4, d5}, [r2, :128]! - vmull.s16 q6, d4, d0 - vld1.16 {d6, d7}, [r2, :128]! - vmull.s16 q7, d5, d0 - vmull.s16 q8, d6, d0 - vmull.s16 q9, d7, d0 + vld1.16 {d16, d17}, [r2, :128]! + vmull.s16 q12, d16, d0 + vld1.16 {d18, d19}, [r2, :128]! + vmull.s16 q13, d17, d0 + vmull.s16 q14, d18, d0 + vmull.s16 q15, d19, d0 - vld1.16 {d4, d5}, [r2, :128]! - vmlal.s16 q6, d4, d1 - vld1.16 {d6, d7}, [r2, :128]! - vmlal.s16 q7, d5, d1 - vmlal.s16 q8, d6, d1 - vmlal.s16 q9, d7, d1 + vld1.16 {d16, d17}, [r2, :128]! + vmlal.s16 q12, d16, d1 + vld1.16 {d18, d19}, [r2, :128]! + vmlal.s16 q13, d17, d1 + vmlal.s16 q14, d18, d1 + vmlal.s16 q15, d19, d1 - vld1.16 {d4, d5}, [r2, :128]! - vmlal.s16 q6, d4, d2 - vld1.16 {d6, d7}, [r2, :128]! - vmlal.s16 q7, d5, d2 - vmlal.s16 q8, d6, d2 - vmlal.s16 q9, d7, d2 + vld1.16 {d16, d17}, [r2, :128]! + vmlal.s16 q12, d16, d2 + vld1.16 {d18, d19}, [r2, :128]! + vmlal.s16 q13, d17, d2 + vmlal.s16 q14, d18, d2 + vmlal.s16 q15, d19, d2 - vld1.16 {d4, d5}, [r2, :128]! - vmlal.s16 q6, d4, d3 - vld1.16 {d6, d7}, [r2, :128]! - vmlal.s16 q7, d5, d3 - vmlal.s16 q8, d6, d3 - vmlal.s16 q9, d7, d3 + vld1.16 {d16, d17}, [r2, :128]! + vmlal.s16 q12, d16, d3 + vld1.16 {d18, d19}, [r2, :128]! + vmlal.s16 q13, d17, d3 + vmlal.s16 q14, d18, d3 + vmlal.s16 q15, d19, d3 - vpadd.s32 d0, d12, d13 /* TODO: can be eliminated */ - vpadd.s32 d1, d14, d15 /* TODO: can be eliminated */ - vpadd.s32 d2, d16, d17 /* TODO: can be eliminated */ - vpadd.s32 d3, d18, d19 /* TODO: can be eliminated */ + vpadd.s32 d0, d24, d25 /* TODO: can be eliminated */ + vpadd.s32 d1, d26, d27 /* TODO: can be eliminated */ + vpadd.s32 d2, d28, d29 /* TODO: can be eliminated */ + vpadd.s32 d3, d30, d31 /* TODO: can be eliminated */ vst1.32 {d0, d1, d2, d3}, [r1, :128] 
From 96c78e50a66a3b443eb2f237e2554ab84b8a12ce Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 19 Sep 2022 14:50:30 +0200 Subject: [PATCH 052/562] lavc/pthread_frame: always transfer stashed hwaccel state Fixes assertion failures after avcodec_flush_buffers(), where stashed hwaccel state is present, but prev_thread is NULL. Found-by: Wang Bin (cherry picked from commit c504fb869264fbd8fba6e81c186b2f2848b62e26) Signed-off-by: Anton Khirnov --- libavcodec/pthread_frame.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index 80c15b35be..43d6cc8ff4 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -458,14 +458,14 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx, pthread_mutex_unlock(&p->mutex); return err; } - - /* transfer hwaccel state stashed from previous thread, if any */ - av_assert0(!p->avctx->hwaccel); - FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel); - FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context); - FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); } + /* transfer the stashed hwaccel state, if any */ + av_assert0(!p->avctx->hwaccel); + FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel); + FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context); + FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); + av_packet_unref(p->avpkt); ret = av_packet_ref(p->avpkt, avpkt); if (ret < 0) { From 9772ba1b6af5bca50701f3958bcd6d15414ac45a Mon Sep 17 00:00:00 2001 
From: Anton Khirnov Date: Thu, 15 Sep 2022 14:53:36 +0200 Subject: [PATCH 053/562] lavc/videotoolbox: do not pass AVCodecContext to decoder output callback The opaque parameter for the callback is set in videotoolbox_start(), called when the hwaccel is initialized. When frame threading is used, avctx will be the context corresponding to the frame thread currently doing the decoding. Using this same codec context in all subsequent invocations of the decoder callback (even those triggered by a different frame thread) is unsafe, and broken after cc867f2c09d2b69cee8a0eccd62aff002cbbfe11, since each frame thread now cleans up its hwaccel state after decoding each frame. Fix this by passing hwaccel_priv_data as the opaque parameter, which exists in a single instance forwarded between all frame threads. The only other use of AVCodecContext in the decoder output callback is as a logging context. For this purpose, store a logging context in hwaccel_priv_data. (cherry picked from commit d7f4ad88a0df3c1339e142957bf2c40cd056b8ce) Signed-off-by: Anton Khirnov --- libavcodec/videotoolbox.c | 10 ++++++---- libavcodec/vt_internal.h | 2 ++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/videotoolbox.c b/libavcodec/videotoolbox.c index ce83c2594a..d61d310600 100644 --- a/libavcodec/videotoolbox.c +++ b/libavcodec/videotoolbox.c @@ -690,8 +690,7 @@ static void videotoolbox_decoder_callback(void *opaque, CMTime pts, CMTime duration) { - AVCodecContext *avctx = opaque; - VTContext *vtctx = avctx->internal->hwaccel_priv_data; + VTContext *vtctx = opaque; if (vtctx->frame) { CVPixelBufferRelease(vtctx->frame); @@ -699,7 +698,8 @@ static void videotoolbox_decoder_callback(void *opaque, } if (!image_buffer) { - av_log(avctx, status ? AV_LOG_WARNING : AV_LOG_DEBUG, "vt decoder cb: output image buffer is null: %i\n", status); + av_log(vtctx->logctx, status ? AV_LOG_WARNING : AV_LOG_DEBUG, + "vt decoder cb: output image buffer is null: %i\n", status); return; } 
@@ -949,7 +949,7 @@ static int videotoolbox_start(AVCodecContext *avctx) videotoolbox->cv_pix_fmt_type); decoder_cb.decompressionOutputCallback = videotoolbox_decoder_callback; - decoder_cb.decompressionOutputRefCon = avctx; + decoder_cb.decompressionOutputRefCon = avctx->internal->hwaccel_priv_data; status = VTDecompressionSessionCreate(NULL, // allocator videotoolbox->cm_fmt_desc, // videoFormatDescription @@ -1179,6 +1179,8 @@ int ff_videotoolbox_common_init(AVCodecContext *avctx) AVHWFramesContext *hw_frames; int err; + vtctx->logctx = avctx; + // Old API - do nothing. if (avctx->hwaccel_context) return 0; diff --git a/libavcodec/vt_internal.h b/libavcodec/vt_internal.h index 54a11fd1b5..9502d7c7dc 100644 --- a/libavcodec/vt_internal.h +++ b/libavcodec/vt_internal.h @@ -45,6 +45,8 @@ typedef struct VTContext { // Current H264 parameters (used to trigger decoder restart on SPS changes). uint8_t sps[3]; bool reconfig_needed; + + void *logctx; } VTContext; int ff_videotoolbox_alloc_frame(AVCodecContext *avctx, AVFrame *frame); From f202a1fdf75d0e7f48a2e8d63c2d390cc4b19c85 Mon Sep 17 00:00:00 2001 
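Review bot: The new `void *logctx` member of VTContext carries no comment on what it points to or how long it must stay valid. ff_videotoolbox_common_init() stores `avctx` in it, and videotoolbox_decoder_callback() later hands it to av_log() whenever the session calls back. If the context seen by common_init can be a per-thread AVCodecContext, it is worth confirming that it outlives the decompression session, since the callback no longer has any other route to a live context. Suggest documenting the field, e.g. `// Logging context for the decoder output callback; must remain valid for the lifetime of the VT session.`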
From: Andreas Rheinhardt Date: Tue, 20 Sep 2022 22:08:47 +0200 Subject: [PATCH 054/562] avformat/dashdec: Fix crash on invalid input/ENOMEM, fix leak In case a SupplementalProperty node exists in an adaptationset, it is searched for a "schemeIdUri" property via xmlGetProp(). Whatever xmlGetProp() returns is then compared via av_strcasecmp() to a string literal. xmlGetProp() can return NULL, namely in case no "schemeIdUri" exists and (given that this string is allocated) presumably also on allocation failure. No check for NULL is done, so this may crash. Furthermore, the string returned by xmlGetProp() needs to be freed with xmlFree(), but this is not done either. This commit fixes both of these issues; they existed since this code has been added in 10d008f0fd9e713e290f626300d66382ad786c49. This has been found while investigating ticket #9697. The continuous leaks might very well be the reason behind the observed slowdown. Reviewed-by: Steven Liu Signed-off-by: Andreas Rheinhardt (cherry picked from commit 14b3830b33075e92f8e2766c0c53e8b6bc570c6c) --- libavformat/dashdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index 63bf7e96a5..2ca91bea8b 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c 
@@ -956,7 +956,11 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, xmlFree(val); } if (adaptionset_supplementalproperty_node) { - if (!av_strcasecmp(xmlGetProp(adaptionset_supplementalproperty_node,"schemeIdUri"), "http://dashif.org/guidelines/last-segment-number")) { + char *scheme_id_uri = xmlGetProp(adaptionset_supplementalproperty_node, "schemeIdUri"); + if (scheme_id_uri) { + int is_last_segment_number = !av_strcasecmp(scheme_id_uri, "http://dashif.org/guidelines/last-segment-number"); + xmlFree(scheme_id_uri); + if (is_last_segment_number) { val = xmlGetProp(adaptionset_supplementalproperty_node,"value"); if (!val) { av_log(s, AV_LOG_ERROR, "Missing value attribute in adaptionset_supplementalproperty_node\n"); @@ -965,6 +969,7 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, xmlFree(val); } } + } } fragment_timeline_node = find_child_node_by_name(representation_segmenttemplate_node, "SegmentTimeline"); From 746a21063065535d6b758a46e86df411bce69d9f Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 21 Sep 2022 00:01:40 -0300 Subject: [PATCH 055/562] avformat/cafenc: derive Opus frame size from the relevant stream parameters Use the stream duration as last resort, as an off-by-one result of the "st->duration / (caf->packets - 1)" calculation can break playback on some devices. Also, don't write the sample_rate value propagated by encoders like libopus. The sample rate of the audio fed to it is irrelevant after being encoded. Fixes ticket #9930. Signed-off-by: James Almer --- libavformat/cafenc.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavformat/cafenc.c b/libavformat/cafenc.c index fedb430b17..b90811d46f 100644 --- a/libavformat/cafenc.c +++ b/libavformat/cafenc.c 
@@ -53,7 +53,11 @@ static uint32_t codec_flags(enum AVCodecID codec_id) { } } -static uint32_t samples_per_packet(enum AVCodecID codec_id, int channels, int block_align) { +static uint32_t samples_per_packet(const AVCodecParameters *par) { + enum AVCodecID codec_id = par->codec_id; + int channels = par->ch_layout.nb_channels, block_align = par->block_align; + int frame_size = par->frame_size, sample_rate = par->sample_rate; + switch (codec_id) { case AV_CODEC_ID_PCM_S8: case AV_CODEC_ID_PCM_S16LE: @@ -83,6 +87,8 @@ static uint32_t samples_per_packet(enum AVCodecID codec_id, int channels, int bl return 320; case AV_CODEC_ID_MP1: return 384; + case AV_CODEC_ID_OPUS: + return frame_size * 48000 / sample_rate; case AV_CODEC_ID_MP2: case AV_CODEC_ID_MP3: return 1152; @@ -110,7 +116,7 @@ static int caf_write_header(AVFormatContext *s) AVDictionaryEntry *t = NULL; unsigned int codec_tag = ff_codec_get_tag(ff_codec_caf_tags, par->codec_id); int64_t chunk_size = 0; - int frame_size = par->frame_size; + int frame_size = par->frame_size, sample_rate = par->sample_rate; if (s->nb_streams != 1) { av_log(s, AV_LOG_ERROR, "CAF files have exactly one stream\n"); @@ -139,7 +145,10 @@ static int caf_write_header(AVFormatContext *s) } if (par->codec_id != AV_CODEC_ID_MP3 || frame_size != 576) - frame_size = samples_per_packet(par->codec_id, par->ch_layout.nb_channels, par->block_align); + frame_size = samples_per_packet(par); + + if (par->codec_id == AV_CODEC_ID_OPUS) + sample_rate = 48000; ffio_wfourcc(pb, "caff"); //< mFileType avio_wb16(pb, 1); //< mFileVersion 
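Review bot: The new `AV_CODEC_ID_OPUS` case in samples_per_packet() divides by `par->sample_rate` with no guard and evaluates `frame_size * 48000` in `int`, so a zero sample rate traps and a frame_size above roughly 44739 overflows. Both values come from caller-supplied codec parameters, and nothing visible in this patch validates them before the calls in caf_write_header() and caf_write_trailer(). Consider `if (sample_rate <= 0) return 0;` in that case, followed by `return (int64_t)frame_size * 48000 / sample_rate;`. Whether a 0 result is handled sensibly by caf_write_header() needs confirming, as that code lies outside the hunk.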
@@ -147,7 +156,7 @@ static int caf_write_header(AVFormatContext *s) ffio_wfourcc(pb, "desc"); //< Audio Description chunk avio_wb64(pb, 32); //< mChunkSize - avio_wb64(pb, av_double2int(par->sample_rate)); //< mSampleRate + avio_wb64(pb, av_double2int(sample_rate)); //< mSampleRate avio_wl32(pb, codec_tag); //< mFormatID avio_wb32(pb, codec_flags(par->codec_id)); //< mFormatFlags avio_wb32(pb, par->block_align); //< mBytesPerPacket @@ -248,7 +257,7 @@ static int caf_write_trailer(AVFormatContext *s) avio_seek(pb, caf->data, SEEK_SET); avio_wb64(pb, file_size - caf->data - 8); if (!par->block_align) { - int packet_size = samples_per_packet(par->codec_id, par->ch_layout.nb_channels, par->block_align); + int packet_size = samples_per_packet(par); if (!packet_size) { packet_size = st->duration / (caf->packets - 1); avio_seek(pb, FRAME_SIZE_OFFSET, SEEK_SET); From 344c1134a93ef81d485b7b8b9c8fd5a1aae803e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jun 2022 02:01:20 +0200 Subject: [PATCH 056/562] avcodec/bink: disallow odd positioned scaled blocks Fixes: out of array access Fixes: 47911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6194020855971840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit b14104a6376cd774b08cbe5fda56b34320a41b2e) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index ae2c65f19f..3ba3068e0b 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c 
@@ -1088,7 +1088,7 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it - if ((by & 1) && blk == SCALED_BLOCK) { + if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) { bx++; dst += 8; prev += 8; From 58c5976ca0829c94402a83b2940237bf7a7c067b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Aug 2022 23:41:57 +0200 Subject: [PATCH 057/562] avcodec/speedhq: Check width Fixes: out of array access Fixes: 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400 Alternatively the buffer size can be increased Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0395f9ef6051315973f1fdded1804f81458566d) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 4cfd4ce73d..e158061bcf 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -499,7 +499,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, AVFrame *frame, uint32_t second_field_offset; int ret; - if (buf_size < 4 || avctx->width < 8) + if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; quality = buf[0]; From 82207ef2661bb4451082edde6ca3d2480a725906 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jul 2022 20:15:06 +0200 Subject: [PATCH 058/562] avfilter/vf_showinfo: remove backspaces They mess with storing editing and comparing the results Signed-off-by: Michael Niedermayer (cherry picked from commit 31581ae7ee6d007f2f2dcd16de5df991ba7aa1b6) Signed-off-by: Michael Niedermayer --- libavfilter/vf_showinfo.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
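Review bot: The comment above the changed condition in bink_decode_plane still says only "on odd line", but the test now also skips a SCALED_BLOCK at an odd column, which is the case the out-of-array fix addresses. Update it so the reason for the `bx & 1` term is recorded, for example `// 16x16 block type on an odd line or at an odd column is treated as part of the already decoded block, so skip it`. The enclosing loops start and end outside the hunk.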
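Review bot: The added `avctx->width % 8 != 0` term in speedhq_decode_frame rejects the frame with AVERROR_INVALIDDATA and no message, so a stream whose width is simply not a multiple of 8 fails with no hint of the cause. The commit message notes the buffer could be enlarged instead, which suggests such widths are unsupported rather than malformed. If so, a separate branch with `avpriv_request_sample(avctx, "width not a multiple of 8");` and `return AVERROR_PATCHWELCOME;` would describe the condition more accurately. The function body continues outside the hunk.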
diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c index 6efcafce28..68fbe8cc85 100644 --- a/libavfilter/vf_showinfo.c +++ b/libavfilter/vf_showinfo.c @@ -730,12 +730,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) av_log(ctx, AV_LOG_INFO, " %08"PRIX32, plane_checksum[plane]); av_log(ctx, AV_LOG_INFO, "] mean:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%"PRId64" ", (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); - av_log(ctx, AV_LOG_INFO, "\b] stdev:["); + av_log(ctx, AV_LOG_INFO, "%s%"PRId64, + plane ? " ":"", + (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); + av_log(ctx, AV_LOG_INFO, "] stdev:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%3.1f ", + av_log(ctx, AV_LOG_INFO, "%s%3.1f", + plane ? " ":"", sqrt((sum2[plane] - sum[plane]*(double)sum[plane]/pixelcount[plane])/pixelcount[plane])); - av_log(ctx, AV_LOG_INFO, "\b]"); + av_log(ctx, AV_LOG_INFO, "]"); } av_log(ctx, AV_LOG_INFO, "\n"); From b877696f163237346719038928b3a82a7e4999e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jun 2022 23:09:09 +0200 Subject: [PATCH 059/562] avcodec/fmvc: Move frame allocation to a later stage This way more things are checked before allocation Signed-off-by: Michael Niedermayer (cherry picked from commit 9783749c66bf6ca2ce7a6db4c74957fe77cbe803) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 4abf6d7048..912ad8fc82 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c 
@@ -401,20 +401,17 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, GetByteContext *gb = &s->gb; PutByteContext *pb = &s->pb; int ret, y, x; + int key_frame; if (avpkt->size < 8) return AVERROR_INVALIDDATA; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - bytestream2_init(gb, avpkt->data, avpkt->size); bytestream2_skip(gb, 2); - frame->key_frame = !!bytestream2_get_le16(gb); - frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; + key_frame = !!bytestream2_get_le16(gb); - if (frame->key_frame) { + if (key_frame) { const uint8_t *src; unsigned type, size; uint8_t *dst; @@ -434,6 +431,12 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, return AVERROR_PATCHWELCOME; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 1; + frame->pict_type = AV_PICTURE_TYPE_I; + src = s->buffer; dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { @@ -514,6 +517,12 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, dst = &rect[block_h * s->stride]; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 0; + frame->pict_type = AV_PICTURE_TYPE_P; + ssrc = s->buffer; ddst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { From 47e510aa0c09bd02536c8359deadee8aa36e9794 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Sep 2022 00:32:23 +0200 Subject: [PATCH 060/562] libavformat/hls: Free keys Fixes: memleak Fixes: 50703/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6399058578636800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit d32a9f3137c91de86547601a38fea0693c3497f1) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 1 + 1 file changed, 1 insertion(+) 
diff --git a/libavformat/hls.c b/libavformat/hls.c index 3dc7bd3930..e622425e80 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -250,6 +250,7 @@ static void free_init_section_list(struct playlist *pls) { int i; for (i = 0; i < pls->n_init_sections; i++) { + av_freep(&pls->init_sections[i]->key); av_freep(&pls->init_sections[i]->url); av_freep(&pls->init_sections[i]); } From 8f483d42e04d11d6e1d3d159ca975bb29fb6c719 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Sep 2022 19:55:09 +0200 Subject: [PATCH 061/562] avcodec/tiff: Fix loop detection Fixes regression with tickets/4364/L1004220.DNG Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 43a4854510a3d596e114d899177a5b3b323ca9fb) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 2d40626ccc..e7a2576b0b 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1750,7 +1750,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, int *got_frame, AVPacket *avpkt) { TiffContext *const s = avctx->priv_data; - unsigned off, last_off; + unsigned off, last_off = 0; int le, ret, plane, planes; int i, j, entries, stride; unsigned soff, ssize; @@ -1815,7 +1815,6 @@ again: /** whether we should process this multi-page IFD's next page */ retry_for_page = s->get_page && s->cur_page + 1 < s->get_page; // get_page is 1-indexed - last_off = off; if (retry_for_page) { // set offset to the next IFD off = ff_tget_long(&s->gb, le); @@ -1833,6 +1832,7 @@ again: avpriv_request_sample(s->avctx, "non increasing IFD offset"); return AVERROR_INVALIDDATA; } + last_off = off; if (off >= UINT_MAX - 14 || avpkt->size < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); return AVERROR_INVALIDDATA; From 4e07d4a1eec9e9bda901ba0ade8e08603a1e5046 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 10 Sep 2022 23:54:17 +0200 Subject: [PATCH 062/562] avcodec/exr: Check preview psize Fixes: signed integer overflow: 17121181824 * 538976288 cannot be represented in type 'long long' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5915330316206080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ac26712e35f5ebc726d1be14bb4a420949e66604) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index c25bae8cd4..91a567cd41 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1951,9 +1951,12 @@ static int decode_header(EXRContext *s, AVFrame *frame) "preview", 16)) >= 0) { uint32_t pw = bytestream2_get_le32(gb); uint32_t ph = bytestream2_get_le32(gb); - int64_t psize = 4LL * pw * ph; + uint64_t psize = pw * ph; + if (psize > INT64_MAX / 4) + return AVERROR_INVALIDDATA; + psize *= 4; - if (psize >= bytestream2_get_bytes_left(gb)) + if ((int64_t)psize >= bytestream2_get_bytes_left(gb)) return AVERROR_INVALIDDATA; bytestream2_skip(gb, psize); From 03c168869e5e643ecab2e26b82e849197c87f056 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Sep 2022 23:58:36 +0200 Subject: [PATCH 063/562] avcodec/mobiclip: Check quantizer for overflow Fixes: signed integer overflow: 127 + 2147483536 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOBICLIP_fuzzer-6014034970804224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 677e27a9afa7305a918336699b377fd5b42cc299) Signed-off-by: Michael Niedermayer --- libavcodec/mobiclip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
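Review bot: `uint64_t psize = pw * ph;` in decode_header still multiplies two `uint32_t` values in 32-bit arithmetic, so the product wraps modulo 2^32 before it is widened to 64 bits. The `psize > INT64_MAX / 4` test that follows can then never fire, and the comparison against bytestream2_get_bytes_left() sees a truncated preview size taken from the file header. Widen one operand first: `uint64_t psize = pw * (uint64_t)ph;`. The function continues outside the hunk.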
diff --git a/libavcodec/mobiclip.c b/libavcodec/mobiclip.c index dcf788c630..a1e5dca13e 100644 --- a/libavcodec/mobiclip.c +++ b/libavcodec/mobiclip.c @@ -330,7 +330,7 @@ static av_cold int mobiclip_init(AVCodecContext *avctx) return 0; } -static int setup_qtables(AVCodecContext *avctx, int quantizer) +static int setup_qtables(AVCodecContext *avctx, int64_t quantizer) { MobiClipContext *s = avctx->priv_data; int qx, qy; @@ -1256,7 +1256,7 @@ static int mobiclip_decode(AVCodecContext *avctx, AVFrame *rframe, frame->key_frame = 0; s->dct_tab_idx = 0; - ret = setup_qtables(avctx, s->quantizer + get_se_golomb(gb)); + ret = setup_qtables(avctx, s->quantizer + (int64_t)get_se_golomb(gb)); if (ret < 0) return ret; From 5a944b3a986899736b8a0c280fb2f482ec998537 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 00:11:20 +0200 Subject: [PATCH 064/562] avcodec/tta: Check 24bit scaling for overflow Fixes: signed integer overflow: -8427924 * 256 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5409428670644224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3993345f915bccceee315f44d412445346990e14) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 74be140d51..0fc639b11c 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c 
@@ -377,8 +377,15 @@ static int tta_decode_frame(AVCodecContext *avctx, AVFrame *frame, case 3: { // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; - for (i = 0; i < framelen * s->channels; i++) - *samples++ *= 256; + int overflow = 0; + + for (i = 0; i < framelen * s->channels; i++) { + int scaled = *samples * 256U; + overflow += (scaled >> 8 != *samples); + *samples++ = scaled; + } + if (overflow) + av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow); // reset decode buffer s->decode_buffer = NULL; break; From c15b355eb5a653b150fc58a01bca49ecd4116bfd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 00:30:42 +0200 Subject: [PATCH 065/562] avcodec/apedec: Fix integer overflow in filter_3800() Fixes: signed integer overflow: -2147448926 + -198321 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5739619273015296 Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6744428485672960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f05247f6a4698c14f1cd523daa90188f50dcf6ad) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index a7c38bce1b..24877c5598 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -934,7 +934,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign; p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; - p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); + p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift); p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; 
From 04a2dd80549450a90bc6d92d5d8821d05766b496 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 23:42:02 +0200 Subject: [PATCH 066/562] avcodec/mjpegdec: Check for unsupported bayer case Fixes: out of array access Fixes: 51462/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-662559341582745 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd81cc22b3dd5bd6badf012b4fe4c19e062650f4) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 869aee425e..f5ad32568b 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1212,6 +1212,8 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p ptr[3*mb_x + 2] = buffer[mb_x][2] + ptr[3*mb_x + 1]; } } else if (s->bayer) { + if (s->bits <= 8) + return AVERROR_PATCHWELCOME; if (nb_components == 1) { /* Leave decoding to the TIFF/DNG decoder (see comment in ff_mjpeg_decode_sof) */ for (mb_x = 0; mb_x < width; mb_x++) From 89c2911a3cae1e35967c3a442c0e3106fe6b2004 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 14:28:03 +0200 Subject: [PATCH 067/562] avformat/mxfdec: Check run_in is within 65536 Fixes: signed integer overflow: 9223372036854775807 - -2146905566 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6570996594769920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7786097825d9e3f02b4574c1924c28818eb83340) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 400941c348..c2535f8e9f 100644 --- a/libavformat/mxfdec.c 
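Review bot: The new `s->bits <= 8` rejection in the bayer branch of ljpeg_decode_rgb_scan returns AVERROR_PATCHWELCOME without logging anything, so a user hitting it gets no indication of which feature is missing. Add `avpriv_report_missing_feature(s->avctx, "bayer with <= 8 bits per sample");` before the return. The condition does not appear to depend on the row or `mb_x`, so it could probably be tested once before the decoding loop rather than inside this branch; the loop itself is outside the hunk, so that needs checking against the full function.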
+++ b/libavformat/mxfdec.c @@ -64,6 +64,7 @@ #include "mxf.h" #define MXF_MAX_CHUNK_SIZE (32 << 20) +#define RUN_IN_MAX (65535+1) // S377m-2004 section 5.5 and S377-1-2009 section 6.5, the +1 is to be slightly more tolerant typedef enum { Header, @@ -3632,6 +3633,7 @@ static int mxf_read_header(AVFormatContext *s) KLVPacket klv; int64_t essence_offset = 0; int ret; + int64_t run_in; mxf->last_forward_tell = INT64_MAX; @@ -3641,7 +3643,10 @@ static int mxf_read_header(AVFormatContext *s) } avio_seek(s->pb, -14, SEEK_CUR); mxf->fc = s; - mxf->run_in = avio_tell(s->pb); + run_in = avio_tell(s->pb); + if (run_in < 0 || run_in > RUN_IN_MAX) + return AVERROR_INVALIDDATA; + mxf->run_in = run_in; mxf_read_random_index_pack(s); From a3d59e33d91402325f70b55f4a9c185a3d01e5a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Sep 2022 18:23:30 +0200 Subject: [PATCH 068/562] avformat/mxfdec: only probe max run in MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 1182bbb2c3226260ed672920251e3410bde8c6c9) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index c2535f8e9f..4a31490868 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -4052,7 +4052,7 @@ static int mxf_read_close(AVFormatContext *s) static int mxf_probe(const AVProbeData *p) { const uint8_t *bufp = p->buf; - const uint8_t *end = p->buf + p->buf_size; + const uint8_t *end = p->buf + FFMIN(p->buf_size, RUN_IN_MAX + 1 + sizeof(mxf_header_partition_pack_key)); if (p->buf_size < sizeof(mxf_header_partition_pack_key)) return 0; From 4143d0a33a8f5eb16e36367975cea3dc3f8ca8fc Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 17 Sep 2022 16:32:08 +0200 Subject: [PATCH 069/562] avformat/aiffdec: Check block_duration Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1c2b6265c87417033f990fa4a14da9d4008320a4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 0487d3f029..318e3ad742 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -372,6 +372,8 @@ got_sound: av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return AVERROR_INVALIDDATA; } + if (aiff->block_duration < 0) + return AVERROR_INVALIDDATA; /* Now positioned, get the sound data start and end */ avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From 14787c60eca221deae7c7a8e3403cddd77152350 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 16:32:09 +0200 Subject: [PATCH 070/562] avformat/aiffdec: Use 64bit for block_duration use Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9303ba272e988d87084880c57056b750cc5ffd08) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 318e3ad742..80733e5801 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c 
@@ -428,7 +428,7 @@ static int aiff_read_packet(AVFormatContext *s, pkt->flags &= ~AV_PKT_FLAG_CORRUPT; /* Only one stream in an AIFF file */ pkt->stream_index = 0; - pkt->duration = (res / st->codecpar->block_align) * aiff->block_duration; + pkt->duration = (res / st->codecpar->block_align) * (int64_t) aiff->block_duration; return 0; } From c9bb4e3bcce44acbd4d9055130f0e7bee44246da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 23:15:56 +0200 Subject: [PATCH 071/562] avformat/icodec: Check nb_pal Fixes: signed integer overflow: 538976288 * 4 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-6690068904935424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit db73ae0dc114aa6fae08e69f977944f056a24995) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 290f658d0c..85dab3bca0 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -196,6 +196,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } + if (image->nb_pal > INT_MAX / 4 - 14 - 40) + return AVERROR_INVALIDDATA; + AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); AV_WL32(buf + 8, AV_RL32(buf + 8) / 2); } From ca55032020b1b441a493c2f4e2b69ce17d2438d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:19:53 +0200 Subject: [PATCH 072/562] avformat/ape: Check frames size Fixes: signed integer overflow: 9223372036854775806 + 3 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APE_fuzzer-6389264140599296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
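Review bot: The new guard in icodec's read_packet bounds `image->nb_pal` only from above, so a negative value still reaches `image->nb_pal * 4` on the following line. The sanitizer report in the commit message shows the multiplication is done in `int`; if nb_pal can be loaded from a 32-bit file field (not visible in this hunk), the sign needs checking too: `if (image->nb_pal < 0 || image->nb_pal > INT_MAX / 4 - 14 - 40)`. The enclosing function starts and ends outside the hunk.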
Signed-off-by: Michael Niedermayer (cherry picked from commit d0349c9929e2891c90011a83152624d5cf18e628) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index bf1254e7bd..d6c8ec23b0 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -298,6 +298,8 @@ static int ape_read_header(AVFormatContext * s) ape->frames[i].pos -= ape->frames[i].skip; ape->frames[i].size += ape->frames[i].skip; } + if (ape->frames[i].size > INT_MAX - 3) + return AVERROR_INVALIDDATA; ape->frames[i].size = (ape->frames[i].size + 3) & ~3; } if (ape->fileversion < 3810) { From 08047db178ecef92195127e44aa17e7977aec3db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:24:49 +0200 Subject: [PATCH 073/562] avformat/apm: Use 64bit for bit_rate computation Fixes: signed integer overflow: -1155522528 * 4 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APM_fuzzer-6580670570299392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5b23cab5c769d6611a3fe111546d65809046a4d8) Signed-off-by: Michael Niedermayer --- libavformat/apm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/apm.c b/libavformat/apm.c index baf7d2f941..a3ddc08e83 100644 --- a/libavformat/apm.c +++ b/libavformat/apm.c @@ -148,7 +148,7 @@ static int apm_read_header(AVFormatContext *s) par->codec_id = AV_CODEC_ID_ADPCM_IMA_APM; par->format = AV_SAMPLE_FMT_S16; par->bit_rate = par->ch_layout.nb_channels * - par->sample_rate * + (int64_t)par->sample_rate * par->bits_per_coded_sample; if ((ret = avio_read(s->pb, buf, APM_FILE_EXTRADATA_SIZE)) < 0) From 01834eaec23930295c29de41f25cb112dd646f03 Mon Sep 17 00:00:00 2001 
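Review bot: The size check in ape_read_header covers only the upper bound, and the sanitizer report in the commit message shows `frames[i].size` is a signed 64-bit value, so a negative size still flows into the rounding on the next line and onward. Unless an earlier check outside this hunk excludes it, the guard should read `if (ape->frames[i].size < 0 || ape->frames[i].size > INT_MAX - 3)`. The return sits inside the per-frame loop, whose start is outside the hunk; it is worth confirming that the frame table allocated earlier is released on this path.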
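Review bot: Widening to 64 bits in apm_read_header removes the undefined overflow, but the operands remain unvalidated: the sanitizer report quoted in the commit message has a negative product, and that now becomes a negative `par->bit_rate` rather than an error. Unless sample_rate and nb_channels are range-checked earlier in the function (outside this hunk), a guard such as `if (par->sample_rate <= 0 || par->ch_layout.nb_channels <= 0) return AVERROR_INVALIDDATA;` before the computation would reject such headers.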
From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:30:55 +0200 Subject: [PATCH 074/562] avformat/asfdec_o: Limit packet offset avoids overflows with it Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136 Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 736e9e69d5dbbe1d81885dfef59917eb915d2f96) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 48b7d17322..e837ca62e7 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1242,6 +1242,8 @@ static int asf_read_packet_header(AVFormatContext *s) unsigned char error_flags, len_flags, pay_flags; asf->packet_offset = avio_tell(pb); + if (asf->packet_offset > INT64_MAX/2) + asf->packet_offset = 0; error_flags = avio_r8(pb); // read Error Correction Flags if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) { if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) { From ef0a5051262e8fc237601a3def4bbdc9aa4195ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:48:43 +0200 Subject: [PATCH 075/562] avformat/cafdec: Check that nb_frasmes fits within 64bit Fixes: signed integer overflow: 1099511693312 * 538976288 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6565048815845376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d4bb4e375975dc0d31d5309106cf6ee0ed75140f) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
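Review bot: In asf_read_packet_header an implausible offset is silently replaced with 0, so later arithmetic based on `asf->packet_offset` runs on a position that no longer matches the stream, and a negative `avio_tell()` error passes the test untouched. Failing the read is easier to reason about: `if (asf->packet_offset > INT64_MAX/2) return AVERROR_INVALIDDATA;`, with the negative case handled as an I/O error. If resetting to 0 is intentional for compatibility, a comment naming the later computation it protects would help. The function continues outside the hunk.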
diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index d5b8c38c25..e0a9031cb8 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -387,7 +387,7 @@ static int read_header(AVFormatContext *s) found_data: if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { - if (caf->data_size > 0) + if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet) st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet; } else if (ffstream(st)->nb_index_entries && st->duration > 0) { if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) { From 48acb06c7830a44a641e545b8eb079b47987ac62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:54:31 +0200 Subject: [PATCH 076/562] avformat/dhav: Use 64bit seek_back Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DHAV_fuzzer-6604736532447232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10453f5192869b63b071aee3962ae2c712f9bfd3) Signed-off-by: Michael Niedermayer --- libavformat/dhav.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dhav.c b/libavformat/dhav.c index 9d26efe8fc..4e720f2a26 100644 --- a/libavformat/dhav.c +++ b/libavformat/dhav.c @@ -242,7 +242,7 @@ static int64_t get_duration(AVFormatContext *s) avio_seek(s->pb, avio_size(s->pb) - 8, SEEK_SET); while (avio_tell(s->pb) > 12 && max_interations--) { if (avio_rl32(s->pb) == MKTAG('d','h','a','v')) { - int seek_back = avio_rl32(s->pb); + int64_t seek_back = avio_rl32(s->pb); avio_seek(s->pb, -seek_back, SEEK_CUR); read_chunk(s); From c38fde3b9d4a3f1b1ff56bf1b5feb7a245f7192b Mon Sep 17 00:00:00 2001 
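Review bot: `seek_back` in dhav's get_duration is a 32-bit value taken from the file; it is negated and passed to `avio_seek()` without being compared to the current position, and the seek result is ignored before `read_chunk(s)` runs. With the 64-bit type the value is always non-negative, so a check is simple: `if (seek_back > avio_tell(s->pb) || avio_seek(s->pb, -seek_back, SEEK_CUR) < 0) break;`. The loop is already bounded by `max_interations`, so this is about parsing from a known position rather than termination. The loop body continues outside the hunk.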
From: Michael Niedermayer Date: Sat, 17 Sep 2022 22:40:47 +0200 Subject: [PATCH 077/562] avformat/dxa: avoid bpc overflows Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6639823726706688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93db0f0740cacd64ae07b5e8606b70021e48d364) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 16fbb08156..474b85270a 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s) if(tag == MKTAG('d', 'a', 't', 'a')) break; avio_skip(pb, fsize); } - c->bpc = (fsize + c->frames - 1) / c->frames; - if(ast->codecpar->block_align) + c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + } c->bytes_left = fsize; c->wavpos = avio_tell(pb); avio_seek(pb, c->vidpos, SEEK_SET); From 4038dfc1d13728f4c7cb6bc9eb44a03279aec7f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 22:46:35 +0200 Subject: [PATCH 078/562] avformat/genh: Check nb_channels for IMA ADPCM The check could be made more strict Fixes: signed integer overflow: 36 * 538976288 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-6539389873815552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0345a885455dea52fcc570b97f5dc5c75372a39c) 
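Review bot: The 64-bit quotient in dxa_read_header is stored straight into `c->bpc`, which the sanitizer report in the commit message shows is an `int`, so a large `fsize` with a small frame count can still be narrowed before the new `INT_MAX` guard sees it. The guard itself evaluates `INT_MAX - ast->codecpar->block_align + 1`, which is only safe while block_align is positive, and the surrounding `if` tests only for non-zero. Computing into an `int64_t` local, rejecting values above `INT_MAX` (and a negative block_align, if that is not already excluded outside the hunk), and only then assigning to `c->bpc` would close both gaps.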
Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/genh.c b/libavformat/genh.c index a25d4d625a..1f707b5555 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -78,6 +78,8 @@ static int genh_read_header(AVFormatContext *s) case 0: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; break; case 1: case 11: st->codecpar->bits_per_coded_sample = 4; + if (st->codecpar->ch_layout.nb_channels > INT_MAX / 36) + return AVERROR_INVALIDDATA; st->codecpar->block_align = 36 * st->codecpar->ch_layout.nb_channels; st->codecpar->codec_id = AV_CODEC_ID_ADPCM_IMA_WAV; break; case 2: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_DTK; break; From 740a71b58362e536f43b51ed3c66ae8339f2554d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 22:55:24 +0200 Subject: [PATCH 079/562] avformat/jacosubdec: Fix overflow in get_shift() Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-6722544461283328 Fixes: signed integer overflow: 48214448 * 60 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1a68127bbcd3d638363fa0249982c494e87c9e2) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 0ee4820f62..61b1316dc9 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -144,7 +144,7 @@ static int get_shift(int timeres, const char *buf) ret = 0; switch (n) { case 4: - ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); break; case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); From 1c3c25491a8f84074da6d1d6ff42a14d5c11c654 Mon Sep 17 00:00:00 2001 
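Review bot: In jacosubdec's get_shift the `case 4` sum is now 64-bit, but it is then multiplied by `timeres` with no bound, so the product can still leave the 64-bit range when `a` and `timeres` are both large. Whether `timeres` is limited by the caller is not visible in this hunk; if it is not, clamping it where it is parsed, or checking the sum against `INT64_MAX / timeres` before the multiply, would finish the fix. The `case 3` line has the same shape.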
From: Michael Niedermayer Date: Sun, 18 Sep 2022 13:38:21 +0200 Subject: [PATCH 080/562] avformat/flvdec: Use 64bit for sum_flv_tag_size Fixes: signed integer overflow: 2138820085 + 16130322 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6704728165187584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7124f10c1d521096042ba3c9c519828147f78c46) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 8dba92661b..7242296f7f 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -65,7 +65,7 @@ typedef struct FLVContext { uint8_t resync_buffer[2*RESYNC_BUFFER_SIZE]; int broken_sizes; - int sum_flv_tag_size; + int64_t sum_flv_tag_size; int last_keyframe_stream_index; int keyframe_count; @@ -1030,7 +1030,7 @@ retry: type = (avio_r8(s->pb) & 0x1F); orig_size = size = avio_rb24(s->pb); - flv->sum_flv_tag_size += size + 11; + flv->sum_flv_tag_size += size + 11LL; dts = avio_rb24(s->pb); dts |= (unsigned)avio_r8(s->pb) << 24; av_log(s, AV_LOG_TRACE, "type:%d, size:%d, last:%d, dts:%"PRId64" pos:%"PRId64"\n", type, size, last, dts, avio_tell(s->pb)); @@ -1330,7 +1330,7 @@ leave: !avio_feof(s->pb) && (last != orig_size || !last) && last != flv->sum_flv_tag_size && !flv->broken_sizes) { - av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %d\n", last, orig_size + 11, flv->sum_flv_tag_size); + av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %"PRId64"\n", last, orig_size + 11, flv->sum_flv_tag_size); avio_seek(s->pb, pos + 1, SEEK_SET); ret = resync(s); av_packet_unref(pkt); From de79299bf049fcb7453697ba8b2ca5c7316187f9 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 18 Sep 2022 14:47:25 +0200 Subject: [PATCH 081/562] avformat/nutdec: Check fields Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6566001610719232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c146406eac06f3d3cd3d981c29e7affd834cb4d) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 8cc56615ad..24dedc4758 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -245,6 +245,11 @@ static int decode_main_header(NUTContext *nut) for (i = 0; i < 256;) { int tmp_flags = ffio_read_varlen(bc); int tmp_fields = ffio_read_varlen(bc); + if (tmp_fields < 0) { + av_log(s, AV_LOG_ERROR, "fields %d is invalid\n", tmp_fields); + ret = AVERROR_INVALIDDATA; + goto fail; + } if (tmp_fields > 0) tmp_pts = get_s(bc); From 77628600aa589c3a03af30d015e9b07b866db00d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 15:06:25 +0200 Subject: [PATCH 082/562] avformat/rmdec: check tag_size Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6598073725353984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2cb7ee8a36bddd3425897135db514ca62fec6e44) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 881d7002ad..0f1534b582 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
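Review bot: `tmp_fields` in decode_main_header is an `int` filled from `ffio_read_varlen()`, which returns a 64-bit unsigned value, so the new `< 0` test only catches inputs whose truncated low 32 bits have the sign bit set; larger values wrap to an arbitrary non-negative count and pass. `tmp_flags` on the line above is narrowed the same way with no check at all. Reading into a `uint64_t` and rejecting anything above `INT_MAX` before assigning would make the validation exact. The loop continues outside the hunk.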
@@ -563,6 +563,8 @@ static int rm_read_header(AVFormatContext *s) } tag_size = avio_rb32(pb); + if (tag_size < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, tag_size - 8); for(;;) { From 3e2b970b00a469c9367a472c4f791c25e0e055eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:29:37 +0200 Subject: [PATCH 083/562] avformat/sbgdec: clamp end_ts Fixes: signed integer overflow: 9223372036851135042 + 15666854 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6573717339111424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 981f5e46afa3673dfa43eb2bf5017680d5df25dd) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 8a6d679056..4cd12347e7 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1478,7 +1478,7 @@ static int sbg_read_packet(AVFormatContext *avf, AVPacket *packet) int ret; ts = ffstream(avf->streams[0])->cur_dts; - end_ts = ts + avf->streams[0]->codecpar->frame_size; + end_ts = av_sat_add64(ts, avf->streams[0]->codecpar->frame_size); if (avf->streams[0]->duration != AV_NOPTS_VALUE) end_ts = FFMIN(avf->streams[0]->start_time + avf->streams[0]->duration, end_ts); From ad56da76348564ba4d1e862a348930517eea429b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:35:41 +0200 Subject: [PATCH 084/562] avformat/sbgdec: Check ts_int in genrate_intervals There is probably a better place to check for this, but better here than nowhere Fixes: signed integer overflow: -9223372036824775808 - 86400000000 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6601162580688896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
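Review bot: The check in rm_read_header rejects only a negative `tag_size`, yet the next line skips `tag_size - 8` bytes, so sizes 0 through 7 still produce a negative skip. Tightening the test to `if (tag_size < 8) return AVERROR_INVALIDDATA;` covers the whole range in which the subtraction goes below zero. If short tags are tolerated on purpose for existing files, clamping the skip to zero is the alternative, and a comment should say so.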
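Review bot: `end_ts` in sbg_read_packet is now saturated, but the `FFMIN` two lines below still adds `start_time + duration` with plain signed arithmetic, the same pattern this change removes. If both fields can carry values derived from the script, `av_sat_add64(avf->streams[0]->start_time, avf->streams[0]->duration)` there would keep the two bounds consistent. The function continues outside the hunk.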
Signed-off-by: Michael Niedermayer (cherry picked from commit 5f529e9147a5c5c8ecf8d5ef0dd569194ce30eed) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 4cd12347e7..5edb9664cc 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1317,6 +1317,8 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, /* Pseudo event before the first one */ ev0 = s->events[s->nb_events - 1]; + if (av_sat_sub64(ev0.ts_int, period) != (uint64_t)ev0.ts_int - period) + return AVERROR_INVALIDDATA; ev0.ts_int -= period; ev0.ts_trans -= period; ev0.ts_next -= period; From e443e2e210bfa4edd9c44ecb34094229c9e709ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:42:21 +0200 Subject: [PATCH 085/562] avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation Fixes: signed integer overflow: 72128794995445727 * 240 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_SDS_fuzzer-6628185583779840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa8eb1bed075931b0ce0a8bc9a8ff5882830044c) Signed-off-by: Michael Niedermayer --- libavformat/sdsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sdsdec.c b/libavformat/sdsdec.c index f98096dca9..d296500bec 100644 --- a/libavformat/sdsdec.c +++ b/libavformat/sdsdec.c 
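Review bot: Only `ev0.ts_int` is tested before the three subtractions in generate_intervals; `ev0.ts_trans -= period` and `ev0.ts_next -= period` run unchecked right after it. Unless an invariant outside this hunk guarantees that neither is smaller than `ts_int`, they need the same guard. The test itself, which compares `av_sat_sub64()` with an unsigned wrap-around subtraction, is hard to read; a comment such as `/* reject if ts_int - period does not fit in int64_t */` would make the intent clear.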
@@ -112,7 +112,7 @@ static int sds_read_header(AVFormatContext *ctx) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->ch_layout.nb_channels = 1; st->codecpar->sample_rate = sample_period ? 1000000000 / sample_period : 16000; - st->duration = (avio_size(pb) - 21) / (127) * s->size / 4; + st->duration = av_rescale((avio_size(pb) - 21) / 127, s->size, 4); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From c54161e199c1bd437d1c2fefb2333a333ed5d5b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:45:30 +0200 Subject: [PATCH 086/562] avformat/xwma: Use av_rescale() for duration computation Fixes: signed integer overflow: 34242363648 * 538976288 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6577923913547776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c789f753c3657be9041307f9c03749f5ba5a6bb) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index c16ff1be63..12689f37fd 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -278,7 +278,7 @@ static int xwma_read_header(AVFormatContext *s) * the total duration using the average bits per sample and the * total data length. */ - st->duration = (size<<3) * st->codecpar->sample_rate / st->codecpar->bit_rate; + st->duration = av_rescale((size<<3), st->codecpar->sample_rate, st->codecpar->bit_rate); } fail: From 67648acb761a829acb13bf503816380eaa974f36 Mon Sep 17 00:00:00 2001 
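Review bot: `avio_size(pb)` in sds_read_header can return a negative error code, and the new `av_rescale()` call turns that into a negative duration without complaint. Checking the size first keeps the field meaningful, for example `int64_t sz = avio_size(pb);` and then `if (sz > 21) st->duration = av_rescale((sz - 21) / 127, s->size, 4);`. The function starts outside the hunk, so whether the input is known to be seekable at this point is not visible.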
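Review bot: The left shift `size<<3` in xwma_read_header is evaluated before `av_rescale()` sees it, so a very large `size` can still overflow there; the operands in the sanitizer report show it is a 64-bit quantity. Passing the factor of eight on the other operand avoids the shift: `st->duration = av_rescale(size, 8LL * st->codecpar->sample_rate, st->codecpar->bit_rate);`. Where `size` is read and whether it is range-checked is outside this hunk.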
From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:49:26 +0200 Subject: [PATCH 087/562] avformat/rpl: Use 64bit for duration computation Fixes: signed integer overflow: 24709512 * 88 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6737973728641024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 529f64b2eb98e0c3ae4944abd5d01fa7c1def047) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index d025589bfc..3ef6fda386 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -279,7 +279,7 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); // size of "helpful" sprite if (vst) { error |= read_line(pb, line, sizeof(line)); // offset to key frame list - vst->duration = number_of_chunks * rpl->frames_per_chunk; + vst->duration = number_of_chunks * (int64_t)rpl->frames_per_chunk; } // Read the index From 9658d1da5903ff936aba63f986f30dd103a37399 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 18:12:11 +0200 Subject: [PATCH 088/562] avformat/spdifdec: Use 64bit to compute bit rate Fixes: signed integer overflow: 32 * 553590816 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6564974517944320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4075f0cec1830a7ac081b1a23bd3f5c4e266fe26) Signed-off-by: Michael Niedermayer --- libavformat/spdifdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/spdifdec.c b/libavformat/spdifdec.c index 2af75ca9db..672133581a 100644 --- a/libavformat/spdifdec.c +++ b/libavformat/spdifdec.c 
@@ -226,7 +226,7 @@ int ff_spdif_read_packet(AVFormatContext *s, AVPacket *pkt) if (!s->bit_rate && s->streams[0]->codecpar->sample_rate) /* stream bitrate matches 16-bit stereo PCM bitrate for currently supported codecs */ - s->bit_rate = 2 * 16 * s->streams[0]->codecpar->sample_rate; + s->bit_rate = 2 * 16LL * s->streams[0]->codecpar->sample_rate; return 0; } From 6bbe4d1f4f00b627c0c8cad9783eeff66854e936 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Sep 2022 23:49:28 +0200 Subject: [PATCH 089/562] avcodec/dstdec: Check for overflow in build_filter() Fixes: signed integer overflow: 1917019860 + 265558963 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-4833165046317056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8008940da5aa43895fd4574114309c3324249eab) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 93642e34b9..ba6651b09f 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -216,7 +216,7 @@ static uint8_t prob_dst_x_bit(int c) return (ff_reverse[c & 127] >> 1) + 1; } -static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) +static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) { int i, j, k, l; @@ -227,14 +227,17 @@ static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table * int total = av_clip(length - j * 8, 0, 8); for (k = 0; k < 256; k++) { - int v = 0; + int64_t v = 0; for (l = 0; l < total; l++) v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l]; + if ((int16_t)v != v) + return AVERROR_INVALIDDATA; table[i][j][k] = v; } } } + return 0; } static int decode_frame(AVCodecContext *avctx, AVFrame *frame, 
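Review bot: The range test `(int16_t)v != v` in build_filter depends on the implementation-defined result of narrowing an out-of-range `int64_t`; it behaves as intended on common compilers but hides what is being checked. `if (v < INT16_MIN || v > INT16_MAX) return AVERROR_INVALIDDATA;` states the limit directly. With the return type changed from `void` to `int`, a short comment on the function giving the contract (0 on success, a negative AVERROR code when a coefficient sum does not fit the 16-bit table) would also help future callers.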
@@ -329,7 +332,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, return AVERROR_INVALIDDATA; ac_init(ac, gb); - build_filter(s->filter, &s->fsets); + ret = build_filter(s->filter, &s->fsets); + if (ret < 0) + return ret; memset(s->status, 0xAA, sizeof(s->status)); memset(dsd, 0, frame->nb_samples * 4 * channels); From eacfcbae690f914a4b1b4ad06999f138540cc3d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Sep 2022 22:59:48 +0200 Subject: [PATCH 090/562] Update for 5.1.2 Signed-off-by: Michael Niedermayer --- Changelog | 46 ++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 0b32c1e410..86f547c9bb 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,52 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 5.1.2: +- avcodec/dstdec: Check for overflow in build_filter() +- avformat/spdifdec: Use 64bit to compute bit rate +- avformat/rpl: Use 64bit for duration computation +- avformat/xwma: Use av_rescale() for duration computation +- avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation +- avformat/sbgdec: Check ts_int in genrate_intervals +- avformat/sbgdec: clamp end_ts +- avformat/rmdec: check tag_size +- avformat/nutdec: Check fields +- avformat/flvdec: Use 64bit for sum_flv_tag_size +- avformat/jacosubdec: Fix overflow in get_shift() +- avformat/genh: Check nb_channels for IMA ADPCM +- avformat/dxa: avoid bpc overflows +- avformat/dhav: Use 64bit seek_back +- avformat/cafdec: Check that nb_frasmes fits within 64bit +- avformat/asfdec_o: Limit packet offset +- avformat/apm: Use 64bit for bit_rate computation +- avformat/ape: Check frames size +- avformat/icodec: Check nb_pal +- avformat/aiffdec: Use 64bit for block_duration use +- avformat/aiffdec: Check block_duration +- avformat/mxfdec: only probe max run in +- avformat/mxfdec: Check run_in is within 65536 +- avcodec/mjpegdec: Check for unsupported bayer case +- avcodec/apedec: Fix integer overflow in filter_3800() +- avcodec/tta: Check 24bit scaling for overflow +- avcodec/mobiclip: Check quantizer for overflow +- avcodec/exr: Check preview psize +- avcodec/tiff: Fix loop detection +- libavformat/hls: Free keys +- avcodec/fmvc: Move frame allocation to a later stage +- avfilter/vf_showinfo: remove backspaces +- avcodec/speedhq: Check width +- avcodec/bink: disallow odd positioned scaled blocks +- avformat/cafenc: derive Opus frame size from the relevant stream parameters +- avformat/dashdec: Fix crash on invalid input/ENOMEM, fix leak +- lavc/videotoolbox: do not pass AVCodecContext to decoder output callback +- 
lavc/pthread_frame: always transfer stashed hwaccel state +- avcodec/arm/sbcenc: avoid callee preserved vfp registers +- avformat/riffdec: don't unconditionally overwrite WAVEFORMATEXTENSIBLE layout +- avfilter/vf_scale: overwrite the width and height expressions with the original values +- lavc/pthread_frame: avoid leaving stale hwaccel state in worker threads +- avutil/tests/.gitignore: Add channel_layout testtool + + version 5.1.1: - avformat/asfdec_o: limit recursion depth in asf_read_unknown() - avformat/mov: Check count sums in build_open_gop_key_points() diff --git a/RELEASE b/RELEASE index ac14c3dfaa..61fcc87350 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -5.1.1 +5.1.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 4314fcebe6..6c24f81ffc 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 5.1.1 +PROJECT_NUMBER = 5.1.2 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 05d6157aab34bc49f23284645a8f34ece870f44d Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Fri, 15 Jul 2022 13:27:10 -0400 Subject: [PATCH 091/562] avcodec/libjxlenc: avoid hard failure with unspecified primaries This patch prevents the libjxl encoder wrapper from failing to encode images when the input video has untagged primaries. It will instead assume BT.709/sRGB primaries and print a warning. Signed-off-by: Leo Izen (cherry picked from commit 940169b8aab406a8b1ccee4a9705a1e06b76d035) --- libavcodec/libjxlenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/libjxlenc.c b/libavcodec/libjxlenc.c index 6a948cc3ae..9d98a112e1 100644 --- a/libavcodec/libjxlenc.c +++ b/libavcodec/libjxlenc.c 
@@ -190,7 +190,7 @@ static av_cold int libjxl_encode_init(AVCodecContext *avctx) * Populate a JxlColorEncoding with the given enum AVColorPrimaries. * @return < 0 upon failure, >= 0 upon success */ -static int libjxl_populate_primaries(JxlColorEncoding *jxl_color, enum AVColorPrimaries prm) +static int libjxl_populate_primaries(void *avctx, JxlColorEncoding *jxl_color, enum AVColorPrimaries prm) { const AVColorPrimariesDesc *desc; @@ -211,6 +211,11 @@ static int libjxl_populate_primaries(JxlColorEncoding *jxl_color, enum AVColorPr jxl_color->primaries = JXL_PRIMARIES_P3; jxl_color->white_point = JXL_WHITE_POINT_D65; return 0; + case AVCOL_PRI_UNSPECIFIED: + av_log(avctx, AV_LOG_WARNING, "Unknown primaries, assuming BT.709/sRGB. Colors may be wrong.\n"); + jxl_color->primaries = JXL_PRIMARIES_SRGB; + jxl_color->white_point = JXL_WHITE_POINT_D65; + return 0; } desc = av_csp_primaries_desc_from_id(prm); @@ -340,7 +345,7 @@ static int libjxl_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFra else jxl_color.color_space = JXL_COLOR_SPACE_RGB; - ret = libjxl_populate_primaries(&jxl_color, + ret = libjxl_populate_primaries(avctx, &jxl_color, frame->color_primaries && frame->color_primaries != AVCOL_PRI_UNSPECIFIED ? frame->color_primaries : avctx->color_primaries); if (ret < 0) From 79bd6a21a04c7c457bfeb53fddc157bbd80cdaac Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Wed, 29 Jun 2022 00:14:08 +0800 Subject: [PATCH 092/562] avcodec/audiotoolboxenc: return AVERROR_EXTERNAL immediately when encode error Just return AVERROR_EXTERNAL immediately when encode error. The other logic should keep the old behavior before commit 7c05b7951. Suggested-By: Zhao Zhili Signed-off-by: Steven Liu --- libavcodec/audiotoolboxenc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/audiotoolboxenc.c b/libavcodec/audiotoolboxenc.c index 00293154bf..8bbaabd960 100644 --- a/libavcodec/audiotoolboxenc.c +++ b/libavcodec/audiotoolboxenc.c 
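Review bot: The new `AVCOL_PRI_UNSPECIFIED` case logs at `AV_LOG_WARNING`, and the last hunk shows libjxl_populate_primaries being called from libjxl_encode_frame, so an untagged input appears to repeat the warning on every encoded frame. Emitting it once per encoder instance, or lowering the level after the first occurrence, would keep logs usable. The doc comment above the function is also left unchanged although it gains a first parameter; a line such as `@param avctx logging context, may be NULL` (if NULL is in fact acceptable to the callers) would document it.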
@@ -554,13 +554,12 @@ static int ffat_encode(AVCodecContext *avctx, AVPacket *avpkt, avctx->frame_size, &avpkt->pts, &avpkt->duration); - ret = 0; } else if (ret && ret != 1) { av_log(avctx, AV_LOG_ERROR, "Encode error: %i\n", ret); - ret = AVERROR_EXTERNAL; + return AVERROR_EXTERNAL; } - return ret; + return 0; } static av_cold void ffat_encode_flush(AVCodecContext *avctx) From e7dd643419cc395cecca0c84135346b85f2803ed Mon Sep 17 00:00:00 2001 From: Guangyu Sun Date: Thu, 29 Sep 2022 11:11:34 -0700 Subject: [PATCH 093/562] lavf/async: Fix ring_write return value This fixes a regression from commit 36117968ad. wrapped_url_read() used to be able to return positive number from ffurl_read(). It relies on the result to check if EOF is reached in async_buffer_task(). But FIFO callbacks must return 0 on success. This should be handled in ring_write() instead. Test case: ffmpeg -f lavfi -i testsrc -t 1 test.mp4 ffmpeg -i async:test.mp4 Signed-off-by: Guangyu Sun Signed-off-by: Anton Khirnov (cherry picked from commit fc6f7e2a3b2fff6c4df957684d939586a3de448f) Signed-off-by: Anton Khirnov --- libavformat/async.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/async.c b/libavformat/async.c index 547417aa1e..3c6f89cab9 100644 --- a/libavformat/async.c +++ b/libavformat/async.c @@ -144,8 +144,14 @@ static int wrapped_url_read(void *src, void *dst, size_t *size) static int ring_write(RingBuffer *ring, URLContext *h, size_t size) { + int ret; + av_assert2(size <= ring_space(ring)); - return av_fifo_write_from_cb(ring->fifo, wrapped_url_read, h, &size); + ret = av_fifo_write_from_cb(ring->fifo, wrapped_url_read, h, &size); + if (ret < 0) + return ret; + + return size; } static int ring_size_of_read_back(RingBuffer *ring) From f5455889fd2a879e1bfeecb7e81c2fd52ebd4baa Mon Sep 17 00:00:00 2001 
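Review bot: `return size;` in `ring_write` narrows a `size_t` to the function's `int` return type implicitly, and the only bound on `size` is `av_assert2(size <= ring_space(ring))`, which is compiled out unless the assert level is raised. A value above INT_MAX would come back negative and be taken for an error code by the caller; whether the ring capacity rules that out is not visible in this hunk. I would make the narrowing explicit, `return (int)size;`, and record the assumption with `/* bytes actually written; bounded by ring_space(), which must fit in int */`, or add `av_assert2(size <= INT_MAX);` next to the existing assert.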
From: Chema Gonzalez Date: Mon, 26 Sep 2022 09:11:22 -0700 Subject: [PATCH 094/562] libswscale: force a minimum size of the slide for bayer sources Bayer sources are read in groups of 2 lines (e.g. for a BGGR flavor, the first row contains only B and G samples, while the second row contains only G and R samples). They need to be read as a whole. Signed-off-by: Anton Khirnov (cherry picked from commit bf64a75c5ae58ed575303f70b2ab9b2208ded339) Signed-off-by: Anton Khirnov --- libswscale/swscale_unscaled.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c index 8838cc8b53..9af2e7ecc3 100644 --- a/libswscale/swscale_unscaled.c +++ b/libswscale/swscale_unscaled.c @@ -2095,6 +2095,7 @@ void ff_get_unscaled_swscale(SwsContext *c) c->convert_unscaled = rgbToPlanarRgbWrapper; if (isBayer(srcFormat)) { + c->dst_slice_align = 2; if (dstFormat == AV_PIX_FMT_RGB24) c->convert_unscaled = bayer_to_rgb24_wrapper; else if (dstFormat == AV_PIX_FMT_RGB48) From fe2d8f1872ac40d3046c6d104d73c5244e251703 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 26 Oct 2022 20:11:04 -0300 Subject: [PATCH 095/562] avcodec/aacdec: fix parsing streams with channel configuration 11 Set the correct amount of tags in tags_per_config[]. Also, there are no channels that correspond to a side element in this configuration, so reflect this in the list of known/supported channel layouts. Signed-off-by: James Almer (cherry picked from commit 8c7d3b43cc1e41de62733eb90dda7e061778f390) --- libavcodec/aacdec_template.c | 4 +--- libavcodec/aacdectab.h | 6 +++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 10fba3d3b2..7e02f8f8a8 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c 
@@ -730,9 +730,7 @@ static ChannelElement *get_che(AACContext *ac, int type, int elem_id) return ac->tag_che_map[TYPE_CPE][elem_id] = ac->che[TYPE_CPE][2]; } case 11: - if (ac->tags_mapped == 2 && - ac->oc[1].m4ac.chan_config == 11 && - type == TYPE_SCE) { + if (ac->tags_mapped == 3 && type == TYPE_SCE) { ac->tags_mapped++; return ac->tag_che_map[TYPE_SCE][elem_id] = ac->che[TYPE_SCE][1]; } diff --git a/libavcodec/aacdectab.h b/libavcodec/aacdectab.h index e03026806d..01fd18cd23 100644 --- a/libavcodec/aacdectab.h +++ b/libavcodec/aacdectab.h @@ -35,7 +35,7 @@ #include -static const int8_t tags_per_config[16] = { 0, 1, 1, 2, 3, 3, 4, 5, 0, 0, 0, 4, 5, 16, 5, 0 }; +static const int8_t tags_per_config[16] = { 0, 1, 1, 2, 3, 3, 4, 5, 0, 0, 0, 5, 5, 16, 5, 0 }; static const uint8_t aac_channel_layout_map[16][16][3] = { { { TYPE_SCE, 0, AAC_CHANNEL_FRONT }, }, @@ -84,7 +84,7 @@ static const uint64_t aac_channel_layout[16] = { 0, 0, 0, - AV_CH_LAYOUT_6POINT1, + AV_CH_LAYOUT_6POINT1_BACK, AV_CH_LAYOUT_7POINT1, AV_CH_LAYOUT_22POINT2, 0, @@ -103,7 +103,7 @@ static const AVChannelLayout aac_ch_layout[16] = { { 0 }, { 0 }, { 0 }, - AV_CHANNEL_LAYOUT_6POINT1, + AV_CHANNEL_LAYOUT_6POINT1_BACK, AV_CHANNEL_LAYOUT_7POINT1, AV_CHANNEL_LAYOUT_22POINT2, { 0 }, From b4a4a3149911b0dd24b6268a04849673e16ef99f Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 31 Oct 2022 17:24:47 -0300 Subject: [PATCH 096/562] avcodec/atrac3plus: reorder channels to match the output layout The order in which the channels are coded in the bitstream do not always follow the native, bitmask-based order of channels both signaled by the WAV container and forced by this same decoder. This is the case with layouts containing an LFE channel, as it's always coded last. Fixes ticket #9964. Signed-off-by: James Almer (cherry picked from commit 3819719099df601c470e961b9d49b9100c65641b) --- libavcodec/atrac3plusdec.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) 
diff --git a/libavcodec/atrac3plusdec.c b/libavcodec/atrac3plusdec.c index f87ffb8938..aef4e36df8 100644 --- a/libavcodec/atrac3plusdec.c +++ b/libavcodec/atrac3plusdec.c @@ -48,6 +48,17 @@ #include "atrac.h" #include "atrac3plus.h" +static const uint8_t channel_map[8][8] = { + { 0, }, + { 0, 1, }, + { 0, 1, 2, }, + { 0, 1, 2, 3, }, + { 0, }, + { 0, 1, 2, 4, 5, 3, }, + { 0, 1, 2, 4, 5, 6, 3, }, + { 0, 1, 2, 4, 5, 6, 7, 3, }, +}; + typedef struct ATRAC3PContext { GetBitContext gb; AVFloatDSPContext *fdsp; @@ -65,6 +76,7 @@ typedef struct ATRAC3PContext { int num_channel_blocks; ///< number of channel blocks uint8_t channel_blocks[5]; ///< channel configuration descriptor + const uint8_t *channel_map; ///< channel layout map } ATRAC3PContext; static av_cold int atrac3p_decode_close(AVCodecContext *avctx) @@ -143,6 +155,8 @@ static av_cold int set_channel_params(ATRAC3PContext *ctx, return AVERROR_INVALIDDATA; } + ctx->channel_map = channel_map[channels - 1]; + return 0; } @@ -378,7 +392,7 @@ static int atrac3p_decode_frame(AVCodecContext *avctx, AVFrame *frame, channels_to_process, avctx); for (i = 0; i < channels_to_process; i++) - memcpy(samples_p[out_ch_index + i], ctx->outp_buf[i], + memcpy(samples_p[ctx->channel_map[out_ch_index + i]], ctx->outp_buf[i], ATRAC3P_FRAME_SAMPLES * sizeof(**samples_p)); ch_block++; From a6e26053c21362bb882932f3cfd1f1dfa2551f1d Mon Sep 17 00:00:00 2001 
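Review bot: In the `atrac3p_decode_frame` hunk the `memcpy` destination plane is now selected by `ctx->channel_map[out_ch_index + i]`, so an index past the valid entries of a row resolves to the zero padding and overwrites plane 0 instead of failing. The rows for 1–4 and 6–8 channels are permutations, but the row for five channels is `{ 0, }`, which is only safe if `set_channel_params` rejects that count before reaching `ctx->channel_map = channel_map[channels - 1];` (the `return AVERROR_INVALIDDATA;` just above suggests it does, but the switch is outside the hunk). I would document both assumptions at the table, e.g. `/* bitstream order -> native order (LFE is coded last); row n-1 is a permutation of 0..n-1, unsupported counts are zero placeholders */`, and add `av_assert2(out_ch_index + i < avctx->ch_layout.nb_channels);` before the copy.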
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 25 Oct 2022 13:13:34 +0300 Subject: [PATCH 097/562] swscale: aarch64: Fix yuv2rgb with negative strides MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treat the 32 bit stride registers as signed. Alternatively, we could make the stride arguments ptrdiff_t instead of int, and changing all of the assembly to operate on these registers with their full 64 bit width, but that's a much larger and more intrusive change (and risks missing some operation, which would clamp the intermediates to 32 bit still). Fixes: https://trac.ffmpeg.org/ticket/9985 Signed-off-by: Martin Storsjö (cherry picked from commit cb803a0072cb98945dcd3f1660bd2a975650ce42) Signed-off-by: Martin Storsjö --- libswscale/aarch64/yuv2rgb_neon.S | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/aarch64/yuv2rgb_neon.S b/libswscale/aarch64/yuv2rgb_neon.S index f4b220fb60..f341268c5d 100644 --- a/libswscale/aarch64/yuv2rgb_neon.S +++ b/libswscale/aarch64/yuv2rgb_neon.S @@ -118,8 +118,8 @@ .endm .macro increment_yuv422p - add x6, x6, w7, UXTW // srcU += incU - add x13, x13, w14, UXTW // srcV += incV + add x6, x6, w7, SXTW // srcU += incU + add x13, x13, w14, SXTW // srcV += incV .endm .macro compute_rgba r1 g1 b1 a1 r2 g2 b2 a2 @@ -189,8 +189,8 @@ function ff_\ifmt\()_to_\ofmt\()_neon, export=1 st4 {v16.8B,v17.8B,v18.8B,v19.8B}, [x2], #32 subs w8, w8, #16 // width -= 16 b.gt 2b - add x2, x2, w3, UXTW // dst += padding - add x4, x4, w5, UXTW // srcY += paddingY + add x2, x2, w3, SXTW // dst += padding + add x4, x4, w5, SXTW // srcY += paddingY increment_\ifmt subs w1, w1, #1 // height -= 1 b.gt 1b From 5746987bad4dd3880cd3a321ef3d970663cd8085 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 24 Nov 2022 20:00:18 -0300 Subject: [PATCH 098/562] avcodec/mjpegenc: take into account component count when writing the SOF header size Fixes ticket #10069 
Signed-off-by: James Almer (cherry picked from commit 100939695307743396e30e6310d2ea9cf42f9aab) --- libavcodec/mjpegenc_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 98c464fc62..18e72ebd98 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c @@ -309,7 +309,7 @@ void ff_mjpeg_encode_picture_header(AVCodecContext *avctx, PutBitContext *pb, default: av_assert0(0); } - put_bits(pb, 16, 17); + put_bits(pb, 16, 8 + 3 * components); if (lossless && ( avctx->pix_fmt == AV_PIX_FMT_BGR0 || avctx->pix_fmt == AV_PIX_FMT_BGRA || avctx->pix_fmt == AV_PIX_FMT_BGR24)) From 807afa59cca8f6019c4be4043de87a52ee11741c Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Thu, 8 Dec 2022 12:31:00 +0100 Subject: [PATCH 099/562] avcodec/nvenc: fix vbv buffer size in cq mode The CQ calculation gets thrown off and behaves very nonsensical if it isn't set to 0. --- libavcodec/nvenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index e19378736f..4450df774c 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1083,8 +1083,9 @@ static av_cold void nvenc_setup_rate_control(AVCodecContext *avctx) av_log(avctx, AV_LOG_VERBOSE, "CQ(%d) mode enabled.\n", tmp_quality); - //CQ mode shall discard avg bitrate & honor max bitrate; + // CQ mode shall discard avg bitrate/vbv buffer size and honor only max bitrate ctx->encode_config.rcParams.averageBitRate = avctx->bit_rate = 0; + ctx->encode_config.rcParams.vbvBufferSize = avctx->rc_buffer_size = 0; ctx->encode_config.rcParams.maxBitRate = avctx->rc_max_rate; } } From 070b38167c10f7742c449c25e65ffef90c8f8f0b Mon Sep 17 00:00:00 2001 From: Thierry Foucu Date: Wed, 4 Jan 2023 10:54:24 -0800 Subject: [PATCH 100/562] avcodec/mpeg12dec: use init_get_bits8 and check the return value 
Signed-off-by: James Almer (cherry picked from commit efbe84eb1b74a80cd12174feaaa37da2e8fb1e66) --- libavcodec/mpeg12dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index e9bde48f7a..ed1d09fc62 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2553,7 +2553,9 @@ static int decode_chunks(AVCodecContext *avctx, AVFrame *picture, } break; case EXT_START_CODE: - init_get_bits(&s2->gb, buf_ptr, input_size * 8); + ret = init_get_bits8(&s2->gb, buf_ptr, input_size); + if (ret < 0) + return ret; switch (get_bits(&s2->gb, 4)) { case 0x1: From 30d432f205538f6ef6c86ed0a90e27cdd735cd2b Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Wed, 18 Jan 2023 09:16:37 -0500 Subject: [PATCH 101/562] avcodec/libjxldec: fix gamma22 and gamma28 recognition Gamma 2.2 and Gamma 2.8 are tagged in the file as 0.45455 and 0.35714, respectively (i.e. 1/2.2 and 1/2.8). Trying to identify them as 2.2 and 2.8 instead of these values will cause the transfer function to not properly be recognized. This patch fixes this. (cherry picked from commit 9d5e66942c5bae578926e29efebec348199798df) --- libavcodec/libjxldec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/libjxldec.c b/libavcodec/libjxldec.c index 829478bbde..396ed1dcb2 100644 --- a/libavcodec/libjxldec.c +++ b/libavcodec/libjxldec.c 
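Review bot: The added check in `decode_chunks` catches only what `init_get_bits8` itself rejects (a size whose bit count does not fit, or a null buffer); it does not guarantee that the four bits consumed by `get_bits(&s2->gb, 4)` on the next line are actually present. If `input_size` can be 0 at this point, which the hunk does not show, that read is served from the buffer padding rather than from the packet. A guard such as `if (get_bits_left(&s2->gb) < 4) break;` after the init, or a comment stating why an extension start code is always followed by payload here, would settle it. `decode_chunks` starts and ends outside the hunk.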
@@ -167,9 +167,9 @@ static enum AVColorTransferCharacteristic libjxl_get_trc(void *avctx, const JxlC case JXL_TRANSFER_FUNCTION_DCI: return AVCOL_TRC_SMPTE428; case JXL_TRANSFER_FUNCTION_HLG: return AVCOL_TRC_ARIB_STD_B67; case JXL_TRANSFER_FUNCTION_GAMMA: - if (jxl_color->gamma > 2.199 && jxl_color->gamma < 2.201) + if (jxl_color->gamma > 0.45355 && jxl_color->gamma < 0.45555) return AVCOL_TRC_GAMMA22; - else if (jxl_color->gamma > 2.799 && jxl_color->gamma < 2.801) + else if (jxl_color->gamma > 0.35614 && jxl_color->gamma < 0.35814) return AVCOL_TRC_GAMMA28; else av_log(avctx, AV_LOG_WARNING, "Unsupported gamma transfer: %f\n", jxl_color->gamma); From 7268323193d55365f914de39fadd5dbdb1f68976 Mon Sep 17 00:00:00 2001 From: Lynne Date: Sun, 25 Dec 2022 01:03:30 +0100 Subject: [PATCH 102/562] hwcontext_vulkan: remove optional encode/decode extensions from the list They're not currently used, so they don't need to be there. Vulkan stabilized the decode extensions less than a week ago, and their name prefixes were changed from EXT to KHR. It's a bit too soon to be depending on it, so rather than bumping, just remove these for now. (cherry picked from commit eb0455d64690eed0068e5cb202f72ecdf899837c) --- libavutil/hwcontext_vulkan.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/libavutil/hwcontext_vulkan.c b/libavutil/hwcontext_vulkan.c index 237caa4bc0..3bc0dc8a40 100644 --- a/libavutil/hwcontext_vulkan.c +++ b/libavutil/hwcontext_vulkan.c 
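Review bot: The four literals in the `JXL_TRANSFER_FUNCTION_GAMMA` branch of `libjxl_get_trc` are unexplained, and nothing in the code says they are 1/2.2 and 1/2.8 with a tolerance of 0.001, which is exactly the confusion this fix corrects. I would add `/* the file tags the exponent as 1/gamma: 0.45455 for 2.2, 0.35714 for 2.8 */` above the first comparison. The `av_log` warning below prints the same raw value with `%f`, so the message would be clearer if it said the number is the tagged exponent rather than the display gamma.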
@@ -354,14 +354,6 @@ static const VulkanOptExtension optional_device_exts[] = { { VK_KHR_EXTERNAL_MEMORY_WIN32_EXTENSION_NAME, FF_VK_EXT_EXTERNAL_WIN32_MEMORY }, { VK_KHR_EXTERNAL_SEMAPHORE_WIN32_EXTENSION_NAME, FF_VK_EXT_EXTERNAL_WIN32_SEM }, #endif - - /* Video encoding/decoding */ - { VK_KHR_VIDEO_QUEUE_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, - { VK_KHR_VIDEO_DECODE_QUEUE_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, - { VK_KHR_VIDEO_ENCODE_QUEUE_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, - { VK_EXT_VIDEO_ENCODE_H264_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, - { VK_EXT_VIDEO_DECODE_H264_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, - { VK_EXT_VIDEO_DECODE_H265_EXTENSION_NAME, FF_VK_EXT_NO_FLAG }, }; /* Converts return values to strings */ From 11d07808bc8a6fe99ab11887ba38625146d83c44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 19:14:07 +0200 Subject: [PATCH 103/562] avformat/vividas: Check packet size Fixes: signed integer overflow: 119760682 - -2084600173 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6745781167587328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f44489cc5d4f3767f6ad2ad067ee6a3f78374bb) Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index e9954f73ed..ed4e573df8 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -683,6 +683,7 @@ static int viv_read_packet(AVFormatContext *s, if (viv->sb_entries[viv->current_sb_entry].flag == 0) { uint64_t v_size = ffio_read_varlen(pb); + int last = 0, last_start; if (!viv->num_audio) return AVERROR_INVALIDDATA; 
@@ -706,12 +707,18 @@ static int viv_read_packet(AVFormatContext *s, if (i > 0 && start == 0) break; + if (start < last) + return AVERROR_INVALIDDATA; viv->n_audio_subpackets = i + 1; + last = viv->audio_subpackets[i].start = start; viv->audio_subpackets[i].pcm_bytes = pcm_bytes; } + last_start = viv->audio_subpackets[viv->n_audio_subpackets].start = (int)(off - avio_tell(pb)); + if (last_start < last) + return AVERROR_INVALIDDATA; viv->current_audio_subpacket = 0; } else { From 4b0d23902f7866ca9439f2fa90e9d83dd862ae6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Sep 2022 23:16:51 +0200 Subject: [PATCH 104/562] avcodec/speexdec: Check channels > 2 More than 2 channels seems unsupported, the code seems to just output empty extra channels Fixes: Timeout Fixes: 51569/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-5511509165342720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 77164b2344eb67d61f973ebbbc8e0b88aaae027b) Signed-off-by: Michael Niedermayer --- libavcodec/speexdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c index 3251eda820..3e113df530 100644 --- a/libavcodec/speexdec.c +++ b/libavcodec/speexdec.c @@ -1452,7 +1452,7 @@ static av_cold int speex_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; s->nb_channels = avctx->ch_layout.nb_channels; - if (s->nb_channels <= 0) + if (s->nb_channels <= 0 || s->nb_channels > 2) return AVERROR_INVALIDDATA; switch (s->rate) { From 3314bababfd34fdd92f9003d2777b93a5675ceb2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2022 22:04:48 +0200 Subject: [PATCH 105/562] avcodec/ffv1dec: Fail earlier if prior context is corrupted Signed-off-by: Michael Niedermayer (cherry picked from commit 4df91e2215a79546a7f08faa457c05182646b302) 
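Review bot: The end offset is narrowed with `(int)(off - avio_tell(pb))` before it is compared with `last`, so a difference that does not fit in `int` is truncated first and the `last_start < last` test then sees the wrapped value. `avio_tell` returns a 64-bit position and `off` appears to derive from the varlen `v_size` read in the previous hunk, so the difference is driven by file contents (the assignment of `off` is outside the hunk). I would range-check in 64 bits before the cast: `int64_t end = off - avio_tell(pb);` followed by `if (end < last || end > INT_MAX) return AVERROR_INVALIDDATA;`. The same statement stores into `audio_subpackets[viv->n_audio_subpackets]`, one slot past the last parsed entry, so the loop bound has to leave room for it; that bound is not visible here.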
Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 9300297267..5660e5d940 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -303,8 +303,11 @@ static int decode_slice(AVCodecContext *c, void *arg) } if ((ret = ff_ffv1_init_slice_state(f, fs)) < 0) return ret; - if (f->cur->key_frame || fs->slice_reset_contexts) + if (f->cur->key_frame || fs->slice_reset_contexts) { ff_ffv1_clear_slice_state(f, fs); + } else if (fs->slice_damaged) { + return AVERROR_INVALIDDATA; + } width = fs->slice_width; height = fs->slice_height; From aca17a8f890dfee894382ed3cb6d29f1c653af9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2022 22:28:33 +0200 Subject: [PATCH 106/562] avcodec/speedhq: Check buf_size to be big enough for DC Fixes: Timeout Fixes: 51919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-6023716480090112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9184d3d7b64459e975f26284a7b2e26cbf76480b) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index e158061bcf..cfbd283417 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -501,6 +501,8 @@ static int speedhq_decode_frame(AVCodecContext *avctx, AVFrame *frame, if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; + if (buf_size < avctx->width*avctx->height / 64 / 4) + return AVERROR_INVALIDDATA; quality = buf[0]; if (quality >= 100) { From e17632834d1b6dd534593b1c6bd4298dafa06a64 Mon Sep 17 00:00:00 2001 
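Review bot: The new minimum in `speedhq_decode_frame` is written as `avctx->width*avctx->height / 64 / 4` with no explanation of the two divisors, and the product is computed in `int`. The commit message says the bound is about the DC coefficients; that reasoning belongs next to the check, e.g. `/* reject packets too small to hold the DC data of every 8x8 block */` with the origin of the `/ 4` spelled out by someone who knows the bitstream. Unless the dimensions are known to be bounded before this point, I would also widen the multiplication: `if (buf_size < (int64_t)avctx->width * avctx->height / 64 / 4)`. The visible lines check only `avctx->width`; no check on `height` appears in the hunk.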
From: Michael Niedermayer Date: Wed, 2 Nov 2022 20:00:38 +0100 Subject: [PATCH 107/562] swscale/output: Bias 16bps output calculations to improve non overflowing range Fixes: integer overflow Fixes: ./ffmpeg -f rawvideo -video_size 66x64 -pixel_format yuva420p10le -i ~/videos/overflow_input_w66h64.yuva420p10le -filter_complex "scale=flags=bicubic+full_chroma_int+full_chroma_inp+bitexact+accurate_rnd:in_color_matrix=bt2020:out_color_matrix=bt2020:in_range=full:out_range=full,format=rgba64[out]" -pixel_format rgba64 -map '[out]' -y overflow_w66h64.png Found-by: Drew Dunne Tested-by: Drew Dunne Signed-off-by: Michael Niedermayer (cherry picked from commit 0f0afc7fb5d30c40108d81b320823d8f5c9fbedc) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 120 ++++++++++++++++++++++---------------------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 773f3ce059..a2cbfe9c26 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1075,8 +1075,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; // 21 - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); // 21 + Y2 += (1 << 13) - (1 << 29); // 8 bits: 17 + 13 bits = 30 bits, 16 bits: 17 + 13 bits = 30 bits R = V * c->yuv2rgb_v2r_coeff; 
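Review bot: The bias is written as two unrelated-looking literals, `- (1 << 29)` on the luma term and `+ (1<<15)` after the `>> 14`, and the pair is repeated in every hunk of this patch (`yuv2rgba64_X_c_template`, `_2_`, `_1_` and the three `_full_` variants). Nothing states that the second constant is the first one shifted right by 14, so a later edit to only one of them would offset every output sample without any build or clip failure. I would name them once with two new macros, e.g. `#define RGB64_BIAS (1 << 29)` and `#define RGB64_DEBIAS (RGB64_BIAS >> 14)`, or at least put `// centre the sum on 0 before the shift; (1 << 15) == (1 << 29) >> 14 restores it` at the first use. The biased sums can be negative when shifted, so the code now relies on `>>` being an arithmetic shift for signed values, which deserves a word in the same comment.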
@@ -1084,20 +1084,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1134,8 +1134,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; 
@@ -1149,20 +1149,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1190,8 +1190,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { A1 = abuf0[i * 2 ] << 11; 
@@ -1205,20 +1205,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1236,8 +1236,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { A1 = abuf0[i * 2 ] << 11; 
@@ -1251,20 +1251,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1315,7 +1315,7 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, // 8bit: 27 -> 17bit, 16bit: 31 - 14 = 17bit Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; // 21 + Y += (1 << 13) - (1<<29); // 21 // 8bit: 17 + 13bit = 30bit, 16bit: 17 + 13bit = 30bit R = V * c->yuv2rgb_v2r_coeff; 
@@ -1323,9 +1323,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1363,7 +1363,7 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; @@ -1375,9 +1375,9 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], A += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1406,7 +1406,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { A = abuf0[i] << 11; 
@@ -1418,9 +1418,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1439,7 +1439,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { A = abuf0[i] << 11; @@ -1451,9 +1451,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From 8b09afb86efcb4bb16d282c091563369db0940c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Nov 2022 20:00:38 +0100 Subject: [PATCH 108/562] swscale/output: Bias 16bps output calculations to improve non overflowing range for GBRP16/GBRPF32 Fixes: integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit b74f89caaef2174b0bfb2791ea88e44960dba11f) 
Signed-off-by: Michael Niedermayer --- libswscale/output.c | 25 +++++++++++-------------- libswscale/x86/output.asm | 16 +++++++++++++++- 2 files changed, 26 insertions(+), 15 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index a2cbfe9c26..094c58b1b5 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -2340,18 +2340,15 @@ yuv2gbrp16_full_X_c(SwsContext *c, const int16_t *lumFilter, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - R = av_clip_uintp2(Y + R, 30); - G = av_clip_uintp2(Y + G, 30); - B = av_clip_uintp2(Y + B, 30); + dest16[2][i] = av_clip_uintp2(((Y + R) >> 14) + (1<<15), 16); + dest16[0][i] = av_clip_uintp2(((Y + G) >> 14) + (1<<15), 16); + dest16[1][i] = av_clip_uintp2(((Y + B) >> 14) + (1<<15), 16); - dest16[0][i] = G >> 14; - dest16[1][i] = B >> 14; - dest16[2][i] = R >> 14; if (hasAlpha) dest16[3][i] = av_clip_uintp2(A, 30) >> 14; } 
@@ -2416,18 +2413,18 @@ yuv2gbrpf32_full_X_c(SwsContext *c, const int16_t *lumFilter, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - R = av_clip_uintp2(Y + R, 30); - G = av_clip_uintp2(Y + G, 30); - B = av_clip_uintp2(Y + B, 30); + R = av_clip_uintp2(((Y + R) >> 14) + (1<<15), 16); + G = av_clip_uintp2(((Y + G) >> 14) + (1<<15), 16); + B = av_clip_uintp2(((Y + B) >> 14) + (1<<15), 16); - dest32[0][i] = av_float2int(float_mult * (float)(G >> 14)); - dest32[1][i] = av_float2int(float_mult * (float)(B >> 14)); - dest32[2][i] = av_float2int(float_mult * (float)(R >> 14)); + dest32[0][i] = av_float2int(float_mult * (float)G); + dest32[1][i] = av_float2int(float_mult * (float)B); + dest32[2][i] = av_float2int(float_mult * (float)R); if (hasAlpha) dest32[3][i] = av_float2int(float_mult * (float)(av_clip_uintp2(A, 30) >> 14)); } diff --git a/libswscale/x86/output.asm b/libswscale/x86/output.asm index 84e94baaf6..f943a27534 100644 --- a/libswscale/x86/output.asm +++ b/libswscale/x86/output.asm @@ -44,11 +44,13 @@ pd_yuv2gbrp_y_start: times 8 dd (1 << 9) pd_yuv2gbrp_uv_start: times 8 dd ((1 << 9) - (128 << 19)) pd_yuv2gbrp_a_start: times 8 dd (1 << 18) pd_yuv2gbrp16_offset: times 8 dd 0x10000 ;(1 << 16) -pd_yuv2gbrp16_round13: times 8 dd 0x02000 ;(1 << 13) +pd_yuv2gbrp16_round13: times 8 dd 0xE0002000 ;(1 << 13) - (1 << 29) pd_yuv2gbrp16_a_offset: times 8 dd 0x20002000 pd_yuv2gbrp16_upper30: times 8 dd 0x3FFFFFFF ;(1<<30) - 1 pd_yuv2gbrp16_upper27: times 8 dd 0x07FFFFFF ;(1<<27) - 1 +pd_yuv2gbrp16_upper16: times 8 dd 0x0000FFFF ;(1<<16) - 1 pd_yuv2gbrp16_upperC: times 8 dd 0xC0000000 +pd_yuv2gbrp_debias: times 8 dd 0x00008000 ;(1 << 29 - 14) pb_pack_shuffle8: db 0, 4, 8, 12, \ -1, -1, -1, -1, \ -1, -1, -1, -1, \ 
@@ -883,14 +885,26 @@ cglobal yuv2%1_full_X, 12, 14, 16, ptr, lumFilter, lumSrcx, lumFilterSize, chrFi paddd G, Y paddd B, Y +%if DEPTH < 16 CLIPP2 R, 30 CLIPP2 G, 30 CLIPP2 B, 30 +%endif psrad R, RGB_SHIFT psrad G, RGB_SHIFT psrad B, RGB_SHIFT +%if DEPTH >= 16 + paddd R, [pd_yuv2gbrp_debias] + paddd G, [pd_yuv2gbrp_debias] + paddd B, [pd_yuv2gbrp_debias] + + CLIPP2 R, 16 + CLIPP2 G, 16 + CLIPP2 B, 16 +%endif + %if FLOAT cvtdq2ps R, R cvtdq2ps G, G From 71b40b26456e21994e8c5eae83b4de46582350b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Oct 2022 23:28:59 +0200 Subject: [PATCH 109/562] avformat/replaygain: avoid undefined / negative abs Fixes: signed integer overflow: -2147483648 * 100000 cannot be represented in type 'int' Fixes: 52060/clusterfuzz-testcase-minimized-ffmpeg_dem_MP3_fuzzer-5131616708329472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2532b20b17ec557f1b925bfc41c00e7d4e17356c) Signed-off-by: Michael Niedermayer --- libavformat/replaygain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/replaygain.c b/libavformat/replaygain.c index 24f5c74183..915bcb2382 100644 --- a/libavformat/replaygain.c +++ b/libavformat/replaygain.c @@ -60,7 +60,7 @@ static int32_t parse_value(const char *value, int32_t min) } } - if (abs(db) > (INT32_MAX - mb) / 100000) + if (llabs(db) > (INT32_MAX - mb) / 100000) return min; return db * 100000 + sign * mb; From bb7e683a218bd8b3c0a0ab96b7d1c218ae475d6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Oct 2022 18:41:24 +0200 Subject: [PATCH 110/562] avcodec/alsdec: The minimal block is at least 7 bits Signed-off-by: Michael Niedermayer (cherry picked from commit 5280947fb6db37063334eae5b467cecd2417b063) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
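Review bot: `pd_yuv2gbrp16_round13` now carries the `- (1 << 29)` bias for every user of that constant, while the matching `paddd R, [pd_yuv2gbrp_debias]` is emitted only under `%if DEPTH >= 16` in the `yuv2%1_full_X` hunk. The load of `pd_yuv2gbrp16_round13` is outside both hunks, so please confirm it is reached only on the `DEPTH >= 16` path; a lower-depth path that picked it up would carry the bias into `CLIPP2 R, 30` with nothing to undo it. A one-line comment next to the constant naming `pd_yuv2gbrp_debias` as its counterpart would document the pairing.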
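Review bot: The switch from `abs(db)` to `llabs(db)` in `parse_value` is easy to revert by accident because the reason is not recorded next to it. A comment such as `/* llabs: db can be INT_MIN, for which abs() is undefined */` above the check would keep it in place. The declaration of `db` is outside the hunk, so its type is not visible here; if it is a plain `int`, the widening happens only through the implicit conversion to `long long` at the call.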
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 7031fa0acb..b87cb12567 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1027,7 +1027,7 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) *bd->shift_lsbs = 0; - if (get_bits_left(gb) < 1) + if (get_bits_left(gb) < 7) return AVERROR_INVALIDDATA; // read block type flag and read the samples accordingly From e475ea86f2bdc8f2e5e9a6dc14216768292ab41d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Oct 2022 18:47:34 +0200 Subject: [PATCH 111/562] avcodec/alsdec: Check bits left before block decoding in non multi channel coding loop Fixes: Timeout Fixes: 52161/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-6440216563154944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 1dc8d82da910972d308aebc1ee722044f83b9ccc) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index b87cb12567..2cafce8cb3 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1659,7 +1659,8 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) if (!sconf->mc_coding || ctx->js_switch) { int independent_bs = !sconf->joint_stereo; - + if (get_bits_left(gb) < 7*channels*ctx->num_blocks) + return AVERROR_INVALIDDATA; for (c = 0; c < channels; c++) { js_blocks[0] = 0; js_blocks[1] = 0; From f291b241a322b138fd586949b83571b3dbda82a4 Mon Sep 17 00:00:00 2001 
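Review bot: The new pre-check `get_bits_left(gb) < 7*channels*ctx->num_blocks` in `read_frame_data` reads `ctx->num_blocks` before the per-channel loop starts, and the hunk does not show where that field is set. If it is recomputed per channel inside the loop, the bound uses whatever value was left from earlier decoding and is a heuristic rather than a guarantee; a short comment saying so would help. The literal `7` also appears in the `read_block` hunk (`get_bits_left(gb) < 7`), so a single new named constant for the minimum block size would keep the two in step. The product is computed in `int`, and the limits of `channels` and `num_blocks` (declared outside the hunk) decide whether it can wrap.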
From: Michael Niedermayer Date: Tue, 15 Nov 2022 23:10:02 +0100 Subject: [PATCH 112/562] swscale/input: Use more unsigned intermediates Same principle as previous commit, with sufficiently huge rgb2yuv table values this produces wrong results and undefined behavior. The unsigned produces the same incorrect results. That is probably ok as these cases with huge values seem not to occur in any real use case. Fixes: signed integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit ba209e3d5142fd31bb6c3e05c5b183118a278afc) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index fe0c27d743..4f7b1f8473 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -77,9 +77,9 @@ rgb64ToUV_half_c_template(uint16_t *dstU, uint16_t *dstV, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1==src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; - int g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; - int b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; + unsigned g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; dstU[i]= (ru*r + gu*g + bu*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; dstV[i]= (rv*r + gv*g + bv*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; 
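Review bot: Declaring `r_b`, `g` and `b_r` as `unsigned` in `rgb64ToUV_half_c_template` makes the products with the `int32_t` coefficients (`rv`, `gv`, `bv` and their U counterparts) wrap instead of overflowing, but the reason is not visible at the declarations. A comment such as `/* unsigned: coefficient products wrap instead of being signed-overflow UB */` here, and likewise in the `rgb48ToUV_c_template` and `rgb48ToUV_half_c_template` hunks, would record it. The commit message says oversized `rgb2yuv` values still give wrong output; rejecting such tables where `rgb2yuv` is filled (outside these hunks) would remove the case rather than merely define it. The `>> RGB2YUV_SHIFT` now acts on an unsigned sum, which presumably stores the same 16 bits as before, but that is worth a regression test.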
@@ -149,9 +149,9 @@ static av_always_inline void rgb48ToUV_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = input_pixel(&src1[i * 3 + 0]); - int g = input_pixel(&src1[i * 3 + 1]); - int b_r = input_pixel(&src1[i * 3 + 2]); + unsigned r_b = input_pixel(&src1[i * 3 + 0]); + unsigned g = input_pixel(&src1[i * 3 + 1]); + unsigned b_r = input_pixel(&src1[i * 3 + 2]); dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; @@ -171,12 +171,12 @@ static av_always_inline void rgb48ToUV_half_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[6 * i + 0]) + - input_pixel(&src1[6 * i + 3]) + 1) >> 1; - int g = (input_pixel(&src1[6 * i + 1]) + - input_pixel(&src1[6 * i + 4]) + 1) >> 1; - int b_r = (input_pixel(&src1[6 * i + 2]) + - input_pixel(&src1[6 * i + 5]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[6 * i + 0]) + + input_pixel(&src1[6 * i + 3]) + 1) >> 1; + unsigned g = (input_pixel(&src1[6 * i + 1]) + + input_pixel(&src1[6 * i + 4]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[6 * i + 2]) + + input_pixel(&src1[6 * i + 5]) + 1) >> 1; dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; From c1780eeccf4f2985b5e6e024230d5235cedd1d8f Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 21 Nov 2022 00:20:14 +0100 Subject: [PATCH 113/562] avutil/tx: Use unsigned in ff_tx_fft_sr_combine() to avoid undefined behavior Fixes: signed integer overflow: -1284837070 - 982101618 cannot be represented in type 'int' Fixes: 53105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4848015827664896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7792825ad6b84f54f5a7fd7f90a907291363c419) Signed-off-by: Michael Niedermayer --- libavutil/tx_priv.h | 3 +++ libavutil/tx_template.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/libavutil/tx_priv.h b/libavutil/tx_priv.h index c9eda44e61..3dd748bd2c 100644 --- a/libavutil/tx_priv.h +++ b/libavutil/tx_priv.h @@ -34,6 +34,7 @@ #define MULT(x, m) ((x) * (m)) #define SCALE_TYPE float typedef float TXSample; +typedef float TXUSample; typedef AVComplexFloat TXComplex; #elif defined(TX_DOUBLE) #define TX_TAB(x) x ## _double @@ -45,6 +46,7 @@ typedef AVComplexFloat TXComplex; #define MULT(x, m) ((x) * (m)) #define SCALE_TYPE double typedef double TXSample; +typedef double TXUSample; typedef AVComplexDouble TXComplex; #elif defined(TX_INT32) #define TX_TAB(x) x ## _int32 @@ -56,6 +58,7 @@ typedef AVComplexDouble TXComplex; #define MULT(x, m) (((((int64_t)(x)) * (int64_t)(m)) + 0x40000000) >> 31) #define SCALE_TYPE float typedef int32_t TXSample; +typedef uint32_t TXUSample; typedef AVComplexInt32 TXComplex; #else typedef void TXComplex; diff --git a/libavutil/tx_template.c b/libavutil/tx_template.c index 1e4354580b..6057644a63 100644 --- a/libavutil/tx_template.c +++ b/libavutil/tx_template.c 
@@ -502,7 +502,7 @@ static inline void TX_NAME(ff_tx_fft_sr_combine)(TXComplex *z, int o2 = 4*len; int o3 = 6*len; const TXSample *wim = cos + o1 - 7; - TXSample t1, t2, t3, t4, t5, t6, r0, i0, r1, i1; + TXUSample t1, t2, t3, t4, t5, t6, r0, i0, r1, i1; for (int i = 0; i < len; i += 4) { TRANSFORM(z[0], z[o1 + 0], z[o2 + 0], z[o3 + 0], cos[0], wim[7]); From 7c5b975f6f6db05ed96ef0183539ea69cd4f82c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Nov 2022 22:59:55 +0100 Subject: [PATCH 114/562] avcodec/mlpdec: Check max matrix instead of max channel in noise check This is a regression since: adaa06581c5444c94eef72d61b8166f096e2687a Before this, max_channel and max_matrix_channel where compared for equality Fixes: out of array access Fixes: 53340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-514959011885875 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa79560de5e9596ada0345e5d12aa00dbeddaaa6) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index caf35dca0e..6af63c4631 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -549,7 +549,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ - if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { + if (max_matrix_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", From 16b8de719ec15fba03fe0198d7d34c423ea0edf5 Mon Sep 17 00:00:00 2001 
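Review bot: For `TX_INT32` the temporaries `t1 … i1` in `ff_tx_fft_sr_combine` become `uint32_t`, and the `MULT` macro shown in the tx_priv.h hunk casts its first argument with `(int64_t)(x)`, which zero-extends an unsigned value instead of sign-extending it. The body of `TRANSFORM` is outside the hunk, so please confirm that these temporaries are only written by the multiply macros and never passed into them as operands. In the float and double builds `TXUSample` is not unsigned at all; a comment on the typedefs such as `/* type for add/sub intermediates; unsigned only in the int32 build so they wrap */` would make that clear.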
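Review bot: The condition in `read_restart_header` now tests `max_matrix_channel`, but the message passed to `avpriv_request_sample` still reads "%d channels (more than the maximum supported by the decoder)" and its argument is cut off by the hunk. If that argument is derived from `max_channel`, the log reports a number that did not trigger the rejection; passing the matrix channel value would match the new test. The comment above the check ("TrueHD streams with >6 channels") should also say which of the two limits is meant.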
From: Michael Niedermayer Date: Tue, 22 Nov 2022 23:34:22 +0100 Subject: [PATCH 115/562] avcodec/ffv1dec: restructure slice coordinate reading a bit Fixes: signed integer overflow: -1094995528 * 8224 cannot be represented in type 'int' Fixes: 53508/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-474551033462784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74b6ac7ebb5c1e06a5fdfa29f79a18599942dbfa) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 61 ++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 25 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 5660e5d940..c6c4a3689d 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c 
@@ -168,24 +168,31 @@ static int decode_slice_header(const FFV1Context *f, FFV1Context *fs) RangeCoder *c = &fs->c; uint8_t state[CONTEXT_SIZE]; unsigned ps, i, context_count; + int sx, sy, sw, sh; + memset(state, 128, sizeof(state)); + sx = get_symbol(c, state, 0); + sy = get_symbol(c, state, 0); + sw = get_symbol(c, state, 0) + 1U; + sh = get_symbol(c, state, 0) + 1U; av_assert0(f->version > 2); - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width /f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height/f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height) - return -1; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) - return -1; + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) + return AVERROR_INVALIDDATA; + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) + return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) return AVERROR_INVALIDDATA; 
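Review bot: The two range tests in `decode_slice_header` that used to `return -1` are now `av_assert0()` calls, so a violated bound aborts the process instead of failing the frame. The new `sx`/`sy`/`sw`/`sh` checks should make them unreachable, provided `f->num_h_slices`, `f->num_v_slices`, `f->width` and `f->height` are positive, which is established outside this hunk. Since all four symbols come from the bitstream, I would keep an error return as the last line of defence, e.g. `if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height) return AVERROR_INVALIDDATA;`, or demote the assertions to `av_assert1()`. The function continues past the hunk.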
@@ -772,21 +779,25 @@ static int read_header(FFV1Context *f) fs->slice_damaged = 0; if (f->version == 2) { - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; + int sx = get_symbol(c, state, 0); + int sy = get_symbol(c, state, 0); + int sw = get_symbol(c, state, 0) + 1U; + int sh = get_symbol(c, state, 0) + 1U; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width / f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || - (unsigned)fs->slice_height > f->height) + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) return AVERROR_INVALIDDATA; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); } for (i = 0; i < f->plane_count; i++) { From 46a1e9e38632c71d2a810c2b0e34271811218a6b Mon Sep 17 00:00:00 2001 
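Review bot: The slice-geometry block in the `f->version == 2` branch of `read_header` is a copy of the one added to `decode_slice_header` in the previous hunk: the same four `get_symbol` reads, the same two validity tests and the same `int64_t` scaling. Two copies of bitstream validation tend to drift apart; a small `static` helper taking `f`, `fs`, `c` and `state` and returning 0 or `AVERROR_INVALIDDATA` would give both call sites one implementation. The divisions by `f->num_h_slices` and `f->num_v_slices` rely on both being non-zero, which is checked outside the hunk if at all.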
From: Michael Niedermayer Date: Fri, 18 Nov 2022 18:26:59 +0100 Subject: [PATCH 116/562] avcodec/tiff: Ignore tile_count Fixes: out of array access Fixes: 52427/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4849108968144896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65ce417828cc6f5209d8467bc7755f0c59e9aa49) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index e7a2576b0b..717f299fdd 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -102,7 +102,6 @@ typedef struct TiffContext { int is_tiled; int tile_byte_counts_offset, tile_offsets_offset; int tile_width, tile_length; - int tile_count; int is_jpeg; @@ -976,7 +975,7 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame *frame, tile_count_y = (s->height + s->tile_length - 1) / s->tile_length; /* Iterate over the number of tiles */ - for (tile_idx = 0; tile_idx < s->tile_count; tile_idx++) { + for (tile_idx = 0; tile_idx < tile_count_x * tile_count_y; tile_idx++) { tile_x = tile_idx % tile_count_x; tile_y = tile_idx / tile_count_x; @@ -1396,7 +1395,6 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_TILE_OFFSETS: s->tile_offsets_offset = off; - s->tile_count = count; s->is_tiled = 1; break; case TIFF_TILE_BYTE_COUNTS: @@ -1889,7 +1887,7 @@ again: return AVERROR_INVALIDDATA; } - has_tile_bits = s->is_tiled || s->tile_byte_counts_offset || s->tile_offsets_offset || s->tile_width || s->tile_length || s->tile_count; + has_tile_bits = s->is_tiled || s->tile_byte_counts_offset || s->tile_offsets_offset || s->tile_width || s->tile_length; has_strip_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff; if (has_tile_bits && has_strip_bits) { 
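Review bot: After this change the loop in `dng_decode_tiles` runs `tile_count_x * tile_count_y` times regardless of how many entries the file's tile-offsets tag declared, since `count` is no longer stored in `tiff_decode_tag`. Each iteration presumably reads an offset and a byte count for `tile_idx` (that code is outside the hunk), so with a short table the later entries come from whatever bytes follow it; please confirm those reads are bounds-checked against the input buffer. Rejecting the file when the tag's `count` is smaller than the computed tile total would make the mismatch explicit. The division by `s->tile_length` in the context line above the loop also needs it to be non-zero, which this hunk does not show.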
From 3aee1b1ec3a19105936b294b6a53bcf23c4c5114 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2022 19:04:47 +0100 Subject: [PATCH 117/562] avformat/id3v2: Check taglen in read_uslt() Fixes: Timeout (read mostly the same data repeatly) Fixes: 52457/clusterfuzz-testcase-minimized-ffmpeg_dem_ALP_fuzzer-6610706313379840 Fixes: 53098/clusterfuzz-testcase-minimized-ffmpeg_dem_SOL_fuzzer-6481382981632000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a798af91d7d1fc31cfc1ae09cc6ab3907304f44f) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 191a305ffb..cb31864045 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -377,10 +377,10 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, lang[3] = '\0'; taglen -= 3; - if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0) + if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0 || taglen < 0) goto error; - if (decode_str(s, pb, encoding, &text, &taglen) < 0) + if (decode_str(s, pb, encoding, &text, &taglen) < 0 || taglen < 0) goto error; // FFmpeg does not support hierarchical metadata, so concatenate the keys. From 7d2360f8d67f386f0a89471f0e1857857464a797 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 12:58:58 +0200 Subject: [PATCH 118/562] avcodec/wavpack: Check for end of input in wv_unpack_dsd_high() Fixes: Timeout Fixes: 50793/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-4980185027444736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ad7403bcee47e7c5e99a9c0266935e0da50c9d2) 
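Review bot: In `read_uslt` the new `taglen < 0` tests run only after `decode_str` has returned, yet `taglen -= 3;` two lines earlier can already leave the value negative before the first call. Adding `if (taglen < 0) goto error;` directly after `taglen -= 3;` would reject the tag before `decode_str` is handed a negative budget. Whether an earlier length guard exists cannot be seen here, since the function starts outside the hunk.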
Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 8bfbb654e8..45c49518f2 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -499,6 +499,8 @@ static int wv_unpack_dsd_high(WavpackFrameContext *s, uint8_t *dst_left, uint8_t sp[0].fltr0 = 0; } + if (DSD_BYTE_READY(high, low) && !bytestream2_get_bytes_left(&s->gbyte)) + return AVERROR_INVALIDDATA; while (DSD_BYTE_READY(high, low) && bytestream2_get_bytes_left(&s->gbyte)) { value = (value << 8) | bytestream2_get_byte(&s->gbyte); high = (high << 8) | 0xff; @@ -534,6 +536,8 @@ static int wv_unpack_dsd_high(WavpackFrameContext *s, uint8_t *dst_left, uint8_t sp[1].fltr0 = 0; } + if (DSD_BYTE_READY(high, low) && !bytestream2_get_bytes_left(&s->gbyte)) + return AVERROR_INVALIDDATA; while (DSD_BYTE_READY(high, low) && bytestream2_get_bytes_left(&s->gbyte)) { value = (value << 8) | bytestream2_get_byte(&s->gbyte); high = (high << 8) | 0xff; From 194a9429b2543609364a26af72e6d3f1d7bc1934 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Dec 2022 17:55:09 +0100 Subject: [PATCH 119/562] avcodec/wavpack: Avoid undefined shift in get_tail() Fixes: left shift of 1208485947 by 1 places cannot be represented in type 'int' Fixes: 54058/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5827521084260352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8374a747af247d45eb466fcb4aee90f3ae798aad) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 45c49518f2..32eb2d46bf 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
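Review bot: The guard added in `wv_unpack_dsd_high` (both hunks) only catches the case where no input byte is left when the refill loop is entered. If the input runs out part-way through `while (DSD_BYTE_READY(high, low) && bytestream2_get_bytes_left(&s->gbyte))`, the loop exits with `DSD_BYTE_READY` still true and the rest of that pass works on a partly refilled `value`. Testing after the loop instead, `if (DSD_BYTE_READY(high, low)) return AVERROR_INVALIDDATA;`, would cover both situations with one check. Whether a truncated final block should still be decoded is a policy choice the commit message does not address.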
@@ -129,7 +129,7 @@ static av_always_inline unsigned get_tail(GetBitContext *gb, int k) e = (1 << (p + 1)) - k - 1; res = get_bitsz(gb, p); if (res >= e) - res = (res << 1) - e + get_bits1(gb); + res = res * 2U - e + get_bits1(gb); return res; } From 8f4e355416609ea549cbd310480b540c068bf9e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Dec 2022 00:31:00 +0100 Subject: [PATCH 120/562] avcodec/sunrast: Fix maplength check Fixes: out of bounds read Found-by: Ibrahim Mohamed Reviewed-by; Ibrahim Mohamed Signed-off-by: Michael Niedermayer (cherry picked from commit f8a2a65078eaac37eae4a0d7ef440849a9d8f5b5) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index e543757a39..9d0e91f604 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" @@ -75,6 +76,12 @@ static int sunrast_decode_frame(AVCodecContext *avctx, AVFrame *p, return AVERROR_PATCHWELCOME; } + if (maplength > 768) { + av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); + return AVERROR_INVALIDDATA; + } + + // This also checks depth to be valid switch (depth) { case 1: avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_MONOWHITE; 
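Review bot: `res * 2U - e + get_bits1(gb)` removes the undefined left shift of `res` in `get_tail`, but the context line `e = (1 << (p + 1)) - k - 1;` two lines up is the same kind of expression on a signed `1`. How `p` is derived is outside the hunk; if it can reach 30 for a large `k`, `1 << 31` overflows `int` in the same way. Writing it as `e = (1U << (p + 1)) - k - 1;` would make both lines wrap consistently.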
@@ -96,15 +103,23 @@ static int sunrast_decode_frame(AVCodecContext *avctx, AVFrame *p, return AVERROR_INVALIDDATA; } + // This checks w and h to be valid in the sense that bytes of a padded bitmap are addressable with 32bit int ret = ff_set_dimensions(avctx, w, h); if (ret < 0) return ret; + // ensured by ff_set_dimensions() + av_assert0(w <= (INT32_MAX - 7) / depth); + /* scanlines are aligned on 16 bit boundaries */ len = (depth * w + 7) >> 3; alen = len + (len & 1); - if (buf_end - buf < maplength + (len * h) * 3 / 256) + // ensured by ff_set_dimensions() + av_assert0(h <= INT32_MAX / (3 * len)); + + // maplength is limited to 768 and the right term is limited to INT32_MAX / 256 so the add needs no check + if (buf_end - buf < (uint64_t)maplength + (len * h) * 3 / 256) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) @@ -118,7 +133,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, AVFrame *p, } else if (maplength) { unsigned int len = maplength / 3; - if (maplength % 3 || maplength > 768) { + if (maplength % 3) { av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); return AVERROR_INVALIDDATA; } From 87e6221d5327c74dfca652f7e64fed138163c3f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Dec 2022 22:02:13 +0100 Subject: [PATCH 121/562] avformat/mxfdec: Use 64bit in remainder MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 48000 * 223587 cannot be represented in type 'int' Fixes: 54513/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5817594836025344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 64a04fc165d453fe49906b228ac16385eda28564) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
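Review bot: The two `av_assert0()` calls added in `sunrast_decode_frame` take a limit that lives inside `ff_set_dimensions()` and turn it into a process abort here if that limit is ever relaxed. `w`, `h` and `depth` all come from the file header, so an explicit test is safer than an assertion: `if (w > (INT32_MAX - 7) / depth) return AVERROR_INVALIDDATA;` before `len` is computed, and `if (h > INT32_MAX / (3 * len)) return AVERROR_INVALIDDATA;` after it. The "ensured by ff_set_dimensions()" comments can stay as the explanation of why the branch is not expected to fire.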
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4a31490868..f6d79a3551 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3783,8 +3783,8 @@ static int64_t mxf_compute_sample_count(MXFContext *mxf, AVStream *st, if ((sample_rate.num / sample_rate.den) == 48000) { return av_rescale_q(edit_unit, sample_rate, track->edit_rate); } else { - int remainder = (sample_rate.num * time_base.num) % - (time_base.den * sample_rate.den); + int64_t remainder = (sample_rate.num * (int64_t) time_base.num) % + ( time_base.den * (int64_t)sample_rate.den); if (remainder) av_log(mxf->fc, AV_LOG_WARNING, "seeking detected on stream #%d with time base (%d/%d) and " From 7e211d001f920ea98a6a22c561bb184e1416b380 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jan 2023 20:03:40 +0100 Subject: [PATCH 122/562] avcodec/scpr: Test bx before use Fixes: out of array access on 32bit Fixes: 54850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5302669294305280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b59de3770b2e3f7f44ec4adba27c88b79adaaec) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 0623b73c84..f868c474c9 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -460,6 +460,9 @@ static int decompress_p(AVCodecContext *avctx, int run, bx = x * 16 + sx1, by = y * 16 + sy1; uint32_t r, g, b, clr, ptype = 0; + if (bx >= avctx->width) + return AVERROR_INVALIDDATA; + for (; by < y * 16 + sy2 && by < avctx->height;) { ret = decode_value(s, s->op_model[ptype], 6, 1000, &ptype); if (ret < 0) From d78fe4d3fb670f55da9661f6fd59b1e036c5c0a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Nov 2022 22:00:05 +0100 Subject: [PATCH 123/562] avcodec/h274: fix include 
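Review bot: The widened `remainder` in `mxf_compute_sample_count` is a `%` by `time_base.den * (int64_t)sample_rate.den`, and the context line above it divides by `sample_rate.den`; neither denominator is tested inside the hunk. Both rationals derive from stream data, so unless they are validated where they are set (outside this hunk), a zero denominator is a division by zero that the 64-bit change does not touch. A guard before the `if` would close that off; the right return value depends on the callers, which are not shown.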
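Review bot: The new `bx >= avctx->width` test in `decompress_p` checks `bx` once, before the `for` loop, and only against the upper bound. `bx` is `x * 16 + sx1` and the loop body that advances it is outside the hunk, so whether later values are re-checked, and whether `sx1` can make `bx` negative, cannot be confirmed from here. The identical check added to `decompress_p3` in scpr3.c has the same scope. If the loop relies on `bx` staying below `avctx->width`, a comment saying which code maintains that would help the next reader.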
Signed-off-by: Michael Niedermayer (cherry picked from commit 379e43e6ec4a7da692be3c7b8039e6c716adbf68) Signed-off-by: Michael Niedermayer --- libavcodec/h274.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h274.h b/libavcodec/h274.h index 807b3a016a..920f6991fb 100644 --- a/libavcodec/h274.h +++ b/libavcodec/h274.h @@ -28,7 +28,7 @@ #ifndef AVCODEC_H274_H #define AVCODEC_H274_H -#include +#include "libavutil/film_grain_params.h" // Must be initialized to {0} prior to first usage typedef struct H274FilmGrainDatabase { From a34fe535e41162041f47b4c2baa37d33c7949f67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:05:55 +0100 Subject: [PATCH 124/562] avcodec/eatgq: : Check index increments in tgq_decode_block() Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7755b433e913e32bb061f17d5ecfcbcfef995b7) Signed-off-by: Michael Niedermayer --- libavcodec/eatgq.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index 2e9d2fe13c..eca93fd8a2 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -62,7 +62,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx) return 0; } -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) { uint8_t *perm = s->scantable.permutated; int i, j, value; @@ -70,6 +70,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb for (i = 1; i < 64;) { switch (show_bits(gb, 3)) { case 4: + if (i >= 63) + return AVERROR_INVALIDDATA; block[perm[i++]] = 0; case 0: block[perm[i++]] = 0; 
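Review bot: `case 4:` in `tgq_decode_block` falls through into `case 0:` so that two coefficients are cleared, and with the new `return` inside `case 4` the missing `break` now reads even more like an oversight. A `/* fallthrough */` comment after the first `block[perm[i++]] = 0;` would mark it as intended and explain why the guard is `i >= 63` rather than `i >= 64`. The remaining cases of the switch are partly outside this hunk, so whether every other `i++` is covered by the `i < 64` loop condition has to be checked there.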
@@ -79,6 +81,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb case 1: skip_bits(gb, 2); value = get_bits(gb, 6); + if (value > 64 - i) + return AVERROR_INVALIDDATA; for (j = 0; j < value; j++) block[perm[i++]] = 0; break; @@ -106,6 +110,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb } } block[0] += 128 << 4; + return 0; } static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame, @@ -165,8 +170,11 @@ static int tgq_decode_mb(TgqContext *s, AVFrame *frame, int mb_y, int mb_x) if (ret < 0) return ret; - for (i = 0; i < 6; i++) - tgq_decode_block(s, s->block[i], &gb); + for (i = 0; i < 6; i++) { + int ret = tgq_decode_block(s, s->block[i], &gb); + if (ret < 0) + return ret; + } tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y); bytestream2_skip(&s->gb, mode); } else { From 2e9faba7c7209dd8d3792ce0f38ee812a2f3828f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jan 2023 01:01:36 +0100 Subject: [PATCH 125/562] avcodec/012v: Order operations for odd size handling Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6714182078955520.fuzz Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6698145212137472.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4d42d82563d806b5610c0c91497e24ef7f37d4cf) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index c03afd0bc7..9b7fc173b7 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c 
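Review bot: The `int ret` declared inside the new loop body in `tgq_decode_mb` shadows the `ret` already used by the `if (ret < 0) return ret;` just above it. Reusing the outer variable, `ret = tgq_decode_block(s, s->block[i], &gb);`, avoids the shadow and a `-Wshadow` warning without changing behaviour.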
@@ -131,8 +131,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, AVFrame *pic, u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); memcpy(y, y_temp, sizeof(*y) * (width - x)); - memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); - memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2)); + memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2)); } line_end += stride; From 14da78a8c18c96e73e44048914702f676e55601f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Jan 2023 00:01:13 +0100 Subject: [PATCH 126/562] avcodec/scpr3: Check bx Fixes: Out of array access Fixes: 55102/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-4877396618903552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cc7e984a05b28dcfaaaad95afa061be71b4ba7fc) Signed-off-by: Michael Niedermayer --- libavcodec/scpr3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index 78c58889cb..274f99ce71 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c @@ -1168,6 +1168,9 @@ static int decompress_p3(AVCodecContext *avctx, int run, bx = x * 16 + sx1, by = y * 16 + sy1; uint32_t clr, ptype = 0, r, g, b; + if (bx >= avctx->width) + return AVERROR_INVALIDDATA; + for (; by < y * 16 + sy2 && by < avctx->height;) { ret = decode_value3(s, 5, &s->op_model3[ptype].cntsum, s->op_model3[ptype].freqs[0], From af6919486bfe13800e6b8734575b3fefafe713c6 Mon Sep 17 00:00:00 2001 
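Review bot: The two chroma `memcpy` lengths in zero12v_decode_frame() now depend on the inner parentheses to round the sample count up before it is scaled to bytes, and nothing in the code says so. A comment above them, `/* chroma: ceil((width - x) / 2) samples, converted to bytes afterwards */`, would stop the expression from being simplified back to the form that overran the row. Whether `u_temp` and `v_temp` always hold that many samples is decided outside this hunk.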
From: Michael Niedermayer Date: Sun, 22 Jan 2023 00:32:44 +0100 Subject: [PATCH 127/562] avcodec/utils: use 32pixel alignment for bink bink supports 16x16 blocks in chroma planes thus we need to allocate enough. Fixes: out of array access Fixes: 55026/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6013915371012096 Reviewed-by: Peter Ross Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b95b2c8492fc1b52afd8fbe67b3be3cd518485d6) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index f78475d0ad..1e448a562b 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -242,6 +242,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_GBRAP16BE: w_align = 16; //FIXME assume 16 pixel per macroblock h_align = 16 * 2; // interlaced needs 2 macroblocks height + if (s->codec_id == AV_CODEC_ID_BINKVIDEO) + w_align = 16*2; break; case AV_PIX_FMT_YUV411P: case AV_PIX_FMT_YUVJ411P: From 9057d347481711348442879304090bc65635eeec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jan 2023 23:36:12 +0100 Subject: [PATCH 128/562] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Fixes: 2.28595e+09 is outside the range of representable values of type 'int' Fixes: 54644/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4816961584627712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f48d227c153fa6f0a2156f3e8d18ea1bfedf18d) Signed-off-by: Michael Niedermayer --- libavcodec/ac3.h | 2 ++ libavcodec/eac3dec.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h index 29f9f9df8d..378e9a7d95 100644 
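Review bot: The BINKVIDEO override of `w_align` in avcodec_align_dimensions2() has no comment, while the two assignments directly above it each explain their value. The reason exists only in the commit message; I would keep it next to the code as `w_align = 16*2; // bink uses 16x16 blocks in chroma planes`. The override sits inside one pixel-format case group, so it only applies to the formats listed there, and part of that list is outside the hunk.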
--- a/libavcodec/ac3.h +++ b/libavcodec/ac3.h @@ -55,6 +55,7 @@ #define AC3_DYNAMIC_RANGE1 0 typedef int INTFLOAT; +typedef unsigned int UINTFLOAT; typedef int16_t SHORTFLOAT; #else /* USE_FIXED */ @@ -75,6 +76,7 @@ typedef int16_t SHORTFLOAT; #define AC3_DYNAMIC_RANGE1 1.0f typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float SHORTFLOAT; #endif /* USE_FIXED */ diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index d360b02691..deca51dd3d 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -138,9 +138,11 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) // spx_noise_blend and spx_signal_blend are both FP.23 nscale *= 1.0 / (1<<23); sscale *= 1.0 / (1<<23); + if (nscale < -1.0) + nscale = -1.0; #endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { - float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); + UINTFLOAT noise = (INTFLOAT)(nscale * (int32_t)av_lfg_get(&s->dith_state)); s->transform_coeffs[ch][bin] *= sscale; s->transform_coeffs[ch][bin++] += noise; } From 2953c6381afc3d52f3c97692228a5120fad4e0dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Nov 2022 14:29:32 +0100 Subject: [PATCH 129/562] avcodec/pictordec: Remove mid exit branch This causes the RLE decoder to exit before applying the last RLE run All images i tested with are unchanged, this makes the special case for handling the last run unused for non truncated images. Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 88f0e05c72f0de0cae3d9f0c5644f1965632b641) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index ed0292c797..971d0a8544 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c 
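Review bot: The clamp added in the USE_FIXED branch of ff_eac3_apply_spectral_extension() bounds `nscale` only at -1.0, and the value -1.0 itself still allows an unrepresentable product. If `nscale` is a float, as the removed `float noise` line suggests, -1.0 times the most negative `int32_t` dither value is 2^31, and the `(INTFLOAT)` cast of that is the same out-of-range conversion the commit sets out to remove. Clamping slightly inside the range, for example `if (nscale < -(1.0 - 1.0 / (1 << 23))) nscale = -(1.0 - 1.0 / (1 << 23));`, closes that edge. If `nscale` can be positive here, the upper side needs the same bound. The computation of `nscale` is outside the hunk.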
@@ -243,8 +243,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, run = bytestream2_get_le16(&s->g); val = bytestream2_get_byte(&s->g); } - if (!bytestream2_get_bytes_left(&s->g)) - break; if (bits_per_plane == 8) { picmemset_8bpp(s, frame, val, run, &x, &y); From b7df1d29134dc1d8399a2f229d2b44f9288de6a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sun, 5 Mar 2023 23:36:53 +0200 Subject: [PATCH 130/562] vulkan: Fix win/i386 calling convention MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes the following error when compiling with a modern version of Clang for Windows/i386: src/libavutil/hwcontext_vulkan.c:738:32: error: incompatible function pointer types initializing 'PFN_vkDebugUtilsMessengerCallbackEXT' (aka 'unsigned int (*)(enum VkDebugUtilsMessageSeverityFlagBitsEXT, unsigned int, const struct VkDebugUtilsMessengerCallbackDataEXT *, void *) __attribute__((stdcall))') with an expression of type 'VkBool32 (VkDebugUtilsMessageSeverityFlagBitsEXT, VkDebugUtilsMessageTypeFlagsEXT, const VkDebugUtilsMessengerCallbackDataEXT *, void *)' (aka 'unsigned int (enum VkDebugUtilsMessageSeverityFlagBitsEXT, unsigned int, const struct VkDebugUtilsMessengerCallbackDataEXT *, void *)') [-Wincompatible-function-pointer-types] .pfnUserCallback = vk_dbg_callback, ^~~~~~~~~~~~~~~ Signed-off-by: Martin Storsjö (cherry picked from commit f9620d74cd49c35223304ba41e28be6144e45783) Signed-off-by: Martin Storsjö --- libavutil/hwcontext_vulkan.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavutil/hwcontext_vulkan.c b/libavutil/hwcontext_vulkan.c index 3bc0dc8a40..5981016cf4 100644 --- a/libavutil/hwcontext_vulkan.c +++ b/libavutil/hwcontext_vulkan.c 
@@ -397,10 +397,10 @@ static const char *vk_ret2str(VkResult res) #undef CASE } -static VkBool32 vk_dbg_callback(VkDebugUtilsMessageSeverityFlagBitsEXT severity, - VkDebugUtilsMessageTypeFlagsEXT messageType, - const VkDebugUtilsMessengerCallbackDataEXT *data, - void *priv) +static VkBool32 VKAPI_CALL vk_dbg_callback(VkDebugUtilsMessageSeverityFlagBitsEXT severity, + VkDebugUtilsMessageTypeFlagsEXT messageType, + const VkDebugUtilsMessengerCallbackDataEXT *data, + void *priv) { int l; AVHWDeviceContext *ctx = priv; From 52d055b34d09601b54c07f31220842c1fd90d150 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Thu, 2 Mar 2023 17:27:30 +0100 Subject: [PATCH 131/562] lavu/vulkan: fix handle type for 32-bit targets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes compilation with clang which errors out on Wint-conversion. Signed-off-by: Kacper Michajłow Signed-off-by: Martin Storsjö (cherry picked from commit cc76e8340d28438c1ac56ee7dfd774d25e944264) Signed-off-by: Martin Storsjö --- libavutil/hwcontext_vulkan.c | 2 +- libavutil/vulkan.h | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavutil/hwcontext_vulkan.c b/libavutil/hwcontext_vulkan.c index 5981016cf4..c6bbc9891f 100644 --- a/libavutil/hwcontext_vulkan.c +++ b/libavutil/hwcontext_vulkan.c @@ -1145,7 +1145,7 @@ static void free_exec_ctx(AVHWFramesContext *hwfc, VulkanExecCtx *cmd) av_freep(&cmd->queues); av_freep(&cmd->bufs); - cmd->pool = NULL; + cmd->pool = VK_NULL_HANDLE; } static VkCommandBuffer get_buf_exec_ctx(AVHWFramesContext *hwfc, VulkanExecCtx *cmd) diff --git a/libavutil/vulkan.h b/libavutil/vulkan.h index d1ea1e24fb..90922c6cf3 100644 --- a/libavutil/vulkan.h +++ b/libavutil/vulkan.h 
@@ -122,7 +122,11 @@ typedef struct FFVulkanPipeline { VkDescriptorSetLayout *desc_layout; VkDescriptorPool desc_pool; VkDescriptorSet *desc_set; +#if VK_USE_64_BIT_PTR_DEFINES == 1 void **desc_staging; +#else + uint64_t *desc_staging; +#endif VkDescriptorSetLayoutBinding **desc_binding; VkDescriptorUpdateTemplate *desc_template; int *desc_set_initialized; From fa22608c46910b33a642fdc220470b19eb5bea52 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Feb 2023 19:19:32 +0100 Subject: [PATCH 132/562] avformat/mov: Check samplesize and offset to avoid integer overflow Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long' Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53c1f5c2e28e54ea8174b196d5cf4a158907395a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2b1131b911..88fbfbcb5d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4162,6 +4162,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if (keyframe) distance = 0; sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; + if (current_offset > INT64_MAX - sample_size) { + av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n", + current_offset, + sample_size); + return; + } + if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { AVIndexEntry *e; From 14446f18315aada06808c89a521926c29ed07462 Mon Sep 17 00:00:00 2001 
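Review bot: The `#if VK_USE_64_BIT_PTR_DEFINES == 1` test in FFVulkanPipeline treats an undefined macro as 0, so with Vulkan headers that do not define it the `uint64_t *desc_staging` branch is chosen even on 64-bit targets. If such headers are still supported, I would make the dependency explicit with `#if defined(VK_USE_64_BIT_PTR_DEFINES) && VK_USE_64_BIT_PTR_DEFINES == 1` and a comment on which header version the fallback assumes. Whether older headers are in scope for this branch cannot be seen from the hunk.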
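Review bot: On overflow the new branch in mov_build_index() logs and does a bare `return`, and because the function is `void` the caller gets no signal that the index stops short of the sample table. If a truncated index is the intended outcome, I would say so at the return, `return; /* keep the entries built so far, drop the rest */`, so the behaviour reads as a decision rather than an accident. The guard covers this per-sample path only; whether the other `current_offset` updates in the function need the same test is outside the hunk.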
From: Michael Niedermayer Date: Sat, 18 Feb 2023 22:33:02 +0100 Subject: [PATCH 133/562] avcodec/ffv1dec: Check that num h/v slices is supported Fixes: out of array access Fixes: 55597/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4898293416329216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ead0ae68eb64ad325efafd686c434727f3d666a) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index c6c4a3689d..025c362979 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -477,6 +477,11 @@ static int read_extra_header(FFV1Context *f) return AVERROR_INVALIDDATA; } + if (f->num_h_slices > MAX_SLICES / f->num_v_slices) { + av_log(f->avctx, AV_LOG_ERROR, "slice count unsupported\n"); + return AVERROR_PATCHWELCOME; + } + f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); From 365203e99ec46695578776ab1afc16fbc207a6aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:26:06 +0100 Subject: [PATCH 134/562] avcodec/pngdec: Check deloco index more exactly Fixes: out of array access: Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6716193709096960 Alternatively it should be possible to limit this to 3 plane RGB 8 /16bit to ensure the size is what it should be Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d5bae704068dc37191280e024eecb8d02b762b28) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
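Review bot: The new test in read_extra_header() divides by `f->num_v_slices`, so it depends on that value being non-zero, and the hunk shows only the tail of the preceding check, not what it rejects. If the earlier check already excludes zero, a comment such as `/* num_v_slices != 0 is guaranteed by the check above */` makes the dependency visible; if not, zero has to be rejected before this line. The message could also print the two counts, as the quant-table message just below prints its value.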
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 5fa9491f9c..23e42aaf26 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -322,7 +322,7 @@ void ff_png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type, static void deloco_ ## NAME(TYPE *dst, int size, int alpha) \ { \ int i; \ - for (i = 0; i < size; i += 3 + alpha) { \ + for (i = 0; i < size - 2; i += 3 + alpha) { \ int g = dst [i + 1]; \ dst[i + 0] += g; \ dst[i + 2] += g; \ From ce0bb67b1fda5e95ee438471c8ffc06b977b8ef2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:56:05 +0100 Subject: [PATCH 135/562] avcodec/pngdec: dont skip/read chunk twice Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6668158952144896.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df1a38d5200e14a29903f1027b4548d595c7ff8a) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 23e42aaf26..9f142980a0 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1231,6 +1231,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, } av_log(avctx, AV_LOG_ERROR, ", skipping\n"); bytestream2_skip(&s->gb, length + 8); /* tag */ + continue; } } tag = bytestream2_get_le32(&s->gb); From ac3e0e7beb7f5d053691f378928cd6e97c2c95f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 00:29:02 +0100 Subject: [PATCH 136/562] avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things Fixes: subtraction of unsigned offset from 0xf6602770 overflowed to 0xf6638c80 Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-495074400600064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer (cherry picked from commit f0150cd41c2d3c01050a6c4f3df1de511a217913) Signed-off-by: Michael Niedermayer --- libavcodec/videodsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/videodsp_template.c b/libavcodec/videodsp_template.c index 324d70f2cb..d653f4d524 100644 --- a/libavcodec/videodsp_template.c +++ b/libavcodec/videodsp_template.c @@ -64,7 +64,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, av_assert2(start_x < end_x && block_w); w = end_x - start_x; - src += start_y * src_linesize + start_x * sizeof(pixel); + src += start_y * src_linesize + start_x * (ptrdiff_t)sizeof(pixel); buf += start_x * sizeof(pixel); // top @@ -87,7 +87,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, buf += buf_linesize; } - buf -= block_h * buf_linesize + start_x * sizeof(pixel); + buf -= block_h * buf_linesize + start_x * (ptrdiff_t)sizeof(pixel); while (block_h--) { pixel *bufp = (pixel *) buf; From 86a50643abac69e06f50d6bb2b93ace7e7c22b56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 18:59:16 +0100 Subject: [PATCH 137/562] avcodec/utils: allocate a line more for VC1 and WMV3 Fixes: out of array read on 32bit Fixes: 54857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5840588224462848 The chroma MC code reads over the currently allocated frame. Alternative fixes would be allocating a few bytes more at the end instead of a whole line extra or to adjust the threshold where the edge emu code is activated Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01636a63d452c592ece35af6f72bb7affcad58f2) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 1e448a562b..9249c46bee 100644 --- a/libavcodec/utils.c 
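Review bot: The `(ptrdiff_t)` cast is applied to the `src` adjustment and, in the second hunk, to the `buf -=` adjustment, but the context line `buf += start_x * sizeof(pixel);` in ff_emulated_edge_mc keeps the unsigned form. That line is probably harmless as long as `start_x` is non-negative, yet the two halves of the same round trip on `buf` now use different arithmetic. I would write it as `buf += start_x * (ptrdiff_t)sizeof(pixel);` so all three offsets are computed the same way.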
+++ b/libavcodec/utils.c @@ -322,6 +322,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || + s->codec_id == AV_CODEC_ID_VC1 || s->codec_id == AV_CODEC_ID_WMV3 || s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A ) { From 44c1e6ed2cc2b577cb98a0092e61072aa4ae0820 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 19:39:38 +0100 Subject: [PATCH 138/562] avcodec/utils: Ensure linesize for SVQ3 Fixes: Assertion block_w * sizeof(uint8_t) <= ((buf_linesize) >= 0 ? (buf_linesize) : (-(buf_linesize)) Fixes: 54861/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5352418248622080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4eef658ca59d3d6ba46ab52a36d7faf5fe820874) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 9249c46bee..ef5c785ced 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -336,6 +336,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, // the next rounded up width is 32 *width = FFMAX(*width, 32); } + if (s->codec_id == AV_CODEC_ID_SVQ3) { + *width = FFMAX(*width, 32); + } for (i = 0; i < 4; i++) linesize_align[i] = STRIDE_ALIGN; From 2d6c2b6dc200aa5627aa22c2e36fd5e90e44a094 Mon Sep 17 00:00:00 2001 
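Review bot: The SVQ3 block in avcodec_align_dimensions2() raises `*width` to 32 without a comment, directly after a block that explains the same value. The commit message ties it to an edge-emulation assertion on `buf_linesize`, and that reason belongs next to the code, for example `// SVQ3 edge emulation needs a linesize of at least 32`. The exact requirement is inferred from the commit message, so the wording should be confirmed by someone who knows the decoder.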
From: Michael Niedermayer Date: Wed, 11 Jan 2023 20:42:23 +0100 Subject: [PATCH 139/562] avcodec/bink: Fix off by 1 error in ref end Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6657932926517248 Alterantivly to this it is possibly to allocate a bigger array Note: oss-fuzz assigned this issue to a unrelated theora bug so the bug number matches that Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49487045dde6f69194332aac51fd4e598e19c7b6) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 3ba3068e0b..5a261e4a2d 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -871,7 +871,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw) * 8; + ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; From e1b1ead9e3563a1d460a62290f0da904df4f70b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 20:50:39 +0100 Subject: [PATCH 140/562] avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() Signed-off-by: Michael Niedermayer (cherry picked from commit ea9deafd3b13233802c4548c4c58a707d76805a3) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 5a261e4a2d..795b433601 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c 
@@ -871,7 +871,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8; + ref_end = frame->data[plane_idx] + ((bh - 1) * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; @@ -927,7 +927,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8*stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->put_pixels_tab(dst, ref, stride, 8); @@ -943,7 +943,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->put_pixels_tab(dst, ref, stride, 8); @@ -975,7 +975,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->put_pixels_tab(dst, ref, stride, 8); From fbe44d7a82a453141ebf165937f8d6ad5aa0877f Mon Sep 17 00:00:00 2001 
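Review bot: The rewritten test `ref < ref_start || ref > ref_end` in binkb_decode_plane() still compares a pointer that has already been formed by `ref = dst + xoff + yoff * stride;`, so for hostile offsets the out-of-array pointer the commit title refers to exists before the check runs. The same applies to the hunks at -943 and -975. Checking the offset as an integer first avoids that: `ptrdiff_t off = (dst - ref_start) + xoff + yoff * stride;` followed by `if (off < 0 || off > ref_end - ref_start)`, and only then computing `ref`. Since `ref_end` now means the last valid block start rather than the end of the plane, a one-line comment at its assignment would also help.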
From: Michael Niedermayer Date: Thu, 12 Jan 2023 22:05:07 +0100 Subject: [PATCH 141/562] avcodec/xpmdec: Check size before allocation to avoid truncation Fixes:OOM Fixes:out of array access (no testcase) Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 95f0f84dae4f040d91f1e60dc5438612c58e8906) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 26d076d2e8..2941bdc32c 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -355,6 +355,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p, return AVERROR_INVALIDDATA; } + if (size > SIZE_MAX / 4) + return AVERROR(ENOMEM); + size *= 4; ptr += mod_strcspn(ptr, ",") + 1; From 0b6c4936ddc8d39cd929fa34ed3a329df81a43a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 23:42:59 +0100 Subject: [PATCH 142/562] avcodec/motionpixels: Mask pixels to valid values Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-6724203352555520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ac6eec1fc258efce219e4fccb84312a1b13a7a23) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 29454fd242..4ac00daae9 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c 
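Review bot: The guard `size > SIZE_MAX / 4` in xpm_decode_frame() protects the allocation only if `size` is non-negative here and its own type can hold `size * 4`, and the declaration of `size` is outside the hunk. I would document that assumption at the check, `/* size * 4 is passed to the allocator as size_t; it must not wrap on 32-bit */`. It is also worth confirming that the allocation call cannot wrap when it adds its own padding to a value just under `SIZE_MAX`.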
@@ -185,7 +185,7 @@ static YuvPixel mp_get_yuv_from_rgb(MotionPixelsContext *mp, int x, int y) int color; color = *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2]; - return mp_rgb_yuv_table[color]; + return mp_rgb_yuv_table[color & 0x7FFF]; } static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const YuvPixel *p) From 9886e4c3b0880b167dbfdad722fb654c58cdc977 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 12 Nov 2022 15:19:21 +0100 Subject: [PATCH 143/562] avcodec/smcenc: stop accessing out of bounds frame (cherry picked from commit 13c13109759090b7f7182480d075e13b36ed8edd) Signed-off-by: Michael Niedermayer --- libavcodec/smcenc.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c index e1137098d0..1129da0dfd 100644 --- a/libavcodec/smcenc.c +++ b/libavcodec/smcenc.c @@ -61,6 +61,7 @@ typedef struct SMCContext { { \ row_ptr += stride * 4; \ pixel_ptr = row_ptr; \ + cur_y += 4; \ } \ } \ } @@ -117,6 +118,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, const uint8_t *prev_pixels = (const uint8_t *)s->prev_frame->data[0]; uint8_t *distinct_values = s->distinct_values; const uint8_t *pixel_ptr, *row_ptr; + const int height = frame->height; const int width = frame->width; uint8_t block_values[16]; int block_counter = 0; @@ -125,13 +127,14 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, int color_octet_index = 0; int color_table_index; /* indexes to color pair, quad, or octet tables */ int total_blocks; + int cur_y = 0; memset(s->color_pairs, 0, sizeof(s->color_pairs)); memset(s->color_quads, 0, sizeof(s->color_quads)); memset(s->color_octets, 0, sizeof(s->color_octets)); /* Number of 4x4 blocks in frame. */ - total_blocks = ((frame->width + 3) / 4) * ((frame->height + 3) / 4); + total_blocks = ((width + 3) / 4) * ((height + 3) / 4); pixel_ptr = row_ptr = src_pixels; 
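Review bot: The mask `0x7FFF` in mp_get_yuv_from_rgb() is a bare constant whose correctness depends on the size of `mp_rgb_yuv_table`, which is declared outside the hunk. A comment such as `/* RGB555: bit 15 is not a colour bit; the mask keeps the index inside the table */` states the invariant. If the table size is a compile-time array length, deriving the mask from it would keep the two from drifting apart.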
@@ -145,11 +148,13 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, int cache_index; int distinct = 0; int blocks = 0; + int frame_y = cur_y; while (prev_pixels && s->key_frame == 0 && block_counter + inter_skip_blocks < total_blocks) { + const int y_size = FFMIN(4, height - cur_y); int compare = 0; - for (int y = 0; y < 4; y++) { + for (int y = 0; y < y_size; y++) { const ptrdiff_t offset = pixel_ptr - src_pixels; const uint8_t *prev_pixel_ptr = prev_pixels + offset; @@ -170,8 +175,10 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, pixel_ptr = xpixel_ptr; row_ptr = xrow_ptr; + cur_y = frame_y; while (block_counter > 0 && block_counter + intra_skip_blocks < total_blocks) { + const int y_size = FFMIN(4, height - cur_y); const ptrdiff_t offset = pixel_ptr - src_pixels; const int sy = offset / stride; const int sx = offset % stride; @@ -180,7 +187,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, const uint8_t *old_pixel_ptr = src_pixels + nx + ny * stride; int compare = 0; - for (int y = 0; y < 4; y++) { + for (int y = 0; y < y_size; y++) { compare |= memcmp(old_pixel_ptr + y * stride, pixel_ptr + y * stride, 4); if (compare) break; @@ -197,9 +204,11 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, pixel_ptr = xpixel_ptr; row_ptr = xrow_ptr; + cur_y = frame_y; while (block_counter + coded_blocks < total_blocks && coded_blocks < 256) { - for (int y = 0; y < 4; y++) + const int y_size = FFMIN(4, height - cur_y); + for (int y = 0; y < y_size; y++) memcpy(block_values + y * 4, pixel_ptr + y * stride, 4); qsort(block_values, 16, sizeof(block_values[0]), smc_cmp_values); @@ -224,6 +233,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, pixel_ptr = xpixel_ptr; row_ptr = xrow_ptr; + cur_y = frame_y; blocks = coded_blocks; distinct = coded_distinct; From 7c234248f859baa35e55c3dbbb7a359eae1c5257 Mon Sep 17 00:00:00 2001 
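Review bot: In the hunk at -197 of smc_encode_stream() the copy loop now fills only `y_size` rows of `block_values`, but the following `qsort(block_values, 16, ...)` still sorts all 16 entries. For a bottom-edge block the remaining rows are uninitialised on the first pass, or hold values from the previous block. Either sort only what was copied, `qsort(block_values, y_size * 4, sizeof(block_values[0]), smc_cmp_values);`, or fill the missing rows before sorting. The code that consumes the sorted values is outside the hunk and would need the same count. The 4-byte `memcmp`/`memcpy` per row is also not clipped against `width`, so the right edge relies on row padding.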
From: Paul B Mahol Date: Sat, 12 Nov 2022 16:12:00 +0100 Subject: [PATCH 144/562] avcodec/rpzaenc: stop accessing out of bounds frame (cherry picked from commit 92f9b28ed84a77138105475beba16c146bdaf984) Signed-off-by: Michael Niedermayer --- libavcodec/rpzaenc.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/rpzaenc.c b/libavcodec/rpzaenc.c index 50b68bb8b3..3888a5b91e 100644 --- a/libavcodec/rpzaenc.c +++ b/libavcodec/rpzaenc.c @@ -205,7 +205,7 @@ static void get_max_component_diff(BlockInfo *bi, uint16_t *block_ptr, // loop thru and compare pixels for (y = 0; y < bi->block_height; y++) { - for (x = 0; x < bi->block_width; x++){ + for (x = 0; x < bi->block_width; x++) { // TODO: optimize min_r = FFMIN(R(block_ptr[x]), min_r); min_g = FFMIN(G(block_ptr[x]), min_g); @@ -277,7 +277,7 @@ static int leastsquares(uint16_t *block_ptr, BlockInfo *bi, return -1; for (i = 0; i < bi->block_height; i++) { - for (j = 0; j < bi->block_width; j++){ + for (j = 0; j < bi->block_width; j++) { x = GET_CHAN(block_ptr[j], xchannel); y = GET_CHAN(block_ptr[j], ychannel); sumx += x; @@ -324,7 +324,7 @@ static int calc_lsq_max_fit_error(uint16_t *block_ptr, BlockInfo *bi, int max_err = 0; for (i = 0; i < bi->block_height; i++) { - for (j = 0; j < bi->block_width; j++){ + for (j = 0; j < bi->block_width; j++) { int x_inc, lin_y, lin_x; x = GET_CHAN(block_ptr[j], xchannel); y = GET_CHAN(block_ptr[j], ychannel); @@ -419,7 +419,9 @@ static void update_block_in_prev_frame(const uint16_t *src_pixels, uint16_t *dest_pixels, const BlockInfo *bi, int block_counter) { - for (int y = 0; y < 4; y++) { + const int y_size = FFMIN(4, bi->image_height - bi->row * 4); + + for (int y = 0; y < y_size; y++) { memcpy(dest_pixels, src_pixels, 8); dest_pixels += bi->rowstride; src_pixels += bi->rowstride; 
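Review bot: update_block_in_prev_frame() now clips the row count with `FFMIN(4, bi->image_height - bi->row * 4)`, but each row is still copied with a fixed `memcpy(dest_pixels, src_pixels, 8)`, so a block at the right edge still touches four pixels per row. The sixteen-colour path at -729 has the same shape: `y_size` is clipped while the inner loop reads `row_ptr[x]` for all four columns. Other functions in this file iterate over `bi->block_width` and `bi->block_height`; if those fields already hold the clipped block size, using them here, e.g. `memcpy(dest_pixels, src_pixels, bi->block_width * 2);`, would cover both directions and avoid recomputing the height. How BlockInfo is filled is outside the hunk.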
@@ -729,14 +731,15 @@ post_skip : if (err > s->sixteen_color_thresh) { // DO SIXTEEN COLOR BLOCK uint16_t *row_ptr; - int rgb555; + int y_size, rgb555; block_offset = get_block_info(&bi, block_counter); row_ptr = &src_pixels[block_offset]; + y_size = FFMIN(4, bi.image_height - bi.row * 4); - for (int y = 0; y < 4; y++) { - for (int x = 0; x < 4; x++){ + for (int y = 0; y < y_size; y++) { + for (int x = 0; x < 4; x++) { rgb555 = row_ptr[x] & ~0x8000; put_bits(&s->pb, 16, rgb555); @@ -744,6 +747,11 @@ post_skip : row_ptr += bi.rowstride; } + for (int y = y_size; y < 4; y++) { + for (int x = 0; x < 4; x++) + put_bits(&s->pb, 16, 0); + } + block_counter++; } else { // FOUR COLOR BLOCK block_counter += encode_four_color_block(min_color, max_color, From 75ece79ff408148afab20cfaf9ecac9f59fb46a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Feb 2023 20:24:26 +0100 Subject: [PATCH 145/562] Use https for repository links Reviewed-by: Stefano Sabatini Signed-off-by: Michael Niedermayer (cherry picked from commit 011f30fc8205eff8e775d04afb98e02685cd8a7a) Signed-off-by: Michael Niedermayer --- CREDITS | 4 ++-- doc/authors.texi | 4 ++-- doc/git-howto.texi | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CREDITS b/CREDITS index e29f0b853c..f1aea93d6b 100644 --- a/CREDITS +++ b/CREDITS @@ -1,6 +1,6 @@ -See the Git history of the project (git://source.ffmpeg.org/ffmpeg) to +See the Git history of the project (https://git.ffmpeg.org/ffmpeg) to get the names of people who have contributed to FFmpeg. To check the log, you can type the command "git log" in the FFmpeg source directory, or browse the online repository at -http://source.ffmpeg.org. +https://git.ffmpeg.org/ffmpeg diff --git a/doc/authors.texi b/doc/authors.texi index 6c8c1d7efa..ce088392f8 100644 --- a/doc/authors.texi +++ b/doc/authors.texi 
@@ -3,9 +3,9 @@ The FFmpeg developers. For details about the authorship, see the Git history of the project -(git://source.ffmpeg.org/ffmpeg), e.g. by typing the command +(https://git.ffmpeg.org/ffmpeg), e.g. by typing the command @command{git log} in the FFmpeg source directory, or browsing the -online repository at @url{http://source.ffmpeg.org}. +online repository at @url{https://git.ffmpeg.org/ffmpeg}. Maintainers for the specific components are listed in the file @file{MAINTAINERS} in the source code tree. diff --git a/doc/git-howto.texi b/doc/git-howto.texi index 5bb39bb986..f4e2f2ec23 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -53,7 +53,7 @@ Most distribution and operating system provide a package for it. @section Cloning the source tree @example -git clone git://source.ffmpeg.org/ffmpeg +git clone https://git.ffmpeg.org/ffmpeg.git @end example This will put the FFmpeg sources into the directory @var{}. From 0dca540766d7970ebfac2c35e035ce4ea512d74e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 22:25:04 +0100 Subject: [PATCH 146/562] avcodec/escape124: fix signdness of end of input check Fixes: Timeout Fixes: 56561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5560363635834880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87ad0a5dd7d12c91badc215c3b5d6745fa7acb02) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 2fdffff13a..c83acad4f9 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c 
@@ -89,7 +89,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < size * 34) + if (size >= INT_MAX / 34 || get_bits_left(gb) < (int)size * 34) return cb; if (size >= INT_MAX / sizeof(MacroBlock)) From 405bfbd87356019668ee80ebf2bc9479f778146b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 22:37:44 +0100 Subject: [PATCH 147/562] avcodec/escape124: Fix some return codes Signed-off-by: Michael Niedermayer (cherry picked from commit 98df605f7a8e80471a113f7beb0983c90aa84525) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index c83acad4f9..0f996bf95c 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -89,11 +89,6 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < (int)size * 34) - return cb; - - if (size >= INT_MAX / sizeof(MacroBlock)) - return cb; cb.blocks = av_malloc(size ? size * sizeof(MacroBlock) : 1); if (!cb.blocks) return cb; @@ -225,7 +220,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, AVFrame *frame, // represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) - return -1; + return AVERROR_INVALIDDATA; frame_flags = get_bits_long(&gb, 32); frame_size = get_bits_long(&gb, 32); 
@@ -276,9 +271,14 @@ static int escape124_decode_frame(AVCodecContext *avctx, AVFrame *frame, } av_freep(&s->codebooks[i].blocks); + if (cb_size >= INT_MAX / 34 || get_bits_left(&gb) < (int)cb_size * 34) + return AVERROR_INVALIDDATA; + + if (cb_size >= INT_MAX / sizeof(MacroBlock)) + return AVERROR_INVALIDDATA; s->codebooks[i] = unpack_codebook(&gb, cb_depth, cb_size); if (!s->codebooks[i].blocks) - return -1; + return AVERROR(ENOMEM); } } From 43ea18703c376b9a8fbfb9287efc1c534378e775 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Nov 2022 23:34:33 +0100 Subject: [PATCH 148/562] avcodec/mpeg12dec: Check input size Fixes: Timeout Fixes: 53599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IPU_fuzzer-4950102511058944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c130d6911f5b09bfc648f6ae678c4c0749f61bb) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index ed1d09fc62..0e8627c4a4 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2978,6 +2978,10 @@ static int ipu_decode_frame(AVCodecContext *avctx, AVFrame *frame, GetBitContext *gb = &m->gb; int ret; + // Check for minimal intra MB size (considering mb header, luma & chroma dc VLC, ac EOB VLC) + if (avpkt->size*8LL < (avctx->width+15)/16 * ((avctx->height+15)/16) * (2 + 3*4 + 2*2 + 2*6)) + return AVERROR_INVALIDDATA; + ret = ff_get_buffer(avctx, frame, 0); if (ret < 0) return ret; From 643318bba263d477309e7fe40eea95d3397c8c13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Mar 2023 14:53:52 +0100 Subject: [PATCH 149/562] update for 5.1.3 Signed-off-by: Michael Niedermayer --- Changelog | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 62 insertions(+), 2 deletions(-) 
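Review bot: The two new `cb_size` checks sit after `av_freep(&s->codebooks[i].blocks)`, so when they return AVERROR_INVALIDDATA the entry keeps a NULL `blocks` pointer while its other fields are not reset in the visible lines. Before this commit the same rejection went through `s->codebooks[i] = unpack_codebook(...)`, which stored a zeroed `CodeBook`. Moving both checks above the `av_freep()` call (cb_size appears to be computed before the hunk) would leave the previous codebook intact on rejected input. Since unpack_codebook() no longer bounds `size * sizeof(MacroBlock)` itself, a comment there such as `/* caller must ensure size < INT_MAX / sizeof(MacroBlock) */` would document the new precondition. escape124_decode_frame() continues outside the hunk.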
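Review bot: In the new size check of ipu_decode_frame() only the left side is widened (`avpkt->size*8LL`); the macroblock-count product on the right is still evaluated in `int`. That is safe only while width and height were bounded before this function runs, which the hunk does not show. Widening the first factor, `(int64_t)((avctx->width+15)/16) * ((avctx->height+15)/16) * (2 + 3*4 + 2*2 + 2*6)`, makes the comparison independent of that assumption. The function body continues outside the hunk.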
diff --git a/Changelog b/Changelog index 86f547c9bb..021d8c9a9e 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,66 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 5.1.3: +- avcodec/mpeg12dec: Check input size +- avcodec/escape124: Fix some return codes +- avcodec/escape124: fix signdness of end of input check +- Use https for repository links +- avcodec/rpzaenc: stop accessing out of bounds frame +- avcodec/smcenc: stop accessing out of bounds frame +- avcodec/motionpixels: Mask pixels to valid values +- avcodec/xpmdec: Check size before allocation to avoid truncation +- avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() +- avcodec/bink: Fix off by 1 error in ref end +- avcodec/utils: Ensure linesize for SVQ3 +- avcodec/utils: allocate a line more for VC1 and WMV3 +- avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things +- avcodec/pngdec: dont skip/read chunk twice +- avcodec/pngdec: Check deloco index more exactly +- avcodec/ffv1dec: Check that num h/v slices is supported +- avformat/mov: Check samplesize and offset to avoid integer overflow +- lavu/vulkan: fix handle type for 32-bit targets +- vulkan: Fix win/i386 calling convention +- avcodec/pictordec: Remove mid exit branch +- avcodec/eac3dec: avoid float noise in fixed mode addition to overflow +- avcodec/utils: use 32pixel alignment for bink +- avcodec/scpr3: Check bx +- avcodec/012v: Order operations for odd size handling +- avcodec/eatgq: : Check index increments in tgq_decode_block() +- avcodec/h274: fix include +- avcodec/scpr: Test bx before use +- avformat/mxfdec: Use 64bit in remainder +- avcodec/sunrast: Fix maplength check +- avcodec/wavpack: Avoid undefined shift in get_tail() +- avcodec/wavpack: Check for end of input in wv_unpack_dsd_high() +- avformat/id3v2: Check taglen in read_uslt() +- avcodec/tiff: Ignore tile_count +- avcodec/ffv1dec: restructure slice coordinate reading a bit +- avcodec/mlpdec: Check max matrix instead of max channel in noise check 
+- avutil/tx: Use unsigned in ff_tx_fft_sr_combine() to avoid undefined behavior +- swscale/input: Use more unsigned intermediates +- avcodec/alsdec: Check bits left before block decoding in non multi channel coding loop +- avcodec/alsdec: The minimal block is at least 7 bits +- avformat/replaygain: avoid undefined / negative abs +- swscale/output: Bias 16bps output calculations to improve non overflowing range for GBRP16/GBRPF32 +- swscale/output: Bias 16bps output calculations to improve non overflowing range +- avcodec/speedhq: Check buf_size to be big enough for DC +- avcodec/ffv1dec: Fail earlier if prior context is corrupted +- avcodec/speexdec: Check channels > 2 +- avformat/vividas: Check packet size +- hwcontext_vulkan: remove optional encode/decode extensions from the list +- avcodec/libjxldec: fix gamma22 and gamma28 recognition +- avcodec/mpeg12dec: use init_get_bits8 and check the return value +- avcodec/nvenc: fix vbv buffer size in cq mode +- avcodec/mjpegenc: take into account component count when writing the SOF header size +- swscale: aarch64: Fix yuv2rgb with negative strides +- avcodec/atrac3plus: reorder channels to match the output layout +- avcodec/aacdec: fix parsing streams with channel configuration 11 +- libswscale: force a minimum size of the slide for bayer sources +- lavf/async: Fix ring_write return value +- avcodec/audiotoolboxenc: return AVERROR_EXTERNAL immediately when encode error +- avcodec/libjxlenc: avoid hard failure with unspecified primaries + version 5.1.2: - avcodec/dstdec: Check for overflow in build_filter() - avformat/spdifdec: Use 64bit to compute bit rate diff --git a/RELEASE b/RELEASE index 61fcc87350..cdb98d26e4 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -5.1.2 +5.1.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 6c24f81ffc..3ab0032ea2 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 5.1.2 +PROJECT_NUMBER = 5.1.3 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 35534218885d83505331b6782594298810757823 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 16 Mar 2023 11:27:50 -0300 Subject: [PATCH 150/562] avfilter/vf_untile: swap the chroma shift values used for plane offsets Fixes ticket #10265 Signed-off-by: James Almer (cherry picked from commit dc61d5cf195bc6de9263883c42a58348863e6d4f) --- libavfilter/vf_untile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_untile.c b/libavfilter/vf_untile.c index 5d7709d68c..c8dafd1e60 100644 --- a/libavfilter/vf_untile.c +++ b/libavfilter/vf_untile.c @@ -134,8 +134,8 @@ static int activate(AVFilterContext *ctx) if (!(s->desc->flags & AV_PIX_FMT_FLAG_PAL)) { for (i = 1; i < 3; i ++) { if (out->data[i]) { - out->data[i] += (y >> s->desc->log2_chroma_w) * out->linesize[i]; - out->data[i] += (x >> s->desc->log2_chroma_h) * s->max_step[i]; + out->data[i] += (y >> s->desc->log2_chroma_h) * out->linesize[i]; + out->data[i] += (x >> s->desc->log2_chroma_w) * s->max_step[i]; } } } From 29412c75eb5a6307c6cf48975cdb85892952a739 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Mar 2023 19:07:47 +0100 Subject: [PATCH 151/562] avcodec/tests/snowenc: unbreak DWT tests the IDWT data type mismatched current code Signed-off-by: Michael Niedermayer (cherry picked from commit 8b3351bbead47f7f306621b45c8f2391b6bd23d2) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index e423ab0541..8064309144 100644 --- a/libavcodec/tests/snowenc.c 
+++ b/libavcodec/tests/snowenc.c @@ -31,6 +31,7 @@ int main(void){ #define width 256 #define height 256 int buffer[2][width*height]; + short obuffer[width*height]; SnowContext s; int i; AVLFG prng; @@ -49,24 +50,28 @@ int main(void){ printf("testing 5/3 DWT\n"); for(i=0; i20) printf("fsck: %6d %12d %7d\n",i, buffer[0][i], buffer[1][i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); { int level, orientation, x, y; @@ -87,12 +92,12 @@ int main(void){ if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; - memset(buffer[0], 0, sizeof(int)*width*height); + memset(obuffer, 0, sizeof(short)*width*height); buf[w/2 + h/2*stride]= 256*256; - ff_spatial_idwt((IDWTELEM*)buffer[0], s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); + ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y Date: Fri, 24 Mar 2023 00:18:06 +0100 Subject: [PATCH 152/562] avcodec/snowenc: Fix visual weight calculation Signed-off-by: Michael Niedermayer (cherry picked from commit 5b5fcadea059ab458a886261a5b7a1cc134b517a) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 8 ++++++-- tests/ref/seek/vsynth_lena-snow | 28 +++++++++++++------------- tests/ref/vsynth/vsynth1-snow | 8 ++++---- tests/ref/vsynth/vsynth1-snow-hpel | 8 ++++---- tests/ref/vsynth/vsynth2-snow | 8 ++++---- tests/ref/vsynth/vsynth2-snow-hpel | 8 ++++---- tests/ref/vsynth/vsynth_lena-snow | 8 ++++---- tests/ref/vsynth/vsynth_lena-snow-hpel | 8 ++++---- 8 files changed, 44 insertions(+), 40 deletions(-) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 207948675b..a0a4af82d9 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c 
@@ -1533,10 +1533,10 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ int level, orientation, x, y; for(level=0; levelspatial_decomposition_count; level++){ + int64_t error=0; for(orientation=level ? 1 : 0; orientation<4; orientation++){ SubBand *b= &p->band[level][orientation]; IDWTELEM *ibuf= b->ibuf; - int64_t error=0; memset(s->spatial_idwt_buffer, 0, sizeof(*s->spatial_idwt_buffer)*width*height); ibuf[b->width/2 + b->height/2*b->stride]= 256*16; @@ -1547,9 +1547,13 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ error += d*d; } } - + if (orientation == 2) + error /= 2; b->qlog= (int)(QROOT * log2(352256.0/sqrt(error)) + 0.5); + if (orientation != 1) + error = 0; } + p->band[level][1].qlog = p->band[level][2].qlog; } } diff --git a/tests/ref/seek/vsynth_lena-snow b/tests/ref/seek/vsynth_lena-snow index 33d6c27463..b2d2d22cda 100644 --- a/tests/ref/seek/vsynth_lena-snow +++ b/tests/ref/seek/vsynth_lena-snow 
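Review bot: The reworked loop in calculate_visual_weight() carries `error` from orientation 1 into orientation 2, halves it, and then copies the orientation-2 `qlog` back to orientation 1, but no comment says so; `if (orientation != 1) error = 0;` in particular reads like a mistake without context. A comment above the inner loop such as `/* orientations 1 and 2 share one weight: sum both errors, halve the sum, and use the resulting qlog for both */` would make the intent reviewable. Separately, `log2(352256.0/sqrt(error))` has no guard for `error == 0`; whether that can occur depends on code between the two hunks that is not shown.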
@@ -2,45 +2,45 @@ ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:0 ts:-1.000000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret: 0 st: 0 flags:0 ts:-0.040000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 
0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:1 ts: 0.200839 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:0 ts:-0.920000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/vsynth/vsynth1-snow b/tests/ref/vsynth/vsynth1-snow index f20abd2ee4..b0e3a0bfd7 100644 --- a/tests/ref/vsynth/vsynth1-snow +++ b/tests/ref/vsynth/vsynth1-snow 
@@ -1,4 +1,4 @@ -67c10f8d52fcd1103caa675a1408bf6e *tests/data/fate/vsynth1-snow.avi -136088 tests/data/fate/vsynth1-snow.avi -bfc0bcc4bc7b956933aa58acc587018d *tests/data/fate/vsynth1-snow.out.rawvideo -stddev: 22.77 PSNR: 20.98 MAXDIFF: 175 bytes: 7603200/ 7603200 +c4c77a6fb926b89fe6591c398f5cd4db *tests/data/fate/vsynth1-snow.avi +136160 tests/data/fate/vsynth1-snow.avi +dcf8b3f62d9c3ae2b2d0fbbacbf83e4e *tests/data/fate/vsynth1-snow.out.rawvideo +stddev: 22.74 PSNR: 20.99 MAXDIFF: 173 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth1-snow-hpel b/tests/ref/vsynth/vsynth1-snow-hpel index 39780ad8a2..72b082b2ce 100644 --- a/tests/ref/vsynth/vsynth1-snow-hpel +++ b/tests/ref/vsynth/vsynth1-snow-hpel @@ -1,4 +1,4 @@ -e62ae25d5040d04622a965bcb27fdb1e *tests/data/fate/vsynth1-snow-hpel.avi -138446 tests/data/fate/vsynth1-snow-hpel.avi -57c914cd150f8fc260b5989ce3e5884c *tests/data/fate/vsynth1-snow-hpel.out.rawvideo -stddev: 22.74 PSNR: 20.99 MAXDIFF: 172 bytes: 7603200/ 7603200 +5c9eb93646eb0e5570d37e9adc9625e4 *tests/data/fate/vsynth1-snow-hpel.avi +138580 tests/data/fate/vsynth1-snow-hpel.avi +3382bdde624d8bb4af206a5ac6614605 *tests/data/fate/vsynth1-snow-hpel.out.rawvideo +stddev: 22.71 PSNR: 21.00 MAXDIFF: 171 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-snow b/tests/ref/vsynth/vsynth2-snow index e9607bb7d0..355f89d5f4 100644 --- a/tests/ref/vsynth/vsynth2-snow +++ b/tests/ref/vsynth/vsynth2-snow @@ -1,4 +1,4 @@ -0a41e73ddd2f54936490655b46dad4a3 *tests/data/fate/vsynth2-snow.avi -72868 tests/data/fate/vsynth2-snow.avi -34a75f5cf8a71159f1a572d9cedcfef9 *tests/data/fate/vsynth2-snow.out.rawvideo -stddev: 13.73 PSNR: 25.37 MAXDIFF: 162 bytes: 7603200/ 7603200 +5e130d6a48b69348eee7f7c76c5869a3 *tests/data/fate/vsynth2-snow.avi +72942 tests/data/fate/vsynth2-snow.avi +9b6cee60e3ec0d1f312a8a25a7878fcc *tests/data/fate/vsynth2-snow.out.rawvideo +stddev: 13.39 PSNR: 25.59 MAXDIFF: 154 bytes: 7603200/ 7603200 
diff --git a/tests/ref/vsynth/vsynth2-snow-hpel b/tests/ref/vsynth/vsynth2-snow-hpel index 66839fd6f6..ec3b5dfad2 100644 --- a/tests/ref/vsynth/vsynth2-snow-hpel +++ b/tests/ref/vsynth/vsynth2-snow-hpel @@ -1,4 +1,4 @@ -9bc409e4794ee50691a26c9c836d31a7 *tests/data/fate/vsynth2-snow-hpel.avi -79728 tests/data/fate/vsynth2-snow-hpel.avi -2cc64d8171175a1532fd7d3ed3011fbf *tests/data/fate/vsynth2-snow-hpel.out.rawvideo -stddev: 13.70 PSNR: 25.39 MAXDIFF: 162 bytes: 7603200/ 7603200 +8edcf0fd7f066972ff77d5b891ed6dde *tests/data/fate/vsynth2-snow-hpel.avi +79798 tests/data/fate/vsynth2-snow-hpel.avi +7e0f2a24feda6fb3e54b85511a28c45f *tests/data/fate/vsynth2-snow-hpel.out.rawvideo +stddev: 13.35 PSNR: 25.62 MAXDIFF: 157 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow b/tests/ref/vsynth/vsynth_lena-snow index ec29a78483..582c294531 100644 --- a/tests/ref/vsynth/vsynth_lena-snow +++ b/tests/ref/vsynth/vsynth_lena-snow @@ -1,4 +1,4 @@ -8e96f337e8f4ccac7d72ef517e1d2208 *tests/data/fate/vsynth_lena-snow.avi -57680 tests/data/fate/vsynth_lena-snow.avi -90963cfd2359d460001c94d94256dc2b *tests/data/fate/vsynth_lena-snow.out.rawvideo -stddev: 10.48 PSNR: 27.72 MAXDIFF: 119 bytes: 7603200/ 7603200 +bf2cf9cacc1d98388798be98872049ee *tests/data/fate/vsynth_lena-snow.avi +57604 tests/data/fate/vsynth_lena-snow.avi +707a42eb20195913be55ba8dfadf72fb *tests/data/fate/vsynth_lena-snow.out.rawvideo +stddev: 10.37 PSNR: 27.81 MAXDIFF: 120 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow-hpel b/tests/ref/vsynth/vsynth_lena-snow-hpel index 2d6edd8a79..67effebc8a 100644 --- a/tests/ref/vsynth/vsynth_lena-snow-hpel +++ b/tests/ref/vsynth/vsynth_lena-snow-hpel 
@@ -1,4 +1,4 @@ -56b14cb1cbb637536233982e87f7ac3e *tests/data/fate/vsynth_lena-snow-hpel.avi -61764 tests/data/fate/vsynth_lena-snow-hpel.avi -244b0266127fa354d8485234b2c388e4 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo -stddev: 10.45 PSNR: 27.74 MAXDIFF: 119 bytes: 7603200/ 7603200 +c6ec87a11415a99b1a781f9f5bacb722 *tests/data/fate/vsynth_lena-snow-hpel.avi +61814 tests/data/fate/vsynth_lena-snow-hpel.avi +40f330397b7acf6bdbb3ec6d908be451 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo +stddev: 10.34 PSNR: 27.83 MAXDIFF: 118 bytes: 7603200/ 7603200 From 06dfb4fef2c8f85c066331c91d8987149b769a1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Mar 2023 00:31:40 +0100 Subject: [PATCH 153/562] avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches Signed-off-by: Michael Niedermayer (cherry picked from commit 771c266c0be29e6a1001fbd6795dd343147da1f2) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index 8064309144..19635899d9 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -37,6 +37,7 @@ int main(void){ AVLFG prng; s.spatial_decomposition_count=6; s.spatial_decomposition_type=1; + int ret = 0; s.temp_dwt_buffer = av_calloc(width, sizeof(*s.temp_dwt_buffer)); s.temp_idwt_buffer = av_calloc(width, sizeof(*s.temp_idwt_buffer)); @@ -58,7 +59,10 @@ int main(void){ ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(i=0; i20) printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) { + printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + ret = 1; + } { int level, orientation, x, y; @@ -137,5 +144,5 @@ int main(void){ } } - return 0; + return ret; } 
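Review bot: `int ret = 0;` in the first tests/snowenc.c hunk is declared after the two `s.spatial_decomposition_*` assignments, which mixes a declaration into the statements, while the other locals of main() (`SnowContext s; int i; AVLFG prng;`) are declared together above. Moving it next to them, e.g. `int i, ret = 0;`, avoids a declaration-after-statement warning on builds that enable it. main() continues outside the hunk.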
From 037c7a2eac66e144c5e12dfaa335e9e98ef87e5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Mar 2023 00:48:56 +0100 Subject: [PATCH 154/562] avcodec/tests/snowenc: Fix 2nd test (cherry picked from commit 163013c72452621624f634c706824c77222b77c5) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index 19635899d9..37198cd4e3 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -93,14 +93,14 @@ int main(void){ int w= width >> (s.spatial_decomposition_count-level); int h= height >> (s.spatial_decomposition_count-level); int stride= width << (s.spatial_decomposition_count-level); - DWTELEM *buf= buffer[0]; + IDWTELEM *buf= obuffer; int64_t error=0; if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; memset(obuffer, 0, sizeof(short)*width*height); - buf[w/2 + h/2*stride]= 256*256; + buf[w/2 + h/2*stride]= 8*256; ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y Date: Sun, 26 Mar 2023 15:12:01 +0200 Subject: [PATCH 155/562] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Changelog b/Changelog index 021d8c9a9e..b0d482a35b 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,11 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 5.1.3: +- avcodec/tests/snowenc: Fix 2nd test +- avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches +- avcodec/snowenc: Fix visual weight calculation +- avcodec/tests/snowenc: unbreak DWT tests +- update for 5.1.3 - avcodec/mpeg12dec: Check input size - avcodec/escape124: Fix some return codes - avcodec/escape124: fix signdness of end of input check 
From 00282752165a8d1e252c4a07b262d9384f618759 Mon Sep 17 00:00:00 2001 From: Kyle Manning Date: Sun, 2 Apr 2023 16:19:44 -0700 Subject: [PATCH 156/562] avcodec/nvenc: fix b-frame DTS behavior with fractional framerates When using fractional framerates (or any fraction with a numerator != 1), DTS values for packets would be calculated incorrectly. Signed-off-by: Kyle Manning Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 4450df774c..5d4989861c 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -2032,7 +2032,7 @@ static int nvenc_set_timestamp(AVCodecContext *avctx, pkt->pts = params->outputTimeStamp; pkt->dts = timestamp_queue_dequeue(ctx->timestamp_list); - pkt->dts -= FFMAX(ctx->encode_config.frameIntervalP - 1, 0) * FFMAX(avctx->ticks_per_frame, 1); + pkt->dts -= FFMAX(ctx->encode_config.frameIntervalP - 1, 0) * FFMAX(avctx->ticks_per_frame, 1) * FFMAX(avctx->time_base.num, 1); return 0; } From 796daf929a1effcb0373fb629c07cecc9069976c Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 12 Apr 2023 22:52:05 -0300 Subject: [PATCH 157/562] avformat/concatf: check if any nodes were allocated Fixes ticket #10304 Signed-off-by: James Almer (cherry picked from commit 19c2dc677f81c940aebe63ed09dacf5c725f0b35) --- libavformat/concat.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/concat.c b/libavformat/concat.c index dc0985e40c..825e43a7fa 100644 --- a/libavformat/concat.c +++ b/libavformat/concat.c @@ -296,6 +296,8 @@ static av_cold int concatf_open(URLContext *h, const char *uri, int flags) av_bprint_finalize(&bp, NULL); data->length = i; + if (!data->length) + err = AVERROR_INVALIDDATA; if (err < 0) concat_close(h); From ded3989a65fa2c03a499677172e01ee9f0489709 Mon Sep 17 00:00:00 2001 
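Review bot: The offset subtracted from `pkt->dts` in nvenc_set_timestamp() is now a product of three `int` values (`frameIntervalP - 1`, `ticks_per_frame`, `time_base.num`) and is evaluated in `int` before being applied to the 64-bit timestamp. `time_base.num` is caller-supplied, so a large numerator could overflow the product; casting the first factor, `(int64_t)FFMAX(ctx->encode_config.frameIntervalP - 1, 0) * ...`, keeps the arithmetic in 64 bits. Whether time_base is range-checked earlier is not visible from this hunk.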
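Review bot: The added `if (!data->length) err = AVERROR_INVALIDDATA;` in concatf_open() also fires when `err` already holds a failure from the code above the hunk, replacing the original error code with a generic one. Guarding it as `if (err >= 0 && !data->length)` would preserve the first error for the caller. The function starts outside the hunk, so how `err` is set before this point is inferred from the following `if (err < 0) concat_close(h);`.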
From: James Almer Date: Wed, 12 Apr 2023 22:53:33 -0300 Subject: [PATCH 158/562] avutil/wchar_filename: propagate MultiByteToWideChar() and WideCharToMultiByte() failures Don't return success if the string could not be converted. Signed-off-by: James Almer (cherry picked from commit 92885f26817b6b2515ac9fd5410c9e8be64bd0c0) --- libavutil/wchar_filename.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/wchar_filename.h b/libavutil/wchar_filename.h index 9a04a069f1..fbc0a55146 100644 --- a/libavutil/wchar_filename.h +++ b/libavutil/wchar_filename.h @@ -32,7 +32,8 @@ static inline int utf8towchar(const char *filename_utf8, wchar_t **filename_w) num_chars = MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, filename_utf8, -1, NULL, 0); if (num_chars <= 0) { *filename_w = NULL; - return 0; + errno = EINVAL; + return -1; } *filename_w = (wchar_t *)av_calloc(num_chars, sizeof(wchar_t)); if (!*filename_w) { @@ -52,7 +53,8 @@ static inline int wchartocp(unsigned int code_page, const wchar_t *filename_w, NULL, 0, NULL, NULL); if (num_chars <= 0) { *filename = NULL; - return 0; + errno = EINVAL; + return -1; } *filename = (char*)av_malloc_array(num_chars, sizeof *filename); if (!*filename) { From 58912f665ba317abb13dedd8c00432496afd76a4 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 13 Apr 2023 09:58:25 -0300 Subject: [PATCH 159/562] avcodec/aacpsy: clip global_quality within the psy_vbr_map array boundaries Fixes ticket #10317. Signed-off-by: James Almer (cherry picked from commit 5cda6b94f45c347805cbd5a0c7ed1d712b5722d7) --- libavcodec/aacpsy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index 4c5ab2c9d5..933369e445 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c 
@@ -267,7 +267,7 @@ static av_cold void lame_window_init(AacPsyContext *ctx, AVCodecContext *avctx) AacPsyChannel *pch = &ctx->ch[i]; if (avctx->flags & AV_CODEC_FLAG_QSCALE) - pch->attack_threshold = psy_vbr_map[avctx->global_quality / FF_QP2LAMBDA].st_lrm; + pch->attack_threshold = psy_vbr_map[av_clip(avctx->global_quality / FF_QP2LAMBDA, 0, 10)].st_lrm; else pch->attack_threshold = lame_calc_attack_threshold(avctx->bit_rate / avctx->ch_layout.nb_channels / 1000); From c36f69d7e357b9043396d325debdfed6d49e5741 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 13 Apr 2023 10:19:57 -0300 Subject: [PATCH 160/562] avcodec/mp_cmp: reject invalid comparison function values Fixes tickets #10306 and #10318. Signed-off-by: James Almer (cherry picked from commit 7c6e26a18403376987541f1ca801ae225f8ee6d4) --- libavcodec/dvenc.c | 4 +++- libavcodec/me_cmp.c | 9 +++++++-- libavcodec/me_cmp.h | 2 +- libavcodec/motion_est.c | 11 +++++++---- libavcodec/mpegvideo_enc.c | 6 ++++-- libavcodec/snowenc.c | 6 ++++-- 6 files changed, 26 insertions(+), 12 deletions(-) diff --git a/libavcodec/dvenc.c b/libavcodec/dvenc.c index 2922829dc5..09bbe0861c 100644 --- a/libavcodec/dvenc.c +++ b/libavcodec/dvenc.c @@ -76,7 +76,9 @@ static av_cold int dvvideo_encode_init(AVCodecContext *avctx) ff_fdctdsp_init(&fdsp, avctx); ff_me_cmp_init(&mecc, avctx); ff_pixblockdsp_init(&pdsp, avctx); - ff_set_cmp(&mecc, mecc.ildct_cmp, avctx->ildct_cmp); + ret = ff_set_cmp(&mecc, mecc.ildct_cmp, avctx->ildct_cmp); + if (ret < 0) + return AVERROR(EINVAL); s->get_pixels = pdsp.get_pixels; s->ildct_cmp = mecc.ildct_cmp[5]; diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c index d0cd14ad33..8cdd38047d 100644 --- a/libavcodec/me_cmp.c +++ b/libavcodec/me_cmp.c 
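Review bot: The upper bound `10` in `av_clip(avctx->global_quality / FF_QP2LAMBDA, 0, 10)` hard-codes the size of `psy_vbr_map`, whose definition is outside the hunk; if the table ever changes length the clip silently becomes wrong. Deriving it from the array, `av_clip(avctx->global_quality / FF_QP2LAMBDA, 0, FF_ARRAY_ELEMS(psy_vbr_map) - 1)`, ties the bound to the table. lame_window_init() continues outside the hunk.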
@@ -473,8 +473,9 @@ static int zero_cmp(MpegEncContext *s, uint8_t *a, uint8_t *b, return 0; } -void ff_set_cmp(MECmpContext *c, me_cmp_func *cmp, int type) +int ff_set_cmp(MECmpContext *c, me_cmp_func *cmp, int type) { + int ret = 0; int i; memset(cmp, 0, sizeof(void *) * 6); @@ -533,9 +534,13 @@ void ff_set_cmp(MECmpContext *c, me_cmp_func *cmp, int type) #endif default: av_log(NULL, AV_LOG_ERROR, - "internal error in cmp function selection\n"); + "invalid cmp function selection\n"); + ret = -1; + break; } } + + return ret; } #define BUTTERFLY2(o1, o2, i1, i2) \ diff --git a/libavcodec/me_cmp.h b/libavcodec/me_cmp.h index 7b057a923b..03d866c6bc 100644 --- a/libavcodec/me_cmp.h +++ b/libavcodec/me_cmp.h @@ -87,7 +87,7 @@ void ff_me_cmp_init_ppc(MECmpContext *c, AVCodecContext *avctx); void ff_me_cmp_init_x86(MECmpContext *c, AVCodecContext *avctx); void ff_me_cmp_init_mips(MECmpContext *c, AVCodecContext *avctx); -void ff_set_cmp(MECmpContext *c, me_cmp_func *cmp, int type); +int ff_set_cmp(MECmpContext *c, me_cmp_func *cmp, int type); void ff_dsputil_init_dwt(MECmpContext *c); diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 62c5b28364..741e431708 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -306,6 +306,7 @@ int ff_init_me(MpegEncContext *s){ MotionEstContext * const c= &s->me; int cache_size= FFMIN(ME_MAP_SIZE>>ME_MAP_SHIFT, 1<avctx->dia_size)&255, FFABS(s->avctx->pre_dia_size)&255); + int ret; if(FFMIN(s->avctx->dia_size, s->avctx->pre_dia_size) < -FFMIN(ME_MAP_SIZE, MAX_SAB_SIZE)){ av_log(s->avctx, AV_LOG_ERROR, "ME_MAP size is too small for SAB diamond\n"); 
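Review bot: ff_set_cmp() reports an invalid selection with `ret = -1` rather than an AVERROR code, and the callers changed in this commit disagree on what to do with it: ff_init_me() in motion_est.c returns `ret` unchanged, while the dvenc.c, mpegvideo_enc.c and snowenc.c hunks return `AVERROR(EINVAL)`. Setting `ret = AVERROR(EINVAL);` in the `default:` branch and letting callers pass it through would give one consistent error. The `break` only leaves the switch, so the message appears to be logged once per loop iteration; returning directly from the `default:` branch would avoid that. Only part of ff_set_cmp() is inside the hunk.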
@@ -321,10 +322,12 @@ int ff_init_me(MpegEncContext *s){ av_log(s->avctx, AV_LOG_INFO, "ME_MAP size may be a little small for the selected diamond size\n"); } - ff_set_cmp(&s->mecc, s->mecc.me_pre_cmp, c->avctx->me_pre_cmp); - ff_set_cmp(&s->mecc, s->mecc.me_cmp, c->avctx->me_cmp); - ff_set_cmp(&s->mecc, s->mecc.me_sub_cmp, c->avctx->me_sub_cmp); - ff_set_cmp(&s->mecc, s->mecc.mb_cmp, c->avctx->mb_cmp); + ret = ff_set_cmp(&s->mecc, s->mecc.me_pre_cmp, c->avctx->me_pre_cmp); + ret |= ff_set_cmp(&s->mecc, s->mecc.me_cmp, c->avctx->me_cmp); + ret |= ff_set_cmp(&s->mecc, s->mecc.me_sub_cmp, c->avctx->me_sub_cmp); + ret |= ff_set_cmp(&s->mecc, s->mecc.mb_cmp, c->avctx->mb_cmp); + if (ret < 0) + return ret; c->flags = get_flags(c, 0, c->avctx->me_cmp &FF_CMP_CHROMA); c->sub_flags= get_flags(c, 0, c->avctx->me_sub_cmp&FF_CMP_CHROMA); diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index c9d9e2a764..0e7c2c1ab7 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -842,8 +842,10 @@ av_cold int ff_mpv_encode_init(AVCodecContext *avctx) s->quant_precision = 5; - ff_set_cmp(&s->mecc, s->mecc.ildct_cmp, avctx->ildct_cmp); - ff_set_cmp(&s->mecc, s->mecc.frame_skip_cmp, s->frame_skip_cmp); + ret = ff_set_cmp(&s->mecc, s->mecc.ildct_cmp, avctx->ildct_cmp); + ret |= ff_set_cmp(&s->mecc, s->mecc.frame_skip_cmp, s->frame_skip_cmp); + if (ret < 0) + return AVERROR(EINVAL); if (CONFIG_H261_ENCODER && s->out_format == FMT_H261) { ff_h261_encode_init(s); diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index a0a4af82d9..e900c2b3fd 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c 
@@ -127,8 +127,10 @@ static av_cold int encode_init(AVCodecContext *avctx) if (ret) return ret; - ff_set_cmp(&s->mecc, s->mecc.me_cmp, s->avctx->me_cmp); - ff_set_cmp(&s->mecc, s->mecc.me_sub_cmp, s->avctx->me_sub_cmp); + ret = ff_set_cmp(&s->mecc, s->mecc.me_cmp, s->avctx->me_cmp); + ret |= ff_set_cmp(&s->mecc, s->mecc.me_sub_cmp, s->avctx->me_sub_cmp); + if (ret < 0) + return AVERROR(EINVAL); s->input_picture = av_frame_alloc(); if (!s->input_picture) From 1e413487bf8ff413796d1cf1d9adafcd36f04444 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 13 Apr 2023 15:56:54 +0200 Subject: [PATCH 161/562] fftools/ffmpeg: avoid possible invalid reads with short -tag values Fixes #10319 and #10309. Based on 89c9a3ac3542c3684e511607d88b265bfa6aa64f. --- fftools/ffmpeg_opt.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index 6e18a4a23e..0969b12e7f 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -898,8 +898,11 @@ static void add_input_streams(OptionsContext *o, AVFormatContext *ic) MATCH_PER_STREAM_OPT(codec_tags, str, codec_tag, ic, st); if (codec_tag) { uint32_t tag = strtol(codec_tag, &next, 0); - if (*next) - tag = AV_RL32(codec_tag); + if (*next) { + uint8_t buf[4] = { 0 }; + memcpy(buf, codec_tag, FFMIN(sizeof(buf), strlen(codec_tag))); + tag = AV_RL32(buf); + } st->codecpar->codec_tag = tag; } @@ -1660,8 +1663,11 @@ static OutputStream *new_output_stream(OptionsContext *o, AVFormatContext *oc, e MATCH_PER_STREAM_OPT(codec_tags, str, codec_tag, oc, st); if (codec_tag) { uint32_t tag = strtol(codec_tag, &next, 0); - if (*next) - tag = AV_RL32(codec_tag); + if (*next) { + uint8_t buf[4] = { 0 }; + memcpy(buf, codec_tag, FFMIN(sizeof(buf), strlen(codec_tag))); + tag = AV_RL32(buf); + } ost->st->codecpar->codec_tag = ost->enc_ctx->codec_tag = tag; } From e6f7183eb68ce22a116ec9a2abd014b10ae50954 Mon Sep 17 00:00:00 2001 
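Review bot: The bounded `memcpy` removes the over-read, but in both hunks (add_input_streams and new_output_stream) a non-numeric `-tag` value longer than four characters is now silently cut to its first four bytes, and the numeric path still stores `strtol`'s `long` result into a `uint32_t` with no range check. A warning when `strlen(codec_tag) > sizeof(buf)` would tell the user the tag was not taken as written. The same three added lines appear in both functions, so a small static helper that takes the string and returns the tag would keep the two copies from diverging.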
From: Hendrik Leppkes Date: Mon, 15 May 2023 12:49:21 +0200 Subject: [PATCH 162/562] avcodec/nvdec_mpeg2: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/nvdec_mpeg12.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvdec_mpeg12.c b/libavcodec/nvdec_mpeg12.c index e10735587d..3b9ff60734 100644 --- a/libavcodec/nvdec_mpeg12.c +++ b/libavcodec/nvdec_mpeg12.c @@ -83,8 +83,9 @@ static int nvdec_mpeg12_start_frame(AVCodecContext *avctx, const uint8_t *buffer }; for (i = 0; i < 64; ++i) { - ppc->QuantMatrixIntra[i] = s->intra_matrix[i]; - ppc->QuantMatrixInter[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + ppc->QuantMatrixIntra[i] = s->intra_matrix[n]; + ppc->QuantMatrixInter[i] = s->inter_matrix[n]; } return 0; From a4f995fa84b200c50e643fb6e038af6c3acce869 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:33:18 +0200 Subject: [PATCH 163/562] avcodec/nvdec_mpeg4: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/nvdec_mpeg4.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvdec_mpeg4.c b/libavcodec/nvdec_mpeg4.c index b7e1821754..8163ae7d68 100644 --- a/libavcodec/nvdec_mpeg4.c +++ b/libavcodec/nvdec_mpeg4.c @@ -88,8 +88,9 @@ static int nvdec_mpeg4_start_frame(AVCodecContext *avctx, const uint8_t *buffer, }; for (i = 0; i < 64; ++i) { - ppc->QuantMatrixIntra[i] = s->intra_matrix[i]; - ppc->QuantMatrixInter[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + ppc->QuantMatrixIntra[i] = s->intra_matrix[n]; + ppc->QuantMatrixInter[i] = s->inter_matrix[n]; } // We need to pass the full frame buffer and not just the slice 
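Review bot: The new index `n = s->idsp.idct_permutation[i]` carries no comment in the code explaining why the matrices are re-indexed, and the same three lines are added in nvdec_mpeg4_start_frame on this page and in the two vdpau start_frame hunks that follow. A comment above the loop, `/* intra_matrix/inter_matrix are stored in IDCT-permuted order; the hardware expects raster order */`, would move the commit message's reasoning into the source. Because `n` now indexes intra_matrix and inter_matrix directly, the loop relies on every idct_permutation entry being below 64; that invariant is not visible from these hunks and is worth stating next to the loop.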
From 4015609fcdbd030a4f9332e003db10165de8f295 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:35:13 +0200 Subject: [PATCH 164/562] avcodec/vdpau_mpeg12: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/vdpau_mpeg12.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vdpau_mpeg12.c b/libavcodec/vdpau_mpeg12.c index 354239cad5..79007aa1a8 100644 --- a/libavcodec/vdpau_mpeg12.c +++ b/libavcodec/vdpau_mpeg12.c @@ -75,8 +75,9 @@ static int vdpau_mpeg_start_frame(AVCodecContext *avctx, info->f_code[1][0] = s->mpeg_f_code[1][0]; info->f_code[1][1] = s->mpeg_f_code[1][1]; for (i = 0; i < 64; ++i) { - info->intra_quantizer_matrix[i] = s->intra_matrix[i]; - info->non_intra_quantizer_matrix[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + info->intra_quantizer_matrix[i] = s->intra_matrix[n]; + info->non_intra_quantizer_matrix[i] = s->inter_matrix[n]; } return ff_vdpau_common_start_frame(pic_ctx, buffer, size); From 33ed503e590c252ac5e191503ff45e67dc34c214 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:35:42 +0200 Subject: [PATCH 165/562] avcodec/vdpau_mpeg4: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/vdpau_mpeg4.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vdpau_mpeg4.c b/libavcodec/vdpau_mpeg4.c index 6e082eefc6..1211b1df2c 100644 --- a/libavcodec/vdpau_mpeg4.c +++ b/libavcodec/vdpau_mpeg4.c 
@@ -74,8 +74,9 @@ static int vdpau_mpeg4_start_frame(AVCodecContext *avctx, info->alternate_vertical_scan_flag = s->alternate_scan; info->top_field_first = s->top_field_first; for (i = 0; i < 64; ++i) { - info->intra_quantizer_matrix[i] = s->intra_matrix[i]; - info->non_intra_quantizer_matrix[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + info->intra_quantizer_matrix[i] = s->intra_matrix[n]; + info->non_intra_quantizer_matrix[i] = s->inter_matrix[n]; } ff_vdpau_common_start_frame(pic_ctx, buffer, size); From bea695d54372b66a6b9b136982fc92adb63e4745 Mon Sep 17 00:00:00 2001 From: Christopher Degawa Date: Thu, 20 Oct 2022 22:55:28 -0500 Subject: [PATCH 166/562] avcodec/libsvtav1: replace vbv_bufsize with maximum_buffer_size_ms svt-av1 v1.2.0 has deprecated vbv_bufsize in favor of using - maximum_buffer_size_ms (--buf-sz) - starting_buffer_level_ms (--buf-initial-sz) - optimal_buffer_level_ms (--buf-optimal-sz) and vbv_bufsize has not been in use since svt-av1 v0.8.6 Signed-off-by: Christopher Degawa --- libavcodec/libsvtav1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/libsvtav1.c b/libavcodec/libsvtav1.c index 4001cf7f03..ecf5f9cb63 100644 --- a/libavcodec/libsvtav1.c +++ b/libavcodec/libsvtav1.c @@ -183,7 +183,7 @@ static int config_enc_params(EbSvtAv1EncConfiguration *param, param->min_qp_allowed = avctx->qmin; } param->max_bit_rate = avctx->rc_max_rate; - param->vbv_bufsize = avctx->rc_buffer_size; + param->maximum_buffer_size_ms = avctx->rc_buffer_size * 1000LL / avctx->bit_rate; if (svt_enc->crf > 0) { param->qp = svt_enc->crf; 
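Review bot: `avctx->rc_buffer_size * 1000LL / avctx->bit_rate` in config_enc_params divides by `avctx->bit_rate` unconditionally, so an encode that leaves the bit rate at 0 (a CRF-only run, for example) would hit an integer division by zero. The assignment needs a guard such as `if (avctx->bit_rate > 0 && avctx->rc_buffer_size > 0)`. A later patch in this series adds a guard, but as submitted this commit is not safe on its own, which matters when bisecting. The function continues outside the hunk.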
@@ -300,7 +300,7 @@ static int config_enc_params(EbSvtAv1EncConfiguration *param, avctx->bit_rate = param->rate_control_mode > 0 ? param->target_bit_rate : 0; avctx->rc_max_rate = param->max_bit_rate; - avctx->rc_buffer_size = param->vbv_bufsize; + avctx->rc_buffer_size = param->maximum_buffer_size_ms * avctx->bit_rate / 1000LL; if (avctx->bit_rate || avctx->rc_max_rate || avctx->rc_buffer_size) { AVCPBProperties *cpb_props = ff_add_cpb_side_data(avctx); From 3344d47a88506aba060b5fd2a214cf7785b11483 Mon Sep 17 00:00:00 2001 From: Christopher Degawa Date: Thu, 20 Oct 2022 22:55:27 -0500 Subject: [PATCH 167/562] avcodec/libsvtav1: remove compressed_ten_bit_format and simplify alloc_buffer compressed_ten_bit_format has been deprecated upstream and has no effect and can be removed. Plus, technically it was never used in the first place since it would require the app (ffmpeg) to set it and do additional processing of the input frames. Also simplify alloc_buffer by removing calculations relating to the non-existant processing. Signed-off-by: Christopher Degawa --- libavcodec/libsvtav1.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/libavcodec/libsvtav1.c b/libavcodec/libsvtav1.c index ecf5f9cb63..90f7c4236c 100644 --- a/libavcodec/libsvtav1.c +++ b/libavcodec/libsvtav1.c 
@@ -124,16 +124,12 @@ static int svt_print_error(void *log_ctx, EbErrorType err, static int alloc_buffer(EbSvtAv1EncConfiguration *config, SvtContext *svt_enc) { - const int pack_mode_10bit = - (config->encoder_bit_depth > 8) && (config->compressed_ten_bit_format == 0) ? 1 : 0; - const size_t luma_size_8bit = - config->source_width * config->source_height * (1 << pack_mode_10bit); - const size_t luma_size_10bit = - (config->encoder_bit_depth > 8 && pack_mode_10bit == 0) ? luma_size_8bit : 0; + const size_t luma_size = config->source_width * config->source_height * + (config->encoder_bit_depth > 8 ? 2 : 1); EbSvtIOFormat *in_data; - svt_enc->raw_size = (luma_size_8bit + luma_size_10bit) * 3 / 2; + svt_enc->raw_size = luma_size * 3 / 2; // allocate buffer for in and out svt_enc->in_buf = av_mallocz(sizeof(*svt_enc->in_buf)); From 8fe2fec45321d1b82f98f9725ad9118cefcfa58d Mon Sep 17 00:00:00 2001 From: Christopher Degawa Date: Sun, 20 Nov 2022 13:07:36 -0600 Subject: [PATCH 168/562] avcodec/libsvtav1: only set max_buf_sz if both bitrate and rc_buf_sz is set maximum_buffer_size_ms should only be set if both are specified or if the user sets it through -svtav1-params buf-sz=val Signed-off-by: Christopher Degawa --- libavcodec/libsvtav1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/libsvtav1.c b/libavcodec/libsvtav1.c index 90f7c4236c..d41bed480b 100644 --- a/libavcodec/libsvtav1.c +++ b/libavcodec/libsvtav1.c @@ -179,7 +179,8 @@ static int config_enc_params(EbSvtAv1EncConfiguration *param, param->min_qp_allowed = avctx->qmin; } param->max_bit_rate = avctx->rc_max_rate; - param->maximum_buffer_size_ms = avctx->rc_buffer_size * 1000LL / avctx->bit_rate; + if (avctx->bit_rate && avctx->rc_buffer_size) + param->maximum_buffer_size_ms = avctx->rc_buffer_size * 1000LL / avctx->bit_rate; if (svt_enc->crf > 0) { param->qp = svt_enc->crf; From e5b5dd66535f444451e0fee59247b224d866f334 Mon Sep 17 00:00:00 2001 
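Review bot: In alloc_buffer the product `config->source_width * config->source_height * (...)` is evaluated in the operands' own type before it is widened to `size_t`; if those fields are 32-bit (their declarations are not visible here), large dimensions wrap and `luma_size` comes out smaller than the frame it is meant to describe. Widening the first operand avoids that: `const size_t luma_size = (size_t)config->source_width * config->source_height *`. `luma_size * 3 / 2` is then stored in `svt_enc->raw_size`, whose type is also not visible; if it is narrower than `size_t`, it needs a range check before the assignment.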
From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Thu, 9 Mar 2023 20:27:06 +0200 Subject: [PATCH 169/562] avcodec/libsvtav1: use larger of bit rate and max rate for buffer size Generally if maxrate is set, the calculation should be maxrate over bufsize. This additionally enables CRF + maxrate & bufsize usage. In order to keep negative values from enabling zero to be treated as larger and causing a division by zero, check that one of the variables is larger than zero. --- libavcodec/libsvtav1.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/libsvtav1.c b/libavcodec/libsvtav1.c index d41bed480b..0f9d455660 100644 --- a/libavcodec/libsvtav1.c +++ b/libavcodec/libsvtav1.c @@ -179,8 +179,10 @@ static int config_enc_params(EbSvtAv1EncConfiguration *param, param->min_qp_allowed = avctx->qmin; } param->max_bit_rate = avctx->rc_max_rate; - if (avctx->bit_rate && avctx->rc_buffer_size) - param->maximum_buffer_size_ms = avctx->rc_buffer_size * 1000LL / avctx->bit_rate; + if ((avctx->bit_rate > 0 || avctx->rc_max_rate > 0) && avctx->rc_buffer_size) + param->maximum_buffer_size_ms = + avctx->rc_buffer_size * 1000LL / + FFMAX(avctx->bit_rate, avctx->rc_max_rate); if (svt_enc->crf > 0) { param->qp = svt_enc->crf; @@ -297,7 +299,8 @@ static int config_enc_params(EbSvtAv1EncConfiguration *param, avctx->bit_rate = param->rate_control_mode > 0 ? param->target_bit_rate : 0; avctx->rc_max_rate = param->max_bit_rate; - avctx->rc_buffer_size = param->maximum_buffer_size_ms * avctx->bit_rate / 1000LL; + avctx->rc_buffer_size = param->maximum_buffer_size_ms * + FFMAX(avctx->bit_rate, avctx->rc_max_rate) / 1000LL; if (avctx->bit_rate || avctx->rc_max_rate || avctx->rc_buffer_size) { AVCPBProperties *cpb_props = ff_add_cpb_side_data(avctx); From 25cd95a9dc3510c3cc0d7aad6f9d83f6a1078c7e Mon Sep 17 00:00:00 2001 
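Review bot: In the second hunk `param->maximum_buffer_size_ms * FFMAX(avctx->bit_rate, avctx->rc_max_rate) / 1000LL` is written back into `avctx->rc_buffer_size`, an `int`, without clamping, so a long buffer duration (the earlier commit message notes it can be set through `-svtav1-params buf-sz=val`) combined with a high rate is truncated or wraps. Clamping the 64-bit result to `INT_MAX` before the assignment would keep the exported value sane. In the first hunk `avctx->rc_buffer_size` is still tested only for non-zero, so a negative buffer size yields a negative `maximum_buffer_size_ms`; `avctx->rc_buffer_size > 0` would match the new `> 0` tests on the two rates.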
From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Sun, 16 Jul 2023 18:18:02 +0300 Subject: [PATCH 170/562] avcodec/x86/mathops: clip constants used with shift instructions within inline assembly Fixes assembling with binutil as >= 2.41 Signed-off-by: James Almer (cherry picked from commit effadce6c756247ea8bae32dc13bb3e6f464f0eb) --- libavcodec/x86/mathops.h | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/libavcodec/x86/mathops.h b/libavcodec/x86/mathops.h index 6298f5ed19..ca7e2dffc1 100644 --- a/libavcodec/x86/mathops.h +++ b/libavcodec/x86/mathops.h @@ -35,12 +35,20 @@ static av_always_inline av_const int MULL(int a, int b, unsigned shift) { int rt, dummy; + if (__builtin_constant_p(shift)) __asm__ ( "imull %3 \n\t" "shrdl %4, %%edx, %%eax \n\t" :"=a"(rt), "=d"(dummy) - :"a"(a), "rm"(b), "ci"((uint8_t)shift) + :"a"(a), "rm"(b), "i"(shift & 0x1F) ); + else + __asm__ ( + "imull %3 \n\t" + "shrdl %4, %%edx, %%eax \n\t" + :"=a"(rt), "=d"(dummy) + :"a"(a), "rm"(b), "c"((uint8_t)shift) + ); return rt; } @@ -113,19 +121,31 @@ __asm__ volatile(\ // avoid +32 for shift optimization (gcc should do that ...) #define NEG_SSR32 NEG_SSR32 static inline int32_t NEG_SSR32( int32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("sarl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("sarl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; } #define NEG_USR32 NEG_USR32 static inline uint32_t NEG_USR32(uint32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("shrl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("shrl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; } From 566aa38d98f5f492995127e82ab9a516f59bf952 Mon Sep 17 00:00:00 2001 
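Review bot: MULL, NEG_SSR32 and NEG_USR32 now each carry two nearly identical asm statements under an unbraced `if (__builtin_constant_p(...)) ... else ...`, and nothing in the source says why. A comment above the first branch, `/* immediate shift counts must be masked to 0..31 or newer assemblers reject them; variable counts go through %cl */`, would stop a later cleanup from folding the branches back into the single `"ci"` constraint. Braces around both branches would also make the if/else pairing explicit next to the multi-line asm blocks.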
From: Will Cassella Date: Fri, 9 Sep 2022 22:50:32 +0000 Subject: [PATCH 171/562] libavformat/riffec: Zero-initialize channels in ff_get_wav_header Clang's static analyzer complains that leaving the variable uninitialized could lead to a code path where the uninitialized value is written to at the end of this function. This patch simply zero-initializes that variable to avoid that. Signed-off-by: Will Cassella Signed-off-by: James Almer (cherry picked from commit e601ec3c1991ee09ff45db3be4d894e5774f6f2b) --- libavformat/riffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index c1e4a04550..1c149388ab 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -94,7 +94,7 @@ static void parse_waveformatex(AVFormatContext *s, AVIOContext *pb, AVCodecParam int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, AVCodecParameters *par, int size, int big_endian) { - int id, channels; + int id, channels = 0; uint64_t bitrate = 0; if (size < 14) { From af1f71cfd3ee2ef6bd17da7ff1f7d3caa6facc89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Mar 2023 18:08:24 +0200 Subject: [PATCH 172/562] Changelog: Add forgotten line Signed-off-by: Michael Niedermayer --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index b0d482a35b..9a132bc1bf 100644 --- a/Changelog +++ b/Changelog @@ -6,6 +6,7 @@ version 5.1.3: - avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches - avcodec/snowenc: Fix visual weight calculation - avcodec/tests/snowenc: unbreak DWT tests +- avfilter/vf_untile: swap the chroma shift values used for plane offsets - update for 5.1.3 - avcodec/mpeg12dec: Check input size - avcodec/escape124: Fix some return codes From dad04e27b000f649ed4afd00252b07d1d5b49b7e Mon Sep 17 00:00:00 2001 
From: Lynne Date: Sun, 1 Jan 2023 00:00:00 +0100 Subject: [PATCH 173/562] configure: update copyright year (cherry picked from commit 62da0b4a741a064f118a0eece496d6bcc437ec91) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index ba5793b2ff..6629783f34 100755 --- a/configure +++ b/configure @@ -7783,7 +7783,7 @@ cat > $TMPH < Date: Sun, 26 Mar 2023 21:34:03 +0200 Subject: [PATCH 174/562] avcodec/g729postfilter: Limit shift in long term filter Fixes: shift exponent 34 is too large for 32-bit type 'int' Fixes: 57389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-6229522659016704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6d1d8609ac1054017ea3d11b325ed94a1205e9fd) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index f3cacbac05..26e937f0ba 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -353,7 +353,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, if (tmp > 0) L_temp0 >>= tmp; else - L_temp1 >>= -tmp; + L_temp1 >>= FFMIN(-tmp, 31); /* Check if longer filter increases the values of R'(k). */ if (L_temp1 > L_temp0) { From f34fe6b4a4fd6123f1ea3dcc7210424ba9b769ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Mar 2023 22:35:50 +0200 Subject: [PATCH 175/562] avcodec/vp3: Check width to avoid assertion failure Fixes: Assertion failure on x86-32 av_assert2(block_w * sizeof(pixel) <= FFABS(buf_linesize)); in ff_emulated_edge_mc() Fixes: 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
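Review bot: Only the `else` branch is clamped; `L_temp0 >>= tmp;` on the line above still shifts by an unbounded `tmp`, so if `tmp` can reach 32 or more on the positive side the same undefined shift remains. Unless code outside the hunk bounds `tmp`, both branches should be clamped: `L_temp0 >>= FFMIN(tmp, 31);`. long_term_filter starts and ends outside the hunk, so the computation of `tmp` is not visible here.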
Signed-off-by: Michael Niedermayer (cherry picked from commit dab1cd2dc0471d497f481736059b2023c5b7986a) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 8ca1b0dfe3..e6505df01c 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2353,6 +2353,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) s->avctx = avctx; s->width = FFALIGN(avctx->coded_width, 16); s->height = FFALIGN(avctx->coded_height, 16); + if (s->width < 18) + return AVERROR_PATCHWELCOME; if (avctx->codec_id != AV_CODEC_ID_THEORA) avctx->pix_fmt = AV_PIX_FMT_YUV420P; avctx->chroma_sample_location = AVCHROMA_LOC_CENTER; @@ -2919,7 +2921,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) /* sanity check */ if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 || visible_width + offset_x > s->width || - visible_height + offset_y > s->height) { + visible_height + offset_y > s->height || + visible_width < 18 + ) { av_log(avctx, AV_LOG_ERROR, "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n", visible_width, visible_height, offset_x, offset_y, @@ -2965,6 +2969,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) } else avctx->pix_fmt = AV_PIX_FMT_YUV420P; + if (s->width < 18) + return AVERROR_PATCHWELCOME; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; From f38e5efbf2a905a67f2241a0a8de3210a5174473 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:15:36 +0200 Subject: [PATCH 176/562] avcodec/j2kenc: fix 5/3 DWT identifer Signed-off-by: Michael Niedermayer (cherry picked from commit f6955b6df4b599ff5604e82987b96957414f8dd5) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index ce77a6d964..550ad9081c 100644 
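Review bot: The literal `18` is introduced in three places (once in vp3_decode_init, twice in theora_decode_header) with no name or comment, and the sites disagree on the error: the two `s->width < 18` checks return `AVERROR_PATCHWELCOME`, while `visible_width < 18` falls into the existing "Invalid frame dimensions" path. A single named constant with a comment tying it to the edge-emulation assertion quoted in the commit message would make the limit auditable. Since `s->width` is `FFALIGN(avctx->coded_width, 16)`, `s->width < 18` is in effect `s->width <= 16`, which is worth saying in that comment. Both functions continue outside their hunks.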
--- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1810,7 +1810,7 @@ static const AVOption options[] = { { "tile_height", "Tile Height", OFFSET(tile_height), AV_OPT_TYPE_INT, { .i64 = 256 }, 1, 1<<30, VE, }, { "pred", "DWT Type", OFFSET(pred), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE, "pred" }, { "dwt97int", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, - { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, + { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 1 }, INT_MIN, INT_MAX, VE, "pred" }, { "sop", "SOP marker", OFFSET(sop), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE, }, { "eph", "EPH marker", OFFSET(eph), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE, }, { "prog", "Progression Order", OFFSET(prog), AV_OPT_TYPE_INT, { .i64 = 0 }, JPEG2000_PGOD_LRCP, JPEG2000_PGOD_CPRL, VE, "prog" }, From 1990527edbdee2376bb37f2808a4eb8c3da59ba9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:18:05 +0200 Subject: [PATCH 177/562] avcodec/j2kenc: remove misleading pred value This field is only checked for being 0 or not and not zero means 5/3 Signed-off-by: Michael Niedermayer (cherry picked from commit 0adb375377f369b69b24d86bbfe674b7693ccf3c) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 550ad9081c..4c124a89c7 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1729,7 +1729,7 @@ static av_cold int j2kenc_init(AVCodecContext *avctx) if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && (s->pred != FF_DWT97_INT || s->format != CODEC_JP2)) { av_log(s->avctx, AV_LOG_WARNING, "Forcing lossless jp2 for pal8\n"); - s->pred = FF_DWT97_INT; + s->pred = 1; s->format = CODEC_JP2; } From 0ab5965b691debefd8341463b94c16ce6f8586f2 Mon Sep 17 00:00:00 2001 
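Review bot: In j2kenc_init `s->pred = 1;` replaces a named constant with a bare literal, while the guard above it still compares `s->pred != FF_DWT97_INT`, so the condition and the assignment no longer use the same vocabulary. Going by the option table in the previous patch (`dwt97int` is 0, `dwt53` is 1) and this commit's message that non-zero means 5/3, the guard presumably wants `!s->pred || s->format != CODEC_JP2`; as written it looks true for every value the option can take. At minimum the assignment deserves a trailing comment, `s->pred = 1; /* 5/3 DWT, the lossless transform */`. The function continues outside the hunk.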
From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:21:28 +0200 Subject: [PATCH 178/562] avcodec/j2kenc: Fix funky bpno errors on decoding Signed-off-by: Michael Niedermayer (cherry picked from commit 816676085e3d32f27d4001d9b95590046c487eb6) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 3 +-- tests/ref/vsynth/vsynth1-jpeg2000-97 | 4 ++-- tests/ref/vsynth/vsynth2-jpeg2000 | 4 ++-- tests/ref/vsynth/vsynth2-jpeg2000-97 | 4 ++-- tests/ref/vsynth/vsynth3-jpeg2000 | 4 ++-- tests/ref/vsynth/vsynth3-jpeg2000-97 | 4 ++-- tests/ref/vsynth/vsynth_lena-jpeg2000 | 4 ++-- tests/ref/vsynth/vsynth_lena-jpeg2000-97 | 4 ++-- 8 files changed, 15 insertions(+), 16 deletions(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 4c124a89c7..67dad9f1b7 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -721,11 +721,10 @@ static void encode_cblk(Jpeg2000EncoderContext *s, Jpeg2000T1Context *t1, Jpeg20 if (max == 0){ cblk->nonzerobits = 0; - bpno = 0; } else{ cblk->nonzerobits = av_log2(max) + 1 - NMSEDEC_FRACBITS; - bpno = cblk->nonzerobits - 1; } + bpno = cblk->nonzerobits - 1; cblk->data[0] = 0; ff_mqc_initenc(&t1->mqc, cblk->data + 1); diff --git a/tests/ref/vsynth/vsynth1-jpeg2000-97 b/tests/ref/vsynth/vsynth1-jpeg2000-97 index 6ab5aa4237..c979ab5c36 100644 --- a/tests/ref/vsynth/vsynth1-jpeg2000-97 +++ b/tests/ref/vsynth/vsynth1-jpeg2000-97 @@ -1,4 +1,4 @@ -e4d03b2e3c03e56c7f831b1e662c4031 *tests/data/fate/vsynth1-jpeg2000-97.avi -3643928 tests/data/fate/vsynth1-jpeg2000-97.avi +5e6d32b7205d31245b0d1f015d08b515 *tests/data/fate/vsynth1-jpeg2000-97.avi +3643886 tests/data/fate/vsynth1-jpeg2000-97.avi a2262f1da2f49bc196b780a6b47ec4e8 *tests/data/fate/vsynth1-jpeg2000-97.out.rawvideo stddev: 4.23 PSNR: 35.59 MAXDIFF: 53 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-jpeg2000 b/tests/ref/vsynth/vsynth2-jpeg2000 index d0df0099ea..b60307d5da 100644 --- a/tests/ref/vsynth/vsynth2-jpeg2000 +++ b/tests/ref/vsynth/vsynth2-jpeg2000 
@@ -1,4 +1,4 @@ -8c8a68ca748190c71b3ea43e5ab7f502 *tests/data/fate/vsynth2-jpeg2000.avi -1538736 tests/data/fate/vsynth2-jpeg2000.avi +bfe90391779a02319aab98b06dd18e6c *tests/data/fate/vsynth2-jpeg2000.avi +1538724 tests/data/fate/vsynth2-jpeg2000.avi 64fadc87447268cf90503cb294db7f61 *tests/data/fate/vsynth2-jpeg2000.out.rawvideo stddev: 4.91 PSNR: 34.29 MAXDIFF: 55 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-jpeg2000-97 b/tests/ref/vsynth/vsynth2-jpeg2000-97 index 33c1fb2425..591f8b6bb3 100644 --- a/tests/ref/vsynth/vsynth2-jpeg2000-97 +++ b/tests/ref/vsynth/vsynth2-jpeg2000-97 @@ -1,4 +1,4 @@ -c8f76055f59804ca72dbd66eb4db83a2 *tests/data/fate/vsynth2-jpeg2000-97.avi -2464138 tests/data/fate/vsynth2-jpeg2000-97.avi +aa5573136c54b1855d8d00efe2a149bd *tests/data/fate/vsynth2-jpeg2000-97.avi +2464134 tests/data/fate/vsynth2-jpeg2000-97.avi 1f63c8b065e847e4c63d57ce23442ea8 *tests/data/fate/vsynth2-jpeg2000-97.out.rawvideo stddev: 3.21 PSNR: 37.99 MAXDIFF: 26 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth3-jpeg2000 b/tests/ref/vsynth/vsynth3-jpeg2000 index ecc286b9a4..894dba27dc 100644 --- a/tests/ref/vsynth/vsynth3-jpeg2000 +++ b/tests/ref/vsynth/vsynth3-jpeg2000 @@ -1,4 +1,4 @@ -776bf3234cbf25002f129b89baab42ea *tests/data/fate/vsynth3-jpeg2000.avi -67400 tests/data/fate/vsynth3-jpeg2000.avi +1d039969504abdc143b410f99b5f9171 *tests/data/fate/vsynth3-jpeg2000.avi +67354 tests/data/fate/vsynth3-jpeg2000.avi 098f5980667e1fcd50452b1dc1a74f61 *tests/data/fate/vsynth3-jpeg2000.out.rawvideo stddev: 5.47 PSNR: 33.36 MAXDIFF: 48 bytes: 86700/ 86700 diff --git a/tests/ref/vsynth/vsynth3-jpeg2000-97 b/tests/ref/vsynth/vsynth3-jpeg2000-97 index df10f43270..5d9d083791 100644 --- a/tests/ref/vsynth/vsynth3-jpeg2000-97 +++ b/tests/ref/vsynth/vsynth3-jpeg2000-97 
@@ -1,4 +1,4 @@ -cd023db503f03ef72dd83e4617a90c7b *tests/data/fate/vsynth3-jpeg2000-97.avi -85606 tests/data/fate/vsynth3-jpeg2000-97.avi +522e12684aca4262a9d613cb2db7006c *tests/data/fate/vsynth3-jpeg2000-97.avi +85526 tests/data/fate/vsynth3-jpeg2000-97.avi 8def36ad1413ab3a5c2af2e1af4603f9 *tests/data/fate/vsynth3-jpeg2000-97.out.rawvideo stddev: 4.51 PSNR: 35.04 MAXDIFF: 47 bytes: 86700/ 86700 diff --git a/tests/ref/vsynth/vsynth_lena-jpeg2000 b/tests/ref/vsynth/vsynth_lena-jpeg2000 index 88629add21..e2cbc899d3 100644 --- a/tests/ref/vsynth/vsynth_lena-jpeg2000 +++ b/tests/ref/vsynth/vsynth_lena-jpeg2000 @@ -1,4 +1,4 @@ -b8aaa45236f77a2a626791d462fd8ac1 *tests/data/fate/vsynth_lena-jpeg2000.avi -1188886 tests/data/fate/vsynth_lena-jpeg2000.avi +51f061731d7fb987ff4e71789785225e *tests/data/fate/vsynth_lena-jpeg2000.avi +1188882 tests/data/fate/vsynth_lena-jpeg2000.avi 39a2c5b61cd0cf2821c6fb4cceba2fa8 *tests/data/fate/vsynth_lena-jpeg2000.out.rawvideo stddev: 4.30 PSNR: 35.45 MAXDIFF: 45 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-jpeg2000-97 b/tests/ref/vsynth/vsynth_lena-jpeg2000-97 index b6f5f75f77..0539300185 100644 --- a/tests/ref/vsynth/vsynth_lena-jpeg2000-97 +++ b/tests/ref/vsynth/vsynth_lena-jpeg2000-97 @@ -1,4 +1,4 @@ -b2d9525433c6300674f504922d762437 *tests/data/fate/vsynth_lena-jpeg2000-97.avi -1937232 tests/data/fate/vsynth_lena-jpeg2000-97.avi +80fe872c8afaad914da6ef037957d93b *tests/data/fate/vsynth_lena-jpeg2000-97.avi +1937216 tests/data/fate/vsynth_lena-jpeg2000-97.avi 1b97333a8dc115a5ba609b0070d89d4d *tests/data/fate/vsynth_lena-jpeg2000-97.out.rawvideo stddev: 2.82 PSNR: 39.10 MAXDIFF: 24 bytes: 7603200/ 7603200 From cf6ae79a71e302b25e6cd32314d46a5740340e8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:40:31 +0200 Subject: [PATCH 179/562] avcodec/j2kenc: simplify pixel format setup Signed-off-by: Michael Niedermayer (cherry picked from commit 644d15716d5cfb28e4ea0c0ada163f70807e9a5c) 
Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 67dad9f1b7..fbb2f991ca 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1716,6 +1716,7 @@ static av_cold int j2kenc_init(AVCodecContext *avctx) Jpeg2000EncoderContext *s = avctx->priv_data; Jpeg2000CodingStyle *codsty = &s->codsty; Jpeg2000QuantStyle *qntsty = &s->qntsty; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); s->avctx = avctx; av_log(s->avctx, AV_LOG_DEBUG, "init\n"); @@ -1758,20 +1759,13 @@ static av_cold int j2kenc_init(AVCodecContext *avctx) s->width = avctx->width; s->height = avctx->height; + s->ncomponents = desc->nb_components; for (i = 0; i < 3; i++) { - if (avctx->pix_fmt == AV_PIX_FMT_GRAY16 || avctx->pix_fmt == AV_PIX_FMT_RGB48) - s->cbps[i] = 16; - else - s->cbps[i] = 8; + s->cbps[i] = desc->comp[i].depth; } - if (avctx->pix_fmt == AV_PIX_FMT_RGB24 || avctx->pix_fmt == AV_PIX_FMT_RGB48){ - s->ncomponents = 3; - } else if (avctx->pix_fmt == AV_PIX_FMT_GRAY8 || avctx->pix_fmt == AV_PIX_FMT_PAL8 || avctx->pix_fmt == AV_PIX_FMT_GRAY16){ - s->ncomponents = 1; - } else{ // planar YUV + if ((desc->flags & AV_PIX_FMT_FLAG_PLANAR) && s->ncomponents > 1) { s->planar = 1; - s->ncomponents = 3; ret = av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, s->chroma_shift, s->chroma_shift + 1); if (ret) From 4c07c4d29aae017584ea2a4273901c4799ea5b75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:50:26 +0200 Subject: [PATCH 180/562] avcodec/j2kenc: Replace BGR48 / GRAY16 test by test for number of bits BGR48 is not supported and this was probably meant to be RGB48 so this fixes RGB48 a bit Signed-off-by: Michael Niedermayer (cherry picked from commit 7fb70d27a26bb4072edf68857636fa4343ee24a3) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
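Review bot: `s->ncomponents` now comes from the pixel-format descriptor, but the loop that fills `s->cbps[]` still runs to the literal 3, so for single-component formats it stores the depth of `desc->comp[1]` and `desc->comp[2]` where the old code stored 8 or 16. Bounding the loop by the component count, `for (i = 0; i < s->ncomponents; i++)`, keeps the two in step. `desc` is also dereferenced without a NULL check here and in the later encode_frame hunk; av_pix_fmt_desc_get() returns NULL for an unknown format, so both sites rely on the format having been validated before init. j2kenc_init continues outside the hunk.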
diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index fbb2f991ca..b37820278d 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1542,7 +1542,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, s->lambda = s->picture->quality * LAMBDA_SCALE; - if (avctx->pix_fmt == AV_PIX_FMT_BGR48 || avctx->pix_fmt == AV_PIX_FMT_GRAY16) + if (s->cbps[0] > 8) copy_frame_16(s); else copy_frame_8(s); From 7c5d1725aab390245a44c191b285eb0f8b2eddd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:57:56 +0200 Subject: [PATCH 181/562] avcodec/j2kenc: Replace RGB24 special case by generic test This fixes RGB48 with libavcodec as decoder Signed-off-by: Michael Niedermayer (cherry picked from commit ad4d647591dbd953a5cf3a32a779ee5e42465bbb) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index b37820278d..e11b41ab46 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1530,6 +1530,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, int tileno, ret; Jpeg2000EncoderContext *s = avctx->priv_data; uint8_t *chunkstart, *jp2cstart, *jp2hstart; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); if ((ret = ff_alloc_packet(avctx, pkt, avctx->width*avctx->height*9 + AV_INPUT_BUFFER_MIN_SIZE)) < 0) return ret; @@ -1586,7 +1587,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, bytestream_put_byte(&s->buf, 1); bytestream_put_byte(&s->buf, 0); bytestream_put_byte(&s->buf, 0); - if (avctx->pix_fmt == AV_PIX_FMT_RGB24 || avctx->pix_fmt == AV_PIX_FMT_PAL8) { + if ((desc->flags & AV_PIX_FMT_FLAG_RGB) || avctx->pix_fmt == AV_PIX_FMT_PAL8) { bytestream_put_be32(&s->buf, 16); } else if (s->ncomponents == 1) { bytestream_put_be32(&s->buf, 17); From 7158ad82da404814371f5d11e59f9dd5e51a805d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 9 Apr 2023 13:18:42 +0200 Subject: [PATCH 182/562] avcodec/huffyuvdec: Fix undefined behavior with shift Fixes: left shift of negative value -1 Fixes: 57554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFVHUFF_fuzzer-4853603839115264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27e7857bd1127974ffe1512293abee83b1035194) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index acc4aafdc2..6862376c44 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -656,9 +656,9 @@ static void decode_422_bitstream(HYuvContext *s, int count) /* TODO instead of restarting the read when the code isn't in the first level * of the joint table, jump into the 2nd level of the individual table. */ #define READ_2PIX_PLANE16(dst0, dst1, plane){\ - dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst0 += get_bits(&s->gb, 2);\ - dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst1 += get_bits(&s->gb, 2);\ } static void decode_plane_bitstream(HYuvContext *s, int width, int plane) From d1553cad73e72d7b7d256d4cf7dcb38c0ae1f375 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Apr 2023 15:18:55 +0200 Subject: [PATCH 183/562] avcodec/escape124: Check that blocks are allocated before use Fixes: NULL pointer dereference Fixes: 57819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5077280228769792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5366ae12b9ba60404822f6b39b41f6c0d98a7c8a) 
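Review bot: `*4` in READ_2PIX_PLANE16 reads like a missed strength reduction, and nothing in the macro says it is deliberate. A comment on the macro, `/* *4, not <<2: get_vlc2() can return a negative value and left-shifting that is undefined */`, would keep it from being reverted. The negative value itself is still folded into `dst0` and `dst1`; whether that case needs to be rejected depends on code outside the hunk.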
Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 0f996bf95c..16626ad5b7 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -158,7 +158,7 @@ static MacroBlock decode_macroblock(Escape124Context* s, GetBitContext* gb, // This condition can occur with invalid bitstreams and // *codebook_index == 2 - if (block_index >= s->codebooks[*codebook_index].size) + if (block_index >= s->codebooks[*codebook_index].size || !s->codebooks[*codebook_index].blocks) return (MacroBlock) { { 0 } }; return s->codebooks[*codebook_index].blocks[block_index]; From c2d4ab255259c864313d433c5755fad2bf0219f4 Mon Sep 17 00:00:00 2001 From: Pierre-Anthony Lemieux Date: Wed, 26 Apr 2023 08:09:40 -0700 Subject: [PATCH 184/562] avformat/imf: fix invalid resource handling (cherry picked from commit 23d968d55a6e00dfc46799cfd0eb2ed02379037d) Signed-off-by: Michael Niedermayer --- libavformat/imf_cpl.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/libavformat/imf_cpl.c b/libavformat/imf_cpl.c index 4acc20feee..f2c6b6f064 100644 --- a/libavformat/imf_cpl.c +++ b/libavformat/imf_cpl.c @@ -511,11 +511,10 @@ static int push_main_audio_sequence(xmlNodePtr audio_sequence_elem, FFIMFCPL *cp ret = fill_trackfile_resource(resource_elem, &vt->resources[vt->resource_count], cpl); - vt->resource_count++; - if (ret) { + if (ret) av_log(NULL, AV_LOG_ERROR, "Invalid Resource\n"); - continue; - } + else + vt->resource_count++; resource_elem = xmlNextElementSibling(resource_elem); } 
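Review bot: After this change a failing fill_trackfile_resource() in push_main_audio_sequence is only logged, and `ret` is overwritten on the next iteration, so whether the function reports the error depends on whether the failing resource happens to be the last one; the code after the loop is outside the hunk. The intent should be explicit: either `return ret;` on failure or reset `ret = 0;` after the log line so that skipping is clearly deliberate. The slot at `vt->resources[vt->resource_count]` is reused after a failed fill, so any state the callee left in it should be cleared first; that function is not visible here. The push_main_image_2d_sequence hunk has the same pattern.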
@@ -594,11 +593,10 @@ static int push_main_image_2d_sequence(xmlNodePtr image_sequence_elem, FFIMFCPL ret = fill_trackfile_resource(resource_elem, &cpl->main_image_2d_track->resources[cpl->main_image_2d_track->resource_count], cpl); - cpl->main_image_2d_track->resource_count++; - if (ret) { + if (ret) av_log(NULL, AV_LOG_ERROR, "Invalid Resource\n"); - continue; - } + else + cpl->main_image_2d_track->resource_count++; resource_elem = xmlNextElementSibling(resource_elem); } From 8abcd8b124bc83136c6de2823dd388eff37a75dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2023 13:57:14 +0100 Subject: [PATCH 185/562] libavcodec/lcldec: width and height should not be unsigned Computations like col < width - 3 will not work with unsigned width=1 Signed-off-by: Michael Niedermayer (cherry picked from commit 3eb4e28c26c3bce608214f392ab1fe6ee28ec1df) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index ffa2fe5a6d..1bea618eeb 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -169,8 +169,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, int row, col; unsigned char *encoded = avpkt->data, *outptr; uint8_t *y_out, *u_out, *v_out; - unsigned int width = avctx->width; // Real image width - unsigned int height = avctx->height; // Real image height + int width = avctx->width; // Real image width + int height = avctx->height; // Real image height unsigned int mszh_dlen; unsigned char yq, y1q, uq, vq; int uqvq, ret; From 002471255d334267cbe4b66da0b3bb339b8ef2c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2023 13:57:15 +0100 Subject: [PATCH 186/562] avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width Fixes: Ticket10240 Fixes: zlib_306_306_yuv422.avi Fixes: zlib_306_306_yuv411.avi Signed-off-by: Michael Niedermayer (cherry picked from commit 0cf1ac905d2d97355a389c3baa4e132824b29f21) 
Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 1bea618eeb..4a05680603 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -403,6 +403,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, v_out[ col >> 1 ] = *encoded++ + 128; v_out[(col >> 1) + 1] = *encoded++ + 128; } + if (col && col < width) { + u_out[ col >> 1 ] = u_out[(col>>1) - 1]; + v_out[ col >> 1 ] = v_out[(col>>1) - 1]; + } + y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -424,6 +429,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, u_out[col >> 2] = *encoded++ + 128; v_out[col >> 2] = *encoded++ + 128; } + if (col && col < width) { + u_out[col >> 2] = u_out[(col>>2) - 1]; + v_out[col >> 2] = v_out[(col>>2) - 1]; + } y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -481,6 +490,7 @@ static av_cold int decode_init(AVCodecContext *avctx) FFALIGN(avctx->height, 4); unsigned int max_decomp_size; int subsample_h, subsample_v; + int partial_h_supported = 0; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n"); @@ -502,14 +512,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 1:1:1.\n"); break; case IMGTYPE_YUV422: - c->decomp_size = basesize * 2; + c->decomp_size = (avctx->width & ~3) * avctx->height * 2; max_decomp_size = max_basesize * 2; avctx->pix_fmt = AV_PIX_FMT_YUV422P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n"); - if (avctx->width % 4) { - avpriv_request_sample(avctx, "Unsupported dimensions"); - return AVERROR_INVALIDDATA; - } + partial_h_supported = 1; break; case IMGTYPE_RGB24: c->decomp_size = basesize * 3; 
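Review bot: The new tail handling in decode_frame (libavcodec/lcldec.c, hunk at -403) writes only one chroma sample per plane, `u_out[col >> 1]` and `v_out[col >> 1]`, yet up to three columns can remain after the 4-pixel loop. For a width with `width % 4 == 3` a 4:2:2 plane has two trailing chroma samples, so index `(col >> 1) + 1` would stay unwritten, and no luma write for the trailing columns is visible in this hunk either. If the frame buffer is not cleared beforehand, those samples carry whatever the buffer held into the decoded picture; either fill them (for example by replicating the last decoded sample) or keep rejecting the widths the tail code does not cover. The 4:1:1 hunk at -429 raises the same luma question; both loops begin outside their hunks.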
@@ -518,10 +525,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); break; case IMGTYPE_YUV411: - c->decomp_size = basesize / 2 * 3; + c->decomp_size = (avctx->width & ~3) * avctx->height / 2 * 3; max_decomp_size = max_basesize / 2 * 3; avctx->pix_fmt = AV_PIX_FMT_YUV411P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:1:1.\n"); + partial_h_supported = 1; break; case IMGTYPE_YUV211: c->decomp_size = basesize * 2; @@ -541,7 +549,7 @@ static av_cold int decode_init(AVCodecContext *avctx) } av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v); - if (avctx->width % (1<height % (1<width % (1<height % (1< Date: Thu, 9 Mar 2023 13:57:17 +0100 Subject: [PATCH 187/562] avcodec/lcldec: More space for rgb24 Fixes: Ticket 10239 Fixes: zlib_306_306_rgb24.av Signed-off-by: Michael Niedermayer (cherry picked from commit e2c3aa8e2b800c5b860315277b3ea426b8b23393) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 4a05680603..1c52700762 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -152,6 +152,8 @@ static int zlib_decomp(AVCodecContext *avctx, const uint8_t *src, int src_len, i if (expected != (unsigned int)zstream->total_out) { av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n", expected, zstream->total_out); + if (expected > (unsigned int)zstream->total_out) + return (unsigned int)zstream->total_out; return AVERROR_UNKNOWN; } return zstream->total_out; 
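Review bot: zlib_decomp (libavcodec/lcldec.c) now logs "Decoded size differs" at error level and then returns the short byte count as success, and in the multithreaded branch of decode_frame (hunk at -276) that count is discarded because `len = c->decomp_size;` is assigned unconditionally. The decoder would then treat all of `c->decomp_buf` as decoded although only part of it was written for this packet, so the rest holds earlier or uninitialised contents unless the buffer is cleared elsewhere, which these hunks do not show. Carrying the real total into `len` in that branch (the first zlib_decomp call is outside the hunk) or zero-filling the unwritten tail would close that gap. Lowering the message to `AV_LOG_WARNING` for the tolerated case would also match the new behaviour.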
@@ -276,12 +278,13 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, ret = zlib_decomp(avctx, buf + 8 + mthread_inlen, len - 8 - mthread_inlen, mthread_outlen, mthread_outlen); if (ret < 0) return ret; + len = c->decomp_size; } else { int ret = zlib_decomp(avctx, buf, len, 0, c->decomp_size); if (ret < 0) return ret; + len = ret; } encoded = c->decomp_buf; - len = c->decomp_size; break; #endif default: @@ -519,7 +522,7 @@ static av_cold int decode_init(AVCodecContext *avctx) partial_h_supported = 1; break; case IMGTYPE_RGB24: - c->decomp_size = basesize * 3; + c->decomp_size = FFALIGN(avctx->width*3, 4) * avctx->height; max_decomp_size = max_basesize * 3; avctx->pix_fmt = AV_PIX_FMT_BGR24; av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); From 66192786e7abc7fc4b303243676df175df388e2a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jan 2023 00:51:05 +0100 Subject: [PATCH 188/562] avutil/tx_priv: Use unsigned in BF() to avoid signed overflows Fixes: signed integer overflow: 100183269 - -2132769113 cannot be represented in type 'int' Fixes: 55063/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5039294027005952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eddf7e2a3e9459fd26a76fb2984a6c9b994e2d89) Signed-off-by: Michael Niedermayer --- libavutil/tx_priv.h | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavutil/tx_priv.h b/libavutil/tx_priv.h index 3dd748bd2c..6acbede0f4 100644 --- a/libavutil/tx_priv.h +++ b/libavutil/tx_priv.h @@ -101,6 +101,12 @@ typedef void TXComplex; #define FOLD(a, b) ((a) + (b)) +#define BF(x, y, a, b) \ + do { \ + x = (a) - (b); \ + y = (a) + (b); \ + } while (0) + #elif defined(TX_INT32) /* Properly rounds the result */ 
@@ -131,14 +137,14 @@ typedef void TXComplex; #define FOLD(x, y) ((int32_t)((x) + (unsigned)(y) + 32) >> 6) -#endif /* TX_INT32 */ - #define BF(x, y, a, b) \ do { \ - x = (a) - (b); \ - y = (a) + (b); \ + x = (a) - (unsigned)(b); \ + y = (a) + (unsigned)(b); \ } while (0) +#endif /* TX_INT32 */ + #define CMUL3(c, a, b) CMUL((c).re, (c).im, (a).re, (a).im, (b).re, (b).im) /* Codelet flags, used to pick codelets. Must be a superset of enum AVTXFlags, From c2b46db3f439ea39bf401b011c0fe6bbaeb0b6b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2023 22:48:46 +0100 Subject: [PATCH 189/562] avcodec/g2meet: Replace fake allocation avoidance for framebuf framebuf is only allocated when the new width/height are larger than the old but nothing sets the old so its always allocated. Use av_fast_mallocz() instead. Fixes: Timeout Fixes: 55094/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5116909932904448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38adbc6eebd7f2f34ecf1b0b18019e88bad9d9f4) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 00964369c5..ee1eaf9e6f 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -146,7 +146,8 @@ typedef struct G2MContext { int got_header; uint8_t *framebuf; - int framebuf_stride, old_width, old_height; + int framebuf_stride; + unsigned int framebuf_allocated; uint8_t *synth_tile, *jpeg_tile, *epic_buf, *epic_buf_base; int tile_stride, epic_buf_stride, old_tile_w, old_tile_h; 
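Review bot: The TX_INT32 variant of BF() in libavutil/tx_priv.h depends on the `(unsigned)` casts for defined wrap-around, but nothing at the macro says so, and it now differs from the copy added before `#elif defined(TX_INT32)` only by those casts. A comment above it such as `/* unsigned arithmetic: wraps instead of overflowing a signed int */` would keep the two definitions from being merged again during a cleanup. The result is converted back to the signed type of `x` and `y` on assignment, which is worth stating in the same comment.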
@@ -1161,14 +1162,13 @@ static int g2m_init_buffers(G2MContext *c) { int aligned_height; - if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) { - c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; - aligned_height = c->height + 15; - av_free(c->framebuf); - c->framebuf = av_calloc(c->framebuf_stride, aligned_height); - if (!c->framebuf) - return AVERROR(ENOMEM); - } + c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; + aligned_height = c->height + 15; + + av_fast_mallocz(&c->framebuf, &c->framebuf_allocated, c->framebuf_stride * aligned_height); + if (!c->framebuf) + return AVERROR(ENOMEM); + if (!c->synth_tile || !c->jpeg_tile || (c->compression == 2 && !c->epic_buf_base) || c->old_tile_w < c->tile_width || @@ -1618,6 +1618,7 @@ static av_cold int g2m_decode_end(AVCodecContext *avctx) av_freep(&c->jpeg_tile); av_freep(&c->cursor); av_freep(&c->framebuf); + c->framebuf_allocated = 0; return 0; } From efcb8211577b47a21ac0ab8ba2b8597be93ee0c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Feb 2023 22:49:01 +0100 Subject: [PATCH 190/562] avcodec/vorbisdec: Check codebook float values to be finite Fixes: Timeout Fixes: 55116/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-4572159970508800 Signed-off-by: Michael Niedermayer (cherry picked from commit cadd7e7a7589b5c118ad1648a09c629a6b65a3be) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 6ba0e1d811..269a6eb166 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c 
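Review bot: In g2m_init_buffers (libavcodec/g2meet.c) the size passed to av_fast_mallocz() is the int product `c->framebuf_stride * aligned_height`, whereas the removed `av_calloc(c->framebuf_stride, aligned_height)` received the two factors separately and could check the multiplication itself. Unless width and height are bounded before this point (not visible in the hunk), the product can overflow and yield an allocation smaller than the frame buffer the decoder later indexes. Computing it in a wider type, `(size_t)c->framebuf_stride * aligned_height`, and rejecting a result that does not fit the `unsigned int` size field would keep the old safety margin. A reused buffer is also no longer zeroed, so pixels from an earlier configuration stay in it; a comment should say whether that is acceptable.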
@@ -364,6 +364,10 @@ static int vorbis_parse_setup_hdr_codebooks(vorbis_context *vc) unsigned codebook_value_bits = get_bits(gb, 4) + 1; unsigned codebook_sequence_p = get_bits1(gb); + if (!isfinite(codebook_minimum_value) || !isfinite(codebook_delta_value)) { + ret = AVERROR_INVALIDDATA; + goto error; + } ff_dlog(NULL, " We expect %d numbers for building the codevectors. \n", codebook_lookup_values); ff_dlog(NULL, " delta %f minmum %f \n", From ac015347a8034b61353c633dbfeaa5c8ac79de2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 15:05:47 +0200 Subject: [PATCH 191/562] avcodec/pngdec: remove AVFrame argument from decode_iccp_chunk() Signed-off-by: Michael Niedermayer (cherry picked from commit 7117b380a7eb9419625aa8835edec2c3c17e638b) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 9f142980a0..85cf40d1f8 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -876,7 +876,7 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, return 0; } -static int decode_iccp_chunk(PNGDecContext *s, GetByteContext *gb, AVFrame *f) +static int decode_iccp_chunk(PNGDecContext *s, GetByteContext *gb) { int ret, cnt = 0; AVBPrint bp; @@ -1313,7 +1313,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, break; } case MKTAG('i', 'C', 'C', 'P'): { - if ((ret = decode_iccp_chunk(s, &gb_chunk, p)) < 0) + if ((ret = decode_iccp_chunk(s, &gb_chunk)) < 0) goto fail; break; } From 13644a75d831f8978e5ad8b4fe4c571192f3fda8 Mon Sep 17 00:00:00 2001 
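Review bot: The new isfinite() rejection in vorbis_parse_setup_hdr_codebooks (libavcodec/vorbisdec.c) jumps to `error` without logging anything, so a rejected stream gives no hint about which header field was bad. A line before the `goto`, for example `av_log(vc->avctx, AV_LOG_ERROR, "Codebook minimum/delta value is not finite.\n");`, would make the failure diagnosable. The function body starts and ends outside the hunk, so the logging style of the neighbouring error paths should be checked before picking the wording.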
From: Michael Niedermayer Date: Sun, 16 Apr 2023 15:06:59 +0200 Subject: [PATCH 192/562] avcodec/pngdec: Do not pass AVFrame into global header decode The global header should not contain a frame, and decoding it would result in leaks Fixes: memleak Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-6603443149340672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d31d4f32283f765c79d6e127d31ee2c37a0acef7) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 85cf40d1f8..b085154fbc 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -640,6 +640,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, int ret; size_t byte_depth = s->bit_depth > 8 ? 2 : 1; + if (!p) + return AVERROR_INVALIDDATA; if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n"); return AVERROR_INVALIDDATA; @@ -1358,6 +1360,9 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, } exit_loop: + if (!p) + return AVERROR_INVALIDDATA; + if (avctx->codec_id == AV_CODEC_ID_PNG && avctx->skip_frame == AVDISCARD_ALL) { return 0; @@ -1596,7 +1601,7 @@ static int decode_frame_apng(AVCodecContext *avctx, AVFrame *p, if ((ret = inflateReset(&s->zstream.zstream)) != Z_OK) return AVERROR_EXTERNAL; bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size); - if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0) + if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0) return ret; } From b9c79be72639e0d84409e3ee4f987de77cee054d Mon Sep 17 00:00:00 2001 
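Review bot: decode_frame_common and decode_idat_chunk (libavcodec/pngdec.c) now treat `p == NULL` as "decoding the APNG global header", but that convention is only implied by the call `decode_frame_common(avctx, s, NULL, avpkt)` in decode_frame_apng. A comment at the two new checks, for example `/* p is NULL while parsing extradata; frame data is not allowed there */`, would document it, and an av_log() line at the IDAT check would match the "IDAT without IHDR" path directly below it. Only decode_idat_chunk is guarded in these hunks; any other chunk handler reached from the loop that dereferences `p` needs the same check, which cannot be confirmed from here.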
From: Michael Niedermayer Date: Sun, 16 Apr 2023 15:18:45 +0200 Subject: [PATCH 193/562] avcodec/exr: Cleanup befor return Fixes: leaks Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6703454090559488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 885ff3b8798791eb2b0f53360a2ab4b1f9c5f6dc) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 91a567cd41..c8db720904 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1943,8 +1943,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) bytestream2_get_buffer(gb, key, FFMIN(sizeof(key) - 1, var_size)); if (strncmp("scanlineimage", key, var_size) && - strncmp("tiledimage", key, var_size)) - return AVERROR_PATCHWELCOME; + strncmp("tiledimage", key, var_size)) { + ret = AVERROR_PATCHWELCOME; + goto fail; + } continue; } else if ((var_size = check_header_variable(s, "preview", @@ -1952,12 +1954,16 @@ static int decode_header(EXRContext *s, AVFrame *frame) uint32_t pw = bytestream2_get_le32(gb); uint32_t ph = bytestream2_get_le32(gb); uint64_t psize = pw * ph; - if (psize > INT64_MAX / 4) - return AVERROR_INVALIDDATA; + if (psize > INT64_MAX / 4) { + ret = AVERROR_INVALIDDATA; + goto fail; + } psize *= 4; - if ((int64_t)psize >= bytestream2_get_bytes_left(gb)) - return AVERROR_INVALIDDATA; + if ((int64_t)psize >= bytestream2_get_bytes_left(gb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } bytestream2_skip(gb, psize); From 0c2b08227ef52babedf8659035e359bfa4fed374 Mon Sep 17 00:00:00 2001 
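Review bot: In the preview branch of decode_header (libavcodec/exr.c) the context line `uint64_t psize = pw * ph;` multiplies two uint32_t values, so the product wraps at 32 bits before it is widened, and the commit leaves that line unchanged. The following `psize > INT64_MAX / 4` test can then never fire, and the number of bytes skipped may be far smaller than the preview the header declares, leaving the parser misaligned on crafted input. Widening one operand first, `uint64_t psize = (uint64_t)pw * ph;`, makes both size checks meaningful. decode_header starts and ends outside the hunk.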
From: Michael Niedermayer Date: Sun, 16 Apr 2023 16:56:40 +0200 Subject: [PATCH 194/562] avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated Fixes: out of array access Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5124452659888128 Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6362836707442688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 34056a94eab5f8fbc7e0b8510f7c9851931f23b7) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index ef5c785ced..add1e2139b 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -316,7 +316,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } if (s->codec_id == AV_CODEC_ID_IFF_ILBM) { - w_align = FFMAX(w_align, 8); + w_align = FFMAX(w_align, 16); } *width = FFALIGN(*width, w_align); From 2878299b730ebe0b82ca2af65b3a9ca64f944d4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 17:19:10 +0200 Subject: [PATCH 195/562] avcodec/sonic: Fix two undefined integer overflows Fixes: signed integer overflow: 2147483372 - -148624 cannot be represented in type 'int' Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5477177805373440 Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-6681622236233728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2632e9049391d820bde64d1fc138567a66464fcd) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index dfb055d80e..2fc8a1f6f4 100644 
--- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -473,7 +473,7 @@ static void predictor_init_state(int *k, int *state, int order) static int predictor_calc_error(int *k, int *state, int order, int error) { - int i, x = error - shift_down(k[order-1] * (unsigned)state[order-1], LATTICE_SHIFT); + int i, x = error - (unsigned)shift_down(k[order-1] * (unsigned)state[order-1], LATTICE_SHIFT); #if 1 int *k_ptr = &(k[order-2]), @@ -1013,7 +1013,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, AVFrame *frame, if (s->lossless) quant = 1; else - quant = get_symbol(&c, state, 0) * SAMPLE_FACTOR; + quant = get_symbol(&c, state, 0) * (unsigned)SAMPLE_FACTOR; // av_log(NULL, AV_LOG_INFO, "quant: %d\n", quant); From f174aa713455bb48f4de22df223f17d0a851660f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 17:34:16 +0200 Subject: [PATCH 196/562] avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() Fixes: out of array access Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6682195323650048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19b66b89da4b4ff086dc1fc79bbf540e82bdbcb4) Signed-off-by: Michael Niedermayer --- libavcodec/tak.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tak.c b/libavcodec/tak.c index 7221a80094..a19b2779e2 100644 --- a/libavcodec/tak.c +++ b/libavcodec/tak.c @@ -168,6 +168,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb, if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA) return AVERROR_INVALIDDATA; + if (get_bits_left(gb) < 24) + return AVERROR_INVALIDDATA; + skip_bits(gb, 24); return 0; From 7337f2e8e36b5bbadb9170a0e30b988cc4392540 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 16 Apr 2023 17:38:39 +0200 Subject: [PATCH 197/562] avcodec/tiff: add a zero DNG_LINEARIZATION_TABLE check Fixes: index 4294967295 out of bounds for type 'uint16_t [65536]' Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5950405086674944 Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6666195176914944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e98cf0280cd693ef82c4444fe15bc7aef8771b3) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 717f299fdd..b4a1c2f040 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1416,7 +1416,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->sub_ifd = ff_tget(&s->gb, TIFF_LONG, s->le); /** Only get the first SubIFD */ break; case DNG_LINEARIZATION_TABLE: - if (count > FF_ARRAY_ELEMS(s->dng_lut)) + if (count < 1 || count > FF_ARRAY_ELEMS(s->dng_lut)) return AVERROR_INVALIDDATA; for (int i = 0; i < count; i++) s->dng_lut[i] = ff_tget(&s->gb, type, s->le); From 50e2f8ef33856bfa05b555a05122e1b3039e34ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 00:51:38 +0100 Subject: [PATCH 198/562] avformat/wavdec: Check that smv block fits in available space Fixes: OOM Fixes: 56271/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5290810045497344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a76efafdb9be966ae3ad52b32370dc644dd582bf) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index ca61b844b5..7d16b25e54 100644 --- a/libavformat/wavdec.c 
+++ b/libavformat/wavdec.c @@ -730,6 +730,10 @@ smv_retry: goto smv_out; } size = avio_rl24(s->pb); + if (size > wav->smv_block_size) { + ret = AVERROR_EOF; + goto smv_out; + } ret = av_get_packet(s->pb, pkt, size); if (ret < 0) goto smv_out; From 1892181787dd575bb137935ad28f81f949ac747a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 May 2023 01:46:31 +0200 Subject: [PATCH 199/562] avformat/oggparsetheora: clip duration within 64bit Fixes: signed integer overflow: 9079256848778919936 - -288230376151711746 cannot be represented in type 'long' Fixes: 58248/clusterfuzz-testcase-minimized-ffmpeg_dem_OGG_fuzzer-6326851353313280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1c3d81e71f78e4b3b2c2901ac4649cb74aec272) Signed-off-by: Michael Niedermayer --- libavformat/oggparsetheora.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparsetheora.c b/libavformat/oggparsetheora.c index b9184eff7b..85119352c3 100644 --- a/libavformat/oggparsetheora.c +++ b/libavformat/oggparsetheora.c @@ -196,7 +196,7 @@ static int theora_packet(AVFormatContext *s, int idx) if(s->streams[idx]->start_time == AV_NOPTS_VALUE && os->lastpts != AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration > 0) - s->streams[idx]->duration -= s->streams[idx]->start_time; + s->streams[idx]->duration = av_sat_sub64(s->streams[idx]->duration, s->streams[idx]->start_time); } } From 2cb93e863fac9ad32ae5901186b59eb23c047e64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2023 19:59:40 +0200 Subject: [PATCH 200/562] avcodec/noise_bsf: Check for wrapped frames Wrapped frames contain pointers so they need specific code to noise them, the generic code would lead to segfaults Signed-off-by: Michael Niedermayer (cherry picked from commit 0889ebc577749ee6abc620bc9030d2002487935f) 
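Review bot: The new size check in the smv path of libavformat/wavdec.c reports an oversized block as `AVERROR_EOF`, which callers normally read as a clean end of stream rather than as corrupt data. If stopping quietly is the intent, a comment such as `/* block cannot fit: treat as end of the smv stream */` would record that; otherwise `ret = AVERROR_INVALIDDATA;` states the condition more accurately. The enclosing function is outside the hunk, so how the code after `smv_out` treats the two values should be checked first.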
Signed-off-by: Michael Niedermayer --- libavcodec/noise_bsf.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/noise_bsf.c b/libavcodec/noise_bsf.c index 168f3aa373..7bdaa3c1db 100644 --- a/libavcodec/noise_bsf.c +++ b/libavcodec/noise_bsf.c @@ -86,6 +86,12 @@ static int noise_init(AVBSFContext *ctx) return AVERROR(ENOMEM); } + if (ctx->par_in->codec_id == AV_CODEC_ID_WRAPPED_AVFRAME && + strcmp(s->amount_str, "0")) { + av_log(ctx, AV_LOG_ERROR, "Wrapped AVFrame noising is unsupported\n"); + return AVERROR_PATCHWELCOME; + } + ret = av_expr_parse(&s->amount_pexpr, s->amount_str, var_names, NULL, NULL, NULL, NULL, 0, ctx); if (ret < 0) { From 4e68048151a43e08265548024ec9e98dc6028f50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jun 2023 10:26:33 -0400 Subject: [PATCH 201/562] avformat/jpegxl_probe: Remove intermediate macro obfuscation around get_bits*() Signed-off-by: Michael Niedermayer (cherry picked from commit 25c937c0e03895866d9f5bcc659ad6afc53e20f9) Signed-off-by: Michael Niedermayer --- libavformat/jpegxl_probe.c | 169 +++++++++++++++++++------------------ 1 file changed, 85 insertions(+), 84 deletions(-) diff --git a/libavformat/jpegxl_probe.c b/libavformat/jpegxl_probe.c index 3de002f004..45f464ffaf 100644 --- a/libavformat/jpegxl_probe.c +++ b/libavformat/jpegxl_probe.c 
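Review bot: The guard in noise_init (libavcodec/noise_bsf.c) decides whether noising is switched off by comparing the option text with `strcmp(s->amount_str, "0")` before the expression is parsed. That fails safe, but any other spelling that evaluates to zero (for example `0.0`) is rejected for wrapped frames, and the check silently depends on the disabled value being written exactly as "0". A comment stating this, e.g. `/* only the literal "0" is accepted: wrapped frames hold pointers and must never be modified */`, would explain the strictness. The function continues outside the hunk, so whether other options of this filter can also alter packet data for wrapped frames cannot be judged from here.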
@@ -57,49 +57,50 @@ enum JpegXLPrimaries { FF_JPEGXL_PR_P3 = 11, }; -#define jxl_bits(n) get_bits_long(gb, (n)) -#define jxl_bits_skip(n) skip_bits_long(gb, (n)) -#define jxl_u32(c0, c1, c2, c3, u0, u1, u2, u3) jpegxl_u32(gb, \ - (const uint32_t[]){c0, c1, c2, c3}, (const uint32_t[]){u0, u1, u2, u3}) -#define jxl_u64() jpegxl_u64(gb) -#define jxl_enum() jxl_u32(0, 1, 2, 18, 0, 0, 4, 6) - /* read a U32(c_i + u(u_i)) */ -static uint32_t jpegxl_u32(GetBitContext *gb, - const uint32_t constants[4], const uint32_t ubits[4]) +static av_always_inline uint32_t jxl_u32(GetBitContext *gb, + uint32_t c0, uint32_t c1, uint32_t c2, uint32_t c3, + uint32_t u0, uint32_t u1, uint32_t u2, uint32_t u3) { - uint32_t ret, choice = jxl_bits(2); + const uint32_t constants[4] = {c0, c1, c2, c3}; + const uint32_t ubits [4] = {u0, u1, u2, u3}; + uint32_t ret, choice = get_bits(gb, 2); ret = constants[choice]; if (ubits[choice]) - ret += jxl_bits(ubits[choice]); + ret += get_bits_long(gb, ubits[choice]); return ret; } +static av_always_inline uint32_t jxl_enum(GetBitContext *gb) +{ + return jxl_u32(gb, 0, 1, 2, 18, 0, 0, 4, 6); +} + /* read a U64() */ static uint64_t jpegxl_u64(GetBitContext *gb) { uint64_t shift = 12, ret; - switch (jxl_bits(2)) { + switch (get_bits(gb, 2)) { case 0: ret = 0; break; case 1: - ret = 1 + jxl_bits(4); + ret = 1 + get_bits(gb, 4); break; case 2: - ret = 17 + jxl_bits(8); + ret = 17 + get_bits(gb, 8); break; case 3: - ret = jxl_bits(12); - while (jxl_bits(1)) { + ret = get_bits(gb, 12); + while (get_bits1(gb)) { if (shift < 60) { - ret |= (uint64_t)jxl_bits(8) << shift; + ret |= (uint64_t)get_bits(gb, 8) << shift; shift += 8; } else { - ret |= (uint64_t)jxl_bits(4) << shift; + ret |= (uint64_t)get_bits(gb, 4) << shift; break; } } 
@@ -142,18 +143,18 @@ static int jpegxl_read_size_header(GetBitContext *gb) { uint32_t width, height; - if (jxl_bits(1)) { + if (get_bits1(gb)) { /* small size header */ - height = (jxl_bits(5) + 1) << 3; - width = jpegxl_width_from_ratio(height, jxl_bits(3)); + height = (get_bits(gb, 5) + 1) << 3; + width = jpegxl_width_from_ratio(height, get_bits(gb, 3)); if (!width) - width = (jxl_bits(5) + 1) << 3; + width = (get_bits(gb, 5) + 1) << 3; } else { /* large size header */ - height = 1 + jxl_u32(0, 0, 0, 0, 9, 13, 18, 30); - width = jpegxl_width_from_ratio(height, jxl_bits(3)); + height = 1 + jxl_u32(gb, 0, 0, 0, 0, 9, 13, 18, 30); + width = jpegxl_width_from_ratio(height, get_bits(gb, 3)); if (!width) - width = 1 + jxl_u32(0, 0, 0, 0, 9, 13, 18, 30); + width = 1 + jxl_u32(gb, 0, 0, 0, 0, 9, 13, 18, 30); } if (width > (1 << 18) || height > (1 << 18) || (width >> 4) * (height >> 4) > (1 << 20)) @@ -170,18 +171,18 @@ static int jpegxl_read_preview_header(GetBitContext *gb) { uint32_t width, height; - if (jxl_bits(1)) { + if (get_bits1(gb)) { /* coded height and width divided by eight */ - height = jxl_u32(16, 32, 1, 33, 0, 0, 5, 9) << 3; - width = jpegxl_width_from_ratio(height, jxl_bits(3)); + height = jxl_u32(gb, 16, 32, 1, 33, 0, 0, 5, 9) << 3; + width = jpegxl_width_from_ratio(height, get_bits(gb, 3)); if (!width) - width = jxl_u32(16, 32, 1, 33, 0, 0, 5, 9) << 3; + width = jxl_u32(gb, 16, 32, 1, 33, 0, 0, 5, 9) << 3; } else { /* full height and width coded */ - height = jxl_u32(1, 65, 321, 1345, 6, 8, 10, 12); - width = jpegxl_width_from_ratio(height, jxl_bits(3)); + height = jxl_u32(gb, 1, 65, 321, 1345, 6, 8, 10, 12); + width = jpegxl_width_from_ratio(height, get_bits(gb, 3)); if (!width) - width = jxl_u32(1, 65, 321, 1345, 6, 8, 10, 12); + width = jxl_u32(gb, 1, 65, 321, 1345, 6, 8, 10, 12); } if (width > 4096 || height > 4096) return -1; 
@@ -194,13 +195,13 @@ static int jpegxl_read_preview_header(GetBitContext *gb) */ static void jpegxl_skip_bit_depth(GetBitContext *gb) { - if (jxl_bits(1)) { + if (get_bits1(gb)) { /* float samples */ - jxl_u32(32, 16, 24, 1, 0, 0, 0, 6); /* mantissa */ - jxl_bits_skip(4); /* exponent */ + jxl_u32(gb, 32, 16, 24, 1, 0, 0, 0, 6); /* mantissa */ + skip_bits_long(gb, 4); /* exponent */ } else { /* integer samples */ - jxl_u32(8, 10, 12, 1, 0, 0, 0, 6); + jxl_u32(gb, 8, 10, 12, 1, 0, 0, 0, 6); } } @@ -210,34 +211,34 @@ static void jpegxl_skip_bit_depth(GetBitContext *gb) */ static int jpegxl_read_extra_channel_info(GetBitContext *gb) { - int all_default = jxl_bits(1); + int all_default = get_bits1(gb); uint32_t type, name_len = 0; if (!all_default) { - type = jxl_enum(); + type = jxl_enum(gb); if (type > 63) return -1; /* enum types cannot be 64+ */ if (type == FF_JPEGXL_CT_BLACK) return -1; jpegxl_skip_bit_depth(gb); - jxl_u32(0, 3, 4, 1, 0, 0, 0, 3); /* dim-shift */ + jxl_u32(gb, 0, 3, 4, 1, 0, 0, 0, 3); /* dim-shift */ /* max of name_len is 1071 = 48 + 2^10 - 1 */ - name_len = jxl_u32(0, 0, 16, 48, 0, 4, 5, 10); + name_len = jxl_u32(gb, 0, 0, 16, 48, 0, 4, 5, 10); } else { type = FF_JPEGXL_CT_ALPHA; } /* skip over the name */ - jxl_bits_skip(8 * name_len); + skip_bits_long(gb, 8 * name_len); if (!all_default && type == FF_JPEGXL_CT_ALPHA) - jxl_bits_skip(1); + skip_bits1(gb); if (type == FF_JPEGXL_CT_SPOT_COLOR) - jxl_bits_skip(16 * 4); + skip_bits_long(gb, 16 * 4); if (type == FF_JPEGXL_CT_CFA) - jxl_u32(1, 0, 3, 19, 0, 2, 4, 8); + jxl_u32(gb, 1, 0, 3, 19, 0, 2, 4, 8); return 0; } 
@@ -256,39 +257,39 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen) if (ret < 0) return ret; - if (jxl_bits(16) != FF_JPEGXL_CODESTREAM_SIGNATURE_LE) + if (get_bits_long(gb, 16) != FF_JPEGXL_CODESTREAM_SIGNATURE_LE) return -1; if (jpegxl_read_size_header(gb) < 0) return -1; - all_default = jxl_bits(1); + all_default = get_bits1(gb); if (!all_default) - extra_fields = jxl_bits(1); + extra_fields = get_bits1(gb); if (extra_fields) { - jxl_bits_skip(3); /* orientation */ + skip_bits_long(gb, 3); /* orientation */ /* * intrinstic size * any size header here is valid, but as it * is variable length we have to read it */ - if (jxl_bits(1)) + if (get_bits1(gb)) jpegxl_read_size_header(gb); /* preview header */ - if (jxl_bits(1)) { + if (get_bits1(gb)) { if (jpegxl_read_preview_header(gb) < 0) return -1; } /* animation header */ - if (jxl_bits(1)) { - jxl_u32(100, 1000, 1, 1, 0, 0, 10, 30); - jxl_u32(1, 1001, 1, 1, 0, 0, 8, 10); - jxl_u32(0, 0, 0, 0, 0, 3, 16, 32); - jxl_bits_skip(1); + if (get_bits1(gb)) { + jxl_u32(gb, 100, 1000, 1, 1, 0, 0, 10, 30); + jxl_u32(gb, 1, 1001, 1, 1, 0, 0, 8, 10); + jxl_u32(gb, 0, 0, 0, 0, 0, 3, 16, 32); + skip_bits_long(gb, 1); } } @@ -296,10 +297,10 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen) jpegxl_skip_bit_depth(gb); /* modular_16bit_buffers must equal 1 */ - if (!jxl_bits(1)) + if (!get_bits1(gb)) return -1; - num_extra_channels = jxl_u32(0, 1, 2, 1, 0, 0, 4, 12); + num_extra_channels = jxl_u32(gb, 0, 1, 2, 1, 0, 0, 4, 12); if (num_extra_channels > 4) return -1; for (uint32_t i = 0; i < num_extra_channels; i++) { 
@@ -307,85 +308,85 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen) return -1; } - xyb_encoded = jxl_bits(1); + xyb_encoded = get_bits1(gb); /* color encoding bundle */ - if (!jxl_bits(1)) { + if (!get_bits1(gb)) { uint32_t color_space; - have_icc_profile = jxl_bits(1); - color_space = jxl_enum(); + have_icc_profile = get_bits1(gb); + color_space = jxl_enum(gb); if (color_space > 63) return -1; if (!have_icc_profile) { if (color_space != FF_JPEGXL_CS_XYB) { - uint32_t white_point = jxl_enum(); + uint32_t white_point = jxl_enum(gb); if (white_point > 63) return -1; if (white_point == FF_JPEGXL_WP_CUSTOM) { /* ux and uy values */ - jxl_u32(0, 524288, 1048576, 2097152, 19, 19, 20, 21); - jxl_u32(0, 524288, 1048576, 2097152, 19, 19, 20, 21); + jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21); + jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21); } if (color_space != FF_JPEGXL_CS_GRAY) { /* primaries */ - uint32_t primaries = jxl_enum(); + uint32_t primaries = jxl_enum(gb); if (primaries > 63) return -1; if (primaries == FF_JPEGXL_PR_CUSTOM) { /* ux/uy values for r,g,b */ for (int i = 0; i < 6; i++) - jxl_u32(0, 524288, 1048576, 2097152, 19, 19, 20, 21); + jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21); } } } /* transfer characteristics */ - if (jxl_bits(1)) { + if (get_bits1(gb)) { /* gamma */ - jxl_bits_skip(24); + skip_bits_long(gb, 24); } else { /* transfer function */ - if (jxl_enum() > 63) + if (jxl_enum(gb) > 63) return -1; } /* rendering intent */ - if (jxl_enum() > 63) + if (jxl_enum(gb) > 63) return -1; } } /* tone mapping bundle */ - if (extra_fields && !jxl_bits(1)) - jxl_bits_skip(16 + 16 + 1 + 16); + if (extra_fields && !get_bits1(gb)) + skip_bits_long(gb, 16 + 16 + 1 + 16); - extensions = jxl_u64(); + extensions = jpegxl_u64(gb); if (extensions) { for (int i = 0; i < 64; i++) { if (extensions & (UINT64_C(1) << i)) - jxl_u64(); + jpegxl_u64(gb); } } } /* default transform */ - if (!jxl_bits(1)) { + if 
(!get_bits1(gb)) { /* opsin inverse matrix */ - if (xyb_encoded && !jxl_bits(1)) - jxl_bits_skip(16 * 16); + if (xyb_encoded && !get_bits1(gb)) + skip_bits_long(gb, 16 * 16); /* cw_mask and default weights */ - if (jxl_bits(1)) - jxl_bits_skip(16 * 15); - if (jxl_bits(1)) - jxl_bits_skip(16 * 55); - if (jxl_bits(1)) - jxl_bits_skip(16 * 210); + if (get_bits1(gb)) + skip_bits_long(gb, 16 * 15); + if (get_bits1(gb)) + skip_bits_long(gb, 16 * 55); + if (get_bits1(gb)) + skip_bits_long(gb, 16 * 210); } if (!have_icc_profile) { int bits_remaining = 7 - (get_bits_count(gb) - 1) % 8; - if (bits_remaining && jxl_bits(bits_remaining)) + if (bits_remaining && get_bits(gb, bits_remaining)) return -1; } From 55de397fe048f5ae2d7ce1f5c630c513f0ff5e05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jun 2023 10:26:34 -0400 Subject: [PATCH 202/562] avformat/jpegxl_probe: check length instead of blindly reading Enable the checked bitreader to avoid overread. Also add a few checks in loops and between blocks so we exit instead of continued execution. Alternatively we could add manual checks so that no overread can happen. This would be slightly faster but a bit more work and a bit more fragile Fixes: Out of array accesses Fixes: 59640/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-6584117345779712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1ec4553e355039ce69abf8e49389fa43f1f55fc5) Signed-off-by: Michael Niedermayer --- libavformat/jpegxl_probe.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/jpegxl_probe.c b/libavformat/jpegxl_probe.c index 45f464ffaf..47c6c54ff4 100644 --- a/libavformat/jpegxl_probe.c +++ b/libavformat/jpegxl_probe.c @@ -21,6 +21,7 @@ #include "jpegxl_probe.h" +#define UNCHECKED_BITSTREAM_READER 0 #define BITSTREAM_READER_LE #include "libavcodec/get_bits.h" 
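Review bot: The new `#define UNCHECKED_BITSTREAM_READER 0` in jpegxl_probe.c only selects the checked reader because it sits before `#include "libavcodec/get_bits.h"`, and nothing in the file records that dependency. Probe input is untrusted and may be truncated, so a later include reorder should not be able to undo this unnoticed. I would add a comment directly above the define, e.g. `/* keep before get_bits.h: probe data is untrusted, use the bounds-checked reader */`.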
@@ -292,6 +293,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen) skip_bits_long(gb, 1); } } + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if (!all_default) { jpegxl_skip_bit_depth(gb); @@ -306,6 +309,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen) for (uint32_t i = 0; i < num_extra_channels; i++) { if (jpegxl_read_extra_channel_info(gb) < 0) return -1; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; } xyb_encoded = get_bits1(gb); @@ -335,8 +340,11 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen) return -1; if (primaries == FF_JPEGXL_PR_CUSTOM) { /* ux/uy values for r,g,b */ - for (int i = 0; i < 6; i++) + for (int i = 0; i < 6; i++) { jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + } } } } @@ -362,10 +370,14 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen) skip_bits_long(gb, 16 + 16 + 1 + 16); extensions = jpegxl_u64(gb); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if (extensions) { for (int i = 0; i < 64; i++) { if (extensions & (UINT64_C(1) << i)) jpegxl_u64(gb); + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; } } } From 537600e78506ca4268c860ba5f21dc15d890e5b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Jun 2023 10:26:35 -0400 Subject: [PATCH 203/562] avformat/jpegxl_probe: Forward error codes Signed-off-by: Michael Niedermayer (cherry picked from commit 09621fd7d93a12974e9664b2aebb8237e5c46f03) Signed-off-by: Michael Niedermayer --- libavformat/jpegxl_probe.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavformat/jpegxl_probe.c b/libavformat/jpegxl_probe.c index 47c6c54ff4..2d2d128387 100644 --- a/libavformat/jpegxl_probe.c +++ b/libavformat/jpegxl_probe.c 
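Review bot: The explicit `get_bits_left()` exits added here stop at the extensions loop, so everything read after it depends on the checked reader alone. In the previous patch on this page the default-transform block skips up to `16 * 210` bits and the padding test follows with no length check, so a truncated buffer can presumably still reach the success return. The end of `ff_jpegxl_verify_codestream_header` is outside these hunks. If that reading is right, `if (get_bits_left(gb) < 0) return AVERROR_INVALIDDATA;` before the final return would close the gap.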
@@ -261,8 +261,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen) if (get_bits_long(gb, 16) != FF_JPEGXL_CODESTREAM_SIGNATURE_LE) return -1; - if (jpegxl_read_size_header(gb) < 0) - return -1; + if ((ret = jpegxl_read_size_header(gb)) < 0) + return ret; all_default = get_bits1(gb); if (!all_default) @@ -281,8 +281,9 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen) /* preview header */ if (get_bits1(gb)) { - if (jpegxl_read_preview_header(gb) < 0) - return -1; + ret = jpegxl_read_preview_header(gb); + if (ret < 0) + return ret; } /* animation header */ @@ -307,8 +308,9 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen) if (num_extra_channels > 4) return -1; for (uint32_t i = 0; i < num_extra_channels; i++) { - if (jpegxl_read_extra_channel_info(gb) < 0) - return -1; + ret = jpegxl_read_extra_channel_info(gb); + if (ret < 0) + return ret; if (get_bits_left(gb) < 1) return AVERROR_INVALIDDATA; } From 74d3c9261a66d4ff154ee0b467b23c374a261d49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Jun 2023 21:44:37 +0200 Subject: [PATCH 204/562] avcodec: Ignoring errors is only possible before the input end Fixes: out of array read Fixes: Ticket 10308 Signed-off-by: Michael Niedermayer (cherry picked from commit fead656a7bf523d448fe8bd39c1f2ea36be98fb9) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 +- libavcodec/mpeg4videodec.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index d411bae220..d5d731e9f1 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -307,7 +307,7 @@ static int decode_slice(MpegEncContext *s) ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR & part_mask); - if (s->avctx->err_recognition & AV_EF_IGNORE_ERR) + if ((s->avctx->err_recognition & AV_EF_IGNORE_ERR) && get_bits_left(&s->gb) > 0) continue; return AVERROR_INVALIDDATA; } 
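Review bot: After this change `ff_jpegxl_verify_codestream_header` returns a mix of forwarded AVERROR codes and bare `-1`, for example the signature check in the first hunk and `if (num_extra_channels > 4) return -1;` in the third. On common platforms -1 reads as AVERROR(EPERM), which is misleading for a caller that logs the code. If those sites mean malformed data they could become `return AVERROR_INVALIDDATA;`. If -1 is meant as "not a JPEG XL codestream", a one-line comment on the return convention above the function would make that clear.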
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 220d415c6f..724c6aacf3 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1259,7 +1259,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block, if (SHOW_UBITS(re, &s->gb, 1) == 0) { av_log(s->avctx, AV_LOG_ERROR, "1. marker bit missing in 3. esc\n"); - if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR)) + if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0) return AVERROR_INVALIDDATA; } SKIP_CACHE(re, &s->gb, 1); @@ -1270,7 +1270,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block, if (SHOW_UBITS(re, &s->gb, 1) == 0) { av_log(s->avctx, AV_LOG_ERROR, "2. marker bit missing in 3. esc\n"); - if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR)) + if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0) return AVERROR_INVALIDDATA; } From df4170b2bcadb8ccd9278532b3ba0f089cbae969 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2023 23:40:16 +0200 Subject: [PATCH 205/562] avcodec/takdsp: Fix integer overflows Fixes: avcodec/takdsp.c:44:23: runtime error: signed integer overflow: -2097158 - 2147012608 cannot be represented in type 'int' Fixes: 58417/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5268919664640000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ff8a496d41422b694f66684ada97dcf49e167782) Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 881d7be5f2..b646a063db 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c 
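Review bot: The added `get_bits_left(&s->gb) <= 0` test, in both hunks of `mpeg4_decode_block`, reads the position stored in `s->gb` while the surrounding code consumes bits through the local `re` reader (`SHOW_UBITS(re, ...)`, `SKIP_CACHE(re, ...)`). With the get_bits.h macros the local index is written back to the context only by `CLOSE_READER`, so the check presumably sees the position from when the reader was opened and can still report bits left after `re` has run past the end. `OPEN_READER` is outside the hunks, so this needs confirming against the full function. If it holds, the condition should be derived from the local reader position, or at least carry a comment such as `/* s->gb is stale while re is open; this only catches input already exhausted on entry */`.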
@@ -28,8 +28,8 @@ static void decorrelate_ls(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; - int32_t b = p2[i]; + uint32_t a = p1[i]; + uint32_t b = p2[i]; p2[i] = a + b; } } @@ -39,8 +39,8 @@ static void decorrelate_sr(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; - int32_t b = p2[i]; + uint32_t a = p1[i]; + uint32_t b = p2[i]; p1[i] = b - a; } } @@ -50,7 +50,7 @@ static void decorrelate_sm(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; + uint32_t a = p1[i]; int32_t b = p2[i]; a -= b >> 1; p1[i] = a; @@ -63,7 +63,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; + uint32_t a = p1[i]; int32_t b = p2[i]; b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; From 9b10b9b8cb4908e2330785ba357a76ed894fbe30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2023 23:40:18 +0200 Subject: [PATCH 206/562] avcodec/hevcdec: Avoid null pointer dereferences in MC Fixes: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xfffffffffffffff8 Fixes: 58440/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5956015530311680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0f4d4e65093a4cb627f05d09b19c922e88cfac1) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index f8f981e838..492a0e7e68 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c 
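Review bot: The switch to `uint32_t` locals in `decorrelate_ls` (and likewise in `decorrelate_sr`, `decorrelate_sm` and `decorrelate_sf`) is not explained in the code, so a later cleanup could change them back to `int32_t` to match the array element type. A comment on the first declaration, e.g. `/* unsigned on purpose: wraparound is defined, signed overflow is not */`, would keep the intent visible. The results are stored back into `int32_t` arrays, which is an implementation-defined conversion rather than undefined behaviour.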
@@ -1911,13 +1911,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0, if (current_mv.pred_flag & PF_L0) { ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; - if (!ref0) + if (!ref0 || !ref0->frame->data[0]) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; - if (!ref1) + if (!ref1 || !ref1->frame->data[0]) return; hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH); } From 515c7b21f47df97944969347b28dcba640748de6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Jun 2023 21:00:03 +0200 Subject: [PATCH 207/562] avcodec/utils: fix 2 integer overflows in get_audio_frame_duration() Fixes: signed integer overflow: 256 * 668003712 cannot be represented in type 'int' Fixes: 59819/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-4674636538052608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a4bf559683a999c8faa408fdd8f29bd28a6a47ea) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index add1e2139b..a0c5eb4808 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -649,9 +649,9 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (sr > 0) { /* calc from sample rate */ if (id == AV_CODEC_ID_TTA) - return 256 * sr / 245; + return 256ll * sr / 245; else if (id == AV_CODEC_ID_DST) - return 588 * sr / 44100; + return 588ll * sr / 44100; else if (id == AV_CODEC_ID_BINKAUDIO_DCT) { if (sr / 22050 > 22) return 0; From cde6758306e4771114d2f97615f26b29e49758fe Mon Sep 17 00:00:00 2001 
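Review bot: The new condition `!ref0->frame->data[0]` (and the same for `ref1`) dereferences `ref0->frame` without testing it, so it relies on every reference-list entry having an allocated frame. If that invariant holds, a comment stating it is enough; if not, the guard should read `if (!ref0 || !ref0->frame || !ref0->frame->data[0])`. The early `return` also presumably leaves the prediction block unwritten without any log message. The rest of `hls_prediction_unit` is outside the hunk.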
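Review bot: Widening to `256ll * sr / 245` removes the overflow in the multiply, but `get_audio_frame_duration` still returns `int`, and the TTA quotient is larger than `sr`. For `sr` above roughly 2.05e9 the result no longer fits and is narrowed on return. The DST case, `588ll * sr / 44100`, is always smaller than `sr` and is fine. Whether `sr` is bounded earlier cannot be seen from the hunk; an explicit range check such as `int64_t d = 256ll * sr / 245; return d <= INT_MAX ? d : 0;` would match the `return 0` already used a few lines below.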
From: Michael Niedermayer Date: Tue, 20 Jun 2023 00:20:40 +0200 Subject: [PATCH 208/562] tools/target_dec_fuzzer: Adjust threshold for speex Fixes: Timeout Fixes: 59731/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4809436670328832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe167bae969cf2deac2f5c480fc5c5ac5f8e6267) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 017c5cf024..c057500dad 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -266,6 +266,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_SCPR: maxpixels /= 32; break; case AV_CODEC_ID_SCREENPRESSO:maxpixels /= 64; break; case AV_CODEC_ID_SIMBIOSIS_IMX:maxpixels /= 16384; break; + case AV_CODEC_ID_SPEEX: maxsamples /= 128; break; case AV_CODEC_ID_SMACKAUDIO: maxsamples /= 4096; break; case AV_CODEC_ID_SMACKVIDEO: maxpixels /= 64; break; case AV_CODEC_ID_SNOW: maxpixels /= 128; break; From 706c44541ed6da16d352a55f3f80d9f48ca3c883 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2023 00:59:40 +0200 Subject: [PATCH 209/562] avutil/softfloat: fix av_sincos_sf() Signed-off-by: Michael Niedermayer (cherry picked from commit d84677abd8ffb8ca8ad94eced6d9e03928f35d79) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 2 +- libavutil/tests/softfloat.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index a651406f74..1520027ddc 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h 
@@ -281,7 +281,7 @@ static av_unused void av_sincos_sf(int a, int *s, int *c) (int64_t)av_sintbl_4_sf[(idx & 0x1f) + 1] * (a & 0x7ff) + 0x400) >> 11); - *c = (int)(((int64_t)cv * ct + (int64_t)sv * st + 0x20000000) >> 30); + *c = (int)(((int64_t)cv * ct - (int64_t)sv * st + 0x20000000) >> 30); *s = (int)(((int64_t)cv * st + (int64_t)sv * ct + 0x20000000) >> 30); } diff --git a/libavutil/tests/softfloat.c b/libavutil/tests/softfloat.c index c06de44933..a2e628fe81 100644 --- a/libavutil/tests/softfloat.c +++ b/libavutil/tests/softfloat.c @@ -148,7 +148,7 @@ int main(void){ av_sincos_sf(i*(1ULL<<32)/36/4, &s, &c); errs = (double)s/ (1<<30) - sin(i*M_PI/36); errc = (double)c/ (1<<30) - cos(i*M_PI/36); - if (fabs(errs) > 0.00000002 || fabs(errc) >0.001) { + if (fabs(errs) > 0.000000004 || fabs(errc) >0.000000004) { printf("sincos FAIL %d %f %f %f %f\n", i, (float)s/ (1<<30), (float)c/ (1<<30), sin(i*M_PI/36), cos(i*M_PI/36)); } From 18bf4e4ff788cf94cc5c65c97d1b366ffe4fb305 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2023 01:26:33 +0200 Subject: [PATCH 210/562] avutil/softfloat: Basic documentation for av_sincos_sf() Signed-off-by: Michael Niedermayer (cherry picked from commit 4aa1a42a91438b7107d2d77db1fc5ca95c27740c) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index 1520027ddc..399ca6d682 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -236,6 +236,10 @@ static av_always_inline SoftFloat av_sqrt_sf(SoftFloat val) /** * Rounding-to-nearest used. + * + * @param a angle in units of (1ULL<<30)/M_PI radians + * @param s pointer to where sine in units of (1<<30) is returned + * @param c pointer to where cosine in units of (1<<30) is returned */ static av_unused void av_sincos_sf(int a, int *s, int *c) { From fc94130cd6f38c44cd4f72f8f848fd9e7051f8ae Mon Sep 17 00:00:00 2001 
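Review bot: The new `@param a` text states the unit upside down. The test on this page calls `av_sincos_sf(i*(1ULL<<32)/36/4, &s, &c)` and compares against `sin(i*M_PI/36)`, which makes one step of `a` equal to `M_PI/(1<<30)` radians, not `(1ULL<<30)/M_PI`. I would write `@param a angle in units of M_PI/(1<<30) radians`. The two output lines would read better as `sine scaled by (1<<30)` and `cosine scaled by (1<<30)`, since the test divides by `1<<30` to recover the value.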
From: Michael Niedermayer Date: Sat, 10 Jun 2023 01:09:52 +0200 Subject: [PATCH 211/562] avcodec/jpeg2000dec: Check for reduction factor and image offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This combination is not working (it writes out of array) Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 9b6d191a66a8d9b3064efecc79a9f44fb14d7875) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 92966b11f5..69503059d7 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -323,6 +323,11 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_INVALIDDATA; } + if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){ + av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented"); + return AVERROR_PATCHWELCOME; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { From 1759fd0d82c460ba95c694a9c4f5a60997d154c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Jun 2023 15:56:58 +0200 Subject: [PATCH 212/562] avcodec/pcm: allow Changing parameters SDR needs this for switching between mono and stereo stations Signed-off-by: Michael Niedermayer (cherry picked from commit 94d44dbe212b3ecb67256c4edfc3d7c3c3ac4472) Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 471075ad71..eb601c4af2 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c 
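Review bot: The new `av_log` message in `get_siz` has no trailing newline, so the next log line will run on from it. It should read `"reduction factor with image offsets is not fully implemented\n"`. The check is placed before `s->ncomponents` is assigned, and the rest of the function is outside the hunk.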
@@ -584,7 +584,7 @@ const FFCodec ff_ ## name_ ## _decoder = { \ .priv_data_size = sizeof(PCMDecode), \ .init = pcm_decode_init, \ FF_CODEC_DECODE_CB(pcm_decode_frame), \ - .p.capabilities = AV_CODEC_CAP_DR1, \ + .p.capabilities = AV_CODEC_CAP_DR1 | AV_CODEC_CAP_PARAM_CHANGE, \ .p.sample_fmts = (const enum AVSampleFormat[]){ sample_fmt_, \ AV_SAMPLE_FMT_NONE }, \ .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, \ From c09250be43d823621646ba9e984f478a028c2b2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jul 2023 20:03:01 +0200 Subject: [PATCH 213/562] avformat/imf_cpl: xmlNodeListGetString() can return NULL Fixes: NULL pointer dereference Fixes: 60166/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5998301577871360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Pierre-Anthony Lemieux Signed-off-by: Michael Niedermayer (cherry picked from commit 509ce40f188734ec74078ebdd8d71f80116d9eaf) Signed-off-by: Michael Niedermayer --- libavformat/imf_cpl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/imf_cpl.c b/libavformat/imf_cpl.c index f2c6b6f064..a688a44711 100644 --- a/libavformat/imf_cpl.c +++ b/libavformat/imf_cpl.c @@ -76,6 +76,8 @@ int ff_imf_xml_read_uuid(xmlNodePtr element, AVUUID uuid) int ret = 0; element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1); + if (!element_text) + return AVERROR_INVALIDDATA; ret = av_uuid_urn_parse(element_text, uuid); if (ret) { av_log(NULL, AV_LOG_ERROR, "Invalid UUID\n"); 
@@ -92,7 +94,7 @@ int ff_imf_xml_read_rational(xmlNodePtr element, AVRational *rational) int ret = 0; element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1); - if (sscanf(element_text, "%i %i", &rational->num, &rational->den) != 2) { + if (element_text == NULL || sscanf(element_text, "%i %i", &rational->num, &rational->den) != 2) { av_log(NULL, AV_LOG_ERROR, "Invalid rational number\n"); ret = AVERROR_INVALIDDATA; } @@ -107,7 +109,7 @@ int ff_imf_xml_read_uint32(xmlNodePtr element, uint32_t *number) int ret = 0; element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1); - if (sscanf(element_text, "%" PRIu32, number) != 1) { + if (element_text == NULL || sscanf(element_text, "%" PRIu32, number) != 1) { av_log(NULL, AV_LOG_ERROR, "Invalid unsigned 32-bit integer"); ret = AVERROR_INVALIDDATA; } From 9b5a8aa16d996f5c3d63a14401efcf7f44b718af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jul 2023 23:30:14 +0200 Subject: [PATCH 214/562] avformat/imf_cpl: Replace NULL content_title_utf8 by "" Suggested-by: Pierre-Anthony Lemieux Reviewed-by: Pierre-Anthony Lemieux Signed-off-by: Michael Niedermayer (cherry picked from commit ac3e6b74bdd6959ce4411e78161b2f06d0926c43) Signed-off-by: Michael Niedermayer --- libavformat/imf_cpl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/imf_cpl.c b/libavformat/imf_cpl.c index a688a44711..3328a3ed18 100644 --- a/libavformat/imf_cpl.c +++ b/libavformat/imf_cpl.c @@ -177,6 +177,10 @@ static int fill_content_title(xmlNodePtr cpl_element, FFIMFCPL *cpl) cpl->content_title_utf8 = xmlNodeListGetString(cpl_element->doc, element->xmlChildrenNode, 1); + if (!cpl->content_title_utf8) + cpl->content_title_utf8 = xmlStrdup(""); + if (!cpl->content_title_utf8) + return AVERROR(ENOMEM); return 0; } From cfa3ae4181567dcc711828ad59ab3000d718e37f Mon Sep 17 00:00:00 2001 
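Review bot: The NULL guard fixes the crash, but the `sscanf(element_text, "%i %i", ...)` it now protects still parses untrusted XML text with conversions whose behaviour is undefined when the value does not fit the target type, and `%i` also accepts hex and octal forms. The same applies to `sscanf(element_text, "%" PRIu32, number)` in `ff_imf_xml_read_uint32`, where a leading minus sign is accepted and wraps. A zero `rational->den` is not rejected either; if callers divide by it, adding `|| rational->den == 0` to the condition would cover that. Replacing the scans with `strtol`/`strtoul` plus `errno` and range checks would be the fuller fix; both functions continue outside the hunks.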
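Review bot: `xmlStrdup("")` in `fill_content_title` passes a `char *` literal where libxml2 expects `const xmlChar *`, which is an unsigned char pointer and draws a pointer-sign warning in C. `cpl->content_title_utf8 = xmlStrdup(BAD_CAST "");` avoids that. The two consecutive `if (!cpl->content_title_utf8)` tests are correct but read like a duplicate, so a comment on the second one, `/* xmlStrdup() failed */`, would help.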
From: Michael Niedermayer Date: Sun, 23 Jul 2023 01:46:20 +0200 Subject: [PATCH 215/562] avformat/avr: Check sample rate Fixes: 54979/clusterfuzz-testcase-minimized-ffmpeg_dem_AVR_fuzzer-6681035461230592 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 32556fa62b1d0615f621fd8f71bdfe3b72e43896) Signed-off-by: Michael Niedermayer --- libavformat/avr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/avr.c b/libavformat/avr.c index 1cc4d56bfb..dce977b6ac 100644 --- a/libavformat/avr.c +++ b/libavformat/avr.c @@ -70,6 +70,9 @@ static int avr_read_header(AVFormatContext *s) avio_skip(s->pb, 1); // replay speed st->codecpar->sample_rate = avio_rb24(s->pb); + if (st->codecpar->sample_rate == 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4 * 3); avio_skip(s->pb, 2 * 3); avio_skip(s->pb, 20); From 7c646d22cf269964858c695b8fbfce5b5ad90ac8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Aug 2023 00:02:21 +0200 Subject: [PATCH 216/562] avcodec/xvididct: Fix integer overflow in idct_row() Fixes: signed integer overflow: -1403461578 + -843974775 cannot be represented in type 'int' Fixes: 60868/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-4599793035378688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ce322a51eae87fd3a0eb96f2280175554ef30c5) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index f338901ab2..43ea927437 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c 
@@ -69,24 +69,24 @@ static int idct_row(short *in, const int *const tab, int rnd) if (!(right | in[4])) { const int k = c4 * in[0] + rnd; if (left) { - const int a0 = k + c2 * in[2]; - const int a1 = k + c6 * in[2]; - const int a2 = k - c6 * in[2]; - const int a3 = k - c2 * in[2]; + const unsigned a0 = k + c2 * in[2]; + const unsigned a1 = k + c6 * in[2]; + const unsigned a2 = k - c6 * in[2]; + const unsigned a3 = k - c2 * in[2]; const int b0 = c1 * in[1] + c3 * in[3]; const int b1 = c3 * in[1] - c7 * in[3]; const int b2 = c5 * in[1] - c1 * in[3]; const int b3 = c7 * in[1] - c5 * in[3]; - in[0] = (a0 + b0) >> ROW_SHIFT; - in[1] = (a1 + b1) >> ROW_SHIFT; - in[2] = (a2 + b2) >> ROW_SHIFT; - in[3] = (a3 + b3) >> ROW_SHIFT; - in[4] = (a3 - b3) >> ROW_SHIFT; - in[5] = (a2 - b2) >> ROW_SHIFT; - in[6] = (a1 - b1) >> ROW_SHIFT; - in[7] = (a0 - b0) >> ROW_SHIFT; + in[0] = (int)(a0 + b0) >> ROW_SHIFT; + in[1] = (int)(a1 + b1) >> ROW_SHIFT; + in[2] = (int)(a2 + b2) >> ROW_SHIFT; + in[3] = (int)(a3 + b3) >> ROW_SHIFT; + in[4] = (int)(a3 - b3) >> ROW_SHIFT; + in[5] = (int)(a2 - b2) >> ROW_SHIFT; + in[6] = (int)(a1 - b1) >> ROW_SHIFT; + in[7] = (int)(a0 - b0) >> ROW_SHIFT; } else { const int a0 = k >> ROW_SHIFT; if (a0) { From d548c94bfaf9d4c388be4ffd8be27be29de1c18e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Aug 2023 00:24:21 +0200 Subject: [PATCH 217/562] avcodec/apedec: Fix CRC for 24bps and bigendian Fixes CRC for vlc.ape and APE_48K_24bit_2CH_02_01.ape Signed-off-by: Michael Niedermayer (cherry picked from commit 696e161919f18f13be0f82f41715b445d31022d7) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 24877c5598..81953df221 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c 
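Review bot: Declaring `a0`..`a3` as `unsigned` makes the later `a0 + b0` style sums wrap safely, but each initialiser such as `k + c2 * in[2]` is still evaluated in `int` before the conversion, because `k` is `const int` and `in[2]` is a promoted `short`. Whether that expression can overflow depends on the table values, which are not in the hunk. If it can, the cast belongs on an operand, e.g. `const unsigned a0 = k + (unsigned)c2 * in[2];`. The `else` branch and the rest of `idct_row` are outside the hunk and may use the same pattern.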
@@ -1612,13 +1612,24 @@ static int ape_decode_frame(AVCodecContext *avctx, AVFrame *frame, s->samples -= blockstodecode; if (avctx->err_recognition & AV_EF_CRCCHECK && - s->fileversion >= 3900 && s->bps < 24) { + s->fileversion >= 3900) { uint32_t crc = s->CRC_state; const AVCRC *crc_tab = av_crc_get_table(AV_CRC_32_IEEE_LE); + int stride = s->bps == 24 ? 4 : (s->bps>>3); + int offset = s->bps == 24; + int bytes = s->bps >> 3; + for (i = 0; i < blockstodecode; i++) { for (ch = 0; ch < s->channels; ch++) { - uint8_t *smp = frame->data[ch] + (i*(s->bps >> 3)); - crc = av_crc(crc_tab, crc, smp, s->bps >> 3); +#if HAVE_BIGENDIAN + uint8_t *smp_native = frame->data[ch] + i*stride; + uint8_t smp[4]; + for(int j = 0; jdata[ch] + i*stride; +#endif + crc = av_crc(crc_tab, crc, smp+offset, bytes); } } From e61e0ea8c6a57327669737fd4ffe0164fde2f06b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Aug 2023 16:59:15 +0200 Subject: [PATCH 218/562] avcodec/apedec: Fix 48khz 24bit below insane level Fixes: Ticket9816 Fixes: vlc.ape and APE_48K_24bit_2CH_02_01.ape Regression since: ed0001482a74b60f3d5bc5cd7e304c9d65b2fcd5. Signed-off-by: Michael Niedermayer (cherry picked from commit 80ad0e2198df4e2961928d8304da58df6db77ec4) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 81953df221..8aca605343 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1170,7 +1170,8 @@ static void predictor_decode_mono_3930(APEContext *ctx, int count) static av_always_inline int predictor_update_filter(APEPredictor64 *p, const int decoded, const int filter, const int delayA, const int delayB, - const int adaptA, const int adaptB) + const int adaptA, const int adaptB, + int compression_level) { int64_t predictionA, predictionB; int32_t sign; 
@@ -1198,7 +1199,13 @@ static av_always_inline int predictor_update_filter(APEPredictor64 *p, p->buf[delayB - 3] * p->coeffsB[filter][3] + p->buf[delayB - 4] * p->coeffsB[filter][4]; - p->lastA[filter] = decoded + ((int64_t)((uint64_t)predictionA + (predictionB >> 1)) >> 10); + if (compression_level < COMPRESSION_LEVEL_INSANE) { + predictionA = (int32_t)predictionA; + predictionB = (int32_t)predictionB; + p->lastA[filter] = decoded + ((int32_t)(predictionA + (predictionB >> 1)) >> 10); + } else { + p->lastA[filter] = decoded + ((int64_t)((uint64_t)predictionA + (predictionB >> 1)) >> 10); + } p->filterA[filter] = p->lastA[filter] + ((int64_t)(p->filterA[filter] * 31ULL) >> 5); sign = APESIGN(decoded); @@ -1226,10 +1233,12 @@ static void predictor_decode_stereo_3950(APEContext *ctx, int count) while (count--) { /* Predictor Y */ *decoded0 = predictor_update_filter(p, *decoded0, 0, YDELAYA, YDELAYB, - YADAPTCOEFFSA, YADAPTCOEFFSB); + YADAPTCOEFFSA, YADAPTCOEFFSB, + ctx->compression_level); decoded0++; *decoded1 = predictor_update_filter(p, *decoded1, 1, XDELAYA, XDELAYB, - XADAPTCOEFFSA, XADAPTCOEFFSB); + XADAPTCOEFFSA, XADAPTCOEFFSB, + ctx->compression_level); decoded1++; /* Combined */ From b91b26813c62e4a6e630dbf98486c0d48dd6f5c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Aug 2023 14:35:55 +0200 Subject: [PATCH 219/562] avcodec/tta: fix signed overflow in decorrelate Fixes: signed integer overflow: 2079654542 - -139267653 cannot be represented in type 'int' Fixes: 60811/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5915858409750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 283bf5c35bc5ac92e061f27c3a680318175a1600) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 0fc639b11c..c23439a2c0 100644 
--- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -341,7 +341,7 @@ static int tta_decode_frame(AVCodecContext *avctx, AVFrame *frame, if (s->channels > 1) { int32_t *r = p - 1; for (*p += *r / 2; r > (int32_t*)p - s->channels; r--) - *r = *(r + 1) - *r; + *r = *(r + 1) - (unsigned)*r; } cur_chan = 0; i++; From 06ff2bfe0f29ae6fa817ea6457cd775e88780e48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jun 2023 23:35:10 +0200 Subject: [PATCH 220/562] avcodec/mpeg4videodec: more unsigned in amv computation Fixes: signed integer overflow: -2147483648 + -1048576 cannot be represented in type 'int' Fixes: 59365/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-642654923954585 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0adaa90d89114dc86dbc5704ce31ded5b6750d13) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 724c6aacf3..b04ec1388e 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -685,7 +685,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) for (y = 0; y < 16; y++) { int v; - v = mb_v + dy * y; + v = mb_v + (unsigned)dy * y; // FIXME optimize for (x = 0; x < 16; x++) { sum += v >> shift; From 54d87e4b283734f1a97cb1b5c7e7d76f4056cdac Mon Sep 17 00:00:00 2001 
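Review bot: The cast covers the subtraction in the loop body, but the loop initialiser `*p += *r / 2` on the line above is still a signed `int32_t` addition on decoded samples. If the sample values are not bounded earlier in `tta_decode_frame`, which is outside this hunk, that addition can overflow in the same way as the one the sanitizer reported. Writing it as `for (*p += (unsigned)(*r / 2); r > (int32_t*)p - s->channels; r--)` would make it wrap like the body does.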
From: Michael Niedermayer Date: Sun, 23 Jul 2023 19:45:18 +0200 Subject: [PATCH 221/562] avcodec/hevcdec: Fix undefined memcpy() There is likely a better way to fix this, this is mainly to show the problem Fixes: MC within same frame resulting in overlapping memcpy() Fixes: 60189/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4992746590175232 Fixes: 61753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5022150806077440 Fixes: 58062/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4717458841010176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 94bd1796ff45b396021cd260e9b037bc61815933) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 492a0e7e68..2e3ee9dc6e 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -1517,7 +1517,8 @@ static void luma_mc_uni(HEVCContext *s, uint8_t *dst, ptrdiff_t dststride, if (x_off < QPEL_EXTRA_BEFORE || y_off < QPEL_EXTRA_AFTER || x_off >= pic_width - block_w - QPEL_EXTRA_AFTER || - y_off >= pic_height - block_h - QPEL_EXTRA_AFTER) { + y_off >= pic_height - block_h - QPEL_EXTRA_AFTER || + ref == s->frame) { const ptrdiff_t edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift; int offset = QPEL_EXTRA_BEFORE * srcstride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift); int buf_offset = QPEL_EXTRA_BEFORE * edge_emu_stride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift); @@ -1665,6 +1666,7 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0, intptr_t my = av_mod_uintp2(mv->y, 2 + vshift); intptr_t _mx = mx << (1 - hshift); intptr_t _my = my << (1 - vshift); + int emu = src0 == s->frame->data[1] || src0 == s->frame->data[2]; x_off += mv->x >> (2 + hshift); y_off += mv->y >> (2 + vshift); 
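Review bot: Nothing in `luma_mc_uni` or `chroma_mc_uni` says why `ref == s->frame` and the new `emu` flag force the edge-emulation path, and the two functions detect the condition differently (frame pointer in luma, `src0 == s->frame->data[1] || src0 == s->frame->data[2]` in the chroma hunks). A comment at each site, e.g. `/* reference is the current frame: go through the emu buffer so source and destination cannot overlap */`, would record the intent given in the commit message. The hunks only touch the `_uni` functions. Whether the bi-prediction counterparts can see the same self-reference is not visible here and is worth checking.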
@@ -1672,7 +1674,8 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0, if (x_off < EPEL_EXTRA_BEFORE || y_off < EPEL_EXTRA_AFTER || x_off >= pic_width - block_w - EPEL_EXTRA_AFTER || - y_off >= pic_height - block_h - EPEL_EXTRA_AFTER) { + y_off >= pic_height - block_h - EPEL_EXTRA_AFTER || + emu) { const int edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift; int offset0 = EPEL_EXTRA_BEFORE * (srcstride + (1 << s->ps.sps->pixel_shift)); int buf_offset0 = EPEL_EXTRA_BEFORE * From 10dfb498ea42974e6523f2862775886045db9b48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jul 2023 19:01:37 +0200 Subject: [PATCH 222/562] avcodec/mpeg4videodec: consider lowres in dest_pcm[] Fixes: out of array access Fixes: 59999/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5767982157266944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d48476183fad230c8e457b2f314f8e136b973c4e) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index b04ec1388e..46c6f9026b 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -123,7 +123,7 @@ void ff_mpeg4_decode_studio(MpegEncContext *s, uint8_t *dest_y, uint8_t *dest_cb int hsub = i ? s->chroma_x_shift : 0; int lowres = s->avctx->lowres; int step = 1 << lowres; - dest_pcm[i] += (linesize[i] / 2) * ((16 >> vsub) - 1); + dest_pcm[i] += (linesize[i] / 2) * ((16 >> vsub + lowres) - 1); for (int h = (16 >> (vsub + lowres)) - 1; h >= 0; h--){ for (int w = (16 >> (hsub + lowres)) - 1, idx = 0; w >= 0; w--, idx += step) dest_pcm[i][w] = src[idx]; From fccc3130c74ec01949b22726dced55cf8594121f Mon Sep 17 00:00:00 2001 
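Review bot: In the changed line of ff_mpeg4_decode_studio, `16 >> vsub + lowres` relies on `+` binding tighter than `>>`, while the loop bound on the next line writes the same quantity as `16 >> (vsub + lowres)`. The result is the same, but the unparenthesised form draws a -Wparentheses warning and hides the fact that the start offset and the loop bound must agree, which is what this out-of-array fix depends on. I would write `dest_pcm[i] += (linesize[i] / 2) * ((16 >> (vsub + lowres)) - 1);`.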
From: Michael Niedermayer Date: Wed, 8 Mar 2023 22:11:59 +0100 Subject: [PATCH 223/562] avcodec/cscd: Check for CamStudio Lossless Codec 1.0 behavior in end check of LZO files Alternatively the check could be simply made more tolerant Fixes: Ticket10227 Signed-off-by: Michael Niedermayer (cherry picked from commit d2a0464fc2dd6f79571a66e6c7a8168323168e46) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index ea84711299..e1ebe04253 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -85,7 +85,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) { + int bpp = avctx->bits_per_coded_sample / 8; + int bugdelta = FFALIGN(avctx->width * bpp, 4) * avctx->height + - (avctx->width & ~3) * bpp * avctx->height; + if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || (outlen && outlen != bugdelta)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; } From 82f7adf45dde3f7790eb7591bf312111baa5a61f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Sep 2023 16:27:02 +0200 Subject: [PATCH 224/562] avcodec/cscd: Fix "CamStudio Lossless Codec 1.0" gzip files Fixes: tickets/10241/cscd_1_0_306_306_gzip.avi Signed-off-by: Michael Niedermayer (cherry picked from commit ab7d38f970674e6765b5e1adb911c1763b9ce806) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index e1ebe04253..b0d888d9b0 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c 
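Review bot: The relaxed end check in the lzo case, `(outlen && outlen != bugdelta)`, now accepts a frame whose decompression stops `bugdelta` bytes short of `c->decomp_size`, so the tail of `c->decomp_buf` is not written for that frame. Nothing in the hunk shows that tail being cleared or excluded from the later copy, so it may still hold bytes from an earlier frame; this should be confirmed in the part of decode_frame outside the hunk. `bugdelta` is also computed in plain `int` from `avctx->width`, `avctx->height` and `bits_per_coded_sample` with no range check visible here. The zlib check changed in the following patch (`dlen != c->decomp_size - bugdelta`) has the same property. At minimum I would add `/* CamStudio Lossless Codec 1.0 files may end bugdelta bytes early; that tail of decomp_buf is not written */`.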
@@ -72,6 +72,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, int buf_size = avpkt->size; CamStudioContext *c = avctx->priv_data; int ret; + int bpp = avctx->bits_per_coded_sample / 8; + int bugdelta = FFALIGN(avctx->width * bpp, 4) * avctx->height + - (avctx->width & ~3) * bpp * avctx->height; if (buf_size < 2) { av_log(avctx, AV_LOG_ERROR, "coded frame too small\n"); @@ -85,9 +88,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - int bpp = avctx->bits_per_coded_sample / 8; - int bugdelta = FFALIGN(avctx->width * bpp, 4) * avctx->height - - (avctx->width & ~3) * bpp * avctx->height; if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || (outlen && outlen != bugdelta)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; @@ -97,7 +97,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; - if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || dlen != c->decomp_size) { + if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || (dlen != c->decomp_size && dlen != c->decomp_size - bugdelta)) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); return AVERROR_INVALIDDATA; } From 55a00e464c4c13a466f97a2d984c09f2cc538505 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2023 00:13:43 +0200 Subject: [PATCH 225/562] avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure Fixes: left shift of negative value -1 Fixes: 59889/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HUFFYUV_fuzzer-5472742275940352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90647a9249aee8c0ef6c0bced3558ada9643f5b6) 
Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 6862376c44..2785da60e7 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -716,7 +716,7 @@ static void decode_plane_bitstream(HYuvContext *s, int width, int plane) } } if( width&1 && get_bits_left(&s->gb)>0 ) { - int dst = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2; + int dst = (unsigned)get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2; s->temp16[0][width-1] = dst + get_bits(&s->gb, 2); } } From 3c56b5c3df4d3315d7ac5d02e9baefc6c9f0a6ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2023 01:11:48 +0200 Subject: [PATCH 226/562] avcodec/jpeg2000dec: jpeg2000 has its own lowres option jpeg2000 overrides the global lowres variable with a lowres field called reduction_factor ffmpeg -lowres X causes the reduction_factor to be set ffplay -lowres X causes both lowres and the reduction_factor to be set ossfuss sets only lowres only the ffmpeg variant works. This patch tries to make the other 2 work. Alternative we could just error out if things are inconsistent. More complex restructuring should be limited to the master branch to keep this reasonably easy to backport Fixes: out of array access Fixes: 59672/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c012d1f2bb8735f2b17ce88cd8181d2ffc989b02) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 69503059d7..fc10bb8f0c 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c 
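Review bot: The `(unsigned)` cast in decode_plane_bitstream makes the shift defined, but a failed `get_vlc2()` (the commit message cites -1) is still turned into a sample value and stored in `s->temp16[0][width-1]` instead of being detected. If that best-effort behaviour is intended it deserves a comment, for example `/* get_vlc2() can return -1 on an invalid code; the cast keeps the shift defined, the sample is then arbitrary */`. The function returns void according to the hunk header, so reporting the error would need a change outside this hunk.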
@@ -393,7 +393,7 @@ static int get_siz(Jpeg2000DecoderContext *s) dimy = FFMAX(dimy, ff_jpeg2000_ceildiv(o_dimy, s->cdy[i])); } - ret = ff_set_dimensions(s->avctx, dimx, dimy); + ret = ff_set_dimensions(s->avctx, dimx << s->avctx->lowres, dimy << s->avctx->lowres); if (ret < 0) return ret; @@ -2472,6 +2472,14 @@ static av_cold int jpeg2000_decode_init(AVCodecContext *avctx) { Jpeg2000DecoderContext *s = avctx->priv_data; + if (avctx->lowres) + av_log(avctx, AV_LOG_WARNING, "lowres is overriden by reduction_factor but set anyway\n"); + if (!s->reduction_factor && avctx->lowres < JPEG2000_MAX_RESLEVELS) { + s->reduction_factor = avctx->lowres; + } + if (avctx->lowres != s->reduction_factor && avctx->lowres) + return AVERROR(EINVAL); + ff_jpeg2000dsp_init(&s->dsp); ff_jpeg2000_init_tier1_luts(); From ee90868c67782fb0a79d51376aa05b045f6805f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2023 23:58:31 +0200 Subject: [PATCH 227/562] avformat/format: Stop reading data at EOF during probing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Issue found by: Сергей Колесников Signed-off-by: Michael Niedermayer (cherry picked from commit 80f6e0378beae69d31f24b036a1365405dea61d1) Signed-off-by: Michael Niedermayer --- libavformat/format.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/format.c b/libavformat/format.c index 4b1f3c2986..4fb62eaffb 100644 --- a/libavformat/format.c +++ b/libavformat/format.c @@ -233,6 +233,7 @@ int av_probe_input_buffer2(AVIOContext *pb, const AVInputFormat **fmt, int ret = 0, probe_size, buf_offset = 0; int score = 0; int ret2; + int eof = 0; if (!max_probe_size) max_probe_size = PROBE_BUF_MAX; 
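Review bot: In get_siz the dimensions are now shifted left by `s->avctx->lowres` before `ff_set_dimensions()` can validate them, so an overflow in `dimx << lowres` would happen ahead of the check. The types of `dimx`/`dimy` and the upper bound on `lowres` are declared outside the hunk. If they are signed ints, a guard before the call would keep the shift defined: `if (dimx > INT_MAX >> s->avctx->lowres || dimy > INT_MAX >> s->avctx->lowres) return AVERROR_INVALIDDATA;`.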
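Review bot: jpeg2000_decode_init returns `AVERROR(EINVAL)` when `avctx->lowres` and `s->reduction_factor` disagree without logging why, so the user sees only the preceding warning. An `av_log(avctx, AV_LOG_ERROR, ...)` naming both values before the return would make the failure diagnosable. The warning is also printed whenever `lowres` is non-zero, even when the two values end up equal, and its text has a typo: `overriden` should read `overridden`.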
@@ -256,7 +257,7 @@ int av_probe_input_buffer2(AVIOContext *pb, const AVInputFormat **fmt, } } - for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt; + for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt && !eof; probe_size = FFMIN(probe_size << 1, FFMAX(max_probe_size, probe_size + 1))) { score = probe_size < max_probe_size ? AVPROBE_SCORE_RETRY : 0; @@ -272,6 +273,7 @@ int av_probe_input_buffer2(AVIOContext *pb, const AVInputFormat **fmt, score = 0; ret = 0; /* error was end of file, nothing read */ + eof = 1; } buf_offset += ret; if (buf_offset < offset) From 6c176df7e9696175e5c1a757c57d7e9d60564c14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 May 2023 02:05:45 +0200 Subject: [PATCH 228/562] avformat/hls: reduce default max reload to 3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 1000 did result in the appearance of a never ending reload loop The RFC mandates that "If the client reloads a Playlist file and finds that it has not changed, then it MUST wait for a period of one-half the target duration before retrying." and if it has changed "the client MUST wait for at least the target duration before attempting to reload the Playlist file again" Trying to reload 3 times seems a better default than 1000 given these durations Issue found by: Сергей Колесников Signed-off-by: Michael Niedermayer (cherry picked from commit 5f810435c2a6d985fabd9e6c025e0da0c99c39a9) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index e622425e80..bf7fdc1553 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c 
@@ -2538,7 +2538,7 @@ static const AVOption hls_options[] = { {.str = "3gp,aac,avi,ac3,eac3,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", - OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 3}, 0, INT_MAX, FLAGS}, {"m3u8_hold_counters", "The maximum number of times to load m3u8 when it refreshes without new segments", OFFSET(m3u8_hold_counters), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {"http_persistent", "Use persistent HTTP connections", From 7be649290e9c38cc956925b6fb54beb47fdfab99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 26 Jul 2023 22:33:40 +0200 Subject: [PATCH 229/562] tools/target_dec_fuzzer: Adjust threshold for rtv1 Fixes: 60499/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-5020295866744832 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9ee87245c5e6eae017430726cce9b4c20d468c2d) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index c057500dad..e03c1ecbec 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -262,6 +262,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_PAF_VIDEO: maxpixels /= 16; break; case AV_CODEC_ID_PRORES: maxpixels /= 256; break; case AV_CODEC_ID_RASC: maxpixels /= 16; break; + case AV_CODEC_ID_RTV1: maxpixels /= 16; break; case AV_CODEC_ID_SANM: maxpixels /= 16; break; case AV_CODEC_ID_SCPR: maxpixels /= 32; break; case AV_CODEC_ID_SCREENPRESSO:maxpixels /= 64; break; From 0224effb524c02ab376a887868f543a421318d20 Mon Sep 17 00:00:00 2001 
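Review bot: The neighbouring `m3u8_hold_counters` option in the same table keeps its default of 1000 while `max_reload` drops to 3. Whether that counter bounds a loop with the same never-ending appearance described in the commit message cannot be seen from this hunk, but it is worth checking so that a playlist which refreshes without new segments does not keep a client retrying far longer than the new default suggests. The help string of `max_reload` also reads `a insufficient list`; `an insufficient list` is the correct wording. Any user documentation that states the old default should change with it.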
From: Michael Niedermayer Date: Thu, 7 Sep 2023 02:13:13 +0200 Subject: [PATCH 230/562] avcodec/celp_math: avoid overflow in shift by making gain unsigned we have 1 bit more available alternatively we can clip twice as in the g729 reference Fixes: left shift of 23404 by 17 places cannot be represented in type 'int' Fixes: 61728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-6280412547383296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6580a7b2b27973947118482235a2eb1214d968a2) Signed-off-by: Michael Niedermayer --- libavcodec/celp_math.h | 2 +- libavcodec/g729postfilter.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/celp_math.h b/libavcodec/celp_math.h index 18888a425d..99a0470719 100644 --- a/libavcodec/celp_math.h +++ b/libavcodec/celp_math.h @@ -78,7 +78,7 @@ int64_t ff_dot_product(const int16_t *a, const int16_t *b, int length); * * @return value << offset, if offset>=0; value >> -offset - otherwise */ -static inline int bidir_sal(int value, int offset) +static inline unsigned bidir_sal(unsigned value, int offset) { if(offset < 0) return value >> -offset; else return value << offset; diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index 26e937f0ba..382db92432 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -581,7 +581,7 @@ void ff_g729_postfilter(AudioDSPContext *adsp, int16_t* ht_prev_data, int* voici int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *speech, int subframe_size, int16_t gain_prev) { - int gain; // (3.12) + unsigned gain; // (3.12) int n; int exp_before, exp_after; 
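Review bot: Changing `bidir_sal()` to take and return `unsigned` turns the `offset < 0` branch into a logical right shift, so any caller that passes a negative `value` now gets a different result than with the previous signed shift. The helper lives in a shared header and only g729postfilter.c is adjusted in this patch, so its other users should be audited; they are not visible here. The `@return` comment above the function is unchanged, and nothing bounds `offset`, so a shift count of 32 or more remains undefined. I would at least extend the doc comment with `value is treated as unsigned; offset must lie in (-32, 32)`.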
@@ -603,7 +603,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t * gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000; gain = bidir_sal(gain, exp_after - exp_before); } - gain = av_clip_int16(gain); + gain = FFMIN(gain, 32767); gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875) } else gain = 0; From d5f1ecbe247d3d75ea0474556bffab017c9054d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Sep 2023 00:13:11 +0200 Subject: [PATCH 231/562] avcodec/xvididct: Fix integer overflow in idct_row() Fixes: signed integer overflow: 1871429831 + 343006811 cannot be represented in type 'int' Fixes: 61784/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-5372151001120768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12444fe72173ab52b6479708cfd12cb889ca300) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index 43ea927437..dcea32210a 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -114,7 +114,7 @@ static int idct_row(short *in, const int *const tab, int rnd) in[5] = a1; in[6] = a1; } else { - const int k = c4 * in[0] + rnd; + const unsigned int k = c4 * in[0] + rnd; const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; From b358b080a146602e87db28526d0ec3e629af3b8e Mon Sep 17 00:00:00 2001 
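Review bot: Replacing `av_clip_int16(gain)` with `FFMIN(gain, 32767)` removes the lower clamp: with `gain` now `unsigned`, a value that would have been negative wraps to a large number and is clamped to 32767 rather than to the negative limit. For the expression in the context line this looks harmless as long as `gain_before` and `gain_after` are positive, but the conditions guarding this block are above the hunk and should be checked. Once confirmed, a comment such as `/* gain is non-negative here, only the upper bound needs clipping */` would record the assumption.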
From: Michael Niedermayer Date: Fri, 22 Sep 2023 21:13:44 +0200 Subject: [PATCH 232/562] avformat/mxfdec: Remove this_partition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Tomas Härdin Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5130394286817280 Signed-off-by: Michael Niedermayer (cherry picked from commit 442d9412d21590c7a816118032c92070e00a1cc1) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f6d79a3551..2b2cfba273 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -99,7 +99,6 @@ typedef struct MXFPartition { uint64_t previous_partition; int index_sid; int body_sid; - int64_t this_partition; int64_t essence_offset; ///< absolute offset of essence int64_t essence_length; int32_t kag_size; @@ -714,10 +713,13 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size UID op; uint64_t footer_partition; uint32_t nb_essence_containers; + uint64_t this_partition; if (mxf->partitions_count >= INT_MAX / 2) return AVERROR_INVALIDDATA; + av_assert0(klv_offset >= mxf->run_in); + tmp_part = av_realloc_array(mxf->partitions, mxf->partitions_count + 1, sizeof(*mxf->partitions)); if (!tmp_part) return AVERROR(ENOMEM); 
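Review bot: `av_assert0(klv_offset >= mxf->run_in);` in mxf_read_partition_pack aborts the process if the condition is ever false, and both values are derived from parsing the input file. If the KLV reader outside this hunk already guarantees the relation, the assert is only documentation. If it does not, a malformed file causes a process abort instead of a decode error. Returning an error is the safer form in a demuxer: `if (klv_offset < mxf->run_in) return AVERROR_INVALIDDATA;`.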
@@ -760,7 +762,13 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size partition->complete = uid[14] > 2; avio_skip(pb, 4); partition->kag_size = avio_rb32(pb); - partition->this_partition = avio_rb64(pb); + this_partition = avio_rb64(pb); + if (this_partition != klv_offset - mxf->run_in) { + av_log(mxf->fc, AV_LOG_ERROR, + "this_partition %"PRId64" mismatches %"PRId64"\n", + this_partition, klv_offset - mxf->run_in); + return AVERROR_INVALIDDATA; + } partition->previous_partition = avio_rb64(pb); footer_partition = avio_rb64(pb); partition->header_byte_count = avio_rb64(pb); @@ -780,8 +788,8 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size av_dict_set(&s->metadata, "operational_pattern_ul", str, 0); } - if (partition->this_partition && - partition->previous_partition == partition->this_partition) { + if (this_partition && + partition->previous_partition == this_partition) { av_log(mxf->fc, AV_LOG_ERROR, "PreviousPartition equal to ThisPartition %"PRIx64"\n", partition->previous_partition); @@ -789,11 +797,11 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size if (!mxf->parsing_backward && mxf->last_forward_partition > 1) { MXFPartition *prev = mxf->partitions + mxf->last_forward_partition - 2; - partition->previous_partition = prev->this_partition; + partition->previous_partition = prev->pack_ofs - mxf->run_in; } /* if no previous body partition are found point to the header * partition */ - if (partition->previous_partition == partition->this_partition) + if (partition->previous_partition == this_partition) partition->previous_partition = 0; av_log(mxf->fc, AV_LOG_ERROR, "Overriding PreviousPartition with %"PRIx64"\n", 
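Review bot: The new log call prints `this_partition`, declared `uint64_t` in the previous hunk, with `PRId64`; the specifier should match, `"this_partition %"PRIu64" mismatches %"PRId64"\n"`. The type of `klv_offset - mxf->run_in` depends on declarations outside the hunk and should be checked against the second specifier as well. This early `return AVERROR_INVALIDDATA` also comes after the `av_realloc_array()` growth shown in the previous hunk. Whether `partitions_count` has already been incremented at this point is not visible here.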
@@ -815,7 +823,7 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size "PartitionPack: ThisPartition = 0x%"PRIX64 ", PreviousPartition = 0x%"PRIX64", " "FooterPartition = 0x%"PRIX64", IndexSID = %i, BodySID = %i\n", - partition->this_partition, + this_partition, partition->previous_partition, footer_partition, partition->index_sid, partition->body_sid); @@ -889,7 +897,7 @@ static uint64_t partition_score(MXFPartition *p) score = 3; else score = 1; - return (score << 60) | ((uint64_t)p->this_partition >> 4); + return (score << 60) | ((uint64_t)p->pack_ofs >> 4); } static int mxf_add_metadata_set(MXFContext *mxf, MXFMetadataSet **metadata_set) @@ -3446,14 +3454,14 @@ static void mxf_compute_essence_containers(AVFormatContext *s) /* essence container spans to the next partition */ if (x < mxf->partitions_count - 1) - p->essence_length = mxf->partitions[x+1].this_partition - p->essence_offset; + p->essence_length = mxf->partitions[x+1].pack_ofs - mxf->run_in - p->essence_offset; if (p->essence_length < 0) { /* next ThisPartition < essence_offset */ p->essence_length = 0; av_log(mxf->fc, AV_LOG_ERROR, "partition %i: bad ThisPartition = %"PRIX64"\n", - x+1, mxf->partitions[x+1].this_partition); + x+1, mxf->partitions[x+1].pack_ofs - mxf->run_in); } } } From d4910533348155f66a202e4263a08f9ea0ea89f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 19:11:34 +0200 Subject: [PATCH 233/562] avformat/concatdec: Check in/outpoint for overflow Fixes: signed integer overflow: 91542414454000000 - -9154241494546000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-4739147999084544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit dedc78b4b5bdab869f3038798334639d617d2309) 
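Review bot: In partition_score the replacement uses `p->pack_ofs` directly, while every other site in this patch that replaced `this_partition` uses `pack_ofs - mxf->run_in`. The function only receives the partition, so `run_in` is not available there, and since the value is used for ordering a constant offset likely does not matter. A comment would settle the question for the next reader: `/* absolute offset; run_in is constant, so the ordering is unaffected */`.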
Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index e57da59e04..806b570cdf 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -665,7 +665,9 @@ static int concat_read_header(AVFormatContext *avf) else time = cat->files[i].start_time; if (cat->files[i].user_duration == AV_NOPTS_VALUE) { - if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE) + if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE || + cat->files[i].outpoint - (uint64_t)cat->files[i].inpoint != av_sat_sub64(cat->files[i].outpoint, cat->files[i].inpoint) + ) break; cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint; } From f43562c38a78a6736e5abf2338db731aff8ea9ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:18:14 +0200 Subject: [PATCH 234/562] avformat/sbgdec: Check for period overflow Fixes: signed integer overflow: 4481246996173000000 - -4778576820000000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5063670588899328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a9137110eda130ba07a2a43bdedff2421efbb7a9) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 5edb9664cc..9f1d399361 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c 
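Review bot: The added test in concat_read_header, `outpoint - (uint64_t)inpoint != av_sat_sub64(outpoint, inpoint)`, is hard to recognise as an overflow check and carries no comment. It also shares the `break` of the AV_NOPTS_VALUE case, so an unrepresentable in/outpoint pair silently ends the loop instead of being reported. Whether that is the intended outcome depends on code after the hunk. I would add `/* stop if outpoint - inpoint is not representable in int64_t */` above the condition and fold the dangling `)` back onto the condition line.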
@@ -1289,7 +1289,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, /* SBaGen handles the time before and after the extremal events, and the corresponding transitions, as if the sequence were cyclic with a 24-hours period. */ - period = s->events[s->nb_events - 1].ts - s->events[0].ts; + period = s->events[s->nb_events - 1].ts - (uint64_t)s->events[0].ts; + if (period < 0) + return AVERROR_INVALIDDATA; + period = (period + (DAY_TS - 1)) / DAY_TS * DAY_TS; period = FFMAX(period, DAY_TS); From 87f556a10c1c031c0837b7ad740e2ddc18595282 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2022 20:08:52 +0200 Subject: [PATCH 235/562] avformat/westwood_vqa: Check chunk size the type is also changed to int as it is interpreted as int in av_get_packet() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-6593408795279360 Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4613908817903616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 5c0df3da0b7288a43a3b783117064cfcbc8037a5) Signed-off-by: Michael Niedermayer --- libavformat/westwood_vqa.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index e3d2e2668c..03b2d9e03c 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c 
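Review bot: `period < 0` catches the wrapped subtraction, but the rounding on the following context line, `(period + (DAY_TS - 1)) / DAY_TS * DAY_TS`, can still overflow when `period` is within `DAY_TS - 1` of the maximum. Assuming `period` is `int64_t` (its declaration is outside the hunk; the sanitizer message in the commit says `long`), the guard should be `if (period < 0 || period > INT64_MAX - (DAY_TS - 1)) return AVERROR_INVALIDDATA;`. The hunk also indexes `s->events[s->nb_events - 1]`. That `nb_events` is non-zero has to be guaranteed earlier in generate_intervals, which is not visible here.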
@@ -178,13 +178,15 @@ static int wsvqa_read_packet(AVFormatContext *s, int ret = -1; uint8_t preamble[VQA_PREAMBLE_SIZE]; uint32_t chunk_type; - uint32_t chunk_size; - int skip_byte; + int chunk_size; + unsigned skip_byte; while (avio_read(pb, preamble, VQA_PREAMBLE_SIZE) == VQA_PREAMBLE_SIZE) { chunk_type = AV_RB32(&preamble[0]); chunk_size = AV_RB32(&preamble[4]); + if (chunk_size < 0) + return AVERROR_INVALIDDATA; skip_byte = chunk_size & 0x01; if (chunk_type == VQFL_TAG) { @@ -193,9 +195,9 @@ static int wsvqa_read_packet(AVFormatContext *s, * so it can be combined with the next VQFR packet. This way each packet * includes a whole frame as expected. */ wsvqa->vqfl_chunk_pos = avio_tell(pb); - wsvqa->vqfl_chunk_size = (int)(chunk_size); - if (wsvqa->vqfl_chunk_size < 0 || wsvqa->vqfl_chunk_size > 3 * (1 << 20)) + if (chunk_size > 3 * (1 << 20)) return AVERROR_INVALIDDATA; + wsvqa->vqfl_chunk_size = chunk_size; /* We need a big seekback buffer because there can be SNxx, VIEW and ZBUF * chunks (<512 KiB total) in the stream before we read VQFR (<256 KiB) and * seek back here. */ From 6e4690ede0fa745d1a466cf4e31ed9950277ccdc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jun 2023 00:50:15 +0200 Subject: [PATCH 236/562] avcodec/lcldec: Make PNG filter addressing match the code afterwards Also update check accordingly Fixes: tickets/10237/mszh_306_306_yuv422_nocompress.avi Fixes: tickets/10237/mszh_306_306_yuv411_nocompress.avi Signed-off-by: Michael Niedermayer (cherry picked from commit d11b8bd0c610c212d2a28767f94dc07a8ec473cf) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 1c52700762..3555a26241 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c 
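Review bot: After this change only the VQFL branch has an upper bound on `chunk_size` (3 MiB); the general `chunk_size < 0` check still lets every other chunk type through with a declared size of up to INT_MAX. How those sizes are consumed is outside the hunks, so it should be confirmed that the remaining paths tolerate a size far larger than the file. The switch of `skip_byte` to `unsigned` is presumably what keeps a later `chunk_size + skip_byte` from overflowing `int`. A comment would stop it being changed back: `unsigned skip_byte; /* unsigned so chunk_size + skip_byte cannot overflow int */`.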
@@ -229,16 +229,19 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, break; case COMP_MSZH_NOCOMP: { int bppx2; + int aligned_width = width; switch (c->imgtype) { case IMGTYPE_YUV111: case IMGTYPE_RGB24: bppx2 = 6; break; case IMGTYPE_YUV422: + aligned_width &= ~3; case IMGTYPE_YUV211: bppx2 = 4; break; case IMGTYPE_YUV411: + aligned_width &= ~3; case IMGTYPE_YUV420: bppx2 = 3; break; @@ -246,7 +249,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, bppx2 = 0; // will error out below break; } - if (len < ((width * height * bppx2) >> 1)) + if (len < ((aligned_width * height * bppx2) >> 1)) return AVERROR_INVALIDDATA; break; } @@ -312,8 +315,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, } break; case IMGTYPE_YUV422: + pixel_ptr = 0; for (row = 0; row < height; row++) { - pixel_ptr = row * width * 2; yq = uq = vq =0; for (col = 0; col < width/4; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; @@ -329,8 +332,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, } break; case IMGTYPE_YUV411: + pixel_ptr = 0; for (row = 0; row < height; row++) { - pixel_ptr = row * width / 2 * 3; yq = uq = vq =0; for (col = 0; col < width/4; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; From 3817209b6d379ec8bc7d07997aba1b5295590843 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Sep 2023 01:32:56 +0200 Subject: [PATCH 237/562] avformat/avs: Check if return code is representable Fixes: leak Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-6738814988320768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 52d666edec73c834c60811e330f86a7cf1d916da) Signed-off-by: Michael Niedermayer --- libavformat/avs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/avs.c b/libavformat/avs.c index ab47980a11..19f0373157 100644 --- a/libavformat/avs.c 
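Review bot: The added `aligned_width &= ~3;` statements make `case IMGTYPE_YUV422:` and `case IMGTYPE_YUV411:` fall through into the next label with a statement in between, where there used to be plain stacked labels. The fallthrough is needed to reach the `bppx2` assignment, but it is unmarked, so it reads like a missing `break` and trips -Wimplicit-fallthrough. I would add `/* fallthrough */` after each `aligned_width &= ~3;`. The size check now uses `aligned_width`, while the YUV422/YUV411 loops in the later hunks advance `pixel_ptr` continuously across rows. Those loop bodies continue outside the hunks, so it should be verified there that the two stay in agreement.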
+++ b/libavformat/avs.c @@ -140,6 +140,10 @@ static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt) return 0; /* this indicate EOS */ if (ret < 0) return ret; + if (size != (int)size) { + av_packet_unref(pkt); + return AVERROR(EDOM); + } pkt->stream_index = avs->st_audio->index; pkt->flags |= AV_PKT_FLAG_KEY; From 43c6fabb63e6b5db65ea531c8e462656976de9dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Sep 2023 22:58:07 +0200 Subject: [PATCH 238/562] tools/target_dec_fuzzer: Adjust wmapro threshold Fixes: Timeout Fixes: 62266/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5125460729921536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bb9f8a1cb7d7b5e3742fe2212c144efea258f3d0) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index e03c1ecbec..dabb305ba0 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -294,6 +294,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_WMV3: maxpixels /= 1024; break; case AV_CODEC_ID_WS_VQA: maxpixels /= 16384; break; case AV_CODEC_ID_WMALOSSLESS: maxsamples /= 1024; break; + case AV_CODEC_ID_WMAPRO: maxsamples /= 16384; break; case AV_CODEC_ID_YLC: maxpixels /= 1024; break; case AV_CODEC_ID_ZEROCODEC: maxpixels /= 128; break; } From 95b2569427d8974b570afe209c3de9215ba9c985 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 16 Sep 2023 23:36:29 +0200 Subject: [PATCH 239/562] avcodec/apedec: Fix an integer overflow in predictor_update_filter() Fixes: signed integer overflow: -2147483506 + -801380 cannot be represented in type 'int' Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6578985923117056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 515c0247a3062ca4639e457c81d2f58c504e9e8f) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 8aca605343..8488f97a77 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1202,7 +1202,7 @@ static av_always_inline int predictor_update_filter(APEPredictor64 *p, if (compression_level < COMPRESSION_LEVEL_INSANE) { predictionA = (int32_t)predictionA; predictionB = (int32_t)predictionB; - p->lastA[filter] = decoded + ((int32_t)(predictionA + (predictionB >> 1)) >> 10); + p->lastA[filter] = (int32_t)(decoded + (unsigned)((int32_t)(predictionA + (predictionB >> 1)) >> 10)); } else { p->lastA[filter] = decoded + ((int64_t)((uint64_t)predictionA + (predictionB >> 1)) >> 10); } From 44978c5b833304744ac47c0f45dd5f60736e156d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Sep 2023 00:21:52 +0200 Subject: [PATCH 240/562] avcodec/escape124: Do not return random numbers Fixes: out of array access Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6035022714634240 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6422176201572352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe6d46490f5ea9155fe0601b6246960ae17317fc) 
Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 16626ad5b7..de1b195172 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -237,7 +237,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, AVFrame *frame, if ((ret = av_frame_ref(frame, s->frame)) < 0) return ret; - return frame_size; + return 0; } for (i = 0; i < 3; i++) { @@ -371,7 +371,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, AVFrame *frame, *got_frame = 1; - return frame_size; + return 0; } From 30b3f2712d585fe2c77daa1bb073341c4d1aa5d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Oct 2023 00:30:39 +0200 Subject: [PATCH 241/562] avformat/sbgdec: Check for negative duration or un-representable end pts Fixes: signed integer overflow: 9230955872951340 - -9223372036854775808 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6330481893572608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 9b00b5734d9868971cb6e6cda0f3b8eeed93be9e) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 9f1d399361..1ef50e1598 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c 
@@ -1461,6 +1461,13 @@ static av_cold int sbg_read_header(AVFormatContext *avf) st->duration = script.end_ts == AV_NOPTS_VALUE ? AV_NOPTS_VALUE : av_rescale(script.end_ts - script.start_ts, sbg->sample_rate, AV_TIME_BASE); + + if (st->duration != AV_NOPTS_VALUE && ( + st->duration < 0 || st->start_time > INT64_MAX - st->duration)) { + r = AVERROR_INVALIDDATA; + goto fail; + } + sti->cur_dts = st->start_time; r = encode_intervals(&script, st->codecpar, &inter); if (r < 0) From d35579c12b603620c9b8522039ffde287e0eb156 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 19:34:29 +0200 Subject: [PATCH 242/562] avformat/jacosubdec: Factorize code in get_shift() a bit Signed-off-by: Michael Niedermayer (cherry picked from commit 6490b9aed63c06f20bbc46e0bc801e612d07e81e) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 61b1316dc9..42c201f93a 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -143,16 +143,12 @@ static int get_shift(int timeres, const char *buf) ret = 0; switch (n) { - case 4: - ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); - break; - case 3: - ret = sign * (( (int64_t)a*60 + b) * timeres + c); - break; - case 2: - ret = sign * (( (int64_t)a) * timeres + b); - break; + case 1: a = 0; + case 2: c = b; b = a; a = 0; + case 3: d = c; c = b; b = a; a = 0; } + + ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); if ((int)ret != ret) ret = 0; From 441d5eca4b659ad27704315659311945662b8db2 Mon Sep 17 00:00:00 2001 
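Review bot: The added guard in `sbg_read_header` validates `st->duration` only after `script.end_ts - script.start_ts` has already been evaluated in the unchanged `av_rescale()` call just above it, so a signed overflow in that subtraction would happen before the check runs. Unless the script parser already bounds both timestamps (not visible in the hunk), make the subtraction itself safe, for example `av_rescale(av_sat_sub64(script.end_ts, script.start_ts), sbg->sample_rate, AV_TIME_BASE)`, and let the new check reject the saturated result. The error path also leaves no `av_log()` message, which makes a rejected file hard to diagnose.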
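Review bot: The rewritten `switch (n)` in `get_shift` depends on every case falling through into the next, yet none of the three cases is annotated, so the code reads like a missing `break` and will trip `-Wimplicit-fallthrough`. Mark each transition, e.g. `case 2: c = b; b = a; a = 0; /* fallthrough */`, and add a one-line comment above the switch saying that the parsed fields are shifted right until the value is in `a:b:c.d` form. `get_shift` begins outside the hunk, so the code that sets `n` is not shown.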
From: Michael Niedermayer Date: Sat, 30 Sep 2023 19:48:17 +0200 Subject: [PATCH 243/562] avformat/jacosubdec: avoid signed integer overflows in get_shift() Fixes: signed integer overflow: 22014562800 * 934633746 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5189603246866432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 32447b149fb61eb48436eddbbb1adf91b70ec5e4) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 42c201f93a..41216081ee 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -124,7 +124,7 @@ shift_and_ret: return buf + len; } -static int get_shift(int timeres, const char *buf) +static int get_shift(unsigned timeres, const char *buf) { int sign = 1; int a = 0, b = 0, c = 0, d = 0; @@ -148,7 +148,11 @@ static int get_shift(int timeres, const char *buf) case 3: d = c; c = b; b = a; a = 0; } - ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); + ret = (int64_t)a*3600 + (int64_t)b*60 + c; + if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) + return 0; + ret = sign * (ret * timeres + d); + if ((int)ret != ret) ret = 0; From 283baa733661174a53087146402fe911c88599a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 19:59:06 +0200 Subject: [PATCH 244/562] avformat/jacosubdec: Check timeres Signed-off-by: Michael Niedermayer (cherry picked from commit 51f0ab8b127282415822959ccad7db95ad749b5d) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 41216081ee..c6e5b4aa6d 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c 
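Review bot: `FFABS(d)` in the new bound check of `get_shift` negates an `int`, so a parsed value of `INT_MIN` for `d` overflows inside the guard itself. Widen before taking the absolute value: `if (FFABS(ret) > (INT64_MAX - FFABS((int64_t)d)) / timeres)`. The division also assumes `timeres` is non-zero; nothing in this hunk enforces that, so either document the precondition on the function or return 0 early when `timeres` is 0.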
@@ -227,14 +227,17 @@ static int jacosub_read_header(AVFormatContext *s) } av_bprintf(&header, "#S %s", p); break; - case 'T': // ...but must be placed after TIMERES - jacosub->timeres = strtol(p, NULL, 10); - if (!jacosub->timeres) + case 'T': { // ...but must be placed after TIMERES + int64_t timeres = strtol(p, NULL, 10); + if (timeres <= 0 || timeres > UINT32_MAX) { jacosub->timeres = 30; - else + } else { + jacosub->timeres = timeres; av_bprintf(&header, "#T %s", p); + } break; } + } } /* general/essential directives in the extradata */ From 1e239a8b88edfacfe15efc4d6215c09df0d927a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:04:11 +0200 Subject: [PATCH 245/562] avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample() Fixes: signed integer overflow: -9223372036854775808 - 9222726413022000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5959420033761280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3508b496e195440d0af0203e2822937b8c6f5598) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 88fbfbcb5d..0d2ca6b9f5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
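Review bot: The accepted range in the `'T'` case of `jacosub_read_header` goes up to `UINT32_MAX`, which only round-trips if `jacosub->timeres` is an unsigned 32-bit field; its declaration is outside the hunk, and if it is still an `int`, values above `INT_MAX` are stored as negative numbers. Either bound the check with `INT_MAX` or make the field `unsigned` so it matches the `unsigned timeres` parameter of `get_shift`. `strtol(p, NULL, 10)` also ignores trailing garbage and range errors, and an out-of-range value is replaced by 30 silently; an `av_log(s, AV_LOG_WARNING, ...)` on the fallback path would make that visible.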
@@ -8550,12 +8550,13 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) if (msc->pb && msc->current_sample < avsti->nb_index_entries) { AVIndexEntry *current_sample = &avsti->index_entries[msc->current_sample]; int64_t dts = av_rescale(current_sample->timestamp, AV_TIME_BASE, msc->time_scale); + uint64_t dtsdiff = best_dts > dts ? best_dts - (uint64_t)dts : ((uint64_t)dts - best_dts); av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts); if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) || ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE && - ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || - (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { + ((dtsdiff <= AV_TIME_BASE && current_sample->pos < sample->pos) || + (dtsdiff > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; best_dts = dts; *st = avst; From 0c1babaa61948e7d581982494038c5e8f73fb760 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:14:28 +0200 Subject: [PATCH 246/562] avformat/rpl: Check for number_of_chunks overflow Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int32_t' (aka 'int') Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6086131095830528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b3c973acbecb879d4949fecdadd2fdfc08dea42b) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 3ef6fda386..eae0da891b 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c 
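Review bot: The `dtsdiff` initializer in `mov_find_next_sample` casts only one operand in each arm and parenthesizes only the second arm, so the reader has to work out the implicit conversions to confirm that both subtractions are unsigned. Writing both arms the same way, `best_dts > dts ? (uint64_t)best_dts - (uint64_t)dts : (uint64_t)dts - (uint64_t)best_dts`, states the intent directly. The difference is also computed when `dts` is `AV_NOPTS_VALUE`; that is harmless because the later condition tests `dts != AV_NOPTS_VALUE` first, but a short comment saying so would help.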
@@ -268,6 +268,9 @@ static int rpl_read_header(AVFormatContext *s) "Video stream will be broken!\n", av_fourcc2str(vst->codecpar->codec_tag)); number_of_chunks = read_line_and_int(pb, &error); // number of chunks in the file + if (number_of_chunks == INT_MAX) + return AVERROR_INVALIDDATA; + // The number in the header is actually the index of the last chunk. number_of_chunks++; From c01d304a6bf1967cd232b36950a94e5fcf6ab058 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:28:55 +0200 Subject: [PATCH 247/562] avformat/tta: Better totalframes check Fixes: signed integer overflow: 4 * 740491135 cannot be represented in type 'int' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-6298893367508992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f0d00464a50994de0993e045e09313ca8d7cc8f) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index 2183045940..5477654014 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -91,7 +91,7 @@ static int tta_read_header(AVFormatContext *s) c->totalframes = nb_samples / c->frame_size + (c->last_frame_size < c->frame_size); c->currentframe = 0; - if(c->totalframes >= UINT_MAX/sizeof(uint32_t) || c->totalframes <= 0){ + if(c->totalframes >= (INT_MAX - 4)/sizeof(uint32_t) || c->totalframes <= 0){ av_log(s, AV_LOG_ERROR, "totalframes %d invalid\n", c->totalframes); return AVERROR_INVALIDDATA; } From 1718baf61c118eda4119f7de37696fb3b497fa3b Mon Sep 17 00:00:00 2001 
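Review bot: The new test in `rpl_read_header` rejects only `INT_MAX`, so a negative `number_of_chunks` returned by `read_line_and_int()` still reaches the increment and whatever uses the count afterwards. If a negative last-chunk index has no valid meaning, and `error` is not checked before the value is used (neither is visible in the hunk), prefer `if (number_of_chunks < 0 || number_of_chunks == INT_MAX) return AVERROR_INVALIDDATA;`.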
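Review bot: The `- 4` in the new `totalframes` bound of `tta_read_header` is a bare magic number, and the expression it protects is outside the hunk. Add a comment naming it, e.g. `/* totalframes * 4 plus 4 more bytes must fit in an int */` (wording to be confirmed against the code that follows), or derive the limit from the same expression that is used later. The comparison is carried out in `size_t`, so if `totalframes` is a signed `int`, as the `%d` in the log call suggests, a negative value is rejected by the first operand rather than by `<= 0`.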
From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:33:34 +0200 Subject: [PATCH 248/562] avformat/wavdec: Check left avio_tell for overflow Fixes: signed integer overflow: 155 + 9223372036854775655 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5364032278495232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 929ddef3f40102d6a84cfa17ed7c7ffebcf8236e) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 7d16b25e54..1c4883ea1b 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -767,6 +767,8 @@ smv_out: goto smv_retry; return AVERROR_EOF; } + if (INT64_MAX - left < avio_tell(s->pb)) + return AVERROR_INVALIDDATA; wav->data_end = avio_tell(s->pb) + left; } From f15a1d79280b929ad4cdfd5d40ae505af7c07cc9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 23:44:25 +0200 Subject: [PATCH 249/562] avformat/matroskadec: Check prebuffered_ns for overflow Fixes: signed integer overflow: 9223372036630775808 + 1000000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-5406131992526848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d6df3719dd4f75b40cdf25a02f3f075b76ed045) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index ad7ee390a2..2ab344a47e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
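Review bot: `avio_tell(s->pb)` is called twice around the new overflow check and its negative error return is not handled, so a failed tell passes the comparison and ends up in `wav->data_end`. Reading the position once closes that gap: `int64_t pos = avio_tell(s->pb);` followed by `if (pos < 0 || left > INT64_MAX - pos) return AVERROR_INVALIDDATA;` and `wav->data_end = pos + left;`. The check as written also assumes `left` is non-negative at this point, which depends on the branch above the hunk.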
@@ -4186,13 +4186,17 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t prebuffer_ns = 1000000000; int64_t time_ns = sti->index_entries[i].timestamp * matroska->time_scale; double nano_seconds_per_second = 1000000000.0; - int64_t prebuffered_ns = time_ns + prebuffer_ns; + int64_t prebuffered_ns; double prebuffer_bytes = 0.0; int64_t temp_prebuffer_ns = prebuffer_ns; int64_t pre_bytes, pre_ns; double pre_sec, prebuffer, bits_per_second; CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start); + if (time_ns > INT64_MAX - prebuffer_ns) + return -1; + prebuffered_ns = time_ns + prebuffer_ns; + // Start with the first Cue. CueDesc desc_end = desc_beg; From 29788ba10ec4824cafe2e154321c6f9a7a021743 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 23:55:20 +0200 Subject: [PATCH 250/562] avformat/xwma: sanity check bits_per_coded_sample Fixes: signed integer overflow: 65312 * 524296 cannot be represented in type 'int' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_XWMA_fuzzer-6595971445555200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe6ce28d118d6030984e1ee5c2d92e98514fe3d1) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 12689f37fd..b830f9ed75 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -151,7 +151,7 @@ static int xwma_read_header(AVFormatContext *s) st->codecpar->ch_layout.nb_channels); return AVERROR_INVALIDDATA; } - if (!st->codecpar->bits_per_coded_sample) { + if (!st->codecpar->bits_per_coded_sample || st->codecpar->bits_per_coded_sample > 64) { av_log(s, AV_LOG_WARNING, "Invalid bits_per_coded_sample: %d\n", st->codecpar->bits_per_coded_sample); return AVERROR_INVALIDDATA; From a563efcfda67b56cc50d4c2f28b7e44fcafa464b Mon Sep 17 00:00:00 2001 
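Review bot: The guard added before `prebuffered_ns = time_ns + prebuffer_ns` in `webm_dash_manifest_compute_bandwidth` covers only the addition; `time_ns` itself comes from `sti->index_entries[i].timestamp * matroska->time_scale` a few lines earlier, which is unchecked and can wrap or overflow on a crafted index. Depending on the type of `time_scale` (declared outside the hunk) the product should be range-checked as well, and a negative `time_ns` should probably be rejected in the same test. `return -1` is presumably the function's existing error convention; a comment saying so would help, since the return type is `int64_t`.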
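Review bot: The extended condition in `xwma_read_header` caps `bits_per_coded_sample` at 64, but a negative value still passes `!x || x > 64`, and the `%d` in the log call suggests the field is signed. Writing the test as `st->codecpar->bits_per_coded_sample <= 0 || st->codecpar->bits_per_coded_sample > 64` costs nothing. The limit 64 is also unexplained; a comment naming the multiplication it protects (outside the hunk) would make the bound reviewable.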
From: Michael Niedermayer Date: Sun, 1 Oct 2023 00:00:28 +0200 Subject: [PATCH 251/562] avformat/asfdec_f: Saturate presentation time in marker Fixes: signed integer overflow: -9223372036315799520 - 3873890816 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5009302746431488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cedb4736f568a9cc693f81b1f7c33ea2499715ab) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index bdbd4271c8..aa7aaa6ab6 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -670,7 +670,7 @@ static int asf_read_marker(AVFormatContext *s) avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time - pres_time -= asf->hdr.preroll * 10000; + pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000); avio_rl16(pb); // entry length avio_rl32(pb); // send time avio_rl32(pb); // flags From 76ee7c771568029f55fa8806315aeb4b7f149e71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Oct 2023 00:07:20 +0200 Subject: [PATCH 252/562] avcodec/h264_parser: saturate dts a bit Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6112289464123392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7fedbc7606614cc1a6224effa8df762b6883bdc4) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 50810f1789..0a2451a153 100644 --- a/libavcodec/h264_parser.c 
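Review bot: `av_sat_sub64()` in `asf_read_marker` saturates the subtraction, but its second argument `asf->hdr.preroll * 10000` is still evaluated with ordinary arithmetic. If `preroll` is an unsigned 64-bit field (its declaration is not in the hunk) the product wraps silently and the wrapped value is then passed as a signed operand; if it is signed, the multiplication itself can overflow. Bounding `preroll` before the multiplication, e.g. treating values above `INT64_MAX / 10000` as invalid, would make the saturation meaningful.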
+++ b/libavcodec/h264_parser.c @@ -645,10 +645,10 @@ static int h264_parse(AVCodecParserContext *s, int64_t num = avctx->time_base.num * (int64_t)avctx->pkt_timebase.den; if (s->dts != AV_NOPTS_VALUE) { // got DTS from the stream, update reference timestamp - p->reference_dts = s->dts - av_rescale(s->dts_ref_dts_delta, num, den); + p->reference_dts = av_sat_sub64(s->dts, av_rescale(s->dts_ref_dts_delta, num, den)); } else if (p->reference_dts != AV_NOPTS_VALUE) { // compute DTS based on reference timestamp - s->dts = p->reference_dts + av_rescale(s->dts_ref_dts_delta, num, den); + s->dts = av_sat_add64(p->reference_dts, av_rescale(s->dts_ref_dts_delta, num, den)); } if (p->reference_dts != AV_NOPTS_VALUE && s->pts == AV_NOPTS_VALUE) From d7f64a78e0d452e82be43abb3ee53f187cae86e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2023 00:07:32 +0200 Subject: [PATCH 253/562] avformat/tmv: Check video chunk size This check matches the audio chunk check Fixes: Timeout Fixes: 62681/clusterfuzz-testcase-minimized-ffmpeg_dem_TMV_fuzzer-5299107876700160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b79fc7059600b28dce392fc20e5c8bd554c2fc95) Signed-off-by: Michael Niedermayer --- libavformat/tmv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/tmv.c b/libavformat/tmv.c index ea39954190..18105f764e 100644 --- a/libavformat/tmv.c +++ b/libavformat/tmv.c @@ -103,6 +103,10 @@ static int tmv_read_header(AVFormatContext *s) char_cols = avio_r8(pb); char_rows = avio_r8(pb); tmv->video_chunk_size = char_cols * char_rows * 2; + if (!tmv->video_chunk_size) { + av_log(s, AV_LOG_ERROR, "invalid video chunk size\n"); + return AVERROR_INVALIDDATA; + } features = avio_r8(pb); if (features & ~(TMV_PADDING | TMV_STEREO)) { From 566e0aa8e22050c1c7ac4a87e4f4e262e2b94949 Mon Sep 17 00:00:00 2001 
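Review bot: Saturating to `INT64_MIN` in `h264_parse` produces exactly `AV_NOPTS_VALUE`, so an overflowing `av_sat_sub64()` or `av_sat_add64()` result in `p->reference_dts` or `s->dts` is afterwards indistinguishable from "no timestamp". That is probably an acceptable outcome for hostile input, but it is a side effect rather than a stated decision; add a comment such as `/* saturation may yield AV_NOPTS_VALUE, which the checks below treat as unset */`. Saturation to `INT64_MAX` on the other side yields a valid-looking timestamp, which code outside the hunk would have to tolerate.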
From: Michael Niedermayer Date: Thu, 5 Oct 2023 18:27:28 +0200 Subject: [PATCH 254/562] avcodec/xvididct: Make c* unsigned to avoid undefined overflows Fixes: signed integer overflow: 1496950099 + 728014168 cannot be represented in type 'int' Fixes: 62667/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-6511785170305024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f7e5537dc1ff2f45a6e4c98091f15e60c3647cfc) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index dcea32210a..01072d80ab 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -56,13 +56,13 @@ static const int TAB35[] = { 26722, 25172, 22654, 19266, 15137, 10426, 5315 }; static int idct_row(short *in, const int *const tab, int rnd) { - const int c1 = tab[0]; - const int c2 = tab[1]; - const int c3 = tab[2]; - const int c4 = tab[3]; - const int c5 = tab[4]; - const int c6 = tab[5]; - const int c7 = tab[6]; + const unsigned c1 = tab[0]; + const unsigned c2 = tab[1]; + const unsigned c3 = tab[2]; + const unsigned c4 = tab[3]; + const unsigned c5 = tab[4]; + const unsigned c6 = tab[5]; + const unsigned c7 = tab[6]; const int right = in[5] | in[6] | in[7]; const int left = in[1] | in[2] | in[3]; @@ -102,8 +102,8 @@ static int idct_row(short *in, const int *const tab, int rnd) return 0; } } else if (!(left | right)) { - const int a0 = (rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT; - const int a1 = (rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT; + const int a0 = (int)(rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT; + const int a1 = (int)(rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT; in[0] = a0; in[3] = a0; From 181d6e17e07b19a04aaae637c1ce533a719ad88a Mon Sep 17 00:00:00 2001 
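Review bot: The `c1`..`c7` declarations in `idct_row` are now `unsigned` purely so that the multiply-accumulate expressions wrap instead of overflowing, and that reason is not recorded anywhere near them. Add a comment above the block, e.g. `/* unsigned: products may exceed INT_MAX on damaged input, wraparound is intended */`. Because the coefficients are unsigned, any expression that contains them and is shifted right directly needs the `(int)` cast that the second hunk adds to `a0` and `a1`; the rest of the function body is outside both hunks, so the remaining shifts should be checked for the same pattern.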
From: Michael Niedermayer Date: Sun, 1 Oct 2023 19:28:55 +0200 Subject: [PATCH 255/562] avcodec/h2645_parse: Avoid EAGAIN EAGAIN causes an assertion failure when it is returned from the decoder Fixes: Assertion consumed != (-(11)) failed at libavcodec/decode.c:462 Fixes: assertion_IOT_instruction_decode_c_462/poc Found-by: Hardik Shah of Vehere (Dawn Treaders team) Signed-off-by: Michael Niedermayer (cherry picked from commit 5ddab49d48343385eadb3a435a5491c476b66ecc) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h index 787ce971ee..128dea09ef 100644 --- a/libavcodec/h2645_parse.h +++ b/libavcodec/h2645_parse.h @@ -123,7 +123,7 @@ static inline int get_nalsize(int nal_length_size, const uint8_t *buf, if (*buf_index >= buf_size - nal_length_size) { // the end of the buffer is reached, refill it - return AVERROR(EAGAIN); + return AVERROR_INVALIDDATA; } for (i = 0; i < nal_length_size; i++) From f861a1602529aa4788f7df85eb9f00c6b861e760 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Sat, 14 Oct 2023 23:27:24 -0400 Subject: [PATCH 256/562] libavutil/ppc/cpu.c: check that AT_HWCAP2 is defined It was not introduced until glibc 2.18. Signed-off-by: Michael Niedermayer (cherry picked from commit d799ad24045f2ae005c8b4c90bee5330ff15fea8) Signed-off-by: Michael Niedermayer --- libavutil/ppc/cpu.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c index 96b491c716..bc8bb5f47c 100644 --- a/libavutil/ppc/cpu.c +++ b/libavutil/ppc/cpu.c 
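Review bot: The comment `// the end of the buffer is reached, refill it` above the changed return in `get_nalsize` no longer matches the code, since the function now reports `AVERROR_INVALIDDATA` instead of asking for more data. Update it to something like `// not enough bytes left for a NAL length field: treat as corrupt input`. Callers that previously special-cased `AVERROR(EAGAIN)` from this helper, if any exist outside the hunk, would now see a hard error.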
@@ -95,12 +95,15 @@ int ff_get_cpu_flags_ppc(void) #endif if (ret & AV_CPU_FLAG_VSX) av_assert0(ret & AV_CPU_FLAG_ALTIVEC); - } else if (buf[i] == AT_HWCAP2) { + } +#ifdef AT_HWCAP2 /* not introduced until glibc 2.18 */ + else if (buf[i] == AT_HWCAP2) { #ifdef PPC_FEATURE2_ARCH_2_07 if (buf[i + 1] & PPC_FEATURE2_ARCH_2_07) ret |= AV_CPU_FLAG_POWER8; #endif } +#endif /* AT_HWCAP2 */ } } From 905819d18a93c0fb3685e4ba22afeb7f5af89116 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Oct 2023 01:39:16 +0200 Subject: [PATCH 257/562] avformat/mxfdec: Check klv offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Assertion klv_offset >= mxf->run_in failed at libavformat/mxfdec.c:736 Fixes: 62936/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5778404366221312.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 70f5fa63258f548cd8d067d479658bae61711ff4) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 2b2cfba273..5185fb6cc4 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -445,12 +445,15 @@ static int mxf_read_sync(AVIOContext *pb, const uint8_t *key, unsigned size) return i == size; } -static int klv_read_packet(KLVPacket *klv, AVIOContext *pb) +static int klv_read_packet(MXFContext *mxf, KLVPacket *klv, AVIOContext *pb) { int64_t length, pos; if (!mxf_read_sync(pb, mxf_klv_key, 4)) return AVERROR_INVALIDDATA; klv->offset = avio_tell(pb) - 4; + if (klv->offset < mxf->run_in) + return AVERROR_INVALIDDATA; + memcpy(klv->key, mxf_klv_key, 4); avio_read(pb, klv->key + 4, 12); length = klv_decode_ber_length(pb); 
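Review bot: The new `klv->offset < mxf->run_in` test in `klv_read_packet` is the runtime counterpart of an assertion elsewhere in the demuxer (per the commit message), but nothing at the check says so and it fails silently. Add a comment such as `/* a KLV starting before run_in would violate the klv_offset >= run_in assertion */` and consider a debug-level `av_log()`. The unchanged `avio_read(pb, klv->key + 4, 12)` right after it ignores a short read; that predates this commit but sits on the same untrusted-input path.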
@@ -3337,7 +3340,7 @@ static int mxf_seek_to_previous_partition(MXFContext *mxf) /* Make sure this is actually a PartitionPack, and if so parse it. * See deadlock2.mxf */ - if ((ret = klv_read_packet(&klv, pb)) < 0) { + if ((ret = klv_read_packet(mxf, &klv, pb)) < 0) { av_log(mxf->fc, AV_LOG_ERROR, "failed to read PartitionPack KLV\n"); return ret; } @@ -3614,7 +3617,7 @@ static void mxf_read_random_index_pack(AVFormatContext *s) if (length < min_rip_length || length > max_rip_length) goto end; avio_seek(s->pb, file_size - length, SEEK_SET); - if (klv_read_packet(&klv, s->pb) < 0 || + if (klv_read_packet(mxf, &klv, s->pb) < 0 || !IS_KLV_KEY(klv.key, ff_mxf_random_index_pack_key)) goto end; if (klv.next_klv != file_size || klv.length <= 4 || (klv.length - 4) % 12) { @@ -3661,7 +3664,7 @@ static int mxf_read_header(AVFormatContext *s) while (!avio_feof(s->pb)) { const MXFMetadataReadTableEntry *metadata; - if (klv_read_packet(&klv, s->pb) < 0) { + if (klv_read_packet(mxf, &klv, s->pb) < 0) { /* EOF - seek to previous partition or stop */ if(mxf_parse_handle_partition_or_eof(mxf) <= 0) break; @@ -3910,7 +3913,7 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt) if (pos < mxf->current_klv_data.next_klv - mxf->current_klv_data.length || pos >= mxf->current_klv_data.next_klv) { mxf->current_klv_data = (KLVPacket){{0}}; - ret = klv_read_packet(&klv, s->pb); + ret = klv_read_packet(mxf, &klv, s->pb); if (ret < 0) break; max_data_size = klv.length; From 4bd4b178bfa49fdaf2a0560e1c1cfc6dad0fcf6a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 4 Oct 2023 23:32:17 +0200 Subject: [PATCH 258/562] avcodec/jpeg2000dec: Check image offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: left shift of negative value -538967841 Fixes: 62447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6427134337613824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 88453250dbe952e85899d04867914ef95785530e) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index fc10bb8f0c..686a4f9758 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -323,6 +323,11 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_INVALIDDATA; } + if (s->image_offset_x >= s->width || s->image_offset_y >= s->height) { + av_log(s->avctx, AV_LOG_ERROR, "image offsets outside image"); + return AVERROR_INVALIDDATA; + } + if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){ av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented"); return AVERROR_PATCHWELCOME; From 5e71da4ef9636966b7ec5f8910cf0e6dd4e941e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Oct 2023 22:07:36 +0200 Subject: [PATCH 259/562] avformat/rtsp: Use rtsp_st->stream_index MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array access Fixes: rtpdec_h264.c149/poc Found-by: Hardik Shah of Vehere Reviewed-by: Martin Storsjö Signed-off-by: Michael Niedermayer (cherry picked from commit e4d5ac8d7d2a08658b3db7dd821246fe6b35381f) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
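Review bot: The added offset check in `get_siz` only rejects offsets at or beyond the image size, so if `image_offset_x` and `image_offset_y` are stored as signed integers (their declarations are outside the hunk) a negative offset still passes. Adding `s->image_offset_x < 0 || s->image_offset_y < 0` to the condition would cover that. The new `av_log()` string also lacks a trailing `\n`, like the neighbouring message below it.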
diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index f948f1d395..4c8c7a186c 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -409,7 +409,7 @@ static void parse_fmtp(AVFormatContext *s, RTSPState *rt, if (rtsp_st->sdp_payload_type == payload_type && rtsp_st->dynamic_handler && rtsp_st->dynamic_handler->parse_sdp_a_line) { - rtsp_st->dynamic_handler->parse_sdp_a_line(s, i, + rtsp_st->dynamic_handler->parse_sdp_a_line(s, rtsp_st->stream_index, rtsp_st->dynamic_protocol_context, line); } } From 7739dabb89eee2501ccf65971fa959d6c7d9a425 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 9 Oct 2023 00:16:08 +0200 Subject: [PATCH 260/562] avformat/matroskadec: Fix declaration-after-statement warnings Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 37b5f4a1f6a9c7c8f3620c6b1f7f2b0bb997e5d7) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2ab344a47e..78a11262f1 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4192,14 +4192,13 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t pre_bytes, pre_ns; double pre_sec, prebuffer, bits_per_second; CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start); + // Start with the first Cue. + CueDesc desc_end = desc_beg; if (time_ns > INT64_MAX - prebuffer_ns) return -1; prebuffered_ns = time_ns + prebuffer_ns; - // Start with the first Cue. - CueDesc desc_end = desc_beg; - // Figure out how much data we have downloaded for the prebuffer. This will // be used later to adjust the bits per sample to try. while (desc_end.start_time_ns != -1 && desc_end.end_time_ns < prebuffered_ns) { From 1435f5028342de869c15c4c0630d44e4439c0479 Mon Sep 17 00:00:00 2001 
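Review bot: `rtsp_st->stream_index` is passed to `parse_sdp_a_line()` in `parse_fmtp` without a check that it refers to an existing stream. If an `RTSPStream` can exist without an associated `AVStream` and carry a negative index (not visible in the hunk), every dynamic handler has to guard against that on its own; adding `rtsp_st->stream_index >= 0 &&` to the existing `if` would make the invariant local, provided no handler relies on being called in that case. The loop variable `i` that was passed before indexes the RTSP stream array, which is worth stating in a comment so the two index spaces are not confused again.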
From: Michael Niedermayer Date: Sun, 15 Oct 2023 01:52:20 +0200 Subject: [PATCH 261/562] avformat/mov: Check that is_still_picture_avif has no trak based streams Fixes: Assertion failure in mov_read_iloc( in mov_read_iloc()) Fixes: 62866/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5282997370486784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 98c2711b58ce65eae02cb2ece3a664e1119fd8fe) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0d2ca6b9f5..77108738a4 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4440,6 +4440,10 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; int ret; + if (c->is_still_picture_avif) { + return AVERROR_INVALIDDATA; + } + st = avformat_new_stream(c->fc, NULL); if (!st) return AVERROR(ENOMEM); st->id = -1; From 26a4846b28e4d81610b3c831f4317cbc0b422078 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Oct 2023 23:50:07 +0200 Subject: [PATCH 262/562] avcodec/dovi_rpu: Use 64 bit in get_us/se_coeff() Fixes: shift exponent 32 is too large for 32-bit type 'int' Fixes: 63151/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5067531154751488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2817efbba331ac1d3a39fbee78b480008ce20a93) Signed-off-by: Michael Niedermayer --- libavcodec/dovi_rpu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dovi_rpu.c b/libavcodec/dovi_rpu.c index dd38936552..107d1ab441 100644 --- a/libavcodec/dovi_rpu.c +++ b/libavcodec/dovi_rpu.c 
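Review bot: The early return in `mov_read_trak` depends on `c->is_still_picture_avif` having been set before the first `trak` box is parsed. If the flag is derived from a box that a crafted file can place after a `trak` (where it is set is outside the hunk), a stream is created first and the condition described in the commit message can still be reached; the code that sets the flag, or the consumer in `mov_read_iloc`, should then also check for existing streams. The rejection is silent; an `av_log(c->fc, AV_LOG_ERROR, ...)` would help triage.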
@@ -157,7 +157,7 @@ static inline uint64_t get_ue_coef(GetBitContext *gb, const AVDOVIRpuDataHeader case RPU_COEFF_FLOAT: fpart.u32 = get_bits_long(gb, 32); - return fpart.f32 * (1 << hdr->coef_log2_denom); + return fpart.f32 * (1LL << hdr->coef_log2_denom); } return 0; /* unreachable */ @@ -176,7 +176,7 @@ static inline int64_t get_se_coef(GetBitContext *gb, const AVDOVIRpuDataHeader * case RPU_COEFF_FLOAT: fpart.u32 = get_bits_long(gb, 32); - return fpart.f32 * (1 << hdr->coef_log2_denom); + return fpart.f32 * (1LL << hdr->coef_log2_denom); } return 0; /* unreachable */ From 0f93f8ce2cec4d85ac0eb312c904aef17f5fdb02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Oct 2023 00:11:02 +0200 Subject: [PATCH 263/562] tools/target_dec_fuzzer: Adjust threshold for CSCD Fixes: Timeout Fixes: 63362/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-4694620065628160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2f2bf82c1b3987e2d1a75cc79c4b58d286a2291) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index dabb305ba0..475d29f603 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -218,6 +218,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_CFHD: maxpixels /= 16384; break; case AV_CODEC_ID_CINEPAK: maxpixels /= 128; break; case AV_CODEC_ID_COOK: maxsamples /= 1<<20; break; + case AV_CODEC_ID_CSCD: maxpixels /= 1024; break; case AV_CODEC_ID_DFA: maxpixels /= 1024; break; case AV_CODEC_ID_DIRAC: maxpixels /= 8192; break; case AV_CODEC_ID_DSICINVIDEO: maxpixels /= 1024; break; From e531abaf3c41953618573bef9a2568f7644626b6 Mon Sep 17 00:00:00 2001 
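Review bot: In the `RPU_COEFF_FLOAT` case of `get_ue_coef` (and identically in `get_se_coef` in the second hunk) the product `fpart.f32 * (1LL << hdr->coef_log2_denom)` is converted implicitly to the integer return type, while `fpart.f32` is an arbitrary 32-bit pattern read from the bitstream. NaN, infinities, negative values (for the unsigned variant) and magnitudes beyond the 64-bit range make that float-to-integer conversion undefined. Range-check before returning, for the unsigned variant e.g. `float v = fpart.f32 * (1LL << hdr->coef_log2_denom);` then `if (!(v >= 0.0f && v < 0x1p63f)) return 0;`, and confirm that `coef_log2_denom` is validated to stay below 63 where the header is parsed, which is outside these hunks.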
From: Michael Niedermayer Date: Thu, 2 Nov 2023 23:49:53 +0100 Subject: [PATCH 264/562] avfilter/buffersink: fix order of operation with = and <0 Reviewed-by: Sean McGovern Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit c0a18e884c2d24d1052147082c358cb6929e97f1) Signed-off-by: Michael Niedermayer --- libavfilter/buffersink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/buffersink.c b/libavfilter/buffersink.c index e269cf72d1..5e38180f53 100644 --- a/libavfilter/buffersink.c +++ b/libavfilter/buffersink.c @@ -313,7 +313,7 @@ static int asink_query_formats(AVFilterContext *ctx) cleanup_redundant_layouts(ctx); for (i = 0; i < NB_ITEMS(buf->channel_layouts); i++) if ((ret = av_channel_layout_from_mask(&layout, buf->channel_layouts[i])) < 0 || - (ret = ff_add_channel_layout(&layouts, &layout) < 0)) + (ret = ff_add_channel_layout(&layouts, &layout)) < 0) return ret; for (i = 0; i < NB_ITEMS(buf->channel_counts); i++) { layout = FF_COUNT2LAYOUT(buf->channel_counts[i]); From db73e0bb1a610c18147a897f73990711d67f6a09 Mon Sep 17 00:00:00 2001 From: Frank Plowman Date: Wed, 8 Nov 2023 07:55:18 +0000 Subject: [PATCH 265/562] doc/html: support texinfo 7.0 Resolves trac ticket #10636 (http://trac.ffmpeg.org/ticket/10636). Texinfo 7.0, released in November 2022, changed the names of various functions. Compiling docs with Texinfo 7.0 resulted in warnings and improperly formatted documentation. More old names appear to have been removed in Texinfo 7.1, released October 2023, which causes docs compilation to fail. This commit addresses the issue by adding logic to switch between the old and new function names depending on the Texinfo version. Texinfo 6.8 produces identical documentation before and after the patch. CC https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1938238.html https://bugs.gentoo.org/916104 
Signed-off-by: Frank Plowman (cherry picked from commit f01fdedb69e4accb1d1555106d8f682ff1f1ddc7) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 106 ++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 85 insertions(+), 21 deletions(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index d07d974286..b7485e1f1e 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm @@ -20,8 +20,45 @@ # License along with FFmpeg; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Texinfo 7.0 changed the syntax of various functions. +# Provide a shim for older versions. +sub ff_set_from_init_file($$) { + my $key = shift; + my $value = shift; + if (exists &{'texinfo_set_from_init_file'}) { + texinfo_set_from_init_file($key, $value); + } else { + set_from_init_file($key, $value); + } +} + +sub ff_get_conf($) { + my $key = shift; + if (exists &{'texinfo_get_conf'}) { + texinfo_get_conf($key); + } else { + get_conf($key); + } +} + +sub get_formatting_function($$) { + my $obj = shift; + my $func = shift; + + my $sub = $obj->can('formatting_function'); + if ($sub) { + return $obj->formatting_function($func); + } else { + return $obj->{$func}; + } +} + +# determine texinfo version +my $program_version_num = version->declare(ff_get_conf('PACKAGE_VERSION'))->numify; +my $program_version_6_8 = $program_version_num >= 6.008000; + # no navigation elements -set_from_init_file('HEADERS', 0); +ff_set_from_init_file('HEADERS', 0); sub ffmpeg_heading_command($$$$$) { @@ -55,7 +92,7 @@ sub ffmpeg_heading_command($$$$$) $element = $command->{'parent'}; } if ($element) { - $result .= &{$self->{'format_element_header'}}($self, $cmdname, + $result .= &{get_formatting_function($self, 'format_element_header')}($self, $cmdname, $command, $element); } 
@@ -112,7 +149,11 @@ sub ffmpeg_heading_command($$$$$) $cmdname = $Texinfo::Common::level_to_structuring_command{$cmdname}->[$heading_level]; } - $result .= &{$self->{'format_heading_text'}}( + # format_heading_text expects an array of headings for texinfo >= 7.0 + if ($program_version_num >= 7.000000) { + $heading = [$heading]; + } + $result .= &{get_formatting_function($self,'format_heading_text')}( $self, $cmdname, $heading, $heading_level + $self->get_conf('CHAPTER_HEADER_LEVEL') - 1, $command); @@ -126,23 +167,19 @@ foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') { texinfo_register_command_formatting($command, \&ffmpeg_heading_command); } -# determine if texinfo is at least version 6.8 -my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; -my $program_version_6_8 = $program_version_num >= 6.008000; - # print the TOC where @contents is used if ($program_version_6_8) { - set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); + ff_set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); } else { - set_from_init_file('INLINE_CONTENTS', 1); + ff_set_from_init_file('INLINE_CONTENTS', 1); } # make chapters
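Review bot: The literal test `$program_version_num >= 7.000000` added before the format_heading_text call is repeated in the later hunks, once in ffmpeg_begin_file and three times in ffmpeg_float, while the 6.8 threshold already has a named flag. Defining `my $program_version_7_0 = $program_version_num >= 7.000000;` next to `$program_version_6_8` and testing that flag would keep the threshold in one place. ffmpeg_heading_command starts and ends outside this hunk.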

-set_from_init_file('CHAPTER_HEADER_LEVEL', 2); +ff_set_from_init_file('CHAPTER_HEADER_LEVEL', 2); # Do not add
-set_from_init_file('DEFAULT_RULE', ''); -set_from_init_file('BIG_RULE', ''); +ff_set_from_init_file('DEFAULT_RULE', ''); +ff_set_from_init_file('BIG_RULE', ''); # Customized file beginning sub ffmpeg_begin_file($$$) @@ -159,7 +196,18 @@ sub ffmpeg_begin_file($$$) my ($title, $description, $encoding, $date, $css_lines, $doctype, $bodytext, $copying_comment, $after_body_open, $extra_head, $program_and_version, $program_homepage, - $program, $generator) = $self->_file_header_informations($command); + $program, $generator); + if ($program_version_num >= 7.000000) { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_information($command); + } else { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_informations($command); + } my $links = $self->_get_links ($filename, $element); @@ -223,7 +271,7 @@ if ($program_version_6_8) { sub ffmpeg_end_file($) { my $self = shift; - my $program_string = &{$self->{'format_program_string'}}($self); + my $program_string = &{get_formatting_function($self,'format_program_string')}($self); my $program_text = < $program_string @@ -244,7 +292,7 @@ if ($program_version_6_8) { # Dummy title command # Ignore title. Title is handled through ffmpeg_begin_file(). -set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); +ff_set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); sub ffmpeg_title($$$$) { return ''; 
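Review bot: In ffmpeg_begin_file the fourteen-variable list assignment is now written out twice and the two branches differ only in the method name, so the copies can drift apart when a field is added or reordered. Selecting the name first, `my $hdr_info = $program_version_num >= 7.000000 ? '_file_header_information' : '_file_header_informations';`, and keeping the single original assignment with `$self->$hdr_info($command)` avoids that. Both names carry a leading underscore, which suggests converter-internal methods, so a short comment naming the Texinfo release that renamed it would help whoever has to adjust this again. The body of ffmpeg_begin_file continues outside the hunk.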
@@ -262,8 +310,14 @@ sub ffmpeg_float($$$$$) my $args = shift; my $content = shift; - my ($caption, $prepended) = Texinfo::Common::float_name_caption($self, - $command); + my ($caption, $prepended); + if ($program_version_num >= 7.000000) { + ($caption, $prepended) = Texinfo::Convert::Converter::float_name_caption($self, + $command); + } else { + ($caption, $prepended) = Texinfo::Common::float_name_caption($self, + $command); + } my $caption_text = ''; my $prepended_text; my $prepended_save = ''; @@ -335,8 +389,13 @@ sub ffmpeg_float($$$$$) $caption->{'args'}->[0], 'float caption'); } if ($prepended_text.$caption_text ne '') { - $prepended_text = $self->_attribute_class('div','float-caption'). '>' - . $prepended_text; + if ($program_version_num >= 7.000000) { + $prepended_text = $self->html_attribute_class('div',['float-caption']). '>' + . $prepended_text; + } else { + $prepended_text = $self->_attribute_class('div','float-caption'). '>' + . $prepended_text; + } $caption_text .= ''; } my $html_class = ''; @@ -349,8 +408,13 @@ sub ffmpeg_float($$$$$) $prepended_text = ''; $caption_text = ''; } - return $self->_attribute_class('div', $html_class). '>' . "\n" . - $prepended_text . $caption_text . $content . ''; + if ($program_version_num >= 7.000000) { + return $self->html_attribute_class('div', [$html_class]). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } else { + return $self->_attribute_class('div', $html_class). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } } texinfo_register_command_formatting('float', From a3440ddec35724c45ba2bf73f9592c427690f750 Mon Sep 17 00:00:00 2001 
From: Frank Plowman Date: Wed, 8 Nov 2023 07:55:57 +0000 Subject: [PATCH 266/562] doc/html: fix styling issue with Texinfo 7.0 Texinfo 7.0 produces quite different HTML to Texinfo 6.8. Without this change, enumerated option flags (i.e. Possible values of x are...) render as white text on a white background with Texinfo 7.0 and are unreadable. This change removes a style for the selector `.table .table` which causes the background to turn white for these elements. As far as I can tell, it is not actually used anywhere in files generated by Texinfo 6.8. Signed-off-by: Frank Plowman (cherry picked from commit f16900bda23414caf9ec3f9dc50db7d4caf59a8b) Signed-off-by: Michael Niedermayer --- doc/bootstrap.min.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/bootstrap.min.css b/doc/bootstrap.min.css index 6f68017d58..45bf263d6e 100644 --- a/doc/bootstrap.min.css +++ b/doc/bootstrap.min.css 
@@ -2,4 +2,4 @@ * Bootstrap v3.2.0 (http://getbootstrap.com) * Copyright 2011-2014 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) - *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html 
input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) 
format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-vol
ume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content
:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{conte
nt:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:
"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% 
\9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media 
(min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid 
#eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media 
(min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-
left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margi
n-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin
-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padd
ing:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table 
th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>t
foot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px 
\9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success 
.form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline 
.form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] 
.btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] 
.btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu 
.divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group 
.btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 
16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group 
.form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid 
transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 
0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media 
(min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 
15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media 
(min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open 
.dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse 
.navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid 
#ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager 
.disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and 
(min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 
0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 
50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 
75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover 
.list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger 
.list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child 
td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child 
td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered
>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading 
.badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well 
blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group 
.btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 
5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" 
";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', 
GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control 
.icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media 
(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and 
(max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} + *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html 
input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) 
format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-vol
ume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content
:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{conte
nt:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:
"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% 
\9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media 
(min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid 
#eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media 
(min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-
left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margi
n-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin
-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padd
ing:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table 
th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>t
foot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid 
#ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px 
\9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success 
.form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline 
.form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto 
-webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] 
.btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] 
.btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu 
.divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group 
.btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 
16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group 
.form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid 
transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 
0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media 
(min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 
15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media 
(min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open 
.dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse 
.navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid 
#ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager 
.disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and 
(min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 
0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 
50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 
75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover 
.list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger 
.list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child 
td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child 
td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered
>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading 
.badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well 
blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group 
.btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 
5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" 
";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', 
GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control 
.icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media 
(max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and 
(max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} From b49de8dfe68ae0b826ebee42091b89dfdbe41270 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Nov 2023 01:37:11 +0100 Subject: [PATCH 267/562] avformat/mov: Disallow FTYP after streams Fixes: Assertion !c->fc->nb_streams failed at libavformat/mov.c:7799 Fixes: 63875/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5479178702815232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19fcf4313148e86aa47d81a8d5d5e8d056f1f906) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 77108738a4..ee4b62aa0c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1130,6 +1130,8 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; + if (c->fc->nb_streams) + return AVERROR_INVALIDDATA; if (strcmp(type, "qt ")) c->isom = 1; From 49beba036c83e19cf71ffc59f8b9efdf5076c2e1 Mon Sep 17 00:00:00 2001 
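Review bot: The new `if (c->fc->nb_streams)` rejection in mov_read_ftyp returns AVERROR_INVALIDDATA without logging anything, so a file refused here gives the user no hint about why demuxing stopped. A diagnostic before the return would help, e.g. `av_log(c->fc, AV_LOG_ERROR, "ftyp atom found after streams were created\n");`. A short comment should also record that later code assumes no streams exist yet, since the commit message cites an assertion on `!c->fc->nb_streams`. Hard-failing may also refuse files with a stray late ftyp that demuxed before this change. Whether skipping the atom instead would be safe cannot be judged from here, because the function body continues outside the hunk.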
From: Michael Niedermayer
Date: Wed, 8 Nov 2023 01:44:07 +0100
Subject: [PATCH 268/562] avcodec/4xm: Check for cfrm exhaustion
Fixes: index -1 out of bounds for type 'CFrameBuffer [100]'
Fixes: 63877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5854263397711872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit bb0a684d93f793457f7bff3940a1398eb9e91703)
Signed-off-by: Michael Niedermayer
---
 libavcodec/4xm.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 7b88631a6b..96e00c2193 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -887,6 +887,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture,
 }
 if (i >= CFRAME_BUFFER_COUNT) {
+ if (free_index < 0)
+ return AVERROR_INVALIDDATA;
 i = free_index;
 f->cfrm[i].id = id;
 }
From 4729204c17f756e186d622060088371d10b34f7e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 10 Nov 2023 00:32:27 +0100
Subject: [PATCH 269/562] Update for 5.1.4
Signed-off-by: Michael Niedermayer
---
 Changelog | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++
 RELEASE | 2 +-
 doc/Doxyfile | 2 +-
 3 files changed, 117 insertions(+), 2 deletions(-)
diff --git a/Changelog b/Changelog
index 9a132bc1bf..1240dd6fae 100644
--- a/Changelog
+++ b/Changelog
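Review bot: The `free_index < 0` guard in decode_frame presumably relies on free_index starting at a negative sentinel and being updated only when an empty cfrm slot is seen, neither of which is visible in this hunk. A comment at the guard would make that contract explicit, e.g. `/* every cfrm slot holds a pending partial frame, nothing to reuse */`. The error return is also silent, so `av_log(avctx, AV_LOG_ERROR, "no free cfrm buffer\n");` before it would tell a user why the packet was rejected. decode_frame starts and ends outside the hunk, so whether occupied slots are ever released after this error cannot be checked from here.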
@@ -1,6 +1,121 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 5.1.4: + avcodec/4xm: Check for cfrm exhaustion + avformat/mov: Disallow FTYP after streams + doc/html: fix styling issue with Texinfo 7.0 + doc/html: support texinfo 7.0 + avfilter/buffersink: fix order of operation with = and <0 + tools/target_dec_fuzzer: Adjust threshold for CSCD + avcodec/dovi_rpu: Use 64 bit in get_us/se_coeff() + avformat/mov: Check that is_still_picture_avif has no trak based streams + avformat/matroskadec: Fix declaration-after-statement warnings + avformat/rtsp: Use rtsp_st->stream_index + avcodec/jpeg2000dec: Check image offset + avformat/mxfdec: Check klv offset + libavutil/ppc/cpu.c: check that AT_HWCAP2 is defined + avcodec/h2645_parse: Avoid EAGAIN + avcodec/xvididct: Make c* unsigned to avoid undefined overflows + avformat/tmv: Check video chunk size + avcodec/h264_parser: saturate dts a bit + avformat/asfdec_f: Saturate presentation time in marker + avformat/xwma: sanity check bits_per_coded_sample + avformat/matroskadec: Check prebuffered_ns for overflow + avformat/wavdec: Check left avio_tell for overflow + avformat/tta: Better totalframes check + avformat/rpl: Check for number_of_chunks overflow + avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample() + avformat/jacosubdec: Check timeres + avformat/jacosubdec: avoid signed integer overflows in get_shift() + avformat/jacosubdec: Factorize code in get_shift() a bit + avformat/sbgdec: Check for negative duration or un-representable end pts + avcodec/escape124: Do not return random numbers + avcodec/apedec: Fix an integer overflow in predictor_update_filter() + tools/target_dec_fuzzer: Adjust wmapro threshold + avformat/avs: Check if return code is representable + avcodec/lcldec: Make PNG filter addressing match the code afterwards + avformat/westwood_vqa: Check chunk size + avformat/sbgdec: Check for 
period overflow + avformat/concatdec: Check in/outpoint for overflow + avformat/mxfdec: Remove this_partition + avcodec/xvididct: Fix integer overflow in idct_row() + avcodec/celp_math: avoid overflow in shift + tools/target_dec_fuzzer: Adjust threshold for rtv1 + avformat/hls: reduce default max reload to 3 + avformat/format: Stop reading data at EOF during probing + avcodec/jpeg2000dec: jpeg2000 has its own lowres option + avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure + avcodec/cscd: Fix "CamStudio Lossless Codec 1.0" gzip files + avcodec/cscd: Check for CamStudio Lossless Codec 1.0 behavior in end check of LZO files + avcodec/mpeg4videodec: consider lowres in dest_pcm[] + avcodec/hevcdec: Fix undefined memcpy() + avcodec/mpeg4videodec: more unsigned in amv computation + avcodec/tta: fix signed overflow in decorrelate + avcodec/apedec: Fix 48khz 24bit below insane level + avcodec/apedec: Fix CRC for 24bps and bigendian + avcodec/xvididct: Fix integer overflow in idct_row() + avformat/avr: Check sample rate + avformat/imf_cpl: Replace NULL content_title_utf8 by "" + avformat/imf_cpl: xmlNodeListGetString() can return NULL + avcodec/pcm: allow Changing parameters + avcodec/jpeg2000dec: Check for reduction factor and image offset + avutil/softfloat: Basic documentation for av_sincos_sf() + avutil/softfloat: fix av_sincos_sf() + tools/target_dec_fuzzer: Adjust threshold for speex + avcodec/utils: fix 2 integer overflows in get_audio_frame_duration() + avcodec/hevcdec: Avoid null pointer dereferences in MC + avcodec/takdsp: Fix integer overflows + avcodec: Ignoring errors is only possible before the input end + avformat/jpegxl_probe: Forward error codes + avformat/jpegxl_probe: check length instead of blindly reading + avformat/jpegxl_probe: Remove intermediate macro obfuscation around get_bits*() + avcodec/noise_bsf: Check for wrapped frames + avformat/oggparsetheora: clip duration within 64bit + avformat/wavdec: Check that smv block fits in 
available space + avcodec/tiff: add a zero DNG_LINEARIZATION_TABLE check + avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() + avcodec/sonic: Fix two undefined integer overflows + avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated + avcodec/exr: Cleanup befor return + avcodec/pngdec: Do not pass AVFrame into global header decode + avcodec/pngdec: remove AVFrame argument from decode_iccp_chunk() + avcodec/vorbisdec: Check codebook float values to be finite + avcodec/g2meet: Replace fake allocation avoidance for framebuf + avutil/tx_priv: Use unsigned in BF() to avoid signed overflows + avcodec/lcldec: More space for rgb24 + avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width + libavcodec/lcldec: width and height should not be unsigned + avformat/imf: fix invalid resource handling + avcodec/escape124: Check that blocks are allocated before use + avcodec/huffyuvdec: Fix undefined behavior with shift + avcodec/j2kenc: Replace RGB24 special case by generic test + avcodec/j2kenc: Replace BGR48 / GRAY16 test by test for number of bits + avcodec/j2kenc: simplify pixel format setup + avcodec/j2kenc: Fix funky bpno errors on decoding + avcodec/j2kenc: remove misleading pred value + avcodec/j2kenc: fix 5/3 DWT identifer + avcodec/vp3: Check width to avoid assertion failure + avcodec/g729postfilter: Limit shift in long term filter + configure: update copyright year + Changelog: Add forgotten line + libavformat/riffec: Zero-initialize channels in ff_get_wav_header + avcodec/x86/mathops: clip constants used with shift instructions within inline assembly + avcodec/libsvtav1: use larger of bit rate and max rate for buffer size + avcodec/libsvtav1: only set max_buf_sz if both bitrate and rc_buf_sz is set + avcodec/libsvtav1: remove compressed_ten_bit_format and simplify alloc_buffer + avcodec/libsvtav1: replace vbv_bufsize with maximum_buffer_size_ms + avcodec/vdpau_mpeg4: fix order of quant matrix coefficients + 
avcodec/vdpau_mpeg12: fix order of quant matrix coefficients + avcodec/nvdec_mpeg4: fix order of quant matrix coefficients + avcodec/nvdec_mpeg2: fix order of quant matrix coefficients + fftools/ffmpeg: avoid possible invalid reads with short -tag values + avcodec/mp_cmp: reject invalid comparison function values + avcodec/aacpsy: clip global_quality within the psy_vbr_map array boundaries + avutil/wchar_filename: propagate MultiByteToWideChar() and WideCharToMultiByte() failures + avformat/concatf: check if any nodes were allocated + avcodec/nvenc: fix b-frame DTS behavior with fractional framerates + version 5.1.3: - avcodec/tests/snowenc: Fix 2nd test - avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches diff --git a/RELEASE b/RELEASE index cdb98d26e4..76e9e619d6 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -5.1.3 +5.1.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 3ab0032ea2..7f4a340498 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 5.1.3 +PROJECT_NUMBER = 5.1.4 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From ae14d9c06bcddc5d4c14de02e049f489ddbf73a4 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 13 Nov 2022 08:53:40 -0300 Subject: [PATCH 270/562] fftools/ffprobe: support 2D arrays in print_list_fmt() Should fix undefined behavior. Signed-off-by: James Almer (cherry picked from commit b119b3da1e772bcf152f487d6e39cbeea17d8f50) --- fftools/ffprobe.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/fftools/ffprobe.c b/fftools/ffprobe.c index 608d9050f7..67db1ca722 100644 --- a/fftools/ffprobe.c +++ b/fftools/ffprobe.c 
@@ -1896,12 +1896,14 @@ static void writer_register_all(void) writer_print_string(w, k, pbuf.str, 0); \ } while (0) -#define print_list_fmt(k, f, n, ...) do { \ +#define print_list_fmt(k, f, n, m, ...) do { \ av_bprint_clear(&pbuf); \ for (int idx = 0; idx < n; idx++) { \ - if (idx > 0) \ - av_bprint_chars(&pbuf, ' ', 1); \ - av_bprintf(&pbuf, f, __VA_ARGS__); \ + for (int idx2 = 0; idx2 < m; idx2++) { \ + if (idx > 0 || idx2 > 0) \ + av_bprint_chars(&pbuf, ' ', 1); \ + av_bprintf(&pbuf, f, __VA_ARGS__); \ + } \ } \ writer_print_string(w, k, pbuf.str, 0); \ } while (0) @@ -2012,7 +2014,7 @@ static void print_dovi_metadata(WriterContext *w, const AVDOVIMetadata *dovi) const AVDOVIReshapingCurve *curve = &mapping->curves[c]; writer_print_section_header(w, SECTION_ID_FRAME_SIDE_DATA_COMPONENT); - print_list_fmt("pivots", "%"PRIu16, curve->num_pivots, curve->pivots[idx]); + print_list_fmt("pivots", "%"PRIu16, curve->num_pivots, 1, curve->pivots[idx]); writer_print_section_header(w, SECTION_ID_FRAME_SIDE_DATA_PIECE_LIST); for (int i = 0; i < curve->num_pivots - 1; i++) { @@ -2024,7 +2026,7 @@ static void print_dovi_metadata(WriterContext *w, const AVDOVIMetadata *dovi) print_str("mapping_idc_name", "polynomial"); print_int("poly_order", curve->poly_order[i]); print_list_fmt("poly_coef", "%"PRIi64, - curve->poly_order[i] + 1, + curve->poly_order[i] + 1, 1, curve->poly_coef[i][idx]); break; case AV_DOVI_MAPPING_MMR: @@ -2032,8 +2034,8 @@ static void print_dovi_metadata(WriterContext *w, const AVDOVIMetadata *dovi) print_int("mmr_order", curve->mmr_order[i]); print_int("mmr_constant", curve->mmr_constant[i]); print_list_fmt("mmr_coef", "%"PRIi64, - curve->mmr_order[i] * 7, - curve->mmr_coef[i][0][idx]); + curve->mmr_order[i], 7, + curve->mmr_coef[i][idx][idx2]); break; default: print_str("mapping_idc_name", "unknown"); 
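Review bot: The reworked `print_list_fmt` macro uses its `n` and `m` arguments unparenthesised in `idx < n` and `idx2 < m`, and re-evaluates both on every iteration. The callers in this patch pass expressions such as `curve->poly_order[i] + 1`, which happen to bind correctly, but `idx < (n)` and `idx2 < (m)` would make the macro safe for any argument. The macro also depends on the caller's format arguments naming the macro-local `idx` and `idx2`. A short comment above it, saying that `__VA_ARGS__` is expanded inside both loops and may reference `idx` (outer) and `idx2` (inner), would document that contract.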
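Review bot: The `mmr_coef` call hard-codes the inner dimension as `7`, so the loop bound and the array declaration can drift apart silently. FF_ARRAY_ELEMS is already used for the matrix calls further down, so `FF_ARRAY_ELEMS(curve->mmr_coef[i][0])` in place of `7` would tie the bound to the type. The outer bound `curve->mmr_order[i]` comes from the side data and is not range-checked here. Presumably whatever fills the AVDOVIMetadata limits it to the middle dimension of `mmr_coef`, but that is not visible in this hunk and is worth confirming, because an oversized value would index past the array. print_dovi_metadata continues outside the hunk.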
@@ -2071,15 +2073,15 @@ static void print_dovi_metadata(WriterContext *w, const AVDOVIMetadata *dovi) print_int("dm_metadata_id", color->dm_metadata_id); print_int("scene_refresh_flag", color->scene_refresh_flag); print_list_fmt("ycc_to_rgb_matrix", "%d/%d", - FF_ARRAY_ELEMS(color->ycc_to_rgb_matrix), + FF_ARRAY_ELEMS(color->ycc_to_rgb_matrix), 1, color->ycc_to_rgb_matrix[idx].num, color->ycc_to_rgb_matrix[idx].den); print_list_fmt("ycc_to_rgb_offset", "%d/%d", - FF_ARRAY_ELEMS(color->ycc_to_rgb_offset), + FF_ARRAY_ELEMS(color->ycc_to_rgb_offset), 1, color->ycc_to_rgb_offset[idx].num, color->ycc_to_rgb_offset[idx].den); print_list_fmt("rgb_to_lms_matrix", "%d/%d", - FF_ARRAY_ELEMS(color->rgb_to_lms_matrix), + FF_ARRAY_ELEMS(color->rgb_to_lms_matrix), 1, color->rgb_to_lms_matrix[idx].num, color->rgb_to_lms_matrix[idx].den); print_int("signal_eotf", color->signal_eotf); From dd885ab2f5060eaedbfca6d590db44fa9547dd99 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 14 Sep 2023 16:46:47 +0200 Subject: [PATCH 271/562] fftools/ffmpeg_enc: apply -top to individual encoded frames Fixes #9339. (Adapted from commit 43a0004b5c23dd8258cfe723a5c4e9fd9ee8f5ef) --- fftools/ffmpeg.c | 3 +++ tests/ref/fate/concat-demuxer-extended-lavf-mxf_d10 | 2 +- tests/ref/fate/concat-demuxer-simple1-lavf-mxf_d10 | 2 +- tests/ref/lavf/mxf_d10 | 2 +- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index e7384f052a..02afbc65ea 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -1278,6 +1278,9 @@ static void do_video_out(OutputFile *of, av_log(NULL, AV_LOG_DEBUG, "Forced keyframe at time %f\n", pts_time); } + if (ost->top_field_first >= 0) + in_picture->top_field_first = !!ost->top_field_first; + ret = encode_frame(of, ost, in_picture); if (ret < 0) exit_program(1); diff --git a/tests/ref/fate/concat-demuxer-extended-lavf-mxf_d10 b/tests/ref/fate/concat-demuxer-extended-lavf-mxf_d10 index 57b22848b9..a77d888b1f 100644 
--- a/tests/ref/fate/concat-demuxer-extended-lavf-mxf_d10 +++ b/tests/ref/fate/concat-demuxer-extended-lavf-mxf_d10 @@ -1 +1 @@ -1fac6962d4c5f1070d0d2db5ab7d86aa *tests/data/fate/concat-demuxer-extended-lavf-mxf_d10.ffprobe +76685555ca5598fb666d3945cd264f9d *tests/data/fate/concat-demuxer-extended-lavf-mxf_d10.ffprobe diff --git a/tests/ref/fate/concat-demuxer-simple1-lavf-mxf_d10 b/tests/ref/fate/concat-demuxer-simple1-lavf-mxf_d10 index 8937724ed1..b72551d36c 100644 --- a/tests/ref/fate/concat-demuxer-simple1-lavf-mxf_d10 +++ b/tests/ref/fate/concat-demuxer-simple1-lavf-mxf_d10 @@ -68,5 +68,5 @@ video|0|33|1.320000|33|1.320000|1|0.040000|150000|1711104|K_|1|Strings Metadata audio|1|63360|1.320000|63360|1.320000|1920|0.040000|7680|1861632|K_|1|Strings Metadata video|0|34|1.360000|34|1.360000|1|0.040000|150000|1924096|K_|1|Strings Metadata audio|1|65280|1.360000|65280|1.360000|1920|0.040000|7680|2074624|K_|1|Strings Metadata -0|mpeg2video|0|video|[0][0][0][0]|0x0000|720|608|0|0|0|0|0|1:1|45:38|yuv422p|5|tv|unknown|unknown|unknown|topleft|tb|1|N/A|25/1|25/1|1/25|0|0.000000|N/A|N/A|30000000|N/A|N/A|N/A|N/A|35|22|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0x060A2B340101010501010D001300000000000000000000000000000000000001|CPB properties|30000000|0|0|1212416|-1 +0|mpeg2video|0|video|[0][0][0][0]|0x0000|720|608|0|0|0|0|0|1:1|45:38|yuv422p|5|tv|unknown|unknown|unknown|topleft|tt|1|N/A|25/1|25/1|1/25|0|0.000000|N/A|N/A|30000000|N/A|N/A|N/A|N/A|35|22|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0x060A2B340101010501010D001300000000000000000000000000000000000001|CPB properties|30000000|0|0|1212416|-1 1|pcm_s16le|unknown|audio|[0][0][0][0]|0x0000|s16|48000|2|unknown|16|N/A|0/0|0/0|1/48000|0|0.000000|N/A|N/A|1536000|N/A|N/A|N/A|N/A|35|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0x060A2B340101010501010D001300000000000000000000000000000000000001 diff --git a/tests/ref/lavf/mxf_d10 b/tests/ref/lavf/mxf_d10 index 4644c3424d..191e9f877c 100644 --- a/tests/ref/lavf/mxf_d10 +++ b/tests/ref/lavf/mxf_d10 
@@ -1,3 +1,3 @@ -74269c0a64b19269b127f64f3ce7fa6a *tests/data/lavf/lavf.mxf_d10 +963758bdb2a5d64f4e68c205fc5aba96 *tests/data/lavf/lavf.mxf_d10 5332013 tests/data/lavf/lavf.mxf_d10 tests/data/lavf/lavf.mxf_d10 CRC=0x6c74d488 From c36c91900f938f09f05ae940ba9e52a5a2d8d5a3 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 6 Feb 2024 19:50:33 -0300 Subject: [PATCH 272/562] avcodec/nvdec: don't free NVDECContext->bitstream Ensure all hwaccels that allocate a buffer use NVDECContext->bitstream_internal instead. Otherwise, if FFHWAccel->end_frame() isn't called before FFHWAccel->uninit(), an attempt to free a stale pointer to memory not owned by the hwaccel could take place. Reviewed-by: Timo Rothenpieler Signed-off-by: James Almer --- libavcodec/nvdec.c | 2 +- libavcodec/nvdec_h264.c | 4 ++-- libavcodec/nvdec_hevc.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/nvdec.c b/libavcodec/nvdec.c index edff46d310..d54b8669a9 100644 --- a/libavcodec/nvdec.c +++ b/libavcodec/nvdec.c @@ -264,8 +264,8 @@ int ff_nvdec_decode_uninit(AVCodecContext *avctx) { NVDECContext *ctx = avctx->internal->hwaccel_priv_data; - av_freep(&ctx->bitstream); av_freep(&ctx->bitstream_internal); + ctx->bitstream = NULL; ctx->bitstream_len = 0; ctx->bitstream_allocated = 0; diff --git a/libavcodec/nvdec_h264.c b/libavcodec/nvdec_h264.c index 116bd4fb5d..a9ccd6d53b 100644 --- a/libavcodec/nvdec_h264.c +++ b/libavcodec/nvdec_h264.c 
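Review bot: With `av_freep(&ctx->bitstream)` removed from ff_nvdec_decode_uninit, `ctx->bitstream` becomes a borrowed pointer and `ctx->bitstream_internal` the only owned one, but nothing in the code states that ownership rule. This patch converts the H.264 and HEVC slice paths. Any other hwaccel that still grows `ctx->bitstream` directly with av_fast_realloc would now leak its buffer at uninit, so the remaining nvdec users are worth checking (they are not visible here). A comment next to the two assignments, e.g. `/* bitstream may point at caller-owned data; only bitstream_internal is freed */`, would keep a later change from reintroducing the free of a stale pointer.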
@@ -137,11 +137,11 @@ static int nvdec_h264_decode_slice(AVCodecContext *avctx, const uint8_t *buffer, const H264SliceContext *sl = &h->slice_ctx[0]; void *tmp; - tmp = av_fast_realloc(ctx->bitstream, &ctx->bitstream_allocated, + tmp = av_fast_realloc(ctx->bitstream_internal, &ctx->bitstream_allocated, ctx->bitstream_len + size + 3); if (!tmp) return AVERROR(ENOMEM); - ctx->bitstream = tmp; + ctx->bitstream = ctx->bitstream_internal = tmp; tmp = av_fast_realloc(ctx->slice_offsets, &ctx->slice_offsets_allocated, (ctx->nb_slices + 1) * sizeof(*ctx->slice_offsets)); diff --git a/libavcodec/nvdec_hevc.c b/libavcodec/nvdec_hevc.c index 590278ba04..1f2b5ae9d0 100644 --- a/libavcodec/nvdec_hevc.c +++ b/libavcodec/nvdec_hevc.c @@ -273,11 +273,11 @@ static int nvdec_hevc_decode_slice(AVCodecContext *avctx, const uint8_t *buffer, NVDECContext *ctx = avctx->internal->hwaccel_priv_data; void *tmp; - tmp = av_fast_realloc(ctx->bitstream, &ctx->bitstream_allocated, + tmp = av_fast_realloc(ctx->bitstream_internal, &ctx->bitstream_allocated, ctx->bitstream_len + size + 3); if (!tmp) return AVERROR(ENOMEM); - ctx->bitstream = tmp; + ctx->bitstream = ctx->bitstream_internal = tmp; tmp = av_fast_realloc(ctx->slice_offsets, &ctx->slice_offsets_allocated, (ctx->nb_slices + 1) * sizeof(*ctx->slice_offsets)); From f4718511690a6ee6295b4bdd421dee54329a5e88 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 29 Jan 2024 19:58:18 +0100 Subject: [PATCH 273/562] avformat/mov_chan: do not assume channels are in native order Existing code could have caused wrong channel order signalling or reduced channel count if a channel designation appeared multiple times. This is actually an old bug, but the conversion to the new channel layout API made it visible, because now the code overrides the proper channel count with the one calculated from the mask. 
Signed-off-by: Marton Balint (cherry picked from commit 3d3cad7483785191b99557c78d5a4a551088c549) --- libavformat/mov_chan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c index 5b757c6a8a..5863018a79 100644 --- a/libavformat/mov_chan.c +++ b/libavformat/mov_chan.c @@ -534,7 +534,7 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st, size -= 20; if (layout_tag == 0) { uint64_t mask_incr = mov_get_channel_mask(label); - if (mask_incr == 0) { + if (mask_incr == 0 || mask_incr <= label_mask) { label_mask = 0; break; } From 352fe0d4bf09b170245787fab1d70878b01aeb3d Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 29 Jan 2024 20:15:28 +0100 Subject: [PATCH 274/562] avformat/mov_chan: never override number of channels based on chan atom The channel designation metadata should not override the number of channels. Let's warn the user if it is inconsistent, and keep the channel layout unspecified. Before the conversion to the channel layout API the code only set the mask, but never overridden the channel count, so this restores the old behaviour. Signed-off-by: Marton Balint (cherry picked from commit dc9d64f7941f5b071283e16fa56e3af86e5c84d6) --- libavformat/mov_chan.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c index 5863018a79..dc26399eee 100644 --- a/libavformat/mov_chan.c +++ b/libavformat/mov_chan.c 
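Review bot: The added `mask_incr <= label_mask` test in ff_mov_read_chan encodes a non-obvious invariant: each label must map to a mask bit strictly above everything accumulated so far. Both a repeated designation and labels out of native order therefore fall back to `label_mask = 0`. That reasoning lives only in the commit message; a comment on the condition, e.g. `/* duplicate or out-of-order label: cannot be expressed as a native mask */`, would keep it next to the code. The surrounding loop is outside the hunk, so this reading assumes `label_mask` accumulates the bits returned by mov_get_channel_mask().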
@@ -548,8 +548,13 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st, mask = mov_get_channel_layout(layout_tag, bitmap); if (mask) { - av_channel_layout_uninit(&st->codecpar->ch_layout); - av_channel_layout_from_mask(&st->codecpar->ch_layout, mask); + if (!st->codecpar->ch_layout.nb_channels || av_popcount64(mask) == st->codecpar->ch_layout.nb_channels) { + av_channel_layout_uninit(&st->codecpar->ch_layout); + av_channel_layout_from_mask(&st->codecpar->ch_layout, mask); + } else { + av_log(s, AV_LOG_WARNING, "ignoring channel layout with %d channels because the real number of channels is %d\n", + av_popcount64(mask), st->codecpar->ch_layout.nb_channels); + } } avio_skip(pb, size - 12); From 9bf90b12602845b1a07a4ba4e7452d9229195df5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Tue, 20 Feb 2024 20:00:16 +0200 Subject: [PATCH 275/562] avcodec/av1dec: fix matrix coefficients exposed by codec context `colorspace` in avcodec terms means `matrix coefficients`. Reviewed-by: James Almer (cherry picked from commit 37936b09ce316c32c456539afeb748d472088135) --- libavcodec/av1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index dd83373dd6..9cd5fcbb29 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c @@ -675,7 +675,7 @@ static int set_context_with_sequence(AVCodecContext *avctx, avctx->color_range = seq->color_config.color_range ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG; avctx->color_primaries = seq->color_config.color_primaries; - avctx->colorspace = seq->color_config.color_primaries; + avctx->colorspace = seq->color_config.matrix_coefficients; avctx->color_trc = seq->color_config.transfer_characteristics; switch (seq->color_config.chroma_sample_position) { From b0c647d1d9214c15c35325f884759eddf2e4558e Mon Sep 17 00:00:00 2001 
From: Marton Balint Date: Fri, 16 Feb 2024 20:13:43 +0100 Subject: [PATCH 276/562] avformat/mxfdec: move resolving Descriptors to the multi descriptor resolve function Also remove unused descriptor member from MXFPackage. Signed-off-by: Marton Balint (cherry picked from commit 41672f558673151e77798f8a184fc1d3e60b16b9) --- libavformat/mxfdec.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 5185fb6cc4..bbcc5643c5 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -257,7 +257,6 @@ typedef struct MXFPackage { UID package_ul; UID *tracks_refs; int tracks_count; - MXFDescriptor *descriptor; /* only one */ UID descriptor_ref; char *name; UID *comment_refs; @@ -2202,11 +2201,12 @@ static MXFPackage* mxf_resolve_source_package(MXFContext *mxf, UID package_ul, U return NULL; } -static MXFDescriptor* mxf_resolve_multidescriptor(MXFContext *mxf, MXFDescriptor *descriptor, int track_id) +static MXFDescriptor* mxf_resolve_descriptor(MXFContext *mxf, UID *strong_ref, int track_id) { - MXFDescriptor *file_descriptor = NULL; + MXFDescriptor *descriptor, *file_descriptor = NULL; int i; + descriptor = mxf_resolve_strong_ref(mxf, strong_ref, AnyType); if (!descriptor) return NULL; @@ -2709,8 +2709,7 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) st->id = material_track->track_id; st->priv_data = source_track; - source_package->descriptor = mxf_resolve_strong_ref(mxf, &source_package->descriptor_ref, AnyType); - descriptor = mxf_resolve_multidescriptor(mxf, source_package->descriptor, source_track->track_id); + descriptor = mxf_resolve_descriptor(mxf, &source_package->descriptor_ref, source_track->track_id); /* A SourceClip from a EssenceGroup may only be a single frame of essence data. The clips duration is then how many * frames its suppose to repeat for. Descriptor->duration, if present, contains the real duration of the essence data */ 
From 68f0e9645d6804015a5e0c2c0560fdfe0425e902 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Fri, 16 Feb 2024 21:53:16 +0100 Subject: [PATCH 277/562] avformat/mxfdec: do not use AnyType when resolving Descriptors and MultipleDescriptors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit By using AnyType for resolving a strong reference we searched among all types, not just the ones which can be the target of the reference, which in some cases caused to find the wrong type, if the metadata set UUIDs were not unique. UUIDs do not have to be unique if their type sets them apart, SMPTE 377M says: > StrongRef: 'One to One’ relationship between sets and implemented in MXF > with UUIDs. Strong References are typed which means that the definition > identifies the kind of set which is the target of the reference. Fixes ticket #10865. Signed-off-by: Marton Balint (cherry picked from commit 68f2b32ef2b29aa95488531b007adde92ca82165) --- libavformat/mxfdec.c | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index bbcc5643c5..d6a0200ad9 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -2203,16 +2203,14 @@ static MXFPackage* mxf_resolve_source_package(MXFContext *mxf, UID package_ul, U static MXFDescriptor* mxf_resolve_descriptor(MXFContext *mxf, UID *strong_ref, int track_id) { - MXFDescriptor *descriptor, *file_descriptor = NULL; - int i; + MXFDescriptor *descriptor = mxf_resolve_strong_ref(mxf, strong_ref, Descriptor); + if (descriptor) + return descriptor; - descriptor = mxf_resolve_strong_ref(mxf, strong_ref, AnyType); - if (!descriptor) - return NULL; - - if (descriptor->meta.type == MultipleDescriptor) { - for (i = 0; i < descriptor->file_descriptors_count; i++) { - file_descriptor = mxf_resolve_strong_ref(mxf, &descriptor->file_descriptors_refs[i], Descriptor); + descriptor = mxf_resolve_strong_ref(mxf, strong_ref, MultipleDescriptor); + if (descriptor) { + for (int i = 0; i < descriptor->file_descriptors_count; i++) { + MXFDescriptor *file_descriptor = mxf_resolve_strong_ref(mxf, &descriptor->file_descriptors_refs[i], Descriptor); if (!file_descriptor) { av_log(mxf->fc, AV_LOG_ERROR, "could not resolve file descriptor strong ref\n"); @@ -2222,8 +2220,7 @@ static MXFDescriptor* mxf_resolve_descriptor(MXFContext *mxf, UID *strong_ref, i return file_descriptor; } } - } else if (descriptor->meta.type == Descriptor) - return descriptor; + } return NULL; } From 995e7f43a7a2a10b667df30470384e1c0aba5573 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 20 Feb 2024 22:34:37 +0100 Subject: [PATCH 278/562] avformat/libsrt: use SRT_EPOLL_IN for waiting for an incoming connection This is the proper poll mode for waiting for an incoming connection according to the SRT API docs. Fixes ticket #9142. Signed-off-by: Marton Balint (cherry picked from commit 87677c2195e86b126c3438439a05d0a46ae5bb50) --- libavformat/libsrt.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/libavformat/libsrt.c b/libavformat/libsrt.c index cd8f5b1e7d..1fb97392c3 100644 --- a/libavformat/libsrt.c +++ b/libavformat/libsrt.c 
@@ -249,7 +249,7 @@ static int libsrt_listen(int eid, int fd, const struct sockaddr *addr, socklen_t if (srt_listen(fd, 1)) return libsrt_neterrno(h); - ret = libsrt_network_wait_fd_timeout(h, eid, 1, timeout, &h->interrupt_callback); + ret = libsrt_network_wait_fd_timeout(h, eid, 0, timeout, &h->interrupt_callback); if (ret < 0) return ret; @@ -390,7 +390,7 @@ static int libsrt_setup(URLContext *h, const char *uri, int flags) char hostname[1024],proto[1024],path[1024]; char portstr[10]; int64_t open_timeout = 0; - int eid, write_eid; + int eid; av_url_split(proto, sizeof(proto), NULL, 0, hostname, sizeof(hostname), &port, path, sizeof(path), uri); @@ -454,18 +454,21 @@ static int libsrt_setup(URLContext *h, const char *uri, int flags) if (libsrt_socket_nonblock(fd, 1) < 0) av_log(h, AV_LOG_DEBUG, "libsrt_socket_nonblock failed\n"); - ret = write_eid = libsrt_epoll_create(h, fd, 1); - if (ret < 0) - goto fail1; if (s->mode == SRT_MODE_LISTENER) { + int read_eid = ret = libsrt_epoll_create(h, fd, 0); + if (ret < 0) + goto fail1; // multi-client - ret = libsrt_listen(write_eid, fd, cur_ai->ai_addr, cur_ai->ai_addrlen, h, s->listen_timeout); - srt_epoll_release(write_eid); + ret = libsrt_listen(read_eid, fd, cur_ai->ai_addr, cur_ai->ai_addrlen, h, s->listen_timeout); + srt_epoll_release(read_eid); if (ret < 0) goto fail1; srt_close(fd); fd = ret; } else { + int write_eid = ret = libsrt_epoll_create(h, fd, 1); + if (ret < 0) + goto fail1; if (s->mode == SRT_MODE_RENDEZVOUS) { if (srt_bind(fd, cur_ai->ai_addr, cur_ai->ai_addrlen)) { ret = libsrt_neterrno(h); From 25c1d8cbcf2dfd3469466738bebfa22bb92034be Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 17 Feb 2024 00:06:03 +0100 Subject: [PATCH 279/562] avformat/mxfdec: remove resolve_strong_ref usage with AnyType UUIDs do not have to be unique if their type sets them apart, so avoid using AnyType, since we are only interested in specific types. 
Signed-off-by: Marton Balint (cherry picked from commit aa299faa9ad2b01010acc4641b1f215d60a1336b) --- libavformat/mxf.h | 3 +-- libavformat/mxfdec.c | 54 ++++++++++++++++---------------------------- 2 files changed, 20 insertions(+), 37 deletions(-) diff --git a/libavformat/mxf.h b/libavformat/mxf.h index 4d9f5119a3..1bbefad7af 100644 --- a/libavformat/mxf.h +++ b/libavformat/mxf.h @@ -30,8 +30,7 @@ typedef AVUUID UID; enum MXFMetadataSetType { - AnyType, - MaterialPackage, + MaterialPackage = 1, SourcePackage, SourceClip, TimecodeComponent, diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index d6a0200ad9..446beab7f4 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1546,7 +1546,7 @@ static void *mxf_resolve_strong_ref(MXFContext *mxf, UID *strong_ref, enum MXFMe return NULL; for (i = mxf->metadata_sets_count - 1; i >= 0; i--) { if (!memcmp(*strong_ref, mxf->metadata_sets[i]->uid, 16) && - (type == AnyType || mxf->metadata_sets[i]->type == type)) { + (mxf->metadata_sets[i]->type == type)) { return mxf->metadata_sets[i]; } } 
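Review bot: `MaterialPackage = 1` in enum MXFMetadataSetType silently reserves 0 as "no type". The read-table entries changed later in this patch rely on that when they omit the type field (the mxf_read_content_storage entry and the all-zero terminator). Nothing at the enum says so, and inserting a new enumerator ahead of MaterialPackage without the explicit value would hand 0 back to a real type. A comment on that line, such as `/* 0 is reserved for read-table entries without a metadata set type */`, would record it. In the mxf_resolve_strong_ref hunk the parentheses left around `mxf->metadata_sets[i]->type == type` are now redundant.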
@@ -2166,22 +2166,17 @@ static int mxf_add_timecode_metadata(AVDictionary **pm, const char *key, AVTimec static MXFTimecodeComponent* mxf_resolve_timecode_component(MXFContext *mxf, UID *strong_ref) { - MXFStructuralComponent *component = NULL; - MXFPulldownComponent *pulldown = NULL; + MXFTimecodeComponent *timecode; + MXFPulldownComponent *pulldown; - component = mxf_resolve_strong_ref(mxf, strong_ref, AnyType); - if (!component) - return NULL; + timecode = mxf_resolve_strong_ref(mxf, strong_ref, TimecodeComponent); + if (timecode) + return timecode; - switch (component->meta.type) { - case TimecodeComponent: - return (MXFTimecodeComponent*)component; - case PulldownComponent: /* timcode component may be located on a pulldown component */ - pulldown = (MXFPulldownComponent*)component; + pulldown = mxf_resolve_strong_ref(mxf, strong_ref, PulldownComponent); + if (pulldown) return mxf_resolve_strong_ref(mxf, &pulldown->input_segment_ref, TimecodeComponent); - default: - break; - } + return NULL; } @@ -2225,14 +2220,20 @@ static MXFDescriptor* mxf_resolve_descriptor(MXFContext *mxf, UID *strong_ref, i return NULL; } -static MXFStructuralComponent* mxf_resolve_essence_group_choice(MXFContext *mxf, MXFEssenceGroup *essence_group) +static MXFStructuralComponent* mxf_resolve_sourceclip(MXFContext *mxf, UID *strong_ref) { MXFStructuralComponent *component = NULL; MXFPackage *package = NULL; MXFDescriptor *descriptor = NULL; + MXFEssenceGroup *essence_group; int i; - if (!essence_group || !essence_group->structural_components_count) + component = mxf_resolve_strong_ref(mxf, strong_ref, SourceClip); + if (component) + return component; + + essence_group = mxf_resolve_strong_ref(mxf, strong_ref, EssenceGroup); + if (!essence_group) return NULL; /* essence groups contains multiple representations of the same media, 
@@ -2249,24 +2250,7 @@ static MXFStructuralComponent* mxf_resolve_essence_group_choice(MXFContext *mxf, if (descriptor) return component; } - return NULL; -} -static MXFStructuralComponent* mxf_resolve_sourceclip(MXFContext *mxf, UID *strong_ref) -{ - MXFStructuralComponent *component = NULL; - - component = mxf_resolve_strong_ref(mxf, strong_ref, AnyType); - if (!component) - return NULL; - switch (component->meta.type) { - case SourceClip: - return component; - case EssenceGroup: - return mxf_resolve_essence_group_choice(mxf, (MXFEssenceGroup*) component); - default: - break; - } return NULL; } @@ -3146,7 +3130,7 @@ static const MXFMetadataReadTableEntry mxf_metadata_read_table[] = { { { 0x06,0x0e,0x2b,0x34,0x02,0x05,0x01,0x01,0x0d,0x01,0x02,0x01,0x01,0x04,0x04,0x00 }, mxf_read_partition_pack }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x2f,0x00 }, mxf_read_preface_metadata }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x30,0x00 }, mxf_read_identification_metadata }, - { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x18,0x00 }, mxf_read_content_storage, 0, AnyType }, + { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x18,0x00 }, mxf_read_content_storage }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x37,0x00 }, mxf_read_package, sizeof(MXFPackage), SourcePackage }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x36,0x00 }, mxf_read_package, sizeof(MXFPackage), MaterialPackage }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x0f,0x00 }, mxf_read_sequence, sizeof(MXFSequence), Sequence }, 
@@ -3174,7 +3158,7 @@ static const MXFMetadataReadTableEntry mxf_metadata_read_table[] = { { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x04,0x01,0x02,0x02,0x00,0x00 }, mxf_read_cryptographic_context, sizeof(MXFCryptoContext), CryptoContext }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x02,0x01,0x01,0x10,0x01,0x00 }, mxf_read_index_table_segment, sizeof(MXFIndexTableSegment), IndexTableSegment }, { { 0x06,0x0e,0x2b,0x34,0x02,0x53,0x01,0x01,0x0d,0x01,0x01,0x01,0x01,0x01,0x23,0x00 }, mxf_read_essence_container_data, sizeof(MXFEssenceContainerData), EssenceContainerData }, - { { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, NULL, 0, AnyType }, + { { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, NULL }, }; static int mxf_metadataset_init(MXFMetadataSet *ctx, enum MXFMetadataSetType type, MXFPartition *partition) From ef327c189f3a4b6e1d3bdbb5269284ff3fa32d03 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 27 Feb 2024 10:31:31 +0100 Subject: [PATCH 280/562] swresample/resample: fix rounding errors with filter_size=1 and phase_shift=0 Depending on input chunk size noticable corrpution was hearable, here is an example command line: ffplay -f lavfi -i "sine=440:r=8000:samples_per_frame=32,aresample=24000:filter_size=1:phase_shift=0" Fix this by rounding the fixed point fractions up instead of down. Signed-off-by: Marton Balint (cherry picked from commit 7b1b9bb31f04fb9ba06e79c767c1084f0e229bb6) --- libswresample/resample.c | 4 ++-- tests/fate/libswresample.mak | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libswresample/resample.c b/libswresample/resample.c index 8f9efc3f21..a91c925574 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c 
@@ -461,8 +461,8 @@ static int multiple_resample(ResampleContext *c, AudioData *dst, int dst_size, A *consumed = 0; if (c->filter_length == 1 && c->phase_count == 1) { - int64_t index2= (1LL<<32)*c->frac/c->src_incr + (1LL<<32)*c->index; - int64_t incr= (1LL<<32) * c->dst_incr / c->src_incr; + int64_t index2= (1LL<<32)*c->frac/c->src_incr + (1LL<<32)*c->index + 1; + int64_t incr= (1LL<<32) * c->dst_incr / c->src_incr + 1; int new_size = (src_size * (int64_t)c->src_incr - c->frac + c->dst_incr - 1) / c->dst_incr; dst_size = FFMAX(FFMIN(dst_size, new_size), 0); diff --git a/tests/fate/libswresample.mak b/tests/fate/libswresample.mak index f2108016af..82d5ec4bf9 100644 --- a/tests/fate/libswresample.mak +++ b/tests/fate/libswresample.mak @@ -347,13 +347,13 @@ endef fate-swr-resample_nn-fltp-44100-8000: CMP_TARGET = 591.03 fate-swr-resample_nn-fltp-44100-8000: SIZE_TOLERANCE = 529200 - 20486 -fate-swr-resample_nn-fltp-8000-44100: CMP_TARGET = 3163.32 +fate-swr-resample_nn-fltp-8000-44100: CMP_TARGET = 3156.61 fate-swr-resample_nn-fltp-8000-44100: SIZE_TOLERANCE = 96000 - 20480 fate-swr-resample_nn-s16p-44100-8000: CMP_TARGET = 590.98 fate-swr-resample_nn-s16p-44100-8000: SIZE_TOLERANCE = 529200 - 20486 -fate-swr-resample_nn-s16p-8000-44100: CMP_TARGET = 3163.39 +fate-swr-resample_nn-s16p-8000-44100: CMP_TARGET = 3156.61 fate-swr-resample_nn-s16p-8000-44100: SIZE_TOLERANCE = 96000 - 20480 define ARESAMPLE_ASYNC From 7852c24b24e6da945fe9baf645d4bca31dfae878 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 18 Mar 2024 21:07:20 +0100 Subject: [PATCH 281/562] fftools/ffplay: use correct buffersink channel layout parameters Regression since 0995e1f1b31f6e937a1b527407ed3e850f138098. Signed-off-by: Marton Balint (cherry picked from commit 7251f909721a570726775acf61b2b9c28a950c76) --- fftools/ffplay.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index 9242047f5c..846a763088 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c 
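Review bot: The `+ 1` added to `index2` and `incr` in the `c->filter_length == 1 && c->phase_count == 1` branch has no comment, and it is a bias rather than a true round-up, since it is also added when the division by `c->src_incr` is exact. Without a note the next cleanup is likely to remove it again. I would add `/* +1: round the 32.32 fixed-point fraction up instead of down, see filter_size=1:phase_shift=0 */` above the two declarations. The loop that consumes `index2` is outside the hunk, so the wording should be checked against it.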
@@ -1992,6 +1992,8 @@ static int configure_audio_filters(VideoState *is, const char *afilters, int for goto end; if (force_output_format) { + av_bprint_clear(&bp); + av_channel_layout_describe_bprint(&is->audio_tgt.ch_layout, &bp); sample_rates [0] = is->audio_tgt.freq; if ((ret = av_opt_set_int(filt_asink, "all_channel_counts", 0, AV_OPT_SEARCH_CHILDREN)) < 0) goto end; From 4ee74fc46d14dbacbdc8d4a13a2dfc61a2b7df35 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 26 Mar 2024 21:11:20 -0300 Subject: [PATCH 282/562] avformat/mov: don't abort on duplicate Mastering Display Metadata boxes The VP9 spec defines a SmDm box for this information, and the ISOBMFF spec defines a mdvc one. If both are present, just ignore one of them. This is in line with clli and CoLL boxes. Fixes ticket #10711. Signed-off-by: James Almer (cherry picked from commit 189c32f53659b8f9dc402765905fc12a321ab1ac) --- libavformat/mov.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ee4b62aa0c..acde75d9ff 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5622,8 +5622,10 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } - if (sc->mastering) - return AVERROR_INVALIDDATA; + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Metadata\n"); + return 0; + } avio_skip(pb, 3); /* flags */ 
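Review bot: The return value of `av_channel_layout_describe_bprint()` is dropped in the lines added under `if (force_output_format)`, while the neighbouring calls in this function are all checked with `if ((ret = ...) < 0) goto end;`. The hunk does not show where `bp` is consumed, so a failed description would presumably still be handed on as the sink's layout string. I would write `if ((ret = av_channel_layout_describe_bprint(&is->audio_tgt.ch_layout, &bp)) < 0) goto end;`. configure_audio_filters continues outside the hunk.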
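Review bot: Neither duplicate branch states which box wins, and because SmDm and mdcv both fill `sc->mastering`, the surviving metadata depends on box order in the file. A one-line comment on the new `if (sc->mastering)` block in mov_read_smdm, and the same in mov_read_mdcv in the following hunk, would make the policy explicit: `/* first Mastering Display box wins; later SmDm/mdcv boxes are ignored */`. Each ignored box is logged at warning level, so a file that repeats the box many times produces one warning per repeat, which is worth a conscious decision for input that is not trusted.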
@@ -5660,11 +5662,16 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data; - if (atom.size < 24 || sc->mastering) { + if (atom.size < 24) { av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume box\n"); return AVERROR_INVALIDDATA; } + if (sc->mastering) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate Mastering Display Color Volume\n"); + return 0; + } + sc->mastering = av_mastering_display_metadata_alloc(); if (!sc->mastering) return AVERROR(ENOMEM); From 82abc7af817ea118aaadb6adf911f78cdff75c46 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sat, 30 Mar 2024 00:12:03 +0100 Subject: [PATCH 283/562] avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer --- libavcodec/nvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/nvdec.c b/libavcodec/nvdec.c index d54b8669a9..76904b801a 100644 --- a/libavcodec/nvdec.c +++ b/libavcodec/nvdec.c @@ -668,6 +668,8 @@ int ff_nvdec_simple_end_frame(AVCodecContext *avctx) NVDECContext *ctx = avctx->internal->hwaccel_priv_data; int ret = ff_nvdec_end_frame(avctx); ctx->bitstream = NULL; + ctx->bitstream_len = 0; + ctx->nb_slices = 0; return ret; } From 66430bf110b29b0b3fb8b47773572cbf70d45100 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 18 Mar 2024 21:56:58 +0100 Subject: [PATCH 284/562] avfilter/af_channelmap: fix error message if FL source channel was missing FL channel ID is 0, so for an unset value we must check for ID < 0. Regression since 1f96db959c1235bb7079d354e09914a0a2608f62. Signed-off-by: Marton Balint (cherry picked from commit 9a5627ea9a213c4929020ee8c90bae74788f645c) --- libavfilter/af_channelmap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_channelmap.c b/libavfilter/af_channelmap.c index eb173d20c4..dd323b992b 100644 --- a/libavfilter/af_channelmap.c +++ b/libavfilter/af_channelmap.c 
@@ -167,7 +167,7 @@ static av_cold int channelmap_init(AVFilterContext *ctx) for (i = 0; i < map_entries; i++) { int in_ch_idx = -1, out_ch_idx = -1; - int in_ch = 0, out_ch = 0; + int in_ch = -1, out_ch = -1; static const char err[] = "Failed to parse channel map\n"; switch (mode) { case MAP_ONE_INT: @@ -382,7 +382,7 @@ static int channelmap_config_input(AVFilterLink *inlink) if (m->in_channel_idx < 0 || m->in_channel_idx >= nb_channels) { av_channel_layout_describe(&inlink->ch_layout, layout_name, sizeof(layout_name)); - if (m->in_channel) { + if (m->in_channel >= 0) { av_channel_name(channel_name, sizeof(channel_name), m->in_channel); av_log(ctx, AV_LOG_ERROR, "input channel '%s' not available from input layout '%s'\n", From 59dccea6ef8fb2cb649b02a65eeec0b5ce461837 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 18 Mar 2024 22:08:54 +0100 Subject: [PATCH 285/562] avfilter/af_channelmap: fix mapping if in_channel was a string but out_channel was not specified In this case in_channel_idx was never set and the default 0 was used. Suprisingly no one noticed that the respective fate test output was wrong. Signed-off-by: Marton Balint (cherry picked from commit 1bea3e9ee2f3521182eea6066fc8e8e1f8910c5b) --- libavfilter/af_channelmap.c | 2 +- tests/fate/filter-audio.mak | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_channelmap.c b/libavfilter/af_channelmap.c index dd323b992b..aa2468f941 100644 --- a/libavfilter/af_channelmap.c +++ b/libavfilter/af_channelmap.c @@ -375,7 +375,7 @@ static int channelmap_config_input(AVFilterLink *inlink) for (i = 0; i < s->nch; i++) { struct ChannelMap *m = &s->map[i]; - if (s->mode == MAP_PAIR_STR_INT || s->mode == MAP_PAIR_STR_STR) { + if (s->mode == MAP_PAIR_STR_INT || s->mode == MAP_PAIR_STR_STR || s->mode == MAP_ONE_STR) { m->in_channel_idx = av_channel_layout_index_from_channel( &inlink->ch_layout, m->in_channel); } 
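Review bot: The unset marker is written as a bare `-1` in channelmap_init and tested as `>= 0` in channelmap_config_input, so the two hunks depend on each other through an undocumented convention. libavutil already names this value `AV_CHAN_NONE`, and `int in_ch = AV_CHAN_NONE, out_ch = AV_CHAN_NONE;` together with `if (m->in_channel != AV_CHAN_NONE)` would state the intent. If the bare integer is preferred, a comment such as `/* -1 = not set; 0 is a valid channel ID (FL) */` on the initialiser is the lighter alternative. Both function bodies continue outside the hunks.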
diff --git a/tests/fate/filter-audio.mak b/tests/fate/filter-audio.mak index eff32b9f81..9cc09919c7 100644 --- a/tests/fate/filter-audio.mak +++ b/tests/fate/filter-audio.mak @@ -285,7 +285,7 @@ fate-filter-channelmap-one-str: SRC = $(TARGET_PATH)/tests/data/asynth-44100-2.w fate-filter-channelmap-one-str: tests/data/asynth-44100-2.wav fate-filter-channelmap-one-str: CMD = md5 -auto_conversion_filters -i $(SRC) -filter_complex_script $(TARGET_PATH)/tests/data/filtergraphs/channelmap_one_str -f wav -fflags +bitexact fate-filter-channelmap-one-str: CMP = oneline -fate-filter-channelmap-one-str: REF = 0ea3052e482c95d5d3bd9da6dac1b5fa +fate-filter-channelmap-one-str: REF = e18791f65ce5861e130b2c3e472ab90a FATE_AFILTER-$(call FILTERDEMDECENCMUX, CHANNELMAP, WAV, PCM_S16LE, PCM_S16LE, WAV) += $(FATE_FILTER_CHANNELMAP) From 19c3f055b2e29632be2f8e99e7b26b4f597c0173 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 18 Mar 2024 23:35:26 +0100 Subject: [PATCH 286/562] avfilter/af_channelmap: disallow channel index 64 MAX_CH is 64, therefore the maximum index is 63. Signed-off-by: Marton Balint (cherry picked from commit 2f754a96bd4ae4932923fe03c2d53f8273b6273c) --- libavfilter/af_channelmap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_channelmap.c b/libavfilter/af_channelmap.c index aa2468f941..18355eb43b 100644 --- a/libavfilter/af_channelmap.c +++ b/libavfilter/af_channelmap.c @@ -85,7 +85,7 @@ static char* split(char *message, char delim) { return next; } -static int get_channel_idx(char **map, int *ch, char delim, int max_ch) +static int get_channel_idx(char **map, int *ch, char delim, int max_nb_channels) { char *next; int len; @@ -99,7 +99,7 @@ static int get_channel_idx(char **map, int *ch, char delim, int max_ch) sscanf(*map, "%d%n", ch, &n); if (n != len) return AVERROR(EINVAL); - if (*ch < 0 || *ch > max_ch) + if (*ch < 0 || *ch >= max_nb_channels) return AVERROR(EINVAL); *map = next; return 0; 
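Review bot: The tightened bound `*ch >= max_nb_channels` in get_channel_idx is applied to a value whose parse is never checked, because the `sscanf(*map, "%d%n", ch, &n)` call just above ignores its return value. When no digits are converted, the `n != len` test relies on whatever `n` held before, and its initialisation is outside the hunk. Testing the conversion explicitly, `if (sscanf(*map, "%d%n", ch, &n) != 1 || n != len)`, makes the rejection of a malformed map string independent of that. The parameter now means a count rather than a maximum index, so the call sites, which are not in this hunk, need to be confirmed to pass the array size.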
From defa085fc88d018d398b00ccefbe386659864694 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 23 Mar 2024 16:10:22 +0100 Subject: [PATCH 287/562] avfilter/buffersrc: fix overriding unknown channel layouts with negotiated one Fixes ffplay playback of unknown layouts, when SDL directly supports the audio format, such as: ffplay -f lavfi anullsrc=cl=2C,aformat=s16 Without the patch, "Channel layout change is not supported" errors are generated because buffersrc (unknown 2 channel) and buffersink (stereo) negotiated a stereo layout, but the stereo layout was never stored in the BufferSourceContext. This fixes a regression of 7251f909721a570726775acf61b2b9c28a950c76, but this is more of a regression of the avfilter channel layout conversion (1f96db959c1235bb7079d354e09914a0a2608f62). Signed-off-by: Marton Balint (cherry picked from commit 2df2b4067ed01b9076a5dda073521551a32336cd) --- libavfilter/buffersrc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c index a3190468bb..4949605d30 100644 --- a/libavfilter/buffersrc.c +++ b/libavfilter/buffersrc.c @@ -450,7 +450,7 @@ static int config_props(AVFilterLink *link) } break; case AVMEDIA_TYPE_AUDIO: - if (!c->ch_layout.nb_channels) { + if (!c->ch_layout.nb_channels || c->ch_layout.order == AV_CHANNEL_ORDER_UNSPEC) { int ret = av_channel_layout_copy(&c->ch_layout, &link->ch_layout); if (ret < 0) return ret; From 36cf037fb8cf450c1b5a9fc8e02ef5c34390176b Mon Sep 17 00:00:00 2001 From: Eugene Zemtsov Date: Mon, 1 Apr 2024 19:28:03 -0700 Subject: [PATCH 288/562] avformat/mov: Check if a key is longer than the atom containing it Stop reading keys and return AVERROR_INVALIDDATA if key_size is larger than the amount of space left in the atom. Bug: https://crbug.com/41496983 Signed-off-by: Eugene Zemtsov 
Signed-off-by: James Almer (cherry picked from commit 8a23a145d85964950123952d897b89c2c2b1b8c5) --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index acde75d9ff..bad0063f67 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4604,12 +4604,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 1; i <= count; ++i) { uint32_t key_size = avio_rb32(pb); uint32_t type = avio_rl32(pb); - if (key_size < 8) { + if (key_size < 8 || key_size > atom.size) { av_log(c->fc, AV_LOG_ERROR, "The key# %"PRIu32" in meta has invalid size:" "%"PRIu32"\n", i, key_size); return AVERROR_INVALIDDATA; } + atom.size -= key_size; key_size -= 8; if (type != MKTAG('m','d','t','a')) { avio_skip(pb, key_size); From 8f209d2c90e84cd250f1a4667d1d83ec196f51dc Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 22 Nov 2023 22:17:37 +0000 Subject: [PATCH 289/562] avformat/mov: Fix integer overflow in mov_read_packet(). Fixes https://crbug.com/1499669: runtime error: signed integer overflow: 9223372036853334272 + 1375731456 cannot be represented in type 'int64_t' (aka 'long') Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 2182173a6933c02b0853751034bd5e0bf829b5f7) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index bad0063f67..7507ffe47e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8757,7 +8757,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->flags |= AV_PKT_FLAG_DISCARD; } if (sc->ctts_data && sc->ctts_index < sc->ctts_count) { - pkt->pts = pkt->dts + sc->dts_shift + sc->ctts_data[sc->ctts_index].duration; + pkt->pts = av_sat_add64(pkt->dts, av_sat_add64(sc->dts_shift, sc->ctts_data[sc->ctts_index].duration)); /* update ctts context */ sc->ctts_sample++; if (sc->ctts_index < sc->ctts_count && 
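Review bot: The new `key_size > atom.size` test in mov_read_keys is only as tight as `atom.size` is accurate at loop entry, and the hunk does not show whether the bytes consumed before the `for` loop were subtracted from it. If they were not, a key can still claim a few bytes beyond the end of the atom and the check passes. I would confirm that and, if needed, reduce `atom.size` by the header bytes already read before the loop starts. Assuming `atom.size` is a signed 64-bit field, the mixed comparison with the `uint32_t` key_size also rejects a negative remaining size, which is the desired outcome. The function begins and ends outside the hunk.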
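Review bot: A saturated `pkt->pts` in mov_read_packet is passed on as if it were a real timestamp, and when the sum saturates at the negative end the result is INT64_MIN, the same value as `AV_NOPTS_VALUE`. The signed overflow is gone, but downstream code cannot tell a clamped value from a genuine one. I would at least record the intent next to the changed line, `/* saturate: dts_shift and the ctts duration are derived from file data and can reach the int64 limits */`, and consider logging when the clamp triggers. The function continues outside the hunk.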
From 7207d398ff880c3687c75a4222785a6ad594702f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Dec 2023 00:26:03 +0100 Subject: [PATCH 290/562] avformat/mov: Ignore duplicate ftyp Fixes: switch_1080p_720p.mp4 Found-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 4cdf2c7f768015c74078544d153f243b6d9b9ac5) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7507ffe47e..470307eca0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1130,8 +1130,12 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; - if (c->fc->nb_streams) - return AVERROR_INVALIDDATA; + if (c->fc->nb_streams) { + if (c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT) + return AVERROR_INVALIDDATA; + av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate FTYP\n"); + return 0; + } if (strcmp(type, "qt ")) c->isom = 1; From 7c4a401a925c878f0635b7abd240199a13c7d8c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Nov 2023 02:36:41 +0100 Subject: [PATCH 291/562] avcodec/av1dec: Fix resolving zero divisor Fixes: Out of array read Fixes: global-buffer-overflow-AV1 Found-by: "Leonelli, Matteo" Tested-by: "Wang, Fei W" Reviewed-by: "Wang, Fei W" Signed-off-by: Michael Niedermayer (cherry picked from commit 22daf2148fc072f8f347af939f88b3af7896ab60) Signed-off-by: Michael Niedermayer --- libavcodec/av1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index 9cd5fcbb29..600b022626 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c 
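Review bot: The ignored duplicate in mov_read_ftyp is logged at `AV_LOG_DEBUG`, whereas the other ignore-the-duplicate paths of mov.c shown on this page (the Mastering Display boxes) log at `AV_LOG_WARNING`. A second ftyp arriving after streams already exist is unusual enough that it should be visible at default verbosity, since it is the kind of structure that makes two parsers disagree about a file. I would use `av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate FTYP\n");`. The function continues outside the hunk.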
@@ -170,7 +170,7 @@ static uint8_t get_shear_params_valid(AV1DecContext *s, int idx) int16_t alpha, beta, gamma, delta, divf, divs; int64_t v, w; int32_t *param = &s->cur_frame.gm_params[idx][0]; - if (param[2] < 0) + if (param[2] <= 0) return 0; alpha = av_clip_int16(param[2] - (1 << AV1_WARPEDMODEL_PREC_BITS)); From 99e1424fe176df8d82b2172956acb8e64aa84563 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sun, 24 Dec 2023 14:33:31 -0500 Subject: [PATCH 292/562] configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm Fixes the build. It's a requirement when utilizing PIE. Signed-off-by: Brad Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 6066c430e33b4cbf5dc8ff8b3a6d149f51d20300) Signed-off-by: Michael Niedermayer --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index 6629783f34..c60ab0adc4 100755 --- a/configure +++ b/configure @@ -5495,6 +5495,7 @@ case $target_os in ;; netbsd) disable symver + enable section_data_rel_ro oss_indev_extralibs="-lossaudio" oss_outdev_extralibs="-lossaudio" enabled gcc || check_ldflags -Wl,-zmuldefs @@ -5513,6 +5514,7 @@ case $target_os in disable symver ;; freebsd) + enable section_data_rel_ro ;; bsd/os) add_extralibs -lpoll -lgnugetopt From eb5b80271f61b0c26faf8f7ad351dca22b78d43f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2023 22:23:33 +0100 Subject: [PATCH 293/562] avcodec/jpeglsdec: Check Jpeg-LS LSE Fixes: signed integer overflow: 2147478526 + 33924 cannot be represented in type 'int' Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 64243/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5195717848989696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c72a20f01a6122e1832f73801ea5f54b188abea3) 
Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index ab663dc1fc..8fe2aec3a5 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -382,6 +382,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, state->T3 = s->t3; state->reset = s->reset; ff_jpegls_reset_coding_parameters(state, 0); + + /* Testing parameters here, we cannot test in LSE or SOF because + * these interdepend and are allowed in either order + */ + if (state->maxval >= (1<bpp) || + state->T1 > state->T2 || + state->T2 > state->T3 || + state->T3 > state->maxval || + state->reset > FFMAX(255, state->maxval)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + ff_jpegls_init_state(state); if (s->bits <= 8) From 9468749249a9f5a674b5584609e4e9fc7ca6bedf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2023 22:37:49 +0100 Subject: [PATCH 294/562] avformat/mov: do not set sign bit for chunk_offsets Fixes: signed integer overflow: 2314885530818453536 - -7412889664301817824 cannot be represented in type 'long' Fixes: 64296/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6304027146846208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cfc0a68d4d3192779e356a852e71b8218e7a00ab) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 470307eca0..b4b357eee4 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
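Review bot: The new parameter check in ff_jpegls_decode_picture fails with `AVERROR_INVALIDDATA` without logging anything, so a rejected stream gives no hint that the LSE parameters were the cause. I would add `av_log(s->avctx, AV_LOG_ERROR, "invalid JPEG-LS coding parameters\n");` before `ret = AVERROR_INVALIDDATA;`. The check runs after `ff_jpegls_reset_coding_parameters(state, 0)` has already consumed the values; that function is not shown here, so it should be confirmed that it cannot itself overflow on them. The first comparison appears on this page as `(1<bpp)`, which looks like extraction damage to the shift expression and should be read from the original commit.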
@@ -2087,8 +2087,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) sc->chunk_offsets[i] = avio_rb32(pb); else if (atom.type == MKTAG('c','o','6','4')) - for (i = 0; i < entries && !pb->eof_reached; i++) + for (i = 0; i < entries && !pb->eof_reached; i++) { sc->chunk_offsets[i] = avio_rb64(pb); + if (sc->chunk_offsets[i] < 0) { + av_log(c->fc, AV_LOG_WARNING, "Impossible chunk_offset\n"); + sc->chunk_offsets[i] = 0; + } + } else return AVERROR_INVALIDDATA; From 8711cea3841fc385cccb1e7255176479e865cd4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Dec 2023 20:31:02 +0100 Subject: [PATCH 295/562] avfilter/avf_showspectrum: fix off by 1 error Fixes: out of array access Fixes: tickets/10749/poc15ffmpeg Regression since: 81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06) Signed-off-by: Michael Niedermayer --- libavfilter/avf_showspectrum.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/avf_showspectrum.c b/libavfilter/avf_showspectrum.c index b111471116..b931f52a2b 100644 --- a/libavfilter/avf_showspectrum.c +++ b/libavfilter/avf_showspectrum.c @@ -1779,7 +1779,7 @@ static int showspectrumpic_request_frame(AVFilterLink *outlink) int acc_samples = 0; int dst_offset = 0; - while (nb_frame <= s->nb_frames) { + while (nb_frame < s->nb_frames) { AVFrame *cur_frame = s->frames[nb_frame]; int cur_frame_samples = cur_frame->nb_samples; int nb_samples = 0; From 37a8ed60f15bce975279a362a3014e8b2d7db07b Mon Sep 17 00:00:00 2001 
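Review bot: A negative 64-bit chunk offset is rewritten to 0 in the `co64` loop of mov_read_stco, which keeps the entry and points it at the start of the file, so the bytes located there would later be treated as sample data by code outside this hunk. The warning is also emitted once per bad entry and `entries` comes from the file, so a single crafted table can generate a very large number of log lines. Rejecting the table is easier to reason about, `if (sc->chunk_offsets[i] < 0) return AVERROR_INVALIDDATA;`, provided the early return leaves the stream context consistent. If tolerance is intended, log once and say in a comment why offset 0 is a safe substitute.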
From: Michael Niedermayer Date: Sun, 24 Dec 2023 20:50:51 +0100 Subject: [PATCH 296/562] avfilter/vf_gradfun: Do not overread last line The code works in steps of 2 lines and lacks support for odd height Implementing odd height support is better but for now this fixes the out of array access Fixes: out of array access Fixes: tickets/10702/poc6ffmpe Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit e4d2666bdc3dbd177a81bbf428654a5f2fa3787a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_gradfun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c index 71a5f9c787..db30342d3f 100644 --- a/libavfilter/vf_gradfun.c +++ b/libavfilter/vf_gradfun.c @@ -92,7 +92,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, const uint8_t *src, int wi for (y = 0; y < r; y++) ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2); for (;;) { - if (y < height - r) { + if (y + 1 < height - r) { int mod = ((y + r) / 2) % r; uint16_t *buf0 = buf + mod * bstride; uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride; From 9f52c6184f760aa8aee5278e4d3840025b6426b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 12:31:35 +0100 Subject: [PATCH 297/562] avfilter/vf_weave: Fix odd height handling Fixes: out of array access Fixes: tickets/10743/poc10ffmpeg Found-by: Zeng Yunxiang and Li Zeyuan Signed-off-by: Michael Niedermayer (cherry picked from commit 0ecc1f0e48930723d7a467761b66850811c23e62) Signed-off-by: Michael Niedermayer --- libavfilter/vf_weave.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_weave.c b/libavfilter/vf_weave.c index 2bd3994e5e..de9f79c43d 100644 --- a/libavfilter/vf_weave.c +++ b/libavfilter/vf_weave.c 
@@ -30,6 +30,7 @@ typedef struct WeaveContext { int double_weave; int nb_planes; int planeheight[4]; + int outheight[4]; int linesize[4]; AVFrame *prev; @@ -79,6 +80,9 @@ static int config_props_output(AVFilterLink *outlink) s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); s->planeheight[0] = s->planeheight[3] = inlink->h; + s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h); + s->outheight[0] = s->outheight[3] = 2*inlink->h; + s->nb_planes = av_pix_fmt_count_planes(inlink->format); return 0; @@ -104,19 +108,20 @@ static int weave_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) const int height = s->planeheight[i]; const int start = (height * jobnr) / nb_jobs; const int end = (height * (jobnr+1)) / nb_jobs; + const int compensation = 2*end > s->outheight[i]; av_image_copy_plane(out->data[i] + out->linesize[i] * field1 + out->linesize[i] * start * 2, out->linesize[i] * 2, in->data[i] + start * in->linesize[i], in->linesize[i], - s->linesize[i], end - start); + s->linesize[i], end - start - compensation * field1); av_image_copy_plane(out->data[i] + out->linesize[i] * field2 + out->linesize[i] * start * 2, out->linesize[i] * 2, s->prev->data[i] + start * s->prev->linesize[i], s->prev->linesize[i], - s->linesize[i], end - start); + s->linesize[i], end - start - compensation * field2); } return 0; From 27197d8711e9373a32ddf91b0db69c01c7229765 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Dec 2023 04:03:01 +0100 Subject: [PATCH 298/562] avfilter/af_stereowiden: Check length Fixes: out of array access Fixes: tickets/10746/poc13ffmpeg Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07) Signed-off-by: Michael Niedermayer --- libavfilter/af_stereowiden.c | 2 ++ 1 file changed, 2 insertions(+) 
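Review bot: `compensation` in weave_slice is what keeps the plane copy from writing one row past the output plane, and nothing in the code says so. I would document it where it is defined, `/* 1 if this slice would write a row beyond outheight[i] (odd plane height); that row is dropped from the field at row offset 1 */`. The bound relies on `s->outheight[]` being computed from `2*inlink->h` in config_props_output, so it is correct only if the output link height is set to the same value, which is outside these hunks. The function continues outside the hunk.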
diff --git a/libavfilter/af_stereowiden.c b/libavfilter/af_stereowiden.c index a91ea03957..ac4ec6fd37 100644 --- a/libavfilter/af_stereowiden.c +++ b/libavfilter/af_stereowiden.c @@ -74,6 +74,8 @@ static int config_input(AVFilterLink *inlink) s->length = s->delay * inlink->sample_rate / 1000; s->length *= 2; + if (s->length == 0) + return AVERROR(EINVAL); s->buffer = av_calloc(s->length, sizeof(*s->buffer)); if (!s->buffer) return AVERROR(ENOMEM); From ef0895572f647167b4a641af08722c5ceca9b29c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Dec 2023 18:04:32 +0100 Subject: [PATCH 299/562] avfilter/f_reverse: Apply PTS compensation only when pts is available Fixes: out of array access Fixes: tickets/10753/poc16ffmpeg Regression since: 45dc668aea0edac34969b5a1ff76cf9ad3a09be1 Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 61e73851a33f0b4cb7662f8578a4695e77bd3c19) Signed-off-by: Michael Niedermayer --- libavfilter/f_reverse.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/f_reverse.c b/libavfilter/f_reverse.c index 2c99557c75..b2a826b904 100644 --- a/libavfilter/f_reverse.c +++ b/libavfilter/f_reverse.c @@ -253,7 +253,8 @@ static int areverse_request_frame(AVFilterLink *outlink) if (ret == AVERROR_EOF && s->nb_frames > 0) { AVFrame *out = s->frames[s->nb_frames - 1]; out->pts = s->pts[s->flush_idx++] - s->nb_samples; - s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples; + if (s->nb_frames > 1) + s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples; if (av_sample_fmt_is_planar(out->format)) reverse_samples_planar(out); From 4e9f83c65a79fb11a7467ebe2eeea7bcb0a9fbb8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 21:49:48 +0100 Subject: [PATCH 300/562] avfilter/af_alimiter: Check nextpos before use Fixes: out of array read Fixes: tickets/10744/poc11ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. 
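Review bot: The new `s->length == 0` rejection in config_input returns `AVERROR(EINVAL)` silently, so a user who combines a small delay with a low sample rate gets a configuration failure with no explanation. I would log before returning, for example `av_log(inlink->dst, AV_LOG_ERROR, "delay is too small for the input sample rate\n");`. The types of `s->delay` and `s->length` are not visible in the hunk, so whether a negative or overflowed length can also reach `av_calloc` should be checked at the same time.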
Signed-off-by: Michael Niedermayer (cherry picked from commit a88b06f9ee8c88f78bdd614fc25283225223e858) Signed-off-by: Michael Niedermayer --- libavfilter/af_alimiter.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavfilter/af_alimiter.c b/libavfilter/af_alimiter.c index 622dc66324..906d329577 100644 --- a/libavfilter/af_alimiter.c +++ b/libavfilter/af_alimiter.c @@ -194,10 +194,11 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } else { for (i = s->nextiter; i < s->nextiter + s->nextlen; i++) { int j = i % buffer_size; - double ppeak, pdelta; + double ppeak = 0, pdelta; - ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ? - fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]); + if (nextpos[j] >= 0) + ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ? + fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]); pdelta = (limit / peak - limit / ppeak) / (((buffer_size - nextpos[j] + s->pos) % buffer_size) / channels); if (pdelta < nextdelta[j]) { nextdelta[j] = pdelta; From 6fe4f88a77e51f384521ddfa5db0090e677f74e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:25:25 +0100 Subject: [PATCH 301/562] avfilter/vf_swaprect: assert that rectangles are within memory Signed-off-by: Michael Niedermayer (cherry picked from commit 9d1ba698d2bed1d4bed731b3be62e84d72c35476) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index b76e3bb99d..283133e0a4 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/eval.h" #include "libavutil/imgutils.h" 
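Review bot: When `nextpos[j]` is negative the guard skips the out-of-range read, but `ppeak` stays 0 and the next line still evaluates `limit / ppeak`, which under IEEE arithmetic is infinite and makes `pdelta` negative infinity. That value then passes `pdelta < nextdelta[j]` and is stored in `nextdelta[j]`, and `nextpos[j]` is also still used in the modulo expression of the same line. If an unset slot is meant to be ignored, skipping the iteration says so directly: `if (nextpos[j] < 0) continue;`. The rest of the loop body is outside the hunk, so whether later statements must still run for such a slot needs checking.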
@@ -170,6 +171,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; + + av_assert0(FFMAX(x1[1], x2[1]) + pw[1] <= lw[1]); + av_assert0(FFMAX(y1[1], y2[1]) + ph[1] <= lh[1]); + for (p = 0; p < s->nb_planes; p++) { if (ph[p] == ah[p] && pw[p] == aw[p]) { uint8_t *src = in->data[p] + y1[p] * in->linesize[p] + x1[p] * s->pixsteps[p]; From 75e95bbc7e3c42a0db3b4986648a7fe329fa3a58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:26:22 +0100 Subject: [PATCH 302/562] avfilter/vf_swaprect: Use height for vertical variables Signed-off-by: Michael Niedermayer (cherry picked from commit 9f4c5bd7d23eb94afe85290e03748f52483102b8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index 283133e0a4..6d7e1406ad 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -138,10 +138,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) w = dw; h = dh; x1[0] = dx1; y1[0] = dy1; x2[0] = dx2; y2[0] = dy2; x1[0] = av_clip(x1[0], 0, inlink->w - 1); - y1[0] = av_clip(y1[0], 0, inlink->w - 1); + y1[0] = av_clip(y1[0], 0, inlink->h - 1); x2[0] = av_clip(x2[0], 0, inlink->w - 1); - y2[0] = av_clip(y2[0], 0, inlink->w - 1); + y2[0] = av_clip(y2[0], 0, inlink->h - 1); ah[1] = ah[2] = AV_CEIL_RSHIFT(h, s->desc->log2_chroma_h); ah[0] = ah[3] = h; From ae6912b9822d4897b2f26ebb75ae35a424328c21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:27:08 +0100 Subject: [PATCH 303/562] avfilter/vf_swaprect: round coordinates down Fixes: out of array access: Fixes: tickets/10745/poc12ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit 7deaca71b32c556620e05954ca2d13fbe9aacf1f) 
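Review bot: The two added `av_assert0` lines in filter_frame check only index 1, so the luma plane and any fourth plane are swapped without the same bound being asserted. Moving the check into the existing `for (p = 0; p < s->nb_planes; p++)` loop covers every plane that is touched: `av_assert0(FFMAX(x1[p], x2[p]) + pw[p] <= lw[p]);` and `av_assert0(FFMAX(y1[p], y2[p]) + ph[p] <= lh[p]);`. Since the rectangle comes from user expressions, a failing assert aborts the process, so it should remain a backstop behind the clipping and not be the primary validation. The function continues outside the hunk.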
Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index 6d7e1406ad..42da07cef8 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -161,14 +161,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) lw[1] = lw[2] = AV_CEIL_RSHIFT(inlink->w, s->desc->log2_chroma_w); lw[0] = lw[3] = inlink->w; - x1[1] = x1[2] = AV_CEIL_RSHIFT(x1[0], s->desc->log2_chroma_w); + x1[1] = x1[2] = (x1[0] >> s->desc->log2_chroma_w); x1[0] = x1[3] = x1[0]; - y1[1] = y1[2] = AV_CEIL_RSHIFT(y1[0], s->desc->log2_chroma_h); + y1[1] = y1[2] = (y1[0] >> s->desc->log2_chroma_h); y1[0] = y1[3] = y1[0]; - x2[1] = x2[2] = AV_CEIL_RSHIFT(x2[0], s->desc->log2_chroma_w); + x2[1] = x2[2] = (x2[0] >> s->desc->log2_chroma_w); x2[0] = x2[3] = x2[0]; - y2[1] = y2[2] = AV_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); + y2[1] = y2[2] = (y2[0] >> s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; From 87ef16a6909af8e08f0c52d469a2f193202f1296 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:09:31 +0200 Subject: [PATCH 304/562] avfilter/vf_vidstabdetect: Avoid double AVERRORS Signed-off-by: Michael Niedermayer (cherry picked from commit bb04235d728a2b85d6cbe14dd60184faa932c855) Signed-off-by: Michael Niedermayer --- libavfilter/vf_vidstabdetect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_vidstabdetect.c b/libavfilter/vf_vidstabdetect.c index 044911ec27..d53a925d38 100644 --- a/libavfilter/vf_vidstabdetect.c +++ b/libavfilter/vf_vidstabdetect.c 
@@ -159,7 +159,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } if (vsMotionDetection(md, &localmotions, &frame) != VS_OK) { av_log(ctx, AV_LOG_ERROR, "motion detection failed"); - return AVERROR(AVERROR_EXTERNAL); + return AVERROR_EXTERNAL; } else { if (vsWriteToFile(md, s->f, &localmotions) != VS_OK) { int ret = AVERROR(errno); From e8265e6ebd783a6150ae3ce449724e62c1ea23bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:10:22 +0200 Subject: [PATCH 305/562] avformat/flacdec: Avoid double AVERRORS Signed-off-by: Michael Niedermayer (cherry picked from commit 029294ff541c9c85092f81dd45f18081d234f0d5) Signed-off-by: Michael Niedermayer --- libavformat/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 09404b67bb..3840f59de8 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -67,7 +67,7 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { if (avio_read(s->pb, header, 4) != 4) - return AVERROR(AVERROR_INVALIDDATA); + return AVERROR_INVALIDDATA; flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { From 4b3ce97dc824767c8e402b06f0a6e9559484e681 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 02:51:32 +0100 Subject: [PATCH 306/562] avfilter/vf_minterpolate: Check pts before division Fixes: FPE Fixes: tickets/10758/poc20ffmpeg Discovered by Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 68146f06f852078866b3ef1564556e3a272920c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_minterpolate.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index 97d0e96c59..9296e67bf1 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c 
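Review bot: The context line `av_log(ctx, AV_LOG_ERROR, "motion detection failed");` has no trailing newline, so the message runs into whatever is logged next; since this return path is being touched it could become `av_log(ctx, AV_LOG_ERROR, "motion detection failed\n");`. Whether `in` has to be released before this early return cannot be told from the hunk, because filter_frame starts and ends outside it.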
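Review bot: A negative return from `avio_read()` (an I/O error or end of file) is still reported as `AVERROR_INVALIDDATA`, because the condition only tests `!= 4` and discards the value. Keeping the result would preserve the real cause: `ret = avio_read(s->pb, header, 4);` followed by `if (ret != 4) return ret < 0 ? ret : AVERROR_INVALIDDATA;`. Whether a suitable `ret` is already declared in flac_read_header is not visible here, as the function begins outside the hunk.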
@@ -1078,8 +1078,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out) pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den, (int64_t) outlink->time_base.den * inlink->time_base.num); - alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); - alpha = av_clip(alpha, 0, ALPHA_MAX); + if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) { + alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); + alpha = av_clip(alpha, 0, ALPHA_MAX); + } else { + av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n"); + alpha = 0; + } if (alpha == 0 || alpha == ALPHA_MAX) { av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf); From 6e49fb9db16c497c4f2c91a0e0562f0b80e3a7f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 03:06:39 +0100 Subject: [PATCH 307/562] avcodec/mpegvideo_enc: Dont copy beyond the image Fixes: out of array access Fixes: tickets/10754/poc17ffmpeg Discovered by Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit a066b8a809fa6d8b31398d41787822803f8762f2) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 0e7c2c1ab7..3ea8a46e8d 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1102,7 +1102,7 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) dst += INPLACE_OFFSET; if (src_stride == dst_stride) - memcpy(dst, src, src_stride * h); + memcpy(dst, src, src_stride * h - src_stride + w); else { int h2 = h; uint8_t *dst2 = dst; From a6a9e0fee7329c761c1c2685ca8e7881bb722425 Mon Sep 17 00:00:00 2001 
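Review bot: The new guard removes the zero divisor, but `mi_ctx->frames[1].avf->pts * ALPHA_MAX` and `mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts` are still unchecked signed 64-bit operations. If a frame can reach interpolate() with `pts == AV_NOPTS_VALUE` in `frames[1]`, the `>` test passes for any other value in `frames[2]` and both expressions overflow; whether that is possible depends on code outside this hunk. Testing for it in the same condition would close the case: `if (mi_ctx->frames[1].avf->pts != AV_NOPTS_VALUE && mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) {`. The declaration of `alpha` is also outside the hunk; if it is narrower than 64 bits the quotient is truncated before `av_clip` sees it.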
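Review bot: The new length `src_stride * h - src_stride + w` is only meaningful for `h >= 1`; with `h == 0` it evaluates to `w - src_stride`, which is negative for any padded stride and becomes a very large `size_t` when passed to `memcpy`. How `h` is computed is outside this hunk, but a later hunk on this page shows `int w = s->width >> h_shift;`, and if `h` is derived the same way a chroma plane of a one-line picture would get `h == 0`. Writing the intent directly, `if (h > 0) memcpy(dst, src, src_stride * (h - 1) + w);`, with a comment `/* last row: copy only w bytes so the read ends inside the source plane */`, makes the assumption explicit. The expression also treats `w` as a byte count, which holds only for one byte per sample.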
From: Romain Beauxis Date: Mon, 1 Jan 2024 09:52:50 -0600 Subject: [PATCH 308/562] libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr. This patch populates the third entry for HLS codec attribute using the AAC profile. The HLS specifications[1] require this value to be the Object Type ID as referred to in table 1.3 of ISO/IEC 14496-3:2009[2]. The numerical constants in the code refer to these OTIs minus one, as documented in commit 372597e[3], confirmed by comparing the values in the code with the values in the table mentioned above. Links: 1: https://datatracker.ietf.org/doc/html/rfc6381#section-3.3 2: https://csclub.uwaterloo.ca/~ehashman/ISO14496-3-2009.pdf 3: https://github.com/FFmpeg/FFmpeg/commit/372597e5381c097455a7b73849254d56083eb056 Changes in this version: - Default value set to "mp4a.40.2" when profile is unknown for backward compatibility. Signed-off-by: Steven Liu (cherry picked from commit 797f0b27c175022d896e46db4ac2873e3e0a70af) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 6f49ae1aa2..2b049ea0f2 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c 
@@ -408,8 +408,11 @@ static void write_codec_attr(AVStream *st, VariantStream *vs) } else if (st->codecpar->codec_id == AV_CODEC_ID_MP3) { snprintf(attr, sizeof(attr), "mp4a.40.34"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AAC) { - /* TODO : For HE-AAC, HE-AACv2, the last digit needs to be set to 5 and 29 respectively */ - snprintf(attr, sizeof(attr), "mp4a.40.2"); + if (st->codecpar->profile != FF_PROFILE_UNKNOWN) + snprintf(attr, sizeof(attr), "mp4a.40.%d", st->codecpar->profile+1); + else + // This is for backward compatibility with the previous implementation. + snprintf(attr, sizeof(attr), "mp4a.40.2"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AC3) { snprintf(attr, sizeof(attr), "ac-3"); } else if (st->codecpar->codec_id == AV_CODEC_ID_EAC3) { From 645e8357880cab1316633836ddc34b416016e13c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 03:09:52 +0100 Subject: [PATCH 309/562] avcodec/mpegvideo_enc: Use ptrdiff_t for stride Signed-off-by: Michael Niedermayer (cherry picked from commit e063c1d079086150580ed7a9ad076da122e27f76) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 3ea8a46e8d..4b05253fc9 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1083,8 +1083,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) &v_chroma_shift); for (i = 0; i < 3; i++) { - int src_stride = pic_arg->linesize[i]; - int dst_stride = i ? s->uvlinesize : s->linesize; + ptrdiff_t src_stride = pic_arg->linesize[i]; + ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? h_chroma_shift : 0; int v_shift = i ? v_chroma_shift : 0; int w = s->width >> h_shift; From e14a3028898e55039dddac09e9266043c0ef3a71 Mon Sep 17 00:00:00 2001 
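Review bot: Every profile value other than `FF_PROFILE_UNKNOWN` is formatted into the CODECS attribute, so a negative or otherwise out-of-range `st->codecpar->profile` produces a string such as `mp4a.40.-99` or an object type the AAC table does not define. When the stream is copied the profile comes from the input, so it is worth bounding it before use, for example `if (st->codecpar->profile != FF_PROFILE_UNKNOWN && st->codecpar->profile >= 0)`, and falling back to `"mp4a.40.2"` otherwise. The unbraced `if`/`else` with a comment between the `else` and its statement is also easy to misread; braces on both arms would match the surrounding `else if` chain. write_codec_attr starts and ends outside this hunk.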
From: Michael Niedermayer Date: Mon, 5 Feb 2024 12:10:41 +0100 Subject: [PATCH 310/562] avfilter/signature_lookup: dont leave uncleared pointers in sll_free() Signed-off-by: Michael Niedermayer (cherry picked from commit 6c504829514333439d15deb5717567fb4bdbbee0) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 86dd0c6675..3c7006c9d6 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -37,6 +37,16 @@ #define STATUS_END_REACHED 1 #define STATUS_BEGIN_REACHED 2 +static void sll_free(MatchingInfo **sll) +{ + while (*sll) { + MatchingInfo *tmp = *sll; + *sll = tmp->next; + tmp->next = NULL; + av_free(tmp); + } +} + static void fill_l1distlut(uint8_t lut[]) { int i, j, tmp_i, tmp_j,count; @@ -520,16 +530,6 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * return bestmatch; } -static void sll_free(MatchingInfo *sll) -{ - void *tmp; - while (sll) { - tmp = sll; - sll = sll->next; - av_freep(&tmp); - } -} - static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc, StreamContext *first, StreamContext *second, int mode) { CoarseSignature *cs, *cs2; @@ -572,7 +572,7 @@ static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc "ratio %f, offset %d, score %d, %d frames matching\n", bestmatch.first->index, bestmatch.second->index, bestmatch.framerateratio, bestmatch.offset, bestmatch.score, bestmatch.matchframes); - sll_free(infos); + sll_free(&infos); } } while (find_next_coarsecandidate(sc, second->coarsesiglist, &cs, &cs2, 0) && !bestmatch.whole); return bestmatch; From fa60a00f84ad7223a333afa6b746fa2d03afe861 Mon Sep 17 00:00:00 2001 
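Review bot: The new `sll_free(MatchingInfo **sll)` has no comment stating its contract, and the changed signature is exactly what a caller needs to know about. I would add `/* Free every node of the list and leave *sll set to NULL; sll itself must not be NULL. */` above it. Inside the loop `tmp->next = NULL;` immediately before `av_free(tmp);` is a dead store and can be dropped, since `*sll` has already been advanced. The call-site change in the last hunk of this file (`sll_free(&infos);`) follows from the same signature change.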
From: Michael Niedermayer Date: Mon, 5 Feb 2024 12:40:30 +0100 Subject: [PATCH 311/562] avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure Fixes: CID 1403229 Dereference after null check Signed-off-by: Michael Niedermayer (cherry picked from commit 98ae1ad7cf16bd10a4fa79f676439edc4da7cba6) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 3c7006c9d6..ad012ecced 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -299,6 +299,11 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont if (!c->next) av_log(ctx, AV_LOG_FATAL, "Could not allocate memory"); c = c->next; + + } + if (!c) { + sll_free(&cands); + goto error; } c->framerateratio = (i+1.0) / 30; c->score = hspace[i][j].score; @@ -315,6 +320,7 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont } } } + error: for (i = 0; i < MAX_FRAMERATE; i++) { av_freep(&hspace[i]); } From 311ff75a5911449577caff3f8647e4bfff251dcc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2024 02:37:57 +0100 Subject: [PATCH 312/562] avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers Signed-off-by: Michael Niedermayer (cherry picked from commit f465badb062c8023bc245f4878e7a6a082afc416) Signed-off-by: Michael Niedermayer --- libavutil/rational.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/rational.h b/libavutil/rational.h index cbb08a0baf..790f089527 100644 --- a/libavutil/rational.h +++ b/libavutil/rational.h 
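Review bot: The added `if (!c)` path frees the candidate list and jumps to `error:` without recording that an allocation failed, so if the function goes on to return `cands` (now NULL) the caller cannot tell out-of-memory from "no candidates found". The return statement is outside the hunk, so this needs checking against the full get_matching_parameters. The only diagnostic visible is the context line `av_log(ctx, AV_LOG_FATAL, "Could not allocate memory");`, which lacks a trailing newline and is emitted only in the `c->next` branch; moving one message with `"\n"` into the new `if (!c)` block would cover both allocation sites. The second hunk only adds the `error:` label in front of the existing `hspace` cleanup loop.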
@@ -168,6 +168,10 @@ static av_always_inline AVRational av_inv_q(AVRational q) * In case of infinity, the returned value is expressed as `{1, 0}` or * `{-1, 0}` depending on the sign. * + * In general rational numbers with |num| <= 1<<26 && |den| <= 1<<26 + * can be recovered exactly from their double representation. + * (no exceptions were found within 1B random ones) + * * @param d `double` to convert * @param max Maximum allowed numerator and denominator * @return `d` in AVRational form From 1ed96bc406f1dbfa32028d09fd5b329a4a7bc56c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Feb 2024 20:11:56 +0100 Subject: [PATCH 313/562] avcodec/indeo3: Round dimensions up in allocate_frame_buffers() Fixes: Ticket6581 Signed-off-by: Michael Niedermayer (cherry picked from commit 3be80ce299d0073118ae42f5d99c14f912751d93) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 43669f46b5..167da1a87a 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -171,6 +171,9 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx, int luma_size, chroma_size; ptrdiff_t luma_pitch, chroma_pitch; + luma_width = FFALIGN(luma_width , 2); + luma_height = FFALIGN(luma_height, 2); + if (luma_width < 16 || luma_width > 640 || luma_height < 16 || luma_height > 480 || luma_width & 1 || luma_height & 1) { From c71a9c51e76264da77626abb1de636912aa5b3de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2024 01:04:13 +0100 Subject: [PATCH 314/562] swscale/utils: Allocate more dithererror Fixes: out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 18f26f8a2f8dc3b9ec3ac3ab8e03fce15cc8c88d) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index cb4f5b521c..f24b05c3d3 100644 --- a/libswscale/utils.c 
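Review bot: After the two `FFALIGN(..., 2)` lines the terms `luma_width & 1 || luma_height & 1` in the range check that follows can never be true, so the condition now contains dead tests that suggest odd sizes are still rejected. Either drop those two terms or add a comment such as `/* odd sizes are rounded up above; the parity tests below are kept only as a safeguard */`. The buffers are now sized from the rounded values rather than the dimensions passed in, and whether later code uses the caller's originals is not visible, since allocate_frame_buffers continues outside the hunk.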
+++ b/libswscale/utils.c @@ -1895,7 +1895,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, } for (i = 0; i < 4; i++) - if (!FF_ALLOCZ_TYPED_ARRAY(c->dither_error[i], c->dstW + 2)) + if (!FF_ALLOCZ_TYPED_ARRAY(c->dither_error[i], c->dstW + 3)) goto nomem; c->needAlpha = (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) ? 1 : 0; From 1070982e6fdc8826595f637f91430c42fce3c2d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2024 01:34:25 +0100 Subject: [PATCH 315/562] swscale/swscale: Check srcSliceH for bayer Fixes: Assertion srcSliceH > 1 failed at libswscale/swscale_unscaled.c:1359 Signed-off-by: Michael Niedermayer (cherry picked from commit 64098d0cd8ab1d27f78a335ca684f00a419b2160) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 7b40f49da4..9eb7e70b36 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -901,7 +901,8 @@ static int scale_internal(SwsContext *c, if ((srcSliceY & (macro_height_src - 1)) || ((srcSliceH & (macro_height_src - 1)) && srcSliceY + srcSliceH != c->srcH) || - srcSliceY + srcSliceH > c->srcH) { + srcSliceY + srcSliceH > c->srcH || + (isBayer(c->srcFormat) && srcSliceH <= 1)) { av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); return AVERROR(EINVAL); } From a068dfe7e36337f6612ae3225759bdeed1527bbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Feb 2024 03:32:38 +0100 Subject: [PATCH 316/562] libswscale/utils: Fix bayer to yuvj Fixes: out of array access. Earlier code assumes that a unscaled bayer to yuvj420 converter exists but the later code then skips yuvj420 Signed-off-by: Michael Niedermayer (cherry picked from commit e9cc9e492f987ce23ce8c514258a17952dd20401) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
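Review bot: `c->dstW + 3` is an unexplained size, and the previous `+ 2` shows how easily the margin can be wrong when the reader of `dither_error` changes. A comment naming the access that needs the extra element would keep the two in step, for example `/* dstW + 3: the dither code reads past the end of the row; keep in sync with the highest index it uses */`, with the exact index filled in once confirmed against the dithering code. That code is not part of this hunk, so the required margin cannot be verified from here.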
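Review bot: The sum `srcSliceY + srcSliceH` in this condition is computed in `int` (both are printed with `%d` below), so large caller-supplied values can overflow before the comparison with `c->srcH`. Widening one operand avoids that: `(int64_t)srcSliceY + srcSliceH > c->srcH ||`. The new lower bound `srcSliceH <= 1` applies to Bayer input only, so for other formats a negative `srcSliceH` is not rejected by this condition unless an earlier check outside the hunk already does it.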
diff --git a/libswscale/utils.c b/libswscale/utils.c index f24b05c3d3..b5cc4f30ca 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1972,7 +1972,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, /* unscaled special cases */ if (unscaled && !usesHFilter && !usesVFilter && (c->srcRange == c->dstRange || isAnyRGB(dstFormat) || - isFloat(srcFormat) || isFloat(dstFormat))){ + isFloat(srcFormat) || isFloat(dstFormat) || isBayer(srcFormat))){ ff_get_unscaled_swscale(c); if (c->convert_unscaled) { From 343757e6928a9884294e145d618faca5dc545bfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Feb 2024 23:11:40 +0100 Subject: [PATCH 317/562] avformat/concatdec: Check in and outpoints to be to produce a positive representable duration Fixes: signed integer overflow: -93000000 - 9223372036839000000 cannot be represented in type 'long' Fixes: 64546/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5110813828186112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b2d7cbc378fa276d62fd676c037b9df59fc319a0) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 806b570cdf..8bd0c5c5af 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -637,6 +637,12 @@ static int concat_parse_script(AVFormatContext *avf) } } + if (file->inpoint != AV_NOPTS_VALUE && file->outpoint != AV_NOPTS_VALUE) { + if (file->inpoint > file->outpoint || + file->outpoint - (uint64_t)file->inpoint > INT64_MAX) + ret = AVERROR_INVALIDDATA; + } + fail: for (arg = 0; arg < MAX_ARGS; arg++) av_freep(&arg_str[arg]); From a7941e0a06baa70a80cf68c678cc2bdd15382cd2 Mon Sep 17 00:00:00 2001 
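Review bot: The added check dereferences `file` just before the `fail:` label, and nothing in the hunk shows that `file` is non-NULL at that point; if a script with no `file` directive can get this far, `file->inpoint` is a NULL dereference. Guarding it removes the dependency on code outside the hunk: `if (file && file->inpoint != AV_NOPTS_VALUE && file->outpoint != AV_NOPTS_VALUE) {`. The test also appears to run once, for whichever entry `file` last pointed to, so earlier entries would go unvalidated unless the same comparison is made where `inpoint` and `outpoint` are parsed. concat_parse_script starts outside this hunk, so both points need confirming against the whole function.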
From: Michael Niedermayer Date: Tue, 27 Feb 2024 22:27:03 +0100 Subject: [PATCH 318/562] avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() Fixes: timeout Fixes: 66326/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-6295291863040000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dc89cf804a811c0d25f4649a99f7fab4b5b416fa) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 269a6eb166..4882309009 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1454,6 +1454,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + if (vr_type == 0) { voffs = voffset+j*vlen; From 7d9656e858aaeb3d548c6407bf7d83da14c86e31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Feb 2024 19:38:41 +0100 Subject: [PATCH 319/562] avcodec/proresenc_kostya: Remove bug similarity text According to kostya, it is not based on Wassermans encoder CC: Kostya Shishkov CC: Anatoliy Wasserman Signed-off-by: Michael Niedermayer (cherry picked from commit e0e30e07a1755c4f7829f64d35dc07e399c02c6e) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 1062ca1443..6e332b5ab7 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c 
@@ -3,9 +3,6 @@ * * Copyright (c) 2012 Konstantin Shishkov * - * This encoder appears to be based on Anatoliy Wassermans considering - * similarities in the bugs. - * * This file is part of FFmpeg. * * FFmpeg is free software; you can redistribute it and/or From 7fa625df70f38255657129d90e8cd60cdf2bc78f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Mar 2024 03:51:05 +0100 Subject: [PATCH 320/562] avformat/id3v2: read_uslt() check for the amount read Fixes: timeout Fixes: 66783/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5356884892647424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0f4abe2aa0117a10fb651f2c1c030d4cd516081) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index cb31864045..e6c0385a58 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -366,7 +366,7 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, int encoding; int ok = 0; - if (taglen < 1) + if (taglen < 4) goto error; encoding = avio_r8(pb); From f0e780370cc1c437d64f10d326b1d656ef490b5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:38:17 +0200 Subject: [PATCH 321/562] avformat/cafdec: dont seek beyond 64bit Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d973fcbcc2f944752ff10e6a76b0b2d9329937a7) 
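Review bot: The new minimum `taglen < 4` is a bare number with no indication of which fields it covers. A comment would tie it to the reads that follow, for example `/* 1 byte text encoding + 3 bytes language code */`, assuming the three bytes after `avio_r8(pb)` are the language field read outside this hunk. Without that, a later change to the header parsing can silently make the bound too small again.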
Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index e0a9031cb8..395f542a4c 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -265,7 +265,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) } } - if (avio_tell(pb) - ccount > size) { + if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { av_log(s, AV_LOG_ERROR, "error reading packet table\n"); return AVERROR_INVALIDDATA; } From 1f6fcc64179377114b4ecc3b9f63bd5774a64edf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:51:29 +0200 Subject: [PATCH 322/562] avformat/dxa: Adjust order of operations around block align Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 474b85270a..b4d9d00529 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s) if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; - c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; } c->bytes_left = fsize; c->wavpos = avio_tell(pb); From 4a29c43f3cbde8a5ecf449a29f3c419d1627b609 Mon Sep 17 00:00:00 2001 
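Review bot: Both the overflow guard and the reordered rounding assume a positive `block_align`, but the enclosing test `if(ast->codecpar->block_align)` only excludes zero. With a negative value `INT_MAX - ast->codecpar->block_align + 1` itself overflows, and the division then rounds toward a negative multiple. Unless the value is range-checked earlier in dxa_read_header, outside this hunk, the condition should be `if (ast->codecpar->block_align > 0) {`. `c->bpc - 1` likewise assumes `c->bpc` is not `INT_MIN`.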
From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:56:06 +0200 Subject: [PATCH 323/562] avformat/iff: Saturate avio_tell() + 12 Fixes: signed integer overflow: 9223372036854775796 + 12 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4898373660704768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b8e754525ca3d3fd835f7360e11f29b02b39cd62) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index b8e8bffe03..5bff0e9b6c 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -217,7 +217,7 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof) { AVIOContext *pb = s->pb; - while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) { + while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) { uint32_t tag = avio_rl32(pb); uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); @@ -254,7 +254,7 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof) int dsd_layout[6]; ID3v2ExtraMeta *id3v2_extra_meta; - while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) { + while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) { uint32_t tag = avio_rl32(pb); uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); From 1f34d960e1c2fef6d4533ce17e4c3a0bedd6d041 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:45:33 +0200 Subject: [PATCH 324/562] avformat/cafdec: Check that data chunk end fits within 64bit Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b792e4d4c772b7b5ef8ea32be187a871000e50c2) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 395f542a4c..82b5bda4ac 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -337,6 +337,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); /* edit count */ caf->data_start = avio_tell(pb); caf->data_size = size < 0 ? -1 : size - 4; + if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start) + return AVERROR_INVALIDDATA; + if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL)) avio_skip(pb, caf->data_size); found_data = 1; From c504f7dae8ee6b5c86723896f55419f55fe32afb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Oct 2023 19:52:33 +0200 Subject: [PATCH 325/562] avformat/jacosubdec: clarify code add comments, rename variables and indent things differently Signed-off-by: Michael Niedermayer (cherry picked from commit e83e8d443b5b86aabf17d1cfb7fba9abf15e24fd) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index c6e5b4aa6d..60fe72d5d7 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c 
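Review bot: The added check bounds `caf->data_size` from above only, while the context line `caf->data_size = size < 0 ? -1 : size - 4;` yields -4 to -1 for a chunk size of 0 to 3. A size of 3 becomes indistinguishable from the `-1` value used for a negative size, and 0 to 2 produce other negative values whose handling later in read_header is not visible here. Rejecting the short chunk before the assignment closes that: `if (size >= 0 && size < 4) return AVERROR_INVALIDDATA;`. When `caf->data_start < 0` the value is an error code from `avio_tell()`, which could be returned as-is instead of being replaced by `AVERROR_INVALIDDATA`.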
@@ -127,28 +127,28 @@ shift_and_ret: static int get_shift(unsigned timeres, const char *buf) { int sign = 1; - int a = 0, b = 0, c = 0, d = 0; + int h = 0, m = 0, s = 0, d = 0; int64_t ret; #define SSEP "%*1[.:]" - int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); + int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &h, &m, &s, &d); #undef SSEP - if (a == INT_MIN) + if (h == INT_MIN) return 0; - if (*buf == '-' || a < 0) { + if (*buf == '-' || h < 0) { sign = -1; - a = FFABS(a); + h = FFABS(h); } ret = 0; switch (n) { - case 1: a = 0; - case 2: c = b; b = a; a = 0; - case 3: d = c; c = b; b = a; a = 0; + case 1: h = 0; //clear all in case of a single parameter + case 2: s = m; m = h; h = 0; //shift into second subsecondd + case 3: d = s; s = m; m = h; h = 0; //shift into minute second subsecond } - ret = (int64_t)a*3600 + (int64_t)b*60 + c; + ret = (int64_t)h*3600 + (int64_t)m*60 + s; if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) return 0; ret = sign * (ret * timeres + d); From c6c9758e453790ddea7b81c5bafb94c36df4b1ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2023 03:51:23 +0100 Subject: [PATCH 326/562] avformat/concatdec: clip outpoint - inpoint overflow in get_best_effort_duration() An alternative would be to limit all time/duration fields to below 64bit Fixes: signed integer overflow: -93000000 - 9223372036839000000 cannot be represented in type 'long long' Fixes: 64546/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5110813828186112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd733b2be472cea766c62984237533b239e9a93d) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 8bd0c5c5af..49c12d8dc7 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c 
@@ -322,7 +322,7 @@ static int64_t get_best_effort_duration(ConcatFile *file, AVFormatContext *avf) if (file->user_duration != AV_NOPTS_VALUE) return file->user_duration; if (file->outpoint != AV_NOPTS_VALUE) - return file->outpoint - file->file_inpoint; + return av_sat_sub64(file->outpoint, file->file_inpoint); if (avf->duration > 0) return avf->duration - (file->file_inpoint - file->file_start_time); if (file->next_dts != AV_NOPTS_VALUE) From f7be9ecf522a395dc2a922662289aff8e36e4a38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 01:46:02 +0100 Subject: [PATCH 327/562] avcodec/hcadec: do not set hfr_group_count to invalid values Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-6247136417087488 Fixes: out of array write Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit addb85ea39300c36010ffb6dc0d28b2ea62b4805) Signed-off-by: Michael Niedermayer --- libavcodec/hcadec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c index 7054575872..b4e2e9d463 100644 --- a/libavcodec/hcadec.c +++ b/libavcodec/hcadec.c @@ -110,6 +110,7 @@ static av_cold int decode_init(AVCodecContext *avctx) float scale = 1.f / 8.f; unsigned b, chunk; int version, ret; + unsigned hfr_group_count; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; c->crc_table = av_crc_get_table(AV_CRC_16_ANSI); 
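Review bot: The branch right below the fixed one, `return avf->duration - (file->file_inpoint - file->file_start_time);`, still uses plain signed subtraction on the same kind of script-derived values. If `file_inpoint` and `file_start_time` are not bounded elsewhere, it can overflow in the same way; `return av_sat_sub64(avf->duration, av_sat_sub64(file->file_inpoint, file->file_start_time));` would treat it consistently. Saturation returns a clamped value without any error, so callers that add this duration to a timestamp still need their own overflow check. The remaining branches of get_best_effort_duration are outside the hunk.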
@@ -230,11 +231,12 @@ static av_cold int decode_init(AVCodecContext *avctx) if (c->total_band_count < c->base_band_count) return AVERROR_INVALIDDATA; - c->hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count), + hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count), c->bands_per_hfr_group); - if (c->base_band_count + c->stereo_band_count + (unsigned long)c->hfr_group_count > 128ULL) + if (c->base_band_count + c->stereo_band_count + (uint64_t)hfr_group_count > 128ULL) return AVERROR_INVALIDDATA; + c->hfr_group_count = hfr_group_count; for (int i = 0; i < avctx->ch_layout.nb_channels; i++) { c->ch[i].chan_type = r[i]; From 4c72ef510ab039ca36c48f56e017353397d11778 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 02:52:04 +0100 Subject: [PATCH 328/562] avcodec/truemotion1: Height not being a multiple of 4 is unsupported mb_change_bits is given space based on height >> 2, while more data is read Fixes: out of array access Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION1_fuzzer-5201925062590464.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebdcf9849905fdd67dcd3ab93e55e47ded35fda2) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 64d9b8fed1..8bcac634ed 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -408,6 +408,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return AVERROR_PATCHWELCOME; } + if (s->h & 3) { + avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4"); + return AVERROR_PATCHWELCOME; + } + if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { av_frame_unref(s->frame); 
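Review bot: The argument `c->total_band_count - (c->base_band_count + c->stereo_band_count)` passed to ceil2() is guarded only by the `total_band_count < base_band_count` test above it, so a header whose base and stereo counts together exceed the total still reaches the subtraction. The new code then relies on the `> 128ULL` comparison to reject whatever ceil2() returns for that input; the field types and ceil2() are declared outside the hunk, so this cannot be confirmed from here. If such headers are never valid, an explicit `if (c->total_band_count < c->base_band_count + c->stereo_band_count) return AVERROR_INVALIDDATA;` before the call would make the rejection independent of wraparound. decode_init() starts and ends outside the hunk.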
From baed91565b8cef16169510d395ecc79c0e268eed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:16:39 +0100 Subject: [PATCH 329/562] avformat/concatdec: Check user_duration sum Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6434245599690752 Fixes: signed integer overflow: 9223372026773000000 + 22337000000 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 007486058c2eb7a7518450a2ddb4fa98845887a3) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 49c12d8dc7..b1c4efcbf5 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -678,6 +678,8 @@ static int concat_read_header(AVFormatContext *avf) cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint; } cat->files[i].duration = cat->files[i].user_duration; + if (time + (uint64_t)cat->files[i].user_duration > INT64_MAX) + return AVERROR_INVALIDDATA; time += cat->files[i].user_duration; } if (i == cat->nb_files) { From a9eb9a993f4db3ba31d6a5ef5e52509e59232525 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:21:28 +0100 Subject: [PATCH 330/562] avformat/jacosubdec: Use 64bit for abs Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5401294942371840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 746203af3116288b1dd4442e46a5724ba759e831) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 60fe72d5d7..e22bbd788c 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -149,7 +149,7 @@ static int get_shift(unsigned timeres, const char *buf) } ret = (int64_t)h*3600 + (int64_t)m*60 + s; - if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) + if (FFABS(ret) > (INT64_MAX - FFABS((int64_t)d)) / timeres) return 0; ret = sign * (ret * timeres + d); From a3fccb9729e7e31adb12ee953920cf56472c0309 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:27:39 +0100 Subject: [PATCH 331/562] avformat/mov: use 64bit for intermediate for rounding Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f01a89c5a378cb7b55a0bcb5763cfb1da83b81f1) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index b4b357eee4..976c552e9b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8104,7 +8104,7 @@ static int mov_read_timecode_track(AVFormatContext *s, AVStream *st) /* 60 fps content have tmcd_nb_frames set to 30 but tc_rate set to 60, so * we multiply the frame number with the quotient. * See tickets #9492, #9710. */ - rounded_tc_rate = (tc_rate.num + tc_rate.den / 2) / tc_rate.den; + rounded_tc_rate = (tc_rate.num + tc_rate.den / 2LL) / tc_rate.den; /* Work around files where tmcd_nb_frames is rounded down from frame rate * instead of up. See ticket #5978. */ if (tmcd_nb_frames == tc_rate.num / tc_rate.den && From 21435d08ba432217e522aac68f15c582d2e9bb63 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:27:39 +0100 Subject: [PATCH 332/562] avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104 Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d8d778a68531b406455f8090d81216ef374ab75) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index b93f05b4b8..bd879bd3cc 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -210,7 +210,7 @@ static int fps_from_frame_rate(AVRational rate) { if (!rate.den || !rate.num) return -1; - return (rate.num + rate.den/2) / rate.den; + return (rate.num + rate.den/2LL) / rate.den; } int av_timecode_check_frame_rate(AVRational rate) From a6aefe6e9dc5f664f18e563ade48b99840cb0351 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:36:40 +0100 Subject: [PATCH 333/562] avformat/rpl: Use 64bit for total_audio_size and check it Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4677434693517312 Fixes: signed integer overflow: 5555555555555555556 * 8 cannot be represented in type 'long long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 878625812f164fbb733f442965235656d9eaccc8) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index eae0da891b..427738bbdb 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c 
@@ -117,7 +117,7 @@ static int rpl_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; RPLContext *rpl = s->priv_data; AVStream *vst = NULL, *ast = NULL; - int total_audio_size; + int64_t total_audio_size; int error = 0; const char *endptr; char audio_type[RPL_LINE_LENGTH]; @@ -302,6 +302,8 @@ static int rpl_read_header(AVFormatContext *s) if (ast) av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0); + if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8) + return AVERROR_INVALIDDATA; total_audio_size += audio_size * 8; } From 4db0eb4653efad967ddcf71f564fd2f1169bafcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:39:49 +0100 Subject: [PATCH 334/562] avformat/sbgdec: Check for negative duration Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bed22d597b78999151e3bde0768b7fe763fc2a6) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 1ef50e1598..fdcee0b452 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -385,7 +385,7 @@ static int parse_options(struct sbg_parser *p) case 'L': FORWARD_ERROR(parse_optarg(p, opt, &oarg)); r = str_to_time(oarg.s, &p->scs.opt_duration); - if (oarg.e != oarg.s + r) { + if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { snprintf(p->err_msg, sizeof(p->err_msg), "syntax error for option -L"); return AVERROR_INVALIDDATA; From 3c37c0a7be6bfcbcce75280c2b3cb2caf8d81f47 Mon Sep 17 00:00:00 2001 
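Review bot: The new range check comes after `av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0);`, so `audio_size * 8` is still evaluated on the unchecked value whenever an audio stream exists. The sanitizer message in the commit record shows that product overflowing a 64-bit type, which suggests audio_size is 64-bit; its declaration is outside the hunk. Moving `if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8) return AVERROR_INVALIDDATA;` above the `if (ast)` statement would cover both uses of the product. rpl_read_header() continues outside the hunk.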
From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:50:36 +0100 Subject: [PATCH 335/562] avformat/wavdec: satuarte next_tag_ofs, data_end Fixes: signed integer overflow: 5053074104798691550 + 5053074104259715104 cannot be represented in type 'long' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6515315309936640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61dca9e150b723a160d4a570885f3e5326c3d276) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 1c4883ea1b..4924d8f0fb 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -444,7 +444,7 @@ static int wav_read_header(AVFormatContext *s) } if (rf64 || bw64) { - next_tag_ofs = wav->data_end = avio_tell(pb) + data_size; + next_tag_ofs = wav->data_end = av_sat_add64(avio_tell(pb), data_size); } else if (size != 0xFFFFFFFF) { data_size = size; next_tag_ofs = wav->data_end = size ? next_tag_ofs : INT64_MAX; From 1810072c2bfd67c099418c36fd9b890ac3ce453b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:57:33 +0100 Subject: [PATCH 336/562] avformat/matroskadec: Check timescale Fixes: 3.82046e+18 is outside the range of representable values of type 'unsigned int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6381436594421760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e849eb23432e45d0a1fda3901bb84eff0ce91282) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 78a11262f1..3d85e63ca9 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -2824,6 +2824,10 @@ static int matroska_parse_tracks(AVFormatContext *s) track->time_scale); track->time_scale = 1.0; } + + if (matroska->time_scale * track->time_scale > UINT_MAX) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale, 1000 * 1000 * 1000); /* 64 bit pts in ns */ From a8beef67993aa267de87599007143d9f0ba67c23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 01:00:13 +0100 Subject: [PATCH 337/562] avformat/westwood_vqa: Fix 2g packets Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661) Signed-off-by: Michael Niedermayer --- libavformat/westwood_vqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index 03b2d9e03c..024f5d3652 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c @@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s, break; case SND2_TAG: /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ - pkt->duration = (chunk_size * 2) / wsvqa->channels; + pkt->duration = (chunk_size * 2LL) / wsvqa->channels; break; } break; From e5c1bcee0368af8b459a7c88f5559bb97578924d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Feb 2024 19:40:07 +0100 Subject: [PATCH 338/562] avfilter/vf_signature: Dont crash on no frames Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5f03bbc8bba2929cc09b07d2731ae5d392e772) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index 7d434328b7..0b364430f6 100644 
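Review bot: The added test `matroska->time_scale * track->time_scale > UINT_MAX` rejects only products above the range; a NaN product compares false and still reaches the conversion to an integer argument in the avpriv_set_pts_info() call. track->time_scale looks like a floating-point field (it is assigned `1.0` just above). The guard before that assignment is cut off by the hunk, so it is not visible whether NaN or negative values are already excluded. Computing the product once into a local and testing it positively, `if (!(scale >= 0 && scale <= UINT_MAX)) return AVERROR_INVALIDDATA;`, rejects every value that cannot be converted. matroska_parse_tracks() starts and ends outside the hunk.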
--- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -386,6 +386,9 @@ static int xml_export(AVFilterContext *ctx, StreamContext *sc, const char* filen FILE* f; unsigned int pot3[5] = { 3*3*3*3, 3*3*3, 3*3, 3, 1 }; + if (!sc->coarseend->last) + return AVERROR(EINVAL); // No frames ? + f = avpriv_fopen_utf8(filename, "w"); if (!f) { int err = AVERROR(EINVAL); From dcd1ed180bdb349a6304c2b0c9a173a05b581376 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Mar 2024 03:35:18 +0100 Subject: [PATCH 339/562] avformat/mxfdec: Check first case of offset_temp computation for overflow This is kind of ugly Fixes: signed integer overflow: 255 * 1157565362826411919 cannot be represented in type 'long' Fixes: 67313/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6250434245230592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6ed6f6e8dffcf777c336869f56002da588e2de8) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 446beab7f4..14c6ecdf65 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1860,9 +1860,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t if (edit_unit < s->index_start_position + s->index_duration) { int64_t index = edit_unit - s->index_start_position; - if (s->edit_unit_byte_count) + if (s->edit_unit_byte_count) { + if (index > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * index > INT64_MAX - offset_temp) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * index; - else { + } else { if (s->nb_index_entries == 2 * s->index_duration + 1) index *= 2; /* Avid index */ From 7915f6147c030038c99e0a3dbd80156dc29d2c93 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 30 Mar 2024 19:51:43 +0100 Subject: [PATCH 340/562] avformat/movenc: Check that cts fits in 32bit Fixes: Assertion av_rescale_rnd(start_dts, mov->movie_timescale, track->timescale, AV_ROUND_DOWN) <= 0 failed at libavformat/movenc.c:3694 Fixes: poc2 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit d88c284c18bf6cd3dd24a7c86b5e496dd3037405) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 5608afde42..3c97aa4871 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5962,6 +5962,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; + if (pkt->pts != AV_NOPTS_VALUE && + (uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) { + av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n"); + return AVERROR_PATCHWELCOME; + } + if (mov->flags & FF_MOV_FLAG_FRAGMENT || mov->mode == MODE_AVIF) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { From f830fddbd3221f90e814bb0a1ac697ad756e0c96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 18:29:46 +0200 Subject: [PATCH 341/562] avformat/mxfdec: Make edit_unit_byte_count unsigned Suggested-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit f30fe5e8d002e15f07eaacf720c5654097cb62df) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 14c6ecdf65..f0d141f10b 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -239,7 +239,7 @@ typedef struct MXFMCASubDescriptor { typedef struct MXFIndexTableSegment { MXFMetadataSet meta; - int edit_unit_byte_count; + unsigned edit_unit_byte_count; int index_sid; int body_sid; AVRational index_edit_rate; 
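Review bot: The new guard in ff_mov_write_packet() tests `dts - pts`, while the commit title is about cts, the opposite difference, and the two ranges differ at one value. When pts - dts is exactly 2^31, `(uint64_t)pkt->dts - pkt->pts` is -2^31 as an int32_t and passes the check. Whether that matters depends on how the composition offset is stored later, outside the hunk; if it is a signed 32-bit field, testing `(uint64_t)pkt->pts - pkt->dts` instead closes the gap. The message is also logged at `AV_LOG_WARNING` although the packet is refused; `AV_LOG_ERROR` with the offending pts and dts values would be easier to act on.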
From 3164cee22824582d77c5dcbc3cda4954097675be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Mar 2024 23:07:01 +0100 Subject: [PATCH 342/562] avformat/aiffdec: Check for previously set channels Fixes: out of array access (av_channel_layout_copy()) Fixes: 67087/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4920720268263424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 23b29f72eeb2ff6f2176ee74b9abe78aec4cd1f4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 80733e5801..376f220984 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -106,6 +106,8 @@ static int get_aiff_header(AVFormatContext *s, int64_t size, size++; par->codec_type = AVMEDIA_TYPE_AUDIO; channels = avio_rb16(pb); + if (par->ch_layout.nb_channels && par->ch_layout.nb_channels != channels) + return AVERROR_INVALIDDATA; par->ch_layout.nb_channels = channels; num_frames = avio_rb32(pb); par->bits_per_coded_sample = avio_rb16(pb); From 808ec6ccfa0733093ed59be2398965d917109b9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2024 02:07:28 +0100 Subject: [PATCH 343/562] avformat/mpegts: Reset local nb_prg on add_program() failure add_program() will deallocate the whole array on failure so we must clear nb_prgs Fixes: null pointer dereference Fixes: crash-35a3b39ddcc5babeeb005b7399a3a1217c8781bc Found-by: Catena cyber Signed-off-by: Michael Niedermayer (cherry picked from commit cb9752d897de17212a7a3ce54ad3e16b377b22c0) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 8a3436f2be..edbf126666 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c 
@@ -2597,7 +2597,8 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len FFSWAP(struct Program, ts->prg[nb_prg], ts->prg[prg_idx]); if (prg_idx >= nb_prg) nb_prg++; - } + } else + nb_prg = 0; } } ts->nb_prg = nb_prg; From b9b1bd62256157aa747b3a0ed93c8ddf5e2bfce7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 02:15:07 +0200 Subject: [PATCH 344/562] avcodec/exr: Check for remaining bits in huf_unpack_enc_table() Fixes: Timeout Fixes: 67645/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6308760977997824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 589fa8a027f3b1707d78d7c45335acc498a5e887) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index c8db720904..15c74a8cda 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -334,7 +334,10 @@ static int huf_unpack_enc_table(GetByteContext *gb, return ret; for (; im <= iM; im++) { - uint64_t l = freq[im] = get_bits(&gbit, 6); + uint64_t l; + if (get_bits_left(&gbit) < 6) + return AVERROR_INVALIDDATA; + l = freq[im] = get_bits(&gbit, 6); if (l == LONG_ZEROCODE_RUN) { int zerun = get_bits(&gbit, 8) + SHORTEST_LONG_RUN; From fa7c23db4a223c56942c0408f8e64ced2f4bc4d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 02:18:57 +0200 Subject: [PATCH 345/562] avcodec/exr: Dont use 64bits to hold 6bits Signed-off-by: Michael Niedermayer (cherry picked from commit e3984de6ffd6068efcfb5c576f1ec788211608fe) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 15c74a8cda..f05117c98c 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
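Review bot: The new `} else nb_prg = 0;` in pat_cb() pairs a braced `if` body with an unbraced `else`, and nothing at that spot says why the counter is reset. Bracing it and carrying the reason from the commit message into the code, e.g. `} else { /* add_program() freed ts->prg on failure */ nb_prg = 0; }`, keeps the invariant visible next to the FFSWAP that indexes `ts->prg[nb_prg]`. The loop keeps running after the reset; whether later iterations are safe depends on add_program(), which is outside the hunk, as is the start of pat_cb().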
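Review bot: In huf_unpack_enc_table() only the 6-bit read is guarded by the new `get_bits_left(&gbit) < 6` test; the `get_bits(&gbit, 8)` for the long zero run in the following branch is still issued without checking what remains. Whether the bit reader bounds that read itself cannot be seen from the hunk, and either way a truncated run length is accepted as data. Declaring `int zerun;` first, then adding `if (get_bits_left(&gbit) < 8) return AVERROR_INVALIDDATA;` before assigning it, would make both reads consistent. The function continues past the end of the hunk.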
@@ -334,7 +334,7 @@ static int huf_unpack_enc_table(GetByteContext *gb, return ret; for (; im <= iM; im++) { - uint64_t l; + int l; if (get_bits_left(&gbit) < 6) return AVERROR_INVALIDDATA; l = freq[im] = get_bits(&gbit, 6); From 6444e7c3c9ec0d8ccf58f4023398603875ba989b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 22:56:02 +0200 Subject: [PATCH 346/562] avformat/isom: Uninit layout in ff_mp4_read_dec_config_descr() Fixes: memleak Fixes: 67442/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5068813261406208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit d157725cf726adc29385d264eaf79ae430b1f3e5) Signed-off-by: Michael Niedermayer --- libavformat/isom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index cf27f58082..9bf49c84cd 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -359,6 +359,7 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext st->codecpar->extradata_size, 1, fc); if (ret < 0) return ret; + av_channel_layout_uninit(&st->codecpar->ch_layout); st->codecpar->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; st->codecpar->ch_layout.nb_channels = cfg.channels; if (cfg.object_type == 29 && cfg.sampling_index < 3) // old mp3on4 From 5335c73b9f6f872522c88eae1f3d673a04d7b360 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:31:40 +0200 Subject: [PATCH 347/562] swscale/utils: Fix xInc overflow Fixes: signed integer overflow: 2 * 1073741824 cannot be represented in type 'int' Fixes: 67802/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6249515855183872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1a9eda65d027e0167f7363e0514f71311ac5d8d1) 
Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index b5cc4f30ca..4f94adbb30 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -541,7 +541,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, filter[i * filterSize + j] = coeff; xx++; } - xDstInSrc += 2 * xInc; + xDstInSrc += 2LL * xInc; } } From cdbdfdf8044b6a884437f82b7777e943491b94cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:38:20 +0200 Subject: [PATCH 348/562] avformat/mxfdec: Check index_edit_rate Fixes: Assertion b >=0 failed at libavutil/mathematics.c:62 Fixes: 67811/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5108429687422976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed49391961999f028e0bc55767d0eef6eeb15e49) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f0d141f10b..5c7acb5d00 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1249,6 +1249,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int case 0x3F0B: segment->index_edit_rate.num = avio_rb32(pb); segment->index_edit_rate.den = avio_rb32(pb); + if (segment->index_edit_rate.num <= 0 || + segment->index_edit_rate.den <= 0) + return AVERROR_INVALIDDATA; av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num, segment->index_edit_rate.den); break; From 1b47af0b8450a4345773f847918794366d71be77 Mon Sep 17 00:00:00 2001 
From: Andreas Rheinhardt Date: Tue, 13 Feb 2024 14:20:55 +0100 Subject: [PATCH 349/562] fate/subtitles: Ignore line endings for sub-scc test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since 7bf1b9b35769b37684dd2f18a54f01d852a540c8, the test produces ordinary \n, yet this is not what the reference file used for the most time, leading to test failures. Reviewed-by: Martin Storsjö Signed-off-by: Andreas Rheinhardt (cherry picked from commit 99d33cc661fbd04e8657831b818042b11f1862a2) Signed-off-by: Michael Niedermayer --- tests/fate/subtitles.mak | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/fate/subtitles.mak b/tests/fate/subtitles.mak index bc464edce6..f7db63f659 100644 --- a/tests/fate/subtitles.mak +++ b/tests/fate/subtitles.mak @@ -109,6 +109,7 @@ fate-sub-charenc: CMD = fmtstdout ass -sub_charenc cp1251 -i $(TARGET_SAMPLES)/s FATE_SUBTITLES-$(call DEMDEC, SCC, CCAPTION) += fate-sub-scc fate-sub-scc: CMD = fmtstdout ass -ss 57 -i $(TARGET_SAMPLES)/sub/witch.scc +fate-sub-scc: CMP = diff FATE_SUBTITLES-$(call DEMMUX, SCC, SCC) += fate-sub-scc-remux fate-sub-scc-remux: CMD = fmtstdout scc -i $(TARGET_SAMPLES)/sub/witch.scc -ss 4:00 -map 0 -c copy From c8bd7f92098c09ecc496c7e2ffab88fd4d20ce0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Apr 2024 02:01:03 +0200 Subject: [PATCH 350/562] Update for 5.1.5 Signed-off-by: Michael Niedermayer --- Changelog | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 84 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 1240dd6fae..3d3bd84e97 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,88 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 5.1.5: + fate/subtitles: Ignore line endings for sub-scc test + avformat/mxfdec: Check index_edit_rate + swscale/utils: Fix xInc overflow + avformat/isom: Uninit layout in ff_mp4_read_dec_config_descr() + avcodec/exr: Dont use 64bits to hold 6bits + avcodec/exr: Check for remaining bits in huf_unpack_enc_table() + avformat/mpegts: Reset local nb_prg on add_program() failure + avformat/aiffdec: Check for previously set channels + avformat/mxfdec: Make edit_unit_byte_count unsigned + avformat/movenc: Check that cts fits in 32bit + avformat/mxfdec: Check first case of offset_temp computation for overflow + avfilter/vf_signature: Dont crash on no frames + avformat/westwood_vqa: Fix 2g packets + avformat/matroskadec: Check timescale + avformat/wavdec: satuarte next_tag_ofs, data_end + avformat/sbgdec: Check for negative duration + avformat/rpl: Use 64bit for total_audio_size and check it + avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() + avformat/mov: use 64bit for intermediate for rounding + avformat/jacosubdec: Use 64bit for abs + avformat/concatdec: Check user_duration sum + avcodec/truemotion1: Height not being a multiple of 4 is unsupported + avcodec/hcadec: do not set hfr_group_count to invalid values + avformat/concatdec: clip outpoint - inpoint overflow in get_best_effort_duration() + avformat/jacosubdec: clarify code + avformat/cafdec: Check that data chunk end fits within 64bit + avformat/iff: Saturate avio_tell() + 12 + avformat/dxa: Adjust order of operations around block align + avformat/cafdec: dont seek beyond 64bit + avformat/id3v2: read_uslt() check for the amount read + avcodec/proresenc_kostya: Remove bug similarity text + avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() + avformat/concatdec: Check in and outpoints to be to produce a 
positive representable duration + libswscale/utils: Fix bayer to yuvj + swscale/swscale: Check srcSliceH for bayer + swscale/utils: Allocate more dithererror + avcodec/indeo3: Round dimensions up in allocate_frame_buffers() + avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers + avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure + avfilter/signature_lookup: dont leave uncleared pointers in sll_free() + avcodec/mpegvideo_enc: Use ptrdiff_t for stride + libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr. + avcodec/mpegvideo_enc: Dont copy beyond the image + avfilter/vf_minterpolate: Check pts before division + avformat/flacdec: Avoid double AVERRORS + avfilter/vf_vidstabdetect: Avoid double AVERRORS + avfilter/vf_swaprect: round coordinates down + avfilter/vf_swaprect: Use height for vertical variables + avfilter/vf_swaprect: assert that rectangles are within memory + avfilter/af_alimiter: Check nextpos before use + avfilter/f_reverse: Apply PTS compensation only when pts is available + avfilter/af_stereowiden: Check length + avfilter/vf_weave: Fix odd height handling + avfilter/vf_gradfun: Do not overread last line + avfilter/avf_showspectrum: fix off by 1 error + avformat/mov: do not set sign bit for chunk_offsets + avcodec/jpeglsdec: Check Jpeg-LS LSE + configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm + avcodec/av1dec: Fix resolving zero divisor + avformat/mov: Ignore duplicate ftyp + avformat/mov: Fix integer overflow in mov_read_packet(). 
+ avformat/mov: Check if a key is longer than the atom containing it + avfilter/buffersrc: fix overriding unknown channel layouts with negotiated one + avfilter/af_channelmap: disallow channel index 64 + avfilter/af_channelmap: fix mapping if in_channel was a string but out_channel was not specified + avfilter/af_channelmap: fix error message if FL source channel was missing + avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer + avformat/mov: don't abort on duplicate Mastering Display Metadata boxes + fftools/ffplay: use correct buffersink channel layout parameters + swresample/resample: fix rounding errors with filter_size=1 and phase_shift=0 + avformat/mxfdec: remove resolve_strong_ref usage with AnyType + avformat/libsrt: use SRT_EPOLL_IN for waiting for an incoming connection + avformat/mxfdec: do not use AnyType when resolving Descriptors and MultipleDescriptors + avformat/mxfdec: move resolving Descriptors to the multi descriptor resolve function + avcodec/av1dec: fix matrix coefficients exposed by codec context + avformat/mov_chan: never override number of channels based on chan atom + avformat/mov_chan: do not assume channels are in native order + avcodec/nvdec: don't free NVDECContext->bitstream + fftools/ffmpeg_enc: apply -top to individual encoded frames + fftools/ffprobe: support 2D arrays in print_list_fmt() + version 5.1.4: avcodec/4xm: Check for cfrm exhaustion avformat/mov: Disallow FTYP after streams diff --git a/RELEASE b/RELEASE index 76e9e619d6..220d8e0a46 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -5.1.4 +5.1.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 7f4a340498..ec29ac805b 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 5.1.4 +PROJECT_NUMBER = 5.1.5 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From ff8eee647028933c7adeaeb446e693289691a07f Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sun, 5 May 2024 23:59:47 -0400 Subject: [PATCH 351/562] lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's The proper type was used until 73251678c83cbe24d08264da693411b166239bc7. This covers all of the OS's that currently have V4L2 support, permutations of Linux glibc/musl, Android bionic, FreeBSD, NetBSD, OpenBSD, Solaris. Copied from FreeBSD ports patch. Signed-off-by: Brad Smith Signed-off-by: Marton Balint (cherry picked from commit 9e674b31606c805dd31b4bb754364a72a5877238) Signed-off-by: Brad Smith --- libavdevice/v4l2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index 5340382d57..c880e6a4a9 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -106,10 +106,10 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#ifdef __GLIBC__ - int (*ioctl_f)(int fd, unsigned long int request, ...); -#else +#if defined(__sun) || defined(__BIONIC__) || defined(__musl__) /* POSIX-like */ int (*ioctl_f)(int fd, int request, ...); +#else + int (*ioctl_f)(int fd, unsigned long int request, ...); #endif ssize_t (*read_f)(int fd, void *buffer, size_t n); void *(*mmap_f)(void *start, size_t length, int prot, int flags, int fd, int64_t offset); From 2d50a0e84a51070d6e4c72871a6a52727f1207cd Mon Sep 17 00:00:00 2001 
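Review bot: In libavdevice/v4l2.c the new `#if defined(__sun) || defined(__BIONIC__) || defined(__musl__)` depends on `__musl__`, which musl libc does not define itself as far as I know, so unless the build passes it explicitly a musl build takes the `unsigned long int request` branch. `ioctl_f` would then be declared with a type that differs from the libc `ioctl()` it is presumably assigned (the assignment is outside this hunk), and calling through a mismatched function-pointer type is undefined behaviour that newer compilers reject. A configure-time probe of the real `ioctl()` prototype would be more robust than a list of libc names; at minimum add a comment such as `/* __musl__ must be supplied by the build system; musl defines no identifying macro */`.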
From: Brad Smith Date: Sat, 18 May 2024 07:38:40 -0400 Subject: [PATCH 352/562] avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD Use the machdep.altivec sysctl on NetBSD for AltiVec detection as is done with OpenBSD. (cherry picked from commit 115c96b9bd53e775f425f23d5b73fa0a9dedbd08) Signed-off-by: Brad Smith --- libavutil/ppc/cpu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavutil/ppc/cpu.c b/libavutil/ppc/cpu.c index bc8bb5f47c..2b13cda662 100644 --- a/libavutil/ppc/cpu.c +++ b/libavutil/ppc/cpu.c @@ -27,7 +27,7 @@ #if HAVE_UNISTD_H #include #endif -#elif defined(__OpenBSD__) +#elif defined(__NetBSD__) || defined(__OpenBSD__) #include #include #include @@ -56,8 +56,8 @@ int ff_get_cpu_flags_ppc(void) if (result == VECTORTYPE_ALTIVEC) return AV_CPU_FLAG_ALTIVEC; return 0; -#elif defined(__APPLE__) || defined(__OpenBSD__) -#ifdef __OpenBSD__ +#elif defined(__APPLE__) || defined(__NetBSD__) || defined(__OpenBSD__) +#if defined(__NetBSD__) || defined(__OpenBSD__) int sels[2] = {CTL_MACHDEP, CPU_ALTIVEC}; #else int sels[2] = {CTL_HW, HW_VECTORUNIT}; From 41c2da99f7ed45676a5ea1d66c7be90bc129db72 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 30 Apr 2024 19:16:49 +0200 Subject: [PATCH 353/562] avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash Regression since fd172185580c1ccdcfb90bbfdb59fa806fad3117; triggered by vp4/KTkvw8dg1J8.avi in the FATE suite, but not when running fate as this code is not used when the bitexact flag is set. Bisecting done by ami_stuff, patch from user Mika Fischer in ticket #10027 (which this commit fixes). Signed-off-by: Andreas Rheinhardt (cherry picked from commit c3ca90a92e7211aef8ad1d044518a34f6ba137d7) --- libavcodec/x86/vp3dsp_init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/vp3dsp_init.c b/libavcodec/x86/vp3dsp_init.c index f54fa57b3e..edac1764cb 100644 --- a/libavcodec/x86/vp3dsp_init.c +++ b/libavcodec/x86/vp3dsp_init.c 
@@ -53,7 +53,7 @@ av_cold void ff_vp3dsp_init_x86(VP3DSPContext *c, int flags) if (!(flags & AV_CODEC_FLAG_BITEXACT)) { c->v_loop_filter = c->v_loop_filter_unaligned = ff_vp3_v_loop_filter_mmxext; - c->h_loop_filter = c->v_loop_filter_unaligned = ff_vp3_h_loop_filter_mmxext; + c->h_loop_filter = c->h_loop_filter_unaligned = ff_vp3_h_loop_filter_mmxext; } } From 389861c02151a3373d252e2c4718be9e3cb67aa1 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 18 May 2024 19:55:30 -0400 Subject: [PATCH 354/562] configure: enable ffnvcodec, nvenc, nvdec for FreeBSD Signed-off-by: Brad Smith (cherry picked from commit 43b1a956789bf0d5796769427d40c78e460c247f) Signed-off-by: Brad Smith --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index c60ab0adc4..42bd6b5397 100755 --- a/configure +++ b/configure @@ -6959,7 +6959,7 @@ fi if enabled x86; then case $target_os in - mingw32*|mingw64*|win32|win64|linux|cygwin*) + freebsd|mingw32*|mingw64*|win32|win64|linux|cygwin*) ;; *) disable ffnvcodec cuvid nvdec nvenc From 1f3baf72181679ac94e45cae5082fae6689adaa8 Mon Sep 17 00:00:00 2001 
From: llyyr Date: Thu, 23 May 2024 14:07:51 +0530 Subject: [PATCH 355/562] lavc/vp9: reset segmentation fields when segmentation isn't enabled Fields under the segmentation switch are never reset on a new frame, and retain the value from the previous frame. This bugs out a bunch of hwaccel drivers when segmentation is disabled but update_map isn't reset because they don't ignore values behind switches. This commit also resets the temporal field, though it may not be required. We also do this for vp8 [1] so this commit is just mirroring the vp8 logic. This fixes an issue with certain samples [2] that causes blocky artifacts with vaapi, d3d11va and cuda (and possibly others). Mesa worked around [3] this by ignoring these fields if segmentation.enabled is 0, but d3d11va still displays blocky artifacts. [1] https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/2e877090f958131accb8c7e5ac10e5b9865d1735:/libavcodec/vp8.c#l797 [2] https://github.com/mpv-player/mpv/issues/13533 [3] https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27816 Signed-off-by: llyyr --- libavcodec/vp9.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index fee79fb45b..27b5409be0 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -712,6 +712,12 @@ static int decode_frame_header(AVCodecContext *avctx, s->s.h.segmentation.feat[i].skip_enabled = get_bits1(&s->gb); } } + } else { + // Reset fields under segmentation switch if segmentation is disabled. + // This is necessary because some hwaccels don't ignore these fields + // if segmentation is disabled. + s->s.h.segmentation.temporal = 0; + s->s.h.segmentation.update_map = 0; } // set qmul[] based on Y/UV, AC/DC and segmentation Q idx deltas From 32af5cb10ac879a2ee8dda094df8d49aacdd418e Mon Sep 17 00:00:00 2001 
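Review bot: The comment on the new `else` branch in decode_frame_header() says it resets the fields under the segmentation switch, but the branch clears only `segmentation.temporal` and `segmentation.update_map`. The context just above shows other state parsed behind the same switch (`segmentation.feat[i].skip_enabled`), and that keeps whatever the last segmentation-enabled frame set. If that is intentional, the comment should say so, e.g. `// Only temporal and update_map are cleared; per-segment feature data is deliberately left untouched.`; if not, a hwaccel that ignores `segmentation.enabled` would still see stale values for those fields. The function starts and continues outside this hunk.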
From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:43:19 +0200 Subject: [PATCH 356/562] avfilter/signature_lookup: Fix 2 differences to the refernce SW Fixes: CID1403227 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 25cb66369e7b81bd280f0bdd6d51a0e2e11881e3) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index ad012ecced..208e9cb936 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -501,10 +501,10 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * continue; /* matching sequence is too short */ if ((double) goodfcount / (double) fcount < sc->thit) continue; - if ((double) goodfcount*0.5 < FFMAX(gooda, goodb)) + if ((double) goodfcount*0.5 <= FFMAX(gooda, goodb)) continue; - meandist = (double) goodfcount / (double) distsum; + meandist = (double) distsum / (double) goodfcount; if (meandist < minmeandist || status == (STATUS_END_REACHED | STATUS_BEGIN_REACHED) || From 601e4fb1f067ecb455b3ea0b92d6092c2ea31291 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:57:43 +0200 Subject: [PATCH 357/562] avfilter/signature_lookup: Dont copy uninitialized stuff around Fixes: CID1403238 Uninitialized pointer read Fixes: CID1403239 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e7174e66ac6025cea4b8e590525314d3aea6a134) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 208e9cb936..362825935f 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c 
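Review bot: The protection against dividing by zero in `meandist = (double) distsum / (double) goodfcount;` in evaluate_parameters() is only implicit. It works because the preceding test changed from `<` to `<=`, so `goodfcount == 0` now reaches `continue` (assuming `gooda` and `goodb` are non-negative counts, which this hunk does not show). Nothing in the code records that dependency, and a later edit back to `<` would quietly reintroduce the float division by zero that Coverity reported. I would add a comment on that test, e.g. `/* <= (not <) also rejects goodfcount == 0, keeping the division below defined */`. The function starts and ends outside the hunk.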
@@ -453,14 +453,14 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * } if (tolerancecount > 2) { - a = aprev; - b = bprev; if (dir == DIR_NEXT) { /* turn around */ a = infos->first; b = infos->second; dir = DIR_PREV; } else { + a = aprev; + b = bprev; break; } } From d9ccbd71f482b8ccfaf937710e8b47c6fa120cd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 03:09:54 +0200 Subject: [PATCH 358/562] avfilter/vf_thumbnail_cuda: Set ret before checking it Fixes: CID1418336 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Timo Rothenpieler Signed-off-by: Michael Niedermayer (cherry picked from commit 02301017d28422e4d0a4badb16f2226e70ec534a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_thumbnail_cuda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_thumbnail_cuda.c b/libavfilter/vf_thumbnail_cuda.c index c8dd905123..40a3b75dd0 100644 --- a/libavfilter/vf_thumbnail_cuda.c +++ b/libavfilter/vf_thumbnail_cuda.c @@ -290,7 +290,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) hist[i] = 4 * hist[i]; } - CHECK_CU(cu->cuCtxPopCurrent(&dummy)); + ret = CHECK_CU(cu->cuCtxPopCurrent(&dummy)); if (ret < 0) return ret; From b9867cade36c94663c2a5c28de0e57116dbbaab1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:20:38 +0200 Subject: [PATCH 359/562] doc/examples/vaapi_transcode: Simplify loop Fixes: CID1428858(1/2) Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: "mypopy@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit c9c11a0866d45827201b034349bceb2dc58a3499) Signed-off-by: Michael Niedermayer --- doc/examples/vaapi_transcode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/examples/vaapi_transcode.c b/doc/examples/vaapi_transcode.c index a174bb643a..ca0cb95442 100644 --- a/doc/examples/vaapi_transcode.c +++ b/doc/examples/vaapi_transcode.c 
@@ -218,10 +218,8 @@ static int dec_enc(AVPacket *pkt, const AVCodec *enc_codec) fail: av_frame_free(&frame); - if (ret < 0) - return ret; } - return 0; + return ret; } int main(int argc, char **argv) From 2f0919b26a3dd36958269f130d7f7bd9f4cdbebc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 00:09:02 +0200 Subject: [PATCH 360/562] avcodec/hevcdec: Check ref frame Fixes: NULL pointer dereferences Fixes: 68197/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6382538823106560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 5eb05f44503da3fdff82f1fed8ee2706d9841a9a) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 2e3ee9dc6e..9bf8a5edaa 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -1914,13 +1914,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0, if (current_mv.pred_flag & PF_L0) { ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; - if (!ref0 || !ref0->frame->data[0]) + if (!ref0 || !ref0->frame) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; - if (!ref1 || !ref1->frame->data[0]) + if (!ref1 || !ref1->frame) return; hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH); } From dc9d2eb69d553e3bb144f2253def6b8e6ad4ff7d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 23:22:53 +0200 Subject: [PATCH 361/562] avcodec/pngdec: Check last AVFrame before deref Fixes: NULL pointer dereference Fixes: 68184/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4926478069334016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
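Review bot: In hls_prediction_unit() the new guards `if (!ref0 || !ref0->frame)` and `if (!ref1 || !ref1->frame)` replace the old `->frame->data[0]` test instead of adding to it, and the pngdec patch that follows does the same with `!s->last_picture.f` in decode_fctl_chunk(). Whether that is sufficient depends on how this release branch manages those AVFrame pointers, which neither hunk shows: if the AVFrame is allocated once and only its buffers are released, the pointer is never NULL and a reference with no picture data now passes the check. Keeping both conditions is safe under either scheme: `if (!ref0 || !ref0->frame || !ref0->frame->data[0])`, likewise for `ref1`, and `!s->last_picture.f || !s->last_picture.f->data[0]` in pngdec. Both functions extend beyond their hunks.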
Signed-off-by: Michael Niedermayer (cherry picked from commit 091fdce87e88c8622d8af89ffa6cbb0dc20c3816) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index b085154fbc..0da2ae8b6b 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1027,7 +1027,7 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } - if ((sequence_number == 0 || !s->last_picture.f->data[0]) && + if ((sequence_number == 0 || !s->last_picture.f) && dispose_op == APNG_DISPOSE_OP_PREVIOUS) { // No previous frame to revert to for the first frame // Spec says to just treat it as a APNG_DISPOSE_OP_BACKGROUND From 06cc1197e500b6bed8792c9d52b4dc88b8e4df3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 21:09:45 +0200 Subject: [PATCH 362/562] avcodec/ac3_parser: Check init_get_bits8() for failure Fixes: CID1420393 Unchecked return value Sponsored-by: Sovereign Tech Fund Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 63415168dbd96475372e37ae0fd47bafe151e2f0) Signed-off-by: Michael Niedermayer --- libavcodec/ac3_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index 4f154bb7c4..9ca8992c2b 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -185,7 +185,9 @@ int av_ac3_parse_header(const uint8_t *buf, size_t size, AC3HeaderInfo hdr; int err; - init_get_bits8(&gb, buf, size); + err = init_get_bits8(&gb, buf, size); + if (err < 0) + return AVERROR_INVALIDDATA; err = ff_ac3_parse_header(&gb, &hdr); if (err < 0) return AVERROR_INVALIDDATA; From a2e4f3e5f4b425cfe71b373d2805646d73b6637a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 29 Apr 2024 23:44:25 +0200 Subject: [PATCH 363/562] avformat/kvag: Check sample_rate Fixes: Division by 0 Fixes: -copyts -start_at_zero -itsoffset 00:00:01 -itsscale 1 -ss 00:00:02 -i zgclab/ffmpeg_crash/poc1 output.mp4 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit c26a762ea1bf028a33554a5f7a18d8dd7d82f5a8) Signed-off-by: Michael Niedermayer --- libavformat/kvag.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/kvag.c b/libavformat/kvag.c index 7c3816ab82..cae2b12287 100644 --- a/libavformat/kvag.c +++ b/libavformat/kvag.c @@ -36,7 +36,7 @@ typedef struct KVAGHeader { uint32_t magic; uint32_t data_size; - uint32_t sample_rate; + int sample_rate; uint16_t stereo; } KVAGHeader; @@ -68,6 +68,9 @@ static int kvag_read_header(AVFormatContext *s) hdr.sample_rate = AV_RL32(buf + 8); hdr.stereo = AV_RL16(buf + 12); + if (hdr.sample_rate <= 0) + return AVERROR_INVALIDDATA; + par = st->codecpar; par->codec_type = AVMEDIA_TYPE_AUDIO; par->codec_id = AV_CODEC_ID_ADPCM_IMA_SSI; From a17885a73d373a1d15fdcbd55a6b1e9cf0f40209 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 03:46:33 +0200 Subject: [PATCH 364/562] avformat/mxfdec: Check body_offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 538976288 - -9223372036315799520 cannot be represented in type 'long' Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5523457266745344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 20a6bfda0f7c6447ac94611736cee6e9ce6972a0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) 
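Review bot: The range check added to kvag_read_header() only rejects very large sample rates because `AV_RL32(buf + 8)` is now stored in an `int sample_rate` field: values of 0x80000000 and above turn negative through an implementation-defined conversion and are then caught by `<= 0`. That works on the usual targets, but it hides the intent and changes the header struct's field type just to obtain a bounds check. Keeping `uint32_t sample_rate` and stating the range explicitly is clearer: `if (hdr.sample_rate == 0 || hdr.sample_rate > INT_MAX) return AVERROR_INVALIDDATA;`. The later uses of `sample_rate` are outside this hunk.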
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 5c7acb5d00..c31f88bee9 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -778,6 +778,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size partition->index_sid = avio_rb32(pb); partition->body_offset = avio_rb64(pb); partition->body_sid = avio_rb32(pb); + if (partition->body_offset < 0) + return AVERROR_INVALIDDATA; + if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) { av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n"); return AVERROR_INVALIDDATA; From 4408336d9eb7a55564abe471524d55d6204e48af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 15:50:56 +0200 Subject: [PATCH 365/562] avcodec/avs2_parser: Assert init_get_bits8() success with const size 15 Fixes: CID1506708 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a7c4f119c91bcb3791a3c242ee61a5c60379db4f) Signed-off-by: Michael Niedermayer --- libavcodec/avs2_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/avs2_parser.c b/libavcodec/avs2_parser.c index 0350517493..21f03b5578 100644 --- a/libavcodec/avs2_parser.c +++ b/libavcodec/avs2_parser.c @@ -72,13 +72,15 @@ static void parse_avs2_seq_header(AVCodecParserContext *s, const uint8_t *buf, unsigned aspect_ratio; unsigned frame_rate_code; int low_delay; + av_unused int ret; // update buf_size_min if parse more deeper const int buf_size_min = 15; if (buf_size < buf_size_min) return; - init_get_bits8(&gb, buf, buf_size_min); + ret = init_get_bits8(&gb, buf, buf_size_min); + av_assert1(ret >= 0); s->key_frame = 1; s->pict_type = AV_PICTURE_TYPE_I; From d71036b4559cecb5e1d8cb989b47d858d52921bc Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 1 May 2024 21:17:25 +0200 Subject: [PATCH 366/562] avcodec/avs3_parser: assert the return value of init_get_bits() Fixes: CID1492867 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f9218e4d52e16494ed816651a110dfe0ad22638c) Signed-off-by: Michael Niedermayer --- libavcodec/avs3_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/avs3_parser.c b/libavcodec/avs3_parser.c index a9fd879e9d..cd667967b6 100644 --- a/libavcodec/avs3_parser.c +++ b/libavcodec/avs3_parser.c @@ -73,7 +73,8 @@ static void parse_avs3_nal_units(AVCodecParserContext *s, const uint8_t *buf, GetBitContext gb; int profile, ratecode, low_delay; - init_get_bits8(&gb, buf + 4, buf_size - 4); + av_unused int ret = init_get_bits(&gb, buf + 4, 100); + av_assert1(ret >= 0); s->key_frame = 1; s->pict_type = AV_PICTURE_TYPE_I; From 91df1b66c717899e474805520e79b0582923fbc7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:35 +0200 Subject: [PATCH 367/562] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Fixes: signed integer overflow: -831176 * 9539 cannot be represented in type 'int' Fixes: 67869/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5117342091640832 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a56559e688ffde40fcda5588123ffcb978da86d7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 094c58b1b5..f2b9cc6938 100644 --- a/libswscale/output.c +++ b/libswscale/output.c 
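Review bot: The new call `init_get_bits(&gb, buf + 4, 100)` in parse_avs3_nal_units() does more than assert a return value: it replaces a reader sized from `buf_size - 4` bytes with one fixed at 100 bits, which the commit message does not mention. With the constant, the bit reader no longer knows where the packet ends, so for a short sequence header the following reads rely on whatever padding the caller provides; any length check on `buf_size` is outside this hunk. I would clamp the size to the data actually present, e.g. `init_get_bits(&gb, buf + 4, FFMIN(100, 8 * FFMIN(13, buf_size - 4)))`, or add a comment stating why 100 bits are always available. Also, `av_assert1()` is only active at raised assert levels, so in normal builds it documents the expectation rather than enforcing it.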
@@ -1180,8 +1180,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; 
@@ -1205,20 +1205,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } 
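Review bot: Only the luma terms became unsigned in yuv2rgba64_1_c_template(); the chroma products are still plain `int` arithmetic, e.g. `G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff;` and `B = U * c->yuv2rgb_u2b_coeff;`, with `U` and `V` declared `int` in the previous hunk. The commit message says the fuzzer fills all 16 bits of the input, so these multiplications look open to the same signed overflow for out-of-range chroma, although the coefficient ranges are not visible here. If so, the same treatment applies, for instance `G = V * (SUINT)c->yuv2rgb_v2g_coeff + U * (SUINT)c->yuv2rgb_u2g_coeff;`. The pattern recurs in the later hunks of this file and in the yuv2rgba64_full_1_c_template() hunks of the next patch.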
@@ -1226,8 +1226,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A1 = 0xffff<<14, A2 = 0xffff<<14; for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; 
@@ -1251,20 +1251,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From 3ca9febc6e4c0289c2b6071900d886d49b451646 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:36 +0200 Subject: [PATCH 368/562] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() Fixes: signed integer overflow: -1082982400 + -1079364728 cannot be represented in type 'int' Fixes: 67910/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5329011971522560 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1330a73ccadd855542ac4386f75fd72ff0ab5ea1) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index f2b9cc6938..7ccd4cefe0 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1399,7 +1399,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < dstW; i++) { - int Y = (buf0[i]) >> 2; + SUINT Y = (buf0[i]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; @@ -1418,9 +1418,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; 
@@ -1432,7 +1432,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0xffff<<14; for (i = 0; i < dstW; i++) { - int Y = (buf0[i] ) >> 2; + SUINT Y = (buf0[i] ) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; @@ -1451,9 +1451,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From 7618da9b2ddf004e0d1ea6e109e4c2dc886fe8dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Apr 2024 18:38:42 +0200 Subject: [PATCH 369/562] avcodec/mpegvideo_enc: Fix 1 line and one column images Fixes: Ticket10952 Fixes: poc21ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 4b05253fc9..c528ac188e 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
@@ -1087,8 +1087,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? h_chroma_shift : 0; int v_shift = i ? v_chroma_shift : 0; - int w = s->width >> h_shift; - int h = s->height >> v_shift; + int w = AV_CEIL_RSHIFT(s->width , h_shift); + int h = AV_CEIL_RSHIFT(s->height, v_shift); uint8_t *src = pic_arg->data[i]; uint8_t *dst = pic->f->data[i]; int vpad = 16; From c379893ebe8a301ec7d4a7fa087a3b2515e92350 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Apr 2024 00:47:31 +0200 Subject: [PATCH 370/562] avformat/concatdec: Check file Fixes: null pointer dereference Fixes: -stream_loop 1 -ss 00:00:05 -i zgclab/ffmpeg_crash/poc2 -codec:v copy -codec:a aac -y output.mp4 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit a5d1497f33afa17b6a3578b66638e69bf8a558de) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index b1c4efcbf5..adbe3103ad 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -637,6 +637,11 @@ static int concat_parse_script(AVFormatContext *avf) } } + if (!file) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + if (file->inpoint != AV_NOPTS_VALUE && file->outpoint != AV_NOPTS_VALUE) { if (file->inpoint > file->outpoint || file->outpoint - (uint64_t)file->inpoint > INT64_MAX) From c3471d55c595da429000bd2802469e1da9b0789a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Apr 2024 03:08:14 +0200 Subject: [PATCH 371/562] doc/examples/demux_decode: Simplify loop Fixes: CID1463550 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 91d27f7e02e5bec4b6e53cc7a7f15df8be017bb3) 
Signed-off-by: Michael Niedermayer --- doc/examples/demuxing_decoding.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/doc/examples/demuxing_decoding.c b/doc/examples/demuxing_decoding.c index 999a78db0d..beaa89a869 100644 --- a/doc/examples/demuxing_decoding.c +++ b/doc/examples/demuxing_decoding.c @@ -138,11 +138,9 @@ static int decode_packet(AVCodecContext *dec, const AVPacket *pkt) ret = output_audio_frame(frame); av_frame_unref(frame); - if (ret < 0) - return ret; } - return 0; + return ret; } static int open_codec_context(int *stream_idx, From b0754513f481a37f17921286052346e394cd04a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 18:33:24 +0200 Subject: [PATCH 372/562] tools/opt_common: Check for malloc failure Fixes: CID1539100 Negative loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ba7038043a46420bc86b060dbb13b956ea50ac03) Signed-off-by: Michael Niedermayer --- fftools/opt_common.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/fftools/opt_common.c b/fftools/opt_common.c index ae5e28a5af..938a6a66c9 100644 --- a/fftools/opt_common.c +++ b/fftools/opt_common.c @@ -722,10 +722,13 @@ int show_codecs(void *optctx, const char *opt, const char *arg) return 0; } -static void print_codecs(int encoder) +static int print_codecs(int encoder) { const AVCodecDescriptor **codecs; - unsigned i, nb_codecs = get_codecs_sorted(&codecs); + int i, nb_codecs = get_codecs_sorted(&codecs); + + if (nb_codecs < 0) + return nb_codecs; printf("%s:\n" " V..... = Video\n" 
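Review bot: The new `if (nb_codecs < 0) return nb_codecs;` in print_codecs() only has an effect if get_codecs_sorted() reports allocation failure with a negative return, and this patch does not touch that function (the diffstat's 8 insertions and 6 deletions are all accounted for by print_codecs(), show_decoders() and show_encoders()). If get_codecs_sorted() in this branch still returns an unsigned count or terminates on failure, the check is dead code, so please confirm its return type is `int` here. show_codecs(), named in the hunk header, presumably calls the same helper and should get the same check so that both callers handle the failure alike.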
@@ -759,18 +762,17 @@ static void print_codecs(int encoder) } } av_free(codecs); + return 0; } int show_decoders(void *optctx, const char *opt, const char *arg) { - print_codecs(0); - return 0; + return print_codecs(0); } int show_encoders(void *optctx, const char *opt, const char *arg) { - print_codecs(1); - return 0; + return print_codecs(1); } int show_bsfs(void *optctx, const char *opt, const char *arg) From b76f24c7087c1d4684470a1cd4be2cb3a2ac7c05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 01:10:50 +0200 Subject: [PATCH 373/562] fftools/ffplay: Check return of swr_alloc_set_opts2() This probably makes no difference but its more correct Fixes: CID1503080 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f44f44155533822922f6d2f24e5c53c14e432612) Signed-off-by: Michael Niedermayer --- fftools/ffplay.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index 846a763088..99c93e5fb9 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -2358,12 +2358,13 @@ static int audio_decode_frame(VideoState *is) av_channel_layout_compare(&af->frame->ch_layout, &is->audio_src.ch_layout) || af->frame->sample_rate != is->audio_src.freq || (wanted_nb_samples != af->frame->nb_samples && !is->swr_ctx)) { + int ret; swr_free(&is->swr_ctx); - swr_alloc_set_opts2(&is->swr_ctx, + ret = swr_alloc_set_opts2(&is->swr_ctx, &is->audio_tgt.ch_layout, is->audio_tgt.fmt, is->audio_tgt.freq, &af->frame->ch_layout, af->frame->format, af->frame->sample_rate, 0, NULL); - if (!is->swr_ctx || swr_init(is->swr_ctx) < 0) { + if (ret < 0 || swr_init(is->swr_ctx) < 0) { av_log(NULL, AV_LOG_ERROR, "Cannot create sample rate converter for conversion of %d Hz %s %d channels to %d Hz %s %d channels!\n", af->frame->sample_rate, av_get_sample_fmt_name(af->frame->format), af->frame->ch_layout.nb_channels, 
From ed6b5d616439f4ca2c7075c05b514d0fa00cad85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 21:44:33 +0200 Subject: [PATCH 374/562] avcodec/cbs_av1: Avoid shift overflow Fixes: CID1465488 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d7924a4f60f2088de1e6790345caba929eb97030) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 1229480567..6913bc6781 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -379,7 +379,7 @@ static int cbs_av1_write_increment(CodedBitstreamContext *ctx, PutBitContext *pb } if (len > 0) - put_bits(pbc, len, (1 << len) - 1 - (value != range_max)); + put_bits(pbc, len, (1U << len) - 1 - (value != range_max)); return 0; } From f7fcdeb6a0e9a1aa0d3ed2eacc503404c8409cb8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:13:17 +0200 Subject: [PATCH 375/562] libavutil/base64: Try not to write over the array end Signed-off-by: Michael Niedermayer (cherry picked from commit 2d216566f258badd07bc58de1e089b6e4175dc46) Signed-off-by: Michael Niedermayer --- libavutil/base64.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/base64.c b/libavutil/base64.c index 3e66f4fcbe..69e11e6f5e 100644 --- a/libavutil/base64.c +++ b/libavutil/base64.c @@ -127,10 +127,12 @@ validity_check: } out3: - *dst++ = v >> 10; + if (end - dst) + *dst++ = v >> 10; v <<= 2; out2: - *dst++ = v >> 4; + if (end - dst) + *dst++ = v >> 4; out1: out0: return bits & 1 ? AVERROR_INVALIDDATA : out ? dst - out : 0; From 353cc497cc3629654d67757592b169a8b7ae3a67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:14:16 +0200 Subject: [PATCH 376/562] avutil/tests/base64: Check with too short output array 
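Review bot: With the two `if (end - dst)` guards at `out3:` and `out2:` in libavutil/base64.c, decoded bytes that do not fit are dropped and the function still returns `dst - out` as success, so a caller cannot tell a complete decode from one cut short by a small out_size. That contract should be stated in the av_base64_decode documentation (not visible here), for example `/* Output beyond out_size is discarded; the return value counts only the bytes written. */`. Writing the guards as `if (dst < end)` would also state the intent more directly than testing a pointer difference for non-zero. The function body starts outside the hunk.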
Signed-off-by: Michael Niedermayer (cherry picked from commit c304784a86cc7e2af211ed80ce2121e788680a8e) Signed-off-by: Michael Niedermayer --- libavutil/tests/base64.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavutil/tests/base64.c b/libavutil/tests/base64.c index 400e01cefe..66d0fdc1fc 100644 --- a/libavutil/tests/base64.c +++ b/libavutil/tests/base64.c @@ -64,6 +64,16 @@ static int test_encode_decode(const uint8_t *data, unsigned int data_size, printf("Failed: decode to NULL buffer\n"); return 1; } + if (data_size > 0 && (data2_size = av_base64_decode(data2, encoded, data_size - 1)) != data_size - 1) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } + if (data_size > 1 && (data2_size = av_base64_decode(data2, encoded, data_size - 2)) != data_size - 2) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } if (strlen(encoded)) { char *end = strchr(encoded, '='); if (!end) From 0a27f1d3318c7204b7d286a7141052162299ba61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 20:50:44 +0200 Subject: [PATCH 377/562] avcodec/lpc: copy levenson coeffs only when they have been computed Fixes: CID1473514 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c2d897f3566fdf5c190583c6f5197ead5abec2ed) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index 3238ad5fc8..66f7a745f7 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -244,8 +244,10 @@ int ff_lpc_calc_coefs(LPCContext *s, double av_uninit(weight); memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var)); - for(j=0; j 1) + for(j=0; j Date: Mon, 6 May 2024 03:17:26 +0200 Subject: [PATCH 378/562] avcodec/h264_slice: Remove dead sps check Fixes: CID1439574 Dereference after null check Sponsored-by: Sovereign Tech Fund 
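Review bot: Both new checks in test_encode_decode print "out of array write" but only compare the return value with the shortened size; nothing verifies that the byte just past the limit was left alone. If data2 is larger than data_size, as it appears to be, an overrun would pass unnoticed unless the test runs under a sanitizer. Setting a sentinel before the first call, `data2[data_size - 1] = ~data[data_size - 1];`, and adding `|| data2[data_size - 1] != (uint8_t)~data[data_size - 1]` to its condition (and the same at index `data_size - 2` for the second call) would make the test detect the write itself. The declaration of data2 is outside the hunk, so its element type is assumed to be uint8_t.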
Signed-off-by: Michael Niedermayer (cherry picked from commit a68aa951b21b8b7db0a5200bcfebc0a077a5f094) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d56722a5c2..fd0c6401b0 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1551,7 +1551,7 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, sps = h->ps.sps; - if (sps && sps->bitstream_restriction_flag && + if (sps->bitstream_restriction_flag && h->avctx->has_b_frames < sps->num_reorder_frames) { h->avctx->has_b_frames = sps->num_reorder_frames; } From 21249e8cbef15d37b2d7664b2070325a91c5c274 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 May 2024 23:29:26 +0200 Subject: [PATCH 379/562] avcodec/fmvc: remove dead assignment Fixes: CID1529220 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96c116254527cc40b386f14b77e17fbe2388d5da) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 912ad8fc82..6d7f12130e 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -101,7 +101,6 @@ static int decode_type2(GetByteContext *gb, PutByteContext *pb) continue; } } - repeat = 0; } repeat = 1; } From cb03082cfa9ea501b496fb4f5cd3745340af21b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 May 2024 23:25:10 +0200 Subject: [PATCH 380/562] avcodec/exr: Fix preview overflow Fixes: CID1515456 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 36126e4c142e43cc703f4b8c535d388ac5e403a4) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index f05117c98c..12db6d4236 100644 
--- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1956,7 +1956,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) "preview", 16)) >= 0) { uint32_t pw = bytestream2_get_le32(gb); uint32_t ph = bytestream2_get_le32(gb); - uint64_t psize = pw * ph; + uint64_t psize = pw * (uint64_t)ph; if (psize > INT64_MAX / 4) { ret = AVERROR_INVALIDDATA; goto fail; From 52af506fdb348fac505e1c984225f3b1a8226a7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 02:05:56 +0200 Subject: [PATCH 381/562] avcodec/qsvdec: Check av_image_get_buffer_size() for failure Fixes: CID1477406 Improper use of negative value Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 8789c550faf4587527faf0bd4f6c6c5c64a04ae2) Signed-off-by: Michael Niedermayer --- libavcodec/qsvdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/qsvdec.c b/libavcodec/qsvdec.c index 5fc5bed4c8..4b2c55c8fd 100644 --- a/libavcodec/qsvdec.c +++ b/libavcodec/qsvdec.c @@ -347,9 +347,12 @@ static int qsv_decode_init_context(AVCodecContext *avctx, QSVContext *q, mfxVide q->frame_info = param->mfx.FrameInfo; - if (!avctx->hw_frames_ctx) - q->pool = av_buffer_pool_init(av_image_get_buffer_size(avctx->pix_fmt, - FFALIGN(avctx->width, 128), FFALIGN(avctx->height, 64), 1), av_buffer_allocz); + if (!avctx->hw_frames_ctx) { + ret = av_image_get_buffer_size(avctx->pix_fmt, FFALIGN(avctx->width, 128), FFALIGN(avctx->height, 64), 1); + if (ret < 0) + return ret; + q->pool = av_buffer_pool_init(ret, av_buffer_allocz); + } return 0; } From 21fd9fb7db8d2283a7ca70de17b04aa28a58deeb Mon Sep 17 00:00:00 2001 
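Review bot: In the qsvdec.c hunk the result of av_buffer_pool_init() is stored in `q->pool` without a NULL check, so an allocation failure still lets qsv_decode_init_context return 0 with no pool. Adding `if (!q->pool) return AVERROR(ENOMEM);` inside the new braces closes that path. How later code uses `q->pool` is outside the hunk, so the exact consequence of a NULL pool is inferred.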
From: Michael Niedermayer Date: Fri, 10 May 2024 16:07:04 +0200 Subject: [PATCH 382/562] avcodec/jpeg2000dec: remove ST=3 case MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1460979 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4ed4f9a6c0a99c823706bfc4bb4df53f963f2f5a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 686a4f9758..a317040fc3 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -911,9 +911,6 @@ static int get_tlm(Jpeg2000DecoderContext *s, int n) case 2: bytestream2_get_be16(&s->g); break; - case 3: - bytestream2_get_be32(&s->g); - break; } if (SP == 0) { bytestream2_get_be16(&s->g); From 5bc913c2351cb179e33b8adc3611203e27e3edcf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 03:16:08 +0200 Subject: [PATCH 383/562] avcodec/vp3: Replace check by assert Fixes: CID1452425 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1b991e77b9b19392214f6a788541bea5662de337) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index e6505df01c..3d031ba852 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2016,8 +2016,7 @@ static int vp4_mc_loop_filter(Vp3DecodeContext *s, int plane, int motion_x, int x_offset = (-(x + 2) & 7) + 2; y_offset = (-(y + 2) & 7) + 2; - if (x_offset > 8 + x_subpel && y_offset > 8 + y_subpel) - return 0; + av_assert1(!(x_offset > 8 + x_subpel && y_offset > 8 + y_subpel)); s->vdsp.emulated_edge_mc(loop, motion_source - stride - 1, loop_stride, stride, From 61332f89a62c0b8622325e70f94bee8897c0bfda Mon Sep 17 00:00:00 2001 
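Review bot: Replacing the early `return 0` in vp4_mc_loop_filter with `av_assert1()` leaves builds below assert level 1 with no guard before `emulated_edge_mc`, so the change is only safe if the condition truly cannot hold. From the two visible assignments x_offset and y_offset range over 2..9, so the condition needs both to be 9 with x_subpel and y_subpel at zero (assuming they are never negative); what excludes that case is not visible in the hunk. A one-line comment above the assert naming the earlier check or invariant that rules it out would let a reader verify the claim. The function continues outside the hunk.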
From: Michael Niedermayer Date: Sat, 18 May 2024 00:32:43 +0200 Subject: [PATCH 384/562] avcodec/vble: Check av_image_get_buffer_size() for failure Fixes: CID1461482 Improper use of negative value Sponsored-by: Sovereign Tech Fund Reviewed-.by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit dd5379db5d83d8b06654582afe327daa6be678a3) Signed-off-by: Michael Niedermayer --- libavcodec/vble.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vble.c b/libavcodec/vble.c index f7ab17d621..3e89b708ee 100644 --- a/libavcodec/vble.c +++ b/libavcodec/vble.c @@ -191,6 +191,9 @@ static av_cold int vble_decode_init(AVCodecContext *avctx) ctx->size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + if (ctx->size < 0) + return ctx->size; + ctx->val = av_malloc_array(ctx->size, sizeof(*ctx->val)); if (!ctx->val) { From 701ca03b0063a09e9fe5d536dbe55bc9282dad41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 21:04:00 +0200 Subject: [PATCH 385/562] avcodec/mpeg12dec: Use 64bit in bit computation I dont think this can actually overflow but 64bit seems reasonable to use Fixes: CID1521983 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4c725df059dd9a5f2071e204924105b3ceb74cbc) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 0e8627c4a4..57ee5eaac1 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c 
@@ -2979,7 +2979,7 @@ static int ipu_decode_frame(AVCodecContext *avctx, AVFrame *frame, int ret; // Check for minimal intra MB size (considering mb header, luma & chroma dc VLC, ac EOB VLC) - if (avpkt->size*8LL < (avctx->width+15)/16 * ((avctx->height+15)/16) * (2 + 3*4 + 2*2 + 2*6)) + if (avpkt->size*8LL < (avctx->width+15)/16 * ((avctx->height+15)/16) * (2LL + 3*4 + 2*2 + 2*6)) return AVERROR_INVALIDDATA; ret = ff_get_buffer(avctx, frame, 0); From ed40d4850b889dc1580e74736b8ce228e0aa5403 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 22:08:21 +0200 Subject: [PATCH 386/562] avcodec/mpeg4videodec: assert impossible wrap points Helps: CID1473517 Uninitialized scalar variable Helps: CID1473497 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8fc649b931a3cbc3a2dd9b50b75a9261a2fb4b49) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 46c6f9026b..ed2c124c7b 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -420,6 +420,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; + default: + av_assert0(0); } /* try to simplify the situation */ if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && From cb4e45231cdb3447c9690906b4edcd0b88f68a56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 May 2024 00:13:58 +0200 Subject: [PATCH 387/562] avcodec/mpegvideo_enc: Fix potential overflow in RD Fixes: CID1500285 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b6b2b01025e016ce29e5add57305384a663edcfc) 
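Review bot: In the ipu_decode_frame size check the `2LL` widens only the last multiplication; `(avctx->width+15)/16 * ((avctx->height+15)/16)` is still evaluated first, left to right, in int. Casting one of the macroblock counts performs the whole product in 64 bit: `if (avpkt->size*8LL < (avctx->width+15)/16 * (int64_t)((avctx->height+15)/16) * (2 + 3*4 + 2*2 + 2*6))`. Whether dimensions large enough to overflow the int product can reach this function depends on validation outside the hunk.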
Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index c528ac188e..d1c64a921d 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1327,7 +1327,7 @@ static int estimate_best_b_count(MpegEncContext *s) goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); } /* get the delayed frames */ @@ -1336,7 +1336,7 @@ static int estimate_best_b_count(MpegEncContext *s) ret = out_size; goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); rd += c->error[0] + c->error[1] + c->error[2]; From 21fe5ce6937ee634d7ea0ffc170d85692c7c5093 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 May 2024 00:43:48 +0200 Subject: [PATCH 388/562] avcodec/mscc & mwsc: Check loop counts before use This could cause timeouts Fixes: CID1439568 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e35fe3d8b9e345527a05b1ae958ac851fe09f1ed) Signed-off-by: Michael Niedermayer --- libavcodec/mscc.c | 6 ++++++ libavcodec/mwsc.c | 11 +++++++++++ 2 files changed, 17 insertions(+) diff --git a/libavcodec/mscc.c b/libavcodec/mscc.c index 3666b881a1..19a9f9cf8f 100644 --- a/libavcodec/mscc.c +++ b/libavcodec/mscc.c @@ -54,6 +54,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont unsigned run = bytestream2_get_byte(gb); if (run) { + if (bytestream2_get_bytes_left_p(pb) < run * s->bpp) + return AVERROR_INVALIDDATA; + switch (avctx->bits_per_coded_sample) { case 8: fill = bytestream2_get_byte(gb); 
@@ -102,6 +105,9 @@ static int rle_uncompress(AVCodecContext *avctx, GetByteContext *gb, PutByteCont bytestream2_seek_p(pb, y * avctx->width * s->bpp + x * s->bpp, SEEK_SET); } else { + if (bytestream2_get_bytes_left_p(pb) < copy * s->bpp) + return AVERROR_INVALIDDATA; + for (j = 0; j < copy; j++) { switch (avctx->bits_per_coded_sample) { case 8: diff --git a/libavcodec/mwsc.c b/libavcodec/mwsc.c index 499b220a07..dc3b098a51 100644 --- a/libavcodec/mwsc.c +++ b/libavcodec/mwsc.c @@ -52,6 +52,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext if (run == 0) { run = bytestream2_get_le32(gb); + + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; @@ -63,6 +67,10 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext int pos = bytestream2_tell_p(pb); bytestream2_seek(gbp, pos, SEEK_SET); + + if (pos + width - w < fill) + return AVERROR_INVALIDDATA; + for (int j = 0; j < fill; j++, w++) { if (w == width) { w = 0; @@ -74,6 +82,9 @@ static int rle_uncompress(GetByteContext *gb, PutByteContext *pb, GetByteContext intra = 0; } else { + if (bytestream2_tell_p(pb) + width - w < run) + return AVERROR_INVALIDDATA; + for (int j = 0; j < run; j++, w++) { if (w == width) { w = 0; From 84953f5c232e10d14ea85ef54779f7545195b8b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 23:25:42 +0200 Subject: [PATCH 389/562] avformat/demux: resurrect dead stores Fixes: CID1473512 Unused value Fixes: CID1529228 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 33da5f4e2717cc947cf44ad9a52668694ea4ee82) Signed-off-by: Michael Niedermayer --- libavformat/demux.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/demux.c b/libavformat/demux.c index 1620716716..ab433f4068 100644 --- a/libavformat/demux.c +++ b/libavformat/demux.c 
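Review bot: The three bounds added to rle_uncompress in libavcodec/mwsc.c (`bytestream2_tell_p(pb) + width - w < run` twice, and `pos + width - w < fill`) add a byte position in pb to what looks like a column count and compare against the position rather than the space left, with no explanation of why that is the right limit. A comment on the first check would make it reviewable, e.g. stating that output is presumably written towards lower offsets so the current position bounds the remaining work; the seek logic that would confirm this is outside the hunks. The declared types of `run` and `fill` are not visible either, and they decide how values above INT_MAX compare with the int expression on the left.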
@@ -2415,7 +2415,7 @@ static int add_coded_side_data(AVStream *st, AVCodecContext *avctx) int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) { FFFormatContext *const si = ffformatcontext(ic); - int count = 0, ret = 0; + int count = 0, ret = 0, err; int64_t read_size; AVPacket *pkt1 = si->pkt; int64_t old_offset = avio_tell(ic->pb); @@ -2931,9 +2931,11 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) } } - ret = compute_chapters_end(ic); - if (ret < 0) + err = compute_chapters_end(ic); + if (err < 0) { + ret = err; goto find_stream_info_err; + } /* update the stream parameters from the internal codec contexts */ for (unsigned i = 0; i < ic->nb_streams; i++) { From 2f9a4353bb38f75a67fe9e994deadeeaa78a0f95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 00:50:02 +0200 Subject: [PATCH 390/562] avdevice/dshow: fix badly indented line Signed-off-by: Michael Niedermayer (cherry picked from commit c4004605b2fa6e2ecbd1cfc2a1da382e4f5237a5) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 5946a72cc2..fdea1ceb4a 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1369,7 +1369,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, goto error; } } - if (ctx->device_filter[otherDevType]) { + if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { From 3ab1855847eca3991d425e20235a4616cd943ab6 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 20 May 2024 21:55:44 +0200 Subject: [PATCH 391/562] avutil/tests/dict: Check av_dict_set() before get for failure Failure is possible due to strdup() Fixes: CID1516764 Dereference null return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e8a1e1899d9ededd78f8ec4722fe80c345bbf8f7) Signed-off-by: Michael Niedermayer --- libavutil/tests/dict.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavutil/tests/dict.c b/libavutil/tests/dict.c index 56e98557a7..4c526f72f4 100644 --- a/libavutil/tests/dict.c +++ b/libavutil/tests/dict.c @@ -122,12 +122,15 @@ int main(void) //valgrind sensible test printf("\nTesting av_dict_set() with existing AVDictionaryEntry.key as key\n"); - av_dict_set(&dict, "key", "old", 0); + if (av_dict_set(&dict, "key", "old", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); - av_dict_set(&dict, e->key, "new val OK", 0); + if (av_dict_set(&dict, e->key, "new val OK", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); - av_dict_set(&dict, e->key, e->value, 0); + if (av_dict_set(&dict, e->key, e->value, 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); av_dict_free(&dict); From b2864f699e96f201c53ffe19165fd5be1348813e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2024 22:52:38 +0200 Subject: [PATCH 392/562] avutil/tests/opt: Check av_set_options_string() for failure This is test code after all so it should test things Fixes: CID1518990 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e3481730ed9b3b781a0d85370826bcc57d601958) Signed-off-by: Michael Niedermayer --- libavutil/tests/opt.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavutil/tests/opt.c b/libavutil/tests/opt.c index 5799e45c6a..2cc41647f1 100644 --- a/libavutil/tests/opt.c 
+++ b/libavutil/tests/opt.c @@ -217,6 +217,7 @@ int main(void) { TestContext test_ctx = { 0 }; char *buf; + int ret; test_ctx.class = &test_class; av_log_set_level(AV_LOG_QUIET); @@ -227,8 +228,10 @@ int main(void) av_opt_free(&test_ctx); memset(&test_ctx, 0, sizeof(test_ctx)); test_ctx.class = &test_class; - av_set_options_string(&test_ctx, buf, "=", ","); + ret = av_set_options_string(&test_ctx, buf, "=", ","); av_free(buf); + if (ret < 0) + printf("Error ret '%d'\n", ret); if (av_opt_serialize(&test_ctx, 0, 0, &buf, '=', ',') >= 0) { printf("%s\n", buf); av_free(buf); From b8dfe07c5099277c8c37138e04701fb35f1808d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 01:30:13 +0200 Subject: [PATCH 393/562] swscale/x86/swscale: use a clearer name for INPUT_PLANER_RGB_A_FUNC_CASE related: CID1497114 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 3f9daf1c18c2f0fb9e6d0b94af8e92cafc0cf010) Signed-off-by: Michael Niedermayer --- libswscale/x86/swscale.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index 628f12137c..ee26e52dee 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c @@ -649,7 +649,7 @@ switch(c->dstBpc){ \ } -#define INPUT_PLANER_RGB_A_FUNC_CASE(fmt, name, opt) \ +#define INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(fmt, name, opt) \ case fmt: \ c->readAlpPlanar = ff_planar_##name##_to_a_##opt; 
@@ -672,15 +672,15 @@ switch(c->dstBpc){ \ break; #define INPUT_PLANER_RGBAXX_YUVA_FUNC_CASE(rgb_fmt, rgba_fmt, name, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##LE, name##le, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##LE, name##le, opt) \ INPUT_PLANER_RGB_YUV_FUNC_CASE(rgb_fmt##LE, name##le, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##BE, name##be, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##BE, name##be, opt) \ INPUT_PLANER_RGB_YUV_FUNC_CASE(rgb_fmt##BE, name##be, opt) #define INPUT_PLANER_RGBAXX_UVA_FUNC_CASE(rgb_fmt, rgba_fmt, name, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##LE, name##le, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##LE, name##le, opt) \ INPUT_PLANER_RGB_UV_FUNC_CASE(rgb_fmt##LE, name##le, opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE(rgba_fmt##BE, name##be, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(rgba_fmt##BE, name##be, opt) \ INPUT_PLANER_RGB_UV_FUNC_CASE(rgb_fmt##BE, name##be, opt) #define INPUT_PLANER_RGBAXX_YUV_FUNC_CASE(rgb_fmt, rgba_fmt, name, opt) \ @@ -696,7 +696,7 @@ switch(c->dstBpc){ \ INPUT_PLANER_RGB_UV_FUNC_CASE(rgb_fmt##BE, name##be, opt) #define INPUT_PLANER_RGB_YUVA_ALL_CASES(opt) \ - INPUT_PLANER_RGB_A_FUNC_CASE( AV_PIX_FMT_GBRAP, rgb, opt) \ + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(AV_PIX_FMT_GBRAP, rgb, opt) \ INPUT_PLANER_RGB_YUV_FUNC_CASE( AV_PIX_FMT_GBRP, rgb, opt) \ INPUT_PLANER_RGBXX_YUV_FUNC_CASE( AV_PIX_FMT_GBRP9, rgb9, opt) \ INPUT_PLANER_RGBAXX_YUVA_FUNC_CASE(AV_PIX_FMT_GBRP10, AV_PIX_FMT_GBRAP10, rgb10, opt) \ @@ -708,7 +708,7 @@ switch(c->dstBpc){ \ if (EXTERNAL_SSE2(cpu_flags)) { switch (c->srcFormat) { - INPUT_PLANER_RGB_A_FUNC_CASE( AV_PIX_FMT_GBRAP, rgb, sse2); + INPUT_PLANER_RGB_A_FUNC_CASE_NOBREAK(AV_PIX_FMT_GBRAP, rgb, sse2); INPUT_PLANER_RGB_UV_FUNC_CASE( AV_PIX_FMT_GBRP, rgb, sse2); INPUT_PLANER_RGBXX_UV_FUNC_CASE( AV_PIX_FMT_GBRP9, rgb9, sse2); INPUT_PLANER_RGBAXX_UVA_FUNC_CASE( AV_PIX_FMT_GBRP10, AV_PIX_FMT_GBRAP10, rgb10, sse2); 
From 3b94cf8b20b683c26503fb5fcf2ae1e137d39764 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 01:35:08 +0200 Subject: [PATCH 394/562] swscale/yuv2rgb: Use 64bit for brightness computation This will not overflow for normal values Fixes: CID1500280 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bfc22f364d31d8f2dc2acae1bd03d5894a00b8c5) Signed-off-by: Michael Niedermayer --- libswscale/yuv2rgb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 6ee483d12a..5f21ff9c52 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -829,7 +829,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], cbu = (cbu * contrast * saturation) >> 32; cgu = (cgu * contrast * saturation) >> 32; cgv = (cgv * contrast * saturation) >> 32; - oy -= 256 * brightness; + oy -= 256LL * brightness; c->uOffset = 0x0400040004000400LL; c->vOffset = 0x0400040004000400LL; From f3424f04704fb9ec5fff5e248626d08419aa95a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 23:53:28 +0200 Subject: [PATCH 395/562] avcodec/tiff: Assert init_get_bits8() success in horizontal_fill() Helps: CID1441167 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8814cedb079d5827e07a92e9424c2314bd0a6047) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index b4a1c2f040..0e18a04f09 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
@@ -410,7 +410,8 @@ static void av_always_inline horizontal_fill(TiffContext *s, uint8_t shift = is_dng ? 0 : 16 - bpp; GetBitContext gb; - init_get_bits8(&gb, src, width); + int ret = init_get_bits8(&gb, src, width); + av_assert1(ret >= 0); for (int i = 0; i < s->width; i++) { dst16[i] = get_bits(&gb, bpp) << shift; } From bc5b55a4caadfd4458dd4a73c2885fc19cad9863 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 23:58:30 +0200 Subject: [PATCH 396/562] avcodec/tiff: Assert init_get_bits8() success in unpack_gray() Helps: CID1441939 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a287f17db22c0c85f0445a1d31139cc70e73205e) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 0e18a04f09..8a649ee5be 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -445,7 +445,8 @@ static void unpack_gray(TiffContext *s, AVFrame *p, GetBitContext gb; uint16_t *dst = (uint16_t *)(p->data[0] + lnum * p->linesize[0]); - init_get_bits8(&gb, src, width); + int ret = init_get_bits8(&gb, src, width); + av_assert1(ret >= 0); for (int i = 0; i < s->width; i++) { dst[i] = get_bits(&gb, bpp); From b7efe0f704898c426aa73c8bfa6d61b0bec2d8cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 01:25:50 +0200 Subject: [PATCH 397/562] avdevice/pulse_audio_enc: Use av_rescale() to avoid integer overflow Fixes: CID1503075 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6f52b64bcc345842a88a40ddf3873559f1160e34) Signed-off-by: Michael Niedermayer --- libavdevice/pulse_audio_enc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavdevice/pulse_audio_enc.c b/libavdevice/pulse_audio_enc.c index d5928e2b3f..dd52ea94aa 100644 --- a/libavdevice/pulse_audio_enc.c 
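Review bot: `av_assert1(ret >= 0)` in horizontal_fill is compiled out unless the build uses assert level 1 or higher, so in a default build a failing init_get_bits8() still runs straight into the get_bits() loop, and `ret` is then written but never read. Since the function returns void, the practical options are a comment naming the caller-side check that keeps `width` valid for init_get_bits8(), or `av_assert0(ret >= 0);` if aborting is acceptable here. The same applies to the identical change in unpack_gray in the following patch. Both function bodies extend beyond their hunks, so the guarantees on `src` and `width` are not visible.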
+++ b/libavdevice/pulse_audio_enc.c @@ -470,10 +470,11 @@ static av_cold int pulse_write_header(AVFormatContext *h) s->nonblocking = (h->flags & AVFMT_FLAG_NONBLOCK); if (s->buffer_duration) { - int64_t bytes = s->buffer_duration; - bytes *= st->codecpar->ch_layout.nb_channels * st->codecpar->sample_rate * - av_get_bytes_per_sample(st->codecpar->format); - bytes /= 1000; + int64_t bytes = av_rescale(s->buffer_duration, + st->codecpar->ch_layout.nb_channels * + (int64_t)st->codecpar->sample_rate * + av_get_bytes_per_sample(st->codecpar->format), + 1000); buffer_attributes.tlength = FFMAX(s->buffer_size, av_clip64(bytes, 0, UINT32_MAX - 1)); av_log(s, AV_LOG_DEBUG, "Buffer duration: %ums recalculated into %"PRId64" bytes buffer.\n", From 1763189d0e93e3c8ddc78af2a2d0c6a493ecd2bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 01:51:53 +0200 Subject: [PATCH 398/562] avformat/ape: Use 64bit for final frame size Fixes: CID1505963 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a2b8d03347930c051358fcbbdc557e57e157d9c9) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index d6c8ec23b0..b0587989b7 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -290,7 +290,7 @@ static int ape_read_header(AVFormatContext * s) final_size -= final_size & 3; } if (file_size <= 0 || final_size <= 0) - final_size = ape->finalframeblocks * 8; + final_size = ape->finalframeblocks * 8LL; ape->frames[ape->totalframes - 1].size = final_size; for (i = 0; i < ape->totalframes; i++) { From 66e306b8e3a6da3f60f2714b57b177f930f993ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 02:12:09 +0200 Subject: [PATCH 399/562] avformat/argo_asf: Use 64bit in offset intermediate Fixes: CID1467435 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund 
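Review bot: In the ape.c hunk the `8LL` product is assigned to `final_size` and, on the next line, to `ape->frames[ape->totalframes - 1].size`; neither declaration is in the hunk. If either is a 32-bit int the 64-bit result is narrowed straight back, so the overflow turns into a truncation instead of going away. In that case a range check before the store, such as `if (final_size > INT_MAX) return AVERROR_INVALIDDATA;`, would be needed, subject to whatever cleanup ape_read_header requires on its error paths.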
Signed-off-by: Michael Niedermayer (cherry picked from commit d9d1f65308d40502015272a3d1cc9f805c77e075) Signed-off-by: Michael Niedermayer --- libavformat/argo_asf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/argo_asf.c b/libavformat/argo_asf.c index 39a60a0dde..f628cdaa23 100644 --- a/libavformat/argo_asf.c +++ b/libavformat/argo_asf.c @@ -257,7 +257,7 @@ static int argo_asf_seek(AVFormatContext *s, int stream_index, return -1; offset = asf->fhdr.chunk_offset + ASF_CHUNK_HEADER_SIZE + - (block * st->codecpar->block_align); + block * (int64_t)st->codecpar->block_align; if ((offset = avio_seek(s->pb, offset, SEEK_SET)) < 0) return offset; From 8b19671c78fece55081612367e0862402565927c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 02:27:28 +0200 Subject: [PATCH 400/562] avformat/asfdec_f: Use 64bit for preroll computation Fixes: CID1500342 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 70b499476213a198ac0f39450cddaea4b34662f5) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index aa7aaa6ab6..dd9b34e035 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -670,7 +670,7 @@ static int asf_read_marker(AVFormatContext *s) avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time - pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000); + pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000LL); avio_rl16(pb); // entry length avio_rl32(pb); // send time avio_rl32(pb); // flags From a0f0e6d813799b5e21b27746415abfba9b88e84d Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 23 May 2024 02:33:37 +0200 Subject: [PATCH 401/562] avcodec/sga: Make it clear that the return is intentionally not checked Related: CID1473496 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 00d029d5c0b7029720265d579389a348220decfb) Signed-off-by: Michael Niedermayer --- libavcodec/sga.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sga.c b/libavcodec/sga.c index cdd37feb70..7da27cc1aa 100644 --- a/libavcodec/sga.c +++ b/libavcodec/sga.c @@ -72,7 +72,7 @@ static int decode_palette(GetByteContext *gb, uint32_t *pal) return AVERROR_INVALIDDATA; memset(pal, 0, 16 * sizeof(*pal)); - init_get_bits8(&gbit, gb->buffer, 18); + (void)init_get_bits8(&gbit, gb->buffer, 18); for (int RGBIndex = 0; RGBIndex < 3; RGBIndex++) { for (int index = 0; index < 16; index++) { From c48387a3f532429f5b805ff6d2203201e816d23a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 May 2024 13:18:13 +0200 Subject: [PATCH 402/562] avformat/fwse: Remove always false expression Fixes: CID1460758 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 348c3a7ffe0c3aecf35f1a26a9f321a4e608dab7) Signed-off-by: Michael Niedermayer --- libavformat/fwse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/fwse.c b/libavformat/fwse.c index 28a322d9d6..78a9e975ff 100644 --- a/libavformat/fwse.c +++ b/libavformat/fwse.c @@ -66,7 +66,7 @@ static int fwse_read_header(AVFormatContext *s) av_channel_layout_default(&par->ch_layout, channels); st->duration = avio_rl32(pb); par->sample_rate = avio_rl32(pb); - if (par->sample_rate <= 0 || par->sample_rate > INT_MAX) + if (par->sample_rate <= 0) return AVERROR_INVALIDDATA; par->block_align = 1; From f85527cd8b6db115f147e449a0145cfe5aad8a17 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:31 +0200 Subject: [PATCH 403/562] avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation This issue cannot happen with the current function parameters Fixes: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 847a53f264db0b22dcc5a23ca9ade71a627f1c6c) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 0e5a6ed947..6148f0dacf 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -57,7 +57,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; } - err2 += (array[j] - ref[j]) * (array[j] - ref[j]); + err2 += (array[j] - ref[j]) * (int64_t)(array[j] - ref[j]); array[j] = ref[j]; } ff_dwt_destroy(s); From 2b7260fbb793a37b3532440ffdb2c04b40c6fab4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:32 +0200 Subject: [PATCH 404/562] avcodec/tests/jpeg2000dwt: Use 64bit in comparission Found while reviewing: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 12391b732f811fc6e868be2f08dc188e508d2567) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 6148f0dacf..520ecc05a3 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c 
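Review bot: The subtraction `array[j] - ref[j]` in the new `err2` line is still evaluated in `int` on both sides, so the `(int64_t)` cast widens only the multiplication. The commit message says the current test parameters cannot trigger this, but widening the difference itself keeps the line correct if the inputs ever change: `int64_t d = array[j] - (int64_t)ref[j]; err2 += d * d;`. test_dwt() starts and ends outside the hunk.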
@@ -52,7 +52,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i return 1; } for (j = 0; j max_diff) { + if (FFABS(array[j] - (int64_t)ref[j]) > max_diff) { fprintf(stderr, "missmatch at %d (%d != %d) decomp:%d border %d %d %d %d\n", j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; From 896af4bd3e3d15ad33b3b7e7e6b44e2fdedc7162 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 04:49:15 +0200 Subject: [PATCH 405/562] avcodec/wavpackenc: Use unsigned for potential 31bit shift Fixes: CID1465481 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6f976db251864ad698c935130370774783bf12f4) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 1f95768c09..4e31a44be2 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -1979,7 +1979,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); @@ -2008,7 +2008,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); From 442d18371ecd7f448ca058baff1813158ca4a135 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2024 04:13:14 +0200 Subject: [PATCH 406/562] avcodec/rv34: assert that size is not 0 in rv34_gen_vlc_ext() Helps: CID1548380 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5098589b0ca74b3f52e09bae277306a1fc0cd43) 
Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 5f3b7d31cd..8a0a2945ca 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -98,6 +98,8 @@ static void rv34_gen_vlc(const uint8_t *bits, int size, VLC *vlc, const uint8_t uint16_t cw[MAX_VLC_SIZE]; int maxbits; + av_assert1(size > 0); + for (int i = 0; i < size; i++) counts[bits[i]]++; From 4d9530afdfbd6cafa6b008262c5e6be89285b691 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2024 21:16:00 +0200 Subject: [PATCH 407/562] avcodec/scpr3: Check add_dec() for failure Fixes: CID1441459 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d741638042d827aed994b819857d6587121627ab) Signed-off-by: Michael Niedermayer --- libavcodec/scpr3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index 274f99ce71..85524feafe 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c @@ -466,6 +466,8 @@ static int decode_adaptive6(PixelModel3 *m, uint32_t code, uint32_t *value, return 0; grow_dec(m); c = add_dec(m, q, g, f); + if (c < 0) + return AVERROR_INVALIDDATA; } incr_cntdec(m, c); @@ -869,11 +871,11 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t sync_code3(gb, rc); break; case 6: - if (!decode_adaptive6(m, code, value, &a, &b)) { + ret = decode_adaptive6(m, code, value, &a, &b); + if (!ret) ret = update_model6_to_7(m); - if (ret < 0) - return AVERROR_INVALIDDATA; - } + if (ret < 0) + return ret; decode3(gb, rc, a, b); sync_code3(gb, rc); break; From 9e46b70436305ee77f8087bf24239a1d704f95ed Mon Sep 17 00:00:00 2001 
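Review bot: `av_assert1(size > 0)` is compiled out unless FFmpeg is built with an assert level above 0, so in a default build this line states the invariant for the analyzer but does not enforce it at run time. A comment would make that explicit, for example `/* size is a fixed table size; the assert documents size > 0 for static analysis */`, with the wording adjusted once the callers, which are not visible here, are confirmed to pass only constant sizes. The subject line names rv34_gen_vlc_ext() while the hunk header shows rv34_gen_vlc(), which is worth a word in the commit message of the backport.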
From: Michael Niedermayer Date: Fri, 17 May 2024 00:46:24 +0200 Subject: [PATCH 408/562] avcodec/tests/dct: Use 64bit in intermediate for error computation Fixes: CID1500284 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 161d0aa2a8d18f1f8a01cbc4c1061eadcbe592e5) Signed-off-by: Michael Niedermayer --- libavcodec/tests/dct.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/dct.c b/libavcodec/tests/dct.c index c847af2f11..fca36283c4 100644 --- a/libavcodec/tests/dct.c +++ b/libavcodec/tests/dct.c @@ -224,8 +224,8 @@ static int dct_error(const struct algo *dct, int test, int is_idct, int speed, c v = abs(err); if (v > err_inf) err_inf = v; - err2_matrix[i] += v * v; - err2 += v * v; + err2_matrix[i] += v * (int64_t)v; + err2 += v * (int64_t)v; sysErr[i] += block[i] - block1[i]; blockSumErr += v; if (abs(block[i]) > maxout) From 85242a8aafd80cf2b3a67f28b54c881ac8b3f6f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 00:45:29 +0200 Subject: [PATCH 409/562] avcodec/notchlc: Check init_get_bits8() for failure Fixes: CID1500300 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 19db9636c52c040d364fe9af94ddeeb1ecfd2c2a) Signed-off-by: Michael Niedermayer --- libavcodec/notchlc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index f6d62b8a4b..8b5902ca49 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c 
@@ -243,7 +243,9 @@ static int decode_blocks(AVCodecContext *avctx, AVFrame *p, bytestream2_seek(&dgb, s->y_data_offset + row_offset, SEEK_SET); - init_get_bits8(&bit, dgb.buffer, bytestream2_get_bytes_left(&dgb)); + ret = init_get_bits8(&bit, dgb.buffer, bytestream2_get_bytes_left(&dgb)); + if (ret < 0) + return ret; for (int x = 0; x < avctx->width; x += 4) { unsigned item = bytestream2_get_le32(gb); unsigned y_min = item & 4095; From 206816e91546ead0fd90cbecb7422bdf9004d68e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2024 01:14:21 +0200 Subject: [PATCH 410/562] avcodec/pcm-dvdenc: 64bit pkt-size It seems nothing prevents such overflow even though odd Fixes: CID1441934 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 160b81ce2a87b0835125da7c72ab7ed8c0918c45) Signed-off-by: Michael Niedermayer --- libavcodec/pcm-dvdenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm-dvdenc.c b/libavcodec/pcm-dvdenc.c index 0881697c17..6aa05f22f6 100644 --- a/libavcodec/pcm-dvdenc.c +++ b/libavcodec/pcm-dvdenc.c @@ -117,7 +117,7 @@ static int pcm_dvd_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, { PCMDVDContext *s = avctx->priv_data; int samples = frame->nb_samples * avctx->ch_layout.nb_channels; - int64_t pkt_size = (frame->nb_samples / s->samples_per_block) * s->block_size + 3; + int64_t pkt_size = (int64_t)(frame->nb_samples / s->samples_per_block) * s->block_size + 3; int blocks = (pkt_size - 3) / s->block_size; const int16_t *src16; const int32_t *src32; From 417723acccd4fbc2f21ef97af42cee046edb3b7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 411/562] avcodec/vp8: Check mutex init Fixes: CID1598556 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4ac7405aafb8e66dff2ac926f33b7ff755f224cf) 
Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index f521f2c9de..3083378151 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -243,7 +243,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) return AVERROR(ENOMEM); } #if HAVE_THREADS - pthread_mutex_init(&s->thread_data[i].lock, NULL); + ret = pthread_mutex_init(&s->thread_data[i].lock, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } pthread_cond_init(&s->thread_data[i].cond, NULL); #endif } From 188fe46e92ccb4c90d91987c85a251e77efebcfb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 412/562] avcodec/vp8: Check cond init Fixes: CID1598563 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9b76e49061a321467df23f7b1c8e8e715c8dec71) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 3083378151..4dba264076 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -248,7 +248,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) free_buffers(s); return AVERROR(ret); } - pthread_cond_init(&s->thread_data[i].cond, NULL); + ret = pthread_cond_init(&s->thread_data[i].cond, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } #endif } From 5d891ffbe5c796df42e8ff44833fa89175b27f3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 May 2024 23:30:49 +0200 Subject: [PATCH 413/562] avcodec/ilbcdec: Remove dead code Yes the same dead code is in "iLBC Speech Coder ANSI-C Source Code" Fixes: CID1509370 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8a64a003b5d567354e82af679e056615c8464a6f) 
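Review bot: Both new failure paths call `free_buffers(s)` while `thread_data` is only partly set up: entries after `i` have neither a mutex nor a condition variable yet, and in the `pthread_cond_init()` path of the second vp8.c hunk entry `i` has a mutex but no condition variable. free_buffers() is not visible here; if it destroys `lock` and `cond` for every entry, it would be called on objects that were never initialised, which POSIX leaves undefined. Either confirm that and say so at the call, e.g. `/* free_buffers() tolerates entries whose lock/cond were never initialised */`, or record how many entries were initialised so cleanup stops there. update_dimensions() starts and ends outside both hunks.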
Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index 62a9ad19bf..1cce96cc13 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -1094,12 +1094,6 @@ static void do_plc(int16_t *plc_residual, /* (o) concealed residual */ if (s->consPLICount * s->block_samples > 320) { use_gain = 29491; /* 0.9 in Q15 */ - } else if (s->consPLICount * s->block_samples > 640) { - use_gain = 22938; /* 0.7 in Q15 */ - } else if (s->consPLICount * s->block_samples > 960) { - use_gain = 16384; /* 0.5 in Q15 */ - } else if (s->consPLICount * s->block_samples > 1280) { - use_gain = 0; /* 0.0 in Q15 */ } /* Compute mixing factor of picth repeatition and noise: From f466265169957e61f29890550cea34b16d480dae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:07:40 +0200 Subject: [PATCH 414/562] avformat/sdp: Check before appending "," Found by reviewing code related to CID1500301 String not null terminated Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5b82852519e92a2b94de0f22da1a81df5b3e0412) Signed-off-by: Michael Niedermayer --- libavformat/sdp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 99a19852ff..5b1d22a301 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -201,6 +201,8 @@ static int extradata2psets(AVFormatContext *s, const AVCodecParameters *par, continue; } if (p != (psets + strlen(pset_string))) { + if (p - psets >= MAX_PSET_SIZE) + goto fail_in_loop; *p = ','; p++; } @@ -211,6 +213,7 @@ static int extradata2psets(AVFormatContext *s, const AVCodecParameters *par, if (!av_base64_encode(p, MAX_PSET_SIZE - (p - psets), r, r1 - r)) { av_log(s, AV_LOG_ERROR, "Cannot Base64-encode %"PTRDIFF_SPECIFIER" %"PTRDIFF_SPECIFIER"!\n", MAX_PSET_SIZE - (p - psets), r1 - r); +fail_in_loop: av_free(psets); av_free(tmpbuf); 
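Review bot: The `goto fail_in_loop` added in the first sdp.c hunk lands after the `av_log()` call shown in the second hunk, so running out of room for the separator frees the buffers and fails without any message, unlike the Base64 failure beside it. A log line before the jump would make the two paths consistent, for example `av_log(s, AV_LOG_ERROR, "Parameter sets exceed %d bytes\n", MAX_PSET_SIZE);`. The label also sits inside the body of the `if (!av_base64_encode(...))` block, so the jump enters a nested block; a one-line comment at the label saying it is shared cleanup would help. extradata2psets() starts and ends outside these hunks.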
From 040db2b44747c1b0f39dc0c3f5e050e097af6037 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 00:53:51 +0200 Subject: [PATCH 415/562] fftools/cmdutils: Add protective () to FLAGS issue found while reviewing CID1452612 Free of array-typed value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d9b9fc4be26014eb7221d9bbc297a5323d5ad40b) Signed-off-by: Michael Niedermayer --- fftools/cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index 18e768b386..1c75cfa536 100644 --- a/fftools/cmdutils.c +++ b/fftools/cmdutils.c @@ -506,7 +506,7 @@ static const AVOption *opt_find(void *obj, const char *name, const char *unit, return o; } -#define FLAGS (o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0 +#define FLAGS ((o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0) int opt_default(void *optctx, const char *opt, const char *arg) { const AVOption *o; From 4446e6b55fe4b47f1a4b9ff26b63eb6fe0ff03ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Jun 2024 23:32:43 +0200 Subject: [PATCH 416/562] avdevice/xcbgrab: Check sscanf() return Alot more input checking can be performed, this is only checking the obvious missing case Fixes: CID1598562 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 78d6d13babc62fa14727ee590e5a9661f23a0d9f) Signed-off-by: Michael Niedermayer --- libavdevice/xcbgrab.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavdevice/xcbgrab.c b/libavdevice/xcbgrab.c index 64a68ba497..e76af06331 100644 --- a/libavdevice/xcbgrab.c +++ b/libavdevice/xcbgrab.c 
@@ -826,7 +826,10 @@ static av_cold int xcbgrab_read_header(AVFormatContext *s) if (!sscanf(s->url, "%[^+]+%d,%d", display_name, &c->x, &c->y)) { *display_name = 0; - sscanf(s->url, "+%d,%d", &c->x, &c->y); + if(sscanf(s->url, "+%d,%d", &c->x, &c->y) != 2) { + if (*s->url) + av_log(s, AV_LOG_WARNING, "Ambigous URL: %s\n", s->url); + } } c->conn = xcb_connect(display_name[0] ? display_name : NULL, &screen_num); From 5f4036b66bb12c806b5d4e96254ea0e0d78ad6d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:28:16 +0200 Subject: [PATCH 417/562] avformat/img2dec: Move DQT after unrelated if() Fixes: CID1494636 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7d04c6016b0971fecb890d3a0afe4e6706a1a68e) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index e7ff26e5dd..23bfcd2bef 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -791,7 +791,6 @@ static int jpeg_probe(const AVProbeData *p) return 0; state = EOI; break; - case DQT: case APP0: if (AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F')) got_header = 1; @@ -812,6 +811,7 @@ static int jpeg_probe(const AVProbeData *p) case APP13: case APP14: case APP15: + case DQT: /* fallthrough */ case COM: i += AV_RB16(&b[i + 2]) + 1; break; From 393005575b3238074449f8506c93adc9df128761 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:56:31 +0200 Subject: [PATCH 418/562] avformat/img2dec: Little JFIF / Exif cleanup This changes the behavior and makes it behave how it probably was intended. Either way this is unlikely to result in any user visible change Fixes: CID1494637 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5712f36dd0ee0144b92edd2147e24b3724d7ec89) 
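Review bot: The new path in xcbgrab_read_header() only warns and continues, so when the inner `sscanf()` matches one of the two numbers, `c->x` is taken from the URL while `c->y` keeps its earlier value. If continuing is intended, a comment should say so. The nested test can be a single condition, `if (sscanf(s->url, "+%d,%d", &c->x, &c->y) != 2 && *s->url)`, and the message has a typo that should read `"Ambiguous URL: %s\n"`. The unbounded `%[^+]` conversion on the context line relies on `display_name` being at least as large as the URL; that allocation is outside the hunk and should be confirmed there.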
Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 23bfcd2bef..4e0bb6bff2 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -792,11 +792,13 @@ static int jpeg_probe(const AVProbeData *p) state = EOI; break; case APP0: - if (AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F')) + if (c == APP0 && AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F')) got_header = 1; + /* fallthrough */ case APP1: - if (AV_RL32(&b[i + 4]) == MKTAG('E','x','i','f')) + if (c == APP1 && AV_RL32(&b[i + 4]) == MKTAG('E','x','i','f')) got_header = 1; + /* fallthrough */ case APP2: case APP3: case APP4: From 8dc091daee4532264c8c06e5a081d35b8892ba18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 01:19:36 +0200 Subject: [PATCH 419/562] avformat/libzmq: Check av_strstart() Fixes: CID1453457 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0263b6a48caaff839e4c28df15b299b89c7da92d) Signed-off-by: Michael Niedermayer --- libavformat/libzmq.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/libzmq.c b/libavformat/libzmq.c index 04c72ac601..f4bb849e46 100644 --- a/libavformat/libzmq.c +++ b/libavformat/libzmq.c @@ -94,7 +94,10 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) return AVERROR_EXTERNAL; } - av_strstart(uri, "zmq:", &uri); + if (av_strstart(uri, "zmq:", &uri)) { + av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); + return AVERROR(EINVAL); + } /*publish during write*/ if (h->flags & AVIO_FLAG_WRITE) { From e0e1a3893d1fba0721fc348831f269a5206cb4f1 Mon Sep 17 00:00:00 2001 
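Review bot: In `case APP0:` the added `c == APP0 &&` is always true, because the preceding case ends in `break;` and nothing falls through into this label any more (assuming the switch is on `c`, which is outside the hunk). That reintroduces the kind of no-effect operand the analyzer reports elsewhere in this series, so the APP0 test can stay as `if (AV_RL32(&b[i + 4]) == MKTAG('J','F','I','F'))`. The `c == APP1` test is the one that matters, since APP0 now falls through into it. jpeg_probe() starts and ends outside the hunk.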
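Review bot: The new check in zmq_proto_open() is inverted: `av_strstart()` returns non-zero when the string does start with the prefix, so this branch rejects every URL that carries `zmq:` and lets URLs without it continue. The condition should be negated, `if (!av_strstart(uri, "zmq:", &uri)) {`. With the negation the log message is also right, because `uri` is only advanced past the prefix when it matched. zmq_proto_open() starts and ends outside the hunk.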
From: Michael Niedermayer Date: Mon, 3 Jun 2024 01:25:59 +0200 Subject: [PATCH 420/562] avformat/matroskadec: Assert that num_levels is non negative Maybe Closes: CID1452496 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 019fce18bb0628ac8bc47a81d647a23d604b6123) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 3d85e63ca9..9a3615812e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3848,7 +3848,7 @@ static int matroska_parse_cluster(MatroskaDemuxContext *matroska) MatroskaBlock *block = &cluster->block; int res; - av_assert0(matroska->num_levels <= 2); + av_assert0(matroska->num_levels <= 2U); if (matroska->num_levels == 1) { res = ebml_parse(matroska, matroska_segment, NULL); From 14aff02a1040e75f159fab5b833dec39c639bdbf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 03:17:27 +0200 Subject: [PATCH 421/562] avformat/mov: Use 64bit in intermediate for current_dts Fixes: CID1500304 Unintentional integer overflow Fixes: CID1500318 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0c977d37aad609f6ed7d148c012da8bc83df8f0b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 976c552e9b..9e87cfb387 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
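Review bot: `av_assert0(matroska->num_levels <= 2U)` rejects negative values only through the implicit conversion of `num_levels` to unsigned, which is easy to miss and easy to undo in a later cleanup. Writing both bounds states the intent of the commit subject directly: `av_assert0(matroska->num_levels >= 0 && matroska->num_levels <= 2);`. If the conversion form is kept, a comment such as `/* 2U: the unsigned compare also rejects negative num_levels */` would do. The declared type of `num_levels` is not visible in this hunk.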
@@ -3043,12 +3043,12 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) corrected_dts += sample_duration * sample_count; } - current_dts += sc->stts_data[i].duration * sample_count; + current_dts += sc->stts_data[i].duration * (int64_t)sample_count; if (current_dts > corrected_dts) { int64_t drift = (current_dts - corrected_dts)/FFMAX(sample_count, 1); uint32_t correction = (sc->stts_data[i].duration > drift) ? drift : sc->stts_data[i].duration - 1; - current_dts -= correction * sample_count; + current_dts -= correction * (uint64_t)sample_count; sc->stts_data[i].duration -= correction; } From 74aeed90eb9311a75c56c3e221cd71baef67987c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 03:20:41 +0200 Subject: [PATCH 422/562] avformat/mov: Use int64_t in intermediate for corrected_dts Fixes: CID1500312 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 034054b3706bea8524cf8846813e17636ca5ab33) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9e87cfb387..42d7836b69 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3040,7 +3040,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->stts_data[i].duration = 1; corrected_dts += (delta_magnitude < 0 ? (int64_t)delta_magnitude : 1) * sample_count; } else { - corrected_dts += sample_duration * sample_count; + corrected_dts += sample_duration * (int64_t)sample_count; } current_dts += sc->stts_data[i].duration * (int64_t)sample_count; From 293b368b81b77e3143b6147c59c0773872101ebf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 19:51:49 +0200 Subject: [PATCH 423/562] avfilter/vf_rotate: Check ff_draw_init2() return value Fixes: NULL pointer dereference Fixes: 3_343 Found-by: De3mond 
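Review bot: The products are now 64-bit, but `current_dts +=`, `current_dts -=` and, in the following mov.c hunk, `corrected_dts +=` still accumulate over every stts entry with no range check. If `duration` and `sample_count` are full-range 32-bit values read from the file (their types are outside the hunk), a single product or the running sum can presumably still leave the `int64_t` range. A guard before each accumulation that fails with `AVERROR_INVALIDDATA` when the addend does not fit would close that. The correction line casts to `(uint64_t)` while the other two use `(int64_t)`; a short comment on why they differ would help. mov_read_stts() starts and ends outside both hunks.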
Signed-off-by: Michael Niedermayer (cherry picked from commit 9c9f095e30c196c0e3d510dc5300182ddb49a803) Signed-off-by: Michael Niedermayer --- libavfilter/vf_rotate.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_rotate.c b/libavfilter/vf_rotate.c index 4429e3d543..e7d720e80a 100644 --- a/libavfilter/vf_rotate.c +++ b/libavfilter/vf_rotate.c @@ -288,7 +288,9 @@ static int config_props(AVFilterLink *outlink) double res; char *expr; - ff_draw_init(&rot->draw, inlink->format, 0); + ret = ff_draw_init(&rot->draw, inlink->format, 0); + if (ret < 0) + return ret; ff_draw_color(&rot->draw, &rot->color, rot->fillcolor); rot->hsub = pixdesc->log2_chroma_w; From 12edfe7004ce60e99b7e48b9eb260acf610de4dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Jun 2024 19:37:15 +0200 Subject: [PATCH 424/562] doc/developer: Provide information about git send-email and gmail The 2 links are the clearest i found. Signed-off-by: Michael Niedermayer (cherry picked from commit 959cb2e2e36cad50b88d45c1201c2c3d64d4e48c) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index addee0d826..a6e5624881 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -494,6 +494,11 @@ patch is inline or attached per mail. You can check @url{https://patchwork.ffmpeg.org}, if your patch does not show up, its mime type likely was wrong. +@subheading How to setup git send-email? + +Please see @url{https://git-send-email.io/}. +For gmail additionally see @url{https://shallowsky.com/blog/tech/email/gmail-app-passwds.html}. + @subheading Sending patches from email clients Using @code{git send-email} might not be desirable for everyone. The following trick allows to send patches via email clients in a safe From 0dfbf1dffcd64dd7007c3df4f6d2d60e3842a63a Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Thu, 13 Jun 2024 22:24:42 +0200 Subject: [PATCH 425/562] Changelog: more backported commits --- Changelog | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/Changelog b/Changelog index 3d3bd84e97..a4678d783c 100644 --- a/Changelog +++ b/Changelog 
@@ -2,6 +2,81 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 5.1.5: + doc/developer: Provide information about git send-email and gmail + avfilter/vf_rotate: Check ff_draw_init2() return value + avformat/mov: Use int64_t in intermediate for corrected_dts + avformat/mov: Use 64bit in intermediate for current_dts + avformat/matroskadec: Assert that num_levels is non negative + avformat/libzmq: Check av_strstart() + avformat/img2dec: Little JFIF / Exif cleanup + avformat/img2dec: Move DQT after unrelated if() + avdevice/xcbgrab: Check sscanf() return + fftools/cmdutils: Add protective () to FLAGS + avformat/sdp: Check before appending "," + avcodec/ilbcdec: Remove dead code + avcodec/vp8: Check cond init + avcodec/vp8: Check mutex init + avcodec/pcm-dvdenc: 64bit pkt-size + avcodec/notchlc: Check init_get_bits8() for failure + avcodec/tests/dct: Use 64bit in intermediate for error computation + avcodec/scpr3: Check add_dec() for failure + avcodec/rv34: assert that size is not 0 in rv34_gen_vlc_ext() + avcodec/wavpackenc: Use unsigned for potential 31bit shift + avcodec/tests/jpeg2000dwt: Use 64bit in comparission + avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation + avformat/fwse: Remove always false expression + avcodec/sga: Make it clear that the return is intentionally not checked + avformat/asfdec_f: Use 64bit for preroll computation + avformat/argo_asf: Use 64bit in offset intermediate + avformat/ape: Use 64bit for final frame size + avdevice/pulse_audio_enc: Use av_rescale() to avoid integer overflow + avcodec/tiff: Assert init_get_bits8() success in unpack_gray() + avcodec/tiff: Assert init_get_bits8() success in horizontal_fill() + swscale/yuv2rgb: Use 64bit for brightness computation + swscale/x86/swscale: use a clearer name for INPUT_PLANER_RGB_A_FUNC_CASE + avutil/tests/opt: Check av_set_options_string() for failure + avutil/tests/dict: Check av_dict_set() before 
get for failure + avdevice/dshow: fix badly indented line + avformat/demux: resurrect dead stores + avcodec/mscc & mwsc: Check loop counts before use + avcodec/mpegvideo_enc: Fix potential overflow in RD + avcodec/mpeg4videodec: assert impossible wrap points + avcodec/mpeg12dec: Use 64bit in bit computation + avcodec/vble: Check av_image_get_buffer_size() for failure + avcodec/vp3: Replace check by assert + avcodec/jpeg2000dec: remove ST=3 case + avcodec/qsvdec: Check av_image_get_buffer_size() for failure + avcodec/exr: Fix preview overflow + avcodec/fmvc: remove dead assignment + avcodec/h264_slice: Remove dead sps check + avcodec/lpc: copy levenson coeffs only when they have been computed + avutil/tests/base64: Check with too short output array + libavutil/base64: Try not to write over the array end + avcodec/cbs_av1: Avoid shift overflow + fftools/ffplay: Check return of swr_alloc_set_opts2() + tools/opt_common: Check for malloc failure + doc/examples/demux_decode: Simplify loop + avformat/concatdec: Check file + avcodec/mpegvideo_enc: Fix 1 line and one column images + swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() + swscale/output: Fix integer overflow in yuv2rgba64_1_c_template + avcodec/avs3_parser: assert the return value of init_get_bits() + avcodec/avs2_parser: Assert init_get_bits8() success with const size 15 + avformat/mxfdec: Check body_offset + avformat/kvag: Check sample_rate + avcodec/ac3_parser: Check init_get_bits8() for failure + avcodec/pngdec: Check last AVFrame before deref + avcodec/hevcdec: Check ref frame + doc/examples/vaapi_transcode: Simplify loop + avfilter/vf_thumbnail_cuda: Set ret before checking it + avfilter/signature_lookup: Dont copy uninitialized stuff around + avfilter/signature_lookup: Fix 2 differences to the refernce SW + (origin/release/5.1, github/release/5.1) lavc/vp9: reset segmentation fields when segmentation isn't enabled + configure: enable ffnvcodec, nvenc, nvdec for FreeBSD + 
avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash + avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD + lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's + Update for 5.1.5 fate/subtitles: Ignore line endings for sub-scc test avformat/mxfdec: Check index_edit_rate swscale/utils: Fix xInc overflow From 68f2794354fda2675187fd9414532845fce2bd7a Mon Sep 17 00:00:00 2001 From: Lynne Date: Mon, 1 Jan 2024 00:00:00 +0000 Subject: [PATCH 426/562] configure: update copyright year (cherry picked from commit b95ee2ec5f84054de8bf6db9fe1b1119d569f269) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 42bd6b5397..39a5bb8b7d 100755 --- a/configure +++ b/configure @@ -7785,7 +7785,7 @@ cat > $TMPH < Date: Sun, 16 Jun 2024 22:32:03 +0200 Subject: [PATCH 427/562] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97ecfb5a193c43eef2e47b3e45afd3fc629c107d) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 499f6ad0d1..9175a663bf 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -591,10 +591,12 @@ wm4 Releases ======== +7.0 Michael Niedermayer +6.1 Michael Niedermayer +5.1 Michael Niedermayer +4.4 Michael Niedermayer +3.4 Michael Niedermayer 2.8 Michael Niedermayer -2.7 Michael Niedermayer -2.6 Michael Niedermayer -2.5 Michael Niedermayer If you want to maintain an older release, please contact us From 691aa476d743e5fc224bb84f8f0252e9dd163451 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 7 Jun 2024 02:32:13 +0200 Subject: [PATCH 428/562] avformat/mxfdec: Check container_ul->desc before use MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1592939 Dereference after null check Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4cab028bd0e381f2ed4ccb7f139407f1f6f537c0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index c31f88bee9..4707b0b7b4 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2969,6 +2969,7 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) if (container_ul->desc) av_dict_set(&st->metadata, "data_type", container_ul->desc, 0); if (mxf->eia608_extract && + container_ul->desc && !strcmp(container_ul->desc, "vbi_vanc_smpte_436M")) { st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_EIA_608; From c1c9a07eed04a744d8cd262af7c69f4832bfd0a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:23 +0200 Subject: [PATCH 429/562] avcodec/snowenc: MV limits due to mv_penalty table size Fixes: out of array read Fixes: 69673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5476592894148608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9292aff320d7b5048b371b1babea2f9b3c4e69) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index e900c2b3fd..e053fa42dc 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c 
@@ -260,6 +260,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ int my_context= av_log2(2*FFABS(left->my - top->my)); int s_context= 2*left->level + 2*top->level + tl->level + tr->level; int ref, best_ref, ref_score, ref_mx, ref_my; + int range = MAX_MV >> (1 + qpel); av_assert0(sizeof(s->block_state) >= 256); if(s->keyframe){ @@ -301,6 +302,11 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ c->xmax = - (x+1)*block_w + (w<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; c->ymax = - (y+1)*block_w + (h<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; + c->xmin = FFMAX(c->xmin,-range); + c->xmax = FFMIN(c->xmax, range); + c->ymin = FFMAX(c->ymin,-range); + c->ymax = FFMIN(c->ymax, range); + if(P_LEFT[0] > (c->xmax<xmax< (c->ymax<ymax< (c->xmax<xmax< Date: Tue, 18 Jun 2024 15:48:24 +0200 Subject: [PATCH 430/562] avcodec/jfdctint_template: Fewer integer anomalies Fixes: signed integer overflow: 105788 * -20995 cannot be represented in type 'int' Fixes: signed integer overflow: 923211729 + 2073948236 cannot be represented in type 'int' Fixes: signed integer overflow: 1281179284 + 2073948236 cannot be represented in type 'int' Fixes: 68975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6266769177116672 Fixes: 68997/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-6284237161431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 228f255b5d9b839149cd53f0537ce76b068228ae) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index 67fb77b5e1..2f4e28b3a3 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c 
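Review bot: In libavcodec/snowenc.c, the new `range = MAX_MV >> (1 + qpel)` and the four clamps after the `c->ymax` assignment have no comment saying what they protect; only the commit message links them to the mv_penalty table size. A line above the clamps such as `/* keep the search window inside the range covered by mv_penalty */` would keep a later cleanup from dropping them as redundant. Neither `qpel` nor the table dimensions are visible in the hunk, so the exact bound should be confirmed against the table declaration. encode_q_branch() continues outside both hunks.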
@@ -69,7 +69,7 @@ #define GLOBAL(x) x #define RIGHT_SHIFT(x, n) ((x) >> (n)) #define MULTIPLY16C16(var,const) ((var)*(const)) -#define DESCALE(x,n) RIGHT_SHIFT((x) + (1 << ((n) - 1)), n) +#define DESCALE(x,n) RIGHT_SHIFT((int)(x) + (1 << ((n) - 1)), n) /* @@ -175,7 +175,7 @@ #if BITS_IN_JSAMPLE == 8 && CONST_BITS<=13 && PASS1_BITS<=2 #define MULTIPLY(var,const) MULTIPLY16C16(var,const) #else -#define MULTIPLY(var,const) ((var) * (const)) +#define MULTIPLY(var,const) (int)((var) * (unsigned)(const)) #endif @@ -261,7 +261,7 @@ FUNC(ff_jpeg_fdct_islow)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; From 071527557c19506e660ccc46ace09ae2c63af90a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 23:42:37 +0200 Subject: [PATCH 431/562] avcodec/r210enc: Use av_rescale for bitrate Fixes: signed integer overflow: 281612954574848 * 65344 cannot be represented in type 'long' Fixes: 68956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_R210_fuzzer-6459074458746880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d34d4b6a7ce7fa72239c47d22ab6592d0687ac86) Signed-off-by: Michael Niedermayer --- libavcodec/r210enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/r210enc.c b/libavcodec/r210enc.c index cfff21cb23..8143155611 100644 --- a/libavcodec/r210enc.c +++ b/libavcodec/r210enc.c @@ -35,7 +35,7 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->bits_per_coded_sample = 32; if (avctx->width > 0) - avctx->bit_rate = ff_guess_coded_bitrate(avctx) * aligned_width / avctx->width; + avctx->bit_rate = av_rescale(ff_guess_coded_bitrate(avctx), aligned_width, avctx->width); return 0; } From 9c96e0badc574370465f7a51362ccaf2b1861e38 Mon Sep 17 00:00:00 2001 
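Review bot: In libavcodec/jfdctint_template.c, the new `DESCALE` still adds the rounding term in signed `int` after the cast, so an operand close to INT_MAX can overflow in that addition just as the reported sums did. Adding in unsigned and casting the result keeps the wraparound defined: `#define DESCALE(x,n) RIGHT_SHIFT((int)((unsigned)(x) + (1U << ((n) - 1))), n)`. In the second hunk only the `#else` form of `MULTIPLY` gained the unsigned cast. The `MULTIPLY16C16` path is still `((var)*(const))`, and which branch the fuzzed ProRes configuration compiles is not visible here.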
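Review bot: In libavcodec/r210enc.c, the value returned by `av_rescale()` goes straight into `avctx->bit_rate`, and av_rescale() reports a result that does not fit in 64 bits by returning INT64_MIN. Whether `ff_guess_coded_bitrate()` can return something large enough to hit that case is not visible in the hunk. A check on the result before the `return 0;`, for example `if (avctx->bit_rate < 0) return AVERROR(EINVAL);`, would keep a nonsensical rate from being published. The start of encode_init() is outside the hunk.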
From: Michael Niedermayer Date: Sun, 16 Jun 2024 19:33:02 +0200 Subject: [PATCH 432/562] avcodec/targaenc: Allocate space for the palette Fixes: out of array access Fixes: 68927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5105665067515904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a7220bd5c1871827ee0edba14fc88f63173e169) Signed-off-by: Michael Niedermayer --- libavcodec/targaenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/targaenc.c b/libavcodec/targaenc.c index 84e2086869..c1cdae9e6f 100644 --- a/libavcodec/targaenc.c +++ b/libavcodec/targaenc.c @@ -21,6 +21,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -89,10 +90,11 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, TargaContext *s = avctx->priv_data; int bpp, picsize, datasize = -1, ret, i; uint8_t *out; + int maxpal = 32*32; picsize = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); - if ((ret = ff_alloc_packet(avctx, pkt, picsize + 45)) < 0) + if ((ret = ff_alloc_packet(avctx, pkt, picsize + 45 + maxpal)) < 0) return ret; /* zero out the header and only set applicable fields */ @@ -125,6 +127,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4)); } out += 32 * pal_bpp; /* skip past the palette we just output */ + av_assert0(32 * pal_bpp <= maxpal); break; } case AV_PIX_FMT_GRAY8: From 076ecf6cb19339370e25361287501c0fbb143db3 Mon Sep 17 00:00:00 2001 
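Review bot: In libavcodec/targaenc.c, `av_assert0(32 * pal_bpp <= maxpal);` in the third hunk sits after the palette bytes are written and `out` is advanced, so it can only abort once an overrun has already happened. Placing it before the loop that emits the palette (the loop header is outside the hunk) would make it an actual guard for the extra `maxpal` bytes reserved in the second hunk. `int maxpal = 32*32;` is also an unexplained constant. If the palette is 256 entries of at most 32 bits, a comment like `/* 256 palette entries * 4 bytes */` would tie it to the `32 * pal_bpp` expression.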
From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:51:22 +0200 Subject: [PATCH 433/562] swscale/output: alpha can become negative after scaling, use multiply Fixes: left shift of negative value -3245 Fixes: 69047/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6571511551950848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6c5b6e865a6b1b9c3a471fc06143f11e69d71b) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 7ccd4cefe0..f6ae717d42 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1194,8 +1194,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1240,8 +1240,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1409,7 +1409,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } @@ -1442,7 +1442,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } From 1e1a0182f793bc5c727c12ab01eff05434f058d3 Mon Sep 17 00:00:00 2001 
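Review bot: In libswscale/output.c, `abuf0[i * 2] * (1 << 11)` is still a signed multiplication, so it avoids the left shift of a negative value but overflows once the alpha sample's magnitude reaches 2^20. The same applies to the other three hunks of this patch, `A2 = ...` and both `A = abuf0[i] * (1 << 11);` sites. The range of scaled alpha is not visible here; if it can grow that large, multiplying by an unsigned constant, `A1 = abuf0[i * 2] * (1U << 11);`, would keep the wraparound defined. The enclosing template functions start and end outside the hunks.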
From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:59:23 +0200 Subject: [PATCH 434/562] swscale/output: Avoid undefined overflow in yuv2rgb_write_full() Fixes: signed integer overflow: -140140 * 16525 cannot be represented in type 'int' Fixes: 68859/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4516387130245120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c221c7422f07f2245db5c4cdc958b42ca25eb2b7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index f6ae717d42..e9e1ec5b29 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1893,9 +1893,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff; - G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2g_coeff + U*(unsigned)c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*(unsigned)c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); From afe53194ac732f71e6d73c94b6290241eb34f619 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 22:23:06 +0200 Subject: [PATCH 435/562] fftools/ffmpeg: Check read() for failure Fixes: CID1591932 Ignoring number of bytes read Sponsored-by: Sovereign Tech Fund Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 34fd247c3bf06418c1eaafacf0d6052e3bbe4f5e) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index 02afbc65ea..960c3d211c 100644 
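Review bot: In yuv2rgb_write_full() (libswscale/output.c), the context lines just above the change, `Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21;`, still run in whatever type `Y` has. The `(unsigned)Y` casts suggest it is a signed int. If so, the multiplication by `yuv2rgb_y_coeff` can overflow for the same out-of-range inputs that triggered the reported `V*coeff` overflow. Applying the same treatment there, `Y *= (unsigned)c->yuv2rgb_y_coeff;`, would make the whole computation consistent. The declaration of `Y` is outside the hunk, so its type should be confirmed first.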
--- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -491,8 +491,9 @@ static int read_key(void) } //Read it if(nchars != 0) { - read(0, &ch, 1); - return ch; + if (read(0, &ch, 1) == 1) + return ch; + return 0; }else{ return -1; } From 773a25a2c6ac5967d65d03f5ab6b262570a261e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Mar 2024 03:13:50 +0100 Subject: [PATCH 436/562] avformat/mov: Check edit list for overflow Fixes: 67492/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5778297231310848 Fixes: signed integer overflow: 2314885530818453536 + 7782220156096217088 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2882d30e3acfc3155e2be11db653c7c721f94f34) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 42d7836b69..b518bfb87b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3325,6 +3325,10 @@ static int get_edit_list_entry(MOVContext *mov, } *edit_list_duration = av_rescale(*edit_list_duration, msc->time_scale, global_timescale); + + if (*edit_list_duration + (uint64_t)*edit_list_media_time > INT64_MAX) + *edit_list_duration = 0; + return 1; } From ae37eda47c8288ef98e357db816ad79f42032c73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 May 2024 22:33:14 +0200 Subject: [PATCH 437/562] avcodec/cbs_jpeg: Try to move the read entity to one side in a test The checked entity should be alone on one side of the check, this avoids complex considerations of overflows. This fixes a issue of bad style in our code and a coverity issue. Fixes: CID1439654 Untrusted pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 385784a148d2886884aac69acc31bf179fac3ac2) 
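Review bot: In read_key() (fftools/ffmpeg.c), a failed or zero-byte `read()` now returns 0, while the neighbouring `else` branch returns -1 for no input. The caller therefore sees a read error or EOF on stdin as a NUL keypress, not as "no key". Unless callers depend on 0 here, `return -1;` would match the existing convention. If 0 is intended, a comment such as `/* read error or EOF: report as no usable key */` would record that. The rest of read_key() is outside the hunk.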
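Review bot: In get_edit_list_entry() (libavformat/mov.c), the new test casts `*edit_list_media_time` to `uint64_t`, so any negative media time becomes a huge value and the sum compares greater than INT64_MAX even when the signed sum is small. The hunk does not show whether negative values can reach this point. If they can, the duration is zeroed for edits that do not overflow at all. Restricting the check to the case that can overflow avoids that: `if (*edit_list_media_time > 0 && *edit_list_duration > INT64_MAX - *edit_list_media_time)`. The reset to 0 is also silent; a debug-level log would help when diagnosing truncated edit lists.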
Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index da7ee808cf..79557685e2 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -166,13 +166,13 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, } } else { i = start; - if (i + 2 > frag->data_size) { + if (i > frag->data_size - 2) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker.\n", marker); return AVERROR_INVALIDDATA; } length = AV_RB16(frag->data + i); - if (i + length > frag->data_size) { + if (length > frag->data_size - i) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid JPEG image: " "truncated at %02x marker segment.\n", marker); return AVERROR_INVALIDDATA; From c8156f90ffc16c4d98ecd759075545e352ca8b8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:15:50 +0200 Subject: [PATCH 438/562] avformat/img2dec: assert no pipe on ts_from_file Help coverity with CID1500302 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4824156fa06bd60b27f9f0673fbd6a3cfc780e56) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 4e0bb6bff2..529dc5fd5a 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -25,6 +25,7 @@ #define _DEFAULT_SOURCE #define _BSD_SOURCE #include +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/log.h" #include "libavutil/opt.h" @@ -501,6 +502,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; + av_assert0(!s->is_pipe); // The ts_from_file option is not supported by piped input demuxers if (stat(filename, &img_stat)) { res = AVERROR(EIO); goto fail; 
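Review bot: In cbs_jpeg_split_fragment() (libavcodec/cbs_jpeg.c), the rewritten test `i > frag->data_size - 2` moves the arithmetic onto the size. If `data_size` is an unsigned type and can be smaller than 2 at this point, the subtraction wraps, the check passes, and `AV_RB16(frag->data + i)` reads past the buffer. Earlier code outside the hunk may already guarantee at least two bytes, but that is not visible here. Spelling the lower bound out, `if (frag->data_size < 2 || i > frag->data_size - 2)`, makes the check safe on its own. The second comparison, `length > frag->data_size - i`, is then covered by the first.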
From b0b3673588a545ec5b90b67f2bb56135a2b021eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 May 2022 01:45:44 +0200 Subject: [PATCH 439/562] avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() Fixes: CID1435168 Signed-off-by: Michael Niedermayer (cherry picked from commit 63ecce9ba87867b21a7cdcd677bb268c0d807db1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_loopfilter.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/vc1_loopfilter.c b/libavcodec/vc1_loopfilter.c index 0f990cccef..ee694ede28 100644 --- a/libavcodec/vc1_loopfilter.c +++ b/libavcodec/vc1_loopfilter.c @@ -1125,10 +1125,7 @@ static av_always_inline void vc1_b_h_intfi_loop_filter(VC1Context *v, uint8_t *d dst = dest + (block_num & 2) * 4 * s->linesize + (block_num & 1) * 8; if (!(flags & RIGHT_EDGE) || !(block_num & 5)) { - if (block_num > 3) - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); - else - v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); + v->vc1dsp.vc1_h_loop_filter8(dst + 8, linesize, pq); } tt = ttblk[0] >> (block_num * 4) & 0xf; From 2039e3cf805170609bbe80e4fbc4d1b12a08a43f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:18 +0200 Subject: [PATCH 440/562] avcodec/mfenc: check IMFSample_ConvertToContiguousBuffer() for failure Fixes: CID1591911 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 86cd7c68bc65df6703391f0cdcdbf7c57d6c4780) Signed-off-by: Michael Niedermayer --- libavcodec/mfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mfenc.c b/libavcodec/mfenc.c index bbe78605a9..46a2d09614 100644 --- a/libavcodec/mfenc.c +++ b/libavcodec/mfenc.c 
@@ -248,7 +248,7 @@ static int mf_sample_to_avpacket(AVCodecContext *avctx, IMFSample *sample, AVPac if ((ret = ff_get_encode_buffer(avctx, avpkt, len, 0)) < 0) return ret; - IMFSample_ConvertToContiguousBuffer(sample, &buffer); + hr = IMFSample_ConvertToContiguousBuffer(sample, &buffer); if (FAILED(hr)) return AVERROR_EXTERNAL; From 68d61b4eaf8330db84eb8655c6c350cefdfcd14c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:25 +0200 Subject: [PATCH 441/562] avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure Fixes: CID1591939 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4c285bb2789667bcf014ede8b0ab06ebbbee833f) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index fdea1ceb4a..977890f152 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1464,7 +1464,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, av_log(avctx, AV_LOG_ERROR, "Could not create CaptureGraphBuilder2\n"); goto error; } - ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); + r = ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); if (r != S_OK) { av_log(avctx, AV_LOG_ERROR, "Could not set graph for CaptureGraphBuilder2\n"); goto error; From 51365681485cf19769c50af869d31edb654d5e89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 00:19:01 +0200 Subject: [PATCH 442/562] avformat/mpeg: Check len in mpegps_probe() Fixes: CID1473590 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ca237a841e9e78ac02694124d81ff78c74b0bf72) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 864b08d8f8..1df253f50e 100644 --- a/libavformat/mpeg.c 
+++ b/libavformat/mpeg.c @@ -75,6 +75,9 @@ static int mpegps_probe(const AVProbeData *p) int pes = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size); int pack = check_pack_header(p->buf + i); + if (len > INT_MAX - i) + break; + if (code == SYSTEM_HEADER_START_CODE) sys++; else if (code == PACK_START_CODE && pack) From 25d4dcd474e2dc6bc80396a351831025f704155e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 01:50:00 +0200 Subject: [PATCH 443/562] avformat/rdt: Check pkt_len Fixes: CID1473553 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0d0373de3bc6aa6fa5c71247191afccfaf20723d) Signed-off-by: Michael Niedermayer --- libavformat/rdt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rdt.c b/libavformat/rdt.c index 2fa3c2d266..9dcae325b4 100644 --- a/libavformat/rdt.c +++ b/libavformat/rdt.c @@ -205,6 +205,8 @@ ff_rdt_parse_header(const uint8_t *buf, int len, return -1; /* not followed by a data packet */ pkt_len = AV_RB16(buf+3); + if (pkt_len > len) + return AVERROR_INVALIDDATA; buf += pkt_len; len -= pkt_len; consumed += pkt_len; From 6b977edd82856150eaa3394f782a8420c17abd77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Jun 2024 22:53:14 +0200 Subject: [PATCH 444/562] avfilter/drawutils: Fix depthb computation Fixes: CID1496940 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 34f821e44821804e1954ca6eb38269183978a62c) Signed-off-by: Michael Niedermayer --- libavfilter/drawutils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/drawutils.c b/libavfilter/drawutils.c index b4083b9a95..b8d794a71d 100644 --- a/libavfilter/drawutils.c +++ b/libavfilter/drawutils.c @@ -61,6 +61,7 @@ int ff_fill_rgba_map(uint8_t *rgba_map, enum AVPixelFormat pix_fmt) had0 |= pos == 0; rgba_map[i] = pos; + depthb = db; } if (desc->nb_components == 3) 
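Review bot: In ff_rdt_parse_header() (libavformat/rdt.c), a `pkt_len` of 0 passes the new `pkt_len > len` check, and the three following lines then advance `buf`, `len` and `consumed` by nothing. The commit message describes this as a loop bound. If the enclosing loop, whose header is outside the hunk, re-tests the same bytes, a zero length field from the network would keep it spinning. Rejecting it in the same test closes that: `if (!pkt_len || pkt_len > len) return AVERROR_INVALIDDATA;`. The adjacent error path returns a bare `-1`, so the two return conventions in this block are also worth aligning.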
From 085422937fc533b1862fcc93537eff255d8d76e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Jun 2024 23:43:37 +0200 Subject: [PATCH 445/562] avfilter/vf_avgblur: Check plane instead of AVFrame Fixes: CID1551694 Use after free (false positive based on assuming that out == in and one is freed and one used) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c296d4fdec198a32ea3995e312cede7be83352c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_avgblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_avgblur.c b/libavfilter/vf_avgblur.c index bd4471cb8e..539b500114 100644 --- a/libavfilter/vf_avgblur.c +++ b/libavfilter/vf_avgblur.c @@ -288,7 +288,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) const int width = s->planewidth[plane]; if (!(s->planes & (1 << plane))) { - if (out != in) + if (out->data[plane] != in->data[plane]) av_image_copy_plane(out->data[plane], out->linesize[plane], in->data[plane], in->linesize[plane], width * ((s->depth + 7) / 8), height); From 8762af536696fdcfbab364704975cc5f130ab3b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2024 23:18:47 +0200 Subject: [PATCH 446/562] tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() Signed-off-by: Michael Niedermayer (cherry picked from commit 380a8213b165d1fda419c566241d2641cb6f5c3c) Signed-off-by: Michael Niedermayer --- tools/coverity.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tools/coverity.c b/tools/coverity.c index 19a132a976..541e108238 100644 --- a/tools/coverity.c +++ b/tools/coverity.c 
@@ -31,6 +31,17 @@ #define NULL (void *)0 +typedef long long int64_t; + +enum AVRounding { + AV_ROUND_ZERO = 0, + AV_ROUND_INF = 1, + AV_ROUND_DOWN = 2, + AV_ROUND_UP = 3, + AV_ROUND_NEAR_INF = 5, + AV_ROUND_PASS_MINMAX = 8192, +}; + // Based on https://scan.coverity.com/models void *av_malloc(size_t size) { int has_memory; @@ -77,3 +88,10 @@ void *av_free(void *ptr) { __coverity_mark_as_afm_freed__(ptr, "av_free"); } + +int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) { + __coverity_negative_sink__(b); + __coverity_negative_sink__(c); + + return (double)a * (double)b / (double)c; +} From e3dd030ef869565dbc4c582441ee47f16dc69cd0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 21:24:47 +0200 Subject: [PATCH 447/562] avfilter/af_aresample: Cleanup on av_channel_layout_copy() failure Fixes: CID1503078 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7a0ea15c7afb8abd823303b9a525cc5e6572f199) Signed-off-by: Michael Niedermayer --- libavfilter/af_aresample.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_aresample.c b/libavfilter/af_aresample.c index 971c861d0e..4e7e77c7cc 100644 --- a/libavfilter/af_aresample.c +++ b/libavfilter/af_aresample.c @@ -197,8 +197,11 @@ FF_DISABLE_DEPRECATION_WARNINGS FF_ENABLE_DEPRECATION_WARNINGS #endif ret = av_channel_layout_copy(&outsamplesref->ch_layout, &outlink->ch_layout); - if (ret < 0) + if (ret < 0) { + av_frame_free(&outsamplesref); + av_frame_free(&insamplesref); return ret; + } outsamplesref->sample_rate = outlink->sample_rate; if(insamplesref->pts != AV_NOPTS_VALUE) { From 0003e3cd1904edd02c60314389ebd288877304b3 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 10 Jun 2024 21:58:51 +0200 Subject: [PATCH 448/562] avfilter/af_channelsplit: Assert that av_channel_layout_channel_from_index() succeeds Maybe Helps: CID1503077 Bad bit shift operation Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cef720ab429244ac9e56f48d983d6086e0a227a7) Signed-off-by: Michael Niedermayer --- libavfilter/af_channelsplit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_channelsplit.c b/libavfilter/af_channelsplit.c index b537e1380f..63be9c6a7a 100644 --- a/libavfilter/af_channelsplit.c +++ b/libavfilter/af_channelsplit.c @@ -22,7 +22,7 @@ * * Split an audio stream into per-channel streams. */ - +#include "libavutil/avassert.h" #include "libavutil/attributes.h" #include "libavutil/channel_layout.h" #include "libavutil/internal.h" @@ -162,6 +162,8 @@ static int filter_frame(AVFilterLink *outlink, AVFrame *buf) enum AVChannel channel = av_channel_layout_channel_from_index(&buf->ch_layout, s->map[i]); int ret; + av_assert1(channel >= 0); + AVFrame *buf_out = av_frame_clone(buf); if (!buf_out) return AVERROR(ENOMEM); From 5929007ac5203851fb989d95448bdc9a6ac5855b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 23:18:53 +0200 Subject: [PATCH 449/562] avfilter/af_mcompand: compute half frequency in double Fixes: CID1422217 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2d0d502ff10378e545a1fe42a9503ab44d19fa67) Signed-off-by: Michael Niedermayer --- libavfilter/af_mcompand.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_mcompand.c b/libavfilter/af_mcompand.c index 1267cd9f34..9347f06d87 100644 --- a/libavfilter/af_mcompand.c +++ b/libavfilter/af_mcompand.c 
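Review bot: In filter_frame() (libavfilter/af_channelsplit.c), `av_assert1(channel >= 0);` compiles to nothing unless the build raises the assert level, so in a default build a failed `av_channel_layout_channel_from_index()` still reaches the later use of `channel` that the Coverity report is about. An explicit runtime check with an error return would protect release builds as well. That path would need to release `buf` the way the function's other error paths do, which is outside the hunk. The assert is also inserted between `int ret;` and the `AVFrame *buf_out` declaration, which puts a declaration after a statement; moving it below the declarations avoids that.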
@@ -417,8 +417,8 @@ static int config_output(AVFilterLink *outlink) } new_nb_items += sscanf(tstr2, "%lf", &s->bands[i].topfreq) == 1; - if (s->bands[i].topfreq < 0 || s->bands[i].topfreq >= outlink->sample_rate / 2) { - av_log(ctx, AV_LOG_ERROR, "crossover_frequency: %f, should be >=0 and lower than half of sample rate: %d.\n", s->bands[i].topfreq, outlink->sample_rate / 2); + if (s->bands[i].topfreq < 0 || s->bands[i].topfreq >= outlink->sample_rate / 2.0) { + av_log(ctx, AV_LOG_ERROR, "crossover_frequency: %f, should be >=0 and lower than half of sample rate: %f.\n", s->bands[i].topfreq, outlink->sample_rate / 2.0); return AVERROR(EINVAL); } From 1b07b2e7e54abcdf54a37e25d3b75f72bb3d0e31 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 22 Oct 2023 19:35:52 +0100 Subject: [PATCH 450/562] cbs_av1: Reject thirty-two zero bits in uvlc code The spec allows at least thirty-two zero bits followed by a one to mean 2^32-1, with no constraint on the number of zeroes. The libaom reference decoder does not match this, instead reading thirty-two zeroes but not the following one to mean 2^32-1. These two interpretations are incompatible and other implementations may follow one or the other. Therefore reject thirty-two zeroes because the intended behaviour is not clear. Signed-off-by: Michael Niedermayer (cherry picked from commit 7110a36ba07f85ca2996d3b99898a4819e72d9bb) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 6913bc6781..edbfb31c2d 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -37,7 +37,7 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, position = get_bits_count(gbc); zeroes = 0; - while (1) { + while (zeroes < 32) { if (get_bits_left(gbc) < 1) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " "%s: bitstream ended.\n", name); 
@@ -50,7 +50,18 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, } if (zeroes >= 32) { - value = MAX_UINT_BITS(32); + // The spec allows at least thirty-two zero bits followed by a + // one to mean 2^32-1, with no constraint on the number of + // zeroes. The libaom reference decoder does not match this, + // instead reading thirty-two zeroes but not the following one + // to mean 2^32-1. These two interpretations are incompatible + // and other implementations may follow one or the other. + // Therefore we reject thirty-two zeroes because the intended + // behaviour is not clear. + av_log(ctx->log_ctx, AV_LOG_ERROR, "Thirty-two zero bits in " + "%s uvlc code: considered invalid due to conflicting " + "standard and reference decoder behaviour.\n", name); + return AVERROR_INVALIDDATA; } else { if (get_bits_left(gbc) < zeroes) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " From 5b2860a72229d115d6c18c18230dbbd8e0f78b5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 23:41:07 +0200 Subject: [PATCH 451/562] avfilter/af_pan: check nb_output_channels before use Fixes: CID1500281 Out-of-bounds write Fixes: CID1500331 Out-of-bounds write Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5fe8bf4aa51350b14d0babd47b0314232e703caf) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 067f646805..e4bd79c983 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c 
@@ -118,6 +118,14 @@ static av_cold int init(AVFilterContext *ctx) if (ret < 0) goto fail; + if (pan->nb_output_channels > MAX_CHANNELS) { + av_log(ctx, AV_LOG_ERROR, + "af_pan supports a maximum of %d channels. " + "Feel free to ask for a higher limit.\n", MAX_CHANNELS); + ret = AVERROR_PATCHWELCOME; + goto fail; + } + /* parse channel specifications */ while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) { int used_in_ch[MAX_CHANNELS] = {0}; From 28d9f116f9a4db00256f51ab2c35521b2693647c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 16:31:28 +0200 Subject: [PATCH 452/562] swscale/swscale: Use ptrdiff_t for linesize computations This is unlikely to make a difference Fixes: CID1591896 Unintentional integer overflow Fixes: CID1591901 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 66b60bae68a3124fb176b0c2d4580f0f76c31dc4) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 9eb7e70b36..f843677fe5 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -1169,7 +1169,7 @@ int sws_receive_slice(struct SwsContext *c, unsigned int slice_start, } for (int i = 0; i < FF_ARRAY_ELEMS(dst); i++) { - ptrdiff_t offset = c->frame_dst->linesize[i] * (slice_start >> c->chrDstVSubSample); + ptrdiff_t offset = c->frame_dst->linesize[i] * (ptrdiff_t)(slice_start >> c->chrDstVSubSample); dst[i] = FF_PTR_ADD(c->frame_dst->data[i], offset); } 
@@ -1230,7 +1230,7 @@ void ff_sws_slice_worker(void *priv, int jobnr, int threadnr, for (int i = 0; i < FF_ARRAY_ELEMS(dst) && parent->frame_dst->data[i]; i++) { const int vshift = (i == 1 || i == 2) ? c->chrDstVSubSample : 0; const ptrdiff_t offset = parent->frame_dst->linesize[i] * - ((slice_start + parent->dst_slice_start) >> vshift); + (ptrdiff_t)((slice_start + parent->dst_slice_start) >> vshift); dst[i] = parent->frame_dst->data[i] + offset; } From 221dc6bb5e435f4d25c5c6f92e508df8cf1150dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:46 +0200 Subject: [PATCH 453/562] avfilter/af_aderivative: Free out on error Fixes: CID1197065 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 382e9e79f3a0011d93af4b11ca6ba6b85113a09a) Signed-off-by: Michael Niedermayer --- libavfilter/af_aderivative.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/af_aderivative.c b/libavfilter/af_aderivative.c index 853c0f3412..7db7fbfb87 100644 --- a/libavfilter/af_aderivative.c +++ b/libavfilter/af_aderivative.c @@ -126,6 +126,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) s->prev = ff_get_audio_buffer(inlink, 1); if (!s->prev) { av_frame_free(&in); + av_frame_free(&out); return AVERROR(ENOMEM); } } From ab086c7234138101f9b7efba1e48ecfab3277fb8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 10:17:42 +0200 Subject: [PATCH 454/562] avformat/rtpenc_vc2hq: Check sizes Fixes: CID1452585 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7a9ddb705152d5090d2cb815f905bf592cc487f5) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_vc2hq.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rtpenc_vc2hq.c b/libavformat/rtpenc_vc2hq.c index 085204fa64..cf548191d2 100644 --- a/libavformat/rtpenc_vc2hq.c +++ b/libavformat/rtpenc_vc2hq.c 
@@ -45,7 +45,7 @@ static void send_packet(AVFormatContext *ctx, uint8_t parse_code, int info_hdr_s ff_rtp_send_data(ctx, rtp_ctx->buf, RTP_VC2HQ_PL_HEADER_SIZE + info_hdr_size + size, rtp_m); } -static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) +static int send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) { RTPMuxContext *rtp_ctx = ctx->priv_data; GetBitContext gc; @@ -54,6 +54,9 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int uint16_t frag_len; char *info_hdr = &rtp_ctx->buf[4]; + if (size < DIRAC_PIC_NR_SIZE) + return AVERROR(EINVAL); + pic_nr = AV_RB32(&buf[0]); buf += DIRAC_PIC_NR_SIZE; size -= DIRAC_PIC_NR_SIZE; @@ -97,6 +100,7 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int send_packet(ctx, DIRAC_RTP_PCODE_HQ_PIC_FRAGMENT, 16, buf, frag_len, interlaced, second_field, size > 0 ? 0 : 1); buf += frag_len; } + return 0; } void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame_size, int interlaced) 
@@ -110,16 +114,21 @@ void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame parse_code = unit[4]; unit_size = AV_RB32(&unit[5]); + if (unit_size > end - unit) + break; + switch (parse_code) { /* sequence header */ /* end of sequence */ case DIRAC_PCODE_SEQ_HEADER: case DIRAC_PCODE_END_SEQ: - send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); break; /* HQ picture */ case DIRAC_PCODE_PICTURE_HQ: - send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); break; /* parse codes without specification */ case DIRAC_PCODE_AUX: From 9b450494a2f55e79e3a82277b33b1970765735c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:23:47 +0200 Subject: [PATCH 455/562] avformat/rtsp: use < 0 for error check Found while reviewing CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9bb38ba2b782cdb6052ddcb415ef1554b0462401) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 4c8c7a186c..a0c79ab9e6 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1426,7 +1426,7 @@ retry: cur_auth_type = rt->auth_state.auth_type; if ((ret = rtsp_send_cmd_with_content_async(s, method, url, header, send_content, - send_content_length))) + send_content_length)) < 0) return ret; if ((ret = ff_rtsp_read_reply(s, reply, content_ptr, 0, method) ) < 0) 
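Review bot: The new `if (unit_size > end - unit) break;` runs only after `unit[4]` and `AV_RB32(&unit[5])` have been read, so it bounds the payload but not the data-unit header itself. Unless the loop condition, which lies outside this hunk, already guarantees that a whole header remains, a guard such as `if (end - unit < DIRAC_DATA_UNIT_HEADER_SIZE) break;` belongs before those two reads. Separately, send_picture() now returns an error code, but the call here discards it and ff_rtp_send_vc2hq() is void, so a rejected picture is dropped without any trace; an `av_log()` at the call site would at least make that visible.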
From 6c21843037253d59727d83fbf2968ff532a39fd1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:28:49 +0200 Subject: [PATCH 456/562] avformat/rtsp: initialize reply1 It seems reply1 is initialized by ff_rtsp_send_cmd() in most cases but there are code paths like "continue" which look like they could skip it but even if not writing this so a complex loop after several layers of calls initialized a local variable through a pointer is just bad design. This patch simply initialized the variable. Fixes: CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 498ce4e8b82e2312690613df45f87e592dcb91a9) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index a0c79ab9e6..af19ce1d3d 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1459,6 +1459,8 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, char cmd[MAX_URL_SIZE]; const char *trans_pref; + memset(&reply1, 0, sizeof(reply1)); + if (rt->transport == RTSP_TRANSPORT_RDT) trans_pref = "x-pn-tng"; else if (rt->transport == RTSP_TRANSPORT_RAW) From 4d958c1e5aefdb737b1dd2648114d300e16b9a9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 19:43:15 +0200 Subject: [PATCH 457/562] avformat/rtsp: Check that lower transport is handled in one of the if() Fixes: CID1473554 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8200d382503f5fd839a72af7ba93d53880ad4b7) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index af19ce1d3d..f7ea9355e0 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c 
@@ -1575,7 +1575,11 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, else if (lower_transport == RTSP_LOWER_TRANSPORT_UDP_MULTICAST) { snprintf(transport, sizeof(transport) - 1, "%s/UDP;multicast", trans_pref); + } else { + err = AVERROR(EINVAL); + goto fail; // transport would be uninitialized } + if (s->oformat) { av_strlcat(transport, ";mode=record", sizeof(transport)); } else if (rt->server_type == RTSP_SERVER_REAL || From ff072fe651e684c5903ee8afce31f550ac3a9ce1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:45:32 +0200 Subject: [PATCH 458/562] avformat/subfile: Merge if into switch() Found while reviewing CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0a7d964bfd5da8859c715627eeb7a048bddb79) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index 2936c79e06..2f9c7791c6 100644 --- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -124,9 +124,9 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) return end; } - if (whence == AVSEEK_SIZE) - return end - c->start; switch (whence) { + case AVSEEK_SIZE: + return end - c->start; case SEEK_SET: new_pos = c->start + pos; break; From a19d3de12aa602a523539a5a93903001754fd3c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:46:28 +0200 Subject: [PATCH 459/562] avformat/subfile: Assert that whence is a known case This may help CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 426d8c84c37064eef93bbcfaffd886d00a9a4ee8) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index 2f9c7791c6..e6712806a9 100644 
--- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -18,6 +18,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/opt.h" #include "avformat.h" @@ -136,6 +137,8 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) case SEEK_END: new_pos = end + pos; break; + default: + av_assert0(0); } if (new_pos < c->start) return AVERROR(EINVAL); From 2528ab4895f65a9b9d56ae4b79f67075a6db3a1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 00:09:24 +0200 Subject: [PATCH 460/562] avformat/tls_schannel: Initialize ret Fixes: CID1591881 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f022afea77ced5067f511530dd8ff137967db1d9) Signed-off-by: Michael Niedermayer --- libavformat/tls_schannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index d4959f75fa..bbeb8a81f2 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -388,7 +388,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) SECURITY_STATUS sspi_ret = SEC_E_OK; SecBuffer inbuf[4]; SecBufferDesc inbuf_desc; - int size, ret; + int size, ret = 0; int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE; /* If we have some left-over data from previous network activity, From 16a0e979e732bbacc8b68ca87226afb27f824b51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Jul 2024 01:47:33 +0200 Subject: [PATCH 461/562] doc/examples/vaapi_encode: Try to check fwrite() for failure Fixes: CID1604548 Unused value Sponsored-by: Sovereign Tech Fund Reviewed-by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit 3e4bfff21192aed328c906c85424737128b108f1) Signed-off-by: Michael Niedermayer --- doc/examples/vaapi_encode.c | 4 ++++ 1 file changed, 4 insertions(+) 
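Review bot: In the subfile_seek hunk, an unrecognised `whence` now aborts the whole process through `default: av_assert0(0);`, while the same function reports a bad position with `AVERROR(EINVAL)` a few lines later. The hunk does not show that every caller passes only the four handled values. For a protocol seek callback, `default: return AVERROR(EINVAL);` closes the uninitialised-`new_pos` path for the analyser just as well, without turning an unexpected flag into a crash. subfile_seek begins and ends outside the hunk.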
diff --git a/doc/examples/vaapi_encode.c b/doc/examples/vaapi_encode.c index e232fa579a..5ba463e396 100644 --- a/doc/examples/vaapi_encode.c +++ b/doc/examples/vaapi_encode.c @@ -91,6 +91,10 @@ static int encode_write(AVCodecContext *avctx, AVFrame *frame, FILE *fout) enc_pkt->stream_index = 0; ret = fwrite(enc_pkt->data, enc_pkt->size, 1, fout); av_packet_unref(enc_pkt); + if (ret != enc_pkt->size) { + ret = AVERROR(errno); + break; + } } end: From f55dbd882f3162b016fb2f216fed7bd0a2b7a9c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:41 +0200 Subject: [PATCH 462/562] avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor Fixes: CID1591909 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 698ed0d5a5a3a1219179facb5538eea463fae13f) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_d3d11va.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index 1bc8b6c82c..246e8cf55c 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c @@ -184,7 +184,7 @@ static AVBufferRef *wrap_texture_buf(AVHWFramesContext *ctx, ID3D11Texture2D *te desc->texture = tex; desc->index = index; - buf = av_buffer_create((uint8_t *)desc, sizeof(desc), free_texture, tex, 0); + buf = av_buffer_create((uint8_t *)desc, sizeof(*desc), free_texture, tex, 0); if (!buf) { ID3D11Texture2D_Release(tex); av_free(desc); From ea48c665d1cc49e1fe3771b6f5a365537e95d78e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:42 +0200 Subject: [PATCH 463/562] avutil/hwcontext_d3d11va: Free AVD3D11FrameDescriptor on error Fixes: CID1598558 Resource leak Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit cf22f944d55c8eb0119fb20354a625f8c41eb11f) 
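Review bot: The added check `if (ret != enc_pkt->size)` in encode_write does not test what fwrite() reported. With a member count of 1, fwrite() returns 1 or 0 rather than a byte count, and the comparison runs after `av_packet_unref(enc_pkt)`, which resets the packet so `enc_pkt->size` no longer holds the written length. As written, a successful write (ret 1, size reset to 0) is treated as a failure and a failed write (ret 0) passes. Comparing against the item count, `if (ret != 1) {`, keeps the unref where it is and makes the check meaningful. The surrounding loop and the `end:` handling continue outside the hunk.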
Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_d3d11va.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index 246e8cf55c..5b7376714a 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c @@ -172,6 +172,7 @@ static AVBufferRef *wrap_texture_buf(AVHWFramesContext *ctx, ID3D11Texture2D *te sizeof(*frames_hwctx->texture_infos)); if (!frames_hwctx->texture_infos) { ID3D11Texture2D_Release(tex); + av_free(desc); return NULL; } s->nb_surfaces = s->nb_surfaces_used + 1; From 0362214b1c7bf656dcedbfc02f1eddac10b74821 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:43 +0200 Subject: [PATCH 464/562] avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 Fixes: CID1591944 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 628ba061c8d5ae018c3e8aa8ce05b8dfcdfd8410) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index 53d00fa815..1f4973c148 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -134,7 +134,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, size_t size) if (s->nb_surfaces_used < hwctx->nb_surfaces) { s->nb_surfaces_used++; return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1], - sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); + sizeof(**hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); } return NULL; From 0e5c0a61784ec3b7cae4cca30441cf779cde04e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:44 +0200 Subject: [PATCH 465/562] avutil/wchar_filename: Correct sizeof Fixes: CID1591930 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme 
Signed-off-by: Michael Niedermayer (cherry picked from commit e9e8bea2e79bc3c481a6f81f75f6c871e3e0f367) Signed-off-by: Michael Niedermayer --- libavutil/wchar_filename.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/wchar_filename.h b/libavutil/wchar_filename.h index fbc0a55146..70194a035c 100644 --- a/libavutil/wchar_filename.h +++ b/libavutil/wchar_filename.h @@ -56,7 +56,7 @@ static inline int wchartocp(unsigned int code_page, const wchar_t *filename_w, errno = EINVAL; return -1; } - *filename = (char*)av_malloc_array(num_chars, sizeof *filename); + *filename = av_malloc_array(num_chars, sizeof **filename); if (!*filename) { errno = ENOMEM; return -1; From 40c9fb918a82f445410abd50e04afd410587ce68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 21:57:40 +0200 Subject: [PATCH 466/562] avformat/rmdec: use 64bit for audio_framesize checks It is not entirely clear what would prevent such overflow so even if it is not possible, it is better to use 64bit Fixes: CID1491898 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 665be4fa2f47910bf85a6f17b6cac9dabc6591f0) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 0f1534b582..e156f57bd8 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -267,9 +267,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2LL + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2LL*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } From a8c496741683f538dc2d0f2f3af26620a0d3702e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 23:05:47 +0200 Subject: [PATCH 467/562] avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly Found while reviewing: CID1530313 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cedbef03946625bc0f7f96e9f77ad59c512b9900) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 4b97c0833f..54933ded5d 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -435,7 +435,6 @@ static int amf_tag_skip(GetByteContext *gb) { AMFDataType type; unsigned nb = -1; - int parse_key = 1; if (bytestream2_get_bytes_left(gb) < 1) return -1; 
@@ -460,13 +459,12 @@ static int amf_tag_skip(GetByteContext *gb) bytestream2_skip(gb, 10); return 0; case AMF_DATA_TYPE_ARRAY: - parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: - while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { + while (type != AMF_DATA_TYPE_ARRAY || nb-- > 0) { int t; - if (parse_key) { + if (type != AMF_DATA_TYPE_ARRAY) { int size = bytestream2_get_be16(gb); if (!size) { bytestream2_get_byte(gb); From 4be6ff882397cf45cc050a30889c10deb533c531 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 00:13:59 +0200 Subject: [PATCH 468/562] avformat/rtpenc_rfc4175: Use 64bit in computation if copy_offset Found while reviewing: CID1494441 Untrusted value as argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f13ae632591b043cb69b66de01e8b178037cdd0e) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_rfc4175.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpenc_rfc4175.c b/libavformat/rtpenc_rfc4175.c index 257d072cd3..2120274f01 100644 --- a/libavformat/rtpenc_rfc4175.c +++ b/libavformat/rtpenc_rfc4175.c @@ -116,7 +116,7 @@ void ff_rtp_send_raw_rfc4175(AVFormatContext *s1, const uint8_t *buf, int size, int l_field; int l_line; int l_off; - int copy_offset; + int64_t copy_offset; length = (headers[0] << 8) | headers[1]; l_field = (headers[2] & 0x80) >> 7; @@ -127,7 +127,7 @@ void ff_rtp_send_raw_rfc4175(AVFormatContext *s1, const uint8_t *buf, int size, if (interlaced) l_line = 2 * l_line + l_field; - copy_offset = (l_line * width + l_off) * pgroup / xinc; + copy_offset = (l_line * (int64_t)width + l_off) * pgroup / xinc; if (copy_offset + length > size) break; memcpy (dest, buf + copy_offset, length); From 0300b1dcdea8017c45f4d99d1bc08831794952d7 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:26 +0200 Subject: [PATCH 469/562] avcodec/proresenc_kostya: use unsigned alpha for rotation Fixes: left shift of negative value -208 Fixes: 69073/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-4745020002336768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93e0265e27e6dd567812a8661988109421c5447a) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 6e332b5ab7..d23e5ed11d 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -341,7 +341,7 @@ static void get_slice_data(ProresContext *ctx, const uint16_t *src, static void get_alpha_data(ProresContext *ctx, const uint16_t *src, ptrdiff_t linesize, int x, int y, int w, int h, - int16_t *blocks, int mbs_per_slice, int abits) + uint16_t *blocks, int mbs_per_slice, int abits) { const int slice_width = 16 * mbs_per_slice; int i, j, copy_w, copy_h; From c7e8baeb75ea4eebe283d1657cf0ab11da0c9708 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 22:00:04 +0200 Subject: [PATCH 470/562] doc/examples/mux: remove nop Found through code review related to CID1604493 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e6c0c5731e85f00b5840d9a7d14e38cc3e07d5bc) Signed-off-by: Michael Niedermayer --- doc/examples/muxing.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/examples/muxing.c b/doc/examples/muxing.c index 3acb778322..41271bd106 100644 --- a/doc/examples/muxing.c +++ b/doc/examples/muxing.c 
@@ -351,8 +351,7 @@ static int write_audio_frame(AVFormatContext *oc, OutputStream *ost) if (frame) { /* convert samples from native format to destination codec format, using the resampler */ /* compute destination number of samples */ - dst_nb_samples = av_rescale_rnd(swr_get_delay(ost->swr_ctx, c->sample_rate) + frame->nb_samples, - c->sample_rate, c->sample_rate, AV_ROUND_UP); + dst_nb_samples = swr_get_delay(ost->swr_ctx, c->sample_rate) + frame->nb_samples; av_assert0(dst_nb_samples == frame->nb_samples); /* when we pass a frame to the encoder, it may keep a reference to it From 5fd805dfb411e35db1e07a02ff1a4aa527cab6a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2024 17:49:56 +0200 Subject: [PATCH 471/562] avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit width and height > 32bit is not supported and its easier to check in a central place Signed-off-by: Michael Niedermayer (cherry picked from commit ba63e329572b74207045fd82c93fcc0fa0479bc4) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 9ab5757cf6..9a24356202 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -298,7 +298,7 @@ int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enu stride = 8LL*w; stride += 128*8; - if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + if (w==0 || h==0 || w > INT32_MAX || h > INT32_MAX || stride >= INT_MAX || stride*(h + 128ULL) >= INT_MAX) { av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); return AVERROR(EINVAL); } From 8cc5348df6cb12724f2af3823b648ec702ae4ce9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:42 +0200 Subject: [PATCH 472/562] avcodec/xsubdec: Check parse_timecode() Fixes: CID1604490 Overflowed constant Sponsored-by: Sovereign Tech Fund 
Signed-off-by: Michael Niedermayer (cherry picked from commit 96fd9417e250540f228d1ad5b43a77c120208eba) Signed-off-by: Michael Niedermayer --- libavcodec/xsubdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index d62fa164a5..60ed6ca93f 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c @@ -59,6 +59,7 @@ static int decode_frame(AVCodecContext *avctx, AVSubtitle *sub, int64_t packet_time = 0; GetBitContext gb; int has_alpha = avctx->codec_tag == MKTAG('D','X','S','A'); + int64_t start_display_time, end_display_time; // check that at least header fits if (buf_size < 27 + 7 * 2 + 4 * (3 + has_alpha)) { @@ -73,8 +74,14 @@ static int decode_frame(AVCodecContext *avctx, AVSubtitle *sub, } if (avpkt->pts != AV_NOPTS_VALUE) packet_time = av_rescale_q(avpkt->pts, AV_TIME_BASE_Q, (AVRational){1, 1000}); - sub->start_display_time = parse_timecode(buf + 1, packet_time); - sub->end_display_time = parse_timecode(buf + 14, packet_time); + + sub->start_display_time = start_display_time = parse_timecode(buf + 1, packet_time); + sub->end_display_time = end_display_time = parse_timecode(buf + 14, packet_time); + if (sub->start_display_time != start_display_time || + sub-> end_display_time != end_display_time) { + av_log(avctx, AV_LOG_ERROR, "time code not representable in 32bit\n"); + return -1; + } buf += 27; // read header From f12e4ea885194208dc269c099e5ccc4ac85c5298 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:43 +0200 Subject: [PATCH 473/562] avcodec/cri: Check length Fixes: CID1604394 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 69dcd123f19acf851f85166159a3719565813fd0) Signed-off-by: Michael Niedermayer --- libavcodec/cri.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cri.c b/libavcodec/cri.c index 728983797a..4bbb69fd12 100644 --- a/libavcodec/cri.c 
+++ b/libavcodec/cri.c @@ -235,10 +235,14 @@ static int cri_decode_frame(AVCodecContext *avctx, AVFrame *p, s->data_size = length; goto skip; case 105: + if (length <= 0) + return AVERROR_INVALIDDATA; hflip = bytestream2_get_byte(gb) != 0; length--; goto skip; case 106: + if (length <= 0) + return AVERROR_INVALIDDATA; vflip = bytestream2_get_byte(gb) != 0; length--; goto skip; From 2f0931a4188fb3bb093470b4a1f6c3e66983f873 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:44 +0200 Subject: [PATCH 474/562] avcodec/dxv: Fix type in get_opcodes() Found by code review related to CID1604386 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e5af1c6e91e86b184101ef2abb49178ff409703b) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index d75f8b0402..3365fcf08a 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -440,7 +440,7 @@ static int get_opcodes(GetByteContext *gb, uint32_t *table, uint8_t *dst, int op size_in_bits = bytestream2_get_le32(gb); endoffset = ((size_in_bits + 7) >> 3) - 4; - if (endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) + if ((int)endoffset <= 0 || bytestream2_get_bytes_left(gb) < endoffset) return AVERROR_INVALIDDATA; offset = endoffset; From e75bc1102726da2c26d888b2301165f83d2d1dfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:45 +0200 Subject: [PATCH 475/562] avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() Found while reviewing code related to CID1604409 Overflowed return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7cf5b83f6fa367f99aefc1321bafc0a7e8db33cd) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 164c2583b6..9f60fe0397 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -424,6 +424,8 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, /** * read unsigned golomb rice code (jpegls). + * + * @returns -1 on error */ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int esc_len) @@ -535,6 +537,8 @@ static inline int get_sr_golomb(GetBitContext *gb, int k, int limit, /** * read signed golomb rice code (flac). + * + * @returns INT_MIN on error */ static inline int get_sr_golomb_flac(GetBitContext *gb, int k, int limit, int esc_len) From 007191cdc48aa51e1e94aac83f9c53f9239aaa27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:46 +0200 Subject: [PATCH 476/562] avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() Found by code review related to CID1604563 Overflowed return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b2aaeb81f65aaa61238d74a77034b118055340d3) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 9f60fe0397..742334978d 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -402,6 +402,7 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, log = av_log2(buf); if (log > 31 - limit) { + av_assert2(log >= k); buf >>= log - k; buf += (30U - log) << k; LAST_SKIP_BITS(re, gb, 32 + k - log); From 94b3f8f30ba7bb0191f680a2c0135c315a2dcb04 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:48 +0200 Subject: [PATCH 477/562] avcodec/iff: Use signed count This is more a style fix than a bugfix (CID1604392 Overflowed constant) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cfe66dfebb8a1e1394bcf834b6cc785f280ccecf) 
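Review bot: In get_ur_golomb, `av_assert2(log >= k);` is compiled in only at assert level 2 or higher, so in ordinary builds the next line, `buf >>= log - k;`, still runs with a negative shift count if a caller passes a `k` larger than `log`. The assertion therefore documents the precondition without enforcing it. Since the function's doc comment is outside this hunk, I would state the supported range of `k` there, for example `@param k Rice parameter; callers must keep it within the range the escape path can shift by`, and confirm that callers deriving `k` from stream data clamp it. The function body continues outside the hunk.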
Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 74ebddc621..dd652a14c1 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -583,7 +583,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, GetByteContext *gb) { GetByteContext cmds; - unsigned count; + int count; int i, y_pos = 0, x_pos = 0; if (bytestream2_get_be32(gb) != MKBETAG('V', 'D', 'A', 'T')) @@ -591,7 +591,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, bytestream2_skip(gb, 4); count = bytestream2_get_be16(gb) - 2; - if (bytestream2_get_bytes_left(gb) < count) + if (count < 0 || bytestream2_get_bytes_left(gb) < count) return 0; bytestream2_init(&cmds, gb->buffer, count); From 569b678653b47dfedd70438907f60454d1514559 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:49 +0200 Subject: [PATCH 478/562] avcodec/imm4: check cbphi for error Fixes: CID1604356 Overflowed constant Fixes: CID1604573 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6e4c037833c3ca0e0bd3e348701c4c0dc58bed91) Signed-off-by: Michael Niedermayer --- libavcodec/imm4.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/imm4.c b/libavcodec/imm4.c index d826818864..f678ba1603 100644 --- a/libavcodec/imm4.c +++ b/libavcodec/imm4.c @@ -221,12 +221,15 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { - unsigned flag, cbphi, cbplo; + unsigned flag, cbplo; + int cbphi; cbplo = get_vlc2(gb, cbplo_tab.table, CBPLO_VLC_BITS, 1); flag = get_bits1(gb); cbphi = get_cbphi(gb, 1); + if (cbphi < 0) + return cbphi; ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag); if (ret < 0) 
@@ -274,7 +277,8 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, for (y = 0; y < avctx->height; y += 16) { for (x = 0; x < avctx->width; x += 16) { int reverse, intra_block, value; - unsigned cbphi, cbplo, flag2 = 0; + unsigned cbplo, flag2 = 0; + int cbphi; if (get_bits1(gb)) { copy_block16(frame->data[0] + y * frame->linesize[0] + x, @@ -300,6 +304,9 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, cbplo = value >> 4; cbphi = get_cbphi(gb, reverse); + if (cbphi < 0) + return cbphi; + if (intra_block) { ret = decode_blocks(avctx, gb, cbplo | (cbphi << 2), 0, offset, flag2); if (ret < 0) From 525bb4cbc08fa8f02d28ad20c06b5c6c3e404c7e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:51 +0200 Subject: [PATCH 479/562] avcodec/loco: check get_ur_golomb_jpegls() for failure Fixes: CID1604400 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b9899866418cb3bd930846271470e3096917f5f6) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 9cadc9d006..48c65a1f04 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -92,10 +92,15 @@ static inline int loco_get_rice(RICEContext *r) if (get_bits_left(&r->gb) < 1) return INT_MIN; v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0); + if (v == -1) + return INT_MIN; loco_update_rice_param(r, (v + 1) >> 1); if (!v) { if (r->save >= 0) { - r->run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + int run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + if (run == -1) + return INT_MIN; + r->run = run; if (r->run > 1) r->save += r->run + 1; else From c0cb0d5418ae9ea79ea73e3d4490f95043006977 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:52 +0200 Subject: [PATCH 480/562] avcodec/loco: Check loco_get_rice() for failure Fixes: CID1604495 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d55327684349b4db5d5905eefaa7d2aec597908d) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 48c65a1f04..c4c84773ac 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -157,6 +157,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore top left pixel */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = 128 + val; /* restore top line */ for (i = 1; i < width; i++) { From d16caed6b16b0fb31c559192b46f5412abe52a52 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:55 +0200 Subject: [PATCH 481/562] avcodec/motion_est: Fix score squaring overflow Fixes: CID1604552 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f18b442370d714b930e3e983c2e5d789229f3356) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 741e431708..accc220b9c 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1444,7 +1444,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y) s->b_direct_mv_table[mot_xy][0]= 0; s->b_direct_mv_table[mot_xy][1]= 0; - return 256*256*256*64; + return 256*256*256*64-1; } c->xmin= xmin; From e607479d3c05ed3721c3287b955cd5a2f780dea1 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:56 +0200 Subject: [PATCH 482/562] avcodec/pixlet: Simplify pfx computation Found by reviewing code related to CID1604365 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0474614e6cf8edcd0077b95772c29fae894a7db9) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 4f9282bb94..99400c804b 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -232,8 +232,8 @@ static int read_high_coeffs(AVCodecContext *avctx, const uint8_t *src, int16_t * if (cnt1 >= length) { cnt1 = get_bits(bc, nbits); } else { - pfx = 14 + ((((uint64_t)(value - 14)) >> 32) & (value - 14)); - if (pfx < 1 || pfx > 25) + pfx = FFMIN(value, 14); + if (pfx < 1) return AVERROR_INVALIDDATA; cnt1 *= (1 << pfx) - 1; shbits = show_bits(bc, pfx); From 062862fe39ce923230f94afa93cf0ed220615f34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2024 01:51:59 +0200 Subject: [PATCH 483/562] avcodec/flac_parser: Assert that we do not overrun the link_penalty array Helps: CID1454676 Out-of-bounds read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9af348bd1aa41ea10d6719c56ed2b4eda97642f3) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 81b6f12ab3..7cbefa9177 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c 
@@ -505,6 +505,8 @@ static int check_header_mismatch(FLACParseContext *fpc, for (i = 0; i < FLAC_MAX_SEQUENTIAL_HEADERS && curr != child; i++) curr = curr->next; + av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS); + if (header->link_penalty[i] < FLAC_HEADER_CRC_FAIL_PENALTY || header->link_penalty[i] == FLAC_HEADER_NOT_PENALIZED_YET) { FLACHeaderMarker *start, *end; From 4ae285a7736f71c56e683da99d62712c68359c97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:34:48 +0200 Subject: [PATCH 484/562] avdevice/dshow_filter: Use wcscpy_s() Fixes: CID1591929 Copy into fixed size buffer Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit daf61dddc8e27424c320d5c3abe3e0c5182cd5c0) Signed-off-by: Michael Niedermayer --- libavdevice/dshow_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow_filter.c b/libavdevice/dshow_filter.c index 4642ac077c..2122c84626 100644 --- a/libavdevice/dshow_filter.c +++ b/libavdevice/dshow_filter.c @@ -135,7 +135,7 @@ long WINAPI ff_dshow_filter_JoinFilterGraph(DShowFilter *this, IFilterGraph *gra this->info.pGraph = graph; if (name) - wcscpy(this->info.achName, name); + wcscpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name); return S_OK; } From 374a5f8b0ab93c3f3bf148314b1540b2d77a67b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:26 +0200 Subject: [PATCH 485/562] avdevice/dshow: Cleanup also on av_log case Fixes: CID1598550 Resource leak Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 25f9211bdd61641cb8739efcb45bf31b46557178) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 977890f152..2cd7c2153a 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c 
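Review bot: `av_assert0()` aborts the process, so in check_header_mismatch this guard is only appropriate if `i == FLAC_MAX_SEQUENTIAL_HEADERS` can never be reached from stream data, and nothing in the hunk shows why `child` is always found within that many links. If crafted input can reach it, the out-of-bounds read becomes a denial of service; treating the pair as a mismatch and returning would be more graceful. The loop above also advances `curr = curr->next` without testing `curr`, so a `child` that is not on the list would dereference NULL before the assert runs. A one-line comment stating the invariant, for example `/* child is always one of the next FLAC_MAX_SEQUENTIAL_HEADERS headers after header */`, would make the assert reviewable, assuming that invariant really holds.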
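Review bot: The return value of `wcscpy_s()` is ignored and ff_dshow_filter_JoinFilterGraph still returns `S_OK`, so a name that does not fit `achName` is never reported to the caller. With the Microsoft CRT a too-long source also invokes the invalid-parameter handler, which by default terminates the process, so the overflow is traded for an abort. If truncation is acceptable for a filter name, `wcsncpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name, _TRUNCATE);` keeps the bound without that failure mode. Otherwise check the result and return an error HRESULT.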
@@ -1000,7 +1000,7 @@ dshow_cycle_formats(AVFormatContext *avctx, enum dshowDeviceType devtype, " ch=%2u, bits=%2u, rate=%6lu\n", fx->nChannels, fx->wBitsPerSample, fx->nSamplesPerSec ); - continue; + goto next; } if ( (requested_sample_rate && requested_sample_rate != fx->nSamplesPerSec) || From 2a0253d0665387cd6267314fc62ccef4b403481b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:24 +0200 Subject: [PATCH 486/562] avdevice/dshow: Check device_filter_unique_name before use Fixes: CID1591931 Explicit null dereferenced Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 175c19166824bd93b02f60c5178365014212366e) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 2cd7c2153a..68478ca762 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1372,7 +1372,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) - if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { + if (!device_filter_unique_name || strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { av_log(avctx, AV_LOG_DEBUG, "reusing previous graph capture filter... %s\n", device_filter_unique_name); IBaseFilter_Release(device_filter); device_filter = ctx->device_filter[otherDevType]; From 672314f46f0e043ce0172d60820956b61161dabf Mon Sep 17 00:00:00 2001 
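Review bot: When `device_filter_unique_name` is NULL the new condition in dshow_open_device takes the "reuse" branch, whose first statement passes that same pointer to `av_log(... "%s\n", device_filter_unique_name)`, so the NULL dereference in `strcmp` is replaced by a NULL `%s` argument, which is undefined behaviour for printf-style formatting. The change also treats an unknown name as "same device as the other type" and releases the freshly opened filter; a comment should say that this is intended. For the log line I would use `device_filter_unique_name ? device_filter_unique_name : "(null)"`. `ctx->device_unique_name[otherDevType]` is passed to `strcmp` unchecked as well; whether it can be NULL is decided outside the hunk.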
From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:27 +0200 Subject: [PATCH 487/562] avdevice/dshow: check ff_dshow_pin_ConnectionMediaType() for failure Maybe Fixes: CID1598557 Explicit null dereferenced Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 2c2e72708831ca0cc76f72368676a8ccf624a2fe) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 68478ca762..a40572b928 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -1545,7 +1545,10 @@ dshow_add_device(AVFormatContext *avctx, ctx->capture_filter[devtype]->stream_index = st->index; - ff_dshow_pin_ConnectionMediaType(ctx->capture_pin[devtype], &type); + if (ff_dshow_pin_ConnectionMediaType(ctx->capture_pin[devtype], &type) != S_OK) { + ret = AVERROR(EIO); + goto error; + } fmt_info = dshow_get_format_info(&type); if (!fmt_info) { ret = AVERROR(EIO); From bff5c102b394d88ae471308faca094cf291fffd3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:22 +0200 Subject: [PATCH 488/562] avdevice/dshow: Remove NULL check on pin The pointer is used before the check Fixes: CID1591884 Dereference before null check Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 989e11acb65e640d336d0d911e958a6008311a9d) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index a40572b928..023c9db052 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -431,8 +431,8 @@ dshow_get_device_media_types(AVFormatContext *avctx, enum dshowDeviceType devtyp IEnumMediaTypes_Release(types); if (p) IKsPropertySet_Release(p); - if (pin) - IPin_Release(pin); + + IPin_Release(pin); } IEnumPins_Release(pins); 
From 1264f271102613df2a62ef449646724158b89132 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2024 00:22:10 +0200 Subject: [PATCH 489/562] avfilter/vf_bm3d: Dont round MSE2SSE to an integer Fixes: CID1439581 Result is not floating-point Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ec18ec9fc1080c37a02f3709afda5c4b08d4ea89) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bm3d.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_bm3d.c b/libavfilter/vf_bm3d.c index 1167027535..dc84df71f3 100644 --- a/libavfilter/vf_bm3d.c +++ b/libavfilter/vf_bm3d.c @@ -270,7 +270,7 @@ static void do_block_matching_multi(BM3DContext *s, const uint8_t *src, int src_ int r_y, int r_x, int plane, int jobnr) { SliceContext *sc = &s->slices[jobnr]; - double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (s->max * s->max); + double MSE2SSE = s->group_size * s->block_size * s->block_size * src_range * src_range / (double)(s->max * s->max); double distMul = 1. / MSE2SSE; double th_sse = th_mse * MSE2SSE; int i, index = sc->nb_match_blocks; From 7481e2bb30883632a43aa505b04baf0bde631cb3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2024 00:22:11 +0200 Subject: [PATCH 490/562] avfilter/vf_convolution_opencl: Assert that the filter name is one of the filters Helps with: CID1439572 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 19a5a8997c93d72d6fe169c42a2a04ad4bb6e03a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_convolution_opencl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_convolution_opencl.c b/libavfilter/vf_convolution_opencl.c index de3d38b553..33610bf1d8 100644 --- a/libavfilter/vf_convolution_opencl.c +++ b/libavfilter/vf_convolution_opencl.c 
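Review bot: The added `(double)` cast in do_block_matching_multi is applied after `s->max * s->max` has already been multiplied, and the numerator is still evaluated in the operands' integer type, so if these are `int` (the declarations are outside the hunk) either product can overflow before the conversion. Converting the first operand of each product avoids that: `double MSE2SSE = (double)s->group_size * s->block_size * s->block_size * src_range * src_range / ((double)s->max * s->max);`.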
@@ -20,6 +20,7 @@ #include "config_components.h" +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/imgutils.h" #include "libavutil/mem.h" @@ -80,6 +81,8 @@ static int convolution_opencl_init(AVFilterContext *avctx) kernel_name = "prewitt_global"; } else if (!strcmp(avctx->filter->name, "roberts_opencl")){ kernel_name = "roberts_global"; + } else { + av_assert0(0); } ctx->kernel = clCreateKernel(ctx->ocf.program, kernel_name, &cle); CL_FAIL_ON_ERROR(AVERROR(EIO), "Failed to create " From dfb67d9dabc61ead70f7df625c45cf0cc6cfd68c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2024 20:47:24 +0200 Subject: [PATCH 491/562] avcodec/tiff: Check value on positive signed targets Fixes: CID1604593 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 66d6b8033b4bf8e9b33f26729c4ab9f9b328c5a2) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 8a649ee5be..27fe264a9c 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1269,9 +1269,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->is_thumbnail = (value != 0); break; case TIFF_WIDTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->width = value; break; case TIFF_HEIGHT: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->height = value; break; case TIFF_BPP: @@ -1403,12 +1407,18 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->tile_byte_counts_offset = off; break; case TIFF_TILE_LENGTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->tile_length = value; break; case TIFF_TILE_WIDTH: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->tile_width = value; break; case TIFF_PREDICTOR: + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->predictor = value; break; case TIFF_SUB_IFDS: 
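Review bot: The guard `if (value > INT_MAX) return AVERROR_INVALIDDATA;` is now copied into seven cases of tiff_decode_tag: TIFF_WIDTH and TIFF_HEIGHT in this hunk, TIFF_TILE_LENGTH, TIFF_TILE_WIDTH and TIFF_PREDICTOR in the next, and the T4/T6 options in the third. The comparison only rejects anything if `value` is unsigned, and its declaration is outside the hunks, so a comment at the first occurrence should say so. Folding the check into one small local macro or helper would keep the cases from drifting apart when another signed target is added. None of the new returns logs which tag was rejected, which makes malformed files harder to diagnose.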
@@ -1539,12 +1549,18 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) } break; case TIFF_T4OPTIONS: - if (s->compr == TIFF_G3) + if (s->compr == TIFF_G3) { + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->fax_opts = value; + } break; case TIFF_T6OPTIONS: - if (s->compr == TIFF_G4) + if (s->compr == TIFF_G4) { + if (value > INT_MAX) + return AVERROR_INVALIDDATA; s->fax_opts = value; + } break; #define ADD_METADATA(count, name, sep)\ if ((ret = add_metadata(count, type, name, sep, s, frame)) < 0) {\ From 26ec1d1afb8de14e9c4851c815fceb100d90b2a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2024 20:47:27 +0200 Subject: [PATCH 492/562] avdevice/dshow_capture: Fix error handling in ff_dshow_##prefix##_Create() Untested, needs review Fixes: CID1591856 Resource leak Fixes: CID1591887 Resource leak Fixes: CID1591874 Resource leak Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 348968e9f7d8abb743a5dfca8e522ae0cf1ddc8b) Signed-off-by: Michael Niedermayer --- libavdevice/dshow_capture.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavdevice/dshow_capture.h b/libavdevice/dshow_capture.h index b548cd7afc..09561d8eac 100644 --- a/libavdevice/dshow_capture.h +++ b/libavdevice/dshow_capture.h 
@@ -125,14 +125,15 @@ void ff_dshow_##prefix##_Destroy(class *this) \ class *ff_dshow_##prefix##_Create(__VA_ARGS__) \ { \ class *this = CoTaskMemAlloc(sizeof(class)); \ - void *vtbl = CoTaskMemAlloc(sizeof(*this->vtbl)); \ dshowdebug("ff_dshow_"AV_STRINGIFY(prefix)"_Create(%p)\n", this); \ - if (!this || !vtbl) \ + if (!this) \ goto fail; \ ZeroMemory(this, sizeof(class)); \ - ZeroMemory(vtbl, sizeof(*this->vtbl)); \ + this->vtbl = CoTaskMemAlloc(sizeof(*this->vtbl)); \ + if (!this->vtbl) \ + goto fail; \ + ZeroMemory(this->vtbl, sizeof(*this->vtbl)); \ this->ref = 1; \ - this->vtbl = vtbl; \ if (!setup) \ goto fail; \ dshowdebug("created ff_dshow_"AV_STRINGIFY(prefix)" %p\n", this); \ From 9e2f1e8a6e09cac68fc43389a6bf5a4e80c261bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2024 00:44:08 +0200 Subject: [PATCH 493/562] avcodec/mpegvideo_enc: Do not duplicate pictures on shifting Fixes: out of array access Fixes: 69098/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-6107989688778752 Fixes: 69599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4848626296225792.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c8881cb3534b257d6e6539f563006599cd96b48) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index d1c64a921d..9cc69cd5a9 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c 
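Review bot: After this change the `fail` label in ff_dshow_##prefix##_Create() is entered with `this` in three different states: NULL, allocated with `this->vtbl == NULL`, or fully allocated with `setup` having failed. The label and the destroy path it uses are outside the hunk, so it cannot be confirmed here that each state frees exactly what was allocated and does not run teardown on a NULL or half-initialised object. Given that the commit message says the change is untested, I would add a comment at the label such as `/* reached with this == NULL, with this->vtbl == NULL, or after setup failure; must cope with all three */` and verify the cleanup against it.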
@@ -1145,6 +1145,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) /* shift buffer entries */ for (i = flush_offset; i < MAX_PICTURE_COUNT /*s->encoding_delay + 1*/; i++) s->input_picture[i - flush_offset] = s->input_picture[i]; + for (int i = MAX_B_FRAMES + 1 - flush_offset; i <= MAX_B_FRAMES; i++) + s->input_picture[i] = NULL; s->input_picture[encoding_delay] = (Picture*) pic; From 19af012dac35067dc117ee70f4b7b6d4a4d9f11a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2024 22:43:22 +0200 Subject: [PATCH 494/562] avcodec/vc2enc: Fix overflows with storing large values Fixes: left shift of 1431634944 by 2 places cannot be represented in type 'int' Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 69061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6325700826038272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit af9935835335cae1ae5a4ec7fc14c1b5e25c1f2d) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 1e3127f080..f88c55c0a1 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -185,7 +185,9 @@ typedef struct VC2EncContext { static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) { int i; - int pbits = 0, bits = 0, topbit = 1, maxval = 1; + int bits = 0; + unsigned topbit = 1, maxval = 1; + uint64_t pbits = 0; if (!val++) { put_bits(pb, 1, 1); 
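Review bot: The added loop in load_input_picture starts at `MAX_B_FRAMES + 1 - flush_offset`, which becomes a negative index into `s->input_picture` if `flush_offset` can exceed `MAX_B_FRAMES + 1`; the range of `flush_offset` is established outside the hunk and should be stated in a comment or asserted next to the loop. The loop also declares `int i`, shadowing the `i` used by the shift loop directly above, so `for (i = MAX_B_FRAMES + 1 - flush_offset; i <= MAX_B_FRAMES; i++)` would be more consistent. The shift runs to `MAX_PICTURE_COUNT` while the clear stops at `MAX_B_FRAMES`, and a short note on why the entries above that are never populated would help.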
@@ -202,12 +204,13 @@ static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) for (i = 0; i < bits; i++) { topbit >>= 1; + av_assert2(pbits <= UINT64_MAX>>3); pbits <<= 2; if (val & topbit) pbits |= 0x1; } - put_bits(pb, bits*2 + 1, (pbits << 1) | 1); + put_bits64(pb, bits*2 + 1, (pbits << 1) | 1); } static av_always_inline int count_vc2_ue_uint(uint32_t val) From e542e1b8f7f266ea02e7b4d5338c47259dd46005 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2024 23:55:01 +0200 Subject: [PATCH 495/562] avcodec/utvideoenc: Use unsigned shift to build flags Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 69083/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-5608202363273216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69e90491f15d8eef643f8dfd1b75805829496678) Signed-off-by: Michael Niedermayer --- libavcodec/utvideoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index 15a53a6094..e846b40679 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c @@ -223,7 +223,7 @@ static av_cold int utvideo_encode_init(AVCodecContext *avctx) * - Compression mode (none/huff) * And write the flags. */ - c->flags = (c->slices - 1) << 24; + c->flags = (c->slices - 1U) << 24; c->flags |= 0 << 11; // bit field to signal interlaced encoding mode c->flags |= c->compression; From 47c6e5f1b3b0ca1edcd13ec94564208ac1b317ca Mon Sep 17 00:00:00 2001 
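Review bot: `av_assert2(pbits <= UINT64_MAX>>3)` is compiled out unless the build uses assert level 2, so in normal builds nothing in put_vc2_ue_uint bounds `pbits` or the width `bits*2 + 1` passed to `put_bits64()`. The limit on `bits` comes from code between the two hunks that is not shown, and `val++` in the first hunk wraps to 0 for `UINT32_MAX`, which looks worth checking against that code. I would document the bound next to the assert, for example `/* val is 32 bit, so bits <= 32 and the interleaved code needs at most 2*bits+1 bits */`, once that is confirmed to hold.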
From: Michael Niedermayer Date: Thu, 20 Jun 2024 00:05:12 +0200 Subject: [PATCH 496/562] avcodec/mpeg12enc: Use av_rescale() in vbv_buffer_size computation Fixes: signed integer overflow: 20 * 2314885530818453759 cannot be represented in type 'long' Fixes: 69098/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-6107989688778752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0993ef675f06042402a97b08a60155c65dae8ba7) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12enc.c b/libavcodec/mpeg12enc.c index 09d63ff7dc..6a8640a04d 100644 --- a/libavcodec/mpeg12enc.c +++ b/libavcodec/mpeg12enc.c @@ -319,7 +319,7 @@ static void mpeg1_encode_sequence_header(MpegEncContext *s) else /* VBV calculation: Scaled so that a VCD has the proper * VBV size of 40 kilobytes */ - vbv_buffer_size = ((20 * s->bit_rate) / (1151929 / 2)) * 8 * 1024; + vbv_buffer_size = av_rescale_rnd(s->bit_rate, 20, 1151929 / 2, AV_ROUND_ZERO) * 8 * 1024; vbv_buffer_size = (vbv_buffer_size + 16383) / 16384; put_sbits(&s->pb, 18, v); From 5372bfe01e4a04357ab4465c1426cf8c6412dfd5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Jul 2024 21:12:54 +0200 Subject: [PATCH 497/562] avcodec/pnmdec: Use 64bit for input size check Fixes: out of array read Fixes: poc3 Reported-by: VulDB CNA Team Found-by: CookedMelon Signed-off-by: Michael Niedermayer (cherry picked from commit 3faadbe2a27e74ff5bb5f7904ec27bb1f5287dc8) Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index bb2ce53496..8bd87ac1e3 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c 
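Review bot: `av_rescale_rnd()` returns an `int64_t`, but in mpeg1_encode_sequence_header the result is multiplied by `8 * 1024` and assigned to `vbv_buffer_size`, whose declaration is outside the hunk. If that variable is narrower than 64 bits, the very large `s->bit_rate` values this fix targets are silently truncated instead of overflowing, and the header is written with an unrelated VBV size. Clamping the rescaled value, or rejecting such bit rates, before the assignment would make the behaviour defined for those inputs.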
@@ -260,7 +260,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, AVFrame *p, break; case AV_PIX_FMT_GBRPF32: if (!s->half) { - if (avctx->width * avctx->height * 12 > s->bytestream_end - s->bytestream) + if (avctx->width * avctx->height * 12LL > s->bytestream_end - s->bytestream) return AVERROR_INVALIDDATA; scale = 1.f / s->scale; if (s->endian) { From 46161ba1a998bf15a4aa7b25cdb8aa2630f4016a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 21:23:40 +0200 Subject: [PATCH 498/562] avutil/timecode: Use a 64bit framenum internally Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 68550/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6424065930756096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d5ca373d7efa37d2d3911f0afbc85fad0dc86b38) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index bd879bd3cc..f40a10eb38 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -100,11 +100,12 @@ uint32_t av_timecode_get_smpte(AVRational rate, int drop, int hh, int mm, int ss return tc; } -char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum) +char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum_arg) { int fps = tc->fps; int drop = tc->flags & AV_TIMECODE_FLAG_DROPFRAME; int hh, mm, ss, ff, ff_len, neg = 0; + int64_t framenum = framenum_arg; framenum += tc->start; if (drop) From 3b253df309c95553d4092b60f77ef0673d7dd064 Mon Sep 17 00:00:00 2001 
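Review bot: In `avctx->width * avctx->height * 12LL` the multiplication associates left to right, so `avctx->width * avctx->height` is still computed in `int` and only that result is widened by `12LL`. Unless an earlier dimension check outside this hunk guarantees the product fits in `int`, the size test in pnm_decode_frame can still be bypassed by overflow. Putting the 64-bit operand first fixes it: `if (12LL * avctx->width * avctx->height > s->bytestream_end - s->bytestream)`.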
From: Michael Niedermayer Date: Tue, 16 Jul 2024 21:31:21 +0200 Subject: [PATCH 499/562] avformat/mxfdec: Reorder elements of expression in bisect loop Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 68578/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6032171648221184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d288479d3431d65318d957aab710b13714fc05) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 4707b0b7b4..60b6b2d320 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3755,8 +3755,7 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; - - while (b - a > 1) { + while (b - 1 > a) { m = (a + b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; From bb40556df44b5a48f847e2363e733bd8f5602748 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 23:44:04 +0200 Subject: [PATCH 500/562] swscale/output: Fix integer overflows in yuv2rgba64_X_c_template Fixes: signed integer overflow: -1082982400 + -1068681048 cannot be represented in type 'int' Fixes: 69995/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6285740271534080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcab9789ef750670277956e79736bca442aec2ff) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index e9e1ec5b29..d28eafe3ba 100644 --- a/libswscale/output.c +++ b/libswscale/output.c 
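Review bot: The reordered loop condition in mxf_get_next_track_edit_unit removes the overflow for `a = -1`, but the midpoint on the next line, `m = (a + b) >> 1;`, can still overflow once `a` has moved up while `b` remains near `INT64_MAX`. `b - 1` also overflows if `track->original_duration` is `INT64_MIN`. Computing the midpoint from the unsigned distance avoids the first problem: `m = a + (int64_t)(((uint64_t)b - a) >> 1);`. Rejecting a negative or implausibly large `original_duration` before the loop would cover both; the rest of the loop body is outside the hunk.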
@@ -1034,8 +1034,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, for (i = 0; i < ((dstW + 1) >> 1); i++) { int j; - int Y1 = -0x40000000; - int Y2 = -0x40000000; + unsigned Y1 = -0x40000000; + unsigned Y2 = -0x40000000; int U = -(128 << 23); // 19 int V = -(128 << 23); int R, G, B; @@ -1063,9 +1063,9 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, } // 8 bits: 12+15=27; 16 bits: 12+19=31 - Y1 >>= 14; // 10 + Y1 = (int)Y1 >> 14; // 10 Y1 += 0x10000; - Y2 >>= 14; + Y2 = (int)Y2 >> 14; Y2 += 0x10000; U >>= 14; V >>= 14; 
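Review bot: Only the luma accumulators `Y1` and `Y2` become `unsigned` in yuv2rgba64_X_c_template, while `U` and `V` declared directly below stay `int`. The filter loop that accumulates into them is outside the hunks, so the same overflow may remain for chroma and should be checked. The fix relies on `(int)Y1 >> 14`, and on `(int)(R_B + Y1) >> 14` in the third hunk, converting a wrapped unsigned value back to a negative `int` and shifting it arithmetically; both are implementation-defined. I would add a comment at the declaration such as `/* unsigned so the accumulation may wrap; cast back to int before the arithmetic shift */`.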
@@ -1084,20 +1084,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From 0f843c76eeed9366992fb3e2e12ffeb97807432b Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 14 Jun 2024 01:50:15 +0200 Subject: [PATCH 501/562] avfilter/vf_deshake_opencl: Ensure that the first iteration initializes the best variables Fixes: CID1452759 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9385847af47211e8c618198499ffea99614bb55d) Signed-off-by: Michael Niedermayer --- libavfilter/vf_deshake_opencl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_deshake_opencl.c b/libavfilter/vf_deshake_opencl.c index c2b5bef897..f9a70d5cc1 100644 --- a/libavfilter/vf_deshake_opencl.c +++ b/libavfilter/vf_deshake_opencl.c @@ -704,7 +704,7 @@ static int minimize_error( total_err += deshake_ctx->ransac_err[j]; } - if (total_err < best_err) { + if (i == 0 || total_err < best_err) { for (int mi = 0; mi < 6; ++mi) { best_model[mi] = model[mi]; } From b07d36fe69e0a73a73e3eca8066e2bd6bc195a16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 00:45:45 +0200 Subject: [PATCH 502/562] avfilter/vf_elbg: Use unsigned for shifting into the top bit Fixes: part of CID1355110 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2af95b9214a6bf75f946440d36c349963396e23b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_elbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_elbg.c b/libavfilter/vf_elbg.c index fc73346ae1..08251d85ff 100644 --- a/libavfilter/vf_elbg.c +++ b/libavfilter/vf_elbg.c @@ -193,7 +193,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) p0 = (uint8_t *)out->data[0]; for (i = 0; i < elbg->codebook_length; i++) { - const int al = elbg->use_alpha ? elbg->codebook[i*4+3] : 0xff; + const unsigned al = elbg->use_alpha ? elbg->codebook[i*4+3] : 0xff; pal[i] = al << 24 | (elbg->codebook[i*4+2] << 16) | (elbg->codebook[i*4+1] << 8) | 
From f3600aff212e9d070d2aa3a43e1264bca6ac8b5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 01:33:11 +0200 Subject: [PATCH 503/562] avfilter/vf_lut3d: Check av_scanf() Fixes: CID1604398 Unchecked return value Fixes: CID1604542 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ace2e25720b8a26906b15aab7eebbac860bb7bf0) Signed-off-by: Michael Niedermayer --- libavfilter/vf_lut3d.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_lut3d.c b/libavfilter/vf_lut3d.c index 358fe13e09..8c9f19b014 100644 --- a/libavfilter/vf_lut3d.c +++ b/libavfilter/vf_lut3d.c @@ -704,7 +704,8 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; @@ -1742,12 +1743,14 @@ try_again: else if (!strncmp(line + 7, "MAX ", 4)) vals = max; if (!vals) return AVERROR_INVALIDDATA; - av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2); + if (av_sscanf(line + 11, "%f %f %f", vals, vals + 1, vals + 2) != 3) + return AVERROR_INVALIDDATA; av_log(ctx, AV_LOG_DEBUG, "min: %f %f %f | max: %f %f %f\n", min[0], min[1], min[2], max[0], max[1], max[2]); goto try_again; } else if (!strncmp(line, "LUT_1D_INPUT_RANGE ", 19)) { - av_sscanf(line + 19, "%f %f", min, max); + if (av_sscanf(line + 19, "%f %f", min, max) != 2) + return AVERROR_INVALIDDATA; min[1] = min[2] = min[0]; max[1] = max[2] = max[0]; goto try_again; From a579bc48ec9628ade1ff2a10f879bc6808924538 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Mon, 8 Jul 2024 22:01:29 +0200 Subject: [PATCH 504/562] avfilter/scale_eval: Use 64bit, check values in ff_scale_adjust_dimensions() Found by reviewing CID1513722 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ad9df8bcfebc1085cb8b42dae9ab688af824cdab) Signed-off-by: Michael Niedermayer --- libavfilter/scale_eval.c | 9 ++++++--- libavfilter/scale_eval.h | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/libavfilter/scale_eval.c b/libavfilter/scale_eval.c index dfec081e15..ea71260dcb 100644 --- a/libavfilter/scale_eval.c +++ b/libavfilter/scale_eval.c @@ -114,7 +114,7 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, int *ret_w, int *ret_h, int force_original_aspect_ratio, int force_divisible_by) { - int w, h; + int64_t w, h; int factor_w, factor_h; w = *ret_w; @@ -148,8 +148,8 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, * dimensions so that it is not divisible by the set factors anymore * unless force_divisible_by is defined as well */ if (force_original_aspect_ratio) { - int tmp_w = av_rescale(h, inlink->w, inlink->h); - int tmp_h = av_rescale(w, inlink->h, inlink->w); + int64_t tmp_w = av_rescale(h, inlink->w, inlink->h); + int64_t tmp_h = av_rescale(w, inlink->h, inlink->w); if (force_original_aspect_ratio == 1) { w = FFMIN(tmp_w, w); @@ -170,6 +170,9 @@ int ff_scale_adjust_dimensions(AVFilterLink *inlink, } } + if ((int32_t)w != w || (int32_t)h != h) + return AVERROR(EINVAL); + *ret_w = w; *ret_h = h; diff --git a/libavfilter/scale_eval.h b/libavfilter/scale_eval.h index fceb023fec..658092962d 100644 --- a/libavfilter/scale_eval.h +++ b/libavfilter/scale_eval.h 
@@ -40,7 +40,7 @@ int ff_scale_eval_dimensions(void *ctx, * or both of the evaluated values are of the form '-n' or if * force_original_aspect_ratio is set. * - * Returns 0. + * Returns negative error code on error or non negative on success */ int ff_scale_adjust_dimensions(AVFilterLink *inlink, int *ret_w, int *ret_h, From d63a35fcf11c9c4d3c277410d4ba9a73fe1e0e78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2024 22:42:44 +0200 Subject: [PATCH 505/562] avfilter/vf_scale: Check ff_scale_adjust_dimensions() for failure Helps: CID1513722 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2a8fb3c2cc07e741bca556eee8aea704fda4c33f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_scale.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 2b12cf283c..fd3ec8db1a 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -494,10 +494,13 @@ static int config_props(AVFilterLink *outlink) outlink->w = scale->w; outlink->h = scale->h; - ff_scale_adjust_dimensions(inlink, &outlink->w, &outlink->h, + ret = ff_scale_adjust_dimensions(inlink, &outlink->w, &outlink->h, scale->force_original_aspect_ratio, scale->force_divisible_by); + if (ret < 0) + goto fail; + if (outlink->w > INT_MAX || outlink->h > INT_MAX || (outlink->h * inlink->w) > INT_MAX || From f32f82b421de69dfc2f6d47665a03054cccfe89d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 17:38:08 +0200 Subject: [PATCH 506/562] avformat/asfdec_o: Check size of index object We subtract 24 so it must be at least 24 Fixes: CID1604482 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 891bc070f0294e564a02f9a71f6591b6a62c90cc) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) 
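Review bot: The context check that follows the new error handling in config_props is still ineffective. `outlink->w` and `outlink->h` are `int` (they are passed as `int *ret_w, int *ret_h`), so `outlink->w > INT_MAX` can never be true, and `(outlink->h * inlink->w) > INT_MAX` multiplies in `int` and overflows before the comparison. That matches the "Operands don't affect result" report, which the commit only helps with. Widening the products makes the test meaningful, for example `(int64_t)outlink->h * inlink->w > INT_MAX`, and likewise for any similar term that continues outside the hunk.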
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index e837ca62e7..b40f9dcbe3 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -864,6 +864,9 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g) int64_t offset; uint64_t size = avio_rl64(pb); + if (size < 24) + return AVERROR_INVALIDDATA; + // simple index objects should be ordered by stream number, this loop tries to find // the first not indexed video stream for (i = 0; i < asf->nb_streams; i++) { From a39cbdbd670a539dc2da43fa55dc04a402ee70f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:10:00 +0200 Subject: [PATCH 507/562] avformat/bintext: Check avio_size() return Fixes: CID1604503 Overflowed constant Fixes: CID1604566 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bf61f811e73dc62d1b53ed4ef6044b4e9e195113) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index b6f14a03e5..a691018080 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -92,9 +92,12 @@ static int next_tag_read(AVFormatContext *avctx, uint64_t *fsize) AVIOContext *pb = avctx->pb; char buf[36]; int len; - uint64_t start_pos = avio_size(pb) - 256; + int64_t start_pos = avio_size(pb); - avio_seek(pb, start_pos, SEEK_SET); + if (start_pos < 256) + return AVERROR_INVALIDDATA; + + avio_seek(pb, start_pos - 256, SEEK_SET); if (avio_read(pb, buf, sizeof(next_magic)) != sizeof(next_magic)) return -1; if (memcmp(buf, next_magic, sizeof(next_magic))) 
@@ -244,7 +247,10 @@ static int xbin_read_header(AVFormatContext *s) return AVERROR(EIO); if (pb->seekable & AVIO_SEEKABLE_NORMAL) { - bin->fsize = avio_size(pb) - 9 - st->codecpar->extradata_size; + int64_t fsize = avio_size(pb); + if (fsize < 9 + st->codecpar->extradata_size) + return 0; + bin->fsize = fsize - 9 - st->codecpar->extradata_size; ff_sauce_read(s, &bin->fsize, NULL, 0); avio_seek(pb, 9 + st->codecpar->extradata_size, SEEK_SET); } @@ -284,7 +290,10 @@ static int adf_read_header(AVFormatContext *s) if (pb->seekable & AVIO_SEEKABLE_NORMAL) { int got_width = 0; - bin->fsize = avio_size(pb) - 1 - 192 - 4096; + int64_t fsize = avio_size(pb); + if (fsize < 1 + 192 + 4096) + return 0; + bin->fsize = fsize - 1 - 192 - 4096; st->codecpar->width = 80<<3; ff_sauce_read(s, &bin->fsize, &got_width, 0); if (st->codecpar->width < 8) @@ -317,6 +326,7 @@ static int idf_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; AVStream *st; int got_width = 0, ret; + int64_t fsize; if (!(pb->seekable & AVIO_SEEKABLE_NORMAL)) return AVERROR(EIO); @@ -331,14 +341,18 @@ static int idf_read_header(AVFormatContext *s) st->codecpar->extradata[0] = 16; st->codecpar->extradata[1] = BINTEXT_PALETTE|BINTEXT_FONT; - avio_seek(pb, avio_size(pb) - 4096 - 48, SEEK_SET); + fsize = avio_size(pb); + if (fsize < 12 + 4096 + 48) + return AVERROR_INVALIDDATA; + bin->fsize = fsize - 12 - 4096 - 48; + + avio_seek(pb, bin->fsize + 12, SEEK_SET); if (avio_read(pb, st->codecpar->extradata + 2 + 48, 4096) < 0) return AVERROR(EIO); if (avio_read(pb, st->codecpar->extradata + 2, 48) < 0) return AVERROR(EIO); - bin->fsize = avio_size(pb) - 12 - 4096 - 48; ff_sauce_read(s, &bin->fsize, &got_width, 0); if (st->codecpar->width < 8) return AVERROR_INVALIDDATA; From a44dbb58faf76200bd44ca2d408c09f5671af9f9 Mon Sep 17 00:00:00 2001 
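Review bot: In libavformat/bintext.c, xbin_read_header() and adf_read_header() return 0 when avio_size() fails or the file is shorter than the fixed header, while next_tag_read() and idf_read_header() in the same patch return AVERROR_INVALIDDATA for the equivalent condition. Returning success here also skips ff_sauce_read() and, in xbin_read_header(), the `avio_seek(pb, 9 + st->codecpar->extradata_size, SEEK_SET)` that follows, and `bin->fsize` keeps whatever value it had before. If treating the size as unknown is intended, a comment such as `/* file size unavailable or too small: skip SAUCE parsing */` would make that explicit; otherwise return AVERROR_INVALIDDATA as the other readers do.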
From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:37:54 +0200 Subject: [PATCH 508/562] avformat/hlsenc: Check ret Fixes: CID1609624 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7e577165c101513b4d8afe164e604cbef6901546) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 2b049ea0f2..e9ee533e68 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -2586,8 +2586,10 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) " will retry with a new http session.\n"); ff_format_io_close(s, &vs->out); ret = hlsenc_io_open(s, &vs->out, filename, &options); - reflush_dynbuf(vs, &range_length); - ret = hlsenc_io_close(s, &vs->out, filename); + if (ret >= 0) { + reflush_dynbuf(vs, &range_length); + ret = hlsenc_io_close(s, &vs->out, filename); + } } av_dict_free(&options); av_freep(&vs->temp_buffer); @@ -2598,6 +2600,9 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) hls_rename_temp_file(s, oc); } + if (ret < 0) + return ret; + old_filename = av_strdup(oc->url); if (!old_filename) { return AVERROR(ENOMEM); From e8f477a5f1e922967ca4820ce072e2f294056fa2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:40:46 +0200 Subject: [PATCH 509/562] avformat/hnm: Check *chunk_size Fixes: CID1604419 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 291356f58b8a1af491c692a89e6c4e70e9496f9d) Signed-off-by: Michael Niedermayer --- libavformat/hnm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hnm.c b/libavformat/hnm.c index 97990b2673..faa2044dff 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c 
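Review bot: In libavformat/hlsenc.c hls_write_packet(), the new `if (ret < 0) return ret;` sits after the block that calls `hls_rename_temp_file(s, oc)`, so a failed `hlsenc_io_open()` retry from the first hunk appears to still reach the rename before the error is returned. If that reading is right (most of the function lies outside both hunks), test `ret` before the rename rather than after it, so an incomplete segment is not published under its final name. The failed retry is also silent; a log line such as `av_log(s, AV_LOG_ERROR, "Failed to reopen %s\n", filename);` would help when diagnosing dropped segments.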
@@ -113,6 +113,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) if (hnm->superchunk_remaining == 0) { /* parse next superchunk */ superchunk_size = avio_rl24(pb); + if (superchunk_size < 4) + return AVERROR_INVALIDDATA; avio_skip(pb, 1); hnm->superchunk_remaining = superchunk_size - 4; @@ -123,7 +125,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) chunk_id = avio_rl16(pb); avio_skip(pb, 2); - if (chunk_size > hnm->superchunk_remaining || !chunk_size) { + if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) { av_log(s, AV_LOG_ERROR, "invalid chunk size: %"PRIu32", offset: %"PRId64"\n", chunk_size, avio_tell(pb)); From 61306c1f51ba0493a8124c88d4255e7ab9f7c158 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 19:29:14 +0200 Subject: [PATCH 510/562] avformat/mm: Check length Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 139bf412464e62a83984cd49093936dcaa7a0865) Signed-off-by: Michael Niedermayer --- libavformat/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mm.c b/libavformat/mm.c index 1d44f41a94..de2998642a 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -94,7 +94,7 @@ static int read_header(AVFormatContext *s) type = avio_rl16(pb); length = avio_rl32(pb); - if (type != MM_TYPE_HEADER) + if (type != MM_TYPE_HEADER || length < 10) return AVERROR_INVALIDDATA; /* read header */ From 532f504642e83748f945c69d9df12baaf6d1511e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:03:45 +0200 Subject: [PATCH 511/562] avformat/mov: Use 64bit for str_size We assign a 64bit variable to it before checking Fixes: CID1604544 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 046d069552f5c2824f36fcf95d409670208dc94b) 
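Review bot: In libavformat/hnm.c hnm_read_packet(), the new bounds `superchunk_size < 4` and `chunk_size < 8` are bare numbers whose meaning has to be inferred from the reads around them, and the superchunk check returns without the log message that the chunk check has. A short comment on each, e.g. `/* size includes the 4-byte superchunk header */` and `/* size includes the 8-byte chunk header */`, would tie the checks to the subtractions they protect. The 8 is inferred, since the reads that make up the chunk header are only partly visible in the hunk.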
Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index b518bfb87b..d06967ecfb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -302,7 +302,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) char *str = NULL; const char *key = NULL; uint16_t langcode = 0; - uint32_t data_type = 0, str_size, str_size_alloc; + uint32_t data_type = 0, str_size_alloc; + uint64_t str_size; int (*parse)(MOVContext*, AVIOContext*, unsigned, const char*) = NULL; int raw = 0; int num = 0; From a3b4e8156cbf34e640257c42171feb799ebd61f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:17:00 +0200 Subject: [PATCH 512/562] avformat/mp3dec; Check for avio_size() failure Fixes: CID1608710 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bb936a1a720856a51c48bf907475daa8065920c9) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 458d6dbd03..fe56982967 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -136,9 +136,10 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration int fill_index = (mp3->usetoc || fast_seek) && duration > 0; if (!filesize && - !(filesize = avio_size(s->pb))) { + (filesize = avio_size(s->pb)) <= 0) { av_log(s, AV_LOG_WARNING, "Cannot determine file size, skipping TOC table.\n"); fill_index = 0; + filesize = 0; } for (i = 0; i < XING_TOC_COUNT; i++) { From 617c635d042e13aa4d6d203db7f13f09365af696 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:20:53 +0200 Subject: [PATCH 513/562] avformat/mp3dec: Check header_filesize Fixes: CID1608714 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund 
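Review bot: In libavformat/mp3dec.c read_xing_toc(), the new `<= 0` test only runs when the `filesize` argument is 0, so a negative `filesize` passed in by a caller still skips it and reaches the TOC loop. Testing the argument the same way, `if (filesize <= 0 && (filesize = avio_size(s->pb)) <= 0) {`, covers both sources. Whether any caller can pass a negative value is not visible here; the callers are outside the hunk.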
Signed-off-by: Michael Niedermayer (cherry picked from commit cea4dbc903eaf8cb7a4ea53b281deff495ff8fa0) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index fe56982967..3884515fb0 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -592,7 +592,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, if (best_pos < 0) return best_pos; - if (mp3->is_cbr && ie == &ie1 && mp3->frames) { + if (mp3->is_cbr && ie == &ie1 && mp3->frames && mp3->header_filesize > 0) { int frame_duration = av_rescale(st->duration, 1, mp3->frames); ie1.timestamp = frame_duration * av_rescale(best_pos - si->data_offset, mp3->frames, mp3->header_filesize); } From 5902cab5dd3c8d7c2bdb11b22e4920f9aff067c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:29:10 +0200 Subject: [PATCH 514/562] avformat/nsvdec: Check asize for PCM Fixes: CID1604527 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e83e24650489e63f6b31e8c72a973db6367947b9) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 852e6194b0..a1a4b3966c 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -597,7 +597,7 @@ null_chunk_retry: pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ /* on ALL audio chunks ?? seems so! */ - if (asize && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { + if (asize >= 4 && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { uint8_t bps; uint8_t channels; uint16_t samplerate; From 76a059b6b209b5b39cd6fbe8dc2f13f33b29e079 Mon Sep 17 00:00:00 2001 
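Review bot: In libavformat/mp3dec.c mp3_seek(), `frame_duration` is declared `int` but receives the `int64_t` result of av_rescale(), and the product on the next line is computed from that narrowed value. With the divisor now guarded, the remaining risk in this branch is the narrowing; `int64_t frame_duration = av_rescale(st->duration, 1, mp3->frames);` removes it.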
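Review bot: In libavformat/nsvdec.c, the `asize >= 4` bound is a bare number; judging by the declarations that follow (`uint8_t bps; uint8_t channels; uint16_t samplerate;`) it is the size of the raw PCM header. A comment such as `/* PCM header: bps (1) + channels (1) + samplerate (2) */` would document that. It is also worth confirming that audio chunks of 1 to 3 bytes, which now take the non-PCM path, are handled sensibly there; that code is outside the hunk.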
From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:44:45 +0200 Subject: [PATCH 515/562] avformat/sapdec: Check ffurl_get_file_handle() for error Fixes: CID1604506 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 3e305a0e703843765d4dd7042092c3a38c0f97af) Signed-off-by: Michael Niedermayer --- libavformat/sapdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sapdec.c b/libavformat/sapdec.c index fd0e662433..2bacfcdf19 100644 --- a/libavformat/sapdec.c +++ b/libavformat/sapdec.c @@ -197,6 +197,9 @@ static int sap_fetch_packet(AVFormatContext *s, AVPacket *pkt) struct pollfd p = {fd, POLLIN, 0}; uint8_t recvbuf[RTP_MAX_PACKET_LENGTH]; + if (fd < 0) + return fd; + if (sap->eof) return AVERROR_EOF; From 29d4c0f70dbc9a36780f7aafc9cf4037137505a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:49:08 +0200 Subject: [PATCH 516/562] avformat/sauce: Check avio_size() for failure Fixes: CID1604592 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 759aae590c0298414db4d2925a33b084d7f9e7f9) Signed-off-by: Michael Niedermayer --- libavformat/sauce.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/sauce.c b/libavformat/sauce.c index 5ac9ca9d14..a9ee9697a3 100644 --- a/libavformat/sauce.c +++ b/libavformat/sauce.c @@ -34,7 +34,12 @@ int ff_sauce_read(AVFormatContext *avctx, uint64_t *fsize, int *got_width, int g AVIOContext *pb = avctx->pb; char buf[36]; int datatype, filetype, t1, t2, nb_comments; - uint64_t start_pos = avio_size(pb) - 128; + int64_t start_pos = avio_size(pb); + + if (start_pos < 128) + return AVERROR_INVALIDDATA; + + start_pos -= 128; avio_seek(pb, start_pos, SEEK_SET); if (avio_read(pb, buf, 7) != 7) From a1ef7e86a30e15e42d2318009027e129726071c3 Mon Sep 17 00:00:00 2001 
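Review bot: In libavformat/sapdec.c sap_fetch_packet(), `return fd;` forwards the raw handle value as the error code, and `struct pollfd p = {fd, POLLIN, 0}` is still initialised from it before the check runs. If ffurl_get_file_handle() signals failure with a plain -1 rather than an AVERROR value (its definition is not on this page), callers would read that as AVERROR(EPERM); a fixed code such as `return AVERROR(EIO);` avoids depending on that. The function body continues outside the hunk.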
From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:58:21 +0200 Subject: [PATCH 517/562] avformat/siff: Basic pkt_size check Fixes: half of CID1258461 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 124a97dd8b7636fb52e042b2e85a44cce40ab5e7) Signed-off-by: Michael Niedermayer --- libavformat/siff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/siff.c b/libavformat/siff.c index 99756574b4..423534da64 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c @@ -198,7 +198,10 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->cur_frame >= c->frames) return AVERROR_EOF; if (c->curstrm == -1) { - c->pktsize = avio_rl32(s->pb) - 4; + unsigned pktsize = avio_rl32(s->pb); + if (pktsize < 4) + return AVERROR_INVALIDDATA; + c->pktsize = pktsize - 4; c->flags = avio_rl16(s->pb); if (c->flags & VB_HAS_AUDIO && !c->has_audio) return AVERROR_INVALIDDATA; From 03f12a4c476b173886de9aeb5db4377029146c99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:05:20 +0200 Subject: [PATCH 518/562] avformat/tty: Check avio_size() Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 41745e550a0274571bd9fbfb12b36ff1743d4e9c) Signed-off-by: Michael Niedermayer --- libavformat/tty.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/tty.c b/libavformat/tty.c index fbea3196fa..5a6b641d30 100644 --- a/libavformat/tty.c +++ b/libavformat/tty.c 
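Review bot: In libavformat/siff.c siff_read_packet(), only the lower bound of `pktsize` is checked, so a 32-bit value close to UINT_MAX still yields a `pktsize - 4` that may not fit `c->pktsize`. If `c->pktsize` is a signed `int` (its declaration is outside the hunk), add the upper bound as well: `if (pktsize < 4 || pktsize - 4 > INT_MAX) return AVERROR_INVALIDDATA;`. The commit message itself describes the change as fixing half of the reported issue.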
@@ -122,13 +122,16 @@ static int read_header(AVFormatContext *avctx) s->chars_per_frame = FFMAX(av_q2d(st->time_base)*s->chars_per_frame, 1); if (avctx->pb->seekable & AVIO_SEEKABLE_NORMAL) { - s->fsize = avio_size(avctx->pb); - st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; + int64_t fsize = avio_size(avctx->pb); + if (fsize > 0) { + s->fsize = fsize; + st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; - if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) - efi_read(avctx, s->fsize - 51); + if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) + efi_read(avctx, s->fsize - 51); - avio_seek(avctx->pb, 0, SEEK_SET); + avio_seek(avctx->pb, 0, SEEK_SET); + } } fail: From 5217c7bf7f915216ffb4eab1f5087aecdbb3535f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:53:58 +0200 Subject: [PATCH 519/562] avformat/ty: rec_size seems to only need 32bit May help CID1604560 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit be30913538d4be9a50672ceb683f8745d8aa75a9) Signed-off-by: Michael Niedermayer --- libavformat/ty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ty.c b/libavformat/ty.c index 760dfda54c..a77ea3afd5 100644 --- a/libavformat/ty.c +++ b/libavformat/ty.c @@ -47,7 +47,7 @@ static const uint8_t ty_AC3AudioPacket[] = { 0x00, 0x00, 0x01, 0xbd }; #define CHUNK_PEEK_COUNT 3 /* number of chunks to probe */ typedef struct TyRecHdr { - int64_t rec_size; + int32_t rec_size; uint8_t ex[2]; uint8_t rec_type; uint8_t subrec_type; From 6381da354b269cbe4a42f0861828791748d05411 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:37:54 +0200 Subject: [PATCH 520/562] avformat/xmv: Check this_packet_size Fixes: CID1604489 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 696685df0ccf437083d15f40358a6ec86f5748ac) 
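Review bot: In libavformat/tty.c read_header(), `efi_read(avctx, s->fsize - 51)` still subtracts without a bound: the new `fsize > 0` test admits files shorter than 51 bytes, and `s->fsize` is passed to ff_sauce_read() as a `uint64_t *`, so the subtraction wraps to a very large offset. Guarding the fallback, e.g. `if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0 && s->fsize >= 51)`, keeps the offset inside the file. What efi_read() does with an out-of-range offset is not visible in this hunk.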
Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 4bff63297a..1a8b6903bb 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -219,6 +219,8 @@ static int xmv_read_header(AVFormatContext *s) /* Initialize the packet context */ xmv->next_packet_offset = avio_tell(pb); + if (this_packet_size < xmv->next_packet_offset) + return AVERROR_INVALIDDATA; xmv->next_packet_size = this_packet_size - xmv->next_packet_offset; xmv->stream_count = xmv->audio_track_count + 1; From e1e3ebfc38b83f447969da5c278e219e7d976b85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:55:31 +0200 Subject: [PATCH 521/562] avutil/buffer: Check ff_mutex_init() for failure Fixes: CID1604487 Unchecked return value Fixes: CID1604494 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 82f5b20ff5be4fccbf42f4b90f155db0076c0462) Signed-off-by: Michael Niedermayer --- libavutil/buffer.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavutil/buffer.c b/libavutil/buffer.c index 54590be566..85d2e2b69c 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -264,7 +264,10 @@ AVBufferPool *av_buffer_pool_init2(size_t size, void *opaque, if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->opaque = opaque; @@ -283,7 +286,10 @@ AVBufferPool *av_buffer_pool_init(size_t size, AVBufferRef* (*alloc)(size_t size if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->alloc = alloc ? alloc : av_buffer_alloc; From 62f5e89d775514eb2160f77169e6651caec9bb09 Mon Sep 17 00:00:00 2001 
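Review bot: In libavformat/xmv.c xmv_read_header(), the value compared against `this_packet_size` is the stored `xmv->next_packet_offset`, not the `int64_t` returned by avio_tell(), so a negative (error) result or an offset wider than the field is converted before the check sees it. Holding the position in a local first, `int64_t pos = avio_tell(pb); if (pos < 0 || this_packet_size < pos) return AVERROR_INVALIDDATA;`, keeps the comparison in one signed 64-bit type. The declarations of the field and of `this_packet_size` are outside the hunk, so whether narrowing actually occurs needs confirming.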
From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:04:42 +0200 Subject: [PATCH 522/562] avutil/frame: Check log2_crop_align Fixes: CID1604586 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 15540b3d28676d5e797764a04f6681dcd01736f8) Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/frame.c b/libavutil/frame.c index 4c16488c66..0738057283 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -909,7 +909,7 @@ int av_frame_apply_cropping(AVFrame *frame, int flags) if (log2_crop_align < min_log2_align) return AVERROR_BUG; - if (min_log2_align < 5) { + if (min_log2_align < 5 && log2_crop_align != INT_MAX) { frame->crop_left &= ~((1 << (5 + log2_crop_align - min_log2_align)) - 1); calc_cropping_offsets(offsets, frame, desc); } From f09c9749ace9c377590fd11099cf64635f3598b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:27:34 +0200 Subject: [PATCH 523/562] avutil/slicethread: Check pthread_*_init() for failure Fixes: CID1604383 Unchecked return value Fixes: CID1604439 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 23851c9ee0f231122c58955e795e17cfe8ca5d98) Signed-off-by: Michael Niedermayer --- libavutil/slicethread.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/libavutil/slicethread.c b/libavutil/slicethread.c index ea1c9c8311..00eba666a0 100644 --- a/libavutil/slicethread.c +++ b/libavutil/slicethread.c @@ -100,6 +100,7 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, { AVSliceThread *ctx; int nb_workers, i; + int ret; av_assert0(nb_threads >= 0); if (!nb_threads) { 
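Review bot: In libavutil/frame.c av_frame_apply_cropping(), the added `log2_crop_align != INT_MAX` excludes a single value, but the shift count `5 + log2_crop_align - min_log2_align` is undefined for any result of 31 or more, not only in the INT_MAX case. If INT_MAX is a sentinel and every other value is known to be small (the assignment is outside the hunk), say so in a comment, e.g. `/* INT_MAX: no crop alignment constraint */`; otherwise bound the shift count itself before shifting.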
@@ -133,16 +134,37 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, atomic_init(&ctx->first_job, 0); atomic_init(&ctx->current_job, 0); - pthread_mutex_init(&ctx->done_mutex, NULL); - pthread_cond_init(&ctx->done_cond, NULL); + ret = pthread_mutex_init(&ctx->done_mutex, NULL); + if (ret) { + av_freep(&ctx->workers); + av_freep(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&ctx->done_cond, NULL); + if (ret) { + ctx->nb_threads = main_func ? 0 : 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } ctx->done = 0; for (i = 0; i < nb_workers; i++) { WorkerContext *w = &ctx->workers[i]; int ret; w->ctx = ctx; - pthread_mutex_init(&w->mutex, NULL); - pthread_cond_init(&w->cond, NULL); + ret = pthread_mutex_init(&w->mutex, NULL); + if (ret) { + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&w->cond, NULL); + if (ret) { + pthread_mutex_destroy(&w->mutex); + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } pthread_mutex_lock(&w->mutex); w->done = 0; From 9dbed2ef8342cbbbf82b06aed16d438334173099 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jun 2024 23:17:24 +0200 Subject: [PATCH 524/562] avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices An alternative would be to leave the context unchanged on failure of hls_slice_header() Fixes: out of array access Fixes: NULL pointer dereference Fixes: 69584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5931086299856896 Fixes: 69724/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5104066422702080 Fixes: 70422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5908731129298944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d9544cfb03d8597aa2b0037def3a4679949cec6) 
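Review bot: In libavutil/slicethread.c avpriv_slicethread_create(), the failure path for `pthread_cond_init(&ctx->done_cond, NULL)` hands the context to avpriv_slicethread_free(), which presumably destroys `done_cond` unconditionally; destroying a condition variable whose initialisation failed is undefined. If the free function behaves that way (it is not on this page), this path should unwind by hand like the `done_mutex` one: `pthread_mutex_destroy(&ctx->done_mutex); av_freep(&ctx->workers); av_freep(pctx);`. Separately, the loop body keeps its own `int ret;`, which now shadows the function-level `ret` added in the previous hunk; one of the two declarations can go.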
Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 9bf8a5edaa..3eb08badde 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -628,6 +628,10 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->dependent_slice_segments_enabled_flag) sh->dependent_slice_segment_flag = get_bits1(gb); + if (sh->dependent_slice_segment_flag && !s->slice_initialized) { + av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); + return AVERROR_INVALIDDATA; + } slice_address_length = av_ceil_log2(s->ps.sps->ctb_width * s->ps.sps->ctb_height); @@ -896,9 +900,6 @@ static int hls_slice_header(HEVCContext *s) } else { sh->slice_loop_filter_across_slices_enabled_flag = s->ps.pps->seq_loop_filter_across_slices_enabled_flag; } - } else if (!s->slice_initialized) { - av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); - return AVERROR_INVALIDDATA; } sh->num_entry_point_offsets = 0; @@ -3179,8 +3180,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) case HEVC_NAL_RASL_N: case HEVC_NAL_RASL_R: ret = hls_slice_header(s); - if (ret < 0) + if (ret < 0) { + // hls_slice_header() does not cleanup on failure thus the state now is inconsistant so we cannot use it on depandant slices + s->slice_initialized = 0; return ret; + } if (ret == 1) { ret = AVERROR_INVALIDDATA; goto fail; From 1165dc610ee4a7f6ecb7b102226ea7c000fdcc19 Mon Sep 17 00:00:00 2001 
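Review bot: In libavcodec/hevcdec.c decode_nal_unit(), `s->slice_initialized` is cleared only on the `ret < 0` branch; the `ret == 1` branch that follows also abandons the slice with AVERROR_INVALIDDATA but leaves the flag as hls_slice_header() left it. If hls_slice_header() can return 1 after partly updating the context (its return paths are mostly outside these hunks), that branch needs the same reset. The new comment would also read better as `// hls_slice_header() does not clean up on failure, so the state is inconsistent and must not be used by dependent slices`.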
From: Michael Niedermayer Date: Fri, 19 Jul 2024 17:08:22 +0200 Subject: [PATCH 525/562] avcodec/alsdec: Clear shift_value (the exact issue is unreproducable but the use of uninitialized data is reproducable) Should fix: signed integer overflow: -2147483648 - 127 cannot be represented in type 'int' Should fix: 69881/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-4751301204836352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6194cb87cb81ef97adfa2690e489f473182eaffe) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 2cafce8cb3..9c6d98361b 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -2109,8 +2109,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (sconf->floating) { ctx->acf = av_malloc_array(channels, sizeof(*ctx->acf)); - ctx->shift_value = av_malloc_array(channels, sizeof(*ctx->shift_value)); - ctx->last_shift_value = av_malloc_array(channels, sizeof(*ctx->last_shift_value)); + ctx->shift_value = av_calloc(channels, sizeof(*ctx->shift_value)); + ctx->last_shift_value = av_calloc(channels, sizeof(*ctx->last_shift_value)); ctx->last_acf_mantissa = av_malloc_array(channels, sizeof(*ctx->last_acf_mantissa)); ctx->raw_mantissa = av_calloc(channels, sizeof(*ctx->raw_mantissa)); From 5bc84902162bb14be5bb945320cd1400740e102e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 19:21:41 +0200 Subject: [PATCH 526/562] avcodec/proresdec: Consider negative bits left Fixes: 70036/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6298797647396864 Fixes: shift exponent 40 is too large for 32-bit type 'uint32_t' (aka 'unsigned int') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
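Review bot: In libavcodec/alsdec.c decode_init(), `ctx->acf` and `ctx->last_acf_mantissa` are still allocated with av_malloc_array() right next to the two arrays this hunk zero-initialises. Unless both are always written before they are read (the decode path is outside the hunk), they carry the same uninitialised-read risk the commit message describes. `ctx->acf = av_calloc(channels, sizeof(*ctx->acf));` and the same change for `last_acf_mantissa` would make the group consistent with `raw_mantissa`.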
Signed-off-by: Michael Niedermayer (cherry picked from commit 419eee63565f81aca67b29582297841c59deaab8) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 385ca2fb1c..18c35cee9e 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -516,7 +516,7 @@ static av_always_inline int decode_ac_coeffs(AVCodecContext *avctx, GetBitContex for (pos = block_mask;;) { bits_left = gb->size_in_bits - re_index; - if (!bits_left || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) + if (bits_left <= 0 || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) break; DECODE_CODEWORD(run, run_to_cb[FFMIN(run, 15)], LAST_SKIP_BITS); From 9acf04761d26dcb3f848e4400d30bcc04181c58a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 22:29:15 +0200 Subject: [PATCH 527/562] avcodec/vaapi_encode: Check hwctx Fixes: null pointer dereference Fixes: 70376/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_VAAPI_fuzzer-4733551250046976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3cd077e2820679e8b9f8eb10954b4f5701191c48) Signed-off-by: Michael Niedermayer --- libavcodec/vaapi_encode.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c index 284ce29888..8faa756958 100644 --- a/libavcodec/vaapi_encode.c +++ b/libavcodec/vaapi_encode.c 
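Review bot: In libavcodec/proresdec2.c decode_ac_coeffs(), a negative `bits_left` means the read index is already past the end of the buffer, yet the loop leaves through the same `break` as a normally exhausted block. If the code after the loop returns success (it is outside the hunk), the overread goes unreported; handling it separately, e.g. `if (bits_left < 0) return AVERROR_INVALIDDATA;` before the existing test, would surface damaged input to the caller. The loop body continues past the end of the hunk.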
@@ -2754,12 +2754,14 @@ av_cold int ff_vaapi_encode_close(AVCodecContext *avctx) av_buffer_pool_uninit(&ctx->output_buffer_pool); if (ctx->va_context != VA_INVALID_ID) { - vaDestroyContext(ctx->hwctx->display, ctx->va_context); + if (ctx->hwctx) + vaDestroyContext(ctx->hwctx->display, ctx->va_context); ctx->va_context = VA_INVALID_ID; } if (ctx->va_config != VA_INVALID_ID) { - vaDestroyConfig(ctx->hwctx->display, ctx->va_config); + if (ctx->hwctx) + vaDestroyConfig(ctx->hwctx->display, ctx->va_config); ctx->va_config = VA_INVALID_ID; } From e3c5099ec915b0e825565c4cb62aef7124ed878c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 22:50:00 +0200 Subject: [PATCH 528/562] avcodec/cfhdenc: Allocate more space Fixes: Assertion failure Fixes: 68979/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5375874714107904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a308d79e4dedea11667cb2ad42c6676ce96e8ee1) Signed-off-by: Michael Niedermayer --- libavcodec/cfhdenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cfhdenc.c b/libavcodec/cfhdenc.c index 6b33b29da9..24dbe95a7d 100644 --- a/libavcodec/cfhdenc.c +++ b/libavcodec/cfhdenc.c @@ -547,7 +547,7 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, width, height * 2); } - ret = ff_alloc_packet(avctx, pkt, 64LL + s->planes * (2LL * avctx->width * avctx->height + 1000LL)); + ret = ff_alloc_packet(avctx, pkt, 256LL + s->planes * (4LL * avctx->width * (avctx->height + 15) + 2048LL)); if (ret < 0) return ret; From 2b82e33f4be460e7fa8b2f5ba0e610b671b850d7 Mon Sep 17 00:00:00 2001 
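Review bot: In libavcodec/vaapi_encode.c ff_vaapi_encode_close(), the new `if (ctx->hwctx)` guards skip the destroy calls, but the IDs are still overwritten with VA_INVALID_ID, so a live context or config would be dropped without a trace. If the NULL `hwctx` case only arises when init failed before `va_context`/`va_config` were assigned (which the hunk does not show), the sturdier fix is to set both to VA_INVALID_ID at the very start of init so these branches are never entered. Either way a comment such as `/* hwctx is NULL when init failed early; nothing to destroy */` would document the guard.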
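Review bot: In libavcodec/cfhdenc.c cfhd_encode_frame(), the new packet bound `256LL + s->planes * (4LL * avctx->width * (avctx->height + 15) + 2048LL)` replaces one set of unexplained constants with another. Since the previous estimate was shown to be too small by a fuzzer-found assertion, a comment saying which term covers what, and why the total is a worst case, would let a reader check that this is a true upper bound rather than a larger guess.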
From: Michael Niedermayer Date: Fri, 19 Jul 2024 23:19:52 +0200 Subject: [PATCH 529/562] avcodec/cfhdenc: Height of 16 is not supported Fixes: out of array access Fixes: 68941/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5990952685600768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5dde255abdeb50aefb0dcf8b060277e37d180ec6) Signed-off-by: Michael Niedermayer --- libavcodec/cfhdenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cfhdenc.c b/libavcodec/cfhdenc.c index 24dbe95a7d..b5af44505f 100644 --- a/libavcodec/cfhdenc.c +++ b/libavcodec/cfhdenc.c @@ -258,6 +258,11 @@ static av_cold int cfhd_encode_init(AVCodecContext *avctx) if (ret < 0) return ret; + if (avctx->height < 32) { + av_log(avctx, AV_LOG_ERROR, "Height must be >= 32.\n"); + return AVERROR_INVALIDDATA; + } + if (avctx->width & 15) { av_log(avctx, AV_LOG_ERROR, "Width must be multiple of 16.\n"); return AVERROR_INVALIDDATA; From bf5fd7a5cfaf7230a64e647651207abecb569d33 Mon Sep 17 00:00:00 2001 From: Jens Frederich Date: Mon, 15 Jul 2024 06:51:29 +0000 Subject: [PATCH 530/562] avdevice/dshow: Don't skip audio devices if no video device is present The search of the current DirectShow device list has been customized so that audio devices are always found even if no video device is connected. Signed-off-by: Jens Frederich Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 60b1750134963e8326476c4fbae41cea1772ff5b) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 023c9db052..506b1fe4dc 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c 
@@ -644,7 +644,7 @@ static int dshow_get_device_list(AVFormatContext *avctx, AVDeviceInfoList *devic } ret = dshow_cycle_devices(avctx, devenum, VideoDevice, VideoSourceDevice, NULL, NULL, &device_list); - if (ret < S_OK) + if (ret < S_OK && ret != AVERROR(EIO)) goto error; ret = dshow_cycle_devices(avctx, devenum, AudioDevice, AudioSourceDevice, NULL, NULL, &device_list); From 8fdfc290aeb84df9f8f2d511936c8baf46232345 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Jul 2024 20:30:30 +0200 Subject: [PATCH 531/562] Update for 5.1.6 Signed-off-by: Michael Niedermayer --- Changelog | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 109 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index a4678d783c..81a582e3be 100644 --- a/Changelog +++ b/Changelog 
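Review bot: In libavdevice/dshow.c dshow_get_device_list(), `ret != AVERROR(EIO)` makes every EIO from the video enumeration non-fatal, which presumably covers the case of no video device being present but also hides any other failure that maps to the same code. A comment stating the intent, e.g. `/* EIO here means no video devices; still enumerate audio */`, would record why this one code is tolerated, and the check after the audio call (outside the hunk) should still report the case where both enumerations come back empty. The condition also compares an AVERROR-style value against the HRESULT constant `S_OK`; `ret < 0` would say the same thing in FFmpeg's own terms.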
@@ -1,6 +1,113 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 5.1.6: + avdevice/dshow: Don't skip audio devices if no video device is present + avcodec/cfhdenc: Height of 16 is not supported + avcodec/cfhdenc: Allocate more space + avcodec/vaapi_encode: Check hwctx + avcodec/proresdec: Consider negative bits left + avcodec/alsdec: Clear shift_value + avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices + avutil/slicethread: Check pthread_*_init() for failure + avutil/frame: Check log2_crop_align + avutil/buffer: Check ff_mutex_init() for failure + avformat/xmv: Check this_packet_size + avformat/ty: rec_size seems to only need 32bit + avformat/tty: Check avio_size() + avformat/siff: Basic pkt_size check + avformat/sauce: Check avio_size() for failure + avformat/sapdec: Check ffurl_get_file_handle() for error + avformat/nsvdec: Check asize for PCM + avformat/mp3dec: Check header_filesize + avformat/mp3dec; Check for avio_size() failure + avformat/mov: Use 64bit for str_size + avformat/mm: Check length + avformat/hnm: Check *chunk_size + avformat/hlsenc: Check ret + avformat/bintext: Check avio_size() return + avformat/asfdec_o: Check size of index object + avfilter/vf_scale: Check ff_scale_adjust_dimensions() for failure + avfilter/scale_eval: Use 64bit, check values in ff_scale_adjust_dimensions() + avfilter/vf_lut3d: Check av_scanf() + avfilter/vf_elbg: Use unsigned for shifting into the top bit + avfilter/vf_deshake_opencl: Ensure that the first iteration initializes the best variables + swscale/output: Fix integer overflows in yuv2rgba64_X_c_template + avformat/mxfdec: Reorder elements of expression in bisect loop + avutil/timecode: Use a 64bit framenum internally + avcodec/pnmdec: Use 64bit for input size check + avcodec/mpeg12enc: Use av_rescale() in vbv_buffer_size computation + avcodec/utvideoenc: Use unsigned shift to build flags + avcodec/vc2enc: Fix 
overflows with storing large values + avcodec/mpegvideo_enc: Do not duplicate pictures on shifting + avdevice/dshow_capture: Fix error handling in ff_dshow_##prefix##_Create() + avcodec/tiff: Check value on positive signed targets + avfilter/vf_convolution_opencl: Assert that the filter name is one of the filters + avfilter/vf_bm3d: Dont round MSE2SSE to an integer + avdevice/dshow: Remove NULL check on pin + avdevice/dshow: check ff_dshow_pin_ConnectionMediaType() for failure + avdevice/dshow: Check device_filter_unique_name before use + avdevice/dshow: Cleanup also on av_log case + avdevice/dshow_filter: Use wcscpy_s() + avcodec/flac_parser: Assert that we do not overrun the link_penalty array + avcodec/pixlet: Simplify pfx computation + avcodec/motion_est: Fix score squaring overflow + avcodec/loco: Check loco_get_rice() for failure + avcodec/loco: check get_ur_golomb_jpegls() for failure + avcodec/imm4: check cbphi for error + avcodec/iff: Use signed count + avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() + avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() + avcodec/dxv: Fix type in get_opcodes() + avcodec/cri: Check length + avcodec/xsubdec: Check parse_timecode() + avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit + doc/examples/mux: remove nop + avcodec/proresenc_kostya: use unsigned alpha for rotation + avformat/rtpenc_rfc4175: Use 64bit in computation if copy_offset + avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly + avformat/rmdec: use 64bit for audio_framesize checks + avutil/wchar_filename: Correct sizeof + avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 + avutil/hwcontext_d3d11va: Free AVD3D11FrameDescriptor on error + avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor + doc/examples/vaapi_encode: Try to check fwrite() for failure + avformat/tls_schannel: Initialize ret + avformat/subfile: Assert that whence is a known 
case + avformat/subfile: Merge if into switch() + avformat/rtsp: Check that lower transport is handled in one of the if() + avformat/rtsp: initialize reply1 + avformat/rtsp: use < 0 for error check + avformat/rtpenc_vc2hq: Check sizes + avfilter/af_aderivative: Free out on error + swscale/swscale: Use ptrdiff_t for linesize computations + avfilter/af_pan: check nb_output_channels before use + cbs_av1: Reject thirty-two zero bits in uvlc code + avfilter/af_mcompand: compute half frequency in double + avfilter/af_channelsplit: Assert that av_channel_layout_channel_from_index() succeeds + avfilter/af_aresample: Cleanup on av_channel_layout_copy() failure + tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() + avfilter/vf_avgblur: Check plane instead of AVFrame + avfilter/drawutils: Fix depthb computation + avformat/rdt: Check pkt_len + avformat/mpeg: Check len in mpegps_probe() + avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure + avcodec/mfenc: check IMFSample_ConvertToContiguousBuffer() for failure + avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter() + avformat/img2dec: assert no pipe on ts_from_file + avcodec/cbs_jpeg: Try to move the read entity to one side in a test + avformat/mov: Check edit list for overflow + fftools/ffmpeg: Check read() for failure + swscale/output: Avoid undefined overflow in yuv2rgb_write_full() + swscale/output: alpha can become negative after scaling, use multiply + avcodec/targaenc: Allocate space for the palette + avcodec/r210enc: Use av_rescale for bitrate + avcodec/jfdctint_template: Fewer integer anomalies + avcodec/snowenc: MV limits due to mv_penalty table size + avformat/mxfdec: Check container_ul->desc before use + MAINTAINERS: Update the entries for the release maintainer for FFmpeg + version 5.1.5: doc/developer: Provide information about git send-email and gmail avfilter/vf_rotate: Check ff_draw_init2() return value 
diff --git a/RELEASE b/RELEASE index 220d8e0a46..8710cfdff2 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -5.1.5 +5.1.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index ec29ac805b..7231a696e5 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 5.1.5 +PROJECT_NUMBER = 5.1.6 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From a937b3c58babae893fb46b286a4792cd24a01d3d Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 8 Sep 2022 19:43:03 -0300 Subject: [PATCH 532/562] swsresample/swresample: error out on invalid layouts If it's unsupported or invalid, then there's no point trying to rebuild it using a value that may have been derived from the same layout to begin with. Move the checks before the attempts at copying the layout while at it. Fixes ticket #9908. Signed-off-by: James Almer Fixes: out of array acces Fixes: poc5 Fixes: poc6 Reported-by: VulDB CNA Team Found-by: CookedMelon Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 48 +++++++++++++++++++++++++------------- 1 file changed, 32 insertions(+), 16 deletions(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 601e691596..5f293c16b6 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -227,7 +227,7 @@ av_cold int swr_init(struct SwrContext *s){ s->in_ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; s->in_ch_layout.nb_channels = s->user_in_ch_count; } - } else + } else if (av_channel_layout_check(&s->user_in_chlayout)) av_channel_layout_copy(&s->in_ch_layout, &s->user_in_chlayout); if ((s->user_out_ch_count && s->user_out_ch_count != s->user_out_chlayout.nb_channels) || 
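Review bot: The result of `av_channel_layout_copy()` is discarded in the new `else if (av_channel_layout_check(&s->user_in_chlayout))` branch of swr_init(), and the matching output branch at the top of the next hunk does the same, while the `#else` path in this same commit collects it in `ret` and bails out on `ret < 0`. A failed copy would then surface, if at all, only through the validity check added further down, and be reported as EINVAL rather than the original error. Checking it in place keeps the two paths consistent: `else if (av_channel_layout_check(&s->user_in_chlayout) && (ret = av_channel_layout_copy(&s->in_ch_layout, &s->user_in_chlayout)) < 0) return ret;`. swr_init() starts and ends outside the hunk.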
@@ -240,17 +240,45 @@ av_cold int swr_init(struct SwrContext *s){ s->out_ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; s->out_ch_layout.nb_channels = s->user_out_ch_count; } - } else + } else if (av_channel_layout_check(&s->user_out_chlayout)) av_channel_layout_copy(&s->out_ch_layout, &s->user_out_chlayout); if (!s->out.ch_count && !s->user_out_ch_layout) s->out.ch_count = s->out_ch_layout.nb_channels; if (!s-> in.ch_count && !s-> user_in_ch_layout) s-> in.ch_count = s->in_ch_layout.nb_channels; + + if (!(ret = av_channel_layout_check(&s->in_ch_layout)) || s->in_ch_layout.nb_channels > SWR_CH_MAX) { + if (ret) + av_channel_layout_describe(&s->in_ch_layout, l1, sizeof(l1)); + av_log(s, AV_LOG_WARNING, "Input channel layout \"%s\" is invalid or unsupported.\n", ret ? l1 : ""); + return AVERROR(EINVAL); + } + + if (!(ret = av_channel_layout_check(&s->out_ch_layout)) || s->out_ch_layout.nb_channels > SWR_CH_MAX) { + if (ret) + av_channel_layout_describe(&s->out_ch_layout, l2, sizeof(l2)); + av_log(s, AV_LOG_WARNING, "Output channel layout \"%s\" is invalid or unsupported.\n", ret ? l2 : ""); + return AVERROR(EINVAL); + } #else s->out.ch_count = s-> user_out_chlayout.nb_channels; s-> in.ch_count = s-> user_in_chlayout.nb_channels; + if (!(ret = av_channel_layout_check(&s->user_in_chlayout)) || s->user_in_chlayout.nb_channels > SWR_CH_MAX) { + if (ret) + av_channel_layout_describe(&s->user_in_chlayout, l1, sizeof(l1)); + av_log(s, AV_LOG_WARNING, "Input channel layout \"%s\" is invalid or unsupported.\n", ret ? l1 : ""); + return AVERROR(EINVAL); + } + + if (!(ret = av_channel_layout_check(&s->user_out_chlayout)) || s->user_out_chlayout.nb_channels > SWR_CH_MAX) { + if (ret) + av_channel_layout_describe(&s->user_out_chlayout, l2, sizeof(l2)); + av_log(s, AV_LOG_WARNING, "Output channel layout \"%s\" is invalid or unsupported.\n", ret ? 
l2 : ""); + return AVERROR(EINVAL); + } + ret = av_channel_layout_copy(&s->in_ch_layout, &s->user_in_chlayout); ret |= av_channel_layout_copy(&s->out_ch_layout, &s->user_out_chlayout); if (ret < 0) @@ -261,18 +289,6 @@ av_cold int swr_init(struct SwrContext *s){ s->dither.method = s->user_dither_method; - if (!av_channel_layout_check(&s->in_ch_layout) || s->in_ch_layout.nb_channels > SWR_CH_MAX) { - av_channel_layout_describe(&s->in_ch_layout, l1, sizeof(l1)); - av_log(s, AV_LOG_WARNING, "Input channel layout \"%s\" is invalid or unsupported.\n", l1); - av_channel_layout_uninit(&s->in_ch_layout); - } - - if (!av_channel_layout_check(&s->out_ch_layout) || s->out_ch_layout.nb_channels > SWR_CH_MAX) { - av_channel_layout_describe(&s->out_ch_layout, l2, sizeof(l2)); - av_log(s, AV_LOG_WARNING, "Output channel layout \"%s\" is invalid or unsupported.\n", l2); - av_channel_layout_uninit(&s->out_ch_layout); - } - switch(s->engine){ #if CONFIG_LIBSOXR case SWR_ENGINE_SOXR: s->resampler = &swri_soxr_resampler; break; @@ -291,9 +307,9 @@ av_cold int swr_init(struct SwrContext *s){ av_channel_layout_uninit(&s->in_ch_layout); } - if (!s->in_ch_layout.nb_channels || s->in_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC) + if (s->in_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC) av_channel_layout_default(&s->in_ch_layout, s->used_ch_count); - if (!s->out_ch_layout.nb_channels || s->out_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC) + if (s->out_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC) av_channel_layout_default(&s->out_ch_layout, s->out.ch_count); s->rematrix = av_channel_layout_compare(&s->out_ch_layout, &s->in_ch_layout) || From 999c1619f9ddd01e8e907887f7eb0f338d451c39 Mon Sep 17 00:00:00 2001 
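Review bot: The four added validity checks log at `AV_LOG_WARNING` and then `return AVERROR(EINVAL)`, so the only message that explains a hard init failure is invisible to callers running at the error log level. Since the layout is no longer repaired and initialisation stops, `AV_LOG_ERROR` matches what actually happens: `av_log(s, AV_LOG_ERROR, "Input channel layout \"%s\" is invalid or unsupported.\n", ret ? l1 : "");`, and likewise for the three siblings. The four blocks differ only in the layout pointer, the description buffer and the word Input/Output, so a small static helper would remove the repetition. swr_init() continues outside the hunk.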
From: Michael Niedermayer Date: Mon, 17 Jun 2024 13:31:02 +0200 Subject: [PATCH 533/562] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow The snow encoder uses block based motion estimation which can read out of array if insufficient alignment is used It may be better to only apply this for the encoder, as it would safe a few bytes of memory for the decoder. Until then, this fixes the issue in a simple way. Fixes: out of array access Fixes: 68963/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4979988435632128 Fixes: 68969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6239933667803136.fuzz Fixed: 70497/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5751882631413760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58fbeb59e74ac9a4ca81e9bc44141abcbff8ab6d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index a0c5eb4808..6efe4b24fa 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -255,6 +255,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, if (s->codec_id == AV_CODEC_ID_SVQ1) { w_align = 64; h_align = 64; + } else if (s->codec_id == AV_CODEC_ID_SNOW) { + w_align = 16; + h_align = 16; } break; case AV_PIX_FMT_RGB555: From 8c689f4d0cfaedefed98841a6dabae67341cf98d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jul 2024 21:43:39 +0200 Subject: [PATCH 534/562] avcodec/snow: Fix off by 1 error in run_buffer Fixes: out of array access Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06f5ed40f8fceb2542add052c57608121eda2f41) 
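Review bot: The new `AV_CODEC_ID_SNOW` branch sets 16-pixel alignment with no comment, while the reason exists only in the commit message (snow's block-based motion estimation can read out of the array with less alignment). A comment on the branch, e.g. `/* snow motion estimation reads whole blocks; needs the same alignment as YUV420 */`, would stop it from being removed later as redundant. The commit message also says the alignment is only needed by the encoder, and recording that in the same comment keeps the follow-up visible. The enclosing switch in avcodec_align_dimensions2() starts and ends outside the hunk.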
Signed-off-by: Michael Niedermayer --- libavcodec/snow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snow.c b/libavcodec/snow.c index 293a0eb7d9..8a19578aad 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -492,7 +492,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){ !FF_ALLOCZ_TYPED_ARRAY(s->spatial_dwt_buffer, width * height) || //FIXME this does not belong here !FF_ALLOCZ_TYPED_ARRAY(s->temp_dwt_buffer, width) || !FF_ALLOCZ_TYPED_ARRAY(s->temp_idwt_buffer, width) || - !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1))) + !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1) + 1)) return AVERROR(ENOMEM); for(i=0; i Date: Mon, 5 Aug 2024 00:41:32 +0200 Subject: [PATCH 535/562] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog b/Changelog index 81a582e3be..827c7b384d 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,10 @@ releases are sorted from youngest to oldest. version 5.1.6: + avcodec/snow: Fix off by 1 error in run_buffer + avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow + swsresample/swresample: error out on invalid layouts + Update for 5.1.6 avdevice/dshow: Don't skip audio devices if no video device is present avcodec/cfhdenc: Height of 16 is not supported avcodec/cfhdenc: Allocate more space From e466f0dbade0df5fab6cd4abf69f13d114dfd2fc Mon Sep 17 00:00:00 2001 
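Review bot: The extra element in `((width + 1) >> 1) * ((height + 1) >> 1) + 1` is a bare `+ 1` with nothing saying which access needs it, which makes the fix easy to undo or to copy wrongly elsewhere. A trailing comment such as `/* +1: <name the run_buffer write that lands one past the last coefficient run> */` would document the invariant, with the placeholder filled in by the author. The product is also evaluated before it reaches the allocator, presumably in `int`, so it relies on width and height having been bounded earlier. That bound is not visible here, and ff_snow_common_init() continues outside the hunk.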
From: Ross Burton Date: Fri, 9 Aug 2024 11:32:00 +0100 Subject: [PATCH 536/562] libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit binutils 2.43 has stricter validation for labels[1] and results in errors when building ffmpeg for armv5: src/libavcodec/arm/mlpdsp_armv5te.S:232: Error: junk at end of line, first unrecognized character is `0' Remove the leading zero in the "01" label to resolve this error. [1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=226749d5a6ff0d5c607d6428d6c81e1e7e7a994b Signed-off-by: Ross Burton Signed-off-by: Martin Storsjö (cherry picked from commit 654bd47716c4f36719fb0f3f7fd8386d5ed0b916) --- libavcodec/arm/mlpdsp_armv5te.S | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/mlpdsp_armv5te.S b/libavcodec/arm/mlpdsp_armv5te.S index 4f9aa485fd..d31568611c 100644 --- a/libavcodec/arm/mlpdsp_armv5te.S +++ b/libavcodec/arm/mlpdsp_armv5te.S @@ -229,7 +229,7 @@ A .endif .endif // Begin loop -01: +1: .if TOTAL_TAPS == 0 // Things simplify a lot in this case // In fact this could be pipelined further if it's worth it... @@ -241,7 +241,7 @@ A .endif str ST0, [PST, #-4]! str ST0, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST0, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .else .if \fir_taps & 1 .set LOAD_REG, 1 @@ -333,7 +333,7 @@ T orr AC0, AC0, AC1 str ST3, [PST, #-4]! str ST2, [PST, #4 * (MAX_BLOCKSIZE + MAX_FIR_ORDER)] str ST3, [PSAMP], #4 * MAX_CHANNELS - bne 01b + bne 1b .endif b 99f From 0e8b267a97eeeb201d1d9050101cdbc2211f0277 Mon Sep 17 00:00:00 2001 
From: Timo Rothenpieler Date: Fri, 16 Aug 2024 02:01:12 +0200 Subject: [PATCH 537/562] avformat/hlsenc: correctly reset subtitle stream counter per-varstream Without resetting it, if there was a previous set of varstreams with subtitles, it would subtract from all the streams, leading to chaos and segfaults when trying to access for example stream -1. --- libavformat/hlsenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index e9ee533e68..dcf66315a3 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -2412,7 +2412,6 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) int is_ref_pkt = 1; int ret = 0, can_split = 1, i, j; int stream_index = 0; - int subtitle_streams = 0; int range_length = 0; const char *proto = NULL; int use_temp_file = 0; @@ -2420,6 +2419,7 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) char *old_filename = NULL; for (i = 0; i < hls->nb_varstreams; i++) { + int subtitle_streams = 0; vs = &hls->var_streams[i]; for (j = 0; j < vs->nb_streams; j++) { if (vs->streams[j]->codecpar->codec_type == AVMEDIA_TYPE_SUBTITLE) { From 12e308b66d1d4965ebe1186b8a85d6675f7a7104 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sat, 17 Jun 2023 18:48:38 -0400 Subject: [PATCH 538/562] configure: use just the pkg-config for sndio Signed-off-by: Michael Niedermayer (cherry picked from commit f6d846459043786eb859ff1c95af30e6fbc2d0e4) Signed-off-by: Brad Smith --- configure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/configure b/configure index 39a5bb8b7d..8b0e7da6c6 100755 --- a/configure +++ b/configure 
@@ -6851,8 +6851,7 @@ enabled alsa && { check_pkg_config alsa alsa "alsa/asoundlib.h" snd_pcm_htimesta enabled libjack && require_pkg_config libjack jack jack/jack.h jack_port_get_latency_range -enabled sndio && { check_pkg_config sndio sndio "sndio.h" sio_open || - check_lib sndio sndio.h sio_open -lsndio; } +enabled sndio && check_pkg_config sndio sndio sndio.h sio_open if enabled libcdio; then check_pkg_config libcdio libcdio_paranoia "cdio/cdda.h cdio/paranoia.h" cdio_cddap_open || From df5a848c838116514b979b918600bdb7137db51d Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Wed, 3 Jul 2024 00:30:08 +0200 Subject: [PATCH 539/562] configure: restore autodetection of v4l2 and fbdev The detection logic for v4l2 and fbdev was accidentally modified to depend on v4l2-m2m in 43b3412. (cherry picked from commit 7405f1ad5351cc24b91a0227aeeaf24ff9d12278) Signed-off-by: Brad Smith --- configure | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/configure b/configure index 8b0e7da6c6..98ea555261 100755 --- a/configure +++ b/configure 
@@ -6802,11 +6802,12 @@ pod2man --help > /dev/null 2>&1 && enable pod2man || disable pod2man rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || disable rsync_contimeout xmllint --version > /dev/null 2>&1 && enable xmllint || disable xmllint +check_headers linux/fb.h +check_headers linux/videodev2.h +test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete + # check V4L2 codecs available in the API if enabled v4l2_m2m; then - check_headers linux/fb.h - check_headers linux/videodev2.h - test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete check_cc v4l2_m2m linux/videodev2.h "int i = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_VIDEO_M2M | V4L2_BUF_FLAG_LAST;" check_cc vc1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_VC1_ANNEX_G;" check_cc mpeg1_v4l2_m2m linux/videodev2.h "int i = V4L2_PIX_FMT_MPEG1;" From ed09f5609706ec17b3f33935b0737d2ec3e8bed6 Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Thu, 29 Aug 2024 15:40:00 +0200 Subject: [PATCH 540/562] configure: improve check for POSIX ioctl Instead of relying on system #ifdefs which may or may not be correct, detect the POSIX ioctl signature at configure time. (cherry picked from commit 00b64fca55a3a009c9d0e391c85f4fd3291e5d12) Signed-off-by: Brad Smith --- configure | 2 ++ libavdevice/v4l2.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 98ea555261..399a508189 100755 --- a/configure +++ b/configure @@ -2415,6 +2415,7 @@ HAVE_LIST=" opencl_vaapi_intel_media perl pod2man + posix_ioctl texi2html xmllint zlib_gzip 
@@ -6805,6 +6806,7 @@ xmllint --version > /dev/null 2>&1 && enable xmllint || disable xmllint check_headers linux/fb.h check_headers linux/videodev2.h test_code cc linux/videodev2.h "struct v4l2_frmsizeenum vfse; vfse.discrete.width = 0;" && enable_sanitized struct_v4l2_frmivalenum_discrete +test_code cc sys/ioctl.h "int ioctl(int, int, ...)" && enable posix_ioctl # check V4L2 codecs available in the API if enabled v4l2_m2m; then diff --git a/libavdevice/v4l2.c b/libavdevice/v4l2.c index c880e6a4a9..281e99738e 100644 --- a/libavdevice/v4l2.c +++ b/libavdevice/v4l2.c @@ -106,7 +106,7 @@ struct video_data { int (*open_f)(const char *file, int oflag, ...); int (*close_f)(int fd); int (*dup_f)(int fd); -#if defined(__sun) || defined(__BIONIC__) || defined(__musl__) /* POSIX-like */ +#if HAVE_POSIX_IOCTL int (*ioctl_f)(int fd, int request, ...); #else int (*ioctl_f)(int fd, unsigned long int request, ...); From 17e84a454e5e20106155774d8fb17f424c4dc78e Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 26 Aug 2024 23:07:35 +0200 Subject: [PATCH 541/562] avformat/libzmq: fix check for zmq protocol prefix Fixes ticket #11134. Signed-off-by: Marton Balint (cherry picked from commit a87a96105e9150dba07e3a660e41f78557f3356c) --- libavformat/libzmq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/libzmq.c b/libavformat/libzmq.c index f4bb849e46..da84efee73 100644 --- a/libavformat/libzmq.c +++ b/libavformat/libzmq.c @@ -94,7 +94,7 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) return AVERROR_EXTERNAL; } - if (av_strstart(uri, "zmq:", &uri)) { + if (!av_strstart(uri, "zmq:", &uri)) { av_log(h, AV_LOG_ERROR, "URL %s lacks prefix\n", uri); return AVERROR(EINVAL); } From 4ce4ecc19c49416054572989ef62e51c2bb5ee8b Mon Sep 17 00:00:00 2001 
From: Gyan Doshi Date: Sun, 11 Aug 2024 12:51:50 +0530 Subject: [PATCH 542/562] lavc/libx265: unbreak build for X265_BUILD >= 210 x265 added support for alpha starting with build 210. While doing so, x265_encoder_encode() changed its fifth arg to an array of pointers to x265_picture. This broke building lavc/libx265.c This patch simply unbreaks the build and maintains existing single-layer non-alpha encoding support. Fixes #11130 --- libavcodec/libx265.c | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/libavcodec/libx265.c b/libavcodec/libx265.c index f68ecb3092..5443c765da 100644 --- a/libavcodec/libx265.c +++ b/libavcodec/libx265.c @@ -504,7 +504,13 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, { libx265Context *ctx = avctx->priv_data; x265_picture x265pic; - x265_picture x265pic_out = { 0 }; +#if X265_BUILD >= 210 + x265_picture x265pic_layers_out[MAX_SCALABLE_LAYERS]; + x265_picture* x265pic_lyrptr_out[MAX_SCALABLE_LAYERS]; +#else + x265_picture x265pic_solo_out = { 0 }; +#endif + x265_picture* x265pic_out; x265_nal *nal; uint8_t *dst; int pict_type; @@ -575,8 +581,16 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } } +#if X265_BUILD >= 210 + for (i = 0; i < MAX_SCALABLE_LAYERS; i++) + x265pic_lyrptr_out[i] = &x265pic_layers_out[i]; + ret = ctx->api->encoder_encode(ctx->encoder, &nal, &nnal, - pic ? &x265pic : NULL, &x265pic_out); + pic ? &x265pic : NULL, x265pic_lyrptr_out); +#else + ret = ctx->api->encoder_encode(ctx->encoder, &nal, &nnal, + pic ? &x265pic : NULL, &x265pic_solo_out); +#endif av_freep(&x265pic.quantOffsets); 
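Review bot: In the `X265_BUILD >= 210` branch `x265pic_layers_out[MAX_SCALABLE_LAYERS]` is declared without an initializer, whereas the picture it replaces was `{ 0 }` and the `#else` variant `x265pic_solo_out` still is. The later hunks read `pts`, `dts`, `sliceType`, `frameData.qp` and `userData` through `x265pic_lyrptr_out[0]` and pass `userData` to `av_freep()`, so any field the library leaves untouched would be read from indeterminate stack memory. Zeroing the array restores the old guarantee: `x265_picture x265pic_layers_out[MAX_SCALABLE_LAYERS] = { 0 };`. Whether the encoder always fills layer 0 before these reads cannot be determined from the hunks, since the body of libx265_encode_frame() between them is not shown.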
@@ -604,10 +618,16 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, pkt->flags |= AV_PKT_FLAG_KEY; } - pkt->pts = x265pic_out.pts; - pkt->dts = x265pic_out.dts; +#if X265_BUILD >= 210 + x265pic_out = x265pic_lyrptr_out[0]; +#else + x265pic_out = &x265pic_solo_out; +#endif - switch (x265pic_out.sliceType) { + pkt->pts = x265pic_out->pts; + pkt->dts = x265pic_out->dts; + + switch (x265pic_out->sliceType) { case X265_TYPE_IDR: case X265_TYPE_I: pict_type = AV_PICTURE_TYPE_I; @@ -625,17 +645,17 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } #if X265_BUILD >= 130 - if (x265pic_out.sliceType == X265_TYPE_B) + if (x265pic_out->sliceType == X265_TYPE_B) #else - if (x265pic_out.frameData.sliceType == 'b') + if (x265pic_out->frameData.sliceType == 'b') #endif pkt->flags |= AV_PKT_FLAG_DISPOSABLE; - ff_side_data_set_encoder_stats(pkt, x265pic_out.frameData.qp * FF_QP2LAMBDA, NULL, 0, pict_type); + ff_side_data_set_encoder_stats(pkt, x265pic_out->frameData.qp * FF_QP2LAMBDA, NULL, 0, pict_type); - if (x265pic_out.userData) { - memcpy(&avctx->reordered_opaque, x265pic_out.userData, sizeof(avctx->reordered_opaque)); - av_freep(&x265pic_out.userData); + if (x265pic_out->userData) { + memcpy(&avctx->reordered_opaque, x265pic_out->userData, sizeof(avctx->reordered_opaque)); + av_freep(&x265pic_out->userData); } else avctx->reordered_opaque = 0; From 768807492dd60671582b6f7829de8f8e5e9e6869 Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Sat, 5 Oct 2024 10:08:31 +0530 Subject: [PATCH 543/562] avcodec/libx265: unbreak build for X265_BUILD >= 213 Earlier, x265 made an API change to support alpha and other multiple layer pictures. We added guards to accommodate that in 1f801dfdb5 They have now reverted that API change in https://bitbucket.org/multicoreware/x265_git/commits/78e5b703b1 Updated our wrapper guards to unbreak build again. --- libavcodec/libx265.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/libavcodec/libx265.c b/libavcodec/libx265.c index 5443c765da..8c8391171e 100644 --- a/libavcodec/libx265.c +++ b/libavcodec/libx265.c @@ -504,7 +504,7 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, { libx265Context *ctx = avctx->priv_data; x265_picture x265pic; -#if X265_BUILD >= 210 +#if (X265_BUILD >= 210) && (X265_BUILD < 213) x265_picture x265pic_layers_out[MAX_SCALABLE_LAYERS]; x265_picture* x265pic_lyrptr_out[MAX_SCALABLE_LAYERS]; #else @@ -581,7 +581,7 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } } -#if X265_BUILD >= 210 +#if (X265_BUILD >= 210) && (X265_BUILD < 213) for (i = 0; i < MAX_SCALABLE_LAYERS; i++) x265pic_lyrptr_out[i] = &x265pic_layers_out[i]; @@ -618,7 +618,7 @@ static int libx265_encode_frame(AVCodecContext *avctx, AVPacket *pkt, pkt->flags |= AV_PKT_FLAG_KEY; } -#if X265_BUILD >= 210 +#if (X265_BUILD >= 210) && (X265_BUILD < 213) x265pic_out = x265pic_lyrptr_out[0]; #else x265pic_out = &x265pic_solo_out; From dcdfd7fb62464beeeb03c24f21713bf3914b9ea4 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 22 Oct 2024 19:49:16 +0200 Subject: [PATCH 544/562] avutil/wchar_filename: re-introduce explicit cast of void* to char* Fixes compile error on windows with decklink: In file included from ./libavformat/os_support.h:175, from ./libavformat/internal.h:30, from libavdevice/decklink_common.cpp:25: ./libavutil/wchar_filename.h: In function 'int wchartocp(unsigned int, const wchar_t*, char**)': ./libavutil/wchar_filename.h:59:32: error: invalid conversion from 'void*' to 'char*' [-fpermissive] 59 | *filename = av_malloc_array(num_chars, sizeof **filename); | ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | void* Regression since e9e8bea2e79bc3c481a6f81f75f6c871e3e0f367. Fixes ticket #11103. Signed-off-by: Marton Balint (cherry picked from commit 9b0128aa766221f8a32e13cf3c1d3e6d75a2d829) --- libavutil/wchar_filename.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
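Review bot: The version window `(X265_BUILD >= 210) && (X265_BUILD < 213)` is now spelled out three times in libx265_encode_frame(), and the three sites must stay identical for the declarations, the encode call and the `x265pic_out` assignment to agree. Defining it once near the includes, for example `#define X265_MULTILAYER_OUT ((X265_BUILD >= 210) && (X265_BUILD < 213))` (name is only a suggestion), and using `#if X265_MULTILAYER_OUT` at each site removes the chance of one guard drifting on the next API change. A short comment on the define saying that builds 210 to 212 take an array of output picture pointers would carry the reason that is currently only in the commit message.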
diff --git a/libavutil/wchar_filename.h b/libavutil/wchar_filename.h index 70194a035c..942dc56778 100644 --- a/libavutil/wchar_filename.h +++ b/libavutil/wchar_filename.h @@ -56,7 +56,7 @@ static inline int wchartocp(unsigned int code_page, const wchar_t *filename_w, errno = EINVAL; return -1; } - *filename = av_malloc_array(num_chars, sizeof **filename); + *filename = (char *)av_malloc_array(num_chars, sizeof **filename); if (!*filename) { errno = ENOMEM; return -1; From ff0f25a1546f434f8bfddfed150ea6fa60d62d93 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sun, 3 Nov 2024 22:32:51 +0100 Subject: [PATCH 545/562] avfilter/f_loop: fix length of aloop leftover buffer If the audio loop stops inside an audio frame, the leftover buffer contains the end of the frame, which is not looped. The length supposed to be the part which was not written to the loop buffer, so we need to drain exactly that number of bytes from the leftover buffer. Signed-off-by: Marton Balint (cherry picked from commit b33a59416072ad31a5840f33f9975d88acf45add) --- libavfilter/f_loop.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavfilter/f_loop.c b/libavfilter/f_loop.c index 672aa4c8f7..b228a93137 100644 --- a/libavfilter/f_loop.c +++ b/libavfilter/f_loop.c @@ -150,14 +150,13 @@ static int afilter_frame(AVFilterLink *inlink, AVFrame *frame) s->pts += av_rescale_q(s->start - s->ignored_samples, (AVRational){1, outlink->sample_rate}, outlink->time_base); } s->nb_samples += ret - drain; - drain = frame->nb_samples - written; - if (s->nb_samples == s->size && drain > 0) { + if (s->nb_samples == s->size && frame->nb_samples > written) { int ret2; ret2 = av_audio_fifo_write(s->left, (void **)frame->extended_data, frame->nb_samples); if (ret2 < 0) return ret2; - av_audio_fifo_drain(s->left, drain); + av_audio_fifo_drain(s->left, written); } frame->nb_samples = ret; s->pts += av_rescale_q(ret, (AVRational){1, outlink->sample_rate}, outlink->time_base); 
From cde3c5fc0c61281b4ee1e175a0ab0f367f297bf4 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 4 Nov 2024 00:43:06 +0100 Subject: [PATCH 546/562] avfilter/f_loop: fix aloop activate logic The logic did not follow the documented behaviour and that caused skipping of some audio in the loop and in the leftover buffer. Example command line which should produce a smooth sine wave for the whole duration of the output: ffmpeg -f lavfi -i "sine=r=48000:f=480:d=4" -af "aloop=loop=4:start=48000:size=48000" out.wav Fixes ticket #11283. Signed-off-by: Marton Balint (cherry picked from commit fe18ed3f2a9221af0beaec7b04b7804849db1f2f) --- libavfilter/f_loop.c | 66 +++++++++++++++++++------------------------- 1 file changed, 28 insertions(+), 38 deletions(-) diff --git a/libavfilter/f_loop.c b/libavfilter/f_loop.c index b228a93137..08bca6a20d 100644 --- a/libavfilter/f_loop.c +++ b/libavfilter/f_loop.c @@ -21,6 +21,7 @@ #include "config_components.h" #include "libavutil/audio_fifo.h" +#include "libavutil/avassert.h" #include "libavutil/fifo.h" #include "libavutil/internal.h" #include "libavutil/opt.h" @@ -90,7 +91,7 @@ static av_cold void auninit(AVFilterContext *ctx) av_audio_fifo_free(s->left); } -static int push_samples(AVFilterContext *ctx, int nb_samples) +static int push_samples(AVFilterContext *ctx, int nb_samples, AVFrame **frame) { AVFilterLink *outlink = ctx->outputs[0]; LoopContext *s = ctx->priv; @@ -112,9 +113,7 @@ static int push_samples(AVFilterContext *ctx, int nb_samples) i += out->nb_samples; s->current_sample += out->nb_samples; - ret = ff_filter_frame(outlink, out); - if (ret < 0) - return ret; + *frame = out; if (s->current_sample >= s->nb_samples) { s->duration = s->pts; @@ -123,6 +122,8 @@ static int push_samples(AVFilterContext *ctx, int nb_samples) if (s->loop > 0) s->loop--; } + + return 0; } return ret; 
@@ -162,10 +163,7 @@ static int afilter_frame(AVFilterLink *inlink, AVFrame *frame) s->pts += av_rescale_q(ret, (AVRational){1, outlink->sample_rate}, outlink->time_base); ret = ff_filter_frame(outlink, frame); } else { - int nb_samples = frame->nb_samples; - - av_frame_free(&frame); - ret = push_samples(ctx, nb_samples); + av_assert0(0); } } else { s->ignored_samples += frame->nb_samples; @@ -177,7 +175,7 @@ static int afilter_frame(AVFilterLink *inlink, AVFrame *frame) return ret; } -static int arequest_frame(AVFilterLink *outlink) +static int arequest_frame(AVFilterLink *outlink, AVFrame **frame) { AVFilterContext *ctx = outlink->src; LoopContext *s = ctx->priv; @@ -197,17 +195,11 @@ static int arequest_frame(AVFilterLink *outlink) av_audio_fifo_read(s->left, (void **)out->extended_data, nb_samples); out->pts = s->pts; s->pts += av_rescale_q(nb_samples, (AVRational){1, outlink->sample_rate}, outlink->time_base); - ret = ff_filter_frame(outlink, out); - if (ret < 0) - return ret; + *frame = out; } - ret = ff_request_frame(ctx->inputs[0]); + return 0; } else { - ret = push_samples(ctx, 1024); - } - - if (s->eof && s->nb_samples > 0 && s->loop != 0) { - ret = push_samples(ctx, 1024); + ret = push_samples(ctx, 1024, frame); } return ret; 
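Review bot: The `else` branch in afilter_frame now consists of `av_assert0(0)`, which aborts the whole process if the branch is ever reached and no longer frees `frame` on that path. Whether the branch is unreachable depends on the enclosing condition and on the call order in aactivate, both outside this hunk, so the invariant should be written as a comment next to the assert. For library code a recoverable failure is the safer choice, for example `av_frame_free(&frame); ret = AVERROR_BUG;`, which keeps frame ownership clear and lets the caller see the error. afilter_frame starts and ends outside the hunk.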
@@ -224,33 +216,31 @@ static int aactivate(AVFilterContext *ctx) FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink); - if (!s->eof && (s->nb_samples < s->size || !s->loop || !s->size)) { - ret = ff_inlink_consume_frame(inlink, &frame); - if (ret < 0) - return ret; - if (ret > 0) - return afilter_frame(inlink, frame); - } +retry: + ret = arequest_frame(outlink, &frame); + if (ret < 0) + return ret; + if (frame) + return ff_filter_frame(outlink, frame); - if (!s->eof && ff_inlink_acknowledge_status(inlink, &status, &pts)) { - if (status == AVERROR_EOF) { + ret = ff_inlink_consume_frame(inlink, &frame); + if (ret < 0) + return ret; + if (ret > 0) + return afilter_frame(inlink, frame); + + ret = ff_inlink_acknowledge_status(inlink, &status, &pts); + if (ret) { + if (status == AVERROR_EOF && !s->eof) { s->size = s->nb_samples; s->eof = 1; + goto retry; } - } - - if (s->eof && (!s->loop || !s->size)) { - ff_outlink_set_status(outlink, AVERROR_EOF, s->duration); + ff_outlink_set_status(outlink, status, pts); return 0; } - if (!s->eof && (!s->size || - (s->nb_samples < s->size) || - (s->nb_samples >= s->size && s->loop == 0))) { - FF_FILTER_FORWARD_WANTED(outlink, inlink); - } else if (s->loop && s->nb_samples == s->size) { - return arequest_frame(outlink); - } + FF_FILTER_FORWARD_WANTED(outlink, inlink); return FFERROR_NOT_READY; } From 0dac8251f741806fce3437a9e1fb1dde55a6a3de Mon Sep 17 00:00:00 2001 
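Review bot: `if (frame)` right after `arequest_frame(outlink, &frame)` reads a pointer that arequest_frame does not write on every path: its new `return 0` appears to be reachable without `*frame = out` having run, and `goto retry` calls it a second time. That is only safe if `frame` is initialised to NULL at its declaration, which is outside this hunk. Adding `*frame = NULL;` at the top of arequest_frame (and of push_samples) would make the out-parameter contract hold regardless of the caller. A short comment there should say that a return of 0 with `*frame == NULL` means there is nothing to output yet.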
From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:38 +0100 Subject: [PATCH 547/562] aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. Under these conditions like seen by Firefox a read beyond the end of the buffer results in a segfault. After the over-read is reduced to a single pixel it's reasonable to use VP9's emulated edge motion compensation for this. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 430c38f698a65d597e863330810b05e083682be6) --- libavcodec/aarch64/vp9mc_neon.S | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/aarch64/vp9mc_neon.S b/libavcodec/aarch64/vp9mc_neon.S index abf2bae9db..38f44ca56d 100644 --- a/libavcodec/aarch64/vp9mc_neon.S +++ b/libavcodec/aarch64/vp9mc_neon.S @@ -230,6 +230,9 @@ function \type\()_8tap_\size\()h_\idx1\idx2 // reduced dst stride .if \size >= 16 sub x1, x1, x5 +.elseif \size == 4 + add x12, x2, #8 + add x13, x7, #8 .endif // size >= 16 loads two qwords and increments x2, // for size 4/8 it's enough with one qword and no 
@@ -248,9 +251,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 ld1 {v4.8b, v5.8b, v6.8b}, [x2], #24 ld1 {v16.8b, v17.8b, v18.8b}, [x7], #24 -.else +.elseif \size == 8 ld1 {v4.8b, v5.8b}, [x2] ld1 {v16.8b, v17.8b}, [x7] +.else // \size == 4 + ld1 {v4.8b}, [x2] + ld1 {v16.8b}, [x7] + ld1 {v5.s}[0], [x12], x3 + ld1 {v17.s}[0], [x13], x3 .endif uxtl v4.8h, v4.8b uxtl v5.8h, v5.8b From 3562311c302714e08f12a8223ae0e079ff2337ad Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:39 +0100 Subject: [PATCH 548/562] arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. This mirrors the aarch64 change. Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit f3662562156c9b908588b1e58e4203fd09217cb6) --- libavcodec/arm/vp9mc_neon.S | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/vp9mc_neon.S b/libavcodec/arm/vp9mc_neon.S index bd8cda7c30..2ec729bb31 100644 --- a/libavcodec/arm/vp9mc_neon.S +++ b/libavcodec/arm/vp9mc_neon.S 
@@ -279,11 +279,13 @@ function \type\()_8tap_\size\()h_\idx1\idx2 sub r1, r1, r5 .endif @ size >= 16 loads two qwords and increments r2, - @ for size 4/8 it's enough with one qword and no - @ postincrement + @ size 4 loads 1 d word, increments r2 and loads 1 32-bit lane + @ for size 8 it's enough with one qword and no postincrement .if \size >= 16 sub r3, r3, r5 sub r3, r3, #8 +.elseif \size == 4 + sub r3, r3, #8 .endif @ Load the filter vector vld1.16 {q0}, [r12,:128] @@ -295,9 +297,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 vld1.8 {d18, d19, d20}, [r2]! vld1.8 {d24, d25, d26}, [r7]! -.else +.elseif \size == 8 vld1.8 {q9}, [r2] vld1.8 {q12}, [r7] +.else @ size == 4 + vld1.8 {d18}, [r2]! + vld1.8 {d24}, [r7]! + vld1.32 {d19[0]}, [r2] + vld1.32 {d25[0]}, [r7] .endif vmovl.u8 q8, d18 vmovl.u8 q9, d19 From 14afc43c27d91f390389ad69b0b8d4056b349a64 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:40 +0100 Subject: [PATCH 549/562] vp9: recon: Use emulated edge to prevent buffer overflows The arm/aarch64 horizontal filter reads one additional pixel beyond what the filter uses. This can become an issue if the application does not allocate larger buffers than what's required for the pixel data. If the motion vector points to the bottom right edge of the picture this becomes a read buffer overflow. This triggers segfaults in Firefox for video resolutions which result in a page aligned picture size like 1280x640. Prevent this by using emulated edge in this case. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 060464105bdca82b8cfb91c7a6fb56df4c7cd9d0) --- libavcodec/vp9recon.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/vp9recon.c b/libavcodec/vp9recon.c index bfafde8c9c..ce04244ccb 100644 --- a/libavcodec/vp9recon.c +++ b/libavcodec/vp9recon.c 
@@ -318,7 +318,11 @@ static av_always_inline void mc_luma_unscaled(VP9TileData *td, vp9_mc_func (*mc) // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref - !!my * 3 * ref_stride - !!mx * 3 * bytesperpixel, @@ -357,7 +361,11 @@ static av_always_inline void mc_chroma_unscaled(VP9TileData *td, vp9_mc_func (*m // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref_u - !!my * 3 * src_stride_u - !!mx * 3 * bytesperpixel, From 941b05ab56e067b185ae954ca4581f58689d52a0 Mon Sep 17 00:00:00 2001 
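Review bot: The added arch-gated term in mc_luma_unscaled fires only when the block is close to both the right and the bottom edge, so it appears to rely on an assumption the new comment does not state: a one-pixel over-read on any row but the last still lands inside the frame allocation. Put that in the comment, e.g. `// Over-reads on earlier rows stay inside the buffer; only the last row can run past the end of the allocation.`, so that a change to the buffer layout or to the filters' read width prompts a second look at this check. The same expression is repeated verbatim in the mc_chroma_unscaled hunk; a small shared macro or inline helper would keep the two copies from drifting apart. Both function bodies continue outside the hunks.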
From: Bin Peng Date: Mon, 16 Dec 2024 10:31:23 +0800 Subject: [PATCH 550/562] lavc/aarch64: Fix ff_pred8x8_plane_neon_10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix test failure on aarch64: ./tests/checkasm/checkasm --test=h264pred 479612 The mismatch between neon and C functions can also be reproduced using the following bitstream and command line. wget https://streams.videolan.org/ffmpeg/incoming/intra8x8pred_10bit.264 ./ffmpeg -cpuflags 0 -threads 1 -i intra8x8pred_10bit.264 -f framemd5 -y md5_ref ./ffmpeg -threads 1 -i intra8x8pred_10bit.264 -f framemd5 -y md5_neon Signed-off-by: Bin Peng Signed-off-by: Martin Storsjö (cherry picked from commit decc9e643cc3ac5537f42b465e2637fbefbf41cc) --- libavcodec/aarch64/h264pred_neon.S | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/aarch64/h264pred_neon.S b/libavcodec/aarch64/h264pred_neon.S index ea37689f34..168f8191ad 100644 --- a/libavcodec/aarch64/h264pred_neon.S +++ b/libavcodec/aarch64/h264pred_neon.S @@ -595,12 +595,11 @@ function ff_pred8x8_plane_neon_10, export=1 ssubl v2.4s, v2.4h, v3.4h ext v0.16b, v0.16b, v0.16b, #14 mov v0.h[0], wzr - mul v0.8h, v0.8h, v5.h[0] dup v1.4s, v2.s[0] dup v2.4s, v2.s[0] dup v3.8h, v5.h[1] - saddw v1.4s, v1.4s, v0.4h - saddw2 v2.4s, v2.4s, v0.8h + smlal v1.4s, v0.4h, v5.h[0] + smlal2 v2.4s, v0.8h, v5.h[0] mov w3, #8 mvni v4.8h, #0xFC, lsl #8 // 1023 for clipping 1: From 6e63e4949619d4f72b5ec725b2658d404b38a576 Mon Sep 17 00:00:00 2001 From: Bin Peng Date: Fri, 13 Dec 2024 22:19:47 +0800 Subject: [PATCH 551/562] lavc/aarch64: Fix ff_pred16x16_plane_neon_10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix test failure on aarch64: ./tests/checkasm/checkasm --test=h264pred 367840 Signed-off-by: Peng Bin 
Signed-off-by: Martin Storsjö (cherry picked from commit 72a3656e8468a394373b6397aacc906d7f7794c2) --- libavcodec/aarch64/h264pred_neon.S | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/libavcodec/aarch64/h264pred_neon.S b/libavcodec/aarch64/h264pred_neon.S index 168f8191ad..d0999938ef 100644 --- a/libavcodec/aarch64/h264pred_neon.S +++ b/libavcodec/aarch64/h264pred_neon.S @@ -502,28 +502,27 @@ function ff_pred16x16_plane_neon_10, export=1 add v7.4h, v7.4h, v0.4h shl v2.4h, v7.4h, #4 ssubl v2.4s, v2.4h, v3.4h - shl v3.4h, v4.4h, #4 ext v0.16b, v0.16b, v0.16b, #14 - ssubl v6.4s, v5.4h, v3.4h + sxtl v6.4s, v5.4h // c mov v0.h[0], wzr mul v0.8h, v0.8h, v4.h[0] dup v16.4s, v2.s[0] dup v17.4s, v2.s[0] - dup v2.8h, v4.h[0] - dup v3.4s, v6.s[0] - shl v2.8h, v2.8h, #3 + dup v2.8h, v4.h[0] // b + dup v3.4s, v6.s[0] // c + sshll v2.4s, v2.4h, #3 // b * 8 saddw v16.4s, v16.4s, v0.4h saddw2 v17.4s, v17.4s, v0.8h - saddw v3.4s, v3.4s, v2.4h + sub v3.4s, v3.4s, v2.4s mov w3, #16 mvni v4.8h, #0xFC, lsl #8 // 1023 for clipping 1: sqshrun v0.4h, v16.4s, #5 sqshrun2 v0.8h, v17.4s, #5 - saddw v16.4s, v16.4s, v2.4h - saddw v17.4s, v17.4s, v2.4h + add v16.4s, v16.4s, v2.4s + add v17.4s, v17.4s, v2.4s sqshrun v1.4h, v16.4s, #5 sqshrun2 v1.8h, v17.4s, #5 add v16.4s, v16.4s, v3.4s From 7c954bf6826a21bfcf8dc18179b7bb851a86512d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 23 Jan 2025 12:53:10 +0200 Subject: [PATCH 552/562] rtmpproto: Avoid rare crashes in the fail: codepath in rtmp_open MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When running the cleanup in rtmp_close on failures in rtmp_open, we can in rare cases end up using rt->playpath, assuming that it is still set. The crash could happen if we hit the fail codepath in rtmp_open while publishing (rt->is_input == 0) with rt->state set to a value > STATE_FCPUBLISH. This would normally not happen while publishing; either we have an error (and rt->state <= STATE_FCPUBLISH) or we reach rt->state = STATE_PUBLISHING, and then we also return successfully from rtmp_open. The unexpected combination of states could happen if the server responds with e.g. "NetStream.Play.Stop" while expecting "NetStream.Publish.Start"; this sets rt->state to STATE_STOPPED, which also fulfills the condition "> STATE_FCPUBLISH". We don't need to free the rt->playpath/tcurl/flashver strings here; they're handled via AVOption, and thus are freed automatically when the protocol instance is freed (that's why they aren't freed manually within the rtmp_close function either). We also don't need to free the AVDictionary with options; it's owned by the caller. A smaller fix would be to just call rtmp_close before freeing the strings and dictionary, but as we don't need to free them at all, let's remove that redundant code. Signed-off-by: Martin Storsjö (cherry picked from commit 8f4819ce01584e0858fdc312aa8a17c55e350a92) --- libavformat/rtmpproto.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index f0ef223f05..dae9f1496b 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -2884,10 +2884,6 @@ reconnect: return 0; fail: - av_freep(&rt->playpath); - av_freep(&rt->tcurl); - av_freep(&rt->flashver); - av_dict_free(opts); rtmp_close(s); return ret; } 
From 1bcb1be4a26f9c67c07c1d7a5484f2effbadfbbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Fri, 24 Jan 2025 23:32:52 +0200 Subject: [PATCH 553/562] configure: Improve the check for the rsync --contimeout option MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Traditionally, macOS has shipped an old version of rsync that lacked support for this option, hence this check (added in a8b3f0c5cf548f654e30c981988bb71981a3f8d3). However, in macOS 15.x, Apple have switched to providing rsync as a different tool, openrsync. The version of openrsync in at least macOS 15.2 does include "[--contimeout]" (note the lack of "=" after the option), in the output of "rsync --help", but when used, the tool errors out with "rsync: --contimeout=60: unknown option". So apparently the tool erroenously lists the option as supported, while it really isn't. The original rsync tool (with a new enough version) prints "--contimeout=SECONDS" in the output of "rsync --help". It is unclear which version of openrsync Apple are shipping; the latest upstream openrsync from OpenBSD does support the option and includes "[--contimeout=seconds]" in the output of "--help", and older versions don't seem to include the option as listed at all. Therefore, check for "--conntimeout=" with the "=", this should properly detect both new enough rsync and openrsync. This fixes running "fate-rsync" on macOS 15.x. Signed-off-by: Martin Storsjö (cherry picked from commit 3cd4e8470a1ef82223d124523f8219691dfefb60) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 399a508189..471475b08e 100755 --- a/configure +++ b/configure 
@@ -6800,7 +6800,7 @@ enabled makeinfo \ disabled makeinfo_html && texi2html --help 2> /dev/null | grep -q 'init-file' && enable texi2html || disable texi2html perl -v > /dev/null 2>&1 && enable perl || disable perl pod2man --help > /dev/null 2>&1 && enable pod2man || disable pod2man -rsync --help 2> /dev/null | grep -q 'contimeout' && enable rsync_contimeout || disable rsync_contimeout +rsync --help 2> /dev/null | grep -q 'contimeout=' && enable rsync_contimeout || disable rsync_contimeout xmllint --version > /dev/null 2>&1 && enable xmllint || disable xmllint check_headers linux/fb.h From 01af45c0f3d5b2113844f13061ddcc92b99fa475 Mon Sep 17 00:00:00 2001 From: Pavel Koshevoy Date: Sun, 23 Feb 2025 09:43:56 -0700 Subject: [PATCH 554/562] avformat/mov: (v4) fix get_eia608_packet The problem is reproducible with "Test for Quicktime 608 CC file.mov" from https://samples.ffmpeg.org/MPEG2/subcc/ ffmpeg -i "Test for Quicktime 608 CC file.mov" -map 0 -c copy -y remuxed.mov See https://trac.ffmpeg.org/ticket/11470 --- libavformat/mov.c | 70 +++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 59 insertions(+), 11 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index d06967ecfb..25562bb995 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -8660,25 +8660,73 @@ static int mov_change_extradata(MOVStreamContext *sc, AVPacket *pkt) return 0; } -static int get_eia608_packet(AVIOContext *pb, AVPacket *pkt, int size) +static int get_eia608_packet(AVIOContext *pb, AVPacket *pkt, int src_size) { - int new_size, ret; + /* We can't make assumptions about the structure of the payload, + because it may include multiple cdat and cdt2 samples. */ + const uint32_t cdat = AV_RB32("cdat"); + const uint32_t cdt2 = AV_RB32("cdt2"); + int ret, out_size = 0; - if (size <= 8) + /* a valid payload must have size, 4cc, and at least 1 byte pair: */ + if (src_size < 10) return AVERROR_INVALIDDATA; - new_size = ((size - 8) / 2) * 3; - ret = av_new_packet(pkt, new_size); + + /* avoid an int overflow: */ + if ((src_size - 8) / 2 >= INT_MAX / 3) + return AVERROR_INVALIDDATA; + + ret = av_new_packet(pkt, ((src_size - 8) / 2) * 3); if (ret < 0) return ret; - avio_skip(pb, 8); - for (int j = 0; j < new_size; j += 3) { - pkt->data[j] = 0xFC; - pkt->data[j+1] = avio_r8(pb); - pkt->data[j+2] = avio_r8(pb); + /* parse and re-format the c608 payload in one pass. */ + while (src_size >= 10) { + const uint32_t atom_size = avio_rb32(pb); + const uint32_t atom_type = avio_rb32(pb); + const uint32_t data_size = atom_size - 8; + const uint8_t cc_field = + atom_type == cdat ? 1 : + atom_type == cdt2 ? 2 : + 0; + + /* account for bytes consumed for atom size and type. */ + src_size -= 8; + + /* make sure the data size stays within the buffer boundaries. */ + if (data_size < 2 || data_size > src_size) { + ret = AVERROR_INVALIDDATA; + break; + } + + /* make sure the data size is consistent with N byte pairs. */ + if (data_size % 2 != 0) { + ret = AVERROR_INVALIDDATA; + break; + } + + if (!cc_field) { + /* neither cdat or cdt2 ... 
skip it */ + avio_skip(pb, data_size); + src_size -= data_size; + continue; + } + + for (uint32_t i = 0; i < data_size; i += 2) { + pkt->data[out_size] = (0x1F << 3) | (1 << 2) | (cc_field - 1); + pkt->data[out_size + 1] = avio_r8(pb); + pkt->data[out_size + 2] = avio_r8(pb); + out_size += 3; + src_size -= 2; + } } - return 0; + if (src_size > 0) + /* skip any remaining unread portion of the input payload */ + avio_skip(pb, src_size); + + av_shrink_packet(pkt, out_size); + return ret; } static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) From 6ad0eab0b5b92738c946d9031d74b34bce53300a Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Fri, 18 Aug 2023 15:32:39 -0400 Subject: [PATCH 555/562] lsws/ppc/yuv2rgb_altivec: Fix build in non-VSX environments with Clang Add a check for the existence of the vec_xl() function. Clang provides the function even with VSX not enabled. (cherry picked from commit 30a8641465f7b7923e92d8724ef6a595fccb9e58) Signed-off-by: Brad Smith --- configure | 8 ++++++++ libswscale/ppc/yuv2rgb_altivec.c | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 471475b08e..2c8ec632b9 100755 --- a/configure +++ b/configure @@ -2121,6 +2121,7 @@ ARCH_EXT_LIST_PPC=" ldbrx power8 ppc4xx + vec_xl vsx " @@ -2634,6 +2635,7 @@ altivec_deps="ppc" dcbzl_deps="ppc" ldbrx_deps="ppc" ppc4xx_deps="ppc" +vec_xl_deps="altivec" vsx_deps="altivec" power8_deps="vsx" @@ -6091,6 +6093,11 @@ elif enabled ppc; then check_cpp_condition power8 "altivec.h" "defined(_ARCH_PWR8)" fi + if enabled altivec && disabled vsx; then + check_cc vec_xl altivec.h "const unsigned char *y1i = { 0 }; + vector unsigned char y0 = vec_xl(0, y1i);" + fi + elif enabled x86; then check_builtin rdtsc intrin.h "__rdtsc()" 
@@ -7542,6 +7549,7 @@ if enabled ppc; then echo "POWER8 enabled ${power8-no}" echo "PPC 4xx optimizations ${ppc4xx-no}" echo "dcbzl available ${dcbzl-no}" + echo "vec_xl available ${vec_xl-no}" fi if enabled loongarch; then echo "LSX enabled ${lsx-no}" diff --git a/libswscale/ppc/yuv2rgb_altivec.c b/libswscale/ppc/yuv2rgb_altivec.c index 5e1033a973..8b0a93796f 100644 --- a/libswscale/ppc/yuv2rgb_altivec.c +++ b/libswscale/ppc/yuv2rgb_altivec.c @@ -284,7 +284,7 @@ static inline void cvtyuvtoRGB(SwsContext *c, vector signed short Y, * ------------------------------------------------------------------------------ */ -#if !HAVE_VSX +#if !HAVE_VEC_XL static inline vector unsigned char vec_xl(signed long long offset, const ubyte *addr) { const vector unsigned char *v_addr = (const vector unsigned char *) (addr + offset); @@ -292,7 +292,7 @@ static inline vector unsigned char vec_xl(signed long long offset, const ubyte * return (vector unsigned char) vec_perm(v_addr[0], v_addr[1], align_perm); } -#endif /* !HAVE_VSX */ +#endif /* !HAVE_VEC_XL */ #define DEFCSP420_CVT(name, out_pixels) \ static int altivec_ ## name(SwsContext *c, const unsigned char **in, \ From c0067757ab5972a709d4d437d81163a501079eaf Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Tue, 11 Mar 2025 00:31:47 -0400 Subject: [PATCH 556/562] lsws/ppc/yuv2rgb_altivec: Fix build in non-VSX environments with Clang v2 v2: test for function if AltiVec is enabled instead of with AltiVec and without VSX (cherry picked from commit 49c8f33262d7c113c71cee9cd30b990a92afa0a1) Signed-off-by: Brad Smith --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 2c8ec632b9..87b65d86d1 100755 --- a/configure +++ b/configure 
@@ -6093,7 +6093,7 @@ elif enabled ppc; then check_cpp_condition power8 "altivec.h" "defined(_ARCH_PWR8)" fi - if enabled altivec && disabled vsx; then + if enabled altivec; then check_cc vec_xl altivec.h "const unsigned char *y1i = { 0 }; vector unsigned char y0 = vec_xl(0, y1i);" fi From f868ded795ed40ec53730ddbdb33cd2c61a644d7 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 4 Jan 2023 17:53:01 +0100 Subject: [PATCH 557/562] swresample/swresample_frame: fix regression in detecting changes Do not overwrite return variable values, instead use different one for checking results. (cherry picked from commit 99bd2dbc9101549b4c6afb3e8d50c6a9e9e80215) --- libswresample/swresample_frame.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libswresample/swresample_frame.c b/libswresample/swresample_frame.c index 53ac487136..8726ee58e9 100644 --- a/libswresample/swresample_frame.c +++ b/libswresample/swresample_frame.c @@ -84,7 +84,7 @@ static int config_changed(SwrContext *s, const AVFrame *out, const AVFrame *in) { AVChannelLayout ch_layout = { 0 }; - int ret = 0; + int ret = 0, err; if (in) { #if FF_API_OLD_CHANNEL_LAYOUT @@ -96,8 +96,8 @@ FF_DISABLE_DEPRECATION_WARNINGS FF_ENABLE_DEPRECATION_WARNINGS } else #endif - if ((ret = av_channel_layout_copy(&ch_layout, &in->ch_layout)) < 0) - return ret; + if ((err = av_channel_layout_copy(&ch_layout, &in->ch_layout)) < 0) + return err; if (av_channel_layout_compare(&s->in_ch_layout, &ch_layout) || s->in_sample_rate != in->sample_rate || s->in_sample_fmt != in->format) { @@ -116,8 +116,8 @@ FF_DISABLE_DEPRECATION_WARNINGS FF_ENABLE_DEPRECATION_WARNINGS } else #endif - if ((ret = av_channel_layout_copy(&ch_layout, &out->ch_layout)) < 0) - return ret; + if ((err = av_channel_layout_copy(&ch_layout, &out->ch_layout)) < 0) + return err; if (av_channel_layout_compare(&s->out_ch_layout, &ch_layout) || s->out_sample_rate != out->sample_rate || s->out_sample_fmt != out->format) { 
From cb46a097507f5fee04ee42c9efb3badffe3c98f3 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 17 Feb 2023 15:22:38 -0300 Subject: [PATCH 558/562] doc/resampler.texi: add missing swr channel layout options Signed-off-by: James Almer (cherry picked from commit 1d14959f12ffd720377684af830a51d0cdb2aa8c) --- doc/resampler.texi | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/doc/resampler.texi b/doc/resampler.texi index 5ed3f4377a..d55654e7bc 100644 --- a/doc/resampler.texi +++ b/doc/resampler.texi @@ -11,16 +11,6 @@ programmatic use. @table @option -@item ich, in_channel_count -Set the number of input channels. Default value is 0. Setting this -value is not mandatory if the corresponding channel layout -@option{in_channel_layout} is set. - -@item och, out_channel_count -Set the number of output channels. Default value is 0. Setting this -value is not mandatory if the corresponding channel layout -@option{out_channel_layout} is set. - @item uch, used_channel_count Set the number of used input channels. Default value is 0. This option is only used for special remapping. @@ -41,8 +31,8 @@ Specify the output sample format. It is set by default to @code{none}. Set the internal sample format. Default value is @code{none}. This will automatically be chosen when it is not explicitly set. -@item icl, in_channel_layout -@item ocl, out_channel_layout +@item ichl, in_chlayout +@item ochl, out_chlayout Set the input/output channel layout. See @ref{channel layout syntax,,the Channel Layout section in the ffmpeg-utils(1) manual,ffmpeg-utils} From b791523bb9834fad6dd9a48ee235f66a204499cb Mon Sep 17 00:00:00 2001 
From: Marton Balint Date: Fri, 9 May 2025 00:18:29 +0200 Subject: [PATCH 559/562] avformat/wavdec: increase requested probe score for codec probe Codec probing was primarily added to the wav demuxer to support DTS-in-wav files, but DTS probing functions return AVPROBE_SCORE_EXTENSION+1, so we can be a bit more strict with the required score. This fixes MP3 misdetections for some wav files. Fixes ticket #11581. Signed-off-by: Marton Balint (cherry picked from commit ce01c7fb58597f525e130f47a13ff77f1db62bf4) --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 4924d8f0fb..103a3c30e8 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -168,7 +168,7 @@ static void handle_stream_probing(AVStream *st) { if (st->codecpar->codec_id == AV_CODEC_ID_PCM_S16LE) { FFStream *const sti = ffstream(st); - sti->request_probe = AVPROBE_SCORE_EXTENSION; + sti->request_probe = AVPROBE_SCORE_EXTENSION + 1; sti->probe_packets = FFMIN(sti->probe_packets, 32); } } From e09bd41752491627b4d52e8c76d3d5cfd4b2d7ba Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 22 May 2025 21:21:24 +0000 Subject: [PATCH 560/562] avfilter/avfiltergraph: fix regression in picking channel layout Signed-off-by: James Almer (cherry picked from commit 1b3f4842c18409dba5a345ef9e7b3de7a4fa3657) --- libavfilter/avfiltergraph.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index b7dbfc063b..43b3f667d3 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c 
@@ -938,8 +938,8 @@ static void swap_channel_layouts_on_filter(AVFilterContext *filter) } /* no penalty for LFE channel mismatch */ - if (av_channel_layout_channel_from_index(&in_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0 && - av_channel_layout_channel_from_index(&out_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0) + if (av_channel_layout_index_from_channel(&in_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0 && + av_channel_layout_index_from_channel(&out_chlayout, AV_CHAN_LOW_FREQUENCY) >= 0) score += 10; av_channel_layout_from_mask(&in_chlayout, av_channel_layout_subset(&in_chlayout, ~AV_CH_LOW_FREQUENCY)); av_channel_layout_from_mask(&out_chlayout, av_channel_layout_subset(&out_chlayout, ~AV_CH_LOW_FREQUENCY)); From f6efc1e8aa53fc0a227aba66918489f88164bae5 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 14 Jul 2023 00:42:02 +0200 Subject: [PATCH 561/562] avfilter/split: fix EOF passing to inlink (cherry picked from commit 374184a4dc16421ec6b182191898582d9275808a) --- libavfilter/split.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavfilter/split.c b/libavfilter/split.c index 98b51f976e..2a511668e2 100644 --- a/libavfilter/split.c +++ b/libavfilter/split.c @@ -67,11 +67,15 @@ static int activate(AVFilterContext *ctx) { AVFilterLink *inlink = ctx->inputs[0]; AVFrame *in; - int status, ret; + int status, ret, nb_eofs = 0; int64_t pts; - for (int i = 0; i < ctx->nb_outputs; i++) { - FF_FILTER_FORWARD_STATUS_BACK_ALL(ctx->outputs[i], ctx); + for (int i = 0; i < ctx->nb_outputs; i++) + nb_eofs += ff_outlink_get_status(ctx->outputs[i]) == AVERROR_EOF; + + if (nb_eofs == ctx->nb_outputs) { + ff_inlink_set_status(inlink, AVERROR_EOF); + return 0; } ret = ff_inlink_consume_frame(inlink, &in); From 56a67d122c9f9b0f28c8dbdd9d4b636ebbfee6d6 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sun, 15 Jun 2025 21:30:09 +0200 Subject: [PATCH 562/562] avfilter/split: consume all frames before forwarding inlink status 
Signed-off-by: Marton Balint (cherry picked from commit 28a7b9c86355258e1f92ed98ec7a4d177d6506b4) --- libavfilter/split.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/split.c b/libavfilter/split.c index 2a511668e2..0fbbaa0fd7 100644 --- a/libavfilter/split.c +++ b/libavfilter/split.c @@ -101,6 +101,7 @@ static int activate(AVFilterContext *ctx) av_frame_free(&in); if (ret < 0) return ret; + return 0; } if (ff_inlink_acknowledge_status(inlink, &status, &pts)) {